International Business Machines Corporation (IBM) Earnings Call Transcript & Summary

May 28, 2020

New York Stock Exchange | US | Information Technology | IT Services | Conference presentation | 47 min

Earnings Call Speaker Segments

Connor Costello, Customer Marketing Manager, IBM Security

Hi, everyone. Thanks for joining today. I'm Connor Costello, your IBM Security facilitator for today's webinar. In this webinar, you will hear from Mike Lyons, Resilient Offering Manager; and Paola Miranda, Resilient Product Marketing Manager, as they provide an overview of how security teams can leverage a SOAR platform to improve investigation and response of phishing attacks. Before we get started, just a few housekeeping items in your audience console. There's a few widgets at the bottom. [Operator Instructions] We love your feedback. We love making these better. So please use the survey widget at the bottom of your console to help us improve future webinars. The resources widget on the right contains some important links. You can join the community, check out the App Exchange or learn more about Resilient there. It will take you directly to those pages. If you have any technical issues, sometimes I tell people just a refresh works, but you can also check out the question mark for the common problems and solutions at the bottom. So with that, all out of the way, let's get on to the presentation. I'll hand things over to Paola to get us going.

Paola Miranda

Thank you, Connor. Welcome, everyone, and thank you for joining us today. I hope you and your loved ones are doing well during these challenging times that we're facing together. But with that said, I'm going to kick it off. First, I just want to cover at a high level what we're going to cover during this webinar. And so first, we're going to level set, and I know you probably signed up for this because you know what is phishing, but to kind of like make sure that we are on the same page and you know why phishing is important and why we want to respond fast to that. We also then are going to talk about the importance of having an incident response time. And then we're going to talk about how do you bring this response plan for a phishing incident into SOAR and how SOAR platform can help you with that. And then I'm going to pass it over to Mike, who is going to show, like, how would you actually build a playbook for phishing and shows a demo of it. So with that said, let's get started and dive into it. So you all know what's phishing and whether it's bad or not. It is a practice of sending fraudulent communication, and it's usually done through e-mail. And when you look at these e-mails, they look like they are legit, like from a very reputable source. Attackers are getting very sophisticated on how they're crafting these e-mails, and it's getting harder to distinguish when they're real and when they're not. And of course, their ultimate goal is to steal sensitive information, and it could be credit cards or it could be your log-in information. But this stat appear on your screen here, but basically, our expert research team, which is an IBM internal group, they look at different attack vectors that are used for initial access. And 6 of them rose up to the top, which included phishing, [indiscernible], brute force and others. But 5 -- only phishing rose to -- like was the very top one at 31% of these 6 different attacks. 
So we know that phishing is most frequently used, and this opens the door to other attacks such as advanced persistent threats and ransomware. So this is just the beginning, but it can get more complicated down the line. And on top of it, we are definitely facing some unprecedented times, and COVID definitely brings some challenges. Our digital life has never been so central. I mean you probably have children at home with you right now that are taking online classes, and we're all shopping more online. And many of us are working from home, and none of this is new, but what's different is the urgency and the scale. This is unprecedented. And a lot of security teams out of us are monitoring more devices remotely, which before were connected into office networks, but now they're connected into home network with other devices. And they're also having to respond to a higher-than-usual e-mail phishing alerts. We've seen like a significant growth in our malicious domain based on expert research, too. So you also have to think that the security teams probably are working remotely, too. So they need a way to work consistently and collaborate, but also find ways to be more efficient, and automation really can help with that. So that brings me to the next question, do you have a plan for incident response? We know from research and this IBM experience protecting many customers and what we hear from our customers. We hear that being prepared and practicing really helps mitigate risk. And one of the ways you do this is by establishing a well-documented plan to respond to a specific incident. So I'm -- to make this one more engaging, I'm going to ask you a question. 
I'm not going to ask you if you have an incident response plan, but we work closely with the Ponemon Institute every year to better understand the organizations that are cyber-resilient, and we published this study that is called Study on the Cyber Resilient Organization, and we're getting close to releasing the 2020 edition. So we have a sneak peek preview of some of the data. And I'm going to put a poll question on the screen. So I'm going to put it up, and I'm just going to give you a couple of minutes for you to select an answer. But I want to take -- from what you know from the industry, what you read about it, to take an educated guess and things like what percentage of organizations have a specific incident response plan? So I'm going to put that question up on the screen, and I'm going to give it a minute for you all to put your answer in there. Okay. Connor, are we getting them? Okay. I see we're probably capturing up answers right now. So I'm going to move and see the results. Okay. So guess 70% was 25%, then 40%, then 50%. So 25% is not about guess. That was the actual percentage that we saw back in 2016. So glad to inform that, that number has improved in 2020 fast forward 4 years to 40%. So we're seeing -- from this study, we are seeing that 40% of organizations have specific incident response plan. This number is across different industries and geos, but this number changes depending on the maturity of those industries and geos. So I'm going to put another question up and a similar exercise. I'll let you know what's your guess. So this time, it's a little different. You think about like all these organizations that already have specific response plan. What percentage of those organizations do you think that have the plan specifically for phishing? So I'm going to put that poll question up and leave it up there for a minute for you to answer the question. Okay. So hopefully, that was enough time for us to capture some answers here. 
So I'm going to get you the results. Okay. Here, [indiscernible] percentages. So the high one was 37%, followed by 52%, 53%, 46% and 34%. So based on the research that we did with Ponemon, 46% of those organizations with specific response plan have a specific plan for phishing. And I guess the good news is that we've seen improvement. But as you can tell from the 40% of organizations that have incident response plan and only 46 plans -- 46% that have response plan for phishing, while it's good that we improved, we still have opportunities to continue to fight attackers that are crime gangsters. It's still not even half of all the organizations out there. With that, let's talk about why it's important to have an incident response plan. So the biggest thing is that it allows you to mitigate risk, and it's going to give your team that confidence that they need to resolve incidents under stress. So it's going to give them a starting point, and it's going to give them guidance, like, it's going to -- like, we're to going at a process for them that they can repeat over and over. And also, it's going to capture that firewall knowledge from your team. I think we are all aware here that talent and skill in cybersecurity are hard to find good personnel out there to work these roles. So if you can bring in these people into the room and help you build a response plan, you can capture that firewall knowledge, I mean, from more senior people, but it also can allow your junior people to kind of learn from them faster and being more confident when they respond to incidents. It's also going to help you engage other members, including executives and leadership from other departments. And what I mean by this is like we engage executives and even like members of the Board. This is going to allow them to understand the risks that phishing attacks or attacks in general put to your organization. 
And then bringing in leaders from other relevant functions like IT, HR, legal, communications, it's important for them to be aware that there's a risk, but also to understand what are the expectations when actually like you're resolving an incident, like, do we need to communicate this with our customers? How is the communications team going to respond to this? Do we have any legal implications that we need to bring up to speak to the legal team quickly? So this is going to allow you to bring all the different stakeholders that will help you make sure that you have a good response to that incident and mitigate the risk. So of course, like we know that it would be too easy if we just have the plan and put it out there. But we know that more we practice and the more we read through these incidents, the more we learn. So having an incident response plan established is going to allow you to have a baseline, that you can continue to go back and improve, refine, depending on how everything is evolving in your industry, what we're seeing out with attackers doing and just how your team is responding to incidents. So you're going to have this platform that you can go back and refine continuously. So now I'm going to walk through how our phishing remediation process looks like. And this is a graphic that was published by Gartner. So this is similar to a process that you want to lay out for your team. And you will start with you getting a suspicious e-mail. And you probably -- the next step from there is that you're going to want to have your team analyze this in detail, and that's going to happen by extracting the different indicators of compromise, and you're probably going to want to do some deeper investigation and correlate against threat intel or get results from sandbox of the indicators of compromise that you're seeing here. You're going to collect many different inputs that your analyst is going to take and then they're going to analyze. 
And you're going to get to a point where you're going to have to make a decision. Is this a malicious e-mail? Yes or no. So if it's a no, that's probably all you need to do and you can close that incident and move on to other investigations of other incidents. But if it's a yes, then you have to take action and you have to start remediating that incident. With that, you can probably see that throughout the process, there are many actions. And many of these actions right now we hear from our customers that we engage, like, they're being done manually, which is very time-consuming for the analysts. So when you start taking actions, you're probably going to want to make sure that e-mail is eliminated from other mailboxes before people can click on it. And you want to make sure that it hasn't impacted other systems and understand what's happened to the EDR level and if you have to take action there. Once those things have been taken care of, then you can completely close out that incident. And from Gartner report and just analyzing the different actions, we know that all these actions could add up to 4 hours, which is a lot of time. And we know our analysts in the security operation center are spread thin. So there's a lot of time just to focus on 1 phishing alert, which we know they are continuing to increase more and more and more the alert that we see if it is related to phishing. So the good news is that when you introduce this to our platform, this can definitely make a positive impact and introduce efficiency to this process. If you're not familiar with SOAR, SOAR stands for Security Orchestration, Automation and Response. And like the name says, it has orchestration and automation capabilities. But what does that mean? There -- you're probably thinking [indiscernible] to ensure we're on the same page when we are talking about orchestration and automation. So let's talk about orchestration first. 
Basically, orchestration, the way I try to explain it to myself is that ability to integrate with other security tools or technologies. And this is done via connectors or APIs, and it's going to allow your different tools to talk to each other and share information. The other key concept is automation. And automation is just the ability to execute a scripted action. It's like without a human involvement. And orchestration and automation together are very powerful because you not only can maximize your investments, but you can also bring this efficiency into your SOC to build playbook. So -- which is another concept that we want to briefly talk about. And the way that Gartner defines playbook is, it's used like logical [ wrappers ] for scripted actions to happen when certain conditions are met. But if you think how we talk about incident response plans, playbooks are basically taking that response plan and codifying it into workflows. So then when you layer orchestration and automation, that becomes really powerful for your security team. So let's relate that process that we saw in the previous slide. How this process [ official engagement ] look if you were to layer in as part of the SOAR platform. So as you can see from the beginning, we still have that suspicious e-mail that we received. And this could come from an integration with the same platform. So depending on your platform, you may be able to escalate that alert directly to your SOAR platform, and then you can run the phishing playbook for you to capture that incident response plan. And through automation and orchestration, your SOAR platform is going to bring all that information that you need for the analysis. It's going to enrich that incident by tapping your threat intel and all these other connected tools that you have that can bring more information for the analysts to then make the decision, like, is this malicious? 
Now we close the incident, but if it is malicious, then when you start to coordinate a remediation. And you could also do this very simple with automation, and then you can close the ticket, of course. But thinking about how we run through this first process that took us 4 hours, when you layer in a SOAR platform, it reduces the time significantly to minutes. In this case, we have it down through approximately 15 minutes, which is big difference considering all the alerts that your analysts have managed in SOC? So at IBM, we have a very comprehensive portfolio of security tools, which includes IBM Security Resilient, which is our SOAR platform. And Resilient allows your team to respond with confidence through this playbook creation, these processes that we're capturing for them to respond to incidents best. Our playbooks are unique in the sense that they are dynamic and additive, and Mike is going to talk more about that and show it to you. And also, going to the next one of automating with intelligence, Resilient has delivered and has very strong automation and orchestration capabilities. And with that said, it gives you a lot of opportunity to customize to what is going to work for your organization. Finally, collaborating with consistency. And we refer you to our very strong case management capabilities, which is going to give this ability to the tasks that the different team members have to complete to resolving this incident. They can see the task that they need to complete. They can assign tasks to different members and see who is working on what. And they can assign and do those and make sure that they're completing them by whenever it is needed to be completed. So it encompasses workbench where your analysts can go and do all the work from just one place. In addition, Resilient -- we have a -- we're proud of our very robust ecosystem that we have of integration applications. All these are available via the IBM App Exchange. 
We have IBM validated and supported applications. And these applications we partner with other third-party technology vendors, and they fully support customers that use this application can submit a ticket, and they will be supported as they work into this integration. But we also have community applications, and these are applications that are submitted by members of our community. So they're going to share what is working for them, best practices, think they are making their thought more efficient. And all these applications are available via the App Exchange. And today, we have 150, and that number keeps growing. And one of those integrations that I would like to highlight is Red Hat, and the reason we like to highlight Red Hat is not only because it breaks the silos between security and IT, but also because when you leverage Red Hat, it opens door to many other integrations. They have thousands of integrations. So this amplifies the number of integrations that you have access to. And if you want to know more about like current integrations, how you can use them or just due for releases, you can always go to our community, and you're going to find resources there, and we're going to be publishing new application releases there, too. So with that said, I'm going to pass it over to Mike and to the fun part of this webinar, where he's going to show us how to build the phishing playbook. So Mike, over to you.

Michael Lyons

Yes. Thank you so much, Paola. That was like a really good buildup for all of the needs of building a phishing playbook for your organization. And it's of particular importance and I think of particular interest because, especially during these times, users are clicking away at homes and all these remote locations, and it's really putting a strain on the security teams to make sure that they're ready with adequate phishing response plans to make sure that they're keeping their systems, their organization's data and the organization's employees and users safe during this time. And so when you think about building a playbook, I think the process that Paola and Gartner kind of outlined just earlier as part of their recent paper that they released is they kind of divide those tasks into investigative type functions and those remediation and containment type functions. And so for kind of our example today and how we're going to walk through this specific phishing example, I kind of trim that down to a simple example. And that example starts with discovery and identification of that actual phishing e-mail. And so that's going to be something that's usually reported, and we're going to have to bring that e-mail and that information into Resilient itself. And then from there, we're going to extract the various values from that particular e-mail, that's the IP addresses, the subject, the sender, receiver, whether it had any attachments or anything like that. And once we have that information inside of Resilient, we're then going to move on to do some enrichment and validation. And so for enrichment, we're really -- we're going to go out to our various security tools, whether those are threat feeds or SEM and other things like that and gather more information about what we've seen in this e-mail. And given all of the information that's in there, we're going to come to that very crucial point. 
And that is the one step that you most likely can't automate as part of this phishing playbook or any playbook for that matter is you need to make sure that you have some level of human validation in most use cases. And so you make sure to have someone look at the data, look at the various aspects of that, look at the scores and to assess whether the website or the attachment that was part of this particular reported e-mail is, in fact, malicious. And of course, if it's not, you can, of course, say, "Oh, it's a false positive," and you can close the case. However, if it is found to be malicious, that's when you start to move on to those remediation functions that is called out by Gartner. In our particular example here, what we have are a number of actions to go out and look at all of the e-mail throughout this organization and start to think about who else received this e-mail, who else clicked this e-mail. And since there is a malicious URL here, I have to go and create tickets or something like that to block that. And if any user accounts have been compromised throughout this process, I'm going to have to go and reset those accounts. And so when all that's done, I can then close that case and, as Paola was saying, that would take quite a long time to do. And so how do we go ahead and accelerate this process to really get us from hours to minutes? Well, we're going to go and take all of those various tasks and cloak them into our organization's tool chain. So for our example, the e-mail interface for us is going to be around Exchange Online from Microsoft. And a lot of the extraction of the IP addresses and things like that are going to be taken care of by internal scripting on our system. Then when we start to look at the enrichment phase, we're going to pull in URL scan and IPVoid as free services that help us identify and give us known bad information about the IOCs or artifacts in our system. 
And we're also going to go out to our QRadars and proxy logs and pull in information there about perhaps who's clicked on it and whether that link has been loaded by various people or users within our infrastructure. And now once to that point, we're going to pivot over and take the remediation action with Exchange Online, create those tickets in ServiceNow and go ahead and reset those accounts using our LDAP interface. And so as part of Resilient's most recent release coming out in June for 37.1, we actually have an easy way to take that manual process I showed you, pair it up with all of those tools and technologies that was on the last slide and put them all together in an end-to-end process. And that deliverable is what we're calling App Host. And this is the ability to install and deploy apps within minutes through a guided installation process that allows you to configure those apps and deploy them in containerized deployments that allow for easy management. And so without further ado, I will move into the demo portion of this.

Connor Costello, Customer Marketing Manager, IBM Security

Mike, this is Connor here. I'll make sure your screen is good. And it's looking like it's shown up. So you're all set.

Michael Lyons

All right. Perfect. All right. So I have 2 systems here. And one of the systems is Resilient, and this is the one where I'm -- I've got that manual process. And so here's an incident that actually came in this morning, looking about trying to spear-phish one of my employees about their corporate Box log-in. And we can see here that Resilient has automatically populated a lot of these -- a lot of the tasks within the task list here. And so if I am an analyst and I have to go through that manual process, I'd have to go out to my exchange server, and I'd have to upload that e-mail file here. So what it did is that it closed that task out. And then once that e-mail file is in here, I'll then have to go through and extract the various aspects from that file. And so you can quickly see that as I start to go through this process, it becomes quite time-consuming, especially when I get down here to some of those automated actions around URLs and things like that. And so let's think about maybe how can we accelerate this process. Well, we can actually go ahead and start to think about bringing in some apps into our system to start automating the various aspects of this response plan. And we're going to start -- and one big, cool, powerful thing about Resilient is you can actually start to think about this in a very modular fashion and introduce automation piecemeal to slowly automate your process to start from a manual process and accelerate yourself to as much automation as your organization is comfortable with. And so over here on the App Host screen, I'm going to focus in on that I -- I'd like to start to automate my LDAP, resetting of my user accounts. I can see on my screen, on my apps list that I don't actually have that function yet. So I'm going to go ahead and I'm going to install that into my system here and I'm going to upload that file into my web UI here. It's going to give me a bunch of what's going to give me an API key for that particular interface. 
But it's also going to give me a lot of example content. A lot of the major use cases are oftentimes covered by the additive blocks apps that we have up on our App Exchange. And so I'll go ahead and I'll push this app into my system as well as all this configuration. It takes a second here to upload. And once that's done, I'll see that this has some executable. So I'm going to have to go ahead and do a few more steps. You can see them here as part of the app status. So I want to go over here to the configuration. I can see that my certificate has been generated for me for this particular messaging interface. I can see that I have this configuration file. So I'm going to go in here. I'm going to look over my file content and my configuration here. And I'm going to make sure that everything looks correct. And I can actually even test that configuration. This is just a demo for now. So I'm going to go ahead, and that configuration looks good for me now. So once that's all set, I can actually come over here, and click this Deploy button, and that will actually go out and deploy the container for this particular app. Now once we have the app installed for a particular use case, we're going to have to go and start to automate a certain part of our response process. And this goes over to our workflow engine. And within here, I already have my manual process here. And for this particular use case, I focused in on our first step of our remediation action. And so let me maximize this for you. And so for this particular use case, I have the reset of compromised user accounts. So now I'm going to try to utilize that app that I just installed. And so in our case here, we're going to put a little parallel gateway in here. And what this is going to do is this is going to allow us to insert some functions in here, which are Resilient's interfaces out to those various containers. And we're going to go ahead and we're going to drop some functions on here. So I'm going to do an LDAP. 
And what we're going to do is we're going to do a search. So we're going to search for -- after we validated as part of this incident, there's a list of users that have been identified that have clicked on this e-mail. And what I want to do is I'm going to go ahead and I'm going to search for those. I'm then going to interface with that LDAP again. And this time I'm going to set the password. And of course, you can see here that there's a little bit more configuration I have to do, actually kind of dictate the inputs. And I'll show you the example of that completed when we go over to the complete demo system. And then to kind of finish this up to completely automate this task, I'm going to go ahead and add a note to task that we have above. And what this does is it takes the results of these functions and adds them to this task. And so I can always come back to this particular incident and see what exactly was -- what were the users that had their passwords reset and be able to kind of understand the history of the automation that ran on this incident. And then the last thing we want to do is to make sure to close that task. We close that task here. And then what we'll do is we'll string these pieces together just like this. And this will create a small modular piece of automation, and this can be used across many different incident response processes within Resilient. And we really like to focus on the modular nature of pieces such that we can get the maximum amount of reuse as possible. Let's go ahead and save that. So that's how you build that component. So now I'm going to jump over to what is a system that has taken all of those components and technologies that I talked about in our slides earlier. I'm going to go ahead and I'm going to send myself a user-reported phishing e-mail. Sometimes it takes about a minute to do that. 
And so if we look down here, within this incident, it's very similar to the incident response process we saw in the other system that was purely manual. Now one thing you'll notice is that the tasks here are automatically starting to be finished off. If we look at the first task up here for attaching the e-mail, well, Resilient has been configured to interface with that Exchange Online integration, and it's automatically attached that e-mail to the incident. From there, our internal scripting has started to extract the various IOCs and other interesting aspects from that e-mail and started to attach them to the incident and started to work through the various enrichment activities as well. And so we can see down here that I've searched for some proxy logs. I'm gathering some threat intelligence, and in any moment now, we'll get through and gather stuff for the URL. And so if we go over here to our artifacts tab, we can actually start to investigate this particular incident. So as an analyst, I'll come in here and I'll see that, oh, looks like the URL for this particular incident is known to be malicious. I can actually go in here. I can see that there is an IBM X-Force. I hit on this particular incident. You can see it's a spam 0 day, and there's a number of other interesting aspects, and I can actually go out to the permalink here as well. I can also look at the attachment here and sort of analyze the various pieces. And so I'll come back here. And you'll see that the last part here on the enrichment phase is going to be the validation phase. And this is the part of the process that can't actually be automated. So this is the part where the analysts will have to come in, look at the various report aspects. 
And since I just looked at the attachments and the artifacts and some of the other data on this incident, I can actually say that, yes, there's a malicious URL; I can say that, no, there was no attachment; I can say that this was, indeed, a phishing e-mail; and I can confirm the incident disposition. And so as an analyst, I'm going to go ahead and save those aspects and complete and close this task. And what that's going to do is, it's going to close this task, and it's [indiscernible] back to the task list. And you can see here that since -- as an analyst, I've validated this particular incident. We've now started to kick off the various remediation actions that are going on here. And so a number of tasks have been automatically added. We can see here's finally that task for the reset compromised user accounts. And we can see a blacklist URL task. And we can see that this blacklist is already in progress because we've created these 2 tickets down here in ServiceNow automatically. And the cool thing about that is those tickets created in ServiceNow are now being synchronized between Resilient and ServiceNow. And so the onus is now on IT to make sure that they finish out those tasks. And once that's done, that will automatically close out this incident. And in fact, down here at the bottom is a table. I think I'll have to refresh to get the updates to that table. And that will actually show in this table the specific tickets in ServiceNow and what their current status is, so you can track that over time. You can also see as part of this containment and remediation that Exchange Online integration has identified and gathered additional e-mail recipients, removed all of those e-mails from the inboxes that they came into. And you can see that anyone who clicked on it has been notified that they didn't click on phishing and that they should really be careful about what they do further. 
And the last aspect that's pretty cool here is I can actually go here to the suspicious e-mail, and I can actually see the various exchange online message query results to other users. I get a confirmation that each one of those e-mails has been deleted in the system. And I get to come down here and see all the compromised users. And this is the automation that we created in that other system. And this actually interfaces and resets all of the passwords of these particular users who had all their information compromised. And so as you can see, this task or this response plan that took probably an hour or 2 to accomplish in its simplified nature really came down to a few minutes and a couple of minutes of an analyst's time to validate that this was indeed a malicious incident, confirmed that and took all the remediation action. Now the analyst can move on and -- move on to the next phishing incident or whatever else may be important there. And just to show this up, we'll go ahead and we'll show that last workflow for the compromised accounts just to see that in this system, it is indeed the same. So as you can see, here's the validate, I think here is the reset of that compromised user account, followed by the other [ utility ] search, the resetting of the password, the information added to that note, and the task utils now closes out that task and finishes up that modular automation action. And so that is the power of using IBM Security Resilient SOAR with its new App Host capability to build modular automation to bring response plans down from hours to just minutes. And with that, I will open it up for questions.

Connor Costello;Customer Marketing Manager, IBM Security

executive
#6

Awesome. Thanks, Mike. [Operator Instructions] So I post these to either Paola or Mike, how you want to take them. But one that came in from the audience was, can you automate a playbook end-to-end?

Paola Miranda

executive
#7

I can start it and, Mike, if you want to add anything on top, please do. But I think automation is a very powerful tool, but you also want to be strategic on how you use it. It's really going to depend on the use case that you're trying to automate. And considering the [indiscernible] your analysts are going to have to make decisions. Probably phishing is one of the use cases that we feel a lot like -- a lot of it can be automated like we saw in the demo today, but there's other more like ransomware where you have to want to make a decision in do I want to pay or not. And I think that's also important to consider as you're thinking about implementing automation. Mike, do you want to add anything else?

Michael Lyons

executive
#8

Yes. I mean you can certainly automate an end-to-end response process from end to end. But it really comes down to that malicious step that I was kind of showing in that demo, which is, you really want to make sure that at least a human typically is looking at that. For some organizations, they have narrowed down certain things to be kind of very high fidelity scores, that they trust their organization to automatically block and remediate certain actions. So it's really going to depend on your organization's confidence at certain decision points in those end-to-end response processes. But typically, I see that keeping a human in the loop is the best practice.

Connor Costello;Customer Marketing Manager, IBM Security

executive
#9

Great. Thanks, guys. And you did -- you spoke -- obviously, it was -- the webinar was about phishing, right? So that's one of the main use cases when it comes to a SOAR platform. One of the questions is, are there other use cases that you've seen organizations prioritizing and implementing in kind of a similar fashion?

Michael Lyons

executive
#10

Yes. I've definitely seen things around malware and network investigation as well as a number of cloud use cases as well. So plugging into IBM's broader hybrid multi-cloud story, a lot of customers are going out to different cloud environments and deploying different applications depending on the core business need and the core business aspects and then having that be kind of a stand-alone island. But once they plug that into a SOAR tool, they start to bring in all the information across all of those different cloud environments, and that tends to be a lot of information. And so that's typically where we see a lot of automation being brought in to bring in those alerts, triage them and start to really make use of the analyst time in the best way possible.

Connor Costello;Customer Marketing Manager, IBM Security

executive
#11

Great. And I know you spoke a little bit about App Host and upcoming features, Mike, but how does the App Host setup and interaction differ from the integration server solution that Resilient is used to having?

Michael Lyons

executive
#12

Yes, it's a good question. I mean I guess the one thing I'll say is that the integration server really was a command line centric view of automation and orchestration layer within Resilient. We've now migrated all of that functionality into the web UI. And so now you'll have a onetime setup upfront for that infrastructure and your networking. And after that, everything will be a point and click and deploy as you saw on this webinar demo today.

Connor Costello;Customer Marketing Manager, IBM Security

executive
#13

Great. I think we have time for 1 or 2 more. There is one that came in relevant to your answer just then, Mike. How do we get the App Host for Resilient?

Michael Lyons

executive
#14

That's a great question. We are GA'ing this App Host in mid-June, so 37.1, so be on the lookout for it.

Connor Costello;Customer Marketing Manager, IBM Security

executive
#15

Great. Yes. I just want to reiterate, we do have more upcoming webinars on Resilient. So like you said, keep an eye out for it. And with that, I think we're getting close to the top of the hour here. Paola and Mike, I leave it to closing statements from you 2. Is there anything you'd like to add?

Paola Miranda

executive
#16

No. Thank you, everyone, for joining us today. And if you want to learn more about App Host, there is a series of webinars going on in the community. I know Mike and Connor have been working really hard on those. So there is -- you can access on demand the ones that already happened, but I know there's a couple of others scheduled, too. So definitely go check out the community for more information on App Host and phishing, too.

Connor Costello;Customer Marketing Manager, IBM Security

executive
#17

So with that, thank you for everyone joining. You can use this link, the registration link to watch a replay if you'd like to go back and watch. We hope to see you on the next one. So thank you to our presenters today, and thanks to everyone for joining.

Michael Lyons

executive
#18

Thank you.
