    Cisco XDR

    Deployed on AWS
    Cisco XDR, an eXtended Detection and Response security solution, collects and correlates data across email, endpoints, servers, cloud workloads, and networks, enabling visibility and context into advanced, multi-vector threats. Cisco XDR integrates with AWS services and has 53 AWS-specific threat detections with new detections being introduced all the time. Threats can then be analyzed, prioritized, hunted, and remediated to prevent data loss and security breaches. Cisco XDR quickly identifies and stops the most complex attacks on AWS with an open XDR approach.
    4.3

    Overview

    Cisco XDR integrates data from multiple security technologies and leverages AI for enhanced threat detection, streamlined security operations, and improved efficiency to provide a unified defense approach. Designed to address the challenges faced by security practitioners, it offers a cloud-native, open approach that integrates data and telemetry generated from security tools across your stack and applies AI and analytics to arrive at correlated detections.

    Cisco XDR has developed an AWS-specific threat detection library to help users quickly identify attacks and remediate threats. Cisco XDR is the core component of Cisco Breach Protection Suite, which helps secure your business with simplified security operations and accelerated response through AI-powered defense.

    With Cisco XDR, security teams can detect threats across the environment by correlating multiple security vectors, including vital network, email, endpoint, application, and cloud insights. Cisco XDR provides unified threat detection and response by integrating the broad Cisco portfolio of solutions, along with several third-party vendor solutions (for the complete list, see Cisco XDR integrations). It enriches incidents with added context and asset insights using the underlying threat intelligence from Cisco Talos®, one of the most trusted private threat intelligence organizations in the world, as well as dozens of third-party threat intelligence tools. Through clear prioritization of incidents, Cisco XDR reduces false positives and provides the shortest path from detection to response.

    Highlights

    • Identify and stop even the most complex attacks, whether they originate on-premises or in AWS, with a network-centric open XDR approach powered by a simple, built-in Network Detection and Response (NDR) to gain comprehensive visibility.
    • Natively integrate network data from Meraki MX devices to gain clear visibility beyond what EDR-based tools provide, so defenders can take more informed and timely actions.
    • Remediate threats quickly and decisively with AI-guided response and automation that levels up the performance and effectiveness of your security operations team.

    Details

    Delivery method: Deployed on AWS


    Pricing

    Custom pricing options

    Pricing is based on your specific requirements and eligibility. Request a private offer to receive a custom quote. Sign in to view any offers that have been extended to you.

    Legal

    Content disclaimer

    Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.

    Usage information


    Delivery details

    Software as a Service (SaaS)

    SaaS delivers cloud-based software applications directly to customers over the internet. You can access these applications through a subscription model. You will pay recurring monthly usage fees through your AWS bill, while AWS handles deployment and infrastructure management, ensuring scalability, reliability, and seamless integration with other AWS services.

    Support

    Vendor support

    You can reach Cisco XDR support at

    AWS infrastructure support

    AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.

    Customer reviews

    Ratings and reviews

    4.3 out of 5 (17 ratings: 1 AWS review, 16 external reviews from G2 and PeerSpot)
    5 star: 53%
    4 star: 47%
    3 star: 0%
    2 star: 0%
    1 star: 0%
    reviewer2811780

    Unified logs have improved threat hunting and response workflows yet still need richer automation

    Reviewed on Mar 27, 2026
    Review provided by PeerSpot

    What is our primary use case?

    My main use case for Cisco XDR is to collect all the logs from the use cases of how users try to explore and perform their tasks. We are threat hunting to prevent, detect, and respond to threats, collecting from different systems such as M365 and others, correlating them into one central location, and trying to correlate between different kinds of logs to provide whether the alert is a true positive or not.

    A simple example of how I used Cisco XDR to connect all these logs and coordinate between different systems is that we have M365 connected to Cisco XDR, as well as browser security connected. Many users use client applications including Outlook, but many use cases go wrong when they are using it via a browser. So what we did was correlate all the source logs from the browser and XDR and try to correlate them with the user's reactions as well as their daily usage. This helps us understand their daily perspective of how they are behaving. Behavioral analysis was easier when we connected all these systems.

    What is most valuable?

    From the malware detection perspective, Cisco XDR can actually find out if there is any malware present, and we can lock down the system as well, which we call isolation. That is a great add-on for me.

    From the SOC perspective, the best features Cisco XDR offers are the ease of use and the ability to understand the logs and log aggregation. It is one of a kind. What stands out for me about the log analysis and the user interface in Cisco XDR is that Cisco has an AI assistant that we can utilize to understand the correlation. The main intent of the integration architecture allows us to integrate easily without any cumbersome processes. We can simply specify what should be integrated with what. They have an open integration architecture already present with third-party tools such as CrowdStrike, Palo Alto Networks, and AWS. Additionally, the automated response workflow can actually automate the flows and tell me the response automatically, indicating whether something is an issue or not. All these features make my daily work and log analysis easier.

    Cisco XDR has positively impacted my organization because instead of ten people working on one event, Cisco XDR can do many things an analyst can do, reducing the human effort required and coordinating everything. The mean time to respond has improved for the company, and we have automated many processes. A severe incident would typically take my engineer one or two days to solve, but Cisco XDR would have already completed almost half of that work. The engineer can then review the incident and understand whatever analysis has already been provided.

    The features of Cisco XDR are a great add-on for the SOC team, and the security has increased by using Cisco XDR.

    What needs improvement?

    There are no significant improvements needed for Cisco XDR. The inclusion of new incident mechanisms and the ability to automate them automatically would make things easier.

    For how long have I used the solution?

    I have been using Cisco XDR for almost one year.

    What do I think about the stability of the solution?

    In my experience, Cisco XDR is stable.

    What do I think about the scalability of the solution?

    Since Cisco XDR is on a cloud-native architecture, I believe it is significantly scalable.

    How are customer service and support?

    Customer support for Cisco XDR is a bit slow in the initial stages, but I believe it has improved nowadays.

    Which solution did I use previously and why did I switch?

    Before Cisco XDR, I previously used SecureWorks and switched due to problems.

    What was our ROI?

    I have seen a return on investment with Cisco XDR. I can share that I save time and people. For money saved, I do not see much improvement, but time saved is significant.

    What's my experience with pricing, setup cost, and licensing?

    My experience with pricing, setup cost, and licensing for Cisco XDR was good.

    Which other solutions did I evaluate?

    Before choosing Cisco XDR, I evaluated options including SecureWorks and SentinelOne.

    What other advice do I have?

    With the functionality and support Cisco XDR provides, I advise others to go for Cisco XDR, whether for a small company or a large company. I rate this product 7 out of 10.

    Bolaji Kazeem

    Early threat detection has improved incident response and prevents data exfiltration

    Reviewed on Mar 21, 2026
    Review provided by PeerSpot

    What is our primary use case?

    I have used Cisco XDR to detect and respond to malicious activities on my client's endpoint. For instance, the last time I used it was when a client downloaded a malicious executable file, and when the endpoint picked it up as suspicious activity, I investigated and discovered using a threat intelligence platform, VirusTotal, that the hash of the executable file is malicious. I quarantined the endpoint and deleted the malicious executable file afterward, using it to block the malware.

    It has positively affected our incident management process because Cisco XDR helps with early detection and does not allow room for escalation of malicious activities before remediation starts.

    One function that Cisco XDR streamlines incident response through is its containment feature, which speeds up response time and demonstrates how it is useful in incident response.

    For data loss prevention, I find it really helpful because it monitors email activities for some clients and reports suspicious data exfiltration activities, capturing and reporting instances when there is communication to a public IP suspicious for data exfiltration, allowing me to verify legitimacy with the client.

    What is most valuable?

    I find Cisco XDR really useful and interesting, and I believe that with time, it is going to get even better.

    I appreciate the fact that Cisco XDR detects malicious activity as fast as it can and notifies me when suspicious executable files are downloaded in the client's environment, providing all the information needed for investigation, which is a feature I really enjoy.

    When the alerts come in, they bring context, which is helpful. The alert comes in with context such as the file hash, sometimes with the source IP address or the destination IP address, and this context helps bring a suspicious activity to resolution quickly.

    Before using Cisco XDR, I sometimes did not detect malicious activities in my client's environment, but since implementing this solution, my mean time to detect has actually reduced, and my mean time to respond has fallen within the acceptable threshold, positively impacting my organization as I can detect and respond to threats in time.

    What needs improvement?

    At the moment, I am still exploring Cisco XDR, and while it seems well built and the team has done good work on it, I cannot point out any specific errors or make generic suggestions for now, but I believe in six months I will be able to detail improvements.

    For now, I really cannot think of anything that needs improvement because what I need for investigation comes with the alert, and I perform remediation activities on the solution.

    The interface of Cisco XDR can be improved. I can navigate it, but I am still exploring and believe it can be made easier to interact with.

    For how long have I used the solution?

    I have been using Cisco XDR for close to eight months.

    What do I think about the stability of the solution?

    Cisco XDR is stable in my experience.

    What do I think about the scalability of the solution?

    Cisco XDR is really scalable. For example, you can start with less than 10 endpoints and expand as results appear, and it is applicable not only to endpoints but can also be used on servers.

    How are customer service and support?

    The customer support for Cisco XDR is fantastic. I have not had a reason to call them, but based on client information, they seem readily available whenever needed.

    Which solution did I use previously and why did I switch?

    For this specific client, they have not used an XDR before, so Cisco XDR is the first one they are using in their environment.

    They were convinced to try Cisco XDR due to the value they received from other Cisco products, such as Cisco ISE and Cisco ASA Firewall.

    What's my experience with pricing, setup cost, and licensing?

    Regarding pricing, setup cost, and licensing for Cisco XDR, it was my client that did the licensing and costing, so I cannot speak much about that as I only manage the solution on their behalf.

    What other advice do I have?

    Based on feedback from my client, they seem very satisfied with the output of Cisco XDR solution, so I assume they are content.

    I recommend Cisco XDR to any client that may be interested because I have used a number of Cisco products and have no negative reservations at this point.

    I would rate this product an 8 out of 10.

    Mohamed Fouad

    Centralized incident insights have saved investigation time and improved security coverage

    Reviewed on Mar 12, 2026
    Review provided by PeerSpot

    What is our primary use case?

    I use Cisco XDR for detection and response. I have an Insight license from Cisco XDR, which provides me with a powerful GUI on the cloud where I can see comprehensive insights from my machines. I also have an MDR service license from Cisco.

    I use Cisco XDR for prioritizing incidents across multiple security controls. The second-best technical feature is incident correlation, which provides me centralized visibility and a single place to review incidents and investigate IPs, URLs, and domains. All log data is visible on one dashboard for managing incidents and taking actions with integrations and connectors to other products in my organization.

    I have not yet run the DLP feature in Cisco XDR, but the XDR forensics capability provides evidence collection and forensics visibility, which works very well with incident correlation. Regarding DLP, I run an endpoint from Kaspersky, not Cisco. The integrations are strong, and I have purchased integrations from Cisco.

    I have used the automation feature in Cisco XDR to improve workflows. I have connectors and direct integrations that allow Cisco to integrate with my firewalls using predefined integrations. I enable collectors and have connected firewalls, endpoints, and email systems, which allows me to take actions. For example, during a phishing incident, I run automations to investigate domains that trigger a phishing email, and I can block this domain on my email system through integration with Cisco XDR.

    Cisco XDR has helped expose gaps in my security coverage. Since implementing it, I did not have NDR, and I opened a conversation with Cisco to implement the Cisco NDR module, which will be very useful to integrate with Cisco XDR. I receive detailed reports on traffic flow, so I can see on the Cisco XDR dashboard when user X attempts to connect to a malicious domain, for example.

    What is most valuable?

    The best feature of Cisco XDR, on which I based my decision to purchase it, is that Cisco XDR does not require an endpoint from Cisco. It can work with any endpoint. In my situation, I have an endpoint from Kaspersky, and Cisco XDR can integrate with it. It has predefined integrations based on the licensing model, so there is no need to have a Cisco endpoint to use Cisco XDR. This is not the typical use case for other XDR solutions like Trend Micro or Palo Alto Cortex, where you must obtain the endpoint from the same vendor.

    What needs improvement?

    I believe the advanced insights module in Cisco XDR has room for improvement because it requires a separate license. If Cisco allowed me to access full data with a basic license, it would benefit many customers.

    For how long have I used the solution?

    I have used Cisco XDR for four months.

    What do I think about the stability of the solution?

    I assess the stability of Cisco XDR as ten out of ten.

    What do I think about the scalability of the solution?

    Although I have not yet tested scalability, I can say that theoretically it appears to support scalability, so I would rate it as ten out of ten.

    How are customer service and support?

    I rate the technical support from Cisco as very professional with a strong support team. It is Cisco TAC, so I would rate it as ten out of ten.

    How was the initial setup?

    The deployment of Cisco XDR is very simple and straightforward. I access the service, check the service, configure it, and I obtain the dashboard to begin configuring integrations. I receive logs and can take actions based on incidents easily.

    What was our ROI?

    In just four months, I have seen a good return on investment with Cisco XDR. I have reduced incidents and saved time because previously, if I encountered any incident, I would have spent considerably more time and effort reaching out to every security control on my network and checking logs across multiple systems. With Cisco XDR, I gain visibility on one dashboard where I can see extensive logs, resulting in time saved and reduced security incidents, which provides a strong return on my investment.

    What's my experience with pricing, setup cost, and licensing?

    I believe the pricing of Cisco XDR is affordable compared to other solutions.

    Which other solutions did I evaluate?

    I believe Cisco XDR compares favorably with other XDR solutions such as Cortex XDR and Trend Micro Vision One. The best feature, as I mentioned earlier, is that Cisco XDR does not require its own endpoint. I have a Kaspersky endpoint, and I did not need an endpoint from Cisco to use Cisco XDR. In contrast, with other vendors such as Cortex or Trend Micro, you must obtain the same vendor endpoint.

    What other advice do I have?

    My advice for others looking to implement Cisco XDR is to establish licensing agreements beforehand and list your products for integration with Cisco XDR. You need to know which email systems, DLP solutions, firewalls, and vendors you will use, as this helps identify the best licensing for your needs.

    Regarding how many people use the solution, I can say that we are running it on our SOC, which has multiple shifts and approximately eight SOC analysts.

    Cisco XDR does not require any maintenance, as this is provided by Cisco. My overall rating for Cisco XDR is ten out of ten.

    Ananda Deb

    Security operations have strengthened data center protection and build lasting client confidence

    Reviewed on Mar 06, 2026
    Review provided by PeerSpot

    What is our primary use case?

    We are system integrators working in a consultancy mode with a team of implementation engineers. Over the last two years, we have worked on several Cisco XDR cases. In data centers, Cisco XDR is definitely the primary requirement. Our first choice is always Cisco, and while one or two other solutions have come our way, Cisco cases primarily come to us. In a certain segment, Cisco XDR is definitely the first priority. I would say that about 80% of my customer base relies on Cisco XDR. We are partners of Cisco and we focus particularly on the implementation aspect, while also taking care of services.

    What is most valuable?

    Cisco XDR is one of the most matured systems available. It is quite user-friendly. The system has been very effective, and our customers receive sufficient reports demonstrating visible benefits. This helps maintain customer confidence, particularly in secure data center implementations. With the implementation we have deployed, our customers gain confidence in having their data center secure. The reporting capabilities are pretty extensive. Cisco XDR is keeping our customers protected.

    What needs improvement?

    It would be difficult for me to identify specific improvements at this moment. We have not really foreseen exactly what additional benefits might be needed. Given more thought, something could potentially come out, but we have not found any requirements for additional features.

    For how long have I used the solution?

    The solution is working well for our needs.

    What do I think about the stability of the solution?

    There were some challenges initially, but with the technical support provided, we were able to resolve them and move forward successfully.

    What do I think about the scalability of the solution?

    Scalability has been a consideration for our implementations.

    How are customer service and support?

    The technical support has been very helpful. During implementation, we receive assistance from the technical support team and have obtained proper support from their side.

    How was the initial setup?

    In a certain segment, Cisco XDR is definitely the first priority. I would say that about 80% of my customer base relies on Cisco XDR as the way to go.

    What about the implementation team?

    We are partners of Cisco and focus particularly on the implementation aspect. We also take care of the services.

    What was our ROI?

    Cisco XDR has helped our customers achieve positive returns on their investment.

    Which other solutions did I evaluate?

    I strongly feel that Cisco XDR is more proactive rather than reactive compared to alternate solutions.

    What other advice do I have?

    It would be difficult for me to provide additional advice at this moment. I would give Cisco XDR a nine out of ten. I would definitely recommend it. I

    Pranav Salian

    Unified threat detection has strengthened visibility and reduced response time across all environments

    Reviewed on Feb 24, 2026
    Review from a verified AWS customer

    What is our primary use case?

    Cisco XDR serves as the main platform for threat detection and threat response in my organization.

    We have integrated all of our internal devices including firewalls, servers, EDRs, and endpoints into Cisco XDR. In typical scenarios, we find blacklisted IP communication detected by our firewall, and Cisco XDR blocks these particular attempts made by blacklisted IPs, thereby helping us secure our environment from potential cyber threats.

    We focus on the alerts generated by Cisco XDR and the threat intelligence reports available on the platform. Our security team reads through those reports and proactively blocks those IPs and the IOCs on our firewall rather than waiting for Cisco XDR to raise an alert about a particular IP or IOC attempting to communicate with the environment. The threat intelligence information available on the platform is quite useful for us to proactively take actions to better secure our environment and reduce our attack surface for potential cyber threats.

    What is most valuable?

    Cisco XDR offers a wide range of integrations and connectors where we can integrate a whole range of devices available in our on-premises environment as well as cloud sources which we have primarily on AWS and Azure. Those environment log sources are integrated with Cisco XDR and it helps provide a single pane of glass view in terms of our security posture, giving us visibility within a single platform rather than focusing on individual security devices such as firewalls or EDRs which would typically be working in silos.

    These integrations are straightforward. Cloud workloads are easier to integrate compared to on-premises devices, primarily because the cloud workloads have readymade connectors and integration standard operating procedures for us to integrate with Cisco XDR. We have typically not faced challenges with integrations with Cisco XDR. There may be certain OEMs which are not well known and cannot be directly integrated without the help of vendor support or OEM support, which we were able to connect with and ensure they are integrated with Cisco XDR.

    From the reporting perspective, the dashboards offer quite a lot of predefined and useful options which help with live threat monitoring and provide a high-level view of the current threats, incident reporting metrics, mean time to detect, and mean time to respond. These sorts of dashboards are available on the platform and help provide a good view even for someone at the leadership level.

    Cisco XDR has definitely improved our security posture and our visualization, ensuring that we are protected and providing greater visibility for our SOC team.

    Cisco XDR has definitely reduced our mean time to respond. Previously it used to be more than 24 hours, but we have been able to reduce it to less than 16 hours due to all the various integrations and automation capabilities.

    Cisco XDR has been useful for us to gain visibility into gaps in our security posture and how those can be improved by conducting analysis on the platform itself. We have utilized the platform to improve our security posture and reduce blind spots.

    What needs improvement?

    Cisco XDR can be improved in terms of out-of-the-box integrations and standard operating procedures available on the platform where we would not have to refer to documents outside of the platform to integrate. Having these standard operating procedures or integration methods available within the platform for most devices will help improve our experience with Cisco XDR.

    The primary area for improvement is the integrations itself.

    For how long have I used the solution?

    I have been working in my current field for about ten plus years.

    What do I think about the stability of the solution?

    Cisco XDR is stable in our environment and we have not found major issues in terms of downtime or lack of monitoring coverage.

    What do I think about the scalability of the solution?

    In terms of scalability, Cisco XDR is quite scalable in terms of a licensing model and the number of assets we have integrated with it. It is seamless.

    How are customer service and support?

    The customer support has been quite good. When we raise a ticket on technical support, they reach out to us within a couple of hours to listen to our issue and provide us with solutions. I would rate customer support at nine out of ten.

    Which solution did I use previously and why did I switch?

    We used IBM QRadar before we switched to Cisco XDR primarily because IBM QRadar was more a legacy system and customizations, connector building, parser building, and integrations were taking a long time where we had to reach out to IBM for support. With Cisco XDR, we found a quicker turnaround time.

    What about the implementation team?

    Our team required extra training and onboarding support during the initial phase, but as of now they are using it seamlessly. I would rate it at approximately eight out of ten.

    What was our ROI?

    We have experienced return on investment since we have been utilizing this platform for the last five years. Over time as the platform has evolved and more automations have been put in place, the number of human resources required has drastically reduced. Previously, we used to require four people in each shift to manage all of the incidents and workloads, which would essentially be about twelve people per day. We have been able to cut them down to six people per day, which is roughly half the team size required as of now. This helps in saving cost and time.

    What's my experience with pricing, setup cost, and licensing?

    In terms of licensing and support cost, it is quite seamless. Based on the number of users we require, we have purchased as many licenses, and the setup is also a one-time cost which we received support for from Cisco's technical support team.

    Which other solutions did I evaluate?

    Before choosing Cisco XDR, we evaluated Splunk, IBM QRadar which was already existing in the environment, and Microsoft Sentinel. Cisco XDR was the best option in terms of overall feature capabilities and pricing.

    What other advice do I have?

    In terms of DLP, Cisco XDR is quite useful. We are using a different DLP as well within our organization, so we are not extensively relying upon Cisco XDR for DLP, but it is a good solution to fall back upon. In terms of pricing, it is not the cheapest but it is also not the most expensive compared to other products we have experienced in the past.

    Cisco XDR is hosted on private cloud.

    We are typically deployed on AWS and have utilized automation workflows to improve our mean time to respond, reducing it from over 24 hours to less than 16 hours.

    We prioritize incidents based on their criticality in terms of which devices or environments are affected that we have integrated with this platform. This has definitely helped in prioritizing incidents and ensuring that we have good coverage twenty-four hours a day, seven days a week across business hours and non-business hours by looking at the trend of what incident types occur and how often they occur, as well as what kind of team support is required across multiple shifts during the day and night.

    The platform helps our SOC team access the platform across the entire shifts. We follow three shifts, and it helps with the shift handover when we transition from the morning shift to the afternoon shift or from the afternoon shift to the night shift. The platform helps seamlessly hand over from the previous analyst in the previous shift to the new analyst in the next shift.

    My advice to other potential buyers of Cisco XDR would be to always conduct an evaluation or a proof of concept before actually purchasing because each environment is different and while Cisco XDR may be useful in most environments, there are potentially some environments where it may not be useful. It is always good to try before you buy. I would rate this product an eight out of ten.
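
    Editor's note: the Mar 21 review (a downloaded executable checked by hash against threat intelligence, then the endpoint quarantined) and the Feb 24 review (firewall events matched against blacklisted IPs and IOCs, with the endpoint, proxy and firewall feeds in one place) describe the same correlation step from two angles. The Python below is an added example written for this page; it is not Cisco XDR code and uses no Cisco or AWS API. The indicator values, the key=value log format, the field-to-indicator mapping and the four log lines are all constructed for illustration. It shows the core of what that step does: match each event's fields against indicator sets, group hits by the affected user or host, and raise severity only when several independent sources agree, which is the point at which a containment action such as isolating the endpoint is defensible rather than a reaction to a single blocklist hit.

```python
"""IOC matching and cross-source correlation over constructed log lines.

Added example, not Cisco XDR code and not tied to any Cisco or AWS API.
Indicators, field names and log lines are invented for illustration.
"""
import hashlib
import re
from collections import defaultdict

# Constructed "malicious" file: stands in for the downloaded executable a
# reviewer checked by hash. Its SHA-256 becomes the file indicator below.
BAD_SAMPLE = b"MZ constructed malicious sample, not a real binary"
BAD_SHA256 = hashlib.sha256(BAD_SAMPLE).hexdigest()

# Constructed indicator sets (hypothetical; the IPs are from TEST-NET ranges).
IOC = {
    "ip": {"203.0.113.45", "198.51.100.7"},
    "domain": {"login-m365-verify.example"},
    "sha256": {BAD_SHA256},
}

# Assumed mapping from log fields to indicator kinds for the constructed
# key=value format below; it is not any vendor's log schema.
FIELD_KINDS = {"src": "ip", "dst": "ip", "domain": "domain", "sha256": "sha256"}

# Constructed events from three sources: firewall, web proxy, endpoint agent.
SAMPLE_LOGS = [
    "2026-03-01T09:14:02Z fw01 action=allow src=10.0.4.21 dst=203.0.113.45 dport=443 user=alice",
    "2026-03-01T09:14:09Z proxy01 action=allow src=10.0.4.21 domain=login-m365-verify.example user=alice",
    "2026-03-01T09:15:30Z edr01 event=file_create host=WS-ALICE user=alice "
    f"path=C:/Users/alice/Downloads/invoice.exe sha256={BAD_SHA256}",
    "2026-03-01T09:16:00Z fw01 action=allow src=10.0.7.3 dst=192.0.2.10 dport=443 user=bob",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Split '<timestamp> <source> key=value ...' into a flat dict."""
    ts, source, rest = line.split(" ", 2)
    event = {"ts": ts, "source": source}
    event.update(KV_RE.findall(rest))
    return event


def match_iocs(event: dict) -> list:
    """Return (kind, value) for each field whose value is a known indicator."""
    hits = []
    for field, kind in FIELD_KINDS.items():
        value = event.get(field, "").lower()
        if value in IOC[kind]:
            hits.append((kind, value))
    return hits


def correlate(lines) -> dict:
    """Group IOC hits by affected user (or host) and grade each group.

    One indicator kind is 'low' (a single blocklist hit can be noise),
    two kinds from different sources is 'medium', three is 'high'.
    Isolation is recommended only for a 'high' group that includes an
    endpoint event naming the host to isolate.
    """
    groups = defaultdict(lambda: {"kinds": set(), "sources": set(), "events": []})
    for line in lines:
        event = parse_event(line)
        hits = match_iocs(event)
        if not hits:
            continue
        key = event.get("user") or event.get("host") or event.get("src", "unknown")
        grp = groups[key]
        grp["events"].append(event)
        grp["sources"].add(event["source"])
        grp["kinds"].update(kind for kind, _ in hits)

    for grp in groups.values():
        n = len(grp["kinds"])
        grp["severity"] = "high" if n >= 3 else "medium" if n == 2 else "low"
        hosts = {e["host"] for e in grp["events"] if "host" in e}
        grp["isolate_hosts"] = sorted(hosts) if grp["severity"] == "high" else []
    return dict(groups)


if __name__ == "__main__":
    for who, grp in correlate(SAMPLE_LOGS).items():
        print(f"{who}: severity={grp['severity']} kinds={sorted(grp['kinds'])} "
              f"sources={sorted(grp['sources'])} isolate={grp['isolate_hosts']}")
```

    Run as a script it reports one group, for alice, at high severity with all three indicator kinds from three different sources and WS-ALICE proposed for isolation; bob's allowed connection to a non-indicator address produces nothing. The grading by number of independent indicator kinds, rather than by raw hit count, is the design choice worth keeping: ten firewall hits on one blocklisted IP are still one weak signal, while a hash, a domain and an IP converging on one user are hard to explain away.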
