Cisco MARS: What third-party lockout means for SIEM products

In November of 2009, Cisco Systems Inc. announced that its MARS security information and event management (SIEM) product would no longer support integration with third-party products. As such, should enterprises still consider MARS when looking at SIEM products, or is the vendor lock-in too high a price to pay? That's what we'll cover in this tip.

First, a little background: What is MARS? Quoting from Cisco's Frequently Asked Questions (FAQ), the vendor's Security Monitoring, Analysis and Response System, or MARS for short, is an "appliance-based, all-inclusive solution that allows network and security administration to monitor, identify, isolate and counter security threats." Basically, MARS is Cisco's attempt at a unified security monitoring and mitigation platform that allows the appliances within Cisco's security product portfolio to interact with each other and effectively address security threats in a timely manner (sometimes in real time).

Cisco MARS belongs to a family of products that has its roots in log management. A traditional log management platform attempts to provide a central repository for collecting events from servers, firewalls, switches, routers and even Web services. Most log management platforms come with a pretty robust parsing engine with some ability to trigger alerts on preset search signatures. These search signatures are highly customizable, providing extensive regular expression matching. To give you an example, search signatures could be set up to trigger alerts when accounts are created or deleted on systems, device configurations are modified or system failures take place, among others. This provides a pretty effective way to track down system or security events. These platforms also come with preconfigured alert packages that help organizations address compliance requirements like PCI DSS.

How is MARS different? MARS is a SIEM product, and, like other SIEM products, it offers baseline log management features and extends to provide intelligent threat analysis and threat mitigation capabilities on security events received from a wide variety of sources. It might be easier to understand where MARS fits into the enterprise by running through an example. Since a Cisco product is our focus, I have kept this example Cisco-centric.

Let's say Company A likes to stay informed on the latest security threats and has a robust security infrastructure to provide it visibility into various parts of its network. Company A has deployed a firewall with an inline intrusion prevention (IPS) module, and has also deployed a Web security gateway to provide traditional URL and reputation filtering with malware intelligence. This architecture is augmented by an endpoint security product that combines a host-based IPS with acceptable use policy enforcement and traditional antivirus protection. To disallow unauthorized systems from connecting to its network, the company also employs a network access control (NAC) system. Finally, Company A also hosts an ecommerce platform at a service provider.

As you can see, Company A likes to keep on top of security with point products addressing security at multiple levels. But having all these point products makes it difficult -- if not impossible -- to manage, monitor and mitigate security risks in a timely manner. In other words, Company A has rightly implemented a multi-layered security strategy, but the effectiveness and timeliness of its risk mitigation capabilities would be compromised by the sheer number of devices providing information. But by adding a SIEM product to the mix, Company A can use intelligent correlation to take the alerts and data from each of the point products that the company has in place, aggregate and normalize them to remove repeat entries (damping), and then apply built-in security rules to identify threats and effectively mitigate them. The last action -- the actual application of the rules -- is the most critical step to successfully identifying a security threat.

Now that we've discussed the security function that SIEM tools like Cisco's MARS provide, the question emerges: How crucial is third-party interoperability? The answer: very. As the point of SIEM technologies is to be able to correlate data from a variety of sources, a SIEM's inability to talk to some or any of those sources renders it marginally useful at best, and marginally useful is not reason enough to spend a significant amount of money on a SIEM.

While we can only speculate as to the strategic reasons behind its decision, the implications are clear: A report last year from Gartner Inc. found that Cisco MARS is no longer viable as a general purpose SIEM. Alternatively, Cisco seems to be pushing its broader "security threat management" approach using Cisco products while de-emphasizing compliance reporting with non-Cisco devices.

The big question now is whether an enterprise should limit itself to the Cisco platform or consider migrating to a more open platform. A key driver for this decision would be to determine how committed an enterprise already is to the Cisco platform. If most of the switching and routing fabric within an organization's network is Cisco-based, and future spend for perimeter defenses is already ear-marked for Cisco gear, then staying with Cisco might be a much easier decision to make. On the flip side, by polarizing the SIEM space (Cisco vs. non-Cisco), Cisco has opened itself up to the risk of traditional Cisco shops abandoning its platform altogether for not only more interoperability, but also to avoid losing the flexibility of negotiating pricing and the ability to effect product enhancements in the long term. It's perhaps one of the reasons why the SIEM market (separate of Cisco) has been so fluid and competitive in the past year.

For enterprises with multi-vendor security point products that are shopping around for a SIEM platform, I wouldn't recommend putting MARS on the short list of products to consider. Enterprises currently using MARS to monitor non-Cisco security devices should begin planning the transition to an alternative SIEM platform. This recommendation is in no way a criticism of MARS' abilities -- it is good at what it does -- but more so on its effectiveness at integrating third-party vendor's security products, which is crucial to an effective SIEM platform. By making the MARS platform Cisco-centric, Cisco is setting a precedent that enterprises should consider: Will it make other, future security products less interoperable? It's hard to say, but enterprises should consider that likelihood when evaluating future adoption of Cisco security products, especially if a desire to avoid potential interoperability issues is important.

While Cisco's decision to stop supporting third-party security event management sources might affect its adoption rate in the short term, it has the unintended positive effect on the greater market of pushing a lot of the competition to support more open platforms.

About the author:
Anand Sastry is a Senior Security Architect at Savvis Inc. Before joining Savvis, he worked for clients in several industries (large and mid-sized enterprises in financial, healthcare, retail and media) as a member of the security services group for a Big 4 consulting firm. He has experience in network and application penetration testing, security architecture design, wireless security, incident response and security engineering. He is currently involved with network and web application firewalls, network intrusion detection systems, malware analysis and distributed denial of service systems.

View the original article here