41-2
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 41 Configuring Global Correlation
Understanding Global Correlation
Network Participation—The sensor sends alert and TCP fingerprint data to the SensorBase Network
so that other users can share in the community knowledge. For more information, see Understanding
Network Participation, page 41-3.
Global correlation has the following goals:
• Dealing intelligently with alerts, thus improving efficacy.
• Improving protection against known malicious sites.
• Sharing telemetry data with the SensorBase Network to improve visibility of alerts and sensor actions on a global scale.
• Simplifying configuration settings.
• Handling the uploads and downloads of the information automatically.
Tip You can use Report Manager to generate reports comparing the number of alerts generated by global
correlation to those generated by traditional IPS inspection. For information on the Inspection/Global
Correlation report, see Understanding General IPS Reports, page 67-17. For information on generating
reports, see Opening and Generating Reports, page 67-18.
For information on how to configure global correlation, see the following topics:
• Global Correlation Requirements and Limitations, page 41-4
• Configuring Global Correlation Inspection and Reputation, page 41-5
• Configuring Network Participation, page 41-7
Understanding Reputation
Much as in human social interaction, reputation is an opinion about a device on the Internet. Reputation
indicates the probability that a particular attacker IP address will initiate malicious behavior, based on its
known past activity. Reputation enables the installed base of IPS sensors to collaborate using the existing
network infrastructure and to identify network devices that are likely to be malicious or infected.
By collecting data about devices and assigning reputation scores to them, the global correlation database
provides important data that the IPS sensor can use to adjust the risk rating of an attack. Risk rating is
the probability that a network event is malicious. Each signature has an associated risk rating. If you
enable global correlation, the IPS sensor computes a score based on the reputation of an attacker and
adds this score to the risk rating of the event. The updated risk rating is then used by your event action
override and filter policies to help determine what actions to take for the event.
Thus, you might have an event that is initially configured to simply produce an alert. But if the attacker
has a bad reputation, the IPS might increase the risk rating to a number high enough that it triggers an
event action override rule that adds the Deny Packet Inline action. As a result, for some source devices the
event simply produces an alert, while for others the event drops the packet in addition to producing the
alert.
Tip The Produce Alert action is added to an event whenever global correlation raises the risk rating of the
event, or when global correlation adds the Deny Packet Inline or Deny Attacker Inline actions.
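The following is an added, self-contained simulation of the adjustment described above; it is not code from the guide or from Cisco IPS. It assumes a 0 to 100 risk rating scale, a reputation score in the range -10 (worst) to 0, a simple score-to-increment mapping, a single override rule firing at risk rating 90, and a constructed reputation table. The point it shows is the one the text makes: the same signature, with the same base risk rating, ends up with different actions depending only on the reputation of the source address.

```python
"""Simulation of how a reputation score raises an event's risk rating and how
event action override rules then choose actions.

Illustrative only: the risk-rating scale, the reputation-to-increment mapping,
the override threshold and the reputation table are all assumptions, not values
taken from the user guide."""

from dataclasses import dataclass

RR_MIN, RR_MAX = 0, 100          # assumed risk-rating scale
DENY_ACTIONS = {"Deny Packet Inline", "Deny Attacker Inline"}


@dataclass(frozen=True)
class Event:
    signature_id: int
    attacker_ip: str
    base_risk_rating: int                     # the signature's own risk rating
    actions: tuple = ("Produce Alert",)       # actions configured on the signature


@dataclass(frozen=True)
class OverrideRule:
    min_risk_rating: int                      # rule fires when RR >= this value
    action: str


# Constructed reputation table (assumption): score in [-10, 0], -10 is the worst.
REPUTATION_DB = {
    "203.0.113.7": -9,     # constructed "known bad" source
    "198.51.100.4": -2,    # constructed mildly suspicious source
    # 192.0.2.10 is absent: no reputation information
}

# Assumed override policy: a high enough risk rating adds Deny Packet Inline.
DEFAULT_RULES = [OverrideRule(min_risk_rating=90, action="Deny Packet Inline")]


def reputation_delta(score):
    """Assumed mapping from reputation score to the amount added to the risk rating.
    A worse reputation (more negative score) yields a larger increase; unknown or
    neutral reputation adds nothing."""
    if score is None or score >= 0:
        return 0
    return -score * 4            # e.g. -9 -> +36, -2 -> +8


def adjusted_risk_rating(event, reputation_db=REPUTATION_DB):
    """Base risk rating plus the reputation-derived score, clamped to the scale."""
    score = reputation_db.get(event.attacker_ip)
    rr = event.base_risk_rating + reputation_delta(score)
    return max(RR_MIN, min(RR_MAX, rr))


def apply_overrides(event, rules=DEFAULT_RULES, reputation_db=REPUTATION_DB):
    """Return (adjusted risk rating, sorted list of actions) for the event.

    Override rules are evaluated against the adjusted risk rating. Produce Alert
    is then added whenever global correlation raised the risk rating or a deny
    action is present, mirroring the behaviour the guide describes."""
    rr = adjusted_risk_rating(event, reputation_db)
    actions = set(event.actions)
    for rule in rules:
        if rr >= rule.min_risk_rating:
            actions.add(rule.action)
    if rr > event.base_risk_rating or actions & DENY_ACTIONS:
        actions.add("Produce Alert")
    return rr, sorted(actions)


if __name__ == "__main__":
    # Same signature and base risk rating, three different sources.
    for ip in ("203.0.113.7", "198.51.100.4", "192.0.2.10"):
        rr, actions = apply_overrides(Event(signature_id=1000, attacker_ip=ip,
                                            base_risk_rating=60))
        print(f"{ip:14} RR {rr:3}  actions: {', '.join(actions)}")
```

Running the block prints one line per source: the known-bad address crosses the assumed threshold and picks up Deny Packet Inline, the mildly suspicious one only has its risk rating raised, and the unknown one keeps the signature's original Produce Alert action.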
Because the global correlation database changes rapidly, the sensor must periodically download global
correlation updates from the global correlation servers.