The RSA security show kicked off this week in San Francisco. One of the biggest news announcements came from Cisco, the industry’s biggest network vendor. At the show, the company unveiled its XDR offering, which is a cloud-delivered integrated platform that gets its data from six core components:
It’s important to note that with Cisco’s XDR solution, the “X” means “all” versus “eXtended,” which is in line with the way I defined it five years ago.
A brief history of XDR solutions
I believe I was the first analyst to use the term XDR in a 2018 post titled, “EDR is dead! Long live XDR!” and while I was somewhat tongue in cheek with the proclamation, my point was that any kind of detection and response tool is not effective in isolation.
XDR’s value proposition
A simple example can help illustrate the value. Consider the scenario where a user receives a phishing e-mail prompting them to click on some kind of executable. Now that the machine is infected, the malware spreads laterally and affects other computers. On one of the worker's machines, the EDR solution detects the malware, and the company thinks the threat has been responded to. But how is the company to know everywhere the malware spreads? The answer is they can't unless they have the necessary telemetry information to trace the malware back to the source.
XDR vs. EDR
It’s for this reason that I defined XDR not as EDR on steroids but rather as a complete rethink of detection and response where, at a minimum, the “X” aggregates telemetry from the network, endpoint, and DNS. Cisco also includes identity, firewall, and e-mail, which gives them an even broader data set to work with.
EDR tools have been around for a while, and many security pros I have talked to have told me they do a great job of the "D," which is detecting a breach but struggle with the "R," which is the response. This is because of the problem I outlined, where the tool can only see one small part of the overall attack surface.
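As an added illustration of the tracing problem in the phishing scenario above and of the multi-source aggregation just described (example code written for this page, not Cisco's or the author's), the toy below starts from a single EDR alert and walks constructed network-flow and DNS telemetry to find the origin host and every host it reached; hostnames such as ws-17 and the domain c2-beacon.example are made-up sample values.

```python
from collections import defaultdict, deque

# Constructed sample telemetry (not from the article): one EDR alert,
# plus network flows and DNS queries captured in the same time window.
EDR_ALERTS = [{"host": "ws-17", "ts": 1040, "alert": "malware blocked"}]
NET_FLOWS = [  # (ts, src, dst, dst_port)
    (1000, "ws-03", "ws-09", 445),
    (1010, "ws-09", "ws-17", 445),
    (1020, "ws-09", "ws-22", 445),
    (1030, "ws-40", "fileserver", 443),   # unrelated traffic
]
DNS_LOGS = [  # (ts, host, query)
    (990, "ws-03", "mail-attachment-cdn.example"),
    (995, "ws-03", "c2-beacon.example"),
    (1015, "ws-09", "c2-beacon.example"),
]
LATERAL_PORTS = {445, 3389, 5985}  # SMB, RDP, WinRM: typical lateral-movement ports


def trace(edr_alerts, flows, dns_logs, lateral_ports=LATERAL_PORTS):
    """From the single EDR detection, walk lateral-movement flows backwards
    to the origin host, then forwards to every host the chain reached.
    Returns (origin_host, set_of_affected_hosts, domains_queried_by_origin)."""
    inbound = defaultdict(list)   # dst -> [(ts, src)]
    outbound = defaultdict(list)  # src -> [(ts, dst)]
    for ts, src, dst, port in flows:
        if port in lateral_ports:
            inbound[dst].append((ts, src))
            outbound[src].append((ts, dst))

    # Backwards: repeatedly take the earliest inbound lateral connection
    # that precedes the current infection time until none remains.
    origin, horizon = edr_alerts[0]["host"], edr_alerts[0]["ts"]
    while True:
        prior = [(ts, src) for ts, src in inbound[origin] if ts < horizon]
        if not prior:
            break
        horizon, origin = min(prior)

    # Forwards: breadth-first over lateral flows from the origin (the EDR
    # alone saw only ws-17; this surfaces ws-22, which raised no alert).
    affected, queue = {origin}, deque([origin])
    while queue:
        for _, dst in outbound[queue.popleft()]:
            if dst not in affected:
                affected.add(dst)
                queue.append(dst)

    origin_dns = sorted({q for _, host, q in dns_logs if host == origin})
    return origin, affected, origin_dns
```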
Cisco’s XDR service announcement – why now?
The new Cisco XDR service will be available in July and aggregates information from Cisco's products but also from third parties. The cloud-based service combines the telemetry information to analyze data, control network access, respond to threats, and automate responses from a cloud-based portal. Cisco recognizes that most customers run multiple security vendors, so it built in integration with a number of third parties, including Palo Alto Networks XDR, Microsoft Defender, Trend Micro Vision One, ExtraHop Reveal, and SentinelOne Singularity.
It's fair to say that Cisco is late to the XDR game, but on a pre-brief with analysts, AJ Shipley, VP of Product Management for Threat, Detection, and Response, talked about the importance of getting XDR right versus coming to market quickly. He told us, “We wanted to deliver a product that was a single detection and response platform that was automated and cloud-first. The reality is that detection without response is insufficient, but response without detection is impossible. Investigation is the bridge between the two, and we had to shrink the investigation time as much as possible to get customers proactive response actions that are backed with evidence but are automated to get them back up and running as quickly as possible.”
Shipley added, “The goal is to enable security operations teams to find threats and remediate them before they cause significant damage to the company. Our XDR uses high fidelity data and is much more fine-grained than one could achieve with EDR alone or with a SIEM.” This distinction from Cisco is critical today as fraudsters are using modern tools like generative AI to replicate legitimate user behavior or to mimic validated applications, so the SOC needs tools to look below the surface and correlate data to find a needle in a stack of needles.
The success of any vendor's XDR solution will be based on the data it has, and that should give Cisco an edge as it has a massive installed base of technology. It is the dominant network vendor with over 50% share, and its AnyConnect mobile client is deployed on over 200 million endpoints.
The next wave of growth
For Cisco, the release of XDR is long overdue and presents the company's best growth opportunity. Cisco has the dominant share in networking, so share gains there will be difficult. Collaboration is getting tougher to compete in because of Microsoft's licensing strategy. Security, however, is currently wide open, with no vendor having double-digit shares. XDR allows Cisco to leverage the network and solve security challenges that have historically been nearly impossible to keep up with, and if they get this right, it could fuel the company's next wave of growth.
Zeus Kerravala is the founder and principal analyst with ZK Research.