1. McAfee Security Connected
Actionable Situational Awareness
Boubker Elmouttahid, CISSP, CISM, CRISC
Solution Architect, Management Platform
October 17, 2013
Confidential McAfee Internal Use Only
2. Security Connected Platform
NETWORK SECURITY
Access Control
Identity & Authentication
Intrusion Prevention
Network User Behavior Analysis
Next Generation Firewall
INFORMATION SECURITY
Data Loss Prevention
Email Security
Encryption
Web Security
SECURITY MANAGEMENT
Compliance
Policy Auditing & Management
Risk Management
Security Operations Console
SIEM
Vulnerability Management
ENDPOINT SECURITY
Application Whitelisting
Desktop Firewall
Device Control
Device Encryption
Email Protection
Embedded Device Protection
Endpoint Web Protection
Host Intrusion Protection
Malware Protection
Network Access Control
On Chip (Silicon-Based) Security
Server & Database Protection
Smartphone & Tablet Protection
Virtual Machine & VDI Protection
PARTNER COMMUNITY
Global Strategic Alliance Partners
McAfee Connected
Security Innovation Alliance (SIA)
3. Partners and An Open, Full-Featured Platform
Integrated Solutions Deliver
Management
4. McAfee Labs
• Multi-discipline security research
– Malware (viruses, spyware, rootkits, etc.)
– Spam and Phishing
– Web Security
– Network and Host Intrusion Prevention
– Vulnerabilities and Compliance Checks
• 24 x 7 emergency response team
26 cities around the world
400+ researchers
• Holds 118+ patents and 148+ pending patents
5. What It Takes to Make An Organization Safe
Global Threat Intelligence – Threat Reputation
[Diagram: Global Threat Intelligence / Threat Reputation connected to Network IPS, Firewall, Web Gateway, Mail Gateway, Host AV, Host IPS and a 3rd Party Feed]
6. 112 Reputation Servers in 7 Data Centers
DataStore
London
Chicago
San Jose
Atlanta
Amsterdam
Tokyo
Hong Kong
10. Total Malware Samples
The McAfee “zoo” now contains more than 140 million unique malware samples.
[Chart: Total Malware Samples, monthly from Jul-12 to Jun-13, y-axis 0 to 160 000 000]
11. Enterprise IT BIG Bets 2013
…. Enable “Situational Security Awareness” through Big Security Data
• Situational Security Awareness through Big Security Data
• Less “Matching”, more Trending
• Long term analysis for “low and slow”
• Continuous compliance monitoring
• Immediate information access
[Diagram: Processing Demands, Data, Use Cases and Instrumentation growing from 2000 (Perimeter Security) through Compliance, Insider Threat and Data Security to 2013 ……]
12. Big Data vs. Big Security Data
Big Data
Datasets whose size and variety are beyond the ability of typical database software to capture, store, manage & analyse.
• Size of security data doubling annually
• Advanced threats demand collecting more data
• Legacy data management approaches failing
• SIEM use shifting from compliance to security
Big SECURITY Data
Understanding security data as big data.
• How do I gather security context?
• How do I manage big security information?
• How do I make security information management work?
13. “The Importance” of Big Security Data
Old Attacks
• Amateurs
• Noisy
• Curious/Mischievous
• Script driven
• Untargeted
New Attacks
• Professionals
• Stealthy
• For profit/intentional damage
• Professionally developed
• Targeted
Automated situational awareness
Global threat intelligence
14. The Big Security Data Challenge
[Chart: event volume scale from Thousands of Events to Billions of Events; use cases Perimeter, Compliance, Insider, Cloud Data and APTs; analysis stages Consolidate Logs, Correlate Events, Historical Reporting, Large Volume Analysis, Anomalies, Multi-dimensional Active Trending / Analysis]
15. The Big Security Data Challenge
16. THINK FAST…ACT FAST
Actionable Situational Awareness through Enhanced Data Management and Integration
Move Fast: Purpose built data management engine that makes SIEM work, and is Security ‘Big Data’ ready
Learn Quickly: Turns billions of “so what” events into Actionable Information via context, content and advanced analytics
Act Decisively: Leveraging the value of Security Connected for faster response whilst lowering cost of ownership
17. MOVE FAST
eDB: Purpose built data management engine that makes SIEM work
McAfee ESM eDB
Extended Schema in 9.2, enabling…
• Improved tracking of assets via GUID; increases accuracy as IPs change
• More custom fields; increasing data collected, correlated and reported about an event
• Ability to accumulate events (throughput, packets, URLs, etc.)
…without compromising performance!
18. Learn Quickly
Establishing baselines to identify deviations
• Rolling Averages
• Defining abnormal patterns of activity
19. Learn Quickly
Establishing baselines to identify deviations
• Sum events and track averages
• Alert based on deviations from norm
• ID Anomalies
Eliminate the Guesswork
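The baselining idea on the two "Learn Quickly" slides (sum events per window, track a rolling average, alert on deviations from the norm), worked through as an added example; this is not McAfee ESM code, and the firewall log lines, window size, lookback and thresholds are constructed assumptions:

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev

EPOCH = datetime(1970, 1, 1)
TS_FORMAT = "%Y-%m-%dT%H:%M:%S"

def make_sample_log():
    """Constructed input: a steady trickle of firewall denies, then a burst at 06:00."""
    per_hour = {0: 3, 1: 2, 2: 4, 3: 3, 4: 2, 5: 3, 6: 25, 7: 3}
    lines = []
    for hour, n in per_hour.items():
        for i in range(n):
            lines.append(f"2013-10-17T{hour:02d}:{(i * 2) % 60:02d}:00 fw01 DENY src=192.0.2.{i}")
    return lines

def count_per_window(lines, window_seconds=3600):
    """Sum events into fixed windows; returns (window_start, count) pairs in time order.
    Windows with no events at all are absent (a drop to zero is a separate check)."""
    counts = {}
    for line in lines:
        ts = datetime.strptime(line.split(" ", 1)[0], TS_FORMAT)
        bucket = int((ts - EPOCH).total_seconds()) // window_seconds
        counts[bucket] = counts.get(bucket, 0) + 1
    return [(EPOCH + timedelta(seconds=b * window_seconds), counts[b]) for b in sorted(counts)]

def find_anomalies(windows, lookback=4, k=3.0, min_delta=5):
    """Rolling baseline: mean and stdev of the last `lookback` normal windows.
    A window alerts when its count exceeds mean + k*stdev, with an absolute floor of
    mean + min_delta so a flat, near-zero baseline does not alert on a single extra event.
    Flagged windows are excluded from later baselines so a burst does not raise the norm
    for the hours after it; the first `lookback` windows are warm-up and never alert."""
    normal, alerts = [], []
    for start, count in windows:
        if len(normal) >= lookback:
            base = normal[-lookback:]
            threshold = max(mean(base) + k * pstdev(base), mean(base) + min_delta)
            if count > threshold:
                alerts.append((start.strftime(TS_FORMAT), count, round(threshold, 2)))
                continue
        normal.append(count)
    return alerts

if __name__ == "__main__":
    for start, count, threshold in find_anomalies(count_per_window(make_sample_log())):
        print(f"ALERT {start}: {count} events, baseline threshold {threshold}")
```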
20. Learn Quickly,
Global Threat Intelligence and IP Reputation
[Diagram: an event passes through an IP Reputation Check (Good / Suspect / Bad); Automatic Risk Analysis via the Advanced Correlation Engine assigns Medium Risk or High Risk, with Automatic Identification of the event]
McAfee Labs IP Reputation Updates cover:
• Botnet/DDoS
• Mail/Spam Sending
• Web Access
• Malware Hosting
• Network Probing
• Presence of Malware
• DNS Hosting Activity
• Intrusion Attacks
22. ACT DECISIVELY
Leverage the power of the platform
[Diagram: the Integrated Security Platform, linking Global Threat Intelligence, Vulnerability Manager, Compliance Reporting, Streamlined Investigations, ePolicy Orchestrator, Event Collection, Policy Management, Log Management, Network Security Platform and Advanced Correlation]
Industry Leading Security Information and Event Management
26. McAfee ESM
• Unmatched Speed
– Industry’s Fastest SIEM
– 100x to 1,000x faster than current solutions
– Queries, correlation and analysis in minutes, not hours
• Unmatched Scale
– Collect all relevant data, not selected sub-sets
– Analyze months and years of data, not weeks
– Include higher layer context and content information
– Scales easily to billions of data records
• Improves
– Operational efficiencies and optimizes security
• Enhances
– Visibility & control on risk and helps you to stay compliant with regulations
• Demonstrates
– Measurable ROI and reduced TCO by delivering an easy to use & scalable NG SIEM solution
27. McAfee ESM
2013 Market Leadership and Recognition
SIEM MQ “Visionary Leader”
– Gartner 2012 & 2013 SIEM Magic Quadrant
“Fastest database in the business, truly creative front end”
– SC Magazine, Excellent value for the money, February, 2012
“Best log management solution”
– InfoWorld 2011 Technology of the Year, January, 2011
“ESM has attained tier-one status alongside larger organizations”
– Ovum, Technology Audit, July, 2011
“One of the most useful and seamless incident response-focused
SIEM products available today”
– The 451 Group, Impact Report, June, 2010
“Top performance, 2nd lowest price”
– Info-Tech Research Group Vendor Landscape, June, 2011