Enhancing Humans in Your SOC with RedCarbon

SOCs are drowning in alerts. Human analysts find themselves overwhelmed by the sheer volume of security data generated from multiple tools and platforms. And that’s before we consider the rapid growth in threat actor activity. The traditional approach of manual alert triage, threat hunting, and incident response simply can’t meet the realities of today’s threat landscape.

In this episode, Simone Rapizzi, CSO at RedCarbon, explains how their AI-powered platform uses specialized models to automate threat detection and response while learning from each customer’s unique environment. Joining him are Jonathan Waldrop, former CISO, and John Scrimsher, CISO at Kontoor Brands.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, RedCarbon

The RedCarbon platform enables an AI SOC: it automates threat detection, incident analysis, and intelligence monitoring across SOCs. Operating 24/7, our AI Agents reduce analyst fatigue and accelerate response times. Seamlessly integrating with SIEM, EDR, and XDR platforms, RedCarbon enables scalable, cost-effective security, adding infinite AI Agents.

Full Transcript

[Voiceover] Connecting security solutions with security leaders, Security You Should Know starts now.

[Rich Stroffolino] Welcome to Security You Should Know. Today, we’re talking with RedCarbon and what they are doing in the emerging AI SOC space. Now, the problem that they’re addressing, it’s a big one. And it’s the reality that humans can’t scale to meet the massive surge in cyber threats. I work on Cybersecurity Headlines. We see this all the time. Helping us find out more about their solution are Jonathan Waldrop, CISO at large, and John Scrimsher, CISO at Kontoor Brands. So, Jonathan, I’m going to start with you. Why are cybersecurity professionals still struggling? Why are we hitting this human limit in the SOC?

[Jonathan Waldrop] Well, find me a team anywhere that says, “Yep, we’ve got enough people. I couldn’t do anything else if you gave me another person.” We have a full, great handle on all the tech we’ve got. There’s no new cloud applications. There’s no new AI that we’re trying to manage and secure and data coming from all different directions. So, there’s still this plethora of data and systems and telemetry that we’re trying to sort through. There’s never been more of it, and it’s never been more difficult to really get to and sift down and filter through what we need to take action on, what is actionable intelligence to go stop threats.

[Rich Stroffolino] All right, John, I’m going to come to you. Why are we still struggling right now with kind of this human scale in the SOC problem?

[John Scrimsher] It really boils down to two words, scale being one, and contextualization, the other one. The context of the threat, as Jonathan mentioned, is constantly changing. The tactics, techniques, and protocols change. And being able to quickly switch context for the different types of threat actors at scale is nearly impossible for the human capabilities.

[Rich Stroffolino] All right. Well, today we’re going to be talking with Simone Rapizzi, CISO at RedCarbon. To start out, we’re answering three essential questions. So, Simone, help us out here. How do I explain the value of your solution to my CEO? What does it do and what does it not do? You know, what are its kind of category limits here? And what is the pricing model? Can you help us out with these preliminaries?

[Simone Rapizzi] So, our solution aims to help the people in the SOCs to be more active, more proactive in facing the new, faster emerging threats that we are facing. So, since the attackers are getting stronger, they’re getting more skilled than defense people, they have more time, they have more tools. We also have multiple tools in defense, so we are increasing the number of our alerts. We [Inaudible 00:02:32] help a human to put order in these scales and to be as fast as possible because even the attackers are getting faster than the humans. So, that’s the main idea. Moreover, with this solution, we can not only address an issue in the shortest time as possible, we also may help your team to get rid of the skills shortage and have the time to increase in the skills they need to be as effective as possible. Otherwise, we may overlook some others that are very important.

[Rich Stroffolino] And then in terms of pricing, where are we at? Is this based on ingest? Is this based on proceed? Well, just kind of that kind of basic.

[Simone Rapizzi] It’s based on cases. You can say a case is an incident, so it’s not a single alert. It’s a broader scenario idea. So, the price model is based on the number of cases we address in a full year of license.

[Rich Stroffolino] Fantastic. All right. So, CISOs, we’ve gotten a taste for the problem. We’ve acknowledged that. We’ve heard a little bit about what RedCarbon is doing. I’m sure you still have a lot of questions though. So, John, I’m going to start with you. What other questions do you have for RedCarbon?

[John Scrimsher] As you said, there’s lots of questions, but the first one is around the contextualization piece, that it’s already difficult training people on the business and where the different systems are, where the risk levels are, and things like that. I can imagine it would be difficult to train an AI model. So, I would really like to understand better, what does the training look like? How do you train it for each unique environment that every business is?

[Simone Rapizzi] We have multiple models. One of these models is called the ThreatHunter, which has a single job. It’s to understand the environment. So, it runs across all the cases we have on the platform. It understands how the analyst solves a case, what are the roles or the objects it finds, so a server, what is its role, if it’s normal, and it’s trying to find abnormal patterns in this full number of alerts it has. So, thanks to this kind of a retrospective analysis, we can understand what’s going on better. Moreover, we can have feedback for the training model to increase from time to time, so we can have kind of a more specific training for each customer inside a broader model.

[Rich Stroffolino] All right, Jonathan, I’m going to come to you. What other questions do you have for RedCarbon?

[Jonathan Waldrop] Yeah, it sounds like an interesting way to solve this problem. I’m curious, really, where it sits in our tech stack, and if there’s existing tech, you know, EDR, SIEM, different technologies that we would need to have in place before we would want to bring in a technology like RedCarbon. Or is it a standalone? Can it come in and stand on its own legs? That would be my first question.

[Simone Rapizzi] Okay, so RedCarbon cannot work on its own. I mean, it needs information. This information, this data may arrive from multiple sources. Of course, it was designed based on the EDR solution or XDR solution, moreover. So, we have multiple connectors for multiple solutions. I mean, the top of the bridge [Phonetic 00:05:34] right now. We suggest having at least a SIEM, an EDR. I mean, kind of a baseline solution nowadays that we need. So, that’s all we need. More important, the less visibility you have, the less useful we may be, of course. So, we work with the customer to increase the visibility they need.

[John Scrimsher] I’d like to ask a little bit about the licensing model. Again, you mentioned it was on cases. As a CISO, that concerns me a little bit, and I’d like to maybe understand if I misunderstood how the model works because I can’t control the number of cases that come in. That’s an external threat actor function. And so what could I do to control the costs that I may be incurring?

[Simone Rapizzi] Well, right now, we have an idea of the top number of cases for each year. So, we adjust the price at the end of the year in order to match the real number of cases we have. So, we can’t predict how many cases you will have in the coming year, of course. As you say, it’s more a threat actor activity to be, I can say, as gentle as possible to create less cases. But since we are also helping the company to increase their visibility, we know that the number may increase. So, we will perform an adjustment at the end of the year to understand which is the real number of cases we need and to change the kind of cost to the next year. So, it’s kind of dynamic, it’s aesthetic in this case.

[Jonathan Waldrop] I’ll switch over to the interface of the platform. How does a SOC analyst interact with your platform? Who’s the right level of analyst to be logged in and to take this type of data?

[Simone Rapizzi] Well, the platform provides a full environment to the analyst. So, he has the case, he has the observable items he found, he has some threat intelligence that has been found by one of the models inside the current [Inaudible 00:07:20]. So, every case is enriched by all the information we may have, both from internal and external providers. I mean, company systems, for example, or external threat intelligence providers. And even a level one analyst has all the tools he needs to better help his own company in managing the case. So, we can start from the low-level analyst to the top one. We can also have a ThreatHunter, which may use a threat-hunting model to perform Sigma rules-based analysis, for example. Or we may have an incident responder. For example, I’m one of them. They can use the platform to perform some investigation in a case. We also have a mobile app for the manager [Inaudible 00:08:00].

[Jonathan Waldrop] Oh, interesting. Does the platform, is it providing information for the analyst to make a decision? Or is it providing a recommendation? Or is the goal for this tool to ultimately automate a case based on the information that’s gathered and a rule set that the analyst helps set up? Hey, if we see this anomalous login activity, then we’re going to proactively reset this account type of thing, reset the password or MFA, for example.

[Simone Rapizzi] The platform provides all the information about the case. So, it also provides some already analyzed idea. So, based on the experience it has on the customer, based on the other cases it has already analyzed, and information, of course, in a single case, it provides the analyst kind of a pre-made case solution and recommendation. So, he can say, “Okay, it’s fine. I’m satisfied with this information,” or “I want it to go deeper.” And he can also perform other analysis.

[John Scrimsher] What does the overall reporting look like? So, at the back. So, not addressing incidents, but executive reporting or just being able to provide metrics back to the CISO, the CIO, the CEO, what kind of metrics are built in?

[Simone Rapizzi] We have, of course, a technical report about a single case, and we have a report about the entire environment, so for a single customer. So, for the C-level, for example, we have a specific report that can help them have a better insight of what’s going on, so without the technical information. And we also have a compliance point of view, so we also provide some information about how the environment is performing based on some of the main compliance frameworks. So, we can also add this type of reporting. And the report is a PDF you can easily download or access.

[John Scrimsher] Since it is artificial intelligence, does it look at the context of the past 30, 60 days of types of threats or cases that it’s addressed and provide recommendations for change to the environment?

[Simone Rapizzi] Well, we can run back to six months based, of course, on all the information we have. We can also perform the analysis on our cases, so based on this data lake, or directly on a data lake of the customer. So, without any, I can say, already analyzed information, we start from scratch, for example. So, the ThreatHunter model will start from scratch and perform a new scenario hypothesis. So, we can run back as far as needed so far. We say six months, but in real time, we can go back as far as the data we have.

[John Scrimsher] Frequently, I’m always running into problems with integration of new solutions because whether we use a different ITSM or we use something that’s different, all those different things that can happen. What does your ideal customer look like? For your ideal customer, it’d be the easiest implementation.

[Simone Rapizzi] Well, I think the easiest one is the one that has all solutions with an API because we are API, all documented API, so we can easily integrate with other solutions. We can also develop specific connectors for the best of breed solutions. So, right now, we have multiple connectors to the main vendors about XDR solutions or SIEM, for example, and so on. And we have yet still a customer with, I can say, some custom integration, let’s say. In this case, we can develop the connector if needed.

[Jonathan Waldrop] As far as your SOC analyst personnel, do you have metrics on estimations for how much time it’s going to save them? How much more efficient are they? And to the extent that you could potentially not necessarily reduce headcount, but you could hold off on hiring additional headcount because you can scale more easily with this platform.

[Simone Rapizzi] We know for each case how much time we have saved. So, we have our own statistics based on the multiple SOCs we have worked with. So, we have our benchmark. We know how much time a single analyst can save based on the case, based on the complexity of the case. But the main idea is to help the people to perform better so they can run multiple cases, more cases in a day, or they can train in the meanwhile with the spare time, so they will be more effective later.

[John Scrimsher] So, kind of building off the last answer, frequently people believe that if you implement AI, it can allow you to replace the entire team, which I know you’ve already kind of said is not the goal here. But if I’m talking to my CEO who doesn’t understand the technology, I need to be able to explain to him there’s always administrative overhead and things like that. What is a minimum number of employees you need to have just to manage the solution?

[Simone Rapizzi] We’ve seen SOCs with two people. So, I mean, the problem may be that based on the number of alerts they have, two people, even with this platform, may not be enough. It depends, of course, on the number of incidents.

[Rich Stroffolino] All right, Simone. Well, what’s one thing we didn’t ask about that we need to know?

[Simone Rapizzi] What I think is the common features we will have. So, we are going to focus on different solutions for the same platform. One of these is an on-prem solution because we are cloud-based mainly, of course, due to the AI solution, of course. But we have some customers that require off-the-grid analyst support, let’s say. So, we are working to provide them a totally disconnected solution that can have the same properties and same capabilities. This is kind of a huge goal from my side, but it’s very important because we have, for example, a public sector that cannot use public cloud in Italy. And moreover, some strategic sectors and strategic companies may need to have as private as possible their information.

[Rich Stroffolino] Well, that’s just about it for this episode of Security You Should Know. To learn more about RedCarbon, head on over to RedCarbon.ai. And if you have any feedback on this show or questions for Simone, send them over to us at feedback@CISOseries.com. A huge thanks to Jonathan Waldrop, CISO at large, and John Scrimsher, CISO over at Kontoor Brands, for helping us learn more about RedCarbon, digging into the details about what matters to security leaders. And a huge thanks to Simone Rapizzi, CISO at RedCarbon, for your time and being game to answer all of these questions. And thank you for listening to Security You Should Know.

[Voiceover] That wraps up another episode of Security You Should Know. If you like this program, please subscribe, tell your friends, and leave us a review. All companies showcased on this program are sponsors of CISOseries. If your company would like to be spotlighted and interviewed by our security leaders, go to our contact page on CISOseries.com or just email us at info at CISOseries.com. Thank you for listening to Security You Should Know, connecting security solutions with security leaders.

Rich Stroffolino
Rich Stroffolino is a podcaster, editor, and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.