Cisco this week is rolling out a new partner program aimed at letting threat management and security information event management (SIEM) vendors share rich databases of security information.
The overriding concept is that no security vendor can really go it alone, not if the customer wants to be truly safe. That is especially true today, as attacks are ever more aggressive and just as varied. And with BYOD, the devices that need protection are more numerous as well.
The strategy is a bit complex and comes in a few layers.
To begin with, the new approach revolves around Cisco Identity Services Engine (ISE). This tool is about context. Instead of just looking at an end-user or a device in isolation, ISE looks at the deeper context to define a security posture.
For instance, an end-user also uses a specific device from a certain location and has particular access rights. He or she is using a set of applications and a network access method such as LAN or Wi-Fi, and may be coming in over a VPN. IT can then develop policies for how to deal with each of these particular postures.
“ISE delivers a unified, real-time source of identity and endpoint device, policy context and network control across a customer’s network, expanding the intelligence the customer can use en concert with their IT infrastructure to discover, defend and remediate threats,” explained Cisco.
All this information feeds into a database that covers all users and network devices.
The Cisco plan is to integrate more third parties into these context databases, and share them from partner to market, creating an entire security ecosystem that all has access to the same rich contextual data.
This last part is where the Cisco Security Technology Partner Ecosystem comes in. This group includes the third parties that make the integration happen. And having key security third parties share security information is what the Cisco plan is all about.
“Cisco Security Ecosystem partners that integrate with ISE increase efficiency of operations and accelerate the ability of IT organizations to resolve network issues, while also extending to partner products the ability to reach into the Cisco network infrastructure to execute policy actions on users and devices — such as quarantine and blocking network access,” Cisco said.
Cisco first brought in Mobile Device Management (MDM) vendors into the fold. The next move was SIEM and threat management companies who are joining the Cisco Security Threat Defense Ecosystem.
Now in the program are HP ArcSight, IBM, Lancope, TIBCO LogRhythm, Tibco LogLogic, Splunk and Symantec. These partner integrations should bear fruit in the first quarter of next year.
“Like many network systems, SIEM/threat defense systems often have limited insight to real-time user identity or endpoint device type in their security analyses. This is critical because these are among key attributes for effectively handling things like employees bringing their own mobile devices to work,” Cisco said. “Through ISE, the Cisco Security Threat Defense Ecosystem provides this context, integrating with SIEM/threat defense systems to create policies and analytics based not just on network patterns, but also on type of device and class of user. The Threat Defense Ecosystem also makes security more actionable, integrating SIEM/threat defense with a central policy point instead of being another silo.”
The Underlying Database
The database, or contextual information-sharing framework, is known as Platform Exchange Grid (pxGrid). pxGrid is really a set of APIs and techniques that operate within ISE and store this contextual data. While databases are the first to implement it, Cisco hopes that other integrations will soon do the same. “An innovative approach, the pxGrid platform-independent framework enables customizable, many-to-many sharing between any third-party platform that adopts pxGrid,” Cisco said.
So, Why Now?
Part of the need for this kind of tool, this kind of integration and this kind of industry cooperation is the need to secure more devices, such as the now ubiquitous tablets and smartphones that end users tote. “Until now, SIEM/threat defense systems have lacked a complete picture of mobility and BYOD security risks, but with our new ecosystem they can use ISE network telemetry to correlate user, device, and policy context with their traditional threat defense data sets. In addition to identifying new categories of possible threats on the network, they can now also target suspicious mobile devices and start creating device- or user- or group-specific analytics for additional scrutiny,” said Dave Frampton, vice president, Cisco Security Technology and Government Group. “By incorporating unique real time network & device context from ISE they now have a single source of truth all from one screen - this consolidation helps them sort through suspicious events faster and take focused remediation action versus having to literally look at five different screens and manually connect the dots.”
One customer, CareFusion, has ISE in test in its labs, and the tool – integrated with Lancope’s WebThreat – covers the corporate headquarters campus, said Bart Lauwers, VP IT Infrastructure, EA, & InfoSec, CareFusion.
Currently, CareFusion has a traditional reaction to being compromised. It detects an attack or intrusion, then reaches for a variety of tools to mitigate the threat. This all takes time and by the time it’s done, the threat actor is likely long gone.
With ISE integrated with Lancope’s StealthWatch, the reaction is more immediate. The company can capture an event as it happens and do real-time response and forensics. And the company can set up rules to make sure this kind of incident isn’t allowed to happen again.
“NetFlow, ISE and Lancope together represent the cyber defense trifecta that gives CareFusion the network visibility and security context to respond to security threats much more efficiently. We now have a single pane of glass that tells us the ‘who/what/when/where/how’ associated with a potential threat, which helps us prioritize the most serious events and respond to them quickly,” Lauwers said. “The ability to leverage the network as a virtual sensor grid and reference ISE as an identity- and device-contextual information root for the network creates a single source of data security intelligence, compared to cumbersome management of incident response across multiple, non-integrated endpoint solutions.”
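The correlation the article describes (a SIEM alert that knows only a source IP being enriched with the user, device type, location, access method and VPN context that ISE holds, then mapped to a policy action such as quarantine) can be illustrated with a small, added example. This is not Cisco, Lancope or CareFusion code; the session table, alerts and the posture policy in `decide()` are constructed here for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class SessionContext:
    """Identity and device context of one session (the attributes the article lists)."""
    user: str
    group: str         # class of user, e.g. "employee" or "contractor"
    device_type: str   # e.g. "corporate-laptop" or "byod-phone"
    location: str
    access: str        # "LAN" or "Wi-Fi"
    via_vpn: bool

# Constructed sample session table keyed by endpoint IP; stands in for ISE's live data.
SESSIONS = {
    "10.1.5.23": SessionContext("alice", "employee", "corporate-laptop", "HQ", "LAN", False),
    "10.1.7.88": SessionContext("bob", "contractor", "byod-phone", "HQ", "Wi-Fi", False),
    "10.2.3.4": SessionContext("carol", "employee", "byod-tablet", "remote", "Wi-Fi", True),
}

# Constructed SIEM alerts as the threat-defense side raises them: an IP, no identity.
ALERTS = [
    {"src_ip": "10.1.7.88", "severity": "high", "rule": "beaconing to known C2"},
    {"src_ip": "10.1.5.23", "severity": "high", "rule": "beaconing to known C2"},
    {"src_ip": "10.2.3.4", "severity": "low", "rule": "port scan"},
    {"src_ip": "10.9.9.9", "severity": "high", "rule": "possible data exfiltration"},
]

def enrich(alert: dict, sessions: dict) -> dict:
    """Attach the who/what/where/how to an alert that only carries a source IP."""
    ctx: Optional[SessionContext] = sessions.get(alert["src_ip"])
    return {**alert, "context": ctx}

def decide(enriched: dict) -> str:
    """Hypothetical posture policy: the action a partner product would execute."""
    ctx = enriched["context"]
    if ctx is None:
        return "investigate"   # no ISE session: an unmanaged endpoint, worth a look on its own
    if enriched["severity"] == "high":
        # High-severity activity from a personal device or a VPN user is cut off first;
        # a managed corporate endpoint gets a human in the loop before disruption.
        if ctx.device_type.startswith("byod") or ctx.via_vpn:
            return "quarantine"
        return "investigate"
    return "log"

def triage(alerts, sessions):
    """Return (user, device_type, action) per alert, most urgent action first."""
    rows = []
    for alert in alerts:
        ctx = enrich(alert, sessions)["context"]
        rows.append((ctx.user if ctx else "unknown", ctx.device_type if ctx else "unknown",
                     decide(enrich(alert, sessions))))
    order = {"quarantine": 0, "investigate": 1, "log": 2}
    return sorted(rows, key=lambda r: order[r[2]])
```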
Edited by Jamie Epstein