McAfee ESM: Situational Awareness
Boubker Elmouttahid, CISSP, CISM, CRISC
Solution Architect, Management Platform
May 8, 2013
Confidential McAfee Internal Use Only
Security Connected Platform

INFORMATION SECURITY
• Data Loss Prevention
• Email Security
• Encryption
• Web Security

SECURITY MANAGEMENT
• Compliance
• Policy Auditing & Management
• Risk Management
• Security Operations Console
• SIEM
• Vulnerability Management

PARTNER COMMUNITY
• McAfee Connected
• Security Innovation Alliance (SIA)
• Global Strategic Alliance Partners

NETWORK SECURITY
• Access Control
• Identity & Authentication
• Intrusion Prevention
• Network User Behavior Analysis
• Next Generation Firewall
• Network Access Control

ENDPOINT SECURITY
• Server & Database Protection
• Smartphone & Tablet Protection
• On Chip (Silicon-Based) Security
• Virtual Machine & VDI Protection
• Application Whitelisting
• Desktop Firewall
• Device Control
• Device Encryption
• Email Protection
• Embedded Device Protection
• Endpoint Web Protection
• Host Intrusion Protection
• Malware Protection
The Big Security Data Challenge

(Diagram: the scope of SIEM grows from consolidating perimeter logs, thousands of events and compliance / historical reporting, to correlating events across APTs, cloud, data and insiders, with anomaly detection, large-volume analysis, multi-dimensional active trending and LT analysis over billions of events.)
Our Customers Have Specific Areas of Need

CIOs: "I want assurance we can detect and respond to attacks, are compliant with regulations and the reports to prove it—and I can't spend a fortune on it."

Security Analyst: "I need real time, relevant information so I can rapidly investigate and stop attacks."

Compliance: "I need to ensure that we maintain compliance with regulations and the reports to make the auditors understand it."
THINK FAST…ACT FAST: Actionable Situational Awareness through Enhanced Data Management and Integration

Learn Quickly: turns billions of "so what" events into actionable information via context, content and advanced analytics.

Move Fast: a purpose-built data management engine that makes SIEM work, and is Security 'Big Data' ready.

Act Decisively: leveraging the value of Security Connected for faster response whilst lowering cost of ownership.
McAfee ESM

MOVE FAST: eDB, a purpose-built data management engine that makes SIEM work

eDB is a highly indexed, purpose-built database that enables…
• Integrated log & event collection on a massive scale, at high performance
• Real-time enrichment of data with context to drive intelligence
• On-line reporting / analytics on current & historic data
…in parallel!

SMART FAST: the extended schema in 9.2 enables…
• Improved tracking of assets via GUID, which increases accuracy as IPs change
• More custom fields, increasing the data collected, correlated and reported about an event
• Ability to accumulate events (throughput, packets, URLs, etc.)
…without compromising performance!
LEARN QUICKLY: Establishing baselines to identify deviations

Rolling Averages: defining abnormal patterns of activity

Eliminate the Guesswork: alert based on deviations from the norm
• Sum events and track averages
• Identify anomalies
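The baseline-and-deviation approach on this slide, worked through as an added example (not McAfee code): per-host event counts are summed per interval, a rolling mean and standard deviation form the baseline, and an interval that exceeds the baseline by a configurable number of standard deviations raises an alert. The window size, the threshold K, the MIN_DELTA guard and the sample counts are all assumptions constructed for the example.

```python
"""Rolling-average baselines with deviation alerts (added example, not McAfee code).

Constructed sample: one event count per host per 1-minute interval. A host's
baseline is the mean and standard deviation of its previous WINDOW intervals;
an interval whose count exceeds mean + K * stddev is reported as an anomaly.
"""
from collections import defaultdict, deque
from math import sqrt

WINDOW = 5     # intervals in the rolling baseline (assumed value)
K = 3.0        # alert when count > mean + K * stddev (assumed value)
MIN_DELTA = 5  # ignore tiny absolute jumps on near-flat baselines (assumed)


def baseline(history):
    """Mean and population standard deviation of a full window of counts."""
    n = len(history)
    mean = sum(history) / n
    return mean, sqrt(sum((c - mean) ** 2 for c in history) / n)


def detect_anomalies(samples, window=WINDOW, k=K, min_delta=MIN_DELTA):
    """samples: iterable of (interval, host, count), each host in interval order.

    Returns (interval, host, count, mean, stddev) for every interval whose count
    deviates upward from that host's rolling baseline. A host is not scored
    until it has a full window of history, and an anomalous interval is kept
    out of the baseline so one spike does not inflate the norm that follows.
    """
    history = defaultdict(lambda: deque(maxlen=window))
    alerts = []
    for interval, host, count in samples:
        hist = history[host]
        if len(hist) == window:
            mean, sd = baseline(hist)
            if count > mean + k * sd and count - mean >= min_delta:
                alerts.append((interval, host, count, round(mean, 2), round(sd, 2)))
                continue  # spike stays out of the baseline
        hist.append(count)
    return alerts


# Constructed sample: failed-login counts per minute for two hosts.
SAMPLES = (
    [(t, "10.0.0.5", c) for t, c in enumerate([4, 5, 4, 6, 5, 5, 48, 4, 5, 6])]
    + [(t, "10.0.0.9", c) for t, c in enumerate([0, 0, 1, 0, 0, 0, 0, 12, 0, 0])]
)

if __name__ == "__main__":
    for a in detect_anomalies(SAMPLES):
        print("ALERT interval=%d host=%s count=%d baseline=%.2f sd=%.2f" % a)
```

The MIN_DELTA guard matters on hosts whose baseline is nearly flat: with a standard deviation close to zero, any single extra event would otherwise exceed K standard deviations.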
LEARN QUICKLY: Correlating Both Flows and Events

(Diagram: Flow and Event streams are combined by Advanced Correlation to correlate events and flows, enhanced with GTI.)

• Identify spikes in activity
• Analyze behavior of an individual host
• Detect zero-day threats through traffic profiling
• Monitor compliance via analysis of application data, protocol and user
ACT DECISIVELY: Leverage the power of the platform

Industry Leading Security Information and Event Management

(Diagram: McAfee ESM at the centre of an Integrated Security Platform, providing Event Collection, Log Management, Advanced Correlation, Policy Management, Streamlined Investigations and Compliance Reporting, and integrated with ePolicy Orchestrator, Network Security Platform, Global Threat Intelligence and Vulnerability Manager.)
ACT DECISIVELY: Intelligent Orchestration and Integration

(Diagram: a social-media post, "My Pal RT@aguyweknow Very Inspiring article Bit.ly/p0wn3d", leads to a detected connection attempt; ESM correlation triggers an alarm and drives response actions through ePO and NSM: quarantine the IP, quarantine the endpoint, launch an AV scan and increase security.)
Summary: Actionable Situational Awareness from McAfee ESM

ESM allows you to… MOVE FAST, LEARN QUICKLY, ACT DECISIVELY
McAfee SIEM Components

Enterprise Security Manager (ESM): content-aware SIEM
• Stores Event & Flow data using McAfee EDB: patented, high-performance, embedded data access engine
• Hosts browser-based, Flash-enabled SIEM interface: easy to use, highly customizable views / dashboards
• Manages rules through Policy Manager: customizable data source and correlation rules
• Configures Reports and Alarms: customizable reporting and flexible alarm management
• Redundant capable: primary and secondary ESMs can be configured
• Designed to be scalable: designed to support 100,000s of events per second

Advanced Correlation Engine (ACE): dedicated correlation logic appliance
• Quantitative Risk Scoring Correlation: ACE uses rule-less correlation to determine threat activity
• Enables Historical Correlation: match new rules against historic events in near real time
• Combined correlation engines without overhead: operates independently of event collection

Event Receiver: 3rd-party log / event / flow collection
• Collection point for Events and Flows: passive and active collection technologies
• Hosts Rules-based Correlation Engine: can be enterprise-wide or specific to the local Receiver
• Redundant capable: High Availability Receivers can be configured
• Designed to be scalable: designed to support up to 20,000s of eps per appliance

Enterprise Log Manager (ELM): fully integrated, compliant log management
• Archive Management for Raw Events: the Receiver forwards unaltered logs to ELM
• Maintains ELM Management database: ability to manage parsed and raw logs simultaneously
• Raw Log Integrity Management: ensures forensic integrity
• Raw log Compression Management (up to 20:1): delivers maximum storage efficiency
• Flexible Storage: local, SAN (Fibre), CIFS, NFS, iSCSI, NAS and combinations

Database Event Monitor (DEM): database transaction monitoring
• Passive Event Monitoring: eliminates the performance overhead associated with DB logging
• Stores event activity as Sessions: reconstruct and examine activity from login to logoff
• Correlate Database activity to Security Events: correlate sensitive information access to users

Application Data Monitor (ADM): content visibility
• Protocol & Application Monitoring: full inspection of application content
• Monitor Sensitive Data Transmitted via Applications: identify monitoring blind-spots

(Diagram: Receivers, the ADM (on a span or tap, seeing http://, P2P, chat, VoIP, Shell / FTP, LDP and PS traffic) and the DEM (on a span or tap, including SSL connections) feed the ESM and ELM over AES Encrypted Channels; the ELM writes to local, CIFS / NFS, SAN or iSCSI storage.)