Post on 26-Jun-2020

4 views

Category:

Documents


0 download

TRANSCRIPT

McAfee Confidentiality Language

McAfee OEM Overview

and IoT/OT Security

Alex Shen, CISSP

APAC OEM Sales Manager

2 McAFEE CONFIDENTIAL

The McAfee Advantage: Intelligence-Driven Security Responding to 45 billion threat queries per day

Learning from over 750 million local detection informational records per day via our Global Threat Intelligence

Executing over 200,000 files per day in our sandbox

Analyzing over 400,000 different URLs and 800,000 files per day

Identifying over 600,000 new threats per day

Protecting 400M consumer devices and 462M total endpoints, and leveraging them for machine learning models

Holding 1,300 patents worldwide

7500+ Dedicated McAfee Professionals

3 McAFEE CONFIDENTIAL

McAfee Embedded Business Overview

400+ OEM partnerships
Majority of Medical Imaging Providers standardized on McAfee
Over 50% of process control vendors standardized on McAfee
~50% of NA Water & Power production controls protected by McAfee
Nearly 50% of all ATMs protected with McAfee
100% of Japan POS vendors standardized on McAfee
Over 3 million OEM devices secured with Embedded Control

4 McAFEE CONFIDENTIAL

400+ OEM Partnerships

Security is not your core business, but it’s essential to your business

5 McAFEE CONFIDENTIAL

The Target: Critical Infrastructure Is More Than You Think

Pharma, Oil and Gas, Water, Utilities, Transportation, Power and Electric, Food and Beverages, Nuclear Plants, Chemical and Petrochemical, Discrete Manufacturing, Building Automation, Aerospace Industry, Waste Water Treatment

6 McAFEE CONFIDENTIAL

Value Drivers for IoT/OT Cyber Security

Transformation: Automation & Efficacy; Asset management and Visibility; Consolidate Security Management
Risk and Resiliency: Threat Intel sharing; Reliability and Safety; Government Regulations; Supply Chain Risk
IT-OT Convergence: Industry 4.0; Smart Airports, Grid, City

7 McAFEE CONFIDENTIAL

Threats to Reliability and Safety

Triton - Oil & Gas, Power Grid - Weak IT-OT segregation, ICS system vulnerabilities - Destructive
BlackEnergy - Ukraine Power Grid - Phishing, Credential Theft - Destructive
Bristol Airport - Flight Display Systems - Passenger Inconvenience
Ukraine Airports, Metro - Ransomware (Petya) - Disruption and Reputation
London Heathrow - Unencrypted USB - Sensitive Data Loss
Norsk Hydro Aluminum - LockerGoga Ransomware - Production disruption

8 McAFEE CONFIDENTIAL

OT Systems – Key Risks

Reference levels (diagram, OT Network and IT Network zones marked):
Level 0 Field I/O
Level 1 Controllers: PLC, RTU, IED
Level 2 Control Systems: HMI, Local HMI and Engineering Stations
Level 3 Control Center: Engineering Workstations, Application Services, Historians
Level 3.5 Security and Plant DMZ: Security and IT Services, Remote Access Services, Storage
Level 4 Enterprise IT and Internet Access: Business Applications, IT Applications, Workplace Applications
Level 5 Cloud Infrastructure and Services

Level 5 risks:
• Data related to the critical service may be accidentally leaked or shared via cloud services
• Customer data may be exposed via insecure cloud services and misconfigured S3 buckets
• Unprotected cloud infrastructure represents an attack surface and a potential entry point to the critical services

Level 4 risks:
• Ransomware can disrupt critical service operations, data or processes
• Malware delivered through spear phishing creates a backdoor into the enterprise and critical services
• Insecure mobile devices create an entry point into the enterprise or a vector for data loss

Level 3 risks:
• Ransomware can disrupt critical service operations or processes
• Malware delivered through USB can lead to service disruption or unauthorized access
• Misconfigurations and unauthorized software can lead to service disruption or unauthorized access
• Insecure remote access or removable media create a vector for data loss and backdoors into the critical services
• Unpatched workstations can be exploited easily and lead to service disruption or unauthorized control

Level 1-2 risks:
• Unpatched industrial systems can be exploited and can lead to service outage or unauthorized access
• Malware delivered through USB can lead to service outage or unauthorized access
• Unauthorized commands can lead to service disruption or access
• Lack of visibility increases the risk of a compliance violation
• Lack of visibility increases the risk of rogue devices and access points

9 McAFEE CONFIDENTIAL

Industrial IoT Systems – Key Risks

Architecture (diagram): Sensors; Communications (4G, 5G, Wi-Fi); Edge IT (Communication Gateway, Data Aggregation, Device management); Industrial IoT Applications on Platform as a Service; IoT Software as a Service

Cloud Layer:
• Data related to the critical service may be accidentally leaked or shared via unauthorized access
• Customer data may be exposed via improper or missing access control
• Customer data may be exposed via OS or application vulnerability exploits
• Sensitive data leakage through insecure application APIs or mobile apps
• Unprotected cloud workloads represent an attack surface and a potential entry point to critical services

Connectivity and Communications Layer:
• Data leakage through insecure network communications
• Data leakage through unprotected data storage
• Malware propagation through improper network segmentation

Device Layer:
• Unauthorized device access to the network
• Denial of Service through unauthorized access caused by weak passwords
• Botnet membership through unauthorized access caused by weak passwords
• Data leakage through weak passwords or insecure communication

10 McAFEE CONFIDENTIAL

Protecting Digital (Critical) Enterprise: McAfee Device to Cloud Architecture

Columns (diagram): Digital Workplace, Infrastructure Transformation, IT-OT Convergence
Rows (diagram): Devices, Management, Cloud, SOC

Capabilities listed:
• Discover and Secure multiple cloud infrastructures, AWS or Azure and beyond
• Discover and Secure private cloud infrastructures
• Secure critical applications and customer data in Cloud Platforms
• Secure critical applications to protect intellectual property and customer data
• Prevent against sensitive data leakage to cloud services
• Unified Data Protection policy from devices to cloud
• Protect multiple types of end user devices against breach – malware and data loss
• Protect servers in the data center or cloud against breach – malware and data loss
• Protect Engineering Workstations and Legacy Systems against a breach – malware and data loss
• Simplified management of device and data security policy; simplified integration path for third party solutions
• Simplified management of workload and infrastructure security policy; simplified integration path for third party solutions
• Simplified management of device, workload and data security policy; simplified integration path for third party solutions
• Advanced analytics and threat intelligence to find and investigate threats to workplace systems and data breaches
• Advanced analytics and threat intelligence to find and investigate compromised applications and accounts
• Advanced analytics and threat intelligence to find and investigate unauthorized access and system compromise

11 McAFEE CONFIDENTIAL

NIS Directive Alignment

Manage Security Risk: Asset Management; Governance; Risk Management; Supply Chain
Protect Against Cyber Attack: Service Protection Policies; Identity and Access Control; Data Security; System Security; Resilient Systems; Staff Awareness
Detect Cyber Security Events: Proactive Security Event Discovery; Security Monitoring
Minimize Impact: Lessons Learned; Recovery Planning

12 McAFEE CONFIDENTIAL

Industrial Enterprise – McAfee Controls Summary (NIS Directive Alignment)

Objectives (columns): Managing Security Risk; Protecting against cyber attack; Detect cyber security events; Minimize the impact of cyber security incidents

McAfee controls mapped to the objectives (diagram): ePO; ESM; NSP/ATD; CWS; Endpoint Security Platform; ESM, ACE, ELM, ELS, ADM; Foundstone and APG Services; Application Control; MVISION Cloud; DLP; Database Security

13 McAFEE CONFIDENTIAL

Domain 1 – Manage Cyber Risk: Supply Chain – Third Party

McAfee OEM Relationships

Market Vertical: OEM Partners
Retail: ATM, POS, kiosk, digital signage
Medical: Medical devices, pharmacy, patient monitoring
Industrial: Energy, factory automation, process control
Office: MFP, scanners, projectors, storage, systems
Comm's: Network appliances, switches, routers

14 McAFEE CONFIDENTIAL

Yokogawa Electric Corporation

Company Description

Yokogawa Electric Corporation is a Japanese electrical engineering and software company, with businesses based on its measurement, control, and information technologies. Yokogawa pioneered the development of distributed control systems and introduced its Centum series DCS in 1975.

Some of Yokogawa's most recognizable products are production control systems, test and measurement instruments, pressure transmitters, flow meters, oxygen analyzers, fieldbus instruments, Manufacturing Execution Systems and Advanced Process Control.

Use Case

Yokogawa utilizes the following McAfee Solutions to ensure the integrity of their product offering:
• McAfee Application Control
• McAfee Integrity Control
• VirusScan for OEM
• Endpoint Security for OEM

Yokogawa offers a security service supporting the above solutions across the following Yokogawa solutions:
• OpreX Control Systems - SCADA
• Centum DCS Workstations, Servers and HMI

15 McAFEE CONFIDENTIAL

Honeywell

Company Description

Honeywell provides industrial control and automation products to the oil and gas, and manufacturing industries.

Use Case

Honeywell has tested and embedded the following McAfee Solutions since 2012:
• McAfee Application Control
• Integrity Control
• VirusScan Enterprise
• Endpoint Security (ENS)
• Device Control
• McAfee MOVE
• McAfee Security for Mobile Devices
• Enterprise Security Manager (ESM / SIEM)

in the following Honeywell solutions:
• Honeywell Scanning and Mobility Solutions
• Dolphin Handheld Computer Range
• Honeywell Process Solutions
• Experion Process Knowledge System Distributed Control System for Process Manufacturers

16 McAFEE CONFIDENTIAL

General Electric

Company Description

Grid Solutions is a joint venture with Alstom. Grid Solutions equips 90% of power utilities worldwide to bring power reliably and efficiently from the point of generation to end power consumers.

GE Sensing designs, manufactures, and services ultrasonic, remote visual, radiographic, and eddy current equipment and systems.

Baker Hughes is an international industrial service company and one of the world's largest oil field services companies.

GE Healthcare is a manufacturer and distributor of diagnostic imaging agents and radiopharmaceuticals for imaging modalities that are used in medical imaging procedures.

Use Case

GE utilizes the following solutions to ensure the integrity of their customer offering:
• McAfee Endpoint Security (ENS)
• McAfee Integrity Control
• Network Security Platform
• Enterprise Security Manager (ESM)
• McAfee Policy Auditor

17 McAFEE CONFIDENTIAL

Emerson

Company Description

Emerson provides industrial control and automation products to the power, water, and manufacturing industries.

Use Case/Value Prop

Emerson has developed a good security portfolio that it is launching across several platforms. Adoption is respectable, but only 10% of the main control component, the SIEM, was being bought by its customers. Most of its customers did not need the power of the full-sized SIEM and would use only a fraction of its capacity, so it was important to develop a limited-use version to attack the remaining portion of the market.
• McAfee Endpoint Security (ENS)
• McAfee Application Control
• Enterprise Security Manager (ESM)

18 McAFEE CONFIDENTIAL

Vestas, EMEA

Company Description

Vestas Wind Systems is the world's largest manufacturer of wind turbines and control systems, installing, servicing and supporting wind turbine farms globally.

Use Case/Value Prop

Vestas ships McAfee Integrity Control and ENS on all wind turbine control systems it supplies to customers.

Deal Highlights

• Vestas chose to partner with McAfee because of our strong presence in Industrial Control System security
• Hardening these embedded systems in remote locations reduced the impact of malware as well as unintended changes to this Critical Infrastructure

19 McAFEE CONFIDENTIAL

Domain 1 – Manage Cyber Risk in OT

Gain Visibility over IT and OT Assets

Enterprise or OT SOC: Enterprise Visibility, Threat Intel Management, Incident Response
Plant ESM: Log Collection, Secure Log Storage, Correlation Investigations
Plant ePO: IT System Visibility, Policy Management and Compliance checks (Windows, MAC, Unix)
Indegy: Discovery and Visibility over Industrial Control Systems (PLC, RTU, DCS, IED)
HMI, Engineer Workstations (OT Network): McAfee Agent, Policy Auditor and Application Control
End user Devices (IT Network): McAfee Agent, ENS, Adaptive Threat Protection, Application Control, Change Control, Mobile, Device Control, EDR
ePO (IT Network): IT System Visibility, Policy Management and Compliance checks (Windows, MAC, Unix)

20 McAFEE CONFIDENTIAL

Domain 2 – Protect against Cyber Attacks

Protect against Data Loss or Theft

Level 5 Cloud Services: vNSP, ATD, Plant ePO, MWG+DLP, Plant ESM
Plant ESM: Log Collection, Secure Log Storage, Correlation Investigations
Plant ePO: IT System Visibility, Policy Management and Compliance checks (Windows, MAC, Unix)
HMI, Engineer Workstations (OT Network): McAfee Agent, Device Control
Perimeter NSP + ATD: Intrusion Prevention, Threat Intelligence and Anti-Malware Sandbox
Perimeter MWG + DLP: Perimeter Web Gateway, Network Data Loss Protection
End User Devices (IT Network): McAfee Agent, Device Control, Encryption, DLP
MVISION Cloud: Cloud Access Security Broker

21 McAFEE CONFIDENTIAL

Domain 2 – Protect against Cyber Attacks

Protect against Malware and Misconfigurations

Plant ESM: Log Collection, Secure Log Storage, Correlation Investigations
Plant ePO: IT System Visibility, Policy Management and Compliance checks (Windows, MAC, Unix)
HMI, Engineer Workstations (OT Network): McAfee Agent, ENS, Application Control, Change Control, Device Control, EDR
Perimeter NSP + ATD: Intrusion Prevention, Threat Intelligence and Anti-Malware Sandbox
Perimeter MWG + ATD: Perimeter Web Gateway, Threat Intelligence and Anti-Malware Sandbox
End User Devices (IT Network): McAfee Agent, ENS, Adaptive Threat Protection, Application Control, Change Control, Device Control, EDR
MVISION + CWS: Infrastructure assessment, Cloud Workload discovery and protection
Level 5 Cloud Infrastructure: vNSP, ATD, Plant ePO, MWG+ATD, Plant ESM

22 McAFEE CONFIDENTIAL

Domain 3 – Detect and Respond to Cyber Attacks

Identify Incidents and Adapt with Threat Intelligence

SOC and cloud components (diagram): vIPS, ATD, McAfee pGTI, ICS CERT, Threat Intel Platform, IOC, SIEM, Plant ePO, Plant ESM, Indegy
Plant ESM: Log Collection, Secure Log Storage, Correlation Investigations
Plant ePO: IT System Visibility, Threat Intelligence, EDR
Perimeter NSP + ATD: Intrusion Prevention, Threat Intelligence and Anti-Malware Sandbox
Indegy (OT Network): ICS anomaly detection
IT SOC: McAfee APG Intelligence as a Service; Threat Intelligence Platform
Enterprise SIEM: Centralized SIEM, McAfee or partner


Copyright © 2017 McAfee, LLC.

McAfee Embedded Control

25 McAFEE CONFIDENTIAL

Malware Landscape (chart)

Known Malware: Viruses, Worms, Trojans
Unknown Malware: Polymorphic Malware, Zero-Day Threats, Advanced Persistent Threats (APTs)
Examples plotted: Operation Aurora, Stuxnet
Axis labels: AV, MAC

26 McAFEE CONFIDENTIAL

McAfee Embedded Control Protection & Compliance

Application Control

• Dynamic Whitelisting

• Trusted Sources of Change

• No Updates or Signatures

Change Control

• Change Configuration Audit

• File Integrity Monitoring

• Data File Change Prevention

• Prevents “Compliance Drift”

• Keep the bad software out

• Stop unauthorized apps

• Deny unauthorized change

• Enforce change policy

Greater protection & faster time to compliance

27 McAFEE CONFIDENTIAL

McAfee Application Control: Security Through Intelligent Whitelisting

Dynamic Whitelisting: Prevents all unauthorized code from running
Memory Protection: Prevents whitelisted apps from being exploited via buffer overflow attacks
File Reputation: Integrates with GTI and TIE to classify binaries as Good, Bad and Unknown
Containment: Coordinates with ATD to assess unknown behavior and immunize endpoints

28 McAFEE CONFIDENTIAL

Blacklist vs Whitelisting (chart)

Columns, from static to dynamic: Fixed Function Systems (ATM, POS, Kiosk), COE Desktops, Dynamic Desktops, Servers
Primary Anti-malware: MAC
Secondary Anti-malware: ODS, AV

29 McAFEE CONFIDENTIAL

McAfee Change Control: End-to-end compliance with laws and regulations such as SOX and PCI DSS

Integrity Monitoring: Alerts to critical and unauthorized changes
Change Prevention: Selectively prevents out-of-policy changes; logs any attempted out-of-policy change
Continuous detection of system-level changes across distributed and remote locations

30 McAFEE CONFIDENTIAL

McAfee Change Control: Real-time monitoring and read/write protection

Real-time monitoring of Process Start/Stop, User Logon/Logoff, and File and Registry changes: detect new viruses, detect stolen/hacked passwords, detect unauthorized changes
Read Protection: Stops Unauthorized Access to Sensitive Files
Write Protection: Eliminates Unwanted Ad-Hoc Changes and Configuration Drift
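The change-control flow described on the Embedded Control and Change Control slides (hash a known-good baseline, accept changes only from trusted sources of change, flag and log everything else as unauthorized drift) as an added Python example written for this page; it is not McAfee Change Control's code or policy format, and the updater names, file names and the per-file change attribution are constructed for the demo.

```python
import hashlib
import os
import tempfile

# Constructed "trusted sources of change" (assumed names): writes attributed
# to these updaters are accepted; writes from anything else are unauthorized.
TRUSTED_UPDATERS = {"vendor_patch_installer", "epo_agent"}


def baseline(root):
    """Hash every file under root; this is the known-good state to enforce."""
    state = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            state[os.path.relpath(path, root)] = digest
    return state


def evaluate_changes(old, new, change_log):
    """Diff two baselines. change_log maps a changed path to the process that
    wrote it (the attribution a change-control driver would record). Returns
    (path, actor, verdict) triples; 'unauthorized' verdicts are the compliance
    drift that a protected system would block and log."""
    verdicts = []
    for path in sorted(set(old) | set(new)):
        if old.get(path) == new.get(path):
            continue  # unchanged, nothing to report
        actor = change_log.get(path, "unknown")
        verdict = "trusted" if actor in TRUSTED_UPDATERS else "unauthorized"
        verdicts.append((path, actor, verdict))
    return verdicts


def drift_detected(verdicts):
    """True when at least one change came from outside the trusted sources."""
    return any(v == "unauthorized" for _, _, v in verdicts)


def demo():
    """Constructed scenario: an HMI image with a binary and a config file."""
    root = tempfile.mkdtemp()

    def write(name, data):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

    write("hmi.exe", b"release 1.0")
    write("config.ini", b"alarm_threshold=80")
    before = baseline(root)
    # A vendor patch updates the binary (trusted), an interactive process
    # edits the config, and an unlisted binary appears on disk.
    write("hmi.exe", b"release 1.1")
    write("config.ini", b"alarm_threshold=999")
    write("dropper.exe", b"not on the whitelist")
    after = baseline(root)
    change_log = {"hmi.exe": "vendor_patch_installer", "config.ini": "explorer.exe"}
    return evaluate_changes(before, after, change_log)


if __name__ == "__main__":
    for path, actor, verdict in demo():
        print(f"{verdict:12} {path} (written by {actor})")
```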

Industrial Threat Management: Conceptual Architecture

32 McAFEE CONFIDENTIAL

High Level Purdue Model Security Reference Architecture

Model Layers (table reconstructed from the slide; each row gives business function, then security requirements):
Level 0: Manufacturing and Process Machinery and Sensors (Sensors, Actuators, SIS); Asset Discovery
Level 1–2: Industrial Control and supervision devices and systems (PLC, RTU, SCADA, HMI, Engineer Workstation); Asset Discovery, Threat Detection and Endpoint Security
Level 3: Industrial Management Systems (Historian); Asset Discovery, Threat Detection and Endpoint Security
Level 3.5: DMZ - Security Management and Network Controls; Perimeter Security, Threat Detection and Management
Level 4: Enterprise IT - Production and Supply Chain management (Email, Intranet, CRM); Infrastructure, Web Security, SOC
Level 5: Third Party Cloud and Internet services (Internet, SaaS, IaaS, PaaS); Cloud Data and Infrastructure Security

Other systems shown: Remote Access System, Warehouse Management System

McAfee and Indegy components placed on the diagram: Indegy Sensor, Indegy Manager, OT ePO, OT NSM, OT ATD, OT ERC, OT ESM, MWG, IT ESM, IT ePO

33 McAFEE CONFIDENTIAL

High Level Purdue Model Security Reference Architecture

NSP - Network IPS: Threat Protection, Detection, Forensics and Intelligence
ePO - Endpoint Security Policy Management, Event Collection and Reporting
OT ESM/ACE - SIEM: Log Collection, Forensics, Threat Detection, Analytics, Reporting
Indegy - Industrial Asset discovery and threat detection
ESM/RCVR - SIEM: Log Collection and Event Forwarding
Endpoint Security - Anti-Malware and Application Control for workstations and servers

34 McAFEE CONFIDENTIAL

McAfee – Indegy Integration Reference Architecture

Integration points (diagram edge labels):
McAfee EPO: Share Discovered Assets; Tag Systems based on Alert
McAfee ESM: Send Alerts via Syslog
McAfee DXL: Push Critical Alerts
McAfee ATD: Share C2 with Rule Objects
McAfee NSM: Share Discovered Asset and CVE*
Critical Alert: Quarantine System
Critical Alert: Create new Investigation (MVISION EDR)

* Work in progress
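The integration flow on the slide above (asset discovery shared to ePO, alerts sent via syslog to ESM, critical alerts tagging a system for quarantine and opening an investigation) as an added Python example written for this page; it is not Indegy's or McAfee's code, the key=value syslog payload is an assumed format rather than Indegy's real schema, and the alert lines and asset names are constructed.

```python
import re

# Constructed alert lines in an assumed key=value syslog payload (not the
# real Indegy schema). The <PRI> prefix, host and tag are likewise made up.
SAMPLE_ALERTS = [
    '<134>ot-sensor ics_alert sev=low type=new_asset asset=PLC-12 '
    'ip=10.20.1.12 msg="new device discovered"',
    '<131>ot-sensor ics_alert sev=critical type=plc_code_change asset=PLC-12 '
    'ip=10.20.1.12 msg="ladder logic download from unknown host"',
    '<132>ot-sensor ics_alert sev=medium type=unauthorized_cmd asset=RTU-3 '
    'ip=10.20.1.30 msg="register write outside maintenance window"',
]

# key=value pairs; a value is either a quoted string or a run of non-spaces
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_alert(line):
    """Turn one syslog payload into a dict of its key=value fields."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def route_alerts(lines):
    """Apply the slide's integration flow to a batch of sensor alerts:
    every alert enriches the asset inventory (Share Discovered Assets) and is
    forwarded to the SIEM (Send Alerts via Syslog); a critical alert also tags
    the system for quarantine (Tag Systems based on Alert) and opens an EDR
    investigation (Create new Investigation). Returns the three outputs so a
    caller can inspect or replay them."""
    inventory, siem_events, actions = {}, [], []
    for line in lines:
        alert = parse_alert(line)
        inventory[alert["asset"]] = alert["ip"]
        siem_events.append((alert["sev"], alert["type"], alert["asset"], alert["msg"]))
        if alert["sev"] == "critical":
            actions.append(("tag", alert["asset"], "quarantine"))
            actions.append(("investigate", alert["asset"], alert["type"]))
    return inventory, siem_events, actions


if __name__ == "__main__":
    inv, events, acts = route_alerts(SAMPLE_ALERTS)
    print("assets shared to ePO:", inv)
    print("events forwarded to ESM:", len(events))
    for action in acts:
        print("critical-alert action:", action)
```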

35 McAFEE CONFIDENTIAL

Embedded Security with McAfee

Simple, Flexible, Comprehensive, Fast