Security Basics mailing list archives

RE: Cisco CSA


From: "Jason Jaszewski" <sec_info () page55 com>
Date: Thu, 27 May 2004 17:20:57 -0500

        I went through a Cisco CSA training seminar late last year. At one point
there was a "proof of concept" type exercise, where an attempt at installing
malware was in fact foiled and reported by the CSA software. I fail to
recall what malware package it was, but CSA seemed to detect and send an
alert about it quite well. As we went on, one person managed to configure
his policy so tight, when he deployed it to the group, no one had access to
do anything but run notepad on their computer until the administrator took
the policy off. This is not mentioned as a disadvantage, but just to
illustrate how powerful CSA can be (it does mean that you need to take care
and do some homework before deploying it).
        The CSA package does take some time to fine-tune and get down to the actual
events that you want to actively monitor and the policies you want to
configure. It is definitely not (and is not touted to be) "plug and play;"
it can't be ordered one day and deployed the next. After a few weeks of
fine-tuning, though, the number of false positives will slowly wind down
close to 0 (a couple of false positives here and there should probably be
expected). While the fine-tuning must be pretty meticulous, after the
fine-tuning, it seems to work very well.
        I currently use and monitor events via CSA on a daily basis, although the
event set we currently monitor is pretty small (and it was deployed
recently). I have found the CSA software to be pretty intuitive and easy to
use. I have not seen very many alarms on the CSA agent yet, so how it
responds outside of the training seminar I really have yet to see. To me,
the policy configuration seemed "similar" to GPOs in Windows 2000 Server, in
the way they were deployed and created (you can lock down machines, define
groups, etc.). All in all, after the seminar I was really impressed with
what CSA could do and the examples that were shown.
        Have you gotten together with Cisco and had a CSA demo? If not, I would
suggest it because it will give you a chance to see it in action, rather than
just in a brochure. I attended the seminar mentioned above with a few
different network engineers and sysadmins... we were all pretty impressed.

Hope this helps,
Jason

-----Original Message-----
From: Cherian Palayoor [mailto:securinet2004 () yahoo ca]
Sent: Tuesday, May 25, 2004 6:35 PM
To: security-basics () securityfocus com
Subject: Cisco CSA


Hi,

Can anyone give me some feedback on the Cisco Security
Agent? This product claims to stop malicious behaviour
on machines infected by any malware.

We were recently hit pretty hard by Sasser. Cisco has
since been trying to sell us this product as a
heuristic solution to malicious activity on the
network. The product does not depend on any signature
updates and is entirely behavioural.

Cisco purports to have successfully stopped Sasser from
doing any damage.

Can anyone confirm this to be a fact? The product does
not come cheap.

Thanks in advance.

Regards

Cherian

