Saturday, December 04, 2010
"Cisco announces the end-of-sale and end-of life dates for the Cisco Security Monitoring, Analysis, and Response System. The last day to order the affected product(s) is June 3, 2011."
You can read the official End of Life/End of Sales notification HERE.
The end of an Era, for probably the largest deployed SIEM tool out there.
I think its also important to note, Cisco' stance on future SIEM type products from the release notes "There is no replacement available for the Cisco Security Monitoring, Analysis, and Response System at this time."
Happy hunting for a replacement!
Monday, November 29, 2010
Also see how others are working with SIEMS such as NetWitness .
And I have updated my part II assessment of the AccelOps SIEM as per their recent announcements.
Friday, November 12, 2010
I have to say that many people though appreciate and still utilize the many innovations and capabilities that MARS offers.
While a few SIEM vendors have incorporated some of MARS features, MARS is still quite a capable Cisco-centric monitoring solution.
That being said, I also do agree that if you have outgrown your MARS appliance, need to upgrade, require broader device support, and want newer features etc, then it makes sense to look beyond MARS and kick the tires of SIEM alternatives.
Thursday, October 28, 2010
You can view the release notes HERE
Changes and Enhancements
Wednesday, September 01, 2010
You can review the release notes HERE
There are no new product enhancements, but this release has updated Vendor Signatures, for Cisco (and Non Cisco Devices), as shown below....
New Vendor Signatures
Thursday, August 12, 2010
Author: Michael W.Lucas
Published By: no starch press
Network Flow Analysis has a good introduction to flow, what it is, how records are made up and what its actually used for.
The book covers how to configure flow, on differing vendors kit, and also how to configure hardware and software flow sensors, like softflowd. (Softflowd is flow-based network traffic analyser capable of Cisco NetFlow™ data export. Softflowd semi-statefully tracks traffic flows recorded by listening on a network interface or by reading a packet capture file. These flows may be reported via NetFlow™ to a collecting host)
Once you have your devices sending flow, and your open source collector set up, Lucas then demonstrates with a variety of tools, on how to manipulate the data.
"the flow-report program reads flows and produces totals, rankings, per-second and per-interface counts, and other reports"
There are also lots of warnings and help tips, to assist with troublesome installs, "Correct Cflow.pm installation seems to be the single most common reason flow management projects fail"....."do not proceed".."until flowdumper gives correct answers. You have been warned"
Open source tools are not everyones cup of tea, and you may actually prefer commercial tools like the excellent Lancope, which adds NBA functionality if you have budget.
But, if you have no dosh, and are happy installing say BSD, and compiling a few bits and pieces, then "Network Flow Analysis" will definitely be the book to help you every step of the way.
Friday, July 30, 2010
In Part 2, I'd like to dig a bit deeper, and cover information that serves both security and network teams – specifically dashboards, rules, logical business groups, virtual appliance and a quick and simple MARS comparison.
One of the items where AccelOps excels is dashboards, and there are plenty of them. You will find ready-made dashboards for Incidents, applications, security and VMware to name a few – and their display is tied into your login. What this means is that you can have for example, security in one view, performance in another, etc. and pretty easily adjust the views you like- by display type, number of columns, over what time period and how many results. Some dashboards include topology maps with incident overlays. Elements within dashboards have additional highlight details or support the means to drill down to more relevant information.
Here you can see examples of top-firewall- reports, and login-failed-reports.
Rules can be created, from over 300 source attributes, and there is a competent mixture of useful existing performance, availability, change, security and compliance rules built-in (that can be copied and edited).
As an example, the DNS Botnet rule, better explained by pictures below, but basically rules can reference other rules. The DNS Botnet Rule, references 3 other rules, and all 3 must match before an Incident is created.
If this pattern occurs, that references the 3 other rules, generate an Incident
AccelOps has the notion of a business service that is a smart container of network devices, servers and applications serving a common business purpose. Within their CMDB, users can create a business service via a wizard that starts with the user selecting an app or device category – let’s say an ecommerce database application. AccelOps will show all the specific database applications and then specific servers. By selecting the application server, it will also automatically bring up the layer-3 devices such as switches. Once the specific web server and layer-3 devices are added to the defined service, any rules associated with those monitored devices are inherited by the service.
One complaint I see with standard SIEMs, is that they can be too slow running queries, especially if you are firing in many events. In the case of hardware appliances, when you have bought the hardware, you are pretty much stuck with it. This presents problems once you reach the processor’s limit, or a new feature comes out for a later model or when storage capacity is reached. Now the AccelOps solution is a virtual appliance that uses your hardware running VMWare. VMware provides advantages for availability and performance, and makes AccelOps very scalable. If capacity is maxed out or queries get sluggish, simply have VMware reserve more capacity or license and fire up another VM image of the AccelOps virtual appliance. As part of a cluster, it automatically load balances the processing. AccelOps separated computation functions from storage, so using VMware, you just reference the NAS/SAN storage amount, and configure it to your RAID liking – and add more as required.. All the data is online – no need to restore partial archives. Maintaining the system, including updates or adding new device parsers, can be achieved with little effort.
MARS – Device support is mostly Cisco and a few select third party (no support beyond current devices as per Cisco notification); netflow v5, v9, SNMP v1, v2, v3;
AccelOps – Cisco devices and growing vendor list – (can updates without a new release), netflow v5, v9, SNMP v1, v2, v3.
MARS – Integration with CSM and Cisco IPS Sensors (pull direct IPS raw packet traces)
AccelOps – Does not support CSM but supports Cisco and all other major IDS/IPS vendors. Also has IDS/IPS false positve tagging to reduce noise regarding invalid incident alerts.
MARS – Basic level of device attributes (hard coded) and modest reporting flexibility (no dashboards)
AccelOps – Extensive device attributes, easy to update with extensive search, reporting and dashboard capabilities
MARS – Topology Graphs are Static
AccelOps – Topology Graphs are dynamic (eg. incident and stat overlays), can be saved, and items moved around! Very customizable dashboards.
MARS – No CMDB or business service concept
AccelOps – Automated CMDB with config. versioning and business service component grouping
MARS – Case Management
AccelOps – Case Management with incident filtering, auto-suppression rules, exception management and full ticketing.
MARS – Designed for Single Enterprise Users
AccelOps – Designed for Enterprise, and Multi-Tenancy, very suitable for MSSPs.
MARS – Restricted Disk Space by Appliance; weeks to months of data, requires archiving
AccelOps – Hybrid data management; does not have that problem – everything online, long-term
AccelOps – Yes with virtual appliance dynamic clustering, remote collector virtual appliances and multi-tenancy. Has EPS-elasticity to support peak event/log spikes with dropping data.
To summarize. AccelOps is well suited to support mid to large enterprise and service provider's security and network teams alike.
AccelOps is a SIEM and more than a SIEM. The product works right out of the box. It is also customizable and as a virtual appliance – pretty simple to expand out. And at the same time, it has the capabilities to reduce multiple tools in the Enterprise. Definitely one to put on your shortlist if you are looking for a new, or to replace your current SIEM / log management solution.
I hope you enjoyed my overview of AccelOps (prior ver. 1.6.4 and more recently ver2.1). Next, I’m going to look at some more of the Cisco SIEM Deployment Guides, starting with the Cisco Security Application for Splunk.
Tuesday, July 27, 2010
Wednesday, July 21, 2010
Friday, July 09, 2010
A lot has changed in the SIEM space, since Cisco released the Cisco Monitoring Analysis and Response System, around early 2005.
MARS was one of the first products to collect, normalize and correlate event logs from all the major security vendors, systems and netflow, and run those events against security-based rules to create incidents, producing real time alerts and historical queries and reporting functions.
Times move on and most vendors speak of SIEM 2.0 or second generation, with more intelligent log gathering, useful details, identity information, geo-location databases, more comprehensive windows event collection, etc..
Now you may already know, that the original MARS creators (the Protego folks) have created a new product called AccelOps, and they believe this is a better migration path and alternative to CS-MARS, than any other 2nd generation SIEM.
So what’s so good about AccelOps?
Given smarter threats within more complex infrastructures, compliance mandate overlaps and the drive for resource efficiencies – security operational requirements have evolved.
Lets add not only security devices, but servers, VMs, applications, processes running on those servers, DHCP and DNS information, web servers logs, application response times, Wireless AP logs, FLOW data, and then analyse the whole lot using a highly scalable and cluster capable VM infrastructure.
Now throw in device configs and OS patch information, switch port mappings and grab L2 and L3 topology data across multi-vendor devices.
(So basically I can pull up IP to Port Mappings just as easy from a HP Procurve switch, as I can with a Cisco Catalyst Switch)
The security teams gets the usual SIEM and logging features and will love its NBAD functionality (and the ability to view FLOWS) since it baselines network activity and alerts on anomalous behavior. While network teams will love monitoring traffic, system and application activity, tracking issues and resource consumption, and assessing assets and config. changes.
AccelOps has developed a hybrid data management system that stores unstructured event data in flat file based database (e.g logs, flows and events) and structured data (eg. configs.) in an embedded relational database (PostgreSQL).
This enables query parallelization, across clusters, and solves slow reporting problems (and storage bloat), encountered with many SIEMS as they grow. There is no database tuning required and all the historical data remains online (no need to restore archives).
This really provides the means to support root-cause analysis, conduct investigations or produce compliance or other reports that much more efficiently. You can more easily determine security issues from non-security issues that much faster, and at the same time support IT collaboration to resolve problems, with a tool everyone can use.
One of the great things in AccelOps is the Identity and Access Monitoring. This feature collates all primary and secondary logins, whether locally on the network, or remote via VPN, or wireless via an access point. Combine with DHCP and AD information, and any IP address can be automatically associated to a specific user, on a specific server/laptop.
Where ever source or destination IP addresses are presented in AccelOps, you can gain further information. If an Internal IP address, the hostname, OS information, version, owner, and if it’s a known server or client machine in the network. If an External IP address, you can do 3rd Party Lookups to dnstuff, SANS, Cisco Senderbase, or a HoneyPot database.
If I had one complaint, it would be that it lacks an on box geo-location database, for country mappings at this present time (I was told – next release).
You would be forgiven if you thought processing all this and other performance data would slow its SIEM like event parsing and analytics. For many solutions it would believe me.
AccelOps marries a virtualization cluster architecture (the system runs on VMware as a turnkey software virtual appliance) to its high-speed event parsing engine (XML based framework) which assures performance. Adding AccelOps VM instances to a cluster offers near-linear performance for event correlation, search and reporting scale (vendor claims).
I actually found this out for myself, when AccelOps created a Tippingpoint parser for me, and I simply copied the provided XML file to the box – took just a couple of days.
In my opinion the google like realtime search, advanced search and historical reporting is superb. You can move fields around, select and filter from over 350 parsable fields, incorporate Boolean and operator logic, and group results in your display.
Reporting wise, AccelOps comes installed with over 800 reports and respective rules, containing security, performance, availability and compliance with specifics in PCI, COBIT, HIPAA/HITECH, SOX, ITIL, which are great for keeping management happy :-)
A word of warning though, is that you may want a large monitor, to get full benefit, of the variety of information presented.
That’s it for Part One. I will cover rules, dashboards and monitoring of “Business Services”, and compare AccelOps to MARS in Part Two.
I still see organizations making large investments into SIEM alone, and not having the time, or resources to realize its investment.
In my opinion, AccelOps is worth putting on your SIEM/logger shortlist.. They have intelligently taking bits out of SIEM, Performance Management, Change Management and Business service management (BSM) and put it all together to create a tool to enable the security and IT teams to work more efficiently.
AccelOps can be deployed on-premise as a virtual appliance or delivered as a Software-as-a-Service.
Thursday, July 08, 2010
Wednesday, June 02, 2010
Published By: Cisco Press
Author: Tom Gillis
"Today’s new Web 2.0, virtualization, mobility, telepresence, and collaborative applications offer immense potential for enhancing productivity and competitive advantage. However, they also introduce daunting new security issues, many of which are already being exploited by cybercriminals. Securing the Borderless Network is the first book entirely focused on helping senior IT decision-makers understand, manage, and mitigate the security risks of these new collaborative technologies."
Honestly when this book arrived, I was very sceptical.
Written by Tom Gillis, Vice president and General Manager of the Security Technology Business Unit at Cisco, and only 150 pages, I was not expecting anything special.
The book I would say is aimed at the IT Manager and senior IT decision makers, ie, no CCIE or CCNA material, but it is good read for the IT Professional.
Gillis obviously knows his stuff, and clearly defines what the current Web 2.0 threats and challenges are to todays businesses and beyond.
The book evolves from discussing yesterdays technologies, right up to the current day, with smartphones, malware, DLP issues etc, and what challenges this evolution has now presented us with, regarding the "Borderless Network"
All a quick and enjoyable read, I'd recommend it.
Wednesday, May 26, 2010
You can read the release notes HERE
Changes and Enhancements
Tuesday, May 11, 2010
Part of this whitepaper, details using The Cisco ASA Secure Logging feature, over TCP to Cisco MARS.
You can get access to this whitepaper HERE.
Further info on secure logging and the ASA, can be found here, in the Cisco ASA 8.2 CLI Guide.
Wednesday, April 21, 2010
Wednesday, March 24, 2010
I have been busy recently on a couple of new demos on making the most of MARS, by interfacing with some 3rd party products, unfortunately these are not finished yet.
But in the meantime I thought i would let you know about some jobs that are going at the United Health Group.
Network Manager – United Health Group
UHG has multiple network operations positions open within our corporate departments and various business segments. These positions offer tremendous growth possibility, a range of variety and responsibility, a high level of visibility and interaction with senior leaders.
Requirements (Skills, Technologies, etc) –
· 2+ Years of experience in a contracting or provider relations role working for a healthcare payor.
· BS degree in Business, or equivalent experience; MBA strongly preferred for some positions
· Ability to supervise staff including related personnel and development issues (i.e. appraisals, career planning, coaching, etc.) required for some positions.
· Advanced analytical skills
· Excellent verbal and written communication skills; ability to speak clearly and concisely, conveying complex or technical information in a manner that others can understand, as well as ability to understand and interpret complex information from others.You can see more info and apply for these postions HERE
If I find out about any more tech related jobs, I`ll let ya know!
Tuesday, January 26, 2010
Miscellaneous Changes and Enhancements
The following changes and enhancements exist in MARS, Release 6.0.6:
•SNMP v. 3.0 Support—Leveraging a secure communication protocol between MARS and Cisco security enforcement devices, customers can be assured that they are securely mitigating attacks and configuring and managing devices. SNMPv3 support enables the following features:
–Per-device SNMPv3 credentials are used for manual discovery and layer 2 mitigation.
–Support for SNMPv3 credentials for an entire network or range of IP addresses. The MARS autodiscovery feature clones the credentials for an autodiscovered device on that network.
–Monitor the health of supported devices via SNMPv3 via the resource utilization charts that you can add to the Summary > My Reports subtab.
See the Release notes for a matrix of SNMP3 support for different Cisco Devices.
Internet Explorer 8 Support—MARS supports Microsoft Internet Explorer 8 without requiring compatibility mode. Due to the nature of security revisions in Internet Explorer, you may find that you must authenticate more frequently to the MARS appliance.
•Improved Device Support—MARS now includes backward compatible support for ASA 8.0.5 and IOS 15.0(1)M. Backward compatible support means that any events that MARS parsed for ASA 8.0.4 or IOS 12.4 (11) T2 have been verified to parse in the corresponding newer release.
There have also been vendor signature updates for some Cisco and some non Cisco devices.