Course Description

Course Overview
The Cisco Security Monitoring, Analysis and Response System (CS-MARS) is part of the Cisco Security Management Suite. It provides security monitoring for network security devices and host applications from Cisco and non-Cisco vendors. In addition to the event correlation and data reduction features found in SIM products, CS-MARS provides topology awareness and automatic mitigation. Because it knows the network topology, CS-MARS can determine where an attack is originating and apply the appropriate remediation. CS-MARS is a key component of the Cisco Self-Defending Network strategy. CS-MARS exchanges information with CS-Manager to provide a unified security management solution. For example, an administrator can view the IPS signatures or the firewall block/permit syslog messages received from sensors or firewalls; CS-MARS communicates with CS-Manager and displays the corresponding IPS signature table or firewall rule table, from which the IPS signature or firewall rule can be modified as necessary. Together, CS-MARS and CS-Manager provide a unified management solution for monitoring and provisioning.

Objectives
Upon completing this course, the learner will be able to meet these overall objectives:
Use CS-MARS to monitor network security devices and host applications.
Understand the CS-MARS architecture and how CS-MARS processes events.
Know how to use the archive and restore features.
Use CS-MARS to run, create, and customize reports.
Use CS-MARS to investigate an incident and mitigate security threats.
Use CS-MARS to build a custom parser for devices that CS-MARS does not recognize.
Use CS-MARS to create and customize rules that detect darknet activity, following a best-practices example.
Know how to tune signatures and log levels on both the device side and the CS-MARS side.

Prerequisites
Cisco CCSP certified or equivalent knowledge
Passage of the Securing Cisco IOS Networks (SECUR) exam (642-501), the Securing Networks with Cisco Routers and Switches (SNRS) exam (642-502), or both
At least six months of practical experience configuring Cisco routers and security products
Familiarity with implementing network security policies and these networking components and concepts:
Perimeter security system components: Perimeter router, firewall, intrusion prevention system (IPS), virtual private network (VPN), and demilitarized zone (DMZ) host
Servers: Cisco Security Manager; syslog; authentication, authorization, and accounting (AAA); Cisco Secure Access Control Server (Cisco Secure ACS); and FTP
Protocols: syslog, Simple Network Management Protocol (SNMP), Secure Shell (SSH), FTP, and Telnet

Who Should Attend
Engineers who support sales of Cisco security product solutions
Cisco channel partners who sell, implement, and maintain secure networks
Cisco customers who implement and maintain secure networks

Course Outline

Lesson 1: Introducing Cisco Security Monitoring, Analysis, and Response System
Effective Security Monitoring and Management
Cisco Self-Defending Network and the Role of Cisco Security MARS
Cisco Security MARS
Cisco Security MARS Terminology
Cisco Security MARS Technologies
Cisco Security MARS User Interface
Cisco Security MARS Product Portfolio

Lesson 2: Understanding the System Architecture
Cisco Security MARS Software Components
Cisco Security MARS Process Flow Details

Lesson 3: Configuring a Cisco Security MARS Appliance
Initial Cisco Configuration Overview
Scenario: Configuration Tasks
Deployment Planning Guidelines

Lesson 4: Adding Reporting and Mitigation Devices
Overview of Reporting and Mitigation Devices
Scenario: Adding a Cisco Reporting Device and Enabling NetFlow
Data-Enabling Features of Cisco Security MARS
Integrating Cisco Security MARS with Third-Party Applications

Lesson 5: Viewing the Summary Page
Summary Page Overview
Dashboard
Network Status
My Reports
Scenario: Getting Information from the Summary Page

Lesson 6: Managing Rules
Rules Overview
Working with System and User Inspection Rules
Working with Drop Rules
Rule Groups Overview

Lesson 7: Understanding Queries and Reports
Query Page
Scenario: Configuring a Query
Reports Page
Scenario: Configuring a System Report

Lesson 8: Investigating and Mitigating Incidents
Incidents Overview
Incidents
Scenario: Role of Cisco Security MARS in Your Network
False Positives
Case Management
Scenario: Configuring a Case to Track an Incident
Configuring Notifications
Case Study: Preventing the W32 Blaster Worm

Lesson 9: Working with User-Defined Log Parser Templates
Overview of User-Defined Log Parser Templates
Scenario: Configuring a Custom Parser

Lesson 10: Integrating with Cisco Security Manager
Overview of Cisco Security Manager Policy Table Lookup
Scenario: Invoking Cisco Security Manager Policy Table Lookup from Cisco Security MARS

Lesson 11: Managing and Administering the System
Management Overview
Overview of System Maintenance Tasks
IPS Signature Dynamic Update Settings
Upgrading the Cisco Security MARS Appliance Software
Migrating Data from Cisco Security MARS 4.3.x to 5.3.x

Lesson 12: Troubleshooting and Optimizing Cisco Security MARS
Hardware Installation Issues
Device Configuration Issues
Global Controller-to-Local Controller Communications
Sizing Cisco Security MARS Deployment
Tuning Cisco Security MARS
Securing Cisco Security MARS

Lesson 13: Using the Cisco Security MARS Global Controller
Cisco Security MARS Global Controller Overview
Configuring the Cisco Security MARS Global Controller
Summary Tab
Incidents Tab
Queries and Reports
Rules Tab
Management Tab
System Maintenance Tab

Lesson 14: Course Review: Cisco Security MARS at Work
Cisco Security MARS At Work

Lab Outline
Pre-Lab Activity: Accessing the Remote Lab
Lab 3: Accessing the Cisco Security MARS Appliance
Lab 4-1: Adding Reporting Devices and Enabling NetFlow
Lab 4-2: Configuring the Syslog Forwarding Feature
Lab 5: Generating Summary Reports
Lab 6-1: Configuring Cisco Security MARS Event Types
Lab 6-2: Configuring an Inspection Rule
Lab 7: Performing a Query and Creating a Custom Report
Lab 8: Performing Incident Investigation and Mitigation
Lab 9: Configuring the Custom Parser
Lab 10: Performing Cisco Security Manager Policy Lookup
Lab 11-1: Reviewing the CLI and Upgrading the Device Version
Lab 11-2: Configuring IPS Auto Signature Download
Lab 11-3: Configuring AAA RADIUS Authentication and Working with the Account Locking and Session Timeout Menu
Lab 11-4: Retrieving Raw Messages