Cisco spoke at RSA 2023 to showcase expanded detection and response as the key to a unified cross-domain security platform, along with new Duo MFA features.
Day one of RSA 2023 set the thematic tone for the week at the event: Platforms with cross-domain telemetry serving security will be the game-changing technology. The RSA 2023 conference is being held April 24-27 in San Francisco.
In a keynote on Monday, Cisco’s Jeetu Patel, executive vice president and general manager of security and collaboration, and Tom Gillis, senior vice president and general manager of security, explained how and why these platforms will advance the functions of the Security Operations Center.
Learn why extended detection and response was a focus of Cisco’s launch activities at RSA, including the company’s announcement of its cloud-based XDR service.
Cisco Spotlight on XDR at RSA
Patel said cross-domain telemetry, which is the ability to track an exploit in near real-time as it moves across enterprise domains, requires an end-to-end integrated platform because with isolated defenses, “It’s too hard to spot attacks that are in no way bounded by normal behavior,” he said. Patel explained that a platform can see what packets are traversing networks. The best example of that, he said, is XDR.
“XDR is going to be the talk of the show,” Gillis said. “You’ll be hard pressed to find a salesperson who doesn’t tell that story.”
He said that as it becomes increasingly clear that attackers are getting good at user and application behavior, looking at one domain or one incident means “you only get half the picture.” Essentially, Patel explained, XDR provides the ability to view high-fidelity data anywhere, whether from email or a PowerShell exploit.
XDR is not SIEM
Gillis explained that XDR serves a different purpose than traditional security information and event management. He said that while SIEMs are designed to record events aggregated over days or even months, XDR comes close to real-time telemetry. Additionally, while SIEMs look at summary data, XDR looks for the highest fidelity data, “every message, click, process, and packet,” Gillis said. “The industry realizes that we need more event resolution than log data.”
He said relying on SIEM data or single domain analytics does not provide visibility and correlation between email, web, endpoint and network.
“And the latter – the network – is probably one of the most overlooked defense tools,” Gillis said.
Platform-Based Security Announcements Regarding XDR and Duo
Gillis touted the platform over multi-vendor approaches to security with this analogy: If you go to a big box store and buy what you think is a home grilling system, and open the box only to discover 1,000 parts and no manuals, you haven’t got what you paid for. You want the grill built, integrated and operational. He said that similarly, a platform approach to security enables a single functional framework. “A platform is not a bag of parts, but a system with individual components put together in a cohesive manner.”
The company’s platform-focused announcements included the following:
- Cisco XDR is now in beta, with general availability in July. It is designed to simplify incident investigations and speed up security operations center response times.
- To protect against multi-factor authentication attacks, Cisco offers advanced features in all editions of its Duo MFA platform.
- Starting next month, Cisco is integrating Trusted Endpoints into all paid Duo editions; it is currently only available in the highest tier of Duo. According to Cisco, Trusted Endpoints allows only registered or managed devices to access resources.
Cisco XDR: a turnkey solution that plays well with third parties
Cisco calls the cloud-based XDR service a turnkey, risk-based solution that applies analytics to prioritize detections. The company said XDR “…shifts the focus from endless investigations to resolving the highest priority incidents through evidence-based automation.”
According to Cisco, the security service analyzes six sources of telemetry that SOC operators say are critical for an XDR solution: endpoint, network, firewall, email, identity, and DNS.
Cisco says XDR integrates with major third-party vendors to “share telemetry, increase interoperability, and deliver consistent results regardless of vendor or technology.” These providers include the following:
- For endpoint detection and response: CrowdStrike Falcon Insight XDR, Cybereason Endpoint Detection and Response, Microsoft Defender for Endpoint, Palo Alto Networks Cortex XDR, SentinelOne Singularity XDR, and Trend Micro Vision One.
- For Email Threat Defense: Microsoft Defender for Office 365 and Proofpoint Email Protection.
- For firewalls: Check Point Quantum Network Security and next-generation firewalls from Palo Alto Networks.
- For network detection and response: Darktrace DETECT, Darktrace RESPOND and Darktrace ExtraHop Reveal(x).
- For SIEM: Microsoft Sentinel.