Video

What is Cisco XDR?

Episode 7

Video Summary

Overview of Cisco XDR

What is Cisco XDR?

Cisco XDR (Extended Detection and Response) is a cloud-based security solution that helps teams detect, prioritise, and respond to threats across multiple security layers. It aggregates data and telemetry from endpoints, networks, email, cloud workloads, and more to provide a unified security posture view.

Key Features of Cisco XDR

Utilising AI and machine learning, Cisco XDR correlates detections to reduce alert fatigue and align security risk with business risk. This improves security operations by accelerating detection, investigation, remediation, and automating workflows.

Benefits of Cisco XDR

• 90% of users report reduced analyst effort per incident, enhancing performance
• 90% report increased security operations efficiency, enabling faster response
• 85% see reduced attack dwell times for better security
• 50% experience decreased breach risk and costs, improving the bottom line

Exploring the Cisco XDR Platform

Control Center and Dashboards

Upon logging into Cisco XDR, users are presented with customisable dashboards. These dashboards can be tailored to show relevant information from any integrations set up in the XDR instance, allowing organisations to view data pertinent to their needs.

MITRE ATT&CK Coverage Map

The platform features a heatmap of tactics, techniques, and procedures (TTPs) from the MITRE ATT&CK framework. This map displays how various products and integrations impact the security posture, allowing users to drill down into details on specific vulnerabilities.

Incident Management in Cisco XDR

Multi-Source Incident View

Incidents in Cisco XDR aggregate alerts from multiple sources into a single prioritised view. Incidents are ranked by business impact and asset value, enabling security teams to focus on the most critical threats.

Progressive Disclosure for Analysts

Cisco XDR uses progressive disclosure to avoid overwhelming analysts. Initial panels provide summary information, with the option to dive deeper into incident details as needed.

Incident Details Panel

The incident panel displays connected MITRE tactics and techniques to map the attack chain, priority scores based on detection risk and asset value, and an AI-generated summary explaining the incident's nature.

Assets and Sources

The incident details include affected assets, such as devices and users, alongside source integrations like Cisco Secure Endpoint and Network Analytics that contributed data to the incident.

Deep Dive into Incident Detail

Clicking "View Incident Detail" opens a comprehensive screen featuring a spider diagram of involved entities including IP addresses, users, and processes. Analysts can explore observables and source integrations that led to the incident's creation.

Next Steps in Incident Analysis

Detection Tab Overview

The detection tab presents all individual events Cisco XDR has correlated to form the incident, enabling detailed investigation and response planning.

Incident Response Workflow in Cisco XDR

Events and Indicators Overview

The event list displays key details including date and time when an event was first seen, its severity, source, associated indicators, connected observables, and impacted assets. This information helps analysts understand why XDR flagged the event as suspicious.

Response Playbook and Identification

The response tab features a playbook structured into phases such as identification, containment, eradication, and recovery. Each phase presents steps pre-populated by AI, allowing analysts to generate AI notes or manually add observations.

Playbook Execution and Automation

Actions such as confirming an incident trigger predefined automated workflows that streamline the response. Analysts then proceed through containment steps to isolate threats, followed by eradication to remove them, and finally recovery to restore normal operations.

Worklog and Incident Reporting

Throughout the response, a worklog compiles AI-generated and analyst-added notes. At the conclusion, XDR can generate a comprehensive AI-driven incident report summarising all response activities, which can be downloaded and shared with stakeholders.

Threat Intelligence Integration

Intel from Cisco Talos

The intelligence tab provides up-to-date threat information from Cisco Talos, Cisco’s in-house threat intelligence team of over 500 personnel. This world-class feed offers vital context for threat detection and prioritisation.

Customisable Intelligence Feeds

Users can add third-party threat intelligence sources to augment Cisco Talos data, creating a broader and richer threat picture tailored to their environment.

Detailed Intelligence Overview

The interface shows judgements, indicators, producers, and related events linked to intelligence items. Multiple intelligence feeds can be combined for enhanced detection capabilities.

Integration Capabilities of Cisco XDR

Cisco Product Integrations

XDR seamlessly integrates with the full Cisco security product suite, allowing easy onboarding and trial of additional Cisco products to enhance security coverage.

Third-Party Integrations

A wide array of third-party security tools, including Elastic Cloud and CrowdStrike, can be integrated to provide a unified security management experience within the XDR platform.

Additional Resources

Who are Somerford?

We are a passionate group of people delivering innovation to our customers on their digital transformation journey.

Get in Touch to Learn More

At Somerford, we are proud to be an Elite Splunk partner with specialist certified consultants in different areas of the Splunk suite. If you'd like to speak with one of our video presenters, or connect with one of our other experts, please get in touch with us today.