© 2001, Cisco Systems, Inc. All rights reserved.
Cisco Info Center for Security Monitoring
Problem Statement
“We have so many security-management consoles we can’t keep up with all of the information. We have firewalls that haven’t been updated in months and reams of security logs we haven’t sifted through; I really couldn’t tell you whether we’ve been hacked or not. I honestly don’t know.”
Security analyst at a large consumer goods company (quote from Information Week)
Challenges of Security Management
Security devices shown: network IDS switch blades, network IDS appliances, firewall appliances, firewall switch blades, IOS routers
• Current security solutions typically consist of multiple point products, each working independently
• Security devices generate massive volumes of events; most of them are not critical
• Sorting through them to determine whether they indicate a threat requires understanding the relationships among them
• Additional context is required to determine whether a problem exists and, if so, what action is required
Value Proposition: Wide Operational Monitoring Coverage
• Comprehensive monitoring - customers want a holistic view of their organizations’ security
  Coverage of firewalls, NIDSs and HIDSs, as well as information from throughout the IT infrastructure such as smart cards, network-access logs, and user application login and access data
  Input from VPNs, antivirus software and various kinds of provisioning and access-control applications
  Monitor configuration updates, track failed operations, monitor resource utilization
  Security-relevant logs from SAP and other critical applications
Value Proposition: False Alarm Reduction
• Clear distinction between alarms that represent successful attacks and those that are false alarms or unsuccessful attacks
  Based on vulnerability assessment, reduce the event priority if the target machine doesn’t run the at-risk software or if its antivirus software is already prepared for the attack
• Most security alerts look a lot like performance or availability problems
  Need to monitor performance and network events as well as security events
  Integrate with other network management systems to distinguish attacks from natural phenomena
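The priority-reduction rule on this slide, worked through as an added example (this is illustrative code, not Cisco Info Center's own correlation logic). It assumes a constructed vulnerability-assessment inventory that records, per host, the software found installed and the attacks its antivirus engine already covers, and an IDS alert feed in which each signature names the software it exploits. Identical alerts are first collapsed into a count, so a burst of non-critical events becomes one row.

```python
"""Added example (not Cisco Info Center code): rank IDS alerts using
vulnerability-assessment (VA) data, as the slide describes.

Assumptions (constructed for this example):
  - each IDS alert names the software its signature targets;
  - the VA inventory lists, per host, the software installed and the
    attacks its antivirus engine already covers.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    signature: str         # IDS signature name
    target: str            # destination host IP
    targets_software: str  # software the exploit needs on the target
    severity: int          # raw IDS priority: 1 (low) .. 5 (critical)


# Constructed VA inventory: host -> facts the last scan found
VA_INVENTORY = {
    "10.1.1.10": {"software": {"iis", "windows"}, "av_covers": {"mass-mailer-worm"}},
    "10.1.1.11": {"software": {"apache", "linux"}, "av_covers": set()},
}


def prioritize(alert, inventory):
    """Return (priority, reason). Hosts without VA data keep the raw severity."""
    facts = inventory.get(alert.target)
    if facts is None:
        return alert.severity, "no VA data for target; keep raw severity"
    if alert.targets_software not in facts["software"]:
        return 1, f"target does not run {alert.targets_software}"
    if alert.signature in facts["av_covers"]:
        return 2, "antivirus on target already covers this attack"
    return alert.severity, "target runs the at-risk software; keep raw severity"


def triage(alerts, inventory):
    """Collapse identical alerts into a count and return rows, highest priority first."""
    rows = []
    for alert, n in Counter(alerts).items():
        priority, reason = prioritize(alert, inventory)
        rows.append({"signature": alert.signature, "target": alert.target,
                     "count": n, "priority": priority, "reason": reason})
    rows.sort(key=lambda r: (-r["priority"], -r["count"]))
    return rows


# Constructed alert feed: a burst of IIS exploit attempts against a Linux host,
# a worm hit on a host whose antivirus already knows it, one real IIS hit, and
# an alert for a host the VA scan never saw.
SAMPLE_ALERTS = [
    Alert("iis-unicode-traversal", "10.1.1.11", "iis", 5),
] * 3 + [
    Alert("mass-mailer-worm", "10.1.1.10", "iis", 5),
    Alert("iis-unicode-traversal", "10.1.1.10", "iis", 5),
    Alert("ssh-brute-force", "10.1.1.99", "openssh", 3),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS, VA_INVENTORY):
        print(row)
```

With the constructed feed, the three attempts against the Linux host drop to priority 1 as a single row with a count of 3, the worm alert drops to 2 because the target's antivirus covers it, and only the IIS hit on the IIS host keeps its critical rating. A host that is missing from the VA inventory keeps its raw severity rather than being silently downgraded, which is the safe failure mode when the assessment data is stale.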
Value Proposition: Threat Response Tools
• Threat response automation – customers need to be able to take an incident or attack and address it in the proper way in real time
  Automated investigation to determine:
  1) Was the attack successful?
  2) What can be done about it?
  Automatic collection and preservation of evidence
• In some cases the response to an attack is to shut down a firewall, router or even part of a network; tools for this can be launched from the event viewer
• The corrective action may also include reinstalling configuration files for devices that have been hacked
Value Proposition: Monitoring Configuration Changes
• Monitoring configuration changes
  Many hackers exploit the security infrastructure for their own ends, modifying configuration files to give themselves unlimited access.
  Analysis of configuration changes to identify “suspicious changes”.
  Distinguish changes triggered by the Domain Manager from changes made over telnet.
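The Domain-Manager-versus-telnet distinction on this slide, as an added example (illustrative code, not Cisco Info Center's). IOS logs every change to the running configuration as a %SYS-5-CONFIG_I message whose tail names the user, the line (console or a vty session) and, for vty sessions, the source address. The example assumes a constructed identity for the domain manager's management session (user name and source address) and treats any configuration change that does not match it as suspicious; the syslog lines are constructed, not captured from a real device.

```python
"""Added example (not Cisco Info Center code): flag IOS configuration-change
syslog messages that did not come from the domain manager.

Assumption (constructed): the domain manager pushes configuration from one
known user account and source address; anything else is "suspicious".
"""
import re

# Syslog header as written by a typical relay: "Mon DD HH:MM:SS host ..."
HEADER_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) ")

# IOS emits %SYS-5-CONFIG_I whenever the running configuration is changed;
# the tail names who changed it and, for vty (telnet/ssh) sessions, from where.
CONFIG_RE = re.compile(
    r"%SYS-5-CONFIG_I: Configured from (?P<source>\S+) by (?P<user>\S+?)"
    r"(?: on (?P<line>\S+))?(?: \((?P<ip>[\d.]+)\))?$"
)

# Constructed identity of the domain manager's management session
TRUSTED_MANAGER = {"user": "cnsmgr", "ips": {"10.0.0.50"}}


def classify_config_change(line, trusted):
    """Return a dict describing a config change, or None if the line is not one."""
    line = line.rstrip()
    head = HEADER_RE.match(line)
    body = CONFIG_RE.search(line)
    if not head or not body:
        return None
    event = {"ts": head["ts"], "host": head["host"], **body.groupdict()}
    if event["user"] == trusted["user"] and event["ip"] in trusted["ips"]:
        event["verdict"] = "expected"
        event["reason"] = "change pushed by the domain manager"
    elif event["line"] is None:
        event["verdict"] = "suspicious"
        event["reason"] = "change made on the local console, not by the domain manager"
    else:
        event["verdict"] = "suspicious"
        event["reason"] = f"interactive change over {event['line']} from {event['ip']}"
    return event


def review(lines, trusted):
    """Run every line through the classifier and keep only config-change events."""
    return [e for e in (classify_config_change(l, trusted) for l in lines) if e]


SAMPLE_SYSLOG = [  # constructed sample lines
    "Jan 12 10:15:02 edge-rtr1 45: %SYS-5-CONFIG_I: Configured from console by cnsmgr on vty0 (10.0.0.50)",
    "Jan 12 10:16:40 edge-rtr1 46: %SYS-5-CONFIG_I: Configured from console by admin on vty1 (203.0.113.7)",
    "Jan 12 10:17:05 edge-rtr1 47: %SYS-5-CONFIG_I: Configured from console by console",
    "Jan 12 10:17:30 edge-rtr1 48: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up",
]

if __name__ == "__main__":
    for e in review(SAMPLE_SYSLOG, TRUSTED_MANAGER):
        print(e["ts"], e["host"], e["verdict"], "-", e["reason"])
```

The first line matches the manager's user and address and is reported as expected; the second is an interactive vty session from an address the manager never uses; the third was typed on the physical console, where no source address exists at all. Non-configuration messages are dropped so the rule can run across a full syslog feed. A deployment would pair this with a configuration diff, since the syslog message says only that a change happened, not what changed.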
Additional Feature Benefits
• Event enrichment and customer impact analysis
• Prevent attacks and intrusions instead of merely detecting them after they’ve taken place
• Easier and less-expensive way to deploy software patches to address vulnerabilities rapidly
Security Monitoring Architecture
Cisco Info Center Security Management Architecture Components
• Info Server
• Cisco Device Mediators (IDS, FW…)
• Cisco Universal Collector (Cisco CNS Notification Engine & Cisco CNS)
• Policy Manager / Impact (Security Policies)
• GW & Reports
• Webtop
Cisco Value Adds
• Rules
• Filters
• Views
• Automations
• Cisco Universal Collector (CUC) & Cisco CNS
Handle Config Change Events
Cisco Info Center Security Management Architecture (diagram)
Event sources: VPN, IOS IDS, IOS FW, HIPS (Okena), IDS, PIX FW, Cisco CNS Probe, non-Cisco probes, other network elements
Collection: RDEP, syslog, POP, CTR; Cisco CNS Notification Engine (deduplication and correlation); Cisco CNS; Info Server
Policy layer: Policy Manager, Impact, Security Policies
Integrated domain managers: Cisco IP Solution Center, Cisco Threat Response, Vulnerability Assessment, IP Address Management, Subscriber Management, PTC-MT, other Domain Managers
Threat Analysis and Response Tools (diagram)
Pipeline: Event Collection -> Event Correlation & Aggregation -> Display / Automation, with Policy Manager, Cisco IP Solution Center, Cisco Threat Response, Vulnerability Assessment and Reports
Threat Response Actions:
1) Impact analysis
2) Retrieve forensic logs
3) Shut down network, or
4) Activate dormant IDS in IOS
5) Trigger Vulnerability Assessment
Integration with other Security Management Products
Cisco Info Center Security Management Product Differentiators
• Enhance Cisco Notification Engine to provide universal collection & integration to Cisco CNS for IDS, FW (IOS & PIX)
• Policy Manager Enhancements
Integrated security and VPN policies
• Cisco Threat Response Integration (release 2)
• New Tools (release 2)
Auto configuration of devices in response to a threat (Cisco IP Solution Center)
Troubleshooting & Diagnostics
Cisco Info Center Security Management Summary
• Collection, consolidation and analysis of data generated across Cisco security tools
• Correlation of disparate events
• Historical security reports for ongoing analysis
• Centralized security monitoring