Cisco’s new(ish) flagship security event management platform is beginning to make its mark but I wanted to know what it brought to the table that made it different from the rest of the solutions available.
Security Information Management (SIM) platforms provide a central repository to which security devices send the events they generate. Most SIM offerings have a web front end that gives network security staff a single place to view the logs produced by every reporting device on the network. That single view is the main benefit: the SIM provides the disk space to retain those events and makes them available for analysis and reporting. A further benefit is correlation: the SIM can group events that share certain fields (a source address, a destination, a time window) across different reporting devices, which lets us recognise trends in the network that no single device would show on its own. A SIM can also be configured to alert administrators when particular events are triggered; however, it is then up to the administrator to work out how to mitigate whatever is causing the alerts.
The SIMs available before CS-MARS already gave network security staff excellent facilities to store, analyse and archive events from devices configured to report to them. An added benefit is that a SIM can help an organisation comply with legislation that requires confidential data to be secured, for example in the healthcare sector or for online stores that retain customers' personal data.
As you can see, SIMs offer a great deal of functionality, but they were lacking in areas that no vendor had ventured into before. CS-MARS (Cisco Security Monitoring, Analysis and Response System) brought features that other vendors lacked. CS-MARS came about when Cisco purchased Protego Networks for around $65M to extend the capability of Cisco's self-defending network. Protego had embraced the SIM concept but enhanced it by adding STM (Security Threat Mitigation) to the MARS product, and Cisco has developed it much further since the acquisition. STM brings new features to the SIM market, such as timely attack mitigation through mitigation advisories. Because of the STM-oriented design, MARS also has better overall topology awareness, which makes other things possible: end-to-end network awareness provides session awareness (tying together the events that belong to one connection as it crosses several devices), and data reduction collapses millions of raw events down to hundreds of incidents. The mitigation strategies MARS employs include TCP resets, shuns, and editing ACLs and rulebases.
In short, CS-MARS combines an impressive range of new features in one solution that, at the time of writing, nothing else on the market matches. Security event management, correlation and normalisation of events, combined with the option of attack mitigation advisories and single-click mitigation deployment, places MARS in a class of its own.
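To make the two ideas above concrete (correlation of events that share fields across reporting devices, and reduction of many raw events into a few incidents with a mitigation advisory), here is a small added example in Python. It is illustration code written for this page, not CS-MARS code, and it knows nothing of how MARS actually parses or correlates. The log lines, device names (`fw1`, `ids1`), field layouts, the five-minute window and the "two distinct devices" threshold are all constructed assumptions for the example; the advisory it emits is a Cisco-style extended ACL line that is suggested, never applied.

```python
"""Toy event normalisation + correlation engine, in the style of what a SIM does.

Added illustration for this page, not CS-MARS code. The log formats below are
constructed for the example and only loosely resemble real device syslog.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample input: one firewall and one IDS both observe the same scanner,
# plus two unrelated single events that should NOT become incidents.
RAW_LOGS = [
    "2008-05-01T10:00:01 fw1 DENY tcp 203.0.113.7:41122 -> 10.0.0.5:22",
    "2008-05-01T10:00:02 fw1 DENY tcp 203.0.113.7:41123 -> 10.0.0.5:23",
    "2008-05-01T10:00:03 fw1 DENY tcp 203.0.113.7:41124 -> 10.0.0.5:80",
    "2008-05-01T10:00:04 ids1 ALERT portscan src=203.0.113.7 dst=10.0.0.5",
    "2008-05-01T10:00:05 fw1 DENY tcp 203.0.113.7:41125 -> 10.0.0.5:443",
    "2008-05-01T10:30:00 fw1 DENY udp 198.51.100.9:5353 -> 10.0.0.9:5353",
    "2008-05-01T11:00:00 ids1 ALERT portscan src=192.0.2.44 dst=10.0.0.5",
]

@dataclass
class Event:
    """Common schema every device's line is normalised into."""
    ts: datetime
    device: str
    src: str
    dst: str
    kind: str

# Hypothetical line formats for the two device types in the sample above.
FW_RE = re.compile(r"^(\S+) (\S+) DENY (\w+) (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):\d+$")
IDS_RE = re.compile(r"^(\S+) (\S+) ALERT (\w+) src=(\S+) dst=(\S+)$")

def normalize(line):
    """Map a vendor-specific line onto the common Event schema; None if unparseable."""
    m = FW_RE.match(line)
    if m:
        ts, dev, proto, src, dst = m.groups()
        return Event(datetime.fromisoformat(ts), dev, src, dst, "deny-" + proto)
    m = IDS_RE.match(line)
    if m:
        ts, dev, sig, src, dst = m.groups()
        return Event(datetime.fromisoformat(ts), dev, src, dst, "ids-" + sig)
    return None

def correlate(events, window=timedelta(minutes=5), min_devices=2):
    """Group events that share a source address inside a time window.

    A group only becomes an incident when at least `min_devices` distinct
    reporting devices saw it: that cross-device agreement is the correlation,
    and it is what turns many raw lines into one incident."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_src[e.src].append(e)
    incidents = []
    for src, evs in by_src.items():
        start, bucket = evs[0].ts, []
        for e in evs + [None]:          # trailing None flushes the last bucket
            if e is not None and e.ts - start <= window:
                bucket.append(e)
                continue
            devices = {b.device for b in bucket}
            if len(devices) >= min_devices:
                incidents.append({"src": src, "dst": sorted({b.dst for b in bucket}),
                                  "events": len(bucket), "devices": sorted(devices)})
            if e is not None:
                start, bucket = e.ts, [e]
    return incidents

def advisory(incident, acl=101):
    """Suggested (not applied) mitigation: a Cisco-style extended ACL entry blocking the source."""
    return f"access-list {acl} deny ip host {incident['src']} any"

def run(lines=RAW_LOGS):
    """Normalise, correlate and produce advisories; returns counts for the reduction."""
    events = [e for e in map(normalize, lines) if e is not None]
    incidents = correlate(events)
    return {"raw": len(lines), "events": len(events), "incidents": incidents,
            "advisories": [advisory(i) for i in incidents]}

if __name__ == "__main__":
    r = run()
    print(f"{r['raw']} raw lines -> {len(r['incidents'])} incident(s)")
    for adv in r["advisories"]:
        print("advisory:", adv)
```

Run stand-alone it reports seven raw lines reduced to one incident (the scanner at 203.0.113.7 seen by both `fw1` and `ids1`) and prints the suggested ACL line; the two lone events are left as noise because only one device reported them. The point a practitioner should take from it is the shape of the pipeline, normalise then correlate then advise, and the fact that the advisory is a human decision point: a real deployment would want a review step before any ACL, shun or TCP reset is pushed to a device.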
