Not all XDR platforms are created equal: quality telemetry is critical

Organizations are poorly prepared for cyber attacks, according to Cisco’s recent Cybersecurity Readiness Index. Surely now is the time to tackle security from a platform perspective, we hear from Cisco’s Tom Gillis.

Gillis joined Cisco at the beginning of this year, after a stint at VMware. Within Cisco, he is the SVP/GM Security and is therefore responsible for Cisco’s global strategy in this area. He has quite a job ahead of him, according to the results of the Cybersecurity Readiness Index. This survey, by the way, was not conducted by Cisco itself among its own customers. It was done by an independent agency among 6,700 security professionals. Some of them may be Cisco customers, but plenty of the respondents are not. In addition, it is a so-called double-blind study, so there was little room to steer the results.

When we ask Gillis what he thinks of the outcomes, he has to admit that they are different from what he imagined beforehand: “The results are more pessimistic than I expected.” In practice, he sees a lot of time and money being spent on improving the cyber resilience of organizations, so one would expect somewhat better results. However, some 85 percent of respondents feel unprepared for a cyber incident and 65 percent have experienced a cyber attack.

What went wrong?

The survey results raise the question of where all of the extra investments went. It seems as if they were put mainly into buying more security tooling. However, that is not the right strategy, according to Gillis. “Just trying harder is not a winning strategy,” he points out. As the frequency of attacks and their severity have grown at about the same pace as the investments, organizations have made very little progress.

In particular, ransomware is taking hold. What is striking here is that the size of the organization targeted by an attack does not seem to matter at all. Gillis mentions a small potato chips factory in Canada, but also the ferry service on Cape Cod, both of which suffered ransomware attacks. It’s ultimately very simple, he points out: “Most people pay the ransom, so it’s interesting.” Add to that the fact that the toolset for ransomware is now very mature, and the recipe is simple for the attackers.

In addition, this toolset is increasingly being used by so-called state actors, for attacks against the infrastructure of countries. That worries Gillis a lot more. The goal of that kind of attack is to disrupt and destroy. He has seen it happen in Ukraine, but remarkably far less in the rest of Europe and North America. This may be because the attackers in Russia are being actively hunted from those regions. “Offense is the best defense,” he indicates. At the very least it creates more deterrence.

Anyway, back to the key question of this section: what went wrong? Gillis’ answer is that looking at one domain doesn’t work (anymore). “The name of the game is a systems approach,” he adds. That is, we need to look across domains. So we should not focus on the network, email, endpoint, application and so on in isolation, but on everything at once.

Platform approach is a must

In itself, insisting on a systems, or platform, approach is not a startling statement from someone who works for Cisco. After all, that is exactly what the company offers the market, as we explained in a recent article. Yet we would be doing Gillis’ statements a disservice if we were to dismiss them as pure marketing. To us at least, it makes perfect sense to take such an approach. In fact, it may even be a necessity. Virtually all components within an organization interact with each other, so it is only logical that a security strategy takes this into account.

When you talk about an overarching approach to cybersecurity, you quickly end up at one of the buzzwords, or rather buzz-acronyms, of the moment: XDR. Virtually every security vendor seems to offer it these days. “Just look for a vendor at RSA at the end of April that isn’t talking about XDR,” Gillis poses as a challenge. That’s going to be very difficult, he says. We expect this to include Cisco as well; we picked up various hints to that effect in recent months.

XDR is a broad concept

Not all XDRs are created the same, however. More specifically, “we [the cybersecurity industry, ed.] need to take a much more nuanced approach [regarding XDR, ed.],” he believes. “We can’t just rely on standard telemetry,” he continues. In saying this, he suggests that many XDR platforms do. Cisco also uses standard data. On top of that, however, Cisco has a lot of native telemetry. That is, data that Cisco’s own tools generate and provide.

As an example of this kind of telemetry, Gillis mentions the native telemetry that Cisco has in the area of email. In that, he says, they are still the global leader. Thanks to this telemetry, Cisco can see all the transactions and processes that go to and from mailboxes. That includes not only what is happening in the mailbox itself, but also things like DNS queries and the footprint of email on an endpoint. This approach allows them to see which processes are making which connections. “With this, we bridge the gap between endpoint and network,” he points out. Cisco’s platform picks up the telemetry and enriches it with additional information. Based on this information, it can determine whether something is malicious or not. For example, if an unknown process starts a PowerShell script, chances are high that it’s ransomware.

Will native telemetry also become open telemetry?

The basis for Cisco’s XDR approach is the native telemetry it has in multiple areas. “Email, Web, process-to-network and NetFlow, those are the basic components for our XDR,” according to Gillis. There are very few companies that have native telemetry in all of these areas. Cisco has even more than Microsoft, he claims. For example, NetFlow is available to other vendors as well, but Cisco has added some additional features. The process-to-network piece has AnyConnect as its foundation. That’s called Cisco Secure Client these days, by the way. With that, Cisco adds things like VPN and EDR, but also integrates ThousandEyes data.

So with native telemetry, according to Gillis, Cisco can make a difference within the XDR market. On the other hand, however, the company says it is also pursuing an open approach to XDR. That is, it also makes room for integrations with third-party tools and even direct competitors. So how tenable is the emphasis on native telemetry? If you have your customers’ security best interests at heart, should you keep that telemetry to yourself? Gillis readily admits that this creates some “natural tension”. On the one hand, they obviously see this as well. On the other hand, Cisco runs a business, so competitive advantage is important as well. According to him, discussions are underway (internally) about which things they want to open up and which they don’t.

The network sees everything

Before his move to Cisco, Gillis worked at VMware, as we mentioned above, where he ran the security business. During a session of his that we attended at a VMware event in those days, he talked about the hypervisor as the “magic place” to do security. Obviously, that had to do primarily with application security. For that, there is no better place imaginable than the hypervisor, because all traffic goes through it, both north-south and east-west.

In his current role at Cisco, Gillis tells a similar story, but from the perspective of the network. This is not a contradiction, by the way. In fact, the impact of the network on security is even more significant than that of the hypervisor, he explains. “The network is the only system of record you can trust,” according to him. That’s where Cisco harvests its telemetry and/or directs it to, in various ways.

Telemetry alone, however, isn’t enough. It’s about what you do with it. So the question that Cisco’s security department faces is how to make optimal use of the telemetry provided by the network. With Gillis’ career in mind, one of the ways forward is to better connect the magical place that is the hypervisor to the only system of record we can trust. That would improve the cyber resilience of organizations substantially. With this and many other improvements, future editions of the Cybersecurity Readiness Index will hopefully present a less gloomy picture of cyber resilience in organizations.