
News flash: adversaries don’t care about vendor consolidation. In fact, they are counting on the lack of integration across your security stack to slip through the cracks and evade detection. At the same time, sophisticated exploits that were once the domain of nation-state threat actors have now become commoditized, which makes it very difficult to respond at the speed needed to minimize exposure and limit risk. And I haven’t even mentioned new technologies like generative AI that are advancing at unprecedented speed and giving threat actors even more tactics and techniques to leverage. Security teams today are dealing with an extraordinary level of complexity, both in their security environment and in an ecosystem of global supply chains, attackers, and defenders. The result? Breaches are more common and more costly than ever.

But it’s not all doom and gloom. This multi-vector, multi-vendor, hybrid work landscape just demands a robust detection and response solution that can help security analysts detect, prioritize and mitigate threats from every angle. The good news is that Cisco’s new extended detection and response (XDR) offering does just that. It allows SOC teams to quickly and efficiently move away from endless investigation and instead spend their time remediating the most critical incidents across their Cisco and 3rd party security stack.

What is XDR?

When we set out on this journey, we asked many of our customers for their definition of XDR, and what was universally true was that there was not a universal definition. They each defined it in their own way, largely because early vendors in this space had defined it in a way that placed their company or their product at the center of the definition and then bombarded the market with messaging to highlight their “differentiation,” creating a lot of confusion.

Then we came across a definition from International Data Corporation (IDC), and we liked it for its conciseness, its clarity, and its completeness. IDC defines XDR as three things: 1) the collection of telemetry from multiple sources, 2) the application of analytics on that collected telemetry to detect something malicious, and 3) the response AND remediation of that maliciousness.

That may seem like a lot to unpack, but if you just start with the first one – collection of telemetry from multiple sources – it’s not just from your endpoint, which is what an Endpoint Detection and Response (EDR) solution does. It’s not just from your network, which is what a Network Detection and Response (NDR) solution does.

The promise of XDR is to combine your endpoint telemetry, your network telemetry (cloud and physical), your application telemetry, and your identity to be able to detect threats in your environment that your point products can’t detect in isolation. Not because those point products are not good, but because the adversary is very good.


Cisco’s approach to XDR

Before deciding to move into this space, we had to step back and ask ourselves: Is there a problem going unsolved in the industry, and if so, could Cisco do a better job solving it than anyone else? Spoiler alert, we answered ‘Yes’ to both of those questions.

At Cisco, we have some unique advantages to advance the state of the art when it comes to XDR. Consider the aspect of XDR being a collection of telemetry from multiple sources – our portfolio natively covers ALL six telemetry sources that SOC operators say are necessary for an XDR solution: endpoint, network, firewall, email, identity, and DNS. No other XDR vendor in the market has native access to all six of these telemetry sources. And we are analyzing and correlating all this native telemetry to detect adversaries that operate in stealth and are able to evade point solutions.


In addition to our portfolio of security products, we have unique insight from the massive number of endpoints that currently have a Cisco agent deployed on them. Cisco Secure Client, formerly AnyConnect, is installed on roughly 200 million endpoints. The telemetry those endpoints generate that maps individual running process trees with the network connections they create is unmatched in the industry. To put it in perspective, that is 4-5x the number of endpoints that the leading Endpoint Detection & Response provider has deployed. Being able to correlate that endpoint telemetry with network-based flow telemetry from both public cloud providers and our own switches and routers puts us in a position to do things that only Cisco can do. And we are.

Prevention will always be our first principle at Cisco, but when everything else goes wrong and the adversary has found a way in, the network is the only system of record organizations have for understanding the extent of a breach and where to start remediating. Not only does Cisco have the best network detection and response (NDR) capability in the market, but we’re also correlating all these telemetry sources to detect sophisticated tactics and techniques, and more importantly, to automatically investigate, respond to and remediate the threat. Because to be clear, bad guys don’t land on your high-value assets in your data center. They land on your laptops and then move laterally through your network. If you’re relying on just your EDR solution to detect them or your firewall to keep them out, you’re going to have a very hard time.

Cisco XDR combines data and telemetry across multiple Cisco and third-party sources

Finally, Cisco XDR addresses one of the biggest challenges of keeping up with ever-evolving threats and a growing attack surface: it integrates with a selection of third-party products, including, for the first time ever, competitive third-party EDR, NDR, firewall, and email solutions. Most organizations employ tools from multiple vendors and want those tools to interoperate. Unfortunately, there’s limited integration and little shared telemetry. But data and context shared across vendor lines and the application of advanced analytics on that telemetry across as many vectors as possible ensure we can rapidly detect and comprehensively respond to the world’s most sophisticated adversaries. Introducing Cisco XDR.

Visit us at RSA Conference 2023 to learn how to optimize your existing security stack to maximize protection with Cisco XDR.

 




Authors

AJ Shipley

Vice President

Product Management - Threat, Detection & Response