XDR Buyer’s Guide

 

Navigating the Extended Detection and Response market like a pro

Understanding Extended Detection and Response (XDR)

Why does the world need another security approach?

In today’s hybrid, multi-vendor, multi-vector landscape, complexity is the biggest challenge. Security teams must protect an ever-expanding ecosystem, running operations across dozens of tools with inconsistent integration. IoT and hybrid work have led to an expanded attack surface. Phishing, malware, and ransomware are doubling and even tripling year over year. At the same time, organizations are more hyper-connected than ever before. A security breach to one group can impact suppliers, partners, customers, and even whole sectors of the economy.

This new normal requires a new approach — the ability to protect the integrity of every aspect of the organization to withstand unpredictable threats or changes and emerge stronger.

What is the solution?

With threats becoming increasingly sophisticated, the old detection and response model, built upon self-contained point security solutions, doesn’t go far enough. This is where XDR comes in. XDR is a unified security incident detection and response tool that automatically collects and correlates telemetry from multiple security tools, applies analytics to detect malicious activity, then responds to and remediates threats. Effective XDR solutions are comprehensive, correlating data across all vectors — networks, cloud and SaaS applications, the web, endpoints, email, and cloud workloads — enabling visibility and context across your environment into even the most advanced threats.

Why XDR?

1. Allows teams to detect the most sophisticated threats with event correlation and multi-vendor detections across network, cloud, endpoint, email, and more.

2. Reduces alert fatigue by prioritizing threats based on impact, so teams know what to do first.

3. Elevates productivity with task automation and guided remediations to make more efficient use of SOC resources.

4. Allows organizations to enhance ROI by leveraging and corelating telemetry across the existing security stack, regardless of vendor or vector.

5 Key Elements of XDR Done Right

1. Provides prioritized and actionable telemetry, everywhere you need it

Can you efficiently sift through the sea of alerts to triage threats?

Breadth of visibility and depth of insight are foundational to XDR. Many sophisticated threats don’t just attack the endpoint, or the network alone – they attack across a variety of vectors, including email, endpoint, network, identity management, sandboxing and firewall. That’s why you need an XDR solution that correlates a broad range of telemetry and quality of data that can provide a holistic and complete view of what is happening across your environment.

But it’s not just about gathering insights — incident management is equally important. For XDR to have the impact it promises, these insights must be prioritized. An XDR solution that offers risk-based prioritization — ranking incidents by greatest material risk to your organization — will allow you to act on what truly matters, faster. It should also offer recommendations for next steps, so that you can make informed decisions on the best course of action.

Questions to ask vendors:

●     How does your solution provide me with visibility across all my environments and deployed solutions (endpoints, devices, network)?

●     How does your solution deliver insights? Does your solution provide prioritized telemetry?

●     How does your solution prioritize threats based on impact and risk to my organization?

●     What type of threat intelligence is feeding your detection? Where does that intelligence come from?

●     How do you validate the data sources you use in your solution?

●     How does this product handle sophisticated threats such as Wizard Spider, Volt Typhoon, and BlackTech?

2. Enables unified detection, regardless of vector or vendor

Does your XDR solution enable your existing security stack to work together as one coordinated unit, increasing your ROI?

Security teams today are dealing with an extraordinary level of complexity both in the security environment and an ecosystem of global supply chains, attackers, and defenders. As threats become more sophisticated, ensuring consistent detection across the environment has never been more critical. XDR solutions can help by aggregating, correlating, and prioritizing detections based on severity and potential impact. But in order to do this, your security stack needs to work in unison. By selecting an XDR solution that is open, extensible, and cloud-first, you’ll benefit from unified detection and event correlation across your environment. Each tool in your security stack has unique detection elements that become more powerful when brought together.

An effective XDR should encompass all six telemetry sources, including endpoint, network, firewall, email, identity, and DNS, to provide a comprehensive view of potential threats. Your XDR solution should easily integrate with your entire security stack with native backend to frontend integration, so coverage stays consistent even as vendors make portfolio changes. Finally, to optimize the threat detection capabilities of your security stack, it is worth exploring XDR solutions that can provide valuable local context and deliver accurate threat intelligence verdicts on which you can rely. All of which extends the value and improves the return on your security investments.

Questions to ask vendors:

●     How many of my existing investments can your XDR platform leverage?

●     Is your XDR platform compatible with my solutions, regardless of vendor?

●     Do your solutions have out-of-the-box integrations with one another?

●     How are your detection technologies better than others that are on the market?

●     What kind of threats does your solution help detect? Does it map alerts to the MITRE ATT&CK framework?

3. Supports fast, accurate threat response

Once identified, how fast can you confidently respond to threats?

Unifying insights from the network, endpoint, and email (to name a few) provides a more accurate understanding of what has happened, how it progressed, and what steps need to be taken in order to remediate the threat. Ideally, you should be able to view threat impact and scope from one location, taking actions with just a click or two. Effective XDR requires native response and remediation capabilities, such as isolating a host or deleting a malicious email out of all inboxes. XDR should also make it easy to create custom response actions with opportunities to automate so that teams can evolve their security as time goes on.

Questions to ask vendors:

●     What response actions does the product provide?

●     Can remediation be performed on the endpoint using an XDR solution in one location and scaled to others?

●     How does the product integrate with existing security tools that enable response?

●     How does your solution accelerate remediation?

●     From threat alert to remediation, what’s the response time (ex: for a phishing attack)?

4. Offers a single investigative viewpoint for a streamlined user experience

Is your threat detection, response, and remediation managed from a single interface?

When evaluating XDR solutions, it’s important to take the security analyst experience into account. SecOps teams have enough to manage — there’s no need to slow them down with dozens of tools and a plethora of consoles. That’s why we recommend XDR solutions that are designed to help analysts detect and respond to threats more quickly and effectively by providing a unified view of security data across multiple security tools and data sources. This can help streamline workflows and reduce the time and effort required to investigate and remediate security incidents. XDR solutions should provide a full lifecycle dashboard covering every threat vector and access point. It should facilitate threat hunting through models such as MITRE ATT&CK that will make hypothesis-driven threat hunting accessible for those new to the process — and make it easier to anticipate what’s next. Another factor to consider is the impact of design on the analyst experience. It should elevate productivity and improve decision making times associated with the key functions of detection, investigation, and response. This in turn should enable less experienced analysts to perform advanced SecOps tasks by providing better context for alerts, along with progressive disclosure to provide only as much detail as is needed to quickly determine the scope and severity of a potential threat. And it should provide recommended and guided remediation so analysts at any level can confidently contain the threat.

Questions to ask vendors:

●     How does your solution help improve the performance of my team in their threat hunting endeavors?

●     How does the solution integrate with existing tools in my security stack?

●     Can your XDR help me understand the potential impact of a threat, discover the scope of the breach, and take single-click actions from one interface?

●     Does your solution provide support for role-based security by restricting all or portions of system/sub-system access to authorized groups and individual users?

●     Can you centralize and analyze telemetry from all my existing security tools, regardless of vendor?

●     Does your solution streamline incident response workflows to bring down the overall investigation timeline?

5. Provides opportunities to elevate productivity and strengthen security posture

Does your XDR solution increase threat detection and response efficiency, with less overhead, to improve ROI?

An important element of building your organization’s security resilience is automation and orchestration. Your security staff have important tasks to complete. When faced with a security threat, there’s no need for their time to be swallowed up following convoluted, manual, and repetitive workflows. XDR solutions that elevate productivity by automating critical workflows

●     such as discovering an alert, correlating it, prioritizing and taking a response action quickly

●     will free up your team across the full lifecycle.

An effective XDR solution should reduce the Mean Time to Respond (MTTR) by enabling an investigation that presents clear decisions and actions to allow analysts to respond in an automated and consistent way according to their policy and procedures. This means your SecOps teams can invest their time and energy towards more strategic and proactive tasks, further strengthening your security posture and improving the ROI of your existing security investments.

Questions to ask vendors:

●     For third-party integrations, do vendors’ API changes break my automation scripts?

●     How does your solution support monitoring to and from cloud-based workloads?

●     Will I need to change environment or deploy new technology with the XDR solution?

●     Does your XDR solution offer pre-built, out-of- the-box integrations with third-party security technology?

●     Does your XDR solution reduce the analyst time needed to investigate and resolve an incident?

●     Does your XDR solution inform your policy management to build resilience?

Cisco XDR

XDR is a crucial component of security resilience

Today, uncertainty is a guarantee. In response, organizations are investing in resilience across every aspect from finance to supply chains. But these will fall short without investment in security resilience — the ability to protect against threats and disruption, and to respond confidently so you can emerge even stronger.

XDR is a crucial component of embracing security resilience. Doing XDR right will increase your security posture by empowering security teams to prioritize threats by impact, detect threats sooner, and accelerate response. Automation and orchestration capabilities facilitate this process, freeing up security teams so they can focus on what matters most.

Security Operations Simplified with Cisco XDR

At Cisco, we have proactively invested in creating the most comprehensive security portfolio on the market, anticipating the security needs of the future, and integrating the components to make effective security simple and accessible for all teams, regardless of vendor or vector. We understand that building an XDR approach is a process, and we want your teams to break out of the vicious cycle of patchwork coverage from an industry supersaturated with point solutions. With Cisco XDR, we aim to create the shortest path from detection to response with the least friction.

Designed by security practitioners for security practitioners, Cisco XDR simplifies SecOps to help analysts remain proactive and resilient against the most sophisticated threats. Our solution is open, extensible, and cloud-first, allowing you to leverage existing security investments to enhance your ROI and gain unified security detection across your entire environment.

At Cisco, we take the responsibility of protecting customers’ assets seriously, as we are also customers of our customers. We want to partner with you in your security journey through the Cisco Security Cloud, an open security platform that helps you protect your entire ecosystem, no matter what comes next. Join us and experience the power of comprehensive security.

Ready to build the security operations of tomorrow, today?

Explore Cisco XDR

Key XDR Elements and Capabilities

Use this table (pages 9-10) for quick reference during conversations with XDR vendors.