CiscoWorks Security Information Management Solution

CiscoWorks SIMS 3.2.1 Threat Visualization

WHITE PAPER

CiscoWorks Security Information Management Solution (SIMS)

SUMMARY

Data becomes valuable information when it can be easily understood and acted upon, and security event data is no different. To help analysts identify threats and respond to them faster, a Security Information Management (SIM) solution must provide a range of information views that let analysts recognize a threat and understand its full impact, so that mitigation can be complete. Analysts therefore need visual tools that present high-level views of network activity based on their own reporting parameters, while letting them drill down dynamically to the specific areas of vulnerability across the network.
The CiscoWorks Security Information Management Solution (SIMS) from Cisco Systems® provides dynamic, high-level views of security information, together with real-time monitoring, reporting, charting, analytics, and real-time alerting. This combination lets security personnel navigate the volume of real-time and historical security information, reduce response times, distinguish false positives from credible threats, and better manage risk.

THE CHALLENGE: INFORMATION OVERLOAD

The first generation of CiscoWorks SIMS was a major step forward in creating a unified environment for managing disparate security event data from a wide range of network and security devices. Consolidating the information and providing some level of reporting against it enabled security organizations to begin to rationalize and control the large volume of security events in their enterprise.
However, these solutions did not do enough to provide insight into the events and help analysts assimilate the information quickly. As correlation capabilities improved, so did event prioritization and notification, but the ability of users to comprehend the large volume of data quickly did not. Second-generation SIM tools continued to rely mainly on two limited methods of presenting information, the event console and tabular reports, with some basic charting capabilities added.
Event consoles do very little to help users keep up with information. The stream of real-time events across a large enterprise is overwhelming, even with color coding to indicate priority. The emergence of dashboard views has alleviated this problem to some extent, but very few enterprises can afford to keep a dashboard staffed constantly, and although dashboards are helpful in alerting analysts to the presence of a potential problem, they are not as useful for pinpointing the specific problem.
Tabular reports provide more insight than the console by letting the user organize data in specific ways, but as anyone who has looked for information in a spreadsheet can attest, spreadsheets are extremely granular, and identifying relationships at a macro level and then exploring them is difficult.

THREAT VISUALIZATION AND NEXT-GENERATION SIM

Advanced threat visualization greatly increases the value of the information a SIM solution captures and is critical to getting the most from a security organization. By providing drillable, high-level views of threat activity across the extended enterprise and its physical network, together with charting built on purpose-specific analytics, a SIM solution can transform the way security teams work.
CiscoWorks SIMS layers new visual tools on top of tabular reports and sophisticated analytics so that teams can assimilate information faster, differentiate false positives from real threats, understand the exact nature and scope of a threat, and make sure that vulnerabilities are mitigated before a threat can proliferate. CiscoWorks SIMS delivers a comprehensive range of visual tools to help security analysts work the way they think.
CiscoWorks SIMS provides the following threat visualization capabilities to help security practitioners rationalize the large number of security events created in today's business climate.

• The Link Map feature allows analysts to visualize relationships among different assets under attack to identify the target, type, and method of attack. Analysts can immediately see the course of an attack in real time as it propagates across a network. Playback controls allow users to recreate the attack so they can determine the full extent of vulnerabilities and anticipate where an attack is heading. Analysts can drill down on a specific asset at any time to get more specific information (Figure 1).

Figure 1. Link Map

• The Geo Map allows analysts and operators to track events by country and city, flag suspicious traffic from specific countries, and place suspicious sources at a specific longitude and latitude (Figure 2). Because the placement is derived from the source IP address and a geolocation database, the coordinates are an approximation of where an address is registered or routed, not a verified physical location.

Figure 2. Geo Map

• Expanded charting capabilities give users more visual references that are easy to understand. Users now have a wider range of custom charting options to help identify threats and present summary views of data to management, and can drill down from a chart into the underlying detail and follow links for further exploration.

• The device status view gives analysts real-time visibility into the status of devices across the network and makes device-count charts easier to view and analyze. The device status view also helps enable centralized configuration of devices (Figure 3).

Figure 3. New Chart View
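The Link Map described above is a directed graph built from event records: each source-to-destination pair becomes an edge, the signatures seen on that edge give the type and method of attack, and playback is simply the same graph rebuilt from the events up to a chosen time. The following is an added example of that idea in Python; it is not CiscoWorks SIMS code, and the event fields, addresses and signature names are assumptions constructed for illustration.

```python
"""Link map and playback over normalized security events.

Added example, not CiscoWorks SIMS code. Event fields and sample values are
assumptions constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (timestamp, source, destination, signature).
# Addresses and signatures are fabricated; they are not from a real capture.
SAMPLE_EVENTS = [
    ("2005-05-01T10:00:00", "10.0.0.5", "10.0.1.20", "scan"),
    ("2005-05-01T10:00:30", "10.0.0.5", "10.0.1.21", "scan"),
    ("2005-05-01T10:01:00", "10.0.0.5", "10.0.1.20", "exploit"),
    ("2005-05-01T10:02:00", "10.0.1.20", "10.0.2.7", "exploit"),
    ("2005-05-01T10:03:00", "10.0.2.7", "10.0.3.9", "scan"),
    ("2005-05-01T10:03:10", "192.0.2.8", "10.0.1.21", "scan"),
]


def build_link_map(events):
    """Aggregate events into directed edges (src, dst) -> {count, signatures}.

    Each edge is one line on the link map; the signature set tells the
    analyst the type and method of attack seen between two assets.
    """
    edges = defaultdict(lambda: {"count": 0, "signatures": set()})
    for _ts, src, dst, sig in events:
        edge = edges[(src, dst)]
        edge["count"] += 1
        edge["signatures"].add(sig)
    return dict(edges)


def playback(events, until):
    """Playback control: the link map as it looked at ISO timestamp 'until'."""
    cutoff = datetime.fromisoformat(until)
    visible = [ev for ev in events if datetime.fromisoformat(ev[0]) <= cutoff]
    return build_link_map(visible)


def propagation_chain(events, origin):
    """Follow an attack from 'origin' through the network in time order.

    A destination joins the chain when a host already in the chain sends it
    an 'exploit' event; it may then act as a source itself. Hosts that were
    only scanned are not added, so the result is the list of assets that
    need mitigation, in the order they were reached.
    """
    chain = [origin]
    for _ts, src, dst, sig in sorted(events):  # ISO timestamps sort chronologically
        if sig == "exploit" and src in chain and dst not in chain:
            chain.append(dst)
    return chain


def drill_down(events, asset):
    """Drill-down view: every event in which 'asset' is source or destination."""
    return [ev for ev in events if asset in (ev[1], ev[2])]


if __name__ == "__main__":
    for (src, dst), info in sorted(build_link_map(SAMPLE_EVENTS).items()):
        print(f"{src} -> {dst}: {info['count']} event(s) {sorted(info['signatures'])}")
    print("chain from 10.0.0.5:", propagation_chain(SAMPLE_EVENTS, "10.0.0.5"))
```

Running the block prints the five edges of the constructed graph and the chain 10.0.0.5 to 10.0.1.20 to 10.0.2.7; 10.0.3.9 is excluded because it was only scanned, which is the distinction between a host that needs mitigation and one that merely needs watching.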

FULLY INTEGRATED ANALYTICS AND REPORTING DELIVER POWERFUL INSIGHT

CiscoWorks SIMS contains powerful next-generation reporting and analytics. Flexible reporting capabilities provide an excellent starting point for further analysis using analytics and visual tools. Integrated analytics give users comprehensive security information using multiple dimensions of data in a pivot table format. The results are also presented visually in charts that accompany the dataset. CiscoWorks SIMS provides the following reporting and analytic features to complement data visualization:

• Analytics extend base report data by letting users perform further, more specific analysis on it.

• Data-mining functions let security personnel analyze raw event data against specific criteria to identify anomalous incidents, so analysts can pinpoint details that would otherwise go unnoticed in the event stream.

• Analysts can view specific activity in detail over any chosen time period.

• Reporting functions allow users to easily integrate real-time and historical information to spot emerging trends, while enabling users to reuse the same dataset across all views.

• Support for custom report development allows security teams to generate reports on the information most vital to their organization.
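The pivot-table analytics and the data-mining pass described in this section both operate on one normalized dataset: a pivot counts events along two chosen dimensions, and an anomaly check compares a source's latest count with its own history drawn from that same pivot. The block below is an added example in Python, not CiscoWorks SIMS code; the event field names, the sample data and the z-score rule (with a deviation floor of 1.0 for flat baselines) are assumptions made for illustration.

```python
"""Pivot-table analytics and a simple data-mining pass over security events.

Added example, not CiscoWorks SIMS code. Event fields, the sample data and
the anomaly rule are assumptions constructed for illustration.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev

DAYS = ["2005-05-01", "2005-05-02", "2005-05-03", "2005-05-04"]


def make_event(day, src, signature, severity):
    """One normalized event; the field names are an assumption of this example."""
    return {"day": day, "src": src, "signature": signature, "severity": severity}


# Constructed dataset: one source scans steadily, another produces a burst of
# failed logins on the last day. Fabricated for illustration.
SAMPLE_EVENTS = (
    [make_event(d, "10.0.0.5", "scan", 3) for d in DAYS for _ in range(2)]
    + [make_event(d, "10.0.0.9", "login-fail", 2) for d in DAYS[:3]]
    + [make_event(DAYS[3], "10.0.0.9", "login-fail", 2) for _ in range(12)]
)


def pivot(events, row_field, col_field):
    """Count events by two dimensions, like a pivot table: {row: {col: n}}."""
    table = defaultdict(Counter)
    for ev in events:
        table[ev[row_field]][ev[col_field]] += 1
    return {row: dict(cols) for row, cols in table.items()}


def in_period(events, start_day, end_day):
    """Restrict the dataset to a time period; the same view functions apply."""
    return [ev for ev in events if start_day <= ev["day"] <= end_day]


def anomalous_sources(events, z_threshold=2.0, min_days=3):
    """Flag sources whose latest daily count is far above their own baseline.

    Baseline = mean/stdev of the source's earlier days. A flat baseline has
    zero deviation, so a floor of 1.0 is used (an assumption) to avoid
    dividing by zero. Returns {src: (day, count, z)}.
    """
    flagged = {}
    for src, by_day in pivot(events, "src", "day").items():
        days = sorted(by_day)
        if len(days) < min_days:
            continue  # not enough history to call anything anomalous
        history = [by_day[d] for d in days[:-1]]
        sigma = max(pstdev(history), 1.0)
        z = (by_day[days[-1]] - mean(history)) / sigma
        if z > z_threshold:
            flagged[src] = (days[-1], by_day[days[-1]], round(z, 2))
    return flagged


if __name__ == "__main__":
    for sig, cols in pivot(SAMPLE_EVENTS, "signature", "day").items():
        print(sig, dict(sorted(cols.items())))
    print("anomalous:", anomalous_sources(SAMPLE_EVENTS))
```

The steady scanner is not flagged because its latest day matches its baseline, while the source with twelve failed logins after three days of one per day is; the minimum-history check matters in practice, since a source seen for the first time has no baseline and a rule without that guard would either flag or ignore it arbitrarily.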

Corporate Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706, USA, www.cisco.com, Tel: 408 526-4000 / 800 553-NETS (6387), Fax: 408 526-4100
European Headquarters: Cisco Systems International BV, Haarlerbergpark, Haarlerbergweg 13-19, 1101 CH Amsterdam, The Netherlands, www-europe.cisco.com, Tel: 31 0 20 357 1000, Fax: 31 0 20 357 1100
Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706, USA, www.cisco.com, Tel: 408 526-7660, Fax: 408 527-0883
Asia Pacific Headquarters: Cisco Systems, Inc., 168 Robinson Road, #28-01 Capital Tower, Singapore 068912, www.cisco.com, Tel: +65 6317 7777, Fax: +65 6317 7799
Cisco Systems has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.
Argentina · Australia · Austria · Belgium · Brazil · Bulgaria · Canada · Chile · China PRC · Colombia · Costa Rica · Croatia · Cyprus · Czech Republic · Denmark · Dubai, UAE · Finland · France · Germany · Greece · Hong Kong SAR · Hungary · India · Indonesia · Ireland · Israel · Italy · Japan · Korea · Luxembourg · Malaysia · Mexico · The Netherlands · New Zealand · Norway · Peru · Philippines · Poland · Portugal · Puerto Rico · Romania · Russia · Saudi Arabia · Scotland · Singapore · Slovakia · Slovenia · South Africa · Spain · Sweden · Switzerland · Taiwan · Thailand · Turkey · Ukraine · United Kingdom · United States · Venezuela · Vietnam · Zimbabwe
Copyright © 2005 Cisco Systems, Inc. All rights reserved.
CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, StrataView Plus, TeleRouter, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company.
(0502R) 205314.G_ETMG_LF_5.05 Printed in the USA