ESG's Jon Oltsik talks with Exabeam Chief Marketing Officer Rick Caccia about SOAPA and Cybersecurity. This is part 2 of a 2-part series.
Read the related ESG Blog: SOAPA Interview With Rick Caccia of Exabeam - Part 2 (Video)
Jon: So I'm here again with Rick Caccia, CMO of Exabeam. Welcome back, Rick.
Rick: Thanks, Jon. Great to be here.
Jon: Part two.
Rick: Love it.
Jon: So, now, I know you came from…Exabeam came from the UBA space, User Behavior Analytics. I find there's still a lot of confusion about that space, and then when you pile on artificial intelligence or machine learning. Are you still seeing that? Are people starting to break through and understand where this fits?
Rick: I think there is a lot of confusion. One of the problems has been vendors have said things like, "Just pour data in." And people expect something to come out of these machine learning algorithms. It doesn't work that way. Otherwise, if you don't have pre-built use cases that know how to make sense of this data for security, you're just sort of reinventing the wheel with every single customer. So customers have been misled to some extent to believe that this is magic, and it's not magic. I think that's one of the problems in the industry today.
Jon: It's not magic.
Rick: It's not magic. We didn't do magic this time.
Jon: Oh, boy. I'm glad you explained that to everybody watching because that's an important point. But we're here to talk about SOAPA, and SOAPA is an architecture. Now, you've taken UBA and you've built on top of that some other pieces that you can now buy separately. So tell me how that works and how that kind of really dedicates Exabeam architecture.
Rick: Yeah. So I think SOAPA is about a few things and it's a next gen of SIEM. So, one is, how do I collect all the data I'm generating? And with SIEM, you had proprietary ways to do that. With SOAPA, you generally have open source ways to do that.
Rick: Two, how do I make sense of this data? And with SIEM, it was with correlation. And with SOAPA, it's with UBA, it's with machine learning. And then the third is, how do I respond once I've made sense of that data? And SIEM didn't really have a good answer here. There was case management, but not a good response. With SOAPA, you've seen this orchestration and automation, and tools that can run playbooks to do it. And Exabeam has all those pieces and we see that as the standard going forward.
Jon: Yeah. And our research says that people are really interested and adopting tools for security operations, automation, and orchestration. Now, I know you've carved out a particular product for that. What are the use cases there? What are people asking you for?
Rick: Yeah. So there's a couple things. One, they can't hire the people they need. So they're saying, you know, I have hiring pressure, what do I do? Two, they have too much variability across the people they have. So someone says, "Well, if my Splunk Ninja's working when some incident comes in, that guy may know how to detect and respond. If my new junior analyst is working that day, he may not know what to do." So, not only do we wanna take hiring pressure off, we want consistency across the response, and they see orchestration and automation as a way to give that consistency.
Jon: And are there particular investigations, forensic investigations, operational activities that they're pointing that at?
Rick: Yeah, you see common ones. So, malware is one. I see what looks like malware, some sort of credential theft running through the network. I wanna trace it all the way back and see what caused it. Who got the email with the malware attachment that caused it? Then I wanna be able to respond and do what I need to do to respond. Common one. So, you know, phishing is one, malware is one, detecting insiders trying to steal data is another one. Those tend to be some of the big ones we see.
Jon: Now, your old colleague and our mutual friend, Haiyan Song from Splunk was in recently shooting a video. And she came up with a really good statement and she said, "You know, security is a team sport." And I believe that. So, you can't do it all. Customers have already invested in things. So, what are customers asking you to integrate with in terms of other data sources, other security analytics tools?
Rick: That's a great point. I think security especially, you have many, many layers. And security as an industry seems to infinitely split to new niches every year. So, we're getting asked for things like integrate with endpoint security, integrate with cloud security. To some extent, physical security, badges. But endpoint's a big one and cloud's a big one. Those are the two most common for us.
Jon: And what about just integration with the SIEM? Like, hanging off of a SIEM.
Rick: Yeah, you get that, of course. Certainly, UBA started that way as a plug-in to a SIEM. A lot of customers are looking at replacing their SIEM over time as well.
Jon: And so, my final question is this. So, I believe in the SOAPA architecture and people I've run it by say, "Yeah, that seems to make sense." But customers have these legacy or they've had these investments in security products. How do you help them get to the next generation of security analytics without throwing the baby out with the bathwater?
Rick: Yeah, that's a good question. So, there's a phased approach. So, for most of the customers, they start…they have a SIEM, log management system, they don't wanna pull it out so they use UBA as a plug-in to make sense of it. Then the second step is typically, well, let's add incident response, so there's a way to respond. Longer term, they're saying, "Well, you know, when I look at it this way, most of my budget is tied up in log management, and that's kinda commoditized now. So over time, I'm gonna wanna replace that. Free up that budget and pay for other things." And that tends to be the thing that comes after.
Jon: Okay. Well, Rick, very insightful. I appreciate your time. And thanks for educating our audience.
Rick: Thanks for being here.