About Drop Rules

MARS uses drop rules to exempt certain traffic from triggering a rule. For example, MARS will likely alert on your SMTP relay server and claim it is a host sending spam. MARS thinks this because your SMTP server is sending out more e-mails than a typical host sends. In reality, this is normal behavior for your SMTP server, but MARS doesn't know it is normal for that particular host. You can use a drop rule to exempt your SMTP server from the event type that defines a spammer. Another example of...

About Rules

A rule is a description of a behavior that you want to act on when it is seen. For example, a rule defines what a successful web attack looks like. When one occurs on your network, you want it to appear on the MARS Dashboard, and you might also want someone to be notified. Rules are defined using the query engine, in a similar manner to reports. Like reports, rules can be created in the following ways: through a Rules Wizard, by clicking the RULES...

Acknowledgments

Gary Halleen
I would like to thank Greg Kellogg for writing this book with me. We began talking about this book a few years ago, sitting on a bench in San Francisco. It feels good to see it completed. I would also like to thank Phil Chiu for his support in getting the process started, the entire MARS team at Cisco, for making me part of their team, and Steve Wells, for being a good friend and coworker.

Greg Kellogg
First, I would like to thank my coauthor, Gary Halleen. This book never would have been...

Adding Log Templates

As you read through your sample log messages, try to determine what fields you need in your rules, queries, and reports. Where are the IP addresses? Where are the port numbers? Do you need certain fields but can't find a good place to put them? Also, as you study the sample log messages, determine what text exists within each message that makes it different from other messages. Each position in the log template is used either to find and store a value, or to find some text to make the...

Adding Monitored Device or Software

Up to this point, the sendmail server has not been added as a supported device. Now, however, because you've defined a device or software model, and added parser templates, you can add the device to MARS. This is exactly like adding any other monitored device. Click the Admin button, and then click the System Setup tab. Now, click Security and Monitor Devices. As you add new hardware or add software applications on a new or existing server, you'll see that your newly defined software shows up...

Adding the Device or Application Type

Application Security Monitoring

You're ready to begin configuring MARS to parse events from sendmail. The first step is to define the application or device you're using. Because you're logging from an application called sendmail on a Linux host, you add it as an application instead of a device. Click the ADMIN button, and then click the Custom Setup tab to open the window shown in Figure 11-3. Click User Defined Log Parser Templates, and then click the Add button to open the window shown in Figure 11-4. Figure 11-4 Add...

Additional Messages

You will likely see some additional messages that show up as Unknown Device Event Type. These additional messages might not cause an adverse effect, but defining the log message can clean up the event viewer.

Nov 30 03:00:40 groo sendmail[28280]: kAU8gDV4028280: Milter add: header: X-Virus-Scanned: ClamAV version 0.88.6, clamav-milter version 0.88.6 on localhost

This message is simply telling you that the virus scanner scanned the e-mail, but it doesn't give you the results. However, you might want...

Alerts and Mitigation

MARS allows you to customize alerts based on incident type. For example, reconnaissance activity followed by an unsuccessful buffer overflow attack might be an incident in which you want to receive an e-mail, but more suspect behavior, such as reconnaissance activity followed by a successful buffer overflow incident, might require MARS to page a security administrator. MARS has several ways to notify you of incidents:
Short Message Service (SMS)
E-mail with XML file attached

Appendixes

Appendix A: Querying the Archive
Appendix B: CS-MARS Command Reference
Appendix C: Useful Websites

Chapter 7, Archiving and Disaster Recovery, describes the Cisco Security Monitoring, Analysis, and Response System (CS-MARS) archiving capabilities. The archives provide critical backup and recovery functionality, as well as the capability to run queries against the archives from within the CS-MARS user interface. Although this functionality is handy, sometimes you might find the need to use other...

Are There Other Things to Consider?

A requirement of the administrative safeguard standards is a regular evaluation of your network security, based on the standards implemented under the Security Rule. As this evaluation is performed, whether you choose to perform it internally or through an external security firm, security incidents will be created because of the various scans that are performed. This record, combined with written documentation, will be proof that you have complied with the evaluation requirement, and will...

Batch Reports and the Report Wizard

The following sections show you how to create a report that is automatically generated at regular intervals, such as daily, weekly, or hourly. Additionally, you can predefine reports to be available on demand.

A new proxy server has been placed on the network. Your organization's policy specifies that all web and FTP traffic must use this proxy. Your manager needs a report that identifies potential violators of this policy. Your internal network uses IP addresses in the range of 10.0.0.1...

Be Prepared

When you install CS-MARS, make sure that configuring archiving is one of your top priorities. Too often, archiving is set aside as a task that will happen later, when you have more time. This is a mistake! Archiving is your safety net in case of disaster. Many things can happen that might require you to restore data or configurations. This might be a catastrophic hardware failure, for example, requiring replacement of the appliance. It could also be something as simple as a power outage....

Built-In Reports

Many reports are already built in to the MARS appliance. Table 5-1 shows a list of the default report groups. Report groups are categories of reports that make it easier to locate the report you're looking for. Table 5-2 shows some of the default reports or queries. In the interest of space, the entire list is not shown in this book. Among the entries in the tables:
Reports related to authentication success or failure, whether to a network or a host.
Network Address Translation (NAT) reports, as well as Top reports, such as...

Challenges in Security Monitoring

Organizations have a lot of challenges when it comes to security monitoring. One of the biggest challenges is in the sheer volume of logs. Nearly every piece of equipment that is used on a network can also produce logs. Additionally, every host produces logs, and nearly every application on every host produces logs. Some of these logs typically stay local to the host, but others are intended to be sent to a monitoring system. Traditionally, however, each type of log has its own monitoring...

Check Point or Other Logs Are Incorrectly Parsed

It is common for at least some log entries to appear as Unknown Device Event Type. This often occurs when a rarely used log message is seen, or when a new feature is introduced for a device, but MARS does not yet understand the log messages. However, when you've configured a supported device to send logs to MARS, and you've configured MARS to receive the logs, but all events show up as Unknowns, something has been improperly configured. This problem is most often seen when security software,...

Command Syntax Conventions

The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows:
Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command).
Italics indicate arguments for which you supply actual values.
Vertical bars...

Command Line Query

The simplest way to access the archive data is with the zgrep command. This command is identical to the commonly used grep command, except that it searches within gzipped files. A simple query example is as follows: show me all raw events from my Cisco 3750 switch where an interface was unplugged or plugged in. Change to the directory for the date you're interested in, then change to the ES directory and run the following command. This command results in the following output:
00 38 13...

Common Features for SIM Products

SIM products are differentiated from other event collection applications and devices by their capability to analyze a variety of different reporting devices (firewalls, intrusion protection devices, applications, and so on) and make sense of them in a usable fashion. Each SIM product must include the following minimum set of features:
Event collection and correlation: As a minimum requirement, you should expect a SIM to collect and correlate security event logs from your firewalls, intrusion...

Compliance Validation Requirements

Depending on your merchant level, certain requirements exist for validating your compliance with the PCI DSS standard. These include quarterly and annual assessments or scans that must be documented and provided to the credit card companies. Table 2-5 lists the requirements for each merchant level.

Table 2-5 Merchant-Level Compliance Validation Requirements
Annual onsite PCI security assessment: qualified security assessor, or internal audit if signed by an officer of the company
Annual PCI...

Configuration of CS-MARS for NAC Framework Reporting

CS-MARS has built-in capabilities for monitoring 802.1x and Network Admission Control (NAC) log messages; however, this is not a core reason for deploying MARS. MARS can parse, normalize, correlate, and report on NAC and 802.1x events from Cisco IOS and CatOS switches and from Cisco Secure ACS. This allows you to troubleshoot and report on authentication, host posture, and communications between ACS and external databases, such as Windows Active Directory. To provide these reporting capabilities, you...

Configuring CS-Manager to Support CS-MARS

It is easy to configure integration between CS-Manager and CS-MARS. You need to do nothing from the CS-Manager interface. MARS needs a login and password set up to use when connecting to CS-Manager. Additionally, make sure that network communications between the two appliances are permitted. CS-Manager is a client-server application. In normal use, client software is installed on the computers that access it. Server software is installed on the CS-Manager itself. However, with MARS integration...

Configuring CS-MARS for Archiving

After the NFS archive server has been configured, the next step is to configure MARS to write to the archive. This is simple to do. From the CS-MARS web interface, click the ADMIN button, and then click the System Maintenance tab. On the form provided (shown in Figure 7-1), enter the following information:
Remote Host IP: Enter the IP address of the NFS server.
Remote Path: Enter the directory that MARS should write to on the archive server.
Archiving Protocol: Select NFS, if it isn't already...

Configuring CS-MARS to Integrate with CS-Manager

CS-Manager is added to CS-MARS in much the same way as any other security or network device is added. You treat CS-Manager as security software running on a host. This means, from within CS-MARS, you first add the server that it is running on, and then you add CS-Manager as software running on that server. From any screen in MARS, click the ADMIN tab, and then click on Security and Monitor Devices. Click the Add button, and select Add SW security apps on new host or Add SW security apps on...

Configuring the Archiving Server

The first step in setting up archiving is to configure the archive server. Most companies choose a Linux server for archiving; however, this is not your only choice. Linux is available both as open source (free) and as a commercially supported operating system. It is powerful and flexible, and it runs on a variety of computer hardware. The steps for setting up the archiving server are as follows:
Step 1 Make sure that the NFS service is enabled on the server. You might also need to modify...

Considerations for Future Growth and Flood Conditions

While you are determining the correct CS-MARS model and deployment option, consider how your network will react in a flood condition. When your network is under a DoS attack, a worm is loose on your network, or some other serious incident occurs, you want to be able to use MARS to determine the following:
How you can mitigate the problems
If your MARS appliance is overwhelmed by the volume of traffic it is receiving, you might not have all the information you need to do your job. Make sure that...

Considerations for Reporting Performance

When reports are generated on CS-MARS, the processing required for the reports is given a lower priority than that given for event, session, and incident processing. For this reason, a CS-MARS appliance that is working at an EPS level that is close to the maximum for that appliance will process reports slowly, especially when compared to a lightly loaded appliance. You must determine whether reporting performance improvements that you might see on a larger MARS appliance are worth the...

Contents

Part I: Introduction to CS-MARS and Security Threat Mitigation
Introduction to Security Information Management
The Role of a SIM in Today's Network
Common Features for SIM Products
Desirable Features for SIM Products
Challenges in Security Monitoring
Types of Event Messages
NetFlow
Syslog
SNMP (Simple Network Management Protocol)
Security Device Event Exchange (SDEE)
Security Threat Mitigation System
Topology and Visualization
Robust Reporting and Rules Engine
...

Contents at a Glance

Part I: Introduction to CS-MARS and Security Threat Mitigation
Chapter 1: Introducing CS-MARS
Chapter 2: Regulatory Challenges in Depth
Chapter 3: CS-MARS Deployment Scenarios
Part II: CS-MARS Operations and Forensics
Chapter 5: Rules, Reports, and Queries
Chapter 6: Incident Investigation and Forensics
Chapter 7: Archiving and Disaster Recovery
Part III: CS-MARS Advanced Topics
Chapter 8: Integration with Cisco Security Manager
Chapter 9: Troubleshooting CS-MARS
...

Corporate and Government Sales

Cisco Press offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales. For more information please contact U.S. Corporate and Government Sales. For sales outside the U.S. please contact International Sales at international@pearsoned.com.

Paul Boger, David Dusthimer, Anthony Wolfenden, Jeff Brady, Brett Bartow, Patrick Kanouse, Christopher Cleveland, Tonya Simpson, John Edwards

Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA, www.cisco.com, Tel...

Creating a Rule

Often, you don't just want to see the results of queries and reports. Instead, you want to define a behavior that MARS should watch for. When it occurs, you want to be notified. This is precisely what rules are for. This next scenario shows you how to create a rule. This scenario is similar to the previous one, but it exempts a single host from the requirement to use the proxy server. In this case, the CEO does not want to access the proxy, and wants access to the Internet directly. The CEO...

Creating an OnDemand Report

In the first scenario, you learn one method to build an on-demand report. Throughout MARS, you'll find that you have numerous ways to do things, and building queries is no different. On the ACME Gadgets network, you have determined that TCP port 80 is the most commonly used destination port. Your manager has asked you to find out which user is the top web surfer and what websites are most popular.

NOTE TCP and UDP use destination port numbers to determine which services are accessed on a...

Creating Drop Rules

So far in this chapter, you've learned about queries, reports, and rules. The following sections cover a special kind of rule, the drop rule. A drop rule is an exception rule: a rule that MARS uses to ignore a behavior that would otherwise trigger an incident.

MARS is detecting network and host scans sourced from one of your internal hosts. Upon further investigation, you've determined that this is a dedicated vulnerability assessment system. It actively scans hosts on your network, watching for...

Creating the Drop Rule

Figure 5-42 shows incidents created by the TCP SYN Port Sweep rule firing when your IPS sensor detects scans. The source address, 10.0.0.63, is your company's vulnerability assessment scanner, and you need to tune MARS to ignore these scans.

Figure 5-42 Scans from Vulnerability Assessment System

As described earlier, you have a couple of ways to create the drop rule, but the easiest is usually to use the False Positive Wizard. To use the...
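The three tuning ideas that run through these scenarios (a report and rule that catch hosts not using the proxy, a per-host exemption for the CEO's workstation, and a drop rule that silences the TCP SYN Port Sweep rule for the authorized scanner) can be modeled in a few lines of Python. The following is an added example, not code from the book or from Cisco. It assumes an internal range of 10.0.0.0/24 (the text gives only the start of the range, 10.0.0.1), a proxy at 10.0.0.5 and a CEO workstation at 10.0.0.10; 10.0.0.63 is the scanner address from Figure 5-42. The session records are constructed, not real NetFlow or IPS data.

```python
"""
Added example (not the book's or Cisco's code): a tiny rules engine that
models rule matching, a per-host exemption inside a rule, and a drop rule.
Assumptions: internal range 10.0.0.0/24, proxy 10.0.0.5, CEO host 10.0.0.10.
10.0.0.63 is the vulnerability scanner from Figure 5-42.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, FrozenSet, Iterable, List, Tuple

INTERNAL = ip_network("10.0.0.0/24")   # assumed
PROXY = ip_address("10.0.0.5")         # assumed
CEO_HOST = "10.0.0.10"                 # assumed exempt host
SCANNER = "10.0.0.63"                  # vulnerability assessment scanner (Figure 5-42)
PROXIED_PORTS = {21, 80, 443}          # FTP and web, per the policy in the scenario


@dataclass(frozen=True)
class Session:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    event_type: str = ""   # normalized event name from the reporting device, if any


@dataclass
class Rule:
    name: str
    match: Callable[[Session], bool]
    exempt_sources: FrozenSet[str] = field(default_factory=frozenset)


@dataclass(frozen=True)
class DropRule:
    """Suppress incidents from one source for one rule (the session is still stored)."""
    name: str
    rule_name: str
    source: str


def proxy_bypass(s: Session) -> bool:
    """Internal host reaching an external web/FTP port directly instead of via the proxy."""
    src, dst = ip_address(s.src), ip_address(s.dst)
    return (src in INTERNAL and dst not in INTERNAL and dst != PROXY
            and s.proto == "tcp" and s.dport in PROXIED_PORTS)


def port_sweep(s: Session) -> bool:
    return s.event_type == "TCP SYN Port Sweep"


RULES: List[Rule] = [
    Rule("Hosts Not Using Proxy", proxy_bypass, frozenset({CEO_HOST})),
    Rule("TCP SYN Port Sweep", port_sweep),
]
DROP_RULES: List[DropRule] = [
    DropRule("Authorized VA scanner", "TCP SYN Port Sweep", SCANNER),
]


def evaluate(sessions: Iterable[Session]) -> List[Tuple[str, Session]]:
    """Return (rule name, session) pairs that would become incidents."""
    incidents = []
    for s in sessions:
        for rule in RULES:
            if not rule.match(s) or s.src in rule.exempt_sources:
                continue
            if any(d.rule_name == rule.name and d.source == s.src for d in DROP_RULES):
                continue   # drop rule applies: no incident, but the session is kept
            incidents.append((rule.name, s))
    return incidents


SAMPLE_SESSIONS = [   # constructed sample data
    Session("10.0.0.20", "10.0.0.5", 80),                                    # via proxy: OK
    Session("10.0.0.21", "198.51.100.7", 80),                                # direct web: violation
    Session(CEO_HOST, "198.51.100.7", 443),                                  # CEO: exempt
    Session("10.0.0.22", "198.51.100.9", 21),                                # direct FTP: violation
    Session(SCANNER, "10.0.0.30", 445, event_type="TCP SYN Port Sweep"),     # scanner: dropped
    Session("10.0.0.40", "10.0.0.30", 445, event_type="TCP SYN Port Sweep"), # real sweep
]

if __name__ == "__main__":
    for name, s in evaluate(SAMPLE_SESSIONS):
        print(f"{name}: {s.src} -> {s.dst}:{s.dport}")
```

Running it yields two Hosts Not Using Proxy incidents (10.0.0.21 and 10.0.0.22) and one port sweep incident (10.0.0.40); the CEO's session is exempted inside the rule and the scanner's sweep is suppressed by the drop rule. Keeping exemptions inside the rule and drop rules outside it mirrors the MARS distinction: an exemption narrows what the rule means, while a drop rule is a separate decision that the behavior is a known false positive.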

Creating the Rule

Because you have already created a report that fits most of your needs for the rule, it is easiest to begin with that report. Go to the Query/Reports page, and select the custom report you created in the previous section, as illustrated in Figure 5-34.

Figure 5-34 Load Report as On-Demand Query with Filter

Click the...

CS-MARS Custom Parser

What do you do when you want to collect logs from an unsupported device? Consider the following examples:
A firewall that isn't natively supported
Antispam software on your mail server
Application logs on a Windows server
The custom parser allows you to define new devices and applications for reporting to the Cisco Security Monitoring, Analysis, and Response System (CS-MARS). This process takes three or four steps, depending on what you're hoping to accomplish:
Step 1 Define the device or...

CS-MARS Deployment Scenarios

Before you can deploy a Cisco Security Monitoring, Analysis, and Response System (CS-MARS), you must first understand the various ways that you can deploy it. This means deciding how many MARS appliances you need, where to place them, and which devices you want to log to them. Many companies need only a single appliance. Others, though, need to deploy several appliances, using a centralized MARS appliance, called a global controller (GC), to manage the entire deployment. This chapter describes...

CS-MARS Global Controller

A global controller (GC) provides several key capabilities that are important in a larger Cisco Security Monitoring, Analysis, and Response System (CS-MARS) deployment. As you've learned in previous chapters, many organizations can be successful with a single CS-MARS appliance. However, for various reasons, it is often desirable to have a distributed deployment instead, with a centralized console that controls the various local controllers (LC). The following is a list of some of the reasons...

Custom Parser for Cisco CSC Module

The Cisco CSC Module is a popular product. Figures 11-35 through 11-50 summarize 13 of the logs produced by this module, as well as the log parser templates needed to report on them. The CSC Module has its own management user interface and its own IP address, even though it is physically inserted into an ASA security appliance. Enable syslog logging on it much as you would on any other application. The following figures are not a complete list, but they cover a large...

Dashboard

The Dashboard is the main page within the user interface and is useful for seeing the overall security health of your network. As illustrated in Figures 1-8 and 1-9, the Dashboard is broken into subsections, each one offering its own view of the data, as described in the list that follows. Statistics, graphs, drawings, and alerts are each represented. The purpose of looking at each of these in a different view is to validate the resultant data.

Figure 1-8 CS-MARS Dashboard Part 1...

Deciding Where to Tune

You have to decide where it makes the most sense to tune. Tuning typically means one of two things:
A certain network behavior that looks malicious is actually normal.
A network behavior isn't bad in certain circumstances.
When you need to tune, is it easier and more effective to configure the security or network device not to send events in a certain condition, or is it easier and more effective to configure MARS to ignore certain events? This decision varies according to your needs and the...

Dedications

Gary Halleen
I would like to dedicate this book to my beautiful wife, Pam, and my children (Amber, Harry, Ashley, Kristin, Jordan, and Bailey). They are all fantastic, and they motivate me to always be the best I can be. I would also like to dedicate this book to my dad, Arne, for always being there.

Greg Kellogg
This book is dedicated to my incredible and beloved wife, Lynette, for her dedication, vision, and strength. I owe every bit of my success to her. To my children, Max, Briggs, Gage,...

Deployment Types

The simplest and most common way to deploy CS-MARS is by using a standalone controller. This means that you use a single CS-MARS appliance that collects events from your security and network devices or software. The other deployment option is to use a GC. This means that you deploy two or more local controllers (LC), each of which is configured to interact with a GC. Your network and security devices are configured to send events to the LCs, and management of the CS-MARS appliances occurs...

Desirable Features for SIM Products

The common SIM features are what you can expect any SIM product to be capable of. Modern SIM products provide new capabilities that expand on what a traditional SIM can provide. These new features allow a SIM to do more than simple correlation, reporting, and alerting. SIM products that provide the following cutting-edge capabilities are often referred to as Security Threat Mitigation (STM) devices:
Sessionization: The capability of an STM to sessionize data is a key differentiator when comparing...

Determining Your Storage Requirements

CS-MARS processes events in the following order:
1. Receive, or retrieve, events from monitored devices. Each individual log entry is considered a single event.
2. Sessionize the events by correlating all events, from all monitored devices, that are part of the same traffic flow. This is done by correlating on the time stamps of events, source IP address, destination IP address, source port and protocol, and destination port and protocol.
3. Process sessions through the rules engine.
4. Verify the...
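Step 2, sessionization, is the part of this pipeline that most affects both storage and correlation, so it is worth seeing it as code. The following is an added example, not the book's or Cisco's implementation: events from several reporting devices are grouped into one session when they share the flow key the text lists (source IP and port, destination IP and port, protocol) and arrive within an idle window of each other. The 60-second window, the field names and the sample events are assumptions; the events are constructed, not captured logs.

```python
"""
Added example (not the book's or Cisco's code): sessionization by flow key
and idle gap. Window length, field names and sample events are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set, Tuple

FlowKey = Tuple[str, int, str, int, str]


@dataclass(frozen=True)
class Event:
    ts: datetime
    device: str      # reporting device, e.g. "asa-1" (firewall) or "ips-1" (sensor)
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    msg: str


@dataclass
class Session:
    key: FlowKey
    events: List[Event]


IDLE_WINDOW = timedelta(seconds=60)   # assumed: a gap longer than this closes the session


def flow_key(e: Event) -> FlowKey:
    return (e.src, e.sport, e.dst, e.dport, e.proto)


def sessionize(events: Iterable[Event]) -> List[Session]:
    """Group time-ordered events into sessions by flow key and idle gap."""
    sessions: List[Session] = []
    open_sessions: Dict[FlowKey, Session] = {}   # flow key -> most recent session
    for e in sorted(events, key=lambda x: x.ts):
        k = flow_key(e)
        cur = open_sessions.get(k)
        if cur is None or e.ts - cur.events[-1].ts > IDLE_WINDOW:
            cur = Session(k, [])       # first event for this flow, or the flow went idle
            sessions.append(cur)
            open_sessions[k] = cur
        cur.events.append(e)
    return sessions


def devices_in(session: Session) -> Set[str]:
    """Reporting devices that contributed to a session (what cross-device correlation sees)."""
    return {e.device for e in session.events}


def summarize(events: Iterable[Event]) -> List[Tuple[int, int]]:
    """(event count, device count) per session, in session order."""
    return [(len(s.events), len(devices_in(s))) for s in sessionize(events)]


T0 = datetime(2007, 5, 2, 0, 38, 13)
# Constructed sample: a firewall and an IPS both report on one HTTP flow, a second
# flow from another host appears in between, and the first 5-tuple recurs after
# five minutes of silence (so it must become a new session).
SAMPLE_EVENTS = [
    Event(T0, "asa-1", "10.0.0.21", 51000, "198.51.100.7", 80, "tcp", "Built outbound TCP connection"),
    Event(T0 + timedelta(seconds=2), "ips-1", "10.0.0.21", 51000, "198.51.100.7", 80, "tcp", "IPS signature fired"),
    Event(T0 + timedelta(seconds=3), "asa-1", "10.0.0.22", 51001, "198.51.100.9", 21, "tcp", "Built outbound TCP connection"),
    Event(T0 + timedelta(seconds=5), "asa-1", "10.0.0.21", 51000, "198.51.100.7", 80, "tcp", "Teardown TCP connection"),
    Event(T0 + timedelta(minutes=5), "asa-1", "10.0.0.21", 51000, "198.51.100.7", 80, "tcp", "Built outbound TCP connection"),
]

if __name__ == "__main__":
    for s in sessionize(SAMPLE_EVENTS):
        print(s.key, len(s.events), "events from", sorted(devices_in(s)))
```

The five sample events collapse into three sessions, the first of which carries three events from two devices. That ratio (events per session) is what drives the storage estimate: raw events are what you archive, but sessions are what the rules engine and the incident views work on.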

Direct Access of Archived Events

If you are proficient at using tools such as Python or Perl, or if someone on your staff is, you might want to write a short script that parses the event store on the archive server. A sample script using Python is shown in Appendix A, Querying the Archive. TIP A good resource for scripting with Python is Programming Python, Third Edition, by Mark Lutz (published by O'Reilly Media, Inc.). As shown in the preceding section, the ES directories on the archive server contain the event store...
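The zgrep query from the preceding section and the script this section alludes to both reduce to the same operation: walk the ES directory for a day, decompress each file, and keep the raw lines that match. The following is an added example, not the script from Appendix A. It assumes the archive layout the text describes (a date directory containing an ES directory of gzipped files) and an archived line layout of time, reporting-device IP, then the raw message; the IOS %LINK-3-UPDOWN message is the real interface up/down syslog, but the device addresses, file names and lines are constructed so the example runs offline from a temporary directory.

```python
"""
Added example (not Appendix A's script): filter archived raw events by device
and pattern. Directory layout <root>/<YYYY-MM-DD>/ES/*.gz and the per-line
layout "HH:MM:SS <device-ip> <raw message>" are assumptions; the sample
archive below is constructed in a temp dir.
"""
import gzip
import re
import tempfile
from pathlib import Path
from typing import Iterator, List, Optional


def query_archive(root: str, day: str, pattern: str,
                  device_ip: Optional[str] = None) -> Iterator[str]:
    """Yield raw lines under root/day/ES/*.gz matching pattern (zgrep with a device filter)."""
    rx = re.compile(pattern)
    es_dir = Path(root) / day / "ES"
    for gz in sorted(es_dir.glob("*.gz")):
        with gzip.open(gz, "rt", encoding="utf-8", errors="replace") as fh:
            for line in fh:
                line = line.rstrip("\n")
                fields = line.split(maxsplit=2)          # assumed: time, device ip, message
                if device_ip and (len(fields) < 2 or fields[1] != device_ip):
                    continue
                if rx.search(line):
                    yield line


def switch_link_changes(root: str, day: str, switch_ip: str) -> List[str]:
    """Raw interface up/down events from one switch (the query in the text)."""
    return list(query_archive(root, day, r"%LINK-3-UPDOWN", switch_ip))


def build_sample_archive() -> str:
    """Write a constructed two-file event store and return its root directory."""
    root = tempfile.mkdtemp(prefix="mars-archive-")
    es_dir = Path(root) / "2007-05-02" / "ES"
    es_dir.mkdir(parents=True)
    lines = [
        "00:38:13 10.0.0.2 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/12, changed state to down",
        "00:38:14 10.0.0.2 %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/12, changed state to down",
        "00:38:20 10.0.0.3 %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up",
        "00:40:01 10.0.0.2 %SYS-5-CONFIG_I: Configured from console by admin",
        "00:41:09 10.0.0.2 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/12, changed state to up",
    ]
    with gzip.open(es_dir / "es-0000.gz", "wt") as fh:
        fh.write("\n".join(lines[:3]) + "\n")
    with gzip.open(es_dir / "es-0001.gz", "wt") as fh:
        fh.write("\n".join(lines[3:]) + "\n")
    return root


if __name__ == "__main__":
    archive = build_sample_archive()
    for raw in switch_link_changes(archive, "2007-05-02", "10.0.0.2"):
        print(raw)
```

Filtering on the device field rather than on a substring matters: a plain zgrep for 10.0.0.2 would also match 10.0.0.20 and any message body that happens to contain that string. Streaming each file with gzip.open keeps memory flat no matter how large a day's archive is.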

Drilling Down into an Incident

When you click an incident number or one of the path icons, your web browser opens a new window and connects to the specific LC. This is because the GC does not contain event data. However, the GCs and LCs use the same unique numbering system for incidents, sessions, and events. This allows quick and easy linking to the requested data from a local controller. Figure 12-12 shows two browser windows open. The window in the foreground opened when the incident ID was clicked. Notice how the...

Egress Firewall Rules

Egress firewall rules refer to filters that restrict traffic from the protected network to less trusted networks. Ideal security would restrict outbound traffic to only those ports that are necessary for proper functioning of the MARS appliance. However, in real life, this might be unmanageable. You need to determine the proper balance between security and manageability. For example, a strict default egress policy might make sense for your company's public-facing web server. Hopefully,...

E-Mail Notifications Sent to Admin Group Never Arrive

Several things can cause e-mail notifications to fail to arrive. First, try sending a report or notification to a single user. If all e-mail notifications are failing, your problem is related to the Simple Mail Transfer Protocol (SMTP) configuration within MARS, or with your SMTP server that accepts e-mail from MARS. Verify the settings by clicking the ADMIN button, and then clicking the System Setup tab to reach the screen shown in Figure 9-9. If all e-mail notifications appear to work fine,...

Employee Management and Training

Your employees must be properly screened during the hiring process. This helps ensure that you are hiring ethical individuals who can be trusted to handle sensitive information. Additionally, an ongoing training program helps remind your employees that confidentiality and security are important. The following list outlines the FTC's recommendations:
Check references of new employees who will have access to customer information.
Require all employees to sign an agreement to follow your security...

Enabling Communications Between Controllers

When you've verified that the GCs and LCs are all running the same version of software, and time is synchronized between them, you then enable communications between them. This process also changes the mode the LCs are running in. Prior to this, they have been operating as standalone controllers. Begin by logging in to the GC as a system administrator (or pnadmin). Click the ADMIN button, and then click Local Controller Management. Figure 12-1 shows the page that appears. This page, called Zone...

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at...

Finishing Your Investigation

Case notes are important to help you maintain your information. Whenever you find more useful information, click the More button (at the top of any page) to open a text area for adding notes. Additionally, if you ever lose your place and want to return to the incident, you can always click the case name that appears at the top of every page until the case is deselected. When you click the case name, you'll see a page that's similar to Figure 6-15, showing all information gathered so far. A full...

First Log Template

Make sure that the new application is selected and click the Add button within the Log Templates box. This lets you begin defining the individual log messages. Because you're not going to use an existing event definition, you need to create your own. At the bottom of the page, click the Add button and create a new definition, similar to what Figure 11-6 shows.

Figure 11-6 Create New Event Definition...

Foreword

If a tree falls in the forest but nobody is around to hear it, does it make a sound? Philosophers and physicists have volleyed that brainteaser for years. But consider it as a metaphor for your computer systems. If an event is logged on your network, but nobody monitors your logs, how can you determine whether an attack occurred? By missing out on the opportunity to catch bad guys early through solid event analysis, you've extended and deepened your exposure to the attacker's foul plot. You'll...

Fourth and Fifth Log Templates

The fourth log message is the one that tells you whether the e-mail message was delivered. You should see messages like these:

Nov 30 00:01:43 groo sendmail[13760]: k9U8eax9013757: to=<gary@acmewidgets.net>, delay=00:00:06, xdelay=00:00:06, mailer=local, pri=32262, dsn=2.0.0, stat=Sent
Nov 30 00:09:29 groo sendmail[25917]: kAU89Pwq027915: to="|/usr/bin/procmail", ctladdr=<arne@acme-gadgets.com> (508/508), delay=00:00:03, xdelay=00:00:03, mailer=prog, pri=139763, dsn=2.0.0, stat=Sent
Nov...
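The log templates described in Adding Log Templates, the delivery messages above and the Milter header message in Additional Messages all follow the same pattern: fixed text that distinguishes the message, plus positions that capture the fields you need in rules and reports. The following is an added example, not the book's parser-template screens or Cisco's parser, that expresses the same idea as regular expressions with named groups and falls back to Unknown Device Event Type when no template matches. The sendmail message formats (from=, to=, Milter add: header:) are real; the event-type names, the sample lines (constructed, not captured) and the split between stat=Sent and every other status are assumptions.

```python
"""
Added example (not the book's or Cisco's code): sendmail log templates as
regular expressions with named groups. Event-type names and sample lines are
assumptions; the message formats themselves are standard sendmail syslog.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Pattern, Tuple

# Common syslog header that every sendmail line carries; the queue ID (qid)
# is the field that ties the accept, deliver and Milter messages together.
SYSLOG_HDR = (r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
              r"(?P<host>\S+) sendmail\[(?P<pid>\d+)\]: (?P<qid>\w+): ")

# Order matters: the first template whose distinguishing text matches wins,
# so "delivered" (stat=Sent) is tried before the catch-all non-Sent status.
TEMPLATES: List[Tuple[str, Pattern[str]]] = [
    ("Sendmail: message accepted",
     re.compile(SYSLOG_HDR + r"from=(?P<sender>[^,]+), size=(?P<size>\d+), .*?"
                r"relay=(?P<relay>\S+)(?: \[(?P<relay_ip>[\d.]+)\])?$")),
    ("Sendmail: message delivered",
     re.compile(SYSLOG_HDR + r"to=(?P<rcpt>[^,]+), (?:ctladdr=(?P<ctladdr>[^,]+), )?"
                r"delay=(?P<delay>[\d:+]+), .*?mailer=(?P<mailer>\w+), .*?"
                r"dsn=(?P<dsn>[\d.]+), stat=Sent")),
    ("Sendmail: delivery deferred or failed",
     re.compile(SYSLOG_HDR + r"to=(?P<rcpt>[^,]+), .*?dsn=(?P<dsn>[\d.]+), "
                r"stat=(?P<stat>(?!Sent)\w+)")),
    ("Sendmail: virus scanner header added",
     re.compile(SYSLOG_HDR + r"Milter add: header: X-Virus-Scanned: (?P<scanner>.+)$")),
]

UNKNOWN = "Unknown Device Event Type"


def parse(line: str) -> Dict[str, str]:
    """Match a raw line against the templates; return event type plus captured fields."""
    for event_type, rx in TEMPLATES:
        m = rx.match(line)
        if m:
            fields = {k: v for k, v in m.groupdict().items() if v is not None}
            return {"event_type": event_type, **fields}
    return {"event_type": UNKNOWN, "raw": line}


def summarize(lines: Iterable[str]) -> Counter:
    """Event-type counts, the way an event viewer or report would roll them up."""
    return Counter(parse(l)["event_type"] for l in lines)


SAMPLE_LINES = [   # constructed sample lines in standard sendmail syslog format
    "Nov 30 00:01:37 groo sendmail[13757]: k9U8eax9013757: from=<bob@example.com>, size=1234, "
    "class=0, nrcpts=1, msgid=<200611300001.k9U8eax9013757@example.com>, proto=ESMTP, "
    "daemon=MTA, relay=mail.example.com [203.0.113.5]",
    "Nov 30 00:01:43 groo sendmail[13760]: k9U8eax9013757: to=<gary@acmewidgets.net>, "
    "delay=00:00:06, xdelay=00:00:06, mailer=local, pri=32262, dsn=2.0.0, stat=Sent",
    "Nov 30 00:09:29 groo sendmail[25917]: kAU89Pwq027915: to=\"|/usr/bin/procmail\", "
    "ctladdr=<arne@acme-gadgets.com> (508/508), delay=00:00:03, xdelay=00:00:03, "
    "mailer=prog, pri=139763, dsn=2.0.0, stat=Sent",
    "Nov 30 00:12:01 groo sendmail[26001]: kAU8C1xx026001: to=<jane@example.org>, "
    "delay=00:05:00, xdelay=00:00:30, mailer=esmtp, pri=120345, relay=mx.example.org. "
    "[203.0.113.9], dsn=4.4.1, stat=Deferred: Connection timed out with mx.example.org.",
    "Nov 30 03:00:40 groo sendmail[28280]: kAU8gDV4028280: Milter add: header: "
    "X-Virus-Scanned: ClamAV version 0.88.6, clamav-milter version 0.88.6 on localhost",
    "Nov 30 00:13:00 groo sendmail[26100]: kAU8D0ab026100: timeout waiting for input "
    "from mx.example.org during client greeting",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse(line))
    print(summarize(SAMPLE_LINES))
```

Two details carry over directly to MARS templates. First, the queue ID is captured in every template, because it is the only field that lets a rule join a from= line to the to= line for the same message. Second, the deferred/failed template is deliberately the one without a fixed status word, so any status other than Sent lands there instead of becoming an unknown event; the last sample line shows what still falls through and would need its own template.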

Getting Messages to CS-MARS

The first step in creating your custom parser is to send log messages to MARS. MARS supports the following two protocols for this:
Syslog is probably the easiest to use, primarily because the log messages tend to be easier to understand.
Simple Network Management Protocol (SNMP) traps tend to be more cryptic and rely on codes to explain a message.
These are general statements, however, and might not be the case with the device or software you're using. Most UNIX and Linux hosts have built-in...

Global Controller Recovery

At some time, you might need to remove the association between a GC and its LCs. Typically, this occurs when a hardware replacement of the GC is necessary, and you need to reassociate the LCs with a new GC. To remove the GC's information from the LCs, run the following command from the command line of each of the local controllers. This begins a process that can take up to about 30 minutes to complete. At the end, you can reinstall the LC with an association to a new GC. CAUTION Make sure that...

Global Controllers

There are three different models of GC. The MARS-GC and MARS-GCM share the same hardware platform, while the MARS-GC2 is an entirely different platform. The MARS-GC and GCM differ in that the GCM is a restricted version, available for a lower price. Table 3-2 provides a comparison of the models.

Table 3-2 CS-MARS Global Controllers

A global controller acts as the central console for a network that requires multiple local controllers. It also provides a variety of additional capabilities,...

Goals and Methods

The goal of this book is to provide the information you need to successfully use the CS-MARS appliances in a real network, on a day-to-day basis. No SIM or STM solution, out of the box, is a perfect fit for every network. As you read through the chapters, we hope you find tidbits that help you make the most of your investment. We also hope you learn enough to avoid some of the common mistakes and misconfigurations. CS-MARS is a powerful tool that can dramatically increase your knowledge of...

Gramm-Leach-Bliley Act of 1999 (GLB)

The GLB Act is also known as the Financial Modernization Act of 1999. The GLB Act was passed into law in 1999 as Public Law 106-102, and is a set of federal legislation that includes provisions to protect consumers' personal financial information that is held by financial institutions. The three principal parts of the GLB Act are as follows:

The Financial Privacy Rule: Governs the collection and disclosure of personal financial information by financial institutions. It also applies to companies...

H

Hard disk storage space, determining, 202-203 hardware (MARS), troubleshooting, 193 beeping noises, 194 degraded RAID arrays, 194-196 healthcare case study (CS-MARS deployments), 72 Framework), 214 help desk role (CS-Manager), 184 HIPAA (Health Insurance Portability and Accountability Act) covered entities, 28-29 noncompliance, 29 Security Rule addressable implementation specification, 30 Administrative Safeguards, 30-31 effort/cost of, 34 Physical Safeguards, 30-32 required implementation...

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Most people in information technology think of HIPAA as a privacy or security regulation. However, that's only a portion of HIPAA. In 1996, when HIPAA was enacted, its purpose wasn't related to security. In fact, the primary focus of the legislation was to provide a set of standards for electronic transactions used within the medical field for billing and payment of services. Portability of data was the focus. Over time, it gained provisions for both privacy and security. The three major areas...

Healthcare Example

ACME Regional Healthcare System is a small hospital that provides care for a large rural area. ACME Healthcare has not standardized on any single security or network vendor, and has chosen CS-MARS because of its capability to monitor a multivendor environment. ACME Healthcare uses NetScreen firewalls, Symantec IDSs, Cisco VPN concentrators, Symantec antivirus software, and Cisco routers and switches. On average, ACME Healthcare's log servers collect approximately 2.6 million events per day. The...

HIPAA Security Rule

The Security Rule is composed of three sections, called safeguards. Each of the safeguards contains a list of standards that a covered entity needs to comply with. Each of the standards is composed of implementation specifications that might be required or addressable. The three sections are as follows:

Administrative Safeguards: Consist primarily of policies and procedures for managing, developing, and implementing security measures to protect ePHI.
Physical Safeguards: Consist of measures,...

How Much Effort and Money Do I Need to Put Toward Implementing These Safeguards?

The HIPAA Security Rule does not specify exact methods of complying with the safeguards. Many possible ways of meeting a requirement exist. Some of these are very expensive and provide a very strong level of security. Others are less costly and provide a lower level of security. HIPAA leaves this choice to the covered entity. You should choose how to implement the measures based on what is feasible for your organization. A large national health-care plan should have stronger controls than a...

How Much Storage Is Being Used and How Long Will It Last?

How easily can you determine how much storage is currently in use on your MARS appliance? Also, how long will your events, sessions, and incidents remain on your appliance before they are overwritten? As of the MARS 4.2 software releases, you cannot answer these questions from the web interface. Instead, you need to log in from the command line. Remember that only the pnadmin user can Secure Shell (SSH) to a MARS appliance. The diskusage command can answer the first...

How This Book Is Organized

This book is organized into three parts, each with a number of chapters. Part I introduces CS-MARS and Security Threat Mitigation systems. It describes features and strategies for using CS-MARS as your STM solution. In addition, Part I covers regulatory issues and discusses design and sizing scenarios. Part II focuses on day-to-day operations and forensics. Part III discusses more advanced topics, such as integration with other management solutions or technologies, as well as customization...

Incident Handling and Forensic Techniques

This section walks you through a sample incident using the Identification and Containment steps of incident handling. ACME Widgets has had a suspicious incident appear on the MARS Dashboard. According to MARS, a Windows RPC DCOM Overflow attack has occurred (see Figure 6-1).

Figure 6-1 Suspicious Incident, as It Appears on MARS Dashboard

Incident Investigation and Forensics

When a serious incident occurs, you need to know what to do. A serious incident will eventually occur with all organizations, and it could take many forms. For example, it might be any of the following:

Sensitive financial information about your company or employees is stolen and posted to a hacker blog.
An e-mail worm attacks your e-mail system, resulting in degraded network performance.
An employee is inadvertently sharing all his Word documents on Limewire, Kazaa, or some other peer-to-peer...

Incidents

An incident is triggered when network activity matches the description of a behavior seen in a rule. An incident describes the entire story of what happened in an attack. A single incident can contain anywhere from a single event to millions of events. This is the highest level of correlation possible. Figure 1-2 shows an incident summary. This summary provides you with a high-level overview of the incident, prior to a closer investigation. The following list describes the columns in Figure 1-2...

Information Systems

Information systems include the design and implementation of the network and all software in use. It also includes storage, transmission, retrieval, and disposal of information systems and data. The FTC offers the following suggestions on maintaining security throughout the life cycle of customer information:

Store records in a secure facility.
Limit physical access to the systems to authorized employees. In particular, pay attention to Internet connectivity of systems that contain customer...

Inherent Security of MARS Appliances

Management access to all MARS appliances is through Secure Sockets Layer (SSL)-encrypted web access (HTTPS) and Secure Shell (SSH). These protocols, using TCP 443 and TCP 22, respectively, are inherently secure because they use encryption, authentication, and authorization. Unencrypted protocols that serve similar functions, such as HTTP and Telnet, are both disabled on the MARS appliance and cannot be enabled. MARS appliances are hardened Linux servers that run a variety of services, including...

Initial Incident Investigation

It is often a good idea to create a case, especially when you are investigating what appears to be a serious security incident. After a case is opened, you can return to it and attach more incidents or change the status. To create a case, drill down into the incident by clicking the incident ID. Then, click the New Case button, which appears in the upper-right corner of the screen, as illustrated in Figure 6-2.

Figure 6-2 Drilling into an Incident

Installing the Global Controller

The GC is installed in the same manner as an LC. The user interface is similar, and most screens look the same as the interface on the LC. The biggest difference many users will notice is the lack of Topology Discovery and Vulnerability Scanning sections in the System Setup page. This is because the GC does not communicate directly with monitored devices. The GC is the reporting Dashboard for multiple local controllers, but the LCs still need to be configured for the devices they communicate...

Integration with Cisco Security Manager

Cisco Security Manager (CS-Manager) is a Cisco enterprise security management suite. CS-Manager provides the capability to manage various Cisco security devices and routers, including intrusion prevention systems (IPS), firewalls, and Virtual Private Networks (VPN). CS-Manager is easy to use and allows both small and large companies to manage their security devices from a central console. By integrating CS-Manager into the Cisco Security Monitoring, Analysis, and Response System (CS-MARS), you...

Introducing CS-MARS

A Security Information Event Manager (SIEM, or commonly called a SIM) is a relatively simple tool. In its most basic sense, these devices collect Simple Network Management Protocol (SNMP) and syslog data from security devices and software, and insert it into a database. These devices then provide you with an easy user interface with which to access that information. By itself, this is nothing special, but what is done after the data is received is important. The Cisco Security Monitoring,...

Introduction

Security Event Management (SEM) systems, Security Information Management (SIM) systems, and Security Threat Mitigation (STM) systems are all solutions with a primary goal of making it easier to determine when bad things are happening on your network. Ideally, the tools we use to correlate events between various network and security devices or software will detect malicious behavior before damage is done, rather than letting us know when we've already been compromised. This book is intended to...

J K L

Key Pattern field, custom parsers, 229 Keyword option (query interface), 96 keywords matches within queries, 96 queries, 107 lessons learned step (incident investigation), 134 local rules versus global rules, 274 NetFlow event messages, 9 SDEE event messages, 11 SNMP event messages, 10-11 Syslog event messages, 10 viewing raw log messages (incident investigation), 146 CSC Module, 249, 255 custom parsers, 241 adding to, 225-226 fifth log templates, 239 first log templates, 226, 229-232, 235...

Local Versus Global Rules

When you are using a GC, you need to consider where to create any rules you need. In general, you should create all new rules from the GC. By doing this, the rules are pushed automatically to the individual LCs. When an incident is created because of one of these rules, the incident gets pushed automatically to the GC. However, if you create a rule on an LC instead of the GC, that rule stays local to the LC. The rule does not get pushed to the GC. Also, any incidents that are created when a...

Logging In to the Controller

The login page for the MARS-GC shows text boxes for a login name and password only. On the LCs, you see login, password, and type fields. If you define users on the GC, these users can also use those login names and passwords to log in to any of the LCs, without having to define local accounts on each controller. To log in to an LC using the central user database, select Global in the Type field, as shown in Figure 12-10. Figure 12-10 Log In to Local Controller with Centralized Users

M

Maintain a Vulnerability Management Program category (PCI Data Security Standard), 49-50 Maintain an Information Security Policy category (PCI Data Security Standard), 55 Map view (CS-Manager), 181 marchive.py utility source code, querying hardware, troubleshooting, 193 beeping noises, 194 degraded RAID arrays, 194-196 mitigation, 13 purpose of, 12 query engine, 13 reporting, 13 rules engine, 13 topologies, 12 visualization, 12 merchant levels (PCI Data Security Standard), 43 messages (event)...

Managing System Failures

To effectively manage security, you must include the prevention, detection, and response to attacks, intrusions, and other system failures. These system failures can include such things as virus infections, worm outbreaks, and botnets, as well as targeted attacks by people attempting to steal or otherwise compromise your customers' information. This includes both external attacks and those that originate inside your network. NOTE A botnet is a group of computers running programs that allow them...

MARS Communications Requirements

Before you can protect MARS with a firewall, you first need to understand which TCP and UDP ports MARS requires to operate properly, and which of these carry outbound or inbound traffic. Table 4-1 provides a summary of all communications when MARS and the various monitored devices are all configured with default ports. Many or all of these can be changed, and you might need to modify this table for your installation. Used by MARS to retrieve switch and router configuration files from...

MARS Is Not Receiving Events from Devices

If MARS does not appear to be receiving events from monitored devices, this is typically caused by a network problem, or by having both Ethernet interfaces connected at the same time. If you need to use both interfaces, make sure that you only need a single default gateway. MARS cannot use a default gateway per interface. You need to verify that the Ethernet interface is connected, and then see whether any traffic is reaching MARS. From the CLI, use the ifconfig command to verify basic...

Mitigation

CS-MARS has multiple ways to assist you in mitigating threats and attacks. Because MARS understands topology and it understands where the specific threat exists, MARS can pinpoint the best method to mitigate an attack. While you are investigating a security incident, you can click an icon to bring up a recommended mitigation. For example, if you appear to have an infected or compromised host on your network, MARS can tell which switch port it is connected to, and it can shut off that port for...

N

NAC (Network Admission Control), 209 NAC Appliance, 210 NAC Framework, 210 AAA servers, 213 configuring CS-MARS for reporting, 214 CTA, 211-212 Healthy Secure Posture reports, 214 host conditions, 211 NAD, 212 Not Healthy Secure Posture reports, 215 posture validation servers, 213 sample posture checks, 213-214 NAD (Network Access Devices), NAC Framework, 212 NetFlow event messages, 9 network administrator role (CS-Manager), 184 network operator role (CS-Manager), 184 Network Status page, 23-24...

NetFlow

NetFlow was created by Cisco to address several needs by service providers and larger enterprise customers. NetFlow allows administrators to monitor a network in real time by creating flows, or sessions, based on the packets that flow through the interfaces. NetFlow can be used for the following purposes:

Application profiling and monitoring
User profiling and monitoring
Network interface monitoring, for capacity planning

NetFlow can be enabled on many Cisco switches and routers. When used with...

Network Admission Control

Network Admission Control (NAC) is a technology that allows the network to check endpoints for compliance with your network security policy. NAC is an industrywide effort and is led by Cisco. Your security policy might require that all Windows computers adhere to a base level of security and patching. For example, you might require that your computers do the following:

Run antivirus (AV) software, which must be updated to the latest version and scanning capabilities
Run a personal firewall, such...

Network Security Recommendations

As you can see, depending on your environment and the location of hosts, a complex set of rules can be required on your firewall. Don't let the complexity prevent you from properly configuring the firewall, however. A little work initially can mean a better, more secure monitoring solution. The following sections discuss issues regarding firewall protection for MARS and network-based IPSs and IDSs. The suggestions given are a good place to begin, but they by no means work in every network. For...

Network Status

The Network Status page, described in the list that follows and shown in Figures 1-10 and 1-11, provides several graphs in addition to those shown on the Dashboard page.

Figure 1-10 CS-MARS Network Status Page Part 1

Incidents: This chart is a graphical representation of high (red), medium (yellow), and low (green) incidents that have occurred over a specific time frame. The default is one day.
Attacks: All-Top Rules Fired: This chart gives a...

Network-Based IDS and IPS Issues

A network-based IPS offers an additional level of protection to complement that provided by a stateful inspection firewall. An IPS is closely related to an IDS. At first glance, the most obvious difference between the two is how they are deployed. An IDS examines copies of network traffic, looking for malicious traffic patterns. It then identifies them and can sometimes be configured to take an automated response action, such as resetting TCP connections or configuring another network device to...

New Monitored Device Logs Still Not Parsed

Anytime you've added a new device, application, custom parser, or similar thing to MARS, make sure to click the Activate button at the upper-right corner of the MARS screen. This button appears on every screen. This is one of the most common resolutions seen by the Cisco TAC. Try to make a point of activating your changes frequently. You can try the following solutions when you appear to have communications problems between MARS and monitored devices:

Issue the tcpdump command from the MARS...

Payment Card Industry Data Security Standard (PCI-DSS)

In June 2001, Visa USA implemented the Cardholder Information Security Program (CISP). The goal of CISP was to assure Visa credit card customers that their account information was safe whenever they use their card for a purchase, regardless of whether it's through telephone, across the Internet, through the mail, or in person. In 2004, the CISP requirements were incorporated into a new industry standard called the Payment Card Industry Data Security Standard (PCI-DSS). The PCI-DSS is now a...

Physical Safeguards (Sec. 164.310)

Four physical safeguard standards are in place. These standards are physical measures, policies, and procedures to protect a covered entity's buildings, equipment, and electronic information systems from both natural and environmental hazards, and unauthorized intrusions. The four physical safeguard standards are as follows:

Facility access controls: This is an addressable standard. Each covered entity needs to implement policies and procedures to limit physical access to electronic information...

Physical Security

You cannot properly address network security without also addressing physical security. This is evident with common sense and in the various regulations addressed in Chapter 2, Regulatory Challenges in Depth. All the network security in the world is worthless if someone with malicious intent can gain physical access to the target. Make sure that the hosts on your security management network, and MARS specifically, reside in a protected facility. At the very least, they should be locked in a...