Glossary
7000 Series
A group of Series 3 managed devices. The devices in this series include the 70xx Family (the 3D7010/7020/7030/7050 models) and the 71xx Family (the 3D7110/7120/7115/7125 and AMP7150 models).
8000 Series
A group of Series 3 managed devices. The devices in this series include the 81xx Family (the 3D8120/8130/8140 and AMP8150 models), the 82xx Family (the 3D8250/8260/8270/8290 models), the 83xx Family (the 3D8350/8360/8370/8390 models), and the AMP83xx Family (the AMP8350/AMP8360/AMP8370/AMP8390 models). 8000 Series devices are generally more powerful than 7000 Series devices.
access control rule
A set of conditions the FireSIGHT System uses to examine your monitored network traffic and achieve granular access control. Access control rules, which populate an access control policy, may perform simple IP address matching, or may characterize complex connections involving many different criteria. The access control rule action determines how the system handles traffic that meets the rule’s conditions. Other rule settings determine how (and whether) the connection is logged, and whether an intrusion policy or file policy inspects traffic allowed by the rule.
access control rule action
A setting that determines how the system handles network traffic that meets the conditions of an access control rule. You can block matching traffic (with or without resetting the connection); for HTTP traffic you can instead give users the option to bypass the block. You can also trust traffic, which then passes without further inspection; allow matching traffic, which can optionally be inspected with an intrusion policy and file policy; or monitor the traffic, which logs it and continues evaluating it against subsequent access control rules.
access-controlled user
A user whose network use you can control using access control. You specify the LDAP groups that access-controlled users must belong to when you configure a connection between a Microsoft Active Directory server and the Defense Center. When the User Agent reports logins by access-controlled users, those users are associated with IP addresses, which in turn allows access control rules with user conditions to trigger. Compare with non-access-controlled user.
access list
A list of IP addresses, configured in the system policy, that represents the hosts that can access an appliance. By default, any host can reach the web interface of an appliance on port 443 (HTTPS), as well as the command line on port 22 (SSH). You can also add SNMP access on port 161.
action
A setting that determines how the system handles, inspects, or logs network traffic that meets (or does not meet) certain criteria. Actions are associated with various types of rule, as well as with certain policies as the policy’s default action.
Recommended for passive deployments, an advanced access control policy setting that uses discovery data to determine the operating system for the target host of a packet. Targeted profiles within network analysis policies then defragment IP packets and reassemble streams in the same way as the operating system on the target host. Intrusion policies then analyze the data in the same form that the destination host will see, so that an attacker cannot evade inspection by exploiting differences between how the device and the target reassemble traffic.
advanced malware protection
alert response
A set of configurations that allows the system to send an alert via email, syslog, or SNMP trap. You can use a single alert response to alert you to multiple types of events.
Information you can obtain about an appliance, including uptime, system memory usage, load average, disk usage, a summary of system processes, and, on the Defense Center, information about data correlator processes.
application business relevance
application category
A general classification for an application that describes its most essential function. Each application belongs to at least one category.
application detector
A tool that the system uses to identify applications on your network. Application detectors identify applications using ASCII or hexadecimal patterns in the packet headers, the port that the traffic uses, or both. Cisco may deliver additional detectors via system update, vulnerability database update, or the import/export feature. You can also create your own application protocol detectors.
application protocol
A type of application that represents application protocol traffic detected during communications between server and client applications on hosts; for example, SSH or HTTP.
The likelihood that an application’s use may violate your organization’s security policy. An application’s risk can range from very low to very high.
application tag
Information about an application that is not covered by its application category. For example, video streaming web applications are often tagged “high bandwidth” and “displays ads.” An application may have any number of tags, including none.
apply
The action you take to have a policy, or changes to that policy, take effect. You apply most policies from the Defense Center to its managed devices; however, you activate and deactivate correlation policies because they do not involve changes to the configuration of managed devices.
audit event
An event that describes a specific FireSIGHT System user interaction. Each audit event contains a time stamp, the user name of the user whose action generated the event, a source IP address, and text describing the event. Audit events are recorded in the audit log.
audit log
A record of user interactions with the system. The audit log comprises audit events.
A collection of settings that allows you to connect to an external authentication server to enable external authentication (RADIUS or LDAP) to the FireSIGHT System’s web interface.
automatic application bypass (AAB)
An advanced device setting that limits the time allowed to process packets through an interface and allows packets to bypass processing if the time is exceeded.
bookmark
A saved link to a specific location and time in an event analysis. Bookmarks retain information about the workflow you are using, the part of the workflow you are viewing, the page number within the workflow you are viewing, the time window you selected, and any columns you disabled, as well as any constraints you imposed.
business relevance
The likelihood that an application is used within the context of your organization’s business operations, as opposed to recreationally. An application’s business relevance can range from very low to very high.
CAC authentication and authorization
certificate revocation list (CRL)
A list of certificates revoked by the certificate authority that issued the user certificates for your appliance. This allows you to restrict access to the FireSIGHT System web interface using client browser certificate checking. If the user presents a certificate that the CRL lists as revoked, the appliance rejects the connection and the browser cannot load the web interface. During SSL inspection, a device can detect a public key certificate on a CRL and decline to trust the encrypted traffic.
change reconciliation report
A detailed report of all system changes in the last 24 hours, based on snapshots taken whenever a new configuration is saved. You can configure the system to email these reports daily at a time that you specify.
A reusable object that represents multiple cipher suites used to encrypt traffic.
Cisco ASA with FirePOWER Services
A group of Cisco Adaptive Security Appliance (ASA) managed devices with an ASA FirePOWER module installed. The devices in this series include the ASA5506-X, ASA5506H-X, ASA5506W-X, ASA5508-X, ASA5512-X, ASA5515-X, ASA5516-X, ASA5525-X, ASA5545-X, ASA5555-X, ASA5585-X-SSP-10, ASA5585-X-SSP-20, ASA5585-X-SSP-40, and ASA5585-X-SSP-60 models.
Cisco NGIPS for Blue Coat X-Series
A software-based application built on Blue Coat’s scalable chassis-based system that provides most of the capabilities of a virtual device.
Cisco VRT
Cisco’s Vulnerability Research Team.
client
Also called a client application, an application that runs on one host and relies on another host (a server) to perform some operation. For example, email clients allow you to send and receive email. When the system detects that a user on a host is using a specific client to access another host, it reports that information in the host profile and network map, including the name and version (if available) of the client.
clustering
A feature that allows you to achieve redundancy of networking functionality and configuration data between two peer Series 3 devices or stacks. Clustering provides a single logical system for policy applies, system updates, and registration. Compare with high availability, which allows you to configure redundant Defense Centers.
Collective Security Intelligence Cloud
command line interface (CLI)
A restricted text-based interface on Series 3 and virtual devices. The commands that CLI users can run depend on the users’ assigned level of access.
A constraint set in an event view or event search that constrains an event query using all the criteria from a specific event.
compliance white list
Along with correlation rules, one of the ways you can specify criteria that network traffic must meet in order to violate a correlation policy. You can use the Defense Center to configure compliance white lists to specify which operating systems, applications, and protocols are allowed to run on the hosts in a specific subnet. You can also configure the Defense Center to launch a response, such as an alert or remediation, when a white list is violated. Note that compliance white lists are not associated with the other types of whitelist.
compliance white list event
compliance white list violation
configuration, for import or export
connection
A monitored session between two hosts. You can log connections detected by FireSIGHT System managed devices as well as import connection data from NetFlow-enabled devices.
connection event
An event generated when the system detects a connection between a monitored host and any other host. Security Intelligence events are a special kind of connection event. Connection events include information about the detected traffic. Various settings give you granular control over which connections you log, when you log them, and where you store the data. For connections detected by managed devices, you can log unblocked connections at their beginning and end, but most blocked connections at their beginning only. You can log these connections to the Defense Center database; depending on the rule or default action, you can also log connection events to an external syslog or SNMP trap server. NetFlow records log the ends of connections and are always saved to the database.
connection summary
Connection data aggregated over a five-minute interval. The system uses connection summaries to build connection graphs and traffic profiles. To be aggregated, multiple connections must represent the end of connections, have the same source and destination IP addresses, and use the same port on the responder (destination) host. They must use the same protocol (TCP or UDP) and application protocol. Finally, they must either be detected by the same managed device, or be exported by the same NetFlow-enabled device.
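The aggregation rule above can be made concrete. The following is an added example, not Cisco code and not the product’s schema: it groups constructed connection records into five-minute summaries using exactly the criteria the entry lists (end-of-connection records only; same source and destination IP, responder port, transport protocol, application protocol, and reporting device or NetFlow exporter). Field and function names are this example’s own.

```python
from collections import defaultdict
from dataclasses import dataclass

SUMMARY_INTERVAL_SECONDS = 300  # connection summaries cover a five-minute interval


@dataclass(frozen=True)
class ConnectionRecord:
    """One logged connection. Field names are this example's own, not the product schema."""
    timestamp: int            # epoch seconds at which the record was logged
    end_of_connection: bool   # True for end-of-connection records, False for beginning-only records
    initiator_ip: str
    responder_ip: str
    responder_port: int
    protocol: str             # "TCP" or "UDP"
    app_protocol: str         # e.g. "HTTPS"
    source: str               # managed device or NetFlow exporter that reported the connection
    bytes_sent: int
    bytes_received: int


def summary_key(rec: ConnectionRecord) -> tuple:
    """Everything that must match for two connections to share a summary."""
    interval = rec.timestamp // SUMMARY_INTERVAL_SECONDS
    return (interval, rec.initiator_ip, rec.responder_ip, rec.responder_port,
            rec.protocol, rec.app_protocol, rec.source)


def summarize(records):
    """Aggregate end-of-connection records; returns (summaries, skipped_count).

    Beginning-of-connection records are skipped: only records that represent
    the end of a connection carry final byte counts and so are aggregated.
    """
    summaries = defaultdict(lambda: {"connections": 0, "bytes_sent": 0, "bytes_received": 0})
    skipped = 0
    for rec in records:
        if not rec.end_of_connection:
            skipped += 1
            continue
        bucket = summaries[summary_key(rec)]
        bucket["connections"] += 1
        bucket["bytes_sent"] += rec.bytes_sent
        bucket["bytes_received"] += rec.bytes_received
    return dict(summaries), skipped


# Constructed sample records (not captured data).
SAMPLE_RECORDS = [
    ConnectionRecord(900, True, "10.0.0.5", "10.0.1.20", 443, "TCP", "HTTPS", "sensor-1", 1200, 8400),
    ConnectionRecord(930, True, "10.0.0.5", "10.0.1.20", 443, "TCP", "HTTPS", "sensor-1", 900, 5100),
    # beginning-of-connection record: logged, but never summarized
    ConnectionRecord(1150, False, "10.0.0.5", "10.0.1.20", 443, "TCP", "HTTPS", "sensor-1", 0, 0),
    # different responder port and application protocol -> its own summary
    ConnectionRecord(1160, True, "10.0.0.5", "10.0.1.20", 80, "TCP", "HTTP", "sensor-1", 400, 2300),
    # same flow, but exported by a NetFlow device rather than detected by sensor-1
    ConnectionRecord(1170, True, "10.0.0.5", "10.0.1.20", 443, "TCP", "HTTPS", "netflow-rtr1", 700, 3100),
    # same flow, but in the next five-minute interval
    ConnectionRecord(1250, True, "10.0.0.5", "10.0.1.20", 443, "TCP", "HTTPS", "sensor-1", 300, 700),
]


def summarize_sample():
    return summarize(SAMPLE_RECORDS)


if __name__ == "__main__":
    summaries, skipped = summarize_sample()
    print(f"{len(summaries)} summaries, {skipped} beginning-of-connection record(s) skipped")
    for key, agg in sorted(summaries.items()):
        print(key, agg)
```

The sample yields four summaries from six records: the two HTTPS connections from sensor-1 in the same interval collapse into one summary, while the HTTP connection, the NetFlow-exported flow, and the connection in the next interval each get their own, and the beginning-of-connection record is not counted at all.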
One or more conditions that constrain a correlation rule so that after the rule’s initial criteria are met, the system begins tracking certain connections. The rule then triggers only if the tracked connections meet additional criteria.
Context Explorer
A page that displays detailed, interactive graphical information about your monitored network. Distinct sections present information in the form of line, bar, pie, and donut graphs, accompanied by detailed lists. You can create and apply custom filters to fine-tune your analysis, and you can examine data sections in more detail by clicking or hovering your cursor over graph areas. Compared with a dashboard, which is highly customizable, compartmentalized, and updates in real time, the Context Explorer is manually updated, designed to provide broader context for its data, and has a single, consistent layout designed for active user exploration.
A pop-up menu, available on many of the pages in the web interface, that you can use as a shortcut for accessing other features in the FireSIGHT System. The contents of the menu depend on several factors, including the page you are viewing, the specific data you are investigating, and your user role.
correlation
A feature you can use to build a correlation policy that responds in real time to threats on your network. The remediation component of correlation provides a flexible API that allows you to create and upload your own custom remediation modules to respond to policy violations.
The operating system or server identity that the system finds most likely to be correct for a particular network asset. The system uses this data in many ways; for example, to calculate statistics, assign vulnerability information, assess the impact of an attack, and evaluate correlation rules.
current user
The user that the system associates with a host. If the user is an access-controlled user, the system can perform user control on traffic to or from that host. If no access-controlled user is associated with the host, a non-access-controlled user can be the current user for the host. However, after an access-controlled user logs into the host, only a login by another access-controlled user changes the current user.
A table you can construct that combines fields from two or more of the predefined tables delivered with the FireSIGHT System. For example, you could combine the host criticality information from the host attributes table with information from the connection data table to examine connection data in a new context.
custom user role
A user role with specialized access privileges. Custom user roles may have any set of menu-based and system permissions, and may be completely original or based on a predefined user role.
A workflow that you create to meet the unique needs of your organization.
dashboard
A display that provides at-a-glance views of current system status, including data about the events collected and generated by the system. To augment the dashboards delivered with the system, you can create multiple custom dashboards, populated with the dashboard widgets you choose. Compare with the Context Explorer, which offers a broad, brief, and colorful picture of how your monitored network looks and acts.
dashboard widget
A small, self-contained dashboard component that provides insight into an aspect of the FireSIGHT System.
A feature that allows read-only access to the Defense Center database by a third-party client.
A central management point that allows you to manage devices and automatically aggregate and correlate the events they generate.
An operating system fingerprint that the system derives for a host from all the fingerprints it has passively collected, by applying a formula that calculates the most likely identity using the confidence value of each collected fingerprint and the amount of corroborating fingerprint data between identities.
device
A physical fault-tolerant, purpose-built appliance (including Cisco ASA with FirePOWER Services) available in a range of throughputs, or a software-based deployment with many of the same capabilities. Depending on the licensed capabilities you enable on your devices, you can use them to passively monitor traffic to build a comprehensive map of your network assets, application traffic, and user activity, as well as perform access control. Many devices can also perform switching, routing (including DHCP relay and NAT), and VPN. You must manage devices with a Defense Center.
discovery
A component of the FireSIGHT System that uses managed devices to monitor your network and provide you with a complete, persistent view of your network. Network discovery determines the number and types of hosts (including network devices and mobile devices) on your network, as well as information about the operating systems, active applications, and open ports on those hosts. You can also configure managed devices to monitor user activity on your network, which allows you to identify the source of policy breaches, attacks, or network vulnerabilities.
discovery data
Host, user, and application information that qualifies your network assets and traffic flow, as gathered by the discovery feature.
discovery rule
Within a network discovery policy, specifies the networks and zones you want to monitor and the devices (including NetFlow-enabled devices) you want to use to monitor them, as well as any ports you want to exclude from monitoring. Each rule also specifies whether you want to discover hosts, users, or applications on the monitored networks.
distinguished name object
A reusable object that represents a public key certificate’s subject or issuer distinguished name.
drill-down page
An intermediate workflow page used to constrain event views. Generally, a drill-down page presents constraints that you can select to advance to a more narrowly constrained page or a table view.
dynamic analysis summary report
An intrusion rule state that is set for a specified period of time in response to a detected rate anomaly in traffic matching the rule.
elliptic curve (EC) cryptography
A cryptographic method based on the arithmetic of points on an elliptic curve over a finite field. Contrast with RSA cryptography.
event
A collection of details about a specific occurrence that you can view in the event viewer, using workflows. Events may represent attacks on your network, changes in your detected network assets, violations of your organization’s security and network use policies, and so on. The system also generates events that contain information about the changing health status of appliances, your use of the web interface, rule updates, and launched remediations. Finally, the system presents certain other information as events, even though these “events” do not represent particular occurrences. For example, you can use the event viewer to view detailed information about detected hosts, applications, and their vulnerabilities.
event suppression
A feature that allows you to suppress intrusion events when a specific IP address or range of IP addresses triggers an intrusion rule. Event suppression is useful for eliminating false positives. For example, if you have an email server that transmits packets that look like a specific exploit, you can suppress events for the rules that are triggered by that server, so you only see the events for legitimate attacks. Because suppressed events are not logged at all, scope a suppression to the specific rule and the narrowest address range that covers the known benign source.
event thresholding
A feature that allows you to limit the number of times the system logs and displays an intrusion event, based on how many times the event is generated within a specified time period. Use event thresholding if you are overwhelmed with a large number of identical events.
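To show how suppression and thresholding differ in effect, here is an added example that is not Cisco code and does not reproduce the product’s rule syntax. It runs constructed intrusion events through a per-rule suppression list (by source network) and a limit-style threshold (at most N events per source per window, a window type borrowed from Snort’s threshold semantics). The SIDs are in the local-rule range and do not refer to real rules; all names are this example’s own.

```python
import ipaddress
from collections import defaultdict


class IntrusionEventFilter:
    """Applies per-rule suppression and limit-style thresholding to intrusion events.

    Rules are identified by (gid, sid). Suppression drops every event a rule
    generates for a listed source network. Thresholding keeps at most `count`
    events per `seconds` for each (rule, source IP) pair and drops the rest
    until the window rolls over.
    """

    def __init__(self):
        self._suppressions = defaultdict(list)  # (gid, sid) -> [ip_network, ...]
        self._thresholds = {}                   # (gid, sid) -> (count, seconds)
        self._windows = {}                      # (gid, sid, src_ip) -> (window_start, seen)

    def suppress_source(self, gid, sid, network):
        self._suppressions[(gid, sid)].append(ipaddress.ip_network(network))

    def limit(self, gid, sid, count, seconds):
        self._thresholds[(gid, sid)] = (count, seconds)

    def accept(self, event):
        """Return True if the event should be logged, False if suppressed or over threshold."""
        rule = (event["gid"], event["sid"])
        src = ipaddress.ip_address(event["src_ip"])
        if any(src in net for net in self._suppressions.get(rule, ())):
            return False
        if rule in self._thresholds:
            count, seconds = self._thresholds[rule]
            wkey = rule + (event["src_ip"],)
            start, seen = self._windows.get(wkey, (event["ts"], 0))
            if event["ts"] - start >= seconds:   # window expired: start a fresh one
                start, seen = event["ts"], 0
            seen += 1
            self._windows[wkey] = (start, seen)
            if seen > count:
                return False
        return True


# Constructed sample events; SIDs are in the local-rule range and do not refer to real rules.
MAIL_RULE = (1, 1000001)    # hypothetical rule that the mail server trips with legitimate traffic
SCAN_RULE = (1, 1000002)    # hypothetical noisy rule

SAMPLE_EVENTS = [
    {"id": 1, "ts": 0,  "gid": 1, "sid": 1000001, "src_ip": "10.0.0.25"},      # mail server: suppressed
    {"id": 2, "ts": 1,  "gid": 1, "sid": 1000001, "src_ip": "198.51.100.9"},   # other source: kept
    {"id": 3, "ts": 10, "gid": 1, "sid": 1000002, "src_ip": "203.0.113.7"},    # 1st in window: kept
    {"id": 4, "ts": 11, "gid": 1, "sid": 1000002, "src_ip": "203.0.113.7"},    # 2nd: kept
    {"id": 5, "ts": 12, "gid": 1, "sid": 1000002, "src_ip": "203.0.113.7"},    # 3rd: kept
    {"id": 6, "ts": 13, "gid": 1, "sid": 1000002, "src_ip": "203.0.113.7"},    # over limit: dropped
    {"id": 7, "ts": 14, "gid": 1, "sid": 1000002, "src_ip": "203.0.113.7"},    # over limit: dropped
    {"id": 8, "ts": 20, "gid": 1, "sid": 1000002, "src_ip": "203.0.113.8"},    # different source: kept
    {"id": 9, "ts": 75, "gid": 1, "sid": 1000002, "src_ip": "203.0.113.7"},    # new window: kept
]


def filter_sample():
    """Return the ids of the events that survive suppression and thresholding."""
    f = IntrusionEventFilter()
    f.suppress_source(*MAIL_RULE, "10.0.0.25/32")
    f.limit(*SCAN_RULE, count=3, seconds=60)
    return [e["id"] for e in SAMPLE_EVENTS if f.accept(e)]


if __name__ == "__main__":
    print("logged event ids:", filter_sample())
```

The difference matters operationally: the suppressed mail-server event never appears, whereas the thresholded scanner still produces the first three events of each 60-second window, so the activity remains visible without flooding the event viewer. Tracking the window per source IP keeps a second attacker from being hidden behind the first one’s quota.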
event viewer
A component of the system that allows you to view and manipulate events. The event viewer uses workflows to present a broad, then a more focused event view that contains only the events of interest to you. You can constrain the events in an event view by drilling down through the workflow, or by using a search.
export
A method that you can use to transfer various configurations (such as policies) from appliance to appliance. After you export a configuration from one appliance, you can import it onto another appliance of the same type.
A characteristic of an inline set that allows packets to bypass processing and continue through the device if internal traffic buffers are full.
A rule that you configure at a device’s hardware level, using a limited set of criteria, to allow traffic that does not need to be analyzed to bypass processing.
fingerprint
An established definition that the system compares against specific packet header values and other unique data from network traffic to identify a host’s operating system. If the system misidentifies or cannot identify a host’s operating system, you can create a custom fingerprint that identifies the host.
A general classification for file types, such as graphics, executables, or archives.
A feature that, as part of access control, allows you to specify and log the types of files that can traverse your network.
An event that represents a file detected in network traffic by a managed device.
A set of criteria within a file policy that the FireSIGHT System uses to examine network traffic. If a transmitted file matches the rule criteria, the rule triggers and generates a file event. The file rule action determines whether you block the file (based on file type or malware disposition) or simply allow the file to pass and log the transmission.
A setting that determines how the system handles a file that meets the conditions of a file rule. You can detect and alert on specific file types, as well as block the transmission of those files. You can also perform malware cloud lookups on a subset of those file types and block the transmission of those files based on malware disposition.
A specific type of file format, such as PDF, EXE, or MP3.
FireAMP
Cisco’s enterprise-class, endpoint-based, advanced malware analysis and protection solution that discovers, understands, and blocks malware outbreaks, persistent threats, and targeted attacks. If your organization has a FireAMP subscription, individual users install lightweight FireAMP Connectors on endpoints (computers, mobile devices), which then communicate with the Collective Security Intelligence Cloud. This allows you to quickly identify and quarantine malware, as well as identify outbreaks when they occur, track their trajectory, understand their effects, and learn how to successfully recover. You can also use the FireAMP portal to create custom protections, block execution of certain applications, and create custom whitelists. Compare with network-based advanced malware protection.
A FireAMP-provided virtual machine that acts as a secure mediator between your monitored network and the Collective Security Intelligence Cloud for FireAMP-based (file and malware) features. All connections to the cloud occur over the private cloud’s anonymized proxy connection, rather than from individual agents or appliances on your network.
FireSIGHT Recommendations layer
FireSIGHT recommended rules
generator ID (GID)
A number that indicates which component of the system generated an intrusion event. GIDs help you analyze events more effectively by categorizing the type of event, in the same way that a rule’s Signature ID (SID) offers context for the packets that trigger the rule.
geolocation
A feature that provides data on the geographical source of routable IP addresses detected in traffic on your monitored network, including connection type, Internet service provider, and so on. You can see geolocation information in events and host profiles, and use it to filter traffic in an access control policy or SSL policy.
geolocation database (GeoDB)
A regularly updated database of known geolocation data associated with routable IP addresses.
Also called the high availability link interface, a physical interface that you configure on each member of a clustered pair of devices to act as a redundant communications channel for sharing health information between the devices.
health event
An event generated when one of the appliances in your deployment meets (or fails to meet) performance criteria specified in a health module. Health events can also generate alerts.
health module
A test of a particular performance aspect, such as CPU usage or available disk space, of the appliances in your deployment. Health modules, which you enable in a health policy, generate health events when the performance aspects they monitor reach a certain level.
health monitor
A feature that continuously monitors the performance of the appliances in your deployment. The health monitor uses health modules within an applied health policy to test the appliances.
A configuration that temporarily disables aspects of health monitoring to prevent the generation of unnecessary health events. You can disable monitoring for a group of appliances, a single appliance, or a specific health module.
health policy
The criteria used when checking the health of an appliance in your deployment. Health policies use health modules to indicate whether system hardware and software are working correctly. You can use the default health policy or create your own.
A feature that allows you to configure redundant physical Defense Centers to manage groups of devices. Event data streams from managed devices to both Defense Centers, and most configuration elements are maintained on both Defense Centers. If your primary Defense Center fails, you can monitor your network without interruption using the secondary Defense Center. Compare with clustering, which allows you to designate redundant devices.
host
A device that is connected to a network and has a unique IP address. To the FireSIGHT System, a host is any identified host that is not categorized as a mobile device, bridge, router, NAT device, or load balancer.
host attribute
A tool you can use to provide information about hosts detected by the system, classifying them in ways that are important to your network environment. The system has two predefined host attributes, host criticality and notes, as well as host attributes that indicate the compliance of each host with each active compliance white list. You can also create your own host attributes.
A host attribute that indicates the business criticality (importance) of any given host detected by the system.
host history
A graphical representation of the last 24 hours of a user’s activity. The host history, which you can view in a user’s user details, displays the IP addresses of the hosts that the user logged into, with approximate login and logout times represented by bar graphs.
host input
A feature that allows you to import data from third-party sources using scripts or command-line files to augment the information in the network map. The web interface also provides some host input functionality; you can modify operating system or application protocol identities, validate or invalidate vulnerabilities, and delete various items from the network map, including clients and server ports.
host input event
A kind of discovery event that is generated when you use the host input feature. In general, the system treats host input and passive discovery events identically, though they are distinguished when building correlation rules.
host profile qualification
A web page you can configure the system to display when a user’s HTTP request is blocked by access control. You can display a generic Cisco-provided response page, or you can provide custom HTML. If the request was blocked by an Interactive Block rule, you can allow users to click a button on the response page to continue to the originally requested site.
The conflict that occurs when the system reports a new passive operating system or server identity that conflicts with the current active identity and previously reported passive identities.
impact level
For intrusion events, a numbered indicator of the correlation between intrusion data, discovery data, and vulnerability information. Impact level 1 (red impact icon) means that the targeted host is vulnerable to the attack represented by the intrusion event, impact level 2 (orange impact icon) means it is potentially vulnerable, and so on. Attacks directed at hosts on networks not monitored by the network discovery policy are impact level 0 (gray impact icon), which indicates that the Defense Center cannot determine the events’ impact.
import
A method that you can use to transfer various configurations from appliance to appliance. You can import configurations that you previously exported from another appliance of the same type.
inactive period
An interval during which a correlation rule does not trigger. You can configure the time, frequency, and duration of inactive periods. See also snooze period.
incident
One or more intrusion events that you suspect are involved in a possible violation of your security policy. The system provides incident-handling features that you can use to collect and process information that is relevant to your investigation of the incident.
indications of compromise (IOC)
Configured in the network discovery policy, a feature where the system correlates FireAMP endpoint data with hosts on your monitored network. Potentially compromised hosts are marked with tags to indicate their status, visible in the host profile and in relevant event views.
A deployment of the FireSIGHT System where your managed devices are placed inline on a network. In this configuration, devices can affect network traffic flow. Contrast with passive detection, where you can analyze and respond to, but not affect, the flow of traffic.
Intelligence Feed
A collection of regularly updated lists of IP addresses determined by the Cisco VRT to have a poor reputation. Each list in the Intelligence Feed represents a specific category: open relays, known attackers, bogus IP addresses (bogon), and so on. In an access control policy, you can blacklist any or all of the categories using Security Intelligence. Because the Intelligence Feed is regularly updated, using it ensures that the system uses up-to-date information to filter your network traffic.
An authentication method that stores user credentials in a local database on the appliance. When a user logs into the appliance, the user name and password are checked against the information in the database. Compare with external authentication.
A security breach, attack, or exploit that occurs on your network.
intrusion detection and prevention
intrusion event
An event that records an intrusion policy violation. Intrusion event data includes the date, time, and the type of exploit, as well as other contextual information about the attack and its target.
intrusion rule
A set of keywords and arguments that, when applied to monitored network traffic, identify potential intrusions, security policy violations, and security breaches. The system compares packets against rule conditions. If the packet data matches the conditions, the rule triggers and generates an intrusion event. Intrusion rules include drop rules and pass rules.
A form of external authentication that verifies user credentials by comparing them to a Lightweight Directory Access Protocol (LDAP) directory stored on an LDAP directory server.
Lights-Out Management (LOM)
A Series 3 feature that allows you to use an out-of-band Serial over LAN (SOL) management connection to remotely monitor or manage certain appliances without logging into the web interface of the appliance. You can perform limited tasks, such as viewing the chassis serial number or monitoring such conditions as fan speed and temperature.
Link Aggregation Control Protocol (LACP)
A component of the IEEE 802.3ad specification that provides a method of exchanging system and port information to control the bundling of several physical ports together to form a single logical data channel called a link aggregation group (LAG). When you enable LACP, each device on either end of the channel uses LACP to determine which links will be actively used in the aggregation.
link aggregation group (LAG)
A Series 3 feature that allows you to group multiple physical Ethernet interfaces into a single logical link on managed devices configured in either a Layer 2 deployment that provides packet switching between networks, or a Layer 3 deployment that routes traffic between interfaces. This single aggregate logical link provides higher bandwidth, redundancy, and load-balancing between two endpoints.
An option for inline sets in bypass mode that automatically brings down the second interface in a pair when one of the interfaces in an inline set goes down. When the downed interface comes back up, the second interface automatically comes back up also. In other words, if the link state of a paired interface changes, the link state of the other interface changes automatically to match it.
malware disposition cache
A cache on the Defense Center that stores malware dispositions and threat scores for files. To improve performance, if the system already knows the disposition or threat score for a file based on its SHA-256 hash value, the Defense Center uses the cached information rather than performing a malware cloud lookup. Information in the cache times out after a certain period of time so that cache data does not become stale.
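The cache described above is a content-addressed lookup with a time-to-live. The following is an added example, not Cisco code: it hashes a constructed file with SHA-256, consults a TTL cache before calling a stand-in for the cloud lookup, and shows that an identical file is served from cache within the TTL and re-queried after it expires. The disposition labels, the 0–100 threat score scale, the one-hour TTL, and the `FakeCloud` table are assumptions for the example, not product values.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class CacheEntry:
    disposition: str     # e.g. "Malware", "Clean", "Unknown" (labels assumed for this example)
    threat_score: int    # 0-100, assumed scale
    stored_at: float     # seconds, same clock as the `now` passed to lookups


class DispositionCache:
    """SHA-256 keyed cache with a fixed time-to-live, so stale verdicts are re-fetched."""

    def __init__(self, ttl_seconds: float):
        self.ttl = ttl_seconds
        self._entries: Dict[str, CacheEntry] = {}

    def get(self, sha256: str, now: float) -> Optional[CacheEntry]:
        entry = self._entries.get(sha256)
        if entry is None:
            return None
        if now - entry.stored_at >= self.ttl:   # timed out: evict and force a fresh lookup
            del self._entries[sha256]
            return None
        return entry

    def put(self, sha256: str, disposition: str, threat_score: int, now: float) -> None:
        self._entries[sha256] = CacheEntry(disposition, threat_score, now)

    def __len__(self) -> int:
        return len(self._entries)


def file_sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def resolve_disposition(data: bytes, cache: DispositionCache,
                        cloud_lookup: Callable[[str], Tuple[str, int]],
                        now: float) -> Tuple[str, int, bool]:
    """Return (disposition, threat_score, served_from_cache) for a captured file."""
    digest = file_sha256(data)
    cached = cache.get(digest, now)
    if cached is not None:
        return cached.disposition, cached.threat_score, True
    disposition, score = cloud_lookup(digest)      # the only path that leaves the appliance
    cache.put(digest, disposition, score, now)
    return disposition, score, False


class FakeCloud:
    """Stand-in for the cloud lookup: a fixed table of verdicts plus a call counter."""

    def __init__(self, verdicts: Dict[str, Tuple[str, int]]):
        self.verdicts = verdicts
        self.calls = 0

    def __call__(self, digest: str) -> Tuple[str, int]:
        self.calls += 1
        return self.verdicts.get(digest, ("Unknown", 0))


def cache_sample():
    """Three lookups of one constructed file: miss, hit within TTL, miss after TTL."""
    sample = b"MZ\x90\x00constructed sample, not a real executable"
    cloud = FakeCloud({file_sha256(sample): ("Malware", 95)})
    cache = DispositionCache(ttl_seconds=3600)
    first = resolve_disposition(sample, cache, cloud, now=0.0)       # cache miss: cloud queried
    second = resolve_disposition(sample, cache, cloud, now=600.0)    # hit: same hash, within TTL
    third = resolve_disposition(sample, cache, cloud, now=3601.0)    # TTL expired: cloud queried again
    return first, second, third, cloud.calls


if __name__ == "__main__":
    for result in cache_sample()[:3]:
        print(result)
```

Keying on the full SHA-256 digest rather than a file name means a renamed copy of a known file never triggers a second lookup, while the TTL bounds how long a verdict that the cloud later revises can keep being applied locally.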
A secondary solid-state drive supplied by Cisco that you can install in certain devices to store captured files, freeing space on the device’s primary hard drive for event and configuration storage.
The network interface that you use to administer a FireSIGHT System
appliance. In most deployments, the management interface is connected to an internal
protected network. Compare with
sensing interface. On
virtual Defense Centers and all
Series 3 appliances, you can configure multiple management interfaces to either separate traffic into channels to improve performance, or to create a route to an additional network to allow a Defense Center to isolate traffic on different networks. You can also route
traffic channels to separate networks to increase throughput capacity.
management traffic channel
In the FireSIGHT System, a host identified by the discovery feature as a mobile, handheld device (such as a mobile phone or tablet). The system can often detect whether a mobile device is jailbroken.
A way to log matching traffic, but also to allow the system to continue evaluating the connection rather than immediately allowing or blocking it. You can monitor traffic that violates a Security Intelligence blacklist, or that matches any combination of criteria in an access control rule or SSL rule.
Network address translation, a feature most commonly used to share a single Internet connection among multiple hosts on a private network. Using discovery, the system can identify network devices as load balancers. In addition, in a Layer 3 deployment of the FireSIGHT System, you can configure routing with NAT using a NAT policy.
A policy that uses NAT rules to perform routing with NAT.
A set of configurations and conditions that evaluate network traffic and specify how traffic matching those qualifications is translated. NAT rules are added to an existing NAT policy to perform routing using NAT.
An open but proprietary network protocol for collecting IP traffic information, developed by Cisco to run on Cisco IOS-enabled equipment. You can use the information collected by NetFlow-enabled devices to supplement the discovery and connection data collected by the FireSIGHT System and to monitor networks not covered by managed devices.
A variety of preprocessors that you can configure to decode, normalize, and preprocess network traffic in preparation for later analysis by an intrusion policy. By default, a single system-provided network analysis policy preprocesses all traffic handled by an access control policy. However, you can choose a custom network analysis policy to perform this preprocessing. Advanced users can use network analysis rules to allow multiple custom network analysis policies to preprocess traffic based on security zone, network, or VLAN tag.
A set of conditions that advanced FireSIGHT System users can use to perform targeted preprocessing using multiple custom network analysis policies. You configure network analysis rules as an advanced option in an access control policy.
A visual representation of a file’s path as hosts transfer it across your network. For any file with an associated SHA-256 hash value, the trajectory map displays the IP addresses of all hosts that have transferred the file, the time the file was detected, the file’s malware disposition, associated file events and malware events, and so on.
A reusable object that represents one or more IP addresses, CIDR blocks, or prefix lengths.
Network Mapper, an open source active scanner that you can use to detect operating systems and application protocols running on a host. Running an Nmap scan adds the information detected to your network map.
non-access-controlled user
A reusable configuration that associates a name with a value (for example, an IP address or URL) so that when you want to use that value in the web interface, you can use the named object instead. You create objects using the object manager. See also: network object, Security Intelligence object, port object, VLAN tag object, URL object, application filter, variable set, file list, HA link interface, security zone, cipher suite list, distinguished name object, and PKI object.
The page on the web interface where you manage objects and object groups.
operating system identity
The operating system vendor and version details for an operating system on a host.
An intrusion rule that, when triggered, does not generate an intrusion event and does not log the details of the packet that triggered the rule. Pass rules allow you to prevent packets that meet specific criteria from generating an event in specific situations, as an alternative to disabling the intrusion rule. Compare with drop rule.
pending (application protocol)
A designation given to an application protocol identity when the system can neither positively nor negatively identify the application protocol. Most often, the system needs to collect and analyze more data before it can identify a pending application protocol.
An interface that represents a physical port on a NetMod.
A reusable object that represents an open port that uses transport layer protocols (for example, TCP, UDP, or ICMP).
A component of the system that prepares traffic to be further inspected for intrusions and exploits. Preprocessors normalize traffic and help identify network layer and transport layer protocol anomalies by identifying inappropriate header options, defragmenting IP datagrams, providing TCP stateful inspection and stream reassembly, and validating checksums. Preprocessors can also render specific types of packet data in a format that the system can analyze; these preprocessors are called data normalization preprocessors, or application layer protocol preprocessors. Normalizing application layer protocol encoding allows the system to effectively apply the same content-related intrusion rules to packets whose data is represented differently and obtain meaningful results. Preprocessors generate preprocessor events whenever packets trigger preprocessor options that you configure. Preprocessors require specific expertise to configure, typically require little or no modification, and are not common to every deployment.
A type of intrusion event that is generated when a packet triggers specified preprocessor options. Preprocessor events can help you detect anomalous protocol exploits.
A named set of search criteria for a specific table, tied to your user account. Only you and users with Administrator access can use your private searches.
Your organization’s internal network that is protected from users of other networks by a device such as a firewall. Many of the intrusion rules delivered with the system use variables to define the protected network and the unprotected (or outside) network.
public key infrastructure (PKI)
Remote Authentication Dial In User Service, a service used to authenticate, authorize, and account for user access to network resources. You can create an external authentication object to allow FireSIGHT System users to authenticate through a RADIUS server.
A form of anomaly detection that sets a new intrusion rule state for a rule based on the rate of matching traffic.
An action that mitigates potential attacks on your system. You can configure remediations and, within a correlation policy, associate them with correlation rules and compliance white lists so that when they trigger, the Defense Center launches the remediation. This can not only automatically mitigate attacks when you are not immediately available to address them, but can also ensure that your system remains compliant with your organization’s security policy. The Defense Center ships with predefined remediation modules, and you can also use a flexible API to create custom remediations.
A set of configurations for a remediation module. You can configure multiple instances per module; for example, you could respond to different correlation policy violations using the same module, but different instances that have different settings. When a remediation instance triggers, the resulting action is called a remediation.
A program that launches a remediation, using sets of configurations called remediation instances. The FireSIGHT System ships with several remediation modules that perform various actions; you can also use a flexible API to create your own modules.
A template that specifies the data constraints and formats for a report and its sections.
retrospective malware event
An interface that routes traffic in a Layer 3 deployment. You can set up physical routed interfaces for handling untagged virtual local area network (VLAN) traffic, and logical routed interfaces for handling traffic with designated VLAN tags. You can also add static Address Resolution Protocol (ARP) entries to routed interfaces.
A construct, often within a policy, that provides criteria against which network traffic is examined. See also: access control rule, correlation rule, discovery rule, fast-path rule, file rule, intrusion rule, network analysis rule, preprocessor rule, and SSL rule.
Whether an intrusion rule is enabled (set to Generate Events or Drop and Generate Events), or disabled (set to Disable) within an intrusion policy. If you enable a rule, it is used to evaluate your network traffic; if you disable a rule, it is not used.
An administrative task that you can schedule to run once or at recurring intervals.
Secure Sockets Layer (SSL)
A feature that allows you to specify the traffic that can traverse your network, per access control policy, based on the source or destination IP address. This is especially useful if you want to blacklist—deny traffic to and from—specific IP addresses, before the traffic is subjected to analysis by access control rules. Optionally, you can use a Monitor setting for Security Intelligence filtering, which allows the system to analyze connections that would have been blacklisted, but also logs the match to the blacklist.
Security Intelligence blacklist
Security Intelligence event
Security Intelligence feed
One of the types of Security Intelligence objects, a dynamic collection of IP addresses that the system downloads on a regular basis, at an interval you configure. Because feeds are regularly updated, using them ensures that the system uses up-to-date information to filter your network traffic using the Security Intelligence feature. See also the Intelligence Feed.
Security Intelligence list
Security Intelligence object
Security Intelligence whitelist
An organization's guidelines for protecting its network. For example, your security policy might forbid the use of wireless access points. A security policy may also include an acceptable use policy (AUP), which provides employees with guidelines on how they may use their organization’s systems.
security policy violation
A security breach, attack, exploit, or other misuse of your network.
A grouping of one or more inline, passive, switched, or routed interfaces that you can use to manage and classify traffic flow in various policies and configurations. The interfaces in a single zone may span multiple devices; you can also configure multiple security zones on a single device. You must assign at least one interface to a security zone to match traffic against that security zone, and each interface can belong to only one zone.
The second series of FireSIGHT System appliance models. Because of resource, architecture, and licensing limitations, Series 2 appliances support a restricted set of features. Series 2 devices include the 3D500, 3D1000, 3D2000, 3D2100, 3D2500, 3D3500, 3D4500, 3D6500, and 3D9900. Series 2 Defense Centers include the DC500, DC1000, and DC3000.
The first 256 bytes of the first packet detected for a server, which can provide additional information that may help you identify the server. The system collects a server banner only once, the first time the server is detected.
An encrypted certificate issued by a certificate authority that provides unalterable confirmation of the server identity. You can request a certificate from any certificate authority and upload that custom certificate to your appliance.
A small form-factor pluggable transceiver that is inserted into a network module on a 71xx Family device. Sensing interfaces on SFP modules do not allow configurable bypass.
Sometimes abbreviated as SHA256, a 32-bit string that represents a file for which you are performing a malware cloud lookup. The hash value is calculated using a cryptographic hash function so that files with identical SHA-256 values are very likely to have identical contents.
An intrusion policy or network analysis policy layer that you allow to be used by other policies. Policies using a shared layer are updated with changes in the shared layer when you commit those changes. A shared layer can be modified only in the policy that allows it to be shared; it is read-only in policies using it.
An intrusion rule delivered as a binary module compiled from C source code. You can use shared object rules to detect attacks in ways that standard text rules cannot. You cannot modify the rule keywords and arguments in a shared object rule; you are limited to either modifying variables used in the rule, or modifying aspects, such as the source and destination ports and IP addresses, and saving a new instance of the rule as a custom shared object rule. Shared object rules have a generator ID (GID) of 3.
A unique identifying number assigned to each intrusion rule (also known as a Snort ID). When you create a new rule or modify an existing standard text rule, it is given an SID of 1,000,000 or greater. The SIDs for shared object rules and standard text rules delivered with the FireSIGHT System are lower than 1,000,000. Also, preprocessors and decoders use SIDs to identify the different types of packets they detect.
An interval specified in seconds, minutes, or hours after a correlation rule triggers during which the system stops firing that rule, even if the rule is violated again during the interval. When the snooze period has ended, the rule can trigger again (and start a new snooze period). See also inactive period.
An open source intrusion detection system that performs real-time traffic analysis and packet logging on IP networks. Snort can perform protocol analysis, content searching and matching, and can detect a variety of attacks and probes. Snort uses a flexible rules language to describe network traffic that it should collect or pass. The FireSIGHT System uses Snort to test packets against decoders, preprocessors, and intrusion rules.
A feature that allows you to inspect, decrypt, and log the encrypted traffic that traverses your network. Both traffic you choose not to decrypt and decrypted traffic can be further inspected with access control.
A policy that you apply as part of a parent access control policy, and that performs SSL inspection on the encrypted traffic monitored by policy target devices. An SSL policy may include multiple SSL rules; it also specifies a default action, which determines the handling and logging of traffic that does not meet the criteria of any of those rules. An SSL policy can also specify how to handle undecryptable traffic, and what encrypted traffic it trusts, based on CA public key certificates.
A set of conditions the system uses to examine encrypted traffic and perform SSL inspection. SSL rules, which populate an SSL policy, may perform simple IP address matching, or may characterize complex connections involving different users, applications, ports, URLs, and encrypted session characteristics. The SSL rule action determines how the system handles traffic that meets the rule’s conditions. Other rule settings determine how (and whether) the connection is logged.
A setting that determines how the system handles encrypted network traffic that meets the conditions of an SSL rule. You can block matching traffic (with or without resetting the connection). You can also leave encrypted traffic undecrypted, decrypt incoming traffic with an uploaded private key, decrypt outgoing traffic with a re-signed public key certificate, or continue to monitor traffic with additional SSL rules.
Two to four connected devices that share detection resources.
A feature that allows you to increase the amount of traffic inspected on a network segment by connecting two to four physical devices in a stacked configuration. When you establish a stacked configuration, you combine the resources of each stacked device into a single, shared configuration.
An intrusion rule created based on the identifiers, keywords, and arguments available in the rule editor. You can create your own custom standard text rules and modify Cisco-provided standard text rules. A standard text rule has a generator ID (GID) of 1.
A feature that allows clustered devices or stacks to synchronize so that if either device or stack fails, the peer can take over with no interruption to traffic flow. State sharing ensures that strict TCP enforcement, unidirectional access control rules, blocking persistence, and dynamic NAT fail over properly.
A server called by another server on the same host.
An interface that you want to use to switch traffic in a Layer 2 deployment. You can set up physical switched interfaces for handling untagged virtual local area network (VLAN) traffic, and logical switched interfaces for handling traffic with designated VLAN tags.
Settings that are likely to be similar for multiple appliances in a deployment, such as mail relay host preferences and time synchronization settings. Use the Defense Center to apply a system policy to itself and its managed devices.
A type of workflow page that displays event information, with one column for each of the fields in the database table. When performing event analysis, you can use drill-down pages to constrain the events you want to investigate before moving to the table view that shows you the details about the events you are interested in. The table view is often the next-to-last page in workflows delivered with the system.
An advanced inline set option available on 3D9900 and Series 3 devices where a copy of each packet is analyzed and the network traffic flow is undisturbed instead of passing through the device. Because you are working with copies of packets rather than the packets themselves, the device cannot affect the packet stream even if you configure access control and intrusion policies to drop, modify, or block traffic.
A queue of jobs that the appliance needs to perform. When you apply a policy, install software updates, and perform other long-running jobs, the jobs are queued and their status reported on the Task Status page. The Task Status page provides a detailed list of jobs and refreshes every ten seconds to update their status.
third-party vulnerability
Vulnerability data obtained from a third party. If your organization can write scripts or create command line import files to import network map data from third-party applications, you can use the host input feature to import third-party vulnerability data to augment the system’s vulnerability data.
A time constraint on the events in any event view. Different event views may have different default time windows, depending on your user preferences. Note that not all event views can be constrained by time.
A connection you can configure on the management interface of a Series 3 appliance or virtual Defense Center to carry either management or event traffic. The event traffic channel carries only event data generated on the managed device’s network segment and the management traffic channel carries only internally generated traffic (that is, management traffic between the Defense Center and the device). See management interface.
A profile of the traffic on your network, based on connection events logged over a time span that you specify. You can create profiles using all the traffic on a monitored network segment, or you can create more targeted profiles. Then, you can use the correlation feature to detect abnormal network traffic by evaluating new traffic against an existing profile.
An advanced inline set option that allows a device to act as a “bump in the wire” and to forward all the network traffic it sees, regardless of its source and destination.
A host whose operating system cannot be identified because the system has not yet gathered enough information about the host. Compare with unknown host.
A binary file format that the FireSIGHT System uses to log event data.
A general classification for a URL, such as malware or social networking.
A reusable object that represents an individual URL.
A user whose network activity has been detected by a managed device or User Agent.
An event generated when the system detects a user login or logoff (optionally, including some failed login attempts) or the addition or deletion of a user record from the Defense Center database.
An agent you install on a server to monitor users as they log into the network or when they authenticate against Active Directory credentials for any other reason. Activity by access-controlled users is used for access control only when a User Agent reports it.
A feature that allows your organization to correlate threat, endpoint, and network intelligence with user identity information, and that allows you to perform user control.
A collection of settings that allows you to connect to an LDAP server to retrieve metadata for users whose activity was detected in network traffic or by a User Agent. If your organization uses Microsoft Active Directory, user awareness objects can also specify your access-controlled users.
An encrypted certificate that identifies a user's browser to the FireSIGHT System web server, allowing the server to do a secondary verification of user identity. The certificate must be issued by the same certificate authority that issued the server certificate for your appliance.
A feature that, as part of access control, allows you to specify and log the user-associated traffic that can traverse your network.
The final page in user identity and user activity workflows. Along with general information about the user, the user details also display a host history, which is a graphical representation of the last twenty-four hours of the user’s activity.
A graphical representation of the last twenty-four hours of user activity for a host. The user history, which you can view in a host’s host profile, displays the user names of the users detected logging into the host, with approximate login and logout times represented by bar graphs.
The level of access granted to a user of the FireSIGHT System. For example, you can grant different access privileges to the web interface for event analysts, the administrator managing the FireSIGHT System, users accessing the Defense Center database using third-party tools, and so on. You can also create custom roles with specialized access privileges.
A privilege you can give to custom user roles that allows users to enter a password to gain the permissions of another user role for the duration of a login session.
Coordinated Universal Time. Also known as Greenwich Mean Time (GMT), UTC is the standard time common to every place in the world. The FireSIGHT System uses UTC, although you can set the local time using the Time Zone feature.
A representation of a value that is commonly used in intrusion rules. The FireSIGHT System uses preconfigured variables, organized in variable sets, to define networks and port numbers. Rather than hard-coding these values in multiple rules, to tailor a rule to accurately reflect your network environment, you can change the variable value.
A Defense Center that you can deploy on your own equipment in a virtual hosting environment.
Virtual local area network (VLAN)
VLANs map hosts not by geographic location, but by some other criterion, such as by department or primary use. A monitored host’s host profile shows any VLAN information associated with the host. Innermost VLAN tag information is also included in various events. The system can also perform multiple types of traffic handling, including access control, based on a connection’s VLAN tag. In Layer 2 and Layer 3 deployments, you can configure virtual switches and virtual routers on managed devices to appropriately handle VLAN-tagged traffic.
A group of routed interfaces that route Layer 3 traffic. In a Layer 3 deployment, you can configure virtual routers to route packets by making packet forwarding decisions according to the destination IP address. You can define static routes, configure Routing Information Protocol (RIP) and Open Shortest Path First (OSPF) dynamic routing protocols, as well as implement Network Address Translation (NAT).
A group of switched interfaces that process inbound and outbound traffic through your network. In a Layer 2 deployment, you can configure virtual switches on managed devices to operate as standalone broadcast domains, dividing your network into logical segments. A virtual switch uses the media access control (MAC) address from a host to determine where to send packets.
A feature that allows you to build secure VPN tunnels between the virtual routers of FireSIGHT System managed devices.
A description of a specific compromise to which a host is susceptible. The Defense Center provides information on the vulnerabilities to which each of your hosts is vulnerable in the hosts’ host profiles. In addition, you can use the vulnerabilities network map to obtain an overall view of the vulnerabilities that the system has detected on your entire monitored network. If you deem a host or hosts no longer vulnerable to a specific compromise, you can deactivate, or mark as invalid, a specific vulnerability.
Also called the VDB, a database of known vulnerabilities to which hosts may be susceptible. The system correlates the operating system, application protocols, and clients detected on each host with the VDB to help you determine whether a particular host increases your risk of network compromise. VDB updates may contain new and updated vulnerabilities, as well as new and updated application detectors.
A type of application that represents the content of, or requested URL for, HTTP traffic.