Posted in Presentations
Solutions claiming to be intelligent promise to rescue the SOC from alert fatigue. To catch attacks in real-time and remain resilient in the face of such occurrences, you’ll need some savvy, a desire to mimic the gumshoes of old, and the most important technical asset of all – your network.
Video Transcript
>> ANNOUNCER: Please welcome Executive Vice President and General Manager, Security and Collaboration, Cisco, Jeetu Patel.
>> JEETU PATEL: All right. Can I start by asking a personal question? How many of you here like music, with a show of hands?
Okay, thank goodness, because that would have been an awkward moment for Fred if, like, you folks didn't raise your hands.
But it's great to be here. And imagine this, imagine this. Imagine that you are a conductor in a symphony orchestra and your primary job, your only job is to create a beautiful symphony. And what you have done is you have assembled an amazing group of world class musicians in the orchestra who have actually mastered the art and the craft of their own instrument. You know, every single section of the orchestra is perfected. The piano is amazing. Let's take a listen.
There are four sections of woodwind. It’s sensational. It's really good.
Orchestra without strings is no orchestra and the strings are mesmerizing.
Lastly, the brass section is captivating.
What we have done is we have actually taken four perfect segments, but we have one slight problem. The problem is, we have asked each one of these musicians to go in a separate room, they can't hear each other, and they have to play this section of music and then create a beautiful symphony. How do you think that goes? It's a disaster. People can't hear each other. It's uncoordinated sounds that you see everywhere.
That – those were a long five seconds. And this is, by the way, folks, exactly the problem that we have right now with security. What you have is, and what I am specifically referring to, is completely disjointed, out of sync kind of ways that security is actually being tied together.
So, what I'm talking about over here is the ever increasing set of threats that we have for these sophisticated attacks. We can't rely on an isolated set of defenses. What we need to have is a very coordinated set of defenses.
So, let's just take a look at the anatomy of an attack that you might have. So, as we see in the MITRE ATT&CK framework, the modern threats that you have today actually don't start from the direct target attack. They start from an email.
You get an email. It's got a link. You click on the link, it goes to a website. When you're in the website, it downloads some piece of code that's malware and it goes to your endpoint. Your endpoint then goes ahead and triggers off some kind of process and the process then starts to go out and have a complete lateral movement of that threat throughout your organization because packets just start going and moving on the network. That's typically what happens with an attack.
Now, if you go out and look at this anatomy of an attack and you go out and try to go help solve that problem by looking at each one of those domains individually, you are going to see less than half the picture.
Now, don't get me wrong. You’re going to have extremely capable vendors in the market that do a great job at each one of these domains. What they don't do is create harmony. It's just uncoordinated telemetry that creates more noise in the market.
So, the question we have to ask ourselves is what does the world need? What we need is a set of security defenses that are completely coordinated and synchronized.
Here’s the amazing part. Those two clips that you heard, they were actually being played from the same base music; just the timing of them made a world of difference, right? And they have to be synchronized.
So, the question that we have to ask ourselves is, in security, how do we get there? What specifically do we do in security to be able to get that coordination?
And there are two major breakthroughs that are going to define the next era of security defenses that I want to talk to you about. The first one is this notion of a cross domain native set of telemetry that's completely coordinated and correlated rather than just aggregated. And it's going to fundamentally change how we respond to threats.
The second big area, the second big breakthrough, of course, is artificial intelligence. And this is going to change three key things for the security industry. The first one is it's going to change the experience that we have with security. The second thing it's going to change is the efficacy of security. And the third aspect that it's going to change is the practitioner's efficiency with how they can make their entire security platform more effective.
So, those are the kind of three major areas that are going to change. Let's go drill into the cross domain architecture first, the cross domain native telemetry, and then we will jump into what we do with artificial intelligence.
So, in cross domain native telemetry, what's the problem? The isolated defenses, the reason these isolated defenses don't work and the reason it's no longer tenable is because it's too hard to spot modern day attacks in a way that is in any way differentiated from legitimate behavior that people have.
Your normal course of action and the way that you go out and operate on a daily basis is exactly – it looks very similar to what an attack looks like. So, what do you do to go out and create more of these robust defenses?
Well, you have to make sure that you have a completely end-to-end integrated platform. And this platform needs to be there so you can actually see an end-to-end view rather than an isolated view.
So, for example, you need a platform that shows you every single email and every forward. You also need a platform that shows you every single website connection that you make. You need a platform then that knows every single process that got instantiated on the endpoint. And you need a platform that knows exactly what packets are traversing through your network.
Now, what's the best example of such a platform that we might actually think about today? Well, one of the great examples that we have right now of the platform is this notion of extended detection and response. And to talk more about that, I wanted to have my colleague, Tom Gillis, who last year, by the way, presented right after me, but this year he's actually joined Cisco, so he's just with a different badge, to talk to us a little bit more about XDR. So, Tom, come on up.
>> TOM GILLIS: Hey, everyone. I'm Tom. So, great to be back here. XDR is clearly going to be the talk of the show this year. And when you leave this event and walk around the show floor, you may find yourself hard pressed to find a vendor who is not telling some sort of XDR story. In fact, even the food vendors are getting in the game. On the way over here, I saw a hot dog vendor that was pitching extra-large dog with relish, which is a different kind of XDR, but it’s still kind of a thing.
So, what's all the energy around XDR? Well, it's increasingly clear that attackers are getting really, really good at emulating both user and application behavior. So, this means that if you are only looking in one domain, if you are only looking at an email stream, or you're only looking at an endpoint, you are missing more than half the picture.
So, if we have the ability to look at high fidelity data across email, web, endpoint, and network, these patterns become incredibly clear. Let me show you an example.
This is an actual attack sequence that we have derived from Turla, which is one of the benchmarks used in this year's MITRE ATT&CK Framework. The Turla sequence starts with a phishing email.
At Cisco, we found that last year, 80% of the ransomware attacks that we saw started with a phishing email.
Now, at this point, I hope everyone in this room knows that the Nigerian Prince, you know, the friendly fella who needs a bank account? I hope everyone knows not a real guy. Everybody knows that, right? Security professionals. The Nigerian Prince is not a real guy. But that's the good news. Pretty easy to spot those emails with the spelling mistakes and the grammatical errors.
The bad news is the Prince has got his hands on AI-powered tools. So, it's not unreasonable to expect to see a phishing email that's going to come from someone you know referencing something you did.
Hey, Tom. Great seeing you on Saturday. I took some pictures of you and the kids and posted them here. Who is not going to click on that? Right? So, you click on the link. It takes you to a photo sharing site that looks just like a real photo sharing site except this site popped up forty-eight hours ago. You click to look at the pictures. Code downloads onto your machine. And now the fun begins.
So, if we look under the covers in your machine, there's a PowerShell script running. PowerShell is a legitimate utility that's used by system administrators to update and patch your Windows machine. PowerShell spawns some new process we have never seen before.
Again, at Cisco, 80% of the ransomware attacks we saw last year came from an unknown process that was spawned out of PowerShell. So, just because it's from PowerShell doesn't mean you can block it. But if you have that high fidelity data, you can see these things and say, you know what? That's suspicious.
That process in turn makes a connection to the network and begins to move laterally. It moves server to server looking for a customer database and then it asks for 500,000 credit card numbers.
So, if you can lay these events right next to each other, an email from the Prince, a weird looking website, PowerShell, and 500,000 credit card numbers, it's very clear this is a ransomware attack. This is what we mean by cross domain telemetry.
Now, you might be thinking to yourself, hey, I’ve heard this story before. This is what my SIEM vendors have been talking about for ten or maybe even twenty years. And I will argue that XDR has a fundamentally different design center than a SIEM.
A SIEM was designed for log aggregation. So, a SIEM thinks in days, weeks, months, even years. Whereas an XDR wants to be as close to real-time as we possibly can be. We want to process the data and get rid of the data. The goal is not to store it.
A SIEM is looking at summary data. Anyone who has paid for or managed the budget of a SIEM infrastructure knows it gets real expensive to store all those logs. So, you are looking to compact the data.
An XDR, on the other hand, is looking for the highest fidelity data. I want to get as close to the data path as possible because I want to see every message, every click, every process, and every packet. A SIEM is designed for investigation response and an XDR is designed to automate response in an intelligent fashion. I'm going to talk about that a little bit.
So, an XDR will not replace a SIEM. I want you to think about a continuum. On one end of the spectrum, we have the SIEM. It has a place in our tool chain; we need it. And it's going to have kind of a fuzzy view of what happened. It probably captured a couple of those events, maybe the email from the Prince and PowerShell.
The industry realizes we need more resolution than just log data. So, the industry has created these open XDR initiatives. And at Cisco, we wholeheartedly support them and actively engage, looking at telemetry, particularly telemetry from email. So, that's going to give you a better picture.
But you will never match the ability to have native telemetry where you are in the data path across email, web, endpoint and the network, and when you lay these things together, the patterns become very clear.
Not only does this give us the ability to identify threats, it also gives us the ability to respond to these threats in a really intelligent way.
So, let's think through a response to that sequence I just described. We see the email from the Prince. We are not going to block it. We are not even going to generate an alert. We are just going to take a snapshot of that machine and mark that snapshot. There's PowerShell running and it’s getting ready to approach the network. Again, we are not going to block it. We are not going to alert. But we’re going to turn on packet capture. It makes its way to the customer database. We are going to isolate that network to limit the blast radius. And then when it asks for the credit card numbers, there we block.
What's interesting about this sequence is that we have now created an automated trail that can automate the ransomware recovery process in the event an attack gets through. And these integrations into the infrastructure for packet capture and storage, these things exist.
So, I'm going to make a prediction that when I come on this stage next year, we are going to be able to talk about how we have evolved this model of an automated response where we can recover back to an RPO of zero, which means even if you had a ransomware attack, we will say, you know what, one got through, but guess what? We made a snapshot and backed you up before one line of encrypted data was written. This would effectively be an antidote for the scourge that is ransomware.
And this is what I mean when we hear us talk about security resilience. It's not just about stopping these threats but it's about automating the recovery so you can focus on getting back to business.
This type of cross domain system is best implemented with a security platform. So, you're going to hear a lot of talk in the industry around platforms. You might be wondering, in fact you already heard it today, what exactly is a platform? Well, I will use a metaphor and tell you what a platform isn't.
I went to Home Depot recently and I bought a gas grill and I got home and opened the box, I’m like, wait, it's a bunch of weird looking metal parts and screws and I'm putting this thing together like, what is this thing? That's not a platform, right? A platform is a grill that shows up at your door, you plug it in, turn it on, you’ve cooked your hot dogs.
A platform is not a bag of parts but it's a system that has individual components that can gather that telemetry from email, web, endpoint, and the network and put it together in a coherent way to identify and stop threats and orchestrate an intelligent response.
If this approach works as well as I think it does, it is going to reshape the vendor landscape. So, this is something, this security platform and this cross domain telemetry, is something we will be talking about for years because it'll literally shape the industry.
The other thing that I think is going to shape the industry is the role of AI in cybersecurity. To talk more about that, I'm going to ask Jeetu to come back out on stage and explain the role of cyber and AI.
>> JEETU PATEL: Thanks, man.
All right. Let's talk about simplifying security next with AI. So, look, we are at an inflection point right now. Every company is rethinking how they are going to use AI. And every vendor is talking about it and you can't really kind of blame them because if you really think about the sophistication of security attacks, it no longer can be handled at human scale. You have to do it at machine scale or it doesn't work.
Now, the question to ask is, what are the things that need to come together to make AI really a step function improvement on the insights it can deliver? In security specifically. And there are three things when you start thinking about AI that need to come together. One of them is the model. The second is the data. And third is the experience. Right?
Now, the interesting part about the model is that the publicly available models that are out there right now, while they keep advancing, they actually don't give you domain specific data, you know. So, what you do get is a very generic set of insights but you don't really get insights that are specific to a domain, specific to a customer. They are generalized.
What needs to happen is these models – what's going to happen is these models are going to get much more specialized by domain. In fact, for those of you that might have not – that might have missed the news, Bloomberg just launched Bloomberg GPT as a specific model for the financial services industry.
Now, what you also have is the data that feeds the model is actually going to be very domain specific. You know, there's going to be domain specific telemetry, the cross domain native telemetry that Tom talked about. But you are also going to have specific security knowledge, knowledge bases with years of threat intelligence. You are going to have security playbooks. Those will all get entered into the new specific custom models for security so that they can actually be very, very specific.
And then the third thing that you are going to need is a great experience.
Now, for all of us that have been part of witnessing this massive shift that's happened with ChatGPT, the reason that they did so well was not just because they had a great model and because they had great data and great insights. The reason they did well is because they nailed the experience. Right? In sixty days, they had 100 million users that were active users using that system. Sixty days.
Contrast that with some of the other exponential curves we have seen with adoption acceleration. Instagram. Anyone care to take a guess on how long it took them for getting 100 million users? Two and a half years.
Facebook, four and a half years.
So, the reality is you have to make sure that you nail the experience as well.
Now, the question we have to ask ourselves in the domain for security is, what if we could have a 10X better experience for the SOC analysts by providing them with some sort of an assistant or an aide so that they can get their job done more effectively? What if we could bring the right things to your attention at exactly the right time? And what if we could provide recommendations for the right things to do? Frankly, the most important question to ask is, what if we could fundamentally reimagine the SOC analyst experience with AI in this particular domain? What would that do to the way in which we go out and calculate breaches, the way in which we can detect them, respond, and remediate them?
So, we put together a concept of what this would look like in the future, which frankly is not going to be too far off from where we are today. I would like to show you that video. So, let's take a look.
>> CARMEN: The Security Operations Center detects and responds to threats in real-time. When an incident begins, time is critical, and SOC analysts are often swamped with rapid-fire information and tasks. To help with this, let’s imagine that our SOC analysts can rely on an AI security assistant which we will call AMES.
AMES uses a large language model to summarize emerging information, explain remediation options, and automate the workflows needed to neutralize threats.
As a SOC analyst, this is the view that I have of the tsunami of information that comes to me. Fortunately, AMES is helping me.
>> AMES: Good morning, Carmen. I have noticed a suspicious incident that needs your attention.
>> CARMEN: What’s happening, AMES?
>> AMES: Lee in Operations downloaded a file from his email that appears malicious. I see new processes starting up and several new files are being created and destroyed. It looks like an attacker is using PowerShell to create services and persistence on the system.
>> CARMEN: Bottom line it for me. What are we looking at?
>> AMES: Based on the TALOS Threat Database, I know that 80% of all ransomware attacks start with PowerShell. Given what is happening on Lee’s machine and other devices on the local network, the evidence is mounting up quickly. I can say with 90% confidence that we have a serious ransomware attack underway.
>> CARMEN: AMES, what’s my best option to respond to this?
>> AMES: I have already restricted access from Lee’s computer and network. There are seven other devices where we see suspicious activity. I recommend we set up a honeynet to collect additional information regarding these suspicious systems.
>> CARMEN: Let’s get Lee and the other impacted users up and running again in a safe way.
>> AMES: I have saved a snapshot of the last known good configuration of all the internet facing systems, so we’ll get impacted users back online shortly. The internal critical stakeholders have already been updated on the progress.
>> CARMEN: How do we prevent this from happening again?
>> AMES: We’ll analyze the information we get from the honeynet, review the incident analysis with the SOC team, and take any further steps needed.
>> CARMEN: Great. Good work, AMES.
>> JEETU PATEL: So, folks, what you just saw is a concept that's not too far away from reality. And the beauty about this concept is that when you use AI to augment humans in the job, there's amazing things that can happen because you are shortening the time to investigation and you are making sure that you can actually respond in near real-time.
Now, there's another really important concept that shouldn't be missed as you start thinking about this, which is the experience is going to become much more natural. You know, the primary kind of interface mechanisms that we have used to go out and input, you know, instructions into the computer so far, other than the keyboard, have been the mouse. But now what you're going to start seeing is there's going to be much more of a move towards natural language, and not only is it going to be an input with natural language with prompts, but you actually have a back and forth dialogue that you can have with the machine, you know. And it's actually going to be pretty exciting for what this moves – what this means for the world of security at large.
So, we are thrilled about what this can do and this future is not that far away. But before closing out, I want to take a step back and just summarize what we saw – what we heard over here today.
There are two breakthroughs that we discussed today. The first one was this notion of cross domain native telemetry, because security is a data game. If you don't have the right data feeding the models, you are not going to be able to go out and identify exactly what's going on.
And then the second one is artificial intelligence and how that's going to go out and augment what's happening within our environments right now to really accelerate productivity for people.
So, thank you again. If we do this right, by the way, what you will have is the ability to create a perfect symphony of security defenses. Thank you.