Cisco's New XDR Tool Emphasizes Robust Telemetry Correlation
Jeetu Patel Says Native Visibility Into Network, Endpoint, Email Benefit Cisco XDR
A double-blind survey of 300 Cisco security customers pinpointed an under-addressed problem in the market: remediating threats with telemetry from multiple domains and sources.
Cisco Security Executive Vice President and General Manager Jeetu Patel said the industry has struggled to address multifaceted attacks that originate in email and include bad links, malware downloads to a device, the use of PowerShell and lateral movement of malicious packets on the network. To date, the approach has been very isolated as email, endpoint and network experts work in silos to comprehend what happened.
"What you don't have is a holistic view that says: Can I have telemetry that's being looked at and correlated across domains?" Patel told Information Security Media Group. "If I could do that, I'd be able to be much better at finding breaches."
Correlating native telemetry allows organizations to get much better at distinguishing a malicious attack from a regular course of activity on a normal day, according to Patel. Customers also want a platform that ranks vulnerabilities based on risk, automatically remediates as much as possible and provides SOC analysts with a completely fresh user interface and experience, he said (see: Jeetu Patel on Having a Consistent Design at Cisco Security).
Cisco has doubled down on correlating data from different telemetry points to assess the severity of a security incident, better understand how the incident originated and get details on what was happening on a particular node such as email when the incident was taking place, according to Patel. He sees this as the biggest benefit of Cisco XDR, which was announced at RSA Conference 2023 and will be generally available in July.
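As an added illustration of the cross-domain correlation the article describes (this is not Cisco's code or anything from the interview), a toy correlator that stitches constructed email, endpoint and network events for the same host and user into one incident and grades severity by how much of the multi-stage chain appears across domains. The event fields, stage names and the 15-minute window are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three telemetry domains (not real data).
# The (host, user) pair is the pivot used to stitch domains together.
EVENTS = [
    {"ts": "2023-06-01T09:00:00", "domain": "email", "host": "ws-17", "user": "alice", "type": "link_clicked"},
    {"ts": "2023-06-01T09:00:40", "domain": "endpoint", "host": "ws-17", "user": "alice", "type": "file_download"},
    {"ts": "2023-06-01T09:01:10", "domain": "endpoint", "host": "ws-17", "user": "alice", "type": "powershell_spawn"},
    {"ts": "2023-06-01T09:03:00", "domain": "network", "host": "ws-17", "user": "alice", "type": "lateral_smb"},
    {"ts": "2023-06-01T11:00:00", "domain": "endpoint", "host": "ws-22", "user": "bob", "type": "powershell_spawn"},
    {"ts": "2023-06-01T12:00:00", "domain": "email", "host": "ws-30", "user": "carol", "type": "link_clicked"},
    {"ts": "2023-06-01T14:00:00", "domain": "endpoint", "host": "ws-30", "user": "carol", "type": "powershell_spawn"},
]

# The multi-stage sequence the article describes, in expected order (assumed stage names).
CHAIN = ["link_clicked", "file_download", "powershell_spawn", "lateral_smb"]
WINDOW = timedelta(minutes=15)  # assumed correlation window


def correlate(events, window=WINDOW):
    """Group events by (host, user), walk each group in time order and accept
    chain stages that advance the sequence inside the window."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["host"], e["user"])].append(e)
    incidents = {}
    for key, evs in groups.items():
        stages, domains, next_idx, start = [], set(), 0, None
        for e in sorted(evs, key=lambda x: x["ts"]):
            ts = datetime.fromisoformat(e["ts"])
            if start is not None and ts - start > window:
                break  # later activity is outside this incident's window
            pos = CHAIN.index(e["type"]) if e["type"] in CHAIN else -1
            if pos >= next_idx:  # only stages that move the chain forward count
                start = ts if start is None else start
                stages.append(e["type"])
                domains.add(e["domain"])
                next_idx = pos + 1
        incidents[key] = {"stages": stages, "domains": sorted(domains), "score": len(stages)}
    return incidents


def severity(incident):
    """Full chain is critical; a partial chain seen in two or more domains is
    high; a single-domain signal on its own stays low."""
    if incident["score"] == len(CHAIN):
        return "critical"
    if len(incident["domains"]) >= 2:
        return "high"
    return "low"
```

Run `correlate(EVENTS)` and pass each incident to `severity` to see the full email-to-network chain on ws-17 rated critical while the isolated PowerShell launch on ws-22 and the out-of-window pair on ws-30 stay low.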
Catching the Competition
Forrester in October 2021 ranked Cisco's XDR offering 13th out of the 14 vendors evaluated, beating only FireEye. The market research firm said at the time that Cisco's offering lacked cross-telemetry detection and investigation capabilities and was more of a SOAR solution than a true XDR. Forrester said Cisco's product architecture and vision, investigation, threat hunting and commercial model all needed improvement.
Despite having a lot of catching up to do, Patel said Cisco XDR will benefit from the breadth and scale of the company's telemetry. Cisco today secures 200 million endpoints. It is one of the few XDR vendors - aside from Microsoft and Sophos - with native visibility into email, and it can analyze network flow data better than anyone else, Patel said. Forrester in 2021 named Trend Micro and Microsoft as XDR leaders.
"Microsoft might be good on the endpoint, but we're going to be better on the network," Patel said. "We've got a very broad implementation on the endpoint, but we've got network and they don't even have that. It's nonexistent on their side."
To do XDR effectively, Patel said, providers need native telemetry that can get correlated rather than summary data obtained through a partnership with another technology supplier. Patel said Cisco benefits from having visibility into every customer email and email forward, every web request, every process that gets spawned on the endpoint and every packet that traverses the network (see: Panel: Threat Response Needs New Thinking).
At the same time, Patel said, the company pulls telemetry from 13 competitors - including SentinelOne, CrowdStrike, Proofpoint and Palo Alto Networks - to get visibility into IT environments where Cisco isn't present. Cisco will both pursue integrations with market leaders in security technology categories, such as CrowdStrike, and offer open APIs for security products where Cisco hasn't done an integration itself.
Maximizing the Market Opportunity
The company doesn't plan to make its XDR offering available at the onset for direct purchase by small businesses via online transactions or e-commerce, but Patel said Cisco XDR fits any organization with at least 2,000 employees. Businesses today will get the most value from Cisco XDR if they have a SOC analyst and some level of sophistication in their internal security functions, he said.
The company plans to track the number of breaches detected, the number of remediations carried out and the number of SOC analysts using Cisco XDR on a daily or regular basis to assess the effectiveness of the new product, Patel said. The total addressable market for Cisco XDR is "massive" since any organization with at least one Cisco control point and an EDR product would benefit from it, he said.
"I've never seen in my career a greater number of customers come to us and say, 'We really want Cisco to be one of our key security vendors,'" Patel said. "We've completely revamped our leadership. The innovation velocity has accelerated quite a bit. I expect that there's going to be displacement revenue that comes from this."