Security Threat Mitigation and Response: Understanding Cisco Security MARS

Description

Identify, manage, and counter security threats with the Cisco Security Monitoring, Analysis, and Response System

 

Dale Tesch

Greg Abelar

 

While it is commonly understood that deploying network security devices is critical to the well-being of an organization’s systems and data, all too often companies assume that simply having these devices is enough to maintain the integrity of network resources. To really provide effective protection for their networks, organizations need to take the next step by closely examining network infrastructure, host, application, and security events to determine if an attack has exploited devices on their networks.

 

Cisco® Security Monitoring, Analysis, and Response System (Cisco Security MARS) complements network and security infrastructure investment by delivering a security command and control solution that is easy to deploy, easy to use, and cost-effective. Cisco Security MARS fortifies deployed network devices and security countermeasures, empowering you to readily identify, manage, and eliminate network attacks and maintain compliance.

 

Security Threat Mitigation and Response helps you understand this powerful new security paradigm that reduces your security risks and helps you comply with new data privacy standards. This book clearly presents the advantages of moving from a security reporting system to an all-inclusive security and network threat recognition and mitigation system. You will learn how Cisco Security MARS works, what the potential return on investment is for deploying Cisco Security MARS, and how to set up and configure Cisco Security MARS in your network.

 

“Dealing with gigantic amounts of disparate data is the next big challenge in computer security; if you’re a Cisco Security MARS user, this book is what you’ve been looking for.”

–Marcus J. Ranum, Chief of Security, Tenable Security, Inc.

 

Dale Tesch is a product sales specialist for the Cisco Security MARS product line for the Cisco Systems® United States AT Security team. Dale came to Cisco Systems through the acquisition of Protego Networks in February 2005. Since then, he has had the primary responsibilities of training the Cisco sales and engineering team on SIM systems and Cisco Security MARS and for providing advanced sales support to Cisco customers. 

 

Greg Abelar has been an employee of Cisco Systems since December 1996. He was an original member of the Cisco Technical Assistance Security team, helping to hire and train many of the team’s engineers. He has held various positions in both the Security Architecture and Security Technical Marketing Engineering teams at Cisco.

 

• Understand how to protect your network with a defense-in-depth strategy
• Examine real-world examples of cost savings realized by Cisco Security MARS deployments
• Evaluate the technology that underpins the Cisco Security MARS appliance
• Set up and configure Cisco Security MARS devices and customize them for your environment
• Configure Cisco Security MARS to communicate with your existing hosts, servers, network devices, security appliances, and other devices in your network
• Investigate reported threats and use predefined reports and queries to get additional information about events and devices in your network
• Use custom reports and custom queries to generate device and event information about your network and security events
• Learn firsthand from real-world customer stories how Cisco Security MARS has thwarted network attacks

 

This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.

 

Table of Contents

Foreword

Introduction

Part I          The Security Threat Identification and Response Challenge

Chapter 1   Understanding SIM and STM

Understanding Security Information Management Legacy Threat Response

Understanding Security Information Management

Meeting the Needs of Industry Regulations

Understanding the Unified Security Platform

Introduction to Security Threat Mitigation

Leveraging Your Existing Environment

Summary

Chapter 2   Role of CS-MARS in Your Network

The Self-Defending Network and the Expanding Role of CS-MARS

Understanding the Self-Defending Network

Enhancing the Self-Defending Network

CS-MARS: Filling the Gaps in the Self-Defending Network

CS-MARS as an STM Solution

Reasons for an STM

Day-Zero Attacks, Viruses, and Worms

Monitoring and Enforcing Security Policy

Insight, Integration, and Control of Your Network

Auditing Controls

Monitoring Access Control

Using CS-MARS to Justify Security Investment

The STM Deployment

Summary

Chapter 3   Deriving TCO and ROI

Fact, FUD, and Fiction

FUD vs. Reality

Real Threats to Enterprises

Attack Impact

Tangible Costs

Intangible Costs

Emerging Threats

Impact of Attacks and Probability of Reoccurrence

Total Cost of Ownership

Using CS-MARS to Ensure ROI and Protect Your Assets

Cost of Recovery Without CS-MARS

Cost of Recovery Using CS-MARS

Summary

Part II         CS-MARS Theory and Configuration

Chapter 4   CS-MARS Technologies and Theory

Technical Introduction to the CS-MARS Appliance

CS-MARS at a Glance

CS-MARS Product Portfolio and Hardware Specifications

CS-MARS Terminology

CS-MARS Technologies

Database Storage and Utilization

CS-MARS Database Structure

CS-MARS Data Archiving

Network Topology Used for Forensic Analysis

CS-MARS Topology Information

Understanding Attack Diagrams and Attack Vectors

CS-MARS Network Discovery

NetFlow in CS-MARS

Understanding NetFlow

Using NetFlow in CS-MARS

Conducting Behavioral Profiling Using CS-MARS

Positive Alert Verification and Dynamic Vulnerability Scanning

Understanding False Positives

Understanding Vulnerability Analysis

Methodology of Communication

Communication Methods

Use of Agents

Incident Reporting and Notification Methods

Summary

Chapter 5   CS-MARS Appliance Setup and Configuration

Deploying CS-MARS in Your Network

Network Placement

CS-MARS Security Hardening

CS-MARS Initial Setup and Quick Install

Complete the Initial CS-MARS Configuration

Enter System Parameters Using the CS-MARS Web Interface

CS-MARS Reporting Device Setup

Adding Devices

Creating Users and Groups

Configuring NetFlow and Vulnerability Scanning

Configuring CS-MARS System Maintenance

Configuring System Parameters

Summary

Chapter 6         Reporting and Mitigative Device Configuration

Identifying CS-MARS–Supported Devices

Types of Devices and the Information They Provide

The Difference Between Reporting and Mitigation Devices

Table of CS-MARS–Supported Devices

Configuring Devices to Communicate with CS-MARS

Configuring Routers

Configuring Switches

Configuring Firewalls

Enabling IDS and IPS in a CS-MARS Environment

Operating Systems and Web Servers

Configure VPN 3000

Configure VPN 3000 Series Concentrators to Communicate with CS-MARS

Add VPN 3000 Series Concentrators to the CS-MARS Device Database

Antivirus Hosts and Servers

Database Servers

Oracle

Summary

Part III        CS-MARS Operation

Chapter 7   CS-MARS Basic Operation

Using the Summary Dashboard, Network Status Graphs, and My Reports Tab

Reading Incidents and Viewing Path Information

Using the HotSpot Graph and Attack Diagram

Interpreting Events and NetFlow Graphs and False Positive Graphs

Understanding Data on the Information Summary Column

Interpreting the X, Y Axis Graphs

Using the Network Status Tab

Using My Reports

Using the Incidents Page

Using the Incidents Page

Using the Incident ID to View Data

Simple Queries

Setting the Query Type

Instant Queries

On-Demand Queries and Manual Queries

Summary

Chapter 8   Advanced Operation and Security Analysis

Creating Reports

Report Formats

Using Predefined Reports

Creating Custom Reports

Methods of Report Delivery

Creating Rules

The Two Types of Rules

Active vs. Inactive Rules

Creating Custom System Inspection Rules

Using the Query Tool to Create a Rule

Complex and Behavioral Rule Creation

Summary

Part IV       CS-MARS in Action

Chapter 9   CS-MARS Uncovered

State Government

Detection

Action

Resolution

Large University

Detection

Action

Resolution

Hospital

Detection

Action

Resolution

Enterprise Financial Company

Detection

Action

Resolution

Small Business

Detection

Action

Resolution

Summary

Part VAppendixes

Appendix A      Useful Security Websites

Security Links and Descriptions

General Security

Governmental Security Controls and Information

Tools and Testing

Cisco Security Sites

Appendix B      CS-MARS Quick Data Sheets

Quick Hardware and Protocol Specifications for CS-MARS

CS-MARS Technology Facts

NetFlow Platform Guide

 NetFlow Performance Information

NetFlow Memory Allocation Information

V4.1 Product Support List

Appendix C      CS-MARS Supplements

CS-MARS Evaluation Worksheet

Security Threat Mitigation

Technical Evaluation Worksheet

Sample Seed File

ISS Configuration Scripts

ISS Network Sensor

ISS Server Sensor

IOS and CATOS NetFlow Quick Configuration Guide

Configuring NetFlow Export on a Cisco IOS Device

Configuring NetFlow on a Cisco CATOS Switch

Appendix D      Command-Line Interface

Complete Command Summary

CS-MARS Maintenance Commands

Appendix E      CS-MARS Reporting

CS-MARS V4.1 Reports

Appendix F      CS-MARS Console Access

Using Serial Console Access

Appendix G     CS-MARS Check Point Configuration

Configuring Check Point NG FP3/AI and CS-MARS

Check Point–Side Configuration

CS-MARS Configuration

Modifying the Communications to the SmartDashboard/CMA

Known Open and Closed Issues

Configuring Check Point Provider-1 R60

Index