Saturday, December 04, 2010

Cisco MARS End of Life - Official

Well, it's official: Cisco have announced the End of Life for Cisco MARS.

"Cisco announces the end-of-sale and end-of life dates for the Cisco Security Monitoring, Analysis, and Response System. The last day to order the affected product(s) is June 3, 2011."

You can read the official End of Life/End of Sales notification HERE.

The end of an Era, for probably the largest deployed SIEM tool out there.

I think it's also important to note Cisco's stance on future SIEM-type products, from the release notes: "There is no replacement available for the Cisco Security Monitoring, Analysis, and Response System at this time."

Happy hunting for a replacement!

Monday, November 29, 2010

Cisco SIEM Deployment Guide

November updates, a mixture of old and new news.

Cisco has made a few SIEM partner announcements in their efforts to bolster their Secure Borderless Network initiative as deftly referenced by Sean Martin in CIO Insight.


The new rather flashy SIEM Deployment Guide  also references how Cisco is working with some other SIEM vendors.

Also see how others are working with SIEMs, such as NetWitness.

And I have updated my part II assessment of the AccelOps SIEM as per their recent announcements.

Friday, November 12, 2010

Where on Earth is MARS?

Found this interesting article in a new infosecurity magazine, on the demise of Cisco MARS, entitled "Where on Earth is MARS?"

The article references MARS past, and surmises on the demise of Cisco MARS, and continues to relay some of the negative sentiment from a handful of analysts in the past year.

I have to say that many people though appreciate and still utilize the many innovations and capabilities that MARS offers.

While a few SIEM vendors have incorporated some of MARS features, MARS is still quite a capable Cisco-centric monitoring solution.

That being said, I also do agree that if you have outgrown your MARS appliance, need to upgrade, require broader device support, and want newer features etc, then it makes sense to look beyond MARS and kick the tires of SIEM alternatives.

Thursday, October 28, 2010

Cisco MARS 6.1.1 Released

Cisco have released MARS Version 6.1.1

You can view the release notes HERE

Changes and Enhancements

ASA 8.2.2 Botnet Traffic Filter
The ASA BTF feature was enhanced in ASA 8.2.2 to add blacklist actions including blocking functionality to Dynamic Filter, as well as additional attributes. MARS Release 6.1.1 supports these enhanced BTF attributes:
Parses the new BTF-specific syslogs that provide visibility into blocked site traffic
Supports additional attributes for "threat_level" and "threat_category"
Adds two system rules and one report 

ASA 8.2.3
In 6.1.1, CS-MARS supports ASA 8.2.3 (Spyker) CLI changes and high priority syslogs for CS-MARS functionality 

Agent-less Windows 2008/Vista/7 Support
In Windows 2008/Vista/7, the Windows Event Log subsystem was substantially overhauled relative to earlier versions supported by CS-MARS. MARS 6.1.1 supports Windows 2008/Vista/7 events pulled by CS-MARS from the Windows hosts (agent-less). [In 6.0.7, MARS supported Windows 2008/Vista/7 events sent by a SNARE agent (agent-based).] 

Ability to Manage SSH Keys
A new CLI command is implemented to handle outdated SSH keys: pnsshfs

 

Wednesday, September 01, 2010

Cisco MARS 6.0.8 Now Available

A couple of weeks out of date due to my holidays, but Cisco have released MARS 6.0.8.

You can review the release notes HERE

There are no new product enhancements, but this release has updated vendor signatures for Cisco (and non-Cisco) devices, as shown below.

New Vendor Signatures
The following table describes the most recent signatures supported for each product or technology:
Revised in 6.0.8 | Product | Signature Version Supported

Intrusion Prevention and Detection Signatures
Yes | Cisco IDS 4.0, Cisco IPS 5.x, Cisco IPS 6.x, Cisco IPS 7.x | Current through S496 signature release. Current as of June 16, 2010.
No  | Cisco ASA | Current as of March 9, 2010.
No  | Cisco IOS 12.2/12.3/12.4 | Current as of March 9, 2010.
Yes | Snort 2.8 | Current as of June 17, 2010. Latest signature mapped: 16664.
Yes | ISS RealSecure Network Sensor 6.5 and 7.0, and ISS RealSecure Server Sensor 6.5 and 7.0 | XPU 30.061. Release date: June 14, 2010.
Yes | McAfee IntruShield 4.1 | v4.1.75.24. Release date: June 11, 2010.
Yes | McAfee Entercept HIDS 6.x | Current through the June 15, 2010 signature release.
Yes | CheckPoint Application Intelligence (VPN-1 NG with Application Intelligence R65) | Current through the June 18, 2010 signature release.
Yes | Juniper IDP 4.x | Signature version: 4.0. Release date: June 14, 2010.
Yes | Netscreen IDP 3.x | Signature version: 4.0. Release date: June 14, 2010.
Yes | Enterasys Dragon 7.2/7.3 | Current through the June 14, 2010 signature release.

Vulnerability Scanner Signatures
Yes | Qualys Guard ANY | Current through the June 16, 2010 signature release.
Yes | E-Eye, Retina Scanner Vulnerability Software, version v5.11.1.2181 | Current through the June 16, 2010 signature release.
Yes | Foundstone, version ANY | Current through the June 17, 2010 signature release.
Yes | Common Vulnerabilities and Exposures (CVE) Database | Current with the June 18, 2010 definition update.

Miscellaneous Support
No  | Oracle 11g | Support for new AUDIT_ACTIONS.
 

Thursday, August 12, 2010

Book Review: Network Flow Analysis


Book: Network Flow Analysis
Author: Michael W. Lucas
Published By: no starch press
ISBN: 1593272030

"Stop asking your users to reproduce problems. Network Flow Analysis gives you the tools and real-world examples you need to effectively analyze your network flow data."

If you have ever read any of Michael W. Lucas' other books, you will know you are in for a humorous and entertaining read.

Network Flow Analysis has a good introduction to flow: what it is, how records are made up and what it's actually used for.

"Knowing who talked to whom, when they talked, and how much each party said is terribly valuable"
Flow is not new, and there are many commercial products out there, and a few open source tools also.

Lucas has based the book on the open source Flow-tools

"Analyzing flow data from your internal network will quickly expose problems, mis-configurations, and performance issues."

The book covers how to configure flow on differing vendors' kit, and also how to configure hardware and software flow sensors, like softflowd. (Softflowd is a flow-based network traffic analyser capable of Cisco NetFlow™ data export. Softflowd semi-statefully tracks traffic flows recorded by listening on a network interface or by reading a packet capture file. These flows may be reported via NetFlow™ to a collecting host.)

Once you have your devices sending flow and your open source collector set up, Lucas then demonstrates, with a variety of tools, how to manipulate the data.

"the flow-report program reads flows and produces totals, rankings, per-second and per-interface counts, and other reports"

There are also lots of warnings and help tips, to assist with troublesome installs, "Correct Cflow.pm installation seems to be the single most common reason flow management projects fail"....."do not proceed".."until flowdumper gives correct answers. You have been warned"

Open source tools are not everyone's cup of tea, and you may actually prefer commercial tools like the excellent Lancope, which adds NBA functionality, if you have the budget.

But, if you have no dosh, and are happy installing say BSD, and compiling a few bits and pieces, then "Network Flow Analysis" will definitely be the book to help you every step of the way.

Friday, July 30, 2010

Review: AccelOps - Part 2

In the first part of the AccelOps review, I gave a quick overview of its many features.

In Part 2, I'd like to dig a bit deeper, and cover information that serves both security and network teams – specifically dashboards, rules, logical business groups, virtual appliance and a quick and simple MARS comparison.

Dashboards
One of the items where AccelOps excels is dashboards, and there are plenty of them. You will find ready-made dashboards for Incidents, applications, security and VMware to name a few – and their display is tied into your login. What this means is that you can have for example, security in one view, performance in another, etc. and pretty easily adjust the views you like- by display type, number of columns, over what time period and how many results.  Some dashboards include topology maps with incident overlays. Elements within dashboards have additional highlight details or support the means to drill down to more relevant information. 
Specialized dashboards exist for availability, performance, security, and biz services and you can build your own. The specialized dashboards are collections of widgets that provide information about specific functions. Any built-in or custom reports or saved searches are available as templates that can be used for dashboard widgets. The widgets in the dashboards offer five different display types: Aggregation View (Pie) - 1, Aggregation View (Bar) - 2, Tabular View - 3, Trend View - 4, and Combo View - 5.

Here you can see examples of top-firewall reports and login-failed reports.
Now remember that MARS really concentrates on security logs and monitors NetFlow, whereas AccelOps also understands many applications as well.

Searches

AccelOps has really improved the search function. Searches can be carried out in real time and historically. You can conduct a Google-like search and add SQL-like expressions, i.e. Logon/Logoff AND administrator. In the results there is also a real-time intensity graph, common in most SIEMs these days, and all the results have drop-down menu selectors, which vastly improves the speed at which you can drill down into the information you need. They also provide a structured search that offers considerably more functionality, including the Group By expression to put together useful reports. Searches can be saved as reports – see Part I regarding reporting.

Rules/Tuning

SIEMs must have a solid rules engine. You can have event-based rules, statistical threshold-based rules, time-of-day based rules, etc. Better still, you can easily create rule exceptions that won't fire during your maintenance hours, or if your server already has Microsoft patch X that fixes a particular vulnerability.
Rules can be created from over 300 source attributes, and there is a competent mixture of useful existing performance, availability, change, security and compliance rules built in (that can be copied and edited).
AccelOps supports everything from simple threshold analytics to complex nested logic that can describe a variety of scenarios. Rules can be applied to devices, conditions and even services (described below). The rule language supports multiple sub-patterns (AND, OR, FOLLOWED_BY, ...), broad operators (equals, greater than, contains, between, ...), etc.
As an example, take the DNS Botnet rule (better explained by the pictures below); basically, rules can reference other rules. The DNS Botnet rule references 3 other rules, and all 3 must match before an Incident is created.

If this pattern occurs, which references the 3 other rules, generate an Incident.
Where, as an example, one of the rules is looking at Excessive DNS queries by Flow Data or Log Data...
And the source is not a defined DNS application or known DNS Server, and the source is an internal IP…

I think you get the idea, lots more flexibility, and applications, flow data and conditions etc can be referenced.
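To make the rule composition above concrete, here is an added example (not AccelOps code) of a toy rule evaluator: a composite "DNS Botnet" rule built from three sub-rule predicates that must all hold for a source before an incident is raised, with a maintenance-window exception of the kind described under Rules/Tuning. The internal ranges, the known DNS server, the 100-query threshold, the 02:00-04:00 window and the flow records are all constructed assumptions.

```python
"""Toy composite-rule evaluator modelled on the DNS Botnet rule described
above: three sub-rules that all have to match for one source before an
incident is raised, plus a maintenance-window exception.  This is an added
example, not AccelOps code; the networks, threshold, window and flow
records are constructed assumptions."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Callable, List

# Constructed environment (assumptions, not from the product)
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
KNOWN_DNS_SERVERS = {"10.0.0.53"}
DNS_QUERY_THRESHOLD = 100                # queries per source in the window
MAINTENANCE_WINDOW = (time(2, 0), time(4, 0))


@dataclass
class FlowRecord:
    ts: datetime
    src: str
    dst: str
    dport: int
    proto: str
    app: str = ""                        # application label set by the parser


Condition = Callable[[str, List[FlowRecord]], bool]


@dataclass
class Rule:
    """A rule is an AND of sub-rule predicates, suppressed by any exception."""
    name: str
    conditions: List[Condition]
    exceptions: List[Callable[[datetime], bool]] = field(default_factory=list)

    def matches(self, src: str, flows: List[FlowRecord], now: datetime) -> bool:
        if any(exc(now) for exc in self.exceptions):
            return False                 # e.g. inside the maintenance window
        return all(cond(src, flows) for cond in self.conditions)


# --- the three sub-rules referenced by the composite DNS Botnet rule ---
def excessive_dns(src, flows):
    """Sub-rule 1: more DNS queries from this source than the threshold."""
    counts = Counter(f.src for f in flows if f.dport == 53 and f.proto == "udp")
    return counts[src] > DNS_QUERY_THRESHOLD


def not_dns_service(src, flows):
    """Sub-rule 2: source is neither a parsed DNS application nor a known DNS server."""
    if src in KNOWN_DNS_SERVERS:
        return False
    return all(f.app != "dns-server" for f in flows if f.src == src)


def source_is_internal(src, flows):
    """Sub-rule 3: source address lies in one of our internal ranges."""
    return any(ip_address(src) in net for net in INTERNAL_NETS)


def in_maintenance_window(now):
    start, end = MAINTENANCE_WINDOW
    return start <= now.time() < end


DNS_BOTNET = Rule("DNS Botnet",
                  [excessive_dns, not_dns_service, source_is_internal],
                  exceptions=[in_maintenance_window])


def evaluate(rule: Rule, flows: List[FlowRecord], now: datetime) -> List[str]:
    """Return one incident (here: the source address) per source that
    satisfies every sub-rule of `rule` at time `now`."""
    return sorted(src for src in {f.src for f in flows}
                  if rule.matches(src, flows, now))


def sample_flows() -> List[FlowRecord]:
    """Constructed flow records for four sources."""
    t = datetime(2010, 7, 30, 10, 0)
    q = lambda src, dst, n, app="": [FlowRecord(t, src, dst, 53, "udp", app) for _ in range(n)]
    return (q("10.1.2.3", "203.0.113.53", 150)                    # internal workstation, over threshold
            + q("10.0.0.53", "203.0.113.53", 150, "dns-server")   # our DNS server recursing: legitimate
            + q("192.168.5.7", "10.0.0.53", 20)                   # internal, under threshold
            + q("198.51.100.9", "203.0.113.53", 200))             # external source: not internal


def demo(hour: int) -> List[str]:
    """Run the DNS Botnet rule over the sample flows at the given hour."""
    return evaluate(DNS_BOTNET, sample_flows(), datetime(2010, 7, 30, hour, 0))


if __name__ == "__main__":
    print(demo(10))   # ['10.1.2.3']: only the internal, non-DNS, over-threshold source
    print(demo(3))    # []: suppressed by the 02:00-04:00 maintenance exception
```

The point of the structure is that each sub-rule stays independently testable and reusable by other composite rules, and that the exception is evaluated before the conditions, so a noisy maintenance window never produces incidents that then need to be cleaned up.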

Services

AccelOps has the notion of a business service that is a smart container of network devices, servers and applications serving a common business purpose.  Within their CMDB, users can create a business service via a wizard that starts with the user selecting an app or device category – let’s say an ecommerce database application.  AccelOps will show all the specific database applications and then specific servers.  By selecting the application server, it will also automatically bring up the layer-3 devices such as switches. Once the specific web server and layer-3 devices are added to the defined service, any rules associated with those monitored devices are inherited by the service.  

This is an intelligent approach to understanding device relationships, tracking services and pinpointing any issues affecting services. Every incident is tagged with the affected business service and can be used to prioritize responses. So you can very quickly identify, if Switch X goes down, what applications and services will be impacted on the network. So beyond severity, AccelOps shows business impact.
Services can be monitored, not only parsing the logs and other sources such as Netflow for stopped and started services or changed configuration, but also by synthetic transaction monitoring tests.  Users can define and monitor simple or nested transactions from the likes of HTTP, LDAP, DNS, FTP, SMTP etc. The results of these tests can determine if a particular service is hung (or slow) and the server thinks it is working but it is not responding.  Rules can also reference synthetic transactions results. 
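As an added example (not AccelOps code) of the business-service idea in the two paragraphs above: a toy CMDB in which a service is a container of applications, servers and network devices, a service inherits the rules of every device it transitively depends on, and a failing device is mapped to the services it impacts so that an incident can be tagged with business impact. The topology, device names and rule names are constructed.

```python
"""Toy CMDB with business services: services are containers of applications,
servers and network devices; a service inherits the rules of every monitored
device it (transitively) depends on, and a failing device maps to the services
it impacts so an incident can be tagged with business impact.  Added example
modelled on the description above, not AccelOps code; the topology and rule
names are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Device:
    name: str
    kind: str                                            # "switch", "server" or "application"
    depends_on: Set[str] = field(default_factory=set)    # upstream devices it needs
    rules: Set[str] = field(default_factory=set)         # rules monitoring this device


@dataclass
class BusinessService:
    name: str
    members: Set[str]                                    # device names added via the wizard


class Cmdb:
    def __init__(self, devices: List[Device], services: List[BusinessService]):
        self.devices: Dict[str, Device] = {d.name: d for d in devices}
        self.services = services

    def upstream(self, name: str) -> Set[str]:
        """`name` plus everything it transitively depends on."""
        seen, stack = set(), [name]
        while stack:
            n = stack.pop()
            if n not in seen:
                seen.add(n)
                stack.extend(self.devices[n].depends_on)
        return seen

    def service_rules(self, service: BusinessService) -> Set[str]:
        """Rules the service inherits from its members and their dependencies."""
        rules: Set[str] = set()
        for member in service.members:
            for dev in self.upstream(member):
                rules |= self.devices[dev].rules
        return rules

    def impacted_services(self, failed: str) -> List[str]:
        """Services with a member that is `failed` or depends on it."""
        return sorted(s.name for s in self.services
                      if any(failed in self.upstream(m) for m in s.members))

    def tag_incident(self, incident: dict) -> dict:
        """Attach the affected business services to an incident record."""
        return dict(incident, services=self.impacted_services(incident["device"]))


def sample_cmdb() -> Cmdb:
    """Constructed topology: an ecommerce service behind a core switch and an
    HR service behind an access switch."""
    devices = [
        Device("sw-core-1", "switch", rules={"Interface Down", "High CPU"}),
        Device("sw-access-2", "switch", rules={"Interface Down"}),
        Device("web-1", "server", {"sw-core-1"}, {"Host Down", "Web Server Errors"}),
        Device("db-1", "server", {"sw-core-1"}, {"Host Down", "Disk Space Low"}),
        Device("hr-srv", "server", {"sw-access-2"}, {"Host Down"}),
        Device("shop-web", "application", {"web-1", "shop-db"}, {"HTTP Response Slow"}),
        Device("shop-db", "application", {"db-1"}, {"DB Connection Failures"}),
        Device("hr-app", "application", {"hr-srv"}, {"HTTP Response Slow"}),
    ]
    services = [BusinessService("ecommerce", {"shop-web", "shop-db"}),
                BusinessService("hr", {"hr-app"})]
    return Cmdb(devices, services)


if __name__ == "__main__":
    cmdb = sample_cmdb()
    print(cmdb.impacted_services("sw-core-1"))                          # ['ecommerce']
    print(cmdb.tag_incident({"device": "hr-srv", "rule": "Host Down"}))  # services: ['hr']
```

Because impact is computed from the dependency closure rather than from a hand-maintained list, adding a device to a service automatically brings in the switches and servers beneath it, which is the "inherited rules" behaviour the review describes.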
Appliance/Software vs. Virtual Appliance

One complaint I see with standard SIEMs is that they can be too slow running queries, especially if you are firing in many events. In the case of hardware appliances, once you have bought the hardware you are pretty much stuck with it. This presents problems once you reach the processor's limit, when a new feature comes out for a later model, or when storage capacity is reached. Now, the AccelOps solution is a virtual appliance that uses your hardware running VMware. VMware provides advantages for availability and performance, and makes AccelOps very scalable. If capacity is maxed out or queries get sluggish, simply have VMware reserve more capacity, or license and fire up another VM image of the AccelOps virtual appliance. As part of a cluster, it automatically load balances the processing. AccelOps separated computation functions from storage, so using VMware you just reference the NAS/SAN storage amount and configure it to your RAID liking – and add more as required. All the data is online – no need to restore partial archives. Maintaining the system, including updates or adding new device parsers, can be achieved with little effort.

Brief Comparison Table

MARS –  Device support is mostly Cisco and a few select third party (no support beyond current devices as per Cisco notification); netflow v5, v9,  SNMP v1, v2, v3;
AccelOps – Cisco devices and growing vendor list – (can updates without a new release), netflow v5, v9, SNMP v1, v2, v3.

MARS – Integration with CSM and Cisco IPS Sensors (pull direct IPS raw packet traces)
AccelOps – Does not support CSM but supports Cisco and all other major IDS/IPS vendors. Also has IDS/IPS false positive tagging to reduce noise regarding invalid incident alerts.

MARS – Basic level of device attributes (hard coded) and modest reporting flexibility (no dashboards)
AccelOps – Extensive device attributes, easy to update with extensive search, reporting and dashboard capabilities

MARS – Topology Graphs are Static
AccelOps – Topology Graphs are dynamic (eg. incident and stat overlays), can be saved, and items moved around!  Very customizable dashboards.

MARS – No CMDB or business service concept
AccelOps – Automated CMDB with config. versioning and business service component grouping

MARS – Case Management
AccelOps – Case Management with incident filtering, auto-suppression rules, exception management and full ticketing.

MARS – Designed for Single Enterprise Users
AccelOps – Designed for Enterprise, and Multi-Tenancy, very suitable for MSSPs.

MARS – Restricted Disk Space by Appliance; weeks to months of data, requires archiving
AccelOps – Hybrid data management; does not have that problem – everything online, long-term

MARS – Very Large Scale Deployments with Global / Local Controller
AccelOps – Yes, with virtual appliance dynamic clustering, remote collector virtual appliances and multi-tenancy. Has EPS-elasticity to support peak event/log spikes without dropping data.


To summarize, AccelOps is well suited to support mid to large enterprise and service provider security and network teams alike.

AccelOps is a SIEM and more than a SIEM.  The product works right out of the box. It is also customizable and as a virtual appliance – pretty simple to expand out. And at the same time, it has the capabilities to reduce multiple tools in the Enterprise. Definitely one to put on your shortlist if you are looking for a new, or to replace your current SIEM / log management solution.

I hope you enjoyed my overview of AccelOps (prior ver. 1.6.4 and more recently ver2.1).  Next, I’m going to look at some more of the Cisco SIEM Deployment Guides, starting with the Cisco Security Application for Splunk.


Tuesday, July 27, 2010

New Cisco SIEM Deployment Guide

Cisco have released the Security Information Event Management (SIEM) Deployment Guide, as part of the Smart Business Architecture, Borderless Networks for Enterprise Organizations.

Personally, this looks like a first step Cisco is making to work with other SIEM vendors, to handle non-Cisco and Cisco devices.

"This guide is for security operations personnel in enterprise organizations who want to understand the benefits of deploying Cisco infrastructure with security information and event management (SIEM) products, and learn how Cisco infrastructure helps deliver those benefits."


"Customers have a major investment in Cisco technology, and they rely on Cisco to provide secure, robust, scalable, and interoperable solutions. Cisco is partnering with best-in-class companies through the Cisco® Developer Network to deliver a security information and event management system that enhances the diverse security and reporting needs of our mutual customers. This integration enables customers to take advantage of Cisco’s infrastructure intelligence using the operational tools that are best suited to their environment."


"If CS-MARS is already deployed for monitoring and correlating events from Cisco devices, organisations can archive data from CS-MARS and import it into third-party SIEM solutions for consolidating events into a single dashboard. In a heterogeneous environment, it is recommended using third-party SIEM solutions."

Well worth a quick read, especially if you are new to SIEM.

Wednesday, July 21, 2010

SIEMLink with MARS

Although not exactly new news, you may not know that one of the complaints from the security community regarding MARS (and, to be honest, most SIEMs) is the lack of real session data, or raw packets, for incident response.



Now one of the hottest products around, in this arena is NetWitness.

"NetWitness Investigator is the award-winning interactive threat analysis application of the NetWitness NextGen product suite. Investigator provides security operations staff, auditors, and fraud and forensics investigators the power to perform unprecedented free-form contextual analysis of raw network data."

NetWitness has a product called SIEMLink, that can be used with your NetWitness setup to interface with MARS.

Simply install the SIEMLink product and browse the MARS interface. Anywhere you see IP address information, e.g. in an incident, you can highlight the IP, send it to the NetWitness product, and reconstruct the traffic.


I actually did a demonstration of this a few months ago in London, as part of an ASA Botnet Demo; you can see the process here.





I should also mention that you can do this with not only MARS. I have personally done this with Palo Alto, QRadar, and Lancope.


NetWitness also provide a free edition to the community; I would seriously recommend checking this out, if it's of interest to you.

You can see some YouTube videos here on NetWitness in action, well worth 5 minutes of your time.

Further news on the upcoming NetWitness v9.5 has just been released, if you are interested...

One of the most compelling areas they have been working on is content extraction, for the extraction and analysis of malware, and collection of certain types of content, such as executables, PDF files etc.

And for enterprise customers, NetWitness Visualize, is a great new feature of Informer 2.0

A YouTube video of the new version is here, and a demonstration site of the cool new Visualize features can be accessed here.





Friday, July 09, 2010

Review: AccelOps - Part One




What options have you got, if you are looking to replace or upgrade your MARS appliance or other SIEM/logging solution?

A lot has changed in the SIEM space, since Cisco released the Cisco Monitoring Analysis and Response System, around early 2005.

MARS was one of the first products to collect, normalize and correlate event logs from all the major security vendors, systems and netflow, and run those events against security-based rules to create incidents, producing real time alerts and historical queries and reporting functions.

Times move on and most vendors speak of SIEM 2.0 or second generation, with more intelligent log gathering, useful details, identity information, geo-location databases, more comprehensive Windows event collection, etc.

Now you may already know, that the original MARS creators (the Protego folks) have created a new product called AccelOps, and they believe this is a better migration path and alternative to CS-MARS, than any other 2nd generation SIEM.

So what’s so good about AccelOps?

Well, a lot; so much that I have already decided to do this review in 2 parts, as there is a lot to tell after personally installing and testing the product in my lab.

Given smarter threats within more complex infrastructures, compliance mandate overlaps and the drive for resource efficiencies – security operational requirements have evolved.

AccelOps has created a strong SIEM 2.0-comparable product, and then said OK, security events are only one part of the picture.

Let's add not only security devices, but servers, VMs, applications, processes running on those servers, DHCP and DNS information, web server logs, application response times, wireless AP logs, flow data, and then analyse the whole lot using a highly scalable and cluster-capable VM infrastructure.

Now throw in device configs and OS patch information, switch port mappings and grab L2 and L3 topology data across multi-vendor devices.

(So basically I can pull up IP-to-port mappings just as easily from an HP ProCurve switch as I can from a Cisco Catalyst switch.)


And while we are doing that, let's collect CPU, disk space, and a whole host of performance and resource stats. Then you get the picture – literally the whole picture.


AccelOps discovers and monitors the entire infrastructure via agentless receiving or polling using various protocols (SNMP, syslog, Telnet, HTTP, WMI, RPC, JDBC, JMX, VI-SDK). It also auto-detects a device type; if you send it, say, ASA logs via syslog it will identify and appropriately process the log. Captured data is parsed and correlated in real time and can be historically analysed.

The security team gets the usual SIEM and logging features and will love its NBAD functionality (and the ability to view flows), since it baselines network activity and alerts on anomalous behavior, while network teams will love monitoring traffic, system and application activity, tracking issues and resource consumption, and assessing assets and config changes.


All the device/system config data and recent stats get populated in a CMDB (configuration management database), so I always have device details. I can view my current Palo Alto device config, or do a compare with a diff of last week's working config, a particular user's AD group membership, the serial number of my ASA in London, which servers have IIS installed, etc., all from one place.

AccelOps has developed a hybrid data management system that stores unstructured event data (e.g. logs, flows and events) in a flat-file based database and structured data (e.g. configs) in an embedded relational database (PostgreSQL).

This enables query parallelization across clusters, and solves the slow reporting problems (and storage bloat) encountered with many SIEMs as they grow. There is no database tuning required and all the historical data remains online (no need to restore archives).

This really provides the means to support root-cause analysis, conduct investigations or produce compliance or other reports that much more efficiently. You can distinguish security issues from non-security issues that much faster, and at the same time support IT collaboration to resolve problems, with a tool everyone can use.

One of the great things in AccelOps is the Identity and Access Monitoring. This feature collates all primary and secondary logins, whether locally on the network, remote via VPN, or wireless via an access point. Combined with DHCP and AD information, any IP address can be automatically associated with a specific user on a specific server/laptop.


This comes in really useful when you have an incident and you want to establish who changed or did what, and from where, at that particular time. Or go back in time to assess access policy, use of terminated accounts, suspicious service account activity, or user/group actions.

Wherever source or destination IP addresses are presented in AccelOps, you can gain further information. For an internal IP address: the hostname, OS information, version, owner, and whether it's a known server or client machine in the network. For an external IP address, you can do third-party lookups to dnstuff, SANS, Cisco SenderBase, or a honeypot database.
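As an added example (not AccelOps code) of the identity correlation described in the paragraphs above: attribute an IP address at a given moment to a host via DHCP lease records, then to a user via the latest interactive logon on that host. The log lines are constructed; the key=value DHCP line format is invented for this example rather than taken from any real server, and Windows EventID 4624 (successful logon) is used as the logon event. The example also covers the edge case that matters in an investigation: the same address leased to two different machines at different times.

```python
"""Toy identity-and-access correlation: given an IP address and a point in
time, find the host that held the address (DHCP lease records) and the user
logged on to that host (Windows logon events), so an incident's IP can be
attributed to a person.  Added example modelled on the feature described
above, not AccelOps code.  The log lines below are constructed; the
key=value DHCP line format is invented for this example, and EventID 4624
(successful logon) is used as the logon event."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

TS_FMT = "%Y-%m-%d %H:%M:%S"
KV = re.compile(r"(\w+)=(\S+)")

# Constructed sample logs.  Note 10.1.2.3 is leased to LAPTOP-ALICE at 08:00
# for one hour and re-issued to LAPTOP-BOB at 09:30: the same address means a
# different person depending on when it was observed.
DHCP_LOG = """\
2010-07-09 08:00:00 DHCPACK ip=10.1.2.3 mac=00:11:22:33:44:55 host=LAPTOP-ALICE lease=3600
2010-07-09 08:05:00 DHCPACK ip=10.1.2.9 mac=cc:dd:ee:ff:00:11 host=LAPTOP-CAROL lease=3600
2010-07-09 09:30:00 DHCPACK ip=10.1.2.3 mac=66:77:88:99:aa:bb host=LAPTOP-BOB lease=3600
"""
LOGON_LOG = """\
2010-07-09 08:01:10 EventID=4624 user=alice host=LAPTOP-ALICE type=Interactive
2010-07-09 08:06:00 EventID=4624 user=carol host=LAPTOP-CAROL type=Interactive
2010-07-09 09:31:05 EventID=4624 user=bob host=LAPTOP-BOB type=Interactive
2010-07-09 09:45:00 EventID=4624 user=svc-backup host=LAPTOP-BOB type=Service
"""


@dataclass
class Lease:
    ip: str
    mac: str
    host: str
    start: datetime
    end: datetime


@dataclass
class Logon:
    ts: datetime
    user: str
    host: str
    kind: str


def parse_line(line: str):
    """Split '<timestamp> <key=value ...>' into (datetime, dict)."""
    return datetime.strptime(line[:19], TS_FMT), dict(KV.findall(line[19:]))


def parse_dhcp(text: str) -> List[Lease]:
    leases = []
    for line in text.splitlines():
        ts, kv = parse_line(line)
        leases.append(Lease(kv["ip"], kv["mac"], kv["host"],
                            ts, ts + timedelta(seconds=int(kv["lease"]))))
    return leases


def parse_logons(text: str) -> List[Logon]:
    logons = []
    for line in text.splitlines():
        ts, kv = parse_line(line)
        if kv.get("EventID") == "4624":
            logons.append(Logon(ts, kv["user"], kv["host"], kv["type"]))
    return logons


def host_for_ip(leases: List[Lease], ip: str, t: datetime) -> Optional[Lease]:
    """The lease covering `ip` at time t.  If leases overlap because the server
    re-issued the address early, the most recently issued one wins."""
    active = [l for l in leases if l.ip == ip and l.start <= t < l.end]
    return max(active, key=lambda l: l.start) if active else None


def user_for_host(logons: List[Logon], host: str, t: datetime) -> Optional[str]:
    """Latest interactive logon on `host` at or before t; service-account
    logons are ignored so they do not masquerade as the console user."""
    hits = [l for l in logons if l.host == host and l.kind == "Interactive" and l.ts <= t]
    return max(hits, key=lambda l: l.ts).user if hits else None


def who_was_at(ip: str, when: str) -> Optional[dict]:
    """Attribute `ip` at time `when` (a TS_FMT string) to host, MAC and user."""
    t = datetime.strptime(when, TS_FMT)
    lease = host_for_ip(parse_dhcp(DHCP_LOG), ip, t)
    if lease is None:
        return None                      # no lease: the address was unassigned
    return {"host": lease.host, "mac": lease.mac,
            "user": user_for_host(parse_logons(LOGON_LOG), lease.host, t)}


if __name__ == "__main__":
    print(who_was_at("10.1.2.3", "2010-07-09 08:30:00"))   # alice on LAPTOP-ALICE
    print(who_was_at("10.1.2.3", "2010-07-09 09:50:00"))   # bob on LAPTOP-BOB
    print(who_was_at("10.1.2.3", "2010-07-09 09:10:00"))   # None: lease expired
```

The lease window check is what keeps the attribution honest: an address observed after a lease expired must not be pinned on the previous holder, and a service-account logon on the same box must not be mistaken for the person at the keyboard.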

If I had one complaint, it would be that it lacks an on-box geo-location database for country mappings at this present time (I was told: next release).

You would be forgiven if you thought processing all this and other performance data would slow its SIEM-like event parsing and analytics. For many solutions it would, believe me.

AccelOps marries a virtualization cluster architecture (the system runs on VMware as a turnkey software virtual appliance) to its high-speed event parsing engine (XML based framework) which assures performance. Adding AccelOps VM instances to a cluster offers near-linear performance for event correlation, search and reporting scale (vendor claims).


An XML-based parsing engine and compiler is used to support new devices and applications without a software upgrade – and they already support quite a decent list of mainstream devices.

I actually found this out for myself when AccelOps created a TippingPoint parser for me, and I simply copied the provided XML file to the box – it took just a couple of days.

In my opinion the Google-like real-time search, advanced search and historical reporting is superb. You can move fields around, select and filter from over 350 parsable fields, incorporate Boolean and operator logic, and group results in your display.



The beauty is that any of your results can produce on-demand or scheduled reports with charts, tables, etc. And these can be instantly added as dashboard elements. (In fact any of the dashboard fixings can be customized.) The rule GUI is very similar and powerful, supporting nested rules and attributes to describe alertable scenarios. For example, certain rules (like a startup config differing from the running config) can trigger compliance alerts. Alert notification supports SNMP, SMTP, email, XML and their console (more on rule analytics in part 2).

Reporting-wise, AccelOps comes installed with over 800 reports and respective rules, covering security, performance, availability and compliance, with specifics for PCI, COBIT, HIPAA/HITECH, SOX and ITIL, which are great for keeping management happy :-)


I found the AccelOps user interface to be very dynamic (it was developed in Adobe Flex) and it runs within any browser (no more Internet Explorer only!), offering anywhere, anytime use.

A word of warning though: you may want a large monitor to get the full benefit of the variety of information presented.

That’s it for Part One.  I will cover rules, dashboards and monitoring of “Business Services”, and compare AccelOps to MARS in Part Two.

I still see organizations making large investments into SIEM alone, and not having the time or resources to realize the investment.

In my opinion, AccelOps is worth putting on your SIEM/logger shortlist. They have intelligently taken bits out of SIEM, performance management, change management and business service management (BSM) and put it all together to create a tool that enables the security and IT teams to work more efficiently.

AccelOps can be deployed on-premise as a virtual appliance or delivered as a Software-as-a-Service.

Thursday, July 08, 2010

MARS Blog Update

You may have noticed that Gartner left Cisco MARS out of the SIEM Magic Quadrant for 2010 this year.

And although hard to find, Cisco did come out and say MARS will in future concentrate on Cisco-only devices and critical host OS. (And then recently released 6.0.7 with support for Windows 2008.)

Cisco have also recently announced Cisco Security Agent has gone End of Sale, but there have been NO similar notices for MARS. It is very much still alive.

But if you are NOT a pure Cisco network, you may be looking at the market to replace MARS with another product that can handle your 3rd party applications and devices.

In my next few articles, I am going to review a couple of alternatives, if you are looking to change, and make the most of your network.

But I am (as always) on the lookout for "Guest Articles" on making the most of your MARS deployment. So come on, get involved!

Or as I think the direction that the blog may take, Monitoring and Analysis, of your Routers and Switches. (or Monitoring of Applications, Resources and Security.)


Wednesday, June 02, 2010

Book Review: Securing the Borderless Network

Book: Securing the Borderless Network
Published By: Cisco Press
Author: Tom Gillis

"Today’s new Web 2.0, virtualization, mobility, telepresence, and collaborative applications offer immense potential for enhancing productivity and competitive advantage. However, they also introduce daunting new security issues, many of which are already being exploited by cybercriminals. Securing the Borderless Network is the first book entirely focused on helping senior IT decision-makers understand, manage, and mitigate the security risks of these new collaborative technologies."

Honestly when this book arrived, I was very sceptical.

Written by Tom Gillis, Vice president and General Manager of the Security Technology Business Unit at Cisco, and only 150 pages, I was not expecting anything special.

The book, I would say, is aimed at the IT Manager and senior IT decision makers, i.e. no CCIE or CCNA material, but it is a good read for the IT Professional.

Gillis obviously knows his stuff, and clearly defines what the current Web 2.0 threats and challenges are to today's businesses and beyond.

The book evolves from discussing yesterday's technologies right up to the current day, with smartphones, malware, DLP issues etc., and what challenges this evolution has now presented us with regarding the "Borderless Network".

All in all, a quick and enjoyable read; I'd recommend it.

Wednesday, May 26, 2010

Cisco MARS 6.0.7 Now Available

Cisco have released MARS version 6.0.7

You can read the release notes HERE


Changes and Enhancements

The following enhancement exists in Cisco Security MARS, Release 6.0.7:
Support for Windows 2008—Cisco Security MARS provides agent based, native log support for Windows 2008 server hosts. Users can send syslog to CS-MARS by installing a Snare agent on their Windows 2008 server hosts.
Support for Windows IIS 7—Cisco Security MARS provides support for IIS 7 on Windows 2008 servers.

Enjoy :-)

Tuesday, May 11, 2010

Cisco ASA Secure Logging and MARS

Doug McKillip, a Global Knowledge Instructor, has created a white paper, "Using Syslog Effectively for Security Troubleshooting".

Part of this whitepaper details using the Cisco ASA Secure Logging feature over TCP to Cisco MARS.


You can get access to this whitepaper HERE.

Further info on secure logging and the ASA can be found here, in the Cisco ASA 8.2 CLI Guide.

Wednesday, April 21, 2010

MARS Support for SNMP V3

Rather than re-invent the wheel, there is a good write-up on the new SNMP v3 feature in MARS 6.0.6 on the Global Knowledge Blog.


Wednesday, March 24, 2010

Fancy a new Job?

I have been busy recently on a couple of new demos on making the most of MARS by interfacing with some 3rd party products; unfortunately these are not finished yet.

But in the meantime I thought I would let you know about some jobs that are going at the United Health Group.

Recession -what recession? !!!

Network Manager – United Health Group

UHG has multiple network operations positions open within our corporate departments and various business segments. These positions offer tremendous growth possibility, a range of variety and responsibility, a high level of visibility and interaction with senior leaders.

Requirements (Skills, Technologies, etc) –

· 2+ Years of experience in a contracting or provider relations role working for a healthcare payor.

· BS degree in Business, or equivalent experience; MBA strongly preferred for some positions

· Ability to supervise staff including related personnel and development issues (i.e. appraisals, career planning, coaching, etc.) required for some positions.

· Advanced analytical skills

· Excellent verbal and written communication skills; ability to speak clearly and concisely, conveying complex or technical information in a manner that others can understand, as well as ability to understand and interpret complex information from others.

You can see more info and apply for these positions HERE


If I find out about any more tech related jobs, I'll let ya know!


Tuesday, January 26, 2010

Cisco MARS 6.0.6 Now Available

Release Notes for 6.0.6 are available HERE

Miscellaneous Changes and Enhancements

The following changes and enhancements exist in MARS, Release 6.0.6:

SNMP v. 3.0 Support—Leveraging a secure communication protocol between MARS and Cisco security enforcement devices, customers can be assured that they are securely mitigating attacks and configuring and managing devices. SNMPv3 support enables the following features:

Per-device SNMPv3 credentials are used for manual discovery and layer 2 mitigation.

Support for SNMPv3 credentials for an entire network or range of IP addresses. The MARS autodiscovery feature clones the credentials for an autodiscovered device on that network.

Monitor the health of supported devices via SNMPv3 via the resource utilization charts that you can add to the Summary > My Reports subtab.

See the release notes for a matrix of SNMPv3 support for different Cisco devices.

Internet Explorer 8 Support—MARS supports Microsoft Internet Explorer 8 without requiring compatibility mode. Due to the nature of security revisions in Internet Explorer, you may find that you must authenticate more frequently to the MARS appliance.

Improved Device Support—MARS now includes backward compatible support for ASA 8.0.5 and IOS 15.0(1)M. Backward compatible support means that any events that MARS parsed for ASA 8.0.4 or IOS 12.4(11)T2 have been verified to parse in the corresponding newer release.

There have also been vendor signature updates for some Cisco and some non Cisco devices.