Intelligent Security Management … An IPS Industry First

In several ways, the new McAfee Network Security Platform 7.5 release is a watershed moment for the IPS market.  Up to this point, almost all IPS products were managed in the same way, but release 7.5's Intelligent Security Management changes all of that.  A short video on the subject accompanies this post.

Active Threat Dashboard and Analysis

Traditionally, IPS solutions identify potential attacks, listing alerts for these attacks on a screen as they pass through the IPS.  The user sees a large screen of alerts, with the latest alert going to the top, pushing the earlier alerts down.

This system worked well during the early days of IPS, when there were relatively few alerts or attacks on the network.  However, things have changed, and an enterprise can now expect to see thousands of attacks in a single day.  Moreover, with stealthy attacks that cannot be discovered by signatures, several pieces of non-traditional data are correlated to pin down the likes of bots and other APTs.  From an interface perspective, this only exacerbates an already bad situation, leaving most IPS solutions unusable, with alerts scrolling faster than humans can process them.

Fortunately, McAfee applied Intelligent Security Management to resolve this issue.  Release 7.5 actually introduces three components of Intelligent Security Management:

  • Progressive Disclosure
  • Intelligent Alert Prioritization
  • Scalable web-based management

Progressive Disclosure turns the IPS screen of scrolling alerts upside down.  Instead of an unreadable blur of scrolling alerts, Progressive Disclosure presents a web-based dashboard that organizes all alerts into prioritized categories so the user can easily scan the entire threat estate and determine where their efforts are needed.  Once a particular attack or bot or malware is selected by the user, new dashboards are created, progressively disclosing more and more detail as the user drills in, until fine grained detail and forensics are presented.  Progressive Disclosure makes it possible to use all of the detail without overwhelming the user.

Not all alerts are created equal – some are simply more important and relevant to your environment and risk level.  Intelligent Alert Prioritization takes the context of the alert into account.  Environmental factors such as host configuration, application types and vulnerability assessments are analyzed alongside McAfee GTI's global reputation feeds.  The result is an out-of-the-box custom weighting system that ensures the riskiest alerts are always on top.
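To make the idea of context-weighted prioritization concrete, here is an added example that is not McAfee's code and does not reproduce how Network Security Platform computes its ranking: a small scoring routine that combines a signature's base severity with whether the target host actually runs the attacked application, whether a vulnerability scan marks it as exposed, and a source-reputation value. All host data, reputation values, alerts and weights are constructed for illustration.

```python
"""Context-aware IPS alert prioritization (illustrative example, not a vendor algorithm).

Each alert starts from the severity its signature carries and is then weighted by
environmental context: does the destination host run the targeted application, is
it known to be vulnerable, and how bad is the source address's reputation. The
weights and every data record below are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class HostContext:
    applications: Set[str] = field(default_factory=set)   # services the host runs
    vulnerable_to: Set[str] = field(default_factory=set)  # findings from a vuln scan


@dataclass
class Alert:
    id: str
    signature: str
    base_severity: int          # 1..10 as assigned by the signature
    target_app: str             # application the attack aims at
    vuln_ref: Optional[str]     # vulnerability the signature exploits, if known
    dest_host: str
    src_ip: str


# Constructed asset inventory: what each host runs and what the scanner flagged.
HOSTS: Dict[str, HostContext] = {
    "web01": HostContext(applications={"apache", "ssh"}, vulnerable_to={"VULN-B"}),
    "db01": HostContext(applications={"postgres", "ssh"}, vulnerable_to=set()),
}

# Constructed reputation feed: 0.0 = clean, 1.0 = worst. RFC 5737 documentation ranges.
REPUTATION: Dict[str, float] = {
    "203.0.113.7": 0.9,
    "192.0.2.9": 0.5,
}

# Constructed alerts. Note that the two highest base severities (A1, A4) hit
# applications the hosts do not run, so context should push them down the list.
ALERTS: List[Alert] = [
    Alert("A1", "iis-overflow", 9, "iis", "VULN-A", "web01", "203.0.113.7"),
    Alert("A2", "apache-path-traversal", 5, "apache", "VULN-B", "web01", "198.51.100.2"),
    Alert("A3", "ssh-bruteforce", 7, "ssh", None, "web01", "203.0.113.7"),
    Alert("A4", "smb-exploit", 10, "smb", "VULN-C", "unknownhost", "192.0.2.9"),
]


def score_alert(alert: Alert, hosts: Dict[str, HostContext],
                reputation: Dict[str, float]) -> float:
    """Return a context-weighted risk score for one alert (higher = riskier)."""
    host = hosts.get(alert.dest_host, HostContext())
    score = float(alert.base_severity)

    # Application relevance: an attack against software the host does not run
    # is mostly noise, so it is damped rather than dropped entirely.
    score *= 1.5 if alert.target_app in host.applications else 0.3

    # Vulnerability match: the scanner says this host is exposed to exactly this flaw.
    if alert.vuln_ref and alert.vuln_ref in host.vulnerable_to:
        score *= 2.0

    # Source reputation: scale by 1 + reputation so a clean source leaves the score unchanged.
    score *= 1.0 + reputation.get(alert.src_ip, 0.0)
    return round(score, 2)


def prioritize(alerts: List[Alert], hosts: Dict[str, HostContext],
               reputation: Dict[str, float]) -> List[Alert]:
    """Sort alerts so the riskiest in this environment come first."""
    return sorted(alerts, key=lambda a: score_alert(a, hosts, reputation), reverse=True)


if __name__ == "__main__":
    for a in prioritize(ALERTS, HOSTS, REPUTATION):
        print(f"{a.id:3} {score_alert(a, HOSTS, REPUTATION):6.2f}  {a.signature} -> {a.dest_host}")
```

Run as-is and the ranking comes out A3, A2, A1, A4: the severity-10 SMB alert against a host with no SMB service drops to the bottom, while the moderate Apache alert that matches a confirmed vulnerability on web01 rises near the top. The weights are deliberately simple; the point is that the inputs the post lists (host configuration, application type, vulnerability assessment, reputation) are enough to reorder a queue that raw severity alone would sort wrongly.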

Although every vendor would love for every customer to have thousands of IPS sensors in their network, the reality is that few customers have (or need) that many.  However, there are enterprise customers that deploy hundreds of sensors, and management on this level is not easy for most IPS vendors.  Fortunately, McAfee's web-based approach makes IPS management accessible from anywhere.  Combining a hierarchical management approach with Progressive Disclosure ensures not only that big data is digestible by users, but also that the large amounts of data produced by large numbers of sensors remain usable even with over 1,000 sensors.
