Let's Talk SoC

Automation in Cybersecurity: The Collaborative Intelligence of Human and Machine

Episode Summary

The case for automation in cybersecurity is strong. Talent is scarce, and cyberattacks are on the rise. Meanwhile, the systems required to manage an effective SOC are often complex and diverse. In this episode, we’re joined by Elvis Hovor, Sr. Director Product Management at Secureworks. He explains how today’s SOC analysts are overwhelmed by alerts and the weight of responsibility to protect their organizations. Automation is essential to helping them do their job with greater confidence and time to focus on what really matters. While reducing alert fatigue and the risk of human error, intelligent technologies like automation, AI, and machine learning deliver insights that greatly enhance investigative work. Learn how this works in practice with real customers, helping analysts hunt down and fend off even the most sophisticated threats.

Episode Notes

What We'll Cover

· Why automation is essential in today’s cybersecurity landscape

· The combined power of human and machine intelligence

· The benefits for prevention, detection, and response

· How a strong security partner can help SecOps teams leverage automation, AI, and machine learning

· How this works in practice in customer engagements

Episode Transcription

Secureworks Interview with Elvis Hovor

Sally: Hi everyone, and a warm welcome to Let's Talk SoC, a special feature today on the role of automation in threat detection and also threat response. And to dive into all the details, I'm delighted to be joined now by Elvis Hovor from Secureworks. Welcome Elvis!

Elvis: Thank you very much, Sally. I'm delighted to be here.

Sally: Oh, fantastic. Such a timely topic area. And perhaps we could get started just by finding out a bit more about you, Elvis, and your role at Secureworks.

Elvis: Yes, certainly. So I'm a Senior Director here in the product management org for Secureworks. My main focus is making sure we build out the XDR platform and make sure it's performant for our customers.

Sally: Superb, absolutely. And kind of taking that as our starting point, such a dynamic market we have right now, many changes coming together, many different vectors of change, I would say. And some of these challenges, I think automation is so essential to help negate the risk. Perhaps we could start from that. What are you seeing as A, the key drivers, and then we can drill into how automation makes a big difference.

Elvis: Yes, certainly. I believe one of the biggest key drivers hasn't changed over the years. There's always been a shortage of skilled professionals in cybersecurity. (ISC)² recently did a workforce study that shows that the cybersecurity workforce gap is a shortfall of about 3.4 million people. This is staggering, which means that employees are most likely overwhelmed. They're looking for help in streamlining the multitude of alerts that they have to deal with on a daily basis. You look beyond that, there is also the proliferation of security tools, an increase in cyber-attacks, and this kind of leaves our security practitioners in a constant state of fatigue. Another study from IDC actually states that security professionals are so fatigued and so tired and overwhelmed that they are ignoring about one third of all the security alerts. And they're actually spending just as much time investigating false positives. One last thing that I would like to push in there also is that, you know, adversaries or threat actors are creating exploits at machine speed today. So there are new exploits coming out every day. You know, practitioners have to deal with this, right? Think about all the alerts that they already have to deal with, all the integrations, all the multiple tools they have to jump through. And then the fact that the adversaries are coming at you even, you know, more than they used to before. It's a lot, it's very overwhelming, right? In the same way adversaries are using automation to build their tactics and techniques and adversary tools, we also have to do the same as defenders to make sure that we can facilitate our defense.

Sally: So, so true. I think what you said there, Elvis, just brings to the fore that we talk about multi-layer security, don't we? But I think the multi-layer kind of vectors of risk you're really bringing to the fore there in so many different areas. So A, we have the supply talent gaps in cyber security, couldn't agree more. I think COVID kind of heightened that as well, particularly when it comes to diversity and security. There's been quite some interesting research there too showing how, for example, more like women in cyber, who were showing real kind of love of role, you know, it came out really, really strongly in that research, but actually propensity to churn from it was very, very high and quite a difference, for example, with other demographics. So really interesting areas there, but also other things from a technical point of view, as you said there about kind of malalignment across technology or things like tool sprawl or even vendor sprawl, for example, too. So, lots of different levels to address there as well, but I also hope that actually, if we look at the dynamism of this space, perhaps we can attract more people in because wow, if we get some of these better, get some of these things managed in a different way, what an amazing space to help make a difference and give people kind of agency to negate some of these threats too. So, I'd love to maybe come back to that bit at the end as well, but so, so true, lots of friction points at the moment to address, automation and security right there as a priority to help do that. So perhaps we could drill into that a little bit more, particularly where we associate automation in security too. So, I think traditionally it's more, you know, associated with SOAR, isn't it? But what do you see as a role more for an XDR proposition, for extended detection and response? Where is the best fit there?

Elvis: Yeah, so you are right. Automation has traditionally been associated with SOAR. And I might even say rightly so. The promise of SOAR was that it was going to be able to apply predefined actions to contain and remediate issues, freeing up operators as we know today, the ones that are obviously overwhelmed, freeing them from the manual operation so that they can focus on things that are more high level. The reality though is this: it's been difficult for organizations to get their SOAR investments off the shelf just because of the complexity and integration and setup that needs to go into it for the most part. That has been a huge issue. Companies that have investments in log management tools, SIEMs, endpoint products have to purchase these additional capabilities in SOAR, stitch them all together and hope that they have the expertise to make all of this work together. Because XDR, on the other hand, integrates a wider range of products, like endpoints, cloud applications, email, and more, it is better suited to combine the whole prevention, detection, investigation, and automated response capabilities to combat threats. It feels as though in an XDR platform, it's a single platform where the integration and automation is all built through. It's easier for you to streamline that process and better use automation in that.

Sally: Absolutely, so far more expansive, I love that. And the points you make there about kind of integration and visibility in many ways. I think that echoes what I hear, working with many different organizations and not just in security, frankly, as well. A couple of the biggest challenges we have are improving integration, improving visibility, and also frankly, reducing complexity as well. So I think it really supports that trajectory too. And as part of that, I'd love to hear a bit more about the evolution of automation within Secureworks yourself. So, XDR, but also MDR point of view as well. How has that grown and kind of what's coming next?

Elvis: Yeah, so it's great that you asked that question because we've also gone through a journey on our end to make sure that we are doing better for our customers. If you remember, we transitioned from being an MSSP, you know, an MSSP provider, into being an XDR, MDR provider. And this means that, you know, what we used to do before, where we could very quickly just throw our alerts over the fence to our customers, so that the customers can go pull their own context, has changed. Right now we do have the telemetry, we do have the logs, we do have the context that we need to be able to pull more context into alerts, filter it down, reduce the noise significantly, create investigations that have deep context just because of how much purview we have across all of these log sources, before sending it over to our customers. So, as part of this process, we've embraced automation as a core tenet of our XDR and MDR process to help drive this for our customers. It is critical, right? Because when you look at the challenges that we have, those are the same challenges that our customers have always had too. The sheer amount of alerts that the SOCs have to deal with, you know, you would definitely need some level of automation to make sure you're reducing the noise that's coming in, you are detecting early, you are prioritizing these alerts, and these are all functions that automation is able to kind of speed up for an organization. But beyond that, we are always evolving, right? And we are focused on using advanced systems powered by things like artificial intelligence and machine learning to help protect our mission critical operations for our customers. We leverage machine learning to build some of our most advanced detectors within the space, like our hands-on keyboard detectors.
The hands-on keyboard detector really is an ability for us to be able to score threat actors or identify threat actors who are performing very low-level manual tasks on a host that you would typically not see, right? They're trying to behave like a regular human and all of that within the host. So, it's very difficult for you to see. Things like command line paths and some of the things that they will do along those lines, we score them using machine learning for us to be able to detect better some of these threat activities that are going on. So that's a little bit of evolution and we haven't stopped yet. We are still going through building more capabilities around automation, but then focusing more on bringing machine learning and AI components into our platform.

Sally: I love that, I love that. And the word empowerment is basically ringing through my ears as you're describing that. I really do think in so many different areas, so kind of reducing that overburden and the fatigue that you described throughout our conversation so far, and it is such a big point. I'm listening to a big kind of churn rate across the industry related to this. It's growing and growing, I totally agree with that. But, also for example, that scoring mechanism, the low level threats that become bigger ones that can be quite in stealth mode for quite some time, making those more visible, helping to prioritize. It's really giving this empowerment and this agency to act. So, it's so, so powerful. And I love what you were bringing in there about the use of AI and ML as well. Definitely see such a powerful trajectory there. Again, to get more granular, get more specific, but also filter away what we don't need to be seeing and giving that agency and empowerment to make those better decisions. So, brilliant, love that, fantastic Elvis, thank you. And in terms of kind of this in action, have you got any examples you can share, totally understand you're a bit limited by client confidentiality, et cetera, but maybe something we could kind of share with the audience now of this in action, how have you worked with organizations to make a difference using automation in your solutions, plus of course the power of trusted partnership as well, and the education piece you provide.

Elvis: Yeah, definitely. I think I'll try and be as open as I can here and maybe even give you some metrics as to how we've been doing. So from a detection standpoint, and like I said, we use automation across detection, prevention, making sure that we can give our customers automated responses all across their threat lifecycle. From a detection standpoint, we are certainly better at detecting threats because we're leveraging a lot more automation in our process to enrich, correlate, group, and prioritize the alerts that we are getting so that we can accelerate investigations overall. Automation and machine learning have helped us reduce the noise that we had in our platform. And I'm not talking from too long ago. It's helped us reduce it by 45% again. So, our alert volume has reduced by 45% when we focused a lot more on driving machine learning and AI in our processes. And this has been super helpful. You can understand how much our SOC needs to work, how quickly they need to go through this to make sure that our customers are being protected in a timely manner. So that is a significant amount if we are able to reduce that amount of noise through the process, because then we can focus on the things that are really important. From an investigation standpoint, we leaned in very heavily into automated investigations. There's always the capability for us to use automations to make sure that we aren't losing the context that we need. Like, humans are always prone to make mistakes, right? If you can automate a process around investigations, the likelihood of it being consistent is higher. But beyond that, we also use automated investigation as something we call draft investigations to be able to help prepare the context and the content that an analyst needs for them to be able to do their investigation.
So before they sit down at an investigation, we would have gone through, using automation, to go pick up all the context that's needed, all the alerts that are correlated, all the events that they need, put it together for them so that they have one single place to go and make a decision on an investigation. So, that's a way that's speeding up significantly the output from our analysts. We always want to keep that human analyst in the mix for when things are a little bit more complex and you need some discernment. That makes it easier for them to pick up those alerts and be quicker. From a response perspective, you know, there's obviously the faster remediation through predefined playbooks that we have and containment, you know, playbooks that we have. That's always been great. And that's something that we keep doing. But our MDR service also offers automated response actions. This is an ability for us to take remediation action on behalf of our customers and as you can imagine, this completely shortens the life cycle of a threat or an attack on the customer significantly. So, this is something that we do for our customers also. Overall, with Secureworks leaning into automation, machine learning and AI, we've seen a considerable improvement in speed and accuracy when we are triaging alerts, investigating incidents, and this has had a direct impact on our managed service customers' most important metrics. Like their time, their mean time to triage alerts, their mean time to resolve these alerts. And we are seeing significant improvements in that space for our customers, which makes them, I think, more confident in our capabilities.

Sally: Oh, absolutely. Honestly, thank you. Such a range of examples there as well, which is so, so powerful and kind of is our ending point as well. I think it brings everything together so nicely. And the fact that the use of automation there is the holism of impact that it can bring. So right through the support you were mentioning there for analysts and in terms of giving them the active intelligence they need and taking away some of the burdens we've talked about today as well and giving that kind of single pane of visibility you were describing as well, right through to areas like the remediation impact you talked about. So literally it is end to end in terms of security support. I love that. And the percentages, they really do bring to the fore just the level of impact that you're having there as well in terms of speed and addressing the sophistication, but also just the different vectors of change we've been talking about today, that support across the process of doing that and ever more obviously in the AI and ML field as well, really powerful in terms of impact. So brilliant to see that. And, you know, I know we have to bring it to a close now as well. I'd love to come back again another day to see the next stage in the evolution of automation in security with yourself and at Secureworks and bring more people involved in this too, because I think what an exciting space to be in terms of as this moves forward, as we negate some of these challenges, it's an impressive, you know, impressive place to be to have agency to tackle, well, frankly, some of the biggest challenges of our time, affecting people, families and big organizations and small ones alike. So, it's something that concerns all of us, Elvis. So, thank you so much for all you're doing in this field.

Elvis: Sally, thank you so much for having me. It's been an absolute pleasure to talk to you about automation and some of what we're doing here at Secureworks. I would certainly love to come back and tell you what some of the next steps we are taking are in this space.

Sally: Wonderful. Thank you, Elvis. And thank you all for watching and joining us on another episode of Let's Talk SoC. We'll be back soon looking at another area of security detection and response. Thanks for joining us.