 Live from Barcelona, Spain, it's theCUBE. Covering Cisco Live 2020. Brought to you by Cisco and its ecosystem partners. Welcome back to Barcelona, Spain, everybody. This is theCUBE, the leader in live tech coverage, and we're here day one for us at Cisco Live Barcelona, even though we did a little game preview yesterday. My good friend Ken O'Reilly is here. He's the director of customer experience at Cisco, and he's joined by Kyle Winters, a technical marketing engineer for the customer experience technology and transformation group at Cisco. Guys, great to see you, thanks for coming on. We love talking customer experience. Cisco is a big company, big portfolio, there's a lot of complexity for clients, and so bringing it all together and customer experience is very important. Ken, we had a conversation with Alistair early today, and he was talking about Cisco's commitment from the top, Chuck Robbins on down, to really improve that customer experience, bring essentially a digital virtual experience to your customers, and you guys obviously fit into that. Right, absolutely, so about two years ago when Chuck brought in Maria Martinez, that was the first step into really pushing Cisco to focus more on successful outcomes for customers. So we had already always sold that way, but with the complexity of technology and how fast technology is moving, accelerating value realization for customers has never been bigger, especially in the security space, because as we've talked before, with everything that goes on today and the fact that the bad guys are trying to get data faster, quicker, and different, getting the technology in play, operational, and production has never been more important. 
And we're going to dig in with Kyle with some detail and double click into the life cycle specifically and the different points of that journey, but that's really important for any customer experience, is really understanding that life cycle, that maturity model, can you talk about that a little bit? Yeah, so with us, you know, we've been at it for about six years when we started as Lancope. So we've got a great model, and you know, our approach to getting outcomes for customers is completely in line with the strategy of our products and technologies and all of security. So it's really important that you align with that strategy because salespeople sell, and they sell you the what. We sell the how we're going to get you. And so you have to understand what it is that customers need and how that technology maps, because you don't want shelfware, and you don't want products or technology sitting there waiting to be implemented because, you know, these days, especially with the move to the cloud, it's got to get up and running, you know, within an hour. So our model has always been that way. We built our model with customer first, and so we are, you know, we are the security experts. We're the trusted security advisors. So when we go in and work with customers, we completely know exactly those outcomes that they need, and with all the sort of technologies and products that we have, not only with StealthWatch, but the other products that send telemetry to us, we have, and Kyle will talk about, how our services completely align with those outcomes and the journeys that we will take our customers on. Yeah, so faster adoption means faster time to value, obviously. Let's focus in on StealthWatch. You came in with the StealthWatch acquisitions, been very successful. I mean, Cisco's security business grew 22% last quarter. We'll talk more about the sort of umbrella, but let's drill in with Kyle to StealthWatch services specifically. 
Maybe you could sort of take us through, you know, at a high level what the areas are, and then we can sort of follow up on individual aspects. So our customer maturity model, when it comes to services, there's kind of three different stages to it. It starts with the visibility stage. So we have services around being able to deploy and operationalize StealthWatch. We'll bring in our best practices and help customers get up to speed and using the system quickly and efficiently. From there, we also have services around detection capabilities. So being able to use automation and integrations to further the detection capabilities of StealthWatch. Things like being able to classify host groups through automation from sources like IP address management systems. Things like asset discovery and classification service that help drive segmentation efforts. All of these things help improve the behavioral algorithms and processes that StealthWatch is using to detect these threats in real time. And then from there, we have an integration stage as well too, which is all about bridging the gap between StealthWatch and the rest of not only Cisco's portfolio, but the entirety of our customer security portfolio as well. And some of those services include things like SIEM integrations, being able to integrate StealthWatch with Splunk. We have services such as our proxy integration service as well, a lot of different types of services that we're able to help get our customers to the next stage with their StealthWatch environments. All right, I got a lot of questions. So maybe we can take it to it and you guys can help us understand. So let's take it by stage. So you have the sort of visibility. That's where you start. That's where you do the discovery, right? So what are you discovering? How do you actually do that discovery? 
So a lot of that is about making sure that we've got all the flow and telemetry that we need from the various different sources of our network coming into StealthWatch, feeding into the processes and algorithms that are going on there. So a lot of things is not only NetFlow data, but getting ISE integrated in there as well, being able to pull that user attribution data in, being able to find sources of data where we maybe can convert it into NetFlow if it's not already NetFlow and be able to ingest that data as well. We also, in that phase, typically too, help set up customers with a lot of different best practices that kind of get them operationalized very quickly. And things like being able to build custom reports and dashboards for them, we'll work through them which is kind of understanding the system from a base level to more of a professional, fully operational level. A lot of times we come in during the stage too and customers don't even understand what's going on in their network. They're seeing things that maybe they've never seen before once StealthWatch turns on. A great example actually is we were at a large financial firm and we were able, within 30 minutes of being on site with them through our services team, we were able to identify rogue DNS servers, unsecured telnet going on, SQL injections, suspicious SMB and SSH traffic. This is all just within 30 minutes of us coming on there and taking a look at this. All the stuff you don't even want to look at sometimes, right? So who's doing this, Ken? I mean, is this sort of automated? You got professionals sort of overseeing it? From our side, yeah. So the team that we have, the technology transformation team, when we've talked about it before, that team is kind of on the bleeding edge of helping customers. And a lot of these services that Kyle talked about is we are building services that customers are consuming based on their needs today. And that's why the team is very flexible. 
We build a lot of these integrations with those requirements in mind. And then we take those and we can scale that. So these are all field engineers. We have developers. So in essence, it is like a mini development team that goes out and works on the specific things that customers need to protect themselves. Okay, and my understanding is there's an ongoing learning with the customers. It's sort of a transfer of knowledge from day one, right? The customer is with you in each of these phases and they're sort of learning as they go along. That's sort of part of the transfer of knowledge. And I would say even a two-way transfer of knowledge too because we're teaching them our best practices and how to best be successful with these systems. But we also learn from them what's going on, what are the trends that they're seeing? How can we help get them to the next stage? And that's where our technology and transformation group comes in. They're able to be on the cutting edge, hear the problems that the customers are talking about and be able to take StealthWatch to the next level. Okay, let's dig into the detection phase. This is where you're classifying things like host groups, et cetera. I'm interested in how that happens is that, you know, it used to be you'd get everybody in a room and you'd start drawing pictures and that just doesn't scale. It's too complicated today. So can you auto-classify stuff? How does that all work? Are you using like genius math to do that? So traditionally, it's a manual effort to classify your host group. Somebody who's very familiar with the network comes in and they say, okay, these are the DNS servers. These are the web servers. These are the network scanners. Joe, oh, Joe's out just today, this week, can't do that. But the problem is that today's networks are so dynamic and fluid that what the network looks like today is not necessarily going to be the same tomorrow. 
So there needs to be that relief from an analyst to be able to come in. There needs to be that automation that they can go in each day and know that their system is going to be classified accurately and meaningfully. That way, the behavioral detection that is built into StealthWatch is also driven and accurate and meaningful too. So we have this service, for example, our host group automation service. And through that, we're able to pull in telemetry and data from various different sources, such as IP address management systems, CMDBs. We can do threat feeds as well, external threat feeds. And we're able to drive the classification based off of the metadata that we see from these different sources. So we're able to write different types of automation rules that essentially pull this data in, detect the different patterns that we're seeing with that metadata and then drive that classification in StealthWatch. That way, when you come in that next day, you know that your network scanners are going to be classified as network scanners and your web servers are going to be web servers, et cetera, et cetera. So you got that integrity of data coming in every single day. Yeah, so a lot of different data sources, data quality, obviously really important. I mean, you'd love it if somebody had, like, you know, a single CMDB from ServiceNow, boom, pop it right in, but that's not always the case, right? It's never always the case. There's always a challenge and that's where kind of our services engineers come in, they're able to work through these different environments and understand what the metadata is, where we need to go and how we need to classify and drive that classification from there. So it does require a little bit of a human element on the front end, but once we get it worked out, it can be fully automated. You know, there's lots of different sources and the quality of the data is not always there. 
We've seen, for example, customers who have Excel spreadsheets and everything is just all over the place and we have to figure out a way to work with that and that's part of what our engineer success is. So before we get to the integration piece, Ken, you've been following this industry for a while. Security is really exciting space. It's growing like crazy. It's really hard. I did a breaking analysis piece a few weeks ago just talking about the fragmentation in the business. You see startups coming out like crazy, big valuations. At the same time, you see companies like Cisco with big portfolios. You mentioned Splunk before, they've kind of become a gold standard for log files, but very complex and you talk to security practitioners and they'll tell you our number one problem is just skill sets. So paint a picture of what's going on in the security world and how Cisco is trying to address that. So the security teams, the analysts all the way up the management chain to the CISO, they're under tremendous pressure. Their businesses are growing and so when their businesses are growing, the sort of attack space is growing and the business is growing faster than they can protect it. So with the sort of increase in the economy, more money, more investment to build more point products. So you've got a very stressed team, a lot of turnover, skill sets aren't great and what do we do as an industry? We just give them more technology, right? More tools. More tools, complexity avalanche, okay? They're buried, all right? So we feel and we've made great strides within the security group within Cisco is we're taking the products that we have and we're integrating them under one platform so that it isn't a bunch of point products. And so that the, and that's what everybody else is doing. I mean, the other guys are acquiring companies and they're trying to integrate those because the customers are saying, I don't need another point product. Uncle. Yeah, yeah, it's too much. 
So, you know, with us, that's the way we approach it. And now with the platform that's going to be launching this year, the Cisco Threat Response that we've launched, you're going to see later on in this year that we will be selling and positioning and implementing the entire platform. Yeah, so I gave a stat, I came up with this in one of my analyses. The worldwide economy is like 86 trillion. And we spend about 0.014% on security. So we're barely scratching the surface. So this sort of tools avalanche probably isn't going to change. So integration becomes an extremely important aspect of the customer journey. So take us through that. And to continue on that point you just made as well too. I believe in our Cisco cybersecurity report from 2017, only 57% of actual threats are being investigated and remediated. So there's always that need to kind of help build, bridge that gap, make it easier for people to understand these threats and mitigate this. Prioritize, know what to go after, right? Which the integration is going to help you do. So we do have a lot of different integration services as well too. For example, I mentioned our SIEM integration service. One thing that we can really do, that's really awesome with that is we're able to deploy for example with Splunk, a full fledged StealthWatch for Splunk application that allows you to utilize StealthWatch's capabilities directly inside of Splunk without having to actually store and index any data inside of Splunk. So all these APIs are on demand inside of this app and available throughout the rest of the Splunk capabilities as well. So you can extend it into other search reporting, correlate that against other sets of data that you have in Splunk. You can do quite a bit with it. We also have other ways that- So if I interrupt, so the advantage of that is just obviously integration, you're not leaving the environment. Plus it's cost, right? I mean, you're saving customers money. 
A lot of customers kind of see their SIEM as a single pane of glass. So being able to bring that StealthWatch value into that single pane is a huge win for our customers. Not to mention that reduction in licensing costs as well. We have other ways too that we can reduce licensing costs. Some customers like to send their flow data into their SIEM for deeper analytics and long-term retention. And we have a service we called our FlowAdapter service. And through this service, we're essentially able to take biflow off of the StealthWatch flow collectors. And the biflow is essentially when the raw NetFlow hits the StealthWatch flow collectors, it's coming from multiple different routers and switches on the network. This gets converted into biflow, which is bi-directional, deduplicated, stitched together flow records. So right there, by sending that data into a SIEM or a data lake, as opposed to raw NetFlow, we see data reduction costs anywhere from 15 to 80% depending on how the customer's network is architected. Great. Any favorite customer examples you have that you can share where you guys have gone in, provided these services and it's had an outcome that got the customer excited or you found some bad guys or share. There's one that's one of my favorites. So we have this service we called our asset discovery and classification service. And I mentioned the host group automation service. That's if you have some sort of authoritative source, we can pull that information in. But if a customer doesn't have that authoritative source, they don't know what's on their network. And a lot of times too, they want to do a segmentation effort. They're undergoing network segmentation, but they need to understand what's on their network, how these devices are communicating. And that's where our asset discovery and classification service comes in. 
We're able to pull in telemetry, not just from StealthWatch, but other sources such as ISE, Tetration, Active Directory, IPAMs again as well. And we're able to essentially profile these different devices based off of the nature of their behavior. So we were at a kind of a large technology company and we were essentially in this effort trying to segment their security cameras. And upon segmenting their security cameras, we were able to build this report where we can see the security camera and how it's communicating with the other parts of the network. And we noticed that there was essentially two IP addresses from inside of their network that were accessing all these different security cameras, but they were not authorized to. So with this service, we were able to see that these two hosts were unauthorized accessing these devices. They got reported up through the management chain. And ultimately those two employees were no longer at that technology permanence that was discovered. Nice, I love it. All right, Ken, bring us on. We're here in the DevNet zone, sort of all about infrastructure as code and software. And talk a little bit about the futures, where you see this all going. Yeah, so for us, for Cisco security, the future is really bright. We've either built or acquired a portfolio that the customers really need that get absolute outcomes that customers need. And through the customer experience organization, certainly StealthWatch is fitting into the broader play to get customers who have all those technologies get that operational and get them success. So when we talked last summer, I told you that the jury was still out, we would see how the journey's going to go. And the journey has started, it has gotten much better since the summer. And this year, I think we're going to be doing some great things for our customers. 
Just, we can't get into too much of the business, but StealthWatch customers are still expanding because I think we told you last time, customers can never get enough StealthWatch, okay? The attack surface is too big, right? So we feel really good about that. And the other technologies that they're building really fit into what customers need. We're going to the cloud. So they're going to be able to consume cloud, on-prem, hybrid, protect networks, or the campus, protect their cloud infrastructure. So we're really checking a lot of boxes and our group brings it all together and takes all the complexity out of that for customers, just to get them the outcomes that they need. I named Cisco as one of my four-star security companies for 2020, based on spending data that we share from our friends at ETR. And the reason was because Cisco has both a large presence in the market, but also you have spending momentum. I mentioned 22% growth last quarter in the security business, but you've also got the expertise. You put your money where your mouth is. The big portfolio, which helps, if you can bring it together and do these types of integrations, it simplifies the customer's environment. And so that's a winner in my book. So I named you along with some other high flyers. And you see some really interesting startups coming out and probably acquisition targets, probably some that aren't on your radar. But guys, thanks so much for coming on theCUBE. It was great to have you. Great to have you. Kyle, thank you. All right, keep it right there, everybody. We'll be back with our next guest. It's Dave Vellante for theCUBE. Miniman and John Furrier are also in the house at Cisco Live, Barcelona. Right back.