This document is intended for Cisco engineers and customers integrating Cognitive Threat Analytics (CTA) with Cisco Identity Services Engine (ISE 2.2) using the Cisco Web Security Appliance (WSA). Supported WSA AsyncOS images are WSA 8.5.1 GD, WSA 8.0.8, WSA 7.7.5 and 9.1.1-074; supported WSA hardware is WSA-S100V, WSA S160, WSA 5300V and Virtual WSA. ISE requires an APEX license to subscribe to the CTA cloud instance.
Readers should have some familiarity with ISE and WSA; it is assumed that all licenses have been installed and that the reader has an account on the Cisco CTA cloud instance.
CTA uses WSA telemetry to identify security breaches and infected devices through web-traffic behavior analysis, machine learning and anomaly detection. Detected incidents are reported to ISE using MITRE's Trusted Automated eXchange of Indicator Information (TAXII) as the transport protocol, with the incident content expressed in Structured Threat Information eXpression (STIX) format; ISE consumes these incidents through the Incident Response Feed (IRF) CTA adapter.
This gives ISE visibility into compromised endpoints. The ISE administrator can then apply Adaptive Network Control (ANC) mitigation in two ways: automatically, by configuring ISE authorization policies keyed on the CTA Course of Action that limit network access or assign Security Group Tags (SGTs), or manually, by assigning the compromised endpoint to an ISE ANC quarantine policy.