McAfee Threat Intelligence Exchange

Presentation on theme: "McAfee Threat Intelligence Exchange"— Presentation transcript:

1 McAfee Threat Intelligence Exchange
George Younan | Enterprise Solutions Architect

2 Security Obstacles Facing Organizations
SILOED SECURITY ORGANIZATIONS
Separate organizations utilizing point products, from multiple vendors, operating in functional silos with no intelligence sharing.
LACK OF VISIBILITY
Too much data and not enough intelligence makes visibility into threats challenging. Reactive security infrastructure lacks the timely intelligence needed to identify threats.
TARGETED ATTACKS
Attacks are becoming more sophisticated, autonomous and stealthy and are specifically designed to penetrate existing security controls, including security processes and people.

Siloed security organizations: separate organizations utilizing point products, from multiple vendors, operating in functional silos with no intelligence sharing prevent effective infrastructure-wide visibility for real-time detection of threats. Data disconnect: isolated security infrastructure and delayed defenses lack the context and timely intelligence needed to understand and take intelligent action against the constantly changing threat landscape, so threats are missed or ignored. Targeted attacks: attacks are becoming more sophisticated, autonomous and stealthy and are specifically designed to penetrate existing security controls, including security processes and people. Too much data and not enough intelligence: the big data challenge drives a lack of visibility, clarity and insight ("can't protect against what you can't see or understand"). Reactive security infrastructure lacks the timely intelligence needed to identify indicators of threat or compromise. Latent time to knowledge: too late to affect breach detection, exfiltration, or to take defensive actions.

3 The Resulting Impact
[Chart: World's Biggest Data Breaches, 2004 to 2013, selected losses greater than 30,000 records, categorized by cause (accidentally published, hacked, inside job, lost/stolen media, poor security, lost/stolen computer, unknown, virus). Examples called out on the slide: Adobe 152,000,000; Ebay 145,000,000; AOL 92,000,000.] Source:

4 The Need for Adaptive Threat Prevention
The current model is broken
Problem:
- Products act in isolation
- Integrations are slow and brittle
- Intelligence is not shared
- Too much white noise
- Responses are not automated
- Each product requires its own update
- Vendor or 3rd party dependency
Solution: Threat Intelligence Exchange
- Products work together
- Intelligence is shared
- Responses are immediate
- Environment responds as a whole
- Can immunize the environment immediately
- Can take action without vendor involvement

In order to gain a sustainable advantage and ensure that risk is maintained within acceptable levels, it is paramount that you be able to act concisely and promptly across the entire IT infrastructure regardless of architectural or proprietary barriers. Simply put, you must be able to adjust your efforts and defenses faster than a threat can unfold. To do this requires intelligent, adaptive security controls that can act collaboratively to squelch threats and emerging risk. Our three foundational pillars (Clarity, Confidence and Control) come together to deliver on this: learned insights are shared instantly with a collaborative infrastructure that self-informs; evolving threat knowledge can be applied to identify, contain and remediate existing breaches; predictive modeling of risk and threats drives proactive countermeasures. By removing the friction of deploying controls, automating adaptive responses, and predicting future risk, McAfee empowers customers to outmaneuver the threats they face.

5 McAfee Threat Intelligence Exchange
Bringing adaptive threat prevention to your environment
Data Exchange Layer: an ultrafast, bi-directional messaging fabric that connects individual security products so they operate as one entity. Network, gateway, endpoint and cloud countermeasures are connected through this fabric.
TIE Server: a dedicated server that acts as a repository for all of your threat intelligence. This includes the latest threat information from:
- McAfee Security Connected components such as ATD, MWG, NSP, etc.
- McAfee Global Threat Intelligence and 3rd party sources (e.g. VirusTotal)
- System level and enterprise level intelligence
TIE Client: a new plugin to your McAfee Agent. It examines files on execution and makes intelligent decisions to protect your entire environment. These decisions are driven by a behavioral rules engine that understands your environment and leverages your threat intelligence.

6 McAfee Threat Intelligence Exchange
Solution Architecture
Inputs: Global Threat Intelligence, 3rd Party Feeds
TIE Server
- Database for your threat intelligence
- Broker for messages being shared on the Data Exchange Layer
TIE Client
- Enhanced endpoint protection
- Joins the endpoint to the Data Exchange Layer
Data Exchange Layer
- Connects the components
- Operates in real time
[Diagram: TIE Server, ePO and TIE Clients connected over the Data Exchange Layer; product architecture showing ports, a VM for the TIE server and a DMZ]

7 McAfee Threat Intelligence Exchange
Solution Architecture Details
Inputs: Global Threat Intelligence, 3rd Party Feeds
TIE Server
- Virtual appliance running McAfee Linux OS, delivered as .ova
- Postgres database (TCP and UDP 5432)
- Broker service to facilitate DXL messages
- TIE Server/DXL ports (8883 for TLS, 1883 for DXL client to broker)
- Additional TIE brokers can be deployed for scalability, HA and connectivity (DMZ)
TIE Client
- Module for McAfee VirusScan Enterprise
- Persistent connection to DXL (port 1883)
Data Exchange Layer
- Message Queue Telemetry Transport (MQTT) protocol
- Lightweight messaging protocol, designed for scalability and speed
- Persistent connection with the client and other components, secured with TLS 1.3
[Diagram: TIE Server, ePO and TIE Clients connected over the DXL fabric; product architecture showing ports, a VM for the TIE server and a DMZ]

8 TIE Client

9 Protection Technologies
[Diagram: files A through G plus a stream of new files; known bad files are caught by blacklisting, known good files by whitelisting, and the rest remain unclassified]
Blacklisting: known bad files. Anti-virus technology. Intelligence is global, with daily updates.
What about everything else?
Whitelisting: known good files. Application whitelisting. Intelligence is manual, with ad-hoc updates.

10 A New Kind of Inspection
Threat Intelligence Exchange Client: when a file executes, leverage multiple intelligence sources to determine if it is good or bad.
- Shared intelligence: What do other security products know about it? What does VirusTotal know about it?
- Enterprise intelligence: Has it ever run in your environment? Does your admin know if it is good or bad?
- Local intelligence: Was it executed after being downloaded from a known bad website?

11 Comparing Three Executables
Microsoft Visio: signed by trusted cert; strong global reputation. Trust level: Very High. Action: Allow.
Custom Business App: no signature; no global reputation; highly prevalent in your enterprise; no other red flags. Trust level: High. Action: Allow.
Unknown: no signature; no local reputation; first encounter; suspicious packing. Trust level: Low. Action: Block.

12 Threat Intelligence Exchange Client
Example inspection on a new file
TIE Client considerations:
- System properties. Example: was it run from the recycle bin?
- Reputations. Examples: GTI, ATD, admin overrides, VirusTotal
- Enterprise-wide properties. Example: is this the first time it has run in my environment?
The TIE Client will block or allow based on the combination of these factors. This information is immediately published to the DXL for your other products to use.
[Diagram annotations for the example file: file is new; low prevalence; packed suspiciously]
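The inspection on slides 10 to 12 combines several intelligence sources into a trust level and an action. The following is an added toy model of that decision, written for this transcript and not McAfee code; the thresholds, field names, the "Send to ATD" handling for unknown files and the three constructed sample files are assumptions:

```python
"""Added illustration, not McAfee code: a toy version of the TIE client
decision on slides 10 to 12, combining reputation sources, enterprise
prevalence and local context into a trust level and an action.
Thresholds, field names and the sample files are assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class FileContext:
    sha256: str                                # constructed sample value
    signed_by_trusted_cert: bool = False
    global_reputation: Optional[str] = None    # GTI/VirusTotal: "trusted", "malicious" or None
    admin_override: Optional[str] = None       # "allow", "block" or None
    enterprise_prevalence: int = 0             # endpoints that have run it before
    suspicious_packing: bool = False           # local red flags
    from_known_bad_site: bool = False
    run_from_recycle_bin: bool = False


def trust_level(ctx: FileContext) -> str:
    # Administrator overrides and a known-bad global reputation win outright.
    if ctx.admin_override == "block" or ctx.global_reputation == "malicious":
        return "Very Low"
    if ctx.admin_override == "allow":
        return "Very High"
    red_flags = sum([ctx.suspicious_packing, ctx.from_known_bad_site, ctx.run_from_recycle_bin])
    if ctx.signed_by_trusted_cert and ctx.global_reputation == "trusted":
        return "Very High"                     # the Microsoft Visio case on slide 11
    if ctx.enterprise_prevalence >= 100 and red_flags == 0:
        return "High"                          # unsigned but well established in the enterprise
    if ctx.enterprise_prevalence == 0 and red_flags > 0:
        return "Low"                           # first encounter plus red flags
    return "Unknown"


# Assumed mapping; "Send to ATD" is option 4 from the slide 18 workflow.
ACTIONS = {"Very Low": "Block", "Low": "Block", "Unknown": "Send to ATD",
           "High": "Allow", "Very High": "Allow"}


def decide(ctx: FileContext):
    """Return (trust level, action) for a file that is about to execute."""
    level = trust_level(ctx)
    return level, ACTIONS[level]


def dxl_message(ctx: FileContext) -> dict:
    """The record the client would publish for other products to consume (assumed layout)."""
    level, action = decide(ctx)
    return {"topic": "tie/file/reputation", "sha256": ctx.sha256,
            "trust": level, "action": action,
            "first_encounter": ctx.enterprise_prevalence == 0}


# Constructed samples mirroring the three executables on slide 11.
VISIO = FileContext("11" * 32, signed_by_trusted_cert=True, global_reputation="trusted")
CUSTOM_APP = FileContext("22" * 32, enterprise_prevalence=2500)
UNKNOWN_PACKED = FileContext("33" * 32, suspicious_packing=True)
NEW_CLEAN_LOOKING = FileContext("44" * 32)    # unsigned, never seen, no red flags

if __name__ == "__main__":
    for f in (VISIO, CUSTOM_APP, UNKNOWN_PACKED, NEW_CLEAN_LOOKING):
        print(f.sha256[:8], decide(f))
```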

13 Data Exchange Layer

14 THE SECURITY CONNECTED FRAMEWORK ADAPTIVE SECURITY ARCHITECTURE
Data Exchange Layer (connecting BPM, Asset, Identity, Risk, Threat, Activity, Location and Data): an innovative, real-time, bi-directional communications fabric providing product integration simplicity. Security components operate as one to immediately share relevant data between endpoint, gateway, and other security products, enabling security intelligence and adaptive security.

First, let's use the analogy of the human body. Throughout our body we have sensors, like touch, smell, sight, hearing, temperature, etc., that give us information to do something. Just like in security, we have sensors that provide information, like threat, location, risk, activity, etc., about security threats. But in our body we have the central nervous system that takes that sensory information and passes it to our brain to take action, immediately in some cases. McAfee has developed that central nervous system for security; we call it the Data Exchange Layer (DXL). The DXL is a bi-directional communications fabric that transmits messages to and from other security solutions that connect to this messaging framework. This enables security components to operate as one to immediately share relevant data between endpoint, gateway and other security products. This enables the McAfee Security Connected framework.

Additional information: the data exchange layer provides product integration simplicity (a single API), enabling seamless integration between products:
- Minimizes costs associated with product deployment and integration
- Eliminates the complexity which is usually associated with product integrations (i.e. solves the spaghetti integration problem)
- Reduces the overhead which is usually associated with product maintenance (i.e. solves the traditional versioning issue)
- Rapid onboarding of new products
- Faster time to deploy new solutions and services

15 Data Exchange Layer
Standardize integration and communication to break down operational silos
DISJOINTED API-BASED INTEGRATIONS. Result: slow, heavy and burdensome; complex and expensive to maintain; limited vendor participation; fragmented visibility.
COLLABORATIVE FABRIC-BASED ECOSYSTEM (DXL). Result: fast, lightweight and streamlined; simplified and reduced TCO; open vendor participation; holistic visibility.

Most attempts at cross-technology data integration and unification to date have been disjointed and API-based. Around the industry, tactical alliances based on 1:1 integration models are typically negotiated between small vendors, and despite the efforts put forth, the integrations are brittle, expensive and overall visibility remains fragmented. So far, McAfee has delivered the best ecosystem example with the Security Innovation Alliance program. More than 130 partners work with ePO and ESM APIs, but this effort takes significant work to implement and maintain. While we have the scope and commitment to succeed, we know that each product change requires testing and updates by vendors and customers. We have seen a better way. McAfee is building on its industry leadership and changing the model entirely with the delivery of the data exchange layer. This standardized integration and communication layer provides a collaborative "fabric" for all products, both from Intel Security and from partners who become DXL-ready, to share insights and communicate regardless of their underlying proprietary architecture. The collaborative fabric is an elegant approach that dramatically simplifies and streamlines integrations, while encouraging open vendor participation. The increased speed, agility and scalability realized from the DXL-enabled fabric provides the foundation for holistic visibility across the IT landscape.
A primary benefit of this new collaborative fabric (DXL) is the ability to improve clarity (contextual awareness and visibility) within organizations. The security management business unit now leverages DXL to connect the advanced and contextual intelligence analytics in the McAfee Threat Intelligence Exchange with the aggregation, correlation, and data analytics horsepower of the McAfee Enterprise Security Manager to turn raw data into actionable intelligence.

16 What is the McAfee Data Exchange Layer?
Driving efficiency through enhanced communication: real-time messaging, standardized content, adaptive workflows.
- McAfee Data Exchange Layer Fabric: real-time messaging infrastructure for security products, built on message queue telemetry transport (MQTT).
- Common Information Model (CIM): provides enterprise security state and context. Includes information about devices, users, location, reputation, and more.
- DXL Clients: security products (endpoint, network, identity, data, 3rd party) use the McAfee Data Exchange Layer to publish or consume information.

17 McAfee Threat Intelligence Exchange
Adaptive threat prevention
- Smart: when a threat is detected, all of the connected components act together as a single system, instantly sharing insights
- Fast: adapts automatically to neutralize the threat within milliseconds
- Aware: learns collectively from the insights of a single encounter
You are able to investigate point of origin and control exposure with precision and speed.

18 Threat Intelligence Exchange
Workflow
[Diagram: McAfee VSE with the Threat Intelligence Module, ePO, ATD, McAfee TIE Server, McAfee Global Threat Intelligence and 3rd party feeds connected over the Data Exchange Layer; the YES/NO decision is annotated with example file attributes: file age hidden, signed with a revoked certificate, created by an untrusted process]

The next set of slides illustrates how Threat Intelligence Exchange works. In this example, if an endpoint attempts to execute an executable file that VSE has never seen before and that is not part of our DAT file, it will send the file information to the TIE server to determine if it is a known file. In this case, the TIE server determines that it is an unknown file and does not have a reputation for it. The query is performed over the data exchange layer and includes file, process and environmental attributes recorded by the endpoint with regards to this file. From this point, the TIE server will check McAfee Global Threat Intelligence in the cloud for a reputation. It will then send the results of this lookup back to the endpoint. At this point, there are some options: 1. allow the file to execute; 2. prevent it from executing and quarantine it; 3. prevent execution because it is a known bad file; 4. or, if it doesn't know the reputation, send it to McAfee Advanced Threat Defense (ATD) for analysis. Continued on the next slide.

19 Threat Intelligence Exchange
Workflow: gateways block access based on endpoint convictions
[Diagram: McAfee NGFW, McAfee NSP, McAfee Web Gateway, McAfee Gateway, McAfee ESM, ePO, ATD, McAfee VSE with the Threat Intelligence Module, McAfee TIE Server, McAfee Global Threat Intelligence and 3rd party feeds connected over the Data Exchange Layer]
Proactively and efficiently protect your organization as soon as a threat is revealed. Security components operate as one to immediately share relevant data between endpoint, gateway, and other security products.

Once classification is determined, ATD publishes the information using the DXL. Endpoints, gateways and other security components consume classification changes published by specific sources. Once a conviction is received, endpoints immunize themselves: prevent on endpoints which have not observed this file yet; detect and remediate on endpoints which had been previously infected. Once a conviction is received by gateways, they block access based on endpoint convictions. Remark: the components added to this slide (McAfee ESM on the DXL, McAfee NGFW, McAfee NSP, McAfee MWG, McAfee MEG) are slated for a late 2H14 delivery.

20 Threat Intelligence Exchange
Workflow: endpoints are protected based on gateway convictions
[Diagram: McAfee VSE with the Threat Intelligence Module, ePO, ATD, Web Gateway, Gateway, NGFW, NSP, McAfee ESM, McAfee TIE Server, McAfee Global Threat Intelligence and 3rd party feeds connected over the Data Exchange Layer, with a NO/YES decision at the gateway]

The process is initiated by McAfee NSP, now integrated with the DXL and with McAfee Threat Intelligence Exchange, requesting metadata (information) about a file from the TIE service over the DXL. The difference between this workflow and the previous one: the TIE service already maintains metadata about the requested file and responds with that information immediately. Endpoints are protected based on gateway convictions.
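The workflow on slides 18 to 20 is a publish/subscribe exchange: one conviction published by the analysis component reaches every subscriber, which reacts according to its own history. The following added simulation, written for this transcript and not McAfee or DXL code, replays that exchange with an in-memory broker standing in for the MQTT-based DXL; the topic names, message fields, class names and the constructed file hash are assumptions.

```python
"""Added illustration, not McAfee or DXL code: an in-memory publish/subscribe
fabric standing in for the DXL, replaying the slide 18 to 20 workflow in which
one ATD conviction reaches the TIE server, every endpoint and the gateway."""
from collections import defaultdict


class Fabric:
    # Minimal topic-based broker (stand-in for the MQTT-based DXL); assumed topic names.
    def __init__(self):
        self.subs = defaultdict(list)

    def subscribe(self, topic, handler):
        self.subs[topic].append(handler)

    def publish(self, topic, msg):
        for handler in list(self.subs[topic]):
            handler(dict(msg))


class TieServer:
    """Caches reputations and records which endpoints have reported each file."""
    def __init__(self, fabric):
        self.rep = {}                          # sha256 -> reputation
        self.seen_on = defaultdict(set)        # sha256 -> endpoint names (enterprise prevalence)
        fabric.subscribe("file/report", self.on_report)
        fabric.subscribe("file/conviction", self.on_conviction)

    def on_report(self, msg):
        self.seen_on[msg["sha256"]].add(msg["endpoint"])

    def on_conviction(self, msg):
        self.rep[msg["sha256"]] = msg["reputation"]

    def lookup(self, sha256):                  # slide 20: later askers are answered from the cache
        return self.rep.get(sha256, "unknown")


class Endpoint:
    def __init__(self, fabric, name):
        self.name, self.fabric = name, fabric
        self.executed, self.actions = set(), []
        fabric.subscribe("file/conviction", self.on_conviction)

    def run_file(self, sha256):
        self.executed.add(sha256)
        self.fabric.publish("file/report", {"endpoint": self.name, "sha256": sha256})

    def on_conviction(self, msg):
        if msg["reputation"] != "malicious":
            return
        # Slide 19: endpoints that already ran the file remediate, the rest are immunized.
        verb = "remediate" if msg["sha256"] in self.executed else "prevent"
        self.actions.append((verb, msg["sha256"]))


class Gateway:
    def __init__(self, fabric, name):
        self.name, self.blocked = name, set()
        fabric.subscribe("file/conviction", self.on_conviction)

    def on_conviction(self, msg):
        if msg["reputation"] == "malicious":
            self.blocked.add(msg["sha256"])    # block further access to the convicted file


def simulate():
    fabric = Fabric()
    tie = TieServer(fabric)
    ep_a, ep_b = Endpoint(fabric, "ep-a"), Endpoint(fabric, "ep-b")
    gw = Gateway(fabric, "web-gateway")
    sample = "ab" * 32                         # constructed hash, not a real indicator
    ep_a.run_file(sample)                      # patient zero: only ep-a has executed it
    # ATD completes its analysis and publishes the classification exactly once.
    fabric.publish("file/conviction", {"source": "ATD", "sha256": sample, "reputation": "malicious"})
    return {"ep_a": ep_a.actions, "ep_b": ep_b.actions, "gateway_blocked": sorted(gw.blocked),
            "tie_reputation": tie.lookup(sample), "patient_zero": sorted(tie.seen_on[sample])}
```

Running `simulate()` shows the single publish fanning out: ep-a remediates, ep-b is immunized before ever seeing the file, the gateway blocks it, and the TIE server can answer the next query without re-analysis.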

21 TIE Summary
You control what is good and bad in your environment
- You have full visibility into every file executing in your environment
- VirusTotal integration for quick analysis
- No more waiting for extra.dat files for malware that may be targeting your environment
- Identify patient zero in the case of a malware attack
- Instant visibility into the presence of advanced targeted attacks in your organization

"Are we exposed?" is a question that gets asked by many companies. With TIE you will get that instant visibility into the presence of advanced targeted attacks because the security components operate as one, whether they are within the corporate network or traveling outside of it. TIE transforms events, automatically, into actionable intelligence, providing automated protection via DXL. Additional points: identify evidence of compromise and forensic artifacts on your endpoints left behind by attacker activity; for example, an administrator can enter a file hash through the UI to detect where it is present (if at all) throughout your environment, and artifacts related to indicators of compromise found in your environment indicate compromised machines. TIE provides the visibility and threat intelligence needed for incident response, for example first contact, file trajectory, enterprise prevalence, age and reputation, and endpoint context. Endpoint protection anywhere, anytime: real-time management of threat policy, detections and security updates no matter where endpoints are.

22 Deployment Requirements
Refer to the TIE Demo Environment slide from the Dev-led training.
Recommended deployment plan:
• Install TIE Server and client ePO management extensions
• Deploy TIE Server/DXL Broker MLOS OVA
• Deploy TIE Client widely in observation mode via Product Deployment
• Turn on enforcement for a test group
• Manage reputations for one-off cases if needed
• Monitor for a couple of days
• Turn on enforcement across all systems

23 Architecture slide plus system requirements
Virtual clients; ePO 5.1; MA 5.0; VSE 8

24 Connected Ecosystem
What does this mean?
- All of the components have a central hub to exchange information
- This information is available to all products on the DXL
- Adding products is as easy as joining the DXL
[Diagram: TIE Server at the hub, connected to Web / Mail Gateway, SIA Partners / 3rd Parties, SIEM, NGFW, DLP, NSP and Endpoint]

As you consider our strengths, we have breadth across the network with capabilities such as Network IPS, NGFW, and Web / Mail Gateways. We are globally recognized for our strength on the endpoint side and our consolidation of endpoint management within our ePO framework. We maintain a strong industry leadership position in the Gartner Magic Quadrant around key areas such as our Data Leakage Prevention technologies for network and hosts. We provide strong analytical capabilities for in-depth malware analysis with our Advanced Threat Defense capability and a broader security analytics platform with our Gartner-leading SIEM technology. Each of these technologies is great in its own right and can compete and win in that particular silo. However, as we move forward with Data Exchange, we are introducing the Threat Intelligence Exchange (TIE), which will allow the environment to leverage data exchange for sharing threat intelligence across the environment. The Data Exchange architecture, first being leveraged by TIE, will allow for a significantly more sustainable security model across the environment and an environment that can effectively adapt to threats as the landscape changes.

