McAfee Security Connected · 2017-06-09 · McAfee Threat Intelligence Exchange narrows the gap...


Page 1: McAfee Security Connected · 2017-06-09 · McAfee Threat Intelligence Exchange narrows the gap from encounter to containment for advanced targeted attacks from days, weeks, and

2017, McAfee Product Solutions Marketing MCAFEE CONFIDENTIAL

McAfee Confidential

McAfee Security Connected

Nicolas LEHOUX | Sales Engineer

Page 2:

© 2017 McAfee, Inc. All information provided here is subject to change without notice. Contact your McAfee representative to obtain the latest Intel product specifications and roadmaps. Intel and the Intel logo are trademarks of Intel Corporation in the U.S. and/or other countries. McAfee and the McAfee logo are trademarks of McAfee, Inc. in the U.S. and/or other countries. *Other names and brands may be claimed as the property of others.

Page 3:

Today’s Endpoint Security Challenges

Staying ahead of zero-day threats, greyware, and ransomware

Visibility to find potential threats quickly

Reduce complexity and minimize operational burden

Rapid investigation and remediation of threats across all endpoints

Presenter notes:
While malware continues to be very pervasive and a growing method of attack, we have seen a shift towards new threat techniques that are more difficult to detect, such as zero-day attacks, greyware and ransomware. Many of these attacks are getting past traditional protection measures, so there is a concerted effort among security architects to find new and innovative protection capabilities that will help them stay ahead of these types of threats. Many security architects are looking at ways to find potential threats within their environments, which is critical to start any type of correction and remediation action. What follows next is being able to investigate with maximum contextual information and to quickly and easily remediate threats across all endpoints. The challenge here is to ensure that the … With many vendors touting that traditional AV is dead, companies are looking to new, innovative standalone point products in a desperate attempt to stop the attacks.
Page 4:

Quests for a “Silver Bullet” are Hurting, Not Helping

80% [1] of organizations cite endpoint security processes and technology management as more difficult than it was two years ago.

5 Different Consoles

10 Different Agents

Multiple Siloed Point Products

Source: (1) ESG Research Report: The Endpoint Security Paradox

Silver Bullet Feature With “Free Security” + O/S

Presenter notes:
Security architects feel the pressures of the endpoint challenges within their environment. Well intentioned indeed, many security architects will find themselves in desperate times and quickly start searching for the best-of-breed solution or silver bullet to halt the endpoint mayhem. However, the multiple siloed security products have compounded complexity by introducing an average of 10 different agents [1] on the endpoint, and created a management nightmare requiring five different consoles [1] and endless manual correlations. Sadly, an already stretched IT security administrator is left juggling a myriad of specialized security products, hoping that the security posture is improved, that each single point of failure catches what the previous one missed, and trying to decrease the friction that drives up false positives, leaves gaps for unknown threats to hide in, and frequently stands in the way of productivity. No wonder 80% [2] of organizations cite endpoint security processes and technology management as more difficult than it was two years ago.
Sources: (1) Forrester study (our sponsored technology adoption profile study); (2) ESG study, 2016.
Page 5:

Not only fatigue, but security posture for the endpoint has not improved…

And the Result Is?

Hidden Threats: +200 days [1] is the time it takes on average to identify a malicious attack

Insight: 8 days [1] is the average it takes for a security investigation

Security Gaps: in 62% [1] of cases attackers compromised organizations within minutes

Source: (1) Verizon Data Breach Report, 2016.

Presenter notes:
Source: Verizon Data Breach Report, 2016. What is happening is that eventually fatigue sets in, but security posture has not improved for the endpoint environment. The hope remains that each single-point product (or silver bullet product) will catch what the previous one missed; friction is increased by the lack of threat sharing and the increase in false positives. This situation leaves security gaps, and we still see that in 62% of cases attackers compromised organizations within minutes. Also, this approach frequently leaves gaps for unknown threats to hide in, and we see today that it takes most customers about 200 days on average to identify a malicious attack. Then, once you know a breach has occurred, complexity and lack of contextual information lead to a much longer time to investigate. It takes about 8 days on average… just think of what can happen during an 8-day period.
Page 6:

Dynamic Endpoint Threat Defense Solution

The new, adaptive threat defense approach

Stop, contain, and remediate attacks across a dynamic endpoint fabric

Presenter notes:
Unlike other security vendors, McAfee provides a connected platform with integrated tools that deliver better protection while preserving your most valuable resource – time. Dynamic Endpoint Threat Defense (Dynamic Endpoint) breaks down siloed security by combining established protection such as firewall, reputation and heuristics with cutting-edge capabilities such as machine learning and dynamic application containment, and adds native endpoint detection and response into a single platform agent, with a single management console. It uses integrated, multi-stage protection to keep users productive and connected while stopping zero-day malware, like ransomware, before it can infect the first endpoint. Exposure from hidden threats drops to seconds, rather than days or weeks, through instant visibility, simpler investigations and the ability to use one-click correction across the entire organization.
Page 7:

Dynamic Endpoint Threat Defense Solution


Advanced yet Simplified

Machine learning | Multistage defense | Single modular agent

Reduced agent sprawl

Consolidated management

Lower TCO

The power of AI to combat the most sophisticated emerging threats with static and dynamic analysis

Protect, detect, and correct with blended countermeasures and the power of cloud-assisted analytics and intelligence

Page 8:

Dynamic Endpoint Threat Defense Solution

Neutralize Threats with a dynamic, integrated solution

McAfee Active Response (MAR): Detects and corrects threats faster with continuous visibility and automated responses

McAfee Threat Intelligence Exchange (TIE): Adaptive threat detection & response operationalizes intelligence

McAfee Advanced Threat Defense (ATD): Protects against advanced malware, including zero-day and persistent threats

Dynamic Endpoint Threat Defense

McAfee ePolicy Orchestrator (ePO): Complete centralized management for increased control & visibility, which helps lower security operational costs

McAfee Endpoint Security (ENS): Comprehensive collaborative protection framework encompassing traditional and advanced defense techniques

McAfee Web Protection (via McAfee Client Proxy Agent): Stops the majority of zero-day malware before it reaches an endpoint

Presenter notes:
Let’s take a look at the set of sophisticated protections needed to protect your endpoint environment from advanced and emerging threats:
McAfee Endpoint Security 10: Intelligent and collaborative framework for advanced targeted attack protection, powered by the industry’s largest global threat intelligence network. A true centrally managed protect, detect, and respond endpoint solution with a single user interface. Endpoint detection and response capabilities. Dynamic Application Containment is available as part of McAfee Complete Endpoint Protection – Enterprise and helps customers protect against greyware, 0-day and patient-zero threats – before they have access to their systems.
McAfee Threat Intelligence Exchange: enables adaptive threat detection and response by operationalizing intelligence across your endpoint, gateway, network, and data center security solutions in real time. Combining imported global threat information with locally collected intelligence and sharing it instantly across the Data Exchange Layer (DXL) allows security solutions to operate as one, exchanging and acting on shared intelligence. McAfee Threat Intelligence Exchange narrows the gap from encounter to containment for advanced targeted attacks from days, weeks, and months down to milliseconds.
McAfee Active Response: detects and corrects threats to provide security beyond the required level of protection. It offers continuous visibility and powerful insights into endpoints, so customers can identify breaches faster and gain control over the threat defense lifecycle. McAfee Active Response provides tools that enable customers to correct issues faster and in the way that makes the most sense for your customer’s business.
McAfee Web Gateway (via Client Proxy Agent): Best-in-class protection from emerging threats with a unique behavioral protection engine that stops the majority of zero-day malware from the internet before it reaches an endpoint.
McAfee Advanced Threat Defense: Protects against advanced malware, including zero-day and advanced persistent threats.
McAfee ePolicy Orchestrator: Complete centralized management via ePO for increased control & visibility, which helps lower security operational costs.
Page 9:

Comprehensive Threat Defense

Page 10:

Endpoint Security (ENS): Dynamic, collaborative platform core protection to outsmart attackers

Collaborative and multi-layered defense

Behavior and machine learning based protection

Dynamic execution containment of threats

Intelligent feeds for faster detection

Presents threat data in intuitive, common language

Integrates seamlessly with EDR to remediate and adapt

(Diagram: ePolicy Orchestrator; Adaptive Threat Protection; Web Control; Threat Prevention; TIE; Firewall)

Presenter notes:
Key points:
Comprised of dynamic modules that create a multi-layered defense; unique to the industry.
Introduces machine learning and behavior-based protection, for better defense than signature-based techniques, as part of the Adaptive Threat Protection module.
The local endpoint contains malware with Dynamic Application Containment based on behavior, thus stopping the spread of malware – ideal protection for threats such as ransomware.
Utilizes an intelligent feed for threat information that all modules connect to for faster detection.
Collaborates with EDR to remediate and adapt, resulting in removal of threats entirely.
Presents threat event data in intuitive, common language; shows what actions were taken and what the point of origin was.
Endpoint Security 10 offers several other improvements besides integration. Let’s take a quick look at 3 of the 10 modules.
Threat Prevention module: This includes OAS, ODS, Access Protection functionality, and the unified buffer overflow protection technologies (aka memory protection) of VSE and HIPS to protect against exploits.
Firewall module: This is the equivalent of the HIPS firewall.
Web Control module: This is the equivalent of SAE and WFE.
Advanced Protection module: Dynamic App Containment reduces greyware’s ability to make changes on the system; it contains the malware, preventing further damage to your security infrastructure.
The TIE module: An optional threat intelligence module that further informs the other defenses within ENS 10 with several threat intelligence feeds from around the world.
All modules benefit from the McAfee Endpoint Security platform by utilizing common services, module-to-module communication, etc.
Page 11:

Dynamic Application Containment: Local endpoint execution containment stops the spread of greyware and ransomware

Saves “Patient Zero” by reducing or eliminating the ability of unknown apps to make malicious changes

Defeat “sandbox-aware” malware, as detection occurs at the endpoint

Easier and less costly to deploy by not requiring a sandbox or virtual machine solution

Create customized containment rules

Works online or offline

Contain greyware and its ability to make changes on the endpoint while running endpoint detection analysis

Contain all processes (i.e. .exe, .jpg, .bmp) and file modifications

Presenter notes:
To trace dynamic behavior we have to allow malware to run, so it can cause damage in a second. That’s where virtualization or a sandbox helps: you let the malware run in a contained sandbox environment. But it’s not possible to create a VM at the endpoint to trace behavior. Therefore, we came up with DAC. DAC is Dynamic App Containment. It reduces the ability of greyware to make changes on the system. We can trace behavior by looking at what the app is trying to do. Malware will be unable to perform any action, but all attempts will be recorded, and that’s what we need to trace behavior. We will be able to trace behavior without heavyweight technologies like a sandbox or machine learning. For containment we will be using the access control rules which already exist in ENS. Customers can create their own rules as well. Sandboxes are commonly used by appliances; therefore, VM-aware malware is rising. This technology can catch sandbox-aware malware as well. It’s the best technology to restrict patient zero: the first instance of malware itself will be contained. Other benefits include time to react, as a sandbox is not involved. What happens if it’s a good app? Unlike app control, where everything is blocked, behavioral technologies will allow apps to run. If it’s a good app, then containment rules will not block the app and hence it will run without impacting business continuity.
Page 12:

Real Protect Overview

Real Protect Static (Pre-Execution): Detect malware based on pre-execution static binary analysis using machine learning and comparison to known malware attributes

Real Protect Dynamic (Post-Execution): Detect dynamic behavior of greyware on the endpoint, compare to known malware behaviors for a match via behavioral cloud-based machine learning

Block zero-day malware before it executes with static analysis machine learning and dynamic behavioral cloud-based machine learning

Pre- and post-execution is critical to maximize your detection capabilities.

Presenter notes:
There are a lot of silver bullet solutions out there, in particular as you look at what is labeled in the market as next-generation protection. What Real Protect offers is pre-execution protection with static-analysis machine learning and post-execution protection with behavioral cloud-based machine learning. Pre-execution will help to detect more “zero-day” malware based on actual malware static file attributes than any previous reactive signature-based method. It will help:
Detect obfuscated, polymorphic malware in a proactive manner.
Reduce the need for human analysis by leveraging machine learning = much faster to learn and adapt to new variants of malware.
Core technology can also be used for lateral movement detection, patient zero discovery, threat actor attribution, and forensics.
Post-execution is delivered via behavioral cloud-based machine learning to help detect more “zero-day” malware based on actual malware behavior, compared with signature-based or static-only methods. With the addition of Real Protect Dynamic it will help:
Detect obfuscated, polymorphic malware in a proactive manner.
Reduce the need for human analysis by leveraging machine learning = much faster to learn and adapt to new variants of malware.
Core technology can also be used for lateral movement detection, patient zero discovery, threat actor attribution, and forensics.
Page 13:

Threat Intelligence Exchange: Synthesizes intelligence to create a unified system that automatically adapts

Centralized Visibility and Control: Incident response knowledgebase; local prevalence intelligence

Integrated Endpoint Module: Execution-time reputation inspection and protection

Open, Connected Ecosystem: Network, gateway, endpoint, and cloud-based countermeasures and intelligence

Data Exchange Layer: Ultra-fast, persistent, bidirectional messaging fabric

(Diagram: TIE Server; McAfee Solutions; 3rd Party Partners; Threat Intelligence Feeds; TIE Endpoints)

Presenter notes:
McAfee Threat Intelligence Exchange (TIE) connects security components to share contextual insights and provide organization-wide visibility and control. The real-time insights inform the actions of Real Protect and Dynamic Application Containment. It is a combination of Intel and third-party feeds that offers visibility across network, gateway, endpoint and cloud-based countermeasures and threat intelligence. Accessing the latest information is easy thanks to its centralized visibility and control, where incident response and local intelligence resources are available. It accomplishes all this by using our Data Exchange Layer to communicate with your endpoint defenses.
Page 14:

Advanced Malware Detection: Innovative sandbox analysis using McAfee Advanced Threat Defense

(Diagram: Advanced Threat Defense – inputs: Identified (because of behavior analysis) / Unknown (because no signature match); analysis stages: Unpacking, Dynamic analysis, Disassembly of code, Family resemblance, Identify evasive attempts; verdicts: Malware, Safe)

Presenter notes:
McAfee Advanced Threat Defense offers innovative sandbox analysis to detect unknown malware. Unlike traditional sandboxes, it provides multiple analysis engines to broaden detection and expose evasive threats. ATD combines low-touch antivirus signatures, reputation, and real-time emulation defenses with in-depth static code and dynamic analysis (sandboxing) to analyze actual behavior. Combined, this represents the strongest advanced malware security protection on the market and effectively balances the need for both protection and performance. ATD provides detailed malware classification information and allows identification of associated malware leveraging code reuse. Sandbox evasion techniques such as delayed or contingent execution paths, often not executed in a dynamic environment, can be detected through unpacking and full static code analysis.
Page 15:

McAfee Web Gateway as a Source of Local Threat Intelligence

(Diagram: Data Exchange Layer connecting McAfee ESM, McAfee TIE Endpoint Modules, McAfee ePO, McAfee ATD, McAfee Web Gateway, McAfee NSP, McAfee MOVE, McAfee Application Control, McAfee DLP Endpoint, McAfee Global Threat Intelligence, 3rd Party Solutions, and McAfee TIE Server)

Gateway Anti-Malware engine detects zero-day malware

Web Protection publishes the new malware reputation to TIE

Endpoints and other sensors are updated by TIE immediately, providing reputation for zero-day malware before a new DAT is published

Presenter notes:
In this example, zero-day malware attempting to enter the network is discovered and blocked by the Web Gateway. The Web Gateway shares the information on this malware with the TIE server. Based on policy, TIE can then send out updated file information regarding this malware to all connected components. Endpoints do not need to wait for the latest DAT file update; they are immediately protected once the first encounter with the malware is detected, anywhere in the organization.
Page 16:

Together is Power

Demo: https://www.youtube.com/watch?v=mbamFKgtqZY

Master example: Six products, four vendors, total automation

Presenter notes:
■ Step 1: Detection—Malware is launched on an infected endpoint, connecting to a known command and control server identified by Check Point Anti-Bot. Check Point’s firewall notes the traffic to a known malicious command and control server. Check Point’s firewall publishes an OpenDXL event.
■ Step 2: Identification—The OpenDXL orchestration script has been listening over DXL. It receives the event, and then queries McAfee Active Response to identify, from the source system, which executable made the outbound connection. This allows us to move from just knowing network information (source, destination, port, and more) to file information. And, since McAfee Active Response maintains a historical record of network connections, this will succeed even if the process is no longer running. This provides additional data for Step 4: Scoping.
■ Step 3: Containment—The OpenDXL orchestration script then sets the reputation of the file it has identified to “known malicious” in McAfee Threat Intelligence Exchange. McAfee Threat Intelligence Exchange then broadcasts this new information over DXL, directing McAfee Threat Intelligence Exchange clients to kill the malware processes, thus disconnecting the communications. Note that this will apply to any system running the convicted process.
■ Step 4: Scoping—Although not shown in the demo, McAfee Active Response can be leveraged to find other processes that connected to the same command and control server, or other dormant instances of the files that either have not been executed or are no longer running, and then remove them.
■ Step 5: Tagging—To complete the cleanup, the systems that McAfee® Active Response has identified as containing malware are tagged in McAfee ePO software by the orchestration script as a hook to allow further activity by the administrator.
■ Step 6: Assessment—The orchestration script triggers a vulnerability scan reaction by Rapid7 Nexpose as a final step to identify all the weaknesses in the compromised systems that could also be exploited.
■ Step 7: Remediation—The orchestration script sends a request to the Aruba ClearPass OpenDXL service to update attributes for systems exposed to malware, which triggers policy enforcement, which can quarantine the device from the network while detailed remediation occurs.
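The correlation logic behind steps 2 to 5 above (and the reputation propagation of the Page 15 Web Gateway flow), modelled as a self-contained Python script. This is an added example written for this transcript, not OpenDXL, McAfee Active Response, TIE or ePO code: the DXL transport is replaced by in-memory records, and every host name, IP address, hash, path and tag name is constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Set

# Constructed values for this model only: TIE has its own trust-level scale and
# ePO tag names are whatever the administrator defines.
KNOWN_MALICIOUS = "known_malicious"
EPO_TAG = "MalwareFound"


@dataclass(frozen=True)
class Flow:
    """One MAR-style historical network connection record (constructed)."""
    host: str
    src_ip: str
    dst_ip: str
    dst_port: int
    process: str
    sha256: str
    running: bool  # False: the process has since exited, but history keeps the record


@dataclass(frozen=True)
class FileInstance:
    """A file present on a host, whether or not it is currently running (constructed)."""
    host: str
    path: str
    sha256: str
    running: bool


@dataclass
class Outcome:
    convicted: Set[str] = field(default_factory=set)                 # hashes set to known malicious
    kill_orders: Dict[str, Set[str]] = field(default_factory=dict)   # host -> hashes to kill
    scoped_hosts: Set[str] = field(default_factory=set)              # hosts needing follow-up
    epo_tags: Dict[str, Set[str]] = field(default_factory=dict)      # host -> tags


# Constructed sample data: TEST-NET addresses and placeholder hashes.
C2_IP = "203.0.113.7"
EVIL = "ab" * 32   # placeholder SHA-256 of the malicious executable
GOOD = "cd" * 32   # placeholder SHA-256 of a benign browser

FLOWS = [
    Flow("host-a", "10.0.0.5", C2_IP, 443, "svchost_update.exe", EVIL, True),
    Flow("host-a", "10.0.0.5", "198.51.100.20", 443, "browser.exe", GOOD, True),
    Flow("host-b", "10.0.0.6", C2_IP, 443, "svchost_update.exe", EVIL, False),  # already exited
]
FILES = [
    FileInstance("host-a", r"C:\Users\alice\svchost_update.exe", EVIL, True),
    FileInstance("host-b", r"C:\Users\bob\svchost_update.exe", EVIL, False),
    FileInstance("host-c", r"C:\Temp\svchost_update.exe", EVIL, False),   # dormant, never ran
    FileInstance("host-d", r"C:\Program Files\browser.exe", GOOD, True),
]
# Step 1: the event the firewall would publish over DXL (constructed).
FIREWALL_EVENT = {"src_ip": "10.0.0.5", "dst_ip": C2_IP, "dst_port": 443}


def identify(event: dict, flows) -> Set[str]:
    """Step 2: turn the network tuple into file hashes on the source host.
    The lookup runs over history, so an exited process still resolves."""
    return {f.sha256 for f in flows
            if (f.src_ip, f.dst_ip, f.dst_port)
            == (event["src_ip"], event["dst_ip"], event["dst_port"])}


def contain(convicted: Set[str], files, reputation: Dict[str, str]) -> Dict[str, Set[str]]:
    """Step 3 (and the Page 15 flow): publish the new reputation, then every host
    currently running a convicted hash receives a kill order, not only the source."""
    for sha in convicted:
        reputation[sha] = KNOWN_MALICIOUS
    orders: Dict[str, Set[str]] = {}
    for fi in files:
        if fi.running and reputation.get(fi.sha256) == KNOWN_MALICIOUS:
            orders.setdefault(fi.host, set()).add(fi.sha256)
    return orders


def scope(c2_ip: str, convicted: Set[str], flows, files) -> Set[str]:
    """Step 4: hosts that ever talked to the same C2, plus hosts holding
    dormant or exited copies of the convicted files."""
    hosts = {f.host for f in flows if f.dst_ip == c2_ip}
    hosts |= {fi.host for fi in files if fi.sha256 in convicted}
    return hosts


def tag(hosts: Set[str], tags: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Step 5: tag affected systems in ePO as a hook for the administrator."""
    for h in hosts:
        tags.setdefault(h, set()).add(EPO_TAG)
    return tags


def orchestrate(event: dict, flows, files) -> Outcome:
    """Run steps 2-5 for one firewall event and report what was done."""
    out = Outcome()
    out.convicted = identify(event, flows)
    if not out.convicted:
        return out  # no file resolved: the alert stays network-only, nothing is convicted
    out.kill_orders = contain(out.convicted, files, {})
    out.scoped_hosts = scope(event["dst_ip"], out.convicted, flows, files)
    out.epo_tags = tag(out.scoped_hosts, {})
    return out


if __name__ == "__main__":
    result = orchestrate(FIREWALL_EVENT, FLOWS, FILES)
    print("convicted:", sorted(result.convicted))
    print("kill orders:", {h: sorted(s) for h, s in result.kill_orders.items()})
    print("scoped hosts:", sorted(result.scoped_hosts))
```

With the constructed data, host-b (process already exited) and host-c (dormant copy that never ran) receive no kill order but are still scoped and tagged, which is the distinction the notes draw between Step 3 and Step 4.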
Page 17:

NSS Labs Advanced Endpoint Test: Excellent results for McAfee Endpoint Security version 10.5

99% Overall Security Effectiveness

100% Tested Evasions Blocked

0% False Positives

Presenter notes:
Our own McAfee Endpoint Security (ENS) version 10.5 was included in the test and achieved a security effectiveness rating of 99% with zero false positives, and 100% of the tested evasions blocked. These results earned McAfee Endpoint Security an NSS Labs Recommended Rating for Advanced Endpoint Protection. Compared with the other vendors, McAfee Endpoint Security (ENS 10.5) did really well, having the second highest security effectiveness rating.
Page 18:

Summary

Page 19:

Dynamic Endpoint Threat Defense Summary: A centrally managed platform for protection, custom intelligence, and threat hunting

Broad threat protection with optimized performance, containment, behavioral analysis and machine learning

Dynamically share threat intelligence with endpoint, network, and web; customizable to meet your needs

Advanced live hunting capability across all endpoints and flexibility to set traps and remediate malware customized to your environment

New user workflows reduce the number of clicks and ePO’s user interface provides more visibility and information for speedier management.

Single, unified, layered security all managed from ePO – no other solution has this breadth in one console

McAfee provides dynamic, collaborative and integrated security for today and tomorrow’s advanced and emerging threats

Page 20:

For More Info

Demo – McAfee Real Protect & Dynamic Application Containment: https://www.youtube.com/watch?v=gLoyHzSNda0&t=16s

White Paper – McAfee Dynamic Endpoint Multilayered Malware Defense: https://www.mcafee.com/us/resources/white-papers/wp-busting-myth-malware-silver-bullet.pdf

Test Report – NSS Labs Advanced Endpoint Protection: https://www.mcafee.com/us/resources/reviews/nss-labs-aep-endpoint-security.pdf and https://www.mcafee.com/us/resources/reviews/nss-labs-aep-security-value-map.pdf

Technical Info – McAfee Dynamic Endpoint Expert Center: https://community.mcafee.com/community/business/expertcenter/products/ens
Page 21:

McAfee provides intelligent and integrated security for today and tomorrow’s advanced and emerging threats

Presenter notes:
With a strong portfolio of products covering the complete Protect-Detect-Correct threat lifecycle and an intelligent and integrated framework via a single console, McAfee provides sophisticated protection for today and tomorrow’s advanced and emerging threats.
Page 22:

McAfee, the McAfee logo and [insert <other relevant McAfee Names>] are trademarks or registered trademarks of McAfee LLC or its subsidiaries in the U.S. and/or other countries. Other names and brands may be claimed as the property of others. Copyright © 2017 McAfee LLC.

Page 23:

Essential Protection that Grows with You: McAfee Endpoint Threat Protection

McAfee Endpoint Threat Protection offers the essential protection you need today and keeps you ready for tomorrow’s advanced threat defense requirements. It delivers integrated threat prevention, firewall, web, email, and device control defenses that work together in real time to analyze and collaborate against threats.

(Diagram: ePolicy Orchestrator; Threat Prevention; Web Control; Firewall)

Scalable Management Architecture

No more point product integrations – easily add other McAfee or third-party products as your needs change

True centralized management with a single pane of glass simplifies management and saves time spent moving across several UIs

Integrated modules that perform core antivirus, URL filtering and exploit/intrusion prevention.

Page 24

Enhanced Protection for Commercial-sized Organizations*

McAfee Complete Endpoint Protection - Business

A comprehensive suite with collaborative core protection, now with dynamic application containment and machine learning to protect against advanced threats, application control, add-on EDR for instant remediation, and ePolicy Orchestrator for centralized management and reporting.

Diagram: ePolicy Orchestrator (Deployment, Management & Reporting); Core Protection: Threat Prevention, Web Control, Firewall; Data Protection; Machine Learning; Dynamic Application Containment; Application Control; Add-On EDR: McAfee Threat Intelligence Exchange (TIE), McAfee Active Response (MAR)

True centralized management with a single pane of glass

*Limit 2000 nodes. Added in Q2 ’17: Dynamic Application Containment, Real Protect, Application Control. CEB customers are now eligible for a discount on the optional EDR2 SKU.

Presenter
Presentation notes
CEB suite updates for Q2 2017: addition of the Adaptive Threat Protection module, which includes Dynamic Application Containment and Real Protect. Application Control was also added. CEB customers are now eligible for a discount on the optional EDR2 SKU (same as the CTP suite) to get Active Response and TIE. A comprehensive suite with collaborative threat defense against advanced threats, with encryption to protect your data, and intrusion prevention and firewall for desktops and laptops to halt zero-day exploits. Phishing and multistage attacks are also blocked thanks to its email, web, and collaborative endpoint defenses, including dynamic application containment and machine learning. CEB on McAfee.com: https://www.mcafee.com/us/products/complete-endpoint-protection-business.aspx
Page 25

Advanced Protection for Enterprises

McAfee Complete Endpoint Threat Protection

Diagram: ePolicy Orchestrator; Threat Prevention; Web Control; Firewall; Adaptive Threat Protection

Scalable Management Architecture

No more point product integrations: add other McAfee or third-party products as your needs change.

True centralized management with a single pane of glass simplifies management and saves time spent moving across several UIs.

Integrated modules that perform core antivirus, URL filtering and exploit/intrusion prevention. Machine-learning analysis (pre- and post-execution) and containment of suspicious files, processes and applications.

Enterprise-grade, advanced defenses that investigate and contain zero-day threats and sophisticated attacks, using a collaborative framework which includes dynamic application containment and machine learning analysis.

*CTP customers are eligible for a discount on EDR

Page 26

Backup – How It Works

Page 27

Endpoint Security (ENS) Core Protection

Core protection with shared intelligence to protect against download of a malicious file from the web

A file hash is sent from Web Control to Threat Prevention, triggering an on-demand scan (ODS)

Event data is shared with other modules and ePO, and is visible in the client UI

Malicious files are detected and blocked before they have full access to the system

Forensics data is captured (source URL, file hash, etc.)

Diagram: ePO; Client UI; TIE; Threat Prevention; Web Control; Firewall

Presenter
Presentation notes
Let’s take a look at a very common use case of a user downloading a malicious file and see how the module-to-module communication works to provide enhanced protection. In the current products, a file getting downloaded from the web and getting scanned through on-access scanning are two separate events. In Endpoint Security 10, since both products can now communicate with each other, when a file is downloaded, the Web Control module sends a file hash to the Threat Prevention module. The Threat Prevention module triggers an immediate on-demand scan of the file. You can also configure GTI sensitivity in ePO for these types of scenarios. Then, based on the results of the scan, the product takes the necessary action. This provides significant advantages: you can now scan the file at the point of entry with a higher GTI sensitivity level, since it is coming from the web, before it has full access to the system, thus providing better protection. And it allows us to capture better forensics data if a detection occurs (source URL, attack vector, file hash, etc.).
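The hand-off described above, as an added example that is not McAfee code or part of the original deck: Web Control hashes the download, Threat Prevention scans that hash at a higher sensitivity than the ordinary on-access path because the file came from the web, and the resulting event (with source URL and attack vector) is shared with subscribers standing in for ePO and the client UI. The reputation table, the sensitivity thresholds, the module functions and the event bus are all constructed for illustration; real GTI sensitivity levels are configured in ePO and are not these numbers.

```python
"""Simulation of the ENS core-protection download flow: Web Control hands the
downloaded file's hash to Threat Prevention, which runs an immediate on-demand
scan (ODS) at a higher GTI sensitivity because the file came from the web,
then shares the event with ePO and the client UI.
Added example, not McAfee code: the reputation cache, sensitivity thresholds,
module functions and event bus are constructed for illustration."""
import hashlib
from dataclasses import dataclass

# Constructed sensitivity levels: a scan blocks when the reputation score
# reaches the threshold. Real GTI sensitivity is configured in ePO.
SENSITIVITY_THRESHOLD = {"low": 90, "medium": 70, "high": 50, "very_high": 30}

# Constructed local reputation cache: sha256 hex -> score (0 clean .. 100 malicious).
REPUTATION_CACHE = {}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def register_reputation(data: bytes, score: int) -> str:
    """Seed the constructed cache (stands in for a GTI/TIE lookup result)."""
    digest = sha256_hex(data)
    REPUTATION_CACHE[digest] = score
    return digest


@dataclass
class ScanEvent:
    module: str            # module that raised the event
    sha256: str
    verdict: str           # "blocked", "allowed" or "unknown"
    sensitivity: str
    source_url: str = ""   # forensics captured at the point of entry
    attack_vector: str = ""


class EventBus:
    """Stand-in for module-to-module sharing; ePO and the client UI subscribe."""

    def __init__(self) -> None:
        self.subscribers = {}

    def subscribe(self, name: str) -> None:
        self.subscribers[name] = []

    def publish(self, event: ScanEvent) -> None:
        for inbox in self.subscribers.values():
            inbox.append(event)


def threat_prevention_scan(sha256: str, sensitivity: str) -> str:
    """On-demand scan by hash at the requested sensitivity."""
    score = REPUTATION_CACHE.get(sha256)
    if score is None:
        return "unknown"
    return "blocked" if score >= SENSITIVITY_THRESHOLD[sensitivity] else "allowed"


def web_control_download(data: bytes, source_url: str, bus: EventBus,
                         web_sensitivity: str = "high") -> ScanEvent:
    """Web Control path: hash the download, trigger the ODS at web sensitivity,
    keep the source URL and attack vector, and share the event."""
    digest = sha256_hex(data)
    verdict = threat_prevention_scan(digest, web_sensitivity)
    event = ScanEvent("Threat Prevention", digest, verdict, web_sensitivity,
                      source_url=source_url, attack_vector="web download")
    bus.publish(event)
    return event


def on_access_scan(data: bytes, bus: EventBus, sensitivity: str = "medium") -> ScanEvent:
    """Ordinary on-access scan path: no web context, default sensitivity."""
    digest = sha256_hex(data)
    verdict = threat_prevention_scan(digest, sensitivity)
    event = ScanEvent("Threat Prevention", digest, verdict, sensitivity)
    bus.publish(event)
    return event


def demo() -> dict:
    """The same constructed sample scanned through both paths."""
    sample = b"constructed-suspicious-download"   # constructed bytes, not malware
    register_reputation(sample, 60)               # constructed "probably bad" score
    bus = EventBus()
    bus.subscribe("ePO")
    bus.subscribe("client UI")
    web = web_control_download(sample, "http://example.invalid/dl/setup.exe", bus)
    local = on_access_scan(sample, bus)
    return {"web": web.verdict, "on_access": local.verdict,
            "epo_events": len(bus.subscribers["ePO"]),
            "ui_events": len(bus.subscribers["client UI"]),
            "source_url": web.source_url}


if __name__ == "__main__":
    print(demo())
```

The same score is blocked on the web path and allowed on the on-access path purely because of the sensitivity applied at the point of entry, which is the advantage the notes describe.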
Page 28

Dynamic Application Containment

Maintains productivity while securing patient-zero and isolating the network

How DAC works

1. Integrated with ENS and Active Response
2. Reputation or Admin triggers DAC
3. Suspicious application is contained
4. Application runs, blocks malicious processes
5. Real Protect or a sandbox analyze further
6. File data is traced, collected and reported
7. If dirty, terminate. If clean, release

Containment rules

Passwords: Blocks access to an insecure password hash file in the Windows System32 directory

Cookies: Blocks changes to the browser cookies folders from non-browser apps

Injection: Blocks changing memory or creating threads in any other process

Lateral Movement: Blocks creation or copying of files to a network file location (e.g. on another PC or server)

Propagation: Blocks creation of files on any physical external memory device (e.g. USB)

Scripts & Executables: Blocks creating files (bat, exe, jpg, html, bmp, vbs) that are used later to launch further attack stages

Hiding: Blocks scheduling tasks on the system, which can be used to avoid security scanners

Registry: Blocks registry modifications that are used to create entry points and establish persistence

Presenter
Presentation notes
To trace dynamic behavior we have to allow malware to run, so it can cause damage in a second. That’s where Dynamic Application Containment can help. DAC lets the malware load into memory, but stops it from making changes to the endpoint. Now we can trace behavior by looking at what the application is actually trying to do (i.e. checking passwords, making changes to cookies, injecting code, moving laterally, etc.). This secures the first endpoint, or “patient zero”, while keeping the endpoint productive, and provides the data necessary for deeper analysis.
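The containment rules and the terminate-or-release decision above, as an added example that is not McAfee code or part of the original deck: a contained process keeps running, each attempted action is matched against the eight rule categories on the slide, every attempt is traced, and the later verdict decides whether the process is terminated or released. The action schema, the matching logic and every path, registry key, drive letter and placeholder file name below are constructed for illustration and are not the product's real rule definitions.

```python
"""Simulation of the Dynamic Application Containment rule set listed above.
A contained process keeps running, the listed actions are blocked, every
attempt is traced, and the Real Protect / sandbox verdict decides whether the
process is terminated or released (step 7).  Added example, not McAfee code:
the action schema, the matching logic and every path, key and extension list
below are constructed placeholders, not the product's real rule definitions."""
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Optional

# Constructed placeholders for the locations the rules refer to (lower-case).
PASSWORD_HASH_FILES = {r"c:\windows\system32\config\password-hash-file.example"}
COOKIE_FOLDERS = (r"c:\users\alice\appdata\local\browser\cookies",)
REMOVABLE_DRIVES = ("e:", "f:")
PERSISTENCE_KEYS = (r"hklm\software\microsoft\windows\currentversion\run",
                    r"hkcu\software\microsoft\windows\currentversion\run")
STAGED_EXTENSIONS = {".bat", ".exe", ".jpg", ".html", ".bmp", ".vbs"}  # as listed on the slide


@dataclass
class Action:
    kind: str                         # file_read, file_create, file_write, file_copy,
                                      # registry_set, task_create, mem_write, thread_create
    target: str = ""                  # path, registry key or task name
    target_pid: Optional[int] = None  # for mem_write / thread_create


@dataclass
class ContainedProcess:
    pid: int
    image: str
    is_browser: bool = False
    state: str = "contained"          # contained -> terminated | released
    trace: list = field(default_factory=list)

    def _rule_for(self, a: Action) -> Optional[str]:
        """Return the name of the containment rule the action violates, if any."""
        t = a.target.lower()
        ext = PureWindowsPath(t).suffix
        if a.kind == "file_read" and t in PASSWORD_HASH_FILES:
            return "Passwords"
        if a.kind in ("file_create", "file_write") and not self.is_browser \
                and t.startswith(COOKIE_FOLDERS):
            return "Cookies"
        if a.kind in ("mem_write", "thread_create") and a.target_pid not in (None, self.pid):
            return "Injection"
        if a.kind in ("file_create", "file_copy") and t.startswith("\\\\"):
            return "Lateral Movement"
        if a.kind == "file_create" and t.startswith(REMOVABLE_DRIVES):
            return "Propagation"
        if a.kind == "file_create" and ext in STAGED_EXTENSIONS:
            return "Scripts & Executables"
        if a.kind == "task_create":
            return "Hiding"
        if a.kind == "registry_set" and t.startswith(PERSISTENCE_KEYS):
            return "Registry"
        return None

    def attempt(self, a: Action) -> dict:
        """Steps 4 and 6: actions are blocked only while contained; every attempt is traced."""
        rule = self._rule_for(a) if self.state == "contained" else None
        record = {"kind": a.kind, "target": a.target, "blocked": rule is not None, "rule": rule}
        self.trace.append(record)
        return record

    def blocked_rules(self) -> list:
        return [r["rule"] for r in self.trace if r["blocked"]]

    def finalize(self, verdict: str) -> str:
        """Step 7: a 'dirty' verdict terminates the process, anything else releases it."""
        self.state = "terminated" if verdict == "dirty" else "released"
        return self.state


def demo() -> dict:
    """Constructed trace of one contained process, followed by a 'dirty' verdict."""
    proc = ContainedProcess(pid=4242, image="invoice_viewer.exe")   # constructed
    for a in (
        Action("file_create", r"c:\users\alice\appdata\local\temp\notes.txt"),
        Action("file_create", r"c:\users\alice\appdata\local\temp\stage2.vbs"),
        Action("registry_set", r"hkcu\software\microsoft\windows\currentversion\run\updater"),
        Action("task_create", "DailyUpdateCheck"),
        Action("thread_create", target_pid=1234),
        Action("file_create", r"\\fileserver\share\tool.exe"),
        Action("file_create", r"e:\payload.exe"),
    ):
        proc.attempt(a)
    return {"blocked": proc.blocked_rules(),
            "allowed": [r["target"] for r in proc.trace if not r["blocked"]],
            "state": proc.finalize("dirty")}


if __name__ == "__main__":
    print(demo())
```

The benign text file write goes through, which is the "keeps the endpoint productive" half of the slide; the trace collected along the way is the data the next analysis stage consumes.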
Page 29

Real Protect Static – Unmask Zero-Day Malware

How it Works

1. Real Protect Static gathers static properties (or features) from known-malware binaries on the backend
2. This information is fed to machine-learning (“ML”) algorithms on the backend to create “Real Protect Static ML Models” of each malware binary type
3. On the endpoint, Real Protect Static can query either the local “ML Model” library or do a match lookup in the cloud, depending on the product solution
4. If a match occurs, Real Protect Static informs the endpoint solution of this fact and remediation occurs if needed

Customer Benefits

Detects zero-day malware pre-execution
Works in the presence of blocking protection as well as offline
Faster response and reduced need for human analysis
Requires very few resources on the endpoint
Reduces endpoint administrator headaches

Presenter
Presentation notes
Real Protect Static detects malware on the endpoint based on the analysis of the static file attributes. Customer benefits:
Detects zero-day malware pre-execution: detects obfuscated, polymorphic malware with static attribute analysis, comparing it to known malware.
Works in the presence of blocking protection as well as offline: improves detection in conjunction with Dynamic Application Containment, HIPS, Firewall, etc., or offline.
Faster response and reduced need for human analysis: analysis and match happen very quickly; an ML-based system means this is extensible with very few resources.
Requires very few resources on the endpoint: both RAM and HDD/SSD requirements are very modest (a few MB).
Reduces endpoint administrator headaches: due to a dramatic reduction in zero-day malware remediation.
Page 30

How Real Protect Dynamic Detection Works

1. Endpoint receives greyware. Based on intelligence scoring, the endpoint security product asks for a Real Protect assessment.
2. Real Protect allows the process(es) to run and traces behaviors.
3. Real Protect sends behavior information to the cloud for analysis.
4. Real Protect Cloud uses machine learning to compare the behavior to known malware behavior(s).
5. Real Protect sends comparison results to the endpoint for disposition.
6. If dirty, the endpoint asks Real Protect for remediation.

Presenter
Presentation notes
Courtesy of Robert Leong in McAfee Labs.
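The six-step exchange above with both sides' messages, as an added example that is not McAfee code or part of the original deck. The endpoint requests an assessment when the intelligence score crosses a threshold, reports the behaviours it traced, receives the cloud's disposition and, only on a dirty verdict, asks for remediation. The message format, the behaviour vocabulary, the known-malware profiles, both thresholds and the set-overlap comparison (a constructed stand-in for the cloud's machine learning, which the slide does not detail) are all assumptions.

```python
"""Message-level simulation of the Real Protect Dynamic exchange (steps 1-6
above): the endpoint lets a greyware process run under trace, ships the
observed behaviours to the cloud, receives a disposition and, if dirty, asks
for remediation.  Added example, not McAfee code: the message format, the
behaviour vocabulary, the known-malware profiles, the thresholds and the
set-overlap comparison (a stand-in for the cloud's machine learning) are all
constructed for illustration."""
from dataclasses import dataclass

# Constructed behaviour profiles the cloud side compares traces against.
KNOWN_MALWARE_PROFILES = {
    "ransomware-like": {"enumerate_user_files", "rename_many_files",
                        "delete_backups", "write_ransom_note"},
    "dropper-like": {"write_exe_to_temp", "create_run_key",
                     "spawn_child_exe", "outbound_http"},
}
ASSESSMENT_SCORE = 40    # constructed: intelligence score at which step 1 fires
DIRTY_SIMILARITY = 0.6   # constructed: overlap at which the cloud says "dirty"


@dataclass
class Message:
    sender: str   # "endpoint" or "cloud"
    kind: str
    payload: dict


class RealProtectCloud:
    """Cloud side: steps 4 and 5."""

    @staticmethod
    def similarity(behaviours: set, profile: set) -> float:
        """Jaccard overlap between a trace and a known-malware profile."""
        union = behaviours | profile
        return len(behaviours & profile) / len(union) if union else 0.0

    def compare(self, behaviours: set) -> dict:
        closest, best = None, 0.0
        for name, profile in KNOWN_MALWARE_PROFILES.items():
            sim = self.similarity(behaviours, profile)
            if sim > best:
                closest, best = name, sim
        verdict = "dirty" if best >= DIRTY_SIMILARITY else "clean"
        return {"verdict": verdict, "closest": closest, "similarity": round(best, 2)}

    def handle(self, report: Message) -> Message:
        if report.kind != "behavior_report":
            raise ValueError("unexpected message: " + report.kind)
        return Message("cloud", "disposition",
                       self.compare(set(report.payload["behaviours"])))


def endpoint_assessment(process: str, intel_score: int, observed: list,
                        cloud: RealProtectCloud) -> list:
    """Endpoint side: steps 1-3 and 6. Returns the full message transcript.
    `observed` stands in for the behaviours the tracer recorded in step 2."""
    transcript = []
    if intel_score < ASSESSMENT_SCORE:
        transcript.append(Message("endpoint", "no_assessment",
                                  {"process": process, "score": intel_score}))
        return transcript
    transcript.append(Message("endpoint", "assessment_request",           # step 1
                              {"process": process, "score": intel_score}))
    report = Message("endpoint", "behavior_report",                        # steps 2-3
                     {"process": process, "behaviours": sorted(observed)})
    transcript.append(report)
    disposition = cloud.handle(report)                                     # steps 4-5
    transcript.append(disposition)
    if disposition.payload["verdict"] == "dirty":                          # step 6
        transcript.append(Message("endpoint", "remediation_request",
                                  {"process": process, "action": "terminate and clean up"}))
    return transcript


def demo() -> dict:
    """Two constructed greyware traces: one matches a dropper profile, one does not."""
    cloud = RealProtectCloud()
    dirty = endpoint_assessment("macro_helper.exe", 65,
                                ["write_exe_to_temp", "create_run_key", "spawn_child_exe"], cloud)
    clean = endpoint_assessment("photo_tool_setup.exe", 55,
                                ["write_exe_to_temp", "outbound_http", "show_installer_ui"], cloud)
    return {"dirty": [m.kind for m in dirty], "clean": [m.kind for m in clean],
            "dirty_similarity": dirty[2].payload["similarity"]}


if __name__ == "__main__":
    print(demo())
```

Two traces that share a behaviour (writing an executable to a temp folder) end up with different dispositions because the comparison is against whole profiles, not single indicators; the second trace stays clean and no remediation message is sent.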
Page 31

ENS McAfee Client Proxy Agent

Automatically routes all internet traffic to McAfee Web Protection to filter malware before the endpoint

Automatically route all internet traffic to the web gateway

Proactive zero-day malware prevention before it reaches the endpoint

Picks cloud or on-premises based on location

Persistent protection for off-network users

Diagram: Off-network (MCP); On-network (MCP)

Presenter
Presentation notes
Starting with ENS 10.5, all endpoint agents will feature a “client proxy”, capable of routing all internet traffic to either a cloud-based or on-premises McAfee Web Gateway. This delivers several benefits to the customer:
Web Gateway (on-prem and cloud) features a zero-day emulation engine, which stops nearly 20% more malware than competing web gateways. This means less cleanup at the endpoint, and enables security teams to shift their efforts to more strategic activities like detection and response (EDR).
The client proxy within ENS routes internet traffic to the cloud version of Web Gateway when endpoints are off-network, such as at a coffee shop or home office. This eliminates the gap in off-network user protection, providing the same level of web security as on-network.
Deployment of web security is much simpler with McAfee than with any other vendor. Endpoint clients are ready to route traffic and even authenticate the user, removing those steps completely. This is a prime example of efficiency delivered through integration.
Additional details on the client proxy (MCP): there are many routing options for Web Protection, including network-based methods such as IPsec, or even using PAC files. Our recommended approach is a client agent (now a feature of ENS), which we call McAfee Client Proxy (MCP).
Page 32

McAfee Active Response – Detect, Contain and Eliminate Advanced Threats

Persistent monitoring of critical events and state changes

Continuous collectors to find and visualize all files

Set traps to trigger automatic or customized responses

Efficient management of detection and response from a single console

Diagram: Immediate Action; Automated Responses; Continuous Monitoring

Presenter
Presentation notes
McAfee Active Response includes endpoint detection and response (EDR) capabilities to proactively identify, hunt and remediate threats. Continuous monitoring and customizable collectors search deeply for indicators of attack that are not only running or lying dormant, but may have even deleted themselves to evade detection. Integrated live search provides event timelines for enhanced hunting, and automated responses provide live security protection without manual intervention.
Persistently monitor critical events and state changes at endpoints.
View and act on prioritized alerts or custom and standard queries.
Use continuous collectors to find and visualize all files: executable, dormant or even deleted.
Set traps, triggering automatic or customized responses.
Analyze timelines and live searches.
Single-click to stop threats and update protection across all endpoints.
Page 33

Rapidly Hunt and Respond

Find and resolve potential threats in seconds, rather than days

What is Watched

Processes: all process create/terminate events are tracked for genealogy (parent-child relationships). Traced processes include:
All processes with unknown or suspicious reputation
Browsers, script hosts
Child processes of a traced process
Code-injected processes
PowerShell

System Info: Login/logout

Risk identification: Persistence, Exfiltration, Injection, Self Protection, Recon, Infiltration, Stealth

Presenter
Presentation notes
Use McAfee Active Response to answer key questions, like: What do we already know about this threat? Which endpoint did it start on? Which endpoint is it behaving the worst on? What happened on the endpoint itself? What risky behaviors have been seen? Has this ever been seen anywhere else before? Use the valuable endpoint-level data to determine the full scope of an attack and quickly remediate with confidence.
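The process-watching rules on this slide, as an added example that is not McAfee code or part of the original deck: every create/terminate event is kept for genealogy (terminated processes stay in the tree), and a process becomes traced when its reputation is unknown or suspicious, it is a browser or script host (PowerShell included), it has been code-injected, or its parent is already traced. The event API, the reputation strings, the image-name lists and the sample event stream are constructed for illustration; the product's own collector format is not shown on the slide.

```python
"""Simulation of the 'What is Watched' process rules above: every process
create/terminate event is recorded for genealogy, and a process becomes
traced when its reputation is unknown or suspicious, it is a browser or
script host (PowerShell included), it has been code-injected, or its parent
is traced.  Added example, not McAfee code: the event API, reputation
strings and image-name lists are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Optional

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}       # constructed list
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}  # constructed list
TRACED_REPUTATIONS = {"unknown", "suspicious"}


@dataclass
class Proc:
    pid: int
    image: str
    ppid: Optional[int]
    reputation: str
    alive: bool = True
    traced: bool = False
    reasons: list = field(default_factory=list)


class ProcessTree:
    """Genealogy store: terminated processes stay in the tree for hunting."""

    def __init__(self) -> None:
        self.procs = {}

    def _mark(self, proc: Proc, reason: str) -> None:
        proc.traced = True
        proc.reasons.append(reason)

    def on_create(self, pid: int, image: str, ppid: Optional[int],
                  reputation: str = "known_good") -> Proc:
        proc = Proc(pid, image, ppid, reputation)
        self.procs[pid] = proc
        name = image.lower()
        if reputation in TRACED_REPUTATIONS:
            self._mark(proc, "reputation:" + reputation)
        if name in BROWSERS:
            self._mark(proc, "browser")
        if name in SCRIPT_HOSTS:
            self._mark(proc, "script-host")        # PowerShell falls under this rule
        parent = self.procs.get(ppid)
        if parent is not None and parent.traced:
            self._mark(proc, "child of traced pid %d" % ppid)
        return proc

    def on_terminate(self, pid: int) -> None:
        if pid in self.procs:
            self.procs[pid].alive = False        # kept in the tree, not removed

    def on_inject(self, source_pid: int, target_pid: int) -> None:
        """A process that received injected code is traced from now on;
        children it spawns afterwards inherit the trace via on_create."""
        target = self.procs.get(target_pid)
        if target is not None:
            self._mark(target, "code-injected by pid %d" % source_pid)

    def ancestry(self, pid: int) -> list:
        """Image names from the root ancestor down to pid."""
        chain = []
        while pid in self.procs:
            proc = self.procs[pid]
            chain.append(proc.image)
            pid = proc.ppid
        return list(reversed(chain))

    def traced_pids(self) -> list:
        return sorted(p.pid for p in self.procs.values() if p.traced)


def demo() -> dict:
    """Constructed event stream: a document viewer spawns PowerShell, which spawns
    an unknown binary that injects into an unrelated editor process."""
    tree = ProcessTree()
    tree.on_create(400, "explorer.exe", None)
    tree.on_create(410, "outlook.exe", 400)
    tree.on_create(520, "winword.exe", 410)
    tree.on_create(530, "powershell.exe", 520)
    tree.on_create(540, "updater.exe", 530, reputation="unknown")
    tree.on_create(550, "notepad.exe", 400)
    tree.on_inject(540, 550)
    tree.on_create(560, "cmd.exe", 550)
    tree.on_terminate(540)
    return {"traced": tree.traced_pids(),
            "ancestry_560": tree.ancestry(560),
            "reasons_540": tree.procs[540].reasons,
            "terminated_kept": 540 in tree.procs and not tree.procs[540].alive}


if __name__ == "__main__":
    print(demo())
```

The untraced parents (explorer, outlook, winword) are still in the tree, so the genealogy of a traced child can be walked back to its origin even after the unknown binary has terminated, which is what "Which endpoint did it start on?" and "What happened on the endpoint itself?" depend on.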
Page 34

Rapidly Hunt and Respond

Find and resolve potential threats in seconds, rather than days

Single view to see, investigate and take action

Dashboard automatically categorizes suspicious events

Visualize threat trends across the enterprise

Surface high priority threats by prevalence and age

Correlate all hosts a threat has been seen on

Identify live, dormant, or even deleted threats across all endpoints

Take immediate action at a single endpoint or across the entire organization

Presenter
Presentation notes
The McAfee Active Response Threat Workspace makes it easier to investigate and respond to threats:
Left panel: automatically categorize suspicious events based on observed (traced) behavior.
Top center: drill into threats by pre-defined categories.
Center bar graph: visualize threat trends across the enterprise.
Center list: select an individual threat and see the list of hosts that the threat has been seen on.
Center bottom: select a single host, select a process and see the actual event timeline (see previous slide).
Top right panel: threat name, risk level and actions (set malicious or known good; select one or more of the infected systems and stop the process, or stop and delete).
Bottom right panel: enterprise-wide reputations provided by the TIE server, with the ability to view and set the enterprise-wide reputation of potential threats.
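The triage logic behind the workspace bullets above (correlate the hosts a threat was seen on, surface threats by prevalence and age, cover live, dormant and deleted instances, and act once a reputation is set), as an added example that is not McAfee code or part of the original deck. The sighting format, the ordering rule (prevalence first, then longest presence), the response vocabulary and all sample data are constructed; the hash values are labelled placeholders, not real indicators.

```python
"""Simulation of the Threat Workspace triage described above: sightings from
many hosts are correlated per threat, prevalence and age are computed, the
list is ordered to surface high-priority threats, and a per-host response plan
is produced for live, dormant or already-deleted instances.  Added example,
not McAfee code: the sighting format, the priority ordering, the response
vocabulary and all sample data are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Sighting:
    host: str
    sha256: str          # placeholder values below, not real hashes
    first_seen: datetime
    state: str           # "live", "dormant" or "deleted"


NOW = datetime(2017, 6, 9)   # constructed reference time
SAMPLE = [                   # constructed sightings
    Sighting("ws01", "sha256-placeholder-aaaa", datetime(2017, 6, 7), "live"),
    Sighting("ws02", "sha256-placeholder-aaaa", datetime(2017, 6, 1), "dormant"),
    Sighting("ws03", "sha256-placeholder-aaaa", datetime(2017, 6, 5), "deleted"),
    Sighting("ws02", "sha256-placeholder-bbbb", datetime(2017, 6, 8), "live"),
    Sighting("ws04", "sha256-placeholder-cccc", datetime(2017, 5, 20), "live"),
    Sighting("ws05", "sha256-placeholder-cccc", datetime(2017, 5, 25), "dormant"),
]


def summarize(sightings: list, now: datetime) -> list:
    """One row per threat: hosts it was seen on, prevalence, age in days.
    Ordered by prevalence, then by age (longest present first): a constructed choice."""
    by_hash = defaultdict(list)
    for s in sightings:
        by_hash[s.sha256].append(s)
    rows = []
    for sha, group in by_hash.items():
        hosts = sorted({s.host for s in group})
        first = min(s.first_seen for s in group)
        rows.append({
            "sha256": sha,
            "hosts": hosts,
            "prevalence": len(hosts),
            "age_days": (now - first).days,
            "states": sorted({s.state for s in group}),
        })
    rows.sort(key=lambda r: (-r["prevalence"], -r["age_days"]))
    return rows


def response_plan(sightings: list, sha256: str, reputation: str) -> dict:
    """Per-host action once an analyst sets the enterprise reputation:
    'malicious' stops and deletes live copies, deletes dormant ones and keeps a
    record of hosts where the file was already deleted; any other reputation
    takes no action."""
    plan = {}
    for s in sightings:
        if s.sha256 != sha256:
            continue
        if reputation != "malicious":
            plan[s.host] = "no action"
        elif s.state == "live":
            plan[s.host] = "stop process and delete"
        elif s.state == "dormant":
            plan[s.host] = "delete"
        else:
            plan[s.host] = "already deleted, keep for hunting"
    return plan


if __name__ == "__main__":
    for row in summarize(SAMPLE, NOW):
        print(row)
    print(response_plan(SAMPLE, "sha256-placeholder-aaaa", "malicious"))
```

Deleted instances are deliberately kept in both the summary and the plan: the slide's point is that a threat which removed itself still counts toward prevalence and still marks a host worth hunting on.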