Driving Greater Event Clarity

Source: ecrm.logrhythm.com/rs/logrhythm/images/03_26_14_LogRhythm...

Page 1

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Page 2

• Solution Overview

• LogRhythm Overview

• Cisco ISE Overview

• ISE+LogRhythm = Taking Security Visibility to a New Level!

• Demo

• Q&A

Page 3

Visibility & Policy is More than Just an IP Address

NETWORK ALERT!

SRC/65.32.7.45

DST/165.1.4.9 : HTTP

Is this event important?

I need more info…

Page 4

Visibility & Policy is More than Just an IP Address

Page 5

Visibility & Policy is More than Just an IP Address

Cisco ISE Network Access Policy

LogRhythm Threat Visibility

Clarity Among the Threat Noise

Associate Users, Roles, Devices with Security Events

Page 6

Dimensions of context around an event (diagram):

• Identity: User, Posture, Privilege, Device type
• External Context: Threat Intelligence, IP Reputation, GeoLocation
• Application: Access, Transactions, Error, Behavior
• Host: Process, Access, File Activity, Resources
• Internal Context: Business Value, Asset Classification, Risk Rating, Vulnerability
• Network: Connection, Direction, Content, Volume

Manual discovery of what’s normal network activity is impractical due to the sheer volume of data across multiple types of dimensions:

• An unmanageable volume of false positives based on benign anomalies
• Significant blind spots / false negatives

Need an automated technology to learn behavioral attributes across multiple dimensions and establish what “Normal” looks like.

Page 7

LogRhythm data flow (diagram): log sources (Networking Devices, Security Devices, Systems & Applications, Industry Specific Devices, Identity Services) → FORENSIC DATA → ANALYSIS CONDITIONING → ANALYSIS

Page 8

Correlation and Pattern Matching

• User account is created and deleted
• Process is killed and not restarted
• Multiple authentication failures followed by success

Whitelisting

• Create whitelist of processes on web servers
• Create whitelist of countries with VPN logins
• Create whitelist of logins to production systems

Trending – Average

• Monitor average bytes per packet sent to a web server
• Monitor average authentications over time

Trending – Rate

• Monitor rate of logs per log source
• Monitor rate of failed VPN logins

Trending – Histogram

• Monitor the number of unique server connections
• Monitor the number of guest access and access denies during the day

Corroborated Activities
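Three of the analytics above, run over constructed VPN login events: the "multiple authentication failures followed by success" correlation, the country whitelist, and the rate of failed VPN logins. This is an added example, not LogRhythm code; the flat (timestamp, user, action, result, country) schema, the sample events and the thresholds are assumptions.

```python
"""Correlation, whitelisting and rate trending over constructed login events."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: timestamp, user, action, result, source country.
RAW_EVENTS = [
    ("2014-03-26 09:00:00", "ssmith",   "vpn_login", "fail",    "US"),
    ("2014-03-26 09:00:07", "ssmith",   "vpn_login", "fail",    "US"),
    ("2014-03-26 09:00:15", "ssmith",   "vpn_login", "fail",    "US"),
    ("2014-03-26 09:00:21", "ssmith",   "vpn_login", "success", "US"),
    ("2014-03-26 09:05:00", "vsanchez", "vpn_login", "fail",    "US"),
    ("2014-03-26 09:10:00", "fdidier",  "vpn_login", "success", "BR"),
    ("2014-03-26 09:20:00", "flee",     "vpn_login", "fail",    "CN"),
    ("2014-03-26 11:30:00", "vsanchez", "vpn_login", "success", "US"),
]
EVENTS = [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), *rest) for ts, *rest in RAW_EVENTS]


def failures_then_success(events, min_failures=3, window=timedelta(minutes=5)):
    """Correlation: at least min_failures failed logins by one user followed by a
    success, all inside `window` (guess-until-it-works). Returns {user: success time}."""
    recent = defaultdict(deque)          # user -> failure timestamps still inside the window
    hits = {}
    for ts, user, action, result, _ in sorted(events):
        if action != "vpn_login":
            continue
        q = recent[user]
        while q and ts - q[0] > window:  # expire failures that fell out of the window
            q.popleft()
        if result == "fail":
            q.append(ts)
        elif result == "success" and len(q) >= min_failures:
            hits[user] = ts.isoformat(" ")
            q.clear()
    return hits


def whitelist_violations(events, allowed_countries):
    """Whitelisting: any VPN login, failed or successful, from a country not on the
    list. Failed ones are kept because they show who is probing from where."""
    return [(user, country, result)
            for _, user, action, result, country in events
            if action == "vpn_login" and country not in allowed_countries]


def failed_login_rate(events, threshold=3):
    """Trending - rate: failed VPN logins per one-minute bucket, reporting the
    buckets at or above the threshold. Returns {"YYYY-MM-DD HH:MM:00": count}."""
    counts = defaultdict(int)
    for ts, _, action, result, _ in events:
        if action == "vpn_login" and result == "fail":
            counts[ts.replace(second=0, microsecond=0)] += 1
    return {b.isoformat(" "): c for b, c in sorted(counts.items()) if c >= threshold}


if __name__ == "__main__":
    print("failures then success:", failures_then_success(EVENTS))
    print("off-whitelist logins:", whitelist_violations(EVENTS, {"US", "CA"}))
    print("failed-login bursts:", failed_login_rate(EVENTS))
```

On this data only ssmith trips the correlation (three failures and a success inside 21 seconds); vsanchez's single failure followed by a success two hours later does not, which is the point of bounding the window. The whitelist check deliberately reports failed logins from off-list countries as well as successful ones.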

Page 9

Cisco ISE: Controlling Who, What and How Users & Devices Access the Network

Page 10

Identity (802.1X)-Enabled Network

IDENTITY and CONTEXT: WHO, WHAT, WHERE, WHEN, HOW

Access methods: 802.1X, MAB, WebAuth (on Cisco switches, routers, wireless access points)
Context sources: Guest Access, Profiling, Posture

Identity context examples (diagram):

• Vicky Sanchez: Employee, Marketing; Wireline; 3 p.m.
• Frank Lee: Guest; Wireless; 9 a.m.
• Security Camera G/W: Agentless Asset; Chicago Branch
• Francois Didier: Consultant; HQ—Strategy; Remote Access; 6 p.m.
• Personal iPad: Employee Owned; Wireless HQ

Page 11

All-in-One Enterprise Policy Control

Page 12

Who, What, Where, When, How: virtual machine client, IP device, guest, employee, and remote user, over Wired, Wireless and VPN, governed by Business-Relevant Policies in Cisco ISE.

• Policy Management: Increases Operational Efficiency
• Onboarding & Remediation: Increases Productivity and Improves User Experience
• Device Profiling & Posture: Provides Comprehensive Secure Access
• Network Enforcement: Decreases Operational Costs
• Intelligent Identity: Ensures Consistent Policies

Cisco® ISE as The Unified Directory of User/Device Context & Network Control (diagram: IT Infrastructure, NET MGMT, Cisco Network; Identity & Device Context flows up to the platforms, Network Control flows down to the network)

Context Sharing

• Consistent source of identity
• Endpoint device-type awareness
• Posture, access level, network location context
• Enable ecosystem partner platform to share context for use in ISE network policy
• Enable ecosystem partner to take network actions via ISE

Unified Context/Control Makes IT Platforms More Effective

Page 13

CISCO ISE

ISE Provides Context: Identity, Device-Type, Posture, Authorization Level, Location

LogRhythm Takes Action: Network quarantine of users & devices via ISE

IDENTITY & DEVICE-AWARE SECURITY ANALYTICS

“Increase severity of security alarms associated with mobile devices accessing finance data”

“Create security dashboard for guest user security activity”

“Monitor IT admin groups accessing directory services databases”

CORRELATE IDENTITY & DEVICE TO SECURITY EVENTS

“This breach event is associated with Scott Smith”

“…and it is from Scott Smith’s MacBook with OSX v10.6.2”

“…and Scott Smith has access to our IT admin systems”

TAKE NETWORK MITIGATION ACTION

1. LogRhythm Quarantines Scott Smith
2. ISE Matches to “Quarantine” Policy
3. Cisco Switch Executes Authorization Change
4. Scott Smith Re-Assigned to “Restricted Access”
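The mitigation step above, as an added example of what a SIEM-side action that asks ISE to quarantine an endpoint looks like; it is not LogRhythm's SmartResponse code or Cisco code. The URL paths follow the ISE 1.x Endpoint Protection Service (EPS) REST API as I remember it (QuarantineByMAC, QuarantineByIP and their UnQuarantine/isQuarantine counterparts under /ise/eps/); confirm them against the API reference for your ISE release, since later releases replace EPS with Adaptive Network Control. The hostname, credentials and the <EPS_RESULT> XML replies are constructed, and the transport is injected so the exchange runs offline.

```python
"""Quarantine an endpoint through ISE's EPS REST API (paths assumed, see lead-in)."""
import ipaddress
import re
import ssl
import xml.etree.ElementTree as ET
from base64 import b64encode
from urllib.request import Request, urlopen

ISE_HOST = "ise-pan.example.com"                    # assumed ISE admin node
EPS_ACTIONS = ("Quarantine", "UnQuarantine", "isQuarantine")
_MAC = re.compile(r"^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$")


def normalize_mac(mac):
    """RADIUS syslog carries 00-11-22-33-44-55; send ISE the colon form."""
    if not _MAC.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac.replace("-", ":").upper()


def build_eps_request(host, username, password, action, mac=None, ip=None):
    """MAC is preferred: an IP taken from an older alert may already belong to
    another host by the time the action fires."""
    if action not in EPS_ACTIONS:
        raise ValueError(f"unknown EPS action {action!r}")
    if mac:
        path = f"/ise/eps/{action}ByMAC/{normalize_mac(mac)}"
    elif ip:
        addr = ipaddress.ip_address(ip)
        if addr.is_multicast or addr.is_unspecified or addr.is_loopback:
            raise ValueError(f"refusing to act on {ip}")
        path = f"/ise/eps/{action}ByIP/{addr}"
    else:
        raise ValueError("need a MAC or an IP address")
    token = b64encode(f"{username}:{password}".encode()).decode()
    return Request(f"https://{host}{path}",
                   headers={"Authorization": f"Basic {token}", "Accept": "application/xml"})


def parse_eps_result(xml_text):
    """Returns (ok, message). Reply shape assumed: <EPS_RESULT><status>OK</status>
    <errorCode>0</errorCode><errorMessage/></EPS_RESULT>."""
    root = ET.fromstring(xml_text)
    if root.tag != "EPS_RESULT":
        raise ValueError(f"unexpected root element {root.tag!r}")
    status = (root.findtext("status") or "").strip().upper()
    code = (root.findtext("errorCode") or "0").strip()
    msg = (root.findtext("errorMessage") or "").strip()
    return status == "OK" and code == "0", msg


def send_https(req, cafile=None):
    """Real transport (not used offline). Verify ISE's certificate; a quarantine
    channel that skips TLS checks is itself a target."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read().decode()


def quarantine_endpoint(alert, username, password, host=ISE_HOST, send=send_https):
    """SmartResponse-style action: quarantine by MAC when the alert carries one,
    otherwise by IP, and report what ISE answered."""
    req = build_eps_request(host, username, password, "Quarantine",
                            mac=alert.get("mac"), ip=alert.get("ip"))
    ok, msg = parse_eps_result(send(req))
    return {"url": req.full_url, "quarantined": ok, "message": msg}


# Constructed ISE replies for the offline walk-through.
SAMPLE_OK = ("<EPS_RESULT><status>OK</status><errorCode>0</errorCode>"
             "<errorMessage></errorMessage></EPS_RESULT>")
SAMPLE_FAIL = ("<EPS_RESULT><status>FAILURE</status><errorCode>1</errorCode>"
               "<errorMessage>Endpoint not found</errorMessage></EPS_RESULT>")


def fake_send(req):
    """Stand-in transport: succeed for MAC-keyed requests, fail for IP-keyed ones."""
    return SAMPLE_OK if "ByMAC" in req.full_url else SAMPLE_FAIL


if __name__ == "__main__":
    alert = {"user": "ssmith", "mac": "00-11-22-33-44-55", "ip": "10.1.20.7"}
    print(quarantine_endpoint(alert, "epsuser", "secret", send=fake_send))
```

Two things have to be true on the ISE side for this call to produce the "Cisco Switch Executes Authorization Change" step: EPS must be enabled, and an authorization rule must match the quarantined status and assign the restricted result; the network device must also accept the Change of Authorization that ISE then sends. Log the ISE reply with the action, and keep UnQuarantine reachable from the same tooling so a false positive can be reversed as quickly as it was applied.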

Page 14

CISCO ISE

ISE Provides Context: Identity, Device-Type, Posture, Authorization Level, Location

LogRhythm Takes Action: Network quarantine of users & devices via ISE

BENEFITS

• Clarify what security events to focus on

• Device, user and group driven security analytics enable LogRhythm to scrutinize specific environments like BYOD or high-risk user groups

• Make security events actionable in the network

Page 15

Investigation without the integration (diagram):

Potential Breach Event → Associate User to Event → Check Endpoint Posture → How Do I Mitigate? → Where is it on the Network? → What Kind of Device is it? → Associate User to Authorization

Systems consulted along the way: SIEM, AAA Logs, IAM, NAC, ?? ?? ??

MANY SCREENS, MISSING DATA
COMPLICATED MITIGATION

Page 16

Investigation with ISE + LogRhythm (diagram):

Potential Breach Event → Associate User to Event → Check Device Type → Check Network Location → Check Endpoint Posture → Associate User to Authorization → Mitigate in Network

LogRhythm: Security Event, with ISE User and Device Context Related to the Security Event

CISCO ISE: Endpoint Network Action (Quarantine), keyed on USER or DEVICE (IP or MAC ADDRESS)

Integrated Mitigation

ONE SCREEN, ALL DATA
INTEGRATED MITIGATION

Page 17

1. All data collected from Cisco Identity Services Engine (ISE) via Syslog

2. LogRhythm:

Collects

Normalizes

GeoTags

Recognizes Events

Assigns Risk Prioritization

Stores log and event data for long term retention

3. Applies behavioral analysis techniques

4. Performs correlation across data sources

5. Triggers SmartResponse™ actions back to Cisco ISE when applicable

Use Cases:

• Sophisticated Intrusions

• Mobile and Guest Device

Access Violations

• Enhanced Investigation and

root cause analysis
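Steps 1, 2 and 4 of the pipeline above on constructed data, as an added example that is not LogRhythm or Cisco code: collect ISE syslog, normalize it into a per-IP session table, and correlate a network alert that carries only IP addresses (the "Is this event important?" alert from page 3) with the user, device, posture and authorization ISE saw behind the source IP, then raise its priority accordingly. The two log lines are constructed in the style of ISE's comma-separated key=value Passed-Authentication (5200) syslog; attribute names such as Framed-IP-Address, Calling-Station-ID, EndPointMatchedProfile and PostureStatus follow that style, while the AD-Groups attribute, the hostnames and the risk weights are assumptions.

```python
"""Normalize ISE-style syslog and enrich an IP-only alert with user and device context."""
import re
from datetime import datetime

# Constructed in the style of ISE 5200 Passed-Authentication syslog (single segment).
SYSLOG = [
    "<181>Mar 26 09:58:02 ise-mnt CISE_Passed_Authentications 0000027840 1 0 2014-03-26 09:58:02.117 -06:00 0000314158 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=97, Device IP Address=10.1.1.3, UserName=flee, NetworkDeviceName=wlc-hq-1, NAS-Port-Type=Wireless - IEEE 802.11, Framed-IP-Address=10.1.30.9, Calling-Station-ID=7C-D1-C3-00-AA-01, EndPointMatchedProfile=Apple-iPad, PostureStatus=NotApplicable, IdentityGroup=Guest, AuthorizationPolicyMatchedRule=Guest_Internet_Only",
    "<181>Mar 26 10:02:15 ise-mnt CISE_Passed_Authentications 0000027841 1 0 2014-03-26 10:02:15.413 -06:00 0000314159 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=97, Device IP Address=10.1.1.1, UserName=ssmith, NetworkDeviceName=sw-hq-3, NAS-Port=50101, NAS-Port-Type=Ethernet, Framed-IP-Address=10.1.20.7, Calling-Station-ID=00-11-22-33-44-55, EndPointMatchedProfile=Apple-MacBook, PostureStatus=Compliant, AD-Groups=CN=IT Admins,OU=Groups,DC=corp,DC=example,DC=com, AuthorizationPolicyMatchedRule=Employee_Full_Access",
]

# Header: priority, BSD timestamp, host, category, message id, total segments, segment
# number, ISE timestamp and zone, sequence, message code, severity, text, then the body.
HEADER = re.compile(
    r"^<\d+>\w{3} +\d+ [\d:]+ (?P<host>\S+) (?P<cat>\S+) \d+ (?P<segs>\d+) (?P<seg>\d+) "
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ [+-]\d\d:\d\d \d+ (?P<code>\d+) "
    r"(?P<sev>\w+) (?P<text>[^,]+), (?P<body>.*)$")
# Split on ", " only where "Key=" follows, so values containing commas (DN-style
# group names) stay whole.
PAIR_SPLIT = re.compile(r",\s+(?=[\w][\w \-]*=)")


def normalize(line):
    """Parse one line into a flat record with canonical field names."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not an ISE syslog message")
    if m["segs"] != "1":  # long messages arrive as numbered segments; reassemble first
        raise ValueError(f"segment {m['seg']} of {m['segs']}: reassemble before parsing")
    fields = {}
    for kv in PAIR_SPLIT.split(m["body"]):
        key, _, value = kv.partition("=")
        fields[key.strip()] = value.strip()
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),  # zone dropped: all data in one zone here
        "code": m["code"],
        "user": fields.get("UserName"), "ip": fields.get("Framed-IP-Address"),
        "mac": fields.get("Calling-Station-ID"), "nas": fields.get("NetworkDeviceName"),
        "nas_port": fields.get("NAS-Port"), "media": fields.get("NAS-Port-Type"),
        "profile": fields.get("EndPointMatchedProfile"), "posture": fields.get("PostureStatus"),
        "identity_group": fields.get("IdentityGroup"), "groups": fields.get("AD-Groups", ""),
        "authz": fields.get("AuthorizationPolicyMatchedRule"),
    }


def build_sessions(lines):
    """ip -> successful authentications seen for that IP, oldest first."""
    sessions = {}
    for rec in sorted((normalize(l) for l in lines), key=lambda r: r["ts"]):
        if rec["code"] == "5200" and rec["ip"]:
            sessions.setdefault(rec["ip"], []).append(rec)
    return sessions


def context_for(sessions, ip, at):
    """Latest authentication for `ip` at or before the alert time. DHCP can hand the
    same IP to another host later, so the newest session is not always the right one."""
    before = [r for r in sessions.get(ip, []) if r["ts"] <= at]
    return before[-1] if before else None


MOBILE_PROFILES = {"Apple-iPad", "Apple-iPhone", "Android"}


def enrich(alert, sessions):
    """Attach ISE context to an IP-only alert and adjust its risk (assumed weights)."""
    ctx = context_for(sessions, alert["src"], alert["ts"])
    out = dict(alert, user=None, device=None, mac=None, location=None, authz=None,
               risk=alert["base_risk"], reasons=[])
    if ctx is None:
        out["reasons"].append("no ISE session for source IP at alert time")
        return out
    where = f"{ctx['nas']} port {ctx['nas_port']}" if ctx["nas_port"] else f"{ctx['nas']} ({ctx['media']})"
    out.update(user=ctx["user"], device=ctx["profile"], mac=ctx["mac"], location=where, authz=ctx["authz"])
    for hit, weight, reason in (
        ("IT Admins" in ctx["groups"], 30, "privileged user"),
        (ctx["posture"] != "Compliant", 15, f"posture {ctx['posture']}"),
        (ctx["identity_group"] == "Guest", 10, "guest user"),
        (ctx["profile"] in MOBILE_PROFILES, 10, "mobile device"),
    ):
        if hit:
            out["risk"] += weight
            out["reasons"].append(reason)
    return out


SESSIONS = build_sessions(SYSLOG)
# Constructed alerts in the shape of the IP-only network alert on page 3.
ALERTS = [
    {"ts": datetime(2014, 3, 26, 10, 5), "src": "10.1.20.7", "dst": "165.1.4.9", "proto": "HTTP", "base_risk": 40},
    {"ts": datetime(2014, 3, 26, 10, 5), "src": "10.1.30.9", "dst": "165.1.4.9", "proto": "HTTP", "base_risk": 40},
    {"ts": datetime(2014, 3, 26, 9, 30), "src": "10.1.20.7", "dst": "165.1.4.9", "proto": "HTTP", "base_risk": 40},
]

if __name__ == "__main__":
    for a in ALERTS:
        e = enrich(a, SESSIONS)
        print(a["src"], "->", e["user"], e["device"], e["location"], "risk", e["risk"], e["reasons"])
```

The third alert is the case that trips naive enrichment: it predates the only authentication ISE logged for that IP, so the correct answer is "no context", not "ssmith". In production the session table also has to consume the session-stop and accounting messages so an IP is released when the endpoint leaves, and the alert and ISE clocks must be in one time zone before the comparison.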

Page 18

Use case examples (table):

Identify Rogue Mobile Device
• Identifies Device Type: Mobile
• Histogram of Peer Group Activity
• Alert on Deviation from Group

Identify Suspicious Guest Activity
• Identifies User Role: Guest
• Model Access Attempts
• Alert on excessive failed access attempts
• Reports Network Access Switch

Identify Compromised User Accounts
• Geolocates each Authentication
• Alerts when same account used in different Geos

Identify Operational Issues
• Audits authentication process
• Learns standard authentication
• Recognizes unusual amount of errors or warnings
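Two of the detections above on constructed data, as an added example that is not LogRhythm code: the same account authenticating from two geolocations faster than anyone could travel (the compromised-account column) and a mobile device whose count of distinct servers contacted is far from its peer group's (the rogue-mobile column, a histogram comparison). The IP-to-city table stands in for a GeoIP database, and the coordinates, the speed limit and the outlier threshold are assumptions.

```python
"""Geo-velocity on one account and peer-group outliers for one device profile."""
import math
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed stand-in for a GeoIP lookup: ip -> (city, lat, lon). The two IPs from the
# page-3 alert are given assumed locations here.
GEO = {
    "65.32.7.45":  ("Tampa",    27.95,  -82.46),
    "165.1.4.9":   ("Chicago",  41.88,  -87.63),
    "203.0.113.8": ("Sydney",  -33.87,  151.21),
}

# Constructed authentications: timestamp, user, source IP.
RAW_AUTHS = [
    ("2014-03-26 09:00:00", "ssmith",   "65.32.7.45"),
    ("2014-03-26 09:40:00", "ssmith",   "203.0.113.8"),
    ("2014-03-26 09:00:00", "vsanchez", "65.32.7.45"),
    ("2014-03-26 15:00:00", "vsanchez", "165.1.4.9"),
    ("2014-03-26 10:00:00", "flee",     "198.51.100.4"),   # not in GEO: skipped, not guessed
    ("2014-03-26 10:05:00", "flee",     "165.1.4.9"),
]
AUTHS = [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), u, ip) for ts, u, ip in RAW_AUTHS]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance on a sphere of radius 6371 km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371 * math.asin(math.sqrt(a))


def impossible_travel(auths, max_kmh=900):
    """Flag consecutive authentications of one account whose implied speed exceeds
    max_kmh (roughly airliner speed). Returns [(user, from_city, to_city, km_per_hour)]."""
    by_user = defaultdict(list)
    for ts, user, ip in sorted(auths):
        by_user[user].append((ts, ip))
    hits = []
    for user, seq in by_user.items():
        for (t1, ip1), (t2, ip2) in zip(seq, seq[1:]):
            if ip1 == ip2 or ip1 not in GEO or ip2 not in GEO:
                continue
            km = haversine_km(*GEO[ip1][1:], *GEO[ip2][1:])
            hours = (t2 - t1).total_seconds() / 3600
            speed = km / hours if hours > 0 else math.inf
            if speed > max_kmh:
                hits.append((user, GEO[ip1][0], GEO[ip2][0], round(speed)))
    return hits


def peer_group_outliers(counts, threshold=3.5):
    """counts maps each device of one profile group (e.g. Apple-iPad) to its distinct
    server count for the day. Uses median and MAD so the outlier does not inflate its
    own baseline the way mean and standard deviation would; when MAD is zero (most
    peers identical) the scale falls back to the mean absolute deviation."""
    values = list(counts.values())
    if len(values) < 3:
        return []                        # too few peers to say what is normal
    med = statistics.median(values)
    devs = [abs(v - med) for v in values]
    mad = statistics.median(devs)
    scale = 1.4826 * mad if mad else 1.253314 * statistics.mean(devs)
    if scale == 0:
        return []                        # every device identical
    return sorted(d for d, c in counts.items() if (c - med) / scale > threshold)


# Constructed: distinct servers contacted today by each device profiled as Apple-iPad.
IPAD_PEERS = {"ipad-01": 4, "ipad-02": 5, "ipad-03": 3, "ipad-04": 6,
              "ipad-05": 5, "ipad-06": 4, "ipad-07": 5, "ipad-08": 40}

if __name__ == "__main__":
    print("impossible travel:", impossible_travel(AUTHS))
    print("peer-group outliers:", peer_group_outliers(IPAD_PEERS))
```

vsanchez moves Tampa to Chicago in six hours, which is under the limit, while ssmith's Tampa to Sydney jump in forty minutes implies tens of thousands of km/h. The peer comparison only makes sense within one profile group; compare an iPad against the laptop population and the deviation would mean nothing.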

Page 19

DEMO

Page 20

Q&A

Page 21

ISE Integration for Threat Defense Whitepaper: bit.ly/ise-siem-whitepaper

ISE+SIEM Integration Video to Share with Your Colleagues: bit.ly/ISE-SIEM-Video

More on LogRhythm’s Security Intelligence: http://www.logrhythm.com
