Using Application Deployment Investigation


Application Deployment Investigation is a new feature available as of CSA version 4.5. Understanding this feature enables administrators of the CSA product to better understand the applications installed and running on the systems they are attempting to protect. Remember, the ultimate goal of CSA is to maximize system and end-user efficiency by preventing outages and unauthorized application use while protecting corporate assets and information.

The two components used during application deployment investigation are the CSA Management Console (MC) and CSA agent. Both of these components are inherent in the base installation of the CSA products and require no further licensing for this feature to function. The CSA MC is where you configure investigation parameters and view reports regarding the collected data. The CSA agent performs application investigation on the local host and reports back the findings to the CSA MC for correlation and further analysis.

On the Application Deployment Investigation menu, you have the following four options:

  • Group Settings To perform an investigation, you must configure the groups that will participate in the analysis.

  • Product Associations After completing the investigation, you must associate applications to the actual processes for the reporting to work correctly.

  • Unknown Applications When you locate a process that is not associated with an application, it will be located here.

  • Data Management To control the amount and type of data associated with investigations warehoused on the CSA MC, you must configure data-retention parameters.

The next sections describe each option in more detail.

Group Settings

Choosing the Group Settings menu option brings you to a screen that lists the group sets currently configured for application deployment investigation, as shown in Figure 10-2.

Figure 10-2. Application Investigation Group Settings List


To configure an application deployment investigation, follow these steps, which correspond to Figure 10-3:

Step 1.

From the Group Settings page, click New.

Step 2.

Enter a name specific to this application deployment investigation job.

Step 3.

Enter a description that provides insight into the details of this job.

Step 4.

Check the check box next to Enable Application Deployment Investigation.

Step 5.

Choose one of the following:

  • Product Data Collection This option reports only the installed applications and no further information.

  • Product and Network Data Collection This option provides the installed application information as well as information about applications that interact with the network.

  • Product and Verbose Network Data Collection The Verbose option adds specific IP address-related data to the reported information.

Step 6.

Choose the upload interval for this job. The default (and minimum) timeframe is 24 hours. This is the time interval during which the agent collects information related to the preceding three options.

Step 7.

Choose the group or groups on which you want to perform application deployment investigation.

Step 8.

Click Save.

Step 9.

Click Generate Rules.

Figure 10-3. Application Deployment Investigation Configuration


NOTE

Application deployment investigation does not disable the agent's protective mechanisms during the reporting process. All protective rules in an agent's local policy continue to run as centrally defined.


It is important to understand the preceding settings when deploying application deployment investigation to agents within the architecture. The three collection options impact the amount of data stored and transmitted. Product data collection is the least-intensive method of data collection and only reports installed products. Product and network data collection requires more storage capacity because it also reports applications that connect to the network as clients and servers. Product and verbose network data collection is the most intensive approach to data collection because it also collects and reports IP address information with regard to the network interaction. You should only use the verbose method when you require IP address information, because it dramatically increases the storage requirements.

NOTE

When an application deployment investigation process is working on an agent, you can see two files in the local agent \CSAgent\log directory with names starting with trackdb and the date of the analysis. The two files will have .dir and .pag extensions.


After you have completed all the steps, you can begin to collect data on the agent endpoints. The agents begin collecting data only after they have been instructed via their normal polling communication. To verify the group selected is running an application deployment investigation job or has reported information back to the CSA MC, view the group configuration page. (See Figure 10-4.) The group configuration page has a section that states whether the investigation is enabled. If so, you can click the Reports link to get a pop-up page that displays available reports. Also, clicking the Yes link redirects your browser to the application deployment investigation configuration page that impacts this specific group.

Figure 10-4. Application Investigation Group Indication


You can also view information regarding the job from a specific host page, as in Figure 10-5. From the host-specific page, you can link to the reports available and view the date and time the host transmitted information as a result of the job. You can also click the Detailed Status and Diagnostic link within the Status pane to view information about the agent, as seen in Figure 10-6. The information you will receive from this link includes the last poll time, current IP address, Cisco Trust Agent (CTA) posture, and the current Remote Security slider bar state.

Figure 10-5. Application Investigation Host Indication


Figure 10-6. Host Detailed Status and Diagnostic Screen


The Reset Cisco Security Agent button in the Host Diagnostics window enables you to reset the agent to factory default settings. This button has the same effect as the local agent option to reset the agent to factory defaults but enables you to perform this action from anywhere in the world. This process includes clearing locally defined firewall policies, file protection policies, and cached responses to query messages.

Product Associations

After you have received a data upload from the remote agents as a result of a configured application deployment investigation, you can choose the Product Associations option. This screen lists the applications installed on the agent systems along with a description and whether the application is configured, as shown in Figure 10-7. The CSA MC server needs to understand which processes or executables are part of which application as reported by the agents so that certain reports will provide the desired information.

Figure 10-7. Sample Product Associations Screen


From the Product Associations screen, you have a few options, as follows:

  • Map to Application Class You can define application classes that will help identify which processes belong to that application. Only use this method if you have already created the application class that applies to this application.

  • Ignore You can configure the CSA MC to ignore and stop reporting the listed application.

  • View Ignored You can show the list of previously ignored applications to reinstate an application to the Product Association list.

  • Select the Application Name By clicking the application name, you bring up the configuration screen, where you can select the appropriate application class or configure a new one.

After an application has been mapped appropriately, it displays as configured with a check in the Configured column as opposed to an exclamation point, which denotes an unconfigured application.

To configure an application mapping, follow these steps:

Step 1.

Choose the application you want to configure by clicking its name. This example configures Jgsoft's EditPad 5 Demo.

Step 2.

Enter a description.

Step 3.

Choose the application class that defines this product or, for this example, create a new application class by clicking New. You can also view the application class configuration by double-clicking the application class name.

Step 4.

In the Application Class window that opens, name the new application class, provide a description, and enter the application class executables as literals or choose the file set variable that defines the application executables from the list. This example defines the literal executables, as shown in Figure 10-8.

Figure 10-8. Configuring the Application Class for Mapping


Note

You can find a more detailed explanation of application class and variable configuration in Chapter 5, "Understanding Application Classes and Variables."

Step 5.

After returning to the Product Association configuration screen, verify that the new application class is selected.

Step 6.

Click Save. Figure 10-9 shows the completed configuration.

Figure 10-9. Completed Product Association Configuration


You have now configured a simple product mapping within the CSA MC. To verify successful configuration, return to the Product Associations screen and make sure the check mark has appeared next to the application you were configuring, as in Figure 10-10. Now that you know how to configure product associations, you can move on to the unknown applications.

Figure 10-10. Successfully Configured Application Mapping


Unknown Applications

The products displayed within the Product Associations list were applications listed in the Add/Remove Programs list in the control panel of the remote systems. The other applications that you need to understand when protecting the systems are unknown applications. Unknown applications are applications that were witnessed running on the remote systems but are not associated with any product on the CSA MC. To view the list of unknown applications, choose Application Deployment Investigation > Unknown Applications to display a screen similar to Figure 10-11.

Figure 10-11. Unknown Application List


From this screen, you have a few options:

  • Map to Product You can map this process to a known product as listed in the Product Associations list.

  • Ignore You can remove this process from the list.

  • View Ignored You can view the previously ignored items and reinstate those that you deem necessary.

To map a product, check the check box in front of the application you want to map and click Map to Product. The example maps winvnc4.exe. After you click the Map to Product button, a small pop-up screen displays with configuration options, as shown in Figure 10-12. You can create a new application class that includes this file by entering a name for the application class, or you can select an existing application class that includes the unknown application. After you select or create the appropriate application class, you need to select the correct product from the drop-down selection. These are products that are currently unconfigured in the Product Associations screen. Click the OK button to continue after you have correctly selected the options. At this point, the process is removed from the list of unknown applications and the application displays as Configured on the Product Associations screen.

Figure 10-12. Process-to-Product Mapping

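
As an added example (not CSA code, and not the author's), the following Python models how the CSA MC relates the three lists described above: products reported from Add/Remove Programs, the application classes of literal executables that mark a product as Configured, and observed processes that sit in Unknown Applications until they are mapped. The EditPad executable name and the product name given to winvnc4.exe are placeholders; all sample data is constructed.

```python
# Added illustration of the Product Associations / Unknown Applications
# workflow; a model of the behaviour described in the text, not the CSA MC's own logic.
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class AppClass:
    name: str
    executables: set          # literal executable names (matched case-insensitively)

@dataclass
class Product:
    name: str                 # as reported from Add/Remove Programs
    app_class: AppClass | None = None   # None -> shown with an exclamation point
    ignored: bool = False     # "Ignore" drops it from the list; "View Ignored" restores it

def configured(products: list[Product]) -> list[str]:
    """Products shown with a check mark: mapped to an application class."""
    return [p.name for p in products if p.app_class and not p.ignored]

def unconfigured(products: list[Product]) -> list[str]:
    """Products still showing an exclamation point (eligible for Map to Product)."""
    return [p.name for p in products if p.app_class is None and not p.ignored]

def unknown_applications(products, observed, ignored_procs=frozenset()):
    """Observed executables not covered by any mapped product's application class."""
    known = set()
    for p in products:
        if p.app_class and not p.ignored:
            known |= {e.lower() for e in p.app_class.executables}
    return sorted(e for e in observed
                  if e.lower() not in known and e.lower() not in ignored_procs)

def map_to_product(products, exe, product_name, class_name):
    """'Map to Product': create an application class holding exe and attach it to an
    unconfigured product, which then displays as Configured."""
    for p in products:
        if p.name == product_name and p.app_class is None and not p.ignored:
            p.app_class = AppClass(class_name, {exe.lower()})
            return p
    raise ValueError(f"{product_name!r} is not an unconfigured product")

# Constructed sample: one product already mapped (as in Figure 10-9) and one
# placeholder product whose process winvnc4.exe still appears as unknown.
PRODUCTS = [
    Product("Jgsoft's EditPad 5 Demo", AppClass("EditPad 5", {"editpad.exe"})),  # exe assumed
    Product("VNC Server (placeholder product name)"),
]
OBSERVED = ["EditPad.exe", "winvnc4.exe", "notepad.exe"]   # constructed process list
```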

Data Management

Collecting application deployment investigation data can consume a great deal of disk space. To control the amount of information collected, you can configure a data management plan. Figure 10-13 displays the data management configuration screen. From this screen, you have the following options:

  • No Data Management This option prevents any collected data from being purged.

  • Scheduled Data Management This option configures a data-retention policy.

    • Delete Application Deployment Investigation Data Select from the following options:

      Every [number] Days This option states how often data management should occur.

      Process Data Older Than [number] Days This is the number of days process information is retained.

      Network Data Older Than [number] Days This is the number of days network information is retained.

      Antivirus Data Older Than [number] Days This is the number of days antivirus information is retained.

      Related to Hosts in the Following Groups You can specify the groups you want to purge related information. Only Windows groups are displayed because only Windows hosts can run application deployment investigation jobs.

      Deletion Time This indicates the time of day the purge should occur.

    • Archive Before Purging This check box enables you to archive the information to a directory before purging the data. You fill in the following information:

      Archive Directory This is the directory the archive data should be placed within.

      Use Archive Data in Reports Checking this check box allows the CSA MC to use the offline archive records in any reports viewed.

Figure 10-13. Data Management Configuration
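
As an added example (not CSA code), the following Python models the Scheduled Data Management settings listed above: a retention threshold per data kind, the group filter, archiving before purging, and the Use Archive Data in Reports option. The record layout and the archive file name are assumptions, and the records are constructed.

```python
# Added model of the Scheduled Data Management options; not the CSA MC's own
# implementation. The record layout and archive file name are assumptions.
import json
import os
import tempfile
from datetime import date

# Constructed investigation records; kind is process, network or antivirus.
RECORDS = [
    {"kind": "process",   "host": "hostA", "group": "Desktops", "date": date(2005, 1, 1)},
    {"kind": "network",   "host": "hostA", "group": "Desktops", "date": date(2005, 1, 20)},
    {"kind": "antivirus", "host": "hostB", "group": "Servers",  "date": date(2005, 1, 1)},
    {"kind": "process",   "host": "hostC", "group": "Desktops", "date": date(2005, 2, 1)},
]

def plan_purge(records, today, groups, process_days, network_days, antivirus_days):
    """Split records into (keep, purge) using the 'Older Than [number] Days'
    threshold for each kind, limited to hosts in the selected groups."""
    limit = {"process": process_days, "network": network_days, "antivirus": antivirus_days}
    keep, purge = [], []
    for r in records:
        too_old = (today - r["date"]).days > limit[r["kind"]]
        (purge if too_old and r["group"] in groups else keep).append(r)
    return keep, purge

def archive(records, archive_dir, today):
    """'Archive Before Purging': write the records to a dated file before deletion."""
    os.makedirs(archive_dir, exist_ok=True)
    path = os.path.join(archive_dir, f"adi-{today.isoformat()}.json")
    with open(path, "w") as f:
        json.dump([dict(r, date=r["date"].isoformat()) for r in records], f)
    return path

def report_rows(keep, archive_path, use_archive_in_reports):
    """Rows a report sees: live data, plus archived rows when the option is checked."""
    rows = list(keep)
    if use_archive_in_reports and archive_path:
        with open(archive_path) as f:
            rows += [dict(r, date=date.fromisoformat(r["date"])) for r in json.load(f)]
    return rows

def demo():
    """One run on 2005-02-10 for Desktops with 30/14/7-day retention and archiving."""
    today = date(2005, 2, 10)
    with tempfile.TemporaryDirectory() as d:
        keep, purge = plan_purge(RECORDS, today, {"Desktops"}, 30, 14, 7)
        path = archive(purge, d, today)
        n_with, n_without = len(report_rows(keep, path, True)), len(report_rows(keep, path, False))
    return [r["kind"] for r in keep], n_with, n_without
```

Running demo() shows that the two stale Desktops records are purged but still reach reports once the archive option is checked, while the Servers record is untouched because its group was not selected.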


    Cisco Security Agent
    ISBN: 1587052059
    Year: 2005
    Pages: 145
    Authors: Chad Sullivan