McAfee Security Connected · 2017-06-09 · McAfee Th\൲eat Intelligence Exchange narrows the gap from encounter to containment for advanced targeted attacks from days, weeks, and
34
McAfee Confidential McAfee Security Connected Nicolas LEHOUX | Sales Engineer
While malware continues to be very pervasive and a growing method of attack, we have seen a shift towards new threat techniques that are more difficult to detect such as zero-day attacks, greyware and ransomware. Many of these attacks are getting past traditional protection measures, so there is a concerted effort among security architects to find new and innovative protection capabilities that will help them stay ahead of these type of threats. Many security architects are looking at ways to be able to find potential threats within their environments, which is critical to start any time of correction and remediation action. What follow next is to be able to do investigation with maximum contextual information and to be able to quickly and easily remediate threats across all endpoints. The challenge here is to ensure that the and many vendors touting that traditional AV is dead, companies are looking to new, innovative standalone point products in a desperate attempt to stop the attacks.
Quests for a “Silver Bullet” are Hurting, Not Helping
80%1 of organizations cite endpoint security processes and technology management as more difficult that it was two years ago.
5 Different Consoles10 Different AgentsMultiple Siloed Point Products
. . . .
Source: (1) ESG Research Report: The Endpoint Security Paradox
Silver Bullet FeatureWith “Free Security”
+O/S
4
Vorführender
Präsentationsnotizen
Security architects feel the pressures of the endpoint challenges within their environment. Well intentioned indeed, many security architects will find themselves in desperate times, and quickly start searching for the best of breed solution or silver bullet to halt the endpoint mayhem. However, the multiple siloed security products have compounded complexity, by introducing an average of 10 different agents1 on the endpoint, and created a management nightmare requiring five different consoles1 and endless manual correlations. Sadly, an already stretched IT Security Administrator is left juggling a myriad of specialized security, hoping that the security posture is improved. each single-point-of-failure catches what the previous one missed, and trying to decrease the friction that drives up false positives, leaves gaps for unknown threats to hide in, and frequently stands in the way of productivity. No wonder 80%2 of organizations cite endpoint security processes and technology management as more difficult than it was two years ago Forrester Study (Our sponsored technology adoption profile study) ESG Study, 2016
Not only fatigue, but security posture for the endpoint has not improved…
And the Result Is?
Hidden Threats+200 days1 is the time it take
on average to identify a malicious attack
Insight8 days1 is the average it
takes for a security investigation
Security Gaps62%1 of cases attackers
compromised organizations within minutes
Source: (1) Verizon Data Breach Report, 2016.
5
Vorführender
Präsentationsnotizen
Source: Verizon Data Breach Report, 2016 What is happening is eventually fatigue sets in, but security posture has not improved for the endpoint environment. The hope remains that each single-point product (or silver bullet product) will catch what the previous one missed, friction is increased with lack of threat sharing and increase in false positives. This situation leaves security gaps and we still see that 62% of cases attackers compromised organizations within minutes. Also, this approach frequently leaves gaps for unknown threats to hide in, and we see today it takes most customers about 200 days on average to identify a malicious attack. Then, once you know a breach has occurred complexities and lack of contextual information lead to a much longer time to investigate. It takes about 8 days on average…just think of what can happen during an 8 day period.
Unlike other security vendors, McAfee provides a connected platform with integrated tools that deliver better protection while preserving your most valuable resource – time. Dynamic Endpoint Threat Defense (Dynamic Endpoint) breaks down siloed security by combining established protection such as firewall, reputation and heuristics with cutting-edge capabilities such as machine learning and dynamic application containment, and adds native endpoint detection and response into a single platform agent, with a single management console. It uses integrated, multi-stage protection to keep users productive and connected while stopping zero-day malware, like ransomware, before it can infect the first endpoint. Exposure from hidden threats drops to seconds, rather than days or weeks, through instant visibility, simpler investigations and the ability to use one-click correction across the entire organization.
Machine learningMultistage defense Single modular agent
Reduced agent sprawl
Consolidated management
Lower TCO
The power of AI to combat the most sophisticated emerging threats with
static and dynamic analysis
Protect, detect, and correct with blended countermeasures and the
power of cloud-assisted analytics and intelligence
Vorführender
Präsentationsnotizen
Unlike other security vendors, McAfee provides a connected platform with integrated tools that deliver better protection while preserving your most valuable resource – time. Dynamic Endpoint Threat Defense (Dynamic Endpoint) breaks down siloed security by combining established protection such as firewall, reputation and heuristics with cutting-edge capabilities such as machine learning and dynamic application containment, and adds native endpoint detection and response into a single platform agent, with a single management console. It uses integrated, multi-stage protection to keep users productive and connected while stopping zero-day malware, like ransomware, before it can infect the first endpoint. Exposure from hidden threats drops to seconds, rather than days or weeks, through instant visibility, simpler investigations and the ability to use one-click correction across the entire organization.
framework encompassing traditional and advanced defense techniques
McAfee Web Protection(via McAfee Client
Proxy Agent)Stops the majority of zero-day
malware before it reaches an endpoint
Vorführender
Präsentationsnotizen
Let’s take a look at the set of sophisticated protections needed to protect your endpoint environment from advanced and emerging threats: McAfee Endpoint Security 10 Intelligent and collaborative framework for advanced targeted attack protection powered by the industry’s largest global threat intelligence network A true centrally managed, protect, detect, and respond endpoint solution with a single user interface Endpoint detection and response capabilities Dynamic Application Containment is available as part of McAfee Complete Endpoint Protection- Enterprise and helps customers protect against greyware, 0-day and patient-zero threats – before they have access to their systems McAfee Threat Intelligence Exchange: enables adaptive threat detection and response by operationalizing intelligence across your endpoint, gateway, network, and data center security solutions in real time. Combining imported global threat information with locally collected intelligence and sharing it instantly across the Data Exchange Layer (DXL), allows security solutions to operate as one, exchanging and acting on shared intelligence. McAfee Threat Intelligence Exchange narrows the gap from encounter to containment for advanced targeted attacks from days, weeks, and months down to milliseconds. McAfee Active Response: detects and corrects threats to provide security beyond the required level of protection. It offers continuous visibility and powerful insights into endpoints, so customers can identify breaches faster and gain control over the threat defense lifecycle. McAfee Active Response provides tools that enable customers to correct issues faster and in the way that makes the most sense for your customer’s business. McAfee Web Gateway (via Client Proxy Agent): Best-in-class protection from emerging threats with a unique behavioral protection engine that stops the majority of zero-day malware from the internet before it reaches an endpoint. McAfee Advanced Threat Defense: Protects against advanced malware, including zero-day and advanced persistent threats. McAfee ePolicy Orchestrator: Complete centralized management via ePO for increased control & visibility which helps lower security operational costs
Presents threat data in intuitive, common language
Integrates seamlessly with EDR to remediate and adapt
ePolicyOrchestrator
Adaptive Threat Protection
WEBControl
Threat Prevention
TIE Firewall
Vorführender
Präsentationsnotizen
Key Points Comprised of dynamic modules that create a multi-layered defense; unique to the industry Introduces machine learning and behavior based protection, for better defense than signature based techniques as part of Adaptive Threat Protection Module Local endpoint contains malware with Dynamic Application Containment based on behavior, thus stopping the spread of malware – ideal protection for threats such as ransomware Utilizes an intelligent feed for threat information that all modules connect to for faster detection Collaborates with EDR to remediate and adapt, resulting in removal of threats entirely Presents threat event data in intuitive, common language, shows what actions were taken and what the point of origin was Endpoint Security 10 offers several other improvements besides integration. Let’s take a quick look at 3 of the 10 modules. Threat Prevention Module: This includes OAS, ODS, Access Protection functionality, and unified buffer overflow protection technologies (aka memory protection) of VSE and HIPS to protect against exploits. Firewall Module: This is the equivalent of HIPS FW Web Control Module: This is the equivalent of SAE and WFE. Advanced Protection Module: Dynamic App Containment reduces greyware’s ability to make changes on the system, it contains the malware preventing further damage to your security infrastructure. � The TIE module: An optional threat intelligence module that further informs the other defenses within ENS 10 with several threat intelligence feeds from around the world All modules benefit from the McAfee Endpoint Security platform by utilizing common services, module to module communication, etc.
Dynamic Application ContainmentLocal Endpoint execution containment stops the spread of greyware and ransomware
11
Saves “Patient Zero” by reducing or eliminating unknown apps to make malicious changes
Defeat “sandbox-aware” malware as detection occurs at the endpoint
Easier and less costly to deploy by not requiring a sandbox or virtual machine solution
Create customized containment rules Works online or offline Contain greyware and its ability to make
changes on the endpoint while running endpoint detection analysis
Contain all processes. i.e. .exe;.jpg; .bmp and file modifications
Vorführender
Präsentationsnotizen
To trace dynamic behavior we have to allow malware to run. So it can cause damage in a second. What’s where virtualization or sandbox helps. You let the malware run in contained sandbox environment. But its not possible to create a vm at endpoint to trace behavior. Therefore, we came up with DAC. DAC is Dynamic App containment. It reduces ability of greyware to make changes on the system. We can trace behavior by looking at what app is trying to do. Malware will be unable to do any action but all attempts will be recorded. And that’s what we need to trace behavior. We will be able to trace behavior without heavy weight technologies like sandbox or machine learning. For containment we will be using access control rules which already exists in ENS. Customers can create their own rules as well. Sandbox is commonly used by appliance therefore, vm aware malwares are rising. This technology can catch sandbox aware malware as well. Its best technology to restrict patient zero. First instance of malware itself will be contained. Other benefits includes time to react as sandbox is not involved. What happens if it’s a good app. Unlike app control where everything is blocked behavioral technologies will allow apps to run. If it’s a good app then containment rules will not block the app and hence it will run without impacting business continuity.
Detect malware based on pre-execution static binary analysis using machine learning and comparison to
known malware attributes
Real Protect Dynamic (Post-Execution)
Detect dynamic behavior of Greyware on the endpoint, compare to known malware behaviors for
a match via behavioral cloud-based machine learning
Block zero-day malware before it executes with static analysis machine learning and dynamic behavioral cloud based machine learning
Pre-and Post Execution is critical to maximize your detection capabilities.
Real Protect
Vorführender
Präsentationsnotizen
There are a lot of silver bullet solutions out there, and in particular as you look at what is labeled in the market as next-generation protection. What Real Protect offers is pre-execution with Static-Analysis Machine Learning and post-execution protection with behavioral cloud-based machine learning. Pre- execution will help to detect more “zero-day” malware based on actual malware static file attributes, than any previous reactive signature-based method. It will help: Detects obfuscated, polymorphic malware in a proactive manner Reduces need for human analysis by levering machine learning = much faster to learn and adapt to new variants of malware. Core technology can also be used for lateral movement detection, patient zero discovery, threat actor attribution, forensics Post-Execution is delivered via behavioral cloud-based machine learning to help detect more “zero-day” malware based on actual malware behavior compared with signature based or static only method. With the addition of Real Protect Dynamic it will help provide: Detects obfuscated, polymorphic malware in a proactive manner Reduces need for human analysis by levering machine learning = much faster to learn and adapt to new variants of malware. Core technology can also be used for lateral movement detection, patient zero discovery, threat actor attribution, forensics
Threat Intelligence ExchangeSynthesizes intelligence to create a unified system that automatically adapts
13
Centralized Visibility and ControlIncident response knowledgebaseLocal prevalence intelligence
Integrated Endpoint ModuleExecution-time reputation inspection and protection
Open, Connected EcosystemNetwork, gateway, endpoint, and cloud-based countermeasures and intelligence
Data Exchange LayerUltra-fast persistentbidirectional messaging fabric
TIE Server
McAfee Solutions 3rd Party
Partners
Threat Intelligence
Feeds
TIE Endpoints
Vorführender
Präsentationsnotizen
McAfee Threat Intelligence Exchange (TIE) connects security components to share contextual insights and provide organization-wide visibility and control. The real-time insights inform the actions of Real Protect and Dynamic Application Containment. It is a combination of Intel and third party feeds that offers visibility across network, gateway endpoint and cloud-based countermeasures and threat intelligence. Accessing the latest information is easy thanks to its centralized visibility and control where incident response and local intelligence resources are available. It accomplishes all this by using our data exchange layer to communicate with your endpoint defenses.
Because of Behavior AnalysisBecause No Signature Match
Advanced Threat Defense
Family resemblance
Identify evasive attempts
Malware
Safe
Malware
Vorführender
Präsentationsnotizen
McAfee Advanced Threat Defense offers innovative sandbox analysis to detect unknown malware. Unlike traditional sandboxes, it provides multiple analysis engines to broaden detection and expose evasive threats. ATD combines low-touch antivirus signatures, reputation, and real-time emulation defenses with in-depth static code and dynamic analysis (sandboxing) to analyze actual behavior. Combined, this represents the strongest advanced malware security protection on the market and effectively balances the need for both protection and performance. ATD provides detailed malware classification information and allows identification of associated malware leveraging code reuse. Sandbox evasion techniques such as delayed or contingent execution paths, often not executed in a dynamic environment, can be detected through unpacking and full static code analysis.
Web Protection publishes the new malware reputation to TIE
Endpoints and other sensors are updated by TIE immediately, providing reputation for zero-day malware before a new DAT is published
Vorführender
Präsentationsnotizen
In this example, zero-day malware attempting to enter the network is discovered and blocked by the Web Gateway. The Web Gateway shares the information on this malware with the TIE server. Based on policy, TIE can then send out updated file information regarding this malware to all connected components. Endpoints do not need to wait for the latest DAT file update, they are immediate protected once the first encounter with the malware is detected, anywhere in the organization.
Master example: Six products, four vendors, total automation
Vorführender
Präsentationsnotizen
■ Step 1: Detection—Malware is launched on an infected endpoint, connecting to a known Command and Control Server identified by Check Point Anti-Bot. Check Point’s firewall notes the traffic to a known malicious command and control server. Check Point’s firewall publishes an OpenDXL event. ■ Step 2: Identification—The OpenDXL orchestration script has been listening over DXL. It receives the event, and then queries McAfee Active Response to identify, from the source system, which executable made the outbound connection. This allows us to move from just knowing network information (source, destination, port, and more) to file information. And, since McAfee Active Response maintains a historical record of network connections, this will succeed even if the process is no longer running. This provides additional data for Step 4: Scoping. ■ Step 3: Containment—The OpenDXL orchestration script then sets the reputation of the file it has identified to “known malicious” in McAfee Threat Intelligence Exchange. McAfee Threat Intelligence Exchange then broadcasts this new information over DXL, directing McAfee Threat Intelligence Exchange clients to kill the malware processes, thus disconnecting the communications. Note that this will apply to any system running the convicted process. ■ Step 4: Scoping—Although not shown in the demo, McAfee Active Response can be leveraged to find other processes that connected to the same command and control server or other dormant instances of the files that either have not been executed or are no longer running and then remove them. ■ Step 5: Tagging—To complete the cleanup, the systems that McAfee® Active Response has identified as containing malware are tagged in McAfee ePO software by the orchestration script as a hook to allow further activity by the administrator. ■ Step 6: Assessment—The orchestration script triggers a vulnerability scan reaction by Rapid7 Nexpose as a final step to identify all the weaknesses in the compromised systems that could also be exploited. ■ Step 7: Remediation—The orchestration script sends a request to the Aruba ClearPass OpenDXL service to update attributes for systems exposed to malware, which triggers policy enforcement, which can quarantine the device from the network while detailed remediation occurs.
NSS Labs Advanced Endpoint TestExcellent results for McAfee Endpoint Security version 10.5
17
99% Overall Security Effectiveness
100% Tested Evasions Blocked
0% False Positives
Vorführender
Präsentationsnotizen
Our own McAfee Endpoint Security (ENS) version 10.5 was included in the test and achieved a security effectiveness rating of 99% with zero false positives, and 100% of the tested evasions blocked. These results earned McAfee Endpoint Security an NSS Labs Recommended Rating for Advanced Endpoint Protection. Compared with the other vendors, McAfee Endpoint Security (ENS 10.5) did really well, having the second highest security effectiveness rating.
With a strong portfolio of products covering the complete Protect-Detect-Correct Threat Lifecycle and an intelligent and integrated framework via a single console, McAfee provides sophisticated protection for today and tomorrow’s advanced and emerging threats
Essential Protection that Grows with YouMcAfee Endpoint Threat Protection
McAfee Endpoint Threat Protection offers the essential protection you need today and keeps you ready for tomorrow’s advanced threat defense requirements. It delivers integrated threat prevention, firewall, web, email, and device control defenses that work together in real time to analyze and collaborate against threats
ePolicy Orchestrator Threat
Prevention
Web Control
Firewall
Scalable Management Architecture
No more point product integrations
– easily add other McAfee or third party products with ease as
your needs change
True Centralized management with a single pane of glass
simplifies management and saves time spent moving across several
Enhanced Protection for Commercial-sized Organizations*
McAfee Complete Endpoint Protection - Business
A comprehensive suite with collaborative core protection; now with dynamic application containment and machine learning to protect against advanced threats, application control, add-on EDR for instant remediation, and ePolicy Orchestrator for centralized management and reporting.
Add-On EDR
Threat Prevention
Web Control Firewall
True Centralized management with a single pane of glass
Data Protection
Machine Learning
*Limit 2000 nodes, added in Q2 ’17: (Dynamic Application Containment, Real Protect, Application Control), CEB Customers are now eligible for discount on optional EDR2 SKU
ePolicyOrchestrator
Core Protection
ApplicationControl
24
Dynamic Application
Containment
Deployment, Management & Reporting
McAfee Threat Intelligence Exchange (TIE)
McAfee Active Response(MAR)
Vorführender
Präsentationsnotizen
CEB Suite Updates for Q2 2017 - Addition of Adaptive Threat Protection Module which includes Dynamic Application Containment and Real Protect. Also added Application Control. CEB Customers are now eligible for discount on optional EDR2 SKU (same as CTP suite) to get Active Response and TIE. A comprehensive suite with collaborative threat defense against advanced threats with encryption to protect your data, and intrusion prevention and firewall for desktops and laptops to halt zero-day exploits. Phishing and multistage attacks are also blocked thanks to its email, web, and collaborative endpoint defenses, including dynamic application containment and machine learning CEB on McAfee.com => https://www.mcafee.com/us/products/complete-endpoint-protection-business.aspx
– easily add other McAfee or third party products with ease as
your needs change
True Centralized management with a single pane of glass
simplifies management and saves time spent moving across several
UIs
Integrated modules that perform core
antivirus, URL filtering and exploit/intrusion
prevention. Machine-learning analysis (pre and post
execution) and containment of suspicious files, processes and
applications
Enterprise-grade, advanced defenses that investigate and contain zero-day threats and sophisticated attacks - using a collaborative framework which includes dynamic application containment and machine learning analysis
Endpoint Security (ENS) Core ProtectionCore protection with shared intelligence to protect against download of a malicious file from the web
27
A file hash is sent from Web Control to Threat Prevention, triggering an ODS
Event data is shared with other modules and ePO, and is visible in client UI
Malicious files are detected and blocked before they have full access to the system
Forensics data is captured (Source URL, file hash, etc.)
ePO
Client UI
TIEThreat Prevention
Web Control Firewall
Vorführender
Präsentationsnotizen
Let’s take a look at a very common use case of a user downloading a malicious file and see how the module-to-module communication works to provide enhanced protection. In the current products, a file getting downloaded from the web and getting scanned through on-access scanning are two separate events. In Endpoint Security 10, since both products can now communicate with each other, when a file is downloaded, the Web Control module sends a file hash to Threat Prevention module. The Threat Prevention module triggers an immediate on-demand scan of the file. You can also configure GTI sensitivity in ePO for these types of scenarios. Then, based on the results of the scan, the product will take the necessary action. This provides significant advantages as you now can scan the file at a point of entry with a higher GTI sensitivity level since it is coming from the web, before it has full access to the system, thus providing better protection. And it allows us to capture better forensics data if detection occurs (Source URL, Attack Vector, File Hash, etc.).
Dynamic Application ContainmentMaintains productivity while securing patient-zero and isolating the network
28
How DAC works1. Integrated with ENS
and Active Response
2. Reputation or Admin triggers DAC
3. Suspicious application is contained
4. Application runs, blocks malicious processes
5. Real Protect or a sandbox analyze further
6. File data is traced, collected and reported
7. If dirty, terminate. If clean, release
PasswordsBlocks access to an insecure password hash file in Windows System32 directory
CookiesBlocks changes to the browser cookies folders from non-browser apps
InjectionBlocks changing memory or creating threads in any other process
Lateral Movement
Blocks creation or copying files to a network file location (e.g. on another PC or server)
PropagationBlocks creation of files on any physical external memory device (e.g. USB)
Scripts & Executables
Blocks creating files (bat, exe, jpg, html, bmp, vbs) that are used later to launch further attack stages
HidingBlocks scheduling tasks on system which can be used to avoid security scanners
RegistryBlocks registry modifications that are used to create entry points and establish persistence
Vorführender
Präsentationsnotizen
To trace dynamic behavior we have to allow malware to run. So it can cause damage in a second. That’s where Dynamic Application Control can help. DAC lets the malware load into memory, but stops it from making changes to the endpoint. Now, we can trace behavior by looking at what the application is actually trying to do (ie. Checking passwords, making changes to cookies, injecting code, moving laterally, etc…) This secures the first endpoint, or “patient-zero”, while keeping the endpoint productive and provides the data necessary for deeper analysis.
1. Real Protect Static gathers static properties (or features) from known-malware binaries on the backend
2. This information is fed to Machine-Learning (“ML”) algorithms on the backend to create “Real Protect Static ML Models” of each malware binary type
3. On the endpoint, Real Protect Static can query either the local “ML Model” library or do a match lookup in the Cloud depending on the product solution.
4. If a match occurs, then Real Protect Static informs the endpoint solution of this fact and remediation will occur if needed.
How it Works Detects Zero-Day Malware Pre-Execution
Works in Presence of Block Protection as well as Offline
Faster Response + Reduced need for human analysis
Requires very few resources on the Endpoint
Reduces Endpoint Administrator Headaches
Customer Benefits
Vorführender
Präsentationsnotizen
Real Protect static detects malware on the endpoint based on the analysis of the static file attributes. Customer Benefits: Detects Zero-Day Malware Pre-Execution: Detects obfuscated, polymorphic malware with static attribute analysis comparing to known malware. Works in Presence of Blocking Protection as well as Offline: Improves detection in conjunction with use of Dynamic Application Containment or HIPS, Firewall, etc. or Offline Faster Response + Reduced need for human analysis: Analysis and match happen very quickly, ML-based system means this is extensible with very few resources Requires very few resources on the Endpoint: Both RAM and HDD/SSD requirements are very modest (a few MB) Reduces Endpoint Administrator Headaches: Due to dramatic reduction in zero-day malware remediation
ENS McAfee Client Proxy AgentAutomatically routes all internet traffic to McAfee Web Protection to filter malware before the endpoint
31
Automatically route all internet traffic to web gateway
Proactive zero-day malware prevention before it reaches the endpoint
Picks cloud or on-premises based on location
Persistent protection for off-network users
Off-network
On-network
MCP
MCP
Vorführender
Präsentationsnotizen
Starting with ENS 10.5, all endpoint agents will feature a “client proxy”, capable of routing all internet traffic to either a cloud-based or on-premises McAfee Web Gateway. This delivers several benefits to the customer: Web Gateway (on-prem and cloud) features a zero-day emulation engine, which stops nearly 20% more malware than competing web gateways. This means less cleanup at the endpoint, and enables security teams to shift their efforts to more strategic activities like detection and response (EDR) The client proxy within ENS routes internet traffic to the cloud version of Web Gateway when endpoints are off-network, such as at a coffee shop or home office. This eliminates the gap of off-network user protection, providing the same level of web security as on-network Deployment of web security is much simpler with McAfee than any other vendor. Endpoint clients are ready to route traffic and even authenticate the user, removing those steps completely. This is a prime example of efficiency delivered through integration. Additional details on the client proxy (MCP): There are many routing options for Web Protection, including network-based methods such as IPSec, or even using PAC files. Our recommended approach is a client agent (now a feature of ENS), which we call McAfee Client Proxy (MCP).
McAfee Active Response Detect, Contain and Eliminate Advanced Threats
32
Persistent monitoring of critical events and state changes
Continuous collectors to find and visualize all files
Set traps to trigger automatic or customized responses
Efficient management of detection and response from a single console
ImmediateAction
AutomatedResponses
ContinuousMonitoring
Vorführender
Präsentationsnotizen
McAfee Active Response includes endpoint detection and response (EDR) capabilities to proactively identify, hunt and remediate threats. Continuous monitoring and customizable collectors search deeply for indicators of attack that are not only running or lying dormant, but may have even deleted themselves to evade detection. Integrated live search provides event timelines for enhanced hunting, and automated responses provide live security protection without manual intervention. Persistently monitor critical events and state changes at endpoints View and act-on prioritized alerts or custom and standard queries Use continuous collectors to find and visualize all files—executable, dormant or even deleted Set traps, triggering automatic or customized responses Analyze timelines and live searches Single-click to stop threats and update protection across all endpoints
Find and resolve potential threats in seconds, rather than days
What is WatchedProcesses All process create/terminate are tracked
for genealogy (parent-child relationships)
All processes with unknown reputation or suspicious reputation
Browsers, script-hosts
Child-processes of a traced process
Code-Injected processes
PowerShell
System Info Login/logout
Risk identification Persistence
Exfiltration
Injection
Self Protection
Recon
Infiltration
Stealth
Vorführender
Präsentationsnotizen
Use McAfee Active Response to answer key questions, like: What do we already know about this threat? Which endpoint did it start on? Which endpoint is it behaving the worst on? What happened on the endpoint itself? What risky behaviors have been seen? Has this ever been seen anywhere else before? Use the valuable endpoint-level data to determine the full scope of an attack and quickly remediate with confidence.
Surface high priority threats by prevalence and age
Correlate all hosts a threat has been seen on
Identify live, dormant, or even deleted threats across all endpoints
Take immediate action at a single endpoint or across the entire organization
Vorführender
Präsentationsnotizen
The McAfee Active Response Threat Workspace makes it easier to investigate and respond to threats: Left Panel: Automatically categorize suspicious events based on observed (Traced) behavior Top Center: Drill into threats by pre-defined categories Center bar graph: Visualize threat trends across the enterprise Center List: Select an individual threat and see the list of hosts that the threat has been seen on. Center Bottom: Select a single host, select a process and see the actual event timeline (see previous slide) Top Right Panel: Threat name, risk level and actions (Set malicious or known good, select one or more of the infected system and stop the process or stop and delete) Bottom Right Panel: Enterprise wide Reputations provided by the TIE server with the ability to view and set enterprise wide reputation of potential threats
