Security automation with Cisco XDR


Security Operations Centers (SOC) continue to face new and emerging threats that test the limits of their tooling and staff. Attackers have easy, affordable access to a plethora of cloud-based computing resources and can move faster than ever. Keeping up with threats is no longer about adding more people to the SOC to watch logs and queues. It's about leveraging automation to match the speed of your attackers. This past April, at the RSA Conference in San Francisco, Cisco announced our new eXtended Detection and Response (XDR) product: Cisco XDR. Cisco XDR combines telemetry and enrichment from a wide variety of products, both Cisco and third party, to give you a single place to correlate events, investigate, and respond to automatically enriched incidents. No modern XDR product is complete without automation, and Cisco XDR has several automation features built in to accelerate how your SOC battles its adversaries.

Response Playbooks

Having visibility into an incident is the first step, but being able to quickly take meaningful response actions is critical. In Cisco XDR, the new incident manager has what we're calling the response playbook. The response playbook is a series of suggested tasks and actions broken down into four phases (based on SANS PICERL):

  • Identification – Review the incident details and confirm that a breach of policy has occurred.
  • Containment – Prevent malicious resources from continuing to impact the environment.
  • Eradication – Remove the malicious artifacts from the environment.
  • Recovery – Validate eradication and recover or restore impacted systems.

Each of these four phases has its own tasks that guide the analyst through completing the relevant steps, but the one to focus on from an automation perspective is containment. Let's say you have a few endpoints you want to isolate, but they're managed by several different endpoint detection and response (EDR) products. Two are managed by Cisco Secure Endpoint and another is managed by CrowdStrike. With both of these products integrated into Cisco XDR, all you have to do is click "Select" on the "Contain Incident: Assets" task, select the endpoints to contain, and click "Execute." We'll handle the rest from there using an automated workflow in Cisco XDR Automation (explained in more detail in the next section). The workflow will check which endpoints are in which EDR and take the corresponding action in each product. Improving the analyst's ability to identify and execute a response action from within an incident is one of the many ways Cisco XDR helps your SOC accelerate its operations.

Response playbook feature in Cisco XDR

Automated Workflows

With automation being a core component of how we achieve XDR outcomes, it should come as no surprise that Cisco XDR has a fully featured automation engine built in. Cisco XDR Automation is a no-to-low code, drag-and-drop workflow editor that allows your SOC to accelerate how it investigates and responds, among other things. You can do this by importing workflows from Cisco or by writing your own. To take automation to the next level in Cisco XDR, we have a new concept called Automation Rules. These rules allow you to define criteria that determine when a workflow is executed. Here are some example rule types and when you might use them:

  • Approval Task – Take response actions after an approval task is approved, or notify the team if a request is denied.
  • Email – Investigate suspicious or user-reported emails as they arrive in a spam or phishing investigation mailbox.
  • Incident – Enrich incidents with additional context, take automated response actions, assign to an analyst, push data to other systems like ServiceNow, and more.
  • Schedule – Automate repetitive tasks like auditing configurations, collecting data, or generating reports.
  • Webhook – Integrate with other systems that can call a webhook when something interesting happens. A message being sent to a bot in Webex, for example.

Cisco XDR Automation allows you to move data between systems that don't know how to communicate with each other, use custom or third party tools to enrich incidents as they're generated, or tailor how your analysts respond to threats based on your standard operating procedures.

Cisco XDR Automation


Finally, the core of what powers much of Cisco XDR is its APIs. Cisco XDR has a robust set of APIs that allow you to extend much of the functionality you see in the product out to other systems. You can use Cisco XDR APIs to scrape observables from a block of text (shown below in Postman), gather intelligence from integrated products, conduct an investigation, take response actions using integrated products, and more. The flexibility to use Cisco XDR via APIs allows your SOC to customize its processes at a granular level. Want to enrich tickets in your ticketing platform with intelligence from your security products? We have APIs for that. Want to allow analysts to approve remediation actions by messaging a bot in Webex? We can do that too. Cisco XDR has a full suite of APIs that can enable you to take your security operations to the next level.

Cisco XDR API call in Postman


The important takeaway from this blog is that automation is a key component of modern security operations. The threats we face evolve constantly and move quickly, and many security teams lack enough skilled staff to monitor all of their tools. We need to use automation to keep up with and get ahead of bad actors. From an industry perspective, we also recognize that many teams are trying to do more work with fewer people. Automation can help with that too. We want to enable your SOC to automate the things they don't want to do and accelerate the tasks that really matter. All of this and more can be done with Cisco XDR.

Want to learn more about how to automate and orchestrate your way to a simplified SOC? Check out our upcoming webinar on Tuesday, June 27th at 1pm ET/10am PT! Click here for more information and to register.

