Cisco Systems, Inc. (CSCO) Earnings Call Transcript & Summary
August 1, 2023
Earnings Call Speaker Segments
Operator
Hello, everyone. I'm Monica Prokopova, facilitator for this webinar, and I'd like to welcome you all to this session. In a moment, I will hand the session over to a panelist, but before doing so, I have a few housekeeping notes to cover. [Operator Instructions] The session is being recorded, and the recording will be sent after the session. Please take a moment to fill in the survey, which will pop up at the end of the session. Your feedback is very important to us. So we ask -- this shows us how we did with the program. With that, let's get started. Gio, are you ready?
Gio Tan
Yes. Thanks for joining today. So today's session is actually on the topic of the story of an alert, and specifically about how XDR, a key component of the XDR strategy, and how you can really leverage it. So in a moment's time, you will hear a replay or rebroadcast of a webinar recording featuring Manasa Agaram, who is the Product Marketing Manager for XDR at Cisco, as well as Rob Gresham, who is a Principal Technical Marketing Engineer at Cisco. So the webinar has been recorded ahead of time to ensure a good webinar experience. But if you have any questions, do keep them coming through. We will take those questions in the Q&A tool, as Monica has mentioned, and welcome all questions to come in. So with that, over to you, Monica.
Operator
Yes, thank you.
Tony Morbin
Hello. My name is Tony Morbin, Executive News Editor, ISMG, and I'm your moderator for today's panel discussion: That Escalated Quickly, the Story of an Alert. Our subject matter experts today are Manasa Agaram, Product Marketing Manager, XDR, Cisco; and Rob Gresham, Principal Technical Marketing Engineer at Cisco. Alarms, cars, door sensors, alerts around your own home can drive you to frustration. So imagine how your SOC team feels with hundreds more alerts tailing. That's why effective alert prioritization is vital for any XDR solution and why Cisco takes a data-driven approach, helping SOC teams correlate and prioritize their alerts to better manage the riskiest threats impacting their organization. We're talking to Cisco experts to learn more about why this is such a key component of any effective XDR strategy. Before we begin, for those of you unfamiliar with Information Security Media Group, we're a global education and intelligence firm with 30-plus international media sites in vertical sectors such as BankInfoSecurity, GovInfoSecurity and HealthcareInfoSecurity, with more than 950,000 members registered to our sites. [Operator Instructions] And if you experience any technical issues while viewing today's webinar, please use the e-mail address on your screen. Also, I do need to emphasize that the content being presented in today's webinar is copyrighted material, and the event for today's session is for individual study purposes only. If you or your organization would like to use the information presented in today's session or are looking for customized training or education, please contact us. Our sponsor today, Cisco, is the worldwide leader in technology that powers the Internet. Cisco inspires new possibilities by reimagining your applications, securing your data, transforming your infrastructure and empowering your teams for a global and inclusive future. For more information, please visit www.cisco.com.
Now back to our subject matter experts. Manasa Agaram is a Product Marketing Manager for XDR at Cisco, a passionate product marketer. Manasa is responsible for go-to-market strategy, messaging, content creation and sales enablement for Cisco's XDR solution. Manasa has over 15 years of marketing experience, starting out in telecom and later moving to the security field, and has a Bachelor of Science from the University of Waterloo, where she made it insights and business. Manasa loves travel, good food and wine and has a newfound interest in gardening. Connect with Manasa on LinkedIn to chat to her about XDR, security or if you have any gardening pictures. As Principal Technical Marketing Engineer, threat detection and response for Cisco, Rob has over 20 years of experience in building cybersecurity teams with private and public entities. His experience includes several years of instructing on cyber threat intelligence, conducting incident responses for public and private entities, optimizing security operations designs, processes and defensive security architecture and design. Rob supports customers on innovating their security operations with automating investigation and response outcomes for e-mail, network, endpoint and malware analysis systems for XDR and SecureX products.
Tony Morbin
Welcome, Manasa, Rob. Okay. So let's jump straight into the discussion. What do we need to know about the reality of living in a hybrid multi-vendor, multi-vector world? Manasa?
Manasa Agaram
Yes, sure. So I think we can now simply say we're not going to go back to the days of every employee being in an office building all the time; people travel, people work from home. So that's one aspect that we now have to live with, this hybrid world of where we all work and run our business from. The other part is this multi-vector, multi-vendor ecosystem that we live in. So to effectively detect threats and to effectively protect, you have to look across all of the multiple telemetry sources that organizations have at their disposal. So it's not enough to just look at endpoint and use that as the end-all, be-all of threat detection. Looking at network and e-mail and the cloud is equally important because that tells you a lot more about what's happening in the organization. It helps you kind of put a whole picture together. And then, of course, we have this multi-vendor ecosystem. We know no organization out there has every single security tool from one vendor. We know network consolidation is becoming more and more of a priority for organizations. So being able to leverage that information and those security tools from multiple vendors is also very important for this kind of new ecosystem in this new world.
Tony Morbin
I'm just going to quickly follow up on that, but can you just talk about multi-vendor, and yet you're putting forward an integrated platform. So how does the integrated platform approach compare to having your favorite tool for a particular operation and hanging on to that? And the whole integration, if you do hang on to a favorite tool?
Manasa Agaram
Yes. So integration is very important. This idea that you can interoperate and integrate with other existing security tools, I think, is very, very powerful and something that's absolutely a necessity today. Kind of going back to that same point of you have existing tools in your infrastructure, you need to be able to leverage them. But bringing that into a common platform that can normalize all of that data, that can help provide that investigation and maybe those response capabilities is very important. So having that one tool that you can go in and you can use that you prefer and you like to do your investigations and stuff from is great to have, and just having that tool be able to integrate and operate with other third-party tools or native tools from that same vendor is definitely a necessity.
Rob Gresham
I would add to that because ultimately incident response is partly about intelligence in trying to do the capabilities that you have. And the more intelligence you have, the more prevention capabilities, a little more -- the more signals you have to know that something is bad. So having differing layers of tools, best-of-breed per se, right now, best-of-breed tools are hard to put together. You have to have [indiscernible] in a SIEM and you have to spend a long time to put them all together to get them working, and what Cisco is trying to accomplish is how can we have best-of-breed products integrated and simple for the customer to use, not just Cisco products, simple for a customer to use.
Tony Morbin
I mean, in addition to this complexity of our network and all the tools that we need to integrate, we're also getting increased complexity from the threat environment as well. What's the impact of the blurred lines between how nation states and the cybercriminals are now acting?
Manasa Agaram
Yes, that's a great question. So the tactics and techniques that we've seen in the past, more exclusively used for larger nation-state attacks, those tactics and techniques, unfortunately, are now being used much more commonly. They're being used every day by everyday attackers to impact smaller organizations, everyday businesses, businesses that you and I use every day. And so it's no longer the case, unfortunately, of not needing to worry about those types of very complex and large-scale attacks, because every organization has to try and protect against them because they're becoming so much more common.
Tony Morbin
So given that we're all facing these much more complex threats and, as you say, all of us -- it's not just the large organizations. How do we change detection and response to prepare for these challenges as they get even worse going forward? I'm thinking of things like ChatGPT and other AI. How do we prepare for these future challenges?
Manasa Agaram
Yes. So I think some of the first things we need to look at our unique solutions to be able to do is look for threats across the entire organization. So that kind of goes back to this multi-vendor, multi-vector type environment. So being able to really take a look at the telemetry data coming in from not just your endpoint, but also threats that are coming in from the e-mail and network and cloud and identity solutions, all of that is very important. But with all of that extra data and all of that extra telemetry, there just comes a whole lot of alerts that come in. So kind of that's the theme of today's talk, just this overwhelming number of alerts that we see. And we all live in smart homes to a certain extent. We have smart devices, smartphones, smart doorbells and whatnot. When that all works well, it's great. But when something goes wrong, sometimes it's really hard to pinpoint exactly what's happening, where that alert really is coming from or where that problem really exists. So if that gets overwhelming for just us and our homes, imagine what our SOC teams feel like. They have thousands of alerts that come in. And I think something like 10,000 alerts daily, which is just not tenable for any SOC team, regardless of how large they are, even if they run 24/7. It's just -- it's not enough to deal with. So being able to take all of that data, but then actively correlate it, effectively prioritize them in a way that makes sense for the SOC and makes sense for them to really understand what's happening, I think is very, very important, because then with that, you can then go on to investigate in a much more streamlined, effective way and then you can respond in a much more effective way.
Tony Morbin
Rob, anything to add there on preparing for the challenges of tomorrow?
Rob Gresham
Yes. Well, it goes back to the same problem with the actors, right? The actors are consolidating resources, Tullow one of the Rio, one of the other actors out there doing ransomware. Ransomware as a service is a combination of services, part Motec, part TrickBot, [ part Rag ] and they're combining their capabilities to actually attack customers in their space. Well, we're not consolidating our resources. There are no real true integrated companies.
Tony Morbin
So what is it that we do need to bring together? I mean, I know we're talking about the problems of complexity and yet we're also trying to get everything together into a single platform. So what are the components needed in a modern XDR?
Rob Gresham
So we need to be able to bring multiple data sources in: e-mail, network, endpoint data, cloud data, and pull all of this data together in order to provide a multi-vendor solution. This is a great concept, right, and then make it easy and usable for customers. The hard part is really not so much the data, it's understanding the data. The analyst time to actually ramp up to raw data, understand context of different rosin, relate them together and then bring them to a picture so that they could tell their manager, this thing is bad and we really need to do something. It takes time. It could take anywhere between 1 year and 6 months or 18 months to actually get that all together in one tool, but it also could take even more time to get an analyst up to speed, just come in fresh out of college. So what we tried to do is summarize the data in an attack graph and provide additional detail that's linked to the raw data so that the analyst gains trust in the information that's being presented. So they have attributes, behaviors and characteristics of the attack and they can trust in these components. In that way, when they look at the graph, they see it telling them something; when they look at the story of the indicators, they understand what the story is saying and they can act faster. Basically, ransomware, other than nation state, is the most prevailing attack in our industry today. And with that, you have less than 40 seconds or 40 minutes to actually have a decent response mechanism. And sometimes it's just 40 seconds, but it ranges so widely that you want to be able to respond and block those signals as soon as you can.
Tony Morbin
Okay. So maybe you could just walk us through exactly how an alert proceeds through a modern XDR, the whole way from initial identification to how you eventually respond, Rob?
Rob Gresham
So we need to be able to bring separate telemetry outsources or telemetry sources together into a delay to actually provide the signals that we need. And then we need to be able to create correlations of these alert days. Different tools have different detections, like you see on the screen. We have a network tool discovery of an IP scan. We have a command and control from a different DNS protection tool, or we have an execution alert from the endpoint. But the trick here, or not even the trick, it's actually just what the analyst does, is correlate these together. Now most of the time, this is done manually. There are a few tools out there that actually do this automated. But what's happening is that individual vendors, they prioritize their alerts first, right? And recently, from our recent Cisco Live event, we heard from our customers that they weren't taking all the signals in, that they weren't correlating. Now this is just further evidence for us that we're doing the right thing. That we're -- we need to take our competitors' information, our competitors' alerts and combine them with our existing telemetry to make their data more valuable. It gives the SOC the right context of the threat and where to do it. And this is where we think the XDR market is going with respect to how this XDR solution should provide capabilities for customers. It shouldn't just be honed in on one triggering alert. It should be a correlation of an attack pattern like you see here, and then added weights, being able to give certain weights to certain tactics in order to combine them into one common picture. When we look at the attack chain, we want to use the MITRE tactic relevance, meaning the tactic is the technique or the type of technique that a customer is using all over a period of time. And then we give that a priority score.
We make sure that all the data coming in from vendors and tools actually has the MITRE tactic and technique associated to it, so that we can then turn around and weight it appropriately, and things that are more impactful, like on the bottom where you see impact is 30%, but exfiltration, command and control, they are impactful. They do elicit that things are happening already. And combine those with alert sensitivity, how many, the volumetric of alerts or the sensitivity of the asset, and combine those together to actually create a risk-based and machine-oriented attack pattern. Just as you see from reconnaissance down to impact, the progression of an attack, we stitched those pieces together. And as we stitch those pieces together, you can see the relevance of the things that are happening in your environment. And with that stitching of it together, we can actually show the progression of its attack, just like the Wizard Spider incident. The Wizard Spider incident actually demonstrates a multi-host attack where you transition to the first asset. And then you move laterally in the environment to attack, progressing until you get to a valued asset, and from that valued asset, they perform ransomware on that and then hold that. Generally, when the attack investigation happens, you can only see one portion of the attack because different tools have different signals and you're bouncing between tools trying to coordinate these pieces together. Having a consolidated system that stitches the attack together, and then applies risk and value to those attack parameters based on what attacks are being used most prevalently in investigations and in incident response and in risk assessments, then we can actually understand how MITRE ATT&CK is relevant, but also we can provide value to how to numerically account for those risks in our environment, in addition to having a risk-based approach to looking at all these incidents.
We've combined anywhere between 10 to hundreds of incidents together to create one attack chain because the attacker on the network takes their time. They're low and slow. They're using tools that we know. They're using those tools, and we're looking for that one capability to actually trip a wire like, for example, Kerberoasting as a technique of the rayo -- ransomware. That provides a good trigger for us to know that bad things have happened from now, and then we just do like a detective. We spread out and understand that investigation.
Tony Morbin
So we're talking about the capabilities of a modern XDR. But what's unique about Cisco's approach to XDR?
Rob Gresham
So Cisco's approach to XDR is, first, it's a variation between the 3 different markets. Now this isn't to call out the market's confusion, but it's definitely XDR is on the Gartner Hype Cycle, where it's at the top of the hype. Everybody's got an XDR. It seems like we were kind of late to the game. But what we had coming a little bit later is clarity of thought. If Forrester says that EDR is essential, and Gartner says that threat detection and incident response is essential, that's essentially what we've brought together as a capability. So when you have the endpoint, the network, the e-mail, the cloud identity and firewall and you bring this in with your intelligence, your asset contexts, your user contexts and your MITRE TTPs and then real-world breach information, pulling all of this together is a monumental task for any organization, including Fortune 2000 organizations. But everybody deserves security. And at Cisco, what we really want to focus in on is being able to make this easy and simplistic for the incident responders to be able to integrate, and security professionals to integrate their products together, whether it's best-of-breed products or it's all Cisco products. Because believe it or not, Cisco has endpoint, network, e-mail, cloud identity and firewall data that we could provide in our own solutions. So we understand where the customers are coming from trying to do this, but we also understand in our environment that customers have different products in different telemetries. So we want to make sure that we can integrate the best-of-breed products and make that simple.
Tony Morbin
Manasa, anything you would like to add to that from your perspective?
Manasa Agaram
Yes. I think Rob did such a great job talking about that prioritization workflow because that really is something that is still important for any XDR solution. And we really have taken that to heart when we built Cisco XDR. But I think some of the other key points as well that we've already touched upon is that ability to effectively correlate this data together. Like, having an alert come in doesn't necessarily give you the causation of what's happening. So being able to correlate that together and be able to provide a more streamlined investigation for SOC analysts and incident responders is key. And another thing that I think is very important and doesn't really get talked about a lot is this idea of analysis paralysis, where we are just given so much information all at once that it becomes very difficult to sift through all of that data to make an informed decision. So having this approach of progressive disclosure, where you're given the information that you need to move on to the next step, helps really allow SOC analysts and incident responders to look at the information that's really important for them at that point to help them make an informed and effective decision to get them to the next step and then the next step. And I think that's a really effective way of going about the simplified investigation process. And then the last thing, which every XDR needs to do, there would be no XDR without the response capabilities. But having it -- having response capabilities that are integrated with all of your security control points. So whether it is native control points or whether it's a third-party control point, but being able to take those response actions on all of those, whether it's an endpoint security solution or a network or an e-mail, that's really important. And then being able to automate as much as possible because there is just too much to do. Wasting analyst time by having them do very repetitive tasks that can be automated.
It's just not a good use of anyone's time. So having those automation capabilities, having those guided response capabilities to really help in that automation process is very important. And that's why we've put a lot of work and effort into that aspect of XDR.
Rob Gresham
I have one more thing to add to that. AI is all the rage right now. You have ChatGPT, generative artificial intelligence. The idea and the focus of what this can provide us, right? There's definitely dangers -- the attackers, I can tell you, are going to use AI to their benefit to build better phishing e-mails in the language that you prefer. Gone are the days of the Nigerian prince who can't speak English correctly. Now he just needs to go get an OpenAI account, do the ChatGPT, ask for -- send it, create an e-mail with this kind of context and away they go. But why can't the responders use that same capability to build a report, to inform summaries to their leadership, to better make it easier and take things that take time? For example, you see all these objects on the screen here with identity, e-mail, cloud. These are all individual alerts. How do you take all of these data points and stitch those together? Well, you want to be able to use like a generative AI to actually take on all those data points, summarize them and give them -- be able to stitch that context and that summary data together to provide something for the analysts. Generative AI gives the incident responder a capability to build reports, after action reports, to see all the things that they've done and give a distinct time line without making it technical. They can summarize it. They can run it in a different voice. They can change it into different languages for different leaderships. I think we can use generative AI to a successful point for everybody, not only in our products but also in other products that Cisco has.
Tony Morbin
Good to hear the optimistic side of the use of AI. Now, when we're looking at our capabilities, what are the questions that the audience needs to ask about its abilities to detect and respond?
Rob Gresham
So when it comes to detection and response, XDR is generally a correlation tool. There are some unique detections that XDR can do. But the majority of XDR solutions are taking known alerts and then bringing them and stitching them together into valid alerts. So the detection capability is going to be really based on those point products, finding events and then bubbling them up. And then the attack chaining of those to bring that context to light, knowing the lateral movement has occurred, knowing that the beacons are happening in different hosts. Then the other side of this, for the response side, is actually integrating those simply. Manasa talked about the integration of response integration. Well, a lot of times when attackers have a response, they need to go to multiple tools to respond. Wouldn't it be easy if you just click one button and you said, block this domain, and they blocked it on all the available devices because it knew how to do that? Everybody wants automation to do the things for them and make it easier, but the problem is it takes work to do that. And in order to do that and for us to do that, we have to do that -- we have to slow down our integrations and do the right integrations first. And I think we focused on our initial 13 integrations in this space, and we'll treat them just like we do our own first-class products in our own environment. We'll treat those third-party partners as first-class citizens in our environment. And if they give us the access to the APIs that they have, then we'll use those same APIs to actually create a unique system that our customers can use that speeds up their time to detection and time to response.
Tony Morbin
Time to take a few questions from the audience. So first up, can you maybe dive a bit deeper into your prioritization process?
Rob Gresham
I know I popped this slide up earlier. It is a big word slide to keep your eyes busy while you're listening to me. And what we want you to understand in the attack chain is 2 things. This is not a representation of what Cisco is actually using. It is a representation to make it easy for this presentation. Presentation for MITRE ATT&CK relevance and the attack chain process is actually steeped in 2 things. It's steeped in machine learning coming from Kenna Security, that has an enormous amount of machine learning data about relevant attacks and basic tactics that attackers are using. We use that data in addition to the data combined in the alerts coming from the host. Now when we look at this particular piece, what we're trying to show you is that each MITRE tactic has a priority value coming from the customer products. Now we give that a numerical value. So that numerical value, as you can see above on the top in the yellow, we took a discovery event and that discovery event shows a single value of 10. But if we take that value combined with 3 events of 10 plus 3 events in the store. That -- this is a more manual way to kind of do what our machine learning does on the back end. It takes the threats based on the attack tactics, prioritizes them numerically starting from 10 to 100. And then from -- on the other side, and here you see 30. But then you take the other side and you calculate it up against the asset severity or the alert severity and the priority of the asset that we're actually looking at. So that alert sensitivity is the score against the actual asset itself.
Tony Morbin
Now, next question is, what tools do I need? And what skills do I need to implement XDR?
Manasa Agaram
So I think the tools are, you need an XDR platform. You need an XDR solution that can help you do those things. And kind of to an earlier question is, what should you look for, I guess, in that tool. So being able to correlate all of these different telemetry sources together, whether they're native, whether they're third party, but then being able to make sense of that telemetry is very important. And then being able to investigate that, so you can find the attack chain like Rob has taken us through, and then to effectively respond. So having that solution in itself, that product itself, is very important, but having all of that really insightful telemetry that you're bringing into the XDR solution too is equally as important because you need to get those alerts and that telemetry from somewhere. And then I guess, in terms of what are the skills that you need, SOC teams have many different levels of SOC analysts in your SOC organizations, from entry-level SOC teams to higher-level SOC analysts, but an XDR tool really should be able to help all of those SOC analysts just perform at a higher level. Help them kind of get rid of those repetitive tasks and help them to take on more proactive or more strategic types of SOC initiatives and SOC roles. So being able to have those skills is very important, and then having an XDR tool on top of that just helps to amplify those skills that your SOC team already has.
Tony Morbin
Okay. Your last answer has partially answered our final question here, which is, how can taking the XDR approach help us retain our valued SOC analysts? You've mentioned a bit there about enabling them to operate at a higher level, but just expand on that.
Manasa Agaram
Yes, for sure. So we know that there is a shortage of SOC analysts. I think I saw a recent stat that the need for SOC analysts is just vastly, vastly outpacing the number of available analysts that we have today. So we're able to help them work much more efficiently. And it's just -- it's so important for any organization to do. So having an XDR solution that can do that is important and help them be more efficient in a few different ways, right, helping them investigate things a little bit more clearly, effectively and rapidly. Helping them take those response actions. And when they're not sure of what response actions to take, being able to provide those guided responses, that remediation help is very important for them. And then like I mentioned before, just allowing them to offload some of those repetitive tasks, help automate all of those things that they don't need to be spending all of their time on, to help them focus on much more strategic things. Maybe they can spend a bit more time threat hunting or they can investigate certain IOCs that are coming up in the industry that they've seen in other places. That will all really help to not only just retain SOC analysts but really help them uplevel and be more effective.
Rob Gresham
Also, Manasa, they can actually work from any location. Like you can see, I'm not actually in the office, right? I'm out somewhere out and about in the world. And one of the biggest things is that we need to be able to make this capable -- this technology capable for everybody anywhere. The real focus is we -- from our team is we focus on the lean IT group, right? That lean IT only has 5 or 6 people working the whole security, IT infrastructure. What happens if somebody wants to go on vacation? And we sit -- attackers don't take vacation; actually they do. It's between July and August. We won't talk about that. The main thing is, we need to be able to provide capabilities for everybody anywhere. Customers need to protect themselves regardless of whether their people are in the office or not and that they can act from any place. It would be just as easy for me to be on vacation, Manasa calling me and going, "I have this critical thing. I need your help, Rob, can you get online really quick?" And up pops Starlink and off and away I go. Sorry, Elon, I've got to give you some credit for me being out in the wilderness. But being able to respond and do it from anywhere, being able to use a tool that allows me the maximum capability and the network to do so is what I think Cisco is really trying to grab.
Tony Morbin
Thank you, Manasa, Rob, for sharing your insights and expertise today. And thanks to our sponsor, Cisco. I also want to thank you for taking time out of your day to attend this session. And I trust today's discussion has provided some useful data points to enable your organization to address the escalation of alerts. We hope to see you again at one of our upcoming events for Information Security Media Group. I'm Tony Morbin.
Gio Tan
Thank you, everyone, for today's session. If you have any questions post event, do drop myself an e-mail, and we will be sharing a recording post event as well [indiscernible] as well. With that, I would like to wish everyone a good rest of the day ahead and hope to catch you soon on our next webinar. Thank you for your time.