Cisco Cisco IPS 4255 Sensor Guía De Información

The Cisco Incident Control System includes embedded software and support from Trend Micro.

Point of sale and registration data will be provided to both Cisco and Trend Micro.

Important notices, privacy statements, and trademarks of Cisco Systems, Inc. can be found on cisco.com.

Page 5 of 8

relevancy rating, and target value rating. The Risk Rating ranges in value from 0 to 100. The higher the value for a particular event, the greater the

accuracy of an inline IPS packet drop action that is associated with that event.

What are the various components of Risk Rating?

The event severity rating is a user-modifiable weighted value that characterizes the damage potential of the suspect traffic. The attack relevancy

rating is an internal weighted value that characterizes any additional knowledge that the sensor may have about the target of the event. The asset

value rating is a user-defined value that represents the user's perceived value of the target host. The signature fidelity rating is a user-modifiable

weighted value that characterizes the fidelity of the signature that has detected the suspect activity.

Is the user required to manually specify or tune all Risk Rating components?

While these components are user-modifiable, it must be emphasized that the Risk Rating is dynamically generated for each event without

making it incumbent upon the user to tune each component. This greatly enhances the user experience by delivering a usable framework that does

not require intensive user intervention.

How can the resulting value of an event's Risk Rating be used to enhance the confidence level of inline IPS packet-drop actions?

The primary benefit of Risk Rating is the ability to define global thresholds within the range of values that the Risk Rating can assume. When

a Risk Rating threshold is defined, global event action overrides can be assigned to the various thresholds. For example, if a Risk Rating threshold

of 85 is specified, it can be associated with a packet-drop action such that whenever a Risk Rating value greater than 85 is generated, the malicious

activity will be stopped before it can cause damage to critical assets.

What is MEG?

Cisco IPS Sensor Software Version 5.0 incorporates advanced sensor-level event correlation that gives security administrators an automated

method for enhancing the confidence level of the classification of malicious activity detected by the sensor.

How is MEG different from correlation features that may be delivered by IPS management systems?

The effectiveness of IPSs is greatly enhanced when correlation algorithms are embedded in the sensor. The sensor can proactively take

automated response actions to effectively stop worms and viruses, immediately after they are identified by the IPS device.

For multifaceted worms that target more than one vulnerability, multiple alarms can result from a single worm outbreak. How can these

events be efficiently correlated while assigning the most appropriate mitigation action to the correlated event?

Nimda is an example of a worm that exploited multiple vulnerabilities during its propagation across networks, resulting in the triggering of

multiple events over a short time span. MEG takes the guesswork out of making an accurate assessment on the occurrence of multifaceted worms,

such as Nimda. MEG can consolidate all events pertaining to the worm into a single meta event, called “Nimda”; more importantly, all packets

associated with this malicious activity will be dropped, preventing the worm from reaching its target. This is especially critical because the meta

event constituents can have low Risk Rating values that would not make them candidates for inline IPS packet drops. But in the context of the meta

event that signifies worm activity, these packets can now be confidently dropped.

How can events generated from multiple threat identification techniques be effectively correlated to improve the overall confidence level of the

resultant event?

MEG can be used to correlate and corroborate events that are generated through the use of the hybrid detection techniques. For example, if a

denial of service (DoS) activity is detected through the triggering of a traffic anomaly algorithm and a classical “flood” type of signature, MEG can

be used to corroborate one event with the other, thereby delivering a single meta event that indicates a higher likelihood that the DoS activity has

actually occurred. This allows the user to make a more informed decision.

How can insight into the lifecycle of a malicious event enhance the confidence level of the resultant event?

Historical trend analyses performed to characterize the lifecycle of worms often reveal a certain sequence of actions that are detected just prior

to its penetration. These actions may occur in the “probing phase”, when a chain of reconnaissance activities is performed against the target network.