False Positives

CS-MARS considers a false positive an attack that was unsuccessful against the target, either because the host was not vulnerable to the attack or because other products prevented the attack from succeeding. This is somewhat of a misnomer, because the real definition of a false positive is when a product incorrectly identifies an attack, when in reality it was not an attack. For example, if legitimate communication between a network printer and a host is incorrectly detected by your...

Using CSManager Within CSMARS

Integration of CS-Manager is useful when investigating security incidents. CS-Manager does not send events to MARS. Instead, it allows MARS to pull information from CS-Manager, on demand. In Figure 8-8, the MARS console is showing traffic being denied by the pix515 firewall. It appears that a host with address 10.0.0.61 is attempting to communicate with 192.168.2.25 using TCP port 5. Figure 8-8 PIX Firewall Denied Traffic Query Results (MARS console screenshot)...

NAC Framework Host Conditions

Both NAC Framework and NAC Appliance assign tokens to describe the posture of each host that is checked by NAC. With NAC Framework, these tokens are passed to the NAD, which is preconfigured with network access policies for each token. The tokens in the list that follows are supported with NAC Framework. Remember that NAC doesn't mandate a particular action or permission based on the posture token. The descriptions that follow are simply recommendations. NAC is a flexible technology, and it...

Syslog

Syslog is perhaps the most widely used of all the logging protocols. It is a general-purpose message protocol, and it can send virtually any type of message from a device to a syslog server. Most, but not all, syslog messages are simple text, and they are easy to read without special software. Examples of systems that commonly use syslog include the following: Most network devices can communicate at this level. Syslog provides a facility for communication between network devices, servers, and...

The GLB Safeguards Rule and Security Monitoring

The requirements for security monitoring within the Safeguards Final Rule are relatively vague. This is because of the flexibility financial institutions have in deciding what makes the most sense for their organization. All financial institutions are required to monitor and test their controls, but how this is done is not described. What you should think about is how your monitoring solution can provide the monitoring needs, and how it can be used to demonstrate due diligence in other areas....

Determining What to Parse

After you have the events being sent to MARS, the next thing you want to do is determine what types of messages you need to parse, and what information you need from each message. As you look through these messages, you need to understand what fields are available within MARS to store the information. The following fields are available within MARS: You don't need to use each of these fields on every message, but if the information is available within an individual message, you should use as much...

Administrative Safeguards (Sec. 164.308)

The following nine administrative safeguard standards are in place: Security management process: Covered entities must implement policies and procedures to prevent, contain, and correct security violations. This standard includes the requirement to conduct a thorough assessment of the potential risks and vulnerabilities of ePHI. It also requires you to implement security measures to reduce the risks and vulnerabilities to a reasonable and appropriate level. When you discover personnel who are...

Requirement 11 Regularly Test Security Systems and Processes

A network can be secure one day, but open to new vulnerabilities the next. Hackers continually expose new vulnerabilities in applications, operating systems, and network devices. In addition to regularly updating and patching systems, you also need to frequently test the security you've implemented. Test security controls, limitations, network connections, and restrictions routinely to make sure that they can adequately identify or stop unauthorized access attempts. If wireless networking is...

Requirement 6 Develop and Maintain Secure Systems and Applications

Hackers use security vulnerabilities to find ways of gaining unauthorized access to systems. Many vulnerabilities are fixed through vendor-supplied security patches, and all systems should have current patches installed to protect against exploitation. In-house-developed applications should be developed using secure coding techniques. Within one month of release, all security patches should be installed on affected systems. Establish a process to identify newly discovered vulnerabilities....

Advanced Capabilities

If you are skilled at writing Common Gateway Interface (CGI) or other web applications, you can easily make use of the examples in the preceding section to write web-based applications that allow archive queries. For example, perhaps you would like technicians to search for predefined string matches on dates and times in which they are interested. You can use languages such as Perl, PHP Hypertext Preprocessor (PHP), Python, and more to write your web applications. We have included a sample...

How Long Do I Need to Retain Security Logs

This is a question that each organization needs to determine for itself. HIPAA does not impose any requirements for data retention. However, it does require that your policies and procedures for the security standards be retained for at least six years. This does not necessarily mean that the actual logs need to be retained for the same period of time. Your organization needs to make that determination based on its needs. Many covered entities have elected to retain security logs for one to two...

Requirement 2 Do Not Use Vendor-Supplied Defaults for System Passwords and Other Security Parameters

Numerous resources exist on the Internet for discovering vendor-default passwords for administrative access to systems. Always change the vendor-supplied defaults before installing a system on the network. This should include passwords and Simple Network Management Protocol (SNMP) community strings, as well as elimination of unnecessary accounts. For wireless environments, be sure to change defaults for Wired Equivalent Privacy (WEP) keys, default service set identifiers (SSIDs), and passwords....

Security Device Event Exchange (SDEE)

SDEE is a somewhat open standard used by many IPS/IDS vendors, including Cisco, ISS, Sourcefire, and TruSecure. "Somewhat open" means that you can use it, but it is ultimately owned by the International Computer Security Association (ICSA). SDEE uses Extensible Markup Language (XML) to organize the format of IDS alerts (or events) and specifies the protocol as HTTP. SDEE was designed to be both flexible and extensible. SDEE, when used on Cisco IDS/IPS sensors, is backward compatible with Remote...

Requirement 1 Install and Maintain a Firewall Configuration to Protect Data

You must establish firewall configuration standards that include such things as: a formal change control process for approving and testing all external network connections and changes to the firewall configuration; a current network diagram showing all connections to cardholder data, including wireless networks; requirements for a firewall to be deployed at each Internet connection and between any demilitarized zone (DMZ) and the intranet; descriptions of groups, roles, and responsibilities for...

Degraded RAID Array

MARS-100E and larger appliances feature Redundant Array of Independent Disks (RAID) to provide protection against data loss. RAID allows MARS to lose a hard drive without losing data, or even requiring a reboot. A degraded RAID array can occur when the data on a hard disk is damaged. This usually occurs when an appliance is not cleanly shut down or rebooted, such as when power is lost. Power surges and drops (also known as brownouts) can also cause damage to your hard disks. You can help...

Sizing a CS-MARS Deployment

After you have chosen a deployment model, it is time to decide which CS-MARS appliance or appliances best fit your needs. Table 3-1 provided an overall view of the EPS and NPS of each of the models. Selecting the appropriate size appliance is perhaps the most difficult task. Each reporting device can send a certain number of events per second, based on the software it is running and the platform it is running on. For CS-MARS sizing purposes, you can elect to calculate the properly sized...

About the Authors

Gary Halleen is a security consulting systems engineer with Cisco. He has in-depth knowledge of security systems, remote access, and routing switching technology. Gary is a CISSP and ISSAP and has been a technical editor for Cisco Press. Before working at Cisco, he wrote web-based software, owned an Internet service provider, worked in Information Technology at a college, and taught computer science courses. His diligence was responsible for the first successful computer crimes conviction in...

CS-MARS Command Reference

The Cisco Security Monitoring, Analysis, and Response System (CS-MARS) command-line interface (CLI) is currently only available to the pnadmin user. The descriptions provided in this command reference are not intended to be a replacement for those in the official Cisco MARS command reference. Please refer to it for detailed information about each of these commands. This reference is intended only as a quick guide to the commands. Provides a list of available commands. arp: Same as the Linux arp...

Local and Standalone Controllers

No difference in hardware or software exists between a local controller and a standalone controller. A standalone controller is a MARS-20R, MARS-20, MARS-50, MARS-100e, MARS-100, MARS-110R, MARS-110, MARS-200, or MARS-210 that operates as a complete CS-MARS system. An LC is the same model that is configured to communicate with a global controller. Table 3-1 shows the capabilities of each of the CS-MARS local and standalone controllers. Table 3-1 CS-MARS Local and Standalone Controllers Table...

Determining Your Events per Second

Although the numbers presented in Table 3-3 might not be realistic in your network, they do give you an idea of which types of devices tend to send the most events. The noisiest devices on your network are likely in this order: 3. Intrusion detection systems/intrusion prevention systems (IDS/IPS); 4. Virtual Private Network (VPN) devices; 7. Other devices, such as databases, operating systems, antivirus software, desktop and server protection software (such as Cisco Security Agent), and so on. This...

Warning and Disclaimer

This book is designed to provide information about day-to-day operations, configuration, and customization capabilities of the Cisco Security MARS appliances. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information is provided on an "as is" basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising...

Unknown Reporting Device IP

When your event logs contain entries from unknown reporting devices, this usually means that a device is configured to send logs to MARS, but MARS isn't configured to receive them. You might have also simply forgotten to click the Activate button at the upper-right corner of the MARS screen. If you're sure that you've correctly configured MARS to receive logs from a device, but they are still showing up from an unknown reporting device, try activating your changes. Figure 9-3 shows an example...

Restoring from Archive

No interface to the restore capabilities of a CS-MARS appliance exists from the web user interface. Instead, you must connect to MARS from the command-line interface (CLI). This requires that you either connect a keyboard and monitor to the appliance or Secure Shell (SSH) to the appliance. Only the pnadmin user can log in through SSH. After you've logged in to CLI, use the pnrestore command to configure how information is copied to the MARS appliance from the archive. Typing pnrestore -h...

Ingress Firewall Rules

To simplify the work involved, you should define some network object groups on your firewall. If you're not familiar with this term, think of object groups as variables that you can use while configuring the firewall to make life easier. Rather than referring to a large list of IP addresses or TCP/UDP ports, you can simply refer to a name instead. The following examples use an object group called CORP_NET, which consists of all IP addresses used on your organization's network. Ingress traffic...