October 24, 2024
7 min read

An interview with Eric Hulse: Insights from recent Command Zero engagements

In this interview, we dive deep into the world of cybersecurity investigations with Eric Hulse, Head of Research at Command Zero. Eric shares invaluable insights from some of the recent customer engagements, explaining how Command Zero is revolutionizing the way security teams operate, from drastically reducing investigation times to empowering analysts at all levels. He reveals how the platform can integrate with common tools like Microsoft Entra ID, Okta, Office 365, CrowdStrike, Proofpoint and other data sources in as little as 15 minutes. He also covers how it's helping teams tackle the overwhelming volume of alerts and incidents. Eric talks about Command Zero's unique approach to AI implementation, moving beyond simple chatbots to provide context-rich, actionable insights. From streamlining HR-led investigations to providing comprehensive identity visibility across multiple platforms, Eric illustrates how the platform is addressing the industry-wide challenge of doing more with less in cybersecurity.

Eric Hulse
Director of Security Research

Q: As you engage with customers, what is the main driver for their interest in a platform like Command Zero? What problems are they trying to solve?

Eric: Each customer has different problems they're trying to resolve, but there are some common themes:

  1. Dealing with the deluge of alerts and incidents: The sheer volume of data is overwhelming for many SOC teams.
  2. Handling nuanced investigations: These go beyond what can be easily automated or applied to a simple playbook.
  3. Lack of knowledge about newer data sources: Teams often struggle with how to investigate unfamiliar systems like AWS deployments or GitHub.
  4. Doing more with less: This is a universal goal across all our customers.

Q: What should customers expect as they set up Command Zero in their environments?

Eric: Each customer environment is exceptionally different in terms of tech stacks, architecture and configuration, but there are commonalities with vendors and technologies they all have, like email.  

One of the biggest advantages of our platform is its ease of use and quick setup. We've designed our integrations to require minimal configuration steps. For most integrations, you only need an API token or perform an application consent. We've eliminated the need for complex setups like deploying virtual machines or extensive log parsing. It's as simple as inputting your credentials, consenting to read-only permissions, and you're ready to go.

Q: Let's go with a hypothetical customer environment with Entra ID, Office 365, CrowdStrike, and Proofpoint. How long does it take to integrate Command Zero and start the first investigations?

Eric: Assuming all the necessary permissions are in place, you could be up and running in probably less than 30 minutes, realistically closer to 15 minutes. In fact, it will probably take you longer to gather your credentials and grab your MFA token to log into those individual products than it will to actually configure the integrations in Command Zero.

Q: Any interesting anecdotal feedback from customers after they've seen Command Zero in action?

Eric: One of the biggest issues we address, which is common across all clients regardless of their size or industry, is the constant context switching between different consoles. This leads to errors in copying and pasting, missing key leads, or going down the wrong investigation path.

We had a particularly striking example with a customer investigating a departing user. They told us it had taken them about 50 minutes the previous night to gather the necessary information across four different products about this user. We then walked them through the same investigation using Command Zero. By entering the user's name, executing one of our pre-built facets, and adding two questions, we completed the entire investigation in just 2 minutes, with another 2-3 minutes for data analysis and report generation. In total, we accomplished in 4-5 minutes what had previously taken them 50 minutes, and we uncovered 90% of what they had found manually plus additional insights.

Q: What value do reporting and timeline generation features deliver for customers?

Eric: The timeline feature saves an enormous amount of time by eliminating the need to constantly refer back to notes. It provides a graphical presentation of the investigation's progress and subsequent actions.

Our summarization capabilities, available in three forms - artifact summary, facet summarization, and overall report summarization - make a significant difference. In recent releases, we've fine-tuned our verdicting capability, which now very accurately portrays whether an incident is a false positive or if the severity should be adjusted based on the added context.

We've received a lot of positive feedback on how the reporting lays out observations in a different format, presenting it in bullet form with correlated pieces. This effectively reduces complex data (like dozens of JSON artifacts with hundreds of lines each) down to four bullet points, emphasizing the critical elements that analysts should focus on.

Q: How does Command Zero help junior and senior analysts with everyday tasks?

Eric: For senior analysts, the platform saves a significant amount of time. They no longer need to constantly oversee or guide less experienced analysts. It also empowers junior team members to gather information independently, making it readily available for senior team members to review.

Senior analysts particularly appreciate the artifact summarization feature, especially when dealing with unfamiliar data sources like AWS. This enables them to rapidly understand and contextualize information without needing deep background knowledge on that particular data source.

Junior analysts often express excitement at the types of questions they can ask and the capabilities they can access. Command Zero empowers them to facilitate Tier 1, Tier 2, and sometimes even Tier 3 level questions and capabilities. This not only acts as a force multiplier but also as a force enabler, facilitating progression, learning, and skill advancement in a way that's often challenging to achieve in traditional organizational structures.

Q: How does Command Zero's approach to implementing AI differ from other approaches in the industry?

Eric: Unlike many in the industry who are implementing AI as a bolt-on chatbot, we're taking a different approach. We're utilizing AI to empower analysts to continue their investigations by providing options and supporting data. We've recently added context to explain why specific answers, reports, synopses, or verdicts were generated, essentially "showing our homework."

We recognize that chatbots, while useful, require a certain level of knowledge and experience to interact effectively. This can be a problem, especially for less experienced team members. Our approach focuses on using AI for reporting, question summarization, question suggestions, and even content production on the back end, which then goes through a human-in-the-middle approach before it's implemented.

Q: What are the core use cases or investigation types for customers?

Eric: We excel in several common use cases:

  1. HR-Driven investigations: This includes data loss prevention cases or instances of users inappropriately accessing or removing files. These investigations also include watch lists (high risk users, flight risk, suspected compromised accounts) and are highly impactful.
  2. Identity visibility: We provide comprehensive visibility into identity across multiple integrations. We can map identities across various platforms (SharePoint, GitHub, AWS, email, etc.) and tie activities back to specific identities.
  3. Device-identity association: We can look up the identity associated with a device, or vice versa. Combining these associations with MFA and user activity yields valuable information.
  4. Phishing and BEC investigations: We help facilitate investigations into various types of phishing alerts, such as malicious URLs detected in emails or URLs removed after delivery. Our facets and curated question sets make it easy to verify incidents, determine their scope, and assess their impact. Business email compromise (BEC) continues to be a driver for many investigations.
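The identity-visibility, device-association and timeline points above all come down to one mechanical problem: every source logs the same person under a different identifier (a UPN in the identity provider, DOMAIN\sam on the endpoint, a bare username in file-activity logs, a mixed-case address in mail logs), and nothing can be tied together until those are resolved to one canonical identity. The following is an added illustration written for this article, not Command Zero's code or schema; the alias directory, the four record sets and all field names are constructed assumptions. It resolves identities, answers "which user owns this device", merges everything attributable to one user into a single time-ordered timeline, and derives a few review-worthy observations of the kind a departing-user investigation looks for.

```python
"""Identity correlation across several log sources (added example).
All records, field names and the alias table below are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timedelta

ORG_DOMAINS = {"example.com"}

# Constructed alias directory (assumption: in practice built from HR/IdP exports).
# Maps the identifier each source logs for a person to one canonical id.
ALIASES = {
    "j.doe@example.com": "jdoe",  # identity-provider user principal name
    "corp\\jdoe": "jdoe",         # endpoint logged-on user as DOMAIN\sam
    "jdoe": "jdoe",               # file-activity actor
}

# Constructed sample records from four sources (not real telemetry).
IDP_SIGNINS = [
    {"ts": "2024-10-20T08:02:11Z", "upn": "j.doe@example.com", "device_id": "DEV-1001", "mfa": True, "result": "success"},
    {"ts": "2024-10-20T22:41:05Z", "upn": "j.doe@example.com", "device_id": "DEV-2077", "mfa": False, "result": "success"},
    {"ts": "2024-10-20T09:10:00Z", "upn": "a.smith@example.com", "device_id": "DEV-1002", "mfa": True, "result": "success"},
]
EDR_DEVICES = [
    {"device_id": "DEV-1001", "hostname": "LT-JDOE", "last_user": "CORP\\jdoe"},
    {"device_id": "DEV-2077", "hostname": "UNKNOWN-PC", "last_user": "CORP\\jdoe"},
]
FILE_EVENTS = [
    {"ts": "2024-10-20T22:45:30Z", "actor": "jdoe", "op": "Download", "path": "/Finance/Q3.xlsx"},
    {"ts": "2024-10-20T22:46:02Z", "actor": "jdoe", "op": "Download", "path": "/Finance/Forecast.xlsx"},
    {"ts": "2024-10-20T22:46:40Z", "actor": "jdoe", "op": "Download", "path": "/HR/Salaries.xlsx"},
    {"ts": "2024-10-20T22:47:15Z", "actor": "jdoe", "op": "Download", "path": "/Sales/Pipeline.pptx"},
    {"ts": "2024-10-20T22:48:03Z", "actor": "jdoe", "op": "Download", "path": "/Legal/Contracts.zip"},
    {"ts": "2024-10-20T22:49:00Z", "actor": "jdoe", "op": "Read", "path": "/Public/Handbook.pdf"},
]
EMAIL_EVENTS = [
    {"ts": "2024-10-20T09:15:00Z", "sender": "j.doe@example.com", "recipient": "a.smith@example.com", "attachments": 0},
    {"ts": "2024-10-20T22:50:00Z", "sender": "J.Doe@Example.com", "recipient": "jdoe.personal@mail.example", "attachments": 3},
]


@dataclass(order=True, frozen=True)
class Event:
    ts: datetime
    source: str
    kind: str
    detail: str


def canonical(identity):
    """Resolve a source-specific identifier to the canonical id, case-insensitively."""
    return ALIASES.get(identity.strip().lower())


def device_owner(device_id, edr=EDR_DEVICES):
    """Device -> identity: who was last logged on to this endpoint?"""
    for d in edr:
        if d["device_id"] == device_id:
            return canonical(d["last_user"])
    return None


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def build_timeline(user, idp=IDP_SIGNINS, edr=EDR_DEVICES, files=FILE_EVENTS, mail=EMAIL_EVENTS):
    """Merge every event attributable to `user` into one time-ordered list."""
    hosts = {d["device_id"]: d["hostname"] for d in edr}
    events = []
    for r in idp:
        if canonical(r["upn"]) != user:
            continue
        kind = "signin" if r["mfa"] else "signin_no_mfa"
        host = hosts.get(r["device_id"], "unknown device")
        events.append(Event(_ts(r["ts"]), "idp", kind, f"{r['result']} sign-in from {host} (mfa={r['mfa']})"))
    for r in files:
        if canonical(r["actor"]) != user:
            continue
        events.append(Event(_ts(r["ts"]), "files", r["op"].lower(), f"{r['op']} {r['path']}"))
    for r in mail:
        if canonical(r["sender"]) != user:
            continue
        external = r["recipient"].rsplit("@", 1)[-1].lower() not in ORG_DOMAINS
        kind = "mail_external" if external and r["attachments"] > 0 else "mail"
        events.append(Event(_ts(r["ts"]), "mail", kind, f"to {r['recipient']} ({r['attachments']} attachments)"))
    return sorted(events)


def findings(timeline, burst_n=5, window=timedelta(minutes=10)):
    """Derive observations worth an analyst's attention from the correlated timeline."""
    out = []
    for e in timeline:
        if e.kind == "signin_no_mfa":
            out.append(f"{e.ts:%H:%M} sign-in without MFA: {e.detail}")
        elif e.kind == "mail_external":
            out.append(f"{e.ts:%H:%M} mail with attachments to external recipient: {e.detail}")
    downloads = [e for e in timeline if e.kind == "download"]
    for i in range(len(downloads) - burst_n + 1):  # sliding window over download events
        if downloads[i + burst_n - 1].ts - downloads[i].ts <= window:
            out.append(f"{burst_n} downloads within {window} starting {downloads[i].ts:%H:%M}")
            break
    return out


if __name__ == "__main__":
    tl = build_timeline("jdoe")
    for e in tl:
        print(f"{e.ts:%Y-%m-%d %H:%M:%S} [{e.source}] {e.detail}")
    print("\nFindings:")
    for f in findings(tl):
        print(" -", f)
```

The alias table is the part that needs care in practice: a missing or stale mapping silently drops a person's events from the timeline (as happens above for `a.smith@example.com`, who is not in the directory), so an unresolved identifier should be surfaced rather than ignored when this is run on real data.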

Call to action

Eric’s recent observations during customer engagements demonstrate the power of Command Zero in streamlining investigations, providing comprehensive visibility, and enabling more efficient and effective security operations.  

We highly encourage Security Operations teams to book a demo with our team to see how Command Zero can help transform threat hunting and investigations.  

--

Editor’s note: We’re experimenting with a new format for this post. We’ve combined a Microsoft Teams interview between Eric and me (Erdem), genAI capabilities and good old editing by humans to create it. Overall, the ideas in the conversation are still organic (human ideas). GenAI helped us generate the transcript for this interview, convert the raw transcript to a clean-ish draft and we took over from there. As a result, we’ve saved hours on building this post.

