Cisco Launches Platform Exchange Grid

The multi-layer aspect of network security is easy enough: just deploy multiple different security products. But the overlap between them is often handled manually, leading to swivel-chair aerobics for security admins: the need to constantly switch between the control panels of different products, first to gain a complete view of the incident, and then to choose and enact the right remediation. Put bluntly, a SIEM product may detect a potential threat, but on its own it lacks sufficient contextual information to enact the correct and immediate remediation.

The danger is that although a SIEM can detect a potential threat, by the time contextual information has been gathered and analyzed sufficiently for effective remediation – which can take days, weeks or more – the threat actor is gone or has moved to a different part of the network. What is needed for SIEM to be truly effective is rich, deep and granular knowledge of the who, what, where and when of a potential threat in real time – a need made all the greater and more difficult by the growing presence of local and remote consumer devices on the network, and the increasing danger of long-term, evasive APT-style intrusions.

Cisco already holds rich and deep contextual knowledge of the devices on the network within its Identity Services Engine (ISE) – a unified source of identity and device context and of network control. Its new Platform Exchange Grid (pxGrid) is designed to allow two-way sharing of that information with other security products such as SIEMs. Via pxGrid, ISE can give contextual understanding to SIEMs and, in turn, receive remedial instructions from the SIEM, such as quarantining or blocking devices, users or groups.

“Until now,” explains Dave Frampton, VP of the Cisco security technology and government group, “SIEM/threat defense systems have lacked a complete picture of mobility and BYOD security risks, but with our new ecosystem they can use ISE network telemetry to correlate user, device, and policy context with their traditional threat defense data sets. In addition to identifying new categories of possible threats on the network, they can now also target suspicious mobile devices and start creating device- or user- or group-specific analytics for additional scrutiny. By incorporating unique real time network and device context from ISE they now have a single source of truth all from one screen - this consolidation helps them sort through suspicious events faster and take focused remediation action.”

Cisco is currently working with a number of different security providers, such as ArcSight, IBM, Lancope and Symantec for SIEMs, and AirWatch, Citrix and MobileIron for mobile device management (MDM). CareFusion is one early adopter, combining Cisco’s NetFlow and ISE with Lancope’s SIEM. It is a cyber defense trifecta, comments Bart Lauwers, VP of IT infrastructure, “that gives CareFusion the network visibility and security context to respond to security threats much more efficiently. We now have a single pane of glass that tells us the ‘who/what/when/where/how’ associated with a potential threat, which helps us prioritize the most serious events and respond to them quickly.”

Integrations of ISE, pxGrid and Cisco’s partner products are expected to be available to customers during the first quarter of 2014.