cs-mars presales
TRANSCRIPT
-
8/7/2019 CS-MARS presales
1/18
1 2005 Cisco Systems, Inc. All rights reserved. Company Confidential
CS-MARS Positioning Training
-
Agenda
Introduction
Security Management Challenges
Cisco's Protego Mitigation and Response System (MARS)
Solution Overview
Protego MARS Deployments
Protego MARS in Action: LoveGate
Protego MARS in Action: Sasser-D
Product Line
How to Sell Protego MARS
Customer Success Stories
Live Demo
-
Protego Mitigation and Response System (MARS): Next Generation SIM/STM
Leverage YOUR existing investment to build pervasive security
Correlate data from across the Enterprise
NIDS, Firewalls, Routers, Switches, CSA
Syslog, SNMP, RDEP, SDEE, NetFlow, Endpoint event logs
Rapidly locate and mitigate attacks
Key Features
Determines security incidents based on device messages, events, and sessions
Incidents are topologically aware for visualization and replay
Mitigation on L2 ports and L3 chokepoints
Efficiently scales for real-time use across the Enterprise
-
MARS Value Proposition
Plug-and-Play Deployment
No professional services required
Can be installed and receiving events within just a few hours
Event Monitoring and Mitigation
Ability to correlate events from multiple network and security devices, tune IDS signatures, locate offending hosts, determine attack path and offer active mitigation options
Broad Product Portfolio
Entry-level price point for commercial customers
Scales from 500 EPS to 10,000 EPS per appliance, with options for distributed deployments
Helps Prove ROI for Existing and New Security Devices
Converts millions of events to a small number of actionable mitigation options
Allows customers to expand the number of security devices in their networks
-
Self-Defending Network Components
Defense-in-depth
Firewalls
Proxies
VPN
Anti-virus
Network IDS/IPS
Host IDS/IPS
Vulnerability Assessment
Patch Management
Policy Compliance
Router
Switch
-
Security Operations / Reactions Today
Action Steps:
1. Alert
2. Investigate
3. Mitigate
Network Operations
Security Operations
Security knowledge base
Firewall
IDS/IPS
VPN
Vulnerability Scanners
Authentication Servers
Router/Switch
Anti-virus
10K Win, 100s UNIX
Collect Network Diagram
Read and Analyze TONS of Data
Repeat
-
Business Problem
In-depth Defense
Noise
Poor Attack Identification & Response
Compliance & Audit Mandates
Insufficient Security Staff
after patching, putting out fires, investigation and remediation produce the audit report
alarms, disconnected events, false positives, network anomalies
Sarbox, HIPAA, GLBA, FISMA, Basel II due care and process
un-prioritized blended attacks, day zero attacks, worms and network issues
Mitigate Attacks
Costly Business Dilemma
-
Infected Host
Log/Alert
Defense-In-Depth = Complexity
-
What You Have to Deal With: NIDS Alert
-
What You Have to Deal With: Firewall Log
-
MARS Product Line
-
Full Spectrum Product Line
Installation takes minutes
NO JAVA!!!!
Server side scripting does it all!
RAID 1+0
No DBA Needed
Agent-less Event Collection
Layer 2/3 Network Topology and Mitigation
NetFlow
Drill down to MAC addresses

PN-MARS Model     | 20     | 50     | 100e   | 100     | 200     | Global Controller
Events/Sec        | 500    | 1,000  | 3,000  | 5,000   | 10,000  | N/A
NetFlow Flows/Sec | 15,000 | 25,000 | 75,000 | 150,000 | 300,000 | N/A
RAID Storage      | 120GB  | 120GB  | 750GB  | 750GB   | 1TB     | 1TB
Rack Size         | 1 RU   | 1 RU   | 3 RU   | 3 RU    | 4 RU    | 4 RU
-
MARS Device Support
Networking
Cisco IOS 11.x and 12.x, Catalyst OS 6.x
NetFlow v5/v7
NAC ACS 3.x
Extreme Extremeware 6.x
Firewall/VPN
Cisco PIX 6.x, IOS Firewall, FWSM 1.x & 2.2, VPN Concentrator 4.0
CheckPoint Firewall-1 NG FPx, VPN-1
NetScreen Firewall 4.x, 5.x
Nokia Firewall
IDS
Cisco NIDS 3.x & 4.x, IDSM 3.x & 4.x
Enterasys Dragon NIDS 6.x
ISS RealSecure Network Sensor 6.5, 7.0
Snort NIDS 2.x
McAfee Intrushield NIDS 1.x
NetScreen IDP 2.x
Symantec ManHunt 3.x
Vulnerability Assessment
eEye REM 1.x
Foundstone FoundScan 3.x
Host Security
Cisco Security Agent (CSA) 4.x
McAfee Entercept 2.5, 4.x
ISS RealSecure Host Sensor 6.5, 7.0
Symantec AntiVirus 9.x
Host Log
Windows NT, 2000, 2003 (agent and agent-less)
Solaris
Linux
Syslog
Universal device support
Applications
Web servers (IIS, iPlanet, Apache)
Oracle 9i, 10i database audit logs
Network Appliance NetCache
-
CS-MARS: Global Controller Deployment
[Diagram labels: Switch, VPN, Router, Wireless, Sw2, Switch / NIDS, App, Host IDS, Log, HIDS, AV, Internal, Inbound, Mgmt. Net, External, DBMS, URL / AV Filter, Outbound, Mail GW, FW / NAT, AAA, NAS Archive, Web, Tunnel, Remote, PN-MARS, PN-MARS GC]
Protego PN-MARS
Passive monitoring anywhere the appliance can send and receive information
Gains network intelligence
Translates NAT, sets NetFlow thresholds
Correlates logs, alerts, NetFlow
Identifies valid incidents, no false positives
Offers real-time visualization, replay, query
Enables complete drill-down investigation
Automates mitigation and workflow
Consolidates / stores incidents and raw data
PN-MARS GC
PN-MARS GC deployed in the management network provides global view, management, and reporting. Each PN-MARS securely and efficiently communicates to the GC. GC appliance can distribute updates, rules, report templates, access rules, and queries across MARS appliances.
Remote
PN-MARS can be placed on remote sites and be managed by PN-MARS GC
-
CS-MARS: Command and Control
-
CS-MARS: The Battlefield
Network Intelligence
Topology
Traffic Flow
Device Configuration
Enforcement Devices
-
CS-MARS: Connect the Dots
Accurate attack-path, detailed investigation
Host A Port Scans Target X, followed by
Host A Buffer Overflow Attack to Target X
Where X is vulnerable to Attack, followed by
Target X executes password attack on Target Y
-
CS-MARS: Attack Path with Layer 2 Mitigation