Corporate Network Security: Is It In Your DNA?

If you were driving a race car without brakes, chances are you would struggle to control your speed. And if you can't, how could you handle the corners? Pushing the pedal to the metal on the straights and getting the car to peak performance would only end badly when the road bends. The same can be said for corporate network security: only proper security capabilities allow you to run your digital business at breakneck speed.

This breakneck speed is fueled by the growth of mobility, IoT devices, and private and public clouds, all of which massively increase the attack surface available to threat actors. Meanwhile, the top recommendation of Cisco’s recently released Cybersecurity Annual Report 2017 is that “as the attack surface grows, defenders need to focus on their most important objective: shrinking the operating space” of their adversaries.

Fortunately, you can keep your foot on the floor while reducing your adversaries’ operating space by building security capabilities into the very fabric of your network. The network can provide deep visibility into traffic patterns and detailed threat information. With Cisco DNA, the network can be used to quickly detect cybersecurity threats and then automatically take action to stop them.

Baked In, Not Bolted On

Identity Services Engine (ISE) and Cisco TrustSec can help turn the network into a sensor and enforcer. ISE provides visibility and control of users and devices on the network, while TrustSec provides software-defined segmentation to isolate attacks and restrict the movement of threats across the network. Together they form a dynamic duo.

At Cisco Live Berlin, we’re announcing the latest advancements in Cisco DNA Security, including the latest releases of ISE and TrustSec.

Deeper Visibility, More Granular Control: Cisco ISE 2.2

ISE 2.2 provides much deeper application visibility on endpoints and more granular control. But the feature that really floats my boat is the ability to define “DEFCON” policy sets that allow customers to escalate their response to prolific threats.

Rapid Threat Containment is extremely powerful for dealing with a handful of systems at once. But what if many systems are simultaneously “exploited” and a threat spreads in real time? This is where the ISE DEFCON rule sets come in.

DEFCON powerfully enhances your incident response playbook with the ability to switch to predefined responses to systemic attacks. Rather than altering the authorization of individual users and devices, or implementing policy changes manually, changing the DEFCON state modifies the TrustSec policies that define how users, devices, and systems can talk to each other, essentially raising the “network drawbridges” to protect your critical data and maintain essential services. For example, you can set DEFCON 4 to kick all guests off the network, DEFCON 3 to kick all BYOD users off the network, DEFCON 2 to restrict peer-to-peer traffic, and DEFCON 1 to severely limit access to your “crown jewels.”
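To make the escalation idea concrete, here is an added example that is not Cisco's code and does not show how ISE or TrustSec actually implement policy sets. It is a small Python model with constructed security groups (loosely analogous to security group tags) and assumed per-level rules following the DEFCON 4 to 1 progression above; it treats escalation as cumulative (an assumption), and adds two things a playbook author would want: a diff of exactly which flows a state change cuts off, and a check that stepping down a level never newly permits traffic.

```python
"""Toy model of escalating segmentation policy ("DEFCON" levels).
Constructed example: the group names, baseline denies and per-level
rules are assumptions, not Cisco ISE or TrustSec configuration."""
from itertools import product

# Assumed security groups (roughly analogous to TrustSec security group tags).
GROUPS = ("Guest", "BYOD", "Employee", "Admin", "Server", "CrownJewels")

# Baseline denies in the normal state (DEFCON 5); everything else is permitted.
BASELINE_DENIES = frozenset({
    ("Guest", "Server"), ("Guest", "CrownJewels"),
    ("BYOD", "CrownJewels"),
})

# Per-level restrictions: each predicate returns True when a (src, dst) flow
# must be denied at that level. Lower number = higher alert (assumed mapping).
DEFCON_RULES = {
    4: lambda s, d: "Guest" in (s, d),                              # kick guests off
    3: lambda s, d: "BYOD" in (s, d),                               # kick BYOD off
    2: lambda s, d: s == d and s in ("Guest", "BYOD", "Employee"),  # no endpoint peer-to-peer
    1: lambda s, d: d == "CrownJewels" and s != "Admin",            # only Admin reaches crown jewels
}
NORMAL = 5


def active_levels(level):
    """Escalation is assumed cumulative: at DEFCON 2, rules 4, 3 and 2 all apply."""
    if not 1 <= level <= NORMAL:
        raise ValueError(f"DEFCON level must be in 1..{NORMAL}, got {level}")
    return [lvl for lvl in DEFCON_RULES if lvl >= level]


def is_permitted(src, dst, level=NORMAL):
    """True if a flow from src group to dst group is allowed at the given level."""
    if src not in GROUPS or dst not in GROUPS:
        raise ValueError("unknown security group")
    if (src, dst) in BASELINE_DENIES:
        return False
    return not any(DEFCON_RULES[lvl](src, dst) for lvl in active_levels(level))


def policy_matrix(level=NORMAL):
    """Full src->dst permit matrix for a level, as {(src, dst): bool}."""
    return {(s, d): is_permitted(s, d, level) for s, d in product(GROUPS, repeat=2)}


def escalation_diff(from_level, to_level):
    """Flows permitted at from_level but denied at to_level: what the change cuts off."""
    before, after = policy_matrix(from_level), policy_matrix(to_level)
    return sorted(k for k in before if before[k] and not after[k])


def escalation_is_monotonic():
    """Playbook sanity check: stepping down a level must never newly permit a flow."""
    for lvl in range(NORMAL, 1, -1):
        current, lower = policy_matrix(lvl), policy_matrix(lvl - 1)
        if any(lower[k] and not current[k] for k in current):
            return False
    return True


if __name__ == "__main__":
    for lvl in range(NORMAL, 0, -1):
        cut = escalation_diff(NORMAL, lvl)
        print(f"DEFCON {lvl}: {len(cut)} flows denied beyond baseline")
    print("Admin->CrownJewels at DEFCON 1:", is_permitted("Admin", "CrownJewels", 1))
    print("Escalation monotonic:", escalation_is_monotonic())
```

Reviewing `escalation_diff(NORMAL, target)` before declaring a state change is the useful habit here: it lists every flow the drawbridge will cut, so essential services (for example Admin to CrownJewels) can be confirmed to survive before the switch is thrown.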

ISE 2.2 also provides simplified workflows that include guest, secure access, and BYOD setup with Cisco wireless LAN controllers in as little as 10 minutes. This approach also extends to customers migrating from the Cisco Access Control System (ACS), which Cisco recently announced will no longer be sold. An improved ISE migration tool now streamlines ACS replacement so you get the same ACS benefits combined with advanced secure access, profiling, and posture capabilities offered with ISE.

And it’s not just us. SC Magazine recently awarded Cisco ISE the Best NAC Solution 2017 award. If you want to know more, you can read this tech blog.

Dynamic Segmentation: Cisco TrustSec 6.1

TrustSec software-defined segmentation reduces risk and limits the lateral movement of threats in a network, allowing these segmentation policies to be activated and changed without reconfiguring network devices. This proven technology can enable security policy changes 98% faster and with 80% less operational effort than traditional VLAN-based segmentation.

TrustSec has now been extended to Cisco Access Points, WAN Routers, Cloud Services Routers and Industrial Ethernet Switches, which now work seamlessly with existing TrustSec-enabled Catalyst and Nexus switches. Coupled with a new integration with Cisco ACI, TrustSec now enables dynamic segmentation anywhere on the network, from the network edge to the data center to the cloud.

Among the many use cases, Mondi uses TrustSec to quickly integrate new acquisitions into its security architecture and dramatically simplify firewall policy management. At Cisco, we use TrustSec to segregate high-risk labs and simplify security during divestitures. Banks use TrustSec to meet regulator segmentation requirements and ensure that only authorized users have access to financially regulated applications. And security-conscious government agencies use TrustSec to restrict peer-to-peer communications that could lead to lateral movement of threats.

With these new features on ISE and TrustSec, Cisco is now the first in the industry to offer software-defined segmentation across the entire network, from network to endpoint to cloud, with complete application visibility.

This is important because you can only drive at digital speed if you have the right security. And by turning the network into a sensor and enforcer, Cisco helps customers accelerate their digital journey.


Kevin M. Risinger