The sheer volume of security alerts and data being generated by various sources like firewalls, servers, and endpoint devices is daunting. The challenge lies in sifting through this vast amount of information to identify genuine threats without throwing manual effort at it. Traditional security logs merely tell us what happened but do not provide insights on what’s happening now. The demand is for more actionable intelligence that focuses on different, more relevant data types rather than just more data.
In this episode, Subo Guha, chief product officer at Stellar Cyber, discusses the company’s efforts to turn raw security alerts and IT data into actionable intelligence at scale. Subo is joined by our panelists, Nick Espinosa, host of the nationally syndicated Deep Dive Radio Show, and Steve Zalewski, co-host of Defense in Depth.
Huge thanks to our sponsor, Stellar Cyber

Full Transcript
[Voiceover] Connecting security solutions with security leaders. Security You Should Know starts now.
[Rich Stroffolino] Welcome to Security You Should Know, the show that connects security solutions with security leaders. Today we’re talking about Stellar Cyber and what they’re doing in security operations. Now, the problem they’re trying to solve is turning raw security alerts and IT data into actionable intelligence at scale.
Helping us get some answers to these questions is Steve Zalewski, former CISO of Levi Strauss and the co-host of Defense in Depth, and Nick Espinosa, host of the nationally syndicated Deep Dive radio show. Nick, I’m going to get started with you. Why are we still struggling with converting our data into something actionable?
[Nick Espinosa] Because there’s a ton of it. If you think about it, look at every firewall, every computer, every server. We are generating an absolutely enormous amount of data, logging everything that we would need for forensics. There’s so much noise, and by virtue of that, we need a way to effectively streamline it.
Are you going to sit there and watch logs for eight hours a day? No. Nobody wants that job, and you’re going to miss a ton of stuff. So I think it’s super, super important to have a solution like this. And so by virtue of that, as we grow, as we expand, as we scale businesses and organizations, and as we increase our data usage, whether it’s basically session traffic on a web browser or something else, we are collecting all of this data that really just needs a lot of sifting through, killing of the noise to really find those kinds of threats.
And I think that’s a really important thing these days that, quite frankly, a lot of organizations are missing.
[Rich Stroffolino] Steve, do you agree? Do you have a take on why this is still a problem?
[Steve Zalewski] I think we’re solving a different problem now, which is we, in the past, have aggregated log data, security context, where it’s coming from security tools. And what we’re realizing now is it’s not just about the security logs. Security logs told us what happened, and what we’re being demanded to do now is to find out what’s happening and execute on that.
And that’s requiring not necessarily more data, but it’s certainly requiring different types of data than traditional security. So I have this exercise of ending up with a net more data, but also ending up with net different types of data, and then figuring out not just how do I collate it, but how do I reason through all of that data to be able to determine that something is happening, not just be able to determine an old attack that happened.
[Rich Stroffolino] All right. Today we’re going to be talking with Subo Guha, the SVP of product from Stellar Cyber, to get some answers. And now, Subo, before we get into the questions from Steve and Nick, we’ve got to get three essential questions answered so that we can get into the details. So first up, our triumvirate of questions here: How do I explain the value of our solution to a CEO?
What does your solution do, and what does it not do? And what is the pricing model? Subo, let’s get some of the preliminaries.
[Subo Guha] Thanks, Rich. Those are great questions, and good to meet you, Steve and Nick. Glad to be here. So what do we do and what’s the value we bring? The big value we bring is we serve and power 77 of the top 250 MSPs and 12,000 customers worldwide. And what we provide is an AI-based platform, which gives an end-to-end security operations capability.
I like what Steve talked about: the world is changing, right? So you have to get multiple data points and understand what’s happening, and that’s what we do. We have three value propositions. It’s open, it’s unified, and it’s human-augmented. And hopefully, we’ll talk more about that. We can integrate from any data source.
It’s not just about logs. So we’re open to whatever SIEM you have and what you’re capable of doing. We provide multiple deployment capabilities. Our biggest strength is one platform, one price. You don’t have to pay for multiple products. We don’t like to nickel and dime our customers. And what we want to do is get you up and running and be able to scale fast.
[Rich Stroffolino] All right, CISOs, you’ve gotten a taste of this solution, but I’m sure you’ve got a lot of questions. So let’s start with you, Nick. What other questions do you have about Stellar Cyber?
[Nick Espinosa] So I want to talk about innovation in cybersecurity because, to Steve’s point and my point, we’re collecting a lot of data. Steve’s point is there’s a ton of different data out there that we need to basically understand and therefore be very proactive in our defensive capabilities, if I’m understanding Steve correctly, and I do believe I am.
So with that, we know that, unlike traditional technology, cybersecurity pivots on a dime, right? We know that the iPhone 17 is going to be better than the 16 because it has a slightly better camera, etc. But we never know in cybersecurity when that 15-year-old kid is going to break all of Google, and we have to slam on the brakes and figure out what on earth just happened and therefore create an innovation.
So by virtue of that, let’s talk about Stellar Cyber in that vein. How do you plan to evolve your platform over the next, let’s say, 12 to 18 months, as we see new threat indicators, as we see new attack methods and patterns and whatnot? And what’s on your roadmap to basically, one, quantify data now, but two, really evolve into the future as we evolve our capabilities?
[Subo Guha] Yeah, that’s an excellent question. As I talked about, our platform is open, right? When we designed the platform, we didn’t want to get stuck with a certain EDR for endpoint alerts or certain APIs for certain applications. We can collect data from any source, right? It doesn’t matter what endpoint you use or what EDR technology you use.
We also have a next-generation SIEM built in, but if you prefer to use your existing SIEMs like Splunk and others, we can absorb those logs too. So what’s in our roadmap? Our roadmap is about—we have a modular sensor capability today that allows you to do different ingestion of data as well as being able to do different types of parsing, because we want to be able to collect all the data and then, through our AI platform, be able to parse and do that.
Because the demand of integrations is becoming so heavy, we’re moving more toward a self-service model where customers can actually, in the UI, start building integrations on the fly. So that’s one of the things we’re working on. We’re working on AI automation, hyperautomation capabilities to be able to rapidly discover more things and be able to do it faster.
So definitely it’s all about speed toward moving to the autonomous SOC vision.
[Steve Zalewski] Cool. So I’m going to ask his question slightly differently. When I look at the SOC, the thing that always has frustrated me more and more is, as soon as I have to do eyes on glass, as soon as my level one or level two analyst has to get involved to start running a runbook, I’ve lost the war because it just is too slow.
So when I look at something like Stellar and what you said around looking at what’s near real time, looking at a security mesh, and looking at AI, I then go, are you trying to make me more efficient—which is, are you trying to get rid of the level one and level two analysts because the work they’re doing really isn’t relevant anymore because I’m trying to look at what’s happening—or are you trying to make me more effective at stopping the attack, which is, are you using your reasoning models to now get me to a containment stage before I engage my level three analyst to then go figure out what additional containment needs to be done?
So efficiency versus effectiveness: remove level one and level two analysts because they just aren’t doing the job I need, and empower level three analysts to actually do post-containment, not first-gen containment. Where do you stand?
[Subo Guha] Yeah, so I think we’re definitely on the effectiveness side. One of the things—why we built our platform to be AI-layered—is to be able to reduce the alert fatigue. What you’re talking about is level one, level two are spending an enormous amount of time just trying to figure out what these alerts mean and then trying to triage and be able to do that.
Our goal is, with our AI capability, we’re able to get all the alerts, we’re able to filter it, and then we’re able to correlate because there could be some dependencies or time-based things that are causing it. You can quickly determine if there’s a kind of issue that’s happening and it’s a constant issue, and you can do it.
What we’re moving towards is the autonomous SOC model. Through auto-triage, we’re going to be able to do that faster. I want to demystify a myth: we don’t believe the world tomorrow is going to be human-less, right? Less people. We think autonomous SOC means we’re going to augment the SOC to be more intelligent.
We’re going to have agentic AI agents that are smarter because of the AI technology to be able to filter and make recommendations, but there’ll be that feedback. So your level one, level two start becoming smarter. They’re not doing the daily grunge work of trying to figure out the volume versus the remediation.
And that’s where we’re moving towards hyperautomation and autonomy, to be able to make the platform more intelligent.
[Nick Espinosa] So that then opens up a question for me. Let’s talk about ROI or time to value, because that’s essentially what we’re driving at here. And so I’d be curious to know, if I’m looking at this from a CISO perspective—I’m interested in adopting your technologies and platforms to help my company—do you have metrics on things like mean time to detect, mean time to remediate, reduction of incident response times, all that kind of stuff?
When we’re talking about automation, we’re talking about artificial intelligence, what we’re really talking about is remediating threats significantly faster than if a human has to do it. And when you’re talking about reducing the load on, let’s say, level one or level two SOC employees, then essentially that’s what we’re talking about, right?
So can you speak about that for a bit?
[Subo Guha] Yeah, so definitely mean time to detect, but more importantly, mean time to repair, right? So basically, remediation is probably more important. We actually have a performance management module in our product where you might want to have SLAs and SLOs. Most of our primary customers are MSSPs who have multiple tenants.
So they could be a Pepsi, Coke, whoever, right? And they have SLAs they have to serve back if it’s a critical incident or if it’s a moderate incident risk level. So we look at different metrics and we actually are able to track that. You can put thresholds in the platform to say, are you meeting the SLAs that your customers are expecting, like an MSSP to their end customer?
And then we learn from that—how do we improve it with our AI detection capabilities?
[Steve Zalewski] When I was at Levi’s, I used to say, was my job to secure the company, was my job to protect the business, or was my job to sell more jeans? And ultimately, the job is to sell more jeans. So as a security vendor then, for me to go to my executives, how are you or how do you provide my first line of defense, my last line of defense, and evidence of defense in selling more jeans?
[Subo Guha] At the end of the day, if you’re a retailer, it’s about selling product. If your systems are down, if a customer can’t purchase or there’s an attack, you’re shutting down, right? So what we do is deterrence and prevention is the best cure—being able to make sure you understand where the potential risks are coming from, being able to then put in the right amount of security capabilities.
And then, more importantly, having the capability to detect on a mass scale globally what potential for you might have in the future. So it’s all about prevention at the front end in terms of understanding where the attack could be. It’s more in terms of when something happens, you can quickly get back.
The issue that we saw last year with all the airlines and everything with CrowdStrike—it’s all about how you can recover faster, right? So you can sell more jeans. But you have to first put in that firewall, right? Be able to understand where the threats could come from, be able to understand all the different areas to do that, but more importantly, how do you recover from it in a faster way?
[Nick Espinosa] And I will just say that was a really fun day at the airport for me in 2024. I had nothing but time on my hands to blast out memes on how angry I was about it.
[Subo Guha] Yeah, you don’t want to keep seeing blue screens, right?
[Nick Espinosa] Not so much, not so much. No, that was an interesting day. But one of the things that you mentioned, too, is that Stellar seamlessly integrates pretty agnostically with the tools that anybody’s going to run. Basically, it’s a pick-your-own-adventure with EDRs, firewalls, cloud services, etc., etc.
But I want to talk about what you don’t necessarily integrate with. So think about it from a perspective of legacy OS, or I’m thinking manufacturing. There’s a ton of ICS out there that was essentially manufactured when the Macarena was popular, and they’re running until the wheels fall off still. And so, by virtue of that, when you’re looking at legacy systems, operating systems, old ICS, all this kind of stuff, how can Stellar help with those kinds of things?
Or is this something that you’re just attempting to isolate and just wall off or segment off the network?
[Subo Guha] Yeah, that’s one of the things—when I joined this company, I was just surprised how many thousands of integrations we can do. One thing that people don’t know is we also integrate NDR, which is a network detection capability in the platform, because we think the threat could come from anywhere.
It could come from a firewall. It could come from a network. It could come from an endpoint. People also may not know this, but we also can get sourcing because the world of OT has changed. Before, it used to be a proprietary way to get OT devices, which are manufacturing, right? So the world of IT and OT is converging.
We actually can get alerts and detections from IT and OT, and we’re seeing a lot of manufacturers have stopped using the more OT-only vendors, because then you have to have an OT-based security platform and an IT security platform. Our platform does both because now the OT protocols can be retrieved over the IP address.
Now, we strive to get as many OSs as possible. There are some legacy VMs and all that that make it problematic, so it’s a case-by-case if we don’t. But our goal is to be able to be an open API and open integration platform, so we want to do as much as we can. But I’m sure there are some that we just don’t cover.
[Rich Stroffolino] Subo, what’s one thing we didn’t ask about that we need to know?
[Subo Guha] I think the key thing here is there’s all this debate about the future being the autonomous SOC. And I think, what is the role of the human in the SOC, right? I think people are not going away, and I think it’s important to understand SOCs need to be human-augmented, not replaced. This is not a driverless Tesla world that we’re trying to talk about.
We’re talking about making the SOC smarter, and humans will actually make it better.
[Rich Stroffolino] That’s it for this episode of Security You Should Know. To learn more about Stellar Cyber, head on over to StellarCyber.ai. Thank you to Steve Zalewski and Nick Espinosa for helping us learn more about Stellar Cyber—some fantastic questions today. And thanks to Subo for their time in answering all of these great questions about Stellar Cyber.
Thank you for listening to Security You Should Know.
[Voiceover] That wraps up another episode of Security You Should Know. If you like this program, please subscribe, tell your friends, and leave us a review. All companies showcased on this program are sponsors of CISO Series. If your company would like to be spotlighted and interviewed by our security leaders, go to our contact page on CISOseries.com or just email us at info@CISOseries.com.
Thank you for listening to Security You Should Know, connecting security solutions with security leaders.