Cisco Systems, Inc. (CSCO) Earnings Call Transcript & Summary

March 7, 2024


Earnings Call Speaker Segments

Mark Watts

executive
#1

Hello, everyone, and welcome to the Top Recommendations for your XDR Program in 2024 webinar. I'm Mark Watts, your Webex producer today. In a moment, I'll turn the session over to Gio Tan. But first, I have a few housekeeping notes to cover. Please note, your microphone has been automatically muted, so feel free to ask your questions in the Q&A panel throughout the session. [Operator Instructions] At the end of the session, a survey will automatically pop up in your browser. Please click continue to complete the survey. We really appreciate your feedback. With that, we are ready, so let's get started. Gio, in a few seconds, it's all yours.

Gio Tan

executive
#2

Hi, everyone. Welcome to today's webinar. Thanks for being here with us. So our security leaders are under constant pressure today. So how do you actually keep your organization secure while making sure that you are seeing the breadth of new and emerging trends? And how does a tool like XDR fit into your broader security strategy? So Allie Mellen, our principal analyst at Forrester, as well as Dave Lewis, our Global Advisory CISO at Cisco Security, will be here to share with us more on their insights: how XDR can increase your ROI across multiple security tools and support your security teams, and how generative AI can bolster your security strategy. So this session has been prerecorded ahead of time to ensure a good webinar experience for all. So in a few moments' time, Mark will play the recording. But if you have any questions, do drop them in the Q&A tool, and our experts will be here to help answer them. So Mark, can I get your help to play the recording, please?

Dave Lewis

executive
#3

Thank you, everyone, and it really is a great pleasure to have all of you here today for another talk where we're going to be discussing XDR and things to that effect. I myself am Dave Lewis, a Global Advisory CISO here at Cisco Systems, and I've been doing security for 30 years. It pains me to be able to say that. But I am very, very fortunate today to be able to have this amazing special guest, Allie Mellen. So Allie is a Forrester analyst covering security operations, nation-state threats and all sorts of uses of automation and machine learning. She's been in the technology industry for over a decade in various engineering roles, doing research at MIT, having her own engineering consultancy as well as being a hacker. My people. She now advises Fortune 500 CISOs and security teams on their detection and response practice and frequently speaks at industry-leading events and in the press. And it is very awesome to be able to share the stage with you today. How are you?

Allie Mellen

attendee
#4

I'm doing great. Thank you so much for having me. I'm thrilled to be here.

Dave Lewis

executive
#5

Yes. This is going to be awesome. The really cool thing is, and you might be able to tell from my background, I'm a bit of a Patriots fan, so I'm going to diverge a little, slightly. And we found out today that, unfortunately, Bill Belichick is out as the coach, the most feared coach in football, after 24 seasons and 6 Super Bowls. Now I find this very analogous to talking about XDR because it really seemed that after Brady left, he did not have the tools he needed in order to have the visibility into his organization to get the job done. Now do you think that's a fair assessment? Or what is your take on this news that just broke today?

Allie Mellen

attendee
#6

That was sneaky. I like that, the comparison. There's got to be something around like the focus or the targeting, on particular threats that Belichick wasn't able to have or something there. I like it.

Dave Lewis

executive
#7

Yes. There's no Deflategate or anything like that, but it's been a very interesting thing to watch unfold. And it's really interesting when we're looking at various types of things like XDR: one of the things that we have to level set right off the gate is what it means. And it would be great, Allie, if you would take a moment to explain. Like, last year, you wrote a great blog about how EDR is no longer enough and is effectively being replaced by XDR. How do you think XDR is going to be developing going forward? Because I do run into a lot of people in discussions who are like, oh, great, another acronym. But we don't understand the meat that's on the bone.

Allie Mellen

attendee
#8

100%. No, this is so true. And actually, one of the first things that I was tasked with doing when I joined Forrester, now 3 years ago, was defining XDR and actually saying, does this actually matter, is this something that our clients should even care about. It was a very challenging question, to be honest, because I ran into a lot of commentary like that, commentary like, do we really need another acronym, or is this the same thing as SIEM, how does this differ from what exists today. And they're all really valid questions. And to be honest, as I was going through the process of defining it, and even now, as I continue to look at this, I often pause and step back and make sure that the way that it is being perceived and structured in the market is such that there is a difference from tools like SIEM or from tools like EDR, because otherwise, there's no point in having a definition for this. There's no point in treating it as a separate market. Just as you mentioned, this actually has led to us retiring our EDR Wave coverage and replacing it entirely with XDR, because this is the direction that we see pretty much all of the EDR vendors in the market moving towards, and a lot of clients, which is kind of exciting. So the way that we define XDR is based in endpoint detection and response and extending out from that endpoint into other sources of telemetry, particularly sources of telemetry that are very high efficacy and that can deliver higher-quality detections. The thing that struck me as I was going through the first Forrester Wave on XDR providers was that, more than anything else, when XDR was done well, it was delivering much higher-quality detections than other tools were capable of. And that included SIEM. That included EDR. Now different vendors do that very differently. We see some that are very focused on incorporating network telemetry.
We see others that are really focused on, okay, how do we expand this into the cloud or into SaaS applications, things like that. And ultimately, it's actually important that different vendors do approach this differently, because there are certain vendors who I wouldn't want doing network security, as an example, or I wouldn't want doing other types of security. And so having the focus area that leads to the best quality of detection is what's most important here. There are a couple of sources of telemetry we see more often than others. I mentioned network; e-mail security is another one; cloud security. But at the end of the day, it really is about using the endpoint as that base and building better and higher-quality detections because of it.

Dave Lewis

executive
#9

Very cool. So when we're talking about that and talking about extending out to these higher-quality detections, what sort of technology advancements in the field of XDR, do you think, are going to be a huge focus for this coming year? When we look at all -- there's really a wide array of different types of attacks and the consistent nonsense that we have to deal with. It's not like back in the day where it was like some kid was compromising a website and putting it up on an all-data server, attrition.org, saying greet all my friends. Now there's like real dollar value and, in some cases, there is quite literally the possible damage to human life.

Allie Mellen

attendee
#10

Yes, unfortunately. So there are a couple of areas that are most interesting coming up this year. First off, I kind of bucket them into three. And I know I put up 4 fingers there, but you know what, it's 3. So one of the things that is important with XDR is that one of the reasons that we start with that basis in endpoint telemetry is because, ultimately, in the past, that's where a lot of the really important business data has been, right? Before we all made the shift to the cloud, a lot of the business data was on the endpoint. You had a lot of interesting visibility there that you were able to leverage in order to build better detections. Now that's great and all, and was great for the EDR market, for the MDR market. But we experienced a big shift when all of that data decided to move to the cloud. And that meant that the endpoint's importance was actually not as strong as it had been in the past. And now understanding what's happening in the cloud becomes much more important. It's where a lot of attacks are moving. Having that context is really key. And so the first thing that we see with XDR is that it is moving towards trying to address some of the cloud attacks that we see most commonly happening. We see this with the MDR market already, where there's a lot of focus around SaaS applications and some of the aspects of the control plane with CloudTrail logs and others. So that's the first piece: how do we address the cloud security problem so we can continue to protect where the business data is. The second piece is analyst experience, which is one of the most important things to me that I actually talk about. A couple of years ago, Jeff Pollard, who's one of my colleagues, and I defined analyst experience as security analysts' experience, not mine, with the tools and processes and, honestly, the entirety of their career that they work through on a day-to-day basis.
The reason that we did this is because, as any practitioner on this call knows, there are very few tools that are actually made for the practitioner. They're most often made for the economic buyer. It can be very difficult. There are a lot of tools where it throws up an alert and it's like, I did a great job, I found an alert for you. But there's so much more that happens after that by the practitioner: how can we actually make it easier for them to do those steps? How can we understand their workflow better so that when a security analyst goes into an alert, they can make a decision faster, they can triage faster, they can do that investigation and then they can quickly respond without having to go into a bunch of different tools and spend hours and hours trying to understand what's happening. So improvements in analyst experience are the second big thing that we've been seeing be prioritized over the last 2 years or so, and I'm very hopeful we'll see even more of this this year. And then the third has to be generative AI. Unfortunately, I think we made it like 10 minutes into this webinar without bringing up generative AI, so I'm proud of us. But we are just at the start of seeing what generative AI is going to do for security tools and for security practitioners. I have a lot of thoughts on this, as I'm sure you do as well. But yes, I'm sure we'll get more into this: that generative AI is going to change the way, hopefully, that we do certain parts of our work to make it better. What do you think?

Dave Lewis

executive
#11

I completely agree with you. And that's one of those things that really hits home for me, because when I was working as a defense contractor in D.C. back in, oh, my, '99, one of the biggest frustrations was there was no single pane of glass. There was no visibility. SIEMs, they weren't even a thing back then. And so I remember writing Perl scripts to harvest log files from Cisco PIX Firewalls and all the other different pieces and try and pull them together in a central console. And I remember in 2003, I had one vendor, who will remain nameless, say, "Oh, yes, we'll give you that single pane of glass." To this day, they still haven't actually delivered that particular product. And as an analyst, as somebody that was hands-on keyboard back then, it was really, really frustrating not being able to have that clear understanding as to what is, in fact, going on in our environment, because we can buy all the widgets and put them in, but if we don't have that visibility, we are really hamstrung in a lot of ways. And you absolutely hit on it right there with the generative AI question. And when we look at this, the reason that makes me giggle is because ChatGPT -- there, I said it -- has been a catalytic event. And it's been a catalytic event in that it's got people talking about AI. It has been fantastic for that. Even though ChatGPT is not AI, it really got people having that conversation. And it's really amazing to see what is possible. Like, I did a course last year where they were talking about the ability for the analysts to log in in the morning and all of a sudden, they have 7 different things that have been listed out by priority that they should have a look at. And this is really that sort of thing that I wish I had as a practitioner. Now from the AI perspective, when we're talking about these things, it's like, how will generative AI help bolster an organization's strategy?
Like, I understand it consolidating threats and things like that, but I want to get your perspective on how this can actually improve matters, away from the fluff that we see in the news.

Allie Mellen

attendee
#12

Yes. And I love your prioritization example, too, because I think that's one of the biggest challenges, right? It's like, when things are on fire, everything is a priority. But there has to be something that's prioritized more than others, and making that determination is difficult and important. So the more we can implement, or at least give the context and the tools to do that, the better. Generative AI is really interesting because a lot of the implementations that I've seen so far, and I've done a lot of research on generative AI applications in some security tools already, we released it last year with a bunch of different analysts on the team, it's interesting to see because, honestly, all I'm seeing right now are just a bunch of chatbots. And I can't tell you how little I want another chatbot to talk to. Although I do, to some extent, enjoy interacting with ChatGPT. It's very novel, right? It's very novel. It's very interesting. But it only lasts for so long where that's interesting and novel. So the reason that I bring this up is because I actually think that generative AI has a lot of value to bring to security tools. It's just not in the chatbot use case, despite that being the immediate direction that a lot of tools are going. And this is because it doesn't fit into the analyst workflow. To me, pretty much everything in security comes back to the security analysts, especially since I cover detection and response. So it's very much, like, how is this helping the analysts today? When I think about good use cases for generative AI, it's things like writing incident response reports, writing threat hunting reports. Who wants to be sitting there writing a report on all the cool work that they just got to do? No one. This can save them an hour of time that they would otherwise be spending writing this report. That's such a great use case.
It's such a great use case where analysts get to focus on what's really interesting to them and then leave the rest to the technology. Another use case that I really like is doing things like making scripts human-readable, so trying to understand what's going on in the script. That's a pretty cool use case. You don't necessarily want to spend all day trying to understand what's going on in the script. And then the last one that I really like is query language conversion, so taking it further than, say, human language and converting that into a query, but being able to convert queries between 2 languages. Because one of the things that I often find, especially when customers are considering switching to a new product, a big gap for them and something that's really limiting in their capability to make that transition is the fact that they have a bunch of work put into their existing tools. So being able to do that conversion between 2 different query languages helps them to make that transition faster. Stuff like that, I think, is this low-hanging fruit, super useful use cases that we haven't yet seen, but I do expect we're going to see more of this year. Are there any use cases that, like, stick out to you?

Dave Lewis

executive
#13

Well, yes, going back to what I was talking about earlier: I wanted to be able to have that ability, and have that clear understanding as to what was happening in the environment, because XDR is a tool that I can see a lot of SOC practitioners are going to utilize rather heavily because it's providing that visibility. I remember one company I was working at, we had an external pen test that was done. And the pen testers had reached one of the systems, and I was watching it on the intrusion detection system, and I saw what they did. And I called them up and I said, oh, you did this and this. They're like, "How did you see that?" Because they didn't actually expect that sort of visibility, but that was only because I was completely paranoid and had a lot of free time, so I was able to track these things down. That's not something that scales. So we need to have that technology that's going to help. Because there are only so many people that are going to do these SOC analyst positions, unfortunately. It would be lovely if we could get more people into the field, to be sure. And when we're looking at that and trying to see that build-out and visibility, it also gets to the question, like, how do we consolidate the tools that we have? Because in one case, one power company I worked at, we had 7 different logging and monitoring solutions and none of them talked to each other. Yes, it was a painful thing. And to add on top of that, there was the cost involved, in that we were paying, I think it was 23% to 25% per annum on maintenance fees for these 7 different solutions. So it was like basically we were having a great big bonfire on the front lawn, we're just throwing money up. It was Canadian dollars, so it wasn't that bad, but yes. So do you see this as being beneficial for an organization going forward, where they're going to be able to consolidate tools by using technologies like XDR?

Allie Mellen

attendee
#14

It's a good question. I actually do think so. One of the interesting things that I've seen, especially with XDR, is that it's opened up a lot of opportunities for consolidation that make more sense to security leaders, right? A lot of vendors talk about consolidation of tools, how do we get CISOs to consolidate the tools that they're using. And CISOs are kind of like, "Yes, but I don't want that. You want me to want that, but I don't want that." And the difference that I've seen with XDR is that in a lot of cases, XDR has grown out of natural synergies between existing products that enable those better detections. And so it's not only an opportunity for better detection, it's also an opportunity for bundling, it's an opportunity for bringing some of those tools together in a unique way. And when it's done well, it actually improves the quality for the analysts. So I do think that there are opportunities here. I think that there are opposite cases where there are some vendors who are just going to try and consolidate as many of their products as possible and get you to buy into their portfolio because of it. And so it's important to be wary of those situations unless they fit your use case. But it has been interesting to see, more than many of the other opportunities for consolidation that I've seen in the space before, how this has actually been pretty successful in helping to reduce some of that vendor sprawl. Yes.

Dave Lewis

executive
#15

Yes, there's no shortage of that, in every organization I've worked at. Like, I spent 20 years as a defender before getting into the vendor space, so that is near and dear to my heart. I still wake up screaming, but that's another thing for another time. Now with XDR, the one thing that I find really amazing as a possibility going forward is something that was a giant hobgoblin for me when I was a defender: it was all these disparate data silos throughout an organization. It's amazing how often you have box hoggers. And to be fair, in the early part of my career, I was one. I was like, this is my data, you can't have it. But that really doesn't help an organization when they're trying to have that visibility. And like one story I had in one organization, where we were going through and checking out all the databases because we had this lovely little database scanner. And we scanned them, and then I was like, "Wait, this hasn't had a service pack applied to it in 3 years." And I went to the DBA and I said, "Why on earth has this not been applied?" "It's my data." "I'm sorry, what? No, it is the organization's data." So when we talk about XDR, I see this potentially as being a great way to connect all these disparate data silos. And while it will help security teams, it can also help for planning and scaling out for the organization. Do you see this as being a beneficial thing to tear down these artificial silos between various groups within an organization, to have better visibility for data?

Allie Mellen

attendee
#16

Where it makes sense, yes. I want to be clear, XDR is not going to solve the data silos problem. I think that a lot of technologies will try. And it's one of those things that's so process- and people-oriented of an issue that it can be very difficult to solve with technology. At the same time, there's a ton of data that can be very useful to XDR that is often outlined by the vendor, because especially with native XDR implementations, they're integrating data sources that are through the vendor themselves. So there's a lot of direction that you get from the vendor to help make those detections better, which is a huge positive. Now with third-party and some of these external data sources, there's value in bringing those in, too, but I'm always so cautious with some of my recommendations around that, because I see a lot of teams that just bring in a bunch of data, and they're like, "Just throw it all in here. We'll figure it out later." And then they never figure it out later. So I think that having the data is one thing, but having the data without operationalizing the data, there's no point in having the data at that point, unless it's for those other use cases.

Dave Lewis

executive
#17

I completely agree with you there. Now when we're talking about all of this data and having this all pulled together, like I have to go back to the earlier part of my career in the late '90s, when I was trying to write all these Perl scripts to get all the data to present. How important do you see prebuilt integrations for third-party tools being as part of any XDR solution that is made available for organizations?

Allie Mellen

attendee
#18

I think it's critically important. I think it's critically important that those integrations are done well, too. There are kind of two phases to this. I think that the breadth of the integrations is obviously very important, right? One of the biggest challenges there is that if you've got 30 different security tools in your SOC alone, then that's a lot of integrations, just for you, let alone all of the other customers that the vendor has to deal with. And so building those integrations is one thing; maintaining them is a whole other thing. And my big fear with the integrations that we see today across a lot of security tools is they just don't have the maintenance that the client needs to make sure that they continue to be useful over time and don't cause a lot of headaches for the customer. So I highly recommend not only looking to see the breadth of integrations but also the depth and the quality of those integrations and how that fluctuates over time, whether or not there's a ton of work being put into that, whether it's from the vendor or the community that the vendor has. I mean, there are a lot of different tools that have a big community behind them, and that leads to a lot of effort being done on the practitioner side to maintain those tools and to make sure that the integrations are working as effectively as possible. So that alone, I think, is something to look at very closely from a vendor, because it's difficult to get the integrations that you need working the way that you want them. And if there's a vendor that does that, that's a huge win.

Dave Lewis

executive
#19

Yes. And to build on this, what is the value proposition that you see with integrating all these open and connected solutions? Like, there's no way to drop in a solution that's just going to do that company's single product. We want to be able to have that open and connected integration because, like you said, there is vendor sprawl, and these are the kind of things that we want to be able to provide organizations, the ability to utilize all of the tools that they have in place. So yes, I think we kind of actually really hit on that already, didn't we?

Allie Mellen

attendee
#20

Well, I do think that the other thing that I'd mention there, I mean we kind of talked about it, but intentionality is really important here. That's one of the things that I saw early on with XDR, is that limiting the ecosystem actually made a big difference to the quality of detections. And it sounds counterintuitive because we've been told for so long, okay, bring in whatever data you can. The more data, the more context. But if you're not doing anything with that context, or that context is triggering a detection when it's actually a false positive, it's not really useful, right? It's actually causing issues for you. And so when we talk about XDR, we talk about it in the context of that limited ecosystem, even with the third-party data, to make sure that the quality is there. The important point here is that XDR is not removing the need for some of the other tools that you know and love to hate. Like, if you look at SIEM as an example, right, you still need to make sure that you're tuning in a lot of that third-party data for correlation and especially for custom detections. But having a balance between what you're able to accomplish and honestly get rid of in an XDR and stop having to bring to the SIEM, versus what you're bringing into the SIEM and still doing some custom work on, that's where the sweet spot is from a balance perspective, from a resource perspective.

Dave Lewis

executive
#21

And as a previous defender, I really agree with that, because it was one of my frustrations. I deployed 3 different SIEM solutions in 3 different organizations, none of which will be named, but it was absolutely frustrating. And being able to have a tool with prebuilt integrations, something that just works, something that's cloud-based, these are the kind of things that are really going to help organizations. And you know what, it's really going to help them; I believe that they will be able to leverage their costs on their previous installations of products. It's not a rip-and-replace conversation. It's like, how are we going to get greater visibility on what's already deployed?

Allie Mellen

attendee
#22

No, I completely agree. I mean, when I first started as a practitioner, I opened up a SIEM for the first time, which shall remain nameless, and I almost quit right there. I was like, "I cannot exist in this world. This is not the world for me." Thankfully, I stuck it out. But like, it's true. Like, that's where a lot of the analyst experience research has come from, is just the reality of what teams go through. We have so much work we can do to make that better.

Dave Lewis

executive
#23

Oh, yes, I completely agree with you on that point. And when we're looking at all these different types of telemetry sources and trying to get that unified view for an organization -- you ever have that moment where your brain just goes, no, we're not doing that? I just had that right now. So when we're talking about the benefits of implementing XDR within an organization and their security strategy, how does XDR fit into the broader security architecture and strategy for an organization going forward? So it's not a case of dropping in the product and off you go. It really is a long game. And how would you approach that?

Allie Mellen

attendee
#24

Yes. Awesome question. So there are a couple of different things that I'd highlight here. First off, luckily, implementation can be a little bit easier, especially for those teams who already have EDR in place. Since this is taking EDR and extending beyond the endpoint, if you've got EDR, you're already halfway there, right? Then it's just about integrating the right third-party or, depending on what the vendor offers, native telemetry sources into that system, especially those that make the most sense for your organization. So that's the first thing. One of the positives of this is, and one of the reasons that we were able to kind of understand and define this market better, was because a lot of the budget was coming from EDR already and should be coming from EDR already, which simplifies things for you and your team and also means that you're not having to go in and say, great, now I have another attempt at the single pane of glass that I can put next to all my other single panes of glass. The other thing that's important here is that, architecturally, where it fits into the rest of your products becomes a bit of a sticky question, right? The same thing has been true with EDR. And as you expand into XDR, honestly, the problem doesn't get better, which is, there are a lot of adjacencies. Especially, like, if you look at CSF, classically, we think of EDR as being detect/respond, right? But then you have the preventative features of endpoint prevention. And if you're incorporating that in, you have potentially like a VRM-like capability from your endpoint agent that you might be interested in using from the vendor consolidation perspective. There are a lot of vendors who are looking at, like, DLP use cases. So that is where things get very complicated.

Dave Lewis

executive
#25

Sorry, yes, just to build on that, what about it from a forensic perspective? Because I remember using a certain product that you'd start an analysis and it would be a white screen. You can go for coffee. I'm sure you know which one I'm referring to. But how would this help improve matters for an organization doing forensic analysis of an incident?

Allie Mellen

attendee
#26

Yes. This is also very true, really. Not only are integrations with forensics tools one of the first to come into this picture, but most EDR vendors have put a ton of work into building forensics capabilities into the offering as either a feature or an add-on. So from both sides of that, addressing the detection and response use case is the priority. And then secondary are all these additional features that could serve as potential replacements for these other technologies. Now whether or not they're up to snuff for what you need to do is so dependent on the use case, and you kind of have to go through it with each of those pieces in mind. But it sits solidly in that detection and response use case and perspective, bringing in things like sandboxing, things for forensics and all of that, and then used in conjunction with your SIEM to kind of have that balance between, okay, we're going to be doing our detection and response on specific use cases in XDR. We're going to know those detections are really high quality. And then if we want to do additional correlation or we want to do additional alerting, we can do that in our SIEM more manually, or in conjunction with SOAR.

Dave Lewis

executive
#27

Yes. So I'm going to shift slightly here. And I'm going to hit on the one thing that drove me bonkers when I was running a practice. It was the cost perspective. And like I talked about the 7 different logging and monitoring solutions at one company I worked at. How is XDR going to help improve that? Like, what is the material benefit for a CISO? Because let's be quite honest with ourselves, the vast majority of CISOs are never going to be hands-on keyboard at this point. They're going to be hands-on spreadsheet. And I may have sort of suffered through that. But when we're talking about it from a cost perspective, this is really the driving force for a lot of CISOs these days. And especially if you're in an organization that only has like 50 people. So you have to find tools that are going to help improve matters. So what's your take on that?

Allie Mellen

attendee
#28

Great, great question because I totally agree. And sometimes I get so bogged down in being like, "We got to talk about the practitioner," that I don't talk about the CISO, even though I write to the CISO, so it's a whole other thing. But I totally agree. And the cost-benefit is one of the things that's been very interesting to see because, if we look at this from the perspective of, especially if you're looking at XDRs that maybe they have native network capabilities, network security capabilities, detection capabilities there, that can be a very expensive thing to bring into the SIEM, any type of network data. That can get real expensive real fast. If you're able to do that correlation within XDR and not have to bring in all those logs into the SIEM, that's an automatic cost-benefit. And so I see a lot of teams who are using XDR to try and do some of the correlation without having to do the ingest into the SIEM, so they can kind of balance both of those issues and reduce their costs in the SIEM because with a lot of these things, like is EDR expensive? Depending on which vendor you go with, yes. Is SIEM expensive? Yes, yes, yes. And it is the most frustrating thing for practitioners that I talk to CISOs about. And so looking for ways through other technology that we can potentially reduce that cost like we're seeing with XDR is where a ton of the value comes in. Now there are edge cases where this is not true, and it's important to be cognizant of that. If you're looking to bring in third-party telemetry, depending on the model with XDR, that could cost you a lot, too, because we're looking at basically going back to ingestion costs, like we had with the SIEM. So finding the right balance is important. But coming back to the consolidation conversation, if you're thinking about areas you can consolidate as a CISO and potentially reduce costs, XDR is one area to look because you can start incorporating that telemetry into XDR instead of sending it out into the SIEM.

Dave Lewis

executive
#29

Yes. So I remember back in the day, like if there was a security incident in our organization, it was like drop everything, everybody scramble, you have operations, you have security. Legal would be standing in the background going, what's happening, all of these different moving pieces. And when you think about just the sheer cost of all of those people responding to an incident, it's one of those things where it's like where is XDR going to provide the best value within an organization. I don't mean just financially. But for example, what kind of cyber threats are best addressed by XDR? Because, like you were saying, it's not a magic solution that's going to solve all. But where is the best part of this where the value is going to be really significant for an organization?

Allie Mellen

attendee
#30

Yes. The value is the highest when XDR is focused on endpoint attacks that need more context, especially those that touch the endpoint or those that touch the cloud. So any that are really focused around, okay, where the center of the business data is stored and kept and understood, that's where you're going to see XDR providing the most value. Now as I mentioned, for different vendors, this means different things. Like, if you're talking to a vendor that's combining the network security elements and the EDR elements, then you're probably going to be able to get a lot more of that scope from the network side coming in, which is really valuable, especially if you don't want it to be so endpoint-centric. And so the flavors can kind of differ depending on which tool you're using. But overall, just to maintain the quality of detection, we see a huge focus on the endpoint piece and then on some of the cloud aspects as well.

Dave Lewis

executive
#31

Yes. So when we're looking at these different types of things and trying to see the value propositions, like the one thing that I really wanted to get, how does XDR handle the complexity of volume of data within a modern enterprise?

Allie Mellen

attendee
#32

Good question. This is one of the reasons why the control and kind of specificity of data that XDR is bringing in is so important, right? It's because one of the things that we talked about earlier is, okay, you don't want to just bring in all the data, you want to bring in the data that matters the most and is the most important for detection. That's the difference. And that is the crux of the difference that enables XDR to be able to build better detections, is understanding and contextualizing the data that it's choosing to bring in. It's also one of the reasons why we can address some of the cost issues that we would otherwise see with ingest-based pricing. It's more about the quality of the value of detections that you're building than it is about, okay, how much data can you bring into the system. Now that is fundamentally one of the most important pieces to this. The other piece that's important is that most of the XDR products in the market are cloud-native, and they are built for the cloud, they are built for the scale of the cloud. And so coming in and incorporating those components as well and thinking about this more as a cloud-native tool to be able to enable these use cases means that you're going to be able to do a lot from a scale perspective without having to have the team supporting it on the back end.

Dave Lewis

executive
#33

Absolutely agree with you there. So we've been talking about threats, we've been talking about how the data is processed, we've been talking about all those sort of key pieces. But one thing we have to always be cognizant of, the cybersecurity aspect of InfoSec, in general, is a very small component of it. Made a glib remark about policies and things like that. But there's that running joke of if you have 15 different standards and you write 16 standards to cover off all the standards, then you have 16 standards. So how can XDR help facilitate compliance as an example with all the different types of data protection and privacy regulations that we see not just in the United States, Canada and so on, but literally around the world?

Allie Mellen

attendee
#34

Yes. XDR is largely a factor into addressing some of the compliance requirements that organizations have, but it's not the only piece, and it's not often the solution that we see to this problem. One of the things that is inherent in the name, thankfully, of XDR is detection and response, right? It's very focused on that use case. And this is a conversation that I have quite a bit with CISOs, which is, okay, but can it address my compliance use cases? Can it address my UBA use cases? Like, all these other use cases that ultimately, they want because they want to replace their SIEM. And in many cases, it can't. And what I try to explain is that that's actually okay, right? One of the things that got us here with the SIEM is because the SIEM is a multipurpose tool. It does a lot of stuff. It's one of the reasons why it's so hard for other vendors to break into that market is because a tool does a lot. That's not a small amount of things, of features and capabilities. And so having specificity on what you deliver from the vendor side, to the CISO, to the security team, means that you can do it potentially a lot better than if you have to be supporting a ton of different features and doing a ton of different work in a ton of different areas at once. So I'd like to highlight that, but I'm curious your thoughts on this one and where you see it fitting in from a compliance perspective.

Dave Lewis

executive
#35

Well, it's one of those pieces where that was something that came up for me time and again within our organizations, be it in finance or in power systems and things like that, is that we would have those individual types on compliance. And there was a lot of commonality between all of the different types of compliance regimes. And nowadays, it's like I'm very glad that I'm on the vendor side because that's a lot of work these days. But any tool like this to help reduce the complexity within the organization, I do see as hugely beneficial. And I'll be flat out honest. I wish I had anything like this back when the world was flat. But I did well with my cave painting. They worked for me. When we're looking at these types of scenarios and these types of solutions and trying to figure out how we can best improve the day-to-day for not only the security practitioner, but the program manager and the CISO, it's like we can talk about all these individual components, but quite honestly, if somebody walked up to you today and said, "Where do I start?" It's like what organizations would you -- or what advice, sorry, would you give organizations that are considering going to XDR? Because quite frankly, this is new for a lot of organizations. And obviously, we share the mutual understanding that this is usually beneficial. But how do we get organizations to understand the value proposition?

Allie Mellen

attendee
#36

Yes. The biggest recommendation I have is slow is smooth and smooth is fast, right? This is not something where you want to rush in and start integrating as many different data sources as possible and basically recreate the SIEM. I think this has been my advice for some time with this, is take this piece by piece, look at what's going to be most critical to improve detections for your organization and choose what to integrate based on that. Because my biggest concern moving forward with the XDR market is how do we start to address more use cases without just becoming the same thing that the SIEM has become. Not that there's something wrong with what the SIEM has become because as we talked about, it addresses a lot of use cases. It has an important role. It's probably the most pivotal role within security operations, the most pivotal tool within security operations. But there are a lot of challenges that are difficult to address because of the scale and feature set that SIEM requires. So when looking at XDR, start with the base as an end point, that's the easiest approach, and then expand into other telemetry sources one at a time, seeing how they improve your detection capabilities. And if they don't, then it's probably time to cut them out and to not use them. If this tool is not improving detection quality, then there's no point in moving to XDR. And this is a part of a much broader topic that I talk a lot about with clients about detection engineering and taking the point of security operations and moving it from investigation and response to detection and response engineering and improving the quality of those to further investigation and response. 
But ultimately, as you think about how you want security operations to evolve, if you want it to move away from something that is very reactive into something that is basically a process of continuous improvement, focus on those detections and focus on those response playbooks and how you're building those better, whether it's with XDR or SIEM or SOAR and other components.

Dave Lewis

executive
#37

Yes. So you sort of hit on it right there about the evolution of going through this process. So yes, you don't want to just slap everything on it and hope for the best. Like with any technology, you've got to like gradually integrate everything smoothly. But I always love that question when you're having an interview or you're doing an annual review, it's like where do you see yourself in 5 years? So when you think that sort of question, apply it to XDR, where do you see the future of this? Where is it going?

Allie Mellen

attendee
#38

Yes. So the first report that I released for Forrester on XDR, the title was XDR is on a Collision Course with SIEM and SOAR. A lot of people thought that that meant a consolidation course, which it did not. Very importantly, it meant a collision. So in 5 years, XDR is going to be actively competing with the SIEM market. It already is, in some cases, in limited cases. Now that's happening in a couple of different ways, right? There are a couple of XDR vendors who have put together products that are able to start taking away some of the telemetry from the SIEM, particularly around things like network use cases, some of the cloud use cases. But the other thing that they're doing is having a SIEM or SIEM alternative capability that plugs in and has a similar user experience to their XDR. We see a number of different log replacements that are offered to us like a SIEM or log management as a SIEM replacement. We also see some that just have a SIEM, right? There are a lot of vendors that just have a SIEM and they have XDR together. Now within the next 5 years, what we're going to see is a continuation of improving XDR and making sure that that detection engine is strong while also supporting the integration of third-party telemetry into this log management SIEM replacement style offering to ultimately try to replace SIEM entirely or at least find a balance and a synergy between what's being offered on the XDR side and the SIEM side. So CISOs, security teams, you should expect, over the next 5 years, to see a lot more coming from XDR vendors to try to make that replacement, to try to make it very detection and response oriented and to start introducing additional telemetry into XDR that's going to further these use cases, particularly around cloud.

Dave Lewis

executive
#39

Awesome. Well, Allie, thank you so much for your time today. This has been actually lovely, and we got our little Bill Belichick dig in there as well. This has been absolutely lovely. I really do appreciate the audience sticking around for this, and I'm now going to pass it over to [ Katie ] to wrap this up.

Mark Watts

executive
#40

We'd like to thank you all for attending the event. We hope you found it informative. And as a reminder, please take a moment to complete the confidential survey that has been posted in the chat panel. It will also pop up in your browser as you exit. Thank you for joining, and have a great day.
