A hacker doesn't always look like a hacker. The hacker's at home everywhere, comes in many forms. He's interested in everything. You can work alone, but with a crew, so much better. A hacker is free. With Cisco, protecting your business from cyber attackers is simple: if it's connected, you're protected.

At Cisco, our purpose is to power an inclusive future for all, and in that future Mother Nature has a voice.

How have things been at work? It's Groundhog Day, you know, just always the builder, never the architect. The thing is, I've got ideas, big ideas, about better products, new revenue streams, smarter investments. But the thing is, I can't focus on any of that, because here I am, too busy playing whack-a-mole all day. It's a lot of metaphors today. Thank you. So it sounds like you need a platform that drastically reduces the amount of confusion caused by zillions of analytics tools and focuses the data for you. Something that allows me to spend time thinking big picture. Something that would reduce the amount of app system errors, pinpoint areas of improvement and proactively suggest fixes. Exactly. Why do you know that? Don't know. It's a new day for the new era.

AI is everywhere. So are we. We have the infrastructure AI needs and now the breadth of data AI craves. We'll use AI to help the world see more, do more, and we'll secure it like never before. You've all heard the AI hype; now you want AI's help. That's exactly what we'll give you. Cisco, making AI work for you.

Where will you be in 5 years? Where will we be in 5 years? In 25? In 50? Let's be here, and here, with her and him and they. Let's connect them. Let's connect everyone. Let's deliver technology that gives them access to power, opportunity. Let's set a new standard for data security and personal privacy. Let's change the system, promote equality and fairness in the workplace. Let's tear down the barriers to social justice for a more inclusive world. Let's clean house: zero carbon, zero waste, because the health of our family is tied to the future of our home. Let's gather resources and partners, steer toward our greatest challenges and accelerate for the benefit of all. Cisco has made it its purpose to power an inclusive future for all. Where will we be in 50 years? Let's go see. Cisco, the bridge to possible.

Humans and nature: we're in this together, but to keep coexisting we need to do more to protect our planet. Cisco Smart Building Solutions and our partners' technology can benefit both humans and nature, helping us make the best use of space and optimize energy consumption for the changing way we work, making connections that deliver power and enable automation, creating efficiencies that can help the workplace and the planet, and freeing teams to work from anywhere while creating engaging experiences thanks to AI-driven collaboration tools. Sustainability initiatives are part of powering an inclusive future for all. With Cisco Smart Building Solutions, we believe all businesses can better optimize their energy use. Between meeting human needs and a sustainable future, there's a bridge. Cisco, the bridge to possible.

At Cisco we believe inclusion isn't just the right thing to do, it's the innovative thing to do, because every invention, every improvement, every achievement, every small step and giant leap inside our company and in the history of the world started when a different perspective was invited, a different voice was elevated, a different opinion was accepted. To us, inclusion is progress, and it's why we're reimagining how people come together: changing the system, tearing down barriers, respecting and honoring each other's identities, promoting equality and fairness, using technology to create more opportunities, empowering a more inclusive future for each other, for good, for all.

A cyber attack can grind everything to a halt. Cisco Security keeps your network and your company moving forward, because if it's connected, it's protected. Cisco.

So what do you think here? Can seven? It needs to carry 150. Right, yeah, should be perfect. Cisco's purpose is to power an inclusive future for all. That's why we're working with the APGA and the USGA to make golf more inclusive. Shot! Thanks, appreciate it. Thank you. We're teeing up tomorrow, because the more of us who play, the better golf is for all of us. Yeah, great, great putt, nice job, there you go.

Thanks everyone for
joining. In Silicon Valley, the innovation engine is alive and well, and it is being really accelerated by the movement around AI. And so as we think about this revolution, it's happening at the silicon level all the way up to the applications themselves, and it is really driving a resurgence in how we think about our data centers and the architecture that supports this revolution.

Now, this isn't the first time we've been through a revolution in the data center. We saw a similar type of revolution as we went from the private cloud to the public cloud, and in that transition private clouds used to be built out of things that came in boxes: your servers were in a box, your load balancers were in a box, your firewalls, your networking devices were all appliance devices. As we transitioned to the hyperscale cloud, what we, the industry, did is we took those boxes, we defined those services in software, and we broke them up into hundreds or maybe thousands of pieces. So we created a distributed architecture where we get that stuff out of the box, running in software on this grid of compute, and this is what created the elasticity that we now take for granted in the public cloud.

So what we're doing at Cisco is we're thinking about that same type of approach with security: how can we take security, take it out of the box, break it up into lots of little pieces, and deploy it close to the workload in very, very fine-grained detail? So what do those enforcement points look like? Of course, a traditional firewall, which comes in an appliance, will always be part of the mix, and at Cisco we've been focusing our effort on reinvigorating our firewall. So we've refreshed all of the hardware from the top to the bottom, which has very powerful price-performance advantages. We've also put innovative new features in to handle encrypted traffic, so we have the Encrypted Visibility Engine; I'll talk a little bit about that. We're using ML in Snort, which is the industry-leading threat defense capability, and these innovations have been recognized with industry leadership from analysts such as the Forrester Wave, which put Cisco in a leading position.

Now, firewalls will not be your only enforcement point. Having the ability to put enforcement into the host itself is something that we think is really, really important. So with Cisco Secure Workload we have a relatively mature offering that can handle very large-scale host-based deployments: we can handle up to 2 million flows per second, we have rich support for both Windows and Linux workloads, and it can run in both private and public clouds.

Now there are some new entrants into the family, and the way to think of this is that you've got a single policy enforcement capability and then multiple enforcement points underneath it that represent a network security family. One of the new entrants to that family is Cilium. Cilium is by many measures the default container network interface, CNI, that's used in public cloud workloads, and so Cilium is widely deployed in your cloud-native applications. What we've been working on is bringing that functionality back into private cloud architecture.

And then one of the most interesting projects that I've worked on is Cisco's Hypershield. Hypershield is a distributed security solution that is built on top of the agents of Cilium Enterprise, but then we extend that into other form factors, because as good as these modern agents in Cilium and eBPF (I'll talk about that) are, there simply are some workloads you can't put an agent in. And so having the ability to deploy enforcement in a different form factor, using a type of silicon that we call a DPU, data processing unit. So DPUs are chips that are made by Intel, AMD and Nvidia. It's an evolved version of a NIC, a network interface card, and it's a little tiny system on a chip, so they've got multiple cores, they've got hardware acceleration for connection handling,
encryption, etc., and you can think of it as a little tiny baby firewall that can run on a chip. Now, DPUs have been in the industry for years, but they are almost exclusively used by those hyperscale data centers that we talked about earlier, and the reason hyperscalers use a DPU is because that little baby firewall running on the chip is in a different memory space than the host, and so it allows you to create very high isolation between two VMs, or high isolation between tenants. And this is what the cloud providers need: they need to keep Coke from Pepsi, right, separate the tenants from each other. So a cloud provider might run 40 or 50 DPUs in every rack of servers, and DPUs cost money and DPUs use power. And so a couple of years ago these hyperscalers came to us and said, hey Cisco, we would rather put a smaller number of DPUs into a top-of-rack switch, and so we started the hardware engineering work to have our switching ASIC, Silicon One, have a high-speed interface to up to eight of these DPUs and deliver that in the form factor of a switch. This is a radical new approach, because what it means is that every switch port can become a high-performance layer 7 firewall.

So as we think back to that family of enforcement points, you could have enforcement points that could live in the host, they could live in a server with a DPU, they could live in a switch with a DPU, and over time we can actually put those enforcements into third-party firewalls. No rip and replace; we want to be able to work with the infrastructure that you have.

So let's think about what that might look like in practical terms. For many customers, firewalls would live in a concentration in a small number of places in the network. Let's think of the DMZ; maybe we're putting them at VLAN boundaries. So you'd have a stack of appliances that could live there. With Security Cloud Control, which is our cloud-delivered management console, you'll be able to define the policies for these devices and then start to think about migrating away from this concentrated deployment of security at the edge of the network, in the fence model, and adopt more of the fabric model, where we're going to start to put little tiny enforcement points everywhere. And those enforcement points may vary: so you may have a Windows workload where you want to deploy Secure Workload, which is our host-based solution, or you've got a more modern Linux-based workload where you can use eBPF and things like Cisco's Hypershield. These two can coexist side by side, with that cloud-delivered management console that ties it all together.

As you go through and refresh your infrastructure, you may say, oh, I need to put compensating controls in front of this particular database which is vulnerable, but I can't put an agent in the database. Maybe I'm going to put one of those DPU-enabled switches right in front of that database, and now I can put compensating controls in that protect that particular workload. So you can see that over time your security strategy can begin to inform your hardware refresh, right? The policies don't change; the enforcement points will change over time, and this is going to give us a fundamentally new approach for how we think about protecting the applications in our data center.

This solves problems that are real-world problems that customers are facing right now, and I think many of them are problems that you're facing. Let's hear from some of those customers about some of the challenges that they're facing in their data center.

You know, our clients are people in trading and asset management, and success is just providing that service and being able to manage the risks around us.

What's at the top of our mind every single day we walk into our building is taking care of our patients. Are we controlling the right risks and not breaking the business while we do it?

We have to put a heavy focus on segmentation, because first and foremost, you know, we're a regulated industry, so there's the demand to keep
private data private. Then there's also just the threat profile: just clicking on an email will set off a chain reaction at a firm like ours that could end up in data destruction or ransomware. We have to segment things out so that that blast radius becomes smaller and smaller.

When we talk about the application set at Goldman, it's so complex, and it runs so much of our firm's intelligence and risk-making decisions. We'll just say it's like a Cartesian product; it's everywhere. So the complexity now and the scale of what you need to do, it's just not human.

Vulnerabilities are a critical component to managing security risk today. The total number of vulnerabilities that have been submitted to the National Vulnerability Database just in the first 3 months of this year, it's over 7,000 known vulnerabilities.

From the time you hear about the vulnerability, there's a lapse between that time when it's published to when the patch is available. There are some that come up very quick; there are some that take 6 months, I'm not kidding you. It depends on the device. If I can apply a compensating control such that I don't have to bring down those systems, so that we continue to give the best care to our patients, that to me is the kind of solution we've been looking for.

Today, when you think about the compensating controls that we have, they require us to take a big action across a large swath of an environment, and I think the thing that we're really pushing for is more places to put more granular controls inside of our environment.

Teams are slowed down at putting these risk management things in place because they're afraid, and they don't have time to test it. The exciting thing here with the dual path is to have, you know, two different versions, possibly, of the actual firewall or control code running the same policy, and having them qualify against each other and actually comparing those things live, feeling perfect about that, and switching over to the new code base. I don't think that's been done in the security landscape.

We have a very robust test lab, but the lab itself doesn't have all the necessary devices we would love to have there, because these are very expensive devices. Being able to test inline, in real time, the control that we want to put in place is a really essential concept for us to move forward with.

Today there's a promise of automation, which is it makes it more quick, more timely, more efficient, but then there's also the fear that goes along with it, which is you press the button, the automation happens, and everything breaks. And so this notion of being able to earn trust in the context of automation is really essential for any new initiative we're working on.

How do we secure this right from the start, and how do we automate? Just the dispersion and distributed nature of things requires that non-human, large-scale automated infrastructure. You just can't operate without it.

You heard it from customers; I think you hear it from your teams every day. Things like patching: how do you keep up to date with the infrastructure itself, how do you keep your applications up to date? Things like segmentation, which I'm going to argue is a foundational capability. Even just visibility: what's happening, how are these things communicating? These are fundamental problems that are difficult to solve, and I think that we have an approach here that's giving you a platform, right, a more broad approach to security that is going to solve these problems in a really unique way.

So it starts with visibility into the workload itself. So if you think about the needle in a haystack, we're looking for that one little anomalous behavior in a very, very large haystack, right? So we've got high volume of data and a relatively infrequent occurrence of these anomalies. We need very fine-grained detail to be able to determine and find that needle in the haystack. So as we think about this security platform, we want to be able to understand a
workload in that fine-grained detail. I want to look at not just the workload; I want to look at the services that make up the workload. I want to know what processes are running in the services that make up that workload, and then I want to be able to understand how these individual processes are interacting with each other and where the known vulnerabilities are. So it starts with drawing a picture of that interaction: show me all the services that make up an application, show me how they communicate, show me where the weak spots are. Then I want to think about how I put those controls in place, compensating controls, protecting controls, on that workload wherever the workload may be, whether it's running in a private cloud or a public cloud, right? So having the ability to define this stuff in software is really, really important.

Now, a key capability that we have in the industry to help solve this problem is advancements in modern operating systems called extended Berkeley Packet Filter, eBPF. You're going to hear us talk a lot more about that. It's not a snappy name, but it's a remarkably powerful capability. What eBPF allows us to do is it allows a process that's running in user space to be able to peer into the heart of the operating system, into the kernel, without actually being in the kernel, and the advantage of this approach is that we can be updating the security algorithms on a near-continuous basis, but we're not actually disrupting the kernel. Now, you may not know, but this is open source and standards-based. We own the commercial company behind that, so we're kind of the Red Hat of the eBPF space. The company's called Isovalent; it's part of Cisco, and the reason we invested in this is that we view this as literally the future of networking and security, because it allows us to do all the magic that we do in the fabric of the network and we can extend it right up into the host. So what is that magic? It allows us to see every process that's running, we can see every I/O operation, we can see every container talking to every other container, every VM talking to every other VM. So it's a really, really powerful insight into your workload.

Now, this makes perfect sense when we think about a workload in a traditional sense of what's running in the data center, but more and more, our data centers and where those workloads are, that's changing, right? And so in this room that we're sitting in right here, there are hundreds of little computers, right? So as we think about a world where computers are everywhere and we have distributed IoT environments, we need a way to be able to protect those computers as well as what we protect in the data center, and this is another place where Cisco really shines. So having the ability to apply tags to every single object gives us the ability to manage security in a highly distributed environment like an IoT or OT environment, and at Cisco we call this Identity Services Engine, or ISE, and it allows us to put tags on things like a camera or a telephone or a printer and then enforce what are almost common-sense policies, which would say: I want my camera to be able to talk to the camera app, but I do not want my camera trying to talk to a customer database, right? Why would a printer need to access our sales database? It doesn't, but that can be a very hard problem to solve. So having the ability to apply these tags and this identity to any device anywhere is something that customers really value, and I think this is something that is unique to Cisco, which is we focus on where security meets the network.

So segmentation, I want to argue, is a foundational capability, and that was driven home by a vulnerability that we saw in the US where there was a credit rating agency that was compromised, and they had a single instance of an Apache server that was not up to date. It wasn't a zero-day; it was more than a month old. Attackers found that vulnerability, landed code on the box, and that was of no consequence in and of
itself. Where the damage was done is, from that one landing spot, attackers made more than 40 lateral moves over the course of about a year, and that's where they collected more than 200 million credit card numbers, right? So segmentation is like a common-sense defense which says: assume the attackers are in; let's make it hard for them to get around. Everyone understands this, and people have been embarking on segmentation projects, but the challenge that we find is that understanding the behavior of an application can be tricky. Applications can appear like kind of a big jumble of spaghetti; they appear sort of random, right? They do things in strange ways. Now, it turns out applications are not at all random, but they are asynchronous, and so one of the challenges we see in the industry with segmentation solutions is that segmentation solutions have tried to characterize the behavior of an application over time. Let's think about an app that might schedule the delivery of sheet metal in a factory. If you watch this application for 90 days, you would say, oh, I fully understand how this works. But if it turns out that you run out of sheet metal on day 91, the app is going to do a bunch of things that look random. They're not random, but it's event-driven, it's not time-driven. And so having the ability to have a more continuous approach and a dynamic approach to segmentation, this is the answer.

So the way we think about delivering segmentation for you that's actually going to work at scale is we start in very coarse chunks. Let's do macro segmentation. This is not a radically new idea: let's separate dev from prod. Okay, we can do this, and we can do this in the fabric of the network, separate these two instances. Now, as we start to understand your production environment, let's start to create successively tighter levels of controls on a continuous basis, and we can do this using really two points of observation. The first is flow analytics, and in fairness this is what the industry has been doing; our competitors do this as well. So understanding this service talking to that service, looking at the network flows. But a much more interesting capability is to do process-based analytics, to say this application server is talking to this database server using SQL. Okay, that's an appropriate language, but what process initiated the connection and what process is terminating the connection? If it's not a process that we know is associated with a SQL database, that's going to cause an alarm. So process-level visibility is super, super interesting. We have this ability to observe this on a fine-grained basis, and with AI we've adopted a continuous learning model. So we go through and we look at each individual transaction, each east-west communication, and we score it based on risk. So there's some stuff that should obviously never happen, right? A web server should never SSH into a database; let's turn that off. But as we get more fine-grained understanding of the individual flows, we can look at each transaction on a statistical basis and say, what is our confidence that this is a legitimate flow? So we can successively tighten and tighten and tighten these segmentation policies. Now, because we're resident in the host, we can tell if an application has been modified or updated. When an application changes, even if, like, it's been moved, we'll relax those restrictions, recalibrate, relearn, and then tighten them back up again. So you can think of this as a more dynamic system that opens and closes based on our understanding and our confidence of our characterization of the workload, and it allows us to put these controls in place for both traditional workloads as well as for modern workloads such as Kubernetes-based workloads that might be running in a public cloud as well as your private cloud infrastructure.

So it's a little bit of a good news, bad news. Okay, the good news is we can deliver the segmentation at scale. The bad news is attackers are expecting that you have segmentation in
place, and one of the trends that we're seeing is that attackers have figured out, you know what, it's a lot easier to just log in than it is to hack in. And so understanding the applications and the vulnerabilities of those applications is really, really important. So one of the trends that we're seeing is, all of the tools that I've been talking about that automate your ability to defend against attacks, the attackers are using similar tools on the offensive side. So when a vulnerability is announced, it used to take weeks before we'd see activity around it. Then it was days. Now we're seeing it: when a vulnerability is announced, within hours we're seeing it being exploited. I'm sure you're seeing the same thing. So when you think about the scale of the vulnerabilities in your infrastructure, many customers have hundreds or maybe thousands of apps. That means on a given week you could have several thousand CVEs that need to be addressed, every single week. It is simply not reasonable to patch all of these applications within hours; that's just not a reasonable thing. And so what we've been focusing on is this: we create an automated system that can provide compensating controls that can help you close this gap.

So it starts by taking the output of your existing vulnerability scanners, Qualys, Tenable, RedSeal, Wiz, whatever you're using, to assess the vulnerability of those applications and to create that long list of CVEs that need to be addressed, and then we use AI to take that list and process it intelligently. So we ask a few questions. The first question we ask is, for the vulnerability in question, is the code module resident in memory? Not is it on the manifest; is it actually running in memory? If it's running in memory, we want to look more closely. The second question we ask is, do we see activity around this? So we're constantly monitoring the dark web, we look at chat boards, we look at our incident response logs: are we seeing anything about this vulnerability, or maybe it's even being
discussed? That's a good indicator that something might be happening. We roll that up into a score, and we say, look across your entire fleet of inventory; you might have thousands of servers, but there are 10 that need special attention. This is a real vulnerability that was affecting the CI/CD toolchain, a very, very, very high-impact vulnerability. We give you that report that you can then pass to your colleagues on the app side and say, look, we've got to go patch this vulnerability, but while we're working on that patch, don't worry, we are applying a compensating control.

Now, an important thing about compensating controls is it does not obviate the need to patch. A compensating control, it's a finger in the dike. We see this vulnerability and we're going to say, ah, we're going to put a shield in place that can stop this from being exploited. As good as a shield is, an attacker may find ways around it, so we still need to go do the patching. But we have the ability to apply this in a very, very automated fashion, which means a very timely fashion. And then when the app team gets to qualifying the patch and rolling that out, which might take a week, right, we know that, right, it might take a lot more than a week, when that vulnerability is remediated, we detect that and we will automatically remove the compensating control. So we build the lifecycle management into this system. You can see very, very high levels of automation to make this work at scale.

Now, one of the challenges with this approach is you might say, this is cool, except we're looking at traffic that's encrypted. How do you know what's in the payload? And one of the more interesting observations, and we're going to talk about this in more detail, is that we have the ability to understand encrypted traffic without actually decrypting the payload. So there's a huge amount of information that we can learn by just looking at the metadata around that encrypted traffic. We can fingerprint the size of the payload, the nature of the flow, and
we can be able to say, huh, even though this is encrypted, this doesn't look right. This is what we call the Encrypted Visibility Engine that's built into our network security devices, and a very effective way of dealing with encrypted traffic.

So what we're talking about is a platform approach to data center security, and so it starts with that cloud-delivered management console that I talked about, and then we have the ability to give you the visibility into the workload, to do very coarse-grained segmentation, things like zone firewalling, let's put a security control at the edges of those VLAN boundaries, then let's create tighter fine-grained controls for micro-segmentation, let's do more advanced things like providing the compensating controls in an automated fashion. And this is just the beginning. As we look forward, we're thinking about additional controls that can protect AI-based workloads, other types of controls that we build into this platform. One central management console, multiple different enforcement points.

So at this point I'd like to invite Craig Connors, our CTO and my friend, to come up. Good to see you. Thank you, good to be here. Yep.

So Craig, central management is essential to all of this, and so at Cisco we've been working on what we call Security Cloud Control, which is our central management console. Can you walk us through the specifics? How is this going to manifest to customers?

Yeah, absolutely. I mean, first and foremost, we've got to bring the management of different products together, right? I think we've all lived in a world where I've got a different console for SSE, a different console for firewall, a different console for the next new product that comes, and so we wanted to break that model. And so Security Cloud Control, you can think of it as multiple different phases from a technical execution perspective. It starts with, how do we build an architecture that allows us to bring these products together, and bring them together seamlessly? So that's
a Kubernetes-style interface on the bottom with shared common services that allows us to easily plug the different products together, centralize the identity access management, and give you all of your products in a single place, right? So that's a great first step, but that's not actual integration; that's just saving you logging in more than once. And we have this vision of building complete integration, moving from product-centric views to outcome-centric views, right? So I don't think about the product underneath; I think about, you know, I want to do segmentation, I want to do exploit protection. Again, that's a journey that we have to go on to get there, to make sure we're not disrupting what your teams are doing, making them relearn everything at a rapid pace. As we do that, we have this amazing advantage, which is AI. So inside Security Cloud Control, with all of these products sharing a common foundation and common services, one of those common services is Cisco's AI Assistant. Yeah, and that allows us to have a bridge between all of these different products on day zero. So the AI Assistant understands SSE, it understands firewalls, it understands Hypershield. It ties all of those things together for your team to make sure that you're delivering consistent security outcomes as we evolve the UI itself too. Those products you interact with, it's like you're talking to one of your colleagues.

Yeah, so one of the biggest challenges we have is understanding what a rule means. What is the actual intent behind a rule? What will happen if I remove this rule, and does this conflict with other rules that I have in the system? That used to require a huge amount of skill, a huge amount of time. We've got a skills gap in the industry, we've got limited resources we're working with on our teams. The AI Assistant allows us to bridge some of those challenges. I think of the AI Assistant as a huge step forward, in that you're putting a new interface on an existing technology or product, which
is cool and really really interesting but what gets even more interesting in my opinion is when we start thinking about these AI management capabilities and we think about how we build products themselves this is the difference between an AI assistant and what I call an AI native product a product that from the beginning has been built using Ai and I think you know you and I have both been working on a product hypers Shield that is truly not possible without AI can you talk a little bit more about that most of the application that we've seen the in the industry to date in networking and security has been just like the AI assistant how can I layer AI on top of an existing product to make it better how can it help me sort my firewall rules how can it help me threat hunt and xdr and those are very valuable things but AI native is this notion of okay I have this massively transformational technology What If instead of thinking about how I made a product better I thought about how could I solve a problem that I could never solve before in the industry something like the patching problem something like the upgrade problem and so that's what hypers Shield tried to Envision and I think that's something you're going to see more and more from the industry where you're going to see really really mindblowing innovation that come because when we take the opportunity to go back with a clean sheet of paper and rethink what's possible with the technology we have today we can do some pretty amazing things you know I I think when I talk to customers about this and I describe this world where every switch Port can become a high performance firewall I can see in the eyes of the customer they glaze over they're like oh my god I've got a million switch ports right I can't manage a 100 firewalls how could I possibly manage a million of these little baby firewalls and so the answer is you don't manage them this AI gives us the ability to introduce a whole new management Paradigm what 
we're introducing is a model here where imagine a firewall that writes its own rules tests its own rules deploys its own rules life cycle manages its own rules and then almost magically it upgrades itself while you sleep that's what we're talking about and I know that sounds that sounds uh aspirational but you can actually put hands on on the system you can actually see this this working now any firewall administrator would be like whoa wait a minute I don't want to let the AI write the firewall rules right and so we understand that and we built this system to operate in a semi-automatic mode where it's going to say here's what I think I should do and here's why I think I should do that is this okay and so it earns your trust you let this system write its own rules and test and after a little while you're like this thing is amazing right it has the ability to make decisions based on data that a human doesn't have right we're looking at every single packet every single process and be able to determine should we make this change or not make this change and so this becomes increasingly important because one of the more disturbing trends that we're seeing in the industry and I'm sure you're seeing it in your environment is that attackers are targeting the infrastructure itself and the reason they're targeting infrastructure is that these are high performance highly engineered devices that are in line which means they're hard to upgrade so they get upgraded during a change control window which for many customers you know there's only a handful of those Change Control Windows you know you've got one at the Fourth of July and maybe Christmas so for many customers is infrastructure software running out there that might be 12 might be 18 months old and that's where the attackers are focusing so with this architecture we're introducing a fundamentally new paradigm right which is infrastructure that can upgrade itself can you walk us through Craig how that could possibly work 
yeah absolutely so I've spent a lot of my career building routers and sdw devices and firewalls and they all have the same problem we we upgrade them all the same way we set up a Saturday night maintenance window we do a bunch of pretests we do an upgrade we do post test to make sure that everything still works the same way if it fails we hope we hope if it fails we roll it back we call TAC we open a case right uh and then Monday morning we cross our fingers when production traffic load hits and hope that everything works and the reason that is because it's impossible for us to test everything that could happen in the real world right right everyone's network is different everyone's combination of traffic types are different everyone's set of policies is different everyone's combination of features is different and even across geographies the the type of network traffic that you see in APAC versus the type of network traffic you see in a Mia is often different and so for us in system test trying to test all these combinations is really really hard and I always said my whole career like wouldn't it be great if like we could just use customers networks as a test bed because we could see every possible combination of what might happen AI has made it possible for us to do that so before you get scared about using your your network as a test bed what we've done is inside every agent inside hypers Shields it's got a digital twin inside that means that when we're running software when we have a new software release we actually run it in parallel to the production software load that you're running so that little tiny baby firewall we talked about there's two they're running side by side so all of your production traffic mirrored through the new version of the code and we're comparing them we're comparing CPU usage memory usage packet traversal times across the data path we're looking for crashes we're looking for issues with policy match all of the things that we would do 
in QA are happening automatically on the system transparently but for your specific environment and your specific combination of of features and policiy and this is important it's not in a sample of your traffic it's not running in a staging environment or a little slice it's the entire traff trffic of your environment right your whole infrastructure becomes a digital twin that's right and so then we're going to give you a test report so instead of a notification of a new software release being an email from marketing saying version two is available hypers Shield console's going to say version 2 is available and here's the test results to show that it will work in your environment and here's an AI assistant that you can discuss those test results with to talk about whether it worked properly or not and then when you're comfortable moving forward with the upgrade you go ahead and deploy it and that deployment is zero downtime because that new code is already running all of your traffic through it we simply move the exit Point Flow by flow from the old version to the new version we keep the old version around in case we need to roll back and you get a zero downtime pre-qualified way of moving from the previous generation of software to the new generation of software so solving this upgrade problem is something that frankly when we we first started talking about this I thought geez this is transformational what's interesting is when we put it in front of customers they said Ah that's really cool but what about could I use the same capability for policy changes yeah so I'd like to take credit for this but um credit to to Goldman I think Simon's here and other folks that that had this idea for us but they were like hey if you have two versions of the code running in parallel couldn't we test policies too and so now imagine those two digital the digital twin and the the original data plane are running the same version of code but instead of modeling what will happen when 
we roll a new version of software we model what will happen with a new set of policies so with your production traffic in real time telling you if you make this policy change this is exactly what's going to happen you can generate any type of test traffic you want right who's the mo who are the VIP users who are the VIP use cases what are the things that don't happen periodically you can actually run those intentionally during the test phase and then see the test results to see what's going to happen in your production Network when you make that policy change I I hope everyone in this room knows what Jenga is that game where you stack the blocks up and then you have to pull the block out if you're a firewall administrator making a policy change on a million firewall rules it's like Jenga you know you make a change you're like oh my God I hope I didn't take the whole thing down we solve that problem now any change that you make you push into the shadow data path and we're going to verify it on live traffic not a sample of traffic all the traffic and so it creates a level of confidence and a level of automation it's never been done before so should we show a demo yeah let's let let's make it live all right so I'm going to walk through a couple of these new things for you uh first is some of that AI assistant capab we talked about and the second is some of the distributed exploit protection everything I show you in this demo is real and exists today so let's start with the a system right so we're in our security Cloud control we've got a lot going on in my network I've got 30,000 firewall policies right and we talked about the complexity of managing firewall policies one of you yesterday was telling me you have 200,000 I know some of you have a million or more firewall policies and the is you can't take them out because you don't know what the impact will be when you take them out right also for your admin team add a new firewall policy is not simple anymore because 
add a new firewall policy means figure out where in this list of a million policies is the right place to put it Jenga so yes let's go look at our AI assistant and look at our policy Optimizer to start right what can I do about these 30,000 policies do I actually need all 30,000 policies that I have by the way I didn't say this before but this is on the screen right in front of you so you don't have to look up up at the board around so I'm going to go into my policy analyzer and again using natural language I'm going to ask a question show me all my firewall rules that can be optimized for edcp and I get a list and an output from the AI assistant so it tells me which rules are redundant meaning rules that are exactly the same or identical like uh an IP address within a prefix also what rules are shadowed right this could be more complicated like uh I've got a rule about an Sgt tag and I've got a rule for an application underneath but the system knows that that application always has that Sgt tag so that rule is impossible to be hit based on where it is in the priority order so quickly identifying those duplicate or shadowed rules and letting you with one click disable or delete them and optimize your file rules so we've removed thousands of rules that were completely unnecessary and we don't have to worry about what is the impact to our Network because we know those rules could never be hit right what else can we do with the AI assistant well there's a whole bunch of other AI Ops use cases that we have that exist within the system rules are just one level of complexity we have have right so let's talk about elephant flows are really really big flows right flows that grow to a high high throughput over time and we're running these through a firewall and because we're running them through the firewall and we're running them through IPS it's affecting the performance of the system and so there's two things that we can do we could throttle the flow right we could slow 
it down but we could also bypass IPS directly but we need some contextual information about what is the right approach for this so again being able to tie the intelligence of all these different products together and say not only that there is an elephant flow but what is this flow what is the risk Matrix associated with it and should I bypass IPS or should I throttle the traffic for this specific flow to remediate the problem in my network work you're getting that all of that contextual information built together and making this intelligent recommendation for you and then automatically remediating the problem right the other cool thing that we've done is this one is inside of hypers Shield distributed exploit protection yeah um you know this is a problem that hasn't really been solved before yeah everything we talked about before was sort of a better job of managing that which exists today this is net new right right so vulnerabilities right Tom talked about vulnerabilities uh vulnerabilities are right rising at a rate that's faster than ever before and that's in large part due to generative AI generative AI is being used to discover vulnerabilities by scanning open source libraries by running automated penetration tests generative AI is being used to exploit vulnerabilities so just stock GPT 4 if you pick any vulnerability with a cve CVSs score of 9.0 or above there's a greater than 50% chance that GPT 4 can successfully write exploit code that will allow you to exploit that vulnerability that's not getting into 01 which is like nine times better at writing code than gbd4 right and that's not getting into some attacker building retrieval algor generation specifically designed to exploit vulnerabilities so all of that to say it's a really scary time because attackers are getting really really really fast but today Defenders are doing the same thing as we always did right we're we're waiting for the patch to come we're testing the patch we're rolling out the patch 
yeah weeks weeks I mean in the in the best case the best case the bug is in a in a software vendor program because that software vendor is incentivized to go fix it for us right because we pay them money but in many cases the bug is an open source right and it's the bug is in Project Falco and my buddy Dave in DC is on the golf course and he's like oh yeah I'll get to that when I finish my round right like there's no incentive to fix these things rapidly and log 4J taught us we rely a lot on open source right and a slow remediation can be devastating yep so what we wanted to do with distributed exploit protection was give Defenders the same agility and speed that attackers have using AI it starts with understanding the estate that you have so this is a chart that seems really confusing the first time you see it and then gets really really cool and interesting the more you understand it think of this like a Gartner magic quadrant up and the right is good down into the left is bad yeah right right is bad green is good so we're giving you a real-time view of all of the applications that exist inside your ecosystem and how trusted are they right now and how risky is it if an exploit was to happen so this is a mix of the actual security of the of the level of vulnerabilities that exist and the business risk of exploitation and now when I think about how I need to improve my security posture it's very easy for me to think about starting with what's down on the lower left and looking at the most critical vulnerability that exists in my system so once again in our demo it's the same vulnerability that Tom talked about earlier this is a vulnerability that exists inside a cicd product and the reason why that's critical kind of goes without saying but if an attacker can take control of my CCD pipeline they can now push vulnerabilities across the fleet of applications that are being delivered through that cic ecosystem so this is obviously a very critical vulnerability and we 
can ask AI to tell us about it so we get a description of the vulnerability we can see the CVSs score we can see Cisco's vulnerability score which is us taking not just the CVSs score but that data that Tom talked about from Cisco vulnerability management about is this being exploited in the wild the data that we have in hypers Shield about how it's being used in your system is it active and also any any information that you've told us about the business criticality of assets and so we're telling you this is 100% 100 out of a 100 the most critical vulnerability that you could have so we take the complexity of the vulnerability and we try to present it in a way that's simple and digestible easy to understand right we tell you everything that's affected right these are the these the assets that are impacted these are the zones obviously in cicd it's going to affect Dev and prod because cicd spreads both types of zones and then we can dig in to the actual remediation itself now Tom talked about ebpf one of the really really powerful things about ebpf is it allows us to put code very very safe code so ebpf uh programs allow us to extend the functionality of the kernel at runtime and we we do this in two-step process first they go through adjust in time compilation so we've got guard rails built into the programming language of ebpf to make sure that we can't have a memory leak we can't have a a point or D reference things like that and then those programs are executed in a sandbox before they're actually instantiated in the kernel so the first is ebpf is very safe from an ecosystem perspective the second is that that it allows us to be very targeted because we can attach to any function call any system call any K probe anything that happens so if I look at this exploit Shield what is hypers Shield actually doing to stop this vulnerability it's blocking one process which is Java from opening a file in a single directory that we know is not a normal directory for the 
application to be using so the the critical thing here is that the odds of this compensating control having a negative effect on the running system are very very small because of the high level of precision right of the compensating control that we've put in place right and that's I think that's a theme we were talking about it's these fine grain controls that allow us to stop these new vulnerabilities in ways that wasn't possible even a few years earlier right and then we talked about digital twins right so whether this is going into the network path and we're going to test it in our dual data place plane or whether this is an ebpf policy and we're going to test it in our AI graph engine and model your actual function calls and system calls against the new version of the policies we're going to give you a confidence score of how sure we are that this compensating control is not going to disrupt the application from running normally as expected and then again automated or manual you click deploy and it starts roll rolling the shields out to your various systems what we've been able to achieve with this system is when a vulnerability is discovered we identify it in the ecosystem we find where your ecosystem is impacted we have built our own retrieval augmented generation system to automatically generate these compensating controls we then automatically can deploy them into your system and so for critical vulnerabilities the Leaky vessels the regression the xzs the big ones that you've heard about this year within 15 minutes of disclosure hypers Shield can protect you from exploitation in your network and that is completely transformative and obviously using AI we envision getting this to all of those thousands of vulnerabilities that are being disclosed every year all of the ones that are possible to block at the application Level right all of the server side vulnerabilities awesome Tom Craig thank you so much yep so everything everything that we just talked about 
that we've showed you this is all stuff that you can touch right now today right some of it's new and emerging some of it's mature and uh quite widely deployed but it's all stuff that you can touch today now I'm going to talk a little bit about sort of near-term Direction so if we think about hypers Shield as the control plane for a distributed analytics system where you're putting lots of little enforcement points into the fabric of the network and you have the ability to understand very fine grain detail of an individual flow where I want to think about who a user is I want to think about what is the status of the user's machine and I want to think about what process on that machine is initiating a flow and the same thing on the on the reive side I want to see what is the application and what process in that application is terminating the flow that level of detail is what gives us the ability to think about security controls that I believe would be an order magnit more effective we have this visibility into the process and the flow at at every point in your infrastructure the challenge is this can be two or three orders of magnitude more data than you're ingesting into a security analytics platform like a Sim today thousand times increase my dad used to always say son you can't have everything where would you put it and this is one of those situations we have this data the data exists but it's not practical to ingest all of this data so what we think about with the combination of Cisco plus Splunk is how do we take the powerful analytics of Splunk and rather than bringing all that data to the analytics how do we distribute it so we move the analytics closer to the data and if we think about this distributed system where we're putting dpus into the fabric of the network we're certainly not limited to a dpu in a switch form factor we could be putting a CPU or a GPU so whatever the flavor of silicon that's underneath there that can do the security processing it's 
going to allow us to do distributed analytics that can understand that east west traffic they can understand it at a process level at a flow level much more accurately than was ever done before without driving some gigantic ingestion bill because you're trying to suck all that data into a data Leake right so pushing the analytics out closer to the data wherever the data may live and that is what I believe is the most interesting part of the combination of Cisco plus blunk together so what we're talking about at Cisco is a vision forred security where it's much more fine grained much more distributed Central Management console multiple enforcement points and those enforcement points will change over time as you go through and refresh your infrastructure so it's a continuous movement with new enforcement points the polic never changes we're really excited about it thank you very much for taking the time where will you be in 5 years where will we be in 5 years in 25 in 50 let
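Two of the capabilities described in the talk above, the policy optimizer that flags redundant and shadowed firewall rules, and the shadow data path that replays production flows through a candidate policy before it is deployed, can be illustrated with a small rule engine. The block below is an added example written for this page; it is not Cisco or Hypershield code and says nothing about how those products are implemented. The rule model (source and destination prefix, protocol, destination port, action, first match wins), the rule names, and the "mirrored" flows are all constructed for illustration; a real policy would also carry zones, SGT tags and application identity.

```python
"""Added example: policy optimizer + shadow data path dry run.

Not Cisco/Hypershield code. The rule model (src/dst prefix, protocol,
destination port, action), the rule names and the mirrored flows below
are all constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None means any destination port
    action: str            # "allow" or "deny"


def rule(name, src, dst, proto, dport, action):
    """Build a Rule from prefix strings; rules are evaluated in list order, first match wins."""
    return Rule(name, ip_network(src), ip_network(dst), proto, dport, action)


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet that matches `inner` also matches `outer`."""
    return (inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst)
            and outer.proto in ("any", inner.proto)
            and outer.dport in (None, inner.dport))


def analyze(rules):
    """Find rules that can never be hit because an earlier rule covers them.

    Returns (rule, kind, covering_rule) tuples. kind is "redundant" when the
    earlier rule has the same action (deleting the later rule changes nothing)
    and "shadowed" when the earlier rule has the opposite action (the later
    rule's intent is silently overridden by priority order). Caveat: only
    single-rule coverage is checked; a rule hidden by the union of several
    earlier rules is not reported.
    """
    findings = []
    for j, r in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, r):
                kind = "redundant" if earlier.action == r.action else "shadowed"
                findings.append((r.name, kind, earlier.name))
                break
    return findings


def first_match(rules, flow):
    """Return (action, rule_name) for a (src_ip, dst_ip, proto, dport) flow."""
    src, dst, proto, dport = flow
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if (s in r.src and d in r.dst
                and r.proto in ("any", proto)
                and r.dport in (None, dport)):
            return r.action, r.name
    return "deny", "<implicit-deny>"


def dry_run(current, candidate, flows):
    """Shadow-data-path style test: run each mirrored flow through both the
    production policy and the candidate policy, and report only the flows
    whose verdict would change, with the rule responsible on each side."""
    changed = []
    for f in flows:
        old, new = first_match(current, f), first_match(candidate, f)
        if old[0] != new[0]:
            changed.append((f, old, new))
    return changed


# Constructed policy, in priority order.
RULES = [
    rule("allow-web", "10.0.0.0/8", "192.168.10.0/24", "tcp", 443, "allow"),
    rule("allow-web-dup", "10.1.2.0/24", "192.168.10.0/24", "tcp", 443, "allow"),
    rule("deny-ssh-from-guest", "10.50.0.0/16", "192.168.10.0/24", "tcp", 22, "deny"),
    rule("allow-ssh-admin", "10.50.1.0/24", "192.168.10.5/32", "tcp", 22, "allow"),
    rule("deny-all", "0.0.0.0/0", "0.0.0.0/0", "any", None, "deny"),
]

# Constructed sample of mirrored production flows: (src, dst, proto, dport).
FLOWS = [
    ("10.50.1.7", "192.168.10.5", "tcp", 22),    # admin jump host to the server
    ("10.50.9.9", "192.168.10.5", "tcp", 22),    # some other guest host
    ("10.1.2.3", "192.168.10.20", "tcp", 443),
    ("10.1.2.3", "192.168.10.20", "udp", 53),
]


def without(rules, name):
    """Candidate policy: the current policy with one rule removed."""
    return [r for r in rules if r.name != name]


if __name__ == "__main__":
    for finding in analyze(RULES):
        print("%-20s %-9s covered by %s" % finding)
    print("drop redundant rule:", dry_run(RULES, without(RULES, "allow-web-dup"), FLOWS))
    print("drop shadowing rule:", dry_run(RULES, without(RULES, "deny-ssh-from-guest"), FLOWS))
```

Running it reports `allow-web-dup` as redundant (covered by `allow-web`, same action) and `allow-ssh-admin` as shadowed (covered by `deny-ssh-from-guest`, opposite action). The dry run then shows the two kinds of change the talk distinguishes: removing the redundant rule changes no verdict for any mirrored flow, which is why such rules can be deleted without fear, whereas removing the shadowing deny rule flips the admin host's SSH flow from deny to allow while every other flow, including the other guest host, keeps its verdict via `deny-all`. In production the `FLOWS` list would be the live mirrored traffic rather than a constructed sample, and, as the analyzer's docstring notes, rules hidden only by the combination of several earlier rules need a set-based check that this example does not attempt.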
2024-12-26 00:06