Cisco XDR 101
In August 2023, Cisco officially announced that it is preparing to end SecureX. (The End of Support/End of Life date for SecureX is scheduled for July 31, 2024.) From this day forward, organizations that want to make use of the integrative features in SecureX will have to adopt a new offering called Cisco XDR. Crucially, note that while SecureX was free to organizations that licensed a Cisco security product, Cisco XDR will not be; organizations will have to license this new offering.
Why might organizations consider purchasing XDR? While SecureX integrates all Cisco Security products, as well as third-party applications, it has no analytics capability, and so is unable to do any kind of detection. In comparison to SecureX, Cisco XDR has a number of new features that make it a sophisticated tool for analysis, prioritization, and guided response. The most important new features in XDR are a long-term data repository to enable security analytics and retroactive threat hunting, a security analytics capability leveraged from Secure Cloud Analytics that allows for detecting incidents using machine learning, as well as the ability to ingest endpoint netflow telemetry from the cloud to process network correlation.
In this blog post, we will briefly walk through Cisco XDR.
We begin on the XDR Control Center.
The Control Center displays high-level metrics for your organization’s environment. It is fully customizable, so you only have to see the data that is most relevant to you.
Next, let's take a look at the Incidents tab.
The Incidents tab is where you manage incidents. You can click on an individual incident for more information about it.
Incidents can come from different sources, like Secure Endpoint or Secure Cloud Analytics.
Notice that each incident has a priority metric associated with it. XDR prioritizes incidents so that the highest-priority incidents rise to the top of your feed. The priority value assigned to an incident is formulated based on a combination of detection risk and asset value risk.
Also, notice that you can assign specific incidents to individuals in your organization to manage.
This brings us to the Investigate tab.
Investigate is where you can search all the data available to XDR. This can help you learn if an IOC was seen in your environment.
The results of a query are displayed in a node graph and include additional details.
Next up is the Intelligence tab.
XDR is powered by intelligence from multiple sources, including Cisco Talos. In addition, organizations have the ability to create and store private intelligence here. Private intelligence can be shared with other security tools in your environment like a Firewall by creating a feed.
The next component in XDR is Automate.
XDR comes with an always-on cloud-native automation engine.
A library of over 70 pre-built workflows is available to be imported under the Exchange menu and can be configured with no programming required. Additionally, custom workflows are easy to create using hundreds of pre-built code blocks.
Workflows are triggered to execute if certain criteria are met. You can configure how workflows are triggered in the Triggers menu.
Devices is the next component of XDR.
This is where you have a comprehensive view of all of the assets in your organization. Endpoint data is enriched by collecting data from your Cisco security tools like Duo, Meraki, Umbrella, and Secure Client.
You can learn more about a particular device by clicking on it. Notice that you can adjust the device value associated with a particular endpoint. Adjusting this value affects the incident prioritization related to the device so that more important devices are at the top of the incidents list.
Of note, under the Devices component, is a Deployment option. This is where you can manage your Cisco Secure Client deployment from the cloud. I’ve written a blog post detailing this useful feature here.
The final component of XDR is Integrations.
This is where you can learn about all of the integrations available to you and in your environment. Your integration options include not just Cisco security products, but also third-party applications.
I hope this brief run-through of Cisco XDR has given you a sense of the scope of this exciting new security offering. If you would like to learn more about how to configure XDR in your environment, schedule some time to talk to one of our experts.