Book Review

Title : Security Monitoring with Cisco Security MARS : Threat mitigation system deployment
ISBN-13: 978-1-58705-270-5 . Publisher: Cisco Press
Authors: Gary Hallen, Greg Kellogg

Reviewer: Dr. Wole Akpose, CISSP, D.Eng

Ok, you recently purchased Cisco MARS appliance, now what? Or better yet, you are in the market for a Security Incident Management (SIM) solution or a Security Threat Mitigation (STM) Solution, and are already considering a Cisco solution; you may even be a Cisco network shop. How do you decide, without the pressure of the overbearing sales people over your neck? Well the best answer is to do your research. Read everything you can find online about SIM and STM technologies and research the various vendor solutions out there. You may even take note of Gartner’s reports on the technology or simply hire Gartner. However, one tool you will appreciate in your arsenal is the book by Gary Hellene and Greg Kellogg, Security Monitoring with Cisco Security MARS.

As you may well know, the product now called MARS did not originate in any of Cisco’s R&D lab, but was a product from Perigee Network bought by Cisco in the fall of 2005. The product itself has undergone various upgrades, as has its documentation. But when you need quick answers, or compressed answers about SIM, STM or specifically MARS, the pages of this compact, under 300 pages, book will be your best bet in most cases, as I quickly found out.

The book came in at an opportune times, when I was just fidgeting with our newly installed MARS appliance, and answers that were taking quite long to find, wadding though jungles of pages that constitute the Cisco user manuals and the internet, were soon available after a few minutes of riffling though the book.

Reading the entire book took much less time than to read through the latest Harry Porter release, but it also brought into perspectives many components and nuances of the MARS appliance.

Organized into parts (like most Cisco press books), the book's content is outlined into an introductory section, an operations and forensic section, and what it calls an advanced topic section. The first three chapters that make up the introduction section provide essential background and rationale for deploying an STM or SIM solution in any network. This is one part any prospective SIM solution shopper should be acquainted with. It kind of helps you make the case for the expenditure. Not that you wont find it useful if you already made the purchase, you will be better served if you are fully briefed on the content in this section, as it lays out what you are getting into in some detail. Of course the emphasis is on MARS, a Cisco product, there is enough material here for everyone.

If you are a techie, you already own a MARS box (so you have to live with what you got), and you are not so worried about the business case for security, then, section 2 (Operations and Forensic) is a good place to start. The section begins with basics of securing the appliance itself; runs through rules, reports and queries; details incident investigation and forensics and ends with pertinent instructions on log data archiving and recovery in case something goes wrong with the appliance. Given that the section covers so much materials and is made up of four chapters, its one page volume is a great refresher to the security engineer who just wants to get adequate information to quickly get up and running. You will not become an expert by reading these four chapters, but your understanding of the appliance and appreciation for what can be done will grow after you read it. Also, you should be able to carry out at least 50% of the tasks you will need to carry out with the appliance.

The last section is probably the most fun, but you will do well reading it last. While the book outlines the last section to include just 4 chapters, the three appendices can easily be considered a direct appendage of the materials in this section. The section provides basic instructions on how to integrate MARS with other Cisco security products including the Cisco Security Manager (CSM) in chapter 8, the Cisco Network Admission Control (NAC) solutions in chapter 10, and Cisco MARS enterprise deployment framework in chapter 12. Chapters 9 and 11 present additional operational information on troubleshooting and log management. The appendices includes various system level and command line tools for managing and getting more out of the MARS appliance.

In all, the book is a great buy.