Cisco CS-MARS-20-K9 - Security MARS 20 User Manual page 45

Chapter 1
STM Task Flow Overview

• Audit involves logging and reporting activities that have taken place during other tasks. The goal of audit is to provide an account of the activities and responses to support compliance audits and trend analysis.

The first decision you must make is who will be responsible for mitigation at the selected choke points. Often, organizations separate specialized security devices from the core network infrastructure devices along organizational divisions. As an example, two separate teams, security operations and network operations, may be responsible for different network components or for different policies on shared devices. Before you roll MARS out on your network, ownership of the strategies for mitigation must be clearly defined in accordance with your corporate policies.

When it comes to a mitigation strategy, two options exist:

• You can rely on MARS to identify the choke point and accept the recommended CLI changes to block the detected attack.
• You can issue notifications and incident details to a responsible party who can evaluate the MARS recommendations, but ultimately that party will make the final decision about where and how to stop the detected attack.

Regardless of the option you choose, you should develop guidelines on how long an attack should be blocked, how to investigate an internal attack so that you can clean it up, who is responsible for updating the policies after the required quarantine period, and how records of such events should be maintained for audit compliance (for example, is the case management feature of MARS tied to your ticket integration system?).

Next, you should make a distinction in the type of monitoring that you should perform: system monitoring versus security monitoring. System monitoring involves monitoring not only the status of the MARS Appliance but also the health and status of the reporting devices and mitigation devices that MARS manages. Security monitoring focuses on network and security activity.

For both types of monitoring, you must decide what predefined and custom queries and reports are required, the processes for evaluating and responding to the data they reveal, and guidelines on using the case management features of MARS to manage the responses and track changes.

The last phase involves determining who should be notified when specific incidents are detected; for example, who is notified of device status incidents and who is notified of security-related incidents. You must identify your mitigation and remediation personnel, identify those responsible for monitoring (across organizations if necessary), and determine how notifications are to be generated and what they should look like. This involves selecting among methods, including SMS, pager alert, and e-mail, as well as deciding whether the notifications are based on incidents, queries, or reports.

Appliance-side Tuning Guidelines

Tuning on the MARS Appliance focuses on excluding selected traffic received from the reporting devices from inspection. Two primary techniques exist for appliance-side tuning:

• Drop rules. This technique involves dropping all events that match specific criteria received from a reporting device. This technique is the fastest and the least refined. As part of defining a drop rule, you can also specify whether to retain the event in the log or simply discard it. The advantage of drop rules is that the events are not processed by any inspection rules, which speeds up the processing of the appliance by reducing the potential workload.

Note
For releases 4.2.3 and earlier of MARS, you cannot define drop rules for a NetFlow-based event. For these releases, tuning of NetFlow events must be performed on the reporting device.

78-17020-01
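The following is an added example, not code from the Cisco manual and not the MARS data model or CLI: a small Python model of how drop rules sit in front of inspection rules. It shows the two outcomes the text describes (discard the event, or retain it in the log while still skipping inspection) and the release check the Note implies for NetFlow events. The `DropRule` fields, the `"discard"` and `"log_only"` action names, the `"netflow"` event type label and the sample events are all assumptions constructed for this illustration.

```python
"""Toy model of MARS-style appliance-side drop rules (added example, not
Cisco code). Events matching a drop rule never reach the inspection rules;
a rule either discards them or archives them for audit ("log_only")."""

import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DropRule:
    """Match criteria plus what to do with a matching event.
    A None criterion means 'any'. Field names and action names are
    assumptions for this example, not the MARS UI fields."""
    name: str
    reporting_device: Optional[str] = None
    event_type: Optional[str] = None
    source_net: Optional[str] = None
    action: str = "discard"          # "discard" or "log_only"

    def matches(self, event: dict) -> bool:
        if self.reporting_device and event.get("device") != self.reporting_device:
            return False
        if self.event_type and event.get("type") != self.event_type:
            return False
        if self.source_net:
            src = event.get("src")
            if src is None:
                return False
            if ipaddress.ip_address(src) not in ipaddress.ip_network(self.source_net):
                return False
        return True


@dataclass
class Result:
    inspected: List[dict] = field(default_factory=list)   # reached inspection rules
    archived: List[dict] = field(default_factory=list)    # dropped, but kept in the log
    discarded: int = 0                                    # dropped and thrown away


def version_tuple(release: str) -> tuple:
    """'4.2.3' -> (4, 2, 3) so releases compare numerically."""
    return tuple(int(p) for p in release.split("."))


def validate_rules(rules: List[DropRule], release: str) -> None:
    """Reject rules the appliance would not accept. The manual states that
    releases 4.2.3 and earlier cannot define drop rules for NetFlow events;
    representing NetFlow as event_type == "netflow" is this example's convention."""
    if version_tuple(release) <= (4, 2, 3):
        bad = [r.name for r in rules if r.event_type == "netflow"]
        if bad:
            raise ValueError(f"NetFlow drop rules are not supported in release {release}: {bad}")


def process(events: List[dict], rules: List[DropRule]) -> Result:
    """Apply drop rules before inspection. First matching rule wins."""
    result = Result()
    for ev in events:
        rule = next((r for r in rules if r.matches(ev)), None)
        if rule is None:
            result.inspected.append(ev)      # normal path: inspection rules run
        elif rule.action == "log_only":
            result.archived.append(ev)       # retained for audit, inspection skipped
        else:
            result.discarded += 1            # gone; no log record either
    return result


# Constructed sample events and rules (not real device output).
SAMPLE_EVENTS = [
    {"device": "fw-edge-1", "type": "deny", "src": "10.1.1.5", "dst": "192.0.2.10"},
    {"device": "fw-edge-1", "type": "deny", "src": "203.0.113.9", "dst": "192.0.2.10"},
    {"device": "ids-core-1", "type": "signature", "src": "10.1.1.5", "sig": "EXAMPLE-SIG"},
    {"device": "scanner-1", "type": "signature", "src": "10.9.9.9", "sig": "EXAMPLE-SIG"},
]

RULES = [
    # Events sourced from the authorized scanner subnet are pure noise: discard.
    DropRule("discard authorized scanner", source_net="10.9.9.0/24", action="discard"),
    # Internal denies on the edge firewall are not worth inspecting, but keep them for audit.
    DropRule("archive internal denies", reporting_device="fw-edge-1",
             event_type="deny", source_net="10.0.0.0/8", action="log_only"),
]


def run_demo(release: str = "4.3.1") -> Result:
    validate_rules(RULES, release)
    return process(SAMPLE_EVENTS, RULES)


if __name__ == "__main__":
    r = run_demo()
    print(f"inspected={len(r.inspected)} archived={len(r.archived)} discarded={r.discarded}")
```

Only the external deny and the IDS signature event reach inspection; the internal deny is archived without inspection and the scanner event is discarded outright. Because a discarded event leaves no record, the choice between the two actions is an audit decision as much as a performance one, which is why the surrounding text ties tuning to record-keeping guidelines.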
User Guide for Cisco Security MARS Local Controller
1-17