The deeper integration between IT, cloud, and industrial networks is exposing your Industrial Control Systems (ICS) to cyber threats. As you begin to capture the benefits of your industry digitization efforts and start deploying Industrial Internet of Things (IIoT) technologies, you need a cybersecurity solution to help you ensure the continuity, resilience, and safety of your industrial operations.
Cisco Cyber Vision has been specifically designed for industrial organizations to gain full visibility into their industrial networks, providing precise information on their OT security posture so they can build secure infrastructures, drive regulatory compliance, and enforce security policies to control risks.
Cisco Cyber Vision combines a unique edge monitoring architecture and deep integration with Cisco’s leading security portfolio. Built into your Cisco industrial network equipment, it can be easily deployed at scale to monitor your industrial assets and their application flows in real time. It is the ideal solution to feed your IT Security Operations Center (SOC) with OT context, so you can build a unified IT/OT cybersecurity architecture.
Cisco® Cyber Vision enables organizations to ensure the continuity, resilience, and safety of their industrial operations by providing continuous visibility into their Industrial Control Systems (ICS) to understand their security posture, improve their industrial networks efficiency, and extend IT security to their industrial operations.
Security built into your industrial network
Cisco Cyber Vision’s unique edge computing architecture embeds security monitoring components within our industrial network equipment. There’s no need to source dedicated appliances and think about how to install them. There’s no need to build an out-of-band network to send industrial network flows to a central security platform. Cyber Vision enables the industrial network to collect the information required to provide comprehensive visibility, analytics, and threat detection. Network managers will appreciate the unique simplicity and lower costs of the Cyber Vision architecture for deploying OT security at scale.
Comprehensive visibility
Cyber Vision leverages passive and active discovery mechanisms to identify all your assets, their characteristics, and their communications. Active discovery queries are extremely precise and nondisruptive. They use the semantic of the protocols at play to gather details on all your industrial assets, including Windows-based systems. Because queries are initiated from Cyber Vision sensors embedded in Cisco network equipment forming the industrial network, they are not blocked by firewalls or NAT boundaries, resulting in comprehensive visibility.
This wealth of information on assets, communication maps, and operational and security events can be access by local OT and IT team members. It can also be aggregated in a Cyber Vision Global Center, for large organizations to gain global visibility across all sites and drive governance and compliance.
Security posture
Cisco Cyber Vision combines protocol analysis, intrusion detection, vulnerability detection and behavioral analysis to help you understand your security posture. It automatically calculates risk scores for each component, device and any specific parts of your operations to highlight critical issues so you can prioritize what needs to be fixed. Each score comes with guidance on how to reduce your exposure so you can be proactive and build an improvement process to address risks.
Cyber Vision’s detection engine leverages threat intelligence from Cisco Talos, one of the world’s leading cybersecurity research team and the official developer of Snort signature files. The Cyber Vision threat knowledge base is updated every week to include the latest list of asset vulnerabilities and IDS signatures.
Operational insights
Cisco Cyber Vision automatically uncovers the smallest details of the production infrastructure: vendor references, firmware and hardware versions, serial numbers, rack slot configuration, etc. It identifies asset relationships, communication patterns, and more. Information is shown in various types of maps, tables, and reports.
Cisco Cyber Vision gives OT engineers real-time insight into the actual status of industrial processes, such as unexpected variable changes or controller modifications, so they can quickly troubleshoot production issues and maintain uptime. Cyber experts can easily dive into all this data to investigate security events. Chief information security officers have all the necessary information to document incident reports and drive regulatory compliance.
The product uses tags to highlight asset roles and communication contexts, so that any OT and IT team member can easily understand the industrial infrastructure and operational events, regardless of the asset brand or references. IT teams can then work with OT staff to drive best practices such as patching vulnerable assets, tracking default password uses, improving network segmentation, and more.
T security integrations
Cyber Vision’s detailed asset inventory and visibility into OT events provide value to both operations and IT security teams. Out-of-the-box integrations with Cisco’s security portfolio, as well as with a broad set of third-party solutions, extend Cyber Vision’s insight to risk and compliance monitoring and reporting, security policy enforcement, and much more. It extends the IT SOC to the OT domain.
Cyber Vision integrates seamlessly with leading SIEM systems such as IBM QRadar or SPLUNK so security analysts can trace industrial events in their existing tools and start correlating OT/IT events. Leveraging Cyber Vision’s rich API, IT and OT teams can feed any existing tool with deep knowledge on industrial assets, network traffic, and security posture.
Cisco XDR
Are you seeing an abnormal behavior in Cisco Cyber Vision? Just click the “Report to XDR” button to create a case in Cisco XDR for an analyst to investigate and launch remediation via specific playbooks and custom workflows. The XDR ribbon always available on the Cyber Vision user interface makes it even easier to trigger remediation workflows and quickly contain threats. The ribbon highlights all observables Cyber Vision has detected (IP and MAC addresses, usernames, hostnames, URLs, and more) so you can easily pivot to XDR with OT context and launch detailed investigations. Cisco XDR leverages intelligence from Cisco Secure Endpoint, Secure Network Analytics, Secure Firewall, Umbrella, Talos intelligence feeds, and other connected technologies (Cisco and third party) to give you a complete view of threats and activities across your IT and OT networks.
To learn more about how Cyber Vision and Cisco XDR work together, please read the solution brief.
Cisco Secure Firewall
Network segmentation is a key pillar to securing your network and protecting critical processes. Cyber Vision can share asset groups created by control engineers with Firewall Management Center (FMC) to influence access control policies managed by Cisco Secure Firewall and restrict communications within the industrial network. Because OT asset groups are shared as dynamic objects via the Cisco Secure Dynamic Attribute Connector (CSDAC), any change made in Cyber Vision is automatically reflected in FMC, keeping rules up-to-date without tedious manual updates and policy deployment.
For more information on using dynamic attributes in Cisco Secure Firewall policies, please read this documentation.
Cisco Identity Services Engine (ISE)
Extend software-based network segmentation policies to your industrial control network and start enforcing zero trust security. Cyber Vision shares discovered hosts, protocols, communications patterns, and more with Cisco ISE through pxGrid to extend ISE’s awareness and policy enforcement into the control network. Cisco ISE can also leverage asset groups created by control engineers in Cyber Vision to automatically build secure zones and drive dynamic micro-segmentation of the industrial network. Just move an asset to another group in Cyber Vision to have ISE automatically apply the corresponding security policy to this asset.
To learn more about how Cyber Vision and ISE work together, please read the solution brief.
Cisco Secure Network Analytics
Extend behavioral analytics by looking at telemetry from your network infrastructure. Cisco Secure Network Analytics uses Cyber Vision insights to add context to the network flows it monitors and speed up incident response and forensics by pinpointing ICS assets on alarms.
REST API
Cyber Vision exposes functionality and data access through a REST API. This allows for custom integration of third-party and homegrown applications for compliance and risk reporting, system and event monitoring, dashboards, and more. The built-in API Explorer offers a friendly user interface to build your own API calls, test them, and generate code easily. Out-of-the-box integrations are available such as with ServiceNow OT Management.
Common Event Format (CEF)
Cyber Vision discovery and event data may be output in Common Event Format (CEF) syslog for consumption by any number of third-party applications such as SIEM solutions, Security Orchestration, Automation, and Response (SOAR) platforms, and more. Free add-ons are available for easy integration with IBM QRadar and Splunk OT.
Cisco Cyber Vision is built on a unique edge architecture consisting of multiple sensor devices that perform deep packet inspection, protocol analysis, and intrusion detection within your industrial network and an aggregation platform known as Cyber Vision Center. Cyber Vision Center stores data coming from the sensors and provides the user interface, analytics, behavioral analysis, reporting, API, and more. It may be run on a hardware appliance or as a virtual machine. The sensors are supported on the platforms listed in the table below.