Upon detecting a flagrant threat on an endpoint, which two technologies instruct Cisco Identity Services Engine to contain the infected endpoint either manually or automatically? (Choose two.)
The two technologies that can instruct Cisco Identity Services Engine (ISE) to contain an infected endpoint, either manually or automatically, upon detecting a flagrant threat are Cisco FMC and Cisco AMP. Cisco FMC can trigger actions through ISE upon detecting indicators of compromise or threats. Cisco AMP for Endpoints integrates with ISE to automate the quarantine or isolation of the endpoint upon detecting a threat.
The two technologies that can instruct Cisco Identity Services Engine (ISE) to contain an infected endpoint, either manually or automatically, upon detecting a flagrant threat on the endpoint are: C. Cisco FMC and E. Cisco AMP for Endpoints.
AE: Both Cisco Stealthwatch and AMP can instruct ISE to take appropriate actions based on the endpoint compliance status.
RTC w/ FMC & ISE is the ability for the FMC to quarantine endpoints through ISE. So, when the FMC sees some indicators of compromise, certain Snort IPS signatures are fired, or malware is discovered through AMP, the FMC can trigger actions to occur through ISE. ISE, in turn, can determine what to do when that trigger occurs. ISE could kick the user off the network or change the context of the user and endpoint so that different actions are taken within the network infrastructure.
A and E are correct!!! If you read the FMC white paper you know that FMC can instruct ISE to shut down or quarantine a host. And this can also be done with Stealthwatch: https://cisco.bravais.com/s/O3aQkU0OU6fNYhUrsuES If you think, why would AMP do that, when AMP can already block threats on the host itself?
Stealthwatch and FirePOWER are both on-prem network solutions that have integration with ISE. AMP, as a cloud solution, doesn't have an integration with ISE, as far as I know. I'm going with A & C.
https://community.cisco.com/t5/network-access-control/cisco-ise-amp-for-endpoints-integration/td-p/4273949
FMC through pxGrid integration with ISE - yes possible. Stealthwatch is also possible. So my answer is A and C. Cisco Stealthwatch has the capability to take automated actions to block threats or suspicious behavior on endpoints. Here are the relevant features: Adaptive Network Control (ANC): When integrated with Cisco Identity Services Engine (ISE), Stealthwatch can trigger ANC policy changes. These changes modify or limit an endpoint's level of access to the network. In other words, if Stealthwatch detects a threat, it can automatically quarantine the compromised endpoint by adjusting network access through authorization policies or Security Group Tags (SGT).
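The two comments above (the RTC description and the ANC description) both come down to the same mechanism: a detection platform asks ISE to apply an Adaptive Network Control policy to an endpoint's MAC address, and ISE's authorization policy then re-evaluates that endpoint (CoA) into a quarantine result. The script below is an added example, not code from this thread or from Cisco; it shows what any integrator, including a third-party tool, sends to ISE to trigger that containment over the ISE ERS REST API, and what it sends to lift it again. The ERS `ancendpoint/apply` and `ancendpoint/clear` resource paths, port 9060, the `OperationAdditionalData` payload shape, the host name `ise.example.net`, the ERS account, and the policy name `Quarantine` are assumptions here; verify the paths and the expected response code against the ERS SDK page of your own ISE deployment before relying on them.

```python
"""Added example: instruct Cisco ISE to contain (or release) an endpoint via an
ANC policy using the ERS REST API. Paths, port and payload shape are assumptions
taken from the ISE ERS 'ancendpoint' resource; check them against your ISE version.
"""
import base64
import json
import re
import ssl
import urllib.request
from typing import Optional

ERS_PORT = 9060  # assumption: default ISE ERS listener port

_SEPARATORS = re.compile(r"[-:.\s]")
_MAC12 = re.compile(r"^[0-9A-F]{12}$")


def is_valid_mac(mac: str) -> bool:
    """True if 'mac' is a 48-bit address in any common notation."""
    return bool(_MAC12.match(_SEPARATORS.sub("", mac).upper()))


def normalize_mac(mac: str) -> str:
    """Return the MAC the way ISE stores it: uppercase, colon-separated.
    Accepts 'aa-bb-cc-dd-ee-ff', 'aabb.ccdd.eeff', 'aabbccddeeff', ...
    Only separators are stripped, so a stray non-hex character is an error
    rather than silently producing a different (valid-looking) address."""
    hexdigits = _SEPARATORS.sub("", mac).upper()
    if not _MAC12.match(hexdigits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def build_anc_payload(mac: str, policy_name: Optional[str] = None) -> dict:
    """Request body for ancendpoint/apply (policy_name given) or
    ancendpoint/clear (policy_name None). Assumed payload shape."""
    data = [{"name": "macAddress", "value": normalize_mac(mac)}]
    if policy_name is not None:
        if not policy_name.strip():
            raise ValueError("ANC policy name must not be empty")
        data.append({"name": "policyName", "value": policy_name})
    return {"OperationAdditionalData": {"additionalData": data}}


def build_anc_request(ise_host: str, ers_user: str, ers_password: str,
                      mac: str, policy_name: Optional[str] = None) -> urllib.request.Request:
    """Build (but do not send) the PUT that applies or clears the ANC policy.
    ERS uses HTTP basic auth with an account that holds the ERS Admin role."""
    action = "apply" if policy_name is not None else "clear"
    url = f"https://{ise_host}:{ERS_PORT}/ers/config/ancendpoint/{action}"
    token = base64.b64encode(f"{ers_user}:{ers_password}".encode()).decode()
    body = json.dumps(build_anc_payload(mac, policy_name)).encode()
    return urllib.request.Request(
        url, data=body, method="PUT",
        headers={"Authorization": f"Basic {token}",
                 "Content-Type": "application/json",
                 "Accept": "application/json"})


def send(req: urllib.request.Request, cafile: Optional[str] = None, timeout: int = 10) -> int:
    """Send the request, verifying the ISE admin certificate against 'cafile'
    (or the system trust store). Returns the HTTP status code."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed detection event, as a network analytics or NGFW tool might emit it.
    event = {"mac": "00-1b-63-84-45-e6", "verdict": "malware-callback"}
    req = build_anc_request("ise.example.net", "ers-api", "changeme",
                            event["mac"], policy_name="Quarantine")
    print(req.get_method(), req.full_url)
    print(req.data.decode())
    # Uncomment once pointed at a real ISE with ANC enabled and the policy created:
    # print("status", send(req, cafile="/etc/ssl/ise-admin-ca.pem"))
```

Before this does anything in ISE, the ANC policy named in the call must already exist (Operations > Adaptive Network Control > Policy List), an authorization rule must match that ANC policy and return the quarantine result, and the network device must accept CoA from ISE; otherwise the API call succeeds but the endpoint's session never changes. Releasing the endpoint is the same call with `policy_name=None`, which targets the `clear` resource.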
I meant the correct answer is C-E
It's not C, because FMC does not instruct ISE. It's the other way around: FMC can enforce an organization's security policy based on ISE session attribute information available through pxGrid.
Looks like A and C https://www.cisco.com/c/m/en_uk/products/security/identity-services-engine/use-case-threat-containment.html#~onboard
Cisco Stealthwatch is not a technology that instructs Cisco Identity Services Engine (ISE) to contain the infected endpoint either manually or automatically. Cisco Stealthwatch is a network visibility and security analytics platform that uses NetFlow, telemetry, and machine learning to detect threats across the network, including advanced malware and insider threats. It provides network behavior analysis (NBA) to identify anomalies, threat hunting to investigate incidents, and network segmentation to limit the attack surface.
The two technologies that can instruct Cisco Identity Services Engine to contain the infected endpoint either manually or automatically are: Cisco Stealthwatch and Cisco AMP. Both Cisco Stealthwatch and Cisco AMP have integration with Cisco Identity Services Engine to automate the quarantine or isolation of the endpoint upon detecting a threat.
E cannot be correct here if the answer to question 212 is correct (Who tells ISE to contain the endpoint? Correct answer at 212 is FMC) So I go with A and C here