McAfee Network Security Platform
Next Generation Network Security
Youssef AGHARMINE, Network Security, McAfee
Network is THE Security Battleground
Who is behind the data breaches?
- 81% some form of hacking (+31%)
- 69% incorporated malware (+20%)
- 10% involved physical attacks (-19%)
- 7% employed social tactics (-4%)
- 5% privilege misuse (-12%)
Sources: McAfee Threats Report: Third Quarter 2012; Verizon 2012 Data Breach Investigations Report
"No big surprise here; outsiders are still dominating the scene of corporate data theft." (Verizon, 2012)
"The sophistication of attacks increases to a level where traditional signature-only solutions no longer provide adequate protection." (Gartner, 2012)
Traditional vs. Comprehensive Network Security
Traditional Network Security (VULNERABLE):
- Too Many Alerts: thousands of events; which are malicious? which ones to block?
- No Context: which systems? other events? reputation?
- Blind to Attacks: advanced malware? protocol anomalies? file inspection?
- No Visibility: applications in use? how much bandwidth? top threat vectors?
- No Flexibility: asymmetrical routes? encrypted traffic? virtualization?
Comprehensive Network Security (SECURE):
- Intelligent Security Management
- Unparalleled Threat Prevention
- Global Malware Protection
- Visibility and Control
- Data Center Architecture
McAfee Network Security Platform
Next Generation Intrusion Prevention, Security Connected:
- Intelligent Security Management: takes the frustration out of information overload
- Unparalleled Threat Prevention: best defense against stealthy attacks
- Global Malware Protection
- Visibility & Control
- Performance & Scalability: push to the limit without compromising security
Industry Recognition and Technical Innovation: A History of IPS Excellence
Technical innovation timeline (2003 to 2012): I-Series, 1st Enterprise IPS; M-Series, High Performance; File Reputation (GTI); Packet Capture; Heuristic-based SQL Injection Protection; Connection Limiting; Application Visibility; Application Protocol Anomaly Detection; DoS Prevention; ePO Integration; OS Fingerprinting; IP Reputation (GTI); Advanced Botnet Correlation; File Anomaly Detection; VM Protection.
Industry recognition: Gartner Magic Quadrant Leader (repeatedly); Leads Next Generation IPS; 1st in IPS; Largest IPS Market Share; 1st Certified 10 Gbps; Best Performance & Accuracy; Best Un-tuned Block Rate; 1st and Only Certified 80 Gbps.
Intelligent Security Management
Intelligent Security Management
Integrates with McAfee ePolicy Orchestrator and McAfee ESM (SIEM).
Technical innovation and the organizational benefit it delivers:
- Progressive Disclosure: streamlined investigations
- Intelligent Alert Prioritization: less noise and more focus
- Scalable web-based management: grows with organizational needs
- Plug-and-play appliances: simplified deployment
- Security Connected integration: relevant context and enabling workflows
Shared Security Intelligence
Threat reputation (McAfee GTI) is fed by Network IPS, Firewall, Web Gateway, Mail Gateway, Host AV, Host IPS, 3rd-party feeds and geo-location feeds.
Volumes shown: 300M IPS attacks/mo.; 2B Botnet C&C IP Reputation queries/mo.; 20B Message Reputation queries/mo.; 2.5B Malware Reputation queries/mo.
The Power of McAfee GTI
Figure: the same GTI feed diagram as the preceding slide (Network IPS, Firewall, Web Gateway, Mail Gateway, Host AV, Host IPS, 3rd-party and geo-location feeds; 300M IPS attacks, 2B Botnet C&C IP Reputation queries, 20B Message Reputation queries and 2.5B Malware Reputation queries per month).
Workflows with Progressive Disclosure
The evolution from chasing alerts to understanding events:
- Dashboard: synopsis of risks and threats
- Threat Info: top threats, threat relevancy
- Drill into Detail: connections, behavior, files, users
- System Info: OS, vulnerabilities, host events
- Forensics: packet capture, SIEM, forensic integration
- Countermeasures: IPS, application control, ACLs, custom
Unparalleled Threat Prevention
Contextual Awareness
Context feeding the Network Security Platform: vulnerability data, endpoint protection, user identification, system interactions, device details, geo-location, threat reputation.
Platform pillars: Intelligent Security Management, Global Malware Protection, Security Connected, Next Generation Intrusion Prevention, Unparalleled Threat Protection, Performance & Scalability, Visibility & Control.
Unparalleled Threat Prevention: Multiple Next Generation Defenses
- Threat Explorer: vulnerability-based engine requires fewer signatures
- Malware Downloads: comprehensive malware protection
- Active Botnets: multi-attack heuristic identification
- High-Risk Hosts: holistic host assessment
- Network Forensics: detailed behavior analysis
Global Malware Protection
Intelligent Malware Defenses
Real-time down-select process:
1. GTI file reputation evaluation
2. Baseline IPS malware signature inspection
3. Advanced malware engines
4. File anomaly detection (executable emulation)
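The down-select idea on this slide is that cheap checks run first and each stage only sees the files the previous stage could not decide. The following is an added illustration of that staging, not McAfee code: a hash-reputation table stands in for the GTI lookup, a byte pattern stands in for the IPS signature set, and a structural file-anomaly check stands in for the advanced engines and executable emulation. The sample files, hashes and pattern are all constructed for the example.

```python
"""Staged malware down-select (added illustration, not McAfee code).

Mirrors the slide's order of checks: reputation lookup first, then
signature inspection, and only files still unknown reach the expensive
file-anomaly stage. Sample files, reputation entries and the signature
byte pattern are constructed for this example.
"""
import hashlib

# Constructed sample files: a benign PDF, a known-bad executable, an executable
# carrying a detectable byte pattern, and a "PDF" with an embedded PE image.
SAMPLE_FILES = {
    "report.pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n",
    "tool.exe": b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"A" * 32,
    "dropper.exe": b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
                   + b"CONSTRUCTED-TEST-PATTERN" + b"B" * 16,
    "invoice.pdf": b"%PDF-1.7\n" + b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"C" * 32,
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Stage 1: constructed reputation table keyed by SHA-256 (stands in for the
# GTI file-reputation query). Only two of the four files have a verdict.
REPUTATION = {
    sha256(SAMPLE_FILES["report.pdf"]): "clean",
    sha256(SAMPLE_FILES["tool.exe"]): "malicious",
}

# Stage 2: constructed byte-pattern signatures (stands in for the IPS signature set).
SIGNATURES = {
    "constructed-test-pattern": b"CONSTRUCTED-TEST-PATTERN",
}


def file_anomalies(data: bytes) -> list:
    """Stages 3/4: coarse structural checks on files the earlier stages could not classify."""
    findings = []
    has_pe = b"PE\x00\x00" in data
    if data.startswith(b"%PDF") and b"MZ" in data and has_pe:
        findings.append("PE executable embedded in a PDF document")
    if data.startswith(b"MZ") and not has_pe:
        findings.append("MZ header without a PE signature")
    return findings


def classify(data: bytes):
    """Return (verdict, stage, reason); a stage runs only if earlier stages did not decide."""
    verdict = REPUTATION.get(sha256(data))
    if verdict == "clean":
        return ("allow", "reputation", "known clean")
    if verdict == "malicious":
        return ("block", "reputation", "known malicious")
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return ("block", "signature", name)
    findings = file_anomalies(data)
    if findings:
        return ("quarantine", "anomaly", "; ".join(findings))
    return ("allow", "anomaly", "no findings")


def run_pipeline(files: dict):
    """Classify every file and count how many files reached each stage."""
    results = {}
    reached = {"reputation": 0, "signature": 0, "anomaly": 0}
    for name, data in files.items():
        verdict, stage, reason = classify(data)
        results[name] = (verdict, stage, reason)
        # A file decided at stage N also passed through every earlier stage.
        for s in ("reputation", "signature", "anomaly"):
            reached[s] += 1
            if s == stage:
                break
    return results, reached


if __name__ == "__main__":
    results, reached = run_pipeline(SAMPLE_FILES)
    for name, (verdict, stage, reason) in results.items():
        print(f"{name:12} {verdict:10} decided at {stage:10} ({reason})")
    print("files reaching each stage:", reached)
```

Running it shows the funnel the slide describes: all four files hit the reputation lookup, two reach signature inspection, and only one unknown file consumes the anomaly engine.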
Advanced Malware Protection
- No single malware defense technique is best in all situations.
- Malware is the fastest growing threat vector: zero-day, bots, APTs.
- Various malware tactics work better on different types of malware.
- Traditional IPS is not prepared to defend against modern malware.
Defense layers shown: McAfee global list, your list, PDF behavior, advanced analysis.
Network Security Malware Market
Vendor comparison (columns: McAfee, Sourcefire, FireEye, Palo Alto, TippingPoint; "yes" = capability present):
- Malware Signatures: yes, yes, yes, yes, yes
- Custom Malware Signatures: yes, yes, yes, yes, yes
- Global Malware Reputation: yes, partial, partial, partial, yes
- Network Behavior Analysis: yes, partial, yes
- Multi-event Correlation: yes
- Integrated SIEM Analysis: yes, yes
- Deep File Analysis: yes
- Local File Behavior Analysis: yes, partial, yes
- Local Sandboxing: soon, yes
- Cloud Sandboxing: beta, partial, yes
(For rows with fewer than five marks the remaining cells are blank on the slide; the marks are listed in the order they appear.)
Visibility and Control
Deep Visibility & Control
Beyond simple reporting: application intelligence for security analysis and control.
- 1500 applications natively recognized (more than competing products); application and sub-application control.
- Anomalies: uncovers security anomalies that are not seen at the aggregate network level, e.g. a database server starts sending email, or a known attack always uses an obscure (benign) application.
- Alignment: precise control rules that actually match organizational policy, e.g. Google chat is permitted but file transfer is blocked; BitTorrent is prohibited but other web applications are allowed.
Application Usage and Control: Patching a Hole
1. Key in on an application anomaly
2. Check the security alerts
3. Select the application
4. Assign a response: a rule to block or rate-limit the threatening application
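The two preceding slides describe role-based anomaly detection (a database server that starts originating SMTP) and sub-application control rules (permit Google chat, block its file transfer, block BitTorrent). The block below is an added illustration of both, not McAfee code: the host roles, the per-role baseline of expected applications, the rule list and the flow records are all constructed for the example, and the application names are labels rather than the product's identifiers.

```python
"""Toy application-anomaly and control-policy engine (added illustration, not McAfee code).

Models the ideas on the Visibility & Control slides: a host role baseline that
flags unexpected applications, and ordered application/sub-application rules
that produce a permit, block or rate-limit action. Everything below is constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str
    app: str
    subapp: Optional[str] = None


# Constructed asset inventory: source host -> role.
HOST_ROLES = {
    "10.0.1.10": "database",
    "10.0.2.20": "mail-relay",
    "10.0.3.30": "workstation",
}

# Constructed baseline: applications each role is expected to originate.
EXPECTED_APPS = {
    "database": {"mysql", "ssh", "ntp"},
    "mail-relay": {"smtp", "dns", "ntp"},
    "workstation": {"http", "https", "dns", "google-chat", "ntp"},
}

# Ordered control rules: (app, subapp or None for any sub-application, action).
# First match wins, so the specific file-transfer rule precedes the general chat rule.
RULES = [
    ("google-chat", "file-transfer", "block"),
    ("google-chat", None, "permit"),
    ("bittorrent", None, "block"),
    ("http", "video-stream", "rate-limit"),
]
DEFAULT_ACTION = "permit"


def role_anomaly(flow: Flow) -> Optional[str]:
    """Return a reason if the application is unexpected for the source host's role, else None."""
    role = HOST_ROLES.get(flow.src)
    if role is None:
        return None  # unknown host: no baseline to compare against
    if flow.app not in EXPECTED_APPS[role]:
        return f"{flow.src} ({role}) originated {flow.app}"
    return None


def control_action(flow: Flow) -> str:
    """Apply the ordered rule list; fall back to the default action."""
    for app, subapp, action in RULES:
        if flow.app == app and (subapp is None or flow.subapp == subapp):
            return action
    return DEFAULT_ACTION


def evaluate(flows):
    """Return (anomaly reasons, per-flow verdicts as (src, app, subapp, action))."""
    anomalies = [a for a in (role_anomaly(f) for f in flows) if a]
    verdicts = [(f.src, f.app, f.subapp, control_action(f)) for f in flows]
    return anomalies, verdicts


# Constructed flow records, including the slide's "database server sends email" case.
SAMPLE_FLOWS = [
    Flow("10.0.1.10", "mysql"),
    Flow("10.0.1.10", "smtp"),
    Flow("10.0.3.30", "google-chat", "chat"),
    Flow("10.0.3.30", "google-chat", "file-transfer"),
    Flow("10.0.3.30", "bittorrent"),
    Flow("10.0.3.30", "http", "video-stream"),
]

if __name__ == "__main__":
    anomalies, verdicts = evaluate(SAMPLE_FLOWS)
    for a in anomalies:
        print("ANOMALY:", a)
    for src, app, subapp, action in verdicts:
        print(f"{src} {app}/{subapp or '*'} -> {action}")
```

The anomaly check and the control rules are deliberately separate: the baseline surfaces what needs investigating (step 1 on the slide), while the rule list is the response an analyst assigns (step 4), so a newly observed anomaly can be turned into a block or rate-limit rule without touching the baseline.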
Architecture
McAfee Network Security Platform Architecture: Network Security Platform Sensors
Chart of sensor models by throughput: 80 Gbps XC Cluster and 40 Gbps NS-9200 at the top, then NS-9100, M-8000, M-6050, M-4050, M-3050, M-2950, M-2750 / M-2850, M-1450 and M-1250 down to 100 Mbps (tiers shown: 80, 40, 20, 10, 5, 3, 1.5, 1 Gbps, 600, 200, 100 Mbps); 40 GigE and 10 GigE connectivity.
- Certified 80 Gigabit performance
- Highest port density available
- Scale to hundreds of sensors
- Single management console
Performance without Compromise
Bar chart comparing the McAfee M-8000 with another vendor's product (XYZ*) under three configurations: IPS; IPS + App Control; IPS + App Control + Network Discovery*. Tick values shown: 10, 10, 9, 9, 7, 6.
* Based on vendor product documentation
High Availability (data center deployment)
- Firewalls in active-active
- IPS sensors as an active-active cluster or an active-passive pair
- Full stateful analysis
- Asymmetrical routes
HTTPS Inspection: On-box Decryption & Inspection
Diagram: Internet (encrypted and untouchable) -> Network Security Platform (decrypted and neutralized) -> DMZ HTTPS servers.
- Import certificates
- Decrypt inbound HTTPS traffic on the IPS sensor
- 256 PKI certificates per sensor
- Hardware-powered decryption (up to 8800 sessions per second)
- No additional charge
Total Cost of Ownership
Counting It All Up
Comprehensive Network Security and its cost benefits:
- Intelligent Security Management: increases the speed of human analysis and lowers operating costs
- Unparalleled Threat Prevention: improves accuracy of detection and decreases loss from attacks
- Global Malware Protection: confidently closes security holes and reduces malware damage costs
- Visibility and Control: intelligence outwits attacks and cuts the overhead of network enforcement
- Data Center Architecture: reliable performance and flexibility eliminate hidden deployment costs
Bottom line: lower total cost of ownership and a superior solution.