
An Overview Of Cisco’s SecureX Device Insights

Drew Conry-Murray

Cisco recently presented at a Tech Field Day event at Cisco Live 2022. I attended a presentation on Cisco’s SecureX Extended Detection and Response (XDR) platform, which covered a feature called Device Insights. Here are my takeaways. You can also watch the presentation for yourself.

First, what’s an XDR? An XDR is essentially a giant bucket in which you’re supposed to pour all the thousands and tens of thousands of alerts and alarms that come from all your security products (firewalls, IPSs, endpoint software, etc.). Then you mix it up with information from your log collectors, NACs, mobile device managers (MDMs), SIEMs and other tools.

You might ask “Hey, wasn’t SIEM supposed to be the big bucket for aggregation, correlation, and normalization of security events?”

It was, but thanks to the ongoing ability of the security industry to one-up itself, XDR is the newer, bigger bucket. (I should note that an XDR isn’t meant to replace the long-term log and event storage capabilities of a SIEM or log collector. An XDR just uses relevant metadata already gathered by those products.)

Once you’ve poured all that information into the XDR, the XDR is then supposed to aggregate, consolidate, normalize, and visualize all of these disparate sources and turn them into meaningful dashboards that give you a high-level view of security alerts, threats, and incidents.

Cisco SecureX is Cisco’s entry in the XDR market. Like other XDR platforms, SecureX is provided as a cloud-based service. You can also get a SecureX VM that lives on premises and connects to the cloud service.

Apparently, if you already license a Cisco security product you can get SecureX at no cost. Note that features and capabilities may be limited.

What’s A Device Insight?

Device Insights is one feature in the broader SecureX service. What does Device Insights do? Device Insights aims to help security and network teams answer key questions about devices, including:

  • What devices are on the network?
  • Where are those devices located?
  • What users are using or accessing those devices?
  • Device details such as the presence of security agents, software versions, host firewall settings, and other context

Device Insights aggregates and visualizes third-party information about devices on your network. SecureX gathers this information from sources including device inventory systems, mobile device management (MDM) software, anti-virus/anti-malware endpoint software, and endpoint detection and response (EDR) software.
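To make the aggregate-and-normalize idea concrete, here is a small added example (my own illustration, not Cisco's code and not any SecureX API): it merges constructed device records from hypothetical MDM, EDR and inventory connectors into one per-device view keyed on serial number, then answers the "which devices have no security agent?" question from the list above. Every connector name, field name, hostname, serial and address in it is made up.

```python
"""Constructed example: merge device records from several sources into one per-device
view, in the spirit of Device Insights. Every source, field, hostname and serial is made up."""
from collections import defaultdict

# Constructed sample records, one list per hypothetical source connector.
MDM_RECORDS = [
    {"serial": "C02ABC123", "hostname": "lt-alice", "os": "macOS 12.4", "user": "alice", "site": "Denver"},
    {"serial": "C02DEF456", "hostname": "lt-bob", "os": "macOS 12.3", "user": "bob", "site": "Austin"},
]
EDR_RECORDS = [
    {"serial": "C02ABC123", "host": "LT-ALICE", "mac": "aa:bb:cc:00:00:01", "agent_version": "7.5.1"},
    {"serial": "PF3XYZ789", "host": "WS-CAROL", "mac": "aa:bb:cc:00:00:03", "agent_version": "7.4.0"},
]
INVENTORY_RECORDS = [
    {"serial": "C02ABC123", "name": "lt-alice", "ip": "10.1.1.10"},
    {"serial": "C02DEF456", "name": "lt-bob", "ip": "10.2.1.20"},
    {"serial": "PF3XYZ789", "name": "ws-carol", "ip": "10.1.1.30"},
]
SOURCES = {"mdm": MDM_RECORDS, "edr": EDR_RECORDS, "inventory": INVENTORY_RECORDS}

def normalize(source, rec):
    """Map one source's field names onto a common schema keyed on serial number."""
    if source == "mdm":
        return {"serial": rec["serial"], "hostname": rec["hostname"].lower(),
                "os": rec["os"], "user": rec["user"], "site": rec["site"]}
    if source == "edr":
        return {"serial": rec["serial"], "hostname": rec["host"].lower(),
                "mac": rec["mac"], "edr_agent": rec["agent_version"]}
    if source == "inventory":
        return {"serial": rec["serial"], "hostname": rec["name"].lower(), "ip": rec["ip"]}
    raise ValueError(f"unknown source: {source}")

def build_device_view(sources):
    """Merge normalized records; each device also remembers which connectors saw it."""
    devices = defaultdict(lambda: {"sources": set()})
    for name, records in sources.items():
        for rec in records:
            norm = normalize(name, rec)
            devices[norm["serial"]].update(norm)
            devices[norm["serial"]]["sources"].add(name)
    return dict(devices)

def devices_missing_edr(devices):
    """The 'which devices have no security agent?' question: serials with no EDR record."""
    return sorted(serial for serial, dev in devices.items() if "edr_agent" not in dev)

if __name__ == "__main__":
    view = build_device_view(SOURCES)
    print("devices with no EDR agent:", devices_missing_edr(view))
```

The same merged view also exposes the reverse gap, a device the EDR sees but the MDM does not, which is the kind of inconsistency a unified device inventory is meant to surface.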

What’s The Value Prop?

SecureX can ingest data from Cisco’s identity and endpoint products including Duo, Umbrella, Secure Endpoint, Orbital, and Cisco Secure Client. It also supports third-party products including Jamf, Intune, and AirWatch.

SecureX lets you track assets, run reports, and generally keep an eye on devices on the network. You can also use SecureX to create workflows that take actions. For instance, you can build a workflow so that, with a click from SecureX, you can send a command to a Cisco Firepower firewall to remove a device, or reach out to a Cisco endpoint client to kill an executable.

SecureX also integrates with ServiceNow, so if you take a security action from SecureX, SecureX can reach out to ServiceNow and open a ticket.

Integrations

As you might’ve guessed, an XDR should be able to draw from a variety of sources. That’s its whole point. Cisco says SecureX already has integrations with most Cisco security products, as well as integrations with 46 third-party products, including SIEMs and log stores such as Splunk and QRadar.

There are more details at cisco.com/go/secureX.

About Drew Conry-Murray: Drew Conry-Murray has been writing about information technology for more than 15 years, with an emphasis on networking, security, and cloud. He's co-host of The Network Break podcast and a Tech Field Day delegate. He loves real tea and virtual donuts, and is delighted that his job lets him talk with so many smart, passionate people. He writes novels in his spare time.