Episode Transcript
[00:00:15] Speaker A: Welcome to KB on the Go. This week I'm coming to you from Cisco Live 2024 at the Melbourne Convention and Exhibition Centre, where AI is taking center stage in driving the future of technology. Here in Melbourne, we're surrounded by the buzz of innovation and industry leaders all exploring how Cisco's latest technologies are enabling us to work faster, safer and smarter. Stay tuned for the inside scoop from some of the world's leading experts presenting at Cisco Live 2024 here in Melbourne as KBI Media brings you all of the highlights.
Joining me now in person is Tom Gillis, SVP and General Manager, Security Business Group at Cisco. And today we're discussing the steps to robust security. So, Tom, thanks for joining and welcome.
[00:01:06] Speaker B: Thanks Marissa, thanks for having me.
[00:01:08] Speaker A: Okay, so Tom, you talk about three steps to robust security as I've seen in your Cisco newsroom, in terms of detecting, preventing and remediating security threats. So tell us, what are the steps?
[00:01:20] Speaker B: Well, those are sort of the foundational steps that you need in security. First, you know, if you can't detect it, then, you know, there's really not much of a conversation. So detection is fundamental. Well, really I would argue the first thing is actually prevention, right? So we want to put in place safeguards to make sure that we can keep the bad guys out. But as good as we are, we know for a fact that stuff is going to slip through, right? That's just the way security has worked, you know, for decades and that's always going to continue. And so then detection will be the second step, right? Detect the stuff that leaked through, and then how do we remediate. That formula has been around for 20, 30 years. But the building blocks that we use to implement each one of those steps are changing at an explosive pace. I mean, unbelievably explosive. And I'll even be very practical when I look at the demos of some of the products we have in development. I periodically review the demos. I'm kind of busy, so it might be a month from when I see a demo to when I see it again. In the course of 30 days, the capability that we can deliver is just a step function more advanced because of this AI capability. And AI helps in terms of our ability to code things, right? So the AI is doing the coding and we provide the logic, right? So we don't have to do the semantics of writing the software, but it also provides the ability to analyze and understand things that are happening in the infrastructure that just simply weren't possible, you know, a year ago. So it's a very, very interesting time. When you have a period of significant change like the one we're heading into, there are always winners and losers, right? And so I think there are going to be opportunities for us to deliver both prevention, detection and remediation that is, you know, transformative in how customers experience it. But at the same time the adversary is using the same tool sets, right?
And so if you look at that, you know, as good as we are, they're using the same kind of automation. And here's a way it really manifests itself. If you look at the time lag from when a vulnerability in an application is announced publicly to when we see it being exploited, that time lag used to be weeks, a couple years ago, then it was days, now it's hours. So you announce a vulnerability; within four hours, we see activity around it. You know, that can only happen with AI automation. And the challenge for customers, maybe the folks that are listening, practitioners that are listening to this, is just keeping up with known vulnerabilities. Forget the complicated exotic stuff, these are just vulnerabilities that are announced. It is simply not reasonable to patch all of your infrastructure, patch all your applications in hours. It's just not reasonable. So we have to think differently about how we can put security controls in place that are highly automated, that will create more resilience in the infrastructure without humans being involved.
[00:04:22] Speaker A: Okay, so prevention, detection, remediation, as you said, it's been around a long time. In your experience, and your caliber of experience, more specifically, where do you think customers have the most problems out of those three, would you say?
[00:04:35] Speaker B: Well, okay, if we did a really good job of prevention, then it's much easier to do detection and remediation. Less stuff gets through. And so I think Cisco's opportunity is to really focus on the first phase, which is build preventative controls that make it much, much harder for an adversary to get through. It's never impossible, but we can make it much, much harder. And there are many, many different facets to security. Where Cisco, where I'm personally focused, and Cisco, the company, is focused, where we point our investment resources, is leveraging the network specifically and the infrastructure a little more broadly. And so what we want to get to is a world where applications are highly declarative, right? So it's not random stuff that's running. We know exactly what's supposed to be running. And when we know exactly what's supposed to be running, we can lock down the infrastructure underneath it and make it immutable, if you're familiar with that term, right? So immutability means it does what it's supposed to do and doesn't do anything else.
[00:05:33] Speaker A: Is that what you mean by random stuff?
[00:05:34] Speaker B: Yeah, that's what I mean by random stuff.
[00:05:36] Speaker A: Got it.
[00:05:36] Speaker B: Right. And so the concept of immutability is it only does what it's supposed to do and doesn't do anything else. Again, not a new idea. Immutability has been around for 20 years. It's not been practical to implement immutability because applications change.
[00:05:52] Speaker C: Right?
[00:05:52] Speaker B: And so all of a sudden it'll do something that is new, that might appear random, but it's not random at all. It's event driven.
[00:06:00] Speaker C: Right.
[00:06:00] Speaker B: Or it's an update to an application. AI allows us to have an interpretation and understanding of the context to start to drive closer to immutability. So I believe that we can, and I hope this isn't too much technical detail, but I believe that we can drive security preventative solutions that are much more approximating immutability and will make it very hard, not impossible, but very hard for an adversary to gain a foothold. You know, and then we can talk about advanced forms of doing detection and remediation on top of that. But long answer to a short question. Cisco needs to be great at preventative security controls.
[00:06:37] Speaker A: So then you mentioned before, Tom, you said there's winners and there's losers. So were you talking more around like the adversaries and then like customers or just.
[00:06:44] Speaker B: Unfortunately, that rule applies everywhere. So adversary versus defender. It applies to, you know, customers that are on the right side of this problem versus the wrong. It also applies to the vendor landscape.
[00:06:53] Speaker C: Right.
[00:06:54] Speaker B: And that every vendor, I mean, you know this, you're in the business, every vendor you talk to is talking about AI. So it's a question of how you walk the walk, right? Not simply talking about, oh my God, AI this and AI that.
[00:07:04] Speaker A: Do you think people are doing that? Talking about doing AI and not really doing the walk?
[00:07:08] Speaker B: Well, you tell me. What do you think?
[00:07:09] Speaker A: Yes.
[00:07:10] Speaker B: Hell yeah.
[00:07:11] Speaker C: Right?
[00:07:11] Speaker B: You know, like it's almost to the point of absurdity. Like they talk about AI and it doesn't even make any sense. So I'm less interested in talking about AI. I'm more interested in delivering products that have AI in them. I can tell you right now I have products that you can use. Like imagine a network security device that can write its own rules, test its own rules, qualify its own rules, deploy its own rules, and then upgrade itself overnight. I got more than 20 customers that are using that system right now. And so yes, it's young. Yes, it's formative. But this thing is going to transform how we do that prevention of cybersecurity because it's just very, very high levels of automation. In fact, it wasn't even possible to build this thing without AI. It's not like I grafted AI onto it. Like we built this system taking advantage of AI to deliver that level of autonomy.
[00:08:01] Speaker A: Because of the velocity then as well.
[00:08:03] Speaker B: Yeah, exactly. And we're all trending towards just this notion of immutability. Right. Like stuff that's supposed to happen is allowed to happen and stuff that's not supposed to happen is detected and prevented. Like, "Sorry, you can't do that because that's not normal."
[00:08:14] Speaker A: You mentioned before about, like, patch management. Like, as you know, we haven't got patch management right for 20 plus years. So what happens now on that front?
[00:08:23] Speaker B: Yeah, yeah. So this is the first use case that we're tackling with Cisco's Hypershield. So our view is vulnerabilities are going to continue to grow and it is not reasonable to patch these things. You know, the answer can't be, let's try harder. You know, let's be smarter about how we patch. That just is not going to work. So what we have the ability to do is to apply a compensating control that can shield those vulnerabilities while the application team is going through the process of testing and qualifying and updating a new patch. That process can take weeks. Right. A lot of these complex systems, you don't just patch them overnight. If it's a running database that's in production, you know it's going to take days and, you know, maybe longer. And so with Hypershield, we have the ability to apply a compensating control that doesn't touch or modify the application, but can be that kind of finger in the dike that provides shielding from the vulnerability. The other thing I'll point out about a compensating control, it doesn't obviate the need to patch. You still need to patch this stuff. Because a good attacker can find a way to get around a compensating control.
[00:09:28] Speaker A: Sure.
[00:09:29] Speaker B: But it provides immediate protection that is driving us closer to that goal of immutability. Right. Don't change the stuff that's not supposed to change. We're going to observe the things that aren't supposed to change and prevent that from happening.
[00:09:40] Speaker A: On Hypershield. So obviously, you know, it's pretty cool what you guys are doing. I spoke to one of your guys down on the demo floor. I can't remember his name, but he explained it in a way that made sense. But what was coming to my mind was, do you think, in your experience, that... let's look at the CrowdStrike incident, could that have been prevented if there was the digital twin, the Hypershield?
[00:10:01] Speaker B: Absolutely. Sort of like you can say that that's not a controversial answer. Absolutely, yes. So here's the thing. Now we're getting into a little bit of... this is very technical, but I think it's important. There's a little bit of a shape-of-the-industry issue.
[00:10:14] Speaker A: What do you mean by that?
[00:10:15] Speaker B: Security processes need to update, you know, as often as possible. Like very, you know, you want to have them constantly churning.
[00:10:22] Speaker A: Sure.
[00:10:22] Speaker B: See something, push a new rule. See something, push a new rule. Right. The infrastructure, so the kernel of an operating system, is exactly the opposite tempo. You almost want to never update that thing.
[00:10:33] Speaker C: Right.
[00:10:33] Speaker B: You want the Linux operating system or the Windows operating system, you want to nuclear harden it and then just let it run, run, run, run, run, run, and very carefully, very slowly upgrade it. So there's just an inherently different tempo to security processes versus infrastructure processes. And the problem that security has is that in order to do meaningful enforcement, you need to put stuff in the kernel called a kernel module. So what went wrong with CrowdStrike is they had a security update that went bad. Like, it's real easy for me as a vendor to sort of throw a rock at them and be like, oh, look at those guys. You know, they really screwed up. But the fact is, it could easily have been me. Like, that's what happens when you're pushing out security updates rapidly. Yes, they made some operational mistakes, but I think it's kind of the nature of the business. But where it got disastrous is you push that bad update into a kernel module, it takes the whole system down. And that's a very widely deployed solution that took down a giant swath of infrastructure. So with this new modern operating system protocol called extended Berkeley Packet Filter, eBPF, and the reason this is what we're talking about is this is applicable broadly across infrastructure, not just the OS. But let's talk about the operating system. So the big deal with eBPF, extended Berkeley Packet Filter, is it allows a process running in user space to look into the beating heart of the OS, the kernel, without actually running in the kernel.
[00:11:54] Speaker C: Right.
[00:11:55] Speaker B: So we can see every system call, every function call, you can see memory, you can see every IO operation. But if that security update goes kerflooey, does that translate? You know what kerflooey means, right? If it goes sideways, the kernel keeps running.
[00:12:08] Speaker A: Sure.
[00:12:08] Speaker B: Okay, so this was developed for cloud native applications, which means it was done for Linux and for containers.
We own the commercial company behind eBPF. eBPF is open source. It's standards based. It needs to be standards based. It's always going to be standards based. The company behind it, sort of the Red Hat of eBPF, is a company called Isovalent. Cisco owns Isovalent. We're going to continue to invest in it, we're going to continue to keep it open because it needs to be ubiquitous. But as owners of the platform, we get to shape the direction of it. And what we're focusing on is taking this thing that was born in the public cloud and bringing it back to private clouds, which means two things. It means support for Windows, which would solve the CrowdStrike problem, and it means support for VMs, VM workloads as well as containers. So we're actively working on both those directions. But I do believe that eBPF, it's not an exaggeration, it's a little bit hyperbole, but it is the future of networking because it allows us to do magical things in the heart of the OS without actually being in the heart of the OS. And it's going to allow us to drive towards the immutability that you and I talked about earlier.
[00:13:11] Speaker A: So what do you think then, moving forward? So, you know, we can't keep having CrowdStrike incidents. And I spoke to Jeetu Patel specifically about this, on how much of an impact and a ripple effect it had within, like, a day across the world. So what do you think happens now?
[00:13:25] Speaker B: Yeah, it was a big deal in the U.S. I took my car in to get my oil changed. I couldn't get my oil change because the CrowdStrike thing was down. So, you know, yep. My oil change, in addition to, like, a lot of other more important things. So the world has learned and we're building this technical architecture that allows security and infrastructure to coexist, but they are, it's what I call, tightly integrated but loosely coupled. Okay, so think about a world where the security stuff can be updated constantly and the infrastructure stuff is very, very reliable and upgraded slowly and carefully. Let's apply that same concept to a network device. So for a long time people have talked about the intersection between security and networking, and people have done things like, oh, let's take a firewall and let's sort of embed that into a switch or a router. And there's been two big challenges with it. One is performance. When you turn the firewall on, it makes the switch, like, grind to a halt. And the second is you need to update the security stuff constantly. And network infrastructure is not designed to be updated constantly. Right. It's like the kernel of an operating system. So with Hypershield, and as we start to introduce it into Cisco switches, we have the same approach where it is tightly integrated but loosely coupled, which means there's a lump of silicon in one of these switches called a DPU, Data Processing Unit. A DPU is made by Nvidia, Intel, AMD, and it's an evolved version of a network interface card, NIC, and it's evolved to the point where it's a little tiny firewall on a chip. So these DPU chips are amazing. Yeah. I used to run the DPU team at VMware, so I spent years working on them. They're very, very powerful, very, very capable. But we want to be able to update the software on that DPU on a continuous basis. The network processor, the NPU, is Cisco's chip, Silicon One.
That's the thing that does the packet forwarding. You want to update that very carefully, very methodically, very slowly, because it's ultra stable, ultra reliable, and its only job is processing packets. So as we start to merge security functionality into the networking, it's going to look kind of like eBPF in the host, where there's a security thing that's constantly dynamically updating, and there's a networking thing which is ultra stable, ultra reliable, doing the packet forwarding. And if the security thing goes kerflooey, what happens? The network thing keeps working. Right. So that CrowdStrike phenomenon of like, oops, security took down the infrastructure. That can never happen again. And that is a problem that we can solve.
[00:16:04] Speaker A: Joining me now in person is A.J. Shipley, Vice President, Product Management, Threat Detection and Response at Cisco. And today we're discussing the Cisco and Splunk acquisition. So, A.J., thanks for joining in. Welcome.
[00:16:15] Speaker C: Yeah, absolutely. Thank you.
[00:16:16] Speaker A: Okay, so let's get into it. Splunk acquisition with Cisco. Talk me through it. What's going on?
[00:16:22] Speaker C: Yeah, so, fourth largest software acquisition in history. I think it's been going exceedingly well by all standards. Closed six months ahead of plan, which is really good news for our customers. They've had a lot of questions about what this means for them. If you look at, you know, obviously Splunk has been the market leader in the security operations center for a long time. And there can, you know, anytime there's a big acquisition, there can be a little bit of concern or trepidation about what's going to change, especially in something as critical as security operations.
But so far, the customers have been super, super thrilled about our plans for leveraging all of the telemetry and data sources that we have from a Cisco perspective in order to deliver better outcomes to those Splunk customers. Because ultimately, at the end of the day, I would argue we still have a lot of work to do in the security industry to deliver better outcomes, as evidenced by the fact that ransomware still continues to, you know, happen and proliferate across networks. And so I think that's what we're excited about, is the combination of Cisco and all of the network telemetry we have at Endpoint and hundreds of thousands of authentication records every single day. And then Splunk, you know, the world's best ability to get data in and apply analytics on it to derive insights. The combination of those two things, I think, is ultimately going to. Going to deliver superior outcomes for our customers.
[00:17:31] Speaker A: So you're right. There is, when there's an M and A, that sort of happens. There is this trepidation reservation. And part of my sort of job in inverted commas would be that I go and crowdsource questions that people have. And one of those was around, you know, people when this acquisition happened. Like, people sort of saying, like, that's unusual.
Why do you think people are, you know, is it because they didn't sort of expect Cisco to acquire Splunk? I mean, it seems obvious now in terms of, you know, the telemetry and then having sort of more of a single pane of glass and more of a holistic view. But why would people sort of, I don't know, be asking those questions, from your experience?
[00:18:09] Speaker C: I don't know. I haven't gotten that. It's unusual. I think, you know, if you just look at the size of the acquisition, there's very few vendors that, you know, could pull it off. I would even argue that, actually, if you look at some of the other security vendors in the space, and I won't name them, they probably would have loved to have been able to do the same thing, but they couldn't afford it.
[00:18:25] Speaker A: Candidly, I was just going to say, but they couldn't afford it.
[00:18:27] Speaker C: They couldn't afford it, and we could afford it. And so I think. And look, you saw Palo Alto kind of follow suit pretty quickly with QRadar and CrowdStrike bought Humio, and obviously Microsoft has Sentinel and they've got Defender for XDR. I think there's a recognition by the industry broadly that there is a combination or a set of solutions that are necessary in order to be able to do threat detection, investigation and response broadly across the ecosystem. And that there's not a single product that can scale to meet the demand or sophistication levels of every customer, from nation-state-level CERTs all the way down to, you know, a small independent shop. And so the combination of solutions, whether it's an organic, you know, offering like Cisco XDR, along with a, you know, best-in-market SIEM capability from Splunk, and then all of the threat intelligence that you can, you know, provide from a Talos perspective, you start to put those things together, recognizing that it's about the right product for the right problem, for the right, you know, sophistication level of that customer at that point in time. You start to put those things together and it starts to get really, really compelling. Because I would argue we probably have the most complete solution set out there. But certainly we're not the only ones that are trying to put these solutions together, as evidenced by some of the other acquisitions that you've seen in the industry.
[00:19:37] Speaker A: Do you think it's just like anything though, like when someone starts to buy another company, there's always going to be people that question it or perhaps, you know, not sure exactly where that company is going to go that you mentioned before at the start of the interview saying, like when a company gets acquired, like people saying, are things going to change? Are things going to change? Would you say no?
[00:19:55] Speaker C: I mean, yeah, that old adage, right? Haters want to hate or something like that. I mean, there's always, there's always going to be the haters. Look, we are focused first and foremost and as somebody who was intimately involved in the due diligence and the investment thesis of the acquisition, one of the things that we identified early on as one of the most valuable assets that came along with this Splunk acquisition was just the really vibrant user community and, you know, kind of market perception of what is a premier asset, right? And if you talk to, you know, Splunk customers, and I've talked to a lot of them, I have yet to find a single Splunk customer that doesn't say, I love Splunk, right? Like, I love that product. And so that user community, we looked at it and said, man, if we can make sure that we don't alienate those folks that we really kind of embrace them and lift them up. They can also be one of the biggest advocates for what we're trying to do from a Cisco security perspective. Right. And so, first step in doing that is making sure that we don't alienate them, that we don't change all of the stuff that they've come to love about Splunk. But how do we make it better? How do we deliver better outcomes for the same level of investment, not deliver the same outcomes for less investment? And that's where I think we have a tremendous opportunity. Again, with all of the telemetry, with all of the threat intelligence, with all of the authentication records, all of those things that we can combine. I've heard some accounts that 80 to 85% of the world's digital traffic traverses a Cisco device of some type or another. Being able to take all of that telemetry and use Splunk, which has solved the problem of getting data in at scale and applying analytics to drive insights. 
Being able to do that in a way that lifts that community up and allows that community to advocate on behalf of what we're doing was one of the things that we identified early on. And we are laser focused on making sure that we don't deviate from that. So that's a very long-winded answer to say everything you know and love about Splunk is going to stay the same. One of the reasons we cleared regulatory hurdles so quickly, because the question that came up from these different regions was, Cisco, when you close this acquisition, are you immediately going to shut down all of the third-party integrations that exist with all of these 1300 other vendors out there, as that would be a bad outcome for those customers? And we said no and no and no over and over and over again until we finally had to say, look, it would be the height of stupidity for us to spend this amount of money to buy this premier asset that was built on the foundation of an open, you know, vibrant ecosystem and immediately shut that down. We're not going to do it. And once the regulatory agencies understood that it would fundamentally destroy all of the value that we just spent a lot of money for, they got very comfortable with the fact that we were acquiring them because they knew that we weren't going to do that. So ultimately, I think that's just a point of proof that highlights the fact that Cisco is committed to maintaining and, over time, enhancing the outcomes that we can deliver through this asset. But first and foremost, it is do no harm and do not alienate that community that loves Splunk, because it's an amazing product.
[00:22:40] Speaker A: So you said before, A.J. you don't want to deliver the same outcomes. You want to deliver better outcomes. How so?
[00:22:46] Speaker C: Take Cisco's own environment. Cisco is a big Splunk user. Cisco has a relatively large Splunk license in terms of ingest, you know, terabytes of data.
And Cisco still sends a tiny fraction of the telemetry that we generate, you know, in a day to Splunk because, one, it can be very expensive to send all of that data in, and two, if you could get all of that data in any way to a centralized location, the amount of compute that you would have to put on that data to be able to derive an insight is going to bump up against the bounds of, you know, what is possible.
Really, what we're focused on is how do we distribute analytics throughout the network so that we can detect things closer to where they're happening and be able to respond, you know, in much, you know, kind of shorter time periods. So an example of that is what Tom mentioned this week, Hypershield, where we're kind of melting security into the network. That analytics has to come from somewhere. Even if we distribute it through there, that analytics has to come from somewhere. Being able to process all of that telemetry has to happen, you know, throughout the network. You can't move all of that data to a centralized location. But if you could process all of that telemetry, and our own CSIRT team says we would love to be able to process 100% of the telemetry that we generate, but we can't. If you could start to process it, to find the things that are lurking in an environment and be able to take action in a much shorter period of time, that's an example of how we can deliver better outcomes without having to move all of the data to a centralized location, which just isn't financially or even computationally possible.
[00:24:16] Speaker A: Okay, so that leads me to my next question. With that being said, what do you... what's your view, then, on, like, defining the new SOC? And what does that look like in your eyes? Like, how we sort of traverse now moving forward as an industry, or more specifically, the Cisco Splunk acquisition leading.
[00:24:31] Speaker C: So, look, I think what continues to be true is that this is a game of cat and mouse. You know, like you, I've been doing this, you know, a long time, and adversaries continue to adapt their tactics and techniques in order to try to exploit an organization. And unfortunately, people still make mistakes and build products and ship code with vulnerabilities in it. And the adversaries find ways to take advantage of that. So nothing's changed there. I think what has changed though, is just the massive amounts of data that are being generated and the ways that adversaries are finding ways to exploit organizations that effectively, you know, lives off the land, like, you know, they're called living off the land attacks. That lives off the things that exist in the environment and don't require somebody doing something stupid like clicking on a link or downloading a piece of malware. And so that constant like you know, kind of game with cat and mouse is only going to continue, but it's going to happen over orders of magnitude more data. And so how are we going to be able to mine that data in order to be able to detect and respond to those adversaries as they're getting more and more sophisticated, but they are not encumbered by rules of law or societal norms. Well, we now have technology at our disposal that we didn't have even a couple of years ago. Right? And you know, some people will say, you know, Gen AI is the most overhyped or under hyped technology in the last 20 years, depending on where you sit. What I do know though, is that we didn't have access to things like gen AI before October 2022. I do know that we are no longer really constrained by bandwidth limits or compute limits. In fact, the big constraint that we have now is power, right? You see, like I think Microsoft, you know, spinning up a nuclear reactor in order to power a data center, because power is the bottleneck. But compute's not the bottleneck, bandwidth is not the bottleneck. 
There's all kinds of data. What are the technologies that you have to apply on all of this data, knowing that the compute's no longer the bottleneck? And what can you then do with these technologies in order to be able to detect and respond to adversaries? That's where I think the SOC is going to go, is we have to automate more of the tasks that we can. You can't automate 100% of stuff, but there's probably 80% of the stuff that happens in an environment that you can automate. I'll give you a good example. Say I have two people in an organization. One is a summer intern, one's a CEO. Let's say I see reconnaissance activity on a summer intern's laptop, and I see reconnaissance activity on a CEO's laptop. I can probably, with a high degree of confidence, remote wipe that summer intern's laptop, open up a ticket in ServiceNow and tell it to go over there and reimage it, and completely automate that whole process without too much concern. I'm not going to do the same thing on a CEO's laptop. Right. You want somebody to put eyes on glass, make sure that they understand what's happening. You might want to actually monitor to figure out how it got on there, who's doing it. Those are two relatively similar use cases. One I would argue you can fully automate with very little concern. And the other one you're going to want to let your smartest people go and put eyes on glass and figure out what to do next. I think we just got to start looking at the problem space a little bit more through that lens of what's the 80% of stuff that we can confidently automate, leveraging some of this new technology, like AI, leveraging the massive amounts of compute and bandwidth that we have at our disposal, so that we can then free our analysts up to go focus on the 20% of things that you really want a human in the loop on.
[00:27:37] Speaker A: Yeah, because that's always been like people talking about, oh, like AI is going to, you know, reduce jobs and all this type of stuff. And it's like, yeah, but then if you're automating trivial, mundane, banal tasks, you can actually get the 20%, to your point, AJ, to actually do more strategic thinking.
[00:27:51] Speaker C: Yeah, I'll give you an. I mean, so we, we implemented a feature and you know, we're not, we're not unique here. I think other people have done this. One of the early uses of gen AI is in the summarization of large technical data sets and saying, you know, in three paragraphs or less, tell me what happened here. One of the things that every SOC analyst I talk to hates most about their job is having to write an after action report three weeks after an incident and try to remember what happened. And try and remember what they did. 'Cause they don't have time to do that during the middle of an incident.
[00:28:20] Speaker D: Right.
[00:28:21] Speaker C: They're in a war room. They're like responding in real. But at some point their boss or the board is going to want to know what happened. That's an area where gen AI actually can generate that executive summary action report of what's happening in kind of human readable format. Right. In a PDF or whatever at that moment, send that to your boss or send it up to the board so that they know what's going on. That analyst doesn't have to spend time typing stuff out. If they need to make some changes, they can edit it, right? But 98% of it is a pretty good representation of what's happening. Then meanwhile that analyst can go focus on the triage and the investigation and the remediation and then not have to worry about three weeks later coming back and writing that after action report. That's a really great use of generative AI to improve productivity. That analyst job isn't going anywhere. If anything, it's just allowing them to go focus on responding to more incidents. Letting the gen AI write the after action reports that somebody can go read at their leisure.
[00:29:13] Speaker A: Because they would have like their boss's CEO on their back saying what's happening, what's happening every two seconds standing over.
[00:29:18] Speaker C: Them like in the heat of the moment. And the last thing they want is like, what they really want to do is they want to say like, go away and let me do my job and I'll come back to you once we figured it out. But they can't say that right now. What they can do is they can hand them a PDF that gets generated by the AI based on all of the tactics and techniques and timestamps that we're seeing and with high degree of confidence say this is what's happening and here's what we're doing about it now let me go do my job.
[00:29:40] Speaker A: And would that sort of develop like a bit of a timeline then as well? Embedded into that in terms of these as chain of events is what happened?
[00:29:46] Speaker C: Oh yeah, it's amazing. Like if you actually look at it in a, in a product like sysdr, it'll, it'll break it down to right like you know, at, you know, 12:43 this process ran and you know, two minutes before that the user received an email with this, you know, kind of, you know, subject line. And two minutes after that it created an internal network connection. And that whole timeline gets generated by the AI based on the timestamps of the logs or the telemetry that's coming in, the tactics and techniques that it sees, that it sees and then says, hey, in three paragraphs or less, tell me what happened. And it puts it in sequential order and creates basically and writes out the entire attack chain for you. It's pretty incredible what, what the technology can do.
[00:30:28] Speaker A: Do you think as well, if you're, then, if you're an analyst, SOC analyst, for example, you're going to obviously speak in a different discourse to like a CISO or a CIO. So can it then actually generate the right language and vernacular to speak to that executive?
[00:30:42] Speaker C: I think in the fullness of time. And the fullness of time is not, you know, years. It's probably not even months. It's. I mean, it is getting so much better so quickly. Right. I mean, the first one, GPT1, I think that came out in October versus what you see now is, I mean, it's orders of magnitude better. But if you read some of the reports, sometimes I look at it, I go like, nobody would ever talk that way. Right. Like it's very. You can tell that there's kind of a computer behind the scenes. Again, like I said, 98% of it's. Right. But that's also why we give the analyst the ability to edit some of this stuff. Right. Like you can go in there, scan it real quickly. Ah, let me change that word. Like that's not exactly how a human would talk. And so. And then when you do that, the gen AI learns and it gets better over time. Right. So it's going to continuously improve. Right. And ultimately I think we get to the point where. Hey, okay, you know, I've got my five paragraphs and then you feed it back in, you say, up-level it for me. Right. Like I need the two sentence pithy report for the board member. Right. I don't need five paragraphs.
[00:31:41] Speaker A: The exact summary.
[00:31:42] Speaker C: Yeah, exactly.
[00:31:45] Speaker A: Joining me now in person is Tom Casey, Senior Vice President and GM, Products and Technology at Splunk, a Cisco company. Today we're discussing full stack observability. So Tom, thanks for joining and welcome.
[00:31:58] Speaker D: Thank you. It is fantastic to talk to you, Carissa.
[00:32:01] Speaker A: Okay, so Tom, I. Before we got on here, I was saying that I stalked you on LinkedIn. I've just seen your keynote. I saw your keynote at Cisco Live in Vegas. So I'm familiar with some of the stuff that you've been talking about. But perhaps from what you're sort of seeing in the market about, you know, Splunk, there's. There's been the acquisition. So let's start with that first and I'd like to sort of get into that a little bit more.
[00:32:21] Speaker D: Sure. So I think, you know, some people are curious about the acquisition and what motivated the acquisition. And obviously when you spend, you know, almost $30 billion US on an acquisition, it's a pretty strategic, big bet for you. So, you know, at a simple high level, Splunk brings leadership and security and observability to Cisco and also brings the strength of the Splunk data platform. And at Cisco now, as One Cisco we really look at the value of the data, the criticality of data for advancing not only security and observability, but the strength of experiences that you get across the network, how you build that AI ready data center that we talk about, how you future proof that workplace and allow people to work anywhere and everywhere, but actually have a great experience doing it. And how you make sure you stay resilient across, you know, your applications, your services and your complex infrastructure in the cloud and on prem.
[00:33:19] Speaker A: So I have more of a perhaps a rudimentary question, as in historically like Splunk, from my understanding, like Splunk, logs are quite costly. So what this was historically, working at a bank, that was some of the feedback. So what's sort of the vision now? Obviously you guys are going to be more integrated. We've spoken about that. Dave West spoke about that as well. Why it makes sense. Well, what do you sort of see now moving forward? What can people expect? Because obviously now cost is always a big thing that's coming up for CTOs, CIOs, CISOs. No one wants to pay for more things that they don't have to. So what's your view on that front?
[00:33:54] Speaker D: That's right. And so there is a common trend there around cost and cost management. If you consider that about 90% of the world's data was born in the last two years, what people need is more value per byte of data that they're operating on in the environment. And so while you're correct, some of the conversation comes at us when we talk to customers around just cost and the cost of managing logs, that's really fundamentally a value conversation. Am I getting adequate value out of it for what I'm doing? And what happened somewhere along the line, Splunk's been a leader in this space for 20 plus years. Our particular approach to doing log management and allowing you to not have to pre-structure it and we can search it all in a dynamic way is highly effective and valuable. However, people, policies, regulations and habits got to the point where people just started ingesting everything, right? And keeping it around for long periods of time. And so to keep around sometimes many, many years. I mean if you think about it, in highly regulated industries you have five, seven, up to 10 years in some instances, in some sectors where people have to keep things around. And historically people would put that in Splunk and just keep it in Splunk because of, because of the convenience and because most people want to get one thing done and get on to the next thing. Right. So now talk about where we're at in the industry, both security and observability. One of the most common trends in the environment is tools consolidation. And that's happening for two reasons. It's happening because of cost. As you talked about, people don't want to pay for so many tools with so many different vendors. And two, it's happening for a lack of kind of skilled labor. I mean, just having to have people specialized in so many different things. 
So what we've been doing at Splunk independently and now as part of one Cisco is turning that tools consolidation conversation into a data consolidation conversation.
[00:35:48] Speaker A: I want to flip over to the data consolidation, sorry, data. Every time I speak into an American person, I always say data.
No, it's totally fine. So before we cross over into that, going back to the tools, from my understanding, a large enterprise on average has 70 different tools. Most of those aren't being utilized.
[00:36:03] Speaker D: Some customers in the observability space have told me they have more than 150 tools.
[00:36:08] Speaker A: Wow, that's nuts.
[00:36:09] Speaker D: Yeah, you've. You said it.
[00:36:11] Speaker A: So how come no one's sitting there going, why are we paying for all these vendor products and no one's using them?
[00:36:17] Speaker D: They are, they actually are. That's an incredibly common conversation that comes to, to us and in fact it is one of the things that then we bring proactively to the customer where we say, look, it's not just about consolidating the tools within your environment, it's about revisiting your data management. You've got to get eyes on not just the traditional infrastructure applications and services that you're monitoring for security and for the experience people have. But you actually need to get eyes on what's happening on the network, the routes in the public Internet, what's happening between the managed services and the CSPs and the CSPs' front doors. All of those things need to happen in the environment. And for you to do that, you need to start to get richer signal at each layer. So what we're guiding customers through is two different things. One, we're out having more strategic engagements with customers about how to categorize their data into kind of high value operational and analytics data for use in the SOC and use in engineering and IT ops. And that conversation is about getting that ad hoc analytics and operational data at Splunk. And then we've invested to help them manage and federate their data out to their data lakes, Amazon S3 and in the future, a variety of others. So that's number one. So those are very active conversations around rethinking your telemetry data strategy. The second major trend that we see, an approach that we're taking is, as you've heard me talk about on stage here today, again, really recognizing in the security operations center that there are three or four things people need and they have to be a consolidated tool set. The SIEM, which for us is Enterprise Security, organizes the work of the SOC. SOAR orchestrates and allows you to apply your policies consistently. And consistency is a big deal as, you know, as someone who, you know, worked in a SOC environment for a long time. 
But then you also have to get safe and stay safe, report on your compliance on a regular basis. So we added asset and risk intelligence in our portfolio as well, where we discover and monitor the devices in the environment and that helps people report to the board, you know, keep track of ephemeral devices and other assets across the environment. And then finally, this is key. If people are already struggling with data overload, we can't just give them all the signal from the network unfiltered, unprocessed. And so we start to see specialized detections as kind of this fourth dimension. And there we have stuff we introduced last year like Splunk Attack Analyzer for phishing, helps automate phishing response and detection and remediate it fully. But that's where the power of Cisco's understanding of the network comes in. So we can take things like real time detections lower in the stack from XDR or for security, and we can turn that just a meaningful detection there into a notable event that flows up into Splunk. We can take a detected configuration. This is something we're working on now, a detected configuration change in ThousandEyes that appears to be having latency impact on a route in the network that's going to affect, might affect your user performance and just send that as an interesting notable event up into Splunk so we don't have to look at all the two or three orders of magnitude of network traffic, which is normative.
We can look at the subset of that that's indicative of something and that's really key. And that in turn shifts the dialogue. Those two dimensions really shift the dialogue too. How do you get more value out of the data you have and how do you start to set yourself up to get higher fidelity signal from the entire digital footprint?
[00:39:46] Speaker A: Okay, there's a couple in there, a couple of things in there which is quite interesting. Okay, so more value from the data that you have. So again we've sort of seen a shift, I don't know, 12 years ago it was all about, you know, huge data lakes like Cloudera and friends. And then it's been like, oh, now we're scared about having too much data, but it's like now we need all the data to be able to, you know, do the observability side of things. What would you say in your experience, people, as in your customers, are most concerned about now? Because we've seen the shift, as I.
[00:40:14] Speaker D: Just explained specifically around kind of the shift in data and kind of where.
[00:40:17] Speaker A: Yeah, like having it all and not having too much in case we have a data breach. And now it's like all kind of needed again because we need to look at all the things.
[00:40:23] Speaker D: What you just said nails it. And so where people had historically been is into a model where they put their data in a tool like Splunk and then archive that data, you know, kind of unindex it, keep the raw around if you need it, reattach it, re index it, or give it to a third party to do your all of your forensic investigation.
[00:40:40] Speaker A: Sure.
[00:40:41] Speaker D: That's very resilient. That's not very efficient. It also leaves you, you know, sort of a layer of indirection where somebody else has to do a piece of that work for you instead. By us embracing federation as a common thing, not just federated data management, but federated search and analytics, which is something you heard us announce this past summer.
[00:40:59] Speaker C: Yep.
[00:41:00] Speaker D: Now, directly from the Splunk platform, I can search my Amazon S3 buckets. But now directly from Splunk as of this summer. Sorry, as of I said summer, that's in North America, as of just a few months ago, you can also, directly from Splunk's Enterprise Security product, start an investigation on the data that's in Splunk that's active, you've retained for 90 days or 12 months or whatever it is. And then you can extend that forensic investigation directly into the Amazon Security Lake and we'll handle optimizing access to that data because what was retention only data for a while for you just suddenly became really interesting for a period of time.
[00:41:41] Speaker A: So as a result of doing that would then mean the cost would substantially.
[00:41:45] Speaker D: Be reduced because you're only accessing the stuff you need when you need it. And further, because you're in a tool like Splunk Enterprise Security, which understands the workflow of the SOC and it understands how that data relates to basically extending the search to this new data, the data it already has, we can effectively fault in that data temporarily. So instead of using tool, different tools and swivel chairing over here to a console in Amazon or Azure or Databricks or whatever it is, and just using that to search, I don't have to learn anything new. I stay in Enterprise Security. And we can avoid multiple egress charges every time you go access that information. Right. I can just pull in and effectively temporarily cache what you need. And then we're working through with our customers as we understand their usage patterns of this, as many are starting to do this, we're working through with them to understand when and how they want to effectively release control of that data again. So again, it's still sitting there in your data lake, but we've made it hot for the period of time that it became critical to you.
[00:42:46] Speaker A: And do you think this is sort of like if you even in my, you know, my own thoughts sometimes going back to my experience of Splunk, like more so, you know, at the coal face of it, I would say that's people's reality of it. The old version of Splunk around, you know, the cost of the logs and all that, but now you obviously just spoken about how that's being significantly reduced.
[00:43:04] Speaker D: Yeah.
[00:43:05] Speaker A: Is that sort of now with the acquisition is sort of saying, okay, well now we're on this new evolution of what this sort of means? Yes, for observability, but also as Dave West was saying around, having all of the data has that value and having that holistic approach. So would you say that what does the future sort of now look like with the acquisition? Things that you're sort of seeing people moving away from the old version of Splunk with this new version with, you know, with Cisco powering it. What's your view?
[00:43:32] Speaker D: Well, so this is not a new thing for us, who we started a couple years ago down this journey of really embracing federation. You know, Splunk's been a leader in security and observability for a long time. And what we really wanted to do was underneath the covers, help customers with the overall data management and data value problem. And so we focused on that starting a couple of years ago. You saw us make some announcements. Well before the Cisco acquisition, we introduced federated search, gosh, 18 months ago in the core platform. Those, some of those very innovations are the things that really matched up super well with Cisco's desire to create better networking, get more value out of the networking and correlate that data with other information. And so it was the fact that we were headed down this path of federation and Cisco was beginning to think about the distribution of security into the network. As we talked about melting security into the network, those detections, melting optimizations with ThousandEyes and exceeding into the network, those sorts of things are a tremendous complement that allow us then, we were already kind of moving in the same direction independently. We can now move in the same direction together and deliver the SOC of the future in a way that it is both federated in the way it manages data and responds to issues, but also distributed in the way it does detections and takes actions even down at the network layer. And those things are key that ultimately gives us a better networking experience, better security, better observability, better data, you know, better signal from the data as a whole for the organization. And then as we started this conversation, it gives you better economics because it's all working better. 
And you have this ability then, you know, to get it from one customer who has this vision of consolidating these things and making them or one vendor who has this, you know, idea of consolidating and making them complementary.
[00:45:23] Speaker A: So that's a, that's a good point that you raised. So again, going back to like the theme in terms of it, we all had like point solutions for a long time. Well, sorry, we had like everyone outsourced to IBM. Then I was like, let's do point solutions. Let's get specific specificity with specific vendors. Then it's like, okay, well now there's too many of them, it's 150 for example. It's all too much. We want that single pane of glass, for example. Buzzword. But then it's. Now we're moving back to what you're saying and I've spoken to Jeetu Patel, who you know, around having, you know, limited people to actually, sorry, limited vendors because therefore you don't want to move across different, you know, platforms, et cetera.
[00:46:01] Speaker D: You're also not going to have just one. Let's be really clear. There's a lot of value in going from 150 to say, you know, 10. And one of our commitments is Splunk. Even as part of Cisco, even as we're making all Cisco products better in the way they integrate with Splunk. We remain committed to meeting our customers where they are and being heterogeneous and open in everything we do. So I mentioned on stage a few minutes ago we've had a couple quarters of updating all Splunk kind of technical add-ons. Sorry, all Cisco technical add-ons for Splunk. To a new gold standard. We've also updated the top 10 non-Cisco security kind of endpoint solution detection products and others to that same gold standard. So the world is a crazy mixed up, heterogeneous place and will continue to be that. We are not confused about that. We think that the more people consolidate, the more the complementary nature of these products will allow them to get again greater value per byte of data, greater value per dollar spent. But you just don't, you don't modernize everything in your world all at once. And that is another trend. Customers are recognizing that you have traditional applications that you need to connect and protect, that you need to optimize and have interact with the new things that you're trying to do. What you really want to do is, you know, continue to manage those at a log based level or with traditional APM with like AppDynamics, which we now call Splunk AppDynamics, that runs on premise in that environment is really optimized for traditional application performance management. But we are doing the lifting to natively connect that to Splunk Observability Cloud, IT Service Intelligence, the core Splunk platform, and making it seamless for the developers, the IT ops people to just drill back and forth across those experiences and see aggregated views across that stuff without having to come in and saying, you know what, Carissa? 
You just, yeah, you can have this great new experience, but just upgrade everything. That's not the story. The story is let's meet you where you are, let's meet you where you are and let's recognize that where you are has multiple different modalities for interacting with devices. You have old and new stuff and we're going to, we're going to be the ones that bring all that together for you. And the. As you modernize things with Cisco software and hardware, physical and virtual in the environments, you're going to get implicitly more value for networking, security and observability out of it.
[00:48:34] Speaker A: So going back to the gold, the new gold standard, to use your words, would you say the new gold standard is obviously the Cisco, Cisco and Splunk acquisition. What happens if people are on like a silver standard? What does that sort of look like?
[00:48:49] Speaker D: Well, let's. The gold standard is actually something we talk about from a technical add-ons perspective, the way you connect and flow data into Splunk. So that was the context in which I was using that. And that's just trying to kind of differentiate and saying the best type of signal and the easiest to manage connectivity in an environment when you have hundreds and thousands of data sources are going to do these sorts of things. So we published a new standard around those and we're encouraging everybody that writes a connector to write to that new gold standard. That's what I meant there. I. You know, when you, when you were asking about that in the context, if I think you were implying, if using all the, everything from one vendor from Cisco gives you the greatest value, what's the next best thing? Is that what you were getting at?
[00:49:33] Speaker B: Yeah.
[00:49:33] Speaker A: And like, where do we go from here? And what if people aren't leveraging this? Are they the silver standard?
[00:49:38] Speaker D: No. And nobody's left behind. But for example, you, you know, it's probably not as likely that if you're, if you're using, as, as we evolve something like Hyperfabric in the environment. Right. You're not going to get kind of automatic load balancing, a reconfiguration at your firewall layer. You may not get the value of a fabric that is detecting patterns and anomalous behavior and potentially sending notable events directly into Splunk. You're going to have to get all the data from that other vendor's firewall system solutions, flow it into Splunk. Splunk still lets you, using the power of Splunk, cross-correlate it. But you may not get as immediate a response. You may have to do extra work in the SOC.
[00:50:21] Speaker A: And no one wants to do that.
[00:50:23] Speaker D: No people do want to do that and people will do that.
[00:50:25] Speaker A: But I mean the extra work because like people already burnt out. They're already, you know, alert fatigue. They got so many things going on all the time.
[00:50:33] Speaker D: Actually, that's not even it. It's back to our original conversation, it's cost and it's capability. And it's a bunch of work. And what's one of the biggest things affecting, talking about security specifically, what's one of the biggest things affecting, you know, the SOC today? It's a lack of skilled labor. Right. And so do I want to teach a bunch of people to do that or would I rather use assistive technology and things that are natively built in? And this is something with Cisco that's natively built in, that's built into the fabric of the network. That's where we're heading in terms of.
[00:51:06] Speaker A: Where we're heading, obviously, you know, with the acquisition, what do you sort of see moving forward as we now traverse into 2025? What can people expect?
[00:51:14] Speaker D: So we're. They can expect continued innovation across Cisco and Splunk, across our product lines independently. I just announced today the general availability of Splunk Enterprise Security 8.0 with a raft of new capability, including fully integrated SOAR capability, automated response. They can expect practical integrations that work with the products that they have today. So for example, in just our first six, eight months here together as one company, we've connected IT Service Intelligence from Splunk, Splunk Observability Cloud, the Splunk platform together. Some of this stuff is kind of table-stakes stuff. You can use single sign on across all of it, which means you're not having extra admin burden. You can do the basic BI concepts of drilling up, down and across to do analytics and have these products interact with each other. And that speeds up troubleshooting so much. Right? You're not swivel doing swivel chair work or having to phone a friend. You can actually do this stuff seamlessly, which is incredible. And so really practical things like that you're going to see from us on the integration front. And then you're also going to see a whole bunch of these capabilities that won't exist anywhere except from Cisco, where we have a deep understanding of the network. So you'll see us take things like XDR. So in Q1 of next year, we'll be taking notable events, basically events detected from extended detection in a large enterprise, forwarding that into Splunk as sort of an already indicated notable event, a thing you should pay attention to because we detected a real time thing and took some action to isolate it. For example, XDR is part of the breach protection suite from Cisco. Maybe Tom is trying to access a trusted domain in the environment, but is failing a login to the source management system. Does that. Are we. Is that just. Tom doesn't do that very often because believe me, I'm not checking in a lot of code anymore. 
Or is it he's forgotten his password? Or is that maybe not Tom at that point? We don't know. We just know those two things are true. And I can have a rule that's sitting there with XDR that's saying, you know what I'm going to do? I'm going to snapshot the source management system services right now in case this is a ransomware attack, you know, come into play. That now is a really interesting event that flows into the SOC natively into Splunk as a notable event where it can be cross-correlated with other information and somebody can figure out whether Tom's just an idiot and forgot his password and he's doing a project that, you know, some IP research or something that he's trying to do in isolation for a little while to get a handle on something, or is, do we need to take broader steps and more remediation here to follow a potential bad actor? That sort of differentiated capability is something that we're melting into the network, but in a way where it doesn't disappear. We want to melt the activities of detection into the network and then surface and highlight the interesting things in the SOC as part of Splunk. And that same pattern follows with ThousandEyes integration with Splunk Observability Cloud, for example. It's the same pattern bringing insight from the depth of the network into the light of, you know, kind of centralized management and security and observability.
[00:54:29] Speaker A: So Tom, do you have any sort of final thoughts for our audience today?
[00:54:33] Speaker D: Yes, I think the tools consolidation opportunity is a serious one in the environment and the cost pressures in the environment are a big deal. The world's getting more complicated. You're going to have more third party solutions and services. You're going to have every one of them is going to have its own AI and machine learning baked into it. So you know that the environment's going to get more complicated. Get after those tools consolidation conversations, but turn them into a data consolidation conversation, turn them into a modernization conversation around your SOC and the way you do IT operations and observability in the environment. And ultimately you're going to have the ability to engage us as a strategic partner in those conversations, knowing we have a longitudinal view around this. We want to help you build the SOC of the future. We want to help you because we've, you know, we've, we've got industry leading capability. We're recognized by Gartner two years in a row as a leader in observability with Splunk Observability Cloud. But we also have differentiated and leading capability in AppDynamics in traditional APM. And I can run on premise as well as in every cloud natively, not just monitoring those services, but I can run co-located with where those signals, applications and data are and nobody else can do that. So the message I have fundamentally is lean into the primary things that are challenging you in the SOC, in your IT operations, and invite Cisco in because as one Cisco we have the ability to help you see north, south and east, west in a way nobody else can in the environment and enough experience to be strategic partners probably.
[00:56:13] Speaker A: And there you have it. This is KB on the go. Stay tuned for more.