Cisco is working hard on the Cisco Security Cloud. Starting today, it is adding Cisco XDR to it. According to EVP/GM Security & Collaboration Jeetu Patel, it aims to provide concrete and actionable prevention, detection and response against cyber threats based on the anatomy of an attack.

Patel calls Cisco XDR “Cisco’s worst-kept secret.” It was only a matter of time before it formally hit the market. In recent conversations with Cisco people, they themselves were actually consistently talking about XDR, even though it still referred to the “old” SecureX. That framework already contained XDR tools, according to Cisco’s own Security Reference Architecture. These tools were just not yet available in a single XDR platform. As of today, they are.

Patel, by the way, was not at all uncomfortable with the rather transparent approach around Cisco XDR. “My fundamental belief is that ideas matter less than their execution,” he indicated when we spoke to him shortly before the launch of the XDR platform. In other words, he is confident that Cisco can market this well. With the enormous installed base and the huge amount of native telemetry that Cisco has, that confidence is certainly justifiable.

More background? Read our previous articles

Our main focus in this article is on what Cisco XDR adds to what it was already doing in terms of security. It is not our intention to elaborate on the complete vision surrounding the platform. If you do want to read more about that, then we recommend reading two recent, fairly comprehensive, articles. In a conversation with Ernst van Maanen (responsible for security at Cisco within Europe), we reviewed the Security Reference Architecture mentioned in the current article. Cisco’s overall XDR approach was covered in detail in an article we published based on a conversation with Tom Gillis, the SVP/GM Security at Cisco. Gillis reports directly to Patel, who is the most senior person responsible for security within Cisco.

More than a new name for an existing offering

In principle, the building blocks for Cisco XDR are not new. In particular, the telemetry piece is something that Cisco has been working on for years. However, with Cisco XDR, Patel says the company is definitely offering something new. It’s going to make sure that all telemetry is actually correlated properly in order to carry out risk analysis. “When you look at telemetry in isolation, you only get half of the picture,” he points out. Cisco XDR promises the complete picture.

In itself, of course, XDR is nothing new. In fact, it’s virtually impossible to find a security vendor that doesn’t talk about it. Still, Cisco has an edge in this regard, Patel believes. Again, we come back to the large amount of native telemetry. That really is a common theme in Cisco’s security story. Telemetry itself could be called one of the company’s major goals. “We want to be the vendor with the most native telemetry,” he says explicitly. “The question becomes how many sources you can get telemetry from,” he continues.

Aren’t you creating a huge data overload for security departments this way? That’s the question that comes up for us after hearing Patel’s statements above. It didn’t do SIEM solutions any favors, that’s for sure. It mainly created an overload of logs and alerts, causing alert fatigue. For XDR, Patel doesn’t see this problem looming, though. “XDR is near real-time, whereas a SIEM looks back. A SIEM aggregates, XDR correlates,” he points out. An XDR does all (or a lot of) the work for you. You won’t get superfluous alerts or false positives. At least, that’s the idea if all goes well.

Good XDR solution is indispensable

One of the reasons why XDR is so important today is that current market trends and developments call for it. “Everything is moving toward a hybrid multi-cloud environment, where organizations don’t want lock-in,” according to Patel. That means there needs to be some level of portability for workloads, and something has to provide the layer that enables it.

You can apply the above to the security market as well. That market is a “patchwork,” in Patel’s words. New tools keep coming onto the market in a steady stream. In total, there are now some 3,500. This proliferation does not create efficiency at the bottom line, rather the opposite. Looking toward the future, this approach is untenable, Patel points out. That’s why Cisco has developed the Security Cloud as its vision. This is an integrated platform that sits “on top of the various clouds”, so to speak. Cisco XDR is one of the first major updates to it.

Cisco XDR has the following third-party integrations built in and available out of the box at launch:

  • Endpoint Detection and Response (EDR): Cybereason Endpoint Detection and Response, Microsoft Defender for Endpoint, Palo Alto Networks Cortex XDR, Trend Micro Vision One, SentinelOne Singularity
  • Email Threat Defense: Microsoft Defender for Office, Proofpoint Email Protection
  • Next-Generation Firewall (NGFW): Palo Alto Networks Next-Generation Firewall
  • Network Detection and Response (NDR): ExtraHop Reveal(x)
  • Security Information and Event Management (SIEM): Microsoft Sentinel

A platform without lock-in, is that possible?

When we hear a major company like Cisco talk about a platform approach, but at the same time talk about countering lock-in, it always causes confusion, at least in our head. In the end, one seems incompatible with the other. On the one hand, you want everyone on your platform, but on the other hand you also don’t want lock-in. There’s some friction there, at least. According to Patel, however, things are more nuanced: “There will not be fewer point solutions because of the platform approach we envision. Certain platforms are going to emerge that are connected to these point solutions.” Cisco clearly wants to be one of them.

So with the above nuance, Patel says the added value of Cisco XDR lies much more in the aggregation and analysis of all telemetry, from its own sources and those of third parties, including competitors, than in the efficacy of Cisco’s own individual components. However, it then also becomes an additional layer, and thus an additional investment, on top of existing security infrastructure. If the platform also allows organizations to increase the effectiveness of their other solutions, by providing much more visibility into telemetry, the investment for it may well be recovered by optimizing the number of point solutions.

AI will become an important part of cybersecurity

The Cisco XDR platform announced today deals primarily with gathering as much native telemetry from as many different sources as possible, coupled with telemetry from third-party sources. With that, it’s going to send a lot of data toward the platform. Patel realizes that, too. “We need to think about how to reduce the amount of sophistication in order to help companies,” he points out. For that, AI is indispensable, because “security can no longer be handled at human scale.”

Based on Patel’s statement above, we can already sketch out part of the roadmap for Cisco XDR and for Cisco’s security approach in general. Cisco will be adding (more) AI to its products and platforms. At RSA this week, it is showing a demo of an automated SOC, for example. This is obviously far from a reality yet, but it’s a hugely interesting problem to solve, he indicates. After all, if all automated responses are always right, you can have employees working much more efficiently.

Cisco is going to look different moving forward

Finally, the Cisco Security Cloud as an overarching vision also indicates what Cisco is working toward in general. New products and services will have their place within such a suite. If we understand Patel correctly, within a few years Cisco will consist of several of these clouds, more or less as we know it from Salesforce. In addition to a Security Cloud, there could then also be a Networking Cloud (Cisco laid the foundations for that last year) and a Computing Cloud, among others. Mind you, we made up those new names ourselves, so it could look completely different. But there is no doubt that Cisco is going to structure its offerings in this way.

For now, Cisco’s focus is very much on cybersecurity, with Cisco XDR as its latest offering. It is in Beta as of today and will be generally available this July. In addition, there will be many more (major) innovations coming through the end of the year. Patel talks about a rolling thunder of innovations that is on its way. This story will no doubt be continued at Cisco Live in June.