Cisco Identity Services Engine (ISE) is relatively easy to deploy but surprisingly hard to maintain properly. The key word in that sentence is “properly”. This post walks through what it takes to get the most out of Cisco ISE and to keep it delivering security that is real, provable, and reliable.
While I’m not an Active Directory expert, I assume the pitfalls of AD administration are very similar to the pitfalls of ISE administration: if the sprawl goes unchecked for long enough, the mess is simply too big to clean up. In addition, it is far too easy to create a rule in ISE that bypasses every security measure ISE is designed to provide, and frankly I see this far too often. An individual or a whole site is down, the engineer is under pressure, and they create a “Temp” rule to get everyone up and running instantly. In practice that rule tends to match on how a device connected (a site, a switch, or plain MAB) rather than on who or what the device is, and it hands out PermitAccess. Like most “temp” rules in any security product, somehow it is still in place years later. At that point you don’t have any NAC security whatsoever. It’s that easy.
Finally, a lot of the “mess” in ISE deployments can be attributed to employee turnover. This holds particularly true when temporary staff were brought in to cover the gap while a full-time employee (FTE) was being recruited, trained, and onboarded.
Internal ISE Management
If your organization has the right expertise, an MSP doesn’t really do anything you can’t do yourself. There is no magic bullet or secret knowledge. The issue, more often than not, is that security groups are understaffed and overworked. You have seen the news: security is not an easy gig, and many engineers spend all day putting out fires. There simply isn’t enough time in the day to be proactive and keep a close eye on your systems. This is where an MSP comes in: the MSP is paid to do this work exclusively, and there is no higher priority.
What Does an ISE MSP do?
Well, let’s talk about what they should do.😊
Patching & Upgrades
This one probably goes without saying, but patching and upgrades take time and are easy to put off until “next quarter”. Enlisting the services of an MSP ensures that your ISE deployment stays consistently up to date, with swift attention to security patches and continuous maintenance to keep you on the most stable version of the software, with a current configuration backup taken before every upgrade. This investment is invaluable, sparing your already-busy employees from dedicating 10 hours on a Saturday to perform an upgrade correctly.
Are your ISE rules doing what you think they are doing? This is the first question that should be asked, and it should be asked frequently. How do you know? How do you prove it? For most deployments the honest answer is rule hit counts and the live authentication logs: a rule that has matched nothing in months, or one that is matching far more sessions than it was written for, is telling you something.
Start with a full review of the existing rule base. After that initial review, every rule modification generates an audit trail, and your ISE expert should review each change to confirm that it does what it was intended to do, does not conflict with or shadow another rule (authorization rules are evaluated top-down, first match wins), and is not too “generous” with the access it grants.
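The kind of review described above, and the “Temp” rule problem from the opening of this post, can be turned into a repeatable check. The script below is an added example written for this post; it is not Cisco code and not ISE’s own API client. It audits an exported authorization rule set offline: the rule objects are a constructed sample whose shape (rule / condition / profile) is modelled on ISE’s policy export, and the field names, the dictionary names, and the AD join point name `AD1` are assumptions to adjust to what your deployment actually exports.

```python
"""Offline audit of an exported ISE authorization rule set.

Added example for this post, not Cisco code and not ISE's API client.
The rule objects below are a constructed sample whose shape
(rule / condition / profile) is modelled on ISE's policy export; the
field names, dictionary names and the join point name "AD1" are
assumptions, so adjust them to match what your deployment exports.
"""
import re

# Constructed sample: the authorization rules of one policy set, in the
# order ISE evaluates them (top-down, first match wins).
SAMPLE_RULES = [
    {
        "rule": {
            "name": "Corp_Laptops", "state": "enabled", "default": False,
            "condition": {
                "conditionType": "ConditionAndBlock",
                "children": [
                    {"conditionType": "ConditionReference", "name": "Wired_802.1X"},
                    {"conditionType": "ConditionAttributes", "dictionaryName": "AD1",
                     "attributeName": "ExternalGroups", "operator": "equals",
                     "attributeValue": "corp.example.com/Users/Domain Computers"},
                ],
            },
        },
        "profile": ["Corp_Access"],
    },
    {
        # The "just get site 12 back up" rule that nobody removed.
        "rule": {
            "name": "TEMP - site 12 outage", "state": "enabled", "default": False,
            "condition": {"conditionType": "ConditionReference", "name": "Wired_MAB"},
        },
        "profile": ["PermitAccess"],
    },
    {
        "rule": {"name": "Default", "state": "enabled", "default": True, "condition": None},
        "profile": ["PermitAccess"],
    },
]

# Names that usually mean "somebody meant to delete this later".
TEMP_NAME = re.compile(r"\b(temp|tmp|test|bypass|emergency|outage)\b", re.IGNORECASE)

# Dictionaries whose presence in a condition means the rule checks *who*
# the endpoint is, not only *how* it connected. "AD1" is the assumed name
# of the Active Directory join point in this sample.
IDENTITY_DICTS = {"IdentityGroup", "InternalUser", "EndPoints", "AD1"}


def leaves(cond):
    """Yield every leaf condition, descending through And/Or blocks.

    A ConditionReference points into ISE's condition library and is not
    expanded here, so it counts as a leaf with no dictionary. Resolve
    references from the library before trusting a "no identity check"
    finding on such a rule.
    """
    if not cond:
        return
    if "children" in cond:
        for child in cond["children"]:
            yield from leaves(child)
    else:
        yield cond


def grants_full_access(profile):
    return "PermitAccess" in profile


def audit_rules(rules):
    """Return a list of (rule name, finding) pairs for a human to review."""
    findings = []
    for entry in rules:
        rule, profile = entry["rule"], entry.get("profile", [])
        name = rule["name"]
        if rule.get("default"):
            # The catch-all rule is the last line of defence; it should deny.
            if grants_full_access(profile):
                findings.append((name, "default rule grants PermitAccess instead of DenyAccess"))
            continue
        if rule.get("state") != "enabled":
            continue
        if TEMP_NAME.search(name):
            findings.append((name, "temporary-looking rule is still enabled"))
        if grants_full_access(profile):
            checks_identity = any(
                leaf.get("dictionaryName") in IDENTITY_DICTS for leaf in leaves(rule["condition"])
            )
            if not checks_identity:
                findings.append((name, "PermitAccess with no identity or group condition"))
    return findings


if __name__ == "__main__":
    for rule_name, finding in audit_rules(SAMPLE_RULES):
        print(f"{rule_name}: {finding}")
```

Run against the sample it flags the “TEMP” rule twice (by name, and because it permits access on connection method alone) and flags the default rule for permitting rather than denying. The name check is a heuristic; the identity check is the one that catches the rules that were named innocently.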
Endpoints and Profiling
This is another neglected aspect of ISE. If profiling is not monitored, you may have many endpoints on the network that are not profiled properly, which leads to inaccurate reporting, which leads to a false sense of security. Let’s say an engineer manually adds a Whatever Inc. camera to the Acme Inc. camera endpoint group to get it up and running quickly. When a security concern comes up that affects Whatever Inc. cameras, how do you know where these endpoints are? As far as the logs are concerned, you only have Acme cameras.
In addition to the obvious security concern, there should also be robust reporting and inventory. This is a great feature of ISE: it lets you know exactly what is on your network, what changed, and what needs to be addressed.
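The misfiled-camera scenario above is easy to catch if the inventory is checked against something the engineer cannot override, such as the hardware vendor encoded in the MAC’s OUI. The script below is an added example written for this post, not Cisco code. The endpoint records are a constructed sample flattened from the fields ISE keeps per endpoint (MAC, endpoint identity group, whether that group was assigned statically, and the profile the profiler matched); the OUI table and the group-to-vendor expectations are hypothetical stand-ins for the IEEE registry and your own naming convention.

```python
"""Offline audit of an ISE endpoint inventory export.

Added example for this post, not Cisco code. The endpoint records are a
constructed sample flattened from the fields ISE exposes per endpoint;
the OUI table and the group-to-vendor expectations are hypothetical.
"""
from collections import defaultdict

# Hypothetical OUI prefixes. Replace with the IEEE OUI list in real use.
OUI_VENDOR = {
    "02:AC:E1": "Acme Inc.",
    "02:B0:0B": "Whatever Inc.",
}

# Which vendor each endpoint identity group is supposed to hold (assumed
# naming convention of this sample deployment).
GROUP_VENDOR = {
    "Acme_Cameras": "Acme Inc.",
    "Whatever_Cameras": "Whatever Inc.",
}

# Constructed sample export.
SAMPLE_ENDPOINTS = [
    {"mac": "02:AC:E1:00:00:01", "groupName": "Acme_Cameras",
     "staticGroupAssignment": False, "profileName": "Acme-Camera"},
    {"mac": "02:AC:E1:00:00:02", "groupName": "Acme_Cameras",
     "staticGroupAssignment": False, "profileName": "Acme-Camera"},
    # The Whatever Inc. camera someone dropped into the Acme group by hand.
    # The profiler still recognised it, but the static group assignment wins.
    {"mac": "02:B0:0B:00:00:07", "groupName": "Acme_Cameras",
     "staticGroupAssignment": True, "profileName": "Whatever-Camera"},
    {"mac": "02:B0:0B:00:00:08", "groupName": "Whatever_Cameras",
     "staticGroupAssignment": False, "profileName": "Whatever-Camera"},
    # Something the profiler never identified.
    {"mac": "00:11:22:33:44:55", "groupName": "Unknown",
     "staticGroupAssignment": False, "profileName": "Unknown"},
]


def vendor_of(mac):
    """Look the MAC's OUI (first three octets) up in the vendor table."""
    return OUI_VENDOR.get(mac.upper()[:8])


def audit_endpoints(endpoints):
    """Return (mac, finding) pairs: static group assignments that contradict
    the hardware vendor, and endpoints the profiler could not classify."""
    findings = []
    for ep in endpoints:
        mac, group = ep["mac"], ep["groupName"]
        if ep["profileName"] == "Unknown":
            findings.append((mac, "unprofiled endpoint; reporting on it is blind"))
            continue
        if ep["staticGroupAssignment"]:
            expected = GROUP_VENDOR.get(group)
            actual = vendor_of(mac)
            if expected and actual and expected != actual:
                findings.append((mac, f"statically placed in {group} but OUI says {actual}"))
    return findings


def inventory_by_vendor(endpoints):
    """Vendor -> MACs, derived from the OUI rather than from the group the
    endpoint sits in. This is the list you want when a vendor advisory lands."""
    inv = defaultdict(list)
    for ep in endpoints:
        inv[vendor_of(ep["mac"]) or "unknown vendor"].append(ep["mac"])
    return dict(inv)


if __name__ == "__main__":
    for mac, finding in audit_endpoints(SAMPLE_ENDPOINTS):
        print(f"{mac}: {finding}")
    for vendor, macs in inventory_by_vendor(SAMPLE_ENDPOINTS).items():
        print(f"{vendor}: {len(macs)} endpoint(s)")
```

On the sample, the audit surfaces the hand-placed camera and the unprofiled endpoint, and the vendor inventory reports two Whatever Inc. devices even though the group membership says there is only one. That second list is the answer to “where are these endpoints?” when the advisory arrives.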
Most ISE troubleshooting issues come down to a system that is not ISE. For example, a problem with Active Directory, NTP, or DNS will typically present as “I can’t log in to the network”, which points at ISE. For this reason it is seldom appropriate to have an MSP do L1 support. I’d say 90% of level 1 calls are password issues, ISE doing exactly what it is supposed to do, or other training issues. However, when something really does go wrong, you certainly want to be able to call someone who is obligated and contracted to drop everything and help you.
Most changes should be included in the contract. The primary advantage here is the assurance that every change is executed correctly on the first attempt and is subject to real-time auditing. This is really MSP 101: Bob makes the change and Mary confirms it.
Are all of your ISE integrations working properly? The MSP can keep an eye on the ISE integrations with Firepower, Stealthwatch, Splunk, SecureX, and more, since a silently broken integration means the downstream tools are making decisions on stale identity and endpoint data.
Finally, the MSP should provide full reports every month. These reports should include:
Changes for the period
A list of known issues
Security and administration audits
Resolved issues, and
A full health snapshot
How can an MSP assist in enhancing your network security?
Engaging a managed services partner offers numerous benefits for an organization. It ensures that essential IT systems and services receive constant monitoring, maintenance, and updates from experts, minimizing downtime and improving operational efficiency.
Additionally, MSPs provide access to a pool of specialized talent, eliminating the need for extensive in-house training. MSPs can bolster cybersecurity measures, supporting data protection and compliance.
Lastly, they provide cost predictability through fixed monthly fees, simplifying budgeting and resource allocation.
If you're interested in making CDA your reliable Cisco ISE MSP, get in touch with us today!