Ensuring detection and response capabilities across all devices, managed and unmanaged, is a key need for every organization, especially when work conditions are in flux and shifting to remote. Cisco's EDR technology gives detailed visibility, tracking, and control over managed devices, and NDR covers the rest: the devices on which no agent can be installed.
NDR uses entity modeling to classify any device or entity within the network or cloud — servers, printers, MRI machines, thermal controllers, containers, etc. — and establishes a baseline of normal behavior using over 100 different behavioral models and more than 400 machine learning classifiers.
Once entities are classified, NDR can detect rogue or abnormal entities and suspicious traffic flows, even in encrypted traffic. And because SecureX offers visibility into both managed and unmanaged devices, it can detect and block malicious activity that spans both, such as an HVAC controller communicating with a laptop to move data out of the network. Additionally, all device activity is monitored and recorded for future investigation, so that in the event of a breach, historical information at the network, device, and file level is immediately available to teams.
Teams that have adopted SecureX have reported an 85% reduction in the time required to remediate attacks, saving 4-6 hours per week on investigation and up to 100 hours per workflow through automation.
Time is always of the essence where security is concerned. Cisco Secure solutions deliver extended detection in both passive and active ways by combining weak signals from multiple security components into strong signals of malicious intent, alerting you to threats that would otherwise have been missed. Multilayered machine learning engines (supervised, unsupervised, statistical, and behavioral) run in the environment at all times. These engines detect anomalies, correlate them with attack patterns and known campaigns, and classify entities against threat-actor models, even within encrypted traffic; detection in encrypted traffic relies on metadata such as flow timing, packet sizes and TLS handshake characteristics rather than on decrypted payloads. The activity descriptions and the behavioral and forensic profiles of emerging threats that these engines produce also expose the layers of inference used to reach each verdict.
The net result is that you can identify suspicious behaviors that you did not know you should be looking for, such as scanning, beaconing hosts, data hoarding and more, in real time and respond to them immediately. Furthermore, when you need to accelerate a specific investigation, you can proactively hunt for malicious, hidden artifacts in real time, quickly giving incident responders a narrative of how an attack was spotted, how it evolved, and what to do next to remediate it before it becomes a real problem. Simply type the name of an artifact into the search engine of our security platform and explore detailed context, logs, and telemetry from the entire network down to the endpoint level. You will immediately know whether that artifact has been seen within your environment, which geographies it is associated with, the communications related to it, which devices were involved, and more. Customers have reported that with these XDR capabilities in their environments, detection times were reduced by 95% and dwell times by 85%.
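To make the two behaviors named above concrete, here is an added example of the kind of flow-level heuristic that surfaces a beaconing host and a port scanner from NetFlow-style records. It is illustrative code written for this page, not Cisco's implementation, and it says nothing about the models SecureX or Secure Network Analytics actually use; the flow records, IP addresses and thresholds are all constructed.

```python
"""Flow-based heuristics for beaconing and scanning (added example, not Cisco code).

Beaconing: a (src, dst, port) channel whose inter-connection gaps are nearly
constant (low standard deviation relative to the mean gap).
Scanning: one source touching many distinct (dst, port) targets inside a
short time window. All flow records below are constructed sample data.
"""
from collections import defaultdict
from statistics import mean, pstdev


# Constructed NetFlow-style records: (ts_seconds, src_ip, dst_ip, dst_port, bytes_out)
def _beacon_flows():
    # 10.0.0.5 calls home every ~60 s with at most 1 s of jitter (constructed)
    jitter = [0, 1, -1, 0, 1, 0, -1, 1, 0, 0, -1, 1]
    return [(1000 + 60 * i + j, "10.0.0.5", "203.0.113.7", 443, 512) for i, j in enumerate(jitter)]


def _scan_flows():
    # 10.0.0.9 probes 20 ports on a single host within about 4 s (constructed)
    ports = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143,
             443, 445, 993, 995, 1433, 3306, 3389, 5900, 8080, 8443]
    return [(2000 + i * 0.2, "10.0.0.9", "10.0.1.20", p, 60) for i, p in enumerate(ports)]


def _normal_flows():
    # 10.0.0.12 browses a few sites at irregular intervals (constructed)
    times = [1005, 1130, 1190, 1460, 1475, 1900, 2300]
    dsts = ["198.51.100.10", "198.51.100.11", "198.51.100.10", "198.51.100.12",
            "198.51.100.12", "198.51.100.10", "198.51.100.13"]
    return [(t, "10.0.0.12", d, 443, 4000) for t, d in zip(times, dsts)]


FLOWS = sorted(_beacon_flows() + _scan_flows() + _normal_flows())


def detect_beacons(flows, min_connections=8, max_jitter_ratio=0.05):
    """Flag channels whose connection cadence is too regular to be a human.

    jitter_ratio = population std-dev of inter-connection gaps / mean gap.
    A handful of irregular visits to the same site never reaches min_connections.
    """
    by_channel = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        by_channel[(src, dst, port)].append(ts)
    hits = []
    for (src, dst, port), times in by_channel.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        ratio = pstdev(gaps) / avg
        if ratio <= max_jitter_ratio:
            hits.append({"src": src, "dst": dst, "port": port, "connections": len(times),
                         "period_s": round(avg, 1), "jitter_ratio": round(ratio, 3)})
    return hits


def detect_scans(flows, window_s=10, min_targets=15):
    """Flag sources that contact many distinct (dst, port) targets within window_s seconds.

    A single destination host means a vertical (port) scan; several hosts means
    a horizontal sweep.
    """
    by_src = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        by_src[src].append((ts, dst, port))
    hits = []
    for src, events in by_src.items():
        events.sort()
        start, best = 0, set()
        for end in range(len(events)):           # sliding window over time-ordered events
            while events[end][0] - events[start][0] > window_s:
                start += 1
            targets = {(d, p) for _, d, p in events[start:end + 1]}
            if len(targets) > len(best):
                best = targets
        if len(best) >= min_targets:
            hosts = {d for d, _ in best}
            hits.append({"src": src, "targets": len(best), "hosts": len(hosts),
                         "kind": "vertical" if len(hosts) == 1 else "horizontal"})
    return hits


if __name__ == "__main__":
    import json
    print(json.dumps({"beacons": detect_beacons(FLOWS), "scans": detect_scans(FLOWS)}, indent=2))
```

The thresholds are the interesting part in practice: a jitter ratio around 0.05 catches a fixed-interval implant but misses one that randomizes its sleep, and the scan window must be short enough that a patch-management server contacting hundreds of hosts over an hour does not trip it. Real products tune these against a per-entity baseline rather than fixed constants.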
SecureX and the Cisco Secure portfolio make better use of your team's bandwidth: the waves of low-value alerts that typically burden security teams are curbed by one of the lowest false-positive rates in the industry. Before any alert is created, Cisco Secure builds a detailed view of the environment (network, endpoint and cloud), running continuous file and traffic analysis to understand every asset, including its posture, associated user identity, relevant policy settings, and typical behavior patterns.
This information is augmented via a detailed view of all activities that took place on each endpoint — including when files first appeared, how they have behaved since arrival and all relevant interconnections with other security layers connected to the platform. Multi-layered machine learning then correlates threat behaviors seen in the environment with those seen globally to discover anomalous and malicious network or cloud activity that is indicative of a breach. When an alert is generated, all this information is available in a consistent location and with just a few clicks, teams can explore a full picture of the situation.
It is difficult to understand something that is not laid out in a way that makes exploration easy. SecureX delivers a clear, easy-to-read interface that surfaces possible compromises by event and by host, displays alerts prioritized by threat severity score, and recommends remediation steps. Drill down into an alert and you will see visual forensics showing every device and traffic flow involved, plus a file trajectory that shows all associated artifacts, from email attachments to web requests.
Now that you see the root cause, you can easily control the outbreak. Check out use case 6 to see how we help you do that.
Because our patented retrospective security technology tracks the movement of every file and flow, forensic data is available at any time. With this continuous monitoring, new threat information is correlated with historical data to automatically quarantine files the moment they start to exhibit malicious behavior. This automated response to the latest threats means faster time to detection and greatly reduces the proliferation of malware. In the event of a breach, security teams can see when it started, when it was discovered, what tactics were used, and a summary of what was behind the actions, whether malware, fileless malware or a malicious insider. Additionally, they can explore what type of information was exfiltrated, when and where it was sent, and are given recommended steps for remediation.
Choosing the right alert to investigate is one part of the battle that we make easier with more nuanced and more accurate alerting. But that’s just step one — next you must determine precisely WHAT is happening and HOW to act, which isn’t always easy. This is why we’ve mapped our security solutions and key functionalities to MITRE ATT&CK — a framework focused on understanding the specific tactics, techniques, and procedures used by attackers to infiltrate systems. This makes it easy for teams to see the type of mitigations they have available, which ones to use, and when to use them.
For instance, when you click on an alert you can see any associated artifacts, where they fall in the MITRE ATT&CK framework, and recommendations on how to respond to the situation. You can also run global queries that map to specific MITRE ATT&CK techniques, so you can assess your security posture and remediate areas of hidden compromise.
These queries can be inserted into broader security playbooks that run at regular intervals. Because of the work Cisco has done, and continues to do, to map existing IoCs to MITRE ATT&CK, your team does not need deep expertise in how different malware strains behave, in the specific remediation steps, or in MITRE ATT&CK itself. They will be able to leverage the knowledge we have coded into our security portfolio to make smarter decisions faster.
Additionally, SecureX offers threat hunting that leverages the expertise of Talos and our Research and Efficacy team to proactively identify threats in customer environments. The combination of these elements delivers high-fidelity alerting from automated, human-driven hunts. Twenty years of experience can more than make up for a shortfall in security knowledge or personnel.
ATT&CK is a catalog of the methods cyber attackers use to gain and keep access to your environment. MITRE took these hundreds of techniques, grouped under a small number of tactics, and mapped them to a relatively short list of 41 mitigations.
These mitigations make security conversations easier: teams can discuss a mitigation like "restrict web-based content" (ATT&CK mitigation M1021) rather than asking a litany of technique-level questions such as "how do we prevent access token theft?" (T1528, Steal Application Access Token) or "how do you stop a drive-by compromise?" (T1189), both of which that single mitigation addresses.
To learn more check out this blog, this recent whitepaper, or visit cisco.com.
A key component of XDR is its ability to accelerate and automate security responses. No team, no matter its size, has the time to follow up on every alert, which leads to the dwell times we see today. And since exfiltration can begin within 3 hours of a breach, the moment a detection occurs it is a race against the clock. With our security platform's orchestration feature, we share pre-designed workflows for threat hunting (SecOps), vulnerability management (SecOps and ITOps), and traffic optimization (SecOps and NetOps) with your teams. This means your teams do not need to create them from scratch and can learn by example. When you need to build your own automated playbook or customize the sample workflows, you can use our drag-and-drop canvas with an extensive library of built-in activities, including response actions and approvals.
Now remediation is simpler and more process driven. With detailed file tracking across every endpoint, correlated with network, email and web activity, you can configure automated file blocking and exploit prevention based on analysis results, either before execution or retrospectively. We have also automated policy actions such as taking forensic snapshots, running file analyses, blocking files and domains, and moving entities to a more aggressive protection stance such as network access shutdown or quarantine, so your teams have more time to focus on making timely decisions. All of this is brought together in a single view so that you are not jumping between consoles when time matters most. Our customers have reported that our security platform has helped them reduce time to remediate by 97%.
A significant benefit of integrated security layers, a huge global customer base, and the largest non-governmental threat research organization in the world is the ability to act quickly and completely when something does get through. The moment a threat is detected and blocked in your environment, it is automatically removed from other compromised endpoints and blocked across the network, all endpoints, email, web and cloud, and the resulting intelligence is shared across 500,000 Cisco Secure customers. For example, if an endpoint visits a URL and is compromised, the moment that URL is recognized as malicious the domain is blocked for all devices and the compromised endpoint is isolated to prevent further proliferation.
Storing, aggregating, and analyzing logs at scale is an extremely difficult proposition even for highly seasoned security teams. To make this easier and to deliver the speed of access modern security teams require, Cisco Secure solutions offload key elements to the cloud. Traffic logs, analysis results, historical data on endpoints, file names, file movements, and other patterns are all available at any time, yet are stored outside your environment, a point to weigh against any data-residency requirements you operate under. In addition, our threat intelligence is also powered by the cloud, providing a massive repository of information that is available in real time.
One example of this scale is how we keep track of every file seen on endpoints, attached to emails, downloaded via the web, or traversing the network or cloud. We continuously analyze any file that is unknown, meaning it has neither a known-good nor a known-bad reputation, since files can initially appear benign but later behave maliciously. Cisco uses our cloud-native malware analytics to retrospectively alert teams when this happens and, in tandem with use cases 3 and 7, shows teams where the file was seen in the past and offers automated or single-click response workflows to remediate the situation.
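The retrospective mechanism described here and in the earlier passage on retrospective security comes down to a ledger of file sightings that is re-read whenever a verdict changes. The following is an added illustration of that logic written for this page; it is not Cisco code and the data model, host names, paths and placeholder digests are all constructed assumptions, not a description of how Secure Endpoint or Secure Malware Analytics store their data.

```python
"""Retrospective file alerting (added example, not Cisco code).

Every sighting of a file hash is recorded as it happens. Unknown hashes are
allowed while analysis continues; when a verdict later flips to malicious the
ledger produces one retrospective alert that lists every host that ever saw
the file, the earliest sighting (the observed entry point) and the dwell time
between that sighting and the verdict. Subsequent sightings are blocked.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sighting:
    ts: int        # epoch seconds
    host: str
    path: str
    source: str    # where the file was observed: "email", "web", "endpoint", "network"


class FileLedger:
    """Tracks sightings and verdicts per SHA-256 and re-evaluates history on verdict change."""

    def __init__(self):
        self._sightings = defaultdict(list)   # sha256 -> [Sighting]
        self._verdicts = {}                   # sha256 -> "clean" | "malicious" | "unknown"
        self.alerts = []

    def observe(self, sha256, sighting, reputation="unknown"):
        """Record a sighting; return 'block' if the hash is already known malicious, else 'allow'."""
        self._sightings[sha256].append(sighting)
        current = self._verdicts.setdefault(sha256, reputation)
        return "block" if current == "malicious" else "allow"

    def unknown_hashes(self):
        """Hashes still without a verdict; these stay under continuous analysis."""
        return sorted(h for h, v in self._verdicts.items() if v == "unknown")

    def update_verdict(self, sha256, verdict, ts):
        """Apply a new verdict. A change to 'malicious' yields a retrospective alert, else None."""
        previous = self._verdicts.get(sha256, "unknown")
        self._verdicts[sha256] = verdict
        if verdict != "malicious" or previous == "malicious":
            return None
        history = sorted(self._sightings.get(sha256, []), key=lambda s: s.ts)
        if not history:
            return None
        first = history[0]    # earliest observed sighting; the true entry point may be earlier
        alert = {
            "sha256": sha256,
            "verdict_ts": ts,
            "first_seen_ts": first.ts,
            "entry_point": {"host": first.host, "source": first.source, "path": first.path},
            "dwell_s": ts - first.ts,
            "hosts_to_quarantine": sorted({s.host for s in history}),
            "trajectory": [(s.ts, s.host, s.source, s.path) for s in history],
        }
        self.alerts.append(alert)
        return alert


# Constructed scenario. The digests are placeholders, not real file hashes.
SAMPLE_SHA = "aa" * 32
CLEAN_SHA = "bb" * 32


def run_scenario():
    """An unknown attachment spreads to three hosts before the sandbox verdict arrives."""
    ledger = FileLedger()
    ledger.observe(CLEAN_SHA, Sighting(50, "host-1", r"C:\Tools\editor.exe", "web"), "clean")
    actions = [
        ledger.observe(SAMPLE_SHA, Sighting(100, "host-1", r"C:\Users\a\Downloads\invoice.exe", "email")),
        ledger.observe(SAMPLE_SHA, Sighting(400, "host-2", r"C:\Users\b\Downloads\invoice.exe", "web")),
        ledger.observe(SAMPLE_SHA, Sighting(700, "host-1", r"C:\ProgramData\svc\invoice.exe", "endpoint")),
        ledger.observe(SAMPLE_SHA, Sighting(900, "host-3", r"\\fileshare\public\invoice.exe", "network")),
    ]
    pending = ledger.unknown_hashes()                        # still awaiting analysis
    alert = ledger.update_verdict(SAMPLE_SHA, "malicious", 1200)
    late = ledger.observe(SAMPLE_SHA, Sighting(1300, "host-4", r"C:\Temp\invoice.exe", "web"))
    return {"actions": actions, "pending": pending, "alert": alert,
            "late_action": late, "alert_count": len(ledger.alerts)}


if __name__ == "__main__":
    import json
    print(json.dumps(run_scenario(), indent=2))
```

The point a practitioner should take from this is that the retrospective alert is only as complete as the sighting history: a host that was never reporting telemetry while the file was present will not appear in the quarantine list, so agent coverage directly bounds what "where did we see this before" can answer.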
Compliance is a complex issue for many organizations, both to define and to achieve. Rules are easy enough to configure in a firewall, but determining when and whether configuration has drifted from policy is a different story. Human error, lack of expertise and ad hoc troubleshooting can and will lead to gaps in your compliance posture. With built-in analytics across the network, cloud and endpoints, you get visibility into every communication occurring within and outside your environment. This visibility exposes configuration risks by detecting overly permissive rules and aging API keys, and by surfacing the native compliance alerts of your cloud infrastructure. It also provides audit trails and policy-violation alarms that can be tuned to your business logic.
Because visibility extends to every individual endpoint, it is easy to check system status such as OS version, software vulnerabilities, and recent patches to assess risk exposure. What is more, these device and policy checks can be automated in SecureX through live device queries, using the osquery-based Secure Endpoint feature called Orbital. Additionally, we unify user and endpoint protection to enforce compliance in real time in support of a zero-trust access model. By sharing telemetry from our endpoint agent with our analytics and access solutions, we can take information like location, device, and posture into account immediately and automatically adjust access accordingly. This ensures that the right people have the right access to the right information, without putting your company at risk.
Cisco is a two-time zero-trust leader in The Forrester Wave: Zero Trust eXtended Ecosystem Platform Providers. Forrester gave Cisco the highest scores possible in the criteria of ZTX vision and strategy, market approach, ZTX advocacy and the future state of zero-trust infrastructure.
One of the most understandable concerns that Gartner puts forward in their analysis of XDR products is vendor lock-in. Rightly so. Integration is a difficult task in and of itself – making integrations that accommodate competitor technologies is difficult in a unique way. But the priority is, and always should be, the security of the customer.
SecureX was built with openness in mind and gives you the flexibility to bring your tools together, whether it’s with integrations that are built-in, pre-packaged, or custom.
Built-in integrations - Developed by Cisco and select third-party technology partners, customers can instantly configure built-in integrations in SecureX.
Pre-packaged integrations - With Cisco or partner-developed packages, customers use ready-made scripts and customer-provisioned cloud infrastructure to configure integrations.
Custom integrations - Customers can leverage SecureX threat response APIs and APIs of other technology vendors for any custom integration.
Many tools integrate in one of these three ways, but we also offer a browser extension that extends the integrated functionality of SecureX to any third-party, browser-based tool. Our technology partner ecosystem already includes intelligence sources, operational tools such as SIEMs and SOARs, and visibility and protection solutions that augment the threat hunting and incident response capabilities built into SecureX. In fact, 82% of our current customer base agrees that our third-party integrations are already adding meaningful value to their investigative capabilities.