Cisco Info Center for Security Monitoring
© 2001, Cisco Systems, Inc. All rights reserved.

Presentation transcript:

1 Cisco Info Center for Security Monitoring

2 Problem Statement
“We have so many security-management consoles we can’t keep up with all of the information. We have firewalls that haven’t been updated in months and reams of security logs we haven’t sifted through. I really couldn’t tell you whether we’ve been hacked or not. I honestly don’t know.”
Security analyst of a large consumer goods company; quote from Information Week

3 Challenges of Security Management
(Diagram labels: Network IDS Switch Blades, Network IDS Appliances, Firewall Appliances, Firewall Switch Blades, IOS Routers)
- Current security solutions typically consist of multiple point products, each working independently
- Security devices generate massive volumes of events; most of them are not critical
- Sorting through them to determine whether they indicate a threat requires understanding the relationships among them
- Additional context is required to determine whether a problem exists and, if so, what action is required

4 Value Proposition: Wide Operational Monitoring Coverage
- Comprehensive monitoring: customers want a holistic view of their organizations’ security
- Coverage of firewalls, NIDSs and HIDSs, as well as information from throughout the IT infrastructure, such as smart cards, network-access logs, and user application login and access data
- Input from VPNs, antivirus software and various kinds of provisioning and access-control applications
- Monitor configuration updates, track failed operations, monitor resource utilization
- Security-relevant logs from SAP and other critical applications

5 Value Proposition: False Alarm Reduction
- Clear distinction between alarms that represent successful attacks and false alarms or unsuccessful attacks
- Based on vulnerability assessment, reduce the event priority if the target machine doesn’t have the at-risk software or if its antivirus software is prepared for the attack
- Most security alerts look a lot like performance or availability problems
- Need to monitor performance and network events as well as security events
- Integrate with other network management systems to distinguish attacks from natural phenomena

6 Value Proposition: Threat Response Tools
- Threat response automation: customers need to be able to take an incident or attack and address it in the proper way, in real time
- Automated investigation to determine: 1) Was the attack successful? 2) What can be done about it?
- Automatic collection and preservation of evidence
- In some cases the response to an attack is to shut down a firewall, a router or even part of a network
- Tools that can be launched from the event viewer
- The corrective action may also include reinstalling configuration files for devices that have been hacked

7 Value Proposition: Monitoring Configuration Changes
- Many hackers exploit the security infrastructure for their own ends, modifying configuration files to give themselves unlimited access
- Analysis of configuration changes to identify “suspicious changes”
- Distinguish changes triggered by the Domain Manager from those made over telnet

8 Additional Feature Benefits
- Event enrichment and customer impact analysis
- Prevent attacks and intrusions instead of merely detecting them after they’ve taken place
- Easier and less expensive way to deploy software patches to address vulnerabilities rapidly

9 Security Monitoring Architecture

10 Cisco Info Center Security Management Architecture Components
- Info Server
- Cisco Device Mediators (IDS, FW…)
- Cisco Universal Collector (Cisco CNS Notification Engine & Cisco CNS)
- Policy Manager / Impact (Security Policies)
- GW & Reports
- Webtop

11 Cisco Value Adds
- Rules, Filters, Views, Automations
- Cisco Universal Collector (CUC) & Cisco CNS
- Handle Config Change Events

12 Cisco Info Center Security Management Architecture
(Architecture diagram; labels recovered from the slide:)
- Collection protocols: RDEP, Syslog
- Cisco CNS Notification Engine (Deduplication and Correlation); Cisco CNS; Info Server
- Sources and probes: POP, VPN, IOS IDS, IOS FW, HIPS (Okena), CTR IDS, PIX FW, Cisco CNS Probe, Non-Cisco Probes, Other NE
- Integrations: Cisco IP Solution Center, Cisco Threat Response, Vulnerability Assessment, IP Address Management, Subscriber Management, PTC-MT, Other Domain Managers
- Policy Manager, Impact, Security Policies

13 Threat Analysis and Response Tools
(Diagram labels: Policy Manager; Cisco IP Solution Center; Event Collection -> Event Correlation & Aggregation -> Display / Automation; Reports)
1) Impact analysis
Threat Response Actions:
2) Retrieve forensic logs
3) Shut down network, or
4) Activate dormant IDS in IOS
5) Trigger Vulnerability Assessment
Integration with other Security Management Products: Cisco Threat Response, Vulnerability Assessment
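The false-alarm reduction rule of slide 5 (lower an event's priority when vulnerability-assessment data shows the target does not run the attacked software) and the deduplication, correlation and impact-analysis stages of slides 12 and 13 can be shown end to end in a short script. The Python below is an added illustration and is not Cisco Info Center code: the syslog-style event lines, the host inventory, the signature name, the priority scale and the correlation rule (one source reaching three or more distinct targets) are all constructed, simplified stand-ins for what the product's own mediators, vulnerability-assessment feed and rules would supply.

```python
"""Toy event pipeline: collect -> deduplicate -> VA-aware priority -> correlate.
Everything here (events, inventory, signature, thresholds) is constructed
for illustration; it is not the product's data model or rule set."""
import re
from dataclasses import dataclass, field

# Constructed sample feed: syslog-style lines from a hypothetical NIDS and firewall.
SAMPLE_EVENTS = [
    "2001-10-02T10:00:01 nids1 sig=IIS-UNICODE-TRAVERSAL src=203.0.113.7 dst=192.0.2.10 dport=80 sev=high",
    "2001-10-02T10:00:02 nids1 sig=IIS-UNICODE-TRAVERSAL src=203.0.113.7 dst=192.0.2.10 dport=80 sev=high",
    "2001-10-02T10:00:03 nids1 sig=IIS-UNICODE-TRAVERSAL src=203.0.113.7 dst=192.0.2.10 dport=80 sev=high",
    "2001-10-02T10:00:05 nids1 sig=IIS-UNICODE-TRAVERSAL src=203.0.113.7 dst=192.0.2.11 dport=80 sev=high",
    "2001-10-02T10:00:09 fw1 sig=DENY src=203.0.113.7 dst=192.0.2.12 dport=445 sev=low",
    "2001-10-02T10:00:10 fw1 sig=DENY src=203.0.113.7 dst=192.0.2.12 dport=445 sev=low",
]

# Constructed vulnerability-assessment inventory: what each target host runs.
VA_INVENTORY = {
    "192.0.2.10": {"os": "windows", "services": {"iis"}},
    "192.0.2.11": {"os": "linux", "services": {"apache"}},
    "192.0.2.12": {"os": "windows", "services": set()},
}

# Constructed mapping from a signature to the software it actually affects.
SIG_TARGETS = {"IIS-UNICODE-TRAVERSAL": {"iis"}}

SEV_PRIORITY = {"low": 1, "medium": 3, "high": 5}
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Event:
    ts: str
    sensor: str
    sig: str
    src: str
    dst: str
    dport: str
    sev: str
    count: int = 1
    priority: int = 0
    notes: list = field(default_factory=list)


def parse_line(line):
    """Event collection: one syslog-style line becomes one Event."""
    ts, sensor, rest = line.split(" ", 2)
    kv = dict(KV_RE.findall(rest))
    return Event(ts, sensor, kv["sig"], kv["src"], kv["dst"], kv["dport"], kv["sev"])


def deduplicate(events):
    """Collapse repeats of the same (sensor, sig, src, dst, dport) into one
    event carrying a count; the first occurrence keeps its timestamp."""
    seen = {}
    for ev in events:
        key = (ev.sensor, ev.sig, ev.src, ev.dst, ev.dport)
        if key in seen:
            seen[key].count += 1
        else:
            seen[key] = ev
    return list(seen.values())


def assign_priority(ev, inventory=VA_INVENTORY, sig_targets=SIG_TARGETS):
    """Slide 5's rule: start from sensor severity, then lower the priority when
    VA data shows the target does not run the software the signature attacks.
    Hosts or signatures with no VA data keep sensor severity: no assessment,
    no downgrade."""
    ev.priority = SEV_PRIORITY.get(ev.sev, 3)
    affected = sig_targets.get(ev.sig)
    host = inventory.get(ev.dst)
    if affected is None or host is None:
        ev.notes.append("no VA data; priority unchanged")
    elif host["services"] & affected:
        ev.notes.append("target runs affected software; priority kept")
    else:
        ev.priority = max(1, ev.priority - 3)
        ev.notes.append("VA: target not vulnerable; priority reduced")
    return ev


def correlate_sources(events, min_targets=3):
    """Correlation across point products: one source reaching several distinct
    targets, regardless of which sensor reported it, is flagged for impact analysis."""
    targets = {}
    for ev in events:
        targets.setdefault(ev.src, set()).add(ev.dst)
    return {src: sorted(d) for src, d in targets.items() if len(d) >= min_targets}


def run_pipeline(lines):
    """Returns prioritised, deduplicated events (highest first) and correlated sources."""
    events = [assign_priority(ev) for ev in deduplicate(parse_line(l) for l in lines)]
    events.sort(key=lambda e: e.priority, reverse=True)
    return events, correlate_sources(events)


if __name__ == "__main__":
    events, correlated = run_pipeline(SAMPLE_EVENTS)
    for ev in events:
        print(f"P{ev.priority} x{ev.count} {ev.sensor} {ev.sig} {ev.src}->{ev.dst}:{ev.dport}  "
              + "; ".join(ev.notes))
    for src, dsts in correlated.items():
        print(f"correlated: {src} reached {len(dsts)} hosts: {', '.join(dsts)}")
```

Running it collapses the six lines to three events: the three identical IDS alerts against the IIS host stay at priority 5, the same signature against the Apache host drops to 2 because the assessment says the target cannot be affected, and the firewall denies stay at 1 with no VA data to act on. The correlation step then reports the one source that reached all three hosts, which is the kind of cross-sensor relationship slide 3 says is needed to tell a threat from noise. A deliberate design point is that downgrading only happens when there is positive evidence the target is not vulnerable; unknown hosts keep sensor severity.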

14 Cisco Info Center Security Management Product Differentiators
- Enhance the Cisco Notification Engine to provide universal collection & integration to Cisco CNS for IDS and FW (IOS & PIX)
- Policy Manager enhancements: integrated security and VPN policies
- Cisco Threat Response integration (release 2)
- New tools (release 2)
- Auto-configuration of devices in response to a threat (Cisco IP Solution Center)
- Troubleshooting & diagnostics

15 Cisco Info Center Security Management Summary
- Collection, consolidation & analysis of data generated across Cisco security tools
- Correlate disparate events
- Provides historical security reports for ongoing analysis
- Centralized security monitoring

