ISE 2.1 - Configuration of AMP & ISE Integration

This post goes over the integration of ISE 2.1 and AMP for Endpoints. ISE 2.1 introduces the concept of "Threat Centric NAC", which allows you to configure vulnerability and threat adapters that send high-fidelity Indicators of Compromise (IoC), Threat Detected events, and CVSS scores to ISE, so that threat-centric access policies can be created to change the privilege of the endpoint accordingly.

One thing to note: ISE 2.1 also allows for the integration of Qualys and the ability to create policies based on threat attributes. If you configure it with Qualys, you can configure the following conditions in your policy:

if Qualys-CVSS_Base_Score is <num> then <result>

if Qualys-CVSS_Temporal_Score is <num> then <result>

In this post, I'm going to just go over integration with AMP for Endpoints since that's what I have access to. 

To begin the configuration, navigate to Administration>Threat Centric NAC in the ISE GUI.

Click Add to add a new vendor instance. On this page, you are asked to select a vendor and give it a name. In my case, I chose AMP:THREAT and named it FireAMP. Click Save.

Now that it's saved, you should have a link under Status that says Ready to configure. Click on that. If you don't see it, click the refresh button.

You will be taken to the following page:

Note: If your ISE instance is behind a proxy, you need to configure a SOCKS proxy that ISE will be able to navigate through to speak to the AMP cloud. 

Just to give you an idea on how to configure a SOCKS proxy, I am going to configure it through my WSA instance. Log into your WSA and navigate to Security Services>SOCKS Proxy and click Edit Settings. Make sure you check the box to Enable SOCKS Proxy and choose a port that works for you or keep it at the default and click Submit.

Then navigate to Web Security Manager>SOCKS Policies and you can either add a policy based on the specific host (ISE) or edit the global policy. Click on the Destination Ports policy:

You can put in specific ports or all of them. In this case, I'm just going to put in all of them since this is a lab. Click Submit when done.

Click Commit when you are done configuring on your proxy. 

Go back to the ISE Threat Centric NAC page, enter your SOCKS proxy information, and then click Next.

On the next page, you'll have a drop-down to choose which AMP cloud this ISE instance should reach out to. In this case, I'm going to choose the US Cloud and click Next.

On the next page, you'll have a redirect link to click on to take you to the AMP cloud. Click on it. 

On this page, you can approve this adapter and even specify, at the bottom, the specific groups that will be allowed for event exporting. When you are done, click Allow and you will be taken back to ISE.

Click Finish.

 

Back at the Vendor Instance page, check the box next to your instance and click Edit to see some of the types of events that ISE will receive reports for.

 

Now that we've set this up, I'm going to download some test malware from EICAR. In my AMP policy, I had an audit policy on my computers, so it'll detect the malware but not quarantine it, and it should send an alert to ISE.

After downloading this, if I go to the Home>Threat dashboard, I should see one compromised endpoint:

 

You can click on the endpoint in the Top Threats graph to be taken to the filtered page for threats detected, or you can just navigate to Context Visibility>Compromised Endpoints:

 

On this page, you can click on the MAC address of the endpoint to pull up more information on the host:

 

Back in the Compromised Endpoints page, if you want to quarantine this device, you can check the box next to the endpoint and click on ANC>Assign a Policy:

 

From there, you can assign it any ANC policy you want including Quarantine, Shutdown, or Port Bounce. 

 

This can give you enough time to remediate and prevent the spread of malware. After you are done, you can unquarantine the device the same way you quarantined it, by clicking on ANC>Revoke a Policy.

 

Note: For the ANC policy to work, you have to predefine the policy. It's pretty easy to do. In order to do so in ISE, navigate to Operations>Adaptive Network Control>Policy List and create all or some of the following policies:

Then you would add your new ANC policy to the Global Exceptions list by navigating to Policy>Policy Sets>Global Exceptions and creating the policy rules as such:

if Session:ANCPolicy Equals Quarantine then Quarantine (or whatever your authorization profile is for limited access)
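
The Assign a Policy and Revoke a Policy actions above can also be scripted once the ANC policy is predefined. The following is an added example, not part of the original post: it assumes ISE's ERS REST API is enabled on its default port 9060 and that your release exposes the ancendpoint apply/clear operations; the host name, account and MAC address are constructed placeholders.

```python
import base64
import json
import re
import urllib.request

ERS_PORT = 9060  # assumption: ERS is enabled and listening on its default port


def normalize_mac(mac):
    """Accept 00-11-22-33-44-55, 0011.2233.4455 or 00:11:..; return 00:11:22:33:44:55."""
    if re.search(r"[^0-9A-Fa-f:.\-]", mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_anc_request(ise_host, action, mac, policy, user, password):
    """Build (but do not send) the ERS call that assigns or revokes an ANC policy."""
    if action not in ("apply", "clear"):
        raise ValueError("action must be 'apply' or 'clear'")
    data = [{"name": "macAddress", "value": normalize_mac(mac)}]
    if action == "apply":
        if not policy:
            raise ValueError("apply needs the name of a predefined ANC policy")
        data.append({"name": "policyName", "value": policy})
    body = json.dumps({"OperationAdditionalData": {"additionalData": data}})
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        f"https://{ise_host}:{ERS_PORT}/ers/config/ancendpoint/{action}",
        data=body.encode(),
        method="PUT",
        headers={
            "Content-Type": "application/json",
            "Accept": "application/json",
            "Authorization": f"Basic {token}",
        },
    )


if __name__ == "__main__":
    # Constructed lab values; "Quarantine" must already exist in the ANC Policy List.
    req = build_anc_request("ise.lab.example", "apply", "0011.2233.4455",
                            "Quarantine", "ers-operator", "example-password")
    print(req.get_method(), req.full_url)
    print(req.data.decode())
    # urllib.request.urlopen(req) sends it; keep TLS certificate validation enabled.
```

Use an account limited to ERS access and read the password from a secret store instead of hard-coding it.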

 

There you go - AMP is now integrated and you can quarantine and unquarantine based on the alerts you receive from AMP. I probably went into a bit more extra detail, like setting up the ANC policy or the SOCKS proxy, but I wanted to give you guys a good overview of how to set it up from scratch in a lab, or even in production in the event you are putting ISE behind a proxy.