Cisco Systems, Inc. (CSCO) Earnings Call Transcript & Summary

Hey, everyone out there on cybersecurity-verse. It's Mike Storm with Cisco, distinguished engineer for the Cisco Security business. And I've got with me a very special guest today. I've got Nick Carrieri, the director of network security go-to-market for the Cisco Security business for SBG. Nick, how are you today?

Mike, good. How are you doing?

Doing fantastic, man. It's really good to have you on the show, have a chance to talk about some of this stuff.

I mean it's the landscape is changing so much. The threat landscape is constantly evolving. And interestingly, I have heard so many people talking recently about the variation in the way that different controls are being used. One of them specifically is firewall, topics on threat and how they're responding to threats, resilience. We just had Cisco Live Australia. I mean, give us -- what's the latest, Nick? What's going on out there?

Man, there is so much going on. There's Cisco Live Australia. We just had the partners on it. We're doing a big global series of road shows recently. And man, we're getting out in front of customers and partners everywhere. And one of the big things we're hearing is just people haven't talked enough about firewall recently, right? So we're getting that. We're updating them on what's happening, what's going on; and talking about customers. Most of our customers aren't even running the latest releases recently. We're finding out that 80% to 90% of our customers are running some older codes, all right? They're not ready to make the jump yet. I think they're a little apprehensive, but now that we're talking about the new features, they're hearing the word about what's going on. And we'll get into that a little bit later on, a lot of the new features customers are just really itching to get to. So really excited to talk to you about them tonight and get rolling here.

Awesome. So how far are we finding that customers are behind, years potentially?

I'd say it's a couple of years, yes, yes.

Really...

A lot of the customers, when asked at the beginning, "Have you heard from us in 2-plus years?" most of them haven't heard an update in over 2 years. So I think COVID got the best of a lot of us.

Yes, I guess so. And what's really remarkable about that is, 2 years ago, we really started releasing the latest threat engine, Snort 3.0. So if people have not yet had an opportunity to use code in the 7.x train, which I know we're going to talk more about -- but in the 7.x train, they're not getting anywhere near the type of threat protection that they deserve, correct?

Yes, absolutely, yes. Snort 3 was a game changer, right? We had Snort 2 best-in-class IPS for a long time and then we finally renewed the engine. And all of the new capabilities, all the evasions that's happening out there today, we can't do anything about it unless we have a better detection engine. So Snort 3 is where it's at right now.

Right. Something that happened recently that I thought was interesting: We always hear about public tests. And sometimes there are things you participate in. Sometimes there are things people just do and you find out later, but there was a test that I believe we were involved in, although it was another group that ran it. And these testing houses, the real critical thing is that you -- they have to be reliable, right, so the type of testing that they do, it's not a matter of matching on hashes or signatures that have been around for a long time. It's got to be new data. So there is a group, SE Labs, who ran a recent test which was a pretty advanced threat test for a firewall. And I was actually pretty amazed when the threat intelligence guys first came to me and said, "Hey. What do you think of this?" I was really surprised to find out that SE Labs actually gave us a AAA rating. We had a 100% legitimate accuracy rating, and all of the new data that they tested was new. And it was against 3 very, very elaborate threats: Wizard Spider; Sandworm; and Dragonfly, both 1.x and 2.x or 2.0. All 3 of those are attacks that are so complex and have so many [ MITRE ] techniques. They're really not -- you really wouldn't expect a firewall to be able to detect every single technique throughout these various attacks. What makes that possible?

Yes. I mean I think a lot of the new maneuvers or a lot of the new engines that we have available inside Snort 3; and getting into these new evasions, these evolving threats, right? Even things like encrypted traffic and protocols like QUIC, right, that just simply weren't available to be detected in Snort 2, we now have that availability, right? And even to take that one step further, we just released 7.3. And they have the MITRE map for those detections inside our firewall as well, so not only using and leveraging those techniques but showing it to the end user where those maps are for those detections.

See, that's amazing. And I've always kind of felt like never put an impossible problem in front of really good Cisco engineers because they'll figure it out. And one of those problems was we have -- the Internet is dark. The network is dark. Threats are being obviously run over encrypted channels, so they're much more difficult to detect, much -- even see, for that matter. Because of compliance, there is this kind of 2 camps, if you will. And 1 camp says, "Oh, just decrypt everything and scan it for threats." The other camp says, "No. We actually have some data that we have to keep private here," so you must be able to scan encrypted data at -- in real time for threats without decrypting it. And I understand that our encryption engine, encrypted visibility engine, I believe, is the name, actually has the capability to do that.

Yes. I mean it was one of the impressive things that, as we talked about -- as we talked with customers recently, we found, years ago, everybody wanted to talk decrypt everything in the firewall. And as TLS 1.3 became more pervasive, right, there's just areas you can't do that anymore. And then you have new protocols like encrypted SNI that make it even more difficult, right? So those customers that were talking about that found out that it was very expensive in a firewall capacity to use those resources that do decrypt, right? And that's exactly where the encrypted visibility engine really began a couple of years ago. And when we launched the TLS server identity, which was the first iteration of that, we really blazed a path that really was differentiated from anything else out in the market. So instead of [ expending ] those expensive resources within the firewall, we actually offered the ability to look at things like URL and app visibility and, soon, malware within -- without doing decrypt. And the best part about this is like you don't have to take our word for it, all right? Everybody is like, "Well, how can I trust this? How do I know what the false positive rate is?" There's actually a confidence score inside the logs now that will say, "Hey. We matched this many percent of the identifiers that we expect to figure out if something is malicious or not." So really powerful. And it's a really great method as well as a great deliverable really resonating with a lot of customers these days.

Yes. That's pretty amazing. And I have to say, knowing some of the technology that used to exist on switches that did this -- they encrypted traffic analytics. The fact -- the simple fact was, because I'm not really truly decrypting it, I'm looking into the encrypted traffic using inference schemes and things like this. It -- my PII was never at risk, but I was also able to do it at line rate. And those 2 things, I think, are really critical, especially for businesses that have different types of regulations and governance that they have to maintain, right?

Yes, exactly.

If you were to compare Snort 2.0 and Snort 3.0 by a percentage, how much better is Snort 3.0 from a -- just a pure capabilities perspective from threat detection and all the things that it does with multi threading and so forth?

Oh, man, percentage-wise, 60% better, right? There's just so many different things, and it's really like what you're talking about specifically. Like everything is different, literally from Firepower recommendations, to how it does a restart and how it tackles that, how it does updates, right? It's just it's a whole different beast when you're talking about Snort 3, so it is a lot better significantly across the board, but I would hit the ballpark at 60%.

Hit the -- okay, I know you're a conservative guy, so I was actually expecting less than that. So that's a good number. That's why I threw it at you. Awesome. So Nick, we're in a hybrid world and there are so many workloads that are moving to cloud, so obviously this is a big deal. And even though we find that probably 90% of our customers still are somewhat of a hybrid model, that probably is an even bigger reason why having workload capabilities in the cloud, as they are joined to what we're currently doing on site, is important. Let's talk a little bit about some of the workload stuff. What's new with workload and microsegmentation?

Workload formerly known as Cisco Tetration, all right? So our app security. So the biggest thing recently that's hit is really the tight-knit integration between firewall and the workload solution. And I don't mean it's integrated in the sense that you have to have a PhD and DevOps and APIs to figure out how to make this stuff work together. It's a really well-built native integration between the two. And the power of the solution really comes in when you're discussing the microsegmentation or, some customers calling it, Zero Trust segmentation [ asks ] that a lot of our customers are hitting today, all right? So having the ability to take the workload and all the analytics and now all the application dependency maps that it's building and deciding on policy and sending that automatically to the firewall, all right? So a lot of customers use firewalls as choke points or enforcement points in their networks, so now you have the capability to take the analysis and all the rules that are created by workload and make an API call automatically to the management center that pushes down to those firewalls. And so that's a great part, right? And then there's advantage of the integration like modeling and profile policy detections and what happens there, all right? So some really powerful stuff that's happening with these 2 solutions. When people were asking us what's 1 plus 1 equals 3 for Cisco, this is one of those solutions.

So it's -- what's really cool about this is it's taking me from my data center to the cloud in a seamless fashion, right? I mean this is there's absolutely no disruption whatsoever. It allows me to do it all with an integrated solution, so what's the footprint look like, as far as if somebody were to want to do this? This is all installed in the cloud, could contain a combination of on-prem and cloud-based resources, right?

Well, the perks and one of the disadvantages of Cisco, right? We have to offer it in every space, so we do offer a virtual and a hardware form factor for both of these solutions, all right? So we do have a 39RU and an 8RU offering for workload for those that are really doing big analytics. And really getting into a lot of data, like you said, in the data center, you need that type of storage capacity, but we also have a SaaS offer as well for those that want to stand it up quickly, get their hands on it, get it working seamlessly in their network, right? We do have the SaaS model, so something to take advantage of there.

That's great. So pretty much every use case is covered. That's kind of the way we do things because we don't have just one customer. We've got customers that are doing all kinds of stuff. Awesome. So here's one of the other things that's come up for me a lot as I've been talking to some of our larger enterprises, especially as they've been trying to do everything they can to simplify the stack. And what they mean by that is they have so many things to do. They've got so many systems to touch. And one of their biggest pain points is policy. It's how do I manage policy between disparate systems. How do I bring it together from on prem to cloud, between workload, between firewall, whether it's networking with ICE or whatever the case may be? And we have a solution for that. I mean CS DAC. Tell us more about the dynamic attributes connector.

We released the dynamic attribute connector, man, over almost 2 years ago now. And it's just been a fantastic technology, right? So conceptually with CS DAC was it's a translator, right, that will hook into dynamic environments and pull down attributes and give them to the firewall management center to make policy decisions. The power of this is that, once the dynamic object is created, admins don't have to consistently update these objects. So [ where they are ] in those dynamic environments where workloads are spinning up, spinning down in any public cloud or Office 365, NSX-T environments, your admins don't spend their whole lives updating objects, right? So it's a really powerful system that brings the advantages of reducing the operational overhead for a firewall admin. Now one of the awesome things about how this was built, and I know you know this: We built it with, of course, the API-first strategy, all right? So even for connectors that we don't have today, it's an open API framework to build into any dynamic environment. We have customers that have reached out and said, "Hey. Can you build it for this environment?" or this environment. We're able to build those off cycle and provide connectors into those environments, making it easier and easier for customers to deploy firewalls.

Yes. That's awesome. And the adapter side is pretty cool too, which is the side where the systems that are actually creating the policy are talking, right? So not only the firewall -- FMC, CDO, potentially ICE and many more in the future that could plug in as adapters as a means of managing policy. And that's pretty awesome, that it runs all the way through that entire architecture.

Yes. And one of the other big callouts that we did recently, right, that a lot of customers, you said, don't want the heavy operational lift, right? So they no longer have to run it as a separate VM. It's integrated directly into the manager. So for those that are using the cloud manager, and we're going to be launching it on the on-prem manager in the spring, you don't have to build up another box. You don't have to stand up that Linux VM. You hit those -- you hit the integrations that you want to do, Azure, AWS, o365. You put in your API keys. And you're off and running, getting mappings instantly.

Yes. That's pretty awesome. And I -- one of the cool things that I saw recently that I thought was just amazing was the fact that we actually have the feed from 365. So we've got all of their IPs, so as they change their IPs around inside of the cloud, they're dynamically updated on our end. So if something is down, you don't send stuff to an unreachable destination, which is really cool.

AWS, Azure, GCP, o365. We could go on all day with this list of dynamic environments, but the power is really not only -- today, we're doing it with IPs, but in the future, we're going to be bringing the tuple support, right? So as you get into things like containerized environments that use single IPs, where a tuple makes a lot more sense, you're able to leverage these directly in your security policy and stay up to date, all right? So more power. That's going to keep evolving; as you talked about, integrations with ICE, integrations with other aspects of Cisco. It's just going to bring more power to the firewall policy.

Yes. And I'll tell you what: Customers love nothing more than [ SimCity ] at scale, all right? I mean that's where it's at. So yes, really, really cool that we're taking that on. I think it's going to be a game changer to keep all that stuff in sync. I mean I know from the customers that I talk to it's a really big deal. I mean I -- one of the other things that I should throw out there is just our platform focus right now on making sure that everything we do in every one of our products allows you to do it once and it ends up everywhere. And that's really cool from an authentication, identity perspective, provisioning. All these things that we're currently doing and releasing and also working on for the future are really going to change the game for customers. And one more: off glass. That was something that has come up so much recently, being able to do everything with an API. So you're locked into a UI. I want to use an ITSM like ServiceNow. That's going to be my workflow manager with ticketing. We'll do it there. As long as it [ supports the rest of the API ], you can do it all. And that's -- that really does kind of release the customer from some of these being handcuffed to a particular user interface to get things done.

Yes. I mean we have a lot of large enterprise web-scale SP customers today that are doing homegrown tools, that have the resources to build these dedicated teams, right? So having those APIs; having those capabilities; making sure it's open across the board, not just at the firewall, right? And I know we're talking about firewall here today, but everything inside our business group these days inside security has an API-first-led strategy that is being harmonized so people don't have to learn a cloud-delivered firewall API versus an on-prem firewall API, versus a workload API, right? We're really making that and extracting that complexity out from customers' hands and letting us take that on with our unified API.

Yes. That's great. And what that leads to, of course, is our customers being able to leverage all of their investments Cisco or otherwise, because those APIs are universal. And that allows them to then do further integrations with some of their other tools that may not be Cisco, so that's a huge benefit. Here is another topic that I would love to talk about because I think, when -- I talk to a lot of customers: And obviously it's about a variety of security solutions, but when I get to the firewall portion of any conversation, the audience is sometimes different, right? So we have -- from an end point perspective or a SOC perspective, we have pure analysts, folks that are literally just security practitioners. That's all that they do, but at least half the time, if not more, when I'm talking with someone that is managing firewall, their roots may be in networking. And so they're not a deep SOC analyst. They're not that kind of -- that's not the job. They do networking. They do firewall. They do a lot of things. And for them, we've always been a little bit on the complex side because we've always targeted our products towards more of that pure-security practitioner. I understand there's a tremendous amount of new capabilities, simplicity, usability that are really targeted at the firewall persona. Do you want to talk about that for a few minutes?

Yes. When we acquired Sourcefire years ago, spot on, right? It was a heavy security company. That was the focus. Those were the teams we were talking to years ago. And I think one of the things we found, exactly to your point, is firewalls are being used everywhere in the network, right? It's not just the security team. It's the network team. It's the DevOps team, right? It's across the board, and so we've really gotten into the ins and outs of making it easier to use. So over the past couple of years, you've seen our -- if you've seen our road maps, usability and ease of use have been a big focal point for us. So making things like streamlining uptime, doing things like low-touch provisioning and delivering those. Making it easier to stand these boxes up for these teams was a really big focus area; as well as resilience, right? What happens to the firewall in a DR scenario? How can you recover the firewall? Does it automatically recover the management tunnel if something breaks from a bad config, all right? These are things that plague ops teams across the board no matter the team. And we also had a big focus on monitoring the firewall. A couple of years ago, somebody came to me when I was in the field, and they said, "Hey, Nick. How much bandwidth is flowing through these 5 interfaces?" There was a lot of math and a bunch of show interface stats that I had to put together, but we could get to it. Nowadays, we have a single UI, a device health monitoring page where you can easily see this data and correlate this traffic. And more importantly, for the NetOps team or anybody that's administering this, if they want to correlate data or they create custom dashboards, they now have that capability. So maybe they're trying to track an elephant flow to a pegged CPU. It's a really powerful system that's now available. And lastly, I'll give you one more. We just released the ability to do static core allocation. So if you buy a firewall, maybe you need to buy a single model, but its purpose has a couple of different plays in your network depending on the team. So now you could buy the single appliance. And maybe you have a VPN heavy use case, so you can allocate more cores to the data plane now and use that box as a VPN termination point. Or you can now allocate more cores to the inspection plane, right? And where you're doing maybe your DPI [ heavier straight ] IPS use cases, right? So it's really advantageous for customers now to look at single boxes and figure out how to deploy them differently with the [ same cut ].

That's awesome. And I'm sure that probably takes the multi-instance stuff to a new level as well if we're having to split firewalls up into virtual boxes, right? Because, I mean, they've been physical for a long time. We've had physical CPU and memory resources and code allocated to each incident so you could reboot them. You could -- individually. You could upgrade them individually. And this is something that not a lot of people know about if they haven't talked to us in a few years, but I'm sure now with the static core allocation this really starts to get cool.

It is. And one of the most powerful things for the customers that came from ASA and multi context, after you talk to them and you really dig into what are you using multi context for, 90% of our customers are actually using it just for route separation. So we actually offer VRFs and multi instance, right, so you can virtualize it at the route layer. Or if you do absolutely need those physical separations, maybe for a PCI environment, you can go multi-instance path.

So Nick, being in the industry as long as we have, we've seen it all. And one of the things that I've seen pretty regularly is that, for the persona that needs to manage a firewall, they want as -- want it to be as simple as possible, but we've always seen this compromise with a lot of vendors where they compromise what's being shown, the visibility. And sometimes that leads to what's actually been detected was missed, just to simplify the front end. Not only have we simplified, but I also understand that we've also created a bunch of form factors if you need to do it in the cloud, if you want to have it on box or if you want to have multi manager. Give us a little bit more information about some of these innovations.

Yes. I mean it was interesting. At one of the road shows we kicked off with a partner, we were going through the virtual enhancements. And he flat-out said, he said, "I really just want the same function as on prem in my virtual space." And I kind of chuckled, but I realized some people don't realize that we have offered the same function security-wise and firewall-wise on prem as in virtual for years now, all right? But one of the big ones is around the ability to do firewall clustering, which was typically and traditionally a physical firewall feature. Now we've actually [ bought ] the clustering technology to our virtual space both in the private cloud and in the public cloud, right, so we've really closed that gap on that outstanding item that I think has been plaguing our customers, but now, even more importantly, we now have true ability to do stateful replication in the public cloud space. But customers aren't paying for a cold box to just sit there and run some script against. It's actually running those stateful connections across 2 boxes. So that's the good part on the physical side. We just launched the 3100 as well. As you know, this has just been an absolute phenom of engineering accomplishments. I mean just [indiscernible] that box...

Yes, yes. There's nothing like it on the planet, I mean, yes, nothing like it on the planet, so...

Yes. It's crazy. I mean there's very few times in my career I've been able to say we've been 17x better from one gen to the other. So for those that are looking down the TLS space or those that are looking down the VPN space, especially those looking for single-flow encrypted throughput, I mean, 31 gigs in a single SA flow is like unheard of across our industry right now, so really impressive feat that's been done by engineering on the 3100 itself.

Yes, especially with that footprint, right? I mean it's a small footprint. It's not a big, gigantic box, so...

So 1RU. It's [ a beast ].

Yes, exactly. That's pretty awesome. Last thing here: Let's talk about management because it's your underlying system and I -- you would think that 90% of probably what firewalls do are pretty much table stakes today. There's certain things that make each one of them better and preferred based upon use case, but it always seems to come down to management. And so let's talk a little bit about the new cloud FMC and CDO because I know that those are some things that, people who haven't seen us in a few years, they know nothing about.

Yes, absolutely. Great call, Mike. And this is another great one that we just got delivered at the beginning of this year. So those -- for those customers that are looking to move away from on-prem management, right, they're trying to move away from big iron. They want less infrastructure, less patching work, less items for their teams to take care of. Cloud-delivered FMC is really where this is at, right? So it's a pure SaaS model. It's not some [ parted-out ] VM that they're going to have to maintain anyway, so this is really where the advantage is now, right? You don't have to patch. You don't have to worry about version control. You don't have to worry about how the compatibilities work with your manager. And the best part about this whole thing was, for those customers that have been using FMC and loved FMC for years and years, we ported the exact same manager to the cloud, right? So for those that do want to take advantage of that, there's 0 learning curve. Literally the menus, the navigation is the same.

Awesome. So we have 100% parity between hardware, virtual and cloud from the platform level; and we also have 100% parity now from on-prem and cloud management as well.

That's right...

That's awesome. Really can't go wrong with that, I suppose, right?

Yes, absolutely. And one of the other big callouts there: There's apprehension everywhere, of course. I mean we're technologists. We're always going to call things into question. We gave customers and partners the ability to jump in-between. So say you migrate the devices on prem to the cloud. You can actually revert that, bring it back down if you say, "Hey. It's not working out for me. I don't like it," for whatever reason. No harm, no foul, you can revert back to your on-prem manager, so a really exciting feature, right? It derisks the customers that want to look at this and give them the flexibility that they really need.

Yes. And that's kind of nice too, I suppose, because that eliminates the whole concept of a forklift upgrade. If I want to try a few in the cloud, I can do that, but I can still have my multi manager on prem or otherwise VM or hardware if I'd like, correct?

Exactly.

We've talked about it a lot, and obviously there's a lot more we can talk about. And I'm sure we can talk for days on this stuff because there's just -- there are so many new cool things about Firepower and our FTD and our FMC and all these things -- all acronyms. Sorry about that, but -- so many cool things about it, but one of the things that I think is really critical: If somebody is listening and they want to find out, "How do I go learn more?" is there anything going on right now that they could use as a means of getting more education on where we're currently at and why they might want to talk to Cisco?

Yes, yes, absolutely. If you want to get hands on boxes, we offer test drives. They're guided [ 2-day ] hands-on keyboard access to the technology. It walks you through the ins and outs of everything we just talked about...

Is that virtual?

That is virtual, yes. That is a virtual offering.

Okay, cool.

Yes, absolutely. And for those that like to do a little more self paced, a little self-learning, you can jump over to getcdo.com. Fill out a smart sheet. And we'll actually provide tenant access to CDO and the cloud-delivered FMC, if you want to get your hands on it. You have a box or a VM you want to stand up. We always offer trial licenses so people can get their hands on it, get dirty, start playing with it any time day or night.

Very cool. So for the folks out there that don't know the acronym: CDO is Cisco Defense Orchestrator. It's a multiple device, meaning more than just firewall. It's firewall and a lot of other stuff and it's a unified manager in the cloud, so what Nick is talking about. getcdo.com allows you to get into that and do a test drive. Now one last thing, Nick: I had heard that there was actually some really cool options from Cisco for customers that may have existing boxes. They can get some free upgrades...

Yes.

Tell us about that.

Yes. This is another big one, right? Obviously, like you said, we spend a lot of time with customers. And all the features are great, but how do you get from point A to point B is really problematic, right? That's one of the defining pieces that I think customers bring up to us, so we have really 2 offerings right now. So we have a free service that's CX led for existing customers that want to upgrade into the newer codes. So we'll upgrade 2 HA -- an HA pair of FMCs and 2 HA pairs of firewalls, for free, to the latest suggested cut, right, which is currently [ 7.0.4 ]. All those features we talked about available, you can get your hands on today for free, right? And [ tech is on standby ]. We have the dev team on standby. Anything happens, we'll be there to support you and which is a fantastic offering. There are a lot of customers obviously out there that have a lot more than just 2 firewalls, right? And so we also have what we're calling the firewall migration help desk that's out there to really help guide customers from point A to point B. If you're doing a refresh of your FMC, you're going from an older model to a newer model, you're upgrading to an older software or newer software, you're going ASA or even if you're going from a third-party firewall to us, we now support that migration option. So definitely I know some people have to reach out to their local account teams to get that set up, but it is an offer that is available for free for everybody.

Awesome. That's really cool. So we have the place to go get stuff. We've got a bunch of free stuff. We've got a -- it sounds like we have a safe harbor version, [ 7.0.4 ], that we offer, but we're just about to release 7.3, so there's a bunch of new stuff coming there. For those of you that haven't looked lately: I mean we're talking, across the board, dynamic objects, unified policy across multiple systems. We've got a dynamic attributes controller that is -- it's going to change the industry, as far as simplifying your stack and helping you to do things in multiple places. Cloud workloads, encrypted traffic analytics that doesn't decrypt. I mean there's just so much that's out there right now. All of those things are here today, and we've got so much more coming in 7.3. Nick, it has been awesome to talk with you. Any last words, or should we turn them loose?

I would definitely connect with your local team here more; set up deep dives; set up demos; and of course, request licenses. We provide licenses all the time. Get your hands on this and get to work and let us know what you think.

Sounds good. Thanks, Nick. It's always a pleasure to talk with you.

Thanks, Mike. I appreciate your time. Thanks for the invite.