1 SIEM Orchestration How McAfee Enterprise Security Manager can drive action, automate remediation, and increase situational awareness Scott Taschler, Solution Architect, McAfee
2 Table of Contents Introduction Orchestration Triggers Orchestrating Action McAfee epolicy Orchestrator (McAfee epo ) Reporting on Suspicious Systems Practical Example: Flagging suspicious systems for follow-up Dynamic McAfee epo Policy Changes Trigger McAfee epo Client Task Execution Practical Example: Quarantine and remediation of compromised system McAfee epo Configuration McAfee Network Security Platform (NSP) Configuring McAfee Network Security Platform Practical Example: Behavior-based blacklisting McAfee Vulnerability Manager (MVM) Configuring McAfee Vulnerability Manager Orchestrating actions with other tools Configuring Scripting Other Examples Next Steps
3 Over the last 2 decades, Security Information and Event Management (SIEM) adoption has increased dramatically, driven largely by compliance requirements such as PCI DSS and SOX, as well as the needs of incident response teams. As adoption increased, enterprises quickly realized the value of the SIEM in providing situational awareness: visibility into activities occurring around the enterprise, and the ability to identify and track security incidents as they occur. Good situational awareness allows enterprises to detect attacks sooner, and as a result react more nimbly. Introduction Times change. According to Verizon s 2013 Data Breach report, 84 percent of today s exploits and 69 percent of data exfiltrations are executed in hours or less. However, from the time attacks are detected, 77 percent of incidents took days, weeks, or months to contain. 1 Attacks and loss happen in minutes. Response takes days and weeks. This slow response is driven largely by processes and tools that have not kept up with the rapid acceleration in attack speed. Attack responses often are loosely coordinated affairs, requiring the cooperation of multiple teams across the enterprise. Efforts follow manual workflows that require human intervention at multiple steps along the way. If there is to be any hope of stopping intrusions before the damage is done, we must find ways to optimize and automate these processes as much as possible. Similar evolution occurred in the Network Intrusion Detection System (NIDS) space in the early 2000s. At that time, NIDS were well established methods of identifying network-based attacks, based largely on attack signatures. As detection methodologies improved, administrators realized that it was feasible to rely on these tools to make policy enforcement decisions, and actually block known attacks; the Network Intrusion Prevention System (NIPS) was born. While not a silver bullet, NIPS significantly raised the bar that an attacker needed to cross in order to execute a successful attack. Ten years later, SIEM is at the same crossroads. No longer is it sufficient to simply detect threats to our networks. SIEM can be used not just to improve situational awareness, but as a platform to orchestrate responses, and to stop attacks well before they become breaches. This document begins by outlining the kinds of activities that are well suited to orchestration. Following this, we ll take a deep look at McAfee Enterprise Security Manager, the McAfee SIEM, and examine how it works as part of the McAfee Security Connected platform to optimize incident response processes. 1
4 Orchestration Triggers The first step in effectively responding to an attack is identifying triggers that will begin the process. The best triggers clearly describe a suspicious or malicious behavior, with enough precision that the reaction to it is clear. Triggers must also be highly accurate, if they are to be relied upon for automated responses. Below are a few examples. Anti-social behaviors. Most enterprises will see activities coming from within or outside their networks that, while not immediately alarming, are clearly not related to their business. Often times these behaviors are the precursors to an actual attack. Password guessing. High volumes of incorrect passwords are indicators of automated tools used by attackers to attempt to guess user credentials. Network Reconnaissance. Host scans, port scans, and similar activities are equivalent to jiggling the doorknob of a house to see if it s locked. This kind of activity should only originate from very trusted partners. Application Reconnaissance. Attackers will often begin a campaign with a series of probes designed to understand the attack surface of their target. This activity may be seen in application logs as high volumes of requests from a host, often for resources that do not exist. These activities happen so frequently in most organizations that it is not feasible for human analysts to follow up on each one. As a result, the records of these activities become simple fodder for regular executive rollup reports, or perhaps part of the evidence chain uncovered while investigating a breach. However, an effective SIEM platform can take appropriate actions in response to these behaviors, and stop attacks at their earliest stages. Signs of malware infection. Fighting malware is a daily part of the job for any enterprise security professional. Most malware is detected and dealt with efficiently by technologies at the endpoint (such as McAfee Endpoint Protection Suites) and malware detection in network devices, including next-generation firewalls (McAfee Next Generation Firewall powered by Stonesoft), network intrusion prevention systems (McAfee Network Security Platform), web protection gateways (McAfee Web Gateway), and advanced threat protection appliances (McAfee Advanced Threat Defense). However, when especially targeted or evasive malware does get around these defenses, it can be difficult to detect and eradicate. Signs of malware infection include: o Alerts and blocking based on IPS events. Most IPS products include signatures designed to identify traffic associated with o o botnet command-and-control networks, and similar behaviors. Communication with suspicious hosts. Many IPSs and SIEMs today incorporate geolocation, reputation feeds, and other contextual feeds that allow enterprises to track known malicious hosts and communication patterns within the enterprise. Internal hosts seen to be communicating with suspect hosts in other parts of the world merit additional follow-up as these activities are indicators of infected hosts. DNS requests. DNS requests for resolution of domain names that are associated with known purveyors of malware are clear signs of infection. Anomalous behaviors. In any network there are unexplained, outlier behaviors that can be excellent signs of systems that have been subverted or are otherwise not being used for their intended purpose. o NetFlow volumes and patterns. NetFlow records provide useful metadata about what systems are communicating, and o how much, in the enterprise. While individual NetFlow records may provide little useful information, over time, NetFlow records can be aggregated to establish a unique fingerprint that identifies how and when a system (or a class of systems) communicates. Deviations from this baseline can provide useful indicators of compromise. Suspicious network traffic. Tools such as McAfee Network Threat Behavior Analysis (used with the McAfee Network Security Platform) collect and analyze traffic from the entire network host and applications to detect unusual behavior resulting from worms, botnets, zero-day threats, spam, and reconnaissance attacks. While most enterprises strive to investigate these types of events, the sheer volume can quickly become overwhelming to incident responders. Even running a simple malware scan on a likely infected host may take hours or days to get scheduled, depending on the organization s operational maturity. All the while, the malware is free to execute the attacker s payload, perhaps exfiltrating data, or free simply to spread more deeply into the enterprise. What s needed is a simple, automated method to stop attacks as soon as they are detected. Freezing the attack gives responders breathing room to investigate the scope and take advanced remediation steps as needed. Orchestrating Action McAfee Enterprise Security Manager provides a rich platform to automate responses to the kinds of triggers discussed above. McAfee Enterprise Security Manager has direct ties into many pieces of the McAfee Security Connected Platform, which allows administrators to orchestrate responses easily without complicated custom integrations. In addition, McAfee Enterprise Security Manager provides open interfaces to allow integration with third-party products.
5 McAfee Enterprise Security Manager actions are driven by alarms triggered by a wide range of events, including those described above. You can configure each alarm to launch a variety of actions. Below we'll discuss some of the orchestration options possible with McAfee Enterprise Security Manager and its complementary products. McAfee epolicy Orchestrator (McAfee epo ) Integrated closely with McAfee Enterprise Security Manager, McAfee epo provides policy-based management of a wide range of endpoint, data center, and network security countermeasures, including antivirus, host intrusion prevention, whitelisting, activity monitoring, and data loss prevention. McAfee epo lets administrators categorize systems via manual or criteria-based tags, which may then be used as the basis for assigning configuration profiles to assets, launching tasks on managed endpoints, or filtering dashboards and reports. McAfee Enterprise Security Manager integrates with McAfee epo via the epo Web API. Through this channel, McAfee Enterprise Security Manager can assign tags to systems in epo in response to triggers seen by McAfee Enterprise Security Manager, just as a McAfee epo admin might do via the epo GUI. Through tags, McAfee Enterprise Security Manager can automate many first response actions, helping organizations respond to attacks more quickly and efficiently than would be possible when relying on SOC staff to drive incident responses. McAfee epo initiates policy-based responses to systems under attack. Reporting on Suspicious Systems In one of the simplest use cases, a tag may be used as a filter for a dashboard or a report in McAfee epo. Security operations staff often use a custom dashboard or role-based report to regularly monitor the status of the technologies managed via McAfee epo, and to identify events where a response may be necessary. This process provides excellent visibility into the different security countermeasures that McAfee epo manages, but is blind to the rest of the enterprise environment. McAfee Enterprise Security Manager provides deep situational awareness to complement standard McAfee epo visibility. By assigning the proper tags, McAfee Enterprise Security Manager can quickly and automatically bring systems exhibiting suspicious behaviors to the attention of endpoint security operations. Security operations can then take appropriate actions as needed. Practical Example: Flagging suspicious systems for follow-up In many enterprises, the team that handles endpoint security leverages McAfee epo as a tool to drive day-to-day workflow for incident response. For example, a system that reports large volumes of repeated malware infections in a short time often has additional undetected malware running behind the scenes. In this circumstance, the system requires human analysis to review its state and health, and identify additional remediation steps needed. Tagging helps incident response staff track systems that require investigation. A specified McAfee epo tag may be used as a filter for a McAfee epo dashboard or report, which in turn is monitored by incident response staff to drive daily remediation activities. This approach may be extended easily to allow McAfee Enterprise Security Manager to tag suspicious systems based on a wide variety of criteria.
6 Endpoint security staff gain greater awareness of enterprise security posture and can prioritize remediation efforts on the systems with the most severe security issues. Setup: McAfee epo. In order to take advantage of this use case, it's first necessary to perform appropriate setup in McAfee epo. o Identify or create a McAfee epo tag to use as a means to flag systems that require manual analysis. For purposes of o discussion, we'll name this tag "FILTER: Suspicious Systems". Set up this tag as a manual tag in McAfee epo. Identify or create a dashboard in McAfee epo that will be used to track suspicious systems. Each query in the dashboard should include the "FILTER: Suspicious Systems" tag as a filter, ensuring only data associated with tagged systems are displayed. For our purposes, we will use the tag as a filter for the McAfee epo System Tree. Identify SIEM Trigger. The next step is to identify the conditions seen by McAfee Enterprise Security Manager on which you would like to trigger. The potential triggers here are virtually limitless. They depend largely on the data sources that are present in your SIEM; the correlation rules that you have at your disposal; and the types of things into which the endpoint security team would like visibility. For our purposes, we'd like to notify the McAfee epo team anytime the enterprise web proxy (such as McAfee Web Gateway) detects an attempt to download a malicious file. These systems deserve inspection since systems that attempt to download malware are often already infected with malware. McAfee Enterprise Security Manager console displays malware detected by McAfee Web Gateway. Enable alarm. While it's certainly possible to manually trigger the McAfee epo tagging action (via the McAfee Enterprise Security Manager action menu), in our example we will automate this process to ensure that the endpoint security ops team has immediate visibility to the latest threats. As the final configuration step, we must configure McAfee Enterprise Security Manager with an alarm that is triggered by the event we've identified above, and takes the action of applying the "FILTER: Suspicious Systems" on the target systems. McAfee Enterprise Security Manager Alarm: McAfee epo Tagging Action.
7 Monitor dashboard in McAfee epo. Once the alarm is configured, you should begin to see systems tagged appropriately in McAfee epo, and they should automatically begin to appear in the "Suspicious Systems" dashboard. After the analyst reviews the systems and takes appropriate remediation steps taken, the analyst can remove the tag, and the system will be removed from the dashboard. Systems with web malware detections flagged as suspicious in McAfee epo. Dynamic McAfee epo Policy Changes In the context of McAfee epo, a policy is a collection of settings that you create and configure, then enforce on a set of managed systems. The McAfee epo console allows administrators to configure user- and systems-based policy settings for all products and systems from a central location. For example, McAfee epo policies provide complete control over all aspects of endpoint security, from the aggressiveness of on-access scanning to the network connections allowed by the endpoint firewall. McAfee McAfee epo policies may be assigned in a number of different ways. One highly flexible method is via Policy Assignment Rules. With McAfee epo Policy Assignment Rules, policies may be assigned to managed systems using a flexible set of criteria and updated on the fly as those criteria change. Asset tags are one of the criteria supported by Policy Assignment Rules in McAfee epo. By leveraging McAfee Enterprise Security Manager to manipulate McAfee epo asset tags in response to triggers, we can modify policies on those assets in near real time in response to changing conditions or detected threats. Essentially, we can take the incremental data that becomes visible through McAfee Enterprise Security Manager-to-McAfee epo integration, and use that data to modify policies that, in turn, affect countermeasures. McAfee epo Policy Assignment Rules. Trigger McAfee epo Client Task Execution A client task in McAfee epo is an action that is pushed to and executed on a managed endpoint. Examples of client tasks include scheduled antimalware scans and deployment of security agent software. Like policies, a client task may be assigned to a system in a variety of ways within McAfee epo. For example, client tasks may be tied to asset tags, such that assigning a tag to a system brings with it a set of associated client tasks.
8 Client task assigned to systems based on McAfee epo asset tags. By leveraging McAfee Enterprise Security Manager to manipulate McAfee epo asset tags in response to triggers, we can immediately execute tasks on managed systems in response to changing conditions or detected threats. Practical Example: Quarantine and remediation of compromised system In the course of investigating an ongoing attack or breach, it sometimes becomes clear that there is a definitive pattern of behaviors that indicate a compromised system. Examples might include communication with a specific IP address, repeated brute-force password guessing attempts, or specific malware detections. Regardless of the indicators, the first step for incident responders should be to isolate the compromised system from the enterprise network as quickly as possible, to minimize the amount of damage that will be done. In this example, we will leverage the SIEM to orchestrate a real-time response with McAfee epo, effectively quarantining the compromised host and launching an aggressive malware scan. These remediation actions should neuter the threat in real time, minimizing the impact much more quickly and effectively than would be possible when relying on human analyst response. Setup: McAfee epo policies and tasks. The first step in meeting this use case is to define a set of lockdown policies and tasks in McAfee epo that will be engaged when McAfee Enterprise Security Manager detects the compromise. Your optimal set of policies will be dictated by the managed products you have in McAfee epo. Below you will find some suggestions: o McAfee Host Intrusion Prevention (HIPS) Firewall: Enable firewall, with highly restrictive rule set o VirusScan Access Protection: Enable Maximum Protection rules. Consider implementing custom rules to block network o o traffic if HIPS is not deployed in your environment. VirusScan On-Access: Enable scanning inside archives, eliminate scanning exclusions, and set Artemis to Very High sensitivity level. VirusScan On-Demand Scan Task: Define a scan task to deeply assess all drives and files, with no exclusions. Sample Lockdown HIPS Firewall Rule Set. Setup: Map McAfee epo policies and tasks to tags. Once you define client tasks and lockdown policies, the next step will be to tie these to one or more tags. In our example, we will define two separate tags: o POLICY: Lockdown o TASK: Aggressive Scan. The first of these tags will be tied to the various lockdown policies via a McAfee epo Policy Assignment Rule, as shown in the screenshots below.
9 Selection of lockdown policies in McAfee epo Policy Assignment rule. Selection of Tag in McAfee epo Policy Assignment Rule. In the case of the On-Demand client task, we will leverage client task assignment criteria in order to automatically enable the Emergency Scan task on any systems with the TASK: Aggressive Scan tag. Tying Task to a McAfee epo Tag, using Task Assignment. We have now completed the setup within McAfee epo. Any systems that are assigned to the relevant tags in McAfee epo will automatically have the proper policies and tasks pushed down the next time the system communicates with McAfee epo. Identify SIEM Trigger. The conditions that are used to trigger the actions in this use case are entirely dependent on the specifics of the threat you wish to respond to. In our example, we will deal with a hypothetical threat, which has three behaviors that are easily observable: o Communication with known malicious IP addresses o Multiple attempts to guess root account passwords o Attempts to download and install malware Given this information, we will define a simple correlation rule that triggers when we see these behaviors together, associated with a single host.
10 A correlation rule can be defined for individual systems. Enable alarm. All that remains is to define a set of actions that will be executed when our triggering rule fires. We will do this by defining an alarm tied to the correlation rule. This alarm will take the primary action of Assign Tag with McAfee epo. Alarm Action: Assign Tag with McAfee epo. We will leverage this alarm to assign both our POLICY and TASK tags to the affected system. We will also check the box labeled Wake up client in the McAfee epo Tagging configuration. By default, McAfee epo clients check in with McAfee epo on a regular interval, which is typically every 1-2 hours. Checking the Wake up client box will ensure that the affected client immediately
11 communicates with McAfee epo, and receives its updated policies and tasks in near real-time. In practice, policy enforcement should occur in less than 1 minute from the time the alarm is triggered. Define Actions: Associate Policy and Task with an Action. McAfee epo Configuration McAfee Enterprise Security Manager can leverage McAfee epo tagging actions for any internal hosts (defined by the Homenet variable in the Network Discovery tab of the ESM Asset Manager). McAfee Enterprise Security Manager can drive McAfee epo tagging actions in two ways. First, McAfee epo tags may be assigned manually by a SIEM analyst, via the actions menu in the McAfee Enterprise Security Manager UI. In this model, a SIEM analyst identifies a triggering event via manual review and leverages McAfee epo tagging to orchestrate follow-up activity on the affected system. Manual Assignment of McAfee epo Tags. When the McAfee epo Tagging option is selected by the analyst, he or she is presented with a list of tags that have been defined in McAfee epo, and is then free to select the tags appropriate for the actions the analyst wishes to take. McAfee epo tags may also be applied to systems in McAfee epo automatically, by leveraging McAfee Enterprise Security Manager alarms. Alarms are triggered by a wide range of conditions, and each alarm has a set of actions associated with it that are executed when the alarm triggers. Assign Tag with McAfee epo is one of the supported options.
12 Automated Assignment of McAfee epo Tags via Alarm Actions. As in the manual case described above, when a system administrator clicks the Configure button seen above, the system presents a list of tags that have been defined in McAfee epo. The administrator can then select the appropriate tags for the actions desired in response to the defined conditions. As you can see, with proper configuration within McAfee epo, asset tags can be used to allow McAfee Enterprise Security Manager to exert a high degree of control over the security posture of a system managed by McAfee epo, either as part of a manual incident analysis process, or automatically. McAfee Network Security Platform (NSP) The McAfee Network Security Platform provides a full range of network-based intrusion detection and prevention features. The Network Security Platform includes a number of components: McAfee Network Security Manager (NSM). The McAfee Network Security Manager provides centralized management, analysis, and reporting capabilities for McAfee Network Security Platform. NSP Sensors. Sensors are deployed on network segments to monitor traffic and enforce security policy as configured in the McAfee Network Security Manager. McAfee Network Security Platform sensors, when deployed inline on a network segment, provide the ability to block attacks in real time. McAfee Network Threat Behavior Analysis (NTBA). McAfee Network Threat Behavior Analysis collects and analyzes traffic from the entire network host and applications to detect worms, botnets, zero-day threats, spam, and reconnaissance attacks. It reports any unusual behavior to help you maintain a comprehensive and efficient network security infrastructure. McAfee Network Security Platform provides a highly intelligent security solution that discovers and blocks sophisticated threats in the network. However, like any IPS, its visibility (and ability to react) is limited based on where McAfee Network Security Platform Sensors are deployed. McAfee Enterprise Security Manager is a natural complement to McAfee Network Security Platform. The McAfee Enterprise Security Manager access to activity logs from the entire enterprise gives it global visibility that is often missing in network-based security controls. McAfee Enterprise Security Manager integrates to McAfee Network Security Manager via the McAfee Network Security Platform Open API.
13 Overview of McAfee Enterprise Security Manager/McAfee Network Security Platform Operational Workflow. Configuring McAfee Network Security Platform From within the McAfee Enterprise Security Manager Console, McAfee Network Security Platform blacklist actions are available for any hosts, internal or external. Successful blacklisting requires a McAfee Network Security Platform sensor to be deployed inline; only network traffic that traverses an McAfee Network Security Platform sensor can be blocked in this manner. In practice, this tends to limit blacklisting to network choke points, such as perimeter links or data center boundaries. In addition to inline deployment, a few configuration steps are necessary within McAfee Network Security Platform before McAfee Network Security Platform blacklisting can be enforced. On the McAfee Network Security Manager, an appropriate Network Access Zone should be defined, which outlines precisely what traffic is blocked and allowed for any blacklisted hosts. Network Access Zones are defined in the NSM UI under Policy/Intrusion Prevention/IPS Quarantine/Network Access Zones. In addition, the IPS Quarantine feature must be enabled on desired network interfaces. This selection is located under Devices/Policy/IPS Quarantine/Port Settings. McAfee Network Security Platform blacklisting may be driven by McAfee Enterprise Security Manager in two ways. First, blacklist entries may be assigned manually by a SIEM analyst, via the actions menu in the McAfee Enterprise Security Manager UI. In this model, a SIEM analyst identifies a triggering incident via manual review, and leverages NSP blacklisting to block traffic to/from the affected system. Manual Blacklisting of a Suspicious Host. When you select the Blacklist option, you see a list of McAfee Network Security Platform sensors where the blacklist should be enforced. The blacklist entry can be applied to all sensors in your enterprise, via the Global Blacklist, or to an individual sensor you select.
14 For an orchestrated approach, blacklist entries may also be implemented automatically, by leveraging McAfee Enterprise Security Manager alarms. As discussed above under Orchestration Triggers, a wide range of conditions can trigger alarms, with associated actions that execute when the alarm triggers. Blacklist is one of the supported options. Automated Blacklisting via Alarm Actions. As in the manual case described above, when you click the Configure button seen above, the system presents a list of McAfee Network Security Platform sensors. You are then free to select the sensor where the automated blacklist is to be enforced, or to apply the new entry to the Global Blacklist. When integrated with McAfee Network Security Platform, McAfee Enterprise Security Manager becomes a powerful extension of the McAfee Network Security Platform detection engines. McAfee Enterprise Security Manager provides actionable intelligence to the McAfee Network Security Platform Sensor, which can then block attacks in real time. Practical Example: Behavior-based blacklisting Reconnaissance attacks represent one of the most frequently seen types of alerts coming from network-based IDS and firewalls. Reconnaissance activities indicate an adversary is gathering useful information about an enterprise, such as IP addresses in use, open ports, applications, and possible weak passwords. Data gathered during reconnaissance may then used in later phases of a targeted attack. While reconnaissance activity is seen frequently, it can be difficult to act upon. High volumes of this kind of activity make it impossible for security analysts to follow up directly on each incident. The nature of reconnaissance techniques makes it very difficult to block outright without also affecting authorized traffic coming from customers and trusted partners. However, once an attacker has tipped his hat by showing this kind of behavior, we can leverage SIEM to orchestrate an automated response at the network layer, blocking future connections from the attacker. Setup: McAfee Network Security Manager. In this use case we will leverage a McAfee Network Security Platform Sensor to block traffic from the attacker. In order to properly execute the blacklist, we will assume we have a McAfee Network Security Platform Sensor deployed inline on the perimeter Internet connection. You must also define a tightly restricted Network Access Zone, and enable quarantine on the relevant McAfee Network Security Platform Sensor interface. Identify SIEM Trigger. There are wide ranges of reconnaissance activities that represent reasonable triggers for a McAfee Network Security Manager quarantine action. While it might be tempting to aggressively block based on any type of reconnaissance activity, care must be taken to avoid reacting to potential false positive events. Initially, it's best to focus on a small number of behaviors that represent clear and accurate signs of bad intent. Good candidates include activities such as repeated failed login attempts, or repeated connections from known malicious IPs, which are unlikely to be triggered benignly. In our example, we will look for high volumes of HTTP 404 (File not Found) logs coming from an Apache web server. High volumes of these logs are very good indicators that an adversary is fingerprinting a web application, identifying the surface area available for a future attack. In order to provide flexibility in tuning this behavior pattern, we'll define a custom correlation rule in McAfee Enterprise Security Manager.
15 HTTP Reconnaissance Correlation Rule. Enable alarm: Finally, we will configure an alarm in McAfee Enterprise Security Manager. Our alarm will be triggered based on our custom correlation rule defined above. When the alarm is triggered, we will signal the McAfee Network Security Platform Sensor to block traffic for a duration of 60 minutes. In addition, we will trigger a report to run against the McAfee Enterprise Security Manager database and automatically sent via to a security analyst. This report will include a summary of all activity seen from the source of the reconnaissance activity, for review by security analyst staff. ESM Alarm Configuration. McAfee Vulnerability Manager (MVM) McAfee Vulnerability Manager provides enterprises with a comprehensive, network-based vulnerability scanner, as well as tools and workflow to manage vulnerability remediation. Vulnerability data can be very useful to incident responders, as it helps to verify whether
16 individual hosts are at risk to specific attacks. In many circumstances, though, vulnerability scan data can be quite out-of-date; most enterprises tend to scan monthly or quarterly, in order to meet compliance requirements. During an incident response, it s critical to have immediate access to the most current, accurate information on security posture. Configuring McAfee Vulnerability Manager McAfee Enterprise Security Manager integrates with McAfee Vulnerability Manager via the McAfee Vulnerability Manager OpenAPI and is easily configured by entering proper McAfee Vulnerability Manager credentials into the McAfee Enterprise Security Manager UI. Once connected, McAfee Enterprise Security Manager provides the ability to initiate a real-time vulnerability scan directly from the McAfee Enterprise Security Manager console. This integration ensures that analysts always have immediate access to the detailed information needed in order to make intelligent decisions while responding to security incidents. Overview of ESM/MVM Operational Workflow. Via the actions menu in the McAfee Enterprise Security Manager UI, you can initiate McAfee Vulnerability Manager scans manually for any internal hosts (defined by the Homenet variable in the Network Discovery tab of the ESM Asset Manager). Launching MVM Scan from ESM UI. When triggered, the McAfee Vulnerability Manager Quickscan feature executes a comprehensive vulnerability scan against the selected target host. Scan results are available in the MVM dashboards immediately, and are imported into McAfee Enterprise Security Manager on the next McAfee Vulnerability Manager data synchronization. Orchestrating actions with other tools While McAfee provides simple, pre-built connectivity to many McAfee technologies via existing APIs, McAfee Enterprise Security Manager also provides an open interface to allow orchestrating action with other technologies from third parties. McAfee Enterprise Security Manager can be configured to execute custom scripts in response to triggers. You can write scripts in any scripting language that is supported on the Scripting Host, and then run scripts on a designated Scripting Host or launch them via SSH.
17 Overview of ESM Scripting Operational Workflow. Configuring Scripting Automated scripts may be set up as an alarm action in the McAfee Enterprise Security Manager UI. Within McAfee Enterprise Security Manager, you enter the information necessary to establish SSH communication with the Scripting Host, as well as the path to the script and any needed command-line parameters. McAfee Enterprise Security Manager Script Action Configuration. Once enabled, McAfee Enterprise Security Manager will execute the configured script each time the relevant McAfee Enterprise Security Manager alarm conditions are satisfied. This interface provides a highly flexible means to drive automated actions with a wide range of third party platforms. Common targets for third-party integration include: workflow and ticketing systems, firewalls, and Network Access Control platforms.
18 Other Examples Below are a few additional use case ideas. o Tracking infected systems during a malware outbreak o Trigger: DNS request for specified malware domain associated with the outbreak. o Action 1: Apply McAfee epo filter tag to system, causing it to appear in McAfee epo dashboard and drive McAfee epobased remediation workflow. Action 2: Use custom script to push ACL to third-party firewall or NAC solution, blocking communication with external hosts. Stopping data exfiltration in progress o Trigger: Flow anomaly indicates unusually large volumes of data leaving the network from a single host. o Action: Apply McAfee epo policy tag that brings restrictive Data Loss Prevention policies, to provide enhanced visibility of what s happening on the endpoint. Quarantine if warranted. Alert on unauthorized changes o Trigger: configuration or policy change event coming from a switch, router, or mission-critical application. o Action: Custom script queries change management system to verify that the change was expected. Alerts threat responders Next Steps if change is not authorized. In this paper we have discussed the reality that today s incident responders cannot continue to react manually in time to deal effectively with the expanding threat landscape. The concept of SIEM orchestration provides immediate, automated responses. It is the only way for a modern enterprise to protect against advanced attacks. Consider the examples above and determine how they apply to your organization. Look for activities that take up significant time, and leverage orchestration concepts to automate and optimize where it makes sense. Finally, please share your questions, thoughts, successes, and failures with others in the McAfee Community: Mission College Boulevard Santa Clara, CA McAfee and the McAfee logo, McAfee epolicy Orchestrator, McAfee Enterprise Security Manager, McAfee Network Security Manager, McAfee Network Security Platform and McAfee Vulnerability Manager are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright 2013 McAfee, Inc gde_SIEM L4_1013
Using SIEM for Compliance, Threat Management, & Incident Response Security information and event management (SIEM) tools are designed to collect, store, analyze, and report on log data for threat detection,
McAfee Global Threat Intelligence File Reputation Service Best Practices Guide for McAfee VirusScan Enterprise Software Table of Contents McAfee Global Threat Intelligence File Reputation Service McAfee
Unified Security Reduce the Cost of Compliance Introduction In an effort to achieve a consistent and reliable security program, many organizations have adopted the standard as a key compliance strategy
Security Secure server workloads with low performance impact and integrated management efficiency. Suppose you had to choose between securing all the servers in your data center physical and virtual or
RSA Security Analytics This is what SIEM was Meant to Be 1 The Original Intent of SIEM Single compliance & security interface Compliance yes, but security? Analyze & prioritize alerts across various sources
Modular Network Security Tyler Carter, McAfee Network Security Surviving Today s IT Challenges DDos BOTS PCI SOX / J-SOX Data Exfiltration Shady RAT Malware Microsoft Patches Web Attacks No Single Solution
Sponsored by McAfee Security Intelligence in Action: SANS Review of McAfee Enterprise Security Manager (ESM) 9.2 May 2013 A SANS Whitepaper Written by Dave Shackleford The ESM Interface Page 2 Rapid Event
White Paper Secure Virtualization in the Federal Government Achieve efficiency while managing risk Table of Contents Ready, Fire, Aim? 3 McAfee Solutions for Virtualization 4 Securing virtual servers in
Solution Overview Cisco Advanced Malware Protection Breach Prevention, Detection, Response, and Remediation for the Real World BENEFITS Gain unmatched global threat intelligence to strengthen front-line
Data Sheet Cisco Advanced Malware Protection for Endpoints Product Overview With today s sophisticated malware, you have to protect endpoints before, during, and after attacks. Cisco Advanced Malware Protection
Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS CONTENTS PAGE RECONNAISSANCE STAGE 4 INCURSION STAGE 5 DISCOVERY STAGE 6 CAPTURE STAGE 7 EXFILTRATION STAGE
Data Sheet Cisco Advanced Malware Protection for Endpoints Product Overview With today s sophisticated malware, you have to protect endpoints before, during, and after attacks. Cisco Advanced Malware Protection
McAfee Acquires NitroSecurity McAfee announced that it has closed the acquisition of privately owned NitroSecurity. 1. Who is NitroSecurity? What do they do? NitroSecurity develops high-performance security
DATA SHEET Extreme Networks Security Analytics G2 Vulnerability Manager Improve security and compliance by prioritizing security gaps for resolution HIGHLIGHTS Help prevent security breaches by discovering
datasheet Trend Micro deep security as a service Advanced Security Built for the Cloud Organizations are embracing the economic and operational benefits of cloud computing, turning to leading cloud providers
McAfee Network Security Platform Next Generation Network Security Youssef AGHARMINE, Network Security, McAfee Network is THE Security Battleground Who is behind the data breaches? 81% some form of hacking
ESG Brief Enterprise Organizations Need Contextual- security Analytics Date: October 2014 Author: Jon Oltsik, Senior Principal Analyst Abstract: Large organizations have spent millions of dollars on security
Solutions Brochure Security that Builds Equity Security Connected for Financial Services Safeguard Your Assets Security should provide leverage for your business, fending off attacks while reducing risk
IBM QRadar Security Intelligence April 2013 1 2012 IBM Corporation Today s Challenges 2 Organizations Need an Intelligent View into Their Security Posture 3 What is Security Intelligence? Security Intelligence
IBM Security Security Intelligence What is Security Intelligence? Security Intelligence --noun 1.the real-time collection, normalization and analytics of the data generated by users, applications and infrastructure
WildFire WildFire automatically protects your networks from new and customized malware across a wide range of applications, including malware hidden within SSL-encrypted traffic. WildFire easily extends
WHITEPAPER DATA SHEET Speed Up Incident Response with Actionable Forensic Analytics Close the Gap between Threat Detection and Effective Response with Continuous Monitoring January 15, 2015 Table of Contents
Cisco IPS Tuning Overview Overview Increasingly sophisticated attacks on business networks can impede business productivity, obstruct access to applications and resources, and significantly disrupt communications.
IBM SECURITY QRADAR INCIDENT FORENSICS DELIVERING CLARITY TO CYBER SECURITY INVESTIGATIONS Gyenese Péter Channel Sales Leader, CEE IBM Security Systems 12014 IBM Corporation Harsh realities for many enterprise
McAfee Endpoint Security Frequently Asked Questions Overview You re facing new challenges in light of the increase of advanced malware. Limited integration between threat detection, network, and endpoint
How McAfee Endpoint Security Intelligently Collaborates to Protect and Perform McAfee Endpoint Security 10 provides customers with an intelligent, collaborative framework, enabling endpoint defenses to
Under the Hood of the System The Nuts and Bolts of the Dynamic Attack Chain 1 Balazs Csendes IBM Security Intelligence Leader, CEE firstname.lastname@example.org 1 You are an... IT Security Manager at a retailer
Intel Security Certified Product Specialist Security Information Event Management (SIEM) Why Get Intel Security Certified? As technology and security threats continue to evolve, organizations are looking
McAfee Web Gateway Administration Intel Security Education Services Administration Course Training The McAfee Web Gateway Administration course from Education Services provides an in-depth introduction
IBM Security QRadar Vulnerability Manager Improve security and compliance by prioritizing security gaps for resolution Highlights Help prevent security breaches by discovering and highlighting high-risk
Vulnerability Management Buyer s Guide Buyer s Guide 01 Introduction 02 Key Components 03 Other Considerations About Rapid7 01 INTRODUCTION Exploiting weaknesses in browsers, operating systems and other
DATA SHEET Advanced Threat Protection INTRODUCTION Customers can use Seculert s Application Programming Interface (API) to integrate their existing security devices and applications with Seculert. With
Applying Internal Traffic Models to Improve Identification of High Fidelity Cyber Security Events Abstract Effective Security Operations throughout both DoD and industry are requiring and consuming unprecedented
Palo Alto Networks and Splunk: Combining Next-generation Solutions to Defeat Advanced Threats Executive Summary Palo Alto Networks strategic partnership with Splunk brings the power of our next generation
PRODUCT BRIEF uugiven today s environment of sophisticated security threats, big data security intelligence solutions and regulatory compliance demands, the need for a log intelligence solution has become
Threat Center Real-time multi-level threat detection, analysis, and automated remediation Description Advanced targeted and persistent threats can easily evade standard security, software vulnerabilities
IBM Security QRadar SIEM & Fortinet / FortiAnalyzer Introducing new functionality for IBM QRadar Security Intelligence Platform: integration with Fortinet s firewalls and logs forwarded by FortiAnalyzer.
BROCHURE The Value of QRadar QFlow and QRadar VFlow for Security Intelligence As the security threats facing organizations have grown exponentially, the need for greater visibility into network activity
APPLICATION NOTE COORDINATED THREAT CONTROL Interoperability of Juniper Networks IDP Series Intrusion Detection and Prevention Appliances and SA Series SSL VPN Appliances Copyright 2010, Juniper Networks,
Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities Protecting a business s IT infrastructure is complex. Take, for example, a retailer operating a standard multi-tier infrastructure
White Paper McAfee Security Architectures for the Public Sector End-User Device Security Framework Table of Contents Business Value 3 Agility 3 Assurance 3 Cost reduction 4 Trust 4 Technology Value 4 Speed
IBM Software January 2013 IBM Security QRadar QFlow Collector appliances for security intelligence Advanced solutions for the analysis of network flow data 2 IBM Security QRadar QFlow Collector appliances
SYMANTEC Unified Security, ATP and more TAKE THE NEXT STEP Martin Werner PreSales Consultant, Symantec Switzerland AG MEET SWISS INFOSEC! 27.01.2016 Unified Security 2 Symantec Enterprise Security Users
White Paper Time for Integrated vs. Bolted-on IT Security Cyphort Platform Architecture: Modular, Open and Flexible Overview This paper discusses prevalent market approaches to designing and architecting
McAfee VirusScan and epolicy Orchestrator Administration Course Intel Security Education Services Administration Course Training The McAfee VirusScan and epolicy Orchestrator Administration course from
: INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS 1 FIVE KEY RECOMMENDATIONS During 2014, NTT Group supported response efforts for a variety of incidents. Review of these engagements revealed some observations
Business white paper Missioncritical defense Creating a coordinated response to application security attacks Table of contents 3 Your business is under persistent attack 4 Respond to those attacks seamlessly
Whitepaper A New Perspective on Protecting Critical Networks from Attack: Why the DoD Uses Advanced Network-traffic Analytics to Secure its Network 2014: A Year of Mega Breaches A Ponemon Study published
DMZ Virtualization Using VMware vsphere 4 and the Cisco Nexus 1000V Virtual Switch What You Will Learn A demilitarized zone (DMZ) is a separate network located in the neutral zone between a private (inside)
Advanced Threat Protection Automatic Traffic Log Analysis APTs, advanced malware and zero-day attacks are designed to evade conventional perimeter security defenses. Today, there is wide agreement that
DeltaV Systems Service Data Sheet Endpoint Security for DeltaV Systems Essential protection that consolidates endpoint and data security. Reduces the time and effort spent deploying and managing security
Product Guide Data Center Connector 3.0.0 for OpenStack For use with epolicy Orchestrator 5.1.0 Software COPYRIGHT Copyright 2014 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee,
SOLUTION OVERVIEW: ALERT LOGIC THREAT MANAGER WITH ACTIVEWATCH DETECT AND RESPOND TO THREATS FROM THE DATA CENTER TO THE CLOUD Protecting your infrastructure requires you to detect threats, identify suspicious
Case Study for XY Bank End-user Security Analytics Strengthens Protection with ArcSight INTRODUCTION Detect and respond to advanced persistent threats (APT) in real-time with Nexthink End-user Security
The Advanced Attack Challenge Creating a Government Private Threat Intelligence Cloud The Advanced Attack Challenge One of the most prominent and advanced threats to government networks is advanced delivery
Installation Guide McAfee Public Cloud Server Security Suite For use with McAfee epolicy Orchestrator COPYRIGHT Copyright 2015 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766,
Advanced Threat Detection: Necessary but Not Sufficient The First Installment in the Blinded By the Hype Series Whitepaper Advanced Threat Detection: Necessary but Not Sufficient 2 Executive Summary Promotion
Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence Chris Poulin Security Strategist, IBM Reboot Privacy & Security Conference 2013 1 2012 IBM Corporation Securing
Top 20 Critical Security Controls July 2015 Contents Compliance Guide 01 02 03 04 Introduction 1 How Rapid7 Can Help 2 Rapid7 Solutions for the Critical Controls 3 About Rapid7 11 01 INTRODUCTION The Need
Effective Threat Management Building a complete lifecycle to manage enterprise threats. Threat Management Lifecycle Assimilation of Operational Security Disciplines into an Interdependent System of Proactive
Web Application Firewall Getting Started Guide August 3, 2015 Copyright 2014-2015 by Qualys, Inc. All Rights Reserved. Qualys and the Qualys logo are registered trademarks of Qualys, Inc. All other trademarks
Technology Blueprint Protect the Network Perimeter Controlling what gets through into and out of your organization LEVEL 1 2 3 4 5 SECURITY CONNECTED REFERENCE ARCHITECTURE LEVEL 1 2 4 5 3 Security Connected
V1.4 August 2 Spambrella Email Continuity SaaS Easy to implement, manage and use, Message Continuity is a scalable, reliable and secure service with no set-up fees. Built on a highly reliable and scalable
ESG Lab Spotlight ProtectWise: Shifting Network Security to the Cloud Date: March 2015 Author: Tony Palmer, Senior Lab Analyst and Aviv Kaufmann, Lab Analyst Abstract: This ESG Lab Spotlight examines the
13/09/2014 Unified Security Management and Open Threat Exchange RICHARD KIRK SENIOR VICE PRESIDENT 11 SEPTEMBER 2014 Agenda! A quick intro to AlienVault Unified Security Management (USM)! Overview of the
ISO 27002 Compliance Guide September 2015 Contents Compliance Guide 01 02 03 Introduction 1 Detailed Controls Mapping 2 About Rapid7 7 01 INTRODUCTION If you re looking for a comprehensive, global framework
SYMANTEC DATA CENTER SECURITY: SERVER ADVANCED 6.5 Advanced protection and hardening for advanced threats. Data Sheet: Security Management Symantec Data Center Security: Server Advanced 6.5 Solution Overviewview
Product Guide Data Center Connector for vsphere 3.0.0 For use with epolicy Orchestrator 4.6.0, 5.0.0 Software COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS
QRadar SIEM and Zscaler Nanolog Streaming Service February 2014 1 QRadar SIEM: Security Intelligence Platform QRadar SIEM provides full visibility and actionable insight to protect networks and IT assets