ThreatConnect and Cisco Identity Services Engine (ISE): Streamline Security Policy Updates

ThreatConnect and Cisco have partnered to deliver a Playbook app for joint customers to leverage. With this Playbook app, you can control the network status of an endpoint in Cisco ISE.

The Cisco Identity Services Engine (ISE) is your one-stop solution to streamline security policy management and reduce operating costs. With ISE, you can see users and devices controlling access across wired, wireless, and VPN connections to the corporate network. Combined with the power of ThreatConnect Playbooks, you can now fully automate endpoint status actions as part of security workflows.

The following actions are now available:

• Quarantine a host
• Unquarantine a host

Cisco ISE for Playbooks allows you to use ISE actions as part of a greater security automation or orchestration. Playbooks allow you to respond to events within your environment such as notifications from a SIEM, suspected phishing emails, or alerts from asset monitoring. Additionally, you can also automate tasks as part of an incident response Workflow. These situations provide an excellent opportunity to automatically employ Cisco ISE for Playbooks to take immediate action with your endpoints.

Configuration

Configuration Within Cisco ISE

In order to configure Cisco ISE to use the Cisco ISE for ThreatConnect Playbooks app, you must first enable Adaptive Network Control and configure the network access settings. Follow these steps from Cisco for this configuration.

Configuration Within ThreatConnect

In order to configure Cisco ISE for ThreatConnect Playbooks, follow these steps once you’ve placed the app into your Playbook and have opened it for editing:

1. On the Edit App screen, you will see a wizard used to configure this app. From the Action section of the wizard, select the Action you wish to use. Select Next.
2. From the Connection section of the wizard, enter the following details:
   1. Cisco ISE URL – The URL of the instance of Cisco ISE you wish to update.
   2. Cisco ISE Username – The username that should be used for Playbook actions that is authorized to make changes to the ANC policies.
   3. Cisco ISE Password – The password associated with the username you used in the field above.
   4. (Optional): Select to Verify SSL for Cisco ISE connections – This will check the validity of the certificate on the system located at the URL you specified above. If the certificate is not valid against what is configured for ThreatConnect Playbooks, the connection will fail.
3. From the Configuration section of the wizard, enter the following details:
   1. Mac Address – The Mac Address you wish to perform the Playbook action against.
   2. IP Address – The IP Address you wish to perform the Playbook action against.
   3. Policy Name – The ANC policy name where you wish to apply the Playbook action.

You should ensure that you specify at least a Mac Address or IP Address in the configuration wizard in order for the Playbook action to be effective. Click Save on the wizard to commit the changes and close the wizard. The integration is now configured and ready to be used.

Getting Started

Together, ThreatConnect and Cisco help security teams streamline their policy management and work more efficiently through the use of Playbooks. If you’re a ThreatConnect customer, please reach out to your dedicated Customer Success Team for more information on utilizing the Cisco ISE Playbook App. If you’re not yet a customer and are interested in ThreatConnect, contact sales@threatconnect.com.