At-A-Glance

Cisco Identity Services Engine and Lancope StealthWatch Integration
Identity/Device Aware Threat Defense

Use Cases

• Decrease the time to event classification: StealthWatch uses Cisco ISE information about the user, device type, access level, and posture to expedite the classification of, and response to, a security event.
• Scrutinize mobile and device network activity: StealthWatch uses Cisco ISE device-type information to create security analytic policies specific to mobile devices.
• Differentiate privileges of users and groups: StealthWatch uses Cisco ISE information to create security policies for specific users or groups.
• Decrease the risk from devices with security posture failures: StealthWatch uses Cisco ISE endpoint posture information to create security policies specific to endpoints that have a noncompliant posture status.
• Improve the visibility and analysis of Cisco ISE telemetry and event data: StealthWatch can analyze and generate alerts on anomalies in Cisco ISE event data, such as excess authentication attempts.

Summary

Many devices access network applications and data today, leading to security concerns. Once, broad identifiers such as an IP address were sufficient to see and analyze network activity. However, bring-your-own-device (BYOD) initiatives, software as a service (SaaS), and virtualization have increased the need for deeper network security visibility, analysis, and compliance.

Today’s diverse networks require effective security-event visibility. They also need integration with accurate contextual data of user identities, user privilege levels, endpoint device types, and endpoint security postures.

The Cisco® Identity Services Engine (ISE) integrates with Lancope® StealthWatch to deliver in-depth security event analysis supplemented with relevant identity and device context information.
This integration gives network and security analysts the ability to quickly and easily assess the significance of security events by correlating context with the security alarm.

How It Works

Cisco ISE enables the Lancope StealthWatch Management Console to display contextual information around an event, such as the identity of the users and their level of access as well as what type of device they are using. An analyst can quickly determine where the event is coming from and whether it needs further investigation. Cisco ISE can then be used to take mitigation actions against a threat.

This integration is available for existing Lancope StealthWatch deployments or as a combined solution from Cisco that makes use of the Cisco Cyber Threat Defense Solution. The solution focuses on providing extensive visibility into advanced threats by identifying suspicious network traffic patterns within the network interior.

Providing Cisco ISE user and device context to the StealthWatch platform also enables a new suite of security monitoring capabilities such as mobility-aware security analytics. StealthWatch can also use Cisco ISE dynamic network control capabilities to take mitigation actions in the Cisco network infrastructure. This suite of capabilities helps IT organizations detect threats more quickly and simplifies the threat response.

Next Steps

Additional product information regarding this integration may be found by searching for “Lancope” in the Cisco Marketplace Solutions Catalog at: http://marketplace.cisco.com/catalog.

Solution Highlights and Components

This solution is composed of Cisco ISE (Release 1.2 or later, and 1.3 or later for mitigation capabilities) running the Cisco Platform Exchange Grid (pxGrid) context exchange capabilities; and Lancope StealthWatch (Release 6.4 or later, and 6.6 or later for mitigation capabilities).
Cisco pxGrid is a unified framework that enables multivendor, cross-platform network system collaboration within the IT infrastructure. Elements of the infrastructure that can share information include security monitoring and detection systems, network policy platforms, identity and access management platforms, and nearly any other IT operations platform.

Using Cisco pxGrid with Cisco ISE helps StealthWatch supplement its security analytics and event visibility with information from Cisco ISE about user identity, network authorization levels, endpoint device identification, network access type, and security posture. This information provides a composite view of a security threat from the StealthWatch Management Console. StealthWatch users may utilize the integration with Cisco ISE to implement network mitigation actions on users or devices in response to a security threat directly from the console.

Integration Details

Cisco ISE integration with Lancope StealthWatch is accomplished through the following:

• Cisco ISE provides its user identity and device information to the Lancope StealthWatch Management Console.
• This contextual data is used to create new security analysis classes for high-risk user populations or devices. For example, policies can be created that are specific to mobile devices or users with access to highly sensitive information.
• Cisco ISE contextual data is also appended to associated events in StealthWatch to provide the additional information about the user, device, and access level, so analysts can better understand the significance of a security event.
• Cisco ISE contextual data can itself be a source of security insight. StealthWatch can uncover trends based on Cisco ISE data to discover abnormal or suspicious activity.
• StealthWatch uses Cisco ISE as a conduit for mitigation actions within the Cisco network infrastructure based on Cisco ISE policies that have been defined for such actions.
• All these functions can be logged and reported on within the StealthWatch Management Console for unified threat reporting.

© 2014 Cisco and/or its affiliates. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R) C45-732761-00 09/14