McAfee OEM Overview
and IoT/OT Security
Alex Shen, CISSP
APAC OEM Sales Manager
2 McAFEE CONFIDENTIAL
The McAfee Advantage: Intelligence-Driven Security
• Responding to 45 billion threat queries per day
• Learning from over 750 million local detection informational records per day via our Global Threat Intelligence
• Executing over 200,000 files per day in our sandbox
• Analyzing over 400,000 different URLs and 800,000 files per day
• Identifying over 600,000 new threats per day
• Protecting 400M consumer devices and 462M total endpoints, and leveraging them for machine learning models
• Holding 1,300 patents worldwide
• 7,500+ dedicated McAfee professionals
McAfee Embedded Business Overview
• 400+ OEM partnerships
• Majority of Medical Imaging Providers standardized on McAfee
• Over 50% of process control vendors standardized on McAfee
• ~50% of NA Water & Power production controls protected by McAfee
• Nearly 50% of all ATMs protected with McAfee
• 100% of Japan POS vendors standardized on McAfee
• Over 3 million OEM devices secured with Embedded Control

400+ OEM Partnerships
Security is not your core business, but it's essential to your business
The Target: Critical Infrastructure Is More Than You Think
Pharma, Oil and Gas, Water, Utilities, Transportation, Power and Electric, Food and Beverages, Nuclear Plants, Chemical and Petrochemical, Discrete Manufacturing, Building Automation, Aerospace Industry, Waste Water Treatment
Value Drivers for IoT/OT Cyber Security
• Transformation: IT-OT Convergence; Industry 4.0; Smart Airports, Grid, City
• Automation & Efficacy: Asset management and Visibility; Consolidate Security Management
• Risk and Resiliency: Threat Intel sharing; Reliability and Safety; Government Regulations; Supply Chain Risk
Threats to Reliability and Safety
• Triton - Oil & Gas, Power Grid: weak IT-OT segregation, ICS system vulnerabilities; destructive
• BlackEnergy - Ukraine Power Grid: phishing, credential theft; destructive
• Bristol Airport - flight display systems: passenger inconvenience
• Ukraine Airports, Metro - ransomware (Petya): disruption and reputation
• London Heathrow - unencrypted USB: sensitive data loss
• Norsk Hydro Aluminum - LockerGoga ransomware: production disruption
OT Systems – Key Risks
Level 5 Cloud Infrastructure and Services
Level 4 Enterprise IT and Internet Access: Business Applications, IT Applications, Workplace Applications
Level 3.5 Security and Plant DMZ: Security and IT Services, Remote Access Services, Storage
Level 3 Control Center: Engineering Workstations, Application Services, Historians
Level 2 Control Systems: HMI, Local HMI and Engineering Stations
Level 1 Controllers: PLC, RTU, IED
Level 0 Field I/O
(Diagram labels: OT Network, IT Network)

Level 5
• Data related to the critical service may be accidentally leaked or shared via cloud services
• Customer data may be exposed via unsecure cloud services and misconfigured S3 buckets
• Unprotected cloud infrastructure represents an attack surface and potential entry point to the critical services

Level 4
• Ransomware can disrupt critical service operations, data or processes
• Malware delivered through spear phishing creates a backdoor into the enterprise and critical services
• Unsecure mobile devices create an entry point into the enterprise or a vector for data loss

Level 3
• Ransomware can disrupt critical service operations or processes
• Malware delivered through USB can lead to service disruption or unauthorized access
• Misconfigurations and unauthorized software can lead to service disruption or unauthorized access
• Insecure remote access or removable media create a vector for data loss and backdoors into the critical services
• Unpatched workstations can be exploited easily and lead to service disruption or unauthorized control

Level 1-2
• Unpatched industrial systems can be exploited and can lead to service outage or unauthorized access
• Malware delivered through USB can lead to service outage or unauthorized access
• Unauthorized commands can lead to service disruption or unauthorized access
• Lack of visibility increases the risk of a compliance violation
• Lack of visibility increases the risk of rogue devices and access points
Industrial IoT Systems – Key Risks
Layers shown: Cloud (Industrial IoT Applications on Platform as a Service; IoT Software as a Service); Edge IT (Communication Gateway, Data Aggregation, Device management); Communications (4G, 5G, Wi-Fi); Sensors

Cloud Layer
• Data related to the critical service may be accidentally leaked or shared via unauthorized access
• Customer data may be exposed via improper or absent access control
• Customer data may be exposed via OS or application vulnerability exploits
• Sensitive data leakage through insecure application APIs or mobile apps
• Unprotected cloud workloads represent an attack surface and potential entry point to critical services

Connectivity and Communications Layer
• Data leakage through insecure network communications
• Data leakage through unprotected data storage
• Malware propagation through improper network segmentation

Device Layer
• Unauthorized device access to the network
• Denial of Service through unauthorized access caused by weak passwords
• Botnet membership through unauthorized access caused by weak passwords
• Data leakage through weak passwords or insecure communication
Protecting the Digital (Critical) Enterprise: McAfee Device to Cloud Architecture
Columns: Digital Workplace; Infrastructure Transformation; IT-OT Convergence. Rows: SOC; Devices; Management; Cloud.

SOC
• Advanced analytics and threat intelligence to find and investigate threats to workplace systems and data breaches
• Advanced analytics and threat intelligence to find and investigate compromised applications and accounts
• Advanced analytics and threat intelligence to find and investigate unauthorized access and system compromise

Devices
• Protect multiple types of end user devices against breach – malware and data loss
• Protect servers in the data center or cloud against breach – malware and data loss
• Protect Engineering Workstations and Legacy Systems against a breach – malware and data loss

Management
• Simplified management of device and data security policy; simplified integration path for third party solutions
• Simplified management of workload and infrastructure security policy; simplified integration path for third party solutions
• Simplified management of device, workload and data security policy; simplified integration path for third party solutions
• Unified Data Protection policy from devices to cloud

Cloud
• Discover and secure multiple cloud infrastructures, AWS or Azure and beyond
• Discover and secure private cloud infrastructures
• Secure critical applications and customer data in cloud platforms
• Secure critical applications to protect intellectual property and customer data
• Prevent sensitive data leakage to cloud services
NIS Directive Alignment
• Manage Security Risk: Asset Management; Governance; Risk Management; Supply Chain
• Protect Against Cyber Attack: Service Protection Policies; Identity and Access Control; Data Security; System Security; Resilient Systems; Staff Awareness
• Detect Cyber Security Events: Proactive Security Event Discovery; Security Monitoring
• Minimize Impact: Lessons Learned; Recovery Planning
Industrial Enterprise – McAfee Controls Summary (NIS Directive Alignment)
Objectives: Managing Security Risk; Protecting against cyber attack; Detect cyber security events; Minimize the impact of cyber security incidents
Controls mapped: ePO, ESM; NSP/ATD, CWS, Endpoint Security Platform; ESM, ACE, ELM, ELS, ADM; Foundstone and APG Services; Application Control; MVISION Cloud; DLP, Database Security
Domain 1 – Manage Cyber Risk: Supply Chain – Third Party
McAfee OEM Relationships (Market Vertical: OEM Partners)
• Retail: ATM, POS, kiosk, digital signage
• Medical: Medical devices, pharmacy, patient monitoring
• Industrial: Energy, factory automation, process control
• Office: MFP, scanners, projectors, storage, systems
• Comms: Network appliances, switches, routers
Yokogawa Electric Corporation
Company Description
Yokogawa Electric Corporation is a Japanese electrical engineering and software company, with businesses based on its measurement, control, and information technologies. Yokogawa pioneered the development of distributed control systems and introduced its Centum series DCS in 1975.
Some of Yokogawa's most recognizable products are production control systems, test and measurement instruments, pressure transmitters, flow meters, oxygen analyzers, fieldbus instruments, Manufacturing Execution Systems and Advanced Process Control.
Use Case
Yokogawa utilizes the following McAfee Solutions to ensure the integrity of their product offering:
• McAfee Application Control
• McAfee Integrity Control
• VirusScan for OEM
• Endpoint Security for OEM
Yokogawa offers a security service supporting the above solutions across the following Yokogawa solutions:
• OpreX Control Systems - SCADA
• Centum DCS Workstations, Servers and HMI
Honeywell
Company Description
Honeywell provides industrial control and automation products to the oil and gas, and manufacturing industries.
Use Case
Honeywell has tested and embedded the following McAfee Solutions since 2012:
• McAfee Application Control
• Integrity Control
• VirusScan Enterprise
• Endpoint Security (ENS)
• Device Control
• McAfee MOVE
• McAfee Security for Mobile Devices
• Enterprise Security Manager (ESM / SIEM)
in the following Honeywell solutions:
• Honeywell Scanning and Mobility Solutions
• Dolphin Handheld Computer Range
• Honeywell Process Solutions
• Experion Process Knowledge System Distributed Control System for Process Manufacturers
General Electric
Company Description
Grid Solutions, a joint venture with Alstom, equips 90% of power utilities worldwide to bring power reliably and efficiently from the point of generation to end power consumers.
GE Sensing designs, manufactures, and services ultrasonic, remote visual, radiographic, and eddy current equipment and systems.
Baker Hughes is an international industrial service company and one of the world's largest oil field services companies.
GE Healthcare is a manufacturer and distributor of diagnostic imaging agents and radiopharmaceuticals for imaging modalities that are used in medical imaging procedures.
Use Case
GE utilizes the following solutions to ensure the integrity of their customer offering:
• McAfee Endpoint Security (ENS)
• McAfee Integrity Control
• Network Security Platform
• Enterprise Security Manager (ESM)
• McAfee Policy Auditor
Emerson
Company Description
Emerson provides industrial control and automation products to the power, water, and manufacturing industries.
Use Case/Value Prop
Emerson has developed a good security portfolio that they are launching across several platforms. They are getting a respectable adoption rate, but only 10% of the main control component, the SIEM, was being bought by their customers. Most of their customers did not need the power of the full-sized SIEM; they would only be using a fraction of its capacity. So it was important to develop a limited-use version to attack the remaining portion of the market.
• McAfee Endpoint Security (ENS)
• McAfee Application Control
• Enterprise Security Manager (ESM)
Vestas, EMEA
Company Description
Vestas Wind Systems is the world's largest manufacturer of wind turbines and control systems, installing, servicing and supporting wind turbine farms globally.
Use Case/Value Prop
Vestas ships McAfee Integrity Control and ENS on all wind turbine control systems they supply to customers.
Deal Highlights
• Vestas chose to partner with McAfee because of our strong presence in Industrial Control System security
• Hardening these embedded systems in remote locations reduced the impact of malware as well as unintended changes to this Critical Infrastructure
Domain 1 – Manage Cyber Risk in OT: Gain Visibility over IT and OT Assets
• Enterprise or OT SOC: Enterprise Visibility, Threat Intel Management, Incident Response
• Plant ESM: Log Collection, Secure Log Storage, Correlation, Investigations
• Plant ePO: IT System Visibility, Policy Management and Compliance checks (Windows, Mac, Unix)
• Indegy: Discovery and Visibility over Industrial Control Systems (PLC, RTU, DCS, IED)
• HMI, Engineering Workstations (OT Network): McAfee Agent, Policy Auditor and Application Control
• End User Devices (IT Network): McAfee Agent, ENS, Adaptive Threat Protection, Application Control, Change Control, Mobile, Device Control, EDR
• ePO (IT Network): IT System Visibility, Policy Management and Compliance checks (Windows, Mac, Unix)
Domain 2 – Protect against Cyber Attacks: Protect against Data Loss or Theft
• Level 5 Cloud Services: vNSP, ATD, MWG+DLP, Plant ePO, Plant ESM
• Plant ESM: Log Collection, Secure Log Storage, Correlation, Investigations
• Plant ePO: IT System Visibility, Policy Management and Compliance checks (Windows, Mac, Unix)
• HMI, Engineering Workstations (OT Network): McAfee Agent, Device Control
• Perimeter NSP + ATD: Intrusion Prevention, Threat Intelligence and Anti-Malware Sandbox
• Perimeter MWG + DLP (IT Network): Web Gateway, Network Data Loss Protection
• End User Devices: McAfee Agent, Device Control, Encryption, DLP
• MVISION Cloud: Cloud Access Security Broker
Domain 2 – Protect against Cyber Attacks: Protect against Malware and Misconfigurations
• Level 5 Cloud Infrastructure: vNSP, ATD, MWG+ATD, Plant ePO, Plant ESM
• Plant ESM: Log Collection, Secure Log Storage, Correlation, Investigations
• Plant ePO: IT System Visibility, Policy Management and Compliance checks (Windows, Mac, Unix)
• HMI, Engineering Workstations (OT Network): McAfee Agent, ENS, Application Control, Change Control, Device Control, EDR
• Perimeter NSP + ATD: Intrusion Prevention, Threat Intelligence and Anti-Malware Sandbox
• Perimeter MWG + ATD (IT Network): Web Gateway, Threat Intelligence and Anti-Malware Sandbox
• End User Devices: McAfee Agent, ENS, Adaptive Threat Protection, Application Control, Change Control, Device Control, EDR
• MVISION + CWS: Infrastructure assessment, Cloud Workload discovery and protection
Domain 3 – Detect and Respond to Cyber Attacks: Identify Incidents and Adapt with Threat Intelligence
• Threat Intel Platform: vIPS, ATD, McAfee pGTI, ICS CERT, IOC, SIEM, Plant ePO, Plant ESM, Indegy
• Plant ESM: Log Collection, Secure Log Storage, Correlation, Investigations
• Plant ePO (OT Network): IT System Visibility, Threat Intelligence, EDR
• Perimeter NSP + ATD: Intrusion Prevention, Threat Intelligence and Anti-Malware Sandbox
• ICS anomaly detection
• IT SOC: McAfee APG, Intelligence as a Service, Threat Intelligence Platform
• Enterprise SIEM: Centralized SIEM, McAfee or partner
McAfee, the McAfee logo and [insert <other relevant McAfee Names>] are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the U.S. and/or other countries.
Other names and brands may be claimed as the property of others.
Copyright © 2017 McAfee, LLC.
Malware Landscape
• Known Malware: Viruses, Worms, Trojans
• Unknown Malware: Polymorphic Malware, Zero-Day Threats, Advanced Persistent Threats (APTs); examples: Operation Aurora, Stuxnet
Controls shown: AV, MAC
McAfee Embedded Control Protection & Compliance
Application Control
• Dynamic Whitelisting
• Trusted Sources of Change
• No Updates or Signatures
Change Control
• Change Configuration Audit
• File Integrity Monitoring
• Data File Change Prevention
• Prevents “Compliance Drift”
• Keep the bad software out
• Stop unauthorized apps
• Deny unauthorized change
• Enforce change policy
Greater protection & faster time to compliance
McAfee Application Control: Security Through Intelligent Whitelisting
• Dynamic Whitelisting: Prevents all unauthorized code from running
• Memory Protection: Prevents whitelisted apps from being exploited via buffer overflow attacks
• File Reputation: Integrates with GTI and TIE to classify binaries as Good, Bad and Unknown
• Containment: Coordinates with ATD to assess unknown behavior and immunize endpoints
Blacklist vs Whitelisting: Static vs Dynamic
System classes: Fixed Function Systems (ATM, POS, Kiosk); COE Desktops; Dynamic Desktops; Servers
Primary Anti-malware: MAC
Secondary Anti-malware: ODS AV, AV
McAfee Change Control: End-to-end compliance with laws and regulations such as SOX and PCI DSS
• Integrity Monitoring: Alerts to critical and unauthorized changes
• Change Prevention: Selectively prevents out-of-policy changes; logs any attempted out-of-policy change
• Continuous detection of system-level changes across distributed and remote locations
McAfee Change Control: Real-time monitoring and read/write protection
• Process Start/Stop: Detect new viruses
• User Logon/Logoff: Detect stolen/hacked passwords
• File and Registry: Detect unauthorized changes
• Read Protection: Stops unauthorized access to sensitive files
• Write Protection: Eliminates unwanted ad-hoc changes and configuration drift
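As an added illustration of the behaviour the Application Control and Change Control slides describe (not McAfee code; the policy class, file paths and process names are constructed), a small Python model that baselines a binary by hash, blocks unknown code and out-of-policy writes, lets a trusted updater re-baseline, and logs every denied attempt:

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class EmbeddedControlPolicy:
    """Constructed model of the slides' controls (dynamic allowlisting, trusted sources of
    change, read/write protection, audit log). Hypothetical example, not McAfee code."""
    allowlist: dict = field(default_factory=dict)       # path -> sha256 of the approved binary
    trusted_updaters: set = field(default_factory=set)  # processes allowed to change protected files
    write_protected: set = field(default_factory=set)
    read_protected: set = field(default_factory=set)
    audit_log: list = field(default_factory=list)

    def _record(self, verdict, action, path, actor):
        # Every decision is logged, so denied attempts are visible to a SIEM
        self.audit_log.append(f"{verdict} {action} path={path} actor={actor}")
        return verdict == "ALLOW"

    def solidify(self, path, content):
        """Baseline (solidify) a binary: only this exact content may execute."""
        self.allowlist[path] = hashlib.sha256(content).hexdigest()

    def check_execute(self, path, content, actor):
        """Dynamic allowlisting: no signatures, just 'is this the baselined code?'"""
        ok = self.allowlist.get(path) == hashlib.sha256(content).hexdigest()
        return self._record("ALLOW" if ok else "DENY", "execute", path, actor)

    def check_write(self, path, content, actor):
        """Write protection: only a trusted updater may change a protected file."""
        if path in self.write_protected and actor not in self.trusted_updaters:
            return self._record("DENY", "write", path, actor)
        if path in self.allowlist:
            self.solidify(path, content)  # a trusted source of change becomes the new baseline
        return self._record("ALLOW", "write", path, actor)

    def check_read(self, path, actor):
        """Read protection: sensitive files are readable only by trusted processes."""
        if path in self.read_protected and actor not in self.trusted_updaters:
            return self._record("DENY", "read", path, actor)
        return self._record("ALLOW", "read", path, actor)


def demo():
    """Constructed scenario on an HMI workstation (paths and process names are made up)."""
    p = EmbeddedControlPolicy(trusted_updaters={"vendor_patch_svc"},
                              write_protected={"/opt/hmi/hmi.exe", "/opt/hmi/config.ini"},
                              read_protected={"/opt/hmi/secrets.key"})
    p.solidify("/opt/hmi/hmi.exe", b"hmi-v1")
    results = {
        "run_baseline": p.check_execute("/opt/hmi/hmi.exe", b"hmi-v1", "operator"),
        "run_usb_tool": p.check_execute("/media/usb/tool.exe", b"unknown", "operator"),
        "tamper_by_operator": p.check_write("/opt/hmi/hmi.exe", b"hmi-v1-mod", "operator"),
        "run_after_tamper": p.check_execute("/opt/hmi/hmi.exe", b"hmi-v1", "operator"),
        "patch_by_vendor": p.check_write("/opt/hmi/hmi.exe", b"hmi-v2", "vendor_patch_svc"),
        "run_patched": p.check_execute("/opt/hmi/hmi.exe", b"hmi-v2", "operator"),
        "read_key_by_operator": p.check_read("/opt/hmi/secrets.key", "operator"),
    }
    return results, p.audit_log
```

Calling demo() returns the per-action verdicts and the audit log; the blocked tamper leaves the original baseline runnable, while the vendor patch is allowed and immediately becomes the new allowlisted hash.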
High Level Purdue Model Security Reference Architecture
Model Layers:
• Level 0: Sensors, Actuators, SIS
• Level 1: PLC, RTU
• Level 2: SCADA, HMI, Engineer Workstation
• Level 3: Historian, Warehouse Management System
• Level 3.5: OT ERC, OT ESM
• Level 4: Email, Intranet, CRM
• Level 5: Internet, SaaS, IaaS, PaaS
Security components shown: Indegy Sensor, Indegy Manager, OT ePO, OT NSM, OT ATD, Remote Access System, MWG, IT ESM, IT ePO
Business Functions: Manufacturing and Process Sensors; Manufacturing and Process Machinery; Industrial Control and supervision devices and systems; Industrial Management Systems; DMZ - Security Management and Network Controls; Enterprise IT - Production and Supply Chain management; Third Party Cloud and Internet services
Security Requirements: Asset Discovery (Levels 0 and 1); Asset Discovery, Threat Detection and Endpoint Security (Levels 2 and 3); Perimeter Security, Threat Detection and Management (Level 3.5); Infrastructure, Web Security, SOC (Level 4); Cloud Data and Infrastructure Security (Level 5)
High Level Purdue Model Security Reference Architecture
NSP - Network IPS Threat Protection, Detection Forensics and Intelligence
ePO Endpoint Security Policy Management, Event Collection and Reporting
OT ESM/ACE - SIEM Log Collection, Forensics, Threat Detection, Analytics, Reporting
Indegy Industrial Asset discovery and threat detection
ESM/RCVR - SIEM Log Collection and Event Forwarding
Endpoint Security Anti-Malware and Application Control for workstations and servers
McAfee – Indegy Integration Reference Architecture
• McAfee ePO: Share Discovered Assets; Tag Systems based on Alert
• McAfee ESM: Send Alerts via Syslog
• McAfee DXL / McAfee ATD / McAfee NSM: Push Critical Alerts; Share C2 with Rule Objects; Share Discovered Asset and CVE* (* work in progress); Critical Alert - Quarantine System
• MVISION EDR: Critical Alert - Create new Investigation