International Business Machines Corporation (IBM) Earnings Call Transcript & Summary

November 1, 2023

New York Stock Exchange US Information Technology IT Services special 51 min

Earnings Call Speaker Segments

Sarah Dudley

executive
#1

Hi, everyone. Welcome to today's webinar. I'm really excited to be here with you today. My name is Sarah Dudley, and I'm the Product Marketing Lead for our Cyber Threat Management services. Today, we are going to talk about a very important question. Does your security program suffer from piecemeal detection and response, also known as PDR. So today with me, I have 2 wonderful and distinguished Johns. We have John Velisaris, who leads up our Threat Detection and Response Services portfolio. And we also have John Henley who is the Head of Strategy for IBM X-Force. And today, they are going to talk [Audio Gap] What is PDR? What is the thing that we're talking about today? How do you know if your security program is suffering from PDR? What are the risks and consequences of having PDR in your security program? And what are some organizations, some real-life organizations doing to address that? Then we'll get into a little bit of some treatment goals to get you back on track if this is something that you think you're seeing in your organization. And then also, we will close out by introducing a new service offering that we have to help address this. Please put your questions in the Q&A box. As we go through the webinar, we will answer them throughout. And at the end, if we run out of time or don't get to your question, we will certainly follow up with you after, but please submit all of your questions as we go through today. So with that, I'm going to hand it over to John Velisaris, who's going to kick us off today.

John Velisaris

executive
#2

Perfect. Thank you, Sarah. I know what all of you are saying, "Gosh, the industry has enough DRs already. From MDR, EDR, XDR. Wait a minute, what is PDR?" So the good news is it's not an official industry term. It's something that we came up with as kind of a playful way to say that there might be an issue here. So some of the characteristics. And if you read the blog, some of these will look familiar to you. We see, especially in the last year, with moves to cloud, cloud-native security controls, all those types of factors that are breaking organizations, enterprise detection and response in smaller components. Over the last year, we've seen this kind of move towards what we put a label on called piecemeal detection and response. And some of those characteristics are you say, am I losing that cohesive enterprise detection and response? The characteristics of that are things like if you're spending too much time integrating detection systems, right? If you've begun using technologies that you're like, "Oh man, the integration effort is as large as the time I spend." [Audio Gap] One is you say, "Okay, I've got the R in detection and response. I have that in my enterprise today." type of technology. That's not enterprise detection and response, right? An underperforming SOAR system, and this is still unfortunately kind of characteristic of a lot of enterprises. SOAR promised us so much and has so many features, yet if you're using only a fraction of that SOAR capability, maybe you're just using it for playbooks. That's an underperforming detection and response capability. Anomaly detection in silos. Now in detection and response, we've got identity anomaly behavior. We've got our old user behavior analytics. We have agent-based end-point anomaly detection. If those things are not working in synchronization with each other, if you're not bringing that view together, that's another kind of piecemeal detection capability that you have. 
And then finally, unfortunately, this is -- we're kind of stuck as security practitioners like this last one, where you have multiple SIEM tools. So for example, let's say, you move to Azure. You've got Sentinel, let's say, in your AWS, now you're looking at Security Lake and you're using GuardDuty, and then you've got another SIEM tool on-premise. And certainly, there's a brighter future for us when we get to federated security analytics. But right now, those SIEMs still function in silos. And again, you've lost your enterprise view at that point. So if some of these things -- they may have happened for good reasons. You were putting a small Azure capability in the cloud. And so you're like, you know what, we can cover the single application that's in there with Sentinel without breaking enterprise detection and response. It was a good reason at the time. But unfortunately, the trend seems to be that these things grow out of control, right? They continue to grow in silos. So Slide 6 talks about the outcome, the result of this. The very first number there, the kind of 49% SOC team members only get to half the alerts they're supposed to review within a typical workday. That came out of our most recent IBM data security or SOC operations report. There's tool sprawl here, 80% of organizations use at least 10 disparate solutions to manage security hygiene. And the impact of having a non-cohesive detection and response continues to realize other outcomes like immaturity. More difficult to manage that system integration time goes up. They struggle to detect and respond to even those advanced threats that are hitting their organizations, because they're caught underwater in a landslide of alerts that they're trying to stitch together manually with human beings, right? So there's a lot of business outcomes from kind of a fractured detection and response capability. So how do organizations go about addressing PDR, right? 
How do we fix this enterprise, this lack of cohesive enterprise detection and response capability? And so I thought we'd start with a couple of slides to share some client success stories in part, to let everybody on the call today or on our webinar today know that you can be successful. You can get back to enterprise detection and response. If you look at Doosan, for example, Doosan had regional detection and response capabilities. So as a global multinational, they had more than just a tooling problem, more than just a telemetry and workflow problem. They had pockets that were siloed that did detection and response independently, while they operated as a single entity, a single enterprise, right? And so what happened is not only did we make improvements in their protective posture, some good proactive security was done to assess their risk from a cybersecurity perspective, but then retooling of their security operations into a global single SOC type of detection and response capability that gave them full visibility as well as the ability to orchestrate automated responses in the environment. So another one is ANDRITZ, and they didn't suffer from the same type of global multinational regional capability, the siloing that happened with Doosan. ANDRITZ had a different problem that many CSOs are now end up owning. OT, a brand new part of the business where cybersecurity risk was increasing, and certainly, we see this in other critical infrastructure industries, right? [Audio Gap] IT systems, but they wanted to apply the same type of detection and response capability that they have, the same workflow rather than creating a new workflow, right? To cover OT to integrate those 2 things together. And so I think maybe I'll ping John Henley here and ask him X-Force. And John is our Head of Strategy for our X-Force team that does everything from offensive security to incident response, to threat intelligence. 
X-Force publishes many of our intellectual properties that we pushed throughout the year. The Cost of a Data Breach report, the Threat Intelligence Index. A lot of research comes out of X-Force. So maybe I'll ask John about the challenges that different industries face, ANDRITZ faced OT. But I'm sure there's more than just enterprise IT that organizations are having to tackle. John?

John Henley

executive
#3

Yes. Thanks, John. So I'm really glad you brought that up, especially across multiple industries. When we look at ANDRITZ for example. OT, getting visibility in the OT networks, knowing where your risks are from not just a compliance perspective, but from a true cyber risk perspective, right? What are the adversaries? What are the threat actors trying to do? It is a problem that is common across all industries, right? Sometimes the technology is different and instead of talking about OT, we're talking about hybrid and multi-cloud that we have our clients working with. And the difficulties that are posed for organizations, for security teams, for SOC analysts to try to get visibility across all these disparate environments, networks, pieces of technology. It's difficult, right? For them to get that visibility. And so how did we solve it here? Well, starting from the offensive side, right? Getting that vulnerability management under control. Knowing, with the assets that you have, where are those areas of highest risk, what are the threat actors most likely to use from a vulnerability perspective to get into the environment, and then going and driving that remediation effort, right? Then going through and, of course, helping the SOC with their visibility across that network. Of course, having that preparedness piece there as well for the incident response team, so that if something were to be detected that, hey, we've got a plan, we've got a team. We're ready to go to execute on this. Because you mentioned the cost of data breach report, one of the main findings in that report is time is money. The longer it takes you to identify that there is an issue, the longer it takes you to contain, the more it's going to cost your organization in response -- breach response costs. 
So the sooner you can identify and contain, the more money you save your organization from operational costs, from reputational damage, from regulatory or compliance issues, which is kind of what was so great here with ANDRITZ is that we ended up getting that 100% visibility across that network, which goes a really long way, John, to help driving down those response costs.

John Velisaris

executive
#4

Yes. I mean, John, you touched on a lot of things, we'll come back to a little bit later. But proactive security, proactive risk reduction. In addition to having a battle-hardened incident response plan. Those are things that are day-to-day, SOC, those are essential components, good hygiene. So we'll talk a little bit later about kind of the scope of what proactive security can be, but I'm super happy you brought it up here to talk about kind of the combination of those proactive security capabilities, in combination with doubling down on enterprise detection and response through visibility and the security operations improvement that ANDRITZ achieved there. So let's move on to 5 treatment goals to get you back on track if the piecemeal detection and response is resonating with you and you're like, "Yes, I have some of those symptoms." And yes, we're having fun with PDR. We're treating it kind of like a pharmaceutical. If you have PDR, you can get help. But when I thought about those treatment goals to kind of get you back on track is that, anybody can say, map your risk to [indiscernible] attack and all those other types of things. So what I -- I thought about this and I said, I should give them something a little bit out of the box. Now true, #1 here isn't that. Vendor tool and workflow consolidation. I had to put that in there. So many of you may be saying, "Gosh, that's just common sense." Well, I would challenge you to go back and truly understand how much sprawl we've seen over the last 1.5 years or 2 years in security operations. It's probably worse than you think, right? And so the -- many of you, if you're security practitioners attending this, you know we go through kind of a pendulum of buying where we buy point solutions, we buy best of breed and then we buy integrated capabilities. 
What I'm positing here and what I'm challenging you to look at is whether or not you know it, the pendulum in your organization swung back to kind of best-in-breed, where you ended up buying point solutions, and that may have happened in that proactive security space that John and team work in, in attack surface management, attack path management of there are base tools out there, too, that you may have caught your organization's eye. So it may not have been inside your SOC where you've had kind of that sprawl or the lack of controlling your technology stack happens. So I challenge you that a consolidation effort is needed there. The next one is kind of a threat management architect. And I thought about this is more of an organizational horizontal across threat, because we've got our cloud security architects. We've got our DevSecOps specialists. We have our SOC architects, right? Really, what you need is somebody who can sit back and look holistically at the pro -- the architecture for the proactive tooling. How does that integrate with the security operations, detection and response tooling across those different towers, right? And [indiscernible] if I asked John Henley on this one, how well he sees vulnerability management integrated into security operations. John, would you still say that, that is a challenge that a lot of organizations are -- I mean, let alone Intel, right? I mean, I think there are probably several integration opportunities that are still out there for SOC teams, yes?

John Henley

executive
#5

And here's the problem, is that if it was a static problem and if the organization never needed to grow, if we never need to innovate, if we did need to kind of push the business further, then yes, security becomes a pretty simple issue because it's static. But that's not the world that we live in, because the business is changing all the time. And because security's job is to enable that business to go out and take risks, it becomes kind of a never-ending challenge of saying, "Oh, so the business, we just found out that 3 months ago, they decided to move towards this cloud platform. And now we get to go and secure it when the business is already operating there." I see that type of stuff all the time. And so kind of having as much as you can, building in both that proactive, the reactive and building all the things that you see here, right? Getting that strategic planning where possible. That Zero Trust in the cloud is enormous from the perspective of securing those different platforms. It's still a challenge for a lot of folks.

John Velisaris

executive
#6

Yes. And that Zero Trust in the cloud, I see that lots of our clients were kind of forced to let Zero Trust go, even if they were early adopters. Why? Because there are costs in replicating your Zero Trust capabilities that you built on-premise into the cloud that the organization wasn't ready to handle. Cloud-native tools to put Zero Trust to take that type of approach in a cloud, they weren't there yet. Well, cloud security controls have come a long way. And what I'm saying here is it's time for you to reposition or reevaluate your cloud capabilities with that Zero touch -- Zero Trust framework, sorry. If you have done the monumental organizational change necessary to get Zero Trust adopted, you owe yourself to go back to the cloud and make sure that, that approach lives out there as well. And then the proactive security, absolutely. Proactive security just as in a pen test. We'll talk about we have a little Infinity loop later. There's much more to proactive security that John will give us more on. And then strategic planning, let's put it this way. You're not going to be able to buy a tool to solve this. It is potentially a multiyear journey that -- and there are potential organizational conversations. If you're not securing clinical systems in a health care environment, not maybe an organizational conversation that you have to have. So this may be a multiyear journey in order to get back to an integrated enterprise detection and response capability. And so Sarah kind of teed up, we're going to get towards TDR here in a minute, which is the service that IBM cybersecurity services offers. But the point is you don't need to tackle PDR alone. You certainly can, but sometimes it's good to kind of get that third-party voice into an organization as well. Sometimes you have skill gaps that you can't leave so on and so forth. So you may want to turn to a partner. 
And what I would challenge to you is that there are some demands you should make when you're looking for a partner. And even if you have a partner today, you should demand certain things of them. And so delivering outcomes, and I know, gosh, that's kind of an overused term. Give me an outcome. But what you should talk about is rather what is that outcome? Is that outcome better security? What it should be is things like lowering your risk posture over time. If your partner isn't helping you on that journey, if your partner isn't helping you lower business risk, I would question that they are the right partner for you. You need to be able to respond quickly to remediate threats, and so there's a kind of hidden layer in here. That it's not just the identification of threats that they should be helping with or the detection of threats, it's making those bad things go away. And then certainly, practice and testing defenses. And this, you can say, yes, we do that. Well, do you do that often enough? Do you do that continuously? Are you running a tool? Is that tool really providing security validation? Hint and something John Henley's team has taught me, the testing controls. You can get a lot of lift through automation, but at the end of the day, a human being needs to be involved. John, is that still the case when it comes to testing defenses and testing security controls?

John Henley

executive
#7

That's absolutely still the case. There's been really great strides over the last few years in automation, and helping to increase the speed at which we're able to go and test. But truly, there is no replacement for a human behind the keyboard at this point. Maybe in a decade, maybe in a couple of decades, we'll see. But for right now, human behind the keyboard is still your best bet.

John Velisaris

executive
#8

Very cool. That's what I thought, just making sure. Workflow integration, this is another thing you should be demanding. So if the service provider is helping you integrate those hybrid multi-cloud environment, it's great. If they're not, they may not be right for you. And then outcomes within your workflow, right? The last thing that you want to do is put yourself into a swivel chair position, especially with the type of integration around workflow that exists today. The third piece here in workflow integration is super important. If you look at the way the analysts like Gartner, Forrester, KuppingerCole, IDC, all of them are defining detection and response these days. It includes adjacent services. It includes the ability for a forensic incident response team to seamlessly step into response situation. It includes things like we'll cover later, which is when you're doing that penetration testing or that adversary simulation, that your defensive capabilities informed and matured by that, right? The seamless delivery of those adjacent capabilities, I think, is something of that service provider that has that capability. And now I'll just toot my own horns -- our own horn since John Henley is on the call here. If you have an X-Force, right? That X-Force team works seamlessly with the people who are standing, defending and responding to threats in your environment. John, is there anything you want to add on that one?

John Henley

executive
#9

Yes. I mean just that the whole piece of the seamless transition between teams, the flowing of data. As you look for that partner, have somebody that's ready to play ball, right? Someone who knows what they're doing, but it's also kind of like you're saying in the first point there, outcome-oriented. Someone who's driving towards a common goal with you and truly as a partner and not just a vendor.

John Velisaris

executive
#10

Terrific. And then the final one is really double-clicking on what John covered there, which is that partnership, expertise to empower your team, partner and interact transparently. Again, we, as an industry, we go from, give me the result to I want to see how everything is done. I would argue we're back in the model where especially with knowledge transfer and skills transfer, that transparency from a partner is key for you. And then finally, somebody who understands your business and helps you improve. We do all kinds of things we have industry, comparative analytics for clients with geo comparisons as well to help you benchmark yourself and improve over time. I would wager that, that's I would say that, that is an essential capability in a partner. While I kind of sandbagged on that slide to lead into the pitch for detection and response. So bear with me until we -- to get to some of the value statements, but TDR is the new threat detection and response service. Hopefully, you're at our webinar today, because you saw some of the media coverage or the social media or everything that we've been pushing out into the world. We have an architecture here on the left-hand slide -- on the left-hand side of the slide that essentially, we don't care if we're your service partner. We don't care what type of alert it is anymore. It used to be that your services partner was like, "Oh, you have to use our platform, our technology." We support EDR, we support co-managed SIEM, we support identity detection and response, cloud detection and response. Quite frankly, we don't care anymore. To us, a threat alert is an alert. Send it to us, we can bring it to that unified workflow that's informed by X-Force intelligence that can flow to that adjacent service of X-Force incident response, and can be informed by proactive security services targeting to lower your exposure, right? That's kind of the architecture there. 
But the one thing that I want everybody to walk away with, TDR isn't just 24/7 monitoring and response. If you believe everything that we've talked about today, and we'll give you a little bit more on, if you believe in the mantra of proactive security. If you believe in the mantra around lowering your risk posture over time, continually improving your enterprise detection and response and your SOC, right? Then the 3 drumbeats in TDR will resonate with you. Unifying detection response using AI, if you're not -- and we have a slide next that talks a little bit about how our AI, our platform adds value. But that detection and response needs to be unified. It needs to be empowered by AI and automation. That's kind of table stakes to say you're in the DR business, whether that's MDR or our variant TDR. But the real differentiators are TDR and those adjacent X-Force services of practicing proactive security. And you know what, I take that back, they're not even adjacent. They're core to TDR. Because if you want to get away from piecemeal detection and response, you will do the proactive security hygiene that's necessary to reduce the risk to your business and better prepare you to respond when those incidents happen. And then finally, the third drumbeat, which is absolutely necessary is continuous improvement over time, right? If you are a SOC director and you're listening to this, you probably ran into a time in your organization where you couldn't make improvements, because your team was constantly underwater, constantly firefighting. We need to make the commitment to continuously improve. John Henley talked about, we're not in a static body of water. Threat is a moving river. It's always changing. You need to commit to making continuous improvement, and those 3 things will get you away from PDR, get you back to a robust threat detection and response capability. So those are -- that's our core drumbeats around TDR. 
We'll talk a little bit about the platform, and then we'll also talk about those proactive security services. The one thing about the platform that we use to deliver TDR is you don't have to rip and replace any technology. The day where a vendor says, I can work -- I talked about it with the architecture there. I can work with this technology eye. That's gone, right? Any vendor that's providing detection and response service outcome should be able to work with any technology, period. #2, faster response using AI. And so I want to talk a little bit about AI here and my personal philosophy about AI is that if AI isn't making a decision, if AI isn't taking work away from ultimately that human being that needs to be involved, you're not using it the right way, period. I see tons of analysts, who they have all these AI or machine learning algorithms, generating a ton of context for them about an alert. Well, that you've just given the human being more work to do. You're not really helping them, you're just -- you're giving them more complex variables to do. So AI needs to make a decision. It needs to take work away from a human or you're not using AI appropriately in your workflow or your technology. The last 2 components that I'll cover here is wherever you are in the life cycle of detection and response, if you're building a new SOC, if you're trying to mature a SOC, if you need help with run state operations, IBM, cybersecurity services, we run that life cycle. And then finally, this goes for all of our capabilities. We can deliver globally, regionally, locally. If you need bodies on site, we can have those bodies on site, bring all of the goodness in our platform, along with that on-site capability. So I'm always passionate about how technology gets applied to the detection and response problem set. But with that, let's move kind of to the next drumbeat with proactive security. John, this is clearly where X-Force lives and breathes. 
And the infinity circle with the red and the blue and the purple teaming in the middle, doesn't do it justice. What more would you add here?

John Henley

executive
#11

Yes. I think just understanding the whole life cycle of what you've done a great job describing through the rest of this presentation is really getting a good understanding. First from a proactive side of what do you actually care about from your business? Like that's in the discover and kind of assess phases. What is your minimum viable business? What are those systems that you care most about? I can't tell you the number of folks that I work with. Go into an organization for the first time and we'll say, okay, how is your CMDB? "Not great." is usually the answer that we get. And that's part of like those fundamental pieces of security that you got to figure out before you can hope to apply kind of some of these more advanced principles. And so doing the basics, eating your vegetables, so to speak, you still got to do it, right? You can go and exercise, you can take great vitamins and all this other stuff, but you're never going to be able to have -- eat a bad diet. And so you just -- you got to eat your vegetables and get those fundamentals done first. And once you do that, though, a whole world of possibilities opens up into how you can mature your security program. Once you have a great CMDB, once you have a great asset classification discovery programs in place, now we can do all these things like the vulnerability management, like all of the kind of automation pieces that are put in there. Now we have kind of really great data set to train our AI on for anomalous behavior, right? And those kind of user behavior analytics pieces, and we can have better detection and response controls put in place there. And it's not to say that all hope is lost if you don't have that in there, because you're probably in pretty good company. When we look at -- sorry, 1 second. When we -- JV, you want to take over for a second?

John Velisaris

executive
#12

Sure. Yes, absolutely. Maybe where you're going is that there are organizations out there who are sharing these same challenges, right? Of bringing these 2 worlds together. Certainly, organizations who -- I have a pen test once a year or I have a pen test twice a year or maybe good hygiene, I have a pen test every quarter. You may think I'm doing a great job, right? Where everything is moving is kind of to a continuous controls validation. And we've talked about in control validation, tools can only get you so far, right? And so really, if you want to get to lowering risk, if you want to get to managing that exposure, managing the risk to the business, pen testing and security control testing isn't enough. You need to start in code, right? You need to look at scanning code for vulnerabilities. You need to do threat hunting. You need to do vulnerability management. You need to do attack surface discovery to integrate with that CMDB. There's a whole host of proactive security capabilities that not only do you need to do them, they need to come together and they need to inform your ability to detect and respond to threats, right?

John Henley

executive
#13

So that's exactly right. And the only other thing I'd add to that is that it's all underpinned by threat intelligence. So when you have a robust threat intel provider, they should be able to really help your detection response folks, your SOC analysts, your detection engineers. Go far above and beyond just kind of their baseline kind of hunt, right? So getting that robust threat intel added in there really helps.

John Velisaris

executive
#14

Yes. Terrific. All right. So we've been preaching, probably to the choir. But if it's -- if anybody on the call, this isn't the world that you live in, know that these are -- we're very passionate here at IBM Cybersecurity Services about this. We live and breathe this. Obviously, your security practitioners in your organization are probably passionate around it as well, too. But at the end of the day, passion aside, this delivers results, right? This -- and again, a lot of these data points are available in the cost of the data breach report that comes out from X-Force or the Threat Intelligence Index or the cloud security report that just came out, right? So if you work with X-Force, for example, you can lower your incident -- security incident costs by $1.5 million, right? So we're not telling you to do proactive security, get battle-hardened incident response plan just because we're passionate about it. It can have a quantifiable outcome of beneficial outcome to your organization, right? You can cut the amount of time off a breach by 108 days. If you put the type of automation we've been preaching about on this webinar into your organization, right? And you can certainly do what every security team is on the hook to do, enable the business to move forward, right? Enable the business to do what it needs to do. 47% of this came from a Gartner study, but 47% of boards still see cybersecurity risk as a business inhibitor. That's a deal breaker for us as security practitioners, right? We need to -- going back to security being transparent and seamless and frictionless, right? Making these commitments to the good hygiene, the proactive security, the continuous improvement in addition to managing at the enterprise level. All of these things will help us deliver security to the organization that allows them to do what they need to do. So John, anything else from any of the X-Force? I know you guys publish a lot. 
There's probably tons of other value and data points that we can put in terms of proactive security, enterprise integrated threat detection and response. Any other data points that are top of mind for you before we get to the close here?

John Henley

executive
#15

Yes. I think the biggest piece of this is just to stay up to date with the research we do put out, because we put out quite a bit on a regular basis. So you've got that cost of a data breach report, which seeks to quantify what is the impact of data breaches from a financial perspective. Whenever I talk about that report with folks, it's always, hey, you might intuitively know a lot of what's in this report, but we're going to quantify it in terms of dollars and days for you. And that's really important information as you attempt to communicate risk outside of security to business stakeholders, right? So it's really important. Same with the threat intel index, right? How are you going to know who's targeting your industry, where your industry ranks, where your geography ranks as far as what we're seeing attacks from that perspective, what are the trends, what are rents reactors doing, all of that type of stuff. Check out that. So that's the Threat Intelligence Index produced by the X-Force team. And then last, what I would recommend is if you go to securityintelligence.com/x-force. If you're a CISO, your analyst teams are going to love it. If you are an analyst, you should go there yesterday to go and check it out, because we've got a lot of stuff from the offensive side, the defensive side and the threat intel side to arm you with a lot of the information, tactics, techniques, procedures gets very granular to help you do that kind of proactive work, to do all the stuff that John has been talking about this whole time, to give you some of those data points for what we're doing and to show you kind of what we're seeing.

John Velisaris

executive
#16

Yes. John, thank you. X-Force. If you guys aren't familiar, we've been publishing intelligence around vulnerabilities for more than 20 years, and the reports that John is talking about will only cost you $10,000 a piece. No, I'm kidding. They're absolutely free! They're what we -- as security practitioners, this is our give back to the community and believe me, they're not easy. There's a lot that goes into them. If you're not using that value, please do so. So let's talk a little bit more about next steps. If you find this compelling either now or at some point in the future, remember, we have a couple of links here, really easy to get to. You want a workshop with us. You want to say, "Hey, yes, I do have PDR, what are my treatment options?" We can do a half-day workshop, we can even get to 2-day if you want to do super deep. You can schedule an X-Force briefing. So if you -- everything that we talked about from a proactive security and risk reduction perspective, stuff John was talking about. I realize we're both John, so that's kind of easy to get both birds with one stone there. You can schedule an X-Force briefing or just go to the new TDR website on ibm.com. Bookmark that, keep that in your back pocket. And so with that, let's get on to the Q&A. Let's see. Sarah, have you been able to monitor that?

Sarah Dudley

executive
#17

Yes. We have a couple of questions here. One of them being where can people find these reports? So we will plan to send out links to the reports mentioned on today's webinar, the Cost of a Data Breach and Threat Intelligence Index, so that folks can easily access those. A couple of others: is threat detection and response just a managed service?

John Velisaris

executive
#18

Well, absolutely not. There is a managed component to it, and that 24/7 capability will stay up, so you don't have to. But everything that we talked about with the X-Force team, everything that we talked about with the commitment to continuous improvement, those aren't managed services per se. John, I think you would say either subscription or retained services or if you want to technically define those. But before John answers, the takeaway, however, is you can access all of these capabilities under a single contract, right? With IBM. So it is easy for you to do business with us. Again, we're not going to drive a solution based solely on disparate systems and technologies that you want to throw into scope. I don't want to get too deep into managed services versus the consulting or system integration. Just realize that TDR is the way that we've removed the seams in parts of IBM that should be working together to your benefit as a client. That's the whole push behind TDR is bringing the necessary things closer together to achieve those client outcomes that we talked about earlier in the presentation.

Sarah Dudley

executive
#19

Okay. Great. And then just one other. You talked a lot about different DRs today. How is TDR related to MDR?

John Velisaris

executive
#20

Yes. That's -- that we, as a security community, have done ourselves a disservice because certainly, there is good reason for confusion there. The definition of MDR is continuing to evolve. So I won't answer that my way, I'll answer that using analysts. If you look at IDC's definition of MDR, it now includes all those adjacent services. But again, I think a better term is integrated services is a better way to describe that. If you look at the way some of the software vendors talk about MDR, some of the formerly big EDR players, they'll talk about MDR as specific to their technology, right? Which I've already talked about, if that technology is right for you. And it does. It gets you to the outcomes that we talked about earlier in the deck. Great, but most likely, you have multiple technologies running in multiple silos. Most likely, you have PDR these days. And so MDR needs to move beyond a single technology or a single detection and response capability and be more holistic. So MDR is all technologies. And part of what shifted minds is XDR. And I know it's like, "Oh, gosh, why did he open the XDR box," right? What XDR said is DR is more than just EDR. EDR is now XDR that includes more sources of telemetry, more things that detect things. The big moves like security like, Palo Alto XSIAM like the new QRadar suite that go all encompassing, right? From a technology perspective. So data sources, alert sources, log telemetry sources, right? All of those things are now in the bucket of MDR, right? And so that's creating some confusion in the industry around that, there is no unified definition of MDR, to be clear. But MDR is more than a managed service. In TDR, our iteration to move away from that confusion is all encompassing. Although I -- with that answer, I just may have confused people.

Sarah Dudley

executive
#21

[indiscernible] clarifying it. Thank you for that. So I think that's it for questions. We do have a few people asking if the slide will be available on demand? They will be, both the session and the slides will be available after the session ends, I think pretty much immediately on demand. So we'll send those out along with the report links to the 2 reports that were mentioned. So unless you have any other final thoughts or anything from either of the Johns, anything else, if we can wrap up?

John Velisaris

executive
#22

Yes. If people want to read the blog, the PDR blog, John Henley talked securityintelligence.com. I think that's where the blog lives today, so you can head over there and read the blog in addition to consuming a lot of what John was talking about. I'll just say thank you to everybody for giving us your time today. I hope you had fun with PDR. I hope you walked away with a couple of nuggets of inspiration or at least walked away knowing, "Man, those guys, John over at IBM are super passionate about what they do." So thank you very much for all your time. John, anything else to add?

John Henley

executive
#23

No, just thank you for kind of sharing all that thought leadership with us, and thank you, everyone, for sticking with us through a live presentation. You know we actually recorded this live. Here you go.

John Velisaris

executive
#24

For sure.

Sarah Dudley

executive
#25

Thank you, everyone, and enjoy the rest of your day.

John Velisaris

executive
#26

All right. Thanks.
