Security Monitoring with Cisco Security MARS
Description
Security Monitoring with Cisco Security MARS
Threat mitigation system deployment
Gary Halleen
Greg Kellogg
Networks and hosts are probed hundreds or thousands of times a day in an attempt to discover vulnerabilities. An even greater number of automated attacks from worms and viruses stress the same devices. The sheer volume of log messages or events generated by these attacks and probes, combined with the complexity of an analyst needing to use multiple monitoring tools, often makes it impossible to adequately investigate what is happening.
Cisco® Security Monitoring, Analysis, and Response System (MARS) is a next-generation Security Threat Mitigation system (STM). Cisco Security MARS receives raw network and security data and performs correlation and investigation of host and network information to provide you with actionable intelligence. This easy-to-use family of threat mitigation appliances enables you to centralize, detect, mitigate, and report on priority threats by leveraging the network and security devices already deployed in a network, even if the devices are from multiple vendors.
Security Monitoring with Cisco Security MARS helps you plan a MARS deployment and learn the installation and administration tasks you can expect to face. Additionally, this book teaches you how to use the advanced features of the product, such as the custom parser, Network Admission Control (NAC), and global controller operations. Through the use of real-world deployment examples, this book leads you through all the steps necessary for proper design and sizing, installation and troubleshooting, forensic analysis of security events, report creation and archiving, and integration of the appliance with Cisco and third-party vulnerability assessment tools.
“In many modern enterprise networks, Security Information Management tools are crucial in helping to manage, analyze, and correlate a mountain of event data. Greg Kellogg and Gary Halleen have distilled an immense amount of extremely valuable knowledge in these pages. By relying on the wisdom of Kellogg and Halleen embedded in this book, you will vastly improve your MARS deployment.”
—Ed Skoudis, Vice President of Security Strategy, Predictive Systems
Gary Halleen is a security consulting systems engineer with Cisco. He has in-depth knowledge of security systems as well as remote-access and routing/switching technology. Gary is a CISSP and ISSAP. His diligence was responsible for the first successful computer crimes conviction in the state of Oregon. Gary is a regular speaker at security events and presents at Cisco Networkers conferences.
Greg Kellogg is the vice president of security solutions for Calence, LLC. He is responsible for managing the company’s overall security strategy. Greg has more than 15 years of networking industry experience, including serving as a senior security business consultant for the Cisco Enterprise Channel organization. Additionally, Greg worked for Protego Networks, Inc. (where MARS was originally developed). There he was responsible for developing channel partner programs and helped solution providers increase their security revenue.
Learn the differences between various log aggregation and correlation systems
Examine regulatory and industry requirements
Evaluate various deployment scenarios
Properly size your deployment
Protect the Cisco Security MARS appliance from attack
Generate reports, archive data, and implement disaster recovery plans
Investigate incidents when Cisco Security MARS detects an attack
Troubleshoot Cisco Security MARS operation
Integrate Cisco Security MARS with Cisco Security Manager, NAC, and third-party devices
Manage groups of MARS controllers with global controller operations
This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.
Category: Cisco Press—Security
Covers: Security Threat Mitigation
Table of Contents
Foreword
Introduction
Part I Introduction to CS-MARS and Security Threat Mitigation
Chapter 1 Introducing CS-MARS
Introduction to Security Information Management
The Role of a SIM in Today’s Network
Common Features for SIM Products
Desirable Features for SIM Products
Challenges in Security Monitoring
Types of Events Messages
Understanding CS-MARS
Security Threat Mitigation System
Topology and Visualization
Robust Reporting and Rules Engine
Alerts and Mitigation
Description of Terminology
CS-MARS User Interface
Dashboard
Network Status
My Reports
Summary
Chapter 2 Regulatory Challenges in Depth
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Who Is Affected by HIPAA?
What Are the Penalties for Noncompliance?
HIPAA Security Rule
HIPAA Security Rule and Security Monitoring
Gramm-Leach-Bliley Act of 1999 (GLB Act)
Who Is Affected by the GLB Act?
What Are the Penalties for Noncompliance with GLB?
The GLB Act Safeguards Rule
The GLB Safeguards Rule and Security Monitoring
The Sarbanes-Oxley Act of 2002 (SOX)
Who Is Affected by Sarbanes-Oxley?
What Are the Penalties for Noncompliance with Sarbanes-Oxley?
Sarbanes-Oxley Internal Controls
Payment Card Industry Data Security Standard (PCI-DSS)
Who Is Affected by the PCI Data Security Standard?
What Are the Penalties for Noncompliance with PCI-DSS?
The PCI Data Security Standard
Compliance Validation Requirements
Summary
Chapter 3 CS-MARS Deployment Scenarios
Deployment Types
Local and Standalone Controllers
Global Controllers
Sizing a CS-MARS Deployment
Special Considerations for Cisco IPSs
Determining Your Events per Second
Determining Your Storage Requirements
Considerations for Reporting Performance
Considerations for Future Growth and Flood Conditions
Planning for Topology Awareness
CS-MARS Sizing Case Studies
Retail Chain Example
State Government Example
Healthcare Example
Summary
Part II CS-MARS Operations and Forensics
Chapter 4 Securing CS-MARS
Physical Security
Inherent Security of MARS Appliances
Security Management Network
MARS Communications Requirements
Network Security Recommendations
Ingress Firewall Rules
Egress Firewall Rules
Network-Based IDS and IPS Issues
Summary
Chapter 5 Rules, Reports, and Queries
Built-In Reports
Understanding the Reporting Interface
Reporting Methods
The Query Interface
Creating an On-Demand Report
Batch Reports and the Report Wizard
Creating a Rule
About Rules
Creating the Rule
Creating Drop Rules
About Drop Rules
Creating the Drop Rule
Summary
Chapter 6 Incident Investigation and Forensics
Incident Handling and Forensic Techniques
Initial Incident Investigation
Viewing Incident Details
Finishing Your Investigation
False-Positive Tuning
Deciding Where to Tune
Tuning False Positives in MARS
Summary
Chapter 7 Archiving and Disaster Recovery
Understanding CS-MARS Archiving
Planning and Selecting the Archive Server
Configuring the Archiving Server
Configuring CS-MARS for Archiving
Using the Archives
Restoring from Archive
Restoring to a Reporting Appliance
Direct Access of Archived Events
Retrieving Raw Events from Archive
Summary
Part III CS-MARS Advanced Topics
Chapter 8 Integration with Cisco Security Manager
Configuring CS-Manager to Support CS-MARS
Configuring CS-MARS to Integrate with CS-Manager
Using CS-Manager Within CS-MARS
Summary
Chapter 9 Troubleshooting CS-MARS
Be Prepared
Troubleshooting MARS Hardware
Beeping Noises
Degraded RAID Array
Troubleshooting Software and Devices
Unknown Reporting Device IP
Check Point or Other Logs Are Incorrectly Parsed
New Monitored Device Logs Still Not Parsed
How Much Storage Is Being Used, and How Long Will It Last?
E-Mail Notifications Sent to Admin Group Never Arrive
MARS Is Not Receiving Events from Devices
Summary
Chapter 10 Network Admission Control
Types of Cisco NAC
NAC Framework Host Conditions
Understanding NAC Framework Communications
Configuration of CS-MARS for NAC Framework Reporting
Information Available on CS-MARS
Summary
Chapter 11 CS-MARS Custom Parser
Getting Messages to CS-MARS
Determining What to Parse
Adding the Device or Application Type
Adding Log Templates
First Log Template
Second and Third Log Templates
Fourth and Fifth Log Templates
Additional Messages
Adding Monitored Device or Software
Queries, Reports, and Rules
Queries
Reports
Rules
Custom Parser for Cisco CSC Module
Summary
Chapter 12 CS-MARS Global Controller
Understanding the Global Controller
Zones
Installing the Global Controller
Enabling Communications Between Controllers
Troubleshooting
Using the Global Controller Interface
Logging In to the Controller
Dashboard
Drilling Down into an Incident
Query/Reports
Local Versus Global Rules
Security and Monitor Devices
Custom Parser
Software Upgrades
Global Controller Recovery
Summary
Part IV Appendixes
Appendix A Querying the Archive
Appendix B CS-MARS Command Reference
Appendix C Useful Websites
Index