Thursday, August 16, 2007

New Trend Micro DCS MARS Integration

Trend Micro have come up with a new integration for Cisco MARS, utilising their own Damage Cleanup Services (DCS).

Quote: "Trend Micro Damage Cleanup Service extends the capability of MARS not just to notify administrators of worm and spyware incidents but also to perform remediation action automatically within seconds after the incident has been identified by MARS. After the DCS server has completed its remediation process on the attacker's machine, the DCS action result is sent back to MARS to inform the network administrator whether the cleanup succeeded, failed or encountered an error."

Process flow for Automatic Remediation

More info on this soon, but there are some relevant links, including a DEMO, below.

A Datasheet on the Trend DCS Integration can be found HERE

A video DEMO with Ryan Holland of the Cisco Technical Alliance Team for Trend Micro is below.

Tuesday, August 07, 2007

NAC Appliance Custom Parser

The NAC Appliance Custom Parser has been available in the User Group for a while now. I've finally found the time to set this up for myself (and not a customer!) in the test lab, so I can produce a demo.

It's really simple to set up, but give yourself a couple of hours, as there are over 60 templates to define.

Once done, MARS can then understand the raw event messages coming in from the Clean Access Manager.

And you can then create your own rules/alerts and reports.

Look out for the demo soon on Demolabs.

Sunday, August 05, 2007

Book Review: Cisco Security MARS

Title: Security Monitoring with Cisco Security MARS
Authors: Gary Halleen and Greg Kellogg
Publisher: Cisco Press


Quote: "Security Monitoring with Cisco Security MARS helps you plan a MARS deployment and learn the installation and administration tasks you can expect to face."

Top marks from me for this book, and not just because I try to beg/borrow content for the blog from the authors!

You may think another MARS book would be pretty much a duplicate of the first, with large sections devoted to setting up firewalls/switches in MARS and stuff which is already in the User Guide.

Well, I was pleasantly surprised that that is not the case with "Security Monitoring with Cisco Security MARS."

There is a great chapter on the various requirements of key regulations, mainly PCI, SOX, GBL and HIPAA, plus an excellent section on sizing your MARS appliance and on archiving (with some Python scripts to actually query the archive).

Another chapter that caught the eye was how to secure your MARS appliance, and why you should, with suggested firewall rules.

Other chapters include Troubleshooting Software and Devices, Integrating MARS with CSM and NAC, and a chapter on the Global Controller in a distributed environment.

The book would not have been complete without a section on the Custom Parser. There are a few examples, plus a parser for the Cisco CSC Module that you won't find anywhere else.

Overall a must for a Cisco MARS Administrator.

Thursday, August 02, 2007

MARS Exam delayed

Good job I didn't wait for the MARS exam for my recertification.

This has been put back to the 15th August 2007.

Wednesday, August 01, 2007

Finjan Custom Parser

Just an update on some of the work I've been involved with recently.

I've been busy creating an ISA Server parser and a Finjan parser (below), and once complete, these will be shared with the User Group.

I'll talk more about Finjan once the parser is complete, but as with any device that is capable of sending MARS syslog or SNMP, we can manipulate the logs and get MARS to create Incidents based on the data.

And then create reports, and display this information in various formats.

Was not me, honest, Guv.

Finally, congratulations to Todd Allaria, who wins the new Cisco MARS book for the winning logo. I'm sure I'll soon get time to modify the look and feel of the blog.
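Both the NAC Appliance post and the Finjan post above describe the same pipeline: a custom parser carries templates (patterns) that turn raw syslog from a third-party device into normalized events, rules then correlate those events into Incidents, and reports summarise them. The toy below walks through that pipeline end to end. It is an added example, not the blog's, Cisco's, Trend Micro's or Finjan's code, and it makes no claim about the real MARS parser format; the message formats, field names, event-type names and the "3 or more" threshold are all constructed for illustration.

```python
"""Toy template-driven log parser, correlation rule and report, in the spirit
of a MARS custom parser. Added example; the raw message formats below are
CONSTRUCTED and are not the real Clean Access Manager or Finjan syslog formats.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# One entry per "template": a normalized event type plus the pattern that
# recognises the raw message and pulls out the fields of interest.
# (Event-type names and patterns are assumptions made for this example.)
TEMPLATES = [
    ("NAC_LOGIN_FAILED",
     re.compile(r"CAM: user (?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) failed authentication")),
    ("NAC_POSTURE_FAILED",
     re.compile(r"CAM: host (?P<src>\d+\.\d+\.\d+\.\d+) failed posture check (?P<check>\S+)")),
    ("WEB_MALWARE_BLOCKED",
     re.compile(r"finjan: blocked (?P<url>\S+) for client (?P<src>\d+\.\d+\.\d+\.\d+) reason=(?P<reason>\S+)")),
]


@dataclass
class Event:
    event_type: str   # normalized type the templates assign
    fields: dict      # named groups captured from the raw line


def parse_line(line):
    """Try each template in order; return a normalized Event, or None if nothing matches."""
    for event_type, pattern in TEMPLATES:
        m = pattern.search(line)
        if m:
            return Event(event_type, m.groupdict())
    return None


def parse_log(lines):
    """Split raw lines into parsed events and lines no template understood.
    Unparsed lines matter: they are the gaps in your template set."""
    events, unparsed = [], []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed.append(line)
        else:
            events.append(ev)
    return events, unparsed


def correlate(events, threshold=3):
    """Toy rule: the same event type from the same source at least `threshold`
    times becomes one incident, the way a MARS rule groups events into an Incident."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev.event_type, ev.fields.get("src"))].append(ev)
    return [
        {"rule": f"{etype}_REPEATED", "src": src, "count": len(evs)}
        for (etype, src), evs in groups.items()
        if len(evs) >= threshold
    ]


def report(events):
    """Report view: how many events of each normalized type were seen."""
    return dict(Counter(ev.event_type for ev in events))


# Constructed sample feed: three login failures from one host, one posture
# failure, two web blocks, and one line no template covers.
SAMPLE_LOG = [
    "CAM: user jsmith from 10.0.0.5 failed authentication",
    "CAM: user jsmith from 10.0.0.5 failed authentication",
    "CAM: host 10.0.0.7 failed posture check AV_SIGNATURES",
    "finjan: blocked http://example.invalid/a.exe for client 10.0.0.9 reason=malware",
    "CAM: user jsmith from 10.0.0.5 failed authentication",
    "finjan: blocked http://example.invalid/b.exe for client 10.0.0.9 reason=malware",
    "CAM: config saved by admin",
]


def run_pipeline(lines=SAMPLE_LOG):
    """Parse -> correlate -> report, returning all three results."""
    events, unparsed = parse_log(lines)
    return {
        "events": events,
        "unparsed": unparsed,
        "incidents": correlate(events),
        "report": report(events),
    }


if __name__ == "__main__":
    result = run_pipeline()
    print("unparsed lines:", result["unparsed"])
    print("incidents:", result["incidents"])
    print("report:", result["report"])
```

The unparsed list is the part worth watching in practice: every line that falls through the templates is an event MARS would never raise a rule on, which is why the blog author's "over 60 templates" matters more than the parsing logic itself.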