Day one of RSA 2023 set what is likely to be the week’s thematic tone at the event: Platforms with cross-domain telemetry in the service of security will be the breakthrough tech. The RSA 2023 conference is held April 24-27 in San Francisco.
During a keynote speech on Monday, Cisco’s Jeetu Patel, the executive vice president and general manager of security and collaboration, and Tom Gillis, the senior vice president and general manager of security, explained how and why these platforms will advance security operations center functions.
Find out why extended detection and response was at the center of Cisco’s launch activities at RSA, including the company’s announcement about its cloud-based XDR service.
- Cisco’s spotlight on XDR at RSA
- Platform-based security announcements about XDR and Duo
- Cisco XDR: A turnkey solution that plays nice with third parties
Cisco’s spotlight on XDR at RSA
Patel said that cross-domain telemetry, the ability to track an exploit in near real-time as it moves across an enterprise’s domains, requires an end-to-end integrated platform, because with isolated defenses “it’s too hard to spot modern attacks that are in any way delineated from normal behavior.” A platform, Patel explained, can see what packages are traversing networks; the best example of this, he said, is XDR.
“XDR is going to be the talk of the show,” said Gillis. “You’ll be hard-pressed to find a vendor who is not telling that story.”
He said that, as it becomes increasingly clear that attackers are getting good at user and application behavior, looking at only one domain or incident means “you are only getting half the picture.” In essence, Patel explained, XDR confers the ability to look at high-fidelity data everywhere, whether it comes from email or from a PowerShell exploitation.
XDR is not SIEM
Gillis explained that XDR serves a different purpose than traditional security information and event management. He said that, while SIEMs are designed to log aggregated events over days or even months, XDR is close to real-time telemetry. Also, while SIEMs look at summary data, XDR looks for highest fidelity data, “every message, click, process and package,” Gillis said. “The industry realizes we need more resolution of events than log data.”
He said relying on SIEM data or single domain analytics does not provide visibility and correlation across email, the web, endpoint and the network.
“And that last one – the network – is probably one of the most overlooked defense tools,” Gillis said.
Platform-based security announcements about XDR and Duo
Gillis touted the platform versus multi-vendor approaches to security with this analogy: If you go to a big box store and buy what you think is a home grilling system, and open the box only to discover 1,000 pieces and no manual, you didn’t get what you paid for. You want the grill to be built, integrated and operational. He said that, similarly, a platform approach to security allows for a single, functional framework. “A platform is not a bag of parts, but a system with individual components put together in a coherent way.”
The company’s platform-focused announcements included the following:
- Cisco XDR is now in beta, with general availability in July. It is designed to simplify investigating incidents and quicken security operations center response times.
- To protect against multifactor authentication attacks, Cisco is offering advanced features in all editions of its Duo MFA platform.
- Beginning next month, Cisco is incorporating Trusted Endpoints into all paid Duo editions; it is currently only available in Duo’s highest tier. According to Cisco, Trusted Endpoints allows only registered or managed devices to access resources.
Cisco XDR: A turnkey solution that plays nice with third parties
Cisco calls the cloud-based XDR service a turnkey, risk-based solution that applies analytics to prioritize detections. The company stated XDR “…moves the focus from endless investigations to remediating the highest priority incidents with evidence-based automation.”
Per Cisco, the security service analyzes six telemetry sources that SOC operators say are critical for an XDR solution: endpoint, network, firewall, email, identity and DNS.
Cisco states that XDR integrates with leading third-party vendors to “share telemetry, increase interoperability and deliver consistent outcomes regardless of vendor or technology.” These vendors include the following:
- For endpoint detection and response: CrowdStrike Falcon Insight XDR, Cybereason Endpoint Detection and Response, Microsoft Defender for Endpoint, Palo Alto Networks Cortex XDR, SentinelOne Singularity XDR and Trend Micro Vision One.
- For email threat defense: Microsoft Defender for Office 365 and Proofpoint Email Protection.
- For firewalls: Check Point Quantum Network Security and Palo Alto Networks Next-Generation Firewalls.
- For network detection and response: Darktrace DETECT, Darktrace RESPOND and Darktrace ExtraHop Reveal(x).
- For SIEM: Microsoft Sentinel.