McAfee Confidential
Anthony Hopkins | Eagle Rock Energy
Building an Advanced Malware Defense Program—Process and Technology Best Practices

Speaker
Anthony Hopkins
Senior Network/Security Engineer
Eagle Rock Energy Partners

Agenda
• How the Advanced Malware Program Began
• Identify Threats and Risks
• Tactics, Techniques, and Procedures (TTP)
• Identify Products and Deployment Order
• Product Choices
• Producing Informative Executive Reports

McAfee, and the McAfee logo are registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright © 2014 McAfee, Inc.

Why Eagle Rock Energy Began the Advanced Malware Detection Program
• Who we are
• Why we needed to upgrade our security infrastructure

Integration and Security Before Upgrades (Why Eagle Rock Energy Began the Advanced Malware Detection Program)
[Network diagram; labels: Network Core; MDM; StealthWatch; Desktop/Laptops; McAfee Global Threat Intelligence; Field and DC Network Data; Mobile Devices; Corp Network; Servers; IPS; McAfee ePO; WebSense; Trend Micro E-Mail SaaS; Firewall/VPN; IPS]

Why Eagle Rock Energy Began the Advanced Malware Detection Program
• Limited capabilities
• Requirement for remote Supervisory Control and Data Acquisition (SCADA) and Plant Controls Network (PCN)

Identify Threats and Risks
• Performing a security assessment
• Understanding and identifying current threats and risks
• Deciding on an approach to user training

Tactics, Techniques, and Procedures
• Developing Tactics, Techniques, and Procedures (TTPs)
• Developing key processes and policies
  1. Critical Event Process
  2. Acceptable Use Policy
  3. User Access Policies
  4. Guest Access Policy
  5. Internet Content Policy
  6. Email Filtering Policy

Identify Products and Deployment Order
• Deciding on a solution
  • Holistic approach
  • Align products with threats and risks
• Order of implementation
  • Control
  • Restrict
  • Prevent
  • Monitor

Network Access Control – ForeScout CounterACT
• Implementation
  • Easy implementation, robustness, and simple integration with other McAfee products. ForeScout gave instant visibility into the network with little configuration and without the requirement of 802.1X and management of supplicant addresses.
• Best Practices
  • Organizational policy enforcement
  • Accurate device clarification and classification policy
• Challenges
  • Lack of policy and policy enforcement
• Benefits

McAfee Web Gateway
• Implementation
  • Hybrid configuration
  • McAfee Client Proxy (MCP) through ePolicy Orchestrator (ePO)
  • Advanced Threat Defense integration
• Best Practices
  • Hybrid deployment
  • MCP managed through ePO
• Challenges
  • Policy imports from previous web appliance
  • Hybrid deployment
• Benefits

McAfee Advanced Threat Detection
• Implementation
  • Integrated with Web Gateway
  • Integrated with Intrusion Prevention System (IPS)
  • VMs built: Windows XP, Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Server 2003, Server 2008
• Best Practices
  • Stagger the license count for Virtual Machines (VMs) to best match your environment
• Benefits

McAfee Intrusion Prevention System and Network Security Manager
• Implementation
  • Host Intrusion Prevention System (HIPS)/ePO integration
  • McAfee Vulnerability Manager integration
  • High Availability with fail-open kits
• Best Practices
  • Deploy in simulated blocking until events have been scrutinized
• Challenges
  • Determine what traffic is malicious, misconfigured, or by design
• Benefits
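The simulated-blocking practice on this slide only pays off if someone actually scrutinizes what the sensor would have blocked, and the slide's own challenge is telling malicious traffic apart from misconfigured or by-design traffic. The following Python script is an added example, not part of the presentation and not a McAfee tool: it parses a constructed CSV export of IPS alerts (the column layout, the internal address ranges and the thresholds are all assumptions), summarizes each signature by its distinct sources and destinations, and applies simple heuristics to sort signatures into those safe to move to inline blocking, those that look like an authorized scanner or by-design traffic needing an owner's confirmation, and those needing event-by-event investigation.

```python
"""Triage of IPS alerts gathered while the sensor runs in simulated-blocking mode.

Added example (not from the presentation). The CSV layout, the internal address
ranges and the thresholds below are assumptions; adapt them to your own export.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample export, one alert per line:
# timestamp,signature,source IP,destination IP,action taken by the sensor
SAMPLE_ALERTS = """\
2014-09-02T08:00:01,SNMP: Community String Brute Force,10.1.50.5,10.1.1.10,simulated-block
2014-09-02T08:00:03,SNMP: Community String Brute Force,10.1.50.5,10.1.1.11,simulated-block
2014-09-02T08:00:05,SNMP: Community String Brute Force,10.1.50.5,10.1.1.12,simulated-block
2014-09-02T08:00:07,SNMP: Community String Brute Force,10.1.50.5,10.1.1.13,simulated-block
2014-09-02T08:00:09,SNMP: Community String Brute Force,10.1.50.5,10.1.1.14,simulated-block
2014-09-02T08:05:00,HTTP: Directory Traversal,203.0.113.7,10.1.2.20,simulated-block
2014-09-02T08:05:02,HTTP: Directory Traversal,198.51.100.9,10.1.2.20,simulated-block
2014-09-02T08:05:09,HTTP: Directory Traversal,203.0.113.44,10.1.2.20,simulated-block
2014-09-02T09:00:00,NetBIOS: Name Query Flood,10.2.10.21,10.2.1.5,simulated-block
2014-09-02T09:00:00,NetBIOS: Name Query Flood,10.2.10.22,10.2.1.5,simulated-block
2014-09-02T09:00:01,NetBIOS: Name Query Flood,10.2.10.23,10.2.1.5,simulated-block
2014-09-02T09:00:01,NetBIOS: Name Query Flood,10.2.10.24,10.2.1.5,simulated-block
2014-09-02T10:00:00,SMB: Suspicious Lateral Movement,10.3.7.99,10.3.7.10,simulated-block
2014-09-02T10:30:00,ICMP: Large Packet,10.1.9.9,10.1.9.10,alert
"""

# Assumed internal address space; replace with your own ranges.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def is_internal(ip):
    """True if the address falls in one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


@dataclass
class Alert:
    timestamp: str
    signature: str
    src: str
    dst: str
    action: str


def parse_alerts(text):
    """Parse the assumed CSV layout; a malformed line raises instead of being skipped silently."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(",")
        if len(fields) != 5:
            raise ValueError(f"malformed alert line: {line!r}")
        alerts.append(Alert(*fields))
    return alerts


@dataclass
class SignatureSummary:
    signature: str
    alerts: int
    sources: int
    destinations: int
    external_sources: int
    recommendation: str


def recommend(sources, destinations, external_sources):
    """Assumed heuristics for whether a signature can move from simulated to inline blocking."""
    if external_sources == sources:
        return "block: all sources are external, no internal business traffic is affected"
    if sources == 1 and destinations >= 3:
        return "verify source: one internal host sweeps many targets (authorized scanner/monitor, or a compromised host)"
    if sources >= 3 and destinations == 1:
        return "review with owner: many internal hosts trigger it against one destination (likely by design or misconfigured)"
    return "investigate: low-volume internal alert, scrutinize each event before enabling block"


def triage(alerts):
    """Group simulated-block alerts by signature and attach a recommendation to each."""
    by_sig = defaultdict(list)
    for a in alerts:
        if a.action == "simulated-block":  # alert-only events would not change under inline blocking
            by_sig[a.signature].append(a)
    summaries = {}
    for sig, items in by_sig.items():
        srcs = {a.src for a in items}
        dsts = {a.dst for a in items}
        ext = sum(1 for s in srcs if not is_internal(s))
        summaries[sig] = SignatureSummary(sig, len(items), len(srcs), len(dsts), ext,
                                          recommend(len(srcs), len(dsts), ext))
    return summaries


if __name__ == "__main__":
    for s in triage(parse_alerts(SAMPLE_ALERTS)).values():
        print(f"{s.signature}: {s.alerts} alerts, {s.sources} sources "
              f"({s.external_sources} external), {s.destinations} destinations -> {s.recommendation}")
```

The one-source/many-destinations pattern is worth a second look in an environment like the one in this deck: the remote scanners of McAfee Vulnerability Manager produce exactly that signature footprint, and an IPS sees them the same way it sees a hostile sweep. Confirming the scanner addresses and exempting them from the rule before switching a signature to inline blocking avoids blocking your own assessment traffic.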

McAfee Vulnerability Manager
• Implementation
  • Manager with remote scanners
  • Integrated with ePO, IPS, and Security Information and Event Management (SIEM)
• Best Practices
  • Use remote scanners
• Challenges
  • Scan reports
  • Turning off scan criteria
• Benefits

McAfee Security Information and Event Management
• Implementation
  • Event receivers in each data center
  • Integration with IPS, MVM, and ePO
• Best Practices
  • Understand which devices will provide events
• Challenges
  • Amount of data points
  • Configuring data sources on event receivers
• Benefits

Producing Informative Executive Reports
• Report accurate information
• Non-technical audience

Integration and Security Before Upgrades (Conclusion)
[Network diagram, same as the "before" diagram above; labels: Network Core; MDM; StealthWatch; Desktop/Laptops; McAfee Global Threat Intelligence; Field and DC Network Data; Mobile Devices; Corp Network; Servers; IPS; McAfee ePO; WebSense; Trend Micro E-Mail SaaS; Firewall/VPN; IPS]

Integration and Security After Upgrades (Conclusion)
[Network diagram; labels: Network Core; MDM; StealthWatch; Desktop/Laptops; McAfee Global Threat Intelligence; Field and DC Network Data; Mobile Devices; Corp Network; Servers; Web Gateway; IPS; SIEM (single pane of glass for events); McAfee ePO; MVM; ATD; NAC; McAfee Web Gateway SaaS; Firewall/VPN; McAfee E-Mail SaaS]

Questions & Answers
Rate This Session! From the FOCUS App select session #241 Building an Advanced Malware Defense Program—Process and Technology Best Practices
Post-conference, access presentations at: www.mcafee.com/focus14
Password: Empowering14


Editor's Notes

  1. Anthony Hopkins: Anthony has been in the IT industry for about 12 years. He spent 7 of those years in the US Army as a soldier deploying tactical communication systems. He also spent about 3 years in the US Army Civil Service training providing network and security support to combat brigades deploying to a combat zone and while in combat operations. He recently made the transition to the private sector joining Eagle Rock Energy where he brings some of the tactics, techniques and procedures used in the DOD to an enterprise network. He holds multiple industry certifications in ITIL, CompTia, Cisco and ISC2.
  2. Eagle Rock Energy at the time was a midstream and upstream oil and gas business with SOX compliance; we are currently a pure-play upstream business with SOX compliance after the divestiture of our midstream business.
  3. Our security posture prior to the upgrades was minimal and had basic policies, which included a user AUP and web content restrictions. Our hardware was Cisco ASAs, with one Cisco ASA with an SSM-20 IPS module at our Houston data center and Lancope StealthWatch located only at our Houston data center; all other locations with internet access were protected only with an ASA. Lancope StealthWatch included the SMC, Flow Collector, Flow Sensor and virtual Flow Sensors on all ESX hosts; this provided us much needed insight into the infrastructure and the data traversing it. We were able to discover a lot of the suspicious traffic flows, but we had limited reaction capabilities. The security software included Varonis, McAfee ePO, WebSense and Trend Micro SaaS. Varonis was deployed in our Houston data center and monitors and audits all file and folder access. McAfee ePO was deployed to the entire organization and included VSE only. We later started deploying McAfee Deep Defender, Host Intrusion Prevention System and Drive Encryption, just prior to the purchase of our security upgrades. WebSense provided us with internet content restrictions. Trend Micro SaaS provided our spam and e-mail security.
  4. We had these limited capabilities, a growing mobile computing environment, and a business aggressively moving towards centralization of plant operations and remote access. Remote access was required for plant operators and for third-party support to assist with plant operations and troubleshooting, as well as for access to the SCADA infrastructure. Having to expose our SCADA and PCN enclaves to corporate infrastructure "outsiders" greatly increased our security risks even though they were firewalled off. The new SCADA and PCN exposure and the visibility we gained from StealthWatch painted a grim picture for us. We are beyond the days where a good firewall will prevent the unwanted. We realized that we would need a more robust and proactive security solution that could be managed by a small support staff. We knew that just buying some products would increase our overall security posture, but we needed to take a more holistic, manageable approach. We started by taking everything back to baseline and performing a security assessment.
  5. A security assessment is a document that provides a realistic assessment of risk and an understanding of the threats and vulnerabilities of a system or organization. Our steps:
    • Document all the software and hardware in use on the infrastructure and their functions, and ensure all network documentation is updated with current network diagrams.
    • Understand the business and its role. Once you understand how the business operates during daily operations, you are able to piece together the threats and risks the business will face.
    • List all threats.
    • List all risks.
    • Rank the threats and risks from most probable to least.
    • Align current software and hardware mitigations with threats and risks.
  We would be only as strong as our weakest link, which was user education. User training began and occurs on an annual basis, instilling the fundamentals of cyber security; this helped to enforce and keep a security state of mind while at work or at home.
  6. Cyberspace is the new battlefield that we are all a part of; we had to develop our tactics, techniques and procedures to combat the threats we face as an oil and gas company. These threats range from criminal, radical political, hacktivist and state-sponsored/developed to mischievous entities. With advanced persistent threats and malware it is possible for an attacker to exfiltrate data, monitor user activity, modify data and cause havoc without anyone knowing. This can cause huge financial loss, PII loss, damage to brand recognition and possibly death (in the oil and gas industry, if an attacker is able to gain access to a plant controls network they may be able to alter valve controls, or possibly cause the operator to make a change based on pressure readings that he would not normally have made, causing a possible blowout). Our strategy comes down to traffic normalization and what lies beyond it. We had to understand what network traffic was legitimate, misconfigured and malicious. Once traffic is categorized we are able to proactively identify events and mitigate. Developing and refining current processes and policies was a critical task. Without the proper processes and policies the IT department can lack the appropriate authority to disconnect users. Policies also ensure that all users comply with a certain level of expectation. Since we were doing such a large overhaul of our security infrastructure, it required an overhaul of the policies as well. One of the processes and policies we created was reaction based on critical events, which enabled us to define what a critical event was, how we would react to that event, what level of reaction the event would require and who would have to be notified. This simple process ensured that we have the right amount of support based on impact, which increases administrative productivity.
Some of the other processes and policies we created and refined are internet content restrictions, application restrictions, user access/AUP, guest access/registration, vulnerability management/remediation, external e-mail content and attachment restrictions, and a security baseline that systems should have prior to network connectivity.
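The traffic normalization idea above (sort flows into legitimate, misconfigured and malicious) and the critical-event reaction process (what the event is, how to react, at what level, who is notified) can be expressed as one small triage routine. The following is an added example written for this page, not code from the presentation, Eagle Rock Energy or McAfee; the addresses, the baseline (jump host, internal resolver, proxy), the upload threshold, the reaction table and the sample flows are all constructed and hypothetical.

```python
"""Triage of observed network flows: classify each flow against a documented
baseline as legitimate, misconfigured or malicious, then map the result to a
pre-agreed reaction level and notification list.  Constructed illustration;
addresses, the baseline and the reaction table are hypothetical."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    bytes_out: int          # bytes sent from src to dst


# Constructed baseline (in practice this comes from the network documentation
# produced during the assessment).  Every address here is hypothetical.
CORP_NET = ip_network("10.10.0.0/16")
PCN_NET = ip_network("10.50.0.0/24")            # plant controls enclave
INTERNAL_NETS = (CORP_NET, PCN_NET, ip_network("10.20.0.0/16"))
SCADA_JUMP = ip_address("10.50.0.10")           # only sanctioned path into the PCN
INTERNAL_DNS = ip_address("10.10.1.53")
WEB_PROXY = ip_address("10.10.1.80")
EXFIL_BYTES = 50 * 1024 * 1024                  # outbound volume worth a look

# (destination, port, protocol) tuples documented as legitimate
BASELINE = {
    (INTERNAL_DNS, 53, "udp"),
    (WEB_PROXY, 8080, "tcp"),
    (SCADA_JUMP, 3389, "tcp"),
}


def is_internal(ip: IPv4Address) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def classify(flow: Flow) -> str:
    """Return 'legitimate', 'misconfigured', 'malicious' or 'unknown'."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if (dst, flow.dport, flow.proto) in BASELINE:
        return "legitimate"
    if dst in PCN_NET and src not in PCN_NET:
        return "malicious"          # PCN reached other than via the jump host
    if flow.dport == 53 and dst != INTERNAL_DNS:
        return "misconfigured"      # client pointed at an outside resolver
    if src in CORP_NET and not is_internal(dst):
        if flow.bytes_out >= EXFIL_BYTES:
            return "malicious"      # large upload straight to an outside host
        if flow.dport in (80, 443):
            return "misconfigured"  # direct web access that skips the proxy
    return "unknown"                # not in the baseline: needs a human look


@dataclass(frozen=True)
class Reaction:
    level: str
    action: str
    notify: Tuple[str, ...]


# Constructed reaction table: level of response and who has to be told.
REACTIONS = {
    "malicious":     Reaction("critical", "isolate the host and open an incident",
                              ("security-team", "it-manager", "plant-operations")),
    "misconfigured": Reaction("medium", "open a ticket for desktop support",
                              ("desktop-support",)),
    "unknown":       Reaction("low", "queue for the daily traffic review",
                              ("security-team",)),
    "legitimate":    Reaction("none", "log only", ()),
}


def triage(flow: Flow) -> Tuple[str, Reaction]:
    category = classify(flow)
    return category, REACTIONS[category]


# Constructed sample flows
SAMPLE_FLOWS = [
    Flow("10.10.5.20", "10.10.1.53", 53, "udp", 200),         # normal DNS
    Flow("10.10.5.20", "10.50.0.44", 502, "tcp", 1500),       # straight into the PCN
    Flow("10.10.5.21", "198.51.100.53", 53, "udp", 120),      # outside resolver
    Flow("10.10.5.22", "203.0.113.9", 443, "tcp", 80 << 20),  # 80 MiB upload
    Flow("10.10.5.23", "203.0.113.9", 443, "tcp", 4000),      # proxy bypass
    Flow("10.10.5.24", "10.20.9.9", 445, "tcp", 100),         # undocumented SMB
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        cat, r = triage(f)
        print(f"{f.src} -> {f.dst}:{f.dport} {cat:13} {r.level:8} {r.action}")
```

The order of the checks matters: the documented baseline is consulted first so that a sanctioned RDP session to the jump host is never mistaken for a PCN intrusion, and the exfiltration check runs before the proxy-bypass check so that a large direct upload is not downgraded to a misconfiguration.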
  7. Once we determined what our most critical threats and current capabilities were, we were able to find where our security gaps were. Next we had to select products that would close those gaps and provide a holistic approach to security. Some of the criteria we were looking for were integration, robustness and effectiveness. Since there were many holes based on our security assessment, it required the replacement of some existing products and the introduction of new products to combat current threats and risks. We also knew that just throwing security products inline was not the master fix; although it would increase our overall security posture, it would not necessarily be an integrated solution. Without an integrated solution the support team would constantly be bouncing between security consoles, which can be cumbersome and dangerous with the lack of event correlation.
  Products we purchased:
    • ForeScout CounterACT
    • McAfee Web Gateway
    • McAfee E-Mail Gateway
    • McAfee IPS and NSM
    • McAfee ATD
    • McAfee Vulnerability Manager
    • McAfee SIEM
  We chose a specific path of implementation to control, restrict, prevent and monitor systems and events:
    • We started with ForeScout CounterACT to allow us to discover the types of devices on the network and begin our classification, clarification and compliance policies.
    • We then replaced our WebSense product with the McAfee Web Gateway to continue our web content inspection and enhance our malware detection capabilities; we also set it up in hybrid mode to provide proxy capabilities for mobile clients.
    • We integrated ATD into Web Gateway to improve malware detection.
    • We changed our SaaS provider from Trend Micro to McAfee for e-mail (we are in the process of switching to E-Mail Gateway's on-premise hybrid solution).
    • Installed IPS at all locations and integrated it into ATD.
    • Installed MVM and integrated it into ePO and IPS.
    • Installed SIEM.
  8. Part of building a well-rounded security solution revolved around network access control. We chose ForeScout CounterACT as our NAC for its easy implementation, robustness and integration with the McAfee product line. ForeScout allowed us to get instant visibility into what devices were on the network with little configuration and without the requirement of 802.1X and management of supplicant addresses. We deployed an HA pair of CT-2000s in our Dallas and Houston data centers and a manager in our Houston data center. We chose this deployment method because it would reduce the overall cost of the solution and all of our traffic flows through either data center. This deployment method also allows us to leverage the IDS/IPS capabilities within ForeScout for an added layer of protection, as well as its use of honeypots. We had a lot of issues, mostly due to lack of policy and policy enforcement, with remote sites adding additional network devices, computers, phones, etc. without notification to the corporate office. With the new corporate processes and policies in play, we were able to leverage ForeScout to ensure these standards were enforced. We are also able to ensure that when a machine connects to the infrastructure it meets our desired security posture; if not, the machine is forced into automatic remediation. We are also able to control guest access and provide a captive self-registration page for guest access requests. This process gave us visibility of who is connecting to the network, who approved it and for how long access was granted. Some of the challenges we faced deploying the NAC solution came down to executive support: in some cases, if a senior manager's or business-essential person's computer did not meet compliance requirements, it would be automatically transitioned into a remediation VLAN for automatic remediation, and until this process completed the user would have limited access to infrastructure services.
This sometimes resulted in bypassing the automatic remediation process prior to connectivity, doing an online, non-intrusive remediation (the best that we can do) and waiting until there was a better time. Some of the benefits we gained were visibility into the remote sites, allowing us to pinpoint where devices were connected and what the compliance level of each device is. This automates some of the desktop support functions, freeing them up for other tasks.
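The access decision described above (posture check on connect, production VLAN if compliant, otherwise a remediation VLAN with limited services, guest VLAN for self-registered visitors) can be written down as a small policy function. The following is an added example for this page, not CounterACT's own policy logic or anything Eagle Rock Energy published; the posture checks, VLAN ids, thresholds, hostnames and the exemption list are constructed. It also adds one thing the note only hints at: a way to keep an executive exception explicit and dated rather than a silent bypass, so the failures are still reported and remediation can be scheduled.

```python
"""Network access decision for a connecting endpoint: evaluate posture checks,
pick a VLAN, and keep any exception explicit and time-bound.  Constructed
illustration; hostnames, VLAN ids, thresholds and the exemption list are
hypothetical."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Endpoint:
    hostname: str
    managed_by_epo: bool            # is the ePO agent present and reporting?
    av_signature_age_days: int      # age of the AV signature files
    missing_critical_patches: int
    disk_encrypted: bool
    registered_guest: bool = False  # approved via the guest self-registration page


# Constructed VLAN ids
VLAN_PRODUCTION = 100
VLAN_GUEST = 500
VLAN_REMEDIATION = 900      # limited services while automatic remediation runs
VLAN_QUARANTINE = 999       # unmanaged device: nothing to remediate it with

MAX_SIGNATURE_AGE_DAYS = 3

# Constructed exemption list: hostname -> last day the exemption is valid.
# An exemption never hides the failures; they are returned with the decision.
EXEMPTIONS: Dict[str, date] = {"lt-exec-01": date(2014, 10, 31)}


def compliance_failures(ep: Endpoint) -> List[str]:
    """List every posture check the endpoint fails (empty list == compliant)."""
    failures = []
    if not ep.managed_by_epo:
        failures.append("no ePO agent")
    if ep.av_signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        failures.append(f"AV signatures {ep.av_signature_age_days} days old")
    if ep.missing_critical_patches:
        failures.append(f"{ep.missing_critical_patches} critical patches missing")
    if not ep.disk_encrypted:
        failures.append("disk not encrypted")
    return failures


def assign_vlan(ep: Endpoint, today_iso: str) -> Tuple[int, List[str]]:
    """Return (vlan, notes); notes carries the failures and any exemption used."""
    today = date.fromisoformat(today_iso)
    if ep.registered_guest:
        return VLAN_GUEST, ["guest access"]
    failures = compliance_failures(ep)
    if not failures:
        return VLAN_PRODUCTION, []
    expiry = EXEMPTIONS.get(ep.hostname)
    if expiry is not None and today <= expiry:
        # Dated exception: production access now, but the failures stay on
        # record so desktop support can schedule the remediation.
        return VLAN_PRODUCTION, failures + [f"exempt until {expiry.isoformat()}"]
    if not ep.managed_by_epo:
        return VLAN_QUARANTINE, failures
    return VLAN_REMEDIATION, failures


def decisions(endpoints: List[Endpoint], today_iso: str) -> Dict[str, Tuple[int, List[str]]]:
    """Decide for a batch of endpoints, keyed by hostname (handy for a report)."""
    return {ep.hostname: assign_vlan(ep, today_iso) for ep in endpoints}


# Constructed sample endpoints
SAMPLE_ENDPOINTS = [
    Endpoint("lt-sales-07", True, 1, 0, True),
    Endpoint("lt-sales-08", True, 9, 2, True),
    Endpoint("unknown-phone", False, 0, 0, False),
    Endpoint("visitor-laptop", False, 0, 0, False, registered_guest=True),
    Endpoint("lt-exec-01", True, 5, 1, True),
]

if __name__ == "__main__":
    for host, (vlan, notes) in decisions(SAMPLE_ENDPOINTS, "2014-10-01").items():
        print(f"{host:15} VLAN {vlan:4}  {'; '.join(notes) or 'compliant'}")
```

Unmanaged devices go to a quarantine VLAN rather than remediation because there is no agent to drive the fix; the exemption table is the one place an exception can live, and it expires on its own, which is what turns an ad-hoc bypass into something that can be reviewed.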
  9. Web defense is a huge battleground: sifting through thousands of web requests per second to filter web content and applications, scan for malware, prevent zero-day attacks and present the content to the end user with little to no delay. We installed Web Gateway with a hybrid central management deployment. We have four appliances deployed, two in our Houston data center and two in our Dallas data center. We are utilizing MCP, deployed through ePO, to manage proxy and SaaS selection based on best response time. While clients are on premises MCP will pick the best-responding proxy, and while off premises it will roll over to the SaaS solution. For clients that are not necessarily ePO-managed/domain-managed we forced a WCCP redirection, which included BYOD and guest access and all subnets in the event there was an MCP failure. We have ATD integrated into Web Gateway, providing us with an enhanced malware detection engine. One of the challenges we had was how much malware data we were going to let the ATD box process versus letting the built-in GAM engine in the Web Gateway process it. Another challenge was some of the policy transitions from WebSense to the new McAfee Web Gateway, which required some manual policy creation. This allowed us to comb through our policies, ensuring there was no duplication of rules and looking for better ways to apply them on the Web Gateway. We also faced issues with the hybrid deployment with rule matching from on premises to SaaS, and found that there is not an exact line-up of web rules. At that point we decided it was better to manage them separately, with a less restrictive rule set on the SaaS side, on the assumption that when a user goes mobile they are more likely to establish a VPN session than just surf the web. At the point they establish the VPN session, MCP is able to communicate with the on-premise proxies and backhaul all internet access.
With the new hybrid setup on SaaS we have complete rule synchronization from on premises to SaaS. This has allowed us to manage all rules in a single location without duplication of SaaS rules versus on-premises rules. We have now allowed VPN split tunneling for web access. Some of the benefits we gained were enhanced malware detection, reducing the overall detections through the installed AV, which in turn reduced the overall support required from desktop support for malware removal on the host machine.
  10. McAfee ATD really provided us the extra layer of insurance when it came to malware and zero-day detection, with its integration into Web Gateway and IPS. With ATD we are able to build out virtual machines that match our environment to an extent. The gateway anti-malware engine within Web Gateway is a really strong product. We were able to integrate ATD into Web Gateway to give it that extra horsepower. We were also able to integrate it into the IPS, providing a malware engine to the IPS and increasing our overall malware discovery rate.
  11. We deployed the McAfee IPS because of its fast performance, easy deployment, easy configuration and integration into the McAfee ePO/HIPS products. We have two sets of HA NS9100s deployed to each data center. Each one is inline at every link in and out of the data centers (FW DMZ, FW inside, MPLS, Metro-E and SIP). We also have a pair of M2950s in HA inline between the data centers, located in Dallas, and the one NSM located in Houston. We ensured that no matter where the traffic entered, exited or began, we saw the conversation. This placement provided us with a great deal of visibility and control internally and externally. The integration into the ePO/HIPS endpoint allowed us to process the events on the NIPS and send blocking notifications to ePO for the HIPS clients. The integration between ePO and IPS provided ePO machine information within the NSM console. Policy creation became our biggest challenge: not because it was hard to configure, but because we had brought so many links into the IPS (internal and external) that we had to document how the servers and systems communicated internally and externally and create the policies accordingly. One of the benefits gained from this IPS implementation was a high level of visibility on all links going in and out of the data center. We don't have any time savings in day-to-day tasks, due to the fact that our IPS implementation is a 6-times increase over our original deployment.
  12. McAfee Vulnerability Manager was deployed as our vulnerability assessment tool to provide deep insight into the security posture of our server and end-user systems. We have two scanners deployed, one in our Houston data center and the other in our Dallas data center, with the manager located in our Houston data center. We have integrated this product with our McAfee IPS and ePO, which gave us some added features on the IPS side, with the ability to kick off a vulnerability scan from within the IPS console. This capability has proven useful to determine if a targeted box is vulnerable to a specific attack. Within the ePO console we were able to incorporate the scan data to assist with event trending, access protection and HIPS policies. Challenges: refining the reports and generating custom reports for the SCCM administrator, as the default reports are large and cumbersome. We also had issues with turning off certain scan criteria, as we accepted a level of risk with certain Windows services left on. One of the benefits we gained from MVM is the ability to assess a system's vulnerability level, which allows us to direct our patching requirements to cover our high and medium vulnerabilities.
  13. SIEM has become our hub of knowledge as we continue to send more and more information to it. In our Houston data center we placed one event receiver, one enterprise log manager, two advanced correlation engines (one real-time, one historical), one enterprise security manager, one application data monitor and one database event monitor. Our Dallas data center received one event receiver to aggregate events to be delivered to the ELM and ESM. We are sending Windows event logs from all servers, NetFlow/syslog data from all network devices, ForeScout CEF event information and IPS integration, which allows us to blacklist from within the ESM console. One of the challenges we faced with the SIEM deployment was all the data points to send to SIEM; this proved very time-consuming but produced great results. Some of the benefits gained were increased visibility into the events taking place on the infrastructure (this allowed us to see an event on the firewall and correlate it against an event on a server). We have time savings by not having to track events through individual logging sources; we are able to see all events through one pane.
  14. Providing results to management and executive staff was a key element in establishing our security program. We wanted to be sure that we provided brief reports that made sense to a non-technical audience, avoiding IT terms, while ensuring that the information was accurate and relevant to our business. Initially, articulating findings was relatively difficult, with only portions of the data visible through StealthWatch. Once we began to deploy our ePO endpoint security solution we started to see a whole other picture, which enabled us to provide accurate information. After deploying our new McAfee solution we are now seeing the correlation of ePO endpoint events, Windows events, NetFlow, NIPS events, MVM endpoint vulnerability assessment information, syslog, ForeScout events, etc. The correlation of all this information allowed us to provide accurate security posture information to senior leadership.
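Notes 13 and 14 describe the two things the SIEM bought the team: seeing a firewall event and a server event as one story, and turning that story into something a non-technical reader can act on. The block below is an added example for this page, not the McAfee ESM correlation engine or any code from Eagle Rock Energy. It normalizes four constructed log feeds (firewall, Windows logon events, IPS alerts and a ForeScout-style CEF event) into one event shape, groups events that concern the same address within a time window and come from at least two sources, and renders the result as a short plain-language summary. The line formats are simplified and hypothetical, not the real ASA, Windows, NSM or CounterACT syntaxes; only the CEF header layout (CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension) is the generic one, and all addresses, hostnames and events are constructed.

```python
"""Cross-source event correlation plus a non-technical summary.  Constructed
illustration: log line formats are simplified and hypothetical; the sample
events, addresses and hostnames are made up for this example."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str     # firewall | windows | ips | nac
    kind: str       # normalized event type
    src_ip: str     # the address the event is about
    target: str     # host or address acted on


# Constructed sample lines (simplified formats, see module docstring)
FIREWALL_LOG = """\
2014-10-01T09:12:03 fw-hou conn 198.51.100.77 -> 10.10.20.15:3389 allow
2014-10-01T09:12:40 fw-hou conn 198.51.100.77 -> 10.10.20.15:3389 allow
2014-10-01T09:30:00 fw-hou conn 10.10.5.20 -> 203.0.113.9:443 allow
"""
WINDOWS_LOG = """\
2014-10-01T09:12:05 srv-app01 EventID=4625 SourceIP=198.51.100.77 User=administrator
2014-10-01T09:12:11 srv-app01 EventID=4625 SourceIP=198.51.100.77 User=admin
2014-10-01T09:12:18 srv-app01 EventID=4625 SourceIP=198.51.100.77 User=backup
2014-10-01T09:12:44 srv-app01 EventID=4625 SourceIP=198.51.100.77 User=administrator
2014-10-01T10:02:00 srv-app01 EventID=4624 SourceIP=10.10.5.31 User=jdoe
"""
IPS_LOG = """\
2014-10-01T09:12:50 nsm-hou alert sig=RDP-Brute-Force src=198.51.100.77 dst=10.10.20.15 action=block
"""
NAC_LOG = """\
2014-10-01T09:31:10 CEF:0|ForeScout|CounterACT|7|100|Host non-compliant|5|src=10.10.5.20 shost=lt-sales-07 msg=AV signatures out of date
"""
SAMPLE_LINES = (FIREWALL_LOG + WINDOWS_LOG + IPS_LOG + NAC_LOG).splitlines()

FW_RE = re.compile(r"^(?P<ts>\S+) \S+ conn (?P<src>\S+) -> (?P<dst>[\d.]+):\d+ (?P<action>allow|deny)$")
WIN_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<eid>\d+) SourceIP=(?P<src>\S+) User=\S+$")
IPS_RE = re.compile(r"^(?P<ts>\S+) \S+ alert sig=\S+ src=(?P<src>\S+) dst=(?P<dst>\S+) action=(?P<action>\S+)$")
CEF_RE = re.compile(r"^(?P<ts>\S+) CEF:\d+\|[^|]*\|[^|]*\|[^|]*\|[^|]*\|(?P<name>[^|]*)\|[^|]*\|(?P<ext>.*)$")
CEF_EXT_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")   # CEF extension key=value pairs
WIN_KINDS = {"4625": "failed_logon", "4624": "logon"}


def normalize(lines: List[str]) -> List[Event]:
    """Parse each feed into the common Event shape; unknown lines are skipped."""
    events: List[Event] = []
    for line in lines:
        m = FW_RE.match(line)
        if m:
            events.append(Event(datetime.fromisoformat(m["ts"]), "firewall", "conn_" + m["action"], m["src"], m["dst"]))
            continue
        m = WIN_RE.match(line)
        if m:
            kind = WIN_KINDS.get(m["eid"], "win_" + m["eid"])
            events.append(Event(datetime.fromisoformat(m["ts"]), "windows", kind, m["src"], m["host"]))
            continue
        m = IPS_RE.match(line)
        if m:
            events.append(Event(datetime.fromisoformat(m["ts"]), "ips", "ips_" + m["action"], m["src"], m["dst"]))
            continue
        m = CEF_RE.match(line)
        if m:
            ext = dict(CEF_EXT_RE.findall(m["ext"]))
            events.append(Event(datetime.fromisoformat(m["ts"]), "nac", "non_compliant", ext.get("src", "?"), ext.get("shost", "?")))
    return events


def correlate(events: List[Event], window: timedelta = timedelta(minutes=10), min_sources: int = 2) -> List[List[Event]]:
    """Group events about one address that fall within `window` of each other and
    are confirmed by at least `min_sources` distinct log sources."""
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)
    incidents: List[List[Event]] = []
    for evs in by_ip.values():
        evs.sort(key=lambda e: e.ts)
        i = 0
        while i < len(evs):
            j = i
            while j < len(evs) and evs[j].ts - evs[i].ts <= window:
                j += 1
            group = evs[i:j]
            if len({e.source for e in group}) >= min_sources:
                incidents.append(group)
                i = j
            else:
                i += 1
    return incidents


def severity(group: List[Event]) -> str:
    kinds = [e.kind for e in group]
    if "ips_block" in kinds or kinds.count("failed_logon") >= 3:
        return "high"
    if "non_compliant" in kinds:
        return "medium"
    return "low"


PLAIN = {   # wording for a non-technical reader, keyed by severity
    "high": "repeated attempts to break into a server were detected and stopped",
    "medium": "a company computer that does not meet the security standard reached the Internet",
    "low": "unusual activity that still needs review",
}


def executive_summary(incidents: List[List[Event]]) -> Tuple[Dict[str, int], List[str]]:
    counts = {"high": 0, "medium": 0, "low": 0}
    lines = []
    for group in incidents:
        sev = severity(group)
        counts[sev] += 1
        seen_by = ", ".join(sorted({e.source for e in group}))
        lines.append(f"{sev.upper()}: {PLAIN[sev]} (confirmed by {seen_by}; {len(group)} events)")
    return counts, lines


if __name__ == "__main__":
    counts, lines = executive_summary(correlate(normalize(SAMPLE_LINES)))
    print(counts)
    print("\n".join(lines))
```

The single successful logon from 10.10.5.31 never becomes an incident because only one source saw it; the brute-force attempt does because the firewall, the server and the IPS all reported the same address within a few seconds, which is exactly the firewall-to-server correlation the note describes. The summary lines deliberately carry severity, a plain sentence and the number of confirming sources, and leave out event IDs and signature names.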