Achieving Actionable Situational Awareness... McAfee ESM. Ad Quist, Sales Engineer NEEUR

Transcription

1 Achieving Actionable Situational Awareness... McAfee ESM Ad Quist, Sales Engineer NEEUR

2 The Old SECURITY Model Is BROKEN 2

3 Advanced Targeted Attacks The Reality ADVANCED TARGETED ATTACKS COMPROMISE TO DISCOVERY DISCOVERY TO CONTAINMENT CONTAINMENT 9% Hours 4% 12% Months Years 19% Hours 2% Minutes 23% Months DISCOVERY 11% Days 14% Weeks COMPROMISE ATTACK 64% Weeks 42% Days $8,769 / Incident $3,840,988 / Year 1.2 incidents / Day Sources: Verizon 2013 Data Breach Investigations Report. Securosis Malware Analysis Quant Metrics Model 3

4 Security-Related TCO Is Skyrocketing Multiple products operate in separate functional silos.. Constantly rising costs of operational security.. No efficiency, no effectiveness.. Stale defenses lack adaptive, contextaware capabilities.. Increasingly complex to manage 4

5 Focus technology SIEM SIEM is the Evolution and Integration of Two Distinct Technologies Security Event Management (SEM) Primarily focused on Collecting and Aggregating Security Events Security Information Management (SIM) Primarily focused on the Enrichment, Normalization, and Correlation of Security Events Security Information & Event Management (SIEM) is a Set of Technologies for: Log Data Collection Correlation Aggregation Normalization Retention Analysis and Workflow

6 SIEM main business drivers..

7 Corp. Big Data Challenge Terra/Petta/ Exabyte's of Data APTs Data Active Trending and Usage Analysis Insider Anomalies Large Volume Analysis Compliance Historical Reporting Thousands of Events Perimeter Correlate Events Consolidate Logs

8 The State of SIEM SIEM Promise: Turns Security Data Into Actionable Information Provides an Intelligent Investigation Platform Supports Management and Demonstration of Compliance Legacy SIEM REALITY: VS Antiquated Architectures Force Choices Between Time-to-Data and Intelligence Events Alone Do Not Provide Enough Context to Combat Today s Threats Complex Usability and Implementation Have Caused Costs To Skyrocket

9 SIEM FIT FOR PURPOSE? TRADITIONAL DATA MANAGEMENT

10 McAfee ESM: Delivering on the Promise Meaningful Intelligence Continuous Compliance Big Security Data DB Rapid Response Exceptional Value 11 McAfee Next Generation SIEM

11 McAfee ESM Big Data Ready High Performance Data Management Engine McAfee ESM EDB Highly indexed purpose-built database, enables Integrated log & event collection on a massive scale, at high performance Real-time enrichment of data with context to drive intelligence On-line reporting / analytics on current & historic data in parallel! SMART FAST

12 McAfee ESM (Introduction) acquired in December Was a dedicated SIEM vendor and McAfee Security Innovation Alliance partner since NitroView suite of products rebranded McAfee SIEM in April Products in Gartner s SIEM Magic Quadrant leader quadrant, numerous industry accolades, over seven hundred customers globally across all industry sectors. Numerous patents including McAfee Enterprise Database (EDB) Latest SW release Sept 14 v9.4.2 include integration of: MFE Threat Intelligence Exchange (TIE) MFE Data Exchange Layer (DXL) Event support from third party SIEM vendors: Cisco Mars, Splunk & HP Arcsight

13 Industry Recognition Placed in the Leaders quadrant in Gartner s latest SIEM Magic Quadrant Ranked in the top 3 for Critical Capabilities We have been able to validate Nitro s high performance with large production deployments Winner of InfoWorld s prestigious 2011 Technology of the Year Award for NitroView ESM and ELM solutions This honor is the result of NitroSecurity s #1 ranking, outscoring six other vendors to achieve the highest overall score The best and fastest database in the security industry Very advanced technology and the vision to apply it in a threat management environment An analyst s power tool that provides strong SIEM capabilities in a highly configurable dashboard approach 14 NitroSecurity offers one of the most useful and seamless incident response-focused ESIM products available today The rate at which the NitroEDB can insert and recall data is without a doubt one of the key differentiators offered by NitroSecurity

14 SIEM Competitive Marketplace Gartner SIEM MQ Leader Gartner SIEM MQ 2012 Gartner SIEM MQ 2013 Gartner SIEM MQ 2014

15 McAfee ESM Delivering Next Gen SIEM capabilities See log frequencies Search for logs Correlate events What data is involved? Who is doing it? Are they a bad actor? What is the risk of the system? What is the risk of the user? Visualize, Investigate, Respond THREAT LANDSCAPE Threat intelligence Exchange Immediate alerting Historical Analysis Advanced Correlation & Intelligence ENTERPRISE RISK LANDSCAPE Vulnerabilities Countermeasures Individuals Endpoint protection Network protection Sec. Optimized Dynamic Content Flow & Content Aware Big Security Data DB Applications Traditional Context Log Management Scalable Architecture NitroSecurity Next-generation SIEM 16 Database High Speed Intelligent Correlation

16 McAfee ESM - Single (Security) Management Platform Device and Application Log Files Application Contents Authentication and IAM Events from Security Devices User Identities Database Transactions OS Events VA Scan Data GEO Info Threat Intelligence Exchange (TIE)

17 McAfee ESM Advanced Correlation Intelligence Correlating Both Flows and Events FLOW EVENT Advanced Correlation Enhanced with GTI McAfee Global Threat Intelligence (McAfee GTI ) Leveraging more than 100 million global sensors and over 350 researchers. Discover Threats Identify Suspicious Behavior Anomaly Detection Advanced Forensics

18 McAfee ESM Delivering Actionable Situational Awareness Common Use Case : Sorting Through a Sea of Events Have I Been Communicating With Bad Actors? 200M events Which Communication Was Not Blocked? What Specific Servers/Endpoints/ Devices Were Breached? 18,000 alerts and logs Dozens of endpoints Which User Accounts Were Compromised? What Occurred With Those Accounts? Handful users Specific files breached (if any) of RESPOND How Should I Respond? Optimized response 22

19 McAfee ESM DISCOVERY TO CONTAINMENT Industry Leading Security Information and Event Management Threat Intelligence Exchange 3 rd party threat feeds Vulnerability Assessment Compliance Reporting Event Collection Endpoint Security Streamlined Investigations Log Management Network Security Policy Management Advanced Correlation Integrated Security Platform

20 24

21 D User on host WinXPHost01 downloads Windows updates from untrusted site. Executes it, nothing apparent happens. Meanwhile...

22 We see LOTS of ugly stuff going on related to this host (WinXPHost01) in ESM. Time to ACT! April 24, 2015

23 Step 1: Let's Assess the destination host reputation within McAfee Labs (GTI) 27 April 24, 2015

24 GTI Reputation lookup Query on Destination Host Killerbean.com directly from McAfee ESM console 28 April 24, 2015 Confidential McAfee Internal Use Only

25 Step 2: This external host (killerbean.com) looks very sketchy. Let's quarantine him. 29 April 24, 2015

26 30 April 24, 2015

27 31 April 24, 2015

28 32 April 24, 2015

29 Quarantine successful!! Command and Control network Traffic/access towards host Killerbean.com Quarantined trough McAfee ESM Blacklisting!!! 33 April 24, 2015

30 Step 3: This internal endpoint looks like it was likely compromised. Let s contain & remediate the threat immediately.

31

32 Looking at host WinXPHost01, we see that the system firewall is off/ disabled by default.

33 Within seconds, the system firewall is enabled on host WinXPHost01, with a restricted firewall policy TAG, pushed by ESM. Trojan traffic is now neutralized!

34 We simultaneously launch an aggressive malware scan

35 Additional malware discovered and eradicated! Our work here is done

36 Putting it together with TIE and DXL

37 Instant Protection Across the Enterprise Gateways block access based on endpoint convictions McAfee NGFW McAfee NSP McAfee Web Gateway McAfee Gateway McAfee Global Threat Intelligence McAfee TIE Server McAfee ATD 3 rd Party Feeds Proactively and efficiently protect your organization as soon as a threat is revealed McAfee epo McAfee ESM Security components operate as one to immediately share relevant data between endpoint, gateway, and other security products McAfee TIE Endpoint Module McAfee TIE Endpoint Module Data Exchange Layer

38 Threat Intelligence Exchange & IOC Manager Open platform for Enterprise Intelligence (IOC) sharing Consolidate and manage the threat intelligence from all Intel Security capabilities including: MEG, MWG, NSP and eventually NGFW. TIE + IOC Manager will support the upload & download of STIX/OpenIOC data into CybOX standard for Intelligence sharing from third party Vendor solutions, Intelligence Agencies & Industry consortiums e.g. FS-ISAC. 42

39 Intel Security Adaptive Threat Prevention & Detection NGFW DXL Ecosystem Network & Gateway NSP Web Gateway Gateway network and endpoints adapt Sandbox ATD IOC 1 IOC 2 IOC 3 IOC 4 payload is analyzed ESM IOC Manager new IOC intelligence pinpoints historic breaches DXL Ecosystem IOC 5 IOC 6 IOC 7 Endpoints previously breached systems are isolated and remediated TIE Endpoint Module TIE Endpoint Module TIE Endpoint Module TIE Endpoint Module