BKSMMARS.RVW 20080204

"Security Monitoring with Cisco Security MARS", Gary Halleen/Greg Kellogg, 2007, 1-58705-270-9, U$60.00/C$75.00
%A Gary Halleen
%A Greg Kellogg
%C 800 East 96th Street, Indianapolis, IN 46240
%D 2007
%G 978-1-58705-270-5 1-58705-270-9
%I Cisco Press
%O U$60.00/C$75.00 feedback@ciscopress.com 800-382-3419
%O http://www.amazon.com/exec/obidos/ASIN/1587052709/robsladesinterne
%O http://www.amazon.co.uk/exec/obidos/ASIN/1587052709/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/1587052709/robsladesin03-20
%O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P 316 p.
%T "Security Monitoring with Cisco Security MARS"

Fair warning: these guys are into jargon. To even begin to approach this book you must know that CS-MARS is the Cisco Security Monitoring, Analysis, and Response System, which "performs" as an STM (Security Threat Mitigation) "solution." The introduction states that the work is intended for information security analysts charged with the monitoring and administration of firewalls and similar devices. (Usually that is the task of the administrator, not the analyst, but we'll let that pass.)

Part one is an introduction to CS-MARS and security threat mitigation. Chapter one is a vague promotion for the MARS product. Even though it limits security incident management (SIM) to network events, it still claims the capability of countering fraud. Definitions of a number of terms such as event, incident, false positive, and mitigation are non-standard and therefore problematic, since the common understanding of the expressions may suggest that the authors are making claims which the technology cannot actually support. Regulatory challenges are covered in some depth in chapter two, including coverage of HIPAA (Health Insurance Portability and Accountability Act), the GLB (Gramm, Leach, Bliley) Act, the Sarbanes-Oxley Act, and the Payment Card Industry (PCI) standard. (Note the emphasis on American legislation and the financial industry.) Rather than the deployment scenarios promised by the title of chapter three (we do get a couple of brief stories at the end), the text is a kind of catalogue of CS-MARS products and size specifications.

Part two is supposed to be about CS-MARS operations and forensics. Some generic advice about hardening the platform upon which the MARS product is running (mostly the ports required by MARS and firewall rulesets) is in chapter four. Rules, reports, and queries are illustrated, in chapter five, mostly in terms of screenshots of the user interface, with little discussion of the implications of certain decisions. Some of the suggested "drop" rules, used incautiously, could eliminate most traffic through the system. The examination of incident investigation and forensics, in chapter six, lists preparation, identification, containment, repair, recovery, and debriefing as the major stages of the process, but really only deals with identification and containment. Chapter seven tells you to make a backup.

Slightly more advanced topics are in part three. Chapter eight has screenshots showing the integration of MARS with the Cisco security manager product. There is a list of errors you might encounter while using the program, in chapter nine, but not much about how to solve any of the problems. Chapter ten is a promotional pamphlet for Cisco NAC (Network Admission Control) products. Screenshots demonstrating the use of the CS-MARS custom parser to look at data from other sources are printed in chapter eleven. Screenshots of using the CS-MARS global controller for a large implementation are in chapter twelve.

Overall, there is a great deal of promotion, and very little demonstration of product capability in this book. Basically what is being described is an intrusion detection system (IDS) with some added features. But it's being described in very awed tones.

copyright Robert M. Slade, 2008