
Page 1: McAfee ESM: Situational Awareness

Confidential McAfee Internal Use Only

May 8, 2013

McAfee ESM: Situational Awareness

Boubker Elmouttahid, CISSP, CISM, CRISC

Solution Architect, Management Platform

Page 2: McAfee ESM: Situational Awareness


Security Connected Platform

INFORMATION SECURITY

Data Loss Prevention

Email Security

Encryption

Web Security

SECURITY MANAGEMENT

Compliance

Policy Auditing & Management

Risk Management

Security Operations Console

SIEM

Vulnerability Management

PARTNER COMMUNITY

McAfee Connected

Security Innovation Alliance (SIA)

Global Strategic Alliance Partners

Access Control

Identity & Authentication

Intrusion Prevention

Network User Behavior Analysis

NETWORK SECURITY

Next Generation Firewall

Network Access Control

Server & Database Protection

Smartphone & Tablet Protection

On Chip (Silicon-Based) Security

Virtual Machine & VDI Protection

ENDPOINT SECURITY

Application Whitelisting

Desktop Firewall

Device Control

Device Encryption

Email Protection

Embedded Device Protection

Endpoint Web Protection

Host Intrusion Protection

Malware Protection

Page 3: McAfee ESM: Situational Awareness


The Big Security Data Challenge


Page 4: McAfee ESM: Situational Awareness


The Big Security Data Challenge

Figure (labels recovered from the slide graphic): Perimeter, Thousands of Events; Correlate Events; Consolidate Logs; Compliance, Historical Reporting; APTs, Cloud, Data, Insider; Anomalies, Large Volume Analysis; Multi-dimensional Active Trending, LT Analysis; Billions of Events.

Page 5: McAfee ESM: Situational Awareness


Our Customers Have Specific Areas of Need

CIOs: “I want assurance we can detect and respond to attacks, are compliant with regulations and the reports to prove it—and I can’t spend a fortune on it.”

Security Analyst: “I need real time, relevant information so I can rapidly investigate and stop attacks.”

Compliance: “I need to ensure that we maintain compliance with regulations and the reports to make the auditors understand it.”

Page 6: McAfee ESM: Situational Awareness


THINK FAST…ACT FAST: Actionable Situational Awareness through Enhanced Data Management and Integration

Learn Quickly: Turns billions of “so what” events into actionable information via context, content and advanced analytics.

Move Fast: Purpose-built data management engine that makes SIEM work, and is Security ‘Big Data’ ready.

Act Decisively: Leveraging the value of Security Connected for faster response whilst lowering cost of ownership.

Page 7: McAfee ESM: Situational Awareness


McAfee ESM

MOVE FAST: eDB, the purpose-built data management engine that makes SIEM work

eDB: a highly indexed, purpose-built database that enables…

• Integrated log & event collection on a massive scale, at high performance

• Real-time enrichment of data with context to drive intelligence

• On-line reporting / analytics on current & historic data

…in parallel!

SMART FAST: Extended schema in 9.2, enabling…

• Improved tracking of assets via GUID; increases accuracy as IPs change

• More custom fields; increasing the data collected, correlated and reported about an event

• Ability to accumulate events (throughput, packets, URLs, etc.)

…without compromising performance!

Page 8: McAfee ESM: Situational Awareness


Rolling Averages: Defining abnormal patterns of activity

Learn Quickly: Establishing baselines to identify deviations

Page 9: McAfee ESM: Situational Awareness


Eliminate the Guesswork

Alert based on deviations from norm

Sum events and track averages

ID anomalies

Learn Quickly: Establishing baselines to identify deviations
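The baseline-and-deviation approach the slides describe (sum events per interval, track a rolling average, alert on deviations from the norm), written out as an added example; this is not McAfee ESM code, and the bucket size, window length, deviation threshold and the hourly counts are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timezone
from statistics import mean, pstdev


def sum_events(timestamps, bucket_seconds=3600):
    """Sum ISO-8601 UTC timestamps into fixed time buckets and return an
    ordered list of (bucket_start_epoch, count). Empty buckets between the
    first and last event are filled with 0 so a silent period is visible."""
    if not timestamps:
        return []
    epochs = [int(datetime.fromisoformat(t).replace(tzinfo=timezone.utc).timestamp())
              for t in timestamps]
    counts = Counter(e - e % bucket_seconds for e in epochs)
    first, last = min(counts), max(counts)
    return [(b, counts.get(b, 0)) for b in range(first, last + 1, bucket_seconds)]


def detect_anomalies(series, window=6, min_sigma=1.0, threshold=3.0):
    """Compare each bucket with the rolling mean of the previous `window`
    buckets and return (bucket, count, baseline, z) for every count at least
    `threshold` standard deviations away. The first `window` buckets only
    build the baseline. `min_sigma` floors the standard deviation so a flat
    baseline (sigma 0) does not turn every small change into an alert."""
    anomalies = []
    for i in range(window, len(series)):
        history = [c for _, c in series[i - window:i]]
        baseline = mean(history)
        sigma = max(pstdev(history), min_sigma)
        bucket, count = series[i]
        z = (count - baseline) / sigma
        if abs(z) >= threshold:
            anomalies.append((bucket, count, baseline, round(z, 2)))
    return anomalies


# Constructed sample data (not from the slides): hourly login-failure counts
# for one host over a day, steady around 10/hour, with a burst in hour 18
# and a silent hour 22.
SAMPLE_COUNTS = [(h * 3600, c) for h, c in enumerate(
    [9, 11, 10, 12, 8, 10, 11, 9, 10, 12, 10, 9,
     11, 10, 8, 10, 12, 9, 95, 11, 10, 9, 0, 10])]

if __name__ == "__main__":
    for bucket, count, baseline, z in detect_anomalies(SAMPLE_COUNTS):
        print(f"hour {bucket // 3600:02d}: {count} events, "
              f"baseline {baseline:.1f}, z={z}")
```

Only the hour-18 burst is flagged: it then inflates the rolling mean and standard deviation for the following six hours, so the silent hour 22 passes unnoticed, which is why production baselining usually excludes already-flagged buckets from the window.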

Page 10: McAfee ESM: Situational Awareness


Learn Quickly: Correlating Both Flows and Events

Figure (labels recovered from the slide graphic; the binary-digit background is decorative): Flow; Event; Correlate Event and Flow; Advanced Correlation; Enhanced with GTI.

Identify spikes in activity

Analyze behavior of an individual host

Detect zero-day threats through traffic profiling

Monitor compliance via analysis of application data, protocol and user

Page 11: McAfee ESM: Situational Awareness


ACT DECISIVELY: Leverage the power of the platform

Industry Leading Security Information and Event Management

Integrated Security Platform (diagram labels recovered from the slide): Event Collection; Compliance Reporting; Streamlined Investigations; Policy Management; Advanced Correlation; Log Management; ePolicy Orchestrator; Network Security Platform; Global Threat Intelligence; Vulnerability Manager.

Page 12: McAfee ESM: Situational Awareness

ACT DECISIVELY: Intelligent Orchestration and Integration

Diagram labels recovered from the slide: the sample message “My Pal RT@aguyweknow Very Inspiring article Bit.ly/p0wn3d”; ESM (Correlation, Trigger Alarm, Quarantine IP); Quarantine Endpoint, Launch AV Scan, Increase Security; Detect Connection Attempt; ePO; NSM.

Page 13: McAfee ESM: Situational Awareness


Summary: Actionable Situational Awareness from McAfee ESM

ESM ALLOWS YOU TO…

MOVE FAST LEARN QUICKLY ACT DECISIVELY

Page 14: McAfee ESM: Situational Awareness


McAfee SIEM Components

Enterprise Security Manager (ESM): content-aware SIEM

• Stores Event & Flow data using McAfee EDB: patented, high-performance, embedded data access engine

• Hosts browser-based, flash-enabled SIEM interface: easy to use, highly customizable views / dashboards

• Manages rules through Policy Manager: customizable data source and correlation rules

• Configures Reports and Alarms: customizable reporting and flexible alarm management

• Redundant capable: primary and secondary ESMs can be configured

• Designed to be scalable: designed to support 100,000’s events per second

Event Receiver: 3rd party log/event/flow collection

• Collection point for Events and Flows: passive and active collection technologies

• Hosts rules-based Correlation Engine: can be enterprise-wide or specific to the local receiver

• Redundant capable: High Availability Receivers can be configured

• Designed to be scalable: designed to support up to 20,000’s eps per appliance

Enterprise Log Manager (ELM): fully integrated, compliant log management

• Archive Management for Raw Events: Receiver forwards unaltered logs to ELM

• Maintains ELM Management database: ability to manage parsed and raw logs simultaneously

• Raw Log Integrity Management: ensures forensic integrity

• Raw log Compression Management (up to 20:1): delivers maximum storage efficiency

• Flexible Storage: local, SAN (Fibre), CIFS, NFS, iSCSI, NAS and combinations

Advanced Correlation Engine (ACE): dedicated correlation logic appliance

• Quantitative Risk Scoring Correlation: ACE uses rule-less correlation to determine threat activity

• Enables Historical Correlation: match new rules against historic events in near real-time

• Combined Correlation Engines without overhead: operates independently of event collection

Database Event Monitor (DEM): database transaction monitoring

• Passive Event Monitoring: eliminates performance overhead associated with DB logging

• Stores event activity as Sessions: reconstruct and examine activity from login to logoff

• Correlate Database activity to Security Events: correlate sensitive information access to users

Application Data Monitor (ADM): content visibility

• Protocol & Application Monitoring: full inspection of application content

• Monitor Sensitive Data Transmitted via Applications: identify monitoring blind-spots

Diagram labels recovered from the slide: Receiver, ELM, ESM, ACE, DEM, ADM; AES Encrypted Channel (links between the appliances); SSL Connection; Span or Tap (feeding DEM and ADM); monitored traffic: http://, eMail, P2P, chat, VoIP, Shell / FTP, LDP, PS; ELM storage: CIFS, NFS, SAN, iSCSI.

Page 15: McAfee ESM: Situational Awareness
