Unveiling the new Zero Trust Access. Identity-first. Anywhere. - [Americas Session]

Bridge to possible. Humans and nature, we're in this together, but to keep coexisting we need to do more to protect our planet. Cisco Smart Building Solutions and our partners' technology can benefit both humans and nature, helping us make the best use of space and optimize energy consumption for the changing way we work, making connections that deliver power and enable automation, creating efficiencies that can help the workplace and the planet, and freeing teams to work from anywhere while creating engaging experiences thanks to AI-driven collaboration tools. Sustainability initiatives are part of powering an inclusive future for all. With Cisco Smart Building Solutions, we believe all businesses can better optimize their energy use. Between meeting human needs and a sustainable future, there's a bridge. Cisco, the bridge to possible.

At Cisco we believe inclusion isn't just the right thing to do, it's the innovative thing to do, because every invention, every improvement, every achievement, every small step and giant leap inside our company and in the history of the world started when a different perspective was invited, a different voice was elevated, a different opinion was accepted. To us, inclusion is progress, and it's why we're reimagining how people come together, changing the system, tearing down barriers, respecting and honoring each other's identities, promoting equality and fairness, using technology to create more opportunities, empowering a more inclusive future for each other, for good, for all.

A cyber attack can grind everything to a halt. Cisco Security keeps your network and your company moving forward, because if it's connected, it's protected. Cisco.

So what do you think here? Seven? It needs to carry 150, right? Yeah, should be perfect. Cisco's purpose is to power an inclusive future for all. That's why we're working with the APGA and the USGA to make golf more inclusive. Shot! Thanks, appreciate it. Thank you. We're teeing up tomorrow, because the more of us who play, the better golf is for all of us. Yeah, great putt, great putt, nice job, there you go.

A hacker doesn't always look like a hacker. A hacker's at home everywhere, comes in many forms. He's interested in everything. He can work alone, but with a crew, so much better. A hacker is free. With Cisco, protecting your business from cyber attackers is simple: if it's connected, you're protected.

At Cisco our purpose is to power an inclusive future for all, and in that future Mother Nature has a voice.

How have things been at work? It's Groundhog Day, you know, just always the builder, never the architect. The thing is, I've got ideas, big ideas about better products, new revenue streams, smarter investments, but the thing is I can't focus on any of that, because here I am, too busy, like, playing whack-a-mole all day. It's a lot of metaphors today. Thank you. So it sounds like you need a platform that drastically reduces the amount of confusion caused by zillions of analytics tools and focuses the data for you. Something that allows me to spend time thinking big picture. Something that would reduce the amount of app system errors, pinpoint areas of improvement, and proactively suggest fixes. Exactly. Why do you know that? Don't know.

It's a new day for the new era. AI is everywhere, so are we. We have the infrastructure AI needs and now the breadth of data AI craves. We'll use AI to help the world see more, do more, and we'll secure it like never before. You've all heard the AI hype; now you want AI's help. That's exactly what we'll give you. Cisco, making AI work for you.

Where will you be in 5 years? Where will we be in 5 years? In 25? In 50? Let's be here, and here, with her and him and they. Let's connect them. Let's connect everyone. Let's deliver technology that gives them access to power, opportunity. Let's set a new standard for data security and personal privacy. Let's change the system, promote equality and fairness in the workplace. Let's tear down the barriers to social justice for a more inclusive world. Let's clean
house, zero carbon, zero waste, because the health of our family is tied to the future of our home. Let's gather resources and partners, steer toward our greatest challenges, and accelerate for the benefit of all. Cisco has made it its purpose to power an inclusive future for all. Where will we be in 50 years? Let's go see. Cisco, the bridge to possible.

I'm Derek Shaw, I'm the CIO and CISO for HB Fuller. We have almost 8,000 employees, and those employees could be working from a hotel, they
could be working from a restaurant, from an airplane, from anywhere.

I'm Alan Anderson, the director of IT infrastructure engineering at s Coca-Cola, one of the largest, most recognized brands in the world. We've got a workforce of over 8,000 employees spread across 56 offices in 13 states. Our network is wherever our employees are, whether that be on an airplane traveling between sites or out on the road with our truck drivers, our merchandisers.

Jack Clutch, senior director for enterprise information security. We've got well over 130,000 users, whether those are full-time or contractors. We've got hundreds of thousands of devices, we've got millions of sensors. It's a really complicated world.

Hackers are no longer just hacking their way into systems, they're using stolen credentials. We need solutions that allow us to verify and validate the behaviors of the users.

To me, authentication and access are two sides of the same coin; they can't be thought of separately. The easiest way for an attacker to get in is to steal someone's credentials, unlock the door.

We have multiple IdPs in our environment for both our users as well as our customers. Each one of those has really interesting telemetry and data that we need to mine to really understand the behavior of those users.

You can't trust that a username and password combination is the person that you think it is. We really have to focus on what we do to guarantee that the person who's using the username and password is the actual person that is supposed to be using that username and password.

When we think about overlaying zero trust concepts into the IoT space, we leverage our ISE technology to profile those devices, segment those off from the network. For example, a connected light bulb should never be reaching out to Amazon.

The employee experience matters a lot to us, but also the IT experience. We have technology that, when we first implemented it, had a core set of functionality and features, and over time vendors have tried to add additional things to adapt to the way the world operates today. That has made that technology much too complicated to administer and to maintain. We've got to find solutions that are easier to manage.

One of the key pieces that I always talk to my employees about is simplify, standardize, and automate. The Cisco Secure Access client really embodies that by bringing so many parts and pieces into one simple client.

Zero trust is not a product. Zero trust is an architecture. It's about identity, access, and response. Not many vendors are able to pull all those things together.

People connect from their home, from a hotel, from an airplane, from anywhere, and we don't control that infrastructure. It's important that if we do have any type of disruption, we can recover from it quickly.

Our products are used to assemble airplanes, to assemble cars, to put roofs on new data centers. Our products are used in solar panels, in diapers, and to close wounds. If we're not able to produce our products, it will impact daily life around the world.

We have several production lines where we're producing the different beverages that we distribute, and each of these lines is producing 2,000 cans per minute. We can't afford to have a line go down.

The majority of our outages aren't from failed hardware, but from changes made by the users that didn't go as planned. Having the ability to validate and verify things before implementing them is a game changer. As we apply new policy, one of the things that I would love to have is the ability to go use synthetic data to test our policies to make sure we're not unintentionally breaking anyone. It's going to allow us to do something, frankly, that no one in the industry is doing today.

Success to me is when we're able to architect and engineer solutions that free up our time because they're working well. All of a sudden our teams are no longer playing firefighter every day, and they're able to innovate.

At the end of the day, my team's job is to help Cisco manage risk for all the
systems that we run on and keep from breaking the business.

We're rethinking our entire technology stack: what do we need moving forward, making sure that the employee experience is always an exceptional experience, to make sure that we keep our technology online so we don't impact life as we know it.

Hi, I'm Tom Gillis, I'm the general manager for security products here at Cisco, and I'm going to talk about some advancements we've made around zero trust access. Now, virtually every customer I talk to already has some sort of a zero trust network access initiative in place, so the story I'm going to tell you now is maybe something you've heard before, but we just wrote it.

Now, I'm a car buff and I like to think about the auto industry. You see one manufacturer leapfrog the other: one introduces the turbocharger, then we see anti-lock brakes, then we see keyless entry, then we see electric vehicles. So it's just this constant series of innovations. The same thing is true in the security industry. I'll argue that Cisco was an early mover in this space with our OpenDNS and Umbrella service, and then some of our competitors came out with more integrated, web-proxy-based solutions. What we've introduced with Cisco Secure Access is another leap forward ahead of the competition that has some really unique capabilities. I'm going to describe them.

So it all starts with the endpoint. We have a single client with multiple functions, and really, I think one of the more interesting things that Cisco has done is we took our traditional VPN client and a modern zero trust client and we fused them together. Now, we also added a lot of observability and security functionality, and I'll get to that in a little bit, but let's think about the core function of providing zero trust network access. This integrated client allows us to make the tagline that the company that brought you the VPN is killing the VPN. Now, we're not actually killing the VPN, but what we have done is we have turned this client into a transparent connection broker. And so if your employees are accessing a modern app that's in a zero trust framework, it will open an HTTPS connection and terminate that in the zero trust gateway. But if it's a traditional app that needs VPN support, it will open an IPsec connection and terminate that either in a premise-based concentrator or in a cloud-delivered service. Or if it's a SaaS-based app, it will open a connection to the SaaS app and do a SAML assertion for single sign-on. The point of this is that the choice of protocol and termination point, that's plumbing. We're plumbers, so let us handle that. All the user knows is it just works: a great end-user experience right out of the box on day one.

And this is something that many customers have said to me is a real point of friction. They've tried to put in a zero trust solution and retire their VPN, but they find they can't, and there's a reason for this. The reason is, for almost every company in the world, we've been writing applications that power the business, and those applications have been built over the course of 20, maybe 30 years, and those applications were all built in what I'm going to call the original network model. The original network model says there's a trust boundary, and when you're behind the firewall you go directly to your application. Now we want to implement least-privilege controls that would say IT people can go to IT apps and sales people can go to sales apps, but you don't want sales people in the IT apps, right? Kind of common sense. The way every vendor out there implements this is they have this thing called an app connector. An app connector is a fancy name for a web proxy, and what we see is that when you implement this approach for all those different applications you have in your enterprise, about a third of the time, when you stick a proxy between the user and the application, it breaks. And it breaks for a number of different reasons. It breaks if the application is expecting to see the IP address of the client, because it won't, it'll see the proxy. It breaks if it's multi-channel, like SAP. It breaks if it's peer-to-peer. But my favorite category is, like, I don't know, it just breaks, because the app was not written to talk to a proxy; it wasn't tested and developed to talk to a proxy.

So by fusing together traditional VPN and these modern zero trust capabilities, we, the Cisco Secure Access solution, will meet you where you are on your journey to zero trust. So one by one you can start to move applications into this zero trust, least-privilege framework, but all the user knows is it just works. Nothing changes, right? That great end-user experience is delivered on day one, and bit by bit you can go and put tighter and tighter least-privilege controls in place around your applications. What's even better is, if for some reason the zero trust access fails to connect, it can fall back to the VPN access, so you have a very, very robust solution with redundancy built in, all from a single vendor. And we're able to do this because not only do we have this unique integrated client, we built a completely new architecture in our PoPs. So it's a hybrid architecture that'll run either in the public cloud, in our hosted data center for private cloud, or, really interestingly, in your data center as an appliance. It's optimized for connectivity, so very high performance connections, it's all done in a single pass, and it has very low latency. All that stuff adds up to a great end-user experience. And because we built this on the back of Cisco's VPN, it has very, very broad support for pretty much every device that you could imagine that wants to access enterprise applications. This is particularly true of mobile devices. So with both Apple iOS devices and Android devices, we have worked with those vendors to integrate this functionality into the device itself. You don't need to download a client or a special app. There's a little button on there, you just turn on private relay and it'll automatically
find those ixes, connect, and all the user knows is it just works.

Now, what's even better is many customers are thinking about, I've got a combination of managed devices where I can put a client, but I also have unmanaged devices where maybe I can't put a client. And here we're doing something really innovative. We're working with Google and Google Chrome to be able to take advantage of the advanced security capabilities that are native in Chrome. So there's a segment of the industry that is saying, hey, I want to create a special version of Chrome that I'm going to call an enterprise browser and put those security features in. And what we're saying is, I don't think the world wants an enterprise browser, I think the world just wants a browser. So you can just use the same old Chrome that you know and love; it has all your bookmarks and all your settings. For temporary workers, for unmanaged devices, it's a very, very powerful and very, very complete set of solutions. So any device, any access, any operating system, managed or unmanaged, we've got a great opportunity.

So we are plumbers, right, and we manage those connections in a smooth and seamless way. But because we see the connections in great detail, with great context, we also know an awful lot about the security of those connections. And one of the most interesting things we look at is who is the source of origination of a particular network connection. This is important because identity has become a major attack vector, and I like to think in the industry identity has become the new spam. What I mean by this: it is a ubiquitous problem and it's a hard problem to solve. In fact, our incident response teams last year, they said 80% of the attacks that they saw involved a stolen credential or session hijacking. And so the tagline we say is attackers have figured out, why bother hacking in when you can just log in? And so traditional security solutions that are out there, all these zero trust solutions that people are trying to implement, they're really not set up to solve this very hard problem, because they're built on a concept of blind trust. Once you authenticate, once you have a password, you get access to the network and away we go. So how would a solution like that stop an attacker that has stolen a user's password? They have a legitimate password; they move right through the network.

In order to stop this problem we have to look more intelligently at both the user, who they say they are, and what they're trying to do. And this is what we do with Cisco's Identity Intelligence. It is a very unique system that is constantly assessing, are you really who you say you are? And if we see flags about some sort of unusual behavior, we look for ways to make sure: just tell me that it's really you, Tom, I really want to know that's you. And then on the other end of the wire we look at what is it that you're accessing, and if we see things that are unusual, again we're going to say, let's make sure it's really you and it's not an attacker with the stolen credential.

So when we think about doing identity-based security, one of the immediate problems customers have is they don't have a single source of identity. In fact, it's a hodgepodge. It's all these different puddles of identity that exist in multiple different identity stores. And what Cisco does fairly well is we've created an abstraction layer that sits on top of that. It's actually a graph database, so we pull in identities from all these heterogeneous, different sources, and we know who you are, what device you're on, and what applications are out there. And we're constantly monitoring this in real time, so we can see activity that would say, here's a user that's accessing this application from this machine, and doing it in a way that makes sense. This is how these patterns emerge.

Let me give you a real-world example of this. So let's think about Samantha. Samantha is an administrator at a hospital, and Samantha has a login. It's a login with a legitimate password, so her trust score is very high. Now all of a sudden we see that Samantha has access to a policy change where she's going to put herself into an executive group with extra privileges. This trust score drops to neutral. Now with those privileges she logs into, oh, I don't know, a customer database. Trust score drops: very, very bad. That's a pattern that doesn't look good. If you saw only one of those transactions, it's going to look legitimate, but when you correlate them together, that's when these anomalies stick out like a sore thumb.

Now, the focus tends to be on people: let's identify users that are doing things that are bad. But we often forget that things are people too. What I mean by this is that things can be used to compromise a network, and they too need to have zero trust access. So let's imagine a world where a camera suddenly finds a printer that is very vulnerable, really not protected, and it's got a little operating system. And so the camera finds a way to connect to the printer, the printer has rights to get to the HR system, that system can access the customer payroll. That's incredibly bad, right? But one of the things that Cisco does, I believe, very uniquely is we apply packet tags to all of these unmanaged, non-human devices, and so it allows you to create segmentation of the network so that the camera can talk to the camera app, the printer can talk to the printer app, but you certainly don't want a camera talking to a printer or to any of your customer databases. And so putting in place zero trust for objects and IoT devices and things, I'll argue, is as important or possibly even more important than doing it for your employees.

So the way to think about all of these authentication technologies is that you've got this big, strong entry into your network, but if you don't understand who a user is and can't analyze these identities, you're trying to secure that huge door with a paperclip. And so one of the things that is really unique about Cisco Secure Access is that we have this smart
authentication that we inherited from our friends at Duo. And Duo has a vision of modern authentication that is very focused on frictionless access. It makes extensive use of biometrics, it makes extensive use of understanding who you are, and it also understands what workload you're trying to connect to. And one of the areas where we uniquely shine is that a customer says, I want these zero trust privileges everywhere, I want to use multi-factor authentication, but I want to use it on a legacy application that doesn't support MFA. We can wrap that with a wrapper that allows us to implement multi-factor authentication on top of a legacy application without making any changes to the app. It's these types of details that make that Duo technology so beloved by customers and so powerful.

Now, another capability that we've implemented is what we call Duo Passport, and this is again a unique capability in the industry. Passport allows us to authenticate at the OS layer. And so what this means is, if that nurse were to go access a web-based application, we will ask that person to authenticate one time, and then if they launch a thick client, let's say an Outlook client, we recognize that, hey, nothing has changed on this machine, we're not going to ask that person to authenticate again. And so authenticating at the OS layer creates a very, very good end-user experience. But we're constantly monitoring it, so that if something changes on that device, all of a sudden we notice host-based firewalls just had a configuration change or they were turned off, that's interesting, right? We're going to notice that. We're going to say, hey, wait a minute, user, is that really you? Or if that device's posture doesn't change, but we notice it changes location, let's imagine she had a coffee break and went down to the local Starbucks, turned the machine back on, we can detect, hey, it's in a new network, we're going to ask her to reauthenticate one time, okay, and then it's off to that frictionless experience. So the goal here is to frustrate the attackers but not frustrate the users, and I think this is something that Cisco with Duo does beautifully well, and we've integrated all this capability into Cisco Secure Access.

So if you think about that analogy of car companies jumping one ahead of the other, I will argue that Cisco's fusing together of a VPN and zero trust into one single, smooth solution is a leap ahead of the competition. So the industry talks about zero trust network access, but I believe with these capabilities integrated into that endpoint, we can talk about both zero trust and zero downtime network access. Let me explain. So we're very focused on delivering a great end-user experience, and we measure it, so we can tell you if there's a problem: does that problem reside on the client, is it a problem with their Wi-Fi, is their broadband provider having a bad day, is there a cable cut deeper in the network, or maybe Amazon or their data center is having an outage. Not only can we tell you this problem is happening, we can pinpoint it: is the problem with the browser, is the browser behaving badly, or is the problem in the network infrastructure. The whole point of this capability is that we can show you exactly where that problem is occurring, both on owned and unowned network infrastructure. So if it's a network that you don't own, we can still identify exactly where the trouble spot is. We also have historical performance analysis, so we keep track of this behavior over time, so it can help you to troubleshoot, understand what a normal baseline is, and then look for anomalies. What I think is particularly interesting about this ThousandEyes client is it allows you to rapidly determine: is there a problem in the network, or is it a problem in the application? And this allows you to achieve, rapidly, mean time to innocence, figuring out where the problem is so that you can go ahead and rapidly resolve it.

Now, the same integrated client also has very unique security capabilities. With every single connection coming off of a device, we can see which process initiated that connection. And the capability I'm going to describe is available, it is in market, but it's still, I'm going to describe it as young. We're still maturing and refining it, but it is transformative in what it can do. So if we see a process on a machine that, let's say, for example, has just spawned out a PowerShell, and the EDR that's running on that machine says, hey, we've never seen this process before, let's imagine that there's a 10% probability this process is malicious. When that process goes to make a connection to the network, we see in real time what application it's connecting to. And so what we're able to do with Cisco XDR is we integrate with your backup vendors, they all have APIs, and we will say, look, at a 10% confidence there's no way we're going to block that connection. In fact, we're not even going to alert on that at 10% confidence, because 90% of the time we're wrong. But a snapshot, computationally, is almost free. And so what we do is we say, huh, that was a funny-looking connection on a funny-looking machine connecting to a customer database, let's take a snapshot. So we back up that machine and then we watch, and if it turns out, oh, that was just a Windows update, well, we took a snapshot and we didn't bug anyone, we throw it away. But if it turns out that was ransomware, then we just backed up, arguably, before one line of encrypted data could be written. So what this effectively is, is it is like a vaccine for ransomware. Yes, you might have had an infection, but you didn't get sick, because we were able to automate that ransomware recovery process. And this is what we mean when we talk about digital resilience.

Now, all of this is built around the idea that Cisco is doing what Cisco does particularly well, which is leveraging the power of the network. So let's take a step back and zoom out and think about how this architecture works broadly. Security used to come in a box, and that box used to live in a place in the network
that we called the DMZ, right, the perimeter. And what we've effectively done is we've taken the functions that lived in that box, we've defined them in software, and we've broken them into hundreds of thousands or even millions of pieces. Let's think about how we break them: for services to protect a user, differently for services to protect an application, okay? We break them up and we distribute them. If it's a user, we want to be close to that user wherever that user may be, so we distribute them in hundreds of points of presence around the internet. But for protecting an application, I want to put security controls right next to every VM, every Kubernetes cluster; in fact, every switch port gets its own little mini security stack, and so there we can create hundreds of thousands or possibly even millions of these distributed enforcement points. This is our vision at Cisco: putting security into the fabric of the network.

Now, for secure access, what this translates into is a network of points of presence where security enforcement happens. So we break the security enforcement up and we place it into hundreds of points of presence close to the end user, wherever the user may be. In each one of these points of presence we run a host of services in a very integrated fashion. We have what we call essential security services, and frankly, these are the same services that you'll find from some of our competitors. But what sets Cisco apart is we have a very rich set of extended services, services that go into advanced security services that look at observability and reachability, all the networking and assurance capabilities that I've talked about, all integrated into this single stack that we put in our points of presence.

There are two services that I want to call out because I think they're unique. The first is we have remote browser isolation. This is a very, very powerful capability, because it puts effectively an air gap between a user's browser and the executable code that's running in a website. So it has a very, very, very high level of efficacy; it's effectively a 100% catch rate. We've integrated this into the solution for security-conscious applications. The other is we've put in security for AI applications. So understanding the queries that are being made to the APIs for AI-based apps is an increasingly interesting area for us, and we're able to safeguard your intellectual property by understanding and speaking AI. So those are just two really special capabilities that we have in each one of these points of presence.

So at this point I'd like to introduce our CTO, Craig Connors, to talk a little bit more about this architecture and how we can achieve these magical goals. Craig?

Hey, thanks, Tom. Let's go through those four architectural precepts that you called out earlier in your presentation: our hybrid PoP architecture, our optimized connectivity, our low latency, and our single-pass pipeline. And it starts with the PoP architecture. So we have a cloud-agnostic PoP architecture that allows us to bring security closer to the user rather than backhauling the user to security. A lot of vendors choose one way of deploying their PoPs: it could be in private data centers, could be in service providers, could be in the public cloud. Only Cisco Secure Access stretches across all of these with a modern Kubernetes-based solution that is both flexible and horizontally scalable.

Now, we optimize the connectivity to those points of presence in a very unique way. First, from the user to the PoP. Now, we do this with socket intercept, and what socket intercept allows us to do is essentially take over the packet from the operating system. Tom talked about transparently having multiple connectivity types and Cisco handling the plumbing, and that's what happens here. Because both VPN and ZTNA are integrated into the same client, we use this technique called socket intercept: we take the packet over, and if ZTNA is working for this application at this time, we're able to use the ZTNA proxy to access that application. If it's not working, we're able to automatically fall back to the VPN client that's part of Cisco Secure Client, so the user doesn't have to think about it or do anything. We can automatically fall back to that VPN use case, because we all know sometimes proxies just don't work. Tom, I'm sure you've heard this from customers yourself.

I sure have. And in fact, Craig, many customers have said to me, in order to achieve their digital resilience, they're looking at implementing two zero trust vendor solutions side by side and looking for some sort of, like, failover. That is a very, very difficult thing to achieve with two vendors: very hard to manage, policies are inconsistent, and there's no graceful failover. What we're talking about here is a solution that can achieve digital resilience with this built-in failover, all from a single vendor.

And then on the other side of the PoP, from the PoP to the application, Cisco's got a global network interconnecting more than 1,100 BGP ASNs that provides optimized performance across providers, cloud interconnects, and different SaaS application services. So think about a user in London accessing a private app in San Jose. They get that optimized connectivity from their device to the London point of presence, and then they take advantage of Cisco's optimized networking to reach from London all the way back to that private application running across their SD-WAN network in San Jose. They get all of the network optimization and all of the security services, all bundled into one.

The third precept, low latency. So Cisco has a global anycast network of DNS resolvers running across our 45 edge data centers, and these are recursive resolvers that are running OpenDNS cache. This is something that we have optimized for nearly 20 years of operating at scale, and we do this with native encryption support, so you're not trading off performance for security. You're getting a higher, more effective, and more efficient DNS connectivity that is fully
encrypted natively we also deliver low latency using modern protocols for proxying the traffic so Cisco has been active in the ietf and an early adopter along with Google Apple and meta uh and others of some Modern protocols quick which is a tunneling protocol and mask which is a proxy proxying protocol that we run inside it if you think about most ztna solutions today they're built on Legacy VPN Technologies it's only Cisco that is built on leveraging these modern protocols that allow us to deliver lower latency and more resilience in lossy environments by delivering this connectivity using mask and quick now if you've experienced the frustration of trying to connect to a VPN on something like an airplane where the latency is really high you know why this matters Craig you know it's funny you mention this I was recently on a trip with our head of product management he had the new secure access and beta form I was running older software and we both needed to access the same document and you know that the experience of accessing the internet from a plane it's kind of sketchy right it's it's at best it's not great and at worst it's a disaster so side by side he was able to load the document mine never actually loaded so you know his loaded in a pretty timely fashion so that's just one little data point not exactly a scientific test but I'm telling you I watched this thing work and it took that airplane connection and made it usable right is that magic yeah and that's the power behind Quick and mask Tom and the reason it works is because the negotiation overhead is lower so the number of exchanges required to do a handshake for every proxy connection has been reduced and optimized inside these protocols and that means that it takes fewer round trips to log in it takes fewer round trips to pull up that document on an airplane and when you have really high latency connections like like those satellite connections on airplanes that makes a big difference it also makes a 
big difference in collaborative applications like Microsoft 365 lots of SEC vendors will tell you bypass the proxy when you're accessing Microsoft 365 because the latency will hurt your connectivity that's not true with Cisco secure access because of the advancements in these protocols even Microsoft 365 works just as well running through secure access as if you were accessing the application directly so this is why quick is so great for remote users wherever they are but of course quick is a new emerging protocol what happens if Quick's blocked in the network no problem Cisco secure access simply falls back to TLS so we still provide the same level of connectivity and and compatibility that our competitors offer but only as a fallback when these new modern highspeed protocols don't work the last piece I want to touch on is our single pass pipeline much more efficient way of delivering Security Services to run them in parallel versus running them sequentially often times not only our services run sequentially but we end up decrypting and reac crypting packets at each hop along the pipeline and that means that not only do I have high latency and inefficiencies in running through these services but often times depending on the way the traffic comes in whether it comes in through ztna or VPN or direct direct through an internet proxy we're able to offer different Services we're not able to offer a consistent security experience and so what we do is a single pass that allows all the different access types to get the same set of Security Services again executed in parallel we take this one step further by building it on top of Cisco Vector packet processing this is technology originally developed by Cisco of course it's open source this is how we build modern highspeed pipelines in software and so if you think about vendors that have told you 250 megabits per tunnel 400 megabits per tunnel one gigabit per tunnel these can be really big limitations when you try to drive 
Enterprise scale security through your network so Craig these capabilities are amazing but we all know in Security Management is the name of the game talk to me about how do we ma integrate the management experience yeah so everything that you've heard about today is integrated into a single Management console all of the security features as well as the digital experience monitoring with thousand eyes and that means that capabilities that some vendors require as many as seven consoles for you to manage we're delivering out of a single pane of glass Craig it's it's that integration that I think is so interesting and this is very much a trend in the industry you cited maybe it was seven different products that you would need to achieve the result you get with secure access you know as I keep count I think it might have been 9 10 11 different products each one of which have to be managed separately and we do all of that with a single integrated solution that we call secure access but our integration doesn't stop there we've integrated secure access in with our sdw Solutions so if you want a single sassy solution we have both Advanced security capabilities we've been talking about and our sd1 cap cap abilities with integration like common policy objects so if you set up a VLAN in your sdwan you can read that in your secure access console and then taking it one step further we're integrating observability from Splunk so you have a complete solution that looks at security networking and observability and really focuses on delivering better outcome with greater operational efficiency okay so let's go back to that analogy I talked about car compy jumping across one versus the other and then I talked about with the things we're doing with thousand eyes imagine we could make a car that would fly well I think the next Frontier that I'm going to talk about would be making a car that could go into space now that's a long ride to go into space but I think that we could actually 
do this so we talked about the really powerful and strategically important aspects of this unified client it's a single client that does VPN it does zero trust it does all that posture checking it understands who you are as a user it does the Thousand eyes digital experience monitoring but what it also does which I think is really interesting is it provides deep insight into the behavior of the endpoint itself and allows us to correlate that with behavior that we see on the network remember I talked about every single connection coming off a laptop we see which process is initiating that connection and we see a bunch of stuff about where did that process come from has it had a privilege escalation uh what is the parent process we see that both on the laptop and with what we're doing with hypershield and our investments in psyllium and ebpf we have that same level of visibility on the server and I'll argue there are few if any companies in the world that have that endtoend view where we can see in great detail what's happening from the user side to the application side at that process level so when we think about the problem that we're trying to solve in security with a Sim Zer trust says you have to assume that your network is compromised and these days that's a pretty good assumption so assuming that the attackers are already in your network identifying lateral movement is the name of the game and having the ability to see who you are as a user what is the status of your device and most importantly which process is initiating a connection both on the send side and the receive side that is very high fidelity that will allow us to identify lateral movement I'm going to argue an order of magnitude a Leap Forward versus any other security analytics platform in the industry here's the challenge that much data could be a 100 or possibly even a thousand times three orders of magnitude more data than you're ingesting today and so it's a little little bit of a story my dad 
used to always say son you can't have everything because where would you put all that stuff right so we have all this data but you simply it is not practical to stick all of that data into a single data Lake for analytics and so what we're working on together with the Splunk team is we're taking those analytics and rather than moving the data to the analytics we're defining them as software breaking into pieces just like we did with firewalls right breaking into pieces and we're moving the analytics closer to the data so by infusing the analytics into the fabric of the network and taking advantage of this array of increasingly intelligent distributed processing that resides in the network fabric we can identify that lateral movement of an attack far more accurately than any other combination of companies in the industry yes this is a future capability yes these are some very hard computer science problems that we're trying to solve but I will argue that they are solvable and this unique combination of Cisco plus Splunk this is really our mission is to go solve this problem and identify lateral movement of an attack now a key asset that we have on our side is our deep understanding of threats so our Talos threat research team has more than 500 very technical threat research people we use AI to process all of this information we have more than 800 billion events per day coming in and this gives us the context to figure out friend from fo so the goal here is to take this Advanced security capability Leverage The Power of the network make sure that you're delivering a better security outcome and at the same time a great end user experience because we want our it and security customers when you go to the company picnic we want you to be a hero we don't want you to be the one sitting off of the side we want you to be the one that says look I delivered a better end user experience and a user experience that users will cheer and at the same time you can ensure that you're 
keeping your infrastructure and your data safe from these sophisticated attackers Cisco secure access is this integrated platform that pulls all these pieces together thanks very much for listening let's gather resources and partners steer toward our greatest challenges and accelerate for the benefit for all Cisco has made it its purpose to power and inclusive future for all where will we be in 50 years let's go see Cisco the bridge to possible humans and nature we're in this together but to keep coexisting we need to do more to protect our planet Cisco smart Building Solutions and our partners technology can benefit both humans and nature helping us make the best use of space and optimize energy consumption for the changing way we work
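The low-confidence snapshot policy described in the talk (no block, no alert at 10% confidence, but a cheap snapshot when a suspicious process touches a sensitive application, later discarded if benign or kept if it was ransomware), as an added Python sketch that is not Cisco's code or any product's logic: the thresholds, the sensitive-application list, the event fields and the sample events are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed thresholds (assumptions, not a vendor's values). Below ALERT_MIN we
# stay silent, since most such verdicts are false positives, but a backup
# snapshot is cheap and reversible, so we still take one for sensitive targets.
SNAPSHOT_MIN = 0.05
ALERT_MIN = 0.50
BLOCK_MIN = 0.90
SENSITIVE_APPS = {"customer-db", "payroll", "backup-catalog"}  # constructed


@dataclass
class ConnectionEvent:
    """A process-attributed outbound connection as an endpoint client reports it."""
    host: str
    process: str
    dest_app: str
    malicious_prob: float  # the EDR's probability that the process is malicious


def decide(ev: ConnectionEvent) -> List[str]:
    """Map EDR confidence plus destination sensitivity to a list of actions."""
    actions = []
    if ev.malicious_prob >= BLOCK_MIN:
        actions.append("block")
    if ev.malicious_prob >= ALERT_MIN:
        actions.append("alert")
    if ev.malicious_prob >= SNAPSHOT_MIN and ev.dest_app in SENSITIVE_APPS:
        actions.append("snapshot")  # silent, cheap, reversible
    return actions


class SnapshotLedger:
    """Holds snapshots taken on suspicion until the EDR reaches a verdict."""

    def __init__(self) -> None:
        self.pending: Dict[str, str] = {}   # host -> snapshot awaiting a verdict
        self.retained: Dict[str, str] = {}  # host -> snapshot kept for recovery
        self._count = 0

    def observe(self, ev: ConnectionEvent) -> List[str]:
        """Apply the policy to one event; record any snapshot for a later verdict."""
        actions = decide(ev)
        if "snapshot" in actions:
            self._count += 1
            self.pending[ev.host] = f"snap-{self._count}"  # constructed id scheme
        return actions

    def resolve(self, host: str, verdict: str) -> Optional[str]:
        """'benign' discards the pending snapshot; 'malicious' keeps it."""
        snap = self.pending.pop(host, None)
        if snap is not None and verdict == "malicious":
            self.retained[host] = snap
            return snap
        return None
```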

2024-10-09 22:09
