Cisco SecureX Reviews

We are a managed service provider with a number of customers that have different Cisco security products. We utilize SecureX to give us a better, high level overview of all of those different security installations.

When considering how SecureX has improved our organization, things should be looked at holistically with an endeavor to see threat patterns across one's entire environment rather than individual products. We still haven't really explored the Orchestration side of the tool, but if we can start to leverage that it will help us do better with some of the security challenges that we face. Hackers use automation and this means we can only attempt to keep up if we use automation as well.

SecureX is both a security analytics product, as well as a security orchestration and remediation product. We've integrated it with a number of Cisco security technologies, though we're primarily using it for Network Analytics right now.

SecureX definitely provides us with contextual awareness throughout our security ecosystem, since it allows us to integrate multiple threat intelligence feeds, as well as multiple security appliances and platforms. This enables us to have all the threat intelligence and threat event data in one place.

The security orchestration aspects of the tool came out only about a month ago and we haven't yet moved forward with testing it. It does look like its Orchestration will prove quite powerful in terms of allowing me to have interaction with and control of all the systems. Whether this will be to create a ticket in ServiceNow, or to send security alerts to WebEx teams or something of that nature, it does look like it has some very powerful features.

This is a relatively new offering from Cisco and some time is needed for the evolutionary development of the platform. It's good that there are some third party integrations available and it would be a positive step to see more offered.

I also would like to see a full managed service provider addition to the platform. I would like to see a managed security service provider console just like there is for Cisco Umbrella and Cisco Secure Endpoint.

We have been using Cisco SecureX for around three months.

Overall, it seems to be really stable. I have noticed that sometimes there is a slight lag between when you do an integration with an API key and when you start seeing the data. But once the data starts flowing it all seems to be quite stable.

We've added multiple devices onto SecureX and this seems to be both stable and scalable. We can customize how the individual tiles are laid out, resize them, and play around with the spacing. We can have whatever we want on whichever dashboard tab we wish to create, so it provides us quite a lot of customization.

I see the Orchestration automation side of the tool as a very positive thing and one that will help us to scale as a managed service provider.

We raised a couple support cases for SecureX and these were worked through and resolved.

At the moment we're experimenting with SecureX. We will only do a full implementation for all our customers when a multi-tenant platform designed for MSPs or MSSPs becomes available hopefully sometime this year. We want to avoid creating a lot of configurations that have to be repeated later when a new platform is released. 

When it comes to the complexity of the initial setup, it depends what you're trying to do. At its basic level, integrating threat feeds or security appliances is really easy and only takes a couple of minutes to perform each task. The Orchestration automation side of the tool is a bit more complex and requires more time to understand and test. The basic side of the tool, meaning the security analytics that require you to integrate the threat intelligence feeds and then the security appliances, is really easy.

The security orchestration is a bit more difficult but not anymore so than what I would expect. What Cisco is trying to do is bridge the gap. You can either automate with programming-related skills, using Cisco's DevNet—which would require having special DevNet engineers in-house, or use Python or JSON—or you can use a SOAR tool. Although SecureX is not specifically a SOAR tool, it does have security orchestration and automation functionality. Rather than having to use specialist DevNet engineers, you can use people with more general network engineering skills or cyber security skills. You can use the tool to create workflows from the palette that is built into SecureX to create automations. It's not easy but it's easier than it would be if you had to use just Python or JSON. Cisco is definitely bridging the "skills gap" when it comes to programming. They're definitely making it easier than it would be otherwise.

We have five to six environments and most of them have at least one Firepower appliance and an email security appliance like Cisco Endpoint or Cisco Umbrella. Then we added threat intelligence feeds from VirusTotal and Have I Been Pwned. So we have enough to give us an idea of how it works, what kind of data we can see, and how we can use the tool going forward to automate.

The product is absolutely free to any customer that already has one Cisco security product. If one only wants to make use of the security analytics, this is super easy, as set up and integration of all the security appliances can be accomplished in a couple of hours. If one wishes to undertake the Orchestration automation side of the tool, it will take a bit more effort and time to understand and test. What should be taken into account is the number of different things one wishes to automate and the level of its complexity, but this is definitely easier than having to code everything in Python.

We didn't conduct a detailed product evaluation between SecureX and other vendors of this kind of product. As we are a Cisco partner and customers get this product for free if they have at least one Cisco security product, it seemed to make sense to explore this because of its level of integration across the entire Cisco security product range.

I think it's one of those things that's a "no brainer." It's a cloud service that you can turn on in two minutes and you can be up and running in an hour or so maximum, at least for the more basic side of the functionality. So I would say if you're already using one Cisco security product, it just makes sense to start using this because it increases the visibility of threats across your environment and allows you to start using automation.

The SecureX Ribbon feature integrates with a sister tool called Cisco Threat Response. This allows us to do threat hunting and build a kind of casebook from our threat hunting investigation. From what I see, it looks pretty good and it looks like it will help our business from a CyberOps perspective. We feel that SecureX Ribbon features will affect collaboration within our team or across teams. The ability to pivot between SecureX Cisco Threat Response and different Cisco security products from one location will make the business of investigating security events and threats easier.

As I have not personally evaluated similar products of SecureX, it would be difficult for me to properly rate this product on a scale of one to 10. Although I would score this product an eight, as it is very good. This takes into account that it has only been available for use for the past six months and the Orchestration feature has only come out of beta a month ago. The biggest sticking point is that the product is not being designed for multi-tenancy use at present, from an MSP perspective. If this can be resolved, the score will likely go up to a 10. Hopefully, this request will be accommodated in the next release.

We use it to investigate threat incidents. It lets us better manage security incidents.

We just use it for the security department.

It gives us more visibility into detected threats so we can determine their impacts.

Its cybersecurity and resilience have been extremely important for our organization. It helps us save our operations by protecting us against ransomware and most threats.

The automation and orchestration tools are the most valuable features.

It is good that it provides information. However, I think that there needs to be more actionable items for us based on the information provided.

Remediation stuff could be integrated into the product's automation.

I have been using the solution for a year.

It is really scalable. We are looking to increase usage in the future.

Overall, the technical support is great. I would rate it as eight out of 10.

Positive

We did not previously use another solution.

The initial setup was complex. It took about a month to deploy. The deployment took me about 20 hours overall of work.

I had to work with the SecureX engineer in order to get things rolling. It wasn't a very straightforward process when we rolled out the product.

We used an integrator for the deployment.

We have seen quicker response times. It took a few months to realize the benefits.

It comes free with all Cisco products. So, it is a good price.

We didn't evaluate other products.

Leaders in organizations should invest in IT, training, and staff.

The most beneficial feature of Cisco SecureX for cybersecurity efforts is its integration with other Cisco solutions and the environment. This sets it apart, as its APIs and overall integration capabilities are very strong. Additionally, its detection capabilities are commendable.

Integrating the product with most of the customers involved hasn't been difficult. There's enough documentation and support from Cisco to help put things together, making the process straightforward.

The playbooks provided with the product are great, although I would appreciate having more playbooks available. Threats are constantly evolving, so having access to updated playbooks is crucial.

The tool's technical support has always been good. I've never encountered any issues with them. While they may not always be the fastest, they respond and ensure that problems are resolved.

Positive

Cisco SecureX is more expensive than Trend Micro. However, considering the integration capabilities with other solutions and the quality of technical support, I believe there's justification for the price difference.

I rate the overall product a nine out of ten. 

We have a total of about 150 customers with about 6,500 users and we handle their IT. There are 300 sites all over the Netherlands from which we get all the intel and we feed it into SecureX. It's our central point where we collect everything very easily. When we see something happening we can take the security feed, look at the event in an organization, and SecureX shows us what's going on. It helps us analyze and understand things.

All the security solutions such as firewalls, email security, web security, endpoint security, and antivirus report into SecureX where we have a dashboard that shows everything that is happening.

The orchestration allows us to say, "Well, if this happens here, then we should take an automated action." For example, if an email is received on a machine and malware is being executed, it can be put into lockdown mode. It should only be accessible by the investigators. It cannot connect with any other resources within the company anymore. It cannot send or receive any files. SecureX takes all the separate pieces of security within your company, adds in intelligence from different sites and services on the internet, and makes them work together.

We're seeing and correlating things that we never expected to be able to put together. Before we had the SecureX dashboard, which ties everything together, we would have logs on some computer, or logs on a different system with timestamps. We would have to input search commands to see if there was anything happening on one machine that was also happening on another machine, or if there was anything happening in the firewall that was also happening with email.

We're also doing things with SecureX now that I didn't think were possible two years ago. The fact that you can have a single solution that combines endpoint intelligence with email intelligence, firewalls, and publicly available intelligence is really helpful. I didn't expect there to be a product in which you can so easily change between the different parts of your security with a single click, allowing you to go from publicly available security intelligence into, "How's it looking in my environment?" 

We can do things within seconds, things which we wouldn't even have thought about doing two years ago, just because we didn't think there would be anyone combining the different sources of information together and making it easy to correlate between what's happening in the rest of the world and what's happening within our environments.

Also, SecureX provides us with contextual awareness throughout our security ecosystem.

Before SecureX, things that were not possible, or that would take days, now literally take seconds to find out. 

You can also see not only what kind of malware you have, but what kind of damage or what kind of tech you're looking at. You can very easily see if there is somebody who is trying to find out if there's anything open or if it is somebody who has already established access and is trying to escalate from a user account to the administrator account. You can even focus on these kinds of privilege-escalation attacks and make other issues a second priority.

In addition, like every company, we have to deal with compliance. We have a compliance officer, but normally the compliance officer would not have access to the firewall logs, the email security appliance, endpoint security, etc. But he still has to get all the compliance information out of them, including details such as how are we doing, how many threats we are capturing, etc. I gave our compliance officer access to the SecureX dashboards and now, without having to log in to any of our security appliances, he has a live dashboard with an overview of what's going on. How many incidents? How have they been resolved? How much malware was seen within the company? What kind of compromises were there? Were they critical, high, medium, or low?

He can look at everything himself without him having to ask for me to create a report and without having to have access to the files themselves. He has a dashboard and can say, "I want to see the last week, last month, etc." He gets all the widgets and all the information for whatever period he wants. He can use that within his report to show the auditors how we're dealing with our security. Without any reporting, without emailing back and forth, he gets access to the live information. That's something I wasn't expecting and it has proven to be very valuable. He cannot mess anything up, however, he still has access to the live data on the entire network.

For me, the most valuable feature is the overview: seeing hundreds of sites and thousands of endpoints; everything in a single dashboard.

It can show me spam attacks, phishing attacks, malicious file transfers on our firewalls, and malicious activity on our endpoints. In addition to all the security solutions it takes in, you can add in other websites and services as well.

Threat-hunting is a specific module within SecureX. You can say, "I want to know what's been happening within my organization. I'm seeing some activity here and I want to know if this machine, which is doing something strange, has been in contact with any other suspicious machines. Has it been receiving any suspicious email? What's going on?" It can really dig into any indication you have within your network.

It also provides automatic messaging. For example, if there's malware activity, it will be automatically matched to a certain category of malware saying, "This is credential access,” or “This is a discovery,” or “This is the exfiltration of data,” or “This is privilege escalation."

There is also the possibility of integrating feeds from different products. SecureX will not only work with Cisco products, but you can also put in different kinds of feeds if you have a different type of firewall or antivirus, for example.You can get the same intel within the same dashboard. You don't need to have only Cisco products. 

SecureX integration between Cisco products and third-party solutions is very valuable due to the fact that you get the security feeds and everything on the internet. If you want to know, for example, if something is Orion malware, it will say, "Hey, I have this webpage showing me indicators of compromise. It gives me a button within my browser and I can check whatever is on this page against my live environment. If there's anything on any webpage saying, "You should pay attention to this, or you should be aware of these malicious files," with a single click I can check them against my environment. The intel you get and the different products all generate output. And you can use the toolbar within your browser to make it very easy to put anything you find into SecureX.

The ribbon feature is quite useful. The solution is great at helping you maintain context around incidents as you navigate different consoles. It's immensely valuable due to the fact that, as you navigate between products and between pages, the ribbon stays with you. I can open a case there and I can also share it with my colleagues. We're back in lockdown again here in Europe, so everybody's working from home again. I can start an investigation on my machine and share it with my colleague. He can work on the same stuff and he can add to the case. You can very easily scale up your investigation. All the notes you've been taking, all the indicators you've collected, all the interesting stuff you've noticed are logged within the ribbon and available for your colleagues to work on as well. You don't have to email back and forth saying, "I found this. Hey, did you see that?" It's all there. You can cooperate on the same issue.

It saves you a lot of time investigating. It will not just show you what's happening within your environment but also what's happening in the rest of the world. If I'm seeing a file for the first time, it's very unlikely it's the first time in the world this file has ever been scanned. I can check if it has been scanned in other antivirus engines and what they think about the file. There is the integration with the service called VirusTotal. It has about 60 or 80 different engines. If I'm seeing a file and not sure about it, with a single click I can get the opinion of 60 different antivirus products on that file to show me what the rest of the world thinks about it.

The automation and orchestration could be simpler. It could be that all the other parts are that easy to use so that these stick out as a negative, but that's the trickiest part for us. The workflows within the orchestration are just a bit more difficult. 

What would be really helpful is some sort of library from which you could pull out prefabricated actions. The tools are there to build your own, but it would be nice if there were a library saying, "If you have this and you want to do this, there's some prebuilt stuff here which you can tailor to your own environment." Right now, it's mostly a blank canvas saying, "Take whatever input you want and program your own response."

We've been using the solution for almost a year.

We've had zero issues. It's always available. There are no gaps in monitoring and no downtime.

If there are any limits, we haven't been able to find them yet. We have hundreds of sites reporting into it and I'm not seeing any limits, slowdown, or scalability issues.

I've only used the support resources during setup. There have been no issues or incidents for support so far.

That said, looking at the videos and the manuals they have, etc., there's a lot of support available to get you started. Due to the fact that it's a free add-on if you have any Cisco security products, there is no investment except for a bit of time to get it running.

We didn't previously use a different solution.

The solution's initial setup was very straightforward. It's an online service. You log in with your credentials and on the left-hand side you say, "I have this product, let me integrate." There's a guided setup that's pretty step-by-step. Then, you just go to the next component you want to integrate. It's a guided configuration.

In terms of deployment, the first integration was done within 15 minutes. With the extras we put in it was, let's say, an afternoon of work. It took maybe two or three hours to get everything set up, including all the users, and to get everything integrated and all the dashboards configured.

In terms of maintenance, we have about six people from the security team involved.

I handled the implementation myself. I did not need the assistance of a Cisco consultant.

We've reduced our workload by 20 to 30 percent just from being able to focus on the important things, as this product really does a lot of the grunt work for you. It has really increased the efficiency of the organization's security operations.

For example, if you see something and say, "This should be blocked," or "this is malicious," with SecureX, it will not only automatically block it on endpoint security, but it will also stop the malicious file from being sent or received via email. It will also stop the file from being downloaded or uploaded. That way, if I have a malicious attachment on a laptop somewhere, SecureX will block it everywhere, and it will also protect the users on the WiFi because the firewall, which is between them and the internet, will block it. I can protect devices such as guest devices in the guest WiFi, devices I don't have access to, because I have visibility of all the endpoints with a single click. It's 360-degree protection.

Without the integration, I would have to say, “Well, this email has a malicious attachment, and now I have to worry about it on 300 different firewalls. I have to put in a rule to block this attachment everywhere.” We'd need dozens of people working on that. Now, it's a simple mouse click.

On top of that, we're 50 to 70 percent more efficient in investigations. It really saves a huge amount of manual checking.

It has probably saved our compliance officer 10 percent of his time as well.

For the value you get, the pricing of the solution is excellent.

We didn't evaluate other options. There's really nothing with this type of huge scope. There were some basic logging solutions and some other incident response stuff, however, there was nothing that covers your entire security apparatus.

We haven't worked on automating all the manual processes in our security operations yet. We want to implement more of them, however, we're still looking into the details. This year we'll be starting to use the orchestration feature. That way, an end-user can forward an email and it will automatically be checked and he'll get a report back. Those are the kinds of automations we'll start using this year.

You only need two or three hours to get everything set up, to put things into it, and to see how it works, with zero impact onsite. You don't need any extra resources. There's nothing fancy to configure. It's very easy to integrate. I'd advise companies to try it and just see how it becomes the dashboard for your entire security operation.

I would rate this product at a nine out of ten due to the fact that the orchestration piece is a bit difficult. That said, everything else, especially for the price, is unbeatable.

One area for improvement in SecureX could be additional on-premises options for organizations like ours that require more control over certain aspects of the platform. I also think enhancing automation capabilities could further improve the product.

I've been using SecureX for about two months.

It has been stable with a rating of around nine out of ten for stability.

When it comes to scalability, I find SecureX easy to expand based on our needs.

Although we haven't directly contacted Cisco's technical support, I've heard positive feedback about their support services.

The setup process was straightforward, and we didn't require any third-party consultants.

Overall, I would rate SecureX at around eight out of ten for its valuable features, ease of use, and integration capabilities. It's a recommended solution for threat detection and security orchestration.