(844) 773-7734 mk@mkss.us

Going on-premise with SecureX orchestration remote

Cisco SecureX has been enabling customers to build more secure, integrated infrastructure for over a year now. Leveraging both Cisco and third-party integrations, you can centralize visibility and aggregate intelligence while conducting incident investigation and response. SecureX orchestration allows you to take these integrations to the next level by creating custom workflows that enable your products to interact with each other in entirely new ways. However, since the SecureX platform is cloud-based, integration with on-premise resources has proven to be a challenge. Many of our customers have expressed interest in these types of integrations and now it’s possible!

SecureX orchestration remote

With SecureX orchestration remote, you can start to integrate on-premise resources into your orchestration workflows. The remote is a virtual appliance that you run behind your firewall to broker requests from the cloud. Once it’s up and running, SecureX orchestration can send requests to your on-premise resources through the remote. You can even have multiple remotes if you want them inside different networks or data centers. Cisco provides the remote as an easy to deploy OVA for VMware ESXi version 5.5 (or newer) and the appliance’s compute requirements are minimal. We recommend 2 vCPU, 2 GB of RAM, and 30 GB of disk. The remote also requires outbound connectivity to the internet over TCPS port 8883 to the SecureX cloud.

Configuring your orchestration targets to use a remote is as simple as selecting the remote you want to use from a drop down list when creating or modifying a target:

The drop down box used to add an Orchestration remote to a Target

On-premise use cases

Now that we have the ability to integrate with on-premise resources, let’s talk about some new orchestration use cases. Alongside the release of SecureX orchestration remote, we’re releasing our first workflows and atomic actions for two on-premise products: Cisco Secure Firewall and Cisco Identity Services Engine (ISE). These workflows include:

Spotlight: ISE – Quarantine endpoint

A screenshot of the SecureX pivot menu showing Cisco ISE response actions Let’s say you’re conducting an investigation in Cisco SecureX and notice an endpoint exhibiting suspicious behavior. To be safe, you decide to move the endpoint to quarantine until a full investigation can be completed. In your SecureX incident, you already have the endpoint’s MAC address so all you have to do is pivot on it and select the ISE – Quarantine Endpoint action. This will trigger the workflow in SecureX orchestration and, since the Cisco ISE target is configured to use a remote, the necessary API calls will be forwarded to your on-premise ISE deployment. In two clicks, the endpoint is added to an Adaptive Network Control policy and put in quarantine.

Spotlight: Secure Firewall – Microsoft Online Dynamic Object update

SecureX workflow to automatically update Cisco Secure Firewall dynamic object groups using a feed from Microsoft Keeping up with lists of IP addresses for cloud services like Microsoft Online can be a challenge. If you have remote workers who are using split tunneling, it’s critical you have accurate lists of networks for these types of services to make sure traffic flows properly. To help with this, we’ve developed a workflow that can automatically update your Cisco Secure Firewall dynamic object groups using a feed from Microsoft. This allows you to have an always-updated list of IP addresses for the Microsoft cloud without having to “stare and compare” piles of addresses.

Resources

Ready to get started with SecureX orchestration remote? The best place to start is our SecureX orchestration remote documentation. In these docs, you’ll learn how to set up a remote and how you can use it in your workflows.