Cisco Identity Services Engine (Cisco ISE)/pxGrid, combined with the integrated Fortra Vulnerability Management (Fortra VM), Web Application Scanning (WAS) and Active Threat Sweep (ATS) modules, helps reduce the risk of network cyber-attacks by identifying vulnerable and infected assets and blocking access for devices that could compromise the network and eventually breach critical systems. Combining these technologies creates greater device visibility and network access control, producing improved workflows and rapid responses to infrastructure threats.
Visualize
- Discover devices instantly without requiring agents
- Profile and classify devices, users, applications and operating systems
- Continuously monitor managed devices, including corporate, BYOD and IoT endpoints
Control
- Allow, deny or limit network access through Cisco ISE based on device posture and security policies
- Assess, prioritize and remediate malicious or high-risk endpoints
- Improve compliance with industry mandates and regulations
Automate and Orchestrate
- Share endpoint context from Cisco ISE via Cisco pxGrid with DDI's platform
- Create actionable workflows that let Cisco ISE automatically restore access based on scan results and the associated risk management
- Create dynamic, system-wide policy changes to quickly mitigate risks
Prioritization and Automation Optimize Workflows
Digital Defense’s SaaS platform digitally fingerprints hosts as continuous entities, reconciles asset changes from scan to scan using patented correlation algorithms (helping to minimize duplicates or unknown devices), prioritizes vulnerabilities, and automates workflow across the hybrid network so that better risk management decisions can be made quickly. The SaaS platform delivers highly accurate network and host assessments, through to intelligent integration with Cisco ISE for automating security workflows and policies.
Restricts Devices that May Introduce Risk
Cisco ISE/pxGrid reduces risk and contains threats by dynamically controlling network access. ISE can assess vulnerabilities reported by the SaaS platform and apply threat intelligence. ISE monitors devices and denies network access to any device based on known information. Combined, Cisco ISE uses the vulnerability intelligence and Security GPA® scoring as part of its access decision policies. Providing Cisco ISE with VM scanning intelligence allows it to take more granular action by restricting the access of a device that may introduce risk into the network.
The integration offers a policy for new devices: when a device that has not yet been assessed by the SaaS platform comes onto the network, ISE can request an immediate vulnerability scan. That same policy can restrict the device's access until ISE has received the data from Fortra VM, after which other policies determine what actions to take based on the findings.
Visibility
- As an endpoint attempts to connect to the network, ISE is immediately aware of it
- ISE requests the most recent scan results for the endpoint from the SaaS platform
- If the device has not been seen before, ISE can request that the platform scan the endpoint for vulnerabilities
Automated Scanning
- ISE can launch a scan from the scan repository based on a condition (e.g. a previously seen device has not been observed on the network for 3 days)
Policy Enforcement
- If critical vulnerabilities exist, ISE will quarantine or block the device so it does not become a launching point for advanced threats
- If vulnerabilities are present on the network for an extended time (e.g. 3 months), an ISE policy may quarantine or block the device
Automated Remediation
- ISE initiates automated remediation actions, or triggers external remediation via patch management
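The Visibility, Automated Scanning, Policy Enforcement and Automated Remediation steps above describe one decision flow: restrict and scan an unassessed device, rescan a device not seen for 3 days, and quarantine on critical or long-standing findings. The following is an added illustration of that flow as a small policy model; it is not Cisco's or Fortra's code, and the `Action`, `Finding`, `Endpoint` and `decide` names, the 90-day reading of "3 months", and the sample endpoints are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import List, Optional

# Hypothetical policy model: illustrates the ISE/Fortra VM decision flow, not a real API.
class Action(Enum):
    ALLOW = "allow"                          # scan data is current and clean
    RESTRICT_AND_SCAN = "restrict_and_scan"  # never assessed: limit access, request scan
    RESCAN = "rescan"                        # stale context: request a fresh scan
    QUARANTINE = "quarantine"                # critical or long-standing findings

@dataclass
class Finding:
    severity: str         # e.g. "critical", "high", "medium"
    first_seen: datetime  # when the scanner first reported it

@dataclass
class Endpoint:
    mac: str
    last_seen_on_network: Optional[datetime]
    last_scan: Optional[datetime]          # None: SaaS platform has no results yet
    findings: List[Finding] = field(default_factory=list)

UNSEEN_RESCAN_AFTER = timedelta(days=3)    # page: not seen in 3 days -> rescan
STALE_VULN_AFTER = timedelta(days=90)      # page: ~3 months unresolved -> quarantine

def decide(ep: Endpoint, now: datetime) -> Action:
    """Map endpoint context plus scan results to a network access action."""
    if ep.last_scan is None:
        return Action.RESTRICT_AND_SCAN
    if any(f.severity == "critical" for f in ep.findings):
        return Action.QUARANTINE
    if any(now - f.first_seen >= STALE_VULN_AFTER for f in ep.findings):
        return Action.QUARANTINE
    if ep.last_seen_on_network is None or now - ep.last_seen_on_network >= UNSEEN_RESCAN_AFTER:
        return Action.RESCAN
    return Action.ALLOW

def demo(now: datetime = datetime(2024, 1, 10)) -> dict:
    # Constructed sample endpoints, not real inventory data.
    eps = [
        Endpoint("aa:aa", now, None),
        Endpoint("bb:bb", now, now, [Finding("critical", now - timedelta(days=1))]),
        Endpoint("cc:cc", now, now, [Finding("medium", now - timedelta(days=120))]),
        Endpoint("dd:dd", now - timedelta(days=5), now - timedelta(days=5)),
        Endpoint("ee:ee", now, now, [Finding("low", now - timedelta(days=2))]),
    ]
    return {ep.mac: decide(ep, now).value for ep in eps}
```

Critical findings are checked before the stale-context rule so that a device with current but critical results is quarantined rather than merely rescanned.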