MID_SIEM_Boubker_EN

Confidential McAfee Internal Use Only. October 17, 2013. McAfee Security Connected: Actionable Situational Awareness. Boubker Elmouttahid, CISSP, CISM, CRISC, Solution Architect, Management Platform.

Description

Slides of the talk by McAfee lead developer Boubker Elmouttahid. The talk was given at the McAfee&Intel DAY conference on 15 October in Kyiv.

Transcript of MID_SIEM_Boubker_EN

Page 1: MID_SIEM_Boubker_EN

Confidential McAfee Internal Use Only

October 17, 2013

McAfee Security Connected: Actionable Situational Awareness

Boubker Elmouttahid, CISSP, CISM, CRISC

Solution Architect, Management Platform

Page 2: MID_SIEM_Boubker_EN


Security Connected Platform

INFORMATION SECURITY

Data Loss Prevention

Email Security

Encryption

Web Security

SECURITY MANAGEMENT

Compliance

Policy Auditing & Management

Risk Management

Security Operations Console

SIEM

Vulnerability Management

PARTNER COMMUNITY

McAfee Connected

Security Innovation Alliance (SIA)

Global Strategic Alliance Partners

Access Control

Identity & Authentication

Intrusion Prevention

Network User Behavior Analysis

NETWORK SECURITY

Next Generation Firewall

Network Access Control

Server & Database Protection

Smartphone & Tablet Protection

On Chip (Silicon-Based) Security

Virtual Machine & VDI Protection

ENDPOINT SECURITY

Application Whitelisting

Desktop Firewall

Device Control

Device Encryption

Email Protection

Embedded Device Protection

Endpoint Web Protection

Host Intrusion Protection

Malware Protection

Page 3: MID_SIEM_Boubker_EN

An Open, Full-Featured Platform: Partners and Integrated Solutions Deliver

[Diagram: Management at the center of the platform]

Page 4: MID_SIEM_Boubker_EN


McAfee Labs

• Multi-discipline security research

– Malware (viruses, spyware, rootkits, etc.)

– Spam and Phishing

– Web Security

– Network and Host Intrusion Prevention

– Vulnerabilities and Compliance Checks

• 24 x 7 emergency response team

• Holds 118+ patents and 148+ pending patents

26 cities around the world

400+ researchers

Page 5: MID_SIEM_Boubker_EN

What It Takes to Make An Organization Safe: Global Threat Intelligence

[Diagram: Threat Reputation fed by Network IPS, Firewall, Web Gateway, Host AV, Mail Gateway, Host IPS and a 3rd Party Feed]

Page 6: MID_SIEM_Boubker_EN

112 Reputation Servers in 7 Data Centers

[Map: reputation data store locations in Atlanta, Tokyo, London, Hong Kong, San Jose, Amsterdam and Chicago]

Page 7: MID_SIEM_Boubker_EN

McAfee Threat Landscape: The Core Problem

Page 8: MID_SIEM_Boubker_EN

Key Motivations

[Diagram: Purpose at the center, surrounded by Espionage, Financial, Weaponry and Ego]

Page 9: MID_SIEM_Boubker_EN

Key Threats

[Word cloud: Manufacturing, RF/IR, Bluetooth, SCADA, Web, Virtual, Zeus, Apps, Social Media, Embedded, Night Dragon, Medical Device, Aurora, Stuxnet, Entertainment, ATM/Kiosk, Energy, Mobile, Silicon, Database, Smart Cars, Conficker, RSA]

Page 10: MID_SIEM_Boubker_EN

Total Malware Samples

The McAfee “zoo” now contains more than 140 million unique malware samples.

[Chart: Total Malware Samples by month, Jul-12 to Jun-13; y-axis 0 to 160,000,000]

Page 11: MID_SIEM_Boubker_EN

Enterprise IT BIG Bets 2013 …. Enable “Situational Security Awareness” through Big Security Data

[Chart: 2000 to 2013 timeline of growth in Processing Demands, Data, Use Cases and Instrumentation; use cases spanning Perimeter Security, Compliance, Insider Threat and Data Security]

• Situational Security Awareness through Big Security Data

• Less “Matching”, more Trending

• Long term analysis for “low and slow”

• Continuous compliance monitoring

• Immediate information access

Page 12: MID_SIEM_Boubker_EN

Big Data vs. Big Security Data

Big Data

Datasets whose size and variety are beyond the ability of typical database software to capture, store, manage and analyse.

Big SECURITY Data

Understanding security data as big data.

• How do I gather security context?

• How do I manage big security information?

• How do I make security information management work?

• Size of security data doubling annually

• Advanced threats demand collecting more data

• Legacy data management approaches failing

• SIEM use shifting from compliance to security

Page 13: MID_SIEM_Boubker_EN

“The Importance” of Big Security Data

Old Attacks

• Amateurs

• Noisy

• Curious/Mischievous

• Script driven

• Untargeted

New Attacks

• Professionals

• Stealthy

• For profit/intentional damage

• Professionally developed

• Targeted

• Automated situational awareness

• Global threat intelligence

Page 14: MID_SIEM_Boubker_EN

The Big Security Data Challenge

[Diagram: from thousands of events handled by Consolidate Logs and Correlate Events (Perimeter, Compliance, Historical Reporting) to billions of events requiring Anomalies, Large Volume Analysis, Multi-dimensional Active Trending and LT Analysis (APTs, Cloud, Data, Insider)]

Page 15: MID_SIEM_Boubker_EN

The Big Security Data Challenge

Page 16: MID_SIEM_Boubker_EN

THINK FAST… ACT FAST: Actionable Situational Awareness through Enhanced Data Management and Integration

Learn Quickly: Turns billions of “so what” events into Actionable Information via context, content and advanced analytics

Move Fast: Purpose built data management engine that makes SIEM work, and is Security ‘Big Data’ ready

Act Decisively: Leveraging the value of Security Connected for faster response whilst lowering cost of ownership

Page 17: MID_SIEM_Boubker_EN

McAfee ESM

MOVE FAST: eDB, a purpose built data management engine that makes SIEM work

eDB Extended Schema in 9.2, enabling…

• Improved tracking of assets via GUID; increases accuracy as IPs change

• More custom fields; increasing data collected, correlated and reported about an event

• Ability to accumulate events (throughput, packets, URLs, etc…)

…without compromising performance!

Page 18: MID_SIEM_Boubker_EN

Learn Quickly: Establishing baselines to identify deviations

Rolling Averages: Defining abnormal patterns of activity

Page 19: MID_SIEM_Boubker_EN

Learn Quickly: Establishing baselines to identify deviations

Eliminate the Guesswork

• Alert based on deviations from norm

• Sum events and track averages

• ID Anomalies

Page 20: MID_SIEM_Boubker_EN

Learn Quickly, Global Threat Intelligence and IP Reputation

[Diagram: EVENT → IP REPUTATION CHECK against McAfee Labs IP Reputation Updates (GOOD / SUSPECT / BAD) → AUTOMATIC IDENTIFICATION → AUTOMATIC RISK ANALYSIS VIA ADVANCED CORRELATION ENGINE → Medium Risk / High Risk]

Reputation categories: Botnet/DDoS, Mail/Spam Sending, Web Access Malware Hosting, Network Probing, Presence of Malware, DNS Hosting Activity, Intrusion Attacks

Page 21: MID_SIEM_Boubker_EN

Learn Quickly: Correlating Both Flows and Events

[Diagram: Flow and Event streams feeding Correlate Event and Flow, then Advanced Correlation, Enhanced with GTI]

• Identify spikes in activity

• Analyze Behavior of an Individual Host

• Detect zero-day threats through traffic profiling

• Monitor compliance via analysis of application data, protocol and user
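As an added illustration of the baselining on pages 18 and 19 (rolling averages, alert on deviation from the norm) and the flow-plus-reputation correlation on pages 20 and 21, the following Python is not from the deck or from McAfee ESM. It keeps a per-host rolling baseline of outbound bytes per interval, alerts on spikes, and raises the risk level when the destination appears in a constructed reputation table that stands in for a GTI feed; the hosts, IPs, thresholds and flow records are all constructed.

```python
from collections import defaultdict, deque
from statistics import mean, pstdev

# Constructed stand-in for a GTI-style IP reputation feed (assumption, not McAfee data):
# destination IP -> (reputation, category), using the categories named on the slide.
REPUTATION = {
    "203.0.113.9": ("BAD", "Botnet/DDoS"),
    "198.51.100.4": ("SUSPECT", "Network Probing"),
}

WINDOW = 6        # past intervals kept in each host's rolling baseline
MIN_HISTORY = 4   # no alerting until a host has this much history
THRESHOLD = 3.0   # alert when observed > mean + THRESHOLD * stdev

def detect_anomalies(flows):
    """flows: time-ordered (host, interval, dst_ip, bytes_out) flow summaries.
    Returns alerts carrying the host's baseline and a risk level from reputation."""
    history = defaultdict(lambda: deque(maxlen=WINDOW))
    alerts = []
    for host, interval, dst, bytes_out in flows:
        hist = history[host]
        anomalous = False
        if len(hist) >= MIN_HISTORY:
            base, dev = mean(hist), pstdev(hist)
            dev = max(dev, 0.05 * base)  # a flat baseline must not flag trivial changes
            anomalous = bytes_out > base + THRESHOLD * dev
            if anomalous:
                rep, category = REPUTATION.get(dst, ("GOOD", None))
                alerts.append({"host": host, "interval": interval, "dst": dst,
                               "bytes": bytes_out, "baseline": round(base),
                               "reputation": rep, "category": category,
                               "risk": "High" if rep == "BAD" else "Medium"})
        if not anomalous:  # keep spikes out so a sustained leak does not become "normal"
            hist.append(bytes_out)
    return alerts

# Constructed sample: two hosts with steady outbound volume, then one interval each
# that sends far more, one to a BAD IP and one to a SUSPECT IP.
SAMPLE_FLOWS = []
for i in range(10):
    SAMPLE_FLOWS.append(("10.0.0.5", i, "192.0.2.10", [1000, 1050, 980, 1020][i % 4]))
    SAMPLE_FLOWS.append(("10.0.0.6", i, "192.0.2.10", 500))
SAMPLE_FLOWS[16] = ("10.0.0.5", 8, "203.0.113.9", 20000)   # interval 8, host .5
SAMPLE_FLOWS[17] = ("10.0.0.6", 8, "198.51.100.4", 5000)   # interval 8, host .6

if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_FLOWS):
        print(alert)
```

Excluding anomalous intervals from the window is a deliberate choice: it stops a "low and slow" exfiltration from quietly raising its own baseline, at the cost of never re-baselining a genuine change without analyst review.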

Page 22: MID_SIEM_Boubker_EN

ACT DECISIVELY: Leverage the power of the platform

Industry Leading Security Information and Event Management

[Diagram: Integrated Security Platform linking Event Collection, Compliance Reporting, Streamlined Investigations, Policy Management, Advanced Correlation and Log Management with ePolicy Orchestrator, Network Security Platform, Global Threat Intelligence and Vulnerability Manager]

Page 23: MID_SIEM_Boubker_EN

Organized Chaos: Security Operating in Silos (Data interconnection Left & Right)

[Diagram: SIEM]

Page 24: MID_SIEM_Boubker_EN

LEARN QUICKLY & ACT DECISIVELY: Security Connected - Intelligent Orchestration & Integration

[Diagram: ESM at the center, connected to GTI (Dynamic Enrichment), ePO (Endpoint & SIA Alerts & Policy Enforcement), NSP (Network Alerts & Quarantine), MVM (Asset Inventory & On-demand scan), and to ADM, FW, DLP, MWG, MEG, MAM, NTBA and DAM]

Page 25: MID_SIEM_Boubker_EN

ACT DECISIVELY: Intelligent Orchestration and Integration

Scenario post: “My Pal RT@aguyweknow Very Inspiring article Bit.ly/p0wn3d”

[Diagram: Detect Connection Attempt → Correlation in ESM → Trigger Alarm, Quarantine IP, Quarantine Endpoint, Launch AV Scan, Increase Security, orchestrated through ePO and NSM]

Page 26: MID_SIEM_Boubker_EN

McAfee ESM

• Unmatched Speed – Industry’s Fastest SIEM

– 100x to 1,000x faster than current solutions

– Queries, correlation and analysis in minutes, not hours

• Unmatched Scale – Collect all relevant data, not selected sub-sets

– Analyze months and years of data, not weeks

– Include higher layer context and content information

– Scales easily to billions of data records

• Improves – Operational efficiencies and optimizes security

• Enhances – Visibility & control on risk and helps you to stay compliant with regulations

• Demonstrates – Measurable ROI and reduced TCO by delivering an easy to use and scalable NG SIEM solution

Page 27: MID_SIEM_Boubker_EN

McAfee ESM: 2013 Market Leadership and Recognition

SIEM MQ “Visionary Leader”

– Gartner 2012 & 2013 SIEM Magic Quadrant

“Fastest database in the business, truly creative front end”

– SC Magazine, Excellent value for the money, February, 2012

“Best log management solution”

– InfoWorld 2011 Technology of the Year, January, 2011

“ESM has attained tier-one status alongside larger organizations”

– Ovum, Technology Audit, July, 2011

“One of the most useful and seamless incident response-focused SIEM products available today”

– The 451 Group, Impact Report, June, 2010

“Top performance, 2nd lowest price”

– Info-Tech Research Group Vendor Landscape, June, 2011

Page 28: MID_SIEM_Boubker_EN

Summary: Actionable Situational Awareness from McAfee ESM

ESM ALLOWS YOU TO….

MOVE FAST, LEARN QUICKLY, ACT DECISIVELY

Page 29: MID_SIEM_Boubker_EN

Demo

Page 30: MID_SIEM_Boubker_EN
