ReliaQuest CEO Brian Murphy on Joining SecOps, Threat Intel
CEO Shares How Digital Shadows Acquisition Helped Clients to Customize Threat Intel
Michael Novinson (MichaelNovinson) • November 22, 2022
ReliaQuest customers have tailored Digital Shadows' threat intelligence to their organizations to ensure conversations about their brands or products are being captured, says ReliaQuest CEO Brian Murphy.
The Tampa, Florida-based security operations vendor says the $160 million Digital Shadows acquisition has fortified its detection and response muscle by incorporating emerging threats that aren't broadly known, according to Murphy. Enriching ReliaQuest's data sets with Digital Shadows' risk data has allowed the company to act decisively, automate more and remove noise from security operations environments (see: Black Hat: Web3 Defense, Open-Source Intel & Directory Hacks).
"Digital Shadows' context gives you more certainty," Murphy says. "And certainty allows you to automate more, which is the goal of the large enterprise."
In this video interview with Information Security Media Group, Murphy also discusses:
- The biggest similarities and differences between TDIR and XDR;
- How security operations need to differ between SMBs and enterprises;
- Why big customers prefer ReliaQuest to traditional MDR vendors.
Murphy's unique approach to driving operational excellence and repeatability makes him a frequent source for industry analysts, news media, higher education leaders and other civic leaders. Under his leadership, ReliaQuest has received numerous accolades for its commitment to focused growth while maintaining a positive company culture. Prior to founding ReliaQuest in December 2007, Murphy served in multiple leadership positions across accounting, finance and operations. He began his career as a management consultant with PwC.
Michael Novinson: Hello, this is Michael Novinson with Information Security Media Group. I'm joined today by Brian Murphy. He is the founder and CEO of ReliaQuest. Good morning, Brian, how are you?
Brian Murphy: Great, Michael. Good to be with you. Appreciate you having me on.
Novinson: Of course, thank you for making the time. I want to start off by getting an update on the Digital Shadows acquisition. I know that close to the start of June $160 million. What has that meant for you over the past couple of months?
Murphy: The acquisition has been great. We had a thesis going in of connecting the external digital risk platform capability that Shadows had. Their outside-in view from our inside, connecting it to our inside-out view, and it's gone as expected. We've seen a lot of interest in our customer base working with that digital risk platform, and then a lot of interest in their customer base coming over to our security operations platform, and GrayMatter. So teams are integrated; dev team, we lifted and shifted over to work is one. That's on schedule, everything's going well, and it's been a lot of fun working with that team.
Novinson: So from the standpoint of existing GrayMatter customers, what have been some of the most concrete or tangible benefits?
Murphy: I think, for us, we look at it in a multitude of ways. All of ReliaQuest's customers are going to get the benefit of the capability. Digital Shadows has a threat research team, it speaks more than 25 languages and is constantly creating content, updating IOCs, updating threat information on emerging threats across the dark web, across different risk platforms out there. And so immediately, every customer got the benefit the day it closed. So that's been well received. And what our customers are doing is just leaning in more around that digital risk platform. And so getting more curated, fit directly to their organization, threat intelligence out there watching for any conversations being had specifically around their brands or products. And so the good thing about that platform is it can be tailored to fit our enterprise customer. Our customers on average do more than a billion in revenue. And so they're the very largest size of the enterprise. And those types of protections mean a lot for them.
Novinson: What are some of the synergies that are unlocked when you bring together security operations and digital risk, especially at that larger enterprise level?
Murphy: Yeah, some of the synergies, if you think about how ReliaQuest, or GrayMatter, or our security operations platform, we build our global detections and being able to build those detections with some of those digital risks we see out there from a research perspective, that may not be known. Things that we're watching, things that they're studying, that are not broadly known out in the market, our detections can be built in advance to take into account some of the things that we believe to be emerging. So it's definitely enriching our detection capability, post detection and response capability with a GrayMatter platform that we're able to detect, investigate and respond, whether it's across endpoint data, on-prem data, or cloud data, and enriching those three data sets and those artifacts with that digital risk data, along with your traditional speeds and feeds from threat intelligence allows us to automate more, make more decisive actions, remove a lot of the noise out of security operations environment, so that context just gives you more certainty. And certainty allows you to automate more, which is the goal of the large enterprise.
Novinson: Recent months I've been hearing more of this, that this phrase TDIR - threat detections, investigations and response - I was wondering how you've been hearing it a lot and so how similar or dissimilar do you feel it is from XDR? Which do you feel is a better framework for customers to follow?
Murphy: It's interesting, Michael. I view XDR as an architecture, it's a conversation of the building of a customer's architecture. And so I think, from our perspective, it's not much different. I think what XDR and you can all the different acronyms that we can put out there is the acknowledgement that the customer needs to detect, investigate and respond, regardless of whether they're relevant security data sets. What I know from working with large CISOs of large enterprises is they will never only use one piece of technology. You and I both know that. They're not going to be all one endpoint, they're not going to be all one firewall, and they're not going to be all one cloud storage. And so we need to be able to detect, investigate, respond and ultimately automate out the noise, regardless of what these companies own. And that for some of our customers that can be mainframe technology, right? I mean, some of these things are just not going to get replaced. So I'm definitely hearing more and more acronyms, but I think what, every time we create a new acronym, what we're doing is we're trying to define the outcome that the customer is asking for, right? And what they're asking for is we have to eliminate the noise in our environment. We're tired of alert fatigue, we're tired of too many tools. And we need to drive automation. Because our customers know that no matter how many people they hire, they're still going to be chasing data all over their network.
Novinson: How successful do you feel the industry is in terms of eliminating noise. But when you have new technology, but you also have additional telemetry sources, additional vendors on to enter the ecosystem, how successful do you feel folks have been here?
Murphy: I think there's a lot of work to be done, we've acknowledged with XDR, and some other frameworks that the kind of black box, send me all your logs kind of sensor-based approach doesn't work, especially doesn't work for large corporations. And so I think from an architecture perspective, we've acknowledged that we need to do better, we need to be able to increase that visibility and reduce complexity at the same time. But at the same time, everybody's arguing for storage, right? Everyone wants to own all the data, which I think is the unique approach that ReliaQuest takes. We don't want to change anything in your environment. We want to use wherever that data woke up in the morning, we want it to go back to sleep at night, and we'll allow you to detect and respond without us being the authoritative source, because I think the interesting thing is the customer doesn't want to keep paying to secure and store the same data multiple times. And, as an industry, once we start to work together that way, I think that outcome of reducing the noise is going to come much quicker. So conversation's headed in the right way, the customer is going to drive it as always. The chief information security officers out there and security teams are as talented as they've ever been. And they're asking specifically for these outcomes. So that's going to force us all to get there.
Novinson: Why don't you talk a little bit in terms of what your customer segment at ReliaQuest is? You mentioned earlier, your heritage is in the large enterprise focusing on those organizations with more than a billion in annual sales. How do the needs of a large enterprise around security operations differ from their counterparts in the SMB or the mid-market space?
Murphy: They're different in the sense that they're more multiple in a lot of cases. So in a lot of cases, they're built to be different divisions and different product lines. Sometimes they've grown through acquisition. So some of our customers have 40 business units that do more than a billion in revenue on their own, right? And so their use cases are very specific. And I think so that's the difference is they're more multiple. They're not talking about running one technology, from a security perspective, they understand that, depending on whether they made a merger acquisition, they want to keep that stack in place of the company they bought, and they want visibility to it, but they want to have to replace all of it. Or as they just grow organically, like a lot of our customers do, they want to have what I call optionality around how they secure their information. And they want their security operations approach to be modular, right? So optionality and modularity. I'll say, though, for us, we defined the lower enterprise as kind of a 200 million revenue to a billion revenue. They're not that much different. I mean, they're probably a little more forward and adopting, leaning in and new technologies, new storage capabilities, new sales, automation tools, and that's requiring a different flexibility, same optionality/modularity from a security perspective, because a lot of those CISOs came from larger organizations. And so they're wanting to be particular on what they buy, and where they invest, because they've got to get the most out of their dollars.
Novinson: You mentioned storage here a couple of times. I am curious, why is storage so central to this conversation around security operations? And how is the storage landscape changing either from a price or from a capability standpoint?
Murphy: I don't know that it's changed all that much from price, I think what it is, is just acknowledging that instead of bringing all the data into one central theme, these massive data lakes or trying to read name, the same conversation we've been having for a decade, why don't we just take action and pull the artifact you need when you need it, right? And that's the benefit of the move-to-cloud, it's changed the conversation around. It's not, where's our security data? Is it on-prem? Is it hybrid? Is it in endpoint? Is it in the cloud? It's everywhere. And it's probably multiple instances of those things. And so, for me, it's less about just storage as a central theme. It's more of the acknowledgement that we have relevant security data sitting in our ecosystem everywhere. And if the answer is constantly to take the data and send it to some central point, you're never going to get out of this cost cycle. You're never going to get out of this just complexity from an architecture perspective and limitation perspective. So for us, we want to change the conversation, and view it through another lens. Let's just treat wherever our data lives, as small little data ponds. We'll pull it back as needed. Won't store it. And it reduces the complexity in environment. And so that's one approach that we think works the best.
Novinson: How easy or difficult is it to analyze data where it resides? What are some of the challenges and obstacles you've got to navigate in order to do that?
Murphy: Here's 50 different patterns that make up the GrayMatter platform. One of the most central being the universal translator. So to be able to push and pull data bidirectionally, translate it on ingest, take an automated action, kick off a hunt, and then push it back to that source technology and re-translate it back to whatever that language that source technology is built in, is very difficult. Took years. We went through the motions of building these massive data lakes for customers. We know when they break. When we came to this concept, it took a ton of technical lift. And then we've got well over 200 software engineers working on this problem. And we've got 85 different bilateral, bidirectional integrations with some of the top tools and environments in the industry. And so it took a lot of time, took a lot of partnership, took a lot of listening to the customer. So it's definitely a high bar to get over for sure.
Novinson: I can understand where you're coming from there. Why don't you get into the market landscape a little bit? If you were to find yourself in a competitive situation with GrayMatter, what other vendors or products are you most frequently encountering, and what do you feel are GrayMatter's biggest differentiators over those?
Murphy: Yeah, I think as we get to smaller organizations our ASPs are much higher than you would get down. It is like an MDR space, if you get an MDR provider that's trying to come up market, they're typically working with much smaller businesses, usually those businesses outgrow the MDR and grow and sometimes we'll bump into them down. Down below, there's still the traditional outsourcing plays, where you've got a large, global outsourcer. And they're doing helpdesk ticketing and those things and trying to convince the organization to, hey, just outsource all your security. That's less of an issue anymore, because there's just the talent-from-a-CISO-perspective level is so high, they understand that you can't just forward your problems away. So definitely are running into some of the old traditional legacy vendors that way that the MSSP, the Hey, "put my sensor on the network and for me all your logs and trust me, I'll let when something happens at the enterprise," that's not something that works out well. So it's still a very fragmented market. There's a lot of large enterprises are building their own, they want to use open source technologies are trying to build their own data lakes, and we felt the same way. Here's what we found, like, here's when these environments break, here's when the speeds and feeds don't work. And so it's a consultative conversation. It's a difficult problem to solve. But the good thing is I think that the customer is asking the right questions now. Right? So it's an easier conversation than it's ever been before.
Novinson: Wanted to kind of circle back here in terms of the organic activity, this Digital Shadows acquisition was a pretty big one, a pretty strategic acquisition for you. Do you anticipate doing additional inorganic activity to address green fields? Are you more focused on organic development going forward?
Murphy: It's a good question. We've always been organic growth, and we grow at more than 40% a year, we're more than 160 million in ARR. And that's without the Digital Shadows acquisition, the growth rate. So we've always been a high growth, organic grower. Digital Shadows made a lot of sense. We are opportunistic, we're out there now, I think, from a funding perspective, and I've always run the business like a business. So I've never run it with high cash burn growth at all cost mindset. Puts us in a powerful position today to be durable and sustainable from a growth perspective. And I think we will be opportunistic, we find the right piece of technology, or geography that makes a lot of sense. But our plan is still the majority of what we'll look at is organic growth. But we've got the opportunity and the backing to listen to anything that makes sense similar to the Digital Shadows acquisition.
Novinson: It's an interesting point. And I know I've been hearing a lot in recent months, businesses talking about having to shift from growth to profitability, and be more cost conscious and then have macroeconomic downturn in the sprint. Have there been any changes that you've made in terms of how you're running the business or how you're thinking about things like this?
Murphy: Yeah, Michael, I'm the founder of ReliaQuest. I bootstrapped the business without outside capital for nine years. I mean, at one point, I had over a half a million dollars in cash, advance credit cards and mortgages, as we were building this technology before we raised capital. So I've never put the business in a position where we had to make dramatic changes to it from behavior from one thing to the next. I've always looked at a sustainable, scalable, durable model over the long term, and that's what we are. And we're 15 years building business up to a scale now that if you get to, and we're able to get there and grow past there. Because we don't outgrow our business. We don't out scale or out sell our product, our infrastructure, our people, and our teams. We're going to do it the right way. Because our enterprise customer, we can't fail them, right? You can't fall down for the largest airlines and largest banks and largest insurers. So for us, I've always held on to the levers of the business very strong, we have a great CFO, great team, and we're always modeling and forecasting that the market gets a boat, and we're ready to make any shift that we need to but so far, we haven't seen anything in our buying trends at the enterprise. Security is not discretionary and then we're an ecosystem place. We're going to make you more efficient, and we're going to optimize you. So for us, we think we fit pretty well. In some ways, we'll grow faster and stronger in an environment that's slowing down a bit.
Novinson: Let me ask you here, finally, I'll ask you to gaze into your crystal ball and look ahead into the 2023. What are some of the things you see on the roadmap for existing GrayMatter customers, for prospects in terms of what's coming down the pike in terms of features, capabilities, etc?
Murphy: Yeah, so I last year, I did 100 campaigns, I spoke to 100 of our large enterprise customers, in 100 days for an hour and just listened. And that's how we came to the Digital Shadows acquisition. We'll have an add-on piece to the GrayMatter platform that will launch in Q1. And what I'll say is our priority is in the security operations platform, is we want to continue to be the force multiplier for security operations teams, whether that team is one person, or 300 people, we have both versions of customer base. And we're going to eliminate the things that take a ton of time, but are just mind numbing like no human should look at, right? So we're going to automate out and eliminate high-time, low-brain activities and our Q1 product launch, our second quarter and third quarter product launch and updates and enhancements are all going to start yields, to start seeing this to continue to move the noise out of the way of the security operations team making them more efficient and faster and ultimately allowing them to make better decisions around managing risk. And so the crystal ball is we're going to continue to do what we've done. We've got some great roadmap items along the way that we're excited about. And we're excited because customers asked for them, so it's easy when you have good customers that are willing to talk out loud about their problems, and then we just go do something about it.
Novinson: Definitely. There'll be a lot of interesting stuff to watch. Brian, thank you so much here for the time.
Murphy: Hey, appreciate the time. Thanks a lot. Good to be with you.
Novinson: Yourself as well. We've been speaking with Brian Murphy. He is the founder and CEO at ReliaQuest. For Information Security Media Group, this is Michael Novinson.