RE: Cisco CSA

From: Jason Jaszewski (sec_info_at_page55.com)
Date: 05/28/04

  • Next message: Davis, Christopher - IT Security: "RE: Computer Forensics Consulting"

    To: "Cherian Palayoor" <securinet2004@yahoo.ca>, <security-basics@securityfocus.com>
    Date: Thu, 27 May 2004 17:20:57 -0500


    I went through a Cisco CSA training seminar late last year. At one point
    there was a "proof of concept" type exercise, where an attempt at installing
    malware was in fact foiled and reported by the CSA software. I fail to
    recall what malware package it was, but CSA seemed to detect and send an
    alert about it quite well. As we went on, one person managed to configure
    his policy so tight that, when he deployed it to the group, no one had access
    to do anything but run Notepad on their computer until the administrator took
    the policy off. This is not mentioned as a disadvantage, but just to
    illustrate how powerful CSA can be (it does mean that you need to take care
    and do some homework before deploying it).

    The CSA package does take some time to fine-tune and get down to the actual
    events that you want to actively monitor and the policies you want to
    configure. It is definitely not (and is not touted to be) "plug and play";
    it can't be ordered one day and deployed the next. After a few weeks of
    fine-tuning, though, the number of false positives will slowly wind down
    close to zero (a couple of false positives here and there should probably be
    expected). While the fine-tuning must be pretty meticulous, after the
    fine-tuning it seems to work very well.

    I currently use and monitor events via CSA on a daily basis, although the
    event set we monitor is pretty small (and it was deployed recently). I have
    found the CSA software to be pretty intuitive and easy to use. I have not
    seen very many alarms on the CSA agent yet, so how it responds outside of
    the training seminar I really have yet to see. To me, the policy
    configuration seemed "similar" to GPOs in Windows 2000 Server, in the way
    they were deployed and created (you can lock down machines, define groups,
    etc.). All in all, after the seminar I was really impressed with what CSA
    could do and the examples that were shown.

    Have you gotten together with Cisco and had a CSA demo? If not, I would
    suggest it, because it will give you a chance to see it in action rather
    than just in a brochure. I attended the seminar mentioned above with a few
    different network engineers and sysadmins... we were all pretty impressed.

    Hope this helps,
    Jason

    -----Original Message-----
    From: Cherian Palayoor [mailto:securinet2004@yahoo.ca]
    Sent: Tuesday, May 25, 2004 6:35 PM
    To: security-basics@securityfocus.com
    Subject: Cisco CSA

    Hi,

    Can anyone give me some feedback on the Cisco Security
    Agent? This product claims to stop malicious behaviour
    on machines infected by any malware.

    We were recently hit pretty hard by Sasser. Cisco has
    since been trying to sell us this product as a
    heuristic solution to malicious activity on the
    network. The product does not depend on any signature
    updates and is entirely behavioural.

    Cisco purports to have successfully stopped Sasser from
    doing any damage.

    Can anyone confirm this to be a fact? The product does
    not come cheap.

    Thanks in advance.

    Regards

    Cherian


    ---------------------------------------------------------------------------
    Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
    any course! All of our class sizes are guaranteed to be 10 students or less
    to facilitate one-on-one interaction with one of our expert instructors.
    Attend a course taught by an expert instructor with years of in-the-field
    pen testing experience in our state of the art hacking lab. Master the skills
    of an Ethical Hacker to better assess the security of your organization.
    Visit us at:
    http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    ----------------------------------------------------------------------------