XDR Solutions Drive Faster Incident Response

Extended detection and response (XDR) platform solutions aggregate threat intelligence, local security context, and protective capabilities from multiple security components.


On average, it takes 280 days for security teams to detect that a network has been compromised by an attack. Those teams are dealing with a tremendous volume of endless alerts, often making it difficult to identify serious threats among the constant false positives that impact networks every day. This results in harried security personnel, duplication of effort, and the potential for truly malignant threats to reside in the network for extended periods.

Many security teams rely on security incident and event management (SIEM) or security orchestration, automation, and response (SOAR) solutions, or perhaps a combination of the two, to address those concerns. But each of those solutions has limitations that may impact detection of and response to threats.

“SIEMs provide visibility, but they lack the orchestration and automation required to decrease response times,” writes Al Huger, Senior Vice President and General Manager of Cisco’s Security Platform & Response organization for Cisco Secure. “SOARs provide automation, but correlation is not straightforward and requires a lot of expertise. Neither option provides built-in response functionality.

“While larger companies can afford to do the lengthy process of calibrating and maintaining these solutions over time, it’s not possible for resource- and time-constrained teams,” Huger adds.

Integration and usability

Most organizations need a more integrated and usable approach that collects and correlates data across email, endpoints, servers, cloud workloads, and networks, providing visibility and context into advanced threats. Those threats can then be better analyzed and prioritized. Security teams will be better prepared to hunt and remediate attacks, and to reduce their severity and scope more quickly.

This more integrated approach has been categorized by Gartner as an extended detection and response (XDR) platform solution that “automatically collects and correlates data from multiple proprietary security components.”

XDR solutions aim to simplify detection and response processes, enabling security teams to turn weak signals into reliable alerts and act on them with confidence.

Cisco makes the case that it is essential to have three security components in balance to ensure a robust XDR solution:

  • X – The solution must bring together many different control points and data sources.
  • D – The solution must make detection smarter and faster with cross-sensor analytics and automated triage that surfaces the highest-priority alerts.
  • R – The solution must reduce dwell times through easier investigations, faster responses, and more automation.
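The cross-sensor correlation and automated triage described in the D point above can be illustrated with a small worked example. The code below is an added illustration, not Cisco or SecureX code: it takes alerts from three constructed sensor feeds (email gateway, endpoint agent, network sensor), groups alerts that concern the same host within a time window, scores each resulting incident so that corroboration from independent sensors outranks any single noisy alert, and surfaces only the incidents that clear a triage threshold. The hostnames, alert details, severities and the scoring weights are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Alert:
    sensor: str        # which control point raised it: "email", "endpoint", "network"
    hostname: str      # the asset the alert concerns (constructed names below)
    detail: str
    severity: int      # per-sensor severity, 1 (low) .. 5 (critical)
    ts: datetime


@dataclass
class Incident:
    hostname: str
    alerts: list
    sensors: set
    score: int


# Alerts raised within this window on the same host are treated as one incident.
WINDOW = timedelta(hours=2)

T0 = datetime(2021, 6, 1, 9, 0)

# Constructed sample feed: a phishing chain on ws-042 seen by three sensors,
# plus isolated single-sensor alerts on two other hosts.
SAMPLE_ALERTS = [
    Alert("email",    "ws-042",    "attachment matched phishing signature", 2, T0),
    Alert("endpoint", "ws-042",    "office process spawned script host",    4, T0 + timedelta(minutes=5)),
    Alert("network",  "ws-042",    "DNS query to newly registered domain",  3, T0 + timedelta(minutes=10)),
    Alert("endpoint", "srv-db-01", "burst of failed logins",                3, T0 + timedelta(minutes=30)),
    Alert("network",  "ws-017",    "port scan from host",                   2, T0 + timedelta(hours=1)),
    # Same host as above but 4 hours later: outside the window, so a separate incident.
    Alert("email",    "ws-017",    "message quarantined as spam",           2, T0 + timedelta(hours=5)),
]


def _build_incident(hostname, cluster):
    """Score a cluster: highest single severity, plus a bonus for each extra
    independent sensor that corroborates it (weights are constructed)."""
    sensors = {a.sensor for a in cluster}
    score = max(a.severity for a in cluster) + 2 * (len(sensors) - 1)
    return Incident(hostname, list(cluster), sensors, score)


def correlate(alerts, window=WINDOW):
    """Group alerts by host, split each host's timeline into clusters whose
    consecutive alerts are no more than `window` apart, and return the
    resulting incidents ordered by descending score."""
    by_host = defaultdict(list)
    for alert in sorted(alerts, key=lambda a: a.ts):
        by_host[alert.hostname].append(alert)

    incidents = []
    for hostname, timeline in by_host.items():
        cluster = [timeline[0]]
        for alert in timeline[1:]:
            if alert.ts - cluster[-1].ts <= window:
                cluster.append(alert)
            else:
                incidents.append(_build_incident(hostname, cluster))
                cluster = [alert]
        incidents.append(_build_incident(hostname, cluster))

    return sorted(incidents, key=lambda i: i.score, reverse=True)


def triage(incidents, threshold=6):
    """Automated triage: keep only incidents scoring at or above the threshold
    so analysts see the corroborated cases first."""
    return [i for i in incidents if i.score >= threshold]


if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS):
        print(f"{inc.hostname:10} score={inc.score} sensors={sorted(inc.sensors)}")
    print("needs attention:", [i.hostname for i in triage(correlate(SAMPLE_ALERTS))])
```

On the sample feed, the three low-to-medium alerts on ws-042 combine into one incident with a score of 8, while each isolated alert stays a low-scoring incident of its own; with the threshold at 6, only the ws-042 chain is surfaced. The two ws-017 alerts are kept apart because they fall outside the correlation window, which is the kind of tuning decision (window length, sensor bonus, threshold) a team has to make deliberately when calibrating triage.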

Open APIs leverage existing tools

SecureX is a cloud-native Cisco platform that integrates data from the company’s own proprietary solutions and through open APIs with other solutions that may be in use within a customer environment. More than 170 third-party solution partners integrate with SecureX, ensuring that organizations don’t have to rip out and replace existing tools.

Forrester, in a total economic impact analysis of six organizations using the Cisco solution, concluded that, “SecureX enabled security analysts to aggregate and correlate intelligence and data across security infrastructure into a single view and codify best incident response practices into playbooks that allowed the teams to accelerate incident management. Security analysts at the composite organization spend an average of 75% less time per incident in Year 1 and 90% less time per incident in Year 2 and Year 3.”

The growth in remote work and the emergence of the hybrid workplace add more complexity and noise for security teams to manage. Only with a more automated and reliable XDR solution can they hope to gain the advantage over today’s threat environment.

For insights into XDR and SecureX, download the Forrester report.

Copyright © 2021 IDG Communications, Inc.