Security controls can be a bit of a cat-and-mouse game: you block one attack, and new ones spring up. Malicious actors continue to innovate new ways to hack your software, so responses end up being attack-specific and often manual. It’s not just your software, it’s your third-party dependencies, too. So Exaforce built software that can automate some of the attack detection and response.
I spoke with Ariful Huq, co-founder and head of product, and Marco Rodrigues, co-founder and head of product, at Exaforce last month at AWS re:Invent.
----------
Q: Tell us a little bit about what Exaforce does.
Ariful Huq: We are focused on helping organizations of all sizes, starting from high-growth startups all the way to mid enterprises, depending on where they are in their SOC journey. If you do not have a SOC, we enable you to build one in days, literally without having to go buy tooling, get detection engineers, get analysts. If you do have a security operations center where you have analysts, our goal is to amplify the capability of these analysts. Think about a team of two or three analysts: how do you make them a team of ten? That’s essentially what we do.
Q: Where do you find that organizations are the most lacking, either pre-SOC II audits or after?
Marco Rodrigues: In our experience at least, customers tend to come to us once they have the SOC II compliance or ISO, which is clearly an attestation and an evidence-driven security compliance framework. When it comes time to actually start putting together incident response plans, or where there’s legal liability that’s being driven through their customer contracts, that’s where they tend to get a bit more serious.
A lot of these companies are early-stage startups. They barely have one or two security engineers to begin with. Usually where they’re lacking depends on the journey of the company. A lot of them can be where they have no tools at all, and they need some detection framework. They need individuals monitoring and actually writing those detections. You need a routine that actually responds to and remediates it. So we’ve seen a kind of a variance of companies in that space.
Some of the larger companies, they just can’t keep up with the growth of detections as they come in. They need to augment their teams. The reality is that the skill set is not there: they can’t hire these people even if they wanted to. They’re using AI SOC, as an example, to augment and fill in that gap.
Q: When you do construct these sort of detection frameworks for these operations, how much existing infrastructure are you building on? I know a lot of folks have a CloudFlare base to help with that, or HAProxy to route traffic. What are you coming in to? Does anyone just have nothing?
AH: Surprisingly, even in the largest organizations that we work with, sometimes they have nothing, specifically around cloud and SaaS. What we found in starting our journey in building this AI SOC platform is that most of the market thinks about this as an AI analyst problem.
But we think about four primary tasks in the SOC, and detection is one of them: detections, triaging, investigations, and response. If you’re a very small institution, typically a two- to three-person security organization, you don’t even have the bandwidth to actually go think about detection engineering or building detections.
What you’re really looking for is getting off the ground, right? So you come with out-of-the-box detections: great! If you have existing detections from, as a notable example, CloudFlare, we’ll leverage those detections for enrichments and those sorts of things.
Even the larger organizations, like Fortune 2000 companies that we work with, what we find is a lot of them don’t even have detection coverage for SaaS services that you would think they would consider very critical.
Q: Open to the internet.
AH: Exactly. Like
Arctic Wolf Expands Security Operations with Data-First approach to LLM Integration
Arctic Wolf Networks is differentiating its security operations by prioritizing data engineering and enrichment alongside large language model (LLM) integration, rather than relying on third-party detections. This strategy aims to improve the precision and dynamism of threat response, according to company executives.
Arctic Wolf’s approach focuses on four key areas: investigations, detections, triaging, and response. According to Arctic Wolf Head of Product Adam Hunt, the company chose to “ingest the data and build semantics around it, build a bunch of enrichments,” rather than layering LLMs onto existing detection systems.
Hunt explained that while some fine-tuning occurs (specifically in converting natural language to SQL queries), extensive data engineering minimizes the need for constant model adjustments. The company primarily leverages LLMs through APIs, capitalizing on their general intelligence while providing domain-specific context for more accurate results.
“We give them all the domain specific context. So they use a combination of general intelligence and domain-specific context to give you really good results,” Hunt said.
Arctic Wolf continuously measures LLM output precision as new models become available, reassessing its pipeline accordingly, according to a member of the Arctic Wolf team, MR.
The company’s response capabilities extend beyond traditional Security Orchestration, Automation, and Response (SOAR) playbooks. Hunt noted that automated response actions, such as password resets, instance isolation, and session token resets, are now possible. However, he emphasized that effective response requires a more dynamic approach than simple step-by-step processes, acknowledging that threat responses can be complex and multifaceted.
