October 24, 2024
7 min read

An interview with Eric Hulse: Insights from recent Command Zero engagements

In this interview, we dive into cybersecurity investigations with Eric Hulse, Head of Research at Command Zero. Eric shares insights from his recent customer engagements, explaining how Command Zero is changing the way security teams operate, from drastically reducing investigation times to empowering analysts at all levels. He describes how the platform integrates with common tools such as Microsoft Entra ID, Okta, Office 365, CrowdStrike and Proofpoint through read-only API tokens or application consent, in as little as 15 minutes once the necessary permissions are in place. He also covers how it helps teams tackle the overwhelming volume of alerts and incidents. Eric talks about Command Zero's approach to AI, moving beyond bolt-on chatbots to provide context-rich, actionable insights together with an explanation of how each answer or verdict was produced. From streamlining HR-led investigations to providing identity visibility across multiple platforms, Eric illustrates how the platform addresses the industry-wide challenge of doing more with less in cybersecurity.

Eric Hulse
Director of Security Research

Q: As you engage with customers, what is the main driver for their interest in a platform like Command Zero? What problems are they trying to solve?

Eric: Each customer has different problems they're trying to resolve, but there are some common themes:

  1. Dealing with the deluge of alerts and incidents: The sheer volume of data is overwhelming for many SOC teams.
  2. Handling nuanced investigations: These go beyond what can be easily automated or applied to a simple playbook.
  3. Lack of knowledge about newer data sources: Teams often struggle with how to investigate unfamiliar systems like AWS deployments or GitHub.
  4. Doing more with less: This is a universal goal across all our customers.

Q: What should customers expect as they set up Command Zero in their environments?

Eric: Each customer environment is exceptionally different in terms of tech stacks, architecture and configuration, but there are commonalities in the vendors and technologies they all have, like email.

One of the biggest advantages of our platform is its ease of use and quick setup. We've designed our integrations to require minimal configuration steps. For most integrations, you only need to provide an API token or grant application consent. We've eliminated the need for complex setups like deploying virtual machines or extensive log parsing. It's as simple as inputting your credentials, consenting to read-only permissions, and you're ready to go.

Q: Let's go with a hypothetical customer environment with Entra ID, Office 365, CrowdStrike, and Proofpoint. How long does it take to integrate Command Zero and start the first investigations?

Eric: Assuming all the necessary permissions are in place, you could be up and running in probably less than 30 minutes, realistically closer to 15 minutes. In fact, it will probably take you longer to gather your credentials and grab your MFA token to log into those individual products than it will to actually configure the integrations in Command Zero.

Q: Any interesting anecdotal feedback from customers after they've seen Command Zero in action?

Eric: One of the biggest issues we address, which is common across all clients regardless of their size or industry, is the constant context switching between different consoles. This leads to errors in copying and pasting, missing key leads, or going down the wrong investigation path.

We had a particularly striking example with a customer investigating a departing user. They told us it had taken them about 50 minutes the previous night to gather the necessary information across four different products about this user. We then walked them through the same investigation using Command Zero. By entering the user's name, executing one of our pre-built facets, and adding two questions, we completed the entire investigation in just 2 minutes, with another 2-3 minutes for data analysis and report generation. In total, we accomplished in 4-5 minutes what had previously taken them 50 minutes, and we uncovered 90% of what they had found manually plus additional insights.

Q: What value do reporting and timeline generation features deliver for customers?

Eric: The timeline feature saves an enormous amount of time by eliminating the need to constantly refer back to notes. It provides a graphical presentation of the investigation's progress and subsequent actions.

Our summarization capabilities, available in three forms (artifact summary, facet summarization, and overall report summarization), make a significant difference. In recent releases, we've fine-tuned our verdicting capability, which now very accurately portrays whether an incident is a false positive or if the severity should be adjusted based on the added context.

We've received a lot of positive feedback on how the reporting lays out observations in a different format, presenting it in bullet form with correlated pieces. This effectively reduces complex data (like dozens of JSON artifacts with hundreds of lines each) down to four bullet points, emphasizing the critical elements that analysts should focus on.

Q: How does Command Zero help junior and senior analysts with everyday tasks?

Eric: For senior analysts, the platform saves a significant amount of time. They no longer need to constantly oversee or guide less experienced analysts. It also empowers junior team members to gather information independently, making it readily available for senior team members to review.

Senior analysts particularly appreciate the artifact summarization feature, especially when dealing with unfamiliar data sources like AWS. This enables them to rapidly understand and contextualize information without needing deep background knowledge on that particular data source.

Junior analysts often express excitement at the types of questions they can ask and the capabilities they can access. Command Zero empowers them to facilitate Tier 1, Tier 2, and sometimes even Tier 3 level questions and capabilities. This not only acts as a force multiplier but also as a force enabler, facilitating progression, learning, and skill advancement in a way that's often challenging to achieve in traditional organizational structures.

Q: How does Command Zero's approach to implementing AI differ from other approaches in the industry?

Eric: Unlike many in the industry who are implementing AI as a bolt-on chatbot, we're taking a different approach. We're utilizing AI to empower analysts to continue their investigations by providing options and supporting data. We've recently added context to explain why specific answers, reports, synopses, or verdicts were generated, essentially "showing our homework."

We recognize that chatbots, while useful, require a certain level of knowledge and experience to interact effectively. This can be a problem, especially for less experienced team members. Our approach focuses on using AI for reporting, question summarization, question suggestions, and even content production on the back end, which then goes through a human-in-the-middle approach before it's implemented.

Q: What are the core use cases or investigation types for customers?

Eric: We excel in several common use cases:

  1. HR-driven investigations: This includes data loss prevention cases or instances of users inappropriately accessing or removing files. These investigations also include watch lists (high-risk users, flight risks, suspected compromised accounts) and are highly impactful.
  2. Identity visibility: We provide comprehensive visibility into identity across multiple integrations. We can map identities across various platforms (SharePoint, GitHub, AWS, email, etc.) and tie activities back to specific identities.
  3. Device-identity association: We can look up the identity associated with a device, or vice versa. Combining these associations with MFA and user activity yields valuable information.
  4. Phishing and BEC investigations: We help facilitate investigations into various types of phishing alerts, such as malicious URLs detected in emails or URLs removed after delivery. Our facets and curated question sets make it easy to verify incidents, determine their scope, and assess their impact. Business email compromise (BEC) continues to be a driver for many investigations.
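
As an added illustration that is not part of the interview and not Command Zero's code: the identity mapping and device-identity association described above, and the departing-user timeline from earlier in the conversation, both rest on one mechanical step a practitioner can script, namely resolving every alias a person carries (UPN, DOMAIN\sam, secondary mail addresses) to one canonical identity before merging events from separate sources. The Python below does that over constructed sample data. The directory export, the three event feeds and every field name in them are assumptions made for this example; the feeds loosely imitate an IdP sign-in log, an EDR process log and an email gateway log, but none of them is any vendor's real schema.

```python
"""Cross-source identity correlation for an investigation timeline.

Added example, not Command Zero's code. All data below is constructed for
illustration; field names are assumptions, not any vendor's real schema.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed directory export: every alias a person carries across systems.
DIRECTORY = {
    "jdoe": {"upn": "j.doe@example.com", "sam": r"EXAMPLE\jdoe",
             "mail": {"j.doe@example.com", "john.doe@example.com"}},
    "asmith": {"upn": "a.smith@example.com", "sam": r"EXAMPLE\asmith",
               "mail": {"a.smith@example.com"}},
}

def build_alias_index(directory):
    """Invert the directory so any alias, in any letter case, resolves to one canonical id."""
    index = {}
    for canonical, rec in directory.items():
        for alias in {rec["upn"], rec["sam"], *rec["mail"]}:
            index[alias.lower()] = canonical
    return index

ALIAS_INDEX = build_alias_index(DIRECTORY)

def canonical_identity(raw: str) -> Optional[str]:
    """Resolve a raw principal string to a canonical id; None means not in the directory."""
    return ALIAS_INDEX.get(raw.strip().lower())

@dataclass
class Event:
    ts: datetime
    source: str
    identity: Optional[str]
    device: Optional[str]
    action: str
    detail: str

# Constructed feeds. Each source names the same person in a different form.
IDP_SIGNINS = [
    {"createdDateTime": "2024-10-21T08:02:11Z", "userPrincipalName": "J.Doe@example.com",
     "ipAddress": "203.0.113.7", "deviceId": "dev-4a1", "status": "success"},
    {"createdDateTime": "2024-10-21T22:40:05Z", "userPrincipalName": "j.doe@example.com",
     "ipAddress": "198.51.100.9", "deviceId": "dev-9c2", "status": "success"},
]
EDR_EVENTS = [
    {"timestamp": "2024-10-21T09:10:00Z", "aid": "dev-4a1", "UserName": r"EXAMPLE\asmith",
     "ImageFileName": "outlook.exe"},
    {"timestamp": "2024-10-21T22:41:30Z", "aid": "dev-9c2", "UserName": r"EXAMPLE\jdoe",
     "ImageFileName": "7z.exe"},
]
EMAIL_EVENTS = [
    {"time": "2024-10-21T22:45:12Z", "sender": "john.doe@example.com",
     "recipient": "personal.mailbox@example.net", "attachments": 3},
]

def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)

def normalize_events():
    """Flatten the three feeds into one Event list keyed by canonical identity, oldest first."""
    events = []
    for e in IDP_SIGNINS:
        events.append(Event(parse_ts(e["createdDateTime"]), "idp",
                            canonical_identity(e["userPrincipalName"]), e["deviceId"],
                            "signin", f'{e["status"]} from {e["ipAddress"]}'))
    for e in EDR_EVENTS:
        events.append(Event(parse_ts(e["timestamp"]), "edr",
                            canonical_identity(e["UserName"]), e["aid"],
                            "process", e["ImageFileName"]))
    for e in EMAIL_EVENTS:
        events.append(Event(parse_ts(e["time"]), "email",
                            canonical_identity(e["sender"]), None,
                            "outbound_mail", f'to {e["recipient"]}, {e["attachments"]} attachments'))
    return sorted(events, key=lambda ev: ev.ts)

def timeline_for(identity: str, events=None):
    """Every event for one person, regardless of which alias each source recorded."""
    events = normalize_events() if events is None else events
    return [e for e in events if e.identity == identity]

def devices_for(identity: str, events=None):
    """Identity -> devices it was seen on."""
    events = normalize_events() if events is None else events
    return {e.device for e in events if e.identity == identity and e.device}

def identities_on(device: str, events=None):
    """Device -> identities seen on it; a shared device yields more than one."""
    events = normalize_events() if events is None else events
    return {e.identity for e in events if e.device == device and e.identity}

if __name__ == "__main__":
    for e in timeline_for("jdoe"):
        print(f"{e.ts:%H:%M}  {e.source:5}  {e.device or '-':8}  {e.action}: {e.detail}")
    print("devices used by jdoe:", sorted(devices_for("jdoe")))
    print("identities seen on dev-4a1:", sorted(identities_on("dev-4a1")))
```

Run it directly to print the merged timeline for jdoe. The alias index is the whole point: without it, the 22:40 sign-in (recorded by UPN), the 22:41 archiver launch (recorded as DOMAIN\sam) and the 22:45 outbound mail with attachments (sent from a secondary alias) look like three unrelated actors, which is exactly the "missing key leads" failure that console-hopping produces. The reverse lookup identities_on is there to show the caveat on device-identity association: a device that two people have signed in to is not a reliable proxy for one user, so the association always needs the sign-in and MFA context beside it.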

Call to action

Eric’s recent observations during customer engagements demonstrate the power of Command Zero in streamlining investigations, providing comprehensive visibility, and enabling more efficient and effective security operations.

We highly encourage Security Operations teams to book a demo with our team to see how Command Zero can help transform threat hunting and investigations.

--

Editor’s note: We’re experimenting with a new format for this post. We’ve combined a Microsoft Teams interview between Eric and me (Erdem), genAI capabilities and good old editing by humans to create it. Overall, the ideas in the conversation are still organic (human ideas). GenAI helped us generate the transcript for this interview, convert the raw transcript to a clean-ish draft and we took over from there. As a result, we’ve saved hours on building this post.

