A long time ago, when I was a CISO at a large Service Provider, I was ingrained early and often about the concept of “security rings”. Unlike the common belief among younger information security professionals, the term “security ring” was coined not by information security people, but instead by physical security people. In fact, it is a term commonly used for over a hundred years, much before we used terms like “firewall” (which is actually a wall or a barrier intended to prevent, strangely, the spread of fire).
A security ring is when you need to protect a critical physical asset, let’s say an army base. You don’t need to be a special forces soldier to understand that you probably need a guard or two at the gate, a couple of guards patrolling the area, and you better also throw in another guard in a watchtower, or even better, maybe a specialized sniper. More importantly, if you look at any of these guards, what binds them is the form of communication that allows them to pass and receive information from other security rings when under attack. So for example, when the observer in the watchtower identifies a couple of adversaries running towards the gate, not only will he try to take them down, he will also radio in a message so the guard at the gate can get ready and the patrol can run over to the gate area and act as an important backup to the guard. The benefit? Twofold – one is the fact that if one ring fails (the sniper didn’t take out the adversary), another ring can step in and continue the defense and the second is the fact that you can use multiple rings to protect a larger area without compromise.
This concept of security rings can also be analogous to how information security administrators manage their corporate networks. Given the growing frequency and sophistication of cyberattacks, it is vital for businesses to protect their networks by ensuring that every entry point is as well secured as possible. Most organizations would employ a standard approach when protecting their networks that entails using a firewall as your gate guard, a network traffic behavioral analysis tool as your watchtower, and an endpoint protection system to patrol your files. While information security experts think they are employing the same mechanisms found in security rings such as placing different security technologies to guard different posts, the real truth is that there is one significant difference that can undermine their best efforts.
Complexity created by vendors in orchestration
So what seems to be the weak spot?
The answer is the lack of integrated communication amongst siloed security solutions.
When “we”, information security specialists, migrated the physical security rings to logical ones, we “forgot” to migrate to just one type of technology, but rather we migrated to using multiple siloed security tools.
According to Cisco’s 2018 Annual Cybersecurity Report, 21% of surveyed security professionals use anywhere between 21 to 50 security vendors[1]. Ironically, having more security vendors, not less, can often lead to what we refer to as “the swivel chair effect” – depicting a situation where whenever you have an attack, you need a swivel chair in order to be able to look at all of the screens of the different applications (I’m sure you’re imaging this as you read). As the number of vendors increases, so does the challenge of orchestrating alerts from these many vendor solutions. In fact, more than 54% of security professionals said that managing multiple vendor alerts is somewhat challenging, while 20% said it is very challenging[2]. With the amount of cyber-attacks increasing in frequency and sophistication, security administrators can feel overwhelmed from just having to manage alerts from multiple security sources. So much so that an average of 44% of security threats aren’t investigated which exposes your network to more security risks. This cannot scale. This cannot succeed. This must change.
As vendors increase, so does the challenge of orchestrating security alerts
Source: Cisco 2018 Security Capabilities Benchmark Study
ISE and the power of an integrated security network
Cisco’s Identity Services Engine (ISE) resolves this growing complexity by offering security network administrators something that others do not do well: A centerpiece that seamlessly integrates the disjointed security rings that are comprised of different security vendors together in a central location. ISE empowers customers to maximize their network security capabilities by serving as a kind of a “walkie-talkie” that communicates between the different security rings. This is accomplished through pxGrid, which enables ISE to send and receive vital contextual information of all devices and users on the network such as user and device identities, threats, and vulnerabilities to Cisco ecosystem security partners so that you can identify, contain, and remediate threats faster.
For example, when your firewall detects a user trying to attack an asset, the firewall will reach out to the Identity Services Engine (ISE) installed in your network, ask ISE to quarantine this user, thus removing the risk from the network and allowing your red team or helpdesk to take care of this user or endpoint. When your vulnerability assessment system (Rapid7, Tenable or Qualys) detects a vulnerability on any device connected to the network, it will seamlessly report this vulnerability (together with its CVSS score) to ISE, allowing it to re-evaluate its policy and see if the user or device should stay in the network or not (for example, you can define a policy that says that any user with a vulnerability that has a CVSS higher than 6 will be quarantined and higher than 9 will be disconnected). And when you are in a manufacturing setting that has an abundance of IoT devices, leveraging pxGrid’s integration with Cisco’s Industrial Network Director can provide ISE with vital contextual identity of the profiled IoT devices in a centralized location that will make it easier for any network administrator to manage security.
These are just a few of the many examples that illustrate the benefits that having an integrated security network can provide to customers. Just like in the army base example, when ISE takes the different security rings that are your firewall, vulnerability assessment, and network behavior analysis tools and organizes them into as a cohesive force of multiple rings that seamlessly work together, it transforms your network into that harmonious security ring that can rapidly prevent, detect and contain attackers from causing damage to your business.
To learn more about ISE, visit www.cisco.com/go/ise or visit here.
good reading, very interesting
Well done and interesting!
Good blog, thank you.