Security Monitoring and Mitigation

OVERVIEW

CISCO SECURITY MONITORING, ANALYSIS AND RESPONSE SYSTEM (MARS)

The Cisco Security Monitoring, Analysis and Response System (Cisco Security MARS) is an appliance-based, all-inclusive solution that provides unmatched insight into and control of your existing security deployment. A key component of Cisco's security management lifecycle, Cisco Security MARS empowers your security and network organizations to identify, manage, and counter security threats. It leverages your existing network and security investments to identify and isolate offending elements and to recommend their precise removal. It also helps maintain internal policy compliance and can be an integral part of the overall regulatory compliance solution kit. The problems faced by security and network administrators are:

  • Security and network information overload
  • Poor attack and fault identification, prioritization, and response
  • Increased attack sophistication, velocity, and remediation costs
  • Meeting compliance and audit requirements
  • Moderate security staff and budgets

Cisco Security MARS addresses their needs by:

  • Integrating network intelligence to modernize correlation of network anomalies and security events
  • Visualizing validated incidents and automating investigation
  • Mitigating attacks by fully leveraging the network and security infrastructure
  • Monitoring systems, network, and security operations to aid in compliance
  • Delivering a scalable appliance that is easy to deploy and use, with the lowest TCO

Cisco Security MARS transforms raw network and security data into actionable intelligence used to counter valid security incidents and maintain compliance. This easy-to-use family of threat mitigation appliances enables operators to centralize, detect, mitigate, and report on priority threats by leveraging the network and security devices already deployed in your infrastructure.

THE DEFENSE-IN-DEPTH DILEMMA

Information security practices have evolved from Internet perimeter protection to a defense-in-depth model in which multiple countermeasures are layered throughout the infrastructure to address vulnerabilities and attacks. This is a necessity: increased attack frequency, diverse attack sophistication, and rapid attack velocity all blur the boundary between the network and the perimeter. Network access points and systems are probed thousands of times a day in attempts to exploit vulnerabilities. Modern blended/hybrid attacks use multiple and deceptive attack methodologies to gain unauthorized system access and control from outside and within organizations. The proliferation of worms, zero-day attacks, viruses, trojans, spyware, and attack tools challenges even the most fortified infrastructures, resulting in shorter reaction time, more downtime, and costly remediation. Beyond the sheer number of servers and network devices, each security component offers its own isolated event log and alert features for anomaly detection, threat reaction, and forensics. Unfortunately, this yields a tremendous volume of noise, alarms, log files, and false positives for operators to discern or effectively utilize, assuming the time and resources are available to parse and understand this information. In addition, compliance legislation requires strict data privacy, improved operational security, and maintained audit processes.

ADVANCING SECURITY INFORMATION MANAGEMENT

Security Information/Event Management (SIM) products logically seem to alleviate these problems; you can't manage what you can't measure. SIMs let operators centrally aggregate security events and logs, analyze this data through limited correlation and query techniques, and generate alarms and reports on isolated events.

Unfortunately, many first- and second-generation SIMs do not provide sufficient network intelligence and performance to precisely identify and validate correlated events, pinpoint attack paths, surgically remove threats, or sustain high event loads.

Cisco Systems addresses these security issues and management deficiencies with a family of scalable, enterprise threat mitigation appliances. Cisco Security MARS complements your network and security infrastructure investment by delivering a security command and control solution that is easy to deploy, easy to use, and cost-effective. Cisco Security MARS is a family of high-performance, scalable threat mitigation appliances that fortify deployed network devices and security countermeasures by combining network intelligence, ContextCorrelation™, SureVector™ analysis, and AutoMitigate™ capability, which together empower companies to readily identify, manage, and eliminate network attacks and maintain compliance.

CISCO SECURITY MARS KEY FEATURES AND BENEFITS

Network Intelligent Event Aggregation and Performance Processing

Cisco Security MARS obtains network intelligence by understanding the topology and device configurations of routers, switches, and firewalls, and by profiling network traffic. The system's integrated network discovery builds a topology map containing device configurations and current security policies, which enables Cisco Security MARS to model packet flows through your network. Since the appliance does not operate inline and makes minimal use of existing software agents, there is minimal impact on network or system performance.

The appliance centrally aggregates logs and events from a wide range of popular network devices (such as routers and switches), security devices and applications (such as firewalls, intrusion detection, vulnerability scanners, and anti-virus), hosts (such as Windows, Solaris and Linux syslogs), applications (such as databases, web servers, and authentication servers), and network traffic (such as Cisco Netflow).

ContextCorrelation™

As events and data are received, the information is normalized against the topology, discovered device configurations, same source and destination applications (across NAT boundaries), and similar attack types. Similar events are grouped into sessions in real time. System- and user-defined correlation rules are then applied to multiple sessions to identify incidents. The system ships with a full complement of pre-defined rules, frequently updated by Protego, that identify a majority of blended attack scenarios, zero-day attacks, and worms. A graphical rule definition framework simplifies the creation of user-defined custom rules for any application. ContextCorrelation significantly reduces raw event data, facilitates response prioritization, and maximizes results from deployed countermeasures.

High Performance Aggregation and Consolidation

The Cisco Security MARS solution captures thousands of raw events, efficiently classifies incidents with unprecedented data reduction, and compresses this information for archive. Managing the high volume of security events requires a secure and stable centralized logging platform. The Cisco Security MARS appliances are security hardened and optimized for receiving extremely high levels of event traffic: over 10,000 events per second or over 300,000 NetFlow events per second. This is made possible through patent-pending Protego in-line processing logic and an embedded Oracle® database. All database functionality and tuning is transparent to the user. On-board storage, plus continual compression of historical data archives to NFS secondary storage, makes Cisco Security MARS a sound security log/event aggregation solution.

Incident Visualization and Leveraged Mitigation

Cisco Security MARS helps to accelerate and simplify the process of threat identification, investigation, validation, and mitigation. Staff are often confronted with escalated events requiring time consuming analysis for resolution and remediation. Cisco Security MARS provides a powerful, interactive security management dashboard. The operator GUI provides a topology map comprised of real-time hotspots, incidents, attack paths, and drill-down investigation with full incident disclosure---allowing immediate verification of valid threats.

SureVector™ analysis processes similar event sessions to determine whether threats are valid or have already been countered, by assessing the entire attack path down to the end-point MAC address. This automated process analyzes device logs (such as those of firewalls and intrusion prevention applications) and third-party vulnerability assessment data, and uses Cisco Security MARS end-point scans, to eliminate false positives. Users can quickly fine-tune the system to further reduce false positives.

The end goal of any security program is to keep systems online and functioning properly; this equates to preventing security exposures, containing incidents, and facilitating remediation. With Cisco Security MARS, operators have a rapid means to understand all of the components involved in an attack, down to the MAC address of the offending and compromised systems. AutoMitigate™ capabilities identify available choke-point devices along the attack path and automatically provide the appropriate device commands that the user can employ to mitigate the threat. The results can be used to quickly and accurately prevent or contain an attack by leveraging the infrastructure.
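The ContextCorrelation, SureVector and AutoMitigate paragraphs above describe a pipeline: normalize events across a NAT boundary, group them into sessions, apply rules across sessions to raise incidents, validate each incident against firewall action and vulnerability-assessment data, and locate the choke point on the attack path. The following is an added illustration of that pipeline written for this page; it is not Cisco or Protego code and makes no claim about how the MARS appliance is implemented internally. The NAT table, VA data, signature metadata, attack path and the eleven sample events are all constructed for the example.

```python
"""Session-based event correlation across a NAT boundary, with rule evaluation
over sessions, validation against firewall action and vulnerability data, and
choke-point lookup on the attack path. Added example; all inputs are constructed."""
from collections import defaultdict

# Static NAT as discovered from the firewall configuration: public -> inside address (constructed).
NAT_TABLE = {"203.0.113.10": "10.0.0.5"}

# Vulnerability-assessment data for inside hosts (constructed; stands in for a VA scanner import).
VA_DATA = {"10.0.0.5": {"platform": "linux", "open_ports": {80}}}

# Which platform each IDS signature affects (constructed signature metadata).
SIG_PLATFORM = {"apache-chunked-overflow": "linux", "iis-unicode-traversal": "windows"}

# Inbound path from the Internet to each inside host, as topology discovery would model it (constructed).
ATTACK_PATH = {"10.0.0.5": [("edge-fw", "firewall"), ("core-sw1", "switch"), ("access-sw3", "switch")]}


def fw(src, dport, action):
    """Firewall log line already parsed into a common schema; the firewall sees the public address."""
    return {"device": "edge-fw", "kind": "fw", "action": action, "src": src, "dst": "203.0.113.10", "dport": dport}


def ids(device, dst, src, dport, sig):
    """IDS alert in the common schema; the outside sensor sees the public address, the inside one the real host."""
    return {"device": device, "kind": "ids", "sig": sig, "src": src, "dst": dst, "dport": dport}


# Constructed sample events from three sources, as three sensors would report them.
EVENTS = [
    fw("198.51.100.7", 21, "deny"), fw("198.51.100.7", 22, "deny"),
    fw("198.51.100.7", 23, "deny"), fw("198.51.100.7", 25, "deny"),
    fw("198.51.100.7", 80, "permit"),
    ids("ids-outside", "203.0.113.10", "198.51.100.7", 80, "apache-chunked-overflow"),
    ids("ids-inside", "10.0.0.5", "198.51.100.7", 80, "apache-chunked-overflow"),
    fw("198.51.100.9", 80, "permit"),
    ids("ids-outside", "203.0.113.10", "198.51.100.9", 80, "iis-unicode-traversal"),
    ids("ids-outside", "203.0.113.10", "198.51.100.11", 8080, "apache-chunked-overflow"),
    fw("198.51.100.11", 8080, "deny"),
]


def normalize(event):
    """Rewrite a public destination to its inside address so that events from sensors
    on either side of the NAT boundary land in the same session."""
    e = dict(event)
    e["dst"] = NAT_TABLE.get(e["dst"], e["dst"])
    return e


def sessionize(events):
    """Group normalized events by (source, inside destination, destination port)."""
    sessions = defaultdict(list)
    for e in map(normalize, events):
        sessions[(e["src"], e["dst"], e["dport"])].append(e)
    return sessions


def rule_exploit_attempt(key, evs, sessions):
    """Single-session rule: any IDS alert in the session."""
    return any(e["kind"] == "ids" for e in evs)


def rule_probe_then_exploit(key, evs, sessions):
    """Cross-session rule: the IDS alert comes from a source that also touched four or
    more distinct ports on the same target (a sweep followed by an exploit attempt)."""
    ports = {k[2] for k in sessions if k[0] == key[0] and k[1] == key[1]}
    return rule_exploit_attempt(key, evs, sessions) and len(ports) >= 4


# Ordered from most to least specific; the first matching rule names the incident.
RULES = [("probe-then-exploit", rule_probe_then_exploit), ("exploit-attempt", rule_exploit_attempt)]


def validate(key, evs):
    """Decide whether an incident is still live: a firewall deny on the session means it was
    countered; VA data showing the wrong platform or a closed port marks it a false positive."""
    if any(e["kind"] == "fw" and e["action"] == "deny" for e in evs):
        return "countered"
    va = VA_DATA.get(key[1])
    sigs = [e["sig"] for e in evs if e["kind"] == "ids"]
    if va and sigs:
        if all(SIG_PLATFORM.get(s, va["platform"]) != va["platform"] for s in sigs):
            return "false_positive"
        if key[2] not in va["open_ports"]:
            return "false_positive"
    return "valid"


def choke_point(dst):
    """First firewall on the inbound path to the target, i.e. where a block would be applied."""
    return next((name for name, kind in ATTACK_PATH.get(dst, []) if kind == "firewall"), None)


def correlate(events):
    """Run the rules over every session and return one incident per matching session."""
    sessions = sessionize(events)
    incidents = []
    for key, evs in sessions.items():
        for name, rule in RULES:
            if rule(key, evs, sessions):
                incidents.append({"rule": name, "src": key[0], "dst": key[1], "dport": key[2],
                                  "event_count": len(evs), "status": validate(key, evs),
                                  "choke_point": choke_point(key[1])})
                break
    return incidents


if __name__ == "__main__":
    print(f"{len(EVENTS)} raw events -> {len(sessionize(EVENTS))} sessions")
    for inc in correlate(EVENTS):
        print(inc)
```

On the constructed input, eleven raw events collapse into seven sessions and three incidents: the port sweep followed by an Apache signature is reported as valid with edge-fw as the choke point, the IIS signature against a Linux host is marked a false positive, and the attempt on port 8080 that the firewall denied is marked countered.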

Real-time Investigation and Compliance Reporting

Cisco Security MARS boasts an easy-to-use analysis framework which streamlines conventional security workflow providing automated case assignment, investigation, escalation, notification, and annotation for daily operations and specialized audits. It can graphically replay attacks and retrieve stored event data to analyze previous events. The system fully supports ad hoc queries for real-time and subsequent data-mining efforts.

Cisco Security MARS offers numerous pre-defined reports to satisfy operational requirements and assist in regulatory compliance efforts, including Sarbox, GLBA, HIPAA, FISMA, and Basel II. An intuitive report generator can modify the more than 80 standard reports or generate new ones, giving an unlimited means to build action and remediation plans, incident and network activity reports, security posture and audit reports, and departmental reports, in data, trend, and chart formats. The system also provides batch and email reporting.

Rapid Deployment and Scalable Management

Cisco Security MARS is placed on a TCP/IP network where it can send and receive syslog and SNMP traps and establish secure sessions with deployed network and security devices through standard secure or vendor-specific protocols. Plug it in and go. No additional hardware, operating system patches, licensing, or lengthy professional service engagements are required to install and deploy the Cisco Security MARS system. Simply configure your log sources to point to the MARS appliance and define your networks and sources through the web-based GUI.

The appliance is centrally managed through a secure web-based interface supporting role-based administration. The optional Cisco Security MARS GC appliance centralizes expansive security operations to provide a single view of the entire enterprise, disseminate access privileges, configurations, updates, customized rules, and report templates, as well as coordinate complex investigations with accelerated queries and reports which are processed locally.

As the local Cisco Security MARS appliances execute queries and rules across the enterprise, the results are efficiently rolled up and consolidated for rapid and centralized analysis at the Cisco Security MARS GC. This scalable architecture yields an additional level of distributed processing and storage. The result is more cost-effective deployment and greater manageability, which address the requirements of large and geographically dispersed organizations.

Cisco Security MARS Technical Specifications

The Cisco Security MARS family offers different performance characteristics and prices to meet a variety of organization and deployment scenarios.

Local Controller models:

Cisco Part Number (Protego Model)          | Events/Sec* | NetFlows/Sec | Storage                     | Form Factor  | Power Supply
Cisco Security MARS-20-K9 (PN-MARS 20)     | 500         | 15,000       | 120GB (non-RAID)            | 1RU x 16"    | 300W
Cisco Security MARS-50-K9 (PN-MARS 50)     | 1,000       | 30,000       | 240GB RAID0                 | 1RU x 25.6"  | 300W
Cisco Security MARS-100EK9 (PN-MARS 100e)  | 3,000       | 75,000       | 750GB RAID10 hot-swappable  | 3RU x 25.6"  | 500W dual redundant
Cisco Security MARS-100K9 (PN-MARS 100)    | 5,000       | 150,000      | 750GB RAID10 hot-swappable  | 3RU x 25.6"  | 500W dual redundant
Cisco Security MARS-200EK9 (PN-MARS 200)   | 10,000      | 300,000      | 1TB RAID10 hot-swappable    | 4RU x 25.6"  | 500W dual redundant

Global Controller models:

Cisco Part Number (Protego Model)             | Distributed Monitoring Models Supported | Maximum Connections      | Storage                   | Form Factor  | Power Supply
Cisco Security MARS-GCM-K9 (PN-MARS 100 GCm)  | MARS 20/50 only                         | 5                        | 1TB RAID10 hot-swappable  | 4RU x 25.6"  | 500W dual redundant
Cisco Security MARS-GC-K9 (PN-MARS 100 GC)    | Any                                     | Not currently restricted | 1TB RAID10 hot-swappable  | 4RU x 25.6"  | 500W dual redundant

* EPS: maximum events per second with dynamic correlation and all features enabled.

Dynamic Session-based Correlation

  •  Anomaly detection including NetFlow
  • Behavior-based and rules-based event correlation
  • Comprehensive built-in and user-defined rules
  • Automated NAT normalization

Topology Discovery

  • Layer 3 and layer 2; routers, switches, firewalls
  • Network IDS: blades and appliances
  • Manual and scheduled discovery
  • SSH, SNMP, Telnet and device-specific communications

Vulnerability Analysis

  •  Incident triggered targeted network and host based fingerprinting
  •  Switch, router, firewall, and NAT configuration analysis
  •  Automated vulnerability (VA) scanner data capture
  •  Automated and user-tuned false positive analysis

Incident Analysis and Response

  • Personalized security event management dashboard
  • Session-based event consolidation with full-rule context
  • Graphical attack path visualization with drill-down investigation
  • Attack path device profiles with end point MAC identification
  • Graphical and detailed sequential attack pattern display
  • Incident details: rules, raw events, CVE, and mitigation options
  • Immediate incident investigation and false positive determination
  • GUI rule definition supports custom rules and keyword parsing
  • Incident escalation with user-based ‘to do’ work list
  • Notification: Email, pager, syslog, SNMP

Query and Reporting

  • GUI supports numerous default queries and customized queries
  • Over 80 popular reports: management, operational, and regulatory
  • Intuitive report generation yields unlimited customized reports
  • Data, chart, and trend formats support HTML and CSV export
  • Live, batch, template, and email forwarding reporting system

Administration

  •  Web interface (HTTPS); roles-based administration with defined privileges
  •  Cisco Security MARS GC (Global Controller) hierarchical management of multiple Cisco Security MARS
  •  Automated, verified updates: device support, new rules, and features
  •  Continuous compressed raw data and incident archive to offline NFS storage

Device Support (more current list on website)

  • Network: Cisco IOS 11.x, 12.2, Catalyst OS 6.x, NetFlow 5.0, 7.0, Extreme Extremeware 6.x
  • Firewall/VPN: Cisco PIX Firewall 6.x, IOS Firewall, FWSM 1.x, 2.2, Concentrator 4.0, Checkpoint Firewall-1 NGx, VPN-1, NetScreen Firewall 4.0, 5.0, Nokia Firewall
  • IDS: Cisco NIDS 3.x, 4.x, Network IDS module 3.x, 4.x, Enterasys Dragon NIDS 6.x, ISS RealSecure Network Sensor 6.5, 7.0, Snort NIDS 2.x, McAfee Intrushield NIDS 1.x, NetScreen IDP 2.x, OS 4.x, 5.x, Symantec MANHUNT
  • VA: eEye REM 1.x, FoundStone FoundScan 3.x
  • Host Security: Cisco Security Agent (CSA) 4.0, McAfee Entercept 2.5, 4.0, ISS RealSecure Host Sensor 6.5, 7.0
  • Antivirus: Symantec A/V
  • Authentication Servers: Cisco ACS
  • Host Log: Windows NT, 2000, 2003 (agent and agentless), Solaris, Linux
  • Application: Web Servers (IIS, iPlanet, Apache), Oracle 9i and 10i audit logs, Network Appliance NetCache
  • Universal Device Support to aggregate and monitor any application syslog

Additional Hardware Specifications

  • Purpose-built 19" rack-mountable appliances; UL approved
  • Security-hardened OS; firewalled with reduced services
  • Two (2) 10/100/1000 Ethernet interfaces; DVD-ROM with recovery media
  • Storage:
      – Cisco Security MARS 20 and Cisco Security MARS 50: RAID 0
      – Cisco Security MARS 100, Cisco Security MARS 200, Cisco Security MARS GC: RAID 10, hot-swappable
  • Redundant load-sharing 500-watt power supplies (MARS 100, MARS 200 and MARS GC); 120/240 V auto-switching

© Copyright 2005 NetworkGuys Inc.