Cisco ICS is a centralized management product from Cisco that manages the automated IPS signature update service with Trend Micro for new security incidents. Cisco ICS can deploy broad access control lists (ACLs) to stop the spread of a newly identified infection through the network. These ACLs are known as OPACLs. After Trend Micro has analyzed the new network incident, Cisco ICS can also deploy a specific signature to mitigate a new network infection outbreak such as a worm. These signatures are known as OPSigs. OPSigs can be deployed to IOS routers with IPS signatures and to other Cisco IPS systems. The first step in the ICS system is the identification of a new network threat. After a network threat is identified, Trend Micro posts on its website the information required to mitigate or reduce the impact of the network attack. The typical list of events that transpires to control the network incident includes the following items:
Cisco ICS is a Windows server application, and the client GUI is a web browser. Internet Explorer is required as the web browser, since ActiveX is used as part of the client GUI. The logon screen for Cisco ICS is displayed in Figure 4-1.

Figure 4-1. Cisco ICS Logon

Outbreak Management Summary

The Cisco ICS summary page shown in Figure 4-2 provides a summary of the tasks to manage a network outbreak. The Outbreak Management Summary page is divided into the following areas:
Figure 4-2. Cisco ICS Summary Page

Any new outbreak management tasks are highlighted at the top of the Active Outbreak Management Tasks. The location to select a new outbreak management task is displayed in Figure 4-3.

Figure 4-3. Selecting a New Outbreak Management Task

Selecting a new outbreak management task displays the list of network threats with the new threat, or the corresponding outbreak management task, selected, as shown in Figure 4-4.

Figure 4-4. Selecting Name of Threat

Information and Statistics on Network Threats from Trend Micro

Each threat name contains a link to information about that threat from Trend Micro. Figure 4-5 provides an overview of the network threat from Trend Micro. The network threat information is displayed by selecting the name of the threat or incident.

Figure 4-5. Overview of Threat

The overview can also contain a behavior diagram of the network threat. A behavior diagram can contain actions, implications, and countermeasures for the network threat. Figure 4-6 provides an example of a behavior diagram from Trend Micro.

Figure 4-6. Behavior Diagram of Threat

The security information about the threat from Trend Micro can also contain technical details of the network threat. Figure 4-7 shows a sample of the technical details.

Figure 4-7. Technical Details of Threat

Statistics on the threat are also provided in the security information from Trend Micro. Information such as the number of computers infected by the network threat and a one-day trend of how many computers are infected by the threat can be provided in the Statistics option. These statistics tend to be global and based on aggregate information from Trend Micro. Figure 4-8 displays an example of statistics on a network threat.

Figure 4-8. Statistics of Threat

New Outbreak Management Task

Selecting Next from the New Outbreak Management Task list in Figure 4-4 displays information about the recommended OPACL deployment to stop the network attack.
OPACL information includes the time or end date at which the OPACL should expire, the ability to configure a custom OPACL, and the ability to view the OPACL configuration. An example of the OPACL information displayed for a new outbreak management task is provided in Figure 4-9.

Figure 4-9. OPACL Information for Threat

The next step in setting up a new outbreak management task is defining the target devices that will receive the OPACL. By default, the wizard selects a default set of devices and offers an option to change the set of target devices. An example of the target device configuration for the OPACL is provided in Figure 4-10.

Figure 4-10. Select Target Device for OPACL

Selecting the target devices and then clicking Finish starts the new outbreak management task. Figure 4-11 displays an example of a summary indicating that a New Outbreak Management Task is now running.

Figure 4-11. New Outbreak Management Task Running

The network threat that was identified in the New Outbreak Management Task list should now be listed in the Outbreak Management Task List. Information for each network threat in the Outbreak Management Task List includes the following:
You can stop an outbreak management task by clicking the Stop button in the Action column, as shown in Figure 4-12.

Figure 4-12. Stop Management Task

Cisco ICS can either recommend an OPACL or automatically deploy an OPACL when a network threat is detected. Cisco ICS allows the automatic deployment option to be configured by type of alert. These alerts are divided into two classes: red and yellow. Red alerts are more mission-critical, whereas yellow alerts are less impactful. Figure 4-13 displays how the default task automation status for the red and yellow alert classes is shown to the user.

Figure 4-13. Automated Outbreak Management Alert Level

Outbreak Settings

Specific parameters for outbreak settings include the following:
Figure 4-14 provides an example of the configurable outbreak settings for automated task deployment.

Figure 4-14. Automatic Outbreak Management Tasks Outbreak Settings
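The OPACL workflow described above (an expiry time, a default target-device set the operator can adjust in the wizard, and red/yellow alert classes that decide between recommending and automatically deploying the OPACL) can be modelled in a few lines. The following is an added example written for this page, not code from Cisco ICS or Trend Micro: the IOS named-ACL rendering follows the standard "deny the outbreak traffic, permit everything else" shape, and the threat name, the TCP/445 rule, the 48-hour expiry, the device names and the OPACL- name prefix are all constructed for illustration.

```python
"""Added example (not Cisco ICS code): a small model of the OPACL life cycle the
chapter describes -- expiry, default target devices with operator overrides, and
per-alert-class automation (recommend versus auto-deploy)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class OpaclRule:
    """One deny entry. The protocol/port here is a constructed placeholder, not a
    rule taken from any real Trend Micro advisory."""
    protocol: str  # "tcp" or "udp"
    port: int


@dataclass(frozen=True)
class Opacl:
    threat_name: str
    rules: tuple          # tuple of OpaclRule
    expires_at: datetime  # the "time or end date at which the OPACL should expire"

    def is_expired(self, now: datetime) -> bool:
        return now >= self.expires_at

    def render_ios(self) -> str:
        """Render as an IOS extended named ACL: deny the outbreak traffic, then
        permit everything else so normal traffic keeps flowing. The OPACL- name
        prefix is an assumption made for this example."""
        name = "OPACL-" + self.threat_name.upper().replace(" ", "_")
        lines = [
            f"ip access-list extended {name}",
            f" remark outbreak ACL for {self.threat_name}, expires {self.expires_at.isoformat()}",
        ]
        for rule in self.rules:
            lines.append(f" deny {rule.protocol} any any eq {rule.port}")
        lines.append(" permit ip any any")
        return "\n".join(lines)


def select_targets(default_targets, add=(), remove=()):
    """Wizard behaviour from Figure 4-10: start from the default device set and
    let the operator add or drop devices before deployment."""
    chosen = set(default_targets) | set(add)
    chosen -= set(remove)
    return sorted(chosen)


def decide_action(alert_class: str, automation: dict) -> str:
    """Figure 4-13 setting: per alert class (red or yellow), either auto-deploy
    the OPACL or only recommend it for the operator to approve."""
    if alert_class not in ("red", "yellow"):
        raise ValueError(f"unknown alert class: {alert_class}")
    return "auto-deploy" if automation.get(alert_class, False) else "recommend"


def opacls_to_remove(opacls, now_iso: str):
    """Names of OPACLs whose expiry has passed at the given ISO-8601 time; these
    should be withdrawn from the target devices rather than left in place."""
    now = datetime.fromisoformat(now_iso)
    return [o.threat_name for o in opacls if o.is_expired(now)]


# Constructed sample: a hypothetical worm spreading over TCP/445, blocked for 48 hours.
SAMPLE_THREAT = Opacl(
    threat_name="sample worm",
    rules=(OpaclRule("tcp", 445),),
    expires_at=datetime(2024, 1, 1, tzinfo=timezone.utc) + timedelta(hours=48),
)
DEFAULT_TARGETS = ("edge-rtr-1", "edge-rtr-2", "dc-rtr-1")  # constructed device names
AUTOMATION = {"red": True, "yellow": False}  # constructed default: auto-deploy only on red

if __name__ == "__main__":
    print(SAMPLE_THREAT.render_ios())
    print(select_targets(DEFAULT_TARGETS, add=("branch-rtr-1",), remove=("dc-rtr-1",)))
    print(decide_action("red", AUTOMATION), decide_action("yellow", AUTOMATION))
    print(opacls_to_remove([SAMPLE_THREAT], "2024-01-04T00:00:00+00:00"))
```

The expiry check is the part most worth keeping in any real tooling: an outbreak ACL that blocks a port network-wide is meant to be temporary, and `opacls_to_remove` is what turns the expiry date shown in Figure 4-9 into an actual removal step.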