
McAffee_Security and System Integrity in Embedded Devices


Page 1: McAffee_Security and System Integrity in Embedded Devices

McAfee Embedded: Optimized Security Solutions for Embedded Systems

Intel Intelligent Systems Event – Istanbul, Turkey

Kathryn Martin – McAfee, OEM Account Manager

April 2012

Page 2: McAffee_Security and System Integrity in Embedded Devices

Agenda

McAfee – Security Trends & Threat Landscape

McAfee Embedded Security Solution

McAfee Software Development Kits for Embedded Systems

McAfee Global Threat Intelligence (GTI)

McAfee Centralized Embedded Security Management

Page 3: McAffee_Security and System Integrity in Embedded Devices

Global Threat Intelligence

• File Reputation

• Web Reputation

• Web Categorization

• Message Reputation

• Network Connection Reputation

Network Security

• Next Generation Firewall

• Network Intrusion Prevention

• NAC Gateway

• Network User Behavior Analysis

• Network Threat Behavior Analysis

• Network Threat Response

Content Security

• Email Gateway

• Web Gateway

• Data Loss Prevention

• Encryption

Security Management

• Policy Management

• Security Reporting

• Mobile Management

• Vulnerability Management

• Risk Management

• Compliance

Endpoint Security

• Anti-Virus & Anti-Spyware

• Host Intrusion Prevention

• Endpoint Encryption

• Application Whitelisting

• Desktop Firewall

• Device Control

• Policy Auditing

• NAC Endpoint

• Email Server AV & Anti-Spam

• SharePoint Protection

• Mobile Protection

• Virtual Desktop & Server

Page 4: McAffee_Security and System Integrity in Embedded Devices

Security Trends: Threat Landscape – The Multi-Million Business

Page 5: McAffee_Security and System Integrity in Embedded Devices

Increasing Embedded Device Security Threats


Page 6: McAffee_Security and System Integrity in Embedded Devices

The Malware Explosion: Cumulative Malware Threats

[Chart: cumulative malware threats by month, January 2010 through June 2011; vertical axis from 10M to 70M]

Page 7: McAffee_Security and System Integrity in Embedded Devices

Threat Landscape: Global Malware Vision 2011

[Chart: 2011 growth by collection. Categories: Malware families (DAT related): +662,900; Autorun (collection); Exploits (collection); FakeAV/Scareware (collection); Password Stealers (collection); Rootkits (collection); Malware Zoo (collection). Other figures shown on the chart: +2,800,000; +8,600,000; +14,400,000; +4,600,000; +75,200,000; +7,320,000]

Page 8: McAffee_Security and System Integrity in Embedded Devices

Stuxnet: The Anatomy of an Attack

HOW

• First worm developed with "nation-state" support—targeted at sabotaging Iran's nuclear enrichment facility

• 60% infected machines in Iran—Iran confirmed damage to nuclear program in Fall 2010

WHAT

• Highly sophisticated development—used 6 new zero-day vulnerabilities and worked flawlessly on all Windows versions down to Windows 95

• Digitally signed software

• Attacked SCADA systems running specific controllers—deep knowledge of control systems

• Stealth attack, operated from 2008–2010—infected variable frequency drives with slight adjustment, enough to impact centrifuges

Page 9: McAffee_Security and System Integrity in Embedded Devices

Explosion of IP Devices in a Connected World

[Figure: growth of devices and connected devices]

Page 11: McAffee_Security and System Integrity in Embedded Devices

Embedded Development – Effects of Change: Higher Support Costs

[Chart: cost over time, development versus support]

Page 12: McAffee_Security and System Integrity in Embedded Devices

Embedded Development – Goal: Keep Support Costs Low, Increase Revenue

[Chart: cost over time, development versus support]

Page 13: McAffee_Security and System Integrity in Embedded Devices

Embedded System Challenges: Maintaining Security and Control Across the Lifecycle

[Figure: Security, Control & Compliance across the chain Device Manufacturer → Distributor/Dealer → Device Owner]

Page 14: McAffee_Security and System Integrity in Embedded Devices

McAfee Embedded Security Solutions

Key and additional focus products for embedded:

• Application Control and Change Control (McAfee Embedded Control)

• Removable Device Security (McAfee Device Control)

• Content Security (McAfee Embedded Reputation SDK)

• Virus Detection & Remediation (McAfee Embedded Anti-Virus SDK)

• Data Security (McAfee Endpoint Encryption)

• Host Network Security (McAfee Host Intrusion Prevention)

• Security Management (McAfee ePolicy Orchestrator)

• Database Security (McAfee Activity Monitor / Virtual Patching / Vulnerability Manager)

Page 15: McAffee_Security and System Integrity in Embedded Devices

McAfee Embedded Security: Protect your device effectively

Page 16: McAffee_Security and System Integrity in Embedded Devices

McAfee Embedded Security: The right security solution for your solutions

[Figure: device spectrum from Dynamic to Static, with reputation-based Black / Grey / White listing. Devices placed along the spectrum: Mac, NetBook, Consumer PC, Web Servers, Email/Web Gateway, Firewall, Medical Devices, SCADA, Servers, Point of Sale, ATMs, Kiosks, Smart Meter, Printer]

Page 17: McAffee_Security and System Integrity in Embedded Devices

Challenges for Embedded Device/System Manufacturers

• Unauthorized applications

• System downtime

• Patching and updates

• Rise in support costs

• Traditional AV overhead

• Zero-day threats

• Device management

• Secure content

• Compliance drift

Themes: Security – Control – Compliance

Page 18: McAffee_Security and System Integrity in Embedded Devices

McAfee Embedded Security: Single Solution for Challenge Resolution

Security – Prevention of Known & Zero-Day Attacks

• Dynamic whitelisting

• No signatures to update

• Only approved software and applications run

Control – Accountability & Device Longevity

• What can change

• Who can change it

• When it can change

• How it can change

• Patch on your schedule

Compliance – Compliance Ready

• PCI

• HIPAA

• NERC

• Fed. Regulations

Page 19: McAffee_Security and System Integrity in Embedded Devices

The Embedded Security Product: McAfee Embedded Control – Gain Control

1. Application control

• Controls what software installs and runs

• Prevents malware

• Memory protection

• Reduces patching frequency

• Image deviation reporting

2. Change control

• Enforces software change policy

• Prevents out-of-policy changes

• File integrity monitoring for compliance

Page 20: McAffee_Security and System Integrity in Embedded Devices

McAfee Embedded Control – How it works: Build the Inventory

Preparation stage:

• Enable McAfee: establish gold or audited image

• Create inventory: automated inventory creation

• Solidified disk image: gold or audited image

Production stage:

• Solidified production mode: real-time continuous solidification

The solidification process requires no user intervention, and copies of solidified images can be distributed to other devices.

Page 21: McAffee_Security and System Integrity in Embedded Devices

McAfee Embedded Control – How it works: Maintain State With Trusted Change

[Figure: Solidified Production Mode → Authorized Update Mode → Returned to Solidified Mode. Trusted change comes only through Authorized Admin., Authorized Updaters, Secure Signed Updates and Update Windows]
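As an added illustration of the solidify / trusted-change cycle described on pages 19 to 21 (example code written for this page, not McAfee Embedded Control's implementation): a hypothetical in-memory inventory keyed by SHA-256 digests, an execution check against it, an image deviation report, and an update window that only an authorized updater may open and that re-solidifies the image when it closes. The directory, file names and the updater name "vendor-updater" are constructed for the demo.

```python
import hashlib
import os
import tempfile
from contextlib import contextmanager

def hash_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_inventory(root):
    # Solidification: record a digest for every file in the (gold) image.
    return {os.path.relpath(os.path.join(d, n), root): hash_file(os.path.join(d, n))
            for d, _, files in os.walk(root) for n in files}

class SolidifiedDevice:
    def __init__(self, root, authorized_updaters):
        self.root, self.authorized_updaters = root, set(authorized_updaters)
        self.inventory = build_inventory(root)  # the whitelist (hypothetical in-memory form)
    def may_execute(self, relpath):
        # Application control: only a file whose digest matches the inventory runs.
        path = os.path.join(self.root, relpath)
        expected = self.inventory.get(relpath)
        return expected is not None and os.path.isfile(path) and hash_file(path) == expected
    def deviations(self):
        # Image deviation report: added, removed or modified since solidification.
        cur, inv = build_inventory(self.root), self.inventory
        return {"added": sorted(set(cur) - set(inv)), "removed": sorted(set(inv) - set(cur)),
                "modified": sorted(p for p in inv if p in cur and cur[p] != inv[p])}

    @contextmanager
    def trusted_update(self, updater):
        # Change control: only an authorized updater opens a window; re-solidify on close.
        if updater not in self.authorized_updaters:
            raise PermissionError(f"{updater!r} is not an authorized updater")
        try:
            yield
        finally:
            self.inventory = build_inventory(self.root)

def write(root, name, data):
    with open(os.path.join(root, name), "wb") as f:
        f.write(data)

def demo():
    root = tempfile.mkdtemp()  # constructed gold image: one approved binary in a temp dir
    write(root, "app.bin", b"approved build 1")
    dev = SolidifiedDevice(root, authorized_updaters={"vendor-updater"})
    r = {"approved_runs": dev.may_execute("app.bin")}
    write(root, "dropper.exe", b"unknown")     # out-of-policy: unknown binary dropped
    write(root, "app.bin", b"tampered build")  # out-of-policy: approved binary altered
    r["deviation"] = dev.deviations()
    r["tampered_blocked"] = not dev.may_execute("app.bin")
    r["unknown_blocked"] = not dev.may_execute("dropper.exe")
    os.remove(os.path.join(root, "dropper.exe"))
    with dev.trusted_update("vendor-updater"):  # authorized change, then re-solidify
        write(root, "app.bin", b"approved build 2")
    r["updated_runs"] = dev.may_execute("app.bin")
    r["clean_after_update"] = not any(dev.deviations().values())
    return r
```

Note that the update window re-solidifies everything present when it closes, which is why the demo removes the unknown binary before the authorized update rather than letting it be whitelisted.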

Page 22: McAffee_Security and System Integrity in Embedded Devices

McAfee Embedded Control: Quick and Simple Setup

• Once deployed, no re-configuration required

• Nearly zero performance overhead

• Small footprint: 8–12 MB RAM, ~25 MB HDD

• Supports software distribution mechanisms

• Broad platform support:

– Microsoft OS since NT4 – Windows 8 (2012)

– Multiple Linux distributions (RHEL, SLES, etc.)

– Solaris 8, 9, 10 (SPARC)

– HP-UX 11.11, 11.23, 11.31

– AIX 5.3, 6.1

– Wind River Linux

Page 23: McAffee_Security and System Integrity in Embedded Devices

Blacklisting versus Whitelisting

Blacklisting:

• Currently 80 million signatures of malware known to McAfee

• Every day more than 60,000 unique threats newly identified

• No protection against rootkits

• No protection against exploitation

Whitelisting:

• No signatures required

• Only approved applications allowed to execute

• Protection against known threats and unknown threats (zero-day exploits)

• Protection against rootkits

• Whitelist is dynamically evolving during lifetime

Page 24: McAffee_Security and System Integrity in Embedded Devices

McAfee Embedded Security: The security solution for your solution

[Figure: device spectrum diagram, as on page 16]

Page 25: McAffee_Security and System Integrity in Embedded Devices

McAfee Embedded Anti-Virus SDK Review: Key Features, Functions, and Benefits

Scan Engine SDK

– Comprehensive detection so threats are isolated before they can spread

– Removal of viruses, worms, and other malicious code

– Reliable and accurate detection, without a costly false-alarm problem

– Effective scanning of compressed, archived, and packed files

– Support for a wide range of platforms

– Scan engine SDK for easy integration into third-party applications

Page 26: McAffee_Security and System Integrity in Embedded Devices

McAfee Embedded Security: The security solution for your solution

[Figure: device spectrum diagram, as on page 16]

Page 27: McAffee_Security and System Integrity in Embedded Devices

McAfee Security Connected: McAfee Global Threat Intelligence (GTI)

Page 28: McAffee_Security and System Integrity in Embedded Devices

McAfee Global Threat Intelligence (GTI)

Volume:

• 75 Billion Malware Reputation Queries/Month

• 20 Billion Email Reputation Queries/Month

• 2 Billion IP Population Queries/Month

• 300 Million IPS Attacks/Month

• 100 Million IP Port Reputation Queries/Month

• 100+ BILLION QUERIES

Breadth and Depth:

• Malware: 60 Million Endpoints

• Email: 30 Million Nodes

• Web: 45 Million Endpoint and Gateway Users

• Intrusions: 4 Million Nodes

• 100+ MILLION NODES, 120 COUNTRIES

Page 29: McAffee_Security and System Integrity in Embedded Devices

What It Takes to Make An Organization Safe: Global Threat Intelligence

[Figure: threat reputation fed by Network IPS, Firewall, Web Gateway, Host AV, Mail Gateway, Host IPS and 3rd Party Feed]

Page 30: McAffee_Security and System Integrity in Embedded Devices

Why McAfee Is Best Positioned to Deliver GTI: 360˚ Correlation Across All Threat Vectors

Reputation vectors: Web Reputation, Network Connection Reputation, Message Reputation, File Reputation. Signals correlated, grouped as on the slide:

• Mail/spam sending activity; intrusion attacks launched; IP addresses of attackers; web hosting/phishing activity; botnet/DDoS activity

• Mail/spam sending activity; web access/referer activity; malware hosting activity; hosted files; popups; affiliations; DNS hosting activity

• Botnet/DDoS activity; mail/spam sending activity; web access activity; malware hosting activity; network probing activity; presence of malware; DNS hosting activity; intrusion attacks launched

• IP addresses distributing; URLs hosting malware; mail/spam including it; botnet affiliation; IPS attacks caused

Page 31: McAffee_Security and System Integrity in Embedded Devices

McAfee Embedded Reputation SDK Review: Key Features, Functions, and Benefits

The McAfee Embedded Reputation SDK is a software library that provides an API for obtaining reputations and categories from McAfee's GTI Cloud.

Embedded Reputation SDK: real-time lookups via our GTI cloud service

Reputation SDK Web Security:

• URL Categorization

• Web Reputation

Reputation SDK Email and Network Protection:

• IP Reputation (anti-spam)

• Message Reputation (anti-spam)

• Connection Reputation

Supported Platforms:

• Windows, Solaris, Linux and BSD (specific x86 versions)

Page 32: McAffee_Security and System Integrity in Embedded Devices

McAfee Embedded Security Management: McAfee ePolicy Orchestrator (ePO)

Page 33: McAffee_Security and System Integrity in Embedded Devices

McAfee ePolicy Orchestrator: Centralized Security Management

Extensible:

• Automate solutions with open API

• Leverage ecosystem

• Connect to your IT infrastructure

Automated:

• Streamline processes

• Speed incident responses

• Reduce audit fatigue

Unified:

• Central point of reference

• Enterprise-wide visibility

• Reduce management complexity

Enterprise-ready:

• Distributed architecture supports deployments of any size

• Flexible reference architecture

Page 34: McAffee_Security and System Integrity in Embedded Devices

McAfee ePolicy Orchestrator: Key Feature Overview

• End-to-End Visibility

– Unified point of reference across security solutions

• Personalized Command Center

– Tune work environment to optimize efficiencies

• Drag-and-Drop Dashboards and Actionable Reports

– Immediate insight to action slashes response times

• Role-based Access Control

– Distribute administration and information

• Rogue System Detection

– Identify and manage all networked assets to lower risk

• Powerful Workflows

– Automate common routines, streamline processes across systems

• Enterprise-ready

– Flexible, scalable architecture minimizes CapEx and OpEx

• Extensible Framework

– Increase value of existing security assets, optimize for future needs

Page 35: McAffee_Security and System Integrity in Embedded Devices

Use Cases: McAfee Technologies

Page 36: McAffee_Security and System Integrity in Embedded Devices

OEM Case Study: NCR Financial Solutions

Global leader in assisted and self-service retail and financial systems, shipping 60,000+ ATMs/year with McAfee Embedded Security

"With this technology and compliance-ready ATMs, our bank customers don't have to worry about security issues affecting their business or their consumer."

• Problem Definition

– Lack of zero-day security

– Unauthorized software changes on production ATMs

• What NCR Needed

– Provide zero-day comprehensive security

– Transparent, small footprint & no overhead

– Deploy and forget, without ongoing updates

– Cost effective

• Why Embedded Security

– Insider threat mitigation, no unauthorized changes

– Complete ATM channel change control for PCI compliance

– Standardized on NCR APTRA platform

• How They Did It

– Utilizing process and certificate-based updaters for secure change control

– Built a repeatable process for specific application and OS auditing

Confidential McAfee Internal Use Only

Page 37: McAffee_Security and System Integrity in Embedded Devices

OEM Case Study: NEC Infrontia POS

NEC Infrontia is a leading developer of point-of-sale systems, and currently ships more than 15,000 POS systems in Japan with McAfee Embedded Security

"Embedding McAfee gives us complete control and certainty over what changes on each device."

• Problem Definition

– High partner support costs related to security problems

– Frequent OS patching

– Minimal to no PCI compliance

• What NEC Needed

– Reduce patching on Windows XP Embedded OS

– No performance-draining security

– Need for service provider partners to make changes

– Compliance

• Why Embedded Security

– Prevents unapproved installs to reduce in-field breakage

– Reduces number of touch points to the device

– Minimizes the need to frequently patch the OS

– Change control provides tight control over what is installed

– Delivers PCI compliant device to retailers

Page 38: McAffee_Security and System Integrity in Embedded Devices

OEM Case Study: Merge Healthcare MRI

Merge Healthcare's CADstream™, the standard in CAD for magnetic resonance imaging (MRI), ships with McAfee Embedded Security

"Integrating McAfee Embedded Security into CADstream improved CADstream security, availability, and support."

• Problem Definition

– Unavailability caused by unauthorized changes

– Rampant field maintenance from unauthorized software modifications

– Current security solution resource intensive

– No compliance

• What Merge Healthcare Needed

– Blocking unapproved installs to reduce in-hospital breakage

– Less frequent OS patching cycles

– Low overhead keeps system running smoothly at hospitals

– Provides zero-day protection for sustainable FDA compliance

– Change control dictates what can be changed or installed

• Why Embedded Security

– Minimal overhead required

– Protection in a standalone mode

– Code protection from unwanted and unauthorized change

Page 39: McAffee_Security and System Integrity in Embedded Devices

OEM Case Study: Sharp MFPs

Global leader in developing integrated business solutions, shipping more than 15,000 MX-series MFPs in Japan with McAfee Embedded Security

"McAfee locks down our office automation printers and multifunction peripherals by preventing unauthorized access and software changes."

• Problem Definition

– Lack of control and minimal device security

– High field maintenance costs tied to unauthorized changes

– No PCI compliance or zero-day protection

• What Sharp Needed

– Single solution for security and compliance

– Minimal device overhead

• Why Embedded Security

– Prevents zero-day attacks and unnecessary field maintenance

– Allows for controlled configuration changes

– Improved service availability

– Helps ensure PCI compliance

• How They Did It

– Created template policies for configuration and system protection

– Trusted only the processes they wanted for application updates

Page 40: McAffee_Security and System Integrity in Embedded Devices

McAfee: Trusted Security Partner for Embedded Developers

McAfee Embedded Security: Technology, Expertise, Partnership

Next steps:

1. Identify & evaluate needs

2. Scope and conduct proof of concept

3. OEM partnership agreement

Page 41: McAffee_Security and System Integrity in Embedded Devices
Page 42: McAffee_Security and System Integrity in Embedded Devices

McAfee Embedded Security Compliance: PCI DSS Requirements

Section 5 – Use and regularly update anti-virus software

• Whitelisting approach provides complete malware protection without need for updates

Section 6 – Develop and maintain secure systems and apps

• Zero-day protection and change reconciliation with change management systems

Section 10 – Track and monitor all access to cardholder data

• File change tracking on cardholder data, user activity, and unauthorized change attempts

Section 11 – Regularly test security systems and processes

• Comprehensive file integrity monitoring and malware protection

Page 43: McAffee_Security and System Integrity in Embedded Devices

McAfee Embedded Security Compliance: NERC CIP-007 Guidelines

CIP-007-1-R1 – Ensure cyber assets and changes to assets do not adversely affect cyber security controls

• Application control protects the state of systems and keeps security controls pristine, while change control tracks changes specified in the requirement and during an audit

CIP-007-1-R2 – Ensure ports and services required for normal operations are enabled

• Application control maintains the state of the system and prevents configuration changes to standards set by the "responsible entity"

CIP-007-1-R3 – Security patch management for tracking, evaluating, testing, and installing cyber security patches

• Application control provides a compensating measure to mitigate risk exposure when the security patch or patch management program cannot be accomplished

CIP-007-1-R4 – Use anti-virus and malware prevention to detect, prevent, deter, and mitigate malware

• Application control and whitelisting-based approach provides complete proactive malware protection without need for updates or signatures

CIP-007-1-R6 – Ensure cyber assets implement automated tools or process controls to monitor system events

• Change control provides file integrity monitoring, system alerts, and login attempts, while application control can lock the system