Cisco Security Agent

Cisco Security Agent

by Chad Sullivan
Released June 2005
Publisher(s): Cisco Press
ISBN: 9781587052057

Read it now on the O’Reilly learning platform with a 10-day free trial.

O’Reilly members get unlimited access to books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Book description

Prevent security breaches by protecting endpoint systems with Cisco Security Agent, the Cisco host Intrusion Prevention System

  • Secure your endpoint systems with host IPS

  • Build and manipulate policies for the systems you wish to protect

  • Learn how to use groups and hosts in the Cisco Security Agent architecture and how the components are related

  • Install local agent components on various operating systems

  • Explore the event database on the management system to view and filter information

  • Examine Cisco Security Agent reporting mechanisms for monitoring system activity

  • Apply Application Deployment Investigation to report on installed applications, hotfixes, and service packs

  • Collect detailed information on processes and see how they use and are used by system resources

  • Create and tune policies to control your environment without impacting usability

  • Learn how to maintain the Cisco Security Agent architecture, including administrative access roles and backups

    • Cisco Security Agent presents a detailed explanation of Cisco Security Agent, illustrating the use of host Intrusion Prevention Systems (IPS) in modern self-defending network protection schemes. At the endpoint, the deployment of a host IPS provides protection against both worms and viruses. Rather than focusing exclusively on reconnaissance phases of network attacks a host IPS approaches the problem from the other direction, preventing malicious activity on the host by focusing on behavior. By changing the focus to behavior, damaging activity can be detected and blocked–regardless of the attack.

    Cisco Security Agent is an innovative product in that it secures the portion of corporate networks that are in the greatest need of protection–the end systems. It also has the ability to prevent a day-zero attack, which is a worm that spreads from system to system, taking advantage of vulnerabilities in networks where either the latest patches have not been installed or for which patches are not yet available. Cisco Security Agent utilizes a unique architecture that correlates behavior occurring on the end systems by monitoring clues such as file and memory access, process behavior, COM object access, and access to shared libraries as well as other important indicators.

    Cisco Security Agent is the first book to explore the features and benefits of this powerful host IPS product. Divided into seven parts, the book provides a detailed overview of Cisco Security Agent features and deployment scenarios. Part I covers the importance of endpoint security. Part II examines the basic components of the Cisco Security Agent architecture. Part III addresses agent installation and local use. Part IV discusses the Cisco Security Agent management console’s reporting and monitoring capabilities. Part V covers advanced Cisco Security Agent analysis features. Part VI covers Cisco Security Agent policy, implementation, and management. Part VII presents additional installation and management information.

    Whether you are evaluating host IPS in general or looking for a detailed deployment guide for Cisco Security Agent, this book will help you lock down your endpoint systems and prevent future attacks.

    “While there are still a lot of ways that security can go wrong, Cisco Security Agent provides a defense even when something is wrong. I remember the email that came around from our system administrator that said, ‘There’s something attacking our web server. We’re not sure what it is, but Stormwatch is blocking it.’ That was the Nimda worm–the first of a long line of attacks stopped by Cisco Security Agent.”

    –Ted Doty, Product Manager, Security Technology Group, Cisco Systems®

    This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.

    Table of contents

    1. Copyright
    2. About the Author
    3. Acknowledgments
    4. Foreword
    5. Introduction
    6. The Need for Endpoint Security
      1. Introducing Endpoint Security
        1. The Early Days: Viruses and Worms
        2. The Present: Blended Threats
        3. The Insider
        4. Understanding Point Security Weaknesses
        5. Using Attack-Detection Methods
        6. Establishing a Security Policy
        7. Summary
      2. Introducing the Cisco Security Agent
        1. Intrusion Prevention and Intrusion Detection Technologies
        2. The Life Cycle of an Attack
        3. CSA Capabilities
        4. CSA Components Overview
        5. CSA Communication
        6. CSA's Role Within SAFE
        7. Summary
    7. Understanding the CSA Building Blocks
      1. Understanding CSA Groups and Hosts
        1. The Relationship Between Groups and Hosts
        2. Understanding CSA Groups
        3. Understanding CSA Hosts
        4. Summary
      2. Understanding CSA Policies, Modules, and Rules
        1. The Relationship Between Policies, Modules, and Rules
        2. Establishing Acceptable Use Documents and Security Policies
        3. CSA Rules
        4. CSA Rule Modules
        5. CSA Policies
        6. Summary
      3. Understanding Application Classes and Variables
        1. Using Application Classes
        2. Introducing Variables
        3. Summary
    8. CSA Agent Installation and Local Agent Use
      1. Understanding CSA Components and Installation
        1. General CSA Agent Components Overview
        2. CSA Installation Requirements
        3. Agent Kits
        4. Summary
      2. Using the CSA User Interface
        1. Windows Agent Interface
        2. Linux Agent Interface
        3. Solaris Agent Interface
        4. Summary
    9. Monitoring and Reporting
      1. Monitoring CSA Events
        1. Status Summary
        2. Event Log
        3. Event Monitor
        4. Event Log Management
        5. Event Sets
        6. Alerts
        7. Summary
      2. Using CSA MC Reports
        1. Audit Trail Reporting
        2. Event Reporting
        3. Group Detail Reporting
        4. Host Detail Reporting
        5. Policy Detail Reporting
        6. Report Viewing
        7. Creating a Sample Report
        8. Summary
    10. Analyzing CSA
      1. Application Deployment Investigation
        1. Using Application Deployment Investigation
        2. Using Application Deployment Reports
        3. Summary
      2. Application Behavior Analysis
        1. Understanding Application Behavior Investigation Components
        2. Configuring Application Behavior Investigation
        3. Using Application Behavior Investigation on the Remote Agent
        4. Analyzing Log Data
        5. Viewing Behavior Reports
        6. Exporting the Behavior Analysis Report Data
        7. Analyzing UNIX Application Behavior
        8. Creating Behavior Analysis Rule Modules
        9. Summary
    11. Creating Policy, Implementing CSA, and Maintaining the CSA MC
      1. Creating and Tuning Policy
        1. Creating Policy
        2. Tuning Policy
        3. Summary
      2. Developing a CSA Project Implementation Plan
        1. Planning for Success
        2. The Project Plan
        3. Outlining the Project Phases
        4. Summary
      3. CSA MC Administration and Maintenance
        1. CSA Licensing
        2. CSA MC Registration Control
        3. CSA MC Component Sharing
        4. CSA MC Role-Based Access Control
        5. Other CSA MC Administrative Features
        6. CSA MC Backup and Restore Procedures
        7. Summary
    12. Appendixes
      1. VMS and CSA MC 4.5 Installation
        1. VMS v2.3 Components
        2. Installation
        3. Summary
      2. Security Monitor Integration
        1. Adding the CSA MC to the Security Monitor
        2. Configuring the Security Monitor
        3. Verifying Connectivity
        4. Viewing Events in the Security Monitor
        5. Summary
      3. CSA MIB
        1. CSA MC MIB Definitions
    13. Index

    Product information

    • Title: Cisco Security Agent
    • Author(s): Chad Sullivan
    • Release date: June 2005
    • Publisher(s): Cisco Press
    • ISBN: 9781587052057