Cisco Identity Services Engine 1.3 White Paper
White Paper: Cisco Systems and the Migration from NAC to EVAS
© 2014 by The Enterprise Strategy Group, Inc. All Rights Reserved.
Enforcing granular network access policies. As previously described, EVAS provides contextual information for granular policy creation and enforcement. Once again, this can help decrease the attack surface by limiting access to sensitive content, assets, or network segments.
EVAS Use Case: During an Attack
When anomalous or suspicious behavior is detected, EVAS can help security analysts determine and limit the scope of an attack. This is accomplished by:
Integrating into advanced network-based threat defense systems. Network-based threat defense systems can analyze network behaviors and malicious activity, but they lack contextual knowledge about the presence or state of actual endpoints on the network. EVAS can fill this gap with its robust database on network endpoints. By sharing contextual knowledge with the threat defense systems, attack data can be correlated with endpoint connections, configurations, and behavior patterns over time when malicious activity is detected. This can help organizations accelerate their detection and response processes.
Blocking “kill chain” tactics emanating from compromised systems. Attacks tend to follow a “kill chain” where a compromised system reaches out to other network assets to steal credentials, escalate privileges, and exfiltrate valuable data. EVAS granular access controls can help mitigate this risk by blocking kill chain activities as they occur. For example, granular access policies may preclude a system from connecting to sensitive network segments or systems housing sensitive data. Beyond blocking these malicious activities, EVAS can also send the data on to SIEM systems for further analysis or to generate immediate security alerts.
Taking remediation actions to limit the scope of an attack. When an attack is discovered, the security operations team can use EVAS policies to minimize the potential impact. When a system exhibits anomalous behavior, it can be removed from the network, quarantined, or connected to a remediation VLAN or context-based segmentation. EVAS can also integrate with PCAP tools. Once a capture is taken and the additional context is provided as part of this PCAP, an administrator could decide to mirror network traffic coming from the suspect system to a honeypot/honeynet for further forensic analysis.
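As an added example (not from the paper and not Cisco's product code), the following Python sketches the "during an attack" loop described above: a network threat alert is enriched with endpoint context from an inventory store, checked against sensitive segments, and mapped to a context-based enforcement action. The endpoint records, alerts, segment ranges and action names are all constructed for illustration.

```python
"""Constructed example of alert enrichment and context-based enforcement."""
from ipaddress import ip_address, ip_network

# Constructed endpoint-context store, the kind of data an EVAS-style system
# holds about who and what is on the network.
ENDPOINTS = {
    "10.1.20.15": {"user": "jdoe", "device": "laptop", "posture": "compliant", "group": "finance"},
    "10.1.30.7": {"user": "svc-print", "device": "printer", "posture": "unknown", "group": "iot"},
}

# Constructed alerts, as a network-based threat defense system might emit them.
ALERTS = [
    {"src": "10.1.30.7", "dst": "10.1.40.3", "sig": "SMB connection burst"},
    {"src": "10.1.20.15", "dst": "10.1.60.5", "sig": "Anomalous SMB volume"},
    {"src": "10.1.99.9", "dst": "10.1.50.10", "sig": "Port scan"},
    {"src": "10.1.20.15", "dst": "10.1.40.3", "sig": "New external DNS resolver"},
]

# Constructed segments housing sensitive data (hypothetical ranges).
SENSITIVE_SEGMENTS = [ip_network("10.1.50.0/24"), ip_network("10.1.60.0/24")]

UNKNOWN = {"user": None, "device": "unknown", "posture": "unknown", "group": None}


def enrich(alert):
    """Join the alert with endpoint context and flag sensitive destinations."""
    ctx = ENDPOINTS.get(alert["src"], UNKNOWN)
    dst = ip_address(alert["dst"])
    sensitive = any(dst in net for net in SENSITIVE_SEGMENTS)
    return {**alert, **ctx, "sensitive_dst": sensitive}


def decide(enriched):
    """Map an enriched alert to a granular access action (names are constructed).

    Unknown endpoints are denied; a known endpoint touching a sensitive segment
    is quarantined; a non-compliant endpoint elsewhere goes to a remediation
    VLAN; everything else stays on the network and is forwarded to the SIEM.
    """
    if enriched["device"] == "unknown":
        return "deny_access"
    if enriched["sensitive_dst"]:
        return "quarantine_vlan"
    if enriched["posture"] != "compliant":
        return "restrict_to_remediation_vlan"
    return "monitor_and_forward_to_siem"


def triage(alerts=ALERTS):
    """Return (source, action) pairs for a batch of alerts."""
    return [(a["src"], decide(enrich(a))) for a in alerts]
```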
EVAS Use Case: After an Attack
After an attack is detected, EVAS can be used for:
Assessing endpoint profiles for vulnerabilities. Information from the EVAS database can be shared with vulnerability analysis tools to better and more quickly discover compromised systems. Vulnerability analysis tools can then assign a “high-priority” trouble ticket classification so that IT operations can prioritize a fix.
Remediating compromised systems. Many EVAS systems are integrated with MDM, patch management, and endpoint security systems. Once vulnerable systems are identified, EVAS can act as part of the fabric to automate fixes and monitor progress.
Fine-tuning access policies and security controls. Based upon attack analysis or threat intelligence, EVAS can be used to fine-tune access policies for blocking attack vectors or preventing the spread of attacks. For example, EVAS can work with networking and security equipment to segment application traffic or add new firewall rules or IPS signatures.