An Expert-Guided Primer on Cisco XDR
by Robert Keblusek, Chad Richards, and Chris Yacoumakis
Extended Detection and Response (XDR) has become an increasingly hot topic in the world of IT over the past year. With the recent launch of Cisco’s XDR solution, Sentinel assembled a panel of our top experts for a Q&A to share their thoughts on what it is, why you should be paying attention, and how Cisco XDR can enhance your organization.
What is XDR?
Robert Keblusek, Sentinel Chief Innovation and Technology Officer: XDR (Extended Detection and Response) is really a game-changing technology for detecting threats within an organization. You'll see a lot of vendors coming out with XDR, oftentimes as an extension to the EDR (Endpoint Detection and Response). XDR aims to aggregate different pieces of signal in a customer environment to give you a better view and a more instant threat alert when you have bad things happening within your systems. A lot of the XDR systems start with endpoint. They're bringing in cloud security components. They're also bringing in firewalls, network analytics, and threat intelligence. But they're bringing this all together and handing it to us in ways that weren't available in previous products.
Why is XDR for everyone?
Robert Keblusek: I believe XDR is important for pretty much everyone. Analysts are predicting that over the next 2-3 years, you're going to see less than a 2% rate of adoption suddenly jump to well over 30% in most enterprises. And the reason for that is people have to find threats in the environment faster. Current tools don't provide the automation necessary. They don't provide the instantaneous or near real-time alerting that's available with the new XDR platforms. It's taking it from select pieces of signal that would easily identify a compromise within your organization. So a lot of people have different approaches on it. I really love Cisco's approach to this, where they're combining cloud analytics, along with a great platform, endpoint, firewall, email - all those important pieces of signal in the environment to identify threats very quickly, let you know very quickly, and make it easy for your security operations team to take action. I think that's why it's been really important for organizations to take a look at XDR and figure out how it fits into their defenses.
What happened to EDR (Endpoint Detection and Response)?
Chad Richards, Senior Director of Technical Sales for Fortis by Sentinel: EDR is still around. What really happened is there was an evolution not much dissimilar to having a standard firewall turned into a next generation firewall. We took an IPS, we took application security, and we smashed it together for the next generation firewall. Similarly, the EDR component is still there, but now resides inside of the XDR, along with cloud and network telemetry to work together to be able to speed up the actual collaboration and alerting on it.
Tell me about Cisco XDR
Chad Richards: We're really excited about Cisco XDR. There's a lot of XDR solutions on the market today, but the challenge they have is a lot of them are handcuffed to the EDR component. Cisco XDR is agnostic in its approach with a lot of different technologies, and it allows flexibility within an environment. You don't have one single architecture throughout the entire environment. It allows you to have those pivot points. That's quite important in security to be able to be able to change. Sometimes products don't don't always work out. Sometimes you need to shift because of your direction as a company and the outcomes you're looking for. Cisco really allows you to have that flexibility and not be tied into one single product.
How does Fortis by Sentinel leverage XDR?
Robert Keblusek: You can combine XDR with a SIEM, because Fortis has the advantage of both. So the beauty is we can better address your organization's security needs - whether it's XDR that's going to solve that problem for you, deliver an outcome you're looking for, and/or identify threats very quickly in your environment. We can solve that with XDR. We can also apply a SIEM to solve that, with additional use cases such as long-term searching, long-term log retention, additional log sources that really just don't fit into XDR and may be more risk centric, as well as extensive reporting. So Fortis has both tools available to the analysts. We offer managed services on both. And our team of experts, along with our technical sales specialists, can help you identify which one(s) fit best for you.
How is XDR affecting Security Operations?
Chris Yacoumakis, Technical Product Manager for Fortis by Sentinel: XDR is changing Sec Ops in a few different ways. The first one is really enabling a security analyst during a threat triage to be able to actually take action without needing to understand the configuration pieces of the source tool that generated alerts or where the isolation needs to take place. The second one would be correlating all the various alerts into one incident that an analyst can quickly go through without getting bombarded by all the noise and things that don't matter for that specific alert. And the last one is really bringing network detection and response components into the solution. So typically you'll be able to see lateral movement within your environment, which includes cloud environments as well. Those are really big key plays of XDR enhancing security operations.
Final thoughts on XDR
Chad Richards: The XDR platform is not a marketing gimmick. This is something that is truly needed as a next-generation tool for everybody in the market. Your endpoints, your network, and your cloud come together and allow the telemetry to be collaborative much quicker than anything we've seen before. No tool in the market should be left unmonitored. So make sure there's no "set it and forget it" mentality on anything you put into place. There's no solution like that in the industry, so make sure you have 24-hour monitoring on everything you add into your environment.