Foreword
Introduction
Part I Introduction to CS-MARS and Security Threat Mitigation
Chapter 1 Introducing CS-MARS
Introduction to Security Information Management
The Role of a SIM in Today’s Network
Common Features for SIM Products
Desirable Features for SIM Products
Challenges in Security Monitoring
Types of Events Messages
Understanding CS-MARS
Security Threat Mitigation System
Topology and Visualization
Robust Reporting and Rules Engine
Alerts and Mitigation
Description of Terminology
CS-MARS User Interface
Dashboard
Network Status
My Reports
Summary
Chapter 2 Regulatory Challenges in Depth
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Who Is Affected by HIPAA?
What Are the Penalties for Noncompliance?
HIPAA Security Rule
HIPAA Security Rule and Security Monitoring
Gramm-Leach-Bliley Act of 1999 (GLB Act)
Who Is Affected by the GLB Act?
What Are the Penalties for Noncompliance with GLB?
The GLB Act Safeguards Rule
The GLB Safeguards Rule and Security Monitoring
The Sarbanes-Oxley Act of 2002 (SOX)
Who Is Affected by Sarbanes-Oxley?
What Are the Penalties for Noncompliance with Sarbanes-Oxley?
Sarbanes-Oxley Internal Controls
Payment Card Industry Data Security Standard (PCI-DSS)
Who Is Affected by the PCI Data Security Standard?
What Are the Penalties for Noncompliance with PCI-DSS?
The PCI Data Security Standard
Compliance Validation Requirements
Summary
Chapter 3 CS-MARS Deployment Scenarios
Deployment Types
Local and Standalone Controllers
Global Controllers
Sizing a CS-MARS Deployment
Special Considerations for Cisco IPSs
Determining Your Events per Second
Determining Your Storage Requirements
Considerations for Reporting Performance
Considerations for Future Growth and Flood Conditions
Planning for Topology Awareness
CS-MARS Sizing Case Studies
Retail Chain Example
State Government Example
Healthcare Example
Summary
Part II CS-MARS Operations and Forensics
Chapter 4 Securing CS-MARS
Physical Security
Inherent Security of MARS Appliances
Security Management Network
MARS Communications Requirements
Network Security Recommendations
Ingress Firewall Rules
Egress Firewall Rules
Network-Based IDS and IPS Issues
Summary
Chapter 5 Rules, Reports, and Queries
Built-In Reports
Understanding the Reporting Interface
Reporting Methods
The Query Interface
Creating an On-Demand Report
Batch Reports and the Report Wizard
Creating a Rule
About Rules
Creating the Rule
Creating Drop Rules
About Drop Rules
Creating the Drop Rule
Summary
Chapter 6 Incident Investigation and Forensics
Incident Handling and Forensic Techniques
Initial Incident Investigation
Viewing Incident Details
Finishing Your Investigation
False-Positive Tuning
Deciding Where to Tune
Tuning False Positives in MARS
Summary
Chapter 7 Archiving and Disaster Recovery
Understanding CS-MARS Archiving
Planning and Selecting the Archive Server
Configuring the Archiving Server
Configuring CS-MARS for Archiving
Using the Archives
Restoring from Archive
Restoring to a Reporting Appliance
Direct Access of Archived Events
Retrieving Raw Events from Archive
Summary
Part III CS-MARS Advanced Topics
Chapter 8 Integration with Cisco Security Manager
Configuring CS-Manager to Support CS-MARS
Configuring CS-MARS to Integrate with CS-Manager
Using CS-Manager Within CS-MARS
Summary
Chapter 9 Troubleshooting CS-MARS
Be Prepared
Troubleshooting MARS Hardware
Beeping Noises
Degraded RAID Array
Troubleshooting Software and Devices
Unknown Reporting Device IP
Check Point or Other Logs Are Incorrectly Parsed
New Monitored Device Logs Still Not Parsed
How Much Storage Is Being Used, and How Long Will It Last?
E-Mail Notifications Sent to Admin Group Never Arrive
MARS Is Not Receiving Events from Devices
Summary
Chapter 10 Network Admission Control
Types of Cisco NAC
NAC Framework Host Conditions
Understanding NAC Framework Communications
Configuration of CS-MARS for NAC
Framework Reporting
Information Available on CS-MARS
Summary
Chapter 11 CS-MARS Custom Parser
Getting Messages to CS-MARS
Determining What to Parse
Adding the Device or Application Type
Adding Log Templates
First Log Template
Second and Third Log Templates
Fourth and Fifth Log Templates
Additional Messages
Adding Monitored Device or Software
Queries, Reports, and Rules
Queries
Reports
Rules
Custom Parser for Cisco CSC Module
Summary
Chapter 12 CS-MARS Global Controller
Understanding the Global Controller
Zones
Installing the Global Controller
Enabling Communications Between Controllers
Troubleshooting
Using the Global Controller Interface
Logging In to the Controller
Dashboard
Drilling Down into an Incident
Query/Reports
Local Versus Global Rules
Security and Monitor Devices
Custom Parser
Software Upgrades
Global Controller Recovery
Summary
Part IV Appendixes
Appendix A Querying the Archive
Appendix B CS-MARS Command Reference
Appendix C Useful Websites
Index
1587052709 TOC 6/11/2007
Security Monitoring with CS-MARS helps readers plan a MARS (Security Monitoring, Analysis, and Response System) deployment and learn the installation tasks and day-to-day tasks a network security professional can expect to face. Additionally, the book will teach the reader how to use the advanced features of the product, such as the custom parser and hierarchical deployment models.
Security Monitoring with CS-MARS uses a series of real-world case studies to lead the reader through all steps of these very important tasks, including:
While security products have gained capabilities and sophistication, security monitoring has not kept pace. Usually, a company finds they need to deploy a different monitoring tool for each specific product. This results in increased staffing costs, but doesn't address the overall need to make sense from the data accumulated from various logging sources. CS-MARS addresses this need, and this book helps those network professionals using it get the most from the system.
Gary Halleen is a security consulting systems engineer with Cisco. He has in-depth knowledge of security systems, remote access, and routing/switching technology. Gary is a CISSP and ISSAP and has been a technical editor for Cisco Press. Before working at Cisco, he wrote web-based software, owned an Internet service provider, worked in Information Technology at a college, and taught computer science courses. His diligence was responsible for the first successful computer crimes conviction in the state of Oregon. Gary is a regular speaker at security events, and he presents at Cisco Networkers conferences. He lives in Salem, Oregon, with his wife and children.
Greg Kellogg is the vice president of security solutions for Calence, LLC, which is based out of Tempe, Arizona. He is responsible for managing the company’s overall security strategy, as well as developing new security solutions and service offerings, establishing strategic partnerships, managing strategic client engagements, and supporting business development efforts. Greg has more than 15 years of networking industry experience, including serving as a senior security business consultant for the Cisco Systems Enterprise Channel organization. While at Cisco, Greg helped organizations understand regulatory compliance, policy creation, and risk analysis to guide their security implementations. He was recognized for his commitment to service with the Cisco Technology Leader of the Year award. Additionally, Greg worked for Protego Networks, Inc. (where MARS was originally developed). While there, he was responsible for developing channel partner programs and helping solution providers increase their security revenue. Greg currently resides in Spring Branch, Texas, with his wife and four children.
 |
Ask a Question About this Product More... |
|
