Cisco Systems, Inc. (CSCO) Earnings Call Transcript & Summary

April 27, 2023


Earnings Call Speaker Segments

David Robbins

executive
#1

Good afternoon. My name is Dave Robbins. I'm the APJC Regional Lead for Extended Detection & Response here at Cisco. This week at the RSA Conference in San Francisco, we launched our next-generation Cisco XDR platform. So today is an opportunity on a nice APJC-friendly time zone to have a bit of a discussion around what XDR is all about, the different strategies that organizations can use to mobilize and take advantage of that capability and do it in a way that can improve their security resilience. So with me today to help unpack that conversation and dive a little bit deeper into what it's all about, we have Timothy Snow, who's our lead security architect here in Asia Pacific, and Natalie Timms as our SOC lead in the region as well. Good afternoon, Tim and Natalie.

David Robbins

executive
#2

Tim, I'm going to start with you. And I want to start, if I can, on the topic of security resilience. We know -- certainly a lot of organizations I speak with, and I think it's something you're talking about every day, right, is how do we improve resilience? What are the different ways? What are the different success factors that can contribute to that? So maybe before we deep dive into XDR, could you give us a bit of an overview of what security resilience is all about?

Timothy Snow

executive
#3

Sure, Dave. And a pleasure to be here in APJC. So I think in order to address some of the ways that we're looking at XDR and some of the benefits that we're bringing, we need to understand some of the challenges. We have been seeing some major challenges in the past in how IT delivers services to its users. This has been accelerated over the last couple of years and created new challenges. I think for the customers that I speak to in the region, there's a few that kind of bubble up to the top. And the first one is a very complex IT environment. Not only are customers in APJC struggling with, let's say, legacy systems debt, but also changes to their environment and strategies, such as hybrid workforce, shifting to a cloud or multi-cloud and that kind of dissolved perimeter. The second one is closely coupled to the first, and that is architecture and framework changes towards looking at models like zero trust. And I think in looking at the APJC security outcomes report, we did find a direct correlation between customers that had a mature zero trust deployment, also had a 30% improvement in their overall network security resilience. And so that means that they've examined their environments, and they can respond accordingly commensurate with the events that they see in their environment. And that really is the core definition of security resilience, is being able to not only protect the environment, detect, but also take that appropriate action, keeping the services and the business running. And I would say that the last one or the third one is being able to handle those challenges with a stretched-thin security team. And so they're busy trying to secure the environment with those above transitions, managing and maintaining some of those legacy systems and the daily deluge of events that are coming in from the many disparate systems that they have that are typically not integrated. 
And so they're fighting the good fight, but just every day, it's a barrage of new things that are happening.

David Robbins

executive
#4

Yes. Got it. Thanks for sharing, Tim. And certainly, you mentioned the Security Readiness Report, and both that and the Security Outcomes Report are some really interesting sources of new -- of data and research that kind of support a little bit of the, if you like, the science to go with the art of cybersecurity. One of the ones I found most interesting was the finding in the Security Outcomes Report that organizations that kept some capacity in demand to be able to respond to incidents performed a lot better on outcomes, and in fact it's a better predictor than the total staffing levels for cybersecurity in those accounts -- or in those organizations. So a really interesting set of findings there. But let's double-click on that third and final point you mentioned, which was around really the ability to deliver a lean SOC-type operation, if I can call it that, and really to manage through, for want of a better term, but kind of alert fatigue. We've mentioned a few starts today. I think 100% of SOCs would say that dealing with the number of alerts, dealing with that deluge, is a real challenge. So touch a little bit -- or maybe dig a bit deeper for me on the capabilities and really the different challenges and resources we've got to support organizations dealing with those sort of challenges.

Timothy Snow

executive
#5

Yes. In fact, I'm at an event -- I ran an event today talking about security resilience, leveraging zero trust architecture frameworks. And the common message from customers is just it never stops. You kind of plug one hole and a new thing opens up, like a dam, right? And that message is they're inundated with events, disparate and uncorrelated events. And they are trying to acquire different technology within their SOC to try and collate these events, automate some of that triage. And so what they do is they add on something like a SIEM tool and then they add on a SOAR, and then they try to have to kind of build in some of these integrations themselves. And while they're trying to fight that good fight, they're having to be developers to try and merge these things, that -- those disparate systems. And so I think while they may collect, they may not be able to orchestrate and automate their workflows and playbooks to do the things they want, which is ultimately to protect, detect and respond in a commensurate way to the threat. So yes.

David Robbins

executive
#6

Awesome. Thanks, Tim. I appreciate you sharing that. And probably gives me a good excuse to bring Natalie into the conversation as well. And so Natalie, this week, at RSA, we launched our new solution. We've been working on for a long time, we're all super excited about it, and the way it can help us detect threats sooner, be able to prioritize alerts, be able to act on them faster as well. But before we dig into that, try and hold back for a moment and get you maybe to more broadly talk about XDR as what it means today. We know that -- everyone's been looking at all the coverage from RSA. And in fact, there's been so many different conversations around XDR. So maybe start by netting that out for us, please.

Natalie Timms

executive
#7

Yes, sure. Thanks, Dave. And Tim really gave me a great lead-in here because, I mean, really, the whole concept of XDR, it's not a new one. There's been systems that have started to come out over the last few years. But as Tim had said, some of the earlier revisions, they were more SIEM-like. They had limited analytics, and then they slowly started to add more and more capabilities. And then you had some of the SOAR platforms that came up over here. And then you had XDR cases, SIEM platforms, and you had a consolidation of the 2. So I mean, really, it's not a new concept, but it has taken time and research to actually build a solution that will truly address the pain points and the requirements of the SOC that Tim had spoken about earlier.

David Robbins

executive
#8

Yes. Got it. Makes sense. And so as different capabilities, they came along, they're really good for aggregating the data. But it's kind of all about how we actually make that actionable and how we take that action before that risk manifests in a ransomware incident or whatever the case might be. So you touched on a little bit on how it's different from maybe those architectures already. Maybe dive a bit deeper for me into what it is that we've actually launched now and how that's different. What is Cisco XDR?

Natalie Timms

executive
#9

Yes, sure. And honestly, there's probably folks out there that said, "Hey, Cisco. We've seen vendors X, Y, Z out there with products and platforms and solutions for a while, and you guys are a little bit late to the party." But I think we've had an advantage here because many vendors have been selling detection and response solutions, and we've been able to leverage feedback from customers using those platforms and what they like, what they don't like, gathering feedback, focusing on whether they're happy with products. And combining that with what's going on in the industry, how attacks have evolved over the years. It's really allowed us to build an XDR solution that will truly help customers and satisfy their objectives. So sometimes, you have an advantage coming in a little bit late, and you get to take advantage of lessons learned and have customers actually tell you, "Hey, this is what we really need, and we're not seeing it." Because I mean, really, how many times have you gone and spoken to a customer or the customers out there, you bought a product because of some shiny new sexy thing. But then once you start to dig into it, it's really hard to configure and understand and it's cumbersome. And maybe you don't have the expertise in-house to be able to optimize that particular purchase. So you tend to either let it fall by the wayside or you just make do with out-of-the-box configurations and rule sets and things like this, which are not really giving you what you need. And in fact, a lot of the times, going with an out-of-the-box config means that you will deal with false positives because you haven't actually gone in and tuned the system to make it work in your environment. So really, the concept of Cisco XDR, we can see on this particular slide here, we're looking at some key elements that we've made part of our solution. I mean, number one is supporting multiple telemetry types. 
Although this is a Cisco product, we have integrated with specific third-party vendors and products, and we'll talk a little bit more about those coming up. But having additional telemetry sources, having an extension from not just taking telemetry from endpoint detection response systems, but also network, from e-mail and all these types of things, enhances detection and also adds context. And that makes it easier for an investigator to go and actually dig into a threat that's begun in the network. Having strong analytics, beyond what would be deterministic rules or signature-based, we really need to get beyond that today because when it comes to day 0, there's no point looking at rule sets that know about what we know. Adding context-enrichment capabilities, having threat intel feeds, particularly with Cisco Talos, and being able to integrate with other threat feeds, third parties that customers may have that will actually reach and verify a particular incident. And threat framework mapping is one that is also part of this particular solution because -- you see how well it works with other vendors. A lot of vendors actually support things like the MITRE ATT&CK framework, which are based on industry standards, a lot of research, a lot of data science to actually put those models together. And I think finally, the big piece is, when you have all these nice things going on under the covers and you have capabilities and the ability to define playbooks and things, you need an intuitive and descriptive user interface that actually makes it easy to maneuver through the system and do the things that you need. So streamlining that process of detecting and responding is something that is actually a main element of Cisco XDR.

David Robbins

executive
#10

Yes. Got it. Makes sense. And it's great to have, for example, the ability to link to the MITRE ATT&CK framework because we know that the TTPs, the different things that adversaries are doing, what was once the domain of the very sophisticated attacker is now something that we're seeing universally across threats, so it's important that we get that right. So it's great that we can detect the threat. Delve a little bit deeper for me about, once we've got that capability to detect it, what we can actually do to act and be able to respond to it, that automation piece.

Natalie Timms

executive
#11

Yes, sure, Dave. I mean, really, when you look at an XDR solution, that includes a number of key elements. Obviously, like I mentioned, telemetry collection, being able to ensure that you're picking up events from your key security elements within the network that give you the best context. Having coverage across a number of security roles, whether it's network detection and response, picking up metadata flows, endpoint, next-gen firewall products, e-mail, all of these things go into the mix and are treated by converged analytics. That will actually go through using algorithms, such as things like deep learning algorithms, that actually will go through and help take individual alert actions and start to chain those together. So the whole idea is having strong analytics that actually build an alert chain and give you a really good idea of what's going on. When you're working with the MITRE ATT&CK framework, it's actually going to describe, hey, what are the tactics and techniques that map to these alert events that I'm seeing coming into my incidents panel? And that is going to help you build what would be a complete response. So like you mentioned, Dave, there's that piece of detecting and making sure that your detections are validated through building correlated alert chains, by adding threat intel and all that good stuff, but then having the R in XDR also have as much strength. So it's a capital R for Cisco XDR. It's not a lower-case R because we're driving automated outcomes that take the prescriptive intelligence and alert information, and actually allow you to then build a playbook that will completely satisfy the requirements to mitigate that threat. And to have that done on a more automated basis and make it easy for a customer to say, "Hey, if I see this, let me go and mitigate this threat on this particular device." I think what that does is it eliminates any ambiguity in terms of deciding how to go ahead and mitigate that threat. 
And it helps ensure that nothing is missed in that process.

David Robbins

executive
#12

Got it. Makes sense. I love how you mentioned those different threat vectors as well. I know one of the things we've seen is that, over the last couple of years, we've gone from kind of you needed to catch that maybe in 2 different places, and maybe like the network and the endpoint was good enough to get that threat early, but that seems to be trending. In fact, we have the data to say that's trending towards 3 different places we need to capture. So I like the way you put that how those analytics and kind of come together, package that up. So instead of sending a whole bunch of alerts to our SOC analysts and asking them to make sense of that, we're kind of bringing that together and defining that as, right? That's correct, yes?

Natalie Timms

executive
#13

Yes.

David Robbins

executive
#14

And so with that being the case, one of the other things that I know we've worked a lot on is driving an open approach to that system, both in the different places we can collect that data from and also in the ways we can act from it. And obviously, as Cisco, we've got capabilities in endpoint and through things like the VPN client even, as well as of course e-mail and network, cross-identity. So we've got this great, rich source of different threat detections we can build, but recognized as well organizations will have other technologies there as well. So click down a little bit for me on the open component of the strategy that we've just announced.

Natalie Timms

executive
#15

Sure. And can I have somebody advance the slides, please? So yes, one of the big things is, it's great that we have a plethora of security products, and they're all really strong in their particular security technology areas. But we're not silly here. We realize that customers have a choice in security vendors, and they've made investments with various products, various third-party tools. So what we're offering here with Cisco XDR is the ability to leverage that investment that customers may have made with other vendors and support specific third-party products, whether they're next-gen firewalls, whether they're intel feeds, whether they're endpoint detection and response. So I mean, we're looking at things like being able to leverage CrowdStrike as an endpoint. Palo Alto products. Microsoft, both in terms of Sentinel feeds and Azure as an Active Directory identity component. And being able to add that information allows the customer to get a view of their network from a threat perspective that pertains to the elements they actually have. And the cool thing is that with these integrations we're actually taking the data flows from those third parties and normalizing those and using that information to help with the detections. Look, I've worked in the area of telemetry ingestion before. And I know as writing a [ parser ]. I'm getting a data flow from any vendor out there. Send me a syslog message, I'll parse it. And maybe it gets used in a detection. And the thing is that you want to be sending and receiving those event messages that make the most sense, that actually are used for detections, because sometimes, a vendor can say that they support a gazillion different products, they then actually use that data. 
And on the backside of it, all you have is a bunch of messages sitting in a data lake somewhere and you have your SOC team complaining that they're looking for certain things and the searches are dog slow just because of the bulk of the intel and the event log messages that are in there that they're trying to really just sift through and find the stuff that's important. So when we work with third parties, we're looking at telemetry ingest, and we're also looking at the way we start to apply responses. Because like I said, let's say that something has been detected on an endpoint and there's CrowdStrike there. Hey, it's really great that you can say, I want to isolate that endpoint or apply a policy to that CrowdStrike endpoint, and we can do it through Cisco XDR.

David Robbins

executive
#16

Yes, absolutely. And even like some of the use cases I know we've looked at and talked to organizations about is how that needs to model across organizations where maybe it's not even possible to put endpoint security on some of these capabilities. I think for a big part of XDR has been a lot about you're building from the endpoint up. But if I've got an MRI machine running Windows NT, it's pretty hard to install endpoint security on that, or on an academic research platform. So having that flexibility to maybe take it from the EDR, apply it -- and then apply it maybe as a network security control, those are some of the core use cases I know that we've been talking a lot about. And so I want to then kind of drop into, well, how is the SOC team actually going to use this? So I know you've got an amazing experience in working in the SOC, how are organizations actually going to be able to apply this capability to address some of those key challenges they face in the region?

Natalie Timms

executive
#17

Yes. Good question, Dave. Can we have the slides advanced, please? Next one. There we go. Alrighty. So all right, we've heard -- the issues with working in the SOC. Number one, yes, the alert fatigue. And how do I prioritize things I need to go and look at? Now having your incidents, number one, based like we talked about with the MITRE ATT&CK helping us define the tactics and techniques that are going ahead in our network. What actually happens here. And you can see this is a screenshot that's actually taken from Cisco XDR. And one of the things that we're trying to achieve here is not just give you alerts and incidents, but actually giving you something here that, number one, has had things like threat intel applied to it. And by doing that, you'll see over on the right-hand side, there are some scores there. There's a risk score and there's an asset score. One of the key differentiators here is you want to make sure that the threats that pose the most risk to your organization from a security standpoint bubble up to the top of your prioritized list. And you also want to make sure that, as a customer, you know the value of your assets. Being able to assign a score to assets to help raise the priority of different incidents is also something that's going to help the SOC target specific things first. Now the other great thing here is there's a lot of analytics that's going on under the covers that are actually part of Cisco XDR, and it involves doing things like not only the threat framework mapping, but also being able to do automatic correlations. Because as a SOC analyst, particularly at Tier 1, your job #1, I get an alert, what do I have to do? I have to go triage it. I have to go and investigate as much as possible and try to bring in as much context that helps me validate that this is something that really needs to be looked at. 
And what we're doing is taking some of the burden then off those analysts in the triage stage and using analytics and correlation to do that for you. So when your incident pops up here and it's been prioritized, it's gone through the threat modeling process, it's gone through the risk scoring. And it's come up and actually said, "Hey, we've not only found a particular event, but where possible, we're building a complete alert chain that actually shows you when an attack may have begun all the way to where we've actually done the detection." So it takes a lot of that burden off your T1 analysts, and it then allows them to go and focus on things that are already verified. A lot of products out there, they will give you an alert, but then it's up to the analysts to do a lot of manual investigation and pivot off to screens and go and look at intel feeds. But here, we're trying to do the bulk of that for you so that takes the onus off the SOC folks. And the other piece of it, too, is one of the things we hear from customers is they don't have the staff to staff their SOC 24x7x365. There's folks that say, "Hey, we can have people on staff, but they're there during business hours." So what do I do if there's nobody there and one of these alerts triggers? Having a prescriptive response that is in tune with the detection. So we've seen these particular techniques used in the MITRE ATT&CK framework, these map to remediation steps which you can then build into your playbook to say, "Hey, if we see these things, let's go and let's at least isolate or contain an endpoint," for example. And you could do that out of hours and then have somebody come in and dig into that when they're available to do so. So it gives you that flexibility there. And again, it sort of helps you. It does a lot of that legwork for you. Automating and orchestrating playbooks means that time is saved and those things can actually happen in real time. 
So reducing that mean time to respond for the SOC personnel is really important, too.

David Robbins

executive
#18

Got it. Thank you. And I love the example that we gave at RSA. [ Can lead YouTube details ] back to what our worldwide leader on the engineering side around this idea of this augmented AIS SOC assistant that would go and do all of this for us. And I know that, that's coming and might even be here sooner than we think. But in the meantime, this is such an important capability, and I think, even then really, such an important capability to really prioritize what matters. So Natalie, I guess the next question is to -- we talked a little bit before around, well, once I've got an incident, what do I actually do about it? But now we're having a look at what the product really looks like, how it really operates. So maybe step us through what that looks like from an incident response standpoint. What am I going to see as an operator? How do I take action on that? Which I think is this next screenshot coming up. Awesome. Thank you.

Natalie Timms

executive
#19

Yes. Yes, the incident response piece, there's nothing worse than a product's told you, "Hey, I found this problem." And it gives you a bit of a spiel as to maybe how you go about and remediate. And maybe that remediation only targets that specific endpoint or that specific device that was, I guess, the target of the attack, but it's not going into enough detail to help you go back retrospectively and find out what all else went on. And being able to have here, as you can see on this screenshot, the incident response, is going to give you what we call a prescriptive response because it's a step-by-step mapping to each of the elements and each of the target areas and the techniques from MITRE and saying, "This is what you need to do." And it also then helps you define that response and save that for posterity so that if we see these types of things again, we have our playbook already created for those particular events. So I think that's definitely going to be really helpful for folks. The part of what's also available through the UI, both from, hey, we detected a threat, to responding, is a lot of great visualizations. So you can actually go and visualize the nodes that were involved in a particular attack. What are the relationships between them? We can actually see if there was lateral movement. So where our initial detection was, where all else has it gone? It's giving you a really good picture of how to actually visualize that. And one of the other things that it visualizes is the time frame of the attack as well because you might know that this thing happened at this particular time, but that was my alert. But then how far back do you need to go to find when this actually started? So we're able to go through because this, underlying the analytics here is a data lake where we're storing your telemetry for a period of time, and we're able to go back retrospectively and then start to build that time frame so we know exactly when the alert started. 
And that again gives you more information and more visibility onto what actually happened. So responding and giving you the full information is a key thing here. And I think just one other thing, too. We're talking about a solution that's cloud-based. And one of the great savings here is, as a SOC analyst or someone involved in maintaining platforms, hey, you don't have to do this here because things are hosted in the cloud. So scalability, performance, growing your data lake, these are all things that you don't have to worry about. And you also don't need to worry about patching systems. So folks with SIEM tools, where they're doing them in-house and they've had to procure equipment and make sure that those systems are patched and they have everything up to date in terms of their signature sets and the analytics, that's all taken care of here.

David Robbins

executive
#20

Yes. That's pretty remarkable, actually, how much data some of those systems need to pull together and process, and just the way -- I didn't realize quite how long some of these queries could take to execute on a more traditional system. So I love that we've now got the ability to react really quickly. And in fact, one of the things we've been doing in XDR capability for a while. Of course, we've had SecureX. And one of the things that's always been amazing about that is the way it would bring the casebook together. So I'm glad that we've built this brand new capability, this brand new architecture. Some of those things that organizations really loved about SecureX. So the ability to maybe do those prebuilt casebooks, being able to do the investigations behind the scene. We've carried that over, but then we've brought this new data-rich architecture, this new ability to respond, and this new user experience on the new product. So it's great that we've kind of brought the best of it over. That example of bringing the investigation across, I know of multiple examples of where that's saved SOC teams real time. Because instead of waiting to pick that ticket out of the queue and then I start my investigation, the moment I take that up, the moment I pick up my prioritized action, I already know that I've got all that information there and ready to go. That augmentation, if you like, has already been done to bring all that information together. And so Natalie, I think this is an interesting exploration so far. We might have organizations from our partners that we build solutions with on the call as well. So we've got the control center up, so maybe touch a bit on that. But then I'd love to hear your view on how you could use this from a service creation set. Is this a sort of thing you could build an offering around?

Natalie Timms

executive
#21

Yes. I think this is really a great opportunity for partners because they can obviously sell the solution, but it gives them that opportunity to, I guess, really add their own value-added services to all this. Because one of the things that I -- this is my feeling with XDR. I mean, these are great tools, but they're also almost like a garbage in, garbage out situation. Because if you haven't onboarded the solution properly, if you haven't identified your telemetry types and got your logging configured appropriately, so you're sending the right information into the telemetry ingest. If you are not tuning and working to eliminate false positives and set up exclusions and these types of things, then you're really not going to reap the full benefit of an XDR solution, and that's any vendor's product. So for partners, if they're able to offer things like onboarding services, tuning and optimization. Maybe some of them want to think about how they would actually assume some of the SOC capabilities, I think they have a great opportunity to do that with this product. It really does give them that flexibility. And yes, I think it's definitely something we're going to see partners want to utilize and build value-adds around it.

David Robbins

executive
#22

Yes. Got it. Makes sense. So I do like the way we've got that behavioral detection model. So I know we've got that level of false positives a lot lower. I think the latest data I saw was we're in about 93% of the time, the alerts that are coming through are being marked as positive, which is way better than it's been in the past. But again, you've got to get that data there, and we've still got that last 7% we want to act on as well and potentially build incident services and that sort of thing. So thank you, Natalie. I really appreciate you sharing that detail. It has been an awesome exploration. But I do want to swing back over to you, Tim, just to put this in an architectural framework for us. So I know you're working with security leaders on their road map, how they piece all these bits together. Where does and where should XDR fit in that sort of road map for organizations on the path to resiliency?

Timothy Snow

executive
#23

Yes, I think it's a key point. When we think about zero trust. We think about security resilience. I have a slide, if they can bring that up, that talks about some key pillars. And they are -- the first one is to establish trust and how we do that. And maybe it's something like verification of your user. MFA as a great example, or that second factor of authentication. Maybe it is a device posture checking. So how do we establish trust? And we know that trust is temporal. We may combine the user identity piece with the device, kind of merge those things in, take in risk. And from that, we can go to the next phase, if you could click forward, and that is establish a baseline of trust, then we can then enforce that trust. And the trust enforcement could be a particular access policy to the network. It may be access through a particular firewall to a set of applications. And depending upon what type of device I'm using or the risk that's associated with my profile, where I am geographically, my policy will change. And that is enforcing the kind of least-based policy based on the trust, right? So we don't want to have a wide open infrastructure. We want to provide the amount of access required for that user, for that device and based on the risk associated with them. And so if we click to the third one. If there are any changes to that, meaning, let's say we've noticed that the user's laptop has authenticated from one place and the phone is trying to authenticate from somewhere else, or maybe there's a signal from the endpoint. So Natalie mentioned a couple of EDR, endpoint detection and response systems, that may signal up something has changed. And being able to take those kind of things and consistently and continuously validate that trust. So it could be location, device posture, behavioral components. It could be indicators of compromise, again from the endpoint systems, vulnerability insights, whatever it happens to be. 
If some of those things change, it may go back and reflect a new access policy. And so that's really the last part, if the team could click forward, and that is responding to the change in trust. And so that fourth pillar that you see there is kind of putting the whole system together. So it's great to have great protections; detect if something gets through, the inevitable breach case; and then respond in kind or respond commensurate with the threat. If it's a single endpoint, maybe I'd take a certain action. Maybe it's automated as part of the system that was demonstrated. And I think that's a really simple way of looking at zero trust pillars, looking at a framework or a journey and saying, "Okay, do I have all the pieces in place to be able to have the kind of full life cycle of capabilities?"

David Robbins

executive
#24

Got it. Makes sense. And so -- and I've always thought about it in terms of, you've got the trust bit and you've got the threat bit, and it's really when you get those things integrated and working together and you've got that depth of protection there, you get to those really good security outcomes. And that needs an architecture where trust and threat works together. And I know that that's something you spend a lot of time on, is this reference architecture type model. So maybe talk us through that a little bit, Tim.

Timothy Snow

executive
#25

Yes. I mean, if we look at the pillars of, let's say, the CISA. They go from identity: who is my user? What is the device? The device pillar, which is the system that the user may be using, the posture and hygiene of that system. The networks, which can be your wired, your wireless, your VPN, your SD-anything, your multi-cloud, whatever the network infrastructure is. We have our applications, our secure workloads, and we also have the data that sits in those applications. And then kind of at the -- underneath those pillars is the visibility and analytics, and automation and orchestration, and governance. And so if you're -- the viewers are familiar with the CISA framework, we have built our security reference architecture to align with that. And so if you look at the left-hand side of the diagram there, you see user and device, and that is the identity and device. Within that, the capabilities, such as multifactor authentication, device hygiene, secure endpoints, secure connectivity. So that is aligned with the first two pillars. In the middle, right? Cisco has a pedigree of delivering market-leading capabilities around network and security platforms. So we've got a strong portfolio in the middle covering everything from the SASE component, both the security services edge, the SSE security stack, but also how we connect things like Meraki, Viptela, the SD-WAN products, up into the SASE cloud. Traditional or more traditional network security products like IPS and firewall and malware prevention devices and e-mail threat detection systems, cloud mailbox defense, all those security products that we have, and IT/OT. So there's a lot of goodness kind of in the middle there. On the right-hand side, we have the application security or the secure workload piece. And we've got a bunch of different offerings that are there, depending upon the customers' environment.
And it's all about securing the application, understanding dependencies, controlling access to those applications and looking for things that may happen. And it's all about protecting the data. Wrapped around all of that is the XDR solution that Natalie walked us through. That's powered by a bunch of different capabilities from those products, going up, but also down into the products. And I think Talos is a great example of a component of that, that goes kind of both ways, right? So we get telemetry from Talos, our centralized intelligence group, but they also push down into the products. So the things we learn from one betters telemetry and signals from another, right? So it could be a URL that we see in Umbrella that is now shared with the firewall. And so it also helps to stitch in different indicators across all of the different products. And so that's our reference architecture. If you look at the URL in the top corner, you can see the Cisco one, how that maps to industry standards. We also have some different documentation on that. And so when I speak to customers, specifically around zero trust, we often talk about this and how these different components fit in. And I think today's example of the new XDR launch really shows our breadth and depth in each pillar.

David Robbins

executive
#26

Got it. Makes sense. And I think we've had these components for so long, and in fact, they've talked to each other for a long time as well. But the maturing as an industry here is now we can deliver this, not as a bunch of components that talk to each other, but as a single system with a great user experience that people actually really love to use and engage with. And again, it's nothing without that threat research sort of capability, with identity and threat and having the right research to support the information around threats, and having that timely is such a critical capability. So Tim, I know a lot of the organizations -- and again, we've got the data for Asia Pacific. We know -- in fact, I think it's around about 90% of organizations are looking to increase the level of security investment that they have in order to address these challenges. And we know as well that, particularly in Asia Pacific, even as they're making those increased investments, organizations are really keen to make sure that they're getting the right return on investment from that, the genuine improvement in security outcomes, and also that they're able to operationalize it as well. It's no good just buying bits and pieces and gluing them together and then not being able to afford the operational nightmare it is to operate that. So what's your guidance to organizations as they look to up their security posture and investment? How do you make the most of that?

Timothy Snow

executive
#27

Yes. It's a really great question. I mean, we need to realize that the acquisition of a product or a technology is not just the initial -- what it costs on the initial PO to acquire the product. It's the TLC part of it, right? So we've got the product acquisition, the initial design, the installation, ongoing licenses, servicing of the platform, upgrades and maintenance. And the cost of the staff to maintain it, both for training and benefits, and it really gets quite expensive. And so when we look at the APJC Security Outcomes Report, that was one of the balances that we're doing. Like how do we look towards servicing new trends and moving on to maybe multi-cloud when we still have this legacy IT debt that we talked about? So we've got all these disparate systems that all require kind of TLC to keep them running and providing value to the organization. But we also want to acquire these new technologies, which then become burdensome to our budgets, right, because we're just sinking money into it. And then we also have the talent retention and acquisition, right? So we've got to service all these products. We've got to keep people trained in using them. We want to move to new generation stuff. And the market is really, really challenging in the IT space. So regardless of which country I go to, that's a common -- a feedback point from customers, is that we struggle to keep not only IT security, because we talked about the number of events, and it's always like -- there's always something happening, but also the exposure that they have and the possibilities that they have to maybe move abroad or to move to a different company for better benefits and salary, work from home, that sort of thing. So I think we need to look at the high level point of like what can we integrate? How can we make things better, easier, right? So collecting and Natalie summed it up great. 
It's collecting the information, bringing it into one place that I have a nice, simple view, that I can look at different nodes in my environment, see how things are coming together, take actions and allows me to respond quicker, maybe put out some of the base fires and focus on what's really, really important. And so I think that's -- it's a really, really good point. I'm looking forward to seeing some more information and some more demos on that.

David Robbins

executive
#28

Awesome. And you hit -- I think as you mentioned the word debt, like we talk about, pick up a newspaper or look at -- potentially more likely. And there's always a discussion around financial debt and interest rates, but I wonder if it might almost be a bigger problem in the world, which is the interest rate on technical debt and the implications for cybersecurity of that kind of higher interest rate that we're paying these days on that technology debt. So it's an interesting conversation. I'd love to dive deeper on it, but we probably don't have the time now. Thanks, Tim. Appreciate you sharing that. I think the reference architecture is such a good way of framing that in that model.

Timothy Snow

executive
#29

Thank you, David.

David Robbins

executive
#30

So as we wrap up, Natalie, I wanted to just drop back to you. You've got amazing experience in operating, security operations or SOCs. Sum it up for us. What does this mean? What are your final thoughts as we wrap out today?

Natalie Timms

executive
#31

Well, I've been involved with security at Cisco, look, I don't ever want to mention how many years as it's a little bit -- it's a bit shocking. But one of the things, I think, as a company, we're often underestimated in the security space. And I think here is a place where I'm really excited about this. It shows not only that we're definitely dedicated to this technology space, but we continue to be invested in security technologies, and we do have some really great products. I mean, I've seen them all. I was there right from the start with the first security-based acquisition at Cisco, and have seen how it's grown. So definitely, I think this is terrific. The user interface is great. And I think customers will be happy. I mean, there's a really good way for them to really, I guess, whet their appetite a little bit with this. We do have a self-guided demo available. And we'd love you -- we'll walk you through it, if you want, to have a look at what the capabilities are for Cisco XDR. And I think this also plays into the things that Tim was talking about with the whole security architecture. I mean, XDR is like throwing a security blanket over your security infrastructure and your network infrastructure. And it not only protects you from a security standpoint, but because you can do things like customize your asset risk and these types of things, it also helps you with your business objectives. How do you protect those key assets in the network? How do you assure your customers that you're securely handling their data transactions and their data storage? So these are really -- this is a really good tool to be able to do that. And it also, I think, forces you as a customer to understand your network and to do the legwork upfront, to do your asset discovery, to ensure that you have solid processes in place to be able to do your incident response, to be able to plan what detections are important to you.
So overall, you're focused on this full security mindset, which I really love. And if you're new to the security game, you're a little bit worried about what it takes to actually implement XDR, are you SOC-ready? We've got folks at Cisco on the Advanced Professional Services side that can actually review all of that with you. So we have you covered, and you're not alone in taking on these technologies.

David Robbins

executive
#32

Awesome. Thanks, Natalie. So as we wrap it up, how do we have a platform that helps you detect sooner, prioritize by impact, speed up the investigation as well and then act effectively on that response? That is what we're delivering with Cisco XDR. I hope you can hear we're excited about it. Natalie, you mentioned that step-through demo. For me, I'd step through another demo. That was really how it hit home for me, just how different this is to the other approaches that have been taken across the industry, how it truly brings it together, how the actions are really consolidated. So if you are interested, in fact, we don't even need to give you a fancy URL, just hit cisco.com, because right on the front page, we've got that big splash around the new security announcements from RSA Conference. So with that, thank you for joining us. Enjoy the rest of your day. We hope today was useful. And again, please don't hesitate to reach out if there's anything at all we can assist with. And stay secure. Thanks and bye for now.
