Date, specific business group MCAFEE CONFIDENTIALITY LANGUAGE
Intelligent Security Operations
Tamas Barna CISSP, CISM, Security+
Senior System Engineer – Team Lead
Eastern Europe
An Evolving Threatscape
Source: McAfee Labs
It's not how many, but the one that was designed to target you
[Chart residue: malware sample volume, 2005 to 2017; the values that survive extraction are 25 and 500K (2016), plus a highlighted "1" for the single sample built to target you]
Traditional Ransomware Response (timeline reconstructed from the slide)
1. Ransomware identified by user
2. Incident logged with SOC
3. SOC team analyses and initiates incident response with local IT
4. Local IT isolates system
5. Local IT rebuilds client and restores data
6. SOC analyses malware and requests an XDAT (extra DAT)
7. New DAT file produced and distributed to environment

Elapsed-time marks shown along the timeline: 2 hours, 4 hours, 1 day, 1.5 days, 2 days, 4 days.

Summary metrics:
• Time to Protect: no value given (nothing protects the system before detection)
• Time to Detect: 4 hours
• Time to Correct: 2 days (client rebuilt and data restored at the 1.5-day mark)
• Time to Respond/Adapt: 4 days
McAfee's solution to Ransomware: From days to minutes (times as shown on the vendor's demonstration timeline)
1. Dynamic Application Containment protects the system from infection (1 sec)
2. Auto-submit to ATD
3. File analyzed by ATD and confirmed malicious (4:15 min)
4. ATD intelligence and Active Response used to determine full extent (5:15 min)
5. Hosts contained and remediated with AR or HIPS (6:24 min)
6. All countermeasures updated (9:03 min)

Summary metrics:
• Time to Protect: 0 min
• Time to Detect: 5 mins
• Time to Correct: 6 mins
• Time to Adapt/Fully Respond: 9 mins
I need a solution to this problem…
It takes an Advanced System with Advanced Threat Defence
Source: McAfee Labs
THE SECURITY CONNECTED FRAMEWORK: ADAPTIVE SECURITY ARCHITECTURE
Context shared across the architecture: Asset, Threat, Identity, Activity, BPM, Risk, Data, Location.

Data Exchange Layer: an innovative, real-time, bi-directional communications fabric that provides product integration simplicity.
Security components operate as one to immediately share relevant data between endpoint, gateway, and other security products, enabling security intelligence and adaptive security.
API-BASED INTEGRATIONS vs COLLABORATIVE ECOSYSTEM (DXL)

API-based integrations, result:
• Proprietary integrations
• Version and use-case dependent
• Point of failure
• Complex: n x (n-1) point-to-point connections

Collaborative ecosystem (DXL), result:
• Standardized communication
• Real-time information exchange
• API and version independent
• Open (SIA partner)

Data Exchange Layer (DXL): standardize integration and communication to break down operational silos
McAfee's Extensible Platform for Security Risk Management
Security Management, spanning NETWORK, ENDPOINT, and CLOUD & DATA CENTER:
• Network Security & Mgmt.
• Risk & Compliance
• Applications & Database
• Authentication & Encryption
• Data Loss & Content Protection
• Endpoint, BYOD & Mobile
• Cloud & Other Security
• Incident Response & Forensics
McAfee DXL: Data Exchange Layer
Products on the fabric: McAfee Enterprise Security Manager, McAfee ePolicy Orchestrator, McAfee Web Gateway, McAfee Network Security Platform, McAfee Endpoint / DLP, McAfee Database Security, McAfee Threat Intelligence Exchange Server, McAfee Active Response, McAfee Threat Workspace, McAfee Application Data Monitor, McAfee Advanced Threat Detection, McAfee Global Threat Intelligence, 3rd Party Threat Intelligence, and 3rd Party Solutions via OpenDXL.

SIEM data collection: over 450 sources out-of-the-box, including firewall, web proxy, IPS, DNS, WAF, load balancer, WiFi, switch, router, network flow, antivirus, HIPS, DLP, email, web, OS, directory services, database, and vulnerability scanner.
Threat Intelligence Exchange: Adapt and Immunize, From Encounter to Containment in Milliseconds
Components over the Data Exchange Layer: McAfee TIE Endpoint Modules, McAfee ePO, McAfee ATD, McAfee TIE Server, McAfee Global Threat Intelligence, 3rd party feeds.
Local indicators that feed the allow (YES) / block (NO) decision for a file:
• File age hidden
• Signed with a revoked certificate
• Created by an untrusted process
Instant Protection Across the Enterprise
Components over the Data Exchange Layer: McAfee ESM, McAfee TIE Endpoint Modules, McAfee ePO, McAfee ATD, McAfee Web Gateway, McAfee Email Gateway, McAfee NGFW, McAfee NSP, McAfee TIE Server, McAfee Global Threat Intelligence, 3rd party feeds.
Gateways block access based on endpoint convictions. Security components operate as one to immediately share relevant data between endpoint, gateway, and other security products, proactively and efficiently protecting your organization as soon as a threat is revealed.
Use Case 1: Proactively Search for Undetonated Files
Components: Network & Gateway (Web Gateway, Email Gateway, NGFW, TIE), ePO, Admin, Endpoints, Active Response.
Use Case 2: Hunt for Document-based Malware
Components: Network & Gateway (TIE), ePO, Admin, Endpoints, Active Response.
Use Case 3: Monitor All Network Activity
Components: Internet, DNS, ePO, Admin, Endpoints, Active Response.
DXL Evolution: McAfee products
DXL was initially used solely by McAfee products (McAfee Product #1, #2 and #3 on the Data Exchange Layer).
DXL Evolution: SIA partner products
Security Innovation Alliance partner products integrated with the fabric (McAfee Products #1 to #3 and SIA Products #1 to #3 on the Data Exchange Layer).
DXL Evolution: OpenDXL
• OpenDXL provides the capability for you to develop your own DXL integrations.
• Orchestration scripts can be developed with OpenDXL that leverage the functionality available via DXL-integrated products (McAfee products and SIA partner products).
• Products without native DXL integrations (3rd party products, not DXL integrated) can be exposed using OpenDXL service wrappers.
Demo - Orchestration
What can you do with OpenDXL? Listen for Check Point event

Components on the Data Exchange Layer: Check Point Firewall, OpenDXL Orchestration Script, McAfee Threat Intelligence Exchange (TIE), McAfee Active Response (MAR), McAfee ePO, Rapid7 Nexpose, Aruba ClearPass Policy Manager. The infected endpoint runs the TIE Client Module and the MAR Client Module.

Scenario, step by step:
1. Malware is launched on the infected endpoint, causing traffic to be sent to the malicious site. The Check Point firewall event is received by the OpenDXL Orchestration Script.
2. The Orchestration Script performs a query over DXL to McAfee Active Response (MAR) to determine the systems and processes (hash) that are currently making calls to the malicious site: use MAR to search for processes matching the external host and port.
3. The Orchestration Script sets the reputation of each process found (hash) in McAfee Threat Intelligence Exchange (TIE) to Known Malicious over DXL. The applied TIE policy causes the malware process to be killed and the binaries quarantined.
4. The Orchestration Script tags each system containing the malware in ePO over DXL.
5. The Orchestration Script sends a request to the Rapid7 Nexpose DXL service to launch a scan of each system with the malware.
6. The Orchestration Script sends a request to the Aruba ClearPass DXL service to update attributes for each system with the malware, triggering policy enforcement.
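The six-step orchestration above, as an added example that is not code from the slides or from the OpenDXL project. The real orchestration script would use the dxlclient library against a DXL broker; here a small in-memory Fabric class stands in for the broker (topic pub/sub for events, request/response for services) so the control logic runs offline. The topic names, the "Malware-Found" ePO tag, the ClearPass "Quarantine" attribute, the MAR records and the Check Point event are all constructed for this example and are assumptions, not product APIs.

```python
# Added example (not from the slides): an in-memory model of the OpenDXL
# orchestration flow. Topic names, tag/attribute names and the MAR records
# are constructed for illustration; they are not real product identifiers.
from collections import defaultdict


class Fabric:
    """Stand-in for the Data Exchange Layer: publish/subscribe events on topics,
    plus request/response to services registered on topics."""

    def __init__(self):
        self.event_handlers = defaultdict(list)  # topic -> [callback]
        self.services = {}                       # topic -> request handler

    def subscribe(self, topic, callback):
        self.event_handlers[topic].append(callback)

    def send_event(self, topic, payload):
        for callback in self.event_handlers[topic]:
            callback(payload)

    def register_service(self, topic, handler):
        self.services[topic] = handler

    def request(self, topic, payload):
        if topic not in self.services:
            raise LookupError("no DXL service registered for %s" % topic)
        return self.services[topic](payload)


# Constructed MAR telemetry: which process (MD5) on which host talks to which
# external host:port. Two hosts run the same binary that reaches the malicious
# site; WS-103 talks to an unrelated host and must be left alone.
MAR_NETFLOWS = [
    {"host": "WS-101", "md5": "a" * 32, "dst_ip": "203.0.113.7", "dst_port": 443},
    {"host": "WS-102", "md5": "a" * 32, "dst_ip": "203.0.113.7", "dst_port": 443},
    {"host": "WS-103", "md5": "b" * 32, "dst_ip": "198.51.100.9", "dst_port": 80},
]
KNOWN_MALICIOUS = "known_malicious"   # TIE trust level, named rather than numbered here

# In-memory state of the products the script drives.
TIE_REPUTATIONS = {}                   # md5 -> trust level set in TIE
EPO_TAGS = defaultdict(set)            # host -> tags applied in ePO
NEXPOSE_SCANS = []                     # hosts queued for a Nexpose scan
CLEARPASS_ATTRS = defaultdict(dict)    # host -> endpoint attributes in ClearPass


def build_fabric():
    """Register one handler per product, as DXL-integrated products would."""
    fabric = Fabric()
    fabric.register_service("/mar/search", lambda q: [
        f for f in MAR_NETFLOWS
        if f["dst_ip"] == q["dst_ip"] and f["dst_port"] == q["dst_port"]])
    fabric.register_service("/tie/set_reputation",
                            lambda r: TIE_REPUTATIONS.__setitem__(r["md5"], r["trust"]))
    fabric.register_service("/epo/tag", lambda r: EPO_TAGS[r["host"]].add(r["tag"]))
    fabric.register_service("/nexpose/scan", lambda r: NEXPOSE_SCANS.append(r["host"]))
    fabric.register_service("/clearpass/attrs",
                            lambda r: CLEARPASS_ATTRS[r["host"]].update(r["attrs"]))
    return fabric


def orchestrate(fabric, fw_event):
    """The orchestration script: one firewall event in, steps 2 to 6 out."""
    # Step 2: ask MAR which systems and processes talk to the flagged host:port.
    flows = fabric.request("/mar/search",
                           {"dst_ip": fw_event["dst_ip"], "dst_port": fw_event["dst_port"]})
    hashes = sorted({f["md5"] for f in flows})
    hosts = sorted({f["host"] for f in flows})
    # Step 3: convict every hash in TIE; TIE policy then kills and quarantines it.
    for md5 in hashes:
        fabric.request("/tie/set_reputation", {"md5": md5, "trust": KNOWN_MALICIOUS})
    for host in hosts:
        fabric.request("/epo/tag", {"host": host, "tag": "Malware-Found"})   # step 4
        fabric.request("/nexpose/scan", {"host": host})                     # step 5
        fabric.request("/clearpass/attrs",                                  # step 6
                       {"host": host, "attrs": {"Quarantine": "true"}})
    return {"hosts": hosts, "hashes": hashes}


def run_demo():
    """Wire the script to the firewall event topic and replay one block event."""
    fabric = build_fabric()
    results = []
    fabric.subscribe("/checkpoint/events", lambda ev: results.append(orchestrate(fabric, ev)))
    # Constructed Check Point event for the infected endpoint's outbound connection (step 1).
    fabric.send_event("/checkpoint/events", {"src_ip": "10.0.0.15", "dst_ip": "203.0.113.7",
                                             "dst_port": 443, "action": "Block"})
    return results[0]


if __name__ == "__main__":
    print(run_demo())
    print(dict(EPO_TAGS), NEXPOSE_SCANS, dict(CLEARPASS_ATTRS))
```

The point to take from the model is the fan-out shape: the script never talks to a product API directly, it only publishes to or requests from topics, so swapping a product (or wrapping a non-DXL one with a service wrapper) changes a handler registration, not the script. The scoping check matters in practice: the MAR query keys on the exact destination host and port from the firewall event, so WS-103, which only talks to an unrelated host, is neither convicted in TIE nor quarantined in ClearPass.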
Global Architecture (SIEM components)
Components: Event Receiver, Application Data Monitor, Database Event Monitor, Enterprise Security Manager, Advanced Correlation Engine (Real Time), Advanced Correlation Engine (Historical), Event Log Manager.
Data flows between components: alerts, metadata & management; raw logs; aggregated events & management; queries & management; correlated events & management; HTTPS to the console.
Available as physical or virtual appliances. Optional SIEM Collector Agent. Optional Database/Application Monitor.
New IDC ExpertROI Spotlight: Top 100 US FDIC Bank
Source: http://idcdocserv.com/US42210917
"we can detect an attack within 60 seconds and complete the analysis to contain it within five minutes"
Solution: Endpoint, SIEM, TIE, GTI, ATD, DLP
Benefits (as reported by IDC):
• Average $3.02 M/yr in benefits over 4 yrs
• 4-year ROI of 208%
• Payback period of 20 months
• 90% faster resolution of security events
• 77% fewer impactful security events/yr
• 98% less productive time lost because of impactful security events
• Support generation of $5-10 million in additional customer revenue/year
• Monitor environment via 1-2 panes of glass