
Intelligent Security Operations - konferencija.coming.rs · Incident response With local IT Local...

Date post: 10-Jul-2018

Date, specific business group MCAFEE CONFIDENTIALITY LANGUAGE

McAfee Confidentiality Language

Intelligent Security Operations

Tamas Barna CISSP, CISM, Security+

Senior System Engineer – Team Lead

Eastern Europe

An Evolving Threatscape

Source: McAfee Labs

It’s not how many, but the one that was designed to target you

[Chart: threat volume 2005 to 2017; recoverable labels only: “1”, 25, 2016, 500K]

Visibility

Detection

Protection

Correction

Traditional Ransomware Response

Ransomware identified by user

Incident logged with SOC

SOC team analyses and initiates incident response with local IT

Local IT isolates system

SOC analyses malware and requests XDat

New DAT file produced and distributed to environment

Local IT rebuilds client and restores data

Timeline markers on the slide: 2 hours, 4 hours, 1 day, 1.5 days, 2 days, 4 days

Time to Protect (no value shown)

4 hours Time to Detect

Time to Correct: 1.5 days / 2 days (both values appear on the slide)

4 days Time to Respond/Adapt

McAfee’s solution to Ransomware: From days to minutes

Dynamic Application Containment will protect system from infection

Auto-submit to ATD

File analyzed by ATD and confirmed malicious

ATD Intelligence and Active Response used to determine full extent

Hosts contained and remediated with AR or HIPS

All countermeasures updated

Timeline markers on the slide: 1 sec, 4:15 min, 5:15 min, 6:24 min, 9:03 min

0 min Time to Protect

5 mins Time to Detect

6 mins Time to Correct

9 mins Time to Adapt/Fully Respond

I need a solution to this problem…

It takes an Advanced System with Advanced Threat Defence

Source: McAfee Labs

THE SECURITY CONNECTED FRAMEWORK / ADAPTIVE SECURITY ARCHITECTURE

Context shared across the fabric (diagram labels): Asset, Threat, Identity, Activity, BPM, Risk, Data, Location

Data Exchange Layer: an innovative, real-time, bi-directional communications fabric providing product integration simplicity.

Security components operate as one to immediately share relevant data between endpoint, gateway, and other security products, enabling security intelligence and adaptive security.

Data Exchange Layer (DXL)

Standardize integration and communication to break down operational silos

API-BASED INTEGRATIONS

Result

• Proprietary Integrations

• Version and Use Case Dependent

• Point of Failure

• Complex n x (n-1)

COLLABORATIVE ECOSYSTEM (DXL)

Result

• Standardized Communication

• Real Time Information Exchange

• API and Version independent

• Open (SIA Partner)

McAfee’s Extensible Platform for Security Risk Management

Security Management

NETWORK / ENDPOINT / CLOUD & DATA CENTER

Network Security & Mgmt.

Risk & Compliance

Applications & Database

Authentication & Encryption

Data Loss & Content Protection

Endpoint, BYOD & Mobile

Cloud & Other Security

Incident Response & Forensics

McAfee DXL: Data Exchange Layer

Products on the Data Exchange Layer (diagram labels): McAfee Enterprise Security Manager, McAfee ePolicy Orchestrator, McAfee Web Gateway, McAfee Network Security Platform, 3rd Party Solutions (OpenDXL), McAfee Endpoint / DLP, McAfee Database Security, McAfee Threat Intelligence Exchange Server, McAfee Active Response, McAfee Threat Workspace, McAfee Application Data Monitor, McAfee Advanced Threat Detection, McAfee Global Threat Intelligence, 3rd Party Threat Intelligence, OpenDXL

SIEM data collection

Sources (diagram labels): Firewall, Web proxy, IPS, DNS, WAF, Load balancer, Wifi, Switch, Router, Network flow, Antivirus, HIPS, DLP, Email, Web, OS, Directory Services, Database, Vulnerability scanner

Collection of over 450 sources out-of-the-box

Threat Intelligence Exchange: Adapt and Immunize — From Encounter to Containment in Milliseconds

Components (diagram labels): McAfee TIE Endpoint Module (×2), McAfee ePO, McAfee ATD, McAfee TIE Server, McAfee Global Threat Intelligence, 3rd Party Feeds, Data Exchange Layer; reputation decision: YES / NO

File attributes shown on the slide:

• File age hidden

• Signed with a revoked certificate

• Created by an untrusted process

Instant Protection Across the Enterprise

Components (diagram labels): McAfee ESM, McAfee TIE Endpoint Module (×2), McAfee ePO, McAfee ATD, McAfee Web Gateway, McAfee Email Gateway, McAfee NGFW, McAfee NSP, McAfee TIE Server, McAfee Global Threat Intelligence, 3rd Party Feeds, Data Exchange Layer

Gateways block access based on endpoint convictions

Security components operate as one to immediately share relevant data between endpoint, gateway, and other security products

Proactively and efficiently protect your organization as soon as a threat is revealed
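The reputation flow behind the two TIE slides above, written out as an added example (this is not McAfee's code and not the TIE API). The trust-level numbers follow the TIE trust scale as assumed here and should be checked against your TIE documentation; the source precedence, the two-indicator threshold, the class and function names and every hash are constructed for the example. It shows the "adapt and immunize" idea: one endpoint's conviction of an unknown file, pushed into the shared enterprise reputation store, is what every other endpoint and gateway sees on their next lookup.

```python
# Added example (not McAfee's code): the TIE reputation flow implied by the
# slides. Trust-level numbers follow the TIE scale (assumption; verify against
# your TIE documentation); precedence, the indicator threshold and all hashes
# are constructed for this example.
from dataclasses import dataclass

KNOWN_TRUSTED = 99
UNKNOWN = 50
MIGHT_BE_MALICIOUS = 30
KNOWN_MALICIOUS = 1


@dataclass
class Indicators:
    """The three file attributes named on the slide, as seen by the endpoint module."""
    file_age_hidden: bool = False
    signed_with_revoked_cert: bool = False
    created_by_untrusted_process: bool = False

    def count(self) -> int:
        return sum((self.file_age_hidden, self.signed_with_revoked_cert,
                    self.created_by_untrusted_process))


class TieServer:
    """Constructed model of the TIE server: an enterprise reputation store that
    also consults GTI and third-party feeds (plain dicts keyed by SHA-1 here)."""

    def __init__(self, gti: dict, third_party: dict):
        self.enterprise = {}          # convictions shared over the fabric
        self.gti = gti
        self.third_party = third_party

    def reputation(self, sha1: str) -> int:
        # Precedence (assumption): enterprise override > GTI > third-party > UNKNOWN
        for source in (self.enterprise, self.gti, self.third_party):
            if sha1 in source:
                return source[sha1]
        return UNKNOWN

    def set_enterprise_reputation(self, sha1: str, trust: int) -> None:
        self.enterprise[sha1] = trust


def endpoint_decision(tie: TieServer, sha1: str, ind: Indicators) -> str:
    """What the endpoint module does on encountering a file.
    Returns 'run', 'block' or 'contain_and_submit' (contain locally, send to ATD)."""
    trust = tie.reputation(sha1)
    if trust <= MIGHT_BE_MALICIOUS:
        return "block"
    if trust > UNKNOWN:
        return "run"
    # Unknown file: fall back to the local indicators. Two or more is the
    # constructed threshold for treating it as probably malicious.
    if ind.count() >= 2:
        # "Immunize": publish the verdict so every other endpoint and gateway
        # on the fabric sees it on its next lookup.
        tie.set_enterprise_reputation(sha1, MIGHT_BE_MALICIOUS)
        return "contain_and_submit"
    return "run"


def gateway_decision(tie: TieServer, sha1: str) -> str:
    """Gateways block access based on endpoint convictions (slide text)."""
    return "block" if tie.reputation(sha1) <= MIGHT_BE_MALICIOUS else "allow"


def demo() -> dict:
    trusted_hash = "3b" * 20   # constructed
    unknown_hash = "7e" * 20   # constructed
    tie = TieServer(gti={trusted_hash: KNOWN_TRUSTED}, third_party={})
    first = endpoint_decision(tie, unknown_hash,
                              Indicators(signed_with_revoked_cert=True,
                                         created_by_untrusted_process=True))
    # A second endpoint and a gateway now see the shared conviction immediately
    second = endpoint_decision(tie, unknown_hash, Indicators())
    gateway = gateway_decision(tie, unknown_hash)
    # An enterprise override beats a trusted GTI verdict (e.g. a signed tool being abused)
    tie.set_enterprise_reputation(trusted_hash, KNOWN_MALICIOUS)
    override = endpoint_decision(tie, trusted_hash, Indicators())
    return {"first": first, "second": second, "gateway": gateway, "override": override}
```

Two design points worth keeping when building on a fabric like this: the enterprise store must win over external feeds so that an administrator or ATD verdict is authoritative, and the fallback on local indicators should set a "might be malicious" level rather than "known malicious", leaving the final verdict to sandbox analysis or an analyst.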

Use Case 1: Proactively Search for Undetonated Files

Components (diagram labels): Web Gateway, Email Gateway, NGFW, TIE, Network & Gateway, ePO, Admin, Endpoints, Active Response

Use Case 2: Hunt for Document-based Malware

Components (diagram labels): TIE, Network & Gateway, ePO, Admin, Active Response, Endpoints

Use Case 3: Monitor All Network Activity

Components (diagram labels): DNS, Internet, ePO, Admin, Active Response, Endpoints

DXL Evolution

McAfee products: DXL was initially used solely by McAfee products (diagram: McAfee Product #1, #2, #3 on the Data Exchange Layer)

SIA partner products: Security Innovation Alliance partner products integrated with the fabric (diagram: McAfee Product #1, #2, #3 and SIA Product #1, #2, #3 on the Data Exchange Layer)

OpenDXL: OpenDXL provides the capability for you to develop your own DXL integrations (diagram adds: 3rd Party Product (Not DXL integrated), OpenDXL Orchestration Script, OpenDXL Service Wrapper)

Orchestration scripts can be developed with OpenDXL that leverage the functionality available via DXL-integrated products

Products without native DXL integrations can be exposed using OpenDXL service wrappers

Demo - Orchestration

What can you do with OpenDXL? Listen for Check Point event

Components in the demo (diagram labels, all connected over the Data Exchange Layer): Infected Endpoint, Malicious Site, Check Point Firewall, OpenDXL Orchestration Script (with TIE Client Module and MAR Client Module), McAfee Threat Intelligence (TIE), McAfee Active Response (MAR), McAfee ePO, Rapid7 Nexpose, Aruba ClearPass Policy Manager

Step 1: Malware is launched on the infected endpoint, causing traffic to be sent to the malicious site. The event is received by the OpenDXL Orchestration Script.

Step 2: The Orchestration script performs a query over DXL to McAfee Active Response (MAR) to determine the systems and processes (hash) that are currently making calls to the malicious site.

Step 3: The Orchestration script sets the reputation in McAfee Threat Intelligence (TIE) to Known Malicious over DXL. The applied TIE policy causes the malware process to be killed and the binaries quarantined.

Step 4: The Orchestration script tags the systems containing the malware in ePO over DXL.

Step 5: The Orchestration script sends a request to the Rapid7 Nexpose DXL service to scan the systems with the malware.

Step 6: The Orchestration script sends a request to the Aruba ClearPass DXL Service to update attributes for systems with malware, triggering policy enforcement.

Script actions, as accumulated across the slides:

• Use MAR to search for processes (matching external host and port)

• Set reputation for each process found (hash) in TIE

• Tag each system found in ePO

• Launch Rapid7 Nexpose scan for each system

• Update attributes for each system in Aruba ClearPass (trigger policy enforcement)
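The six steps of the demo, carried through as an added example that runs offline (this is not McAfee's or the OpenDXL project's code). The `Fabric` class stands in for the Data Exchange Layer, and its `sync_request` only mimics the request/response shape of a DXL client; the service topics, payload formats, host names and hashes are all constructed, and the real MAR, TIE, ePO, Nexpose and ClearPass integrations have their own APIs. The example adds one guardrail the slides do not mention: a hash that TIE already rates as known trusted is held for analyst review instead of being auto-convicted, so a browser that happened to reach the same site is not quarantined fleet-wide by a script.

```python
# Added example (not McAfee's or OpenDXL's code): the six orchestration steps
# run against in-memory stand-ins for the DXL services. Fabric, topics,
# payloads, hosts and hashes are constructed for this example.
from dataclasses import dataclass, field

KNOWN_TRUSTED = 99     # TIE trust levels as assumed for this example
KNOWN_MALICIOUS = 1


@dataclass
class Fabric:
    """Stand-in for the Data Exchange Layer: request/response services keyed by
    topic, plus an audit trail of every request the script sends."""
    services: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def register_service(self, topic, handler):
        self.services[topic] = handler

    def sync_request(self, topic, payload):
        self.audit.append((topic, payload))
        return self.services[topic](payload)


def build_demo_environment():
    """Wire constructed MAR, TIE, ePO, Nexpose and ClearPass back-ends onto a
    Fabric. Returns (fabric, state) so the caller can inspect side effects."""
    bad_hash = "d41d8cd98f00b204e9800998ecf8427e"      # constructed: the malware
    browser_hash = "b1946ac92492d2347c6235b4d2611184"  # constructed: a signed browser
    state = {
        # MAR process inventory: WS-101 and WS-102 run the malware, WS-102 also
        # reaches the site through its browser, WS-103 is unrelated traffic.
        "mar": [
            {"host": "WS-101", "md5": bad_hash, "remote_ip": "203.0.113.10", "remote_port": 443},
            {"host": "WS-102", "md5": bad_hash, "remote_ip": "203.0.113.10", "remote_port": 443},
            {"host": "WS-102", "md5": browser_hash, "remote_ip": "203.0.113.10", "remote_port": 443},
            {"host": "WS-103", "md5": "ff" * 16, "remote_ip": "198.51.100.7", "remote_port": 80},
        ],
        "tie": {browser_hash: KNOWN_TRUSTED},
        "epo_tags": {},
        "scans": [],
        "clearpass": {},
    }

    def mar_search(q):
        return [p for p in state["mar"]
                if p["remote_ip"] == q["remote_ip"] and p["remote_port"] == q["remote_port"]]

    def tie_get(q):
        return state["tie"].get(q["md5"])

    def tie_set(q):
        state["tie"][q["md5"]] = q["trust"]
        return True

    def epo_tag(q):
        state["epo_tags"].setdefault(q["host"], set()).add(q["tag"])
        return True

    def nexpose_scan(q):
        state["scans"].append(q["host"])
        return {"scan_id": f"scan-{len(state['scans'])}"}

    def clearpass_update(q):
        state["clearpass"][q["host"]] = q["attributes"]
        return True

    fabric = Fabric()
    for topic, handler in [("/mar/search", mar_search), ("/tie/get", tie_get),
                           ("/tie/set", tie_set), ("/epo/tag", epo_tag),
                           ("/nexpose/scan", nexpose_scan),
                           ("/clearpass/update", clearpass_update)]:
        fabric.register_service(topic, handler)
    return fabric, state


def handle_checkpoint_event(fabric, event):
    """Orchestration for one Check Point event naming the malicious site."""
    # Step 2: MAR search for processes matching the external host and port
    procs = fabric.sync_request("/mar/search",
                                {"remote_ip": event["dst_ip"], "remote_port": event["dst_port"]})
    hosts = sorted({p["host"] for p in procs})     # de-duplicated affected systems
    hashes = sorted({p["md5"] for p in procs})     # de-duplicated process hashes
    summary = {"hosts": hosts, "convicted": [], "held_for_review": [], "scan_ids": []}
    # Step 3: set reputation per hash. Guardrail (not on the slide): never
    # auto-convict a hash TIE already rates known trusted; queue it for an analyst.
    for h in hashes:
        current = fabric.sync_request("/tie/get", {"md5": h})
        if current is not None and current >= KNOWN_TRUSTED:
            summary["held_for_review"].append(h)
            continue
        fabric.sync_request("/tie/set", {"md5": h, "trust": KNOWN_MALICIOUS})
        summary["convicted"].append(h)
    # Steps 4 to 6 per affected system: ePO tag, Nexpose scan, ClearPass attributes
    for host in hosts:
        fabric.sync_request("/epo/tag", {"host": host, "tag": "Infected"})
        summary["scan_ids"].append(fabric.sync_request("/nexpose/scan", {"host": host})["scan_id"])
        fabric.sync_request("/clearpass/update",
                            {"host": host, "attributes": {"Status": "Quarantine"}})
    return summary


def run_demo():
    fabric, state = build_demo_environment()
    # Step 1, constructed Check Point event: blocked connection to the malicious site
    event = {"src_ip": "10.0.0.5", "dst_ip": "203.0.113.10", "dst_port": 443, "action": "drop"}
    return handle_checkpoint_event(fabric, event), state, fabric
```

The audit trail on the fabric is the piece a SOC should insist on for any automated response: every reputation change, tag, scan and NAC update is attributable to the triggering event, which is what makes a mistaken conviction reversible.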

Global Architecture

Components: Event Receiver, Application Data Monitor, Database Event Monitor, Enterprise Security Manager, Advanced Correlation Engine (Real Time), Advanced Correlation Engine (Historical), Event Log Manager

Data flows between components (diagram labels): Alerts, metadata & Mgmt; Raw logs; Agg. Events & Mgmt; Queries & Mgmt; Correlated Events & Mgmt; HTTPS

Available as physical or virtual appliances

Optional SIEM Collector Agent

Optional Database / Application Monitor

New IDC ExpertROI Spotlight: Top 100 US FDIC Bank

Source: http://idcdocserv.com/US42210917

“we can detect an attack within 60 seconds and complete the analysis to contain it within five minutes”

Solution: Endpoint, SIEM, TIE, GTI, ATD, DLP

Benefits average $3.02 M /yr over 4 yrs

4 year ROI of 208%

Payback period of 20 months

90% faster resolution of security events

77% fewer impactful security events/yr

98% less productive time lost because of impactful security events

Support generation of $5-10 million in additional customer revenue/year

Monitor environment via 1-2 panes of glass


Thank You !!!

