Cisco Systems, Inc. (CSCO) Earnings Call Transcript & Summary

Hello, everyone. I'm Monika Prokopová, facilitator for this webinar. And I'd like to welcome you all to this session. In a moment, I will turn the [ discussion ] on. But before doing so, I have a few housekeeping that we should cover. Should you have questions throughout the session, please ask them in the chat panel. And our panelist, [ Ian Stockdale ], is here to reply as quickly as possible. With that [Audio Gap].

All right. Hello, everyone, and thanks a lot for joining us today. My name is Tom Baumgartner, and I'm from the Cisco Secure Product Marketing team. My partner today is Chris Bilodeau from our Technical Marketing Engineering team. We hope you consider this webinar a good use of your time. So let's get right to it. Pretty simple agenda here, just to set some expectations at the start, I will do an overview of what generative AI is. I make no assumptions here about what people attending today know or don't know about it. I'll highlight some of the pros and the cons of using generative AI, and I'll share some real-life examples. Then, I'll focus on ChatGPT specifically and use cases for ChatGPT that Cisco Umbrella handles. I'll hand things over to Chris at that point, and he can give all of us a really great product demo. And then we'll close with a few pointers to some next steps that you can pursue after the webinar. Just a heads up, I would recommend being ready to take some screenshots at that point so that you can easily grab the URLs that I'll be sharing on the screen. So a family member said to me recently, "I don't really understand what generative AI is. Do you?" And I thought about it, and I was like, well, I didn't really have an answer other than, "Yes, pretty much." But for this particular person, that wasn't a very helpful answer. So I thought to myself, "Can I really explain it well enough to legitimately answer the question?" And when I realized that I couldn't, I decided to change that. So here, for anybody else who might not want to ask the question out loud but might be thinking about it and keeping it to themselves, let's answer it, at least in the context of this webinar. First, at a high level, an artificial intelligence system takes natural language input prompts from someone like any of us here today, and it generates the kind of output that you can see here in response to it. The processing of these prompts is known as prompt engineering, which uses what's called prompt learning to generate tasks that converts the tasks to prompt-based data sets, and it trains a large language model to produce those outputs. It was OpenAI in 2019 that created the open-source large language model called generative pretrained transformer or GPT for short. Okay. Now raise your hand, even if I can't see it, if you knew that GPT stood for generative pretrained transformer before now. Come on, be honest. All right. And thank goodness for 3-letter acronyms, right? Models like this are what take that input data like the text, the images, the other media to generate the outputs, outputs like a college essay, software source code maybe, possibly a marketing plan, basically things that make life easier for us human beings and sometimes make us seem really clever and smart. They all fall into the category of machine learning. And today, OpenAI's ChatGPT, it's variant Bing Chat, which is a chat bot that was also built by OpenAI, and Google Bard are a few of the most used generative AI systems. Now there are lots of pros and cons to using generative AI. Let's look first at some examples of the pros. Rapid content creation ranks among the more obvious advantages of generative AI. The ability to generate content quickly, such as marketing newsletters and blogs, provides tangible and useful value. In fact, Gartner expects that 30% of large organizations' outbound marketing messages will be synthetically generated by 2025, which is up from only 2% in 2022. From a customer experience perspective, organizations can benefit from employing chat bots that offer more human-like responses to customer inquiries, and those responses can have greater depth due to the scale of the underlying language models. These chat bots can perform in self-service modes for routine customer inquiries, or they can assist agents in providing better human-to-human service. Organizations with a strong client services facilitation focus, such as consulting firms, can use generative AI to run research data on a given subject through a model to identify high-level business patterns that inform business strategy creation for their clients. Generative AI can also help organizations boost personalization by using machine learning algorithms to analyze the customer's purchasing history and their online behavior to improve product recommendations or to generate custom content. Meanwhile, salespeople and marketers can use it to create more personalized presentations and campaigns. Another pro is the variety of efficiency gains that organizations can achieve. For example, machine learning models can suggest application code to increase developer productivity, or a software vendor's deal desk could use generative AI to streamline the complex process of co-terming contracts by gathering data on a customer's different licensing models that might be scattered across business units and then efficiently combining multiple contracts for products or services into a single vehicle. The use of generative AI-led enterprise search and knowledge management systems can help unlock information in some kinds of organizations like health care, financial services and legal firms, where the exchange of knowledge is often bogged down by the absence of proper tools and processes. And the last pro to mention, at least in this slide, is the development of new products and the acceleration of design cycles. This can be especially the case within industries where research and development processes can take several years, such as in pharmaceuticals, where it can sometimes take more than a decade to develop, test, develop more, test more and ultimately launch a new product. But there are cons, too. The quality of content generated by generative AI can vary widely, depending on the quality of the data that's used to train the model. The content may be low quality or even nonsensical. Generative AI can perpetuate biases that exist in the data that's used to train it. For example, a generative AI trained on a biased data set may generate content that is discriminatory or offensive. From an ethical standpoint, generative AI can be used to create content that can be used to spread misinformation or to deceive people. It can also create content that may infringe on intellectual property rights, such as copyrights or trademarks. This is generally not on purpose, though. It's probably a result of the quality and detail of the input and the tool not knowing any better about the kind of output to deliver. Also, while generative AI can create content quickly and efficiently, it does lack the human touch that can make content truly unique and memorable. Lastly, but again, only last for the purposes of this slide, is the possibility of sensitive data leakage. Perhaps it's software source code or some other kind of confidential organizational data that employees most likely inadvertently put into a generative AI tool with good intentions but without realizing the risk of its vulnerability there if it gets into the wrong hands. This is one of the most common cons of generative AI tools that we see in the news headlines of today. This article from Forbes covers how business leaders can leverage ChatGPT to enhance their business but by doing it in the right way following 4 ethical principles: do no harm, which also includes preventing harm; make things better, be fair and care and respect others, which includes telling the truth, protecting confidentiality and keeping promises. This blog post from Salesforce covers three ways that generative AI will reshape customer service for the better, including improved personalization, faster case resolution and a more positive customer experience, all similar pros to what I mentioned just a moment ago. On the other hand, in spite of good intentions, workers at Samsung caused one of the better known negative news stories just this past April when they inadvertently leaked private company information via ChatGPT, which led Samsung to temporarily banning employee use of generative AI tools on not just company-owned devices but also on noncompany-owned devices that are running on internal networks. And an even more recent but somewhat similar example is this story about how cyber attackers figured out a way to use the code generation capabilities of ChatGPT to spread malicious packages in developers' environments. But the Samsung example is good reason for information security officers everywhere to scrutinize the risks of similar data leakage events happening in their organizations. As their organizations try to leverage AI to increase efficiency and stay on the bleeding edge of innovation, they must ask themselves, "How do I allow my employees to use generative AI tools like ChatGPT to be more productive while I ensure that they don't accidentally put sensitive enterprise or customer data into the wrong hands?" Cisco Umbrella can help. With threat intelligence from Cisco [ Talos ] and a single management interface, Umbrella is a robust, cloud-native and cloud-delivered solution that integrates DNS-layer security, secure web gateway for full web proxy, outbound firewall, remote browser isolation and a cloud access security broker that includes malware detection, data loss prevention and advanced application discovery and control functionality. It is often said that the first purpose of a cloud access security broker is to enable visibility of shadow IT activity so that security admins could be -- can better understand which cloud applications its organizations users are accessing or just simply trying to access. This is the first use case for ChatGPT risk mitigation that Cisco Umbrella addresses. Umbrella includes ChatGPT in its application database for discovery purposes, and it designates it as a high-risk application because of how easily corporate intellectual property and other sensitive information can be leaked through it. An admin can see who is using it or again, trying to use it, how frequently it's happening and where. Assessing ChatGPT risk is going to be unique to every organization because it's largely based on that organization's risk appetite or its risk policies and therefore, what the ChatGPT users are trying to do with it. Some organizations are more risk averse than others, so their risk assessment will be different from an organization that is more risk tolerant. And we'll go further into this topic in the coming few minutes. Besides ChatGPT usage being discoverable with an Umbrella, it's also controllable, thanks in part to a new AI control category. And it can be blocked through both Umbrella's DNS-layer security policy and its secure web gateway policy. Heavily regulated and risk-averse organizations that often have numerous compliance requirements, will find this capability particularly helpful, as will many software companies that need safeguards in place to protect source code. Finally, being able to ensure safe ChatGPT usage and, more importantly and specifically, determining for what purposes to allow it can increase employee productivity without sacrificing data security. Umbrella's data loss prevention functionality provides this clarity to help thoughtfully mitigate ChatGPT risk. There's no question that generative AI tools prevalence will increase over time, accompanied by constant scrutiny of the risks and the rewards of leveraging them. By having correctly configured data loss prevention rules in Umbrella, information security officers and administrators alike can enjoy peace of mind knowing that ChatGPT usage is happening in such a way that the risk of confidential company information being leaked is effectively mitigated. Now let's look at each of these use cases in just a bit more detail before we get to the demo. The first is discovering ChatGPT usage. Again, this is usually considered the main use case for a CASB, which is basically unraveling shadow IT. Umbrella allows customers to discover where ChatGPT is being used and how it's being used in the organization, and it shows up in the application recovery -- or excuse me, application discovery report, as you see here. By the way, in the demo that Chris will give us in a couple of minutes, this screenshot and the several screenshots that follow it will make much better sense. As I mentioned a couple of moments ago, Umbrella designates ChatGPT as a high-risk application from a business risk perspective. You can see that, that risk is indicated here with the orange-ish, red-ish box in the upper left, as well as about halfway down, and you can see that some of the business risk factors are listed there in the middle. And if we drill down, we can see that because it's corporate usage and because we might be exposing unstructured data, we might be exposing legal documents, maybe source code or other kinds of intellectual property or sensitive company information. And that's why it rates high on the risk scale. And beyond just discovering that there's usage of ChatGPT in the organization, an admin can also drill down and see who is using it, understand who the user groups are, what is their level of usage and what is it that they are trying to do with it, things like that. So then the second use case, again, is all about assessing whether what the users are doing or trying to do with ChatGPT, aligns with the organization's risk appetite or risk policies. Having a data loss prevention monitor rule for all destinations as its monitoring criteria enables security admins to do this. The screenshot here gives you an idea for how you can set this up in Umbrella. An existing rule in Umbrella will automatically recognize ChatGPT without need for reconfiguration, but admins can also create a very specific new rule, comprised of the most concerning types of data classifications to help them better identify events, the volume of usage and more detail about that usage. A report like this one here gives these details. And you can see that advanced filtering is available, including for application, and this is where we've filtered by OpenAI ChatGPT about midway down on the left. And at the bottom left, you can create a rule specific to ChatGPT also, if you want. This visibility of usage, combined with a good understanding of ChatGPT risk as it relates to risk appetite, can help inform any changes that need to be made to an organization's data loss prevention policy. And one of those changes might be to block ChatGPT usage. Many existing customers and potential customers are telling us lately that at least for the time being, they want to just completely restrict all ChatGPT usage. They say typically that they still haven't decided or figured out how to use it safely. So they just want to block it completely until they're more educated about it and can make better informed decisions. With Umbrella, ChatGPT usage is not just discoverable but also controllable. And you can see on the right that you can block it through DNS policy or secure web gateway policy. And in the demo that Chris is going to give us shortly, you'll see how Umbrella's additional data loss prevention capabilities offer even more protection. This capability is a really good fit for the organizations that have a low risk appetite. Perhaps they have lots of regulations to abide by. And so the uncertainties around ChatGPT make -- using it feel too risky for them or the tech companies -- I'm sorry, software companies that are developing code, debugging code, getting snippets for various needs during the development process, who decided to take a very low risk approach, and they just want to completely block it. On the other hand, many organizations do appreciate the higher productivity that can come from employees leveraging generative AI tools like ChatGPT, but they want to make sure that they allow it only in a safe, low-risk manner and within policy. This is how the large majority of organizations are going to approach generative AI usage over time. The productivity and efficiency advantages are undeniable. And as the prevalence of them of using these tools increases, not using them or blocking them completely will put organizations at a disadvantage. The majority of organizations that do use ChatGPT and other AI tools will just need to figure out how to do it safely without exposing the kinds of data that [ both ] adhere to parties that aren't supposed to have it. Think of Samsung as an example. Umbrella with its DNS-layer security, its secure web gateway, its application visibility and control capability and its data loss prevention policies is what allows them to do this. Okay. So enough talk and enough pictures. Let's get to the demo already. And for that, I'll hand things over to you, Chris.

Awesome. Thank you so much, Tom. We're going to switch over to my screen here. And thank you all so much for hanging out with us today. I'm really excited to spend the next 15 or 20 minutes really kind of just digging into those use cases and what they actually look like. Okay. So everything we're going to look at here today is live, right? I don't have a private version of ChatGPT running in my basement. So it's always going to be fun to see what kind of responses we get. And as we mentioned earlier, we don't want to make an assumption about where everyone is with their knowledge and experience. Some of you may be just rock stars and experts and are using ChatGPT every day. And some of you, this is the first time you've really kind of taken a breath and looked into what it is. So here, I am logged into my ChatGPT account. And I just want to kind of give some examples of what it's like to interact with ChatGPT. So to start off with something simple, right, let's ask ChatGPT to tell us a computer joke. Why do programmers prefer dark mode? Because light attracts bugs, all right. That's pretty good. I actually like that. Probably not the best use of a cutting-edge generative AI model. So let's try and to do something maybe a little more realistic, right? Let's ask if we can generate a social media post for a webinar titled, AI Risk versus Reward, The [ CISCO ] Dilemma. If that name sounds familiar, just double check the registration for this webinar later. But we can see as it's going through, it's writing out a nice social media post for us, giving us options where we can plug in the date and time, the location, right? And so this is really kind of cool and awesome because coming up with the first draft of any piece of content is the most difficult. It's a lot easier to edit something after you have something to work with. And so this gives us a really nice, quick, easy way to get to that first draft so we can then edit it, make it more specific and really reduce the time that it takes us to generate this content. One of the other big use cases that Tom mentioned, of course, was on the programming side. So here let's ask ChatGPT to generate a Python function to convert from 12-hour to 24-hour time. We can see that it goes through programming much faster than I ever can, shows us how to use it, and it also gives us a couple of examples. So this is really kind of really cool and exciting that we can see how fast and easy we can use something like ChatGPT to increase our productivity. In fact, the Samsung example that Tom talked about, one of the ways that the leak happened is that somebody uploaded meeting information to -- a recording of a meeting and asked for a summary, right? So "Hey, here's some meeting notes. Can you summarize this so I can send it up to my boss?" And of course, in those meeting notes were sensitive information. And I was considering using an example like that here. And then I was like, "Oh, man, then I'm going to have to generate some fake meeting notes, and that's going to be a lot of work." And then I was like, "Or I could just ask ChatGPT to." And surprisingly, that worked incredibly well. I just said, "Hey, create meeting notes for a fictitious meeting." And it spit a whole lot out at me. So it's really kind of cool. So that's just to give kind of a quick overview of what it actually looks like to interact with ChatGPT. And maybe after seeing that, you're kind of in that use case of like, "Okay, that's great. That's awesome. It's also terrifying, right?" I think there are so many ways that this could be misused, intentionally or unintentionally that for right now, I just -- I really want to block it, right? And so here, I've got set up a little lab for us. We've got our Umbrella dashboard, and then I've got 2 workstations that we're going to use to emulate client computers. And inside our Umbrella dashboard here, we can go over to our policies and into our DNS policies. And so obviously, we love DNS here at Umbrella because we can just do so much at the DNS layer. And if we can do it at the DNS, then we don't have to go up into any of those higher, advanced security controls. Obviously, we have them, and we're going to take a look at them. But for just blocking an application, doing it at DNS makes a lot of sense. And it makes it really easy to do it whether the user is on site at headquarters, at a branch site or even remote. And so here in our policy, we can see that we've created a no-AI-for-workstation-1 policy. And if I look in my identities, I can see that I've just selected workstation 1. And then under my application settings, I have this generative AI. And this is using that category that Tom mentioned. You can see that it's one of many categories that we have. So inside Umbrella, when we talk about application discovery, we can actually discover over 20,000 different cloud applications that your users are using. And of course, we're constantly adding to that like with the generative AI. And if we see under our category here, right, it's not just ChatGPT but a large number of other generative AI platforms as well. And we can see that we've set those all to block by checking that box. And that's really all there is to trading the policy. Now, I know we haven't gone through the deployment of how you redirect your DNS traffic or all of your traffic to Umbrella. We do have other webinars that cover that. Today, we wanted to really stay focused on how we configure those security policies around AI. But with that, so if we go over to our workstation 1 and open up our browser, right, we can see if we do an Umbrella test that we are using Umbrella. So we got a nice green banner here. And if I go to Browse to chat.openai.com, which is the website for ChatGPT, I get a block from Umbrella that it has been blocked by the network administrator. So awesome. Our users can't access it. And again, just to kind of reinforce, we're not just picking on ChatGPT. This is -- we can also -- because we had Bard blocked in there as well, we can see that Bard is blocked. Now sometimes when I show a demo like this, someone's like, "Okay, well, I mean, that was bard.google.com. I can block that on a Raspberry Pi." And that is true. You can block domains on a -- whether it be a Raspberry Pi or another on-prem device. But something to remember is that these websites, these really cloud applications, don't just use one domain, right? So I've seen applications use 50 or 100 different domains on the back end. And so one of the benefits of Umbrella is that we are managing all of those on the backside and updating them constantly, so you don't have to worry about when an application adds a new domain to the list that they're using. We will update that, and it will get blocked automatically. So that's great. That's awesome, right? If we want to completely block ChatGPT or other AI applications so that we have time to kind of figure out like what does this mean for my business, what is my risk appetite. But let's say we're in that category of "I see the value of this, and I want to be able to allow my users to use it, but I want it used in a safe manner," and that's where those additional security controls come into play. I do want to give just a quick call-out to our firewall policy within Umbrella. So Umbrella is a full Layer 7 firewall. We also have intrusion prevention, so IPS capabilities, all within the platform. So this allows us to detect those applications like BitTorrent that don't use specific ports, and they'll try to bounce ports around to make it harder to detect. So we can do all of that in Umbrella. But what I really want to focus on for today's webinar is our web policy and our data loss prevention policy. So Umbrella is a full secure web gateway or a full proxy. So inside our workstation 2 rule set here, we can see that I have HTTPS inspection enabled, right? And this is what allows us to decrypt that web traffic that is going across port 443 so that we can start to inspect it. And this is really, really key because almost every app out there on the web is using HTTPS now. And so it's all going across port 443. And so we can't see the content of it unless we're able to decrypt it. And decrypting traffic takes a lot of effort when we have lots of users creating lots of traffic, Doing it in a cloud platform like Umbrella means that we don't have to worry about what is the processing speed or the memory capability of my local devices, We just send the traffic to Umbrella, and then we're able to do that there. And that's really important because it allows us to see additional information in the request. So in our example policies here, we can see that I have Gambling blocked. But up here, I've created a rule to allow access to Gambling.com's About Us page. And so normally, right, we won't be able to do that at the domain layer because we wouldn't see what page they're accessing, just that they're going to gambling.com. But with the secure web gateway, we're able to get that information. And I just wanted to do a quick call-out on this because this is the foundation of the technology that allows us to do the ChatGPT data loss prevention. I'll also call out, Tom mentioned our remote browser isolation. This is how easy it is to configure. It's just a rule action within our rule sets. So when you're signing up for your personal demo at the end of the session, be sure to mention that you want to see how that works. But let's really dive into our DLP policy. And before we go into where we actually configure the policy, I want to call out our data classification. So the use case here, right, is I want to allow my users to access ChatGPT, but I want them to do it in a safe way. I want to be able to control the type of data that is submitted. And that's what the DLP allows us to do. You can see here that we have a variety of built-in classifications for common use cases, PCI with credit cards, HIPAA for U.S. health data. And then we can see that I've created a couple of new ones up here as well: One is our source code classification, so this actually recognizes over 20 different types of programming and scripting languages. And I've also created one called employee data, so one of the really cool things that we can do is, say, I don't want to block all e-mail addresses. I just want to make sure that my employees' e-mail addresses aren't uploaded. You can actually use a tool that we have to create hashes of all your data, upload that to Umbrella, right? So we just see the hashes. We don't have the actual data. But then you can choose to restrict that information from going out to ChatGPT or a variety of other platforms. So we call that exact data matching, a very cool technique. And so as we go into our actual DLP policy though, so normally when we talk about DLP, right, we have 2 different types: We have real-time, and then we have SaaS API. So real-time is what we're talking about today. So as a user in real-time is making a request to ChatGPT, I want to be able to expect that traffic and block it. SaaS API is where I have data at rest, maybe it's in Webex or maybe it's in Microsoft 365, and I want to inspect the data that is sitting at rest in those cloud platforms to make sure it doesn't include data that I don't want leaked. Nice thing about Umbrella is that all of that is integrated into a single policy here and it uses the same data classifications. So although we're focusing on the real-time rules today, anything that we configure can be configured for SaaS API in exactly the same way. And here, I've created 2 different rules: One that focuses on PCI data, so using that built-in classification; and then the one that we really care about, our top line, our ChatGPT source code and employee data. And we can see here, it's really simple. I just go through, I select classifiers that I want to check for. I've set it up to be 4 workstation [ tubes ] by checking that box. And then I have selected OpenAI ChatGPT, both their website that we're using today and the API interface as what I want to block. And you can see it on my action down here, I can block or I can choose to monitor that. So maybe I don't want to block it, but I just want to know when it happens, I can choose to do that as well. And that's all there is on the configuration side of this. So if we go over to our workstation 2 now, I'm just going to give a refresh to make sure that we have a fresh session here, so we can see that we're still able to use ChatGPT. So we can ask it to give us a computer joke again. And we can see that, that will go through, and we will get a response. Computer went to the doctor because it had a virus and needed some bytes. That one was a little more painful, I liked the other one better. But we can see that we're connected, right? So I'm able to use ChatGPT for benefit. But I can also make sure, right, that the rules that I use are being applied. So we've set it up to block source code. So here, I've got an example function from that question that we did earlier about the 12-hour formatting going from 12 hour to 24-hour. And so here, I'm going to ask ChatGPT to convert that to go. So we're using a fairly benign example here with converting to 24-hour, but maybe this is an internal function or an internal script, and we've made the decision as a company that we're going to convert our code over to go, and that's the new programming language we're going to use. And so I, as a programmer, have just inherited this project. I've got lots of other work that I'm doing. And so I'm like, "Hey, this is just converting code. I can have ChatGPT do that for me." And unbeknownst to them, right, there is intellectual property in this function that we don't want to be available out on the Internet. And so when we go to submit this, Umbrella will actually inspect that. It sees that the request had a source code in it. And then you'll see that ChatGPT actually gets a network error because it's not able to get a response on that because Umbrella blocked it. So this would be the experience that your users would have. They're able to use it for approved purposes, so for example, asking a joke here. But if they try to submit something that matches one of those DLP rules, then they're going to get this network error, okay? And the great thing about this is whether we're blocking or monitoring, all of this is logged within the Umbrella dashboard. And so if we go into our data loss prevention report, we can see all of the instances that I've created in the past, and the ones from today will show up as well. And we can click into them and get information about that request. And so we can see what rule is triggered. We can actually see the exact request that was sent. So here, we can see the convert the code to go. We can see what components were identified. And so this is really great because we cannot only block it, but we can see what the actual request was. If I go to another one that I created when preparing, we can see the -- this was the employee data classification. So we can see that the e-mail address and IP address, that was that explicit data that I uploaded for exact data match is matched here. And we also censored that, right? So we're not showing the data even to an admin that may not be authorized to see it. So we have an auditor role that can be used to see all of that data. And so hopefully, this just gives you a really nice overview of kind of what it's like to interact with ChatGPT, what some of those benefits are, but then also the ways that we can control it so that we can allow safe usage of it, so we can get the productivity benefits but still make sure that we're protecting our companies. . And with that, Tom, I'm going to hand it back over to you.

All right, Chris. Thank you. Let me get back to my screen here. And let's talk about some next steps. So if you're interested in watching this webinar again, you can go to this URL here up at the top, and it's just that simple. Please give it another whirl if you've got the time or the interest. You can also schedule a custom product demo, so something even better than what Chris just shared that's specific to your unique needs. And you can learn about the different Umbrella package options that we offer at this last URL here. There's 4 packages outlined on this page. You'll be able to see how the full Umbrella [ SIG Advantage ] package offers, all the capabilities that Chris and I have covered today, and you should be able to answer most of the your questions on your own, thanks to that package comparison. So we will stick around here for another few minutes as questions come in, and we will do our very best to answer them. Thank you very, very much for being with us today. We hope this was time well spent for you, and I hope to see you again on the future webinar. Thanks.

Yes, I would like to thank you, everyone, for joining us today for our webinar. And I hope that you have all a great day. Bye-bye all.