Advanced SOC Using Cisco Security - White Paper Ver 2.0


Next-Gen Security Operations Center Services

Managed Detection and Response


Table of Contents
BACKGROUND
OVERVIEW
ROAD TO MDR
KEY CAPABILITIES FOR MDR
SERVICE OFFERINGS
SOC – TOOLS DEPLOYMENT ARCHITECTURE
INCIDENT RESPONSE AND THREAT HUNTING
WHY CISCO?
ACCELERATE YOUR SOC WITH CISCO SECURITY
ANNEXURE-I: COMMON TOOLS FRAMEWORK FOR MDR SERVICE OFFERINGS WITH SIEM AND SOAR PLATFORMS

Background
Security attacks are becoming increasingly complex and sophisticated. Investments in preventive
security solutions alone are not enough. Addressing such complexity and sophistication requires the
development of intelligent, integrated monitoring capabilities incorporated into an incident response
program. Arguably, getting compromised at some point is inevitable. Former CEO of Cisco Systems,
John Chambers, once said, “There are two types of companies: those who have been hacked and those
who don’t yet know they have been hacked.” So, be warned: a security breach is not an if but a when.
The good news is that a breach does not necessarily mean that the business will immediately
experience negative impact. Attackers usually need time to accomplish their objectives beyond gaining
unauthorized access to the network. Discovering and preventing this type of behavior is just one of the
many reasons organizations develop a SOC.

Our understanding of the Security Operations Center and the services expected of it has changed over
time. This reflects the number of cyber security incidents we see and hear about around the world, which
is changing our perception of the criticality of information assurance and security operations. The
transformation comes in response to the ever-changing security threat landscape, and to our increasing
adoption of formal information security standards, which require the establishment and management of
a formal security operations model and review processes.

The SOC’s journey over the past 15 years can be broken into incremental generations. This whitepaper
discusses the design and operational needs of the next-generation SOC and its capabilities in
response to the dynamic threat landscape.

Overview
Security teams know their environments are being targeted by advanced threats, but often lack the
bandwidth, tools, and budget to adequately respond. As a result, organizations of all sizes are
choosing to augment their in-house IT security with managed security services.

Enterprises have a unique opportunity to alleviate many of their security burdens. By partnering with
the right security vendor, security services become a profitable way to differentiate from the
competition and strengthen existing customer relationships.

Research from IDC shows that in the last 12 months alone, up to 70% of companies worldwide have
engaged with a service provider for security services.

Typical enterprises monitor network security controls and may raise alerts when anomalies are
identified. This does not help investigate the anomalies to eliminate false positives, nor does it
respond to real threats. Abnormalities in network usage are simply forwarded to IT personnel, who must
then dig through the data to determine whether there is a real threat and what to do about it. That is
not enough: enterprises must graduate from typical incident response services to Managed Detection
and Response (MDR) services.

What is MDR?

Organizations are moving from consuming standard MSSP services built around SIEM-centric solutions
to what the market refers to as Managed Detection and Response (MDR) services, which extend the
legacy MSSP and SOC offerings by gaining context and deep knowledge to achieve higher threat
detection success. The figure below shows the additional capabilities an MDR provider delivers to
achieve the objectives of higher fidelity and deeper analysis.

[Figure: MSSP (Managed Security Service Provider) versus MDR (Managed Detection & Response), plotted against depth of context and knowledge from low to high. MSSP: known threats (rules based), rule-based detection correlation, limited log data, sensor-fired notification, customer-owned devices, health and welfare monitoring. MDR adds: unknown and known threats (advanced analytics), incident response, proactive threat hunting, forensic investigators and data scientists, full-packet capture, advanced security analytics, continuous monitoring, technology stack provided, threat intelligence.]

Additional capabilities that an MDR introduces include high-value threat intelligence consumption and
research, and the provisioning of an advanced technology stack with adaptive and continuous monitoring
that supports detection and response, proactive threat hunting, and integrated automation and
orchestration.

As enterprises prepare to adopt MDR service capabilities, it is important to identify the right tools
covering the key telemetry data. These tools serve as sensors on the ground, feeding threat-centric
telemetry to the SOC and helping it to prevent, detect and respond continuously to eliminate
real-world threats.

Road to MDR
In the past, as enterprises built their SOC services, there was a heavy reliance on SIEM tools. They
were built to collect log data from various sources and correlate it to deliver alerts to the SOC
dashboard. Integrating different vendor systems with varied sets of log formats was the biggest
challenge for the SOC in bringing up a fully scoped and converged system. Once scoped and fully
integrated, SOC analysts would then pick up and analyse the alerts in the pipeline for threats. The
increasing number of alerts thrown by such systems led to alert fatigue. It was not trivial for the SOC
to prioritize the critical alerts amongst the flood, which inherently reduced the efficacy of such
systems. Arguably the event telemetry and content from disparate, siloed systems could not deliver
the results the systems were built for. The underlying sensors and enforcement solutions were limited
in capability and therefore ineffective without integration of contextual and threat-intelligence
data points. Moreover, the sensors and policy enforcement solutions relied on a prevention-centric
approach, missing detection and response capabilities, and therefore failed to cover all seven stages
of an attack kill-chain.
Key capabilities for MDR
A SOC strategy for MDR services should address threat detection and hunting in addition to basic
incident response capabilities. Underpinning these tools, telemetry sensors should be deployed to
address all major attack vectors. Key capabilities should include:

• End-point Detection and Response – Data is the crown jewel that security solutions protect, and
in most cases it is the end-point (client or server workload) hosting this data that has to be
monitored and protected continuously to protect those crown jewels.

• Security Analytics – With the prevalence of transactional and contextual telemetry available for
analytics, analytic tools employing machine learning techniques such as unsupervised learning and
entity modelling are essential to analyse and correlate data at scale and to reduce millions of
events to tens of actionable alarms. Network Behavioural Anomaly Detection that correlates
application-driven insights with the workload process inventory helps deliver these results.

• DNS Security intelligence – DNS is the most useful and most ignored vector to monitor for cyber
security attacks. DNS security helps detect zero-days, as most malware and phishing attacks use
domain-name resolution to reach out. DNS security should monitor all recursive DNS calls to catch
the bad ones, and should watch for patterns that correlate with historical trends to predict and
isolate attacks lurking in the dark.

• Next-Gen security visibility and control across network, end-point and cloud – Gain visibility
through tools that enable continuous monitoring of file and process hashes, user identities,
application visibility, workload monitoring across bare-metal, multi-cloud, containers, SaaS
apps and shadow-IT systems.

• Software-defined segmentation – Reduces the attack surface between users and applications by
combining user-trust, device-trust, application-trust and workload-trust with threat context at all
levels, deriving policy decisions per transaction. This is an ideal zero-trust segmentation strategy
to reduce the attack surface.

• Threat Intelligence based dynamic policy correlation and control – Integrated security
intelligence to correlate transactions against white-listed policies for threat-centric access
controls, using reputation feeds on domains, URLs, files and file hashes, together with system-driven,
tuned and context-aware intrusion policies.

• Integrated security controls for automated response – Integrated controls between end-point,
network and cloud security solutions that trigger mitigation workflows upon detection, immediately
offloading work from security analysts and SOC tools.

• Security Orchestration, Automation and Reporting tools – Threat defence beyond prevention
requires an incident response workflow to be triggered. With SOAR tools, much of it can be
automated beyond the integrated response actions the underlying tools can accomplish. SOAR
tools are required to build the SOC IR workflows as a logical flow of tasks, including both
automated ones and those that require human intervention, using ITSM ticketing process
modules.

As a provider of MDR services, the MSSP deploys tools and systems catering to its customers' needs,
delivering incident response, threat hunting, threat intelligence, SOAR etc. The outcome from these
tools depends on the visibility and the richness of the telemetry data made available as input. In
that context, telemetry sensors play a critical role in MDR services. You can’t protect what you can’t
see. Enterprises must deploy threat detection sensors that feed the SOC so it can protect, detect,
respond, investigate and remediate the threats identified in the process. Such tools also deliver
functional outcomes such as EDR, DNS based protection and NGFW controls at the perimeter for the
IT systems in scope.

| S.no | Tools & Systems | Security Operations - MDR Capabilities | IT Security - Functional Outcome |
|---|---|---|---|
| 1 | Security Information and Event Management (SIEM) | Incident Response, Threat Correlation and Analysis, Investigation and Case Management | Log Management, Security Incident Management |
| 2 | Security Orchestration Automation and Response (SOAR) | SecOps Incident Response & Remediation workflow automation & orchestration | Security workflow automation |
| 3 | Endpoint Detection and Response (EDR) | Endpoint threat detection, response and remediation | Endpoint security tool |
| 4 | DNS Security Monitoring, Intelligence and Enforcement | DNS telemetry sensors monitoring threats using DNS recursive lookups; Global DNS threat intelligence feeds | DNS based security policy enforcement |
| 5 | Security Analytics using network flow and other contextual telemetry including application, workload, device and user insights | Security Analytics using Machine Learning for entity modelling, unsupervised learning delivering actionable incidents derived from millions of observables | Flow data collection and retention for forensics |
| 6 | Threat intelligence platform | Global threat telemetry for correlation of threats against industry renowned sources for enrichment and impact analysis | NA |
| 7 | Software-defined segmentation/access | NA (Preventive measure for SecOps – Segmentation reduces blast radius, reducing the attack surface) | Trusted access using user-device context and workload-apps context, governing policy control using software-discovered intelligence rather than mere admin-defined white/black list policies |
| 8 | Next-Gen Firewalls at the perimeter with deep insights including application visibility and control, file inspection and intelligence driven dynamic threat correlation | Network-based sensors for threats crossing perimeters at the multi-cloud environments, with correlated and enriched events (can be deployed in passive mode too for sensor-only functions) | Perimeter Security with Deep-packet inspection |

Amongst the tools/systems described above, some have a shared business outcome as a generic IT
security deliverable. When considering deployment of tools for MDR, MSSPs should take due care in
identifying those tools to scope the environment under monitoring. Some of the tools deployed in a
customer environment can be leveraged as a sensor. For example, an NGFW deployed for perimeter
security can be used to source the relevant data feeds. It can also be deployed in passive mode to
act as a sensor for MDR services without impacting normal operations. This applies to cases where
customers continue to use first-generation firewalls with basic L4 control lists.

Service offerings
SOC services have been in the market for more than a decade now, and with MDR, MSSPs are making
them more relevant to the prevailing cybersecurity threat landscape by adding proactive threat hunting
to incident response. Some choose to offer services scoped to end-points, such as Managed EDR
focusing on threats reaching the end-point systems. This modular approach sets a roadmap for
customers to take up fully featured MDR services as they mature and transition from their current
state of operations.

The following table describes some of the service offerings MSSPs can offer:

| Service | Scope of service | Key Performance Indicators |
|---|---|---|
| 1. Managed Endpoint Detection and Response services | Endpoint and workload focused threat detection and response services | Time to Detect; Time to Respond; Time to Recover; Time to Remediate; Proactive threat hunts |
| 2. Multi-cloud security with EDR + DNS Security + Security Analytics | Protection lattice extending from endpoint/workloads to multi-cloud environments with DNS Security and Security Analytics | Time to Detect; Time to Respond; Time to Recover; Time to Remediate; Proactive threat hunts |
| 3. Fully featured Managed Detection and Response | Identify, detect, protect, respond and remediate across all threat vectors with proactive threat hunting | Time to Detect; Time to Respond; Time to Recover; Time to Remediate; Proactive threat hunts |
| 4. NG-SOC covering traditional IT Security Management and MDR | Fully featured SOC services with IT Security Administration and Threat Response through analysis and hunting processes | Time to Detect; Time to Respond; Time to Recover; Time to Remediate; Proactive threat hunts; plus regular KPIs for IT Security Management |

SOC – Tools deployment architecture

MSSPs leverage tools and systems across their customer footprint, deployed in a multi-tenant form
that supports segregation of data between customer tenants. This enables the MSSP to deliver services
such as log collection, correlation, incident response and threat hunting within the realm of a customer
environment. At the same time, it also enables their shared pool of SOC analysts, incident responders
and threat hunters to triage an incident, investigate, respond and remediate by pivoting from an
MSSP console showing multi-customer data points to a customer-specific console for deeper
analysis.
Fig: SOC Architecture overview for MDR

Incident Response and Threat Hunting


In the past, data sources were configured to export logs of security events, and this continues in
SOCs whose SIEM-driven incident response processes lean heavily on log management and reactive
threat response. For an MDR service to be effective, MSSPs need to build an active and rich set of sensor
feeds from endpoint, network, DNS, web and email inspection systems to derive observables based on
threat and behavioural analytics. Context-based enrichment is done using identity, application and
user-agent data to obtain actionable insights from different sources. Threat-intelligence-based
correlation enables SOC analysts to perform threat hunting exercises, taking references from various
threat intel sources. This can lead to response and remediation by means of policy change.

The following schematic shows the pipeline for incident response and threat hunting workflows in a
typical SOC using the Cisco Security portfolio.
Why Cisco?
The possibility of cyberthreats shouldn’t restrain the speed of business. Better security empowers
companies to go faster and be more innovative. The simpler the integration of security, the more your
customers can concentrate on what matters the most.

How is Cisco different? Most of the security tools today work in isolation. Cisco security solutions are
well-integrated, have threat intelligence built-in, and leverage your existing IT infrastructure. When
every tool in your arsenal presents a consistent story about the threat you are seeing, it makes it
easier to respond to it effectively. Another big differentiator is Cisco Talos, which underpins the entire
portfolio. They are the largest non-governmental threat intelligence organization on the planet
analyzing 1.5 million unique malware samples a day. And you can get access to the expertise of the
Talos team, and their most up-to-date threat feed at no additional cost.

Does it work with other vendors' security tools? Cisco Security products can be integrated with other
non-Cisco solutions easily. As part of our efforts under the Cisco Security Technology Alliance
(CSTA), we have over 160 partners (such as IBM, Apple, etc.) representing 280+ product platform
integrations that leverage our open APIs and SDKs. These integrations span over 15 technology
areas, from Security Orchestration, Analytics & Reporting (SOAR) systems to deception technologies
to IoT visibility platforms, which together bolster a customer’s cyber defenses. Additionally, solutions like
Stealthwatch are vendor-agnostic and can be deployed to collect and analyze telemetry from any
network infrastructure. Our solutions, including Threat Response, also integrate with your existing
SIEM deployments and can further optimize them. A number of APIs are made available, for
example by Threat Grid and Umbrella Investigate, to customize workflows according to your business
logic.

Are we talking about more products and new dashboards? Not at all: Cisco Security solutions are
built to reduce the burden on the analyst. That means we aren’t going to raise a bunch of alerts
and leave it to the analysts to connect the dots. The alarms are supplemented with contextual
information, infused with threat intelligence, powered by industry-leading security analytics, and
prioritized by threat severity. As an example, 95% of Stealthwatch Cloud alerts are consistently
marked helpful by users. And we have recently introduced an exciting new innovation, Cisco Threat
Response, that integrates our security solutions, graphically illustrates the extent of a compromise,
and allows investigation and response, all from one place.
Accelerate your SOC with Cisco Security
Cisco empowers the modern SOC for faster incident response
Defending an organization from security threats is tougher than it’s ever been. Security Operations
Centers (SOCs) are understaffed, and at the same time analysts are overwhelmed with alerts from
disparate products that don’t work together, all while struggling to keep pace with the latest threats.
According to the 2018 Cisco Annual Cybersecurity Report, only a little more than half of the alerts an
organization receives daily are investigated. And of those that are found to be legitimate, only 51%
are remediated.

Also, the role of the SOC is constantly expanding. Gartner projects that by 2022, 50% of all SOCs will
transform into modern SOCs with integrated incident response, threat intelligence and threat hunting
capabilities, up from less than 10% in 2015 [1]. This transformation creates more work for SOC
managers and analysts, and Cisco can help customers transform in a way that is simpler to execute
and more effective to use as an end-to-end solution for all of their workflows.

Security professionals in the SOC have a need for speed. They want to discover and get to the root
of problems faster, so they can quickly mitigate them and move on to the next potential issue. Cisco,
with specialty tools designed for the SOC that actually work well together, is in a great position to help
SOCs respond faster!

Cisco Security Portfolio for SOC


Cisco’s security portfolio spans network, end-point and cloud. The following products play a
crucial role in accelerating the SOC by improving efficacy and by reducing the time to detect and
investigate threats.

Stealthwatch
Detect threats faster across the network and in public cloud infrastructure…even in encrypted traffic!

Key Features
• Continuous network behavior monitoring, on-premises and in the cloud
• Advanced security analytics including machine learning to reduce alerts to critical threats
• Unmatched control to fine-tune security alarms based on business logic
• Host reports and network audit trails for faster investigations.
For more details, visit http://www.cisco.com/go/stealthwatch
AMP for Endpoints
Detect and respond to threats on the endpoint faster with continuous file monitoring

Key Features
• Cloud-based analytics to detect and stop advanced malware
• Holistic view of endpoints, regardless of operating system
• Dynamic file analysis and sandboxing to discover unknown threats
• Latest threat intelligence from Talos and Threat Grid
• Automated remediation across all attack vectors
For more details, visit http://www.cisco.com/go/ampendpoint

Threat Grid
Analyze suspicious files faster and safer

Key Features
• Correlation against millions of samples and billions of malware artifacts
• Threat score and behavioral indicators for prioritized malware response
• Suspicious files are automatically analyzed
• Premium feeds can be easily integrated into existing security technologies
For more details, visit http://www.cisco.com/go/threatgrid

Umbrella Investigate
Analyze suspicious domains, IPs and malware across the internet faster with greater context

Key Features
• Intelligence about domains, IPs, and malware across the internet
• Live graph of DNS requests and other contextual data
• Correlated against statistical models
• Discover and predict malicious domains and IPs
• Enrich security data with global intelligence
For more details, visit http://www.cisco.com/go/umbrellainvestigate
Cisco Threat Response - Security that works together
Cisco Threat Response is an exciting new innovation and key pillar of our integrated security
architecture. It automates integrations across Cisco Security products and threat intelligence sources,
accelerating critical security operations functions. Thus, it addresses the key SOC challenges
mentioned earlier: it’s a solution the industry is crying out for!

• Out of Box integrations – Customers get more from their Cisco Security investments when
they are already working together
• Designed for the SOC - Reduces the burden on other security products and makes them
work better
• Save time and effort - Speeds cyber investigations significantly to take corrective action
immediately
• No additional cost - Customers can get it today with integrated Cisco Security product
licenses.
For more details, visit http://www.cisco.com/go/ctr
Annexure-I: Common tools framework for MDR service offerings with
SIEM and SOAR platforms
Whether it is a fully developed MDR system covering all threat vectors or an EDR-driven SOC, enterprises
need a common tools and process framework, preferably one that can fit in incremental threat
detection capabilities over a period of time. The tools framework depicted below is based on the Cisco
security portfolio for an MDR SOC, supported by integrations with SIEM and SOAR systems for incident
response orchestration and automation.

Telemetry sensors (Threat detectors)

Visibility is key for security operations: continuous monitoring leads to threat detection,
investigation and response. The telemetry sensors lined up here are a key source for this overall tool
framework, feeding the SIEM with enriched, actionable event data and, in some cases, automatically
remediated actions and their corresponding data feeds. These sensors can be deployed in sensor-only
mode, delivering detection capabilities for MDR services. In that case they are configured in
audit/log mode without interfering in regular IT operations, and IT security admins then run the
remediation workflows to recover and remediate the systems affected by investigated incidents. Where
these sensors double up as policy enforcement tools, the remediation action can be automated as
threats are detected, or triggered post-investigation. Open APIs supported in these systems allow
remediation to be executed through a feedback loop, and allow tickets to be raised in ITSM to trigger
appropriate remediation workflows such as patching and reimaging.

Within these sensor platforms, there are many capabilities for threat detection and continuous
monitoring of file, user, process and network activity in a typical IT environment that eliminate the
need for manual correlation rules to be built in SIEMs for the majority of use-cases. Some of the inbuilt
capabilities include:

1. Endpoint threat sensors for Anti Malware and File Analysis
a. System Process Protection – Protects key system processes in Windows from memory
injection attacks
b. Exploit Prevention – Makes memory layout unpredictable, using decoys, to identify file-less
malware automatically
c. Malicious Activity Protection – Continuously monitors for abnormal behaviour of programs
running on Windows endpoints; helps detect ransomware and quarantine it automatically
d. Automated file analysis based on low prevalence – Automates analysis of files that have low
prevalence across the organization and quarantines the malicious ones
e. Signature matching and fuzzy finger-printing of file hashes against the global threat intelligence
database – Performs hash lookups for files that are downloaded to disk, copied or moved,
to identify malware
f. AV signature scanning – Scans files against AV signature data downloaded locally to the agents
and quarantines malicious files
g. Custom Detection for outbreak control – Gives security analysts control to apply filters
for files and apps upon detection during an outbreak
h. Device flow correlation – Monitors all network flows in and out of the device to detect post-
infection activities, serving as a breach detection mechanism
i. Cloud Indicators of Compromise mapping for post-infection detection – Correlates
behaviours with cloud-delivered behavioural IOCs to detect breach situations
j. Cognitive Threat Analytics performed on web proxy transactions using machine-learning-driven
algorithms to detect threats in client-less environments

2. DNS security monitoring, enforcement & Intelligence
k. DNS Monitoring delivers complete visibility into internet activity across the enterprise's
devices and users and blocks threats as a first line of defense.
l. Intelligently proxies outbound traffic based on the maliciousness of the domain being
accessed.
m. Stops phishing and malware infections and identifies breach conditions to prevent data
exfiltration.
n. Intelligence provides a complete view of the relationships and evolution of domains, IPs,
ASNs and file hashes.
o. Discovers applications used in the environment as shadow IT and validates the risk. Extends
monitoring of user activity and data stored for sanctioned applications.

3. Security Analytics across network and multicloud using flow telemetry and log data
p. Dynamic entity modelling and device flow correlation to detect threats enterprise wide
including datacentre, branch and campus, virtual private cloud and public cloud
environments.
q. Monitors public cloud using flow telemetry analytics and configuration changes, machine-
machine calls and admin actions through API integration.
r. Correlated alarms from millions of observables to detect recon, data exfiltration, data
hoarding, privilege escalations, Denial of Service etc.
s. Context-aware visibility, threat detection and incident response capabilities without
defining any rules.
t. Encrypted traffic analysis for compliance and threat detection without having to decrypt
any payload, using supervised machine learning algorithms.

4. Deep network visibility for applications, encrypted traffic and intrusions correlated with
vulnerabilities
u. Application visibility and control for investigation and remediation through network traffic
data
v. Configurable decrypted traffic inspection and intrusion detections correlated with CVE
database and host profiles.
w. Correlated event visibility and event prioritization based on user identity and user-agent
data.

5. Application flow analytics using workload sensors for policy compliance, and continuous
integrity and vulnerability monitoring
x. Application workload vulnerability data and integrity monitoring
y. Detection of lateral movements using east-west policy control and compliance
z. Behavioural data leak detection and application dependency mapping
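As an added illustration of items 1(d) and 1(e) above (low-prevalence file analysis and hash lookup against threat intelligence), the following Python sketch is not Cisco's code: it parses constructed endpoint sensor lines, counts on how many distinct hosts each file hash has been seen, and triages each hash into quarantine, sandbox analysis or allow. The hashes, hosts, log format and prevalence threshold are all assumptions made for the example.

```python
"""Low-prevalence file triage over constructed endpoint telemetry.

Added example, not Cisco's code. Illustrates two of the endpoint sensor
capabilities listed above: hash lookup of downloaded/copied/moved files
against a threat-intelligence set, and automatic analysis of files that are
rare across the organization. All values below are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Constructed stand-in for a global threat-intelligence hash database.
KNOWN_BAD_SHA256: Set[str] = {"b" * 64}

# A hash observed on fewer than this many distinct hosts is "low prevalence"
# and is queued for dynamic (sandbox) analysis. The threshold is an assumption.
LOW_PREVALENCE_HOSTS = 2

# Events that bring a file to disk and therefore trigger a lookup (item e).
LOOKUP_ACTIONS = {"download", "copy", "move"}

REQUIRED_FIELDS = {"host", "sha256", "path", "action"}
_SHA256 = re.compile(r"^[0-9a-f]{64}$")
_KV = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class FileEvent:
    host: str
    sha256: str
    path: str
    action: str


@dataclass
class Verdict:
    sha256: str
    hosts: List[str]      # distinct hosts the file was seen on
    disposition: str      # "quarantine", "analyze" or "allow"
    reason: str


def parse_events(lines: Iterable[str]) -> List[FileEvent]:
    """Parse constructed 'key=value' sensor lines; drop malformed records."""
    events = []
    for line in lines:
        fields = dict(_KV.findall(line))
        if not REQUIRED_FIELDS <= set(fields):
            continue                      # incomplete record, skip
        digest = fields["sha256"].lower()
        if not _SHA256.match(digest):
            continue                      # not a SHA-256: skip rather than guess
        if fields["action"] not in LOOKUP_ACTIONS:
            continue                      # e.g. a plain "read" triggers no lookup
        events.append(FileEvent(fields["host"], digest, fields["path"], fields["action"]))
    return events


def prevalence(events: Iterable[FileEvent]) -> Dict[str, Set[str]]:
    """Distinct hosts per hash; counting events would overstate prevalence."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        seen[e.sha256].add(e.host)
    return seen


def triage(events: Iterable[FileEvent],
           known_bad: Set[str] = KNOWN_BAD_SHA256,
           threshold: int = LOW_PREVALENCE_HOSTS) -> Dict[str, Verdict]:
    """Known-bad wins regardless of prevalence; rare unknowns go to analysis."""
    verdicts: Dict[str, Verdict] = {}
    for digest, hosts in prevalence(events).items():
        if digest in known_bad:
            disp, why = "quarantine", "hash matched threat intelligence"
        elif len(hosts) < threshold:
            disp, why = "analyze", f"seen on {len(hosts)} host(s), below {threshold}"
        else:
            disp, why = "allow", "common across the organization, no intel match"
        verdicts[digest] = Verdict(digest, sorted(hosts), disp, why)
    return verdicts


# Constructed sensor lines; the hashes are placeholders, not real samples.
SAMPLE_LINES = [
    "host=wks-01 sha256=" + "a" * 64 + " path=C:/Users/u1/setup.exe action=download",
    "host=wks-02 sha256=" + "a" * 64 + " path=C:/Users/u2/setup.exe action=copy",
    "host=wks-03 sha256=" + "A" * 64 + " path=C:/Users/u3/setup.exe action=move",
    "host=wks-01 sha256=" + "c" * 64 + " path=C:/Temp/invoice.scr action=download",
    "host=wks-01 sha256=" + "c" * 64 + " path=C:/Temp/invoice2.scr action=copy",
    "host=wks-04 sha256=" + "b" * 64 + " path=C:/Temp/x.dll action=download",
    "host=wks-05 sha256=" + "b" * 64 + " path=C:/Temp/x.dll action=download",
    "host=wks-06 sha256=notahash path=C:/Temp/y.dll action=download",
    "host=wks-06 sha256=" + "d" * 64 + " path=C:/Temp/z.txt action=read",
]

if __name__ == "__main__":
    for v in triage(parse_events(SAMPLE_LINES)).values():
        print(v.disposition, v.sha256[:8], v.hosts, v.reason)
```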

With the telemetry sensors delivering threat detection, investigation and hunting capabilities across
threat vectors, Cisco’s CTR enables security analysts with a threat hunting tool to accelerate threat
investigations.

Cisco Threat Response

Unlike other siloed security vendors providing syslogs and API access to their security systems, Cisco
has innovated a unique threat investigation and hunting platform to serve as a workbench for its
customers, available from the cloud at no additional cost. This system is provided at no cost for Cisco
Security customers, with inbuilt threat intelligence, threat investigation and response capabilities. SOC
analysts can use this platform in three simple ways, as shown in the diagram below: to aggregate and
correlate security incidents across network, end-point and cloud, to simplify investigations via
automation, and to remediate incidents across network, end-point and cloud.

Key benefits
Aggregated Threat Intelligence - Cisco Threat Response integrates threat intelligence from Cisco
Talos and third-party sources to automatically research Indicators of Compromise (IOCs) and confirm
threats quickly.

Automated Enrichment - Cisco Threat Response adds context from integrated Cisco Security
products automatically so that you know instantly which of your systems were targeted and how.

Incident Tracking - Cisco Threat Response provides the capability you need to collect and store key
investigation information, and to manage and document your progress and findings.

Seamless Drill-Down - Cisco Threat Response makes it easy to continue deeper investigations into
integrated Cisco Security products. For example, with one click, you’re inside Cisco AMP for
Endpoints with detailed information on how suspicious files travelled through your network.

Intuitive, Interactive Visualizations - Cisco Threat Response shows your results on intuitive,
configurable graphs and timelines for better situational awareness and quick conclusions.

Direct Remediation - Cisco Threat Response lets you take corrective action directly from its
interface. Block suspicious files, domains, and more - without having to log in to another product first.

When using Cisco Security for telemetry sensors in their MDR solution framework, enterprises can put
Cisco Threat Response in the pipeline and reduce the burden on SOC analysts. With no additional
cost for operations, it saves time and effort in incident investigation and remediation. It
comes with out-of-the-box integrations to help deliver results right from day 1.

While an NG-SOC with continuous monitoring, detection and response for advanced SOCs is being
deployed, customers with hybrid solutions will need to ingest all event data into a SIEM for
cross-correlation and to cover other non-Cisco delivered capabilities. At this stage the event data
from all those data sources, and from Cisco Security, can be ingested into the SIEM for cross-
correlation as necessary. The resulting alarms can be logged to digitally signed storage in addition
to the raw logs in the SIEM.

With the number of automated detection techniques using a combination of heuristics, behavioural
analysis, dynamic entity modelling and other machine learning algorithms, we can expect a handful of
alarms for analysts to work with. These can then be prioritized based on a risk-driven approach, as
always. SOC playbooks built to handle various incident response situations can now be classified into
those that are automatically remediated, those remediated through an inter-domain workflow, and
those requiring analyst-driven remediation. The orchestration and automation capabilities of SOAR can
be used for the second and third categories of incidents to build workflows and to trigger either a
machine-to-machine or an analyst-driven response action through incident management systems.
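The risk-driven prioritization and the three playbook categories described above, as an added example that is not Cisco's code or any SOAR product's API: each enriched alarm is scored, sorted by risk, and assigned to the automatically remediated, inter-domain workflow or analyst-driven path, with the corresponding machine-to-machine or ticketed action. Alarm fields, scoring weights, thresholds and the sample alarms are constructed assumptions; note that a sensor deployed in audit/log mode cannot be asked to remediate, so its alarms never take the automatic path.

```python
"""Risk-driven routing of alarms into the three playbook categories.

Added example, not Cisco's code or a SOAR product's API. Alarm fields,
weights, thresholds and sample alarms are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import List

AUTO = "auto-remediated"
WORKFLOW = "inter-domain-workflow"
ANALYST = "analyst-driven"


@dataclass(frozen=True)
class Alarm:
    alarm_id: str
    source: str                 # raising sensor: "edr", "dns", "analytics", "ngfw"
    severity: int               # 1 (low) .. 5 (critical), as set by the sensor
    confidence: float           # 0..1 from analytics / intel corroboration
    asset_criticality: int      # 1..5 from CMDB / identity enrichment
    intel_match: bool           # matched a threat-intelligence indicator
    enforcing: bool             # sensor can enforce; False in audit/log-only mode
    investigated: bool = False  # an analyst already confirmed the alarm


@dataclass
class Action:
    alarm_id: str
    risk: float
    category: str
    steps: List[str] = field(default_factory=list)


def risk_score(a: Alarm) -> float:
    """Risk = severity x asset criticality, weighted by confidence (0..25)."""
    return round(a.severity * a.asset_criticality * a.confidence, 2)


def categorize(a: Alarm, auto_risk: float = 12.0, auto_conf: float = 0.9,
               workflow_conf: float = 0.6) -> str:
    """Map one alarm to a playbook category.

    Machine-to-machine remediation is allowed only when the raising sensor can
    enforce (a sensor-only deployment cannot) and either an analyst has already
    confirmed the alarm, or intel corroboration plus high confidence and high
    risk make it safe to act without a human in the loop.
    """
    if a.enforcing and (a.investigated or
                        (a.intel_match and a.confidence >= auto_conf
                         and risk_score(a) >= auto_risk)):
        return AUTO
    # Remediation owned by another domain or tool (EDR isolation, ITSM patch
    # ticket) is orchestrated by SOAR when the detection is reasonably credible.
    if a.intel_match or a.confidence >= workflow_conf:
        return WORKFLOW
    return ANALYST


def build_action(a: Alarm) -> Action:
    cat = categorize(a)
    act = Action(a.alarm_id, risk_score(a), cat)
    if cat == AUTO:
        act.steps = [f"{a.source}: apply remediation via API",
                     "itsm: record auto-remediation for audit"]
    elif cat == WORKFLOW:
        act.steps = [f"soar: run {a.source} playbook",
                     "edr: isolate affected host if identified",
                     "itsm: open remediation ticket for system owner"]
    else:
        act.steps = ["itsm: open incident for analyst triage"]
    return act


def route(alarms: List[Alarm]) -> List[Action]:
    """Prioritize by risk (highest first) and assign each alarm an action."""
    ordered = sorted(alarms, key=lambda a: (-risk_score(a), a.alarm_id))
    return [build_action(a) for a in ordered]


# Constructed alarms for the example.
SAMPLE_ALARMS = [
    Alarm("A1", "edr", 5, 0.95, 5, intel_match=True, enforcing=True),
    Alarm("A2", "dns", 5, 0.95, 5, intel_match=True, enforcing=False),  # audit-only sensor
    Alarm("A3", "analytics", 3, 0.7, 2, intel_match=False, enforcing=False),
    Alarm("A4", "ngfw", 2, 0.4, 1, intel_match=False, enforcing=True),
    Alarm("A5", "ngfw", 2, 0.4, 1, intel_match=False, enforcing=True, investigated=True),
]

if __name__ == "__main__":
    for act in route(SAMPLE_ALARMS):
        print(act.alarm_id, act.risk, act.category, act.steps)
```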

With Cisco’s integrated security architecture, SOCs can be deployed with the threat-centric Cisco security
portfolio, which helps deliver three key capabilities to improve the efficacy of the overall solution:

• Visibility and control – Enable visibility across the spectrum of IT systems, from network to
endpoint and cloud

• Segmentation – Helps to reduce the attack surface using software-defined policy discovery
and enforcement

• Threat detection – Enables security teams to reduce the time to detect threats
