User and device attribution comes to EndaceVision: Empowering network and security incident analysis

We’ve all heard that the application is now the network. This paradigm shift moved us from the simple port-based definition of applications that was prevalent until the end of the last decade to the more awkward reality that applications are much more complex and no longer conform to such a simple scheme. For network operators, understanding the applications on the network was paramount, and Endace responded by incorporating deep packet inspection (DPI) technology into its EndaceProbe™ Network Recorders in 2012.

More recently, the network is being reshaped by Bring Your Own Device (BYOD). Statically addressed laptops and desktops are no longer the only ways that users interact with the corporate network, and reverse lookups are no longer enough to identify the device or the user accessing the network. Large dynamic address pools are used fleetingly by a myriad of portable devices, thwarting network and security operations’ attempts to understand what and who is using the network. Managing and securing the network under such circumstances is a Sisyphean task that ultimately impacts the enterprise’s bottom line.

In 2011, Cisco introduced the Cisco Identity Services Engine (ISE) to address this problem. By mapping an IP address to user authentication events, a persistent correlation between network address and user identity was made available for policy-based network access control decisions. Through subsequent integrations with Mobile Device Management (MDM) products, Cisco ISE was extended to provide mobile device attribution as well.

With the release of ISE 1.3, Endace has brought all of the power of Cisco ISE’s user and device attribution to network and security monitoring operators through integration with EndaceVision™. By leveraging the Platform Exchange pxGrid API provided by Cisco ISE, EndaceVision can now provide real user attribution and mobile device type information alongside the integrated application detection capability. This gives operators the ability to seamlessly drill down into network events and pivot and filter on user names, device types and application types.

This capability provides real-time context about who is using the network, what they are using to access it and what they are doing while they are on it – all critical pieces of actionable intelligence in network and security incident response workflows. Freed from the churn of ever-changing IP addresses, analysts now gain immediate clarity and insight into user behavior, allowing rapid and accurate issue diagnosis and resolution. This makes analysts more efficient and effective, which translates to better networks and in the end, better business.

We’ll be providing the Cisco ISE 1.3 integration with EndaceProbe OSm 5.2.3 in December and we are excited to bring this new user and device centric perspective to our EndaceVision users. Stay tuned…
