The Threat Centric Network Access Control (TC-NAC) feature enables you to create authorization policies based on the threat and vulnerability attributes received from the threat and vulnerability adapters. Threat severity levels and vulnerability assessment results can be used to dynamically control the access level of an endpoint or a user.
You can configure the vulnerability and threat adapters to send high-fidelity Indications of Compromise (IoC), Threat Detected events, and CVSS scores to Cisco ISE, so that threat-centric access policies can be created to change the privilege and context of an endpoint accordingly.
Cisco ISE supports the following adapters:
When a threat event is detected for an endpoint, you can select the MAC address of the endpoint on the Compromised Endpoints window and apply an ANC policy, such as Quarantine. Cisco ISE triggers CoA for that endpoint and applies the corresponding ANC policy. If an ANC policy is not available, Cisco ISE triggers CoA for that endpoint and applies the original authorization policy. You can use the Clear Threat and Vulnerabilities option on the Compromised Endpoints window to clear the threat and vulnerabilities associated with an endpoint from the Cisco ISE system database.
The following attributes are listed under the Threat dictionary:
- CTA-Course_Of_Action (values can be Internal Blocking, Eradication, or Monitoring)
- Qualys-CVSS_Base_Score
- Qualys-CVSS_Temporal_Score
- Rapid7 Nexpose-CVSS_Base_Score
- Tenable Security Center-CVSS_Base_Score
- Tenable Security Center-CVSS_Temporal_Score
The valid range is from 0 to 10 for both Base Score and Temporal Score attributes.
When a vulnerability event is received for an endpoint, Cisco ISE triggers CoA for that endpoint. However, CoA is not triggered when a threat event is received.
You can create an authorization policy that uses the vulnerability attributes to automatically quarantine vulnerable endpoints based on the attribute values. For example:
Any Identity Group & Threat:Qualys-CVSS_Base_Score > 7.0 -> Quarantine
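The rule above, the 0 to 10 range of the score attributes, and the difference in CoA behaviour between vulnerability and threat events, as an added Python example. This is not Cisco ISE code: the event shapes, profile names, function names and the sample endpoints are assumptions made for the example.

```python
"""Added example (not Cisco ISE code): a simulator of the vulnerability-driven
authorization flow described above. Event shapes, function names, profile
names and the sample endpoints are assumptions made for this example."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Threat dictionary attributes named on the page; CVSS scores are valid only in 0..10.
CVSS_ATTRIBUTES = {
    "Threat:Qualys-CVSS_Base_Score",
    "Threat:Qualys-CVSS_Temporal_Score",
    "Threat:Rapid7 Nexpose-CVSS_Base_Score",
    "Threat:Tenable Security Center-CVSS_Base_Score",
    "Threat:Tenable Security Center-CVSS_Temporal_Score",
}
COURSE_OF_ACTION_VALUES = {"Internal Blocking", "Eradication", "Monitoring"}
CoaRecord = Tuple[str, str, str]  # (mac, old profile, new profile)


@dataclass
class Endpoint:
    mac: str
    identity_group: str
    original_profile: str   # profile granted by the original authorization
    current_profile: str    # profile currently applied
    attributes: Dict[str, object] = field(default_factory=dict)


@dataclass
class Rule:
    """One authorization rule: identity-group condition plus a Threat dictionary check."""
    name: str
    identity_group: Optional[str]   # None means "Any Identity Group"
    condition: Callable[[Dict[str, object]], bool]
    profile: str

    def matches(self, ep: Endpoint) -> bool:
        if self.identity_group is not None and self.identity_group != ep.identity_group:
            return False
        try:
            return bool(self.condition(ep.attributes))
        except KeyError:  # attribute not present on this endpoint: the rule does not match
            return False


def validate_attributes(attrs: Dict[str, object]) -> Dict[str, object]:
    """Reject values the Threat dictionary does not allow (scores must be 0..10)."""
    for key, value in attrs.items():
        if key in CVSS_ATTRIBUTES:
            if not isinstance(value, (int, float)) or not 0 <= value <= 10:
                raise ValueError(f"{key} must be within 0..10, got {value!r}")
        elif key == "Threat:CTA-Course_Of_Action" and value not in COURSE_OF_ACTION_VALUES:
            raise ValueError(f"unexpected course of action {value!r}")
    return attrs


def handle_event(kind: str, ep: Endpoint, attrs: Dict[str, object],
                 rules: List[Rule], coa_log: List[CoaRecord]) -> Optional[str]:
    """Apply one adapter event ('vulnerability' or 'threat') to an endpoint.

    A vulnerability event triggers CoA and re-evaluation against the rules;
    a threat event only updates the endpoint's threat attributes and issues
    no CoA, as the page states. Returns the name of the rule that decided
    the new profile, or None when no CoA was issued.
    """
    ep.attributes.update(validate_attributes(attrs))
    if kind != "vulnerability":
        return None
    for rule in rules:  # first matching rule wins
        if rule.matches(ep):
            decided, new_profile = rule.name, rule.profile
            break
    else:  # nothing matched: fall back to the original authorization
        decided, new_profile = "original authorization", ep.original_profile
    coa_log.append((ep.mac, ep.current_profile, new_profile))
    ep.current_profile = new_profile
    return decided


# The rule quoted on the page: Any Identity Group & Threat:Qualys-CVSS_Base_Score > 7.0 -> Quarantine
QUARANTINE_HIGH_CVSS = Rule(
    name="Quarantine high CVSS",
    identity_group=None,
    condition=lambda a: a["Threat:Qualys-CVSS_Base_Score"] > 7.0,
    profile="Quarantine",
)


def demo() -> Tuple[Endpoint, Endpoint, List[CoaRecord]]:
    """Constructed endpoints and events, not captured from a real deployment."""
    coa_log: List[CoaRecord] = []
    rules = [QUARANTINE_HIGH_CVSS]
    laptop = Endpoint("00:11:22:33:44:55", "Employee", "PermitAccess", "PermitAccess")
    printer = Endpoint("66:77:88:99:AA:BB", "Printers", "PermitAccess", "PermitAccess")
    # Qualys reports a critical finding: CoA, the rule matches, Quarantine is applied.
    handle_event("vulnerability", laptop, {"Threat:Qualys-CVSS_Base_Score": 9.8}, rules, coa_log)
    # A later scan shows remediation: CoA again, no rule matches, original profile restored.
    handle_event("vulnerability", laptop, {"Threat:Qualys-CVSS_Base_Score": 2.0}, rules, coa_log)
    # A CTA threat event only updates context; no CoA is issued for threat events.
    handle_event("threat", printer, {"Threat:CTA-Course_Of_Action": "Monitoring"}, rules, coa_log)
    return laptop, printer, coa_log


if __name__ == "__main__":
    for mac, old, new in demo()[2]:
        print(f"CoA for {mac}: {old} -> {new}")
```

The second vulnerability event shows the fallback path: once the score drops below the rule's threshold, nothing matches and the endpoint returns to its original authorization, which is also what the CoA Events report records as the old and new profile.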
To view the logs of an endpoint that is automatically quarantined during CoA events, choose . To view the logs of an endpoint that is quarantined manually, choose .
Note the following points while enabling the Threat Centric NAC service:
- The Threat Centric NAC service requires a Cisco ISE Apex license.
- The Threat Centric NAC service can be enabled on only one node in a deployment.
- You can add only one instance of an adapter per vendor for the Vulnerability Assessment service. However, you can add multiple instances of the FireAMP adapter.
- You can stop and restart an adapter without losing its configuration. After configuring an adapter, you can stop it at any point in time. The adapter remains stopped even when the ISE services are restarted. Select the adapter and click Restart to start it again.
Note: When an adapter is in the Stopped state, you can edit only the name of the adapter instance; you cannot edit the adapter configuration or the advanced settings.
You can view the threat information for the endpoints on the following pages:
The following alarms are triggered by the Threat Centric NAC service:
- Adapter not reachable (syslog ID: 91002): Indicates that the adapter cannot be reached.
- Adapter Connection Failed (syslog ID: 91018): Indicates that the adapter is reachable but the connection between the adapter and the source server is down.
- Adapter Stopped Due to Error (syslog ID: 91006): This alarm is triggered if the adapter is not in the desired state. If this alarm is displayed, check the adapter configuration and server connectivity. Refer to the adapter logs for more details.
- Adapter Error (syslog ID: 91009): Indicates that the Qualys adapter is unable to establish a connection with or download information from the Qualys site.
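The four alarm IDs above, classified and counted from log lines, as an added Python example. This is not Cisco ISE code: the line layout and the sample lines are constructed for the example (real ISE syslog messages have their own layout, so the regular expression would need adjusting before use on real data), and the function names are assumptions.

```python
"""Added example (not Cisco ISE code): classify the TC-NAC alarm syslog IDs
listed above from log lines and count them per adapter. The line layout and
the sample lines are constructed for this example; real ISE syslog messages
have their own layout, so adjust ALARM_RE before using this on real data."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Syslog ID -> (alarm name, meaning) as documented on the page.
TCNAC_ALARMS: Dict[int, tuple] = {
    91002: ("Adapter not reachable", "the adapter cannot be reached"),
    91018: ("Adapter Connection Failed", "adapter reachable, but its connection to the source server is down"),
    91006: ("Adapter Stopped Due to Error", "adapter not in the desired state; check configuration, connectivity and adapter logs"),
    91009: ("Adapter Error", "Qualys adapter cannot connect to or download from the Qualys site"),
}

# Constructed layout: "<timestamp> <node> TC-NAC id=<syslog id> adapter=<instance> msg=..."
ALARM_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<node>\S+)\s+TC-NAC\s+id=(?P<id>\d+)\s+adapter=(?P<adapter>\S+)")

# Constructed sample lines; the last TC-NAC line uses a made-up id to exercise the unknown case.
SAMPLE_LOG = """\
2024-05-01T10:00:05Z ise-pan TC-NAC id=91002 adapter=Qualys-Prod msg="adapter not reachable"
2024-05-01T10:05:05Z ise-pan TC-NAC id=91002 adapter=Qualys-Prod msg="adapter not reachable"
2024-05-01T10:06:12Z ise-pan TC-NAC id=91018 adapter=Nexpose-DC1 msg="connection to source server failed"
2024-05-01T10:07:40Z ise-pan TC-NAC id=91006 adapter=Qualys-Prod msg="adapter stopped due to error"
2024-05-01T10:08:00Z ise-pan SYSTEM heartbeat ok
2024-05-01T10:09:00Z ise-pan TC-NAC id=99999 adapter=Tenable-SC msg="made-up id for the unknown case"
"""


def classify(line: str) -> Optional[Dict[str, object]]:
    """Return the parsed alarm for a TC-NAC line, or None for any other line."""
    m = ALARM_RE.match(line)
    if not m:
        return None
    syslog_id = int(m["id"])
    name, meaning = TCNAC_ALARMS.get(syslog_id, ("Unknown TC-NAC alarm", "no description on record"))
    return {"ts": m["ts"], "node": m["node"], "adapter": m["adapter"],
            "syslog_id": syslog_id, "alarm": name, "meaning": meaning}


def summarize(log_text: str) -> Dict[str, Dict[str, int]]:
    """Count alarms per adapter instance so repeated failures stand out."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        alarm = classify(line)
        if alarm:
            counts[alarm["adapter"]][alarm["alarm"]] += 1
    return {adapter: dict(alarms) for adapter, alarms in counts.items()}


def adapters_needing_review(log_text: str) -> List[str]:
    """Adapters that raised 'Adapter Stopped Due to Error' (91006): the page
    says to check configuration and server connectivity for these."""
    return sorted(adapter for adapter, alarms in summarize(log_text).items()
                  if "Adapter Stopped Due to Error" in alarms)


if __name__ == "__main__":
    for adapter, alarms in summarize(SAMPLE_LOG).items():
        print(adapter, alarms)
    print("review:", adapters_needing_review(SAMPLE_LOG))
```

Counting per adapter instance rather than per ID is deliberate: two "Adapter not reachable" alarms followed by "Adapter Stopped Due to Error" on the same instance is the sequence a stopped adapter produces, and the adapter logs in the support bundle are where to look next.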
The following reports are available for the Threat Centric NAC service:
- Adapter Status: The Adapter Status report displays the status of the threat and vulnerability adapters.
- CoA Events: When a vulnerability event is received for an endpoint, Cisco ISE triggers CoA for that endpoint. The CoA Events report displays the status of these CoA events. It also displays the old and new authorization rules and the profile details for these endpoints.
- Threat Events: The Threat Events report provides a list of all the threat events that Cisco ISE receives from the various adapters that you have configured. Vulnerability Assessment events are not included in this report.
- Vulnerability Assessment: The Vulnerability Assessment report provides information about the assessments that are happening for your endpoints. You can view this report to check whether the assessment is happening based on the configured policy.
You can view the following information from Operations > Reports > Diagnostics > ISE Counters > Threshold Counter Trends:
- Total number of events received
- Total number of threat events
- Total number of vulnerability events
- Total number of CoAs issued (to PSN)
The values for these attributes are collected every 5 minutes, so these values represent the count for the last 5 minutes.
The Threat dashboard contains the following dashlets:
- Total Compromised Endpoints dashlet displays the total number of endpoints (both connected and disconnected endpoints) that are currently impacted on the network.
- Compromised Endpoints Over Time dashlet displays a historical view of the impact on endpoints for the specified time period.
- Top Threats dashlet displays the top threats based on the number of endpoints impacted and the severity of the threat.
- You can use the Threats Watchlist dashlet to analyze the trend of selected events.
The size of the bubbles in the Top Threats dashlet indicates the number of endpoints impacted and the light shaded area indicates the number of disconnected endpoints.
The color as well as the vertical scale indicate the severity of the threat. There are two categories of threat—Indicators
and Incidents. The severity attribute for Indicator is "Likely_Impact" and the severity attribute for Incident is "Impact_Qualification".
The Compromised Endpoints window displays a matrix view of the endpoints that are impacted and the severity of the impact for each threat category. You can click the device link to view the detailed threat information for an endpoint.
The Course Of Action chart displays the action taken (Internal Blocking, Eradication, or Monitoring) for the threat incidents
based on the CTA-Course_Of_Action attribute received from the CTA adapter.
The Vulnerability dashboard on the Home page contains the following dashlets:
- Total Vulnerable Endpoints dashlet displays the total number of endpoints that have a CVSS score greater than the specified value. It also displays the total number of connected and disconnected endpoints that have a CVSS score greater than the specified value.
- Top Vulnerability dashlet displays the top vulnerabilities based on the number of endpoints impacted or the severity of the vulnerability. The size of the bubbles in the Top Vulnerability dashlet indicates the number of endpoints impacted and the light shaded area indicates the number of disconnected endpoints. The color as well as the vertical scale indicates the severity of the vulnerability.
- You can use the Vulnerability Watchlist dashlet to analyze the trend of selected vulnerabilities over a period of time. Click the search icon in the dashlet and enter the vendor-specific ID ("qid" for the Qualys ID number) to select and view the trend for that particular ID number.
- The Vulnerable Endpoints Over Time dashlet displays a historical view of the impact on endpoints over time.
The Endpoint Count By CVSS graph on the Vulnerable Endpoints window shows the number of endpoints that are affected and their CVSS scores. You can also view the list of affected endpoints on the Vulnerable Endpoints window. You can click the device link to view the detailed vulnerability information for each endpoint.
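The figures behind the Vulnerability dashboard dashlets and the Endpoint Count By CVSS graph (endpoints above a CVSS threshold split by connection state, top vulnerabilities ranked by endpoints impacted and severity, the per-score histogram, and a watchlist trend for one vendor ID), computed from a set of findings, as an added Python example. This is not Cisco ISE code: the field names, the qid placeholders and the findings are constructed for the example.

```python
"""Added example (not Cisco ISE code): derive the figures the Vulnerability
dashboard dashlets and the Endpoint Count By CVSS graph show from a set of
vulnerability findings. Field names, the qids and the findings are
constructed for this example."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Finding:
    mac: str
    connected: bool
    qid: str      # vendor-specific id (a Qualys QID, for example); placeholders here
    cvss: float   # CVSS base score, 0..10


# Constructed findings: one endpoint may carry several, and a qid may hit many endpoints.
FINDINGS: List[Finding] = [
    Finding("00:11:22:33:44:01", True, "qid-example-A", 9.8),
    Finding("00:11:22:33:44:01", True, "qid-example-B", 5.3),
    Finding("00:11:22:33:44:02", False, "qid-example-A", 9.8),
    Finding("00:11:22:33:44:03", True, "qid-example-B", 5.3),
    Finding("00:11:22:33:44:04", False, "qid-example-C", 7.5),
    Finding("00:11:22:33:44:05", True, "qid-example-B", 5.3),
    Finding("00:11:22:33:44:06", True, "qid-example-D", 3.1),
]


def worst_score_per_endpoint(findings: List[Finding]) -> Dict[str, Tuple[float, bool]]:
    """Represent each endpoint by its highest CVSS score: the dashlets count endpoints, not findings."""
    worst: Dict[str, Tuple[float, bool]] = {}
    for f in findings:
        if f.cvss > worst.get(f.mac, (-1.0, f.connected))[0]:
            worst[f.mac] = (f.cvss, f.connected)
    return worst


def total_vulnerable(findings: List[Finding], threshold: float) -> Dict[str, int]:
    """Total Vulnerable Endpoints dashlet: endpoints above the threshold, split by connection state."""
    hits = [conn for score, conn in worst_score_per_endpoint(findings).values() if score > threshold]
    connected = sum(1 for conn in hits if conn)
    return {"total": len(hits), "connected": connected, "disconnected": len(hits) - connected}


def top_vulnerabilities(findings: List[Finding], n: int = 3) -> List[Tuple[str, int, int, float]]:
    """Top Vulnerability dashlet: (qid, endpoints impacted, disconnected endpoints, severity),
    ranked by endpoints impacted and then severity (bubble size, shaded area, colour)."""
    endpoints: Dict[str, set] = defaultdict(set)
    disconnected: Dict[str, set] = defaultdict(set)
    severity: Dict[str, float] = {}
    for f in findings:
        endpoints[f.qid].add(f.mac)
        if not f.connected:
            disconnected[f.qid].add(f.mac)
        severity[f.qid] = max(severity.get(f.qid, 0.0), f.cvss)
    rows = [(qid, len(macs), len(disconnected[qid]), severity[qid]) for qid, macs in endpoints.items()]
    rows.sort(key=lambda r: (r[1], r[3]), reverse=True)
    return rows[:n]


def endpoint_count_by_cvss(findings: List[Finding]) -> Dict[int, int]:
    """Endpoint Count By CVSS graph: endpoints per whole-number CVSS bucket of their worst score."""
    buckets = Counter(int(score) for score, _ in worst_score_per_endpoint(findings).values())
    return dict(sorted(buckets.items()))


def watchlist_trend(snapshots: List[Tuple[str, List[Finding]]], qid: str) -> List[Tuple[str, int]]:
    """Vulnerability Watchlist dashlet: endpoints impacted by one qid per snapshot date."""
    return [(day, len({f.mac for f in findings if f.qid == qid})) for day, findings in snapshots]


if __name__ == "__main__":
    print(total_vulnerable(FINDINGS, 7.0))
    print(top_vulnerabilities(FINDINGS))
    print(endpoint_count_by_cvss(FINDINGS))
    print(watchlist_trend([("day-1", FINDINGS[:3]), ("day-2", FINDINGS)], "qid-example-B"))
```

Reducing each endpoint to its worst score first is what keeps the counts honest: an endpoint with three findings is still one vulnerable endpoint, and the threshold comparison uses "greater than", matching the dashlet's definition above.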
Threat Centric NAC service logs are included in the support bundle, under support/logs/TC-NAC/.