Sunday, March 06, 2011

AD: 10 Reasons for Migrating from MARS to AccelOps

Sponsor Advertisement

AccelOps, the integrated datacenter and cloud monitoring company, today announced a Competitive Upgrade Package, with “10 Reasons for Migrating from CS-MARS to AccelOps”, exclusively for Cisco CS-MARS security appliance customers and resellers. This responds to demand from the current CS-MARS user community and resellers seeking a migration path following the recent End-of-Life of CS-MARS.



The company's new executive brief, "10 Reasons for Migrating from CS-MARS to AccelOps" outlines the many advantages available for CS-MARS clients that migrate to AccelOps' fully integrated datacenter and cloud monitoring platform.


Friday, March 04, 2011

Cisco MARS 6.1.2 Released

Looks like Cisco released MARS 6.1.2 towards the end of February.

Obviously no new features, but signature updates, and a couple of fixes.

New Features
This release contains no new features. It is a release dedicated to issue resolution.

You can read the release notes HERE

Monday, February 21, 2011

February Update

With the Cisco MARS End of Life dates finally announced at the end of last year, I am starting to see more enquiries to the blog about replacement products.

So I have lined up some new content for the blog, including some great guest articles, and I am still looking for more.

Saturday, December 04, 2010

Cisco MARS End of Life - Official

Well, it's official: Cisco have announced the End of Life for Cisco MARS.

"Cisco announces the end-of-sale and end-of life dates for the Cisco Security Monitoring, Analysis, and Response System. The last day to order the affected product(s) is June 3, 2011."

You can read the official End of Life/End of Sales notification HERE.

The end of an Era, for probably the largest deployed SIEM tool out there.

I think it's also important to note Cisco's stance on future SIEM-type products, from the release notes: "There is no replacement available for the Cisco Security Monitoring, Analysis, and Response System at this time."

Happy hunting for a replacement!

Monday, November 29, 2010

Cisco SIEM Deployment Guide

November updates, a mixture of old and new news.

Cisco has made a few SIEM partner announcements in their efforts to bolster their Secure Borderless Network initiative as deftly referenced by Sean Martin in CIO Insight.


The new rather flashy SIEM Deployment Guide  also references how Cisco is working with some other SIEM vendors.

Also see how others are working with SIEMs, such as NetWitness.

And I have updated my part II assessment of the AccelOps SIEM as per their recent announcements.

Friday, November 12, 2010

Where on Earth is MARS?

Found this interesting article in a new infosecurity magazine, on the demise of Cisco MARS, entitled "Where on Earth is MARS?"

The article references MARS past, and surmises on the demise of Cisco MARS, and continues to relay some of the negative sentiment from a handful of analysts in the past year.

I have to say that many people though appreciate and still utilize the many innovations and capabilities that MARS offers.

While a few SIEM vendors have incorporated some of MARS features, MARS is still quite a capable Cisco-centric monitoring solution.

That being said, I also do agree that if you have outgrown your MARS appliance, need to upgrade, require broader device support, and want newer features etc, then it makes sense to look beyond MARS and kick the tires of SIEM alternatives.

Thursday, October 28, 2010

Cisco MARS 6.1.1 Released

Cisco have released MARS Version 6.1.1

You can view the release notes HERE

Changes and Enhancements

ASA 8.2.2 Botnet Traffic Filter
The ASA BTF feature was enhanced in ASA 8.2.2 to add blacklist actions including blocking functionality to Dynamic Filter, as well as additional attributes. MARS Release 6.1.1 supports these enhanced BTF attributes:
Parses the new BTF-specific syslogs that provide visibility into blocked site traffic
Supports additional attributes for "threat_level" and "threat_category"
Adds two system rules and one report 
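
An added example, not from the release notes and not Cisco or MARS code: a small parser that pulls the threat_level and threat_category attributes out of ASA Dynamic Filter syslogs and summarises blocked versus monitored traffic, which is what the two new system rules and the report are built on. The message layout is assumed from the documented ASA 8.2.2 Botnet Traffic Filter syslog family (%ASA-x-338xxx); the sample lines, message ids and addresses below are constructed, not captured from a device.

```python
import re
from collections import Counter
from typing import List, Optional

# Assumed layout of an ASA Dynamic Filter (Botnet Traffic Filter) syslog.
# The named groups map onto the attributes MARS 6.1.1 exposes
# (threat_level, threat_category); the regex is an assumption, not Cisco's grammar.
BTF_RE = re.compile(
    r"%ASA-(?P<severity>\d)-(?P<msgid>338\d{3}): Dynamic Filter "
    r"(?P<action>monitored|dropped) (?P<list>blacklisted|greylisted) "
    r"(?P<proto>\w+) traffic from (?P<src_if>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"\([\d.]+/\d+\) to (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"\([\d.]+/\d+\), (?:source|destination) (?P<resolved>[\d.]+) resolved from "
    r"(?P<list_type>dynamic|local) list: (?P<domain>[^,]+), "
    r"threat-level: (?P<threat_level>[\w-]+), category: (?P<threat_category>\S+)"
)


def parse_btf(line: str) -> Optional[dict]:
    """Return the BTF attributes of one syslog line, or None for non-BTF lines."""
    m = BTF_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    # "dropped" only appears once the 8.2.2 blocking action is enabled;
    # "monitored" is the older visibility-only behaviour.
    rec["blocked"] = rec["action"] == "dropped"
    return rec


def summarize(lines: List[str]) -> dict:
    """Counts per (threat_level, threat_category), number of blocked flows,
    and the inside hosts that talked to blacklisted destinations."""
    by_threat = Counter()
    blocked = 0
    talkers = set()
    for line in lines:
        rec = parse_btf(line)
        if rec is None:
            continue  # ordinary ASA connection logs are ignored
        by_threat[(rec["threat_level"], rec["threat_category"])] += 1
        if rec["blocked"]:
            blocked += 1
        if rec["list"] == "blacklisted":
            talkers.add(rec["src"])
    return {"by_threat": dict(by_threat), "blocked": blocked,
            "talkers": sorted(talkers)}


# Constructed sample lines (documentation-range addresses, made-up domains).
SAMPLE_LINES = [
    "%ASA-4-338001: Dynamic Filter monitored blacklisted TCP traffic from "
    "inside:10.1.1.45/6798 (203.0.113.7/6798) to outside:198.51.100.20/80 "
    "(198.51.100.20/80), destination 198.51.100.20 resolved from dynamic list: "
    "bad.example.net, threat-level: very-high, category: Malware",
    "%ASA-4-338201: Dynamic Filter dropped blacklisted TCP traffic from "
    "inside:10.1.1.62/51022 (203.0.113.7/51022) to outside:198.51.100.20/443 "
    "(198.51.100.20/443), destination 198.51.100.20 resolved from dynamic list: "
    "bad.example.net, threat-level: very-high, category: Malware",
    "%ASA-4-338101: Dynamic Filter monitored greylisted UDP traffic from "
    "inside:10.1.1.45/40000 (203.0.113.7/40000) to outside:192.0.2.9/53 "
    "(192.0.2.9/53), destination 192.0.2.9 resolved from dynamic list: "
    "grey.example.org, threat-level: moderate, category: Spyware",
    "%ASA-6-302013: Built outbound TCP connection 12345 for "
    "outside:192.0.2.1/80 (192.0.2.1/80) to inside:10.1.1.45/4444 (10.1.1.45/4444)",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
```

The summary is the shape of report a SIEM rule would key on: a very-high Malware hit that was only monitored (first line) is the one worth a ticket, because the sensor saw the traffic but did not stop it.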

ASA 8.2.3
In 6.1.1, CS-MARS supports ASA 8.2.3 (Spyker) CLI changes and high priority syslogs for CS-MARS functionality 

Agent-less Windows 2008/Vista/7 Support
In Windows 2008/Vista/7, the Windows Event Log subsystem was substantially overhauled relative to earlier versions supported by CS-MARS. MARS 6.1.1 supports Windows 2008/Vista/7 events pulled by CS-MARS from the Windows hosts (agent-less). [In 6.0.7, MARS supported Windows 2008/Vista/7 events sent by a SNARE agent (agent-based).] 

Ability to Manage SSH Keys
A new CLI command is implemented to handle outdated SSH keys: pnsshfs


Wednesday, September 01, 2010

Cisco MARS 6.0.8 Now Available

A couple of weeks out of date due to my holidays, but Cisco have released MARS 6.0.8.

You can review the release notes HERE

There are no new product enhancements, but this release has updated vendor signatures, for Cisco and non-Cisco devices, as shown below.

New Vendor Signatures
The following table describes the most recent signatures supported for each product or technology:

Revised in 6.0.8 | Product | Signature Version Supported

Intrusion Prevention and Detection Signatures
Yes | Cisco IDS 4.0, Cisco IPS 5.x, Cisco IPS 6.x, Cisco IPS 7.x | Current through S496 signature release. Current as of June 16, 2010.
No | Cisco ASA | Current as of March 9, 2010.
No | Cisco IOS 12.2/12.3/12.4 | Current as of March 9, 2010.
Yes | Snort 2.8 | Current as of June 17, 2010. Latest signature mapped: 16664.
Yes | ISS RealSecure Network Sensor 6.5 and 7.0, and ISS RealSecure Server Sensor 6.5 and 7.0 | XPU 30.061, release date: June 14, 2010
Yes | McAfee IntruShield 4.1 | v4.1.75.24, release date: June 11, 2010
Yes | McAfee Entercept HIDS 6.x | Current through the June 15, 2010 signature release.
Yes | CheckPoint Application Intelligence (VPN-1 NG with Application Intelligence R65) | Current through the June 18, 2010 signature release.
Yes | Juniper IDP 4.x | Signature version: 4.0, release date: June 14, 2010
Yes | Netscreen IDP 3.x | Signature version: 4.0, release date: June 14, 2010
Yes | Enterasys Dragon 7.2/7.3 | Current through the June 14, 2010 signature release.

Vulnerability Scanner Signatures
Yes | Qualys Guard ANY | Current through the June 16, 2010 signature release.
Yes | E-Eye, Retina Scanner Vulnerability Software, version v5.11.1.2181 | Current through the June 16, 2010 signature release.
Yes | Foundstone, version ANY | Current through the June 17, 2010 signature release.
Yes | Common Vulnerabilities and Exposures (CVE) Database | Current with the June 18, 2010 definition update.

Miscellaneous Support
No | Oracle 11g | Support for new AUDIT_ACTIONS.

Thursday, August 12, 2010

Book Review: Network Flow Analysis

Author: Michael W.Lucas
Published By: no starch press
ISBN: 1593272030

"Stop asking your users to reproduce problems. Network Flow Analysis gives you the tools and real-world examples you need to effectively analyze your network flow data."

If you have ever read any of Michael W. Lucas' other books, you will know you are in for a humorous and entertaining read.

Network Flow Analysis has a good introduction to flow: what it is, how records are made up and what it's actually used for.

"Knowing who talked to whom, when they talked, and how much each party said is terribly valuable"
Flow is not new, and there are many commercial products out there, and a few open source tools also.

Lucas has based the book on the open source Flow-tools

"Analyzing flow data from your internal network will quickly expose problems, mis-configurations, and performance issues."

The book covers how to configure flow on differing vendors' kit, and also how to configure hardware and software flow sensors like softflowd. (Softflowd is a flow-based network traffic analyser capable of Cisco NetFlow™ data export. It semi-statefully tracks traffic flows recorded by listening on a network interface or by reading a packet capture file; these flows may be reported via NetFlow™ to a collecting host.)

Once you have your devices sending flow and your open source collector set up, Lucas then demonstrates, with a variety of tools, how to manipulate the data.

"the flow-report program reads flows and produces totals, rankings, per-second and per-interface counts, and other reports"

There are also lots of warnings and help tips to assist with troublesome installs: "Correct Cflow.pm installation seems to be the single most common reason flow management projects fail" ... "do not proceed" ... "until flowdumper gives correct answers. You have been warned".

Open source tools are not everyone's cup of tea, and you may actually prefer commercial tools like the excellent Lancope, which adds NBA functionality, if you have the budget.

But, if you have no dosh, and are happy installing say BSD, and compiling a few bits and pieces, then "Network Flow Analysis" will definitely be the book to help you every step of the way.

Friday, July 30, 2010

Review: AccelOps - Part 2

In the first part of the AccelOps review, I gave a quick overview of its many features.

In Part 2, I'd like to dig a bit deeper, and cover information that serves both security and network teams – specifically dashboards, rules, logical business groups, virtual appliance and a quick and simple MARS comparison.

Dashboards
One of the items where AccelOps excels is dashboards, and there are plenty of them. You will find ready-made dashboards for Incidents, applications, security and VMware, to name a few, and their display is tied into your login. What this means is that you can have, for example, security in one view, performance in another, etc., and pretty easily adjust the views you like, by display type, number of columns, time period and number of results. Some dashboards include topology maps with incident overlays. Elements within dashboards have additional highlight details or support the means to drill down to more relevant information.
Specialized dashboards exist for availability, performance, security and business services, and you can build your own. The specialized dashboards are collections of widgets that provide information about specific functions. Any built-in or custom reports or saved searches are available as templates that can be used for dashboard widgets. The widgets in the dashboards offer five different display types: Aggregation View (Pie) - 1, Aggregation View (Bar) - 2, Tabular View - 3, Trend View - 4, and Combo View - 5.

Here you can see examples of top-firewall reports and login-failed reports.
Now remember that MARS really concentrates on security logs and monitors NetFlow, whereas AccelOps also understands many applications as well.

Searches

AccelOps has really improved the search function. Searches can be carried out in real time and historically. You can conduct a Google-like search and add SQL-like expressions, e.g. Logon/Logoff AND administrator. In the results there is also a real-time intensity graph, common in most SIEMs these days, and all the results have drop-down menu selectors, which vastly improves the speed at which you can drill down into the information you need. They also provide a structured search that offers considerably more functionality, including the Group By expression to put together useful reports. Searches can be saved as reports; see Part I regarding reporting.

Rules/Tuning

SIEMs must have a solid rules engine. You can have event-based rules, statistical threshold-based rules, time-of-day-based rules, etc. Better still, you can easily create rule exceptions that won't fire during your maintenance hours, or if your server already has Microsoft patch X that fixes a particular vulnerability.
Rules can be created from over 300 source attributes, and there is a competent mixture of useful existing performance, availability, change, security and compliance rules built in (that can be copied and edited).
AccelOps supports everything from simple threshold analytics to complex nested logic that can describe a variety of scenarios. Rules can be applied to devices, conditions and even services (described below). The rule language supports multiple sub-patterns (AND, OR, FOLLOWED_BY, ...), broad operators (equals, greater than, contains, between, ...), etc.
As an example, take the DNS Botnet rule, better explained by the pictures below: basically, rules can reference other rules. The DNS Botnet rule references 3 other rules, and all 3 must match before an Incident is created.

If this pattern occurs, referencing the 3 other rules, generate an Incident.
Whereas, as an example, one of the rules is looking at Excessive DNS queries by Flow Data or Log Data...
And the source is not a defined DNS application or known DNS Server, and the source is an internal IP...

I think you get the idea, lots more flexibility, and applications, flow data and conditions etc can be referenced.
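
To make the "rules referencing rules" idea concrete, here is an added example written for this post; it is not AccelOps code and does not reproduce the product's rule syntax. It models the three sub-rules described above (excessive DNS queries seen in flow or log data, source is not DNS infrastructure, source is an internal IP) as plain Python functions and a top-level DNS Botnet rule that only raises an incident when all three match. The networks, the resolver/DNS-application inventory standing in for CMDB lookups, the 100-queries-per-5-minutes threshold and the traffic are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed inventory standing in for the CMDB lookups the post mentions.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
KNOWN_DNS_SERVERS = {"10.0.0.53"}     # sanctioned resolvers (assumed)
DNS_APP_HOSTS = {"10.0.0.54"}         # hosts running a defined DNS application (assumed)
DNS_QUERY_THRESHOLD = 100             # assumed: queries per window that count as "excessive"
WINDOW_SECONDS = 300


@dataclass
class Event:
    ts: int         # epoch seconds
    src: str        # source IP
    dst: str        # destination IP
    dport: int
    proto: str      # "udp" or "tcp"
    origin: str     # "flow" (NetFlow record) or "log" (resolver/firewall syslog)
    count: int = 1  # a flow record may aggregate several queries


def is_dns_query(ev: Event) -> bool:
    return ev.dport == 53 and ev.proto in ("udp", "tcp")


def peak_window_count(points: List[Tuple[int, int]], window: int) -> int:
    """Largest query total from one source inside any `window`-second span.
    `points` is a list of (ts, count) sorted by ts; two-pointer sweep."""
    best = total = left = 0
    for ts, count in points:
        total += count
        while points[left][0] < ts - window:
            total -= points[left][1]
            left += 1
        best = max(best, total)
    return best


# Sub-rule 1: Excessive DNS queries by Flow Data or Log Data (both origins pooled).
def rule_excessive_dns(events: List[Event]) -> Dict[str, int]:
    per_src = defaultdict(list)
    for ev in events:
        if is_dns_query(ev):
            per_src[ev.src].append((ev.ts, ev.count))
    hits = {}
    for src, pts in per_src.items():
        peak = peak_window_count(sorted(pts), WINDOW_SECONDS)
        if peak >= DNS_QUERY_THRESHOLD:
            hits[src] = peak
    return hits


# Sub-rule 2: source is not a defined DNS application or a known DNS server.
def rule_not_dns_infrastructure(src: str) -> bool:
    return src not in KNOWN_DNS_SERVERS and src not in DNS_APP_HOSTS


# Sub-rule 3: source is an internal IP.
def rule_internal_source(src: str) -> bool:
    addr = ip_address(src)
    return any(addr in net for net in INTERNAL_NETS)


# Top-level DNS Botnet rule: all three sub-rules must match before an Incident exists.
def dns_botnet_incidents(events: List[Event]) -> List[dict]:
    incidents = []
    for src, peak in rule_excessive_dns(events).items():
        if rule_not_dns_infrastructure(src) and rule_internal_source(src):
            incidents.append({"rule": "DNS Botnet", "src": src, "queries": peak})
    return incidents


def sample_events() -> List[Event]:
    """Constructed traffic: a chatty workstation, the sanctioned resolver
    (noisy but legitimate), an external host, and a quiet workstation."""
    evs = []
    for i in range(120):   # 10.1.2.3: 120 queries in 240 s, seen via flow and log
        evs.append(Event(1000 + 2 * i, "10.1.2.3", "198.51.100.9", 53, "udp",
                         "flow" if i % 2 else "log"))
    for i in range(500):   # known resolver forwarding upstream: excluded by sub-rule 2
        evs.append(Event(1000 + i, "10.0.0.53", "192.0.2.1", 53, "udp", "flow"))
    for i in range(200):   # external source: excluded by sub-rule 3
        evs.append(Event(1000 + i, "203.0.113.5", "10.0.0.53", 53, "udp", "flow"))
    for i in range(20):    # quiet workstation: under the threshold
        evs.append(Event(1000 + 10 * i, "10.1.2.4", "10.0.0.53", 53, "udp", "log"))
    evs.append(Event(1500, "10.1.2.3", "198.51.100.9", 443, "tcp", "flow"))  # not DNS
    return evs


if __name__ == "__main__":
    print(dns_botnet_incidents(sample_events()))
```

Only the internal workstation ends up as an incident: the resolver trips the volume sub-rule but is exempted by the inventory, and the external host is outside the rule's scope. That is the same shape as the exception handling the post describes, where a rule does not fire for assets the CMDB already explains.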

Services

AccelOps has the notion of a business service that is a smart container of network devices, servers and applications serving a common business purpose.  Within their CMDB, users can create a business service via a wizard that starts with the user selecting an app or device category – let’s say an ecommerce database application.  AccelOps will show all the specific database applications and then specific servers.  By selecting the application server, it will also automatically bring up the layer-3 devices such as switches. Once the specific web server and layer-3 devices are added to the defined service, any rules associated with those monitored devices are inherited by the service.  

This is an intelligent approach to understanding device relationships, tracking services and pinpointing any issues affecting services. Every incident is tagged with the affected business service, which can be used to prioritize responses. So you can very quickly identify, if Switch X goes down, what applications and services will be impacted on the network. So beyond severity, AccelOps shows business impact.
Services can be monitored, not only parsing the logs and other sources such as Netflow for stopped and started services or changed configuration, but also by synthetic transaction monitoring tests.  Users can define and monitor simple or nested transactions from the likes of HTTP, LDAP, DNS, FTP, SMTP etc. The results of these tests can determine if a particular service is hung (or slow) and the server thinks it is working but it is not responding.  Rules can also reference synthetic transactions results. 
Appliance/Software vs. Virtual Appliance

One complaint I see with standard SIEMs is that they can be too slow running queries, especially if you are firing in many events. In the case of hardware appliances, once you have bought the hardware you are pretty much stuck with it. This presents problems once you reach the processor's limit, or a new feature comes out for a later model, or storage capacity is reached. Now, the AccelOps solution is a virtual appliance that uses your hardware running VMware. VMware provides advantages for availability and performance, and makes AccelOps very scalable. If capacity is maxed out or queries get sluggish, simply have VMware reserve more capacity, or license and fire up another VM image of the AccelOps virtual appliance. As part of a cluster, it automatically load balances the processing. AccelOps separated computation functions from storage, so using VMware you just reference the NAS/SAN storage amount, configure it to your RAID liking, and add more as required. All the data is online, with no need to restore partial archives. Maintaining the system, including updates or adding new device parsers, can be achieved with little effort.

Brief Comparison Table

MARS –  Device support is mostly Cisco and a few select third party (no support beyond current devices as per Cisco notification); netflow v5, v9,  SNMP v1, v2, v3;
AccelOps – Cisco devices and a growing vendor list (can be updated without a new release); netflow v5, v9; SNMP v1, v2, v3.

MARS – Integration with CSM and Cisco IPS Sensors (pull direct IPS raw packet traces)
AccelOps – Does not support CSM but supports Cisco and all other major IDS/IPS vendors. Also has IDS/IPS false positive tagging to reduce noise from invalid incident alerts.

MARS – Basic level of device attributes (hard coded) and modest reporting flexibility (no dashboards)
AccelOps – Extensive device attributes, easy to update with extensive search, reporting and dashboard capabilities

MARS – Topology Graphs are Static
AccelOps – Topology Graphs are dynamic (eg. incident and stat overlays), can be saved, and items moved around!  Very customizable dashboards.

MARS – No CMDB or business service concept
AccelOps – Automated CMDB with config. versioning and business service component grouping

MARS – Case Management
AccelOps – Case Management with incident filtering, auto-suppression rules, exception management and full ticketing.

MARS – Designed for Single Enterprise Users
AccelOps – Designed for Enterprise, and Multi-Tenancy, very suitable for MSSPs.

MARS – Restricted Disk Space by Appliance; weeks to months of data, requires archiving
AccelOps – Hybrid data management; does not have that problem – everything online, long-term

MARS – Very Large Scale Deployments with Global / Local Controller
AccelOps – Yes, with virtual appliance dynamic clustering, remote collector virtual appliances and multi-tenancy. Has EPS elasticity to absorb peak event/log spikes without dropping data.


To summarize, AccelOps is well suited to support mid to large enterprise and service provider security and network teams alike.

AccelOps is a SIEM and more than a SIEM.  The product works right out of the box. It is also customizable and as a virtual appliance – pretty simple to expand out. And at the same time, it has the capabilities to reduce multiple tools in the Enterprise. Definitely one to put on your shortlist if you are looking for a new, or to replace your current SIEM / log management solution.

I hope you enjoyed my overview of AccelOps (prior ver. 1.6.4 and more recently ver. 2.1). Next, I'm going to look at some more of the Cisco SIEM Deployment Guides, starting with the Cisco Security Application for Splunk.