McAfee Security Management: Adaptive Security Model & Threat Intelligence Exchange
David O’Berry, CSSLP, CISSP-ISSAP, ISSMP, CRISC, MCNE
Worldwide Technical Strategist
Security Obstacles Facing Organizations
• TARGETED ATTACKS: Attacks are becoming more sophisticated, autonomous and stealthy and are specifically designed to penetrate existing security controls, including security processes and people.
• SILOED SECURITY ORGANIZATIONS: Separate organizations utilizing point products, from multiple vendors, operating in functional silos with no intelligence sharing.
• LACK OF VISIBILITY: Too much data and not enough intelligence makes visibility into threats challenging. Reactive security infrastructure lacks the timely intelligence needed to identify threats.
Challenge Presented by Targeted Attacks
Advanced targeted attacks: Attack, Compromise, Discovery, Containment
Compromise to discovery:
• Minutes 2%
• Hours 9%
• Days 11%
• Weeks 12%
• Months 64%
• Years 4%
Discovery to containment:
• Hours 19%
• Days 42%
• Weeks 14%
• Months 23%
Sources: Verizon 2013 Data Breach Investigations Report; Securosis Malware Analysis Quant Metrics Model
Where Security Professionals Spend Their Time
• Detection 35%
• Protection / Timely Block 22%
• Chasing False Positives 20%
• Breach Notification 11%
• Damage Repair 9%
• Other 3%
Source: McAfee Survey at Black Hat USA 2013
Quantifying The Impact of Targeted Attacks
• Downtime
• Brand Impact (priceless)
• Data Loss
• Intellectual Property Leakage
Quantifying The Impact
Retail Example [1]:
• Sales down 46%
• Profits down 34%
• Costs so far: US $61M
• Possible fines: US $400M to $1.1B
• Brand impact: priceless
• Global annual cost of cybercrime: US $400 billion [2]
• Average cost of 2013 attack: US $11.6 million [3]
• Number of successful attacks: 122 per week per company [3]
Sources:
1. http://online.wsj.com/news/articles/SB10001424052702304255604579406694182132568
2. McAfee, “Net Losses: Estimating the Global Cost of Cybercrime,” June 2014
3. Ponemon Institute 2013 Cost of Cyber Crime study
World’s Biggest Data Breaches: The Resulting Impact (2004–2013)
Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
[Chart: breaches plotted by year and sized by records lost, colour-coded by cause: Accidentally Published, Hacked, Inside Job, Lost/Stolen Media, Poor Security, Lost/Stolen Computer, Unknown, Virus. Entries shown with record counts: Adobe 152,000,000; Ebay 145,000,000; Heartland 130,000,000; Target 110,000,000; TK/TJ Maxx 94,000,000; AOL 92,000,000; Sony PSN 77,000,000; US Military 76,000,000; Living Social 50,000,000; Evernote 50,000,000; Cardsystems Solutions Inc 40,000,000; RockYou! 32,000,000; US Dept of Vet Affairs 26,500,000; UK Revenue & Customs 25,000,000; AOL 24,000,000; Yahoo 22,000,000; Korea Credit Bureau 20,000,000; Action.co.kr 18,000,000; T-Mobile Deutsche Telecom 17,000,000; Blizzard 14,000,000; Apple 12,367,232; GS Caltex 11,100,000; Dai Nippon Printing 8,637,405; NHS 8,300,00; Facebook 6,000,000; Ubisoft “unknown”. Many further entries (Scribd, Washington State court system, Ubuntu, Nintendo, South Africa police, Central Hudson Gas & Electric, Drupal, SnapChat, NASDAQ, Neiman Marcus, MacRumors.com, LexisNexis, Sony Online Entertainment, Medicaid, US Dept of Defense, University of Utah Hospitals & Clinics, Citigroup, Blue Cross Blue Shield of Tennessee, BNY Mellon Shareowner Services, South Shore Hospital Massachusetts, Triple-S Salud Inc., JP Morgan Chase, Emergency Healthcare Physicians Ltd., New York City Health & Hospitals Corp., Lincoln Medical & Mental Health Center, Educational Credit Management Corp, Advocate Medical Group, Health Net, California Dept. of Child Support Services, Nemours Foundation, Memorial Healthcare System, IBM, Morgan Stanley Smith Barney, University of Miami, Starbucks, Gap Inc., AT&T, AvMed Inc., US National Guard, Colorado Government, Tricare, Florida Courts, Crescent Health Inc., Walgreens, Stanford University, Sutter Medical Foundation, Spartanburg Regional Healthcare System, Eisenhower Medical Center, US Law Enforcement, Chile Ministry of Education, Jefferson County, Norwegian Tax Authorities, Yale University, State of Texas, Military singles.com, Linkedin, eHarmony, Last.fm, Formspring, TerraCom & YourTel, Stratfor, US Army, KT Corp) appear without record counts.]
We Must Shift to Adaptive Security
CURRENT REALITY
• Increasingly complex and sophisticated threat landscape
• Abundance of data with disparate security tools providing little “real” security intelligence
• Malware-centric protection
• Post-exploit indicators of compromise with little breach prevention
A NEW, ADAPTIVE APPROACH
• Shift from singular threat to continuous protection
• Controls share data and orchestrate responses enabling automated security intelligence
• Relevant, rich, real-time contextual analytics
• Pre-exploit indicators of attack
For Clarity, Confidence, and Control
Adaptive Security Model
Turning data into actionable security intelligence
• Adaptive Threat Prevention
• Adaptive Risk Management
Clarity, Confidence, Control
Clarity to Drive Better, Faster Decisions
Current state vs. adaptive approach
CURRENT STATE: Limited scope. Limited point-in-time context. [Diagram: Product 1, Product 2 and Product 3 shown as separate point products.]
Result: Limited, reactive visibility and threat protection
ADAPTIVE APPROACH: Continuous monitoring and contextual analytics
Result: Faster, more proactive awareness of threats and anomalous events
Confidence to Act: Derive knowledge and perspective from multiple sources
• Global Intelligence (global scale)
• Company-Specific Intelligence
• Human Organizational Intelligence (organizationally relevant focus)
Confidence to Act: Boost confidence with risk scoring, automation, watch lists and alerting
Gain confidence to act:
• Distillation and prioritization
• Risk scoring and customizable tuning
• Increased automation
• Focus on what matters most
States / Events → Clarity from Context → Triage and Prioritize
Control to Instantly Take Integrated Action: Standardize integration and communication to break down operational silos
DISJOINTED API-BASED INTEGRATIONS
Result: Slow, heavy and burdensome; complex and expensive to maintain; limited vendor participation; fragmented visibility
COLLABORATIVE FABRIC-BASED ECOSYSTEM (DXL)
Result: Fast, lightweight and streamlined; simplified and reduced TCO; open vendor participation; holistic visibility
GTM Positioning: Security Management Portfolio Stack (from abstract to concrete)
• Business Partner Portal / Self-Service Portal
• Enterprise-wide Visibility and Correlation (ESM, TIE)
• Operational Control (ePO, incl. Mobile, supporting Point Product Mgt extensions)
• Secure communications (DXL, legacy comms)
• On-Device Controls (Agent technologies supporting point products)
Changing World of Operational Management: Services not Servers
[Diagram: ePO1, ePO2 and ESM shown first on their own, then alongside a shared TIE Service.]
Threat Radar = Answering The Question Why?
• Industrial Threats Will Mature
• Hacktivism: Reboot or be Marginalized
• Windows 8: BIOS and Hardware Attacks
• Mobile Botnets, Rootkits, and Attack Surface…Oh MY!
• Rogue CERTs: Rooting Trust
Next generation data centers - the utility computing vision
[Diagram: a large-scale virtualized utility fabric (switched fabric, processing elements, storage elements, infrastructure on demand) providing application services to millions of users. Multi-tiered applications reached from the internet and intranet: access tier (edge routers, routing switches, authentication, DNS, intrusion detection, VPN, web cache, 1st level firewall); web tier (2nd level firewall, load balancing switches, web servers, web page storage (NAS)); application tier (application servers, files (NAS), switches); database tier (database SQL servers, storage area network (SAN), switches).]
Common Language(s)
• MITRE has been working with Industry to develop common structures
– STIX
– CybOX
– TAXII
– CAPEC
– MAEC
– OVAL
• Implementations are still immature but there is a gathering storm…
• Analysts must have a firm grasp of this entire space…
Cyber Threat Intelligence
Consider These Questions…
• What activity are we seeing?
• What threats should I be looking for and why?
• Where has this threat been seen?
• What does it do?
• What weaknesses does this threat exploit?
• Why does it do this?
• Who is responsible for this threat?
• What can I do?
That Machines Can Use Too

<?xml version="1.0" encoding="UTF-8"?>
<cybox:Observables xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:cybox="http://cybox.mitre.org/cybox_v1"
    xmlns:common="http://cybox.mitre.org/Common_v1"
    xmlns:FileObj="http://cybox.mitre.org/objects#FileObject"
    xsi:schemaLocation="http://cybox.mitre.org/cybox_v1 http://cybox.mitre.org/XMLSchema/cybox_core_v1.0(draft).xsd http://cybox.mitre.org/objects#FileObject http://cybox.mitre.org/XMLSchema/objects/File/File_Object_1.2.xsd"
    cybox_major_version="1" cybox_minor_version="0(draft)">
  <cybox:Observable>
    <cybox:Stateful_Measure>
      <cybox:Object id="cybox:A1" type="File">
        <cybox:Defined_Object xsi:type="FileObj:FileObjectType">
          <FileObj:Hashes>
            <common:Hash>
              <common:Type datatype="String">MD5</common:Type>
              <common:Simple_Hash_Value condition="IsInSet"
                  value_set="4EC0027BEF4D7E1786A04D021FA8A67F, 21F0027ACF4D9017861B1D021FA8CF76,2B4D027BEF4D7E1786A04D021FA8CC01"
                  datatype="hexBinary"/>
            </common:Hash>
          </FileObj:Hashes>
        </cybox:Defined_Object>
      </cybox:Object>
    </cybox:Stateful_Measure>
  </cybox:Observable>
</cybox:Observables>

<!--
  STIX Indicator w/ Snort Example
  Copyright (c) 2013, The MITRE Corporation. All rights reserved.
  The contents of this file are subject to the terms of the STIX License located at http://stix.mitre.org/about/termsofuse.html.
  This example demonstrates a simple usage of STIX to represent indicators with a Snort test mechanism.
  This demonstrates the ability of STIX indicators to represent external test mechanisms within an indicator.
  It demonstrates the use of:
  * STIX Indicators
  * STIX TestMechanisms
  * Extensions (Snort)
  * Controlled vocabularies
  Created by Mark Davidson
-->
<stix:STIX_Package xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
    xmlns:testMechSnort="http://stix.mitre.org/extensions/TestMechanism#Snort-1"
    xmlns:example="http://example.com/"
    xsi:schemaLocation="http://stix.mitre.org/stix-1 ../stix_core.xsd http://stix.mitre.org/Indicator-2 ../indicator.xsd http://stix.mitre.org/default_vocabularies-1 ../stix_default_vocabularies.xsd http://stix.mitre.org/extensions/TestMechanism#Snort-1 ../extensions/test_mechanism/snort.xsd"
    id="example:STIXPackage-0935d61b-69a4-4e64-8c4c-d9ce885f7fcc"
    version="1.0.1">
  <stix:STIX_Header>
    <stix:Title>Example SNORT Indicator</stix:Title>
    <stix:Package_Intent xsi:type="stixVocabs:PackageIntentVocab-1.0">Indicators - Network Activity</stix:Package_Intent>
  </stix:STIX_Header>
  <stix:Indicators>
    <stix:Indicator xsi:type="indicator:IndicatorType" id="example:Indicator-ad560917-6ede-4abb-a4aa-994568a2abf4">
      <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.0">Exfiltration</indicator:Type>
      <indicator:Description>
        Indicator that contains a SNORT signature. This snort signature detects 'exfiltration attempts' to the 192.168.1.0/24 subnet.
      </indicator:Description>
      <indicator:Test_Mechanisms>
        <indicator:Test_Mechanism id="example:TestMechanism-5f5fde43-ee30-4582-afaa-238a672f70b1" xsi:type="testMechSnort:SnortTestMechanismType">
          <!-- From http://manual.snort.org/node29.html -->
          <testMechSnort:Rule><![CDATA[log udp any any -> 192.168.1.0/24 1:1024]]></testMechSnort:Rule>
        </indicator:Test_Mechanism>
      </indicator:Test_Mechanisms>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>
Sharing Solution
• Instead of 2% or less of attacks blocked, detected, or prevented, a much higher percentage of attacks are stopped
[Diagram: Org A and Many Trusted Orgs exchanging intelligence through a shared Intelligence Repository, steps 1 through 5.]
Iterative Real Time Loops – OODA Matters
The ability to make this world happen exists now…
It is not futures or fiction.
Coordinated Security: Pub/Sub Rules the New World
[Diagram: Nitro, ePO and MAP Servers exchanging data over the IF-MAP Protocol and Open Interfaces with SNMP/Syslog sources, Custom Integration, Routing, Switching, Wireless, Server or Cloud Security, IDS, Firewalls, IPAM, SIM/SEM, Asset Management System, AAA, ICS/SCADA Security, Physical Security, and Endpoint Security (via NAC).]
Current Standards Status
• Pilot group aka “Friends and Family”
– 25 Organizations Participating
• Vision Gaining Momentum
– Live at NH-ISAC
– Working with several others
• Released Version 1.2 to the group
– Focus on “installability”
• Enabled Collaboration
– Forums, Bug Tracker, Download System
• Conversion of Open Source Intel Feeds
– Approximately 14 sources
Automation Maturity
• Humans will always be in the loop
• Using STIX and TAXII repositories/gateways we can leverage already scarce talent
• Fewer analysts will have to develop their own signatures
• Using automation it is possible to move signatures faster
• Off the shelf COTS may not interoperate across vendors
• Open Source may require in-house development to automate information flow
• Ensuring security in information flow across systems??? Don’t let your security solution become the problem!
• But, can you trust Analysts/Incident Handlers in other organizations?
Data Exchange Layer (DXL) Use Case Example: Transforming Events Into Actionable Intelligence
Using Network Security Platform, Enterprise Security Manager, and ePO to Find and Remediate Potentially Compromised Systems
[Diagram: McAfee managed endpoints (including a nomadic endpoint at a Remote Site), ESM, TIE, ePO and ATD attached to DXL brokers; a DMZ broker serves MWG, NSP and the firewall. Components labelled: Network Security Platform, McAfee Web Gateway, Enterprise Security Manager, TIE Server, ePO, ATD.]
1. NSP detects botnet activity (a device trying to reach a botnet server)
2. NSP publishes event data to the message bus (IP address of the suspicious device and the IP address of the botnet server)
3. McAfee ESM searches for past connection attempts with the botnet server’s IP address
4. ESM publishes the list of suspected devices to the message bus
5. Infected devices are secured using a combination of solutions and methods
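The five-step exchange above as an added example, not McAfee's DXL code: a minimal in-process publish/subscribe bus in which an NSP-like publisher emits the botnet event, an ESM-like subscriber searches a connection log and publishes the suspect list, and an ePO-like subscriber records the remediation. Topic names, the IP addresses and the connection log are constructed for illustration.

```python
"""Added example (not McAfee's DXL implementation): an in-process pub/sub bus
that plays through the five use-case steps. Topic names, the IP addresses and
the ESM connection log below are constructed for illustration."""
from collections import defaultdict
from ipaddress import ip_address


class MessageBus:
    """Minimal topic-based publish/subscribe standing in for the DXL fabric."""

    def __init__(self):
        self.subscribers = defaultdict(list)
        self.history = []  # every published (topic, message), in order

    def subscribe(self, topic, handler):
        self.subscribers[topic].append(handler)

    def publish(self, topic, message):
        self.history.append((topic, dict(message)))
        for handler in list(self.subscribers[topic]):
            handler(message)


# Constructed ESM connection log: (source IP, destination IP, destination port)
CONNECTION_LOG = [
    ("10.1.1.10", "203.0.113.7", 443),
    ("10.1.1.22", "198.51.100.5", 80),
    ("10.2.5.31", "203.0.113.7", 8080),
    ("10.1.1.10", "198.51.100.9", 443),
]


def esm_subscriber(bus, connection_log):
    """Steps 3 and 4: on an NSP botnet event, search past connections to the
    botnet server's IP and publish the suspected devices."""
    def on_botnet_event(event):
        seen = {src for src, dst, _ in connection_log if dst == event["botnet_ip"]}
        seen.add(event["device_ip"])  # the device NSP caught is a suspect too
        bus.publish("esm/suspected_devices", {
            "botnet_ip": event["botnet_ip"],
            "devices": sorted(seen, key=ip_address),
        })
    return on_botnet_event


def epo_subscriber(actions):
    """Step 5: secure each suspected device; here the action is only recorded."""
    def on_suspected_devices(message):
        for device in message["devices"]:
            actions.append(("quarantine", device, message["botnet_ip"]))
    return on_suspected_devices


def run_use_case(device_ip, botnet_ip, connection_log=CONNECTION_LOG):
    """Steps 1 and 2: NSP detects botnet activity and publishes both IPs.
    Returns the remediation actions produced and the bus history."""
    bus, actions = MessageBus(), []
    bus.subscribe("nsp/botnet_activity", esm_subscriber(bus, connection_log))
    bus.subscribe("esm/suspected_devices", epo_subscriber(actions))
    bus.publish("nsp/botnet_activity", {"device_ip": device_ip, "botnet_ip": botnet_ip})
    return actions, bus.history
```

`run_use_case("10.9.9.9", "203.0.113.7")` quarantines the detected device plus the two hosts whose earlier connections to the same botnet IP appear in the log; the bus history is the audit trail a SIEM would keep of what was published and why.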
Adaptive Security in Action
• Countermeasures are really good at what they do
… and …
• They are completely blind to anything outside their plane of existence.
Orchestrated & automated responses to adapt faster than threats can evolve
Threat Intelligence Exchange
McAfee Threat Intelligence Exchange: Applying the power of knowledge
Threat Intelligence: Assemble, override, augment, and tune the intelligence source information.
• Organizational Intelligence: Security Administrators, SOC, IR
• Global Threat Intelligence: McAfee Global Threat Intelligence, Third-Party Feeds
• Local Threat Intelligence: McAfee Web Gateway, McAfee Email Gateway, McAfee Network Security Platform, McAfee Advanced Threat Defense, McAfee Next Generation Firewall, McAfee Endpoint Security, McAfee Enterprise Security Manager
• Other Data Sources: Future?
[Diagram: the sources above feed the McAfee Threat Intelligence Exchange Server.]
Cutting-Edge Endpoint Protection
Classification Decision inputs:
• Tunable Policy: Variable Degrees of Risk Tolerance
• Local Context
• Personalized Threat Intelligence
Resulting actions:
• Execute
• Prevent and Remediate
• Prevent and Quarantine
• Submit to Application Sandboxing
Any Given Thing is Just Suspicious … But Context and Additional Points of View Reveal Much
• File Is New
• Packed Suspiciously
• Low Prevalence
• Loads as Service
• Revoked Certificate
• Runs From Recycle Bin
Any Given Thing is Just Suspicious … But Context and Additional Points of View Reveal Much (continued)
The same attributes (File Is New, Packed Suspiciously, Low Prevalence, Loads as Service, Revoked Certificate, Runs From Recycle Bin) seen from additional points of view:
• Other File Characteristics
• GTI File Reputation
• GTI Certificate Reputation
• 3rd Party File Reputation
• 3rd Party Cert. Reputation
• Enterprise Prevalence (Occurrence)
• Enterprise Age (First Contact)
• Enterprise File Reputation
• Enterprise Cert. Reputation
• Endpoint Context
• Endpoint Detection Info.
• ATD Detection Info.
• Administrator Classifications
• Existing Files & Certificates
• New Files & Certificates
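An added example, not TIE's actual classifier, showing the decision the two slides above and the Cutting-Edge Endpoint Protection slide describe: the six file attributes and the reputation/context sources are combined into a suspicion score, an administrator classification overrides everything, and a department-specific risk-tolerance policy maps the score onto one of the four endpoint actions. Weights, thresholds, department names and the sample file are constructed for illustration.

```python
"""Added example (not TIE's real logic): turn the file attributes and
reputation sources on the slides into one of the four endpoint actions under
a tunable, department-specific risk tolerance. Weights, thresholds and the
sample file are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class FileContext:
    sha1: str
    gti_file_reputation: Optional[int]  # 0 (known bad) .. 100 (known good); None = unknown
    enterprise_prevalence: int          # endpoints in the enterprise that have seen the file
    enterprise_age_days: int            # days since first contact in the enterprise
    cert_revoked: bool = False
    packed_suspiciously: bool = False
    loads_as_service: bool = False
    runs_from_recycle_bin: bool = False
    admin_classification: Optional[str] = None  # "trusted" / "malicious" overrides all else


# Tunable policy: how much suspicion a department tolerates before acting
POLICIES = {
    "finance": {"sandbox_at": 2, "block_at": 4},      # low risk tolerance
    "engineering": {"sandbox_at": 4, "block_at": 6},  # higher risk tolerance
}


def suspicion_score(f: FileContext) -> int:
    """Each attribute alone is 'just suspicious'; the score is their combination,
    pulled down when global intelligence already vouches for the file."""
    score = 0
    score += 2 if f.cert_revoked else 0
    score += 2 if f.runs_from_recycle_bin else 0
    score += 1 if f.packed_suspiciously else 0
    score += 1 if f.loads_as_service else 0
    score += 1 if f.enterprise_age_days < 1 else 0      # file is new
    score += 1 if f.enterprise_prevalence <= 2 else 0   # low prevalence
    if f.gti_file_reputation is not None:               # global context
        if f.gti_file_reputation < 30:
            score += 2
        elif f.gti_file_reputation > 85:
            score -= 2
    return score


def classify(f: FileContext, department: str) -> str:
    """Return the endpoint action for this file under the department's policy."""
    if f.admin_classification == "malicious":
        return "Prevent and Quarantine"
    if f.admin_classification == "trusted":
        return "Execute"
    policy = POLICIES[department]
    score = suspicion_score(f)
    if score >= policy["block_at"]:
        return "Prevent and Remediate"
    if score >= policy["sandbox_at"]:
        return "Submit to Application Sandboxing"
    return "Execute"


# Constructed sample: brand-new, packed, seen on one endpoint, no GTI verdict
GRAY_FILE = FileContext("constructed-sha1-1", None, 1, 0, packed_suspiciously=True)
```

The same gray file goes to the sandbox under the finance policy but runs under the engineering policy, which is the "manage risk tolerance across departments" point of the later slides.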
Adaptive Security In Action: Adapt and Immunize—From Encounter to Containment in Milliseconds
[Diagram: endpoints, McAfee ePO, McAfee TIE Server, McAfee ATD and McAfee ESM connected over the Data Exchange Layer, fed by McAfee Global Threat Intelligence and 3rd Party Feeds.]
Shared over the Data Exchange Layer:
✓ File age hidden
✓ Signed with a revoked certificate
✓ Created by an untrusted process
✓ Report Action Taken
Adaptive security improves anti-malware protection
• Better analysis of the gray
• Crowd-source reputations from your own environment
• Manage risk tolerance across departments/system types
Actionable intelligence
• Early awareness of first occurrence flags attacks as they begin
• Know who may be/was compromised when certificate or file reputation changes
Threat Intelligence Exchange: Adapt and Immunize—From Encounter to Containment in Milliseconds
[Diagram: endpoints, McAfee ePO, McAfee ATD, McAfee TIE Server, McAfee ESM, Web Gateway, Email Gateway, NGFW and NSP connected over the Data Exchange Layer, fed by McAfee Global Threat Intelligence and 3rd Party Feeds.]
Data Exchange Layer: Security components operate as one to immediately share relevant data between endpoint, gateway, and other security products
Instant Protection Across the Enterprise
[Diagram: endpoints, McAfee ePO, McAfee ATD, McAfee ESM, Web Gateway, Email Gateway, NGFW and NSP connected to the McAfee TIE Server over the Data Exchange Layer, fed by McAfee Global Threat Intelligence and 3rd Party Feeds.]
Gateways block access based on endpoint convictions
Proactively and efficiently protect your organization as soon as a threat is revealed
Adaptive Intelligent Controls
• Learned insights are shared instantly
• Response (hunt, kill, remediate) is orchestrated to neutralize threats and reduce complexity:
– Identify IOCs & IOAs
– Isolate affected systems
– Kill malicious processes
– Remove payloads
– Find “Patient Zero”
– Repair systems (registry, file system, configurations)
– Patch vulnerabilities
Orchestrated & automated responses to adapt faster than threats can evolve
McAfee Enterprise Security Manager (SIEM): Industry Leading Security Information and Event Management
• Event Collection
• Log Management
• Advanced Correlation
• Streamlined Investigations
• Compliance Reporting
• Policy Management
Integrated Security Platform: ePolicy Orchestrator, Network Security Manager, Vulnerability Manager, Global Threat Intelligence
Adaptive Threat Prevention and Detection
[Diagram: Network & Gateway (Web Gateway, Email Gateway, NGFW, NSP), Endpoints (each running a TIE Endpoint Module), Sandbox (ATD) and SIEM (ESM) joined by the DXL Ecosystem, with IOC 1 through IOC 4 passed between them.]
• network and endpoints adapt
• payload is analyzed
• new IOC intelligence pinpoints historic breaches
• previously breached systems are isolated and remediated
Adaptive Security Model: Prevent, detect, respond and adapt
Adaptive Threat Prevention & Risk Management
• Detect breaches and changing risk exposure
• Prevent advancing attacks and reduce risk with countermeasures and baseline policies
• Adapt instantly to threats and emerging risk across the entire connected IT ecosystem
• Respond quickly to threats and risk with prioritized workflows and automation
Collaborative infrastructure | Open ecosystem | Rich contextual analytics | Orchestrated actions | Architecture ubiquity | Vendor agnostic
Prioritization | Baseline/outlier detection | Risk driven
McAfee Security Connected
[Diagram: Endpoint Security, Network Security, Deep Security.]
Adaptive Security Model: Clarity, confidence, control
• CLARITY: Turn security data into security intelligence
• CONFIDENCE: Use rules, workflows, alerts, and risk scoring to make intelligent, timely decisions
• CONTROL: Employ adaptive intelligence to gain sustainable advantage over attackers
The McAfee Security Connected Platform
CONTENT SECURITY
• Email Gateway
• Web Gateway
• Data Loss Prevention
SECURITY MANAGEMENT
• Enterprise Security Manager (SIEM)
• ePolicy Orchestrator
• Threat Intelligence Exchange
• Vulnerability Manager
NETWORK SECURITY
• Advanced Threat Defense
• Network Security Platform (IPS)
• Firewall Enterprise
• Next Generation Firewall
ENDPOINT SECURITY
• Endpoint Security Suites
• Data Center Security Suites
• Embedded Security
• Device Control
• Endpoint Encryption
• Hardware Enhanced Security
Adaptive Security Model “In Action”: Adapt and Immunize—From Encounter to Containment in Milliseconds
[Diagram: endpoints running the McAfee VSE Threat Intelligence Module, McAfee ePO, McAfee ATD, McAfee ESM, McAfee Web Gateway, McAfee Email Gateway, McAfee NGFW and McAfee NSP exchanging NO/YES convictions with the McAfee TIE Server over the Data Exchange Layer, fed by McAfee Global Threat Intelligence and 3rd Party Feeds.]
Endpoints are protected based on gateway convictions