Building a SOC Team in 2024 - Automation & AI


What is the future of SOC? In this episode Ashish sat down with Allie Mellen, Principal Analyst at Forrester, to explore the current state of security operations and the evolving role of AI in cybersecurity. Allie spoke about why *Cloud Detection Response (CDR)* might be dead, how *Generative AI* is failing to live up to its hype in security use cases, and why automation will never fully replace human security analysts. We get into the challenges faced by SOC teams today, the burnout issue among security analysts, and how adopting *detection engineering* and eliminating the outdated *structures* could transform the way security teams operate.

Questions asked:
00:00 Introduction
02:48 A bit about Allie
03:13 The role of analysts in cybersecurity
05:56 What is EDR?
06:30 What is XDR?
08:42 The impact of GenAI
10:19 How is GenAI going to impact SOAR?
14:52 Where to start with SOC?
24:08 Starting to build your SOC team
27:32 How SOC should respond to new technology?
31:48 Expectations from Managed SOC providers
35:16 Detection challenges for Hybrid Environments
38:01 Level 2 and 3 SOC in new world
42:37 What training is required for the SOC team?
48:49 How will this space evolve?
51:48 The Fun Questions

Allie Mellen: [00:00:00] It was really interesting coming to BlackHat because at RSA, everyone was talking AI. There's been so much less of that. And in part because, and we see this with clients all the time, they're disillusioned about generative AI and its use cases here because a lot of the demos over promised and ultimately under delivered.

SOAR is one of the areas where generative AI can be really useful, especially if you're talking about what the practitioner can do to leverage generative AI instead of just whatever the vendor is going to build in. Because ultimately, if you think about what generative AI is, it's basically a very good probabilistic model of what comes next in a very complex sequence, which is why it's great for human language.

One of the problems that I have with some of these implementations is they've created something where Great, you can go and ask it any question, but if you can ask it any question, what question are you supposed to ask it? The fundamental problem that I see a lot of security operations teams facing is looking at a lot of these tools and messages and thinking, okay, where is my shortcut to automate people out of this process?

Ashish Rajan: [00:01:00] Cloud Detection Response is dead. Yes, CDR, as we have all known it, needs to change. And for this conversation, I had Allie from Forrester, who is focusing primarily on the SOC security operation, AI usage and security at Forrester, which is an analyst firm. And in this particular conversation, we spoke about the fact that, hey, if you are someone who is a SOC director looking to build your SOC team, or someone who runs a SOC team in an enterprise, what are some of the challenges you're facing today in terms of technology?

Is AI the answer for you? And perhaps some of the ways you can hold on to the staff and not make them burn out, irrespective of what comes next after cloud, whether it's AI or anything else that may be coming in the future. There's a lot of ways you could be addressing this. And in this particular conversation, Allie shared a lot more about her experience by talking to CISOs as well as the product side of the world, where there was a balance between what is the right way to approach the detection response space and what kind of skill set would you require for your teams to be able to respond to the growing number of threats that are coming in based on new [00:02:00] technologies like cloud, AI and even going deeper into some of these as well. If you know someone who's building a SOC team or working in a SOC team, please do share this episode with them. They will find the conversation we had with Allie quite valuable from the experience she has talking to all these CISOs from all these amazing enterprises out there.

If you are here for the second or third time and have been finding our episodes valuable, I would really appreciate it if, when you're watching this on video on YouTube or LinkedIn, you give us a follow. If you are listening to this on Spotify or iTunes, definitely drop us a review or rating. It definitely helps more people find out about the amazing work we're doing on Cloud Security Podcast and helps us bring more conversations like these over to you.

So I hope you enjoy this conversation with Allie on the current state of security operation and whether AI could be the answer to save your SOC team. Because after all, teams are the most important things we have as assets in our organization. It's not the tools. Welcome to another episode of Cloud Security Podcast.

Today I have Allie with me. Welcome Allie. Thank you. Welcome to the show. For people who may not know about you, could you share a bit about yourself?

Allie Mellen: Absolutely. Thank you so much for having me. I'm thrilled to be here. I'm Allie Mellen. I'm a principal analyst at Forrester Research. [00:03:00] I have been with Forrester for three and a half years now, and I cover three things.

Security operations, which is where I spend most of my time, detection engineering, all that fun stuff, nation state threats, and AI and its use in security tools, which is not a hot topic at all.

Ashish Rajan: Oh, all would I talk about AI right now? It's like MDDR or MDR is so hot. I also realized as a CISO, I never appreciated Forrester and other analyst firms, right?

No not in the context of in the importance of it. I just did not realize what is it that Forrester does, or what is the value of an analyst, because I think if you can set that context as well so people understand your perspective, it would be good because I used to assume that, oh, is there a lot of reporting coming out?

But there's a lot that goes behind it. Clearly, we spoke about this before, we'd love to share, if you don't mind sharing a bit more about what does an analyst do and what this is all about as well.

Allie Mellen: Yeah, no, I'm more than happy to. It's an interesting job because I was not looking for it when I got hired.

I was like, oh, I'm an analyst, what am I going to do? [00:04:00] Most people think of the Forrester Wave or the Gartner Magic Quadrant when they think of analyst firms, which is an evaluative piece of research on a particular technology or market category. In reality, what we do is, that's a lot bigger than that, right?

That's one small piece, but where the fun stuff comes in is all the research we do around that. In the context of security operations, I obviously cover EDR, XDR, SIEMs, SOAR, security analytics, but also the people process side with detection engineering, the security analyst role, analyst experience.

So long story short, what my job basically is: I spend a third of my time doing research on these topics. Basically, looking at the problems that we see our clients, which are Fortune 500 CISOs, having. That could be the technology. It could be the process. It could be the people. Then I spend a third of my time giving recommendations to CISOs and their teams on how they should be approaching security operations, nation state threats, and AI and its use in security tools.

Based on that research.

Ashish Rajan: Yeah.

Allie Mellen: And a lot of [00:05:00] times the questions that come out of that, that I can't answer, are what leads to more research. Ah, yeah. Yeah. And then a third of my time doing things like this, like podcasts, press, going to conferences, speaking on some of the research that we do.

It's really fun. I really enjoy it. It's interesting because analysts come from a lot of different backgrounds. So like my background is, I was a computer engineer before running a consultancy, mostly with startups out of MIT. And then I became a hacker before becoming a security practitioner. So it's cool that we're at BlackHat because this was the first conference that I ever spoke at. Oh wow! Yeah, it really introduced me to the field. And I just loved it. I fell in love immediately.

Ashish Rajan: And you're still stuck here. It's you never left. Come on Allie, come back over here. I'm glad you brought this up because it sets the context as well.

And I would like to dig deep a bit more. You've mentioned MDR, EDR, SOAR, SIEM. Let's start with the whole EDR space. What is EDR? Is that for people who don't know what that is?

Allie Mellen: EDR is [00:06:00] Endpoint Detection and Response. So typically that means having an agent on an endpoint and looking for attacks that are happening in real time or tracking enough information that you can go back and find attacks that have happened previously.

Very attack oriented, not very misconfiguration oriented. And that's some of the, especially for those that aren't in the detection and response space, I often see confusion as to what is detection and response? Yeah. In the EDR context, in the XDR context, it is all about finding attacks that are happening.

Ashish Rajan: What is an XDR? You just literally, you walked into that one as well. What is an XDR?

Allie Mellen: XDR is the evolution of endpoint detection and response technology. So it's where we see that technology moving and having moved, which is basically take all the good stuff that you got from EDR, very popular. We see that through the ER market and the MDR market.

Keep in mind that you get a lot of high quality telemetry from the endpoint.

Ashish Rajan: Yeah.

Allie Mellen: But you also know that endpoint data is not enough. You need information from the network, as much as I might hate it. You need [00:07:00] cloud information, you need identity information, email security. All of those tools can be really useful for context around an investigation.

Previously, you'd have to do that pretty manually in the SIEM. Do some manual correlation there. With XDR, it's all about integrating very specific telemetry sources for higher quality detection with the endpoint as a large focus, but expanding out from there and continuing to make sure that those are really high quality detections.

That's what kind of differentiates it from what we see with the SIEM market, which is much more open, bring in whatever you want from a log perspective.

Ashish Rajan: And I'm glad you mentioned the difference between misconfiguration and actual threat detection as well, because a lot of the audience we have, even though they've been practicing for a long time in cybersecurity or they're CISOs themselves, a lot of people have unfortunately been marketed the term that, hey, the new wave of security vulnerabilities, for lack of a better word, is misconfiguration.

You're like, actually, threats still exist. And I think that's what you're referring to as well here. That the EDR, MDR, XDR space is primarily more around the [00:08:00] real life to your point, earlier you said nation state. All those things still happen. It's not that everything is a misconfiguration.

Allie Mellen: I think the distinction is very important.

And I take a lot of inspiration from Sounil Yu, who published the Cyber Defense Matrix. Oh, yeah. He talks about the difference between basically NIST's now govern, identify, protect and detect, respond, recover. And the way that I like to talk about those is you've got, on the one hand, infrastructure improvements on the identify, protect, and govern side.

And then you've got the more situational actual attacks that you're facing on the detect, respond, recover. So you can think about it as like the infrastructure piece or the structural component of this, of the enterprise, versus the very situational attack that's happening on the infrastructure. What are you doing about it?

Ashish Rajan: And sounds like it's probably the field prime for some kind of a, I won't say disruption. I probably say acceleration by Gen AI, because sounds like to what you said, it's a lot about getting the right context and fairly quickly. So you can respond to it accurately. How do you see the Gen AI impact?

Because you obviously are specializing research in that space as [00:09:00] well. How do you see that? It's a long time. You're already sighing like, Oh, it's going to be a long time.

Allie Mellen: It really depends on who you ask. There are a lot of people that think it's going to accelerate things a lot. To be honest, especially.

It was really interesting coming to Black Hat because at RSA, everyone was talking AI. There's been so much less of that at Black Hat, especially on the show floor. And in part because, and we see this with clients all the time, they're disillusioned about generative AI and its use cases here.

Because a lot of the demos over promised and ultimately under delivered. There's some cool use cases for generative AI, especially on the security operations front around things like reporting. What practitioner likes to write long reports about the cool stuff that they've done, they'd rather be doing the cool stuff.

I relate to that, having to write reports every single day. And then the other aspect that's been really useful is on script analysis. So just basically inputting a script saying, what is this doing? Give me some guidance. That's where we're seeing a lot of really beneficial, although not as [00:10:00] exciting, improvements with generative AI.

Ashish Rajan: Yeah. And what I'm excited for over the next few years is to see now that hopefully we've calmed down from some of the hype, what other areas we can get really useful and not really be looking for. Basically having a solution looking for a problem.

You have a hammer, you're just looking for a nail.

Everything is a nail. That's what it's

Allie Mellen: been for the last few years.

Ashish Rajan: And because, something which has been there for a few years has been SOAR. It's a SOAR subject as well. No pun intended. Oh, terrible. But I believe a lot of people felt that Gen AI could be the answer to finally achieve SOAR.

Because it used to be, I'm going to use this bad joke again, it used to be a SOAR topic because people would think that, oh, this is going to solve automation, ultra automation, whatever the next version of it became. Where is SOAR in all of this?

Allie Mellen: I love this question so much because I think that it's actually, SOAR is one of the areas where generative AI can be really useful, especially if you're talking about what the practitioner can do to leverage generative AI instead of just whatever the vendor is going to build in.[00:11:00]

There's a crossover here between what you can do with a playbook and how you can integrate a prompt book. And that's going to be the sweet spot for them is, hey, you're going to be able to do all the steps you would normally do in an investigation that you're automating with SOAR, because it's way more focused on automation of investigation than response.

There is a misnomer here. And then you are able to use generative AI to say, write that report immediately at the end of the investigation, and to execute tasks like that, that you have to do, but you don't necessarily want to do manually. So I think there's a big opportunity for that crossover. The way that we talk about generative AI in security tools is in three buckets.

So the first is content creation. So creating text, creating code, images, all of that. Yeah. The second is behavior prediction, which is a really cool one, but not something we're seeing a lot of yet. Because ultimately, if you think about what generative AI is, it's basically a very good [00:12:00] probabilistic model of what comes next in a very complex sequence, which is why it's great for human language, right?

But when you put it in those terms, it becomes very clear what it can and cannot do. In a lot of ways, like it's not a brain, but if you're able to model what's going to come next in the complex sequence, you could do that for a lot of different things, not just language, but you could treat attacker activity as a language.

You could treat user activity as a language. We haven't seen it be used in this way because to be honest, machine learning does a good job of that, and it's not necessarily worth the cost and the development time to use it that way, but it's interesting. And then the last one is the knowledge articulation chatbot use case, which is interesting because we're actually seeing that a lot of teams just aren't really using the chatbot capabilities.

Ashish Rajan: Yeah. They didn't do too smart for it I'm smarter than a chatbot.

Allie Mellen: I think it's largely because there's no trigger to actually go and use the chatbot. One of the problems that I have with some of these implementations is they've created something where, great, you can go and [00:13:00] ask it any question.

But if you can ask it any question, what question are you supposed to ask it? That's a part of the problem here. So I like to see it built into the analyst experience and the analyst workflow. Because that's where it's actually going to be useful, is when we understand what the analyst needs and we just give it to them.

Ashish Rajan: I was at RSA and I made this, I made a prediction. I called it suggestive prompts. The intent was that you don't want a 3am phone call and you're a SOC person, SOC analyst, you wake up and you realize log4j, insert whatever vulnerability, but you don't have a starting point. You don't even know what kind of question to ask.

Which it probably is, and if the product was smart enough to realize that, hey, my threat intel tells me that now log4j is prevalent. It's everywhere. And it's coming. So probably the first question I say, am I being impacted by log4j, is the first prompt that comes up automatically. And so it's a suggestive prompt, as I like to call it, then it's Oh, I have a starting point.

I'm not like it's like a almost like you're like a it's not a block for a writer's block or whatever you call it. Yeah. You just basically what am I writing here? Like I might just might as well do what I know I'm just gonna leave this [00:14:00] and just try and find some research find the people I personally think there's to what you said with the chatbot.

The knowledge consensus thing. I think it's pretty awesome. I think the behavioral field is already interesting as well. It's very interesting to see here that it has not gotten a lot of adoption, or maybe this does, and maybe that's where people would be a lot more excited about. I feel like chatbot one to point to what you said, unless it's so suggestive front.

You're not gonna really gonna use it. But it makes me wonder if I were to set the baseline for people who are CISOs or SOC directors, what are they doing wrong about SOC right now? Because I feel like this is like one of those turning points that they can use as I should probably do something better.

It's like I'm ready for AI when it's ready. Because do you want three buckets. We're still evolving. We probably are not there yet. What are they doing right now, which is probably wrong in the way they do SOC. You can start there and I'm going to pull that thread a bit more. So where do we start?

Allie Mellen: This is such a difficult question because it's very dependent on the team and how they're approaching it.

But the way that I'll get into this is, I like to use the term the blob. Okay. To describe some [00:15:00] people in the security industry. Which are

Ashish Rajan: Any person named Blob is going to be like, so offended, Allie.

Allie Mellen: Basically it's taken from Ben Rhodes, who was the former Deputy National Security Advisor for the Obama administration.

Ashish Rajan: Okay.

Allie Mellen: And he called the foreign policy establishment in Washington the Blob. Okay. Basically, a group that is so steeped in their groupthink that they can't escape it.

Ashish Rajan: Okay.

Allie Mellen: And we have a blob of our own in security. Okay. And it tends to be, unfortunately, people who are putting out a lot of marketing messages, a lot of messages to investors that don't represent the reality for the practitioner or the reality for the technology.

And it may seem oh, okay, this isn't a big deal. But I actually think it is a big deal because one of the challenges that it raises is it causes a lot of confusion for practitioners, for CISOs as to what's possible with a particular technology and what isn't possible. And just what's possible for the SOC as one example, but it's all over security to be honest.

And so [00:16:00] the fundamental problem that I see a lot of security operations teams facing is looking at a lot of these tools and messages and thinking, okay, where is my shortcut to automate people out of this process and to try to remove people from this process? I fundamentally believe that we will not see, certainly not in our lifetimes, and by that point, I don't have to worry about the prediction because I'll be dead, that we will not see security operations be completely automated.

I don't see a reality where that's ever going to be possible, because at the end of the day, the coolest thing about security operations is we're constantly fighting an actual person. There are actual people that are trying to break into our systems. Now, taking me back to my background in computer engineering, one of the things that you learn very often and early in software development is it doesn't matter whether you're writing machine learning algorithms, writing AI, writing just typical code, you are creating something that has a set of constraints, and you have to operate within those constraints.

The technology has to operate within those [00:17:00] constraints. You know what loves to go around constraints? Hackers! They love to find ways around it. And so I worry about some of the energy that's being put into trying to surpass or avoid having more people and investing more into the people and process pieces.

Ultimately, that is where we should be focusing more of our time and understand that technology is supplemental to that.

Ashish Rajan: Oh, okay. So to your point, the mistake perhaps is the fact that instead of focusing on, hey, how can we improve so we can respond quicker to things instead of what tool can I buy to basically have, more screens to look at for a SOC analyst.

Allie Mellen: Which, that's the fundamental problem that we've seen with SOAR, is the expectation that you're going to be able to automate people away, or automate through the entirety of response. It's not going to happen that way because it's not structurally built to do that. The other thing that I really prioritize is, I used to work with a CISO, and he would say to me, security analysts have the worst job [00:18:00] in the world.

And he was only really half joking about that. We need to be better about how we are making sure that security analysts feel comfortable getting to the next steps in their career. Yeah. The way that we talk about this is through detection engineering and through making sure that analysts are able to explore detection engineering more and take it on as part of their role.

We see this being very successful in a lot of enterprises and in a lot of security vendors, actually, especially in the services space. But anything that we can do to support the analyst experience is so critical, and we oftentimes really fail here. And it leads to a lot of people getting burnt out, leaving the industry entirely, or just getting enough experience to go to a security vendor and calling it a day.

And if you think about it, security operations is the gateway to talent for the rest of the organization.

Ashish Rajan: Yeah.

Allie Mellen: And we need to make sure that those people can get there. Otherwise, we just see them leaving and, I don't know, going and making furniture or something like that, which is great. I'm very happy for them.

But I would like to keep people in this [00:19:00] field. Of course. And make sure that it's more accessible to more people.

Ashish Rajan: And maybe going back to that third bucket that you referred to.

Allie Mellen: Yeah.

Ashish Rajan: Perhaps a way to achieve this could be that the knowledge is available through a chatbot, if you want to go down the path, for an analyst to at least start learning, asking questions. And the way I hear that conversation also is that the reason why it's a hard job is because, A, there's shift work that definitely is a mental toll.

Leave the technology aside in itself. It's just I struggle to sleep at all times. So I can't imagine what this would be like when you have shift work. So for that reason alone, it's already hard on them and kudos to them for doing an amazing job. But to put another lens to it, if they have a way to say, quote unquote, upskill or be understanding the context of the organization fairly quickly and be able to create detection for it.

And I feel like that not that third bucket that you referred to, you reckon that can help bring that bar a bit more. Or even the bar, for, can that third bucket even [00:20:00] the bar for those cyber security analysts or SOC analysts, where now they are able to be more productive, as they're calling it, to be able to have more context?

What would make it easier? Because I think, yes, we've called out that it's difficult. Yeah, what would make it easier? How could we close that gap? Is there a solution right now for that?

Allie Mellen: I think that there is, I don't think it's generative AI, and I'll explain both sides. So from a solution standpoint, there's a couple of things that I think are important.

First off, we need to tear down the L1, L2, L3 structure in every organization. We should not be operating under that structure because at the end of the day, if you have an L1 analyst, that's just taking things through triage and then passing it off to someone else. They have no job satisfaction. They never see the end of their work.

They never get to learn about how to take an alert from start to finish.

And what it leads to is they end up having to do that work outside of the job. So they're working this shift job and then they're going home and they're doing a bunch of learning to try and get to the next level and try to get the knowledge that they need so that they can actually do that for the business.

And compounding that is certifications as [00:21:00] requirements to get to that next level. Nothing against certifications, but one of the big problems is they're often required to get to the next level between L1, L2, L3, and they don't speak to the experience that the practitioner actually has, and often the business is not willing to pay for them.

So you have to be studying for, preparing, and paying for this certification on your own personal time. Which is one of the things that makes it really difficult. What we talk about with detection engineering is basically, take your analysts, make sure every single one takes an alert from start to finish, doesn't matter what level they are, they could be, it could be their first day.

Keep in mind, this relies on a lot of mentoring from people who have more experience. Yeah. Which is actually a really beneficial thing for them because they're in an interesting place in their career, which we could talk all about as well. And we actually recommend also turning your analysts into detection engineers and having them spend at least some of their time building detections themselves.

This gives them experience because they can start a detection from a threat hunt. They can [00:22:00] start a detection from threat intelligence. They could start it from data science. They could start it from just getting an alert 16 times in one week and saying, I don't want to get this anymore.

Ashish Rajan: It's annoying enough that they'll automate their way out of it.

Allie Mellen: Exactly. And giving them that agency is so helpful because it transitions their role from just opening and closing tickets into process improvement, into improvement of the actual system. So that's that piece on the generative AI front. Here's my concern. I think in a perfect world, it would be really great to be able to teach people with generative AI.

The problem that I see is that the implementations are not where they need to be to make that happen. And so it becomes a risk to the business. I'll give you an example. Last year, I was talking to a company that shall remain nameless that was implementing generative AI features, specifically around incident response recommendations.

So basically, you're in an incident, it's giving you a list of things to do. They were like, isn't this great for new people? I was like, okay. I looked at the response recommendations, and one of them was [00:23:00] block Excel across the environment.

Ashish Rajan: It's like the same example as I use glue to stick pizzas together.

Yeah, same example.

Allie Mellen: But let's take this down to something a little bit less ridiculous, right? Let's say, even though that's a real example, let's say it was saying, hey, block macros across the environment. If you're fresh out of school, say you've only been in academia, you may be like, yeah, why would we be allowing macros in this environment?

Ashish Rajan: It does make sense, yeah.

Allie Mellen: Finance department's gonna be pretty mad if you take that action. But realistically, if you are new, you may want, you may consider that academic answer to be the best one.

Ashish Rajan: Yeah.

Allie Mellen: And so it poses a risk to trust the output of generative AI right now because it's not finely tuned or trained enough to the business context, and just to what actions need to be taken.

Now, there's opportunity for that to change. But right now, it's very difficult, because that would require either constant training on the enterprise environment, or likely using some combination of that and RAG, [00:24:00] retrieval augmented generation, in order to make sure that the inputs are correct, and basically aligned to incident response processes.

Ashish Rajan: Maybe you're thinking about people who are day one on building a SOC team as well. There are definitely organizations like that out there. This is very valuable for people who are already established and definitely trying to figure out, hey, what can I do? And I'm glad we did not go into a tool conversation. It's more about a process and how do we use the existing talent to make their lives easy.

So we're all happy and they hopefully get a career path that is long enough that they actually stick around in the environment and not just leave cybersecurity completely, going, I'm totally burned out. What about people who are starting to build a SOC today? From the ground up. A lot of people go down the whole managed SOC path as well.

Oh, we can't manage it, we need a team, whatever. What are you seeing there that people should use as a starting point? The reason I ask that question is because sometimes it's the ROI for an organization for investing in, whether it's a managed SOC or even to start a SOC, could be hard to define.

And in an enterprise context, very well established. They already know. What is an ROI that [00:25:00] is a good one to, talk about to an organization from, why do I need a SOC kind of conversation?

Allie Mellen: One of the benefits of working at Forrester is every year we do a security survey of thousands of security decision makers.

We ask them questions about their top challenges, top priorities. We also ask them questions about the cost of breaches. I like to quantify this a little bit so that we can actually get down to a fundamental cost. One of the questions that we also ask is from a challenges standpoint. Are you struggling with the lack of incident response processes which is fundamentally connected to the security operations and the actions you're going to take.

And we find that the organizations that are struggling with having established incident response processes, they spend 250,000 a year more on breaches than those that actually have incident response processes in place that make sense for their organization or they struggle less with it. They're also breached more.

The trade off is, do you want to make sure that your organization is spending less on breaches? And, do you want to have fewer breaches? [00:26:00] That's the reality of the situation. And that's very much so in line with a lot of the data that's also publicly available from other research and that type of thing.

So that's the simplest quantification that I have for it. The other factor here is, if you are an enterprise and you are not doing detection or response in some capacity, we need to have a conversation. Because there's a problem and it extends much deeper than just not having a SOC. Because at that point, there is a fundamental mismatch with the prioritization of security within the organization.

If you don't trust your CISO enough to be helping them to establish the things that they need that are fundamental to the security organization, there's a problem there. So for those just starting out down this path, awesome, bravo. You have an opportunity to do this in a hopefully more beneficial way than a lot of those who had to do trial and error.

I do recommend working with a service provider, especially once you're starting, because I find that a lot of times organizations [00:27:00] that are just starting out will hire one person that has a lot of experience in security operations or is just maybe sometimes even just getting started, but is excited to wear a lot of hats and that person burns out very quickly because there's just too much to do.

So managing those expectations of what one person or two people will be able to accomplish and augmenting that with a service provider that can give you the support that you need, especially as you either choose to build up a team internally or just keep us a small team and use your service provider that way.

Ashish Rajan: Yeah.

Allie Mellen: That's the best path that you can go down.

Ashish Rajan: Do you think there is a need for, as more organizations go down the path of adopting more AI based applications? And would love to get into the whole cloud detection as well, because there was a point when I was trying to talk to people about incident response.

In fact, in one of the roles that I had as a CISO before, when I would talk to the SOC team about, hey, we obviously are going into AWS or Azure, Google Cloud. What would we do for detection response? We've done an amazing job on premise. What does that look like? Or just give me the logs. I'll figure it out, right?

I don't know, man. It's [00:28:00] like sounds a bit more than just a log thing. And then obviously there's been this explosion of those whole CSPM, CDR and all of that thing came through. When people look at a SOC at the moment and an executive kind of thinking what is my SOC doing in terms of capability going where I'm like, today I'm talking about data centers. Tomorrow I'm talking about cloud. Now I'm talking about AI and whatever else comes after this. Is the expectation from a SOC team, even if it's a managed SOC team, that the people who are, whether it's level one, level two, level three, they need to know the application side of it as well.

Or are we, to what you said, it's good enough for me to know the detection side, oh, okay. So I'm using NPM or Node.js or whatever application. The threats in that case, quote unquote, category of these, I only focus on these. Because a lot of people are almost lost in that translation for what should a SOC be doing when insert new technology comes in.

So you just take the logs and call it a day and what does that mean?

Allie Mellen: That is such a difficult problem, especially when you're talking about new and emerging technologies. The way that we talk about this [00:29:00] is we, find this to be a very good use case for threat hunting early on, because in reality, if you're just getting used to a new technology, there's likely not a security tool to protect it yet.

There's likely not a security tool to do detection and response, if that's even going to be possible in the long term. And so threat hunting, especially doing group hunts, where you have experts in the technology from other parts of the business, or in the case of say like homegrown applications, whoever has created that application, working closely with them on group hunts to look for what abnormal activity would look like is one of the best ways to start exploring that in a better way, because the problem with bringing in all the logs is great, we can bring in all the logs, but it's expensive, and it doesn't mean anything. Like logs without something like rule sets in place are just spent money, like

Ashish Rajan: you see your money running through as well.

Allie Mellen: Just like just light it on fire. It'll be more fun to watch. Definitely recommend approaching it from a threat hunting standpoint at first. And that will help you [00:30:00] understand what logs you need to be bringing in, what logs you even have access to. Because if you look at some applications in the cloud, especially SaaS, some SaaS applications just won't give you access to logs.

And that is, a nightmare scenario for a SOC team. So that's the first step in that process. Going further than that, to me, especially if you're in a situation where there's not a detection response tool for that particular coverage, I recommend using this as an input to the detection engineering function.

Like this is one of the things that I love about detection engineering is that you can do partner programming almost on new detections with people from other parts of the business, much like you do a group threat hunt, people who understand something like that better. For example, with homegrown applications, we recommend working very closely, if you have specific instances where you want to be bringing in logs from those applications, with the developers who have created that [00:31:00] application and then understanding the behavior based on that and building detections from there and then looking for improvements in those detections over time. It gets very difficult once you go down that path, because banks know this better than anyone.

Is it a fraud use case? Is it just a bug like an IT issue or is it a security issue? There's a lot of different paths these things could go down and it makes it very difficult and there's not really a standardized way, especially when they're homegrown applications. Cloud's a little bit different. You can have a little bit more supported with the tools there, but there's still to a certain extent a lot you have to do from a detection engineering perspective or use a service provider who supports that, which when you look at like cloud detection, identity detection, incorporating email security.

Most MDR providers are going to be supporting that and looking for ways to try to improve that.

Ashish Rajan: And I have to ask this question, because a lot of the community that we've worked with, a lot of them belong to the public sector as well. They sometimes end up going down the path of managed SOC as well, because that's what the term it is, or whatever, for whatever [00:32:00] reason, they were already facing the challenge where they had SOC teams that did not understand cloud.

On the other end, are we at that stage where, even though we had established a real standard for hey, what does detection response look like in the on premise data center context, now that we're in this cloud and AI world as well, should people update that expectation from a managed SOC as well that, hey, great, if a managed SOC comes up to me and says, Send me the logs, I'll be fine.

Should people be questioning what should be the expectation from a managed SOC moving forward? Because I think, at least the way I saw the whole crawl, walk, and run thing has been, Oh, I don't have anyone, let me have a managed SOC before I build a team, as I build a team, or I can start scaling, I can have red teams, whatever.

For people who are in that managed SOC phase, what is the expectation they should at least try and have, as we sit here and have this conversation from Black Hat? What should be the expectation they should have from a managed SOC, apart from just that, I'll send you an alert, there's something going on wrong.

Don't worry about everything, I'll just send you the logs.

Allie Mellen: There's a couple of [00:33:00] expectations that are really important. I do think that having metrics around the quality of detections is incredibly important. This is one of the biggest challenges and honestly one of the ways that I've seen CISOs get the most excited is they're like, I figured out that the MSSP was just closing the same alert over and over again.

I've been tracking these metrics. Making sure that you understand what they're actually doing and what the process improvement looks like, which is part of the reason why I highlight detection engineering, because I think that's the path to continuous improvement. Making sure that is happening and that they understand the value of the telemetry that you're giving them.

Ashish Rajan: Yeah.

Allie Mellen: Because that's the other thing is we see this on both sides where there are some service providers that are like, just give me all the data. That's not an ideal world. There are some customers who are like, I just want to give you all the data. Also not an ideal world. You need to approach it strategically and make strategic decisions about what data you're providing and when.

When you talk about the cloud aspect of this, it gets even more complicated. I just published a blog a couple [00:34:00] weeks ago with some of my colleagues that was called Cloud Detection and Response Tools Do Not Exist.

Ashish Rajan: And someone on the other end basically had a heart attack, like what, CDRs are dead?

Allie Mellen: So many people at Black Hat right now are like shivering, like what happened? But the reason that we did this is because as far as a market category is concerned, if you were to make something about cloud detection and response, you'd have a lot of different types of tools. There's not one thing in the cloud that makes cloud detection and response a thing, right?

It is a lot of different things, whether it's the SaaS applications or the CloudTrail logs or the way that you're monitoring containers or Kubernetes there's so many elements of this that have to come together and are held together by the people in the process side of it that, and the way that we talk about this is as different detection surfaces.

Basically, so the IT assets that you're detecting on, when you have multiple different detection surfaces, it doesn't make sense to call it cloud detection and response because it's [00:35:00] actually way more complicated than that. And that has a lot of implications for how you do response. Whether or not the detections are actually accurate, how to maintain the quality of those detections, and a lot of that comes back to the infrastructure that you choose to have set up and what you want your service provider to be monitoring.

Ashish Rajan: I agree to this as well. For example, the whole CSPM market as a community, we all agree that it's just died, basically I think it's almost like a standard. Now, it sounds the same thing as saying, I no longer put my resume that I know Excel, PowerPoint, and Word, like it's almost as for me, it's the same as saying that I am putting that in my resume, it doesn't make sense.

So with the SOC teams at the moment, where a lot of the detection response comes from the log aggregation, and having a SIEM provider, I find that to what you said about the detection in Cloud requires a lot more context because it could be coming from anywhere. What is like the biggest mistake perhaps people are doing in terms or maybe it doesn't have to be a mistake.

You just say what's the challenge they're facing as they start adopting this, because I think I was reading an annual report from Amazon which [00:36:00] talked about the fact that 85 percent of the world is still on data centers, and I'm going, oh wait, so that means these people have not even gone into the cloud. There's no one doing detection response in cloud for these 85 percent of people, for those who are preparing to get into the cloud space and have been doing an amazing job in that world and potentially going to a hybrid world.

What does the hybrid world challenge look like for detection response? How different is that to on premise?

Allie Mellen: It's very different. And it comes back to what you said earlier, the biggest challenge is a lack of education around all the fundamental components of the cloud and how that fits in ultimately, especially in security operations, you got very technical people who understand what's going on in the endpoint, what's going on in the network, what's going on from an email standpoint.

Now they got to adopt a new technology here and understand it. And it's not, obviously it's not a new technology. But you can't expect your security operations people to be on premise experts and cloud experts, but there is a fundamental level of knowledge that needs to come with that. We spent a lot of time doing research on this because it's so [00:37:00] annoying, because it's not just oh, here are the different types of cloud assets and then you can call it a day.

You got some tools that will do different levels of protection or detection across multiple different types of data. Yeah. So it becomes even more complicated, but that fundamental understanding is what will ultimately lead to better outcomes from a cloud detection standpoint. The other option is to have your service provider do it and just say, we're not worrying about this.

We're going to maybe ease into it, especially like some of the MDR providers have very interactive platforms, and so you can help your teams learn through the actions that the MDR provider is taking. That's an interesting way to introduce your team to it, get them up to speed, get them more comfortable with it.

Ashish Rajan: Yeah.

Allie Mellen: And also make sure that you're protected in the short and longer term.

Ashish Rajan: Because the thing gets a bit muddy as you go different levels up as well. Like to what you said, level one, level two would be happy with that. But as a SOC manager, or as a CISO i'm going, what about level two, level three was [00:38:00] supposed to be advanced.

Allie Mellen: Yeah,

Ashish Rajan: they're supposed to be like, really, oh, this Kubernetes thing came out. I need to be able to go and threat hunt this in the entire network. What are you seeing in that space for them to as they move from on premise experts to now? I need to know, Not just cloud, I need to know, cloud, containers, kubernetes, AI, serverless, because when I started the cloud, I just thought, oh, I just EC2 instances, virtual machines yeah, that looks pretty easy, right?

Yeah. And now 10 years later, I'm going, holy shit, this is, it's basically self evolving. It's becoming a thing where as more people go into it, more kinds of implementation come in, people trying to find different ways to make it easier. Microservices, Agile, Vagile, are we going to go down that path as well?

Where do you see the level two, level three SOC kind of fit into the space as they transition over to the non existent CDR space?

Allie Mellen: For them specifically, I do think that there's a head start because they have a better understanding of the environment. Many of them have experimented and have an understanding of the cloud fundamentally.

So it's honestly just a game of just [00:39:00] working at it. And continuing to understand and identify the different aspects that you need to keep track of. Because in reality, a part of it is dependent on your environment as well. Where things get really complicated is the fact that it's not even just those asset types, it's also those asset types on different cloud platforms.

Ashish Rajan: Yeah, that's right. Yeah. Oh my god, yes.

Allie Mellen: The complexity just gets ridiculous. Yes. To a certain extent, it requires a lot of interfacing and work with the teams who are experts on those different cloud technologies and just getting their input into this process, like that partner programming that I was talking about around detection engineering, and just learning a new area.

Unfortunately, having a better understanding, in many ways, especially if you're used to the on prem world, you can start with containers and move from there. CloudTrail logs tend to be a really natural next step to there's a lot of resources out there on how to do cloud detection well, but you're 100 percent right.

It's not a simple transition it requires training. It requires better understanding of how the cloud [00:40:00] works, which I think for level two level three can be exciting. You know there. They know what they're doing. They're used to what they have to do. And this is an opportunity to explore something else. It also, like I mentioned, becomes an input into detection engineering where they can start to explore something new.

Ashish Rajan: The basic level of knowledge for level one, level two, level three SOC teams would probably need to be the similar basic foundational knowledge. It's more that level two and three have a lot more exposure to, say, a bit more detail of applications and how they work and how it works across the environment.

It's using that basic foundation knowledge and how that applies to the broader environment, which is where they probably have to work harder. Whereas for level one, it's oh, I now understand what CloudTrail is, what EC2 is. And if I see that, and if I see that in my CSPM or CNAPP or whatever, oh, I can do one plus one equals two.

This is probably a false positive or not, at least I feel they can get to that point where they're able to validate that before that gets sent over to level two, level three, but for level two, level three, [00:41:00] just knowing Kubernetes would be a good starting point to now go, Oh, how do we use it? What's our implementation of it?

Because I think it was worthwhile calling out that difference. Because somehow, it was a lot of people confused out of us. Oh, isn't that the same? I just trained the same thing to level one, level two, level three, but they forget the fact that the level two and three would have to do a lot more extra work internally, which is probably a bit more context required for how the environment uses instead of what the Internet tells me and how Kubernetes can be hacked.

Like, how would you stand on that?

Allie Mellen: I completely agree. Yeah. The difference is the business context that you have, both from the standpoint of understanding the incident response processes and then how these assets and applications are being used internally and the boundaries that you have as an analyst as to what you can do with those assets.

That is a hundred percent the fundamental difference. And then also, as a part of that, just understanding the trade offs the business is willing to take with these things. You come in as an L1, you're not familiar with that yet, you're not comfortable [00:42:00] with that yet. Unfortunately, it's the type of thing that's very difficult to codify.

It is tribal knowledge that you have to learn in the organization. There's some crossover between organizations, but everyone is going to be different, especially based on industry with regards to like, disruption tolerance, what you're willing to accept from that standpoint. So I completely agree. I think it's that combination of, okay, having the fundamental skills to understand in an enterprise environment, what you have either learned in academia or have learned in a career path as like on the IT side, and then also the business context to make the big boy, big girl decisions.

Ashish Rajan: The only reason I'm probably going to have a follow up question is because I get asked this quite often. Where? Where does the level one, level two, level three, because there's not a lot of training available for this as well. It's oh, I go to a cloud certification, that's not truly what you're trying to do in your actual day job.

And people are like, what do you mean? I'm sure like, I get a lot of hate from this, all these certification people. But I think the actual implementation of it [00:43:00] and how you use it in the organization is different. The place where it becomes interesting is that, as managers, I don't know how many people recognize the need for training, not just in the, what's the latest hack?

I think, I feel like a lot of the training has gone down that path where my teams need to be a best offensive security team so that they can be red team, threat hunting, all of that. Is that belief shifted in the world of cloud and AI for you? And on what the SOC managers or CISOs should provide for their teams?

Allie Mellen: Security training is built to train staff on products, not on the principles of security. We do not have, outside of SANS and what you'll see in SANS, we don't have training just on what it means to be a practitioner. It's a huge gap.

And it's not something that's being fixed outside of the work that like SANS does, as one example.

But unfortunately, like that can be very difficult for teams to manage from a cost perspective. So I think this is a gap [00:44:00] fundamentally with everything about this field. And it's really interesting because it definitely manifests in academia as well where, and this is not to hate on academia, but I worked with a lot of people who are trying to get a degree in cybersecurity or trying to get a master's in cybersecurity.

And they're operating in a perfectly spherical world, where they have infinite resources, they have infinite budget, infinite people to do these tasks.

Ashish Rajan: All the best tools in the world.

Allie Mellen: The business is like take whatever you need. All we care about is security. Yeah. And they're like, oh, zero trust. It's easy.

Ashish Rajan: Yeah. Why is it so hard for you guys? I'm like.

Allie Mellen: That's the fundamental problem is, it is very difficult to, make the leap from the academic context to the actual business context. And we don't have a set of training that can help support that. Instead, and that's partly because who's going to pay for it?

Who's going to buy it?

Ideally, the managers, but it's also non trivial to [00:45:00] create that type of content. I do think that one of the stopgaps for this is using detection engineering and using the mentoring that you have in that process between the newer analysts and the ones who have more experience because even, I'm talking about a green analyst taking an alert from start to finish.

In reality, you put an analyst in that position who is brand new, they're not going to be able to do that.

Ashish Rajan: They'll be overwhelmed.

Allie Mellen: They'll be overwhelmed. Yeah. And they need the support of somebody who has more experience to say, Yeah. Don't do that. That's stupid. Do this. Yeah, fair. And so the mentoring becomes a really critical component of this.

Which is one of the things that I love about the security community is that I think there are a lot of people who are really supportive and are really willing to spend a lot of time and effort to help. Yeah. But we need to operationalize that. In organizations a little bit more instead of relying on a couple of like rock stars in the industry to help everyone.

Ashish Rajan: Yeah.

Allie Mellen: And then I do think that the training aspect of this is a gap [00:46:00] that has yet to be filled and could be a really good opportunity if somebody's thinking about, startup ideas.

Ashish Rajan: Funny you say that because after doing this for five years, I realized. The more conversations I had, everyone was sent down the path of doing certification.

Allie Mellen: Yes.

Ashish Rajan: And every time I will have an actual conversation about, hey, something super simple, right? How would you identify as a good starting point to start even detecting things? They were told that by a Amazon certification, you can have CloudWatch and CloudTrail. And that's where it ends.

And you almost feel, oh, wait. Is that there's more to it. If I don't understand what service is being used,, all I would say is at least what we're trying to do is we're trying to fill that gap. We've started educating. I think we've been doing it for almost a year now.

We've had a few companies that went through it. And I'm glad you mentioned because I want more people to do it as well. And at your point, I don't want to be the only person who does it. I think we need more practitioners in the space, even if people are detection engineering. They should definitely come out and talk about it, train other people, share some blogs to go out there [00:47:00] and keep talking about because you don't want one or two people to be the ones who are holding the weight of the entire world.

And just by the way, me as an English speaking person was doing this. We don't even considering all the non English languages around the world as well. There's a so much there. And if cloud is that technology that's moving people from around the world into the space of now we are all API enabled, we are all in microservices, but no one says let them Hey, this is what you should be doing in your job.

This is how you can actually do your job. Yeah, sorry, I'll stop the rant over there. No, which is why we've gone down that path as well.

Allie Mellen: I could not agree more. I think it's great that you're doing that because that is what we need more of, is the actual training beyond just, hey, here's the tool, here's what you can do with the tool.

Good luck. Yeah, good luck, right? It's so much more than that. And that's the coolest part, is that it's so much more than that. It's funny that you mentioned having more people come out and talk about what they're really good at. I was talking to someone earlier today, who was saying that, in a lot of cases, the more technical you get, the more imposter [00:48:00] syndrome you have.

Ashish Rajan: I agree with that. Which is why I'm saying, hey, everyone else, please come in and talk about it. That's what I'm saying. I definitely have that for this particular thing. I'm like, am I really the best trainer for this? I'm sure there are more smarter people than I am.

Allie Mellen: And I think that's 100 percent the case that you get these really technical people who are doing really cool stuff.

And they're like, everyone knows this. No, everyone does not know this.

Ashish Rajan: 100%. I'm so glad you say that as well, now that my imposter syndrome is out in public. Please people, come and support me as well. Don't worry about anyone else. Just support me. Don't worry about anyone else. No, but that's also a good segue towards the end of the conversation as well.

Cause I think now we've established the fact that, hey, this is where SOC people, SOC teams, SOC directors have been making mistakes in enterprise, is where they can start and improve it and maybe scale it out. Where do you see this go? Like obviously, to what you said, gen AI at the moment has those three buckets.

Yeah. And only the first and third bucket has seen some traction. Second one, with the behavior still evolving, where do you see this go? And obviously prediction is a very, I'm just gonna, like we, we don't have, we'll come back to this [00:49:00] episode one day and talk. But what is your, something that you're looking forward to the next few years in this particular space that is either exciting for you?

Or you're glad it's going to die away like the CDR thing.

Allie Mellen: We have a unique opportunity to fundamentally change the way that we do security operations and to make it much more effective than it's ever been. To learn the lessons that software development teams learned a long time ago when they made the transition from waterfall to agile.

And some teams are doing this. Many teams have started actually really talking about how they're doing it and just in some of the research that I've done and the conversations that follow, there's a ton of interest in taking that approach. I do fundamentally believe that is the path to making sure that we have analysts stay in this field and start to explore things and be able to learn more and get a better technical understanding.

Regardless of the underlying technology. And so that's what really excites me. I don't think that you need a software development background to do it. I think that's one of the cool things is [00:50:00] that we can manage those expectations. The tools are also getting better to support that if you want to go down the path of detection as code and all of that.

But this to me is one of the most critical changes that security operations teams need to make. Because we've got a ton of data coming in, and we can't do the open close alerts. We can't do it anymore. It's not sustainable. So that's the first thing. The second thing is, a couple of years ago, I've mentioned this a couple times, but a couple of years ago, me and one of my colleagues defined the term analyst experience, which is security analyst perception of the tools, technologies, and processes that they work with, with the ultimate goal of keeping people in this field and helping them get better. And also from a technology perspective, getting technology to be more focused on the user instead of the economic buyer, which is where it's been historically. And it's been really heartening to see the response to that research over the past few years.

We figured, okay, vendors are going to like this, they'll see it as like a user experience. Yeah. The cool thing has been the number of security teams and CISOs who have come to us, [00:51:00] brought their data science team and been like, what can we do to improve analyst experience? What is the thing that we can fundamentally do here?

To me, it speaks to the fact the most important part for CISOs is the people that they're working with and how they can make sure that they can retain them and help them improve. And I think that's where we have just such a big opportunity.

Ashish Rajan: As much as a CISO would like to take all the credit, they're nothing without their team.

Allie Mellen: Yeah,

Ashish Rajan: and if you can't hold on to your team, all these experts that you have that you can boost about to other people, if they're not in the team, then you can't boost anymore as well. But I'm glad we called that out. I'm super excited about a possibility where it becomes easier for security analysts to do their job even more.

Hopefully we can get rid of the whole shift work as well for them, but I totally understand why they have to go down that path. I don't have any hate against it, it's just that I'm not the person who would be able to do it. I'm just too old for that now, I feel. But, and that's all the technical questions I had.

I've got three more fun questions for you. First one being, what do you spend most of your time on when you're not working on this detection, response research space?

Allie Mellen: So I moved to New York two years ago.

Ashish Rajan: Oh, wow. You've turned into a manic person, is that right? [00:52:00]

Allie Mellen: So what I spend most of my time on is going out, hanging with friends, going to comedy shows, going to concerts, living the New York life.

And highly recommend. I will say the first six months are really rough. The pace is brutal, but once you get over that hump, it's so much fun. And I've just been having a lovely time of trying to experience more culture instead, because I feel like the first majority of my life was very focused on computer engineering and tech and getting deep into technology.

And now it's switched where in New York, I can really embrace culture and art and all of those facets. So that's what I'm spending a lot of time on right now.

Ashish Rajan: And funny enough, I relate to that because I moved over from Australia to London a year ago. And similar experience to what you said, now it's a lot more, oh, I didn't realize I had access to so many things that I could do.

It's almost like I have to say no to an activity. Earlier it used to be, oh, what can we do? There's nothing. Oh, I guess I'll just go back to my normal life.

But now it's oh, wait, there are 10 things happening. Which one am I saying no to?

Allie Mellen: So true. Yeah.

Ashish Rajan: So I 100 percent agree, people who have the [00:53:00] opportunity to do so should definitely explore.

Obviously, people are in different parts of their life and phases of their life. So please don't make a decision on this. Yeah. Yeah. Follow based on what your life goal is or where your life is. The second question is, what is something that you're proud of that is not on your social media?

Allie Mellen: I spent a lot of the first couple decades of my life, two decades really lonely.

And really struggling to connect with other people. And it took a lot of introspection and understanding of myself to get to the point where I could start having really deep connections with people. And that's been a fundamental change over the past decade, to really be able to connect on a deeper level, to feel the connections to people, to be present in conversations in a unique way, and to develop friendships and relationships with others that feel just really good and really fundamentally good. And so in some ways that does manifest on my social media, like I'm posting pictures with friends and family. But really it's something that you wouldn't know about me just from looking at my [00:54:00] social media.

But you would be able to see from the way, I think, from the way that I connect with people and I'm able to engage people in a much more personal way. And it's been the most enriching thing that I've ever done.

Ashish Rajan: No, thank you for sharing that. Final question. What's your favorite cuisine or restaurant that you can share with us?

I've been exploring a lot more in New York, so I'm curious as well.

Allie Mellen: The true answer is I love steak. I am obsessed with a good ribeye. Okay. And there's a restaurant in New York, it's called St. Anselm. And they get the best steak in the city. It is a hanger steak, it's 39. It's unbelievable. It's very hard to get a reservation here.

Ashish Rajan: Oh, no wonder. Okay, fair. For a steak, it's that hard to get a reservation.

Allie Mellen: It's like a very small, cozy place. Oh, okay. There's a lot about this place that's very cool.

Ashish Rajan: Okay. Okay.

Allie Mellen: And I just love it. And the thing is I've tried to eat less steak and like to stop it, but I feel like every time I go out, I'm like, Oh, I'll get the steak.

Ashish Rajan: It's what are we having? Steak again, oh, nothing wrong with it. I enjoy meat as well. But thank you for sharing that. [00:55:00] Where can people connect with you on the internet to know a bit more about this? Why is CDR dying? And what's CDR and all of that as well? Where can people connect with you on the internet?

Allie Mellen: Yeah. Connect with me on LinkedIn at Allie Mellen at hackerxbella. And yeah, you can find me on Twitter X, LinkedIn, Instagram, all the above, please don't connect with me on Facebook.

Ashish Rajan: That is definitely weird. If you do that, if I'm your friend, obviously, totally go for it. I will put those links in the shownotes as well.

Thank you so much for coming on the show. I really enjoyed my conversation. I'm sure others would as well. But thank you. Really appreciate this.

Allie Mellen: Thank you so much for having me.

Ashish Rajan: No, thank you. Thank you for listening or watching this episode of Cloud Security Podcast. We have been running for the past five years.

So I'm sure we haven't covered everything cloud security yet. And if there's a particular cloud security topic that we can cover for you in an interview format on Cloud Security Podcast, or make a training video on tutorials on Cloud Security Bootcamp, definitely reach out to us on info at cloudsecuritypodcast.tv. By the way, if you're interested in AI and cybersecurity, as many cybersecurity leaders are, you might be interested in our sister podcast called AI Cybersecurity Podcast, which I run with former [00:56:00] CSO of Robinhood, Caleb Sima, where we talk about everything AI and cybersecurity. How can organizations deal with cybersecurity on AI systems, AI platforms, whatever AI has to bring next as the evolution of ChatGPT and everything else continues.

If you have any other suggestions, definitely drop them on info at cloudsecuritypodcast.tv. I'll drop that in the description and the show notes as well so you can reach out to us easily. Otherwise, I will see you in the next episode. Peace.
