The Network as a Security Sensor and Enforcer
The Digital Economy and the Internet of Everything means everything is now connected. Digitization is fundamentally transforming how we conduct business. It creates new opportunities to develop services and engage with employees, partners, and customers. It’s important to understand that digitization is also an opportunity for the hacking community, presenting new services, information, data, devices, and network traffic as attack targets. To take full advantage of the digitization opportunity, security must be everywhere, embedded into and across the extended network – from the data center to the mobile endpoints and onto the factory floor.
Today, Cisco is announcing enhanced and embedded security solutions across the extended network and into the intelligent network infrastructure. These solutions extend security capabilities to more control points than ever before with Cisco FirePOWER, Cisco Cloud Web Security, and Cisco Advanced Malware Protection. This is highlighted in Scott Harrell’s blog. We are also transforming the Cisco network into two roles: as a sensor and as an enforcer of security.
The role of the Network as a Sensor
The network provides broad and deep visibility into network traffic flow patterns and rich threat intelligence information that allows more rapid identification of security threats. Cisco IOS NetFlow is at the heart of the network as a sensor, capturing comprehensive network flow data. You can think of NetFlow as analogous to the detail you get in your monthly cellular phone bill. It tells you who talked to whom, for every device and user, for how long, and what amount of data was transferred – it’s metadata for your network traffic.
Visibility to network traffic through NetFlow is critical for security, as it serves as a valuable tool to identify anomalous traffic on your network. Watching NetFlow, we gain an understanding of the baseline traffic on the network, and can alert on traffic that is out of the ordinary. The network is generating NetFlow data from across the enterprise network all the way down to the virtual machines in the data center. This gives us visibility across the entire network, from the furthest branch office down to the east-west traffic in the data center.
Cisco Identity Services Engine (ISE) provides rich context to these network flows, identifying the Who, What, Where, When and How behind network traffic. Integrating NetFlow and ISE takes us from IP address based knowledge to understanding the user and device network traffic, so that we now know who is generating suspicious activity against network resources and who is being targeted for attack. This integration allows network and security administrators to more rapidly respond to threats in the network.
Lancope’s StealthWatch® System leverages the network as a sensor to deliver context-aware threat alerts. Now Lancope is integrated with NetFlow and ISE to monitor the network and detect suspicious network activity generated by users and devices on the network. Before the integration with ISE, Lancope alerts for malicious behavior included the IP addresses of the traffic, requiring the administrator to take the extra step to determine who or what was behind the activity. With ISE integration, administrators now also get context behind the IP address, including the user, device, and location.
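The sensor workflow the three paragraphs above describe (learn a NetFlow baseline, alert on flows that depart from it, then add ISE-style user, device and location context to the alert) can be shown end to end. The following is an added illustration, not code from Cisco, Lancope, StealthWatch or ISE; the flow records, the identity table and the three-sigma volume rule are all constructed assumptions.

```python
"""Constructed example: NetFlow-style flow records checked against a learned
baseline, with each alert enriched by an ISE-style identity lookup.
Added illustration only; not Cisco, Lancope, or ISE code."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed records in the shape a NetFlow collector exports:
# (src_ip, dst_ip, dst_port, protocol, bytes). Not real traffic.
BASELINE_FLOWS = [
    ("10.1.1.10", "10.2.0.5", 443, "tcp", 52000),
    ("10.1.1.10", "10.2.0.5", 443, "tcp", 48000),
    ("10.1.1.10", "10.2.0.9", 53, "udp", 300),
    ("10.1.1.10", "10.2.0.9", 53, "udp", 280),
    ("10.1.1.11", "10.2.0.5", 443, "tcp", 61000),
    ("10.1.1.11", "10.2.0.5", 443, "tcp", 59000),
]

# Constructed identity context in the shape an ISE session lookup returns.
IDENTITY = {
    "10.1.1.10": {"user": "alice", "device": "laptop-1", "location": "branch-A"},
    "10.1.1.11": {"user": "bob", "device": "laptop-2", "location": "hq"},
    "10.2.0.5": {"user": None, "device": "web-frontend", "location": "dc"},
    "10.2.0.9": {"user": None, "device": "dns-1", "location": "dc"},
    "10.2.0.20": {"user": None, "device": "hr-db", "location": "dc"},
}

# Constructed "new" flows to check against the baseline.
NEW_FLOWS = [
    ("10.1.1.10", "10.2.0.5", 443, "tcp", 50000),        # normal
    ("10.1.1.10", "10.2.0.20", 1433, "tcp", 4_000_000),  # never-seen peer, large transfer
    ("10.1.1.11", "10.2.0.5", 443, "tcp", 900_000),      # known peer, 15x usual volume
    ("10.1.1.99", "10.2.0.20", 22, "tcp", 1200),         # host absent from baseline
]


def build_baseline(flows):
    """Learn, per (src, dst, port, proto) conversation, the typical byte volume."""
    samples = defaultdict(list)
    for src, dst, port, proto, nbytes in flows:
        samples[(src, dst, port, proto)].append(nbytes)
    return {key: (mean(v), pstdev(v)) for key, v in samples.items()}


def enrich(ip):
    """Attach user/device/location; unknown hosts are labelled, not dropped."""
    context = IDENTITY.get(ip, {"user": None, "device": "unknown", "location": "unknown"})
    return dict(context, ip=ip)


def detect(flows, baseline, z=3.0):
    """Return one alert per flow that departs from the baseline, with context on both ends."""
    known_sources = {key[0] for key in baseline}
    alerts = []
    for src, dst, port, proto, nbytes in flows:
        reasons = []
        key = (src, dst, port, proto)
        if src not in known_sources:
            reasons.append("source host never seen in baseline")
        elif key not in baseline:
            reasons.append(f"new conversation to {dst}:{port}/{proto}")
        else:
            avg, sd = baseline[key]
            if nbytes > avg + z * sd:
                reasons.append(f"{nbytes} bytes exceeds baseline mean {avg:.0f}")
        if reasons:
            alerts.append({"src": enrich(src), "dst": enrich(dst), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(NEW_FLOWS, build_baseline(BASELINE_FLOWS)):
        s, d = alert["src"], alert["dst"]
        print(f"{s['user'] or s['device']}@{s['location']} -> {d['device']}: {alert['reasons']}")
```

Without the `enrich` step the second alert would read only as 10.1.1.10 talking to 10.2.0.20; with it, the analyst sees alice's laptop in branch-A opening a first-ever conversation to the HR database, which is the extra step the paragraph says ISE integration removes. A production baseline needs a far longer window than two samples per conversation; the rule here is deliberately small so the arithmetic can be followed.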
The role of the Network as an Enforcer
Cisco uses the network to dynamically enforce security policy with software-defined segmentation designed to reduce the overall attack surface, contain attacks by preventing the lateral movement of threats across the network, and minimize the time needed to isolate threats when detected.
You can use Cisco TrustSec with Cisco ISE to divide the network into multiple logical segments. Instead of complicated VLAN, access control list (ACL), and firewall-rule engineering and administration, TrustSec uses plain-language policies so that highly secure access is consistently maintained regardless of network topology or mobility of the user or device. Cisco TrustSec is a technology embedded in Cisco switches, routers, wireless LAN controllers, and security devices. TrustSec interprets the ISE policy and classifies traffic flows based on identity information to enforce software-defined segmentation rules across the entire network. TrustSec grants the right levels of access to the right users and devices, while preventing the lateral movement of network threats.
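The enforcer model in the two paragraphs above, where an endpoint's group comes from its identity rather than its IP address or VLAN and a plain-language group-to-group matrix decides every flow, is easier to reason about with a small model. The code below is an added illustration, not Cisco TrustSec or ISE code; the session table, group names, policy matrix and the `quarantine` helper are all assumptions made for the example.

```python
"""Constructed model of identity-based software-defined segmentation in the
TrustSec style. Added illustration only; not Cisco TrustSec or ISE code."""

# Constructed ISE-style session table: who or what is behind each IP.
# alice appears twice: wired at the branch and later roaming on wireless.
SESSIONS = {
    "10.1.1.10": {"user": "alice", "role": "employee", "posture": "compliant"},
    "10.5.0.7": {"user": "alice", "role": "employee", "posture": "compliant"},
    "10.1.1.12": {"user": "carol", "role": "contractor", "posture": "compliant"},
    "10.1.1.13": {"user": "dave", "role": "employee", "posture": "non-compliant"},
    "10.2.0.5": {"user": None, "role": "web-server", "posture": "compliant"},
    "10.2.0.20": {"user": None, "role": "hr-database", "posture": "compliant"},
}

ROLE_TO_GROUP = {
    "employee": "Employees",
    "contractor": "Contractors",
    "web-server": "Web_Servers",
    "hr-database": "HR_Databases",
}

# Plain-language policy matrix: (source group, destination group) -> action.
# Anything not listed is denied, so movement between groups is an explicit
# exception rather than the default; that is what blocks lateral movement.
POLICY = {
    ("Employees", "Web_Servers"): "permit",
    ("Contractors", "Web_Servers"): "permit",
    ("Web_Servers", "HR_Databases"): "permit",
    ("Employees", "HR_Databases"): "deny",
    ("Quarantine", "Web_Servers"): "deny",
}


def classify(ip):
    """Map a session to a security group. Unknown or non-compliant endpoints
    land in the most restrictive groups, the safe default for an enforcer."""
    session = SESSIONS.get(ip)
    if session is None:
        return "Unknown"
    if session["posture"] != "compliant":
        return "Quarantine"
    return ROLE_TO_GROUP.get(session["role"], "Unknown")


def enforce(src_ip, dst_ip):
    """Decide a flow from group tags only; the IP addresses never enter the policy."""
    src_group, dst_group = classify(src_ip), classify(dst_ip)
    action = POLICY.get((src_group, dst_group), "deny")
    return {"src_group": src_group, "dst_group": dst_group, "action": action}


def quarantine(ip):
    """Simulated rapid containment: the endpoint's posture changes once in the
    identity source and every enforcement point applies the new group on the
    next flow, with no ACL or VLAN edits. Returns the endpoint's new group."""
    if ip in SESSIONS:
        SESSIONS[ip]["posture"] = "non-compliant"
    return classify(ip)


if __name__ == "__main__":
    for src, dst in [("10.1.1.10", "10.2.0.5"), ("10.5.0.7", "10.2.0.5"),
                     ("10.1.1.12", "10.2.0.20"), ("10.1.1.13", "10.2.0.5")]:
        print(src, "->", dst, enforce(src, dst))
    print("after quarantine:", quarantine("10.1.1.10"), enforce("10.1.1.10", "10.2.0.5"))
```

Two properties of the model are worth noting. The same user is permitted from 10.1.1.10 and from 10.5.0.7 without any rule mentioning either address, which is the "regardless of topology or mobility" claim in practice. And the contractor's attempt to reach the HR database is denied not because someone wrote a deny rule for it but because the pair was never permitted; a default-deny matrix is what keeps the attack surface small as the network grows.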
We are also integrating TrustSec identity-based software-defined segmentation with Cisco ACI application-based network provisioning in the data center. Available in 2016, this integration will further enable consistent segmentation policy from the enterprise network to the data center. This provides secure segmentation, access policy enforcement, and threat containment for physical and virtual infrastructure from the edge of the enterprise network to the data center.
My Advice? Keep using threat-centric security, firewalls and advanced malware protection. But also, turn on the network’s embedded capabilities for security:
- Turn on NetFlow for visibility into the flows on your network
- Leverage ISE for additional context to these flows
- Deploy Lancope’s StealthWatch to provide monitoring and alerting
- Enable TrustSec to enforce role-based security policy with the network
Leverage the network as a sensor to identify malicious traffic faster with more context. Leverage the network as an enforcer to enforce access policy and contain threats.