Unprecedented Malware Growth




McAfee ePolicy Orchestrator (ePO) 4.5 Best Practices
Sumeet Gohri, Mid-Atlantic Sales Engineer, McAfee
McAfee User Group meeting organized by MEEC

Agenda
- 9:30 am - 9:45 am: Welcome
- 9:45 am - 11:00 am: ePO
- 11:00 am - 11:15 am: Break
- 11:15 am - 11:45 am: Firewall
- 11:45 am - 12:30 pm: Lunch
- 12:30 pm - 1:15 pm: GTI
- 1:15 pm - 1:30 pm: Q&A and closing remarks

Unprecedented Malware Growth
[Chart: malware growth by main variation (Virus and Bots, PUP, Trojan), 2008 versus 2009; y-axis from 0 to 3,200,000 samples. Source: McAfee Labs, December 3, 2010.]

Cost to Value Relationship
[Diagram: value and additive cost plotted against organizational maturity through the states Secure, Compliant, Proactive and Optimized.] The relationship between cost and security diverges as an organization progresses to the proactive and optimized states.

McAfee Security Leadership Across the Board
[Figure: analyst quadrant charts (Ability to Execute versus Completeness of Vision; Challengers and Leaders quadrants) for System Security, Network IPS, Mobile Data Protection, Email Security, Web Security, Network DLP, Firewall and DLP.]


McAfee Labs
- 300+ dedicated threat researchers; Global Threat Intelligence
- Founded in 1995
- First global 24/7 emergency response team in the industry
- 1,400 people in R&D, with more than 300 dedicated threat researchers worldwide
- McAfee Labs has analyzed hundreds of thousands of threats and was first to discover some of the highest-profile threats: MyDoom, Sasser, Blaster

McAfee Integrated Security Platform
[Diagram, summarized:]
- Endpoint: Anti-Virus & Anti-Spyware, Email AV & Anti-Spam, Desktop Firewall, Host IPS, SiteAdvisor, NAC, Policy Auditing, Macintosh AV, Linux AV; Artemis and Software-as-a-Service (SaaS) delivery
- Data Protection: Endpoint Encryption, Device Control, Host DLP
- Network: E-mail Security, Web Security, Network DLP, IPS, Firewall/UTM, NAC, Behavioral Analysis
- Risk and Compliance: Vulnerability Management, Remediation, Policy Auditing
- ePO, single agent and single console: the McAfee Agent carries agent deployment, configuration updates and policy settings down to the endpoint, and sends events, vulnerabilities and reports back up for alerts and reporting
- SIA Ecosystem partner products plug into the same platform

McAfee's Open Platform for Security Risk Management
Industry leadership to drive better protection, greater compliance and lower TCO. Partner tiers: SIA Associate Partner and SIA Technology Partner (McAfee Compatible).

Cost to Value Relationship
[Same diagram as earlier: value and additive cost against organizational maturity (Secure, Compliant, Proactive, Optimized).] Where is my organization?

Agenda
- Introductions
- ePO 4.5, a brief overview
- How to size the ePO server infrastructure
- How to upgrade/migrate to an ePO 4.5 server
- How do I check for performance issues on my ePO server
- Tricks and tips on optimizing ePO performance
- Enabling Global Threat Intelligence in the AV policy
- Agent deployment
- VSE 8.7 policy best practices

ePO Management Console: intuitive, web-based security management

McAfee ePolicy Orchestrator Key Feature Overview
- End-to-End Visibility: a single point of reference across networks and systems
- Personalized Command Center: tune the work environment to optimize efficiency
- Drillable Dashboards and Actionable Reports: immediate insight to action slashes response times
- Role-based Access Control: distribute administration and information
- Rogue System Detection: identify and manage all networked assets to lower risk
- Powerful Workflows: automate common routines, streamline processes across systems
- Flexible Architecture: scales from managing a handful of machines to very large enterprises
- Extensible Framework: increase the value of existing security assets, optimize for future needs

McAfee Security Integration Architecture
[Diagram: the ePolicy Orchestrator management console at the center. The ePO Agent on endpoints and VMs carries Anti-Virus, Anti-Spyware, Desktop FW, Host IPS, NAC, Policy Auditor, Device Control, Encryption, Device Control/DLP, Encrypted USB, SolidCore and Data Loss Prevention (grouped as ToPS Endpoint and ToPS Data). Network-side products are Network IPS/NAC, Firewall, Secure Email Gateway and Secure Web Gateway. McAfee Security Innovation Alliance (SIA) partner products and future technologies plug in alongside.]

Security that Spans the Network to the Endpoint
Holistic security, not disparate solutions: a single management console (ePO) manages endpoint security and integrates with network security, with threat data from Avert Labs feeding both sides.
- Network Security: Network Security Platform, Vulnerability Manager, Network Data Loss Prevention, Secure Web Gateway, Secure Mail Gateway, Network User Behavior
- Endpoint Security: VirusScan & Anti-Spyware, HIPS & Firewall, McAfee SiteAdvisor, GroupShield for Mail, Network Access Control, Host Policy Auditor, Host DLP, Host Encryption (ToPS, ToPS Advanced, ToPS for Data)
- Risk and change: Risk Advisor, Integrity Monitor, Application Control, Change Control, Change Reconciliation (SolidCore)

McAfee Global Threat Intelligence
[Diagram: McAfee Labs reputation technologies (Network Reputation, Web Reputation, Email Reputation and File Reputation, delivered through Artemis and TrustedSource) feeding local protection in Network Security, Web Security, Email Security and the Endpoint.]

Artemis (GTI) Technology
Artemis is enabled on the endpoint without any additional client-side install.
1. The user receives a new file via e-mail or the Web.
2. There is no detection with the existing DATs, but the file is suspicious.
3. A fingerprint of the file is created and sent to Artemis.
4. Artemis reviews this fingerprint and other inputs statistically across the threat landscape.
5. Artemis identifies the threat and notifies the client.
6. VirusScan processes the information and removes the threat.

Enabling Artemis (GTI) Cloud Lookup
By leveraging cloud-based threat intelligence, customers can protect themselves from potential zero-day attacks.
- Extremely easy to enable
- The level (sensitivity) of the heuristic check can be throttled
- Uses the standard DNS mechanism to perform lookups, so the endpoint (or the resolver it uses) must be able to resolve external names
- Provides zero-day protection from unknown malware and protection from emerging threats
- Not dependent on DAT updates to be effective
- No impact on the performance of the endpoint
- No customer data is transferred to McAfee; only the file fingerprint is sent

ePO Infrastructure Sizing
- Can I install ePO and my SQL Server on the same physical hardware?
- Can I use a VM environment for ePO or my SQL Server?
- Can ePO use an existing SQL Server that already hosts other databases?
- How should I partition my drives on ePO and SQL?

Installing ePO on a Single Server vs. Multiple Servers
- ePO can be hosted on a single server, with the SQL database installed locally; there are certain considerations to keep in mind when sizing the hardware.
- Single-server configurations can scale to 5K to 10K nodes, depending on the environment and the products managed.
- McAfee recommends optimizing the disk layout on the server to enhance performance (for example, hosting the DB on a separate disk).
- If you use ePO to manage products in addition to AV, ASPY and HIPS, it is recommended that SQL Server be hosted separately.
- Plan ahead by sizing the ePO server appropriately if you intend to roll out additional ePO-managed modules such as HDLP, disk encryption, Device Control or SiteAdvisor.

Installing ePO in a Virtualized Environment
- McAfee supports ePO installs in virtual environments.
- ePO scales to 25K to 30K nodes in a virtual environment; beyond that range, disk performance becomes the bottleneck.
- When managing around 30K nodes, ensure that dedicated physical disks are used and that the VM is assigned CPU priority.
- McAfee recommends not hosting the ePO database on a virtualized SQL Server when the node count is around or exceeds 30K.
- Many customers successfully host their ePO environments virtually without any problems.

Hosting the ePO DB on a Shared SQL Server
Shared SQL Servers can be used to host the ePO DB; a few considerations when doing this:
- On a shared server ePO competes for resources with other applications, so ensure that the DB sizing is appropriate. Sudden spikes in DB server usage by the other hosted applications can impact ePO performance.
- McAfee recommends a node limit of 20K, beyond which a dedicated SQL Server for ePO may be more appropriate for the environment.
- Operationally you may have to work with the SQL DBAs when the ePO DB is hosted on a shared server, including getting them involved in troubleshooting.
- Ensure that the DB and schema updates ePO needs (for upgrades and new extensions) can be applied to the ePO database on the shared server.

Disk Configuration for ePO Deployment
- Disk configuration and partitioning is rarely an issue below 5K nodes.
- In a single-server configuration, separate disks are recommended for the OS, SQL and the ePO application.
- Disk performance is a critical factor for ePO performance, so when using RAID, higher-performance arrays such as RAID 1 or RAID 10 are preferred.

Recommended Configuration Recap

Node Count | ePO & SQL on same server | VM server       | ePO DB on a shared SQL server
100-5K     | Yes                      | Optional        | Optional
5K-25K     | Optional                 | Optional        | Optional
25K-75K    | Not Recommended          | Not Recommended | Not Recommended
75K+       | No                       | No              | No

Server Hardware, OS & DB Recommendations
- Less is better: ePO can scale to 200K+ nodes, so maintaining multiple ePO instances only adds to the overall workload.
- CPU, RAM and disk performance are critical for ePO, as for any other application.
- Use 64-bit software where possible, if your hardware supports a 64-bit OS and applications.
- Very small organizations (up to 500 nodes) can use SQL Express, which has a 4 GB database size limit.
- RAM, CPU and HDD sizing: [table not captured in this transcription]

Distributed Repositories
- Leverage distributed repositories to save bandwidth
- Better performance when distributing DATs and patches
- Lightweight hosting requirements: FTP, UNC and HTTP are supported
- SuperAgents can be used as part of the distribution infrastructure
- Typical hosts are file & print servers, FTP servers and UNC shares
- Can be hosted in a DMZ

In-Place Upgrade to ePO 4.5
- To upgrade to 4.5 from 3.x, you must first upgrade to 4.0 and then to ePO 4.5.
- Ensure that your hardware and software specs are in line with the requirements for ePO 4.5.
- Decommission any unused repositories.
- Clean out any unused or redundant policies.
- Clean out old and unused user accounts.
- Remove client and server tasks that are not being used.
- Purge events that are more than 60 days old.
- Back up, re-index and defragment the database, and ensure it has enough free space.
- Back up your ePO system and DB.
- Back up the system certificates.
- If possible, rehearse the upgrade in a VM environment.

Moving the ePO Server to a Different Platform
The key to moving from one physical ePO server to another is to follow the procedure in KB article 66616. The main steps of the migration are:
1. Back up the ePO database.
2. Back up the agent keys and SSL certificates.
3. Install the ePO application and SQL Server on the new box.
4. Ensure that the new ePO server has the same IP address and DNS name as the old ePO server.
5. Attach the backed-up DB to SQL on the new box.
6. Apply the SSL certificates and agent keys to the new ePO server.
7. Disconnect the old ePO server from the network.
8. Connect the new ePO server to the network and monitor activity.
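Step 4 is the one that silently breaks cutovers: agents keep the old name and address in their sitelist, and a new box that owns neither will simply never be contacted. The following PowerShell check, added here as an example and not part of the presentation or of KB 66616, is run on the new server just before it is connected (steps 7 and 8). It assumes the old ePO FQDN and IPv4 address are passed in, that Invoke-Sqlcmd (SqlServer or SQLPS module) is available, and that the database follows the ePO 4.x naming convention ePO4_<hostname>; confirm the database name in your own environment.

```powershell
# Added example (not from the presentation). Assumptions: old ePO FQDN and IPv4 are
# given; SQL instance and database name default to localhost and ePO4_<hostname>.
function Test-EpoCutoverIdentity {
    param(
        [Parameter(Mandatory)][string]$EpoFqdn,
        [Parameter(Mandatory)][string]$ExpectedIPv4,
        [string]$SqlInstance = 'localhost',
        [string]$Database    = "ePO4_$($EpoFqdn.Split('.')[0])"   # assumed naming convention
    )
    # 1. Does DNS still point the ePO name at the address the agents expect?
    $dnsIps = @(Resolve-DnsName -Name $EpoFqdn -Type A -ErrorAction Stop |
                Where-Object QueryType -eq 'A' | ForEach-Object IPAddress)

    # 2. Does this (new) box actually own that address and that hostname?
    $localIps = @(Get-NetIPAddress -AddressFamily IPv4 | ForEach-Object IPAddress)
    $hostOk   = [System.Net.Dns]::GetHostName() -ieq $EpoFqdn.Split('.')[0]

    # 3. Has the restored database been attached and brought online on the new instance?
    $dbRow = Invoke-Sqlcmd -ServerInstance $SqlInstance -Database master `
             -Query "SELECT name, state_desc FROM sys.databases WHERE name = N'$Database';"

    [pscustomobject]@{
        Fqdn             = $EpoFqdn
        DnsResolvesTo    = ($dnsIps -join ', ')
        DnsMatchesOldIP  = ($dnsIps -contains $ExpectedIPv4)
        LocalOwnsOldIP   = ($localIps -contains $ExpectedIPv4)
        HostnameMatches  = $hostOk
        DatabaseAttached = ($null -ne $dbRow -and $dbRow.state_desc -eq 'ONLINE')
    }
}

# Usage: every property other than Fqdn and DnsResolvesTo should be True before cutover.
Test-EpoCutoverIdentity -EpoFqdn 'epo.example.internal' -ExpectedIPv4 '10.0.0.25'
```

Run it while the old server is still disconnected from DNS changes; if DnsMatchesOldIP is true but LocalOwnsOldIP is false, the old box is still answering and step 7 has not actually happened.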

McAfee Agent Deployment
Deploying the ePO agent to the endpoint: what are my options?
- Active Directory
- Login scripts
- Pre-installed in the enterprise desktop/laptop image
- Using third-party tools, for example Tivoli, SMS or BMC
- Self-serve from HTTP, FTP or UNC shares
The ePO agent is a small 5 MB package; the remaining product packages are pushed from ePO once the agent checks in to the ePO server.
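The login-script and third-party-tool options run on every logon or every schedule, so the deployment step has to be idempotent and has to verify what it executes. The script below is an added example, not part of the presentation: it installs the agent only where it is absent and refuses a package whose hash does not match. The installer name FramePkg.exe, its switches /install=agent /silent, the service name McAfeeFramework, the share path and the hash are assumptions taken from typical McAfee Agent deployments, not from these slides; confirm them against the agent product guide for your version and the package you actually exported from ePO.

```powershell
# Added example (not from the presentation). Assumptions: FramePkg.exe exported from
# the ePO server with /install=agent /silent, service name McAfeeFramework, package
# staged on a UNC share, and a known-good SHA-256 recorded when the package was exported.
function Install-EpoAgentIfMissing {
    param(
        [string]$PackagePath    = '\\fileserver\epo$\FramePkg.exe',   # assumed share
        [string]$ExpectedSha256 = '',                                  # assumed; record it at export time
        [string]$ServiceName    = 'McAfeeFramework',                   # assumed service name
        [string]$LogPath        = "$env:ProgramData\EpoAgentDeploy.log"
    )
    $log = { param($m) Add-Content -Path $LogPath -Value ("{0:s} {1} {2}" -f (Get-Date), $env:COMPUTERNAME, $m) }

    # Idempotency: if the framework service exists the agent is already managed; do nothing.
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if ($svc) {
        & $log "agent present (service $ServiceName is $($svc.Status)); skipping"
        return 'Present'
    }
    if (-not (Test-Path -Path $PackagePath)) {
        & $log "package $PackagePath not reachable; skipping"
        return 'PackageMissing'
    }

    # Copy locally first so the install does not depend on the share staying up mid-install,
    # then verify the copy: a writable deployment share is a classic supply-chain target.
    $local = Join-Path $env:TEMP 'FramePkg.exe'
    Copy-Item -Path $PackagePath -Destination $local -Force
    if ($ExpectedSha256) {
        $actual = (Get-FileHash -Path $local -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256.ToUpper()) {
            & $log "hash mismatch on $PackagePath (got $actual); refusing to install"
            Remove-Item -Path $local -Force -ErrorAction SilentlyContinue
            return 'HashMismatch'
        }
    }

    $p = Start-Process -FilePath $local -ArgumentList '/install=agent', '/silent' -Wait -PassThru
    & $log "installer exit code $($p.ExitCode)"
    Remove-Item -Path $local -Force -ErrorAction SilentlyContinue
    if ($p.ExitCode -eq 0) { 'Installed' } else { 'Failed' }
}

# Usage from a login script or a scheduled task running as SYSTEM (installing needs admin rights):
Install-EpoAgentIfMissing -ExpectedSha256 '<sha256 of the exported FramePkg.exe>'
```

Once the agent is installed and checks in, ePO pushes the remaining products itself, so the script never needs to know about VSE or HIPS packages.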

Is My ePO Server Having a Performance Issue?
- Have you looked at the ePO performance counters under Performance Monitor?
- The total number of open ePO agent connections should not exceed 200 (250 max); a typical value is around 30.
- Processed events per second is consistently high.
- The number of files in the events folder (C:\Program Files\McAfee\ePolicy Orchestrator\DB\Events) is consistently high and getting higher.
- Throttle the Agent-to-Server Communication Interval (ASCI) back from the default of 60 minutes, so that agents check in less often.
- Additionally, flag the ePO server processes as low-risk processes in the AV policy.
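The two symptoms on this slide that can be checked from the server itself without opening Performance Monitor are the events backlog and the number of open agent connections. The PowerShell below is an added example, not part of the presentation: it samples the events folder twice so that a transient burst is distinguished from a parser that is genuinely falling behind, and it approximates the open-connections counter by counting established TCP sessions on the agent listener. The listener port (default parameter 80) is an assumption; read the real value from your ePO server settings. The thresholds (30 typical, 200 ceiling, 250 max) and the folder path are the slide's.

```powershell
# Added example (not from the presentation). Assumptions: agent-to-server listener
# port (default 80 here; check ePO's server settings) and the sample interval.
function Get-EpoEventBacklog {
    param(
        [string]$EventsPath = 'C:\Program Files\McAfee\ePolicy Orchestrator\DB\Events',
        [int]$IntervalSeconds = 60
    )
    # Files in this folder are events the parser has not yet loaded into SQL.
    # "High" alone may be a burst; "high and growing" means ePO is falling behind.
    $first  = @(Get-ChildItem -Path $EventsPath -File -ErrorAction Stop).Count
    Start-Sleep -Seconds $IntervalSeconds
    $second = @(Get-ChildItem -Path $EventsPath -File -ErrorAction Stop).Count
    [pscustomobject]@{ FirstSample = $first; SecondSample = $second; Growing = ($second -gt $first) }
}

function Get-EpoAgentConnectionLevel {
    param([int]$AgentPort = 80)   # assumption: agent-server port
    # Established TCP sessions on the listener approximate the "open agent connections" counter.
    $conns = @(Get-NetTCPConnection -LocalPort $AgentPort -State Established -ErrorAction SilentlyContinue)
    $n = $conns.Count
    # Thresholds from the slide: ~30 typical, 200 ceiling, 250 absolute max.
    $level = if ($n -gt 250) { 'OverMax' }
             elseif ($n -gt 200) { 'OverCeiling' }
             elseif ($n -gt 30)  { 'AboveTypical' }
             else                { 'Normal' }
    [pscustomobject]@{ OpenConnections = $n; Level = $level }
}

function Test-EpoServerLoad {
    param([int]$AgentPort = 80, [int]$IntervalSeconds = 60)
    $backlog = Get-EpoEventBacklog -IntervalSeconds $IntervalSeconds
    $conns   = Get-EpoAgentConnectionLevel -AgentPort $AgentPort
    $advice  = @()
    if ($backlog.Growing) {
        $advice += 'Event backlog is growing: lengthen the ASCI from the 60 min default and check SQL disk latency.'
    }
    if ($conns.Level -ne 'Normal') {
        $advice += "Open agent connections = $($conns.OpenConnections) ($($conns.Level)): lengthen the ASCI so fewer agents check in per hour."
    }
    [pscustomobject]@{ Backlog = $backlog; Connections = $conns; Advice = $advice }
}

# Usage (run elevated on the ePO server; Get-NetTCPConnection needs Windows 8 / Server 2012 or later):
Test-EpoServerLoad -AgentPort 80 -IntervalSeconds 120 | Format-List
```

Schedule this a few times through the day rather than once: the slide's point is that the values must be consistently high, and a single sample taken right after a DAT release will always look bad.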

Maintaining the ePO Database
Use Server Tasks under the Automation tab to purge old events and logs:
- Purge events based on time
- Purge events based on type
- Purge events based on a query
- Delete inactive assets
- Delete machines with duplicate GUIDs
In addition:
- Back up the ePO DB and its transaction log
- Re-index the DB on a regular basis
- Rebuild the DB indexes on a regular basis
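Event purging belongs in ePO Server Tasks as the slide says, but the backup and index work happens on the SQL side. The PowerShell below is an added example, not part of the presentation: it takes a checksummed full backup plus a log backup (the log backup is what keeps a FULL-recovery ePO log file from growing until the disk fills), then reorganizes or rebuilds only the indexes whose measured fragmentation warrants it instead of blindly rebuilding every index on the large event tables. It assumes Invoke-Sqlcmd from the SqlServer (or SQLPS) module, the ePO 4.x database naming convention ePO4_<hostname>, and a backup folder that exists on a disk other than the data files; all three are parameters.

```powershell
# Added example (not from the presentation). Assumptions: Invoke-Sqlcmd is available,
# database name follows ePO4_<hostname>, and $BackupDir exists on a separate disk.
function Invoke-EpoDbMaintenance {
    param(
        [string]$ServerInstance = 'localhost',
        [string]$Database       = "ePO4_$env:COMPUTERNAME",
        [string]$BackupDir      = 'D:\Backup\ePO',
        [int]$ReorganizeAt      = 10,   # % fragmentation: REORGANIZE (online, cheap)
        [int]$RebuildAt         = 30    # % fragmentation: REBUILD (heavier, fully resets the index)
    )
    $stamp = Get-Date -Format 'yyyyMMdd_HHmm'

    # 1. Full backup, then a log backup unless the DB is in SIMPLE recovery (log backups are
    #    not possible there, and the log is truncated on checkpoint instead).
    $backupSql = @"
BACKUP DATABASE [$Database] TO DISK = N'$BackupDir\${Database}_$stamp.bak' WITH INIT, CHECKSUM;
IF (SELECT recovery_model_desc FROM sys.databases WHERE name = N'$Database') <> 'SIMPLE'
    BACKUP LOG [$Database] TO DISK = N'$BackupDir\${Database}_$stamp.trn' WITH INIT, CHECKSUM;
"@
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database master -Query $backupSql

    # 2. Measure fragmentation (LIMITED mode reads only the leaf-level page chain, so it is cheap)
    #    and touch only indexes over the threshold with more than a trivial number of pages.
    $fragSql = @"
SELECT s.name AS SchemaName, t.name AS TableName, i.name AS IndexName,
       ps.avg_fragmentation_in_percent AS Fragmentation
FROM sys.dm_db_index_physical_stats(DB_ID(), NULL, NULL, NULL, 'LIMITED') AS ps
JOIN sys.indexes AS i ON ps.object_id = i.object_id AND ps.index_id = i.index_id
JOIN sys.tables  AS t ON t.object_id = i.object_id
JOIN sys.schemas AS s ON s.schema_id = t.schema_id
WHERE i.name IS NOT NULL AND ps.page_count > 100
  AND ps.avg_fragmentation_in_percent >= $ReorganizeAt;
"@
    $work = @(Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query $fragSql)
    foreach ($row in $work) {
        $action = if ($row.Fragmentation -ge $RebuildAt) { 'REBUILD' } else { 'REORGANIZE' }
        $ddl = "ALTER INDEX [$($row.IndexName)] ON [$($row.SchemaName)].[$($row.TableName)] $action;"
        Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $Database -Query $ddl
        [pscustomobject]@{
            Index         = "$($row.SchemaName).$($row.TableName).$($row.IndexName)"
            Fragmentation = [math]::Round($row.Fragmentation, 1)
            Action        = $action
        }
    }
}

# Usage: run from a scheduled task outside the agent check-in peak; the output lists what was touched.
Invoke-EpoDbMaintenance -ServerInstance 'SQL01\EPO' -Database 'ePO4_EPOSRV' -BackupDir 'D:\Backup\ePO' | Format-Table
```

On a shared SQL Server, agree this schedule with the DBAs rather than running it independently, for the reasons given on the shared-server slide.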

Tuning VSE 8.7 Policies
- Enable Access Protection and prevent the McAfee services from being stopped
- When applying policy to servers, use the Server profile
- Enable the Buffer Overflow Protection policy and enforce protection
- Use different scanning policies for high-risk, low-risk and default processes
- Enable a client task to scan memory at least once a day
- Enable GTI lookups
- Enable ScriptScan (KB65382)
- Schedule a daily scan task that checks memory for rootkits and running processes

McAfee's Open Platform for Security Risk Management
Industry leadership to drive better protection, greater compliance and lower TCO.

Questions? Thank you.
McAfee Sales Team: Derrick Honea (derrick_honea@mcafee.com), Sumeet Gohri (sumeet_gohri@mcafee.com)