17 August 2023

Cisco XDR: from detection and response to continuity after a cyberattack
Nick Biasini of Cisco Talos weighs in on the powerful AI-driven capabilities of Cisco’s extended detection and response solution.

These days, cybercriminals have a wide arsenal of sophisticated tools at their disposal. But as relentless as they are, Cisco is ensuring that more and more organizations (and not just the larger ones!) can fight back on an equal, if not superior footing.
Cisco’s extended detection and response (XDR) solution is a big part of this. Using unmatched research and telemetry from sources like the Cisco Talos Incident Response Team, while integrating seamlessly with other security tools, XDR offers far-reaching visibility and capabilities.
The result? Defenses that are simpler to deploy and manage yet more effective than ever before.
To learn more about Cisco XDR and the general state of security in 2023, we caught up with Nick Biasini, head of outreach at Cisco Talos, following his appearance last week at Black Hat in Las Vegas.
Thank you, Nick! Let’s start with a quick overview. From your vantage point at Cisco Talos, what are some key challenges security teams are grappling with in 2023?
Nick: Especially from a ransom/extortion perspective, we’re seeing two divergent paths right now. You have the very large cyber cartels that are more focused on extortion. Some organizations are hit with ransomware as well as data extortion, and you can’t roll back data leaving your network. So, that’s where the extortion focus comes in. On the flip side, over the last 12 to 18 months, we’ve seen an increase in activity from smaller groups popping up. These groups are hitting smaller businesses and asking for smaller ransoms.
And then from an advanced threat-detection perspective, mostly from the state-sponsored groups, there’s a lot of focus on access. That is far and away the most important thing for them, gaining and achieving legitimate access to the target networks in a variety of different ways. Most specifically we’ve seen a focus around network devices being attacked at the edge — things like routers, firewalls, VPN devices, things like that.
AI is enabling some of this added sophistication on the attackers’ side. How is it helping defenders?
Nick: AI is most helpful when it’s answering questions. Not necessarily the super-complex questions. But the ones that are tedious and monotonous and take up a lot of time. So, AI is helping you do it faster. And instead of using complex queries, it’s allowing you to ask more natural-language questions. Instead of some super-complex SQL query through a huge stack of data, it will show you the five unique IDs that are buried within.
So, essentially, it combs through all of that data complexity and finds the anomalies?
Nick: Yes, AI is not a holy grail to solve all your problems. But it’s definitely going to help you to operate in a more effective manner than you would otherwise.
Speaking of AI-powered solutions, tell us a bit about Cisco XDR, which was released earlier this year.
Nick: One of the biggest things about XDR is being able to manage threats across disparate locations and disparate systems running disparate stacks. So, we’re working very hard to do more cross-platform collaboration — like, working with our competitors to make sure that their security tools can help feed the vision and help protect customers, regardless of where their data comes from.

Cisco is very committed to cutting the layers of complexity that plague networking and security teams, starting with its platform strategy. Sounds like XDR fits right into that vision.

Nick: Yes, it speaks exactly to the complex challenges that organizations face. You may have 12 different pieces of technology that communicate in 10 different ways. And only six of them are compatible. So now you're trying to figure out, how do I get all these things to talk to each other? You're either doing a lot of development work, or you’re going to look to deploy something like XDR, which allows you to get a view into all of them at once.
And how big an advantage is Cisco Talos, given the scope of its telemetry and research?
Nick: Talos is one of the key sources of intelligence that powers XDR. It’s all about understanding the various adversaries, and what you're seeing in your environment, and mapping them accordingly. The way that a lot of those mappings are built is through the research and work that Talos does on analyzing growth, analyzing threat actors, how groups behave, and the types of techniques that they use in their attacks.

This week, Cisco XDR's capabilities were expanded from detection and response to include recovery from a breach. How can it help support business continuity if an organization is attacked?
Nick: This tends to be focused more specifically on the ransomware space. But what it provides to organizations is a kind of automated checklist and the capability to recover from your worst day, which in today’s world basically means a ransomware attack that cripples your business. This facilitates the remediation.
Cisco is committed to making world-class security available to more organizations. These automated responses in XDR are a big part of that, aren’t they?
Nick: Yes, the goal is to help spread that recovery around. So, more organizations are now able to harness the power of automated response, a benefit previously only accessible to larger, better funded organizations.
When we raise the security poverty line, as we call it at Cisco, everyone benefits.
Nick: Yes, it’s a big commitment. Because let’s be honest, most big businesses have small businesses as vendors or partners or customers. And it is very possible that a compromise between them could lead to a compromise of others. So, by helping raise that security poverty line, we’re helping ensure that there’s less of an attack surface for these bad actors to go after.
Bad actors never stop threatening, but Cisco never stops innovating. What excites you about what you and your teams can continue to accomplish?
Nick: The most exciting thing about my job is that, at Cisco, you can affect change on a very wide scale every single day — by influencing policy and influencing the way that organizations think about threats, not just our organization, but all organizations. It’s a huge and wonderful task that we all have, and we all take it very seriously.