Q: As you engage with customers, what is the main driver for their interest in a platform like Command Zero? What problems are they trying to solve?
Eric: Each customer has different problems they're trying to resolve, but there are some common themes:
- Dealing with the deluge of alerts and incidents: The sheer volume of data is overwhelming for many SOC teams.
- Handling nuanced investigations: These go beyond what can be easily automated or applied to a simple playbook.
- Lack of knowledge about newer data sources: Teams often struggle with how to investigate unfamiliar systems like AWS deployments or GitHub.
- Doing more with less: This is a universal goal across all our customers.
Q: What should customers expect as they set up Command Zero in their environments?
Eric: Each customer environment is exceptionally different in terms of tech stacks, architecture and configuration, but there are commonalities with vendors and technologies they all have, like email.
One of the biggest advantages of our platform is its ease of use and quick setup. We've designed our integrations to require minimal configuration steps. For most integrations, you only need an API token or perform an application consent. We've eliminated the need for complex setups like deploying virtual machines or extensive log parsing. It's as simple as inputting your credentials, consenting to read-only permissions, and you're ready to go.
Q: Let's go with a hypothetical customer environment with Entra ID, Office 365, CrowdStrike, and Proofpoint. How long does it take to integrate Command Zero and start the first investigations?
Eric: Assuming all the necessary permissions are in place, you could be up and running in probably less than 30 minutes, realistically closer to 15 minutes. In fact, it will probably take you longer to gather your credentials and grab your MFA token to log into those individual products than it will to actually configure the integrations in Command Zero.
Q: Any interesting anecdotal feedback from customers after they've seen Command Zero in action?
Eric: One of the biggest issues we address, which is common across all clients regardless of their size or industry, is the constant context switching between different consoles. This leads to errors in copying and pasting, missing key leads, or going down the wrong investigation path.
We had a particularly striking example with a customer investigating a departing user. They told us it had taken them about 50 minutes the previous night to gather the necessary information across four different products about this user. We then walked them through the same investigation using Command Zero. By entering the user's name, executing one of our pre-built facets, and adding two questions, we completed the entire investigation in just 2 minutes, with another 2-3 minutes for data analysis and report generation. In total, we accomplished in 4-5 minutes what had previously taken them 50 minutes, and we uncovered 90% of what they had found manually plus additional insights.
Q: What value do reporting and timeline generation features deliver for customers?
Eric: The timeline feature saves an enormous amount of time by eliminating the need to constantly refer back to notes. It provides a graphical presentation of the investigation's progress and subsequent actions.
Our summarization capabilities, available in three forms - artifact summary, facet summarization, and overall report summarization - make a significant difference. In recent releases, we've fine-tuned our verdicting capability, which now very accurately portrays whether an incident is a false positive or if the severity should be adjusted based on the added context.
We've received a lot of positive feedback on how the reporting lays out observations in a different format, presenting it in bullet form with correlated pieces. This effectively reduces complex data (like dozens of JSON artifacts with hundreds of lines each) down to four bullet points, emphasizing the critical elements that analysts should focus on.
Q: How does Command Zero help junior and senior analysts with everyday tasks?
Eric: For senior analysts, the platform saves a significant amount of time. They no longer need to constantly oversee or guide less experienced analysts. It also empowers junior team members to gather information independently, making it readily available for senior team members to review.
Senior analysts particularly appreciate the artifact summarization feature, especially when dealing with unfamiliar data sources like AWS. This enables them to rapidly understand and contextualize information without needing deep background knowledge on that particular data source.
Junior analysts often express excitement at the types of questions they can ask and the capabilities they can access. Command Zero empowers them to facilitate Tier 1, Tier 2, and sometimes even Tier 3 level questions and capabilities. This not only acts as a force multiplier but also as a force enabler, facilitating progression, learning, and skill advancement in a way that's often challenging to achieve in traditional organizational structures.
Q: How does Command Zero's approach to implementing AI differ from other approaches in the industry?
Eric: Unlike many in the industry who are implementing AI as a bolt-on chatbot, we're taking a different approach. We're utilizing AI to empower analysts to continue their investigations by providing options and supporting data. We've recently added context to explain why specific answers, reports, synopses, or verdicts were generated, essentially "showing our homework."
We recognize that chatbots, while useful, require a certain level of knowledge and experience to interact effectively. This can be a problem, especially for less experienced team members. Our approach focuses on using AI for reporting, question summarization, question suggestions, and even content production on the back end, which then goes through a human-in-the-middle approach before it's implemented.
Q: What are the core use cases or investigation types for customers?
Eric: We excel in several common use cases:
- HR-Driven investigations: This includes data loss prevention cases or instances of users inappropriately accessing or removing files. These investigations also include watch lists (high risk users, flight risk, suspected compromised accounts) and are highly impactful.
- Identity visibility: We provide comprehensive visibility into identity across multiple integrations. We can map identities across various platforms (SharePoint, GitHub, AWS, email, etc.) and tie activities back to specific identities.
- Device-identity association: We can look up the identity associated with a device, or vice versa. Combining these associations with MFA and user activity yields valuable information.
- Phishing and BEC investigations: We help facilitate investigations into various types of phishing alerts, such as malicious URLs detected in emails or URLs removed after delivery. Our facets and curated question sets make it easy to verify incidents, determine their scope, and assess their impact. Business email compromise (BEC) continues to be a driver for many investigations.
Call to action
Eric’s recent observations during customer engagements demonstrate the power of Command Zero in streamlining investigations, providing comprehensive visibility, and enabling more efficient and effective security operations.
We highly encourage Security Operations teams to book a demo with our team to see how Command Zero can help transform threat hunting and investigations.
--
Editor’s note: We’re experimenting with a new format for this post. We’ve combined a Microsoft Teams interview between Eric and me (Erdem), genAI capabilities and good old editing by humans to create it. Overall, the ideas in the conversation are still organic (human ideas). GenAI helped us generate the transcript for this interview, convert the raw transcript to a clean-ish draft and we took over from there. As a result, we’ve saved hours on building this post.