Network security is constantly evolving. There are so many players developing so many security systems to make companies secure. We have technologies that inspect millions of packets as they pass through a huge network, examining things such as Layer 7 information, aware of application standards and how they should be formatted, even before those packets reach their destination. We have sensors strategically positioned in the network with thousands of signatures loaded into their memory, trying to catch attacks as they occur. We have behavior pattern agents loaded onto the endpoints, adding a big extra layer of security for whatever traffic passes uninspected by our network watchguards. We have mail gateways, web-specific firewalls, corporate antivirus, and routers with extra integrated security features. I do have to mention network admission control, which companies today rank as a top technology: it helps them control who accesses their networks and how, enforcing their security policies by basically saying “if you do not comply with these policies, you won’t be able to access my network”. Well, I could spend a day just listing the security technologies that companies are using today.
No doubt all of these technologies, when well implemented, add the security mechanisms that companies rely on today. But no security technology or piece of equipment will ever fulfil its purpose without proper monitoring and procedures. And monitoring is what I want to talk about today.
If you could imagine how many logs and event messages all of the technologies mentioned above generate, you would be scared. For example, some IT guys think a firewall is a static thing: you configure its rules and then it’s done. I’m afraid it’s not. A firewall, among other things, is a control mechanism: it inspects packets and, guided by a set of rules (hopefully created and backed by a security policy), it allows or drops the packets as they arrive. If someone or something (a worm, perhaps) is trying to do something that is not allowed, the firewall will trigger its alarms and generate a lot of deny messages. Will these messages ever be analyzed? This is just one simple example. Now add 5 to 10 enterprise firewalls, IPS sensors located at every perimeter point, host intrusion protection, antivirus, network admission control and a self-adapting technology that makes the network intelligent enough to mitigate attacks by itself. With that in mind, ask yourself these questions: How many logs will all of these generate? Who will ever analyze them? Do I need a team of 10 to 20 security experts to analyze this? Those are tough questions that companies need to address when they think about the return on investment for all the security technologies they have acquired.
The answer lies in a very strong market segment today: Security Event Correlation and Analysis. Companies are investing millions in security, yet some of them lack a system capable of receiving security logs from different vendors and treating and correlating them in a way that system administrators can easily understand, so they can take the required actions and respond as fast as possible. Without such a system the result is: different interfaces, more people, more costs, more training.
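To make the two problems above concrete (firewall deny messages nobody reads, and logs from different vendors that need to be normalized before they can be correlated), here is a small added example in Python. It is not code from the article or from Cisco MARS; the two log formats, the device names, the addresses and the timestamps are all constructed for the illustration, and the detection rule (one source address denied many times on several distinct ports within a short window, regardless of which firewall logged it) is just one generic correlation rule that a practitioner would recognise, not a MARS rule.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample deny lines in two invented vendor formats (not real product output).
# The same source, 198.51.100.7, is denied by two different firewalls within seconds;
# 203.0.113.4 is denied twice, half an hour apart, which should not raise an alert.
SAMPLE_LOGS = [
    "2024-03-01T10:00:01 fw-edge-1 DENY proto=tcp src=198.51.100.7 dst=10.0.0.5 dport=22",
    "2024-03-01T10:00:02 fw-edge-1 DENY proto=tcp src=198.51.100.7 dst=10.0.0.5 dport=23",
    "Mar 1 10:00:03 fw-dc-2 drop tcp 198.51.100.7:51234 -> 10.0.0.9:3389",
    "Mar 1 10:00:04 fw-dc-2 drop tcp 198.51.100.7:51235 -> 10.0.0.9:445",
    "2024-03-01T10:00:05 fw-edge-1 DENY proto=udp src=198.51.100.7 dst=10.0.0.5 dport=161",
    "2024-03-01T10:00:09 fw-edge-1 DENY proto=tcp src=203.0.113.4 dst=10.0.0.5 dport=443",
    "Mar 1 10:30:00 fw-dc-2 drop tcp 203.0.113.4:40000 -> 10.0.0.9:443",
]

# "Vendor A": ISO timestamp and key=value fields (invented format).
VENDOR_A = re.compile(
    r"^(?P<ts>\S+) (?P<dev>\S+) DENY proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)
# "Vendor B": syslog-style timestamp without a year and positional fields (invented format).
VENDOR_B = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) (?P<dev>\S+) drop (?P<proto>\w+) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
SYSLOG_YEAR = 2024  # assumption: vendor B omits the year, so we supply one


def normalize(line):
    """Parse one raw line from either vendor into a common record; None if unrecognised."""
    m = VENDOR_A.match(line)
    if m:
        ts = datetime.fromisoformat(m["ts"])
    else:
        m = VENDOR_B.match(line)
        if not m:
            return None
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=SYSLOG_YEAR)
    return {
        "ts": ts, "device": m["dev"], "proto": m["proto"],
        "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]), "action": "deny",
    }


def correlate(records, window=timedelta(minutes=5), min_denies=4, min_ports=3):
    """Per source address, find the densest sliding window of denies and alert when it
    holds at least `min_denies` denies on at least `min_ports` distinct ports.
    Because records are normalized first, denies from different firewalls are counted together."""
    by_src = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_src[r["src"]].append(r)

    alerts = []
    for src, recs in by_src.items():
        best, start = [], 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            if end - start + 1 > len(best):
                best = recs[start:end + 1]
        ports = {r["dport"] for r in best}
        if len(best) >= min_denies and len(ports) >= min_ports:
            alerts.append({
                "src": src,
                "denies": len(best),
                "ports": sorted(ports),
                "devices": sorted({r["device"] for r in best}),
                "first": best[0]["ts"],
                "last": best[-1]["ts"],
            })
    return alerts


def analyze(lines):
    """Normalize raw lines and run the correlation rule; returns (records, alerts)."""
    records = [r for r in (normalize(line) for line in lines) if r]
    return records, correlate(records)


if __name__ == "__main__":
    recs, alerts = analyze(SAMPLE_LOGS)
    print(f"{len(recs)} normalized deny events")
    for a in alerts:
        print(f"ALERT {a['src']}: {a['denies']} denies on ports {a['ports']} "
              f"seen by {a['devices']} between {a['first']} and {a['last']}")
```

The point is the split between the two functions: `normalize` absorbs every vendor’s format into one record shape, so `correlate` can reason about a source address across all firewalls without knowing which product logged it. Thresholds like the window and the port count are the tuning knobs the article discusses later, and a real correlator would also have to decide what to do when a source’s deny rate exceeds what the box can ingest.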
Strong players are involved today, and without much comparison I would just like to talk about Cisco MARS. I’ve been implementing projects using this product for quite a while, and Cisco is really working to constantly improve it. Cisco MARS is not just an event correlation box, it is also a response system, which means it not only treats security events, it also helps the security administrator respond to attacks as they occur. It comes as a very powerful appliance with a customized OS and an integrated Oracle database. And when I say powerful, I do mean powerful. I’ve seen a lot of other security correlation boxes that lack system resources and a reliable, fast database. That’s not the case with MARS. If you dig a little into Cisco’s website you will find an EPS (Events Per Second) calculator that will help you choose which appliance is the right one for your scenario.
Back to the scenario described above, with lots of security products. How would MARS be the answer for that scenario? First of all, you need to know what kind of events your security products generate. After that, you will need to know whether those products (the sum of all of them) exceed the amount of EPS that a single MARS can take. You really need to take that into consideration, because you don’t want an attack to occur and go undetected by your security team because the MARS was overloaded at the time (and that is a normal thing to happen during an attack: attackers attempt to overload the detection systems in order to disguise their attack in a huge load of events). So if you have to, buy more boxes. Will it add more administration burden? Read on. Cisco has an excellent solution for multiple MARS deployments, offering a single monitoring and response interface. Remember, ROI is the key. One thing people always ask me is whether MARS is only compatible with Cisco products. The answer is no. MARS can analyze web logs, database logs, antivirus logs, and firewall and IPS logs from other vendors, and you can even create an integration for an unsupported product, making it compatible with MARS (I won’t lie, it will take some effort, but when it’s done, it will work beautifully).
Another cool thing about MARS is that it is network topology aware. That means it can integrate with network equipment in order to respond quickly to attacks. Even before your security team discusses where to contain an attack, it automatically shows mitigation points in the network, letting administrators see graphically where the attack is coming from, and it offers a mitigation button with command suggestions to be pushed to the equipment. You can even configure the appliance for automatic attack mitigation: Cisco has developed something called the “Automitigate” feature, which makes MARS carry out that mitigation process without administrator action. Reports are also very much required, and MARS does not fall short there. MARS has a lot of pre-defined reports to help managers, administrators and consultants see the security activity on the network.
The configuration process will demand some time to tune the correlation rules and also the false-positive rules. Even though Cisco does a pretty good job with its “generic” rules, I must say that every network has its own reality, so you must put your hands on the product to make it show exactly what you need it to show you. MARS also has a built-in vulnerability scanner to help administrators reduce the false-positive messages typically generated by IPS sensors, but don’t worry if you have your own vulnerability scanner tool: MARS accepts reports from it (check compatibility first).
I am currently developing a security architecture for one very large oil company’s office. I don’t have to mention that they will have a lot of security products, since they are concerned about information leaks. Those products will be placed across different sites and will generate a large amount of events. MARS will be a key element in this project because of its capacity to do what we call global correlation, using its hierarchical architecture. What that means is that we will have different MARS appliances distributed across the network, correlating events from security products and servers and sending these correlated messages to a global MARS called the Global Controller. As I said before, security administrators will have a single monitoring and response interface. So, how many security experts will you need once all your security products are in place and a MARS solution is implemented in your network? My answer is none. Leave the implementation to experts, and leave the administration to security administrators, as few as possible. MARS will give your security administrators the right interface to monitor the security events, treat them, open security cases and easily respond, automatically or not, to threats as they occur.
I hope that gives you some background on the Security Event Correlation and Analysis business and on this great product, Cisco MARS. In my opinion, with the right security correlation product implemented, not only will it be the brain of your whole network security solution, but you will also get the best result from your security investment.
Nivon Silva, CCIE #19481 in Security and candidate for Double CCIE in R&S, CCSI #30851, MCSE, MCSA, has been in the IT business for the last 8 years. Nivon is a Senior Consultant and Technical Leader at Multirede, a multinational Cisco Solution Partner, designing and implementing network and security solutions across many countries. Nivon is also an official Cisco Systems Instructor delivering Cisco’s Security, Routing, Content Switching and WAN Acceleration courses, bringing real-life project experience to the classroom and tutoring students during their learning process.