Post on 09-May-2015
Confidential McAfee Internal Use Only
October 17, 2013
McAfee Security Connected: Actionable Situational Awareness
Boubker Elmouttahid, CISSP, CISM, CRISC
Solution Architect, Management Platform
Security Connected Platform
INFORMATION SECURITY
• Data Loss Prevention
• Email Security
• Encryption
• Web Security
SECURITY MANAGEMENT
• Compliance
• Policy Auditing & Management
• Risk Management
• Security Operations Console
• SIEM
• Vulnerability Management
PARTNER COMMUNITY
• McAfee Connected
• Security Innovation Alliance (SIA)
• Global Strategic Alliance Partners
NETWORK SECURITY
• Access Control
• Identity & Authentication
• Intrusion Prevention
• Network User Behavior Analysis
• Next Generation Firewall
• Network Access Control
ENDPOINT SECURITY
• Application Whitelisting
• Desktop Firewall
• Device Control
• Device Encryption
• Email Protection
• Embedded Device Protection
• Endpoint Web Protection
• Host Intrusion Protection
• Malware Protection
• On Chip (Silicon-Based) Security
• Server & Database Protection
• Smartphone & Tablet Protection
• Virtual Machine & VDI Protection
Partners and Integrated Solutions Deliver an Open, Full-Featured Platform
(platform diagram centred on Management)
McAfee Labs
• Multi-discipline security research
– Malware (viruses, spyware, rootkits, etc.)
– Spam and Phishing
– Web Security
– Network and Host Intrusion Prevention
– Vulnerabilities and Compliance Checks
• 24 x 7 emergency response team
• Holds 118+ patents and 148+ pending patents
• 400+ researchers in 26 cities around the world
What It Takes to Make an Organization Safe: Global Threat Intelligence
(diagram: threat reputation built from sensor feeds: Network IPS, Firewall, Web Gateway, Host AV, Mail Gateway, Host IPS and 3rd-party feeds)
112 Reputation Servers in 7 Data Centers
(map: Atlanta, Chicago, San Jose, London, Amsterdam, Tokyo and Hong Kong, feeding the GTI DataStore)
McAfee Threat Landscape: The Core Problem
Key Motivations (purpose)
• Espionage
• Financial
• Weaponry
• Ego
Key Threats
(word cloud: Manufacturing, RF/IR, Bluetooth, SCADA, Web, Virtual, Zeus, Apps, Social Media, Embedded, Night Dragon, Medical Device, Aurora, Stuxnet, Entertainment, ATM/Kiosk, Energy, Mobile, Silicon, Database, Smart Cars, Conficker, RSA)
Total Malware Samples
The McAfee “zoo” now contains more than 140 million unique malware samples.
(chart: total malware samples by month, Jul-12 to Jun-13, y-axis 0 to 160 million)
Enterprise IT BIG Bets 2013: Enable “Situational Security Awareness” through Big Security Data
• Situational Security Awareness through Big Security Data
• Less “matching”, more trending
• Long-term analysis for “low and slow” attacks
• Continuous compliance monitoring
• Immediate information access
(chart, 2000 to 2013: processing demands, data volume, use cases and instrumentation all growing; use cases widen from perimeter security to compliance, insider threat and data security)
Big Data vs. Big Security Data
Big Data: datasets whose size and variety are beyond the ability of typical database software to capture, store, manage and analyse.
Big SECURITY Data: understanding security data as big data.
• How do I gather security context?
• How do I manage big security information?
• How do I make security information management work?
• Size of security data doubling annually
• Advanced threats demand collecting more data
• Legacy data management approaches failing
• SIEM use shifting from compliance to security
“The Importance” of Big Security Data
Old Attacks
• Amateurs
• Noisy
• Curious/mischievous
• Script driven
• Untargeted
New Attacks
• Professionals
• Stealthy
• For profit/intentional damage
• Professionally developed
• Targeted
Required response
• Automated situational awareness
• Global threat intelligence
The Big Security Data Challenge
(diagram: from consolidating logs and correlating thousands of perimeter events, to anomaly detection, large-volume analysis, multi-dimensional active trending and long-term analysis across billions of events spanning APTs, cloud, data, insider threat and compliance, with historical reporting)
THINK FAST… ACT FAST: Actionable Situational Awareness through Enhanced Data Management and Integration
Learn Quickly: turns billions of “so what” events into actionable information via context, content and advanced analytics.
Move Fast: a purpose-built data management engine that makes SIEM work and is security “big data” ready.
Act Decisively: leveraging the value of Security Connected for faster response whilst lowering cost of ownership.
McAfee ESM
MOVE FAST: eDB, a purpose-built data management engine that makes SIEM work
Extended schema in 9.2, enabling…
• Improved tracking of assets via GUID; increases accuracy as IPs change
• More custom fields; increasing the data collected, correlated and reported about an event
• Ability to accumulate events (throughput, packets, URLs, etc.)
…without compromising performance!
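What “tracking assets via GUID” buys you is easiest to see in code. The block below is an added example, not eDB or any McAfee code: it assumes a constructed lease table (which asset held which IP during which interval, as a DHCP or ePO inventory export would give you) and attributes each event to the asset that owned the address at event time rather than to the address itself. The GUIDs, IPs, timestamps and messages are all made up for the example.

```python
"""Keying events on a stable asset GUID instead of an IP address.

Added example (not McAfee eDB code). A constructed lease table records which
asset held which IP over which interval; events are attributed to the asset
that actually owned the address at event time, so an IP that is reused by a
different machine does not pollute the first machine's history.
"""
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, fixed GUIDs so the example is deterministic.
LAPTOP_A = "1f8e1d4e-0d9b-4c4d-9a51-0c6c5e8f0001"
LAPTOP_B = "1f8e1d4e-0d9b-4c4d-9a51-0c6c5e8f0002"
SERVER_C = "1f8e1d4e-0d9b-4c4d-9a51-0c6c5e8f0003"

T0 = datetime(2013, 10, 17, 8, 0)
LEASE_SWITCH = T0 + timedelta(hours=4)   # 10.0.0.5 moves from LAPTOP_A to LAPTOP_B here

# Constructed inventory: (asset GUID, IP, lease start inclusive, lease end exclusive).
LEASES = [
    (LAPTOP_A, "10.0.0.5", T0, LEASE_SWITCH),
    (LAPTOP_B, "10.0.0.5", LEASE_SWITCH, T0 + timedelta(hours=12)),
    (SERVER_C, "10.0.0.9", T0, T0 + timedelta(days=365)),
]


def build_index(leases):
    """Group leases by IP and sort by start time so lookup is a single bisect."""
    by_ip = defaultdict(list)
    for guid, ip, start, end in leases:
        by_ip[ip].append((start, end, guid))
    for ip in by_ip:
        by_ip[ip].sort()
    return by_ip


def resolve_asset(index, ip, ts):
    """Return the GUID that held `ip` at time `ts`, or None if no lease covers it."""
    leases = index.get(ip, [])
    starts = [start for start, _, _ in leases]
    i = bisect_right(starts, ts) - 1          # last lease that started at or before ts
    if i >= 0:
        start, end, guid = leases[i]
        if start <= ts < end:
            return guid
    return None


def events_per_asset(index, events):
    """Count events per asset GUID; IPs with no covering lease are kept under 'unknown:<ip>'."""
    counts = defaultdict(int)
    for ts, ip, _msg in events:
        guid = resolve_asset(index, ip, ts)
        counts[guid if guid else f"unknown:{ip}"] += 1
    return dict(counts)


# Constructed events: (timestamp, source IP, message). The same IP appears under
# two different owners, and once after every lease has expired.
EVENTS = [
    (T0 + timedelta(hours=1), "10.0.0.5", "HIPS: blocked outbound to 198.51.100.7"),
    (T0 + timedelta(hours=2), "10.0.0.5", "HIPS: blocked outbound to 198.51.100.7"),
    (T0 + timedelta(hours=5), "10.0.0.5", "AV: detection Generic.dx"),
    (T0 + timedelta(hours=6), "10.0.0.9", "auth: failed login root"),
    (T0 + timedelta(hours=13), "10.0.0.5", "auth: failed login"),
]

if __name__ == "__main__":
    index = build_index(LEASES)
    for asset, n in events_per_asset(index, EVENTS).items():
        print(asset, n)
```

Counting by IP alone would report four events against 10.0.0.5; resolving through the lease table splits them into two for LAPTOP_A, one for LAPTOP_B and one unattributable event, which is the difference between an accurate host timeline and a misleading one when addresses churn.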
LEARN QUICKLY: Establishing baselines to identify deviations
Rolling averages: defining abnormal patterns of activity
Eliminate the guesswork
• Sum events and track averages
• Identify anomalies
• Alert based on deviations from the norm
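The three bullets above are a complete detection loop, so here it is worked through on sample data. This is an added example, not ESM's rolling-average implementation: it buckets constructed syslog-style lines per host and hour, keeps a rolling window of each host's completed hourly counts, and alerts when a new hour exceeds the window mean by more than K standard deviations. The log lines, host names, window size and thresholds are assumptions chosen for the example.

```python
"""Rolling-average baseline with deviation alerts over per-host event counts.

Added example (not McAfee ESM code). Constructed syslog-style lines are bucketed
per (hour, host); each new bucket is compared with the mean and standard
deviation of the host's previous `window` buckets and an alert is raised when
the count exceeds mean + k * stddev. A minimum history length and a minimum
absolute count stop the rule from firing on a near-empty baseline.
"""
import re
import statistics
from collections import defaultdict, deque

# "2013-10-17T08:00:00 ws01 sshd: Failed password for admin"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2} (?P<host>\S+) (?P<msg>.*)$"
)


def bucket_counts(lines):
    """Parse log lines into {(hour, host): count}; unparseable lines are skipped."""
    counts = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        counts[(m["ts"], m["host"])] += 1
    return counts


def detect_deviations(counts, window=6, k=3.0, min_history=4, min_count=10):
    """Walk buckets in time order; return (hour, host, count, mean, stddev) alerts.

    Only completed hours before the current one form the baseline, so a spike
    never inflates the average it is being compared against. A host with no
    events in an hour contributes a zero bucket, which is itself a signal.
    """
    history = defaultdict(lambda: deque(maxlen=window))
    hosts = {host for _, host in counts}
    hours = sorted({hour for hour, _ in counts})
    alerts = []
    for hour in hours:
        for host in sorted(hosts):
            n = counts.get((hour, host), 0)
            hist = list(history[host])
            if len(hist) >= min_history:
                mean = statistics.fmean(hist)
                sd = statistics.pstdev(hist)
                # floor the deviation at 1 so a perfectly flat baseline still needs a real jump
                threshold = mean + k * max(sd, 1.0)
                if n >= min_count and n > threshold:
                    alerts.append((hour, host, n, round(mean, 2), round(sd, 2)))
            history[host].append(n)
    return alerts


def sample_lines():
    """Constructed input: ws01 steady at 5 auth failures/hour then 60 in hour 14; ws02 steady at 4."""
    lines = []
    for hour in range(8, 15):
        for i in range(60 if hour == 14 else 5):
            lines.append(f"2013-10-17T{hour:02d}:{i:02d}:00 ws01 sshd: Failed password for admin")
        for i in range(4):
            lines.append(f"2013-10-17T{hour:02d}:{i:02d}:30 ws02 sshd: Failed password for svc")
    return lines


if __name__ == "__main__":
    for alert in detect_deviations(bucket_counts(sample_lines())):
        print("deviation:", alert)
```

The window length is the knob that decides what “normal” means: six hourly buckets catch a burst like the one above, but the “low and slow” pattern the earlier slide mentions only shows up against a baseline measured in days or weeks, which is exactly why the deck ties baselining to long-term data retention.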
LEARN QUICKLY: Global Threat Intelligence and IP Reputation
(diagram) An event is subjected to an IP reputation check against the McAfee Labs IP reputation updates, returning GOOD, SUSPECT or BAD across these categories:
• Botnet/DDoS
• Mail/spam sending
• Web access malware hosting
• Network probing
• Presence of malware
• DNS hosting activity
• Intrusion attacks
Automatic identification is followed by automatic risk analysis via the advanced correlation engine, rating the event Medium Risk or High Risk.
LEARN QUICKLY: Correlating both flows and events
(diagram: flow records and event records are fed to the advanced correlation engine, enhanced with GTI)
• Identify spikes in activity
• Analyze behavior of an individual host
• Detect zero-day threats through traffic profiling
• Monitor compliance via analysis of application data, protocol and user
ACT DECISIVELY: Leverage the power of the platform
Industry Leading Security Information and Event Management
Integrated Security Platform (diagram)
• ESM functions: Event Collection, Compliance Reporting, Streamlined Investigations, Policy Management, Advanced Correlation, Log Management
• Integrated products: ePolicy Orchestrator, Network Security Platform, Global Threat Intelligence, Vulnerability Manager
Organized Chaos: Security Operating in Silos (data interconnection left and right)
(diagram centred on the SIEM)
LEARN QUICKLY & ACT DECISIVELY: Security Connected, Intelligent Orchestration & Integration
ACT DECISIVELY: Intelligent Orchestration and Integration
(diagram: ESM at the centre, dynamically enriched by GTI and exchanging data with the rest of the platform)
• ePO: endpoint & SIA alerts, and policy enforcement
• NSP: network alerts, and quarantine
• MVM: asset inventory, and on-demand scan
• Also integrated: ADM, FW, DLP, MWG, MEG, MAM, NTBA, DAM
(diagram: a user receives a tweet from “My Pal”: “RT@aguyweknow Very Inspiring article Bit.ly/p0wn3d” and follows the link)
Detect connection attempt → correlation in ESM → trigger alarm → quarantine IP (NSM) → quarantine endpoint, launch AV scan, increase security (ePO)
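The reputation-check slide, the flows-and-events slide and the orchestration scenario above together describe one pipeline, so the added example below runs it end to end. It is not ESM, GTI, NSM or ePO code: the reputation table, the flow and event records, the risk rules and the two connector objects are all constructed for the example, and the connectors only record the actions a real integration would send to the products' APIs. What it shows is a flow to a known-bad peer producing a High-risk alarm on its own, a flow to a merely Suspect peer being raised to High only when an IPS event from the same host lands inside the correlation window, and the resulting alarm driving the quarantine and scan steps exactly once per host.

```python
"""Flow + event correlation, IP reputation enrichment, and orchestrated response.

Added example (not McAfee ESM, GTI, NSM or ePO code). A flow to a peer IP is
looked up in a constructed reputation table, matched with security events from
the same host inside a time window, scored by simple rules, and at High risk
turned into the response steps the deck shows: quarantine the IP at the network
(NSM), quarantine the endpoint and launch an AV scan (ePO). Connector objects
record actions instead of calling product APIs.
"""
from datetime import datetime, timedelta

# Constructed reputation feed: ip -> (verdict, category). Absent IPs are unknown.
REPUTATION = {
    "198.51.100.7": ("BAD", "Botnet/DDoS"),
    "203.0.113.20": ("SUSPECT", "Network Probing"),
}

T0 = datetime(2013, 10, 17, 9, 0)
# Constructed flows: (ts, src_ip, dst_ip, dst_port, bytes_out)
FLOWS = [
    (T0, "10.0.0.5", "198.51.100.7", 443, 12_000),                     # BAD peer
    (T0 + timedelta(minutes=3), "10.0.0.8", "203.0.113.20", 22, 800),   # SUSPECT, no nearby event
    (T0 + timedelta(minutes=4), "10.0.0.9", "203.0.113.20", 80, 500),   # SUSPECT + IPS event
    (T0 + timedelta(minutes=5), "10.0.0.9", "192.0.2.30", 443, 2_000),  # unknown peer, ignored
]
# Constructed events: (ts, host_ip, sensor, message)
EVENTS = [
    (T0 + timedelta(minutes=4, seconds=10), "10.0.0.9", "NSP", "IPS: shellcode pattern in HTTP response"),
    (T0 + timedelta(hours=2), "10.0.0.8", "HIPS", "blocked registry write"),   # outside the window
]


def related_events(host, ts, events, window=timedelta(minutes=5)):
    """Events from the same host within +/- window of the flow timestamp."""
    return [e for e in events if e[1] == host and abs(e[0] - ts) <= window]


def correlate(flows, events, reputation):
    """Return one alarm per flow whose peer has a reputation entry.

    Rules (the example's own, not GTI's scoring): BAD peer -> High; SUSPECT peer
    -> Medium, raised to High if a sensor event on the same host is nearby.
    """
    alarms = []
    for ts, src, dst, port, _bytes in flows:
        rep = reputation.get(dst)
        if rep is None:
            continue
        verdict, category = rep
        risk = "High" if verdict == "BAD" else "Medium"
        hits = related_events(src, ts, events)
        if hits:
            risk = "High"
        alarms.append({"ts": ts, "host": src, "peer": dst, "port": port,
                       "category": category, "risk": risk,
                       "evidence": [e[3] for e in hits]})
    return alarms


class Connector:
    """Simulated NSM/ePO endpoint: records (action, target) instead of calling an API."""

    def __init__(self, name):
        self.name, self.actions = name, []

    def do(self, action, target):
        self.actions.append((action, target))


class Orchestrator:
    """Turns alarms into ordered response actions, at most once per host per cooldown."""

    def __init__(self, nsm, epo, cooldown=timedelta(hours=1)):
        self.nsm, self.epo, self.cooldown = nsm, epo, cooldown
        self.last_action = {}
        self.log = []

    def handle(self, alarm):
        self.log.append(("trigger_alarm", alarm["host"], alarm["risk"]))
        if alarm["risk"] != "High":
            return []
        last = self.last_action.get(alarm["host"])
        if last is not None and alarm["ts"] - last < self.cooldown:
            return []                       # already contained; do not re-quarantine
        self.last_action[alarm["host"]] = alarm["ts"]
        steps = [(self.nsm, "quarantine_ip", alarm["peer"]),
                 (self.epo, "quarantine_endpoint", alarm["host"]),
                 (self.epo, "launch_av_scan", alarm["host"])]
        for connector, action, target in steps:
            connector.do(action, target)
        return [(c.name, a, t) for c, a, t in steps]


if __name__ == "__main__":
    nsm, epo = Connector("NSM"), Connector("ePO")
    orch = Orchestrator(nsm, epo)
    for alarm in correlate(FLOWS, EVENTS, REPUTATION):
        print(alarm["risk"], alarm["host"], "->", alarm["peer"], orch.handle(alarm))
```

Two design points matter in practice: the network-side quarantine is issued before the endpoint actions so the command-and-control path is cut even if the endpoint agent is slow or offline, and the per-host cooldown keeps a burst of repeated alarms from re-issuing the same containment commands.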
McAfee ESM
• Unmatched speed: industry’s fastest SIEM
– 100x to 1,000x faster than current solutions
– Queries, correlation and analysis in minutes, not hours
• Unmatched scale: collect all relevant data, not selected subsets
– Analyze months and years of data, not weeks
– Include higher-layer context and content information
– Scales easily to billions of data records
• Improves operational efficiencies and optimizes security
• Enhances visibility and control of risk and helps you stay compliant with regulations
• Demonstrates measurable ROI and reduced TCO by delivering an easy-to-use, scalable next-generation SIEM solution
McAfee ESM: 2013 Market Leadership and Recognition
• SIEM Magic Quadrant “Visionary Leader” – Gartner 2012 & 2013 SIEM Magic Quadrant
• “Fastest database in the business, truly creative front end” – SC Magazine, Excellent value for the money, February 2012
• “Best log management solution” – InfoWorld 2011 Technology of the Year, January 2011
• “ESM has attained tier-one status alongside larger organizations” – Ovum, Technology Audit, July 2011
• “One of the most useful and seamless incident response-focused SIEM products available today” – The 451 Group, Impact Report, June 2010
• “Top performance, 2nd lowest price” – Info-Tech Research Group Vendor Landscape, June 2011
Summary: Actionable Situational Awareness from McAfee ESM
ESM ALLOWS YOU TO… MOVE FAST, LEARN QUICKLY, ACT DECISIVELY
Demo