Casey Ellis
Hey, this is Casey Ellis for the Risky Business podcast. This is a sponsored interview with Matthew Muller from Tines. How you doing, Matt? Good to, good to see you.
Matthew Muller
Ah, doing wonderful.
Casey Ellis
Great to, great to be chatting today. I was excited to get the opportunity to talk with you and to talk about Tines because it's just always been a fascinating solution to me since, since it first landed and since then, you know, the whole idea of like security orchestration where Tines fits into that and kind of the leadership you guys have developed in the industry has been pretty obvious. I wanted to ask the question, there's a billion things you could automate with this platform by design, but obviously there's a tyranny of choice and some interesting trends I'm probably sure that you're seeing. What are the most common use cases that you're seeing that are kind of providing value back to the user?
Matthew Muller
I think when people first come to us, they're at sort of the very base of what I would sort of jokingly call Maslow's hierarchy of security angst, which is, you know, dealing with like tickets and alerts.
Unknown
Right.
Matthew Muller
Like these are the things that for a lot of teams, you know, their, their ticket queue is the thing that's just always lurking in the background, always waiting for them, always counting down until they violate an SLA.
Unknown
Right.
Matthew Muller
And these are just very top of mind things. And so whether it's, you know, reducing false positives from a detection system or sort of triaging that, you know, security at junk drawer inbox that everybody's, you know, sending emails to, never heard of it. This is where I think a lot of folks start. Right. But it's certainly not where they end. You know, I think one of the things that people realize once they've tamed the noise of that is that there's a number of different parts of the security organization, not even just within the SOC, that can do with orchestration, automation across what is, you know, becoming an increasingly fragmented tech stack. And that's where I think Tines really, really starts to shine.
Casey Ellis
Interesting. So can you give some examples of that?
Matthew Muller
Yeah, absolutely. I think when we talk about automation versus orchestration in general, the way we sort of divide those two concepts is automation can happen within a single system.
Unknown
Right.
Matthew Muller
Automation is merely the set of steps that you want to have happen when a set of conditions occurs. Orchestration is a little different. Orchestration is about pulling together two or more different systems that might not necessarily talk to each other out of the box every time. For example, you do ChatOps. Right. And you have a Slack bot go ping you to kick off even a deployment in another system, you're engaged in some sort of orchestration. And so for us it's really exciting to see teams start to use Tines as not just orchestration between technical systems, but as an orchestration between teams and across organizational boundaries as well. We actually run a competition every year called You Did What with Tines and, and the winning entry this year was somebody who built an interface for IT admins in their organization to be able to cross reference a list of assets against what CrowdStrike knew. And so, you know, these IT analysts weren't normally allowed to have access to the CrowdStrike dashboard. They don't need it for their, for their day to day work. But by orchestrating this cross referencing with Tines now these two teams are able to collaborate much more effectively. Right. Because you have these, the IT organization whose mission is to make sure that everyone's endpoints has a certain software payload and you have the security team who asks to make sure that CrowdStrike specifically is deployed everywhere and running and detecting things. And the only way for these two teams really to achieve that mission together was through orchestration with Tines. So I think those are the types of use cases that I love seeing people sort of expand their worlds to and moving beyond just satisfying alert triage.
Casey Ellis
Yeah, yeah, that's a really compelling sort of thought. The idea of like a high side, low side interface where you've got things that shouldn't or can't be directly touched by the user, but you've got the ability to transact value across that boundary.
Matthew Muller
Absolutely. And in the modern SaaS world we see a lot of what I would just sort of call the inspectability problem. Right. Where it's often difficult to get a full audit trail out of the tools that you use. Or maybe you have security controls in place that these tools just don't support. For example, I think a really common one is there should be dual approval of changes to sensitive systems and you would be surprised how many critical SaaS systems don't support that notion out of the box. And so where people will use Tines is to initiate that change from a Tines workflow where we actually have an end-user-facing UI that we call Tines Pages and the admin can propose the change through there. It automatically starts generating an audit trail, it can go to a different admin for approval. And now you have all those controls over your processes that you sort of expect by default. And now you can apply that to a less mature IT system.
Casey Ellis
So you've effectively retrofitted but using that same system that you're using for all of the other things.
Matthew Muller
Absolutely.
Casey Ellis
From an orchestration automation standpoint. Yeah. That's very cool thinking through what that would look like. The example that you just gave. Like, what are some other examples of that type of use case? Because that to me feels like, you know, probably the weirder or the more kind of edgy use cases or the more kind of customer specific.
Matthew Muller
Yeah, I mean, I think, you know, one of the sort of unexpected use cases that I saw was an organization that actually built out an entire shift handover solely using Tines. So they had a use case where, you know, an analyst would come to the end of their shift and maybe for whatever reason they're in the middle of working a ticket.
Unknown
Right.
Matthew Muller
And, and haven't completed that process and you know, high performing security teams want to make sure that the ball doesn't get dropped in between regions or in between shifts or what have you. And so they built a whole system that relies on Slack emojis that get fed back into a Tines connected app. And based on the Slack emojis that they apply, you know, tickets coordinate between different states and you know, again, it's a kind of a fun and gamified way to do shift handover, which, let's be honest, my eyes start to glaze over when I say the words shift handover.
Unknown
Right.
Matthew Muller
And you know, you can make this process that's critical actually a little bit.
Casey Ellis
More engaging for folks that's, I mean, that's fun. That's a great idea. Like the idea of using a platform like this to address what's functionally kind of a HR problem really when you think about it, it's like, how do you make the SOC operators shift changeover process just that slightly less sucky?
Matthew Muller
I mean, and it's, it's a process that's near and dear to my heart as well. I mean, coming from a security operations background myself, I'll always remember back in the day when, you know, we would have maybe a user that would have some kind of, you know, anomalous activity alert, not necessarily guaranteed malware, but something a little bit, little bit unexplainable. And so, you know, our process back then was ping the user on Slack, hope that they're still online, hope that they reply to me before shift handover, and if not, just sort of sit around and wait to see if they end up ever slacking me back that night.
Unknown
Right.
Matthew Muller
And so there's ways with Tines to make that process not just about the shift handover itself, but having the robots handle the process of pinging the end users, receiving the response, feeding it back into the case, so on and so forth.
Casey Ellis
That's very cool. So I guess, interesting, some of those use cases, that's a very kind of esoteric component of working in a SOC that wouldn't necessarily be obvious to the Maslow's hierarchy thing that you were talking about before. So I guess do you see those kind of meet in the middle? Like you've got your management and your top down sort of CISO level prerogatives. But then obviously this has been designed as a platform to be used by engineers or people at least with an engineering mindset. How does that work?
Matthew Muller
Yeah, I mean, I think what we sort of see is that as people start to understand a little bit more exactly what their SOC and security operations processes are, that's where they actually can start to get a little bit more sophisticated about it as well. SANS actually just published some survey data that said that the vast majority of SOC teams measure analyst workload based solely on ticket volume. And when you really think about it, when you really think about everything that a security operations team does, that just scratches the surface.
Unknown
Right.
Matthew Muller
And so you have analysts that may have unseen and undiscovered processes, or at least unseen to management.
Unknown
Right.
Matthew Muller
Who can only sort of measure ticket flow. Once you start thinking about processes that you can automate, automation makes it measurable. And measurable means you can now start thinking back and reporting up to leadership on. Here's what actually is all the work that the SOC is doing.
Unknown
Right.
Matthew Muller
And give that management view.
Casey Ellis
So putting, I guess putting the ability to distill out management friendly but relevant metrics. Yeah, that's a really clever. That's a logical interface point because yeah, you're right. The only thing worse than no metrics is bad metrics. So to be able to arrive at that kind of place faster is very powerful.
Matthew Muller
Yeah. And what's even worse is that the data also suggests that those bad metrics are also mostly being calculated manually today, which just adds insult to injury really.
Casey Ellis
So there's like the meta.
Matthew Muller
Not only are your metrics bad, you are painstakingly scraping them together in a spreadsheet. That's just. Yeah, not the world I want to be in.
Casey Ellis
Yeah, it's something that we just talked about. We'll touch on this briefly before we wrap. But yeah, this idea of, of kind of platform security engineering focused platforms kind of you know, to me like having their heyday at the moment, you think about you guys, you think about some of the others that are, that are around and out there and many of them had a slow burn for a period of time, but they've sort of taken off over the past three or four years. And I would consider Tines to be one of those in that mix. Right. Maybe at the time it dropped in the market it was a little bit too security engineering in its focus or the security engineers didn't have enough authority to promote it internally. Would be very keen to get your thoughts on that just in terms of what you've observed and what you think about that thesis or that observation.
Matthew Muller
Yeah, I think there's so many pendulum swings in cybersecurity.
Unknown
Right.
Matthew Muller
And you see that in the SIEM vs. data lake debate that seems to rehash itself every couple of years. And I think on the automation front what we discovered was there was a lot of pent up talent that was locked into very sort of rigid automation frameworks that often required heavy coding knowledge or had brittle integrations. And so Tines when we first launched with this no code low code builder, it unlocks people that had the knowledge and thought process to go build automations but maybe didn't have the Python chops. I think the best kept secret of Tines today honestly is that you can actually pull back those covers and you can write code under the hood if you want to, but most folks discover that it's actually best to stick with that automation workflow builder. And so then you kind of get the best of both worlds where the advanced builders can go into the hood, do as much customization or technical stuff as they want and junior members of the team can log in, suggest changes, understand what's happening.
Unknown
Right.
Matthew Muller
And you get more contribution from folks with less technical knowledge. And it sort of serves as the bridge between the highly technical engineers and the less technical folks that may just have good ideas but can't contribute them.
Casey Ellis
And I mean I think going beyond that as well, you still at the end of the day providing a solution that has more flexibility to the actual use case of the user. I mean the alternative in terms of previous generation solutions you've got like Thus Saith, Palo Alto Networks or McAfee or whatever else. And for some that works and for certain problems it's effective and then there's everything else.
Matthew Muller
Yeah, it's really an 80/20 rule where probably 80% of the integrations and use cases are going to be very, very similar across organizations. But it's that last 20% that counts so much.
Unknown
Right?
Matthew Muller
And that's really where I think Tines shines is. We have a bunch of out of the box templates, but everything is as customizable as you want it to be.
Casey Ellis
Tines Shines. I like that. That should be a blackout T shirt, if it isn't already.
Matthew Muller
We'll get one made up specifically for you. There you go.
Casey Ellis
I appreciate that. All right, so thank you everyone for tuning in. This has been Casey Ellis on the Risky Business sponsored podcast with Tines. We've been speaking with Matt Muller, the field CISO for Tines. Check them out at www.tines.com.
Matthew Muller
Thanks so much for having me, Casey.
Risky Bulletin Podcast Summary
Episode: Sponsored: Tines Shines at Solving Interesting Problems
Host: Casey Ellis
Guest: Matthew Muller, Field CISO at Tines
Release Date: August 3, 2025
In this sponsored episode of the Risky Bulletin podcast, host Casey Ellis engages in an insightful conversation with Matthew Muller, the Field Chief Information Security Officer (CISO) at Tines. The discussion delves into how Tines is revolutionizing security orchestration and automation, addressing common challenges faced by Security Operations Centers (SOCs), and exploring innovative use cases that extend beyond traditional security functions.
Matthew Muller opens the discussion by highlighting the foundational challenges that many security teams encounter. He humorously refers to these challenges as the "base of Maslow's hierarchy of security angst," primarily dealing with managing tickets and alerts.
"When people first come to us, they're at sort of the very base of what I would sort of jokingly call Maslow's hierarchy of security angst, which is, you know, dealing with like tickets and alerts."
— Matthew Muller [00:51]
Muller explains that initial use cases often involve reducing false positives from detection systems and managing the overwhelming influx of security alerts. However, Tines' capabilities extend far beyond these entry-level solutions, offering orchestration and automation across increasingly fragmented tech stacks within security organizations.
A significant portion of the conversation distinguishes between automation and orchestration. While automation involves executing a set of predefined steps within a single system, orchestration coordinates multiple systems that may not naturally integrate.
"Automation is merely the set of steps that you want to have happen when a set of conditions occurs. Orchestration is a little different... pulling together two or more different systems that might not necessarily talk to each other out of the box every time."
— Matthew Muller [01:56]
Muller emphasizes Tines' strength in orchestration, enabling seamless collaboration between different teams and organizational boundaries. He cites an example where IT administrators used Tines to cross-reference asset lists with CrowdStrike data, facilitating better collaboration between IT and security teams without granting direct access to sensitive dashboards.
Muller shares unique and unexpected use cases that demonstrate Tines' versatility. One notable example involves an organization using Tines to manage shift handovers within their SOC. By leveraging Slack emojis and Tines workflows, the organization created a gamified and engaging process to ensure continuity between shifts.
"They built a whole system that relies on Slack emojis that get fed back into a Tines connected app... making the shift handover process a little bit more engaging for folks."
— Matthew Muller [05:42]
This approach not only streamlines critical handover procedures but also makes them more enjoyable for SOC operators, addressing both operational efficiency and employee engagement.
The conversation shifts to the importance of metrics in SOC operations. Muller points out that many SOC teams currently measure analyst workload solely based on ticket volume, which only scratches the surface of their true responsibilities.
"SANS actually just published some survey data that said that the vast majority of SOC teams measure analyst workload based solely on ticket volume... Once you start thinking about processes that you can automate, automation makes it measurable."
— Matthew Muller [07:49]
By automating processes with Tines, organizations can gain deeper insights into their operations, making previously invisible work visible and providing meaningful metrics for management. This facilitates better reporting and informed decision-making at the leadership level.
Muller discusses how Tines bridges the gap between highly technical engineers and less technical team members. The platform's no-code/low-code approach allows advanced users to customize workflows while enabling junior members to contribute ideas without extensive coding knowledge.
"You get the best of both worlds where the advanced builders can go into the hood, do as much customization or technical stuff as they want and junior members of the team can log in, suggest changes, understand what's happening."
— Matthew Muller [11:21]
This flexibility ensures that Tines can cater to diverse teams, fostering collaboration and innovation across different skill levels.
Casey Ellis wraps up the episode by acknowledging Tines as a standout player in the platform security engineering space, noting its significant growth and adoption over recent years. The discussion underscores Tines' ability to address both common and niche challenges in security operations through robust orchestration and automation capabilities.
"We have a bunch of out of the box templates, but everything is as customizable as you want it to be."
— Matthew Muller [12:03]
For more information about Tines and their innovative solutions, visit www.tines.com.
Thank you for tuning into this episode of Risky Bulletin. Stay tuned for more insights and updates from the cybersecurity frontier.