McAfee Deep Safe. Security beyond the OS. Kai-Ping Seidenschnur Senior Security Engineer. October 16, 2012


Intel/McAfee Initiatives: ePO Deep Command and Deep Defender
- McAfee ePO Deep Command: security management beyond the OS
- McAfee Deep Defender: endpoint security beyond the OS

McAfee Deep Defender

Threats Continue to Move Down the Stack

Layers in the diagram, top to bottom: Applications/RDBMS; AV, HIPS; Operating System; Virtual Machine; I/O (Memory, Disk, Network, Display); BIOS; CPU.

- Traditional attacks and defenses focused primarily on the application layer.
- Attack and disable security products, and hence all protection.
- Infect the OS with APTs, resulting in threats hidden from security products.
- Compromise the virtual machine, and hence all guest machines within it.
- Rogue peripherals and firmware bypass all other security measures.
- Ultimate APTs compromise devices below the OS, either before or after shipment.
- Malware/rootkits target storage devices to gain unauthorized control.

Introducing McAfee DeepSAFE Technology: Next-Generation Security Beyond the OS

Stack in the diagram, top to bottom: Applications; Anti-Virus, Data Loss Prevention, Intrusion Prevention System, Firewall, Deep Defender; Operating System; DeepSAFE; Central Processing Unit, Input/Output (Memory, Disk, Network, Display). DeepSAFE sits between the operating system and the hardware.

Deep Defender: Problems with Today's Solutions
1. Traditional AV products do not see rootkit kernel access.
2. They rely on heuristic file or behavior analysis.
3. Zero-day detection is difficult; it requires pre-knowledge of the threat or threat type.

Deep Defender
- Real-time monitoring for malicious memory access
- Day-zero protection against rootkits and APTs
- Monitor, block and remove
- Minimal performance impact
- GTI integrated: feeds rootkit detections back to GTI, enhancing time to rootkit protection across all McAfee products

Deep Defender: Stopping a Stealthy Rootkit
- Real-time kernel-level monitor of memory
- Identifies kernel-mode rootkits in real time
- Prevents those drivers from loading
- DeepSAFE technology loads before the OS
- DeepSAFE technology informs Deep Defender of suspicious behavior

Boot sequence in the diagram: Intel i3/i5/i7 CPU (BIOS VT-x enabled) -> OS Loader -> DeepSAFE Loader/Agent (DeepSAFE loaded beyond the OS) -> OS initialization -> boot drivers (boot driver, rootkit boot driver) -> other drivers (driver, AV driver, rootkit driver) -> services and applications (Deep Defender Agent, application, malware application).

McAfee Confidential Internal Use Only

McAfee ePO Deep Command

McAfee ePO Deep Command utilizes Intel vPro Active Management Technology (AMT) to deliver beyond-the-operating-system management, reducing security operations costs while enhancing your security posture. ePO Deep Command lets you control powered-off endpoints to execute security updates, deployment and scan tasks, as well as perform remote remediation of security issues.

McAfee ePO Deep Command: Security Management Beyond the OS

Diagram: ePO Agent Handler connected to the endpoint stack (Apps, McAfee Security, McAfee Agent, OS, Preboot, Intel vPro).

- Utilizes Intel vPro technology (AMT)
- Local and remote AMT connections
- Permits remote assistance, policy control and remediation
- ePO-class scalability

Value:
- Reduce cost of security operations
- Improve security of powered-off PCs
- Maintain security access while lowering energy use

McAfee ePO Deep Command Dashboards

Identifying vPro AMT-Enabled Endpoints

ePO Deep Command Use Cases

Business challenge: Compromised systems or system failures force physical access to the endpoint to remediate.
McAfee ePO Deep Command: Enables the administrator to boot the compromised system from a remote remediation disk image, allowing full cleaning/repair of the system disk.

Business challenge: Can't deploy updated security ahead of an attack if endpoints are powered off.
McAfee ePO Deep Command: Can contact and apply updated security policies to all AMT-enabled systems before a potential threat outbreak, regardless of their power state.

Business challenge: Organizations have to reduce power consumption, yet still meet security and compliance regulations.
McAfee ePO Deep Command: Can apply security updates, patches, and new products or policies to systems by leveraging the Intel AMT Alarm and remote wake-up capabilities.

Business challenge: Policy or system misconfigurations that cause connectivity issues.
McAfee ePO Deep Command: Connects to the system at the AMT level and allows remote reconfiguration of the faulty policy to re-establish normal traffic flows to/from the operating system environment.

Recovering Compromised Systems
Goals: (a) remediate compromised or corrupt systems from ePO; (b) perform forensics on the boot disk.
1. The end user notifies the administrator of the disabled system, either via a call or via the Remote Call for Help function.
2. The ePO administrator accesses the disabled endpoint via AMT at the hardware level (connection to AMT; remote boot from .iso).
3. The administrator instructs the endpoint to boot from another network disk image.
4. Once booted, the administrator deploys remediation steps to restore the endpoint or to collect forensic evidence.

Deploying Security Ahead of the Attack
Goal: (a) ensure all endpoints, even powered-off ones, have up-to-date security.
1. The IT security team sees threats spreading throughout the environment.
2. The ePO administrator connects via AMT to turn on powered-off PCs; alternately, sets an AMT Alarm to wake systems at a specific time (task: "Update DAT now").
3. On wake-up, ePO Deep Command executes a series of tasks to update the security profile, e.g. update anti-malware signatures, deploy additional security, run a scan.
4. After the tasks execute, the system powers off.

ePO Deep Command: Wake & Execute
1. Wake up the computer: AMT Alarm or power-on.
2. Intel AMT powers on the computer.
3. The McAfee Agent starts and checks for open tasks.
4. ePO sends tasks to the McAfee Agent, e.g. upgrade VSE, update DAT, run ODS, send events, and shutdown.

Endpoint stack in the diagram: Apps / McAfee VirusScan, McAfee Agent, OS, Preboot, Intel AMT.

Integration with upcoming EEPC V7:
- Remote Unlock
- Reset User Password
- Location Aware Preboot
- Remote Remediation

https://community.mcafee.com/videos/1380
https://community.mcafee.com/videos/1381