McAfee Enterprise Security Manager (ESM)
Security Information & Event Management (SIEM)
Iftikhar Ali Iqbal, CISSP, CCSP, CISM
https://www.linkedin.com/in/iftikhariqbal/
Valid till Jan 2020
AGENDA
Target: Partners & RTM
1 Company Overview
2 Security Operations
3 Enterprise Security Manager (ESM)
4 Use Cases / Scenarios
OVERVIEW
Company and Portfolio
MCAFEE: OVERVIEW
McAfee – the device-to-cloud cybersecurity company – is one of the largest pureplay cybersecurity companies in the world, with 30+ years of market leadership and 1,550+ patents worldwide.
• Solutions
• Services
• Open Architecture
• Brief
Open platforms shown: CASB Connect, OpenDXL
MCAFEE: STRATEGY
Portfolio Strategy: An Integrated And Open Security System
Threat Defense Lifecycle: Together, Is Far More Powerful Than Sum Of The Parts
Diagram labels: Security Operations, Device, Cloud, Management, Threat Intelligence, Analytics, Automation / Orchestration, Infrastructure
MCAFEE: SECURITY OPERATIONS
Data Platform: Collect, Enrich, and Share Data at any Scale
Advanced Analytics: Turn Data into Insight
Investigate and Act: Expert-guided Investigation for Confident Action
SIA Partner and Open Solutions: Collaboration with 3rd party solutions
• SIEM: Broad Data Collection
• Advanced Analytics: Risk scoring, anomaly detection
• SIEM: Long-term (Compliance, archive & forensics)
• SIEM: Real-time correlation & detection
• SIEM: Short-term (Search & hunting)
• Sandboxing: Malware Analysis
• EDR: Endpoint telemetry, process trace
• SIEM: View all alerts, coordinate action
• Investigator: Automated analysis, guided investigation
• EDR: Response
Products shown: ATD, ESM, MAR / MVISION EDR, SIA
SECOPS: CHALLENGE
Time to Identify, Time to Investigate, Time to Contain
Mean Time to Detect (MTTD)
Mean Time to Respond (MTTR)
Dwell Time: 3-15 Months
ENTERPRISE SECURITY MANAGER (ESM)
Security Information & Event Management (SIEM)
ESM: STRATEGIC OVERVIEW
INTELLIGENT / INTEGRATED / ACTIONABLE
• Real Time Advanced Analytics
• Threat and Risk Prioritization
• Comprehensive Security
• Broad Data Collection, Including Cloud Support
• Security Connected Integrations
• Active and Customizable Dashboards
• High Performance Data Management Engine
• Ease of Operation
ESM: ESSENTIALS
CORRELATION
• Event Normalization
• Receiver & Advanced Correlation
• Real-Time & Historical 'Modes'
• Rule & Risk 'Engines'
MANAGEMENT
• Dashboard Views
• Threat Management & Intelligence
• Content Packs (Use-Case Driven)
• Policies & Rules
ALARMS
• Visual and Auditory
• Text and Email
• Case Management
• Remote Commands
• Watchlist
DATA SOURCES
• Security Events
• Network Flow Data
• Multi-Vendor
• Various Types
• Multi Method
ESM: COMPONENTS
McAfee solutions empower organizations with visibility across systems, networks, and data, helping counter threats and mitigate risks.
• McAfee Enterprise Security Manager
• McAfee Enterprise Log Manager: Integrated SIEM & Log Management
• McAfee Application Data Monitor and McAfee Database Security: Rich Application and Database Context
• McAfee Advanced Correlation Engine: Adaptive Risk Analysis and Historical Correlation
• McAfee Event Receivers: Scalable Collection and Distributed Correlation
Physical & Virtual Appliances
Connected Solutions (Integration and Operational Efficiency): TIE/DXL, SIA Partners, ePO, GTI, NSM, ATD, MAR
ESM: ARCHITECTURE
Data Sources: TIP, FW, SEG, DNS SEC, IPS, APT, CASB, Global Threat Intelligence, Datacenter Security for Databases
• Event Receiver
• Application Data Monitor
• Advanced Correlation Engine (Real Time)
• Advanced Correlation Engine (Historical)
• Enterprise Security Manager
• Enterprise Log Manager
• Enterprise Log Search
HEADQUARTERS – MAIN DATA CENTER
• ePolicy Orchestrator, Agent Handlers
• Threat Intelligence Exchange + Data Exchange Layer + Active Response Server
• Web Gateway (Pooled), Load Balancer, Secure Web Gateway, Egress Switch, ICAP, SMTP
• DLP Monitor, DLP Discover, DLP Prevent Web, DLP Prevent Email, DLP Prevent Mobile
• Mobile Device Management
• MVISION Cloud (API)
• McAfee Labs Global Threat Intelligence (GTI), Active Response – Cloud Storage
• Active Directory, Rights Management Services (RMS), Data Classification
• Endpoints (Next-Gen Endpoint Protection): Endpoint Security, Adaptive Threat Protection, Active Response, Data Loss Prevention, Device Control, DLP Endpoint, Data Classification, Web Proxy, Client Proxy, McAfee Agent
• Physical Servers / Virtual Servers (Next-Gen Server Protection): Endpoint Security for Servers, Adaptive Threat Protection, Active Response, Data Loss Prevention, DLP Endpoint, Data Classification, Web Proxy, Client Proxy, McAfee Agent
SITE # 1
• Endpoints (Next-Gen Endpoint Protection): Endpoint Security, Adaptive Threat Protection, Active Response, Device Control, Client Proxy, McAfee Agent
SITE # 2
• Endpoints (Next-Gen Endpoint Protection): Endpoint Security, Adaptive Threat Protection, Active Response, Device Control, Client Proxy, McAfee Agent
Security Operations Center (SOC)
• Enterprise Security Manager, Application Data Monitor, Event Receiver, Advanced Correlation Engine, Enterprise Log Manager
• Data Sources: TIP, FW, SEG, DNS SEC, IPS, APT, CASB
• Kafka Service Bus
ESM: INTEGRATIONS
• OpenDXL
• ePolicy Orchestrator
• Advanced Threat Defense (Malware Analysis)
• Threat Intelligence Exchange
• Active Response
• MVISION EDR
USE CASES & SCENARIOS
ESM: USE CASES
Use case content: Alarms, Views, Reports, Correlation Rules, Watchlists, Data Sources (Product)
COMPLIANCE: BASEL II, EU 8th Directive, FISMA, GLBA, CPG 13, HIPAA, ISO 27002, NERC, PCI Compliance, SOX, ...
THIRD PARTY: Aruba, Cofense, Interset, PhishMe, ThreatConnect, Vormetric, ...
MCAFEE SOLUTIONS: Application Control, Change Control, Application Data Monitor, Database Activity, Database Event Monitor, General, Host Intrusion Prevention, Network Security Platform, Threat Intelligence, Web Gateway, ...
MANAGEMENT: Executive, Case Management, Hardware Health, ...
SCENARIOS: User Behavior Analytics, Suspicious Activity, Exfiltration, Reconnaissance, Asset, Threat & Risk, Authentication, Domain Name Service (DNS), Database, Denial-of-Service (DoS), Domain Policy, Exploit, Firewall, Malware, ...
ESM: USE CASES – User Behavioral Analytics (UBA)
DATA SOURCES / PRODUCTS
• McAfee Advanced Correlation Engine (ACE)
• McAfee Global Threat Intelligence
• Microsoft Windows Data Sources
VIEWS
• Source User
• Risk Suspicious Geo Events
• User Behavior Events
WATCHLISTS
• Security Groups
• Accounts Not Requiring a Password
• Accounts with Expired Password
• Computer Accounts
• Default Usernames
• ...
CORRELATION RULES
• Domain Policy x 10 Rules
• GTI x 2 Rules
• UBA x 13 Rules
• Windows Authentication x 8 Rules
REPORTS
• Source User 1 Week
ALARMS
• New User Logon Detected
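A simplified version of the "New User Logon Detected" alarm described on this slide, written as an added example in Python; it is not McAfee's rule syntax and not part of any ESM content pack. It assumes constructed Windows Security logon events (event ID 4624 marks a successful logon), a one-week baseline matching the "Source User 1 Week" report, and two of the slide's watchlists with made-up members. A learning period is included so the rule does not alarm on every account during the first week of collection, which is the usual failure mode of a first-seen rule.

```python
"""Simplified 'New User Logon Detected' correlation with watchlist enrichment.

Added example, not ESM content or rule syntax. Models the logic a UBA /
Windows Authentication correlation rule expresses: alarm when a user logs on
successfully and has not been seen in the trailing baseline window, and raise
the priority when the account is on a watchlist.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

BASELINE_WINDOW = timedelta(days=7)  # matches the 'Source User 1 Week' window

# Constructed sample watchlists: names come from the slide, members are made up.
WATCHLISTS = {
    "Default Usernames": {"administrator", "guest"},
    "Accounts Not Requiring a Password": {"svc-legacy"},
}


@dataclass
class LogonEvent:
    ts: datetime
    user: str
    host: str
    src_ip: str
    event_id: int  # 4624 = successful logon, 4625 = failed logon (Windows Security log)


# Constructed sample events: one week of baseline traffic, then the day under review.
T0 = datetime(2019, 6, 3, 8, 0)
SAMPLE_EVENTS = [
    LogonEvent(T0, "alice", "WS-01", "10.0.0.5", 4624),
    LogonEvent(T0 + timedelta(days=1), "alice", "WS-01", "10.0.0.5", 4624),
    LogonEvent(T0 + timedelta(days=2), "bob", "WS-02", "10.0.0.6", 4624),
    LogonEvent(T0 + timedelta(days=3), "alice", "WS-01", "10.0.0.5", 4624),
    LogonEvent(T0 + timedelta(days=8), "alice", "WS-01", "10.0.0.5", 4624),
    LogonEvent(T0 + timedelta(days=8, hours=1), "mallory", "WS-02", "10.0.0.9", 4624),
    LogonEvent(T0 + timedelta(days=8, hours=2), "administrator", "DC-01", "10.0.0.9", 4624),
    LogonEvent(T0 + timedelta(days=8, hours=3), "bob", "WS-02", "10.0.0.6", 4625),
]
LEARN_UNTIL = T0 + timedelta(days=7)  # events before this only train the baseline


def correlate(events, learn_until, window=BASELINE_WINDOW, watchlists=WATCHLISTS):
    """Return alarms for successful logons by users not seen within `window`.

    Events before `learn_until` only populate the baseline, so the first week
    of collection does not produce an alarm for every account in the domain.
    A user whose last logon is older than `window` is treated as new again.
    """
    last_seen = {}  # user -> timestamp of the most recent successful logon
    alarms = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.event_id != 4624:
            continue  # only successful logons establish or test the baseline
        prev = last_seen.get(ev.user)
        is_new = prev is None or ev.ts - prev > window
        last_seen[ev.user] = ev.ts
        if ev.ts < learn_until or not is_new:
            continue
        hits = [name for name, members in watchlists.items() if ev.user.lower() in members]
        alarms.append({
            "alarm": "New User Logon Detected",
            "user": ev.user,
            "host": ev.host,
            "src_ip": ev.src_ip,
            "time": ev.ts.isoformat(),
            "watchlists": hits,
            "priority": "high" if hits else "medium",
        })
    return alarms


def run_sample():
    """Run the rule over the constructed events with the one-week learning period."""
    return correlate(SAMPLE_EVENTS, LEARN_UNTIL)


if __name__ == "__main__":
    for alarm in run_sample():
        print(alarm)
```

Running the block prints two alarms: one for mallory (medium, no watchlist hit) and one for administrator (high, on the Default Usernames watchlist). alice's day-8 logon is not flagged because her last logon is within the window, and bob's failed logon never reaches the rule. Watchlists in ESM are maintained objects rather than literals, and a production rule would key on user and host together; both are straightforward extensions of the dictionaries used here.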
ESM: SCENARIO – ENDPOINT INCIDENT
Scenario Overview: Identify malware activity early in the kill chain
Incident Identification
1 ENS logs PowerShell and blocks Mimikatz installation
2 ESM correlation rule alerts security analysts to possible attack using fileless techniques
Incident Investigation
3 Analyst performs validation with Active Response and ATD
4 Analyst performs validation with ELS and logs from web gateway
5 Analyst performs scoping with Active Response
6 Analyst pivots around events and declares incidents
Incident Containment
7 Analyst uses ESM to update Cyber Defense Countermeasures via OpenDXL
8 Endpoint, Server, Cloud DNS and Network countermeasures are updated automatically via OpenDXL
Diagram elements: Security Analyst, McAfee Endpoint Security, ESM, DXL Fabric, MAR, ELS, ATD, Perimeter Firewall, Data Center Firewall, McAfee vIPS, Cloud Protection, McAfee Server Security, DNS Security
ESM: SCENARIO - ENDPOINT RESULTS
Security Effectiveness Goals: Time to Detect, Time to Investigate, Time to Contain
Process Efficiency Goals: AVG 50% Process Automation with MTTR of under 10 Minutes; 2 Analysts in this Use Case accessed 3 consoles only
Detection (ENS, ATP): Process Automation 50%, Analysts 1, Consoles 1
Investigation (ESM, ELS, MAR and ATD): Process Automation 25%, Analysts 1, Consoles 3
Containment (ESM, DXL, Third Party): Process Automation 70%, Analysts 1, Consoles 1
ESM: KEY POINTS
Modern, scalable platform for Sec Ops
• Modular scale-out data platform makes costs predictable
• Open source Kafka message bus removes data sharing tax
Security focus from day one
• Out-of-the-box use cases and analytics that require less configuration and professional support
• Innovative advanced analytics for detection and investigation assistance
Deep, high-quality integrations
• Tight integrations with other McAfee products
• Expansive dashboarding, automation, and orchestration with 130 SIA partners via DXL and direct capabilities
SECURITY OPERATIONS: OPEN & INTEGRATED
Local Threat Intelligence: Reputation-based Protection, File and Certificates, STIX support, Collaborative Ecosystem, Data Exchange Layer
Global Threat Intelligence (GTI)
Sec. Info. & Event Mgmt.: Integrated Log Management, Scalable Collection, Distributed Correlation, Adaptive Risk Analysis, Historical Correlation, Rich Application Context, Rich Database Context, Various Integrations
Integrations: Local Threat Intelligence, Advanced Threat Protection, Intrusion Prevention System, Endpoint Detection & Response, Security Orchestration
User & Entity Behavior: Machine Learning, User and Devices, McAfee SIEM & Non-McAfee
Remediation Actions, Incident Response, Evidence Collection, Investigation Guides, Coaching, SIEM Ingestion
THANK YOU

 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Fact vs. Fiction: Autodetecting Hallucinations in LLMs
Fact vs. Fiction: Autodetecting Hallucinations in LLMsFact vs. Fiction: Autodetecting Hallucinations in LLMs
Fact vs. Fiction: Autodetecting Hallucinations in LLMsZilliz
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 

Recently uploaded (20)

Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Fact vs. Fiction: Autodetecting Hallucinations in LLMs
Fact vs. Fiction: Autodetecting Hallucinations in LLMsFact vs. Fiction: Autodetecting Hallucinations in LLMs
Fact vs. Fiction: Autodetecting Hallucinations in LLMs
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 

McAfee - Enterprise Security Manager (ESM) - SIEM

  • 9. ESM: STRATEGIC OVERVIEW
    INTELLIGENT / INTEGRATED / ACTIONABLE
    • Real Time Advanced Analytics
    • Threat and Risk Prioritization
    • Comprehensive Security
    • Broad Data Collection, Including Cloud Support
    • Security Connected Integrations
    • Active and Customizable Dashboards
    • High Performance Data Management Engine
    • Ease of Operation
  • 10. ESM: ESSENTIALS
    CORRELATION
    • Event Normalization
    • Receiver & Advanced Correlation
    • Real-Time & Historical 'Modes'
    • Rule & Risk 'Engines'
    MANAGEMENT
    • Dashboard Views
    • Threat Management & Intelligence
    • Content Packs (Use-Case Driven)
    • Policies & Rules
    ALARMS
    • Visual and Auditory
    • Text and Email
    • Case Management
    • Remote Commands
    • Watchlist
    DATA SOURCES
    • Security Events
    • Network Flow Data
    • Multi-Vendor
    • Various Types
    • Multi Method
  • 11. ESM: COMPONENTS (Physical & Virtual Appliances)
    • McAfee Enterprise Security Manager
    • McAfee Enterprise Log Manager
    • McAfee Application Data Monitor
    • McAfee Database Security
    • McAfee Advanced Correlation Engine
    • McAfee Event Receivers
    Capabilities: Adaptive Risk Analysis and Historical Correlation; Integrated SIEM & Log Management; Rich Application and Database Context; Scalable Collection and Distributed Correlation
    Connected Solutions (Integration and Operational Efficiency): TIE/DXL, SIA Partners, ePO, GTI, NSM, ATD, MAR
    McAfee solutions empower organizations with visibility across systems, networks, and data, helping counter threats and mitigate risks.
  • 12. ESM: ARCHITECTURE (diagram labels)
    Data Sources: TIP, FW, SEG, DNS, SEC, IPS, APT, CASB
    Components: Enterprise Security Manager; Application Data Monitor; Event Receiver; Advanced Correlation Engine (Real Time); Advanced Correlation Engine (Historical); Enterprise Log Manager; Enterprise Log Search; Global Threat Intelligence; Datacenter Security for Databases
  • 13. Reference architecture (diagram labels only)
    HEADQUARTERS – MAIN DATA CENTER: ePolicy Orchestrator; Agent Handlers; Threat Intelligence Exchange + Data Exchange Layer + Active Response Server; Active Response – Cloud Storage; McAfee Labs Global Threat Intelligence (GTI); Web Gateway (Pooled) behind Load Balancer; Secure Web Gateway; ICAP; SMTP; DLP Monitor; DLP Discover; DLP Prevent Web; DLP Prevent Email; DLP Prevent Mobile; Mobile Device Management; Egress Switch; MVISION Cloud API; Active Directory; Rights Management Services (RMS); Data Classification
    Next-Gen Endpoint Protection (Endpoints, McAfee Agent): Endpoint Security; Adaptive Threat Protection; Active Response; Data Loss Prevention; Device Control; DLP Endpoint; Data Classification; Web Proxy; Client Proxy
    Next-Gen Server Protection (Physical Servers, Virtual Servers, McAfee Agent): Endpoint Security for Servers; Adaptive Threat Protection; Active Response; Data Loss Prevention; DLP Endpoint; Data Classification; Web Proxy; Client Proxy
    SITE # 1 and SITE # 2 (Endpoints, McAfee Agent): Next-Gen Endpoint Protection; Endpoint Security; Adaptive Threat Protection; Active Response; Device Control; Client Proxy
    Security Operations Center (SOC): Enterprise Security Manager; Application Data Monitor; Event Receiver; Advanced Correlation Engine; Enterprise Log Manager; Kafka Service Bus; Data Sources (TIP, FW, SEG, DNS, SEC, IPS, APT, CASB)
  • 14. ESM: INTEGRATIONS
    • OpenDXL
    • ePolicy Orchestrator
    • Advanced Threat Defense (Malware Analysis)
    • Threat Intelligence Exchange
    • Active Response
    • MVISION EDR
  • 15. USE CASES & SCENARIOS
  • 16. ESM: USE CASES
    COMPLIANCE: BASEL II; EU 8th Directive; FISMA; GLBA; CPG 13; HIPAA; ISO 27002; NERC; PCI Compliance; SOX; . . .
    THIRD PARTY: Aruba; Cofense; Interset; PhishMe; ThreatConnect; Vormetric; . . .
    MCAFEE SOLUTIONS: Application Control; Change Control; Application Data Monitor; Database Activity; Database Event Monitor; General; Host Intrusion Prevention; Network Security Platform; Threat Intelligence; Web Gateway; . . .
    MANAGEMENT: Executive; Case Management; Hardware Health; . . .
    SCENARIOS: User Behavior Analytics; Suspicious Activity; Exfiltration; Reconnaissance; Asset, Threat & Risk; Authentication; Domain Name Service (DNS); Database; Denial-of-Service (DoS); Domain Policy; Exploit; Firewall; Malware; . . .
    Each use case ships as a content pack of: Alarms, Views, Reports, Correlation Rules, Watchlists, Data Sources (Product)
  • 17. ESM: USE CASES – User Behavioral Analytics (UBA)
    DATA SOURCES / PRODUCTS
    • McAfee Advanced Correlation Engine (ACE)
    • McAfee Global Threat Intelligence
    • Microsoft Windows Data Sources
    VIEWS
    • Source User
    • Risk Suspicious Geo Events
    • User Behavior Events
    WATCHLISTS
    • Security Groups
    • Accounts Not Requiring a Password
    • Accounts with Expired Password
    • Computer Accounts
    • Default Usernames
    • . . .
    CORRELATION RULES
    • Domain Policy x 10 Rules
    • GTI x 2 Rules
    • UBA x 13 Rules
    • Windows Authentication x 8 Rules
    REPORTS
    • Source User 1 Week
    ALARMS
    • New User Logon Detected
  • 18. ESM: SCENARIO – ENDPOINT INCIDENT
    Scenario Overview: identify malware activity early in the kill chain. Components in the diagram: McAfee Endpoint Security (ENS), ESM, DXL Fabric, MAR, ELS, ATD, Perimeter Firewall, Data Center Firewall, McAfee vIPS, Cloud Protection, McAfee Server Security, DNS Security, Security Analyst.
    Incident Identification
    1. ENS logs PowerShell activity and blocks the Mimikatz installation
    2. ESM correlation rule alerts security analysts to a possible attack using fileless techniques
    Incident Investigation
    3. Analyst pivots around events and declares an incident
    4. Analyst performs validation with ELS and logs from the web gateway
    5. Analyst performs scoping with Active Response
    6. Analyst performs validation with Active Response and ATD
    Incident Containment
    7. Analyst uses ESM to update Cyber Defense Countermeasures via OpenDXL
    8. Endpoint, Server, Cloud, DNS and Network countermeasures are updated automatically via OpenDXL (perimeter firewall, data center firewall, vIPS, cloud protection, server security, DNS security)
  • 19. ESM: SCENARIO – ENDPOINT RESULTS
    Security Effectiveness Goals / Process Efficiency Goals: AVG 50% Process Automation with MTTR of under 10 Minutes; 2 Analysts in this Use Case accessed 3 consoles only
    Time to Detect: Detection – ENS, ATP; Process Automation – 50%; Analysts – 1; Consoles – 1
    Time to Investigate: Investigation – ESM, ELS, MAR and ATD; Process Automation – 25%; Analysts – 1; Consoles – 3
    Time to Contain: Containment – ESM, DXL, Third Party; Process Automation – 70%; Analysts – 1; Consoles – 1
  • 20. ESM: KEY POINTS
    Modern, scalable platform for Sec Ops
    • Modular scale-out data platform makes costs predictable
    • Open source Kafka message bus removes data sharing tax
    Security focus from day one
    • Out-of-the-box use cases and analytics that require less configuration and professional support
    • Innovative advanced analytics for detection and investigation assistance
    Deep, high-quality integrations
    • Tight integrations with other McAfee products
    • Expansive dashboarding, automation, and orchestration with 130 SIA partners via DXL and direct capabilities
  • 21. SECURITY OPERATIONS: OPEN & INTEGRATED (diagram labels)
    Local Threat Intelligence; Reputation-based Protection; File and Certificates; STIX support; Collaborative Ecosystem; Data Exchange Layer; Global Threat Intelligence (GTI)
    Sec. Info. & Event Mgmt.: Integrated Log Management; Scalable Collection; Distributed Correlation; Adaptive Risk Analysis; Historical Correlation; Rich Application Context; Rich Database Context; Various Integrations
    Integrations: Local Threat Intelligence; Advanced Threat Protection; Intrusion Prevention System; Endpoint Detection & Response; Security Orchestration; User & Entity Behavior; Machine Learning; User and Devices; McAfee SIEM & Non-McAfee; Remediation Actions; Incident Response; Evidence Collection; Investigation Guides; Coaching; SIEM Ingestion
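The UBA use case on slide 17 ties a watchlist, a one-week "Source User" baseline and a correlation rule together to raise the "New User Logon Detected" alarm. The example below is added here to show that logic in code; it is not McAfee ESM code, and the watchlist contents, baseline users and Windows logon events are all constructed for the example.

```python
# Added example (not McAfee ESM code): the "New User Logon Detected"
# correlation from the UBA use case, run over constructed Windows
# Security events. Everything below is constructed sample data.
from collections import defaultdict

# Watchlists: names taken from the slide, members constructed here.
WATCHLISTS = {
    "Default Usernames": {"administrator", "guest", "admin"},
    "Accounts Not Requiring a Password": {"svc_legacy"},
}

# Constructed "Source User 1 Week" baseline: users that logged on during
# the seven days before the window being correlated.
BASELINE_USERS = {"alice", "bob", "svc_backup"}

# Constructed Windows events. 4624 = successful logon, 4625 = failed logon.
EVENTS = [
    {"time": "2019-11-04T08:01:00", "event_id": 4624, "user": "alice",   "src_ip": "10.0.1.20"},
    {"time": "2019-11-04T08:05:00", "event_id": 4625, "user": "mallory", "src_ip": "10.0.9.9"},
    {"time": "2019-11-04T09:12:00", "event_id": 4624, "user": "carol",   "src_ip": "10.0.1.31"},
    {"time": "2019-11-04T22:40:00", "event_id": 4624, "user": "Guest",   "src_ip": "10.0.9.9"},
    {"time": "2019-11-04T22:41:00", "event_id": 4624, "user": "guest",   "src_ip": "10.0.9.9"},
]


def watchlist_hits(user, watchlists):
    """Return the names of every watchlist the (case-folded) user is on."""
    return [name for name, members in watchlists.items() if user.lower() in members]


def correlate_new_user_logons(events, baseline_users, watchlists=WATCHLISTS):
    """Raise one alarm per user that logged on successfully but is absent
    from the one-week baseline. Failed logons are ignored (a failed attempt
    is not evidence of a new user), usernames are case-folded so 'Guest' and
    'guest' are one principal, and all source IPs for the user are collected
    so the analyst gets one case per user rather than one per event.
    Severity is raised when the new user is also on a watchlist."""
    first_seen = {}
    sources = defaultdict(set)
    for ev in events:
        if ev["event_id"] != 4624:
            continue
        user = ev["user"].lower()
        if user in baseline_users:
            continue  # known user; nothing to correlate
        first_seen.setdefault(user, ev["time"])
        sources[user].add(ev["src_ip"])
    alarms = []
    for user, when in first_seen.items():
        hits = watchlist_hits(user, watchlists)
        alarms.append({
            "alarm": "New User Logon Detected",
            "user": user,
            "first_seen": when,
            "sources": sorted(sources[user]),
            "watchlists": hits,
            "severity": "high" if hits else "medium",
        })
    return alarms
```

Running `correlate_new_user_logons(EVENTS, BASELINE_USERS)` yields two alarms: a medium one for `carol` and a high one for `guest`, which is both new and on the "Default Usernames" watchlist.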