I would think that LEM could leverage NTA's data.
For people who are interested in this feature, what exactly would you like to see? Would you like to have the NTA data brought in to the LEM console? Where and how would you like to use it? The more examples and use cases the better we can do to track and possibly implement this.
Mav
I think this could extend past NTA. It would be great if we could add resources to NPM that are LEM data. Things like, a device has flows that are unusual, so I click it or right-click it and load a LEM screen specific to that activity.
Allowing the LEM product to integrate with the NTA product will provide a much needed gap of capabilities during forensic analysis. For example, during an incident investigation procedure, 99% of the time the investigators want to know if the exploit has been contained. LEM's event correlation works very well for identifying the event if it took place on a device, a log was created and the logs were not compromised. Add the ability to qualify a system event with network level data and the qualification just turned to concrete evidence. A really nice automation feature would be to have LEM identify an incident and have an automated option to gather the LEM system events and the related NTA network traffic events as artifacts into one management console for analysis. Sorry for the late response :-)
I'm really surprised this hasn't seen more votes! Cisco has an integration between ISE, StealthWatch and FireSight that is really slick. Orion modules are already collecting a ton of the pieces, it's just a matter of putting it all together.
D