As the market becomes flooded with specialized security solutions, an important question arises: Who can effectively integrate and manage all these different solutions? Cisco is making changes to position itself as a leading contender. As a comprehensive solution provider, Cisco can fill gaps in the cybersecurity landscape and ensure a cohesive approach to security, especially cloud security. It is building and integrating its portfolio of offerings, for example, XDR, Umbrella, Duo, Talos, many others, and now Armorblox.
As threats evolve, security efforts have shifted from solely preventing incidents to investigating them quickly and anticipating future risks. With IT environments now comprising interconnected networks, communication tools, mobile devices, cloud applications, and more, security is a top priority. Techaisle data shows that security is an IT priority for 74% of small businesses, 85% of SMBs, and 100% of midmarket firms. Endpoint security is already relatively widely adopted by SMBs. In addition, security suppliers have made headway in gaining customers for mobile hardware and access control security services. While Endpoint Detection and Response (EDR) tools are helpful, their capabilities are limited to detecting and responding to threats on endpoints and servers. Prevention remains the best approach to security, but detection is essential.
Cisco’s new XDR technology presents exciting opportunities for business growth by leveraging its vast network infrastructure and customer data to tackle security challenges. To strengthen its position in the security industry, Cisco is streamlining its go-to-market strategy and investing in partnerships to unify its cybersecurity offerings. Its partner growth strategy includes upgrading firewalls and refreshing products for existing customers, offering competitive pricing and margins to win new business, and introducing new partner offers for Security Operations Centers, such as Managed Detection and Response using Cisco XDR.
Cyberattacks targeting small and medium-sized businesses (SMBs) have increased, particularly ransomware and DDoS attacks. Implementing multi-factor authentication (MFA) safeguards employee identities and credentials. However, only 16% of SMBs and 25% of midmarket firms use MFA enterprise-wide. Similarly, only 13% of SMBs and 16% of midmarket firms have adopted single sign-on. However, the intent to adopt is significantly higher. Cisco offers MFA and single-sign-on (SSO) through its Duo offering, introducing innovations such as passwordless and risk-based authentication and Verified Duo Push. In addition, Duo has made security more accessible by integrating its Duo Trusted Endpoints capability into all service tiers, allowing users to restrict access only from corporate-managed devices or devices registered with Duo. This helps prevent unauthorized access attempts from unknown devices. In the advanced tiers, users can also assess the devices’ health before granting access and block risky or non-compliant devices, such as those running out-of-date software.
Securing endpoints and servers is essential for organizations, but cybercriminals are finding ways to bypass these measures through covert attacks. Instead of directly targeting high-value assets in data centers, they gain access through laptops and move laterally through the network. As a result, relying solely on an EDR solution or a firewall is not enough to detect and prevent cyberattacks. To fully protect IT infrastructure, it’s necessary to integrate prevention, detection, and response technologies into a single solution. This is where Extended Detection and Response (XDR) comes in, providing a comprehensive approach to security.
XDR builds upon the concept of EDR and expands its scope. It goes beyond the endpoint and server by integrating data from various security tools, including firewalls, email gateways, endpoint, network, identity, DNS, public cloud tools, and mobile threat management solutions. While it is possible to connect these components manually, a comprehensive XDR solution is designed to function as a unified system in which the components are interconnected and work together seamlessly to optimize threat detection and response workflows. Cisco's XDR solution is one such system.
Cisco's Strategic Approach to XDR: Prioritizing Quality and Rapid Response
Cisco XDR is a cloud-based solution designed to enhance security operations, empowering security teams to detect, prioritize, and respond to sophisticated threats. The unified XDR solution is unique because it is not built upon an EDR solution. Instead, it focuses on risk assessment and streamlines incident investigations by leveraging Cisco's expertise and comprehensive visibility across networks, endpoints, email, cloud, identity, etc. It enables security operations centers (SOCs) to detect, understand, and address threats quickly, accelerating the remediation process with automation and guided remediation. Using machine learning and analytics, it correlates multiple telemetry sources and prioritizes detections, allowing for efficient resolution of critical incidents through guidance on response and automation. This enables the team to go from endless investigation to remediating the highest-priority incidents with greater speed, efficiency, and confidence. In contrast to traditional security information and event management (SIEM) technology, which primarily manages log-centric data and delivers outcomes/results in days, Cisco XDR focuses on cross-domain telemetry and delivers outcomes within minutes.
Although some may say that Cisco was late to enter the XDR market, the company has focused on developing a robust XDR solution rather than rushing to the market. As a result, Cisco’s XDR solution is one of the most comprehensive and flexible options available, due to its integration with Cisco’s extensive security portfolio and key third-party offerings. Cisco XDR is expected to be generally available in July 2023 after its beta phase.
Maximizing Competitive Edge: Cisco's XDR Offering and its Key Differentiators
Cisco regards an open ecosystem as an essential criterion for XDR, and its ability to gather telemetry from multiple sources gives it a distinct advantage in delivering XDR. This enables Cisco’s security portfolio to cover all six essential telemetry sources for an XDR solution: endpoint, network, firewall, email, identity, and DNS. Furthermore, by analyzing and correlating this telemetry data, Cisco can detect covert attacks that single-point solutions may miss.
Cisco benefits from the vast number of endpoints that use Cisco agents. With around 200 million endpoints running Cisco Secure Client (formerly called AnyConnect), Cisco has access to unparalleled telemetry data. This includes detailed information about individual process trees and network connections, which exceeds the endpoint offerings of leading EDR providers by four to five times.
Cisco is prioritizing prevention but recognizes the importance of network infrastructure in responding to security incidents when other measures fail. Cisco has integrated Network Detection and Response (NDR) capabilities into its XDR solution to address this. Cisco can identify sophisticated attack tactics and techniques by correlating data from multiple telemetry sources. When threats are detected, Cisco automates the investigation, response, and remediation processes to quickly and effectively address the issue.
Cisco XDR addresses a significant challenge in the ever-evolving threat landscape and the increasing number of potential vulnerabilities: integration with third-party products. For the first time, Cisco integrates with competitive third-party solutions, including EDR, NDR, firewall, and email solutions. Realizing that organizations often use tools from multiple vendors and require interoperability, Cisco overcomes the issues associated with limited integration and lack of shared telemetry.
In addition to its XDR solution, Cisco has made significant advancements in its other security offerings.
Securing SMBs: Cisco Duo's Access Management Enhancements
According to Techaisle research, 56% of SMBs and 88% of midmarket firms have experienced at least one security breach in the past year. Ransomware and Distributed Denial of Service (DDoS) attacks have become more common as many SMBs have moved to the cloud. Despite this, SMBs often underestimate their vulnerability and assume they are too small to be targeted. IT security vendors should take notice, as SMB and midmarket security spending is projected to reach US$84B in 2023. While security has been a top priority for SMBs for several years, it has only recently gained the attention of C-level executives. IT infrastructure is now considered business-critical infrastructure, with IT-dependent processes throughout SMB operations.
Small and midmarket firms recognize that the cloud increases the potential for security breaches but are confident – overly so, in Techaisle’s view – in their ability to cope with this expanded risk profile. Most SMBs rely on core security practices and technologies to address cloud-specific threats, but many are underinvested in cloud security solutions. Password compromise, identity and access management, and ransomware are increasingly coming into sharp focus.
To safeguard the identities and credentials of their employees, implementing multi-factor authentication (MFA) is one of the most effective measures that SMBs can take. Cisco offers MFA and single sign-on through its Duo offering, which has introduced numerous security innovations over the past year. These include passwordless and risk-based authentication and Verified Duo Push, all aimed directly at combating attacks. In addition, recognizing the limited resources of SMBs, Duo has made security more accessible and has redefined access management by making advanced protection available to all customers, not just those in the highest tier. For example, Cisco now offers its Duo Trusted Endpoints capability in all service tiers, including the Essentials and Advantage levels. Previously, this feature was only available at the Premier level. Duo Trusted Endpoints allows users to restrict access to corporate-managed devices or devices registered with Duo. This helps prevent unauthorized access attempts from unknown devices. Duo performs this device check at authentication time and at the application layer, eliminating any dependency on the network to enforce device-based access controls. In the advanced tiers, users can also assess these trusted devices' health.
Furthermore, Cisco has addressed the issue of MFA fatigue by enhancing Duo's Push functionality. For example, when Verified Duo Push is enabled, users no longer receive vanilla push notifications during login attempts, which can mistakenly be approved, compromising MFA’s effectiveness. Instead, with Verified Duo Push, Duo provides a numerical code that users must enter in the Duo mobile app before approving the MFA request, thereby eliminating MFA fatigue and enhancing overall security.
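The following is an added illustration, not Duo's code or API, of how the two controls described above combine into a single access decision: device trust is evaluated at the application layer before any push is sent, and the push is approved only when the user types the code displayed on the login screen, so a bare "Approve" tap is never accepted. The class names, the device-health signal and the three-digit code length are assumptions for the example.

```python
# Added illustration (not Duo's code or API) of the two controls described above: device trust
# checked at the application layer before any push, and number-matching push approval.
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple

@dataclass
class Device:
    device_id: str
    managed: bool           # corporate-managed or registered with the MFA provider
    software_current: bool  # health signal (assumed): OS/browser patched

@dataclass
class PushChallenge:
    login_id: str
    code: str  # displayed on the login screen; must be typed into the mobile app

class AccessPolicy:
    def __init__(self, trusted_devices: Set[str], check_health: bool, code_digits: int = 3):
        self.trusted_devices = trusted_devices
        self.check_health = check_health   # the text's "advanced tier" device-health check
        self.code_digits = code_digits     # digit count is an assumption
        self.pending: Dict[str, str] = {}  # login_id -> expected code

    def device_allowed(self, device: Device) -> Tuple[bool, str]:
        """Device-trust check, run before any MFA prompt is issued."""
        if device.device_id not in self.trusted_devices or not device.managed:
            return False, "untrusted device"
        if self.check_health and not device.software_current:
            return False, "device out of date"
        return True, "ok"

    def start_login(self, login_id: str) -> PushChallenge:
        """Send a push with a fresh random code; the code is shown only on the login screen."""
        code = "".join(secrets.choice("0123456789") for _ in range(self.code_digits))
        self.pending[login_id] = code
        return PushChallenge(login_id, code)

    def approve_push(self, login_id: str, entered_code: Optional[str]) -> bool:
        """Accept only a matching code for this login; each challenge is single-use."""
        expected = self.pending.pop(login_id, None)
        if expected is None or entered_code is None:
            return False  # unknown/expired login, or an approval with no code
        return secrets.compare_digest(entered_code, expected)

def authenticate(policy: AccessPolicy, device: Device, login_id: str,
                 user_types: Callable[[PushChallenge], Optional[str]]) -> Tuple[bool, str]:
    """Full flow. user_types models what the user enters in the app; None is a
    blind 'Approve' tap, the habit that MFA fatigue exploits."""
    ok, reason = policy.device_allowed(device)
    if not ok:
        return False, reason
    challenge = policy.start_login(login_id)
    if policy.approve_push(login_id, user_types(challenge)):
        return True, "verified push"
    return False, "push not verified"
```

Because the code exists only on the screen of whoever initiated the login, a user who did not start the attempt has nothing to type, and the approval fails regardless of how many pushes arrive.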
DNS Protection: Proactive Defense with Cisco Umbrella's DNS-layer Security
Cisco Umbrella is a cloud-delivered edge threat defense and compliance capability. It is available both as a DNS-layer offering and as a comprehensive secure internet gateway (SIG) platform with secure web gateway, firewall, remote browser isolation, DNS-layer security, data loss prevention, and cloud access security broker (CASB) functionality to safeguard users and systems on and off the corporate network.
For SMBs seeking efficient resource management, it is crucial to implement security measures that offer comprehensive, measurable, simple-to-deploy, and cost-effective protection. Unfortunately, only 15% of small businesses are currently using DNS-layer security. In contrast, 70% of core midmarket and 81% of upper midmarket firms have adopted some DNS-layer security. Therefore, SMBs should prioritize security measures that address vulnerabilities and threats at the foundational levels of their network infrastructure. One highly effective measure is DNS protection, and that's where Umbrella comes in. Umbrella offers four main packages for DNS: DNS Security Essentials, DNS Security Advantage, SIG Essentials, and SIG Advantage. SMBs should consider these packages to strengthen their security measures.
Traditional security methods typically detect and block malware at the network appliance or endpoint layer after it has already entered the network. However, with Umbrella’s DNS-layer security, SMBs can intercept attacks earlier by preventing threats from reaching the network or endpoints. Umbrella analyzes internet activity patterns to identify infrastructure associated with threats and proactively blocks requests to malicious destinations before a connection is established, effectively preventing harm or compromise before it can occur.
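An added illustration of the mechanism just described, not Umbrella's code, API or data: a policy-enforcing resolver answers the lookup for a flagged destination with a block-page address, so the client never opens a connection to the malicious host. The blocklist, upstream records and addresses are constructed sample data from the documentation ranges.

```python
# Added illustration (not Umbrella's code, API or data) of DNS-layer blocking:
# the lookup for a flagged destination is answered with a block-page address,
# so the client never opens a connection to the malicious host.
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample data; a real deployment is fed by the provider's threat
# intelligence, and the upstream table stands in for normal recursion.
BLOCKED_DOMAINS: Set[str] = {"malware-drop.example", "phish-login.example"}
UPSTREAM_RECORDS: Dict[str, str] = {
    "intranet.example": "10.0.0.5",
    "cdn.malware-drop.example": "203.0.113.10",
    "phish-login.example": "203.0.113.20",
    "www.vendor.example": "198.51.100.7",
}
BLOCK_PAGE_IP = "192.0.2.1"  # sinkhole / block page address (documentation range)

def matches_blocklist(qname: str, blocklist: Set[str]) -> Optional[str]:
    """Return the blocked domain covering qname, checking the name and each
    parent, so subdomains of a flagged domain are caught too."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None

class PolicyResolver:
    def __init__(self, blocklist: Set[str], upstream: Dict[str, str], block_ip: str):
        self.blocklist, self.upstream, self.block_ip = blocklist, upstream, block_ip
        self.log: List[Tuple[str, str, str]] = []  # (qname, verdict, answer) for the SOC

    def resolve(self, qname: str) -> Tuple[str, str]:
        """Apply policy before recursion: a blocked name never reaches upstream."""
        hit = matches_blocklist(qname, self.blocklist)
        if hit is not None:
            self.log.append((qname, "blocked:" + hit, self.block_ip))
            return "blocked", self.block_ip
        answer = self.upstream.get(qname.rstrip(".").lower())
        if answer is None:
            self.log.append((qname, "nxdomain", ""))
            return "nxdomain", ""
        self.log.append((qname, "allowed", answer))
        return "allowed", answer
```

Only lookups that pass through the policy resolver are covered; a host that uses a hard-coded IP address or a different resolver bypasses this layer, which is why DNS-layer security complements rather than replaces endpoint and network controls.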
Strengthening Partnerships: Cisco's Commitment to Partner Success
Channel partners have played a crucial role in Cisco's success. Nearly 30 years ago, the company adopted a partner-led business model, and today, approximately 90% of its revenue is generated through partners. Therefore, Cisco continues strengthening its programs, offerings, and ecosystem and expanding into additional routes to market to empower and support its partners. For example, Umbrella is not only sold through partners, but some partners provide Umbrella as a managed service.
The network has traditionally been a significant area of security focus, and data confirms that it represents an active market for security-as-a-service providers, with 68% of midmarket businesses currently using network security-as-a-service. Techaisle believes this will remain a robust market as new networking and security requirements (e.g., Edge connectivity and Zero Trust network access) increase the scope and criticality of corporate networks.
Recognizing the vital role played by partners, Cisco is committed to establishing solid alliances that benefit all parties involved and contribute to collective success. To achieve this, Cisco is streamlining its go-to-market strategy and making significant investments in its partners to unify its cybersecurity portfolio and strengthen its position in the security industry.
Cisco’s partner growth strategy focuses on three key areas: Secure and Grow the Base, Secure the Platform, and Secure the SOC (Security Operations Center). The first area, Secure and Grow the Base, involves partner offers related to firewall upgrades and sales. Partners are encouraged to promote upgraded firewall solutions to existing customers. The second area, Secure the Platform, includes initiatives such as ‘Connect and Protect’ and ‘One Year on Us,’ which offer competitive pricing and differentiated margins to help partners close new deals. The third area, Secure the SOC, will focus on Cisco’s XDR offering, with more details to be revealed in the coming months.
Cisco has also introduced the “Security Step-Up” promotion, which incentivizes partners who sell Duo, Umbrella Secure Internet Gateway, and Email Threat Defense together. This allows partners to enhance their customers’ overall security posture.
Cisco recognizes that its security offerings have become complex for its partners and is taking steps to simplify them. It is consolidating its 27 cybersecurity solutions into three suites and reducing the number of its sales teams from twelve to four. These changes will streamline the sales approach and decrease partner and customer engagement complexity.
Overall, Cisco’s actions demonstrate its commitment to improving the experience for its partners and end-customers.
Cisco’s Security Cloud to be strengthened by Armorblox acquisition
As this article was being written, Cisco announced its intention to acquire Armorblox, a company that applies Large Language Models (LLMs) and natural language understanding to cybersecurity. The acquisition aims to enhance Cisco’s AI-first Security Cloud by incorporating Armorblox’s predictive and generative AI. Armorblox initially applied its techniques to securing email, a common attack vector for businesses, but Cisco sees many further security use cases for the acquired technology. According to Techaisle’s latest data, 32% of midmarket and upper-midmarket firms are interested in AI-based cybersecurity solutions.
Final Techaisle Take
The launch of XDR represents a significant opportunity for Cisco to expand its business. While Cisco already has a strong position in networking, gaining more market share will be difficult due to competition. The security field, however, is wide open, with no single vendor holding a significant market share.
With XDR, Cisco can leverage its extensive network infrastructure to address security challenges that were previously difficult to manage. If successful, this could drive the company’s next phase of growth. One advantage Cisco has is the vast amount of data it possesses due to its large customer base and dominance in networking.
As the market becomes flooded with specialized security solutions, an important question arises: Who can effectively integrate and manage all these different solutions? Cisco is making changes to position itself as a leading contender. As a comprehensive solution provider, Cisco can fill gaps in the cybersecurity landscape and ensure a cohesive approach to security, especially cloud security.