
Security Threat Mitigation and Response: Understanding Cisco Security MARS

by Dale Tesch and Greg Abelar
  • ISBN13: 9781587052606
  • ISBN10: 1587052601

  • Edition: 1st
  • Format: Paperback
  • Copyright: 2006-09-28
  • Publisher: Cisco Press

Summary

Identify, manage, and counter security threats with the Cisco Security Monitoring, Analysis, and Response System

Dale Tesch, Greg Abelar

While it is commonly understood that deploying network security devices is critical to the well-being of an organization's systems and data, all too often companies assume that simply having these devices is enough to maintain the integrity of network resources. To really provide effective protection for their networks, organizations need to take the next step by closely examining network infrastructure, host, application, and security events to determine if an attack has exploited devices on their networks. Cisco® Security Monitoring, Analysis, and Response System (Cisco Security MARS) complements network and security infrastructure investment by delivering a security command and control solution that is easy to deploy, easy to use, and cost-effective. Cisco Security MARS fortifies deployed network devices and security countermeasures, empowering you to readily identify, manage, and eliminate network attacks and maintain compliance.

Security Threat Mitigation and Response helps you understand this powerful new security paradigm that reduces your security risks and helps you comply with new data privacy standards. This book clearly presents the advantages of moving from a security reporting system to an all-inclusive security and network threat recognition and mitigation system. You will learn how Cisco Security MARS works, what the potential return on investment is for deploying Cisco Security MARS, and how to set up and configure Cisco Security MARS in your network.

"Dealing with gigantic amounts of disparate data is the next big challenge in computer security; if you're a Cisco Security MARS user, this book is what you've been looking for." Marcus J. Ranum, Chief of Security, Tenable Security, Inc.

Dale Tesch is a product sales specialist for the Cisco Security MARS product line for the Cisco Systems® United States AT Security team. Dale came to Cisco Systems through the acquisition of Protego Networks in February 2005. Since then, he has had the primary responsibilities of training the Cisco sales and engineering team on SIM systems and Cisco Security MARS and for providing advanced sales support to Cisco customers.

Greg Abelar has been an employee of Cisco Systems since December 1996. He was an original member of the Cisco Technical Assistance Security team, helping to hire and train many of the team's engineers. He has held various positions in both the Security Architecture and Security Technical Marketing Engineering teams at Cisco.

  • Understand how to protect your network with a defense-in-depth strategy
  • Examine real-world examples of cost savings realized by Cisco Security MARS deployments
  • Evaluate the technology that underpins the Cisco Security MARS appliance
  • Set up and configure Cisco Security MARS devices and customize them for your environment
  • Configure Cisco Security MARS to communicate with your existing hosts, servers, network devices, security appliances, and other devices in your network
  • Investigate reported threats and use predefined reports and queries to get additional information about events and devices in your network
  • Use custom reports and custom queries to generate device and event information about your network and security events
  • Learn firsthand from real-world customer stories how Cisco Security MARS has thwarted network attacks

This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate

Author Biography

Greg Abelar has been an employee of Cisco Systems, Inc., since December 1996. He was an original member of the Cisco Technical Assistance Security Team, helping to hire and train many of the engineers. He has held various positions in both the Security Architecture and Security Technical Marketing Engineering teams at Cisco. Greg is the primary founder and project manager of Cisco’s Written CCIE Security exam. Before his employment at Cisco, Greg worked at Apple Computer, Inc., for eight years as a TCP/IP, IPX, and AppleTalk cross-platform escalation engineer. At Apple, he also served as a project leader in the technical platform deployment for the Apple worldwide network. From 1991 to 1996, Greg worked as both a systems programmer and an IT manager for Plantronics, Inc. From 1985 to 1991, Greg was employed by the County Bank of Santa Cruz, where he worked as an applications programmer. This book is Greg’s second authorship of a technical publication; the first was a very successful and uniquely presented publication, also from Cisco Press, titled Securing Your Business with Cisco ASA and PIX Firewalls (2005). Besides authoring Cisco Press publications, he was a co-author of Version 2 of the premier Internet security architecture whitepaper, “SAFE: A Security Blueprint for Enterprise and Networks.” His credentials also include technical editing of five security publications by Cisco Press. Greg lives with his wife, Ellen, and three children, Jesse, Ethan, and Ryan, in Aptos, California.

 

Visit Greg's blog at http://security1a.blogspot.com/.

 

Dale Tesch is a product sales specialist for the CS-MARS product line for Cisco Systems’ US AT Security Team. Dale came to Cisco Systems through the acquisition of Protego Networks in February 2005 and has held the primary responsibilities of training Cisco’s Sales and Engineering team on SIMS and CS-MARS and providing advanced sales support to Cisco customers. While at Protego Networks, he was responsible for sales and engineering in parts of the United States, Canada, and Europe. Before Protego Networks, he was an AT security engineer for Cisco Systems’ U.S. Channels Organization. Dale was the founding team leader of the U.S. Channels Security Technical Advisory Team and came to Cisco originally in 2000. Before Cisco, he was the senior systems engineer at Vitts Networks, a New England–based DSL provider. Previously, Dale spent ten years in the U.S. Navy Submarine Force and is a veteran of Desert Storm. He lives in Madbury, New Hampshire, with his fiancée, Janet, and their six children, Scott, Alex, Isabella, Douglas, Andrew, and Kristyn. Dale has published several articles on SIMs, security policy, and wireless security and has been a technical editor for Cisco Press. Dale also speaks as an industry expert and trainer for various technical seminars. He holds CCNP and CISSP certifications and is a graduate of Southern New Hampshire University.

Table of Contents

Foreword xviii
Introduction xxi

Part I The Security Threat Identification and Response Challenge 3
Understanding SIM and STM 5
Understanding Security Information Management Legacy Threat Response 5
Understanding Security Information Management 6
Meeting the Needs of Industry Regulations 8
The Sarbanes-Oxley Act 9
Gramm-Leach-Bliley Act 10
Health Insurance Portability and Accountability Act 10
Understanding the Unified Security Platform 10
Introduction to Security Threat Mitigation 11
Benefits of Moving from SIM to STM 12
Understanding a Mitigation, Analysis, and Response System 13
Advantages of a Proactive Security Framework 14
Leveraging Your Existing Environment 17
Small-to-Medium Business Networks 17
Enterprise Networks 19
The Multivendor Approach and Associated Challenges 21
Summary 22
Role of CS-MARS in Your Network 25
The Self-Defending Network and the Expanding Role of CS-MARS 25
Understanding the Self-Defending Network 26
Defense-in-Depth and the Self-Defending Network 26
Enhancing the Self-Defending Network 34
Automated Log Correlation 34
Automated Threat Response 35
Automated Mitigation 35
CS-MARS: Filling the Gaps in the Self-Defending Network 35
CS-MARS Log Integration 36
CS-MARS Automated Threat Response 39
CS-MARS Automated Mitigation 40
CS-MARS as an STM Solution 41
Reasons for an STM 41
Day-Zero Attacks, Viruses, and Worms 41
Monitoring and Enforcing Security Policy 42
Insight, Integration, and Control of Your Network 42
Auditing Controls 43
Monitoring Access Control 43
Using CS-MARS to Justify Security Investment 43
The STM Deployment 44
Summary 45
Deriving TCO and ROI 49
Fact, FUD, and Fiction 49
FUD vs. Reality 50
Example 1: The 2005 FBI Cybercrime Reports 50
Example 2: The U.S. Critical Infrastructure Is Vulnerable 50
Real Threats to Enterprises 51
Attack Impact 54
Tangible Costs 54
Intangible Costs 58
Emerging Threats 59
Extortion 60
Zero-Day Exploits for Sale 61
Botnets and Botnet Rental 61
Impact of Attacks and Probability of Reoccurrence 62
Total Cost of Ownership 63
Using CS-MARS to Ensure ROI and Protect Your Assets 64
Cost of Recovery Without CS-MARS 64
Cost of Recovery Using CS-MARS 65
Summary 66

Part II CS-MARS Theory and Configuration 69
CS-MARS Technologies and Theory 71
Technical Introduction to the CS-MARS Appliance 71
CS-MARS at a Glance 72
CS-MARS Product Portfolio and Hardware Specifications 73
CS-MARS Terminology 75
CS-MARS Technologies 77
Database Storage and Utilization 78
CS-MARS Database Structure 79
CS-MARS Data Archiving 80
Network Topology Used for Forensic Analysis 81
CS-MARS Topology Information 82
Understanding Attack Diagrams and Attack Vectors 83
CS-MARS Network Discovery 86
NetFlow in CS-MARS 88
Understanding NetFlow 88
Using NetFlow in CS-MARS 89
Conducting Behavioral Profiling Using CS-MARS 89
Positive Alert Verification and Dynamic Vulnerability Scanning 90
Understanding False Positives 91
Understanding Vulnerability Analysis 92
Methodology of Communication 93
Communication Methods 94
Use of Agents 95
Incident Reporting and Notification Methods 96
Summary 99
CS-MARS Appliance Setup and Configuration 101
Deploying CS-MARS in Your Network 101
Network Placement 102
CS-MARS Security Hardening 104
Protocol Security Hardening 107
CS-MARS Initial Setup and Quick Install 108
Complete the Initial CS-MARS Configuration 108
Enter System Parameters Using the CS-MARS Web Interface 111
Enter System Parameters to Activate Your CS-MARS Appliance 112
CS-MARS Reporting Device Setup 114
Adding Devices 114
Manual Device Entry 114
CSV File Import 120
Creating Users and Groups 121
Configuring NetFlow and Vulnerability Scanning 122
NetFlow Configuration 123
Dynamic Vulnerability Scanning Configuration 124
Configuring CS-MARS System Maintenance 126
Configuring System Parameters 127
Summary 128
Reporting and Mitigative Device Configuration 131
Identifying CS-MARS-Supported Devices 131
Types of Devices and the Information They Provide 132
The Difference Between Reporting and Mitigation Devices 137
Reporting Devices 137
Mitigation Devices 138
Table of CS-MARS-Supported Devices 138
Configuring Devices to Communicate with CS-MARS 145
Configuring Routers 145
Configuring SNMP on Cisco IOS Routers 146
Configuring NetFlow on Cisco IOS Routers 146
Configuring Syslog on Cisco IOS Routers 147
Configuring NAC-Specific Reporting 148
Generic Router Support 149
Configuring Switches 151
Configuring Switches to Enable L2 Discovery 151
Configuring Switches to Enable Syslog 155
Configuring Switches to Enable NAC-Specific Messages 156
Configuring Switches to Enable NetFlow 158
Configuring Extreme Network Switches 159
Configuring Firewalls 160
Cisco PIX, ASA, and Firewall Service Module 161
Configuring a Juniper NetScreen Firewall 164
Check Point Firewall and Check Point Nokia Firewall Appliances 166
Configuring Web Caches to Work with CS-MARS 167
Enabling IDS and IPS in a CS-MARS Environment 170
Cisco IPS Appliance Configuration 171
Cisco IPS Catalyst Switch Modules 176
Cisco IPS-Enabled Routers (Integrated Security Routers) 176
Cisco Security Service Modules (IPS Modules) for ASA (ASA/SSM) 177
IntruVert IntruShield V1.8 177
Juniper NetScreen IDP 180
Symantec ManHunt 181
ISS RealSecure Sensor 183
Snort IPS Sensor 187
Enterasys Dragon 188
Operating Systems and Web Servers 188
Microsoft Windows Operating Systems 189
Sun Solaris and Generic Linux Operating Systems 193
Microsoft Internet Information Web Server 194
iPlanet Web Server 196
Apache Web Server 196
VPN Concentrators 199
Configure VPN 3000 Series Concentrators to Communicate with CS-MARS 199
Add VPN 3000 Series Concentrators to the CS-MARS Device Database 200
Antivirus Hosts and Servers 200
Database Servers 201
Oracle 201
Summary 203

Part III CS-MARS Operation 205
CS-MARS Basic Operation 207
Using the Summary Dashboard, Network Status Graphs, and My Reports Tab 207
Reading Incidents and Viewing Path Information 208
Path Information 211
Incident Vector Information 212
Using the HotSpot Graph and Attack Diagram 213
HotSpot Graph 213
Attack Diagram 214
Interpreting Events and NetFlow Graphs and False Positive Graphs 214
Understanding Data on the Information Summary Column 216
Interpreting the X, Y Axis Graphs 219
Using the Network Status Tab 220
Using My Reports 222
Using the Incidents Page 223
Using the Incidents Page 223
Incidents Tab 224
False Positives Tab 225
Cases Tab 227
Using the Incident ID to View Data 229
Simple Queries 232
Setting the Query Type 233
Instant Queries 235
On-Demand Queries and Manual Queries 237
On-Demand Queries 237
Manual Queries 238
Summary 243
Advanced Operation and Security Analysis 245
Creating Reports 245
Report Formats 246
Using Predefined Reports 247
Using the Report Tab 248
Loading Reports as an On-Demand Query 249
Creating Custom Reports 251
Methods of Report Delivery 253
Creating Rules 255
The Two Types of Rules 256
Inspection Rules 256
Drop Rules 257
Active vs. Inactive Rules 265
Creating Custom System Inspection Rules 266
Custom Rule Creation: Additional Considerations 273
Using the Query Tool to Create a Rule 274
Complex and Behavioral Rule Creation 276
Summary 278

Part IV CS-MARS in Action 281
CS-MARS Uncovered 283
State Government 283
Detection 284
Action 284
Resolution 284
Large University 284
Detection 285
Action 285
Resolution 286
Hospital 286
Detection 287
Action 287
Resolution 287
Enterprise Financial Company 288
Detection 288
Action 288
Resolution 289
Small Business 289
Detection 290
Action 290
Resolution 290
Summary 291

Part V Appendixes 293
Appendix A Useful Security Websites 295
Security Links and Descriptions 295
General Security 295
Governmental Security Controls and Information 296
Tools and Testing 298
Cisco Security Sites 298
Appendix B CS-MARS Quick Data Sheets 301
Quick Hardware and Protocol Specifications for CS-MARS 301
CS-MARS Technology Facts 304
NetFlow Platform Guide 305
NetFlow Performance Information 306
NetFlow Memory Allocation Information 307
V4.1 Product Support List 307
Appendix C CS-MARS Supplements 315
CS-MARS Evaluation Worksheet 315
Security Threat Mitigation 315
Technical Evaluation Worksheet 315
Sample Seed File 319
ISS Configuration Scripts 320
ISS Network Sensor 321
ISS Server Sensor 322
IOS and CatOS NetFlow Quick Configuration Guide 323
Configuring NetFlow Export on a Cisco IOS Device 323
Configuring NetFlow on a Cisco CatOS Switch 324
Appendix D Command-Line Interface 327
Complete Command Summary 327
CS-MARS Maintenance Commands 330
Appendix E CS-MARS Reporting 335
CS-MARS V4.1 Reports 335
Appendix F CS-MARS Console Access 349
Using Serial Console Access 349
Appendix G CS-MARS Check Point Configuration 353
Configuring Check Point NG FP3/AI and CS-MARS 353
Check Point-Side Configuration 353
CS-MARS Configuration 354
Modifying the Communications to the SmartDashboard/CMA 358
Known Open and Closed Issues 358
Configuring Check Point Provider-1 R60 359
Index 361

Excerpts

Foreword

Today's biggest challenge in computer security is dealing with the huge amounts of data that pour in from disparate and distributed sources. Gigabytes of firewall logs, intrusion detection system logs, and user activity logs are more than any human can expect to cope with or analyze; we need software layers to help sort through the mass of data and turn it into useful, actionable information. The notion of "actionable" information, in this context, is especially important. It's no longer enough to inform a security administrator, "Something suspicious happened on this host at 11:54 p.m." The threats are too complex and fast-moving for a human to be effective inside the response cycle. We need software that wraps the data analysis with a knowledge base of what are reasonable reactions to take to certain classes of events, so that an administrator is presented not merely with a problem diagnosis but also a resolution recommendation. That's what Cisco's MARS is all about--turning data into actionable information and recommendations.

Typically a technical book's foreword is a chance for someone who has read the book to ramble for a couple pages about some high-level topic, then end with a ringing exhortation to "buy and read this book!" For most of us, that adds nothing (except for two or three pages you can flip past), so I thought I'd approach this foreword a bit differently. To me, one of the things lacking in most technical books is a feeling for the authors themselves. Who are these guys? What motivated them to write this book? Besides, you probably didn't pick up this book because you wanted to read my pontifications--you wanted to see what Dale and Greg have to say! Instead of my opinions, I thought I'd use this space to interview the authors about some of the things you won't find elsewhere in the book.

Dear reader, let me introduce Dale Tesch, Jr., and Greg Abelar:

Marcus: So CS-MARS is obviously a system in which you have a lot of time and energy invested. How did you first get involved with it, and what got you excited about it?

Dale: I was first introduced to MARS while I was a security engineer for Cisco working with Channel Partners. I had a partner approach me looking for a solution that could help them deploy a security managed service to their customers. They had customers with all kinds of products and looked to Cisco to help them find a solution. Cisco did not have a product that could help them, so I started looking outside the Cisco product set. I turned to my fellow engineers in Cisco and discovered one of them left Cisco to start up Protego Networks. They had a product that may do what my Cisco Partners needed. I contacted him and fell in love with the product. As a security engineer I was very passionate about security technology that promised what it delivered, and MARS delivered what I needed and more. It filled a gap in the security market that no company was fulfilling. I knew it was going to take off! Protego MARS was so simple to operate yet very strong in SIM and behavioral analysis. It was making me so successful with our key security partners that I decided to leave Cisco and join Protego.

Greg: I first experienced CS-MARS when it was still part of a company called Protego. I was deeply involved in network intrusion prevention systems (IPS) at the time. IPSs have their strengths, but their value is diminished by the huge volume of noise and false positive alerts they generate. A friend of mine called me asking about a company called Protego that had a device that could supposedly reduce false positive alerts. Intrigued, I set out to find out a little bit about this technology. As luck would have it, the next day I saw some engineers testing a Protego box in the lab, so I hung out to see what the big deal was. Big deal, indeed.

I saw a demo where they ran an attack that triggered a group of IPS alerts, but CS-MARS consolidated those alerts to a single event and also recommended a command to mitigate the attack. It did multidevice event consolidation and event correlation. It was easy to use and also made and deployed mitigation recommendations. The rest is history. I was hooked. Cisco acquired Protego, and the daily nightmare that security responders faced dealing with several thousand alerts was significantly reduced. They suddenly had a tool that improved their efficiency to a level that was staggering.

Marcus: You're talking about a technology that sits right in the middle of the entire computer/network security problem--it's a lot to get a handle on! How did you figure out where to start?

Greg: On the surface CS-MARS appears to be a tame animal. You launch the GUI, configure it, then off you go, right? Well, right but also wrong. Your question indicates there is much more to it than that, and you are correct. You can configure CS-MARS with a basic configuration and get some valuable data that will help you respond to threats. But to get the most out of your CS-MARS appliance, you need to have a good understanding of your network topology, your security devices, and how attacks work. Then you need to understand the capabilities of the CS-MARS product. This book answers exactly this question. It not only addresses how to start working with CS-MARS, but it also addresses where you go after you have started. Looking at the book from a high level, we take the reader from the basics of security reporting and mitigation, explain any new terminology and technology used by CS-MARS, explain basic configurations, and then explain how to interpret incidents as they are reported. To simplify the learning experience for the reader, the book includes plenty of step-by-step guidelines as well as clearly explained technical tidbits to give you an excellent jumpstart into this technology.

Dale: Good old trial and error worked for me! You can take all kinds of advice, training courses, or pointers from the pros, but until you get your feet wet in real operational networks with the technology, you can never get the insight and experience on how to solve business problems with it.

Marcus: Dale, you say it's important to experiment. Do you remember any "AHA!" moments that you've had that really made things click for you? I've found with many of the products I've worked with, sometimes you use it in a way that nobody expects, and it works great. It's always fun when you talk to the designers and say, "It's great for doing blah blah blah," and they respond, "Really!!? We never thought of that!"

Dale: When I first joined Protego and really started working with MARS, I discovered the product was schizophrenic. Meaning, it had many personalities. The appliance was built for security threat detection, analysis, and mitigation, yet it could play many other roles in a network. Shortly before the acquisition by Cisco, I was in a VAR's SOC. I was rather impressed by the facility they had and how automated it was. They were bragging about how they could manage it remotely from anywhere via the web. Their HVAC system, physical security system, and lighting systems were all automated and sent log data via SNMP. Just for show and tell and a little experiment, we configured the systems to report to MARS and built rules outlining normal behavior of temperatures, lighting, and physical access control. We began to design rules and alarms to go off when temps went out of range, visitors checked in but not out, and even when certain lights were turned on during odd hours. The VAR then took this to the company that sold them the building systems and they bought one for themselves. They are now positioning it as a monitoring solution for their building automation products. They recently ins
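The behaviour Greg describes in the interview above (a burst of IPS alerts from several sensors collapsed into one incident, then cross-checked against what other devices saw so that blocked attacks are not reported as successful ones) is the core of what a SIM/STM does, and it is also what the book's "Positive Alert Verification" and "Understanding False Positives" sections cover. The Python below is an added example written for this page; it is not code from the book and not how Cisco Security MARS is implemented. Every log line, sensor name, signature ID and address in it is constructed for the demo, and the two line formats are simplified stand-ins that only loosely resemble Cisco IPS and PIX syslog. Firewall connection records ("Built" vs "Deny") are used as the verification source here; MARS also draws on NetFlow and dynamic vulnerability scans for the same decision.

```python
"""Multi-device alert consolidation with firewall-based positive verification.

Added example, not code from the book or from Cisco Security MARS. All log
lines, sensor names, signature IDs and addresses are constructed for the demo;
the line formats are simplified stand-ins for Cisco IPS and PIX syslog.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed IPS alert format:
#   "<date> <time> <sensor> SIG=<id> <src>:<sport> -> <dst>:<dport>"
ALERT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<sensor>\S+) SIG=(?P<sig>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
# Constructed firewall connection-log format:
#   "<date> <time> <firewall> <Built|Deny> tcp <src>/<sport> -> <dst>/<dport>"
FW_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<fw>\S+) (?P<action>Built|Deny) tcp "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) -> (?P<dst>[\d.]+)/(?P<dport>\d+)$"
)

# Constructed sample data: one attack seen by two sensors (reached the host),
# one attack seen by one sensor (dropped by the firewall), one lone alert
# with no corroborating firewall record at all.
ALERTS = """\
2006-09-28 11:54:01 ips-edge SIG=5081 203.0.113.7:40112 -> 10.1.1.20:80
2006-09-28 11:54:02 ips-dmz SIG=5081 203.0.113.7:40112 -> 10.1.1.20:80
2006-09-28 11:54:03 ips-edge SIG=5081 203.0.113.7:40113 -> 10.1.1.20:80
2006-09-28 11:54:03 ips-dmz SIG=5081 203.0.113.7:40113 -> 10.1.1.20:80
2006-09-28 11:55:10 ips-edge SIG=3327 203.0.113.9:51000 -> 10.1.2.30:445
2006-09-28 11:55:11 ips-edge SIG=3327 203.0.113.9:51001 -> 10.1.2.30:445
2006-09-28 11:55:12 ips-edge SIG=3327 203.0.113.9:51002 -> 10.1.2.30:445
2006-09-28 12:30:00 ips-edge SIG=3702 198.51.100.4:2200 -> 10.1.1.20:22
""".splitlines()

FIREWALL = """\
2006-09-28 11:54:01 pix-dmz Built tcp 203.0.113.7/40112 -> 10.1.1.20/80
2006-09-28 11:54:03 pix-dmz Built tcp 203.0.113.7/40113 -> 10.1.1.20/80
2006-09-28 11:55:10 pix-dmz Deny tcp 203.0.113.9/51000 -> 10.1.2.30/445
2006-09-28 11:55:11 pix-dmz Deny tcp 203.0.113.9/51001 -> 10.1.2.30/445
2006-09-28 11:55:12 pix-dmz Deny tcp 203.0.113.9/51002 -> 10.1.2.30/445
""".splitlines()


@dataclass
class Incident:
    sig: str
    src: str
    dst: str
    dport: int
    first: datetime
    last: datetime
    sensors: set = field(default_factory=set)
    alert_count: int = 0
    verified: Optional[bool] = None  # True: reached dst; False: blocked; None: unknown


def _parse(lines, regex):
    """Parse lines matching regex; unknown lines are skipped, not fatal."""
    out = []
    for line in lines:
        m = regex.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
        d["dport"] = int(d["dport"])
        out.append(d)
    return out


def parse_alerts(lines):
    return _parse(lines, ALERT_RE)


def parse_firewall(lines):
    return _parse(lines, FW_RE)


def consolidate(alerts, window=timedelta(minutes=5)):
    """Collapse alerts sharing (signature, src, dst, dport) into one incident
    as long as they arrive within `window` of the previous alert; the source
    port and the reporting sensor are deliberately NOT part of the key, so
    multiple sensors seeing the same attack produce one incident."""
    incidents, open_by_key = [], {}
    for a in sorted(alerts, key=lambda a: a["ts"]):
        key = (a["sig"], a["src"], a["dst"], a["dport"])
        inc = open_by_key.get(key)
        if inc is None or a["ts"] - inc.last > window:
            inc = Incident(a["sig"], a["src"], a["dst"], a["dport"], a["ts"], a["ts"])
            incidents.append(inc)
            open_by_key[key] = inc
        inc.last = a["ts"]
        inc.sensors.add(a["sensor"])
        inc.alert_count += 1
    return incidents


def verify(incidents, fw_events, slack=timedelta(seconds=30)):
    """Positive verification: did the firewall build a session for this flow
    around the time of the alerts? Built => attack reached the target;
    Deny only => blocked (false positive for response purposes); nothing => unknown."""
    for inc in incidents:
        actions = {
            e["action"] for e in fw_events
            if (e["src"], e["dst"], e["dport"]) == (inc.src, inc.dst, inc.dport)
            and inc.first - slack <= e["ts"] <= inc.last + slack
        }
        inc.verified = True if "Built" in actions else (False if "Deny" in actions else None)
    return incidents


def classify(inc):
    if inc.verified is True:
        return "confirmed"
    if inc.verified is False:
        return "false positive (blocked by firewall)"
    return "unverified"


def run(alert_lines=ALERTS, fw_lines=FIREWALL):
    return verify(consolidate(parse_alerts(alert_lines)), parse_firewall(fw_lines))


if __name__ == "__main__":
    for inc in run():
        print(f"SIG={inc.sig} {inc.src} -> {inc.dst}:{inc.dport} "
              f"alerts={inc.alert_count} sensors={sorted(inc.sensors)} {classify(inc)}")
```

Running it turns eight raw alerts into three incidents: the first is confirmed (four alerts, two sensors, firewall sessions built), the second is demoted to a false positive because every matching connection was denied, and the third stays unverified because no device other than the sensor saw the flow. Two caveats a practitioner should keep in mind: a built session only proves the traffic reached the host, not that the exploit worked (which is why MARS additionally checks whether the target is actually vulnerable), and the correlation key and time window are policy decisions; a scanner that rotates source addresses or spaces probes beyond the window will show up as several incidents rather than one.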
