StealthWatch and Cisco ISE Integration

Lancope provides tight integration with the Cisco Identity Services Engine (ISE) to help enterprises advance their security strategy in light of increasingly complex technology and threat environments. Cisco ISE is a powerful and flexible attribute-based access control solution that provides customized privileges for corporate resources based on user and endpoint identity. 

Making up a key component of the Cisco Cyber Threat Defense (CTD) Solution, Lancope’s StealthWatch® System conducts sophisticated behavioral analysis using NetFlow and other data from existing network infrastructure to deliver in-depth visibility for early threat detection. Cisco ISE provides the StealthWatch System with additional layers of valuable security context in the form of identity and device data. This information is combined with NetFlow data from Cisco and other devices, and is used to create a single, unified picture of everything happening on an enterprise network.

The StealthWatch System provides the comprehensive network insight and security analysis needed to uncover a wide range of threats on the network including APTs, insider threats, DDoS and zero-day malware. Advanced features such as application and identity awareness further enhance threat detection and incident response, as well as other efforts such as forensic investigations and compliance initiatives. Together, Lancope and Cisco offer an unmatched solution for obtaining maximum security context and responding faster and more effectively to today’s increasingly malicious threats. 

Incident Response Identity Awareness for Powerful Security Context

By integrating with the latest version of Cisco ISE, StealthWatch also enables security administrators to perform mitigation actions such as quarantining directly from the StealthWatch Management Console (SMC) by using Cisco ISE’s dynamic network control capabilities. Hosts can also be removed from quarantine and added as safe, and administrators can create new policies in response to a security threat or incident. Mitigation integration helps to significantly streamline incident response and shut down attacks before they result in devastating data breaches. 

How it Works

Through the integration with Cisco ISE, StealthWatch is able to supplement its in-depth security event analysis with relevant identity and device context information. This integration gives network and security analysts the ability to quickly and easily assess the significance of security events by correlating context with the security alarm, and if necessary, take mitigation actions directly from the SMC. Lancope is integrating with ISE through the Cisco Platform Exchange Grid (pxGrid), a unified framework that enables multivendor, cross-platform network technology collaboration. Cisco ISE delivers a wide range of identifying features including, but not limited to:

  • User identity
  • Network authorization
  • End device identification
  • Operating system and patch level
  • Device security posture
  • The location from which the user is trying to gain access
  • Which security group the user belongs to
  • Which resources the user is trying to access
  • The time of day
  • How the user is trying to obtain access – i.e., wired, wireless, VPN

Security administrators can also leverage this information to create new security analysis categories for high-risk user populations or devices. For example, policies can be created that are specific to mobile devices or users with access to highly sensitive information.
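The correlation described in this section, enriching a flow-based alarm with the ISE session that was active for the source IP at the time of the alarm and then sorting the enriched alarm into an analyst-defined category such as "mobile device" or "sensitive access", can be sketched in a few dozen lines. The following is an added illustration, not Lancope or Cisco code and not the pxGrid API: the session and alarm records, the user, group and device names, and the category rules are all constructed for the example, and real deployments read the session table from ISE rather than a hard-coded list.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed stand-in for an ISE session record as published over pxGrid:
# who authenticated from which IP, on what device, with what posture.
@dataclass
class IseSession:
    ip: str
    user: str
    device_type: str      # e.g. "Windows-Workstation", "Apple-iPhone" (sample values)
    security_group: str   # security group the user belongs to
    access_method: str    # "wired", "wireless" or "vpn"
    posture: str          # "compliant" or "non-compliant"
    start: datetime
    end: Optional[datetime] = None  # None means the session is still active

# Constructed stand-in for a flow-analysis alarm keyed by source IP and time.
@dataclass
class FlowAlarm:
    alarm_id: int
    alarm_type: str
    source_ip: str
    seen_at: datetime
    context: dict = field(default_factory=dict)  # filled in by enrich_alarm()

def find_session(sessions, ip, at):
    """Return the session active for ip at time 'at', or None.

    The time check matters: an IP is reused by different users over the
    day (DHCP, VPN pools), so matching on IP alone would blame the wrong person.
    """
    for s in sessions:
        if s.ip == ip and s.start <= at and (s.end is None or at < s.end):
            return s
    return None

def enrich_alarm(alarm, sessions):
    """Attach identity and device context to the alarm in place and return it."""
    s = find_session(sessions, alarm.source_ip, alarm.seen_at)
    if s is not None:
        alarm.context = {
            "user": s.user, "device_type": s.device_type,
            "security_group": s.security_group,
            "access_method": s.access_method, "posture": s.posture,
        }
    return alarm

# Hypothetical analyst-defined high-risk populations (constructed names).
HIGH_RISK_GROUPS = {"Finance", "Executives"}
MOBILE_PREFIXES = ("Apple-iPhone", "Apple-iPad", "Android")

def analysis_category(alarm):
    """Sort an enriched alarm into the category its security policy should use."""
    ctx = alarm.context
    if not ctx:
        return "unidentified"          # no session: needs manual follow-up
    if ctx["security_group"] in HIGH_RISK_GROUPS:
        return "sensitive-access"
    if ctx["device_type"].startswith(MOBILE_PREFIXES):
        return "mobile-device"
    if ctx["posture"] != "compliant":
        return "non-compliant-endpoint"
    return "standard"

def triage(alarms, sessions):
    """Map each alarm id to (user or None, category) after enrichment."""
    result = {}
    for a in alarms:
        enrich_alarm(a, sessions)
        result[a.alarm_id] = (a.context.get("user"), analysis_category(a))
    return result

# Constructed sample data: one reused IP, one VPN user in a sensitive group,
# one guest on a non-compliant device, and one alarm with no session at all.
T0 = datetime(2014, 6, 1, 9, 0)
H = timedelta(hours=1)
SESSIONS = [
    IseSession("10.1.1.5", "jdoe", "Windows-Workstation", "Employees", "wired", "compliant", T0, T0 + 8 * H),
    IseSession("10.1.1.5", "asmith", "Apple-iPhone", "Employees", "wireless", "compliant", T0 + 9 * H, None),
    IseSession("10.1.1.20", "cfo", "Windows-Workstation", "Finance", "vpn", "compliant", T0, None),
    IseSession("10.1.1.30", "guest1", "Android-Phone", "Guests", "wireless", "non-compliant", T0, None),
]
ALARMS = [
    FlowAlarm(1, "Suspect Data Hoarding", "10.1.1.5", T0 + 2 * H),
    FlowAlarm(2, "Suspect Data Hoarding", "10.1.1.5", T0 + 10 * H),
    FlowAlarm(3, "Data Exfiltration", "10.1.1.20", T0 + 1 * H),
    FlowAlarm(4, "Scanning", "10.1.1.99", T0 + 1 * H),
]

if __name__ == "__main__":
    for alarm_id, (user, category) in triage(ALARMS, SESSIONS).items():
        print(f"alarm {alarm_id}: user={user} category={category}")
```

The two alarms from 10.1.1.5 resolve to different users because the lookup is bounded by session start and end times; the alarm with no matching session lands in "unidentified" rather than being silently attributed, which is the case an analyst most needs flagged.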