Chapter 4. Cisco Incident Control Service


Cisco and Trend Micro have partnered to create several security components. One component of the partnership is the antivirus signatures in Cisco Intrusion Prevention System (IPS) products. Another component of the partnership is the Content Security and Control Security Services Module for the Adaptive Security Appliance (ASA) as discussed in Chapter 3, "Cisco Adaptive Security Appliance Overview." A third component of the partnership is the automatic download of access lists and new incident signatures for attacks such as worms and viruses from Trend Micro to Cisco router, ASA, and IPS devices. The download of access lists and signatures for new security incidents from Trend Micro helps to enable Cisco networks to be self-defending against new network attacks. Cisco Incident Control Service (Cisco ICS) manages the worm and virus access list and signature download service from Trend Micro.

Cisco ICS enables the automatic or manual download of access lists and IPS signatures to security devices. The download of access lists from Trend Micro can enable a new attack to be identified and stopped or slowed in less than one hour. Trend Micro maintains a database of new attacks, such as worms. Through the Cisco ICS service, Trend Micro attempts to define an access list that will stop a new network worm within one hour of the worm's discovery. This access list provides broad protection against the worm while Trend Micro creates a specific, custom signature to stop it. Trend Micro attempts to define this custom signature within several hours of identifying the incident or worm. The signature can also be downloaded to the IPS device, either automatically or manually, to stop the newly identified network incident.

Chapter 3 discusses the ASA appliance with support for IPS signatures, access lists, and antivirus protection. Cisco ICS, with the update service from Trend Micro, provides an extra layer of protection in the self-defending network by deploying or recommending access lists and IPS signatures when a new network outbreak such as a worm is identified. In addition to using TrendLabs to identify a new network attack, Cisco ICS is also a product in the self-defending network that focuses on worm mitigation.

Note

In this chapter, as with many other chapters in this book, some of the text and figures were created while the Cisco ICS product was being developed in order to get this book to you as soon as possible once the products are released. You may see some minor differences in the graphical user interface (GUI) and functionality between the figures in this chapter and the released products. GUIs also often change between different released versions of the product, so you may also see some differences between the text and figures in this book and products released after this book's publication date.


This chapter describes the role of Cisco ICS in controlling network incidents and explains the different options, including outbreak prevention access control lists (OPACLs), outbreak prevention signatures (OPSigs), outbreak prevention reports, and logs.



Self-Defending Networks: The Next Generation of Network Security
ISBN: 1587052539
Pages: 112
