ITSPmagazine

The Schema Strikes Back: Killing the Normalization Tax on the SOC | A Crogl Spotlight Brand Story Conversation with Cory Wallace

Episode Summary

This episode explores how Crogl’s patented approach removes the need for data normalization, allowing security teams to query unstructured data directly across systems. Director of Product Marketing Cory Wallace joins Sean Martin to discuss how this innovation empowers analysts, reduces schema drift, and restores visibility across complex environments.

Episode Notes

Breaking Free from Data Normalization: A Smarter Path for Security Teams

Traditional security models were built on a simple idea: collect data, normalize it, and analyze it. But as Director of Product Marketing Cory Wallace explains in this conversation with Sean Martin, that model no longer fits the reality of modern security operations. Data now lives across systems, clouds, and lakes—making normalization an inefficient, error-prone step that slows teams down and risks critical blind spots.

Rethinking How Analysts Work with Data

Cory describes how schema drift, inconsistent field naming, and vendor-specific query languages have turned the analyst’s job into a maze of manual mapping and guesswork. Each product update or schema change introduces a chance to miss something important—something an attacker is counting on. Crogl’s new patent eliminates this problem by enabling search and correlation across unnormalized data, creating a unified analytical view without forcing everything into one rigid format.

From Data Chaos to Analyst Empowerment

This shift isn’t just technical—it’s cultural. Instead of treating SOC analysts as passive alert closers, Crogl’s model empowers them with meaningful context from the start. Alerts now come with historical data, cross-referenced fields, and prebuilt queries, giving analysts the information they need to make decisions faster and more confidently.

Efficiency with Intelligence

Wallace explains how this approach saves time, reduces training burdens, and cuts dependency on multiple query languages. It helps overworked teams move from reactive triage to proactive investigation. By removing unnecessary layers of data transformation, organizations can accelerate incident resolution, minimize risk, and help analysts focus on what matters most—catching what others miss.

At its core, the conversation highlights how removing the barriers of data normalization can redefine what’s possible in modern security operations.
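As an added illustration of the two problems described above, the same value carried under different field names in different systems and a vendor update silently changing a log format (schema drift), the following Python is example code, not Crogl's or ITSPmagazine's; the alias table, field names and log lines are constructed for this page:

```python
"""Field-name resolution and schema-drift check over key=value log lines.

Added example (not Crogl's code). It shows the situation the episode
describes: "IP address" in one tool, "ip_address" in another, "source" in
a third, and a firewall update that renames fields so a fixed mapping
silently stops matching. Every sample value here is constructed.
"""
import re
from typing import Dict, List, Optional

# Hypothetical alias table: canonical name -> names seen across tools.
ALIASES: Dict[str, List[str]] = {
    "src_ip": ["src_ip", "ip address", "ip_address", "source", "srcip"],
    "dst_ip": ["dst_ip", "dest_ip", "destination", "dstip"],
    "user": ["user", "username", "suser", "account"],
}

# Constructed records, as three different sources might store one event.
RECORDS = [
    {"_source": "siem", "ip address": "10.0.0.5", "username": "alice"},
    {"_source": "pipeline", "ip_address": "10.0.0.5", "user": "alice"},
    {"_source": "custom", "source": "10.0.0.5", "account": "alice"},
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line: str) -> Dict[str, str]:
    """Parse a syslog-style key=value payload; quoted values keep spaces."""
    return {k.lower(): v.strip('"') for k, v in KV_RE.findall(line)}


def resolve(record: Dict[str, str], canonical: str) -> Optional[str]:
    """Return the value for a canonical field regardless of vendor naming."""
    lowered = {k.lower(): v for k, v in record.items()}
    for alias in ALIASES.get(canonical, [canonical]):
        if alias in lowered:
            return lowered[alias]
    return None


def schema_drift(expected: List[str], line: str) -> List[str]:
    """Canonical fields that can no longer be resolved from a log line.

    A non-empty result after a vendor update is the "schema drift" case:
    the mapping is silently wrong and an investigation would miss fields.
    """
    parsed = parse_kv(line)
    return [f for f in expected if resolve(parsed, f) is None]


# Constructed firewall lines: the second mimics a post-update format in
# which the vendor renamed srcip/dstip to src/dst.
BEFORE = 'action=allow srcip=10.0.0.5 dstip=203.0.113.9 user="alice"'
AFTER = 'action=allow src=10.0.0.5 dst=203.0.113.9 user="alice"'
EXPECTED = ["src_ip", "dst_ip", "user"]

if __name__ == "__main__":
    for rec in RECORDS:
        print(rec["_source"], resolve(rec, "src_ip"), resolve(rec, "user"))
    print("drift before update:", schema_drift(EXPECTED, BEFORE))  # []
    print("drift after update:", schema_drift(EXPECTED, AFTER))    # src_ip, dst_ip
```

Running the drift check against a sample of each source's current output on every vendor update is one cheap way to catch the silent field loss the episode warns about.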

Watch the full interview: https://youtu.be/Kx2JEE_tYq0

Learn more about CROGL: https://itspm.ag/crogl-103909

Note: This story contains promotional content.

GUEST

Cory Wallace, Director of Product Marketing at CROGL | On LinkedIn: https://www.linkedin.com/in/corywallacecrogl/

RESOURCES

Learn more and catch more stories from CROGL: https://www.itspmagazine.com/directory/crogl

Press Release: https://www.globenewswire.com/news-release/2025/11/05/3181815/0/en/Crogl-Granted-Patent-for-Analyzing-Non-Normalized-Data-for-Security.html

Forbes Article: https://www.forbes.com/sites/justinwarren/2025/11/05/tackling-cybersecurity-data-sprawl-without-normalizing-everything/

LinkedIn Post: https://www.linkedin.com/posts/activity-7391913358817517569-QaCH

Are you interested in telling your story?
▶︎ Full Length Brand Story: https://www.studioc60.com/content-creation#full
▶︎ Spotlight Brand Story: https://www.studioc60.com/content-creation#spotlight

Episode Transcription

The Schema Strikes Back: Killing the Normalization Tax on the SOC | A Crogl Spotlight Brand Story Conversation with Cory Wallace
 

[00:00:32] Sean Martin: And hello everybody. You're very welcome to a new brand story conversation here on ITSPmagazine and uh, it's a place where we get to talk about new and cool innovations. And how those, how those innovations can help teams and programs. And most importantly, companies succeed at their, uh, security management and security operations, uh, to help the business grow and, uh, protect the revenue that it actually generates. 
 

And I'm thrilled to have Cory Wallace on from Crogl. Cory, how are. 
 

[00:01:04] Cory Wallace: I'm good, Sean. Thank you for, uh, inviting me to the show. Very exciting. And, uh, our CEO was just here with you, so I'm, I'm glad to be here to follow up. 
 

[00:01:11] Sean Martin: I know we've had a couple chats with Monzy and, uh, uh, I mean, brilliant guy and, uh, he, he knows what's happening. He, he's seen 
 

[00:01:21] Cory Wallace: He does. He is, uh, you know, a very unique and rare, rare individual. That's just brilliant. And, uh, I met Monzy, you know, 15 years ago and, uh, we became fast friends and, uh, just, uh, excited to be working with him again, uh, for the second time now. 
 

[00:01:38] Sean Martin: Exactly. Exactly. And we'll probably touch on, uh, some of the things that you guys experienced a few, few years back 
 

[00:01:44] Cory Wallace: Yeah. Yeah. There's a lot of history there. A lot of history. 
 

[00:01:48] Sean Martin: And so today's conversation is really rooted in an announcement that you just made. And, uh, I'm sure it was, it was a quick thing to put together. 
 

Right. It's easy to get a patent. 
 

[00:02:00] Cory Wallace: Very super easy, very inexpensive. Yeah. No red tape whatsoever. Yeah. 
 

[00:02:06] Sean Martin: No, but I think it, what's cool is that, uh. The, the, the way Monzy thinks, and the way the team has put the solution together at Crogl, uh, is unique. And, um, I'd say kind of blows up the model of what, what's been built over the last 10, 15 plus years. And that's, that's kind of where the, the patent is, uh, is grounded. 
 

So, uh, maybe. Very quickly, a few words about your role at Crogl. Um, maybe the, the elevator pitch for what Crogl is, and then we'll get into the specifics of the patent and the technologies and what it really means to folks. 
 

[00:02:42] Cory Wallace: Sure, yeah. I'm the director of product marketing here at Crogl and, uh, joined, uh, I was at Splunk for 10 years and then, uh, Cribl recently before coming to Crogl. So, you know, a lot of history there, uh, that, that, uh. We're, you know, Monzy and I met at, at, uh, Splunk, you know, about 15 years ago, uh, at Crogl. 
 

We wanted to do something, you know, unique and disruptive. We kind of, uh, latched onto that disruptive thing, you know, back in the day at Splunk. And, uh, so we're helping SOC analysts with, uh, this, this large amount of alerts that are coming in today. They're very hard for them to triage and make informed decisions on how to manage these, these alerts. 
 

So, uh, we're using our experience with, uh, data, uh, data management, data access along with our security backgrounds and, uh, AI to help SOC analysts make informed decisions about these alerts and incidents that are coming into their systems. 
 

[00:03:38] Sean Martin: Yeah, and I was involved, uh, a few decades ago, a couple decades. I'm doing this for a while, but a couple decades ago, early on where. You had all these systems generating all this data and you needed to, to know what it was and what it meant and how it connected together. And the, the industry basically came up with a model of, well, first we have to collect it, right? 
 

So we have to bring it to us. Then we have to normalize it so we know what we're looking at it, and then we can just begin to act on it. That's just how it was. But, uh, kind of give us a, gimme a little more background on that. Why, why that model had to work that way and, and maybe why it's falling over at this point. 
 

[00:04:20] Cory Wallace: You know, 15, 20 years ago, you know, Splunk, when we started, uh, with that product, nobody was consolidating log data. So there was no way to get this, uh, this kind of single pane of glass, uh, view where you could correlate. Events, uh, between different systems, right? If you, uh, you, you had to back then, you know, Telnet or SSH to, to a firewall, you know, grep through the logs and rinse, repeat, right? 
 

It was not very efficient. So at that time, you know, having a model that ingested all of the data, indexed it into a, a very high performance, uh, database and. Putting a search engine on top of that was brilliant and we changed the industry when we did so, and that model was great at the time. You know, at that point nothing existed. 
 

Fast forward to today, and you know, evolution has happened here and data's all over the place. Data lakes have become, you know, a very important piece of infrastructure today, cost control. Um. And a lot of things that are originating in the cloud just naturally end up in an S3 bucket or lake. So that model needs to change now. 
 

Uh, we need to think differently about how we access data across all of these disparate systems. 
 

[00:05:36] Sean Martin: Yeah, so there's, there's the access part of it, which you're not going to each piece or each system or each API or service or whatever, right? Each 
 

[00:05:45] Cory Wallace: You're right. 
 

[00:05:46] Sean Martin: Um, and it's basically, it's all collected in a, in a data lake or some, some storage unit, and you go to that instead. Um. But more specifically, it's the normalization as well that we want to touch on as well. 
 

So maybe highlight what, what that looked like and why that doesn't work anymore either. 
 

[00:06:07] Cory Wallace: Sure. Yeah. One of the things that happened is we started indexing is, uh, you know, we had to kind of format things into some standard format or schema because, uh, log files look differently, you know, very differently and. So we were applying some kinda schema at that point in time. And again, now as we've evolved, there's so many data sets out there that again, are in different systems. 
 

You know, we have some systems that are in a, something like a Splunk or an Elastic, and then we have, uh. Data that's, that's in S3 buckets and in a lake like Databricks or something like that. And, uh, trying to lock that into one specific format, uh, like OCSF or something like that is, is just not realistic. 
 

Right. Uh, it, it's a very heavy lift to try to take all that data and normalize it. And it's grossly inefficient for the people that are trying to do research on that data to try to do this and manage that problem. And then if that data is not normalized in the right way, maybe they're missing something. 
 

And the scariest thing for security analysts is to just to miss something, right? Uh, in the, in the midst of an investigation. So what we've done through our decades of, of experience with data and log data is we figured out a way via this, this, uh, patent that we've released. To search data without it being normalized in any standard schema or format. 
 

So if there's a, say a field that's, uh, called IP address in Splunk and maybe Cribl's calling it IP underscore address, and you know, maybe in a different system, some administrator thought they'd be cute and funny and just call it, you know, the source or something like that. We're now taking that IP address and giving it a common name that is recognizable to the security analyst, uh, when it's presented into their chain of evidence. 
 

So I think it's a big, big step for us. I think it's going to be very disruptive and we're going to change the way that now security analysts are looking at and accessing data. 
 

[00:08:00] Sean Martin: And I wanna get to that, but before we, we actually dig into the, the use by the analysts who, in my opinion. Kind of get forgotten when vendors are selling their wares. They usually go straight to the CISO and talk about programs and hopefully then make the CISO successful talking to the executive leadership team. 
 

And oh, by the way, there's a SOC analyst that's having to deal with hundreds of alerts. Let me just close out a hundred today because they look like the hundred yesterday. And in there, maybe the one that that really matters and we don't know. Um, so before we get to that kind of scenario. Um, talk to me about, you mentioned the schemas and, and just that I, I remember back in the day just setting up connectors between all these systems and, and mapping the schemas and vendor would change part of their logging format or they would add more stuff and we don't have that in the, in the new. 
 

Search and, and analysis capabilities. 'cause it's new from that vendor and it's not something we figured out. So just keeping it maintained, but also just deploying it. So talk to me about the value of what you're doing now in terms of, uh, deployment, ease, maintenances, connecting and, and managing all these data systems. 
 

[00:09:12] Cory Wallace: Yeah, first and foremost, yeah, there's a lot of things, like you take Syslog data, we'll use that, you know, everybody has syslog data. It's, it's still the OG of data sources out there. Uh, you know. Syslog is easily sent to a destination. No problem. Right. You know, we, we've had that capability for, for quite a while to push Syslog data, uh, to a source. 
 

But if you're having to pass it through something to then normalize that data, you're adding another additional step, another level of complexity there that. You may that, that you may or may not want to have that level of complexity. It's another thing that can break, another thing can make mistakes. 
 

And the thing that scares me, uh, the most about data schema is what we call schema drift. So, you know, firewall vendor releases, uh, a software update, the syslog format now changes. And now those key value pairs that that mapping that is being done by the schema is now wrong. So you're missing. A field or fields, and now you cannot make that informed decision about, you know, an incident. 
 

And that's pretty scary. I think, uh, you know, prior, in my prior life before coming to Crogl, we talked a lot about schema drift, you know, and, and people are out there making products to address schema drift. Uh, we're trying to dig it a step further and just say, let's just take schema out of the equation completely. 
 

[00:10:35] Sean Martin: I love it. I love it. So the impact to the analysts now, their, their job is to get assigned alerts, receive alerts, whatever. Um, try to figure out is this something I need to, to roll up? Is this something I need to investigate more? Um, do I put in the back burner because it may be related to something down the line and I don't know what to do with it right now. 
 

Describe to me how that kind of the process and their day-to-day activities change with the removal of the schema. The no, no need to normalize data before they get that alert and actual more context and and insight perhaps with the information they get now too, helping them. 
 

[00:11:17] Cory Wallace: Sure. Right now with the, you know, schema applying. To things when they, they go around looking one, they don't necessarily, the SIEM is telling them that something happened, but then the investigation falls on them for the most part. Right? Uh, the SIEM is 911 in most cases. Right. And then they have to go try to solve the crime. 
 

They become the detective and CSI and all those things. They're hopping around to data hunting at that point and that, that was why the original consolidation model was nice. But then it fast forward to now we're, we're, schema drift and schema changes are a problem. We also have the problem of multiple query languages that these analysts are trying to figure out. 
 

So now because data is in different places and different formats, they don't just, uh, have to know SPL Splunk's language. Now they need to know KQL, uh, SQL, other query languages. And you, you take an overworked analyst who already has too much on their plate, and I'll say, oh, by the way. I need you to learn different, all these different query languages and while you're threat hunting in the heat of battle, remember how to convert these, these query languages. 
 

So we're doing that for them. And by one, having access to all this data without the need for schema, we can map out what, what needs to be found. We can create those queries for them. And we're actually appending those into our workflow, putting them in the ticket history for the analysts and helping them identify, you know, you don't that common, uh, name that I mentioned earlier. 
 

Now you don't have to figure out what IP address is called in three different systems. We've done that for you. And you know, we're all talking about time and efficiency here when it comes to threat hunting. And, uh, so now we've saved them minutes to hours by doing that for them. 
 

[00:13:08] Sean Martin: Yeah. Yeah. And Monzy was showing that I, I am trying to remember the numbers. I think it was like eight phases of, of investigation and 40 activities. These, and, and there's a handful of queries and you may know one, but not the other five or four or whatever it is, and, and, and you're trying to connect with the rest of the team. 
 

Hey, do you know how to write this query? And you're waiting for that person to come back and you're stalled on the, on the response to that, that alert and. That's only if you decide to go in. I think the 
 

[00:13:38] Cory Wallace: Right, right. 
 

[00:13:39] Sean Martin: you're, you're closing it because you think it looks like one yesterday. I kind of joke about that. 
 

And it doesn't, it looks benign, but you don't know until you actually get into the query and say, well, what is in here? And is there anything unique? And you do that analysis as well, which I think is, is, uh, pretty cool. 
 

[00:13:55] Cory Wallace: Uh, it's, it's really great. You know, I think one thing that we learned early on at Splunk is that, uh, it's, it's not the thing you're looking for. It's the thing you're not looking for that you should be scared of. And I think, you know, there is that risk of closing the alerts because, you know, today with, with AI and threat hunting evolving or, or threats evolving, you know, uh. 
 

You, you don't necessarily, A hacker doesn't need to be a really astute programmer to come up with something fairly good, uh, to initiate attack where, you know, user behavior analytics don't really apply. They can, they can emulate a, an identity for a while and, and make the behavior pattern look normal. 
 

And it, it looks like just the, another alert you should just disregard and it's something. And the way to find out what that something is, is through data investigation and looking in places. For that, 
 

[00:14:47] Sean Martin: Yeah. And if you're using, I think we used the word rigid. If you're using rigid schemas and static rules, yes, maybe the rules can dynamically change, perhaps with some ML in there. But, uh, 
 

[00:14:59] Cory Wallace: You're right. 
 

[00:15:00] Sean Martin: you're, you're not really gonna get the best results with a fully automated schema based. Drift involved. 
 

[00:15:11] Cory Wallace: No, I, 
 

[00:15:13] Sean Martin: Yeah. 
 

[00:15:13] Cory Wallace: no, no. You know, as Morpheus told Neo in the Matrix, you know, rules can be bent and, and broken. And a good, and a good hacker knows how to bend those rules and they do so. And, uh, so you, you have to think outside of creating rules. I. 
 

[00:15:28] Sean Martin: So I'm gonna encourage everybody to, uh, to watch that, uh, demo from Monzy. But as we wrap here, maybe you touched on time savings and we, I think we've kind of. Rounded around on, uh, some of the capabilities of investigation and hunting and, and making that easier and and faster. What other outcomes do you expect, uh, teams to have and then security operations centers to have because of this? 
 

I. 
 

[00:15:55] Cory Wallace: I think first and foremost, we, we want to increase their efficiency, right? Again, I, I want the overworked SOC analyst to not open an incident that's just a blank, you know, here's the alert and I have nothing else, no other context to go with this. With us, we start working the 14 steps of the kill chain, and by the time the analyst gets to that incident, we've already provided them a history of what we have found. 
 

About this incident. So the mean time to resolution is getting better. Uh, they're gaining efficiency by having, you know, needing less FTEs. Uh, right now the problem with the, the alert volume being so absurd is that the only way to handle that today is to try to throw FTEs at it or to. Just, you know, like you've talked about close, just close incidents you think don't matter. 
 

Uh, both of those things are, you know, one is risky and the other thing is just hard to do right now in a market where SOC analysts are very valuable resources and then, uh, it takes time to train them. So I think one of the main things that we provide today is efficiency for the SOC analyst that's in the hot seat. 
 

Our, our goal is to make that analyst life their life easier. Give them. A lot of information to help them make an informed decision quickly, but responsibly and, uh, we're documenting all that for them. 
 

[00:17:11] Sean Martin: Yeah, and one thing I'll point out is 'cause it's easy for. Easy. I think it, it's one thing for an organization or a vendor to say, we're gonna do all this for the SOC analyst, and it's all under the covers and they don't have to worry about anything. It's automated. But what I saw in the demo is you, you're actually showing the query, you're showing the steps, you're showing the information. 
 

The analyst gets smarter. They're not getting, they're not getting dumber and just clicking buttons. They're getting smarter and they wanna hunt. They wanna find that hard thing that's, that's sitting there, that's going to be the thing that busts the company and. You're giving them the tools and the information and, and the environment with which to do that. 
 

And this is really, really cool. So thrilled to have this conversation and to, I mean, you guys are blowing up the model and, uh, now you've patented that, so congratulations on, 
 

[00:18:05] Cory Wallace: We have. 
 

[00:18:06] Sean Martin: on, on that. 
 

[00:18:07] Cory Wallace: Thank you. We're we're, we want to be disruptive and again, we, uh, we do care about the SOC analysts and that's not just a, a marketing line or just, um, something we're throwing out there to sound cool. You know, uh, Monzy went and worked as a SOC analyst for a year, tier one SOC analyst before we, you know, started the company. 
 

And, uh, we truly care about making the SOC analysts better and helping them, uh, you know, be more efficient. So 
 

[00:18:32] Sean Martin: Yeah, 
 

[00:18:33] Cory Wallace: we're gonna stick to that mission. Yeah. Yeah. Yeah. 
 

[00:18:35] Sean Martin: He told me that yesterday and I was like, that's pretty cool. 
 

[00:18:38] Cory Wallace: Uh, pretty cool. Pretty cool. Yeah. 
 

[00:18:40] Sean Martin: like, you wanna do what I want? I wanna give you a team. And he says, no, I wanna be one of the team. 
 

[00:18:47] Cory Wallace: yeah, yeah. Put, put, put me in the, 
 

[00:18:49] Sean Martin: put me in, 
 

[00:18:49] Cory Wallace: one. Yeah. Put me in coach. Yeah. Yeah. It was great that he did that. Again, just a testament to Monzy's character and how much he cares, uh, about this problem and the people that are in the, on the front lines. 
 

[00:19:00] Sean Martin: Absolutely. Well, thanks, uh, Cory for this again. Congratulations, everybody listening and watching. Thanks for, uh, joining us here for this brand story on ITSPmagazine. Uh, connect with Cory online. Find Monzy online. I'll include his link in LinkedIn as well. C-R-O-G-L dot com, as well, for all that they offer. 
 

And of course, you can find this in other conversations we've had with the team on itspmagazine.com as well. Um, thanks again, Cory. Uh, best luck. Looking forward to more conversations. Keep well 
 

[00:19:32] Cory Wallace: Absolutely. All right. Thank you.  
 
