Cisco has pledged to rapidly fold the security technology it acquired through its $28 billion purchase of Splunk into its own portfolio. The process has begun with integrations between Splunk and Cisco's extended detection and response (XDR) service, among other initiatives aimed at strengthening enterprise security operations centers (SOCs).
Jeetu Patel, executive vice president and general manager for security and collaboration at Cisco, said the company is focused on helping customers reinvent SOC processes, speed them up, and make better-informed decisions through contextual insights and automated workflows. According to him, "the Cisco and Splunk combination constitutes the most thorough security solution for threat prevention, detection, investigation, and response for organizations of any size, making use of cloud and endpoint traffic."
Splunk's technology centers on software for searching, monitoring, and analyzing machine-generated data. According to Splunk, network security teams can use it to gain visibility into network traffic and into the output of firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), and security information and event management (SIEM) systems, whether the software runs on-premises or as Splunk's cloud-based service.
With Splunk deployed, network operations teams can monitor traffic for signs of malware, keep a searchable record of activity, and correlate data from multiple sources to pinpoint the root cause of a security issue or to spot unusual traffic patterns more quickly, the company says.
Cisco and Splunk's first integration joins Cisco's XDR service with Splunk Enterprise Security (ES), Splunk's SIEM platform. ES lets analysts search, analyze, and report on security data drawn from a wide range of sources, including applications, systems, and devices. Cisco XDR, for its part, aims to coordinate Cisco's own security products and those of third parties behind a single cloud-based interface, offering incident analysis, threat remediation, and automated response. The service collects data from the six telemetry sources that Cisco says SOC operators consider critical: network, endpoint, identity, DNS, firewall, and email.
AJ Shipley, vice president of Cisco's Threat, Detection & Response group, wrote in a blog post that combining Cisco XDR with Splunk ES lets Cisco apply its own analytics to the telemetry it collects. The resulting detections can then be promoted into Enterprise Security with the context a SOC needs, without shipping the underlying high-volume telemetry into the SIEM, where it would drive up ingestion costs and slow down queries.
Shipley added that the integration does not force operators to abandon their preferred security tool, describing it as the best of both worlds. Existing Splunk ES users, he said, can now analyze endpoint, cloud, and network telemetry through Cisco XDR, something that was not previously available to them.
Beyond the ES integration, Splunk's Asset and Risk Intelligence package is now incorporated into Cisco XDR. The package maintains a continuously updated inventory of devices, applications, cloud services, and user identities by correlating data from many sources across an organization. Splunk says the goal is to give customers a means of proactive risk mitigation through ongoing asset discovery and compliance monitoring.
Cisco has also introduced an XDR AI Assistant that reviews the security data XDR collects and helps customers make faster response decisions about emerging threats. According to Cisco, it does this by combining contextual insights, guided responses, suggested actions, and automated workflows.
At the RSA Conference, where the Splunk integrations were announced, Cisco also said its newly launched Hypershield architecture can detect and block attempts to exploit unknown vulnerabilities in runtime workloads. Workloads suspected of being compromised can be quarantined to limit the blast radius of a vulnerability.
At its core, Hypershield is a distributed security fabric, built from AI-based software, virtual machines, and related technology, that Cisco says will eventually be embedded in fundamental networking components such as switches, routers, and servers. The aim is to turn every network port into a security policy enforcement point, so customers can apply security controls at the workload level and stop threats from spreading, according to Cisco.
Cisco is also adding its Identity Intelligence technology to its Duo access-protection software. Duo, a cloud-based service, helps organizations prevent breaches by using adaptive multi-factor authentication (MFA) to verify users' identities and the health of their devices before granting access to applications.
Identity Intelligence is designed to sit on top of a customer's various directories and identity tools, providing insight into how identities are being used and automatically enforcing policy. Its purpose is to give enterprise security operators, from a single dashboard, a view of their entire identity environment, the ability to find and clean up suspicious accounts, detect questionable behavior, and impose access restrictions when required.
Currently in limited availability, the Duo enhancement is intended to help customers close security gaps and strengthen access management, according to Cisco.