McAfee ESM: Situational Awareness
Boubker Elmouttahid, CISSP, CISM, CRISC
Solution Architect, Management Platform
May 8, 2013
Confidential McAfee Internal Use Only
Security Connected Platform (diagram)
Categories: Network Security, Endpoint Security, Information Security, Security Management, Partner Community.
Components shown: Application Whitelisting, Access Control, Identity & Authentication, Desktop Firewall, Intrusion Prevention, Device Control, Network User Behavior Analysis, Device Encryption, Next Generation Firewall, Email Protection, Embedded Device Protection, Endpoint Web Protection, Host Intrusion Protection, Data Loss Prevention, Malware Protection, Email Security, Network Access Control, Encryption, On Chip (Silicon-Based) Security, Web Security, Server & Database Protection, Smartphone & Tablet Protection, Virtual Machine & VDI Protection, Compliance, Policy Auditing & Management, Risk Management, Security Operations Console, Global Strategic Alliance Partners, SIEM, McAfee Connected, Vulnerability Management, Security Innovation Alliance (SIA).
The Big Security Data Challenge
The Big Security Data Challenge (diagram)
The scale runs from thousands of events to billions of events. At the low end: Consolidate Logs, Correlate Events, Perimeter. At the high end: Compliance, Historical Reporting, Anomalies, Large Volume Analysis, Insider, Data, Cloud Analysis, Multi-dimensional Active Trending, APTs.
Our Customers Have Specific Areas of Need
Security Analyst: "I need real time, relevant information so I can rapidly investigate and stop attacks."
Compliance: "I want assurance we can detect and respond to attacks, are compliant with regulations and the reports to prove it."
CIOs: "I need to ensure that we maintain compliance with regulations and the reports to make the auditors understand it, and I can't spend a fortune on it."
THINK FAST…ACT FAST
Actionable Situational Awareness through Enhanced Data Management and Integration
Move Fast: turns billions of events into actionable information via context, content and advanced analytics.
Learn Quickly: purpose-built data management engine that makes SIEM work, and is Security "Big Data" ready.
Act Decisively: leveraging the "so what" value of Security Connected for faster response whilst lowering cost of ownership.
MOVE FAST
eDB: Purpose-built data management engine that makes SIEM work
Highly indexed, purpose-built database (FAST), enables…
• Integrated log & event collection on a massive scale, at high performance
• Real-time enrichment of data with context to drive intelligence
• On-line reporting / analytics on current & historic data
…in parallel!
Extended schema in 9.2 (SMART), enabling…
• Improved tracking of assets via GUID; increases accuracy as IPs change
• More custom fields; increasing data collected, correlated and reported about an event
• Ability to accumulate events (throughput, packets, URLs, etc.)
…without compromising performance!
Learn Quickly
Establishing baselines to identify deviations
• Rolling averages
• Defining abnormal patterns of activity
Learn Quickly
Establishing baselines to identify deviations
• Sum events and track averages
• Alert based on deviations from norm
Eliminate the guesswork: ID anomalies
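The baseline-and-deviation approach described on these two slides, as an added example that is not McAfee's code: a rolling mean and standard deviation over recent per-hour event counts for one log source, with an alert when an interval lands more than a chosen number of standard deviations from that baseline. The window size, threshold and hourly counts are assumptions.

```python
"""Rolling baseline with deviation alerting over per-interval event counts.

Constructed example (not McAfee ESM code).  Each number is the count of
events a hypothetical log source produced in one hour.  The baseline is the
mean and standard deviation of the previous `window` normal hours; an hour
alerts when its count is more than `sigma` standard deviations away.
"""
from collections import deque
from statistics import mean, pstdev


def detect_deviations(counts, window=6, sigma=3.0, min_history=4):
    """Return (index, count, baseline_mean, zscore) for each anomalous interval.

    Anomalous intervals are kept out of the baseline so that a sustained burst
    (or a source that goes quiet) does not teach the baseline that the new
    level is normal; it keeps alerting until an operator acts on it.
    """
    history = deque(maxlen=window)
    alerts = []
    for i, count in enumerate(counts):
        if len(history) >= min_history:
            base = mean(history)
            spread = pstdev(history)
            # A flat history (spread == 0) would make any change look infinite;
            # a floor of one event keeps the z-score defined and sensible.
            z = (count - base) / max(spread, 1.0)
            if abs(z) > sigma:
                alerts.append((i, count, round(base, 1), round(z, 1)))
                continue  # do not fold the anomaly into the baseline
        history.append(count)
    return alerts


# Constructed sample: hourly event counts from one hypothetical log source.
# Hour 8 is a burst; hour 11 is a near-silent hour (e.g. a source that stopped
# logging), which is just as worth an alert as a spike.
SAMPLE_HOURLY_COUNTS = [12, 15, 11, 14, 13, 12, 14, 13, 95, 12, 14, 2, 13]

if __name__ == "__main__":
    for hour, count, base, z in detect_deviations(SAMPLE_HOURLY_COUNTS):
        direction = "above" if z > 0 else "below"
        print(f"hour {hour}: {count} events, {abs(z)} sigma {direction} baseline {base}")
```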
Learn Quickly
Correlating Both Flows and Events
• Correlate event and flow
• Identify spikes in flow activity
• Analyze behavior of an individual host
• Advanced correlation
• Monitor compliance via analysis of application data, protocol and user
• Detect zero-day threats through traffic profiling
• Enhanced with GTI
ACT DECISIVELY
Leverage the power of the platform
Industry leading Security Information and Event Management as part of an Integrated Security Platform, alongside: Global Threat Intelligence, Vulnerability Manager, Compliance Reporting, Event Collection, Log Management, Streamlined Investigations, Network Security Platform, ePolicy Orchestrator, Advanced Correlation, Policy Management.
ACT DECISIVELY
Intelligent Orchestration and Integration
Illustrated scenario: a user follows a shortened link in a social-media post ("Very Inspiring article Bit.ly/p0wn3d").
NSM detects the connection attempt → ESM correlation → ePO: quarantine endpoint, trigger alarm, launch AV scan, quarantine IP, increase security.
Summary
Actionable Situational Awareness from McAfee ESM
ESM ALLOWS YOU TO… MOVE FAST, LEARN QUICKLY, ACT DECISIVELY
McAfee SIEM Components
Architecture: Receivers collect 3rd party logs, events and flows and feed the ESM over an SSL connection; Receivers forward unaltered logs to the ELM over an AES encrypted channel; ELM storage can be SAN, CIFS, NFS or iSCSI.

Enterprise Security Manager (ESM), content aware SIEM
• Stores event & flow data using McAfee EDB (patented, high-performance, embedded data access engine)
• Hosts rules-based correlation engine (can be enterprise wide or specific to a local receiver)
• Hosts browser-based, flash-enabled SIEM interface (easy to use; highly customizable views / dashboards)
• Manages rules through Policy Manager (customizable data source and correlation rules)
• Quantitative risk scoring correlation
• Configures reports and alarms (customizable reporting and flexible alarm management)
• Redundant capable (primary and secondary ESMs can be configured)
• Designed to be scalable (designed to support 100,000's of events per second)

Event Receiver
• Collection point for events and flows (passive and active collection technologies)
• Redundant capable (high availability Receivers can be configured)
• Designed to be scalable (designed to support up to 20,000's of eps per appliance)

Enterprise Log Manager (ELM), fully integrated compliant log management
• Archive management for raw events (Receiver forwards unaltered logs to ELM)
• Maintains ELM management database (ability to manage parsed and raw logs simultaneously)
• Raw log integrity management (ensures forensic integrity)
• Raw log compression management, up to 20:1 (delivers maximum storage efficiency)
• Flexible storage (local, SAN (Fibre), CIFS, NFS, iSCSI, NAS and combinations)

Advanced Correlation Engine (ACE), dedicated correlation logic appliance
• ACE uses rule-less correlation to determine threat activity
• Enables historical correlation (match new rules against historic events in near real time)
• Combined correlation engines without overhead (operates independently of event collection)

Database Event Monitor (DEM), span or tap: database transaction monitoring
• Passive event monitoring (eliminates performance overhead associated with DB logging)
• Stores event activity as sessions (reconstruct and examine activity from login to logoff)
• Correlate database activity to security events (correlate sensitive information access to users)

Application Data Monitor (ADM), span or tap: content visibility
• Protocol & application monitoring (full inspection of application content)
• Monitor sensitive data transmitted via applications (identify monitoring blind spots)
• Protocols shown: eMail, chat, Shell / FTP, P2P, LDP, PS, VoIP, http://