CyberMDX-Cisco Integration:
Complete Control, Complete Visibility


Medical Devices in IoT Environments


To contend with the wide range of structural disadvantages, human error, and misconfiguration threats that creep up daily in hospitals and clinics around the world, a dynamic, integrative, continuous, and multi-layered solution is required for comprehensive medical device cybersecurity.


Unlike legacy perimeter security paradigms, micro-segmentation assumes threats are everywhere. This model aims to manage the cybersecurity risks even where a threat passes your perimeter defenses and now lurks inside the network. A micro-segmentation approach to security essentially redraws new perimeters concentrically within the network around strategic network segments. In a medical environment, this should be configured around each asset. These “individual” perimeters limit access to each service inside each and every asset — hence reducing the attack surface.


When micro-segmentation is properly implemented, worm-like attacks, such as a Server Message Block exploit like the one that the WannaCry attack famously leveraged, can be stopped when the segmentation regime flags and blocks the traffic patterns of the worm that are incongruous with normal device use.

This type of approach is widely acknowledged to constitute the most robust and ironclad network security paradigm; at the same time, it does not come without costs.


To implement a proper micro-segmentation solution, one needs to identify and classify all devices, maintain a view of service-aware traffic flows to and from assets, establish nuanced normal use baselines, define deviation thresholds, and decide what to let in and what to block. 


Doing this for a lot of devices of various vendors is not an easy task and maintaining it along the entire network life cycle is even harder.


Control at Scale with Cisco


Cisco TrustSec provides a scalable way to implement micro-segmentation. What makes it scalable is the possibility to define the policies based on logical groupings, called Security Groups, decoupled from traditional network topology such as IP addresses or VLANs.

The defined policy is managed by Cisco ISE and pushed to network switches, routers and firewalls as enforcers — bringing the perimeter as close as possible to the assets.


Of course, one of the main challenges in securing medical ecosystems is understanding the network infrastructure and medical device communication protocols enough to know how to properly classify the devices, form security groups, and define suitable access rules (SG-ACLs) between them.

In this sense, for hospital administrators, Cisco ISE gives you the controls needed to solve your problem but none of the clarity required to wield those controls effectively. 




A Better Way: The MDefend-Cisco Integration

Enriched network visibility and enhanced segmentation processes — automatically and scalably. 


Data Enrichment and Sharing

Leveraging deep packet inspection, optional active scanning, and an AI engine, MDefend automatically identifies and classifies all medical devices and assets deployed within a network to form an accurate, live inventory.

This granular visibility includes the device's type, vendor, model, as well as version and hardware IDs (MAC, SN).

The system provides further visibility into the traffic flows of the devices and their interactions with their own ecosystem. Device-specific risk assessments are conducted based on known vulnerabilities and detected threats, and the assembled insights are used to stitch together a composite view, assessing the risk of the business as a whole.

This data is then pushed by MDefend into Cisco ISE, boosting its classification capabilities and providing a single portal from which all network devices can be monitored and managed. Both systems — MDefend and Cisco ISE — continuously communicate with each other, creating a data feedback loop that refines and enriches their shared functionality.


Smart Isolation

MDefend doesn't only provide real-time visibility into devices, their workflows, and concomitant risk levels; it also leverages that insight for effective attack prevention. In effect, Cisco ISE executes and enforces rules according to the security policies generated by MDefend. The result is that attacks are torpedoed before they can ever take hold.

In two words, this advantage can be described as “smart isolation”. Smart isolation intelligently segments a fleet of medical devices into groups and assigns an access policy to each group. Each policy is tailored to permit legitimate and operationally justified network access to the devices in that group, while blocking all other attempts to connect to, communicate with, or otherwise remotely interface with those devices.


Comprehensive Visibility

The Cisco ISE-MDefend integration provides a single point of view (Cisco ISE) from which to manage all devices, replete with clinical device classifications, courtesy of CyberMDX’s AI engine.

What's more, bringing these two platforms together delivers a purpose-specific solution designed specifically for clinical engineers, as well as healthcare security and IT teams; providing in-depth visibility into medical device behaviors, risk profiles, and threat landscapes.


Accelerated Segmentation Processes

For non-TrustSec infrastructure, MDefend groups devices to VLANs and ACL assignments per algorithmic insights refined by years of industry expertise. In this way, a medical network can be duly segmented and layers of protection can be imposed beyond the perimeter.

For TrustSec based infrastructures, MDefend sorts assets into Security Groups, working through Cisco ISE to create and maintain the Security Group Tags, map assets to Security Groups and compile Security Group-Access Control Lists.

A group of SIEMENS MRIs, for example, will consist of MRI machines by Siemens. The SGACL between this group and other groups will allow DICOM communication corresponding to various SGs of Workflow and PACS servers, and CDPs, and incoming management traffic (such as ssh, ftp, telnet) corresponding to privileged SGs. No other communication will be allowed between members of this group nor to other groups (such as Ultrasound machines or infusion pumps).
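As an added illustration (not CyberMDX's or Cisco's code), the following Python models the policy the MRI example above describes: a Security Group per device class, a default-deny SGACL matrix that permits only DICOM to the imaging servers and management traffic from a privileged group, and a check of sample flows against it. Group names, tag numbers, the "servers may initiate DICOM" assumption, and the ACE syntax are all assumptions; only DICOM's registered port 104 is real.

```python
# Added example, not CyberMDX or Cisco code: a minimal model of the SGT/SGACL policy
# described for the "Siemens MRI" Security Group. Group names, tag numbers and the
# port list are constructed assumptions; only DICOM's registered port (104) is real.
from dataclasses import dataclass

SGT = {"Siemens_MRI": 10, "PACS": 20, "Workflow": 21, "Privileged_Mgmt": 30,
       "Ultrasound": 40, "Infusion_Pump": 50}          # constructed tag numbers
DICOM_PORT = 104
MGMT_PORTS = {22: "ssh", 21: "ftp", 23: "telnet"}       # "incoming management traffic"

@dataclass(frozen=True)
class Flow:
    src_sg: str
    dst_sg: str
    dst_port: int

def build_sgacl_matrix():
    """Return {(src SGT, dst SGT): permitted TCP dst ports}; any pair absent is denied."""
    matrix, mri = {}, SGT["Siemens_MRI"]
    for peer in ("PACS", "Workflow"):                   # DICOM with imaging servers only
        matrix[(mri, SGT[peer])] = {DICOM_PORT}
        matrix[(SGT[peer], mri)] = {DICOM_PORT}          # assumed: servers may initiate too
    matrix[(SGT["Privileged_Mgmt"], mri)] = set(MGMT_PORTS)  # management into the MRI
    return matrix                    # MRI<->MRI, Ultrasound and pumps stay default-deny

def is_permitted(matrix, flow):
    return flow.dst_port in matrix.get((SGT[flow.src_sg], SGT[flow.dst_sg]), set())

def render_sgacl(matrix):
    """Render the matrix as per-pair ACEs in a TrustSec-like style (syntax approximated)."""
    out = []
    for (s, d), ports in sorted(matrix.items()):
        out += [f"sgt {s} -> dgt {d}: permit tcp dst eq {p}" for p in sorted(ports)]
        out.append(f"sgt {s} -> dgt {d}: deny ip")
    return out

# Constructed sample flows: legitimate DICOM and management traffic, lateral SMB (445)
# of the worm-like kind the text mentions, and a cross-modality DICOM probe.
SAMPLE_FLOWS = [
    Flow("Siemens_MRI", "PACS", DICOM_PORT),
    Flow("Privileged_Mgmt", "Siemens_MRI", 22),
    Flow("Siemens_MRI", "Siemens_MRI", 445),
    Flow("Ultrasound", "Siemens_MRI", DICOM_PORT),
    Flow("Siemens_MRI", "Infusion_Pump", 445),
]

def blocked_flows(matrix=None, flows=SAMPLE_FLOWS):
    """Flows the segmentation regime would drop, i.e. the ones worth alerting on."""
    matrix = build_sgacl_matrix() if matrix is None else matrix
    return [f for f in flows if not is_permitted(matrix, f)]
```

Calling `blocked_flows()` returns the three flows that fall outside the MRI group's permitted set (intra-group SMB, the Ultrasound probe, and MRI-to-pump SMB), which is the behaviour the segmentation regime is expected to flag and block.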

In this manner, the security apparatus is designed and refined to shield specific (usually high-risk) devices using discretionary Access Control Lists. In parallel, MDefend continuously monitors the hygiene of the network, making sure that segmentation and governance don't degrade over time.


Attack Response at a Click

Of course, preventative controls are of little use if your system has already been infiltrated or compromised — or if the preventative solution is rolled out piecemeal or deployed incompletely. For that, you're going to require rapid detection and response capabilities. Here too, CyberMDX and Cisco have you covered.

Empowered by MDefend insights and Cisco controls, you can be alerted in real time when an active threat is detected and guided through the process of quarantining the affected device(s) in response to an attack (via Change of Authorization).



Key Features

  • Data sharing between Cisco ISE and CyberMDX of classification and risk assessment data focusing on medical assets.
  • Network segmentation planning based on TrustSec or legacy VLAN/ACL.
  • Grouping of devices by their attributes and risk level.
  • Generating access policies between the groups.
  • Enforcing the policies via pushing them to Cisco ISE.

Key Benefits

  • Superior visibility into clinical networks.
  • Improved micro-segmentation processes.
  • More, and more actionable, network profile data insights.
  • Expanded opportunities for smart automation using MDefend's device classification and behavior baselining – saving labor resources and reducing human errors.
  • Enhanced network hygiene and response rates – firing alerts instantly whenever anomalies or unauthorized changes are detected.

How It Works

The following diagram illustrates the integrative architecture of Cisco ISE and CyberMDX's MDefend:

[Diagram: integrative architecture of Cisco ISE and CyberMDX's MDefend]

The segmentation algorithm used by CyberMDX utilizes domain knowledge, device classifications, and current risk assessments to define the "map of trust" that lies at the heart of the access policy.

Both blacklists and whitelists are used to provide an optimal policy enforcement regime, minimizing the attack surface, while still considering the operational risks associated with breaking a needed flow.