Connecting the pieces to mitigate risk
Jorge Herrerías, CISSP
Sales System Engineer
Today, the exponential growth of sophisticated malware and the evasion methods used by cybercriminals have become a lethal combination for organizations. Information silos, and the lack of automation between them, make companies an easy target for attackers. Companies today are no longer looking only to tick the compliance box, but to actually mitigate their security risks more efficiently and proactively. Connected security, across different technology components through which information is “shared” so that the organization becomes aware and reacts immediately, makes the difference between becoming one more security-incident statistic or not.

Intended for: IT heads or coordinators, systems or IT managers, CIO, CISO, CTO

  1. Connecting the pieces to mitigate risk. Jorge Herrerías, CISSP, Sales System Engineer
  2. Malware Continues to Grow… 128M total malware samples in the McAfee Labs database. New malware samples grew 22% from Q4’12 to Q1‘13; 2012 new malware sample discoveries increased 50% over 2011. [Chart: New Malware Samples per quarter, Q1 2010 to Q1 2013, y-axis 0 to 14,000,000.] Malware continues to grow, and is getting more sophisticated… Source: McAfee Labs, 2013
  3. Ransomware. The number of new, unique samples this quarter is greater than 320,000, more than twice as many as in the first quarter of 2013. During the past two quarters, McAfee Labs has catalogued more ransomware samples than in all previous periods combined. [Chart: New Ransomware Samples per quarter, Q1 2011 to Q2 2013, y-axis 0 to 350,000.]
  4. Total Malware Samples. The McAfee “zoo” now contains more than 140 million unique malware samples. [Chart: Total Malware Samples per month, Jul-12 to Jun-13, y-axis 0 to 160,000,000.]
  5. Suspicious Internet (MX). As of December 31, 2012, nearly 1,100 suspicious Internet addresses hosted in Mexico were analyzed by McAfee. There were only 800 in late 2011. 62 percent of the current ones are assigned a maximum risk. Nearly 51 percent of these URLs hide malware. About 26 percent of them are used in phishing campaigns and 13 percent in spam campaigns.
  6. Comprehensive Malware Protection. First Layer of Defense: Global Visibility and Situational Awareness
  7. Comprehensive Malware Protection. Second Layer of Defense: McAfee Advanced Threat Defense (Network Anti Malware)
  8. Comprehensive Malware Protection. Third Layer of Defense: Network Threat Protection (diagram labels: IPS, Web, IPS, IPS)
  9. Comprehensive Malware Protection. Fourth Layer of Defense: Comprehensive Endpoint Threat Defense
  10. Comprehensive Malware Protection. Fifth Layer of Defense: Real Time Endpoint Awareness
  11. Comprehensive Malware Protection. Sixth Layer of Defense: Heal Endpoints
  12. Comprehensive Malware Protection. Seventh Layer of Defense: Global Threat Intelligence (GTI)
  13. Multi-Layering Defense | Interconnected. Products shown: Firewall Enterprise, Web Protection, Intrusion Prevention System, Security for Microsoft Exchange, VirusScan, Email Protection, Network Anti Malware, Site Advisor, Database Security, Application Control, Data Center Security, MOVE AV, SIEM, Host IPS, Unified Administration, Device Control, Mobility, Deep Defender
  14. Scene 1
  15. Scene 2
  16. Scene 3
  17. Scene 4
  18. Scene 5
  19. Scene 6
  20. Scene 7. Result: https://www.virustotal.com/en/file/59c878b9daa887167c1857edf1d121dddfa0fb30031058e0d87f46890e7456ad/analysis/
  21. McAfee Comprehensive Malware Protection: Solution Overview. [Diagram labels: McAfee Endpoint Agent*; McAfee Global Threat Intelligence; FREEZE; FIND; FIX; NSP Gateways; McAfee Network IPS; GTI/LTI; Efficient AV Signatures; McAfee Web Gateway; Emulation Engine; Target-Specific Sandboxing (ValidEdge); McAfee Email Gateway; GTI Reputation; Automated Host Cleaning (ePO); McAfee Advanced Threat Defense; McAfee ePO; Malware Fingerprint Query (Real Time ePO).]
  22. Discovering ZeroDay and Targeted Attacks: Live Walkthrough. Live e-mail received 08-27-2013: URL redirect to malware site. [Diagram labels: You find on-prem; MFE finds via cloud; Advanced Threat Defense; McAfee Global Threat Intelligence; Target-Specific Sandboxing (MATD); Emulation Engine; Efficient AV Signatures; GTI Reputation; 3rd Party Threat Data; JAR Analysis; .exe Analysis; PDF Analysis; Network Threat Response.]
  23. Discovering ZeroDay and Targeted Attacks: Live Walkthrough. Reputation check of the URL passes. Payload appears to be a .SCR inside a .ZIP. [Same diagram as slide 22.]
  24. Discovering ZeroDay and Targeted Attacks: Live Walkthrough. Due to zero day, few A/V signature catches. [Same diagram as slide 22.]
  25. Discovering ZeroDay and Targeted Attacks: Live Walkthrough. MATD or NTR execution demonstrates: [Same diagram as slide 22.]
  26. Discovering ZeroDay and Targeted Attacks: Live Walkthrough. What’s learned through execution: [Same diagram as slide 22.]
  27. Scene 8 (Malware)
  28. Use the right controls… October 18, 2013
  29. Defending Against Targeted Attacks Requires Lean-Forward Technologies and Processes
  30. Global Threat Intelligence and SIEM. IP reputation check: GOOD / SUSPECT / BAD. Automatic risk analysis via advanced correlation engine: Medium Risk / High Risk. Event: automatic identification. McAfee Labs IP reputation updates cover Botnet/DDoS, Mail/Spam Sending, Web Access, Malware Hosting, Network Probing, Presence of Malware, DNS Hosting Activity, Intrusion Attacks.
  31. Event Handling…
  32. Prioritize security events
  33. From the top down…
  34. Hello? Who am I speaking with?
  35. User on WinXPHost01 downloads “Windows update” from fake site. Executes it, nothing sinister appears.
  36. Meanwhile, we start to see a number of potentially malicious events related to this host on McAfee ESM.
  37. Step 1: This external host looks suspicious. Let's blacklist him.
  42. Quarantine successfully implemented through the McAfee NSM. Link to C&C host blocked.
  43. Step 2: This internal endpoint appears to have been compromised. From McAfee ESM we can lock it down and scan it immediately through ePO.
  44. Looking at the endpoint, we see that the firewall started off disabled.
  45. ePO enables the firewall with a restrictive policy. The Trojan is contained on the endpoint.
  46. Simultaneously, ePO launches an aggressive scan.
  47. Additional malware on the infected host discovered and cleaned.
  48. ESM screenshot showing the remediation was successful in the SIEM. Confirmation back in the SIEM. Remediation complete.
  49. Comprehensive malware protection is an orchestrated approach to protect against malware.
  50. References for the reports consulted
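As an added illustration of the flow on slides 30 to 48 (IP reputation check, correlation-based risk level, top-down prioritization, then network block, endpoint lockdown, scan and confirmation back in the SIEM), here is a small Python model written for this page. It is example code, not McAfee's or the presenter's; every IP address, hostname, log line, the reputation feed, the scoring weights and the risk thresholds are constructed for the example, and a real SIEM would take the reputation from its own feed rather than a dictionary.

```python
# SIEM-style triage: IP reputation -> correlation -> risk level -> response plan.
# Example added for this page, not McAfee's or the presenter's code. Every IP,
# hostname, log line, the reputation feed, the weights and the thresholds below
# are constructed for the example.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed reputation feed standing in for a GTI-style lookup; category names
# follow the slide (Botnet/DDoS, Malware Hosting, Network Probing, ...).
REPUTATION = {
    "203.0.113.7":  ("BAD",     {"Botnet/DDoS", "Malware Hosting"}),
    "198.51.100.9": ("SUSPECT", {"Network Probing"}),
    "192.0.2.10":   ("GOOD",    set()),
}

# Constructed sensor events: <ISO time> <sensor> <type> src=<ip> dst=<ip> host=<name>
SAMPLE_LOG = """\
2013-10-18T09:00:01 proxy web_download  src=10.0.0.5 dst=192.0.2.10   host=WinXPHost01
2013-10-18T09:00:40 nsm   outbound_conn src=10.0.0.5 dst=203.0.113.7  host=WinXPHost01
2013-10-18T09:01:02 nsm   outbound_conn src=10.0.0.5 dst=203.0.113.7  host=WinXPHost01
2013-10-18T09:01:30 hips  fw_disabled   src=10.0.0.5 dst=-            host=WinXPHost01
2013-10-18T09:02:10 nsm   probe         src=10.0.0.8 dst=198.51.100.9 host=FileSrv02
2013-10-18T09:15:00 proxy web_download  src=10.0.0.9 dst=192.0.2.10   host=Desk03
"""

# Constructed events after the response ran: the C&C connection is now reported
# as blocked by the network sensor instead of allowed.
POST_REMEDIATION_LOG = """\
2013-10-18T09:20:00 nsm   blocked_conn  src=10.0.0.5 dst=203.0.113.7  host=WinXPHost01
2013-10-18T09:25:00 proxy web_download  src=10.0.0.9 dst=192.0.2.10   host=Desk03
"""

WINDOW = timedelta(minutes=10)                        # correlation window per host
BAD_WEIGHT, SUSPECT_WEIGHT, FW_OFF_WEIGHT = 3, 1, 2   # constructed scoring weights
HIGH, MEDIUM = 5, 2                                   # constructed risk thresholds


def parse_log(text):
    """Parse the whitespace-separated sensor lines into event dicts."""
    events = []
    for line in filter(str.strip, text.splitlines()):
        ts, sensor, etype, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        events.append({"ts": datetime.fromisoformat(ts), "sensor": sensor, "type": etype, **fields})
    return events


def reputation(ip):
    """Reputation check; an IP missing from the feed counts as GOOD (feed miss)."""
    return REPUTATION.get(ip, ("GOOD", set()))


def correlate(events):
    """Score each internal host over its first WINDOW of events and rank hosts
    highest score first (the slides' top-down prioritization).
    Risk: score >= HIGH -> High, >= MEDIUM -> Medium, otherwise Low."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    findings = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        start, score, reasons, bad_peers = evs[0]["ts"], 0, [], set()
        for e in (x for x in evs if x["ts"] - start <= WINDOW):
            rep, cats = reputation(e["dst"])
            if rep == "BAD":
                score += BAD_WEIGHT
                bad_peers.add(e["dst"])
                reasons.append(f"{e['type']} to BAD {e['dst']} ({', '.join(sorted(cats))})")
            elif rep == "SUSPECT":
                score += SUSPECT_WEIGHT
                reasons.append(f"{e['type']} to SUSPECT {e['dst']}")
            if e["type"] == "fw_disabled":          # missing local control raises risk
                score += FW_OFF_WEIGHT
                reasons.append("host firewall disabled")
        risk = "High" if score >= HIGH else "Medium" if score >= MEDIUM else "Low"
        findings.append({"host": host, "score": score, "risk": risk,
                         "reasons": reasons, "bad_peers": sorted(bad_peers)})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


def response_plan(finding):
    """Ordered actions for a High finding: network block first, then endpoint, then confirm."""
    if finding["risk"] != "High":
        return []
    host = finding["host"]
    return ([f"Step 1: blacklist {ip} at the network sensor (NSM); C&C link blocked"
             for ip in finding["bad_peers"]] +
            [f"Step 2: via ePO, enable the host firewall on {host} with a restrictive policy",
             f"Step 2: via ePO, launch an aggressive on-demand scan on {host}",
             f"Step 3: confirm in the SIEM that {host} no longer reaches the blocked hosts"])


def confirm_remediation(events, host, blocked_ips):
    """True when the host has no allowed connection to a blocked IP; the sensor's
    own 'blocked_conn' reports show the block working and are not counted."""
    return not [e for e in events if e["host"] == host
                and e["dst"] in blocked_ips and e["type"] != "blocked_conn"]


if __name__ == "__main__":
    findings = correlate(parse_log(SAMPLE_LOG))
    for f in findings:
        print(f"{f['risk']:<6} {f['score']:>2}  {f['host']}: {'; '.join(f['reasons']) or 'nothing notable'}")
    top = findings[0]
    print("\n".join(response_plan(top)))
    ok = confirm_remediation(parse_log(POST_REMEDIATION_LOG), top["host"], set(top["bad_peers"]))
    print("Remediation confirmed" if ok else "Host still reaching blocked IPs")
```

Run as a script, the constructed sample puts WinXPHost01 at the top as High risk (two connections to a BAD address plus a disabled host firewall), FileSrv02 stays Low on a single SUSPECT probe, and the response plan follows the order of the walkthrough: block the external host at the network sensor before touching the endpoint, then enable the restrictive firewall policy and scan, and only call the incident closed once the post-remediation events show no allowed traffic from the host to the blocked address.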
