Next Generation Network Security Andrew Hoerner, Director, Product Marketing

Confidential McAfee Internal Use Only

“Borderless network… Effectively extend trust boundaries?”

“100’s of new applications… See & control use?”

“Data center project… Improve protection… Consolidate vendors?”

“Advanced Threats (APTs, Botnets, Insider Risk)… Best practice prevention?”

Recent Customer Conversations…

“…Upgrading the data center…”

“…Consumerization of IT…”

“…Targeted attacks & Advanced Persistent Threats…”

“…Visibility & control of applications…”

“…Need more accurate IPS/IDS…”

“…Guest & contractor access…”

“…My firewall is EOL…”

“…Security shouldn’t be the brakes…”

Network Security Isn’t Adapting to Change

Symptoms

Incident costs increasing

Data center security under-performing

Advanced Persistent Threats a concern

Security policy hard to enforce

Excessive IDS/IPS alerts

Firewall rules hinder change management

Frequent refresh of security hardware

Changes Create Pressure Points, Complications Create Risk

Projects Impacting Network

SaaS (Agility)

15% 32%

Outsource (Reduce CapEx)

Virtualization (Reduce OpEx)

30% 49%

Hosting (Better Quality)

Mobile Web (Improve Productivity)

200%

Complications

Targeted and Advanced Persistent Threats (APTs)

Consumerization of IT

Severe Economic Constraints

Evolving Threats

Passive Layered Attack: exploit via drive-by-download

• Exploit, Infect

• Data leak

• C&C execute

• Propagate

“Insider Initiated”

Download

SPAM, Search, Social Network, etc.

Social Engineering: follow link to malicious site

“Insider Initiated”

Active Layered Attack: exploit targeted vulnerability

Scan/Exploit - Server/vulnerability

• Infect

• C&C Upgrade

• Propagate

“Outside Attacker Initiated”

Anatomy of an attack

Date: Tue, 10 Dec 2008 06:58:13 -0700 (PDT)

From: John Doe <[email protected]>

To: [email protected]

Subject: 7th Annual U.S. Defense Conference

7th Annual U.S. Defense Conference

1-2 Jan 2009

Ronald Reagan Building and International Trade Center

Washington, DC

Download 2009 Conference Preliminary Program (PDF)

http://conferences.satellite-stuff.net/events/MDA_Prelim_09.zip

Download 2009 Conference Registration Form (PDF)

http://conferences.satellite-stuff.net/events/MDA09_reg_form.zip

Contact: John Doe

Contractor Information Systems

(703) 555-1234

[email protected]

Conventional Approach to Network Security

Ticket Oriented Resolution: How to get to resolution? File tickets. Wait.

Protection Focused on Identifying Attack Packets: How to protect? Find attack packets on wire.

Configuration Focused on Features: How to implement policy? Rely on product features.

Multi-Vendor Strategies: Defense in Depth? Manage multiple silo’d products.

The Maturity Model of Enterprise Security

SECURITY OPTIMIZATION

OPTIMIZED (~4% of IT Budget on Security)

REACTIVE (~3% of IT Budget on Security)

COMPLIANT/PROACTIVE (~8% of IT Budget on Security)

TCO

Security Posture

Optimized Network Security Adapts to Change

RISK

OPTIMIZATION

Optimized spend ~4%

Very low risk

Compliant/Proactive spend ~8% of IT budget on security

Medium risk

Reactive spend ~3% of IT budget on security

High risk

Why has it been so challenging to reduce risk?

DYNAMIC: Predictive and agile, the enterprise instantiates policy, illuminates events and helps the operators find, fix and target for response

Tools Based: Applying tools and technologies to assist people in reacting faster

REACTIVE and Manual: People only. No tools or processes. “Putting out fires”

McAfee ePO integrated products, plus GRC and GTI

Point products for System, network and data

REACTIVE & MANUAL

• Reactive tools

• Firewalls

• Log analysis

• Trouble tickets

• Ineffective change control

• Ad hoc firewall rules

• Audit findings

COMPLIANT

• Point products

• IDS (compliance)

• SI/EM (logs)

• Structured firewall rule management

• Standard configurations

• Distributed consoles/mgmt

• Tedious audit preparation

PROACTIVE

• Integrated tools

• IPS (threats)

• SI/EM (events)

• Automatic updates

• Automated firewall rule mgmt

• Centralized consoles/mgmt

• Streamlined compliance reports

OPTIMIZED

• Multi-layered, correlated solutions

• Predictive threat protection

• Policy-based control

• Proactive management

• Extensible architecture

• Automated compliance

New Requirements for Optimized Network Security

Ticket Oriented Resolution → Proactive Management: Turn days of process into clicks

Protection Focused on Identifying Attack Packets → Predictive Threat Protection: Characterize future threats today

Configuration Focused on Features → Policy-Based Control: Focus on real organization, people, applications, usage

Multi-Vendor Strategies → Extensible Architecture: Integrated, collaborative, easily add new capabilities

When Optimized: Low Effort, Low Risk

Not Optimized: High Effort, High Risk

Protecting Critical Data Center from ZeuS Malware

Malware infects, McAfee Labs IDs, updates website reputations…

…Threat dissected, analyzed…

…Predictive action stops threat

Malware infects websites

Malware hits network

Wait on signature

Apply signature, update signature

Future variants covered

Benefit: Protection meets (and beats) hacker’s timelines, reduces alerts

Predictive Threat Protection with IPS + GTI

Controlling Google Calendar Use Before a Merger

User directory auto-imports groups…

Profiler sees similar rule. 1 click to add. Avoid duplicate

Hours or days to review, deploy

Identify M&A team

Map users to network address

Create new rule (duplicate?)

Weeks to review, test, deploy. Repeat?

New M&A members automatically added

Benefit: No need to map network topology to user, protects critical data

Policy-Based Control with Next Gen Firewall

When Optimized: Low Effort, Low Risk

Not Optimized: High Effort, High Risk

Blocking Bot Command and Control Traffic

Right click to get details from management console

Right click to scan and patch

Visual view of traffic and connections

See Bot activity on network

Hours: open ticket w/ system team

Days: open ticket to plan outage/upgrade

Weeks: detailed review of network events

Have a second cup of coffee

Benefit: Eliminates days and weeks of effort while improving time to resolution

Proactive Management in Action

When Optimized: Low Effort, Low Risk

Not Optimized: High Effort, High Risk

McAfee: Optimized Network Security Solutions

GLOBAL THREAT INTELLIGENCE

ePO

NBA, Web, IPS, SIA, NDLP, Risk Advisor, Email, Firewall, NAC

Network IPS: Top selling, best performing

Firewall: Most secure, new next gen features

NAC: integrated with IPS

NBA: cost-effective network visibility

NDLP: more important than ever

What It Takes to Make An Organization Safe

Global Threat Intelligence

Email Address

Mail Activity

URL

Sender Reputation

Threat Reputation

Network IPS, Firewall, Web Gateway, Host AV, Mail Gateway, Host IPS, 3rd Party Feed

300M IPS Attacks/Mo.

2B Botnet C&C IP Reputation Queries/Mo.

20B Message Reputation Queries/Mo.

2.5B Malware Reputation Queries/Mo.

Geo Location Feeds

GTI

Optimized = Lower Total Cost of Ownership

Summary of Financial Results (Risk-Adjusted)

Return on Investment (ROI): 142%

Payback Period: Within 5 Months

Total Costs (Present Value): ($244,659)

Total Cost Savings and Benefits (PV): $593,276

Total (Net Present Value): $348,617

Full Forrester TEI report based on McAfee customer data available here.

Optimized Network Security: Solves Root Issues, Symptoms Disappear

Results

Incident costs decreasing

Data center security outperforms at lower cost

Advanced Persistent Threat protection

Policy in business terms, easy to enforce

IPS alerts minimized, staff re-allocated

Firewall rules streamline change management

Long life reduces CapEx for security hardware

While We’ve Been Chatting…

Our global sensor grid characterized 229 unique pieces of malicious or unknown code, based on:

570,000 file reputation queries

460,000 IP reputation queries

69,000 attacks were stopped by McAfee IPS across all our customers

Eliminated 64 trouble tickets and 8 critical escalations for our customers

Thank you for your time

Questions?

Email [email protected]

More info at:

www.mcafee.com/networkdefense
