Cisco Mars

Skyline Cisco Header

MARS v3.0 - Cisco Security Monitoring, Analysis and Response System

Course length: 4.0 day(s)

Learning Credits: 30

Course Description:

The Cisco Security Monitoring Analysis and Response System (CS-MARS) is part of the Cisco Security Management Suite which provides security monitoring for network security devices and host application made by Cisco or non-Cisco providers. In addition to event correlation and data reduction features found in SIM products, CS-MARS also provides topology awareness and automatic mitigation features. In knowing the topology of a network, CS-MARS can determine where the attack is originating and apply the appropriate remediation. CS-MARS is a key component in the Cisco Self Defending Network strategy. CS-MARS exchanges information with CS-Manager to provide a unified security management solution. For example, an administrator can view IPS signatures or the Firewall block / permit syslog messages received from sensors or firewalls. CS-MARS will communicate with CS-Manager and display the IPS signature table or firewall rule table. From there the IPS signature or firewall rule can be modified as necessary. Together CS-MARS and CS-Manager provide a unified management solution for monitoring and provisioning.

Target Students:

Engineers who support sales of Cisco security product solutions
Cisco channel partners who sell, implement, and maintain secure networks
Cisco customers who implement and maintain secure networks

Course Objectives:

Use CS-MARS to monitor security and host application devices.
Know CS-MARS architecture and how CS-MARS process events.
Know how to use archive and restore features.
Use CS-MARS to run / create / customize reports
Use CS-MARS to investigate an incident and mitigate the security threats.
Use CS-MARS to do customer parser for unknown devices in CS-MARS.
Use CS-MARS to create / customize rules that detects dark net through best practices example.
Know how to tune signature / log level on device side and CS-MARS side.

Prerequisites:

The knowledge and skills that a learner must have before attending this course are as follows:

Cisco CCSP certified or equivalent knowledge
Passage of the Securing Cisco IOS Networks (SECUR) exam (642-501), the Securing Networks with Cisco Routers and Switches (SNRS) exam (642-502), or both
At least six months of practical experience configuring Cisco routers and security products
Familiarity with implementing network security policies and these networking components and concepts:

Perimeter security system components: Perimeter router, firewall, intrusion prevention system (IPS), virtual private network (VPN), and demilitarized zone (DMZ) host
Servers: Cisco Security Manager; syslog; authentication, authorization, and accounting (AAA); Cisco Secure Access Control Server (Cisco Secure ACS); and FTP
Protocols: syslog, Simple Network Management Protocol (SNMP), Secure Shell (SSH), FTP, and Telnet

Delivery Method:

Instructor led, group-paced, classroom-delivery learning model with structured hands-on activities.

This is NOT online learning. We use a 65 Inch Panasonic Flat Screen. Our instructor will have full contact with students.. This is a LIVE delivery. We’ve had great responses from other past students. We also use high-definition Audio and Video systems to ensure an engaging experience. This has allowed us to drastically reduce reschedules and guarantee more running classes for our students, offering the convenience of staying local for your training.

Live Delivery
Same Authorized Cisco Materials
Same labs to support the class as any Skyline delivery.
Same Student PC’s
High Definition audio and visual experience
Instructor is able to see and even control your PC (Instructors are happy to stay after class to provide assistance)
1 year audit policy-meaning you may come and re-sit the same class as many times as you like for up to 1 year as long as the version and or course materials don’t change.

Course Content

Lesson 1:Introducing Cisco Security Monitoring, Analysis, and Response System

Effective Security Monitoring and Management
Cisco Self-Defending Network and the Role of Cisco Security MARS
Cisco Security MARS
Cisco Security MARS Terminology
Cisco Security MARS Technologies
Cisco Security MARS User Interface
Cisco Security MARS Product Portfolio

Lesson 2:Understanding the System Architecture

Cisco Security MARS Software Components
Cisco Security MARS Process Flow Details

Lesson 3:Configuring a Cisco Security MARS Appliance

Initial Cisco Configuration Overview
Scenario: Configuration Tasks
Deployment Planning Guidelines

Lesson 4:Adding Reporting and Mitigation Devices

Overview of Reporting and Mitigation Devices
Scenario: Adding a Cisco Reporting Device and Enabling NetFlow
Data-Enabling Features of Cisco Security MARS
Integrating Cisco Security MARS with Third-Party Applications

Lesson 5:Viewing the Summary Page

Summary Page Overview
Dashboard
Network Status
My Reports
Scenario: Getting Information from the Summary Page

Lesson 6:Managing Rules

Rules Overview
Working with System and User Inspection Rules
Working with Drop Rules
Rule Groups Overview

Lesson 7:Understanding Queries and Reports

Query Page
Scenario: Configuring a Query
Reports Page
Scenario: Configuring a System Report

Lesson 8:Investigating and Mitigating Incidents

Incidents Overview
Incidents
Scenario: Role of Cisco Security MARS in Your Network
False Positives
Case Management
Scenario: Configuring a Case to Track an Incident
Configuring Notifications
Case Study: Preventing the W32 Blaster Worm

Lesson 9:Working with User-Defined Log Parser Templates

Overview of User-Defined Log Parser Templates
Scenario: Configuring a Customer Parser

Lesson 10:Integrating with Cisco Security Manager

Overview of Cisco Security Manager Policy Table Lookup
Scenario: Invoking Cisco Security Manager Policy Table Lookup from Cisco Security MARS

Lesson 11:Managing and Administering the System

Management Overview
Overview of System Maintenance Tasks
IPS Signature Dynamic Update Settings
Upgrading the Cisco Security MARS Appliance Software
Migrating Data from Cisco Security MARS 4.3.x to 5.3.x

Lesson 12:Troubleshooting and Optimizing Cisco Security MARS

Hardware Installation Issues
Device Configuration Issues
Global Controller-to-Local Controller Communications
Sizing Cisco Security MARS Deployment
Tuning Cisco Security MARS
Securing Cisco Security MARS

Lesson 13:Using the Cisco Security MARS Global Controller

Cisco Security MARS Global Controller Overview
Configuring the Cisco Security MARS Global Controller
Summary Tab
Incidents Tab
Queries and Reports
Rules Tab
Management Tab
System Maintenance Tab

Lesson 14:Course Review: Cisco Security MARS at Work

Cisco Security MARS At Work

Lab Outline

Pre-Lab Activity: Accessing the Remote Lab
Lab 3: Accessing the Cisco Security MARS Appliance
Lab 4-1: Adding Reporting Devices and Enabling NetFlow
Lab 4-2: Configuring the Syslog Forwarding Feature
Lab 5: Generating Summary Reports
Lab 6-1: Configuring Cisco Security MARS Event Types
Lab 6-2: Configuring an Inspection Rule
Lab 7: Performing a Query and Creating a Custom Report
Lab 8: Performing Incident Investigation and Mitigation
Lab 9: Configuring the Custom Parser
Lab 10: Performing Cisco Security Manager Policy Lookup
Lab 11-1: Reviewing the CLI and Upgrading the Device Version
Lab 11-2: Configuring IPS Auto Signature Download
Lab 11-3: Configuring AAA RADIUS Authentication and Working with the Account Locking and Session Timeout Menu
Lab 11-4: Retrieving Raw Messages