Following my previous blog post about identity and device aware IT platforms making IT operations easier and more effective, I wanted to delve a little deeper into a specific element of the IT infrastructure: Security Event & Information Management (SIEM) and Threat Defense (TD) systems.
See a brief video on ISE and SIEM/Threat-Defense Integration
SIEMs are a standard part of any enterprise security architecture. In fact, many Cisco customers I talk with actually have more than one SIEM system installed, because different vendors focus on different areas of security monitoring, such as policy/regulatory compliance, forensics or active threat detection. And then there are what I call "threat defense" systems, which are laser-focused on detecting the most difficult cyber threats... an area of even further specialization.
But all of these systems have something in common. They rely upon data they collect from other systems to build their view of security events. And, with few exceptions, that data is based upon the common networking 5-tuple: source/dest IP address, source/dest port, and protocol. What's missing here? Well, many things, but most notably any information answering the basic questions that arise around almost any security threat event:
Some SIEM/TD systems have links to Active Directory or LDAP to provide some identity information, but those are not good sources of real-time association of IP address-to-user and have no knowledge of device types or posture. So where to source this identity and device-type intelligence?
That is what Cisco ISE integration with SIEM/TD platforms accomplishes. ISE has a real-time session repository of every user and every device on the network. It doesn't matter if the device is wired or wireless, has a user behind it or is just a machine like a printer. ISE will track each of these devices and users in real time and capture a variety of information, including what IP address they are at, who it is, device type, MAC address, authorization group, network location, and so on. This real-time session repository can then feed SIEM/TD platforms with reliable, accurate identity and device information.
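As an added illustration of the real-time IP-to-identity association described above (example code written for this post, not ISE's API; the session fields, sample records and the triage rule are constructed), this enriches a 5-tuple event with the session that held the source IP at the event's timestamp, so the same address resolves to different users or devices at different times:

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed, ISE-like session record (hypothetical shape, not the real ISE schema).
@dataclass
class Session:
    ip: str
    user: str
    device_type: str
    mac: str
    posture: str
    authz_group: str
    location: str
    start: datetime
    end: Optional[datetime]  # None while the session is still active

# Constructed sample repository: one IP reused by a workstation and later by a printer.
SESSIONS = [
    Session("10.1.1.50", "alice", "Windows10-Workstation", "00:11:22:33:44:55",
            "Compliant", "Employees", "Building-A/Floor-2",
            datetime(2024, 1, 10, 8, 0), datetime(2024, 1, 10, 12, 0)),
    Session("10.1.1.50", "printer-2f", "HP-Printer", "66:77:88:99:aa:bb",
            "Unknown", "IoT-Printers", "Building-A/Floor-2",
            datetime(2024, 1, 10, 12, 30), None),
]

def session_at(ip: str, when: datetime, sessions=SESSIONS) -> Optional[Session]:
    """Return the session that held `ip` at time `when`; this is the real-time
    association a directory lookup alone cannot provide."""
    for s in sessions:
        if s.ip == ip and s.start <= when and (s.end is None or when < s.end):
            return s
    return None

def enrich(event: dict, sessions=SESSIONS) -> dict:
    """Attach identity/device context to a 5-tuple event from the SIEM/TD system.
    If no session held the IP at that moment, the identity is marked unknown."""
    s = session_at(event["src_ip"], event["ts"], sessions)
    enriched = dict(event)
    if s is None:
        enriched["identity"] = "unknown"
        return enriched
    enriched.update(user=s.user, device_type=s.device_type, mac=s.mac,
                    posture=s.posture, authz_group=s.authz_group, location=s.location)
    return enriched

def needs_attention(enriched: dict) -> bool:
    """Constructed triage rule: escalate when the endpoint is unidentified or
    its posture is not known to be compliant."""
    return enriched.get("identity") == "unknown" or enriched.get("posture") != "Compliant"
```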
So that is great. We've connected some dots: a security event in the SIEM/TD system with the user, device type, posture status, user authorization level, etc. from ISE. Now, how does that make threat visibility from SIEM/TD platforms more effective? Let us count the ways...
So all of this nets out to a basic result: customers can serve more use cases with the SIEM/TD systems they have in place, with less human intervention, and evaluate what security events require immediate attention more accurately and quickly. That is "more effective threat visibility" in a nutshell.