Cisco ISE Overview
- Pavan Raja

- Apr 8, 2025
- 5 min read
Summary:
The Cisco "At-A-Glance" for Cisco Identity Services Engine (ISE) describes integrating ISE with a Security Information and Event Management (SIEM) or Threat Defense (TD) platform from one of Cisco's partners: HP (ArcSight), IBM (QRadar), Lancope, LogRhythm, Splunk, Symantec, or Tibco (LogLogic). The integration addresses the complexity of modern network environments by giving the SIEM/TD platform a "single pane of glass" view of security events enriched with context about users, devices, and their security posture. ISE supplements the traditional network-wide event view with user identity and device context, which enables mobility-aware analytics and more effective threat detection, and it lets remediation actions be triggered from the SIEM/TD partner platform through ISE. Together these give security monitoring, analysis, and compliance assessment in one place.
Details:
The At-A-Glance solution combines Cisco ISE with an Advanced Feature License and a SIEM or TD platform from one of Cisco's integration partners. It targets the complexity of modern network environments by providing security monitoring, threat analysis, and compliance assessment from one console.
With the rise of "bring your own device" (BYOD), mobility, virtualization, and software as a service (SaaS), security tools that rely solely on network-wide events are no longer sufficient. Effective monitoring and analysis need accurate contextual data: user identity, network authorization level, endpoint device identification, and security posture.
Cisco ISE integrates with leading SIEM/TD platforms to offer a "single pane of glass" view of security events, supplying contextual information about users, devices, and their security status. The partner platform can then supplement its traditional network-wide event visibility with detailed user identity and device context.
Beyond visibility into security events, the integration enables contextual assessment and allows remediation to be initiated from the SIEM/TD partner platform and carried out by ISE. With ISE context attached, analysts gain a more meaningful understanding of the significance of network-wide security events.
Contextual data about the users and devices behind an event lets a SIEM or TD platform judge the event's significance more effectively. It answers "who" is involved and "what type of device" generated the event, and it lets analytic policies be tailored for mobile devices or for users with access to highly sensitive information.
The key points are:
1. **Enhanced Security Analysis**: With user and device context attached, analysts can better understand the significance of a security incident, including who is involved (user identification) and what kind of device is generating the event.
2. **Cisco ISE Integration**: Cisco Identity Services Engine (ISE) appends user and device context to the events a SIEM/TD partner platform already collects, which enables mobility-aware analytics and more effective threat detection.
3. **Remediation Actions**: ISE context supports specific actions such as quarantine or blocking network access according to pre-defined policies, and these actions are logged and reported within the SIEM/TD platform, giving a unified, network-wide security reporting mechanism.
4. **Security Insight**: Trending ISE data in the SIEM platform can reveal abnormal or suspicious activity that may indicate a security threat.
5. **Technological Partnerships**: SIEM/TD partner systems can use Cisco ISE to carry out mitigation actions within the Cisco network infrastructure, using the contextual data for more targeted and efficient threat management.
6. **Compliance and Reporting**: All of these functions feed a security framework that includes logging, reporting, and compliance with regulatory standards, with a unified view of network-wide security events.
In short, integrating user and device context from ISE into SIEM/TD platforms supports more informed decisions and faster threat detection through tailored analytics and actionable, context-specific insight.
ISE supplies the SIEM or Threat Defense partner platform with three groups of attributes: user details (name, authentication status, location); device information (manufacturer, model, OS and version, MAC address, IP address, connection method, location); and endpoint posture data (antivirus status, OS patch level, and mobile device management (MDM) compliance).
The integration improves SIEM/Threat Defense deployments in several ways: more efficient detection, assessment, and response to security events; shorter time-to-event classification through visibility into user behavior and device posture; and visibility and control over both users and devices on the network. Partners can use the device attributes to build analytic policies that single out mobile devices for closer scrutiny. The At-A-Glance is based on Cisco ISE Release 1.2 as of its publication date.
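The enrichment and remediation flow described above, and the attribute groups listed just before it, as a worked example. This is added code, not Cisco's or any partner's: the ISE log lines are constructed to approximate the key=value style of ISE passed-authentication syslog (attribute names such as UserName, Calling-Station-ID, Framed-IP-Address, EndPointMatchedProfile and PostureStatus), the SIEM alerts are constructed, and the "sensitive" subnet, mobile-device markers and policy rules are assumptions. It shows how a SIEM keys its network-level alerts to ISE session context by source IP, applies a policy that differentiates guests, non-compliant endpoints and mobile devices, and records the quarantine request it would hand back to ISE.

```python
"""Enrich SIEM events with ISE session context and apply a context-aware
analytic policy. Added example, not from Cisco or the At-A-Glance: the ISE
log lines are constructed to approximate the key=value style of ISE
passed-authentication syslog, and the policy thresholds are assumptions."""
import re

# Constructed ISE-style session records (one authenticated endpoint per line).
ISE_LOG = """\
CISE_Passed_Authentications 0000000001 1 0 2013-11-04 10:01:02,UserName=alice,Calling-Station-ID=00:11:22:33:44:55,Framed-IP-Address=10.1.1.10,EndPointMatchedProfile=Windows10-Workstation,PostureStatus=Compliant,IdentityGroup=Finance
CISE_Passed_Authentications 0000000002 1 0 2013-11-04 10:02:15,UserName=guest-7731,Calling-Station-ID=aa:bb:cc:dd:ee:ff,Framed-IP-Address=10.1.5.20,EndPointMatchedProfile=Apple-iPhone,PostureStatus=NotApplicable,IdentityGroup=Guest
CISE_Passed_Authentications 0000000003 1 0 2013-11-04 10:03:40,UserName=bob,Calling-Station-ID=66:77:88:99:aa:bb,Framed-IP-Address=10.1.1.30,EndPointMatchedProfile=Android-Samsung,PostureStatus=NonCompliant,IdentityGroup=IT-Admins
"""

# Constructed SIEM alerts that carry only network-level facts (no identity).
SIEM_EVENTS = [
    {"signature": "SMB share enumeration", "src_ip": "10.1.1.10", "dst_ip": "10.1.1.5"},
    {"signature": "SMB share enumeration", "src_ip": "10.1.5.20", "dst_ip": "10.1.1.5"},
    {"signature": "Outbound beacon", "src_ip": "10.1.1.30", "dst_ip": "198.51.100.7"},
    {"signature": "SMB share enumeration", "src_ip": "10.9.9.9", "dst_ip": "10.1.1.5"},
]

SENSITIVE_PREFIXES = ("10.1.1.",)                 # assumed: finance server segment
MOBILE_MARKERS = ("iphone", "ipad", "android")    # matched against the device profile
KV = re.compile(r"([\w-]+)=([^,]*)")

def parse_sessions(log_text):
    """Map Framed-IP-Address -> attribute dict, parsed from each line's key=value tail."""
    sessions = {}
    for line in log_text.splitlines():
        if "," not in line:
            continue
        attrs = dict(KV.findall(line.split(",", 1)[1]))
        if "Framed-IP-Address" in attrs:
            sessions[attrs["Framed-IP-Address"]] = attrs
    return sessions

def enrich(event, sessions):
    """Append the 'who' and 'what device' context ISE knows for the source IP."""
    ctx = sessions.get(event["src_ip"], {})
    return {
        **event,
        "user": ctx.get("UserName", "unknown"),
        "mac": ctx.get("Calling-Station-ID"),
        "device": ctx.get("EndPointMatchedProfile", "unknown"),
        "posture": ctx.get("PostureStatus", "unknown"),
        "group": ctx.get("IdentityGroup", "unknown"),
    }

def classify(ev):
    """Analytic policy over the enriched event. Returns (severity, action).
    The rules are illustrative assumptions, not ISE or partner defaults."""
    sensitive_target = ev["dst_ip"].startswith(SENSITIVE_PREFIXES)
    mobile = any(m in ev["device"].lower() for m in MOBILE_MARKERS)
    if ev["posture"] == "NonCompliant":
        # Posture failure: quarantine if touching sensitive hosts, otherwise alert.
        return ("high", "quarantine") if sensitive_target else ("medium", "alert")
    if ev["group"] == "Guest" and sensitive_target:
        return "high", "quarantine"            # less-trusted population on sensitive net
    if mobile and sensitive_target:
        return "medium", "alert"               # mobile-specific scrutiny
    if ev["user"] == "unknown":
        return "medium", "alert"               # no ISE session: unauthenticated source
    return "low", "log"

def remediation_request(ev, policy="Quarantine"):
    """Record a SIEM would hand back to ISE to act on the endpoint. The field names
    are a generic placeholder, not the ISE API's own schema."""
    return {"mac": ev["mac"], "policy": policy, "reason": ev["signature"]}

def triage(events, log_text):
    """Enrich, classify and annotate every event; the SIEM logs the full result."""
    sessions = parse_sessions(log_text)
    results = []
    for event in events:
        ev = enrich(event, sessions)
        ev["severity"], ev["action"] = classify(ev)
        if ev["action"] == "quarantine":
            ev["remediation"] = remediation_request(ev)
        results.append(ev)
    return results

if __name__ == "__main__":
    for r in triage(SIEM_EVENTS, ISE_LOG):
        print(f'{r["action"]:10} {r["severity"]:6} {r["user"]:12} {r["device"]:22} {r["signature"]}')
```

Note the fourth alert: the same signature from an IP with no ISE session is still escalated, because the absence of identity context is itself a signal (an unauthenticated or unmanaged source). In a real deployment the session table would be fed continuously from ISE syslog or pxGrid rather than parsed from a static string, and the quarantine record would be translated into whatever call the partner platform uses toward ISE.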
The partner table covers SIEM/TD platforms from HP (ArcSight), IBM (QRadar), Lancope, LogRhythm, Splunk, Symantec, and Tibco (LogLogic) and their integration with Cisco Identity Services Engine (ISE), which lets security analytic policies be differentiated by user privilege.
Key points include:
- All listed platforms support ISE releases 1.1 and 1.2.
- Integration release dates differ by partner, for example Q4R1 (November 2013) for some and July or September 2013 for others.
- The platforms can apply analytic policies tailored to users with access to sensitive data or to less trusted user populations.
- Additional product information for each partner, with links to vendor collateral, is available on the Cisco Developer Network Marketplace.
Overall, the table is a snapshot of which partner releases integrate with which ISE releases, and of how each platform supports differentiating user privileges by data sensitivity and trust level.
The TIBCO Iris entry lists the SIEM, TD analytics, and endpoint security posture management (ESPM) capabilities it supports when integrated with Cisco Identity Services Engine (ISE):
- Ingestion of ISE context: device type, username/identity, endpoint security posture status, user network privilege level, authorization group, authentication status and attempts, and more.
- Combining these contexts for detailed analysis and visualization.
- Scrutiny of specific device types (e.g., mobile devices), user types (e.g., guest users, sensitive users), classes of users (e.g., IT administrators), and devices with posture failures.
- Visualization of ISE context data in TIBCO Iris 2.0.0 (Q1 2014).
- Detection of anomalous patterns in ISE context data in TIBCO Iris 3.0.0 (Q3 2014), to identify potential threats proactively.
- Long-term storage and reporting on the collected ISE context data.
- Network actions such as blocking network access and quarantining devices invoked from the partner platform; the table marks this row "YES NO 2H13", which the extracted text does not fully explain.
- Basic ISE-specific dashboards in TIBCO Iris 2.0.0, and collection of detailed log data directly from ISE, documented in a linked user guide.
Overall, TIBCO Iris covers SIEM/TD analytics, ESPM, and network posture reporting on top of ISE context, giving organizations a fuller picture of the users and devices on their network.
