Loading ...
Sorry, an error occurred while loading the content.
 

REVIEW: "Security Monitoring with Cisco Security MARS", Gary Halleen/Greg Kellogg

Expand Messages
  • Rob, grandpa of Ryan, Trevor, Devon & Han
    BKSMMARS.RVW 20080204 Security Monitoring with Cisco Security MARS , Gary Halleen/Greg Kellogg, 2007, 1-58705-270-9, U$60.00/C$75.00 %A Gary Halleen %A
    Message 1 of 1 , Apr 28, 2008
      BKSMMARS.RVW 20080204

      "Security Monitoring with Cisco Security MARS", Gary Halleen/Greg
      Kellogg, 2007, 1-58705-270-9, U$60.00/C$75.00
      %A Gary Halleen
      %A Greg Kellogg
      %C 800 East 96th Street, Indianapolis, IN 46240
      %D 2007
      %G 978-1-58705-270-5 1-58705-270-9
      %I Cisco Press
      %O U$60.00/C$75.00 feedback@... 800-382-3419
      %O http://www.amazon.com/exec/obidos/ASIN/1587052709/robsladesinterne
      http://www.amazon.co.uk/exec/obidos/ASIN/1587052709/robsladesinte-21
      %O http://www.amazon.ca/exec/obidos/ASIN/1587052709/robsladesin03-20
      %O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
      %P 316 p.
      %T "Security Monitoring with Cisco Security MARS"

      Fair warning: these guys are into jargon. To even begin to approach
      this book you must know that CS-MARS is the Cisco Security Monitoring,
      Analysis, and Response System, which "performs" as an STM (Security
      Threat Mitigation) "solution." The introduction states that the work
      is intended for information security analysts charged with the
      monitoring and administration for firewalls and similar devices.
      (Usually that is the task of the administrator, not the analyst, but
      we'll let that pass.)

      Part one is an introduction to CS-MARS and security threat mitigation.
      Chapter one is a vague promotion for the MARS product. Even though it
      limits security incident management (SIM) to network events, it still
      claims the capability of countering frauds. Definitions of a number
      of terms such as event, incident, false positive, and mitigation are
      non-standard and therefore problematic, since the common understanding
      of the expressions may suggest that the authors are making claims
      which the technology cannot actually support. Regulatory challenges
      are covered in some depth in chapter two, including coverage of HIPAA
      (Health Insurance Portability and Accountability Act), the GLB (Gramm,
      Leach, Bliley) Act, the Sarbanes-Oxley Act, and the Payment Card
      Industry (PCI) standard. (Note the emphasis on American legislation
      and the financial industry.) Rather than the deployment scenarios
      promised by the title of chapter three (we do get a couple of brief
      stories at the end), the text is a kind of catalogue of CS-MARS
      products and size specifications.

      Part two is supposed to be about CS-MARS operations and forensics.
      Some generic advice about hardening the platform upon which the MARS
      product is running (mostly ports required by MARS and firewall
      rulesets) is in chapter four. Rules, reports, and queries are
      illustrated, in chapter five, mostly in terms of screenshots of the
      user interface, with little discussion of the implications of certain
      decisions. Some of the suggested "drop" rules, used incautiously,
      could eliminate most traffic through the system. The examination of
      incident investigation and forensics, in chapter six, lists
      preparation, identification, containment, repair, recovery, and
      debriefing as the major stages of the process, but really only deals
      with identification and containment. Chapter seven tells you to make
      a backup.

      Slightly more advanced topics are in part three. Chapter eight has
      screenshots showing the integration of MARS with the Cisco security
      manager product. There is a list of errors you might encounter while
      using the program, in chapter nine, but not much about how to solve
      any of the problems. Chapter ten is a promotional pamphlet for Cisco
      NAC (Network Admission Control) products. Screenshots demonstrating
      the use of the CS-MARS custom parser to look at data from other
      sources are printed in chapter eleven. Screenshots of using the
      CS-MARS global controller for a large implementation are in twelve.

      Overall, there is a great deal of promotion, and very little
      demonstration of product capability in this book. Basically what is
      being described is an intrusion detection system (IDS) with some added
      features. But it's being described in very awed tones.

      copyright Robert M. Slade, 2008 BKSMMARS.RVW 20080204


      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... slade@... rslade@...
      Materialists are Object-Oriented
      http://victoria.tc.ca/techrev/rms.htm
    Your message has been successfully submitted and would be delivered to recipients shortly.