Cisco Systems, Inc. (CSCO) Earnings Call Transcript & Summary

August 15, 2023


Earnings Call Speaker Segments

Operator

operator
#1

Hi, everyone. Thanks for joining us in this webinar today on Automate and Orchestrate Your Way to Simplified Security with XDR. Please note, your microphone has been automatically muted, but feel free to ask your questions in the Q&A panel throughout the session, and to view the Q&A panel, click the 3 dots on the lower right corner of your Webex window. At the end of the session, a survey will automatically pop up; please continue to complete the survey. We really appreciate your feedback. With that, we'll be ready, so let's get started. Gio, in a few seconds, it's all yours.

Gio Tan

executive
#2

Thank you. So hi, everyone. Welcome to today's webinar on Automate and Orchestrate Your Way to Simplified Security. We really appreciate you being with us today. So in a few moments, you will be seeing a playback of our webinar recording. The webinar recording has been recorded ahead of time to ensure a smooth, even experience for everyone. So please tune in and please keep your questions coming in. You will have experts on standby to help reply and respond to any of the questions. So today's webinar will feature Matt Vander Horst. He is a technical leader focused on Cisco SecureX and XDR. So over to you, Matt. If you could just play the recording.

Matt Vander Horst

executive
#3

Hello, everyone, and thank you for joining us for this webinar. Today's topic is automate and orchestrate your way to simplified security with Cisco XDR. My name is Matt Vander Horst, and I'm a technical leader in our technical marketing team for Cisco XDR. In today's session, we're going to start with an intro to XDR, so talk a little bit about what XDR is. We'll then talk about our implementation of it at Cisco and our vision for what XDR means. Then we'll talk about automation, and there's going to be a bunch of different topics here, things you can do with XDR to achieve automated outcomes, as well as how XDR uses different kinds of automation to achieve its outcomes. We'll do a demo. So we'll actually take a look at the product, walk through it and see some of these things in action. And then we'll do a conclusion, share some resources, answering you guys along your way. So to get started, we got to set the stage. So we now have hybrid multi-vendor, multi-vector environments, right? There are any number of emerging threats. Our environments are becoming hybrid and moving to the cloud. And of course, we have this tool and vendor fatigue where we have a lot of different tools in our environment, and of course, they are not all from a single vendor. There's kind of 4 pillars here of things that we're noticing: a, everyone's an insider. So 30% or more of incidents are involving stolen credentials or malicious insiders. And that's a pretty difficult thing to deal with. We also see that attacks start from anywhere. So 45% of breaches are occurring in the cloud now and 19% may be due to a compromise at a business partner. We definitely don't want hybrid cloud environments to see compromises in the cloud to lead back to infiltration to the internal and on-premises networks. Alert fatigue is worse than ever. So 37% of IT and SecOps pros are complaining about swelling alert volume. So obviously, as we have more tools, we have more noise.
And part of the thing that we want to address with XDR is sifting through that noise to find the stuff that really matters. And of course, as the infrastructure grows, as the cloud grows, as the number of applications grows, the attack surface is expanding, right? So 22% increase in the average cost of a data breach. So these breaches are getting bigger, the surface is getting bigger and they're getting more expensive. So to address the threats of tomorrow, we need to change how we look at detection and response today, and that's what we're trying to do with XDR. Obviously, the environment is constantly changing. The threats are constantly changing. We don't know what people will come up with tomorrow. We don't know what 0-day exploits there will be tomorrow. But if we change the way we look at detection and response today and we better prepare ourselves, hopefully, we'll be ready. So the promise of XDR involves the collection of telemetry from multiple security tools. So the goal here is to say, you've got all these different tools, generating logs and flows and alerts and all of that intelligence. XDR wants to bring that closer together, right? The point of extended detection and response, what XDR stands for, is to leverage detection across your portfolio and then leverage response capabilities across your portfolio. So by bringing all that telemetry, bringing all these things together, we then apply analytics. So we collect the data, we homogenize it, and then we analyze it to look for detection of maliciousness, right? We want to find the stuff in that pile of noise that matters. And then once we find those things, we want to respond and remediate. So it's not just about visibility, it's not just about here's a pile of data, it's also about the ability to respond and remediate and act on those detections of maliciousness. When we look at an advanced threat like ransomware, right, there's a pretty complex but typical series of events we see.
Employees get an e-mail. They go to a questionable website. Maybe a strange process shows up on their device. That process starts doing some lateral movement, right? There's a kind of typical progression we see. And this is a complex type of attack because there's a bunch of different tactics and techniques, right? And there's a bunch of different vendors. These different control points and these different security points, these are not all going to be tools from one vendor. As much as we would love, of course, for them to all be Cisco, we know that that is not realistic and not the case for a lot of customers. So we need a way to bring all of these things closer together and increase our detections across this entire attack surface, both in terms of all the tactics and techniques, and then, of course, in terms of all the different vendors involved. So we want to do that, and we want to do it with Cisco XDR. And what we're trying to do with Cisco XDR is, of course, bring all of the Cisco stuff closer together. But we're also trying to bring in third-party tools, third-party intelligence and all sorts of other resources as well. So this is not just about bringing all of your Cisco products closer together, it is also about bringing all of your products closer together, third-party and otherwise. So this is built on the Cisco Security platform. It's open and extensible. It is a modular framework. So you can actually build your own integrations, if you want. Obviously, we're going to build and have a bunch in our catalog that you can use out of the box, but you can build your own. The real big value of what we're trying to accomplish here is prioritization. So not just generating hundreds of incidents that you have to look at and sift through, but generating incidents that are meaningful and giving them to you in a way that you can prioritize and work through more effectively. Of course, a lot of this is powered by automation.
We're using automation to do the enrichment of incidents. We're allowing you to use automation to respond and do any number of other things within the platform. We're going to talk about those things. And then, of course, we're streamlining how investigations happen by bringing data together across your products and, of course, allowing you to respond across your products or streamlining the investigation process. And this product is designed for a multitude of audiences, right? It could be a SOC analyst. It could be a CISO wanting to get metrics and KPIs. It could be, of course, an incident responder looking at incidents and taking response actions. So a very flexible, very versatile product. We believe this is what an effective XDR looks like. So I've already touched on this. Telemetry and data in context from a wide portfolio of products is key. So bringing in your endpoint data, network data, e-mail, cloud, identity, firewall, any number of different security products, and in some cases, non-security-focused products, bringing all of that together and bringing that into Cisco XDR gives you a really great view into your environment. You can streamline your investigations with all that visibility. You can prioritize your alerts better by having context from different products that give you more granular information as to what's going on. And then, of course, the automated response actions allow you to take all these things to the next level. Now your investigations can move at machine speed, not human speed, which is, of course, a little slower. Our approach to XDR comes down to these 4 value pillars here. So first, we want to detect the most sophisticated threats. We talked about multi-vendor detection. We've got this hybrid cloud situation now where we have on-prem, off-prem things, right? We have a big attack surface and want to detect the things that are reeling their way through.
And we want to do that by leveraging all of that different telemetry and context from the different products. So by taking this big sea of noise and combining it in a more meaningful way, we can isolate the things that really matter and are of high importance. That, of course, then allows you to act on what truly matters faster. So by prioritizing the data, unifying the data, and giving you that data in a more meaningful way, you can act more quickly, which is, of course, hugely important for any security operations team. We want to elevate productivity. So by filtering out the noise, we reduce the time wasted doing that filtering. So we want you to be able to do more with the same resources that you have. And of course, automation is a key component of that. And then as you fine-tune your alerting and you fine-tune your environment and your products, you can build resilience. So you close the gaps in your security posture. You use intelligence that you're accumulating in the platform to make more informed decisions about the future, and you can ultimately be more prepared. These are the 5 business needs and 5 kind of outcomes that we've aligned XDR with. So detecting sooner, obviously really important here. We really want to reduce time to detect. And by having more visibility and more data in context from a wide portfolio of products, we can get not only more accurate detections, but quicker detections, right? You could have a small number of individual events from a bunch of different products that independently may not be significant. But when you combine all those things in XDR and we apply analytics to it, we apply machine learning and other things, we can say, hey, we may have seen some faint signals in 4 different products, but when we put those 4 faint signals together, they do matter, and there is something significant. So we want to be able to do that, detect sooner. Prioritizing by impact is key. 
This is a key part of our strategy to get the incidents that matter in front of you as quickly as possible. But we want to prioritize them by impact, right, which incidents are having the largest material impact to the business. So looking at the tactics and techniques that are involved and, of course, then looking at the assets that are involved and determining prioritization based on the value of those things. Now once we're raising these alerts, we're doing these detections, obviously, we want to bring down the time to investigate. So by giving you a quick and full view into an incident, including all the context, all the detections from the different products, we can reduce the amount of time it takes to do that investigation and come to a decision as to an action plan. And then once an action plan is decided, we want to accelerate your ability to execute. So how quickly can we respond and how confidently can we respond? And by responding using automation and other automated parts of the product, you can do these things quicker and more reliably. And then finally, all of these things rely on full visibility. So do we have full visibility into our assets? And we have some features in the product that not only bring together security intelligence, not only bring together events and alerting and all these other types of things that I've mentioned, but we can also bring together asset data. So looking at what assets are in your environment, whether they're registered in something like Microsoft Intune or a mobile device manager like MobileIron, right? We can bring in that visibility as well and combine that with your security posture information, right? Take the security information about an endpoint and combine that with its inventory and management information, which is pretty cool. All right. So let's focus now on automation. So before jumping into automation, I just want to share what the definition of an observable is.
This is a term that you may or may not see throughout different parts of Cisco XDR. But this is a term that you will definitely see if you intend to do any sort of automation or software development within our XDR product. So an observable is something you can observe. And it's kind of a silly definition, but that is ultimately what it is. It can be an IP address, a file hash, e-mail address, user and domain in hosting. There's probably 30, 40, 50 different types of observables that we support. But these are the little bits and pieces of things that you can see in the environment. So these are things that you'll observe, and it might be an IP address connecting to another machine, it might be an asset downloading a file hash from a host name or from a domain name. There's any number of ways these things will be combined. But these observables are what you'll see in your environment. And then, of course, we'll have relationships on how these things are interacting. But it's just important to understand this term before we talk about automation. The 3 pillars of automation that we're going to talk about within XDR are these, so playbooks, pivots and workflows. We're going to start with playbooks. So in our new incident manager, we have this new response tab. And the goal of a response tab is to give an analyst a guided 4-stage approach to working their way through an incident. So the stages include identification, containment, eradication and recovery. So we want to identify what's going on, contain whatever we can, eradicate those things from the environment, and then, of course, validate that eradication was successful. These playbook items are actually powered, some of them, by out-of-the-box XDR automation workflows. So even from within an incident, you'll have access to this playbook.
You can say, I want to contain some assets, click on select, and pick the assets you want, and that will actually run a workflow in XDR automation to do that for you, and we'll take a look at what that looks like. This is just a little more detail about those 4 stages. So some of these stages involve automation, some of them are still manual tasks that an analyst would need to complete. But the idea is to do a guided approach, so that there's consistency and that your analysts are following the standard process when they respond to an incident. The pivot menu is kind of an interesting and I think unique concept to us. The pivot menu allows you to pivot literally on an observable and contain action. So you could be any number of different places in the product. And let's say, in this example, we have an asset, we have an IP address here. And if you click on that little down arrow icon next to the observable, we get the pivot menu. And a pivot menu tells us, for this IP address, here are all the things that you can do. So even when you're in an investigation, in an incident, you still have the ability to dig deeper and you have the ability to actually take response actions, right, do something with that observable. So some of the things you can do: create a judgment. This goes in your private intelligence stores. So you can say, hey, I think this thing is naughty or nice, and we'll keep that data for later for future incidents. You can add it to a case, you can link out to another product. So in this example, we have Secure Network Analytics, and you can actually click a link to view a host report for this IP address, and we'll pivot you out to the other product and show you that report and you can take response actions either through an integrated product or by executing a response workflow in XDR automation. Now everything in XDR is integration based. So we're using these integrations to get context, to get enrichment, to get things into the product.
But we also have that conduit there to go back to the product and respond. So we can not only bring data in, but we can push response actions back. XDR automation is our no- to low-code drag-and-drop editor, so this is essentially a cloud-based workflow editor, and it is drag-and-drop. You don't actually have to write any code to use this. It powers the playbook feature I mentioned in the incident manager. So we have prewritten workflows that are built into the product and get triggered when you click those execute buttons in your response playbooks, and there's also prewritten workflows that you can download and import from Cisco. So we have almost 80 prewritten workflows, which are full use cases, right, end-to-end use cases for different security tasks. You can import these right from Cisco, configure them and use them. And of course, you can build your own. So you can come in here, you can build a workflow that does pretty much whatever you want. There's not really a lot of limits. So this is a very flexible part of the tool, not only for you to build your own security use cases and your own automation, but to leverage in other parts of the XDR product. Some of the typical outcomes we see with workflows here, first and foremost, investigation. So obviously, if you have a workflow doing an investigation for you, you're going to significantly reduce your time to investigate. So you can have a workflow go out and do proactive investigation for you. You can also automate response. Not everybody is quite daring enough to do this in the world because automating response can go 1 of 2 ways. But it is something that you can do, whether it's automated and the platform is doing it on its own, or whether you're using a workflow triggered by an analyst to go out and do something in an automated fashion. So there's a couple of ways of doing automated response.
But of course, this will significantly reduce the time it takes to take those actions, and it will enforce some amount of consistency on how those actions are taken. You can, of course, also automate the stuff you don't want to do. This is one of my personal favorites. There's lots of things that a lot of us probably don't want to do in our day jobs. We can automate a lot of that. So if you have data you need to collect, auditing you need to do, whatever the case is, you can build workflows to do things like that. And of course, we have products that may not integrate in ways that we want or we may find new and interesting ways to leverage data from different products and bring things together. Workflows can do that as well, right? We can bring products and services together in new ways and then leverage those new actions to address emerging threats. Just an example of an investigation. So, for example, a workflow could fetch IOCs from the Internet. This could be from a website, from a blog, any number of places. We can then scrape the blog, scrape the website for IOCs, and can extract those IOCs, and then we can use XDR to do an investigation. So the workflow can go back to XDR and say, hey, I've got this list of observables. Tell me what you know about them. And then that investigation is conducted using XDR, using your integrated products, and that investigation is always unique to you in your environment, right? Because it's using your integrations, your products. So we can fetch those things, do the investigation and then, of course, we can notify an analyst. So if XDR comes back and says, hey, I saw this malicious IP or I saw this malicious file, we can notify an analyst and say, hey, you might need to do something about this. And this is all happening at machine speed, right? We're not waiting for someone to do this investigation. It's just going to happen in a workflow.
Once we've identified maybe some things we want to take action against, we can do that with a workflow as well. So we can respond. We can say, okay, we've identified some malicious things that have been seen in our environment. Let's take an action, right? Let's block a machine, kick it off the network. Let's disable somebody's MFA, right? Let's block a domain. Whatever the case is, automation can not only do the investigation, but it can respond as well. And really, what's most powerful is when we put these things together, right? We can have 1 workflow that does all of this end to end. We can fetch the IOCs, we can investigate them. We can determine maybe what we want to take some actions upon, and we can actually take that response. And so all of this can be done in an automated fashion from a workflow. One thing I want to touch on because this is a really cool new feature that's coming with Cisco XDR is automation rules. So you can have a workflow run for any number of different reasons. And some of them are very simple like just having a workflow run on a schedule, right? Maybe the workflow runs every 10 minutes, every hour, once a week, whatever the case is. That's probably the most simple use case. But we also have rules that will allow you to trigger a workflow when things like an approval task is acted on. So maybe there's an approval task in a queue, an agent clicks approve, that can actually have a workflow triggered or run behind it. We can also have workflows run when an e-mail comes into an inbox. So let's say, you have an inbox that's maybe where spam reports or phishing e-mail reports go. You can have a workflow triggered when an e-mail comes into that mailbox, and you can have the workflow pick up that e-mail and conduct an investigation automatically. Perhaps my favorite, the incident automation rule, this allows you to run a workflow when an incident is created. So whenever a new incident is created in XDR, you can trigger a workflow.
Now you can filter this and say, okay, only if it's from a certain source or only if there's a certain severity, right? You can customize all of this. But it's a really neat way to say, okay, I've got an incident. I want to do an immediate automated investigation with the workflow. You can do that with an incident rule. And then finally, the webhook rule, and this allows you to trigger workflows from other products. So maybe you have a bot sitting in a Webex Teams space. Well, you can send that bot a message or tag it, and that can actually trigger a webhook just as an example for a workflow to run. So a lot of versatility, a lot of different things you can do with these workflows. And I also want to mention that APIs are core to XDR. So the entire product has a rich suite of APIs behind it. These APIs allow you to do most of, if not all, the same things you can do through the user interface itself. So creating and managing incidents, creating and managing intelligence, inspecting content for observables, extracting observables from text, performing investigations and then communicating with your integrated products and triggering those response actions. And on the right hand side is just a quick little snippet of Postman showing an example of extracting observables from a block of text. So XDR APIs are a really powerful way that you can take the platform even further. Obviously, you can use the user interface, go in there, do an investigation, whatever it is you want. But you might have existing tools or existing processes and other products where you want to bring intelligence out, where you want to be able to push a workflow in, right? There's any number of different ways you can do this and APIs allow you to really extend what the product can do. Just another example, what can we do with these APIs? We can inspect, right, extract some observables from a body of text. We can deliberate on those observables and say, are they clean or known malicious or suspicious.
We can observe them. So we can ask XDR, have these things been seen, right? So maybe we have extracted some IP addresses, a few of them came back as malicious. So we can ask XDR using an API, have any of the integrated products seen this malicious thing in the environment. And then of course, if the answer is yes, maybe we say, oh, we found an endpoint that communicated with this malicious IP. Well, maybe we have an automated action that goes out and isolates that machine, right? And we can do that using XDR APIs. All right. So best way to show all of this is, of course, to demo the product itself. So this is Cisco XDR. This is our new control center, which is a dashboard. This allows you to customize visibility across a bunch of different products. So you can not only have 1 product represented here, you can have multiple. So you could have 1 dashboard with 10 products in it, if you want. So it's a very flexible part of the product here. Let's take a quick look at the incident manager. So this is our new incident manager. And obviously, as I mentioned, automation is a component of how this works. So we've got our list of incidents. You'll notice that they have priority scores here. And those priority scores are a combination of the detection risk, so those tactics and techniques and how risky is this activity, combined with the value of any of the assets that are found in that incident. So a really nice clean way to see your list of incidents is to see them ranked by priority and decide on what you want to act on. Now once you pull up an incident itself, you'll get this nice attack graph view. So we have kind of a visual representation of those observables and how they interacted with each other. And then down here, we have assets and observables, and this is where we can see our pivot menu. So if we look at our pivot menu, this is a demo environment, so there might be some goofy stuff in here. But this is what the pivot menu looks like.
And so these first couple of options here are referral links. So those will kind of bounce us out to another product. And at the end, we have our XDR automation. So this machine here, maybe we've decided it's naughty. We want to move it to a triage group. We can click on that. And that's actually going to run a workflow in XDR automation to take that action. And these are completely customizable. You can write your own workflows, and you can crash them in a way that they will show up in this pivot menu, so you can customize how you investigate and respond. Now in the incident manager itself, we do have the new response playbook here. These are the 4 phases of incident response that I mentioned, so identify, contain, eradicate, recover. And if we look at the contain step, we've got a few different options. Let's take a look at assets. And if we say, okay, let's run this, it's going to give us a list of assets to choose from. So these actions here are kind of contextually sensitive to the type of observable that we want to act on, in this case, assets. So we can say, all right, well, we've got a couple of EC2 devices. Maybe we're suspicious that something strange is going on there. So we're going to contain them. We're going to isolate them from the network. And then we can pick those assets and say, let's contain them and that action is going to execute in the background. And that workflow is going to run in XDR automation. If we take a look at our work log, we can see, right, that that action was triggered by me and that the action was successful. So not only are we triggering these things in the background and letting automation do the work, we do, of course, have an audit log of what's been happening there. We can take a look at XDR automation itself. So this is XDR automation. These are the list of workflows that we have in this environment. There's a whole pile of stuff in here. But we can actually take a look at that contain incident assets workflow.
So this is the workflow that would have run when I clicked on those assets and clicked on the execute button. And you can see, right, step by step, we're going to go through and do a bunch of different things. And this is that drag-and-drop workflow editor. So we're going to go to secure endpoint, Cisco Secure Endpoint, and try to find endpoints. And if they're there, we'll isolate them. We're going to go to SentinelOne, do the same thing, right? Look for those endpoints, if we find them, disconnect them from the network, and same on CrowdStrike. So these workflows are also vendor agnostic, right? This particular workflow for containing assets actually supports 3 different EDR vendors as of right now. And of course, will be expanded to include more in the future. So these workflows are a really cool and powerful way to do any number of things. And as I mentioned, they power a bunch of different parts of the product, right? They power that ability to go in an incident and run a response playbook and automate parts of how you're investigating and responding. They allow you to go in that pivot menu and say, okay, I want to take an action on this observable, right? The workflows can do that. And then, of course, you can build workflows for whatever you want. So we have a workflow here for Talos that will actually scrape the Talos blog and conduct an automated investigation. And so if you look at this, it's doing a lot of the same things a person would do in the tool, right? We're going to inspect the content for observables, going to deliberate on them and determine is it malicious, suspicious, clean or unknown. And then for the things that we think are a little suspicious, we're going to enrich them, right? We're going to go out to XDR and say, hey, talk to all of the integrated products and find out what they know, and then we'll continue our investigation and so on. And the result of this workflow is you can run this once a day, once an hour, whatever you want.
It will actually scrape the Talos blog. It will inspect the content, do an investigation and create a casebook and say, I did an investigation and this is what I found. And all of this end-to-end is automated. All right. So to summarize, we believe an XDR solution should confidently tackle the most pressing security operations challenges. And there's 3 really important things here: simplicity, visibility and efficiency. Simplicity is critical, and we want our customers to be able to integrate their technologies with turnkey interoperability. We don't want it to be an onerous, difficult process to integrate your products and leverage all of the context and visibility and all the different things that those products have. And the goal of Cisco XDR is to enable that simplicity. Obviously, we want to reduce time to detect, time to investigate, time to respond, all of these things. And by giving you that centralized visibility, centralized ability to respond and do all of these different things, we can accomplish this task here and give you visibility across your portfolio of products. Then of course, efficiency. All these things we've talked about in terms of automation enable efficiency and enable your team to do more with less and to do things more quickly. We also want to quickly position teams to achieve XDR milestones incrementally. Having a successful EDR that's fully configured, fully operational, fully automated, whatever, all these goals, right, it doesn't happen overnight. So we want to help you integrate your products and bring them together, unify things, right, unify your ecosystem of products. We want to have better prioritized detections, we want to allow you to build really useful, meaningful automation to address how you investigate and respond, and then you evolve from there, right? This optimization at the end is a continuous process.
This whole thing is a continuous process, determining which products to integrate, how to best leverage them, how to automate around them, and then, of course, how to fine-tune and move forward. All of these things are iterative. If you would like to learn more, and hopefully you do, you can go to cisco.com/go/xdr, and that will be the XDR homepage, where you can see any number of different resources about the product, its capabilities, and more. So please check out that page if you're interested. And with that, I will thank you for joining me. Again, my name is Matt Vander Horst. I'm a technical and marketing engineer for Cisco XDR, and I thank you for your time.

Operator

operator
#4

So we'd like to thank you all for attending this webinar. We hope you found it informative. And as a reminder, please take a moment to complete the confidential survey that has been posted in the chat panel, and it will also pop up in your browser as you exit. Also, the link to this recording will be e-mailed to you in the next couple of days. So thank you for joining, and have a great day.
