This is a guest post contributed by Gregory Kushto, Security Practice Director, Force 3.
Earlier this year, our team here at Force 3 made an appearance at the Inaugural Splunk GovSummit in Washington DC, on October 22, 2015. Together with Splunk and Cisco, our goal was to promote Cisco ISE on ice (quite literally, as you’ll see below), demonstrate how Splunk and Cisco ISE integrate and present the value behind combining the power of both technologies.
Thanks to the combined efforts of Force 3’s engineers, the alliance, sales and marketing teams, and teamwork with Splunk and Cisco, we were able to create a truly interactive and engaging customer experience at the event.
Force 3 was honored to have the opportunity to interact with the community at GovSummit and make new connections (a big thank you to all attendees!). After having the chance to present and engage some of our IT peers with the value that Splunk and Cisco ISE can generate, I think it’s important to follow up with conversation on Splunk and Cisco ISE deployments in the real world and why this integration is meaningful.
So, meet Cisco ISE: in short, ISE (Identity Services Engine) is a Cisco security tool that focuses on user and device access into the network and defining roles based on the user of the device and/or what type of device is being used. Splunk provides a platform for operational intelligence; customers use it to search, monitor, analyze and visualize machine data. What do you get when you combine the two? An immensely powerful solution; Cisco ISE makes your network more secure while Splunk gives you the ability to visually demonstrate to your auditors, security people and executives the operational security posture your organization has and the value it’s creating.
Check out the video demo that further demonstrates the power of Splunk and ISE in combination with a range of other Cisco security offerings…
Let’s elaborate on real-world applications:
The Cisco ISE interface is designed for network engineers to use to manage network security; while it does a fantastic job of giving engineering-level reports on enforcing policies and access, its intended function is not necessarily for higher-ups or executives to monitor progress, or for compliance folks to measure security. Here’s where Splunk comes in—Splunk allows your network team to clearly convey security metrics and extend a framework that presents information useful to your entire organization, rather than solely the engineer or administrator that’s making the operation work. Given that ISE was designed to be used exclusively as a network security tool, individuals who aren’t trained in ISE aren’t necessarily able to discern what ISE is expressing. By tying Splunk into ISE, your organization can bridge the gap between the engineering and executive team.
A common use case for a Splunk and ISE integration is in identifying and remediating rogue devices (Mac Authentication Bypass).
The goal of deploying Splunk and ISE for MAB is to identify, investigate and remediate all rogue network access (essentially, any device that doesn’t adhere to an established policy) with full visibility.
Here’s what can be gained when you use Splunk and ISE for MAB management:
- A complete view of the environment via an at-a-glance dashboard.
- Visibility into rogue devices, their owners and physical address using the ISE MAC Authentication Bypass Dashboard.
- Rapid drilldown to raw logs for supporting evidence and incident analysis.
- One-click automated remediation—when a device is identified as rogue, an admin can click a single button to launch a workflow action for ISE to take the device(s) off the network.
Intrigued? To learn more about Splunk and Cisco ISE, check out these great posts:
- Making Machine Data Personal with Cisco ISE (Splunk blogs)
- Using Cisco ISE data to drive enhanced event visibility in Splunk (Cisco blogs—Security)
- More than Just a Pretty Dashboard: Cisco ISE & Splunk turn event analysis into action(Cisco blogs—Security)
- End-to-End Protection and Threat Mitigation for Cisco Network Environments via Splunk ISE & pxGrid(Splunk blogs)
Our team feels really fortunate to have made an appearance at Splunk GovSummit this year, and we’d like to extend a warm thank you to all attendees and partners who made it possible. If you’re interested in learning more about the value Splunk and Cisco integrations can bring to your organization, please feel free to get in touch with Force 3 via our blog or on Twitter.