Transcript Document
The Need for Efficiency: Security Connected
Franklin Sujo, CISSP, SE East Commercial Sector, [email protected]
McAfee Confidential

A Nasty Math Problem
Security challenges:
• Virtual environment
• Decreased/flat budgets
• Limited or untrained resources
• Changing business demands
• Unplanned compliance and reporting requirements
Assets in scope: USB, email, SAN, smart phone, PC, laptop, tablet, wireless, database, VoIP, apps, servers, routing/switching, cloud, embedded devices
• 469,000 unique malware samples discovered weekly
• 83% of organizations hit by Advanced Persistent Threats
• Flat to down IT/IS budgets
• Flat number of trained practitioners
Connected devices: 12.5 billion today, 25 billion by 2015, 50 billion by 2020 (Source: Cisco IBSG IoE Report)

Firm or Fixed Function Devices and IoT
An onslaught of uncounted devices.

Advanced Targeted Attacks: The reality
[Chart: distribution of time from compromise to discovery and from discovery to containment, in minutes, hours, days, weeks, months and years; percentages shown on the slide: 2%, 4%, 9%, 11%, 12%, 14%, 19%, 23%, 42%, 64%.]
• $8,769 per incident
• $3,840,988 per year
• 1.2 incidents per day
Sources: Verizon 2013 Data Breach Investigations Report; Securosis Malware Analysis Quant Metrics Model

Fragmented Security Industry: Decreased integration and automation opportunities
[Timeline of product categories added over time: Endpoint Protection, Firewall, Gateway Security, Network IPS, Compliance, Data Protection, Mobility, SIEM.]
History of defining security architecture:
• Inventor of the world's most widely used computing security architecture
• Defining countless standards used in everyday lives, ranging from USB and WiFi to IoT
• Top 10 Most Influential Brands in the World
Largest dedicated security provider:
• Broadest security product coverage in the industry
• Complete portfolio focused upon security
• Leadership position in 6 of 8 Gartner Security Magic Quadrants
Delivering a next generation architecture:
• Defining innovative industry approaches for collaborative and adaptive security architecture
• Introducing security integrations which are sustainable and reaching broadly
• Developing capabilities for new security paradigms in areas such as Software Defined Datacenter, Cloud, and IoT

McAfee Security Connected Evolution: Achieving a Connected Ecosystem
(Products shown: Mail Gateway, Intrusion Prevention, Web Gateway, DLP, Firewall, Advanced Malware, Compliance, SIEM, Endpoint)

Consolidating Architectures
Challenge:
• Operational complexity
• Console sprawl
Need:
• Easier deployment
• Broader adoption
Deliverables:
• Console consolidation
• Fewer agents
Value:
• Easier policy management
• Reduced computing resources

Achieving Return on Investment
Challenge:
• Reduced budgets
• Greater operational expense
• Reduced staffing
Need:
• Self provisioning
• Reduced infrastructure overhead
Deliverables:
• Virtual / cloud security
• Fewer appliances
• Reduced vendor footprint
Value:
• Significantly reduced TCO
• Simplified operational experience
Connected Services Framework
Challenge:
• Siloed technology failures
• Complex attacks
Need:
• Coordinated response
• Adaptive security environment
Deliverables:
• Data exchange framework
• Standardized integration model
Value:
• Sustainable integration models
• Adaptive protection

McAfee Security Connected Evolution: Debunking Common Obstacles
A Connected Services Architecture is not:
• A single vendor solution
• A monolithic architecture
• The continuous addition of new technologies
• A new environment requiring more resources to maintain
• Massive rip/replace of security infrastructure

Security Connected: Getting more measurable results per labor hour
Capabilities delivered by a single host agent and console:
• Continuous Diagnostics and Mitigation
• Dynamic whitelisting
• Real-time file and directory level change control
• Rootkit, BIOS, device driver, hypervisor and MBR change detection/prevention
• Processor-enabled KVM without a KVM switch
• USB, Bluetooth, Ethernet, Infrared and other device control
• Data leakage prevention
• Processor-accelerated encryption (system and file/folder)
• Host intrusion prevention
• Anti-virus
• Auditing and compliance reporting
• Systems management
• FIPS and Common Criteria certification
• Section 508 compliance
McAfee ePO Server: continuously monitoring over 7M USG and DIB endpoints today. Single agent, single console.
The Power of Optimization: Reduced effort, increased security posture
Workflow measured:
• Review centralized security dashboard
• Discover active botnet traffic
• Identify impacted user/host
• Verify host security configuration
• Review host security events
• Review host vulnerability assessment
• Investigate host network events
• Block identified attacker from network

                      Non-optimized environment   Optimized environment
Consoles required     7 consoles                  1 console
Resources required    4 resources                 1 resource
Time required         7.5 hrs                     36 mins
Effectiveness         Low/Moderate                High

The Data Exchange Layer: The new information-sharing ecosystem
An innovative, real-time, bi-directional communications fabric providing product integration simplicity. Security components operate as one to immediately share relevant data among endpoint, gateway, and other security products, enabling security intelligence and adaptive security. The data exchange layer is analogous to the nervous system, dedicated to time-sensitive communication and operating alongside the arteries.
(Information types shared over the fabric: BPM, asset, identity, risk, threat, activity, location, data. Framing: The Security Connected Framework, Adaptive Security Architecture.)

McAfee Data Exchange Layer: The new information-sharing ecosystem
• Real-Time Messaging Fabric: real-time messaging infrastructure for security products.
• Common Content Data: provides enterprise security state and context, including information about devices, users, location, reputation, and more.
• Clients: security products that use the data exchange layer to publish or consume information (adaptive workflows).

McAfee Threat Intelligence Exchange
Global Threat Intelligence: Utilizing Intel Security's global footprint to your organizational advantage
• Network IPS: 55B IP reputation queries/mo.
• Firewall: 55B IP reputation queries/mo.
• Web Gateway: 8B web reputation queries/mo.
• Mail Gateway: 260M message reputation queries/mo.
• Host AV: 2B malware reputation queries/mo.
• Host IPS: 55B IP reputation queries/mo.
• Public records: geo-location feeds

Collective Threat Intelligence: Apply the power of knowledge
Sources feeding the McAfee Threat Intelligence Exchange Server:
• Global Threat Intelligence: McAfee Global Threat Intelligence, third-party feeds
• Local Threat Intelligence: McAfee Web Gateway, McAfee Email Gateway, McAfee Network Security Platform, McAfee Endpoint Agent, McAfee Advanced Threat Defense, McAfee Next Generation Firewall
• Organizational Intelligence: administrator, organizational knowledge, other data sources (future)
Assemble, override, augment, and tune the intelligence source information.

Actionable Security Decisions
Local context, tunable policy and personalized threat intelligence feed a classification decision made under variable degrees of risk tolerance. Possible outcomes: execute; prevent and remediate; prevent and quarantine; submit to application sandboxing.

The Role of Threat Intelligence Exchange
It's not always black and white. There are some shades of grey.
Metadata sources:
• System properties. Example: run from recycle bin.
• Reputations. Example: McAfee Global Threat Intelligence, McAfee Advanced Threat Defense, administrator overrides.
• Enterprise-wide properties. Example: new in environment? Prevalent?
Conditions shown: file is new; loads as service; low prevalence; packed suspiciously; revoked certificate; runs from recycle bin.
On execution, McAfee Threat Intelligence Exchange rules apply this metadata to a set of conditions that indicate risky behavior.
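The "shades of grey" decision described on the two preceding slides can be illustrated with a small rule model. The following is an added example, not McAfee code and not the product's actual rule set: it combines the slide's metadata conditions (file is new, low prevalence, loads as service, packed suspiciously, revoked certificate, runs from recycle bin, created by an untrusted process, file age hidden) with reputation inputs (global reputation, a sandbox verdict, an administrator override) and a selectable risk tolerance, and returns one of the four outcomes named on the "Actionable Security Decisions" slide. The condition weights, the tolerance thresholds, the precedence order and the FileContext structure are assumptions made for the example.

```python
"""
Added illustration (not McAfee code): a simplified model of how a local
threat-intelligence exchange could turn file metadata, reputation sources
and an administrator's risk tolerance into an execution decision.
Weights, thresholds and data structures are assumptions for this example.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Decision(Enum):
    EXECUTE = "execute"
    SUBMIT_TO_SANDBOX = "submit to application sandboxing"
    PREVENT_AND_QUARANTINE = "prevent and quarantine"
    PREVENT_AND_REMEDIATE = "prevent and remediate"


@dataclass
class FileContext:
    """Metadata an endpoint module would report when a file is executed (assumed shape)."""
    sha256: str
    hosts_seen: int              # enterprise-wide prevalence: how many hosts have run this hash
    first_seen_days: int         # days since the hash was first seen in the environment
    loads_as_service: bool = False
    packed_suspiciously: bool = False
    certificate_revoked: bool = False
    runs_from_recycle_bin: bool = False
    created_by_untrusted_process: bool = False
    file_age_hidden: bool = False
    # Reputation inputs: "known_good", "known_bad", "unknown", or None when not available.
    gti_reputation: Optional[str] = None     # global (cloud) reputation
    atd_verdict: Optional[str] = None        # sandbox verdict, if the file was analysed
    admin_override: Optional[str] = None     # administrator-set local reputation


# Assumed weights for the risky conditions named on the slide.
RISK_WEIGHTS = {
    "certificate_revoked": 40,
    "created_by_untrusted_process": 25,
    "packed_suspiciously": 20,
    "runs_from_recycle_bin": 20,
    "file_age_hidden": 15,
    "loads_as_service": 10,
}

# Risk tolerance profiles: the score at which each action is taken (assumed values).
TOLERANCE_PROFILES = {
    "low":    {"sandbox": 15, "quarantine": 35},
    "medium": {"sandbox": 30, "quarantine": 55},
    "high":   {"sandbox": 45, "quarantine": 75},
}


def risk_score(ctx: FileContext) -> int:
    """Sum the weights of every risky condition present, plus prevalence and age signals."""
    score = sum(w for name, w in RISK_WEIGHTS.items() if getattr(ctx, name))
    if ctx.hosts_seen <= 2:        # low prevalence: almost nobody else in the enterprise runs it
        score += 15
    if ctx.first_seen_days == 0:   # file is new to the environment
        score += 10
    return score


def classify(ctx: FileContext, tolerance: str = "medium") -> Decision:
    """Precedence: administrator override, then sandbox verdict, then global reputation,
    then the local-context score judged against the chosen risk tolerance."""
    if ctx.admin_override == "known_bad":
        return Decision.PREVENT_AND_REMEDIATE
    if ctx.admin_override == "known_good":
        return Decision.EXECUTE
    if ctx.atd_verdict == "known_bad" or ctx.gti_reputation == "known_bad":
        return Decision.PREVENT_AND_REMEDIATE
    if ctx.atd_verdict == "known_good":
        return Decision.EXECUTE
    # A good global reputation is not trusted when the signing certificate was revoked.
    if ctx.gti_reputation == "known_good" and not ctx.certificate_revoked:
        return Decision.EXECUTE
    thresholds = TOLERANCE_PROFILES[tolerance]
    score = risk_score(ctx)
    if score >= thresholds["quarantine"]:
        return Decision.PREVENT_AND_QUARANTINE
    if score >= thresholds["sandbox"]:
        return Decision.SUBMIT_TO_SANDBOX
    return Decision.EXECUTE


if __name__ == "__main__":
    # Constructed sample: a brand-new, packed binary seen on one host with no global verdict.
    sample = FileContext("constructed-hash-a", hosts_seen=1, first_seen_days=0,
                         packed_suspiciously=True, gti_reputation="unknown")
    for tol in ("low", "medium", "high"):
        print(tol, risk_score(sample), classify(sample, tol).value)
```

The point of the precedence order is that an administrator's local knowledge and a sandbox verdict override a cloud reputation, which in turn overrides the heuristic score; the tolerance profile only moves the thresholds for the grey cases.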
Threat Intelligence Exchange: Adapt and Immunize, from encounter to containment in milliseconds
Components: McAfee Global Threat Intelligence, McAfee TIE Server, McAfee ATD, 3rd party feeds, Data Exchange Layer, McAfee ePO, VirusScan® Enterprise Threat Intelligence Module, McAfee TIE Endpoint Module.
Conditions evaluated (yes/no): file age hidden; signed with a revoked certificate; created by an untrusted process.

Instant Protection Across the Enterprise: Gateways block access based on endpoint convictions
Components: McAfee NGFW, McAfee NSP, McAfee Web Gateway, McAfee Email Gateway, McAfee ATD, McAfee Global Threat Intelligence, McAfee TIE Server, 3rd party feeds, Data Exchange Layer, McAfee ePO, McAfee ESM, VirusScan® Enterprise Threat Intelligence Module, McAfee TIE Endpoint Module.
Proactively and efficiently protect your organization as soon as a threat is revealed. Security components operate as one to immediately share relevant data between endpoint, gateway, and other security products.

Use Cases: McAfee Threat Intelligence Exchange in action
• TIE use case 1: Finding Patient 0
• TIE use case: Third-party reputation lookup (VirusTotal)
• Use case: Analyzing the unknown

McAfee Advanced Threat Defense: Dynamic and Static Analysis
• Dynamic analysis: run-time DLLs, network operations, file operations, process operations, delayed execution
• Static analysis: unpacking, disassembly of code, calculating latent code, familial resemblance

Use Case, SIEM: Top Malicious File Offenders by IP and User
View: display of top IP and user offenders for malicious file executions; trends by day for user and IP.
Data flow: TIE publishes client events over DXL to the SIEM; ePO supplies additional enrichment data (e.g. GUID to IP).
Speed is to be enhanced with Agent Handler events sent directly to SIEM in Q4.
Customer value:
• Quickly see the top IPs and users executing malicious files so action can be taken.
• Able to see trends by day/month/etc.
• Answers the question: am I seeing more or less malicious files over time?

Use Case, SIEM: New File on the Network
Alarm: when a file TIE has never seen is identified on the network.
Data flow: TIE publishes client events over DXL to the SIEM; ePO supplies additional enrichment data (e.g. GUID to IP).
Customer value: once a file reputation baseline is established, this will proactively notify security admins when new executable files enter their network, so they can do analysis and define the action to be taken.

Threat Intelligence Sharing: The Power of Open
• Bridge the gap between the network and endpoint
• Ability to share threat data between technologies
• Forward thinking: ability to pre-emptively import threat data collected by the security community
• STIX & TAXII
• Empower the administrator to make security decisions on the risk level of files running in their environment

Data Exchange Layer: A common messaging bus for automated security intelligence and action
Layers: Context & Orchestration; Security Management; Data Exchange Layer.
Products connected over the bus: Mail Gateway, Web Gateway, Vulnerability Management, Database Security, Identity Management, App & Change Control, Mobile Security, IPS, HIPS, Data Protection, Network Firewall, Anti-Malware, Virtualization, Encryption, Access Control, Threat Analysis.
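The two SIEM use cases above (top malicious-file offenders by IP and user, and the new-file-on-the-network alarm) both reduce to enrichment and aggregation over TIE client events. The following is an added example, not McAfee code and not the ESM content pack: it takes a handful of constructed client events, resolves agent GUIDs to IPs with a constructed ePO-style lookup table, builds the top-offender and daily-trend views, and raises one alarm per hash that is absent from a constructed reputation baseline. The event tuple layout, the GUID_TO_IP map and the BASELINE set are assumptions made for the example.

```python
"""
Added illustration (not McAfee code): the two SIEM views from the use-case
slides computed over constructed TIE client events. Event format, the
GUID-to-IP map and the baseline set are assumptions for this example.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed enrichment data: agent GUID -> endpoint IP (the kind of lookup ePO supplies).
GUID_TO_IP = {
    "guid-0001": "10.0.1.15",
    "guid-0002": "10.0.1.22",
    "guid-0003": "10.0.2.40",
}

# Constructed TIE client events: (timestamp, agent GUID, user, file hash, reputation verdict).
EVENTS = [
    ("2014-09-01T08:10:00", "guid-0001", "alice", "hash-aaa", "known_bad"),
    ("2014-09-01T09:30:00", "guid-0002", "bob",   "hash-bbb", "known_good"),
    ("2014-09-01T11:05:00", "guid-0001", "alice", "hash-ccc", "known_bad"),
    ("2014-09-02T07:45:00", "guid-0003", "carol", "hash-aaa", "known_bad"),
    ("2014-09-02T13:20:00", "guid-0001", "dave",  "hash-ddd", "unknown"),
    ("2014-09-03T10:00:00", "guid-0002", "bob",   "hash-eee", "known_bad"),
]

# Constructed reputation baseline: hashes the exchange had already seen before these events.
BASELINE = {"hash-aaa", "hash-bbb", "hash-ccc"}


def enrich(events, guid_to_ip):
    """Attach the endpoint IP to each event; events from unknown GUIDs are kept but marked."""
    enriched = []
    for ts, guid, user, file_hash, verdict in events:
        enriched.append({
            "ts": datetime.fromisoformat(ts),
            "guid": guid,
            "ip": guid_to_ip.get(guid, "unresolved"),
            "user": user,
            "hash": file_hash,
            "verdict": verdict,
        })
    return enriched


def top_offenders(events, guid_to_ip, n=3):
    """Top IPs and users by number of malicious file executions (first SIEM view)."""
    malicious = [e for e in enrich(events, guid_to_ip) if e["verdict"] == "known_bad"]
    by_ip = Counter(e["ip"] for e in malicious).most_common(n)
    by_user = Counter(e["user"] for e in malicious).most_common(n)
    return by_ip, by_user


def daily_trend(events, guid_to_ip):
    """Malicious executions per day: are we seeing more or less malicious files over time?"""
    trend = defaultdict(int)
    for e in enrich(events, guid_to_ip):
        if e["verdict"] == "known_bad":
            trend[e["ts"].date()] += 1
    return dict(sorted(trend.items()))


def new_file_alarms(events, guid_to_ip, baseline):
    """One alarm per hash never seen before (second SIEM view). The working set is updated
    as events are processed in time order, so a file that later spreads to other hosts
    alarms once, on the host that ran it first."""
    seen = set(baseline)
    alarms = []
    for e in sorted(enrich(events, guid_to_ip), key=lambda ev: ev["ts"]):
        if e["hash"] not in seen:
            seen.add(e["hash"])
            alarms.append((e["hash"], e["ip"], e["user"], e["ts"].isoformat()))
    return alarms


if __name__ == "__main__":
    ips, users = top_offenders(EVENTS, GUID_TO_IP)
    print("top IPs:", ips)
    print("top users:", users)
    print("daily trend:", {d.isoformat(): c for d, c in daily_trend(EVENTS, GUID_TO_IP).items()})
    for alarm in new_file_alarms(EVENTS, GUID_TO_IP, BASELINE):
        print("new file:", alarm)
```

Processing the alarm view in timestamp order is what makes it double as a "patient 0" record: the first (hash, IP, user, time) tuple for each unseen hash is the first host that executed it.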
McAfee Threat Intelligence Exchange: Adaptive Security Against Targeted Attacks
Optimizing security for your organization:
• Global Threat Intelligence: McAfee Global Threat Intelligence, 3rd party feeds
• Local Threat Intelligence: McAfee Web Gateway, McAfee NSP, McAfee Endpoint Client, McAfee Email Gateway, McAfee NGFW
• Organizational Intelligence: administrator, organizational knowledge, other data sources (future)
Personalized threat intelligence: assemble, override, augment and tune the intelligence source information.

McAfee Threat Intelligence Exchange: additional information at https://community.mcafee.com/community/business/expertcenter/products/tie

Measuring Reduced TCO: Gains on both CAPEX avoidance as well as OPEX reduction and efficiencies
Reference customers: US 2nd largest healthcare insurer and provider; world's largest transportation provider; 2nd largest bank & brokerage in the US.
Benefit areas: improved efficiency; streamlined compliance; reduced costs; limited liability.
Outcomes cited:
• Decreased network utilization 10%
• Saved 15% in annual audit/compliance cost
• Saved $1.5M in annual PCI remediation cost, without implementing anything more
• NYC to save $18M over five years
• Saved $22M; addressed glaring public issue
• Saved over $1M in annual helpdesk calls
(Security Connected framework layers shown: Analytics, Threat Intelligence, Countermeasures, Security Management, Context & Orchestration, Hardware-Enhanced Security)
Case study: http://www.mcafee.com/us/resources/case-studies/cs-new-york-dept-of-it-telcom.pdf