Upload
sshaiksshaikss
View
230
Download
0
Embed Size (px)
Citation preview
8/3/2019 McAfee Total Protection Jun09
1/17
SANS Review: McAfees Total
Protection for Data
A SANS Whitepaper June 2009
Written by Dave Shackleford
Executive Summary
Data Protection in Review
Requirements
Methodology
SANS Review of McAfee
Endpoint Encryption for PC
(v5.1.8) and for Files and
Folders (v3.1.3)
SANS Review of McAfee Host
and Network Data Protection
SANS Review: NDLP, HDLP,
and Endpoint Encryption
Integration
8/3/2019 McAfee Total Protection Jun09
2/17
SANS Analyst Program 1 SANS Review: McAees Total Protection or Data
Executive Summary Data Protection in Review
1www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pd
Data in Motion: Data moving
across the network. Network-based
tools that can sni trac are used
or detection and prevention.
Data at Rest: Data that is stored
in various fle types and databases.
Host-based protections ranging rom
encryption to localized detection and
prevention agents address security
or this data.
Data in Use: Data that is currently
being accessed by applications and
users. This data may require both
host-based and network-based tools
and techniques to adequately moni-
tor and protect.
Ninety major breaches last year resulted in 285 million records being used in criminal activity,
according to Verizons 2009 Data Breach Report.
1
With breach reports like these, data protec-tion has now become a central ocus in IT environments. Resulting regulatory requirements,
along with concerns over negative publicity (and its associated costs), have spawned a market
or data-centric protections. So now, in addition to their traditional network security ocus,
organizations are looking more closely at where their critical data resides, how its used, how it
leaves the protected network, and how to protect sensitive and regulated data throughout its
liecycle.
However, when it comes to managing data at its source, organizations ace a key challenge:
How can they apply policy to their data in motion, data at rest, and data in use in any unied
manner? As organizations lay out their data protection roadmaps to accomplish these goals,they need policies and procedures that evolve as new tech-
nologies and regulations dictate.
Over the past several years, the market or data protection tools
evolved in ragmentsstarting with encryption thanks to
Payment Card Industry and state privacy requirements. Host-
based data ngerprinting and detection/prevention sotware
ollowed, along with data-centric network-based monitoring
and analysis. Now, the challenge is bringing these capabili-
ties together to work and be managed in tandema chal-
lenge McAees Data Protection suite, Total Protection or Data,
addresses robustly in Phase I integration o several acquired
data protection components including SaeBoot (encryption),
Reconnex (network policies) and others. Full integration into
its overall centralized management ramework, ePO (ePolicy
Orchestrator), is scheduled or the next release, according to
product managers.
8/3/2019 McAfee Total Protection Jun09
3/17
SANS Analyst Program 2 SANS Review: McAees Total Protection or Data
In this document, we describe the results o our review o a broad range o eatures and unc-
tions within McAees Total Protection or Data suite. This includes McAees Phase I integration
o host (Host DLP v3.0) and network (Network DLPDiscover, Manager, Monitor, and Prevent
v8.5) data protection tools and management dashboards, along with McAees host-based ull
disk, le/older and device control encryption (Endpoint Encryption (EE) or PC v5.1.8 and EE
or Files and Folder v3.1.3).
Each o these products met or exceeded review objectives in all categories. Furthermore,
McAee has made strong headway in integrating management among the products, starting
with its Host DLP integration into the ePO ramework. Some o the grades the products received
refect elements that are prioritized and planned or integration in McAees next release, but
which arent integrated in the versions in this review.
Overall Report Card: Total Protection for Data by McAfee
In the ollowing pages, we include more detailed report cards or DLP, encryption, and dash-
board integration, with descriptions o review results or both the EE and DLP toolsets. Preced-
ing the report cards is a description o review requirements and methodology.
Category
DLP
Endpoint Encryption
Integration
Products
Network DLP (NDLP)
Host DLP (HDLP)
Endpoint Encryption (EE) for PCs
Endpoint Encryption for Files and
Folders (EEFF)
HDLP Integration with ePO
NDLP Integration with ePO
EE Integration with ePO
Score
A
A
A
A
A
A
B
8/3/2019 McAfee Total Protection Jun09
4/17
SANS Analyst Program 3 SANS Review: McAees Total Protection or Data
Requirements
Data protection tools need to include ast, deep and accurate content identication or a variety
o use scenarios that involve data at rest, data in use and data in motion. Policy creation andtuning must be fexible and intuitive or monitoring, discovering and taking appropriate action
on critical data traversing the networkon data at rest or in use on the host, and as it attempts
to leave the host on removable media, via e-mail or by other means. Any data protection toolkit
should also include broad environmental coverage (network and host platorms, integration
with directory services and e-mail platorms, and auxiliary unctions like encryption.) While there
are myriad requirements to consider, they essentially all into the ollowing ve categories:
Discovery and Capture: Both host and network discovery tools should be capable o
discovering sensitive content stored on key systems across the enterprise, a critical rst
step many organizations still need to takeand one that large enterprises cannot rea-sonably conduct without leveraging automated tools.
Monitoring: Data in use and in motion should be monitored at line-speed as it traverses
network links. Monitoring o data on critical applications and systems, including storage
devices, should be comprehensive, port agnostic and fexible enough to change policy
on the fy when needed.
Alerting and Prevention: Host and network tools should be able to match detected
events to policies, which then tie into an incident response (alerting and blocking specic
actions). Workfow/alerting should involve specied participants rom aected business
units (Compliance, Human Resources, Legal, Help Desk, etc.). The system should also be
sel-learning, that is able to discover and alert on unknown or unclassied data types.
Encryption: Deployed encryption models should be fexibly and easily created and
enorced or a variety o uses, such as le, older, e-mail and ull disk encryption as well as
copying data to USB devices and other removable media.
Compliance: Policies and reports should be available out o the box, with the ability to
easily modiy these or internal compliance standards and changing regulations.
See our accompanying Data Protection Requirements Worksheet, which can be
used to create individually tailored lists o requirements based on organiza-
tional needs and rank vendor ability to meet those requirements.
8/3/2019 McAfee Total Protection Jun09
5/17
SANS Analyst Program 4 SANS Review: McAees Total Protection or Data
Methodology
The ollowing McAee products were included in the review:
Endpoint Encryption (EE) or PC version 5.1.8
EE or Files and Folders version 3.1.3 (V3.2 now available but was not yet released at time
o review)
Host DLP version 3.0
Network DLP (Discover, Manager, Monitor, and Prevent) version 8.5
Integration o these into the ePolicy Orchestrator version 4.0 (version 4.5 available soon)
For this product review, a number o separate products and components were installed and
congured. In the lab, the ollowing systems were congured as illustrated in Figure 1:
One Windows 2003 Server Domain Controller
One Windows 2003 Server running Exchange Server 2003
One Windows 2003 Server acting as a le server
One Cisco 2960 switch with a span port activated, connected to a hub
One Cisco 2800 connected to the Internet
One Red Hat Linux Enterprise server running NFS and TCPreplay
Four Windows workstations (two each o XP and Windows 2000)
One Windows Server 2003 system running ePolicy Orchestrator
(ePO)
Figure 1: Review Lab Architecture
8/3/2019 McAfee Total Protection Jun09
6/17
SANS Analyst Program 5 SANS Review: McAees Total Protection or Data
The data ormats used or testing included Microsot Oce documents and spreadsheets, text
les, e-mail content, and PDF documents. Sensitive data types o interest included Social Secu-
rity numbers, payment card data, customer lists, board meeting minutes, pharmaceutical or-
mulas, tax inormation, and other intellectual property.
The product review methodology, at a high level, involved the ollowing:1. Installing and conguring the products, including integration with Active Directory
and an e-mail server, as well as pointing components and agents to the ePO and the
McAee network DLP management platorm.
2. Creating host and network DLP policies to implement within the test network and
on workstations and servers.
3. Conducting network and host content discovery, capture and ngerprinting.
4. Testing modication o data on endpoints and attempting to remove data to exter-
nal media, create screen captures, and so on.
5. Testing network data leakage detection by sending data across the network usingTCPreplay and precongured PCAP les, as well as custom e-mails, le transers and
other such transmissions.
6. Testing encryption capabilities by dening policies or handling certain documents
and data types and then moving the les to removable media or transmitting them
via e-mail to determine whether encryption was properly maintained.
In this review, we reer to our accompanying Data Protection Requirements Worksheets sever-
ity level ratings as we set up scores or eatures and unctions. Priorities are described as ollows:
Priority 1: Essential, critical eatures that must be considered or all organizations when
evaluating DLP solutions.
Priority 2:Important eatures that deserve attention, but may not be deemed as critical
depending on the organization.
Priority 3: Interesting eatures that may be worthy o ocus and attention.
Assigned grades in this review are subjective. They are based on the reviewers experience
with the products, interviews with McAee product managers, and discussions with inorma-
tion security proessionals working with data protection tools in enterprise situations. Grades
were assigned as ollows:
A = Product met or exceeded expectations.B = Product met all requirements with some exceptions.
C = Product met most requirements but was decient in many.
D = Product met some requirements but was decient in most.
8/3/2019 McAfee Total Protection Jun09
7/17
SANS Analyst Program 6 SANS Review: McAees Total Protection or Data
SANS Review of McAfee Endpoint Encryptionfor PC (v5.1.8) and for Files and Folders (v3.1.3)
McAees Endpoint Encryption or PC (EEPC) and or Files and Folders (EEFF) allow or policy-based application and device control that can maintain persistent le and older encryption
across a variety o statesincluding sensitive les being transerred onto USB devices. EE or
removable media is integrated into McAees central management platorm, e Policy Orchestra-
tor (ePO). McAee plans to oer central management or third party, hardware-based Encrypted
USBs and hard disk drives through ePO in the uture.
Although not reviewed in this paper, the suite also includes encryption, as well as data and
device management tools or protecting mobile devices using the Windows Mobile and Sym-
bian platorms, with support or additional platorms planned or the uture.
Key eatures reviewed in the EEEF and EEPC products include disabling system ports, dening
what applications are trusted/untrusted (and what the applications are allowed to do on each
system), and maintaining persistent encryption as data moves rom the system via e-mail,
removable media or other transmission method. Other eatures o note include:
Complete encapsulation o the operating system on a users system, replacing all login and
system access unctions.
A central management console that keeps a running directory o users, systems, policies and
other objects.
Support or multiple two-actor authentication types like smart cards and hardware
tokens.
EEEF extends this level o protection to les and olders on systems, allowing extremely granular
policies to be established and maintained or dierent le types, system types and specic
users.
8/3/2019 McAfee Total Protection Jun09
8/17
SANS Analyst Program 7 SANS Review: McAees Total Protection or Data
The EEPC products were reviewed by rst installing the Endpoint Encryption Manager, EE
Server, and Object Directory on a Windows 2003 Server and then creating install packages
with a variety o password, audit, and le/older policies enabled. For both products, the review
process consisted o the ollowing:
Selecting a Password Only token option ater installation o the management components.Then selecting the deault Program Files list and creating a variety o user and machine
groups.
Creating user-based policies that restrict several applications and logging attempts to use
those applications.
Creating machine groups and adding user groups to them. For EEFF, this included creation
o several classes o encryption keys and policies including automatic encryption or Word
documents and data copied to USB drives, user and group policies, etc.
Generating and copying install packages to a USB or deployment to PCs.
Ater installation, policies were tested or each individual machine and ound to work as speci-
ed without exception. All encrypted data remained encrypted while moving rom the sys-
tems to devices. The user experience was easy, and users could not decrypt data that they had
no rights to view.
8/3/2019 McAfee Total Protection Jun09
9/17
SANS Analyst Program 8 SANS Review: McAees Total Protection or Data
Feature
Installation, Setupand Deployment
Platorm Support
User Transparencyand Friendliness
IdentityManagement
CentralizedAdministration andRole-Based Access
Algorithm Support
Key Management
RecoveryCapabilities
Security andAuditing
Priority
1
1
2
1
2
2
1
1
1
Grade
A
B
A
A
A
A
A
A
A
Comments
Deployment o the EE products was straightorward. There are several componentsthat need to be installedthe EE Manager, Object Directory, and communicationscomponents. These are simple to install and manage. Users, Machines, and MachineGroups are all then easily created and modied. Finally, an installation package orclients is created, which can then be installed rom removable media or via ePO, SMS orother sotware distribution tools.
EE products support Windows 2000, XP, Vista (32/64 bit), and Windows Server 2003.Mac OSX and Linux support are on the current McAee DLP product roadmap, but notavailable at the time o this review.
The level o user transparency or the EE line is magnicent. Encryption and decryptiono disk, les and olders had minimal impact on perormance. Enorcement o policiesand policy updates is per ormed seamlessly in the background without any userinteraction required. As an option, a system tray icon can be made visible, allowing theuser to perorm some simple actions at the administrators discretion.
LDAP, Active Directory, and other user identity repositories are supported. The productwas specically tested with Active Directory and integrated with no issues. All usermanagement is per ormed at the repository level, and rules then propagate to the EEManagement Server.
Administration and creation o agents are handled through a single console called theEndpoint Encryption Manager. Within this console, packages were generated withspecic user and machine policies, token-based and other types o authenticationcongured, and deployment options set. Multiple administrator accounts were created,each with a variety o roles and permissions that were assigned according to businessunit, machine groups, and so on.
FIPS 140-1/140-2 algorithms are supported, including AES and RC5 with strong key
lengths (256-bit and up).
Keys are not stored in plaintext on the server side and can be generated on the client andserver. Authentication is required to access keys, and all key transer communication isencrypted. This was observed by watching the trac with a snier while managing andupdating keys with clients.
Password and token recovery and resets were simple to perorm, and recoveryadministrators can be created that dont have any additional privileges (great orHelp Desk and Support teams that dont need ull access). The sotware was robust,maintaining the encrypted state even ater sudden power loss. One interesting eatureis a challenge-response password reset option or users who orget passwords, whichalso allows users with lost tokens or smart cards to temporarily become password-onlyusers at the local machine.
The EE products do not provide any sort o master key. Only the keys used to encryptdata can decrypt the data. This provides an additional level o protection against anyone administrator having the ability to access all encrypted data with a single key.Separation o duties was achieved by assigning specic roles or dierent administrators:encryption administrators or user and machine administrators. In this way, certainadministrators can be responsible or key management and encryption control, whileothers control user, group and machine administration. All boot and logon events arelogged centrally, and audit trails can be exported in a number o ormats.
Report Card: McAfee End Point Encryption for PC 5.1.8 and Files/Folders 3.1.3
8/3/2019 McAfee Total Protection Jun09
10/17
SANS Analyst Program 9 SANS Review: McAees Total Protection or Data
McAees Host DLP 3.0 and Network DLP 8.5 products cover a wide variety o dierent data
protection use cases.
McAee has integrated its agent-based Host DLP (HDLP) into the ePolicy Orchestrator (ePO)
console with a robust Policy Manager that centers on several key areas. First, a number o tags
and tagging rules are created. These are the oundation o HDLP and are used to classiy content
and dene rules that identiy content on systems on which agents are installed. Tagging rules can
be based on applications, specic content patterns or locations. The classication methods pro-
vided are fexible, including regular expressions, dictionaries and registered documents. Users
can also apply manual tags to les not covered by existing rules. Files being copied rom sensi-
tive shares can be tagged, and new les generated by applications can be tagged on the fy.
Protection rules are then created to dene the actions taken when violations are ound. A vari-ety o applications and system types (including printers) can be included in these rules. To help
locate applications that contain critical content, there are several major categories that dene
applications that edit content, archive content, and so on. Whitelists or applications and data
can be created, and other rules or controlling the clipboard, screen capture, and device con-
trols are also easily dened.
Host-based policies were then initiated through ePO and tested on workstations in various
ways, including attempts to take screenshots or to copy protected inormation to removable
media. All such attempts were successully blocked and reported per policy requirements.
McAees Network DLP (NDLP) suite includes Discover (identies sensitive data in the environ-
ment); Monitor (scans the network or sensitive data movement); Prevent (integrates with WebProxies and Mail Transer Agents to block sensitive content leakage); and Manager (manages all
network DLP unctions, policies and alerts). Once these products were installed in the test lab,
data discovery was initiated to determine whether the NDLP platorm could locate sensitive
data at rest on the NFS and SMB le shares. Numerous document types were included (e.g.,
XLS, DOC, and PDF), and the DLP tools ound and identied them accurately without advance
knowledge o what or where they were.
Network trac was then generated with SMTP and other applications, and sensitive data within
the applications were all discovered and identied through the NDLP Monitor. Prevention
rules were then tested with Microsot Exchange. Sensitive e-mails were successully
blocked, and various types and methods o notications were sent in accor-dance with pre-set policy. The Case Management system and workfow
within the NDLP Manager was leveraged with multiple users and vari-
ous roles. From a orensics standpoint, this tool is valuable because
evidence was gathered and attached to cases. Case data, searches
and reports history and other critical data are stored and indexed
or examination and chain o custody i needed.
SANS Review of McAfee Hostand Network Data Protection
8/3/2019 McAfee Total Protection Jun09
11/17
SANS Analyst Program 10 SANS Review: McAees Total Protection or Data
Feature
Installationand InitialConguration
Integration withDirectory Servicesand MTA (MailTranser Agent)
Data Discovery,Retention, andArchived Search
Policy and RuleCreation andManagement
Detection o Datain Motion, at Rest,and in Use
Priority
2
1
1
1
1
Grade
A
A
A
A
A
Comments
Installation o NDLP appliances was simple and intuitiveas close to plug andplay as possible. Installation o HDLP was also simple. Documentation is excellent.Conguration o out-o-the-box policies is easy.
Integration with Microsot Active Directory and Exchange servers was seamless and astdue to readily accessible conguration options within the NDLP and ePO consoles.
NDLP supports three scan modes: Registration (ngerprinting a repositorys les),Discover (nding previously-ngerprinted les), and Inventory (generating a ull listingo les, whether they are ngerprinted or not). Both CIFS and NFS network shares werereviewed using simple authentication via directory credentials. Scheduling scans andtying scans to existing rules and policies was simple. Perorming searches based onviolations and content types was also easy and fexible.
HDLP discovery crawls each endpoint looking or sensitive content (regular expressions,
dictionaries, content orm registered document) and/or previously tagged les.
Detected content les can be quarantined or encrypted using Endpoint Encryptionproducts. Rules and policies based on the tags were easily created and monitored orviolations. Events are then easily monitored within the ePO console, which archivesand indexes event data with ull search capabilities suitable or orensics, compliance orincident drill down.
Within NDLP, standard policies (known as Electronic Risk Modules) are installed bydeault and have a wide variety o fexible rules assigned to them. Compliance-specicpolicies are also available, and custom policies can be created easily by cloning anexisting policy. NDLP rules are fexible and use standard Boolean and Regex-like syntax.Rules can also be tuned rapidly as dictated by logged events to rene and eliminate alse
positive and alse negative behavior on the fy. Rule exceptions are also simple to add.
For HDLP, classication rules are used to dene sensitive categories according to regularexpression, dictionaries, and registered documents. Tagging rules are used to tag lescopied rom sensitive location, or les generated by sensitive applications. Protectionrules are then created to determine particular actions taken when data is transerredor transmitted. These rules are robust and use fexible syntax or tying data to specicapplications, le servers, network shares, printers and unique content patterns. Finally,device rules are used to speciy external devices like USB drives with a large variety ounique identier data. Loading HDLP rules and policies into ePO was simple.
The NDLP and HDLP products capably detected every attempt at sensitive data removal,modication, or transmission. Sensitive data in motion and use was successullydetected and logged in a variety o situations, including data sent in e-mail trac,sent as e-mail attachments, processed within applications on hosts, and transerred toUSB drives and CDs (CD-R). Attempts to capture screenshots and numerous other lemanipulations were all successully detected and logged.
Report Card: McAfee Host DLP 3.0 and Network DLP 8.5
8/3/2019 McAfee Total Protection Jun09
12/17
SANS Analyst Program 11 SANS Review: McAees Total Protection or Data
Feature
Incident Workfowand Management
CentralizedManagement andRole-based Access
Reporting
Product Security
Compliance
Priority
1
2
2
2
2
Grade
A-
A-
A
A
B
Comments
The NDLP console is a robust, built-in case creation and management system thatallows multiple incidents to be assigned or data at rest, in use and in motion. Theonly downside is that ePO does not directly manage the cases. It is only a minorinconvenience to launch the NDLP management console rom within ePO and managecases rom all products there. Full case management integration is on McAees roadmapor next release.
All events and systems could be managed rom within ePO 4.0. Some o the NDLPunctions within ePO launch a separate NDLP management console, but this is aminimal issue. Numerous roles can be assigned, including administrator, reviewer,agent administrator, auditor, and so on. Roles can be assigned to any user within theorganization, and audit trails or user actions within the console are maintained.
A variety o reports that oer many options and chart types are available within the ePOconsole and NDLP manager.
The NDLP appliances are purpose-built, locked-down devices that have only specic
ports and services running. The McAee host-based agents are also protected rom usertampering and disabling.
Although a wide variety o reports or compliance are available in the product, theyare primarily ocused on U.S.-based compliance. International regulatory complianceeatures are on the roadmap or next release, including content analysis and patternmatching in multiple languages, international compliance templates and reports, andadditional languages or the user interace.
Report Card: McAfee Host DLP 3.0 and Network DLP 8.5 (CONTINUED)
8/3/2019 McAfee Total Protection Jun09
13/17
SANS Analyst Program 12 SANS Review: McAees Total Protection or Data
SANS Review: NDLP, HDLP, and EndpointEncryption Integration Data Protection
With their latest developments and acquisitions in encryption, host and network DLP, McAeehas begun the integration to allow users to monitor and manage their critical data at use, data
at rest, and data in motion within one ramework. In this review, several critical rst stages o
this integration were in place, while others are on the product roadmap or next release.
One o the primary areas o ocus or McAee is consolidating management consoles into its
ePO product, which would allow a simple, well-known interace to be leveraged or all policy
and rule creation, package creation, event and incident management and reporting. Today,
McAees integrated deployment, auditing and reporting or data discovery, monitoring, pre-
vention, endpoint protection, device control and encryption can all be handled rom within
ePO. McAee aims to provide automated correlation, central policy conguration and manage-ment rom ePO in its next release.
Current integration o the Endpoint Encryption products with Host DLP is strong, allowing
encryption capabilities to be integrated with HDLP policies or use in the ollowing ways:
Data protection on USB and removable media: Ater dening named encryption
keys in the EEFF product and adding them in the HDLP console, these keys can be used
to encrypt data via HDLP Removable Storage Protection rules.
Network Share rules enforcement: Using HDLP File Access Protection rules, EEFF-
encrypted les can maintain an encrypted state even when copied to network shareswhere the EEFF product is not running.
Automatic encryption on discovered data: Endpoint discovery rules can be created
within HDLP and assigned Encrypt and Monitor actions on sensitive data discovered.
When sensitive data is discovered on a host, the les and/or data can be quarantined
and automatically encrypted.
8/3/2019 McAfee Total Protection Jun09
14/17
SANS Analyst Program 13 SANS Review: McAees Total Protection or Data
In this report card on integration, the Priority column has been removed, as the priority level o
integration actions was too subjective.
Integration Report Card: McAfee Total Protection for Data
Feature
Alerting andReporting
HDLP Integrationinto ePO
Endpoint EncryptionIntegration into ePO
NDLP Integrationinto ePO
Rule and PolicySupport
Workfow
Comments
All HDLP, NDLP and Encryption violation alerts can now be centrally monitored rom within ePO.Numerous other reports in the ePO allow or collection and aggregation o alerts into singlereports, providing a single pane o glass or all data incident inormation. Top-level tabs in theePO Dashboards area provide immediate visibility into violations involving data at rest, in useand in motion. Violations can be broken down into several categories (e.g., severity and types oevent).
The Host DLP product is ully integrated with ePO at this time. The HDLP Policy Manager isavailable rom within the System tab in ePO and can be used to create, modiy, manage andmonitor policies or host DLP agents. Full HDLP reporting is in place within ePO, as well.
Today, both McAees EEPC and EEFF are deployed and audited leveraging the ePO ramework.However, client conguration or EEPC and EEFF is not yet integrated into ePO or centralizedcontrol, so it must be done outside ePO. The next sotware release migrates the EE key escrowinto ePO and will provide or ull client conguration within ePO.
NDLP integrates into ePO to lesser extent than HDLP. ePO can now consolidate NDLP reports intothe Dashboards tab, and the NDLP management console can be launched directly rom withinePO. Multiple levels o NDLP reporting detail are available in ePO without having to launch theconsole. Additional integration o NDLP into ePO is planned or the next release cycle.
Although not ully integrated, an important eature has been added into NDLP 8.5 that relates toHDLP and EE capabilities. Known as Discover Remediation, this eature allows an administratorto leverage NDLP Discover to search or sensitive data at rest within the network environment(a critical automation point because no IT person knows how or where to nd critical dataoutside the database). When critical data types are discovered, administrators can take actionsbased on context and situation. For example, upon discovery o sensitive data on a le share,an administrator using the NDLP Discover management interace could elect to move, copy,encrypt, and/or delete the data based on system recommendations. This capability is not ullyautomatic and still involves the administrator, which is actually by design, as most enterprises donot currently want ully automated remediation actions involving sensitive data.
Policy and rule conguration is currently done rom dierent management consoles or HDLP,NDLP and EE, although integration is planned or the next release. However, this may or maynot be a big issue or organizations, because many still maintain a separation o duties and havedistinct groups assigned to manage policy creation, rule/control development, and enorcement.
Although not yet integrated into ePO, incidents involving data at rest, in use or in motion can
now be investigated rom within the NDLP Management console. All three event types can beadded to cases, which can then be assigned to individual users/owners and have notes added tothema strong eature or orensics, audit and ollow-up. Extensive details rom each incidentare maintained with the cases in a chain o custody ashion, and the McAee Capture capabilitiesprovide updates on data movement and disposition over time. In addition, the easy-to-useworkfow system allows multiple administrators and role-specic users to monitor and managedierent aspects o each incident and case until its resolved. McAee plans additional case andincident workfow integration within ePO in next release.
Grade
A
A
B
B
B
B
8/3/2019 McAfee Total Protection Jun09
15/17
SANS Analyst Program 14 SANS Review: McAees Total Protection or Data
Conclusion: Looking Forward
McAee has taken great strides in integrating its multiple product acquisitions in the data pro-
tection area into a cohesive and capable solution. In the product versions reviewed, SANS ana-
lysts assessed each individual product line (Network DLP, Host DLP and Endpoint Encryption)
to see i each would perorm as advertised. For the DLP product lines, sensitive data at rest, in
motion, and in use were capably detected and then handled according to previously specied
rules and policies. The Endpoint Encryption products were fexible and easy to use and oered
numerous key denition and management options.
McAee has integrated a number o eatures and unctions so that the products work together,
a value or most enterprises that havent been able to integrate separate data protection com-
ponents on their own. This is also a value rom a orensics standpoint when you consider that
all data incidents, including those that are unknown, can be logged, indexed and archived or
ollow-up searching and reporting. McAees NDLP component can now leverage HDLP data.
All o the HDLP and Endpoint Encryption rules and policies can be monitored and reported on
within ePO. And much o the management can be done in a single console.
McAees eorts to integrate all o the DLP and EE products into their best-o-breed ePO con-
sole are well underway and will be largely complete in the next product releases. This will allow
existing ePO customers to leverage and manage data protection capabilities and processes
without having to learn and build new consoles and management middleware.
Additional international rules and compliance support, and integration with other product
lines and partners, will urther integrate risk management, network security, and data protec-tions where needed. For example, McAee intends to integrate IDS/IPS and GRC (Governance,
Risk and Compliance) products into ePO and DLP, deepen its relationships with orensics solu-
tions providers, and introduce other expansions to its data protection outreach.
These partnerships and integration plans will go a long way in taking risk management,
forensics and compliance to the next level in which the comprehensive protection of sensi-
tive data becomes embedded in security, risk management and operations infrastructures,
as it should be.
8/3/2019 McAfee Total Protection Jun09
16/17
SANS Analyst Program 15 SANS Review: McAees Total Protection or Data
About the Author
Dave Shackleford, SANS GIAC Technical Director and Chie Security Ocer orConguresot. Dave has authored numerous SANS Analysts Program whitepa-
pers, is a SANS course author and instructor, and co-authored Hands-On Inorma-
tion Security, and the Managing Incident Response chapter in Readings and
Cases in the Management o Inormation Security, both published by Course
Technology. Previously, he worked as Chie Technology Ocer or the Center or
Internet Security and or a security consulting rm in Atlanta. He has worked as
a security architect, analyst, and manager or several Fortune 500 companies and
consulted with hundreds o organizations in the areas o regulatory compliance,
security and data protections, and network architecture and engineering.
8/3/2019 McAfee Total Protection Jun09
17/17
SANS Analyst Program 16 SANS Review: McAees Total Protection or Data
SANS would like to thank this papers sponsor