How-To Integrate Cognitive Threat Analysis (CTA) and Cisco ISE using STIX Technology

This document is intended for Cisco engineers and customers integrating CTA (Cognitive Threat Analytics) with Cisco Identity Services Engine (ISE 2.2) using the Cisco Web Security Appliance (WSA). Supported WSA AsyncOS images are WSA 8.5.1 GD, WSA 8.0.8, WSA 7.7.5 and 9.1.1-074; supported WSA hardware is WSA-S100V, WSA S160, WSA 5300V and Virtual WSA. ISE requires an APEX license to subscribe to the CTA cloud instance.

Readers should have some familiarity with ISE and WSA. It is assumed that all licenses have been installed and that the reader has an account on the Cisco CTA cloud instance.

CTA uses WSA telemetry to identify security breaches and infected devices through web-traffic behaviour analysis, machine learning and anomaly detection. These incidents are reported to ISE using MITRE's Trusted Automated eXchange of Indicator Information (TAXII) as the transport protocol; the reported incidents are expressed in the Structured Threat Information eXpression (STIX) language and enter ISE through the Incident Response Feed (IRF) CTA adapter.

This gives ISE visibility into compromised endpoints. The ISE admin can take Adaptive Network Control (ANC) mitigation actions to quarantine these endpoints automatically, by configuring ISE CTA Course of Action authorization policies that limit network access or assign Security Group Tags (SGTs), or manually, by assigning the compromised endpoint to an ISE ANC quarantine policy.
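To make the data flow above concrete, the following added example (not code from the document, Cisco or the CTA adapter) shows the defender-side logic of the integration: parse a threat feed expressed in STIX, pull out the affected endpoints, and map each report's confidence to a course-of-action label that an ANC policy could act on. The bundle is constructed and uses STIX 2.1 JSON purely for illustration; the actual wire format and the ISE course-of-action attribute values used by the CTA adapter are not shown on this page, so the policy labels (`QUARANTINE`, `MONITOR`, `NONE`) and the confidence thresholds are assumptions of this example.

```python
"""Map STIX-style incident reports to course-of-action labels for ANC policy.

Added illustration only. The bundle below is constructed; the field names are
those of STIX 2.1 JSON, not necessarily what the CTA adapter delivers to ISE.
"""
import json
import re
from typing import Dict, List, Optional

# Policy thresholds and labels are assumptions of this example, not ISE values.
QUARANTINE_MIN_CONFIDENCE = 90   # auto-quarantine only very confident reports
MONITOR_MIN_CONFIDENCE = 50      # below this, just record the report

# Constructed sample feed: one STIX 2.1 bundle with several indicator objects
# (plus one non-indicator object that the parser must ignore).
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "created": "2017-03-01T10:00:00.000Z", "modified": "2017-03-01T10:00:00.000Z",
         "name": "Constructed: beaconing to suspected command server",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '10.20.30.40']",
         "valid_from": "2017-03-01T10:00:00.000Z", "confidence": 95},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "created": "2017-03-01T10:05:00.000Z", "modified": "2017-03-01T10:05:00.000Z",
         "name": "Constructed: anomalous upload volume",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '10.20.30.41']",
         "valid_from": "2017-03-01T10:05:00.000Z", "confidence": 60},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000004",
         "created": "2017-03-01T10:10:00.000Z", "modified": "2017-03-01T10:10:00.000Z",
         "name": "Constructed: low-confidence anomaly",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '10.20.30.42']",
         "valid_from": "2017-03-01T10:10:00.000Z", "confidence": 20},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000005",
         "created": "2017-03-01T10:15:00.000Z", "modified": "2017-03-01T10:20:00.000Z",
         "name": "Constructed: withdrawn report (revoked)",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '10.20.30.43']",
         "valid_from": "2017-03-01T10:15:00.000Z", "confidence": 99, "revoked": True},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000006",
         "created": "2017-03-01T10:25:00.000Z", "modified": "2017-03-01T10:25:00.000Z",
         "name": "Constructed: report without a confidence score",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '10.20.30.44']",
         "valid_from": "2017-03-01T10:25:00.000Z"},
        {"type": "identity", "spec_version": "2.1",
         "id": "identity--00000000-0000-4000-8000-000000000007",
         "created": "2017-03-01T09:00:00.000Z", "modified": "2017-03-01T09:00:00.000Z",
         "name": "Constructed feed producer", "identity_class": "system"},
    ],
})

_IPV4_IN_PATTERN = re.compile(r"ipv4-addr:value\s*=\s*'([^']+)'")


def extract_ip(pattern: str) -> Optional[str]:
    """Return the first IPv4 literal in a STIX pattern, or None if there is none."""
    match = _IPV4_IN_PATTERN.search(pattern or "")
    return match.group(1) if match else None


def course_of_action(confidence: Optional[int]) -> str:
    """Turn a 0-100 confidence into a policy label (thresholds are assumptions).

    A missing confidence is treated as 'MONITOR': never auto-quarantine on an
    unscored report, but do not silently drop it either.
    """
    if confidence is None:
        return "MONITOR"
    if confidence >= QUARANTINE_MIN_CONFIDENCE:
        return "QUARANTINE"
    if confidence >= MONITOR_MIN_CONFIDENCE:
        return "MONITOR"
    return "NONE"


def incidents_from_bundle(raw: str) -> List[dict]:
    """Parse a STIX 2.1 bundle and return endpoint reports worth acting on.

    Skips non-indicator objects, revoked indicators and patterns that do not
    name an IPv4 endpoint, so a bad or withdrawn object cannot drive an action.
    """
    bundle = json.loads(raw)
    if bundle.get("type") != "bundle" or not isinstance(bundle.get("objects"), list):
        raise ValueError("not a STIX bundle")
    reports = []
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator" or obj.get("revoked", False):
            continue
        endpoint = extract_ip(obj.get("pattern", ""))
        if endpoint is None:
            continue
        reports.append({"endpoint": endpoint, "name": obj.get("name", ""),
                        "confidence": obj.get("confidence")})
    return reports


def anc_decisions(raw: str) -> Dict[str, str]:
    """Map each reported endpoint to the course-of-action label for ANC policy."""
    return {r["endpoint"]: course_of_action(r["confidence"])
            for r in incidents_from_bundle(raw)}


if __name__ == "__main__":
    for endpoint, action in sorted(anc_decisions(SAMPLE_BUNDLE).items()):
        print(f"{endpoint:<14} {action}")
```

The two checks that matter operationally are the ones on `revoked` and on a missing confidence: a feed that withdraws a report must not leave an endpoint quarantined, and an unscored report should be surfaced to the admin rather than either auto-blocked or discarded.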

Comments
Cisco Employee

I'm prospecting a customer who is interested in ANC on the ISE and the Stealthwatch. Stealthwatch now brings a CTA account and the customer is also considering TC-NAC to integrate with the CTA account. So let me ask some questions.
*Are the configuration tasks and the license requirements the same as in the document about WSA/CTA you have attached here?
*What license should the customer purchase? You say "ISE requires an APEX license for the ability to subscribe to CTA cloud instance." My customer would use the C1 bundled license (ISE Base and Plus) with the Catalyst 9K. In this condition, I assume they will have to purchase only an Apex license because the bundled license includes the Plus license, which means they are eligible to use ANC. They only need TC-NAC, they won't use MDM nor Posture.
*If the assumption above is right, how many Apex licenses should they purchase? Is the L-ISE-APX-[x]Y-S1 minimum for this scenario?