Transcript Document
The Need for Efficiency
Security Connected
Franklin Sujo, CISSP
SE East Commercial Sector
[email protected]
McAfee Confidential
A Nasty Math Problem
Security Challenges: virtual environment; decreased/flat budgets; limited or untrained resources; changing business demands; unplanned compliance and reporting requirements.
Attack surface shown in the figure: USB, email, SAN, smart phone, PC, laptop, tablet, wireless, database, VoIP, apps, servers, routing/switching, cloud, embedded devices.
• 469,000 unique malware samples discovered weekly
• 83% of organizations hit by Advanced Persistent Threats
• Flat to down IT/IS budgets
• Flat number of trained practitioners
• Connected devices: 12.5 billion today, 25 billion by 2015, 50 billion by 2020
Source: Cisco ISBG IoE Report
Firm or Fixed Function Devices and IoT
An onslaught of uncounted devices
Advanced Targeted Attacks
The reality
Figure: timeline of an advanced targeted attack (Attack > Compromise > Discovery > Containment), showing the share of incidents whose compromise-to-discovery and discovery-to-containment intervals fall into each bucket (minutes, hours, days, weeks, months, years).
• $8,769 / incident
• $3,840,988 / year
• 1.2 incidents / day
Sources: Verizon 2013 Data Breach Investigations Report; Securosis Malware Analysis Quant Metrics Model
Fragmented Security Industry
Decreased integration and automation opportunities
Figure: point products added one after another over time: Endpoint Protection, Firewall, Gateway Security, Network IPS, Compliance, Data Protection, Mobility, SIEM.
History of Defining Architecture
– Inventor of the world’s most widely used computing architecture
– Defining countless standards used in everyday lives, ranging from USB, WiFi, to IoT
– Top 10 Most Influential Brands in the World
Largest Dedicated Security Provider
– Broadest security product coverage in the industry
– Complete portfolio focused upon security
– Leadership position in 6 of 8 Gartner Security Magic Quadrants
Delivering a Next Generation Security Architecture
– Defining innovative industry approaches for collaborative and adaptive security architecture
– Introducing security integrations which are sustainable and reaching broadly
– Developing capabilities for new security paradigms in areas such as Software Defined Datacenter, Cloud, and IoT
McAfee Security Connected Evolution
Achieving A Connected Ecosystem
Consolidating Architectures
Challenge:
• Operational Complexity
• Console Sprawl
Need:
• Easier Deployment
• Broader Adoption
Deliverables:
• Console Consolidation
• Fewer Agents
Value:
• Easier Policy Management
• Reduced Computing Resources
Products in the figure: Mail Gateway, Intrusion Prevention, Web Gateway, DLP, Firewall, Advanced Malware, Compliance, SIEM, Endpoint.
McAfee Security Connected Evolution
Achieving A Connected Ecosystem
Consolidating Architectures (as on the previous slide)
Challenge: Operational Complexity; Console Sprawl
Need: Easier Deployment; Broader Adoption
Deliverables: Console Consolidation; Fewer Agents
Value: Easier policy management; Reduced computing resources
Achieving Return on Investment
Challenge:
• Reduced Budgets
• Greater Operational Expense
• Reduced Staffing
Need:
• Self Provisioning
• Reduced Infrastructure Overhead
Deliverables:
• Virtual / Cloud Security
• Fewer Appliances
• Reduced Vendor Footprint
Value:
• Significantly Reduced TCO
• Simplified Operational Experience
Products in the figure: Mail Gateway, Intrusion Prevention, Web Gateway, DLP, Endpoint, SIEM, Firewall, Advanced Malware, Compliance.
McAfee Security Connected Evolution
Achieving A Connected Ecosystem
Achieving Return on Investment (as on the previous slide)
Challenge: Reduced Budgets; Greater Operational Expense; Reduced Staffing
Need: Self Provisioning; Reduced Infrastructure
Deliverables: Virtual / Cloud Security; Fewer Appliances; Reduced vendor footprint
Value: Significantly reduced TCO; Simplified operational experience
Connected Services Framework
Challenge:
• Siloed Technology Failures
• Complex Attacks
Need:
• Coordinated Response
• Adaptive Security Environment
Deliverables:
• Data Exchange Framework
• Standardized Integration Model
Value:
• Sustainable Integration Models
• Adaptive Protection
Products in the figure: Mail Gateway, Intrusion Prevention, Web Gateway, DLP, Endpoint, SIEM, Firewall, Advanced Malware, Compliance.
McAfee Security Connected Evolution
Debunking Common Obstacles
A Connected Services Architecture Is Not…
• A Single Vendor Solution
• A Monolithic Architecture
• The Continuous Addition of New Technologies
• A New Environment Requiring More Resources to Maintain
• Massive Rip/Replace of Security Infrastructure
Security Connected
Getting more measurable results per labor hour
Capabilities delivered by a single host agent and console:
• Continuous Diagnostics and Mitigation
• Dynamic Whitelisting
• Real-time file and directory level change control
• Rootkit, BIOS, device driver, hypervisor, MBR change detection/prevention
• Processor-enabled KVM without KVM switch
• USB, Bluetooth, Ethernet, Infrared, other Device Control
• Data Leakage Prevention
• Processor-Accelerated Encryption (System & File/Folder)
• Host Intrusion Prevention
• Anti-Virus
• Auditing and Compliance Reporting
• Systems Management
• FIPS and Common Criteria certification
• Section 508 Compliance
McAfee ePO Server: continuously monitoring over 7M USG and DIB endpoints today. Single agent, single console.
The Power of Optimization
Reduced effort, increased security posture
Non-optimized environment (seven separate steps):
• Discover Active Botnet Traffic
• Identify Impacted User/Host
• Verify Host Security Configuration
• Review Host Security Events
• Review Host Vulnerability Assessment
• Investigate Host Network Events
• Block Identified Attacker from Network
Optimized environment (one step):
• Review Centralized Security Dashboard

                      Non-optimized      Optimized
Consoles required     7 consoles         1 console
Resources required    4 resources        1 resource
Time required         7.5 hrs            36 mins
Effectiveness         Low/Moderate       High
The Data Exchange Layer
The new information-sharing ecosystem
The Data Exchange Layer
The new information-sharing ecosystem
An innovative, real-time, bi-directional communications fabric providing product integration simplicity.
Security components operate as one to immediately share relevant data among endpoint, gateway, and other security products, enabling security intelligence and adaptive security.
The data exchange layer is analogous to the nervous system, dedicated to time-sensitive communication and operating alongside the arteries.
Data types shown in the figure: BPM, Asset, Identity, Risk, Threat, Activity, Location, Data.
THE SECURITY CONNECTED FRAMEWORK: ADAPTIVE SECURITY ARCHITECTURE
McAfee Data Exchange Layer
The new information-sharing ecosystem
Fabric: Real-time messaging infrastructure for security products.
Data: Provides enterprise security state and context. Includes information about devices, users, location, reputation, and more.
Clients: Security products that use the data exchange layer to publish or consume information.
Figure labels: Real-Time Messaging, Common Content, Adaptive Workflows.
McAfee Threat Intelligence Exchange
Global Threat Intelligence
Utilizing Intel Security’s global footprint to your organizational advantage
Figure: sensor sources feeding McAfee Global Threat Intelligence, with the reputation query volumes shown next to each:
• Network IPS: 55B IP Reputation queries/mo.
• Firewall: 55B IP Reputation queries/mo.
• Web Gateway: 8B Web Reputation queries/mo.
• Mail Gateway: 260M Msg Reputation queries/mo.
• Host AV: 2B Malware Reputation queries/mo.
• Host IPS: 55B IP Reputation queries/mo.
• Public Records: Geo Location Feeds
Collective Threat Intelligence
Apply the power of knowledge
Figure: the McAfee Threat Intelligence Exchange Server at the center, fed by three tiers of intelligence:
• Organizational Intelligence: Administrator, Organizational Knowledge, Other Data Sources (Future)
• Local Threat Intelligence: McAfee Web Gateway, McAfee Email Gateway, McAfee Network Security Platform, McAfee Endpoint Agent, McAfee Advanced Threat Defense, McAfee Next Generation Firewall
• Global Threat Intelligence: McAfee Global Threat Intelligence, Third-Party Feeds
Threat Intelligence: assemble, override, augment, and tune the intelligence source information.
Actionable Security Decisions
Figure: Local Context, Personalized Threat Intelligence, and Tunable Policy feed a Classification Decision with variable degrees of risk tolerance. Possible outcomes:
• Execute
• Prevent and Remediate
• Prevent and Quarantine
• Submit to Application Sandboxing
The Role of Threat Intelligence Exchange
It’s not always black and white. There are some shades of grey.
Metadata Sources
• System properties: Example: run from recycle bin.
• Reputations: Example: McAfee Global Threat Intelligence, McAfee Advanced Threat Defense, administrator overrides.
• Enterprise-wide properties: Example: New in environment? Prevalent?
Risk indicators shown in the figure: File Is New, Loads as Service, Low Prevalence, Packed Suspiciously, Revoked Certificate, Runs From Recycle Bin.
On execution, McAfee Threat Intelligence Exchange rules apply this metadata to a set of conditions that indicate risky behavior.
Threat Intelligence Exchange
Adapt and Immunize — From Encounter to Containment in Milliseconds
Figure: the Data Exchange Layer connects McAfee Global Threat Intelligence, the McAfee TIE Server, McAfee ATD, 3rd Party Feeds and McAfee ePO with the endpoint (VirusScan® Enterprise Threat Intelligence Module, McAfee TIE Endpoint Module). Execution is allowed (YES) or blocked (NO) based on conditions such as:
• File age hidden
• Signed with a revoked certificate
• Created by an untrusted process
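To make the "shades of grey" decision from the last two slides concrete, here is an added example (not McAfee's code and not TIE's actual rule engine) that scores the risk indicators the slides list and maps the score to the outcomes from the Actionable Security Decisions slide under two hypothetical risk tolerances. The field names, weights and thresholds are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical metadata a TIE-style rule set weighs on execution (constructed
# for this example; field names are not McAfee's data model).
@dataclass(frozen=True)
class FileMetadata:
    gti_reputation: Optional[int]  # global reputation 0..100, low = bad; None = unknown
    admin_override: Optional[str]  # organizational knowledge: "trusted", "malicious" or None
    prevalence: int                # enterprise hosts that have seen this file
    age_days: Optional[int]        # None = file age hidden
    packed: bool                   # packed suspiciously
    cert_revoked: bool             # signed with a revoked certificate
    runs_from_recycle_bin: bool
    parent_trusted: bool           # created by a trusted process

@dataclass(frozen=True)
class Tolerance:
    sandbox_at: int  # assumed tunable policy: score at which to hold and sandbox
    block_at: int    # score at which to prevent and quarantine

CONSERVATIVE = Tolerance(sandbox_at=1, block_at=3)
PERMISSIVE = Tolerance(sandbox_at=3, block_at=5)

def risk_score(m: FileMetadata) -> int:
    """Count the risky-behavior conditions present (assumed weights; revoked cert weighs 3)."""
    score = 0
    score += 1 if m.gti_reputation is None else 0  # no global verdict
    score += 1 if m.prevalence <= 1 else 0         # new / low prevalence in this environment
    score += 1 if m.age_days is None else 0        # file age hidden
    score += 1 if m.packed else 0
    score += 3 if m.cert_revoked else 0
    score += 1 if m.runs_from_recycle_bin else 0
    score += 0 if m.parent_trusted else 1
    return score

def decide(m: FileMetadata, tol: Tolerance) -> str:
    """Return EXECUTE, SUBMIT_TO_SANDBOX or PREVENT_AND_QUARANTINE."""
    if m.admin_override == "trusted":       # administrator overrides win
        return "EXECUTE"
    if m.admin_override == "malicious":
        return "PREVENT_AND_QUARANTINE"
    if m.gti_reputation is not None and m.gti_reputation <= 15:
        return "PREVENT_AND_QUARANTINE"     # known bad is black, not grey
    score = risk_score(m)
    if score >= tol.block_at:
        return "PREVENT_AND_QUARANTINE"
    if score >= tol.sandbox_at:
        return "SUBMIT_TO_SANDBOX"          # grey: hold and analyze
    return "EXECUTE"
```

The same unknown file can be sandboxed under the conservative tolerance and allowed under the permissive one, which is the "variable degrees of risk tolerance" the deck refers to.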
Instant Protection Across the Enterprise
Gateways block access based on endpoint convictions
Proactively and efficiently protect your organization as soon as a threat is revealed.
Security components operate as one to immediately share relevant data between endpoint, gateway, and other security products.
Figure: the Data Exchange Layer connects McAfee NGFW, McAfee Global Threat Intelligence, the McAfee TIE Server, McAfee NSP, McAfee Web Gateway, McAfee Email Gateway, McAfee ATD, 3rd Party Feeds, McAfee ePO and McAfee ESM with the endpoint (VirusScan® Enterprise Threat Intelligence Module, McAfee TIE Endpoint Module).
Use Cases
McAfee Threat Intelligence Exchange in action
TIE Use case 1: Finding Patient 0
TIE Use case: Third Party Reputation lookup (VirusTotal)
Use Case: Analyzing the Unknown
McAfee Advanced Threat Defense: Dynamic and Static Analysis
Dynamic Analysis:
• Run Time DLLs
• Network Operations
• File Operations
• Process Operations
• Delayed execution
Static Analysis:
• Unpacking
• Disassembly of Code
• Calculate Latent Code
• Familial Resemblance
Use Case SIEM
Top Malicious File Offenders by IP and User
TIE View: Display of top IP and User offenders for malicious file executions.
SIEM View: Trends by day for User and IP.
Data flow in the figure: DXL TIE Client Events to the SIEM, with ePO supplying additional enrichment data (ex. GUID to IP).
Speed is to be enhanced with Agent Handler events sent directly to SIEM in Q4.
Customer Value: Quickly see the top IPs and users executing malicious files so action can be taken. Able to see trends by day/month/etc. Answers the question: Am I seeing more or fewer malicious files over time?
Use Case SIEM
New File on the Network
TIE Alarm: When a file TIE has never seen is identified on the network.
Data flow in the figure: DXL TIE Client Events to the SIEM, with ePO supplying additional enrichment data (ex. GUID to IP).
Customer Value: Once a file reputation baseline is established, this will proactively notify security admins when new executable files enter their network so they can do analysis and define the action to be taken.
Threat Intelligence Sharing
The Power Of Open
• Bridge the gap between the network and the endpoint
• Ability to share threat data between technologies
• Forward thinking: ability to pre-emptively import threat data collected by the security community
• STIX & TAXII
• Empower the administrator to make security decisions on the risk level of files running in their environment
Data Exchange Layer
A common messaging bus for automated security intelligence and action
Figure: products connected over the Data Exchange Layer, grouped under CONTEXT & ORCHESTRATION and SECURITY MANAGEMENT: Mail Gateway, Web Gateway, Vulnerability Management, Identity Management, Database Security, App & Change Control, Mobile Security, IPS, HIPS, Data Protection, Network Firewall, Anti-Malware, Virtualization, Encryption, Access Control, Threat Analysis.
McAfee Threat Intelligence Exchange
Adaptive Security Against Targeted Attacks
Figure: McAfee Threat Intelligence Exchange combines three tiers of intelligence:
• GLOBAL THREAT INTELLIGENCE: McAfee Global Threat Intelligence, 3rd Party Feeds
• ORGANIZATIONAL INTELLIGENCE: Administrator, Organizational Knowledge, Other Data Sources (Future)
• LOCAL THREAT INTELLIGENCE: McAfee Web Gateway, McAfee NSP, McAfee Endpoint Client, McAfee Email Gateway, McAfee NGFW
Personalized Threat Intelligence: assemble, override, augment and tune the intelligence source information. Optimizing Security for Your Organization.
McAfee Threat Intelligence Exchange
Additional information:
https://community.mcafee.com/community/business/expertcenter/products/tie
Measuring Reduced TCO
Gains on both CAPEX avoidance as well as OPEX reduction and efficiencies
Figure: Security Connected framework layers (ANALYTICS, THREAT INTELLIGENCE, COUNTERMEASURES, SECURITY MANAGEMENT, CONTEXT & ORCHESTRATION, Hardware-Enhanced Security) with customer outcomes grouped as Improved Efficiency, Streamline Compliance, Reduced Costs, and Limited Liability.
Customers cited: US 2nd largest healthcare insurer and provider; world’s largest transportation provider; 2nd largest bank & brokerage in the US; New York City.
Reported results:
• Decreased network utilization 10%
• Saved 15% in annual audit/compliance cost
• NYC to save $18M over five years
• Saved $1.5M in annual PCI remediation cost, without implementing anything more
• Saved $22M; addressed glaring public issue
• Saved over $1M in annual helpdesk calls
http://www.mcafee.com/us/resources/case-studies/cs-new-york-dept-of-it-telcom.pdf