Two U.S. men have been charged with hacking into a U.S. Drug Enforcement Agency (DEA) online portal that taps into 16 different federal law enforcement databases. Both are alleged to be part of a larger criminal organization that specializes in using fake emergency data requests from compromised police and government email accounts to publicly threaten and extort their victims.
Prosecutors for the Eastern District of New York today unsealed criminal complaints against Sagar Steven Singh — a.k.a “Weep” — a 19-year-old from Pawtucket, Rhode Island; and Nicholas Ceraolo, 25, of Queens, NY, who allegedly went by the handles “Convict” and “Ominus.”
The Justice Department says Singh and Ceraolo belong to a group of cybercriminals known to its members as “ViLE,” who specialize in obtaining personal information about third-party victims, which they then use to harass, threaten or extort the victims, a practice known as “doxing.”
“ViLE is collaborative, and the members routinely share tactics and illicitly obtained information with each other,” prosecutors charged.
The government alleges the defendants and other members of ViLE use various methods to obtain victims’ personal information, including:
-tricking customer service employees;
-submitting fraudulent legal process to social media companies to elicit users’ registration information;
-co-opting and corrupting corporate insiders;
-searching public and private online databases;
-accessing a nonpublic United States government database without authorization
-unlawfully using official email accounts belonging to other countries.
The complaint says once they obtained a victim’s information, Singh and Ceraolo would post the information in an online forum. The government refers to this community only as “Forum-1,” saying that it is administered by the leader of ViLE (referenced in the complaint as “CC-1”).
“Victims are extorted into paying CC-1 to have their information removed from Forum-1,” prosecutors allege. “Singh also uses the threat of revealing personal information to extort victims into giving him access to their social media accounts, which Singh then resells.”
Sources tell KrebsOnSecurity in addition to being members of ViLE, both Weep and Ominous are or were staff members for Doxbin, a highly toxic online community that provides a forum for digging up personal information on people and posting it publicly. This is supported by the Doxbin administrator’s claimed responsibility for a high-profile intrusion at the DEA’s law enforcement data sharing portal last year.
A screenshot of alleged access to the Drug Enforcement Agency’s intelligence sharing portal, shared by “KT,” the current administrator of the doxing and harassment community Doxbin.
The government alleges that on May 7, 2022, Singh used stolen credentials to log into a U.S. federal government portal without authorization. The complaint doesn’t specify which agency portal was hacked, but it does state that the portal included access to law enforcement databases that track narcotics seizures in the United States.
On May 12, 2022, KrebsOnSecurity broke the news that hackers had gained access to a DEA portal that taps into 16 different federal law enforcement databases. As reported at the time, the inside scoop on how that hack went down came from KT, the current administrator of the Doxbin and the individual referenced in the government’s complaint as “CC-1.”
Indeed, a screenshot of the ViLE group website includes the group’s official roster, which lists KT at the top, followed by Weep and Ominus.
A screenshot of the website for the cybercriminal group “ViLE.” Image: USDOJ.
In March 2022, KrebsOnSecurity warned that multiple cybercrime groups were finding success with fraudulent Emergency Data Requests (EDRs), wherein the hackers use compromised police and government email accounts to file warrantless data requests with social media firms and mobile telephony providers, attesting that the information being requested can’t wait for a warrant because it relates to an urgent matter of life and death.
That story showed that the previous owner of the Doxbin also was part of a teenage hacking group that specialized in offering fake EDRs as a service on the dark web.
Prosecutors say they tied Singh to the government portal hack because he connected to it from an Internet address that he’d previously used to access a social media account registered in his name. When they raided Singh’s residence on Sept. 8, 2022 and seized his devices, investigators with Homeland Security found a cellular phone and laptop that allegedly “contained extensive evidence of access to the Portal.”
The complaint alleges that between February 2022 and May 2022, Ceraolo used an official email account belonging to a Bangladeshi police official to pose as a police officer in communication with U.S.-based social media platforms.
“In these communications, Ceraolo requested personal information about users of these platforms, under the false pretense that the users were committing crimes or in life-threatening danger,” the complaint states.
For example, on or about March 13, 2022, Ceraolo allegedly used the Bangladeshi police email account to falsely claim that the target of the EDR had sent bomb threats, distributed child pornography and threatened officials of the Bangladeshi government.
On or about May 9, 2022, the government says, Singh sent a friend screenshots of text messages between himself and someone he had doxed on the Doxbin and was trying to extort for their Instagram handle. The data included the victim’s Social Security number, driver’s license number, cellphone number, and home address.
“Look familiar?” Singh allegedly wrote to the victim. “You’re gonna comply to me if you don’t want anything negative to happen to your parents. . . I have every detail involving your parents . . . allowing me to do whatever I desire to them in malicious ways.”
Neither of the defendants could be immediately reached for comment. KT, the current administrator of Doxbin, declined a request for comment on the charges.
Ceraolo is a self-described security researcher who has been credited in many news stories over the years with discovering security vulnerabilities at AT&T, T-Mobile, Comcast and Cox Communications.
Ceraolo’s stated partner in most of these discoveries — a 30-year-old Connecticut man named Ryan “Phobia” Stevenson — was charged in 2019 with being part of a group that stole millions of dollars worth of cryptocurrencies via SIM-swapping, a crime that involves tricking a mobile provider into routing a target’s calls and text messages to another device.
In 2018, KrebsOnSecurity detailed how Stevenson earned bug bounty rewards and public recognition from top telecom companies for finding and reporting security holes in their websites, all the while secretly peddling those same vulnerabilities to cybercriminals.
According to the Justice Department, if convicted Ceraolo faces up to 20 years’ imprisonment for conspiracy to commit wire fraud; both Ceraolo and Singh face five years’ imprisonment for conspiracy to commit computer intrusions.
A copy of the complaint against Ceraolo and Singh is here (PDF).
The use of unmanaged and IoT devices in enterprises is growing exponentially, and will account for 55.7 billion connected devices by the end of 2025. A critical concern is deploying IoT devices without requisite security controls.
While these numbers are numbing, their reality is undeniable. 90% of customers believe digitization has accelerated the importance placed upon security. The World Economic Forum now lists cybersecurity failure as a critical threat, and estimates a gap of more than 3 million security experts worldwide, hindering secure deployments at scale. Furthermore, 83% of IoT-based transactions happen over plaintext channels and not SSL, making them especially risky.
Securing an IoT device can be achieved either through securing the IoT device itself, or hardening the network it accesses. Securing devices can be cumbersome, requiring complex manufacturing partnerships and increasing unit prices, thereby reducing adoption. On the other hand, securing the network is always desirable as it helps secure access, encrypt traffic, and ease management.
Being a leader in both security and networking, Cisco continues to bring security closer to networking, providing the network with built-in security, and enabling the network to act both as sensor and as an enforcer. The convergence of security and networking leverages the network’s intelligence and visibility to enable more-informed decisions on policy and threats.
Cisco uniquely integrates security and networking, for instance we recently integrated Cisco Secure Firewall to operate on Cisco Catalyst 9000 Series switches. Additionally, Secure Firewall can be deployed in a containerized form, on-premises and in clouds. Cisco Secure Firewall classifies traffic and protects applications while stopping exploitation of vulnerable systems. Additionally, we offer Identity Services Engine with AI Endpoint Analytics to passively identify IoT devices and apply segmentation policies. Furthermore, Cisco offers management flexibility by integrating with Cisco Defense Orchestrator and DNA Center and with existing customer tools like SIEMs and XDRs.
Let’s look at three use cases where the addition of Secure Firewall capability on Catalyst 9000 Series switches solves real world problems:
Use case 1: Securing the Smart Building: This solution is ideal to secure smart buildings, converging various IoT systems into a single IT-managed network infrastructure. Smart buildings lower the operational and energy costs. Smarter building systems, however, pose serious security risks as these include so many unmanaged devices such as window shades, lighting, tailored HVAC, and more. One of the methods to secure smart buildings is to control access to avoid manipulation of sensors. Such control is attained with a networking switch with enhanced firewall capability. The firewall ensures granular segmentation, directing policies for traffic generated out of IoT devices, providing access to the right users. This integration also brings security closer to endpoints, making policy orchestration simpler.
Use Case 2: Centrally manage isolated IoT network clusters: IoT devices which communicate with each other in the same subnet typically cannot be routed, which is a challenge. By default, most IoT networks are configured in the same subnet, making it difficult to manage them centrally. Administrators are forced to physically connect to the IoT network to manage and collect telemetry. Furthermore, IoT vendors often charge hefty amounts to update IP addresses of devices. Cisco Secure Firewall, hosted on the Catalyst switch, solves this problem and not only inspects traffic from the IoT network but also translates duplicate IoT IP addresses to unique global IP addresses using NAT for centralized management of isolated IoT networks.
Use Case 3: Securely encrypt IoT traffic passing through a shared IT network: At airports, for example, multiple vendors manage unique systems such as baggage, air quality, biometric access control, etc, which share a common network. IoT traffic is usually in plain text, making it susceptible to packet sniffing, eavesdropping, man-in-the-middle attacks, and other such exploits. The IPSec capability on Cisco Secure Firewall encrypts IoT traffic, securing data transfer and reducing risk.
Cisco’s IoT initiatives join the once disconnected worlds of IT and IoT, unifying networking and security. For further details refer to the At-A Glance and see how and an Australian oil company, Ampol, fortified its retail IoT with Cisco Secure!
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
It’s been my pleasure to work alongside the Centre for Information Policy Leadership (CIPL) for over a decade to advocate for privacy to be respected as a fundamental human right and managed by organizations as a business imperative. CIPL works with industry leaders, regulators, and policymakers to deliver leading practices and solutions for privacy and responsible data use around the world.
Our organizations share the belief that privacy is key to trust and provides a critical competitive advantage for those who get it right. As privacy professionals, we live and breathe the importance of privacy every day and understand its value. We must help business leaders and other key stakeholders recognize and realize data privacy’s true worth and invest appropriately — beyond just meeting legal or compliance requirements.
We’re excited today to share this new, jointly-published research report Business Benefits of Investing in Data Privacy Management Programs. This report offers insights into the material business benefits that organizations are realizing from the time, monetary, and resource investments they have applied to building their Data Privacy Management Programs (DPMPs).
Here are some of the key findings:
Customers want accountability. While organizations are expected to meet their legal, compliance, and data security requirements, customers also demand organizations to be responsible stewards of their personal data. DPMPs not only enable organizations to gain a competitive edge, they empower them to earn and grow confidence and trust in the business.
Significant benefits from investing in DPMPs. Risk mitigation and compliance benefits, like avoiding regulatory scrutiny and fines, minimizing breaches, and evading damage to reputation, are among the most substantial benefits experienced by organizations that implement a DPMP. Other tangible benefits include greater agility, operational efficiency, and making the organization more attractive to investors.
Strong, attractive returns from DPMPs. More than half of organizations surveyed experienced at least $1 million in benefit from investing in privacy over the past year, with 28% realizing over $10 million in benefit.
Widespread Use of Privacy Maturity Models. Most organizations are using some form of a privacy maturity model to show accountability, including the CIPL Accountability Framework, ISO standards, Generally Accepted Privacy Principles, and the NIST Privacy Framework, among others. And CIPL members had an average score of 4.13 out of 5 with respect to implementing the seven elements of organizational accountability as described in the report.
There is considerable interest in further understanding the value DPMPs bring to their organization. Discussions about privacy and how DPMPs positively impact organizations will continue to be an increasing area of focus for corporate leadership, including the C-suite and at the Board level.
These findings offer valuable information and perspective for those building and operationalizing privacy. We’ll continue to research and share other qualitative and quantitative evidence that highlights privacy’s growing priority and value for organizations and the individuals they serve.
Check out this report Business Benefits of Investing in Data Privacy Management Programs and more related privacy research on consumer and organizational perspectives on the Cisco Trust Center.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Peter is an IT manager for a technology manufacturer that got hit with a Russian ransomware strain called “Zeppelin” in May 2020. He’d been on the job less than six months, and because of the way his predecessor architected things, the company’s data backups also were encrypted by Zeppelin. After two weeks of stalling their extortionists, Peter’s bosses were ready to capitulate and pay the ransom demand. Then came the unlikely call from an FBI agent. “Don’t pay,” the agent said. “We’ve found someone who can crack the encryption.”
Peter, who spoke candidly about the attack on condition of anonymity, said the FBI told him to contact a cybersecurity consulting firm in New Jersey called Unit 221B, and specifically its founder — Lance James. Zeppelin sprang onto the crimeware scene in December 2019, but it wasn’t long before James discovered multiple vulnerabilities in the malware’s encryption routines that allowed him to brute-force the decryption keys in a matter of hours, using nearly 100 cloud computer servers.
In an interview with KrebsOnSecurity, James said Unit 221B was wary of advertising its ability to crack Zeppelin ransomware keys because it didn’t want to tip its hand to Zeppelin’s creators, who were likely to modify their file encryption approach if they detected it was somehow being bypassed.
This is not an idle concern. There are multiple examples of ransomware groups doing just that after security researchers crowed about finding vulnerabilities in their ransomware code.
“The minute you announce you’ve got a decryptor for some ransomware, they change up the code,” James said.
But he said the Zeppelin group appears to have stopped spreading their ransomware code gradually over the past year, possibly because Unit 221B’s referrals from the FBI let them quietly help nearly two dozen victim organizations recover without paying their extortionists.
In a blog post published today to coincide with a Black Hat talk on their discoveries, James and co-author Joel Lathrop said they were motivated to crack Zeppelin after the ransomware gang started attacking nonprofit and charity organizations.
“What motivated us the most during the leadup to our action was the targeting of homeless shelters, nonprofits and charity organizations,” the two wrote. “These senseless acts of targeting those who are unable to respond are the motivation for this research, analysis, tools, and blog post. A general Unit 221B rule of thumb around our offices is: Don’t [REDACTED] with the homeless or sick! It will simply trigger our ADHD and we will get into that hyper-focus mode that is good if you’re a good guy, but not so great if you are an ***hole.”
The researchers said their break came when they understood that while Zeppelin used three different types of encryption keys to encrypt files, they could undo the whole scheme by factoring or computing just one of them: An ephemeral RSA-512 public key that is randomly generated on each machine it infects.
“If we can recover the RSA-512 Public Key from the registry, we can crack it and get the 256-bit AES Key that encrypts the files!” they wrote. “The challenge was that they delete the [public key] once the files are fully encrypted. Memory analysis gave us about a 5-minute window after files were encrypted to retrieve this public key.”
Unit 221B ultimately built a “Live CD” version of Linux that victims could run on infected systems to extract that RSA-512 key. From there, they would load the keys into a cluster of 800 CPUs donated by hosting giant Digital Ocean that would then start cracking them. The company also used that same donated infrastructure to help victims decrypt their data using the recovered keys.
A typical Zeppelin ransomware note.
Jon is another grateful Zeppelin ransomware victim who was aided by Unit 221B’s decryption efforts. Like Peter, Jon asked that his last name and that of his employer be omitted from the story, but he’s in charge of IT for a mid-sized managed service provider that got hit with Zeppelin in July 2020.
The attackers that savaged Jon’s company managed to phish credentials and a multi-factor authentication token for some tools the company used to support customers, and in short order they’d seized control over the servers and backups for a healthcare provider customer.
Jon said his company was reluctant to pay a ransom in part because it wasn’t clear from the hackers’ demands whether the ransom amount they demanded would provide a key to unlock all systems, and that it would do so safely.
“They want you to unlock your data with their software, but you can’t trust that,” Jon said. “You want to use your own software or someone else who’s trusted to do it.”
In August 2022, the FBI and the Cybersecurity & Infrastructure Security Agency (CISA) issued a joint warning on Zeppelin, saying the FBI had “observed instances where Zeppelin actors executed their malware multiple times within a victim’s network, resulting in the creation of different IDs or file extensions, for each instance of an attack; this results in the victim needing several unique decryption keys.”
The advisory says Zeppelin has attacked “a range of businesses and critical infrastructure organizations, including defense contractors, educational institutions, manufacturers, technology companies, and especially organizations in the healthcare and medical industries. Zeppelin actors have been known to request ransom payments in Bitcoin, with initial amounts ranging from several thousand dollars to over a million dollars.”
The FBI and CISA say the Zeppelin actors gain access to victim networks by exploiting weak Remote Desktop Protocol (RDP) credentials, exploiting SonicWall firewall vulnerabilities, and phishing campaigns. Prior to deploying Zeppelin ransomware, actors spend one to two weeks mapping or enumerating the victim network to identify data enclaves, including cloud storage and network backups, the alert notes.
Jon said he felt so lucky after connecting with James and hearing about their decryption work, that he toyed with the idea of buying a lottery ticket that day.
“This just doesn’t usually happen,” Jon said. “It’s 100 percent like winning the lottery.”
By the time Jon’s company got around to decrypting their data, they were forced by regulators to prove that no patient data had been exfiltrated from their systems. All told, it took his employer two months to fully recover from the attack.
“I definitely feel like I was ill-prepared for this attack,” Jon said. “One of the things I’ve learned from this is the importance of forming your core team and having those people who know what their roles and responsibilities are ahead of time. Also, trying to vet new vendors you’ve never met before and build trust relationships with them is very difficult to do when you have customers down hard now and they’re waiting on you to help them get back up.”
A more technical writeup on Unit 221B’s discoveries (cheekily titled “0XDEAD ZEPPELIN”) is available here.
bs-1200
New level unlocked. The next step for Kenna.VM users who are maturing their risk-based vulnerability management program is Kenna.VM Premier—and it’s live.
The Cisco Kenna team is excited to release a new tier of the Kenna Security platform designed specifically for customers or prospects that have reached a point of maturity in which they can and want to do more with their vulnerability management program.
In addition to the existing Kenna features and functionality you know and love, the new Kenna.VM Premier tier includes:
We’re particularly excited about the new features that are debuting with this tier. So, let’s take a closer look at everything that’s included.
On the Kenna.VM homepage, a new metric will appear at the top right corner (Figure 1). The Remediation Score, as this measurement is known, quantifies how well an organization is addressing risk overall.
The Remediation Score itself encompasses four key measurements (Figure 2), which may sound familiar to you if you’ve been reading any of the Prioritization to Prediction reports produced by Kenna and the Cyentia Institute:
These new remediation insights will allow organizations to shift away from relying on just the Risk Score itself as a measurement to assess the performance of remediation teams. While many organizations opt to use the Risk Score in this manner, there are inherent problems with evaluating performance based on the Risk Score—particularly for mature programs. A Risk Score can spike at any moment due to a suddenly high-risk vulnerability—a spike that isn’t a reflection on the remediation team themselves. And as organizations mature, they’re likely to reach a ‘steady state’ with their Risk Score, which makes it a difficult metric to use to measure progress.
Ultimately, these performance metrics will help customers better understand what areas of their remediation efforts are doing well and which might need to be adjusted.
Another new addition to the Kenna.VM platform is zero-day vulnerability intelligence powered by Cisco Talos. Talos regularly identifies high-priority security vulnerabilities in commonly used operating systems and software. The team works with vendors to disclose more than 200 vulnerabilities every year.
This new integration with Talos gives Kenna.VM users access to information on zero-day vulnerabilities documented by the Talos research team (and likely to be in their environment). With the “Zero Days” filter in Kenna.VM, users can isolate zero-day vulnerabilities, investigate, and take action leveraging Snort rule IDs provided by Talos, when applicable (Figure 3).
The last (but certainly not least) piece of the Kenna.VM Premier puzzle is the inclusion of Kenna’s recently enhanced vulnerability intelligence User Interface and API. Kenna is known for its risk scoring, but what people may not realize is just how much data we consume and turn into finished, actionable intelligence. There are more than 18+ threat and exploit intelligence feeds that power our understanding of vulnerabilities, and our vulnerability intel API and UI make of this information available to customers.
The UI provides a dashboard to research any CVE—regardless of whether or not a scanner found that vulnerability in the customer’s environment. Meanwhile, the API allows customers to query Kenna and export as much of our vulnerability intelligence on as many vulnerabilities as they wish, and use that data to enrich any existing IT, dev or security workflows, including Cisco’s very own SecureX. The data in this set includes descriptions, publication dates, CVSS data, available exploits and fixes, insight into remote exploitable vulnerabilities, and much more. Also provided is the Kenna Risk Score for each vulnerability and an indication of whether it is predicted to be exploitable—unique data points derived by Kenna’s data science.
This intelligence, combined with our new remediation scoring and Talos zero-day intelligence, rounds out the Kenna.VM Premier tier as the ideal package for any customer or prospect who is looking to take their vulnerability management program to the next stage of maturity.
Kenna.VM Premier is available today. If you’re interested in learning more, contact your sales representatives or send us a demo request to unlock the next level of your vulnerability management journey.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
In the second part of this blog series on Unscrambling Cybersecurity Acronyms, we covered Endpoint Detection and Response (EDR) and Managed Endpoint Detection and Response (MEDR) solutions, which included an overview of the evolution of endpoint security solutions. In this blog, we’ll go over Managed Detection and Response (MDR) and Extended Detection and Response (XDR) solutions in more depth.
MDR solutions are a security technology stack delivered as a managed service to customers by third-parties such as cybersecurity vendors or Managed Service Providers (MSPs). They’re similar to Managed Endpoint Detection and Response (MEDR) solutions since both solutions are managed cybersecurity services that use Security Operations Center (SOC) experts to monitor, detect, and respond to threats targeting your organization. However, the main difference between these two offerings is that MEDR solutions monitor only your endpoints while MDR solutions monitor a broader environment.
While MDR security solutions don’t have an exact definition for the types of infrastructure they monitor and the underlying security stack that powers them, they often monitor your endpoint, network, and cloud environments via a ‘follow the sun’ approach that uses multiple security teams distributed around the world to continually defend your environment. These security analysts monitor your environment 24/7 for threats, analyze and prioritize threats, investigate potential incidents, and offer guided remediation of attacks. This enables you to quickly detect advanced threats, effectively contain attacks, and rapidly respond to incidents.
More importantly, MDR security solutions allow you to augment or outsource your security to cybersecurity experts. While nearly every organization must defend their environment from cyberattacks, not every organization has the time, expertise, or personnel to run their own security solution. These organizations can benefit from outsourcing their security to MDR services, which enable them to focus on their core business while getting the security expertise they need. In addition, some organizations don’t have the budget or resources to monitor their environment 24/7 or they may have a small security team that struggles to investigate every threat. MDR security services can also help these organizations by giving them always-on security operations while enabling them to address every threat to their organization.
One drawback to deploying an MDR security service is that you become dependent on a third-party for your security needs. While many organizations don’t have any issues with this, some organizations may be hesitant to hand over control of their cybersecurity to a third-party vendor. In addition, organizations such as larger, more-risk averse companies may not desire an MDR service because they’ve already made cybersecurity investments such as developing their own SOC. Finally, MDR security solutions don’t have truly unified detection and response capabilities since they’re typically powered by heterogenous security technology stacks that lack consolidated telemetry, correlated detections, and holistic incident response. This is where XDR solutions shine.
XDR solutions unify threat monitoring, detection, and response across your entire environment by centralizing visibility, delivering contextual insights, and coordinating response. While ‘XDR’ means different things to different people because it’s a fairly nascent technology, XDR solutions usually consolidate security telemetry from multiple security products into a single solution. Moreover, XDR security solutions provide enriched context by correlating alerts from different security solutions. Finally, comprehensive XDR solutions can simplify incident response by allowing you to automate and orchestrate threat response across your environment.
These solutions speed up threat detection and response by providing a single pane of glass for gaining visibility into threats as well as detecting and responding to attacks. Furthermore, XDR security solutions reduce alert fatigue and false positives with actionable, contextual insights from higher-fidelity detections that mean you spend less time sifting through endless alerts and can focus on the most critical threats. Finally, XDR solutions enable you to streamline your security operations with improved efficiency from automated, orchestrated response across your entire security stack from one unified console.
A major downside to XDR security solutions is that you typically have to deploy and manage these solutions yourself versus having a third-party vendor run them for you. While Managed XDR (MXDR) services are growing, these solutions are still very much in their infancy. In addition, not every organization will want or need a full-fledged XDR solution. For instance, organizations with a higher risk threshold may be satisfied with using an EDR solution and/or an MDR service to defend their organization from threats.
As I mentioned in the first and second parts of this blog series, you shouldn’t take a ‘one-size-fits-all’ approach to cybersecurity since every organization has different needs, goals, risk appetites, staffing levels, and more. This logic holds true for MDR and XDR solutions, with these solutions working well for certain organizations and not so well for other organizations. Regardless, there are a few aspects to consider when evaluating MDR and XDR security solutions.
One factor to keep in mind is if you already have or are planning on building out your own SOC. This is important to think about because developing and operating a SOC can require large investments in cybersecurity, which includes having the right expertise on your security teams. Organizations unwilling to make these commitments usually end up choosing managed security services such as MDR solutions, which allows them to protect their organization without considerable upfront investments.
Other critical factors to consider are your existing security maturity and overall goals. For instance, organizations who have already made significant commitments to cybersecurity often think about ways to improve the operational efficiency of their security teams. These organizations frequently turn to XDR tools since these solutions reduce threat detection and response times, provide better visibility and context while decreasing alert fatigue. Moreover, organizations with substantial security investments should consider open and extensible XDR solutions that integrate with their existing tools to avoid having to ‘rip and replace’ security tools, which can be costly and cumbersome.
I hope this blog series on the different threat detection and response solutions help you make sense of the different cybersecurity acronyms while guiding you in your decision on the right security solution for your organization. For more information on MDR solutions, read about how Cisco Secure Managed Detection and Response (MDR) rapidly detects and contains threats with an elite team of security experts. For more information on XDR solutions, learn how the Cisco XDR offering finds and remediates threats faster with increased visibility and critical context to automate threat response.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels