This page has moved to a new address.

Cisco MARS: What third-party lockout means for SIEM products

body { background:#aba; margin:0; padding:20px 10px; text-align:center; font:x-small/1.5em "Trebuchet MS",Verdana,Arial,Sans-serif; color:#333; font-size/* */:/**/small; font-size: /**/small; } /* Page Structure ----------------------------------------------- */ /* The images which help create rounded corners depend on the following widths and measurements. If you want to change these measurements, the images will also need to change. */ @media all { #content { width:740px; margin:0 auto; text-align:left; } #main { width:485px; float:left; background:#fff url("http://www.blogblog.com/rounders/corners_main_bot.gif") no-repeat left bottom; margin:15px 0 0; padding:0 0 10px; color:#000; font-size:97%; line-height:1.5em; } #main2 { float:left; width:100%; background:url("http://www.blogblog.com/rounders/corners_main_top.gif") no-repeat left top; padding:10px 0 0; } #main3 { background:url("http://www.blogblog.com/rounders/rails_main.gif") repeat-y; padding:0; } #sidebar { width:240px; float:right; margin:15px 0 0; font-size:97%; line-height:1.5em; } } @media handheld { #content { width:90%; } #main { width:100%; float:none; background:#fff; } #main2 { float:none; background:none; } #main3 { background:none; padding:0; } #sidebar { width:100%; float:none; } } /* Links ----------------------------------------------- */ a:link { color:#258; } a:visited { color:#666; } a:hover { color:#c63; } a img { border-width:0; } /* Blog Header ----------------------------------------------- */ @media all { #header { background:#456 url("http://www.blogblog.com/rounders/corners_cap_top.gif") no-repeat left top; margin:0 0 0; padding:8px 0 0; color:#fff; } #header div { background:url("http://www.blogblog.com/rounders/corners_cap_bot.gif") no-repeat left bottom; padding:0 15px 8px; } } @media handheld { #header { background:#456; } #header div { background:none; } } #blog-title { margin:0; padding:10px 30px 5px; font-size:200%; line-height:1.2em; } #blog-title a { text-decoration:none; color:#fff; } #description { margin:0; padding:5px 30px 10px; font-size:94%; line-height:1.5em; } /* Posts ----------------------------------------------- */ .date-header { margin:0 28px 0 43px; font-size:85%; line-height:2em; text-transform:uppercase; letter-spacing:.2em; color:#357; } .post { margin:.3em 0 25px; padding:0 13px; border:1px dotted #bbb; border-width:1px 0; } .post-title { margin:0; font-size:135%; line-height:1.5em; background:url("http://www.blogblog.com/rounders/icon_arrow.gif") no-repeat 10px .5em; display:block; border:1px dotted #bbb; border-width:0 1px 1px; padding:2px 14px 2px 29px; color:#333; } a.title-link, .post-title strong { text-decoration:none; display:block; } a.title-link:hover { background-color:#ded; color:#000; } .post-body { border:1px dotted #bbb; border-width:0 1px 1px; border-bottom-color:#fff; padding:10px 14px 1px 29px; } html>body .post-body { border-bottom-width:0; } .post p { margin:0 0 .75em; } p.post-footer { background:#ded; margin:0; padding:2px 14px 2px 29px; border:1px dotted #bbb; border-width:1px; border-bottom:1px solid #eee; font-size:100%; line-height:1.5em; color:#666; text-align:right; } html>body p.post-footer { border-bottom-color:transparent; } p.post-footer em { display:block; float:left; text-align:left; font-style:normal; } a.comment-link { /* IE5.0/Win doesn't apply padding to inline elements, so we hide these two declarations from it */ background/* */:/**/url("http://www.blogblog.com/rounders/icon_comment.gif") no-repeat 0 45%; padding-left:14px; } html>body a.comment-link { /* Respecified, for IE5/Mac's benefit */ background:url("http://www.blogblog.com/rounders/icon_comment.gif") no-repeat 0 45%; padding-left:14px; } .post img { margin:0 0 5px 0; padding:4px; border:1px solid #ccc; } blockquote { margin:.75em 0; border:1px dotted #ccc; border-width:1px 0; padding:5px 15px; color:#666; } .post blockquote p { margin:.5em 0; } /* Comments ----------------------------------------------- */ #comments { margin:-25px 13px 0; border:1px dotted #ccc; border-width:0 1px 1px; padding:20px 0 15px 0; } #comments h4 { margin:0 0 10px; padding:0 14px 2px 29px; border-bottom:1px dotted #ccc; font-size:120%; line-height:1.4em; color:#333; } #comments-block { margin:0 15px 0 9px; } .comment-data { background:url("http://www.blogblog.com/rounders/icon_comment.gif") no-repeat 2px .3em; margin:.5em 0; padding:0 0 0 20px; color:#666; } .comment-poster { font-weight:bold; } .comment-body { margin:0 0 1.25em; padding:0 0 0 20px; } .comment-body p { margin:0 0 .5em; } .comment-timestamp { margin:0 0 .5em; padding:0 0 .75em 20px; color:#666; } .comment-timestamp a:link { color:#666; } .deleted-comment { font-style:italic; color:gray; } .paging-control-container { float: right; margin: 0px 6px 0px 0px; font-size: 80%; } .unneeded-paging-control { visibility: hidden; } /* Profile ----------------------------------------------- */ @media all { #profile-container { background:#cdc url("http://www.blogblog.com/rounders/corners_prof_bot.gif") no-repeat left bottom; margin:0 0 15px; padding:0 0 10px; color:#345; } #profile-container h2 { background:url("http://www.blogblog.com/rounders/corners_prof_top.gif") no-repeat left top; padding:10px 15px .2em; margin:0; border-width:0; font-size:115%; line-height:1.5em; color:#234; } } @media handheld { #profile-container { background:#cdc; } #profile-container h2 { background:none; } } .profile-datablock { margin:0 15px .5em; border-top:1px dotted #aba; padding-top:8px; } .profile-img {display:inline;} .profile-img img { float:left; margin:0 10px 5px 0; border:4px solid #fff; } .profile-data strong { display:block; } #profile-container p { margin:0 15px .5em; } #profile-container .profile-textblock { clear:left; } #profile-container a { color:#258; } .profile-link a { background:url("http://www.blogblog.com/rounders/icon_profile.gif") no-repeat 0 .1em; padding-left:15px; font-weight:bold; } ul.profile-datablock { list-style-type:none; } /* Sidebar Boxes ----------------------------------------------- */ @media all { .box { background:#fff url("http://www.blogblog.com/rounders/corners_side_top.gif") no-repeat left top; margin:0 0 15px; padding:10px 0 0; color:#666; } .box2 { background:url("http://www.blogblog.com/rounders/corners_side_bot.gif") no-repeat left bottom; padding:0 13px 8px; } } @media handheld { .box { background:#fff; } .box2 { background:none; } } .sidebar-title { margin:0; padding:0 0 .2em; border-bottom:1px dotted #9b9; font-size:115%; line-height:1.5em; color:#333; } .box ul { margin:.5em 0 1.25em; padding:0 0px; list-style:none; } .box ul li { background:url("http://www.blogblog.com/rounders/icon_arrow_sm.gif") no-repeat 2px .25em; margin:0; padding:0 0 3px 16px; margin-bottom:3px; border-bottom:1px dotted #eee; line-height:1.4em; } .box p { margin:0 0 .6em; } /* Footer ----------------------------------------------- */ #footer { clear:both; margin:0; padding:15px 0 0; } @media all { #footer div { background:#456 url("http://www.blogblog.com/rounders/corners_cap_top.gif") no-repeat left top; padding:8px 0 0; color:#fff; } #footer div div { background:url("http://www.blogblog.com/rounders/corners_cap_bot.gif") no-repeat left bottom; padding:0 15px 8px; } } @media handheld { #footer div { background:#456; } #footer div div { background:none; } } #footer hr {display:none;} #footer p {margin:0;} #footer a {color:#fff;} /* Feeds ----------------------------------------------- */ #blogfeeds { } #postfeeds { padding:0 15px 0; }

Tuesday, November 2, 2010

Cisco MARS: What third-party lockout means for SIEM products

In November of 2009, Cisco Systems Inc. announced that its MARS security information and event management (SIEM) product would no longer support integration with third-party products. As such, should enterprises still consider MARS when looking at SIEM products, or is the vendor lock-in too high a price to pay? That's what we'll cover in this tip.

First, a little background: What is MARS? Quoting from Cisco's Frequently Asked Questions (FAQ), the vendor's Security Monitoring, Analysis and Response System, or MARS for short, is an "appliance-based, all-inclusive solution that allows network and security administration to monitor, identify, isolate and counter security threats." Basically, MARS is Cisco's attempt at a unified security monitoring and mitigation platform that allows the appliances within Cisco's security product portfolio to interact with each other and effectively address security threats in a timely manner (sometimes in real time).

Cisco MARS belongs to a family of products that has its roots in log management. A traditional log management platform attempts to provide a central repository for collecting events from servers, firewalls, switches, routers and even Web services. Most log management platforms come with a pretty robust parsing engine with some ability to trigger alerts on preset search signatures. These search signatures are highly customizable, providing extensive regular expression matching. To give you an example, search signatures could be set up to trigger alerts when accounts are created or deleted on systems, device configurations are modified or system failures take place, among others. This provides a pretty effective way to track down system or security events. These platforms also come with preconfigured alert packages that help organizations address compliance requirements like PCI DSS.

How is MARS different? MARS is a SIEM product, and, like other SIEM products, it offers baseline log management features and extends to provide intelligent threat analysis and threat mitigation capabilities on security events received from a wide variety of sources. It might be easier to understand where MARS fits into the enterprise by running through an example. Since a Cisco product is our focus, I have kept this example Cisco-centric.

Let's say Company A likes to stay informed on the latest security threats and has a robust security infrastructure to provide it visibility into various parts of its network. Company A has deployed a firewall with an inline intrusion prevention (IPS) module, and has also deployed a Web security gateway to provide traditional URL and reputation filtering with malware intelligence. This architecture is augmented by an endpoint security product that combines a host-based IPS with acceptable use policy enforcement and traditional antivirus protection. To disallow unauthorized systems from connecting to its network, the company also employs a network access control (NAC) system. Finally, Company A also hosts an ecommerce platform at a service provider.

As you can see, Company A likes to keep on top of security with point products addressing security at multiple levels. But having all these point products makes it difficult -- if not impossible -- to manage, monitor and mitigate security risks in a timely manner. In other words, Company A has rightly implemented a multi-layered security strategy, but the effectiveness and timeliness of its risk mitigation capabilities would be compromised by the sheer number of devices providing information. But by adding a SIEM product to the mix, Company A can use intelligent correlation to take the alerts and data from each of the point products that the company has in place, aggregate and normalize them to remove repeat entries (damping), and then apply built-in security rules to identify threats and effectively mitigate them. The last action -- the actual application of the rules -- is the most critical step to successfully identifying a security threat.

Now that we've discussed the security function that SIEM tools like Cisco's MARS provide, the question emerges: How crucial is third-party interoperability? The answer: very. As the point of SIEM technologies is to be able to correlate data from a variety of sources, a SIEM's inability to talk to some or any of those sources renders it marginally useful at best, and marginally useful is not reason enough to spend a significant amount of money on a SIEM.

While we can only speculate as to the strategic reasons behind its decision, the implications are clear: A report last year from Gartner Inc. found that Cisco MARS is no longer viable as a general purpose SIEM. Alternatively, Cisco seems to be pushing its broader "security threat management" approach using Cisco products while de-emphasizing compliance reporting with non-Cisco devices.

The big question now is whether an enterprise should limit itself to the Cisco platform or consider migrating to a more open platform. A key driver for this decision would be to determine how committed an enterprise already is to the Cisco platform. If most of the switching and routing fabric within an organization's network is Cisco-based, and future spend for perimeter defenses is already ear-marked for Cisco gear, then staying with Cisco might be a much easier decision to make. On the flip side, by polarizing the SIEM space (Cisco vs. non-Cisco), Cisco has opened itself up to the risk of traditional Cisco shops abandoning its platform altogether for not only more interoperability, but also to avoid losing the flexibility of negotiating pricing and the ability to effect product enhancements in the long term. It's perhaps one of the reasons why the SIEM market (separate of Cisco) has been so fluid and competitive in the past year.

For enterprises with multi-vendor security point products that are shopping around for a SIEM platform, I wouldn't recommend putting MARS on the short list of products to consider. Enterprises currently using MARS to monitor non-Cisco security devices should begin planning the transition to an alternative SIEM platform. This recommendation is in no way a criticism of MARS' abilities -- it is good at what it does -- but more so on its effectiveness at integrating third-party vendor's security products, which is crucial to an effective SIEM platform. By making the MARS platform Cisco-centric, Cisco is setting a precedent that enterprises should consider: Will it make other, future security products less interoperable? It's hard to say, but enterprises should consider that likelihood when evaluating future adoption of Cisco security products, especially if a desire to avoid potential interoperability issues is important.

While Cisco's decision to stop supporting third-party security event management sources might affect its adoption rate in the short term, it has the unintended positive effect on the greater market of pushing a lot of the competition to support more open platforms.

About the author:
Anand Sastry is a Senior Security Architect at Savvis Inc. Before joining Savvis, he worked for clients in several industries (large and mid-sized enterprises in financial, healthcare, retail and media) as a member of the security services group for a Big 4 consulting firm. He has experience in network and application penetration testing, security architecture design, wireless security, incident response and security engineering. He is currently involved with network and web application firewalls, network intrusion detection systems, malware analysis and distributed denial of service systems.


View the original article here

Labels: , , , , , ,

0 Comments:

Post a Comment

Feel Free to Leave Your Comments/Thoughts Below

<< Home