Cisco Systems, Inc. (CSCO) Earnings Call Transcript & Summary
February 1, 2024
Earnings Call Speaker Segments
Mark Watts
Hello, everyone, and welcome to Blueprint for Threat Detection and Response Webinar. I am Mark Watts, your WebEx producer today. In a moment, I'll turn the session over to our speaker Natalie Timms. But first, I have a few housekeeping notes to cover. Please note, your microphone has been automatically muted. So feel free to ask your questions in the Q&A panel throughout the session. And to view the Q&A panel, click the 3 dots on the lower right corner of your WebEx window. To enable closed captions, click on the closed captions icon next to the meeting assistance on the lower left corner of your WebEx screen and click on the downward arrow and choose your language. And at the end of the session, a survey will automatically pop up in your browser. Please continue to complete the survey. We really appreciate your feedback. With that, we are ready. So let's get started. Natalie, in a few seconds, it's all yours.
Natalie Timms
Hi, folks. Thanks for joining the session today. A little bit of a different session. This is more one where I'm going to get you guys thinking a little bit. So rather than dig too much into what is an XDR, it's more along the lines of -- are you actually ready for XDR? And readiness means I've decided I need a threat detection and response system, but how do I know how to prepare for it? What do I need? We're going to talk more and more today about XDR needing visibility, needing quality inputs. And it's one of the reasons why I wanted to walk through how to be ready for that. And being ready for XDR means understanding your environment and understanding what it is that you're expecting from a threat detection and response system. There's a famous quote from Benjamin Franklin, and it's along the lines of, if you're not prepared, if you haven't done your preparation, then you're pretty much doomed to failure. And I think really, this is the case with things along the lines of threat detection and response. We all know that we need them, but there's no point going out and spending a whole lot of money on something when you're not going to get your bang for the buck and you're not going to be protected. So this is really the gist of the presentation today. And in order to do that, we're going to cover a few of the topics here. So first of all, we're going to talk about this concept of blueprints. And having a blueprint for your organization and collecting foundational knowledge that doesn't just lend itself to threat detection response, it really is something that everybody needs to do if they're planning any sort of investment, if they're now having to deal with certifications and compliance mandates and having to adopt frameworks and even models such as zero trust. 
Having an idea of what it is in your organization is critical because if you don't spend the time to go off and do that discovery upfront and know what's going on and know what people do in your organization, you can bet that somebody else is going to do that for you. What's the first thing that our friendly hacker folks usually do? They do recon. They do poking and prodding and asking questions and learning about their target. So you need to be proactive about understanding what you have in your environment. Then we're going to look at how the information we've collected in our blueprints helps us be XDR ready, okay? So how do we ensure that when we actually select a solution, and again, knowing what you have in your organization, what your security policy looks like, that's going to help guide you into what solution you want to deploy. Once we've looked at those components, I'm going to look at really how XDR can help you validate your security policy. So just as you put inputs into an XDR, there are some different aspects you can glean from that system that actually shows you how successful your policy is going to be. So we have a bit of a use case there, and then we'll wrap it up with a summary and some references. So blueprints and foundational knowledge. Why gather foundational knowledge? Well, hey, that Oakley [ shy ], you know about it, you can't protect what you don't see. One of the biggest issues that I've run into -- as a consultant, both here and in the U.S. where I was based for 25 years or so, is oftentimes folks don't know what they have in their organization. They may have -- have some old systems sitting out there somewhere. They may have had employees that have left and never cleaned up after them. It's this whole idea of not really knowing or taking stock. And every so often, you actually need to go in and clean your closet and throw out the things you don't need. 
So foundational knowledge defines your organization's business and its associated IT requirements, okay. Forms the basis of the security policy, every organization today needs to have a security policy. If not just for, obviously, protection, but if you actually do have a breach, by understanding what your policy looks like, what your organization's information looks like, you're able to react a lot quicker and be able to understand how to recover from those breaches. Your foundational knowledge is also a baseline for your security posture. And really, it's the starting point of what I like to call a security life cycle because when you look at security policy, because it's mapped to your network, and the network is almost like a living, breathing entity. You've got something that's fluid, that's changing, that's moving. You need to be able to keep pace and keep improving your security posture, adding new features when they become available, adding new protocols, recovering from breaches. And the more you learn, the more you can feed into that, and you have that life cycle approach. It's also really the basis for gap analysis. I mean sometimes what you think you have is not what you actually have in real life, and being able to document and spend the time to do that work will actually show you where you are missing things. And that goes for whether it's a technology that's missing, whether you have processes missing, whether you're not making the most out of the people that you have in your organization or you're not helping people take a more secure view of their working world. And obviously an integral requirement for many compliance frameworks and mandates, usually the first thing that comes out of any of those things, whether it's based on NIST, any of the frameworks that you see out there, it's usually hey, you need to do some discovery, you need to know what you have, and then you can start building your security on top of those particular fundamentals. 
So what is the blueprint? It's really a set of 3 different, what I call, knowledge bases. So you're collecting information about your organization, and that includes identification of roles and responsibilities, looking at the processes that you have, coming up with things about resiliency in the organization. And we'll take a more in-depth look at each of these 3. But for now, just knowing organization, so how do we actually run my business, who's involved with my business? And it's almost like you're looking at a natural language representation of what your organizational and IT goals are. Then you've got your security policy elements knowledge base. Now this is taking your organizational goals and objectives and then having them represented by almost like flows and context. So you might end up with a bunch of almost matrix-like elements that say, hey, I know I do business with suppliers, but let me just take a look at what that would look like from a flow perspective, and your flow being who's my source? Hey, it's my supplier. Destination is the systems in my environment that that supplier may need to context -- to contact and then layering context on that flow. Things like what sort of authentication and authorization rules do I need for the people in that supplier to be able to connect to those systems within my network. Then the last capability -- the last area here, technological capabilities, right? So protecting your organization and enforcing the security policy that you've defined. So you might have your policy that's laid out in a matrix. But then how do we actually apply that in the real world in my network? What technology capabilities do I need from the systems and the enforcement points that actually build my network? So we'll take a look at what some of those particular things would be as well. So why is it important? So here's our quote from Benjamin Franklin. "If you fail to plan, you are planning to fail!"
Interesting, he said this in around 1790. The guy should have been in cyber security. But sometimes, I think we were all in such a hurry to get to play with the new toys and to go and get them working and configure them that you really forget why you bought the thing in the first place and that was to solve a problem. So you need to go about actually defining that problem space, okay? To measure success, you need a solid baseline for comparison. When you start to look at threat detection and response, there's a whole lot of terrific analytics that are out in a lot of systems today. And a lot of those rely on the fact that you have to start with the baseline that represents the things that are acceptable within your organization. Then once the behavior deviates from that norm, from that acceptable norm, then you want to be alerted about that. But if you don't know what that normal is, then you're going to end up with a bunch of false positives and you're going to be spinning your wheels trying to work out how do I tune these types of things out, okay? Evolution and enhancement requires detail and accuracy. This probably seems like a bit of a mouthful. But as you evolve, as you get more sophisticated, as you add more detail, then you're able to add more and more information to your policy, you're able to add enhancements to make changes to that policy. And the more detail that you have, if something goes wrong in that network, you're able to better go back to where you may have had a failure and process and go about making changes there. Basis for compliance, as we said, enforces roles and responsibilities. And obviously, hey, sometimes it's fun to actually go work out what it is that you have. It's like spending some time going through your IDC when you haven't looked at it in a while and forgetting about the things that you bought, right? And so it can actually be fun to go through that exercise. 
So let's go ahead and take a quick look at our organizational knowledge and what that actually is. This is the fundamental part, and it's probably the fun part because you get to understand, what is it your organization does? I mean, what's the business functions and what's the structure? Who do you do business with? Who are your users? How do you interact with them? And a lot of times, it's really great because you get to go and look at what other folks in the company are doing, what are their roles and responsibilities and get feedback from them. Being able to talk to folks in an organization and ask them their opinions, ask them what they do, ask them where their issues are, it really starts to get everybody involved in planning a security policy. And having folks involved, you get a lot more valuable information, and it starts to build that teamwork mindset that this is important and everybody is playing a role and everybody has a voice in that. And being able to determine all of these different elements of your business structure, you can start to then look at building a matrix that becomes part of your security policy that shows where the interdependencies are between those groups of users, their locations, et cetera. Understanding things like other specific requirements that are related to industry or government, whether it's things like handling financial information with PCI compliance, whether you have residency requirements as part of country-specific mandates, having those documented and what systems that would need to be applied to is pretty important. Operational goals, metrics and processes. Everything that you do in your organization, there should be a process for it. And I know people think, "Oh, all the red tape and I have to dot the i's, cross the t's and jump up and down with my hand behind my back and do all these things." But in the long run, having things documented is really important. 
It allows you to be able to really, I guess, connect the dots if something goes wrong. It also helps people understand what it is that's expected of them. Some folks are really good at going ahead and acting ad hoc and something happens and they can quickly go fix it. But that's not for everybody. And being able to have a standard way of performing different things is very important to an organization. Service-level agreements are one that often can be overlooked. If you, as an organization, are providing the service to customers, then they're going to expect that there are service level agreements and service level objectives applicable to that relationship. And the same thing, if you're actually consuming a service, then you need to be aware of the SLAs and SLOs that are part of the offering from that particular vendor that you might be using. Operational and planning requirements and processes. There's a lot of things that need to be documented here. Everything from how do I actually handle data in my organization? How do I store it? Do I need encryption? How am I classifying that data? How do I access it with things like role-based access control? Having a critical assets database, so you know explicitly what are the systems within your organization that take priority when it comes to things like attacks or downtime, having processes for audit logging -- chain of custody requirements. Again, very important because if we have an issue that requires a legal intervention, we need to have a way to be able to connect the dots between how these particular attacks that happen and who has been actually collecting information for logs, auditing, et cetera. Management, monitoring and troubleshooting, network device and user provisioning, I won't go through all of these things, I'm already losing my voice here. But really having these things documented again in more of a natural language kind of way is something that really is part of building this knowledge base. 
And where all of this ties in is knowing about how to handle data, knowing what's important from a user perspective, important systems allows you to start also doing a risk analysis within your organization and really just trying to be able to identify the threats that are of the most risk to your organization. So what's the goal of this knowledge base, okay? Goals, everything from engaging your stakeholders, helping to strike a balance between productivity and security, often, people try to skirt around security if they find it is holding them back somehow, articulates how people work, all right, understanding roles and responsibilities, which assets they access, their hours, all goes into your security policy. Fosters an environment of security awareness, and also then again defines this concept of a baseline for planning, detection, response and recovery, which, oh, by the way, sounds a lot like the things that an XDR gives us. We get to understand the threats to the organization based on who our users might be in our organization, do we have folks that may be, for example, victims of phishing. And this is really important to XDR because when you're selecting a product, you want to be able to ensure that that product will actually be able to detect on those specific use cases. And then obviously, your risk assessment data allows you then to also identify, do I have any gaps in my policies? Do I miss anything with my objectives? And it helps prioritize by just some work efforts. So let's move on now to our security policy elements. So our policy elements here are taking what we've defined with our foundational knowledge, and we're now trying to actually define these in terms of rules that will be part of our security policy. So we're going to look a little bit at how we've actually defined our user groups and things. But the other thing we're doing here is we're taking almost like a greenfield approach. 
So I know what my organization does and rather than trying to shoehorn my objectives on an existing infrastructure, I'm going to actually define my policy in terms of -- if I'm starting from scratch and I need to do this properly, what do I actually need for my policy? So in this case, I'm going to go ahead and start trying to understand my topology. Now my network topology is -- I think people underestimate the value of network diagrams. I came from a background as an SE originally. And one of the things that we'd often do is document customers' networks. And it really made it easy from a troubleshooting perspective because you knew where things are, you knew what the addressing looked like, you knew where you were running your routing protocols between each system, you knew where your enforcement points were, whether they are routers or firewalls or IPS. And it's the same thing here for your security policy. Taking your organization's needs and then actually defining or designing your topology. And when it comes to having access from suppliers to your internal network, where do I need to place critical infrastructure like a firewall, like an authentication system to be able to make sure that I'm enforcing my policy? So this is one of the things here we do with our policy elements. And we take all of our different -- whether it's user groups or assets and we start to define flows and apply those towards our network diagram. So we can see whereabouts in our network these flows need to go. And we're going to do that for all of our user groups and all of our devices, et cetera. So your policy elements, user groups have a matrix of which groups need to communicate with each other, which groups need to communicate with devices and the assets in our network, and we're going to then also start to apply context to those. Context being things like which of these interactions or flows need authentication, which need specific role-based authorizations. 
Then with our assets and our devices group, we're going to also start looking at things like what versions of code we need to run. How do we avoid using software that has vulnerabilities, these type of things. And understanding what our policy looks like from a flow perspective, that is our source, our destination, whether we're going to allow that flow or deny it, and what sorts of rules we have around the flow, this is the basis of your security policy. And it's something, again, that is written more in a matrix form, but as we start to build our information and we document our flows and the security needs that we have around those, and we create our knowledge base, we're then ready to take that information and translate into something that becomes configurable actions on technology. So as you have your flows and again, looking at these types of things, if you look at your policy, this is your baseline, okay? So if I'm moving ahead and looking at my XDR system that's actually going through and doing analysis on the flows that come in, it's there actually validating that policy for me, and we'll talk about that in the next section. So what are the goals of security policy elements, okay? So the output of this knowledge base, this is your security policy. It's taken what you've documented in your organizational knowledge base, and you've now defined it as a set of flows or a set of rules and each of these rules has context around it. Now when you build your rule set, it's always got to be based on something called the principle of least privilege, and -- this really falls into a lot of frameworks today, a lot of different architectures, one of them being zero trust, which is, as everyone knows, very, very popular today with the concept of everything is denied unless explicitly permitted. And that's really where the principle of least privilege comes in is you give people only enough access for the things that they need to do, okay? 
Now a few other things to note here is when you get your flows defined, you get the rules around those flows defined, these become your baseline. These are your normal. So when you have threat detection and response that are looking for things like anomalies in those behaviors or these things are acceptable, you can easily relate that back to security policy, okay? And you're easily able then to determine whether, hey, I've just been flagged that this particular behavior is anomalous. When I look at my policy, is this something that could actually have been acceptable and a false positive? So it helps you to track those down easier. And another thing that's really important here is, when you actually start to map those flows on the diagram and you look at where the access points in your network are and where you'd place firewalls and where you have the different systems and critical assets that you need, you can start to see whether you may have gaps in your current situation in terms of technology, and without filling those gaps, you're never going to actually be able to apply that security policy. So it's a way to identify gaps in visibility and gaps in policy. So if you have gaps or you have things that you would like to implement from a policy standpoint, this is where we now start to look at our third knowledge base, which is your technology capabilities, okay? So I have my rules and I have my process, but what do I need in my network for my organization, for me to be able to actually configure and enforce those capabilities? So collecting information about what technologies are needed is the third part of this Blueprint puzzle. So when we talked initially about looking at assets and what we have, that's been more along the lines of the function of those assets and who needs to get access to them and how they need to access them, whether they need to go through authentication, for example. 
But now when it comes to assets and technology, we're looking more in terms of what operating systems are they running? Are we looking at something that could potentially be vulnerable because we haven't patched something in ages? So really being able to evaluate what's there from a vulnerability standpoint. Looking at technologies, logical and physical network design concepts and best practices. I mean sometimes we can look at our network diagram and say, "Yes, I know I want to run OSPF in this particular area of my network. But am I actually running a version of code on a device that gives me the best security? Do I need to think about OSPF v3 with IPv6, for example, because I really want to go and look at something that's more like a routing security best practice." So you're able to evaluate all of your assets in critical infrastructure from an actual capabilities perspective. And if you're missing something, if you need to either buy new product, upgrade your product, this is the way that you actually assess if that needs to be done and what needs to be done to satisfy your security policy. And there's actually a bunch of other things that you can start applying as well because -- if you have your security policy rules, you know your flows through your network, what needs to pass through which point of access, there are other things that you can apply to the enforcement points and the connectivity points within the network. So you might want to look at things like if I've got VLANs on a switch, I want to allow connectivity between 2 VLANs, can I apply or buy a switch product that gives me layer 2 security features, for example? So we can start actually then layering security on those technology elements. So we're going above and beyond what we need for our security policy, but we're also layering security on top of all of the elements in our device that handle those flows. 
So yes, routing and forwarding, making sure that you have access to routing features, allowing you to do things like secure updates that you're even looking at your planning from a performance and resiliency standpoint. Because one of the things organizationally, you might define is I need certain areas in my network to always have backups. I need redundancy for those accesses. You can go through and make sure that you have systems in place where you do have redundancy planned into that network. If you're concerned about capacity planning and adding new security features, this is a time when you start to look at maybe doing load balancing among features and these type of things. Because one of the things I think people forget is it's focused so much on security, but they forget that a device that's performing poorly and is having all sorts of issues that's going down because it's basically on fire because of too much traffic load. I mean really that's almost as bad as -- you're DoSing yourself basically, in that case. So spending the time to plan around capacity planning, load balancing, having alternate paths, looking at different features that allow you to do filtering or quality of service, these are all things that play into ensuring that you have the best experience with your security policy. And really, I guess, the goals of this is -- you've been -- you've got your security policy. You've got the idea that you can take a policy and look at it almost from a greenfield approach and just say, what do I need from a technology standpoint that's actually going to allow me to go ahead and deploy that security policy? And if you can sell that type of approach, I'd tell you it would go a long way with management. Helps with budgeting to say, hey, this is the policy that we deem is important. We've had everyone come in and have a buy-in on it. So this is what we need from a budget perspective when we go and buy product to actually help us deploy this policy. 
So I mean that brings us into, I guess, the next section here. We understand a little bit more about Blueprint and why we need to collect that information. So now we're going to look at XDR readiness. Now one of the things that -- I guess the big lesson of this section is that Blueprints are the things that give you visibility and context around your security policy and what's a technology that really helps us also get visibility and context around the threats that are important to an organization. It's XDR, Extended Detection and Response. So I've got this diagram here that really just sort of goes into a little bit about the connections between whether it's our security policy elements here, our organizational information, where we've defined our risks, our processes, what are the threat use cases important to us, for example. Then we've got our technology capabilities, of which really XDR is a technology capability. But it's kind of a special one because when you start to look at your policy elements that we've converted to something that's configurable and deployable on our technologies, we're then using the outputs, in particular, the logging information that's collected by things like our critical assets and our enforcement points. And we're collecting those with XDR. So XDR is using those as inputs. And it makes it kind of a special technology because it allows us to validate our security policy via assessment of the quality of the telemetry that we're collecting from our technology elements, for example, our firewalls from our endpoints, from our routers, from our switches, et cetera. And by doing assessments on those logs, collecting things like our flow information, so our policy is going to include a bunch of these type of things, for example. And when it comes to what the policy looks like to XDR, well, it looks like something like this because our flow information is captured by our technology sent across as a flow or a log to XDR. 
And this is what XDR acts on. So the more information here that is geared towards threat detection, the more context that we have, that we can feed into XDR, the better the visibility and the fidelity of anything that is detected there in terms of a threat, okay? It also gives us visibility into the quality of the logs that we're getting and allows us to tune those capabilities. And there's arrows all over the place because, again, this is our life cycle. XDR also, it may detect a particular threat in the network. And we'd like to hope that the threats being detected mirror the ones that we said are of the most significance to our organization when we defined that organizational knowledge base. So we're validating the threat use cases that we had defined here. We also went ahead and we did a lot of process documentation. So one of the things that you want to do with your processes or your organization is have incident response processes documented. If this particular thing happens in my network regarding these assets, what's my incident response process, what do I do? So having responses here that mirror the response action that is required here is another key capability that you can get with an XDR solution. Your policy elements, hey, if we have threats that are detected here that show that we had a problem with our policy, that we've omitted something, that we've made an error in our policy or an error in our configuration, again, that's going to feed back here to these policy elements where we can actually tweak our knowledge base to make sure we're up to date. And we also want to make sure if there's been an issue with the policy, any updates made are also reflected here in our knowledge base. So you can see here, we have quite the life cycle going on. And it's really important that we do actually maintain that because, as you know, threats change almost on a weekly basis. 
And people make mistakes, things change, systems have bugs in them, so it's really important that you have the ability to be able to have that feedback loop going on. So I guess, over here, we're talking about policy elements, getting these flows, getting this information in terms of our log outputs and sending them across to XDR. So one of the things that when looking at what XDR solution do I need, what is going to help me really validate the policy that I have to the best of its ability is this whole idea of how XDR actually handles or consumes logs and information. Just a quick aside here on policy elements and how do we get from policy elements into XDR. Well, it's through this process of normalization, that is collecting log information from our enforcement points in our network. For example, that information would come into your XDR system. And the concept here is XDR has support for being able to extract those particular elements of our security policy that are going to be needed for things like our detection engines. So I've just got a quick sample here of how generally this type of thing works and how, when choosing an XDR, you need to know if I've got vendor access solutions in my network because they're helping me enforce policy, if I want to be able to monitor how well that particular solution is doing, I need an XDR that's going to be able to consume telemetry and do normalization on that telemetry from that particular vendor because, as you know, if you've looked at different solutions, not all vendors handle everybody else's telemetry. So being able to understand which are the sources that you need in your solution are really critical when you go about actually going and purchasing a system. 
Being able to understand a little bit more about how do I actually look at the success of my policy when it comes to XDR and understanding the difference between consuming telemetry and doing normalization and looking at where those attributes that are extracted are used. There's a difference when you look at purchasing a system between attributes that are used by detections and analytics. So for example, if we look back at the slide ahead there with the flow data, there's a lot of information that's consumed from a flow that can be fed into detection engines. So being strong on how you handle telemetry on what can be used to help determine what analytics are used, what detections are capable is important. There's also the need, though, to be able to bring in some of the information. So when we've looked at flow data and we said security policy, here's my flow data and also here's the context around my policy. And often some of this contextual information comes in through what we call attributes that are used for attribution, okay? So they add extra context. So if I've said I want to monitor flows between this source and this destination, but I have a bunch of other information around them like -- what's the user name associated with that flow? Do I have things like a trusted group that's been assigned to that? These are things that aren't necessarily valuable from a detection engine standpoint, but they are valuable from an additional context standpoint. And again, these map back to your security policy, so you want to make sure that you have visibility into that, so you have visibility into your policy. 
MITRE ATT&CK detections, again, detections that are based on behaviors, having your policy consumed into your XDR to be able to look at how some of your behaviors, what's acceptable behavior, what happens during a session, these type of things are all critical when selecting an XDR solution and making sure that you actually have your telemetry sources correctly sending data to XDR. Same thing with your analytics. Your security policy should be able to be normalized to the point where you can actually do your machine learning and have your analytics applied to those particular flows. One of the other things that's critical here is having a look at really more visibility. So when we start to point all of our telemetry towards XDR, we want visibility across all of those elements in our network. So think back to our topology diagram. Having all of our elements sending logs to XDR, really important because a lot of threats are more sophisticated these days. And often to determine whether something that's actually been successful or not in the network, we need to be able to start chaining alerts or linking like observables, things like I've seen the same IP addresses through multiple systems in my network. I want to correlate those together. And making sure that your XDR has the visibility from all of those components within your network. So this is where understanding what's in your network, understanding where specific flows transit in your network and making that information available is very critical to XDR. Talking about critical assets and initially with our organizational information being able to assign priorities to different assets and asset values. We've got systems out there and it was a bit of a miss for me not saying that a lot of this information I'm giving you is from Cisco's XDR. So here, if you're looking at something that's going to help you with your security policy, having a look at what we've got here at Cisco is really key.
Having the ability to be able to assign asset values to those critical assets is also going to help you reinforce your policy. The same with looking at how you respond to things. So when we talked about building processes around incident response and how we handle threats and how we react to things in the network. When you look at XDR systems, especially things like Cisco XDR, we've actually built the responses available through XDR based on the SANS Incident Response Framework. And if you're looking for ways to maybe go ahead and start planning responses when you're collecting your organizational knowledge, often folks will refer to some of these existing frameworks and standards to be able to help guide them to building those processes. And in this way, you're going to get a really good mapping between how you define and how you react from an organizational standpoint and having that mapped across to how XDR can actually go in and help do that on a more automated fashion. So it's important when selecting an XDR solution that if you have a specific policy in mind, you're able to have that policy and the process around enforcing that policy and recovering from issues, you have the ability to actually go and build those within XDR. Cisco XDR has the capability to define workflows that will allow you to customize or to really automate and orchestrate those processes that you've deemed important within your organization. So I've been rambling on a little bit. There is quite a bit of information here. But just before we close, I did want to touch on one other issue here. And that is how XDR can actually help validate your policy. And this is a bit of a use case. And earlier in the piece, I mentioned when you're defining your security policy, sometimes you might want to refer to frameworks and methodologies that are tried and tested to help you ensure that you are covered and you're doing everything according to security best practices. 
Now one of the most popular things around today is the whole concept of zero trust architectures. And really, we built your security policy around zero trust where you're really saying trust nobody to start with, and then you slowly start to open the door with specific rules around specific users based on where they're going. Then this really gives you a great way to start setting up your security policy. And when you look at the zero trust tenets which are documented in the NIST special publication, 800-207, there's a list of tenets there. And you can actually look at each of those tenets, and you can see how something like Cisco XDR will validate those tenets. So if we look at the first one here, all data sources and computing services are considered resources. So in order to make sure that you're properly tracking the resources and who is accessing them and are they secure, looking at Cisco XDR, it allows you to have visibility into all resources because it supports a variety of telemetry sources. It supports the normalization that we need. It supports the workflows back into those resources. And it also consumes telemetry from whether it's cloud, whether it's on-prem, whether it's endpoint. So it does allow you to have that visibility into computing resources at all levels. It's able to categorize and prioritize your telemetry sources as well where we've looked at just briefly being able to assign an asset value to those. And when you're looking at an XDR, especially when you're looking at Cisco XDR, it has that ability to understand generally the behaviors associated with a particular device in a particular role. And that's because we're leveraging the MITRE ATT&CK framework, which also has a lot of information around how we expect particular devices to act and how those devices react and what happens on those devices when something goes outside of that normal baseline.
So we're running a bit short on time, but you'll have access to the slides. But if we look at some of the other tenets here, being able to access individual enterprise is granted on a per session basis, XDR tracking user behaviors and understanding if somebody is, for example, logging into a device from a location that they are generally not at, these are the types of detections that are really important. And having those available to you in your XDR solution is critical to be able to validate your policy. Measuring your security policy of all your owned and associated assets, being able to track what's going on in your assets, one of the cool things about Cisco XDR is it does have an asset database that will keep track of all of those different assets, whether they're endpoints, whether they're servers, et cetera, keep those available to you, track the operating systems that they're running on, track the users that are associated with connecting to those devices. So it allows you to be able to keep your eye on the health and the security posture of all of the assets within your network. And accessing resources through dynamic policy. Again, where we're looking at how policies change, where people are attaching to the network from, what services they're using, what assets they're going to. These are, again, all things that we want to establish a baseline for and having Cisco XDR understand the baseline because we'll collect data over a certain period of time, establish that baseline that should map to your security policy. And whenever anything deviates from that, we're actually going to get flagged. There'll be a detection there, and you're able to go in there and investigate that particular incident.
And again, by being able to have, let's say, a detection that fires on something that is behavior outside of the norm, we've got the ability to tie that into an automated response that says, hey, I'm going to go and isolate that endpoint at this point until I can go and do some further investigation as to what's going on. And finally, when we're looking at things like authentication and authorization and these type of things, if we have people that are attempting to log into systems, that are not using or trying to skirt the rules or in the enforcement techniques that are those that are set aside for those policies, we're actually going to have XDR flag those for us. So we're getting really close to time. Like I said, there's a bunch of information here, and I'm sorry that we kind of ran a little bit long. But I'm hoping that what this really has shown to you, and apologize again for having bloopers with my voice and everything else here, but there's a lot of information. And really, I guess, the gist of it is make sure that you actually do your planning. So XDR and Threat Detection Response are must-haves in any organization today. But the thing is before you go ahead and deploy or even start to determine what it is you need, you need to do your research, you need to understand what your requirements are and you need to plan for them. You need to understand your organization. Then you can make the best choice as to what technology you need to deploy to help you enforce and monitor your security policy and monitor how successful it is. And the great thing is with Cisco XDR, it actually is geared around that type of methodology or this type of thinking, and it does actually help you facilitate that process. So I think it's definitely worth a look, and I encourage folks to reach out on that. And one thing I wanted to mention, too, is we talk a lot about AI. And what -- really AI, it's a great tool. 
It can offer guidance and it can point you in the right direction, and it will help look for threats and handle data processing and it can be a great tool. But you should never replace a human's expertise. So when you're building your policy and collecting your knowledge bases and getting those set up, that requires human expertise. It requires somebody to connect those dots and to actually make sure that, that context is being applied properly. So I would always say, hey, don't skimp on spending the time to do that because it's really important that you as a person have the final say in how you handle particular situations. Obviously, building partners with trust advisers, folks at Cisco, like myself, like others that can help lead you through how do I build these documents? How do I gear up to zero trust? How do I evaluate XDR? There's folks at Cisco that can definitely help you with all of those activities. And hopefully, this has given you some food for thought as to what to do next. If you're interested more in XDR and what Cisco is doing there, please go to go/XDR, and there's a ton of information out there as to how these things can be of use. But that's it from me. I'm going to go have a look at some of the questions here. Mark, I don't know if there's others there that we need to quickly tackle.
Mark Watts
There was one there, but I think you've answered it through the presentation and the others are just saying thank you.
Natalie Timms
Yes. Well, thanks, folks. We're a little bit over time, and we did get a bit rushed. But yes, it looks like my planning could have been a bit better in terms of my time management through the presentation, but yes, there we go. So always plan. Thanks, folks.
Mark Watts
I would like to thank you all for attending the event. We hope you found it informative, and a special thanks goes to Natalie for presenting today. And as a reminder, please take a moment to complete the confidential survey that has been posted in the chat panel. It will also pop up in your browser as you exit. Thank you for joining, and have a great day.