
Cisco Security Monitoring, Analysis, and Response System (CS-MARS)

CS-MARS is an appliance-based security information management (SIM) system providing security monitoring and correlation services to identify, contain, and respond to networkwide security threats.

CS-MARS is another key solution that extends the Cisco Self-Defending Network initiative and is an essential component of a security information management deployment.

CS-MARS offers network intelligence by using sophisticated event correlation technology to precisely identify and correlate events, validate threats, pinpoint attack paths, and provide comprehensive security threat control and mitigation solutions. Through various techniques, CS-MARS maps the entire network, thereby providing complete network visibility and reaction capability by leveraging data from all over the network.

Table 23-1 provides a summary of the common features and capabilities of the CS-MARS appliance-based security information management solution.

Table 23-1. CS-MARS Features and Capabilities
Feature | Capabilities
Dynamic Session-Based Correlation
  • Network-based anomaly detection, including Cisco NetFlow

  • Behavior-based and rules-based event correlation

  • Comprehensive built-in and user-defined rules

  • Automated network address translation (NAT) normalization

Topology Discovery
  • Layer 3 and Layer 2 routers, switches, and firewalls

  • Network intrusion detection system (IDS) blades and appliances

  • Manual and scheduled discovery

  • Secure Shell (SSH), Simple Network Management Protocol (SNMP), Telnet, and device-specific communications

Vulnerability Analysis
  • Incident-triggered targeted network-based and host-based fingerprinting

  • Switch, router, firewall, and NAT configuration analysis

  • Automated vulnerability scanner data capture

  • Automated and user-tuned false positive analysis

Incident Analysis and Response
  • Role-based security event management dashboard

  • Session-based event consolidation with full-rule context

  • Graphical attack path visualization with detailed investigation

  • Attack path device profiles with endpoint MAC identification

  • Graphical and detailed sequential attack pattern display

  • Incident details, including rules, raw events, common vulnerabilities and exposures, and mitigation options

  • Immediate incident investigation and false positive determination

  • GUI rule definition in support of custom rules and keyword parsing

  • Incident escalation with user-based "to-do" work list

  • Notification, including e-mail, pager, syslog, and SNMP

  • Integration with existing ticketing and workflow system via Extensible Markup Language (XML) event notification

Query and Reporting
  • Low-latency, real-time event query

  • GUI that supports numerous default queries and customized queries

  • More than 150 popular reports, including management, operational, and regulatory

  • Intuitive report generation yielding unlimited customized reports

  • Data, chart, and trend formats that support HTML and comma-separated values (CSV) export

  • Live, batch, template, and e-mail forwarding reporting system

  • Easy-to-use query structure built for an effective drill down to the information in a specific incident

Administration
  • Web interface (HTTPS); roles-based administration with defined privileges

  • Global Controller hierarchical management of multiple Cisco Security Monitoring, Analysis, and Reporting Systems

  • Automated, verified updates, including device support, new rules, and features

  • Continuous compressed raw data and incident archive to offline NFS storage

The information in Table 23-1 is compiled from Cisco Security Monitoring, Analysis, and Response System 4.3.1 and 5.3.1 at http://www.cisco.com/en/US/products/ps6241/products_data_sheet0900aecd80272e64.html.


Security Threat Mitigation (STM) System

CS-MARS is a state-of-the-art security threat mitigation (STM) system providing cutting-edge capabilities. New advanced STM features include data sessionization, topological awareness, and mitigation capabilities.

CS-MARS offers security countermeasures by combining state-of-the-art network intelligence, context correlation using the ContextCorrelation feature, vector analysis using the SureVector feature, anomaly detection, hotspot identification, and automated mitigation using the AutoMitigate capabilities. These are defined in the list that follows:

Figure 23-1 shows CS-MARS with extended security threat mitigation (STM) system capabilities of using Cisco ContextCorrelation, SureVector, and AutoMitigate features.

Figure 23-1. CS-MARS—Security Threat Mitigation (STM) System


CS-MARS provides an automated event log collection system that captures data from heterogeneous Layer 2 and Layer 3 network devices, including routers, switches, firewalls, IDS, IPS, and server-based systems, and aggregates it into a centralized database to perform intelligent correlation and to group related events belonging to the same traffic flow.

Figure 23-2 depicts how CS-MARS works by capturing raw data and configuration from various devices and processing the isolated events, performing analysis, and correlating threat information into valid incidents, thus greatly reducing false positives.

Figure 23-2. CS-MARS—How It Works


CS-MARS uses a policy-based approach to block security attacks by transforming raw data into actionable intelligence, identifying and correlating real security threats, and providing mitigation recommendations.

Topological Awareness and Network Mapping

CS-MARS builds topological awareness and paints network maps of the entire topology by performing discovery of the network devices within the network. CS-MARS can discover and collect data from a wide range of Cisco and non-Cisco devices, including Layer 2 and Layer 3 devices.

CS-MARS has an integrated network discovery function that builds a topology map containing device configuration and current security policies, which enables it to model packet flows through a network.

CS-MARS reads each network device's configuration and stores it in a central database, allowing the construction of a complete topological map of the network.

CS-MARS provides network behavioral analysis by profiling network traffic, capturing raw data from a wide range of heterogeneous devices, and aggregating and correlating that data in a single CS-MARS appliance.

Figure 23-3 shows CS-MARS capturing raw data and configuration files from various heterogeneous network devices (Layer 2 and Layer 3).

Figure 23-3. CS-MARS—Receiving Raw Data from Cisco and Non-Cisco Devices


CS-MARS is capable of receiving high volumes of data with its secure and stable architecture. It can receive more than 15,000 events per second or more than 300,000 Cisco NetFlow events per second.

CS-MARS offers a high-performance aggregation and consolidation service by capturing millions of raw events and grouping them efficiently into classified incidents with unprecedented data reduction.

CS-MARS is able to deliver high-performance correlation through inline processing logic and the use of an embedded high-performance database system.

Table 23-2 lists the supported reporting devices (Cisco and non-Cisco) whose data the CS-MARS appliance can collect.

Table 23-2. CS-MARS Device Support List
Device Type: Cisco and Non-Cisco Devices
Network: Cisco IOS Software, Cisco Catalyst OS software, Cisco NetFlow, and Extreme Extremeware
Firewall/VPN: Cisco ASA Software, Cisco PIX Security Appliance, Cisco IOS Firewall, Cisco Firewall Services Module (FWSM), Cisco VPN 3000 Concentrator, Checkpoint Firewall-1 NG and VPN-1 versions, NetScreen Firewall, and Nokia Firewall
Intrusion Detection and Prevention: Cisco IDS and IPS Sensor, Cisco IDS Module, Cisco IOS IPS, Cisco ASA IPS Module, Enterasys Dragon NIDS, ISS RealSecure Network Sensor, Snort NIDS, McAfee Intrushield NIDS, NetScreen IDP, OS, and Symantec ManHunt
Vulnerability Assessment: eEye REM, Qualys QualysGuard, and FoundStone FoundScan
Host Security: Cisco Security Agent (CSA), McAfee Entercept, and ISS RealSecure Host Sensor
Host Logs: Windows NT, 2000, and 2003 (agent and agentless), Solaris, and Linux
Antivirus: Symantec Antivirus, Cisco Incident Control System (Cisco ICS), Trend Micro Outbreak Prevention Service (OPS), Network Associates VirusScan, and McAfee ePO
Authentication Servers: Cisco Secure Access Control Server (ACS)
Applications: Web Servers (IIS, iPlanet, and Apache), Oracle audit logs, Network Appliance NetCache, and ISS SiteProtector
Universal: Universal device support to aggregate and monitor any application syslog
Custom: Support additional and custom devices using the custom log parser feature
The information in Table 23-2 is compiled from Cisco Security Monitoring, Analysis, and Response System 4.3.1 and 5.3.1 at http://www.cisco.com/en/US/products/ps6241/products_data_sheet0900aecd80272e64.html.


Note

CS-MARS continues to improve its device support. For a comprehensive, up-to-date list with supported version information, refer to the following URL: http://www.cisco.com/en/US/products/ps6241/products_device_support_tables_list.html.


Key Concepts—Events, Sessions, Rules, and Incidents

CS-MARS uses various terms to define contextual analysis and the process of threat investigation. These may differ from the traditional terminology used by other systems:

Figure 23-4 depicts how a session is interpreted in CS-MARS.

Figure 23-5 depicts how an incident is interpreted in CS-MARS.

Event Processing in CS-MARS

CS-MARS uses the following steps to process events when it receives a raw message.

1. Receive raw messages from network devices in either pulling mode or listening mode

2. Parse raw messages

3. Normalize raw messages to events—statically map raw messages from different vendor devices to CS-MARS known event types

4. Sessionization/NAT correlation—identify commonality among events, such as source IP/port, destination IP/port, and protocol, to sessionize them

5. Run events against the rule engine

6. False positive analysis

7. Vulnerability assessment against suspected hosts

8. Traffic profiling and statistical anomaly detection

Figure 23-6 shows the event process flowchart in CS-MARS.

Figure 23-6. CS-MARS Event Process Flowchart

The information in Figure 23-6 is compiled from the Cisco Networkers Breakout Session presentation #BRKSEC-3006—Network Security Monitoring and Correlation with CS-MARS.


False Positive in CS-MARS

CS-MARS interprets false positives differently than other systems. In general usage, a false positive means that a system has reported an attack that did not actually occur. In CS-MARS, however, a false positive means the attack was identified correctly but was unsuccessful against the target victim.
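As an added illustration of the eight-step event pipeline above and of the CS-MARS meaning of a false positive (example code written for this chapter, not part of the book or of the CS-MARS product), the sketch below normalizes two constructed message formats, sessionizes them by 5-tuple, fires one rule, and then checks the target host's profile; the message formats, signature id 5081, and host service table are all constructed assumptions.

```python
import re
from collections import defaultdict
# Constructed sample raw messages (not real device output): a pseudo-firewall
# format and a pseudo-IDS format, normalized below to vendor-neutral events.
RAW_MESSAGES = [
    "fw1 PERMIT tcp 10.1.1.5:41000 -> 192.168.2.10:80",
    "ids1 SIG:5081 WWW_IIS_UNICODE src=10.1.1.5 sport=41000 dst=192.168.2.10 dport=80 proto=tcp",
    "fw1 PERMIT tcp 10.1.1.9:41500 -> 192.168.2.20:80",
    "ids1 SIG:5081 WWW_IIS_UNICODE src=10.1.1.9 sport=41500 dst=192.168.2.20 dport=80 proto=tcp",
    "fw1 DENY tcp 10.1.1.7:42000 -> 192.168.2.30:80",
]
# Constructed stand-ins for vulnerability-assessment results and signature metadata.
HOST_SERVICES = {("192.168.2.10", "80"): "IIS", ("192.168.2.20", "80"): "Apache"}
SIG_TARGET_SERVICE = {"5081": "IIS"}  # hypothetical signature id -> service it targets
FW_RE = re.compile(r"(\S+) (PERMIT|DENY) (\w+) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")
IDS_RE = re.compile(r"(\S+) SIG:(\d+) (\S+) src=([\d.]+) sport=(\d+) dst=([\d.]+) "
                    r"dport=(\d+) proto=(\w+)$")
def normalize(msg):
    """Steps 2-3: parse one raw message and map it to a vendor-neutral event type."""
    if m := FW_RE.match(msg):
        dev, action, proto, src, sport, dst, dport = m.groups()
        return {"dev": dev, "type": "FW_" + action, "sig": None, "key": (proto, src, sport, dst, dport)}
    if m := IDS_RE.match(msg):
        dev, sig, name, src, sport, dst, dport, proto = m.groups()
        return {"dev": dev, "type": "IDS_" + name, "sig": sig, "key": (proto, src, sport, dst, dport)}
    raise ValueError("unparsed message: " + msg)
def sessionize(events):
    """Step 4: group events that share the same 5-tuple into one session."""
    sessions = defaultdict(list)
    for ev in events:
        sessions[ev["key"]].append(ev)
    return sessions
def evaluate(key, session):
    """Steps 5-7: the rule fires when an IDS attack rides on a permitted session;
    the target's profile then decides whether that attack could have succeeded."""
    permitted = any(ev["type"] == "FW_PERMIT" for ev in session)
    attacks = [ev for ev in session if ev["type"].startswith("IDS_")]
    if not (permitted and attacks):
        return None  # rule did not fire, so no incident
    needed = SIG_TARGET_SERVICE.get(attacks[0]["sig"])
    actual = HOST_SERVICES.get((key[3], key[4]))
    if needed and actual and needed != actual:
        return "false positive (unsuccessful attack)"  # CS-MARS sense: real, but harmless
    return "incident"
def process(raw_messages):
    """Run the pipeline; return {session key: verdict} for sessions where the rule fired."""
    sessions = sessionize(normalize(m) for m in raw_messages)
    return {k: v for k, s in sessions.items() if (v := evaluate(k, s))}
```

Running process(RAW_MESSAGES) yields one incident for the IIS host and one CS-MARS-style false positive for the Apache host, while the denied session never reaches the rule engine.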

There are four basic types of false positives in CS-MARS:

Figure 23-7 illustrates the false positive process flowchart in CS-MARS.

Figure 23-7. CS-MARS False Positive Process Flowchart

The information in Figure 23-7 is compiled from the Cisco Networkers Breakout Session presentation #BRKSEC-3006—Network Security Monitoring and Correlation with CS-MARS.

