Event Monitoring + Network Intelligence = A Centralized Approach to Security

A glut of security data is coming from multiple sources. Here’s how you can centralize, simplify, and enhance detection, evaluation, and mitigation.

Computer and network security technologies have become increasingly sophisticated to stay one step ahead of ever-evolving malicious behavior and the theft of assets and identity. With the array of different types of security devices and software available to small and medium-sized businesses (SMBs) today, the volume of data pouring into event logs that network administrators must assess can be overwhelming and often confusing. For example, a worm attack on a Web server might appear as multiple separate attacks that originate from different locations on the Internet.

Integrated Security

Besides the growing volume of event data that must be correlated, understood, and acted upon, a second challenge is the shift of security from Internet perimeter protection to an all-encompassing defense-in-depth model, in which multiple countermeasures are embedded in every layer of the network and integrated into every device.

Each security component offers its own isolated event log and alert features for anomaly detection, threat reaction, and forensics. Beyond the data volumes and alarms these components generate, administrators must distinguish real attacks from the false positives that appear in event logs every day as network access points and systems are probed for exploitable vulnerabilities. And government compliance guidelines—with requirements for data privacy, demonstrable improvements in operational security, and well-maintained audit processes—add to the pressure on the IT staff responsible for them.

The Self-Defending Network

Cisco has addressed many of the challenges of maintaining an effective security posture, including how an SMB can cope with the spiraling volume of security data from multiple sources. Cisco security solutions are based on the Cisco Self-Defending Network strategy, which integrates security throughout all facets of the network so that:

  • Every element in the network acts as a point of defense
  • Various components in the network work together to provide new means of protection
  • Innovative behavioral methods can be deployed to automatically recognize new types of threats as they arise

Faster, More Effective Threat Identification and Response

Among the many products and technologies that make the Self-Defending Network possible is the Cisco Security Monitoring, Analysis, and Response System (Cisco Security MARS). This appliance, available in six models that handle from 50 to 10,000 events per second:

  • Aggregates massive amounts of network and security data from popular network devices and security components
  • Correlates information about the network from routers, switches, firewalls, virtual private network (VPN) concentrators, and endpoint devices of various types and manufacturers
  • Processes threats and visually displays them in real time, down to the IP and MAC address and the nearest attached switch port, with views of the attack path through the network
  • Lets SMBs continue to derive value from existing security investments and lowers additional costs for add-ons by centralizing command and control
  • Can help reduce millions of security events to just a few actual reported network incidents
  • Recognizes and recommends mitigation for attacks before they can affect the network
  • Serves as a central repository for all events generated by security devices
  • Collects network device events and workstation and server logs in the repository and cross-correlates them to isolate the source or trajectory of problems
  • Provides auditing and packaged compliance reporting

Many first- and second-generation security products do some of the same things as Cisco Security MARS, but without the end-to-end network intelligence and attributes required to precisely identify and validate correlated events, pinpoint the paths of attack, and remove threats with precision. Cisco Security MARS also integrates with the Cisco Security Manager suite, so that traffic-related syslog messages can be mapped to the firewall policies defined in Cisco Security Manager that alert administrators to events.
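To make the aggregate-then-correlate idea above concrete, here is an added Python example (written for this page, not Cisco's or MARS's own logic): it normalises constructed firewall, IDS and web-server log lines into one schema, then collapses the burst of probes against a single server, which looks like several separate attacks in each individual log, into one incident that is reported only because more than one device type corroborated it. Device names, IP addresses, the log format and the five-minute window are all assumptions.

```python
# Toy multi-source event correlator: normalise firewall, IDS and server lines into one
# schema, then collapse events aimed at the same target within a time window into an incident.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines from three device types (not real logs).
SAMPLE_LOG = """\
2008-03-01T10:00:01 fw01 DENY tcp 203.0.113.5 -> 192.0.2.10:80
2008-03-01T10:00:02 ids01 ALERT http-worm-probe 203.0.113.5 -> 192.0.2.10:80
2008-03-01T10:00:03 fw01 DENY tcp 198.51.100.7 -> 192.0.2.10:80
2008-03-01T10:00:04 ids01 ALERT http-worm-probe 198.51.100.7 -> 192.0.2.10:80
2008-03-01T10:00:05 web01 GET /index.html 200 203.0.113.9 -> 192.0.2.10:80
2008-03-01T10:30:00 fw01 DENY tcp 203.0.113.77 -> 192.0.2.22:22
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<dev>\S+) (?P<msg>.+?) (?P<src>[\d.]+) -> (?P<dst>[\d.]+:\d+)$")

def parse_events(text):
    """Aggregation: map heterogeneous lines onto (ts, device, message, src, dst)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # unparsable lines are skipped rather than aborting the run
            d = m.groupdict()
            events.append((datetime.fromisoformat(d["ts"]), d["dev"], d["msg"], d["src"], d["dst"]))
    return events

def correlate(events, window=timedelta(minutes=5), min_devices=2):
    """Correlation: group events by target within `window`; keep groups seen by
    at least `min_devices` distinct devices so a lone firewall deny is not an incident."""
    groups = defaultdict(list)          # dst -> list of event runs
    for ev in sorted(events):
        runs = groups[ev[4]]
        if runs and ev[0] - runs[-1][-1][0] <= window:
            runs[-1].append(ev)
        else:
            runs.append([ev])
    incidents = []
    for dst, runs in groups.items():
        for run in runs:
            devices = {e[1] for e in run}
            if len(devices) >= min_devices:
                incidents.append({"target": dst, "events": len(run),
                                  "devices": sorted(devices),
                                  "sources": sorted({e[3] for e in run})})
    return incidents

if __name__ == "__main__":
    for inc in correlate(parse_events(SAMPLE_LOG)):
        print(inc)
```

On the sample data the five events against 192.0.2.10:80 become one incident with three source addresses, while the lone deny against 192.0.2.22:22 is filtered out as uncorroborated noise.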

Additional Purpose-Built Security Solutions

With constantly escalating threats to different network layers and devices, maintaining effective network security increasingly calls for specialized solutions. Depending on the characteristics of each SMB network, the following specialized Cisco security products, which complement Cisco Security MARS, may further improve security:

  • Cisco Adaptive Security Appliance (ASA) 5500 Series is a unified threat management platform that provides firewalling, SSL and IPsec VPN security, anti-virus services, and intrusion prevention services.
  • Cisco Integrated Services Routers (ISRs) with Cisco IOS Software Firewall tightly integrate defense-in-depth security between routers and the firewall.
  • Cisco ASA Advanced Inspection and Prevention (AIP) Module with the Cisco ASA 5500 Series provides proactive intrusion prevention services to recognize and stop malicious traffic from entering and damaging the network.