
October 2, 2024 • 45 mins

Meeting summary (AI-generated)

The meeting discussed technical challenges with editing webinar links, the concept of zero trust as a security approach, the importance of multi-factor authentication and endpoint protection in implementing zero trust, and the need for careful planning and a multi-vendor approach in achieving comprehensive security solutions.

The participants discuss technical issues and difficulties with editing links for a webinar. They talk about their busy schedules and inability to say no to requests. They also have casual conversations about their backgrounds, camping experiences, and military service.

The concept of zero trust originated more than 20 years ago as a way to define a better and closer concept of security. Zero trust is not a product, but an industry concept that vendors contribute to with their products and capabilities.

Everyday examples of zero trust include configuring social media privacy settings and setting parental controls on devices for children. In the industry, examples of zero trust can be seen in multi-factor authentication for banking access and limiting access to specific servers based on individual roles.

Zero trust is a journey and requires the adoption of technologies and tools. Implementing multi-factor authentication (MFA) is essential as relying solely on usernames and passwords is risky.

Endpoint protection and segmentation are important steps in the zero trust journey. Balancing security and usability is crucial, and implementing hidden technologies can frustrate attackers while providing a consistent user experience. Zero trust is a continuous journey and requires ongoing effort and improvement. Implementing zero trust involves careful planning, identifying areas of improvement, and seeking help from experts. It is important to avoid rushing into implementing security measures without considering the specific needs of the company. Zero trust requires a multi-vendor approach and no single vendor can provide a complete solution.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Good afternoon everyone or if you're in the West Coast good morning to you today is Friday October 27th

(00:06):
And welcome to our second session of security and 45
Andres is like, can't believe it's been a month since our last session
But anyway each of these sessions in this webinar series
It's gonna focus on unique security challenges in the industry and we want to talk about how to stay ahead of the game
No slides just good conversation. That's the model for the show

(00:29):
And again, we invite you to enjoy this however is best for you in terms of consuming
So if you want to watch in
Listen in on your headphones from your lunch break jam a walk around the neighborhood, whatever
I hope you enjoyed the last session on
Firewalls and if you missed that check out the recording it really covered some great information about the evolution of Cisco's firewalls

(00:51):
All the way up to the latest and greatest in Firepower
I'll tell you what's on the agenda for today
Well, I'm very excited to be here after one month. This is super awesome
Today we have a really nice discussion about XDR. So I know everybody's excited about it, you know, we've been hearing
So much about it for the last few months and today we're joined by three

(01:17):
Incredible and talented and experienced security experts. So I'm super excited about that. I know we have Brianna
She's the director of
Product management for XDR. We have Nate Austin
He said we shouldn't call him a legend
But we know he's a legend and a technical solutions architect and then we also have Matt Robertson. He's a distinguished technical

(01:39):
engineer
Now the three of them bring a lot to the table and this is going to be the intention is going to be a very relevant
Security conversation and we couldn't be more thrilled to get it started with you guys. So welcome
Thanks, I'm good
Brianna, I think the first question I'll kind of direct it to you just to start it off and then anyone can just chime in

(02:03):
but you know
XDR, you know
That you know, what does that mean to the industry? Maybe not Cisco specific, but just when someone hears about XDR
What are we talking about there?
Thanks Mike and thanks again for the opportunity to be here today with such esteemed colleagues
I think it's a great question and it's a great question not because people don't know how to break out an acronym

(02:26):
But because the breaking out of that acronym has been interpreted so broadly over the last five at least years
And that it's really important for us to take a pause and think through what XDR should mean for us today
So I will start by breaking out the acronym
It stands for extended detection and response and it's really important to think through those three words

(02:48):
Almost separately and then what they should mean coming together
So when we think of XDR, there are other letters or words that have come in front of the DR previously
Endpoint detection and response for EDR, network detection and response for network and so forth
And threat detection and response or detection and response and hunting is not a new concept at all

(03:11):
The way that we do it, the way that we have to do it, the way that we respond to adversaries has changed over the years
And has forced an evolution of our processes and then the tools
But the tools have not always kept ahead of what is needed for catching these adversaries
So the extended is the first piece
It's how we think through extending that visibility and that detection capability through the entire environment

(03:36):
So not just looking at it from an endpoint centric perspective
Even though endpoint telemetry and endpoint detections are really rich and really critical into understanding really what's happening in an environment
It's about going beyond that
How can the email come into play?
How can the network come into play?
And some of the analysts out there right now are actually looking at it very much in that way
There's definitions from Gartner, for example, around it being a unified security incident detection and response platform

(04:02):
That is automatically collecting and correlating data from multiple security components
IDC has a different definition, but it expands into saying that endpoint and network telemetry is critical in play
And bringing those together in a same or similar correlated model
So that extension is key and understanding how we extend through all of our vectors and all of our security components

(04:25):
And then I need to detect what's happening in my environment and be able to equally respond to that
So when we think about it today, XDR, our opinion, not just Cisco, but as practitioners, is that it's an expression of business needs
I need to be able to detect and respond in a meaningful way across my extended environment and understanding what happened there

(04:48):
By correlating, not just aggregating that information together to really understand what happened
Amazing. That's excellent. Yeah, and as you were describing that, just in my mind, I was thinking
If we have all this correlation together and we're talking about the X, the D, and the R components

(05:09):
I'm just thinking about pain points that can be alleviated and we'll get to those here in a little bit
But I'm just starting to go through my mind about the time savings and that nature of activities
Where we only have maybe one or two people running our SOC, for example
So thank you for that great answer there. Yeah, thank you for that

(05:33):
And now we do have another question and this one, Nate, I'm going to start with you on this one
We've heard so much about XDR in the past few months
But I guess our listeners and the people watching us today would like to know why do we need XDR

(05:54):
And if I extend on that question also, what are the problems or challenges that XDR is going to solve for us today
If you don't mind spending a little bit on that
Sure, so starting off with just to tack on to what Brianna said, the definition is so vague
And if you talk to five different people, you're going to get five different answers on what it is and why you need it

(06:18):
If you talk to the identity team, they're going to say it starts and ends with identity
If you talk to an endpoint team, they're going to say it starts with the endpoint
Cisco is obviously a massive networking company and we believe the network has to be foundational to that
As well as all the other components
But I think we really need XDR because of the changing nature of the threats
We're not going to catch a threat with a single solution, with a point product anymore

(06:44):
The detection of malware isn't really reliable anymore
The tools need to focus on the attacker, not the actual files and destinations that they're going to
Because they're using a lot more advanced TTPs, tactics, techniques and protocol and procedures
That they're using to try to evade traditional security tools

(07:06):
So we can't just look at the file hash on the system anymore and say, oh yeah, that's malicious, we need to block it
They're moving around that, they're using things like spear phishing, things like privilege escalation
Other techniques, network connections discovery
Those are things that a traditional tool may not catch, but when we aggregate all that data together

(07:28):
And look at it from a more holistic point of view across the entire security environment that the customer has
That gives us a lot more chance to detect these sorts of events and bubble them up to the right people to take action on them
That's good call effects
One more thing, there's also, this is hard, right?
Being a security incident responder, there's hard work, right?

(07:50):
There's a lot of turnover in the security space, right?
Especially in tier one SOC analysts, they're moving up to tier two, tier three, they're moving on to new positions, right?
So being able to kind of augment what they can deliver and help them be more effective at their job
Provide the tools for them to up level their own skills and up level the organization's response

(08:11):
That's also what XDR is trying to do, right?
We don't want them spending their time on things that aren't going to make a difference
We really want to bubble up the things that are going to make the biggest risk reduction to the enterprise
That's a good call out
Actually, yeah, for all the things that I've seen about XDR, you know, super excited about all that visibility
All those things that we get to see with the tool, it's pretty cool, I will say that

(08:39):
Just to add on to that, I think in my view, as Brianna was describing what XDR is for the industry
And Nate, that quote unquote bubbling up effect, I mean that was one of the main pain points I was thinking about
Just the massive amount of alerts coming from all these products and like where do we start?
And Brianna, you were talking about correlating data together

(09:02):
I guess if we can do that, then to your point, Nate, we could really bubble up the stuff that's more important to us there
Especially for the...
The end goal of security isn't to close as many tickets or incidents as we can, right?
The end goal is to catch the attackers, right? To stop the malicious traffic
So that's what we need to do is make the most relevant incidents bubble up so that we can take action and respond to them effectively

(09:26):
Yes, and like Nate and Matt have probably heard this example from me a million times and won't be tired of hearing it
But to Nate's point, I use an example of the time that if I come home and I see that my front door is unlocked
I might think that that's a little weird because I'm used to locking my front door
But in and of itself, it's an alert that I would have to track down with no additional context

(09:48):
And no information on letting me know definitively that as an asset in my environment
That door was definitely locked when I left or context that somebody else in my house came in and out and failed to unlock it in between
So chasing that down would take a lot of effort, right?
But if I now walk into my house and I see that it's not just that the door is unlocked
Actually, it wasn't even closed, right? It wasn't closed on the threshold

(10:12):
That gets a little weirder. I'm coming home like, hmm, I usually lock my door
I don't think anybody in my house would leave it completely open even, you know, trying to be flush but open
That's a little weird and still don't have any proof that anything happened
But I might cautiously walk into my house being concerned about what's going on
Maybe somebody's hurt. Is somebody broken in?

(10:34):
As I move forward and I don't see anybody in the house, but I see something like my TV missing
Now I have a lot more context to start to say, huh?
Well, last time I checked we weren't moving our TV today
And I don't think that somebody would have walked out without it and now I might even be more concerned that somebody's still in the house
But maybe I checked that out and nobody's there

(10:55):
The version of the story is with more information coming from additional sources of detail
I can understand that I likely have had somebody break into my house and steal my TV
And if I had something even more definitive start to think like endpoint level telemetry
Like a camera in my house where I can now go to the video and see it happening

(11:16):
I could potentially see somebody walking out of my house with my TV and now I would know 100% what happened
But if I were just looking at those different sources, yes, the security camera might have given me that
But if I only had a camera in one part of my house, it might not show me how they got it, right?
So all of those little pieces together help me understand what Nate was saying quickly what happens

(11:38):
I'm a SOC engineer. It's an analyst, excuse me. I don't have as much time to go through each of those individual items as maybe I once did
Because there's thousands of them in a day putting all of that together and now having an understanding of a likely response
I'm okay to stay in the house because nobody's in it
But I should potentially call the police or at least my insurance company that guidance is what we're trying to look at people receiving with XDR

(12:04):
I'm gonna sell that example. Unfortunately, in my case, my eight-year-old would have just left the door open and my dog would be running around
You just have to augment it a little bit, Nate
So my kid ran out and the dog went with them. Nobody was there to bark when somebody tried to steal my TV
You know, in terms of the response part of that, it would be great if I could get notified that my TV was missing

(12:27):
Because if there was an important sports game I was coming home to watch
I would need to know to go straight to the bar after we involved the police and I will also like to use or maybe steal that example
Because I think it outlines XDR pretty much
I liked it
All right, Matt
We've covered XDR as a definition, general concepts of it and the pain points it addresses

(12:52):
What about Cisco's involvement in XDR? How is Cisco taking an approach into XDR?
I know there's a new thing called Cisco XDR
I'm curious how we, being Cisco, align with that industry definition
So that industry definition just kind of emerged as an idea

(13:14):
As Brianna was kind of saying, there's always been threat detection response products
Extended detection response conceptually was just like, hey, we need to make random detection response better than it was
We extend it, it's better
So there's different ways you can approach that, which is we make an individual product better, which is what some vendors will do

(13:37):
But we at Cisco are like, hey, we actually have a lot of products
And then we can make each individual one better or what we could do is create a whole new product and call it XDR
And that's what we have
So Cisco XDR is actually a new product offer
A new product offer that is built upon downstream data sets

(13:58):
And then that really feeds into our strategy was like, we wanted to create a productivity tool for the Security Operations Center
Our unofficial official guiding principle was make every tier one analyst as effective as a tier two
Which really just means get all of the appropriate data presented to the user in such a way that they can make decisions faster and more effectively

(14:24):
And that's what Cisco XDR is, it is a productivity tool
It is not new, it is on top of all the other products
And because we made that decision, it is a product on its own, it is not an enhancement to existing products, it's a new product
That also fed into our strategy on the need to be open in the sense that Cisco XDR integrates with products that aren't ours, aren't Cisco products

(14:52):
Regardless of what endpoint detection response product you own, you can get value out of Cisco XDR
Regardless of what network detection response product you own, you can get value out of Cisco XDR
Regardless of what firewalls you own, you can get more value out of it
And so we have a list of strategic integrations that we're going to curate and we're going to bring forward
And then there is the ability to build your own and all that fun stuff that you can do

(15:13):
But we're looking at, we're an open ecosystem
The XDR product is a thing that stands on its own, it is about providing efficiency to the Security Operations Center
And so that was our first major decision, product needs to be open
The other thing that we did is we were looking at what does it mean to be extended detection response?

(15:35):
What are the most foundational pieces of data that a security operator needs to do their job?
The easy one was endpoint, its foundational to the Security Operations Center
The other one that was really high on the list is network data
And not just firewall logs, network data, meaning network logs, flow logs, describing east-west communication in the environment

(16:03):
And we looked at our products based on, hey, we're masters at network analytics already
We've got great product sets here, we've got great data, we know exactly how to succeed in this
And so we made network detection and response foundational to our entire product strategy, to our approach to XDR

(16:24):
Endpoint and network and firewall are foundational first-class citizens in Cisco XDR
Outstanding, I think it's pretty important about the open portion of that
Because I think original attempts at XDR just didn't work that well

(16:46):
They're going to work within their own vendor, but nothing external
So that I think is pretty important
And then certainly, yeah, that's a great point about the network foundation there
Because Brianna, you were mentioning at the beginning about maybe even bringing in email
And Matt, if we're really communicating across the network, I guess we're going to have a much better view just beyond just the endpoint

(17:09):
Especially when it comes to correlating threats as they spread
Absolutely. Email is a really good example of something
I was just talking with a customer about an hour ago and showing them what XDR does
And they're like, oh, can you block the email that that attachment came in on?
I'm like, yeah, sure, you can work that out

(17:31):
That's as a response, here's the badge, here's the example I was talking through
The user had been, there was a phishing email had gone in, they'd executed it, gone to a bad domain and all that
Worked through investigation backwards, he's like, hey, now can we just block that email next time it comes in, block that phishing
That's the thing that we want to be able to do

(17:52):
From detection backwards through to the original point of infiltration
And then, hey, let's prevent that from going forward
That's exactly it
The response part is, oh, go ahead, Andre
I was just going to say the response part is key there because correlating all this data
But Brianna, you talked about that TV being stolen
If you could respond by automatically calling the police or, Matt, your example just automatically block that host or that email account

(18:17):
The response portion being key
I was going to mention something very similar, Mike, on the response
The response is very key
We've seen a lot of products out there that they promise that the response is going to be the main part of the product
But we haven't seen too much of that

(18:39):
And I think this is bringing a lot of value to the product
Just because we have multiple ways to respond, block that traffic, re-authenticate those ports
There's many things that we can do and we'd like to see the action on what we see today
Awesome, that was
Before we move maybe to the next topic, if I could just really quickly jump in on something you said

(19:03):
Mike, you mentioned what people were looking at for XDR previously and maybe what they might be looking for now
I think it's important. Nobody's trying to trash what happened for XDR previously
Or what vendors who were really innovative in that space brought up and started thinking through
It's just the difference of what you need now and then
People purchase new cell phones

(19:26):
They purchase new cell phones because as much as I adore my BlackBerry, it probably wouldn't serve me in the way I think it would today
I have fond memories of it. I still want one, I'm not going to lie
But when I think through it, it wasn't going to do for me what my new phone will do
So you need to think through what Matt was just saying and what you were just saying when you're looking for an XDR solution

(19:47):
Don't look at XDR for what it was looked at five years ago
Look at it for what you need now and five years from now
That's a great point. I really miss my BlackBerry
I just remember jamming all those keys into that one little keypad
Did we just date ourselves?
No, not at all

(20:09):
It's okay
We'll definitely have a few people on the cast who will be like, what's a BlackBerry?
And that gives them a Googling event for later and then they can share something that we both know
There you go, yes
Yeah, so moving on to our next question
I know we talked a lot about what it is, what is Cisco doing, how we approach it

(20:32):
But I guess the one thing that I want to see is if we can see exactly who Cisco XDR is designed for
And Nate, if you don't mind going through that and then we go through the room just to make sure that we get our perspectives
And see who do you think XDR will be designed for today

(20:55):
Yeah, sure. So I might have a little different perspective on this
I'm in the field so I'm talking with customers on a regular basis so I kind of hear their input as well as what we think internally
And I've kind of heard across the spectrum that it's for a lot of people
I think if you are, absolutely if you're a customer that doesn't have a mature SOC

(21:16):
That this is right up your alley
This is a tool that can really provide an incident response kind of playbook for you
There's Casebook's ability to kind of structure your response to an event
And just correlate across multiple tools where you may not have the people that have the knowledge to do that
Without a tool that will help them accomplish that

(21:37):
So definitely with customers and users without a mature SOC will definitely see value from this product
And I think that this is actually the first solution I think really that Cisco has had that really plays, is designed for the SOC
In a way, most of the other things are kind of targeted at the prevention
Which is great, if we can prevent something from happening, we want to do that

(22:00):
But this is the first one where we're really taking a step back and saying, hey, there's going to be stuff that's going to get through
We need to be able to correlate that and respond for you
But I've also talked with larger customers with really mature SOC processes
They have their own playbooks, they have their own automation and orchestration capabilities
So some of those aspects they may not leverage in the system
But there are some areas where it can still help

(22:22):
It can still, that kind of tier one SOC analyst that are constantly turning over
Maybe they don't have the same experience to go and do the complex queries that are needed for some of those playbooks
Well, this can again help them look at some of those incidents and prioritize them from an early standpoint
Threat hunting, they can still use it for threat hunting capabilities with the tool

(22:45):
So even if you're not using the full functionality, there's still some benefit for larger customers with mature SOCs
You're not Cisco shops, right?
So that's another thing where in the past, if you had Cisco products, great, they'd work together
We have native integrations with our solutions, right?
But if you have a third party solution, maybe those integrations don't work so well, right?
You have to code something custom
Well, XDR is built with that in mind

(23:07):
So if you are somebody with Microsoft Defender endpoint, right?
We can still enrich and we can add endpoint context to those incidents from those applications, right?
If you're using Exabeam in your environment or Cybereason, we can enrich and decorate the incidents so that there's more information there for them

(23:28):
If you're a Palo shop, right?
You can actually automate and orchestrate responses from XDR to Palo Cortex
So a lot of different things are if you're CrowdStrike, we can create incidents
We can generate incidents based off of your endpoint, this is a non-Cisco endpoint and then pull in our network telemetry
And combine those together to build an attack chain
So you don't have to be a Cisco shop to get value out of XDR, right?

(23:51):
The security is a team sport, I think all vendors and we have to work together to...
Our enemy is not other vendors, our enemy is the adversaries, right?
Great point. I really like that last part because yeah,
Preventing the threat is the key and it really doesn't matter which vendor or endpoint product you have

(24:15):
If we can work with them to kind of integrate that across the board
Yeah, I think anyone in security, you know, we're in it to stop them from bad guys, right?
I mean, that's what we want to do, right? That's why I'm here at least, so...
Excellent. Thank you, Nate.
Now, in terms of the integrations, and Nate kind of just touched on one Microsoft Defender

(24:37):
But can you tell me a little bit about the native integrations of Cisco XDR?
I think for the audience, if you have an example of like a real-life use case
Maybe something that Cisco XDR could detect in one product and maybe use another product to respond
Anything along those lines, I think that'd be really cool to hear
Yeah, so we have a number of native integrations in Cisco XDR

(25:05):
We took their approach strategically, as I mentioned, foundational data sets like network and endpoint
Are able to provide data into the analytics engine
And we have a number that are in our near-term roadmap to continue to either provide data and or enrich existing incidents
So what we're really, really good at is detecting some...

(25:30):
Specifically in the network detection space, detecting things that you would otherwise have missed
So things like repetitive malware outbreaks
Where you don't necessarily have an endpoint detection response product on every asset
So one of the reasons network is so foundational in my mind is everything is connected to the network

(25:58):
But not everything necessarily has an endpoint agent on it
By some stats, roughly 30% of assets inside of an enterprise might actually have an EDR on it
Other assets, printers, phones, OT devices, servers, etc.
They might not have endpoint agents
And so one customer, this is a story from a few years ago

(26:21):
We were working with, had a repetitive malware outbreak
Same piece of malware, they find it, it kept popping up on AMP or Cisco Secure Endpoint, as we call it now
They'd get these detections that, oh, we've got it, we'll clean it up, they were wiping assets on a regular basis
They were finding these detections that were showing up, but they never could figure out who patient zero was

(26:45):
We deployed, at the time, Secure Cloud Analytics, now a foundational part of XDR
To collect network flow data, run analytics, see what was happening inside of the department
And fairly quickly we found that patient zero, or the source of this malware outbreak
Was actually an old network attached storage server that had been infected
And then she said there was no agent on it, it was just sitting there, had this piece of malware that kept going

(27:10):
Sending its little payload around, and eventually ran somewhere and the customer was having fun
And not having fun with that particular outbreak
But patient zero, it was this old master who had featured this time
Because we were able to trace the network activity back to this one particular asset and remediate that outbreak
And this goes through for a number of different ways you want to look at it

(27:32):
The only way to sometimes solve the advanced threat is you need data from multiple different domains
Network, email, endpoint, cloud, all of these are native integrations that we have
And you need data correlated throughout
That's an amazing example of where Andres and Mike before were talking about the response piece as well

(27:54):
Because there's no response that's being taken on that NAS system
Because it doesn't have anything on it to do that
But by bringing that information together, we would be able to help orchestrate a response
Or at least guide a response even if it was manual to close that loop to stop that from happening
So that that malware didn't keep getting accessed or propagated or popping up

(28:15):
And I think that's a great example about bringing the importance of that network telemetry
As opposed to just the endpoint
Without that, Matt, it sounds like maybe that would have gone unresolved
It would go on for years is what would happen
You can block it all you want on your, I'll use the 30% number
You can block it all you want on 30% of the assets in your environment that have an effective EDR

(28:39):
But the rest of them don't for whatever reason
And it's crazy how those devices are overlooked today
You don't think about it when you start thinking about that strategy
So that's I think very impressive
All right, I want to say something real interesting

(29:00):
We've been 33 minutes without talking about AI and I'm about to break that record
We could have gotten it
I guess the AI algorithm just kicked in
And like I've just been too long since, no one mentioned me
Mind your jumping in
It always wins
Actually I wasn't

(29:21):
Yeah, last week we went on a presentation that was 20 minutes without talking about AI
So I actually feel very happy about that
All right, so this question is for you, Brianna
I know you love that subject
And basically we want to know and I think all of our listeners want to know

(29:42):
What is the role that we play in AI that Cisco XDR will play in AI?
I know Cisco as a whole has a whole story behind that
But what can you share about that?
Actually, Andres, I'm changing my tune
I love the question, right?
The practitioner part of me is still looking for my German shepherd
Another reference that people can Google every time I hear AI nowadays

(30:06):
But at the same time we need to embrace the benefit that AI can provide
But I think what's really important is to think through
AI is more mainstream conversation now
But that doesn't mean it's new
And it doesn't mean that there aren't types of AI that have been in place for a while
Or aspects of generative AI

(30:27):
So in Cisco XDR, Nate mentioned alerts and alert chains previously
That is not something that somebody is sitting there manually doing
As your events come in, that would be insane
We would never be able to provide you with an extended detection and response incident in a timely fashion
So alerts coming in from different sources and being chained together
And that correlation of did the event that happened on Mike's system and the event that happened on Andres' system

(30:52):
Are those both part of the same event?
That being correlated together is part of what we use AI for today
Also, for when we look at things like dynamic and automated responses
So our ability to say, here's a guidebook by which you can go through
And yes, that's static, but as we continue to move forward in the development of XDR
Making that more dynamic and saying something as simple as

(31:14):
When I look at what has been presented, I want to guide you to take a response
Maybe that response is to quarantine a system, maybe that response is to enact a quarantine rule on a firewall
And when we do that, what sort of context do we give you?
Well, I wouldn't want to present you as an analyst who has little time
And is trying to respond quickly and may or may not have all same levels of knowledge

(31:38):
I wouldn't want to present you with something that says block this IP when I'm not giving you an IP to do it with
And that's a really small example, but those can get much more complex
Related to what's in your environment and what assets would you be authorized to block and not block in the first place
So that's another way that we're leveraging that
It also is used to bring threat intelligence in, so not only to help create and combine threat intelligence

(32:02):
We leverage our Talos team and what they're bringing together for that
But a lot of processing of more basic level threat intelligence comes at an AI layer
But it enriches threat hunting in our investigations
So being able to bring that enrichment in and understand what is happening or could have been related to a hunt or search that you have through your environment
And then when we think about why AI is so prevalent nowadays

(32:25):
We think of the boom that ChatGPT brought and showed people the cool things that could come out of something like a generative AI
And what we call a chat bot style usage of generative AI
And without getting into too many technical terms
There's concepts behind that called things like large language learning models
Where a model is simply learning
It could listen to Brianna speak all day and then try to understand not only how it would answer a question that you would ask Brianna

(32:52):
But how Brianna would phrase her question
What types of words would she use?
How would she inflect upon that?
So generative AI is not new
All Cisco products have had AI for a long time
And many of them are using things like large language learning models
Including Cisco XDR. Matt mentioned email previously
That's definitely been using it
When you think about how people write emails

(33:13):
Right
How do I confirm that the email that's sent from Brianna to Mike is from Brianna and not a business email compromise trying to trick Mike to do something because it sounds like Brianna
So when you think about things like that, that has a lot of that back end AI modeling built in it
And we will continue to assess AI and how to best use it and how to best present it in ways that's not just delightful for our customers

(33:38):
And lets them interact the way that they would like to but in ways that are meaningful
That's awesome
That's awesome
Yeah, we hear about AI so much
And many people realize that we've been doing AI for the longest time for many, many different things
Yeah, and credit in the industry so have others, right?
I mean it's not, it's just something that is more relevant I think for common mainstream now that people may not realize

(34:02):
It's in everything that you do
You know, a large vendor that you may purchase a lot of things from online and might have a device in your house or on your phone that you talk to
That's AI in the background
Yes, it's going off
So what about, now the next one and we might have to speed it up just a little bit for the sake of time for these next couple

(34:25):
But what about, is Cisco XDR a SIEM? Matt, I'll give that one to you
Like I hear that all the time, like cool, this is a SIEM replacement, right?
The answer is no, it's the short answer
That's the TLDR one
The longer one is
So the fundamental difference is what data and visibility into data

(34:49):
Cisco XDR is an analytics engine
It is a soft productivity tool
The objective is analytics on top of data to produce a detection, a prioritized detection and guided response to it
Whereas a SIEM's objective in life is to collect the data and provide that data to the user to build outcomes on top of it

(35:11):
We're focused on the outcome, as opposed to the data itself
So would it be safe to say that Cisco XDR works with a SIEM?
Absolutely, we are complementary
If you had a dime for every time that somebody asked you that question though, Matt, would you be able to retire by now?

(35:32):
Yes, short answer, yes
I'd keep working just because that's like free money
Or a dime for every time someone's like, what does XDR stand for?
Right
So many
Well, thank you for that

(35:54):
Yeah, thank you for that
Actually, I think we're running pretty short on time
So we're going to fly through the next two questions
I think this one's going to be important, our listeners are going to be very interested in this one
This one's for you, Nate
What is Cisco's plan for Secure X and Secure Cloud Analytics?

(36:19):
If you don't mind just going a little bit on that
Yeah, sure
This actually came up in the Q&A as well, so very timely
I think of XDR as really the evolution of both SecureX and Secure Cloud Analytics
There are components of both that are in XDR
The detection and analytics engine of Secure Cloud Analytics, I think Matt mentioned this earlier, is the backbone of XDR

(36:44):
If you are an existing Secure Cloud Analytics customer, you are entitled to XDR
So we're converting everyone's accounts, you'll get an XDR tenant
And you'll be able to take advantage of some of the enhanced functionality that XDR can provide your organization
SecureX was a little different
SecureX was kind of our first foray into an XDR space

(37:06):
I think that there were some benefits that SecureX provided around orchestration and automation capabilities that some users would like out of it
But it didn't really deliver on the, and it wasn't necessarily meant to, deliver on the full prioritization of its
So there's a lot more functionality in XDR than SecureX

(37:28):
SecureX has been end of life. It was a solution that was granted as an entitlement to everyone who had a Cisco security product
But it is end of life at this point, which means that no new users are able to sign up for a SecureX account
If you do have a SecureX account, if you were using it, it will stay in place until, I believe, next July

(37:50):
But at that point, it will essentially cease to exist
So if there is functionality in SecureX that customers are using today
It's time to maybe look at what XDR can provide, is that the right option, are those use cases that we can address with XDR as well?
Good question, I think that's on a lot of people's minds, so thanks Nate for covering that

(38:13):
Brianna, I don't know how deep you can get into this, and we really only got about 30 seconds anyway before we move on
But is there anything you can tell us maybe that's up and coming for Cisco XDR, like any secrets or stuff on the roadmap?
Yeah, I think I could tap in a little bit, so hopefully people have heard about our Oort acquisition, if you haven't
It's in the identity threat detection and response space, so that piece is not secret, but what we can share is that up and coming

(38:40):
We're looking at bringing that into XDR to bring identity as a source into XDR and really be able to respond and provide those meaningful capabilities, so that's really exciting
Matt had mentioned the responsive capabilities and we had talked about those guided responses, guiding people more and more towards being comfortable accepting automated response, so truly automated response

(39:01):
Hey, I'm going to lock the door, lock my robber in and call the cops when I see the TV come off the wall
And being confident in doing that, things like that are what we're going to try to continue to gain customers trust in, and then more around AI
So you have seen certain things around guided assistance through hunting and through investigations and incidents, that's forthcoming as well, and I think we will leave it there for today

(39:24):
Awesome, awesome. And I didn't get to see a little bit of Oort, or hopefully I'm saying that correctly. No, it was pretty cool. All right, so
Do you want to say anything about some certain changes that are coming out for endpoint integrations that might actually be in production today?

(39:45):
So Nate snuck it in earlier, but yes, let's call it out. So as we look at the integrations for what we're doing around correlated incidents going beyond the responsive and the enrichment and hunting capabilities
Our CrowdStrike endpoint integration that allows us to create new incidents or have those events be correlated into incidents is in progress and or deployed to Matt's point, so you're hearing it straight out of the gate live

(40:12):
You should be seeing that ASAP if you are an existing customer or testing it out and if you're not and you're a CrowdStrike customer, come on have a conversation with us. We would love for you to see it
We have this question on the agenda. I was not expecting this. This is great. Yeah, me as well. Now that's one thing people probably don't realize about the show: it's not scripted. So I literally just learned all that information. So thank you. That's great.

(40:38):
All right, so we're up on time, but we did have three really serious questions. We're going to give you each just 10 seconds to answer, and then we'll kind of summarize this up and we'll get out of here.
Matt, I'm going to give this one to you, and just in 10 seconds or less. What number is higher per day: the number of times you get asked what XDR stands for, the number of cups of coffee you drink in a day, or the number of times you explain what XDR is?

(41:10):
Is it even close?
Okay, okay.
All right. All right.
All right, I'm going to go with the next one. And this is for you, Nate. If you could magically apply XDR to any routine of your life, what would it be?
I mean, I guess the prioritization and risk reduction, like XDR can provide you in an incident. I guess I'd apply that to like my to-do list at home, like if I knock these things off, which ones are going to get me yelled at less by my partner if I finish these. Right. So that's my risk score that I'm trying to reduce.

(41:48):
I love that.
Now poking a little bit of fun at ourselves about how Cisco is always changing the names of all of our products and everything. Brianna, would you bet yes or no on whether Cisco will change the name of Cisco XDR within a year from today's date?
I would bet no.

(42:09):
Okay, no, especially if Matt and I are still here.
Okay, great.
Excellent. Well, it's always fun to poke a little self fun there.
Andres, what do you say we recap this and get on our way here?
I'll tell you my big takeaways for today. We started off with that industry definition. I talked about a unified platform for correlating incidents.

(42:39):
We talked about bubbling the ones up that are important. And then we had several examples of taking automated or manual responses. And I like Brianna's example about that TV thing. I think that's actually something I'll be using.
Matt touched on Cisco's definition and how, you know, we're known as a network company. Why don't we use that ability when we're talking about threat correlation and response, so we can go beyond just the endpoint?

(43:07):
And, and in terms of solving problems.
You talked about who uses Cisco XDR, and XDR in general, for quicker detection, remediation, and threat hunting. And you know, I really like to get that bubbling up so that we can just have some time back, especially for those teams that have just a couple of people on their SOC.

(43:30):
The native integrations are great. Matt, I think it's really awesome that we've taken an open standard approach. CrowdStrike right at the end, that little teaser was pretty cool. To Nate's point, it's about stopping the bad guy, and it really shouldn't matter
what endpoint product you have. So those are the big takeaways for me. Andres. Also, Mike, thank you. In my case, I'm very excited about when we get to talk about AI, the artificial intelligence, when we get to talk about all those things.

(44:04):
And still I feel it's something that I need to understand more. And it's been there, kind of new, but it's exciting. So I always welcome that. The XDR versus SIEM capabilities,
I know we, we get a lot of questions every day from customers on this one. And I think it was very clear.

(44:26):
the vision that we have with the products.
And I'm very excited about it. Now moving on to some things that we may not see in the future that we're seeing today: SecureX and Secure Cloud Analytics. You know, what is their purpose in life in a few months coming?
That was really good. And the other thing I wasn't expecting was the teaser on CrowdStrike. So very excited about that. And yeah, that's my take on the whole session, and I just want to thank you all for taking the time.

(45:01):
Yeah, really big. Thank you. Brianna, Matt, Nate for your time and expertise and just generally the good you do in the security industry. Really much appreciated.
Okay. So, the next call is November 16th. The topic is securing the user and the endpoint. Registration for that is open, I believe it is. Okay. All right. Well, I hope you've enjoyed the Sefin of security and 45. Stay safe and secure, everyone.

(45:31):
And we will see you on the next episode. Bye. Thank you. Have a good one.
Everyone. Thank you.