Good afternoon, everyone. Welcome to theCUBE's day two coverage of Fal.Con 23. We're at Caesars Palace in Las Vegas, Lisa Martin with Dave Vellante. We're going to have a great analyst conversation next. Allie Mellen is here, principal analyst at Forrester. We're going to be talking about the security analyst experience, SOC metrics that matter, and the impact of gen AI. Allie, great to have you on theCUBE. Thank you for joining us.

Thank you so much for having me.

Want to get your overall impression of CrowdStrike over the years that you've been following it. The seventh Fal.Con, the biggest in terms of announcements, impact, attendance. Give us your take on CrowdStrike's business.

You know, it's changed so much, because for so long they were such an endpoint-centered company, and this is really a turning point for them, where they're taking a much broader view and starting to look outside of the endpoint at other sources of telemetry, both that they own and then third party as well. So I see this as a huge pivot point for the company, and I'm very, very excited to see where they take it next and whether they can apply all of that expertise and domain knowledge that they got from the endpoint onto these other telemetry sources.

So President Michael Sentonas called you out today, in a good way, at the keynote. So that's got to feel good as an analyst. He said you were one of the few, if not the only, analyst really digging in to the SOC analyst experience. So first of all, congratulations. That's nice to get the call-out. But what is it about that SOC analyst experience that intrigued you? What kind of research have you done there, and what can you share with us?

Yeah, thank you. It was really great to hear Mike say that. Mike has been such a big supporter of analyst experience and security analyst experience that we are totally aligned on the importance of that.
You know, when I started out in the industry, I worked with a CISO who would frequently talk about security analysts, and he would jokingly, kind of half-jokingly, say that they had the worst job in the world. And that always struck me as being very upsetting, because at the end of the day, these are the people who are feeding into other parts of the security organization. They're the talent that we need to make sure that they actually enjoy their jobs, that they actually get value out of them. And instead, they tend to go on for three to five years and they're like, I can't do this anymore. I'm out. This is not what I want to do with my life. So, analyst experience, and one of the reasons I've been pushing this so hard, is because I want the people who start in this industry to really understand what's really valuable about the industry and find their own path and find their own way to becoming better defenders. So when it comes to analyst experience, it's everything around what security analysts do day to day. The processes they deal with, the technology they deal with, the people that they're dealing with, their career paths, and how do we make all of those different elements better? Now, there's an obvious tie-in to user experience and to the experience that you have with the product, but it's really about taking it a step further and looking at every feature you're building from a workflow perspective. What do you have in a product that helps an analyst make a decision faster? Because ultimately, we need to be making these decisions as fast as possible. We want to have fast and accurate and complete response, and we can't have that if the tools we're using are fighting us.

I'm picturing an air traffic controller, just getting burned out.

Exactly.

So what kind of research... First of all, I should ask you upfront, scope out your research area. What's your practice area, and what kind of research have you done on this topic?

Absolutely.
So I've been with Forrester for a little over two and a half years, and I cover security operations. So a lot of people think of Forrester or other market research firms, and they think of the technologies that they cover. In that case, for me, it's EDR, XDR, SIEM, SOAR, and security analytics. But I prefer to talk about my coverage through security operations or detection and response, because ultimately, I get to do research on the process side and on the people side, which is so critical to anything you're doing with the technology. So security operations is really my focus, and then of course, security analysts are a key part of that, because they're the ones using the tech, they're the ones going through the processes. So security analyst experience came up through that and through, honestly, a lot of really cool data that we were able to pull on what analysts were struggling with. Things like the fact that context switching is, for the vast majority of analysts, negatively affecting their jobs. Other things like we have data from thousands of security decision makers that says that in the incident response process, investigation by far takes the longest. It's not detection, it's not response, it is the investigation and the trying to figure out what's actually happening part of this. And to me, that wasn't surprising, but it was so validating to drive home the point that we need these workflows to be better and to understand what the analyst is doing more.

Talk a little bit about what you've seen from CrowdStrike the last couple of days and how you feel that they are on the right track to really improve that security analyst experience, getting them the information that they need faster, improving that UI so that, from a job sustainability perspective, there's much more there for them to do. You don't have to say they're on the right track if you don't think so. It's okay if you're not.
No, but it's a great point, because there's an interesting split of vendors in the industry: those that have a service like an MDR service or an MSSP and those that don't. And those that have an MDR service tend to understand analyst experience much better than those that don't, because at the end of the day they have a team of practitioners that has to use that product every day, and they have to make money using that product every day, and so they understand what needs to be done to help their analysts make decisions faster, and so they can feed that back. It's like a great product feedback loop to help improve the product over time. We see a lot of vendors in this space looking at things like generative AI and their potential applications to improve this. Obviously CrowdStrike made a lot of announcements around this with Charlotte AI, and I'm really excited about the potential here, both from the standpoint of things like reporting and reporting on incidents, making that a lot easier for the analysts so they don't have to be writing reports all the time, and then also from the standpoint of having interactions with AI where it can give you advice on what next steps to take. Now fundamentally there's a very important part of this, which is the underlying data that you have to train these models, and if you have a service you're much more inclined to have the data to train these models to make better decisions, because the service provider, they're taking response actions all the time, they're taking investigation actions all the time, so it all feeds into improving the analyst experience through what you're able to glean, whether it's using something like generative AI or whether it's even just building out a better user experience in the workflow.

So I wasn't at Black Hat, but we were at RSA, and I didn't see a lot of generative AI demos.
George Kurtz on his earnings call said we were pretty much the only, at least large company or established company, doing a real demo with Charlotte AI. We saw the demo up on stage, looked pretty good. First of all, was that your experience? Did you see others? I got to believe everybody is talking gen AI. Other companies like Palo Alto have AI shops, and I know they're working on stuff if they haven't shown it yet, but they probably have, I'm just not up to date on it. So how much of a differentiator is Charlotte AI, in your opinion?

You are 100% right at RSA. There's so much talk, so many people just saying things about generative AI, but not a lot of implementation, and then even at Black Hat, we were starting to see demos, but they were so early, very locked-down private preview, and the capabilities were very limited. I expect that we will see most vendors have some type of generative AI capability built into their security operations product by Q1 of next year, so by the January, February timeframe. They're at different places with what they're building. There are a number of vendors who are definitely further along this path, but there are also some who aren't.

Would you say CrowdStrike is further along? Is that...?

I would say CrowdStrike is one of the vendors that is definitely further along in what they've been able to demonstrate and in what they've been able to enable their customers with.

I mean, we know in this industry, it's like the NFL. I mean, everybody catches up, and it's just sort of a game of leapfrog. But I mean, I was impressed with what I saw in the demo. But back to the SOC analyst experience, how do you see that affecting... I mean, you saw a lot of marketing terms, eight hours down to eight minutes, but how ultimately, Allie, do you think it will affect the SOC analyst in their experience?

There's a couple of areas where this is really important, right? It's not going to solve every problem.
There's no reality where it replaces the analyst, which is something that I hear quite a bit. But what it can do is it can save a lot of time on things like reporting, because nobody wants to write a report, sit down for an hour and write a report. So it saves a ton of time there, and in just understanding what's going on in an incident in a human-readable way. So there's an element of this that is all about the texture of communicating in a way that a human understands that we haven't been able to do so easily and so fluidly as we can with generative AI now. Then of course, there's the standpoint of what recommendations are you able to make so that you can orchestrate actions as an analyst faster, and how can you speed up the time to make those decisions by basically giving them that on a silver platter and saying, hey, we think you need to take XYZ action, you can add as you see fit, but these are at least the smallest set of actions that you need to take, and just saving them time with that. I think that we talk a lot about generative AI saving time for the newer analysts. I actually think it's going to be a big enabler of analysts that are at the midpoint in their career or later, because there's a set of actions that they know: yeah, I want to do that, I want to do that, I want to do that, I'm going to add on this one and then call it a day. Whereas the newer analyst is still trying to figure out, is this the right action, what do I need to think about as I go through the process?

Is that... I think it's three or 3.5 million open. Is that a Forrester number?

No.

Okay, whatever, because Forrester has a lot of data around this stuff.

We do.

But it's a big N, let's just say. Do you think that generative AI will compress that N?

I find this to be a very difficult question, because the immediate answer is most people think, oh yes, it's going to solve this problem, right?
But at the same time, some of the implementations that I've seen of generative AI in security tools are really broad and don't give actionable advice. They give advice, but it's not something that an analyst would actually implement or do. And so I worry that, at least in some technologies and some vendor tools, it's going to hamstring some analysts. Now there will be other tools, like a lot of what we've seen recently, that are able to help support the analyst and get them to that next level, because they're trained on the right data and because they understand what next steps really need to happen. But I do think there's going to be a balance here, where we're going to see some issues for analysts that are trying to figure out what the right thing to do is.

What's been some of the feedback at the event for you? I presume you've spoken with a number of security analysts, CrowdStrike customers and the ecosystem. What are some of the main challenges they're presenting you with, and what's some of your advice to them to be able to do their jobs better and faster and in a way that, to your point, is actionable?

Yeah. Unfortunately, it's the same challenges that we've seen for years and years and years, right? Complexity of the IT environment, day-to-day tasks, too much happening, too much pivoting and context switching between tools, that comes up constantly. And it kind of feels like we're running on a hamster wheel with no end, because inevitably we just see analysts facing these same problems. Now, my hope, and what I'm seeing a lot with the industry, is that XDR is helping to solve some of this, because there's so much about XDR that is about building better workflows into the platform natively without having to build them yourself. But it's still a work in progress, because even with XDR, a lot of the stack is much more limited than you'd see with something like a SIEM or a security analytics platform.
I'd love to have an analyst on who knows the market, because, and I love, you know, we come to events like this. CrowdStrike is a sponsor of ours. I'm sure they're a client of yours as well. So we always disclose that, but we're independent and we want to kind of get to the truth. CrowdStrike is great marketing. And one of the lines that they've used all throughout this show is "good enough is not good enough." And we know exactly who they're talking about. They're talking about Microsoft, going right after Microsoft. But good enough is so alluring. You see this in so many of Microsoft's markets, certainly with endpoint, with CrowdStrike. They recently announced more identity, more network security, going after Okta and Zscaler respectively, and others in that space. So Microsoft is a force. They've got a big business. They've got Azure. It's a flywheel for them. What do you make of that? Let's cut through the marketing and get to the reality. Customers will purchase from Microsoft because it's easy to do. It's obviously a competitive threat to companies like CrowdStrike. But are we at the point where... and there is a lot of overlap, by the way, between the accounts, we know that. Like there's, I don't know, 75, 80% overlap.

Yes.

In other words, CrowdStrike accounts, it's probably 70% plus also use Microsoft security tools.

100%.

Maybe it's a lot of shelfware. I don't know. So what are you seeing out there? Is this dynamic... are we separating from the pack in CrowdStrike, or is it more, Microsoft is sort of always there?

Microsoft is such a behemoth in this space. It has been for so long. And when we talk about "good enough isn't good enough" and all of that, it depends on what values you have and what your goals are. One of the biggest problems in security, and I see this all the time. I've mentored a lot of students who are getting degrees in cybersecurity.
And the thing they always say to me is, well, why don't these businesses just implement zero trust or implement this tool, and then cybersecurity problem solved? But in reality, it's not that simple, because the environment is complex, because there are budget constraints, because there are staff constraints, because they have to work with other teams like IT. And that's what happens with technology options as well, is that sometimes good enough is unfortunately good enough, because you don't have the budget to afford something else or you don't have the staff to afford something else. And so whenever I think about these problems, as much as I would love to say spend all of your money on all of these great tools and all of this great staff and get it all to work together, it's not a reality for every enterprise. And so there are many circumstances where I'll make recommendations based on the vendor that's best fit for that particular customer based on their needs.

Sure, you got a car that's out of warranty. You could buy a new car, or you could keep fixing the old car. Well, it might only be $2,000 to fix the existing car, and you're going to get hit with another bill six, nine, 12, 18 months down the road, but you don't want to shell out $50, $60, $80,000 for a new car or take out a loan, or interest rates are too high. Those factors weigh in. I mean, I would love to own a Ferrari. Does it make sense on New York streets? Maybe not. Maybe in Vegas, with that one coming in a month. Yeah, yeah.

What are some of the things that we can look out for from you on the research side, Allie, and where can we go to really get caught up with the things that you're...

Yeah, thank you. Always open to connect on LinkedIn with anybody who wants to learn. One of the big benefits of my job is that I get to write and share with as many people as possible what's going on in the industry. So connect on LinkedIn, go to the Forrester website. I have a blog that's open to anyone.
And as far as upcoming research, you mentioned it at the beginning, actually, I have something coming out on SOC metrics that I'm really excited about, because that's another key piece of this puzzle and a key piece to improving analyst experiences. How do you actually start measuring analyst experience so that you can make sure that over time you're improving it, not just guessing at it? And then I'm doing a lot of work on detection engineering and detection-as-code and what that means for an enterprise, because we are seeing more teams move towards that. So those types of pieces that are going to be way more into the process and the people side. I'm really excited by it.

It sounds like some really innovative research that you're doing. What are those metrics that really matter, in particular for that SOC analyst experience? Are you measuring burnout?

If only, yes. No, that is a key piece of it, though, is analyst sentiment with the activities that they're doing is a big part of it. The way that we break up metrics is by tactical, operational and strategic metrics. So strategic is obviously going up to that board level. Operational is more SOC manager, even up to the VP of security operations and CISO, and then the tactical are the SOC manager and security analysts. And a lot of times it comes down to a lot of the metrics that we know and kind of love to hate, like mean time to remediate, mean time to contain. But the thing that I always push is, whenever you're measuring these metrics, you need to make sure that you're doing them in line with some other metric so that it makes sense. One of my colleagues refers to this as having a numerator and a denominator. So if you're measuring something like the detection firing frequency, then you also want to be measuring with it the false positive rate. Because maybe it's okay if you have more false positives, because it's firing so much that there's a lot more that needs to be done there.
Or for example, maybe you have more false positives, but it's also something that, if you didn't catch it, it would result in a breach. You're going to accept some more false positives so that you can make sure that you're protecting the organization. So making sure that you have both of those sides of the equation is very, very important when doing metrics.

And the board wants to measure, I would guess, reduction in expected loss.

Yes.

Are we getting a return on our investment? That's how you would presumably measure it. Can you connect the operational and the tactical metrics to that?

100%. You read my mind. The tactical metrics roll up into the operational, which roll up into the strategic. And at the point where you get to the strategic level, it's not just the SOC that's affecting them. That's a big part of this for me, too, is if the board wants to get into what security operations is doing, you should be able to go there. But there are very few boards that are going to care or even know what security operations is. So keep it at that high level. Talk about it more from a security program perspective, and then be able to dig deeper if there's a specific tool that you got buy-in for that you want to show the value of, or a full-time employee headcount that you got that you want to show the value of, things like that.

Awesome. Allie, thank you so much for joining us on theCUBE and really talking about what that optimal security analyst experience can look like, the impact of gen AI, those SOC metrics, and some of the research that we can be on the lookout for from you. We really appreciate you joining us today.

Thank you. Thank you so much for having me.

It was our pleasure. For Allie Mellen and Dave Vellante, I'm Lisa Martin. You're watching theCUBE from CrowdStrike Fal.Con 23. We'll be back with our next guest in a few minutes.