REVIEW: "Security Monitoring with Cisco Security MARS", Gary Halleen/Greg Kellogg
- BKSMMARS.RVW 20080204
"Security Monitoring with Cisco Security MARS", Gary Halleen/Greg
Kellogg, 2007, 1-58705-270-9, U$60.00/C$75.00
%A Gary Halleen
%A Greg Kellogg
%C 800 East 96th Street, Indianapolis, IN 46240
%G 978-1-58705-270-5 1-58705-270-9
%I Cisco Press
%O U$60.00/C$75.00 feedback@... 800-382-3419
%O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P 316 p.
%T "Security Monitoring with Cisco Security MARS"
Fair warning: these guys are into jargon. To even begin to approach
this book you must know that CS-MARS is the Cisco Security Monitoring,
Analysis, and Response System, which "performs" as an STM (Security
Threat Mitigation) "solution." The introduction states that the work
is intended for information security analysts charged with the
monitoring and administration for firewalls and similar devices.
(Usually that is the task of the administrator, not the analyst, but
we'll let that pass.)
Part one is an introduction to CS-MARS and security threat mitigation.
Chapter one is a vague promotion for the MARS product. Even though it
limits security incident management (SIM) to network events, it still
claims the capability of countering frauds. Definitions of a number
of terms such as event, incident, false positive, and mitigation are
non-standard and therefore problematic, since the common understanding
of the expressions may suggest that the authors are making claims
which the technology cannot actually support. Regulatory challenges
are covered in some depth in chapter two, including coverage of HIPAA
(Health Insurance Portability and Accountability Act), the GLB (Gramm,
Leach, Bliley) Act, the Sarbanes-Oxley Act, and the Payment Card
Industry (PCI) standard. (Note the emphasis on American legislation
and the financial industry.) Rather than the deployment scenarios
promised by the title of chapter three (we do get a couple of brief
stories at the end), the text is a kind of catalogue of CS-MARS
products and size specifications.
Part two is supposed to be about CS-MARS operations and forensics.
Some generic advice about hardening the platform upon which the MARS
product is running (mostly ports required by MARS and firewall
rulesets) is in chapter four. Rules, reports, and queries are
illustrated, in chapter five, mostly in terms of screenshots of the
user interface, with little discussion of the implications of certain
decisions. Some of the suggested "drop" rules, used incautiously,
could eliminate most traffic through the system. The examination of
incident investigation and forensics, in chapter six, lists
preparation, identification, containment, repair, recovery, and
debriefing as the major stages of the process, but really only deals
with identification and containment. Chapter seven tells you to make
Slightly more advanced topics are in part three. Chapter eight has
screenshots showing the integration of MARS with the Cisco security
manager product. There is a list of errors you might encounter while
using the program, in chapter nine, but not much about how to solve
any of the problems. Chapter ten is a promotional pamphlet for Cisco
NAC (Network Admission Control) products. Screenshots demonstrating
the use of the CS-MARS custom parser to look at data from other
sources are printed in chapter eleven. Screenshots of using the
CS-MARS global controller for a large implementation are in twelve.
Overall, there is a great deal of promotion, and very little
demonstration of product capability in this book. Basically what is
being described is an intrusion detection system (IDS) with some added
features. But it's being described in very awed tones.
copyright Robert M. Slade, 2008 BKSMMARS.RVW 20080204
====================== (quote inserted randomly by Pegasus Mailer)
rslade@... slade@... rslade@...
Materialists are Object-Oriented