At CrowdStrike’s Fal.Con 2025, theCUBE’s Dave Vellante and Rebecca Knight sit down for an exclusive conversation with Jaifar Al Mamari, head of cybersecurity at Vodafone Oman. Fresh off a 24-hour trip from Muscat, Al Mamari shares how he built a security operation from scratch, embracing a cloud-first strategy and leaning on CrowdStrike as a core partner. He explains why avoiding tool sprawl was a priority, how consolidation drives efficiency and how a lean team of just four manages end-to-end operations. The discussion also highlights the balancing act between regional regulatory pressures and the unstoppable force of cloud adoption.
Al Mamari details how Vodafone Oman trials Falcon modules on demand, automates vulnerability management and validates security posture with OverWatch red-team detection. He underscores the regional challenge of limited threat intel and shares how automation, API-driven integration and proactive detection keep his SOC lean and fast. Looking ahead, he discusses AI oversight and how security leaders can navigate both regulatory demands and novel adversary tactics.
Jaifar Al Mamari, Vodafone
Rebecca Knight
>> Good afternoon, everyone, and welcome back to theCUBE's live coverage of Fal.Con 2025 here in Las Vegas, Nevada at the MGM Grand. I'm your host, Rebecca Knight, alongside Dave Vellante, my co-host and co-founder of theCUBE. I would like to welcome Jaifar Al Mamari, head of cybersecurity at Vodafone Oman. Direct from Oman, thank you so much for coming on theCUBE, Jaifar.
Jaifar Al Mamari
>> Thank you very much, Rebecca. We were just speaking about it. 24 hours flying in, it's a long way to come, but it's worth it.
Rebecca Knight
>> Yes. Well, you seem remarkable for being as jet-lagged as you must be right now.
Jaifar Al Mamari
>> Yes, exactly.
Rebecca Knight
>> So, let's really get into it because you had the really unique and special opportunity to build Vodafone Oman's security operations from the ground up, with no legacy systems and do it from scratch. Talk about what that was like and what were some of the first big decisions that you had to make.
Jaifar Al Mamari
>> Sure. So, Rebecca, having to build that is really a blessing, but it can be a curse as well, right? I mean, it's a blessing that you don't have any legacy with you, but it's a curse because you need to deal with it differently. You need a different mindset. I mean, how am I going to secure this? If everything is on cloud, how am I going to do my defenses? How am I going to put my parameters or firewalls, right? So, it requires a complete shift of strategy and mindset. And I know from day one, since we are adopting a cloud-first strategy, we need someone or a partner that's already cloud-native, that understands cloud, that can go into virtual machines or SaaS applications or containers, wherever we need them, and this is why I decided to go with the CrowdStrike. But to be honest, even initially we started with the basic stuff with them. I mean, we grew naturally. We were like, "Let's test their EDR capabilities, let's see what they have here." Also, one pillar of my strategy was as well, I didn't want to have the best-of-breed, let's say, right? Having 20 different solutions, not integrated, in silos, just a hassle to manage. So, I really wanted something that I can consolidate, that I can integrate, it can be easy to manage as well. Make my security operations easy. So, today in Vodafone, I only have four people doing everything from A to Z. Not just the SOC. This is like the engineering part, the governance part, everything. So, my SOC is quite clean and efficient, and CrowdStrike was one of the strategic partners that I had to deal with and work with to build this cybersecurity-efficient operation.
Dave Vellante
>> If I could ask you a follow-up on that.
Jaifar Al Mamari
>> Sure.
Dave Vellante
>> When you say you didn't want best-of-breed, I infer from that you mean you didn't want to just choose a bunch of best-of-breed tools that weren't integrated?
Jaifar Al Mamari
>> Yes.
Dave Vellante
>> But my question is a philosophical one. Can you be an integrated platform and best-of-breed?
Jaifar Al Mamari
>> Yes, of course you can. I mean, you can. If you think the ranking of CrowdStrike, for example. They rank the best in the EDRs. They rank the best in other sectors as well. So, they are best-of-breed, but not in every area. So, in threat intel, yes, they are the best-of-breed. When it comes to EDR, yes, they are. But if you think about it, in vulnerability management, not really. I could have gone with another vulnerability management solution, but having a vulnerability management integrated into your Falcon platform gives an immense value to all of your detections. Because all of a sudden, instead of you just having to deal with the vulnerability in silo, you deal with it in the whole context of things. And the APTs, what are they doing in my region? Are people targeting telecom industry also using a vulnerability within my environment? So, I can do a lot of correlation as well. I can prioritize what to patch, what not to patch. So, there is a lot of value by having even the small stuff. I do this not just with CrowdStrike. So, I have few strategic partners and I just go all the way, keep it very efficient, keep it very lean, and then maximize, automate, maximize, automate.
Dave Vellante
>> What's interesting is, Rebecca and I were just talking, we were at four years ago, and this ecosystem was much, much smaller. Now, you see so many-
Rebecca Knight
>> The room is heaving in case you can't tell at home. Yes.
Dave Vellante
>> They need a bigger boat. So, an example would be SASE. Maybe they partner with Zscaler or Identity with Okta, even though people confuse CrowdStrike Identity with Okta, you don't have to go there. How do you decide how to build that ecosystem? Because you don't want tools creep is what you indicated. Most of your peers struggle to reduce the number of tools in their security stack. They have all this technical debt, but at the same time something new comes up. So, they go for best-of-breed, try to plug a hole. How do you balance that?
Jaifar Al Mamari
>> So, it's very simple. I have a problem, I have a risk I need to deal with. I need some controls. Let me go to the existing partners I have today. "Anyone have a solution?" "Yes." "Let's test it out." The beauty about Falcon platform as well, you can sign up on the fly for two weeks trial on any of their modules. You don't have to talk to your account manager, you don't have to do anything. It's just a click and then it's enabled. Figure it out. Test it out. Do you like it? Does it add value? Does it solve your issue or control? If it does, perfect, because it's already there. Some modules, I kid you not, I started with the two weeks and then I saw huge value. For example, on the vulnerability, I called my account manager, I said, "Just keep it." And it's already built in. No need to invest in adding something, building something, a project. That's it. It's already live from day one. And it gives me time to do other stuff. And it's all about scale and speed, right?
Dave Vellante
>> Sorry, the onboarding experience is like the cloud.
Jaifar Al Mamari
>> Exactly. Exactly.
Dave Vellante
>> Click here, spin up a virtual machine and you go.
Jaifar Al Mamari
>> There you go.
Rebecca Knight
>> So, you're talking about this rigorous of prioritization, reprioritization and focus. So, how does this workflow impact your team's relationship with IT operations?
Jaifar Al Mamari
>> Beautiful. We're enablers. We're enablers. We make it easy for them. And because you can automate so many of the things, it becomes like, okay, let's do a workflow, automate it and then just monitor that workflow. So, in the example of the vulnerability management, we only prioritize based on the expert rating from CrowdStrike. So, if the expert rating says it's critical, then we deal with it critical. We take that intel, automate it, create a ticket, assign it to the vendor that is managing that system, and that's it. And this all happens automatically every single month. Take, do and see. And we just monitor how many ones are closed and open month-by-month, and that's it.
Dave Vellante
>> What are the similarities and differences of protecting your customers and Vodafone Oman in your region? What are the unique and salient attributes there versus say Vodafone in other parts of the world, in EMEA or in Europe, for instance?
Jaifar Al Mamari
>> Unfortunately, Dave, there's not so much intel. There's not so much threat intel. So, if you look at the threat intel that is focused on our region, it's not as heavy or as rich as versus Europe or the US, right? So, there could be a lot of things happening and we don't have intel or previous intel about it. So, you really need to be very proactive, very, very proactive. So, this is a big challenge that we are facing. And to be honest, what keeps me up at night is these ones, is the APTs that all the threat intelligence are not even tracking and they're just doing things on my region. So, they're not in the radar of CrowdStrike or Recorded Future or however. So, that makes it very challenging for us. We need to be able to detect, protect, and keep up with all these emerging things. Some of the stuff that are really just specifically to the telecom industry. Now, we see threat actors are trying to breach through telecom protocols, not even using IT protocols. And that's very unique. This is challenges that are not even solved today. So, there's a lot of challenges, industry and in the region by itself.
Dave Vellante
>> So, the threat intelligence isn't as global as sometimes we like to think it is-
Jaifar Al Mamari
>> No, it's not....
Dave Vellante
>> because essentially, you're in a niche adversary world and they're coming up with novel threats that aren't widely visible.
Rebecca Knight
>> Are you the testing ground in a way?
Jaifar Al Mamari
>> In so many cases, yes, it will be, 100%. I'm pretty sure there are some unique phishing techniques that are only working in that region. And if no one is looking into that, then good luck.
Rebecca Knight
>> So, you have a red team that intentionally tests Overwatch detection capabilities.
Jaifar Al Mamari
>> Yes.
Rebecca Knight
>> What have those exercises taught you about your security posture? And what's your recommendation for other organizations like yours in terms of doing these kinds of red teaming tests?
Jaifar Al Mamari
>> So, Overwatch, I think, is a secret weapon of CrowdStrike. So, many people, they don't realize the power of Overwatch, but imagine you're getting service and then you have one of the best teams in the world that are fighting the top APTs, looking into your environment, enriching your detections, flagging the stuff that cannot be flagged by your team for the lack of capabilities or whatever the scenario is. But that assurance is amazing. So, that's on one side. On the other side, I also like to do my own testing and purple teaming. I'm not going to just wait for Overwatch to do everything. And in all of the cases, let's say, all of our testing was detected by Overwatch. They don't know it's a testing or a red team happening. And I love that when I see it. I say, "Yes, my supporters in the US are awake and they're picking things up. Yes, this was part of the testing. Let's close the ticket." And that's a validation. I even tell this to my management. Sometimes you buy stuff and they don't know the value, they don't see it. And I say, "Look, we run these tests last week. It was a test. They don't know about it. It was flagged as a breach. How beautiful is that?"
Dave Vellante
>> You were saying that you wanted cloud-native, starting with a blank sheet of paper if you will, but you also secure private clouds, hybrid clouds.
Jaifar Al Mamari
>> Yes.
Dave Vellante
>> We've noticed a trend in the US, I wonder if it's true in your region, where not everything's going into the cloud. People want to bring the intelligence, the AI to the data is the buzz phrase, particularly in financial services. I don't know if it's case in telco, but I'd imagine it would be they're building their own on-prem AI stacks, but there aren't as many solutions as there are in the cloud. The cloud's got one of everything. And so, look at AWS, it's amazing, same with Microsoft and Google. How are you seeing that in the region? How are you dealing with that diversity or lack of tooling on-prem versus in the cloud? Are you seeing that trend to bring AI to the data?
Jaifar Al Mamari
>> Dave, this is one of the most challenging questions to the regulators. The regulators are confused. They don't know what to do. They're saying for people on one hand, "Stay on-prem. Protect your data," but then the solutions are powered by cloud solutions. You cannot afford to train your own LLM. With security, let's say cybersecurity, you cannot. It's too expensive for you to do. So, the next best thing is rely on someone who already done it, who have an LLM trained on all the tactics and techniques and all the attacks that happened in the last decades or two and use it. And this is a question, actually, I ask for everyone. Who have the most mature LLM that is enriched with cybersecurity data? I think CrowdStrike, if it's not the only one, it's one of the leading ones.
Dave Vellante
>> What about public policy in the region, specifically around things like sovereign AI, sovereign cloud? I was talking to AWS recently, and this one individual's... Maybe this is not speaking for AWS, but this one individual's premise was, like the early days of cloud when everybody was afraid of the cloud, eventually people will become more comfortable and they'll be able through, whatever, VPCs or whatever, be able to create a sovereign-like cloud. Other that I talked to you in government say, "No, we want to have our own private cloud, sovereign cloud." What are you seeing in the region and what role does Vodafone Oman play in that?
Jaifar Al Mamari
>> To be honest, Dave, as I told you, they're struggling, right? I mean the force of cloud is just too good. I mean even Microsoft, it's more secure on cloud. Imagine if you had the exchange vulnerability. It's crazy. It's crazy. So, there it's inevitable going to the cloud, but then how can we protect our data? And so, this is the question. So, for example, in Oman we see a trend where, okay, let's do a mixture. We have this discussion all the time with regulator. "Guys, allow us to put more thing on public clouds." And they say, "No data..." And, "Okay, let's reach to a middle ground. How about I do the data plane within country and the control plane and the logic on cloud? Is that okay?" "Yeah, that makes sense." "Okay. How about if we're talking about a call center solutions, what is sensitive about this?" "The voice recording." "Okay, how about I keep the voice recording within and all the functionality abroad. Is that okay?" "Yeah, that seems like a good idea. Why don't we do that?" And this is the discussion that we're getting into, yeah?
Dave Vellante
>> Everything's a one-off.
Jaifar Al Mamari
>> Yeah, yeah, yeah, yeah. But it makes it difficult because... And I understand their position, right? They cannot say, "Yeah, just do whatever you want," and then they get blamed for it. But eventually, we can reach a middle ground where we can work around it. "Okay, let's say our data is there. Okay, how about we encrypt it? How do we send it? Can we create a separate tunnel that you guys are comfortable with instead of just pushing it through the public internet?" And these kinds of discussions, I think can help us reach somewhere by adopting the future and still having some control and securing that stuff.
Rebecca Knight
>> So, Vodafone Oman was the first group within Vodafone to adopt CrowdStrike. What are you sharing in terms of the lessons that you've learned and the best practices with other markets?
Jaifar Al Mamari
>> So, as I told you, they are very interested in the efficiency that I have created using CrowdStrike. "How do you maintain a small team?" These are the questions. "How do you keep up a small... How do you automate this stuff?" Because the way I use CrowdStrike is not just a dashboard and I click, I integrate with an API with my whole security stack. So, we do a lot of automation with our store, moving things here and there. So, they're very interested about, "Okay, how did you manage the vulnerability using CrowdStrike? Does it work if you prioritize using the expert rating or not? How is the intelligence working? Do you enrich it with something else?" And I actually do. You cannot sometimes also with intelligence, just rely on one source. So, I have multiple sources. Let me enrich CrowdStrike, but having it centralized in one place makes it so much easier and efficient. Instead of having these multiple systems and solutions.
Dave Vellante
>> The automated SOC, the full self-driving must have resonated with you, George Kurtz's keynote, because you have a highly-productive staff. I mean you're doing a lot with very little. So, I think we generally understand the upsides of automation. What are some of the gotchas? What are some of the downsides that you would... Maybe it's not downsides, but some of the cautions that you might share with some of your peers?
Jaifar Al Mamari
>> Two things. One, LLM today in cybersecurity is not as mature as we think it is, so don't let it take the driving seat. Still, use it, but have an oversight over that, that is very key. The second thing is you really need to know what is your use case. So, I'll give you an example. I have certain use cases where, for example, it's the employee stuff and I'm comfortable allowing the AI to make a decision. At the end of the day, the impact, even if it's a false positive or a true positive or whatever the scenario is, it's just an individual machine. But doing that on my critical infrastructure or critical servers, I cannot do that. So, this is my policy. I have different policies. Even on the prevention side. Hey, no, no, no, don't take full preventions... And this is beauty, by the way, you can do on Falcon. You can decide the detection part and the response part. So, you can say, "I want full visibility, full detection. But on the response, no, I'm comfortable only with this much. The rest, I want a human to intervene and then make a decision."
So, these are really two key things that we need to be very mindful with. Yes, automation and AI, very nice, but don't let it be taking decisions that maybe the board will call you one day for.
Rebecca Knight
>> So, last question, what is next with CrowdStrike and Vodafone Oman?
Jaifar Al Mamari
>> So, we've been doing so many things with them. Okay. One of the things I'm excited about is to see the future of Charlotte AI. Now, today you've seen maybe in the keynote, they are moving to more agentic. Instead of just having Charlotte AI, we're going to have seven agents. I'm very excited to see. What am I going to do with these seven agents? Do I need my analysts in two years or no? I don't know. These are questions I'm going to ask myself, right? So, the agents part, having someone looking into malware only or having someone only responding or have someone just communicating for the management, that's really cool.
Dave Vellante
>> I heard a new term today in the keynote, security AGI. I hadn't heard that before. George Gilbert coined the term enterprise AGI, we have AGI. Enterprise AGI refers to an organization's own private data that they want to apply, their own language models doesn't seep into the internet, doesn't get trained by ChatGPT. But does that analogy apply for security AGI? In other words, do you have specific proprietary security protocols, data intelligence that you want to apply to AI that nobody else will have access to? Or is it different in security because you want to share with the good guys? Or maybe you don't want to share with anybody? How do you think about that?
Jaifar Al Mamari
>> This is the exact question, Dave, I was having today with one of the CrowdStrike employees, Royan, right? She's struggling to sell the idea. In some countries, they're very conservative. They say, "CrowdStrike is on cloud, so let's not do." But I told her, "Come on, you know what you're sharing to the cloud. It's not like you putting everything on the cloud. It's only you would process names, your hashes, your connection, which actually, you want to share with as much people as you want." I mean, 9/11 happened, what was it... Post-9/11, it's lack of sharing. We did what they call it is the opposite of lack of sharing is the confidentiality and keep everything. And then, the agency said, "No, we had so much intelligence, but we didn't just share it with enough people to pick that up." Similar thing on cyber. Seriously, we need to share more stuff. While not sharing our actual data. We're sharing telemetry. We're sharing stuff. Some of the management, or let's say companies, they mix stuff because it's very technical. I say, "Okay, listen, I'm going to show you exactly what I'm putting on the cloud. These are the lists. These are the stuff I'm sharing. Do you have any issues with the file name or hash file?" "No, I don't care." That's it.
Dave Vellante
>> Yeah.
Rebecca Knight
>> Excellent. Well, Jaifar, a pleasure having you on. You are now a CUBE alum, so thank you so much.
Jaifar Al Mamari
>> Thank you very much, Rebecca. I'm happy to be here with theCUBE.
Rebecca Knight
>> I'm Rebecca Knight for Dave Vellante. Stay tuned for more of theCUBE's live coverage of Fal.Con 2025. You're watching theCUBE, the leader in enterprise tech news and analysis.