McAfee ESM: Situational Awareness (Boubker Elmouttahid, CISSP, CISM) - PowerPoint PPT Presentation



SLIDE 1

Confidential McAfee Internal Use Only

May 8, 2013

McAfee ESM: Situational Awareness

Boubker Elmouttahid, CISSP, CISM, CRISC

Solution Architect, Management Platform

SLIDE 2


Security Connected Platform

INFORMATION SECURITY
  • Data Loss Prevention
  • Email Security
  • Encryption
  • Web Security

SECURITY MANAGEMENT
  • Compliance
  • Policy Auditing & Management
  • Risk Management
  • Security Operations Console
  • SIEM
  • Vulnerability Management

NETWORK SECURITY
  • Access Control
  • Identity & Authentication
  • Intrusion Prevention
  • Network Access Control
  • Network User Behavior Analysis
  • Next Generation Firewall

ENDPOINT SECURITY
  • Application Whitelisting
  • Desktop Firewall
  • Device Control
  • Device Encryption
  • Email Protection
  • Embedded Device Protection
  • Endpoint Web Protection
  • Host Intrusion Protection
  • Malware Protection
  • On Chip (Silicon-Based) Security
  • Server & Database Protection
  • Smartphone & Tablet Protection
  • Virtual Machine & VDI Protection

PARTNER COMMUNITY
  • McAfee Connected
  • Security Innovation Alliance (SIA)
  • Global Strategic Alliance Partners

SLIDE 3


The Big Security Data Challenge


SLIDE 4


The Big Security Data Challenge

Diagram: the problem grows from thousands of events to billions of events.
  • Thousands of events (perimeter): consolidate logs; historical reporting
  • Billions of events (APTs, cloud, data, insider, compliance): correlate events; anomalies; large-volume, multi-dimensional analysis; active trending

SLIDE 5


Our Customers Have Specific Areas of Need

  • CIOs: "I want assurance we can detect and respond to attacks, are compliant with regulations and have the reports to prove it, and I can't spend a fortune on it."
  • Security Analyst: "I need real-time, relevant information so I can rapidly investigate and stop attacks."
  • Compliance: "I need to ensure that we maintain compliance with regulations and have the reports to make the auditors understand it."

SLIDE 6


  • Learn Quickly: turns billions of "so what" events into actionable information via context, content and advanced analytics
  • Move Fast: purpose-built data management engine that makes SIEM work, and is security "Big Data" ready
  • Act Decisively: leveraging the value of Security Connected for faster response whilst lowering cost of ownership

THINK FAST…ACT FAST

Actionable Situational Awareness through Enhanced Data Management and Integration

SLIDE 7


McAfee ESM

MOVE FAST

eDB: purpose-built data management engine that makes SIEM work

eDB

Highly indexed, purpose-built DB, enables…

  • Integrated log & event collection on a massive scale, at high performance
  • Real-time enrichment of data with context to drive intelligence
  • On-line reporting / analytics on current & historic data …in parallel!

SMART FAST

Extended Schema in 9.2, enabling…

  • Improved tracking of assets via GUID; increases accuracy as IPs change
  • More custom fields; increasing the data collected, correlated and reported about an event
  • Ability to accumulate events (throughput, packets, URLs, etc.) …without compromising performance!

SLIDE 8

Learn Quickly

Establishing baselines to identify deviations

  • Rolling averages: defining abnormal patterns of activity

SLIDE 9

Learn Quickly

Establishing baselines to identify deviations

Identify anomalies:
  • Eliminate the guesswork: alert based on deviations from the norm
  • Sum events and track averages
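The two slides above describe the baselining approach (sum events into intervals, track a rolling average, alert on deviation from the norm) but not how it is computed. The following is an added example, not code from this deck or from McAfee ESM, showing one way to implement it: raw events are summed into 5-minute buckets per host, a rolling mean and standard deviation over the most recent buckets form the baseline, and a bucket is flagged when its count exceeds mean + k * stddev. The sample events, the bucket width, the window size, k = 3, the minimum-sample cold start and the standard-deviation floor are all assumptions chosen for illustration.

```python
from collections import deque
from datetime import datetime, timedelta
from statistics import mean, pstdev

BUCKET_MINUTES = 5  # assumption: 5-minute intervals


def bucket_start(ts: datetime) -> datetime:
    """Floor a timestamp to the start of its 5-minute bucket."""
    return ts.replace(second=0, microsecond=0, minute=ts.minute - ts.minute % BUCKET_MINUTES)


def sum_events(events):
    """Sum raw events into per-host, per-bucket counts.

    events: iterable of (timestamp, host, event_type).
    Returns {host: [(bucket_start, count), ...]} in time order, with empty
    buckets filled with 0 so that quiet periods pull the average down.
    """
    counts = {}
    for ts, host, _etype in events:
        per_host = counts.setdefault(host, {})
        b = bucket_start(ts)
        per_host[b] = per_host.get(b, 0) + 1
    step = timedelta(minutes=BUCKET_MINUTES)
    series = {}
    for host, per_host in counts.items():
        b, last, row = min(per_host), max(per_host), []
        while b <= last:
            row.append((b, per_host.get(b, 0)))
            b += step
        series[host] = row
    return series


class RollingBaseline:
    """Rolling mean / std-dev baseline; alerts when a bucket deviates from the learned norm."""

    def __init__(self, window=12, min_samples=6, k=3.0, sigma_floor=1.0):
        self.history = deque(maxlen=window)  # only the last `window` normal buckets count
        self.min_samples = min_samples        # cold start: no alerts until this many buckets
        self.k = k                            # alert when value > mean + k * stddev
        self.sigma_floor = sigma_floor        # avoid a near-zero threshold on a flat baseline

    def observe(self, value):
        """Return (is_anomaly, threshold_or_None) and then fold the value into the baseline."""
        threshold, anomalous = None, False
        if len(self.history) >= self.min_samples:
            hist = list(self.history)
            threshold = mean(hist) + self.k * max(pstdev(hist), self.sigma_floor)
            anomalous = value > threshold
        if not anomalous:
            # Learn only from normal buckets so a sustained burst cannot become the new normal.
            self.history.append(value)
        return anomalous, threshold


def detect_anomalies(events, **baseline_kwargs):
    """One baseline per host over the bucketed counts; returns (host, bucket, count, threshold)."""
    alerts = []
    for host, row in sum_events(events).items():
        baseline = RollingBaseline(**baseline_kwargs)
        for b, count in row:
            anomalous, threshold = baseline.observe(count)
            if anomalous:
                alerts.append((host, b, count, threshold))
    return alerts


def sample_events():
    """Constructed input (not from the slides): web01 sees 3 or 4 failed logins per bucket for
    ten buckets and then a burst of 40 in the eleventh; db01 stays flat at 2 throughout."""
    t0 = datetime(2013, 5, 8, 9, 0)
    events = []
    for i in range(11):
        n = 40 if i == 10 else 3 + (i % 2)
        for j in range(n):
            events.append((t0 + timedelta(minutes=5 * i, seconds=j), "web01", "auth_failure"))
        for j in range(2):
            events.append((t0 + timedelta(minutes=5 * i, seconds=10 + j), "db01", "auth_failure"))
    return events


if __name__ == "__main__":
    for host, bucket, count, threshold in detect_anomalies(sample_events()):
        print(f"ALERT {host} {bucket:%H:%M} count={count} threshold={threshold:.1f}")
```

With this input the baseline for web01 settles at a mean of 3.5 with a floored deviation of 1.0, so the threshold is 6.5 and only the 09:50 bucket (40 events) is flagged; db01 never alerts. Learning only from non-anomalous buckets keeps an attacker from raising the baseline by sustaining the burst, at the cost of never adapting if the new level is legitimate; a production detector would age the baseline or let an analyst reset it.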

SLIDE 10

Learn Quickly

Correlating Both Flows and Events

Diagram: Flow data and Event data are combined (Correlate Event and Flow) and fed into Advanced Correlation, enhanced with GTI.

  • Identify spikes in activity
  • Analyze the behavior of an individual host
  • Detect zero-day threats through traffic profiling
  • Monitor compliance via analysis of application data, protocol and user

SLIDE 11

ACT DECISIVELY

Leverage the power of the platform

Industry Leading Security Information and Event Management

Capabilities: Event Collection, Log Management, Advanced Correlation, Streamlined Investigations, Compliance Reporting, Policy Management

Integrated products: ePolicy Orchestrator, Network Security Platform, Integrated Security Platform, Global Threat Intelligence, Vulnerability Manager

SLIDE 12

ACT DECISIVELY

Intelligent Orchestration and Integration

Diagram: a user follows a link from a social-media message ("My Pal RT@aguyweknow Very Inspiring article Bit.ly/p0wn3d"). The connection attempt is detected, correlation in the ESM triggers an alarm, and the response is orchestrated through the integrated products (ePO and NSM):
  • Detect connection attempt
  • Correlation
  • Trigger alarm
  • Quarantine IP
  • Quarantine endpoint
  • Launch AV scan
  • Increase security
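Slide 10 describes correlating flows with events (enhanced with GTI reputation) and slide 12 shows that correlation driving orchestrated response. The following is an added example, not code from this deck or from McAfee ESM, that does both on constructed data: each security event is joined with the flow records for the same source/destination pair inside a time window after it, the pair is scored from three signals (a flow confirming the connection, outbound byte volume, destination reputation), and the score is mapped to the response steps the slide names. The Event and Flow classes, the REPUTATION dictionary standing in for a GTI lookup, the score weights, the window, the byte threshold and the action names are all assumptions for illustration; actions are returned as strings, not executed.

```python
from bisect import bisect_left, bisect_right
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    """A parsed security event (IPS, proxy, endpoint), normalised to source and destination."""
    ts: datetime
    src: str
    dst: str
    signature: str


@dataclass(frozen=True)
class Flow:
    """A NetFlow/IPFIX-style record: who talked to whom, on which port, and how many bytes left."""
    ts: datetime
    src: str
    dst: str
    dport: int
    bytes_out: int


# Constructed stand-in for a reputation feed (the deck's "Enhanced with GTI"). Assumption only:
# the real service is queried by the product; this dict just answers "is this destination known-bad".
REPUTATION = {"203.0.113.45": "malicious"}


class FlowIndex:
    """Flows grouped by (src, dst) and kept in time order, so a window lookup is two bisects."""

    def __init__(self, flows):
        self._by_pair = defaultdict(list)
        for f in sorted(flows, key=lambda f: f.ts):
            self._by_pair[(f.src, f.dst)].append(f)
        self._times = {k: [f.ts for f in v] for k, v in self._by_pair.items()}

    def within(self, src, dst, start, end):
        """Flows from src to dst with start <= ts <= end."""
        key = (src, dst)
        if key not in self._by_pair:
            return []
        times = self._times[key]
        return self._by_pair[key][bisect_left(times, start):bisect_right(times, end)]


def correlate(events, flows, window=timedelta(minutes=10), exfil_bytes=1_000_000):
    """Join each event with the flows that follow it inside `window`, then score the pair."""
    index = FlowIndex(flows)
    incidents = []
    for ev in sorted(events, key=lambda e: e.ts):
        matched = index.within(ev.src, ev.dst, ev.ts, ev.ts + window)
        total = sum(f.bytes_out for f in matched)
        score, reasons = 0, []
        if matched:  # the flow proves the connection happened, not merely that a sensor alerted
            score += 40
            reasons.append(f"{len(matched)} flow(s) confirm {ev.src}->{ev.dst}")
        if total >= exfil_bytes:
            score += 30
            reasons.append(f"{total} bytes outbound within {window}")
        rep = REPUTATION.get(ev.dst)
        if rep:
            score += 30
            reasons.append(f"destination reputation: {rep}")
        incidents.append({"event": ev, "flows": len(matched), "bytes_out": total,
                          "score": score, "reasons": reasons})
    return incidents


def plan_actions(incident):
    """Map a scored incident to the orchestration steps the deck names (returned, not executed)."""
    ev, score = incident["event"], incident["score"]
    if score >= 70:
        return ["trigger_alarm", f"quarantine_ip:{ev.dst}",
                f"quarantine_endpoint:{ev.src}", f"launch_av_scan:{ev.src}"]
    if score >= 30:
        return ["trigger_alarm"]
    return []


def sample_data():
    """Constructed events and flows (not from the slides); addresses are documentation ranges."""
    t = datetime(2013, 5, 8, 10, 0)
    events = [
        Event(t, "10.0.0.15", "203.0.113.45", "WEB: shortened-URL click"),           # the phish victim
        Event(t + timedelta(minutes=5), "10.0.0.22", "198.51.100.7", "POLICY: P2P"),  # noise, no flows
        Event(t + timedelta(minutes=30), "10.0.0.9", "203.0.113.45", "IPS: beacon"),  # flow is too old
    ]
    flows = [
        Flow(t + timedelta(minutes=2), "10.0.0.15", "203.0.113.45", 443, 2_500_000),
        Flow(t + timedelta(minutes=3), "10.0.0.15", "203.0.113.45", 443, 300_000),
        Flow(t + timedelta(minutes=10), "10.0.0.9", "203.0.113.45", 443, 900),  # before its event
    ]
    return events, flows


if __name__ == "__main__":
    events, flows = sample_data()
    for inc in correlate(events, flows):
        print(inc["event"].signature, inc["score"], plan_actions(inc), inc["reasons"])
```

The first event scores 100 (two confirming flows, 2.8 MB outbound, bad reputation) and gets the full response; the P2P event has no flows and no reputation hit and scores 0; the beacon event scores 30 on reputation alone, because its only flow precedes the event and falls outside the window, so it is alarmed but not quarantined. The window check is the part worth getting right: correlating on address pairs without a time bound makes any old flow look like confirmation.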

SLIDE 13


Summary

Actionable Situational Awareness from McAfee ESM

ESM ALLOWS YOU TO….

MOVE FAST LEARN QUICKLY ACT DECISIVELY

SLIDE 14

McAfee SIEM Components

Enterprise Security Manager (ESM): content aware SIEM
  • Stores event & flow data using McAfee EDB: patented, high-performance, embedded data access engine
  • Hosts the browser-based, Flash-enabled SIEM interface: easy to use, highly customizable views / dashboards
  • Manages rules through Policy Manager: customizable data source and correlation rules
  • Configures reports and alarms: customizable reporting and flexible alarm management
  • Redundant capable: primary and secondary ESMs can be configured
  • Designed to be scalable: designed to support hundreds of thousands of events per second

Event Receiver (Receiver): 3rd-party log/event/flow collection
  • Collection point for events and flows: passive and active collection technologies
  • Hosts a rules-based correlation engine: can be enterprise-wide or specific to the local Receiver
  • Redundant capable: High Availability Receivers can be configured
  • Designed to be scalable: designed to support up to 20,000s of eps per appliance

Enterprise Log Manager (ELM): fully integrated, compliant log management
  • Archive management for raw events: the Receiver forwards unaltered logs to the ELM
  • Maintains the ELM management database: ability to manage parsed and raw logs simultaneously
  • Raw log integrity management: ensures forensic integrity
  • Raw log compression management (up to 20:1): delivers maximum storage efficiency
  • Flexible storage: local, SAN (Fibre), CIFS, NFS, iSCSI, NAS and combinations

Advanced Correlation Engine (ACE): dedicated correlation logic appliance
  • Quantitative risk scoring correlation: ACE uses rule-less correlation to determine threat activity
  • Enables historical correlation: match new rules against historic events in near real time
  • Combined correlation engines without overhead: operates independently of event collection

Database Event Monitor (DEM): database transaction monitoring
  • Passive event monitoring: eliminates the performance overhead associated with DB logging
  • Stores event activity as sessions: reconstruct and examine activity from login to logoff
  • Correlates database activity to security events: correlate sensitive-information access to users

Application Data Monitor (ADM): content visibility
  • Protocol & application monitoring: full inspection of application content (http://, eMail, P2P, chat, VoIP, Shell / FTP, LDP, PS)
  • Monitor sensitive data transmitted via applications: identify monitoring blind spots

Diagram notes: the ADM and DEM are fed from a SPAN port or tap (an SSL connection is shown alongside the DEM); Receivers, the ELM, ACE, DEM and ADM communicate with the ESM over AES-encrypted channels; ELM storage is shown as CIFS, NFS, SAN or iSCSI.
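The ELM bullet "raw log integrity management: ensures forensic integrity" states the property but the slide does not say how the ELM achieves it. The following is an added example, not the product's mechanism and not code from this deck, showing one standard way to obtain that property for an archive of unaltered raw lines: each record's hash covers the previous record's hash, so the archive is a chain, and the chain head is sealed outside the archive (signed, written to write-once media, or reported to the SIEM). Verification against the sealed head then detects an edited line, a deleted line and a truncated archive. The syslog lines are constructed, and the hash construction and GENESIS value are assumptions for illustration.

```python
import hashlib

GENESIS = "0" * 64  # assumption: the chain starts from an all-zero predecessor hash


def _link(prev_hash: str, raw: bytes) -> str:
    """Chain hash H(prev || len(raw) || raw); the length prefix removes record-boundary ambiguity."""
    h = hashlib.sha256()
    h.update(bytes.fromhex(prev_hash))
    h.update(len(raw).to_bytes(8, "big"))
    h.update(raw)
    return h.hexdigest()


class RawLogArchive:
    """Append-only store of unaltered log lines, each chained to its predecessor by hash."""

    def __init__(self):
        self.records = []  # list of (raw_bytes, chain_hash)

    def append(self, raw: bytes) -> str:
        prev = self.records[-1][1] if self.records else GENESIS
        h = _link(prev, raw)
        self.records.append((raw, h))
        return h

    @property
    def head(self) -> str:
        """The value to seal outside the archive; anyone holding it can audit the whole chain."""
        return self.records[-1][1] if self.records else GENESIS


def verify(records, expected_head):
    """Recompute the chain. Returns (ok, index of the first bad record, or None when ok).

    A link mismatch at index i means record i (or something before it) was altered or removed;
    a clean chain whose head differs from the sealed head means records were removed from the end.
    """
    prev = GENESIS
    for i, (raw, stored) in enumerate(records):
        if _link(prev, raw) != stored:
            return False, i
        prev = stored
    if prev != expected_head:
        return False, len(records)
    return True, None


# Constructed sample syslog lines (not from the slides); addresses are documentation ranges.
SAMPLE_LINES = [
    b"May  8 10:00:01 web01 sshd[2201]: Failed password for root from 203.0.113.45 port 51122 ssh2",
    b"May  8 10:00:02 web01 sshd[2201]: Failed password for root from 203.0.113.45 port 51123 ssh2",
    b"May  8 10:00:05 web01 sshd[2209]: Accepted password for deploy from 10.0.0.15 port 40012 ssh2",
    b"May  8 10:00:09 web01 sudo: deploy : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow",
]


def build_archive(lines=SAMPLE_LINES) -> RawLogArchive:
    archive = RawLogArchive()
    for line in lines:
        archive.append(line)
    return archive


def tamper_checks():
    """Verify the intact archive and three tampered copies against the sealed head."""
    archive = build_archive()
    sealed_head = archive.head  # in practice: signed, or stored on write-once media
    results = {"intact": verify(archive.records, sealed_head)}

    edited = list(archive.records)  # an insider rewrites the sudo line in place
    raw, stored = edited[3]
    edited[3] = (raw.replace(b"/etc/shadow", b"/etc/motd"), stored)
    results["edited"] = verify(edited, sealed_head)

    results["deleted"] = verify(archive.records[:1] + archive.records[2:], sealed_head)
    results["truncated"] = verify(archive.records[:-1], sealed_head)
    return results


if __name__ == "__main__":
    for name, (ok, bad_index) in tamper_checks().items():
        print(f"{name:10s} ok={ok} first_bad_index={bad_index}")
```

An attacker who can rewrite records can also recompute every hash after the edit, which is why the head must live somewhere the attacker cannot reach; the chain alone only proves internal consistency. Compressing the raw lines (the 20:1 figure on the slide) does not interfere with this scheme as long as the hash is taken over the uncompressed bytes that were received.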
