Cisco Blogs
Share

Joining Forces for Cybersecurity Openness – Cisco pxGrid and McAfee OpenDXL


October 18, 2017 - 1 Comment

Interoperation of two leading security integration frameworks delivers unprecedented breadth in multi-vendor collaboration.  Simplifies security vendor integration for customers.

There is strength in numbers.  Here the strength is in the number 2, because it equals almost 100.  Funny math you say?  Well let me explain.

Here the “2” is Cisco and McAfee, two leaders in cybersecurity.  Our respective leadership areas in the industry are attributable in no small part to our openness to integration with 3rd party security platforms.  We have each forged a broad path for cross-vendor integration via our respective security fabrics, Cisco pxGrid and McAfee OpenDXL.  As cybersecurity industry analyst Eric Parizo of IT analyst firm GlobalData (formerly Current Analysis) put it in his report on Security Product Integration Frameworks, “Security product integration frameworks (SPIF) have the potential to change the game.”  He has also intimated throughout his research that cybersecurity practitioners would be best served if Cisco and McAfee would just work together on this stuff.  This is where the “100” comes in.

Cisco and McAfee agree with GlobalData, and the joint customers who have told us the same… that we should enable pxGrid and OpenDXL to interoperate so we can better solve cybersecurity issues they face.  A key component of that is enabling the components of multi-vendor security networks to coordinate their information sharing and threat response.  Interoperation of pxGrid and OpenDXL provides a hefty down payment on that by bringing together our respective cybersecurity ecosystems.  And that is where “100” comes in.  Because the collaboration of “2” with Cisco and McAfee delivers just shy of 100 (98 at last count) pxGrid and OpenDXL partner products that can interoperate via each framework.

While we think bringing pxGrid and OpenDXL together enables material long-term impact on cybersecurity operations and effectiveness, it also has immediate positive impact.  Here’s what it does today:

Employ a Vendor Ecosystem for Threat Response

The “100” can be put to work today on network and endpoint threat response.  Integration between pxGrid and OpenDXL enables our respective threat response ecosystems to collaborate via Cisco® Identity Services Engine (ISE) and McAfee® ePolicy Orchestrator® (ePO).  When a threat response partner takes an automated or manual threat response action via pxGrid or OpenDXL, that response is captured and relayed between ISE and ePO for appropriate Rapid Threat Containment action on the Cisco network or remediation at the McAfee ePO-managed endpoint.  This enables a broad threat response ecosystem composed of almost 100 vendors from every type of security technology.

A common use-case for this is threat response from a SIEM console.  A security analyst decides that a threat event in her SIEM requires immediate action.  If that SIEM vendor is either a pxGrid or DXL partner (pretty much all are), a threat mitigation or investigation action can be launched directly from the SIEM console and executed on both the network via Cisco ISE and on the endpoint via McAfee ePO.  Pretty powerful.

SIEM partner using pxGrid/DXL interoperability to execute threat response actions.

Integration of Cisco ISE and McAfee ePO for Threat Response

Similar to above, ISE and ePO can directly collaborate on threat response by informing each other when one has taken a threat response action so that the other can take an appropriate action according to its respective policy.  This delivers more effective threat response by allowing the endpoint and network to take automated or manual actions as appropriate for the threat conditions. 

Consistent Network Access and Endpoint Control Policy with Cisco ISE and McAfee ePO

Collaboration between ISE and ePO also enables comprehensive network-attached endpoint visibility and network access policy.  ISE, by serving as a gatekeeper for every user/device trying to access the network, possesses a wealth of user identity, endpoint device and network context.  ISE can share via pxGrid its network-attached endpoint session inventory with McAfee OpenDXL, which then relays the information to McAfee ePO.  This provides ePO with visibility to endpoints that it may not know about thus allowing ePO to make determinations about whether or not to bring those newly discovered endpoints under management.  Similarly, Cisco ISE can detect whether an endpoint has McAfee ePO installed and create network access policy based on its presence.

Looking more broadly beyond these specific integrations, Cisco continues to be active in the IETF Security Automation and Continuous Monitoring (SACM) and Managed Incident Lightweight Exchange (MILE) workgroups to drive standardized methods of enabling exchange of monitoring telemetry between security platforms.   Furthermore Cisco continues to drive a “simple, open, automated” approach to security by implementing integrations based on pxGrid and other methods within the Cisco Security portfolio.  Coordinated threat detection, investigation and containment are enabled through Cisco architectural integrations like Talos threat intelligence leveraged across our portfolio, system-wide malware protection with AMP Everywhere, Umbrella Enforcement from the cloud, and Cisco’s own Rapid Threat Containment solutions–between ISE, Firepower NGFW, Stealthwatch, and AMP.

Cross-platform integration is critical to securing the networks that run our schools, businesses, government…our world.  Whether you are a customer deploying security platforms, a vendor partner or start-up integrating security platforms, or a services integration partner building unique security service offerings an open integration environment is a necessity.  Collaboration between Cisco pxGrid and McAfee OpenDXL helps toward those ends.

Read McAfee’s press release

Learn more about how to integrate to Cisco Security as a tech partner: Cisco DevNet Security Developer Center

Learn more about multi-vendor security integrations deployable today: Cisco Security Technical Alliance program



In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.

1 Comments

  1. Great post Scott. It's very exciting to see this level of collaboration between different vendors security products. Increasing visibility into both policy and activity on the end point is important to customers truly securing their networks.