Monday, January 29, 2007

CS-MARS Case Management

One of the many features of CS-MARS is Case Management.

The Case Management feature can combine and preserve user selected MARS data, in a special report called a CASE.

Why would we want to do this?

Well, when we see suspicious behavior alerted to us by MARS, we may want to tie multiple incidents together and keep a textual log of what action(s) the MARS admins have taken regarding these events. This level of information may be needed later for legal/audit/forensic use.

So what information can we add to a Case?

The following data can be added to a case...
  • Text Annotations
  • Incident ID Page
  • Incident Device Information - Source IP/Destination IP Device Info. Reporting Devices
  • Session Information Page
  • Query Results Page
  • Report Results Page
  • Build Reports Page
  • View Case Page (the current case can reference a different case!)

As an example, take the investigation of Peer-to-Peer software on the network.

A case has been created and assigned to a user on the MARS box.

The MARS user logs onto the box, and selects the CASE to work with...

Now, reviewing the other incidents that have fired, he/she decides that there are a few that they would like to group together for further investigation. This is achieved via the "Add This Incident" button.

And maybe they want to add some comments, or re-assign to a different user...

Or maybe add a Device or Source IP/Destination IP Address information into the Case...

And Session information...

And maybe we have run some queries against a particular host, and want to add the results of those queries into the case...

And lastly, maybe we want to reference a different case, that has already been created...

Once done, and we view our case, we will see all the data collated together...

Now if we click on the "View Case Document" button, on the bottom of the CASE, we will see that CASE in full detail, with all the incident and session information expanded, as if we were viewing the individual Incident/Session Pages. This complete display can be emailed, by clicking the email button, and then a MARS user selected.

Any user can create or alter any case, and also add or remove incidents from the case, but this is all tracked in the CASE history.

In order to change or add to a case, we need to select it first, by simply clicking on the case when found on the dashboard (or via the Incidents TAB/Cases) or in the To-do List. This particular case is then always highlighted at the top of the dashboard. Once finished we can deselect the case.

Since in many environments multiple users are logging into the MARS box under different usernames, we can also assign cases to different personnel, and only the cases relevant to that particular user will appear under the To-Do List, on the main CS-MARS console.

Another thing to be aware of is that once a CASE is created, it cannot be deleted. Hell no! The auditors would just do their nut! It can be closed or resolved. Once in this state it can still be added to, but the status of a closed case cannot be changed.

In the Incident View, we can also narrow down the displayed Incidents by CASE status: New, Open, Assigned, Resolved or Closed.

Case information collected together builds up your forensic evidence pertinent to Audits, Policy Change Justifications, MARS False Positive Tuning and examples of allowed and prohibited behaviour.

The information collected by a CASE is preserved, i.e. the data that is displayed within a case is as it was when the data was actually added to the case, regardless of subsequent changes to the MARS state.

So for example, the CS-MARS data can be purged due to disk partitions being full (remember earlier articles), the topology can change, etc., but the data reported within a case remains the same as at the time it was captured.
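To make the case rules described above concrete (history tracked, no deletion, a closed case still accepts additions but cannot change status, and data snapshotted at the time it is added), here is a small illustrative model. It is my own added Python, not Cisco code and not any CS-MARS API; the case id, user names and incident fields are made up.

```python
"""Hypothetical model of the CS-MARS case behaviour described in the post."""
import copy
from datetime import datetime, timezone

# The five case statuses the Incident View can filter on.
STATUSES = {"New", "Open", "Assigned", "Resolved", "Closed"}


class Case:
    """Append-only case: items are snapshotted on add, every change is logged."""

    def __init__(self, case_id, owner):
        self.case_id = case_id
        self.owner = owner
        self.status = "New"
        self.items = []     # (kind, snapshot) pairs; never removed
        self.history = []   # (timestamp, user, action) audit trail

    def _log(self, user, action):
        self.history.append((datetime.now(timezone.utc).isoformat(), user, action))

    def add_item(self, user, kind, data):
        # Deep copy so later changes to live MARS data (purges, topology
        # changes) cannot alter what the case shows. Allowed even when closed.
        self.items.append((kind, copy.deepcopy(data)))
        self._log(user, f"added {kind}")

    def set_status(self, user, new_status):
        if new_status not in STATUSES:
            raise ValueError(f"unknown status {new_status!r}")
        if self.status == "Closed":
            raise PermissionError("status of a closed case cannot be changed")
        self._log(user, f"status {self.status} -> {new_status}")
        self.status = new_status

    def delete(self, user):
        self._log(user, "delete attempted and refused")
        raise PermissionError("cases are never deleted; close or resolve instead")


def demo():
    """Walk through the P2P investigation scenario with constructed data."""
    live_incident = {"id": 12345, "src": "10.0.0.5", "dst": "10.0.0.9", "rule": "P2P"}
    case = Case("CASE-0001", "analyst1")
    case.add_item("analyst1", "incident", live_incident)
    live_incident["src"] = "<purged>"                 # simulate a later MARS purge
    case.set_status("analyst1", "Closed")
    case.add_item("analyst2", "annotation", "note added after close")  # still OK
    return case
```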
