Cisco Security Agent (CSA)

Citation

Annotation

  • formerly known as the StormWatch agent (from Okena, acquired by Cisco in 2003).

  • Cost:

-- 1 server agent $1,950

-- 100 desktop agents bundle: $8,245

  • Platforms:

Windows (desktop and server agents), RHEL (desktop and server agents), Solaris (server agents only)

Network module:

1. Wireless Policy Controls

  • Per-application QoS prioritization
  • Disable the wireless NIC while the wired interface is active
  • Connection restrictions: only permitted SSIDs, required encryption, no ad hoc networks
  • Require a VPN connection when the host is out of the office

2. Traffic Marking

  • Classifies traffic on a per-application basis so that the network can give QoS priority to critical applications.
  • The marking can also be used to enhance the firewall inspection capabilities of the Cisco ASA 5500 Series.

3. Network Admission Control (NAC)

  • Hosts that are running CSA can be identified and trusted at admission time.
  • Mitigation against DoS attacks.

4. IPS

5. MARS (Monitoring, Analysis, and Response System)

Main feature:

  • CSA combines several security functions in one policy set: a distributed firewall, OS lockdown and integrity assurance, protection against malicious mobile code, and audit event collection.
  • Behavior-based rather than signature-based, so it can protect against new, unknown attacks. The default policies are intended to stop both known and unknown attacks without needing signature updates.

[Figure: New_Picture_(6).png]

Architecture:

CSA Agent:

It resides between the applications and the kernel. It intercepts all OS system calls to file, network, and registry resources, as well as to dynamic run-time resources such as memory pages, shared library modules, and COM objects. It then correlates these system calls, compares them against a set of behavioral rules, and makes a real-time allow or deny decision.

Some policies are still defined by admin, such as

  • Users cannot install P2P applications.
  • Users cannot move sensitive data off the host by copy, rename, e-mail, copy-and-paste, etc.

Agents use correlation to tie some of their rules to application behavior rather than to the application name (e.g. the Windows Common Security Module). Rather than applying a rule to a hard-coded process name such as iexplore.exe, svchost.exe, or outlook.exe, the rule is applied to any process that exhibits one of a defined set of behaviors.
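As an added illustration of the two paragraphs above (it is not CSA code and not from Cisco), the following toy engine shows the shape of a behavior-based interceptor: every intercepted call first updates a behavioral classification of the process, then rules keyed on that classification, never on the image name, return an allow or deny decision. The call names, the tags "network_app" and "writes_executables", the two rules, and the event trace are all constructed for the example.

```python
# Added illustration (not CSA code): a toy behaviour-based interception engine.
# Each "intercept" call stands in for the agent's hook on one system call.
from dataclasses import dataclass, field


@dataclass
class ProcessState:
    pid: int
    image: str
    tags: set = field(default_factory=set)            # behavioural classes earned so far
    written_files: set = field(default_factory=set)   # files this process has written


def classify(proc, call, args):
    """Assign behavioural tags from the intercepted call (hypothetical classes)."""
    if call in ("accept", "recv"):
        proc.tags.add("network_app")      # it has taken input from the network
    if call == "write":
        path = args.get("path", "").lower()
        proc.written_files.add(path)
        if path.endswith((".exe", ".dll", ".scr")):
            proc.tags.add("writes_executables")


def rule_downloaded_code(proc, call, args):
    """Deny a network application executing or loading a file it wrote itself."""
    if call in ("exec", "load_library") and "network_app" in proc.tags:
        if args.get("path", "").lower() in proc.written_files:
            return "deny"
    return None


def rule_network_app_persistence(proc, call, args):
    """Deny a network application adding an autostart Run-key value."""
    if call == "reg_set" and "network_app" in proc.tags:
        if "\\currentversion\\run" in args.get("key", "").lower():
            return "deny"
    return None


class Agent:
    def __init__(self, rules):
        self.rules = rules
        self.procs = {}
        self.log = []   # what the agent would later upload to the MC

    def intercept(self, pid, image, call, args):
        proc = self.procs.setdefault(pid, ProcessState(pid, image))
        classify(proc, call, args)
        for rule in self.rules:
            if rule(proc, call, args) == "deny":
                self.log.append((image, call, args, "deny", rule.__name__))
                return "deny"
        self.log.append((image, call, args, "allow", None))
        return "allow"


def demo():
    """Constructed trace: the same write-then-execute pattern from three processes."""
    agent = Agent([rule_downloaded_code, rule_network_app_persistence])
    trace = [
        # outlook.exe received mail, dropped an attachment and ran it -> denied
        (100, "outlook.exe", "recv", {"sock": 5}),
        (100, "outlook.exe", "write", {"path": r"C:\Temp\invoice.exe"}),
        (100, "outlook.exe", "exec", {"path": r"C:\Temp\invoice.exe"}),
        # a local installer writes and runs a binary but never touched the network -> allowed
        (200, "setup.exe", "write", {"path": r"C:\Program Files\App\app.exe"}),
        (200, "setup.exe", "exec", {"path": r"C:\Program Files\App\app.exe"}),
        # an unknown image name behaving like outlook.exe is caught by the same rules
        (300, "x.exe", "accept", {"port": 4444}),
        (300, "x.exe", "write", {"path": r"C:\Users\Public\y.dll"}),
        (300, "x.exe", "load_library", {"path": r"C:\Users\Public\y.dll"}),
        (300, "x.exe", "reg_set", {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "y"}),
    ]
    return [agent.intercept(*event) for event in trace]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The point of the trace is the middle process: setup.exe performs the same write-then-execute sequence as outlook.exe, but because it never exhibited the "network_app" behavior the rule does not fire, while x.exe, a name no policy mentions, is denied twice.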

[Figure: New_Picture_(5).png]

Microsoft SQL database

  • as the central repository of the various policies that can be applied to agents across an enterprise.

Management Console/Center (MC):

Agents send log data to the MC and are controlled and updated by it. Communication between agent and MC is over HTTPS. Each request for file system, network, registry, and COM object access is logged and uploaded from the agent to the MC, where the profiler analyzes the data.

Profiler:

Provides a centralized ability to investigate alerts received from agents: it analyzes the activities performed by applications, builds custom protective policies for those applications, and pushes them to the agents to enforce.

Correlation

Correlation is performed both on the agent and on the MC.

  • Local correlation

Agents correlate the behavior of the system calls they intercept on the host.

  • Global correlation

The MC correlates events received from deployed agents to detect enterprise-wide attacks such as network worms or distributed scans.
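As an added example of global correlation (constructed for this page, not CSA or MC code), the following correlator consumes events uploaded by many agents, promotes an indicator to an enterprise-wide alert the first time it is seen on enough distinct hosts inside a sliding time window, and derives the response rule the MC would push to agents. The event kinds "downloaded_exec" and "scan_source", the hash strings, host names, addresses, and the rule format are all assumptions.

```python
# Added illustration (not CSA code): global correlation at the management center.
from collections import defaultdict, deque


class GlobalCorrelator:
    def __init__(self, window_seconds=300, threshold=3):
        self.window = window_seconds
        self.threshold = threshold
        self.seen = defaultdict(deque)   # (kind, indicator) -> deque of (ts, host), oldest first
        self.fired = set()               # keys already alerted on, so one alert per outbreak
        self.alerts = []

    def ingest(self, ts, host, kind, indicator):
        """Feed one agent event; return an alert dict the first time the threshold is crossed.
        Assumes events for one key arrive in time order."""
        key = (kind, indicator)
        q = self.seen[key]
        q.append((ts, host))
        while q and ts - q[0][0] > self.window:   # age out events older than the window
            q.popleft()
        hosts = sorted({h for _, h in q})
        if len(hosts) >= self.threshold and key not in self.fired:
            self.fired.add(key)
            alert = {"kind": kind, "indicator": indicator, "hosts": hosts,
                     "first_seen": q[0][0], "ts": ts}
            self.alerts.append(alert)
            return alert
        return None


def response_policy(alert):
    """Derive the rule the MC would push to every agent (hypothetical rule format)."""
    if alert["kind"] == "downloaded_exec":
        return {"action": "deny", "exec_hash": alert["indicator"], "scope": "all_agents"}
    if alert["kind"] == "scan_source":
        return {"action": "deny_inbound", "src": alert["indicator"], "scope": "all_agents"}
    return {"action": "log", "scope": "all_agents"}


# Constructed event stream: (timestamp, host, event kind, indicator). Assumes each
# agent reports a local deny together with a hash of the file it refused to run,
# and reports the source address of any connection attempt it refused.
EVENTS = [
    (0,    "ws-01", "downloaded_exec", "h-9f1c"),
    (60,   "ws-07", "downloaded_exec", "h-9f1c"),
    (90,   "ws-01", "downloaded_exec", "h-9f1c"),   # same host again: still 2 hosts
    (120,  "ws-12", "downloaded_exec", "h-9f1c"),   # third host -> worm-like alert
    (10,   "ws-02", "scan_source", "10.0.5.7"),
    (20,   "ws-03", "scan_source", "10.0.5.7"),
    (30,   "ws-04", "scan_source", "10.0.5.7"),     # third host -> distributed scan alert
    (40,   "ws-05", "scan_source", "10.0.5.7"),     # already fired, no duplicate alert
    (0,    "ws-09", "scan_source", "10.0.9.9"),
    (100,  "ws-10", "scan_source", "10.0.9.9"),
    (1000, "ws-11", "scan_source", "10.0.9.9"),     # earlier two aged out of the window
    (500,  "ws-20", "downloaded_exec", "h-ab77"),   # single host: stays a local event
]


def run(events=EVENTS):
    mc = GlobalCorrelator(window_seconds=300, threshold=3)
    raised = []
    for ts, host, kind, indicator in events:
        alert = mc.ingest(ts, host, kind, indicator)
        if alert:
            raised.append((alert, response_policy(alert)))
    return raised


if __name__ == "__main__":
    for alert, policy in run():
        print(alert, "->", policy)
```

Two alerts come out of this stream: the shared hash seen on three workstations, and the single source scanning three hosts. The lone "h-ab77" deny and the three "10.0.9.9" reports spread over more than the window never reach the threshold and stay local.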

Integration of CSA and IPS

  • The agent has full visibility on the endpoint.
  • The MC's global correlation generates threat data.
  • The IPS receives the shared data from the MC, which increases its sensor visibility into endpoints and global threats.

[Figure: New_Picture_(7).png]
Topic revision: r1 - 09 Aug 2007 - 16:01:00 - QiLiao