McAfee Active Response
Confidential
Colby Burkett | Technical Specialist
McAfee Active Response: Deep detection and rapid response to advanced security threats
Traditional Incident Response
[Chart: number of events over time, pre-breach to post-breach, across the Protect / Detect / Correct phases; shows minimal threat reduction and prolonged dwell time]
Security Connected and McAfee Active Response
[Chart: the same number-of-events-over-time view, pre-breach to post-breach, across the Protect / Detect / Correct phases; dwell time is minimized compared with the prolonged dwell time of traditional incident response, with minimal threat reduction]
Security budgets for rapid detection and response
Growth of Endpoint Threat Detection & Response
Gartner, “Market Guide for Endpoint Detection and Response Solutions,” May 13, 2014.
The need for more advanced EDR is growing fast:
Most security teams cannot detect and react fast enough to targeted attacks with the tools they have.
Existing security tools do not have sufficient security monitoring, detection and response capabilities.
“Organizations investing in EDR tools are purposefully moving from an ‘incident response’ mentality to one of ‘continuous monitoring’ in search of incidents that they know are constantly occurring.” – Gartner
[Chart: 10% by 2014, 60% by 2020]
Three Features to Look for in EDR Solutions
1. Manageability
• How simple is it to operate?
• Is it automated?
• Is it easy to run searches?
• Will it scale easily?
Three Features to Look for in EDR Solutions
2. Deep and Continuous Visibility
• Does it give you continuous visibility or only point-in-time peeks?
• Will it scan your entire infrastructure?
• Which types of files will it track? Executable, deleted, dormant or all?
Three Features to Look for in EDR Solutions
3. Configurability
• Can the solution adapt as needed to changes in attack methodologies?
• How difficult is it to customize collectors and responses?
• Can you automate responses to meet your specific objectives?
The EDR Solution You Need: McAfee Active Response
Active Response 1.1 – Foundation for Threat Hunting
Built-in collectors
- Processes
- Files with hashes
- Network info
- User info
- Host info
- and more…
Triggers
- Processes
- Network & Files
Built-in reactions
- Kill process
- Delete file
- Delete reg value
- Content updates
Search Engine UI
- Collector based
- Saved searches
Search syntax
- Combine collectors
- Autocomplete
- Suggestions
- Filtering
Custom content
- Custom collectors
- Custom reactions
- Custom scripts: OS commands, PowerShell, VBS, Linux Bash, Python
Use cases
- Remove files
- Block bad IPs
- Stop port scanners
- Remove apps
- Kill running process
- Restore good files
- Customize to needs
- Manage via ePO
Instant visibility | Instant reaction | Easy to use | Adaptable
McAfee Active Response
Adaptable Responses to Changing Threats
Adaptable: Adjust quickly to changes in attack methodologies
Continuous: Set traps to detect attack events whenever they occur
Automated: Capture more threats with minimal staff time
Interactivity with McAfee ePolicy Orchestrator
1. View prioritized alerts
2. Execute custom or standard queries
McAfee Active Response
Continuous Monitoring Across Infrastructure
Continuous Protection with McAfee ePolicy Orchestrator
1. Set trigger for specific event
2. Establish action that will be activated automatically
McAfee Active Response
Automated Capture and Monitoring
Automation with McAfee ePolicy Orchestrator
1. Persistent collector captures relevant information
2. View and act on prioritized list of alerts and actions
McAfee Active Response
Summary
• Deep, persistent monitoring
• Adaptable, easily configurable tools
• Single, unified management console
• Detect and correct breaches faster!
Adaptable | Automated | Continuous
Security Connected
Adaptive, orchestrated, automated responses to adapt faster than threats can evolve
1. Attacker penetrates defenses
2. McAfee DLP notices oddity; requests McAfee TIE
3. McAfee TIE provides insights from local/global sources
4. McAfee Active Response hunts, kills, remediates threat
McAfee ePolicy Orchestrator (ePO) provides single-console management
Use Case 1: Proactively Search for Undetonated Files
[Diagram: Network & Gateway (Web Gateway, Email Gateway, NGFW, TIE), ePO, Admin, Endpoints, Active Response]
Use Case 2: Hunt for Document-based Malware
[Diagram: Network & Gateway (TIE), ePO, Admin, Active Response, Endpoints]
Use Case 3: Monitor All Network Activity
[Diagram: Internet, DNS, ePO, Admin, Active Response, Endpoints]
Use Case 4: Identify Reconnaissance Attempts Inside Your Network
[Diagram: Internet, DNS, ePO, Admin, Active Response, Endpoints; port scan]
Use Case 5: Continuously Monitor Hosts Files (A)
[Diagram: ePO, Admin, Active Response, Endpoints]
Use Case 5: Continuously Monitor Hosts Files (B)
[Diagram: ePO, Admin, Active Response, Endpoints]