Security Basics mailing list archives
RE: Cisco CSA
From: "Jason Jaszewski" <sec_info () page55 com>
Date: Thu, 27 May 2004 17:20:57 -0500
I went through a Cisco CSA training seminar late last year. At one point there was a "proof of concept" type exercise, where an attempt at installing malware was in fact foiled and reported by the CSA software. I fail to recall what malware package it was, but CSA seemed to detect and send an alert about it quite well.

As we went on, one person managed to configure his policy so tight, when he deployed it to the group, no one had access to do anything but run notepad on their computer until the administrator took the policy off. This is not mentioned as a disadvantage, but just to illustrate how powerful CSA can be (it does mean that you need to take care and do some homework before deploying it).

The CSA package does take some time to fine-tune and get down to the actual events that you want to actively monitor and the policies you want to configure. It is definitely not (and is not touted to be) "plug and play;" it can't be ordered one day and deployed the next. After a few weeks of fine-tuning, though, the number of false positives will slowly wind down close to 0 (a couple of false positives here and there should probably be expected). While the fine-tuning must be pretty meticulous, after the fine-tuning, it seems to work very well.

I currently use and monitor events via CSA on a daily basis, although the event set we currently monitor is pretty small (and it was deployed recently). I have found the CSA software to be pretty intuitive and easy to use. I have not seen very many alarms on the CSA agent yet, so how it responds outside of the training seminar I really have yet to see. To me, the policy configuration seemed "similar" to GPOs in Windows 2000 Server, in the way they were deployed and created (you can lock down machines, define groups, etc.).

All in all, after the seminar I was really impressed with what CSA could do and the examples that were shown. Have you gotten together with Cisco and had a CSA demo?
If not, I would suggest it because it will give you a chance to see it in action, rather than just in a brochure. I attended the seminar mentioned above with a few different network engineers and sysadmins... we were all pretty impressed.

Hope this helps,
Jason

-----Original Message-----
From: Cherian Palayoor [mailto:securinet2004 () yahoo ca]
Sent: Tuesday, May 25, 2004 6:35 PM
To: security-basics () securityfocus com
Subject: Cisco CSA

Hi,

Can anyone give me some feedback on the Cisco Security Agent? This product claims to stop malicious behaviour on machines infected by any malware. We were recently hit pretty hard by Sasser. Cisco has since been trying to sell us this product as a heuristic solution to malicious activity on the network. The product does not depend on any signature updates and is entirely behavioural. Cisco purports to have successfully stopped Sasser from doing any damage. Can anyone confirm this to be a fact? The product does not come cheap.

Thanks in advance.

Regards
Cherian

______________________________________________________________________
Post your free ad now! http://personals.yahoo.ca

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------
Current thread:
- Cisco CSA Cherian Palayoor (May 26)
- RE: Cisco CSA Jason Jaszewski (May 28)
- <Possible follow-ups>
- RE: Cisco CSA Damon Brinkley (May 27)
- Re: Cisco CSA John Kingston (May 27)
- Re: Cisco CSA professor buddha (May 27)
- RE: Cisco CSA Ralph H. Chapman (May 27)
- Re: Cisco CSA bryan_khoo (May 27)
- RE: Cisco CSA Dante Mercurio (May 28)
- RE: Cisco CSA Scherer, Brian (May 28)
- RE: Cisco CSA Gary Freeman (May 28)
- RE: Cisco CSA Dave Gonsalves (May 29)
- RE: Cisco CSA Ayers, Diane (May 31)