Cisco Security Monitoring, Analysis, and Response System

Cisco MARS
Developer	Cisco Systems
Working state	End-Of-Support
Source model	Closed source
Latest release	Cisco Security MARS Appliance 6.2.2 / May 12, 2014;3 years ago
Available in	English
Default user interface	Graphical user interface
Official website	Cisco MARS

Last updated March 20, 2019

Cisco Security Monitoring, Analysis, and Response System (MARS) was a security monitoring tool for network devices. Together with the Cisco Security Manager (CSM) product, MARS made up the two primary components of the Cisco Security Management Suite.

MARS was an appliance-based solution that provided insight and control of existing security deployments. It could monitor security events and information from a wide variety of sources, including third-party devices and hosts. The correlation engine in MARS could identify anomalous behavior and security threats and could use large amounts of information collected for forensics analysis and compliance reporting.

Features

Learns the topology, configuration and behavior of your environment
Automatically updates knowledge of new Cisco IPS signatures, for up to the minute reporting on your environment
Promotes awareness of environmental anomalies with network behavior analysis using NetFlow and syslog
Provides simple access to audit compliance reports with more than 150 ready-to-use customizable reports
Makes precise recommendations for threat mitigation, including the ability to visualize the attack path and identify the source of the threat with detailed topological graphs that simplify security response at Layer 2 and Layer 3
Integrates with the Cisco Security Manager to correlate security events with the configured firewall rules and intrusion prevention system (IPS) signatures that can affect the security event.

Supported Types

MARS centrally aggregates logs and events from a wide range of popular devices:

network devices (such as routers and switches)
security devices and applications (such as firewalls, intrusion detection systems vulnerability scanners, and antivirus software)
hosts (such as Microsoft Windows, Sun Microsystems Solaris, and Linux syslog)
server-based applications (such as databases, Web servers, and authentication servers)
- Note: Web logging is only supported on hosts running Microsoft IIS on Windows, Apache on Solaris or Linux, or iPlanet on Solaris.^[1]
  - Note: Hosts running Microsoft IIS on Windows need to run InterSect Alliance SNARE for IIS, from which MARS receives web log data.^[2]
Snare is a collection of software tools that collect audit log data from a variety of operating systems and applications to facilitate centralised log analysis. Enterprise Agents are available for Linux, OSX, Windows, Solaris, Microsoft SQL Server, a variety of browsers, and more. Snare Enterprise Epilog for Windows facilitates the central collection and processing of Windows text-based log files such as ISA/IIS. Snare Enterprise Epilog for Unix provides a method to collect any text based log files on the Linux and Solaris operating systems. Opensource Agents are available for Irix and AIX.
network traffic (such as Cisco NetFlow).

Router (computing) Device that forwards data packets between computer networks, creating an overlay internetwork

A router is a networking device that forwards data packets between computer networks. Routers perform the traffic directing functions on the Internet. Data sent through the internet, such as a web page or email, is in the form of data packets. A packet is typically forwarded from one router to another router through the networks that constitute an internetwork until it reaches its destination node.

In computing, a firewall is a security network system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. A firewall typically establishes a barrier between a trusted internal network and untrusted external network, such as the Internet.

A vulnerability scanner is a computer program designed to assess computers, networks or applications for known weaknesses. In plain words, these scanners are used to discover the weaknesses of a given system. They are utilized in the identification and detection of vulnerabilities arising from mis-configurations or flawed programming within a network-based asset such as a firewall, router, web server, application server, etc. Modern vulnerability scanners allow for both authenticated and unauthenticated scans. Modern scanners are typically available as SaaS ; provided over the internet and delivered as a web application. The modern vulnerability scanner often has the ability to customize vulnerability reports as well as the installed software, open ports, certificates and other host information that can be queried as part of its workflow.

Related Research Articles

An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Any malicious activity or violation is typically reported either to an administrator or collected centrally using a security information and event management (SIEM) system. A SIEM system combines outputs from multiple sources, and uses alarm filtering techniques to distinguish malicious activity from false alarms.

Network security consists of the policies and practices adopted to prevent and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources. Network security involves the authorization of access to data in a network, which is controlled by the network administrator. Users choose or are assigned an ID and password or other authenticating information that allows them access to information and programs within their authority. Network security covers a variety of computer networks, both public and private, that are used in everyday jobs; conducting transactions and communications among businesses, government agencies and individuals. Networks can be private, such as within a company, and others which might be open to public access. Network security is involved in organizations, enterprises, and other types of institutions. It does as its title explains: It secures the network, as well as protecting and overseeing operations being done. The most common and simple way of protecting a network resource is by assigning it a unique name and a corresponding password.

Snort is a free open source network intrusion detection system (IDS) and intrusion prevention system (IPS) created in 1998 by Martin Roesch, former founder and CTO of Sourcefire. Snort is now developed by Cisco, which purchased Sourcefire in 2013, at which Roesch is a chief security architect.

Cisco PIX was a popular IP firewall and network address translation (NAT) appliance. It was one of the first products in this market segment.

In computing, syslog is a standard for message logging. It allows separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them. Each message is labeled with a facility code, indicating the software type generating the message, and assigned a severity level.

In computer log management and intelligence, log analysis is an art and science seeking to make sense out of computer-generated records. The process of creating such records is called data logging.

OSSEC is a free, open-source host-based intrusion detection system (HIDS). It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting, and active response. It provides intrusion detection for most operating systems, including Linux, OpenBSD, FreeBSD, OS X, Solaris and Windows. OSSEC has a centralized, cross-platform architecture allowing multiple systems to be easily monitored and managed. OSSEC has a log analysis engine that is able to correlate and analyze logs from multiple devices and formats.

A virtual security switch is a software Ethernet switch with embedded security controls within it that runs within virtual environments such as VMware vSphere, Citrix XenDesktop, Microsoft Hyper-V and Virtual Iron. The primary purpose of a virtual security switch is to provide security measures such as isolation, control and content inspection between virtual machines.

Information Technology Specialist or Information Systems Operator-Analyst is a Military Occupational Specialty (MOS) in the United States Army. Information Technology Specialists have the responsibility of maintaining, processing and troubleshooting military computer systems and operations.

An information security operations center is a facility where enterprise information systems are monitored, assessed, and defended.

Aanval is a commercial SIEM product designed specifically for use with Snort, Suricata, and Syslog data. Aanval has been in active development since 2003 and remains one of the longest running Snort capable SIEM products in the industry.

CimTrak is computer software for file integrity monitoring and regulatory compliance auditing. It assists in ensuring the availability and integrity of critical IT assets by detecting the root-cause and responding immediately to any unexpected changes to the host operating system, applications, and network devices located on the IT infrastructure. CimTrak works cross-platform and is supported on multiple Windows, Linux, Unix, and Macintosh operating systems. It is licensed as commercial software.

In computer networking, Cisco ASA 5500 Series Adaptive Security Appliances, or simply Cisco ASA, is Cisco's line of network security devices introduced in May 2005, that succeeded three existing lines of popular Cisco products:

Sagan is an open source (GNU/GPLv2) multi-threaded, high performance, real-time log analysis & correlation engine developed by Quadrant Information Security that runs on Unix operating systems. It is written in C and uses a multi-threaded architecture to deliver high performance log & event analysis. Sagan's structure and rules work similarly to the Sourcefire Snort IDS/IPS engine. This allows Sagan to be compatible with Snort rule management software and give Sagan the ability to correlate with Snort IDS/IPS data. Sagan can record events to the Snort "unified2" output format which makes Sagan compatible with user interfaces such as Snorby, Sguil, BASE and proprietary consoles

Rainer Gerhards is a German software engineer, network engineer, and protocol designer best known for his Computer data logging work including Rsyslog and Reliable Event Logging Protocol. He began developing Rsyslog in 2004, to forward log messages in an Internet Protocol Network from UNIX and Unix-like computer systems. In 1988, Gerhards founded the company RG Informationssysteme, which was later rebranded as Adiscon GmbH in 1997.

The following outline is provided as an overview of and topical guide to computer security:

Endian Firewall is an open-source router, firewall and gateway security Linux distribution developed by the South Tyrolean company Endian. The product is available as either free software, commercial software with guaranteed support services, or as a hardware appliance.

Octopussy, also known as 8Pussy, is a free and open-source computer-software which monitors systems, by constantly analyzing the syslog data they generate and transmit to such a central Octopussy server. Therefore, software like Octopussy plays an important role in maintaining an ISMS within ISO/IEC 27001-compliant environments.

IPFire is a hardened open source Linux distribution that primarily performs as a router and a firewall; a standalone firewall system with a web-based management console for configuration.

References

↑ "Cisco" . Retrieved 2009-02-25.
↑ "Cisco" . Retrieved 2009-02-25.

External links

Cisco Security Monitoring, Analysis and Response System product page

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] "Cisco" . Retrieved 2009-02-25.

[2] "Cisco" . Retrieved 2009-02-25.