Security automation with Cisco XDR

Security Operations Centers (SOCs) continue to face new and emerging threats that test the limits of their tooling and staff. Attackers have easy, inexpensive access to a wealth of cloud-based computing resources and can move faster than ever. Keeping up with threats is no longer about adding more people to the SOC to watch logs and queues; it is about using automation to match the speed of your attackers. This past April, at the RSA Conference in San Francisco, Cisco announced our new eXtended Detection and Response (XDR) product: Cisco XDR. Cisco XDR combines telemetry and enrichment from a wide range of products, both Cisco and third party, to give you a single place to correlate events, investigate, and respond to automatically enriched incidents. No modern XDR product is complete without automation, and Cisco XDR has several automation features built in to accelerate how your SOC fights its adversaries.

Response Playbooks

Having visibility into an incident is the first step, but being able to quickly take meaningful response actions is vital. In Cisco XDR, the new incident manager includes what we call the response playbook. The response playbook is a series of suggested tasks and actions broken down into four phases (based on the SANS PICERL model):

  • Identification – Review the incident details and confirm that a breach of policy has occurred.
  • Containment – Prevent malicious resources from continuing to affect the environment.
  • Eradication – Remove the malicious artifacts from the environment.
  • Recovery – Validate eradication and recover or restore impacted systems.

Each of these four phases has its own tasks that guide the analyst through completing the relevant steps, but the one to focus on from an automation perspective is containment. Let's say you have a few endpoints you want to isolate, but they are managed by several different endpoint detection and response (EDR) products: two are managed by Cisco Secure Endpoint and another by CrowdStrike. With both products integrated into Cisco XDR, all you need to do is click "Select" on the "Contain Incident: Assets" task, choose the endpoints to contain, and click "Execute." We handle the rest from there using an automated workflow in Cisco XDR Automation (explained in more detail in the next section). The workflow checks which endpoints belong to which EDR and takes the corresponding action in each product. Improving the analyst's ability to identify and execute a response action from within an incident is one of the many ways Cisco XDR helps your SOC accelerate its operations.

Response playbook feature in Cisco XDR

Automated Workflows

With automation being a core component of how we achieve XDR outcomes, it should come as no surprise that Cisco XDR has a fully featured automation engine built in. Cisco XDR Automation is a no-to-low-code, drag-and-drop workflow editor that lets your SOC accelerate how it investigates and responds, among other things. You can do this by importing workflows from Cisco or by writing your own. To take automation to the next level in Cisco XDR, we have a new concept called Automation Rules. These rules let you define criteria that determine when a workflow is executed. Here are some example rule types and when you might use them:

  • Approval Task – Take response actions after an approval task is accepted, or notify the team if a request is denied.
  • Email – Investigate suspicious or user-reported emails as they arrive in a spam or phishing investigation mailbox.
  • Incident – Enrich incidents with additional context, take automated response actions, assign them to an analyst, push data to other systems like ServiceNow, and more.
  • Schedule – Automate repetitive tasks like auditing configurations, collecting data, or generating reports.
  • Webhook – Integrate with other systems that can call a webhook when something interesting happens, such as a message being sent to a bot in Webex.

Cisco XDR Automation lets you move data between systems that don't know how to talk to each other, use custom or third-party tools to enrich incidents as they are generated, or tailor how your analysts respond to threats based on your standard operating procedures.
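A webhook rule means an outside system can start a workflow in your SOC, so the receiving end should authenticate and route the call before anything runs. The block below is an added example written for this post, not Cisco XDR code or the Webex API: the signing scheme (HMAC-SHA256 over "<timestamp>.<raw body>" carried in the assumed headers X-Timestamp and X-Signature), the routing table and the chat-style event are all constructed for the example and stand in for whatever the calling system really uses.

```python
"""Verify and route an inbound webhook before it triggers an automation workflow.
Added example for this post, not Cisco XDR code. The signing scheme (HMAC-SHA256
over "<timestamp>.<raw body>", carried in the assumed headers X-Timestamp and
X-Signature) stands in for whatever the calling system really uses; the
chat-style event below is constructed for the example."""
import hashlib
import hmac
import json
import time

MAX_SKEW_SECONDS = 300  # reject replays of a captured call older than five minutes

# Constructed routing table: which (resource, event) pair launches which
# hypothetical workflow. Anything else is ignored rather than executed.
ROUTES = {
    ("messages", "created"): "triage-chat-request",
    ("approvals", "decided"): "apply-approved-containment",
}


def sign(secret, timestamp, body):
    """Signature the sender is assumed to compute over the timestamp and raw body."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256)
    return mac.hexdigest()


def verify(secret, headers, body, now=None):
    """Constant-time signature check plus a freshness window against replay."""
    now = int(time.time()) if now is None else now
    try:
        timestamp = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False
    expected = sign(secret, timestamp, body)
    return hmac.compare_digest(expected, headers.get("X-Signature", ""))


def handle_webhook(secret, headers, body, now=None):
    """Return the workflow to launch, or a rejection; never parse an unverified body."""
    if not verify(secret, headers, body, now):
        return {"status": "rejected", "reason": "bad signature or stale timestamp"}
    try:
        event = json.loads(body)
    except ValueError:
        return {"status": "rejected", "reason": "body is not JSON"}
    workflow = ROUTES.get((event.get("resource"), event.get("event")))
    if workflow is None:
        return {"status": "ignored", "reason": "no rule for this event"}
    return {"status": "accepted", "workflow": workflow, "event_id": event.get("id")}


# Constructed sample: a chat-bot message event signed with a shared secret.
SECRET = b"example-shared-secret"
SAMPLE_EVENT = json.dumps({
    "id": "evt-0001", "resource": "messages", "event": "created",
    "data": {"text": "isolate host WKS-042", "personEmail": "analyst@corp.example"},
}).encode()
SAMPLE_TS = 1_700_000_000
SAMPLE_HEADERS = {
    "X-Timestamp": str(SAMPLE_TS),
    "X-Signature": sign(SECRET, SAMPLE_TS, SAMPLE_EVENT),
}

if __name__ == "__main__":
    print(handle_webhook(SECRET, SAMPLE_HEADERS, SAMPLE_EVENT, now=SAMPLE_TS))
```

The signature is checked over the raw bytes before JSON parsing, so a tampered body, a wrong secret or a replayed call outside the skew window is rejected before any rule is evaluated; events with no matching route are ignored rather than launching anything by default.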

Cisco XDR Automation


Finally, the core of what powers much of Cisco XDR is its APIs. Cisco XDR has a robust set of APIs that let you extend much of the functionality you see in the product out to other systems. You can use Cisco XDR APIs to scrape observables from a block of text (shown below in Postman), gather intelligence from integrated products, conduct an investigation, take response actions using integrated products, and more. The flexibility to use Cisco XDR through APIs lets your SOC customize its processes at a granular level. Want to enrich tickets in your ticketing platform with intelligence from your security products? We have APIs for that. Want to let analysts approve remediation actions by messaging a bot in Webex? We can do that too. Cisco XDR has a full suite of APIs that can help you take your security operations to the next level.
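To make concrete what "scrape observables from a block of text" involves, here is an added, stand-alone example of that job written for this post. It is not the Cisco XDR API or its client library: the refang rules, the ordering of patterns, the file-extension filter and the output shape ({"type": ..., "value": ...}) are assumptions chosen for the example, and the analyst note it runs over is constructed.

```python
"""Pull observables (hashes, URLs, IPs, domains, e-mail addresses) out of free
text, the kind of job the post describes doing through Cisco XDR's API. Added
stand-alone example, not the Cisco XDR API or its client: the output shape,
the refang rules and the file-extension filter are assumptions for the example."""
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Common "defang" notations analysts use so reports do not carry live links.
REFANG = [
    (re.compile(r"hxxp", re.I), "http"),
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", re.I), "."),
    (re.compile(r"\[@\]|\[at\]", re.I), "@"),
    (re.compile(r"\[:\]"), ":"),
]

# Order matters: hashes first so a SHA-256 is not also reported as a shorter
# hash, then URLs and e-mails so their hosts are not re-matched as bare domains.
PATTERNS = [
    ("sha256", re.compile(r"\b[a-f0-9]{64}\b", re.I)),
    ("sha1", re.compile(r"\b[a-f0-9]{40}\b", re.I)),
    ("md5", re.compile(r"\b[a-f0-9]{32}\b", re.I)),
    ("url", re.compile(r"\bhttps?://[^\s\"'<>)\]]+", re.I)),
    ("email", re.compile(r"\b[a-z0-9._%+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)),
    ("ip", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("domain", re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\b", re.I)),
]

# Heuristic: "report.pdf" satisfies the domain regex but is a file name.
FILE_EXTENSIONS = {"exe", "dll", "pdf", "doc", "docx", "xls", "xlsx", "zip",
                   "txt", "js", "ps1", "bat", "py", "sh", "php", "html"}
TRAILING_PUNCT = ".,;:!?"


def refang(text):
    for pattern, replacement in REFANG:
        text = pattern.sub(replacement, text)
    return text


def valid_ipv4(candidate):
    """Dotted quads like 12.4.1.300 pass the regex but are not addresses."""
    try:
        return ip_address(candidate).version == 4
    except ValueError:
        return False


def extract_observables(text):
    """Return deduplicated observables in first-seen order."""
    work = refang(text)
    found = {}  # (type, value) -> None; a dict keeps insertion order and dedupes

    def add(kind, value):
        found[(kind, value if kind == "url" else value.lower())] = None

    for kind, pattern in PATTERNS:
        def record(match, kind=kind):
            raw = match.group(0)
            value = raw.rstrip(TRAILING_PUNCT) if kind == "url" else raw
            if kind == "ip" and not valid_ipv4(value):
                return raw                       # leave the text untouched
            if kind == "domain" and value.rsplit(".", 1)[-1].lower() in FILE_EXTENSIONS:
                return raw
            add(kind, value)
            if kind == "url":                    # the host is an observable of its own
                host = urlsplit(value).hostname or ""
                if valid_ipv4(host):
                    add("ip", host)
                elif host:
                    add("domain", host)
            return " " * len(value) + raw[len(value):]   # blank the consumed span
        work = pattern.sub(record, work)

    return [{"type": kind, "value": value} for kind, value in found]


# Constructed sample analyst note for the example (not a real report).
SAMPLE_REPORT = """\
User j.doe[@]corp.example reported a phish from billing@invoice-portal[.]top
linking to hxxps://invoice-portal[.]top/login.php?id=7 and hxxp://45[.]33[.]32[.]156/a.exe.
Attachment Invoice_2023.pdf: sha256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, md5
d41d8cd98f00b204e9800998ecf8427e. Relay was 10.0.0.5 (internal); the mail
client version 12.4.1.300 is not an address. Domain update.invoice-portal[.]top
also appears in DNS logs; see triage-notes.txt. Contact soc@corp.example.
"""

if __name__ == "__main__":
    for observable in extract_observables(SAMPLE_REPORT):
        print(f'{observable["type"]:7} {observable["value"]}')
```

Each matched span is blanked out before the next pattern runs, so a character belongs to at most one observable; the host of a URL is still reported separately because enrichment sources usually key on the domain or IP rather than the full URL. The two checks a practitioner would want are there: version numbers that look like addresses are rejected by real address parsing, and file names are not reported as domains.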

Cisco XDR API call in Postman


The key takeaway from this blog is that automation is a core component of modern security operations. The threats we face evolve constantly and move quickly, and many security teams lack enough skilled staff to monitor all of their tools. We need to use automation to keep up with and get ahead of bad actors. From an industry perspective, we also recognize that many teams are trying to do more work with fewer people. Automation can help with that too. We want to enable your SOC to automate the things it doesn't want to do and accelerate the tasks that really matter. All of this and more can be done with Cisco XDR.

Want to learn more about how to automate and orchestrate your way to a simplified SOC? Check out our upcoming webinar on Tuesday, June 27th at 1pm ET/10am PT for more information and to register.

