Wednesday, November 21, 2007

Extending CS-MARS Forensics and Reporting

You may have heard of products that can make use of the Cisco MARS archive data. There are three I've heard of that can do this; one such product is SecureVue from EIQNetworks.

eIQ SecureVue provides extended forensics and investigative search capabilities that allow Cisco Security MARS customers to quickly search volumes of archived log data collected across the enterprise.

SecureVue processes Cisco Security MARS archived log data and generates comprehensive SOX, PCI, GLBA, FISMA, HIPAA and other compliance-specific reports to meet evolving federal, state and industry regulatory mandates and audit requirements.

You can find a data sheet on the MARS - EIQNetworks Integration here.


Eneko said...

I have also read about SenSage; do you know anything about it?

dan said...

Hi, have you looked at the SenSage integration with MARS? Given the volume of data we're dealing with we need something powerful. Plus, it lets us take in a lot of sources that MARS doesn't support.

chewbacca said...

I have used eIQ's product with a MARS 4.3 box and have to say I am happy with the results: forensic search is very fast, and reports show up automatically once you schedule the task (they call it a profile). The forensic search and reports all show up. BTW, eIQ also has a Linux version as well as Windows; this made it trivial to use since my Linux box was where MARS was sending its data to.

dan said...

Eneko, yes, I've met with SenSage and seen a full demo. I listened to a webcast they had where a MARS customer described how they had deployed the two products together. There's a case study on their site.

The key for us is scalability, and log support. We threw some proprietary logs at SenSage and they were able to parse it granularly and load it with no problem.

thanks chris! said...

Woohoo! This is a great blog!
And now I don't have to work this weekend :)

I installed eIQ yesterday, and
the time taken for a specific search came down to 4 minutes from about 40 minutes using native MARS forensics. We have 100 million events a day on average.

I have seen canned reports mentioned, but haven't spent any time on them yet.