Craig Patterson: [00:00:00] I think this becomes the biggest blind spot, the biggest blind spot for every single organization, because again, 80% of these breaches are, are being caused by insider threats. For most companies that adopt these platforms is they don't really have the insider threat capabilities built into those platforms.
And so one of the biggest use cases that we see every single day is companies trying to solve that blind spot. They love the platform, they love all the capabilities, but they gotta fix that one particular blind spot.
Max Clark: I'm Max Clark. This is Signed. My guest today is Craig Patterson, who's the Global Channel and Ecosystem Chief at Exabeam, one of the largest independent SIEM vendors in the market, and one in the middle of market consolidation, monolithic vendor bundling, explosion of AI, and a category that won't sit still.
Let's get into it
Exabeam-LogRhythm merger closes summer [00:01:00] of 2024. So from, from the customer's vantage point, what's changed, you know, in the two years since that?
Craig Patterson: Yeah, no, it's, it's a good question. You know, you look at the why. I think it's always good to kind of reflect back on the why. You know, why did Thoma Bravo, you know, put the two organizations together?
And so the thesis was this better together scenario, 'cause you look at, you know, historically what LogRhythm was known for, you look at what Exabeam was known for, and, you know, they really are sort of complementary when you think about the success that each had. So LogRhythm, you know, uh, Gartner Magic Quadrant leader from an on-premise perspective, you know, very good in the, um, you know, the use cases where customers prefer on-premise, you know, w- whether it be government, you know, whether it be certain, uh, geographical areas.
You know, I would use the Middle East, I would use a lot of, [00:02:00] um, areas in, in Asia-Pacific too, that still kind of prefer that, uh, on-premise scenario versus being in the cloud. You know, just more from a, um, you know, more from an adoption perspective. They're just not quite there in terms of cloud adoption yet.
So that was LogRhythm, and then on the Exabeam side, you know, kind of the opposite, right? So, you know, born in the cloud, you know, Gartner Magic Quadrant leader from a on-cloud perspective. And so the thesis really was this better together scenario to put the two organizations together. Own-- Each has its own strength to really create a situation where customers have, uh, the ability to migrate to the cloud over time.
And so that really was this thesis. You know, when you put two organizations together that are the same size, you know, literally the same size coming together, there's gonna be a little bit of friction, right? There's different cultures, there's different strategies, but, um, ultimately, you know, we're [00:03:00] now a couple years post that, uh, integration and I'd say, you know, I think the thesis was spot on.
You know, we're giving customers the, the opportunity now to migrate to the cloud. You know, th- they've got a very specific migration path. You know, plus it really is complementary in that there's not-- there wasn't a tremendous amount of overlap. So when you think about both organizations, both are, both are very much channel centric in nature.
You know, when you look at cybersecurity in general, about ninety percent of all services are sold through channel distribution. Well, the unique piece about this migration and merger was the focus geos were different, as I already said, but also the ecosystem itself was somewhat different. And so putting the two pieces together was very complementary, um, from the tech innovation perspective, from a channel ecosystem perspective, like all the pieces very nicely aligned.
And so, you know, I think all in all, you know, that [00:04:00] integration is difficult, but now we're starting to reap the rewards of that better together thesis.
Max Clark: There was a time where there was a lot of friction between on-prem and cloud, and, and it was almost became this, this joke, uh, or, or, um, you know, you know, in, in the space around people that wanted to have on-prem, you know, the serv- you know, server hugger, you know, mentality, so to speak.
You know, for, for people that were on-prem, that were in on-prem workloads now have this like, okay, you know, the future is cloud, and we've known this for a long time, and now we have a merger that really reinforces, like, the future is this pathway. How is, um, I don't wanna say, like, acceptance and adoption been, or, or re- re- really more like response?
You know, LogRhythm now has... If you were on a LogRhythm platform, you've got a much big capability suite available to you that just, you know, and here's, like, a roadmap now that we want you to follow. It's like you had this stuff on premise, now you have to, you know, do this instead, but you get these things.
So have you found, [00:05:00] you know, friction and pushback with that, with people who are still trying to stay, you know, "We wanna be on, on-prem. We wanna have our stuff here," or has it felt like a, a really natural extension to move, move forward with that?
Craig Patterson: Yeah, I mean, our philosophy there really is we wanna meet customers on where they are with that journey in terms of how they wanna adopt, you know, cloud services.
So, you know, if customers prefer to stay on premise, no problem. We continue to innovate the LogRhythm, uh, product capabilities every single quarter. Um, so no problem staying on premise if, if that's their desire. You know, if a customer would like to adopt cloud, obviously we support that as well. But there's also kind of the in-between scenario, you know, where, you know, from a SIEM perspective, maybe that technology lives on premise, but they want some, some cloud adoption in terms of some other capabilities, right?
And that could be, like, the user entity behavior analytics or UEBA, where [00:06:00] we can sort of build this hybrid path, right? Where they stay on premise from a SIEM perspective, give them some additional capabilities that can be delivered through the cloud, um, which kinda gets them s- moving towards that full cloud adoption.
So it's really just kind of being, uh, flexible, Max, you know, giving them- Mm ... the path and, you know, really kind of catering to their desires in terms of where they are in that journey.
Max Clark: Thoma Bravo is one of the most respected PEs in software in terms of assets and stewardship, but PE for customers is not necessarily a positive phrase that comes in when you're talking about a critical piece of infrastructure.
Um, and also, you know, PEs are buying platforms because they see a value opportunity. You know, is it merger? Is it efficiency? Is it growth? You know, there's, there's a playbook that they're looking for that ultimately ends up being, are we going to have an add-on transaction? Are we gonna exit with IPO? You know, how do we generate and recognize [00:07:00] profit for our investors as well?
So y- you know, when, when you're, when you're, when you're looking at it from, like, interacting with customers, you know, PE introduces a question mark for a lot of people. Like, what does this now mean for me? And how, how do you see that balance playing out, uh, in terms of, like, customer value and producing customer value and, and, and telling that story versus, you know, a reluctance or a fear that comes out of PE with a lot of people?
Craig Patterson: Yeah. No, I think it's, it's a very, uh, valid question. And I think there's always, there's always pros and cons. Um, so from my vantage point, I think it's been a very, uh, very positive things for customers because you look at the investment, right? And so now we have, you know, a, a private equity owner in Thoma Bravo that's very much focused on continued innovation in our platform.
And so what we've been able to do is get really laser-focused on creating [00:08:00] value for customers by focusing on the overall market itself, the capabilities that customers are looking for, and the outcomes they're looking to achieve. And so from, from my perspective, I think it's, it's positive in that it's really allowed us to focus in on the technical innovation, you know, really embracing AI, you know, into our platform, right?
Which drives pretty material outcomes for CISOs, which is what the market really wants to see in general, right? It's kinda moving from, you know, a situation of having all these tools, you know, assuming the positive things are happening towards actually driving outcomes, right? That can become measurable.
So I think just really fueling that innovation, you know, to help customers achieve the outcomes they're looking to get. And then secondarily, you know, I'd say it's really, uh, allowed us to focus on, you know, very critical components of our go-to-market organization. [00:09:00] So, like, as an example, you know, part of the strategy of this better together was really fueling this channel ecosystem.
And that's the reason why I'm sitting here today, Max, is, you know, as the, as the integration was complete, they knew that in order to really be relevant in the market, they needed to kinda reinvent and relaunch their entire channel ecosystem. So again, provided the necessary investment to really, uh, allow me to come in here and, you know, build a, a best-in-class, you know, channel ecosystem play.
So, you know, I don't really see a lot of downside. You know, of course, we're more strict in terms of our, you know, spending and, and where we invest money. But at the end of the day, from a customer's vantage point, it should be, it should be largely positive 'cause we're investing in all the critical areas they wanna see, whether it be go-to-market, whether it be innovation, whether it be, you know, building additional capabilities in our [00:10:00] overall platform.
Max Clark: Um, Exabeam is positioned as the largest pure play independent in the market, right? You know, the, this, this combination brings, you know, interesting and, you know, synergies and components together. On the other side, we have, you know, all the O- hardware OEMs. We've got EDR vendors. Everybody's trying to push, you know, e- expansion in mar- in, uh, in, in segment expansion through more capabilities and more integrations and more things, right?
You know, this company buys that company, this company buys this company, this company launches this functionality and stacks on top of it. So as you're, as you're, you kn- you know, from, from a customer, like evaluating this, right? Ultimately, you still get into this thing where it's like we need an EDR to feed data, you know, telemetry.
What else is feeding telemetry into our s- into our... What does the stack look like? How does this stack then, you know, how do we then action this stack, right? And, and there's a lot of platforms coming out, we'll get into this more in a minute, but that are really pushing, you know, this [00:11:00] kinda like holistic, bundled, you know, we have everything for you approach.
Now, I've, I've got my own view of that, but I'm really interested to hear, you know, your view on this now as you're selling in this market with, with people trying to figure out, you know, we've already got this firewall in place, so should we buy this, you know, fill in the blank marketing term that we're now using for all the rest of the software components into it versus going out and bringing somebody that has different capabilities, different roadmap, different push, very laser-focused in, in a, in a different segment of the stack
Craig Patterson: Yeah, very, uh, very good question.
And that's one of the biggest trends that's happening in the security market, right? If you look at, you know, the macro trends, this evolution from, you know, tools to outcomes, obviously a big relevant topic. But you nailed it, you know, the evolution of these platforms. You know, we're seeing a lot of customers really lean in on adopting these [00:12:00] platforms.
Why? Because I think it sort of en- enables them to reduce, you know, re- reduce, reduces like kind of the, the fragment and approach that they're operating in today by, you know, having multiple vendors for multiple different things, right? It sort of consolidates the number of tools, which really gives them the ability to drive the outcomes they're looking to get.
You know, our vantage point is, is that we want to really create differentiation, you know, in very specific areas of the market. And so you look at Exabeam, we're known for really two things, right? We're, we're known for our SIEM platform. Um, you know, we've invested a lot of money and time and energy to build a, a platform around SIEM, you know, our new scale fusion platform.
We could talk about that more. Mm-hmm. Um, so that's kind of the primary, um, line of business one, but that's a very, very competitive market, right? There's a lot of [00:13:00] companies that are battling for market share, you know, in that particular area. So very relevant market, you know, something we'll continue to, to focus on.
But where we're going, Max, is we're really focusing on the areas that we can create differentiation in the market. And so you think about the Exabeam second line of business, user entity behavior analytics We're the gold standard. And so we're the gold standard as it relates to, you know, helping companies solve the insider threat use case.
You know, that's really something to talk about because, um, insider threat isn't just protecting the humans anymore. It's also protecting the emergence of all these digital workers. And so that's, that's something we should dig into as well. But what we're focused on is that particular use case, because even if a company [00:14:00] chooses to adopt a platform play, you know, one of our competitors that have all the capabilities built in, you know, MDR, EDR, DLP, you know, firewall, all those things combined in a platform, they still need this capability around how do we protect against insider threats.
Because if you look at the world of security, you know, everyone's sort of been told this lie out there, and that's, "Hey, if I buy a tool, you know, it's really gonna... Another tool, another firewall, you know, put another blinking box in a data center, like it's gonna protect me against, you know, every bad thing that's gonna happen."
But it really hasn't, because the reality, Max, is that the majority of the risk actually comes from insider threat. In fact, like 80% of all breaches are due to, you know, insider, insider threats. And so we believe that's really the focus area for [00:15:00] us because we can, we can really create good differentiation in the insider threat capability.
And so- I, I- ... the way that works is we can help augment. So if a customer buys a platform, well, guess what? They still need the gold standard on user-based entity, excuse me, user entity behavior analytics, or UEBA, that we can ingest and integrate into the platform of their so choosing.
Max Clark: Okay. Craig, you've got me on three tangents already, so I'm gonna try to come down these one- Here we
Craig Patterson: go.
Max Clark: Here we go. Well, I'm, uh, we're, we're gonna, we're gonna come down one at a time here. Let's, let's start with I think the first one, which is like foundational here, which is the bundle, right? Let's just use Microsoft 365 as an example of the bundle. Microsoft's really good at pushing bundles. They know how to bring bundles to market.
They know what this looks like. They know how to entice people with it. And so we see E5 security and the Defender stack on top of, you know, on top of Microsoft, and you dig into it, and the first part of it, of course, becomes [00:16:00] if you're running Defender, you get Sentinel for free. I mean, it's not technically free.
You know, there are, there are limits. There's some, you know, caveats for free. But from a, from a buyer's perspective, SIEM has always been very expensive, 'cause you're, first off, you're trying to figure out how much data is feeding into it. Like, well, like how much data do we actually have going into our SIEM?
And you're like, "Well, we don't really know until we turn it on." And then you're like, "Okay, how much is it gonna cost us, and what does this run rate really look like?" And compared to the other side where you're like, "Oh, you know, this thing is free," in air quotes again, right, over here to the side, like sneaky, sneaky free.
You, you touched on this a little bit, right? But when, when you're, when you're s- you know, ultimately you're selling up against this, and you're positioning up against this, and you're talking about capabilities that are not, that are not present in these other systems. So kind of like two, two questions here.
Like, what i- what's the effect of positioning against this, like, idea of, like, single platform bundle? And then the second part is, for the customer, does that mean that you're a [00:17:00] Rip out Sentinel or another SIEM, or are you a coexist on top of ingest from this is how you solve this gap in your- Yep ... in your capabilities?
Craig Patterson: All right. So if we break that question down, there's a couple- It's a lot ... different answers. Yeah, it's a lot, but I love, I love it. It's, it's really good conversation. So I think there's a couple different ways to take this, uh, response. You know, the first is kind of go... reflecting back to what we talked about earlier, and that's the notion of kind of moving from tools to outcomes.
And so you asked the question, like how do we position against some of the competitors, and that's exactly what we do, is we really focus on the outcome piece. And so a couple things I would highlight there in terms of the capabilities that we're positioning that help differentiate us against the Microsofts and, and the others that are out there is, you know, really driving those outcomes.
And so the first, you [00:18:00] know, you think about the SIEM market, and you think about customers trying to really prove value. And so- Mm-hmm ... imagine you're a CISO, you know, and the CEO says, "Hey Max, how are we doing? How's our security posture? Are we getting better?" And you say, "Yeah, we're getting better, you know, we bought all these tools."
And then his next question is, "Well- How do I know that's real? Mm-hmm. How am I actually able to measure a tangible impact, and how can I quantify that? And you're like, "Well, I think it works 'cause I got all these tools," right? And the reality is, um, a lot of CISOs today struggle with this. You know, they struggle to correlate how we're actually adding value.
And so what we've really focused on tackling this issue, and so within our tool, something we're really proud of is, is this thing called Outcomes Navigator. And so if you're familiar with the [00:19:00] MITRE ATT&CK framework, so the MITRE ATT&CK framework for those people out there that are, that are not, is kind of the playbook that criminals use.
Like these are the, the categories in which they attempt to create breaches, and there's like 14 different categories, and there's different techniques that exist beneath. And so it's like, you know, the why. So as an example, it would show the why, and that could be something around ga- gaining initial access, getting into, you know, the company br- the breach itself, and then the lateral movement, kinda moving along the company, throughout the company.
That becomes- Mm ... the lateral movement. And then there's like the, the exfiltration, which is like taking the data, which is what everybody's, you know, very, very scared of. And so it kinda correlates the technique, you know, and it correlates, um, the why, so the, the chapters of the playbook. And [00:20:00] so what we've done is we've taken this Outcomes Navigator to define the playbook, so all these different ways in which criminals act, and then it creates a tangible correlation to the company's, you know, security posture.
And so what does that mean? Well, it measures all these security outcomes every single month. And so now when the CEO says, "Hey, Max, how are we doing against, you know, this specific technique?" Like- Mm ... and you can say, "You know, I can tell you with absolute certainty that we're performing well because we have Exabeam's Outcomes Navigator built, and I can tell you specifically our ransomware coverage right now is 65%.
And while that's good, we have a plan to make it better because our roadmap is to do these certain things to improve our overall coverage on that [00:21:00] particular, uh, technique." And then it measures it week over week, month over month, and so you can show that quantification back to the CEO to say, "Hey, we're actually improving on our overall security posture on this spec- on around this specific technique."
And so it really kinda takes that notion of correlating, you know, moving from a tool to an outcome So that's one way that we're really kind of positioning, um, ourself in the market to be, to be better. So this-
Max Clark: I've, I've, I've had a version of this conversation over the years, which is, y- you know, there's a lot of, lot of security practitioners that try to come up with these frameworks, right?
Like, you know, where are you on the maturity model and where are you on this? Yep. And they come up with these like, oh, you know, and they try to quantify it to say like you're one to 10, and you're like, "Well, what's the difference between a three and a four," right? Like really. And, and you have the conversations with, you know, with end users that are trying to figure out how to improve their s- their [00:22:00] posture of their company, defend their business.
And, and the tension that I see all the time is trying to quantify what is meaningful increases in our security posture against what is the cost of that, because security spend is not revenue accretive, accr- you know, I'm s- I'm just pronouncing that wrong. My, my brain's just not gonna, just gonna... It's not getting there right now.
You know, but you know what I mean? Like you don't go out and buy a security tool and increase your revenue 10%. Like you're defending your revenue, you're defending your reputation, you're defending your brand, you know, you're... But you're not. But you, but at the same time it's like, oh, we have this tool.
It's like y- you, you... There's not a, also not a direct correlation to like, okay, now we're, we're, y- y- we've, we've eliminated these risks 100%, right? Like it, it's, it's this... There is, there is a certain amount of like fluidity into this space around, you know, what's the return or what's the promise that people are actually going out and buying, and how do you position and, and, and facilitate that?
Craig Patterson: Yeah. It's a good question. You know, and that, that sort [00:23:00] of weaves in the second outcome that we look to achieve, right? And this is another way that we sort of differentiate ourself. And so within our tool we built, we built a capability that we call Nova, which is basically our AI engine that- Mm ... executes and performs within the tool.
And so, you know, it works directly with, you know, the SOC analysts, the SOC managers, the CISOs to help them, you know, kind of fine-tune their security posture across that MITRE framework. You know, kind of gives them a roadmap. You know, "Hey, based upon what we're seeing as we analyze all these particular logs, you know, and we're looking at this MITRE framework, here's some tangible steps you could take to improve your overall security posture."
And so, you know, while it doesn't, you know, correlate the value back to, you know, the cost of a breach or anything like that, it does correlate the value in terms of how they're improving their [00:24:00] security posture. Um, which is one thing. The second thing is when you look at the tool itself, it really provides the ability to improve overall efficiencies.
So basically, you know, what we do is we turn a, a good SOC analyst into a great SOC analyst. And like you think about the problem that exists today in cybersecurity, like there's this mass shortage of talent that's available out there. And so, you know, by improving efficiencies, by improving the overall, you know, kinda mean time to, um, respond to these critical events, like we're also able to provide value.
And so the way this kind of this Nova framework works is, you know, typically what happens is like in a manual SOC, there's all these different alerts going on, right? They have to be investigated by a SOC analyst. And this, the new Nova way sort of [00:25:00] becomes this AI detective, right? Mm-hmm. And it sort of, it sort of investigates these alerts and helps to kinda triage things in a way, um, to help these SOC analysts, you know, improve their overall response time and also kinda shorten that investigation, in-inves- investigation time.
And basically what it does is it sort of correlates all these events together. And so like, you know, imagine a situation where there's this impossible travel sort of alert that gets created.
Max Clark: Mm-hmm.
Craig Patterson: And when we say impossible travel, what we're talking about there is this is more like behavior analytics, but hey, you know, Max typically logs in from Texas every single morning.
While all of a sudden, why is Max logging in Romania? Like that's very, that's very, um, unique for Max. And so that sort of creates this- Mm-hmm ... this risk profile that gets investigated. And so like the old way, [00:26:00] like these SOC analysts would have to kind of swivel between all these different tools. They have to look at like their, their, their endpoint logs, the VPN logs.
They'd have to look at to see if there's any EDR alerts, things like that. And then try to correlate things together in sort of this, this timeline to put all the facts together. And then, you know, what they do is they sort of go through this process. They try to correlate all these events together. They kind of brill- build out this, this incident, uh, response report, you know, that gets escalated to their supervisor.
Their supervisor then has to look into the situation to say, "Do they get all these facts right? Do, does this correlation make sense? You know, is there, is there actual risk here?" It takes a lot of time, my friend. It takes a lot. And so what happens now in this new world is Nova takes care of a lot of that, you know, administrative task itself.
You know, it automatically correlates, you know, all those [00:27:00] different log sources. It's automatically looking to say, "Hey, did Max get an email that maybe was phishing in nature, or maybe his credentials could have been compromised to cause this impossible travel?" And so we start to correlate all these different log sources to create this timeline of events, um, to create that, that clarity and visibility so these, these, uh, tickets can be investigated.
So, you know, what we found is y- most times these SOC analysts, they spend on average, you know, 45 minutes to an hour kinda correlating all these things together in this manual process. And by, you know, building out this AI capability around Nova, you know, we take that timeframe of 60 minutes or an hour literally down to five minutes.
And so now you think about what is the impact, and kinda going back to your [00:28:00] question, we can move much faster, and now you think about the risk and what we're able to actually stop. Mm-hmm. And so that impossible travel person, you know, maybe they were trying to exfiltrate data. Well, now because we can respond in five minutes, we can, we can take action, we can shut that down, and we can actually stop that breach from, from actually happening.
Max Clark: Okay. One or two more questions on the... I've got so many notes here on AI. Let me... I'm gonna finish this, this thread and then, and then dive, dive really into the AI here. You mentioned earlier, um, you know, tool sprawl, right? So we have this idea of, like, tool sprawl and then convergence and then bundling, right?
So, uh, y- you know, like Flatly is, you know, m- monoculture with a single security vendor and deploying everything within their stack, is that in itself a security risk for a company at this point?
Craig Patterson: Love this. Love this. And I think this becomes the biggest blind spot, the biggest [00:29:00] blind spot for every single organization, because again, 80% of these breaches are, are being caused by insider threats.
And so this is the blind spot for most companies that adopt these platforms, is they don't really have the insider threat capabilities built into those platforms.
Max Clark: Mm-hmm.
Craig Patterson: And so one of the biggest use cases that we see every single day is companies trying to solve that blind spot. And that is they love the platform, they love all the capabilities, but they gotta fix that one particular blind spot.
And so the way we do that is we just, we, uh, we, you know, we coexist. We coexist with those platforms where they simply ingest our UEBA, and we can solve that blind spot in terms of what's happening on insider threat. And there's really, like, there's four main parts around insider threat when you think about what's happening.
There's the villain, right? And that is the malicious insider. Mm-hmm. Malicious insider is trying to do [00:30:00] harm, right? They've, maybe they've accepted a job at a competitor and they're trying to exfiltrate data so they have their customer list that makes them successful kind of in their new role. That's just one example of what we see around that.
Um, the second use case is around the, the, the, the person who's sort of accidentally creating risk.
Max Clark: Mm-hmm.
Craig Patterson: Mm-hmm. Right? And that is, you know, they, they've clicked on an email, right? They've done something which has given access to the bad guys. And so it's kind of n- negligent, right? They're not bad people, but they, they made a, they made a mistake.
Max Clark: Mm-hmm.
Craig Patterson: And then the third is the compromised insider, right? And this is the one that's gained the credentials. And so this is one that's very difficult to detect because they have the credentials. And so when they're looking [00:31:00] at a lot of their log sources, they're seeing Max log in.
Max Clark: Yep.
Craig Patterson: It looks like normal behavior, but it's the things that are happening inside the organization which we can start to kind of really pinpoint.
And so- You know, a cou- ... those are the three-
Max Clark: A couple of decades ago, I think it was Sans, you know, uh, the first time I remember reading this, it was talking about what are the actual top 10 threats for a business, right? And it's, and the, and the l- they've, they've changed the wording. Like, you used, like, malicious, like, these different things.
And what, what really stood out to me then and still stand out, stands out to me now, it's like accidental acts or malicious acts, like intentional versus accidental acts. And, you know, as an IT practitioner, there's always this, like, tension between the IT teams and then the employees, right? And we, we send out all these, like, security awareness training, like mandates now where it's like you have to, like, we're gonna try to phish you and like, "Aha, got, we got you," you know?
You see this, you know, prevalent in a lot of organizations. But you're like, you're up against professionals who make a living out of [00:32:00] doing these things. And it's like, you know, people get into this idea of, like, targeted versus non-targeted and, like, you're on the internet, you're targeted, right? But, like, when you're, when you're...
Like, you're dealing with you're professionals that are, that are trying to do something to then generate revenue and income for themselves Like you, you've got no sh- no chance. Like that line between, like, intentional versus accidental acts internally, uh, y- you know, it's not to say that we're like, y- you know, the user is the risk and we have to protect against them and we have to like, you know...
Y- it's just like they're, th- they're a soft spot, right? Like it's just the easiest path to compromise now from a, you know, most, most attacks, whether it's email vector or this vector or that ve- Like that almost doesn't matter anymore. It's like this is the we-- You know, this is just it. This is what you go after.
Craig Patterson: 100%. And this becomes the whole behavior analytics piece, and this is the blind spot. And so what needs to happen, like, is to really kind of profile the entire organization to [00:33:00] understand what normal behavior is- Mm-hmm ... so then we can see when things kind of fall outside of that. And that's exactly what we do, and that's how we coexist with all these platforms, is we become that, that behavior analytics.
And so we profile every single person within an organization to understand what normal behavior. You know, what are the normal applications they're logging into? What is the normal time they're logging on for work, you know? And then geographically, where do they typically work? You know, what, what, um, you know, what applications do they use?
You know, what prompts are they using? Like we can sort of correlate all these things to create a profile. And so then, you know, if they, they are compromised, right, it'll still work because we can start to see if they start acting outside of, of the norm. And that's the big thing, Max, is like most companies don't really have these capabilities today, and this becomes the big blind spot.
And [00:34:00] this whole insider threat thing is, is terrifying, but what's really terrifying is the notion of like this synthetic impersonation. And so the rise of digital workers-
Max Clark: Mm-hmm ...
Craig Patterson: where these digital workers actually start to mimic behavior of like, this is what Max normally does day in and day out, so I'm gonna do this like synthetic impersonation so I can, I can mimic his behavior.
And so you think about that blind spot where most organizations don't have user ba- you know, the, the behavior analytics built in, and now all of a sudden I've got a situation where I've been breached by a compromised insider who happens to be a digital worker who's now impersonating my employees, which make normal behavior analytics almost difficult to, to, uh, to trigger.
So it's,
it's
Craig Patterson: pretty fascinating.
Max Clark: Okay. So this is the... This, this is a great segue into AI here, right? Um, and, and let's, let's, um, let me, let me think how to partition this, right? So AI, I, I think about AI, [00:35:00] like, on three fronts, right? Like, listening to your conver- you know, listening to this conversation and, and walking into it, right?
We have, um, you know, AI driving advances in the defensive stack, right? What's the actual security suite? How do we leverage- Yep ... AI to improve the security suite?
Craig Patterson: Which that's Nova. Right. That's the
Max Clark: Nova
Craig Patterson: piece.
Max Clark: The, so then you have, of course, AI that's driving adversarial capabilities. You're just talking about synthetic workers, like how do we do better phishing campaigns?
How do we do personalization at scale? How do we do, you know, all these sorts of things, right? So speed and capability on the attacker side. And then there's this third thing, right? Which is now the digital worker, the agentic experience inside of the enterprise. So you've got this, like, you know, three-pronged You know, AI pressure coming into an enterprise.
And, and when you, when you, when you... Now from a, like a Exabeam strategy, right, you have to layer all three of those into a conversation with a customer, right? Like, "Here's our AI to help you. [00:36:00] Here's what the AI, you know, here's AI that's attacking you, and here's AI that you're using, and this whole thing is now AI."
And, um, you know, you know, so like how, how do you see this landscape, you know, continuing to evolve, you know, I mean, short term, right? Like over the next six months, uh, you know, is probably as far as we can predict out here. And, and, uh, you know, so how is it evolving the landscape, and how does that position Exabeam into the market with a customer conversation?
Craig Patterson: Yeah. This becomes the, the, the, the extreme differentiation in the market. So you, you asked earlier, like, how we're gonna be able to compete and differentiate ourself. This is it, my friend. This is exactly where we're focused. This is where we're spending a lot of our energy and time on innovation, um, because this is the, the new frontier of risk, right?
And so, like, overall, you know, Gartner predicts, you know, 50% to 60% of all, uh, enterprise companies will have some level of AI agents deployed within them, you know, [00:37:00] over the next two years. And so this becomes the biggest blind spot for every company is, you know, how do we protect against the emerging threats that are now caused by these AI agents?
And really it's like how do we put these guardrails in place to ensure that our AI agents are not acting rogue? And so, you know, really the, the, the, the strategy we're taking is almost to, you know, view these digital workers as, uh, another insider potential risk. And so we built a brand-new capability, which is called, um, Agent Behavior Analytics, which is basically looking at the behavior of all these AI agents that get deployed.
So again, massive, massive market opportunity, something that every single company out there is gonna be dealing with. Okay, you know, I'm, I'm being told we have to deploy AI, right, by our board. We wanna gain efficiencies. You know, we're trying [00:38:00] to measure the outcomes to make sure the strategy's actually driving the right results, but how the hell do we protect against it?
Mm-hmm. This becomes the massive problem that everybody's trying to To solve. And so what we've done is, you know, we've profiled... We're using the same kind of UEBA technology to profile the behavior of the, the AI agents. And so the first thing that we do is, like, each a-agent within an organization gets this unique entity or, um, identity.
So it's no longer, you know, "Hey, we've got this particular AI agent." Well, now we know this AI agent is specifically doing these tasks. Like it becomes, you know, marketing automation agent number one. And so, you know, each AI agent gets its own identity within our platform, so we can sort of measure and correlate the behavior and specific things.
And so then it's like, you know, [00:39:00] we sort of learn its normal day, right? It's, it's, it's all about watching it and understanding the behavior of those AI agents. Like what systems are these AI agents talking to? You know, what commands are they running? You know, what time of day are they operating? And so, like, for example, let's say there's finance bot number seven.
You know, we, you know, we learn that it should be looking at sales data from Salesforce, but it should never attempt to try to connect to our source code repository, right? It should interpret the Salesforce data, but it should never attempt to go create, um, and recode our so- our source code. And so then it's like we try to detect an, you know, we try to detect and alert on those deviations.
So the moment we see that agent do something outside of its normal routine, [00:40:00] there becomes the risk indicator. And so it really kind of flags that anomaly in the same way we would with a normal human. And so the outcomes that we're really focused on, I'd say, are, are kind of like two main, two main areas.
Number one is, like, really setting up the guardrails. You know, by leveraging our ABA capabilities, it gives the guardrails to kind of safely adopt AI innovation, right? And so it gives them some safety precautionary measures so they can deploy this and feel comfortable that they're not gonna create additional risk in terms of their security posture.
And then the second is probably the most important thing is that speed. Because, like, you look at these catastrophic breaches, right? And, and the overall impact that these create. You know, like a compromised human, like they could [00:41:00] steal a couple hundred files But an AI agent that's been compromised, well, guess what?
It could steal everything. It could steal your entire customer database, your intellectual IP, in a matter of minutes. And so, like the overall speed and the damage that's created through these AI agents is so much more significant. And so if we're able to, to kind of see and correlate those anomalies and what these AI agents are doing, like we enable these companies to take action to stop those catastrophic breaches.
Because you look at historically what's happened, you know, in some of these financial institutions, like you look at, there was a big one many years ago with Equifax. Well, everything got stolen, right? Their entire customer list, all the security or Social Security numbers, everything got breached. And that was pretty massive, and it caused obviously huge damage [00:42:00] for, for Equifax.
I don't remember exactly, but I think it was something, you know, $600, $700 million in, in damage that they had to pay out. So like when you think about the, the outcome here is like you're trying to prevent against those catastrophic breaches, which the AVA capabilities do. And then the third piece is, is all about, you know, really creating clear visibility and, and accountability.
You know, 'cause it's like you've gotta understand very quickly, you know, without a shadow of doubt, which AI agents are, are creating the risk. And so you kind of eliminate all this finger pointing inside. So those are really some of the, the outcomes that we drive through our AVA capabilities. But I think most importantly, it's giving companies like the, you know, giving them a little bit of protection as they adopt AI, you know, every company's doing it, and then really creating the [00:43:00] visibility, transparency on what's happening with their AI agents, plus protecting against those catastrophic events.
Max Clark: I, I flagged a couple of, of, of, of tidbits you've said here, right? You, you talk about- Reducing the time for SOC correlation drastically, right? 90% reduction in time approximately, right? You, you talk about, um, solving blind spots in existing tooling and capability. Um, you know, when, when, when I th-think about this, when somebody is evaluating you, right, really we're talking about is capability that they're gonna give into their SOC team, whatever their, their SecOps teams are.
Is this dominantly like are we seeing, you know, are you seeing this as like is it a cost reduction? Is it throughput? Is it capabilities, detection quality, correlation? You know, um, uh, going after risk they don't have a, a way of accomplishing today. Like what, h-how, how [00:44:00] much of what, you know, of, of these different swim lanes become the actual like buying trigger for people?
And, you know, and does that shift based on segment or industry or, or size of the organization on the back, on the backside?
Craig Patterson: Yeah. The answer is yes. All the above. All the above. I mean, every customer's different, right? Mm-hmm. Every customer's different in terms of the, the problem they're looking to solve.
So, you know, I think we talked about a lot of these use cases, right? I mean, a lot of companies are really trying to prove value, so they're trying to correlate, you know, how we actually improving our security posture. I mean, that's, that's done through our, you know, our, our Outcomes Navigator capabilities.
So we see that resonate a lot. In fact, like we've had a couple examples where, you know, companies are trying to prove value and, of course, you know, every time we get into a renewal situation, it gets [00:45:00] competitive, right? And there's always someone that's coming to prove or claiming they have a better, a better tool, a better mousetrap, right?
Like, everybody always makes those claims. But there was a recent example where we were kind of in this very competitive renewal situation, and the CISO kept coming back to say, "Well, guys, I'm really... I just, I've gotta prove value. I've gotta prove value." And no problem, like, "Where is your biggest blind spot?"
And so we started talking about their security posture, and they start naming a couple of these use cases. Okay. Let's, let's show you a real live example of how we view you today on those particular use cases. We log into the tool, we show them the Outcomes Navigator piece, how it integrates with our Nova capabilities, how it gives them a roadmap to continue to improve its posture.
Gets some really good feedback from the CISO. He gets some tangible actions he can start to take. [00:46:00] He goes to implement those little bitty things, and guess what? We have a, a, a revisit a month later, and guess what happened? His security posture improved on that particular use case.
Max Clark: Mm-hmm.
Craig Patterson: So guess what happened.
Immediately, immediately, value created, goes back in, proves the value to his CEO, and then it kinda swivels away from, like, being a monetary conversation to more focused on value and, like, you know, us helping to solve that particular pain point. So I think that's one thing that we see is just really kind of focused around those particular outcomes, is really kinda helping companies identify the value, and that's really kind of the outcomes navigator on the, you know, the overall SIEM play.
But if you think about the conversation we just had and that big blind spot that most organizations have today around insider threat and the fact [00:47:00] that it's the Wild West and every single company is deploying these AI agents at a rapid pace without any regard to the complexities they're creating or the additional, um, you know, risks they're creating for their companies, like, this is the, the use case that we're very focused on because this is how we're able to create the differentiation in the market, is, is really focusing on that particular use case.
Max Clark: AI has become its capabilities, right? It's integral to your product. And then AI is also now a marketing term that every company is going to do. I mean, every single company that a buyer is evaluating at this point is gonna have AI stamped on it in some way or another. Um, what would you tell those people to ask when they're trying to evaluate a vendor and separate the wheat from the chaff of like, is this real?
Is this not real? Am I getting value out of this? Am I not getting this, you know, value? Are you just,
Craig Patterson: like, fudging it like, "Oh, we've got AI because we've integrated with [00:48:00] some chat LLM"? Y- you know, how, how do people navigate
Max Clark: this? This show exists because of what we do at itbroker.com. If you're in the middle of a real tech decision right now, new technology, vendor selection, a contract that doesn't feel right, an M&A event that just landed on your lap, and so on, we help buyers like you get it right.
Independent strategy, sourcing, and contract negotiation. No kickbacks, no sales quotas, just someone in your corner. Schedule a call at itbroker.com. Back to the episode.
Craig Patterson: Yeah, I think it's, it's more about don't confuse activity with outcomes.
Max Clark: Mm-hmm.
Craig Patterson: And so you're right, everybody in the world, y- if you were at RSA and you walk down the halls, I think it'd be easier to find a booth that didn't have A- AI capabilities listed, because the majority of all vendors had, you know, AI, like, built within their strategy.
Um, but I think it's really challenging vendors, you know, not [00:49:00] on their, their AI strategy itself, but, like, how it's actually gonna create a better outcome for me as a customer. Again, like, looking at, you know, how do I improve my security posture? How do I protect against the blind spots? How do I improve my, you know, my, my mean time to respond, or how do I improve my overall TDIR, um, strategy?
Like, what are the tangible outcomes that I can derive by leveraging your AI platform? Because mo- a lot of vendors today can't answer that. They can't actually answer on how their AI is gonna make you better. And so, you know, if, if I was evaluating, um, a solution, that's really what I'd zero in on, is just, like, how do I correlate value back to outcomes?
Max Clark: Mm-hmm. Um, for a long time, SIEM has been the, the, the integral integration point to feed all data into it, and then there became this, like, blurry lines of SIEM [00:50:00] and what was a SIEM and what wasn't, how do you go from data collection or l- a- you know, analytics or, you know, data lakes, and all these people trying to be like, "We're also a SIEM."
But at the s- and at the same time, you see EDRs trying to come up stack and saying, "Hey, you don't need a SIEM because it's already in our platform. We have this, like, SIEM-like functionality." Uh, you know, you know, and so, like, there's a lot of blurriness that's going on and, and confusion that gets created when you're actually trying to evaluate, like, how do you piece these things together?
Y- you know, so when you're, when you're talking with organizations, and on one side they've got, you know, whatever vendor and they're saying, "Hey, here's our EDR. You no longer need a SIEM," and you're over here and you're saying, "Well, fundamentally we're the SIEM, but we have capability on top of that requires us to..."
I mean, what's that, what's that conversation? How do you explain the role of, of, you know, where Exabeam fits in this puzzle against the like, "Oh, you don't need this tooling because we can already give this to you in this bundle"?
Craig Patterson: It'd be ki- it'd [00:51:00] almost be like, you know, saying, "Hey, you know, the brain is important, but I don't need it."
You know, because that's really what, what's being positioned. Because when you think about the role of a SIEM, it really is the brain in terms of the, the SOC operation. I mean, it's, it's, it's the tool that's being used to really understand what's happening by analyzing the, you know, thousands or millions of events that are happening every single day for these, these companies.
So I think it'd be very difficult to ha- you know, to be able to operate in life without a brain. And so I think it's a kind of a funny, it's a funny comment, but I think it's very, very real. And so I think there's always gonna be a need for companies to really have a SIEM capability. I mean, otherwise it's too difficult to really understand what's happening across their entire security posture.
And then secondarily, like even if you have a good EDR platform, you still got that massive blind spot as it [00:52:00] relates to what's happening on insider threat.
Max Clark: Mm-hmm.
Craig Patterson: And I think that's the most terrifying thing, is like if you... You're completely flying blind if you have an EDR and you're not really focused around that insider threat capability.
And then of course, you know, then as they adopt the AI capabilities, they're just, they're even worse
Max Clark: Um, so from my s- seat, with the exception of compliance or customer requirement, you know, there, I don't see direct correlation between security investment and revenue for most companies, right? Like, we see cases where a customer will say to them, "We're not gonna sign this contract or do business with you as a vendor until you meet X, Y, and Z," or maybe you're moving into some sort of regulated industry and you need to have, you know, certain boxes checked in order for you to conduct business there in the first place, right?
So direct, like, "We need revenue. This is what we need to do in order to get it. Okay, go get this thing so we can go get the revenue." Outside of that, you know, y- I, I love your answer about creating value within organizations, right, and outcomes, but there still becomes... There's, like, this friction around [00:53:00] ROI and TCO.
Like, at some point, you know, like, this became, like, the gold standard of, like, we have to qualify everything around ROI and TCO, which, uh, uh, I'm not... Actually, I'm gonna try not to go down this, this segue too much. But for security, the TAM is effectively every computer, right? Like, every computer needs security posture.
But then there becomes this, this limited SAM. You have a, you have a smaller addressable market because these are companies that have actually realized, like, "We actually do care about security, and we need to deploy security." And y- you know, so how do you expand? Like, how do, how does this, from a, from a security vendor, outside of somebody coming to you and say, "Hey, we've decided we need this capability because of whatever event has happened," or, or, "Our neighbor had this thing," or, "We saw this breach," or, "Compliance has forced it," how do you expand the addressable market of people that are actually out buying and evaluating these tools and looking at these things and thinking like, "Hey, we've got this EDR.
Maybe we have this other SIEM pl- that was bundled into it. It doesn't give us these capabilities." Y- [00:54:00] where is that, where is that... How do you, how do you, you know, help them through that process of understanding, like, UEBA is really important to you, agent security is gonna be really important to you? Like, not on a fee- but, like, to the point where they're actually going to sign a contract and in- invest dollars in solving these problems.
Craig Patterson: Yeah. So, I mean, I think the first thing is around y- you mentioned kind of the overall market opportunity itself. Like, and I'm a big believer in segmentation.
Max Clark: Mm-hmm.
Craig Patterson: Like, you always wanna understand, obviously, the customer profiles that are buying your services. You know, what do they look like, and is there any variance, uh, region by region?
So it's a big exercise I've been involved in, you know, looking at our overall customer segmentation. And then what I found is, you know, you've gotta be careful in terms of how you position those products and services and capabilities across those various segments. It's not a one-size-fits-all approach.
Mm. You know, [00:55:00] many times you have to make packaging, pricing differentiation across the different customer profile and, and segments. And so- What we've done here is, you know, we kinda have two different customer segments. We have our commercial side, which basically we define as customers that are twenty-five hundred employees or less.
And then we have our enterprise segment, which is customers that are twenty-five hundred seats or greater. And so within those customer seg- segments, we have, you know, specific product, a product strategy that aligns to those customer segments. And so we sort of like get away from this one-size-fits-all approach and sort of work on packaging, pricing, value proposition for those different customer seg- segments.
And so we've tried to eliminate some of those friction points for customers as they, they, they go through this adoption phase by making sure at the end of the day, what we're trying to deliver to them actually aligns [00:56:00] to their specific needs. And so, you know, that's one thing in terms of what we've done in the market.
The second is we've really tried to, uh, be very focused around this, this channel ecosystem because what we found is, you know, most, like I said earlier, if not all, um, transactions kind of flow through this, this partner ecosystem, and that's sort of evolved as well, where it's not like, you know, you and I have known each other a long time, Max.
Um, you know, the days of, you know, one partner being involved in a deal, you know, that still happens, but I think for the most part, we're really kind of moving in this ecosystem-type play where there's multiple partners in every single transaction. Each partner kind of plays a more specific role, right?
So you have your, your traditional security VAR that's working with customers, both in the commercial and [00:57:00] enterprise segment, to understand the problem they're looking to solve And then you have your distribution partner where the security VAR kind of works through. They-- That security or that distribution partner helps a lot with deployment and implementation.
And then you have your MSSP partner who also helps on the management side. And so all these different pieces are kind of working together in this overall ecosystem. We believe there's something like six to seven partners involved in every single, single transaction. And so your question was like, how do we help customers on adoption?
Well, one, it's the product capabilities, making sure they align to the market. But secondly, it's making sure that we have really built this ecosystem to help customers, you know, really, uh, embrace the technology, make sure they get value, and make sure they get, um, you know, the overall management and implementation of those [00:58:00] services.
And that's, that's derived through this channel ecosystem. So it's really understanding that lifestyle of a customer and how, how they buy, you know, how they, uh, interact with us across their entire, the customer journey, and then making sure that this ecosystem is there to support that customer across all those various stages of that, that buying criteria.
And I think that's the difference for us versus many others, is that we really have adopted channel as our primary route to market, and we understand channel is the, the operating model to scale. Mm-hmm. And again, that's the reason why, you know, we're having success. That's the reason why if you look at our pipeline creation, it's up significantly year over year.
It's 'cause we're adopting, you know, that channel ecosystem, which in turn provides that value, you know, that adoption, those capabilities to those end user customers.
Max Clark: So you mentioned partners. LogRhythm, you know, was for, you know, on-premise for enterprises, but it was also foundational for a lot of [00:59:00] MDR vendors and, you know, MSSPs taking product to market and offering the service to, you know, to end users.
Um, now the combination and the intro-- you know, of Exabeam and now this cloud platform and capabilities I, I mean, you're rewriting the playbook now for your MSSP and M- you know, MDR partners with capabilities that they have available via Exabeam that now they can take to their customer as well, right? So that, like, line of, like, you know, what are you contracting?
What's the service delivery? What's the value creation, right? Like, how do you see that changing go-to-market and, and your partner integration with MDR and MSSP part-- you know, companies that are running on top of Exabeam?
Craig Patterson: Yeah. Yeah, this, this was the fun project that I was, uh, tasked with coming into the organization.
Um, but what we see, I mean, the MSSP partners are s- are incredibly value- valuable to our overall ecosystem.
Max Clark: Mm-hmm.
Craig Patterson: You know, we see an MSSP attached [01:00:00] almost 50% of the time.
Max Clark: Mm-hmm.
Craig Patterson: Right? 'Cause you think about the complexity of, you know, transacting with SIEM and UEBA capabilities, that's a, that's a complex, um, value proposition.
But what's more complex is, like, how do I actually get value with these tools? And that becomes the role of the MSSP partner 'cause they're the ones that actually can deliver value, make sure the customer achieves value, leveraging th- that tool set. And so, you know, you look at the two ecosystems, as you mentioned, they were wildly different.
You know, you had a lot of partners that were very much focused on on-premise capabilities, you know, paired that with e- the Exabeam ecosystem, you know, very much focused on in the cloud. And both programs were sort of, um Underdeveloped is probably the best way to describe both of them when I came in.
Like, there was a, there was an [01:01:00] overall channel strategy somewhat.
Max Clark: Mm-hmm.
Craig Patterson: But it really wasn't built into this overall framework in terms of how the company could achieve scale. And so, like, when we came in here, we were very careful. You know, I came in, I really wanted to understand what the perspective was of all these legacy LogRhythm partners, what the perspective was of all the legacy Exabeam partners.
But you kinda have to, you have, you have to balance that with what's happening in the overall market. And so I spent a lot of time when we came in here to really do this assessment phase, kind of understanding everyone's, uh, perspective and opinion. And so what does that mean? I went out and did a bunch of time-- I spent a bunch of time having conversation with our top-tier partners on the Exabeam and LogRhythm side to get their perspective.
I did a lot of broad surveys so I could get the entire voice. I've got 3,000- Mm-hmm ... partners around the [01:02:00] globe, so impossible for me to interview them all.
Max Clark: Mm-hmm.
Craig Patterson: But, uh, you know, I can kinda survey them, and then you kinda balance that by what's happening in the market itself. And what I've, what I sort of started to see and notice was there was a lot of common themes that I was seeing through the conversation I was having with partners, but also the trends that I was seeing in the overall market And to give you some examples of that, you know, at the end of the day, you know, customers really wanted more value, or partners wanted more value in their customer engagements.
And so, you know, historically a lot of these programs have sort of been focused on, like, what happens at the point of transaction, but I think they've been less focused on, like, how do I support that, that partner across the entire customer life cycle?
Max Clark: Mm-hmm.
Craig Patterson: So important. And so what does that mean? It, it means kind of rethinking the, the financial incentives in a way [01:03:00] that provide value for partners across that encire- entire customer life cycle.
You know, so what happens at the point of deal registration? Like, what happens at the point of that first transaction? What happens at the point of retention and renewal? What happens at- Mm-hmm ... upsell, cross-sell? Like, these are all very important milestones that should be considered as you build out this, this value-based, um, package for partners.
That was one thing, is just kind of rethinking the entire financial incentives. But the second, I think is the most important thing, and that is, like, partners really wanna become better. And so when you think about that, it becomes this whole strategy around enablement. And so we sort of, kinda started headed down that path, like, how do we make partners better?
And the feedback I was getting often was, you know, most companies have some [01:04:00] level of enablement that's in place, but it's these old school LMS platforms-
Max Clark: Mm-hmm ...
Craig Patterson: that don't correlate competency level to enablement. Yeah. You're laughing because I know, I know- Oh ... this is exactly what you're thinking. And that's like, you know, let me ask you the question, Max.
How do you get certified? If you had to log into an LMS platform, like, what is that process like?
Max Clark: It, it's such a waste of time. You know, like, I, I mean, look, I, I mean, this goes back for me almost three decades now, right? Working for, for VARs where, uh, you know, it's important for channel of course to say, "Hey, we have X amount of certified salespeople and X amount of certified sales engineers, and based on the tiers of the certification you hit a different program."
And, you know, and, and this all comes about, like, being able to signal to an end user, to a customer saying, "Hey, you know, you need this capability and, like, here's a partner, and you can find a, a portal and do a search," and they have these, you know, criteria met. Like, oh, they're a gold partner because they've done X, Y, and Z.
And, [01:05:00] you know, I was the guy that went to Compact and HP and Cisco and all these different trainings and, you know, had to get the stamps, you know, like, in order to meet these things. And, and don't get me wrong, the Compact branded tool, tool kit that I got, you know, from, from- ... server training was, was great, you know?
But like-
Craig Patterson: Exactly ...
Max Clark: but, but when you look at it from like, um- y- you know, how much information or, or like, you know, there was, there's inevitably there's very few certification programs that actually carry value over long term because you just end up with paper certs. It's really easy just to go through, especially talking online training modules, click, click, click, click, click, click, click, multiple choice test.
You know- We've made- You know, you're done.
Craig Patterson: Here, here's the reality. We've made an ecosystem of professional test takers.
Max Clark: Yes. Yeah.
Craig Patterson: Yeah. And that's the reality. And so when I was having all these conversations, and I, I agree with you 100%, so all these conversations, that was the feedback I was getting is like, "Craig, like we wanna be better [01:06:00] in life.
We wanna be better in our craft." Mm-hmm. The current system, the current way of learning is not driving the outcome we're looking to achieve. It simply put, does not raise our competency levels. Mm-hmm. And so as we built out this new program, this, this Apex, this Exabeam Apex partner program, like this was a, a problem that we took head on.
And so we've really sort of reimagined this whole learning experience in a way that, number one, drives higher competency levels, but number two, ties back to the outcomes my company's looking to achieve. 'Cause you think about like, what is Exabeam, what is Thomo Bravo looking to do? Obviously we wanna grow revenue Right?
That's important. But what are some of the other KPIs that we can measure in terms of actually raising competency level? Mm-hmm. And so how do I raise my conversion rates, right? [01:07:00] If a partner has higher competency levels, that should drive higher conversion rates. That can be measured.
Max Clark: Mm-hmm.
Craig Patterson: How can I measure the time to first deal?
So if I'm bringing a new partner on board, like we should understand what the average time is for them to actually transact. And guess what? If I can raise their competency level, I think I can effectively reduce the time to first deal. And then as you look at your sales cycle times, you know, each company has its own sales process, own sales stages.
Like good revenue architects should know obviously the velocity piece, you know, how much time each deal is sitting in each particular stage. But if I can raise competency levels, I can effectively drive a positive outcome on like improving my overall cycle time. And so when we were sort of reimagining this whole enablement piece, it was [01:08:00] really, again, driving competency, but also improving the outcomes my company was looking to do.
And so, you know, I think we have a market leading enablement program now today that's all hinged on AI. So the entire learning experience has been rebuilt. You know, now I've, I've launched a tool called Sherpa. There's a number of use cases around Sherpa, but the three major ones are: number one, I have a tool that's always on, becomes this virtual cam.
If you're a partner, no matter where you are around the globe, you can engage in your local language. You know, if you're in the Middle East, you speak Arabic, no problem. You're in Korea, I know you're heading to Korea. Guess what? Korean's available today in Sherpa. You can engage, you can talk in your local language, you can ask about product capabilities, use cases, you can ask about ICP customers.
And the beauty of [01:09:00] it, it all integrates into tools you're already using today. And so imagine a world, Max, where you log in to say, "Hey, Sherpa, I'm particularly interested in this particular vertical. Sherpa, could you look at my LinkedIn connections today to see what accounts are in the healthcare vertical that I have a contact with that correlate to Exabeam's target accounts and ICP?"
And guess what happens? Sherpa will spit out, "Hey, guess what? You have these contacts today that align to Exabeam's target accounts and ICP." That's cool, but imagine that you then say, "Hey, Bill, can you, can you give me a sequence? Can you give me-- Can you build me a campaign with all of my email sequence that I can then use to launch a campaign?"
No problem. So we're, we're driving outcomes in the market around, you know, [01:10:00] capabilities, answering questions, and then helping partners start to build specific, uh, strategies around campaigns. That's use case number one. Use case number two is we've reimagined that whole certification process, again, because the reality today is everybody does the same thing you're thinking as they log into these tools, they log into this LMS, they turn the volume down, they multitask-
they try to fast-forward, if possible. If the tool allows them to fast-forward, they're gonna go straight to the end.
Max Clark: Mm-hmm.
Craig Patterson: They're gonna get to that quiz, and guess what they're gonna do? They're gonna open up ChatGPT-
Max Clark: Yep.
Craig Patterson: Yep. Copy ... and they're gonna, they're gonna start figuring out how to answer that question.
You don't learn that way. And so- No ... there's a brand-new, very dynamic learning experience that's been created where, "Hey, I'm interested in this topic." Boom, I start to explore that topic. "Hey, help me position-- how would I actually [01:11:00] position this topic in this use case?" It allows you to record how you're actually gonna position that use case, that capability, and then it grades you.
"Max, you did a pretty good job. I give you, like, a, a solid B, B+, but next time, why don't you say it this way?" And now what we've done is we've just upleveled how you position that one particular thing, which has raised- Mm-hmm ... your overall competency level. When you master that, you then get a certification Which that's cool.
The third use case, and this is one I think you're gonna be blown away by, is we built a, we built an, an always-on virtual coach. And so imagine a world, Max, you're on a call with a prospect that's in the healthcare vertical or whatever vertical you so choose. You're having conversation around a particular problem they're looking to solve, and you had a virtual coach in the background giving you feedback to say, "Hey, the [01:12:00] customer's talking about this.
You know, talk to him about this new use case that Exabeam just delivered. Talk to him about this, this customer that just adopted the service or this value proposition. Hey, they're giving you this objection. You should say this." So now what we're doing is we're making you a better seller, um, in terms of how you position those.
And then where we're going next is I'm gonna start to raise your overall acumen. And so we're gonna start to incorporate lessons on how do I position my, the services to a CRO? Like, what are the terms I should use to a CRO versus a CISO? Like, it's gonna make you a better seller in general, and it's gonna make you a better seller on Exabeam, raise your competency level, you know, close at a higher rate and, uh, just make you better in general.
Max Clark: Craig, I love that you're, you're a broken record about my two favorite things, and that's outcomes and value, right? Are you creating value? I mean, you talk a- it, it's, everything just [01:13:00] comes down to that, right? Is there perceptional value? And, and if you're delivering value, then everything gets easy, right?
Like, fundamentally, life's still hard, but, you know, people see and understand value that you're creating, it's better, right? You're helping them. You, everybody, everybody's happy. Now, um, l- last question here. Well, you- you- you've touched on this in a little different, you know, different ways. Ultimately, in every s- in every sales cycle, you have an economic buyer, right?
You have the, the CFO, the finance team, you know, CEO, whoever it is that's looking at a contract that's saying, "Okay, you know, this thing's cost us much money," right? Like, "We're, we're ingesting logs, it's expensive. We're doing this, it's expensive. We're having a deal renewal, it's expensive. You know, do we need to keep this thing?"
'Cause they're not interacting with it, so maybe the security team, the, uh, CISO that's involved with it, right? This is something that they need. They've, they've identified capabilities that they don't have, that they want, um, you know, e- [01:14:00] efficiencies they can drive with their SOC team, right? You know, all these, all these different things that you- you've touched on.
What is the conversation that you'd want that CISO to be able to have with their CFO? Or what conversation would you have with the CFO if you were in the room? Like, what, what, what would you hope the CFO would ask you that then you'd be able to answer and, and walk them through this?
Craig Patterson: Yeah. Well, I think there's kind of two main portions, right?
It's, it's, you know, what is the budget today associated to protecting our overall security posture? Like, and that's, that conversation sort of correlates into, you know, what are all the tools they're using today.
Max Clark: Mm-hmm.
Craig Patterson: How we can consolidate some of those tools today, right? And then you can sort of tie that back to the value proposition that we offer.
So it's kinda understanding their current state. The second piece is, like, understanding the operational efficiencies that can be gained through the system and tool [01:15:00] that we provide. It just kinda goes back to we were talking about, like, making the analyst better. Like, 'cause I think there is, there's a, there's a, um, there's a lot of value there, right, in terms of how we can make that organization more efficient.
Maybe it's less cost operationally, right, in terms of all the analysts that, that are working there or are deployed, or maybe they just up-level their talent in general. Like, there's a lot of things that can be dis- discussed around that. So it's the, the current spend, it's the operational burden that's put onto it.
But the big piece, my friend, is, is the risk. Like- How much money are we willing to dedicate to ensuring that we have all these guardrails up in a way to protect against those catastrophic events which would cause irrevocable harm to our organization?
Max Clark: Mm-hmm.
Craig Patterson: And that's the difficult one, and it's difficult to really put a, a number on that, right?
It's difficult to really, to get a budget [01:16:00] associated with like that CYA. It's like a CYA. Like, what is the amount of money you're willing to put on the line to pr- to make sure that you've completely covered yourself? And so it's a combination, combination of all those things, honestly. But, you know, it... We always really focus on trying to get away from like the financial conversation as best we can, because what we found is there's better adoption in terms of solving those use cases, especially around the AI adoption, because it's such a new piece that most organizations are struggling with.
Max Clark: Mm-hmm.
Craig Patterson: So it's like, let's understand their current posture, let's understand like, you know, the risk that's being created, let's understand where they're going on AI, let's get a POC going to actually prove the value. We can s- we can actually put these guardrails into place that make them feel comfortable.
Mm. The money piece always works itself out.
Max Clark: Yeah.
Craig Patterson: Like, that's the way you kinda have to [01:17:00] lead to those sales cycles. The people that fail, you know, they, they just try to lead with the dollar signs. Like, "Hey, let me come in here and try to like save you money," or, you know, those kinds of things. Like, it's more about the ultimate value.
You know, you've been doing this-
Max Clark: Yeah ...
Craig Patterson: you know, as long as I have.
Max Clark: Absolutely. Security, you know, it's, it's like if you're, if you're having that conversation, you're having the wrong conversation. Just what you said, right? You know, 'cause ultimately there's somebody who's gonna convince you that they can bundle it for free, you know?
So like you're n- you're never gonna, you're never gonna win that conversation. You're like, "Go, go have... Go, go enjoy free and when it doesn't work, you know, we'll, we'll, we'll be here." Uh, you know, the other side is, you know, security seems expensive until you're dealing with a breach, right? There you go. And all of a sudden it's like your definition of what's expensive changes really quickly.
Like, it's pretty remarkable.
Craig Patterson: You nailed it.
Max Clark: You nailed it. Um, Craig, this was fantastic. Um, thank you so much for your time. Got a lot out of this. Really enjoyed it.
Craig Patterson: No, thank you, my man. It's always good to get reconnected. We've [01:18:00] known each other a long time. Congrats to all your success. I've been... I've really enjoyed the conversation myself and, uh, you know, hopefully the, the listeners get a lot out of it.
So thanks for having me on.
Max Clark: Absolutely. That's our show. Thanks to Craig Patterson for the conversation. If you're navigating a tech decision and want somebody working entirely on your side of the table, that's what we do at itbroker.com. Independent strategy, sourcing, negotiation, and optimization. Buy tech without regret.
Find every episode assigned at itbroker.com/podcast. I'm Max Clark. See you on the next one
