Building an enterprise information security system based on solutions from Cisco Systems

Cisco MARS Monitoring, Analysis and Response System

Cisco MARS (Cisco Security Monitoring, Analysis, and Response System) is a comprehensive hardware platform providing unparalleled capabilities for thorough monitoring and control of the existing security system. As a key element of the security management lifecycle, Cisco MARS provides IT and network operations personnel with the ability to detect, manage, and defeat security threats.

Description                                                        GPL price

CS-MARS 25 Appliance
CSMARS 25R 1RU Appliance; 75 EPS; 250 GB
CSMARS 55 1RU Appliance; 1500 EPS; 500 GB, RAID 1, Redundant
CSMARS 110R 2RU Appliance; 4500 EPS; 1500 GB, RAID 10, Redundant
CSMARS 110 2RU Appliance; 7500 EPS; 1500 GB, RAID 10, Redundant
CSMARS 210 2RU Appliance; 15000 EPS; 2000 GB, RAID 10, Redundant
MARS GC2 2RU Appliance; 2000 GB; RAID 10; Redundant PS
CSMARS-GC2-LIC-K9=   Upgrade license for CS-MARS-GC2R to CS-MARS-GC2


Building on existing network and security investments, the system detects and isolates elements that disrupt normal network operation, and also gives administrators recommendations for eliminating them completely. In addition, the system supports enforcement of security policies and can be included as part of an overall regulatory compliance system.

Network and security administrators face many complex challenges including:

  • Overwhelming volume of security and network information.
  • Lack of effectiveness in detecting, prioritizing, and responding to attacks and failures.
  • Increased complexity, speed of spread and cost of mitigating the consequences of attacks.
  • The need to comply with regulations and reporting requirements.
  • Lack of security specialists and funds.

Cisco MARS solves these problems by doing the following:

  • Integrating intelligent functions into the network to improve the correlation of network anomalies and security events.
  • Visualizing confirmed security violations and automating their investigation.
  • Repelling attacks by taking full advantage of your existing network and security infrastructure.
  • Monitoring endpoints, network, and security operations to ensure regulatory compliance.
  • Delivering a scalable, easy-to-implement and easy-to-use device with minimal total cost of ownership (TCO).

Cisco MARS transforms raw network and security data about malicious activity into understandable information that can be used to resolve confirmed security breaches and ensure regulatory compliance. A suite of easy-to-use threat mitigation hardware enables administrators to centrally detect, prioritize, and defeat threats using network and security appliances already embedded in the infrastructure.

Information security techniques have evolved from perimeter defense at the interface with the Internet to a “defense in depth” model in which multiple countermeasures are distributed at many levels throughout the infrastructure. A multi-layer model is becoming a necessity due to the increase in the number of attacks, their complexity and their speed of execution. Network objects can be scanned thousands of times a day in search of vulnerabilities. Modern “blended” or hybrid attacks use a variety of sophisticated techniques to gain unauthorized access and control from both outside and inside organizations. The spread of worms, viruses, Trojan horses, spyware and custom software poses a threat to even heavily protected networks, leaving less time to respond and increasing the cost of recovery.

In addition to the large number of servers and network devices, each component of the security system maintains its own event log and has its own set of tools for detecting anomalies and responding to threats. Unfortunately, this leads to a huge number of disparate event logs and false alarms that have to be processed, leaving the operator unable to respond effectively.

Security information and event management products allow threats to be assessed precisely and handled accordingly. These solutions allow IT security teams to centrally collect and process event data, apply correlation, work through processing queues, and generate reports.

Cisco Systems Solution Overview

Cisco Security MARS is a hardware-based, full-featured solution that provides insight and control over your existing security posture. As part of the security management suite, MARS allows you to identify, control, and stop security threats. The solution works with your existing network and security system to find, isolate and eliminate problematic elements. MARS also helps maintain the integrity of internal security policies and can be integrated as part of an overall network regulation solution.

Security administrators face many challenges, such as:

  • Excessive flow of incoming network and security information
  • Difficulty recognizing attacks, and errors in identification, prioritization and response
  • Increasingly complex attacks and rising recovery costs
  • The need to maintain security compliance
  • Staffing problems

Cisco Security MARS allows you to solve these problems in the following way:

  • Integrates network data to correlate network anomalies and security incidents
  • Tracks incidents and automates investigations
  • Mitigates attacks by leveraging the full capabilities of your existing network and security infrastructure
  • Monitors the state of objects, networks, and security procedures for compliance with the required template
  • Acts as a scalable solution, easy to implement and operate, with a low cost of ownership

Cisco Security MARS transforms raw data into a form convenient for processing, providing the ability to specifically detect, stop and generate reports for priority threats using devices already embedded in the network infrastructure.

Development of information security controls and threat prevention

To solve this problem, Cisco offers a line of scalable hardware systems. Cisco Security MARS is a high-performance, scalable system that protects network devices and optimizes information security by combining network data, the “Context Correlation” and “SureVector™ analysis” correlation functions, and the ability to automatically suppress threats. The MARS platform is closely integrated with the Cisco Security Manager security management suite. This integration allows event messages to be bound to a policy configured in Cisco Security Manager. Policy review allows you to quickly analyze how security policies operate on the firewall and to detect network problems and configuration errors.

Features and Benefits

Intelligent event processing and performance management

Cisco Security MARS combines network data with knowledge of network topology, device configurations, and network traffic profiles. The system's integrated network discovery capability builds a topology diagram that includes device configurations and applied security policies, allowing Cisco Security MARS to model data flows on the network. Because Cisco Security MARS does not directly process network traffic and makes minimal use of network software elements, the impact on overall network performance remains minimal.

Cisco Security MARS centrally collects event data from a wide range of network devices such as routers and switches, and from security devices and applications such as firewalls, intrusion detection devices, vulnerability scanners, and antivirus applications. Data from end systems (Windows, Solaris, Linux), applications (databases, Web servers and authentication servers), and network traffic statistics (Cisco NetFlow) are also processed.

Contextual correlation

When receiving data, a unified correspondence scheme is built with the network topology, device configuration, and address translation (NAT) parameters. Relevant events are grouped in real time. System and user correlation rules are then applied to identify network incidents. Cisco Security MARS comes with a comprehensive set of correlation patterns, regularly updated by Cisco, that can detect most of the various complex attacks. Graphical tools make it easy to create rules for various applications. Contextual correlation significantly reduces the amount of raw data processed, which allows for response prioritization and increases the effectiveness of applied countermeasures.

High performance aggregation

Cisco Security MARS processes millions of primary messages, efficiently classifies events to significantly reduce data volumes, and compresses information for archiving. Managing such volumes of data requires a stable and secure centralized platform. Cisco Security MARS appliances are optimized to process large numbers of events, up to 15,000 events per second, or 300,000 Cisco NetFlow events per second. In addition, MARS supports backup and recovery of configurations and data via NFS and SFTP.

Visualization and suppression of incidents

MARS allows you to speed up and simplify the process of detecting, investigating, assessing and remediating threats. A common challenge for IT security staff is the time it takes to analyze and resolve security events that occur. In this case, Cisco Security MARS is a powerful, interactive tool for managing security and creating rules.

The graphical work environment displays a topological map showing events, attack vectors, and incident details, which allows you to instantly identify existing threats. Cisco "SureVector analysis" processes related groups of events to assess whether the threat is real and where it originates, down to the MAC address of the end device. The process is automated by analyzing event logs from devices such as firewalls and intrusion prevention devices (IPS), third-party assessment systems, and endpoint scanning results to prevent false positives. Using Cisco Security MARS, security teams have the tools to quickly understand the components of a complex attack and identify the affected system. Cisco's "automatic mitigation" features find available control devices along the attack path and automatically provide appropriate commands that operators can quickly apply to eliminate the threat.

Operational analysis and compliance verification

Cisco Security MARS provides an easy-to-use framework that simplifies ongoing security operations, automating investigations, escalations, alerts, ongoing activity documentation, and ad hoc audits. Cisco Security MARS graphically displays attacks and extracts historical data to analyze previous events. The system fully supports arbitrary queries to quickly obtain information.

Cisco Security MARS offers many built-in query templates and supports reporting for the PCI-DSS, GLBA, HIPAA, FISMA and Basel II regulations. The report generator allows you to modify more than 100 standard reports or create new ones with unlimited capabilities for planning response and recovery procedures, tracking incidents and network activity, monitoring compliance with security policies and conducting audits. Distribution of reports is also supported.

Speed and ease of implementation

When implementing Cisco Security MARS, the ability to send and receive “syslog” messages and SNMP messages (SNMP traps) must be ensured, and the system must be able to communicate with the installed network devices using standard or proprietary protocols. Neither additional equipment nor modification of the existing software is required. Message forwarding to Cisco Security MARS is then configured, and the monitored objects are added through the “Web-based GUI”. MARS can send statistics to external servers for integration with the current infrastructure.

One of the leading manufacturers of information security products is Cisco. This article aims to show examples of using Cisco Security Agent, Cisco NAC Appliance and Cisco MARS products to ensure internal information security of a company. These products integrate with each other and allow you to build an easily manageable and reliable system.

The information security department of a modern company faces a wide variety of tasks: supporting the company’s secure communication channels, supporting the user access control subsystem, providing anti-virus protection, fighting spam, controlling information leaks, monitoring information security events occurring on the network, and other equally important tasks.

Currently, there are a huge number of developments on the information security product market that in one way or another make it possible to solve the assigned problems. In our opinion, the most correct way is to build highly integrated security systems that can most flexibly adapt to specific processes occurring in the company.

Introduction

Any information security system is built based on the expected threat model. When starting to plan a security system, it is necessary to consider two categories of threats: external and internal.

External threats are easily predictable, since the company has complete information about which services are available from the outside and which software and hardware resources connect those services to the Internet.

Combating insider threats is much more difficult because users working in a company have different levels of access and build different relationships within the company.

To ensure protection, it is necessary to take a comprehensive approach, and not be limited only to technical means. Competent work of the information security service, as well as a clearly thought-out administrative policy of the company will help achieve maximum results.

Administrative policy is built on the foundation of information security policy. The organization must develop regulations on the protection of confidential information and corresponding instructions. These documents should define the rules and criteria for categorizing information resources by degree of confidentiality, labeling rules and rules for handling confidential information. The rules for providing access to information resources must be defined, and appropriate procedures and control mechanisms must be implemented, including authorization and audit of access.

These administrative measures make it possible to successfully combat the most numerous class of threats - threats of unintentional disclosure of confidential information, but to combat intruders it is clearly not enough - the use of special software and hardware is necessary.

End Host Security – Cisco Security Agent

The Cisco Security Agent (CSA) solution is an end-host security system that, in conjunction with other systems, allows you to solve more complex and broader problems.

CSA protects server systems and desktop computers. The Cisco Security Agent goes beyond typical endpoint protection solutions by combining, in one software tool, advanced protection against targeted attacks, spyware and covert remote-control malware, anti-virus protection, protection against information leaks, and defenses against many other types of computer security violations.

Cisco Security Agent is a system that uses agent applications to enforce information security policies configured on a central server.

CSA combines protection against zero-day attacks, ClamAV antivirus, firewall, file and application protection module, untrusted application module and other functions.

Cisco Security Agent provides a number of valuable features, including the following:

  • monitoring compliance of the state of network objects with security policy requirements;
  • preventive protection against targeted attacks;
  • control of USB, CD-ROM, PCMCIA and other devices;
  • creation of a closed software environment;
  • the ability to detect and isolate malware for covert remote control;
  • advanced functions for preventing intrusion on network nodes, a personal firewall and protection against completely new attacks;
  • control of information leakage;
  • control and prevention of downloads from unauthorized media;
  • optimizing Wi-Fi bandwidth usage;
  • ensuring the availability of critical client-server applications and the ability to carry out transactions;
  • network traffic tagging;
  • integration with intrusion prevention systems (Cisco IPS);
  • integration with network access control system (Cisco NAC);
  • integration with security management system (Cisco MARS).

The architecture of the Cisco Security Agent system is shown in Figure 1. Agents interact with the management server and receive policy and software updates from it.

Figure 1: CSA System Architecture

End hosts are grouped into groups for which information security policies are applied. Policies are sets of rule modules (see Figure 2).

Figure 2: Policies, modules, rules in the CSA architecture

Cisco Security Agent allows you to monitor users' activities while they are connected to the data network and the management server is available. But it also supports a special set of states, such as management center unavailability, in which specialized access policies are applied to machines.

The second information security system is the data network access control system.

Network access control – Cisco Network Admission Control (NAC)

Cisco NAC Appliance (formerly Cisco Clean Access) is a solution designed to automatically detect, isolate, and disinfect infected, vulnerable, or non-compliant hosts that access wired or wireless corporate resources.

As one of the components of Network Admission Control technology, Clean Access is implemented either as a network module for Cisco ISR routers (for networks with less than 100 controlled devices) or as a separate device.

The main features of the Cisco NAC solution are:

  • independence from the network equipment manufacturer (in-band mode);
  • integration with Kerberos, LDAP, RADIUS, Active Directory, S/Ident and other authentication methods;
  • support for Windows (including Vista), MacOS, Linux, Xbox, PlayStation 2, PDAs, printers, IP phones, etc.;
  • support for antiviruses CA, F-Secure, Eset, Kaspersky Lab, McAfee, Panda, Dr.Web, Sophos, Symantec, TrendMicro and other computer protection tools (250 manufacturers in total);
  • Quarantining an inappropriate host by applying ACLs or VLANs;
  • creating a “white” list of nodes to speed up their access to network resources;
  • automatic installation of missing updates, new versions of protection tools or updating of outdated anti-virus databases;
  • centralized web management;
  • Russian language support;
  • conducting a transparent audit.

Cisco NAC Appliance Architecture and Operation

Cisco NAC is an internal information security software and hardware solution that leverages the network infrastructure to enforce information security policies and restrict network access to devices that do not meet the requirements of the information security policies.

The main functional components of the solution are the Clean Access Server (CAS) and Clean Access Manager (CAM). CAM is responsible for configuring security policies, and CAS is responsible for executing them.

The equipment can be installed in a fault-tolerant configuration in which Active/Standby Failover is performed.

Figure 3 shows the system state in which the user is in a specially created authentication VLAN, from which the user is allowed access to DHCP and other services in accordance with the policies configured on the CAM.

Figure 3: No network access

After the user has been verified for compliance with information security policies, the user is admitted to the network by assigning the switch port to a specific VLAN (Figure 4).

Users can undergo the authentication procedure either using a specialized agent - Cisco Clean Access, which also collects information for checks, or using web authentication.

Figure 4: Cisco NAC - Network Access Allowed

The logic of the system is made up of components - checks, rules and requirements applied to each specific user role.

For example, you can create several roles that correspond to departments of the company and for each role you can configure certain requirements, the fulfillment of which becomes a prerequisite for access to the corporate environment.

Figure 5: Cisco NAC - System operation logic

Various verification options are available. Checks can verify that a required application is running on the PC, that the necessary operating system patches are installed, the version of the anti-virus databases, and more.

An information security system requires the mandatory presence of a monitoring system for events occurring on the network. For these purposes, it is intended to use the Cisco Security Monitoring, Analysis and Response System (Cisco MARS) product.

Cisco Security Monitoring, Analysis and Response System (MARS)

Modern enterprises are constantly faced with problems related to information security.

The complexity of the network infrastructure entails an increase in the number of protection means: these can be separate firewalls, routers with certain software functionality, switches, various IPS, IDS and HIPS systems, as well as various anti-virus systems, mail proxy servers, web proxies and other similar systems.

A large number of security means gives rise to management problems, as the number of control points increases, the number of recorded events increases and, as a result, the time required for decision-making increases (see Figure 6).

Figure 6: Decision-making process to prevent an attack

In this regard, the enterprise needs a higher-level system capable of assessing the existing level of information security by recording and correlating the events received by the system.

The Cisco MARS Monitoring and Response System provides these functions.

Cisco MARS Key Features

Cisco MARS is a software and hardware solution in a server version. The system software is based on the Linux operating system (kernel 2.6). The main component of the system is the Oracle database, which is used to store information.

Cisco MARS has the ability to collect information from various devices using the Syslog, SNMP, NetFlow protocols, and also has the ability to receive system log files.

MARS supports equipment from various vendors such as Cisco, IBM, Check Point, Nokia, Symantec, McAfee, Netscape and others.

The operating logic of the Cisco MARS system is based on queries to the database. You can select information and refine it by source IP address, destination IP address, ports, event types, devices, keywords, and so on.

Rules are built on top of queries and grouped in the system. The Cisco MARS database contains more than 2000 rules. You can create your own rules, thereby flexibly adapting the system to the specific types of threats you anticipate.

After saving the rule and detecting information that satisfies this rule, an incident is generated.

Considering the operation of Cisco MARS, we can offer a specific example of an attack on a host (see Figure 7).

Figure 7: Performing an attack on a host

A test bench containing Cisco MARS, several switches and a laptop with the Cisco Security Agent product installed was assembled. To emulate the attack, host services were scanned using the NMAP utility.

The events look like this:

  • Cisco Security Agent detected a port scan;
  • Information about this reached the management center of the Cisco Security Agent system, which in turn sent a message to MARS;
  • MARS parsed and normalized the received message to a single form provided by the MARS database;
  • MARS produced session correlations;
  • This event was verified using rules configured on MARS to record information security incidents;
  • Checked for false positives;
  • An incident was generated and information was sent to the administrator.
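The event flow listed above (parse and normalize, correlate sessions, apply a rule, suppress false positives, raise an incident), modelled in Python as an added example that is not Cisco's code and is also a worked instance of the query-and-rule logic described earlier. The syslog lines, their key=value body format, the rule thresholds and the address of the authorized scanner are all constructed assumptions for this example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample syslog lines, roughly as a CSA Management Center (csamc)
# and a firewall (fw01) might forward them. The key=value body is an assumed
# format for this example, not Cisco's real message format.
SAMPLE_LOG = """\
<134>Mar 12 10:01:02 csamc CSA-MC: event=PortScan src=10.1.5.23 dst=10.1.10.7 dport=22 host=LAPTOP-07
<134>Mar 12 10:01:02 csamc CSA-MC: event=PortScan src=10.1.5.23 dst=10.1.10.7 dport=80 host=LAPTOP-07
<134>Mar 12 10:01:03 csamc CSA-MC: event=PortScan src=10.1.5.23 dst=10.1.10.7 dport=443 host=LAPTOP-07
<134>Mar 12 10:01:03 csamc CSA-MC: event=PortScan src=10.1.5.23 dst=10.1.10.7 dport=3389 host=LAPTOP-07
<134>Mar 12 10:01:04 csamc CSA-MC: event=PortScan src=10.1.5.23 dst=10.1.10.7 dport=8080 host=LAPTOP-07
<134>Mar 12 10:01:05 fw01 FW: event=ConnBuilt src=10.1.5.23 dst=10.1.10.7 dport=445
<134>Mar 12 10:02:00 csamc CSA-MC: event=PortScan src=10.1.9.4 dst=10.1.10.9 dport=22 host=NMS-01
<134>Mar 12 10:02:00 csamc CSA-MC: event=PortScan src=10.1.9.4 dst=10.1.10.9 dport=80 host=NMS-01
<134>Mar 12 10:02:01 csamc CSA-MC: event=PortScan src=10.1.9.4 dst=10.1.10.9 dport=161 host=NMS-01
<134>Mar 12 10:02:01 csamc CSA-MC: event=PortScan src=10.1.9.4 dst=10.1.10.9 dport=443 host=NMS-01
<134>Mar 12 10:02:02 csamc CSA-MC: event=PortScan src=10.1.9.4 dst=10.1.10.9 dport=3389 host=NMS-01
this line is not syslog and is skipped by the parser
"""

# Constructed: address of the company's authorized vulnerability scanner.
KNOWN_SCANNERS = {"10.1.9.4"}

LINE_RE = re.compile(
    r"^<\d+>(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<device>\S+) (?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Event:
    ts: int        # seconds since midnight; enough for a same-day time window
    device: str    # reporting device (what MARS calls the monitoring object)
    etype: str     # normalized event type
    src: str
    dst: str
    dport: int


def normalize(line):
    """Parse one raw line into the single Event form; return None for junk."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s = (int(x) for x in m["time"].split(":"))
    kv = dict(KV_RE.findall(m["rest"]))
    if any(k not in kv for k in ("event", "src", "dst", "dport")):
        return None
    return Event(h * 3600 + mi * 60 + s, m["device"], kv["event"],
                 kv["src"], kv["dst"], int(kv["dport"]))


def parse_log(text):
    return [e for e in (normalize(l) for l in text.splitlines()) if e]


def correlate_sessions(events):
    """Session correlation: group events by (source, destination) pair."""
    sessions = defaultdict(list)
    for e in events:
        sessions[(e.src, e.dst)].append(e)
    return sessions


# A rule in the spirit of a MARS correlation rule: N distinct destination
# ports of one event type from the same session inside a time window.
PORT_SCAN_RULE = {"event": "PortScan", "min_ports": 5, "window": 60}


def rule_matches(session, rule=PORT_SCAN_RULE):
    hits = sorted((e for e in session if e.etype == rule["event"]), key=lambda e: e.ts)
    for i, first in enumerate(hits):
        ports = {e.dport for e in hits[i:] if e.ts - first.ts <= rule["window"]}
        if len(ports) >= rule["min_ports"]:
            return True
    return False


def detect_incidents(text, known_scanners=KNOWN_SCANNERS):
    """Run the pipeline and return one incident dict per confirmed session."""
    incidents = []
    for (src, dst), session in correlate_sessions(parse_log(text)).items():
        if not rule_matches(session):
            continue
        if src in known_scanners:
            continue   # false-positive suppression: our own scanner
        incidents.append({
            "rule": PORT_SCAN_RULE["event"], "src": src, "dst": dst,
            "ports": sorted({e.dport for e in session if e.etype == "PortScan"}),
            "reporting_devices": sorted({e.device for e in session}),
        })
    return incidents


if __name__ == "__main__":
    for incident in detect_incidents(SAMPLE_LOG):
        print(incident)   # here MARS would notify the administrator
```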

On the Cisco MARS home page, information appeared that an information security incident had occurred on the network (see Figure 8), and the attack propagation path was shown (see Figure 9).

Figure 8: Displaying attack information in the Cisco MARS dashboard

Figure 9: Attack path in the Cisco MARS panel

By clicking on the “Toggle Topology” button, you can see the real network topology and see the attack propagation path (see Figure 10).

Figure 10: Network topology of the attack propagation path in the Cisco MARS dashboard

To respond to an incident, Cisco MARS offers several options for stopping the attack on network devices (see Figure 11).

Figure 11: Response to prevent an attack

Cisco MARS also has a flexible reporting system, which allows you to obtain detailed data on all registered events. This allows the principle of improving protection to be implemented (see Figure 12).

Figure 12: Security Improvement Principle

Example of a comprehensive solution

Let's consider a comprehensive solution based on the above products for the central office of company K.

Company K has 100 employees in three departments at its headquarters. The Microsoft Active Directory system is used to control user access.

The following tasks need to be solved:

  • ensure compliance with information security policies created for employees of each department;
  • have up-to-date information about the software running on specific hosts;
  • be able to control access to external systems for hosts located outside the corporate environment;
  • provide access to the network based on specified information security policies;
  • ensure that specified checks are performed for the host based on the domain user account;
  • provide monitoring of events occurring on the network, as well as collection of information using the NetFlow protocol.

Configuring Cisco Security Agent Policies

First, we define the access rights of each user group. In accordance with these access rules, domain access rights and filtering rules are configured on active network equipment.

You can create network access rules using the Cisco Security Agent, but these rules are rather narrow in scope. For example, you can deny a specific user access to a specific resource (IP, TCP/IP). In this example, no network rules are created in the CSA.

The first step is to create a policy for all user groups in the CSA that makes it impossible to disable the agent application. This policy applies to all users, including local administrators.

A process is then launched to collect information about the software installed on the computers - a process called Application Deployment Investigation. As a result, we get a report (see Figure 13).

Figure 13: Installed Applications Report Using Cisco Security Agent

In the future, we can classify these applications, for example, distinguishing from the total number of office applications, ICQ clients, P2P applications, email applications, and so on. Also, using CSA, it is possible to analyze the behavior of a specific application for further creation of information security policies.

General rules covering all identified applications are created for all head office users. Implementation is carried out in stages: first, the information security policy is deployed in audit mode, which allows all events to be monitored without affecting the current actions of users. Subsequently, the revised policy is put into operational mode.

In addition to static classification of applications, CSA provides for dynamic classification - the dynamic class method. For example, the Microsoft Word application can be classified into two classes of applications - local and network, and depending on this, different security policies can be applied to it (see Figure 14).

Figure 14: Dynamic classes for classifying applications

For anti-virus protection, CSA has a built-in ClamAV anti-virus module. If you have an antivirus, this module can be disabled.

Control of information leaks

To prevent leaks of confidential information, CSA provides a special module called Data Loss Prevention.

When this software module is activated, the CSA agent scans files for confidential information. Information classification is set manually based on templates – scanning tags (see Figure 15). It is possible to perform shadow scanning, as well as scanning when opening/closing files.

Figure 15: Classification of confidential information

After the classification has been completed, it is necessary to create and apply information security policies for applications that work with these files. It is necessary to control access to these files, printing, transferring to external media, copying to the clipboard and other events. All this can be done using standard templates and rules that are preinstalled in Cisco Security Agent.

Setting up Cisco NAC (Clean Access)

When starting to configure Cisco NAC, you need to clearly understand the operating logic of this system for each specific user group.

In the case of implementation in company K, it is planned that all users will first land in a single VLAN (Vlan 110 in Figure 16). While in this VLAN, they undergo authentication and verification for compliance with the requirements of the information security policies. Access from this VLAN to corporate network resources is limited: at layer 2 of the OSI model, only the Clean Access Server is reachable by users. At the same time, using DHCP, users receive IP addresses from the working VLANs, which eliminates the need to obtain an IP address again.

Figure 16: Authentication VLAN

If the check is successful, the user is transferred to the “working” VLAN (Vlan 10 in Figure 17). This VLAN number is assigned according to the Organizational Unit (OU) to which the user belongs in Active Directory. This functionality is made possible by using user roles in the NAC system.

Figure 17: Transferring a user to the “work” VLAN

All Company K users are required to comply with the latest critical updates for the Windows operating system and have the Cisco Security Agent running.

Let's look at how you can check the status of the Cisco Security Agent on users' personal computers:

  • a new check is created (see Figure 18);
  • then a rule is created (see Figure 19);
  • a requirement is created (see Figure 20);
  • Ultimately, this requirement applies to the user role.

Figure 18: Creating a New Cisco Security Agent Status Check

Figure 19: Creating a rule for a new Cisco Security Agent state check

Figure 20: Creating requirements for a new Cisco Security Agent health check

As a result of the completed setup, for all users of the HR group, the Cisco Security Agent operating conditions must be met to access network resources.

Using Cisco NAC, it is possible to check the relevance of anti-virus databases, the status of services on end hosts, and other important things.

Each configuration option is individual, but at the same time, the system initially has a rich set of requirements that facilitate its rapid deployment.
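The checks, rules, requirements and user-role chain described in the steps above, modelled in Python as an added example that is not Cisco NAC code. VLAN 110, VLAN 10, the HR role and the CSA and Windows-update requirements come from the page; the other roles, the OU names, the agent process name and the update identifiers are constructed assumptions.

```python
from dataclasses import dataclass

# From the page: users start in VLAN 110 (Figure 16) and HR users move to
# VLAN 10 (Figure 17). The other roles, OU names, process name and update
# identifiers are constructed for this example.
AUTH_VLAN = 110
ROLE_VLAN = {"HR": 10, "Finance": 20, "Engineering": 30}
OU_TO_ROLE = {
    "OU=HR,DC=k,DC=local": "HR",
    "OU=Finance,DC=k,DC=local": "Finance",
    "OU=Engineering,DC=k,DC=local": "Engineering",
}
REQUIRED_UPDATES = {"KB-EXAMPLE-1", "KB-EXAMPLE-2"}   # placeholder ids
CSA_PROCESS = "csagent.exe"                           # assumed process name
MIN_AV_DB_VERSION = 2024031                           # constructed value


@dataclass
class Host:
    user_dn: str        # distinguished name of the logged-in domain user
    processes: set      # process names reported by the Clean Access agent
    updates: set        # installed update identifiers
    av_db_version: int  # anti-virus database version


# Checks: named predicates over the host posture (the "checks" layer).
CHECKS = {
    "csa_running": lambda h: CSA_PROCESS in h.processes,
    "critical_updates": lambda h: REQUIRED_UPDATES <= h.updates,
    "av_db_current": lambda h: h.av_db_version >= MIN_AV_DB_VERSION,
}

# Rules: AND-combinations of checks (the "rules" layer).
RULES = {
    "csa_ok": ["csa_running"],
    "windows_patched": ["critical_updates"],
    "antivirus_ok": ["av_db_current"],
}


@dataclass(frozen=True)
class Requirement:
    name: str          # shown to the user when the check fails
    rule: str          # rule that must pass
    remediation: str   # instruction presented by the agent


REQ_CSA = Requirement("Cisco Security Agent running", "csa_ok", "Start the CSA service")
REQ_WIN = Requirement("Windows critical updates", "windows_patched", "Run Windows Update")
REQ_AV = Requirement("Anti-virus databases current", "antivirus_ok", "Update AV signatures")

# Requirements are bound to roles; HR needs CSA and critical updates (page).
ROLE_REQUIREMENTS = {
    "HR": [REQ_CSA, REQ_WIN],
    "Finance": [REQ_CSA, REQ_WIN, REQ_AV],
    "Engineering": [REQ_CSA, REQ_WIN],
}


def role_for(user_dn):
    """Map the user's Active Directory OU to a NAC role; unknown OU -> None."""
    ou = user_dn.split(",", 1)[1] if "," in user_dn else ""
    return OU_TO_ROLE.get(ou)


def rule_passes(rule, host):
    return all(CHECKS[check](host) for check in RULES[rule])


def admit(host):
    """Evaluate the role's requirements and decide the VLAN for the port."""
    role = role_for(host.user_dn)
    if role is None:
        return {"role": None, "vlan": AUTH_VLAN, "failed": [], "reason": "no role for OU"}
    failed = [r for r in ROLE_REQUIREMENTS[role] if not rule_passes(r.rule, host)]
    if failed:   # stays in the authentication VLAN until remediated
        return {"role": role, "vlan": AUTH_VLAN, "failed": failed, "reason": "remediation required"}
    return {"role": role, "vlan": ROLE_VLAN[role], "failed": [], "reason": "compliant"}


if __name__ == "__main__":
    laptop = Host("CN=Petrov,OU=HR,DC=k,DC=local", {"explorer.exe"}, {"KB-EXAMPLE-1"}, 2024040)
    decision = admit(laptop)
    print(decision["vlan"], decision["reason"])
    for r in decision["failed"]:
        print(f"  {r.name}: {r.remediation}")
```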

Setting up Cisco MARS

Cisco Security Agent and Cisco NAC have a rich system for providing reporting information, but to be able to correlate events, as well as to be able to collect information about events from various devices, it is proposed to use the Cisco MARS system.

Basic settings for the Cisco MARS system include adding devices to the system (firewalls, IPS, IDS, anti-virus systems, mail systems, etc.), setting up NetFlow export to the MARS server, and setting up users.

MARS already has a large number of predefined rules (see Figure 21), which allows you to quickly put the system into operation and receive up-to-date information about the state of information security.

Figure 21: Predefined rules with Cisco MARS

For deeper customization, you need to create your own rules in accordance with predicted threat models that will analyze incoming information.

If all the necessary conditions specified in the rule are present, an incident is created, which can be seen on the main panel of the system. It is also possible to send a notification to the email of personnel servicing Cisco MARS.

In this way, Cisco MARS transforms raw data about malicious activity provided by the network and security system into understandable information that can be used to resolve security breaches using equipment that already exists on the network.

Conclusion

The complex system considered solves a wide range of problems, allowing administrators to identify and eliminate violations of company security policies as quickly as possible.

The products used for this article are integral systems and are able to work separately from each other, but in combining these systems lies the strategy of a self-defending network that can withstand the latest (zero-day) security threats.

Zabiyakin Igor
Leading engineer of NTS LLC (NTS Ltd.)

If you are interested in implementing information security products from Cisco Systems, then you can contact NTS representatives.

The CISCO MARS hardware and software system is designed to manage security threats. Sources of information about them can be: network equipment (routers and switches), security tools (firewalls, antiviruses, attack detection systems and security scanners), OS logs (Solaris, Windows NT, 2000, 2003, Linux) and applications (DBMS, web, etc.), as well as network traffic (for example, Cisco Netflow). Cisco MARS supports solutions from various manufacturers - Cisco, ISS, Check Point, Symantec, NetScreen, Extreme, Snort, McAfee, eEye, Oracle, Microsoft, etc.

The ContextCorrelation™ mechanism allows you to analyze and compare events from heterogeneous security tools. Their visualization on a network map in real time is achieved using the SureVector™ engine. These mechanisms allow you to display the attack propagation path in real time. Automatic blocking of detected attacks is achieved using the AutoMitigate™ mechanism, which allows you to reconfigure various security measures and network equipment.

Key Features

  • Process up to 10,000 events per second and over 300,000 Netflow events per second
  • Ability to create your own correlation rules
  • Notification of detected problems via e-mail, SNMP, syslog and pager
  • Visualization of attacks at the data link and network levels
  • Supports Syslog, SNMP, RDEP, SDEE, Netflow, system and user logs as information sources
  • Ability to connect your own security tools for analysis
  • Effectively suppresses false positives and noise, as well as detects attacks missed by separate security measures
  • Anomaly detection using the NetFlow protocol
  • Create and automatically update a network map, including import from CiscoWorks and other network management systems
  • Support IOS 802.1x, NAC (phase 2)
  • Monitoring switch protection mechanisms (Dynamic ARP Inspection, IP Source Guard, etc.)
  • Integration with Cisco Security Manager (CSM Policy Lookup)
  • Integration with incident management systems using
  • Authentication on the RADIUS server
  • Cisco MARS Component Health Monitoring
  • Syslog forwarding
  • Dynamic recognition of new attack signatures on Cisco IPS and loading them into Cisco MARS