Security Monitoring with Cisco Security MARS

Overview

Security Monitoring with Cisco Security MARS

Threat mitigation system deployment

Gary Halleen

Greg Kellogg

Networks and hosts are probed hundreds or thousands of times a day in an attempt to discover vulnerabilities. An even greater number of automated attacks from worms and viruses stress the same devices. The sheer volume of log messages or events generated by these attacks and probes, combined with the complexity of an analyst needing to use multiple monitoring tools, often makes it impossible to adequately investigate what is happening.

Cisco® Security Monitoring, Analysis, and Response System (MARS) is a next-generation Security Threat Mitigation system (STM). Cisco Security MARS receives raw network and security data and performs correlation and investigation of host and network information to provide you with actionable intelligence. This easy-to-use family of threat mitigation appliances enables you to centralize, detect, mitigate, and report on priority threats by leveraging the network and security devices already deployed in a network, even if the devices are from multiple vendors.

Security Monitoring with Cisco Security MARS helps you plan a MARS deployment and learn the installation and administration tasks you can expect to face. Additionally, this book teaches you how to use the advanced features of the product, such as the custom parser, Network Admission Control (NAC), and global controller operations. Through the use of real-world deployment examples, this book leads you through all the steps necessary for proper design and sizing, installation and troubleshooting, forensic analysis of security events, report creation and archiving, and integration of the appliance with Cisco and third-party vulnerability assessment tools.

“In many modern enterprise networks, Security Information Management tools are crucial in helping to manage, analyze, and correlate a mountain of event data. Greg Kellogg and Gary Halleen have distilled an immense amount of extremely valuable knowledge in these pages. By relying on the wisdom of Kellogg and Halleen embedded in this book, you will vastly improve your MARS deployment.”

—Ed Skoudis, Vice President of Security Strategy, Predictive Systems

Gary Halleen is a security consulting systems engineer with Cisco. He has in-depth knowledge of security systems as well as remote-access and routing/switching technology. Gary is a CISSP and ISSAP. His diligence was responsible for the first successful computer crimes conviction in the state of Oregon. Gary is a regular speaker at security events and presents at Cisco Networkers conferences.

Greg Kellogg is the vice president of security solutions for Calence, LLC. He is responsible for managing the company’s overall security strategy. Greg has more than 15 years of networking industry experience, including serving as a senior security business consultant for the Cisco Enterprise Channel organization. Additionally, Greg worked for Protego Networks, Inc. (where MARS was originally developed). There he was responsible for developing channel partner programs and helped solution providers increase their security revenue.

  • Learn the differences between various log aggregation and correlation systems
  • Examine regulatory and industry requirements
  • Evaluate various deployment scenarios
  • Properly size your deployment
  • Protect the Cisco Security MARS appliance from attack
  • Generate reports, archive data, and implement disaster recovery plans
  • Investigate incidents when Cisco Security MARS detects an attack
  • Troubleshoot Cisco Security MARS operation
  • Integrate Cisco Security MARS with Cisco Security Manager, NAC, and third-party devices
  • Manage groups of MARS controllers with global controller operations

This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.

Category: Cisco Press—Security

Covers: Security Threat Mitigation

Product Details

  • ISBN-13: 9781587052705
  • Publisher: Cisco Press
  • Publication date: 7/12/2007
  • Series: Networking Technology: Security Series
  • Edition description: New Edition
  • Pages: 316
  • Product dimensions: 7.30 (w) x 9.01 (h) x 0.73 (d)

Meet the Author

Gary Halleen is a security consulting systems engineer with Cisco. He has in-depth knowledge of security systems, remote access, and routing/switching technology. Gary is a CISSP and ISSAP and has been a technical editor for Cisco Press. Before working at Cisco, he wrote web-based software, owned an Internet service provider, worked in Information Technology at a college, and taught computer science courses. His diligence was responsible for the first successful computer crimes conviction in the state of Oregon. Gary is a regular speaker at security events, and he presents at Cisco Networkers conferences. He lives in Salem, Oregon, with his wife and children.

Greg Kellogg is the vice president of security solutions for Calence, LLC, which is based out of Tempe, Arizona. He is responsible for managing the company’s overall security strategy, as well as developing new security solutions and service offerings, establishing strategic partnerships, managing strategic client engagements, and supporting business development efforts. Greg has more than 15 years of networking industry experience, including serving as a senior security business consultant for the Cisco Systems Enterprise Channel organization. While at Cisco, Greg helped organizations understand regulatory compliance, policy creation, and risk analysis to guide their security implementations. He was recognized for his commitment to service with the Cisco Technology Leader of the Year award. Additionally, Greg worked for Protego Networks, Inc. (where MARS was originally developed). While there, he was responsible for developing channel partner programs and helping solution providers increase their security revenue. Greg currently resides in Spring Branch, Texas, with his wife and four children.

Table of Contents

Foreword

Introduction

Part I Introduction to CS-MARS and Security Threat Mitigation

Chapter 1 Introducing CS-MARS

Introduction to Security Information Management

The Role of a SIM in Today’s Network

Common Features for SIM Products

Desirable Features for SIM Products

Challenges in Security Monitoring

Types of Events Messages

Understanding CS-MARS

Security Threat Mitigation System

Topology and Visualization

Robust Reporting and Rules Engine

Alerts and Mitigation

Description of Terminology

CS-MARS User Interface

Dashboard

Network Status

My Reports

Summary

Chapter 2 Regulatory Challenges in Depth

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Who Is Affected by HIPAA?

What Are the Penalties for Noncompliance?

HIPAA Security Rule

HIPAA Security Rule and Security Monitoring

Gramm-Leach-Bliley Act of 1999 (GLB Act)

Who Is Affected by the GLB Act?

What Are the Penalties for Noncompliance with GLB?

The GLB Act Safeguards Rule

The GLB Safeguards Rule and Security Monitoring

The Sarbanes-Oxley Act of 2002 (SOX)

Who Is Affected by Sarbanes-Oxley?

What Are the Penalties for Noncompliance with Sarbanes-Oxley?

Sarbanes-Oxley Internal Controls

Payment Card Industry Data Security Standard (PCI-DSS)

Who Is Affected by the PCI Data Security Standard?

What Are the Penalties for Noncompliance with PCI-DSS?

The PCI Data Security Standard

Compliance Validation Requirements

Summary

Chapter 3 CS-MARS Deployment Scenarios

Deployment Types

Local and Standalone Controllers

Global Controllers

Sizing a CS-MARS Deployment

Special Considerations for Cisco IPSs

Determining Your Events per Second

Determining Your Storage Requirements

Considerations for Reporting Performance

Considerations for Future Growth and Flood Conditions

Planning for Topology Awareness

CS-MARS Sizing Case Studies

Retail Chain Example

State Government Example

Healthcare Example

Summary

Part II CS-MARS Operations and Forensics

Chapter 4 Securing CS-MARS

Physical Security

Inherent Security of MARS Appliances

Security Management Network

MARS Communications Requirements

Network Security Recommendations

Ingress Firewall Rules

Egress Firewall Rules

Network-Based IDS and IPS Issues

Summary

Chapter 5 Rules, Reports, and Queries

Built-In Reports

Understanding the Reporting Interface

Reporting Methods

The Query Interface

Creating an On-Demand Report

Batch Reports and the Report Wizard

Creating a Rule

About Rules

Creating the Rule

Creating Drop Rules

About Drop Rules

Creating the Drop Rule

Summary

Chapter 6 Incident Investigation and Forensics

Incident Handling and Forensic Techniques

Initial Incident Investigation

Viewing Incident Details

Finishing Your Investigation

False-Positive Tuning

Deciding Where to Tune

Tuning False Positives in MARS

Summary

Chapter 7 Archiving and Disaster Recovery

Understanding CS-MARS Archiving

Planning and Selecting the Archive Server

Configuring the Archiving Server

Configuring CS-MARS for Archiving

Using the Archives

Restoring from Archive

Restoring to a Reporting Appliance

Direct Access of Archived Events

Retrieving Raw Events from Archive

Summary

Part III CS-MARS Advanced Topics

Chapter 8 Integration with Cisco Security Manager

Configuring CS-Manager to Support CS-MARS

Configuring CS-MARS to Integrate with CS-Manager

Using CS-Manager Within CS-MARS

Summary

Chapter 9 Troubleshooting CS-MARS

Be Prepared

Troubleshooting MARS Hardware

Beeping Noises

Degraded RAID Array

Troubleshooting Software and Devices

Unknown Reporting Device IP

Check Point or Other Logs Are Incorrectly Parsed

New Monitored Device Logs Still Not Parsed

How Much Storage Is Being Used, and How Long Will It Last?

E-Mail Notifications Sent to Admin Group Never Arrive

MARS Is Not Receiving Events from Devices

Summary

Chapter 10 Network Admission Control

Types of Cisco NAC

NAC Framework Host Conditions

Understanding NAC Framework Communications

Configuration of CS-MARS for NAC

Framework Reporting

Information Available on CS-MARS

Summary

Chapter 11 CS-MARS Custom Parser

Getting Messages to CS-MARS

Determining What to Parse

Adding the Device or Application Type

Adding Log Templates

First Log Template

Second and Third Log Templates

Fourth and Fifth Log Templates

Additional Messages

Adding Monitored Device or Software

Queries, Reports, and Rules

Queries

Reports

Rules

Custom Parser for Cisco CSC Module

Summary

Chapter 12 CS-MARS Global Controller

Understanding the Global Controller

Zones

Installing the Global Controller

Enabling Communications Between Controllers

Troubleshooting

Using the Global Controller Interface

Logging In to the Controller

Dashboard

Drilling Down into an Incident

Query/Reports

Local Versus Global Rules

Security and Monitor Devices

Custom Parser

Software Upgrades

Global Controller Recovery

Summary

Part IV Appendixes

Appendix A Querying the Archive

Appendix B CS-MARS Command Reference

Appendix C Useful Websites

Index

1587052709 TOC 6/11/2007

Customer Reviews

Average Rating 3
( 1 )
  • Anonymous

    Posted July 24, 2007

    in all, the book in a street buy

    OK, you recently purchased a Cisco MARS appliance, now what? Or better yet, you are in the market for a Security Incident Management (SIM) solution or a Security Threat Mitigation (STM) Solution, and are already considering a Cisco solution; you may even be a Cisco network shop. How do you decide, without the pressure of the overbearing sales people over your neck? Well, the best answer is to do your research. Read everything you can find online about SIM and STM technologies and research the various vendor solutions out there. You may even take note of Gartner's reports on the technology or simply hire Gartner. However, one tool you will appreciate in your arsenal is the book by Gary Halleen and Greg Kellogg, Security Monitoring with Cisco Security MARS. As you may well know, the product now called MARS did not originate in any of Cisco's R&D labs, but was a product from Perigee Network bought by Cisco in the fall of 2005. The product itself has undergone various upgrades, as has its documentation. But when you need quick answers, or compressed answers about SIM, STM or specifically MARS, the pages of this compact, under 300 pages, book will be your best bet in most cases, as I quickly found out. The book came in at an opportune time, when I was just fidgeting with our newly installed MARS appliance, and answers that were taking quite long to find, wading through jungles of pages that constitute the Cisco user manuals and the internet, were soon available after a few minutes of riffling through the book. Reading the entire book took much less time than to read through the latest Harry Potter release, but it also brought into perspective many components and nuances of the MARS appliance. Organized into parts (like most Cisco press books), the book's content is outlined into an introductory section, an operations and forensic section, and what it calls an advanced topic section.
    The first three chapters that make up the introduction section provide essential background and rationale for deploying an STM or SIM solution in any network. This is one part any prospective SIM solution shopper should be acquainted with. It kind of helps you make the case for the expenditure. Not that you won't find it useful if you already made the purchase, you will be better served if you are fully briefed on the content in this section, as it lays out what you are getting into in some detail. Of course the emphasis is on MARS, a Cisco product, there is enough material here for everyone. If you are a techie, you already own a MARS box (so you have to live with what you got), and you are not so worried about the business case for security, then, section 2 (Operations and Forensic) is a good place to start. The section begins with basics of securing the appliance itself, runs through rules, reports and queries, details incident investigation and forensics, and ends with pertinent instructions on log data archiving and recovery in case something goes wrong with the appliance. Given that the section covers so much material and is made up of four chapters, its one page volume is a great refresher to the security engineer who just wants to get adequate information to quickly get up and running. You will not become an expert by reading these four chapters, but your understanding of the appliance and appreciation for what can be done will grow after you read it. Also, you should be able to carry out at least 50% of the tasks you will need to carry out with the appliance. The last section is probably the most fun, but you will do well reading it last. While the book outlines the last section to include just 4 chapters, the three appendices can easily be considered a direct appendage of the materials in this section.
    The section provides basic instructions on how to integrate MARS with other Cisco security products including the Cisco Security Manager (CSM) in chapter 8, the Cisco Network Admission Control (NAC) solutions in chapter 10, and
