Cisco ISE and SIEM/Threat-Defense Integration


Video - Cisco ISE and SIEM/Threat-Defense Integration (4 min)

Well, the situation is that a lot of organizations are faced with a huge influx of devices, personal devices,
and these can present threats to their network and their operations. And one of the challenges organizations
have now is that these devices are less trusted than they were in the past. They require better detail as to
the context of each one of those devices. Meaning, who's the owner? What's their policy level? What do they
actually allow it to do when they're on the network itself? Traditional SIEM, security information and event
management, solutions don't typically allow them to derive that level of context that they require.
Oftentimes they'll want to know, "Well, what kind of device is this?" Okay, I see that this device is trying to
access a certain file or go into a specific area. That's questionable. Does this person have authorization?
Okay, they have to go to another system, another solution, Active Directory, to decide who is this person, what
is their role. They have to go to another system to go, "What kind of device is this?" And in another to determine
what the policy is that we apply to that person. So collecting this data can be time-consuming and a bit
challenging.
At Cisco, we have a solution called the Identity Services Engine. The Identity Services Engine actually
creates context around virtually all devices that would be attached to the network in an operation. So I can
see who it is, what they're doing, what their policy level is, and then I can determine what the threat level is to
my organization. We now give the threat defense system the ability to respond or take action to a user by
either kicking them off the network or forcing some form of quarantine or remediation. What's really great to
the customer is, now, I don't have to go to this screen, this screen, this screen, this screen. I can pull
everything together under one pane of glass. We've given a lot of new horsepower to the SIEM systems,
allowing them to do things that would have been very difficult and challenging for them to do before: quick and
clear visibility into the threats in their organization and the ability to quickly take action on them.
Let's say, for instance, I'm a security analyst and I'm looking at my SIEM system and I see that there's a
device that's accessing financial systems. With the integration between ISE and SIEM and threat defense
systems, I see this device; I see that it's an iPad. Now, an iPad on financial systems, that might be an issue. I
wonder who the user is. Well, I can see this user is an executive. I know who that is. I wonder what their policy
level is. Are they allowed to do this? Yes, they are. But I still categorize this as suspicious behavior, so I want
to watch this; I'm gonna pay attention to this. So I've derived all that context immediately from a single pane of
glass. Now, if I also determine, well, "This is an unusual behavior for them and this is actually a violation of
the policy" and they somehow got access to the system, I can take immediate action. I can take them right off
the network. We're taking this rich contextual information that we have and helping the SIEM vendors with the
technology they have to really advance the defense systems that organizations have in a way that was very
difficult to do before and very time-consuming. They can determine the threat, determine the threat level, follow
the threats in specific detail, and also take action. And this is something that, as far as we know, wasn't
available before.
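The triage workflow the speaker walks through (a SIEM event is enriched with identity, device type and role from ISE, then classified as allowed, worth watching, or a policy violation that warrants removal from the network) can be sketched as a small rule set. The following is an added illustration and is not Cisco code or part of the video: the session table, the resource policy, the event records and all field names are constructed assumptions, and the hand-off that would actually carry out a quarantine through ISE is deliberately left out.

```python
"""Context-enriched SIEM triage, modelled on the ISE + SIEM workflow in the
transcript.  Added example: all data and field names below are constructed."""

from dataclasses import dataclass, field

# Constructed ISE-style session context keyed by endpoint IP.  A real
# deployment would pull this from ISE; the field names are assumptions.
ISE_SESSIONS = {
    "10.1.20.15": {"user": "jdoe", "device_type": "Apple-iPad",
                   "role": "Executive", "posture": "Compliant"},
    "10.1.20.77": {"user": "contractor1", "device_type": "Android",
                   "role": "Contractor", "posture": "Compliant"},
    "10.1.30.5": {"user": "svc_backup", "device_type": "Windows-Workstation",
                  "role": "IT", "posture": "NonCompliant"},
}

# Constructed policy per resource class: which roles may reach it, and which
# device types are expected there.  An authorized role on an unexpected
# device is not a violation, but it is the "iPad on financial systems" case
# the speaker wants to keep an eye on.
RESOURCE_POLICY = {
    "financial": {"allowed_roles": {"Finance", "Executive"},
                  "expected_devices": {"Windows-Workstation", "Mac-Workstation"}},
    "hr": {"allowed_roles": {"HR", "Executive"},
           "expected_devices": {"Windows-Workstation"}},
}


@dataclass
class Disposition:
    action: str            # "allow", "watch", "quarantine" or "escalate"
    reason: str
    context: dict = field(default_factory=dict)


def enrich(event, sessions=ISE_SESSIONS):
    """Attach who/what-device/what-role context to a raw SIEM event.

    Returns a copy of the event with an "ise" key holding the session
    context, or None when the source IP has no authenticated session."""
    return {**event, "ise": sessions.get(event["src_ip"])}


def triage(event, sessions=ISE_SESSIONS, policy=RESOURCE_POLICY):
    """Classify one access event using the enriched context.

    Order matters: an endpoint we cannot attribute is escalated rather than
    judged; a failed posture or unauthorized role is a policy violation; an
    authorized role on an unexpected device type is merely watched."""
    enriched = enrich(event, sessions)
    ctx = enriched["ise"]
    rule = policy[enriched["resource"]]

    if ctx is None:
        return Disposition("escalate", "no ISE session for source; cannot attribute user or device")
    if ctx["posture"] != "Compliant":
        return Disposition("quarantine", f"endpoint posture is {ctx['posture']}", ctx)
    if ctx["role"] not in rule["allowed_roles"]:
        return Disposition("quarantine",
                           f"role {ctx['role']} is not authorized for {enriched['resource']}", ctx)
    if ctx["device_type"] not in rule["expected_devices"]:
        return Disposition("watch",
                           f"authorized role on unexpected device type {ctx['device_type']}", ctx)
    return Disposition("allow", "authorized role on expected device type", ctx)


def triage_all(events, sessions=ISE_SESSIONS, policy=RESOURCE_POLICY):
    """Triage a batch of SIEM events; returns {event_id: Disposition}."""
    return {e["id"]: triage(e, sessions, policy) for e in events}


# Constructed SIEM access events, mirroring the scenarios in the transcript.
SAMPLE_EVENTS = [
    {"id": 1, "src_ip": "10.1.20.15", "resource": "financial"},  # executive on iPad
    {"id": 2, "src_ip": "10.1.20.77", "resource": "financial"},  # contractor, not authorized
    {"id": 3, "src_ip": "10.1.30.5", "resource": "hr"},          # failed posture
    {"id": 4, "src_ip": "10.9.9.9", "resource": "financial"},    # no ISE session
]

if __name__ == "__main__":
    for event_id, d in triage_all(SAMPLE_EVENTS).items():
        user = d.context.get("user", "<unknown>")
        print(f"event {event_id}: {d.action:<10} user={user:<12} {d.reason}")
```

The "quarantine" disposition is where the integration described in the video would hand control back to ISE to remove or restrict the endpoint; that step depends on the deployment and is not modelled here.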

© 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 1
