
Hint: ISE 2.3 Plays Key Role

We recently announced the Network Intuitive architecture, a new era of networking that removes complexity and enables automation, assurance, and security. With built-in security, you get dynamic protection that enables your business to evolve at the breakneck pace the market demands. Recent events highlight the criticality of securing the digital network against today’s AND tomorrow’s threats.

WannaCry accentuates how quickly attackers can move laterally once inside the network perimeter, and how damaging the attacks can be. For example, some healthcare providers’ patient care systems were encrypted, which impacted their ability to deliver services. And this attack was not even intentionally targeting critical infrastructure. But WannaCry was not the first ransomware attack, and there are certainly more to come. Criminals have a strong economic motivation and frankly, it’s just too easy.

In late June a South Korean firm reportedly paid a one million dollar ransom, the largest reported ransomware payout to date, to recover systems and data that were encrypted. The attack impacted not only the firm’s business but also that of its customers. As ransomware attackers get more sophisticated, they will become more targeted, and more judicious in pricing the ransom. When they are able to ascertain the value of an asset, they are able to extract maximum value for it.

These examples show why securing the business is critical and co-equal with growth initiatives. With an intent-based network, the two don’t have to be mutually exclusive but are in fact complementary. The Cisco Identity Services Engine (ISE) and TrustSec software-defined segmentation are integral to the intuitive network, helping embed security into the network fabric for automation and scale. Key aspects of the new ISE 2.3 release center around visibility, automated control, and simplicity. All of these improvements were designed with the ultimate purpose of enabling your business to excel with the intuitive network.

1. Visibility: The scale and complexity of devices connecting to the network continue to grow at a rapid pace. You can’t protect what you can’t see, so getting detailed, actionable device context is critical to ensure compliance against vulnerabilities and other policy violations. ISE in conjunction with Cisco AnyConnect now provides additional endpoint visibility, including BIOS-level details such as the computer’s serial number, USB attachments, and resource utilization, including disk and memory usage. There have also never been more ways to realize this level of visibility. ISE can now use a temporal agent that does not require endpoint administrative privileges or browser plugins. This includes the option for a stealth agent to display flexible notifications via OS messaging frameworks.

2. Automated Control: Defining network security policy can be highly manual and prone to human error. But automating policy functions allows you to focus on business intent and not the minutiae of implementing security controls. And now you can automate your network security policy for the intuitive network, thanks to ISE, because it is a critical pillar of the Cisco Software-Defined Access solution, integrating with Cisco DNA Center. ISE allows you to define security policies (who can talk to whom, what systems can talk to other systems, and on what ports and protocols) based on security classifications that you define for your business needs. It dynamically assigns endpoints and systems to those classifications using rich contextual data (who, what, where, when, and how someone or something is attaching to the network), allowing the network to automatically enforce who and what gets access to business resources. This level of control helps you easily segment the network to limit the scope of damage from an attack, including preventing lateral movement of threats, as well as dynamically respond to those threats.

3. Simplicity: ISE can potentially save admins hundreds of hours managing network security policy. Its new policy interface makes the process of policy creation and maintenance much easier. It does this through simplified policy sets that are more readable and with built-in authentication and authorization rules that allow you to easily create and reuse conditions. After upgrading, your policies will work as before, even though additional policy sets have been created. The new policy UI also includes a hit counter for each policy set. Finally, we have added the option for guests to use Facebook login for guest portals. Social login provides seamless access to the guest network without exposing corporate assets.

Learn more about ISE @ cisco.com/go/ise. You can also learn about how ISE specifically can address ransomware like WannaCry here.



Authors

Kevin Skahill

Senior Director for Security Policy & Access

Secure Access and Mobility Product Group