Security Threat Mitigation and Response
Security Threat Mitigation and Response: Understanding Cisco Security MARS

About the Book

Identify, manage, and counter security threats with the Cisco Security Monitoring, Analysis, and Response System

Dale Tesch, Greg Abelar

While it is commonly understood that deploying network security devices is critical to the well-being of an organization’s systems and data, all too often companies assume that simply having these devices is enough to maintain the integrity of network resources. To really provide effective protection for their networks, organizations need to take the next step by closely examining network infrastructure, host, application, and security events to determine if an attack has exploited devices on their networks.

Cisco® Security Monitoring, Analysis, and Response System (Cisco Security MARS) complements network and security infrastructure investment by delivering a security command and control solution that is easy to deploy, easy to use, and cost-effective. Cisco Security MARS fortifies deployed network devices and security countermeasures, empowering you to readily identify, manage, and eliminate network attacks and maintain compliance.

Security Threat Mitigation and Response helps you understand this powerful new security paradigm that reduces your security risks and helps you comply with new data privacy standards. This book clearly presents the advantages of moving from a security reporting system to an all-inclusive security and network threat recognition and mitigation system. You will learn how Cisco Security MARS works, what the potential return on investment is for deploying Cisco Security MARS, and how to set up and configure Cisco Security MARS in your network.

“Dealing with gigantic amounts of disparate data is the next big challenge in computer security; if you’re a Cisco Security MARS user, this book is what you’ve been looking for.”
–Marcus J. Ranum, Chief of Security, Tenable Security, Inc.

Dale Tesch is a product sales specialist for the Cisco Security MARS product line for the Cisco Systems® United States AT Security team. Dale came to Cisco Systems through the acquisition of Protego Networks in February 2005. Since then, he has had the primary responsibilities of training the Cisco sales and engineering team on SIM systems and Cisco Security MARS and for providing advanced sales support to Cisco customers.

Greg Abelar has been an employee of Cisco Systems since December 1996. He was an original member of the Cisco Technical Assistance Security team, helping to hire and train many of the team’s engineers. He has held various positions in both the Security Architecture and Security Technical Marketing Engineering teams at Cisco.

  • Understand how to protect your network with a defense-in-depth strategy
  • Examine real-world examples of cost savings realized by Cisco Security MARS deployments
  • Evaluate the technology that underpins the Cisco Security MARS appliance
  • Set up and configure Cisco Security MARS devices and customize them for your environment
  • Configure Cisco Security MARS to communicate with your existing hosts, servers, network devices, security appliances, and other devices in your network
  • Investigate reported threats and use predefined reports and queries to get additional information about events and devices in your network
  • Use custom reports and custom queries to generate device and event information about your network and security events
  • Learn firsthand from real-world customer stories how Cisco Security MARS has thwarted network attacks

This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.

Category: Cisco Press–Security
Covers: Security Threat Mitigation

Table of Contents:
Foreword
Introduction

Part I The Security Threat Identification and Response Challenge
Chapter 1 Understanding SIM and STM Understanding Security Information Management Legacy Threat Response Understanding Security Information Management Meeting the Needs of Industry Regulations Understanding the Unified Security Platform Introduction to Security Threat Mitigation Leveraging Your Existing Environment Summary
Chapter 2 Role of CS-MARS in Your Network The Self-Defending Network and the Expanding Role of CS-MARS Understanding the Self-Defending Network Enhancing the Self-Defending Network CS-MARS: Filling the Gaps in the Self-Defending Network CS-MARS as an STM Solution Reasons for an STM Day-Zero Attacks, Viruses, and Worms Monitoring and Enforcing Security Policy Insight, Integration, and Control of Your Network Auditing Controls Monitoring Access Control Using CS-MARS to Justify Security Investment The STM Deployment Summary
Chapter 3 Deriving TCO and ROI Fact, FUD, and Fiction FUD vs. Reality Real Threats to Enterprises Attack Impact Tangible Costs Intangible Costs Emerging Threats Impact of Attacks and Probability of Reoccurrence Total Cost of Ownership Using CS-MARS to Ensure ROI and Protect Your Assets Cost of Recovery Without CS-MARS Cost of Recovery Using CS-MARS Summary

Part II CS-MARS Theory and Configuration
Chapter 4 CS-MARS Technologies and Theory Technical Introduction to the CS-MARS Appliance CS-MARS at a Glance CS-MARS Product Portfolio and Hardware Specifications CS-MARS Terminology CS-MARS Technologies Database Storage and Utilization CS-MARS Database Structure CS-MARS Data Archiving Network Topology Used for Forensic Analysis CS-MARS Topology Information Understanding Attack Diagrams and Attack Vectors CS-MARS Network Discovery NetFlow in CS-MARS Understanding NetFlow Using NetFlow in CS-MARS Conducting Behavioral Profiling Using CS-MARS Positive Alert Verification and Dynamic Vulnerability Scanning Understanding False Positives Understanding Vulnerability Analysis Methodology of Communication Communication Methods Use of Agents Incident Reporting and Notification Methods Summary
Chapter 5 CS-MARS Appliance Setup and Configuration Deploying CS-MARS in Your Network Network Placement CS-MARS Security Hardening CS-MARS Initial Setup and Quick Install Complete the Initial CS-MARS Configuration Enter System Parameters Using the CS-MARS Web Interface CS-MARS Reporting Device Setup Adding Devices Creating Users and Groups Configuring NetFlow and Vulnerability Scanning Configuring CS-MARS System Maintenance Configuring System Parameters Summary
Chapter 6 Reporting and Mitigative Device Configuration Identifying CS-MARS–Supported Devices Types of Devices and the Information They Provide The Difference Between Reporting and Mitigation Devices Table of CS-MARS–Supported Devices Configuring Devices to Communicate with CS-MARS Configuring Routers Configuring Switches Configuring Firewalls Enabling IDS and IPS in a CS-MARS Environment Operating Systems and Web Servers Configure VPN 3000 Configure VPN 3000 Series Concentrators to Communicate with CS-MARS Add VPN 3000 Series Concentrators to the CS-MARS Device Database Antivirus Hosts and Servers Database Servers Oracle Summary

Part III CS-MARS Operation
Chapter 7 CS-MARS Basic Operation Using the Summary Dashboard, Network Status Graphs, and My Reports Tab Reading Incidents and Viewing Path Information Using the HotSpot Graph and Attack Diagram Interpreting Events and NetFlow Graphs and False Positive Graphs Understanding Data on the Information Summary Column Interpreting the X, Y Axis Graphs Using the Network Status Tab Using My Reports Using the Incidents Page Using the Incidents Page Using the Incident ID to View Data Simple Queries Setting the Query Type Instant Queries On-Demand Queries and Manual Queries Summary
Chapter 8 Advanced Operation and Security Analysis Creating Reports Report Formats Using Predefined Reports Creating Custom Reports Methods of Report Delivery Creating Rules The Two Types of Rules Active vs. Inactive Rules Creating Custom System Inspection Rules Using the Query Tool to Create a Rule Complex and Behavioral Rule Creation Summary

Part IV CS-MARS in Action
Chapter 9 CS-MARS Uncovered State Government Detection Action Resolution Large University Detection Action Resolution Hospital Detection Action Resolution Enterprise Financial Company Detection Action Resolution Small Business Detection Action Resolution Summary

Part V Appendixes
Appendix A Useful Security Websites Security Links and Descriptions General Security Governmental Security Controls and Information Tools and Testing Cisco Security Sites
Appendix B CS-MARS Quick Data Sheets Quick Hardware and Protocol Specifications for CS-MARS CS-MARS Technology Facts NetFlow Platform Guide NetFlow Performance Information NetFlow Memory Allocation Information V4.1 Product Support List
Appendix C CS-MARS Supplements CS-MARS Evaluation Worksheet Security Threat Mitigation Technical Evaluation Worksheet Sample Seed File ISS Configuration Scripts ISS Network Sensor ISS Server Sensor IOS and CATOS NetFlow Quick Configuration Guide Configuring NetFlow Export on a Cisco IOS Device Configuring NetFlow on a Cisco CATOS Switch
Appendix D Command-Line Interface Complete Command Summary CS-MARS Maintenance Commands
Appendix E CS-MARS Reporting CS-MARS V4.1 Reports
Appendix F CS-MARS Console Access Using Serial Console Access
Appendix G CS-MARS Check Point Configuration Configuring Check Point NG FP3/AI and CS-MARS Check Point–Side Configuration CS-MARS Configuration Modifying the Communications to the SmartDashboard/CMA Known Open and Closed Issues Configuring Check Point Provider-1 R60

Index

About the Author:
Greg Abelar has been an employee of Cisco Systems, Inc., since December 1996. He was an original member of the Cisco Technical Assistance Security Team, helping to hire and train many of the engineers. He has held various positions in both the Security Architecture and Security Technical Marketing Engineering teams at Cisco. Greg is the primary founder and project manager of Cisco’s Written CCIE Security exam. Before his employment at Cisco, Greg worked at Apple Computer, Inc., for eight years as a TCP/IP, IPX, and AppleTalk cross-platform escalation engineer. At Apple, he also served as a project leader in the technical platform deployment for the Apple worldwide network. From 1991 to 1996, Greg worked as both a systems programmer and an IT manager for Plantronics, Inc. From 1985 to 1991, Greg was employed by the County Bank of Santa Cruz, where he worked as an applications programmer. This book is Greg’s second authorship of a technical publication; the first was a very successful and uniquely presented publication, also from Cisco Press, titled Securing Your Business with Cisco ASA and PIX Firewalls (2005). Besides authoring Cisco Press publications, he was a co-author of Version 2 of the premier Internet security architecture whitepaper, “SAFE: A Security Blueprint for Enterprise and Networks.” His credentials also include technical editing of five security publications by Cisco Press. Greg lives with his wife, Ellen, and three children, Jesse, Ethan, and Ryan, in Aptos, California.

Visit Greg's blog at http://security1a.blogspot.com/.

Dale Tesch is a product sales specialist for the CS-MARS product line for Cisco Systems’ US AT Security Team. Dale came to Cisco Systems through the acquisition of Protego Networks in February 2005 and has held the primary responsibilities of training Cisco’s Sales and Engineering team on SIMS and CS-MARS and providing advanced sales support to Cisco customers. While at Protego Networks, he was responsible for sales and engineering in parts of the United States, Canada, and Europe. Before Protego Networks, he was an AT security engineer for Cisco Systems’ U.S. Channels Organization. Dale was the founding team leader of the U.S. Channels Security Technical Advisory Team and came to Cisco originally in 2000. Before Cisco, he was the senior systems engineer at Vitts Networks, a New England–based DSL provider. Previously, Dale spent ten years in the U.S. Navy Submarine Force and is a veteran of Desert Storm. He lives in Madbury, New Hampshire, with his fiancée, Janet, and their six children, Scott, Alex, Isabella, Douglas, Andrew, and Kristyn. Dale has published several articles on SIMs, security policy, and wireless security and has been a technical editor for Cisco Press. Dale also speaks as an industry expert and trainer for various technical seminars. He holds CCNP and CISSP certifications and is a graduate of Southern New Hampshire University.




Product Details
  • ISBN-13: 9781587054082
  • Publisher: Pearson Education (US)
  • Publisher Imprint: Cisco Press
  • Language: English
  • Sub Title: Understanding Cisco Security MARS
  • ISBN-10: 1587054086
  • Publisher Date: 28 Sep 2006
  • Binding: Digital download
  • No of Pages: 404
  • Weight: 1 gr

