David Moulton

You're listening to the Cyberwire Network. Powered by N2K.

Erez Levy

Is your endpoint stuck in the past? Cortex XDR certainly isn't. For the second year in a row, Cortex XDR delivers 100% detections in the 2024 MITRE, ATT and CK evaluation. This is a historic first. No configuration changes, no delays, no compromises. Just the industry's best. Ready to see what perfection looks like? Visit palo altonetworks.com today today we're interrupting our regularly scheduled episode to bring you an exciting update about the just released mitre, ATT and CK ingenuity evaluation results. Erez Levy, Director of Autonomous SOC at Palo Alto Networks, is joining me in discussing this achievement. Arez you guys crushed it in the MITRE eval. I'm curious if you can talk to me about your thoughts, your reaction to those results that you got for us.

Ali Mellon

You know, this is validation that we're expecting to get, but it's always nice to get this kind of validation year after year. It gives us validation that we're doing the right things. We're prioritizing the right projects, we're collecting the right data, we're using AI as we should eventually. In our world, there's so many things we can do, so many decisions we take day by day. So being able to show year after year good results that validate that we protect our customers in the best possible ways is always good news for us.

Erez Levy

Absolutely. I gotta think that this is really motivating for the team to see all of those decisions, all of that hard work, the execution against strategy paying off in such a visible way. What was the team's reaction?

Ali Mellon

So the team is very excited when we get the results and we see how good they are. It really gives us a lot of energy to keep on doing what we do and also keep on doing it year after year during the test and not during the test.

Erez Levy

I'm wondering, are you a lateral movement guy? Initial access? Maybe you're really into credential theft. Is there a. Is there a particular attacker technique that you like to research or work to prevent?

Ali Mellon

I consider myself whatever it takes guy. So I come more from the attacker's perspective, at least initially in my career. And when you are an attacker, you just do whatever it takes. And I think we need, and we do, we use the same perspective on the defensive side. I'm specifically more of agent guy coming from operating system internals initially in Windows, but also other operating systems over time. I think what excites me the most is using both AI and operating system, internal data to find things that otherwise can't be found. This is for me, the, the great joy I get at Palo Alto Networks is first, the people, and second, combining two things I love the most other than this, my family. It's AI and operating systems. That's my passion.

Erez Levy

Erez Levy, I can hear you smiling as you talk about it. Thank you for joining me on threatvector to talk about your team's work. Your reaction to the Mitre ingenuity evaluation results. Congratulations. It was really fantastic and I appreciate you giving us a little bit of time this morning on threatvector.

Ali Mellon

Thank you, David. Thank you for having me.

David Moulton

There is nothing more important than understanding what your point of view on whatever situation you're a part of is and being able to articulate that in a way that makes sense to others. That's what the values conversation is ultimately about. That's what I expect and hope for from vendors whenever we do a wave evaluation. That's what I expect and hope for from customers whenever they're talking about what they want a vendor to do differently. And so I hope that everyone can take away from this conversation that if you are able to think about and develop your unique point of view and back that up with actual data and understanding of how you're going to get to the outcome that your perspective is giving you, then that will lead you in the right direction. And I've seen that at least in my life, for my entire Life.

Erez Levy

Welcome to ThreatVector, the Palo Alto Networks podcast, where we discuss pressing cybersecurity threats and resilience and uncover insights into the latest industry trends. I'm your host, David Moulton, Director of thought leadership for unit 42. Today I'm excited to be joined by Ali Mellon, principal analyst at Forrester and a thought leader in the field of security operations. Ali specializes in XDR detection engineering and the evolving security technology landscape. Her research and insights have helped countless organizations navigate cybersecurity threats more effectively, and she also shares her analysis with the broader community through her popular newsletter, the Latest Breach. Our topic today is Decoding xdr. As XDR rapidly evolves, it's becoming a key tool for security teams to consolidate data and better detect and respond to cyber threats. But what's next for xdr, and how can organizations separate hype from reality? Stay with me today to hear from Ali how she answers this challenging problem. Ali Mellon, welcome to Threat Vector. I'm really excited to have you here on the show.

David Moulton

Thanks so much for having me. I'm thrilled to be Here, I want.

Erez Levy

To start by asking you a quick question about your newsletter. The latest breach, what inspired you to start that and what do you think the biggest value is for your readers?

David Moulton

So I think that there's so much going on all of the time in cybersecurity that can be difficult to kind of look back and dig into some of the things that have happened in the space and why they're important. And so what the latest breach is really looking to do is let's take a look at some of the breaches and some of the cyber activities that have happened in the past several years and first off, give a really easy to understand explanation of what happened and why. Because I think that's one of the biggest gaps is there's just so much confusion and so much difficulty for people of all levels to understand what's happening from a cybersecurity perspective. And then also let's use it to help make the case for why cybersecurity is important and to help communicate that to other people in either your organization or just in your lives in general. I know that I get a lot of questions from family members and friends that are like, hey, what happened here? Why did this cyber attack happen? Or what does it mean for me? And the goal is, especially with the latest breach, is to kind of explain things in a way that other people can understand.

Erez Levy

I love that it's so difficult at times to avoid the jargon or the specific language of the industry. Even some of the fud, like, let's just ramp up the fear because it does seem exciting and scary. It gets almost Hollywood. But to move away from that and just the facts, talking about it in a way that's accessible, the fact that you do that is awesome. I appreciate that. And I'm seeing more of that in our space, which is encouraging, where it's content that's accessible to everyone. I hope to do that on this show, actually. So I'm aligned with you on a principal level. Today we're going to get into the XDR landscape and into your process on Building Waves. We've got a lot to talk about, so let's see where this conversation goes. Allie, what was the most impactful thing you've ever done in your career?

David Moulton

The most impactful thing that I've done in my life that furthered both my career and my life in general was to do a values exercise, which I don't know if you're familiar with, but there's an exercise that Renee Brown has on her podcast and also her website it's totally free. You can, like, download this PDF that has all of the different values that you could potentially have in it. And she walks you through the steps of determining what your values are. And I really needed this maybe, like, 10 years ago in my life, and I was listening to a podcast that she did and hearing about this values exercise, and at first I was like, oh, I don't really need this. Like, I already know what my values are. And I spent, like, two seconds thinking about it, and I was like, I really value being nice. But as I went through the exercise, what I realized is that was not one of my values at all. And if anything, that was kind of just a. A way to hide who I truly was and what I truly valued in life. And so I went through this exercise and realized, oh, my God, my values are not at all what I thought they were, because I don't actually feel good when I'm being nice all the time, which sounds kind of weird, but there are situations where I would much rather tell someone the truth than do something that's nice and feels good for me in the moment. And so going through this exercise, I identified that my core values are growth, respect, trust, connection, and playfulness. And that last one is actually really important because I love to be playful with my friends and everyone, to be honest. But trust and connection are really linked and have changed a lot of the dynamics of how I approach situations, because I went from trying to say the thing that people wanted to hear to saying how I truly felt. And that helped me to connect much deeper with people and to develop a much better form of trust with people. So everyone's values are different. There's no reason that, like, certain values are better than others. But for anybody who is kind of thinking to themselves about how they define themselves and how they want to approach that, I recommend doing the values exercise.

Erez Levy

Ali, that's the Dare to lead list of values from Renee, right?

David Moulton

Yes, it is.

Erez Levy

Yeah. And you said playful, you said growth.

David Moulton

You said trust, connection, and respect.

Erez Levy

Yeah. You remind me of a book that I read years ago, Creativity Inc. It is about Pixar. Great, great movie house. And they had this idea of asking for your honest opinion, and it put people into a moral position. You can either be honest or dishonest. There's kind of a black and white piece there. And Ed Catmull and his team came up with this idea of candor turning the candor up. You know, turn it up to 11, if you will, to quote yet another movie. And I like this idea that you could move your candor up and down. And over the years I've done that because I thought that was being, you know, open and I could hear things without hurting someone. And somebody talked about the difference between nice and kind. And nice is what you were talking about. And kind is telling you you do have spinach in your teeth as opposed to being nice and just letting it go. You tell the truth. And I suppose that one's not one that has a ton of consequence. And by the way, yes, tell me if I have spinach in my teeth. But I think that's interesting that the most impactful thing that you've done for your career is to go look at your values and be introspective, learn a little bit about yourself. And maybe it's a little bit fun to know that playfulness is so important to you. I think that sometimes doing things that are fun or silly just because they delight you makes your day better, makes your life better, makes the people around you maybe smile.

David Moulton

It also makes it a little bit more light hearted because I think that one of the challenges with trust and respect as core values is that can get very heavy and honesty, that can get very heavy. But if you have playfulness mixed in there and you can still have fun with it, then it's. I don't know. That is the balance that I like to strike.

Erez Levy

So let's shift gears a little bit from this larger Ali Mellon conversation and go a little bit more focused on your work there at Forrester. Talk to me about the most surprising aspect of your cybersecurity research, especially as our industry has evolved.

David Moulton

The most surprising. So there's a couple of things that I cover right. As an analyst at Forrester, I focus on security operations. So that includes detection engineering, security analyst, the security analyst role, and from a technology perspective, that's sim, soar, edr, XDR and security analytics. I also cover nation state threats and AI and its use in security tools. As far as my research is concerned, I'd say there's a couple of things that are surprising. First in the job I feel very grateful that like kind of coming back to this values conversation. My whole job is about being direct and honest and telling it how it is with the research. So that's really cool and something that I think is very unique to the role that I have as a forester analyst. But what's most surprising from the research, I'd say it's the. It's something that I knew going into it, but I didn't realize how bad it was in the industry, which is we really do spend so much time hyping up and talking about products when the biggest challenges in organizations are the people and the processes and the fact that the reality of the situation is the security practitioner role is very poorly defined. We don't really develop skills for security practitioners that are based on security as a practice. We expect practitioners to know how to use tools. And so there's a big divide in the actual process side and people side and how we develop those people and how we build processes within an organization that is ultimately supported by the technology. And I think that that's one of the biggest challenges in the industry and it's one of the reasons why I talk about analyst experience so much, is we need to develop this as a discipline instead of just expecting people to be using tools.

Erez Levy

Ali the front side of my career, I worked as a designer and first couple of years I thought if I could just master Photoshop, I'm a designer and I realized, especially as I saw other tools coming in, that that wasn't going to cut it. I had to understand the fundamentals, I had to understand what I was solving for. It wasn't just to make something that was beautiful, but it was also functional, especially in the UX space. And what you're talking about, I've seen over and over in professional roles where if you could just master the tools, then you are a X. If you could just get to a level of proficiency on a set of tools, you're incredible in your role. Even if you don't understand those underlying principles and the foundational skills that would allow you to move from any tool set and any place to driving an outcome. What is it that fascinates this industry so much with tools and how do we break away from that?

David Moulton

So it's a really good point and I'm glad that you brought it up with that framing because the one thing that I do want to say is that I'm also very cognizant of and recognize that sometimes you just got to get the job that you were hired for done, and sometimes that is just using the tool. And so I want to give space for that because I think that that is very true. The part that I want to challenge in that is that you can get the job done by understanding the tool. You can't get the job done better just understanding the tool. That's where the people in the process has to come in if you want to actually improve the organization and improve the industry. So that's the first thing on what you were saying as to why we're so fascinated with this, That's a difficult question. But to be honest, I think it ties back to. We have. If you think about it, as far as tech is concerned, first off, I think across all of tech, it tends to be people who like to focus on technology, don't necessarily want to be the business person in the room or to kind of be the one developing those relationships. There are exceptions, but especially with the roots of cybersecurity, that's a lot of tech people who want to be in the tech, who want to be doing cool tech stuff. What that means, though, is that we're missing on some of the business side of how do we establish processes around this? What can we learn from other industries that have done this well? How can we operationalize this beyond just what the tech person is working on? And. And also how can we teach others? Because ultimately, if you look at cybersecurity, a lot of the talent that came up did it through trial and error that they did by themselves and not necessarily through going to school for it. And we even see this permeating the academic scene as well, to be honest, where even if you get a degree in cybersecurity, or in my case, a degree in computer engineering, you're not prepared to walk into an enterprise and work in cybersecurity. The practices that you learn there are very academic, and they are not built for the difficulties, the resource constraints that you'll face within an organization, or, frankly, the politics and the things that you have to navigate in business. So, to me, it's a combination of those factors that leads to just a difficulty getting to that next level of operationalizing something to be more effective than just that one person. And the other factor at play there is. It's a really technical field. It is not easy to find these unicorns that not only understand the technology and understand what it is to be a practitioner, but also understand how to play the politics game and want to play the politics game in an organization. And so it's just rare to find that mix of a person.

Erez Levy

So a couple of weeks ago, you and I sat down and recorded a podcast, and the piece that stuck with me since then was, you talked about your process of making a wave. It sparked a couple of questions. And for our audience, could you give a quick recap of your process? Because I think that was the piece that surprised me and I think is really interesting that I'm not sure everyone knows about.

David Moulton

Yeah, definitely. I certainly didn't know the Full extent of it before I became an analyst three and a half years ago now. So the Forrester wave, for those who are not familiar with it, is basically our evaluative piece of research. Think it's the equivalent of the Magic Quadrant, but for Forrester, and we typically evaluate up to, I think it's like 14 or 15 different vendors depending. And one of the things that I think makes Forrester unique in this process is that the person who leads the coverage is the one who leads the wave and does all the work for the wave. Now we of course have a managed cent of excellence that makes sure that the methodology is consistent across waves and has us have a basically project manager that makes sure we follow that methodology. But when it comes to the person that you are going to talk to about implementing XDR and the person that you're going to talk to about the different options you have to buy xdr, that is the same person, that is me, and the same thing for the person who's going to be talking about security operations. So there's continuity there that I really value because I can talk about the process side and then I can say, okay, but this tool is or is not working for that process. And here's how we need to make changes to make sure that that's better. Now, when it comes to the work behind the wave, this is a three to sometimes five month process. We do the wave every two years typically. Sometimes we do it more frequently or less frequently depending on the market. But it is looking at up to 14 different vendors and measuring them against a series of criteria. Now, over the course of those months, we do a couple of different things. We get a questionnaire response from all of the vendors and that has a variety of different questions for each criteria. And the criteria can be up to like, I think it's like 24 or something like that. And we measure vendors based on their strategy and then also their current offering. So we take a look at where's the product right now, where's the product going? And we score them based on that. And so we base it on the questionnaire is the first piece. And then we do a typically two to three hour briefing and demo from the vendor to try and better understand, okay, what is the strategy for the future. And then let's actually get into the product, let's dig into it, see what it's like, like, see what it's about. And then the last piece of this is we do a series of customer reference interviews. We try to do at least three per vendor because ultimately, I don't necessarily know what it's like to work day in and day out in the technology, but I want to to be able to give better advice to our clients. And so I'll do 30 minute sessions with multiple customer references per vendor to make sure that I get a full perspective. And those are some of the most interesting and fruitful conversations. Because it's really fascinating if a customer reference really likes the product. It's also even more fascinating when the vendor gives us a customer reference and the customer hates the product or hates the vendor, because that's where you get the real juicy stuff.

Erez Levy

I'm sure.

David Moulton

The reality is we talk a lot in the cybersecurity industry about like, oh, what do customers need? What do we need to tell them? They're so tuned in. Like, CISOs are so tuned in to what's working in the industry, what isn't. Sometimes they just want to gut check on whether or not what they're seeing is the truth, but they're really tuned in and really aware of what's going on. And so I love having those conversations with CISOs and then especially with their teams who are actually using the tools, because that's what I love is like, is this actually making your lives easier as the user, not just as the economic buyer, or is this something that's like just a pain to use or a pain to work with the vendor in general? So that is a very helpful part of this. And then we spend several weeks evaluating everything that we've found. We also, of course, go online, look at the vendor's website, look at the different resources we have access to do additional research, and we formulate a point of view on the vendors in the market. And now the cool thing about the WAVE is that it is relative to others in the evaluation. So when you get a WAVE score, whether it's a one, a three or a five, that's dependent on is the vendor capability for that criteria, is it on par with the market, is it above par, or is it below par compared to others in the market? And so everything is really based on where the market is currently at and where we expect that it should go. And the other thing that I really love about this process is we of course have the WAVE graphic, which is based on the scores, all of the scores. You can download an actual Excel spreadsheet and read into what the scores were, what they mean, what the questions we asked to get to those scores and to get to those answers and insights so you can get a really deep perspective of where we came at the evaluation from. And then of course we do a write up which kind of goes into more of our point of view on where the vendor is at. So it's a very involved process. But it's also just. You leave having such a deep understanding of the market.

Erez Levy

Let me go a different direction. Is there anyone that you try to stay away from or that you prefer not to have to spend your time with during these, these research periods?

David Moulton

So for any research, I'd say that the people that I don't like talking to are, or that I, I struggle to get real value out of our conversations are the ones that are just trying to sell me something. Like, to a certain extent, I understand a vendor comes in, they want to have a, they want to talk about how great their product is. But the challenge is that in a lot of those conversations they have first off think that they're the best. Which there's a lot of vendors in the industry that think they're the best. But in many cases they've lost sight of who the actual hero of this story is. And it isn't the vendor, it is the user of the product. It is the CISO that they are providing and working for. And so I want to hear about that. I want to hear about what the customer problem is, why the product really solves this well, and how you've been able to support serious transformation in these organizations with what you've built. So that's kind of my biggest priority and my biggest challenge is like, if I get in a room with someone who's telling me they have the best product in the world, I already know we're going to fight and it's going to be, I'm going to have to push them really hard to get to the root of what they're doing and whether it's actually helping customers.

Erez Levy

It sounds like just like a good soc, you're looking for like that diverse number of points of view, different ways of seeing what the product does and then looking for somebody that has that curiosity to go on that exploration and the research with you, not just a closed mind. This is what the problem is. Here's how to solve it. We're done.

David Moulton

Yeah, because it's not that simple. Right?

Erez Levy

Right.

David Moulton

There's a factor of respect here and respect for the people that have come before you, the people that have been working on this problem for a long time and understanding that you could have a really good solution to this problem that doesn't make it the best in the world. But you got to come back to the customer and the challenges the customer has.

Erez Levy

So is there anything that you try to keep in mind through the entire process? And are there any observations that you've made where vendors assume or get something wrong or right throughout that. That set of conversations and evaluation?

David Moulton

The thing that vendors get the most wrong in these evaluations is they approach it from the. Some approach it from the standpoint of what does Allie want to hear? And that actually plays into the start of your question, which was about, what is something you keep in mind throughout this. The thing that I want to keep in mind throughout this is that I might not be right. And that's really important to me is I don't go into this research with a point of view like, these vendors need to fit in the box that I have created, and then they're going to be the best. I go into this with the perspective of I want this vendor to convince me that what they're doing is right for the customer. Maybe it's not something that I have ever considered as an option, but if they can convince me it's right for the customer, that's differentiated, that's interesting. That's cool. And unfortunately, a lot of the vendors that are part of this evaluation, a lot of times they come in and they're like, well, we know Allie likes this, and we know Allie doesn't like this because she's written on this. So we're just going to say what we think she wants to hear. And the problem with that is that it often doesn't align to the point of view that the company has on the market. And that's the priority to me is like, what's your point of view on where the market is going? What's your point of view on the solution and the way to get to the solution? I may not agree with it. I don't have to agree with it, because I can tell you that not every client that I talk to, not every CISO that I talk to, agrees with my point of view. They go a different direction. And then we have a discussion about why that worked or didn't work. And so when I think about these evaluations, what I want is I want to see why what you're doing is important, who it's important to, and why it's different from everyone else. And that's not going to be something that I agree with 100% of the time, and that's a good thing.

Erez Levy

So, Ali, you talked about the most fruitful part of the conversation is talking to the customers, when you hear from those customers and they tell you what they want, they say very specifically, I want a faster horse. And you're seeing that the market's got the Model T right. How do you deal with that? And how do you reframe what they are saying they need? When you're. When you're having a conversation with a vendor to understand does their vision or does that point of view align with what a customer actually needs? If the customer's saying they desperately want something, but they're focused on the immediate solve, not necessarily the larger technology solve, that's possible.

David Moulton

I love this question so much because it comes up constantly, this idea of, oh, let's just reinvent the wheel here to solve the customer problem, but we're so good at it that we're going to solve it in a different way kind of thing. Now, with customers, this is especially difficult, right? Because, I mean, I was listening to a panel, a customer panel for a detection and response vendor, and in one breath they were asked, okay, what do you want to see in the product? Like, what would be really useful for you? And they said, we really want you to start doing configuration management and giving me visibility into that. Because you do such a good job on the detection and response side, it would be so useful if you could do a good job like that on the configuration management side. And then in the next breath, they were asked by the moderator, okay, what do you not want us to do? What do you think is the thing that we need to be most careful of? And they said, stay in your lane. Don't do something that you're not specialized in. We love what you do, we love what you're working on. Keep doing what you're good at. Those two things are completely at odds. Like, they could not be more at odds. But the problem is, is that, like, they're answering two different questions and they're giving honest answers to those two different questions, but they're not recognizing that sometimes a vendor will say, well, a customer said, I had to do this, so I'm going to do it. And we see that happening right now quite a bit with a lot of the changes that are happening in the SIM market, where many vendors are going, well, we're detection and response vendors. Our customers love us, but they want us to replace their siem. And so what should we do to do that? We should build a siem. And customers are like, yay, you're going to replace my SIM and you're going to do it better. But the biggest problem is how are they going to do it better? What are they going to do differently so they don't end up in the same issues that the SIM has been in for so long? If we think about the SIM market, look at ingest based pricing as an example. There are so many vendors out there who have said we're going to get away from ingest based pricing for the sim. Love that idea. That is a huge pain point for CISOs. But what ends up happening? They spend a couple of years burning investor money supporting a model like based on entities or pricing based on entities or some other model than ingest. It doesn't work, it's not sustainable. And they default to ingest based pricing after a couple of years. We even see this with hyperscalers. And to be honest, if hyperscalers can't solve a data ingest problem at scale and not defaulting to an ingest based pricing model, why do we think that there's a different vendor who can? They're the ones actually supporting the infrastructure. They're the ones who could do this at the lowest cost. And so I always try to have this conversation with the customer where I'm asking them, okay, you're trusting the vendor to do this, you want the vendor to do this, but why do you expect the outcome to be different and how are you making sure that the outcome is going to be different? And I do the same thing when I talk to any vendors and that is one of the most difficult conversations to have because they want their immediate problem solved and they trust the vendor.

Erez Levy

Right. So Ali, what's next in terms of your research? Are there any new approaches or challenges that you're excited about?

David Moulton

So the SIM market is kind of, for anybody who, who has been tracking that is kind of a bit of a dumpster fire right now. So that is the thing that I'm the most excited about and the most interested in. There's a lot of M and A happening, there's a lot of changes that are going on and I really want to dig into that because I get a lot of questions from clients. I'm like, what are my options right now? Like, what am I going to do next? What can I do next? And so we're actively working on research in that area around data management and approaches to data management. There's a lot of changes that have happened in the broader data management space that we can apply to security. So between that and then also detection engineering is such an important topic to me because I think that this is one of the ways that we can develop practitioners better and actually give them a practice. Those two factors are, I think, the most exciting things happening in security operations right now.

Erez Levy

Ali, thanks so much for the conversation. This has been a blast. I really appreciate you sharing your insights and sort of a behind the scenes look at your process and your career and really going deep on what you care about.

David Moulton

Thank you so much for having me. This was really fun.

Erez Levy

Before we wrap up, I want to invite you, the listener, to a special webinar that takes a closer look at the evolving XDR landscape. As cybersecurity threats grow more complex, extended detection and response has become essential for organizations to stay ahead. Join Josh Costa, Director of Product Marketing at Palo Alto Networks and today's guest Ali Mellon and myself for an insightful conversation on the latest developments in xdr. We get into market analysis, share practical insights and have a thoughtful conversation on the transition from EDR to XDR and what that means for your security strategy. I'll make sure there's a link in the show notes or you can search the Palo Alto network site for the State of XDR featuring Forrester. That's it for today. If you've liked what you heard, please subscribe wherever you listen and leave us a review on Apple Podcast or Spotify. Your reviews and feedback really do help us understand what you want to hear about. If you want to reach out to me directly about the show, email me at threatvectoraloaltonetworks.com I want to thank our executive producer Michael Heller. Our content and production teams, which include Kenny Miller, Joe in a Court in Virginia, Tran, Elliot Peltzman edits the show and mixes the audio. We'll be back next week. Until then, stay secure, stay vigilant. Goodbye for now.