Evolving Your Internet Defense Strategy
Tim Roddy | Head of Product Management, Web Security

Upload: mcafee

Post on 10-Apr-2017

TRANSCRIPT

Page 1: Evolving Your Internet Defense Strategy (title slide)

Tim Roddy | Head of Product Management, Web Security

Page 2: Web Security Challenges Organizations Face Today

THREAT PROTECTION
Security teams can't keep up with highly sophisticated malware and targeted attacks that evade traditional defenses.

EFFICIENT SECURITY OPERATIONS
Point products are not sharing threat information between internal and external sources, resulting in an inefficient and expensive security practice.

PROTECTION EVERYWHERE
It is expensive and often not possible to maintain consistent protection wherever an employee resides and on each of their devices.

Page 3: Web Protection Multi-layered Security
Enabling secure web connectivity for every device, user, and location

Diagram: a Rule Engine sits between inbound and outbound traffic, managed through ePO, with the following inspection layers stacked on it:

• Anti-Malware: stop both known and zero-day malware before it reaches its target
• SSL Scanning: gain visibility into encrypted traffic and prevent hidden threats
• Content Inspection: filter unwanted URLs, categories, and media types
• Application Visibility & Control: identify all cloud applications, including shadow IT, then control both access and functionality
• Data Protection: control regulated data with pre-built dictionaries and encryption for cloud storage
• Security Integration: increase efficacy and improve security operations through integration with sandbox, endpoint, threat intelligence exchange, SIEM, and more

Page 4: Threat Protection (section divider)

Reduce remediation costs through in-line detection of zero-day malware

Page 5: How Most Organizations Approach Web Threats
URL Filtering and AV stop known threats, letting the rest hit endpoints and sandbox

Chart (x-axis: depth of inspection, y-axis: input quantity), showing the per-object cost of each tier and the share of malware it catches:

  Filter known bad (web gateways)
    URL category      ~0.05 ms
    URL reputation    ~0.08 ms
    AV                ~8 ms
    (~80% detected in total)

  Sandbox (zero-day), dynamic analysis
    ~90 s             (~20% detected)

Speed and detection rates are test calculations. Actual figures will vary in each organization.

Page 6: The Intel Security Approach – Erase Zero-Days
Zero-day threat emulation stops nearly 20% more malware

Chart (same axes as page 5), with real-time behavioral emulation inserted between the known-bad filters and the sandbox:

  Filter known bad (McAfee Web Protection)
    URL category      ~0.05 ms
    URL reputation    ~0.08 ms
    AV                ~8 ms
    (~80% detected in total)

  Real-time behavioral emulation (zero-day), Gateway Anti-Malware
    ~5 ms             (~19.5% detected)

  Sandbox / reverse-engineering (zero-day), McAfee ATD, dynamic and static analysis
    ~90 s             (~0.5% detected)

Speed and detection rates are test calculations. Actual figures will vary in each organization.

Page 7: AV-TEST Validation

Malware detection (AV-TEST.org chart; percentages are read off the bars in the legend order McAfee, Blue Coat, Cisco, Websense):

                         Zero-Day Protection Rate   PE Malware Detection   Non-PE Malware Detection
  McAfee                 91%                        99%                    99%
  Blue Coat              74%                        94%                    97%
  Cisco                  25%                        85%                    71%
  Websense               58%                        91%                    16%
  McAfee (latest)        95%                        99%                    99%

Test scope:
• Cloud intelligence • Ability to open content and inspect • Proactive scanning
• Signature-based protection • Worms, Trojans • PW stealing programs
• PDF exploits • Macros for MS Office • Malicious scripts

Latest results:
• Web Gateway increases zero-day protection to 95%
• Other vendors invited to participate; no response

AV-Test.org: Performance results obtained using specific combinations of hardware, software, and test samples. The results reflect approximate relative performance as measured by the tests performed. Any difference in system hardware, software, or available threat information may cause your performance to vary.

Page 8: Intel Security: Integrated Platform

Diagram: components arranged around a Protect / Detect / Correct cycle, connected through McAfee Threat Intelligence Exchange / Data Exchange Layer and managed by McAfee ePO:

• McAfee Web Protection
• Network Security Platform
• Endpoint Security
• McAfee Advanced Threat Defense
• McAfee Active Response
• McAfee Enterprise Security Manager (SIEM)
• McAfee ePO
• McAfee Threat Intelligence Exchange / Data Exchange Layer
• Data Protection
• SIA Partners

Page 9: McAfee Advanced Threat Defense Integration
Elevate detection rates with dynamic and static code analysis

Static Code Analysis
• Unpacking
• Disassembly of code
• Calculate latent code
• Familial resemblance

Dynamic Analysis
• Run-time DLLs
• Network operations
• File operations
• Process operations
• Delayed execution

Page 10: Protection Everywhere (section divider)

Protect users on and off-network with one unified solution

Page 11: Protection For Web Connectivity Everywhere
Any device, any location – all visible and secured

Diagram of deployment options:
• Main Office: appliance (VM or hardware)
• Remote Office: appliance (VM or hardware), or MPLS/VPN backhaul to the main office, or direct-to-cloud
• Mobile User: direct-to-cloud

Equal protection everywhere:
• Single set of policies between on-premises and cloud
• One management console
• One reporting interface
• Multiple routing options
• Dynamic routing to on-premises or cloud based on user location

Page 12: Client-Based Routing and Authentication
Maintain protection off-network with a pervasive connection at the endpoint

Diagram: McAfee Client Proxy (MCP) on the endpoint, shown both on-network and off-network.

Client Proxy features:
• Browser agnostic, port-level routing
• Intelligent agent knows when it's on-network vs. off-network
• Transparent authentication
• Lock-down or allow end-user bypass

Page 13: Gain Efficiency Through the Cloud
Tangible benefits of moving away from hardware

Lower TCO
• Remove the cost of hardware appliances
• No more resources used maintaining hardware
• Remove the entire process of patching and upgrading software; always on the latest version

Global Access
• 22+ datacenter locations worldwide
• Local web content for 20+ countries
• Connect anywhere in the world through a pervasive connection to the endpoint client

Higher Performance
• High availability with elastic capacity increases in 15 minutes
• Immediate failover to the closest, fastest point of presence
• Peering with internet exchanges often outperforms a direct connection

Page 14: Global Data Center Infrastructure
Actively expanding cloud service

• 22+ datacenter locations
• Routes to the closest DC for low latency
• Traffic processed in the local region
• High availability

Page 15: Driving Efficiency in Security Operations (section divider)

Improve threat detection and reduce incident response times by sharing threat intelligence in an integrated system

Page 16: Current Reality for Web Threat Defense

Time to compromise: minutes
Time to discover: years to months
Time to recover: months to weeks

High volume of successful intrusions and extended dwell time = $$$ catastrophic impact $$$
Constant cleanup, manual process to utilize threat intelligence = overwhelmed security teams
Only 80% of malware defeated with URL filtering + AV = minimal adversarial effort

Page 17: Web Threat Defense in an Integrated Architecture
Increase prevention and compress incident response times

Time to compromise: months
Time to discover: hours
Time to recover: minutes

Immediate prevention by all countermeasures = $ minimized impact $
Automated threat intelligence sharing through TIE = optimized security teams
99.5% of malware, including zero-days, prevented = significant adversarial effort

Page 18: Sharing the powerful zero-day detection capabilities of GAM: publishing to Threat Intelligence Exchange (TIE)

Diagram: McAfee Web Protection, McAfee NSP, McAfee ATD, McAfee ESM, McAfee ePO, two McAfee TIE Endpoint Modules and the McAfee TIE Server, all connected over the Data Exchange Layer; McAfee Global Threat Intelligence and 3rd-party feeds arrive from the Internet. An unknown file enters through Web Protection.

1. The Gateway Anti-Malware engine (GAM) detects zero-day malware in real time using behavioral emulation.
2. Web Protection publishes the new malware reputation to TIE.
3. Endpoints and other sensors are updated by TIE immediately, providing a reputation for the zero-day malware before a new DAT is published.

Result: proactive and efficient protection for the organization as soon as a threat is discovered.

Page 19: Expanding the intelligence of Web Protection in real time: consuming threat reputations from TIE

Diagram: the same Data Exchange Layer topology as page 18 (McAfee Web Protection, NSP, ATD, ESM, ePO, TIE Endpoint Modules, TIE Server, Global Threat Intelligence and 3rd-party feeds from the Internet), with the unknown file now first seen by a third party.

1. A third-party intelligence feed or security solution discovers new malware and sends the file reputation to the SIEM. The SIEM shares it with TIE.
2. The new file reputation is shared with Web Protection and the rest of the connected ecosystem, including endpoints.

Result: more threats are stopped at both the gateway and the endpoint through the expanded intelligence of immediate threat information sharing.
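The two flows on pages 18 and 19, together with the cheap-before-expensive ordering of pages 5 and 6, modelled as an added example. This is not McAfee code and does not use TIE or DXL APIs: the in-memory `ReputationExchange`, the `Sensor`/`Gateway` classes, the score scale, the `[DROPPER]` emulation marker and every sample byte string are constructed for the illustration. What it shows is the property the slides claim: once the gateway convicts a file by emulation and publishes the result, an endpoint that has no signature for that file blocks it on its next lookup, and a verdict arriving from a third-party feed is honoured by the gateway without its own AV knowing the file.

```python
"""Toy model of gateway-to-endpoint reputation sharing (added example, not McAfee code)."""
import hashlib
from dataclasses import dataclass, field

# Reputation scale constructed for this example: lower is worse.
MALICIOUS, UNKNOWN, TRUSTED = 1, 50, 99
BLOCK_THRESHOLD = 30   # block anything scored at or below this


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class ReputationExchange:
    """In-memory stand-in for a shared reputation service (not TIE/DXL itself)."""
    store: dict = field(default_factory=dict)   # sha256 -> (score, source)
    log: list = field(default_factory=list)     # (sha256 prefix, score, source)

    def publish(self, digest: str, score: int, source: str) -> bool:
        """Record a verdict. A worse score always wins, so a later 'trusted'
        claim from one sensor cannot silently clear a conviction from another."""
        current = self.store.get(digest)
        if current is not None and score >= current[0]:
            return False
        self.store[digest] = (score, source)
        self.log.append((digest[:12], score, source))
        return True

    def lookup(self, digest: str) -> int:
        return self.store.get(digest, (UNKNOWN, None))[0]


@dataclass
class Sensor:
    """An endpoint (or any other consumer): its own signature set plus read access to the exchange."""
    name: str
    exchange: ReputationExchange
    local_signatures: set = field(default_factory=set)   # hashes its own DAT already knows

    def verdict(self, data: bytes) -> str:
        digest = sha256(data)
        # Stage 1: cheapest check, the sensor's own signatures (models the AV / URL-reputation tier).
        if digest in self.local_signatures:
            return "block:local-signature"
        # Stage 2: a reputation some other sensor has already published.
        if self.exchange.lookup(digest) <= BLOCK_THRESHOLD:
            return "block:shared-reputation"
        return "allow"


class Gateway(Sensor):
    """A web gateway adds an expensive emulation stage and publishes what it finds."""

    def verdict(self, data: bytes) -> str:
        base = super().verdict(data)
        if base != "allow":
            return base            # a cheap stage settled it; emulation is skipped
        # Stage 3: behavioural emulation, run only for samples the cheap stages passed.
        if self.emulate(data):
            self.exchange.publish(sha256(data), MALICIOUS, self.name)
            return "block:emulation"
        return "allow"

    @staticmethod
    def emulate(data: bytes) -> bool:
        # Stand-in for behavioural emulation: a constructed marker, not a real detector.
        return b"[DROPPER]" in data


def run_scenario() -> dict:
    """Walk through pages 18 and 19 and return each verdict keyed by step name."""
    bus = ReputationExchange()
    endpoint = Sensor("endpoint-01", bus)
    gateway = Gateway("web-gateway", bus, local_signatures={sha256(b"old-worm")})
    results = {}

    zero_day = b"MZ\x90\x00 constructed sample [DROPPER] beacon=10.0.0.9"   # constructed bytes
    # Page 18: the endpoint's DAT has no entry, so before the gateway sees the file it passes.
    results["endpoint_before"] = endpoint.verdict(zero_day)
    # The gateway convicts it by emulation and publishes the reputation.
    results["gateway"] = gateway.verdict(zero_day)
    # The endpoint now blocks on shared reputation, with no new DAT involved.
    results["endpoint_after"] = endpoint.verdict(zero_day)

    # Page 19: a third-party feed reaches the exchange via the SIEM path.
    feed_sample = b"constructed sample convicted by a third-party feed"
    bus.publish(sha256(feed_sample), MALICIOUS, "siem:third-party-feed")
    results["gateway_from_feed"] = gateway.verdict(feed_sample)

    results["gateway_known"] = gateway.verdict(b"old-worm")   # local signatures still answer first
    results["benign"] = gateway.verdict(b"plain document")
    results["publications"] = len(bus.log)
    return results


if __name__ == "__main__":
    for step, outcome in run_scenario().items():
        print(f"{step:20} {outcome}")
```

The ordering inside `verdict` is the point of pages 5 and 6: a hash hit or a shared reputation answers in constant time, and only what those miss reaches emulation. The worst-score-wins rule in `publish` is one design choice for the conflict the slides do not discuss, namely what happens when two sources disagree about the same file; a real deployment would key that on source trust rather than on the raw score.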

Page 20: McAfee Web Protection

THREAT PROTECTION
Best-in-class malware detection, full coverage of web traffic including SSL.

EFFICIENT SECURITY OPERATIONS
More effective threat detection, lower TCO, and operational efficiency for web security and the entire infrastructure.

PROTECTION EVERYWHERE
Feature parity between cloud and on-premises, deployed to users efficiently wherever they reside.

Page 21: www.mcafee.com/webprotection