Cisco CS-MARS-20-K9 - Security MARS 20 User Manual page 31

Chapter 1
STM Task Flow Overview

Task 1. Inventory and review possible reporting devices, mitigation devices, and supporting devices.
Reporting devices provide logs about user and network activities and about device status and configuration. Mitigation devices can be used to respond to detected attacks; they also act as reporting devices. Supporting devices provide network services to reporting devices, mitigation devices, or a MARS Appliance.

Identifying which devices on your network to monitor depends on multiple factors, including their placement, the reporting they can provide relative to other devices on the same network segment, and the level of operation that you want to achieve from your MARS Appliance.

When considering which devices to declare as reporting devices and mitigation devices, be sure you know what data those devices provide to MARS. Simply adding all possible devices does not guarantee the best monitoring and mitigation strategy. Deliberate selection of the devices can reduce the MARS workload, resulting in improved detection and mitigation times, as well as improved false positive detection.

Because MARS only considers monitored devices, you should take care in identifying which devices to monitor. The following are only a couple of examples of the considerations you should make when identifying devices:

- Consider the types of logs and data available from reporting devices on specific network segments, and select those logs that provide the most complete picture of the activity on your network.

- Identify mitigation devices at natural chokepoints across each segment in your network. You are more likely to stop an attack if these mitigation devices are identified to MARS. When MARS identifies an attack, it studies the topology of your network to identify the best chokepoint; however, it only considers those devices that are monitored.

- Supporting devices can play an important role in the operation of your STM system. Therefore, you should inventory and review the supporting devices on your network that will play a role in the envisioned STM system, which include e-mail, AAA, DNS, and syslog servers.

Result: The list of devices that you want to monitor is complete. The details of each device include device name, reporting IP address, management IP address, management protocol, administrative account information, and the logging features, levels, and protocols to enable.
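The Result step above lists the details that must be known for every device before provisioning, and the considerations above say that every segment should have a mitigation device identified and that the supporting servers (e-mail, AAA, DNS, syslog) should be inventoried. The following script is an added example, not Cisco's code or part of the manual: it checks a device inventory kept as CSV against exactly those criteria. The column names, the role and service values, and the sample rows (which contain deliberate gaps) are constructed for this example and are not a MARS worksheet format.

```python
"""Completeness check for an STM device inventory kept as CSV.

Added example, not Cisco's code. The column names, role values, service
names and sample rows below are assumptions made for this example.
"""
import csv
import io
import ipaddress

# Details the Result step says must be known for every device.
REQUIRED_COLUMNS = (
    "device_name", "role", "segment", "reporting_ip", "management_ip",
    "management_protocol", "admin_account", "logging_features",
    "logging_level", "logging_protocol",
)
ROLES = {"reporting", "mitigation", "supporting"}
# Supporting services the task names explicitly (assumed spellings).
SUPPORTING_SERVICES = {"email", "aaa", "dns", "syslog"}

# Constructed sample inventory with deliberate gaps (documentation IPs).
SAMPLE_INVENTORY = """\
device_name,role,segment,reporting_ip,management_ip,management_protocol,admin_account,logging_features,logging_level,logging_protocol,service
edge-fw-1,mitigation,dmz,192.0.2.1,192.0.2.1,ssh,marsadmin,syslog;netflow,informational,syslog,
core-sw-1,reporting,core,198.51.100.2,198.51.100.2,snmp,marsadmin,syslog,notifications,syslog,
ids-1,reporting,dmz,192.0.2.7,,ssh,marsadmin,syslog,informational,syslog,
ns-1,supporting,core,198.51.100.53,198.51.100.53,ssh,marsadmin,,,,dns
bad-host,reporting,core,not-an-ip,198.51.100.9,telnet,marsadmin,syslog,debug,syslog,
"""


def validate_inventory(csv_text):
    """Return a list of findings (strings) for an inventory given as CSV text.

    Checks: required fields are present (logging fields only for devices
    that send logs, i.e. reporting and mitigation devices), IP addresses
    parse, roles are known, every segment has at least one mitigation
    device identified (chokepoint coverage), and every supporting service
    the task lists is inventoried somewhere.
    """
    findings = []
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    segments = {}        # segment name -> set of roles seen on it
    services_seen = set()
    for row in rows:
        name = row.get("device_name") or "<unnamed>"
        role = row.get("role", "")
        if role not in ROLES:
            findings.append(f"{name}: unknown role '{role}'")
        # Logging details only matter for devices that report to MARS.
        sends_logs = role in ("reporting", "mitigation")
        needed = [c for c in REQUIRED_COLUMNS
                  if sends_logs or not c.startswith("logging")]
        for col in needed:
            if not row.get(col):
                findings.append(f"{name}: missing {col}")
        for col in ("reporting_ip", "management_ip"):
            value = row.get(col)
            if value:
                try:
                    ipaddress.ip_address(value)
                except ValueError:
                    findings.append(f"{name}: {col} '{value}' is not an IP address")
        segments.setdefault(row.get("segment", ""), set()).add(role)
        if role == "supporting":
            services_seen.add(row.get("service", "").lower())
    # Chokepoint coverage: each segment should have a mitigation device.
    for segment, roles in sorted(segments.items()):
        if "mitigation" not in roles:
            findings.append(f"segment '{segment}': no mitigation device identified")
    # Supporting services the task lists that nobody has inventoried.
    for service in sorted(SUPPORTING_SERVICES - services_seen):
        findings.append(f"no supporting device inventoried for service '{service}'")
    return findings


if __name__ == "__main__":
    for finding in validate_inventory(SAMPLE_INVENTORY):
        print(finding)
```

Run against the sample, the script reports the missing management address on ids-1, the unparsable reporting address on bad-host, the core segment with no mitigation device, and the e-mail, AAA and syslog servers that are not yet inventoried; an inventory that clears every finding is the "Result" state the task describes.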
For more information, see:

- Selecting the Devices to Monitor, page 2-2
- Levels of Operation, page 2-1
- Deployment Planning Guidelines, page 2-1
- Device Inventory Worksheet, page 1-18, in Install and Setup Guide for Cisco Security Monitoring, Analysis, and Response System

User Guide for Cisco Security MARS Local Controller
78-17020-01
Checklist for Provisioning Phase
1-3