Cisco Info Center for Security Monitoring (© 2001, Cisco Systems, Inc. All rights reserved.)


Page 1: Cisco Info Center for Security Monitoring

Page 2: Problem Statement

“We have so many security-management consoles we can’t keep up with all of the information. We have firewalls that haven’t been updated in months and reams of security logs we haven’t sifted through. I really couldn’t tell you whether we’ve been hacked or not. I honestly don’t know.”

Security analyst of a large consumer goods company; quote from Information Week

Page 3: Challenges of Security Management

[Diagram of point products: Network IDS Switch Blades, Network IDS Appliances, Firewall Appliances, Firewall Switch Blades, IOS Routers]

• Current security solutions typically consist of multiple point products, each working independently

• Security devices generate massive volumes of events, most of which are not critical

• Sorting through them to determine whether they indicate a threat requires understanding the relationships among them

• Additional context is required to determine whether a problem exists and, if so, what action is required

Page 4: Value Proposition: Wide Operational Monitoring Coverage

• Comprehensive monitoring: customers want a holistic view of their organization’s security

Coverage of firewalls, NIDSs and HIDSs, as well as information from throughout the IT infrastructure such as smart cards, network-access logs, and user application login and access data

Input from VPNs, antivirus software and various kinds of provisioning and access-control applications

Monitor configuration updates, track failed operations, monitor resource utilization

Security-relevant logs from SAP and other critical applications

Page 5: Value Proposition: False Alarm Reduction

• Clear distinction between alarms that represent successful attacks and those that are false alarms or unsuccessful attacks

Based on vulnerability assessment, reduce the event priority if the target machine does not have the at-risk software or if its antivirus software is prepared for the attack

• Most security alerts look a lot like performance or availability problems

Need to monitor performance and network events as well as security events

Integrate with other network management systems to distinguish attacks from natural phenomena
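The priority reduction described on this slide, written out as an added example (not Cisco Info Center code): IDS alerts are deduplicated per (signature, target) and demoted when a vulnerability-assessment inventory shows the target lacks the at-risk software or its antivirus already covers the signature. Host addresses, signature names and the inventory are constructed for the example.

```python
from collections import OrderedDict
from dataclasses import dataclass

@dataclass(frozen=True)
class Alert:
    signature: str            # IDS signature name (constructed labels below)
    target: str               # attacked host
    affected_software: tuple  # products the signature exploits
    priority: int             # 1 = critical ... 5 = informational

# Constructed vulnerability-assessment inventory for two hypothetical hosts.
ASSETS = {
    "10.0.0.5": {"software": {"iis"}, "av_signatures": {"worm-probe-A"}},
    "10.0.0.9": {"software": {"apache"}, "av_signatures": set()},
}

def adjust_priority(alert, assets):
    """Demote an alert when the vulnerability assessment shows it cannot succeed."""
    host = assets.get(alert.target)
    if host is None:
        return alert.priority              # unassessed host: keep the IDS priority
    if alert.signature in host["av_signatures"]:
        return min(5, alert.priority + 2)  # antivirus is prepared for this attack
    if not host["software"] & set(alert.affected_software):
        return min(5, alert.priority + 3)  # target lacks the at-risk software
    return alert.priority                  # target is exposed: keep priority

def triage(alerts, assets=ASSETS):
    """Deduplicate identical (signature, target) alerts and attach adjusted priority.
    Returns (signature, target, priority, count) tuples, most urgent first."""
    buckets = OrderedDict()
    for a in alerts:
        key = (a.signature, a.target)
        if key in buckets:
            buckets[key][1] += 1
        else:
            buckets[key] = [adjust_priority(a, assets), 1]
    rows = [(sig, tgt, prio, cnt) for (sig, tgt), (prio, cnt) in buckets.items()]
    return sorted(rows, key=lambda r: r[2])

# Constructed sample feed: a burst of probes already covered by AV, a probe against
# software the target does not run, and two alerts that remain urgent.
SAMPLE = [
    Alert("worm-probe-A", "10.0.0.5", ("iis",), 1),
    Alert("worm-probe-A", "10.0.0.5", ("iis",), 1),
    Alert("worm-probe-A", "10.0.0.5", ("iis",), 1),
    Alert("web-traversal-B", "10.0.0.9", ("iis",), 1),
    Alert("http-overflow-C", "10.0.0.9", ("apache",), 1),
    Alert("http-overflow-C", "10.0.0.77", ("apache",), 2),
]
```

Running `triage(SAMPLE)` collapses the three identical probes into one row at priority 3 and leaves the alert against the exposed Apache host at priority 1.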

Page 6: Value Proposition: Threat Response Tools

• Threat response automation: customers need to be able to take an incident or attack and address it in the proper way in real time

Automated investigation to determine:

1) Was the attack successful?

2) What can be done about it?

Automatic collection and preservation of evidence

• In some cases the response to an attack is to shut down a firewall, router or even part of a network; tools for this can be launched from the event viewer

• The corrective action may also include reinstalling configuration files for devices that have been hacked

Page 7: Value Proposition: Monitoring Configuration Changes

• Monitoring configuration changes

Many hackers exploit the security infrastructure for their own ends, modifying configuration files to give themselves unlimited access.

Analysis of configuration changes to identify “suspicious changes”.

Distinguish changes triggered by the Domain Manager from changes made over telnet.
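The Domain Manager versus telnet distinction from this slide, as an added detection example rather than the product’s own rule: IOS-style configuration-change syslog lines are parsed and any change that did not come from the authorised manager address is flagged for review. The manager address and the log lines are constructed for the example.

```python
import re

# Parses IOS-style configuration-change syslog lines such as
#   %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.50)
CONFIG_RE = re.compile(
    r"%SYS-5-CONFIG_I: Configured from (?P<src>\S+) by (?P<user>\S+)"
    r"(?: on (?P<line>\S+))?(?: \((?P<addr>[\d.]+)\))?"
)

# Assumed address of the authorised domain manager (hypothetical value).
DOMAIN_MANAGER_ADDRS = {"10.0.0.50"}

def classify_change(line, managers=DOMAIN_MANAGER_ADDRS):
    """Return (origin, suspicious) for a config-change line, or None for other messages."""
    m = CONFIG_RE.search(line)
    if not m:
        return None
    if m["addr"] in managers:
        return ("domain-manager", False)   # change arrived through the provisioning path
    if m["line"] and m["line"].startswith("vty"):
        return ("telnet", True)            # interactive remote session, not the manager
    return ("console", True)               # local console or unknown path: review it

def suspicious_changes(lines):
    """Return (origin, line) for every change that bypassed the domain manager."""
    flagged = []
    for ln in lines:
        result = classify_change(ln)
        if result and result[1]:
            flagged.append((result[0], ln))
    return flagged

# Constructed sample syslog: one change from the manager, one over telnet from an
# unexpected address, one from the local console, and one non-config message.
SAMPLE_LOG = [
    "Jan 15 10:02:11 rtr1 %SYS-5-CONFIG_I: Configured from console by dm on vty1 (10.0.0.50)",
    "Jan 15 10:07:43 rtr1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.99)",
    "Jan 15 10:09:00 rtr1 %SYS-5-CONFIG_I: Configured from console by console",
    "Jan 15 10:09:30 rtr1 %LINK-3-UPDOWN: Interface Serial0, changed state to down",
]
```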

Page 8: Additional Feature Benefits

• Event enrichment and customer impact analysis

• Prevent attacks and intrusions instead of merely detecting them after they have taken place

• Easier and less expensive way to deploy software patches to address vulnerabilities rapidly

Page 9: Security Monitoring Architecture

Page 10: Cisco Info Center Security Management Architecture Components

• Info Server

• Cisco Device Mediators (IDS, FW…)

• Cisco Universal Collector (Cisco CNS Notification Engine & Cisco CNS)

• Policy Manager / Impact (Security Policies)

• GW & Reports

• Webtop

Page 11: Cisco Value Adds

• Rules

• Filters

• Views

• Automations

• Cisco Universal Collector (CUC) & Cisco CNS

Handle config change events

Page 12: Cisco Info Center Security Management Architecture

[Architecture diagram. Event sources: VPN, IOS IDS, IOS FW, HIPS (Okena), CTR, IDS, PIX FW, Cisco CNS Probe, non-Cisco probes and other NEs. Transports: RDEP, Syslog and POP into the Cisco CNS Notification Engine (deduplication and correlation) and Cisco CNS, which feed the Info Server. Integrated managers: Cisco IP Solution Center, Cisco Threat Response, Vulnerability Assessment, IP Address Management, Subscriber Management, PTC-MT, other Domain Managers, and Policy Manager / Impact (Security Policies).]

Page 13: Threat Analysis and Response Tools

[Diagram: Event Collection, then Event Correlation & Aggregation, then Display / Automation, with Policy Manager, Cisco IP Solution Center, Cisco Threat Response, Vulnerability Assessment and Reports as integrated components. Reports cover configuration change monitoring, access control violations and resource utilization.]

Threat Response Actions:

1) Impact analysis

2) Retrieve forensic logs

3) Shutdown network or

4) Activate dormant IDS in IOS

5) Trigger Vulnerability Assessment

Integration with other Security Management Products

Ram Golla (rgolla)
Page 14: Cisco Info Center Security Management Product Differentiators

• Enhance the Cisco Notification Engine to provide universal collection and integration with Cisco CNS for IDS and FW (IOS & PIX)

• Policy Manager enhancements

Integrated security and VPN policies

• Cisco Threat Response integration (release 2)

• New tools (release 2)

Auto-configuration of devices in response to a threat (Cisco IP Solution Center)

Troubleshooting & diagnostics

Page 15: Cisco Info Center Security Management Summary

• Collection, consolidation and analysis of data generated across Cisco security tools

• Correlate disparate events

• Provide historical security reports for ongoing analysis

• Centralized security monitoring