Security Monitoring with Cisco Security MARS
Customer Reviews: 1 Average Customer Rating:   Write a Review and tell the world about this title! People who purchase this book frequently purchase: - Cisco NAC Appliance: Enforcing Host Security with Clean Access; Jamey Heary, et al, $50.50, 22% Off!
- Cisco ASA, PIX, and FWSM Firewall Handbook; David Hucaby, $50.50, 22% Off!
- Security Threat Mitigation and Response: Understanding Cisco Security MARS; Dale Tesch, et al, $42.50, 23% Off!
- End-to-End Network Security: Defense-in-Depth; Omar Santos, $42.95, 22% Off!
Books on similar topics, in best-seller order:Books from the same publisher, in best-seller order:
Networks and hosts are probed hundreds or thousands
of times a day in an attempt to discover vulnerabilities. An even greater
number of automated attacks from worms and viruses stress the same devices.
The sheer volume of log messages or events generated by these attacks and
probes, combined with the complexity of an analyst needing to use multiple
monitoring tools, often makes it impossible to adequately investigate what
is happening.
Cisco Security Monitoring, Analysis, and Response
System (MARS) is a next-generation Security Threat Mitigation system (STM).
Cisco Security MARS receives raw network and security data and performs
correlation and investigation of host and network information to provide
you with actionable intelligence. This easy-to-use family of threat mitigation
appliances enables you to centralize, detect, mitigate, and report on priority
threats by leveraging the network and security devices already deployed
in a network, even if the devices are from multiple vendors.
Security Monitoring with Cisco Security MARS
helps you plan a MARS deployment and learn the installation and administration
tasks you can expect to face. Additionally, this book teaches you how to
use the advanced features of the product, such as the custom parser, Network
Admission Control (NAC), and global controller operations. Through the use
of real-world deployment examples, this book leads you through all the steps
necessary for proper design and sizing, installation and troubleshooting,
forensic analysis of security events, report creation and archiving, and
integration of the appliance with Cisco and third-party vulnerability assessment
tools.
"In many modern enterprise networks, Security Information
Management tools are crucial in helping to manage, analyze, and correlate
a mountain of event data. Greg Kellogg and Gary Halleen have distilled an
immense amount of extremely valuable knowledge in these pages. By relying
on the wisdom of Kellogg and Halleen embedded in this book, you will vastly
improve your MARS deployment."
-- Ed Skoudis, Vice President of Security Strategy,
Predictive Systems
Gary Halleen is a security consulting systems engineer
with Cisco. He has in-depth knowledge of security systems as well as remote-access
and routing/switching technology. Gary is a CISSP and ISSAP. His diligence
was responsible for the first successful computer crimes conviction in the
state of Oregon. Gary is a regular speaker at security events and presents
at Cisco Networkers conferences.
Greg Kellogg is the vice president of security solutions
for Calence, LLC. He is responsible for managing the company's overall
security strategy. Greg has more than 15 years of networking industry experience,
including serving as a senior security business consultant for the Cisco
Enterprise Channel organization. Additionally, Greg worked for Protego Networks,
Inc. (where MARS was originally developed). There he was responsible for
developing channel partner programs and helped solution providers increase
their security revenue.
Learn the differences between various log aggregation
and correlation systems
- Examine regulatory and industry requirements
- Evaluate various deployment scenarios
- Properly size your deployment
- Protect the Cisco Security MARS appliance from attack
- Generate reports, archive data, and implement disaster recovery plans
- Investigate incidents when Cisco Security MARS detects an attack
- Troubleshoot Cisco Security MARS operation
- Integrate Cisco Security MARS with Cisco Security Manager, NAC, and
third-party devices
- Manage groups of MARS controllers with global controller operations
This security book is part of the Cisco Press Networking
Technology Series. Security titles from Cisco Press help networking professionals
secure critical data and resources, prevent and mitigate network attacks,
and build end-to-end self-defending networks.
Table of Contents
Foreword
Introduction
Part I Introduction to CS-MARS and Security Threat
Mitigation
Chapter 1 Introducing CS-MARS
Introduction to Security Information Management
The Role of a SIM in Today's
Network
Common Features for SIM Products
Desirable Features for SIM Products
Challenges in Security Monitoring
Types of Events Messages
Understanding CS-MARS
Security Threat Mitigation System
Topology and Visualization
Robust Reporting and Rules Engine
Alerts and Mitigation
Description of Terminology
CS-MARS User Interface
Dashboard
Network Status
My Reports
Summary
Chapter 2 Regulatory Challenges in Depth
Health Insurance Portability and Accountability Act
of 1996 (HIPAA)
Who Is Affected by HIPAA?
What Are the Penalties for Noncompliance?
HIPAA Security Rule
HIPAA Security Rule and Security
Monitoring
Gramm-Leach-Bliley Act of 1999 (GLB Act)
Who Is Affected by the GLB Act?
What Are the Penalties for Noncompliance
with GLB?
The GLB Act Safeguards Rule
The GLB Safeguards Rule and Security
Monitoring
The Sarbanes-Oxley Act of 2002 (SOX)
Who Is Affected by Sarbanes-Oxley?
What Are the Penalties for Noncompliance
with Sarbanes-Oxley?
Sarbanes-Oxley Internal Controls
Payment Card Industry Data Security Standard (PCI-DSS)
Who Is Affected by the PCI Data
Security Standard?
What Are the Penalties for Noncompliance
with PCI-DSS?
The PCI Data Security Standard
Compliance Validation Requirements
Summary
Chapter 3 CS-MARS Deployment Scenarios
Deployment Types
Local and Standalone Controllers
Global Controllers
Sizing a CS-MARS Deployment
Special Considerations for Cisco
IPSs
Determining Your Events per Second
Determining Your Storage Requirements
Considerations for Reporting Performance
Considerations for Future Growth
and Flood Conditions
Planning for Topology Awareness
CS-MARS Sizing Case Studies
Retail Chain Example
State Government Example
Healthcare Example
Summary
Part II CS-MARS Operations and Forensics
Chapter 4 Securing CS-MARS
Physical Security
Inherent Security of MARS Appliances
Security Management Network
MARS Communications Requirements
Network Security Recommendations
Ingress Firewall Rules
Egress Firewall Rules
Network-Based IDS and IPS Issues
Summary
Chapter 5 Rules, Reports, and Queries
Built-In Reports
Understanding the Reporting Interface
Reporting Methods
The Query Interface
Creating an On-Demand Report
Batch Reports and the Report Wizard
Creating a Rule
About Rules
Creating the Rule
Creating Drop Rules
About Drop Rules
Creating the Drop Rule
Summary
Chapter 6 Incident Investigation and Forensics
Incident Handling and Forensic Techniques
Initial Incident Investigation
Viewing Incident Details
Finishing Your Investigation
False-Positive Tuning
Deciding Where to Tune
Tuning False Positives in MARS
Summary
Chapter 7 Archiving and Disaster Recovery
Understanding CS-MARS Archiving
Planning and Selecting the Archive
Server
Configuring the Archiving Server
Configuring CS-MARS for Archiving
Using the Archives
Restoring from Archive
Restoring to a Reporting Appliance
Direct Access of Archived Events
Retrieving Raw Events from Archive
Summary
Part III CS-MARS Advanced Topics
Chapter 8 Integration with Cisco Security Manager
Configuring CS-Manager to Support CS-MARS
Configuring CS-MARS to Integrate with CS-Manager
Using CS-Manager Within CS-MARS
Summary
Chapter 9 Troubleshooting CS-MARS
Be Prepared
Troubleshooting MARS Hardware
Beeping Noises
Degraded RAID Array
Troubleshooting Software and Devices
Unknown Reporting Device IP
Check Point or Other Logs Are Incorrectly
Parsed
New Monitored Device Logs Still
Not Parsed
How Much Storage Is Being Used,
and How Long Will It Last?
E-Mail Notifications Sent to Admin
Group Never Arrive
MARS Is Not Receiving Events from
Devices
Summary
Chapter 10 Network Admission Control
Types of Cisco NAC
NAC Framework Host Conditions
Understanding NAC Framework Communications
Configuration of CS-MARS for NAC
Framework Reporting
Information Available on CS-MARS
Summary
Chapter 11 CS-MARS Custom Parser
Getting Messages to CS-MARS
Determining What to Parse
Adding the Device or Application Type
Adding Log Templates
First Log Template
Second and Third Log Templates
Fourth and Fifth Log Templates
Additional Messages
Adding Monitored Device or Software
Queries, Reports, and Rules
Queries
Reports
Rules
Custom Parser for Cisco CSC Module
Summary
Chapter 12 CS-MARS Global Controller
Understanding the Global Controller
Zones
Installing the Global Controller
Enabling Communications Between
Controllers
Troubleshooting
Using the Global Controller Interface
Logging In to the Controller
Dashboard
Drilling Down into an Incident
Query/Reports
Local Versus Global Rules
Security and Monitor Devices
Custom Parser
Software Upgrades
Global Controller Recovery
Summary
Part IV Appendixes
Appendix A Querying the Archive
Appendix B CS-MARS Command Reference
Appendix C Useful Websites
Index
Customer Reviews
Customer Reviews: 1 Average Customer Rating: Jul 24, 2007 Dr. Akpose from Bltimore
In all, its a great buy
Ok, you recently purchased Cisco MARS appliance, now what? Or better yet, you are in the market for a Security Incident Management (SIM) solution or a Security Threat Mitigation (STM) Solution, and are already considering a Cisco solution; you may even be a Cisco network shop. How do you decide, without the pressure of the overbearing sales people over your neck? Well the best answer is to do your research. Read everything you can find online about SIM and STM technologies and research the various vendor solutions out there. You may even take note of Gartners reports on the technology or simply hire Gartner. However, one tool you will appreciate in your arsenal is the book by Gary Hellene and Greg Kellogg, Security Monitoring with Cisco Security MARS.
As you may well know, the product now called MARS did not originate in any of Ciscos R&D lab, but was a product from Perigee Network bought by Cisco in the fall of 2005. The product itself has undergone various upgrades, as has its documentation. But when you need quick answers, or compressed answers about SIM, STM or specifically MARS, the pages of this compact, under 300 pages, book will be your best bet in most cases, as I quickly found out.
The book came in at an opportune times, when I was just fidgeting with our newly installed MARS appliance, and answers that were taking quite long to find, wadding though jungles of pages that constitute the Cisco user manuals and the internet, were soon available after a few minutes of riffling though the book.
Reading the entire book took much less time than to read through the latest Harry Porter release, but it also brought into perspectives many components and nuances of the MARS appliance.
Organized into parts (like most Cisco press books), the book's content is outlined into an introductory section, an operations and forensic section, and what it calls an advanced topic section. The first three chapters that make up the introduction section provide essential background and rationale for deploying an STM or SIM solution in any network. This is one part any prospective SIM solution shopper should be acquainted with. It kind of helps you make the case for the expenditure. Not that you wont find it useful if you already made the purchase, you will be better served if you are fully briefed on the content in this section, as it lays out what you are getting into in some detail. Of course the emphasis is on MARS, a Cisco product, there is enough material here for everyone.
If you are a techie, you already own a MARS box (so you have to live with what you got), and you are not so worried about the business case for security, then, section 2 (Operations and Forensic) is a good place to start. The section begins with basics of securing the appliance itself; runs through rules, reports and queries; details incident investigation and forensics and ends with pertinent instructions on log data archiving and recovery in case something goes wrong with the appliance. Given that the section covers so much materials and is made up of four chapters, its one page volume is a great refresher to the security engineer who just wants to get adequate information to quickly get up and running. You will not become an expert by reading these four chapters, but your understanding of the appliance and appreciation for what can be done will grow after you read it. Also, you should be able to carry out at least 50% of the tasks you will need to carry out with the appliance.
The last section is probably the most fun, but you will do well reading it last. While the book outlines the last section to include just 4 chapters, the three appendices can easily be considered a direct appendage of the materials in this section. The section provides basic instructions on how to integrate MARS with other Cisco security products including the Cisco Security Manager (CSM) in chapter 8, the Cisco Network Admission Control (NAC) solutions in chapter 10, and Cisco MARS enterprise deployment framework in chapter 12. Chapters 9 and 11 present additional operational information on troubleshooting and log management. The appendices includes various system level and command line tools for managing and getting more out of the MARS appliance.
In all, the book is a great buy.
|
