Security teams face an expanding threat landscape and an environment that is rife with complexity, which makes security efficacy increasingly elusive. Simplification is simple in theory but often difficult to achieve in practice. Security teams need to be able to turn weak signals into reliable alerts and act on them with confidence. That confidence should be based on context gathered from every corner of their environment and consolidated into a single view that is easy to explore. To increase efficacy and respond faster in the future, they need orchestrated detection and response capabilities that are easy to enable and that enhance the capabilities of their existing products and talent.
In reality, many approaches fall short of solving these challenges. Some security teams deploy SIEM and/or SOAR solutions to unite a siloed environment, reduce their alert volume, and drive cross-product detection and response efforts. While these solutions are very good at their respective tasks, they don’t work for every organization and can come with additional hurdles. SIEMs provide visibility, but they lack the orchestration and automation required to decrease response times. SOARs provide automation, but correlation is not straightforward and requires a lot of expertise. Neither option provides built-in response functionality. While larger companies can afford the lengthy process of calibrating and maintaining these solutions over time, it’s not possible for resource- and time-constrained teams. Most need something that is far more usable and already integrated.
This leads many security teams to look for capable solutions that help them correlate context and achieve visibility without the hassle and expense. Endpoint detection and response (EDR) and network detection and response (NDR) solutions are an accessible way to deliver exceptional security in their respective areas of coverage. But at the end of the day, these parallel efforts can still leave silos, and a failure at any one point prevents security teams from easily seeing and protecting everywhere. No individual solution will be able to outperform a unified end-to-end detection and response approach.
Over the last few years, the industry has seen security vendors attempt to tackle these issues as they began to build unified incident detection and response platforms that automatically collect and correlate data from security components and simplify decision making. Last year, Gartner labeled these solutions as Extended Detection and Response (XDR) platforms.
As is often the case with new methodologies and security practices, nailing down a precise definition is its own challenge. Defining what is and is not considered XDR has been something of a tricky subject for much of the industry over the last few years. Some vendors and analysts say that XDR absolutely MUST be rooted in endpoint detection and response (EDR) and/or network detection and response (NDR). Some say it’s more like a state of being, in that you either have XDR or you don’t. Some companies and analysts don’t even agree on what the “X” in XDR stands for, with some favoring “extended” while others prefer “cross-based.”
In an effort to cut through the confusion for those interested in learning more about XDR and the kinds of security outcomes it can provide, we want to share a clearer and more concise definition. With that in mind, Cisco’s definition of XDR falls in line with that of the lead Gartner analyst for XDR, Peter Firstbrook:
“A unified security incident detection and response platform that automatically collects and correlates data from multiple proprietary security components.”
We at Cisco believe that one of the most important aspects of this definition is the element of unity. As mentioned earlier, a big problem security teams face is trying to make a slew of siloed products work together to provide them with the full scope and context they need in order to effectively detect and remediate threats. To be effective, an extended detection and response platform needs to provide the following:
If you look at the current market, many vendors claim to deliver XDR functionality in various ways: some with a new product, some by repackaging existing products, and others through industry partnerships. While these solutions and approaches will likely yield some dividends in time, they will fundamentally fall short of delivering the above key XDR functionalities in the near term, because the deep integrations required to unite a security environment take time to build. Much as Rome wasn’t built in a day, XDR is a process that takes time to build and improve on. However, no matter where you might be on the road to implementing XDR, Cisco can help.
Our approach to XDR starts with our cloud-native platform, SecureX, which provides the focal point for all integration. SecureX is already built into Cisco security products and easily integrates with solutions in your environment using open APIs. This provides accessible integrations with more third-party solutions than any other security vendor, from more than 170 partners and counting. So security teams can plug in their favorite solutions, whether from Cisco or a third party, and gain XDR capabilities without the need to rip and replace existing toolsets.
This results in unified detection and response that correlates telemetry from all control points and makes taking action easier. High-fidelity alerting with risk-based scoring helps you prioritize incidents. A single investigative viewpoint helps you do root cause analysis and informs the right next action, which you can take with one click. Built-in orchestration enables you to automate responses and offload routine tasks. This allows your teams to do more proactive and effective security work without more hassle.
We also support every layer of detection with the latest comprehensive intelligence, which increases detection accuracy. Cisco Talos has more visibility than any other security vendor in the world, strengthening alert fidelity and detection across all threat vectors. With the sheer size and breadth of the Cisco Secure portfolio and the incoming telemetry from Cisco’s customers and products, security teams have the most comprehensive threat assessments at their fingertips.
With Cisco, customers get more value from their individual security products because we have superior telemetry capabilities. When a customer connects any solution to SecureX, we automatically correlate that solution’s data with telemetry from more than 200 million natively integrated data inputs, more than any other vendor. Without requiring customers to use a costly data lake, products like Cisco Telemetry Broker combined with features like SecureX device insights can turn data from across an environment (firewalls, email, endpoint, network, and more) into intelligent insights that security teams can use to validate detections.
Cisco delivers on the promise of XDR today through unified context, correlated detections, and faster responses. SecureX is the most widely deployed XDR solution in the market today. More than 13,000 organizations are already enjoying the benefits of XDR with SecureX and Cisco Secure solutions together with third-party solutions.
When security teams spend less time on manual tasks like correlating alerts, they can focus on finding ways to improve overall security efficiency. SecureX enables organizations to detect, investigate, and resolve security incidents faster and with more complete insight; it reduces the risk of a data breach by about 50% and the cost of a data breach by 45%.
To maximize these outcomes, we’ve built in workflows that offer automated solutions to human-scale problems. They can radically reduce threat dwell times with retrospective security and playbook-driven automation. In fact, customers have reported that, with our XDR capabilities in their environments, dwell times were reduced by 85%. With the time saved, teams can focus on more nuanced and skill-based tasks like threat hunting.
Whether you’re just starting your journey into implementing an XDR approach or you’re looking for ways to take your current XDR platform to greater heights, the Cisco team is here to help you build that bridge to a more unified approach to extended detection and response.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!