AFCEA TechNet Europe
Delivering Cyber Intelligence from the Cloud
May 2011
Mo Cashman, Director, Security Architecture, Global Defense and Central Governments, McAfee, Inc.
Driving the Need for Speed

[Chart: Threat Sophistication (vertical axis) against Speed of Reaction (horizontal axis), plotting the incidents Titan Rain, Buckshot Yankee, Night Dragon, Aurora, Stuxnet and WikiLeaks as points A to E]
How fast do I need that Intelligence?

Threat Attribute  | Then        | Now
------------------|-------------|--------------
Vector            | Services    | Email
Attack Surface    | OS          | PC
Time to Exploit   | 26 Days     | Less than 0
Reconnaissance    | Almost None | 0 – 2 Years
Speed of Delivery | Human Speed | Network Speed
Cyber Intelligence Process

Inputs: Blue Data, Red Data, Grey Data
COLLECT -> ANALYZE -> DECIDE -> ACT -> REDUCE ADVERSARY IMPACT
Intelligence System Attributes

Collection: Sensor Grids = Everything IP
Storage & Aggregation: Billions of Queries, Multiple Years of data
Analysis: Reputation, Over-the-Horizon Correlation
Distribution & Action: Real Time and Relevant
Data Definitions

Blue Data: Your own network data; known good attributes
Red Data: Threat information, commercial or classified; known bad attributes
Grey Data: Maybe good or maybe bad; changing attribute reputation
Blue Data Elements

Assets: Data, Machines, Users
Exposures: Vulnerabilities, Threats
Status: Configurations, Patches
Events: Incidents, Infections, Loss
Red Data Examples

Attack Infrastructure:
- Email Sender IP Addresses
- Sender Email Addresses
- Malware Delivery Domain
- Malware C2 Domain
- Extraction Domain

Exploitation Fingerprints:
- Attachments
- Vulnerability Exploit Type
- Malware Locations
- Malware Persistence
- Content Types
- Data Extraction Tools
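The attack-infrastructure indicators on this slide only become useful once they are matched against the enterprise's own Blue Data (mail and proxy events). The following is an added example, not code from the presentation or from McAfee: a small matcher that checks constructed mail and proxy log lines against a constructed set of Red Data indicators and groups the hits per host, so that a delivery domain, a C2 domain and an extraction domain seen on the same machine stand out as one chain rather than three unrelated alerts. The key=value log format, the hostnames and every indicator value are assumptions made for the example.

```python
"""Match Red Data (known-bad attack-infrastructure indicators) against Blue
Data (the enterprise's own mail and proxy events).

Added example, not from the presentation. All indicator values and log lines
are constructed; the IPs and domains are documentation/test ranges.
"""

# Red Data, keyed by the element type named on the slide. Constructed values.
RED_DATA = {
    "sender_ip": {"203.0.113.45"},             # Email Sender IP Address
    "sender_email": {"invoice@example.net"},   # Sender Email Address
    "delivery_domain": {"cdn.example.org"},    # Malware Delivery Domain
    "c2_domain": {"update.example.com"},       # Malware C2 Domain
    "extraction_domain": {"drop.example.org"}, # Extraction Domain
}

# Blue Data: constructed mail-gateway and web-proxy events, one per line.
BLUE_EVENTS = [
    "type=mail host=ws-01 sender_ip=203.0.113.45 sender_email=hr@example.net",
    "type=mail host=ws-02 sender_ip=198.51.100.7 sender_email=invoice@example.net",
    "type=proxy host=ws-02 domain=cdn.example.org action=GET",
    "type=proxy host=ws-02 domain=update.example.com action=POST",
    "type=proxy host=ws-03 domain=intranet.example.com action=GET",
    "type=proxy host=ws-02 domain=drop.example.org action=POST bytes=48273000",
]

# Which Blue Data field can carry which Red Data element types. A proxy
# 'domain' may be a delivery, C2 or extraction domain, so all three are tried.
FIELD_TO_ELEMENTS = {
    "sender_ip": ["sender_ip"],
    "sender_email": ["sender_email"],
    "domain": ["delivery_domain", "c2_domain", "extraction_domain"],
}


def parse_event(line):
    """Parse a 'k=v k=v ...' line into a dict; tokens without '=' are ignored."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value
    return fields


def match_red_data(events, red_data=RED_DATA):
    """Return (host, element_type, indicator) hits in event order.

    Matching is exact after lower-casing, so the indicator sets must hold
    lower-case values; a value present in several Red Data sets yields one
    hit per set.
    """
    hits = []
    for line in events:
        event = parse_event(line)
        host = event.get("host", "?")
        for field, elements in FIELD_TO_ELEMENTS.items():
            value = event.get(field)
            if value is None:
                continue
            value = value.lower()
            for element in elements:
                if value in red_data[element]:
                    hits.append((host, element, value))
    return hits


def chain_by_host(hits):
    """Group the Red Data element types seen per host, preserving order.

    Delivery, then C2, then extraction on one host is the sequence a defender
    wants surfaced as a single incident rather than as separate alerts.
    """
    chain = {}
    for host, element, _indicator in hits:
        chain.setdefault(host, []).append(element)
    return chain


if __name__ == "__main__":
    for host, elements in chain_by_host(match_red_data(BLUE_EVENTS)).items():
        print(host, "->", " > ".join(elements))
```

Exact matching keeps the example honest about what it does; a production matcher would also fold sub-domains into their registered domain and apply the Grey Data reputation of values that are not yet in any Red Data set.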
Intelligence Supports Process and Capability

[Diagram: Intelligence Data Elements SUPPORT the Cyber Defense Processes (COLLECT, ANALYZE, DECIDE) and DRIVE the Cyber Defense Capabilities]
McAfee Distributes Relevant Cyber Intelligence

[Diagram: GTI, ePO, Policy Auditor, Risk Advisor, Vulnerability Manager and 3rd Party Feeds supply Threat and Vulnerability Feeds, Countermeasure Analysis, SCAP Benchmarks and Vulnerability Intelligence; GTI combines Vulnerability Analysis, Countermeasure Analysis, Threat Analysis and the Sensor Grid]

Actionable Red Data delivered direct to the Enterprise
...
Grey Data that provides Real Time Protection

[Diagram: GTI reputation attributes: File Reputation, Web Reputation, Ports / Protocol, Application, Network Activity, IP Address, Affiliations, Address, DNS Server, Web Activity, Data Activity, Activity, URL, Sender Reputation, Domain, Geo-location]
McAfee Distributes Real-Time Cyber Intelligence

[Diagram: GTI sensor grid fed by Network IPS, Firewall, Web Gateway, Host AV, Mail Gateway, Host IPS and 3rd Party Feeds: 300M IPS attacks/mo., 2B Botnet C&C IP Reputation Queries/mo., 20B Message Reputation Queries/mo., 2.5B Malware Reputation Queries/mo., Geo-location feeds]
McAfee Cyber Intelligence in Action

File and Network Connection Reputations correlated in real-time (legend: Known C&C, Unknown C&C):

Machine 1
1. Unknown file connects to known C&C
2. Connection is blocked and file terminated/removed

Machine 2
3. Same file connects to new C&C
4. Connection is blocked and file terminated/removed

Machine 3
5. Unknown file connects to new C&C
6. Connection is blocked and file terminated/removed
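The six steps above describe a propagation rule: a verdict on either side of a connection (the file or the destination) condemns the other side, so that by step 5 a file never seen before is blocked purely because of where it connects. The following is an added example, not McAfee's or GTI's code, that implements that rule as a small correlator and replays the three-machine scenario. It also handles the failure mode the slide does not mention: a known-good file (say a browser) that happens to reach a known-bad destination should have its connection blocked without the file itself being condemned. The reputation states, the event fields, the file identifiers and the addresses are all assumptions made for the example.

```python
"""Real-time correlation of file and network-connection reputations, replaying
the three-machine scenario. Added example; the state model is an assumption.
"""
from enum import Enum


class Rep(Enum):
    UNKNOWN = "grey"      # no verdict yet (Grey Data)
    KNOWN_GOOD = "blue"   # trusted by the enterprise (Blue Data)
    KNOWN_BAD = "red"     # confirmed malicious (Red Data)


class ReputationCorrelator:
    """Correlates a file's reputation with the reputation of the destination
    it connects to.

    Rule: a connection is blocked if either side is KNOWN_BAD. An UNKNOWN side
    of a blocked connection is promoted to KNOWN_BAD, so the next machine that
    sees the same file or destination treats it as known. KNOWN_GOOD sides are
    never promoted: a legitimate program reaching a bad host gets its
    connection blocked, but is not itself condemned.
    """

    def __init__(self, known_bad_c2=(), known_good_files=()):
        self.dest_rep = {d: Rep.KNOWN_BAD for d in known_bad_c2}
        self.file_rep = {f: Rep.KNOWN_GOOD for f in known_good_files}

    def observe(self, machine, file_id, dest):
        """Process one outbound connection attempt and return the verdict."""
        file_r = self.file_rep.get(file_id, Rep.UNKNOWN)
        dest_r = self.dest_rep.get(dest, Rep.UNKNOWN)
        promoted = []
        if Rep.KNOWN_BAD not in (file_r, dest_r):
            return {"machine": machine, "action": "allow", "promoted": promoted}
        # One side is known bad: condemn the other side if it had no verdict.
        if file_r is Rep.UNKNOWN:
            self.file_rep[file_id] = Rep.KNOWN_BAD
            promoted.append(("file", file_id))
        if dest_r is Rep.UNKNOWN:
            self.dest_rep[dest] = Rep.KNOWN_BAD
            promoted.append(("dest", dest))
        # A known-good file keeps running; anything else is terminated/removed.
        action = ("block_connection" if file_r is Rep.KNOWN_GOOD
                  else "block_and_remove_file")
        return {"machine": machine, "action": action, "promoted": promoted}


def run_scenario():
    """Replay the slide's six steps plus two edge cases. Constructed data."""
    corr = ReputationCorrelator(known_bad_c2={"203.0.113.10"},
                                known_good_files={"browser.exe"})
    events = [
        ("machine1", "file-A", "203.0.113.10"),       # steps 1-2: unknown file -> known C&C
        ("machine2", "file-A", "198.51.100.20"),      # steps 3-4: same file -> new C&C
        ("machine3", "file-B", "198.51.100.20"),      # steps 5-6: unknown file -> that C&C
        ("machine3", "browser.exe", "198.51.100.20"), # known-good file -> bad C&C
        ("machine3", "file-C", "192.0.2.30"),         # unknown -> unknown: allowed
    ]
    return corr, [corr.observe(*e) for e in events]


if __name__ == "__main__":
    _, verdicts = run_scenario()
    for v in verdicts:
        print(v["machine"], v["action"], v["promoted"])
```

Because every promotion is permanent, a single wrong KNOWN_BAD entry would cascade through the fleet; in practice the promoted verdicts are what a Grey Data reputation service scores and ages rather than writes as absolute, which is the "changing attribute reputation" the Data Definitions slide refers to.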
McAfee Cyber Intelligence in Action

GTI delivers Grey Data direct to product for real time protection
ePO collects Blue Data for event analysis
GTI delivers Red Data for true, actionable risk assessments