Security Threat Mitigation and Response: Understanding Cisco Security MARS

Book Description

Identify, manage, and counter security threats with the Cisco Security Monitoring, Analysis, and Response System

Dale Tesch

Greg Abelar

While it is commonly understood that deploying network security devices is critical to the well-being of an organization’s systems and data, all too often companies assume that simply having these devices is enough to maintain the integrity of network resources. To really provide effective protection for their networks, organizations need to take the next step by closely examining network infrastructure, host, application, and security events to determine if an attack has exploited devices on their networks.

Cisco® Security Monitoring, Analysis, and Response System (Cisco Security MARS) complements network and security infrastructure investment by delivering a security command and control solution that is easy to deploy, easy to use, and cost-effective. Cisco Security MARS fortifies deployed network devices and security countermeasures, empowering you to readily identify, manage, and eliminate network attacks and maintain compliance.

Security Threat Mitigation and Response helps you understand this powerful new security paradigm that reduces your security risks and helps you comply with new data privacy standards. This book clearly presents the advantages of moving from a security reporting system to an all-inclusive security and network threat recognition and mitigation system. You will learn how Cisco Security MARS works, what the potential return on investment is for deploying Cisco Security MARS, and how to set up and configure Cisco Security MARS in your network.

“Dealing with gigantic amounts of disparate data is the next big challenge in computer security; if you’re a Cisco Security MARS user, this book is what you’ve been looking for.”

–Marcus J. Ranum, Chief of Security, Tenable Security, Inc.

Dale Tesch is a product sales specialist for the Cisco Security MARS product line for the Cisco Systems® United States AT Security team. Dale came to Cisco Systems through the acquisition of Protego Networks in February 2005. Since then, he has had the primary responsibilities of training the Cisco sales and engineering team on SIM systems and Cisco Security MARS and for providing advanced sales support to Cisco customers. 

Greg Abelar has been an employee of Cisco Systems since December 1996. He was an original member of the Cisco Technical Assistance Security team, helping to hire and train many of the team’s engineers. He has held various positions in both the Security Architecture and Security Technical Marketing Engineering teams at Cisco.

  • Understand how to protect your network with a defense-in-depth strategy

  • Examine real-world examples of cost savings realized by Cisco Security MARS deployments

  • Evaluate the technology that underpins the Cisco Security MARS appliance

  • Set up and configure Cisco Security MARS devices and customize them for your environment

  • Configure Cisco Security MARS to communicate with your existing hosts, servers, network devices, security appliances, and other devices in your network

  • Investigate reported threats and use predefined reports and queries to get additional information about events and devices in your network

  • Use custom reports and custom queries to generate device and event information about your network and security events

  • Learn firsthand from real-world customer stories how Cisco Security MARS has thwarted network attacks

This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.

Category: Cisco Press–Security

Covers: Security Threat Mitigation

Table of Contents

    1. Copyright
      1. Dedications
    2. About the Authors
    3. About the Technical Reviewers
    4. Acknowledgments
    5. Foreword
    6. Introduction
      1. Goals and Methods
      2. Who Should Read This Book?
      3. How This Book Is Organized
    7. I. The Security Threat Identification and Response Challenge
      1. 1. Understanding SIM and STM
        1. Understanding Security Information Management Legacy Threat Response
          1. Understanding Security Information Management
          2. Meeting the Needs of Industry Regulations
            1. The Sarbanes-Oxley Act
            2. Gramm-Leach-Bliley Act
            3. Health Insurance Portability and Accountability Act
        2. Understanding the Unified Security Platform
          1. Introduction to Security Threat Mitigation
            1. Benefits of Moving from SIM to STM
            2. Understanding a Mitigation, Analysis, and Response System
            3. Advantages of a Proactive Security Framework
            4. Collaboration of Security Events
            5. False-Positive Reduction
            6. Incident Notification
            7. Attack Mitigation or Remediation
          2. Leveraging Your Existing Environment
            1. Small-to-Medium Business Networks
            2. Enterprise Networks
            3. The Multivendor Approach and Associated Challenges
        3. Summary
      2. 2. Role of CS-MARS in Your Network
        1. The Self-Defending Network and the Expanding Role of CS-MARS
          1. Understanding the Self-Defending Network
            1. Defense-in-Depth and the Self-Defending Network
              1. Authentication Layer
              2. Perimeter-Layer Defenses
              3. Network Intrusion Prevention
              4. Host Intrusion-Prevention Layer
              5. Security Best Practices
          2. Enhancing the Self-Defending Network
            1. Automated Log Correlation
            2. Automated Threat Response
            3. Automated Mitigation
          3. CS-MARS: Filling the Gaps in the Self-Defending Network
            1. CS-MARS Log Integration
            2. CS-MARS Automated Threat Response
            3. CS-MARS Automated Mitigation
        2. CS-MARS as an STM Solution
          1. Reasons for an STM
            1. Day-Zero Attacks, Viruses, and Worms
            2. Monitoring and Enforcing Security Policy
            3. Insight, Integration, and Control of Your Network
            4. Auditing Controls
            5. Monitoring Access Control
            6. Using CS-MARS to Justify Security Investment
          2. The STM Deployment
        3. Summary
      3. 3. Deriving TCO and ROI
        1. Fact, FUD, and Fiction
          1. FUD vs. Reality
            1. Example 1: The 2005 FBI Cybercrime Reports
            2. Example 2: The U.S. Critical Infrastructure Is Vulnerable
        2. Real Threats to Enterprises
        3. Attack Impact
          1. Tangible Costs
          2. Intangible Costs
          3. Emerging Threats
            1. Extortion
            2. Zero-Day Exploits for Sale
            3. Botnets and Botnet Rental
          4. Impact of Attacks and Probability of Reoccurrence
        4. Total Cost of Ownership
        5. Using CS-MARS to Ensure ROI and Protect Your Assets
          1. Cost of Recovery Without CS-MARS
          2. Cost of Recovery Using CS-MARS
        6. Summary
    8. II. CS-MARS Theory and Configuration
      1. 4. CS-MARS Technologies and Theory
        1. Technical Introduction to the CS-MARS Appliance
          1. CS-MARS at a Glance
          2. CS-MARS Product Portfolio and Hardware Specifications
            1. Local Controller (LC)
            2. Global Controller (GC)
          3. CS-MARS Terminology
            1. Event
            2. Parser
            3. Session
            4. Incident
            5. Rule
          4. CS-MARS Technologies
            1. ContextCorrelation
            2. SureVector Analysis
            3. AutoMitigate
        2. Database Storage and Utilization
          1. CS-MARS Database Structure
          2. CS-MARS Data Archiving
        3. Network Topology Used for Forensic Analysis
          1. CS-MARS Topology Information
          2. Understanding Attack Diagrams and Attack Vectors
            1. Sequential Incident Vector Information
            2. Sequential Path Information
            3. Standard Attack Vector Diagram
            4. Standard Path Analysis
          3. CS-MARS Network Discovery
            1. SNMP Discovery
            2. Seed File Input
            3. Manual Entry
            4. Device Event Reporting
        4. NetFlow in CS-MARS
          1. Understanding NetFlow
          2. Using NetFlow in CS-MARS
          3. Conducting Behavioral Profiling Using CS-MARS
        5. Positive Alert Verification and Dynamic Vulnerability Scanning
          1. Understanding False Positives
            1. System Determined
            2. Unconfirmed
          2. Understanding Vulnerability Analysis
            1. Built-in Nessus utility
            2. Third-Party VA Tool
        6. Methodology of Communication
          1. Communication Methods
          2. Use of Agents
          3. Incident Reporting and Notification Methods
        7. Summary
      2. 5. CS-MARS Appliance Setup and Configuration
        1. Deploying CS-MARS in Your Network
          1. Network Placement
          2. CS-MARS Security Hardening
            1. Protocol Security Hardening
              1. Enforcing Directional Control
              2. Allowing Local Protocol Access Only
              3. Selectively Allowing Protocol Access Using Device Authentication
              4. Sandboxing Your Command-Line Execution
        2. CS-MARS Initial Setup and Quick Install
          1. Complete the Initial CS-MARS Configuration
          2. Enter System Parameters Using the CS-MARS Web Interface
            1. Enter System Parameters to Activate Your CS-MARS Appliance
        3. CS-MARS Reporting Device Setup
          1. Adding Devices
            1. Manual Device Entry
            2. CSV File Import
              1. Using a CSV Device Import File (Seed File)
        4. Creating Users and Groups
        5. Configuring NetFlow and Vulnerability Scanning
          1. NetFlow Configuration
          2. Dynamic Vulnerability Scanning Configuration
        6. Configuring CS-MARS System Maintenance
          1. License keys
          2. Upgrades
          3. Certificates
          4. Runtime Logging Levels
          5. Viewing of the Appliance’s Log Files
          6. Viewing of the Audit Trail
          7. Retrieval of Raw Messages
          8. Data Archiving
        7. Configuring System Parameters
          1. Windows Event Log Pulling Time Interval
          2. TACACS/AAA Server Prompts
          3. Oracle Event Log Pulling Time Interval
          4. Distributed Threat Mitigation (DTM) Settings
          5. Proxy Settings
        8. Summary
      3. 6. Reporting and Mitigative Device Configuration
        1. Identifying CS-MARS–Supported Devices
          1. Types of Devices and the Information They Provide
          2. The Difference Between Reporting and Mitigation Devices
            1. Reporting Devices
            2. Mitigation Devices
          3. Table of CS-MARS–Supported Devices
        2. Configuring Devices to Communicate with CS-MARS
          1. Configuring Routers
            1. Configuring SNMP on Cisco IOS Routers
            2. Configuring NetFlow on Cisco IOS Routers
            3. Configuring Syslog on Cisco IOS Routers
            4. Configuring NAC-Specific Reporting
            5. Generic Router Support
          2. Configuring Switches
            1. Configuring Switches to Enable L2 Discovery
              1. Cisco IOS 12.2 Switches—Enabling L2 Discovery SNMP
              2. CATOS Switches—Enabling L2 Discovery SNMP
            2. Configuring Switches to Enable Syslog
              1. IOS Switches—Enabling Syslog
              2. CATOS Switches—Enabling Syslog
            3. Configuring Switches to Enable NAC-Specific Messages
              1. IOS Switches—Enabling NAC-Specific Messages
              2. CATOS Switches—Enabling NAC-Specific Messages
            4. Configuring Switches to Enable NetFlow
              1. IOS Switches—Enabling NetFlow
              2. CATOS Switches—Enabling NetFlow
            5. Configuring Extreme Network Switches
              1. Configuring ExtremeWare SNMP and Syslog
              2. Add ExtremeWare to the CS-MARS Device Database
          3. Configuring Firewalls
            1. Cisco PIX, ASA, and Firewall Service Module
              1. Configuring Telnet on Your Cisco Firewall Device
              2. Configuring SSH on Your Cisco Firewall Device
              3. Configuring SNMP on Your Cisco Firewall Device
              4. Adding a Cisco Firewall Device to CS-MARS
            2. Configuring a Juniper NetScreen Firewall
              1. Enable Juniper NetScreen Firewall for CS-MARS Access
              2. Enable Juniper NetScreen Firewall for Syslog Reporting
              3. Adding the Juniper NetScreen Firewall to CS-MARS
            3. Check Point Firewall and Check Point Nokia Firewall Appliances
              1. Adding the Check Point Firewall to CS-MARS
            4. Configuring Web Caches to Work with CS-MARS
              1. Configuring Network Appliances NetCache
              2. Adding Network Appliances NetCache to the CS-MARS Device
          4. Enabling IDS and IPS in a CS-MARS Environment
            1. Cisco IPS Appliance Configuration
              1. Configuring a Cisco IPS 3.x Appliance
              2. Configuring a Cisco IPS 4.x Appliance
              3. Configuring a Cisco IPS 5.x Appliance
              4. Adding Cisco IPS Appliances to CS-MARS
            2. Cisco IPS Catalyst Switch Modules
            3. Cisco IPS Enable Routers (Integrated Security Routers)
            4. Cisco Security Service Modules (IPS Modules) for ASA (ASA/SSM)
            5. IntruVert IntruShield V1.8
              1. Configuring IntruShield to Communicate with CS-MARS
              2. Adding an IntruShield Device to CS-MARS
            6. Juniper NetScreen IDP
              1. Configuring Juniper NetScreen IDP to Communicate with CS-MARS
              2. Adding a Juniper NetScreen IDP Device to CS-MARS
            7. Symantec ManHunt
              1. Configuring Symantec ManHunt to Communicate with CS-MARS
              2. Adding a Symantec ManHunt Device to CS-MARS
            8. ISS RealSecure Sensor
              1. Configuring a RealSecure Sensor to Communicate with CS-MARS
              2. Adding a RealSecure Network Sensor to CS-MARS
              3. Adding a RealSecure Host Sensor to CS-MARS
            9. Snort IPS Sensor
              1. Configuring a Snort IPS Sensor to Communicate with CS-MARS
              2. Adding a Snort IPS Sensor to CS-MARS
            10. Enterasys Dragon
          5. Operating Systems and Web Servers
            1. Microsoft Windows Operating Systems
              1. Configure Microsoft Windows to Allow CS-MARS to Pull Security Event Logs
              2. Configure CS-MARS to Pull Microsoft Windows Event Logs
              3. Configure Microsoft Windows to Push Event Logs to CS-MARS
              4. Enable CS-MARS to Receive Pushed Windows Security Event Logs
            2. Sun Solaris and Generic Linux Operating Systems
              1. Configure Solaris or Linux to Communicate with CS-MARS
              2. Add Solaris or Linux to the CS-MARS Device Database
            3. Microsoft Internet Information Web Server
              1. Configure Microsoft IIS Web Server to Communicate with CS-MARS
              2. Add Microsoft IIS Web Server to the CS-MARS Device Database
            4. iPlanet Web Server
            5. Apache Web Server
              1. Configure the UNIX Apache Web Server and iPlanet Web Server to Communicate with CS-MARS
              2. Add Apache Web Server and iPlanet Web Server to the CS-MARS Device Database
          6. VPN Concentrators
            1. Configure VPN 3000 Series Concentrators to Communicate with CS-MARS
            2. Add VPN 3000 Series Concentrators to the CS-MARS Device Database
          7. Antivirus Hosts and Servers
          8. Database Servers
          9. Oracle
            1. Configure an Oracle Database Server to Communicate with CS-MARS
            2. Add an Oracle Database Server to the CS-MARS Device Database
        3. Summary
    9. III. CS-MARS Operation
      1. 7. CS-MARS Basic Operation
        1. Using the Summary Dashboard, Network Status Graphs, and My Reports Tab
          1. Reading Incidents and Viewing Path Information
            1. Path Information
            2. Incident Vector Information
          2. Using the HotSpot Graph and Attack Diagram
            1. HotSpot Graph
            2. Attack Diagram
          3. Interpreting Events and NetFlow Graphs and False Positive Graphs
          4. Understanding Data on the Information Summary Column
            1. Page refresh rate
            2. 24-hour events
            3. 24-hour incidents
            4. All false positives
            5. To-do list
            6. My Reports
          5. Interpreting the X, Y Axis Graphs
          6. Using the Network Status Tab
            1. Incidents
            2. Attacks: All—Top Rules Fired
            3. Activity: All—Top Event Types
            4. Activity: All—Top Reporting Device
            5. Activity: All—Top Sources
            6. Activity: All—Top Destinations
          7. Using My Reports
        2. Using the Incidents Page
          1. Using the Incidents Page
            1. Incidents Tab
            2. False Positives Tab
            3. Cases Tab
          2. Using the Incident ID to View Data
        3. Simple Queries
          1. Setting the Query Type
            1. Result Format
            2. Order/Rank By
            3. Filter by Time
            4. Use Only Firing Events
            5. Maximum Rank Returned
          2. Instant Queries
          3. On-Demand Queries and Manual Queries
            1. On-Demand Queries
            2. Manual Queries
              1. Source IP
              2. Destination IP
              3. Service
              4. Events
              5. Device
              6. Reported User
              7. Keyword
              8. Operation
              9. Rule
              10. Action
        4. Summary
      2. 8. Advanced Operation and Security Analysis
        1. Creating Reports
          1. Report Formats
            1. Query Result Format and Filters
            2. Time Range of Report
            3. View Type
          2. Using Predefined Reports
            1. Using the Report Tab
            2. Loading Reports as an On-Demand Query
          3. Creating Custom Reports
          4. Methods of Report Delivery
        2. Creating Rules
          1. The Two Types of Rules
            1. Inspection Rules
            2. Drop Rules
              1. False Positive Link
              2. Manually
          2. Active vs. Inactive Rules
          3. Creating Custom System Inspection Rules
            1. Custom Rule Creation—Additional Considerations
              1. Severity Level
              2. Count
              3. Time Range
          4. Using the Query Tool to Create a Rule
          5. Complex and Behavioral Rule Creation
        3. Summary
    10. IV. CS-MARS in Action
      1. 9. CS-MARS Uncovered
        1. State Government
          1. Detection
          2. Action
          3. Resolution
        2. Large University
          1. Detection
          2. Action
          3. Resolution
        3. Hospital
          1. Detection
          2. Action
          3. Resolution
        4. Enterprise Financial Company
          1. Detection
          2. Action
          3. Resolution
        5. Small Business
          1. Detection
          2. Action
          3. Resolution
        6. Summary
    11. V. Appendixes
      1. A. Useful Security Websites
        1. Security Links and Descriptions
          1. General Security
          2. Governmental Security Controls and Information
          3. Tools and Testing
          4. Cisco Security Sites
      2. B. CS-MARS Quick Data Sheets
        1. Quick Hardware and Protocol Specifications for CS-MARS
          1. CS-MARS Technology Facts
        2. NetFlow Platform Guide
          1. NetFlow Performance Information
          2. NetFlow Memory Allocation Information
        3. V4.1 Product Support List
      3. C. CS-MARS Supplements
        1. CS-MARS Evaluation Worksheet
        2. Security Threat Mitigation
          1. Technical Evaluation Worksheet
        3. Sample Seed File
        4. ISS Configuration Scripts
          1. ISS Network Sensor
          2. ISS Server Sensor
        5. IOS and CATOS NetFlow Quick Configuration Guide
          1. Configuring NetFlow Export on a Cisco IOS Device
        6. Configuring NetFlow on a Cisco CATOS Switch
      4. D. Command-Line Interface
        1. Complete Command Summary
        2. CS-MARS Maintenance Commands
        3. hotswap
        4. pnlog
        5. pnreset
        6. pnrestore
        7. pnstart
        8. pnstatus
        9. pnstop
        10. pnupgrade
      5. E. CS-MARS Reporting
        1. CS-MARS V4.1 Reports
      6. F. CS-MARS Console Access
        1. Using Serial Console Access
      7. G. CS-MARS Check Point Configuration
        1. Configuring Check Point NG FP3/AI and CS-MARS
          1. Check Point–Side Configuration
          2. CS-MARS Configuration
          3. Modifying the Communications to the SmartDashboard/CMA
          4. Known Open and Closed Issues
          5. Configuring Check Point Provider-1 R60