Lippis Report 163: A Multi-Vendor Security Management Approach via a Cisco SIEM Ecosystem
In an effort to offer a multi-vendor SIEM (Security Information and Event Management) solution, Cisco is placing its SIEM product, CS-MARS, in end-of-life and, in its place, offering the industry its first SIEM ecosystem. Cisco acquired MARS six years ago, in December 2004. MARS provided traditional event management and security monitoring along with limited forensic capabilities and compliance reporting. But the market demanded a broader cross-vendor SIEM solution rather than a SIEM focused primarily on Cisco products. In response, Cisco has launched a SIEM ecosystem to support deep event monitoring, forensics and compliance reporting across a heterogeneous enterprise network. It has also expanded the role of its Cisco Security Manager, or CSM, to support policy management and troubleshooting across a wider range of Cisco products. In this Lippis Report Research Note, we examine the new distribution of security responsibilities that now stretches across Cisco CSM and its new SIEM ecosystem, with an eye toward stronger defense of IT assets.
IT business leaders were asking Cisco to develop deeper forensics and compliance capabilities across multiple areas within MARS. But the MARS architecture was not designed for the long-term storage, long-term data indexing and look-ups that forensics and compliance require at the scale IT business leaders are demanding. So in June of 2010, Cisco launched a SIEM ecosystem to give IT business leaders a scalable, cross-vendor way to conduct deep forensics and compliance reporting. The real-time security monitoring capabilities that MARS provided are being blended into the CSM.
CSM started as a policy manager for multiple Cisco devices such as routers, switches, firewalls, VPN, IPS, etc. But Cisco recently announced its 4.1 image for CSM, which incorporates security-monitoring capabilities that enable policy troubleshooting. Essentially, event logs flow into CSM, and CSM determines whether a stream of event logs rises to the level of a security problem or whether it needs to make policy changes, executing those changes in real time via a closed-loop system. CSM does not deliver forensics or long-term compliance reporting; that is the province of the Cisco SIEM ecosystem.
The SIEM Ecosystem
Both MARS and CSM have lacked the capability to conduct broad multi-vendor security monitoring, compliance reporting and forensics in a heterogeneous vendor environment. In fact, most, if not all, security vendors are guilty of this. Market reality is that most enterprise IT organizations use multiple devices and/or software products that contribute to IT security defense.
Therefore, to align its security products and IT defense approach with the reality of the market, Cisco has started a SIEM ecosystem consisting of the five largest SIEM suppliers: RSA, ArcSight, LogLogic, Splunk and netForensics. Cisco’s exit from the SIEM market has created the opportunity for it to partner with these top SIEM providers, which together cover roughly 75% of the enterprise market.
The power of a SIEM is to accept logs from multiple devices and make sense of them, weaving them together by way of correlation. The larger the number of log streams flowing into a SIEM from various security appliances, the greater its ability to correlate. The goal of a SIEM is to gather data from all deployed security appliances, which delivers an exponential lift in the security intelligence gained from correlating large streams of data.
With the Cisco SIEM ecosystem, Cisco is now able to deliver heterogeneous capabilities covering security monitoring analysis, compliance and forensics, and some partners, LogLogic specifically, deliver long-term log management as well. To assure confidence that Cisco security and networking equipment interoperates with these five SIEM suppliers, Cisco has conducted extensive interoperability testing with each supplier. This matters to IT business leaders who already have an operational SIEM deployed and need assurance that introducing a new SIEM or a new security device will interoperate with their existing SIEM. It also matters to Cisco CS-MARS customers who will be looking to transition to a new SIEM. Because end-of-life is a multi-year process, co-existence and transition support are important attributes for the ecosystem to contain.
Conduit between SIEM and Cisco Security Products
The interface, or conduit, that enables information transfer between Cisco products and its SIEM partners is device specific. The interface may be syslog or SDEE (Security Device Event Exchange), depending upon which conduit the end security device uses, be it an IPS, firewall, switch, router, etc. The conduits have not evolved yet, although at some point in time they may.
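To make the two preceding points concrete (syslog as the conduit from each device, and correlation across devices as the SIEM's value), here is an added example that is not from the Lippis Report nor from any Cisco or SIEM vendor product: it normalises constructed syslog lines from a Cisco ASA firewall and a second vendor's IPS into a common event record, then applies one cross-device rule. The ASA message layout is an approximation of the access-list deny message, and the IPS key=value format is hypothetical.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines (not captured from real devices). The first four
# approximate a Cisco ASA access-list deny; the last two are a second vendor's IPS
# alert in a hypothetical key=value layout. Both field layouts are assumptions.
SAMPLE_LOGS = [
    'Dec 01 2010 10:00:01 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.7/4411 dst inside:10.0.0.5/22 by access-group "outside_in"',
    'Dec 01 2010 10:00:03 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.7/4412 dst inside:10.0.0.5/23 by access-group "outside_in"',
    'Dec 01 2010 10:00:05 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.7/4413 dst inside:10.0.0.5/3389 by access-group "outside_in"',
    'Dec 01 2010 10:00:09 fw1 %ASA-4-106023: Deny tcp src outside:198.51.100.9/5000 dst inside:10.0.0.8/80 by access-group "outside_in"',
    'Dec 01 2010 10:01:30 ips1 IPS-ALERT sig=1234 sev=high src=203.0.113.7 dst=10.0.0.5 name="SSH brute force"',
    'Dec 01 2010 11:30:00 ips1 IPS-ALERT sig=1234 sev=high src=198.51.100.9 dst=10.0.0.8 name="SSH brute force"',
]

TS = r'(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})'
ASA_DENY = re.compile(TS + r' \S+ %ASA-\d-106023: Deny \w+ src \w+:([\d.]+)/\d+ dst \w+:([\d.]+)/\d+')
IPS_ALERT = re.compile(TS + r' \S+ IPS-ALERT sig=(\d+) sev=(\w+) src=([\d.]+) dst=([\d.]+)')


def parse(line):
    """Normalise one syslog line from either device into a common event dict, or None."""
    m = ASA_DENY.match(line)
    if m:
        ts = datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S")
        return {"ts": ts, "type": "fw_deny", "src": m.group(2), "dst": m.group(3)}
    m = IPS_ALERT.match(line)
    if m:
        ts = datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S")
        return {"ts": ts, "type": "ips_alert", "sig": m.group(2), "sev": m.group(3),
                "src": m.group(4), "dst": m.group(5)}
    return None  # unknown device or message: a real SIEM would count it as unparsed


def correlate(lines, window=timedelta(minutes=5), min_denies=3):
    """Cross-device rule: an IPS alert whose source IP also produced at least
    `min_denies` firewall denies in the `window` before the alert is one incident.
    Neither device alone reaches that conclusion; only the combined stream does."""
    events = [e for e in (parse(l) for l in lines) if e]
    denies = [e for e in events if e["type"] == "fw_deny"]
    incidents = []
    for alert in (e for e in events if e["type"] == "ips_alert"):
        related = [d for d in denies
                   if d["src"] == alert["src"] and alert["ts"] - window <= d["ts"] <= alert["ts"]]
        if len(related) >= min_denies:
            incidents.append({"src": alert["src"], "denies": len(related), "sig": alert["sig"],
                              "targets": sorted({d["dst"] for d in related} | {alert["dst"]})})
    return incidents
```

With the defaults only 203.0.113.7 becomes an incident; 198.51.100.9 has a single deny an hour and a half before its IPS alert, so the rule stays quiet until the window and threshold are loosened.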
The Interoperability, Validation and Testing Lab
To demonstrate interoperability, Cisco has created a Cisco-compatible logo, which a partner earns after passing through what is called the “IVT Lab,” meaning Interoperability, Validation and Testing Lab. The key outputs of the IVT Lab are interoperability assurance, license rights to display the Cisco-compatible logo, and a set of deployment guides to assist a Systems Engineer (SE) or an IT security department in deploying a partner’s SIEM product alongside Cisco’s firewalls, switches, routers, email and web security products, etc. The detailed deployment guides cover various configurations of the SIEM ecosystem partners’ and Cisco’s products.
To gain the Cisco-compatible logo, a partner needs to be tested against Cisco security products, approximately eight devices at their latest software versions. These include Cisco Cross-Device, Firewall, IPS, ASA, E-mail Security Appliance (ESA), Web Security Appliance (WSA), etc. The Cisco-compatible logo signifies that each partner has been tested against that set of core security devices. Over time, Cisco plans to test SIEMs across the entire Cisco security product line.
The IVT Lab and the associated Cisco-compatible logo essentially level-set SIEM partners, so all have validated and verified support for core Cisco security products. From a support perspective, Cisco’s TAC can take the lead. Cisco has built relationships with its ecosystem partners by tying them into its TAC processes: in the event that SecOps has an issue with, say, Splunk or RSA, Cisco TAC has a streamlined process that places customers in touch with the right person at RSA, Splunk or its other partners.
Greater Defense through Faster Innovation Absorption
Clearly Cisco products bring value to their ecosystem partners. For example, Cisco’s firewall team produces the number one firewall in the world, adding features or functionality nearly every quarter, or at least twice a year.
Before the ecosystem was in place, a lag between the launch of a Cisco innovation and a SIEM’s ability to support the new feature was common; SIEM vendors might not understand what the new features were meant to do or how they were used. Therefore, as part of the SIEM ecosystem, Cisco is committing to ensure that as new innovations and features roll out across its security portfolio, SIEM partners understand how Cisco recommends they be used, which will speed SecOps innovation absorption.
Pulling It All Together
Cisco’s new approach to heterogeneous network security is based upon an ecosystem of SIEM providers to which it provides interoperability testing, new-feature training, TAC support and deployment guides. The SIEMs will aggregate event logs from a wide range of Cisco and other vendors’ security appliances to deliver cross-vendor IT forensics and compliance reports. Cisco’s CSM is the policy manager and troubleshooting platform going forward and will enjoy expanded support for Cisco’s security products. Therefore, policy management and troubleshooting services will be delivered through CSM, while the SIEM ecosystem delivers broader cross-vendor IT forensics, event monitoring and compliance reports.
IT business leaders benefit from a broader multi-vendor approach to event monitoring, forensics and compliance reporting, as well as centralized policy management and troubleshooting of Cisco products. This new approach should increase IT defenses while simplifying the management of their Cisco security products.