Configuration Guide for Cisco Identity Services Engine 1.1

At-A-Glance
[Figure: Cisco ISE + Splunk Delivers Identity/Device Aware Security & Threat Response. Diagram labels: Splunk; Cisco ISE; Identity/Device Context from ISE; Threat Response via ISE; pxGrid Context Sharing.]

Overview
Today’s diverse networks require effective security event visibility and 
the integration of accurate contextual data such as user identity, user 
privilege levels, endpoint device type, and endpoint security posture. 
The Cisco® Identity Services Engine (ISE) provides contextual data while 
Splunk provides the event visibility. It’s a powerful combination that 
provides administrators with a meaningful, easily understandable picture 
of security and other events on the network.

Splunk is a machine data platform that allows you to search, report, 
alert, and visualize any data that it ingests. Cisco ISE brings an added 
dimension to analyzing all this data. It attaches key contextual data (for 
example, username, location, network policy status) to events and data 
analyzed by Splunk. Meanwhile, Splunk brings an added dimension 
to Cisco ISE event monitoring: It helps enable user-driven analysis of 
that data to create customizable dashboards and reports. Furthermore, 
Splunk administrators may also use Cisco ISE as a conduit for taking 
mitigation actions on users or devices within the Cisco network 
infrastructure in response to an event in Splunk.

Integrating Cisco ISE and Splunk data and analysis provides IT 
operations with the context they need to quickly assess the significance 
of network and security events. They can answer critical questions (for 
example, Who is this event associated with? What level of access does 
the user have?) all within the Splunk system. For Cisco ISE, Splunk 
analysis of Cisco ISE data enables administrators to answer other key 
questions (for example, How many users have been accessing the 
network over the past six months? Are there noticeable trends?).

Use Cases
•  Prioritize important events: Use Cisco ISE contextual information to answer common questions needed to expedite the Splunk classification of, and response to, a security event.
•  Scrutinize mobile and device network activity: Splunk uses Cisco ISE device-type information to create security analytic policies specific to mobile devices for a comprehensive view of their security and performance status.
•  Scrutinize important users: Cisco ISE user information helps enable Splunk to create security policies for specific users or groups, such as populations with access to highly sensitive data or less trusted populations (for example, guests).
•  Visualize and analyze Cisco ISE telemetry and event data: Use Splunk to analyze and create alerts based on Cisco ISE event data, such as authentication attempts and network access trends.
•  Turn event analysis into action: Use Splunk to determine the threat associated with event data, then use Cisco ISE to take a network mitigation action (for example, quarantining or disconnecting a user).

© 2014 Cisco and/or its affiliates. All rights reserved.
Cisco ISE and Splunk Integration
Identity and Device Awareness for Splunk Analytics