Implementing Cisco Security Monitoring, Analysis & Response System

COURSE OUTLINE:

Description

The Cisco Security Monitoring, Analysis and Response System (CS-MARS) is part of the Cisco Security Management Suite, which provides security monitoring for network security devices and host applications made by Cisco or non-Cisco providers. In addition to the event correlation and data reduction features found in SIM products, CS-MARS also provides topology awareness and automatic mitigation features. Because it knows the topology of the network, CS-MARS can determine where an attack is originating and apply the appropriate remediation. CS-MARS is a key component of the Cisco Self-Defending Network strategy. CS-MARS exchanges information with CS-Manager to provide a unified security management solution. For example, an administrator can view the IPS signatures or the firewall block/permit syslog messages received from sensors or firewalls; CS-MARS communicates with CS-Manager and displays the IPS signature table or firewall rule table, from which the IPS signature or firewall rule can be modified as necessary. Together, CS-MARS and CS-Manager provide a unified management solution for monitoring and provisioning.

Prerequisites
To fully benefit from this course, students should have the following prerequisite skills and knowledge:

  • Fundamental knowledge of implementing network security
  • CCNA Security Certification
  • CCSP or Security CQS and working knowledge of routing and switching

    Who should attend

    • Customer
    • Channel Partner/ Reseller
    • Employee

    Certifications

    This course is part of the following Certifications:

    • Cisco Certified Security Professional (CCSP)

    Prerequisites

    The following or equivalent knowledge is required before taking this course:

    • Securing Networks with ASA Fundamentals (SNAF)
    • Securing Networks with Cisco Routers & Switches (SNRS)

    Course Objectives

    Upon completing this course, you will be able to meet these objectives:

    • Use CS-MARS to monitor security devices and host applications.
    • Understand the CS-MARS architecture and how CS-MARS processes events.
    • Know how to use the archive and restore features.
    • Use CS-MARS to run, create and customize reports.
    • Use CS-MARS to investigate an incident and mitigate security threats.
    • Use CS-MARS to create custom parsers for devices CS-MARS does not natively support.
    • Use CS-MARS to create and customize rules that detect darknet traffic, following a best-practices example.
    • Know how to tune signatures and log levels on both the device side and the CS-MARS side.

    Course Content


    LESSON 1: CISCO SECURITY MARS OVERVIEW AND STM TASK FLOW

    • Deploy Cisco Security MARS as an STM system in your network
    • The Cisco Security MARS solution and its role in Cisco Threat Defense System Management

    LESSON 2: CISCO SECURITY MARS CONFIGURATION

    • Configure the network reporting devices to work with the Cisco Security MARS appliance
    • Configure Cisco reporting devices to work with the Cisco Security MARS appliance
    • Configure reporting devices from other vendors to work with the Cisco Security MARS appliance
    • Configure user-defined log parser templates on the Cisco Security MARS appliance

    LESSON 3: CISCO SECURITY MARS INCIDENT INVESTIGATION

    • Use the summary page menu to get an overview of your network
    • Configure the Cisco Security MARS appliance to send a notification
    • Examine the case management features that can capture, combine, and preserve user-selected Cisco Security MARS data within a specialized report called a case
    • Explore the process of incident investigation and attack mitigation on a Cisco Security MARS appliance

    LESSON 4: CISCO SECURITY MARS RULES AND MANAGEMENT

    • Perform system maintenance tasks on the Cisco Security MARS appliance
    • Features and functions of the Cisco Security MARS Global Controller
    • Configure rules that detect interesting patterns of network activity and other anomalous network behavior
    • Use the management features in the Cisco Security MARS appliance to add, edit, and delete event, IP addressing, service, and user information