CISCO SECURITY MONITORING, ANALYSIS & RESPONSE SYSTEM

Date post: 19-Feb-2016
Page 1: CISCO SECURITY MONITORING, ANALYSIS & RESPONSE SYSTEM

© 2005 Cisco Systems, Inc. All rights reserved.

Page 2: Mandates and Disruptions

Mandates:
• Increase customer retention and acquisition
• Build systems around customer/partner access while preserving customer privacy
• Avoid downtime

Disruptions:
• Direct revenue losses: average $2,000,000 per incident; median 0.067% of revenue per incident
• Recovery costs: average $74,000 per incident; mean $6,000 per incident
• Frequency and duration: one incident per year; downtime 22 hours

[Chart: Internet business disruption loss rates (millions, $0 to $20) against number of incidents (1 to 10); series: median revenue losses and average recovery costs]

* Aberdeen Group, Automating Information Access Benchmark Research Report, September 2004

Page 3: Persistent Attacks and Zero-Day Threats

• Constant threat of attacks and zero-day threats
• Companies experience 30+ attacks per week
• Virus and worm attacks increasing at 11% annually
• Slammer infected 75,000 hosts in 11 minutes
• Network Computing estimates the cost per single incident of an unknown buffer overflow attack to be $98,306
• Variants, scripts, and automated tools essentially yield a persistent attack on open exposures

Page 4: Solutions to Overcome Disruptions

82%: prevention and avoidance; 9%: recovery and restoration; 9%: containment

[Bar chart, 0% to 60%, of solution categories by response type (Recover / Contain / Prevent / Uncertain): intrusion prevention for networks and/or hosts; security event correlation and management; firewalls at network gateways and/or PCs; threat assessment and management tools]

* Aberdeen Group, Automating Information Access Benchmark Research Report, September 2004

Page 5: Security Challenge = Business Problem

Four pressures that combine into a costly business dilemma:
• Network & security event noise: alarms, disconnected events, false positives, network anomalies
• Inefficient attack identification & response: un-prioritized blended attacks, day-zero attacks, worms... and network issues
• Compliance & audit mandates: Sarbox, HIPAA, GLBA, FISMA, Basel II... due care and process
• Never enough security staff: "after patching, putting out fires, investigation and remediation... produce the audit report"

Center of the diagram: Costly Business Dilemma; Mitigate Attacks

Page 6: Components of a Self-Defending Network

• Defense-in-depth
• Firewalls
• Proxies
• VPN
• Anti-virus
• Network IDS/IPS
• Host IDS/IPS
• Vulnerability assessment
• Patch management
• Policy compliance
• Router
• Switch
• Integrated management

Page 7: Security Operations Response

Reactive steps:
1. Escalated alert
2. Investigate
3. Coordinate
4. Mitigate

[Diagram: Network Operations and Security Operations feeding the cycle from separate sources: firewall, IDS/IPS, VPN, vulnerability scanners, authentication servers, router/switch, anti-virus, plus 10K Windows and hundreds of UNIX hosts]

Collect the network diagram, read and analyze tons of data, repeat... always too late.

Page 8: Introducing Cisco Security Monitoring, Analysis & Response System (CS-MARS)

• CS-MARS transforms raw network and security data into actionable intelligence used to identify and stop real security incidents, as well as maintain corporate compliance

• Network-intelligent correlation
• Incident validation
• Attack visualization
• Automated investigation
• Leveraged mitigation
• Compliance management
• High performance
• Low TCO

Page 9: CS-MARS Value Proposition

Alternative SIM approaches compared with CS-MARS Enterprise Threat Mitigation:

• Alternative: Centrally aggregate logs... limited event reduction and correlation
  CS-MARS: Integrated network intelligence for superior event aggregation, reduction, and correlation
• Alternative: No network intelligence... isolated device events
  CS-MARS: Events are dynamically NAT resolved, correlated, grouped, and validated
• Alternative: Basic alerts, workflow, and reports... lacks details for timely response
  CS-MARS: Visually depicts topology, valid incidents; attack path details with layer 2/3 leveraged mitigation
• Alternative: Costly to buy, deploy, maintain
  CS-MARS: Lowest TCO; immediate results, easy to use and cost-effective deployment
• Alternative: Poor performance; achieved with costly platforms and/or clustering
  CS-MARS: Full correlation in excess of 10,000 EPS and 300,000 flows/sec

Page 10: CS-MARS: "Know the Battlefield"

• Gain network intelligence: topology, traffic flow, device configuration, and enforcement devices
• ContextCorrelation™: correlates, reduces and categorizes events; validates incidents

[Funnel diagram: isolated events (router cfg., firewall log, switch cfg., switch log, server log, AV alert, app log, VA scanner, firewall cfg., NetFlow, NAT cfg., IDS event, ...) → correlation and reduction → sessions → rules → verify → valid incidents]

Page 11: CS-MARS: "Command and Control"

Page 12: CS-MARS: "Connect the Dots"

• SureVector™ Analysis: visible and accurate attack path; drill-down, full incident and raw event details; pinpoint the true sources of anomalous and attack behavior; more complete and accurate story

Example incident:
1. Host A port scans Target X
2. Host A buffer overflow attacks X, where X is behind a NAT device and where X is vulnerable to the attack
3. Target X executes password attacks against Target Y, located downstream from the NAT device

Page 13: CS-MARS "Leveraged Mitigation"

• Use control capabilities within your infrastructure
  Layer 2/3 attack path is clearly visible
  Mitigation enforcement devices are identified
  Exact mitigation command is provided

[Diagram: enforcement points: firewall, router, switch]
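The three-stage incident on Page 12, together with the NAT resolution, session reduction, rule match and verification steps sketched on pages 9 and 10 and the mitigation command of Page 13, can be shown end to end with a toy correlator. The Python below is an added example written for this page; it is not CS-MARS code. The log formats, sensor names, addresses, the VA-scanner result, the rule threshold and the IOS-style access-list it emits are all constructed assumptions for illustration.

```python
"""Added example (not CS-MARS code): NAT-resolved, multi-stage event correlation.

Pipeline, mirroring the slide's funnel: isolated events -> NAT resolution ->
sessions (reduction) -> rule match -> verify against VA data -> valid incident
with attack path and a suggested mitigation command.
All log formats, hosts and addresses below are constructed for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed firewall NAT log (hypothetical format): X is 10.1.1.20 inside,
# seen as 203.0.113.5 by sensors outside the firewall.
FIREWALL_LOG = """\
2005-03-01T10:00:01 fw1 NAT built inside:10.1.1.20/80 outside:203.0.113.5/80
2005-03-01T10:00:02 fw1 NAT built inside:10.1.1.20/22 outside:203.0.113.5/22
"""

# Constructed sensor events. The outside IDS reports the public address of X,
# the host sensor on X reports its private address; without NAT resolution
# these look like two unrelated hosts. The last line is unrelated noise.
EVENTS = """\
2005-03-01T10:00:05 ids-outside PORTSCAN src=198.51.100.7 dst=203.0.113.5
2005-03-01T10:00:40 ids-outside BUFFER_OVERFLOW src=198.51.100.7 dst=203.0.113.5 dport=80
2005-03-01T10:02:10 hids-x AUTH_FAILURE src=10.1.1.20 dst=10.1.2.30 dport=22
2005-03-01T10:02:11 hids-x AUTH_FAILURE src=10.1.1.20 dst=10.1.2.30 dport=22
2005-03-01T10:02:12 hids-x AUTH_FAILURE src=10.1.1.20 dst=10.1.2.30 dport=22
2005-03-01T10:05:00 ids-outside PORTSCAN src=192.0.2.9 dst=203.0.113.6
"""

# Constructed VA-scanner result used by the "verify" step: (host, port) -> finding.
VULNERABLE = {("10.1.1.20", 80): "exploitable web service"}

NAT_RE = re.compile(r"NAT built inside:(\S+)/\d+ outside:(\S+)/\d+")
EVENT_RE = re.compile(r"(\S+) (\S+) (\S+) src=(\S+) dst=(\S+)(?: dport=(\d+))?")


@dataclass
class Event:
    ts: str
    sensor: str
    kind: str
    src: str
    dst: str
    dport: Optional[int]


def nat_table(fw_log: str) -> dict:
    """Build outside-address -> inside-address map from firewall NAT records."""
    table = {}
    for line in fw_log.splitlines():
        m = NAT_RE.search(line)
        if m:
            table[m.group(2)] = m.group(1)
    return table


def parse_events(text: str, nat: dict) -> list:
    """Parse events and rewrite public addresses to the real inside host."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        ts, sensor, kind, src, dst, dport = m.groups()
        events.append(Event(ts, sensor, kind, nat.get(src, src), nat.get(dst, dst),
                            int(dport) if dport else None))
    return events


def sessions(events: list) -> dict:
    """Reduction: group events by (src, dst) so one talker/target pair is one session."""
    grouped = defaultdict(list)
    for e in events:
        grouped[(e.src, e.dst)].append(e)
    return dict(grouped)


def correlate(events: list, vulnerable: dict, auth_threshold: int = 3) -> list:
    """Rule: scan of X, then exploit of X on a port VA data confirms vulnerable,
    then X itself generating >= auth_threshold auth failures against a host Y.
    Returns valid incidents with the attack path A -> X -> Y."""
    incidents = []
    flows = sessions(events)
    for (src, x), flow in flows.items():
        scans = [e for e in flow if e.kind == "PORTSCAN"]
        exploits = [e for e in flow if e.kind == "BUFFER_OVERFLOW" and (x, e.dport) in vulnerable]
        if not (scans and exploits):
            continue  # recon without a verified exploit is not an incident
        for (vsrc, y), downstream in flows.items():
            fails = [e for e in downstream if e.kind == "AUTH_FAILURE"]
            if vsrc == x and len(fails) >= auth_threshold:
                incidents.append({
                    "attacker": src,
                    "victim": x,
                    "downstream_target": y,
                    "path": [src, x, y],
                    "events": len(scans) + len(exploits) + len(fails),
                    # Illustrative IOS-style ACL for the identified enforcement router;
                    # the command CS-MARS itself generates is not reproduced here.
                    "mitigation": f"access-list 101 deny ip host {src} any",
                })
    return incidents


if __name__ == "__main__":
    nat = nat_table(FIREWALL_LOG)
    evs = parse_events(EVENTS, nat)
    print(f"{len(evs)} raw events -> {len(sessions(evs))} sessions")
    for inc in correlate(evs, VULNERABLE):
        print("incident:", " -> ".join(inc["path"]), "|", inc["mitigation"])
```

Two things the example makes visible that the slides only assert: without the NAT table the outside IDS events against 203.0.113.5 and the host events from 10.1.1.20 never join into one path, and without the VA-scanner check the same rule would fire on a scan-plus-exploit pair against a host that is not actually vulnerable. Passing an empty vulnerability map returns no incident, which is the false-positive reduction the "verify" stage is meant to provide.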

Page 14: CS-MARS: Compliance Reports

• Popular reports with customization and distribution options
• Queries saved as rules or reports: intuitive framework (no SQL)

Page 15: CS-MARS: Correlation and Reduction

• Descriptive rule framework and incident details
• Significant consolidation

Page 16: The CS-MARS Advantage

• Superior functionality, lowest TCO
• Immediate results: quick install, out-of-box use, web-based HTML console; agentless capture, embedded Oracle®, no DBA necessary; supports popular network and security devices
• Optimized performance and scalability: rapid in-line processing, over 10,000 EPS with all features active; high-capacity RAID storage, continuous NFS archive; Global Controller supports distributed CS-MARS management

Page 17: CS-MARS Lineup

• Appliance convenience: complete integrated system; no additional hardware, platform, database, or agent software to purchase, install, and maintain
• No need to determine nodes, admins, agents or other licensing
• Hardened OS, role-based admin, and secure communications

Model          Events/sec   Flows/sec   RAID storage
CS-MARS 20          500       10,000    120GB (not RAID)
CS-MARS 50        1,000       25,000    240GB
CS-MARS 100e      3,000       75,000    750GB
CS-MARS 100       5,000      150,000    750GB
CS-MARS 200      10,000      300,000    1TB
CS-MARS GC           na           na    1TB

Page 18: Enterprise Threat Mitigation

• Empowers operators to maintain network availability
• Leverages network and security infrastructure
• Reduces noise and false alarms for better response
• Streamlines investigation, compliance and management
• Identifies significant, sophisticated, rapid threats
• Delivers return on security investment

CS-MARS: Effective. Efficient. Integrated.
