Technology Blueprint

Achieve Situational Awareness

Get actionable insight out of your security systems


The Situation

One of the questions clients ask most frequently is, “Can you tell me how this piece of malware got onto my system?”

If you administer or manage endpoints, you probably have discovered an infected or compromised system. Your first reaction is to find the system and clean it, so that it does not affect your other systems, and the user can get back to work. Your second reaction is probably “how did this system get infected or compromised?” Unfortunately, most organizations do not have the ability to easily piece together all the information needed to understand an infection incident such as this. If just a single system is affected, it is a luxury for an administrator to track down the root cause—a luxury few can or choose to afford.

However, an infected or compromised system can be the tip of an iceberg that your cyber infrastructure is about to hit. If you can know more about an incident than just which system you fixed or quarantined, you may end up saving your organization time and money.

The data you need is often there. Most organizations discover that the web proxy or firewall logs collected data on activity related to the infected system. Perhaps the infected system communicated with a SharePoint system on your network, where it (inadvertently) placed a dropper for other LAN-connected systems to be infected. The SharePoint server that is now playing host to the malware did not detect the dropper because the directory was excluded from scanning.

If this is a “zero day” or a new strain of an old variant of malware, then it could spread quickly through your infrastructure before you know the root cause is sitting in your network. Ironically, most logs—IPS, server, firewall, web proxy—will collect activity data related to this incident. However, most organizations are siloed into teams or departments such as the network team, the server team, and the systems team, and so, too, is the pertinent data.

One of my customers told me that it took them a month to figure out that they had a system communicating with a command and control (C&C) server on the Internet. Once they knew what to look for, they found evidence of this activity in the web proxy logs.

Driving Concerns

Situational awareness means knowing what is going on around you, assessing the impact of adversarial actions against your network, and predicting future attacks. It has become a priority for enterprises concerned with the increasing volume and subtlety of attacks. To achieve situational awareness, you must collect, identify, process, and comprehend the data from not only your internal IT infrastructure, but also external sources, and produce actionable information for making decisions on the operation and defense of your IT infrastructure.¹

[Figure: Security Connected Reference Architecture, levels 1 through 5]

Security Connected

The Security Connected framework from McAfee enables integration of multiple products, services, and partnerships for centralized, efficient, and effective risk mitigation. Built on more than two decades of proven security practices, the Security Connected approach helps organizations of all sizes and segments—across all geographies—improve security postures, optimize security for greater cost effectiveness, and align security strategically with business initiatives. The Security Connected Reference Architecture provides a concrete path from ideas to implementation. Use it to adapt the Security Connected concepts to your unique risks, infrastructure, and business objectives. McAfee is relentlessly focused on finding new ways to keep our customers safe.


Unfortunately, there is no “out of the box” solution for achieving situational awareness. That’s one reason most organizations believe the road to situational awareness is slow. Common obstacles include:

• Collaboration. Instead of viewing IT as an ecosystem, many companies have siloed their IT departments into functional islands like network, servers, and desktops. Some organizations split things even more. This divides not only the people; it divides the data and the investigation. Pools of data and people form, pools that never mix or sync. Logs and other data kept separate may make the situation seem benign. Everyone has a piece of the picture, but no one knows what the whole picture looks like. Keeping teams and data separate also wastes time and energy. For example, during an event multiple teams could be investigating the same data in parallel.

• Historical data. Historical data can hold clues to ongoing attacks as well as future attacks. As Santayana wrote, “Those who cannot remember the past are condemned to repeat it.” If enterprises are collecting logs, it is usually for compliance reasons. They seldom mine the available data to improve their security or mitigate risk in their environments.

• Readily available critical data. After an event, forensic teams usually find evidence of breaches or cyber-attacks in the logs collected by IT departments. For situational awareness, IT departments need to get to this critical data during the event, when it can be most useful. Instead, the data they need is hard to find, hard to interpret, lost, or drowned out by all the other data. This is usually due to the disparate tools being used by the different siloed organizations. Each tool has a different repository of data, and the organization has no central location from which to access this information, especially not in real time.

• Predictive analysis. The objective of situational awareness is to reduce risk by adjusting countermeasures as threats and risks change. Without historical data, easily accessible current data, and an efficient way to analyze them, an organization cannot predict or speculate where the next attack or security breach may occur and adjust security systems accordingly. IT organizations need to know about new threats and vulnerabilities, and they need to know how their infrastructure may be at risk relative to these emerging dangers.

• Wide-angle view of vulnerabilities and threats. Besides being blinded by silos within their own IT ecosystems, organizations can also miss a wider perspective, a viewpoint that includes what is going on beyond the network perimeter. For example, many IT teams do not track patching or threats for vendors other than Microsoft. IT may have meetings on or just after Patch Tuesday, but what about Adobe, Apple, and Oracle applications used in the infrastructure? Also, few organizations track vulnerabilities related to their business or vertical. For example, if you run an IT team for a bank, do you track the vulnerabilities relevant to financial services? System and network admins need to understand what is happening outside their network and how this activity may affect them and the business or its assets. Using a wide-angle lens that includes a vision of what is happening beyond your perimeter allows you to prepare against an attack.

These are the challenges standing in the way of gaining situational awareness. If you can overcome them, you can reduce the “time to root cause” and make risk and mitigation decisions based on a well-rounded and complete data set.

Solution Description

To attain situational awareness, your organization must break down technical walls that keep teams and critical data separated. You must allow the decision-makers managing your risk to see not only your internal infrastructure as a whole, but see beyond your perimeter to external actors, external dependencies, and all associated threats.

• Bring it all together. The solution should not only gather all logs into a central location, but make them accessible from a central web user interface (UI). A central web UI allows the multiple teams within IT to see the whole picture. Bringing all the logs and data of your IT ecosystem together not only makes access easier, it fosters collaboration between teams. Teams will no longer waste time looking at the same data; they can find the root cause to an incident or compliance violation faster.

Decision Elements

These factors could influence your architecture:

• Where do you store data such as logs and events?

• Do you directly manage network peripherals such as your firewall, or is this outsourced?

• How many events per second are your network devices generating?


• Easy event analysis no matter your timeframe. Bringing together your logs and making them accessible to all who need access is only the beginning. You now need to analyze the events and logs. The solution should make it easy for you to access all this data for immediate analysis, widen your search across longer periods, or focus down to a particular second. All event details should be preserved according to forensic best practice (in case it should need to be presented in court) and easy to access in a timely fashion (not archived offline).

• Beyond your perimeter. IT administrators should be able to view new threats in the wild, filter out irrelevant noise (vulnerabilities affecting applications they don’t use), and zero in on the threats that pertain to their IT infrastructure and business.

• Responding. Once you understand the nature and scope of the event, the solution must allow you to respond or react in a timely fashion. Policies and thresholds linked to risk should trigger automated responses, such as activation of countermeasures, and alert you to the highest priority events that could damage your organization’s risk posture and valued assets.

• Forecasting. For your IT organization to move from reactive to proactive, you must be able to map out where you might have issues in the future. Forecasting that an incident may occur or where it may occur helps the IT team to prepare and proactively defend against an attack. Therefore, the solution has to allow quick access to pertinent information for analysis and forecasting. This data needs to include information about your infrastructure, as well as threat feeds about the latest vulnerabilities that may affect your applications, servers, endpoints, and network. This will help you correlate this information and know where your risks are, so that you can mitigate them.

Technologies Used in the McAfee Solution

The McAfee solution has two primary components: McAfee® ePolicy Orchestrator® (McAfee ePO™) and McAfee Enterprise Security Manager (ESM), with additional integrations to extend visibility and control across the entire security and compliance management environment. McAfee ePO management, control, and openness combined with McAfee ESM data capture, correlation, and analysis unite the disparate IT data sources within a central C&C console. This information can be accessed and navigated by IT teams throughout the enterprise to allow real-time collaboration, controlled response, and accurate reporting.

[Figure: McAfee solution components. Panels: Visualize, Investigate, Respond (see log frequencies; search for logs; correlate events; what data is involved? who is involved? are they a bad actor? what is the risk of the system? what is the risk of the user?); Global Threat Landscape (threat intelligence feed; immediate alerting; historical analysis); Advanced Correlation Engine (dynamic context; content aware; traditional context); Log Management; Enterprise Risk Landscape (vulnerabilities; countermeasures; individuals); McAfee Risk Advisor; McAfee GTI; McAfee ePolicy Orchestrator.]

McAfee correlates data across sources to facilitate assessment and guide prompt action.


McAfee ePolicy Orchestrator (McAfee ePO)

McAfee ePO allows IT administrators to unify security management across endpoints, networks, data, and compliance solutions from McAfee and third-party solutions. McAfee ePO provides flexible, automated management so you can identify, manage, and respond to security issues and threats. You can define how McAfee ePO should direct alerts and security responses based on the type and criticality of security events in your environment, as well as create automated workflows between your security and IT operations systems to quickly remediate outstanding issues.

McAfee ePO also gives you the controls to react to issues as you discover them within your infrastructure. For example, if you uncover an infected endpoint, you can verify that the system is up to date with the latest DATs or that McAfee Global Threat Intelligence™ (GTI) file reputation service is enabled. McAfee ePO also manages policy changes driven by McAfee ESM and the dynamic risk intelligence in McAfee GTI. Hence, McAfee ePO can help ensure that mitigations are implemented to match changing risks.

• If the concern is a desktop or server, then McAfee Host IPS, McAfee VirusScan® Enterprise, and McAfee Application Control could be used to help mitigate the risk

• Should the risk be in email, then the McAfee Email Gateway or McAfee Security for Email Servers could help

• Or, the McAfee Firewall Enterprise, McAfee Network Security Platform, and McAfee Web Gateway could be used to shield against network attacks that have been discovered or forecasted

All of these products are integrated with McAfee ePO or McAfee ESM to enable an efficient response to present and immediate threats or future risks.

In addition, McAfee ePO is an open platform. It can communicate and share data with third party solutions in your IT infrastructure, such as the helpdesk ticketing system. The following tasks can be automated within McAfee ePO:

• Deploy and manage McAfee solutions on desktops, laptops, or servers

• Vulnerability or audit scans to review your risk posture

• Alerting and reporting to improve visibility

McAfee ESM connects with McAfee ePolicy Orchestrator through a two-way integration for improved threat tracking and risk assessment. This connection brings together all of the McAfee portfolio plus the dozens of McAfee Security Innovation Alliance partners’ solutions to create a holistic framework for the IT organization to attain situational awareness.

McAfee Enterprise Security Manager (ESM)

McAfee ESM is an enterprise-class security information and event management system (SIEM) that identifies, correlates, and remediates threats. Like other SIEMs, McAfee ESM collects logs, events, and data from the various appliances and software running your IT infrastructure. However, the speed and capacity of McAfee ESM separates it from other SIEMs. For example, you can collect all the logs from all the data sources you want to monitor, correlate events, and report on months of data in less than 10 seconds. For historical analysis, the system can process billions of events from multiple years—presenting query results in seconds, not hours.

To help place events in context for your organization, McAfee Global Threat Intelligence feeds real-time threat data into the McAfee ESM correlation engine, while McAfee Risk Advisor feeds in asset valuation data. The system can then show you the data related to the assets that you value most, as threats and vulnerabilities evolve. IT can leverage policies and systems to increase monitoring or drive an instant, automatic remediation, such as issuing new configurations, implementing new policies, and deploying software updates.


Through automated collection of the data throughout your enterprise and real-time correlation and prioritization, McAfee ESM helps you find the events and logs needed to answer questions, identify root causes to incidents, and bring together data for audits. You are free to spend more time on high-value activities: analyzing, forecasting, and adjusting countermeasures to changing events.

McAfee ESM actions include:

• Full collection, analysis, and reporting of log and event data, at enterprise speed and scale

• Automatic establishment of security baselines, in real time, so you can easily see “normal” vs. “abnormal” behavior

• Proactive risk and threat detection based on your organization’s priorities

• Automated launching of mitigations, such as configuration, policy, or software updates

• Auditing of device configurations and detection of configuration changes

• Tracking and logging of all incident investigations and response activities

McAfee Enterprise Log Manager (ELM)

As stated earlier, collecting and storing logs is an integral part of situational awareness. Syslogs, event logs, application logs, firewall logs—if it is a log, McAfee Enterprise Log Manager (ELM) can collect and store it. Logs are signed and validated, ensuring authenticity and integrity—a necessity for regulatory compliance. Integration with McAfee ESM provides advanced searching, analytics, correlation, alerting, and reporting with the greatest operational efficiency.
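The paragraph above says stored logs are "signed and validated" so that their integrity can be demonstrated later, for example to an auditor or in court. The following is an added example, not McAfee ELM code, of the underlying idea: every stored record carries an HMAC-SHA256 tag computed over the record body and the previous record's tag, so editing, deleting or reordering any line breaks verification from that point on. The key, the sample syslog lines and the record format are all constructed for the illustration.

```python
"""Tamper-evident log store: each stored record carries an HMAC-SHA256 tag over
the record body and the previous record's tag, so editing, deleting or
reordering any line invalidates the chain from that point. Added illustration,
not McAfee ELM code; the key and the sample syslog lines are constructed."""
import copy
import hashlib
import hmac
import json

KEY = b"constructed-demo-key-keep-real-keys-in-an-hsm"  # constructed; never hard-code in production
GENESIS = "0" * 64                                      # 'previous tag' for the first record

SAMPLE_LINES = [  # constructed syslog-style lines
    "Apr  2 09:14:03 WS-0412 mcshield: Trojan.Dropper.Gen quarantined",
    "Apr  2 09:16:00 proxy01 squid: WS-0412 GET update.example-bad.test/beacon",
    "Apr  2 09:20:41 SHAREPOINT01 audit: WRITE shared/tools/setup.exe by WS-0412$",
]


def _tag(key, prev, body):
    return hmac.new(key, (prev + "\n" + body).encode(), hashlib.sha256).hexdigest()


def append_record(chain, key, record):
    """Serialise the record canonically and chain its tag to the previous one."""
    prev = chain[-1]["tag"] if chain else GENESIS
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    chain.append({"seq": len(chain), "prev": prev, "body": body, "tag": _tag(key, prev, body)})
    return chain


def verify_chain(chain, key):
    """Return (ok, first_bad_seq). Checks sequence numbers, back-pointers and tags,
    so a verifier can say exactly where a stored log stops being trustworthy."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev"] != prev:
            return False, i  # gap, reorder or deletion
        if not hmac.compare_digest(_tag(key, prev, entry["body"]), entry["tag"]):
            return False, i  # edited body or forged tag
        prev = entry["tag"]
    return True, None


def build_chain(lines, key=KEY):
    chain = []
    for n, line in enumerate(lines):
        append_record(chain, key, {"n": n, "raw": line})
    return chain


def demo(key=KEY):
    """Exercise the verifier against an intact store and three kinds of tampering."""
    good = build_chain(SAMPLE_LINES, key)
    edited = copy.deepcopy(good)
    edited[1]["body"] = edited[1]["body"].replace("GET", "DNS")  # alter a stored record
    dropped = copy.deepcopy(good)
    del dropped[1]                                               # delete a record
    return {
        "intact": verify_chain(good, key),
        "edited": verify_chain(edited, key),
        "dropped": verify_chain(dropped, key),
        "wrong_key": verify_chain(good, b"not-the-signing-key"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:10s} ok={result[0]} first_bad_seq={result[1]}")
```

A chain like this proves that nobody without the key altered the store, but whoever holds the key could re-sign a rewritten history; in a real deployment the signing key stays on the log appliance or an HSM, and the latest tag is periodically anchored somewhere the appliance cannot change (write-once storage, a timestamp authority, or a second system), which is the property regulators are after.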

McAfee Advanced Correlation Engine (ACE)

The McAfee Advanced Correlation Engine (ACE) appliance deploys alongside McAfee Enterprise Security Manager (ESM) to identify and score threat events in real time using both rule- and risk-based logic. You tell McAfee ACE what you value—users or groups, applications, specific servers, or subnets—and McAfee ACE will alert you if the asset is threatened. Audit trails and historical replays support forensics, compliance, and rule tuning. McAfee ACE supplements McAfee ESM event correlation with two dedicated correlation engines and purpose-built performance:

• A risk detection engine that generates a “risk score” using “rule-less” risk score correlation

• A threat detection engine that detects threats using traditional rule-based event correlation

The standalone McAfee ACE appliance provides the processing power required to support this rich event correlation across your entire enterprise. Its data engine scales to accommodate even the largest networks.
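The "bring it all together" step in the Solution Description and the two ACE engines just described come down to three operations: normalise records from separate silos into one timeline, run rules that link a detection on one host to related activity within a time window, and weight what is found by how much the affected asset is worth. The following is an added example of those three operations over constructed log lines; it is not McAfee ESM or ACE code, and every hostname, IP address, domain, log format and asset value in it is constructed. The scenario mirrors the one from the opening pages: an endpoint detection, proxy entries for the same host, and a file dropped on a SharePoint server.

```python
"""Cross-silo correlation over constructed log lines: endpoint AV, web proxy and
file-server audit events are normalised into one timeline, a rule-based
detector links them per host, and a heuristic asset-weighted risk score ranks
the hosts. Added illustration only, not McAfee ESM/ACE code; every hostname,
domain, IP and log format below is constructed for the example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Constructed samples from three silos (endpoint, proxy, file server).
AV_LOG = """\
2012-04-02T09:14:03Z host=WS-0412 event=malware_detected name=Trojan.Dropper.Gen action=quarantined
2012-04-02T10:02:11Z host=WS-0198 event=malware_detected name=Adware.Generic action=cleaned
"""
PROXY_LOG = """\
1333358160 192.0.2.17 WS-0412 GET http://update.example-bad.test/beacon 200 512
1333358700 192.0.2.17 WS-0412 POST http://update.example-bad.test/beacon 200 2048
1333361100 192.0.2.44 WS-0198 GET http://www.example.com/ 200 9031
"""
FILESERVER_LOG = r"""2012-04-02 09:20:41 SHAREPOINT01 WRITE \\SHAREPOINT01\shared\tools\setup.exe by DOMAIN\WS-0412$
"""
ASSET_VALUE = {"WS-0412": 3, "WS-0198": 1, "SHAREPOINT01": 10}  # analyst-assigned (constructed)
FEED_BAD_DOMAINS = {"update.example-bad.test"}                    # from a constructed threat feed
UTC = timezone.utc


def parse_av(text):
    pat = re.compile(r"^(\S+) host=(\S+) event=(\S+) name=(\S+) action=(\S+)$")
    for line in text.splitlines():
        m = pat.match(line)
        if not m:
            continue  # unparseable line: skip it rather than stop the pipeline
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)
        yield {"ts": ts, "host": m.group(2), "source": "av", "kind": m.group(3),
               "detail": f"{m.group(4)} ({m.group(5)})"}


def parse_proxy(text):
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        epoch, _ip, host, method, url, _status, _size = parts
        domain = urlsplit(url).hostname or ""
        yield {"ts": datetime.fromtimestamp(int(epoch), tz=UTC), "host": host, "source": "proxy",
               "kind": "web_request", "detail": f"{method} {domain}", "domain": domain}


def parse_fileserver(text):
    pat = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) by (\S+)$")
    for line in text.splitlines():
        m = pat.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=UTC)
        actor = m.group(5).split("\\")[-1].rstrip("$")  # DOMAIN\HOST$ -> HOST
        yield {"ts": ts, "host": m.group(2), "source": "fileserver",
               "kind": "file_" + m.group(3).lower(), "detail": m.group(4), "actor": actor}


def build_timeline(*sources):
    """The 'bring it all together' step: one time-ordered list across silos."""
    return sorted((e for src in sources for e in src), key=lambda e: e["ts"])


def correlate(events, window=timedelta(hours=1)):
    """Rule-based engine: pivot on each malware detection and look for related
    activity by the same host within the window. Returns de-duplicated findings."""
    findings = []
    for d in (e for e in events if e["kind"] == "malware_detected"):
        lo, hi = d["ts"] - window, d["ts"] + window
        for e in events:
            if not lo <= e["ts"] <= hi:
                continue
            if e["kind"] == "web_request" and e["host"] == d["host"] and e["domain"] in FEED_BAD_DOMAINS:
                f = ("c2_contact", d["host"], e["domain"])
            elif e["kind"] == "file_write" and e.get("actor") == d["host"]:
                f = ("possible_lateral_drop", e["host"], e["detail"])
            else:
                continue
            if f not in findings:
                findings.append(f)
    return findings


WEIGHTS = {"malware_detected": 5, "bad_domain_request": 4, "tainted_file_write": 4}


def risk_scores(events, findings):
    """Heuristic 'rule-less' engine: severity weight times asset value, summed per
    host, so one event on a crown-jewel server can outrank a noisy workstation."""
    implicated = {f[1] for f in findings}
    scores = defaultdict(int)
    for e in events:
        if e["kind"] == "malware_detected":
            w = WEIGHTS["malware_detected"]
        elif e["kind"] == "web_request" and e.get("domain") in FEED_BAD_DOMAINS:
            w = WEIGHTS["bad_domain_request"]
        elif e["kind"] == "file_write" and e["host"] in implicated:
            w = WEIGHTS["tainted_file_write"]
        else:
            w = 0
        scores[e["host"]] += w * ASSET_VALUE.get(e["host"], 1)
    return dict(sorted(scores.items(), key=lambda kv: -kv[1]))


def run():
    events = build_timeline(parse_av(AV_LOG), parse_proxy(PROXY_LOG), parse_fileserver(FILESERVER_LOG))
    findings = correlate(events)
    return findings, risk_scores(events, findings)


if __name__ == "__main__":
    findings, scores = run()
    for f in findings:
        print("FINDING", *f)
    for host, score in scores.items():
        print(f"{host:13s} risk={score}")
```

Run on the constructed input, the rule engine links WS-0412's detection to its proxy traffic toward a feed-listed domain and to the file it wrote on SHAREPOINT01, and the asset-weighted score puts the SharePoint server at the top of the list even though it produced a single event; that ordering, rather than the raw event count, is what the text means by being alerted when "the asset is threatened".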

McAfee Application Data Monitoring (ADM)

If you are going to achieve situational awareness, you need visibility into all aspects of your network. The McAfee ADM appliance monitors all the way up the network stack to the application layer. You can fully inspect application contents to achieve the deepest visibility into how your network is being used, helping you achieve an awareness level previously unavailable.

McAfee ADM decodes an entire application session, providing a full analysis of everything from the underlying protocols and session integrity all the way up to the contents of the application (such as the text of an email or its attachments). This level of detail allows accurate analysis of real application use, while also enabling you to enforce application use policies and detect malicious, covert traffic.

This deep inspection supports compliance by tracking all use of sensitive data on the network. When McAfee ADM detects a violation, it preserves all details of that application session for use in incident response and forensics, or for compliance audit requirements.


At the same time, McAfee ADM provides new visibility into threats that may masquerade as legitimate applications:

• Advanced application-layer threats

• The unauthorized use or theft of confidential data

• Attacks on or from security “blind spots”

• The use of dangerous legacy code

• The theft or misuse of user credentials

• Sensitive data transmitted via any application

McAfee Database Event Monitoring

Situational awareness is about visibility. An IT team needs to minimize blind spots so that they can see as much of their network as possible. Databases and their activity are constant blind spots to the security or IT team. The McAfee Database Event Monitor (DEM) enhances database visibility to help IT admins achieve a more complete picture of the enterprise.

McAfee DEM delivers non-intrusive, detailed security logging of databases and applications, monitoring all access to sensitive corporate and customer data. With minimal deployment effort, you can have visibility into database transactions, events, and specific database queries and responses—including who is accessing your data and why. McAfee DEM is the only database monitoring product that both consolidates database activity into a central audit repository and provides normalization, correlation, analysis, and reporting of that activity. Pre-defined rules and reports, privacy-friendly logging features, and encrypted, time-stamped files make it easy to comply with compliance regulations while strengthening your overall security posture.

McAfee Vulnerability Manager

McAfee Vulnerability Manager (MVM) provides fast, precise, and complete insights into two basic questions about your network assets: “What do I have?” and “Is it vulnerable?” McAfee Vulnerability Manager enhances the depth of information available as you assess a situation, providing on-demand scans of select assets when needed. It integrates with McAfee ePO so that you can correlate your findings with ways to remediate or determine if the risk needs to be mitigated. You can:

• Audit and remediate based on priority

• Provide conclusive evidence that systems are “not vulnerable” so you can focus attention elsewhere

• Identify and correlate new threats to your asset and vulnerability data

• Audit for compliance with policies and regulations

• Categorize data by asset or network, filter to select and organize results in reports, and create reports while scans are running

McAfee Risk Advisor

Many enterprises waste time patching systems when they already have a mitigating control in place. Whereas McAfee Vulnerability Manager gives visibility into your assets, McAfee Risk Advisor can tell you whether or not the asset is at risk. McAfee Risk Advisor helps you understand if a critical asset is protected by proactively correlating a threat feed with vulnerability and countermeasure information to pinpoint at-risk critical assets that require immediate attention. McAfee Risk Advisor helps determine what countermeasures you need, and when you need them.

From the McAfee Risk Advisor global risk dashboards, you can quickly drill down to get granular details of a threat and how it relates to specific assets. A consolidated threat feed viewer shows you updated information about new and current threats from millions of collection points. In addition to threat descriptions and analyses, the threat feed supplies recommended remediation, links to threat discussion groups and notices, various risk-scoring methods, a list of applications affected, and insight into how threats affect regulatory mandates. McAfee Risk Advisor maps the threat feed to specific McAfee countermeasures that are deployed (or should be deployed) to ensure an optimized security posture. Ultimately, Risk Advisor provides a clear ROI, enabling you to focus your priorities.


2821 Mission College Boulevard, Santa Clara, CA 95054, 888 847 8766, www.mcafee.com

McAfee, the McAfee logo, McAfee Advanced Correlation Engine, McAfee Database Event Monitoring, McAfee Enterprise Log Manager, McAfee Enterprise Security Manager, McAfee ePO, McAfee ePolicy Orchestrator, McAfee Global Threat Intelligence, McAfee Host Intrusion Prevention, McAfee Network Security Platform, McAfee Risk Advisor, and McAfee Vulnerability Manager, are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications, and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright © 2012 McAfee, Inc. 44503bp_situational-awareness-L3_0412_fnl_ETMG

Impact of the Solution

Better risk analysis will allow for more insightful action and better security for your business. The McAfee solution for situational awareness will help your organization become sensitive to and informed of changing events, as they change. Instead of making tentative and reactionary decisions based on little data, you will take decisive action based on clear understanding of correlated events and their implications for your infrastructure. Your organization can move from cleaning up after incidents to preventing incidents through thoughtful and timely countermeasures that mitigate an attack or a security breach. As you become more aware of your security posture, you can determine if you are at risk or may be at risk to present-day exploits or future attacks. Once you have analyzed your posture, the solution gives you the ability to mitigate or accept the risk with higher confidence in each decision.

Additional Resources

www.mcafee.com/gti

www.mcafee.com/epo

www.mcafee.com/siem

For more information about the Security Connected Reference Architecture, visit: www.mcafee.com/securityconnected

About the Author

Douglas Simpson has over a decade in the IT industry. His experience includes designing, building, and managing networks with dedication to IT security, risk management, and compliance. Doug is a graduate of Wittenberg University with a B.A. and holds current certifications in Information Systems Security Professional (CISSP), Ethical Hacker (CEH), IT Service Management (ITIL), and MCSE.

¹ http://www.uscg.mil/auxiliary/training/tct/chap5.pdf; http://www.securityweek.com/content/be-position-act-through-cyber-situational-awareness