Hi, and welcome to another CUBE Conversation. I'm Peter Burris from our outstanding studio in Palo Alto, California. And today we're talking security, which is an especially important topic in today's digital-business-driven world. And specifically we've got Slavik Markovich, who is the CEO and founder of Demisto. Welcome to the CUBE.

Thanks for having me here.

So Slavik, there are so many directions we could take a conversation about security these days, but let's just start with a relatively simple one. Security operations is becoming increasingly important, but remains especially complex. How is the problem manifesting itself in business today?

Yeah, so I would summarize it really simply as having too many with too few. There are just too many alerts, too many security tools, a very fragmented landscape, and there are not enough analysts to handle all the security events that are coming up. And so this is a huge problem in the sense that security is hurt by that. You have a lot of events that are just left on the table unhandled. And so that's what we're trying to solve: helping the analysts basically have a much better life and process, and handling those kinds of issues much more efficiently.

So if you go inside, if you go to a security operations center, a SOC, you rarely encounter a party.

Yeah, they're a lot happier.

The more likely scenario is you see some people who are highly stressed and largely unhappy and counting the hours until they can retire. Partly that's a function of the fact that we've got all these tools and we've got all these increasing risks as more folks attack, but there are also some uncertainties associated with how processes actually work. So to what degree can a solution like Demisto bring some clarity to how security processes should operate within a SOC?

Yeah, it's a great question. So as you said, when you go and visit those analysts, they're very unhappy.
They're unhappy because people have this concept that when you go into security, you're going to deal with the sophisticated stuff. You're going to deal with finding that, you know, nation-state attacker and this malicious, super-persistent hardware malware and so on.

Oh, you're the top, you're going to be a hero.

Yes, you're going to be the hero. And that's a very interesting perception, but then the end result is that most of your day is spent, you know, handling the basic stuff: failed logins and VPN alerts and change-password requests and phishing attempts, things that are very mundane.

High-risk drudgery.

Yes, high-risk drudgery. That's perfect. And so those analysts just hate this process and they spend so much time on it, and this is why you see this turnover of analysts that don't last over 18 or 20 months in a job, because they're dealing with all this mundane stuff. And even when you're dealing with the more interesting stuff, as you said, there's no consistent process for how to handle it. There might be a document somewhere on your wiki or SharePoint that specifies what you should do, but there's no way to actually quality-assure that and make sure that what they're doing indeed matches the process. And so, yeah, the analysts are getting bogged down by those mundane alerts, don't have time to look at the interesting stuff, and when they do have time, it's very hard to follow the process. And what we at Demisto are doing to fix that problem is trying to solve it by having a single platform handling all of the life of the SOC, meaning handling all the knowledge management, all the processes and the people assignments and all of that. And so what we're doing is having full case management for incidents, including all the metrics and all the SLAs and assignments and, you know, evidence tracking and cryptographically signing it and so on.
But beyond that, we allow you to specify a consistent process that you lay out in a Visio-style chart. So you basically just drag and drop all the steps, and we then allow you to take those steps and replace them with automations, because we have integrations with hundreds of security tools, and those hundreds of security tools provide thousands of actions that you can do across them. And so when you have a step that says, you know, check the prevalence of this file, or detonate this in a sandbox, or do any of those, you can actually replace that manual step with an automation and save the analyst the time of going ahead and doing that. And so not only are we bringing consistency to the process, but you're also bringing a lot of efficiencies, because you can just replace those manual tasks, and then a lot of the simple, mundane incidents you can just take away from the analyst completely, so they can focus on the really important stuff. And then beyond that, what we're offering is for when you have to get off the predefined process. Because, you know, we're dealing with a smart adversary. Some of them are super smart.

Not all incidents are alike. Some of them are the smartest.

Smartest, yeah.

There's a lot of money to be made in messing companies up these days.

Exactly, and not all incidents are cookie-cutter. And so when you have to get off the predefined process, we allow the analysts to collaborate with other analysts, invite them to our virtual war room, and then also talk with our bot and do interactive stuff beyond the predefined. So you can go to our DBot and say, hey, dear DBot, retrieve this file from this endpoint, detonate it in this sandbox, bring me the result. Oh, it's malicious. Then isolate the endpoint and block this IP. And you can do all of that in one single place without going to 10 different tools and then copy-pasting it into your case management system.
But let me make sure I've got the summary, because you said a lot there. So the trend: a lot more users, whether they're actually human beings or devices, and a much greater surface area from an attack standpoint. So a lot more events are being generated. Those events can now be trapped by an existing tool set that, again, corresponds to that degree of specialization. And then when they generate an alert, you have a low-code approach to being able, through APIs, to capture that information, simply describe automations, and then have the shop follow the processes and conventions and routines associated with the automations they design. Have I got that right?

Exactly. And so it's not like we're saying we're going to replace your analysts with automation. That's usually not the case, but we do allow you to basically apply a process, a consistent process that has automations, to make your analysts' work much more efficient. And so, as you said, an incident comes in, and it can be from various sources. It can be from a high-fidelity security tool, or from your SIEM, or from your mailbox, somebody reporting abuse or something like that. We take that incident, automatically apply the process, run all the automations, and then allow the analysts to make the important decisions. So the analyst sees the data and then decides, oh, you know what, this is malicious, and then we can do the response. Or it's not malicious, and then we can close the ticket and so on. But we're not replacing the analysts, we're just elevating their level.

A lot of these integrations are out of the box?

Yeah, we have over 200 integrations out of the box with, I would say, the usual security tools, IT tools, Active Directory, and your endpoint and your network and so on and so forth.

And the second related question is, obviously one of the biggest challenges that you face with any of these very powerful tools is that they can take a long time to configure, set up, and then roll out.
Time to value associated with Demisto, what is it?

So just the installation and configuration of the integrations is a matter of an hour, and you're up and running. But then when you take a use case and build a playbook and automation for that, this usually takes days. So per use case, it takes time to adjust it to the process of the enterprise. And so out of the box we come with about 50 playbooks, but then an enterprise will take those playbooks and adjust them to their own processes.

That's great. So you've been around since 2015, first shipped in 2016. Where are you on the maturity curve?

So we've been growing like crazy, in a sense. We are now releasing our fourth version of the product. 4.0 is coming to Black Hat. And this is, you know, we have hundreds of customers, over a hundred employees, and we've been growing and hiring aggressively.

So if you think about what the next two years are going to be: higher risk, more devices, more work to do, but tooling like Demisto is going to be able to better manage a lot of that and facilitate collaboration amongst the team. For example, I believe you have some pretty decent Slack integration directly in the tool.

That's true.

So this becomes a way that you can actually, it's a tool for running your SOC.

Exactly. It's a tool to run your SOC, but when we look ahead of that, what we really focus on, what I'm excited about, is the capability to enhance or add more efficiencies to the process by using machine learning, and then trying to learn from the organization and feed that knowledge back into the organization. So if we see analysts interact with our bot and ask for certain actions, for certain types of incidents with certain indicators, we can learn from that, and then when a new incident comes in, we can make a recommendation and say, hey, you know what? From what we've seen in previous incidents, this is what worked, this is a sequence of actions that worked, and we can feed that back to the analyst.
And we can actually feed that back into building the playbooks and enriching them even more. So I think we can actually use machine learning across the entire platform and even take it outside of the SOC and into other use cases. So we already integrate with AWS, so we can actually help you with all the cloud security: if you detect something, we can take a snapshot, we can change IAM.

You mean end to end.

End to end.

So they're going to do fine with their own security, but you mean end to end.

Of course.

So you're incorporating them into your security chain.

Yeah, so we view ourselves as kind of the brain of the process, right? So we want to help you define what should happen, and we'll actually invoke and execute that across your security tools. So part of it can be on AWS, part of it can be with your compliance team or with your vulnerability assessment team or app security team. We expand even beyond the traditional use cases of the SOC into anything, in fact, in security that has a process tied to it.

Slavik, thanks very much for being on theCUBE and talking about security. An incredibly important topic that requires a lot more conversation, but even more doing.

Okay, thanks for having me.

So once again, Slavik Markovich is the CEO and founder of Demisto, and you've been watching another CUBE Conversation. Until next time.