Cisco is taking its first major step into Extended Detection and Response (XDR) with a SaaS-delivered integrated system of endpoint, network, firewall, email and identity software aimed at protecting enterprise resources.
Cisco’s XDR service, which will be available July, brings together myriad Cisco and third-party security products to control network access, analyze incidents, remediate threats, and automate response all from a single cloud-based interface. The offering gathers six telemetry sources that Security Operations Center (SOC) operators say are critical for an XDR solution: endpoint, network, firewall, email, identity, and DNS, Cisco stated.
The third-party products include support for Microsoft Defender for Endpoint and Office, Palo Alto Networks Cortex XDR and its Next-Generation Firewall, Trend Micro Vision One, SentinelOne Singularity, and ExtraHop Reveal. The service also supports security information and event management (SIEM) systems including Microsoft Sentinel Zero Trust and Access Management
“Despite the wide adoption of all of the security point solutions out there, customers are finding cybersecurity incidents—in particular ransomware cases which are growing uncontrollably—are getting through the defenses, but when you bring together these tools under one system that can look at email, web traffic, access control and other metrics with analytics, telemetry, and other tools in one place that’s where customers will see a clearer picture of security patterns emerge,” said Tom Gillis, senior vice president and general manager of Cisco’s Security Business Group.
The idea is to enable security teams to detect threats and remediate them before they have a chance to cause significant damage to the network and business, Gillis said.
In contrast to SEIM systems to which XDR packages are often compared, most SEIM products are log-aggregation systems designed to investigate historical forensics analysis, Gillis said.
The difference comes down to XDR systems being real-time or near real-time. “An XDR needs much more fine-grained and much higher fidelity data,” Gillis said. “Attackers are using legitimate application pathways to mimic legitimate user or legitimate application behavior. So the SOC needs to look really deeply into that behavior to figure out friend from foe today.”
Cisco plans to use data gathered from its base of security customers, which includes its AnyConnect mobility client on 200 million enterprise endpoints, he said.
That data was already available to Cisco’s its SecureX cloud-native service for detecting and remediating threats from a single interface. IT security teams can then automate and orchestrate security management across enterprise cloud, network, applications, and end points.
“SecureX was the fabric that all Cisco products drew threat-intelligence information from,” said Chris Kissel, IDC Research vice president, Security & Trust Products. “That is if the customer had Cisco Web/email, Cisco Security Analytics, firewall, endpoint, etc. – the telemetry was shared with other Cisco products.”
There were essentially two problems with this approach. First, XDR is more than shared telemetry from multiple security point products, Kissel said. “XDR includes a unified workflow, more sophisticated detection—better prioritization and/or finding the root cause of an incident —and more security-specific outcomes, such as ransomware mitigation, defenses against phishing attacks,” he said.
“Second, Cisco has about as strong detection capabilities as anybody, but the SecureX idea was not leading to opportunities to monetize its capabilities. An XDR add-on becomes a way for an endpoint customer (for instance) to realize additional capabilities.”
XDR is the current attempt at an all-in-one detection-and-response platform, but in terms of functionality, it is not too different from a SIEM, he said.
“Cybersecurity is a constant game of adjustments. The detection aspect leads to response. When there is a response, the hope is that the remediation not only solves this specific set of problems, it leads to a better understanding of the cybersecurity posture a company has and helps shore that up proactively,” Kissel said. “The largest security companies in the world, like Cisco, IBM, Palo Alto networks, and Microsoft, have to offer holistic, comprehensive platform capabilities to remain relevant.”
XDR was a marketing concept about four years ago with a few companies out front, and has been a mainstream consideration for a little better two years, Kissel said.
“That means Cisco is essentially several years behind Palo Alto Networks, CrowdStrike, TrendMicro. The endpoint detection-and-response players such as Sophos, TrendMicro, and SentinelOne have moved their XDR maturity beyond enhanced endpoint detection and response,” Kissel said.
In addition to tghe XDR service, Cisco also said that as of May 1 it would add Trusted Endpoints support to all its paid Duo Editions access-protection software users. Previously Trusted Endpoints was available only in Duo’s highest tier. Trusted Endpoints allows only registered or managed devices to access resources.
The cloud-based Duo service helps protect against cyber breaches by using adaptive multi-factor authentication to verify the identity of users and the health of their devices before granting access to applications.
Next read this: