CiscoWorks Security Information Management Solution Datasheet

CiscoWorks Security Information Management Solution (SIMS)

An important element of the Cisco® Self-Defending Network, the CiscoWorks Security Information Management Solution (SIMS) integrates, correlates, and analyzes security event data from throughout the enterprise network to improve visibility and provide actionable intelligence for strengthening an organization's security posture.

Product Overview

With a high incidence of severe threats and attacks on information assets, IT security has become a priority at the highest levels of organizations. In addition to mitigating threats to mission-critical network systems, enterprises must comply with a wide range of federal and industry regulations that require them to implement security information management controls and to verify that those controls are effective. The Cisco Self-Defending Network integrates security and security information management (SIM) solutions throughout the network for a globally distributed defense. CiscoWorks SIMS plays an important role by integrating with a heterogeneous array of network devices, applications, and security products (refer to Table 3, later in this document), allowing network managers to centrally monitor, analyze, and manage enterprise network security.
CiscoWorks SIMS is a key element of the Cisco Systems® Threat Defense System, a collaboration of security solutions and intelligent networking technologies that identify and mitigate threats from inside and outside your organization. As part of a threat defense system, CiscoWorks SIMS provides coverage throughout the network, from the data center to branch offices to network endpoints. It helps security organizations create an auditable security infrastructure for demonstrating regulatory compliance, prevent catastrophic loss, and conduct historical or forensic analysis if an attack occurs.
CiscoWorks SIMS capabilities include:

• Real-time event monitoring

• Multiple event correlation methods to detect both known and unknown threats while reducing false positives

• Dynamic visualization for fast and intuitive threat identification, tracking, and analysis

• Integrated risk assessment to understand the overall vulnerability of any particular asset within the enterprise

• Comprehensive reporting and forensics for all levels of security operations

• Robust incident management system that organizes security event data and enforces security response workflow

• Network Admission Control (NAC) event monitoring, reporting, and case management

Target Customer

CiscoWorks SIMS targets large or global enterprise customers as well as Managed Security Service Providers (MSSPs).

Applications

CiscoWorks SIMS extends security information management capabilities through all phases of the security lifecycle to strengthen the enterprise security posture and connect security processes with business objectives. It can be used to help security professionals:

• Connect knowledge about events to containment and remediation efforts

• Connect CiscoWorks SIMS data to improvements in security policy, security architecture, and technology configurations

• Facilitate development of guidelines and processes for handling alerts and security incidents across the enterprise

• Establish repeatable processes so that results can be quantified, progress can be measured, and impact on overall business imperatives can be analyzed

Features and Benefits

Comprehensive Correlation

CiscoWorks SIMS is a SIM solution that integrates statistical, rules-based, and vulnerability correlation to speed threat identification and reduce risk. By combining all three types of correlation with asset valuation, it produces a risk profile for each event, facilitating response and reducing the organization's total risk exposure.

Statistical Correlation

Statistical correlation analyzes network behavior and identifies threats based on the presence and severity of anomalous event patterns. CiscoWorks SIMS applies statistical algorithms to automatically determine incident severity and assign a threat score, weighted by the preassigned value of each information asset. CiscoWorks SIMS data can also be used to gauge the effectiveness of security measures by tracking whether the number of attack patterns against high-value assets decreases over time.
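As an added illustration, and not CiscoWorks SIMS code (this page does not document the product's statistical algorithms), the Python sketch below shows one way the scoring described above can work: each asset gets a baseline of hourly event counts, the current hour is compared with that baseline as a z-score, and an anomaly is weighted by the asset's preassigned value so that a modest spike on a critical server outranks a large one on a throwaway host. The hosts, asset values, histories and counts are constructed sample data; the deviation floor and the anomaly threshold are my assumptions.

```python
"""Statistical correlation over per-asset event counts.

Added example, not CiscoWorks SIMS code. Baseline/z-score model, floor and
threshold are assumptions; all hosts, values and counts are constructed.
"""
from statistics import mean, pstdev

# Constructed asset valuation (1 = low, 5 = mission-critical).
ASSET_VALUE = {"10.0.0.5": 5, "10.0.0.20": 2, "10.0.0.33": 1}

# Constructed history: events per hour seen against each host over the last
# 12 hours, and the count observed in the current hour.
HISTORY = {
    "10.0.0.5":  [3, 4, 2, 5, 3, 4, 3, 2, 4, 3, 5, 4],
    "10.0.0.20": [1, 0, 2, 1, 1, 0, 1, 2, 1, 1, 0, 1],
    "10.0.0.33": [0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 1],
}
CURRENT = {"10.0.0.5": 40, "10.0.0.20": 1, "10.0.0.33": 9}


def zscore(history, current, floor=1.0):
    """How many standard deviations the current count sits above baseline.
    The floor on the deviation stops a near-constant baseline from turning a
    single extra event into an enormous score (assumed value: 1 event)."""
    mu = mean(history)
    sigma = max(pstdev(history), floor)
    return (current - mu) / sigma


def threat_score(history, current, asset_value, anomaly_threshold=3.0):
    """Return (z, score). Score is 0 below the anomaly threshold; above it,
    the anomaly magnitude is multiplied by the asset value."""
    z = zscore(history, current)
    if z < anomaly_threshold:
        return z, 0.0
    return z, round(z * asset_value, 1)


def rank_assets(history=HISTORY, current=CURRENT, asset_value=ASSET_VALUE):
    """Score every asset and return them highest-threat first."""
    ranked = []
    for host, hist in history.items():
        z, score = threat_score(hist, current[host], asset_value[host])
        ranked.append({"host": host, "z": round(z, 2), "score": score})
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


if __name__ == "__main__":
    for row in rank_assets():
        print(row)
```

With the constructed data the critical host 10.0.0.5 scores 182.5 and the low-value host 10.0.0.33, which saw a proportionally similar spike, scores 8.7; the host with no anomaly scores 0. Running the same ranking on successive days and watching whether high-value hosts drop down the list is the trend check the paragraph above describes.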

Rules-Based Correlation

The CiscoWorks SIMS Rules-Based Correlation Engine allows users to apply conditional logic to identify likely attack scenarios by observing a specific series of events within a specified amount of time. Security personnel can deploy and modify preexisting event correlation rules or develop custom rules with multiple states to improve threat identification and reduce false positives. The engine includes an intuitive rules development GUI to simplify rules definition, modification, and deployment.
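The following is an added example, written in Python and not CiscoWorks SIMS code or its rule syntax (neither appears on this page), of the kind of multi-state, time-windowed rule the paragraph above describes. State one is reached when five authentication failures from one source against one target fall inside 60 seconds; state two, which raises the incident, requires a success for the same pair within 120 seconds of the last failure. The log format, hosts and thresholds are constructed.

```python
"""Rules-based correlation: a two-state rule over a time window.

Added example, not CiscoWorks SIMS code or rule syntax. Log format, hosts
and thresholds are constructed / assumed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: timestamp, source, target, outcome, user.
SAMPLE_LOG = """\
2005-04-29T10:00:01 src=198.51.100.7 dst=10.0.0.5 auth=FAIL user=root
2005-04-29T10:00:03 src=198.51.100.7 dst=10.0.0.5 auth=FAIL user=admin
2005-04-29T10:00:04 src=198.51.100.7 dst=10.0.0.5 auth=FAIL user=oracle
2005-04-29T10:00:06 src=198.51.100.7 dst=10.0.0.5 auth=FAIL user=backup
2005-04-29T10:00:09 src=198.51.100.7 dst=10.0.0.5 auth=FAIL user=test
2005-04-29T10:00:40 src=198.51.100.7 dst=10.0.0.5 auth=OK user=backup
2005-04-29T10:05:00 src=203.0.113.9 dst=10.0.0.20 auth=FAIL user=bob
2005-04-29T10:05:02 src=203.0.113.9 dst=10.0.0.20 auth=OK user=bob
2005-04-29T11:00:00 src=198.51.100.7 dst=10.0.0.33 auth=FAIL user=root
2005-04-29T11:00:01 src=198.51.100.7 dst=10.0.0.33 auth=FAIL user=root
2005-04-29T11:00:02 src=198.51.100.7 dst=10.0.0.33 auth=FAIL user=root
2005-04-29T11:00:03 src=198.51.100.7 dst=10.0.0.33 auth=FAIL user=root
2005-04-29T11:00:04 src=198.51.100.7 dst=10.0.0.33 auth=FAIL user=root
2005-04-29T11:10:00 src=198.51.100.7 dst=10.0.0.33 auth=OK user=root
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) auth=(?P<auth>\S+) user=(?P<user>\S+)$"
)


def parse(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            yield ev


def correlate(events, fail_threshold=5, fail_window=timedelta(seconds=60),
              success_window=timedelta(seconds=120)):
    """State 1: fail_threshold failures from one source to one target inside
    fail_window. State 2: a success for the same pair within success_window
    of the failure that completed state 1. Only the full sequence fires."""
    failures = defaultdict(deque)   # (src, dst) -> timestamps of recent failures
    armed = {}                      # (src, dst) -> time state 1 was reached
    incidents = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["dst"])
        if ev["auth"] == "FAIL":
            q = failures[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > fail_window:   # slide the window
                q.popleft()
            if len(q) >= fail_threshold:
                armed[key] = ev["ts"]
        elif ev["auth"] == "OK":
            armed_at = armed.get(key)
            if armed_at is not None and ev["ts"] - armed_at <= success_window:
                incidents.append({"rule": "brute-force-then-success",
                                  "src": ev["src"], "dst": ev["dst"],
                                  "user": ev["user"], "at": ev["ts"].isoformat()})
            # A success, fired or not, resets both states for the pair.
            failures.pop(key, None)
            armed.pop(key, None)
    return incidents


def run(text=SAMPLE_LOG):
    return correlate(parse(text))


if __name__ == "__main__":
    for inc in run():
        print(inc)
```

Only the first pair raises an incident. The second pair never reaches state one (a single failure), and the third reaches it but its success arrives ten minutes later, outside the second window; a stateless rule that matched "failures followed by a success" would have fired on it, which is the false positive the window exists to suppress.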

Vulnerability Correlation

CiscoWorks SIMS Vulnerability Correlation delivers vulnerability management functions to help security teams identify asset weaknesses before they can be exploited. This feature automatically correlates intrusion detection data with multiple sources of vulnerability data, including data from vulnerability management scanners and a database of known vulnerabilities, and assigns each event a confidence level indicating whether it is a genuine attack rather than a false alarm. CiscoWorks SIMS then combines the vulnerability data with asset threat data and assigns a risk score, helping users quickly determine the business impact of specific events. Vulnerability correlation requires no rule writing, so security teams benefit immediately.

Advanced vulnerability reporting allows the security organization to demonstrate progress in eliminating vulnerabilities that relate to primary business objectives, such as policy compliance. This also aids in developing and revising mitigation and policy compliance strategies.

Risk scoring prioritizes threats based on asset value so analysts can take action on threats with the most loss potential for the organization first.

Vulnerability scanner integration incorporates data from vulnerability scanners to provide an up-to-date picture of vulnerable assets. CiscoWorks SIMS integrates with a range of leading vulnerability scanners (Table 3).

Resolution procedures, based on a library of procedures available from the knowledge base, take users through the process of fixing specific vulnerabilities so no steps are missed.

A dynamic knowledge base contains updated security information about known vulnerabilities, including a database of known vulnerabilities that can be correlated against scanner data, as well as published advisories about new vulnerabilities that are updated monthly.
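The correlation and risk-scoring steps described in this section, as an added example in Python rather than CiscoWorks SIMS code: the page names the inputs (IDS events, scanner findings, a vulnerability database, asset value) but not the product's algorithm, so the four confidence levels, their weights, and the severity x confidence x asset value formula are my assumptions. The scan results, alerts and the EXAMPLE-VULN identifiers are constructed placeholders, not real vulnerabilities.

```python
"""Vulnerability correlation with asset-weighted risk scoring.

Added example, not CiscoWorks SIMS code. Confidence levels, weights and the
scoring formula are assumptions; scan data, alerts and EXAMPLE-VULN names
are constructed placeholders.
"""

# Constructed scanner import: host -> open TCP ports and vulnerability findings.
SCAN = {
    "10.0.0.5":  {"ports": {22, 80, 443}, "vulns": {"EXAMPLE-VULN-1"}},
    "10.0.0.20": {"ports": {80},          "vulns": set()},
    "10.0.0.33": {"ports": {3389},        "vulns": set()},
}
# Constructed asset valuation (1 = low, 5 = mission-critical).
ASSET_VALUE = {"10.0.0.5": 5, "10.0.0.20": 2, "10.0.0.33": 1}

# Constructed IDS alerts: the weakness the signature targets (from the
# vulnerability database), the target host/port, and sensor severity (1-5).
ALERTS = [
    {"sig": "WEB example overflow", "vuln": "EXAMPLE-VULN-1", "dst": "10.0.0.5",  "port": 80,   "severity": 4},
    {"sig": "WEB example overflow", "vuln": "EXAMPLE-VULN-1", "dst": "10.0.0.20", "port": 80,   "severity": 4},
    {"sig": "WEB example overflow", "vuln": "EXAMPLE-VULN-1", "dst": "10.0.0.33", "port": 80,   "severity": 4},
    {"sig": "SCAN example sweep",   "vuln": None,             "dst": "10.0.0.33", "port": 3389, "severity": 1},
]

# Assumed weights: how much of the sensor severity survives each verdict.
CONFIDENCE_WEIGHT = {"confirmed": 1.0, "possible": 0.4, "unlikely": 0.05, "unknown": 0.3}


def confidence(alert, scan):
    """Classify one alert against the latest scan of its target:
    confirmed - the scanner found the very weakness the signature targets;
    possible  - the targeted service is listening but the flaw was not found;
    unlikely  - nothing listens on the targeted port, so the attack cannot land;
    unknown   - no scan data for the host (a prompt to scan it, not to ignore it)."""
    host = scan.get(alert["dst"])
    if host is None:
        return "unknown"
    if alert["vuln"] and alert["vuln"] in host["vulns"]:
        return "confirmed"
    if alert["port"] in host["ports"]:
        return "possible"
    return "unlikely"


def risk_score(alert, level, asset_value):
    """severity (1-5) x confidence weight x asset value (1-5); maximum 25."""
    return round(alert["severity"] * CONFIDENCE_WEIGHT[level] * asset_value, 2)


def prioritize(alerts=ALERTS, scan=SCAN, asset_value=ASSET_VALUE):
    """Annotate every alert with its verdict and risk, highest risk first."""
    out = []
    for a in alerts:
        level = confidence(a, scan)
        out.append({**a, "confidence": level,
                    "risk": risk_score(a, level, asset_value.get(a["dst"], 1))})
    out.sort(key=lambda r: r["risk"], reverse=True)
    return out


if __name__ == "__main__":
    for row in prioritize():
        print(row["risk"], row["confidence"], row["dst"], row["sig"])
```

The same signature fires three times in the sample, but only the hit on the host that actually carries the targeted weakness reaches the top of the queue (risk 20.0); the hit on a host with the port closed drops to 0.2, below a low-severity sweep that at least reached a listening service. That reordering, driven by scanner data rather than by the sensor's own severity, is what the page means by vulnerability correlation.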

Threat Visualization

Next-generation analytics allow users to examine security data in multiple dimensions, while visual tools accelerate threat identification and remediation.

Expert Assistant: This tool guides users through multiple views to quickly obtain threat identification and attack information.

Data mining and drill-downs: With flexible filtering tools, users can analyze events based on specific criteria to identify anomalous incidents. They can drill down on data in a table, console, map, chart, or tree to obtain more specific information.

Role-based dashboards: Predefined displays of SIM desktop components can include both real-time and historical views for analysts, operators, and executives. Dashboard layouts can be customized.

Multiple data views: Users can quickly change views to compare information and detect patterns. Reports and consoles present tables, charts, Analyzer, Geo Maps, and Link Maps on separate tabs for easy access. Dashboards place high-interest displays side by side, and CiscoWorks SIMS Virtual Desktops allow combined displays in alternate configurations.

Custom charts: A wide range of custom charting options helps identify threats and present summary views of data. Charts are fully drillable, creating links for further exploration. Users can also tailor reports to the information relevant to their enterprise security processes and procedures.

Device status view: This view provides real-time visibility into the status of devices across the network and also enables centralized device configuration.

Incident Resolution Management

Any security incident anywhere in the network can be processed through the integrated CiscoWorks SIMS Incident Resolution Management system, which ensures that a standards-based remediation workflow is followed and that noncompliant systems are brought back to operational standards. The incident resolution management capabilities gather and organize security event data into a logical form and then enforce the proper security response workflow to accelerate effective incident response.

Graphical user interface: An easy-to-use graphical interface guides users through opening, editing, and resolving virtually any security incident.

Built-in workflow: CiscoWorks SIMS integrates the SANS Institute six-step incident response process with flexible, customizable workflow to ensure consistent, rigorous, documented incident response.

Evidence retention and security: Almost any document, scanned image, report, chart, audio recording, traffic capture, or other data can be attached to an individual incident case. Files can be cryptographically check-summed on insertion so that later modification of the evidence is detectable.

Role-based access: CiscoWorks SIMS provides a secure way to store case evidence and applies tight, granular access controls to case data while still allowing investigators to work together on a case.

Reporting: Robust reporting capabilities include both incident-level and executive-level reports.

Unified policy compliance and remediation: CiscoWorks SIMS takes policy violation information and closes the loop by triggering workflow that allows teams to contain and remedy NAC and other policy violations that represent real network attacks. It also integrates with Remedy to facilitate communication with other IT groups involved in remediation.
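The evidence check-summing described under "Evidence retention and security", as an added example in Python and not CiscoWorks SIMS code (the page says only that files can be cryptographically check-summed on insertion). A practitioner's caveat motivates the design: a digest stored next to the file in the same case store can be recomputed by anyone who can rewrite the case record, so this version also keys a MAC over the manifest entry with a key held outside the store, and verification checks the manifest before the bytes. The store layout, the key handling and the evidence bytes are assumptions and constructed data.

```python
"""Evidence attachment with integrity checks at insertion time.

Added example, not CiscoWorks SIMS code. Store layout, keyed MAC and key
handling are assumptions; the evidence bytes are constructed.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumption: the verification key lives outside the case store (an HSM, a
# separate secrets service, or at minimum a root-only file on another host),
# so someone who can rewrite a case record cannot recompute the MAC.
VERIFY_KEY = b"constructed-demo-key-do-not-reuse"


class EvidenceStore:
    def __init__(self, key=VERIFY_KEY):
        self._key = key
        self.cases = {}   # case_id -> list of manifest entries
        self.blobs = {}   # sha256 hex -> bytes (content-addressed storage)

    def attach(self, case_id, filename, data, analyst):
        """Hash the bytes, record who attached what and when, and MAC the record."""
        digest = hashlib.sha256(data).hexdigest()
        entry = {
            "case": case_id, "file": filename, "sha256": digest,
            "size": len(data), "by": analyst,
            "at": datetime.now(timezone.utc).isoformat(),
        }
        # The MAC binds name, hash, size, analyst and time together.
        entry["mac"] = self._mac(entry)
        self.blobs[digest] = bytes(data)
        self.cases.setdefault(case_id, []).append(entry)
        return entry

    def verify(self, case_id):
        """Return (ok, problems). The manifest MAC is checked first (was the
        record altered?), then the bytes against the recorded hash (was the
        evidence altered?)."""
        problems = []
        for e in self.cases.get(case_id, []):
            unsigned = {k: v for k, v in e.items() if k != "mac"}
            if not hmac.compare_digest(self._mac(unsigned), e["mac"]):
                problems.append(f"{e['file']}: manifest entry tampered")
                continue
            blob = self.blobs.get(e["sha256"])
            if blob is None or hashlib.sha256(blob).hexdigest() != e["sha256"]:
                problems.append(f"{e['file']}: content does not match recorded hash")
        return (not problems), problems

    def _mac(self, entry):
        canonical = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, canonical, hashlib.sha256).hexdigest()


def demo():
    """Attach a constructed capture, then swap the stored bytes as an attacker
    with write access to the blob store would; return both verdicts."""
    store = EvidenceStore()
    store.attach("INC-0001", "capture.pcap", b"\xd4\xc3\xb2\xa1constructed pcap bytes", "analyst1")
    clean, _ = store.verify("INC-0001")
    digest = store.cases["INC-0001"][0]["sha256"]
    store.blobs[digest] = b"\xd4\xc3\xb2\xa1altered"
    tampered, problems = store.verify("INC-0001")
    return clean, tampered, problems


if __name__ == "__main__":
    print(demo())
```

Editing the manifest to match the swapped bytes does not help the attacker either: the MAC over the canonical entry no longer verifies, and the case is flagged before the hash is even consulted.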

Integrated Knowledge Base

An integrated knowledge base eliminates the need to perform hours of threat and vulnerability research. Information about newly discovered vulnerabilities and vendor-specific vulnerability data are directly accessible from CiscoWorks SIMS. The knowledge base also contains a database of security best practices drawn from sources such as CERT and CVE. Regular advisories can be downloaded to help security teams keep pace with the latest vulnerabilities.

NAC Monitoring and Reporting

CiscoWorks SIMS is the Cisco solution for real-time monitoring and reporting for NAC environments. In addition to a full complement of NAC-specific reports, the CiscoWorks SIMS NAC dashboard provides summary and detailed drill-down views of all NAC-related activities, including quarantined and infected hosts, admitted and rejected hosts, most frequent policy violators, and time to remediation. If a NAC violation occurs, security analysts can open a case, investigate the violation, and follow it through complete resolution.

Security Portal

The CiscoWorks SIMS security portal is a lightweight, Web-enabled application that helps managers and security professionals easily and securely view CiscoWorks SIMS reports. Reports can be regularly scheduled, simplifying management for organizations without a continuous security operations center. Reports range from detailed analysis to summary overviews and can be generated for devices or business units as specified by the user. Features include:

Report calendar: The calendar displays the number of daily reports generated in calendar format.

Device list: Authorized users belong to device groups, represented on an expandable tree, and can click the appropriate branch to view detailed information.

Report options button: This button lets users choose the report format and frequency for display in the calendar.

Real-Time Notification

When a high-priority threat is identified, CiscoWorks SIMS notifies analysts by their preferred method, including e-mail, personal digital assistants (PDAs), and pagers. It also integrates with network management consoles such as HP OpenView, Cisco Info Center (Netcool), Tivoli, and Computer Associates (CA) Unicenter, so that Network Operations Center (NOC) teams can also view and monitor security events in their familiar consoles.

Trouble-Ticketing Notification

CiscoWorks SIMS security incident cases can be integrated with a trouble-ticketing solution such as CA Service Plus, Remedy, or Clarify.

Product Architecture

CiscoWorks SIMS is built on a stable, proven SIM architecture designed to meet the performance demands of a mission-critical infrastructure spanning multiple sites.

N-Tier Architecture

A robust, enterprise-class architecture allows CiscoWorks SIMS to scale for 24-by-7 operation across a distributed, heterogeneous enterprise. The multi-tiered design distributes load efficiently and eliminates single points of failure for maximum performance and availability.

Fault Tolerance

CiscoWorks SIMS provides fault tolerance through failover, creating redundancy across a distributed implementation. Agents can forward data to multiple engines, and engines can forward data to other engines, replicating information within the network. Multiple redundancy options make it easier and more cost-effective to deploy a backup Security Operations Center (SOC) sized to actual business requirements.

Device Integration

CiscoWorks SIMS integrates natively with all Cisco switching, routing, and firewall platforms, as well as with most third-party security devices and applications, including intrusion detection systems, firewalls, operating systems, and antivirus systems, without requiring installation on the devices themselves. Refer to the device and application support list in Table 3. If a device or application is not supported natively, users can quickly create custom connectors with the Universal Agent Software Development Kit (SDK).

Self-Healing Administration

CiscoWorks SIMS is the only solution available with a built-in health module that continuously monitors the deployment and reports problems when they occur. It also integrates with HP OpenView to connect CiscoWorks SIMS data to the network systems management infrastructure.

Fully Auditable Database

An open, flexible, integrated database provides information about newly identified threats, together with vendor-specific vulnerability data. The database is self-managing and accessible through an easy-to-use interface, eliminating the need to assign a database administrator for management. Users have multiple options for distributing and archiving stored data for audit and compliance purposes.

Optional Add-on Modules Availability

CiscoWorks SIMS offers optional modules for purchase in addition to the base CiscoWorks SIMS starter-kit product:

• Vulnerability Correlation (VC)

• Rules-Based Correlation (RBC)

• Incident Resolution Management (IRM)

• Enterprise Security Portal (ESP)

• Universal Agent (UA)

Product Specifications

Table 1. Product Specifications of CiscoWorks SIMS

Feature                 | Description
------------------------|------------------------------------------------------------
CiscoWorks SIMS version | 3.2.1.02*
Software compatibility  | For updates, Version 3.1.1.01 must be installed and running
Supported platforms     | Red Hat Linux Advanced Server 2.1, Solaris 8
System requirements     | Java 2 Runtime Environment (JRE) 1.4.2_05, Java Web Start
Minimum disk space      | 270 MB

* As of April 29, 2005

Minimum Hardware Recommendation

Table 2. Hardware Recommendations for CiscoWorks SIMS

Component         | Requirement
------------------|------------------------------------------------------------------------------
Operating system  | Refer to the section "Product Specifications"
Processor         | Linux: dual Intel Pentium 4, 1.5 GHz (server class); Solaris: dual UltraSPARC-IIi, 444 MHz (server class)
Memory            | 4 GB total system memory
Free disk space   | 18 GB (refer to the section "Disk Partitions" in the CiscoWorks SIMS Quick Start Guide)
Storage device    | CD-ROM
Software packages | Linux: anonymous FTP, development libraries, and kernel development; Solaris 8: refer to the Quick Start documentation

Note: Hardware requirements may vary depending on the implementation design specification.

Table 3. Device and Application Support Information for CiscoWorks SIMS

An X marks the CiscoWorks SIMS agent platforms (Windows, Linux, Solaris) on which the device or application is supported.

Device Name | Version | Device Type | Windows Agent | Linux Agent | Solaris Agent
------------|---------|-------------|---------------|-------------|--------------
Apache | 2.0.49, 1.3.31 | Web server | X | X | X
Arbor Peakflow X |  | Network-based intrusion detection system (IDS) | X | X | X
CatOS | 6.4, 6.3 | Network-based IDS | X | X | X
Check Point VPN-1 | NG, 2000, 4.1 | VPN | X | X | X
Check Point FireWall-1 | NG, 2000, 4.1 | Firewall | X | X | X
Cisco Secure ACS | 3.3, 3.2, 3.1, 3.0 | Access control and authentication | X |  |  
Cisco Content Engine | 5.0 | Web proxy | X | X | X
Cisco Catalyst® 6500 Series Firewall Services Module (FWSM) | 2.2, 2.1, 1.1 | Firewall | X | X | X
Cisco IDS | 4.0, 3.1, 2.5, 2.2 | Network-based IDS | X | X | X
Cisco Catalyst 6500 Series Intrusion Detection System Services Module (IDSM-2) | 3.0, 2.5 | Network-based IDS | X | X | X
Cisco IOS® Software Access Control List (ACL) | Cisco IOS Software 12.2, 12.0 | Access control and authentication | X | X | X
Cisco IOS Firewall | Cisco IOS Software 12.2, 12.0 | Firewall | X | X | X
Cisco IOS IDS and Cisco IOS IPS* | Cisco IOS Software 12.2, 12.0 | Network-based IDS and intrusion prevention system (IPS)* | X | X | X
Cisco 1800, 2800, and 3800 Series integrated services routers (ISRs)* | Cisco IOS Software 12.3(8)T* | Integrated services router | X | X | X
Cisco IOS IPS | 5.0 | Network-based IDS | X | X | X
Cisco ASA 5510, 5520, and 5540* | 5500 Series* | Multifunction security/VPN |  |  |  
Cisco PIX® 501, 505, 506, 515, 515E, 525, and 535 firewalls | 7.0, 6.3, 6.2, 6.1, 6.0, 5.3, 5.2, 5.1, 5.0 | Firewall | X | X | X
Cisco PIX IDS | 6.3, 6.2, 6.1, 6.0, 5.3, 5.2 | Network-based IDS | X | X | X
Cisco Security Agent (CSA) | 4.5, 4.0 | Host-based IDS | X | X | X
Cisco VPN 3000 Series Concentrator | 4.7**, 4.1.7*, 4.1.2, 4.0.3, 4.0, 3.1, 2.5.2 | VPN | X | X | X
Cisco Visual Switch Manager (VSM) (VPN switch blade) | Cisco IOS Software 12.1 | VPN | X | X | X
CyberGuard | 5.1 | Firewall | X | X |  
eEye Retina Scanner | 5 | Vulnerability assessment | X | X | X
Enterasys Dragon | 1.3.1 | Host-based IDS |  | X |  
Enterasys Dragon Sensor | 6.1, 1.3.1 | Network-based IDS |  | X |  
Entercept HIDS | 5.0, 4.0, 2.5.2, 2.5, 2.0 | Host-based IDS | X |  |  
Foundstone Scanner | 4 | Vulnerability assessment | X | X | X
Harris STAT Scanner Professional Edition | 5.26 Update 2 | Vulnerability assessment | X |  |  
HP-UX (Hewlett-Packard) | 10.0 | Operating system | X | X | X
ISS Desktop Protector* | 7 | Network-based IDS | X | X | X
ISS Internet Scanner | 7 | Vulnerability assessment | X | X | X
ISS RealSecure Network Sensor | 7.0, 6.5, 6.0 | Network-based IDS | X | X | X
ISS RealSecure Server Sensor | 7.0, 6.5, 6.0, 5.5 | Host-based IDS | X | X | X
ISS SiteProtector | SP5*, 2.1 SP4, 2.0, 1.0 | Enterprise management, policy monitoring, and configuration | X | X | X
Lancope StealthWatch | 4.0.0 | Network-based IDS | X | X | X
McAfee ePolicy Orchestrator (ePO) | 3.5, 3.0.1 | Enterprise management, policy monitoring, and configuration | X | X | X
McAfee IntruShield | 2.1, 1.9, 1.8, 1.2 | Network-based IDS |  | X | X
McAfee VirusScan | 7 | Antivirus | X |  |  
Microsoft IIS | 2000 | Web server | X |  |  
Microsoft Windows | 2000, NT 4.0 | Operating system | X |  |  
nCircle* | 6.0.5 | Vulnerability assessment | X | X | X
Nessus Scanner | 2.0.10 | Vulnerability assessment | X | X | X
Netscape Enterprise Web Server | 6 | Web server |  | X | X
NetScreen | 5.0, 4.0 | Firewall | X | X | X
NetScreen IDP | 3 | Network-based IDS | X | X | X
Network Flight Recorder | 4.0, 3.0 | Network-based IDS |  | X |  
Nokia | IPSO | Firewall | X | X | X
Oracle | 9i | Database | X | X | X
Red Hat Linux OS events | 8, 7.3, 7.2, 7.1 | Operating system |  | X | X
Secure Computing Sidewinder | 5.2 | Firewall |  | X |  
Snort NIDS | 2.1, 2.0, 1.9.0, 1.8.0, 1.7.0 | Network-based IDS |  | X | X
Solaris OS events | 9, 8, 7, 6, 2.0 | Operating system |  | X | X
Sourcefire | 3.0 (eStreamer integration), 2.0 | Network-based IDS | X | X | X
Squid Proxy | 2.5 | Web proxy | X | X | X
StoneGate Firewall | 2.0 | Firewall | X | X | X
Symantec AntiVirus | 9.0, 8.0 | Antivirus | X |  | X
Symantec Enterprise Firewall | 7.0, 6.5 (Raptor) | Firewall | X |  | X
Symantec Enterprise VPN | 7.0, 6.5 | VPN | X |  | X
Symantec HIDS | 4.1 | Host-based IDS | X | X | X
Symantec Intruder Alert | 3.6 | Host-based IDS | X |  | X
Symantec ManHunt | 3.0, 2.2 | Network-based IDS | X | X | X
TippingPoint | 1.4 and above | Network-based IDS | X | X | X
Trend Micro Control Manager | 3 | Antivirus | X | X | X
Tripwire for Servers | 4.1 | Host-based IDS | X | X | X
Tripwire NIDS | 3 | Network-based IDS | X | X | X
Zone Labs Integrity* |  | Firewall | X | X | X
* Under development as of April 29, 2005. Verify current device support availability with your Cisco sales representative or at http://www.cisco.com/go/sims.
** On the CiscoWorks SIMS roadmap. Consult Cisco product marketing or your Cisco product sales specialist for the current device and application support roadmap.
For devices that are not supported natively, the Universal Agent facility can be configured to integrate virtually any device type. Consult a Cisco product sales specialist about your device integration needs.

Software Features

For Incident Resolution Management (IRM), Rules-Based Correlation (RBC), and Vulnerability Correlation (VC) to use the functions in Version 3.2.1.02, these add-on products must also be updated. Refer to the release note for each add-on product for details on running its update:

• Software Update for Incident Resolution Management (IRM) 1.0 Release Notes (Update Version 1.0.03)

• Software Update for Rule Based Correlation (RBC) 1.0 Release Notes (Update Version 1.0.03)

• Software Update for Vulnerability Correlation (VC) 1.0 Release Notes (Update Version 1.0.0.2)

Warning: You must update every add-on product in use on your system (VC, IRM, and RBC).

Ordering the Software

Refer to the product ordering guide for part numbers provided on http://www.cisco.com/go/sims and the Cisco price book for actual pricing. Visit http://www.cisco.com/en/US/partner/ordering/index.shtml for product ordering.

Ordering Software for Upgrade

Use your service contract number to order a software upgrade at http://tools.cisco.com/gct/Upgrade/jsp/index.jsp.

Evaluation Software

Contact your Cisco sales representative or send an e-mail request to ciscoworks@cisco.com with title "SIMS Evaluation."

Service and Support

Cisco offers a wide range of services programs to accelerate customer success. These innovative services programs are delivered through a unique combination of people, processes, tools, and partners, resulting in high levels of customer satisfaction. Cisco services help you protect your network investment, optimize network operations, and prepare your network for new applications to extend network intelligence and the power of your business. For more information about Cisco Services, refer to Cisco Technical Support Services or Cisco Advanced Services.

Cisco Technical Support Website

The Cisco Technical Support Website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The Website is available 24 hours a day, 365 days a year at http://www.cisco.com/techsupport. Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at http://tools.cisco.com/RPF/register/register.do.

For More Information

For updated product information about CiscoWorks SIMS, visit http://www.cisco.com/go/sims or contact your local Cisco account representative.