Extended Detection and Response (XDR) is an emerging security category with a lot of hype, and a lot of differing opinions on what outcomes it will deliver. New market categories emerge when there are inherent, unmet needs, which cannot be achieved with the existing technology or toolsets. At Cisco, we believe XDR must solve real-world problems in the SOC, many of which have plagued teams for decades. It’s a new category and a new acronym because a new approach is needed by our customers.
Some vendors, and even some industry analysts, seem to believe that XDR is a replacement for SIEM, or simply a new set of features built upon an Endpoint Detection and Response (EDR) solution. We see it differently…
The True Promise of XDR
XDR solutions need to embrace a customer’s current complex ecosystem of security tools, streamline processes in the SOC, identify the threats that matter most, and provide automation and orchestration capabilities to facilitate a rapid response.
- XDR should ingest telemetry and security findings from multiple sources: network, cloud, endpoint, identity, email, and applications.
- XDR should treat all of these sources as critical context, analyzing these data sets with ML and AI in order to find threats earlier in the lifecycle with higher confidence.
- XDR should correlate and chain these findings together to demonstrate the pattern of the attack as it unfolds, and provide meaningful prioritization based on potential business impact.
- XDR should guide a security analyst through the investigation and response using progressive disclosure (show your work – we security pros are skeptics – we need to see what you’ve put together as an incident, and why!).
- XDR should provide automation that’s agnostic of the underlying security stack so users can respond quickly and confidently from a single console.
Next-Gen SIEM and EDR++
XDR, SIEM, and EDR are complimentary. First, XDR platforms are not intended to be large data warehouses used for threat hunting, complex queries, observability, long-term storage, or compliance. XDR consumes the precise telemetry it needs to find threat activity as quickly as possible. To be both fast and cost effective, while applying the most advanced analytics and artificial intelligence, you must be selective about the data you ingest, and be restrictive on the additional queries you let the user run. The good news is: SIEM is perfectly poised to allow to robust queries against comprehensive data sets. At Cisco, our SOC of the Future vision marries the market leading capabilities of Splunk’s Enterprise Security SIEM to our innovative XDR solution, providing an end-to-end security operations platform that can meet an organization where they are today, and grow with them to meet their needs in the future.
XDR also isn’t simply an evolution of EDR solutions. Identity, email, network, cloud, and application telemetry are all critical vantage points, especially if you want to detect and respond to an adversary before they’ve compromised a managed endpoint. EDR provides tremendous visibility for managed endpoints and is a critical capability that XDR must leverage, but a great XDR can be agnostic to the endpoint solution, instead of requiring another agent competing on your end user systems.
Market Validation and Shared Viewpoints
In the 10 months since Cisco XDR GA, we’ve acquired more than 450 customers who are excited about our XDR capabilities and vision, and product adoption continues to accelerate! We talk to our customers and prospects every single day, and we incorporate their ideas and new ways to deliver on the outcomes they need.
In the “GigaOm Radar for Extended Detection and Response,” you’ll find a comprehensive overview of the XDR market and GigaOm’s view on the role of XDR in the security ecosystem. We don’t just agree with GigaOm’s research because we’re a Notable Leader… we simply agree on the most important use cases and opportunities that XDR can and should solve!
XDR as a category is still being defined, but we’re positively optimistic that it changes the game for the Security Operations Center. Advancements in AI and ML allow us to accelerate threat detection and response like never before, and we must, because the adversaries aren’t slowing down either.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Security on social!
Cisco Security Social Channels
Instagram
Facebook
Twitter
LinkedIn
Share: