Comments on TaoSecurity Blog: Earth to MARS
Feed author: Richard Bejtlich (http://www.blogger.com/profile/13512184196416665417)
Feed last updated: 2023-10-16 06:06 (-04:00)
11 comments, newest first.

Richard Bejtlich (https://www.blogger.com/profile/13512184196416665417), 2007-11-20 08:43 (-05:00)

Anonymous,

Based on what I hear, Cisco builds MARS market share by giving the product away. Hardly anyone buys it.

As far as Apple goes, I don't care for them so much either.

Besides, didn't you read my very first paragraph?

"Disclaimer: I'm going to single out a book by Cisco employees that talks about a Cisco product. I have no personal feelings about Cisco. I have friends there. I've done work for Cisco. Since I think Cisco is eventually going to own all network security functions in their switches, I may even work for Cisco one day."

Anonymous, 2007-11-20 00:54 (-05:00)

It's Coal In, Diamonds Out.... Jeeeez. Seriously though, bash Cisco all you want, I don't think they are losing market share on any one front or in general. If it were called iMARS and produced by some Different Thinking company, would that make you like it?

Anonymous, 2007-04-02 16:04 (-04:00)

"have you ever heard of recycling"

Recycling starts with the paradigm shift that not all things being thrown out are actually garbage.

Thus it does not disprove Richard's point but rather re-emphasizes it. Even in recycling, the quality of stuff collected for processing impacts the quality of stuff that comes out.

Thanks for the excellent review, Richard. I can probably get you the data you need if you've got the time...

Richard Bejtlich (https://www.blogger.com/profile/13512184196416665417), 2007-02-21 16:48 (-05:00)

I'll take a look at any products in this space, if someone can get me a demo account with data to review.

Thanks!

Anonymous, 2007-02-21 16:45 (-05:00)

Richard, I'm including a comment here, simply because you stated that a product that truly performs automated mitigation would be impressive, which suggests you are not familiar with TriGeo Network Security...? At present, the only SEM that offers comprehensive automatic remediation... mostly Windows centric, but there are a handful of other useful responses, as well. If you're interested, check it out at: www.trigeo.com

P.S. Voted by SC Magazine readers as "Best Event Management" solution for 07

Anonymous, 2007-02-15 14:10 (-05:00)

If you want true profiling and baselining then look at Mazu Networks. MARS does 1% of what Mazu does in terms of profiling and visibility.

Anonymous, 2007-02-14 14:34 (-05:00)

I have used MARS when it still belonged to Protego Networks and do so today now that it is rebranded as Cisco. It is not just alert-centric; in fact I am using it to baseline network usage via Netflow, SNMP polling for resource usage, custom script agents feeding metrics and CLI output via traps/syslog (requires a custom parser on the MARS end, which it has support for).

Knock the book all you want, but besides full content data, MARS with a little scripting is working out well.

I do work closely with Cisco and I can tell you they are currently adding full support for Netflow, user-configurable SNMP OID polling like OpenView, TCL scripting for pulling data not accessible in syslog/snmp, and others they are considering but not committed to yet.

My user-defined rules kick butt, and I am mitigating by pushing IOS IPS sig packs to the edge, rate-limiting on the routers - and to be supported soon - dynamic ACLs and shunning to the firewalls. I am working on getting MARS to black-hole as well.

Anonymous, 2007-02-12 21:41 (-05:00)

This just seems indicative of the Cisco IDS platform management as a whole. While I don't use MARS, I do use Cisco IDS sensors. The ability to manage multiple sensors is horrible and the alert info always leaves an analyst wanting. The descriptions of the IDS signature never give enough information to determine what actually caused the event to trigger. This usually leads to running a packet capture if the activity is ongoing, or having to consult firewall or application logs. I wish we ran Snort sensors instead.

Anonymous, 2007-02-12 21:32 (-05:00)

I agree with what you said, except:

"garbage in always produces garbage out"

Have you ever heard of recycling? :)

Daniel

Richard Bejtlich (https://www.blogger.com/profile/13512184196416665417), 2007-02-12 20:25 (-05:00)

A Green Needle,

I plan to support clients who have MARS by running Sguil collecting session and full content data. I may or may not use Snort with Bleeding Rules as part of Sguil, since the MARS deployments are supposed to be collecting alerts from existing IDS'.

A Green Needle (https://www.blogger.com/profile/10008178580408395319), 2007-02-12 19:32 (-05:00)

Hi Richard,
Another great article.
What about using something like MARS in parallel with Sguil?

We are looking at Checkpoint's Eventia analyser for this reason.
I'm hoping to use Eventia to point to the problems and then use Sguil to do the investigation.
Does this sound like a valid approach?

BTW, hope to see you at AUSCERT if I can convince the "powers that be" :)