Cisco security and IDS products provide a mechanism to detect when an intrusion has occurred. The main drawback of an HIDS is that many of its alarms are false positives, especially across a large installed base of CSA clients; in other words, an alarm should not send your security team off to investigate what is in fact a normal IP packet or TCP segment. A CCIE candidate, however, must be able to tune out normal IP packets and TCP segments in the lab portion of the certification. The main concern is to ensure that valid attacks are identified and that the network infrastructure is protected.
Cisco Threat Response (CTR) is a server-based software application that eliminates false alarms and ensures that attacks are reported correctly and in real time.
The three-phased approach used by CTR is as follows:
1. Basic investigation to target vulnerability
2. Advanced investigation of target
The end goal of CTR is to classify the alarms raised against a destination device or system and validate them based on the target's operating system type, patch level, and the actual log files on the end system.
CTR ensures that your network is constantly monitored and that threats are immediately reported. This ensures that your significant investment in IDS is enhanced.
Ensuring that only real-time, valid threats are investigated means that the network infrastructure can be protected from most forms of attack in an efficient manner. Put simply, CTR reads IDS alarms and performs automated forensics on the hosts or servers that may have been compromised.
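The following is an added illustration, not Cisco's code: a toy alarm validator that mimics the CTR idea of checking each IDS alarm against the target host's OS type, patch level and log files before it reaches an analyst. The hosts, patch names, alarms and log lines are all constructed sample data.

```python
# Added example (not Cisco's code). Every host, patch id, alarm and log line
# below is constructed sample data, not a real indicator.
from dataclasses import dataclass, field

@dataclass
class Host:
    os: str                                  # e.g. "windows" or "linux"
    patches: set = field(default_factory=set)
    logs: list = field(default_factory=list)

@dataclass
class Alarm:
    signature: str
    target_ip: str
    affected_os: str      # OS the attack applies to
    fixing_patch: str     # patch that closes the hole ("" if none known)
    log_marker: str       # text expected in the target's logs if it landed

def validate(alarm: Alarm, inventory: dict) -> str:
    """Return one of: unknown-host, false-positive, confirmed, possible."""
    host = inventory.get(alarm.target_ip)
    if host is None:
        return "unknown-host"           # nothing to correlate against
    # Basic investigation: does the attack even apply to this OS?
    if host.os != alarm.affected_os:
        return "false-positive"
    # Advanced investigation: is the hole already patched on the target?
    if alarm.fixing_patch and alarm.fixing_patch in host.patches:
        return "false-positive"
    # Check the host's own logs for evidence that the attack succeeded.
    if any(alarm.log_marker in line for line in host.logs):
        return "confirmed"
    return "possible"                   # vulnerable, but no proof yet

INVENTORY = {                           # constructed host inventory
    "10.1.1.10": Host("linux", {"PATCH-A"}, ["sshd: accepted key"]),
    "10.1.1.20": Host("windows", set(), ["cmd.exe launched by w3svc"]),
    "10.1.1.30": Host("windows", {"PATCH-B"}, []),
}
ALARMS = [                              # same signature, three targets
    Alarm("web-server-exploit", "10.1.1.10", "windows", "PATCH-B", "cmd.exe"),
    Alarm("web-server-exploit", "10.1.1.20", "windows", "PATCH-B", "cmd.exe"),
    Alarm("web-server-exploit", "10.1.1.30", "windows", "PATCH-B", "cmd.exe"),
]

def triage(alarms=ALARMS, inventory=INVENTORY) -> dict:
    """Map each alarm's target to a verdict; only 'confirmed' needs a human."""
    return {a.target_ip: validate(a, inventory) for a in alarms}
```

Running `triage()` shows one signature producing three different verdicts purely from host context, which is the point of the approach: the sensor alarm alone cannot tell the analyst which target actually matters.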
For more details on CTR, visit http://www.cisco.com/en/US/partner/products/sw/secursw/ps5054/index.html or search on the keywords "Cisco Threat Response" at Cisco.com.