Security operations teams are drowning in alerts, losing analysts to burnout. The answer for the past decade has been to add more tools, but for many organizations, the problem is not a lack of technology, but a lack of integration.
Chris Jacob is the Field CISO at Securonix, an AI-powered, cloud-native security operations platform. Jacob joined Securonix through its acquisition of ThreatQuotient, where he was a founding executive and had spent over a decade as Global Vice President of Threat Intelligence Engineering. He now helps organizations rethink their SOC strategy with a platform Securonix calls a “SOC operating system.”
Expert Insights spoke to Jacob about the biggest challenges facing SOC teams today, why identity management has become the top attack vector, and how agentic AI can reduce analyst burnout without replacing the human talent.
Q. Could you give us an introduction to yourself and an overview of Securonix?
My name is Chris Jacob. I’m currently the Field CISO at Securonix. I’ve been with Securonix now for going on eight months. I came by way of an acquisition last June, where Securonix acquired ThreatQuotient. I had been the Global Vice President of Threat Intelligence Engineering at ThreatQuotient for 10 and a half years or so before the acquisition. So, a long stint there. It’s good to get aboard the new company and learn some new products and see how well the threat intelligence platform really folded into what we’re doing over at Securonix.
What we’re really building is the modern SOC operating system. And what we mean by that is an AI-powered, cloud-native, and really outcome-driven, complete operating system for the security operations center. Not just an additional bolt-on product, but a new approach using a lot of the classical approach, but more holistically, and then of course with the emergence of AI, bringing that agentic AI approach to it as well.
Q. You were one of the founders of ThreatQuotient. What has the integration with Securonix been like?
We’ve worked quite well together. One of our major integrations at ThreatQuotient was a SIEM. So a UEBA/SIEM company purchasing us made a lot of sense. It allowed us to get fully integrated very quickly because we had a lot of experience with integrating across all the major SIEM platforms.
There was a decision early on after the acquisition that none of that was going to go away. While we obviously believe you’re going to get the best experience with Securonix products across your security operations center, if you choose to go with other SIEMs and other products, other UEBA products, you still have the full functionality of the ThreatQuotient platform. That was really important to us as we were coming on board, and it turns out it was important to Securonix too, so it’s worked well.
People-wise, it’s the same sort of security-driven, intelligence-driven mindset that we had at ThreatQuotient. If there was anything that was troublesome for me, maybe it was simply losing our rhino over at ThreatQuotient as our logo, because it’s become near and dear to our hearts. I think you’ll still see it around places from time to time. Not ready to completely let it go yet.

Q. There are a lot of challenges for SOC teams right now around alert fatigue, talent shortages, rising costs, and the accelerating attack landscape. What are the biggest challenges security operations teams are facing today?
I think you kind of nailed it. That signal-to-noise ratio is really still so high. For the past decade or so, the approach has been to add more tools. This next tool is going to solve the problem. And really, it’s more about the analytics. It’s more about reducing that signal-to-noise ratio and finding what really matters.
That honestly isn’t a new approach. It’s just we’re back to it where I think we’re finally starting to see a little bit of reduction in the new shiny toy. We’ve sort of got an understanding of what powers a SOC. It’s just, are we doing it the right way?
One of the things I like to talk about especially when we talk about alert fatigue is the talent and how that impacts it. There’s certainly some things we can talk to from a technology standpoint on cost, but one of the biggest costs really is just your analyst burnout. You see a sharp decline in their effectiveness and ultimately the decision to move on, either to what they perceive to be a less stressful role or maybe getting out of the industry altogether, which is certainly a shame.
If we dig through some of this AI hype that we’re seeing across the industry, that’s one area where I really think that AI can bring a lot of help. And it’s about replacing analysts. It’s really about the assistance, having an agent with an analyst-focused outcome. I think it’s going to go a long way to help reduce that stress.
And ultimately, that will help reduce costs, which is probably the second biggest problem that SOCs are seeing. That’s around people, but also around just the immense amount of data. Storing data, whether hot storage or cold storage, being able to index it. It’s like somebody came up with a pricing model once and everybody has just continued to use that.
I think SOC leaders need to question their vendors and really push on their vendors. It’s not just “reduce your costs.” It’s “work with me and let’s come up with a better way to price this so that I can still accomplish my mission and get what I need, you still make what you need to make, but we have better control.” Because it’s not just about the total cost, it’s about how unpredictable that cost can be.
If your SOC is hit with an event and you’re storing massive amounts of data, all of a sudden that following month or the end of the quarter, you get this bill that you didn’t expect. I think we need to creatively look at how better to approach that to help our customers and partners with these costs.
Q. Are there any principles from the SOC teams you’ve worked with that make a team particularly effective? Any lessons our listeners might find helpful?
When you talk about process, you have two very different reactions to it. On one side, you have very process-driven to the point that sometimes things become over-architected and you lose the ability to be creative and find innovation. On the other side, you have people who are deathly afraid of process and want to be that run-and-gun kind of wild west approach.
In my early years, I definitely fell on that latter side. We’re smart people, we don’t need to be put in boxes, let us go out and accomplish this mission. As my hair has grayed over the years, what I’ve learned is that your process is just your current understanding of best practice. Process needs to be written down, it needs to be understood by the team, but it needs to be easily adaptable. Almost like a version control, like a GitHub. Write your process in GitHub so that when someone has a better idea, it’s just a pull request. It’s kind of an analogy, but you could actually do it that way.
Having good, structured process, but having the ability to change that process, is super important. And I think another point that ties into that is to empower your analysts. Let them know that they have that latitude to make the decision. If it’s not the right decision, then we can go back and fix that and we can talk about it and make sure everybody learns and collectively we’ll make the right decision the next time. But nobody should ever be afraid to make that decision. Always make sure your analysts feel that they’re empowered. Those are two key tenets of running not just a SOC, but really, they apply to most every team.

Q. Securonix ThreatLabs tracks thousands of emerging threats every month. What are some of the significant trends your team is seeing right now?
Right now, I think the top of the list is all around identity management. There’s been a large push over the years, rightfully so, to get into multi-factor and different types of identity management systems. But that has also now become a very large attack surface. It in some ways has made it almost easier because instead of spending the time to develop a zero day or the money to buy a near zero day, you can employ social engineering type approaches, all sorts of other less sophisticated attacks to be able to steal tokens and other authorization credentials.
So, identity is really close to the top. And then adding to that attack vector is misconfiguration of identity management. It’s a very complicated approach. If the people in charge of it aren’t up to speed, they inadvertently leave a lot of attack surface open with too much privilege or exposing things that they shouldn’t. That’s definitely number one.
And probably a close second, but along that same theme of complexity sometimes bringing a lack of security, is around the cloud control plane. Again, very complicated, lots of knobs and dials, and more and more data is being pushed into the cloud, not just from SaaS providers, but also from enterprises that are extending their data centers into the cloud. That just brings another layer of security that’s required, a larger attack surface, and we’re seeing it as a close second there to the identity stuff.
Q. The Securonix platform is described as a unified defense SIEM powered by agentic AI. Could you walk us through the platform and some of the recent features like Sam, the AI SOC analyst?
A little bit of where the company came from: coming out of the UEBA space and behavior analysis, which I think is often overlooked but still a very important part of the overall SOC approach. They early on expanded into both UEBA and SIEM in a very traditional sense, but then adding that overlay of behavioral analysis gave them a unique approach. Then, as I mentioned, mid last summer they purchased ThreatQuotient, and that brought this whole threat intelligence engine into the mix as well. And then more recently, as we start to build on top of these AI agents, that’s really what’s giving us the combination of all those things and being able to use these agents for specific tasks.
Sam, the SOC analyst, sits on top of all of these underlying agents and they can all share information, share decision-making and ultimately bubble up to that SOC analyst. When you’re reading marketing material, it becomes a little scary that Sam’s coming for our jobs, and it’s not that at all. It is and needs to be a human-in-the-loop approach, but it helps offload a lot of the things that analysts need to do today.
Being able to see that, to prove that, to measure that is also very important. Both for us as a vendor to show you that you are actually getting value from Sam and all his other little buddies, but also for you internally as a SOC analyst, as a SOC leader, and all the way up to the C-suite. If you have measurable, demonstrable metrics, it makes explaining the cost so much easier. And it also helps you understand where you could maybe move some things around. If you have your budget for the year and we’re starting to save time and eliminate a lot of work over here, maybe we can move some of that budget over to this other bucket.
It’s just building that network of agents assisting with that analyst-focused outcome to help really reduce the amount of manual work that an analyst has to do, ultimately resulting in the analyst taking action, but doing so being informed by what is their single source of truth, which is this SIEM slash threat intelligence platform that they’re pulling from.
Q. As Sam rolls out across more organizations, are you seeing a compounding effect of improvements as the AI gets smarter and understands workflows in more detail?
Absolutely. And that’s one of the exciting things about AI in general. Anyone who has dipped their toe into it, even for simple tasks, automation of daily tasks for an individual, you very quickly see what’s possible. We are all in with that. We really believe that’s the correct approach, but to make sure it’s being broken down by these focused, purpose-built agents to do these subtasks and then with the ability of all of them to communicate over that mesh.
Q. With Sam, Securonix has introduced a productivity-based pricing model, measuring work completed rather than volume processed. What’s the reason for that shift?
I think it’s the skepticism with AI. AI is here. I don’t think anybody can argue with that. And AI budgets are starting to be put together, but nobody really knows what they’re for yet, how much they should be. So if we just put a price tag on this and said it’s going to be X amount annually, that’s a hard sell. But if we can say, hey, you’re only going to pay for how this thing helps. And not that the more it helps the more you’re going to pay where you get that same surprise bill at the end of the quarter. But build guardrails around it, but really have it be demonstrable and measurable success. To get buy-in from your analysts at the SOC level and also to get a better understanding up to your CISOs and CFOs and the rest of the people that are ultimately responsible for those budgets.

Q. As much excitement as there is around AI, there is also some skepticism, and security people tend to be the most skeptical. How does Securonix handle those questions around handing over investigative work to AI?
I don’t know if I can call this a differentiator because I believe this is the way it should be. And as we see other products emerge, hopefully they’ll take the same approach. But it’s really being open by design. Every decision that’s made, every action that’s taken needs to be logged, needs to be understood by the analyst, needs to have the ability to undo those things. And if those things were done in error, needs to have the ability to be corrected. So it’s open by design, very outcome driven. What is the end result? How did we get here?
What I do think we need to see, and I think we’ll see it relatively quickly because of the people that tend to make up the security community, is really good governance around AI. Being on a vendor side, I watched within a six-month period, potential customers and customers go from “don’t talk to me if you have AI anywhere in your platform, we don’t have the appetite for it, our risk team has said no, hard stop” to “what’s your three-month roadmap with AI?” We really were getting pressed to make sure that we’re adopting and taking advantage of.
Things have gone from, and I think rightfully so at the beginning, “we don’t have governance for this, so the risk is way too high, we’re not going to accept any of it” to the benefits are starting to be seen and understood and so risk is getting pushed down, but we really need to get into some good, well-established governance and standardization across at least industries.
How are we different? It is that analyst-focused, completely open and human-in-the-middle approach. But again, I hope that doesn’t make us different. I hope that’s the way that people go, because it really needs to. But it also brings on the other side that I don’t think is talked about as much, and that’s how much it opens up the other side as well, how much it increases your attack surface. That’s the other critical part that we need to make sure we’re in front of.
Q. How do you think about the security risks that AI could introduce from the adversary perspective, and how should security teams be thinking about that?
There are those two sides of it. There’s the how it helps the adversaries. They’re in the same type of arms race that we’re in. There are not just new technologies, but new tools that are available to them. People are developing new techniques and this is going to increase its scale. I think that’s a concern, but I don’t think it’s as big a concern as the way that it impacts the attack surface. That’s where I think we need to focus.
When we talked about what are the biggest risks that the SOC overall faces right now, identity management and the cloud control plane, this fits right in there. They’re all cousins of each other. How you configure your AI tools is super important, but not very well understood yet. It needs to be a very controlled rollout. Going back to governance, going back to how do we approach this as an enterprise, how are we going to adopt AI? Hire some AI experts. They’re starting to come fast and furious now. There’s a lot of good education out there on AI. Now it changes a lot. You’ve got to have someone who’s willing to keep up with all the changes.
But it’s a necessary technology. It is here, but it is going to increase the attack surface. It’s the new perimeter. It used to be we talked about the perimeter, then we talked about cloud as the new perimeter. And now AI is the new perimeter because it reaches into everything, both internally and externally. And as a security practitioner, it’s kind of a nightmare to secure, but it’s something that needs to be figured out, and rather quickly.
Q. Looking ahead, how do you see SOC teams evolving over the next few years, and what should security leaders be doing now to prepare?
It’s a great question. It’s one that we should be constantly asking ourselves. Starting with get your arms around AI, but adopt it with this human-in-the-loop approach. I feel like that should go without saying, but surprisingly it doesn’t. It needs to be said. Human in the loop, open decision making. Why did you do that? How did you come to that? Cite your sources, all that sort of stuff.
Continue to standardize workflows so that they’re well understood by the humans before they’re implemented in AI. And then telemetry. I think that telemetry coming out of the SOC is so important right now. We need to move away from the alerts and the whack-a-mole game that we’ve been talking about for decades and into better metrics and telemetry. Not just for justifying cost, but really to understand what’s happening within the enterprise.
The one thing that AI we know is really good at is crunching a lot of really big numbers. And so there’s a perfect application for AI to help you store all this stuff somewhere, throw it to AI, and start to build this telemetry so that the analysts know where to look, the SOC leadership understands what the analysts are working on from day to day. And as a CISO, maybe most importantly, so the CISO goes to bed at night knowing where his or her company is protected, where they maybe need to work tomorrow, and the more data, the more telemetry, the better. I think that should be the focus.