McAfee Active Response

Posted on 08-Apr-2017


Confidential

Colby Burkett | Technical Specialist

McAfee Active Response: Deep detection and rapid response to advanced security threats

Traditional Incident Response

[Chart: number of events over time, pre-breach and post-breach, across the Protect, Detect and Correct phases: minimal threat reduction and prolonged dwell time]

Security Connected and McAfee Active Response

[Chart: same axes as the previous slide (number of events over time, pre-breach and post-breach, Protect / Detect / Correct); dwell time minimized compared with the prolonged dwell time of traditional incident response]

Security Budgets for Rapid Detection and Response: Growth of Endpoint Threat Detection & Response

[Chart: share of security budgets for rapid detection and response: 10% by 2014, 60% by 2020]

The need for more advanced EDR is growing fast:

• Most security teams cannot detect and react fast enough to targeted attacks with the tools they have.
• Existing security tools do not have sufficient security monitoring, detection and response capabilities.
• Organizations investing in EDR tools are purposefully moving from an ‘incident response’ mentality to one of ‘continuous monitoring’ in search of incidents that they know are constantly occurring.

- Gartner, “Market Guide for Endpoint Detection and Response Solutions,” May 13, 2014.

Three Features to Look for in EDR Solutions

1. Manageability

• How simple is it to operate?
• Is it automated?
• Is it easy to run searches?
• Will it scale easily?


Three Features to Look for in EDR Solutions

2. Deep and Continuous Visibility

• Does it give you continuous visibility or only point-in-time peeks?
• Will it scan your entire infrastructure?
• Which types of files will it track? Executable, deleted, dormant or all?

Three Features to Look for in EDR Solutions

3. Configurability

• Can the solution adapt as needed to changes in attack methodologies?
• How difficult is it to customize collectors and responses?
• Can you automate responses to meet your specific objectives?

The EDR Solution You Need: McAfee Active Response

Active Response 1.1 – Foundation for Threat Hunting

Built-in collectors
- Processes
- Files with hashes
- Network info
- User info
- Host info
- and more…

Triggers
- Processes
- Network & Files

Built-in reactions
- Kill process
- Delete file
- Delete registry value
- Content updates

Search engine UI
- Collector based
- Saved searches

Search syntax
- Combine collectors
- Autocomplete
- Suggestions
- Filtering

Custom content
- Custom collectors
- Custom reactions
- Custom scripts: OS commands, PowerShell, VBS, Linux Bash, Python

Use cases
- Remove files
- Block bad IPs
- Stop port scanners
- Remove apps
- Kill running process
- Restore good files
- Customize to needs
- Manage via ePO

Key themes: instant visibility, instant reaction, easy to use, adaptable.

McAfee Active Response: Adaptable Responses to Changing Threats

• Adaptable: adjust quickly to changes in attack methodologies
• Continuous: set traps to detect attack events whenever they occur
• Automated: capture more threats with minimal staff time

Interactivity with McAfee ePolicy Orchestrator

1. View prioritized alerts
2. Execute custom or standard queries

McAfee Active Response: Continuous Monitoring Across Infrastructure

Continuous Protection with McAfee ePolicy Orchestrator

1. Set a trigger for a specific event
2. Establish the action that will be activated automatically

McAfee Active Response: Automated Capture and Monitoring

Automation with McAfee ePolicy Orchestrator

1. A persistent collector captures relevant information
2. View and act on a prioritized list of alerts and actions

McAfee Active Response: Summary

• Deep, persistent monitoring
• Adaptable, easily configurable tools
• Single, unified management console
• Detect and correct breaches faster!

Adaptable, Automated, Continuous

Security Connected

Adaptive, orchestrated, automated responses to adapt faster than threats can evolve:

1. Attacker penetrates defenses
2. McAfee DLP notices oddity; requests McAfee TIE
3. McAfee TIE provides insights from local/global sources
4. McAfee Active Response hunts, kills, remediates threat
5. McAfee ePolicy Orchestrator (ePO) provides single-console management

Use Case 1: Proactively Search for Undetonated Files

[Diagram: Web Gateway, Email Gateway, NGFW and TIE at the network and gateway layer; ePO and admin; Active Response on the endpoints]

Use Case 2: Hunt for Document-based Malware

[Diagram: TIE at the network and gateway layer; ePO and admin; Active Response on the endpoints]

Use Case 3: Monitor All Network Activity

[Diagram: endpoints running Active Response, with Internet and DNS traffic, managed through ePO by the admin]

Use Case 4: Identify Reconnaissance Attempts Inside Your Network

[Diagram: Internet, DNS, ePO, admin and Active Response on the endpoints; a port scan inside the network]

Use Case 5: Continuously Monitor Hosts Files (A)

[Diagram: ePO, admin, Active Response on the endpoints]

Use Case 5: Continuously Monitor Hosts Files (B)

[Diagram: ePO, admin, Active Response on the endpoints]
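The hosts-file monitoring use case above, as an added illustration that is not McAfee's collector or any code from this deck: it parses two constructed hosts-file snapshots, reports entries added, changed or removed since the baseline, and flags any watched name the file now overrides. The domain names, addresses and watchlist are constructed; a real collector would read the endpoint's own hosts file on a schedule.

```python
import ipaddress

# Constructed baseline: hosts file content recorded when the endpoint was known-good.
BASELINE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
10.0.5.20   build.corp.example   # internal build server
"""
# Constructed later snapshot, as a periodic collector would read it from the endpoint.
CURRENT_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
10.0.5.20   build.corp.example   # internal build server
203.0.113.9 update.vendor.example   # update domain now pinned elsewhere
0.0.0.0     telemetry.vendor.example # telemetry domain sinkholed
"""
# Constructed watchlist: names that should never be overridden by the hosts file.
WATCHLIST = {"update.vendor.example", "telemetry.vendor.example"}


def parse_hosts(text):
    """Map hostname -> address; tolerates comments, malformed lines, several names per line, IPv4/IPv6."""
    mapping = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop full-line and inline comments
        if len(fields) < 2:
            continue
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                              # not a hosts entry; skip rather than raise
        for name in fields[1:]:
            mapping[name.lower()] = addr
    return mapping


def check_hosts(baseline_text, current_text, watchlist):
    """Diff current vs baseline; return (kind, hostname, address) findings."""
    base, cur = parse_hosts(baseline_text), parse_hosts(current_text)
    findings = []
    for name, addr in cur.items():
        if name not in base:
            findings.append(("added", name, addr))
        elif base[name] != addr:
            findings.append(("changed", name, addr))
        if name in watchlist:                     # pinned or sinkholed (0.0.0.0) watched name
            findings.append(("watchlist-hit", name, addr))
    for name in base.keys() - cur.keys():
        findings.append(("removed", name, base[name]))
    return findings
```

A "watchlist-hit" finding is the one worth alerting on immediately, since pinning or sinkholing an update or telemetry domain is a common way to blind endpoint defenses; the added/changed/removed findings feed a review queue.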
