At RSA Conference 2024, Cisco announced plans to integrate its XDR platform and Splunk’s SIEM, bolster its Hypershield AI-native security architecture, and add to its Duo access-protection software.
Cisco promised to quickly integrate the security technology it gained in its $28 billion Splunk acquisition, and it has set that process in motion by adding tie-ins to its extended detection and response (XDR) service, among other moves aimed at bolstering enterprise security operations centers (SOCs).
Cisco aims to help customers reimagine SOC processes, move faster, and make more informed decisions with contextual insights and automated workflows, according to Jeetu Patel, executive vice president and general manager for security and collaboration at Cisco. “The combination of Cisco and Splunk is the most comprehensive security solution for threat prevention, detection, investigation and response for organizations of any size, utilizing cloud, endpoint traffic,” Patel said in a statement from the RSA security conference taking place this week in San Francisco.
Splunk’s technology includes wide-reaching software for searching, monitoring and analyzing system data. Network security teams can use this information to gain better visibility into and gather insights about network traffic, firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), and security information and event management (SIEM) systems, from on-premises or its cloud-based package, according to Splunk.
With Splunk software in place, network operations teams can monitor network traffic for signs of malware, log activity, and meld data from multiple sources to identify the root cause of security problems or more quickly spot abnormal traffic patterns, according to the company.
The first of the Cisco/Splunk integrations brings together Cisco’s XDR service with Splunk Enterprise Security (ES), the company’s SIEM platform. Splunk ES offers security search, reporting, and analytics across various data sources, including devices, systems, and applications. Cisco XDR, meanwhile, ties together myriad Cisco and third-party security products to control network access, analyze incidents, remediate threats, and automate response from a single cloud-based interface. The offering gathers data from six telemetry sources that SOC operators say are critical for XDR systems: endpoint, network, firewall, email, identity, and DNS, according to Cisco.
“Cisco XDR’s integration with Splunk ES allows us to apply Cisco’s unique analytics and promote those detections into Enterprise Security while providing the context needed for the SOC to operationalize them, without requiring sending high-volume telemetry to a SIEM that increases ingestion costs and slows down query performance,” wrote AJ Shipley, vice president of product management with Cisco’s Threat, Detection & Response group, in a blog about the news.
“And we don’t force the operator to leave their preferred security tool that their SOC is built around – it is the best of both worlds,” Shipley stated. “And for those organizations who are already Splunk ES users, the integration of Cisco XDR enables analytics on network, endpoint and cloud telemetry that were previously unavailable to them.”
In addition to the ES integration, Cisco’s XDR now adds Splunk’s Asset and Risk Intelligence package, which offers a constantly updated inventory of assets, such as devices, applications, cloud services and user identities, by correlating data across multiple sources within an organization. The idea is to offer customers proactive risk mitigation through continuous asset discovery and compliance monitoring, according to Splunk.
Cisco has also added an XDR AI Assistant to look over security information gathered by XDR and help customers coordinate and speed response decisions about evolving threats by tying together contextual insights, guided responses, recommended actions and automated workflows, Cisco stated.
Cisco bolsters Hypershield architecture, Duo software
Also at RSA, Cisco announced that its recently introduced Hypershield architecture can now detect and block attacks stemming from unknown vulnerabilities within runtime workload environments. In addition, suspect workloads can be isolated to limit a vulnerability’s blast radius.
Hypershield implements a distributed security fabric that encompasses AI-based software, virtual machines, and other technology that Cisco says will ultimately be baked into core networking components, such as switches, routers or servers. The idea is that every network port can be made into a security policy-enforcement point, letting customers set security controls at the workload level and preventing lateral movement of threats, Cisco says.
In addition, Cisco is adding its Identity Intelligence technology to its Duo access-protection software. Cisco’s cloud-based Duo service helps protect organizations against cyber breaches by using adaptive multi-factor authentication (MFA) to verify the identity of users and the health of their devices before granting access to applications.
Identity Intelligence sits on top of customers’ disparate directories and identity tools to provide visibility into how identities are being actively used and automatically enforce policies. The goal with Identity Intelligence is to give enterprise security operators the ability, from a single dashboard, to see their entire network, spot and fix questionable accounts, detect questionable behaviors, and block access where necessary.
Now in limited availability, this Duo enhancement will allow customers to reduce security gaps and reinforce access management capabilities, Cisco said.