Achieving Actionable Situational Awareness... McAfee ESM Ad Quist, Sales Engineer NEEUR
The Old SECURITY Model Is BROKEN

Advanced Targeted Attacks: The Reality
[Chart: time from compromise to discovery and from discovery to containment, with attacks spread across minutes, hours, days, weeks, months and years; cost figures: $8,769 per incident, $3,840,988 per year, 1.2 incidents per day.]
Sources: Verizon 2013 Data Breach Investigations Report; Securosis Malware Analysis Quant Metrics Model.

Security-Related TCO Is Skyrocketing
- Multiple products operate in separate functional silos.
- Constantly rising costs of operational security.
- No efficiency, no effectiveness.
- Stale defenses lack adaptive, context-aware capabilities.
- Increasingly complex to manage.
Focus technology: SIEM
SIEM is the evolution and integration of two distinct technologies:
- Security Event Management (SEM): primarily focused on collecting and aggregating security events.
- Security Information Management (SIM): primarily focused on the enrichment, normalization, and correlation of security events.
Security Information & Event Management (SIEM) is a set of technologies for: log data collection, correlation, aggregation, normalization, retention, analysis and workflow.

SIEM main business drivers:
- Corporate big data challenge: tera/peta/exabytes of data.
- APTs: active data trending and usage analysis.
- Insider anomalies: large-volume analysis.
- Compliance: historical reporting over thousands of events.
- Perimeter: correlate events, consolidate logs.

The State of SIEM
SIEM promise:
- Turns security data into actionable information.
- Provides an intelligent investigation platform.
- Supports management and demonstration of compliance.
Legacy SIEM reality:
- Antiquated architectures force choices between time-to-data and intelligence.
- Events alone do not provide enough context to combat today's threats.
- Complex usability and implementation have caused costs to skyrocket.
SIEM FIT FOR PURPOSE? TRADITIONAL DATA MANAGEMENT
McAfee ESM: Delivering on the Promise
Meaningful Intelligence, Continuous Compliance, Big Security Data DB, Rapid Response, Exceptional Value. McAfee Next Generation SIEM.

McAfee ESM: Big Data Ready
High-performance data management engine: the McAfee ESM EDB is a highly indexed, purpose-built database that enables:
- Integrated log and event collection on a massive scale, at high performance.
- Real-time enrichment of data with context to drive intelligence.
- On-line reporting and analytics on current and historic data in parallel.
SMART and FAST.

McAfee ESM (Introduction)
Acquired in December 2011. Was a dedicated SIEM vendor and McAfee Security Innovation Alliance partner since 2006. The NitroView suite of products was rebranded McAfee SIEM in April 2012. Products are in the leader quadrant of Gartner's SIEM Magic Quadrant, with numerous industry accolades and over seven hundred customers globally across all industry sectors. Numerous patents, including the McAfee Enterprise Database (EDB). The latest software release, Sept 14, v9.4.2, includes integration of:
- MFE Threat Intelligence Exchange (TIE)
- MFE Data Exchange Layer (DXL)
- Event support from third-party SIEM vendors: Cisco MARS, Splunk and HP ArcSight
Industry Recognition
- Placed in the Leaders quadrant in Gartner's latest SIEM Magic Quadrant; ranked in the top 3 for Critical Capabilities. "We have been able to validate Nitro's high performance with large production deployments."
- Winner of InfoWorld's prestigious 2011 Technology of the Year Award for NitroView ESM and ELM solutions. This honor is the result of NitroSecurity's #1 ranking, outscoring six other vendors to achieve the highest overall score.
- "The best and fastest database in the security industry."
- "Very advanced technology and the vision to apply it in a threat management environment."
- "An analyst's power tool that provides strong SIEM capabilities in a highly configurable dashboard approach."
- "NitroSecurity offers one of the most useful and seamless incident response-focused ESIM products available today."
- "The rate at which the NitroEDB can insert and recall data is without a doubt one of the key differentiators offered by NitroSecurity."

SIEM Competitive Marketplace
Gartner SIEM MQ Leader 2011-2012 and 2013-2014 (Gartner SIEM MQ 2012, 2013, 2014).

McAfee ESM: Delivering Next Gen SIEM Capabilities
Traditional log management: see log frequencies, search for logs, correlate events.
Next-generation SIEM: what data is involved? Who is doing it? Are they a bad actor? What is the risk of the system? What is the risk of the user? Visualize, investigate, respond.
- Threat landscape: Threat Intelligence Exchange, immediate alerting, historical analysis, advanced correlation and intelligence.
- Enterprise risk landscape: vulnerabilities, countermeasures, individuals, endpoint protection, network protection, applications.
- Architecture: security-optimized dynamic content, flow and content aware, Big Security Data DB, scalable architecture, high-speed intelligent correlation.

McAfee ESM: Single (Security) Management Platform
Inputs: device and application log files, application contents, authentication and IAM, events from security devices, user identities, database transactions, OS events, VA scan data, GEO info, Threat Intelligence Exchange (TIE).
McAfee ESM Advanced Correlation Intelligence
Correlating both flows and events (advanced correlation), enhanced with GTI: McAfee Global Threat Intelligence (McAfee GTI) leverages more than 100 million global sensors and over 350 researchers. Discover threats, identify suspicious behavior, anomaly detection, advanced forensics.

McAfee ESM: Delivering Actionable Situational Awareness
Common use case: sorting through a sea of events.
- Have I been communicating with bad actors? (200M events)
- Which communication was not blocked? (18,000 alerts and logs)
- What specific servers/endpoints/devices were breached? (dozens of endpoints)
- Which user accounts were compromised? What occurred with those accounts? (handful of users; specific files breached, if any)
- How should I respond? (optimized response)

McAfee ESM: Discovery to Containment
Industry-leading Security Information and Event Management: Threat Intelligence Exchange, 3rd-party threat feeds, vulnerability assessment, compliance reporting, event collection, endpoint security, streamlined investigations, log management, network security, policy management, advanced correlation, integrated security platform.
Demo scenario: a user on host WinXPHost01 downloads "Windows updates" from an untrusted site and executes them; nothing apparent happens. Meanwhile...

We see LOTS of ugly stuff going on related to this host (WinXPHost01) in ESM. Time to ACT!... (April 24, 2015)

Step 1: Let's assess the destination host reputation within McAfee Labs (GTI).
GTI reputation lookup: query on destination host killerbean.com directly from the McAfee ESM console.

Step 2: This external host (killerbean.com) looks very sketchy. Let's quarantine it.
Quarantine successful! Command-and-control network traffic/access towards host killerbean.com is quarantined through McAfee ESM blacklisting.
Step 3: This internal endpoint looks like it was likely compromised. Let's contain and remediate the threat immediately.
Looking at host WinXPHost01, we see that the system firewall is off (disabled by default).
Within seconds, the system firewall is enabled on host WinXPHost01 with a restricted firewall policy tag, pushed by ESM. Trojan traffic is now neutralized.
We simultaneously launch an aggressive malware scan. Additional malware is discovered and eradicated. Our work here is done.
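The triage funnel ("which communication was not blocked?") and the three demo steps above, reduced to plain correlation logic, as an added example that is not McAfee's code or ESM output: the events, the reputation table standing in for a GTI lookup, and the hostnames are constructed for this illustration.

```python
"""Correlate allowed outbound connections against a destination reputation
table and emit the containment actions the walkthrough applies."""
from collections import defaultdict

# Constructed sample events (not real ESM records): source host, destination, firewall/proxy verdict.
SAMPLE_EVENTS = [
    {"src_host": "WinXPHost01", "dst": "killerbean.com", "action": "allowed", "type": "http_get"},
    {"src_host": "WinXPHost01", "dst": "killerbean.com", "action": "allowed", "type": "beacon"},
    {"src_host": "WinXPHost01", "dst": "killerbean.com", "action": "allowed", "type": "beacon"},
    {"src_host": "FileServer02", "dst": "updates.vendor.example", "action": "allowed", "type": "http_get"},
    {"src_host": "Laptop07", "dst": "killerbean.com", "action": "blocked", "type": "http_get"},
]

# Constructed stand-in for a reputation service; the real GTI lookup is an API call, not a dict.
REPUTATION = {"killerbean.com": "malicious", "updates.vendor.example": "trusted"}


def lookup_reputation(dst):
    """Return 'malicious', 'trusted' or 'unknown' for a destination host."""
    return REPUTATION.get(dst, "unknown")


def triage(events, min_hits=2):
    """Hosts that repeatedly reached a malicious destination and were NOT blocked,
    each paired with the containment steps from the walkthrough (blacklist the
    destination, push a restricted firewall policy, launch a malware scan)."""
    hits = defaultdict(int)
    for ev in events:
        if ev["action"] != "allowed":
            continue  # blocked traffic answers a different question; drop it from the funnel
        if lookup_reputation(ev["dst"]) == "malicious":
            hits[(ev["src_host"], ev["dst"])] += 1
    findings = []
    for (host, dst), count in sorted(hits.items()):
        if count >= min_hits:  # a single allowed hit may be a false positive; require repetition
            findings.append({
                "host": host, "destination": dst, "allowed_connections": count,
                "actions": [f"blacklist {dst}",
                            f"enable restricted firewall policy on {host}",
                            f"launch malware scan on {host}"],
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```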
Putting it together with TIE and DXL
Instant Protection Across the Enterprise
Gateways block access based on endpoint convictions: McAfee NGFW, McAfee NSP, McAfee Web Gateway, McAfee Email Gateway. Intelligence sources: McAfee Global Threat Intelligence, McAfee TIE Server, McAfee ATD, 3rd-party feeds. Proactively and efficiently protect your organization as soon as a threat is revealed. With McAfee ePO and McAfee ESM, security components operate as one to immediately share relevant data between endpoint (McAfee TIE Endpoint Module), gateway, and other security products over the Data Exchange Layer.

Threat Intelligence Exchange & IOC Manager
Open platform for enterprise intelligence (IOC) sharing. Consolidate and manage the threat intelligence from all Intel Security capabilities, including MEG, MWG, NSP and eventually NGFW. TIE + IOC Manager will support the upload and download of STIX/OpenIOC data into the CybOX standard for intelligence sharing with third-party vendor solutions, intelligence agencies and industry consortiums, e.g. FS-ISAC.

Intel Security Adaptive Threat Prevention & Detection (DXL ecosystem)
- Network and gateway (NGFW, NSP, Web Gateway, Email Gateway): network and endpoints adapt.
- Sandbox (ATD): payload is analyzed, producing IOCs.
- ESM IOC Manager: new IOC intelligence pinpoints historic breaches.
- Endpoints (TIE Endpoint Module): previously breached systems are isolated and remediated.