Cisco Identity Services Engine and NetIQ Sentinel

At-A-Glance
Cisco Identity Services Engine and NetIQ Sentinel Integration
Identity- and Device-Aware Security Information and Event Management
Figure 1. Cisco ISE + NetIQ Integration (figure title: Cisco ISE + NetIQ Sentinel delivers identity/device-aware security and threat response)
Use Cases
• Decrease time to event response – NetIQ Sentinel utilizes Cisco ISE user, device type, access level, and posture information in combination with other sources of identity context to expedite the classification of and response to a security event.
• Develop a comprehensive view of mobile and device network activity – NetIQ Sentinel utilizes Cisco ISE device-type information to create security analytic policies specific to mobile devices.
• Monitor and control high-risk access methods – NetIQ Sentinel can use Cisco ISE contextual information to monitor mobile users' actions and permissions for services and use that information to find cases where users are attempting to violate those policies.
• Improve security by differentiating privileges of users and groups – NetIQ Sentinel utilizes Cisco ISE user information to create security policies for specific users or groups and grant them the appropriate levels of access.
• Decrease security risk from devices with security posture failures – NetIQ Sentinel utilizes Cisco ISE endpoint posture information to create security policies specific to endpoints that have a noncompliant posture status. These devices often represent a higher security risk on the network.
[Figure 1 labels: Cisco ISE shares identity/device context with NetIQ through pxGrid context sharing; NetIQ provides an identity/device-aware SIEM and drives threat response via ISE]
The growing complexity of network environments, including the fact that the average user has three mobile devices they want to connect to the network, has increased management issues around security, analysis, and compliance. Network activity used to be sufficiently analyzable with broad identifiers such as an IP address. Today's diverse networks require effective security event visibility and integration with accurate contextual data such as user identity, user privilege levels, endpoint device type, and endpoint security posture in order to provide a meaningful picture of network events and their significance.
The Cisco® Identity Services Engine (ISE) integrates with the NetIQ Sentinel security information and event management (SIEM) platform to deliver in-depth security event analysis supplemented with relevant identity and device context. This integration gives network and security analysts the ability to quickly and easily assess the significance of security events by correlating context with the security alarm, as well as the ability to take action on the event in the network.
© 2014 Cisco and/or its affiliates. All rights reserved.
Use Cases (Continued)
• Improve visualization and analysis of Cisco ISE telemetry and event data – Utilize NetIQ Sentinel to specifically analyze and alert on anomalies in Cisco ISE event data, such as excess authentication attempts.
How It Works
Utilizing pxGrid integration with Cisco ISE enables NetIQ Sentinel to supplement its security analytics and event visibility with information from Cisco ISE about user identity, network authorization levels, endpoint device identification, network access type, and security posture. This provides a composite view of a security event from the Sentinel management console. Sentinel operators can then utilize Cisco ISE Dynamic Network Control capabilities to execute network mitigation actions on users or devices in response to a security threat directly from the Sentinel management console.
Solution Highlights and Components
This solution is composed of Cisco ISE running the Platform Exchange Grid (pxGrid) context exchange and NetIQ Sentinel. Cisco pxGrid is a unified framework that enables multivendor, cross-platform network system collaboration among IT infrastructure such as security monitoring and detection systems, network policy platforms, identity and access management platforms, and virtually any other IT operations platform.
Some of the key Cisco ISE attributes available for use by NetIQ Sentinel for user- and device-related context are:
• User name, IP address, authentication status, location
• Authorization group, guest, quarantine status
• Device manufacturer, model, OS, OS version, MAC address, IP address, network connection method (wired or wireless), location
• Posture compliance status, antivirus installed, antivirus version, OS patch level, mobile device posture compliance status (through MDM ecosystem partners)
Supported Products
• Cisco ISE 1.3 or later
• NetIQ Sentinel 7.2 or later
Integration Details
Cisco ISE integration with NetIQ is accomplished through the following:
• Cisco ISE provides its user identity and device information to NetIQ Sentinel.
• NetIQ Sentinel combines this information with other sources of identity data – such as common identity management systems, asset management systems, and CMDBs – to construct a holistic view of the user, the accounts (network and application) that they own, and the device(s) and service(s) they are accessing with any of those accounts.
• The combined contextual data is then attached to events collected by NetIQ Sentinel, including network-, system-, and application-layer security events.
• Downstream security policies defined within NetIQ Sentinel can then leverage that additional context as part of policy rule definition, allowing you to write rules against classes of high-risk people or devices, such as mobile users with access to highly sensitive information.
• Cisco ISE contextual data can itself be a source of security insight. NetIQ Sentinel can trend Cisco ISE data to discover abnormal or suspicious activity.
• NetIQ Sentinel utilizes Cisco ISE as a conduit for taking mitigation actions within the Cisco network infrastructure. NetIQ Sentinel can instruct Cisco ISE to undertake quarantine or access-block actions on users and/or devices based on Cisco ISE policies that have been defined for such actions.
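As an added illustration (not Cisco's or NetIQ's code, and not a pxGrid client), the following Python sketches the enrich-then-evaluate flow described in the Use Cases and Integration Details above: raw events carrying only an IP are joined with ISE-style session context, and rules over posture, device type and access method flag access to sensitive resources with a suggested response label. The session records, events, attribute names, rule names and action labels are all assumptions constructed for the example.

```python
# Added illustration, not Cisco or NetIQ code: an enrich-then-evaluate pass
# of the kind the integration details describe. ISE_SESSIONS and EVENTS are
# constructed sample data; the attribute names follow the brochure's list
# and are not pxGrid field names.

# Constructed ISE-style session context, keyed by endpoint IP address.
ISE_SESSIONS = {
    "10.1.1.10": {"user": "alice", "auth_status": "authenticated",
                  "authz_group": "Finance", "device_type": "iPhone",
                  "access": "wireless", "posture": "Compliant"},
    "10.1.1.11": {"user": "bob", "auth_status": "authenticated",
                  "authz_group": "Contractors", "device_type": "Android",
                  "access": "wireless", "posture": "NonCompliant"},
}

# Constructed SIEM events carrying only what a raw log would: IP and resource.
EVENTS = [
    {"src_ip": "10.1.1.10", "resource": "hr-payroll-db", "action": "read"},
    {"src_ip": "10.1.1.11", "resource": "hr-payroll-db", "action": "read"},
    {"src_ip": "10.1.1.99", "resource": "hr-payroll-db", "action": "read"},
    {"src_ip": "10.1.1.12", "resource": "public-wiki", "action": "read"},
]

SENSITIVE = {"hr-payroll-db"}   # resources the rules treat as highly sensitive
MOBILE = {"iPhone", "Android"}  # device types the rules treat as mobile

def enrich(event, sessions):
    """Attach ISE context to a raw event; an IP with no session gets {}."""
    return {**event, "ise": sessions.get(event["src_ip"], {})}

def evaluate(enriched):
    """Return (rule_name, suggested_action) hits for one enriched event.
    The actions are labels for an operator-driven ISE response (quarantine,
    alert, investigate), not calls to any ISE or Sentinel API."""
    ctx, hits = enriched["ise"], []
    if enriched["resource"] not in SENSITIVE:
        return hits  # only sensitive-resource access is rated here
    if not ctx:
        hits.append(("no_ise_session_on_sensitive_access", "investigate"))
    if ctx.get("posture") == "NonCompliant":
        hits.append(("noncompliant_endpoint_sensitive_access", "quarantine"))
    if ctx.get("access") == "wireless" and ctx.get("device_type") in MOBILE:
        hits.append(("mobile_device_sensitive_access", "alert"))
    return hits

def run(events=EVENTS, sessions=ISE_SESSIONS):
    """Enrich every event and collect its rule hits, keyed by source IP."""
    return {e["src_ip"]: evaluate(enrich(e, sessions)) for e in events}
```

The endpoint with no ISE session is the case worth noticing: an IP that reaches a sensitive resource without any identity context is flagged for investigation rather than silently passing because no rule matched.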
Next Steps
Additional product information regarding this integration may be found by searching for “NetIQ” in the Cisco Marketplace Solutions Catalog at: http://marketplace.cisco.com/catalog.
© 2014 Cisco and/or its affiliates. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
C45-732858-00 10/14