Director of Information Security Simon Brown oversees information security for the Liquor Control Board of Ontario (LCBO), one of the world’s largest retailers of beverage alcohol. LCBO operates 650 brick-and-mortar retail stores plus ecommerce and mobile storefronts across the Canadian province. The adaptable threat defense infrastructure that Brown and his very small IS team have built enables them to manage security with minimal resources and to find and respond to cyberthreats in minutes across LCBO’s extended enterprise
Why did you move from a managed service provider (MSP) model to an infrastructure based primarily on McAfee solutions?
We came to the realization that we could get more value with our own high-quality staff and the right tools. Plus, we would no longer have to rely on external businesses that will never know our business as well as we do. …We had used McAfee endpoint protection and the McAfee ePO™ central console but we didn’t seriously consider McAfee ePO as a means of managing other enterprise security solutions until our new CIO’s push for standardization. Because of the McAfee integrated security platform—the way all its solutions work together and enhance each other—it made total sense to leverage our existing McAfee endpoint environment and McAfee ePO.
How did you strategically roll out the various McAfee solutions?
The first thing we did was consolidate our five instances of McAfee ePO into one production console and one quality assurance console. Then, because our legacy SIEM was being obsoleted, we deployed McAfee Enterprise Security Manager and other components of the McAfee SIEM. We decided out of the gate that we would obtain the best value out of McAfee Threat Intelligence Exchange, McAfee Advanced Threat Defense (ATD), and McAfee Endpoint Threat Defense and Response. It didn’t make sense to deploy these solutions without McAfee Endpoint Security in place so we rolled it out after the SIEM and then layered in the other solutions.
What do you appreciate most about McAfee Endpoint Security (ENS). Do you have any advice for those considering migration to McAfee ENS?
Across the majority of our 6,000 endpoints, we migrated [McAfee VirusScan® Enterprise] to McAfee ENS version 10.5, including the cloud-based Real Protect machine learning functionality and Dynamic Application Containment (DAC). We especially appreciate DAC. Knowing that any file that is not already tagged as trusted will be contained before it can cause damage gives me considerable peace of mind.
When you migrate from [McAfee VirusScan Enterprise], it is important to spend time up front to ensure you migrate rule sets from ‘like to like,’ but the benefits of migrating to McAfee ENS far outweigh any work required to make the transition.
With everything integrated, we can manage our entire security infrastructure from two to three panes of glass instead of six or seven. Less things to see, less things to miss…and the ability to recover from an attack in minutes to an hour, rather than days or weeks, just can’t be overstated.”
—Simon Brown, Director of Information Security, LCBO
How about McAfee Endpoint Threat Defense and Response, which you deployed across all your back-office and point-of-service servers and production desktops?
With McAfee Active Response [functionality in McAfee Endpoint Threat Defense and Response], we can quickly and easily search for hashes, filenames, IP addresses…You name it, we go find it. Finding suspicious files fast reduces the time needed to respond appropriately and shrinks the window of vulnerability.
…In the [McAfee] Active Response workspace, we can view a list of all potential threats or of high-risk threats or threat timelines. We can click on an executable or other suspicious file, drill down to discover where it is installed, see what it is doing to its host system, and get a full read-out of its behavior. We can then click to take action, such as mark the file as known trusted or known malicious, or end or delete the process, for that one system or companywide—all from one console. It really is remarkable.
Please walk us through a typical potential threat scenario now that you have this integrated threat defense.
As soon as a potentially malicious file has been detected—for example, from an endpoint or IPS—and sent to McAfee ATD, we receive an alert from our McAfee SIEM. McAfee ATD gives us a better idea of the nature of the hash value or file name that is tripping the alert. Then we search using McAfee Endpoint Threat Defense and Response or McAfee Threat Intelligence Exchange to find out where the file exists, on which endpoint…Within minutes after being alerted, either by the SIEM or an email, we can ascertain whether the threat has been dealt with, and, if not, take appropriate action.
That we can now quickly see exactly where an infection exists within our entire environment and, if we want to, within minutes remove it—not only from that endpoint but from every single endpoint in our network—is a game changer. We simply couldn’t do anything like that before; it would have taken much longer to find the executable and remove it throughout the environment.
What other products are you in the process of adding to your infrastructure?
We are in the process of rolling out McAfee Web Gateway and McAfee Database Event Monitor for SIEM. The former will offload some of the web filtering load from our IPSs and enable suspicious files entering via the web to be sent directly to McAfee ATD for analysis. McAfee Database Activity Monitoring will watch key databases for out-of-the-ordinary activity and help combat “permissions creep.”
In sum, what are the main benefits of the McAfee integrated security platform for LCBO?
Ultimately, the main benefits of the McAfee ecosystem are integration and speed to recovery, which is itself a byproduct of integration. With everything integrated, we can manage our entire security infrastructure from two to three panes of glass instead of six or seven. Less things to see, less things to miss…and the ability to recover from an attack in minutes to an hour, rather than days or weeks, just can’t be overstated.