SecureX is something that was a long-time-coming and very welcome now that it’s here. Cisco now has a centralized, cloud-based, integration platform to act as a hub for the plethora of security products in the Cisco portfolio as well as with non-Cisco security products as well!
With this centralized platform approach, there are many functions such as XDR: (eXtended Detection and Response), Automation & Orchestration, and Casebooks & Incident Management, which SecureX can help customers with and ensure that each integrated part of the platform only has to be integrated ONCE and all the components can share that integration.
Introducing SecureX Device Insights
When an incident responder is investigating, one of the things they often do is create scripts or write custom applications to go retrieve as much data about a possible “target” endpoint as possible. Think about it. There are many disparate solutions that all have their own database of the endpoints in your environment and a slew of attributes for those endpoints.
So, the IR investigator will often script out a solution that connects to the APIs of the Device Managers, EDR, Authentication Systems, etc. etc. etc. and combine all that information into a single file so they can get a more complete picture of the endpoint.
Well, device insights does that for the investigator now!
SecureX device insights provides a seamless, agentless, unified view of the devices in your organization for attack surface reductionMartin Nystrom, Director of SecureX Product Management
Device insights finds the endpoints that are common within all the disparate systems and merges them so you can be certain it’s the same endpoint across the products. It does this by using strong identifiers, not ephemeral addresses that change regularly (like IP addresses). This is critical for anyone who has ever tried to integrate more than one product! Relying on the IP address is one of the worst things you can possibly do when investigating; because they change, they overlap, and they are not reliable.
Here is a crude drawing to attempt to illustrate that concept. A single endpoint in SecureX device insights that has sources from Umbrella, Cisco Secure Endpoint, Duo Security, and InTune. There are different identifiers that might be used in each product, but a solution like device insights merges the endpoint based on certain attributes available in each source.
Leveraging that intelligence to merge on strong identifiers, in a priority order, device insights creates a unified and searchable inventory that gives you the complete picture of the devices in your environment for your investigations or for you to infer the overall attack surface from.
You can browse through and search through your inventory. There is a quick filter on the left-hand side allowing you to check off the items you are searching for, similar to how you might shop on Amazon. Clicking the graphs at the top also filters for you. For those that need more powerful search options, there is an advanced search function that allows for full Lucene Queries into the data, with a UI around those advanced queries coming soon.
When examining the endpoint, you are brought to the endpoint details page that has a tremendous amount of information displayed in it. Furthermore, this is not even all the information the system possesses about the device, just what customers have told Cisco they want to see, and can be changed/adjusted later.
The details page lists out known vulnerabilities (if any are known) including device information like hostname, serial number, and UUID. What the Windows Security Center reports as status for security settings and installed security products is displayed. The page also displays what information has been contributed from the different sources, including which policies are applied to the endpoint in many cases.
I would have killed for this back when I was doing IR [incident response]Scott D. – former incident responder
This information is being used both in manual investigations and also in Cisco Threat Response investigations as well; bringing the unified context of the endpoint to the fingertips of the investigator in the heat of the investigation. (coming soon to the beta near you).
Cisco is looking for Early Testers and Beta Participants
Cisco is looking for many people who use SecureX and want to get early access to this feature. The early access testers will need to be nominated by their Cisco account team, who will collect your information, including your SecureX OrgID and OrgName, and then the feature can be enabled. There will also be a managed Beta open to only 8-10 customers that will require weekly meetings.
If you are a user of SecureX and are interested in early access, please reach out to your Cisco Account Team.