CS-MARS Technical Overview

© 2006 Cisco Systems, Inc. All rights reserved. C97-60004-00 Cisco Confidential Cisco Security MARS 4.1: Technical Overview Effective. Efficient. Integrated.

Upload: jeffgrantinct

Post on 29-Mar-2015


Page 1: CS-MARS Technical Overview


Cisco Security MARS 4.1: Technical Overview

Effective. Efficient. Integrated.

Page 2

Agenda

• CS-MARS Product Overview
• Getting Started with CS-MARS
• GUI Overview
• Configuring Devices into CS-MARS
• Reports and Queries
• CS-MARS Integration with NAC
• Device Anomalies
• Incident Investigation
• Rules and Management
• GC and LC
• Custom Parser

Page 3

Security Information Management (SIM)/Security Event Management (SEM)

• Security Information Management (SIM)/Security Event Management (SEM) fall way short of the value proposition:
• The Good:
  – Simple incident capture, correlation, and management
  – Event/log consolidation and reporting
• The Bad:
  – No network intelligence
  – Incomplete attack vector analysis
  – Insufficient performance
  – Expensive ownership
  – Unable to mitigate or contain threats

Page 4

Cisco Security MARS Technologies

• Correlation
  – Profile network traffic (NetFlow) and detect anomalies
  – Correlate events into sessions
  – Apply correlation rules to sessions to identify incidents
• Vector Analysis
  – Analyze incidents to determine valid threats
  – Path analysis
  – Vulnerability analysis for suspected hosts
  – Vulnerability scanner correlation
• Mitigation
  – Discover optimal choke point, e.g. nearest L2 switch port
  – Recommend mitigation commands and push with user’s validation
  – Notify user of configuration changes

Page 5

Incidents, Sessions, and Events

• Events―Raw messages sent to the Cisco® Security Monitoring, Analysis, and Response System (CS-MARS) by the monitoring/reporting devices
• Sessions―Events that are correlated by the CS-MARS across NAT boundaries
• Incidents―Sessions identified as matching correlation rules

Page 6

How the CS-MARS Works

1. Events come into the CS-MARS from network devices
2. Events are parsed
3. Normalized
4. Sessionized/NAT correlation
5. Run against rule engine
  – Ignore drop rule, i.e. no match
  – Complete drop
  – Log to database only
6. False-positive analysis
7. VA against suspected hosts
8. Traffic profiling and statistical anomaly detection
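The pipeline above as an added, runnable sketch (not Cisco code): constructed syslog-style lines are parsed and normalized, the inside and outside views of one connection are merged into a single session through a NAT translation record, and drop rules decide between inspection, log-only and complete drop. The message formats, the NAT_RE/ALERT_RE patterns and the DROP_RULES table are assumptions made for the example.

```python
"""Toy model of steps 1-5 of the CS-MARS pipeline: parse, normalize,
sessionize across a NAT boundary, run against drop rules.
Constructed illustration, not Cisco code; message formats are simplified."""
import re
from collections import defaultdict

# Constructed sample input: one NAT translation log from the firewall, the
# same web attack seen by an IDS on each side of that firewall, plus two
# low-value alerts from the outside sensor.
RAW_EVENTS = [
    "2006-03-01T10:00:01 fw1 NAT built 10.1.1.5:4100 -> 203.0.113.9:4100",
    "2006-03-01T10:00:02 ids-inside alert sig=WEB-ATTACK src=10.1.1.5 "
    "dst=198.51.100.20 sport=4100 dport=80",
    "2006-03-01T10:00:02 ids-outside alert sig=WEB-ATTACK src=203.0.113.9 "
    "dst=198.51.100.20 sport=4100 dport=80",
    "2006-03-01T10:00:05 ids-outside alert sig=ICMP-PING src=203.0.113.50 "
    "dst=198.51.100.20 sport=0 dport=0",
    "2006-03-01T10:00:06 ids-outside alert sig=NOISY-SCAN src=203.0.113.50 "
    "dst=198.51.100.21 sport=5555 dport=22",
]

NAT_RE = re.compile(r"NAT built (\S+):(\d+) -> (\S+):(\d+)")
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) alert sig=(?P<sig>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) sport=(?P<sport>\d+) dport=(?P<dport>\d+)$"
)

# Drop rules keyed on the normalized signature (assumed table). "log_only"
# keeps the event in the database without ever raising an incident;
# "complete" discards it. Unmatched events go on to the inspection rules.
DROP_RULES = {"ICMP-PING": "log_only", "NOISY-SCAN": "complete"}


def parse_and_normalize(lines):
    """Steps 2-3: turn raw lines into a NAT table and normalized event dicts."""
    nat, events = {}, []
    for line in lines:
        m = NAT_RE.search(line)
        if m:
            nat[(m.group(1), int(m.group(2)))] = (m.group(3), int(m.group(4)))
            continue
        m = ALERT_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
            events.append(ev)
    return nat, events


def sessionize(nat, events):
    """Step 4: group events by post-NAT 4-tuple so the inside and outside
    views of one connection land in the same session."""
    sessions = defaultdict(list)
    for ev in events:
        src, sport = nat.get((ev["src"], ev["sport"]), (ev["src"], ev["sport"]))
        sessions[(src, sport, ev["dst"], ev["dport"])].append(ev)
    return dict(sessions)


def apply_drop_rules(sessions):
    """Step 5: classify each session by the strongest drop disposition among
    its events. Returns (to_inspect, logged_only, dropped) session keys."""
    to_inspect, logged_only, dropped = [], [], []
    for key, evs in sessions.items():
        verdicts = {DROP_RULES.get(e["sig"], "none") for e in evs}
        if "complete" in verdicts:
            dropped.append(key)
        elif "log_only" in verdicts:
            logged_only.append(key)
        else:
            to_inspect.append(key)
    return to_inspect, logged_only, dropped


def run_pipeline(lines=RAW_EVENTS):
    """Steps 1-5 end to end; returns a summary dict."""
    nat, events = parse_and_normalize(lines)
    sessions = sessionize(nat, events)
    to_inspect, logged_only, dropped = apply_drop_rules(sessions)
    return {
        "events": len(events),
        "sessions": len(sessions),
        "to_inspect": to_inspect,
        "logged_only": logged_only,
        "dropped": dropped,
    }


if __name__ == "__main__":
    for k, v in run_pipeline().items():
        print(k, v)
```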

Page 7

CS-MARS Benefits

• Easy Installation
• Simple Licensing
  – No license restriction for the number of devices supported
• Hardened Appliance
  – Has a built-in firewall and only opens SSH and HTTPS
  – No root access from SSH or console
  – Reduced services
• Easy Maintenance
  – Web-based software updates
• Scalability
  – Address a wide range of network sizes and traffic
• Built-In Hard Drive Redundancy on High-End Models
• Data Backup and Archiving Capabilities

Page 8

Family of CS-MARS Appliances

Model ― Typical Use
• CS-MARS 20 and 50 ― Small business
• CS-MARS 100 ― Medium to large business
• CS-MARS 100e ― Medium to large business
• CS-MARS 200 ― Medium to large business
• CS-MARS GC ― Global controller
• CS-MARS GCm ― Mid-tier business global controller

Page 9

Full-Spectrum Product Line

• Installation takes minutes
• RAID 1+0
• Oracle embedded―No DBA needed
• Agentless event collection
• Layer 2/3 network topology and mitigation
• NetFlow
• Drill down to MAC addresses

CS-MARS Model      Events/Sec   NetFlow Flows/Sec   RAID Storage   Rack Size
20                 500          15,000              120GB          1 RU
50                 1,000        25,000              120GB          1 RU
100e               3,000        75,000              750GB          3 RU
100                5,000        150,000             750GB          3 RU
200                10,000       300,000             1TB            4 RU
Global Controller  N/A          N/A                 1TB            4 RU

Page 10

Agenda (repeat of Page 2)

Page 11

CS-MARS Basic Configuration

Name
• Enter a descriptive name for the appliance.

Interface Name
• The two interfaces for the CS-MARS are eth0 and eth1
• Best practice: Configure eth0 for events and eth1 for mgmt

IP Address
• Enter the IP addresses for each interface

Default Gateway
• Enter the IP address for the default gateway for these interfaces

Mail Gateway
• The CS-MARS uses the mail gateway to send e-mail notifications

Page 12

CS-MARS User Roles

CS-MARS User Type/Role

• Admin―FULL access to CS-MARS functions and features
• Security Analyst―Access to CS-MARS functions and features EXCEPT can only create notification-type users and has read-only privilege to ADMIN functions
• Operator―Read-only privilege and ability to view reports but not to run/generate reports
• Notification Only―No access to CS-MARS but able to receive report results from CS-MARS

Page 13

Topology Discovery

• Topology discovery enables operation at level three
• This is a three-step process:
  – Add the community strings for SNMP
  – Add the valid networks
  – Discover immediately or schedule recurring updates via the Topology Update Scheduler

Page 14

Understanding Discovery

• For the CS-MARS to reach full operability, you need to specify:
  – Community strings with at least RO capability
  – The networks that you want to discover
• Once the appliance discovers these networks, you get a much more accurate view of MAC addresses, end-point lookup (attack paths), and network topology
• L2 discovery and mitigation
  – All L2 devices must have the SNMP RO community strings specified in the CS-MARS UI for manual device discovery
  – If the access type is non-SNMP (e.g. TELNET/SSH) it will still require this community string for discovery
  – L2 devices must be added manually―There is no automatic discovery for these devices
  – Mitigation is performed via TELNET/SSH or SNMP with RW community string

Page 15

Agenda (repeat of Page 2)

Page 16

GUI Overview (Summary)

Page 17

GUI Overview (Dashboard)

• Dashboard―Four areas of quick overall view of your network
  – Last five recent incidents
  – Statistical area (Events/Incidents/False positives)
  – Topology and attack diagrams
  – Graphs and reports

1. Logout―Logging out of the appliance
2. Activate―Any changes to the configuration need to be activated before they become active
3. Refresh Rate―Applicable to Dashboard ONLY

Screenshot callouts: Tabs, Subtabs, Appliance Name, Login Username

Page 18

Diagrams

• Diagrams
  – HotSpot Graph (most recent incidents src/dest pairs)
  – Full Topology (displays the full network)
  – Attack Diagram (the last 500 events related to incidents for the past 24 hrs)
• Drill-down into the diagrams by clicking the icons
• Drill-down attack paths in the Attack Diagram by clicking the Path icon
• Drilling-down into these diagrams is one of the fastest ways to uncover real-time information about your network

Page 19

GUI Overview (Network Status and My Reports)

• Network Status―Big picture represented in charts
• Customers cannot customize these charts:
  – Incidents
  – Attacks: All―Top Rules Fired
  – Activity: All―Top Event Types
  – Activity: All―Top Reporting Devices
  – Activity: All―Top Sources
  – Activity: All―Top Destinations
• My Reports (Trending)―Choose the reports that you want to view

Page 20

GUI Overview (INCIDENTS)

• This section covers detailed information on each fired incident.
• All incidents are viewable for the next 24 hours.
• After 24 hours you can perform a query to get to the incident.

Page 21

GUI Overview (QUERY/REPORTS)

• This section provides the ability to perform real-time/batch queries, create reports, and schedule reports

Page 22

GUI Overview (RULES)

• The predefined system rules can be viewed in this tab.
• This section also provides the ability to create user rules and drop rules.

Page 23

GUI Overview (ADMIN)

• Most of the system configuration, monitoring device configuration, topology, and discovery information are performed within this ADMIN tab.

Page 24

Agenda (repeat of Page 2)

Page 25

CS-MARS Device Support

• Networking
  – Cisco IOS 11.x and 12.x, Catalyst OS 6.x
  – NetFlow v5/v7
  – NAC ACS 3.x
  – Extreme Extremeware 6.x
• Firewall/VPN
  – Cisco PIX 6.x, 7.x, ASA, IOS Firewall/IPS, FWSM 1.x, 2.3, VPN Concentrator 4.x
  – CheckPoint Firewall-1 NG FPx, VPN-1
  – NetScreen Firewall 4.x, 5.x
  – Nokia Firewall
• IDS
  – Cisco NIDS 4.x, 5.x, IDSM 4.x, 5.x
  – Enterasys Dragon NIDS 6.x
  – ISS RealSecure Network Sensor 6.5, 7.0
  – Snort NIDS 2.x
  – McAfee Intrushield NIDS 1.x
  – NetScreen IDP 2.x
  – Symantec ManHunt 3.x
• Vulnerability Assessment
  – eEye REM 1.x
  – Foundstone FoundScan 3.x
  – Qualys Guard
• Host Security
  – Cisco Security Agent (CSA) 4.x
  – McAfee Entercept 2.5, 4.x
  – ISS RealSecure Host Sensor 6.5, 7.0
  – Symantec AntiVirus 9.x
• Host Log
  – Windows NT, 2000, 2003 (agent/agent-less)
  – Solaris
  – Linux
• Syslog
  – Universal device support
• Applications
  – Web servers (IIS, iPlanet, Apache)
  – Oracle 9i, 10i database audit logs
  – Network Appliance NetCache

Page 26

Adding Devices to CS-MARS

Autodiscovery

Page 27

Adding Devices to CS-MARS

• The three most common ways to add devices:
  – Import from seed file [preferred]
  – SNMP discovery
  – Add manually
• To use autodiscovery the user has to:
  – Specify community strings
  – Specify valid networks
  – Specify the Device Update Scheduler (this specifies how often CS-MARS should go and rediscover the configuration for that device)

Page 28

Entering Reporting Devices

• There are two categories of device type:
  – HW-based security devices
  – SW-based security devices

Page 29

Entering Reporting Devices

• Depending on the device type, you will be prompted for the appropriate fields to fill in.
• In this example for a Cisco® PIX® firewall, you need to provide device name, reporting IP, access IP, access type, username and passwords, as required.

Page 30

Benefit of NetFlow

• With Cisco® NetFlow, you can take advantage of NetFlow’s anomaly detection using statistical profiling, which can pinpoint day-zero attacks like worm outbreaks.
• After CS-MARS is configured to work with NetFlow, it needs a few days to collect data to start analyzing your network before it can start presenting NetFlow’s anomaly detection through the charts.
• The CS-MARS detects anomalies by using two dynamically generated watermarks comparing the previous data against current data. When the data breaches the first watermark, CS-MARS starts to save that data. When the data rises above the second watermark, CS-MARS creates an incident.
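An added illustration of the two-watermark scheme (not Cisco’s NetFlow profiling code): the watermarks are assumed to be the mean plus 2 and plus 4 standard deviations of a rolling window of previous intervals, and only intervals judged normal refresh that window. BASELINE and CURRENT are constructed sample counts.

```python
"""Two-watermark anomaly detector modelled on the behaviour on this slide.
Constructed illustration, not Cisco's algorithm: the watermark formula
(mean plus k standard deviations of a rolling window) is an assumption;
the slide only says the watermarks are dynamically generated."""
from statistics import mean, pstdev


def watermarks(history, k_low=2.0, k_high=4.0):
    """Return (first, second) watermarks derived from previous interval counts."""
    mu, sigma = mean(history), pstdev(history)
    return mu + k_low * sigma, mu + k_high * sigma


def classify(value, low, high):
    """normal: below both; save: first watermark breached; incident: second."""
    if value >= high:
        return "incident"
    if value >= low:
        return "save"
    return "normal"


def detect(baseline, current, window=50, k_low=2.0, k_high=4.0):
    """Run the detector over successive intervals.

    baseline: per-interval flow counts (e.g. hourly flows/sec to one
              service) gathered during the learning period the slide mentions.
    current:  new intervals, classified one at a time.
    Only intervals judged normal are fed back into the rolling window, so an
    ongoing anomaly does not lift the watermarks and mask itself.
    Returns a list of (value, state) pairs.
    """
    history = list(baseline)
    results = []
    for value in current:
        low, high = watermarks(history[-window:], k_low, k_high)
        state = classify(value, low, high)
        results.append((value, state))
        if state == "normal":
            history.append(value)
    return results


# Constructed learning-period sample: 50 hourly buckets of flows/sec to a
# file server cycling through 100..120, i.e. mean 110, std dev about 7.1,
# so the watermarks start near 124 and 138.
BASELINE = [100 + (i % 5) * 5 for i in range(50)]
# Constructed new intervals: two normal hours, two hours above the first
# watermark only, a worm-like surge above the second, then recovery.
CURRENT = [112, 118, 132, 128, 150, 200, 115]


def states(baseline=BASELINE, current=CURRENT):
    """Just the state sequence, convenient for checking the detector."""
    return [state for _, state in detect(baseline, current)]


if __name__ == "__main__":
    for value, state in detect(BASELINE, CURRENT):
        print(f"{value:5d}  {state}")
```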

Page 31

NetFlow Configuration

Screenshot callouts:
• If empty, then the entire network will be examined for anomalies
• CS-MARS Ignores NetFlow

Page 32

Vulnerability Assessment

Screenshot callouts:
• Logs from VA scanning of 3rd-party applications (eEye and Foundstone)
• Manual configuration (when adding host); by default it could be overwritten by the info from the VA logs
• Result from VA probe (if targeted host is new)

1. Several conditions cause a VA probe on the destination host/device:
  – Incident occurred
  – Incident is within the VA valid network
  – Interesting event (mapped to (e.g.) a nessus script)
2. Result from the VA probe is analyzed against the CS-MARS database to determine “unconfirmed” false positive
3. VA result is cached for four hours
4. If the targeted host (Linux or Windows) doesn’t exist in the CS-MARS database, it will get added automatically

Page 33

Agenda (repeat of Page 2)

Page 34

Query Page

On the Query page, it is possible to:
• Run reports as on-demand queries
• Create your own query
• Create rules

Page 35

Understanding Queries and Reports

Queries are an important aspect of CS-MARS defense:
• Fast drill-down into incidents
• Quick building of rules to better analyze network traffic
• Predefined queries
• Different save options
  – Save as report―Build repeatable queries
  – Save as rule―Saves query as rule and takes you to the rules page

Page 36

Running a Quick Query

• Things to think about before running a query:
  – What do you want to see: Source IP / Destination IP / Event …
  – How do you want the results to be displayed
• To run a quick query:
  – Enter a source IP, destination IP, or a service into the quick query field
  – Format results by clicking the edit tab
  – Enter the time range
  – Click the Submit Inline button to run the query

Page 37

Query and Reports

Forensic Analysis
• Easy-to-use GUI for writing queries and reports
• Fully customizable means to define filters and aggregate output
• Ability to view filtered events in real time for problem debugging
• Batch queries provide the ability to run reports in the background

Page 38

Free-Form Query

To run a free-form query:
• You can click the icon to add parentheses for nested queries or click the trash can icon to remove parentheses.
• Under Search String, enter strings to query; under Operation, select the operation (AND, OR, NOT). For the final item in the list, select None.

Page 39

Selecting Query Type

• Selecting query type
  – Determine a query’s result format, rank, time, whether it only uses firing events, and the number of rows returned
  – Select different query criteria by clicking the Query Type link or Edit button.

Screenshot callouts: Events, Device, Operation, Rule, Action

Page 40

Total, Peak, and Recent Reports

Total View
• The top N values for display, found by calculating the sum total of each value in the time range and picking those with the largest total.

Peak View
• Top N values for display, found by examining the rate for each value in the selected time range and picking those with the highest peaks.

Recent View
• Top N values from the past hour, displayed over the selected time range. A recent view shows the current state and can highlight ongoing anomalous behavior. If a spike happened within the past hour, it will appear in the recent view, but the recent view can also show more fundamental changes in the shape of the network traffic.

Page 41

Creating Reports

To Create a New Report:
• On the Reports page, click the Add button
• From the Query page, define a query and select to save it as a report

Page 42

Agenda

• CS-MARS Product Overview
• Getting Started with CS-MARS
• GUI Overview
• Configuring Devices into CS-MARS
• Reports and Queries
• CS-MARS Integration with NAC
• Incident Investigation
• Rules and Management
• GC and LC
• Custom Parser

Page 43

CS-MARS NAC Integration

• CS-MARS receives syslog from NAC modules:
  – Network Access Device
      – EAP session creation/removal
      – EAP host posture validation status
      – EAP host authentication type
      – EAP host policy attributes
  – ACS
      – Authentication status: pass, failed, reason
      – RADIUS accounting events will be parsed and categorized
• These events are parsed and categorized
  – Penetrate/GuessPassword/NAC
  – Info/SuccessfulLogin/NAC
• Rules/Queries/Reports/Trends work as for other events
• CS-MARS determines host name, user name, IP, MAC, enforcement point, compliance status association

Page 44

CS-MARS NAC Integration

• Perform investigation or generate compliance reports
  – All noncompliant hosts as reported by a particular Network Access Device
  – Compliance activity for a particular user during a particular time
  – Remediation times per host
• Visualize interesting trends
  – Noncompliant hosts after a recent worm has been patched
  – Noncompliance activity for a particular domain
  – Remediation times after a recent worm has been patched
• CS-MARS protects against day-zero anomalies for a patched host

Page 45

802.1x, L2 Security Feature Set, and Network Admission Control Reporting

• Make sense out of LAN-based 802.1x solutions
• Centralized reporting for L2, L3, and remote access NAC deployments.
• Provide policy trending reports based on endpoint posture enforcement.
• Centralized operational troubleshooting for helpdesk calls.
• Centralized view of all your L2 infrastructure security feature set hit rate: Dynamic ARP Inspection, Spanning Tree Root Guard, IP Source Guard, etc.

Page 46

Agenda (repeat of Page 42)

Page 47

Incidents Overview

• An incident is a chain of correlated events that describe an attack scenario against your network. Examples are:
  – Reconnaissance activity followed by a penetration attempt, and further, followed by malicious activity on the target host
  – Reconnaissance activity followed by a denial-of-service attempt
• An incident produced by the CS-MARS collects the interesting sessions that constitute an attack scenario and uses rules to describe them.
• CS-MARS comes with predefined system rules that can be modified, or new custom rules can be generated.
• Incidents are subdivided into sessions to make it easier for you to investigate the attack scenario. Each instance alone is a full attack scenario.

Page 48

The Incidents Page

• These incidents are the result of the predefined system rules:
  – The rules are generic
  – Globally applicable
  – Serve as a starting point to fine-tune the system
• The incidents page displays the last 24 hours of recent incidents

Page 49

Incidents Details

Answers such questions as:
• Who did it
• What event types happened
• When it happened
• To whom it happened

Page 50

The Incidents Page

The Incident Page’s Table:
• Incident ID―An incident’s unique ID
• Severity―Green, yellow, and red icons
• Event type―The normalized signature sent from the reporting devices
• Matched rule―The rule whose criteria was met
• Action―The description of the notification taken when this rule fires
• Time―A single time or a time range
• Incident path―The icon that takes you to the incident’s path diagram
• Incident vector―The icon that takes you to the source, event type, and destination diagram

Page 51

Incidents Detail Table

Table Includes:
• Instances
• Session/Incident ID
• Events column
• Time column

Page 52

Reading the Incidents Table

• Colors in the table
  – To quickly scan the table for changes among rows
  – Quickly zero in on changes between rows
• If a cell is either gray or white it is the same as the cell above
• If a cell of a grouping criteria is a shade of purple, then the value in that cell differs from the value in the row above

Page 53

Case Management

• Provides framework to compile information collected by MARS
• Create cases that may contain incidents, device information, sessions, rules, and report data
• Completes case lifecycle for audit purposes
• Cases include many parameters, including owner, date/time stamps, status, notes, and case ID numbers
• Cases can be searched by a variety of parameters and can be stored in a hierarchical grouping structure
• Cases can be emailed to asset owners or ticketing systems via the logged-on administrator

Page 54

Incident Path

• Clicking on the PATH icon will display the attack path diagram of the incident
• It displays all the associated sessions of this incident as well as the event types of each session
• Toggle Topology displays the full topology of the discovered network

Page 55

Incident Attack Diagram

• Clicking on the Incident vector icon will display the attack diagram
• It displays each attack session and provides the Src and Dest IPs as well as all event types
• The color-coded host indicates if it is compromised (red), attacker (brown), or both (purple)
• Each link is labeled with the number of occurrences

Page 56

Mitigation Information Page

• Click the Mitigate link from the Incidents Details page.
• By default, the detailed incident information is collapsed. You may need to click on Expand All to view the Path/Mitigation icon of each session.

Page 57

Mitigation Information Page

To mitigate an attack:
• Click the Mitigate link
• Select an L2 or L3 device to mitigate
• Review the enforcement device, select a new device if needed

Page 58

False Positives or False Alarms

• What is a false positive?
  – Broad and somewhat vague term
  – False alarms are the Internet security equivalents of the boy who cried wolf
  – Diminish the value and urgency of real alerts
• What are acceptable levels of false alarms?
• IDS sensor without any customization may have only 10% of its alarms associated with a true security event.
• With tuning, an average real alarm rate of 60% or better is possible. You can achieve real alarm rates above 90%, depending on the level of tuning and the type of traffic on a network.
• Common categories into which false alarms can be divided:
  – Reactionary traffic alarms: Traffic that is caused by another network event, often nonmalicious.
  – Equipment-related alarms: Attack alerts that are triggered by odd, unrecognized packets generated by certain network equipment.
  – Protocol violations: Alerts that are caused by unrecognized network traffic, often caused by poorly or oddly written client software.
  – True false positives: Alarms that are generated by an IDS for no apparent reason. These are often caused by IDS software bugs.
  – Non-malicious alarms: Generated through some real occurrence that is nonmalicious in nature.

Page 59

False Positives or False Alarms

• Two entry points for performing false-positive tuning

Page 60

False Positive Page

Types of false positive supported by CS-MARS:
• Unconfirmed false positive―CS-MARS needs user confirmation to determine if the target host is vulnerable
• User-confirmed false positive―For this type, a user has provided confirmation that a firing event is a false positive
• User-confirmed positive―For this type, a user has provided confirmation that a firing event is a true attack
• System-determined false positive―For this type, the system has determined that a firing event is a false positive

Page 61

False Positive Summary

• A summary of all false positives is presented in the Summary Page

Page 62

Agenda (repeat of Page 42)

Page 63

Rules Overview

• A rule is a real-time filter that detects interesting patterns of network activity.
• Attacks share common traits, so use rules to define these traits for monitoring and alerting on them.
• Rules create incidents. Based on events and sessions, rules connect them together to form a chain of events that describes an intrusion.
• Rules can determine whether a false positive is either dropped completely or kept as information in the database.
• There are more than 104 built-in system rules which detect anomalies based on behaviors.
• Easy-to-build, user-defined rules.

Page 64

Creating Rules

• Create rules when there are new or unique threats.
• A rule can have a single line, two lines, or multiple lines
  – Link these lines together using the logical operators “AND, OR, FOLLOWED-BY.”
• You can duplicate the existing rules or add others, such as system rules. However, you can’t delete any of these rules.
• Use dollar variables to constrain your host, e.g. $TARGET
• Example: Build a rule to detect and alert on a new P2P application which runs on ports 6667, 6668, or 6669―TCP.
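An added example (not Cisco’s rule syntax or engine) of how rule lines combined with AND/OR, chained with FOLLOWED-BY and constrained by $TARGET evaluate over sessions; it covers the slide’s P2P-on-TCP-6667/6668/6669 rule and the recon-then-penetration-then-malicious-activity chain from page 47. The Session type, the predicate helpers and the SESSIONS data are assumptions for the example.

```python
"""Multi-line inspection rule evaluation: lines combined with AND/OR,
chained with FOLLOWED-BY, constrained by a $TARGET variable.
Constructed illustration in plain Python, not Cisco's rule language."""
from dataclasses import dataclass


@dataclass
class Session:
    ts: int          # seconds since epoch (constructed values)
    src: str
    dst: str
    dport: int
    proto: str
    event_type: str  # normalized event category, e.g. "scan", "exploit"


# Predicates take (session, env); env holds bound dollar variables.
def proto(p):
    return lambda s, env: s.proto == p

def dport(n):
    return lambda s, env: s.dport == n

def etype(t):
    return lambda s, env: s.event_type == t

def all_of(*preds):  # AND within one rule line
    return lambda s, env: all(p(s, env) for p in preds)

def any_of(*preds):  # OR within one rule line
    return lambda s, env: any(p(s, env) for p in preds)

def dst_is_target(s, env):
    return s.dst == env.get("$TARGET")

def src_is_target(s, env):
    return s.src == env.get("$TARGET")


def followed_by(lines, sessions, window=3600):
    """Evaluate lines chained with FOLLOWED-BY over time-ordered sessions.

    The first matching line binds $TARGET to that session's destination;
    later lines may reference it. If the chain does not complete within
    `window` seconds of its first match it is abandoned and matching starts
    over. Returns (matched_sessions, env); matched_sessions is None if the
    rule did not fire.
    """
    env, matched, idx, started = {}, [], 0, None
    for s in sorted(sessions, key=lambda x: x.ts):
        if started is not None and s.ts - started > window:
            env, matched, idx, started = {}, [], 0, None
        if lines[idx](s, env):
            env.setdefault("$TARGET", s.dst)
            matched.append(s)
            started = s.ts if started is None else started
            idx += 1
            if idx == len(lines):
                return matched, env
    return None, env


# The slide's example: a single-line rule for a new P2P app on TCP 6667-6669.
RULE_NEW_P2P = [all_of(proto("tcp"),
                       any_of(dport(6667), dport(6668), dport(6669)))]

# Three lines of the "recon FOLLOWED-BY penetration FOLLOWED-BY malicious
# activity on the target host" shape described on the incidents slide.
RULE_ATTACK_CHAIN = [
    etype("scan"),
    all_of(etype("exploit"), dst_is_target),
    all_of(etype("malware"), src_is_target),
]

# Constructed sessions: scan and exploit against 198.51.100.20, malware
# traffic from an unrelated host (must not count), malware from the target
# itself, and one P2P-looking connection.
SESSIONS = [
    Session(1000, "203.0.113.50", "198.51.100.20", 80, "tcp", "scan"),
    Session(1300, "203.0.113.50", "198.51.100.20", 80, "tcp", "exploit"),
    Session(1500, "198.51.100.21", "198.51.100.99", 445, "tcp", "malware"),
    Session(1600, "198.51.100.20", "198.51.100.99", 445, "tcp", "malware"),
    Session(1700, "10.1.1.7", "203.0.113.77", 6668, "tcp", "traffic"),
]


if __name__ == "__main__":
    hits, env = followed_by(RULE_ATTACK_CHAIN, SESSIONS)
    print("attack chain fired on", [s.ts for s in hits], "target", env["$TARGET"])
    hits, _ = followed_by(RULE_NEW_P2P, SESSIONS)
    print("p2p rule fired on", [s.ts for s in hits])
```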

Page 65

System and User Inspection Rules

• User Inspection Rules
  – Rules created by the user
• System Inspection Rules
  – Predefined rules
  – Limited ability to change these rules:
      – Edit some rule criteria (source and destination IP and reporting devices)
      – Duplicate system rules
      – Inactivate and activate rules
  – Updated on an ongoing basis
• Drop Rules
  – Instruct CS-MARS to either drop a false positive completely from the appliance (not logged to its database) or keep it only as a database record

Page 66

Rules Behaviors

• User Inspection Rules can’t be deleted; however, the user can change their status from Active to Inactive
• Inactive rules do not fire incidents and do not affect the speed at which the system processes events
• A system rule can be duplicated and then allows limited editing (Source IP, Destination IP, and Device)

Screenshot callout: Duplicate Rule

Page 67

Types of Alerts

• The CS-MARS supports four types of alerts when a rule is fired. The user can configure these alerts as part of the rule:
  – Email
  – Syslog
  – Page
  – SNMP
  – SMS (introduced in 3.3.3)

Page 68

Management Overview

• Use the management features in the CS-MARS to assign event, addressing, service, and user information. This information is used in rules, queries, and to determine false positives.
• Event Management―Take events presented here, group them, and then use them with rules to concentrate your search for attacks
• IP Management―Lets you work with addresses for networks, IP ranges, variables, and hosts
• Service Management―A combination of source port, destination port, and protocol
• User Management―Manage users, roles, and groups

Page 69: CS-MARS Technical Overview

Agenda

• CS-MARS Product Overview
• Getting Started with CS-MARS
• GUI Overview
• Configuring Devices into CS-MARS
• Reports and Queries
• CS-MARS Integration with NAC
• Incident Investigation
• Rules and Management
• GC and LC
• Custom Parser

Page 70: CS-MARS Technical Overview

Global Controller Goals

• Global Controller (GC) provides a summary of all LCs' information:

Network topologies

Incidents

Query and report results

• It also provides a central point for creating rules and queries that are then applied to multiple LCs simultaneously

• Changes in an LC are automatically propagated to the GC and vice versa
• Seamlessly navigate to any LC from the GC GUI
• Scalable through the distributed architecture
• Divide the network based on zone (department function or region)

Page 71: CS-MARS Technical Overview

Global Controller Architecture Overview

• Distributed architecture

GC is based on CS-MARS 200 hardware

GC manages multiple local controllers; each LC manages ONE zone

LC is based on any of the existing models

Different license keys for GC and LC/standalone CS-MARS

GC can support up to 20 simultaneous users

Connection establishment between GC and LC takes 20 sec or less

Communication is over HTTPS

Page 72: CS-MARS Technical Overview

Global Controller Overview

• Reports: locally defined reports are only computed at the LCs, and the results are not pushed up.

The mechanism of using LCs to compute partial global reports and then aggregating them globally to produce enterprise-wide reports is key, and truly scales enterprise-wide security management at a reasonable cost.

Page 73: CS-MARS Technical Overview

Global Controller Overview

• HotSpot Graph and Full Topology Graph can be viewed by selected zone. Viewing as Global Zone displays a merged topology of all monitored LCs:

a) A device that exists in multiple zones appears once in the GC topology after it is discovered

b) Two devices with the same IP address in different zones appear as two devices in the GC topology

c) A device with two interfaces existing in two different zones appears once in the GC topology if the device is discovered
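The two GC behaviours on the preceding slides, partial-report aggregation (page 72) and per-zone topology merging (the three rules above), as one added illustration. This is not CS-MARS code and does not describe the appliance's internal data model: each LC is assumed to push up only per-key counts for a report, and a discovered device is assumed to carry one identity (here a hostname) that is the same in every zone, while an undiscovered device is known only by the IP an LC saw it at. The zone names, device names and counts are constructed.

```python
from collections import Counter
from typing import Dict, List, Tuple


def aggregate_report(partials: Dict[str, Dict[str, int]]) -> Dict[str, int]:
    """Sum per-zone partial results (each LC pushes up only {key: count},
    never raw events) into one enterprise-wide result."""
    total: Counter = Counter()
    for zone_counts in partials.values():
        total.update(zone_counts)
    return dict(total)


def top_n(partials: Dict[str, Dict[str, int]], n: int) -> List[Tuple[str, int]]:
    """Enterprise-wide top-N, computed from the partials rather than from raw events."""
    return Counter(aggregate_report(partials)).most_common(n)


def merge_topology(zones: Dict[str, List[dict]]) -> List[dict]:
    """Merge per-zone device lists into the GC's global view.

    Each device dict is {"ip": str, "discovered_as": hostname or None}.
    A discovered device is keyed by its hostname, which is the same in every
    zone; an undiscovered one is keyed by (zone, ip). That reproduces the
    three rules on the slide:
      (a) discovered device present in several zones   -> one GC device
      (b) same IP, undiscovered, in two zones           -> two GC devices
      (c) discovered device with one interface per zone -> one GC device
    """
    merged: Dict[tuple, dict] = {}
    for zone, devices in zones.items():
        for dev in devices:
            if dev["discovered_as"]:
                key = ("host", dev["discovered_as"])
            else:
                key = ("ip", zone, dev["ip"])
            entry = merged.setdefault(
                key, {"name": dev["discovered_as"] or dev["ip"], "ips": set(), "zones": set()})
            entry["ips"].add(dev["ip"])
            entry["zones"].add(zone)
    return list(merged.values())


# Constructed partial report results from two LCs (event type -> count).
PARTIALS = {
    "east": {"HTTP Status OK": 120, "Port Scan": 3},
    "west": {"HTTP Status OK": 80, "Port Scan": 4, "Denied Connection": 9},
}

# Constructed per-zone device inventories.
ZONES = {
    "east": [{"ip": "10.1.0.1", "discovered_as": "core-rtr-1"},   # rules (a)/(c)
             {"ip": "10.1.0.20", "discovered_as": None}],         # rule (b)
    "west": [{"ip": "10.2.0.1", "discovered_as": "core-rtr-1"},   # second interface
             {"ip": "10.1.0.20", "discovered_as": None}],         # same IP, other zone
}


if __name__ == "__main__":
    print("enterprise-wide top 2:", top_n(PARTIALS, 2))
    for dev in merge_topology(ZONES):
        print(dev["name"], sorted(dev["ips"]), sorted(dev["zones"]))
```

The merged topology contains three devices: core-rtr-1 once with both of its interface IPs, and the undiscovered 10.1.0.20 twice, once per zone, which is exactly the (a), (b), (c) behaviour the slide lists.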

Page 74: CS-MARS Technical Overview

Agenda

• CS-MARS Product Overview
• Getting Started with CS-MARS
• GUI Overview
• Configuring Devices into CS-MARS
• Reports and Queries
• CS-MARS Integration with NAC
• Incident Investigation
• Rules and Management
• GC and LC
• Custom Parser

Page 75: CS-MARS Technical Overview

User-Defined Log Parser Templates

• The technique used to define the log parser is called "overloading"

• Overloading is the mapping of a field from a custom event to an existing CS-MARS field

• For the example above, the destination port will be overloaded with the number of connections

Page 76: CS-MARS Technical Overview

User-Defined Log Parser Templates

• Steps to create a user-defined parser in CS-MARS:

1. Create a new appliance or software type

2. Create a new EVENT type that is associated with this new device or software

3. Define the patterns that are then associated with the new EVENT type

4. Add this new device or software into CS-MARS

Page 77: CS-MARS Technical Overview

User-Defined Log Parser Templates

• Test your new custom parser: New Event Type "HTTP Status OK"
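The overloading technique (page 75), the four parser-template steps (page 76) and the "HTTP Status OK" test event above, carried through in one added illustration. This is not CS-MARS code and the appliance's parser configuration does not look like this; it only mirrors the procedure: a new software type, event types tied to it, one or more regex patterns per event type with a map from regex groups onto existing normalized fields, and a device registered with that software type. The software type "acme-loadbalancer", the device "lb-1", the field names, the patterns and the sample log lines are all constructed. The first event type overloads the destination-port field with a connection count, exactly as the slide describes.

```python
import re
from typing import Dict, List, Optional


class ParserTemplate:
    """A user-defined log parser template for one software type (step 1)."""

    def __init__(self, software_type: str):
        self.software_type = software_type
        # step 2/3: event type name -> list of (compiled pattern, field map)
        self.event_types: Dict[str, list] = {}

    def add_event_type(self, name: str, pattern: str, field_map: Dict[str, str]) -> None:
        """field_map: {existing normalized field: regex group name}. Mapping a
        group onto a field it does not semantically belong to is 'overloading'."""
        self.event_types.setdefault(name, []).append((re.compile(pattern), field_map))

    def parse(self, device: str, line: str) -> Optional[dict]:
        """Return a normalized event for the first event type whose pattern
        matches, or None if the line is not recognised by this template."""
        for name, patterns in self.event_types.items():
            for regex, field_map in patterns:
                m = regex.search(line)
                if not m:
                    continue
                ev = {"device": device, "event_type": name}
                for field, group in field_map.items():
                    ev[field] = m.group(group)
                if "dst_port" in ev:          # ports are integers in the normalized event
                    ev["dst_port"] = int(ev["dst_port"])
                return ev
        return None


class Registry:
    """Step 4: devices are registered with the software type they run, and
    each incoming line is routed to that software type's template."""

    def __init__(self):
        self.templates: Dict[str, ParserTemplate] = {}
        self.devices: Dict[str, str] = {}

    def add_template(self, tmpl: ParserTemplate) -> None:
        self.templates[tmpl.software_type] = tmpl

    def add_device(self, name: str, software_type: str) -> None:
        self.devices[name] = software_type

    def parse(self, device: str, line: str) -> Optional[dict]:
        return self.templates[self.devices[device]].parse(device, line)


# Constructed template for a hypothetical load balancer.
TEMPLATE = ParserTemplate("acme-loadbalancer")
# Event 1: a connection-count record has no real destination port, so the
# number of connections is overloaded onto dst_port (as on the slide).
TEMPLATE.add_event_type(
    "LB Connection Count",
    r"vip=(?P<vip>\d+\.\d+\.\d+\.\d+) conns=(?P<conns>\d+)",
    {"dst_ip": "vip", "dst_port": "conns"})
# Event 2: the test case from the slide, an HTTP 200 response; here every
# group lands on the field it naturally belongs to (no overloading).
TEMPLATE.add_event_type(
    "HTTP Status OK",
    r"client=(?P<client>\d+\.\d+\.\d+\.\d+) server=(?P<server>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) status=200\b",
    {"src_ip": "client", "dst_ip": "server", "dst_port": "port"})

REGISTRY = Registry()
REGISTRY.add_template(TEMPLATE)
REGISTRY.add_device("lb-1", "acme-loadbalancer")

# Constructed sample log lines from that device.
SAMPLE_LINES = [
    "2006-03-01T10:00:00 lb-1 vip=10.0.0.5 conns=4213",
    "2006-03-01T10:00:01 lb-1 client=192.0.2.7 server=10.0.0.5:80 status=200",
    "2006-03-01T10:00:02 lb-1 client=192.0.2.8 server=10.0.0.5:80 status=503",
]


def parse_all(lines: List[str] = SAMPLE_LINES, device: str = "lb-1") -> List[Optional[dict]]:
    return [REGISTRY.parse(device, line) for line in lines]


if __name__ == "__main__":
    for line, ev in zip(SAMPLE_LINES, parse_all()):
        print(ev if ev else f"UNPARSED: {line}")
```

The first line yields an "LB Connection Count" event whose dst_port field holds 4213 connections rather than a port, the second yields "HTTP Status OK" with the real port 80, and the 503 line is left unparsed because no pattern claims it. When a field is overloaded, any rule or report that reads that field must know about the overloading, which is why the event type name is carried alongside the value.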

Page 78: CS-MARS Technical Overview