The spend-time-to-save-time dilemma 

We’ve all heard that “it takes money to make money,” and similarly that “it takes time to save time.” David Pogue, a former New York Times tech columnist, once wrote that “not all of us have that kind of time.” Pogue was aware that he was at the far end of the “spend time to save time” spectrum, and that there simply weren’t enough hours in his day to learn how to exploit all his time-saving devices.  

Check out his now fifteen-year-old examples – many of which still hold true today. So how would the ordinary person cope? Pogue faulted not his readers, but the software companies for marketing time-saving features that are not simply realized. Fast forward to today’s security technology, and the same dilemma exists for ordinary security leaders and practitioners: 

I’ll save time if I can simplify threat response with aggregated intelligence, automated enrichment, interactive visualizations, incident tracking, and direct remediation.
I’ll save time if I can enable automation for my workflows, including threat response playbooks, changing access policies, receiving approval from collaborators, or even provisioning security controls.
I’ll save time if I can unify visibility across my security environment in one place rather than pivoting to multiple consoles. 

Why aren’t APIs enough?  

To gain these time-saving security experiences, you need to integrate your security together. Most security vendors market how their products’ open APIs enable integration with any third party to save time. While it’s definitely true, APIs fall into this “spend time to save time” quandary. Even before you write, host, install, and maintain your integration, learning multiple products’ APIs is a complex, time-consuming experience. Based on your level of expertise, your time commitment will vary.  

One approach to overcome this dilemma is not new – shift the time burden from customers to vendors. The vendors’ developers learn the APIs as well as write, host, install, and maintain the scripts and infrastructure that are required for integration. Cisco has done this for years, building 300+ solution-level integrations across the Cisco Security portfolio with 170+ partners. Yet, too many solutions still lead to an unsustainable level of complexity. 

Why are two-product integrations not enough? 

All technologies across your security infrastructure must work as one team to: (1) improve the maturity of your security program, (2) know the impact of attacks across your environment, and (3) measure the effectiveness of security controls. The reality is that implementing integrations two products at a time results in 10 or more fragmented solutions arguing over who knows the answer best. Cisco recognized that a new approach was needed.  

Cisco SecureX integrates security to save you time 

In February, we announced Cisco SecureX as the industry’s broadest, most integrated security platform. Bold claims in an industry rife with incompatibility and hyperbole. Cisco is committed to being open with your security infrastructure, including third parties. So, in addition to the solution-level integrations we’ve already made available; new, broad, platform-level integrations have also been and continue to be developed. Cisco is not just saving security practitioners time, but also eliminating the complexity that security leaders face. So, let’s discuss a few details before SecureX becomes commercially available this June.  

Our platform-level integrations fall into three buckets:

Built-in integrations are developed by Cisco together with select technology partners for customers to instantly configure. Some examples are Google VirusTotal for threat response or ServiceNow for automation. 
Pre-packaged integrations are developed by Cisco or technology partners for customers to use ready-made scripts that they install into cloud infrastructure, which they maintain. The time spent is radically minimized, as you don’t need to learn any APIs or write any code. Some examples are Qualys IOC or Microsoft Graph Security for threat response. 
Custom integrations can be created by customers leveraging Cisco and technology partners’ open APIs. The time spent on integration is reduced by using our resources on DevNet to quickly get started. 

Some use cases we’ve heard from our technology partners and community include: 

  • As an intelligence producer or consumer, I would like to publish or ingest my actionable threat content. The intelligence can be from Cisco, a third party, or open source.  
  • As a visibility or protection device vendor, I would like to provide context for why an observable (e.g., IP, domain, file) is malicious or add sightings of an observable. The device can be from Cisco or a third party. 
  • As an operational tool provider, I would like to query verdicts or targets for an observable or import only high-fidelity alerts as incidents. Cisco SecureX or a third-party platform can be performing the operations. 

These use cases are primarily threat response focused, which was Cisco’s first platform feature released more than a year ago. 

SecureX Integration Model 

Cisco SecureX simplifies threat response 

Today, our threat response feature includes built-in integrations across the Cisco Security portfolio. Just as important, it includes pre-packaged integrations with 21 other vendor products – a few are even built in. Check out this new cisco.com page that lists the integrations and partners.  

By June, we’re speeding up detection, investigation, and remediation across your environment with many more pre-packaged integrations. After the platform’s commercial release, not only will the number of built-in or pre-packaged integrations continue increasing, but we’re working on making those pre-packaged integrations even simpler by shifting more of the steps from customers to Cisco.  

Some tasks we hear from SecOps teams working with these integrations include:

  • As an incident responder, I would like to know what malware is associated with an observable (e.g., IP, domain, file, email, user, device).
  • As a threat hunter, I would like to add observables on an actor even if they’re not malicious.
  • As a security operator, I would like to act on the sources (e.g., domain, sender) or targets (e.g., devices, users) of attacks and whitelist my internal observables (e.g., IP, file).  

Cisco SecureX enables automation 

The new orchestration feature simplifies these SecOps tasks and as well broader SecOps, ITOps and NetOps use cases. This feature relies on built-in and custom workflows leveraging built-in integrations. A workflow is a series of activities, such as you might find in an incident response playbook. It can be initiated by a trigger, an API call, a different workflow, or manual input. A trigger can be based on monitoring external events across the customer’s security environment (e.g., data exfiltration alert) or system conditions (e.g., scheduled time). And event context can even change how a workflow is executed.

  • Built-in workflows will include phishing investigation, threat or indicator hunting, incident enrichment, response orchestration, and remediation approval for instant configuration.
  • Custom workflows support drag-drop, auto-save editing with no or very little code required using built-in integrations to radically minimize the time spent.

The built-in integrations for the automation feature include:

  • Security infrastructure covering Cisco and non-Cisco products (e.g., Splunk).
  • Other infrastructure supporting security such as IT systems (e.g., ServiceNow, Webex Teams), multi-cloud (e.g., AWS), and networking (e.g., VMware). 

The full list of orchestration integrations will be published in June. And as a cloud-native platform, Cisco SecureX releases will frequently add workflows and interoperability with your existing investments to save you time.  

Cisco SecureX unifies visibility 

The visibility feature saves you time by showing you what you need to know in one place, and following you around to maintain contextual awareness — whether that’s a dashboard of ROI metrics and operational measures, a feed of new activity (e.g., workflow initiated, new incident, new threat research), or aggregated views for an incident.  

In June, built-in integrations will be available with the Cisco Security portfolio. In some cases, this visibility can include metrics, measures or insights from the 170 partners across the Cisco Security Technical Alliance, but it depends on the solution-level integration. And in the future, we anticipate enabling direct third-party integrations for this visibility feature. 

A stitch in time saves nine 

Don’t delay in signing up for our SecureX waitlist and learning how Cisco can already integrate with your existing security investments to save you time without you spending time. Or if this is your first time hearing about Cisco SecureX, click here for more information.



Barry Fisher

Senior Manager

Security Solution Marketing