June 2016

Slide 1: See It All, Secure It Now
Identity Services Engine (ISE)

Slide 2: How Many Devices Will Connect to Your Network by 2030?
• 500B devices will be connected worldwide
• 67% of people currently use personal devices at work, regardless of BYOD policies and lack of security

Slide 3: It’s Harder Than Ever to See Who Is on Your Network and What They Are Doing
• 90% of surveyed organizations are not “fully aware” of the devices accessing their network
• 75% of companies say their mobile devices were targeted by malware in the last 12 months
• And you can’t protect what you don’t see

Slide 4: If Only You Had the Right Tools to…
• See who and what is on your network
• Grant access on a “need to know” basis
• Share information to bolster security
• Detect and respond to threats

Slide 5: With Cisco Identity Services Engine You Can
• Stop and contain threats
• See and share rich user and device details
• Control all access throughout the network from one place

Slide 6: Introducing Cisco Identity Services Engine (ISE)
A centralized security solution that automates context-aware access to network resources and shares contextual data.
• Access policy: Traditional and Cisco TrustSec®
• Use cases: BYOD Access, Threat Containment, Guest Access, Role-Based Access, Identity Profiling and Posture
• Deployment: ISE as the network “door” (physical or VM), with the ISE pxGrid controller
• Context used for the access decision: Who, What, When, Where, How, Compliant, Threat (New!), Vulnerability (New!)

Slide 7: Context Enhances Protection Across the Attack Continuum
• Gain visibility into who and what is on your network
• Grant access on a “need to know” basis
• Provide threat context to network behavioral analysis
• Contain through network elements and security ecosystem
• Get better forensics and prepare for the next attack by sharing information with ecosystem partners
(Diagram: ISE context (Who, What, Where, When, How) applied BEFORE, DURING and AFTER an attack)

Slide 8: With ISE You Can (section divider; same three points as slide 5)

Slide 9: Control It All from a Single Location: Network, Data, and Applications
• Secure access from any location, regardless of connection type
• Apply access and usage policies across the entire network
• Monitor access, activity, and compliance of noncorporate assets
(Diagram: Remote User, Contractor, Guest, Administrator, Enterprise Mobility and Partner connecting over Wireless, VPN and Wired from Branch and Headquarters)

Slide 10: Enable Faster and Easier Device Onboarding without Any IT Support
• Simplified device management from self-service portal
• Automated authentication and access to business assets
• Rapid device identification with out-of-the-box profiles
(Diagram: Employee and IT Staff; Device Profiling; resources: Internal Employee Intranet, www, Confidential HR Records)

Slide 11: Simplify Access Management While Maintaining Security (What’s New for ISE 2.1?)
Easy Connect is a quick, flexible user authentication method that applies when endpoints don’t support 802.1X. Easy Connect monitors user login via Active Directory and maps the user’s identity to give access.
Easy Connect capabilities:
• Active-session monitoring across both AD and network log-ins
• Session maintenance from wired MAB clients to NADs
• Directory notification publication via pxGrid
• Address legacy and unsupported NADs with TrustSec
• Assignment of VLANs, dACLs, SGTs and more for users authorized via Easy Connect
Benefits:
• Increased visibility into active network sessions authenticated against AD
• Immediate value with no need to touch each endpoint or require users to authenticate again
• Flexible deployment that doesn’t require a supplicant or PKI, allowing ISE to issue CoA for added security
Access security versus complexity:
• Basic: whitelisting
• Better and flexible: ISE Easy Connect
• Most secure: integrated 802.1X, supplicants and certificates
Easy Connect, a secure alternative to whitelisting: Easy Connect merges RADIUS identity with AD login identity to deliver differentiated access.
(Diagram: Network Access Device without 802.1X; Active Directory (AD) login; identity mapping in MnT; publish to pxGrid; SXP speaker)

Slide 12: Improve Guest Experiences without Compromising Security
• Immediate, uncredentialed Internet access with Hotspot
• Simple self-registration
• Role-based access with employee sponsorship
(Diagram: Guest to Internet; self-registered Guest to Internet; sponsored Guest to Internet and Network)

Slide 13: Rest Assured That Cisco ISE Is Keeping Track
Enterprise Mobility Management (EMM) integrations: MaaS360, AirWatch, SAP, MobileIron, Citrix, Microsoft, Good
Checks: OS patches? AV installed? Registered? Custom criteria? Vulnerable? Threat?
• Identifies device
• Checks posture
• Verifies policy compliance
• Quarantines non-compliant devices

Slide 14: Give the Right People on the Right Devices the Right Access to the Right Resources with Cisco TrustSec
• Enforce business role policies for all network services and decisions
• Define security groups and access policies based on business roles
• Implement granular control on traffic, users, and assets
(Diagram: Who: Guest, What: iPad, Where: Office; Who: Receptionist, What: iPad, Where: Office; Who: Doctor, What: Laptop, Where: Office; resources: Internet, Confidential Patient Records, Internal Employee Intranet)

Slide 15: Flexible and Scalable Policy Enforcement with Cisco TrustSec
Traditional security policy:
    access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462
    access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384
    access-list 102 permit icmp 136.237.66.158 255.255.255.255 eq 946 119.186.148.222 0.255.255.255 eq 878
    access-list 102 permit ip 129.100.41.114 255.255.255.255 gt 3972 47.135.28.103 0.0.0.255 eq 467
Cisco TrustSec® security policy (software-defined segmentation):
• Security control automation
• Simplified access management
• Improved security efficacy
(Diagram: Network Fabric: Switch, Router, DC FW, DC Switch, Wireless)

Slide 16: With ISE You Can (section divider; same three points as slide 5)

Slide 17: Make Fully Informed Decisions with Rich Contextual Awareness
Poor context awareness:
• Who: IP address 192.168.1.51
• What: Unknown
• Where: Unknown
• When: Unknown
• How: Unknown
• Result: Any user, any device, anywhere gets on the network
Extensive context awareness:
• Who: Bob
• What: Tablet, iOS, v. 9.1x
• Where: Building 200, first floor
• When: 11:00 a.m. EST on April 10
• How: Wireless
• Result: The right user, on the right device, from the right place is granted the right access

Slide 18: Streamlined Visibility: Uncover Endpoints and Potential Threats
Endpoints 192.168.24.3, 192.168.24.5, 192.168.24.11, 192.168.24.12 and 192.168.24.13, each granted or denied access to: Local Network, File Server Access, Employee Portal, Internet Access, Enterprise Network, Surveillance Analytics, Data Center Access (or No Access).
• IP Camera: Where: Room 12; When: 9/12/15; How: Automatic
• Mobile Phone: Where: Lobby; When: 3:21 p.m.; How: Hotspot
• Pen Drive: Where: Room 223; When: 12:31 p.m.; How: Unknown
• IoT Security Camera: Where: Loading 223; When: 9/2/25; How: Automatic
• Corporate Managed Tablet: Where: Commons; When: 9/8/15; How: VPN

Slide 19: With ISE You Can (section divider; same three points as slide 5)

Slide 20: Enable Unified Threat Response by Sharing Contextual Data
Cisco Platform Exchange Grid (pxGrid)
1. Cisco® ISE collects contextual data from network
2. Context is shared via pxGrid technology
3. Partners use context to improve visibility to detect threats
4. Partners can direct ISE to rapidly contain threats
5. ISE uses partner data to update context and refine access policy
(Diagram: ISE and the pxGrid controller on the Cisco network exchanging context (Who, What, Where, When, How) with the Cisco and partner ecosystem)

Slide 21: ISE Is the Cornerstone of Your Cisco Security Solutions
Across BEFORE, DURING and AFTER, ISE context (Who, What, Where, When, How) feeds: NetFlow, NGIPS, StealthWatch®, AMP, AMP Threat Grid, FirePOWER Console, CWS, WSA, ESA, FirePOWER™ Services

Slide 22: And Easily Integrates with Partner Solutions
The ISE pxGrid controller shares context (Who, What, Where, When, How) with: SIEM, EMM/MDM, Firewall, Vulnerability Assessment, Threat Defense, IoT, IAM/SSO, PCAP, Web Security, CASB, Performance Management
Partners: Cisco Meraki, Lancope, Splunk, Emulex, Ping Identity, Bayshore, Tenable Network Security, Infoblox, CheckPoint

Slide 23: See How Endpoints Act on the Network with Better Visibility
Rapid Threat Containment
Network Sensor:
• Cisco® ISE
• Cisco networking portfolio
• Cisco IOS® NetFlow
Data (StealthWatch by Lancope):
• Cisco Stealthwatch
• Cisco Firepower Management Center
  - Cisco NGFW
  - Cisco NGIPS
  - Cisco AMP

Slide 24: And Make Visibility Actionable Through Segmentation and Automation
Network as an Enforcer
• Cisco® ISE
• Cisco networking portfolio
• Cisco IOS® NetFlow
• Cisco Stealthwatch®
• Cisco TrustSec® software-defined segmentation
(Diagram: segmented zones: Admin, Enterprise, Point-of-Sale, Vendor, Employee, Dev)

Slide 25: Cisco ISE Delivers
1. Simplified access delivery across wired, wireless, and VPN connections
2. Visibility into who and what is on your network that is shared across security and network solutions
3. Reduced risk and threat containment by dynamically controlling network access
ISE allows you to see it all and secure it now.

Slide 26: Don’t Just Take It from Us
“Cisco ISE unifies and automates access control to proactively enforce role-based access to enterprise networks and resources.” — SC Company 2016
• Recognized as a LEADER, four years in a row — Gartner Magic Quadrant for NAC: 2014, 2013, 2012, 2011
• A CHAMPION in Info-Tech Vendor Landscape for NAC — Info-Tech Research Group, 2014
• Recipient of the 2016 Frost & Sullivan Global NAC Market Leadership Award
“In this generation NAC platform, Cisco wanted to make an easier, more intuitive platform while adding features and functionality. Cisco has gone a long way toward achieving these objectives.” — Frost & Sullivan, 2016

Slide 27: Let’s Get Started
Visit www.cisco.com/go/ise
Contact your authorized Cisco partner

ISE_2.1_BDM_v3a.pptx
Editor's Notes

  1. SCRIPT: My name is <> and I’m a <> at Cisco. This presentation will go over the business case for ISE 2.0. Why it matters, what it can accomplish.
  2. The enterprise network today extends around the globe—to wherever employees are and to wherever their data flows. These employees require access to enterprise resources in more ways than ever before – whether they’re inside or outside of the office and regardless of what device they’re using. This shift towards greater flexibility for employees is forcing enterprises to face a rapidly changing environment that features a more dynamic threat landscape, a lot of fragmentation, and greatly increased complexity. Think about it: mobility, cloud services, and the Internet of Everything (IoE) are fundamentally changing the way we live and work, and, as a result, enterprises are challenged to support a massive proliferation of new network-enabled devices. Tack on all the cloud services being used – both approved and non-approved – across the modern enterprise and the forecast of 500 BILLION devices connecting to networks by 2030 (which I think is conservative), and you can see how important and how challenging it is to secure access in this constantly evolving enterprise network. http://www.cisco.com/c/r/en/us/internet-of-everything-ioe/internet-of-things-iot/index.html Many of these devices are non-corporate assets—67% of people bring their own devices to work, oftentimes ignoring BYOD policies and being completely unaware of the security risk they might pose. http://voicevault.com/three-frightening-mobile-security-statistics-will-make-believer-voice-biometrics/ T: But what does this mean for your network? <click>
  3. As more and more employees bring their personal devices onto the corporate network, organizations start to lose sight of exactly what and who is on their network. A recent report noted that 90% of surveyed organizations were not “fully aware” of the devices accessing their network. These “blind spots” in your network quickly translate to security threats. Basically, if you can’t even see what is accessing your network, it’s going to be an even bigger challenge to secure it across all devices and all users for proactive protection against threats. And it’s not really a matter of “if” your company data will face a security threat such as a data breach or malware attack, it’s a matter of “when”: According to the Ponemon Institute in the 2015 State of the Endpoint Report: User-Centric Risk, 75% of companies say their mobile devices were targeted by malware in the last 12 months. Data theft and targeted phishing campaigns are on the rise and are becoming increasingly sophisticated. Malware attacks are more sophisticated than the basic phishing attacks of 20 years ago. For example, the Stuxnet virus physically destroyed hundreds to thousands of uranium enrichment centrifuges. Recent breaches at high profile retailers resulted in tens of millions of credit card accounts being compromised and stolen. Devastating, to say the least. Again, the problem enterprises are facing in an increasingly mobile environment is that <click> you can’t protect what you don’t see. In fact, 66% of organizations simply fail outright to detect a breach for months or even years. (Verizon Data Breach Report - http://www.secretservice.gov/Verizon_Data_Breach_2013.pdf). Scarier still is that today’s advanced, persistent threats can sit quietly in an enterprise infrastructure, moving laterally, to find the right unprotected asset that allows them to elevate rights and gain access to the most important company data. <click>
  4. This is the scenario that is keeping business decision makers (like yourself) awake at night. The stakes are high, and the challenge is complex. But it doesn’t have to be. With the right solution, you could solve for mobile network security. The “right solution” would be one that gives you: visibility of who and what is on your network; the tools to grant access on a “need to know” basis, so that even people who get on the network can only access the information they are entitled to; the ability to share information and data with other components of your security solution; and the ability to better detect and respond to behavior that doesn’t belong anywhere on your network. T: But is it really possible to get all of these things from a single solution? <click>
  5. Yes, with Cisco Identity Services Engine. With this solution you can: control all access throughout the network, from one place; see and share rich user and device details; and stop and contain threats. Let’s look at ISE in more detail.
  6. What is Cisco ISE? ISE is a centralized security solution that automates context-aware access to network resources and shares contextual data. Here’s how it works… In reality, you have many different types of users trying to get onto a network. In this case, the user is a contractor: not an employee, but also not a guest. The contractor needs access, perhaps only temporarily, to certain network resources in order to do her job effectively and efficiently. ISE collects contextual data from the network (like DHCP, NetFlow, etc.), the type of device, and the user identity (e.g., from Active Directory) and pulls that information in. It also collects context from integrated partners when evaluating posture or compliance. Now, with a contextual identity established, ISE is able to bring together these disparate pieces of data in a single location and make a more fully-informed decision regarding access. ISE now incorporates vulnerability assessment and threat incident intelligence to drive network policy. This also allows ISE to change network privileges dynamically in the event that an endpoint’s threat score changes. Here, the contractor may get access to certain file servers and the employee intranet, but obviously not admin servers, etc. Other examples include: You’re a visitor…you get guest access. You’re a corporate employee on an iPad…you get employee access that varies depending on whether your device is a corporate or non-corporate managed asset. And different employees can get access to different parts of the network based on their specific business roles and data requirements. An HR employee will get access to employee personal records, while a finance executive will have access to financial data, but not necessarily HR records. And of course, if you’re using a device that is compromised with malware or just not compliant…you get zero access to the network.
By eliminating these unknowns and ensuring device compliance, we’re able to provide the RIGHT level of access to the RIGHT user at the RIGHT time while reducing the overall attack surface by preventing compromised entities from gaining access in the first place. These role-based access policies are enabled through segmentation, accomplished either traditionally or with Cisco TrustSec, which allows you to dynamically segment your network without the complexity of VLANs and ACLs. You can also share all the rich contextual information you gather with your other Cisco solutions and your partner ecosystem through pxGrid technology. And the best part – you can deploy ISE with a single physical appliance or run it on a virtual machine. T: With deeper visibility and context, we get more accurate identification, which ensures that users and devices are onboarded seamlessly with greater, more granular security, and your network is protected from threats. <click>
  7. And of course, ISE is fully integrated with other Cisco products to enhance protection before, during, and after an attack. It works before an attack to manage and define network access, as described above. It provides better visibility into an attack with its context sharing capabilities across platforms. It also provides better security during an attack through network segmentation, which prevents the lateral movement of threats across the network. And finally, it promotes enhanced security after the attack by using the security event data to help fine-tune secure access policies that better manage who and what can access the network and network resources. T: Now, let’s dive into the details… <click>
  8. First, how ISE lets you control network access from one place.
  9. Centralized policy management can control network access and usage policies from a single location. Customers have the flexibility to manage policies for a variety of use cases including secure access, guest management, TrustSec, and enterprise mobility. ISE provides secure access management capabilities over all users, regardless of connection type. Wired, wireless and remote users can connect directly, or through VPNs, and receive the same unified access and control found when connected to the corporate Ethernet. Centralized policy management controls access and usage policies across the entire network from a single location that can be managed either onsite or off. Customers can control individual branches or the entire business. ISE also delivers guest and enterprise mobility management capabilities so customers can regulate access to internet, network, and company files. Customers can set up automatic rules or offer employee sponsorships to ensure that guests and contractors get the access they need while still maintaining overall company security. T: ISE not only implements policies across the network from a single location, but uses superior visibility to provide device onboarding management. <Click>
  10. It used to be easy to secure corporate assets. They were managed and maintained by IT, and only the devices that were provisioned were allowed on the network. Today, the trend is to work on your personal smart device. Whether for financial reasons (i.e., cheaper for enterprises) or for productivity reasons (i.e., people want to use their own iPads), enterprise mobility on non-corporate assets is here to stay. However, this creates a scenario where all these new devices are attempting to access the network. How do we control their access? How can we tell that they’re compliant with corporate policy? How do we know they’re secure and uncompromised? Luckily, with Cisco ISE, there is full functionality out of the box that allows for full command over every aspect of managing and securing an enterprise mobility project. ISE delivers fully customizable user experiences with themes and gives end users control to add and manage their devices. ISE also simplifies the task of managing certificates for non-corporate devices. In order to reduce the complexity and expense, ISE offers a native Certificate Authority, designed to work in concert as a self-contained solution or with existing Enterprise Public Key Infrastructure (PKI), to simplify these deployments by managing endpoints and their certificates together: when an endpoint is deleted, ISE deletes its certificate. T: This visibility also lets ISE quickly profile and onboard guest devices as well. <click>
  11. With ISE 2.1 we are introducing a feature called Easy Connect, which offers a quick, easy, and flexible method for user authentication that applies when endpoints don’t support 802.1X. We understand that 802.1X can be hard to deploy, and requires touching each endpoint. And we understand that users often complain about additional app authentications. We listened to the need for an option that doesn’t require an 802.1X rollout and that doesn’t require touching each endpoint. Easy Connect addresses all of those concerns. Unlike competitors who use a MAC address to give devices network access, Easy Connect permits access to the network with user information behind it. Easy Connect finds devices based on the user, and gives differentiated access with no 802.1X involved. The moment a user authenticates with Easy Connect, ISE maps the user’s identity and pushes a tag to the endpoint to enable policy enforcement, even if the network isn’t configured with TrustSec. ISE can act as an SXP speaker, advertising the endpoint’s IP-to-tag binding so that tags can be passed along for enforcement and TrustSec can work with a broad set of devices (e.g., third-party devices, or an access switch that doesn’t support tagging itself). ISE also publishes this information using pxGrid.
  12. The same great visibility available on employee devices is available with guests as well. Customers can see the who, what, when, and where of the connection to maintain security. With support for a variety of browsers on both computers and mobile devices, ISE can identify the type of device that guests are using and send them an easy-to-use onboarding screen compatible with their machine. In many instances, guests only have the ability to use the internet, rather than the company’s network. ISE gives guests the right type of access immediately: internet access through a hotspot portal, or a brief self-registration portal that may grant registered users more access. With ISE, employees can also sponsor guests so they can access the information they need, whether it be guests needing to access online services or contractors needing information to perform jobs. These sponsorships can be customized by administrators or by individual employees. Because of the variety of devices supported and the ease of onboarding, guests can often get up and going without the need for specialized assistance, reducing the burden on IT staff. T: Of course, whether it is secure access, guest access, or enterprise mobility access, all devices must be compliant… <click>
  13. ISE first identifies and checks the posture of devices automatically whenever they access the network. This ensures that all devices meet security requirements at all times. In addition, customers can create their own custom criteria that devices must meet in order to gain network access. This enables businesses to maintain compliance with their own business policies, industry regulations, and government requirements. ISE can also quarantine devices that do not meet those requirements, whether preset or custom. Customers can limit the access of such devices or even deny access completely. Oftentimes, these devices are denied network access but can still access the internet or IT services in order to remediate their deficiencies and regain compliance. In addition, ISE offers integrations with enterprise mobility management (EMM) platforms – including Cisco’s own Meraki Systems Manager Enterprise – to offer complete enterprise mobility control to administrators. T: The robust identity and access control features of ISE are available on a variety of different licenses. <Click>
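The access decision sketched on slides 6 and 13 can be modelled as an ordered rule set. The following Python is an added example written for this page, not Cisco's code or ISE's policy language: the session context is assembled from the directory (group membership), the profiler (device type, corporate or personal asset), the posture agent and a partner threat score; the first matching rule wins, a non-compliant endpoint lands in a remediation-only ACL, and anything above the threat threshold gets no access at all. The group names, profile names, ACL lines, addresses, the 0-100 threat score scale and its threshold are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple


# Constructed session context of the kind ISE is described as assembling:
# identity from the directory, device type from profiling, posture from the
# agent, and a threat score from integrated partners (0-100 scale is assumed).
@dataclass(frozen=True)
class Session:
    user: str
    ad_groups: frozenset
    device_type: str
    corporate_asset: bool        # managed corporate asset vs. personal (BYOD) device
    posture: str                 # "compliant", "noncompliant" or "unknown"
    threat_score: int = 0


@dataclass(frozen=True)
class Authorization:
    profile: str                 # constructed authorization profile name
    access: str                  # "full", "limited", "remediation" or "none"
    dacl: Tuple[str, ...] = ()   # downloadable ACL lines; addresses are placeholders


# Remediation-only access: name resolution plus a placeholder patch server.
REMEDIATION_DACL = (
    "permit udp any any eq 53",
    "permit tcp any host 198.51.100.10 eq 443",
    "deny ip any any",
)
# Personal devices reach everything except the placeholder admin subnet.
BYOD_DACL = ("deny ip any 198.51.100.0 0.0.0.255", "permit ip any any")
# Guests reach the internet only (constructed private range stands in for the corporate network).
GUEST_DACL = ("deny ip any 10.0.0.0 0.255.255.255", "permit ip any any")
# Contractors get one placeholder file server and nothing else.
CONTRACTOR_DACL = ("permit tcp any host 198.51.100.20 eq 445", "deny ip any any")

THREAT_THRESHOLD = 70            # assumption: at or above this the endpoint is treated as compromised

Rule = Tuple[str, Callable[[Session], bool], Authorization]

# Ordered like an ISE authorization policy: first match wins, nothing matching is denied.
RULES: List[Rule] = [
    ("Compromised",    lambda s: s.threat_score >= THREAT_THRESHOLD,
     Authorization("DenyAccess", "none")),
    ("NonCompliant",   lambda s: s.posture == "noncompliant",
     Authorization("Quarantine", "remediation", REMEDIATION_DACL)),
    ("PostureUnknown", lambda s: s.posture == "unknown",
     Authorization("Posture-Redirect", "remediation", REMEDIATION_DACL)),
    ("Guest",          lambda s: "Guests" in s.ad_groups,
     Authorization("Guest-Internet-Only", "limited", GUEST_DACL)),
    ("HR-Corp",        lambda s: "HR" in s.ad_groups and s.corporate_asset,
     Authorization("HR-Access", "full")),
    ("Finance-Corp",   lambda s: "Finance" in s.ad_groups and s.corporate_asset,
     Authorization("Finance-Access", "full")),
    ("Employee-Corp",  lambda s: "Employees" in s.ad_groups and s.corporate_asset,
     Authorization("Employee-Access", "full")),
    ("Employee-BYOD",  lambda s: "Employees" in s.ad_groups,
     Authorization("Employee-BYOD", "limited", BYOD_DACL)),
    ("Contractor",     lambda s: "Contractors" in s.ad_groups,
     Authorization("Contractor-Access", "limited", CONTRACTOR_DACL)),
]
DEFAULT = Authorization("DenyAccess", "none")


def authorize(session: Session) -> Tuple[str, Authorization]:
    """Return the name of the first matching rule and the resulting authorization."""
    for name, matches, result in RULES:
        if matches(session):
            return name, result
    return "Default", DEFAULT


# Constructed sessions: the same HR user on a managed laptop and on a personal iPad,
# a finance user whose posture check failed, a guest flagged by a threat partner,
# and a contractor on an unmanaged workstation.
SAMPLE_SESSIONS = [
    Session("alice", frozenset({"Employees", "HR"}), "Windows10-Workstation", True, "compliant"),
    Session("alice", frozenset({"Employees", "HR"}), "Apple-iPad", False, "compliant"),
    Session("bob", frozenset({"Employees", "Finance"}), "MacBook", True, "noncompliant"),
    Session("guest42", frozenset({"Guests"}), "Android", False, "compliant", threat_score=90),
    Session("carol", frozenset({"Contractors"}), "Windows10-Workstation", False, "compliant"),
]

if __name__ == "__main__":
    for s in SAMPLE_SESSIONS:
        rule, auth = authorize(s)
        print(f"{s.user:8} {s.device_type:22} -> {rule:14} {auth.profile:20} {auth.access}")
```

Rule order is what makes the slide's examples come out right: the HR user on a corporate laptop reaches the HR rule, but the same user on a personal iPad falls past every corporate-only rule and lands in the BYOD profile, while posture and threat checks sit at the top so that a compromised or non-compliant device never gets as far as the role-based rules.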
  14. The problem is this: As enterprises become more complex and more distributed, consistent network policy potentially becomes more complicated. Multiple SSIDs, different network segmentation, different sets of rules depending on how a user accesses the network. Cisco TrustSec, controlled by ISE, delivers Simplified Access Management across the entire business. It works by categorizing and tagging devices and then using those tags to push policies and regulate access. While developers need access to developer databases and storage, the HR department needs access to employee documents and legal information. Neither group has any need to access the other’s information. Executives and management, however, may need access to all categories. TrustSec tags can be set on the basis of device type, user role, and a variety of other criteria. This simplified access management brings accelerated security options. By categorizing users, customers can simplify firewall administration, avoiding the common rule explosions that happen when new servers are onboarded. Creating rules based on tags results in fewer rules that are more easily maintained. Easier maintenance reduces the burden on IT staff and enables them to focus on other, more pressing issues instead. In addition to accelerated security, the simplification also results in consistent policies. Users can control devices from a central location, regardless of device type or connection method. Individual tags can be customized and policies enforced separately to maintain the access your employees need without increased IT strain. T: Next, let’s talk about how TrustSec enables you to easily segment your network… <click>
  15. TrustSec is a core technology for segmentation that ISE controls. TrustSec abstracts security policy by grouping source and destination objects based on context and/or role. Think of an access control list entry like “deny tcp Employee to HR Server eq HTTPS”. “Employee” could be anyone who’s classified as an employee using context/attributes; the same goes for HR servers. You create the policy in a matrix that looks like a spreadsheet. This addresses the first segmentation complexity issue by having context behind the endpoint. When a customer has 200 new employees joining tomorrow worldwide, an admin can simply register those employees in an Employee Active Directory group, and TrustSec takes care of the rest of the security policy enforcement. TrustSec also distributes and provisions this abstracted policy to the network automatically, so customer network/security admins do not need to configure policy on every single segmentation point. Of course, you can use ISE to update all the policy centrally. This addresses the second segmentation complexity issue by simplifying maintenance operations. Enforcement policy is only invoked when appropriate. If your switch has HR servers and finance servers behind it, the switch automatically downloads and invokes policy for those servers only. When the finance servers are decommissioned, their policy is automatically removed from the switch. This helps customers keep up-to-date security policy on their network devices at all times without creating any security holes. The same concept applies when a new service needs to be provisioned. Once servers are classified in the right group, you just have to connect those servers to the network, and TrustSec automates the rest of the security policy enforcement. T: And this is the perfect way to help introduce ISE’s second main benefit: Visibility… <click>
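As an added illustration of the matrix model from slides 14 and 15 (example code written for this page, not Cisco's TrustSec implementation): directory group membership classifies an endpoint into a security group, a (source group, destination group) cell holds the SGACL lines, an enforcement point only needs the cells for the server groups behind it, and 200 new hires placed in the HR directory group change nothing in the matrix. The group names, tag numbers, SGACL contents, the default deny for empty cells and the host counts used in the rule comparison are all assumptions made for the example.

```python
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# Security group names with constructed tag numbers (not Cisco's defaults).
SECURITY_GROUPS = {
    "Unknown": 0, "Employee": 10, "HR": 11, "Finance": 12, "Developer": 13,
    "HR_Server": 20, "Finance_Server": 21, "Dev_DB": 22,
}

# Classification: directory group membership decides the security group, first match wins.
CLASSIFICATION = [
    ("HR", "HR"), ("Finance", "Finance"), ("Developers", "Developer"), ("Employees", "Employee"),
]


def classify(ad_groups: FrozenSet[str]) -> str:
    """Map a user's directory groups to one security group (the tag the endpoint carries)."""
    for ad_group, security_group in CLASSIFICATION:
        if ad_group in ad_groups:
            return security_group
    return "Unknown"


# One SGACL line: (action, protocol, destination port); port None means any port.
AclLine = Tuple[str, str, Optional[int]]

# The policy matrix: (source group, destination group) -> ordered SGACL lines.
# The first cell is the slide's "deny tcp Employee to HR Server eq HTTPS".
MATRIX: Dict[Tuple[str, str], List[AclLine]] = {
    ("Employee", "HR_Server"):     [("deny", "tcp", 443), ("deny", "ip", None)],
    ("HR", "HR_Server"):           [("permit", "tcp", 443), ("deny", "ip", None)],
    ("Finance", "Finance_Server"): [("permit", "tcp", 443), ("deny", "ip", None)],
    ("Developer", "Dev_DB"):       [("permit", "tcp", 5432), ("deny", "ip", None)],
}
DEFAULT_ACTION = "deny"   # assumption: a cell with no SGACL denies


def evaluate(src_group: str, dst_group: str, proto: str, port: int) -> str:
    """Walk the SGACL for one cell and return the first matching action."""
    acl = MATRIX.get((src_group, dst_group))
    if acl is None:
        return DEFAULT_ACTION
    for action, acl_proto, acl_port in acl:
        if acl_proto != "ip" and acl_proto != proto:
            continue
        if acl_port is not None and acl_port != port:
            continue
        return action
    return DEFAULT_ACTION


def enforce(src_ad_groups: Iterable[str], dst_group: str, proto: str, port: int) -> str:
    """End to end: classify the source from its directory groups, then look up the cell."""
    return evaluate(classify(frozenset(src_ad_groups)), dst_group, proto, port)


def policy_for_switch(attached_server_groups: Iterable[str]) -> Dict[Tuple[str, str], List[AclLine]]:
    """An enforcement point only needs the cells whose destination group sits behind it."""
    attached = set(attached_server_groups)
    return {cell: acl for cell, acl in MATRIX.items() if cell[1] in attached}


def rule_counts(hosts_per_group: Dict[str, int]) -> Tuple[int, int]:
    """Lines needed for the same matrix written per host pair versus per group pair."""
    per_host_pair = sum(
        hosts_per_group.get(src, 0) * hosts_per_group.get(dst, 0) * len(acl)
        for (src, dst), acl in MATRIX.items()
    )
    per_group_pair = sum(len(acl) for acl in MATRIX.values())
    return per_host_pair, per_group_pair


# Constructed population; 200 HR users joining tomorrow only need the HR directory group.
HOSTS = {"Employee": 1000, "HR": 200, "Finance": 50, "Developer": 80,
         "HR_Server": 5, "Finance_Server": 4, "Dev_DB": 3}

if __name__ == "__main__":
    print(enforce({"Employees"}, "HR_Server", "tcp", 443))          # deny
    print(enforce({"Employees", "HR"}, "HR_Server", "tcp", 443))    # permit
    print(enforce({"Employees", "HR"}, "HR_Server", "tcp", 22))     # deny
    print(policy_for_switch({"Finance_Server"}))                    # one cell
    print(policy_for_switch(set()))                                 # {} after decommissioning
    print(rule_counts(HOSTS))                                       # (12880, 8)
```

The rule comparison is the point of slide 14's "rule explosion": with these constructed counts the four cells expand to 12,880 per-host-pair lines, whereas the tag-based matrix holds 8, and the number stays at 8 no matter how many hosts join a group. `policy_for_switch` mirrors the decommissioning case on slide 15: once no finance server sits behind a switch, the finance cell simply stops being downloaded to it.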
  16. Before ISE, the problem was a lack of context awareness. Even if a network administrator was able to get the different aspects of context information (the who, what, and where, for example), they were available from different places and could not be found in a single location to provide a complete picture of the type of network access request. There was no way to make an immediate, fully-informed access decision. ISE provides intelligent profiling features and posture checking that are brought together to create a single point of decision. ISE has a more comprehensive set of probes to GET the contextual awareness needed to profile correctly. Profiling benefits your network because it provides better mobility policies, easier onboarding for users, and less time spent by admins thanks to better access policy management. This increases the productivity of both users and admins alike. And most importantly, it gets the right user, on the right device, from the right place, the right network access. T: And the best part, your ability to see more comes right out of the box… <click>
  17. To make sure that enterprises stay up-to-date with all the new commercial and specialized devices that are brought to market every week, Cisco ISE offers a profile feed service that updates the profiling database with the latest and greatest profiles. This ensures that no matter the type of device, ISE can identify it and you can wrap a granular policy around it to control its network access. ISE has a larger array of profiles right out of the box – more than double the competition. This means you can identify devices much more quickly, leading to easier and faster device onboarding policies. And ISE allows administrators to create their own custom profiles to fit whatever types of devices they imagine they might need. This superior, market-leading profiling technology and feed service reduces unknown devices, on average, by 74%. (This number was calculated based on the ISE Device Profile Feed Service and a sample of our participating deployments, who went down, on average, from 35% unknown devices to 9% - garnering a 74% reduction in unknown devices. (35-9)/35 = 74%). ISE also delivers enhanced out-of-the-box visibility into users and devices on the network through a simple, flexible, and highly consumable interface. ISE now stores a history of all endpoints that have been on the network and all the associated visibility. And the visibility setup wizard allows you to quickly stand up a proof of value before lunch and, by the time you’re back from lunch, you’ll have visibility into all the endpoints currently on the customer’s network. T: Now, that covers visibility and control. What about stopping and containing threats? <click>
  18. Cisco Platform Exchange Grid (pxGrid) enables multivendor, cross-platform network system collaboration among parts of the IT infrastructure such as security monitoring and detection systems, network policy platforms, asset and configuration management, identity and access management platforms, and virtually any other IT operations platform. When business or operational needs arise, ecosystem partners can use pxGrid to share contextual information with Cisco platforms that use pxGrid as well as any ecosystem partner system that uses pxGrid. Cisco pxGrid provides a unified framework that enables ecosystem partners to integrate to pxGrid once, then share context bidirectionally with many platforms without the need to adopt platform-specific APIs. Partners can also direct ISE to take remediation or other network action along the same channels of communication. Then, ISE can use the partner data to update context and refine access policies, resulting in tighter, more comprehensive security. pxGrid is fully secured and customizable, enabling partners to share only what they want to share and consume only context relevant to their platform. This level of customizability ensures scalability when integrating with one or multiple systems. Furthermore, pxGrid enables ecosystem partner platforms to execute network actions with the Cisco network infrastructure. T: pxGrid really turns ISE into an enabler of your overall security system… <click>
  19. ISE is an enabler of many other Cisco security solutions by providing them with better visibility, context, and control. With ISE, you can optimize downstream security services. It really serves as the cornerstone for a context and policy architecture, leveraging pxGrid technology to make security solutions context-aware. With the ability to connect these disparate solutions, ISE can help accelerate the security capabilities and reduce the overall time-to-attribution and time-to-remediation for advanced network threats – including containing malicious threats through dynamic segmentation with Cisco TrustSec-enabled hardware. T: … <click>
  20. One of the major problems that enterprises face is that they have multiple security vendors and all of these disparate solutions work independently of each other. Cisco ISE and Cisco pxGrid are designed to confront that challenge head-on. When partner platforms integrate with Cisco ISE, there are three powerful benefits to enterprises. (1) ISE makes partners context-aware: contextual awareness offers deeper insight into the context surrounding a security event. Many partner platforms provide IP or MAC addresses as key identifiers. How much easier would it be to triage security events if you knew that an event was tied to a person, device, and location? (2) Partner data improves ISE network access policy: with more data from more places, it’s possible to fine-tune ISE access policy even more granularly to ensure that the right level of access is being provided at any given moment. (3) Partner platforms can take action with ISE: quickest way to minimize time-to-attribution and time-to-remediation? Link a partner platform with ISE. The partner platform gains the context to more accurately identify the threat as well as the capability to send a “signal” to ISE to take action to quarantine or kick off a delinquent actor on the network. T: And the ISE story doesn’t stop here <click>
  21. ISE is a very important part of Cisco’s Network as a Sensor, which also includes Cisco StealthWatch. StealthWatch enables context-aware visibility, threat detection, incident response diagnostics, and user monitoring. It gives deeper visibility into the network and also accelerates the response to what to do with NetFlow data: it analyzes the NetFlow data and provides analytics on top of it. StealthWatch can look at user behavior – copying files, moving places in the network – and determine whether these behaviors are suspicious. By providing analytics and insight from NetFlow, it lets you gain visibility into user behavior, detect anomalies, collect and analyze network audit trails, and leverage Cisco Identity Services Engine, or Cisco ISE, to take action based on this visibility. T: And on the other side of the same coin… <click>
  22. Cisco Network as an Enforcer works hand in hand with Network as a Sensor. Network as an Enforcer uses all the same elements in the Cisco Network as a Sensor solution but then augments that solution with Cisco TrustSec. Once you have used the Network as a Sensor solution to gain that deeper visibility and insight into traffic flows, user policy violations and malware, you can then leverage the Network as an Enforcer to take action. Network as an Enforcer allows you to contain the scope of an attack in progress, quarantine threats, and implement policy controls to secure your network resources. It allows you to not only quarantine threats but also reduce your time to remediation. T: So are you seeing everything that ISE can do for you and your network? <click>
  23. Cisco ISE is the vital component for close to 7000 different customers to support THEIR Unified Access, manage THEIR BYOD deployments, and achieve THEIR overall security and compliance objectives of minimizing the overall attack surface, securing access, containing threats, and reducing overall risk. By now, you can see for yourself how Cisco ISE provides deeper visibility, centralized control, and superior protection. T: But it is not just about what WE say… <click>
  24. Cisco ISE is generally on the short list of vendors to be considered for NAC deployments…and for good reason. We’re perennially recognized for tech innovation and leadership by all of the major industry analysts following the market. <click>
  25. In order to learn more about our offerings, please go to www.cisco.com/go/ise, or contact your authorized Cisco partner. We look forward to continuing the conversation!