Monday is book review day at Permit/Deny. I spent the weekend with a copy of Security Monitoring with Cisco Security MARS, by Gary Halleen and Greg Kellogg. The book was published in June 2007 by Cisco Press.
To give a little bit more perspective on the book, it's helpful to know that at the end of 2005, Cisco bought a company called Protego that made a security monitoring and threat management system. That product morphed into CS-MARS (Cisco Security Monitoring, Analysis, and Response System) and is the topic of a rather cursory overview that barely manages to justify the $60.00 cover price.
While the foreword starts off bravely stating that "deploying and using MARS without reading this book is like throwing money away," you could also look here or here for a good overview (and a considerable amount of detail) on planning and implementing a CS-MARS deployment. It looks like that's what the authors did, reproducing some of the most useful project sizing guides from the Cisco documentation in their book.
Security Monitoring with Cisco Security MARS does offer some useful advice about event tuning (see page 152) and succeeds in its attempt to define Cisco's meaning of the term "false-positive." Generally, however, the book is a condensation of Cisco documentation and falls short on offering comments critical of CS-MARS.
For example, the book doesn't attempt to cover the reasons that CS-MARS might be less than effective for a task such as log management. And while the authors bring a significant amount of security experience to the topic, only dribs and drabs of practical suggestions make it onto the page. As such, Security Monitoring with Cisco Security MARS ends up as an expert summary of the product—a step above a whitepaper, but not much.
Security Monitoring with Cisco Security MARS, by Gary Halleen and Greg Kellogg. Published by Cisco Press. ISBN-10: 1-58705-270-9; ISBN-13: 978-1-58705-270-5; Published: Jul 6, 2007; Copyright 2007; Dimensions: 7-3/8 x 9-1/8; Pages: 336; Edition: 1st; Price: $60.00.