Chapter 11. Application Behavior Analysis

This chapter covers the following topics:

• Understanding application behavior investigation components

• Configuring application behavior investigation

• Using application behavior investigation on the remote agent

• Analyzing log data

• Viewing behavior reports

• Exporting the behavior analysis report data

• Analyzing UNIX application behavior

• Creating behavior analysis rule modules

When attempting to write policies to control and secure your application environment, you must have a detailed understanding of those applications and their usage. The information required includes the following:

• What applications are deployed

• Where the applications are deployed

• How the user should interact with the application

• How the applications should interact with the system

• How the system should interact with the application

This detailed knowledge helps you to develop a truly secure yet functional application policy. Application Behavior Analysis is a new feature included in Cisco Security Agent (CSA) version 4.5 that greatly assists in providing you the information required about various applications. This knowledge is gained through investigative processes running on agent-protected systems. In addition to the reports provided as a result of the analysis process, the CSA Management Console (MC) can also create a policy, which is restrictive in nature, to speed the deployment of the control mechanisms necessary. In this chapter, you learn about the implementation and usage of the Application Behavior Analysis feature.