Ahead of the Breach

Sprinklr’s Roger Allen on Why Vendor Telemetry Only Gets You 90% There



Modern attackers have abandoned obvious indicators and now mimic legitimate engineering activities so closely that traditional detection methods fail. Roger Allen, Sr. Director, Global Head of Detection & Response at Sprinklr, has watched this evolution firsthand. He gives Casey the rundown of how his team's response involves outcome-based detection strategies that focus on what attackers accomplish rather than the specific actions they take to get there.

But detection is only part of the equation. From transforming UBA alerts into contextualized "events of interest" that correlate across the MITRE framework to implementing breach response scenarios that consider cloud-native production implications, Roger shares tactical approaches that bridge the gap between red team thinking and blue team operations.

Topics discussed:

  • Why focusing on what attackers accomplish rather than individual actions creates more effective monitoring as threat actors become increasingly sophisticated in mimicking legitimate engineering activities.
  • Filling the critical 10-20% gap in security coverage through business context enrichment and custom detection logic that vendors can't provide.
  • Converting traditional user behavior analytics from noise-generating alerts into correlated "events of interest" that map to MITRE kill chain stages for dynamic alert prioritization.
  • Systematic approaches to removing unnecessary tools like Netcat and Telnet while creating contextual detections for essential utilities.
  • Building tier-based response frameworks that account for production disruption risks when containing threats in environments where simply isolating hosts could shut down customer-facing services.
  • Implementing scenario-based training that goes beyond tabletop exercises to create muscle memory for security operations teams responding to active compromises.
  • Why having practitioners in both development and leadership chains at security vendors correlates with product effectiveness and company growth trajectories.
  • How to distinguish between genuine artificial intelligence capabilities and rebranded automation when evaluating security tools, plus practical applications for analyst efficiency without replacing analysts.
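The third topic above, turning individual UBA alerts into correlated "events of interest" whose priority rises as they span more kill-chain stages, is easier to reason about with a concrete sketch. The following is an added illustration written for this page; it is not Sprinklr's detection logic or code from the episode. The alert-type-to-tactic mapping, the four-hour correlation window, the scoring formula and the sample alerts are all constructed assumptions; only the tactic names are real ATT&CK enterprise tactics.

```python
"""Correlate per-entity UBA-style alerts into "events of interest" and rank them
by how many MITRE ATT&CK tactic stages they span.

Everything below (alert types, mapping, window, scoring, sample data) is a
constructed example for illustration, not a vendor's or Sprinklr's logic."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical mapping from constructed alert types to real ATT&CK tactics.
ALERT_TACTIC = {
    "impossible_travel_login": "Initial Access",
    "new_mfa_device_enrolled": "Persistence",
    "after_hours_admin_login": "Privilege Escalation",
    "bulk_repo_clone": "Collection",
    "unusual_egress_volume": "Exfiltration",
}

# Kill-chain order used to judge how far a chain of activity has progressed.
TACTIC_ORDER = ["Initial Access", "Persistence", "Privilege Escalation",
                "Collection", "Exfiltration"]

# Constructed sample alerts: (ISO timestamp, entity, alert_type).
SAMPLE_ALERTS = [
    ("2024-05-01T08:02:00", "alice", "impossible_travel_login"),
    ("2024-05-01T08:10:00", "alice", "new_mfa_device_enrolled"),
    ("2024-05-01T08:45:00", "alice", "bulk_repo_clone"),
    ("2024-05-01T09:20:00", "alice", "unusual_egress_volume"),
    ("2024-05-01T02:00:00", "bob", "after_hours_admin_login"),
    ("2024-05-03T14:00:00", "carol", "bulk_repo_clone"),
    ("2024-05-03T22:00:00", "carol", "unusual_egress_volume"),  # >4h later: separate event
]


def score(tactics):
    """Priority grows with the number of distinct stages covered and with how
    late in the kill chain the furthest stage sits. A lone alert stays low."""
    known = [t for t in tactics if t in TACTIC_ORDER]
    if not known:
        return 0
    furthest = max(TACTIC_ORDER.index(t) for t in known)
    return len(known) * 10 + furthest


def correlate(alerts, window=timedelta(hours=4)):
    """Group alerts by entity into events of interest.

    A new event starts when an alert arrives more than `window` after the
    previous alert for the same entity. Returns events sorted by priority,
    highest first; each event records its entity, time span, the distinct
    tactics seen (in order of first appearance) and the raw alert types."""
    by_entity = defaultdict(list)
    for ts, entity, atype in sorted(alerts):  # ISO timestamps sort lexically
        by_entity[entity].append((datetime.fromisoformat(ts), atype))

    events = []
    for entity, items in by_entity.items():
        current = None
        for ts, atype in items:
            if current is None or ts - current["end"] > window:
                current = {"entity": entity, "start": ts, "end": ts,
                           "tactics": [], "alerts": []}
                events.append(current)
            current["end"] = ts
            current["alerts"].append(atype)
            tactic = ALERT_TACTIC.get(atype, "Unknown")
            if tactic not in current["tactics"]:
                current["tactics"].append(tactic)

    for ev in events:
        ev["priority"] = score(ev["tactics"])
    return sorted(events, key=lambda e: e["priority"], reverse=True)


def escalate(events, threshold=30):
    """Return the entities whose events cross the paging threshold; everything
    else stays in the analyst queue as context rather than an alert."""
    return [ev["entity"] for ev in events if ev["priority"] >= threshold]


if __name__ == "__main__":
    for ev in correlate(SAMPLE_ALERTS):
        print(ev["entity"], ev["priority"], " -> ".join(ev["tactics"]))
    print("escalate:", escalate(correlate(SAMPLE_ALERTS)))
```

Run as written, the single-alert entities (bob, and carol's two alerts that fall outside the window) score in the low teens and stay in the queue, while alice's four alerts, which walk from Initial Access to Exfiltration within an hour and a half, become one high-priority event. The point is the shape, not the numbers: the raw UBA alerts are never paged on their own, and priority is a property of the correlated event rather than of any single detection.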

Ahead of the Breach, by Sprocket