How Cisco DNA Fights Network Threats


Cisco's Digital Network Architecture (DNA) offers automated network management, analytics and an array of network virtualization capabilities that enable enterprises to deploy network services practically on a whim. This week, the company announced updates to two components that also enable IT professionals to keep a more watchful eye on potential threats and isolate them when discovered.

Cisco Identity Services Engine (ISE) 2.2 now provides improved detection of anomalous application behavior on endpoints. Configurable DEFCON policy sets help ensure that an IT security team's response measures up to the severity of a given threat.

"You can't protect what you can't see," Kevin Skahill, senior director of Security Policy and Access at Cisco, told eSecurity Planet. "ISE provides visibility into who, what, where, when and how someone or something is attaching to the network, then correlates that with what's going on inside the network to give the security operator actionable intelligence." For example, ISE can alert security teams to the presence of "a PCI device that's exfiltrating data."

Meanwhile, Cisco TrustSec 6.1's software-defined segmentation capabilities can be used to box in network threats by restricting their movement, or to isolate attacks if they gain a foothold on the network. According to Cisco's estimates, this approach speeds security policy changes by 98 percent and slashes operational overhead by 80 percent.

"From a control perspective, TrustSec software-defined segmentation helps to carve up the attack surface so that when an attacker penetrates the perimeter, the scope of damages is reduced," explained Skahill. "Software-defined segmentation is a policy-driven way of specifying what users and systems can talk to other users and systems without having to rely on network topology for enforcement."

Compared to conventional methods of mitigating network threats, TrustSec can be a major time-saver. "Striping a new VLAN and resubnetting the network is a major undertaking, especially when across a global infrastructure," said Skahill, noting that the process "can lead to a lot of inconsistencies if not performed pervasively."

Combined, ISE and TrustSec enable businesses to take an agile, software-defined approach to guarding their corporate networks and the valuable data that reside in them.

"TrustSec allows you to enforce compliance, automate security operations, and stop attacks before they start," Skahill said. "With ISE as the controller, you can use a simple policy table to centrally manage communication flows, whether you have 10 network devices or 10,000."
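To make the group-based policy model described above concrete, here is an added toy in Python. It is not Cisco code and uses no ISE or TrustSec API; the security-group names, the classification rules, the two policy levels and the `SegmentationController` class are all assumptions constructed for illustration. It models the three ideas the article describes: endpoints are tagged into groups from who/what/where attributes rather than by address, permit/deny is decided by a group-to-group policy table with default deny, and raising the policy level or isolating a misbehaving endpoint changes the verdict without any re-subnetting.

```python
"""Toy model of topology-independent, group-based segmentation.

Constructed example (not Cisco's implementation). Endpoints are classified
into security groups from their attributes; traffic is permitted or denied
by a (source group, destination group) table; anything not listed is denied.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    name: str
    ip: str                      # present only to show it plays no role in the verdict
    user_role: str = "none"      # e.g. "employee", "contractor"
    device_type: str = "unknown" # e.g. "laptop", "pos-terminal", "server"
    location: str = "unknown"


# Policy tables keyed by (source group, destination group). Group and level
# names are assumptions for this example, not ISE/TrustSec identifiers.
POLICY_SETS = {
    "normal": {
        ("EMPLOYEE", "EMPLOYEE"): True,
        ("EMPLOYEE", "SERVERS"): True,
        ("CONTRACTOR", "SERVERS"): True,
        ("PCI_DEVICE", "PCI_SERVERS"): True,
        ("IOT", "IOT_COLLECTOR"): True,
    },
    # Stricter table for an escalated level: contractors lose server access.
    "escalated": {
        ("EMPLOYEE", "EMPLOYEE"): True,
        ("EMPLOYEE", "SERVERS"): True,
        ("PCI_DEVICE", "PCI_SERVERS"): True,
        ("IOT", "IOT_COLLECTOR"): True,
    },
}


class SegmentationController:
    """Assigns groups and answers permit/deny for a pair of endpoints."""

    def __init__(self) -> None:
        self.level = "normal"
        self.quarantined: set[str] = set()

    def classify(self, ep: Endpoint) -> str:
        """Map endpoint attributes to a group (constructed rules)."""
        if ep.name in self.quarantined:
            return "QUARANTINE"          # no table row or column: fully isolated
        if ep.device_type == "pos-terminal":
            return "PCI_DEVICE"
        if ep.device_type == "pci-server":
            return "PCI_SERVERS"
        if ep.device_type == "server":
            return "SERVERS"
        if ep.device_type == "camera":
            return "IOT"
        if ep.user_role == "employee" and ep.location == "corp":
            return "EMPLOYEE"
        if ep.user_role == "contractor":
            return "CONTRACTOR"
        return "UNKNOWN"                 # unknown endpoints match nothing: denied

    def set_level(self, level: str) -> None:
        if level not in POLICY_SETS:
            raise ValueError(f"unknown policy level: {level}")
        self.level = level

    def isolate(self, endpoint_name: str) -> None:
        """Quarantine an endpoint flagged as anomalous; no re-addressing needed."""
        self.quarantined.add(endpoint_name)

    def permitted(self, src: Endpoint, dst: Endpoint) -> bool:
        key = (self.classify(src), self.classify(dst))
        return POLICY_SETS[self.level].get(key, False)   # default deny


if __name__ == "__main__":
    ctl = SegmentationController()
    laptop = Endpoint("laptop-a", "10.1.1.5", "employee", "laptop", "corp")
    pos = Endpoint("pos-7", "10.20.3.4", device_type="pos-terminal", location="store")
    app = Endpoint("app-1", "10.9.0.10", device_type="server", location="dc")
    print("laptop -> app:", ctl.permitted(laptop, app))   # True
    print("pos -> app:", ctl.permitted(pos, app))         # False
    ctl.isolate("pos-7")
    print("pos (isolated) -> app:", ctl.permitted(pos, app))  # False
```

The verdict never consults `ip`: two employee laptops on different subnets get the same answer, which is the property the article attributes to software-defined segmentation. Escalating the level or quarantining an endpoint only edits the table or the classification, not the addressing plan.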

In today's threat landscape, time is of the essence. "Need changes? No problem – what would have taken months, quarters or even years can be done in minutes because it's 'software-defined,'" Skahill said.