So what is CS-MARS and why does it deserve a blog? CS-MARS (short for Cisco Security Monitoring, Analysis and Response System) is a security aggregation point for network devices. I could sit here and talk about all the blah blah that the PDFs on Cisco.com provide, but I think a visual tour of our implementation of MARS will best describe this powerful network security tool.
1) Incident Dashboard - The CS-MARS homepage for events. Shows the 5 most recent security events along with daily statistics and brief security diagrams.
2) Incident Listing - Here we see the most recent Incidents as recorded by MARS. You get all the basic information on the Incident triggered, and from here you drill into specific Incidents.
3) Rule View - Here we can see the rules that come built into the MARS system. There are currently 124 system rules. This sounds very minimal, but think of rules as the aggregation of multiple events (which we'll see soon). Rules are what generate incidents and can notify us.
4) Event View - Here is where we see the individual events that MARS recognizes coming from devices. As of version 4.2.1 there are over 16,000! These are the events that are triggered from logs/polling of the monitored devices. The events are then correlated against the above rules and grouped to form incidents that represent security events.
5) Incident Details - On the final part of this tour I'll drill into a specific incident. Here we see a supposed VPN attack that was successful. This was the result of a user, christine, failing login to our VPN endpoint, disconnecting, then connecting successfully. MARS detects this as a successful VPN password attack and generates an incident. As a network engineer I know this is a real user and that this incident is the result of a user mistyping credentials. In the event this user was not a real user, we would have an incident to now investigate further.
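To make the events-to-rules-to-incidents idea from steps 4 and 5 concrete, here is a small correlation engine I wrote for this post. It is an added illustration, not MARS code and not one of its 124 built-in rules: the log format, the rule name, the device name and the user activity are all constructed, and the threshold and time window are assumptions. It parses raw lines into normalized events, then applies one rule (an authentication failure followed by a success for the same user inside a time window) that produces an incident carrying the events behind it, which is what an analyst drills into.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog-style lines (not from a real device) in a simplified
# "<date> <time> <device> <kind> key=value ..." format.
SAMPLE_LOGS = [
    "2007-03-01 08:00:01 vpn-gw1 AUTH user=christine src=10.1.1.5 result=FAIL",
    "2007-03-01 08:00:05 vpn-gw1 AUTH user=christine src=10.1.1.5 result=FAIL",
    "2007-03-01 08:00:20 vpn-gw1 SESSION user=christine src=10.1.1.5 action=DISCONNECT",
    "2007-03-01 08:00:35 vpn-gw1 AUTH user=christine src=10.1.1.5 result=SUCCESS",
    "2007-03-01 09:15:00 vpn-gw1 AUTH user=bob src=10.1.1.9 result=SUCCESS",
]

LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<device>\S+) (?P<kind>\S+) (?P<kv>.*)$")


def parse_event(line):
    """Turn one raw log line into a normalized event dict; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "device": m.group("device"),
        "kind": m.group("kind"),
        **fields,
    }


def correlate_failed_then_success(events, window=timedelta(minutes=5), min_failures=1):
    """Hypothetical rule: at least min_failures AUTH failures for a user, followed by an
    AUTH success for that user within the window, raise one incident for that user.
    The incident keeps the contributing events so an analyst can review them."""
    failures = defaultdict(list)  # user -> recent failure events
    incidents = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] != "AUTH":
            continue  # SESSION and other event kinds do not feed this rule
        user = ev.get("user")
        if ev.get("result") == "FAIL":
            failures[user].append(ev)
        elif ev.get("result") == "SUCCESS":
            recent = [f for f in failures[user] if ev["ts"] - f["ts"] <= window]
            if len(recent) >= min_failures:
                incidents.append({
                    "rule": "VPN password attack succeeded (assumed rule name)",
                    "user": user,
                    "src": ev.get("src"),
                    "device": ev.get("device"),
                    "failures": len(recent),
                    "events": recent + [ev],
                })
            failures[user] = []  # a success closes the failure run either way
    return incidents


def incidents_from_logs(lines, **rule_args):
    """Full pipeline: raw lines -> parsed events -> incidents from the rule."""
    events = [e for e in (parse_event(line) for line in lines) if e]
    return correlate_failed_then_success(events, **rule_args)


if __name__ == "__main__":
    for inc in incidents_from_logs(SAMPLE_LOGS):
        print(f"{inc['rule']}: user={inc['user']} src={inc['src']} "
              f"failures={inc['failures']} events={len(inc['events'])}")
```

Run as-is, the christine sequence produces one incident backed by three events and bob's clean login produces none, mirroring the false positive described above. The two knobs a practitioner reaches for when a rule like this fires on ordinary typos are the window and `min_failures`; calling `incidents_from_logs(SAMPLE_LOGS, min_failures=3)` makes this particular sequence fall below the threshold without touching the parser.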
I hope this introduction showed how much power is behind this appliance. It's been a really exciting system to work on and I'm constantly learning more and more about the true capabilities of it. Now if I can just make it take my off-hour calls I'll be one happy network engineer...