Cisco Security MARS 4.1: Technical Overview

Effective. Efficient. Integrated.

C97-60004-00

© 2006 Cisco Systems, Inc. All rights reserved.

Cisco Confidential

Agenda
• CS-MARS Product Overview
• Getting Started with CS-MARS
• GUI Overview
• Configuring Devices into CS-MARS
• Reports and Queries
• CS-MARS Integration with NAC
• Device Anomalies
• Incident Investigation
• Rules and Management
• GC and LC
• Custom Parser

Security Information Management (SIM)/Security Event Management (SEM)
• Security Information Management (SIM)/Security Event Management (SEM) products fall well short of their value proposition:
• The Good:
    Simple incident capture, correlation, and management
    Event/log consolidation and reporting
• The Bad:
    No network intelligence
    Incomplete attack vector analysis
    Insufficient performance
    Expensive ownership
    Unable to mitigate or contain threats

Cisco Security MARS Technologies
• Correlation
    Profile network traffic (NetFlow) and detect anomalies
    Correlate events into sessions
    Apply correlation rules to sessions to identify incidents
• Vector Analysis
    Analyze incidents to determine valid threats
    Path analysis
    Vulnerability analysis for suspected hosts
    Vulnerability scanner correlation
• Mitigation
    Discover the optimal choke point, e.g. the nearest L2 switch port
    Recommend mitigation commands and push them with the user’s validation
    Notify the user of configuration changes

Incidents, Sessions, and Events
• Events―Raw messages sent to the Cisco® Security Monitoring, Analysis, and Response System (CS-MARS) by the monitoring/reporting devices
• Sessions―Events that CS-MARS correlates into one connection, across NAT boundaries
• Incidents―Sessions that match the correlation rules


How the CS-MARS Works
1. Events come into the CS-MARS from network devices
2. Events are parsed
3. Events are normalized
4. Events are sessionized (NAT correlation)
5. Sessions are run against the rule engine; a drop rule can:
    Ignore the session (no match), so it continues through the pipeline
    Drop it completely
    Log it to the database only
6. False-positive analysis
7. VA against suspected hosts
8. Traffic profiling and statistical anomaly detection
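How steps 2 to 5 fit together, as an added Python example (this is not CS-MARS code; the two message formats, the NAT mapping and the rules are constructed for illustration). It parses two device formats into one schema, folds the NAT-translated address seen by the downstream firewall back onto the inside host so both devices' events land in the same session, and then lets drop rules decide between complete drop, log-only and inspection before inspection rules create incidents:

```python
import re
from collections import defaultdict

# Constructed sample messages in two made-up formats (not real device output):
# a PIX-style "Built connection" line that shows the NAT translation in
# parentheses, and a generic key=value firewall line downstream of the NAT.
RAW_EVENTS = [
    "pix: Built outbound TCP connection from inside:10.1.1.5/40000 to outside:203.0.113.9/80 (198.51.100.2/5000)",
    "fw: proto=TCP src=198.51.100.2 spt=5000 dst=203.0.113.9 dpt=80 action=allow",
    "fw: proto=TCP src=198.51.100.2 spt=5000 dst=203.0.113.9 dpt=80 action=allow",
    "pix: Built outbound TCP connection from inside:10.1.1.7/40100 to outside:203.0.113.9/6667 (198.51.100.2/5001)",
    "fw: proto=UDP src=10.1.1.9 spt=5353 dst=224.0.0.251 dpt=5353 action=allow",
]

PIX_RE = re.compile(
    r"pix: Built \w+ (?P<proto>\w+) connection from \w+:(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) \((?P<nat_src>[\d.]+)/(?P<nat_sport>\d+)\)"
)
FW_RE = re.compile(
    r"fw: proto=(?P<proto>\w+) src=(?P<src>[\d.]+) spt=(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+) dpt=(?P<dport>\d+) action=(?P<action>\w+)"
)

def parse(raw):
    """Step 2: parse one raw message into the fields its own format carries."""
    for device, rx in (("pix", PIX_RE), ("fw", FW_RE)):
        m = rx.match(raw)
        if m:
            return {"device": device, **m.groupdict()}
    raise ValueError(f"unparsed event: {raw}")

def normalize(ev):
    """Step 3: put every event into one schema with typed fields."""
    out = {
        "device": ev["device"],
        "proto": ev["proto"].upper(),
        "src": ev["src"], "sport": int(ev["sport"]),
        "dst": ev["dst"], "dport": int(ev["dport"]),
        "event_type": "Built connection" if ev["device"] == "pix" else f"Firewall {ev['action']}",
    }
    if "nat_src" in ev:
        out["nat"] = (ev["nat_src"], int(ev["nat_sport"]))
    return out

def sessionize(events):
    """Step 4: group events into sessions, mapping NAT'd addresses back to the real host."""
    nat_table = {}   # (translated src, translated sport) -> (real src, real sport)
    sessions = defaultdict(list)
    for ev in events:
        if "nat" in ev:
            nat_table[ev["nat"]] = (ev["src"], ev["sport"])
        real_src, real_sport = nat_table.get((ev["src"], ev["sport"]), (ev["src"], ev["sport"]))
        key = (ev["proto"], real_src, real_sport, ev["dst"], ev["dport"])
        sessions[key].append(ev)
    return sessions

# Step 5: drop rules run first; a session matching none of them passes to the inspection rules.
# Each predicate receives the session key (proto, src, sport, dst, dport).
DROP_RULES = [
    ("mDNS chatter", lambda k: k[0] == "UDP" and k[4] == 5353, "complete drop"),
    ("Web browsing", lambda k: k[0] == "TCP" and k[4] in (80, 443), "log only"),
]
INSPECTION_RULES = [
    ("Outbound connection to non-web port", lambda k: k[0] == "TCP" and k[4] not in (80, 443)),
]

def run_rule_engine(sessions):
    """Return (outcome per session, incidents raised by inspection rules)."""
    outcomes, incidents = {}, []
    for key in sessions:
        for _name, match, action in DROP_RULES:
            if match(key):
                outcomes[key] = action
                break
        else:
            outcomes[key] = "inspect"
            for name, match in INSPECTION_RULES:
                if match(key):
                    incidents.append({"rule": name, "session": key, "events": len(sessions[key])})
    return outcomes, incidents

def pipeline(raw_events=RAW_EVENTS):
    sessions = sessionize(normalize(parse(r)) for r in raw_events)
    outcomes, incidents = run_rule_engine(sessions)
    return sessions, outcomes, incidents

if __name__ == "__main__":
    sessions, outcomes, incidents = pipeline()
    for key, evs in sessions.items():
        print(len(evs), "event(s)", key, "->", outcomes[key])
    print("incidents:", incidents)
```

The three PIX and firewall lines for the web connection become one session of three events because the firewall's view (198.51.100.2/5000) is resolved through the NAT table to the inside host; without step 4 the same connection would be counted twice, once per address.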

CS-MARS Benefits
• Easy Installation
• Simple Licensing
    No license restriction on the number of devices supported
• Hardened Appliance
    Has a built-in firewall and only opens SSH and HTTPS
    No root access from SSH or console
    Reduced services
• Easy Maintenance
    Web-based software updates
• Scalability
    Addresses a wide range of network sizes and traffic
• Built-In Hard Drive Redundancy on High-End Models
• Data Backup and Archiving Capabilities

Family of CS-MARS Appliances
Model                 Typical Use
CS-MARS 20 and 50     Small business
CS-MARS 100           Medium to large business
CS-MARS 100e          Medium to large business
CS-MARS 200           Medium to large business
CS-MARS GC            Global controller
CS-MARS GCm           Mid-tier business global controller


Full-Spectrum Product Line
CS-MARS Model       Events/Sec   NetFlow Flows/Sec   RAID Storage   Rack Size
20                  500          15,000              120GB          1 RU
50                  1,000        25,000              120GB          1 RU
100e                3,000        75,000              750GB          3 RU
100                 5,000        150,000             750GB          3 RU
200                 10,000       300,000             1TB            4 RU
Global Controller   N/A          N/A                 1TB            4 RU

• Installation takes minutes
• RAID 1+0
• Oracle embedded―No DBA needed
• Agentless event collection
• Layer 2/3 network topology and mitigation
• NetFlow
• Drill down to MAC addresses



CS-MARS Basic Configuration
Name
• Enter a descriptive name for the appliance.
Interface Name
• The two interfaces on the CS-MARS are eth0 and eth1
• Best practice: configure eth0 for events and eth1 for management
IP Address
• Enter the IP address for each interface
Default Gateway
• Enter the IP address of the default gateway for these interfaces
Mail Gateway
• The CS-MARS uses the mail gateway to send e-mail notifications


CS-MARS User Roles
CS-MARS User Type/Role
• Admin―FULL access to CS-MARS functions and features
• Security Analyst―Access to CS-MARS functions and features, EXCEPT that this role can only create Notification Only users and has read-only privilege to ADMIN functions
• Operator―Read-only privilege and the ability to view reports, but not to run/generate reports
• Notification Only―No access to CS-MARS, but able to receive report results from CS-MARS

Topology Discovery
• Topology discovery enables operation at level three
• This is a three-step process:
    Add the community strings for SNMP
    Add the valid networks
    Discover immediately or schedule recurring updates via the Topology Update Scheduler


Understanding Discovery
• For the CS-MARS to reach full operability, you need to specify:
    Community strings with at least RO capability
    The networks that you want to discover
• Once the appliance discovers these networks, you get a much more accurate view of MAC addresses, end-point lookup (attack paths), and network topology
• L2 discovery and mitigation
    All L2 devices must have the SNMP RO community strings specified in the CS-MARS UI for manual device discovery
    If the access type is non-SNMP (e.g. TELNET/SSH), discovery still requires this community string
    L2 devices must be added manually―There is no automatic discovery for these devices
    Mitigation is performed via TELNET/SSH or SNMP with an RW community string



GUI Overview (Summary)


GUI Overview (Dashboard)
• Dashboard
    Four areas give a quick overall view of your network:
    Last five recent incidents
    Statistical area (events/incidents/false positives)
    Topology and attack diagrams
    Graphs and reports
• Screen callouts: Tabs, Subtabs, Appliance Name, Login Username
1. Logout―Logging out of the appliance
2. Activate―Any change to the configuration needs to be activated before it takes effect
3. Refresh Rate―Applicable to the Dashboard ONLY

Diagrams
• Diagrams
    HotSpot Graph (most recent incidents’ src/dest pairs)
    Full Topology (displays the full network)
    Attack Diagram (the last 500 events related to incidents for the past 24 hrs)
• Drill down into the diagrams by clicking the icons
• Drill down attack paths in the Attack Diagram by clicking the Path icon
• Drilling down into these diagrams is one of the fastest ways to uncover real-time information about your network


GUI Overview (Network Status and My Report)
• Network Status―Big-picture view represented in charts
• Customers cannot customize these charts:
    Incidents
    Attacks: All―Top Rules Fired
    Activity: All―Top Event Types
    Activity: All―Top Reporting Devices
    Activity: All―Top Sources
    Activity: All―Top Destinations
• My Reports (Trending)
    Choose the reports that you want to view


GUI Overview (INCIDENTS)
• This section covers detailed information on each fired incident.
• All incidents are viewable for the next 24 hours.
• After 24 hours you can run a query to retrieve the incident.


GUI Overview (QUERY/REPORTS)
• This section provides the ability to perform real-time/batch queries, create reports, and schedule reports


GUI Overview (RULES)
• The predefined system rules can be viewed in this tab.
• This section also provides the ability to create user rules and drop rules.


GUI Overview (ADMIN)
• Most of the system configuration, monitoring-device configuration, topology, and discovery information is managed within this ADMIN tab.



CS-MARS Device Support
• Networking
    Cisco IOS 11.x and 12.x, Catalyst OS 6.x
    NetFlow v5/v7
    NAC ACS 3.x
    Extreme Extremeware 6.x
• Vulnerability Assessment
    eEye REM 1.x
    Foundstone FoundScan 3.x
    Qualys Guard
• Host Security
    Cisco Security Agent (CSA) 4.x
    McAfee Entercept 2.5, 4.x
    ISS RealSecure Host Sensor 6.5, 7.0
    Symantec AntiVirus 9.x
• Firewall/VPN
    Cisco PIX 6.x, 7.x, ASA, IOS Firewall/IPS, FWSM 1.x, 2.3, VPN Concentrator 4.x
    CheckPoint Firewall-1 NG FPx, VPN-1
    NetScreen Firewall 4.x, 5.x
    Nokia Firewall
• Host Log
    Windows NT, 2000, 2003 (agent/agent-less)
    Solaris
    Linux
• IDS
    Cisco NIDS 4.x, 5.x, IDSM 4.x, 5.x
    Enterasys Dragon NIDS 6.x
    ISS RealSecure Network Sensor 6.5, 7.0
    Snort NIDS 2.x
    McAfee Intrushield NIDS 1.x
    NetScreen IDP 2.x
    Symantec ManHunt 3.x
• Syslog
    Universal device support
• Applications
    Web servers (IIS, iPlanet, Apache)
    Oracle 9i, 10g database audit logs
    Network Appliance NetCache

Adding Devices to CS-MARS

Autodiscovery


Adding Devices to CS-MARS
• The three most common ways to add devices:
    Import from seed file [preferred]
    SNMP discovery
    Add manually
• To use autodiscovery the user has to:
    Specify community strings
    Specify valid networks
    Specify the Device Update Scheduler (how often CS-MARS should rediscover the configuration for that device)


Entering Reporting Devices
• There are two categories of device type:
    HW-based security devices
    SW-based security devices


Entering Reporting Devices
• Depending on the device type, you are prompted for the appropriate fields to fill in.
• In this example for a Cisco® PIX® firewall, you need to provide the device name, reporting IP, access IP, access type, and username and passwords, as required.


Benefit of NetFlow
• With Cisco® NetFlow, you can take advantage of NetFlow’s anomaly detection using statistical profiling, which can pinpoint day-zero attacks like worm outbreaks.
• After CS-MARS is configured to work with NetFlow, it needs a few days to collect data and analyze your network before it can start presenting NetFlow’s anomaly detection through the charts.
• The CS-MARS detects anomalies by using two dynamically generated watermarks, comparing the previous data against the current data. When the data breaches the first watermark, CS-MARS starts to save that data. When the data rises above the second watermark, CS-MARS creates an incident.
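The two-watermark behaviour described above, as an added Python example (not CS-MARS code). The slide only says the watermarks are generated dynamically from previous data; deriving them as mean plus 2 and 6 standard deviations of the learned profile, and the per-minute flow counts themselves, are this example's assumptions:

```python
import statistics

# Stand-in for "needs a few days to collect data"; the real collection interval is not given on the slide.
MIN_HISTORY = 10

# Constructed per-minute flow counts for one traffic profile (e.g. flows to one service port).
BASELINE = [120, 115, 130, 125, 118, 122, 128, 119, 121, 127, 124, 116]   # learned history
CURRENT  = [123, 126, 136, 145, 420, 610, 580, 200, 130, 121]             # window under test

def watermarks(history, k1=2.0, k2=6.0):
    """Two thresholds derived from the historical profile: mean + k*stdev, with k1 < k2.
    The multipliers are this example's choice, not a CS-MARS setting."""
    if len(history) < MIN_HISTORY:
        raise ValueError("not enough history to profile; keep collecting")
    mu, sigma = statistics.mean(history), statistics.pstdev(history)
    return mu + k1 * sigma, mu + k2 * sigma

def detect(history, current, k1=2.0, k2=6.0):
    """Replay the current window against the two watermarks.
    Above watermark 1 the sample is saved; above watermark 2 an incident is opened,
    or extended if the previous sample was already over the second threshold."""
    w1, w2 = watermarks(history, k1, k2)
    saved, incidents = [], []
    for minute, value in enumerate(current):
        if value > w1:
            saved.append((minute, value))           # first watermark breached: keep the data
        if value > w2:
            if incidents and incidents[-1]["end"] == minute - 1:
                inc = incidents[-1]                  # same surge as the previous minute: extend it
                inc["end"], inc["peak"] = minute, max(inc["peak"], value)
            else:
                incidents.append({"start": minute, "end": minute, "peak": value})
    return {"watermarks": (round(w1, 1), round(w2, 1)), "saved": saved, "incidents": incidents}

if __name__ == "__main__":
    result = detect(BASELINE, CURRENT)
    print("watermarks:", result["watermarks"])
    print("saved samples:", result["saved"])
    print("incidents:", result["incidents"])
```

Minutes 2 and 3 (136 and 145 flows) sit between the two watermarks, so they are saved for later inspection without raising anything; the surge from minute 4 onward crosses the second watermark and becomes a single incident spanning minutes 4 to 7. Replaying the baseline against itself produces neither saved samples nor incidents, which is the sanity check to run before trusting the thresholds on live data.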


NetFlow Configuration
• Screen callout: “CS-MARS Ignores NetFlow” (networks excluded from anomaly detection)
    If empty, then the entire network will be examined for anomalies


Vulnerability Assessment
• Sources of vulnerability information:
    Logs from VA scanning by third-party applications (eEye and Foundstone)
    Manual configuration (when adding a host); by default it can be overwritten by the info from the VA logs
    Result from a VA probe (if the targeted host is new)
1. Several conditions cause a VA probe on the destination host/device:
    Incident occurred
    Incident is within the VA valid network
    Interesting event (mapped to, e.g., a Nessus script)
2. The result from the VA probe is analyzed against the CS-MARS database to determine an “unconfirmed” false positive
3. The VA result is cached for four hours
4. If the targeted host (Linux or Windows) doesn’t exist in the CS-MARS database, it is added automatically


Query Page
On the Query page, it is possible to:
• Run reports as on-demand queries
• Create your own query
• Create rules


Understanding Queries and Reports
Queries are an important aspect of CS-MARS defense:
• Fast drill-down into incidents
• Quick building of rules to better analyze network traffic
• Predefined queries
• Different save options
    Save as report―Build repeatable queries
    Save as rule―Saves the query as a rule and takes you to the Rules page


Running a Quick Query
• Things to think about before running a query:
    What do you want to see: source IP, destination IP, event …
    How do you want the results to be displayed
• To run a quick query:
    Enter a source IP, destination IP, or a service into the quick query field
    Format the results by clicking the Edit tab
    Enter the time range
    Click the Submit Inline button to run the query


Query and Reports
Forensic Analysis
• Easy-to-use GUI for writing queries and reports
• Fully customizable means to define filters and aggregate output
• Ability to view filtered events in real time for problem debugging
• Batch queries provide the ability to run reports in the background


Free-Form Query
To run a free-form query:
• Click the icon to add parentheses for nested queries, or click the trash-can icon to remove parentheses.
• Under Search String, enter the strings to query; under Operation, select the operation (AND, OR, NOT). For the final item in the list, select None.


Selecting Query Type
• Selecting query type
    Determines a query’s result format, rank, time, whether it only uses firing events, and the number of rows returned
    Select different query criteria by clicking the Query Type link or Edit button: Events, Device, Operation, Rule, Action


Total, Peak, and Recent Reports
Total View
• Selects the top N values for display by calculating the sum total of each value in the time range, and picking those with the largest total.
Peak View
• Selects the top N values for display by examining the rate for each value in the selected time range, and picking those with the highest peaks.
Recent View
• Selects the top N values from the past hour and displays them over the selected time range. A recent view shows the current state and can highlight ongoing anomalous behavior. If a spike happened within the past hour, it will appear in the recent view, but the recent view can also show more fundamental changes in the shape of the network traffic.
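The three rankings side by side, as an added Python example (not CS-MARS code). The time series is constructed: events per source address in 15-minute buckets over a 3-hour range, so the last four buckets are "the past hour"; the bucket size is this example's assumption:

```python
BUCKETS_PER_HOUR = 4   # constructed: 15-minute buckets, so the last 4 are the past hour

# Constructed events per bucket for each source address over a 3-hour range (oldest first).
SERIES = {
    "10.1.1.5":  [50, 52, 49, 51, 50, 48, 53, 50, 49, 51, 50, 52],   # steady talker: largest total
    "10.1.1.7":  [2, 1, 3, 2, 400, 2, 1, 2, 3, 1, 2, 1],              # one sharp spike two hours ago
    "10.1.1.9":  [5, 4, 6, 5, 5, 6, 4, 5, 60, 70, 80, 90],            # ramping up during the past hour
    "10.1.1.11": [0, 1, 0, 0, 1, 0, 0, 1, 0, 0, 0, 1],
}

def top_n(series, view, n, buckets_per_hour=BUCKETS_PER_HOUR):
    """Rank the values of a time series the three ways the slide describes.

    series: {value: [count per bucket, oldest first]} over the selected time range.
    view:   "total"  -> sum over the whole range
            "peak"   -> highest single-bucket rate anywhere in the range
            "recent" -> sum over the last hour's buckets only
    Returns [(value, score), ...] for the top n, highest first. The report then plots
    each winner's full series over the selected range, whichever view chose it.
    """
    if view == "total":
        score = lambda counts: sum(counts)
    elif view == "peak":
        score = lambda counts: max(counts)
    elif view == "recent":
        score = lambda counts: sum(counts[-buckets_per_hour:])
    else:
        raise ValueError(f"unknown view {view!r}")
    ranked = sorted(((v, score(c)) for v, c in series.items()), key=lambda vs: vs[1], reverse=True)
    return ranked[:n]

def report(series, n=3):
    """All three views for the same data, to see how differently they rank the same hosts."""
    return {view: top_n(series, view, n) for view in ("total", "peak", "recent")}

if __name__ == "__main__":
    for view, rows in report(SERIES).items():
        print(f"{view:6s}", rows)
```

On this data the steady host wins the Total view, the two-hour-old spike wins the Peak view, and the host ramping up right now wins the Recent view even though its total is the smallest of the three; the Recent view is the one that would surface the ongoing change first.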

Creating Reports
To create a new report:
• On the Reports page, click the Add button
• From the Query page, define a query and select to save it as a report



CS-MARS NAC Integration
• CS-MARS receives syslog from NAC modules:
    Network Access Device
        EAP session creation/removal
        EAP host posture validation status
        EAP host authentication type
        EAP host policy attributes
    ACS
        Authentication status: pass, failed, reason
        RADIUS accounting events will be parsed and categorized
• These events are parsed and categorized
    Penetrate/GuessPassword/NAC
    Info/SuccessfulLogin/NAC
• Rules/Queries/Reports/Trends work as for other events
• CS-MARS determines
    Host name, user name, IP, MAC, enforcement point, compliance status association

CS-MARS NAC Integration
• Perform investigation or generate compliance reports
    All noncompliant hosts as reported by a particular Network Access Device
    Compliance activity for a particular user during a particular time
    Remediation times per host
• Visualize interesting trends
    Noncompliant hosts after a recent worm has been patched
    Noncompliance activity for a particular domain
    Remediation times after a recent worm has been patched
• CS-MARS protects against day-zero anomalies for a patched host


802.1x, L2 Security Feature Set, and Network Admission Control Reporting
• Make sense out of LAN-based 802.1x solutions
• Centralized reporting for L2, L3, and remote access NAC deployments
• Provide policy trending reports based on endpoint posture enforcement
• Centralized operational troubleshooting for helpdesk calls
• Centralized view of the hit rate of all your L2 infrastructure security features: Dynamic ARP Inspection, Spanning Tree Root Guard, IP Source Guard, etc.



Incidents Overview
• An incident is a chain of correlated events that describe an attack scenario against your network. Examples are:
    Reconnaissance activity followed by a penetration attempt, and further followed by malicious activity on the target host
    Reconnaissance activity followed by a denial-of-service attempt
• An incident produced by the CS-MARS collects the interesting sessions that constitute an attack scenario and uses rules to describe them.
• CS-MARS comes with predefined system rules that can be modified, or new custom rules can be generated.
• Incidents are subdivided into sessions to make it easier for you to investigate the attack scenario. Each instance alone is a full attack scenario.

The Incidents Page

• These incidents are the result of the predefined system rules:
    The rules are generic
    Globally applicable
    Serve as a starting point to fine-tune the system
• The Incidents page displays the last 24 hours of recent incidents


Incidents Details
Answers such questions as:
• Who did it
• What event types happened
• When it happened
• To whom it happened


The Incidents Page

The Incidents page’s table:
• Incident ID
    An incident’s unique ID
• Action
    The description of the notification taken when this rule fires
• Severity
    Green, yellow, and red icons
• Time
    A single time or a time range
• Event type
    The normalized signature sent from the reporting devices
• Incident path
    The icon that takes you to the incident’s path diagram
• Matched rule
    The rule whose criteria were met
• Incident vector
    The icon that takes you to the source, event type, and destination diagram

Incidents Detail Table
The table includes:
• Instances
• Session/Incident ID
• Events column
• Time column


Reading the Incidents Table
• Colors in the table
    Let you quickly scan the table for changes among rows
    Quickly zero in on changes between rows
• If a cell is either gray or white, it is the same as the cell above
• If a cell of a grouping criterion is a shade of purple, then the value in that cell differs from the value in the row above


Case Management
• Provides a framework to compile information collected by MARS
• Create cases that may contain incidents, device information, sessions, rules, and report data
• Completes the case lifecycle for audit purposes
• Cases include many parameters, including owner, date/time stamps, status, notes, and case ID numbers
• Cases can be searched by a variety of parameters and can be stored in a hierarchical grouping structure
• Cases can be e-mailed to asset owners or ticketing systems by the logged-on administrator


Incident Path

• Clicking on the PATH icon displays the attack path diagram of the incident
• It displays all the associated sessions of this incident as well as the event types of each session
• Toggle Topology displays the full topology of the discovered network


Incident Attack Diagram

• Clicking on the Incident vector icon displays the attack diagram
• It displays each attack session and provides the Src and Dest IPs as well as all the event types
• The color-coded host indicates whether it is compromised (red), an attacker (brown), or both (purple)
• Each link is labeled with the number of occurrences


Mitigation Information Page
• Click the Mitigate link from the Incidents Details page.
• By default, the detailed incident information is collapsed. You may need to click Expand All to view the Path/Mitigation icon of each session.


Mitigation Information Page
To mitigate an attack:
• Click the Mitigate link
• Select an L2 or L3 device to mitigate on
• Review the enforcement device and select a new device if needed


False Positives or False Alarms
• What is a false positive?
    Broad and somewhat vague term
    False alarms are the Internet security equivalent of the boy who cried wolf
    They diminish the value and urgency of real alerts
• Common categories into which false alarms can be divided:
    Reactionary traffic alarms: Traffic that is caused by another network event, often nonmalicious.
    Equipment-related alarms: Attack alerts that are triggered by odd, unrecognized packets generated by certain network equipment.
    Protocol violations: Alerts that are caused by unrecognized network traffic, often caused by poorly or oddly written client software.
    True false positives: Alarms that are generated by an IDS for no apparent reason. These are often caused by IDS software bugs.
    Nonmalicious alarms: Generated through some real occurrence that is nonmalicious in nature.
• What are acceptable levels of false alarms?
    An IDS sensor without any customization may have only 10% of its alarms associated with a true security event.
    With tuning, an average real alarm rate of 60% or better is possible. You can achieve real alarm rates above 90%, depending on the level of tuning and the type of traffic on a network.

False Positives or False Alarms
• Two entry points for performing false-positive tuning


False Positive Page
Types of false positive supported by CS-MARS:
• Unconfirmed false positive
    CS-MARS needs user confirmation to determine whether the target host is vulnerable
• User-confirmed false positive
    For this type, a user has provided confirmation that a firing event is a false positive
• User-confirmed positive
    For this type, a user has provided confirmation that a firing event is a true attack
• System-determined false positive
    For this type, the system has determined that a firing event is a false positive


False Positive Summary
• A summary of all false positives is presented on the Summary page



Rules Overview
• A rule is a real-time filter that detects interesting patterns of network activity.
• Attacks share common traits, so use rules to define these traits for monitoring and alerting on them.
• Rules create incidents. Based on events and sessions, a rule connects them together to form a chain of events that describes an intrusion.
• Rules can determine whether a false positive is either dropped completely or kept as information in the database.
• There are more than 104 built-in system rules, which detect anomalies based on behaviors.
• Easy-to-build, user-defined rules.


Creating Rules
• Create rules when there are new or unique threats.
• A rule can have a single line, two lines, or multiple lines
    Link these lines together using the logical operators “AND, OR, FOLLOWED-BY.”
• You can duplicate the existing rules or add others, such as system rules. However, you can’t delete any of these rules.
• Use dollar variables to constrain your host, e.g. $TARGET
• Example: Build a rule to detect and alert on a new P2P application which runs on ports 6667, 6668, or 6669―TCP.
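The rule semantics above (single-line rules, lines linked by AND, OR and FOLLOWED-BY, and a dollar variable binding the same host across lines), as an added Python example that is not CS-MARS code. The sessions are constructed and already normalized; treating OR as grouping adjacent lines into alternatives, and FOLLOWED-BY as strict time order, are this example's reading of the operators. The P2P rule is the slide's own example:

```python
# Constructed, already-normalized sessions (time = seconds offset; id is for display).
SESSIONS = [
    {"id": 1, "time": 100, "src": "192.0.2.10", "dst": "10.1.1.20", "proto": "TCP", "dport": 22, "event_type": "Port sweep"},
    {"id": 2, "time": 160, "src": "192.0.2.10", "dst": "10.1.1.20", "proto": "TCP", "dport": 22, "event_type": "Exploit attempt"},
    {"id": 3, "time": 170, "src": "192.0.2.11", "dst": "10.1.1.30", "proto": "TCP", "dport": 80, "event_type": "Exploit attempt"},
    {"id": 4, "time": 200, "src": "10.1.1.7", "dst": "203.0.113.9", "proto": "TCP", "dport": 6667, "event_type": "Built connection"},
    {"id": 5, "time": 210, "src": "10.1.1.8", "dst": "203.0.113.9", "proto": "UDP", "dport": 6668, "event_type": "Built connection"},
]

# The slide's single-line example: a new P2P application on TCP 6667-6669.
P2P_RULE = {"name": "New P2P application",
            "lines": [{"proto": "TCP", "dport": {6667, 6668, 6669}}], "ops": []}

# Two lines joined by FOLLOWED-BY; $TARGET must bind to the same destination on both lines.
RECON_THEN_EXPLOIT = {
    "name": "Recon followed by exploit on the same host",
    "lines": [{"event_type": "Port sweep", "dst": "$TARGET"},
              {"event_type": "Exploit attempt", "dst": "$TARGET"}],
    "ops": ["FOLLOWED-BY"],
}

# Two lines joined by OR: either event type alone fires the rule.
SWEEP_OR_EXPLOIT = {
    "name": "Sweep or exploit attempt",
    "lines": [{"event_type": "Port sweep"}, {"event_type": "Exploit attempt"}],
    "ops": ["OR"],
}

def match_line(line, session, bindings):
    """Return the bindings extended by this line, or None if the session does not satisfy it.
    A value starting with '$' is a dollar variable: it binds on first use and must match afterwards."""
    new = dict(bindings)
    for field, want in line.items():
        have = session[field]
        if isinstance(want, str) and want.startswith("$"):
            if want in new and new[want] != have:
                return None
            new[want] = have
        elif isinstance(want, (set, frozenset, range)):
            if have not in want:
                return None
        elif have != want:
            return None
    return new

def group_lines(rule):
    """OR joins adjacent lines into one group of alternatives (this example's reading);
    AND and FOLLOWED-BY separate groups that must all be satisfied."""
    groups, ops = [[rule["lines"][0]]], []
    for op, line in zip(rule["ops"], rule["lines"][1:]):
        if op == "OR":
            groups[-1].append(line)
        else:
            ops.append(op)
            groups.append([line])
    return groups, ops

def evaluate(rule, sessions):
    """Run one rule over the sessions. Each result is an incident: the chain of sessions
    that satisfied every group, plus the dollar-variable bindings that tie them together."""
    groups, ops = group_lines(rule)
    states = [({}, [])]                     # (bindings, chain of matched sessions)
    for i, group in enumerate(groups):
        op = ops[i - 1] if i else None
        nxt = []
        for bindings, chain in states:
            for s in sessions:
                if s in chain:
                    continue
                if op == "FOLLOWED-BY" and s["time"] <= chain[-1]["time"]:
                    continue                # FOLLOWED-BY requires strict time order
                for line in group:
                    b = match_line(line,s, bindings)
                    if b is not None:
                        nxt.append((b, chain + [s]))
                        break
        states = nxt
    return [{"rule": rule["name"], "bindings": b, "sessions": [s["id"] for s in c]} for b, c in states]

if __name__ == "__main__":
    for rule in (P2P_RULE, RECON_THEN_EXPLOIT, SWEEP_OR_EXPLOIT):
        print(rule["name"], "->", evaluate(rule, SESSIONS))
```

Session 3 is an exploit attempt with no preceding sweep against the same destination, so the FOLLOWED-BY rule does not fire on it, while the OR rule counts it; that is the difference between a rule describing an attack scenario and one that merely lists event types. Session 5 is on a listed port but over UDP, so the P2P rule correctly ignores it.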

System and User Inspection Rules
• User Inspection Rules
    Rules created by the user
• System Inspection Rules
    Predefined rules
    Limited ability to change these rules:
        Edit some rule criteria (source and destination IP and reporting devices)
        Duplicate system rules
        Inactivate and activate rules
    Updated on an ongoing basis
• Drop Rules
    Tell CS-MARS either to drop a false positive completely from the appliance, not logging it to its database, or to log it to the database only

Rules Behaviors
• User Inspection Rules can’t be deleted; however, the user can change their status from Active to Inactive
• Inactive rules do not fire incidents and do not affect the speed at which the system processes events
• A system rule can be duplicated, and the duplicate allows limited editing (Source IP, Destination IP, and Device)
• Screen callout: Duplicate Rule


Types of Alerts
• The CS-MARS supports four types of alerts when a rule is fired. The user can configure these alerts as part of the rule:
    Email
    Syslog
    Page
    SNMP
    SMS (introduced in 3.3.3)


Management Overview
• Use the management features in the CS-MARS to assign event, addressing, service, and user information. This information is used in rules and queries, and to determine false positives.
• Event Management
    Take the events presented here, group them, and then use them with rules to concentrate your search for attacks
• IP Management
    Lets you work with addresses for networks, IP ranges, variables, and hosts
• Service Management
    A combination of source port, destination port, and protocol
• User Management
    Manage users, roles, and groups


Global Controller Goals
• Global Controller (GC) provides a summary of all LCs’ information
    Network topologies
    Incidents
    Query and report results
• It also provides a central point for creating rules and queries, then applies them to multiple LCs simultaneously
• Changes in an LC are automatically propagated to the GC and vice versa
• Seamlessly navigate to any LC from the GC GUI
• Scalable through the distributed architecture
• Divide the network into zones (by department function or region)


Global Controller Architecture Overview
• Distributed architecture
    GC is based on CS-MARS 200 hardware
    GC manages multiple local controllers; each LC manages ONE zone
    LC is based on any of the existing models
    Different license keys for GC and LC/standalone CS-MARS
    GC can support up to 20 simultaneous users
    Connection establishment between GC and LC takes 20 sec or less
    Communication is over HTTPS


Global Controller Overview
• Reports
    Locally defined reports are only computed at the LCs, and the results are not pushed up. The mechanism of using LCs to compute partial global reports and then globally aggregating them to produce enterprise-wide reports is key, and truly scales enterprise-wide security management at a reasonable cost.


Global Controller Overview
• HotSpot Graph and Full Topology
    The graph can be viewed by selected zone
    Viewing as Global Zone displays a merged topology of all monitored LCs:
        a) A device that exists in multiple zones appears once in the GC topology after it is discovered
        b) Two devices with the same IP address in different zones appear as two devices in the GC topology
        c) A device with two interfaces existing in two different zones appears once in the GC topology if the device is discovered
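The three merge rules a) to c) come down to one keying decision: a discovered device is identified by the device itself, an undiscovered entry only by its address within its zone. An added Python example (not CS-MARS code) that applies exactly that, on constructed zone reports; the device identifiers and addresses are made up:

```python
# Constructed per-zone device lists as two LCs might report them to the GC.
# "device_id" is present only for devices that were discovered (e.g. via SNMP); an
# entry without one is known by address alone.
ZONES = {
    "HQ": [
        {"ip": "10.0.0.1", "device_id": "core-rtr-1"},      # a) same discovered router seen by both LCs
        {"ip": "192.168.1.1", "device_id": "branch-a-fw"},  # b) same IP as a different device in Branch
        {"ip": "10.0.0.2", "device_id": "dist-sw-1"},       # c) first interface of a two-zone switch
    ],
    "Branch": [
        {"ip": "10.0.0.1", "device_id": "core-rtr-1"},
        {"ip": "192.168.1.1", "device_id": "branch-b-fw"},
        {"ip": "10.9.0.2", "device_id": "dist-sw-1"},       # c) second interface of the same switch
        {"ip": "10.9.0.50"},                                 # host seen by address only, not discovered
    ],
}

def merge_topology(zone_reports):
    """Merge per-zone device lists into one Global Zone view.
    Discovered devices merge across zones by device identity (rules a and c);
    undiscovered entries stay distinct per zone and address (rule b follows from
    two different discovered devices having different identities)."""
    nodes = {}
    for zone, devices in zone_reports.items():
        for d in devices:
            device_id = d.get("device_id")
            key = ("device", device_id) if device_id else ("ip", zone, d["ip"])
            node = nodes.setdefault(key, {"ips": set(), "zones": set(), "discovered": bool(device_id)})
            node["ips"].add(d["ip"])
            node["zones"].add(zone)
    return nodes

def devices_at(nodes, ip):
    """How many distinct GC topology nodes carry a given address."""
    return [key for key, node in nodes.items() if ip in node["ips"]]

if __name__ == "__main__":
    merged = merge_topology(ZONES)
    for key, node in merged.items():
        print(key, sorted(node["ips"]), sorted(node["zones"]))
```

Seven per-zone entries collapse to five nodes: the core router and the distribution switch each appear once (the switch with both of its addresses), the two firewalls that share 192.168.1.1 stay separate because they are different discovered devices, and the undiscovered host stays tied to the Branch zone. An undiscovered device reachable on two addresses would, by the same rule, appear twice, which is the reason rule c) is conditional on discovery.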


User-Defined Log Parser Templates
• The technique used to define the log parser is called “overloading”
• Overloading is the mapping of a field from a custom event to an existing CS-MARS field
• For the example above, the destination port will be overloaded with the number of connections


User-Defined Log Parser Templates
• Steps to create a user-defined parser in CS-MARS
    1. Create a new appliance or software type
    2. Create a new EVENT type that is associated to this new device or software
    3. Define the patterns that are then associated to the new EVENT type
    4. Add this new device or software into CS-MARS


User-Defined Log Parser Templates
• Test your new custom parser―New Event Type “HTTP Status OK”
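The four parser-definition steps, the “overloading” technique from the earlier slide, and the HTTP Status OK test above, as one added Python example (not CS-MARS code). The device type, the two event types, the regular expressions and the sample log lines are all constructed; the point is that the summary event has no destination port of its own, so its connection count is stored in the destination-port field, and any later query or rule on that field is really thresholding on connections:

```python
import re

# Step 1: a new appliance/software type (constructed name).
DEVICE_TYPE = "Example Web Proxy"

# Step 2: event types associated with that device type (constructed).
EVENT_TYPES = {
    "HTTP Status OK": {"severity": "green"},
    "HTTP Connection Summary": {"severity": "green"},
}

# Step 3: patterns. Each named capture group is mapped onto an existing CS-MARS field.
# The summary pattern "overloads" destination_port with the connection count, as the
# slide's example does, because the summary line carries no port.
PATTERNS = [
    {
        "event_type": "HTTP Status OK",
        "regex": re.compile(r'proxy: client=(?P<src>[\d.]+) server=(?P<dst>[\d.]+):(?P<dport>\d+) '
                            r'status=200 url="(?P<url>[^"]*)"'),
        "map": {"src": "source_ip", "dst": "destination_ip", "dport": "destination_port", "url": "info"},
    },
    {
        "event_type": "HTTP Connection Summary",
        "regex": re.compile(r"proxy: client=(?P<src>[\d.]+) connections=(?P<count>\d+) interval=60s"),
        "map": {"src": "source_ip", "count": "destination_port"},   # overloaded field
    },
]

def parse_custom(raw, device_type=DEVICE_TYPE):
    """Apply the patterns in order; the first match decides the event type and fields."""
    for p in PATTERNS:
        m = p["regex"].search(raw)
        if m:
            fields = {"device_type": device_type, "event_type": p["event_type"], **EVENT_TYPES[p["event_type"]]}
            for group, mars_field in p["map"].items():
                value = m.group(group)
                fields[mars_field] = int(value) if mars_field == "destination_port" else value
            return fields
    # No pattern matched: keep the raw text so the gap in the parser is visible.
    return {"device_type": device_type, "event_type": "Unknown (no pattern matched)", "raw": raw}

# Step 4 / test: constructed lines the new device type would send.
SAMPLE_LOG = [
    'proxy: client=10.1.1.5 server=203.0.113.9:80 status=200 url="/index.html"',
    "proxy: client=10.1.1.5 connections=42 interval=60s",
    "proxy: client=10.1.1.6 something unexpected",
]

def test_parser(lines=SAMPLE_LOG):
    return [parse_custom(line) for line in lines]

def connection_count_over(events, threshold):
    """A query or rule on 'destination_port > threshold' for the summary event type is,
    because of the overloading, a threshold on connections per interval."""
    return [e for e in events
            if e.get("event_type") == "HTTP Connection Summary" and e["destination_port"] > threshold]

if __name__ == "__main__":
    parsed = test_parser()
    for event in parsed:
        print(event)
    print("busy clients:", [e["source_ip"] for e in connection_count_over(parsed, 30)])
```

The third sample line is deliberately one no pattern covers: when testing a new parser, send at least one such line and confirm it surfaces as unparsed rather than silently matching a pattern that is too loose. Overloaded fields also deserve a note in the event type's description, since a destination port of 42 on a connection-summary event will otherwise puzzle whoever reads the incident later.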
