Kyle Taylor – Increasing your security posture using McAfee ePO
Configuring McAfee HIPS and DLP to increase your security posture...with bonus policies and dashboards attached

Published in: Technology
Slide 1
https://ae.linkedin.com/in/kyle-taylor-7325421a
Slide 2
DLP Initiatives:
◦ Block Bluetooth and USB Printers
◦ Block Wireless NICs and SD Cards
◦ Track File Names copied to External Media
◦ “Dirty Word” search on Files copied to External Media
Application Whitelisting:
◦ Using Subject Distinguished Name to Simplify Exemptions
Future Projects:
◦ McAfee Threat Activity Tracer
◦ ePO Deep Command Discovery and Reporting (Free Tool)
◦ McAfee System Information Reporter
IA/CND Dashboards
Slide 3
Wireless – Block by Device Definition and Plug and Play Device Rule
◦ Device Class: Network Adapters
◦ Device Name: Allow Partial Match (Wireless, WiMax, WiFi, 802.11, Wlan)
Bluetooth – Block by Plug and Play Rule – combine with an additional Firewire block
◦ Bus Type: Bluetooth
SD Cards – Block by Plug and Play Rule – allows you to make them Read-Only
◦ Compatible ID (RIMMPTSKDisk_SD, SDCLASS_STORAGE, SCSIDisk) – these mount as “Devices” rather than as “Removable Storage”
USB Printers – Use Plug and Play Rule
◦ Use Device Definition with USB Class: 07h
Prevent executables from running from removable media using the Removable Storage File Access rule – it will block .exe, .msi, .bat, .zip
Create a Windows Portable Device Rule to look for a Device Name containing “MTP” to catch iPods, phones, etc. that mount as an MTP device rather than as Removable Storage
◦ KB73171 – MTP Devices… we mainly see MTP devices mounting as “Windows Portable Devices”
◦ KB77769 – Managing Apple Products
◦ KB81602 – Possibility to allow you to record files being burned to CD/DVD – not tested
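The device-control rules on this slide are essentially an ordered attribute match: the first rule whose conditions fit a device decides what happens to it. The following Python model, added here and not part of the presentation or any McAfee product, evaluates constructed device records against the slide's conditions (network-adapter class plus a wireless name token, Bluetooth bus, the listed SD compatible IDs, USB class 07h, an "MTP" name) and applies the Removable Storage File Access extension list. The `Device` field names and the sample records are assumptions; the action for the MTP rule is reported as a rule match only, since the slide does not state one.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed device record standing in for what a Plug and Play / Device
# Definition rule would evaluate. Field names are assumptions, not the
# DLP product's own schema.
@dataclass
class Device:
    name: str
    device_class: str                  # e.g. "Network Adapters", "Disk Drives"
    bus_type: str = ""                 # e.g. "USB", "Bluetooth", "PCI"
    compatible_ids: Tuple[str, ...] = ()
    usb_class: Optional[str] = None    # USB interface class code, e.g. "07h"
    mount_kind: str = "Device"         # "Removable Storage", "Windows Portable Device", "Device"

# Partial-match tokens from the wireless Device Definition on the slide.
WIRELESS_TOKENS = ("wireless", "wimax", "wifi", "802.11", "wlan")
# Compatible IDs listed for SD cards on the slide.
SD_COMPATIBLE_IDS = {"RIMMPTSKDisk_SD", "SDCLASS_STORAGE", "SCSIDisk"}
USB_PRINTER_CLASS = "07h"
# Removable Storage File Access rule: types the slide says it blocks.
BLOCKED_EXTENSIONS = (".exe", ".msi", ".bat", ".zip")


def evaluate_device(dev: Device) -> str:
    """Return 'action:rule' for the first matching rule, or 'allow'."""
    name = dev.name.lower()
    if dev.device_class.lower() == "network adapters" and any(t in name for t in WIRELESS_TOKENS):
        return "block:wireless-nic"
    if dev.bus_type.lower() == "bluetooth":
        return "block:bluetooth"
    if set(dev.compatible_ids) & SD_COMPATIBLE_IDS:
        return "read-only:sd-card"
    if dev.bus_type.lower() == "usb" and dev.usb_class == USB_PRINTER_CLASS:
        return "block:usb-printer"
    if "mtp" in name or dev.mount_kind == "Windows Portable Device":
        # Windows Portable Device rule; the slide does not state its action.
        return "wpd-rule:mtp"
    return "allow"


def file_access_allowed(filename: str) -> bool:
    """Removable Storage File Access rule: deny the listed types from removable media."""
    return not filename.lower().endswith(BLOCKED_EXTENSIONS)


if __name__ == "__main__":
    # Constructed inventory, not real hardware data.
    inventory = [
        Device("Intel(R) Dual Band Wireless-AC 8260", "Network Adapters", "PCI"),
        Device("Generic Bluetooth Radio", "Bluetooth", "Bluetooth"),
        Device("SD Card Reader", "Disk Drives", "USB", ("SDCLASS_STORAGE",)),
        Device("Office Printer", "Printers", "USB", usb_class="07h"),
        Device("Apple iPhone (MTP)", "Portable Devices", "USB", mount_kind="Windows Portable Device"),
        Device("Intel Ethernet Connection I219", "Network Adapters", "PCI"),
    ]
    for d in inventory:
        print(f"{d.name:40s} -> {evaluate_device(d)}")
    for f in ("report.docx", "Setup.EXE"):
        print(f"{f:40s} -> {'allowed' if file_access_allowed(f) else 'blocked'}")
```

Rule order matters: a wired adapter whose name happens to contain a wireless token would be caught by the first rule, which is the same reason the slide recommends a partial-match list rather than a single exact name.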
Slide 4
Track files copied to external media
1. In the DLP Console, turn on “Hit Highlighting”
2. Set up a “Removable Media Protection Rule” and call it something like “Track Files Copied to Removable Media”
3. Assign it to all your exempted users, but “Monitor Only”
NOTE: It does not track files burned to CD/DVD… however, you can track the amount of data burned per hour, day, month, etc.
Slide 5
Checks files being copied to Removable Media and searches within them for text patterns
Only works on files being copied OFF to removable media
Create a new Text Pattern definition for “NOFORN”, “FVEY”, “SECRET//”, etc. called Classification Markings, then a Category called “Category – Classified Markings” for matches to go into, as well as a Tag named similarly – I know… a ton of steps.
Apply this text pattern definition to the Content Tagging Rule called “Possible Classified Document” and tell it to put matches into the Category “Category – Classified Markings”
Create a “Removable Storage Protection Rule” looking for the category “Category – Classified Markings” and apply it to all USB and SD exempted users.
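Slides 4 and 5 together describe one evaluation chain for a copy to removable media: non-exempted users are blocked outright, exempted users are monitored with hit highlighting, and exempted users whose file matches the Classification Markings text pattern fall under the stricter protection rule. The Python below is an added illustration of that chain, not the presenter's policy export or McAfee code. The user list, the file contents and the `CopyEvent` shape are constructed; treating the classified-markings match as a block is an assumption, since the slide names the rule but not its action.

```python
import re
from typing import List, NamedTuple, Optional

# Text Pattern definition "Classification Markings" from the slide; the regex
# itself is our construction. Matching is case-sensitive because real markings
# are upper-case and a lower-case hit would most likely be prose.
CLASSIFICATION_MARKINGS = ("NOFORN", "FVEY", "SECRET//")
MARKING_RE = re.compile("|".join(re.escape(m) for m in CLASSIFICATION_MARKINGS))
CATEGORY = "Category – Classified Markings"

# Constructed sample of users exempted from the baseline USB/SD block.
EXEMPTED_USERS = {"CORP\\alice", "CORP\\bob"}


class CopyEvent(NamedTuple):
    user: str
    filename: str
    content: str
    destination: str       # "removable", "cd_dvd" or "local"


class Decision(NamedTuple):
    action: str            # "not-evaluated", "block" or "monitor"
    rule: str
    category: Optional[str]
    hits: List[str]


def hit_highlight(text: str, context: int = 15) -> List[str]:
    """Return each marking with surrounding text, bracketing the match the
    way the DLP console's Hit Highlighting shows it."""
    snippets = []
    for m in MARKING_RE.finditer(text):
        lo, hi = max(0, m.start() - context), min(len(text), m.end() + context)
        snippet = text[lo:m.start()] + "[" + m.group(0) + "]" + text[m.end():hi]
        snippets.append(snippet.replace("\n", " "))
    return snippets


def evaluate_copy(ev: CopyEvent) -> Decision:
    """Apply the slide's rules to one copy event."""
    if ev.destination != "removable":
        # Slide caveat: CD/DVD burns and local copies are not covered by these rules.
        return Decision("not-evaluated", "none", None, [])
    if ev.user not in EXEMPTED_USERS:
        return Decision("block", "Baseline removable media block", None, [])
    hits = hit_highlight(ev.content)
    if hits:
        # "Possible Classified Document" tagging rule feeds the category that the
        # Removable Storage Protection Rule looks for (block action assumed).
        return Decision("block", "Possible Classified Document", CATEGORY, hits)
    # "Track Files Copied to Removable Media", assigned Monitor Only.
    return Decision("monitor", "Track Files Copied to Removable Media", None, [])


if __name__ == "__main__":
    # Constructed events, not real documents.
    events = [
        CopyEvent("CORP\\alice", "budget.docx", "FY budget, internal use only", "removable"),
        CopyEvent("CORP\\alice", "ops.docx", "TOP SECRET//NOFORN briefing\nreleasable to FVEY only", "removable"),
        CopyEvent("CORP\\eve", "notes.txt", "hello", "removable"),
        CopyEvent("CORP\\alice", "iso.txt", "SECRET//X", "cd_dvd"),
    ]
    for ev in events:
        d = evaluate_copy(ev)
        print(f"{ev.user} {ev.filename}: {d.action} ({d.rule}) {d.hits}")
```

The `hit_highlight` output is what makes the monitor-only tracking rule useful to incident response: the analyst sees the marking in context rather than only a file name.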
Slide 6
Enable Signatures 6010 & 6011
Use Subject Distinguished Name to reduce overall total events
◦ We reduced events from 45,000 to 1,000 per day only using around 50 exceptions
Add all the Signatures into a Single Exception
◦ Adobe, Microsoft (about 10 different sigs), VMware, Symantec, etc.
Example: “C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, CN=MICROSOFT WINDOWS”
The Layered/Effective Policy approach applied at each level using this hierarchy is recommended. [Assign a policy for each level with exceptions in each as required.]
Learn to use ClientControl.exe for additional assistance and troubleshooting
◦ i.e. clientcontrol.exe /exportconfig c:\Windows\HIPSEXPORT.txt 5
◦ Clientcontrol.exe /log <HIPSPASSWORD> 0 4 … creates files in the C:\Users\All Users\McAfee\Host Intrusion Prevention folder
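Keying HIPS exceptions on the signer's Subject Distinguished Name works because one DN covers every binary a vendor signs, so a handful of exceptions can absorb most of the benign events. The Python below, added here as an illustration and not the presenter's policy or a McAfee API, parses DNs of the form shown on the slide, treats an exception as a subset match on the signer's attributes, and runs a few constructed HIPS-style events through two exceptions to show the event reduction. The Adobe DN, the event records and the `HipsEvent` fields are assumptions; the Microsoft DN is the slide's own example.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


def parse_dn(dn: str) -> Dict[str, str]:
    """Parse 'C=US, S=WASHINGTON, ..., CN=MICROSOFT WINDOWS' into a dict.
    Values are upper-cased for case-insensitive comparison, escaped commas
    inside a value are honoured, and OpenSSL's ST is folded into Windows' S."""
    parts: Dict[str, str] = {}
    for rdn in re.split(r"(?<!\\),", dn):
        key, sep, value = rdn.partition("=")
        if not sep:
            continue
        key = key.strip().upper()
        if key == "ST":
            key = "S"
        parts[key] = value.strip().replace("\\,", ",").upper()
    return parts


def dn_matches(exception_dn: str, signer_dn: str) -> bool:
    """An exception matches when every attribute it lists is present with the
    same value in the signer's DN; extra attributes on the signer are ignored."""
    want, have = parse_dn(exception_dn), parse_dn(signer_dn)
    return bool(want) and all(have.get(k) == v for k, v in want.items())


class HipsEvent(NamedTuple):
    signature_id: int
    process: str
    signer_dn: Optional[str]     # None for an unsigned binary


# Slide's Microsoft example plus a constructed Adobe DN (not a real certificate).
EXCEPTIONS = [
    "C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, CN=MICROSOFT WINDOWS",
    "C=US, O=ADOBE SYSTEMS INCORPORATED",
]

# Constructed events in the shape a HIPS signature 6010/6011 hit might carry.
SAMPLE_EVENTS = [
    HipsEvent(6010, r"C:\Windows\System32\svchost.exe",
              "CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"),
    HipsEvent(6011, r"C:\Windows\explorer.exe",
              "CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US"),
    HipsEvent(6010, r"C:\Program Files\Adobe\Reader\AcroRd32.exe",
              "CN=Adobe Systems Incorporated, O=Adobe Systems Incorporated, L=San Jose, S=California, C=US"),
    HipsEvent(6010, r"C:\Users\Public\unsigned_tool.exe", None),
    HipsEvent(6011, r"C:\Temp\tool.exe", "CN=Contoso Tools, O=Contoso Ltd, C=US"),
]


def apply_exceptions(events: List[HipsEvent], exceptions: List[str]) -> Tuple[List[HipsEvent], int]:
    """Return the events that still need review and how many were suppressed.
    Unsigned binaries never match a DN exception, so they always remain."""
    remaining = [
        e for e in events
        if not (e.signer_dn and any(dn_matches(x, e.signer_dn) for x in exceptions))
    ]
    return remaining, len(events) - len(remaining)


if __name__ == "__main__":
    left, suppressed = apply_exceptions(SAMPLE_EVENTS, EXCEPTIONS)
    print(f"suppressed {suppressed} of {len(SAMPLE_EVENTS)} events with {len(EXCEPTIONS)} exceptions")
    for e in left:
        print(f"  review: sig {e.signature_id} {e.process} signer={e.signer_dn}")
```

Because the match is a subset of attributes, an exception that lists only `O=` and `C=` is broader than the slide's full five-attribute example; the full DN is the safer default, and the shorter form should be a deliberate choice.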
Slide 7
McAfee Threat Activity Tracer – records the remote IP that triggered any events using HIPS and VSE
◦ In the McAfee Tool Exchange
McAfee System Information Reporter
◦ Free from McAfee Platinum Support
◦ Checks for Files and enforces a version
◦ Checks and enforces registry keys
◦ Enumerates Software, Hotfixes, Services, Shares
◦ Possible CMI Mitigation
ePO Deep Command Discovery and Reporting Tool
◦ Free from McAfee – Plugin and Extension
◦ Hardware Enumeration and Serial Number Tracking
◦ Nice addition for Inventory or Logistics Personnel, also Tech Refreshes
◦ Also Wireless NIC status, BIOS version, System Model and Manufacturer, Last Reboot, etc.
◦ Alternatively, use the SystemInfo Tool from McAfee Tool Exchange to write the serial number to one of the Custom Properties fields
Slide 8
https://community.mcafee.com/docs/DOC-4231
Slide 9
• Checks computers for specific files or registry keys – and enforces versions
• Checks for Shares and USB Devices
• Installed Hotfixes, Software, patches, services
Slide 10
Dashboards and Automated Emails are good ways to keep Incident Response informed
These do require training and a lot of policy tuning to make them usable to IA/CND
Track HIPS, VSE, DLP, maybe ABM and Rogues
HIPS and VSE are where you are most likely to catch zero-days or APTs
Over 70% of our Remedy tickets for IA/CND come from McAfee
Slide 11
Displays Malware Names, Trends, and Top Violators
Slide 12
Breaks Down Systems on the Network by OS, Per Site, and Rogues
Slide 13
• Prompts the most questions, requires a lot of tuning, and can be Noisy
Slide 14
Kyle.taylor@darkmatter.ae
971-525-100-890
Slide 15
Note: I will try to make the policies and dashboards available through the hosts of this symposium.
McAfee Threat Activity Tracer
- https://community.mcafee.com/docs/DOC-4231
ePO Deep Command Discovery and Reporting
- Product Guide: https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/25000/PD25071/en_US/edc_210_pg_0-00_en-us.pdf
- McAfee Community: https://community.mcafee.com/blogs/deepakkolingivadi/2014/03/20/deep-command-quick-start-guide-updated-for-21
McAfee System Information Reporter
- KB: https://kc.mcafee.com/corporate/index?page=content&id=KB67830
- User Guide: https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/22000/PD22755/en_US/SIR_User_guide.pdf