ActualTests implementing cisco security monitoring analysis and response system exam 642544 may 2009 pdf


DOCUMENT INFORMATION

Basic information

Format: PDF
Pages: 25
Size: 620,37 KB


Contents


Exam: 642-544

Title: Implementing Cisco Security Monitoring, Analysis and Response System

Ver: 05-22-2009

QUESTION 1:

A Cisco Security MARS appliance cannot access certain devices through the default gateway. Troubleshooting has determined that this is a Cisco Security MARS configuration issue. Which additional Cisco Security MARS configuration will be required to correct this issue?

A. Use the Cisco Security MARS GUI to configure multiple default gateways
B. Use the Cisco Security MARS GUI or CLI to configure multiple default gateways
C. Use the Cisco Security MARS CLI to add a static route
D. Use the Cisco Security MARS GUI or CLI to enable a dynamic routing protocol

Answer: C

QUESTION 2:

When adding a device to the Cisco Security MARS appliance, what is the reporting IP address of the device?

A. The source IP address that sends syslog information to the Cisco Security MARS appliance
B. The IP address that Cisco Security MARS uses to access the device via SNMP
C. The pre-NAT IP address of the device
D. The IP address that Cisco Security MARS uses to access the device via telnet or ssh

Answer: A

Explanation:

Reporting IP

The reporting IP is the source IP address of event messages, logs, notifications, or traps that originate from the device. MARS uses this address to associate received messages with the correct device.

QUESTION 3:

Exhibit:

The Service variables defined are used for what purpose? Select all that apply.

A. For IP Management Groups creation
B. For Data Reduction
C. For Query/Reports and Rules creation
D. For Event Groups creation
E. For NetFlow Events Management

Answer: A, C

QUESTION 4:

Which of the following alert actions can be transmitted to a user as notification that a Cisco Security MARS rule has fired and that an incident has been logged? (Choose two.)

A. Syslog
B. OPSEC-LEA (Clear and encrypted)
C. SNMP Trap
D. Distributed Threat Mitigation
E. Short Message Service
F. XML notification

Answer: E, F

Explanation:

Source: http://www.cisco.com/en/US/products/ps6241/products_user_guide_chapter09186a00806b614c.html

QUESTION 5:

What are the two options for handling false-positive events reported by the Cisco Security MARS appliance? (Choose two.)

A. Drop
B. Mitigate at Layer 2
C. Archive to NFS only
D. Save as a false-positive report
E. Escalate to the Cisco Security MARS administrator
F. Log to the database only

Answer: A, F

Explanation:

Page 373 of the 4.2.x User Guide

To Tune an Unconfirmed False Positive to False Positive

Step 1 After you determine that a false positive is false, and you have clicked the Yes

Step 2 On the next page, decide whether or not you want MARS to keep this event type in the database by selecting the appropriate radio button:

- Dropping these events completely (that stops logging those events)
- Log to DB only (that logs the events to the DB)

QUESTION 6:

To configure a Microsoft Windows IIS Server to publish logs to the Cisco Security MARS, which log agent is installed and configured on the Microsoft Windows IIS Server?

A. pnLog Agent
B. None, Cisco Security MARS is an agentless device
C. Cisco Security MARS agent

What are three benefits in deploying Cisco Security MARS appliances using the global and local controller architecture? (Choose three.)

A. Users can seamlessly navigate to any local controller from the global controller GUI
B. A global controller can provide a summary of all local controller information (network topologies, incidents, queries and reports results)
C. A global controller can provide a central point for creating rules and queries, which are applied simultaneously to multiple local controllers
D. The architecture provides redundancy in case one of the Cisco Security MARS local controllers fails within a zone

Answer: A, B, C

QUESTION 8:

Which two configuration options enable the Cisco Security MARS appliance to perform mitigation? (Choose two.)

A. SNMP RW Community String
B. A NetFlow device added in the Cisco Security MARS database
C. Cisco Security MARS integration with Cisco Security Manager
D. Telnet or SSH access type with SNMP RO community
E. SSL communications with the network devices

Answer: A, D

Explanation:

Page 79 of the 4.2.x User Guide

For L2 devices the SNMP access type is sufficient with an RO community. But for mitigation,

A. Cisco Security MARS disk drives are not hot-swappable
B. No new events can be logged when the Cisco Security MARS local database reaches its maximum storage capacity
C. Cisco Security MARS audit logs can be exported to a centralized server for the consolidation and protection of the log data
D. If the archive is generated with one release of software, then the restore has to be done with the same version of software

Answer: D

Explanation:

Page 150 of the Install and Setup Guide for Cisco MARS

Guidelines for Restoring

When you do restore to an appliance, keep in mind the following guidelines:

The version of MARS software running on the appliance to be restored must match the

Which action enables the Cisco Security MARS appliance to ignore false-positive events by either dropping the events completely or by just logging them to the database?

A. Inactivating the rules
B. Creating system inspection rules using the drop operation
C. Deleting the false-positive events from the events management page
D. Creating drop rules
E. Deleting the false-positive events from the incidents page
F. Inactivating the events

Answer: D

Explanation:

Source: Page 441 of the 4.2.x User Guide

Working with Drop Rules

Navigate to the Drop Rules page by clicking the Rules > Drop Rules tabs.

Drop rules instruct the MARS to either drop a false positive completely from the

Which attack can be detected by Cisco Security MARS using NetFlow data?

A. Man-in-the-Middle attack

Page 81 of the 4.2.x User Guide

How MARS Uses NetFlow Data

When MARS is configured to work with NetFlow, you can take advantage of NetFlow's anomaly detection using statistical profiling, which can pinpoint day zero attacks like worm outbreaks. MARS uses NetFlow data to accomplish the following:

- Profile the network usage to determine a usage baseline
- Detect statistically significant anomalous behavior in comparison to the baseline
- Correlate anomalous behavior to attacks and other events reported by network IDS/IPS systems

After being inserted into a network, MARS studies the network usage for a full week, including the weekend, to determine the usage baseline. Once the baseline is determined, MARS switches to detection mode, where it looks for statistically significant behavior, such as the current value exceeding the mean by 2 to 3 times the standard deviation.

QUESTION 12:

In what two ways can the Cisco Security MARS present the incident data to the user graphically from the Summary Dashboard? (Choose two.)

A. Incident firing information
B. System-confirmed true positive information
C. Event Type group matrix
D. Incident vector information
E. Path information
F. Compromised topology information

Answer: D, E

Explanation:

Now you can begin your visual analysis. CS-MARS can present the incident data to you graphically from the Summary Dashboard in two ways. By clicking the respective icons within the Path column, you can visualize the data through two perspectives:

How MARS Uses NetFlow Data

When MARS is configured to work with NetFlow, you can take advantage of NetFlow's

- Profile the network usage to determine a usage baseline
- Detect statistically significant anomalous behavior in comparison to the baseline
- Correlate anomalous behavior to attacks and other events reported by network IDS/IPS

mode where it looks for statistically significant behavior, such as the current value exceeding the mean by 2 to 3 times the standard deviation.

QUESTION 14:

Which two of the following statements are TRUE when you configure the pnreset command on the Cisco Security MARS? (Choose two.)

A. Clears, sets and initializes database structures
B. Sets the debug level that is reported in the logs
C. Erases the license file
D. Enables you to view the status of the Cisco Security MARS processes and how long the processes have been active
E. Sends Cisco IOS data from the Cisco Security MARS database to a network file server
F. Lets you add or delete disks in the Cisco Security MARS devices that support RAID configuration without powering down the devices

Answer: A, C

Explanation:

Source: Cisco Press

The pnreset command resets the CS-MARS device to factory defaults. This includes erasing the license file. You must write down the license key before doing a reset, because when you reconfigure the device the license key is required. When pnreset is completed, the database structures are cleared, set, and initialized.

QUESTION 15:

Which one of the following incident types is pushed from a local controller to a global controller?

A. Any incidents on the local controller
B. Incidents on the local controller triggered by predefined system rules
C. Incidents on the local controller triggered by local rules
D. True positive incidents on the local controller
E. Incidents on the local controller that are manually selected for escalation to the global controller

Answer: B

Explanation: The LC only pushes incidents coming from Global Rules (System-defined Rules are included) up to the GC.

QUESTION 16:

What enables the Cisco Security MARS appliance to profile network usage and detect statistically significant anomalous behavior from a computed baseline?

A. Cisco Security MARS Global Controller
B. NetFlow
C. Cisco Security Manager
D. Cisco Security MARS custom Parser

Answer: B

Explanation:

Source: Page 81 of the 4.2.x User Guide

How MARS Uses NetFlow Data

When MARS is configured to work with NetFlow, you can take advantage of NetFlow's anomaly detection using statistical profiling, which can pinpoint day zero attacks like worm outbreaks. MARS uses NetFlow data to accomplish the following:

- Profile the network usage to determine a usage baseline
- Detect statistically significant anomalous behavior in comparison to the baseline
- Correlate anomalous behavior to attacks and other events reported by network IDS/IPS

mode where it looks for statistically significant behavior, such as the current value exceeding the mean by 2 to 3 times the standard deviation.
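The NetFlow explanations quoted under Questions 11 and 16 describe the detection as a two-phase statistical profile: learn a usage baseline over a full week, then flag a current value that exceeds the baseline mean by 2 to 3 standard deviations. The following is an added example of that technique in Python; it is not Cisco code and not from the exam dump. The per-hour-of-day profiling, the function names (`build_profiles`, `is_anomalous`, `scan`) and the sample flow counts are this example's own constructions.

```python
"""
Statistical-profile anomaly detection of the kind the MARS NetFlow explanation
describes: learn a usage baseline over a learning period, then in detection
mode flag a current value that exceeds the mean by 2 to 3 standard deviations.

Added example, not Cisco code. The per-hour profiling, the function names and
the sample counts below are all constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Baseline:
    mean: float
    stdev: float

    def threshold(self, k: float) -> float:
        """Value above which an observation counts as statistically significant."""
        return self.mean + k * self.stdev


def build_profiles(week):
    """Learning mode: `week` is an iterable of (hour_of_day, flow_count) samples.

    One Baseline is kept per hour of day, so a quiet night-time hour is not
    judged against the mean of the busy afternoon."""
    by_hour = defaultdict(list)
    for hour, count in week:
        by_hour[hour].append(count)
    profiles = {}
    for hour, counts in by_hour.items():
        if len(counts) < 2:
            raise ValueError(f"hour {hour}: need several days of samples to profile")
        profiles[hour] = Baseline(mean(counts), pstdev(counts))
    return profiles


def is_anomalous(baseline, current, k=2.5):
    """Detection mode: True when `current` exceeds mean + k * stdev.

    k is kept within the 2..3 range the explanation gives. A flat baseline
    (stdev 0) means any increase at all is flagged, which is one reason the
    learning period should cover a full week, weekend included."""
    if not 2.0 <= k <= 3.0:
        raise ValueError("k should be between 2 and 3 standard deviations")
    return current > baseline.threshold(k)


def scan(profiles, observations, k=2.5):
    """Return (hour, count, threshold) for each observation above its hour's baseline."""
    hits = []
    for hour, count in observations:
        base = profiles.get(hour)
        if base is None:
            continue  # no baseline learned for this hour, so it cannot be judged
        if is_anomalous(base, count, k):
            hits.append((hour, count, round(base.threshold(k), 2)))
    return hits


# Constructed learning data: seven daily samples for two hours of the day.
WEEK = (
    [(2, c) for c in (20, 20, 20, 20, 20, 22, 18)]            # quiet night hour
    + [(14, c) for c in (100, 100, 100, 100, 100, 107, 93)]  # busy afternoon hour
)

# Constructed detection-mode observations: a night-time burst and a normal afternoon.
TODAY = [(2, 60), (14, 105)]

if __name__ == "__main__":
    profiles = build_profiles(WEEK)
    for hit in scan(profiles, TODAY):
        print("anomalous:", hit)
```

With the constructed data the afternoon value of 105 stays under its threshold (mean 100 plus 2.5 standard deviations, about 109.4), while the night-time value of 60 is far above its threshold of about 22.7 and is reported. Raising `k` toward 3 trades sensitivity for fewer false positives, which is the same tuning decision the exam's drop-rule questions are about.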

QUESTION 17:

DRAG DROP

You work as a network administrator at Certkiller.com. Your boss, Mrs. Certkiller, is interested in Cisco definitions. Match the terms with the appropriate definitions.

Source: Page 416 of the 4.2.x User Guide

Report Type Views: Total vs Peak vs Recent

Where alerts provide up-to-the-minute views of high-priority incidents, reports aggregate

Which statement is true about the case management feature of Cisco Security MARS?

A. Cases are created on a global controller, but they can be viewed and modified on a local controller
B. The global controller has a Case bar and all cases are selected from the Query/Reports > Case Page
C. Cases are created on a local controller, but they can be viewed and modified on a global controller
D. The cases page on a local controller has an additional drop-down filter to display cases per a global controller

Answer: C

Explanation: page 359 of the User Guide

QUESTION 21:

Which two steps are required to represent a Check Point device in the Cisco Security MARS? (Choose two.)

A. Define Primary Management station
B. Define Secure Internal Communicator (SIC)
C. Define Child Enforcement Module(s)
D. Define Security Contexts
E. Define Check Point OPSEC
F. Define Parent Enforcement Module

Answer: A, C

Explanation:

Page 167 of the 4.2.x User Guide:

Add and Configure Check Point Devices in MARS

After you identify and bootstrap the Check Point reporting devices and install the policies

are running

the primary management station

QUESTION 22:

What is a supported mitigation feature on the Cisco Security MARS appliance?

A. Generating and pushing configuration commands to Layer 2 devices
B. Automatically dropping all suspected traffic at the nearest IPS appliance
C. Storing and identifying NetFlow data for attack mitigation
D. Generating and pushing configuration commands to Layer 3 devices

Answer: A

QUESTION 23:

Once data archiving has been enabled on the Cisco Security MARS appliance, when does archiving initially occur?

A. Data is archived via NFS when a new incident occurs
B. Data is archived when a configuration change occurs on the Cisco Security MARS
C. Data is archived nightly as a scheduled operation
D. Whenever a new event is received, data will be archived via NFS
E. Data is archived off the Cisco Security MARS via NFS when the Cisco Security MARS database fills up

Answer: C

Explanation:

Source: Page 485 of the 4.2.x User Guide

Archive server. Retrieving raw messages, or event data, from an archive server is much

more current than an hour old, you should select the Database option to ensure that correct data is retrieved. For all other periods, the archive server option is recommended.

QUESTION 24:

Which statement is true about the case management feature of Cisco Security MARS?

A. The global controller has a Case bar and all cases are selected from the Query/Reports > Cases page
B. The cases page on a local controller has an additional drop-down filter to display cases per a global controller
C. Cases are created on a global controller, but they can be viewed and modified on a

A. Load the devices from seed files
B. Use SNMP auto discovery
C. Import the devices from CiscoWorks
D. Manually add the devices, one at a time
E. Use CDP to automatically discover the neighboring devices
F. Import the devices from Cisco Security Manager

Answer: A, B, D

QUESTION 26:

Exhibit:

Refer to the Cisco Security MARS Event Management partial screen shown above. Which two statements are correct? (Choose two.)

A. PIX and FWSM syslog message (104001) are normalized into a single event (Event ID 1104001)
B. Event ID 1104001 is triggered if ALL of the syslog messages under the Device Event ID column are received by the Cisco Security MARS within a predefined time frame
C. Event ID 1104001 is a low-severity event
D. Info/Misc/FW is a user-defined rule that normalizes events into a single event
E. Event ID 1104001 belongs in an event group that includes generic informational events from firewalls

Once data archiving has been enabled on the Cisco Security MARS appliance, when does archiving initially occur?

A. Data is archived nightly as a scheduled operation
B. Data is archived when a configuration change occurs on the Cisco Security MARS
C. Data is archived via NFS when a new incident occurs
D. Data is archived off the Cisco Security MARS via NFS when the Cisco Security MARS database fills up
E. Whenever a new event is received, data will be archived via NFS

Which statement best describes the case management feature of Cisco Security MARS?

A. It is used in conjunction with the Cisco Security MARS incident escalation feature for incident reporting
B. It is used to capture, combine and preserve user-selected Cisco Security MARS data within a specialized report
C. It is used to automatically collect and save information on incidents, sessions, queries and reports dynamically without user intervention
D. It is used to very quickly evaluate the state of the network

Posted: 20/03/2019, 16:22
