Cisco Blogs

Leveraging the Network as a Security Sensor and Policy Enforcer


June 8, 2015

The topic of cybersecurity has become so ubiquitous that it’s almost a daily occurrence to read or hear about security breaches in the news. Cisco understands this paradigm shift within the nature of computing: the Digital Economy and the Internet of Everything now require what we are calling Security Everywhere. Security has to span the extended network in order to protect against an ever-growing array of attack vectors. Scott Harrell, Vice President Product Management, has written a more detailed blog about this specific topic here.

The key point to note about Security Everywhere is that organizations are under unrelenting attack and breaches are happening every day. Attackers have also created sophisticated malware that can be launched into the network, gather information to intelligently understand exactly what, when and how to attack and then launch an extremely surgical and devastating attack against the network. Our Cisco 2015 Annual Security Report is an excellent resource for detailed research about the nature and frequency of attacks against the enterprise.

The rise in the frequency and sophistication of attacks is compounded by the fact that, with rising trends in mobility, BYOD, IoT and the use of cloud services, gaining visibility into the network has become even more difficult, which adds to the complexity of defending the network from attacks.

Unfortunately, many organizations try to defend against these attacks by continuously adding security solutions to their network. However, this creates more confusion and decreases visibility further, since many of these disparate tools are not interoperable and correlating their data is time-consuming and difficult.

Cisco combines multiple security technologies with Cisco networking and security devices to embed security into and across the extended network, from the data center out to the mobile endpoint. The network then acts as both a sensor and an enforcer against network attacks, providing visibility, context and potential cyber threat identification for anything that connects to it.

Our Network as a Sensor solution lets you use existing Cisco networking investments as a sensor that provides enhanced visibility into the network. The key benefit of Network as a Sensor is the ability to detect anomalous traffic flows and malware, identify user access policy violations and obtain broad visibility into all network traffic, so action can be taken to protect the network against threats.

Network as a Sensor consists of the Cisco networking portfolio, Cisco NetFlow, Lancope StealthWatch and Cisco Identity Services Engine (ISE) working in concert. NetFlow collects each and every network conversation from Cisco devices over time. Lancope StealthWatch conducts sophisticated behavioral analysis on these flows so you can begin to understand what the “network normal” is for your network and easily detect anomalies. Cisco ISE gathers real-time contextual information from networks, users, and devices and maps the who, what, how, where and when information for gaining network access. This contextual information is combined with NetFlow security analytics and sent to Lancope to map out conversations and flows on the network in order to identify anomalous behavior and potential threats on the network. Network as a Sensor allows for the detection of anomalous traffic flows and malware, the identification of user policy violations and the deep visibility into network traffic flows that can accelerate the identification of network threats, as well as reduce risk by identifying unknown devices on the network.
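The flow-baseline idea described above, as an added example that is not Cisco or Lancope code and does not reproduce StealthWatch's analytics. It assumes constructed hourly flow summaries and a hypothetical identity table standing in for ISE context, and flags hosts by a median/MAD volume threshold, new peers, or missing history.

```python
from collections import defaultdict
from statistics import median

# Constructed flow summaries: (hour, src_ip, dst_ip, dst_port, bytes). Not real NetFlow exports.
BASELINE = [(h, "10.1.1.20", "10.2.0.5", 443, b) for h, b in enumerate([900, 1100, 1000, 950, 1050, 1000])]
BASELINE += [(h, "10.1.1.30", "10.2.0.9", 445, b) for h, b in enumerate([5000, 5200, 4800, 5100, 4900, 5000])]
CURRENT = [
    (6, "10.1.1.20", "10.2.0.5", 443, 1020),   # in line with its baseline
    (6, "10.1.1.30", "10.2.0.9", 445, 5100),   # in line with its baseline
    (6, "10.1.1.30", "10.3.7.7", 22, 90000),   # new peer and a large transfer
    (6, "10.1.1.99", "10.2.0.5", 443, 700),    # source with no history and no identity
]
# Hypothetical identity context (the "who/what" the post says ISE supplies).
IDENTITY = {"10.1.1.20": ("alice", "laptop"), "10.1.1.30": ("bob", "workstation")}

def build_baseline(flows):
    """Per source: median and MAD of hourly bytes, plus the set of peers seen."""
    hourly, peers = defaultdict(lambda: defaultdict(int)), defaultdict(set)
    for hour, src, dst, port, nbytes in flows:
        hourly[src][hour] += nbytes
        peers[src].add((dst, port))
    base = {}
    for src, per_hour in hourly.items():
        vals = list(per_hour.values())
        med = median(vals)
        mad = median(abs(v - med) for v in vals) or 1  # avoid a zero spread
        base[src] = (med, mad, peers[src])
    return base

def detect(baseline, flows, k=6):
    """Return (src, identity, reasons) for hosts departing from their own baseline."""
    totals, seen = defaultdict(int), defaultdict(set)
    for _, src, dst, port, nbytes in flows:
        totals[src] += nbytes
        seen[src].add((dst, port))
    findings = []
    for src in sorted(totals):
        who = IDENTITY.get(src, ("unknown", "unknown"))
        if src not in baseline:
            findings.append((src, who, ["unknown-device"]))
            continue
        med, mad, peers = baseline[src]
        reasons = []
        if totals[src] > med + k * mad:
            reasons.append("volume")
        if seen[src] - peers:
            reasons.append("new-peer")
        if reasons:
            findings.append((src, who, reasons))
    return findings
```

Calling `detect(build_baseline(BASELINE), CURRENT)` reports the workstation for both volume and a new peer, and the unseen address as an unknown device.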

Once threats are identified using Network as a Sensor, the network can be used as a conduit to take action against these threats; this is our Network as an Enforcer solution. Network as an Enforcer also leverages existing Cisco networking investments. It allows the network to enforce security policies, quarantine threats and segment network traffic, and it also provides the policy engine for making changes to enforce new policy based on detected threats.

Network as an Enforcer consists of the Cisco networking portfolio, Cisco NetFlow, Lancope StealthWatch and Cisco Identity Services Engine (ISE) working in concert with TrustSec software-defined segmentation. Cisco TrustSec is embedded technology in Cisco switches, routers, security devices and wireless controllers today and can be used with Cisco ISE to leverage the network as an enforcer. Cisco ISE doesn’t only collect the contextual information about network users and devices; it can also modify access policies based on the threats detected by Lancope. Cisco ISE can modify policy based on the threat detected, and then push the policy that controls access for that segment of network traffic into the network, to Cisco TrustSec. Cisco TrustSec then classifies this incoming traffic and enforces the segmentation rules based on the policy created by ISE, using software-defined segmentation. Together, Network as a Sensor and Network as an Enforcer enable not only visibility and threat detection but also actual enforcement of security policy once a threat is detected. If a resource is identified as breached, TrustSec can segment the network based on the identity and context provided by ISE so that the attack cannot move laterally across the network and can be contained.

For more information about Network as a Sensor and Network as an Enforcer solutions, visit the Enterprise Solutions and Security booths at Cisco Live US or learn more here.
