1
00:00:00,000 --> 00:00:06,680
Good afternoon everyone, or if you're on the West Coast, good morning to you. Today is Friday, October 27th

2
00:00:06,680 --> 00:00:10,240
And welcome to our second session of security and 45

3
00:00:10,800 --> 00:00:13,680
Andre is like, can't believe it's been a month since our last session

4
00:00:14,480 --> 00:00:18,540
But anyway each of these sessions in this webinar series

5
00:00:18,560 --> 00:00:24,960
It's gonna focus on unique security challenges in the industry and we want to talk about how to stay ahead of the game

6
00:00:25,200 --> 00:00:29,300
No slides just good conversation. That's the model for the show

7
00:00:29,300 --> 00:00:35,060
And again, we invite you to enjoy this however is best for you in terms of consuming

8
00:00:35,060 --> 00:00:36,940
So if you want to watch in

9
00:00:36,940 --> 00:00:41,020
Listen in on your headphones from your lunch break, jam a walk around the neighborhood, whatever

10
00:00:41,020 --> 00:00:43,780
I hope you enjoyed the last session on

11
00:00:44,420 --> 00:00:51,420
Firewalls and if you missed that check out the recording it really covered some great information about the evolution of Cisco's firewalls

12
00:00:51,420 --> 00:00:54,220
All the way up to the latest and greatest in Firepower

13
00:00:55,060 --> 00:00:57,460
I'll tell you what's on the agenda for today

14
00:00:57,460 --> 00:01:02,940
Well, I'm very excited to be here after one month. This is super awesome

15
00:01:03,820 --> 00:01:10,380
Today we have a really nice discussion about XDR. So I know everybody's excited about it, you know, we've been hearing

16
00:01:11,100 --> 00:01:16,420
So much about it for the last few months and today we're joined by three

17
00:01:17,020 --> 00:01:23,060
Incredible and talented and experienced security experts. So I'm super excited about that. I know we have Brianna

18
00:01:24,060 --> 00:01:26,060
She's the director of

19
00:01:26,060 --> 00:01:29,420
Product management for XDR. We have Nate Austin

20
00:01:29,420 --> 00:01:31,740
He said we shouldn't call him a legend

21
00:01:31,740 --> 00:01:38,940
But we know he's a legend and a technical solutions architect and then we also have Matt Robertson. He's a distinguished technical

22
00:01:39,660 --> 00:01:41,140
engineer

23
00:01:41,140 --> 00:01:48,060
Now the three of them bring a lot to the table and this is going to be the intention is going to be a very relevant

24
00:01:48,060 --> 00:01:54,620
Security conversation and we couldn't be more thrilled to get it started with you guys. So welcome

25
00:01:54,620 --> 00:01:56,620
Thanks, I'm good

26
00:01:56,620 --> 00:02:02,500
Brianna, I think the first question I'll kind of direct it to you just to start it off and then anyone can just chime in

27
00:02:03,300 --> 00:02:05,300
but you know

28
00:02:05,300 --> 00:02:07,300
XDR, you know

29
00:02:07,300 --> 00:02:13,660
That you know, what does that mean to the industry? Maybe not Cisco specific, but just when someone hears about XDR

30
00:02:13,660 --> 00:02:15,660
What are we talking about there?

31
00:02:16,220 --> 00:02:20,220
Thanks Mike and thanks again for the opportunity to be here today with such esteemed colleagues

32
00:02:20,220 --> 00:02:26,420
I think it's a great question and it's a great question not because people don't know how to break out an acronym

33
00:02:26,420 --> 00:02:33,620
But because the breaking out of that acronym has been interpreted so broadly over the last five at least years

34
00:02:33,620 --> 00:02:38,900
And that it's really important for us to take a pause and think through what XDR should mean for us today

35
00:02:38,900 --> 00:02:41,300
So I will start by breaking out the acronym

36
00:02:41,300 --> 00:02:48,140
It stands for extended detection and response and it's really important to think through those three words

37
00:02:48,140 --> 00:02:53,140
Almost separately and then what they should mean coming together

38
00:02:53,140 --> 00:03:00,140
So when we think of XDR, there are other letters or words that have come in front of the DR previously

39
00:03:00,140 --> 00:03:05,140
Endpoint detection and response for EDR, network detection and response for network and so forth

40
00:03:05,140 --> 00:03:11,140
And threat detection and response or detection and response and hunting is not a new concept at all

41
00:03:11,140 --> 00:03:18,140
The way that we do it, the way that we have to do it, the way that we respond to adversaries has changed over the years

42
00:03:18,140 --> 00:03:22,140
And has forced an evolution of our processes and then the tools

43
00:03:22,140 --> 00:03:27,140
But the tools have not always kept ahead of what is needed for catching these adversaries

44
00:03:27,140 --> 00:03:29,140
So the extended is the first piece

45
00:03:29,140 --> 00:03:36,140
It's how we think through extending that visibility and that detection capability through the entire environment

46
00:03:36,140 --> 00:03:39,140
So not just looking at it from an endpoint centric perspective

47
00:03:39,140 --> 00:03:47,140
Even though endpoint telemetry and endpoint detections are really rich and really critical into understanding really what's happening in an environment

48
00:03:47,140 --> 00:03:48,140
It's about going beyond that

49
00:03:48,140 --> 00:03:50,140
How can the email come into play?

50
00:03:50,140 --> 00:03:52,140
How can the network come into play?

51
00:03:52,140 --> 00:03:56,140
And some of the analysts out there right now are actually looking at it very much in that way

52
00:03:56,140 --> 00:04:02,140
There's definitions from Gartner, for example, around it being a unified security incident detection and response platform

53
00:04:02,140 --> 00:04:07,140
That is automatically collecting and correlating data from multiple security components

54
00:04:07,140 --> 00:04:15,140
IDC has a different definition, but it expands into saying that endpoint and network telemetry is critical in play

55
00:04:15,140 --> 00:04:18,140
And bringing those together in a same or similar correlated model

56
00:04:18,140 --> 00:04:25,140
So that extension is key and understanding how we extend through all of our vectors and all of our security components

57
00:04:25,140 --> 00:04:31,140
And then I need to detect what's happening in my environment and be able to equally respond to that

58
00:04:31,140 --> 00:04:40,140
So when we think about it today, XDR, our opinion, not just Cisco, but as practitioners, is that it's an expression of business needs

59
00:04:40,140 --> 00:04:48,140
I need to be able to detect and respond in a meaningful way across my extended environment and understanding what happened there

60
00:04:48,140 --> 00:04:54,140
By correlating, not just aggregating that information together to really understand what happened

61
00:04:54,140 --> 00:05:01,140
Amazing. That's excellent. Yeah, and as you were describing that, just in my mind, I was thinking

62
00:05:01,140 --> 00:05:09,140
If we have all this correlation together and we're talking about the X, the D, and the R components

63
00:05:09,140 --> 00:05:14,140
I'm just thinking about pain points that can be alleviated and we'll get to those here in a little bit

64
00:05:14,140 --> 00:05:24,140
But I'm just starting to go through my mind about the time savings and that nature of activities

65
00:05:24,140 --> 00:05:28,140
Where we only have maybe one or two people running our SOC, for example

66
00:05:28,140 --> 00:05:33,140
So thank you for that great answer there. Yeah, thank you for that

67
00:05:33,140 --> 00:05:40,140
And now we do have another question and this one, Nate, I'm going to start with you on this one

68
00:05:40,140 --> 00:05:46,140
We've heard so much about XDR in the past few months

69
00:05:46,140 --> 00:05:54,140
But I guess our listeners and the people watching us today would like to know why do we need XDR

70
00:05:54,140 --> 00:06:03,140
And if I extend on that question also, what are the problems or challenges that XDR is going to solve for us today

71
00:06:03,140 --> 00:06:06,140
If you don't mind spending a little bit on that

72
00:06:06,140 --> 00:06:13,140
Sure, so starting off with just to tack on to what Brianna said, the definition is so vague

73
00:06:13,140 --> 00:06:18,140
And if you talk to five different people, you're going to get five different answers on what it is and why you need it

74
00:06:18,140 --> 00:06:23,140
If you talk to the identity team, they're going to say it starts and ends with identity

75
00:06:23,140 --> 00:06:26,140
If you talk to an endpoint team, they're going to say it starts with the endpoint

76
00:06:26,140 --> 00:06:30,140
Cisco is obviously a massive networking company and we believe the network has to be foundational to that

77
00:06:30,140 --> 00:06:32,140
As well as all the other components

78
00:06:32,140 --> 00:06:38,140
But I think we really need XDR because of the changing nature of the threats

79
00:06:38,140 --> 00:06:44,140
We're not going to catch a threat with a single solution, with a point product anymore

80
00:06:44,140 --> 00:06:48,140
The detection of malware isn't really reliable anymore

81
00:06:48,140 --> 00:06:56,140
The tools need to focus on the attacker, not the actual files and destinations that they're going to

82
00:06:56,140 --> 00:07:02,140
Because they're using a lot more advanced TTPs, tactics, techniques and protocol and procedures

83
00:07:02,140 --> 00:07:06,140
That they're using to try to evade traditional security tools

84
00:07:06,140 --> 00:07:12,140
So we can't just look at the file hash on the system anymore and say, oh yeah, that's malicious, we need to block it

85
00:07:12,140 --> 00:07:18,140
They're moving around that, they're using things like spear phishing, things like privilege escalation

86
00:07:18,140 --> 00:07:22,140
Other techniques, network connections discovery

87
00:07:22,140 --> 00:07:28,140
Those are things that a traditional tool may not catch, but when we aggregate all that data together

88
00:07:28,140 --> 00:07:35,140
And look at it from a more holistic point of view across the entire security environment that the customer has

89
00:07:35,140 --> 00:07:42,140
That gives us a lot more chance to detect these sorts of events and bubble them up to the right people to take action on them

90
00:07:42,140 --> 00:07:44,140
That's good call effects

91
00:07:44,140 --> 00:07:47,140
One more thing, there's also, this is hard, right?

92
00:07:47,140 --> 00:07:50,140
Being a security incident responder, there's hard work, right?

93
00:07:50,140 --> 00:07:53,140
There's a lot of turnover in the security space, right?

94
00:07:53,140 --> 00:07:59,140
Especially in tier one SOC analysts, they're moving up to tier two, tier three, they're moving on to new positions, right?

95
00:07:59,140 --> 00:08:06,140
So being able to kind of augment what they can deliver and help them be more effective at their job

96
00:08:06,140 --> 00:08:11,140
Provide the tools for them to up level their own skills and up level the organization's response

97
00:08:11,140 --> 00:08:13,140
That's also what XDR is trying to do, right?

98
00:08:13,140 --> 00:08:17,140
We don't want them spending their time on things that aren't going to make a difference

99
00:08:17,140 --> 00:08:22,140
We really want to bubble up the things that are going to make the biggest risk reduction to the enterprise

100
00:08:22,140 --> 00:08:24,140
That's a good call out

101
00:08:24,140 --> 00:08:31,140
Actually, yeah, for all the things that I've seen about XDR, you know, super excited about all that visibility

102
00:08:31,140 --> 00:08:39,140
All those things that we get to see with the tool, it's pretty cool, I will say that

103
00:08:39,140 --> 00:08:47,140
Just to add on to that, I think in my view, as Brianna was describing what XDR is for the industry

104
00:08:47,140 --> 00:08:53,140
And Nate, that quote unquote bubbling up effect, I mean that was one of the main pain points I was thinking about

105
00:08:53,140 --> 00:08:59,140
Just the massive amount of alerts coming from all these products and like where do we start?

106
00:08:59,140 --> 00:09:02,140
And Brianna, you were talking about correlating data together

107
00:09:02,140 --> 00:09:10,140
I guess if we can do that, then to your point, Nate, we could really bubble up the stuff that's more important to us there

108
00:09:10,140 --> 00:09:11,140
Especially for the...

109
00:09:11,140 --> 00:09:15,140
The end goal of security isn't to close as many tickets or incidents as we can, right?

110
00:09:15,140 --> 00:09:18,140
The end goal is to catch the attackers, right? To stop the malicious traffic

111
00:09:18,140 --> 00:09:26,140
So that's what we need to do is make the most relevant incidents bubble up so that we can take action and respond to them effectively

112
00:09:26,140 --> 00:09:32,140
Yes, and like Nate and Matt have probably heard this example from me a million times and won't be tired of hearing it

113
00:09:32,140 --> 00:09:39,140
But to Nate's point, I use an example of the time that if I come home and I see that my front door is unlocked

114
00:09:39,140 --> 00:09:43,140
I might think that that's a little weird because I'm used to locking my front door

115
00:09:43,140 --> 00:09:48,140
But in and of itself, it's an alert that I would have to track down with no additional context

116
00:09:48,140 --> 00:09:54,140
And no information on letting me know definitively that as an asset in my environment

117
00:09:54,140 --> 00:10:01,140
That door was definitely locked when I left or context that somebody else in my house came in and out and failed to unlock it in between

118
00:10:01,140 --> 00:10:03,140
So chasing that down would take a lot of effort, right?

119
00:10:03,140 --> 00:10:08,140
But if I now walk into my house and I see that it's not just that the door is unlocked

120
00:10:08,140 --> 00:10:12,140
Actually, it wasn't even closed, right? It wasn't closed on the threshold

121
00:10:12,140 --> 00:10:16,140
That gets a little weirder. I'm coming home like, hmm, I usually lock my door

122
00:10:16,140 --> 00:10:22,140
I don't think anybody in my house would leave it completely open even, you know, trying to be flush but open

123
00:10:22,140 --> 00:10:26,140
That's a little weird and still don't have any proof that anything happened

124
00:10:26,140 --> 00:10:31,140
But I might cautiously walk into my house being concerned about what's going on

125
00:10:31,140 --> 00:10:34,140
Maybe somebody's hurt. Is somebody broken in?

126
00:10:34,140 --> 00:10:40,140
As I move forward and I don't see anybody in the house, but I see something like my TV missing

127
00:10:40,140 --> 00:10:43,140
Now I have a lot more context to start to say, huh?

128
00:10:43,140 --> 00:10:46,140
Well, last time I checked we weren't moving our TV today

129
00:10:46,140 --> 00:10:53,140
And I don't think that somebody would have walked out without it and now I might even be more concerned that somebody's still in the house

130
00:10:53,140 --> 00:10:55,140
But maybe I checked that out and nobody's there

131
00:10:55,140 --> 00:11:01,140
The version of the story is with more information coming from additional sources of detail

132
00:11:01,140 --> 00:11:06,140
I can understand that I likely have had somebody break into my house and steal my TV

133
00:11:06,140 --> 00:11:12,140
And if I had something even more definitive start to think like endpoint level telemetry

134
00:11:12,140 --> 00:11:16,140
Like a camera in my house where I can now go to the video and see it happening

135
00:11:16,140 --> 00:11:22,140
I could potentially see somebody walking out of my house with my TV and now I would know 100% what happened

136
00:11:22,140 --> 00:11:27,140
But if I were just looking at those different sources, yes, the security camera might have given me that

137
00:11:27,140 --> 00:11:32,140
But if I only had a camera in one part of my house, it might not show me how they got it, right?

138
00:11:32,140 --> 00:11:38,140
So all of those little pieces together help me understand what Nate was saying quickly what happens

139
00:11:38,140 --> 00:11:46,140
I'm a SOC engineer. It's an analyst. Excuse me. I don't have as much time to go through each of those individual items as maybe I once did

140
00:11:46,140 --> 00:11:53,140
Because there's thousands of them in a day putting all of that together and now having an understanding of a likely response

141
00:11:53,140 --> 00:11:55,140
I'm okay to stay in the house because nobody's in it

142
00:11:55,140 --> 00:12:04,140
But I should potentially call the police or at least my insurance company that guidance is what we're trying to look at people receiving with XDR

143
00:12:04,140 --> 00:12:10,140
I'm gonna sell that example. Unfortunately, in my case, my eight-year-old would have just left the door open and my dog would be running around

144
00:12:10,140 --> 00:12:14,140
You just have to augment it a little bit, Nate

145
00:12:14,140 --> 00:12:20,140
So my kid ran out and the dog went with them. Nobody was there to bark when somebody tried to steal my TV

146
00:12:20,140 --> 00:12:27,140
You know, in terms of the response part of that, it would be great if I could get notified that my TV was missing

147
00:12:27,140 --> 00:12:30,140
Because if there was an important sports game I was coming home to watch

148
00:12:30,140 --> 00:12:37,140
I would need to know to go straight to the bar after we involved the police, and I would also like to use or maybe steal that example

149
00:12:37,140 --> 00:12:40,140
Because I think it outlines XDR pretty much

150
00:12:40,140 --> 00:12:42,140
I liked it

151
00:12:42,140 --> 00:12:44,140
All right, Matt

152
00:12:44,140 --> 00:12:52,140
We've covered XDR as a definition, general concepts of it and the pain points it addresses

153
00:12:52,140 --> 00:13:01,140
What about Cisco's involvement in XDR? How is Cisco taking an approach into XDR?

154
00:13:01,140 --> 00:13:03,140
I know there's a new thing called Cisco XDR

155
00:13:03,140 --> 00:13:09,140
I'm curious how we, being Cisco, align with that industry definition

156
00:13:09,140 --> 00:13:14,140
So that industry definition just kind of emerged as an idea

157
00:13:14,140 --> 00:13:19,140
As Brianna was kind of saying, there's always been threat detection response products

158
00:13:19,140 --> 00:13:27,140
Extended detection response conceptually was just like, hey, we need to make random detection response better than it was

159
00:13:27,140 --> 00:13:30,140
We extend it, it's better

160
00:13:30,140 --> 00:13:37,140
So there's different ways you can approach that, which is we make an individual product better, which is what some vendors will do

161
00:13:37,140 --> 00:13:41,140
But we at Cisco are like, hey, we actually have a lot of products

162
00:13:41,140 --> 00:13:48,140
And then we can make each individual one better or what we could do is create a whole new product and call it XDR

163
00:13:48,140 --> 00:13:50,140
And that's what we have

164
00:13:50,140 --> 00:13:54,140
So Cisco XDR is actually a new product offer

165
00:13:54,140 --> 00:13:58,140
A new product offer that is built upon downstream data sets

166
00:13:58,140 --> 00:14:06,140
And then that really feeds into our strategy was like, we wanted to create a productivity tool for the Security Operations Center

167
00:14:06,140 --> 00:14:14,140
Our unofficial official guiding principle was make every tier one analyst as effective as a tier two

168
00:14:14,140 --> 00:14:24,140
Which really just means get all of the appropriate data presented to the user in such a way that they can make decisions faster and more effectively

169
00:14:24,140 --> 00:14:28,140
And that's what Cisco XDR is, it is a productivity tool

170
00:14:28,140 --> 00:14:32,140
It is not new, it is on top of all the other products

171
00:14:32,140 --> 00:14:39,140
And because we made that decision, it is a product on its own, it is not an enhancement to existing products, it's a new product

172
00:14:39,140 --> 00:14:52,140
That also fed into our strategy on the need to be open in the sense that Cisco XDR integrates with products that aren't ours, aren't Cisco products

173
00:14:52,140 --> 00:14:58,140
Regardless of what endpoint detection response product you own, you can get value out of Cisco XDR

174
00:14:58,140 --> 00:15:02,140
Regardless of what network detection response product you own, you can get value out of Cisco XDR

175
00:15:02,140 --> 00:15:05,140
Regardless of what firewalls you own, you can get more value out of it

176
00:15:05,140 --> 00:15:10,140
And so we have a list of strategic integrations that we're going to curate and we're going to bring forward

177
00:15:10,140 --> 00:15:13,140
And then there is the ability to build your own and all that fun stuff that you can do

178
00:15:13,140 --> 00:15:16,140
But we're looking at, we're an open ecosystem

179
00:15:16,140 --> 00:15:23,140
The XDR product is a thing that stands on its own, it is about providing efficiency to the Security Operations Center

180
00:15:23,140 --> 00:15:29,140
And so that was our first major decision, product needs to be open

181
00:15:29,140 --> 00:15:35,140
The other thing that we did is we were looking at what does it mean to be extended detection response?

182
00:15:35,140 --> 00:15:41,140
What are the most foundational pieces of data that a security operator needs to do their job?

183
00:15:41,140 --> 00:15:47,140
The easy one was endpoint, it's foundational to the Security Operations Center

184
00:15:47,140 --> 00:15:53,140
The other one that was really high on the list is network data

185
00:15:53,140 --> 00:16:03,140
And not just firewall logs, network data, meaning network logs, flow logs, describing east-west communication in the environment

186
00:16:03,140 --> 00:16:10,140
And we looked at our products based on, hey, we're masters at network analytics already

187
00:16:10,140 --> 00:16:15,140
We've got great product sets here, we've got great data, we know exactly how to succeed in this

188
00:16:15,140 --> 00:16:24,140
And so we made network detection and response foundational to our entire product strategy, to our approach to XDR

189
00:16:24,140 --> 00:16:33,140
Endpoint and network and firewall are foundational first-class citizens in Cisco XDR

190
00:16:33,140 --> 00:16:40,140
Outstanding, I think it's pretty important about the open portion of that

191
00:16:40,140 --> 00:16:46,140
Because I think original attempts at XDR just didn't work that well

192
00:16:46,140 --> 00:16:51,140
They're going to work within their own vendor, but nothing external

193
00:16:51,140 --> 00:16:53,140
So that I think is pretty important

194
00:16:53,140 --> 00:16:57,140
And then certainly, yeah, that's a great point about the network foundation there

195
00:16:57,140 --> 00:17:02,140
Because Brianna, you were mentioning at the beginning about maybe even bringing in email

196
00:17:02,140 --> 00:17:09,140
And Matt, if we're really communicating across the network, I guess we're going to have a much better view just beyond just the endpoint

197
00:17:09,140 --> 00:17:14,140
Especially when it comes to correlating threats as they spread

198
00:17:14,140 --> 00:17:18,140
Absolutely. Email is a really good example of something

199
00:17:18,140 --> 00:17:24,140
I was just talking with a customer about an hour ago and showing them what XDR does

200
00:17:24,140 --> 00:17:28,140
And they're like, oh, can you block the email that that attachment came in on?

201
00:17:28,140 --> 00:17:31,140
I'm like, yeah, sure, you can work that out

202
00:17:31,140 --> 00:17:37,140
That's as a response, here's the badge, here's the example I was talking through

203
00:17:37,140 --> 00:17:43,140
The user had been, there was a phishing email had gone in, they'd executed it, gone to a bad domain and all that

204
00:17:43,140 --> 00:17:49,140
Worked through investigation backwards, he's like, hey, now can we just block that email next time it comes in, block that phishing

205
00:17:49,140 --> 00:17:52,140
That's the thing that we want to be able to do

206
00:17:52,140 --> 00:17:57,140
From detection backwards through to the original point of infiltration

207
00:17:57,140 --> 00:18:00,140
And then, hey, let's prevent that from going forward

208
00:18:00,140 --> 00:18:02,140
That's exactly it

209
00:18:02,140 --> 00:18:04,140
The response part is, oh, go ahead, Andre

210
00:18:04,140 --> 00:18:07,140
I was just going to say the response part is key there because correlating all this data

211
00:18:07,140 --> 00:18:10,140
But Brianna, you talked about that TV being stolen

212
00:18:10,140 --> 00:18:17,140
If you could respond by automatically calling the police or, Matt, your example just automatically block that host or that email account

213
00:18:17,140 --> 00:18:20,140
The response portion being key

214
00:18:20,140 --> 00:18:24,140
I was going to mention something very similar, Mike, on the response

215
00:18:24,140 --> 00:18:26,140
The response is very key

216
00:18:26,140 --> 00:18:36,140
We've seen a lot of products out there that they promise that the response is going to be the main part of the product

217
00:18:36,140 --> 00:18:39,140
But we haven't seen too much of that

218
00:18:39,140 --> 00:18:43,140
And I think this is bringing a lot of value to the product

219
00:18:43,140 --> 00:18:50,140
Just because we have multiple ways to respond, block that traffic, re-authenticate those ports

220
00:18:50,140 --> 00:18:57,140
There's many things that we can do and we'd like to see the action on what we see today

221
00:18:57,140 --> 00:18:58,140
Awesome, that was

222
00:18:58,140 --> 00:19:03,140
Before we move maybe to the next topic, if I could just really quickly jump in on something you said

223
00:19:03,140 --> 00:19:10,140
Mike, you mentioned what people were looking at for XDR previously and maybe what they might be looking for now

224
00:19:10,140 --> 00:19:15,140
I think it's important. Nobody's trying to trash what happened for XDR previously

225
00:19:15,140 --> 00:19:20,140
Or what vendors who were really innovative in that space brought up and started thinking through

226
00:19:20,140 --> 00:19:23,140
It's just the difference of what you need now and then

227
00:19:23,140 --> 00:19:26,140
People purchase new cell phones

228
00:19:26,140 --> 00:19:34,140
They purchase new cell phones because as much as I adore my BlackBerry, it probably wouldn't serve me in the way I think it would today

229
00:19:34,140 --> 00:19:37,140
I have fond memories of it. I still want one, I'm not going to lie

230
00:19:37,140 --> 00:19:41,140
But when I think through it, it wasn't going to do for me what my new phone will do

231
00:19:41,140 --> 00:19:47,140
So you need to think through what Matt was just saying and what you were just saying when you're looking for an XDR solution

232
00:19:47,140 --> 00:19:51,140
Don't look at XDR for what it was looked at five years ago

233
00:19:51,140 --> 00:19:55,140
Look at it for what you need now and five years from now

234
00:19:55,140 --> 00:20:01,140
That's a great point. I really miss my BlackBerry

235
00:20:01,140 --> 00:20:05,140
I just remember jamming all those keys into that one little keypad

236
00:20:05,140 --> 00:20:07,140
Did we just date ourselves?

237
00:20:07,140 --> 00:20:09,140
No, not at all

238
00:20:09,140 --> 00:20:11,140
It's okay

239
00:20:11,140 --> 00:20:15,140
We'll definitely have a few people on the cast who will be like, what's a BlackBerry?

240
00:20:15,140 --> 00:20:19,140
And that gives them a Googling event for later and then they can share something that we both know

241
00:20:19,140 --> 00:20:21,140
There you go, yes

242
00:20:21,140 --> 00:20:24,140
Yeah, so moving on to our next question

243
00:20:24,140 --> 00:20:32,140
I know we talked a lot about what it is, what is Cisco doing, how we approach it

244
00:20:32,140 --> 00:20:42,140
But I guess the one thing that I want to see is if we can see exactly who Cisco XDR is designed for

245
00:20:42,140 --> 00:20:50,140
And Nate, if you don't mind going through that and then we go through the room just to make sure that we get our perspectives

246
00:20:50,140 --> 00:20:55,140
And see who do you think XDR will be designed for today

247
00:20:55,140 --> 00:20:58,140
Yeah, sure. So I might have a little different perspective on this

248
00:20:58,140 --> 00:21:06,140
I'm in the field so I'm talking with customers on a regular basis so I kind of hear their input as well as what we think internally

249
00:21:06,140 --> 00:21:10,140
And I've kind of heard across the spectrum that it's for a lot of people

250
00:21:10,140 --> 00:21:16,140
I think if you are, absolutely if you're a customer that doesn't have a mature SOC

251
00:21:16,140 --> 00:21:18,140
That this is right up your alley

252
00:21:18,140 --> 00:21:24,140
This is a tool that can really provide an incident response kind of playbook for you

253
00:21:24,140 --> 00:21:29,140
There's Casebook's ability to kind of structure your response to an event

254
00:21:29,140 --> 00:21:34,140
And just correlate across multiple tools where you may not have the people that have the knowledge to do that

255
00:21:34,140 --> 00:21:37,140
Without a tool that will help them accomplish that

256
00:21:37,140 --> 00:21:44,140
So definitely with customers and users without a mature SOC will definitely see value from this product

257
00:21:44,140 --> 00:21:52,140
And I think that this is actually the first solution I think really that Cisco has had that really plays, is designed for the SOC

258
00:21:52,140 --> 00:21:57,140
In a way, most of the other things are kind of targeted at the prevention

259
00:21:57,140 --> 00:22:00,140
Which is great, if we can prevent something from happening, we want to do that

260
00:22:00,140 --> 00:22:04,140
But this is the first one where we're really taking a step back and saying, hey, there's going to be stuff that's going to get through

261
00:22:04,140 --> 00:22:07,140
We need to be able to correlate that and respond for you

262
00:22:07,140 --> 00:22:11,140
But I've also talked with larger customers with really mature SOC processes

263
00:22:11,140 --> 00:22:16,140
They have their own playbooks, they have their own automation and orchestration capabilities

264
00:22:16,140 --> 00:22:19,140
So some of those aspects they may not leverage in the system

265
00:22:19,140 --> 00:22:22,140
But there are some areas where it can still help

266
00:22:22,140 --> 00:22:28,140
It can still, that kind of tier one SOC analyst that are constantly turning over

267
00:22:28,140 --> 00:22:34,140
Maybe they don't have the same experience to go and do the complex queries that are needed for some of those playbooks

268
00:22:34,140 --> 00:22:39,140
Well, this can again help them look at some of those incidents and prioritize them from an early standpoint

269
00:22:39,140 --> 00:22:45,140
Threat hunting, they can still use it for threat hunting capabilities with the tool

270
00:22:45,140 --> 00:22:51,140
So even if you're not using the full functionality, there's still some benefit for larger customers with mature SOCs

271
00:22:51,140 --> 00:22:53,140
You're not Cisco shops, right?

272
00:22:53,140 --> 00:22:58,140
So that's another thing where in the past, if you had Cisco products, great, they'd work together

273
00:22:58,140 --> 00:23:00,140
We have native integrations with our solutions, right?

274
00:23:00,140 --> 00:23:04,140
But if you have a third party solution, maybe those integrations don't work so well, right?

275
00:23:04,140 --> 00:23:05,140
You have to code something custom

276
00:23:05,140 --> 00:23:07,140
Well, XDR is built with that in mind

277
00:23:07,140 --> 00:23:13,140
So if you are somebody with Microsoft Defender endpoint, right?

278
00:23:13,140 --> 00:23:21,140
We can still enrich and we can add endpoint context to those incidents from those applications, right?

279
00:23:21,140 --> 00:23:28,140
If you're using Exabeam in your environment or Cybereason, we can enrich and decorate the incidents so that there's more information there for them

280
00:23:28,140 --> 00:23:30,140
If you're a Palo shop, right?

281
00:23:30,140 --> 00:23:35,140
You can actually automate and orchestrate responses from XDR to Palo Cortex

282
00:23:35,140 --> 00:23:38,140
So a lot of different things are if you're CrowdStrike, we can create incidents

283
00:23:38,140 --> 00:23:44,140
We can generate incidents based off of your endpoint, this is a non-Cisco endpoint and then pull in our network telemetry

284
00:23:44,140 --> 00:23:47,140
And combine those together to build an attack chain

285
00:23:47,140 --> 00:23:51,140
So you don't have to be a Cisco shop to get value out of XDR, right?

286
00:23:51,140 --> 00:23:57,140
The security is a team sport, I think all vendors and we have to work together to...

287
00:23:57,140 --> 00:24:02,140
Our enemy is not other vendors, our enemy is the adversaries, right?

288
00:24:02,140 --> 00:24:07,140
Great point. I really like that last part because yeah,

289
00:24:07,140 --> 00:24:15,140
Preventing the threat is the key and it really doesn't matter which vendor or endpoint product you have

290
00:24:15,140 --> 00:24:20,140
If we can work with them to kind of integrate that across the board

291
00:24:20,140 --> 00:24:24,140
Yeah, I think anyone in security, you know, we're in it to stop them from bad guys, right?

292
00:24:24,140 --> 00:24:27,140
I mean, that's what we want to do, right? That's why I'm here at least, so...

293
00:24:27,140 --> 00:24:29,140
Excellent. Thank you, Nate.

294
00:24:29,140 --> 00:24:37,140
Now, in terms of the integrations, and Nate kind of just touched on one Microsoft Defender

295
00:24:37,140 --> 00:24:42,140
But can you tell me a little bit about the native integrations of Cisco XDR?

296
00:24:42,140 --> 00:24:46,140
I think for the audience, if you have an example of like a real-life use case

297
00:24:46,140 --> 00:24:52,140
Maybe something that Cisco XDR could detect in one product and maybe use another product to respond

298
00:24:52,140 --> 00:24:56,140
Anything along those lines, I think that'd be really cool to hear

299
00:24:56,140 --> 00:25:05,140
Yeah, so we have a number of native integrations in Cisco XDR

300
00:25:05,140 --> 00:25:11,140
We took their approach strategically, as I mentioned, foundational data sets like network and endpoint

301
00:25:11,140 --> 00:25:14,140
Are able to provide data into the analytics engine

302
00:25:14,140 --> 00:25:25,140
And we have a number that are in our near-term roadmap to continue to either provide data and or enrich existing incidents

303
00:25:25,140 --> 00:25:30,140
So what we're really, really good at is detecting some...

304
00:25:30,140 --> 00:25:35,140
Specifically in the network detection space, detecting things that you would otherwise have missed

305
00:25:35,140 --> 00:25:45,140
So things like repetitive malware outbreaks

306
00:25:45,140 --> 00:25:50,140
Where you don't necessarily have an endpoint detection response product on every asset

307
00:25:50,140 --> 00:25:58,140
So one of the reasons network is so foundational in my mind is everything is connected to the network

308
00:25:58,140 --> 00:26:01,140
But not everything necessarily has an endpoint agent on it

309
00:26:01,140 --> 00:26:09,140
By some stats, roughly 30% of assets inside of an enterprise might actually have an EDR on it

310
00:26:09,140 --> 00:26:14,140
Other assets, printers, phones, OT devices, servers, etc.

311
00:26:14,140 --> 00:26:17,140
They might not have endpoint agents

312
00:26:17,140 --> 00:26:21,140
And so one customer, this is a story from a few years ago

313
00:26:21,140 --> 00:26:25,140
We were working with, had a repetitive malware outbreak

314
00:26:25,140 --> 00:26:33,140
Same piece of malware, they find it, it kept popping up on AMP or Cisco Secure Endpoint, as we call it now

315
00:26:33,140 --> 00:26:39,140
They'd get these detections that, oh, we've got it, we'll clean it up, they were wiping assets on a regular basis

316
00:26:39,140 --> 00:26:45,140
They were finding these detections that were showing up, but they never could figure out who patient zero was

317
00:26:45,140 --> 00:26:50,140
We deployed, at the time, Secure Cloud Analytics, now a foundational part of XDR

318
00:26:50,140 --> 00:26:55,140
To collect network flow data, run analytics, see what was happening inside of the department

319
00:26:55,140 --> 00:27:00,140
And fairly quickly we found that patient zero, or the source of this malware outbreak

320
00:27:00,140 --> 00:27:05,140
Was actually an old network attached storage server that had been infected

321
00:27:05,140 --> 00:27:10,140
And then she said there was no agent on it, it was just sitting there, had this piece of malware that kept going

322
00:27:10,140 --> 00:27:16,140
Sending its little payload around, and eventually ran somewhere and the customer was having fun

323
00:27:16,140 --> 00:27:18,140
And not having fun with that particular outbreak

324
00:27:18,140 --> 00:27:21,140
But patient zero, it was this old master who had featured this time

325
00:27:21,140 --> 00:27:28,140
Because we were able to trace the network activity back to this one particular asset and remediate that outbreak

326
00:27:28,140 --> 00:27:32,140
And this goes through for a number of different ways you want to look at it

327
00:27:32,140 --> 00:27:39,140
The only way to sometimes solve the advanced threat is you need data from multiple different domains

328
00:27:39,140 --> 00:27:45,140
Network, email, endpoint, cloud, all of these are native integrations that we have

329
00:27:45,140 --> 00:27:48,140
And you need data correlated throughout

330
00:27:48,140 --> 00:27:54,140
That's an amazing example of where Andres and Mike before were talking about the response piece as well

331
00:27:54,140 --> 00:27:57,140
Because there's no response that's being taken on that NAS system

332
00:27:57,140 --> 00:28:00,140
Because it doesn't have anything on it to do that

333
00:28:00,140 --> 00:28:04,140
But by bringing that information together, we would be able to help orchestrate a response

334
00:28:04,140 --> 00:28:09,140
Or at least guide a response even if it was manual to close that loop to stop that from happening

335
00:28:09,140 --> 00:28:15,140
So that that malware didn't keep getting accessed or propagated or popping up

336
00:28:15,140 --> 00:28:20,140
And I think that's a great example about bringing the importance of that network telemetry

337
00:28:20,140 --> 00:28:22,140
As opposed to just the endpoint

338
00:28:22,140 --> 00:28:26,140
Without that, Matt, it sounds like maybe that would have gone unresolved

339
00:28:26,140 --> 00:28:30,140
It would go on for years is what would happen

340
00:28:30,140 --> 00:28:34,140
You can block it all you want on your, I'll use the 30% number

341
00:28:34,140 --> 00:28:39,140
You can block it all you want on 30% of the assets in your environment that have an effective EDR

342
00:28:39,140 --> 00:28:42,140
But the rest of them don't for whatever reason

343
00:28:42,140 --> 00:28:46,140
And it's crazy how those devices are overlooked today

344
00:28:46,140 --> 00:28:51,140
You don't think about it when you start thinking about that strategy

345
00:28:51,140 --> 00:28:55,140
So that's I think very impressive

346
00:28:55,140 --> 00:29:00,140
All right, I want to say something real interesting

347
00:29:00,140 --> 00:29:06,140
We've been 33 minutes without talking about AI and I'm about to break that record

348
00:29:06,140 --> 00:29:09,140
We could have gotten it

349
00:29:09,140 --> 00:29:12,140
I guess the AI algorithm just kicked in

350
00:29:12,140 --> 00:29:15,140
And like I've just been too long since, no one mentioned me

351
00:29:15,140 --> 00:29:17,140
Mind your jumping in

352
00:29:17,140 --> 00:29:19,140
It always wins

353
00:29:19,140 --> 00:29:21,140
Actually I wasn't

354
00:29:21,140 --> 00:29:26,140
Yeah, last week we went on a presentation that was 20 minutes without talking about AI

355
00:29:26,140 --> 00:29:30,140
So I actually feel very happy about that

356
00:29:30,140 --> 00:29:33,140
All right, so this question is for you, Brianna

357
00:29:33,140 --> 00:29:36,140
I know you love that subject

358
00:29:36,140 --> 00:29:42,140
And basically we want to know and I think all of our listeners want to know

359
00:29:42,140 --> 00:29:47,140
What is the role that we play in AI that Cisco XDR will play in AI?

360
00:29:47,140 --> 00:29:51,140
I know Cisco as a whole has a whole story behind that

361
00:29:51,140 --> 00:29:53,140
But what can you share about that?

362
00:29:53,140 --> 00:29:56,140
Actually, Andres, I'm changing my tune

363
00:29:56,140 --> 00:29:58,140
I love the question, right?

364
00:29:58,140 --> 00:30:02,140
The practitioner part of me is still looking for my German shepherd

365
00:30:02,140 --> 00:30:06,140
Another reference that people can Google every time I hear AI nowadays

366
00:30:06,140 --> 00:30:11,140
But at the same time we need to embrace the benefit that AI can provide

367
00:30:11,140 --> 00:30:14,140
But I think what's really important is to think through

368
00:30:14,140 --> 00:30:18,140
AI is more mainstream conversation now

369
00:30:18,140 --> 00:30:20,140
But that doesn't mean it's new

370
00:30:20,140 --> 00:30:24,140
And it doesn't mean that there aren't types of AI that have been in place for a while

371
00:30:24,140 --> 00:30:27,140
Or aspects to generating up to AI

372
00:30:27,140 --> 00:30:31,140
So in Cisco XDR, Nate mentioned alerts and alert chains previously

373
00:30:31,140 --> 00:30:35,140
That is not something that somebody is sitting there manually doing

374
00:30:35,140 --> 00:30:37,140
As your events come in, that would be insane

375
00:30:37,140 --> 00:30:42,140
We would never be able to provide you with an extended detection and response incident in a timely fashion

376
00:30:42,140 --> 00:30:46,140
So alerts coming in from different sources and being chained together

377
00:30:46,140 --> 00:30:52,140
And that correlation of did the event that happened on Mike's system and the event that happened on Andres' system

378
00:30:52,140 --> 00:30:54,140
Are those both part of the same event?

379
00:30:54,140 --> 00:30:58,140
That being correlated together is part of what we use AI for today

380
00:30:58,140 --> 00:31:02,140
Also, for when we look at things like dynamic and automated responses

381
00:31:02,140 --> 00:31:06,140
So our ability to say, here's a guidebook by which you can go through

382
00:31:06,140 --> 00:31:10,140
And yes, that's static, but as we continue to move forward in the development of XDR

383
00:31:10,140 --> 00:31:14,140
Making that more dynamic and saying something as simple as

384
00:31:14,140 --> 00:31:19,140
When I look at what has been presented, I want to guide you to take a response

385
00:31:19,140 --> 00:31:26,140
Maybe that response is to quarantine a system, maybe that response is to enact a quarantine rule on a firewall

386
00:31:26,140 --> 00:31:29,140
And when we do that, what sort of context do we give you?

387
00:31:29,140 --> 00:31:33,140
Well, I wouldn't want to present you as an analyst who has little time

388
00:31:33,140 --> 00:31:38,140
And is trying to respond quickly and may or may not have all same levels of knowledge

389
00:31:38,140 --> 00:31:44,140
I wouldn't want to present you with something that says block this IP when I'm not giving you an IP to do it with

390
00:31:44,140 --> 00:31:47,140
And that's a really small example, but those can get much more complex

391
00:31:47,140 --> 00:31:53,140
Related to what's in your environment and what assets would you be authorized to block and not block in the first place

392
00:31:53,140 --> 00:31:56,140
So that's another way that we're leveraging that

393
00:31:56,140 --> 00:32:02,140
It also is used to bring threat intelligence in, so not only to help create and combine threat intelligence

394
00:32:02,140 --> 00:32:05,140
We leverage our Talos team and what they're bringing together for that

395
00:32:05,140 --> 00:32:10,140
But a lot of processing of more basic level threat intelligence comes at an AI layer

396
00:32:10,140 --> 00:32:13,140
But it enriches threat hunting in our investigations

397
00:32:13,140 --> 00:32:22,140
So being able to bring that enrichment in and understand what is happening or could have been related to a hunt or search that you have through your environment

398
00:32:22,140 --> 00:32:25,140
And then when we think about why AI is so prevalent nowadays

399
00:32:25,140 --> 00:32:32,140
We think of the boom that ChatGPT brought and showed people the cool things that could come out of something like a generative AI

400
00:32:32,140 --> 00:32:36,140
And what we call a chat bot style usage of generative AI

401
00:32:36,140 --> 00:32:39,140
And without getting into too many technical terms

402
00:32:39,140 --> 00:32:43,140
There's concepts behind that called things like large language learning models

403
00:32:43,140 --> 00:32:45,140
Where a model is simply learning

404
00:32:45,140 --> 00:32:52,140
It could listen to Brianna speak all day and then try to understand not only how it would answer a question that you would ask Brianna

405
00:32:52,140 --> 00:32:54,140
But how Brianna would phrase her question

406
00:32:54,140 --> 00:32:56,140
What types of words would she use?

407
00:32:56,140 --> 00:32:58,140
How would she inflect upon that?

408
00:32:58,140 --> 00:33:00,140
So generative AI is not new

409
00:33:00,140 --> 00:33:03,140
All Cisco products have had AI for a long time

410
00:33:03,140 --> 00:33:06,140
And many of them are using things like large language learning models

411
00:33:06,140 --> 00:33:09,140
Including Cisco XDR. Matt mentioned email previously

412
00:33:09,140 --> 00:33:11,140
That's definitely been using it

413
00:33:11,140 --> 00:33:13,140
When you think about how people write emails

414
00:33:13,140 --> 00:33:14,140
Right

415
00:33:14,140 --> 00:33:25,140
How do I confirm that the email that's sent from Brianna to Mike is from Brianna and not a business email compromise trying to trick Mike to do something because it sounds like Brianna

416
00:33:25,140 --> 00:33:31,140
So when you think about things like that, that has a lot of that back end AI modeling built in it

417
00:33:31,140 --> 00:33:38,140
And we will continue to assess AI and how to best use it and how to best present it in ways that's not just delightful for our customers

418
00:33:38,140 --> 00:33:42,140
And lets them interact the way that they would like to but in ways that are meaningful

419
00:33:42,140 --> 00:33:43,140
That's awesome

420
00:33:43,140 --> 00:33:44,140
That's awesome

421
00:33:44,140 --> 00:33:46,140
Yeah, we hear about AI so much

422
00:33:46,140 --> 00:33:53,140
And many people realize that we've been doing AI for the longest time for many, many different things

423
00:33:53,140 --> 00:33:57,140
Yeah, and credit in the industry so have others, right?

424
00:33:57,140 --> 00:34:02,140
I mean it's not, it's just something that is more relevant I think for common mainstream now that people may not realize

425
00:34:02,140 --> 00:34:04,140
It's in everything that you do

426
00:34:04,140 --> 00:34:10,140
You know, a large vendor that you may purchase a lot of things from online and might have a device in your house or on your phone that you talk to

427
00:34:10,140 --> 00:34:13,140
That's AI in the background

428
00:34:13,140 --> 00:34:16,140
Yes, it's going off

429
00:34:16,140 --> 00:34:25,140
So what about, now the next one and we might have to speed it up just a little bit for the sake of time for these next couple

430
00:34:25,140 --> 00:34:31,140
But what about, is Cisco XDR a SIEM? Matt, I'll give that one to you

431
00:34:31,140 --> 00:34:34,140
Like I hear that all the time, like cool this is a SIEM replacement, right?

432
00:34:34,140 --> 00:34:37,140
The answer is no, it's the short answer

433
00:34:37,140 --> 00:34:39,140
That's the TLDR one

434
00:34:39,140 --> 00:34:42,140
The longer one is

435
00:34:42,140 --> 00:34:49,140
So the fundamental difference is what data and visibility into data

436
00:34:49,140 --> 00:34:51,140
Cisco XDR is an analytics engine

437
00:34:51,140 --> 00:34:53,140
It is a SOC productivity tool

438
00:34:53,140 --> 00:35:02,140
The objective is analytics on top of data to produce a detection, a prioritized detection and guided response to it

439
00:35:02,140 --> 00:35:11,140
Whereas a SIEM's objective in life is to collect the data and provide that data to the user to build outcomes on top of it

440
00:35:11,140 --> 00:35:15,140
We're focused on the outcome, as opposed to the data itself

441
00:35:15,140 --> 00:35:21,140
So would it be safe to say that Cisco XDR works with a SIEM?

442
00:35:21,140 --> 00:35:24,140
Absolutely, we are complementary

443
00:35:24,140 --> 00:35:32,140
If you had a dime for every time that somebody asked you that question though, Matt, would you be able to retire by now?

444
00:35:32,140 --> 00:35:37,140
Yes, short answer, yes

445
00:35:37,140 --> 00:35:41,140
I'd keep working just because that's like free money

446
00:35:41,140 --> 00:35:48,140
Or a dime for every time someone's like, what does XDR stand for?

447
00:35:48,140 --> 00:35:50,140
Right

448
00:35:50,140 --> 00:35:52,140
So many

449
00:35:52,140 --> 00:35:54,140
Well, thank you for that

450
00:35:54,140 --> 00:35:56,140
Yeah, thank you for that

451
00:35:56,140 --> 00:35:59,140
Actually, I think we're running pretty short on time

452
00:35:59,140 --> 00:36:03,140
So we're going to fly through the next two questions

453
00:36:03,140 --> 00:36:10,140
I think this one's going to be important, our listeners are going to be very interested in this one

454
00:36:10,140 --> 00:36:13,140
This one's for you, Nate

455
00:36:13,140 --> 00:36:19,140
What is Cisco's plan for SecureX and Secure Cloud Analytics?

456
00:36:19,140 --> 00:36:22,140
If you don't mind just going a little bit on that

457
00:36:22,140 --> 00:36:24,140
Yeah, sure

458
00:36:24,140 --> 00:36:27,140
This actually came up in the Q&A as well, so very timely

459
00:36:27,140 --> 00:36:33,140
I think of XDR as really the evolution of both SecureX and Secure Cloud Analytics

460
00:36:33,140 --> 00:36:36,140
There are components of both that are in XDR

461
00:36:36,140 --> 00:36:44,140
The detection and analytics engine of, I think Matt mentioned this earlier, the detection and analytics engine of Secure Cloud Analytics is the backbone of XDR

462
00:36:44,140 --> 00:36:50,140
If you are an existing Secure Cloud Analytics customer, you are entitled to XDR

463
00:36:50,140 --> 00:36:54,140
So we're converting everyone's accounts, you'll get an XDR tenant

464
00:36:54,140 --> 00:37:00,140
And you'll be able to take advantage of some of the enhanced functionality that XDR can provide your organization

465
00:37:00,140 --> 00:37:02,140
SecureX was a little different

466
00:37:02,140 --> 00:37:06,140
SecureX was kind of our first foray into an XDR space

467
00:37:06,140 --> 00:37:17,140
I think that there were some benefits that SecureX provided around orchestration and automation capabilities that some users would like out of it

468
00:37:17,140 --> 00:37:25,140
But it didn't really deliver on the, and it wasn't necessarily meant to, deliver on the full prioritization of its

469
00:37:25,140 --> 00:37:28,140
So there's a lot more functionality in XDR than SecureX

470
00:37:28,140 --> 00:37:36,140
SecureX has been end of life, it was a solution that was granted an entitlement to everyone who had a Cisco security product

471
00:37:36,140 --> 00:37:43,140
But it is end of life at this point, which means that no new users are able to sign up for a SecureX account

472
00:37:43,140 --> 00:37:50,140
If you do have a SecureX account, if you were using it, it will stay in place until I believe next July

473
00:37:50,140 --> 00:37:54,140
But at that point, it will essentially cease to exist

474
00:37:54,140 --> 00:38:00,140
So if there is functionality in SecureX that customers are using today

475
00:38:00,140 --> 00:38:08,140
It's time to maybe look at what XDR can provide, is that the right option, are those use cases that we can address with XDR as well?

476
00:38:08,140 --> 00:38:13,140
Good question, I think that's on a lot of people's minds, so thanks Nate for covering that

477
00:38:13,140 --> 00:38:19,140
Brianna, I don't know how deep you can get into this, and we really only got about 30 seconds anyway before we move on

478
00:38:19,140 --> 00:38:27,140
But is there anything you can tell us maybe that's up and coming for Cisco XDR, like any secrets or stuff on the roadmap?

479
00:38:27,140 --> 00:38:33,140
Yeah, I think I could tap in a little bit, so hopefully people have heard about our Oort acquisition, if you haven't

480
00:38:33,140 --> 00:38:40,140
It's in the identity threat detection and response space, so that piece is not secret, but what we can share is that up and coming

481
00:38:40,140 --> 00:38:50,140
We're looking at bringing that into XDR to bring identity as a source into XDR and really be able to respond and provide those meaningful capabilities, so that's really exciting

482
00:38:50,140 --> 00:39:01,140
Matt had mentioned the responsive capabilities and we had talked about those guided responses, guiding people more and more towards being comfortable accepting automated response, so truly automated response

483
00:39:01,140 --> 00:39:07,140
Hey, I'm going to lock the door, lock my robber in and call the cops when I see the TV come off the wall

484
00:39:07,140 --> 00:39:15,140
And being confident in doing that, things like that are what we're going to try to continue to gain customers trust in, and then more around AI

485
00:39:15,140 --> 00:39:24,140
So you have seen certain things around guided assistance through hunting and through investigations and incidents, that's forthcoming as well, and I think we will leave it there for today

486
00:39:24,140 --> 00:39:35,140
Awesome, awesome, and if the yeah, I didn't get to see a little bit of or hopefully I'm saying that correctly. No, it was pretty cool. All right, so

487
00:39:35,140 --> 00:39:45,140
Do you want to say anything about some certain changes that are coming out for endpoint integrations that might actually be in production today?

488
00:39:45,140 --> 00:39:57,140
So Nate snuck it in earlier, but yes, let's call it out. So as we look at the integrations for what we're doing around correlated incidents going beyond the responsive and the enrichment and hunting capabilities

489
00:39:57,140 --> 00:40:12,140
Our CrowdStrike endpoint integration that allows us to create new incidents or have those events be correlated into incidents is in progress and or deployed to Matt's point, so you're hearing it straight out of the gate live

490
00:40:12,140 --> 00:40:22,140
You should be seeing that ASAP if you are an existing customer or testing it out and if you're not and you're a CrowdStrike customer, come on have a conversation with us. We would love for you to see it

491
00:40:22,140 --> 00:40:38,140
We have this question on the agenda. I was not expecting this. This is great. Yeah, me as well. Now that's one thing people probably don't realize about the show is it's not scripted. So I literally just learned all that information. So thank you. That's great.

492
00:40:38,140 --> 00:40:51,140
All right, so we're up on time, but we did have three really serious questions. We're going to give you each one, just take 10 seconds to answer, and then we'll kind of summarize this up and we'll get out of here.

493
00:40:51,140 --> 00:41:10,140
Matt, I'm going to give this one to you, and just in 10 seconds or less: what number is higher per day, the number of times you get asked what XDR stands for, the number of cups of coffee you drink in a day, or the number of times they explain what XDR is?

494
00:41:10,140 --> 00:41:14,140
Is it even close.

495
00:41:14,140 --> 00:41:16,140
Okay, okay.

496
00:41:16,140 --> 00:41:17,140
All right. All right.

497
00:41:17,140 --> 00:41:29,140
All right, I'm going to go with the next one. And this is for you, Nate. If you could magically apply XDR to any routine of your life, what would it be?

498
00:41:29,140 --> 00:41:48,140
I mean, I guess the prioritization and risk reduction like the next year can provide you an incident. I guess I'd apply that to like my to do list at home, like which if I knock these things off, like which ones are going to get me yelled at less by my partner if I finish these. Right. So that's my risk score that I'm trying to reduce.

499
00:41:48,140 --> 00:41:51,140
I love that.

500
00:41:51,140 --> 00:42:08,140
Now poking a little bit of fun at ourselves about how Cisco is always changing the names of all of our products and everything. Brianna, would you bet yes or no on whether Cisco will change the name of Cisco XDR within a year from today's date?

501
00:42:08,140 --> 00:42:09,140
I would bet no.

502
00:42:09,140 --> 00:42:13,140
Okay, no, especially if Matt and I are still here.

503
00:42:13,140 --> 00:42:22,140
Okay, great.

504
00:42:22,140 --> 00:42:24,140
Excellent. Well, it's always fun to poke a little self fun there.

505
00:42:24,140 --> 00:42:28,140
Andres, what do you say we recap this and get on our way here.

506
00:42:28,140 --> 00:42:39,140
I'll tell you my big takeaways for today. We started off with that industry definition. I talked about a unified platform or correlating incidents.

507
00:42:39,140 --> 00:42:53,140
We talked about bubbling the ones up that are important. And then we had several examples of taking automated or manual responses. And I like Brianna's example about that TV thing. I think that's actually something I'll be using.

508
00:42:53,140 --> 00:43:07,140
Matt touched on Cisco's definition and how, you know, we're known as a network company. Why don't we use that ability when we're talking about the threat correlation and response, so we can go beyond just the endpoint.

509
00:43:07,140 --> 00:43:10,140
And, and in terms of solving problems.

510
00:43:10,140 --> 00:43:30,140
You talked about who uses Cisco XDR and just XDR in general for quicker detection, the remediation, the threat hunting. And you know, I really like to get that bubbling up so that we can just have some time back, especially for those teams that have just a couple people on their SOC.

511
00:43:30,140 --> 00:43:44,140
The native integrations are great. Matt, I think it's really awesome that we've taken an open standard approach. CrowdStrike right at the end, that little teaser was pretty cool. So that we can, to Nate's point, it's about stopping the bad guy. We're not. And it really shouldn't matter.

512
00:43:44,140 --> 00:44:04,140
Kind of what endpoint product you have. So those are the big takeaways for me. Andres. Also, Mike, thank you. In my case, I'm very excited about when we get to talk about AI, the artificial intelligence, when we get to talk about all those things.

513
00:44:04,140 --> 00:44:20,140
And still I feel something that I need to understand more. And it's been there, kind of new, but it's exciting. So I always welcome that. The XDR versus SIEM capabilities.

514
00:44:20,140 --> 00:44:26,140
I know we, we get a lot of questions every day from customers on this one. And I think it was very clear.

515
00:44:26,140 --> 00:44:29,140
The, the vision that we have with the products.

516
00:44:29,140 --> 00:44:45,140
And I'm very excited about it. Now moving on to some things that we may not see in the future that we're seeing today. SecureX and Secure Cloud Analytics. You know, what is their purpose in life in a few months coming.

517
00:44:45,140 --> 00:45:01,140
That was really good. And the other things, I wasn't expecting the teaser on the CrowdStrike. So very excited about that. And yeah, that's my take on the whole session and just want to thank you all for taking the time.

518
00:45:01,140 --> 00:45:12,140
Yeah, really big. Thank you. Brianna, Matt, Nate for your time and expertise and just generally the good you do in the security industry. Really much appreciated.

519
00:45:12,140 --> 00:45:31,140
Okay. So, the next call November 16th, topic: securing the user and the endpoint. Registration for that is open. I believe it is. Okay. All right. Well, I hope you've enjoyed this session of security and 45. Stay safe and secure everyone.

520
00:45:31,140 --> 00:45:36,140
And we will see you on the next episode. Bye. Thank you. Have a good one.

521
00:45:36,140 --> 00:45:46,140
Everyone. Thank you.

