Cisco Systems, Inc. (CSCO) Earnings Call Transcript & Summary

June 5, 2024

NASDAQ US Information Technology Communications Equipment special 51 min

Earnings Call Speaker Segments

Mark Watts

executive
#1

Hello, everyone, and welcome to today's webinar. I'm Mark Watts, your Webex producer. In a moment, I'll turn the session over to Cam Dunn, but first, I have a few housekeeping notes to cover. [Operator Instructions] And at the end of the session, a survey will automatically pop up in your browser. Please click continue to complete the survey. We really appreciate your feedback. With that, we're ready so let's get started. Cam, in a few seconds, it's all yours.

Cameron Dunn

executive
#2

Excellent. Thanks, Mark. Thank you, everyone, for taking the time. Welcome to the world's most longest named webinar, Expanding Cisco's Secure Endpoint to Effectively Manage Vulnerabilities with Cisco Vulnerability Management. Very, very long title. I'll explain what it all means as we go on. You're all obviously Secure Endpoint existing customers. And we're just going to talk to you today about how you can leverage Secure Endpoint with Cisco Vulnerability Management to actually enhance what you're doing with management -- with Vulnerability Management in your estate. Bit of an agenda. There is -- and I apologize up front, there are some PowerPoint slides. There's always PowerPoint slides, sorry, [indiscernible] presentation, everyone has them. We'll get through the PowerPoint slides. Hopefully, we're then about 20 to 25 minutes, maybe a bit longer, depending on how much I'll waffle. After that, there'll be a bit of a demo of the actual platform itself showing the integration and how we get the data into the platform and what it looks like. And then there'll be some time for Q&A at the end of that. So put your questions in the Q&A, I'll try and cover them off at the very end when we leave 10 to 15 minutes to do that. So the agenda for today is looking at the current vulnerability management landscape, looking at Cisco Vulnerability Management as a platform, looking at how we integrate the Secure Endpoint. And as I said, a summary, a demo and into Q&A. So the current vulnerability management landscape. As of -- there's a slide coming up, I talked about it. But as of mid-May, there's over 250,000 registered vulnerabilities in the National Vulnerability Database, which is basically considered the source of all truth when it comes to vulnerabilities. They're the ones that allocate CVE IDs. They're the ones that do the CVSS scoring on vulnerabilities. 
And you can see from this graph here that in the last 3 years since 2021, that roughly 1/3 of all known vulnerabilities out there in the world have been released. So you can see this growth is exponential year-on-year. And that expected figure, that's actually for 2024. That's actually been blown out of the water. We're actually well over 100 CVEs being released every single day now. So there's going to be a lot of CVEs. So the problem becomes how do you manage all of those CVEs? How do you possibly know which vulnerabilities to go and fix, which ones are priorities? Because if everything [indiscernible] nothing is important. And we'll touch on that a little bit further on as I get into the slide here. But looking at this, you can see the trend is just continuing upward and upward and upwards. So even just focusing on the vulnerabilities that are released in 1 year, organizations are struggling to cope with remediating just those on to [indiscernible], anything going back, and it actually goes back past 1999. I can tell you about vulnerabilities that were around in 1996 that are still around today. So that's where we are at the moment. Everybody is struggling. All these SecOps teams are finding all these vulnerabilities and then handing them over to IT ops or different teams, Windows teams, your server teams, your Mac team or whatever it is to again do the remediation, but they're handing over basically a phone book of vulnerabilities to go and remediate, and then basically repeating the same process every month because those teams don't then have time to actually go and remediate or know which ones are the highest priorities to go and remediate the vulnerabilities. So this snapshot, I took this in mid-May -- it shows the vulnerabilities. So you can see there in the middle there's a total of 250,000 vulnerabilities. 
You can see the NVD is actually -- they started a process to recategorize and look at all the existing vulnerabilities and recategorize them with CVSS 2 version -- sorry, CVSS version 2, CVSS version 3, and now there is CVSS version 4. But that recategorization program is taking an awful long time. And if you look in the middle to the left there, you can see new CVEs analyzed in the day, the week, the month, a lot. There's very, very low numbers. There's not a lot actually getting done this year, this month. So they're not even keeping up with the new vulnerabilities that are being released, let alone vulnerabilities that have been released in the past and then having to go back and look at them. I think Log4j, for example, which came out in 2021. So they're struggling. So there's got to be better ways of doing things. And our research shows us that -- as I talked about earlier, we're over about 100 vulnerabilities every single day at the moment. But what we've also found, and this is in conjunction, it's not just Cisco, this is Cisco with the Cyentia Institute in the U.S. 95% of assets in an organization have at least one highly exploitable vulnerability. And on average, organizations are only remediating 1 in 10 vulnerabilities on assets in any particular month. So how do you know that 1 in 10 vulnerability that you're remediating is that highly exploitable vulnerability that's on those assets? And that's where we come in with this. So which vulnerability is truly risky. So this is where we're getting to what Cisco Vulnerability Management is. So Cisco Vulnerability Management, a little bit of a history, a bit of sidebar here. It was a company called Kenna Security that Cisco purchased in 2020. It had a name change last year. It stayed Kenna Security for a while, but it had a name change to Cisco Vulnerability Management last year. Cisco Vulnerability Management/Kenna invented the term risk-based vulnerability management. 
And what it is, is looking at vulnerabilities in terms of what is a risk to a customer organization, what vulnerabilities are truly risky. So you can see these blocks here on the screen. You see 51% in a gray box there. That 51% means that 51% of all known vulnerabilities have not been seen in organizations and don't have an exploit for them. So immediately, we've got rid of half the vulnerabilities because there is no exploit for them. We haven't seen them in customer environments. So they don't need to be fixed. The 29% observed and not exploited. That means the vulnerabilities are out there. We've seen them on customers' environments. We've seen them on servers. We've seen them on routers, switches, firewalls, desktops, whatever it is. We've seen them, but there is no exploit in existence for them. So again they are not at risk because nobody is exploiting them. The last one, 15% down green, we haven't seen the vulnerability, but the exploit has been published. So it is -- there is an exploit out there, but we haven't actually seen it in customer networks. So again, it's not a priority because it's not actually out there being exploited. The truly important vulnerabilities are that 5% in the light blue box there, and it's roughly 2% to 5%. These are vulnerabilities that have been seen in customer networks, have an exploit and are actively being exploited out there in the [indiscernible]. And again, think of Log4j. We've seen that exploited over 130 million times since 2021 when it was first released. So these are the ones that you need to focus on, 2% to 5%. So how our scoring works versus other strategies and I will get through all of the -- flashy bits. This is actual customer data. So this is a customer with over 180,000 vulnerabilities. And now we're using CVSS scoring mechanism and traditional scanners. And I'll cover what we do against traditional scanners, in a moment. 
But you can see that the figures over 180,000 vulnerabilities, CVSS was telling them over 100,000 of those vulnerabilities were considered high risk. The scanner, and I won't mention which scanner it was, there's 3 main scanning vendors, Rapid7, Tenable and Qualys. One of those scanning vendors was telling them that over 136,000 of them were considered high priority. When we ran it through at the time Kenna, but Cisco Vulnerability Management, we actually found that only 2,000 of those 180,000-plus vulnerabilities were considered high risk, which means they had an exploit and were out there actively being weapon [indiscernible] in the wild. So that's only 1% of the total vulnerabilities. So if you're handing a list of vulnerabilities over to your remediation teams, and that list is 137,000 or it's 2,000, you can tell which one is going to be actioned a lot quicker. The other side of this is we actually found 111 CVEs that were not found by the scanner and 51 CVEs that were not found by CVSS. So they're false negatives. So scanners traditionally and CVSS, think of CVSS as a point in time. When that vulnerability is being released, it gets a score, a CVSS score, now it's version 4. But it generally doesn't get changed. They don't generally go back and change that based on what happens to it. Sometimes it does happen. Sometimes it can go from a 3 to a 10 but most often it gets released with the score, and that score stays with it for its life. Scanners want you to go on and fix everything possible so that they don't miss anything. But what we're telling you -- and I'll get into the research and how we do that soon. But what we're telling you is, actually, in this instance, of those 180,000-plus vulnerabilities, only 2,000 of them are high priority and need [indiscernible] to be fixed immediately. 
That's not to say don't go and fix those other 182,000 vulnerabilities at a later date, but the ones you need to focus on, the ones that are actually a risk to the organization are those 2 things. And I'll touch on how we do that in a sec. How do we get through the noise? So we look at a whole lot of different things out there in the world. And there's a slide that covers this in a bit more detail soon. But we look at MITRE, we look at the NVD, we understand the score and we look at chatter. So we look at -- I think there's 3,200 different sources that we look at out there in the world. Things like Twitter, dark web, all those sources that we're monitoring for chatter about vulnerabilities. That helps them inform our score of the vulnerabilities. We have 19-plus threat and exploit feeds, which I'll cover in this slide. We look at threat actors, malware families. And we also look at the volume and velocity of exploitation. What does that mean? How often have we seen that vulnerability being exploited in the last -- and you can see there on the screen, in the last 24 hours, we've seen this vulnerability exploited 7,240 times. So that, again, also informs our scoring. Obviously, the more volume and velocity that we see on a particular vulnerability, the higher that score is going to be. So this is all part of our patented machine learning and data science. There's 8 patents and another 4 patents pending on this. And we also incorporate the prediction of vulnerability exploitations. So what we're trying to do there is, instead of acting -- after the exploit, we're acting ahead of the exploit. So we're looking at vulnerabilities and going, okay, in the next 30 to 60 days, what is the likelihood that this vulnerability will be exploited? Now we tested this when it was first written. 
And again, our Chief Data Scientist that came from Kenna and is now at Cisco, helped create risk-based vulnerability management, also helped create something called EPSS, Exploit Prediction Scoring System, which looks at the risk of a vulnerability being exploited in the next 30 days. We're 96% accurate on that. EPSS has actually been licensed back to FIRST [indiscernible] for anybody to use. So you can plug any vulnerability into that. If it hasn't got an exploit already, it will give you a prediction on how likely that is to be exploited in the next 30 days. So how do we get all this together. You can see on the left-hand side all your enterprise data. So we take -- despite being a Cisco product, completely vendor agnostic. We'll take data from any tool that can give us vulnerability information and associated asset vulnerability -- asset information, sorry. So cloud and on-prem scanners, so Qualys, Rapid7, Tenable, we do endpoints. So obviously, Cisco Secure Endpoint is what we're talking about here, but we also do Carbon Black, CrowdStrike, Microsoft Defender, a whole lot of other different sources. We do see [indiscernible], we do network discovery tools. We do SaaS test, all those sorts of things pull all of that data in. If you -- as I said, if we can't have a native connector to it, you can give us a flat file with that information in it in CSV format, we can still get that into the platform. From that, we have our global threat and Intel feeds. As I mentioned earlier, we've got MITRE, we've got 19 plus threat and exploit feeds, malware families, all of that sort of stuff into our dashboard. From that, you get a unified dashboard. So we can consolidate all those sources of data, we deduplicate, we normalize that. So you get one coherent and standard score that everybody could then use. We get prioritization on which vulnerabilities to go and fix first. We give you guidance on if you have a 1-hour change window, what is the best use of your time? 
What are the top vulnerabilities to go and remediate in that 1 hour change window to reduce your risk score as quickly as possible. We also have integration with 4 major ticketing platforms, so you can create a ticket from directly within the platform that then will go out via an API call, create that ticket in that platform, bring the ticket ID back and associate it with the vulnerabilities. Then we're talking at the end, you can see 330, 740, 520. We work on a low, medium and high scoring system. So you can see green, low; amber, medium; and red is high. And everybody understands that score. So no matter who is logging into the platform or who's looking at the platform, they understand what the scoring means. These are where we get our telemetry from. So as I said, we're vendor agnostic, but we're also taking out data, it's not just Cisco telling you these things. It's [indiscernible] Exploit DB, ReversingLabs, [indiscernible], Secureworks. All of these different organizations, we pay money to every month to give us updates on all of this stuff. So these feeds are updated every 30 to 60 minutes. So we're basically now working in near real time on any vulnerability that all of a sudden becomes an active threat. So I think, again, Log4j back in -- what was it, 21st of December 2021, we scored that vulnerability. I think it was around about 25 at the start of the day, which is basically as low as we can score. By the end of the day, and our scoring it reached 93. A week later, it went to 100. It's been there ever since. Why did we change it so quickly? Because these sources were telling us that Log4j had blown up. It was starting to be exploited out there in the wild, and I'll actually show you that in the platform later on. But you can see all these sources are constantly telling us what's going on with vulnerabilities out there in the world. 
So even if one source tells us that vulnerability is being weaponized, we then look at the other sources to back that data up so that you can rely on the fact that multiple sources are telling us that our vulnerability needs to be exploited out there in the world. And I threw in a quote there at the bottom there from Kevin Towns and its security, we're just saying that the NVD can no longer be considered a single source of truth on vulnerabilities, and that's because what's happened with the NVD and them trying to update it and things like that and then not taking into account the exploitability. There is an exploitability at a point in time, but whether it's been exploited out there in the world and how often it's been exploited out there in the world. We integrate with all of these different tools. This is a very, very in-your-face slide, but it just gives you an example of all of the different tool sets that we connect with. So most of our connectors are API driven. As I said, where we don't have a native connector, we can bring that data in via flat file. We actually have a GitHub repository of connectors that haven't been built yet. We are fully SaaS based. So there's nothing to deploy. Obviously, you've already got Secure Endpoint out there in your organizations, but there's no other agents to deploy. You don't have to spin up of the NME where we live in AWS and we're actually pulling data from these platforms that you're already giving data to, into our platform to consolidate it into one place. So you can see Tenable, Rapid7, you can see all the EDR solutions there, you can see a whole lot of different other solutions in there. And this is just some of them. I mentioned native connector is API. The Open Source toolkit. So this is API connectors that haven't been released yet. They work or they haven't been through the full testing process or they might be niche vendors or vendors that we haven't had to deal with that much. 
So they haven't been fully released in the platform, but they're on the road map to get into the platform. And then for everything else, there's the data importer. How we do our scoring? So this is what I want to talk about how we differ from traditional scanning vendors in the way that they do risk-based vulnerability management. So all 3 of the major scanning vendors have been doing what they've been doing for quite a while. I used Qualys as an example, Qualys has been around for 20-plus years. They've been out there doing a great job with scanning. All the scanning vendors do a really good job of scanning. We're not here to replace them. We are here to make them better. So we still rely on them for getting data into the platform. If you're using Qualys internally or Qualys externally and Tenable internally, we will aggregate that, deduplicate that. The way they do their scoring there is flawed. So they've come to risk-based vulnerability management like they've decided or hang on -- there's hundreds of thousands of vulnerabilities, some organizations, and we've seen this, have millions of vulnerabilities within their organization, and they're just not coping with the volume. So they've tried to come out with their own versions of risk-based vulnerability management. All of them are based on tagging. So all of them start with the asset as their source of criticality. Now I don't know how many of you have dealt with Vulnerability Management platforms, but I can tell you again, using Qualys, for example, you tag an asset, and that tag then has a score on it from 1 to 5 in terms of criticality. 5 being the highest. But you can tag an asset with multiple different tags. Then with tag wars. And then somebody who created the tag might leave and a new person comes in to replace and goes, I don't like that tagging scheme or I want to put my own. But they don't delete the old tag. So all of a sudden, you could have 20, 30 tags, all fighting to be the most important. 
And then, say, my laptop here, which is very important to me. But in the overall scheme of things at Cisco isn't that important. So -- but it might be tagged 5, which is the same as what an Internet-facing Microsoft server would be. They're not the same. And they're not as important, right? Mine's not as important as the Internet-facing server. So the way we approach it is that the vulnerability is the source of truth here. The vulnerability -- remember, this is based on our 19-plus threat and exploit feeds, we score that vulnerability 0 to 100, 100 being as high as we can possibly go. Again, Log4j, 4j is 100, is a huge risk to organizations that have that within their environment. So we start with that scoring, then we wrap asset context around it. So the highest scored vulnerability on an asset wins. So you can see there in the top -- in the bottom left, we have 3 assets, asset 1, 2 and 3, all of them have the same 3 CVEs on them. CVE 3 is scored 100 obviously, it is the highest priority. Then we wrap asset context around that. When we first ingest assets into our platform, every asset is given a priority of 10. Priorities range from 0 to 10. We give you the option of changing that afterwards, but everything is important until you tell us otherwise. So once you start breaking up all of your assets into logical constructs, and I'll talk about risk meters, and I'll show you risk meters when we get to the demo. But those logical constructs are, you could do any search you like, you could do it by a geographical region, you could do it by business unit, you could do it by all of my Windows desktops, all of my Windows servers, all of my Windows assets. Linux, Mac, whatever search criteria you can think of, you can search for an individual CVE like Log4j, you can search for IP address ranges, all that sort of thing you can do. Those logical assets then become a risk meter. 
All assets within that risk meter, the average of the score gives you that score, and you can see they are at 100. But how do we get to that? So the priority multiplied by the high score vulnerability gives you that asset score. So asset 1 is priority 10, it's multiplied 10 by 100 gives you 1,000. Asset 2 is a priority 7, but it's got a 100-scored vulnerability on that. 7x100 is 700, but we know it's Internet facing. We don't see an RFC -- what is it 17, 19, 18, 17, 19, 17 -- one of those. We automatically give it a 200-point bump because we know it's Internet facing. So it goes from 700 to a 900. Asset 3 is a priority 5, it's non-Internet facing, so 5x100 gives you 500. Add 1,000, 900 and 500 together, the average of them is 800. So that gives you a risk meter score. It's pretty simple system once you understand how it works. But there's a lot that goes into working those scores out. And that 0 to 100 takes into effect -- into account things like is it an active Internet breach? Is it a popular target? Is it easily exploitable? Is it a malware exploitable? All of these factors go into the scoring, with a little bit of CVSS, that's in there as well. And that all then informed us going from 0 to 100. So how does this work with Secure Endpoint? And I'll pause here just to give everybody time to digest what I've just done, but how do we work with Cisco Secure Endpoint. So think of all those different sources that I just talked about, that all those different, the 3 major scanning vendors, all the other EDR sources. Secure Endpoint, whilst it's a Cisco product, is to Cisco Vulnerability Management, another source of asset and vulnerability information. How do we work with that? We can ingest. 
We actually have been for quite some time, and I'll digress a little bit here, informing Secure Endpoint as to the risk score -- and there's another slide that covers this later on, but the risk score of an actual endpoint comes from our data science and machine learning for every single asset in Windows and Mac at the moment, I think it is. But what we've done is built another connector that allows us to take Secure Endpoint with the Orbital engine running underneath. That Orbital engine can then scan that asset, tell us what the operating system is, what version of the operating system is, what patches of that operating system exist, what applications are on that particular asset and what version of those applications are. There's a detailed slide coming up, and I'll cover that. But just think of it as another source of adding into Cisco Vulnerability Management. So you probably already got some sort of Vulnerability Management scanner out there. You are using Cisco Secure Endpoint as your EDR. You may have other different sources that are giving you vulnerability or asset information. We can aggregate those all into the one place. I'll skip this slide because it basically talked about a lot of that what I've just talked about, but it's a continuous assessment. So it's not like think Qualys Cloud Agent. Qualys Cloud Agent checked in every 4 hours. It's near real time for Secure Endpoint in terms of feeding information back. What I will do is skip to the next slide where we talk about the data flow overview. So we have endpoint out there. The VM platform queries endpoint. It then produces a list in a JSON package of the applications installed on there, their versions, the operating system and versions, sticks that in the cloud storage bucket. We then pull that back into the platform through Cisco Vulnerability Management into our inference API. So all this is done by API calls. 
We then query for the list of vulnerabilities based on that information that we know. So we know the operating system and versions, we know the applications and versions. And from that, we can give you a list of all the known vulnerabilities that would be on that particular asset. That then gets fed back into the platform, which is step 5 and then step 6 shows you those vulnerabilities and associated assets within the platform. Hopefully, that all makes sense to everybody. On the left there, you can see Vulnerability Management. So this is the platform on the left. On the right, in the Secure Endpoint console, you can actually see -- and it's quite hard to see there, but here the Cisco Security risk score. So this is the risk score for that particular asset. Hopefully, that makes sense to everybody. So we can see what this particular asset is, and then we give you the risk score based on that. And then over here, we have the asset and associated vulnerabilities within the platform. So it just makes it easy for everybody to go and look at this particular endpoint and okay, this endpoint is a lower risk because it's while it's medium risk. And then once we're in Vulnerability Management, then you can set up with role-based access control, say this one is a Windows 10 home build. We could have all of those Windows 10 assets in one particular group. Whoever is responsible for those can log into the platform using role-based access control, only sees the assets that they're responsible for. Doesn't see the entire estate, doesn't see, say, 4,000 assets, only sees 100 assets that are their priority. So we filter there. And then you can identify, filter and give you the riskiest endpoint. Then you can use, you can export that, share with other teams. Other people can have access to it. We can send reports out. We can export into [indiscernible] and import into something else like Splunk. And then do whatever you like with that data. 
It's full API access back into the platform as well. So any data you can put into the platform in the CVM, you can pull out [indiscernible]. These -- I'm not going to bore you to death by reading through all of the detail in these, but you can see Secure Endpoint, everything Secure Endpoint gives you on the left. Then Secure Endpoint with Vulnerability Management on the right-hand side, you get an additional whole lot of other different connectors. So there's actually no real theoretical limit on how many connectors you can have, depending on your licensing tier and how many assets you've purchased with Cisco Vulnerability Management to use it. You can create connectors to your heart's content to pull in all that sort of data. We give you information on all CVEs that are in your organization. So on the left there, with just Secure Endpoint, you only know about the CVEs on that particular asset. And that's Windows 10, 11, macOS 11 and 12. With integration with CVM and then other scanning sources, it doesn't matter what the asset is. If we've got asset and vulnerability -- and associated vulnerability information into the platform. And as I said earlier, that could be routers, switches, firewalls, printers, anything Internet-enabled, anything could be scanned by a scanner and pulled into the platform, we can tell you the vulnerabilities and then prioritize those vulnerabilities. You can see the use cases and benefits. I'm not going to talk through all of those different ones, but it's prioritization, which of the vulnerabilities pose the greatest risk, go and focus on those, which are the vulnerabilities that we predict are going to be riskiest, go and fix those next. You can do benchmarking against peers. So within your industries, you can look at how you're going against other -- obviously anonymized data, but others in your industry and it gives you remediation guidance on which ones to go and fix as quickly as possible. There's a second page of that as well. 
Obviously, Secure Endpoint as a stand-alone doesn't give you risk meter scoring. It doesn't give you organization level scoring. It doesn't give you benchmarking guidance, ticketing integration, all that sort of stuff. We are, as I said, we are Cisco, but we're vendor agnostic, it makes sense, obviously, to integrate with all or as many as possible of the other Cisco tools that are out there. And obviously, Splunk will appear on here at some stage as you probably heard. We're integrating with AppDynamics. We're integrating with Firewall, Secure Workload, Panoptica, there is a partial integration with XDR. So what happens is -- and I don't know how many of you out there have gone and watched the release or the videos on Cisco Hypershield. But one of the 3 key pillars of Hypershield is risk, and risk scoring and that risk scoring comes from the machine learning and data science under the hood of Cisco Vulnerability Management. So that same scoring is informed in AppDynamics. That same scoring is informed in Panoptica, that same scoring is also in XDR. So it's being used across all the Cisco security tools. It's actually also being used internally. We used to use one of the scanning vendors. We've actually removed that. We're using -- we're drinking our own bathwater to put it a little bit crudely, but we've got Secure Endpoint out there, and we're using Cisco Vulnerability Management. So you can see there, there's a whole lot of stuff coming through the pipeline. So enough of me bothering. I think I'm pretty much bang on the half hour. What I'll do now is switch to a demo of the platform and show you how we get the data into the platform, how we can break that up into logical constructs, i.e., risk meters. And then from there, I'll show you how we go to [indiscernible] that up and then focus on risk, focus on the highest priority, focus on the remediation, things like that. Hopefully, this hasn't timed out on me. 
This is the homepage when you log in to the platform. It's a very simple user interface. And as I said, it's fully SaaS based. So again, nothing to deploy. You've already got Secure Endpoint out there. It's just feeding into the platform. So log in via URL to the nearest pod. This is the homepage that you'll see, which gives you a summary of your environment. So this is a demo environment. You can see my overall risk score as an organization is really high, 710. I obviously want to get that down. Over nearly 14,000 assets with nearly 1 million vulnerabilities. We have fixes. So we pull fixes from whatever scanning tool can tell us about it, we were also pulling from the NVD. You can see the mean time to remediate and have [indiscernible] be days, and then there's a remediation score. Now remediation score is not the same as a risk score. They're not related. So remediation score, if I click on here, we'll show you it's composed of 4 separate areas, coverage, capacity, efficiency and velocity. Are we fixing the right vulnerabilities? Are we fixing enough of the right vulnerabilities? Are we fixing enough of the right vulnerabilities quickly enough? That's what it's a measure of. At the moment, it's as an organization. So you can see as an organization, our remediation score is 51. The higher that score, the better. We will be introducing that as a remediation score risk meters. So say you had a Windows risk meter and a Mac risk meter, you've got 2 different teams, you can almost gamify their scores higher than mine. Why is that and track how they're doing against each other. It is not related to the risk score. The lower the risk score, the better. So it's basically the opposite of the remediation score. Remediation scoring is part of our premier tier licensing. So remediation score, access to our VI, which is Vulnerability Intelligence and Cisco Talos integration for 0 days are the 3 benefits of moving to the premier tier. 
Step back, how do we get data into the platform? So Connect is the way that we do this. If I click on Connect, as you can see in my demo environment here, I've got 54 different connectors because a lot of people use the demo environment. But to create a new one, it's simply a matter of clicking and connecting. And you can see all the [indiscernible] are in there. You can see we have Bug Bounty discovery, DAS, Open Source, SaaS ticketing, Vulnerability Management. Obviously, Cisco Secure Endpoint, we're talking about it here. If I click on that, I tell us what service I'm using and then the cloud ID, I can set an asset in activity limit. Why you would do that is if I say -- I think the default is 30. If I say after 20 days, if I don't see this asset from a regular connector run, mark it as inactive. And then another 20 days after that, if I don't see it again in that time, I'll actually delete it from the platform, and free up that license to be used somewhere else. So that's why we set an inactivity limit. Once we save that, it goes out -- does an API call check that can connect to using the credential that I've given it, and we're good, and then it will appear in that list that you can see way down here. With other connectors, we can do the similar thing. So say I wanted to do Qualys, I can set Qualys to go, give it a name, tell it what region and give it credentials. Obviously, we recommend you create credentials that are valid to the particular vendor that you're using. So in this case, it wouldn't be my Cisco e-mail address. It would be something like CVM user at [indiscernible] or CVM quality user, et cetera. And then you can actually set a schedule on when it runs. But by default, the connected to Cisco Secure Endpoint runs every -- correct me if I'm wrong, Bradley, but I think it's every 4 hours, but it might be sooner than that. With the scanning vendors, you can set it daily, weekly, monthly. We find most customers are doing virtual scanning weekly. 
So recommendation is to run the connector run after that scan, set time to process. The results are [indiscernible] at the end, we can then run the API call going for them in the latest data. The very first time the connector runs, it will pull all your data from that particular platform. So all of the assets, all the associated vulnerabilities, tagging -- we understand tags, so we pull all those tags in as well. Every time it runs after that, it's just a delta. So what's changed since the last time we ran? What new assets are there, what assets have been removed, what new vulnerabilities are there, what vulnerabilities have been remediated? So there's actually not a huge amount of data being pulled after the initial run. Also, all data is encrypted 256 bit end-to-end. So during transit and also at rest within AWS, all AWS instances are kept isolated from each other. So you're never going to see another customer's data in your instance. So once we've built all of those, we save them, we verify them, then we're getting data into the platform. So if I go to VM Explore, this is where we see all of our data. That summary page that I showed you earlier, you'll see the same thing here once it finishes loading. We've got 13,000 assets, nearly 1 million vulnerabilities and 10,000 fixes. So from here, what do I do? How do I start divvying up this data? How do I start looking at what -- ones are a priority? What vulnerabilities are priority? I would just start clicking and randomly looking at things like I look at this asset. It's a priority [indiscernible] service. I want to leave that as a priority 10. But the next one down might not be or how do I start filtering that? So a really quick and -- and obviously, wouldn't do this in a production environment, but a way to show you how quickly we can hone in and how quickly we can produce that number. I've got 975,000 vulnerabilities, but I only want to focus on the vulnerabilities that are considered high risk. 
So I do risk for 70 to 100. We see this number will drop rapidly. So from 975,000, we're down to 23,000. Out of nearly 1 million vulnerabilities, only less than 25,000 of them are considered high risk. Why are they considered high risk? If I click on the vulnerabilities themselves, you'll see this particular one here. It happens to be a WebEx one, so we might get past that one. This Java 1 here. If I click on this and one back from 2013, we give you a description, we give you a fix for it, but we tell you the known exploits. So there's 28 known exploits out there in the world for this. And that's not -- again, not just Cisco telling you this. It's [indiscernible] reversing labs. All these different sources are telling us about it. Where possible, we'll give you a link to it. You can see the score here 100 out of 100. There's 708 known pieces of malware for this particular vulnerability. Where do we see it from? We saw it from Qualys [indiscernible]. If there's multiple sources that we saw that vulnerability from, say, using multiple different scanning tools plus endpoint like Cisco Secure Endpoint, they would appear listed here as well. So it's not just Cisco telling you this. We're backing this up with third-party data and multiple sources of third-party data. So even if I click back here, and still waiting for it to come back -- all away. If I come back here, even if this vulnerability was -- we list the CVSS score there. So -- and we also listed the scanner scores where it's available. So even if this vulnerability was less, CVSS 5, we would still score that highly because of those different sources that are telling us about that. So that was a really quick and dirty way of showing you if I reset those filters we go back to where we were. What we want to do is break that data up into more logical construct. So I might want to create a risk -- particular risk mean adjustment based on secure endpoint. So I've seen all these assets via secure endpoint. 
How do I do that? So we have a full custom query string in here. We can use a whole lot of different asset terms. And as I mentioned earlier, we can sort by IP address, we could sort by operating system. We could sort it by a particular asset idea if we know it. We understand [indiscernible], and we understand [indiscernible], Ocean, et cetera, et cetera. We can use scoring term -- date terms any of those. You can use vulnerability terms. So you look for a specific CVE. We can look for a CWE. We can look for a vendor. So you could do all Microsoft, things like that. We understand CVSS score. We understand scanner scoring. So you can filter as well. So you could do what we consider CVM high risk and also scanner high risk and match them up or scan a low risk or you can just do all CVM high risk and start filtering that way. We also give you ability because we have all these drop down to you. So you can use any or all of these asset filters. So I could do Windows or Linux or Windows Server 2008 just by clicking that and it would filter down. What we're focusing on now here is how we're using Cisco's Secure Endpoint. So what is my connector-type? Cisco Secure Endpoint. So if I click on that, I'm filtering my 975,000 vulnerabilities down to 2,000 vulnerabilities on 18 assets. So you can see here, all of these assets have come in via that. See I've checked that little box there for Cisco Secure Endpoint. So these assets have all been brought into the platform. And you can see this in tag in there as well, you can see the locator ID which is the host name and then you can see the associated vulnerabilities. Now I can save this group. And remember, I talked earlier about scoring. You can see for this group, the score is 690. So I could say this as Cisco Secure Endpoint assets and create that group. What the more [indiscernible] of you will have high risk is I've created this, still got the same numbers here, you still have the same number up here, but not [indiscernible]. 
So every time I create a risk meter, [indiscernible] 30 buttons. And what these buttons are is what we're talking about earlier, guided remediation. So you can see there's 916 fixes there. But if I click the top fixes button, it goes and works out. What are the best use of my time or what are the biggest bang for [indiscernible] vulnerabilities to go and remediate. So in this case, it hasn't had time to fully process, but you can see there is a score reduction of 19 by going and fixing this security update. How do we do that? Well, we give you the diagnosis. We give you the consequence solution. What CVEs have to address it, what assets effect. With our ticketing integration, we can click on a ServiceNow ticket fully populated with all of the details of it. You can use templating, you can assign it to a particular group, create that ServiceNow ticket. It will go off and do that, bring the ticket ID back and associate it with the CVEs. It will reduce the risk score, but it won't close the vulnerabilities. We won't close these vulnerabilities until the source or sources that told us about the vulnerability, confirm that the vulnerability has actually been remediated. It's kind of a double check because anybody could close the ticket off without actually doing the work. So we're kind of covering that there. So that is our guided remediation. This is saying, okay, go and fix these ones to reduce your risk scores as quickly as possible. The second button in there is a reporting button. So again, every risk meeting that it create has its own reporting. So if I click on that, it will give me a summary of this. And now I just created it, so it doesn't have last week, last month and 90 days ago. But it gives me a summary of the assets, the vulnerabilities, unique fixes. I'll come back and talk about top priority active Internet rate, et cetera, et cetera, but it gives you the figures for those. 
It gives me the current score, what the highest score has been, what the lowest score has been and the vulnerability density, which is the average number of vulnerabilities per asset within that group. There's a whole lot of graphs that you can see, trend lines. And as I said, we just created it. So the trend lines aren't in there yet, but you can see the current risk information. Of the 2,621 vulnerabilities in that, only 43 of them are high risk. You can see the different types of vulnerabilities by tag, by operating system, you can see the scoring. Traditional scanning and CVSS will have these columns high, not these ones. There's a whole lot of different ones in there about how we're doing due date form. So we have SLAs in here, how we've gone 9 months, oldest vulnerability, et cetera, et cetera, et cetera. We give you the ability to export the indoor PDF. So you can give that to the team and go this is your current state this month. What we also give you the ability to do is create your own template based on any or all of those particular graphs that you can see down the bottom there. So you can include or exclude any of those [indiscernible] in Custom One, that can then be used across the entire platform. Of course, we're both there. I'll step back. So we've created our risk meeting here, and you can see the name of it up here. All these buttons are available up here. Now what I can do is further filter based on those buttons. So you can see there's no 0 day. If I had a -- this demo environment is a premier tier license, but if there was a 0 day that when would be highlighted, I can click on that. And then identify CVEs that considered 0 days by Cisco Talos. But what I can also do is filtered by these. So out of my 2,621 vulnerabilities, 32 were on active net [indiscernible]. So I can click that button and it will filter down to just the 32 vulnerabilities. 
Or I could use combinations so I could use active network easily exploited, which would give me [indiscernible] based on those. So what I could also do is say, use the query string, 66, and then this will filter within here just those high-risk vulnerabilities that I talked about earlier. Remember, there was 43. There it is. So if I save this, I can say that as secure endpoint assets high risk. I won't do it because I think I've already created that money out there. But now we're focusing on just the 43 vulnerabilities that are considered high priority and there they are there. We'll give you a list of them. We wish the CVSS score. So in this case, they match. If you were doing at and above, this would be a miss, but we're scoring that 90. This one's an 85, even though CVSS says it's a 4.3. Why? I'll click on it, we can show you. There's 49 exports for out there. Metasploit Exploit DB, our own Cisco research tells to stack. So we're telling you it's out there being exploited, which is why it scores higher. So again, that would be a false negative by CVSS scoring standards. So you can use any of those filters there to further filter in. You can see with this one, there was a ticket created for this particular vulnerability, and that's come back and associated with it. You can also see these little buttons down here. Match up with these ones. So we know there's a fix available. We know that it's an active net purchase exploit or more on a [indiscernible] popular target. The last one I'll focus on is predictive exploitable, which is, remember, I mentioned during the slide where EPSS, exploit predictability scoring system. So this hasn't been exploited yet but we predict with high confidence that it's going to be exploited very soon. So what we're suggesting is that when customers use this, when we bought in all your information from Secure Endpoint, you can then look at those particular vulnerabilities and go, okay, I fixed all of my high priority ones. 
Now I'll come back and look at my predictive one. So then you're working ahead of threat actors to actually go, okay I am fixing this vulnerability before it gets exploited. And with a high confidence we're actually 96% accurate. That vulnerability is going to be exploited in the next 30 to 60 days. So if you're remediating it before that time, then you're working ahead of the attack and you're actually less risk. That's pretty much it for the demo. I wanted to just jump back to Slide where -- just quickly, just to cover a couple of other things. In summary, the use cases that I wanted to talk about, prioritization of vulnerability, focusing on the vulnerabilities of the highest risk, centralization of vulnerability. So bringing in every different source of vulnerability management year out there. We found that customers were using 20, 30 different tools within the security space. How many of them have Vulnerability Management tools? We don't know but often they have pen test data. They have scanner data or they're using scanners for this or they're using something else for that. Getting all of that aggregated into the one place. It's trickier than you think, and a lot of people are struggling to do it. So centralized agnostically into their platform to be able to look at all of that data. And then looking at predictability of explosion -- exploitation using EPSS to go, these vulnerabilities are going to be exploited in the next 30 to 60 days. Out of that, out of the use cases, we get -- we see a 2 to 5x improvement in risk reduction and we can do more with less. You can see the figures here on the right-hand side. The last one, cost reduction. So if you already got Secure Endpoint deployed and you're using quality and you've got cloud agents deployed, there's a couple of things here. First, you've got agent [indiscernible]. You've got multiple agents on our assets, and that using up resources and often they don't work together. 
I've always seen an instance where a vendor -- scanning vendors endpoint actually took down a customer network because they turn on a feature. It didn't play well with another endpoint that was already running on there. Whole thing fell over and they had to back it out. So if you can reduce the number of agents, great. What you can also do if you're reducing the number of scanning agents on there and using secure endpoint that's already deployed, you are saving money by not using those licenses for those all those endpoints you have deployed. So that's a cost benefit. By utilizing secure endpoint with CVM, you don't need to pay for those scanning licenses on all those end points you've already got to say Qualys agent. There's a couple of cost benefit analysis. So there was a Forrester report that came out in April of 2023 that says there's a return on investment with CVM within 6 months, 125%. There's an Onvia report, which talks about who's doing well. So most people use Gartner. Gartner doesn't actually have a risk-based vulnerability management map yet. So we're using Onvia because it's the one that does. If you look there, Cisco is very high, just behind Vulcan and Nucleus. But most customers focus on us. Everybody is trying to catch up to where we are. There's some more info there that you can go and look at. I think this will be made available to everybody. I'll stop there because I realize it's 10 minutes to go, so I want to focus on Q&A. If there's any questions, then feel free to...

Mark Watts

executive
#3

No outstanding questions at the moment, Cam. But please, everybody, if you've got any questions. Now is the time to get them into the Q&A panel.

Cameron Dunn

executive
#4

Please, you must be sick of listening to me rabbit on, so please feel free to ask questions.

Mark Watts

executive
#5

Thank you. You've covered everything very well, Cam.

Cameron Dunn

executive
#6

Hopefully, I have. You are still free to reach out with questions. If you think of questions afterwards, if you go back and watch the replay and you think of more questions or you think of some questions that you would have liked to have asked and forgot to or didn't think of at the time, feel free to reach out to us. If there's no questions, I'll wrap it up and hand it back to Mark.

Mark Watts

executive
#7

Thank you. We'd like to thank you all for attending the event. We hope you found it informative. Especially thank you to the speakers and panelists for presenting today. And as a reminder, please take a moment to complete the confidential survey that has been posted in the chat panel. And it will also pop up in your browser as you exit. Thank you for joining, and have a great day.

Cameron Dunn

executive
#8

Thank you very much.
