Optimize Operations – McAfee Blogs
https://securingtomorrow.mcafee.com
Securing Tomorrow. Today.
Thu, 22 Jun 2017 16:00:24 +0000

Can you see me now? Unpacking malware for advanced threat analysis.
https://securingtomorrow.mcafee.com/business/optimize-operations/can-see-now-unpacking-malware-advanced-threat-analysis/
Thu, 22 Jun 2017 16:00:24 +0000
A recent McAfee blog ‘Malware Packers Use Tricks to Avoid Analysis, Detection’, highlighted the use of packers as an effective way to slow down analysis and decrease detection by antimalware products.

As an engineer with a keen interest in malware, I’m very familiar with packers and the conclusion from that blog that ‘manual analysis usually defeats .’ Manual analysis can take time, something that seems to be in short supply as of late. I’ve found a McAfee product – McAfee Advanced Threat Defense (ATD) – that takes care of the packing problem for me, saving lots of time and a few headaches too.

Let me explain: First, what’s a packer?

A packer is a tool that can be used to compress, encrypt, or modify the format of a file. By packing a file, malware authors can obfuscate its content and disrupt analysis by threat detection tools. This technique may also be referred to as “executable compression.” Compressing the file reduces its footprint or size and can be an effective way to avoid or reduce the chance of the malicious file being detected, allowing for successful delivery of a payload. Packing is an effective evasion method, but letting the code execute and then analyzing its memory dump exposes the unpacked code and makes it possible to detect even the most advanced threats. So how is this accomplished? McAfee ATD provides an answer to detecting the most advanced and obfuscated code in packed or unpacked files.

When a packed sample arrives at McAfee ATD for analysis, the sample is loaded into memory and the packer associated with the sample unpacks the code, de-obfuscating the code during execution. At this point, several advanced detection engines are engaged, including dynamic analysis (observation of execution) and static code analysis (where the code – not just the behavior it exhibited in the sandbox – is scrutinized for any malicious behavior). After the sample has finished execution, McAfee ATD assesses the memory dump and maps the code. As sections of code are analyzed, family classification is performed on the buffered code based on known malicious behavior. Once the assessment of behavioral characteristics of the code is completed, a determination on whether the file is clean or malicious yields a reputation verdict. Quick. Easy. Done.

As mentioned in the previous blog, a rather effective method for defeating a packer is to manually analyze the file. McAfee ATD can help with that as well. McAfee ATD offers manual analysis capabilities with its interactive mode, or X-Mode. Manually uploading a file to a McAfee ATD appliance and enabling the X-Mode feature allows users to choose their specified analysis environment or virtual machine (VM) in which to initiate execution of the file. When a file is uploaded through this route, the user may open a window to the active VM detonating the file in order to observe and interact with the malware. This provides a deep investigative and forensic capability for a malware analyst to understand the behavior of the executed code.

A packer can prove to be an effective way to slow down analysis or even avoid it altogether. For packed files that could typically fly under the radar of traditional sandbox solutions undetected, McAfee ATD provides ways to overcome this advanced detection-avoidance method used by malware authors.

The post Can you see me now? Unpacking malware for advanced threat analysis. appeared first on McAfee Blogs.

Automation seen as relief for payment fraud worries
https://securingtomorrow.mcafee.com/business/optimize-operations/automation-seen-as-relief-for-payment-fraud-worries/
Mon, 19 Jun 2017 22:42:45 +0000
Financial and payment professionals don’t anticipate any respite from cyber fraud and attacks in the near future, according to a recent survey conducted by TD Bank.

An overwhelming 91 percent of the 392 finance professionals surveyed by the bank at the recent 2017 NACHA Payments conference said they expect payments fraud will become a bigger threat in the next two to three years.

The concerns are not without merit, the report said, with 64 percent of the respondents saying either their organization or one of its clients was involved in a cyber security event in the past year.

The most commonly cited incidents were business email compromise (20 percent); account takeover (19 percent); and data breach (15 percent).

“Companies need to be mindful that everyday tools from email to the Internet can pose risk to payment operations, and the criminal toolbox is expanding,” said Rick Burke, head of corporate products and services at TD Bank. “Corporate treasurers need to create layers of control for accounts and payments processing, both within their organization and in conjunction with their banking partners.”

The finance professionals surveyed said automating payments processing could offer greater defense against attacks, Burke noted. When thinking about the advantages of automating payments, 21 percent cited fraud control and security as the top benefit.


This article was written by Bob Violino from Information Management and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

The post Automation seen as relief for payment fraud worries appeared first on McAfee Blogs.

How to avoid a disastrous recovery
https://securingtomorrow.mcafee.com/business/optimize-operations/how-to-avoid-a-disastrous-recovery/
Wed, 14 Jun 2017 17:58:08 +0000
Every chief information officer speculates on the health and resiliency of their data center to ensure the continuity of their business in the event of a disaster. Many go as far as to hold periodic tests to discover and mitigate vulnerabilities.

Netflix has gone even further by introducing testing in the form of their Simian Army which randomly tests the resiliency of their production environment against all manner of failures. And though cloud computing has provided a wealth of options for ensuring business continuity in the event of natural or manmade interruptions, disaster recovery (DR) is your last line of defense when every business continuity procedure and plan fails.

With outages costing enterprises up to $60 million a year, according to IHS Markit, DR planning is a critical component of every data center plan, even if the data center is in the cloud.

Furthermore, there are now regulations that require companies to have a DR plan in place. For instance, the Federal Financial Institutions Examination Council (FFIEC) has guidelines about the maximum allowable downtime for IT systems based on how critical downtime is to the business. If a disaster arises and a company isn’t prepared for it, the company can face fines and legal penalties in addition to the loss of service, data, and customer good will.

The ultimate goal of DR planning is to move “cold” data – complete copies of the data center frozen at a point in time – to the most cost-effective location possible that still provides meaningful SLA recovery if and when necessary. These copies are then constantly updated to ensure any subsequent changes to the production environment are replicated to the DR environment.

Before moving forward with DR planning, organizations must look at industry-specific regulations such as HIPAA or the Sarbanes-Oxley Act to determine the right hosting infrastructure for their data. For example, strict data sovereignty and security requirements prevent organizations from saving personal data to the cloud if that data leaves the country of residence at any time.

After evaluating these requirements, the CIO may find that hybrid cloud is the option that best balances cost and risk for that organization. Where previously “cold” data was moved to tape for offsite storage, cloud-based cold storage provides cost-effective retention of data and quicker recovery in the event of a disaster.

Implementing a hybrid IT infrastructure where data is backed up to the cloud – private or public – enables IT to continue to control and align the appropriate levels of data performance, protection, and security across all environments. By replicating data to the cloud and/or other physical sites, organizations can quickly recover operations to that facility when a primary site outage occurs.

Even in the absence of natural disasters, one potential disaster that is wreaking havoc on sensitive enterprise data today is ransomware – malware that takes the victim’s data hostage until ransom is paid. However, organizations with backup/DR solutions as simple as snapshot management software can use it to combat ransomware as part of the DR plan.

The concept is rooted in user-driven data recovery, and fights ransomware with its read-only feature that prevents encryption of the snapshot by an outside source. The protection occurs in the background for added reassurance and halts the need to pay cyber criminals for taking data hostage, as users will have a point-in-time recovery from which to restore their uncompromised data.

These days it’s rarely a matter of if disasters will strike, rather when they will strike. Organizations must create and test a comprehensive DR plan to prevent the potential for lost productivity, reputation, and revenue for the business.

By understanding the threats to their data, taking compliance regulations into careful consideration and creating an all-encompassing DR strategy, organizations will be well positioned to quickly recover operations and avoid the consequences of downtime from any disaster.


This article was written by Mike Elliott from Information Management and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

The post How to avoid a disastrous recovery appeared first on McAfee Blogs.

4 Tips to Secure Your IoT Deployment
https://securingtomorrow.mcafee.com/business/optimize-operations/4-tips-to-secure-your-iot-deployment/
Thu, 08 Jun 2017 22:17:12 +0000
After years of delays and false starts, 2017 is supposed to be the year where the Internet of Things (IoT) truly starts to become a ubiquitous part of our lives. But while progress has been made, deploying IoT devices has been slowed by various concerns, of which the biggest are the very real security concerns around any IoT network.

Any IoT breach can carry serious consequences. A survey released today found that “Almost half of all companies in the US using an IoT network have been the victims of recent security breaches,” which can cost smaller companies around 13 percent of their annual revenue. Each of the tens of billions of devices that make up IoT networks is a security threat, and the network is only as strong as its least protected device.

None of this takes away from the IoT’s benefits. But if companies want to use the IoT without worrying about threats like ransomware or privacy breaches, there are some critical steps to take to ensure your network’s and organization’s security.

1. Prioritize your devices

A February IoT forecast estimates that there will be 8.4 billion connected things worldwide in 2017 and that this number will increase to 20 billion by 2020. But just because a device can be connected to the Internet does not mean it should be. And each one of those devices represents a security threat, as shown by cyberattacks in which hackers took down major websites like the New York Times by hacking baby monitors and webcams.

I did not make that last sentence up. Each one of these devices represents a risk. And newer, more innovative devices using the IoT are more problematic because toaster and refrigerator manufacturers do not possess the same technological knowledge needed to protect their devices that larger tech companies have.

If you are creating a network with an IoT signal booster, whether for your home or your business, each and every device added is a potential security risk. Consequently, take the time to ask yourself if you really need that new device which boasts Internet connectivity to be connected to the Internet. If you cannot think of a good reason, then do not connect it. As so many more companies create new devices as part of the IoT, users have to realize that some devices are not worth the risk.

2. Hold cyber security drills

You have probably heard stories about how some businesses pay hackers to try and break into their business so they know what their weaknesses are. Such an approach may be a bit extreme, but a business should consider holding cyber security drills in order to identify weak IoT devices and how secure your system is.

Drills are not just about knowing your cyber security weaknesses. They are about ensuring that everyone knows what to do in the event of a breach. Businesses should have a plan for a data breach or hacking just as a business in Japan should have a plan for what to do in the case of an earthquake. If a hacker breaks into your business through your IoT devices and uncovers data, testing beforehand should make it clear what sort of response your business should give and what sort of data is the most likely to be at risk.

3. Communication within the business

As noted above, a major threat with IoT security is that there are a lot of IoT-related devices out there where security is a secondary concern for the device makers and tacked on at the end. This cannot happen if you are deploying an IoT network yourself. Leadership must be in constant communication with their IT departments so that everyone is on the same page.

This may seem obvious, but IT departments everywhere have always complained about how leadership does not understand the security risks they are going under, and IoT will just make this worse. I have personally heard in certain companies the idiotic paradigm of leaders who say the IT department is pointless when things are going fine, and then complain how they are not doing their job when things are going badly.

The IoT necessitates further cooperation between IT and the highest levels of leadership to know what security measures should be implemented for your business. Get on it.

4. Change passwords

A basic example of the lack of communication between leadership and IT concerns passwords. Most IT professionals know that it is important to have strong passwords that are changed regularly, but leadership can chafe at trying to remember those more complicated passwords. Yet a strong password really matters for IoT devices. Many of them ship with a default password, but businesses never bother to change it because they are unaware of the security risks.

Passwords and encryption remain some of the most basic yet critical aspects of protecting your devices. Talk with IT about ensuring that all of your devices carry strong protection and make sure it is regularly changed.


This article was written by Gary Eastwood from CIO and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

The post 4 Tips to Secure Your IoT Deployment appeared first on McAfee Blogs.

Majority of organizations expect cyberattack this year
https://securingtomorrow.mcafee.com/business/optimize-operations/majority-of-organizations-expect-cyberattack-this-year/
Wed, 07 Jun 2017 21:38:41 +0000
A majority of organizations think they will experience a cyber security attack this year, and many are not prepared, according to a new report from ISACA, a global association that helps individuals and enterprises optimize their use of technology.

ISACA’s State of Cyber Security report, based on a survey of more than 600 security executives worldwide, shows that four out of five organizations think they will be attacked this year. Only 46 percent of those organizations have confidence in their cyber defense teams.

“There is a significant and concerning gap between the threats an organization faces and its readiness to address those threats in a timely or effective manner,” said Christos Dimitriadis, ISACA board chair and group head of information security at INTRALOT. “Cyber security professionals face huge demands to secure organizational infrastructure, and teams need to be properly trained, resourced and prepared.”

Among the other key findings of the research is that cyber security budgets are still expanding, but more slowly. Half of the respondents (50 percent) anticipate budget growth over the next year, which is down from 61 percent last year.

Enterprises continue to have difficulty finding qualified personnel. Only 30 percent receive 10 applicants or more for an open position, of which less than half are qualified. At the same time, the threat environment is increasingly hostile, with 53 percent of respondents reporting an increase in attacks in 2016.

The Internet of Things (IoT) is replacing mobile technology as a major area of concern, and IoT concerns show no sign of slackening, the report said. Ransomware is expanding, but the processes to address it are not: about two-thirds of organizations (62 percent) experienced ransomware attacks in 2016, but only 53 percent have a formal process in place to address it.


This article was written by Bob Violino from Information Management and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

The post Majority of organizations expect cyberattack this year appeared first on McAfee Blogs.

How To Plan For Security Incident Response
https://securingtomorrow.mcafee.com/business/optimize-operations/how-to-plan-for-security-incident-response/
Tue, 06 Jun 2017 19:46:22 +0000
Planning for the seemingly unlikely event of a severe cybersecurity incident seems unwieldy and time-consuming for many organizations. But consider this: According to the Ponemon Institute, 90% of organizations that go offline due to a cyberattack shutter their windows in the following two years.

A strong incident response plan is clearly a necessity these days. From threats like the recent WannaCry ransomware attack to the Google Docs phishing scam, there are a number of ways a security incident can unfold at your organization. Having a tested incident response plan in your back pocket can make the difference between a swift recovery or a high stress situation where every minute the incident remains unresolved results in more financial or reputational damage.

There are three fundamental components that will help ensure that your company’s incident response plan is a success.

Define security incidents and likely scenarios. While all IT service incidents deserve swift identification and triage, security incidents – which often have malicious intent – must be identified and tackled even more quickly. For example, suppose a server at your company is unexpectedly rebooted in the middle of the day. This could be caused by an innocuous outage, or it could be something far more sinister: perhaps an unknown third party has installed a rootkit, and the system is restarting so that changes can be applied which give that third party unauthorized system access.

As you think through the possible incidents and scenarios, think about security best practices that can be circumvented (such as authentication) and cues from the news as your guide to recent, real threats (such as phishing and ransomware attempts).

What experts and stakeholders will be mobilized to handle all of the security, privacy and legal implications when a security incident occurs? How will your organization recover from a successful phishing attack? How will your organization cope with news of a severe data leak? What will you do once hackers are booted from your system? Play out each possible incident and how you would realistically respond. From there, write your incident response plan and procedures accordingly.

One resource to get you started is a generic incident handling procedure template from the Computer Security Incident Response Team. This is a good baseline document, but you’ll need to tailor it to meet your organization’s specific needs.

Communicate and train on the plan. Once your plan has been developed, reviewed and approved, the roles and responsibilities everyone plays should be disseminated to all relevant parties. An incident can be detected by anyone with the right “visibility.” Your IT team is obviously on the front lines for incident detection and response, but many people in your organization could end up identifying a problem first. Maybe your marketing team, who owns the website, notices some highly suspect traffic one day or encounters issues with the server. Do they know where to go? Any of your end users could click on a link in an email and realize afterwards that it seemed suspicious. Do they know who to call or email?

A hands-on and interactive way to ensure that key stakeholders know what role they play in incident response is to conduct tabletop exercises. A tabletop exercise is usually led by a security subject matter expert who walks a team of diverse stakeholders (from IT, security, management, legal, HR, etc.) through an impactful security incident scenario, facilitating the decisions made and providing feedback afterwards on how well the participants were aware of their responsibilities and the company’s policies. Tabletop exercises are one way of doing “red teaming” because they simulate how internal processes will play out if a real security incident gets reported and escalated.

Proactively mitigate your losses. A security incident that turns into a validated security breach can lead to devastating financial or reputational loss. Such losses are not easy to recover from, and in some scenarios, organizations never fully rebound. The Anthem Healthcare breach of 2015 came with a price tag well into the billions of dollars. And the code-hosting service, Code Spaces, went under in the months following its breach.

In addition to putting preventative best practice technical measures in place and preparing an actionable incident response plan, consider building relationships and lines of communication now with relevant government agencies, external legal counsel, digital forensics firms and potentially procuring cybersecurity liability insurance. All of these measures will be things your Board of Directors will and should expect you to have answers to, and communicating with your Board on these matters is an art unto itself.

In a world where it isn’t a question of “if” but “when” your company may find itself the target of a cyber incident, a detailed incident response plan will be your lifeline to weathering the storm of security incidents in measurable ways. Executed well, it can help you demystify the what-if scenarios, decrease your panic about who will do what and plan through the worst-case scenarios to make sure you have all the experts and resources you need to handle any security incident scenario.


This article was written by Christie Terrill from Forbes and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

The post How To Plan For Security Incident Response appeared first on McAfee Blogs.

A lack of IoT security is scaring the heck out of everybody
https://securingtomorrow.mcafee.com/business/optimize-operations/a-lack-of-iot-security-is-scaring-the-heck-out-of-everybody/
Mon, 05 Jun 2017 20:00:18 +0000
Enterprises aren’t yet managing the risks posed by the swelling wave of IoT technology very well, according to a study released by the Ponemon Institute.

The study, which surveyed 553 enterprise IT decision-makers, found that 78% of respondents thought that it was at least somewhat likely that their organizations would experience data loss or theft enabled by IoT devices within the next two years.

The fact that a lot of small-scale connected devices and other parts of the Internet of Things are highly insecure has been frightening IT departments for a long time. On their own, IoT gadgets aren’t particularly tempting targets, so manufacturers don’t fuss too much about security. In great numbers – and Gartner said recently that it estimates there are 8.4 billion connected devices active this year – swathes of easily compromised IoT gizmos can make for a formidable botnet, as the Mirai botnet showed in 2016.

Yet, in a lot of places, it can be difficult to put policies in place to neutralize this threat. Nearly three respondents in four – 72% – said that the speed at which IoT technology advances makes it harder to keep up with evolving security requirements. Almost as many said that new strategies are needed to cope with the problem.

Those strategies are difficult to design, according to the Ponemon study. Just 44% of respondents told researchers that their enterprise has the ability to protect itself and its network from IoT devices. Less than half said that they specifically monitor the risk posed by devices being used in the workplace.

Another big factor in the generally poor state of IoT management is organization – of the 50% or so of companies that didn’t track IoT inventory, fully 85% said that there is a lack of centralized responsibility for those devices, and over half cited a lack of resources available to perform this task.

Nevertheless, respondents at least recognize the need for a new way of thinking about IoT management – two-thirds said that “a new approach” is necessary for IT departments coping with IoT.


This article was written by Jon Gold from NetworkWorld and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

The post A lack of IoT security is scaring the heck out of everybody appeared first on McAfee Blogs.

Caught in the breach – what to do first
https://securingtomorrow.mcafee.com/business/optimize-operations/caught-in-the-breach-what-to-do-first/
Wed, 31 May 2017 21:50:59 +0000
Security experts have been saying for more than a decade that it is “not if, but when” an organization will be hacked. So, the more relevant question, posed in the title of a panel discussion at May 24’s MIT Sloan CIO Symposium is: “You Were Hacked: Now What?”

Indeed, given that there is no sure way to prevent every intrusion by so-called “determined adversaries,” much of the defense playbook has shifted to incident response (IR). And that, said panelists, if done quickly and correctly, can mitigate the damage attackers can cause, even if they make it inside a network.

“Hacking is an action,” said Andrew Stanley, CISO of Phillips. “A breach is the outcome. So we spend more time on the hack than the breach. We want to know how, why – what was the intent – when and where. That’s what the C-suite wants to know more than the nature of the breach.” Answering those questions is what helps make the response, and therefore containing the damage, more effective, he added.

James Lugabihl, director, execution assurance at ADP, agreed that the key to limiting the damage of a breach is, “how quickly can you respond and stop it.” He said it is also crucial not to react without complete information. “It’s almost like a disaster scenario you see on the news,” he said. “It takes a lot of patience not to react too quickly. A lot of my information may be incomplete, and it’s important to get everybody staged. It isn’t a sprint, it’s a marathon. You need time to recognize data so you’re not reacting to information that’s incomplete.” With the right information, he said, it is possible to “track and eradicate” malicious intruders, plus see what their intentions were.

Both panelists said legal notification requirements can vary by country, or even by state, and if it is not a mandate, notifying law enforcement is something they will sometimes try to avoid. “Executives don’t like it, because it becomes a matter of public record,” Stanley said. “But it also can affect people’s privacy, and you don’t want to become an arm of the government.”

Aside from who needs to know and who legally must know, Stanley said collecting information that can help with the response is the most important thing to do. “It’s about intent,” he said. “If all (phishing) emails are going to one location, that’s an attack. So we need to ask: What do we do there? What’s the target?”

Both also said they conduct tabletop exercises, pen testing and simulated crises to practice their IR for when the real thing happens. But, as Lugabihl noted, “it takes perfect practice to make a perfect response. Bad practice makes bad response.”

To a question from moderator Keri Pearlson, executive director of the MIT Interdisciplinary Consortium on Improving Critical Cybersecurity Infrastructure, about how to cope with the reality that “people are the weakest link” in the security chain, Lugabihl said workers are not entirely at fault. “We haven’t fostered an environment that lets them do their jobs,” he said. “I’ve seen security professionals fall for phishing – those are getting more sophisticated. We just need to encourage them to report it. We need to help make things easier and more transparent.”


This article was written by Taylor Armerding from CSO Magazine and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

Risk assessments for local governments and SMBs
https://securingtomorrow.mcafee.com/business/optimize-operations/risk-assessments-for-local-governments-and-smbs/
Fri, 26 May 2017 18:55:15 +0000

The post Risk assessments for local governments and SMBs appeared first on McAfee Blogs.
Next week, I am scheduled for a semi-annual risk assessment with my dentist. He performs a very specific, highly focused type of risk assessment that is totally worth the $125 it will cost. In addition to performing specialized maintenance (hypersonic cleaning), he will provide a threat assessment (for oral cancer, cavities, periodontal disease and other anomalies). I’ll leave his office confident that my mouth is in a low-risk situation for the next six months as long as I continue to follow best practices and perform daily maintenance procedures. I am only vulnerable to these threats if I fail to follow a daily program of brushing and flossing.

I could always choose to save the small fee for these risk assessments and wait for a major dental disaster to occur. The problem with this approach is that a single incident may cost thousands of dollars if I need a root canal or some other type of procedure. Ten years of checkups are less costly than even a single disaster.

Enterprise IT risk assessments

Unfortunately, in the world of local government and SMBs, the most common approach to risk management is to allow a major catastrophe to occur before realizing the value of an enterprise risk management program.

I am at a loss to explain it. Incidents or problems involving your information and IT infrastructure are far more costly than risk management programs. Data loss, breaches, major downtime, malware, lawsuits and fines for compliance violations may cost hundreds of thousands or millions of dollars. They can permanently shut down your small business or really irritate your board of directors in a corporate environment. In the public sector, constituents pay for major screw-ups through increased taxes while the events are often covered up and the culprits skirt the blame and keep their jobs.

When was your organization’s last risk assessment? Can you put your hands on the report? If you haven’t had a risk assessment recently, it’s a safe bet that your policies are sorely lacking. Defining an organizational policy for risk assessment is an essential component of any comprehensive suite of security policies. Both HIPAA and GLBA require periodic risk assessments, but it is a sound practice for all types and sizes of organizations.

Where to start?

If you haven’t previously conducted an enterprise IT risk assessment you should carefully consider your starting point. For example, if you have few or no security policies, it may be wise to form an IG (information governance) committee and begin by developing a comprehensive set of policies, procedures, standards and guidelines. On the other hand, your management team may benefit from the kind of wake-up call that a devastatingly thorough risk assessment can produce. A 100-page report that says you suck at security and risk management on every page may be just what you need to get everyone’s attention.

The results of a risk assessment should be used to reduce your organization’s risk exposure, improve CIA (confidentiality, integrity and availability), initiate positive change, and begin building a security culture. While using risk assessments as a punitive device isn’t the best approach, such reports often expose malfeasance and incompetence of proportions so vast that appropriate consequences are in order. In other words, if you have been paying a CIO $200,000 and the assessment uncovers gaping policy, security and privacy holes, you should certainly replace the CIO with one who has the required skill set.

Scope the project carefully

Risk assessments come in a lot of flavors, and the specific purpose and scope must be worked out with the auditors in advance. A few years ago, a client of mine released an RFP for a risk assessment after we worked extensively on the development of their information security policies. The proposals ranged from $15,000 to well over $150,000. This can happen even with a pretty clear scope. Big 4 firms, for instance, have hourly rates that may be several times what a local, independent practitioner may charge. NIST SP 800-30 provides valuable information on how to perform risk assessments, including some information on scoping.

Risk assessments may be qualitative or quantitative. You may be able to do some of the quantitative work in-house by gathering cost data for all your assets in advance of the assessment. Regardless of the scope and approach, the auditors will ask to see lots of documentation.

Positive outcomes

One positive outcome of a risk assessment is that it may force your management team to rethink EVERYTHING – in-house application development, infrastructure support, IT staffing & responsibilities, LOB (line of business) staffing & responsibilities, budgets, and just about everything else related to the manner in which your organization is run.

Risk assessments are way cheaper than disasters, so go schedule your checkup.


This article was written by Jeffrey Morgan from CIO and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

What security leaders need before applying intelligence to cyber
https://securingtomorrow.mcafee.com/business/optimize-operations/what-security-leaders-need-before-applying-intelligence-to-cyber/
Thu, 25 May 2017 20:04:26 +0000

The post What security leaders need before applying intelligence to cyber appeared first on McAfee Blogs.
What does it take to successfully apply the process of intelligence to the field of cyber security?

Or perhaps we need to consider what happens when our efforts don’t produce the outcomes we seek. What really needs to happen?

John Boling has some ideas. John recently shared his insights in Do we really need higher education to solve our perceived and actual security needs? Since that piece got people talking, I reached out to see if he wanted to step up and try out my new Security Slapshot series … and he stepped up to take a shot.

John Boling (@CySocSci) is a security veteran who followed his own path to success. Currently working as a Senior Security Consultant, he started on the front lines supporting MS-DOS and Windows before completing degrees from the University of North Carolina at Charlotte and the National Intelligence University. A conforming contradiction, he boldly blends business, technology, and social science to understand security threats.

Here’s his Security Slapshot on applying intelligence to security:

SLAPSHOT: Intelligence is NOT failing because of data or people, but from a lack of direction.

How do you get to a destination without knowing where you are going?

You can have the best maps and algorithms, but without knowing the desired destination how does a path emerge? As a result, many programs meander. Sometimes, an adequate destination appears, however many times it does not.

The reference model for the intelligence process is found in the US Department of Defense publication Joint Intelligence (JP 2-0). Much like the OSI Reference Model for networking, this represents the core understanding an intelligence professional should hold. While variances occur, all start with some sort of requirement, followed by collecting and processing data such that it can be analyzed, and finish with a reporting mechanism. Each component of this process serves a purpose and needs feedback for refinement.

As a system, the intelligence process often fails from lack of direction.

The solution is discipline to the process. The industry must recognize that intelligence emerges from a system with clear objectives. No mystery exists on processes that develop quality intelligence products, but expectations should be measured. Give your analyst clear direction outlining what questions need answers for the organization. Build data collection and processing engines to support their analysis based on those requirements. I would incorporate the following in any intelligence program:

My Take (some color commentary)

I frequently point out the three keys of leadership including articulating the current situation accurately, painting a picture of a better tomorrow to set the direction, and then offering individuals a pathway that elevates and accelerates them.

Seems the proper application of intelligence principles requires a similar focus. In the process, the organization benefits as individuals thrive. The challenge lies in embracing the situation and translating the value of the intelligence process into the picture of a better tomorrow.


This article was written by Michael Santarcangelo from CSO Magazine and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

For Three Years Running, McAfee Advanced Threat Defense Places in Radicati’s Top Players Quadrant for APT Protection
https://securingtomorrow.mcafee.com/business/optimize-operations/three-years-running-mcafee-advanced-threat-defense-places-radicatis-top-players-quadrant-apt-protection/
Wed, 24 May 2017 17:28:00 +0000

The post For Three Years Running, McAfee Advanced Threat Defense Places in Radicati’s Top Players Quadrant for APT Protection appeared first on McAfee Blogs.
In this year’s Radicati APT Protection—Market Quadrant, McAfee Advanced Threat Defense attained a position in the Top Players quadrant for the third year running.

The Radicati report assesses advanced persistent threat (APT) solutions from major security vendors and places them in its quadrant based on the depth and breadth of product functionality and strategic vision. Top Players are typically market leaders that shape the industry through their technology innovations and understanding of market forces.

In the APT area, vendors are evaluated on multiple parameters. Some of these are: deployment options, malware detection methods, firewall and URL filtering for attack behavior analysis, web and email security, analysis of zero-day and advanced threats, sandboxing and quarantining, data loss prevention, administration, real-time updates, remediation, environment threat analysis, and more.

McAfee Advanced Threat Defense landed its position in the Radicati quadrant because of its ability to detect complex, sophisticated threats and to connect with other security components and turn threat information into action and protection.

Here are the key areas of strength emphasized by Radicati:

  • Deployment flexibility—appliances, virtual appliances, and cloud form factors—with CapEx and OpEx purchase options.
  • The powerful, layered detection approach combines in-depth static code and dynamic analysis. Proprietary static code analysis does a thorough job unpacking and unencrypting samples to expose executables in order to examine anomalies. Dynamic analysis uses sandboxing to look at malware behavior.
  • Reporting and outputs, including the ability to share indicators of compromise (IoCs) for targeted investigations.
  • The overall breadth of protection provided by the McAfee product portfolio—from endpoints to desktops to servers.
  • Additional detection engines, such as signatures, reputation, and real-time emulation, that accelerate analysis.
  • The centralized analysis device acts as a shared resource among multiple Intel Security devices.
  • Tight integration with all McAfee solutions and third-party partner products, whether directly or through the McAfee Data Exchange Layer communications fabric. This enables real-time information sharing across the entire security ecosystem when attacks and malware are detected.
  • DLP technology is applied in-line to traffic by way of integration with McAfee Web Gateway.

Download your copy of the Radicati APT Protection—Market Quadrant 2017.

For information on how McAfee Advanced Threat Defense can detect and protect your enterprise from stealthy malware and zero-day threats, visit our website.

How ‘smart cities’ push IoT cybersecurity for state and local IT
https://securingtomorrow.mcafee.com/business/optimize-operations/how-smart-cities-push-iot-cybersecurity-for-state-and-local-it/
Tue, 23 May 2017 21:53:28 +0000

The post How ‘smart cities’ push IoT cybersecurity for state and local IT appeared first on McAfee Blogs.
In the last installment of this column, we talked about cyber hygiene as a way to reduce security vulnerability. Now let’s turn our focus to cybersecurity, particularly as government gears up for the coming rush of the internet of things (IoT).

The threat recently became more real for state and local leaders. This past April, the emergency alert system in Dallas was hacked, with hurricane warnings starting just before midnight, activating 156 emergency sirens at once – 15 times over nearly two hours.

For that and other reasons, state and local governments are becoming more proactive in their approach to IT and cybersecurity, together spending more than the federal government. According to the research company e.Republic, state and local governments will spend some $101.3 billion on IT, with counties and states each increasing their budget by about 1.5 percent. (By comparison, the federal government has budgeted about $90 billion.)

So cybersecurity is a top IT priority among CIOs at the state, county and city level. In general we can say that the priority has been triggered by a push toward IoT in the so-called “smart cities” development vision to integrate IoT with communications technology to better manage municipal assets.

To that extent, IoT is at a much more mature place at the state and local level than it is in the federal government or even private industry. State IT executives are more aware of IoT cybersecurity implications, because they’re dealing with industrial systems, facilities HVAC, appliances and the power grid, all of which are managed at the municipal level. To complicate matters, many connected municipal services, from public transportation to water purification are both used and in some cases managed by private companies, so potential cybersecurity threats can come from many different intrusion points at once.

The risk and expense are high. At a recent seminar by the Center for Digital Government, Oakland County CIO Phil Berolini noted that the cost of a breach can be as much as $240 per record. Multiply that by the number of records exposed in a typical attack, and the costs mount rapidly. LA County recently dealt with a 750,000-record breach, Berolini noted.

James Collins, Delaware’s CIO, explained that these actual and potential threats have put cybersecurity on legislative and executive radars. Because cyber is no longer relegated to being an “IT thing,” it actually opens the door for more practical solutions, Collins said.

Across the board, the real door opener for these and other CIOs is any discussion with the IT community on “baking in” cybersecurity into technology solutions. When cybersecurity maintenance costs are rolled into the tools that are actually included in IT budgeting, there’s more bang for the buck on infrastructure spending, with a higher level of security resilience. Because state and local IT leaders are still getting their arms around on-premise and off-premise cybersecurity, baked in defensive tools are especially valuable in IT purchases.

Some advice for the IT vendor community: slow down

The accelerated interest in IoT in state and local government has led to something of a gold rush among technology companies, who are often guilty of prospecting in that market in all the wrong ways. Many times overzealous technology salespeople make calls without enough research, or promise things that are of no importance.

Wanda Gibson, CTO for Fairfax County, urged the vendor community to pay better attention to published information regarding government IT priorities and budget. “Do your research,” she said, and talk to the other county departments to know what matters most.

The all-too-common sales strategy of blanket emails requesting a first meeting out of the blue is just plain “creepy” for Travis County CIO Tanya Acevedo. Calls like that do nothing to help Acevedo sell technology up the ladder in the county. A softer approach is better, with roundtables or symposiums providing good information without feeling like salespeople are trying to shoot ducks in a barrel.

The slow, measured approach seems to be the right way to get traction in the state and local technology community. As Oakland’s Berolini explains, leading with the gold-plated solution is a “turn-off” for any future discussions. Berolini, like most IT leaders, advocates a consultative approach where vendors work to understand problems, rather than trying to force fit a solution blindly.

It’s a balancing act, clearly, between government leaders working to implement IoT technology to better serve citizens quickly while ensuring that this rapid pace doesn’t introduce more security problems than it’s worth. While the vendor community is a valuable resource to address potential problems, they’re doing no one any favors by pushing their way into the process. CIOs have enough on their hands without having to fend off the advances of an under-informed partner.

With enough shared background and experience, the IoT phenomenon will take off for state and local government – and will provide valuable insight all the way up to the federal level.


This article was written by Lloyd McCoy Jr. from CSO Magazine and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

What WannaCry Means for the SOC
https://securingtomorrow.mcafee.com/business/optimize-operations/what_wannacry_means_soc/
Wed, 17 May 2017 15:38:39 +0000

The post What WannaCry Means for the SOC appeared first on McAfee Blogs.
In addition to the endpoint and network operational efforts for WannaCry, this outbreak presents great learning and response opportunities for analysts in the security operations center (SOC). Understanding and automating these best practices will set you up to handle evolving WannaCry activities, as well as the next fast-moving attack.

Responding to an attack like WannaCry, the SOC must answer three key questions:

1. First Question – Am I affected?

The first process for a SOC is to assess what you have already experienced and gain current situational awareness. This evaluation can draw on reports of endpoint and network security events related to the attack, on analysis of the malware itself, and on the SIEM. In the McAfee ecosystem, here is what you can do:

  1. Report on endpoint events. McAfee ePolicy Orchestrator can report out events based on the signatures it has downloaded from McAfee Global Threat Intelligence.
  2. Conduct malware analysis. Sandboxing systems like McAfee Advanced Threat Defense can generate reports on unknown variants and share them in machine-readable form as a STIX file.
  3. Perform automated searching. Leveraging integrations provided by McAfee, IOC data from sandboxes and other sources can be used to immediately mine endpoints (via McAfee Active Response) and the SIEM database (via McAfee Enterprise Security Manager) for related activity. If an event containing an IOC is present in the SIEM database, it can indicate other hosts that are in the process of being locked, hosts connecting to malicious IP addresses or domains related to WannaCry, and related indicators that your own hunters may want to pursue as part of their containment efforts.
  4. Perform manual IOC searches. Other sources of intelligence, such as external CERT notices, can also be used for ad hoc searching using McAfee Active Response.

[Figure: Multi-engine analysis by McAfee Advanced Threat Defense shows the scope of malicious behavior in a WannaCry]

2. Second Question – Is there new activity?

Proactive analysis and hunting using analytics and intelligence allows SOC staff to be on constant vigil for activity related to known WannaCry behaviors, and trigger an action – from active quarantine to a policy-driven scan to an email or SMS alert to drive incident responders. Here’s what you can do in the McAfee ecosystem:

  1. Enable analytics-driven monitoring of events and behaviors. IOCs ingested by the SIEM can populate a watchlist for ongoing, forward-looking monitoring for new occurrences. In addition, endpoint trace data sent by McAfee Active Response is monitored in the cloud for behaviors that are indications of WannaCry activity (persistence, stealth, recon, self-protection, data stolen, signal infection).
  2. Enhance human investigations. The Active Response threat workspace presents endpoint event findings from the cloud in a dynamic dashboard that can help you drill down and explore event relationships. Similarly, SIEM shows new events in the context of the overall estate, including user context, network flow data, and more.
  3. Conduct manual IOC searches. In the case of WannaCry, indicators of compromise (IOCs) are publicly available from several sources, including the US CERT. So in addition to the discoveries within your environment shared by your internal sandbox, you should also be consuming and evaluating these other third-party intelligence sources to get the most complete picture of known WannaCry behaviors. When new intelligence emerges from third-party or local sources, it can trigger ad hoc searching using McAfee Active Response.

3. Final Question – Am I maintaining protection?

Many tools today can be updated with new IOCs and with signature- and policy-driven updates and actions. This video of OpenDXL and a threat intelligence platform shows one way that this process can be managed. McAfee ePolicy Orchestrator integrations can take action on a variety of endpoint systems, including Security Innovation Alliance integrated partners.

Rapidly spreading malware like WannaCry should be a further spur to SOC teams to improve their access to and use of the intelligence so readily available today. The good news for SOC staff is that many functions that should be performed can be automated, freeing you to do the investigation and extrapolation that only humans can drive. For ideas, please check out these blogs on automation and threat hunting.
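The three questions above (what has already happened, what new activity is appearing, and whether the watchlist is kept current) reduce to a small, product-independent workflow. As an added example that is not McAfee's code and uses no McAfee product API, the Python below parses a constructed STIX 2 indicator bundle (the form a sandbox report might take) into a watchlist, mines constructed key=value SIEM events for matches to answer "Am I affected?", and then extends the watchlist with a constructed third-party indicator, which also illustrates the later OpenDXL post's point about hunting on all IOC types rather than file hashes alone. Every hash, domain and address is a constructed placeholder (hashlib of a fixed string, a `.invalid` domain, TEST-NET addresses), not a real WannaCry indicator.

```python
"""Constructed example: sandbox IOCs (STIX 2 patterns) -> watchlist -> SIEM event
matching -> watchlist update. All indicators and log lines are placeholders."""
import hashlib
import json
import re

# Constructed STIX 2.x bundle, as a sandbox might emit for an unknown sample.
SAMPLE_SHA256 = hashlib.sha256(b"constructed sample, not real malware").hexdigest()
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",  # placeholder id
    "objects": [
        {"type": "indicator", "pattern_type": "stix",
         "pattern": f"[file:hashes.'SHA-256' = '{SAMPLE_SHA256}']"},
        {"type": "indicator", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'killswitch-check.invalid' OR "
                    "ipv4-addr:value = '203.0.113.45']"},
        {"type": "malware", "name": "constructed-sample"},  # not an indicator
    ],
})

# STIX object paths -> watchlist buckets used for matching.
_PATH_TO_TYPE = {
    "file:hashes.'SHA-256'": "sha256",
    "file:hashes.'MD5'": "md5",
    "domain-name:value": "domain",
    "ipv4-addr:value": "ipv4",
    "url:value": "url",
}
# One "<object path> = '<value>'" comparison inside a STIX pattern.
_COMPARISON = re.compile(r"([\w-]+:[\w.'-]+)\s*=\s*'([^']*)'")


def extract_iocs(bundle_json):
    """Return {ioc_type: set(values)} from every indicator pattern in the bundle.
    Only simple equality comparisons are handled; other operators are ignored."""
    watchlist = {t: set() for t in set(_PATH_TO_TYPE.values())}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        for path, value in _COMPARISON.findall(obj.get("pattern", "")):
            ioc_type = _PATH_TO_TYPE.get(path)
            if ioc_type:
                watchlist[ioc_type].add(value.lower())
    return watchlist


# SIEM event fields -> the watchlist bucket each is compared against.
_FIELD_TO_TYPE = {"sha256": "sha256", "md5": "md5", "query": "domain",
                  "dst": "ipv4", "url": "url"}
_KV = re.compile(r"(\w+)=(\S+)")


def match_events(log_lines, watchlist):
    """Return one hit per (host, ioc_type, value) found in key=value event lines."""
    hits = []
    for line in log_lines:
        fields = dict(_KV.findall(line))
        for field, ioc_type in _FIELD_TO_TYPE.items():
            value = fields.get(field, "").lower()
            if value and value in watchlist.get(ioc_type, set()):
                hits.append({"host": fields.get("host", "?"), "type": ioc_type,
                             "value": value, "event": fields.get("event", "?")})
    return hits


def affected_hosts(hits):
    """'Am I affected?': the distinct hosts with at least one IOC match."""
    return sorted({h["host"] for h in hits})


def add_external_iocs(watchlist, ioc_type, values):
    """'Is there new activity?': fold third-party indicators (e.g. a CERT notice)
    into the watchlist so forward-looking monitoring picks them up."""
    watchlist.setdefault(ioc_type, set()).update(v.lower() for v in values)
    return watchlist


# Constructed SIEM events (key=value), standing in for a SIEM query result.
SIEM_EVENTS = [
    f"ts=2017-05-12T10:01:02Z host=ws-017 event=file_exec sha256={SAMPLE_SHA256}",
    "ts=2017-05-12T10:01:09Z host=ws-017 event=dns query=KillSwitch-Check.invalid",
    "ts=2017-05-12T10:02:30Z host=ws-042 event=conn dst=203.0.113.45 dpt=445",
    "ts=2017-05-12T10:03:11Z host=ws-099 event=dns query=intranet.example.invalid",
    "ts=2017-05-12T10:04:50Z host=ws-123 event=conn dst=198.51.100.7 dpt=443",
]

if __name__ == "__main__":
    wl = extract_iocs(STIX_BUNDLE)
    hits = match_events(SIEM_EVENTS, wl)
    print("affected:", affected_hosts(hits))            # ['ws-017', 'ws-042']
    add_external_iocs(wl, "ipv4", ["198.51.100.7"])     # constructed CERT indicator
    print("after update:", affected_hosts(match_events(SIEM_EVENTS, wl)))
```

Domain matches are case-folded, so a mixed-case DNS query still hits the watchlist entry; a host that only touches the newly added address is surfaced only after the external indicator is folded in.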

Expanding Automated Threat Hunting and Response with Open DXL
https://securingtomorrow.mcafee.com/business/optimize-operations/expanding-automated-threat-hunting-response-open-dxl/
Fri, 12 May 2017 16:00:09 +0000

The post Expanding Automated Threat Hunting and Response with Open DXL appeared first on McAfee Blogs.
Today everyone is talking about security automation. However, what are the right processes and actions to automate safely? What are the right processes and actions to automate that will actually achieve some security outcome, such as improving sec ops efficiency or reducing attacker dwell time? Just look in the latest industry report and you will find a statistic about how long attackers linger in a network without detection. It’s getting better, but the average is still heavily in favor of the attacker.

One of the reasons why attackers are so successful at maintaining persistence is that most organizations struggle to make effective use of threat intelligence. Making effective use means taking the volumes of threat intelligence data, primarily technical Indicators of Compromise (IOCs), hunting for affected systems with those IOCs, and then adapting countermeasures to contain the incident or simply update protection. These critical tasks, collecting and validating intelligence, performing triage, and adapting cyber defenses to contain an incident, must be automated if we ever want to get ahead of the attackers.

McAfee’s Intelligent Security Operations solution automates many key threat hunting tasks. In this solution, McAfee Advanced Threat Defense (ATD), a malware analytic system, produces the local IOCs based on malware submissions from the endpoint and network sensors. It automatically shares the new intelligence with McAfee Enterprise Security Manager (ESM) for automated historical analysis, with the McAfee Active Response component of McAfee Endpoint Threat Defense and Response (ETDR) for real time endpoint analysis, and with McAfee Threat Intelligence Exchange (TIE) for automated containment at the endpoint or network.

However, wouldn’t it be great if we could automate hunting and incident containment for all threat intelligence, not just file hashes? We can expand the capability of the Intelligent Security Operations solution to handle more intelligence and automate more incident response tasks using the power of OpenDXL.

Consolidate Threat Intelligence Collection with OpenDXL and MISP

Organizations need threat intelligence from three different sources:

  • Global intelligence from vendors or large providers
  • Community intelligence from closed sources
  • Enterprise, or locally produced, intelligence

Local threat intelligence, typically produced by malware sandboxes, such as McAfee Advanced Threat Defense (ATD), or learned from previous incident investigations, usually relates to attacks targeted at the enterprise and would not be visible through other external intelligence feeds. Large organizations typically consolidate these feeds inside a threat intelligence platform to simplify the management, sharing and processing of the data.

Using OpenDXL, we can more simply push locally-produced intelligence from ATD into threat intelligence platforms, such as Malware Information Sharing Platform (MISP), an open source intelligence sharing platform. Inside MISP, ATD data can be labeled and combined with other sources providing a central repository to operationalize threat intelligence. Using OpenDXL, MISP can then push all threat intelligence-based IOCs to ESM and Active Response for further triage and out to firewalls, proxies, endpoints and other cyber defense tools for automated containment.

Full IOC Hunting with ESM, Active Response and OpenDXL

One of the best ways to reduce attacker dwell time is to use threat intelligence to hunt for compromised systems in the enterprise with ESM and Active Response. With threat intelligence centrally collected in MISP, we can automate historical analysis using the existing back trace feature in ESM. Using OpenDXL integration with MISP, we can also hunt on all the IOCs and send the results back to ESM or Kibana. This expands the capability of the original solution fully automating the hunting process with both historical and real time searches for all IOCs, not just local intelligence.

Automated Incident Containment with OpenDXL

If a system is found to be compromised, the next task is to contain it and update defenses as fast as possible. When it comes to updating cyber defense countermeasures, such as firewalls or a web proxy, internal procedures or business silos can slow response. For example, sending a ticket to the firewall team or service provider to block a command-and-control IP address or domain could take hours even in mature organizations. These silos slow down incident response and increase attackers’ dwell time.

Integrating OpenDXL with MISP reduces dwell time by pushing all indicators, not just file hashes, out to network and endpoint countermeasures. Indicators such as command-and-control IP addresses, malicious URLs or domains, and file hashes can be automatically shared with McAfee Dynamic Endpoint, network firewalls such as Forcepoint or Check Point, or web proxies such as McAfee Web Gateway. In short, the OpenDXL integration with MISP automates indicator sharing with any countermeasure on the network or endpoint, reducing dwell time and better protecting your business.
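The flow described in the three sections above (collect indicators in MISP, hunt for them across historical logs, then route only the detection-grade ones to the control that can enforce them) can be sketched end to end in a few dozen lines. The block below is an added illustration, not McAfee, MISP or OpenDXL code: the event is a constructed sample shaped like a MISP event export, the log lines and the routing table are invented, and the `to_ids` distinction it relies on is MISP's own flag for attributes intended for detection.

```python
"""IOC hunt and per-countermeasure block lists from a MISP-style event.

Added illustration of the MISP -> ESM/Active Response -> countermeasure flow
described above. This is not McAfee, MISP or OpenDXL code; the event, the log
lines and the routing table are constructed for the example.
"""
import json
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample shaped like a MISP event export (Event -> Attribute list).
# All values are invented. "to_ids" is MISP's flag marking an attribute as
# detection-grade; context-only attributes carry to_ids=False.
MISP_EVENT = json.dumps({
    "Event": {
        "info": "constructed: sandbox-derived C2 indicators",
        "Attribute": [
            {"type": "ip-dst", "value": "203.0.113.45", "to_ids": True},
            {"type": "domain", "value": "update-check.example", "to_ids": True},
            {"type": "url", "value": "http://cdn.example.net/stage2.bin", "to_ids": True},
            {"type": "sha256", "value": "a" * 64, "to_ids": True},
            {"type": "ip-dst", "value": "198.51.100.7", "to_ids": False},
            {"type": "comment", "value": "seen in constructed incident 0001", "to_ids": False},
        ],
    }
})

# Constructed proxy / firewall / DNS / endpoint log lines (invented hosts).
SAMPLE_LOGS = [
    "proxy 2017-04-19T10:01:02 src=10.1.1.5 url=http://cdn.example.net/stage2.bin action=allow",
    "fw 2017-04-19T10:01:09 src=10.1.1.5 dst=203.0.113.45 dport=443 action=allow",
    "dns 2017-04-19T10:02:30 src=10.1.1.9 query=update-check.example",
    "fw 2017-04-19T10:03:00 src=10.1.1.9 dst=198.51.100.7 dport=80 action=allow",
    "edr 2017-04-19T10:04:11 host=ws-17 file=C:\\Temp\\stage2.bin sha256=" + "a" * 64,
    "fw 2017-04-19T10:05:00 src=10.1.1.20 dst=192.0.2.10 dport=443 action=allow",
]

# Which MISP attribute types each countermeasure can enforce (example routing).
ROUTING = {
    "firewall": {"ip-dst", "ip-src"},
    "proxy": {"domain", "hostname", "url"},
    "endpoint": {"sha256", "sha1", "md5"},
}

KV_RE = re.compile(r"(\w+)=(\S+)")


def load_iocs(event_json, detection_only=True):
    """Return {attribute_type: set(values)} from a MISP-style event.

    Hunting can use every attribute (detection_only=False); anything pushed to
    a blocking control should be limited to to_ids=True attributes.
    """
    iocs = defaultdict(set)
    for attr in json.loads(event_json)["Event"]["Attribute"]:
        if detection_only and not attr.get("to_ids"):
            continue
        iocs[attr["type"]].add(attr["value"].lower())
        if attr["type"] == "url":  # a URL indicator also yields its host
            host = urlparse(attr["value"]).hostname
            if host:
                iocs["domain"].add(host.lower())
    return iocs


def hunt(log_lines, iocs):
    """Historical hunt: compare every key=value field against every IOC set."""
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        for key, raw in KV_RE.findall(line):
            candidates = {raw.lower()}
            if key == "url":
                host = urlparse(raw).hostname
                if host:
                    candidates.add(host.lower())
            for ioc_type, values in iocs.items():
                for value in sorted(candidates & values):
                    hits.append({"line": lineno, "type": ioc_type, "value": value, "log": line})
    return hits


def build_blocklists(iocs):
    """Route detection-grade indicators to the control that can enforce them."""
    return {target: sorted(v for t in types for v in iocs.get(t, ()))
            for target, types in ROUTING.items()}


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOGS, load_iocs(MISP_EVENT, detection_only=False)):
        print(f"line {hit['line']}: {hit['type']} {hit['value']}")
    for target, entries in build_blocklists(load_iocs(MISP_EVENT)).items():
        print(f"{target}: {entries}")
```

Two points the code makes that the prose leaves implicit: the hunt runs over every attribute, so the context-only address on the fourth log line still surfaces for an analyst, but the block lists are built only from `to_ids=True` attributes, so that same address never reaches the firewall. In a real deployment the hunt would be the ESM back trace or an Active Response query and the block lists would be published as DXL events to each control; the matching and routing logic is the same.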

For more information on automated threat hunting with OpenDXL and to get connected with the community of OpenDXL users, I’d encourage you to check out the McAfee DXL architecture guide and the data sheet.

The post Expanding Automated Threat Hunting and Response with Open DXL appeared first on McAfee Blogs.

Security Automation is Here — The Time is Now: 60% of respondents think manual processes are holding back security effectiveness
https://securingtomorrow.mcafee.com/business/optimize-operations/security-automation-time-now-60-respondents-think-manual-processes-holding-back-security-effectiveness/
Tue, 09 May 2017 19:39:40 +0000
Time was, automation was a dirty word in security. Now, it is a necessity. A new Enterprise Strategy Group (ESG) survey, sponsored by McAfee and other technology vendors, shows that 3 out of 5 organizations see manual processes as holding them back from better organizational effectiveness when it comes to security analytics and operations. My rule of thumb is: The third time you do the same thing, automate it. That doesn’t mean automating actions like wiping a system or rebooting, but it does mean you get the machines to do the easy work. Automation can mean setting a policy, defining an alarm or quarantine based on a trigger, defining a correlation rule to make the same review decision you had been doing and then setting an alarm or creating a watchlist, or using a script to package and forward data. Any of these approaches is easily implemented with today’s technology.

A case in point: the findings also show that the #1 priority for automation and/or orchestration is integrating external threat intelligence with internal security data collection and analysis. That capability is entirely automated today with McAfee Enterprise Security Manager. You can consume IOCs and mine your database to see if they are already present in your environment, generating alarms for any matches, and also set a watch in case these IOCs enter your infrastructure in the future. The watchlist can also trigger an action you define, from a simple alarm to active quarantine. Check out this video to see for yourself.

ESG Research, Cybersecurity Analytics and Operations Survey, April 2017.

The post Security Automation is Here —The Time is Now: 60% of respondents think manual processes are holding back security effectiveness appeared first on McAfee Blogs.

Automated mitigation on endpoint devices and networks can be tricky
https://securingtomorrow.mcafee.com/business/optimize-operations/automated-mitigation-on-endpoint-devices-and-networks-can-be-tricky/
Wed, 03 May 2017 22:42:53 +0000
Many companies have automated systems in place for preventing, detecting, and investigating security incidents, but automating the incident response and mitigation process for networks and endpoint devices has been a tougher nut to crack.

That includes actions such as automatically re-imaging endpoint devices, isolating devices from corporate networks, or shutting down particular network processes in order to quickly and efficiently respond to attacks.

“I think there’s a lot of potential,” said Joseph Blankenship, analyst at Forrester Research. “We’re definitely in a period of discovery, though, and that has to take place before we’re going to see widespread, mainstream adoption.”

Enterprises first need to get more experience with security automation tools, he said, and see what impact they have.

But full incident response automation is probably three to five years from becoming reality, he said.

“I think we’re seeing some early attempts,” he said. “Say, if every time you see the same threat indicator, the analyst gets action recommendations from an automated tool or machine learning algorithm and makes the same choice, to click yes, let’s go ahead and take the next step. Then if we do that 500 or 1,000 times we can agree that this is a process that we can fully automate and take the analyst fully out of the loop.”

At that point, the analysts can focus on their more difficult, complex situations.

But companies can also approach automation without a machine learning system, if they already have incident response playbooks in use at their company, said Ariel Tseitlin, partner at Foster City, Calif.-based investment firm Scale Venture Partners.

“Take one of those playbooks, and take security automation tools, and test how much of that playbook can be automated,” he said. “That’s a very practical and real way of going and determining if a tool is applicable for an individual environment and how much benefit you can get from it.”

Even partial automation can be very effective, he said.

“Say you have malware on an endpoint, and your playbook for that has 50 steps in it,” he said. “If you can, say, automate 80 percent of it, you can see how many hours of savings you’ll get for your security team, and you can quickly get proof of value.”

Tseitlin said that he talks with customers when deciding whether to invest in any particular security startup, and he’s finding that there’s already real value that’s being realized.

One key factor that determines whether a particular incident response technology works is whether the enterprise itself is ready for automation.

“Different companies are at different stages of security maturity,” he said. “If you haven’t thought about the process, then thinking about automation is really premature. The first thing you have to do is map out the risks, threats and controls, and then you think about how you go through implementing each of those controls. But then when you’ve gone through that, automation is a great way to accelerate and improve the efficiency of the organization.”

Cleaning up the endpoints

One of the earliest uses of automation on endpoint devices has been to quarantine or remove malware files before they do any damage.

Almost every PC now has some form of anti-virus, and many companies are also using behavior-based malware detection to spot new threats.

A manual response would be too slow, since malware can act quickly to damage a device, or even to start spreading to other machines on the same network.

“So it’s not a new concept,” said Rob Clyde, security consultant and member of the ISACA board of directors.

But what happens if a user clicks on a malicious link or attachment, and installs malware that is able to evade all the defenses, install itself on the machine, and begin to do damage?

A typical response would be to store a copy of the device image for later forensic analysis, wipe the machine, restore it from a clean image, and restore the user’s files from the latest backup. While this is all happening, the user might be sent to anti-phishing training so as to be more careful next time.

Automating this process is easier for some companies than others, said Clyde.

“Some have gone to complete virtual desktops,” he said. “In essence, their desktop is always available to be re-imaged, because the physical machine is just a host for the virtual desktop.”

Similarly, if a company has its employees use a cloud-based platform like Office 365 and saves all work documents on either their own servers, or in the cloud, then reimaging can also be relatively quick and easy.

In both cases, there is less risk of losing valuable files in the process, which limits the damage done if a machine is wiped when there was no actual infection.

“At the very same time, we have heavy knowledge workers, say, someone in a marketing organization, who is constantly working on new ad copy and PowerPoint presentations,” he said. “These are still often stored, at many companies, locally on the individual machine. The idea of wiping that machine and losing a day’s work unnecessarily is putting some companies off of trying to adopt this.”

Isolating the threat

Another common technique for automated mitigation is to quarantine infected machines.

“You might not wipe it, but it won’t spread the infection any further,” he said.

But doing this requires more than just having endpoint protection in place, he said.

“It does require network access controls,” he said. “If you have a link between the detection of the infected endpoint, and the network access control system, that can automatically link back with network security products and actually keep that device from connecting to the network.”

But too often, when products that have those capabilities are deployed, they aren’t implemented.

“In some cases, there’s a bit of a check-the-box mentality,” he said. “And nobody is asking whether I’ve implemented the network access controls. They should add that to the check list.”

In a large organization, there could be an additional barrier to setting up these kinds of systems in that the people responsible for the networks and the people responsible for endpoints are two different groups.

“It requires cooperation,” he said, “and sometimes the cooperation is just too hard to get.”

In addition, there’s the question of how many devices have to be isolated, said Jon Oltsik, senior principal analyst at Enterprise Strategy Group.

“If I quarantine one system, that’s fine,” he said. “But if I’m quarantining more systems, it gets more complex.”

As the required response gets more extensive, the more complicated it gets, he said. “And the more confidence you have to have that you’re doing the right thing.”

Smart networks

There are many tools available today that can detect suspicious activity on the network.

“You see a person in marketing has launched a network scan – that shouldn’t happen, so you can quarantine that system,” said Oltsik. “Or you see systems beaconing out to known command and control servers, so you can stop them at the system level or the network level. That’s pretty routine, and there are lots of companies that do that.”

But the more sophisticated the attack, the harder it is to automate a response, he said.

That doesn’t mean network vendors aren’t trying.

Network security has been a hotbed of activity recently when it comes to automation, said ISACA’s Clyde.

“If you were to walk around the last RSA show, you would see network security company after network security company touting how they automate detection of attacks and in some cases automatically take action,” he said.

But opinion is divided as to whether this is a good idea.

“Some voice concerns about taking action without human involvement, especially if a system was not 100 percent deterministic,” he said. “They might get it wrong, and take some action that might block legitimate activity. But others are like, ‘The attackers move too quickly and we need automation.'”

If false positives are too high, companies prefer to send the alerts to analysts for manual response.

“We are making progress,” he said. “But the state of the art tends to be about detecting, and not taking action, except for cases where it’s 99.9 percent certain that it’s real.”

Fortunately, because of improving technology, human analysts are able to handle and monitor a lot more than they could even a couple of years ago, he said.

“That’s the good news,” he said. “The bad news is, I’m not sure that we’re keeping up with the innovation on the attacker side.”

 

This article was written by Maria Korolov from CSO Magazine and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

The post Automated mitigation on endpoint devices and networks can be tricky appeared first on McAfee Blogs.

Enterprise security technology consolidation
https://securingtomorrow.mcafee.com/business/optimize-operations/enterprise-security-technology-consolidation/
Mon, 01 May 2017 20:37:57 +0000
Look around the cybersecurity infrastructure at any enterprise organization, and here’s what you’ll see – dozens and dozens of cybersecurity tools from just as many vendors.

Now this situation wasn’t planned; it just happened. Over the past 15 years, bad guys developed new cyber weapons to exploit IT vulnerabilities. And large organizations reacted to these new threats by purchasing and deploying new security controls and monitoring systems. This pattern continued over time, leading to today’s patchwork of security point tools.

So, what’s the problem? Point tools aren’t really designed to talk with one another, leaving human beings to bridge the communications, intelligence and technology gaps between them. Furthermore, each individual tool requires training, deployment, configuration and ongoing operational support. More tools, more needs.

Fast forward to 2017, and there simply aren’t enough eyeballs, hands or hours in the day to make this jerry-rigged security model work. Want proof? In a 2016 research project conducted by ESG and the Information Systems Security Association (ISSA), survey respondents were asked about the ramifications of the global cybersecurity skills shortage on their organizations. Alarmingly, 35 percent said the skills shortage has created a situation where the cybersecurity staff doesn’t have adequate time to learn the nuances of the security technologies they purchase, leading to a condition where these technologies aren’t used to their full potential.

In summary, many enterprises have too many security point tools and not enough time. And the downsides here are pretty bad: complex operations, employee burnout, low ROI and increased risk.

Fortunately, CISOs recognize the state of their cybersecurity technologies and are adjusting their strategies accordingly. Recent ESG research reveals that 24 percent of enterprise organizations claim they are actively consolidating the number of cybersecurity vendors they do business with, while another 38 percent are consolidating the number of cybersecurity vendors they do business with on a limited basis. And another 21 percent are considering vendor consolidation. Look for this trend to continue and accelerate.

As previously mentioned, another issue with point tools is their inherent lack of integration with one another. CISOs are busy addressing this, as well, with updated security technology procurement strategies – 74 percent of survey respondents said their organizations select best-of-breed security technologies but only if they are designed for broader integration. This sentiment was summarized by a CISO I spoke with who exclaimed, “Integration is the new best of breed.”

It will certainly take time for large organizations to replace legacy security point tools with new technologies built for integration, but the ESG data points to a burgeoning trend. Enterprise organizations are actively tossing security point tools aside and building integrated security technology architectures (similar to ESG’s SOAPA model). Henceforth, security point tools must offer stand-alone functionality, provide easy integration into broader security architecture, and be able to interoperate with other security technologies to provide a force multiplier effect.

 

This article was written by Jon Oltsik from NetworkWorld and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

The post Enterprise security technology consolidation appeared first on McAfee Blogs.

Banks Face Challenge Of Integrating Cyber And Operational Risk
https://securingtomorrow.mcafee.com/business/optimize-operations/banks-face-challenge-of-integrating-cyber-and-operational-risk/
Fri, 28 Apr 2017 20:53:36 +0000
Banks are increasingly aware of the threats that can arise from cyber-related crimes and are continuing to strengthen their defenses against these threats. The resulting pace of change and innovation on both sides of the “conflict” continues to accelerate as the potential for gain and/or loss for the attacking entities and financial institutions only grows.

Newly published Accenture research on cybersecurity across the banking sector found that 78 percent of senior security executives from across the banking sector expressed confidence about their overall cybersecurity strategy. However, these executives may be overconfident; the survey also revealed that, among the thousands of phishing, malware and penetration attacks that financial services firms face each year, there were an average of 85 serious attempted cyber breaches. Of these, about one-third (36 percent) were successful, meaning at least some information was obtained through the breach. And, according to respondents, a majority (59 percent) of successful breaches go undetected for several months, demonstrating that the cybercrime industry has evolved from its early days of being “smash and grab” to a more sophisticated approach of getting inside in order to listen, learn and extend the criminal activity.

Dealing with threats of this magnitude continues to call for new and innovative approaches to cybersecurity. Typically, banks have tried to establish controls to manage cyber risk from the top down with a strong security perimeter. But in coping with the complexities of firewalls, malware and phishing alongside increasing use of social engineering approaches to infiltrate the institutions, banks are struggling to connect the technical aspects of cybersecurity with the broader concerns of operational risk – defined by the Basel Committee as “the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems, or from external events.”

Any successful cyberattack has the opportunity to affect people, processes and technology throughout the organization. In the wake of an attack, banks need to get IT systems back up and running, but they also need to reassure customers and regulators, deploy effective back-up systems, and potentially, compensate losses. This calls for advance planning, cooperation and communication between operational, risk, infrastructure and cybersecurity teams. Proper planning is a critical component in the overall defense approach and needs to be prioritized on a risk basis. Being able to identify the valuable data assets in the environment – and then focusing on how to provide multiple layers of defense for this specific population – helps to enable the right strategy and focus the security related investment.

Another important factor for consideration is the ability to quickly quarantine an area which has been breached, to enable the broader systems and processes of the bank to continue operating while the affected areas are investigated, repaired and brought back on line. Incorporating the cyber risk strategy with an effective enterprise risk management (ERM) strategy can therefore help to limit the damage from a data loss event, distributed denial of service (DDoS) attack or other cyber incidents. Increasingly we do see cyber risk as a specific component of a comprehensive operational and ERM strategy, with formal review and oversight by the board and senior management.

Banks are continuing to step up both their investments in cybersecurity and their risk-based approach to protecting the institution. In addition to spending on technology and cyber expertise, they also are enhancing the governance framework to help foster accountability across heritage functional silos and create a more cohesive security-minded culture. By ensuring that the security program is supported by a more comprehensive risk and business strategy, organizations are able to develop a more complete “cyber response plan” that includes stakeholder communications and the protection and recovery of key assets. And the result is seen in banks decreasing their risk exposure while also improving the speed and effectiveness of their responses.

Cyber threats will continue to evolve, but banks that tie cybersecurity efforts to broader operational risks will be far more resilient in a challenging environment.

 

This article was written by Steve Culp from Forbes and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

The post Banks Face Challenge Of Integrating Cyber And Operational Risk appeared first on McAfee Blogs.

OpenDXL Case Study: Sandbox Mania featuring Cuckoo and Wildfire
https://securingtomorrow.mcafee.com/business/optimize-operations/opendxl-case-study-sandbox-mania-featuring-cuckoo-wildfire/
Wed, 19 Apr 2017 15:00:52 +0000

To unleash creativity, my middle school art teacher occasionally offered up all the painting, woodcarving, pottery, and collage resources in the studio, with no guidelines or constraints other than our imaginations and the available class time. The results ranged from the mundane to the inspired. I carved a 3D lobster. (Sadly, no picture survives, but let’s pretend it is as wonderful as the one here carved by Ryousuke Ohtake).

OpenDXL as a Blank Canvas

As an open source integration framework, OpenDXL is like that art studio. Creative security analysts and developers can use the OpenDXL SDK (libraries, classes, and helper classes), the Python client, and code examples on GitHub to express their own ideas and activate their APIs. They can build everything from simple productivity boosters to sophisticated conditional workstreams.

Unfortunately, unlike the art classroom, OpenDXL projects aren’t easily visible. So, we at McAfee created a virtual studio, a contest to see what our sales engineers would create with OpenDXL. [We also captured some examples in our new Idea Guide, downloadable here.]

One of the first contest submissions, now published to github.com/opendxl-community, helps solve the age-old malware analysis dilemma: how many sandboxes are enough?

Simple POCs with high value

Jesse Netz, a sales engineer on the East Coast, used OpenDXL to integrate the open source Cuckoo sandbox and the Palo Alto Networks Wildfire sandbox with the DXL messaging fabric and the McAfee Advanced Threat Defense sandbox. These integrations can help enterprises get more value out of their existing resources and share the latest threat data for the fastest detection of emerging threats.

  1. A Cuckoo sandbox can pull changing malware file reputations maintained by the McAfee Threat Intelligence Exchange and include these reputations in its processing as well as the Cuckoo report. TIE provides visibility into the local prevalence of the file, helping the analyst understand how widespread an infection might be. In addition, customers who have the McAfee Advanced Threat Defense sandbox would see the ATD verdicts appear within the Cuckoo report, enriching the Cuckoo details about what the sample did while executing.
  2. DXL-integrated applications can use a lightweight DXL interface (service wrapper) instead of the Cuckoo APIs to access Cuckoo sandbox details (socket connections, registry writes, etc.) from anywhere, on-network or off-network. For this integration, Jesse reused a reference example provided in the OpenDXL SDK, the ePO API service wrapper.
  3. Wildfire verdicts update McAfee Threat Intelligence Exchange’s reputation database with new scores. Any application that listens to TIE reputation scores will get the updated information without having to integrate directly with Wildfire, and can immediately inoculate its systems by blocking the newly identified malware. This example converts verdicts to TIE reputations.
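The third integration above turns a sandbox verdict into a TIE reputation, and the interesting part is the policy, not the API call: what to do when Cuckoo and Wildfire disagree, and whether a benign verdict should ever raise a reputation that another source has already lowered. The block below is an added illustration and is not the contest submission's code nor anything from opendxl-community. The trust-level constants are the TrustLevel values documented for the OpenDXL TIE client (treat them as an assumption and check your SDK version); the Cuckoo score thresholds, the WildFire code mapping and the publish policy are this example's own choices, and all inputs are constructed.

```python
"""Normalise Cuckoo and WildFire verdicts into one TIE-style trust level.

Added illustration of the verdict-to-reputation step (item 3 above); it is not
the contest submission's code nor anything from opendxl-community. The trust
levels are the TrustLevel values documented for the OpenDXL TIE client; the
thresholds and the publish policy are this example's own choices.
"""

# Assumption: these match the TrustLevel constants in your OpenDXL TIE client.
KNOWN_TRUSTED = 99
MOST_LIKELY_TRUSTED = 85
MIGHT_BE_TRUSTED = 70
UNKNOWN = 50
MIGHT_BE_MALICIOUS = 30
MOST_LIKELY_MALICIOUS = 15
KNOWN_MALICIOUS = 1
NOT_SET = 0

# WildFire verdict codes: 0 benign, 1 malware, 2 grayware, 4 phishing;
# negative codes mean pending/error/unknown and map to UNKNOWN below.
WILDFIRE_TRUST = {
    0: MOST_LIKELY_TRUSTED,
    1: KNOWN_MALICIOUS,
    2: MIGHT_BE_MALICIOUS,
    4: KNOWN_MALICIOUS,
}


def cuckoo_trust(report):
    """Map a Cuckoo report's info.score (0-10 malscore) to a trust level.

    Thresholds are this example's choice, not Cuckoo's or TIE's.
    """
    score = (report.get("info") or {}).get("score")
    if score is None:
        return UNKNOWN
    if score >= 7:
        return MOST_LIKELY_MALICIOUS
    if score >= 4:
        return MIGHT_BE_MALICIOUS
    if score >= 1:
        return UNKNOWN          # weak signals alone do not move a reputation
    return MIGHT_BE_TRUSTED


def wildfire_trust(verdict_code):
    """Map a WildFire verdict code to a trust level (unknown codes -> UNKNOWN)."""
    return WILDFIRE_TRUST.get(verdict_code, UNKNOWN)


def combine(levels):
    """Most malicious (lowest) verdict wins; UNKNOWN never outweighs a verdict."""
    decided = [lvl for lvl in levels if lvl != UNKNOWN]
    return min(decided) if decided else UNKNOWN


def decide(sha256, cuckoo_report, wildfire_code, current_trust):
    """Return the reputation update to publish to TIE, if any.

    Policy: a sandbox may lower a file's trust or set it for the first time,
    but never raise trust that another source has already lowered.
    """
    level = combine([cuckoo_trust(cuckoo_report), wildfire_trust(wildfire_code)])
    if level == UNKNOWN:
        publish, reason = False, "no sandbox verdict yet"
    elif current_trust in (NOT_SET, UNKNOWN):
        publish, reason = True, "first verdict for this file"
    elif level < current_trust:
        publish, reason = True, "more malicious than current reputation"
    elif level == current_trust:
        publish, reason = False, "already at this level"
    else:
        publish, reason = False, "would raise trust; keep existing reputation"
    return {"sha256": sha256, "trust_level": level, "publish": publish, "reason": reason}


if __name__ == "__main__":
    # Constructed inputs: a fake hash, a Cuckoo-shaped report and a WildFire code.
    sample = {"target": {"file": {"sha256": "b" * 64}}, "info": {"score": 7.2}}
    print(decide("b" * 64, sample, 0, NOT_SET))
```

The asymmetry in `decide` is deliberate: a sandbox that missed the payload (a benign WildFire verdict next to a high Cuckoo score, or either sandbox reporting benign for a hash TIE already knows as malicious) must not quietly whitelist the file, so only downward moves and first verdicts are published. Whatever publishes the result would then set the reputation for the hash in TIE, which is the one step this example leaves out.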

Done in Hours, Not Weeks

The three integrations took a total of about 30 hours, with the hardest part being learning each third-party API. Once he had done the first OpenDXL integration, the subsequent ones were much easier. Without OpenDXL’s support for SSL, authentication, and authorization, Jesse estimates these integrations would have taken at least twice as long. Now, others don’t need to invest the time learning the Cuckoo and Wildfire APIs and doing point-to-point integrations; they can just leverage OpenDXL topics and Jesse’s new service wrapper.

Looking ahead, Jesse is considering his next OpenDXL development, but we won’t know until he formally submits it to the programming contest. In the meantime, please stay tuned to github.com/opendxl-community for more examples, and fuel your own projects with the new Idea Book.

The post OpenDXL Case Study: Sandbox Mania featuring Cuckoo and Wildfire appeared first on McAfee Blogs.

The Power of an Integrated UEBA/SIEM Solution
https://securingtomorrow.mcafee.com/business/optimize-operations/power-integrated-uebasiem-solution/
Mon, 17 Apr 2017 15:00:14 +0000
If you’ve read our previous blog, “Leveraging UEBA Capabilities in Your Existing SIEM,” you understand how McAfee Enterprise Security Manager can perform many essential UEBA functions leveraging its built-in advanced analytics and behavior modeling.

Doing It Better Together

For several specific use cases, you may find that you need a third-party UEBA product. Fortunately, through the McAfee ecosystem approach to security, you can integrate UEBA solutions from other vendors for expanded visibility of McAfee Enterprise Security Manager’s user monitoring and analytics. Such tight integrations with McAfee Enterprise Security Manager optimize security operations by:

  • Adding user and entity threat data to McAfee Enterprise Security Manager’s threat and contextual parameters to trigger rapid response actions, such as policy changes, alerts, and escalations.
  • Leveraging response activities for deeper forensic investigations.
  • Enabling enhanced reporting, visibility, and management. Data collected by the UEBA solution can be sent to the McAfee Enterprise Security Manager reporting engine, which can then create visualizations of that information and synthesize it within its existing operational reports, dashboards, and workflows.

The McAfee and UEBA Vendor Partnerships

McAfee Security Innovation Alliance partnerships include numerous UEBA vendors that offer an advanced UEBA solution with a flexible analytics engine covering insider threats, targeted attacks, and unknown threats. These smart and powerful platforms utilize machine learning and advanced analytics models that are well suited for large, complex enterprise environments.

McAfee Enterprise Security Manager and UEBA vendor integrations increase visibility to:

  • Insider threats across endpoints, servers, networks, and log data: It connects high-risk actions to users and provides clear context.
  • Privileged accounts: Time, authentication, access, application usage, and data movement are monitored and compared to baseline behavior parameters.
  • Targeted attacks: It quickly surfaces attack paths as they unfold, including malware that propagates laterally.
  • Healthcare compliance: Policy violations and risky user behaviors are identified by monitoring users, files, applications, and all types of medical and computing devices.

UEBA solution integrations with both the McAfee Enterprise Security Manager SIEM solution and the McAfee Data Exchange Layer threat intelligence sharing fabric can identify indicators of attack and feed those back into the SIEM to facilitate threat hunting. False positives are minimized, and analysts can focus on high-priority actionable items. In effect, these integrations create a closed-loop system, with continuous interaction between the products. Integration with McAfee Data Exchange Layer enables and accelerates communication of threat intelligence across multiple security solutions. This can dramatically speed detection and remediation across the entire enterprise security ecosystem, supporting the entire threat lifecycle.

Learn more about how McAfee Enterprise Security Manager can be leveraged to perform UEBA functions in our white paper, Entity Behavior Analytics for McAfee Enterprise Security Manager. Also, explore the UEBA vendors who are part of the McAfee Security Innovation Alliance.

The post The Power of an Integrated UEBA/SIEM Solution appeared first on McAfee Blogs.

How Coordinated, Collaborative Security Can Help You Defeat Unknown Malware
https://securingtomorrow.mcafee.com/business/optimize-operations/coordinated-collaborative-security-can-help-defeat-unknown-malware/
Wed, 12 Apr 2017 19:00:51 +0000

In a previous blog, “How to Gain a Competitive Advantage with an Integrated Approach to Security,” we’ve shown you how adding an advanced threat analysis technology to a large enterprise security ecosystem is contributing to its success both operationally and from a business perspective.

This time, we’ll step through the technical details of how to combat unknown malware in a typical enterprise environment. Let’s look at a company that has just gone through an acquisition. As a result of the acquisition, employees are being required to use many new applications. One of the employees clicks a link in an email for an application that appeared legitimate but is, in fact, malicious and installs a keylogger that captures users’ keystrokes.

Here’s how the McAfee integrated ecosystem approach to security rapidly responds to unknown files of this kind and prevents them from executing and doing damage across the organization.

Step 1:

McAfee Threat Intelligence Exchange discovers the keylogger on endpoints and blocks the file from executing. The Threat Intelligence Exchange client then queries the McAfee Threat Intelligence Exchange server for the file’s reputation and simultaneously queries McAfee Global Threat Intelligence, which gathers file reputation intelligence from millions of sensors all over the world. The file is cached on the server while McAfee Threat Intelligence Exchange checks its blacklist and whitelist. After this query-response process, McAfee Threat Intelligence Exchange can update the reputation as “good” or “bad.” However, in this case, the file is unknown and requires further analysis.

McAfee Advanced Threat Defense combines sandboxing dynamic code analysis with in-depth static code analysis to identify any potentially malicious code.

Step 2:

Through a REST API, McAfee Threat Intelligence Exchange communicates with McAfee Advanced Threat Defense, where the unknown file is sent for further analysis via sandboxing. McAfee Advanced Threat Defense spins up a virtual machine (VM) to detonate the file via dynamic analysis, which enables examination of any malicious behavior. At the same time, McAfee Advanced Threat Defense performs static code analysis by unpacking the file and reverse engineering the code, which allows comparison to known malware families that reuse code and identifies any potentially malicious code. Obfuscated and metamorphic code, which can be highly evasive, can be unveiled through the combination of dynamic and static code analysis. If any malicious intent is identified, McAfee Advanced Threat Defense then convicts the file and updates the reputation, applying a high-severity rating, in this case. This process reveals several indicators of compromise (IoCs) about the file: it attempts to bypass security controls, it installs a keylogger, and it makes connections to risky websites. The verdict is then sent back to the McAfee Threat Intelligence Exchange server, which updates its local repository and any integrated vector from endpoint to network. McAfee Advanced Threat Defense also publishes the IoCs across the McAfee Data Exchange Layer (McAfee DXL) to any subscriber.

Step 3:

McAfee Data Exchange Layer, which enables sharing of threat information across McAfee security components and third-party security products, publishes these IoCs for ingestion by other solutions in the environment.

Step 4:

McAfee Data Exchange Layer will publish IoCs generated from McAfee Advanced Threat Defense to the security information and event management system (SIEM), McAfee Enterprise Security Manager. The SIEM then aggregates the IoCs and correlates these events. For example, it can do historic investigation, looking into its archives of networks or systems to find evidence of this malware and correlate these IoCs with other events. If it finds that systems have connected to malicious URLs associated with the keylogger, it can send out additional alerts so that remediation can be applied. Once the correlation has been done, McAfee Endpoint Threat Defense and Response uses its automated search capability to get access to this information and generates a URL that will open up the McAfee ePolicy Orchestrator (McAfee ePO) management console where McAfee Active Response is housed, and the pivot to remediation can take place.

Step 5:

Since the malware has a high-severity rating, McAfee Enterprise Security Manager triggers an alert, which enables the administrator to take remediation actions, such as killing the process or removing the file—along with any trace files—from the affected machines.
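The retrospective sweep and severity-driven escalation of Steps 4 and 5, as an added example that is not McAfee code: a constructed IoC bundle (placeholder hash, made-up URLs) is matched against constructed proxy and endpoint archives inside a look-back window, and each host’s evidence is mapped to a response. The archive formats, function names and the 30-day window are assumptions for the demo.

```python
from datetime import datetime, timedelta

# Constructed IoC bundle in the shape a sandbox verdict might publish; the
# hash is a placeholder, not a real indicator, and the URLs are made up.
SANDBOX_IOCS = {
    "sha256": "PLACEHOLDER_SHA256_OF_KEYLOGGER",
    "severity": "high",
    "urls": {
        "http://updates.example-bad.test/check",
        "http://c2.example-bad.test/beacon",
    },
}

# Constructed proxy archive lines: "timestamp host url".
PROXY_ARCHIVE = """\
2017-04-10T09:12:03 ws-101 http://intranet.example.test/home
2017-04-10T09:13:41 ws-101 http://c2.example-bad.test/beacon
2017-04-10T11:02:17 ws-204 http://updates.example-bad.test/check
2017-04-11T08:45:00 ws-305 http://intranet.example.test/home
2017-02-01T10:00:00 ws-999 http://c2.example-bad.test/beacon
"""

# Constructed endpoint execution events: "timestamp host sha256".
ENDPOINT_ARCHIVE = """\
2017-04-10T09:13:02 ws-101 PLACEHOLDER_SHA256_OF_KEYLOGGER
2017-04-10T10:58:30 ws-204 PLACEHOLDER_SHA256_OF_BENIGN_FILE
"""

# Reference time for the demo, so the look-back window is deterministic.
NOW = datetime(2017, 4, 12, 0, 0, 0)


def parse_archive(text):
    """Yield (timestamp, host, value) tuples from a whitespace-separated archive."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, value = line.split(maxsplit=2)
        yield datetime.fromisoformat(ts), host, value


def sweep(iocs, proxy_text, endpoint_text, now, window_days=30):
    """Match published IoCs against archived events inside a look-back window.

    Returns {host: {"executed": bool, "urls": set, "first_seen": datetime}}.
    Hosts whose only contact lies outside the window are not reported.
    """
    cutoff = now - timedelta(days=window_days)
    hits = {}

    def record(host, ts):
        entry = hits.setdefault(
            host, {"executed": False, "urls": set(), "first_seen": ts})
        entry["first_seen"] = min(entry["first_seen"], ts)
        return entry

    # Endpoint evidence: the convicted hash ran on the host.
    for ts, host, sha in parse_archive(endpoint_text):
        if ts >= cutoff and sha == iocs["sha256"]:
            record(host, ts)["executed"] = True
    # Network evidence: the host reached a URL tied to the keylogger.
    for ts, host, url in parse_archive(proxy_text):
        if ts >= cutoff and url in iocs["urls"]:
            record(host, ts)["urls"].add(url)
    return hits


def triage(iocs, hits):
    """Turn per-host evidence into a response, driven by the verdict's severity."""
    actions = {}
    for host, evidence in hits.items():
        if evidence["executed"]:
            # The file ran: kill the process, remove the file and its trace files.
            actions[host] = "remediate"
        elif iocs["severity"] == "high":
            # Network contact only: raise an alert and confirm before acting.
            actions[host] = "investigate"
        else:
            actions[host] = "monitor"
    return actions


def run_demo():
    """Sweep the constructed archives and return the per-host actions."""
    hits = sweep(SANDBOX_IOCS, PROXY_ARCHIVE, ENDPOINT_ARCHIVE, NOW)
    return triage(SANDBOX_IOCS, hits)


if __name__ == "__main__":
    for host, action in sorted(run_demo().items()):
        print(f"{host}: {action}")
```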

This use case illustrates the value of a unified architecture, where collaboration of all your security components can dramatically improve security operation response and efficiency, reduce threat dwell time, and increase your capacity to handle security events. In a recent McAfee survey, 70% of participants believe that this approach results in reduction of manual efforts through integrated workflows and automation and 65% believe it provides more effective triage automation.

Watch our video, and see the power of McAfee integration and intelligence sharing in action: “Defeat the Grey.”

The post How Coordinated, Collaborative Security Can Help You Defeat Unknown Malware appeared first on McAfee Blogs.

Leveraging SIEM and Security Analytics for Improved Monitoring of Advanced Threats
https://securingtomorrow.mcafee.com/business/optimize-operations/leveraging-siem-security-analytics-improved-monitoring-advanced-threats/
Fri, 07 Apr 2017 19:00:40 +0000

For more than a decade, in response to higher volumes of alerts, security information and event management (SIEM) became an integral component of enterprise security programs. However, the increasing sophistication and complexity of attacks are driving the need for advanced analytics—beyond the log aggregation of older SIEM solutions. Security analytics, which uses Big Data technologies, has emerged to fill in the gaps.

In its recent report, “Security Analytics Team of Rivals,” consulting firm Securosis contends that security analytics solutions provide maximum value when integrated with advanced SIEM solutions and vice versa. One is not a replacement for the other, nor should they be viewed as competing solutions.

Most enterprises have had a SIEM in place for a number of years. Its main strengths include: data aggregation, correlation, forensics and incident response, and reporting. The data sets that are generally handled best by a SIEM are network data, endpoint activity, server and data logs and change control activity, identity data, application logs, and threat intelligence feeds.

One thing that some SIEMs struggle with is finding patterns in large volumes of data. Security analytics solutions, on the other hand, are intentionally designed to crunch through SIEM’s huge data sets, looking for indicators of malicious activity, such as anomalous patterns of activity, misconfiguration, or privilege escalation. The integrated solutions are particularly good at advanced threat detection and tracing insider attacks.

How do you benefit from integrating analytics solutions with your SIEM? For one thing, today’s security analytics solutions don’t allow you to search for an alert and then set in motion an incident response process—SIEMs handle that job and lend themselves well to easy and comprehensive threat activity visualizations and reporting. There are two key integration points where you’ll find the combination invaluable:

  • Automated Data Analysis: SIEMs have been proficient at collecting and aggregating data for a long time. In order to extract this data for further analysis, ensure that your integration of SIEM and security analytics has sufficiently robust automated processes. This can save an enormous amount of time.
  • Alert Prioritization: Both your SIEM and your security analytics tools will create and send out alerts. Bi-directional information sharing between the SIEM and security analytics solutions is essential so that your team can prioritize investigative actions and maintain context.

Let’s look at a scenario where SIEM and security analytics can complement one another to detect what appears to be an advanced insider attack. In this use case, the security team of a fast-growing retail operation receives an alert from its SIEM solution. It appears that an insider is probing the internal network, which is highly unusual activity for an employee. For a more complete picture of the situation, the team accesses its integrated SIEM and security analytics solution for additional insights on what the adversary is up to. The integrated investigation reveals several types of unusual activity—like privilege escalations and configuration changes on multiple devices. The SIEM reports the trajectory of the attacker, which results in compromise of the device that triggered the alert in the first place, and this enables smarter and faster remediation.

To learn more about how your SIEM and security analytics tool can coordinate and complement each other, read the Securosis report, “Security Analytics Team of Rivals.”

The post Leveraging SIEM and Security Analytics for Improved Monitoring of Advanced Threats appeared first on McAfee Blogs.

How to Gain a Competitive Advantage with an Integrated Approach to Security
https://securingtomorrow.mcafee.com/business/optimize-operations/gain-competitive-advantage-integrated-approach-security/
Mon, 03 Apr 2017 15:00:06 +0000

Simply adding an advanced threat analysis technology to your security stack can expand detection and solve some immediate security issues. But thinking beyond standalone detection to an integrated ecosystem can not only improve detection and protection throughout your organization, it can also enhance your business by optimizing security operations response time, giving you a competitive edge.

A case in point is Vidant Health, eastern North Carolina’s largest healthcare provider, with eight hospitals and 80 clinics that serve 1.4 million people. Vidant is one of the first healthcare organizations in the US to successfully deploy a tightly integrated McAfee solution combining McAfee Advanced Threat Defense, McAfee Threat Intelligence Exchange, McAfee Enterprise Security Manager, and McAfee Data Exchange Layer.

Vidant’s information security director, Kirk Davis, explains that prior to adopting this solution, his team was on “alert overload” and experienced long delays in receiving information about threat activity. The McAfee solution answered the need for a security decision support platform that would allow the information services group to spend most of their time enabling growth, innovation, and delivery of patient-centered services, such as managing and tracking rounds by medical staff, protecting electronic health records, and streamlining clinical workflows.

Just days after the brief deployment period, Davis was seeing results from the solution. The SIEM component, McAfee Enterprise Security Manager, dramatically increased visibility into security events and suspicious files detected and convicted by dynamic and static analysis technologies used by McAfee Advanced Threat Defense.

“Now we can consolidate threats and alerts and provide actionable information to our team,” says Davis, “And, because we don’t operate in an API-to-API environment, McAfee Data Exchange Layer, through the McAfee Threat Intelligence Exchange/McAfee Advanced Threat Detection integration, can share threat information in seconds.”

Tight integration and automation greatly reduce the time from detection to protection and correction across the entire organization. As Davis suggests, “Being able to have that immediate visibility to threats and being able to guard against them without any human intervention really allows us to focus on our core business, which, believe it or not, is not running down malicious code.”

According to Davis, implementation of the integrated solution resulted in a positive ROI in just six months. For example, Vidant and its care partners no longer experience costly losses in productivity and operational expense associated with the amount of time and effort spent combating evasive and complex threats like CryptoWall ransomware.

Vidant has derived significant business value from the open and collaborative approach to security enabled by McAfee solutions. With greater visibility to potential threats, this approach empowers security operations teams to act swiftly, optimizing response and efficiency. For Vidant, automated and coordinated security is essential. “If we want to have information services as a competitive advantage, we need to make sure we know exactly how to package and scale our infrastructure, security, and support services as we grow,” says Davis. And, as he can tell you, McAfee integrations have already contributed to his organization’s success.

To learn more about how an integrated ecosystem like the one implemented by Vidant can help you combat unknown malware, watch our video, “Defeat the Grey.”

The post How to Gain a Competitive Advantage with an Integrated Approach to Security appeared first on McAfee Blogs.

Leveraging UEBA Capabilities in Your Existing SIEM
https://securingtomorrow.mcafee.com/business/optimize-operations/leveraging-ueba-capabilities-existing-siem/
Fri, 31 Mar 2017 19:00:15 +0000

User and entity behavior analytics (UEBA) uses advanced analytics to track and flag suspicious behaviors of both users and assets, such as networked assets, sensors, databases, devices, and hosts.

There are many reasons why UEBA is gaining traction as both an integrated tool with SIEM as well as a standalone solution. A few include:

  • Increasing concerns over insider threats, whether intentional or accidental.
  • The rise of credential theft.
  • The need to add additional context to SIEM and orchestration systems for more effective continuous monitoring, detection, and remediation.

Some SIEM vendors, like McAfee, not only deliver integrations with UEBA solutions, but also already include UEBA capabilities in their products. McAfee Enterprise Security Manager employs a combination of intelligent anomaly detection and user and entity specific rules, along with other correlation models, to perform many UEBA functions efficiently and effectively—right out of the box!

McAfee Enterprise Security Manager factors in anomalous behavior—including user activities—as part of its continuous monitoring and incident prioritization. User behaviors are incorporated into calculations of security and risk to help security teams identify and prioritize security events. Some of the user behaviors that McAfee Enterprise Security Manager detects as unusual activities include: creation of new accounts or account lockouts, possible data exfiltration behaviors (emailing sensitive data outside the network), an increase in traffic to business applications, and events like late-night logins from unexpected locations or simultaneous remote logins to multiple locations.

Security professionals agree that speed and accuracy are of the essence when it comes to detecting, analyzing, and triaging threats. McAfee Enterprise Security Manager addresses this requirement by using multiple types of correlations to gather, parse, and process the user behavior data it receives.

An additional component of the McAfee SIEM solution is the McAfee Advanced Correlation Engine, which is purpose-built to analyze huge volumes of data without impacting your SIEM’s performance. It performs four types of correlation—rule-based, risk-based, standard deviation, and historical—for a real-time look at threats initiated by users against high-value assets and sensitive data.
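The four correlation types named above (rule-based, risk-based, standard deviation, and historical), run over the kinds of user behavior listed earlier, as an added example that is not McAfee Enterprise Security Manager’s implementation; the event format, baselines, weights and thresholds are all constructed for the demo.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed baselines: locations each user was seen from during a learning period.
BASELINE_LOCATIONS = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"},
                      "dave": {"US"}, "erin": {"US"}}

# Constructed daily request counts from bob to an internal business application.
BASELINE_APP_TRAFFIC = [120, 130, 125, 118, 135, 128, 122]

# Constructed event stream: "timestamp user event access location detail".
EVENTS = """\
2017-03-30T09:05:00 alice login office US -
2017-03-30T02:14:00 bob login remote CN -
2017-03-30T10:00:00 carol login remote US -
2017-03-30T10:12:00 carol login remote BR -
2017-03-30T11:00:00 dave account_create - - svc-backup2
2017-03-30T11:30:00 erin lockout - - -
2017-03-30T13:00:00 bob email_external - - 42MB
"""

# Weights for risk-based correlation; chosen for the demo, not taken from any product.
WEIGHTS = {
    "late-night login from unexpected location": 40,
    "simultaneous remote logins from multiple locations": 50,
    "possible data exfiltration by email": 35,
    "anomalous traffic to business application": 30,
    "new account created": 20,
    "account lockout": 10,
}


def parse_events(text):
    """Parse the constructed event lines into dicts with a datetime timestamp."""
    keys = ("user", "event", "access", "location", "detail")
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *rest = line.split()
        event = dict(zip(keys, rest))
        event["ts"] = datetime.fromisoformat(ts)
        events.append(event)
    return events


def rule_based(events, baselines, night=(22, 6), email_mb=10):
    """Rule-based correlation: each finding is (user, rule, detail)."""
    alerts = []
    for e in events:
        if e["event"] == "login":
            hour = e["ts"].hour
            late = hour >= night[0] or hour < night[1]
            unexpected = e["location"] not in baselines.get(e["user"], set())
            if late and unexpected:
                alerts.append((e["user"], "late-night login from unexpected location", e["location"]))
        elif e["event"] == "account_create":
            alerts.append((e["user"], "new account created", e["detail"]))
        elif e["event"] == "lockout":
            alerts.append((e["user"], "account lockout", ""))
        elif e["event"] == "email_external" and int(e["detail"].rstrip("MB")) >= email_mb:
            alerts.append((e["user"], "possible data exfiltration by email", e["detail"]))
    return alerts


def simultaneous_remote_logins(events, window=timedelta(minutes=30)):
    """Historical correlation: one user, remote logins from two places within the window."""
    remote = sorted((e for e in events if e["event"] == "login" and e["access"] == "remote"),
                    key=lambda e: (e["user"], e["ts"]))
    alerts = []
    for prev, cur in zip(remote, remote[1:]):
        if (prev["user"] == cur["user"] and prev["location"] != cur["location"]
                and cur["ts"] - prev["ts"] <= window):
            alerts.append((cur["user"], "simultaneous remote logins from multiple locations",
                           f'{prev["location"]}->{cur["location"]}'))
    return alerts


def traffic_zscore(baseline, today):
    """Standard-deviation correlation: distance of today's volume from the baseline."""
    mu, sigma = mean(baseline), pstdev(baseline)
    if sigma == 0:
        return 0.0 if today == mu else float("inf")
    return (today - mu) / sigma


def prioritize(events, baselines, traffic_by_user, z_threshold=3.0):
    """Risk-based correlation: sum weighted findings per user, highest risk first."""
    findings = rule_based(events, baselines) + simultaneous_remote_logins(events)
    for user, (baseline, today) in traffic_by_user.items():
        if traffic_zscore(baseline, today) > z_threshold:
            findings.append((user, "anomalous traffic to business application", str(today)))
    scores = {}
    for user, rule, _ in findings:
        scores[user] = scores.get(user, 0) + WEIGHTS[rule]
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def run_demo():
    """Rank the constructed users by risk; bob's traffic today is 410 requests."""
    return prioritize(parse_events(EVENTS), BASELINE_LOCATIONS,
                      {"bob": (BASELINE_APP_TRAFFIC, 410)})


if __name__ == "__main__":
    for user, score in run_demo():
        print(f"{user}: {score}")
```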

For a better understanding of how McAfee Enterprise Security Manager can be leveraged to perform UEBA functions, we’ve described multiple use cases in our recent white paper, User and Entity Behavior Analytics for McAfee Enterprise Security Manager. Download it today!

The post Leveraging UEBA Capabilities in Your Existing SIEM appeared first on McAfee Blogs.

Continuous IT audits are needed to combat today’s cyber threats
https://securingtomorrow.mcafee.com/business/optimize-operations/continuous-it-audits-are-needed-to-combat-todays-cyber-threats/
Fri, 31 Mar 2017 17:35:42 +0000

We find that many IT departments within our clients’ organizations have very talented IT staff, but all too often they don’t have an information security and compliance staff member on board; the role simply is not in place. So the question is, how can they meet compliance and maintain the security of their vital business assets? We believe it’s difficult with a yearly IT audit. Let’s face it, IT audits done this way go back many decades, to when cyber threats were nonexistent.

Our CEO recently decided it was time to offer a continuous total audit solution. As you know, IT audits are often done on a yearly basis, and that leaves IT departments scrambling to fix everything once a year. Imagine an IT audit that starts with an initial risk assessment that determines the yearly continuous audit plan. Enter continuous auditing. For a little more than the cost of a yearly audit that only looks at your People, Process and Technology once a year, now audit teams can be engaging with your IT team monthly.

It starts with a risk assessment that sets the audit scope for the year; next, auditors custom-tailor an IT audit plan based on your business risk. For example, a HIPAA-covered organization signs up for a yearly service, and it’s determined that firewall issues are its number one risk. Auditors begin the first month’s audit focusing on this critical priority; the next month they will target the next-highest risk area. It might be Active Directory permissions issues.

Auditors follow through each month, focusing all their effort on the next technical element. Some elements include: mobile devices, workstations, servers, intrusion prevention, email protection, web filtering, anti-virus, OS, network and applications patching, network infrastructure, policies, vulnerability scanning, and any critical business application that contains electronically protected health information (ePHI).

If an organization has multiple critical issues that can be addressed immediately and lower priorities that can be addressed throughout the year, we believe both industry executive leadership and IT staff will fully embrace this new shift in IT audit, as it’s continuously looking at all the major elements in depth vs a quick once-a-year audit.

Why continuous IT auditing is necessary

1. The majority of phishing cases feature phishing as a means to install persistent malware. As detailed in Verizon’s 2016 Data Breach Investigations Report, “What we have here is a failure to communicate.” Apparently, the communication between the criminal and the victim is more effective than the communication between employees and security staff. Thirty percent of phishing messages were opened by the target across all campaigns. About 12 percent went on to click the malicious attachment or link and thus enabled the attack to succeed. A static once-a-year IT audit is not proactive and will not see this trend until it’s too late.

2. Mitigation is often just as useful as remediation – and sometimes your only option, according to Verizon’s latest report. This gets at a core and often-ignored vulnerability management constraint: sometimes you just can’t fix a vulnerability, be it because of a business process, a lack of a patch or incompatibilities. At that point, for whatever reason, you may have to live with those residual vulnerabilities. It’s important to realize that mitigation is often just as useful as remediation – and sometimes it’s your only option. A static once-a-year IT audit is not proactive and can’t address the latest vulnerabilities and how to mitigate them if a patch can’t be applied.

3. Sixty-three percent of confirmed data breaches involved weak, default or stolen passwords, Verizon states. The use of stolen, weak or default credentials in breaches is not new, is not bleeding edge and is not glamorous, but boy howdy it works. Static authentication mechanisms have been attacked for as long as we can remember. Password guessing from an InfoSec perspective has been around at least as long as the Morris worm, and has evolved to prominent malware families like Dyre and Zeus that are designed to (among other bad things) capture keystrokes from an infected device. All those efforts to get users to use special characters, upper/lower case, numbers and minimum lengths are nullified by this ubiquitous malware functionality. A static once-a-year IT audit is not proactive and thus will only ask for an additional character added to password length when what’s needed is a plan to implement two-factor authentication.

4. The great complexity of their infrastructure makes web application servers a target for attackers. Verizon brings up a good point: web sites are not static pages anymore; they are highly interactive and more complex. Users are not merely reading a homepage and clicking on a couple of links to basic information about store hours, but are increasingly more interactive and issue various types of inputs to be read and acted upon by the web infrastructure. The greater complexity, including the web application code and underlying business logic, and their potential as a vector to sensitive data in storage, or in process, makes web application servers an obvious target for attackers. A static once-a-year IT audit is not proactive and will not focus on website vulnerabilities and how they translate to business risk.

5. You can’t effectively protect your data if you don’t know where it resides. It does you little good to know where it is but then pay no attention to who has access to it. Make sure that you are aware of exactly where your data is and be careful who you give privileges to and to what degree. It makes sense to give the valet attendant your keys to park your car, but not to hand over your credit cards as well. A static once-a-year IT audit is not proactive and will not be there continuously and thus will miss the many opportunities to identify and protect data.

Summary

Static once-a-year IT audits started at a time when computers were not on a public internet. A once-a-year or bi-yearly IT audit snapshot was adequate. Now the entire globe is connected via the internet, and each one of your corporate computers is just waiting to be attacked 24×7. This is why we need continuous IT audits. Your systems are being targeted every minute of every day, so why only spot check your critical IT systems yearly?

The headlines: 70 percent of mobile devices of top networks vulnerable, GiftGhostBot botnet stealing retailer gift card balances, W-2 phishing scam, hack of ABC’s Twitter account. I could go on, but with 390,000 new malicious programs released daily per AV-TEST, you can see that it’s a very dynamic threat landscape, one that has outgrown yesterday’s static yearly IT audits.

It’s time to raise the bar once again, just as my colleague Mark Wolfgang has done with continuous pen testing. We can no longer afford to be reactive; we must be proactive, and that means a cyber strategy that includes 100 percent compliance and Advanced Persistent Security, as outlined in my colleague Ira Winkler’s latest publication.

This article was written by George Grachis from CSO Magazine and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

The post Continuous IT audits are needed to combat today’s cyber threats appeared first on McAfee Blogs.

Well-funded doesn’t mean well-secured
https://securingtomorrow.mcafee.com/business/optimize-operations/well-funded-doesnt-mean-well-secured/
Thu, 16 Mar 2017 20:46:33 +0000

Three of my four children are of school-going age. When they arrive home in the afternoon, the youngest usually makes a dash for the games console, the middle one is tired to the point of being miserable, and the eldest announces herself loudly, wanting to share every detail from her day with anyone who will lend an ear. The only thing they all seem to have in common is that they are hungry and want dinner.

While I’m the type of parent who makes the children fish-finger sandwiches and declares them fed, my wife prefers to serve a lavish five-course meal. In the past, she would often customize meals to meet each child’s individual taste and preference. After a while, I had to put a stop to it.

“This isn’t a restaurant!” I declared one afternoon. “We can’t make three or four different meals every night. When I was young, I didn’t have a choice. I had to eat what I was given, or else sleep hungry!”

While cooking only one meal doesn’t make all the children happy all the time, no one goes hungry, and it tremendously simplifies both food shopping and dinner time.

IT security purchasing mistake

How does all of that relate to cybersecurity, you might ask? Well, unfortunately, we see many enterprises consistently fall into a similar trap as parents when it comes to their IT security purchasing strategies.

Each business unit, division and purchasing code is like a different child with unique preferences. One area demands host IDS, another wants net flow analysis, while yet another needs threat intelligence. It’s a jumble of requests, and in an attempt to appease everyone, companies can quickly find themselves layering tools upon tools in their environment with little or no integration. This creates not only an expensive situation but also one in which discrete technologies operating in silos end up offering little security overall.

It’s not the case that many breaches are caused by companies lacking the funds to purchase, install and run products. Rather, it’s that they lack a well-defined and integrated security strategy. In other words, a well-funded organization does not necessarily equal a well-secured organization.

Security technologies operating in silos are destined to fail. Every product and tool generates its own sea of noise that over-burdened analysts need to sift through – making it easy for them to miss alerts. This approach also hinders the overall security management process because a disjointed environment makes it difficult to extract or apply any meaningful threat intelligence and makes it nearly impossible to gain full visibility or undertake any form of orchestration.

3 tips for an integrated security technology strategy

Below are three tips that can help companies develop and implement an integrated security technology strategy despite ever-present challenges, such as disparate business units with varying priorities.

1. Define security objectives

With so many security technologies to choose from, it’s easy to be swayed into making a purchase by a compelling feature and then find a problem for it to solve. But having a security strategy that covers fundamental needs will help define what objectives your company is trying to achieve.

Taking input from risk appetite and threat models, and then combining all of this information, can put purchases into perspective. If the technology you are considering doesn’t align with your security strategy, then it is not worth buying – no matter how dazzling its features sound.

2. Make use of security technology you have

By looking around and getting creative, you may be surprised at how much existing technology can be leveraged to meet previously defined objectives. Ripping out and throwing away an established technology can be a painful process. Instead, look for ways that existing technology can be integrated into a larger workflow. This can often be easier and cheaper than buying a new product.

3. Pre-integration is better than post

The latest and greatest point technology may be the best thing since sliced bread, but it comes with the hidden cost of having to integrate its data into your existing infrastructure. Buying from vendors that have integrated multiple capabilities into one balanced offering can result in faster deployment, easier operation and greater return on investment.

Having a plan and sticking to it by trying to gain more value from existing products, or choosing integrated products with a broad range of features, may not sound like a recipe that will keep every division and business unit completely happy all the time. However, just like a well-balanced meal provides all necessary nutrients, a strategic approach will help companies achieve comprehensive security that is sufficient for their needs and, more importantly, will keep them protected.


This article was written by Javvad Malik from NetworkWorld and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

The post Well-funded doesn’t mean well-secured appeared first on McAfee Blogs.

Please Vote: Fourth Annual SANS IR Survey Wants You! https://securingtomorrow.mcafee.com/business/optimize-operations/please-vote-fourth-annual-sans-ir-survey-wants/ Mon, 13 Mar 2017 15:00:59 +0000
Share your perspective and help benchmark the industry. [And SANS will enter you to win a $400 Amazon gift card!] This is the 4th year that Intel Security/McAfee has co-sponsored the SANS Incident Response survey. We would appreciate your help capturing this year’s insights by completing this survey: https://www.surveymonkey.com/r/2017SANSIRSurvey

Past survey findings have helped us understand key trends such as the hurdles holding back success, the evolution of SOC maturity, the data being targeted, use of automation, and priority investments for improving results. This market is changing quickly, and surveys are an excellent way to benchmark your experience against your peers and identify opportunities. Whether you want to commiserate or collaborate, data makes the conversation more compelling.

Below are two of my favorite charts from last year’s survey, with my prognostications for this year’s survey. I’ll review my predictions after the 2017 survey is published and grade myself!

What’s causing the breaches?

  • Malware will continue to dominate given malware’s contribution to so many phases of so many forms of attack, and the ubiquity of toolkits and tool sharing as well as ransomware.
  • Access-oriented attacks (unauthorized, insider breach, privilege escalation, and data breach) should remain a top concern, and cloud services and shadow IT should continue to make these attacks both likely and challenging. Silver bullets like UBA won’t change this dynamic much.
  • Network-based attacks will continue to decline as the formal perimeter focuses on the data center rather than the entire enterprise estate.
  • I’m curious if insider breach will show an uptick rather than continued decline, as it has been trending higher in industry conversations recently.

How well are we automating our remediation?

  • Last year’s data showed a (to me) disappointing degree of manual remediation still, despite the availability of simple automation for basic remediation processes through assorted tools. But this year I think (and other surveys validate) that the industry has turned the corner and is actively pursuing “safe” automation. I certainly expect to see greater adoption of automation as we attempt to survive the expanding range and volume of incidents.
  • Automated quarantine (the top response) or taking offline are totally in scope for automation today. I’d like to see a big jump in the use of automation there. Identifying similar systems, removing malicious artifacts without rebuilding the machine, and updating policies and rules are also easily done now. Here’s hoping we see all of these make a big shift to automation.

These two data sets are from 2016. As reference, here are all of the previous surveys:

Thanks for your help capturing the evidence of change in incident response.

IT Experience Can Be Beneficial for a Cybersecurity Career https://securingtomorrow.mcafee.com/business/optimize-operations/it-experience-can-be-beneficial-for-a-cybersecurity-career/ Tue, 07 Mar 2017 23:27:49 +0000
Given my interest in cybersecurity skills and training, I’m contacted by academic institutions, professional organizations, and training companies with news about some type of cybersecurity education curriculum.  This isn’t surprising given the global shortage of cybersecurity skills.  New ESG research discloses that 45% of organizations report a “problematic shortage” of cybersecurity skills in 2017 (note: I am an ESG employee).

Clearly we need more smart and well-prepared people to enter the cybersecurity ranks but it’s important to note that most cybersecurity professionals don’t enter the workforce directly from college or training programs.  According to research conducted in 2016 by ESG and the Information Systems Security Association (ISSA), 78% of cybersecurity professionals follow a more indirect route.  These folks start their careers as IT professionals and make their way into cybersecurity as their careers progress.  (Note:  The two ESG/ISSA research reports are available for free download here).

This circuitous route to cybersecurity comes with some added benefits, as IT professionals arrive with plenty of organizational and technical experience. This raises the question: which experiences are most helpful as IT professionals transition to cybersecurity? The ESG/ISSA research reveals that:

  • 46% of those who transitioned from IT to cybersecurity say that their IT career helped them gain experience with different types of technologies.  This is certainly worthwhile as cybersecurity pros need to understand everything from identity management, to networking concepts, to application development.  Hands-on IT experience can only help provide a well-rounded education in multiple areas.
  • 44% of those who transitioned from IT to cybersecurity say that their IT career helped them gain IT operations knowledge and skills.  Security teams work closely with IT operations in areas like configuration management, change management, and risk mitigation.  It is extremely useful when you understand the challenges and responsibilities of your collaboration partners.
  • 28% of those who transitioned from IT to cybersecurity say that their IT career helped them understand collaboration between IT and business units on business initiatives, processes, and strategic planning.  This is an important point – IT personnel have had to develop a close relationship with business management over the past 25 years or so.  Alternatively, security personnel were viewed as backroom geeks until the past few years.  IT’s business experience and acumen could be a crucial addition to most cybersecurity teams.
  • 18% of those who transitioned from IT to cybersecurity say that their IT career helped them with software programming knowledge and skills.  Another important qualification as there is a lot of insecure software out there.  Understanding programming can help security teams anticipate and address common software vulnerabilities and configuration errors.

With the uptake in cloud computing, a lot of old-school IT infrastructure personnel will likely find themselves on the chopping block over the next few years.  These folks would certainly be well served by leveraging their valuable IT experience in a cybersecurity career.  My advice to this group is to pursue training, watch market developments, and actively manage your careers.  This could turn a dead-end IT job into a lucrative cybersecurity career over the next 12 to 18 months.


This article was written by Jon Oltsik from NetworkWorld and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

Super Hero like Speed on DXL https://securingtomorrow.mcafee.com/business/optimize-operations/super-hero-like-speed-dxl/ Fri, 03 Mar 2017 16:00:21 +0000

Speed and Agility

Superheroes are part of the lore of American culture — the thought of a human being acquiring superhuman powers such as flight, invisibility, or breathing underwater has always intrigued many. Speed and agility is one set of powers that has caught a lot of attention — the ability to transcend time and achieve a goal such as getting somebody out of the way of a speeding bullet. One particular superhero is The Flash. His ability to move rapidly has amazing advantages that ultimately can protect against disaster. It’s time to adapt our cyber security abilities to be more like The Flash.

Enter the days of Threat Intelligence Exchange (TIE) and Data Exchange Layer (DXL), which do exactly that for the threat landscape: provide a new approach to producing a different outcome.

So many of us are living in the past regarding how we have implemented security technologies. It’s imperative that we start to focus our time on the unknown to shrink the gap between malicious and safe. Moreover, the way to change security outcomes is by changing the fundamental ways technologies interact, no matter their manufacturing origin. Let’s face it, we’re tired and we need automation.

Many of us are still leveraging anti-virus signatures, which are important, and some of us leverage cloud detection plus signatures, but it’s still a basic approach.  Signatures reflect a point in time and only address what is known.   It’s a challenge to know every piece of malware and keep up signatures for each one. About 10 years ago, McAfee Labs would get about 20 or so new and unique pieces of malware a day – truly never been seen before.  Fast forward 10 years and we see about 500,000 new pieces of malware a day.  It’s time to automate and collaborate.

We are accustomed to the process of submitting malicious code to McAfee Labs, which can be time-consuming. While waiting for a response the business isn’t protected.  The malware is able to replicate itself and perhaps move laterally.

Here’s the general process that many of us use day to day –

  1. Hunt to find the infected endpoint.
  2. Capture the malicious code.
  3. Submit the malicious code to McAfee Labs.
  4. Now we wait for a response. This could take a long time – 48 hours in some cases, depending on the complexity of the code.
  5. McAfee Labs distributes an Extra.DAT to the customer.
  6. The Extra.DAT is deployed to the environment over time.
  7. Next, a full scan of the endpoints is done across the environment (hoping that the malicious code was eradicated and wasn’t polymorphic).
  8. If polymorphic, go back to #1 and start over.
  9. Reimage the endpoint and move on.

There is hope, however!  Advancements in architecture are enabling businesses to derive context out of every new file as it emerges in the environment.  For example, a new file is downloaded that invokes the endpoint and network controls to work together to understand the file.  What is it?  Why is it packed a certain way?  What is its source?  These simple questions, if not answered in a way that says “Safe,” will trigger an automated workflow.  They start to correlate and analyze the file.  The process checks public and private threat intelligence, leverages a sandbox, and collaborates with other security controls.

The sum of the security controls working together obtains a “composite reputation,” meaning many security controls will work together to establish the true reputation of the file.  Even if there is no signature, the file can still be eradicated from the architecture.  No more long drawn-out process.  How does that sound?

Enter the age of the Threat Intelligence Exchange (TIE).  In the TIE scenario, the architecture can quickly use many sources of information to answer the question of good or bad, safe or malicious.  If there are no local detection capabilities such as a signature in a DAT, a workflow is invoked that works to solve the problem.  The composite score is an aggregation of the engines working together to score the unknown file as good or bad.  By obtaining the score in this manner TIE is writing a signature on the fly with little chance of error.  This eradicates the file and socializes it to all countermeasures in the architecture that are listening for updates on DXL – a simple connection fabric that provides a secure, real-time way to unite data and actions across multiple applications from different vendors as well as your own.

Now the kicker – the whole process may seem like it takes a long time. In fact, this process happens in seconds. This is the speed and agility that is needed. This solves the issue of the large increase in malicious code that we see every day. The days of automation are here, thanks to TIE and DXL. Together, they too warrant the name “The Flash.”

Here are some questions to consider –

  • Are you still approaching anti-malware the same way?
  • Are you using any 3rd parties to help with detection?
  • Is your organization accustomed to just re-imaging an endpoint and moving on? What is that cost to you?
  • Do you need automation to provide time back to your security team?

SIEM is your Analyst’s Best Technology Partner https://securingtomorrow.mcafee.com/business/optimize-operations/siem-analysts-best-technology-partner/ Fri, 03 Mar 2017 01:00:21 +0000
For the average security analyst, it’s no secret that their days are overloaded with more “hair on fire” moments than “Zen” moments.

The 2016 SANS Incident Response Survey paints a clear and sobering picture of the demands being placed on security analysts. The survey lists, in order, the following impediments to effective incident response:

  • Lack of staffing and proper skills
  • Not enough visibility across systems and domains
  • Lack of budget for needed tools or technology
  • Processes and owners not clearly defined
  • Organizational silos
  • Difficulties in detecting sophisticated attacks

All of the above results in:

  • Further weight on your analyst’s shoulders
  • Too much dwell time in mean-time-to-remediate (MTTR)

So we get it. You’ve got too many unknowns, not enough relevant insight, and functions and technologies tripping over each other trying to help sort out what is really going on!  Your analysts need a technology security partner to help detect, investigate and remediate today’s never-ending threat sources.

As the threats and responsibilities have expanded, the role of the security information and event management (SIEM) solution has morphed into one of the greatest assets an analyst has, becoming the Swiss Army Knife of incident response and orchestration. Further, you reach to your SIEM for advanced analytics including user and behavior analysis, real-time monitoring, and data and application monitoring. The problem, as Barbara Kay outlines in her blog, “Eating an Elephant: How the ESM 10 UX team reenergized SecOps,” is the amount of information that the average analyst has to retain as she or he swivels from incident response, to advanced threat management, to user monitoring.

So as your SOC makes the move to more proactive threat management and predictive, contextual analysis and orchestration, we’re evolving McAfee Enterprise Security Manager (ESM) to reduce the cognitive strain, and guide and automate more of the routine tasks, such as watchlist management, incident tracking and advanced correlation rule set-up, so that you can focus on the critical decision-making responsibilities. McAfee ESM 10.0 is an important step in that evolution.

As more changes are rolled out, we want to make it easier for you to find the information you need and to stay informed. So we are providing some new communications tools for you beginning this month.

The new McAfee Enterprise Security Manager (SIEM) Information Center is a one-stop site for answers to both common and unusual SIEM challenges.

We have heard from customer surveys and from calls to McAfee Support Services that you need more guidance on where to go for more information. So we have responded with a new SIEM Information Center page – your one-stop shop for all things SIEM. On this page, you’ll find the latest and greatest advice from our SIEM subject matter experts, as well as access to shared wisdom from our SIEM user community. To make such invaluable content easier to find, we are categorizing all of our SIEM content according to the commonly recognized SIEM capability categories and use cases that our customers reference. Bookmark this page and check it frequently for updates.

As a member of our McAfee ESM user community, you will be interested in the Intel Security SIEM Focus newsletter that debuts this month. For those of you who subscribe to the Intel Security Support Notification Service, you know how valuable and timely the ProTips, Weekly Roundup, and monthly SNS Digest emails can be. Because of the fast-moving and complex environment in which security analysts and other SIEM users operate, we want to provide you with a dedicated newsletter featuring practical use cases, demonstrations, and other in-depth, roll-up-your-sleeves examples of how to get the most from the McAfee ESM solution. Subscribe now so you don’t miss a single issue.

Finally, don’t miss out on the action on our SIEM Community site. We encourage you to sign up and participate with our 219 active users. We are all learning from each other. Join today, stay connected and discover for yourself how Together is Power.

McAfee – Cybercrime is a firefight! Time for Automation. https://securingtomorrow.mcafee.com/business/optimize-operations/mcafee-cybercrime-firefight-time-automation/ Wed, 01 Mar 2017 16:00:14 +0000
Fighting a grass fire in high winds

Those who have experienced them know how scary their world becomes when a grass fire or forest fire gets out of control. As these fires become more intense, they create their own weather, generating their own winds, making them more difficult to fight and often moving far faster than firefighters can.  The outcome is often a huge loss of property and frequently, a significant loss of lives, both animal, and human. As temperatures continue to rise, as we experience longer and longer periods of drought, these fires are becoming more and more frequent and more severe.

Local, state and federal agencies have come together to address these frequent events and the disasters they cause.  They are looking at strategies to be more prepared, to respond more quickly and to be more effective.  They can’t afford all the resources they need, and even if they could, they’d need an improved infrastructure to deploy and manage these resources. They know they need all the manpower and equipment they can find but just as important, they know that communications, coordination, and cooperation are absolutely essential to their success.

Isn’t this the same problem one faces in fighting cybercrime? Malicious activity is occurring all the time, and it’s difficult to know immediately when the event happens, where it takes place, what it’s doing, and what’s at risk. You also have purchased and deployed many tools to assist in the fight. However, it still takes too much time and too many resources just to identify what’s happening. Once you have, it can still take costly minutes, hours or days to identify and implement a plan to kill the exploit and its ability to steal your valuable data, causing loss of PCI, PII, financial data or IP, or its ability to impact your operations or ability to conduct business.

Over the past 15 years, Intel Security (soon again to be McAfee), has continued to be laser focused on providing our customers with an enterprise-ready infrastructure or framework to protect their connected world.  We began with ePO over 15 years ago.  It was the very first product to be able to deploy, configure and manage security solutions for over 100,000 systems.  We added functionality to put new protections in place over the years: Host IPS, Web Protection, Whitelisting, Change Control, File Integrity Management, Encryption, Device Control, Data Loss Prevention and more.  This framework was, by far, the most effective solution in the market and helped to improve security and drive down the cost of security operations.

However, just like we’ve seen the impact of climate change on strategies required to fight fires, today’s threat landscape also requires new strategies.  To that end, we’ve taken a very hard look at today’s requirements and are now delivering solutions/technologies that are far more comprehensive, along with a new framework that allows for real-time visibility to our infrastructures and the ability to respond in real time.  We’ve introduced new solutions, including Advanced Threat Defense (ATD), Dynamic Access Control (DAC) and Real Protect to improve our ability to detect new threats and protect your users and systems. And with the introduction of the Data Exchange Layer (DXL) and the Threat Intelligence Exchange (TIE), we not only have the ability to know what’s happening in real time, but we have the intelligence to analyze the data and automate the real-time prevention of attacks.  Today, Intel Security solutions will detect issues and take action on a very high percentage of advanced threats, leaving your valuable resources time to address the most difficult issues.  With the introduction of McAfee Active Response (MAR), we provide our customers with the ability to perform extensive forensics as well.

These new tools are allowing Intel Security users to significantly improve their effectiveness and efficiency, greatly improving their time to identification and resolution of issues and driving down their cost of operations.

A courtesy shout out to my colleagues in Northern California for this critical thinking – Thank you Bruce, Brook & Mike.

Eating an Elephant: How the ESM 10 UX Team Reenergized SecOps (Part 2) https://securingtomorrow.mcafee.com/business/optimize-operations/eating-elephant-esm-10-ux-team-reenergized-secops-2/ Mon, 27 Feb 2017 16:46:51 +0000
The second of a two-part series.

In the previous post in this series, we described how re-creating the user experience for overburdened SOC analysts was a task like “eating an elephant.” To help analysts who are constrained by time and cognitive overload, we needed a vision, a strategy and a plan to “save time and save mental energy.”

After extensive, in-depth interviews with users, we realized that the majority of user time is spent in analysis and research. This finding drove our plan. We focused first on the analysts and the workflows and workspaces where they spend the majority of their time.

Now you can see the results in ESM 10.0. The user experience team recommends these 3 things to appreciate first:

  • Quick start: you will find that the organization simplifies building and navigating relationships, so you can create views and get started without reading manuals (although we still recommend looking at the ESM expert center!). The most commonly used views appear together by default, and help you make use of associated content packs and their views, dashboards, rules, and alerts (including correct placement of related updates to keep you organized). While the donut visualizations will help you identify trends and pursue relationships, the right-clicks help you navigate to next steps. And, if you are a current user, you can import existing views from within the console to bring forward your preferred processes and organizational knowledge.
  • Centralized, dynamic workspaces: Multiple tabs within the same dashboard pane organize parallel exploration of ideas. The analyst can simultaneously drill down and filter through different lenses of the data without losing context and state or re-applying searches and filters. With several tabs active at once, you can toggle back and forth to pursue different tasks, or within a task, collect and guide analysis or research hypotheses. This means less holding of information in your memory and less repetition, including defining complex searches. Further, a majority of our configuration, advanced settings, and set-up tools now live in panels that slide into the side of the dashboard instead of popping up in a window in front of the dashboard. This allows users to stay in context with their current investigation (stay in the same mental “room”) while they adjust settings in the various tools. In addition, the context menus mean that right-clicking on a specific item—such as a field on a record within a table chart—will provide the user with quick access to actions specific to that field.
  • Directed search: Detecting signal from the noise means filtering and searching through alerts and events, and avoiding the distraction of unneeded data. ESM 10.0 features directed search to help users quickly navigate to desired content without remembering folder structures or even the exact names of things. The new advanced search and filter organization includes auto-complete to help guide users to find or choose from relevant associations quickly, rather than needing to know what choices are appropriate to the data or investigation type. Auto-complete simplifies device selection, view management, queries, and filters, to name a few, as the user quickly navigates to the content they desire, without having to remember exactly where it resides within the folder structure of these tools. For example, we prompt for the best visualization options for each search result type to quickly filter and customize data. As you navigate, the process creates bindings that you can save for later. You can then take quick actions on data points, such as creating watchlists and case management, by accessing right-click contextual menus. Synthesizing all these workflow steps into a single place helps the right thing happen, consistently, with less effort, repetition, and time. Our improved search also means you do not need to be a software developer to extract insights quickly.

Each of the above examples reduces clock time and conserves mental energy. They are small steps in our larger plan to help you conquer that other elephant, the elephant in the room: security operations efficiency. See for yourself by downloading the new version now.

Eating an Elephant: How the ESM 10 UX Team Reenergized SecOps (Part 1) https://securingtomorrow.mcafee.com/business/optimize-operations/eating-elephant-esm-10-ux-team-reenergized-secops/ https://securingtomorrow.mcafee.com/business/optimize-operations/eating-elephant-esm-10-ux-team-reenergized-secops/#respond Wed, 22 Feb 2017 20:35:02 +0000 https://securingtomorrow.mcafee.com/?p=69745 The first of a two-part series For some reason, elephants figure frequently in our conversations – “seeing different parts of the elephant”, “memory like an elephant,” and now, “eating an elephant.” This phrase, definitely meant as an analogy, expresses the lengthy, enormous, and daunting task that our development team faced in reimagining the user experience …

The first of a two-part series

For some reason, elephants figure frequently in our conversations – “seeing different parts of the elephant”, “memory like an elephant,” and now, “eating an elephant.” This phrase, definitely meant as an analogy, expresses the lengthy, enormous, and daunting task that our development team faced in reimagining the user experience in our McAfee Enterprise Security Manager (ESM) SIEM solution. To succeed, they needed a vision, strategy, and plan.

The new ESM 10.0 user interface has been designed to reduce cognitive strain – providing content in context as the user goes about tasks

First, a vision. In the last few years, driven by increasingly complex incidents, the security operations mantra has shifted to real-time analysis coupled with individual and team efficiency. Countless research studies document the shortage of skilled security analysts and researchers. Time clearly needed to be a part of the vision.

But for the user experience team, productivity isn’t just about elapsed time. It also includes the cognitive workload that can subtly wear down and exhaust the analyst. You probably experience cognitive overload today. You walk from the kitchen into the bedroom and stand there wondering why you came in. This is true when we move between physical rooms, and it’s true when we move between virtual rooms, such as in a video game or user interface. In this context switch, it turns out we are 2-3 times more likely to forget! And it gets worse. This memory lapse is aggravated if you are sleep deprived or over-stressed, like new parents, air traffic controllers, and security analysts.

Once we hit our cognitive threshold, we have only emotion to fall back on. So the typical analyst has faulty memory plus frustration. This combination makes for poor security decisions. It is why we design for “high context” UIs. We are striving for one room with all the relevant data so the analyst can focus on making good decisions.

From a design perspective, here are some specific cognitive workload tests:

  • The “data fragmentation” load: How much data does the user have to keep in his memory as he changes screens, modes, and tasks, or retain over a series of tasks?
  • The “navigation” burden: How many times does the user traverse up and down task flows and screens in pursuit of a task?
  • The “mind-numbing” factor: How many times does that task need to be repeated per hour/day/week?
  • The “clutter” factor: How much data is displayed all at once? How hard is it to identify and navigate relationships?

Instead of simply looking at faster functioning of the same processes, we wanted to reduce the cognitive burden of the user – to keep them as effective as possible for as many hours of their day as possible. This “save time, save mental energy” approach formed the core of our vision. Our logic was this: Anything we could do to improve their productivity and enhance concentration would pay off in speed of results, capacity of analysts, and quality of life for them and their management team.

This illustrates the complexity of SIEM, showing first and second level nodes in the ESM 9.X user interface.

Next, a strategy. As the epicenter of security operations, a SIEM is a complex animal, and the UI and user design can mask or multiply this complexity. The graphic gives you an idea of the scope of this effort, the first and second level nodes in the ESM 9.X user interface. Every node has multiple screens under it.

Lots to do, clearly, but where could we best affect time spent? After dozens of site visits and in-depth, interactive usage interviews, we discovered more than half of the users were security operations, and another 29% were Infrastructure Operations. Given these day-to-day jobs, the majority of user time is spent in analysis and research.

In the second part of this series, we’ll continue the user experience journey with the ESM 10.0 UX design team as they build out the plan for the new ESM 10.0 solution.

Change, embrace it – Why you need to change the way you look at security https://securingtomorrow.mcafee.com/trusted-advisor/change-embrace-need-change-way-look-security/ https://securingtomorrow.mcafee.com/trusted-advisor/change-embrace-need-change-way-look-security/#respond Tue, 21 Feb 2017 14:00:13 +0000 https://securingtomorrow.mcafee.com/?p=69052 Change.  “There is a time appointed for everything and a time for every purpose—” Imagine trying to change a cowboy wagon to upgrade its performance to make it comparable to a Ferrari?  Crazy right?  We’d never try right?  Because the wagon has a fundamentally different architecture and was built for a different purpose.   So merely upgrading the …

Change.  “There is a time appointed for everything and a time for every purpose—”

Imagine trying to upgrade a covered wagon until it performs like a Ferrari. Crazy, right? We would never try, because the wagon has a fundamentally different architecture and was built for a different purpose; merely upgrading the engine, for example, obviously would not work. Yet this is exactly what we often set out to do in cyber security.

Change at RSA Conference 2017

The major security vendors are back and they are drawing a line in the sand.  A line between legacy security strategies and new.  It is becoming clear that some major vendors are undertaking a strategy of, “don’t buy your security tools from 50 different vendors.”

This concept is not new, and it rests on fairly solid market research showing that most large entities do not run a homogeneous security tool set. However, entities suffer from this diverse tool-set "problem" because the cyber security industry created it. For every new threat we spin up a new product (nowadays often a whole startup); that product solves today's problem, tomorrow's problem gets yet another product, rinse and repeat.

Perhaps thought leadership means helping our clients extract maximum value from all of their (often widely diverse) security tools, not just the ones from brand X. If so, the age-old idea of competing on everything from detection methodology to the threat information itself is a dying paradigm.

Change in crime

Change in criminal revenues

If one thing is obvious, it is that in cyber security change is constant. It is noteworthy that as long ago as 2011, Interpol stated for the first time that the costs of cyber crime had overtaken the combined costs of illicit sales of marijuana, cocaine and heroin.

Did the existing criminal organizations, which had spent decades building infrastructure to support narcotics sales, human trafficking and other forms of crime, stagnate? No, they changed. Interpol now states that those same organizations run thriving organized cyber crime businesses.

Change our approach

First and foremost, a partner needs the intellectual honesty to admit what it can and cannot do for your security. This is why I argue so passionately for helping our clients build effective security infrastructures. Rather than a bunch of diverse tools, I point clients to the value of a connected and orchestrated set of diverse tools. The choice then becomes less "best of breed vs. integrated" and more "your tools, integrated." This change in approach lets us measurably increase security effectiveness and improve efficiency, shortening both time to protect and time to remediate. Most of all, security stops being an impediment to the business' primary objectives and becomes a facilitator.

Next steps

First, re-assess your security approach today: determine a baseline (current state), then implement methods to measure the results of every action you take against that baseline.

Challenge any vendor to show how their product(s) will add a measurable improvement to your security baseline.

Furthermore, demand that your vendors position solutions, not products. Does the tool you're considering stand on its own, or will it become an integral part of your security?

Finally, ensure that every newly detected threat, regardless of which tool detected it, benefits you at multiple infrastructure layers. Why? Because:

“Strategic planning is the key to warfare; to win, you need shared intelligence from multiple sources.”

How To Build A Cybersecurity Strategy For 2017 https://securingtomorrow.mcafee.com/business/optimize-operations/how-to-build-a-cybersecurity-strategy-for-2017/ Thu, 16 Feb 2017 18:57:43 +0000 https://securingtomorrow.mcafee.com/?p=69522 Technology changes faster than most business can keep up with. The proliferation of mobile technology, the Internet of Things (IoT) and cloud computing has changed the types of “assets” connected to networks. Implementing cybersecurity “best practices” across an increasingly unstructured and decentralized network is one of the most vexing challenges facing companies today. Traditional cybersecurity …

Technology changes faster than most businesses can keep up with. The proliferation of mobile technology, the Internet of Things (IoT) and cloud computing has changed the types of "assets" connected to networks. Implementing cybersecurity "best practices" across an increasingly unstructured and decentralized network is one of the most vexing challenges facing companies today.

Traditional cybersecurity approaches revolved around the medieval concept of “protecting the crown jewels” – a concentric circle view of layered security focused on protecting the important data at the center through successive layers of defenses such as application, host-based, network (internal and external perimeter) and physical controls. This defensive strategy works in a centralized, controlled and managed-device network, which is becoming increasingly extinct.

Companies have the most control over devices that they purchase, configure and issue to users. But as consumer-driven technology brings new devices and systems, organizations are losing control over the devices their users and networks interact with. More often than not, companies fail at deploying traditional security controls to the "nodes" connecting to their network.

For example, on most IoT devices it is not possible to change or install software, so host-based controls cannot be deployed to them at all. In an enterprise context, IoT includes medical devices in hospitals or monitoring devices deployed in manufacturing or agriculture. This technology is particularly attractive for these traditionally unconnected industries because it offers interconnected systems and monitoring that were once impractical for safety or geographical reasons.

The question then becomes how to apply “best practices” to this new ecosystem? Organizations need to rethink how they view capabilities in terms of security controls. Companies need to reevaluate and establish the context of the users and actions taken on their systems. And, most importantly, businesses need to challenge themselves through constant improvement that provides the necessary feedback loop to make real changes.

Companies can address current network challenges with a future-proof cybersecurity strategy for 2017 and beyond by integrating the following concepts into their near-term plans.

Build your foundation. Approach your security capabilities from a device-level, bottom-up perspective instead of the centrally-controlled, top-down view. The security capabilities themselves have not dramatically changed: traditional controls such as firewalls, intrusion prevention systems (IPS) and two-factor authentication (2FA) remain relevant. What needs to change is how those controls are applied, depending on the context of the device or node.

Context is king. Context helps a company understand what a device is, whether it can be trusted, and how the network should interact with it. The more control you have over a device, the better you can interrogate it and establish context. When you have more control over your nodes, you can establish explicit paths of access and treat those devices as more trusted. When you have less control, you can only observe behavior.

For IoT devices, which offer the least control, consider the larger "ring-fence" approach. Drawing a perimeter around devices that require access to similar resources lets you categorize and constrain what they can reach, even though the devices themselves cannot be controlled. Context is not about getting all the available data, but about getting the right data.
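Added example, not part of the Forbes article: one way to turn the device-context and ring-fence ideas above into code. The device inventory, the resource catalog (one network and port per resource), the three trust tiers and the "src dst port" flow-log format are all constructed for illustration; a real deployment would push the generated fence rules into a firewall or NAC policy and feed it real flow records rather than checking them in Python.

```python
"""Context-driven trust and IoT ring-fencing: an added example, not from the article.
Device inventory, resource catalog and flow log below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Device:
    name: str
    ip: str
    managed: bool          # purchased, configured and issued by the company
    agent: bool            # we can install software on it and interrogate it
    needs: FrozenSet[str]  # resources the device legitimately requires


# Hypothetical resource catalog: resource name -> (network, port)
RESOURCES: Dict[str, Tuple[str, int]] = {
    "telemetry": ("10.20.0.0/24", 443),
    "ntp": ("10.0.0.5/32", 123),
    "ehr-api": ("10.30.1.0/24", 8443),
    "corp-files": ("10.40.0.0/16", 445),
}


def trust_tier(d: Device) -> str:
    """How much control we have decides how much context we can establish."""
    if d.managed and d.agent:
        return "managed"       # can interrogate it: grant explicit access paths
    if d.managed or d.agent:
        return "partial"
    return "observe-only"      # IoT: no software changes possible, only watch behaviour


def build_ring_fences(devices: List[Device]) -> Dict[FrozenSet[str], List[Device]]:
    """Draw one fence around every group of observe-only devices that need the
    same resources; the fence, not the device, is what we get to control."""
    fences: Dict[FrozenSet[str], List[Device]] = {}
    for d in devices:
        if trust_tier(d) == "observe-only":
            fences.setdefault(d.needs, []).append(d)
    return fences


@dataclass(frozen=True)
class Rule:
    src: str
    dst_net: str
    port: int


def fence_rules(fences: Dict[FrozenSet[str], List[Device]]) -> List[Rule]:
    """Explicit allow-list per fence member; anything not listed is denied by default."""
    rules: List[Rule] = []
    for needs, members in fences.items():
        for d in members:
            for name in sorted(needs):
                net, port = RESOURCES[name]
                rules.append(Rule(d.ip, net, port))
    return rules


def flow_allowed(rules: List[Rule], src: str, dst: str, port: int) -> bool:
    d = ip_address(dst)
    return any(r.src == src and d in ip_network(r.dst_net) and r.port == port
               for r in rules)


def find_violations(devices: List[Device], flow_log: str) -> List[str]:
    """Run 'src dst port' flow records (constructed format) against the fences.
    Only fenced devices are judged here: managed devices carry their own controls."""
    fences = build_ring_fences(devices)
    rules = fence_rules(fences)
    fenced = {d.ip for members in fences.values() for d in members}
    bad: List[str] = []
    for line in flow_log.strip().splitlines():
        src, dst, port = line.split()
        if src in fenced and not flow_allowed(rules, src, dst, int(port)):
            bad.append(line)
    return bad


DEVICES = [
    Device("analyst-laptop", "10.1.0.10", True, True, frozenset({"corp-files", "ehr-api"})),
    Device("infusion-pump-1", "10.50.0.11", False, False, frozenset({"telemetry", "ntp"})),
    Device("infusion-pump-2", "10.50.0.12", False, False, frozenset({"telemetry", "ntp"})),
    Device("soil-sensor-7", "10.60.0.7", False, False, frozenset({"telemetry"})),
]

# Constructed flow records: a pump reaching the corporate file share and a
# sensor talking to NTP are both outside their fences.
FLOW_LOG = """
10.50.0.11 10.20.0.8 443
10.50.0.11 10.0.0.5 123
10.50.0.12 10.40.3.9 445
10.60.0.7 10.20.0.9 443
10.60.0.7 10.0.0.5 123
10.1.0.10 10.40.3.9 445
"""

if __name__ == "__main__":
    for v in find_violations(DEVICES, FLOW_LOG):
        print("outside its ring-fence:", v)
```

The two pumps share one fence because they need the same resources; the sensor gets its own. A device that is observe-only never gets a per-device exception, only fence membership, which is what keeps the policy manageable as unmanaged nodes multiply.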

Play offense and defense. Consistently challenge your organization through proactive testing, often referred to as “red team, blue team exercises.” Develop a continual feedback process between these teams to test your assumptions and prioritize or close each discovered attack avenue. Through exercises such as penetration tests and threat modeling, a red team will pinpoint residual and unaddressed attack vectors as well as assist in remediation efforts. Your defensive side blue team can help improve on what was previously missed, increase available information over time, and develop metrics to demonstrate improvement.

In this rapidly changing technology landscape, the mindful decentralization of your organization’s security controls becomes an asset. It’s security by (known) obscurity, where the obscurity is only seen as such by external entities and attackers. What could resemble an unraveling of controls transforms into a stronger web of both traditional and new technical capabilities. This allows for a more customized approach to security in the face of new technologies and more vectors over which you have less control.

 

This article was written by Christie Terrill from Forbes and was legally licensed through the NewsCred publisher network.

Mission Made Possible: The Open Integration Time Machine https://securingtomorrow.mcafee.com/business/optimize-operations/mission-made-possible-open-integration-time-machine/ https://securingtomorrow.mcafee.com/business/optimize-operations/mission-made-possible-open-integration-time-machine/#respond Mon, 06 Feb 2017 17:16:44 +0000 https://securingtomorrow.mcafee.com/?p=68833 A fast-forward button for integration to a unified security architecture. One of the reasons why the Mission Impossible premise has resonated across the generations is that all of us, at one time or another, are handed projects that seem to come with that label. Unfortunately, if you’re like me, you feel more like Wile. E. …

A fast-forward button for integration to a unified security architecture.

One of the reasons the Mission Impossible premise has resonated across generations is that all of us, at one time or another, are handed projects that seem to come with that label. Unfortunately, if you're like me, you feel more like Wile E. Coyote holding the bomb as it explodes than the cool Tom Cruise, or the unflappable Peter Graves if you are an old-school fan.

It seems I am always searching for the magical fast-forward button or time machine that allows me to bend the laws of time and physics to defuse the bomb and save the day.

Impossible? Maybe not always. Consider the following scenario:

The architect for ALPHA, which is merging with another company, ZED, is trying to sort through and integrate ZED’s application software and data with ALPHA’s systems to create a unified security operations environment. In 60 days, the security infrastructure has to be 1) functional 2) compliant 3) reliable. And of course, the analysts won’t tolerate any visible change –such as slower performance, loss of features, and longer wait times for searches, reports, or visualizations.

Our hero has figured out which data and applications to keep and connect. In some cases systems will run side by side before one eventually replaces the other: some of ZED's software is more modern and capable than ALPHA's, and both companies have legacy software that can't be shut down anytime soon because of compliance or mission-critical functions. So our hero knows which assets he cares about. Now he has to make it all talk together. In 60 days.

One day our hero is blissfully sipping tea while researching integrations from his key vendors, looking for APIs and scripting options. Suddenly the CISO comes in with an update from the board meeting: accelerate the merger's close by 30 days, because the timing is helping the competition disrupt deals. That means he has to get the integrations done in half the time. Our hero needs a fast-forward button for the plan.

Now the bomb is ticking down. There’s no peace in the architect’s cube. The “to do” list of integrations looks way too long. Precious few of the commercial vendors offer the necessary integrations off the shelf, and he can’t believe how few publish APIs or scripting frameworks for self-service. Open source would help, but that code requires validation and testing. How the heck is he going to pull this off? 16 hour days?

Our scene advances as the CISO checks back in the next morning. While the architect was caffeinating for a long day of writing custom integrations, the manager was breakfasting with a CISO for a health care provider. That CISO was talking about the rollercoaster of the last few years, with one merger per year. But they had found a time machine. Last year, her team used OpenDXL to integrate the two companies’ applications and had great results. OpenDXL Python scripts connected all the apps to a common application framework. This approach made it easier to add apps and data sources as they matured their requirements, and also to insulate systems from direct dependencies. This abstraction gave them more flexibility to distribute and evolve the underlying systems as well. It was the best merger experience they’d had in 5 years, and the CISO felt ready to handle whatever the Board dealt out next with aplomb.

The architect was already googling for “OpenDXL”. Even if the story were only half true, it had to be worth a shot. On GitHub.com/opendxl lay a treasure trove of integration examples, free downloads, and test software for integrating applications. A link to mcafee.com/dxl showed that several of the company’s targeted applications and vendors were already integrated with DXL. Best of all, an architecture guide for best practices showed how to integrate applications through OpenDXL. The integration to do list was looking shorter and more realistic by the minute.

Fast forward. It’s 30 days later, and our hero has made it. Systems running, compliance audits passed, uptime goals met. Whew. And an unexpected benefit – because DXL has a real-time data exchange, several of the SecOps team’s tedious serial workflows had gotten FASTER. Maybe the fast forward button was stuck on. That was a technology glitch to get excited about. And when the CISO handed out a bonus check for meeting the date, the day got even better.

If you think about it, the best stories on Mission Impossible were always the ones where the tools to solve the case were already available. It was just a matter of knowing where to look. So what are you waiting for? The clock is ticking…

Do You Need to Pull Up Your SOCs? https://securingtomorrow.mcafee.com/mcafee-labs/do-you-need-to-pull-up-your-socs/ https://securingtomorrow.mcafee.com/mcafee-labs/do-you-need-to-pull-up-your-socs/#respond Tue, 13 Dec 2016 05:01:42 +0000 https://securingtomorrow.mcafee.com/?p=66964 This week’s McAfee Labs Threats Report: December 2016 revealed the results of a survey gauging the state of the security operations center (SOC). The following is an excerpt from this article. A few years ago, dedicated SOCs seemed to be going the way of the dinosaur—the era of big rooms with big monitors and teams …

This week’s McAfee Labs Threats Report: December 2016 revealed the results of a survey gauging the state of the security operations center (SOC). The following is an excerpt from this article.

A few years ago, dedicated SOCs seemed to be going the way of the dinosaur—the era of big rooms with big monitors and teams of analysts seemed ready to be replaced by distributed teams, outsourced, or disbanded entirely. If you were not in the Defense Department or on Wall Street, many thought, then you did not need a SOC. Then targeted attacks and insider threats moved from movie and government plots to an everyday reality for enterprises. According to an Intel Security survey, 68% of investigations in 2015 involved a specific entity, either as a targeted external attack or an insider threat.

Today, almost all commercial (1,000–5,000 employees) and enterprise (more than 5,000 employees) organizations run some type of SOC, and half of them have had one for more than a year, according to the latest research study from Intel Security. As the number of incidents continues to increase, security organizations appear to be maturing and using what they learn to educate and improve prevention in a virtuous cycle. For instance, survey respondents documented their expanding investments in SOCs and attributed an increase in investigations to an improved ability to detect attacks. Those who reported a decline in investigations of incidents attributed this improvement to better protection and processes, which mature organizations perform as the final stage of a security investigation.

These are some of the findings in a primary research study commissioned by Intel Security on the current state of security management environments and threat detection capabilities, as well as priority areas for future growth.

Almost nine out of 10 organizations in this study reported that they have an internal or external SOC, although commercial organizations are slightly less likely to have one (84%) compared with enterprises (91%). Smaller organizations in general are implementing SOCs a bit later than enterprises, as only 44% of commercial groups have had one for more than 12 months, whereas 56% of enterprise SOCs have been around for that long. Most SOCs (60%) are currently run internally, with 23% operating a mix of internal and external support, and 17% fully external. For the few that have not established a SOC, only 2% of enterprises have no plans to do so, versus 7% of commercial companies.

Of the 88% of organizations operating a SOC, the majority (56%) reported that they use a multifunction model combining SOC and network operations center (NOC) functionality. Organizations in the United Kingdom (64%) and Germany (63%) are even more likely to operate in this model. Dedicated SOCs are in use by 15% of companies and are more prevalent in the United States (21%). Virtual SOCs are the third model, also used by about 15% of respondents, followed by a distributed or co-managed SOC, at 11%. Only 2% reported operating a command SOC.

This distribution of SOC implementations has several implications. The majority operate at or past the midpoint of SOC maturity, progressing toward the goal of a proactive and optimized security operation. However, more than a quarter (26%) still operate in reactive mode, with ad-hoc approaches to security operations, threat hunting, and incident response. This can significantly extend detection and response times, leaving the business at greater risk of significant damage, as well as facing a higher cleanup cost.

Whether from an increase in attacks or better monitoring capabilities, most companies (67%) reported an increase in security incidents, with 51% saying they have increased a little, and 16% that they have increased a lot. This is analogous to findings from the key topic “Information theft: the who, how, and prevention of data leakage” in the McAfee Labs Threats Report: September 2016. That primary research study found that organizations which watched data more closely for leakage reported more data-loss incidents.

Only 7% overall indicate that incidents have decreased, and the remaining 25% say that they have remained stable over the past year. There was little variance reported by country, but incidents increased as organizations get smaller, possibly indicating that criminals have broadened their attack targets. Only 45% of the largest organizations (more than 20,000 employees) reported an increase, compared with 73% of the smallest (fewer than 5,000 employees).

The small group that reported a decrease in incidents overwhelmingly (96%) believe that this was due to better prevention and processes. Of those who said that incidents increased, the majority feel that it was due to a combination of improved detection capabilities (73%) and more attacks (57%).

Most organizations are overwhelmed by alerts, and 93% are unable to triage all relevant threats. On average, organizations are unable to sufficiently investigate 25% of their alerts, with no significant variation by country or company size. Almost one-quarter (22%) feel that they were lucky to escape with no business impact as a result of not investigating these alerts. The majority (53%) reported only minor impact, but 25% say they have suffered moderate or severe business impact as a result of uninvestigated alerts. The largest organizations, perhaps because of their better monitoring capabilities and stable incident levels, are more likely to report no business impact (33%).

 

To learn more about the SOC survey findings, visit www.mcafee.com for the full report.

How Might a Technology Ecosystem Help Address Today’s Security Challenges https://securingtomorrow.mcafee.com/mcafee-partners/might-technology-ecosystem-help-address-todays-security-challenges/ Tue, 13 Sep 2016 17:39:55 +0000 https://blogs.mcafee.com/?p=52532 Intel Security Innovation Alliance technology partnering program comprises more than 150 ISV security partners who deliver tightly integrated, differentiated, and lab-tested solutions that enhance, augment, strengthen, and broaden the core functionality of Intel Security products. The Intel Security Innovation Alliance is a key building block supporting an ecosystem security model that drives positive business outcomes …

The Intel Security Innovation Alliance (SIA) technology partnering program comprises more than 150 ISV security partners who deliver tightly integrated, differentiated, and lab-tested solutions that enhance, augment, strengthen, and broaden the core functionality of Intel Security products. The Intel Security Innovation Alliance is a key building block supporting an ecosystem security model that drives positive business outcomes for your organization.

Security solutions provided through SIA Partners help our customers increase agility, helping them adapt quickly to constantly shifting security requirements and rapidly evolving, sophisticated threats.   At the core of the Intel Security open approach are advanced technologies such as Data Exchange Layer (DXL), which streamlines integration with partner solutions.  DXL unites disparate collections of security technologies into a single coordinated system with the ability to share threat intelligence. These integrated solutions provide automation capabilities to streamline and speed security and compliance.   Instead of engaging in laborious, time-consuming routine tasks, security teams can focus on threat analysis and prioritization to enable informed decision-making when security incidents occur.

Close collaboration between Intel Security technology experts and third-party partners in the SIA Program help customers deploy technologies that facilitate faster innovation cycles, build a coordinated, unified defense, and deliver security-based business outcomes. The Intel Security Innovation Alliance mission is to empower our customers to address all stages of the Threat Defense Lifecycle by protecting, detecting, and correcting threats faster and more effectively than any single vendor solution.

Building Bridges to a More Connected Security Environment https://securingtomorrow.mcafee.com/mcafee-partners/building-bridges-connected-security-environment/ Tue, 13 Sep 2016 17:33:05 +0000 https://blogs.mcafee.com/?p=52534 For a long time, the threat intelligence landscape could be likened to an archipelago; a collection of islands. There were a few bridges here and there but the various islands remained largely inaccessible. It became clear, however, that in this era of rapidly evolving and advanced threats, we needed to find a way to build …

For a long time, the threat intelligence landscape could be likened to an archipelago; a collection of islands. There were a few bridges here and there but the various islands remained largely inaccessible. It became clear, however, that in this era of rapidly evolving and advanced threats, we needed to find a way to build those bridges, to join the dots and ensure each part of the ‘security archipelago’ is not only connected, but integrated, with open channels of communication.

Well-funded crime organizations have continued to strain the capabilities of traditional security infrastructures, so an approach that allows organizations to draw on all available resources and make more informed and educated decisions is vital.

Security Connected

Intel Security introduced the McAfee Threat Intelligence Exchange (TIE) and Data Exchange Layer (DXL) in response to these challenges. Together they provide a secure communication platform that connects and unites disparate security technologies into a single coordinated system, allowing customers to make smarter security decisions, faster.

Customers can strengthen their threat defenses by drawing upon third-party vendor technologies that are integrated into the Intel Security platform to optimize their security operations, neutralize emerging threats, fortify critical environments and safeguard data.

In essence, McAfee TIE/DXL ushers in a new era in security where the whole is greater than the sum of its parts. All components come together to work as a single cohesive system, regardless of vendor or underlying architecture.

Avecto, an Intel Security Innovation Alliance partner, has completed a fully integrated TIE/DXL solution for Avecto Defendpoint. This joint solution gives customers actionable intelligence on application reputation, allowing them to drive configuration changes and make risk-based policy adjustments, all helping to create stronger defences against today’s threats. You can learn more about Avecto’s integration with Intel Security on a live webinar on Sept 21. Chris Sherman, Analyst at Forrester, will present on the Six Pillars of an Effective Endpoint Security Strategy, and Avecto and Intel Security will discuss how to deal with the multitude of threats targeting endpoints through a balance of attack surface reduction and threat detection. Register to attend: https://www.brighttalk.com/webcast/1743/221445

Upcoming Intel Security webcast on SIEM, with cybersecurity expert Peter Stephenson https://securingtomorrow.mcafee.com/business/optimize-operations/intel-security-webcast-siem/ Mon, 12 Sep 2016 23:09:23 +0000 https://blogs.mcafee.com/?p=52536

The post Upcoming Intel Security webcast on SIEM, with cybersecurity expert Peter Stephenson appeared first on McAfee Blogs.

Each month, we’ll highlight upcoming webcasts and Tech Talks on industry trends and topics in a blog post. See below for can’t-miss online events coming up with Intel Security:

Prepare Your SOC for the Convergence of Advanced Threat Management & SIEM

Learn from cybersecurity expert Peter Stephenson and Intel Security’s Michael Leland as they discuss why enterprises are now turning to advanced threat and incident management (ATIM) TTPs that integrate with their SIEM. This continued shift from perimeter-focused, reactive approaches to continuously monitored, collaborative and proactive methods leverages analytics and crowdsourced threat feeds, and requires as much focus on the context as on the incident. Is your SOC prepared for this next generation of security operations?

Join renowned cybersecurity expert Peter Stephenson and Intel Security’s Michael Leland as they discuss:

  • Use of shared technical data to automate out the noise and focus on the signal.
  • How to define the effects of each step in the attack chain to apply effective defenses and respond quickly.
  • Integrating technical data context and organizational data for enhanced understanding of what is happening in the environment.

Register here.

Be sure to follow us @IntelSecurity or @IntelSec_Biz for the latest on online events.

How Good Is Your Data Breach Response? https://securingtomorrow.mcafee.com/languages/espanol/que-tan-buena-es-su-respuesta-las-fugas-de-datos/ Sat, 03 Sep 2016 00:59:58 +0000 https://blogs.mcafee.com/?p=52428

The post How Good Is Your Data Breach Response? appeared first on McAfee Blogs.

Data breaches are common. Every organization that handles confidential or private data must have an adequate incident response capability. Many companies have a set of basic procedures, while others maintain a mature set of people and processes. A small percentage of organizations have, over the years, refined their capabilities to a professional level. Knowing where you stand and how you can improve is the key to finding the right level of information security preparedness.

Source: Information is beautiful.

Data breaches are an epidemic

The healthcare industry was hit hard in 2015. A record number of confidential health records were stolen or went missing. According to the Office for Civil Rights of the US Department of Health and Human Services, around 35% of the US population had their health records exposed in 2015.

Government, financial and technology organizations were also victims. In total, more than 707 million records were lost or stolen in 2015, according to Gemalto’s Breach Level Index. In reality, no company is safe.

This frequency is why it is important not only to have robust preventive controls, but also a good set of processes and resources for responding to an incident. A proper crisis response can limit the damage and prevent recurrences.

Responses to a data breach

Basic controls are used to manage the crisis and close the vulnerability behind the breach. This is the minimum. Many companies lack planning and only install equipment after the first major data breach is detected. That scenario, however, is chaos. Trying to deal with an unfamiliar situation while under the scrutiny of customers, regulators and executives can be a nightmare. This level of capability is usually slow and focuses exclusively on aspects of one particular breach.

Management is commonly misinformed into believing that this was a one-off event that will never happen again. The orders are to find this problem, fix it and return to normal activities. The weakness lies in not understanding that the vulnerability is probably systemic. Plugging one hole in the dam with a finger is useless if all the other cracks are ignored.

Mature capabilities are usually a sign of experience. These companies have suffered data breaches before and realized they needed to look for other weaknesses in order to be prepared for the next ones. This approach represents a realistic way of thinking, although it is not very popular with executives. They would prefer to have no incidents at all, and then discover that the cost of such controls would be exorbitant. So they seek a balance. These organizations perform risk assessments to find vulnerabilities in their data handling, may choose to buy breach insurance, and will have clearly established internal accountability.

Professional-grade data breach capabilities are found in organizations that understand the value of their data, regulatory compliance, and the trust of their customers and partners. The best external consulting teams also possess these skills. They can dive in and address every aspect, but for a price. Professional-class organizations carefully protect the information under their control, but also take serious measures for breach detection and rapid response. They plan and periodically test their response capabilities, working to keep them current with changes in the business and its infrastructure. Experts work with production teams to help establish compensating controls so that the business can keep running, even during an incident. Finally, they work to keep costs down and fine-tune their capabilities to maintain the optimal balance of corporate security, productivity and cost.

The right level

There is no universal right level of preparedness. Every organization is different. Companies have different risk appetites, different regulatory requirements, and oversee different types of data. In general, the more serious the consequences of a data breach, the more an organization should consider the mature or professional levels.

Data is valuable and breaches will continue to occur. No organization is immune. When preventive controls fail, rapid detection and a competent response are necessary to minimize immediate and long-term losses.

Want to know more? Follow me on Twitter (@Matt_Rosenquist) and LinkedIn to keep up with what is happening in cybersecurity.

Intel Security at work: A brief recap of Black Hat 2016 https://securingtomorrow.mcafee.com/business/optimize-operations/intel-security-work-brief-recap-black-hat-2016/ Wed, 17 Aug 2016 01:09:37 +0000 https://blogs.mcafee.com/?p=52047

The post Intel Security at work: A brief recap of Black Hat 2016 appeared first on McAfee Blogs.

Another Black Hat USA conference has come and gone, but, much like every year, a lot of incredible insights remain. And Intel Security was a major contributor to those insights. Our presenting researchers offered several great demonstrations this year, but three sessions stood out in particular for their insight into future ransomware scenarios:

  • Enjoy Your Coffee, Pay Me for Your Business — This session gave a few great examples of just how damaging the combination of ransomware and the Internet of Things can be. For example, our researchers presented attacks ranging from controlling IoT-connected lights (which would flicker until a victim paid a ransom) to using rogue Wi-Fi access points to infect a targeted organization’s smartphones. These infected smartphones could then be used to cripple office systems, networks or hold access to critical files hostage.
  • Your Home is Hacked… Pay Me! — This yet-to-be-publicly-released session detailed a scenario of how ransomware could affect, and infect, a smart home. Our researchers were able to show how we could identify a vulnerability in a home automation appliance and execute an exploit of the vulnerability — even if it’s been patched — allowing an attacker to plant ransomware or malware on the device. More on that session soon…
  • I’m Watching You Through Your Car Wi-Fi — Our researchers also presented a ransomware scenario for smart cars. Through an exploit targeting auto-entertainment system hubs, our teams were able to show how an attacker could track the location of a targeted car and harass the targeted car’s owner through status messages. This, of course, could last until the car owner paid a ransom.

The rise of the Internet of Things (IoT) and ransomware are two of the biggest security stories in years. We’re looking forward to contributing more towards consumer safety in these arenas.

We also announced a few promising partnerships at Black Hat 2016. For example, we’re partnering with CompuCom to help alleviate companies burdened by the cybersecurity skills shortage. To do this, CompuCom is deploying Intel Security’s McAfee Enterprise Security Manager as its SIEM tool as a completely cloud hosted and delivered solution. This will enable CompuCom to respond to client needs quickly and inexpensively. You can read more about that deal here.

A big hats-off to everyone who helped make Black Hat 2016 a huge success! We certainly learned a lot during our time at one of the largest annual cybersecurity events, and we hope we’ve imparted a lot of valuable cybersecurity information to our session attendees. ‘Till next year!

CompuCom Launches Cloud-Based Managed Service Powered by Intel Security https://securingtomorrow.mcafee.com/business/optimize-operations/compucom-launches-cloud-based-managed-service-powered-by-intel-security/ Wed, 03 Aug 2016 12:00:39 +0000 https://blogs.mcafee.com/?p=51660

The post CompuCom Launches Cloud-Based Managed Service Powered by Intel Security appeared first on McAfee Blogs.

Today, from Black Hat 2016 in Las Vegas, CompuCom announced the expansion of its Managed Security Services (MSS) through the release of its upgraded Security Information and Event Management (SIEM) services. In my earlier blog, I spoke about the cyberskills shortage and the active role that partners can play in helping to alleviate this problem for customers. This is a great example of a partner who is helping enterprise, commercial and small- and medium-sized businesses (SMBs) safely embrace public cloud adoption, enable their employees to use personal devices for company work and leverage the Internet of Things (IoT) to collect and process Big Data.

CompuCom now provides the latest in security event monitoring to identify and halt threats before they become a breach. When combined with its other network, service desk, data center and cloud managed services, the portfolio delivers an exclusive, comprehensive managed IT service that is smarter, safer and more affordable. This helps businesses respond to threats faster, leading to faster remediation times and minimized costs.

To achieve these new capabilities, CompuCom has deployed Intel Security’s McAfee Enterprise Security Manager (ESM) as its SIEM tool in a new and exciting way, as a completely cloud hosted and delivered solution. By leveraging a cloud-delivered ESM service, CompuCom can respond to its clients’ needs in a faster, more agile and more cost-effective manner.

CompuCom’s SIEM and Intel Security’s ESM partnership includes:

  • CompuCom’s SIEM combined with Intel Security’s endpoint protection, which together deliver more security features and functions, including real-time threat management on servers and desktops, virtualized or physical, on premises or in the cloud.
  • Advanced correlation of events across multiple systems and platforms. Today’s attacks are often coordinated across different vulnerabilities.
  • CompuCom’s comprehensive Managed Security Service that can be delivered on almost any manufacturer’s endpoint hardware.

For those of you at Black Hat this week, you can stop by Intel Security booth #1465 on August 3 at 3:15pm PT for a presentation from Chad Atchley, Cloud Product Director, CompuCom.

Boston Medical Center Finds Security Integration With Intel https://securingtomorrow.mcafee.com/business/optimize-operations/boston-medical-center-finds-security-integration-intel/ Thu, 21 Jul 2016 16:06:15 +0000 https://blogs.mcafee.com/?p=51431

The post Boston Medical Center Finds Security Integration With Intel appeared first on McAfee Blogs.

How important is a comprehensive, fully integrated security strategy for an enterprise? Just ask Michelle Duprey, Manager of Information Security at Boston Medical Center (BMC). The academic medical center, based in Boston, is the largest safety-net hospital in New England. A business that robust demands a modern security defense.

When Duprey first joined the hospital she faced a security nightmare—an environment of disjointed security applications that didn’t communicate with each other. “We run a lean group, and it was challenging to pull data out of all of those disparate products and turn it into useful information,” she says. When security applications start to work against you instead of with you, it’s time to reevaluate.

“We chose Intel Security because we needed a powerful and effective suite that could be managed with a single pane of glass. Not only do the McAfee products work extremely well together, but ePO makes our jobs so much easier. In one console we’re able to see what’s going on with all 10,000 endpoints, and we can push policies out to the entire network in just a few minutes.”

Three years ago, BMC partnered with McAfee to consolidate their portfolio of tools to build a single, integrated security environment. Today, this environment consists of McAfee Web Protection, Network Security Manager, Threat Intelligence Exchange, and Advanced Threat Defense. Within a month, BMC will complete its rollout of McAfee Enterprise Security Manager for SIEM. McAfee ePolicy Orchestrator (ePO) ties everything together with a single, unified management console.

Duprey comments that the powerful TIE/ATD combo gives the team a better picture of endpoint status and where the vulnerabilities are, capabilities that will be strengthened even further with the addition of SIEM. “Now that we’ve consolidated our portfolio around McAfee, we’ll spend the next few years optimizing those technologies and getting to a fluid operational state,” she adds.

Transitioning to Intel Security’s integrated security platform grants Boston Medical Center a clearer view of their endpoints and security ecosystem as a whole. Breaking down siloed tools in exchange for centralized solutions provides the hospital the support it needs to supply patients with quality care.

Have a question? Tweet us at @IntelSec_Biz.

McAfee Network Security Platform: Five Times a Winner https://securingtomorrow.mcafee.com/business/optimize-operations/mcafee-network-security-platform-five-times-winner/ Fri, 08 Jul 2016 15:38:37 +0000 https://blogs.mcafee.com/?p=51113

The post McAfee Network Security Platform: Five Times a Winner appeared first on McAfee Blogs.

NSS Labs Recommends McAfee NSP NS9100 for Data Center Security

That’s the takeaway from NSS Labs’ just-released test report on high-throughput intrusion prevention systems (IPS) for the data center, in which the McAfee Network Security Platform (NSP) NS9100 appliance won a hard-earned “Recommended” rating. This is the fifth time that McAfee NSP has achieved this level of excellence from NSS Labs for IPS overall. As a combination of blocking, throughput and TCO, McAfee NSP clearly delivers industry-leading security for today’s and tomorrow’s data center.

NSS Labs’ 2016 Security Value Map (SVM) for Data Center Intrusion Prevention System (DCIPS)

Data center applications make unique demands on an IPS, as traffic levels can be significantly higher than at the corporate perimeter. Also, traffic mixes can vary with security strategies, which may prioritize specific servers, protocols, or applications. Latency is also of great concern, as application performance may be adversely affected if an IPS introduces significant delays. While handling the rigors of a physical network is key, one must keep in mind the growing trend toward the virtual data center. As the only dedicated IPS certified for VMware’s NSX SDN solution, McAfee NSP is the security platform of choice for growing your physical data center into tomorrow’s virtual software-defined data center (SDDC).

IPS Testing Criteria

To discover what the current crop of IPS solutions offers data center security teams, NSS Labs tested a cross section of products claiming effective threat blocking and high throughput capabilities. Each system was subjected to a library of server exploits curated for malicious behaviors ranging from opening a reverse shell and executing arbitrary code to installing a payload or rendering a system unresponsive. Selection criteria also included evasive tactics such as IP packet fragmentation, stream segmentation, RPC fragmentation, URL obfuscation, and FTP evasion, deployed singly or in layers.

These threats were embedded in multi-Gigabit traffic streams designed to stress the inspection engine and reveal its performance and behavior in a range of real-world operating scenarios. To complete the assessment, NSS Labs investigators also evaluated each IPS for stability and reliability, ease of management and configuration, and total cost of ownership.

The Envelope Please!

Tested with tuned policy settings, the Network Security Platform NS9100 blocked 99.4 percent of all exploits in the NSS library and effectively detected and countered all of the evasion techniques employed.

Testers pegged the NS9100’s overall throughput at 19.949 Gbps, almost twice our advertised capacity for this appliance. This calculated rate represents the average of NSS Labs’ real-world protocol mix tests and its 21 KB-response HTTP capacity test.

Finally, the NS9100 passed all assessments for stability, reliability, configurability and manageability. Based on current street pricing, three-year TCO was calculated at just $12 per protected Mbps of data center traffic.

The NSS Labs Security Value Map (SVM) report is available here. I recommend you read it and hope you’ll join me in a sincere “Well Done” to everyone on the McAfee Network Security Platform product team.

Banking on Advanced Protection: Comprehensive and Integrated Security at a Regional Commercial Bank https://securingtomorrow.mcafee.com/business/optimize-operations/banking-advanced-protection-comprehensive-integrated-security-regional-commercial-bank/ Thu, 09 Jun 2016 16:53:15 +0000 https://blogs.mcafee.com/?p=50440

The post Banking on Advanced Protection: Comprehensive and Integrated Security at a Regional Commercial Bank appeared first on McAfee Blogs.

Isn’t it time to invest in a security solution that doesn’t break the bank? One bank offers a textbook case study in corporate data security, since by definition it’s required to safeguard clients’ highly sensitive personal and financial data. This U.S.-based regional commercial bank has undergone a sea change in its approach to security over the past seven years, a remarkable transformation overseen by the bank’s CISO.

This bank has migrated from disconnected point solutions to a fully integrated security platform based on Intel Security solutions, and the result is nothing short of amazing. Their security team is better and more efficient at detecting malware of all kinds, equipping the bank to deal with advanced, targeted cyber threats and ward off costly data breaches.

With the help of Intel Security Professional Services, the CISO and his team took existing deployments of McAfee® Enterprise Security Manager and McAfee Complete Endpoint Protection Enterprise software and enabled them to communicate seamlessly with one another. In addition, the security team added McAfee Threat Intelligence Exchange with Advanced Threat Defense to improve detection of advanced, targeted threats and further overcome the effects of siloed point systems. McAfee ePO provides the central management console for managing endpoint protection and other security solutions.

The open, interconnected Intel Security infrastructure is driven by an adaptive feedback loop in which security evolves and learns in an iterative cycle that improves over time. This not only delivers a much more sustainable advantage against complex threats, but it’s also much more efficient than the bank’s previous traditional, unintegrated security architecture. The strategy paid off recently when the bank was targeted by a zero-day phishing attack. In the end, McAfee Advanced Threat Defense and McAfee Threat Intelligence Exchange did exactly what was expected—kept the bank safe.

“With the Intel Security interconnected security approach, communication between solutions becomes a non-issue,” says the CISO. “Planning, technical design process, deployment, implementation, and maintenance have all become so much easier.”

He adds, “Intel Security has treated us as an important customer from the very beginning, when all we had was antivirus software. Our security transformation is still under way, but we are so much more secure now than we were before. I expect Intel Security to be partnering with us for the long haul, helping us tackle our strategic priorities, from better controlling employee behavior to securely leveraging the cloud.”

After the zero-day phishing attack, two subsequent attacks were also easily thwarted. Thanks to a truly integrated security approach, this bank’s security environment looks extremely different today than it did just a few years ago, and its security posture is stronger and more sustainable.

Want more? Read the full case study here. Questions? We have answers on Twitter at @IntelSec_Biz.

Threat Defense Lifecycle https://securingtomorrow.mcafee.com/languages/espanol/ciclo-de-vida-de-proteccion-contra-amenazas/ Fri, 20 May 2016 17:15:03 +0000 https://blogs.mcafee.com/?p=49817

The post Threat Defense Lifecycle appeared first on McAfee Blogs.

In digital security the only constant is change. Our field transforms according to several elements: the constant evolution of technology (the Internet of Things is a new trend); the value a target may have for attackers (how much valuable information it holds); the power of the aggressors; and the repercussions an attack may have (against a large company or a government, for example). All these components influence what we at Intel Security call the Threat Defense Lifecycle, or Threat Defense Cycle.

The most important security trends for the future are the growing expansion of what we at Intel Security call the attack surface (more users, more mobile devices, more data traffic); increasingly sophisticated attackers; a higher cost of attacks (due to the growth of online operations); the lack of integrated security technologies; and an insufficient number of trained security experts to confront this problem.

A very important indicator is the number of threats and the rate at which they appear: in 2005 McAfee Labs reported the appearance of one threat every hour; today our labs report 316 threats every minute, or, in other words, 5 threats every second, and this figure keeps growing!

Old strategies against new weapons?

Faced with this landscape, we ask ourselves: what is the best way to confront these digital security threats? React once an attack has occurred and a company’s assets have been compromised, or be able to detect attacks in advance, prepare the defense, and improve security in whatever layer contains weak points?

At Intel Security we believe the best strategy for confronting digital threats is to focus on reducing security fragmentation through control of the endpoints and the cloud. This gives us protection against malware, safeguards our customers’ data, and provides web security through a central, open platform that gives us a comprehensive view not only of the attack but also of our defenses, which allows us to accelerate the threat defense lifecycle.

Nuestra solución no sólo permite bloquear las amenazas e identificar riesgos, sino también aumentar la velocidad con que podemos hacer cualquier corrección de manera eficiente, así como utilizar información y procesarla; automatizar procesos selectivamente y colaborar en tiempo real. ¿De qué manera lo logramos?

Existen tres pasos que seguimos en el Ciclo de vida de la protección contra amenazas:

Proteger. Bloqueamos los ataques más generalizados y se interrumpen las técnicas y descargas nunca antes vistas, de esta forma al mismo tiempo los usuarios son más productivos. Para lograr esto, nuestro sistema híbrido tiene controles en los puntos terminales (endpoints) y en la nube para proteger contra el malware, cuidar los datos y tener seguridad en la web, todo lo cual se realiza desde una plataforma centralizada. Gracias a esto disminuye la fragmentación, automatizamos la seguridad y reforzamos las funciones para luchar contra los ataques de forma más eficaz y con menor esfuerzo.

Detectar. Buscamos comportamientos atípicos de ataques de umbral bajo que podrían pasar desapercibidos, mediante la inteligencia y análisis avanzados de distintos aspectos en capas, en vez de limitarnos a un sólo tipo de análisis o fuente de información. Gracias a estas técnicas es posible detectar, detener y solucionar más problemas al tiempo que se disminuyen los daños. Nuestra solución reúne información tanto de seguridad local como global, integra una serie de análisis del comportamiento y el contexto, y aprovecha al máximo la administración centralizada. Así se consigue la mejor información, se identifican las amenazas de forma más eficaz, e investigamos los eventos con mayor rapidez.

Corregir. Simplificamos el ciclo de vida de la protección contra amenazas al facilitar las operaciones de clasificación, la investigación y las correcciones. Además al tener una administración basada en la nube reducimos el mantenimiento y hacemos más fácil tanto proteger como implementar políticas de seguridad. Nuestro sistema es capaz de aprender de los incidentes de seguridad y evolucionar de manera constante, todo lo cual mejora la protección conforme pasa el tiempo.


The Threat Defense Lifecycle has several components:

  • McAfee Active Response: our innovative solution for endpoint detection and response to threats.
  • McAfee Data Exchange Layer (DXL): a fast lane over which threat information is exchanged to improve integration with both McAfee and third-party solutions.
  • McAfee Endpoint Security: improves the speed at which threats are detected and corrected, scanning faster while automatically updating threat information and making the most of CPU usage.
  • McAfee Enterprise Security Manager: at the center of our SIEM strategy, it provides actionable information on performance and real-time status, essential to identify, understand and respond to hard-to-detect threats.
  • McAfee Threat Intelligence Exchange: improves threat detection and response, protecting every point in the enterprise when new threats appear.

 

The post Threat Defense Lifecycle appeared first on McAfee Blogs.
IoT vulnerability, a risk for companies https://securingtomorrow.mcafee.com/languages/espanol/la-vulnerabilidad-del-iot-un-riesgo-para-las-empresas/ Tue, 10 May 2016 03:17:45 +0000
The shrinking size and falling price of electronic components have gradually made it possible to add intelligent features to machines and connect them to the Internet, from the ones that cool the air in homes and offices to those that run large trains. This technological shift is commonly called the Internet of Things (IoT), which together with Big Data, the Smart Citizen, cloud computing and Security is one of the five big trends in Information and Communication Technology (ICT).

It is precisely thanks to IoT that we can now take better care of our health with a wearable, a device that collects data on our blood pressure and the steps we take in a day; that we can relate our car's fuel consumption to the kilometres driven on each trip and work out the best options to pollute less and save more; and that we can use drones (flying robots with built-in cameras) to capture information that helps construction companies choose the best site to build on, or helps the authorities check compliance with building regulations.

For reference, Intel has a series of online documents grouped as Internet of Things case studies, snapshots and blueprints which, besides extensive information on IoT, contains examples of how this technology is used in different industries.

[Image: IoT platform. Source: Intel infographic]

To achieve this, each machine needs sensors, a central processing unit (CPU) and an Internet connection; besides existing in the physical world, the device then also has a presence on the web, with its own IP address and the same exposure to cyber threats as any other machine.

Estimates of the number of "things" that will be connected to the Internet vary, but forecasts range from 26 billion to 212 billion devices connected to the IoT by 2020.

IoT risks, a hidden threat

All Internet of Things (IoT) developments can be grouped by function into two kinds: devices that collect information about their surroundings through sensors and transmit it continuously, and devices that receive instructions over the Internet and perform some action where they are installed; a device can also do both.

In either case two issues should concern us: privacy and security. For the first, the question is who can access the data collected by a given device, and for what purpose; for the second, the question is who could tell the device what to do, for instance in the case of a railway or a nuclear power plant.

IoT attacks: how much do we know?

Among the most likely threats against IoT devices are zero-day exploits, which take advantage of vulnerabilities in the new software or platforms built by device manufacturers, who usually do not anticipate the risks. A clear example is smart TVs, which can transmit users' conversations through the same microphone they use to receive voice commands.

Medical devices are another area of risk; as they are networked, they are gradually becoming part of the fabric of the Internet of Things. These include devices that are worn, temporarily ingested, or even implanted in the human body to treat certain conditions or deliver medication. Against this backdrop Intel Security published "The Internet of Things in healthcare: opportunities and risks", a summary of the report "The healthcare Internet of things: rewards and risks", which makes the interesting point that if high-impact failures occurred in such devices, society would undoubtedly resist their use, which, the document stresses, would delay their deployment by years or decades.

To protect IoT developments, Intel Security offers McAfee Advanced Threat Defense (ATD), a solution that performs static analysis going beyond simply inspecting a file's header: it also examines the executable code in depth and disassembles the file (reverse engineering) to carry out a comprehensive analysis of data in transit that might otherwise evade detection. ATD integrates with McAfee ePolicy Orchestrator®, making it a very robust option for any user.

The post IoT vulnerability, a risk for companies appeared first on McAfee Blogs.
5 Things You Need to Know About Integrated Security in the Cloud https://securingtomorrow.mcafee.com/business/optimize-operations/5-things-need-know-integrated-security-cloud/ Tue, 03 May 2016 14:00:33 +0000
Whatever the specific configuration of your cloud, be it public, private, or a mix of both, there are security risks that aren’t immediately apparent, ranging from the technical to organizational to issues of governance. Here are five things you need to know about integrating security across your multiple cloud deployments for optimal security.

1) Know where your data is

Keeping track of where your data is located can be more difficult than you think, especially because of shadow IT. The cloud makes it easy for individual departments to have their own cloud-based applications and data storage. But you can't protect what you don't know exists, and even if you do know it exists, there are still unique issues to solve for. If you think there is no shadow IT in your organization, think again: in a Frost & Sullivan study, more than 80% of respondents admitted to using non-approved SaaS applications in their enterprises.

Here’s the issue: shadow IT makes it possible for data to be stored and processed in the cloud without proper security controls. And when users and departments store and share sensitive data in the cloud or run applications in the cloud without IT’s knowledge, the enterprise can be exposed in many ways.

The answer: make sure you have a single system to track and secure your data. Consider requiring that IT perform security and compliance reviews for any SaaS contracts and services. IT may also want to launch a campaign to educate department managers about the governance and security issues that go along with SaaS applications and the cloud.

2) Secure your east-west traffic

Enterprises are moving to virtualized data centers, including private and public clouds, and beyond that to software-defined data centers. This has created a new pattern of east-west traffic from server to server or workload to workload. North-south traffic (between client and server) has also changed, because servers no longer sit on a dedicated appliance in a data center but are virtualized, generally in some kind of cloud configuration. In addition, the number and variety of clients has grown to encompass tablets, mobile devices, wearables, and IoT sensors.

This creates a new set of security challenges, particularly for east-west traffic. Firewalls placed at the edge of a data center (or of its virtual equivalent) do not see east-west traffic by default: securing it with them depends on static routes and known entities, or else requires that IT manually configure and steer the east-west traffic through the security appliance.

One way to solve this is with software-defined security, which virtualizes an enterprise's security infrastructure. In this approach, a controller automatically provisions security wherever and whenever it's needed. The system can connect to multiple data centers of different types, and works with many security solutions, meaning it works with multiple types of cloud configurations. Intrusion prevention systems for virtual environments are key tools as well, and work in concert with software-defined security.

3) Protection from malware

Many enterprises move to the cloud after having virtualized servers and applications in their data center, and may not be used to the unique security issues posed by a cloud configuration. Here’s an example. As some enterprises move to a private cloud, they run traditional anti-virus products in virtualized machines to fight malware. But in doing so they bring those virtualized machines to their knees, dramatically slowing performance. (For more details, see this interview about hybrid cloud security with Intel Security’s Loretta Nierat.)

To avoid those kinds of problems, look for security and data solutions specifically designed for the hybrid cloud. For anti-malware protection, that means techniques such as offloading scanning from the virtual machines themselves to a dedicated scan appliance, or scan avoidance, which tracks which files have already been scanned and skips re-scanning them if they haven't changed.

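The scan-avoidance idea above, as an added example that is not McAfee code: a small Python cache that skips re-scanning a file whose content has not changed and, the caveat a practitioner wants, rescans everything once the signature set changes, since a "clean" verdict reached with old signatures says nothing about new ones. The engine, the signature version strings and the sample file are constructed stand-ins.

```python
import hashlib
import os
import tempfile


def demo_scan_engine(path):
    """Stand-in for a real engine (constructed): flags files carrying the EICAR marker."""
    with open(path, "rb") as f:
        return "malicious" if b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE" in f.read() else "clean"


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


class ScanCache:
    """Scan avoidance: reuse a verdict only while the file content and the
    signature set that produced the verdict are both unchanged."""

    def __init__(self, scan_fn, signature_version):
        self._scan_fn = scan_fn
        self.signature_version = signature_version
        self._entries = {}      # path -> {size, mtime_ns, sha256, verdict, sig_version}
        self.engine_calls = 0

    def update_signatures(self, new_version):
        # A verdict reached with old signatures is no evidence under new ones;
        # entries tagged with the old version are rescanned on next access.
        self.signature_version = new_version

    def scan(self, path):
        st = os.stat(path)
        entry = self._entries.get(path)
        digest = None
        if entry is not None and entry["sig_version"] == self.signature_version:
            if entry["size"] == st.st_size and entry["mtime_ns"] == st.st_mtime_ns:
                return entry["verdict"]         # cheap path: nothing observable changed
            # Metadata changed: decide by content. A forged mtime (touch -r) on
            # unchanged content costs one hash; a real change forces a rescan.
            # (A same-size overwrite with restored mtime would still slip past the
            # cheap path; deployments needing more assurance hash on every close.)
            digest = sha256_of(path)
            if digest == entry["sha256"]:
                entry["size"], entry["mtime_ns"] = st.st_size, st.st_mtime_ns
                return entry["verdict"]
        verdict = self._scan_fn(path)
        self.engine_calls += 1
        self._entries[path] = {"size": st.st_size, "mtime_ns": st.st_mtime_ns,
                               "sha256": digest or sha256_of(path), "verdict": verdict,
                               "sig_version": self.signature_version}
        return verdict


def run_demo():
    """Drive the cache through four cases; returns (engine calls after each, last verdict)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "quarterly-report.pdf")      # constructed sample file
        with open(path, "wb") as f:
            f.write(b"%PDF-1.4 constructed sample document\n")
        cache = ScanCache(demo_scan_engine, "DAT-8001")     # assumed version label
        calls = []
        cache.scan(path)
        cache.scan(path)
        calls.append(cache.engine_calls)                    # 1: second call served from cache
        st = os.stat(path)
        os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns + 10**9))   # forged mtime, same content
        cache.scan(path)
        calls.append(cache.engine_calls)                    # still 1: content hash matched
        with open(path, "ab") as f:
            f.write(b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE")
        verdict = cache.scan(path)
        calls.append(cache.engine_calls)                    # 2: content changed, rescanned
        cache.update_signatures("DAT-8002")
        cache.scan(path)
        calls.append(cache.engine_calls)                    # 3: new signatures, rescanned
        return calls, verdict


if __name__ == "__main__":
    print(run_demo())
```

The point of the `sig_version` field is the one most home-grown caches miss: without it, a file scanned once under old signatures stays "clean" forever, which is exactly the window a new detection was meant to close.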
4) The difficulties with compliance

Compliance in the hybrid cloud is particularly thorny: in short, your compliance policies for your private cloud and your public cloud provider have to match. Even the way they communicate must be compliant. The issue is significant enough that 38% of companies in a survey by the Cloud Security Alliance said that a major barrier to cloud adoption is their concern about regulatory compliance.

As a starting point, centralize all governance related to cloud deployments in IT where they can ensure consistent compliance policies across both public and private clouds. Individual departments and shadow IT simply can’t handle it.

Raise any industry-specific compliance issues such as HIPAA with public cloud providers before any contracts are signed. Any prospective cloud provider should detail exactly how it handles those and other compliance issues, and show that its approach matches the enterprise's own rules.

Finally, delve into the ways your public and private clouds communicate, and ensure they meet privacy, security, and other governance regulations.

5) Take care with your SLA

Crafting SLAs for the hybrid cloud can be extremely complex. You'll need to make sure that your public-cloud SLAs spell out specific data protection and security features and guarantees. But that's just a first step. You'll also need to ensure that your private-cloud SLA matches the public one, and that both are in line with your business needs.

Start by tracking your private cloud’s availability and performance, and then evaluate what kind of security issues might arise when integrating with the public cloud. If you are required to keep confidential data on-premises in your private cloud, for example, make sure your SLA details that you won’t be using that data in the public cloud.

Closely review all the terms and conditions—don’t breeze by the legalese and fine print. This is particularly important because there are few standards and benchmarks for SLAs in the cloud, according to a study from Nova Southeastern University.

Pay attention to security clauses, such as who has access to your data, whether the provider outsources data storage, how data is deleted, and whether certifications and third-party audits will be performed. Also important: how is privacy handled, such as what data will be collected about your organization, and what steps will be taken to keep it private. Find out how the data will be used, and how long it will be retained. And look for operational details such as backup frequency, recovery time from failure, and the provider’s database and storage architecture redundancy model.

If you follow these five steps, you'll be well on your way to making sure that your hybrid cloud is as secure as possible.

Read the original post on CSO Online.

The post 5 Things You Need to Know About Integrated Security in the Cloud appeared first on McAfee Blogs.

Zero-day code, a growing multiplatform threat for 2016 https://securingtomorrow.mcafee.com/languages/espanol/codigos-zero-day-multiplataforma-creciente-para-2016/ Thu, 31 Mar 2016 23:02:02 +0000
Updating an application used every day in a company is something that a user, or perhaps the administrator of the corporate network, decides to do at some point to take advantage of the new features of the latest version of a program that will surely improve productivity. Hours later, however, the company's network has been compromised by so-called zero-day malware, for which there is as yet no description, signature or patch.

Zero-day malware exploits vulnerabilities that may exist in new software whose developers could not foresee all the possible ways users would exercise their code.

According to the McAfee Labs 2016 Threats Predictions report, these are the results of the zero-day attacks that occurred in 2014-2015:

[Image: zero-day attack results, 2014-2015. Source: McAfee Labs 2016 Threats Predictions report]

According to the same report, there is danger in enterprise environments that use Object Linking and Embedding (OLE) technology: OLE objects could be introduced into a corporate network in encrypted form to evade threat detection.

Zero-day code also tends to be used against other systems, such as embedded systems, the Internet of Things (IoT) and infrastructure software. Systems on which such attacks could be launched include UNIX variants, popular smartphone platforms, IoT platforms (Project Brillo and Tizen), and the underlying libraries and basic components (Glibc and OpenSSL, among others). In other words, open source tools are not as completely secure as they should be.

Detecting zero-day malicious code entering the corporate network is one of the main challenges facing any company's security team, together with the volume of operations involved in protecting the internal network, which consume effort and time.

Threat detection is usually done through dynamic analysis in a controlled environment, that is, based on the behaviour of files; with this procedure alone, however, malware that recognises a sandbox and activates only after it has passed through it may go undetected.

A security solution that only detects threats is no longer competitive. Evaluate advanced threat detection solutions that offer you:

  • Static analysis. Going beyond inspecting only a file's header, examining the executable code in depth to perform a comprehensive analysis of files that pass through a sandbox and that could evade it if only dynamic analysis were applied.
  • Location of advanced malicious code through filtering in several layers: AV, heuristics, web filtering, emulation and, finally, sandboxing.
  • Automatic signature generation, as well as rule sets for gateways and firewalls, with which similar attacks will be blocked in the future.

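The static-analysis bullet above, as an added example that is not part of the original post or of ATD: a Python parser that walks past the PE header into the section table and applies three packer tells (section names left by known packers, sections with no raw data but a large virtual size, and an entry point inside a high-entropy or last section). The two PE files it inspects are constructed in memory by build_pe() so the example runs offline; they are parseable, not loadable, and the packer name list and the 7.0-bit entropy threshold are heuristics chosen for this example.

```python
import hashlib
import math
import struct

# Section names that well-known packers leave behind (a naive but useful tell).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite",
                        ".themida", ".vmp0", ".vmp1", ".MPRESS1"}
HIGH_ENTROPY = 7.0                  # bits per byte; compressed or encrypted data sits near 8.0
FILE_ALIGN, SECT_ALIGN = 0x200, 0x1000


def shannon_entropy(data):
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe):
    """Walk the DOS/COFF headers and return (AddressOfEntryPoint, section list)."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]   # same offset for PE32 and PE32+
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i)
        raw = pe[rptr:rptr + rsize] if rsize else b""
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vsize": vsize,
                         "vaddr": vaddr, "rsize": rsize, "entropy": shannon_entropy(raw)})
    return entry_rva, sections


def analyze_pe(pe):
    """Static packer heuristics; returns finding strings (empty list = nothing suspicious)."""
    entry_rva, sections = parse_sections(pe)
    findings = []
    for s in sections:
        if s["name"] in PACKER_SECTION_NAMES:
            findings.append("packer-section-name:" + s["name"])
        if s["rsize"] == 0 and s["vsize"] > 0:        # memory-only section: unpack destination
            findings.append("zero-raw-size-section:" + s["name"])
        if s["entropy"] >= HIGH_ENTROPY:
            findings.append("high-entropy-section:" + s["name"])
        holds_entry = s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["rsize"])
        if holds_entry and (s["entropy"] >= HIGH_ENTROPY or s is sections[-1]):
            findings.append("entry-point-in-suspicious-section:" + s["name"])
    return findings


def build_pe(sections, entry_rva):
    """Assemble a minimal, parseable (not loadable) PE32 file from
    (name, raw_bytes, virtual_size) tuples. Constructed input for this example."""
    opt_size = 224                                          # PE32 optional header size
    hdr_len = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    hdr_len = -(-hdr_len // FILE_ALIGN) * FILE_ALIGN        # round up to file alignment
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)              # AddressOfEntryPoint
    table, body, raw_ptr, vaddr = b"", b"", hdr_len, SECT_ALIGN
    for name, raw, vsize in sections:
        padded = raw + b"\0" * (-len(raw) % FILE_ALIGN)
        table += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, len(padded),
                             raw_ptr if padded else 0, 0, 0, 0, 0, 0x60000020)
        body += padded
        raw_ptr += len(padded)
        vaddr += -(-max(vsize, len(padded)) // SECT_ALIGN) * SECT_ALIGN
    header = dos + b"PE\0\0" + coff + bytes(opt) + table
    return header + b"\0" * (hdr_len - len(header)) + body


def pseudo_random_bytes(n, seed=b"constructed packed payload"):
    """Deterministic high-entropy filler standing in for compressed code."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def benign_sample():
    text = b"\x55\x8b\xec\x83\xec\x10" * 200                # repetitive code bytes, low entropy
    data = b"Hello from a constructed benign binary\0" * 20
    return build_pe([(b".text", text, len(text)), (b".data", data, len(data))], entry_rva=0x1010)


def packed_sample():
    # UPX-style layout: UPX0 exists only in memory (unpack target), UPX1 holds
    # the compressed image plus the stub, and the entry point lands inside UPX1.
    stub = pseudo_random_bytes(8192)
    rsrc = b"RSRC" * 64
    return build_pe([(b"UPX0", b"", 0x10000), (b"UPX1", stub, len(stub)),
                     (b".rsrc", rsrc, len(rsrc))], entry_rva=0x11100)


if __name__ == "__main__":
    for label, sample in (("benign", benign_sample()), ("packed", packed_sample())):
        print(label, analyze_pe(sample))
```

None of these tells is proof on its own (a legitimately compressed resource section has high entropy too), which is why the post's layered approach feeds such static findings into emulation and sandboxing rather than blocking on them directly.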
 

Intel Security's McAfee Advanced Threat Defense (ATD) can, in addition to all of the above, also "fix" compromised machines together with McAfee ePolicy Orchestrator®. ATD not only solves problems but saves administrators time by simplifying IT operations while keeping your company's network safe.

For more information on vulnerabilities in enterprise environments, visit: http://www.intel.es/content/www/es/es/architecture-and-technology/authenticate/intel-2016-security-threats-report.html

The post Zero-day code, a growing multiplatform threat for 2016 appeared first on McAfee Blogs.
Speed, a characteristic of recent threats to your network https://securingtomorrow.mcafee.com/languages/espanol/velocidad-una-caracteristica-de-la-amenazas-recientes-su-red/ Wed, 23 Mar 2016 13:00:30 +0000
One of the most frequent questions from security administrators is: when will the signature be ready so I can deal with this new threat that breached my network? The fact is that once an attack has happened, the fix can take anywhere from several days to weeks.

The report "When Minutes Count", which evaluates organizations' ability to detect and block targeted attacks, finds that most companies are not confident in their ability to identify targeted attacks in time. Even the companies best prepared to deal with targeted attacks spend time investigating large volumes of events, which creates urgency and an organizational focus on creative strategies for earlier detection and more effective mitigation.

Some of the key findings are:

  • 74% of respondents reported that targeted attacks are a top concern in their organizations.
  • 58% of organizations investigated 10 or more attacks in the last year.
  • 78% of organizations able to detect attacks in minutes had a proactive, real-time security information and event management (SIEM) system.
  • Only 24% of companies are confident in their ability to detect an attack in minutes, and just under half reported that it would take days, weeks or even months before they noticed suspicious behaviour.

But is it only possible to act reactively and wait for a fix to exist before remediating these problems?

Today it should no longer be necessary to wait long to face a threat: an advanced security system should allow action in seconds. Imagine a unified attack defense system in which endpoints, controllers and security sensors can quickly share information over an open data layer, even when some of the components come from different security vendors, all with the purpose of improving the protection of your network.

Such a unified defense system should give those responsible for the company's network security a broader, more integrated perspective that rests on evidence of attacks against their digital information, early discovery of likely attacks, a shorter response time to threats, and better timelines for fixing or remediating the problems an attack causes.

Everything must begin with knowledge of the environment: an adaptive security system protects and reacts against threats, and adapts to them much like a watchful brain; it must then communicate with other, different security products through a communication infrastructure that connects them and lets them act as if they were a single system.

Imagine how an advanced security system would work: a user on a corporate network downloads a file from a website that is not on any IP address allowlist or blocklist and tries to open it immediately; the nearest component of the security system cannot determine whether it is safe, so it sends it to a sandbox appliance where, in a controlled environment, it is examined, all within seconds.

Meanwhile the user who downloaded the file is allowed to keep working, but the machine is already in quarantine and its communications have been blocked. If the security system determines that the program is safe to run, it classifies it as trusted, restores communications and allows all users to run it; if instead it classifies it as unsafe or untrusted, it instructs all gateways, firewalls (whatever the vendor) and endpoints to block execution of the file to eliminate the threat, again in a matter of seconds.

In short, an advanced security system should:

  • React to possible threats in seconds, not minutes or hours.
  • Automatically isolate the execution of any suspicious file.
  • Run it in a controlled environment (sandbox).
  • Work in coordination with different security solutions regardless of their vendor.
  • Determine in seconds whether the executable is trustworthy and then inform every component of the system of the result of the analysis.

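The sandbox-and-broadcast workflow described above, as an added example that is not McAfee code (class names such as DataExchangeLayer and ReputationBroker are this example's own, not product APIs): a Python simulation of hash-keyed reputation, host quarantine while a verdict is pending, one detonation per unique file, and publication of the verdict to every subscribed enforcement point, whatever its vendor. The sandbox is a constructed stand-in that looks for a marker string, and the two files are constructed byte strings.

```python
import hashlib
from enum import Enum


class Reputation(Enum):
    UNKNOWN = "unknown"
    TRUSTED = "trusted"
    MALICIOUS = "malicious"


class DataExchangeLayer:
    """Vendor-neutral bus: enforcement points subscribe, verdicts are broadcast to all."""

    def __init__(self):
        self._subscribers = []

    def subscribe(self, callback):
        self._subscribers.append(callback)

    def publish(self, sha256, reputation):
        for callback in self._subscribers:
            callback(sha256, reputation)


class EnforcementPoint:
    """A gateway, firewall or endpoint from any vendor that applies published verdicts."""

    def __init__(self, name, bus):
        self.name = name
        self.verdicts = {}
        bus.subscribe(self.on_verdict)

    def on_verdict(self, sha256, reputation):
        self.verdicts[sha256] = reputation

    def permits(self, sha256):
        # Default deny: only an explicit TRUSTED verdict lets the file through.
        return self.verdicts.get(sha256) is Reputation.TRUSTED


class Sandbox:
    """Stand-in for a detonation appliance (constructed). A real one runs the
    sample and watches its behaviour; this one just looks for a marker string."""

    def __init__(self):
        self.detonations = 0

    def analyze(self, data):
        self.detonations += 1
        return Reputation.MALICIOUS if b"drop-ransom-note" in data else Reputation.TRUSTED


class ReputationBroker:
    """Hash-keyed reputation store: an unknown file goes to the sandbox once and
    the verdict is published, so no other component has to detonate it again."""

    def __init__(self, bus, sandbox):
        self.bus, self.sandbox = bus, sandbox
        self.reputations = {}

    def lookup(self, sha256):
        return self.reputations.get(sha256, Reputation.UNKNOWN)

    def submit(self, sha256, data):
        verdict = self.sandbox.analyze(data)
        self.reputations[sha256] = verdict
        self.bus.publish(sha256, verdict)       # gateways, firewalls and endpoints learn at once
        return verdict


class Endpoint(EnforcementPoint):
    def __init__(self, name, bus, broker):
        super().__init__(name, bus)
        self.broker = broker
        self.quarantined = False
        self.log = []

    def open_file(self, data):
        sha256 = hashlib.sha256(data).hexdigest()
        reputation = self.broker.lookup(sha256)
        if reputation is Reputation.UNKNOWN:
            # Contain the host before asking: its network traffic stays blocked
            # until the verdict comes back, whatever the user does meanwhile.
            self.quarantined = True
            self.log.append("quarantined")
            reputation = self.broker.submit(sha256, data)
            self.quarantined = False
            self.log.append("released")
        action = "run" if reputation is Reputation.TRUSTED else "blocked"
        self.log.append(action)
        return action


def scenario():
    """Two endpoints open the same two files; returns what each component decided."""
    bus, sandbox = DataExchangeLayer(), Sandbox()
    broker = ReputationBroker(bus, sandbox)
    gateway = EnforcementPoint("web-gateway", bus)
    firewall = EnforcementPoint("third-party-firewall", bus)
    alice = Endpoint("alice-laptop", bus, broker)
    bob = Endpoint("bob-laptop", bus, broker)
    benign = b"MZ constructed installer payload"
    malicious = b"MZ constructed dropper that will drop-ransom-note"
    actions = (alice.open_file(benign),        # unknown -> quarantine -> sandbox -> trusted
               bob.open_file(benign),          # already trusted: runs, no second detonation
               alice.open_file(malicious),     # unknown -> sandbox -> malicious
               bob.open_file(malicious))       # blocked instantly from the published verdict
    return {
        "actions": actions,
        "detonations": sandbox.detonations,
        "gateway_allows_benign": gateway.permits(hashlib.sha256(benign).hexdigest()),
        "firewall_blocks_malicious": not firewall.permits(hashlib.sha256(malicious).hexdigest()),
        "alice_log": alice.log,
        "bob_log": bob.log,
    }


if __name__ == "__main__":
    print(scenario())
```

Two design points carry over to real deployments: the key is the file hash, so a verdict applies to every copy of the file and not just the one that was analyzed, and enforcement points deny by default, so a component that never received the broadcast fails closed rather than open.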
 

With existing technologies it is possible to provide better protection and faster incident response than companies get today.

The latest version of McAfee Threat Intelligence Exchange lets you react to threats in milliseconds within a collaborative environment, including with third-party solutions, while protecting your entire network.

The post Speed, a characteristic of recent threats to your network appeared first on McAfee Blogs.
SIEM, a line of defense against next-generation threats https://securingtomorrow.mcafee.com/languages/espanol/siem-una-linea-de-defensa-adecuada-contra-las-amenazas-de-ultima-generacion/ Wed, 09 Mar 2016 17:08:25 +0000
It is 3 a.m. and on one of a company's servers a piece of malicious code "wakes up" after the security system, having inspected it, approved moving it out of the quarantine area to another machine where safe files are handled. The next morning the systems staff discover that valuable company data has been stolen. This is what next-generation threats look like.

This scenario, which sounds like science fiction, is faced more and more by companies that are not prepared to protect themselves from these advanced threats. Meanwhile, the dynamic evolution of Information and Communication Technologies (ICT) has made the fantasies of more than one technology visionary come true: computing at our fingertips, video conferences with the other side of the world (even from our smartphones) and Big Data that lets companies predict consumer trends; but great technological advances bring security challenges with them.

According to the McAfee Labs 2016 Threats Predictions report, by 2019 there will be 4 billion users, up from 3 billion in 2015; smartphones will go from 3.3 billion in 2015 to 5.9 billion in 2019; and data will grow from 8.9 zettabytes in 2015 to 44 zettabytes in 2019.

The threat development environment is as dynamic as that of leading-edge technologies; one example is today's advanced evasion techniques (AETs), capable of erasing the traces they leave, with which malware authors can get past common security systems.

Against these threats, a next-generation Security Information and Event Management (SIEM) system is the best option. SIEM started out as log compilation and compliance reporting and is now a complex tool that collects, stores, normalizes, correlates and analyzes data from a large number of network devices, with which it can deliver security intelligence as well as a baseline of a network's typical behaviour.

These are the characteristics of a next-generation SIEM:

  • An advanced SIEM must be designed for Big Data speeds and volume requirements: able to scale data collection by feeding in more sources, to process larger and more diverse sets at very high event rates, and to store millions of records so that real-time and historical data can be analyzed for indicators that a network is compromised.
  • It must operate in a dynamic context, since security professionals focus their monitoring on the valuable assets at greatest risk; in this environment that need can be met because irrelevant information can be filtered out while external and internal systems are categorized based on their past behaviour.
  • It can perform security analytics, generating deep analysis that becomes more advanced when other security solutions are integrated. For example, with vulnerability data a SIEM can build a map of asset vulnerabilities to meet the confidentiality and integrity requirements a company has defined.
  • It must be easy to use: centralized management provides improved accessibility through a web user interface, so IT teams can determine the magnitude of the risk.

“A grandes males, grandes remedios”, dice una frase muy conocida, y en el combate de las amenazas de seguridad de última generación está mejor aplicada que nunca, por eso es conveniente que usted evalúe si su línea de defensa está a la altura del reto que representa el malware complejo de nuestros días.

La última versión de McAfee Enterprise Security Manager (ESM), v9.5, aumenta las capacidades de su equipo con una mayor supervisión en tiempo real, análisis automatizado del historial, operaciones simplificadas, y una mayor integración con la inteligencia de amenazas. Lo invitamos a visitar el soporte de McAfee Service Portal para  SIEM.


When You’re Overwhelmed With Alerts, It’s Time to Automate
https://securingtomorrow.mcafee.com/business/optimize-operations/when-youre-overwhelmed-with-alerts-its-time-to-automate/
Tue, 08 Mar 2016 14:00:24 +0000

The post When You’re Overwhelmed With Alerts, It’s Time to Automate appeared first on McAfee Blogs.
In a number of recently publicized breaches, and probably many other attacks, information that could have enabled the security team to catch and contain the attack was lost in the sheer volume of alerts. Your security team is getting alerts from internal sensors, threat intelligence from multiple sources, and potential indicators of attack or compromise from your security countermeasures. Relying on human filters to decode, deduce, and decide what is relevant takes valuable time and can result in long delays between attack, detection, and containment.

I believe that the solution to this volume of data is to build automation and active awareness of their environment into SIEMs. Security analysts need timely and relevant information to be most effective. Wading through wave after wave of data from a variety of sources, looking for highly credible threat artifacts and correlating them with the organization’s inventory of digital assets, is not the best use of these skilled resources. Taking appropriate action may require their knowledge and judgment, but filtering and correlating the flow of data is a rules-based task that can be delegated to adaptive machine algorithms.

Threat intelligence comes from a wide range of sources of varying credibility. I am not proposing that we automate and delegate all of the threat remediation actions. Nor do we want a system that can be gamed by someone with malicious intent, for example by injecting false positives into the intelligence stream to prevent communication between legitimate partners. Incoming threat data includes information on the source and on how the data was gathered: whether it comes from a public report, from sandbox isolation and execution of the code, or from activity captured on an infected endpoint. The headers of the threat notices also contain details to verify that the contents of the message have not been tampered with and to let you calculate the trust level of the source.

The trust level of the source and the method of data collection provide the foundation for a threat credibility score. As additional notices come in, they are evaluated to substantiate the initial threat, increasing or decreasing the credibility score appropriately. As vendors, government organizations, or other companies identify suspicious or confirmed threats in their environment, that information can be quickly shared via community-based information sharing and analysis centers. If you receive multiple indicators of a similar threat, you can compound the credibility score. Then, depending on the nature of the threat and the credibility score, you can decide whether this is an issue that can be remediated automatically or whether it requires further investigation and the judgment of a security analyst.

Another advantage of automating the collection and parsing of this information is the ability to look back in time. Once you have identified the key characteristics of a particular threat, whether code samples, hash values, registry changes, or other effects, the system can automatically scan your network for occurrences of the threat over the preceding weeks or months, and isolate or eradicate them.
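The credibility-score idea from the preceding paragraphs (source trust times collection method, compounded by independent corroboration, with a decision threshold) and the retrospective hunt described here can be sketched in a few dozen lines. The following Python is an added example, not code from the McAfee post or from any McAfee product; the trust weights, thresholds, log format, indicator hashes and log lines are all constructed for illustration. The one design point worth noting is that automatic remediation requires corroboration from at least two distinct sources, which is the property the post asks for when it warns against a single party gaming the intelligence stream.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# --- Constructed parameters (assumptions, not values from the McAfee post) ---
SOURCE_TRUST = {            # trust level of the notice's origin, 0..1
    "vendor_feed": 0.9,
    "isac_share": 0.8,
    "public_report": 0.5,
    "anonymous_paste": 0.2,
}
METHOD_WEIGHT = {           # how the indicator was gathered, 0..1
    "sandbox_execution": 1.0,
    "infected_endpoint": 0.9,
    "public_report": 0.6,
}
AUTO_REMEDIATE_SCORE = 0.9  # constructed thresholds
ANALYST_REVIEW_SCORE = 0.5
MIN_INDEPENDENT_SOURCES = 2  # one source alone can never trigger automatic action


@dataclass
class ThreatNotice:
    indicator: str        # e.g. SHA-256 of a sample
    source: str
    method: str
    header_intact: bool   # result of verifying the notice's integrity fields


@dataclass
class ThreatRecord:
    indicator: str
    score: float = 0.0
    sources: Set[str] = field(default_factory=set)


def notice_weight(n: ThreatNotice) -> float:
    """Source trust times collection-method weight; a tampered notice counts for nothing."""
    if not n.header_intact:
        return 0.0
    return SOURCE_TRUST.get(n.source, 0.1) * METHOD_WEIGHT.get(n.method, 0.3)


def update_record(records: Dict[str, ThreatRecord], n: ThreatNotice) -> ThreatRecord:
    """Fold one notice into the running credibility score for its indicator."""
    rec = records.setdefault(n.indicator, ThreatRecord(n.indicator))
    w = notice_weight(n)
    if w == 0.0:
        return rec
    if n.source in rec.sources:
        # A repeat from the same source adds only a small increment
        rec.score = min(1.0, rec.score + 0.05 * w)
    else:
        # Independent corroboration compounds (noisy-OR): 1 - prod(1 - w_i)
        rec.score = 1.0 - (1.0 - rec.score) * (1.0 - w)
        rec.sources.add(n.source)
    return rec


def decide(rec: ThreatRecord) -> str:
    if rec.score >= AUTO_REMEDIATE_SCORE and len(rec.sources) >= MIN_INDEPENDENT_SOURCES:
        return "auto_remediate"
    if rec.score >= ANALYST_REVIEW_SCORE:
        return "analyst_review"
    return "monitor"


# --- Retrospective hunt over constructed endpoint log lines ---
HASH_A = "deadbeef" * 8   # constructed 64-hex indicator
HASH_B = "cafef00d" * 8
SAMPLE_LOGS = [           # constructed key=value log lines, not real product output
    f"2016-02-19T08:01:12Z host=ws-17 event=process_create sha256={HASH_A}",
    f"2016-02-20T10:12:03Z host=ws-42 event=file_write sha256={HASH_A}",
    f"2016-02-20T11:00:00Z host=ws-09 event=process_create sha256={HASH_B}",
    "2016-02-21T09:30:00Z host=ws-17 event=logon user=alice",
]


def parse_log_line(line: str) -> Dict[str, str]:
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    fields.update(re.findall(r"(\w+)=(\S+)", rest))
    return fields


def retro_hunt(indicators: Set[str], log_lines: List[str]) -> List[Dict[str, str]]:
    """Return every past log record whose sha256 matches a hunted indicator."""
    hits = []
    for line in log_lines:
        f = parse_log_line(line)
        if f.get("sha256") in indicators:
            hits.append({"ts": f["ts"], "host": f["host"], "event": f["event"], "sha256": f["sha256"]})
    return hits


def run_pipeline(notices: List[ThreatNotice], log_lines: List[str]):
    """Score all notices, then hunt the log history only for indicators cleared for automatic action."""
    records: Dict[str, ThreatRecord] = {}
    for n in notices:
        update_record(records, n)
    decisions = {ind: decide(rec) for ind, rec in records.items()}
    to_hunt = {ind for ind, d in decisions.items() if d == "auto_remediate"}
    return decisions, retro_hunt(to_hunt, log_lines)


if __name__ == "__main__":
    demo_notices = [
        ThreatNotice(HASH_A, "vendor_feed", "sandbox_execution", True),
        ThreatNotice(HASH_A, "isac_share", "infected_endpoint", True),
        ThreatNotice(HASH_A, "anonymous_paste", "public_report", False),  # tampered: ignored
        ThreatNotice(HASH_B, "public_report", "public_report", True),
    ]
    print(run_pipeline(demo_notices, SAMPLE_LOGS))
```

Running the demo scores HASH_A at 0.972 from two independent sources (cleared for automatic remediation, and found on ws-17 and ws-42 in the log history), while HASH_B from a single public report stays at 0.3 and is merely monitored.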

Every security team I have spoken with is trying to do more with less, and the increasing volume of alerts and attack surface is certainly contributing to the more part. As we are inundated with security event info, we need to quickly filter that flood to focus on what is most credible and most important. Reducing time to detection and time to containment or remediation are the goals, and SIEM automation is at least part of the answer.

Click here to learn more about SIEM, and for all the latest industry updates, follow us on Twitter at @IntelSecurity.

McAfee Application Control 7.0: New Threat Intelligence-Based Approaches and Strategies
https://securingtomorrow.mcafee.com/business/optimize-operations/application-control-7-0/
Tue, 16 Feb 2016 16:32:14 +0000

The post McAfee Application Control 7.0: New Threat Intelligence-Based Approaches and Strategies appeared first on McAfee Blogs.
Security experts have long debated the merits of whitelisting versus blacklisting. While the first intuitively seems more secure, the reality is that whitelisting is also more difficult to implement and manage. Strategic decisions are driven by organizational needs, which seems to recast the question: do businesses prioritize security over efficiency with whitelisting, or vice versa?

In fact, this type of thinking extends beyond the choice between whitelisting or blacklisting. While trade-offs are an unavoidable aspect of decision-making, shouldn’t we be finding solutions that can maximize the yield of both factors?

We need adaptive solutions, ones that can accommodate today’s IT environment. With the proliferation of applications in the cloud and the data center, users want flexible access, which simultaneously increases risk. We can no longer live with solutions that trade off efficiency against security to meet increasing demand; we need security solutions that are both efficient and secure.

Several factors demonstrate this need.

  • There are more unknown and unwanted applications than ever before.
  • Global intelligence alone is becoming insufficient due to the large number of unique malware samples.
  • We need quicker response speeds to contain malware.

When new challenges like these arise, it’s not IT’s job to simply identify the easiest method with the least trade-off, but to find a solution to accomplish the necessary tasks with the smartest method. What if there was an intelligent and efficient method of whitelisting, suited to today’s environment?

The beauty is that more data leads to better decision making. What if observations from multiple sources could inform each other in real time? We designed McAfee Application Control 7.0 with this in mind.

Historically, McAfee Application Control has taken advantage of global data to benefit organizations. McAfee Global Threat Intelligence (GTI), an exclusive technology based on real-time information from millions of sensors worldwide, provides threat intelligence. Data from our large network allows the reputation of files, messages, and senders to be classified for monitoring purposes.

While that is certainly useful, we’ve realized that global information is even more valuable when complemented with local data. We’ve extended the use of local knowledge to threat containment in McAfee Application Control 7.0. With our latest release, users can leverage McAfee Threat Intelligence Exchange (TIE) for local intelligence, and they can use McAfee Advanced Threat Defense (ATD) to analyze the behavior of unknown applications in a sandbox. All endpoints are automatically immunized against newly detected malware, shortening the response time from days or weeks to milliseconds. Users get complete and fast protection, as detailed in the image below.


In addition to allowing software execution based on an approved whitelist, local and global reputation, and sandbox test verification, McAfee Application Control can also use a Dynamic Trust Model. In this model, some programs are identified as trusted, which allows them to create or modify applications. Provisioning and patching tools are obvious choices, and an observation mode feature automatically suggests new programs to be included as well. By also including trusted certificates, directories, and users, you have a lot of flexibility.
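To make the trust sources listed above concrete, here is an added Python example of a whitelisting decision that combines an approved-hash list, trusted signing certificates, directories, users and updater processes with a reputation verdict, plus an observation-mode helper that proposes updater candidates from file-write activity. This is illustration code written for this page, not McAfee Application Control's own logic or policy format; the rule ordering, the policy values, the `known_good`/`known_bad`/`unknown` reputation labels and the sample requests are all assumptions. One deliberate choice: a known-malicious reputation verdict is checked before any static trust rule, so a trusted directory or certificate cannot be used to run something that reputation has already condemned.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class ExecRequest:
    """An attempt to run a binary, as an endpoint agent would see it (constructed)."""
    path: str
    sha256: str
    signer: Optional[str]   # code-signing certificate subject, None if unsigned
    user: str
    parent: str             # process that wrote or launched the binary
    reputation: str         # "known_good" | "known_bad" | "unknown" (assumed labels)


@dataclass
class TrustPolicy:
    """Constructed policy holding the trust sources the post names."""
    allowed_hashes: Set[str]
    trusted_signers: Set[str]
    trusted_dirs: Set[str]
    trusted_users: Set[str]
    trusted_updaters: Set[str]      # lower-case process names
    observe_only: bool = False      # observation mode: report instead of enforce


def evaluate(req: ExecRequest, pol: TrustPolicy) -> Tuple[str, str]:
    """Return (decision, reason); decision is allow, block or would_block."""
    block = "would_block" if pol.observe_only else "block"
    # A known-malicious verdict from local/global reputation wins over static trust
    if req.reputation == "known_bad":
        return (block, "reputation: known malicious")
    if req.sha256 in pol.allowed_hashes:
        return ("allow", "hash on approved whitelist")
    if req.signer and req.signer in pol.trusted_signers:
        return ("allow", f"signed by trusted certificate {req.signer}")
    path = req.path.lower().replace("/", "\\")
    if any(path.startswith(d.lower()) for d in pol.trusted_dirs):
        return ("allow", "located in trusted directory")
    if req.user in pol.trusted_users:
        return ("allow", f"launched by trusted user {req.user}")
    if req.parent.lower() in pol.trusted_updaters:
        return ("allow", f"written by trusted updater {req.parent}")
    if req.reputation == "known_good":
        return ("allow", "reputation: known good")
    # Unknown, unsigned, from an untrusted origin: hold it for sandbox analysis
    return (block, "unknown file: submit for sandbox verdict")


def suggest_updaters(file_writes: List[Tuple[str, str]], pol: TrustPolicy,
                     min_paths: int = 3) -> List[str]:
    """Observation-mode helper: a process that writes executables to several
    distinct paths is a candidate for the trusted-updater list."""
    seen: Dict[str, Set[str]] = {}
    for parent, path in file_writes:
        if path.lower().endswith((".exe", ".dll")):
            seen.setdefault(parent.lower(), set()).add(path.lower())
    return sorted(p for p, paths in seen.items()
                  if len(paths) >= min_paths and p not in pol.trusted_updaters)


# Constructed sample policy and requests
POLICY = TrustPolicy(
    allowed_hashes={"aa" * 32},
    trusted_signers={"CN=Contoso Corp"},
    trusted_dirs={"C:\\Windows\\"},
    trusted_users={"svc_deploy"},
    trusted_updaters={"patchagent.exe"},
)
REQUESTS = [
    ExecRequest("C:\\Users\\bob\\tool.exe", "aa" * 32, None, "bob", "explorer.exe", "unknown"),
    ExecRequest("C:\\Users\\bob\\app.exe", "bb" * 32, "CN=Contoso Corp", "bob", "explorer.exe", "unknown"),
    ExecRequest("C:\\Windows\\System32\\calc.exe", "cc" * 32, None, "bob", "explorer.exe", "unknown"),
    ExecRequest("C:\\Program Files\\App\\upd.exe", "dd" * 32, None, "bob", "PatchAgent.exe", "unknown"),
    ExecRequest("C:\\Users\\bob\\dl.exe", "ee" * 32, None, "bob", "explorer.exe", "unknown"),
    ExecRequest("C:\\Users\\bob\\tool.exe", "aa" * 32, None, "bob", "explorer.exe", "known_bad"),
]

if __name__ == "__main__":
    for r in REQUESTS:
        print(r.path, evaluate(r, POLICY))
```

Running it allows the first four requests (hash, certificate, directory and updater respectively), blocks the unknown download pending a sandbox verdict, and blocks the last request even though its hash is whitelisted, because reputation already marks it malicious.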

The essential emphasis is on adaptive intelligence, or getting the most useful insights from the most relevant information and implementing the security posture that is right for you. These are what make McAfee Application Control 7.0 unique.

It’s clear that today’s environment is rendering forced trade-offs between security, business efficiency, and adaptability quite undesirable. Instead, the task should be to find IT solutions that remove these limitations in the first place. Using McAfee Application Control 7.0 is a jump towards this direction.

Click here to learn more about McAfee Application Control 7.0 and for all the latest industry updates, follow us on Twitter at @IntelSecurity.

It’s Time Your Defenses Started Talking
https://securingtomorrow.mcafee.com/business/optimize-operations/defenses-start-talking/
Thu, 21 Jan 2016 19:18:21 +0000

The post It’s Time Your Defenses Started Talking appeared first on McAfee Blogs.
In today’s enterprise environment, cybersecurity demands a multi-pronged approach. Usually, this involves different solutions for various endpoints, networks and clouds. This approach, however, follows a familiar plot: different security technologies wind up giving you similar stories, without insight into what you actually need to know to adjust and harden your defenses or policies. If your security solutions could talk to each other and tell you in plain language what they are seeing and doing, these stories might change into something useful.

With McAfee Endpoint Security 10 (ENS 10), your organization gets a framework that brings multiple defenses together, enabling them to talk and collaborate against new and advanced threats in real time. Not only does it do all of this quickly (unnoticeably to your users), it also summarizes, in common, understandable reporting, what actions it took, why, and how, so you can understand how to make adjustments to tighten your policies.

ENS 10 accomplishes this through a communication fabric that allows the Threat Prevention, Web Firewall and the available Threat Intelligence Exchange modules to consult, leverage and inform each other whenever suspicious files, network activities or web traffic are detected. For example, if a web traffic request is suspected of malicious activity, the Threat Prevention module will be consulted and used to scan for threats, automatically blocking them while informing the other modules and flagging suspicious activities for deeper inspection. This saves time, money, and, most importantly, valuable security resources. It’s like an automated committee meeting for your security solutions: it gets rid of redundant information and technologies and provides you with a simplified framework for stronger security today that you can continue to build upon in the future.

McAfee Threat Intelligence Exchange (TIE) is a good example of how the ENS 10 architecture lets you easily add technologies. TIE pulls multiple threat information sources together to better detect and flag known and newly found malicious files and activities. It can receive unknown files from ENS 10 and work to establish a verdict on the file’s risk. Files unique to your organization are the most worrisome and the most likely to be involved in a targeted attack. That verdict can be simultaneously communicated to ENS 10 to inform it of the latest threats and suspected advanced targeted attacks (ATAs) witnessed around the globe. ENS 10 can then flag and take action using the massive intelligence TIE offers to automatically defend against the very latest forms of attack as they emerge. You can also set up your own rules to filter out files and certificates that you know are safe or unsafe. This helps focus your protections and limited resources on the truly unknown – where the risk is.


Figure 1 – This diagram shows how TIE works with Endpoint Security and other security solutions to connect defenses together to stop new and unknown threats.

It’s time for your defenses to start talking to each other with ENS 10. By calling a conference of integrated security solutions, ENS 10 brings multiple endpoint defense technologies together, rather than alone, to block new and advanced threats before they affect systems and users. It does so with minimal impact to end users, thanks to its zero-impact scanning technology, while providing maximum protection to your systems.

Click here to learn more about ENS 10 and for all the latest updates on Endpoint Security follow us on Twitter at @IntelSecurity.

You can also visit the Intel Security Booth #N3705, North Expo at the RSA conference in San Francisco to learn more about Endpoint Security 10.

Customers Get a Jump on Targeted Attacks with McAfee Threat Intelligence Exchange
https://securingtomorrow.mcafee.com/business/optimize-operations/customers-get-jump-on-targeted-attacks/
Mon, 28 Sep 2015 22:44:29 +0000

The post Customers Get a Jump on Targeted Attacks with McAfee Threat Intelligence Exchange appeared first on McAfee Blogs.
Targeted attacks are alive and well. According to the Verizon 2015 Data Breach and Investigations Report, 70% to 90% of malware samples are unique to a single organization. Detection and analysis of unique threat indicators are huge challenges for any organization, especially in a typical enterprise environment with security solutions from multiple vendors.

Today’s dynamic threat environment demands instant detection, analysis, and remediation of never-before-seen files when and where they first appear—on an endpoint, in the data center, at the gateway, or on the network. New threats need to be evaluated in real time against locally collected security data, as well as industry-shared threat intelligence, to enable detection of more threats at first exposure. The power of McAfee Threat Intelligence Exchange comes from its ability to detect emerging threats by operationalizing threat intelligence across an entire security infrastructure—regardless of industry.

From healthcare to banking, customers are using McAfee Threat Intelligence Exchange to uncover new threats as they appear.  Let’s take a look at Vidant Health, for example. This non-profit hospital headquartered in North Carolina implemented McAfee Threat Intelligence Exchange to close the gap between threat detection and protection.

“The last year has brought about substantial changes to advanced targeted threats—from the use of SSL to polymorphism. The jump is truly remarkable. A security team’s strength comes from making key decisions and acting very quickly, which has not been my experience with outsourced provider solutions,” said Kirk Davis, director of information security at Vidant Health. “The tools we choose today absolutely have to have the ability to dramatically improve, and, in some cases, automate that decision making in real time. McAfee Threat Intelligence Exchange promised to be the lynchpin in a connected security architecture, and, to my amazement, it works exactly as promised.”

What makes McAfee Threat Intelligence Exchange so revolutionary? It’s all about the shared communication across the entire security architecture, which helps detect threats and deliver protection in a timely manner. When it comes to targeted attacks, every second counts. “McAfee Threat Intelligence Exchange has been proven to reduce our exposure time from newly introduced advanced targeted attacks by delivering protection in real time when unknown files appear on our network,” Davis explained.

Here’s another McAfee Threat Intelligence Exchange success story in the banking sector. Yilmaz Ak, information security manager at Al Baraka Turk Participation Bank, has similar thoughts on the effectiveness of McAfee Threat Intelligence Exchange.

“McAfee Threat Intelligence Exchange has dramatically improved collaboration among our security solutions. Sharing threat data in real time to all of our systems has enabled us to achieve our security targets,” said Ak. Additionally, Al Baraka Turk Participation Bank was able to create automated, integrated, and easily manageable defense systems against current and future attacks with Intel Security technologies.

Success stories like these illustrate the key benefit of McAfee Threat Intelligence Exchange: it allows security products to communicate and share threat intelligence, so that no solution operates in a silo. This is the only way to combat today’s targeted attacks.

Join us at Intel Security’s FOCUS 15 Conference to learn more about what McAfee Threat Intelligence Exchange can do for your security infrastructure and how Intel Security customers use McAfee Threat Intelligence Exchange, including details about Vidant Health and Al Baraka Turk Participation Bank.

If you can’t make it to Las Vegas this year, be sure to check out our McAfee Threat Intelligence Exchange product page, and follow @McAfee on Twitter for all of the latest product updates.

What’s Better than McAfee Threat Intelligence Exchange? A Brand New McAfee Threat Intelligence Exchange 1.2!
https://securingtomorrow.mcafee.com/business/optimize-operations/brand_new_tie/
Mon, 21 Sep 2015 21:30:46 +0000

The post What’s Better than McAfee Threat Intelligence Exchange? A Brand New McAfee Threat Intelligence Exchange 1.2! appeared first on McAfee Blogs.
In their recent 2015 Global Business Technographics® Security Survey, Forrester reports that improving threat intelligence capabilities is a top priority for 71% of enterprises. But enterprises don’t need to improve their ability to gather threat intelligence—the abundance of shared intelligence and threat inputs is already overwhelming for security teams. Operationalizing the intelligence once you have collected it is the big challenge. It’s crucial to have a system that not only collects threat information, but also prioritizes and disseminates it to all your security control points in a timely and efficient manner. McAfee Threat Intelligence Exchange can operationalize threat intelligence in real time. It now allows inputs from more sources and is expanding its connection to more security solutions—from Intel Security and other security vendors.

Available today, McAfee Threat Intelligence Exchange 1.2 imports threat information from McAfee Global Threat Intelligence, third-party threat information, and Structured Threat Information eXpression (STIX) files. This information is harmonized with locally collected threat information, originating on your endpoints and servers, your sandboxing solution, and now, McAfee Web Gateway.

This global and local threat information is then shared throughout your entire Security Connected ecosystem in milliseconds, so that all your security control points can receive this data and act on it, applying appropriate remediations when and where they’re needed. Over the McAfee Data Exchange Layer, the Intel Security ecosystem acts as one, with seamless, real-time communication among all your solutions. That includes Intel Security products and solutions from other vendors, including ForeScout, TITUS, InfoReliance, CyberArk, TrapX and Avecto.

More details on McAfee Threat Intelligence Exchange 1.2, including partner and customer case studies and a live demo, will be shared at Intel Security FOCUS 15, October 26 to October 28.

Fastpass to SIEM ROI via Pre-built content for analysts and responders
https://securingtomorrow.mcafee.com/business/optimize-operations/fastpass-to-siem-roi/
Thu, 17 Sep 2015 17:32:43 +0000

The post Fastpass to SIEM ROI via Pre-built content for analysts and responders appeared first on McAfee Blogs.
In our previous blog, we covered how customizing SIEM for threat management requires both resources and expertise. As a result, Intel Security created “ready to go” content packs based on Gartner’s top use cases, targeting aspiring users who want to expand their SIEM detection and response use cases without spending countless hours and resources on tuning.

Over the past six months, multiple content packs have been delivered to all licensed ESM customers; they are intended to assist members of security operations teams.

  • For instance, the threat analyst gets new threat detection capabilities via hundreds of correlation rules and views, enabling visibility into cyber attack chain steps such as Reconnaissance, Exploit or Command & Control.
  • Incident response and security operations users can improve their visibility and understanding of the security infrastructure by reviewing firewall traffic, authentications or top blocked web domain trends.
  • Senior security management staff can assess their team’s productivity by getting more insight into escalated cases, the progress of investigations, and a summary of all detected malware and correlation activity.
  • And finally, the SIEM administrator will be able to implement these new use cases faster with the detailed instructions and related McAfee ESM system settings included in the content pack.

Outcomes for organizations are, of course, about maturing security analytics and investigations and moving towards a proactive, streamlined threat management model. The use cases and elements that enable these analytics are manifold.

  • Use Case 1: Expand detection across the cyber-attack chain. Rather than just throwing hundreds or thousands of rules or alarms at users, correlation rules have been grouped inside the content packs to help security organizations detect, prioritize and take corrective actions across the cyber-attack chain spectrum. For instance, reconnaissance activity can be detected via 58 new correlation rules grouped under the “Recon” content pack, weaponization steps can be revealed via the abnormal traffic pattern discovery rules provided in the Web Filtering content pack, and control activity can be analyzed via the alarms and views in the Authentication content packs.
  • Use Case 2: Accelerate investigations. The same is true for the provided views and reports, which have been designed specifically to help the user accelerate investigations. For instance, by opening the “web filtering view” the analyst can review all external web connections, dive down into denied connections, and prioritize with a single click only those endpoints with potential unwanted applications and redirections.
  • Use Case 3: Peer analysis. Another popular security analytics use case is based on peer analysis: comparing, on a user-by-user or host-by-host basis, geolocations or zones inside the organization, and allowing the analyst to filter high-risk users or hosts based on all the evidence stored in ESM. This analysis is less dependent on predefined correlation rules and leverages contextual elements to detect adversarial activity as well as potential weaknesses in the existing security infrastructure.
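The peer-analysis use case above can be shown as a small piece of detection logic: for each user, compare the source countries of their logons against the logons of everyone else in the same zone (leave-one-out, so a user's own activity cannot normalize itself), and flag users whose activity comes from countries that are rare or absent among their peers. This is an added Python example written for this page, not an ESM rule or view; the key=value log format, the zone and country values, the 10% rarity threshold and all the authentication lines below are constructed. Users who have no peers in their zone are skipped rather than flagged, since there is nothing to compare against.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed authentication events in a key=value line format (not real ESM output)
AUTH_LOGS = [
    "2015-09-10T08:02:11Z user=alice zone=finance src_country=US result=success",
    "2015-09-11T08:05:42Z user=alice zone=finance src_country=US result=success",
    "2015-09-10T09:14:03Z user=bob zone=finance src_country=US result=success",
    "2015-09-12T07:51:20Z user=bob zone=finance src_country=CA result=success",
    "2015-09-10T09:20:00Z user=dave zone=finance src_country=US result=success",
    "2015-09-13T10:02:35Z user=dave zone=finance src_country=CA result=success",
    "2015-09-10T08:45:10Z user=carol zone=finance src_country=US result=success",
    "2015-09-11T08:40:55Z user=carol zone=finance src_country=US result=success",
    "2015-09-14T02:13:09Z user=carol zone=finance src_country=RU result=success",
    "2015-09-10T08:00:00Z user=erin zone=eng src_country=DE result=success",
    "2015-09-11T08:00:00Z user=erin zone=eng src_country=DE result=success",
    "2015-09-10T08:10:00Z user=frank zone=eng src_country=DE result=success",
    "2015-09-12T08:10:00Z user=frank zone=eng src_country=CA result=success",
    "2015-09-10T08:20:00Z user=gina zone=eng src_country=DE result=success",
    "2015-09-12T08:20:00Z user=gina zone=eng src_country=CA result=success",
    "2015-09-10T08:30:00Z user=hank zone=ops src_country=GB result=success",
]

RARITY_THRESHOLD = 0.10  # constructed: a country seen in under 10% of peer logons is "rare"


def parse_event(line: str) -> Dict[str, str]:
    """Pull key=value fields out of one constructed log line."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def peer_analysis(lines: List[str], threshold: float = RARITY_THRESHOLD) -> List[Dict]:
    """Score each user by the share of their logons coming from countries that are
    rare among peers in the same zone. Returns only users with a non-zero risk,
    highest risk first."""
    events = [parse_event(l) for l in lines]
    by_zone: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for e in events:
        by_zone[e["zone"]].append(e)

    findings = []
    for zone, evs in by_zone.items():
        for user in sorted({e["user"] for e in evs}):
            mine = [e for e in evs if e["user"] == user]
            peers = Counter(e["src_country"] for e in evs if e["user"] != user)  # leave-one-out
            total = sum(peers.values())
            if total == 0:
                continue  # lone user in the zone: no peer baseline, so no verdict
            rare = sorted({e["src_country"] for e in mine
                           if peers[e["src_country"]] / total < threshold})
            flagged = sum(1 for e in mine if e["src_country"] in rare)
            if flagged:
                findings.append({"user": user, "zone": zone,
                                 "rare_countries": rare, "risk": flagged / len(mine)})
    return sorted(findings, key=lambda f: -f["risk"])


if __name__ == "__main__":
    for f in peer_analysis(AUTH_LOGS):
        print(f)
```

On the constructed data only carol is flagged: one of her three finance logons comes from a country none of her peers use, giving a risk of 0.33, while bob's and dave's Canadian logons are common enough among their peers to pass, and hank (the only user in ops) is skipped for lack of a baseline.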

In brief, content packs are a great enabler for organizations to expand the breadth and depth of their detection against the cyber-attack chain, as well as to reduce response efforts via their SIEM. Insights, implementation guidelines and examples are described for each content pack on the Expert Center and in KB articles.

For more information on the content packs, please visit the Expert Center.

Access the knowledge base articles at the McAfee Knowledge Center.

Is Your SIEM ‘Ready To Go?’
https://securingtomorrow.mcafee.com/business/optimize-operations/siem-ready-go-2/
Mon, 24 Aug 2015 18:47:52 +0000

The post Is Your SIEM ‘Ready To Go?’ appeared first on McAfee Blogs.
The massive amount of log, event and flow data within the SIEM offers security analysts answers to essential security questions such as “who is accessing critical business systems,” or, more importantly, “was there any anomalous activity before, during or after the connection?”

To get all these answers, though, users need to filter, correlate, and view relevant events by adding knowledge or “Content” to the SIEM system. Typically, the SIEM expert creates and maintains the arsenal of dashboard views, correlation rules, watchlists, alarms, and reports related to this data processing. They draw on knowledge of event sources, related semantics and of course the targeted use cases. For example, creating correlation rules not only requires deep insights into the adversary activity, it also requires knowledge of the SIEM data system to create the right content without affecting system performance. The combination of the threat knowledge and required system configuration can be time consuming and challenging before the SIEM delivers on all of its value.

There’s new help for this operational burden and training hurdle. Starting in version 9.5, McAfee Enterprise Security Manager (ESM) customers can simplify operations with “ready to go” content packs for top security use cases such as those described by Gartner Analyst Anton Chuvakin in one of his blogs. Now SIEM users can respond to threats or compliance needs without wasting time understanding the event source output or creating the content from scratch. Additionally, SIEM administrators are unencumbered from the task of creating, tuning and maintaining use case-specific content.

Free, and easy to use

The frequently updated content packs include not only ‘best practices’ on how to set up McAfee ESM for a specific threat monitoring use case, they also hold all the ingredients (rules, dashboards, and reports) to get the desired outcome. Systems administrators save time and avoid trial and error by employing vendor-supplied content as they mature their related policies and procedures.

Built by Intel Security SIEM experts, these content packs are distributed free of charge. Users can review, select, download and deploy the SIEM content configurations directly from within the McAfee SIEM user interface. Guidelines on intended usage, related device types, and pre- and post-installation steps are explained to the system administrator for better insight into the expected outcomes of the targeted use case. After installation, most of the content, including reports and correlation rules, can be tailored to user-specific enterprise environments. Distribution of the content packs is provided via the existing McAfee ESM Rules Server, so no additional network or firewall changes are required to get access to the updates. This also allows new content to be published and deployed between software release cycles, and updates to be applied without any operational downtime for the SIEM platform.

For more information on the content packs, please visit the expert center, here.

The KB articles are available by logging on to kb.mcafee.com and typing “siem content pack”:*/title into the search bar.

Intel Security Named a Leader in Gartner Magic Quadrant for Security Information and Event Management (Tue, 11 Aug 2015) https://securingtomorrow.mcafee.com/business/optimize-operations/intel-security-named-leader-gartner-magic-quadrant-security-information-event-management/

For the fourth year in a row, McAfee landed in the leader’s quadrant of the Magic Quadrant for Security Information and Event Management (SIEM) report, published by Gartner, Inc. The annual report, which came out in late July, evaluates vendors who offer SIEM products on both the ability to execute and completeness of vision.

The report serves as a survey of the enterprise security landscape with Gartner highlighting early detection of targeted attacks and breach occurrences as the greatest area of unmet need. “Organizations are failing at early breach detection, with more than 92% of breaches undetected by the breached organization. The situation can be improved with stronger threat intelligence, the addition of behavior profiling and better analytics.”

Intel Security’s Security Connected integrations, breadth of device support, ease of data consumption, querying capabilities and enterprise scalability of McAfee Enterprise Security Manager (ESM) comprised a “completeness of vision” that helped it retain its placement in the top three vendors.

The active integrations that McAfee Enterprise Security Manager offers with McAfee ePolicy Orchestrator software for policy-based endpoint management, McAfee Network Security Manager for intrusion prevention and McAfee Vulnerability Manager for vulnerability scanning and remediation—in addition to recent enhancements like McAfee’s Advanced Threat Defense (ATD), Threat Intelligence Exchange (TIE) and support for AWS deployment—all helped Intel Security stay ahead of the competition.

McAfee provides the threat intelligence needed for combating today’s advanced threats. In order to detect threats, McAfee Enterprise Security Manager prioritizes potential threat alerts before they occur and analyzes data for patterns indicating larger threats. McAfee ESM also leverages contextual information (such as threat feeds, IOCs, vulnerability scans, asset and identity management systems) for a better understanding of the impact security events can have on business processes—all of which is available in dedicated dashboards for cyber threat management and risk analytics.

To learn more about how McAfee® ESM can benefit your organization, visit our website and read the full Gartner report here.

Gartner, Inc., “Magic Quadrant for Security Information and Event Management,” by Kelly M. Kavanagh, Mark Nicolett, Oliver Rochford July 20, 2015. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from McAfee. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.


Beat the Ticking Clock Against Emerging Threats (Wed, 01 Jul 2015) https://securingtomorrow.mcafee.com/business/optimize-operations/beat-ticking-clock-emerging-threats/

In order to beat today’s advanced threats, your security defense system relies on good communication. However, when your security posture is dependent on a slew of different products from a spread of vendors, communication can break down. This breakdown in communication means you’re losing valuable time in detecting cyberthreats.

To address this communication breakdown, there needs to be a way to tie separate security solutions together for coordinated, more comprehensive protection.

Luckily, McAfee Threat Intelligence Exchange (TIE) brings individual security components together to work as a single security system. This puts endpoint networks and gateways, global threat intelligence, local reputation and third-party intelligence all in the same plane. Organizations are benefiting from having a unified system sharing threat intelligence on emerging threats as they appear.

“McAfee’s Threat Intelligence Exchange will dramatically reduce the time from threat encounter to containment by delivering protection from new and unknown advanced threats,” said Paul Baltzell, CIO at State of Indiana, Office of Technology. “Our continued investment in the McAfee Security Connected platform makes our security solutions more efficient and flexible, optimizing the security for our organization while driving down our operational costs.”


TIE helps to detect new and emerging threats wherever they appear, apply universal protection and deliver instantaneous responses. It also allows each separate element of your security infrastructure to communicate with one another easily, enabling your organization to detect advanced threats without interruption. This improved communication, flowing between McAfee security solutions as well as other vendor security solutions, lowers incident response time, makes for easy containment, and in turn, gives you an advantage over cybercriminals.

Cyberattacks unfold and progress through a number of predictable stages. We call this the cyberattack chain, which runs from information gathering and scanning all the way down to penetration and pillaging. Understanding each step of the chain, and what a hacker aims to accomplish during them, is the key to disrupting an attack.

For example, when using a unified threat intelligence system like TIE, you can inspect contextual attributes, examine suspicious packages and uncover the prevalence of an executable throughout a network. If the executable in question has a low trust score, your system can then quarantine, detonate or inspect the file, which would otherwise remain undetected.


With McAfee TIE, this can be done regardless of the infrastructure involved. That’s because TIE provides admins with centralized control, making it easy to take immediate actions across distributed infrastructures without having to use DAT file updates. Threat information is instantly shared everywhere in the organization.

In security, time really is the name of the game. Nineteen percent of advanced targeted attacks take weeks to discover, another 14 percent take months to find and another two percent take years to even detect. TIE enables you to cut your detection and remediation time drastically, reducing your risk of exposure.

Want more info on how TIE can be used to fight digital threats in your organization? Check out our TIE community page here for additional resources, and don’t forget to follow @McAfee for the latest product updates.

FOCUS 15 is just a few months away, where we will be demonstrating how you can tie the disparate security solutions in your environment into a comprehensive and actionable Security Connected architecture. Don’t miss it!

Hackers Gonna Hack! Here’s How to Fight Back (Tue, 23 Jun 2015) https://securingtomorrow.mcafee.com/business/optimize-operations/hackers-gonna-hack-heres-fight-back/

Nobody ever said network defense was easy.

If you’re in charge of protecting your enterprise’s digital assets, the one thing you always seem to be fighting is time. Even after you have read every security analyst report on the market and deployed best-of-breed security products, if your IT security and data protection tools don’t work together, time will still not be on your side during an attack.

Most organizations today attempt to create an IT security masterpiece with a slew of products from multiple vendors, each addressing a different aspect of the IT environment and a different area of risk. However, when you don’t understand how hackers find vulnerabilities within your siloed endpoint, gateway and datacenter security systems, you won’t stand a chance at stopping them.

At FOCUS 14, we had the opportunity to challenge attendees to think like a hacker, demonstrating the six steps that hackers take when launching attacks. While hackers improve the technologies they use every year, their methodologies have been the same for decades. Once you learn to spot these six phases of intrusion within your network, you’re one step closer to a hacker-proof enterprise:

  1. Information gathering

When hackers plan an attack, the first thing they do is pick a target organization, and identify the address space they will be attacking. Then, they begin gathering IP addresses and names of high-profile people within the environment who are likely to hold sensitive corporate or personal data.

  2. Scanning

After a hacker has a full list of employee targets, they begin the scanning process. That includes scanning for specific instances of vulnerable applications running in an environment.

  3. Enumeration

Once a hacker has identified the application they are after, they determine the precise versions of the technology they can penetrate. For example, a hacker might target an Apache HTTP server, and home in on Apache Struts.


  4. Penetration

Once they find a point of entry, the hacker begins compromising your web server, leveraging vulnerabilities or configuration issues to gain access. By determining how they can interact with the target application and underlying operating system, they infiltrate to survey how far they can expand an attack within your network.

  5. Escalation

Following penetration of your environment, a hacker’s next step is to create user profiles and escalate access privileges to spread threats as widely as possible.

  6. Pillaging

The final step of a hacker’s malicious process is pillaging. Unlike hacks of the past, today’s attacks are no longer about just compromising a server and defacing a website. Their mission is gaining access to credit card data, company trade secrets, customer information and personal identity information. The “real” hackers that we are concerned about are the ones with the tools to mine your data, and use it for their own benefit.

Knowing how hackers think and act is the first step in the direction of keeping your network safe, and fortunately for you there are tools, like McAfee Threat Intelligence Exchange (TIE), that you can implement to keep attacks at bay.

Want more info on how you can use TIE in your organization to fight digital threats? Make a stop on our TIE community page here for more information, and don’t forget to follow McAfee for the latest product updates.

If you missed this presentation at FOCUS 14, don’t worry! We will present a live, updated version at FOCUS 15, this October 26-28.

Stop Malware Dead in Its Tracks – 4 Steps to Detect & Eradicate Threats (Wed, 10 Jun 2015) https://securingtomorrow.mcafee.com/business/optimize-operations/stop-malware-dead-tracks-4-steps-detect-eradicate-threats/

Nineteen percent of advanced targeted attacks take weeks to discover. Fourteen percent take months to find. And, unfortunately, two percent take several years to surface.

With undetected attacks lurking around every corner, you need tools that can identify and eradicate threats fast.

The State of Detection and Correction

Unfortunately, even after an initial abnormality or threat is discovered, it can still take days or months to reach full discovery and containment. Well-funded hackers are continuing to hone their skills and create more sophisticated attacks that are even more complex in their tactics. Additionally, the most destructive malware is designed to evolve over time, making it increasingly difficult to detect.


Source: Driving Efficiency into Malware Detection and Eradication – FOCUS 14 Presentation.

Threats on the Horizon 

When targeted attacks are launched against your organization, you face the risk of stolen data and compromised devices, which not only means a possible data breach disclosure, but also leaked information reaching your competitors, extensive threat containment costs, and spoiled brand reputation.

Here are four simple steps to help you protect, detect and correct targeted attacks.

  1. Know Your Cyberattack Chain

While every cyberattack is unique in destruction capability, most still unfold and progress through a number of predictable stages, known as the cyberattack chain. When you understand the typical strategies intruders use to get into your network, you are better armed to defend your systems. Once you have identified the attack chain that cyberthreats could follow within your network, you can apply protection and mitigation strategies. In addition, it is essential to create a baseline of normal data flows to be used as a benchmark for detecting anomalies in your network.

  2. Adapt Your Security Solutions

In 2015, it is predicted that global IT security spending will hit over $76 billion. In a world where 362 new threats are occurring every minute, threat protection is more vital than ever. Isolated point products, no matter how great they are, will not stand up to the complexity of today’s attacks. It’s time for security to be as sophisticated as the attack—with integrated solutions that share threat intelligence and move from a reactive to proactive security posture, adapting with changes in the threat landscape.

  3. Use External Data

As a business, you have a vast amount of data at your disposal, which can be helpful in detecting and preventing cyberattacks. By collecting data on file reputation, for example, you can block known malicious files that could threaten your network. You can also analyze data from phishing emails to collect URL and domain data, use malware indicators to comprehend how malicious code affects various devices, or even leverage information about adversary networks so you know what web addresses to block.

  4. TIE It Up

When it comes to threats to your data, one of the biggest issues for enterprises is identifying how many systems have been infected. By using tools like McAfee Threat Intelligence Exchange (TIE), you can home in on where a malicious file was introduced. This also extends to how it spreads: whether the file shows up in Add/Remove Programs, drops items in the C:\temp folder, or hooks registry keys. TIE features the ability to integrate external threat feeds with local intelligence, enabling you to evaluate threats with third-party data.

That is just a taste of what McAfee Threat Intelligence Exchange can do to help you detect and eradicate malware in your organization. Want to learn more? Check out our Senior Director of Sales Engineering Chris Cole’s FOCUS 14 presentation or our Tech Talk Event, and follow @McAfee for new product updates.

Four Ways to Stretch Your SIEM For Complete Protection (Mon, 11 May 2015) https://securingtomorrow.mcafee.com/business/optimize-operations/four-ways-stretch-siem-complete-protection/

Organizations and enterprises today are more aware than ever of the dangers posed by cybercriminals and advanced persistent threats (APTs). So, how can they fight back against these online threats in a situation where one size never fits all?

One solution that we tout in our ‘When Minutes Count’ report: stretch your Security Information and Event Management (SIEM) solution! Getting the best protection out of your SIEM solution hinges on you taking the time to learn how to leverage your tools to their fullest extent. That is something we can provide right here, in this blog.

We’ve discussed how you can take into account the eight most common Indicators of Attack (IoAs) and the importance of going on the offensive with your SIEM solution to detect and disrupt threats in real-time. But there’s one last thing we need to cover: automating your SIEM solution for quicker detection and optimized threat prioritization.

To do this, CISOs and security admins must take advantage of all that a SIEM has to offer through its automation capabilities. Here’s how:

Use Threat Intelligence

Threat intelligence is a simple concept: protect your business with the shared security experiences from thousands of organizations and security vendors from around the globe. With access to up-to-date reputations for bad destinations and other dynamic attributes, using threat intelligence is critical for the success of your team. According to a customer base survey, McAfee Global Threat Intelligence users saw at least a 20 percent bump in prevention and a 29 percent reduced time to detection. Every percentage point counts when talking about protecting corporate information!

Data Collection and Aggregation

Knowing what your attackers are looking for is key to securing your organization, and that means identifying and hardening your organization’s valuable data. Documenting and baselining the characteristics of an asset — how it’s used, who is using it and how it could be attacked — can help to alert IT teams to unusual behavior, allowing them to act quickly. By getting IT and security teams to work together with business partners, you can better secure your organization.

Correlation and Rich Rules

With a proactive approach to security, organizations can significantly raise the barrier to entry for many cybercriminals. Correlation by a real-time SIEM solution can help IT teams achieve this goal by detecting suspicious activity automatically, immediately bringing a potential threat to their attention. But, barring the limitations of legacy tools, this can only be done when IT teams take the time to establish multiple-step rules and multiple-attribute logic with their SIEM solution.
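One way to picture a multiple-step, multiple-attribute correlation rule is a small evaluator run over a constructed event stream; this is an added example, not McAfee ESM code, and the event field names (ts, src_ip, host, action, outcome, user) are assumptions. The rule fires only when the same source IP records several failed logins to the same host inside a sliding window and then a successful login follows.

```python
"""Added example, not McAfee ESM code: a multi-step, multi-attribute
correlation rule evaluated over a constructed event stream.

Rule: for one (src_ip, host) pair, at least THRESHOLD failed logins
within WINDOW_MINUTES, followed by a successful login from that pair.
Field names (ts, src_ip, host, action, outcome, user) are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 3        # failures that must precede the success
WINDOW_MINUTES = 5   # sliding window in which those failures must fall

# Constructed sample events (not real logs); ISO-8601 timestamps.
SAMPLE_EVENTS = [
    {"ts": "2015-05-11T09:50:00", "src_ip": "10.0.0.7", "host": "db01",
     "action": "login", "outcome": "failure", "user": "svc_backup"},
    {"ts": "2015-05-11T09:51:00", "src_ip": "10.0.0.7", "host": "db01",
     "action": "login", "outcome": "failure", "user": "svc_backup"},
    {"ts": "2015-05-11T10:00:00", "src_ip": "10.0.0.5", "host": "web01",
     "action": "login", "outcome": "failure", "user": "admin"},
    {"ts": "2015-05-11T10:00:20", "src_ip": "10.0.0.5", "host": "web01",
     "action": "login", "outcome": "failure", "user": "admin"},
    {"ts": "2015-05-11T10:00:40", "src_ip": "10.0.0.5", "host": "web01",
     "action": "login", "outcome": "failure", "user": "admin"},
    {"ts": "2015-05-11T10:00:50", "src_ip": "10.0.0.5", "host": "web01",
     "action": "process_start", "outcome": "success", "user": "admin"},
    {"ts": "2015-05-11T10:01:00", "src_ip": "10.0.0.5", "host": "web01",
     "action": "login", "outcome": "success", "user": "admin"},
    {"ts": "2015-05-11T10:02:00", "src_ip": "10.0.0.9", "host": "web01",
     "action": "login", "outcome": "failure", "user": "jdoe"},
    {"ts": "2015-05-11T10:02:10", "src_ip": "10.0.0.9", "host": "web01",
     "action": "login", "outcome": "failure", "user": "jdoe"},
    {"ts": "2015-05-11T10:02:30", "src_ip": "10.0.0.9", "host": "web01",
     "action": "login", "outcome": "success", "user": "jdoe"},
    {"ts": "2015-05-11T10:03:00", "src_ip": "10.0.0.7", "host": "db01",
     "action": "login", "outcome": "failure", "user": "svc_backup"},
    {"ts": "2015-05-11T10:03:30", "src_ip": "10.0.0.7", "host": "db01",
     "action": "login", "outcome": "success", "user": "svc_backup"},
]


def correlate(events, threshold=THRESHOLD, window_minutes=WINDOW_MINUTES):
    """Evaluate the multi-step rule and return one alert per match.

    State is kept per (src_ip, host): a deque of failure timestamps still
    inside the sliding window. A success with >= threshold recent failures
    fires an alert and resets that key's state so it is reported once."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "login":        # attribute 1: event type
            continue
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["src_ip"], ev["host"])    # attributes 2 and 3: same pair
        recent = failures[key]
        while recent and ts - recent[0] > window:   # expire old failures
            recent.popleft()
        if ev["outcome"] == "failure":
            recent.append(ts)
        elif ev["outcome"] == "success" and len(recent) >= threshold:
            alerts.append({"src_ip": ev["src_ip"], "host": ev["host"],
                           "user": ev["user"], "failures": len(recent),
                           "ts": ev["ts"]})
            recent.clear()
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print("ALERT failed-logins-then-success:", alert)
```

With the constructed events only 10.0.0.5 trips the rule: 10.0.0.9 has too few failures, and 10.0.0.7's early failures have aged out of the window by the time it succeeds.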

Appropriate Automation

All of these efforts help to build an automated SIEM solution that helps security teams to receive and react to event and threat data faster than before. And, with both manual and automated approval steps for workflows, companies can achieve a consistent and more effective response to threats while still keeping critical decision makers in the loop.

When minutes count, you have to shave off every second between an IoA and appropriate action. Otherwise, you risk compromise.

To learn more about what steps your organization can take to protect and detect in real-time, download our report, “When Minutes Count,” here and check out its accompanying infographic here.

Read more about how McAfee has helped organizations create comprehensive, scalable security here and visit the McAfee Service Portal for SIEM support.

To learn about what McAfee SIEM has to offer, follow @IntelSec_Biz on Twitter, or explore our SIEM community site to get the latest techniques to protect your organization.

Seven key SIEM actions to thwart attacks in the security “Golden Hour” (Wed, 06 May 2015) https://securingtomorrow.mcafee.com/business/optimize-operations/seven-key-siem-actions-thwart-attacks-security-golden-hour/

As cyber criminals move faster and more stealthily, taking advantage of new tools provided through an adversarial community, security teams need to be able to respond with equal or greater speed. Every second counts after a cyber attack. Therefore, it is imperative to have a solid plan in place for actions that take place during the moments immediately following an incident, or what we call the “Security Golden Hour.”

In a recent ESG survey, “Tackling Attack Detection and Incident Response,” commissioned by Intel Security, responders indicated they spend their time on five key tasks. Top of the list included:
1. Determining the impact of the incident
2. Taking action to minimize the attack
3. Analyzing security intelligence
4. Determining which assets remain vulnerable
5. Performing forensic analysis

When asked which initiatives would help boost staff efficiency, three key SIEM capabilities came to the surface: first of all “better detection tools” to find potential malware accurately, followed by “better analysis tools” and “process automation to free up staff.” These findings also form the foundation of the seven key actions McAfee’s Enterprise Security Manager (ESM) provides during the golden hour.

The first group of SIEM actions is related to the identification of the threat. The priority here is to reduce false positives and bring potential adversarial activity quickly and accurately in front of the security analyst. McAfee ESM advanced analytics (action #1) provides an overview of who is using valuable infrastructure, and when and where. During this analysis, ESM will calculate baselines, bring known and unknown threats to the surface via rule- and risk-based correlation, and leverage enterprise contextual information for better insights. A second action (#2) that ESM supports is the collection and harvesting of threat intelligence. This step helps users identify threats based on the misfortune of others and confirms for the security analyst whether the threat has already been seen somewhere else. A unique third action (#3) from McAfee ESM is both real-time and historical correlation. Where most SIEMs will only leverage threat intelligence going forward, McAfee ESM verifies via the BackTrace feature whether the organization has already been impacted by a known IOC (Indicator of Compromise).
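The historical-correlation idea behind action #3 can be illustrated with a small retrospective matcher; this is an added example, not McAfee ESM's BackTrace implementation, and the event fields (ts, host, dst_ip, domain, sha256) and the IOC feed shape (type, value, published) are assumptions. It indexes the events already in the store and, when a feed arrives later, reports every earlier sighting of each indicator, flagging those that pre-date the indicator's publication.

```python
"""Added example, not McAfee ESM's BackTrace code: retrospective matching
of newly received indicators of compromise (IOCs) against events the SIEM
already collected, to answer "were we hit before the indicator was known?".

Event fields (ts, host, dst_ip, domain, sha256) and the IOC feed shape
(type, value, published) are assumptions for this example."""
from collections import defaultdict

CONSTRUCTED_SHA256 = "a" * 64      # placeholder hash, not a real indicator

# Constructed historical events already sitting in the event store.
HISTORICAL_EVENTS = [
    {"ts": "2015-04-20T08:12:03", "host": "ws-017",
     "dst_ip": "198.51.100.23", "domain": "update-check.example", "sha256": None},
    {"ts": "2015-04-21T17:44:10", "host": "ws-042",
     "dst_ip": "203.0.113.8", "domain": None, "sha256": CONSTRUCTED_SHA256},
    {"ts": "2015-04-22T09:01:55", "host": "ws-017",
     "dst_ip": "192.0.2.77", "domain": "intranet.example", "sha256": None},
    {"ts": "2015-04-24T11:30:00", "host": "ws-099",
     "dst_ip": "198.51.100.23", "domain": None, "sha256": None},
]

# Constructed IOC feed that arrives after the events above were stored.
IOC_FEED = [
    {"type": "ip", "value": "198.51.100.23", "published": "2015-04-23"},
    {"type": "sha256", "value": CONSTRUCTED_SHA256.upper(), "published": "2015-04-23"},
    {"type": "domain", "value": "never-contacted.example", "published": "2015-04-23"},
]

# Which stored event field each indicator type is compared against.
FIELD_FOR_TYPE = {"ip": "dst_ip", "domain": "domain", "sha256": "sha256"}


def normalize(value):
    """Canonical form so feed and log spellings (case, whitespace) compare equal."""
    return value.strip().lower()


def build_index(events):
    """Inverted index (type, value) -> event positions, built once per store."""
    index = defaultdict(list)
    for pos, ev in enumerate(events):
        for ioc_type, field in FIELD_FOR_TYPE.items():
            if ev.get(field):
                index[(ioc_type, normalize(ev[field]))].append(pos)
    return index


def backtrace(events, ioc_feed, index=None):
    """Return one hit per (IOC, historical event) pair.

    'before_publication' marks sightings that pre-date the indicator's
    release: exactly the cases a forward-looking feed match would miss.
    Dates are ISO-8601, so string comparison orders them correctly."""
    if index is None:
        index = build_index(events)
    hits = []
    for ioc in ioc_feed:
        key = (ioc["type"], normalize(ioc["value"]))
        for pos in index.get(key, []):
            ev = events[pos]
            hits.append({"ioc": ioc["value"], "type": ioc["type"],
                         "host": ev["host"], "ts": ev["ts"],
                         "before_publication": ev["ts"][:10] < ioc["published"]})
    return hits


def hosts_at_risk(hits):
    """Distinct hosts that touched any indicator, as a triage list."""
    return sorted({h["host"] for h in hits})


if __name__ == "__main__":
    found = backtrace(HISTORICAL_EVENTS, IOC_FEED)
    for hit in found:
        print(hit)
    print("hosts to triage:", hosts_at_risk(found))
```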

After the identification, users need to review, prioritize and decide on what to do next. During this second phase, visualization (#4) and isolation (#5) of threat activities are the next key actions SIEM should provide. Pre-built or custom dashboards, with fast and easy access to data, allow the user to run investigations quickly and reduce the time to prioritize the threat. Additionally, Asset Threat Risk dashboards aggregate known external threats, asset vulnerabilities and available countermeasures to help the security analyst pinpoint which enterprise assets are truly at risk.

In the last step, the incident responder acts by eradicating (#6) the adversary and communicating (#7) the required actions to the IT operations teams. These two actions can be taken directly from the console or can be fully automated to optimize security resources. Via the built-in case management tool, the security operations manager can review open and closed incident response tasks as well as spot recurring incident types for improved automation.

Review examples of known threats, SIEM best practices and the 7 key SIEM actions in a recent Secure World Webinar: https://goto.webcasts.com/starthere.jsp?ei=1056214

Read the ESG study: http://www.mcafee.com/us/resources/reports/rp-esg-tackling-attack-detection-incident-response.pdf

We Discuss: Detection and Incident Response in the ‘Golden Hour’ (Wed, 06 May 2015) https://securingtomorrow.mcafee.com/business/optimize-operations/we-discuss-golden-hour/

In a recent report with ESG, Tackling Attack Detection and Incident Response, we surveyed 700 IT professionals to better understand the security challenges faced by organizations today. The report also expands on the concept of the ‘Golden Hour,’ the narrow window of time in which threat detection and response can greatly minimize the ultimate impact of an attack.

According to the survey, in 2014:

  • 88% of organizations faced a targeted attack
  • Organizations conducted an average of 38 security investigations
  • Organizations reported an average of 78 security incidents

Our own Sal Viveros, Rick Simon, and Paul Zimski gathered to discuss key findings from the report, from IT skills shortages across industries to the nature of targeted attacks. Watch their full discussion below.

To learn more about Intel Security research findings, see the full report with ESG here. You can also follow along with us as we share the latest in security, on Twitter and LinkedIn.

Defending Against Ransomware with McAfee Threat Intelligence Exchange (Thu, 30 Apr 2015) https://securingtomorrow.mcafee.com/business/optimize-operations/defending-ransomware-mcafee-threat-intelligence-exchange/

In a blog last week, I discussed CryptoLocker, a particularly nefarious family of ransomware, and how to defend against it.

I thought it would be worthwhile to demonstrate how McAfee Threat Intelligence Exchange can detect and stop malware like ransomware, even if the suspicious file has not been flagged as malware by antivirus signatures.

In addition to showing McAfee Threat Intelligence Exchange in action, I also show how McAfee Advanced Threat Defense performs deep analysis, including dynamic sandboxing and static code analysis, to confirm that the file flagged is malware and is indeed malevolent.

In the upcoming McAfee Labs Threats Report: May 2015, McAfee Labs will explore ransomware and the huge rise in the volume of attacks in Q1. As CryptoLocker and other forms of ransomware continue to morph and become more aggressive, it is vitally important to understand how ransomware works and what can be done to protect against it.

Intelligent, Actionable, Integrated https://securingtomorrow.mcafee.com/business/optimize-operations/intelligent-actionable-integrated/ https://securingtomorrow.mcafee.com/business/optimize-operations/intelligent-actionable-integrated/#respond Tue, 21 Apr 2015 16:30:26 +0000 https://blogs.mcafee.com/?p=42704 Reaping the benefits of SIEM For automated tools such as Security Information and Event Management (SIEM) to improve your security posture and reduce your response time, they need to be intelligent, actionable, and integrated. They need to help you find what’s important so your team can spend more time with the most critical issues and …

The post Intelligent, Actionable, Integrated appeared first on McAfee Blogs.

Reaping the benefits of SIEM

For automated tools such as Security Information and Event Management (SIEM) to improve your security posture and reduce your response time, they need to be intelligent, actionable, and integrated. They need to help you find what’s important so your team can spend more time with the most critical issues and less time trying to understand what’s important and what’s not. The latest release of McAfee Enterprise Security Manager (ESM), v9.5, augments your team’s abilities with enhanced real-time monitoring, automated historical analysis, simplified operations, and tighter integration with threat intelligence.

Automation that is not intelligent is just an amplifier – it increases both the good and the bad. McAfee ESM 9.5 gets smarter by enhancing its real-time monitoring capabilities with a threat management dashboard that can receive and understand information on emerging suspicious and malicious threats reported via STIX/TAXII, McAfee Advanced Threat Defense, and third-party URLs. Instead of having to collect this information manually, you can now quickly and easily review and manage cyber threat intelligence at a glance from a centralized dashboard. McAfee Advanced Threat Defense (ATD) sandboxing functions investigate potential indicators of attack or compromise. ESM now integrates and automates communications with ATD, receiving notification of convicted files, asking for additional details, and adding the necessary information to watch lists and alerts.

Making decisions on whether a threat is relevant and what its risk level is becoming increasingly complicated. McAfee simplifies deployment and ongoing risk monitoring with hundreds of out-of-the-box rules and reports, as well as pre-defined content packs that include views, reports, watch lists, key variables, and alarm rules for specific use cases. The first 12 content packs include monitoring for insider threats, data leakage, email content, suspicious activity, malicious activity, malware, reconnaissance, web filtering, and Microsoft Windows authentication. Using the risk advisor dashboard, you can now get information instantly about a threat, its severity, and the risk it presents through a risk score that unifies vulnerability status, asset criticality, and the countermeasure protection available for the threat. This assessment helps prioritize security and patching efforts according to an asset’s value.

Perhaps most important is the ability to automatically act on this intelligence, in the future and in the past. When a new relevant threat is reported, you add it to your watch list to catch future events or flows with that hash or IP address. But what if your company was attacked before the threat was published? McAfee’s Backtrace feature looks for evidence that your organization has already been attacked, analyzing historical information to see if any machines are already affected. Backtrace will parse the threat notification and look through existing events to see if any elements, such as hash, file name, or IP address, match the event details. If it finds a match, it can generate an alarm and perform a number of automated actions to quickly mitigate and contain the attack.

Sophisticated criminal activity is overwhelming current piecemeal security solutions. McAfee ESM and Integrated Security Connected solutions enable broad data collection and automation of first response actions, helping you respond to attacks more quickly and efficiently.

Why SIEM is a Winning Security Strategy https://securingtomorrow.mcafee.com/business/optimize-operations/why-siem-is-a-winning-security-strategy/ https://securingtomorrow.mcafee.com/business/optimize-operations/why-siem-is-a-winning-security-strategy/#respond Wed, 25 Mar 2015 15:30:46 +0000 https://blogs.mcafee.com/?p=42260 Like most things in life, successful planning for a secure network takes a pre-baked strategy. And, with that strategy comes the actions and tasks needed to carry it out. It’s much like sports – you want to enable your organization to be the one with the ball, dictating the offense to successfully execute plays that …

The post Why SIEM is a Winning Security Strategy appeared first on McAfee Blogs.

Like most things in life, successful planning for a secure network takes a pre-baked strategy. And, with that strategy comes the actions and tasks needed to carry it out. It’s much like sports – you want to enable your organization to be the one with the ball, dictating the offense to successfully execute plays that result in a score. You should control the pace of the game. Don’t let the opponent (in this case, the hackers) dictate the pace, or your strategy.

Companies are tasked with protecting their organizations from advanced threats. For many, the most troublesome threats are Advanced Persistent Threats (APTs), those that quietly monitor a network over time to gather and extract sensitive information and intellectual property – and targeted attacks against a single organization. In fact, according to an Evalueserve survey commissioned by McAfee, part of Intel Security, 74 percent of the 473 surveyed companies said they are highly concerned about these two specific attacks. Hackers, it seems, are setting the pace of the game.

However, an agile offensive strategy can put you in a more proactive position. In the same Evalueserve survey, 53 percent of organizations said they discovered an attack within hours or minutes, allowing them to disrupt the incident. Behind those detections was the presence of technology that integrates threat intelligence, correlation, analytics, active response and adaptive technologies. They employ advanced Security Information and Event Management (SIEM) technology specifically geared to help incident response.

It works.

Here are the three key findings from the survey:

  • 57 percent of companies capable of detecting targeted attacks within minutes experienced 10 or fewer attacks in 2013.
  • 78 percent of those companies employ a real-time SIEM solution.
  • Only 12 percent of SIEM-enabled organizations had to investigate more than 50 incidents in 2015.

This forms a recognizable pattern: hackers usually look elsewhere when faced with the competent execution of existing security solutions.


A SIEM solution capable of real-time threat detection and prioritization offers the actionable intelligence and advanced analysis for security personnel to identify indicators of attack quickly and accurately. Additionally, a real-time SIEM solution integrates threat intelligence, correlation and analytics to detect the eight most common indicators of attack (IoAs) highlighted in our special report, “When Minutes Count.”

To learn more about how APTs affect businesses across the globe and how you can defend your enterprise against them, download the report, “When Minutes Count.”

To learn more about McAfee’s SIEM solutions and get information on the latest security techniques, explore our SIEM community and follow along with @IntelSec_Biz on Twitter.

Cyber Threat Management: A Perfect Fit for McAfee SIEM https://securingtomorrow.mcafee.com/business/optimize-operations/cyber-threat-management-perfect-fit-mcafee-siem-solution/ https://securingtomorrow.mcafee.com/business/optimize-operations/cyber-threat-management-perfect-fit-mcafee-siem-solution/#respond Wed, 11 Mar 2015 19:49:00 +0000 https://blogs.mcafee.com/?p=41643 Driven by the misfortune of many, Cyber Threat Intelligence exchange and consumption is becoming more proliferated, accessible and standardized. Together with legacy security technologies like Firewall, IPS and Vulnerability Assessment tools, SIEMs have used threat intelligence initially for the most common use-case of detection and – unique for SIEM – as context during attacks. However, …

The post Cyber Threat Management: A Perfect Fit for McAfee SIEM appeared first on McAfee Blogs.

Driven by the misfortune of many, Cyber Threat Intelligence exchange and consumption is becoming more widespread, accessible and standardized. Together with legacy security technologies like Firewall, IPS and Vulnerability Assessment tools, SIEMs have initially used threat intelligence for the most common use case of detection and – unique to SIEM – as context during attacks. However, threat intelligence can offer more to security teams, for instance to prioritize or prepare a response to recently reported exposures and exploits. SIEM is also one of the few technologies able to unlock the full power of threat intelligence via some new use cases.

A new, emerging use case for SIEM and threat intelligence is managing and presenting cyber threat intelligence data itself. Because SIEM has been designed from the ground up to interpret and manage large sets of data, harvesting, organizing and cycling threat data is a perfect fit for it. The recently released McAfee Enterprise Security Manager (ESM) version 9.5 has taken cyber threat management to a new level by collecting and translating suspicious or confirmed threat information into actionable intelligence for security operations teams. McAfee ESM 9.5 can import a wealth of security threat data, including STIX/TAXII feeds, third-party URLs and Indicators of Compromise (IOCs) reported via McAfee Advanced Threat Defense, providing security operations teams with directly readable and usable intelligence for security analytics.

A second important use case for SIEM and threat intelligence is around historical analysis of recently reported threats. Where many SIEMs correlate threat intelligence only for new event data after the threat has been reported – McAfee ESM 9.5 can automate historical analysis via the new Backtrace feature and discover if an organization has already been impacted by recently reported cyber threats.

The benefits of the above use cases are multi-fold. First of all, automated digestion of cyber threat intelligence helps reduce manual operational effort. The real advantage for security teams is deeper detection, real-time monitoring, and the ability to follow the progress of a newly reported threat through the IT environment. McAfee ESM 9.5 will even help security teams vet the accuracy of a configured threat feed by reporting, from a single view, the indicator name, the date it was received and its hit rate. It is also worth highlighting that McAfee ESM offers drill-downs from the cyber threat dashboard into the IOC details, individual source events or flow records.

With these use cases, SIEM remains not only a very popular tool to aggregate, analyze and present threat intelligence; it is also one of the few tools that can be used for detection and response, which aligns very well with the initial purpose of integrating threat intelligence: better visibility, rapid detection and responses based on known facts.

You’re Under Attack! Eight Ways to Know for Sure https://securingtomorrow.mcafee.com/business/optimize-operations/youre-under-attack-eight-ways-to-know/ https://securingtomorrow.mcafee.com/business/optimize-operations/youre-under-attack-eight-ways-to-know/#respond Mon, 23 Feb 2015 18:47:18 +0000 https://blogs.mcafee.com/?p=41462 The parade of breaches, attacks and various other digital maladies hitting corporations in 2014 made it clear that default, out-of-the-box compliance and security isn’t enough to protect organizations. But the nature of advanced persistent threats (APTs), and other forms of malware, makes it difficult to find an investment that can keep the next threat from …

The post You’re Under Attack! Eight Ways to Know for Sure appeared first on McAfee Blogs.

The parade of breaches, attacks and various other digital maladies hitting corporations in 2014 made it clear that default, out-of-the-box compliance and security isn’t enough to protect organizations. But the nature of advanced persistent threats (APTs), and other forms of malware, makes it difficult to find an investment that can keep the next threat from growing into the next breach.

As with any security situation, shortening the time from detection to protection is key in surviving an attempted attack. By leveraging a Security Information and Event Management (SIEM) solution and looking to common Indicators of Attack (IoAs), organizations can shave minutes off of their detection process and stop threats before they morph into a full-blown breach.

IoAs are exactly as they sound: common behaviors that could indicate the rumblings of an attack. The goal behind properly identifying and addressing an IoA is to prevent it from becoming an Indicator of Compromise – or, an IoC. Once an IoA goes undetected and becomes an IoC, the business in question is faced with the risk of becoming an embarrassing headline.

So, how can businesses know what to look for? McAfee, part of Intel Security, has compiled a list of the eight most common IoAs and the warning signs of each to help your organization separate the signal from the noise.

With these IoAs you can figure out the who, the what, the when, the where and the how to shut any threat down before it potentially becomes an IoC and, then inevitably, a breach:

1. Internal hosts communicating with known bad destinations or to a foreign country where you don’t conduct business.

Suspicious communications from internal hosts (a computer or other device connected to your network) are a great indicator of attack. The reason: some malicious programs need to connect to their command and control servers, often located in different countries, in order to relay information and receive orders.

2. Internal hosts communicating to external hosts using non-standard ports or protocol/port mismatches.

Events such as sending command shells (SSH) rather than HTTP traffic over port 80, the default web port, can indicate an infected host trying to communicate with a command and control server, or an attacker trying to extract data.

3. Publicly accessible or demilitarized zone (DMZ) hosts communicating to internal hosts.

Communication coming from external hosts, or from your DMZ hosts, to your internal network could indicate an attack. This action could allow for leapfrogging from outside actors to your inside network and back, allowing for data exfiltration and remote access to your assets.

4. Off-hour malware detection

Network activity during off hours may not always indicate an attack, but communications from specific devices at odd hours can be an indicator. Setting your SIEM to detect these suspicious communications could signal a compromised host.

5. Network scans by internal hosts communicating with multiple hosts in a short time frame.

Rapid-fire communications and network scans from internal hosts to other hosts could indicate an attacker attempting to move laterally within a network.

6. Multiple alarm events from a single host or duplicate events across multiple machines in the same subnet over 24-hour period.

Multiple alarm events from a single host, or duplicate alarms from multiple hosts, in a short period of time could indicate an attacker attempting to compromise a network or computer.

7. A system is re-infected with malware within five minutes after being cleaned.

While infection is a clear attack, re-infection within minutes of cleaning the compromised host could indicate the presence of an APT – a far more serious issue than simple malware.

8. A user account trying to log in to multiple resources within a few minutes from or to different regions.

A user rapidly attempting to gain access to multiple resources, either from or to different regions, could indicate an active attacker trying to extract data.
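The eight IoAs above written as SIEM-style correlation checks and run over a few constructed flow, alarm and login records; this is an added example, not code from the original post or from any McAfee product, and the network ranges, thresholds, country list and the indicator value are assumptions.

```python
"""Added example, not McAfee code: correlation checks for the eight IoAs above,
run over constructed flow, alarm and login records. Ranges and thresholds are
assumptions to tune locally; a real SIEM would apply them as continuous rules."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL, DMZ = ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")  # constructed
KNOWN_BAD = {"198.51.100.7"}                 # placeholder indicator, constructed
BUSINESS_COUNTRIES = {"US", "DE"}            # countries where business is conducted
STANDARD_PORT = {"http": 80, "https": 443, "ssh": 22, "dns": 53}
BUSINESS_HOURS = range(7, 20)                # 07:00-19:59 local time
SCAN_HOSTS, SCAN_WINDOW = 10, timedelta(seconds=60)        # IoA 5 threshold
ALARM_LIMIT, DUP_HOSTS, ALARM_WINDOW = 5, 3, timedelta(hours=24)  # IoA 6
REINFECT_WINDOW = LOGIN_WINDOW = timedelta(minutes=5)      # IoA 7 and 8

def _recent(entries, now, window):
    """Keep only (ts, ...) entries that fall inside `window` before `now`."""
    return [e for e in entries if now - e[0] <= window]

def check_flows(flows):
    """IoAs 1, 2, 3 and 5. Flow keys: ts, src, dst, proto, dst_port, dst_country."""
    hits, contacts, flagged = [], defaultdict(list), set()
    for f in sorted(flows, key=lambda f: f["ts"]):
        src, dst = ip_address(f["src"]), ip_address(f["dst"])
        if src in INTERNAL and dst not in INTERNAL:            # outbound
            if f["dst"] in KNOWN_BAD or f["dst_country"] not in BUSINESS_COUNTRIES:
                hits.append((1, f["src"], f["dst"]))                     # IoA 1
            if STANDARD_PORT.get(f["proto"], f["dst_port"]) != f["dst_port"]:
                hits.append((2, f["src"], f"{f['proto']} on {f['dst_port']}"))  # IoA 2
        elif src not in INTERNAL and dst in INTERNAL:          # external or DMZ inbound
            hits.append((3, f["src"], f["dst"]))                         # IoA 3
        elif src in INTERNAL and dst in INTERNAL:              # lateral traffic
            win = contacts[f["src"]] = _recent(contacts[f["src"]], f["ts"], SCAN_WINDOW)
            win.append((f["ts"], f["dst"]))
            targets = {d for _, d in win}
            if len(targets) >= SCAN_HOSTS and f["src"] not in flagged:
                flagged.add(f["src"])                                   # report once
                hits.append((5, f["src"], f"{len(targets)} hosts in {SCAN_WINDOW.seconds}s"))
    return hits

def check_alarms(alarms):
    """IoAs 4, 6 and 7. Alarm keys: ts, host, signature, action ('detected'/'cleaned')."""
    hits, per_host, per_sig, last_clean = [], defaultdict(list), defaultdict(list), {}
    for a in sorted(alarms, key=lambda a: a["ts"]):
        ts, host = a["ts"], a["host"]
        if a["action"] == "detected" and ts.hour not in BUSINESS_HOURS:
            hits.append((4, host, ts.strftime("%H:%M")))                 # IoA 4
        per_host[host] = _recent(per_host[host], ts, ALARM_WINDOW) + [(ts,)]
        if len(per_host[host]) == ALARM_LIMIT:
            hits.append((6, host, f"{ALARM_LIMIT} alarms in 24h"))       # IoA 6, one host
        key = (a["signature"], str(ip_network(f"{host}/24", strict=False)))
        per_sig[key] = _recent(per_sig[key], ts, ALARM_WINDOW) + [(ts, host)]
        if len({h for _, h in per_sig[key]}) == DUP_HOSTS:
            hits.append((6, key[1], f"'{key[0]}' on {DUP_HOSTS} hosts"))  # IoA 6, one subnet
        if a["action"] == "cleaned":
            last_clean[host] = ts
        elif host in last_clean and ts - last_clean[host] <= REINFECT_WINDOW:
            hits.append((7, host, f"reinfected {ts - last_clean[host]} after cleaning"))  # IoA 7
    return hits

def check_logins(logins):
    """IoA 8. Login keys: ts, user, resource, region."""
    hits, recent = [], defaultdict(list)
    for l in sorted(logins, key=lambda l: l["ts"]):
        recent[l["user"]] = _recent(recent[l["user"]], l["ts"], LOGIN_WINDOW) + [(l["ts"], l["region"])]
        regions = {r for _, r in recent[l["user"]]}
        if len(regions) > 1:                                   # same user, two regions in 5 min
            hits.append((8, l["user"], "/".join(sorted(regions))))
    return hits

def run_demo():
    """Constructed records that trigger each IoA; returns the list of hits."""
    t = datetime(2015, 2, 23, 10, 0)                  # constructed base time, business hours
    flows = [
        dict(ts=t, src="10.1.1.5", dst="198.51.100.7", proto="https", dst_port=443, dst_country="US"),
        dict(ts=t, src="10.1.1.6", dst="203.0.113.9", proto="ssh", dst_port=80, dst_country="US"),
        dict(ts=t, src="192.0.2.10", dst="10.2.2.2", proto="http", dst_port=80, dst_country="US"),
        dict(ts=t, src="10.1.1.8", dst="203.0.113.5", proto="https", dst_port=443, dst_country="DE"),
    ] + [dict(ts=t + timedelta(seconds=i), src="10.1.1.7", dst=f"10.3.0.{i + 1}",
              proto="tcp", dst_port=445, dst_country="") for i in range(10)]   # scan burst
    alarms = [
        dict(ts=datetime(2015, 2, 23, 3, 0), host="10.1.1.9", signature="Trojan.A", action="detected"),
        dict(ts=t, host="10.1.1.10", signature="Trojan.B", action="cleaned"),
        dict(ts=t + timedelta(minutes=3), host="10.1.1.10", signature="Trojan.B", action="detected"),
    ] + [dict(ts=t + timedelta(hours=i), host="10.1.1.11", signature="Sig.B", action="detected")
         for i in range(5)] + [dict(ts=t, host=f"10.5.5.{i}", signature="Worm.C",
                                    action="detected") for i in (1, 2, 3)]
    logins = [
        dict(ts=t, user="alice", resource="vpn", region="EU"),
        dict(ts=t + timedelta(minutes=2), user="alice", resource="mail", region="APAC"),
        dict(ts=t, user="bob", resource="vpn", region="US"),
        dict(ts=t + timedelta(minutes=1), user="bob", resource="mail", region="US"),
    ]
    return check_flows(flows) + check_alarms(alarms) + check_logins(logins)
```

Each hit is a (IoA number, subject, detail) tuple; the benign flow from 10.1.1.8 and bob's two same-region logins produce nothing, which is the point of the thresholds.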

Through such critical analyses, SIEM solutions can help keep the many types of IoAs from becoming IoCs or outright breaches – an evolution that can happen within minutes and quickly turn into a make-or-break scenario. That’s why having a fast-acting security solution is crucial. It’s also why 78 percent of companies capable of detecting attacks in minutes have a real-time, proactive SIEM solution in place. That’s the kind of threat detection that can keep your company out of the paper and in the public’s good will.

To learn more about what steps your organization can take to protect and detect in real-time, download our report, “When Minutes Count,” here and check out its accompanying infographic here.

Read more about how McAfee has helped organizations create comprehensive, scalable security here and visit the McAfee Service Portal for SIEM support.

To learn about what McAfee SIEM has to offer, follow @IntelSec_Biz on Twitter, or explore our SIEM community site to get the latest techniques to protect your organization.

McAfee SIEM Offers Real Time Information on Data Breaches – When Minutes Count https://securingtomorrow.mcafee.com/business/optimize-operations/mcafee-siem-offers-real-time-information-data-breaches-minutes-count/ https://securingtomorrow.mcafee.com/business/optimize-operations/mcafee-siem-offers-real-time-information-data-breaches-minutes-count/#respond Tue, 09 Dec 2014 18:35:25 +0000 http://blogs.mcafee.com/?p=40039 We all know that 2014 has been marked by a huge uptick in high-profile data breaches in both the public and private sectors. What everyone is asking is this: How do we avoid a repeat of this situation in 2015?  This is an especially important question in government. With the sensitivity of the data government …

The post McAfee SIEM Offers Real Time Information on Data Breaches – When Minutes Count appeared first on McAfee Blogs.

We all know that 2014 has been marked by a huge uptick in high-profile data breaches in both the public and private sectors. What everyone is asking is this: How do we avoid a repeat of this situation in 2015?  This is an especially important question in government. With the sensitivity of the data government organizations hold, identifying and mitigating a breach immediately is of the utmost importance.

The experts at McAfee Labs have been examining this string of breaches and have learned that of all variables, time is the single most important factor in whether an enterprise-level organization can mitigate a threat. McAfee has recapped these findings in a report called When Minutes Count, which surveyed hundreds of individuals from organizations that were recently affected by data breaches.

The report found that 58% of organizations that responded suffered 10 or more data breaches last year and that only 24% of them were confident in their ability to even detect a cyberbreach within minutes. Thus 74% of surveyed organizations considered cyberattacks a major threat to their organizations. But the report wasn’t all doom and gloom: Early event detection and prioritization systems like SIEM have proven to be effective in mitigating these threats. Seventy-eight percent of surveyed organizations that were able to detect attacks within minutes had SIEM technology in place, and 57% of organizations using SIEM suffered 10 or fewer targeted attacks over the last year.

McAfee SIEM alone will not solve all data breaches and must be thought of as part of a broader, Security Connected approach that brings together interoperable network security and endpoint security. Still, the report shows that McAfee SIEM may be one of the most effective tools at identifying and mitigating threats in real time.

For our public sector readers, there’s more good news: McAfee SIEM was recently added to the DoD’s Unified Capabilities Approved Products List (UC APL), becoming the first and only SIEM product to undergo its rigorous testing and meet its extremely stringent criteria. Being added to this list also means that McAfee SIEM is now interoperable with other components of the DoD network infrastructure.

The report makes clear that data breaches are on the rise and that SIEM is a most effective tool in identifying them and mitigating their risks. This helps answer the question, “How do we avoid a repeat of the [breach] situation in 2015?”

When Your Organization is Under Attack, Minutes Count https://securingtomorrow.mcafee.com/business/optimize-operations/organization-attack-minutes-count/ https://securingtomorrow.mcafee.com/business/optimize-operations/organization-attack-minutes-count/#respond Wed, 19 Nov 2014 17:05:33 +0000 http://blogs.mcafee.com/?p=39460 In 2014, companies continued to be shaken out of their contented relationship with corporate security efforts. Retailers were hacked. Millions of emails were lifted. Thousands of Social Security numbers were stolen. Gone is the era of “set it and forget it” security, where enterprises use only default security settings. This epiphany, motivated by news headlines, …

The post When Your Organization is Under Attack, Minutes Count appeared first on McAfee Blogs.

In 2014, companies continued to be shaken out of their contented relationship with corporate security efforts. Retailers were hacked. Millions of emails were lifted. Thousands of Social Security numbers were stolen. Gone is the era of “set it and forget it” security, where enterprises use only default security settings. This epiphany, motivated by news headlines, has forced organizations into a mad dash for security solutions that meet their real-time needs.

But a frantic search for a security replacement isn’t always warranted. In fact, many organizations can bolster their security posture by better leveraging their current solutions, without investing in new technologies. By understanding the most common Indicators of Attack (IoAs) and automating their next-generation Security Information and Event Management (SIEM) system to detect those events in real time, companies can dramatically reduce risk potential. In fact, 57 percent of companies using real-time detection suffered only 10 or fewer targeted attacks in 2013.


That’s the take-away from our Special Report, “When Minutes Count,” which aggregates front-line experiences from security events with actionable advice that any organization can undertake. Businesses looking to optimize their security environment should be on the lookout for the eight common IoAs discovered by experts at McAfee® Foundstone®.

Those IoAs are:

  1. Internal traffic communicating with known bad destinations or countries where business isn’t conducted
  2. Internal traffic communicating to external hosts over non-standard ports or protocol mismatches
  3. Publicly accessible or demilitarized zone (DMZ) hosts communicating with internal hosts
  4. Using off-hour malware detection
  5. Rapid network scans by internal hosts to multiple hosts
  6. Multiple alarms from a single host or duplicate events across multiple machines
  7. Systems reinfected with malware after being cleaned
  8. User accounts attempting to log in to multiple resources within a few minutes from and to different regions

Over the next few weeks we’ll be taking a deeper dive into these IoAs and the additional findings derived from “When Minutes Count.” We’ll explain why these eight events are the most common indicators of an advanced threat and examine how your organization can defend itself from exploitation. We’ll also look at which organizations are worried about advanced threats and why, and the difference an optimized SIEM can make.

Read more about how McAfee has helped organizations create comprehensive, scalable security here and visit the McAfee Service Portal for SIEM support.

To learn about what McAfee SIEM has to offer, follow @McAfeeBusiness on Twitter, or explore our SIEM community site to get the latest techniques to protect your organization. For additional reading material, see Mike Fey’s latest article on Dark Reading.

McAfee SIEM receives TechTarget Reader’s Choice Awards 2014 https://securingtomorrow.mcafee.com/business/optimize-operations/mcafee-siem-receives-techtarget-readers-choice-awards-2014/ https://securingtomorrow.mcafee.com/business/optimize-operations/mcafee-siem-receives-techtarget-readers-choice-awards-2014/#respond Mon, 17 Nov 2014 21:41:18 +0000 http://blogs.mcafee.com/?p=39424 After top three ranking in 2012 and 2013, McAfee Enterprise Security Manager won last week the TechTarget Security Reader’s 2014 SIEM award. The product received high marks for  event correlation, data archiving, and flexible policy definition; all key capabilities to accomplish actionable intelligence out of mountains of collected event, flow and log data. The mentioned criteria also indicates further evolution in …

The post McAfee SIEM receives TechTarget Reader’s Choice Awards 2014 appeared first on McAfee Blogs.

After top-three rankings in 2012 and 2013, McAfee Enterprise Security Manager last week won the TechTarget Security Readers’ Choice 2014 SIEM award. The product received high marks for event correlation, data archiving, and flexible policy definition, all key capabilities for turning mountains of collected event, flow and log data into actionable intelligence. These criteria also indicate further evolution in the popularity of SIEM use cases, especially toward advanced threat detection and remediation. McAfee ESM offers users a comprehensive way to leverage traditional archiving and correlation capabilities via the unique “Advanced Correlation Engine” (ACE), enabling rule- and risk-based correlation against real-time feeds as well as historical event data already stored in the SIEM. These use cases give security analysts not only ad-hoc detection of recently discovered attacks but also the ability to go back in time and discover whether a threat may already have impacted their environment. In addition to the time and flexibility dimensions, ESM also offers more in-depth, less intrusive monitoring. For instance, via the agentless Database Event Monitoring appliance, users can watch all access to critical business databases, and via the Application Data Monitor appliance, customers can inspect application content to achieve deep visibility.

McAfee Enterprise Security Manager is one of four McAfee products to receive this year’s TechTarget Readers’ Choice award, alongside the next-generation firewall, which can be integrated into the SIEM together with many other McAfee and third-party products, giving users the option to take action and remediate discovered threats directly from the SIEM console. Readers lauded these and many other SIEM integrations, and the SIEM’s compatibility with existing systems, devices and applications, always a key factor when considering SIEM technology.

The Evolution of SIEM: Part 3 https://securingtomorrow.mcafee.com/business/optimize-operations/evolution-siem-part-3/ https://securingtomorrow.mcafee.com/business/optimize-operations/evolution-siem-part-3/#respond Mon, 10 Nov 2014 18:15:07 +0000 http://blogs.mcafee.com/?p=39023 In this series so far, we’ve covered the McAfee Enterprise Security Manager (ESM), capabilities that make our SIEM solution stand out and how this solution can benefit your organization. In this final installment of our ‘Evolution of SIEM’ series, I am going to highlight a few of the orchestration options for ESM to help you …

The post The Evolution of SIEM: Part 3 appeared first on McAfee Blogs.

In this series so far, we’ve covered the McAfee Enterprise Security Manager (ESM), capabilities that make our SIEM solution stand out and how this solution can benefit your organization. In this final installment of our ‘Evolution of SIEM’ series, I am going to highlight a few of the orchestration options for ESM to help you get the most out of your SIEM solution.

Within McAfee Enterprise Security Manager, actions are driven by alarms that have been configured to fire whenever any of a variety of events occur. However, there are a few different possibilities for how you can orchestrate your system and act on these alarms. Let’s take a look at two products that both complement ESM and offer a variety of orchestration options: the ePolicy Orchestrator and Network Security Platform.

ePolicy Orchestrator (ePO) allows administrators to categorize systems by manual or criteria-based “tags.” These tags can be used to assign configuration profiles to assets, launch tasks on managed endpoints, or filter dashboards and reports. You have the option to set these tags manually or as a triggered alarm action, which allows for the following use cases:

  • Flagging suspicious systems for follow-up. Tagging is a great way for incident response staff to track which systems require investigation and in turn, helps to drive immediate remediation activities. As a result, your endpoint security staff is able to prioritize remediation efforts based on the systems with the most critical security issues.
  • Quarantine and remediation of compromised systems. When investigating an ongoing attack or breach, there are sometimes repeated behaviors that indicate a compromised system. By leveraging ePO policy assignment rules and tasks, the SIEM can conduct real-time responses, neutering the threat and effectively minimizing the amount of damage that could have been done.

Another product that is a natural complement to ESM is the Network Security Platform (NSP). Administrators can set network access control lists on NSP sensors manually, or as a triggered alarm action to assist with behavior-based blacklisting. Oftentimes, high volumes of reconnaissance activity make it difficult for security analysts to follow up on each incident directly, and therefore difficult to block communication with malicious hosts effectively. This is where SIEM comes in: you can leverage a SIEM solution to carry out an automated response at the network layer, which blocks all future connections from the attacker.
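The alarm-to-action flow described above for ePO tags and NSP access lists, sketched as an added Python example (this is not McAfee code; the event schema, the thresholds, the tag names, the internal address ranges and the block-list structure are all constructed assumptions). It generalises the two cases slightly: the same threshold alarm either blocks an external source at the network layer or, for an internal source, tags the asset for analyst follow-up instead, and a flagged host that then moves laterally is escalated to a quarantine tag.

```python
"""Alarm-driven orchestration, modelled on the ESM -> ePO / NSP actions described above.

Added illustration, not McAfee code. The event schema, rule thresholds, tag names,
internal address ranges and the block-list structure are constructed assumptions.
"""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Constructed sample events, roughly as a SIEM would normalise them:
# ts = seconds, type = event class, src = remote source, host = asset concerned.
EVENTS = [
    {"ts": 100, "type": "portscan", "src": "203.0.113.7", "host": "web01"},
    {"ts": 101, "type": "portscan", "src": "203.0.113.7", "host": "web02"},
    {"ts": 102, "type": "portscan", "src": "203.0.113.7", "host": "db01"},
    {"ts": 150, "type": "portscan", "src": "10.0.5.9", "host": "web01"},
    {"ts": 151, "type": "portscan", "src": "10.0.5.9", "host": "web02"},
    {"ts": 152, "type": "portscan", "src": "10.0.5.9", "host": "db01"},
    {"ts": 200, "type": "av_detect", "src": None, "host": "ws17"},
    {"ts": 230, "type": "av_detect", "src": None, "host": "ws17"},
    {"ts": 260, "type": "lateral_smb", "src": "ws17", "host": "fs01"},
    {"ts": 300, "type": "av_detect", "src": None, "host": "ws42"},
]

# Assumed internal ranges: auto-blocking one of these on the sensor can take a
# legitimate system offline, so internal sources are tagged for an analyst instead.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Threshold alarms: (name, event type, field the count is keyed on, count, window seconds).
THRESHOLD_ALARMS = [
    ("external_recon", "portscan", "src", 3, 60),
    ("repeat_av_detect", "av_detect", "host", 2, 300),
]

NEEDS_INVESTIGATION = "NeedsInvestigation"   # assumed ePO tag names
QUARANTINE = "Quarantine"


def is_internal(addr):
    try:
        ip = ip_address(addr)
    except ValueError:          # hostnames are treated as managed internal assets
        return True
    return any(ip in net for net in INTERNAL_NETS)


class Orchestrator:
    def __init__(self):
        self.tags = defaultdict(set)      # stands in for the ePO tag store
        self.blocked = set()              # stands in for the NSP sensor ACL
        self.audit = []                   # every action taken, in order
        self._windows = defaultdict(deque)

    def tag(self, asset, tag):
        if tag not in self.tags[asset]:
            self.tags[asset].add(tag)
            self.audit.append(f"ePO: tag {asset} {tag}")

    def block(self, addr):
        if addr not in self.blocked:
            self.blocked.add(addr)
            self.audit.append(f"NSP: block {addr}")

    def _hits(self, name, key, ts, window):
        """Sliding-window count of events for this alarm/key pair."""
        q = self._windows[(name, key)]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        return len(q)

    def handle(self, ev):
        for name, etype, field, count, window in THRESHOLD_ALARMS:
            if ev["type"] != etype:
                continue
            key = ev[field]
            if self._hits(name, key, ev["ts"], window) < count:
                continue
            if name == "external_recon":
                if is_internal(key):
                    self.tag(key, NEEDS_INVESTIGATION)  # analyst follow-up, not an ACL
                else:
                    self.block(key)                     # network-layer response
            elif name == "repeat_av_detect":
                self.tag(key, NEEDS_INVESTIGATION)
        # Escalation: a flagged host that then moves laterally is quarantined,
        # the policy-assignment style response described above.
        if ev["type"] == "lateral_smb" and NEEDS_INVESTIGATION in self.tags.get(ev["src"], ()):
            self.tag(ev["src"], QUARANTINE)


def run(events):
    orch = Orchestrator()
    for ev in sorted(events, key=lambda e: e["ts"]):
        orch.handle(ev)
    return orch


if __name__ == "__main__":
    for line in run(EVENTS).audit:
        print(line)
```

The internal/external split is the caveat worth carrying into a real deployment: automatically blocking a misconfigured internal host or a legitimate vulnerability scanner is a self-inflicted outage, so that path ends in a tag rather than an ACL entry, and every action is appended to an audit list that can be reviewed afterwards.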

When properly leveraged, a SIEM solution allows you to respond to threats faster and with less effort. The above are just a few of the various orchestration actions and responses that are available for a SIEM solution.

For more information on this subject, be sure to check out the McAfee SNS Journal for the latest news, product spotlights and technical briefs. You can subscribe for monthly updates here. You can also stay up to date on what McAfee has to offer by following @McAfeeBusiness on Twitter, and exploring our SIEM community.

Go Ahead, Make My Zero Day Blog Series: A Deeper Dive in a Layered Sandbox https://securingtomorrow.mcafee.com/business/optimize-operations/go-ahead-make-zero-day-blog-series-deeper-dive-layered-sandbox/ https://securingtomorrow.mcafee.com/business/optimize-operations/go-ahead-make-zero-day-blog-series-deeper-dive-layered-sandbox/#respond Tue, 30 Sep 2014 15:00:42 +0000 http://blogs.mcafee.com/?p=38104 Read our new blog series and uncover your chance to win big!  It’s a contest, and you can play:  We’ll be publishing a series of four blog posts over the next few weeks.  Each post will contain a hidden clue to help you solve the puzzle below.  Track all four clue words over the blog …

The post Go Ahead, Make My Zero Day Blog Series: A Deeper Dive in a Layered Sandbox appeared first on McAfee Blogs.

Read our new blog series and uncover your chance to win big!  It’s a contest, and you can play:  We’ll be publishing a series of four blog posts over the next few weeks.  Each post will contain a hidden clue to help you solve the puzzle below.  Track all four clue words over the blog series to help solve the final puzzle.  Email us <mbnetwork_ips@mcafee.com> the correct answer along with all four clue words and we’ll enter your name in the drawing for a great prize!

The puzzle:  This actor is best known for his roles as an action hero.

How to find today’s clue:

  • The clue word is a characteristic of the final answer.
  • The clue word has been repeated five times in this blog post.

Keep an eye out for the next blog and clue in the series, coming Thursday, Oct 2nd!

Contest Prize:  Apple iPad Mini



Blog Series: Go Ahead, Make My Zero Day
Blog 2 of 4:  A Deeper Dive in a Layered Sandbox

My first blog post called out the recent laboratory validation of McAfee Advanced Threat Defense conducted by the Enterprise Strategy Group. In particular, I noted their conclusion that it delivers both highly effective detection of zero-day attacks and other advanced malware threats AND outstanding inspection throughput performance. Today I’d like to dig a little more deeply into where Advanced Threat Defense gets its muscle and speed.

We’ve come to accept a layered security strategy as the most effective way to find attacks for which we don’t have effective signatures, but we usually think of those layers as separate systems that apply different analytical techniques to different flows or payloads.

Advanced Threat Defense takes a different approach by stacking multiple file inspection engines in a single device. To optimize catch rate, it uses a combination of high-speed methods (signatures, reputation and emulation) and big-muscle analytics (dynamic and true static code analysis). To optimize performance, it applies the analytics in a downselect sequence of increasing computational intensity. Anything that can be convicted quickly and inexpensively will be. The big muscle only comes out when all else fails.

The complete inspection sequence stacks up like this:

  • Signature-based detection of viruses, worms, spyware, bots, Trojans, buffer overflows, and blended attacks using a comprehensive knowledgebase created and maintained by McAfee Labs, which currently includes close to 150 million signatures.
  • Reputation-based detection using the McAfee Global Threat Intelligence network to detect newly emerging threats.
  • Real-time static analysis and emulation to quickly find malware and zero-day threats not identified with signature-based techniques or reputation.
  • Full static code analysis is where the muscle meets the malware. Advanced Threat Defense reverse engineers file code to assess all attributes and instruction sets, and fully analyzes the source code without execution. Comprehensive unpacking capabilities open all types of packed and compressed files to enable complete analysis and malware classification, helping organizations better understand the specific malware they are dealing with and the impact it has on their organization. Full static code analysis provides critical insight into input-dependent behaviors and delayed or hidden execution paths that often do not execute during dynamic analysis and are overlooked by less comprehensive sandbox solutions.
  • Dynamic sandbox analysis that executes the file code in a virtual run-time environment and observes the resulting behavior. Uniquely among existing sandbox solutions, Advanced Threat Defense configures virtual run-time environments to match the target host based on queries to McAfee® ePolicy Orchestrator™ software. Analyzing file behavior under the exact conditions of the intended host produces accurate results quickly and efficiently, revealing malicious behaviors that might not be triggered in a generic environment. And since many advanced attacks are designed to evade sandbox detection, McAfee Advanced Threat Defense includes innovative techniques to ensure code execution during dynamic analysis.

Multiple inspection engines in a downselect sequence: that’s how McAfee Advanced Threat Defense packs muscle and speed in the same malware detection package. You can read more in our white paper Building a Better Sandbox.
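The downselect sequence as an added Python illustration (this is not Advanced Threat Defense code): engines are ordered by cost, a file leaves the pipeline at the first engine that returns a verdict, and only files that are still unknown after static inspection are queued for dynamic analysis on the image that matches their target host. The engine costs, the sample files, the known-bad hash, the origin reputation lists, the host-to-image table and the masquerading and entropy heuristics in the static engine are all constructed assumptions; nothing is executed.

```python
"""Downselect inspection: cheap engines first, the heavy ones only for what is left.

Added illustration, not Advanced Threat Defense code. Engine costs, sample files,
the known-bad hash, reputation lists, host-to-image table and the static
heuristics are constructed assumptions; dynamic analysis is represented by
queueing the file to a sandbox image, nothing is executed here.
"""
import hashlib
import math

# Constructed sample files: name -> (origin domain, target host, content bytes).
BAD_SAMPLE = b"MZ" + b"\x90" * 60 + b"known-bad-marker"
SAMPLES = {
    "invoice.exe":  ("cdn.example.net", "ws17", BAD_SAMPLE),
    "update.bin":   ("badhost.example", "ws42", b"\x00" * 64),
    "report.pdf":   ("partner.example.org", "ws17", b"%PDF-1.4 " + b"plain text body " * 4),
    "brochure.pdf": ("unknown.example", "ws17", b"MZ" + b"\x00" * 40),
    "tool.exe":     ("unknown.example", "ws42", bytes(range(256)) * 2),
}

KNOWN_BAD_SHA256 = {hashlib.sha256(BAD_SAMPLE).hexdigest()}   # stands in for the signature knowledgebase
BAD_ORIGINS = {"badhost.example"}                             # stands in for a reputation feed
TRUSTED_ORIGINS = {"partner.example.org"}                     # clearing on origin is only as good as the feed
HOST_IMAGES = {"ws17": "win7-x64-gold", "ws42": "win81-x86-gold"}  # assumed answer to an ePO host query
DYNAMIC_COST = 100                                            # relative cost units, constructed


def shannon_entropy(data):
    """Bits per byte; packed or encrypted content sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


# Each engine returns (verdict, note); verdict is "malicious", "clean" or "unknown".
def signature_engine(name, origin, data):
    if hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256:
        return "malicious", "hash matches a known sample"
    return "unknown", ""


def reputation_engine(name, origin, data):
    if origin in BAD_ORIGINS:
        return "malicious", f"origin {origin} has a bad reputation"
    if origin in TRUSTED_ORIGINS:
        return "clean", f"origin {origin} is allow-listed"
    return "unknown", ""


def static_engine(name, origin, data):
    notes = []
    ent = shannon_entropy(data)
    if ent > 7.0:
        notes.append(f"high entropy {ent:.2f}: packed or encrypted")
    # A PE header behind a document extension is a conviction on its own.
    if data.startswith(b"MZ") and not name.lower().endswith((".exe", ".dll")):
        return "malicious", "PE executable masquerading as ." + name.rsplit(".", 1)[-1]
    return "unknown", "; ".join(notes)


# Ordered by cost: (engine name, relative cost, function).
ENGINES = [
    ("signature", 1, signature_engine),
    ("reputation", 1, reputation_engine),
    ("static", 10, static_engine),
]


def inspect(name):
    """Run the downselect and report where the file left the pipeline and what it cost."""
    origin, host, data = SAMPLES[name]
    spent, notes = 0, []
    for engine, cost, fn in ENGINES:
        spent += cost
        verdict, note = fn(name, origin, data)
        if note:
            notes.append(f"{engine}: {note}")
        if verdict != "unknown":          # convicted or cleared: stop here
            return {"file": name, "verdict": verdict, "engine": engine,
                    "cost": spent, "notes": notes, "sandbox_image": None}
    # Still unknown: queue for dynamic analysis on the image matching the target host.
    spent += DYNAMIC_COST
    return {"file": name, "verdict": "pending", "engine": "dynamic", "cost": spent,
            "notes": notes, "sandbox_image": HOST_IMAGES.get(host, "generic")}


def inspect_all():
    return [inspect(n) for n in SAMPLES]


if __name__ == "__main__":
    results = inspect_all()
    for r in results:
        print(r["file"], r["verdict"], "via", r["engine"], "cost", r["cost"], r["sandbox_image"] or "")
    full = (sum(c for _, c, _ in ENGINES) + DYNAMIC_COST) * len(results)
    print("total cost", sum(r["cost"] for r in results), "vs", full, "if every file were fully analysed")
```

With these constructed samples only one of five files reaches the dynamic stage, and that one carries the static engine's packing annotation and the gold image for its intended host into the queue, which is the point of the sequence: the expensive step runs on the residue, with context attached.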

Go Ahead, Make My Zero Day Blog Series: Emerging Malware Meets the Evolved Sandbox https://securingtomorrow.mcafee.com/business/optimize-operations/go-ahead-make-zero-day-blog-series-emerging-malware-meets-evolved-sandbox/ https://securingtomorrow.mcafee.com/business/optimize-operations/go-ahead-make-zero-day-blog-series-emerging-malware-meets-evolved-sandbox/#respond Thu, 25 Sep 2014 15:00:17 +0000 http://blogs.mcafee.com/?p=38099 Read our new blog series and uncover your chance to win big!  It’s a contest, and you can play:  We’ll be publishing a series of four blog posts over the next few weeks.  Each post will contain a hidden clue to help you solve the puzzle below.  Track all four clue words over the blog series …

The post Go Ahead, Make My Zero Day Blog Series: Emerging Malware Meets the Evolved Sandbox appeared first on McAfee Blogs.

Read our new blog series and uncover your chance to win big!  It’s a contest, and you can play:  We’ll be publishing a series of four blog posts over the next few weeks.  Each post will contain a hidden clue to help you solve the puzzle below.  Track all four clue words over the blog series to help solve the final puzzle.  Email us <mbnetwork_ips@mcafee.com> the correct answer along with all four clue words and we’ll enter your name in the drawing for a great prize!

The puzzle:  This actor is best known for his roles as an action hero.

How to find today’s clue:

  • The clue word is a movie related to the final answer
  • The clue word has been repeated three times in this blog post.

Keep an eye out for the next blog post and clue in the series, coming Tuesday, Sept 30th!

Contest Prize:  Apple iPad Mini



Blog Series:  Go Ahead, Make My Zero Day
Blog 1 of 4:  Emerging Malware Meets the Evolved Sandbox

In malware security, as in any counter-insurgency, the most dangerous threats are the ones we don’t recognize until they’ve slipped past our defenses and attacked us from within. To paraphrase a former US defense secretary, we face a mix of known threats, unknown threats, and unknown unknown threats, and the unknowns are becoming more unknowable every day. That’s why most security experts believe our defense-in-depth models need still more depth. Unless our systems and data are expendable it’s time to get serious about stopping the zero-day, camouflaged, and evasive attacks that our signature-based defenses are missing, before every information asset is spirited off and sold to the highest bidder.

For many IT organizations, the obvious response to repeat malware penetrations has been an inline sandbox (or a fleet of them), to ferret out the better-concealed attacks. But these devices have hardly proven a panacea. Many deliver mediocre throughput performance, poor integration with other security controls, no automatic blocking, and limited support for incident response and remediation. More seriously, many are easily rendered expendable by a simple execution delay, especially if detected by increasingly sophisticated malware.

The sandbox we really need can’t rely on dynamic analysis alone. It must bring its own stack of layered inspection techniques. It must have the performance to efficiently support security controls across the network from a single central deployment. Finally, it must integrate seamlessly with all front-line gateways and IPS devices to enable instant blocking of newly detected threats and complete remediation of attacks caught within the perimeter.

These requirements were actually the design criteria for McAfee Advanced Threat Defense, and a recent lab evaluation by the Enterprise Strategy Group indicates we’ve successfully hit the mark. ESG analysts performed hands-on testing of McAfee Advanced Threat Defense to validate its ability to find advanced malware, then freeze and fix each threat through integration with other McAfee security solutions. In his report, senior analyst Tony Parker concludes that:

  • McAfee Advanced Threat Defense integrates smoothly into a network environment, with one-click importing of customized gold images and one-step integration with the McAfee Web Gateway and Network Security Platform.
  • Its layered inspection architecture enables efficient, accurate detection and analysis of malware from all vectors.
  • Its integration with other McAfee security products such as the Web Gateway, Network Security Platform, and Global Threat Intelligence enables fast identification and remediation of most threats, leaving fewer objects for the resource-intensive inspections: dynamic analysis and true static code analysis.
  • Target-specific sandboxing, enabled through integration with McAfee ePolicy Orchestrator® software, enables execution behavior analysis under the exact conditions of the intended host and produces accurate results quickly and efficiently.
  • Advanced Threat Defense’s static code analysis is able to unpack and analyze malware code, providing visibility into potential file behaviors that failed to execute during dynamic analysis.

If you’ve been unimpressed by the expendable capabilities of other malware sandbox solutions, the ESG team’s report on McAfee Advanced Threat Defense may be a revelation. You’ll find the full document here.

The Evolution of SIEM: Part 2 https://securingtomorrow.mcafee.com/business/optimize-operations/evolution-siem-part-2/ https://securingtomorrow.mcafee.com/business/optimize-operations/evolution-siem-part-2/#respond Thu, 25 Sep 2014 02:06:08 +0000 http://blogs.mcafee.com/?p=38240 In our last blog, The Evolution of SIEM: Part 1, we briefly touched on the capabilities that make our SIEM solution, McAfee Enterprise Security Manager (ESM), stand out. In this blog, I am going to drill down into the individual capabilities and discuss the benefits of each for you, and your organization. Today’s threat environment …

The post The Evolution of SIEM: Part 2 appeared first on McAfee Blogs.

In our last blog, The Evolution of SIEM: Part 1, we briefly touched on the capabilities that make our SIEM solution, McAfee Enterprise Security Manager (ESM), stand out. In this blog, I am going to drill down into the individual capabilities and discuss the benefits of each for you, and your organization.

Today’s threat environment is anything but stagnant: attacks are increasing in complexity and frequency every day, and enterprise security goals must be reevaluated in order to cope. While a Security Information and Event Management (SIEM) system should be an integral part of your security strategy, traditional SIEM solutions are no match for today’s advanced evasion techniques (AETs).

This is where next-generation SIEM solutions come in. By leveraging the following four key capabilities of a true next-generation SIEM, these solutions are able to deliver situational awareness and faster response times.

Big Data Scalability

Designed for big data speed and volume requirements, next-generation SIEMs can expand data capture with more feeds from more sources. They can process larger, more diverse data sets at high event rates and store billions of logs and flows for real-time data analysis, as well as correlate against historical data to identify indicators of compromise. 

Dynamic Context

Most security professionals focus their monitoring efforts on valuable assets with the highest risk, and advanced SIEM solutions are critical for addressing this security need. By filtering out irrelevant noise, while categorizing external and internal systems based on past behavior, next-generation SIEM solutions are able to zero in on the threat risks that matter most.

Security Analytics

Next-generation SIEMs provide in-depth analytics that can be advanced even further by integrating additional security solutions and pulling in their data, such as vulnerability data. With vulnerability data as an example, such SIEMs are able to map asset vulnerabilities against any confidentiality and integrity factors defined by company policies.

Ease of Use

Next-generation SIEM solutions offer centralized management, allowing for improved accessibility through one web user interface. This makes it easier for IT teams to correlate data, gauge risk or deploy software updates. Integrated tools for configuration and case management coupled with built-in and easily customizable dashboards provide an unparalleled ease of use, further reducing time to investigation and remediation.

As you can see, a SIEM solution can play an important role in making security more strategic and invaluable to your business by enabling faster and smarter threat detection and response times.

To learn more about McAfee’s SIEM solutions and get information on the latest security techniques, explore our SIEM community and follow along with @McAfeeBusiness on Twitter.

For the latest news, product spotlights and technical briefs, check out the McAfee SNS Journal and subscribe to receive monthly updates here.

 

Progress Report: Critical Security Controls Adoption https://securingtomorrow.mcafee.com/business/optimize-operations/sans-critical-security-controls-survey/ https://securingtomorrow.mcafee.com/business/optimize-operations/sans-critical-security-controls-survey/#respond Tue, 09 Sep 2014 22:12:40 +0000 http://blogs.mcafee.com/?p=37875 Today the SANS Institute released its survey on adoption of the Top 20 Critical Security Controls (CSCs) for Effective Cyber Defense. It’s a worthwhile read for CISOs and security analysts charged with overseeing security and risk management. The survey documents adoption highlights and hurdles, primarily experienced by financial services and government organizations. Three sets of findings …

The post Progress Report: Critical Security Controls Adoption appeared first on McAfee Blogs.

Today the SANS Institute released its survey on adoption of the Top 20 Critical Security Controls (CSCs) for Effective Cyber Defense. It’s a worthwhile read for CISOs and security analysts charged with overseeing security and risk management. The survey documents adoption highlights and hurdles, primarily experienced by financial services and government organizations. Three sets of findings underscore the importance of “horizontal” elements that act across infrastructure and organizational silos. First, the top measured benefits all pay off the most when systems and data are unified:

  • 24% cite clearer visibility as their top improvement
  • 16% cite improvements to overall risk posture, vulnerability reduction, and compliance improvements
  • 11% cite detecting advanced attacks as an area of improvement

Secondly, the issues that are holding people back the most are often best addressed by integration and automation across controls:

[Graph 1]

Finally, the survey also examined the steps organizations had taken to adopt the controls, and I was struck in particular by the top technologies that were added. SIEM, vulnerability management, and threat intelligence are all capabilities that concentrate insights to make decision-making easier. The latest incarnations of these capabilities substantially advance an organization’s ability to automate decisions with confidence. [Read my Black Hat blog for more on this topic.]

[Graph 2]

This emphasis on horizontal integration across point defenses is a great sign of the maturation of risk management. It matches our discussions with customers who have indicated that the more optimized and integrated a security architecture is – an approach we call Security Connected – the less organizations spend on security operations while still achieving a better risk posture.

A final comment: I’m pleased to point out that McAfee, now part of Intel Security, contributes its expertise to support development and maintenance of the CSCs as an industry framework. As the 2014 SANS Critical Security Controls poster shows, we also offer the broadest available product support for the controls directly, and we team with partners to provide complete coverage. Download your copy of the survey, our CSC white paper, and more at mcafee.com/securityconnected.

[Graph 3]

In New Brunswick, life is SIEM-ple. https://securingtomorrow.mcafee.com/business/optimize-operations/new-brunswick-life-is-siem-ple/ https://securingtomorrow.mcafee.com/business/optimize-operations/new-brunswick-life-is-siem-ple/#respond Tue, 09 Sep 2014 13:00:48 +0000 http://blogs.mcafee.com/?p=37826 What do you do when: You are the source for security goals, processes, and reports for 33 different business units? Everyone has your mobile number in their cell phone under “crisis management”? But you don’t actually own all the resources required to maintain the peace? You buy a world-class SIEM. In June, Jamie Rees, the …

The post In New Brunswick, life is SIEM-ple. appeared first on McAfee Blogs.

What do you do when:

  • You are the source for security goals, processes, and reports for 33 different business units?
  • Everyone has your mobile number in their cell phone under “crisis management”?
  • But you don’t actually own all the resources required to maintain the peace?

You buy a world-class SIEM.

In June, Jamie Rees, the Director of Information Assurance & CISO, Province of New Brunswick, presented “SIEM in Incident response” at the Gartner Security Summit. With the availability of this new case study, his wisdom is available to everyone.

The New Brunswick SIEM deployment serves both strategic and tactical goals: it helps Mr. Rees educate the stakeholder organization about risks in the context of each department’s balanced scorecards, and also dig directly into data to assemble cogent pictures of risk and security posture. The combination helps his team of three guide response and priorities during breaking events such as this spring’s Heartbleed announcement. Rees says,

“Very early, we were able to tune McAfee Enterprise Security Manager to help determine if any potential exploit traffic was infiltrating our network. This was a huge boon to our operation because it enabled us to be proactive and have mitigations and workarounds in place before Heartbleed ever became a threat, and we could show management that we were well-prepared.”

Rees is one of the visionary CISOs leading the use of Security Information and Event Management (SIEM) for continuous incident response. This trend was recently validated in a McAfee-cosponsored SANS Institute survey on incident response:

“When asked about the areas of their organizations’ IR process they planned to improve upon over the next 24 months, a full 68% of participants indicated they plan more integration with the SIEM. Improved visibility into threats and vulnerabilities was the second most frequent improvement, cited by 59% of respondents.”


Actually, Rees uses the McAfee Enterprise Security Manager to help with both of the top improvements survey respondents listed – automation and integration of IR processes via SIEM and visibility into threats and vulnerabilities. Here’s his description:

“With McAfee SIEM, we have the ability to generate comprehensive and up-to-the-minute data about our overall security situation, but without the right team, data is just data. We have a fantastic group of security professionals working at all levels in our government, and McAfee SIEM solutions help them use their skills to the utmost to keep our entire network safe.”

The ability to integrate, normalize, correlate, and make sense of vast volumes of data is one reason the McAfee Enterprise Security Manager continues to occupy a leader position in the Gartner Magic Quadrant for SIEM.

If you can’t use this as an excuse to road trip to gorgeous eastern Canada, please read about Jamie’s experiences in the case study.

To learn more about what McAfee SIEM has to offer, follow @McAfeeSIEM on Twitter, or explore our SIEM community blog to get the latest techniques to protect your organization.

McAfee Earns a Place in the Leaders Quadrant for Security Information and Event Management https://securingtomorrow.mcafee.com/languages/espanol/mcafee-ocupa-un-lugar-en-el-cuadrante-de-lideres-para-informacion-de-seguridad-y-administracion-de-eventos/ https://securingtomorrow.mcafee.com/languages/espanol/mcafee-ocupa-un-lugar-en-el-cuadrante-de-lideres-para-informacion-de-seguridad-y-administracion-de-eventos/#respond Mon, 25 Aug 2014 13:08:31 +0000 http://blogs.mcafee.com/?p=37491 In June, Gartner, Inc. published its annual Magic Quadrant report for the security information and event management (SIEM) category, which evaluates vendors offering SIEM products on their ability to execute and their completeness of vision. And this year, McAfee holds a place in the Leaders quadrant. At a …

The post McAfee Earns a Place in the Leaders Quadrant for Security Information and Event Management appeared first on McAfee Blogs.

In June, Gartner, Inc. published its annual Magic Quadrant report for the security information and event management (SIEM) category, which evaluates vendors offering SIEM products on their ability to execute and their completeness of vision. And this year, McAfee holds a place in the Leaders quadrant.

At a time when the threat landscape keeps growing at an incredible pace, organizations must become more agile to improve early detection. It is no longer a question of anticipating the possibility of a security attack; it must now be taken as certain that one will occur, which means IT security teams must be able to analyze security event data in real time, and also collect, store, analyze and report the data recorded when an incident occurs. These new challenges and regulatory compliance requirements have driven increased adoption of SIEM technologies.

One of the most important capabilities SIEM vendors need to offer enterprises is early discovery of attacks, and at McAfee we know that achieving this requires monitoring real user activity, data access and application activity. To fight the spectres of advanced evasion techniques (AETs) and advanced persistent threats (APTs), SIEM solutions must include a combination of real-time security monitoring, historical analysis and incident investigation support, as well as compliance reporting tools.

Aware of the nature of these next-generation cyberthreats, we have taken a different approach to SIEM with the McAfee Enterprise Security Manager (ESM) solution. In addition to security information management (SIM) and SEM functions, we also offer a series of complementary products and an extensive security portfolio to give customers better context on vulnerabilities and endpoints, as well as automated response and blocking.

  • Monitor database and application activity at the packet level with the Database Event Monitor (DEM) and Application Data Monitor (ADM) add-ons.
  • Use flow-data and statistical-anomaly monitoring on big-data Hadoop connectors to populate watchlists for use in correlation and to feed SIEM data queries.
  • Meet the monitoring requirements for database applications and industrial control systems with the new McAfee ESM compliance reporting suite.

For more information on the benefits McAfee® ESM can bring to your business, visit our website and read the full Gartner report here.

For more, follow @McAfee_BrCorp on Twitter.

[Figure: Gartner Magic Quadrant for Security Information and Event Management]

Gartner, Inc., “Magic Quadrant for Security Information and Event Management,” by Kelly M. Kavanagh, Mark Nicolett, Oliver Rochford June 25, 2014. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from McAfee. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

How McAfee SIEM Helped Cologne Bonn Airport’s Security Take Flight https://securingtomorrow.mcafee.com/business/optimize-operations/mcafee-siem-cologne-bonn-airport/ https://securingtomorrow.mcafee.com/business/optimize-operations/mcafee-siem-cologne-bonn-airport/#respond Wed, 20 Aug 2014 13:00:01 +0000 http://blogs.mcafee.com/?p=37404 Timing is everything in an airport and to handle the growth in travelers and airlines at Cologne Bonn, the IT infrastructure includes several large networks and various system architectures, which must be harmonized and centrally operated. Cologne Bonn is a thoroughly modern airport that has many advanced procedures in place to help them manage everything efficiently. …

The post How McAfee SIEM Helped Cologne Bonn Airport’s Security Take Flight appeared first on McAfee Blogs.

Timing is everything in an airport. To handle the growth in travelers and airlines at Cologne Bonn, the IT infrastructure includes several large networks and various system architectures, which must be harmonized and centrally operated. Cologne Bonn is a thoroughly modern airport that has many advanced procedures in place to help it manage everything efficiently. This proactive approach to handling a high volume of flights and passengers is the same approach that Cologne Bonn Airport needed in its own IT infrastructure.

However, whenever Cologne Bonn’s IT team needed to generate a risk analysis and process security incidents, they found that correlating existing information was virtually impossible. Instead, the team had to identify potentially vulnerable areas and manually assign them to relevant information systems, which made complying with IT security requirements a difficult and manual process. Precious seconds lost in chasing down security data was something that Cologne Bonn could not afford.

René Koch, IT Security Manager at Cologne Bonn, needed a solution that would improve the security and usability of the airport’s networks. Increased transparency would make the IT landscape more controllable and allow the team to determine the status of its security posture in near real time. The information also needed to be partially controlled, influenced and documented via a central dashboard.

With this in mind, Cologne Bonn Airport chose McAfee Enterprise Security Manager (ESM) to centralize and manage its security investigations, response, and compliance needs. McAfee ESM fulfilled the requirements for robust reports and offered the IT team the ability to react to security incidents quickly.

Once McAfee ESM was implemented, Cologne Bonn gained visibility into the relevant events on their computer network, and further allowed teams to customize the McAfee ESM security dashboard to suit their individual needs.

“It saves time during ongoing operations and allows teams to focus on training on one solution,” said René Koch.

Additionally, by integrating McAfee ESM with McAfee Vulnerability Manager and McAfee ePolicy Orchestrator (McAfee ePO), Cologne Bonn Airport was able to identify security vulnerabilities faster and more accurately, as well as combat IT threats in a targeted manner. With these integrated McAfee solutions in place, administrators are now always informed about potential security-related incidents.

McAfee helped Cologne Bonn Airport create a comprehensive solution to manage security information and network events, while at the same time simplifying the controls of their complex IT infrastructure.

“Security is the highest priority at an airport and McAfee is an important partner for us in this regard. McAfee ESM helps us to create transparency and to control our IT according to the requirements,” said René Koch.

Read more about how McAfee helped Cologne Bonn Airport optimize its IT security in this case study.

To learn about what McAfee SIEM has to offer, follow @McAfeeSIEM on Twitter, or explore our SIEM community blog to get the latest techniques to protect your organization.

The Evolution of SIEM: Part 1 https://securingtomorrow.mcafee.com/business/optimize-operations/evolution-siem-part-1/ Thu, 07 Aug 2014 13:00:47 +0000

The post The Evolution of SIEM: Part 1 appeared first on McAfee Blogs.

They say you can’t teach an old dog new tricks—or can you? The technology landscape has changed dramatically over the last 10 years, and many security approaches organizations previously relied on are no match for today’s advanced threats. Tools like Security Information and Event Management (SIEM) have become critical to securing an increasingly complex network infrastructure.

Understanding how SIEM has evolved over time is crucial to developing effective security and risk management strategies that align with business priorities and can better accommodate distributed IT, cloud, and virtual environments.

Previously, SIEM was a two-blade solution that consisted mainly of log collection and compliance reporting. Today, SIEM solutions act as a Swiss Army knife, collecting, storing, normalizing, correlating, and analyzing data from dozens of security and network devices, and providing security intelligence as well as a baseline of typical network behavior.

The basics are no longer enough, however, and next-generation SIEM solutions must have expanded feature sets to provide greater business value.

With this in mind, I’m excited to kick off the Evolution of SIEM series to share how SIEM can become an integral part of a larger security program. Over the following weeks, I will highlight how the latest McAfee SIEM solution, Enterprise Security Manager (ESM), can improve big data security, situational awareness, detection of advanced evasion techniques, and incident response times.

As businesses face more targeted and persistent threats, a trusted SIEM solution can be an essential security component, critical to detecting and mitigating those risks.

Stay tuned for the next installment, where we will discuss the capabilities that make the McAfee SIEM solution stand out.

In the meantime, be sure to check out the McAfee SNS Journal for technical briefs, news, and product spotlights. Subscribe for monthly updates here.

See what McAfee has to offer by following @McAfeeSIEM on Twitter, and explore our SIEM community to get the latest techniques to protect your organization.

Continuous Incident Response https://securingtomorrow.mcafee.com/business/optimize-operations/continuous-incident-response/ Tue, 15 Jul 2014 13:00:02 +0000

The post Continuous Incident Response appeared first on McAfee Blogs.

At last week’s Gartner Risk and Security Management Summit, Anton Chuvakin mentioned that 1-3% of systems are compromised today. He called it “a low intensity fire, not a conflagration.” This seemed like a great analogy for our challenge with incident response. As a security industry—indeed, as a society—it’s much more straightforward to detect, contain, and clean up after a five-alarm blaze than to catch a subtle and determined arsonist. We are better at putting out forest fires than dealing with water restrictions. We pay for emergency room care and don’t cover preventative care and early diagnosis.

Incident response creates heroes and stories to tell at the next happy hour. It also leaves permanently scarred victims, both corporate and individual.

We’ve already had lots of victims this year. What’s a better way?

I was struck by the term “Continuous Response” used by several analysts last week, including Eric Ahlm, Neil MacDonald, and Mr. Chuvakin. The term takes the federal government’s initiatives for Continuous Monitoring/Continuous Diagnostics and Mitigation and goes one step farther. Now that you can see what is happening, what can you do about it?

The idea is that you create a continuous loop of sensors, skills, and systems, perpetually iterating through short, efficient cycles, learning and capturing intelligence as you act. Instead of working in parallel universes, cyberforensics investigators wielding EnCase and their cyberhistorian colleagues wielding SIEM solutions connect this data and process it together with aggressive analytics and contextual intelligence to create cyberhunters. These people, enabled but not replaced by systems, can work continually to detect anomalies and “footprints” and piece together motive and opportunity into an actionable—and disruptable—image of an attack.

It seems clear that the data and process glue for continuous incident response will build on security management infrastructure. With 15 years of security management success in McAfee ePolicy Orchestrator allied with our leadership-recognized SIEM and innovative Threat Intelligence Exchange and Advanced Threat Defense, McAfee has an exceptional set of resources to help security innovators move to continuous incident response. If you aren’t too busy putting out conflagrations, this is a good time for some summer reading.

Related Endnotes:

  • Chuvakin’s SIEM MQ blog makes some great points about SIEM’s expanding role in incident response.
  • McAfee customer Jamie Rees, CISO for the Province of New Brunswick, presented a SIEM in incident response case study at the Gartner event.
  • Most targeted attacks start with phishing. Phishing URLs were up 25% in Q1 2014, according to the latest McAfee Labs Threats Report.

CISO: The New CSIS and McAfee Study on the Global Cost of Cybercrime, and the Implications for Your Company https://securingtomorrow.mcafee.com/languages/espanol/ciso-el-nuevo-estudio-sobre-el-costo-global-de-la-ciberdelincuencia-y-las-implicaciones-para-su-empresa/ Thu, 10 Jul 2014 12:00:16 +0000

The post CISO: The New CSIS and McAfee Study on the Global Cost of Cybercrime, and the Implications for Your Company appeared first on McAfee Blogs.

Would you like to give your executives a quantified picture of cybercrime risk? A new study by McAfee and the CSIS (Center for Strategic and International Studies) puts bounds on, and applies a detailed methodology to, a topic that is very prone to exaggeration. This in-depth analysis, sponsored by McAfee, assembles a global assessment of the tangible costs, in financial terms and in jobs, of criminal activity on the Internet.

If your company’s plans include growing through:

…Digitization, or digital transformation: cybercrime extracts between 15 and 20% of the value created by the Internet. Extrapolating the results, 1 in every 5 or 6 Internet-focused companies or new lines of business will fail because of scams and data theft.

…Globalization: developing countries are disproportionately vulnerable and often very immature in protecting their Internet security infrastructure and their intellectual property. The design and success of your services may therefore be affected.

If a good part of your business’s value and market share depends on protecting intellectual property, such as source code, product design documents or chemical structures:

…theft of intellectual property is the most significant impact of cybercrime on companies. In sectors where intellectual property is easy to put into use, such as industrial design or pharmaceutical formulas, intellectual property is attacked more often and monetized more quickly.

…hackers target start-ups and business ventures that create innovation, as well as large, prestigious corporations. Theft of intellectual property by cybercriminals affects a company’s health, competitiveness and market position, in a process the report calls “innovation cannibalism”.

If financial transactions are part of your business operations:

…there is a perception that financial fraud goes unpunished, which makes it the second largest source of losses from cybercrime. The largest incidents can reach 100 million dollars, but in this business even petty thefts add up to large sums; some of them reach hundreds of millions in many countries. The report documents widespread under-reporting, so these loss figures may be underestimates.

…This really is organized crime. “There are between 20 and 30 cybercrime groups with nation-state-level capabilities. These groups demonstrate again and again that they can defeat almost any cyberdefense. Financial crime in cyberspace occurs on an industrial scale.”

…And it is not only organized: the cybercrime industry is mature and has an impact comparable to that of drug trafficking and financial crime. In the CSIS study, cybercrime ranks behind drug trafficking and counterfeiting/piracy in its effect on GDP. For perspective, according to estimates from the OECD (Organisation for Economic Co-operation and Development), counterfeiting and piracy have cost companies up to 638,000 million dollars (638 billion) a year.

[Image: MX CSIS Table]

If these figures make you think your company should go into cyberespionage, the report offers a deterrent: the cybercrime business never matures its knowledge and discipline in research and development, which leaves it unable to build businesses based on innovation and intellectual property.

To read the full report, visit: http://www.mcafee.com/mx/resources/reports/rp-economic-impact-cybercrime2-summary.pdf

McAfee Named a Leader in Gartner Magic Quadrant for Security Information and Event Management https://securingtomorrow.mcafee.com/business/optimize-operations/mcafee-leader-in-gartner-magic-quadrant-siem/ Tue, 08 Jul 2014 13:00:57 +0000

The post McAfee Named a Leader in Gartner Magic Quadrant for Security Information and Event Management appeared first on McAfee Blogs.

In June, Gartner, Inc. published its annual Magic Quadrant for Security Information and Event Management (SIEM), which evaluates vendors who offer SIEM products on both the ability to execute and completeness of vision. And this year, McAfee holds a spot in the leader’s quadrant.

As the threat landscape continues to expand at an astounding rate, organizations need to be even more nimble when it comes to early detection. A security breach is no longer a question of if, but when—meaning IT security teams must be able to analyze security event data in real time, in addition to collecting, storing, analyzing and reporting on log data after an incident has occurred. The increased adoption of SIEM technology is being driven by these new challenges and by compliance requirements.

Early breach discovery is one of the most important features SIEM vendors need to offer businesses, and at McAfee we understand that achieving this requires effective user activity, data access and application activity monitoring. To combat the looming specters of advanced evasion techniques (AET) and advanced persistent threats (APT), SIEM solutions must include a combination of real-time security monitoring, historical analysis, and support for incident investigation and compliance reporting tools.

With these next-generation cyber threats in mind, we took a different approach to SIEM with the McAfee Enterprise Security Manager (ESM) solution. In addition to the security information management (SIM) and security event management (SEM) functions, we also offer a range of specialized add-on products and an extensive security portfolio to give customers better context around vulnerabilities, endpoints, and automated response and blocking.

  • Monitor database and application activity at the packet level by using the Database Event Monitor (DEM) and Application Data Monitor (ADM) add-ons.
  • Use flow data and statistical anomaly tracking in big data Hadoop connectors to populate watch lists for correlation and enrich SIEM data queries.
  • Stay in line with requirements for database application monitoring and industrial control systems with the new suite of regulatory compliance reports for McAfee ESM.

To learn more about how McAfee® ESM can benefit your organization, visit our website and read the full Gartner report here.

[Image: SIEM_MQ]

Gartner, Inc., “Magic Quadrant for Security Information and Event Management,” by Kelly M. Kavanagh, Mark Nicolett, Oliver Rochford June 25, 2014. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from McAfee. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Understanding The Ever-Changing Security Landscape https://securingtomorrow.mcafee.com/business/dynamic-endpoint/understanding-security-landscape/ Tue, 08 Jul 2014 13:00:50 +0000

The post Understanding The Ever-Changing Security Landscape appeared first on McAfee Blogs.

Since starting my career at McAfee in 2002, I have seen so many changes within the company and the security industry at large. New technologies have transformed the relationship between enterprises, their employees, and their critical systems—for better or for worse. And in my role overseeing McAfee’s Security Management business, I have had the opportunity to be on the ground floor of each new milestone. Working with my team and partners to drive innovation and worldwide growth for this area of the business, I have had a front seat to these changes and how they have impacted our customers and partners. Some of the most notable changes have been around the Mobile and Security Information and Event Management (SIEM) industries, with McAfee spearheading the services built to address each new threat.

When I began working with McAfee customers to develop their SIEM solutions 12 years ago, SIEM served as more of a box to check than an essential tool for fighting cybercrime. SIEM used to be synonymous with log management and was only really implemented for security audit purposes. That isn’t the case anymore, and many organizations are using SIEM solutions to better secure their networks and meet compliance mandates within the confines of tight security budgets and limited resources.

Today, Advanced Persistent Threats (APT) and zero-day exploits alone have made the monitoring and management capabilities that SIEM provides a necessity. Companies can use the valuable information provided to take action on anomalies and prepare against new attacks. As SIEM adoption becomes more widespread, from enterprises down to small and medium-sized businesses, having that information work in tandem with other security systems will be crucial to managing risk.

Much like SIEM, the Mobile space has also changed drastically—going from disparate devices and management to an interconnected system with the rapid adoption of smartphones, tablets, wearables, smart sensors, etc. Previously, PDA protection was the only mobile security needed, but now that devices of all forms and operating systems can connect to enterprise applications and data, increased visibility is crucial. IT teams must be able to see what devices are accessing the enterprise and what they are doing with corporate data on and off the network in order to prevent mission critical information from being compromised.

McAfee has been there since the beginning of these paradigm shifts, providing advanced security platforms that extend to every endpoint available today. Previously, SIEM and Mobile did not have much in common, but the information that each provides linked together through the McAfee Security Connected framework can have a huge impact on our customers’ security today and into the future.

I am excited to take on this new task, in upcoming blogs, to explore how unified solutions can help businesses defend against ever-changing cyber threats, as well as key trends related to SIEM, Risk Management, Vulnerability Management, Policy Compliance, Mobility with Internet of Things (IoT), and Security-as-a-Service.

Tune in for my next post and stay on top of the latest enterprise security threats by following @McAfeeBusiness on Twitter.

How Volusion Used McAfee SIEM to Meet New Security Needs https://securingtomorrow.mcafee.com/business/optimize-operations/volusion-security-mcafee-siem/ Tue, 01 Jul 2014 13:00:28 +0000

The post How Volusion Used McAfee SIEM to Meet New Security Needs appeared first on McAfee Blogs.

As a leader in e-commerce solutions, Volusion not only has to manage its own endpoints, but also those of its 40,000 customers worldwide. Online shopping is now a major aspect of global retail sales culture, and criminals are naturally following the money. While network security should be a crucial part of every business, e-commerce providers deal in some of the most valuable data—customer credit card numbers and personally identifiable information (PII), which is regulated by strict PCI compliance standards for retailers.

With this dilemma in mind, Volusion turned to McAfee to replace its aging security management solution, which lacked the ability to handle the company’s current growth. Volusion’s information security manager, Lance Wright, realized that they needed a tool that would quickly and cost-effectively scale as the business expanded. After exploring several of the available options, Wright chose the McAfee® Security Information and Event Management (SIEM) solution, McAfee Enterprise Security Manager (ESM), to better accommodate the company’s network and growing customer base.

With help from the McAfee support team, Volusion was able to implement a comprehensive system that could monitor all web application servers, database servers, and mail controllers in a stack, as well as offer both defensive and offensive security strategies. Additionally, they were able to translate rules from the previous solution to McAfee ESM and add new data centers as needed.

“We’re able to use the McAfee SIEM to quickly and cost-effectively scale to meet growth, which is key,” said Wright.

Once implemented, McAfee ESM helped Wright continue to meet compliance requirements and improve the quality of reporting data. McAfee ESM’s automated intelligence actions even helped them to reduce management time and improve operational efficiency by 40% overall.

Speed was a key factor when choosing a new SIEM solution, and creating a scalable alternative that matched Volusion’s needs was made possible by utilizing McAfee’s Security Connected framework. Event, threat, and risk data work together to provide Wright and his team with key security intelligence and flexibility. McAfee ESM is tightly integrated with other high-performance products like McAfee ePolicy Orchestrator (McAfee ePO), McAfee Risk Advisor, and McAfee Global Threat Intelligence to protect businesses and state governments alike.

Read more about how McAfee helped Volusion create comprehensive and scalable security here and visit the McAfee Service Portal for SIEM support.

To learn about what McAfee SIEM has to offer, follow @McAfeeSIEM on Twitter, or explore our SIEM community site to get the latest techniques to protect your organization.

Eat or be Eaten: How Tomorrow’s IT Threats will Shape Enterprise Security https://securingtomorrow.mcafee.com/business/optimize-operations/tomorrows-threats-shape-security/ Wed, 25 Jun 2014 13:00:33 +0000

The post Eat or be Eaten: How Tomorrow’s IT Threats will Shape Enterprise Security appeared first on McAfee Blogs.

Effective network security doesn’t focus on today’s threats, it focuses on tomorrow’s. That’s because cyber threats, from malware to botnets, are constantly evolving. To meet that challenge, enterprise solutions have to move even faster.

McAfee ePolicy Orchestrator 5.1 is the latest real-time security solution that offers the power, sophistication, and scalability organizations need in a comprehensive endpoint defense system. Real-time tools help your frontline security responders see the state of endpoints in seconds, analyze advanced threats, and scale with the IT footprint of your organization.

The future of IT will have to depend on the evolution of security to deal with tomorrow’s threats. Today’s IT space is dealing with the consequences of device and cloud sprawl, which enables hackers to take advantage of multiple attack vectors simultaneously. In the very near future, organizations will have to reconcile their security solutions with an endpoint explosion fueled by the Internet of Things, multiple devices per user, and the proliferation of Bring Your Own Devices and Apps.

With an ever-increasing number of threats, IT teams have their work cut out for them. In 2014, mobile malware is expected to drive the overall volume of attacks in the malware market. In fact, enterprises face 152 new threats a minute, yet less than 10% have a security budget allocated to rapid detection and response. As a result, 66% of breaches will remain undiscovered for months or more.

These threats are only going to grow, especially as nation states and wealthy private individuals increasingly fund hacker groups. Everything from digitally signed malware to attacks requiring sandboxing tools is already in the wild. IT departments will also have to contend with self-deleting malware and malware that makes legitimate applications behave badly.

So how can organizations defend themselves against the future of malware and advanced persistent threats? Well, the answer is to have an advanced security solution built for tomorrow’s IT environment. By utilizing a real-time security product to see what’s happening now, rather than what happened in the past, IT teams can stay one step ahead. The latest update to McAfee® ePolicy Orchestrator® (McAfee ePO), version 5.1, is designed to meet these security challenges through an easy-to-navigate interface with role-based access to prevent backlog and greatly improve operational efficiency.

[Image: infographic-real-time-security]

Head to http://www.mcafee.com/ePO for more information about McAfee ePO 5.1 and check out our McAfee Real Time Command video here.

How The State of Colorado Secured its Infrastructure with McAfee SIEM https://securingtomorrow.mcafee.com/business/optimize-operations/colorado-secured-infrastructure-mcafee-siem/ Wed, 18 Jun 2014 13:00:05 +0000

The post How The State of Colorado Secured its Infrastructure with McAfee SIEM appeared first on McAfee Blogs.

We at McAfee obviously believe that Enterprise Security Manager (ESM), our Security Information and Event Management (SIEM) solution, is a fantastic tool to help harden networks from cyber attacks. Corporations trust us to deliver the clearest picture of their network’s security in an instant. Taking this reputation a step further, we are now working with state governments – who often operate with limited budgets and staff resources – to develop comprehensive security plans that address their unique needs. With this in mind, the state of Colorado serves as one of our best SIEM success stories to date.

When Jonathan Trull accepted his place as Chief Information Security Officer for the Governor’s Office of Information Technology in Colorado, he was tasked with updating the governor’s IT security department. Trull had a $6,000 budget to work with — for the entire state.

This would be a difficult task for anyone, but complicating matters was the National Institute of Standards and Technology’s security control framework — the NIST 800-53 — which contained guidelines that were hard to implement with a limited staff and a limited budget. What Trull needed was a tool enabling situational awareness to reduce risk while still complying with regulations like PCI and HIPAA.

“From my position, what I seek more than anything is situational awareness in real time,” Trull said. “I knew if I could get the money and the tools, I could achieve greater risk reduction.”

Trull found his solution with McAfee ESM. McAfee ESM was the only product that met all of his criteria while allowing data to integrate into one dashboard. This streamlined control enabled better practices, helping to protect the state of Colorado’s systems from cyber attacks.

The McAfee team, working with the Governor’s Office of Information Technology (OIT), took inventory of Colorado’s technologies, mapped where the state’s security infrastructure fell short and how it could improve, and then struck a deal to provide flexible McAfee product licensing and three years of on-site consultation.

That consultation started with the Council on Cyber Security’s Top 20 Critical Security Controls — important standards for every organization looking to harden its network against attacks. With McAfee’s guidance, OIT started with the first five controls:

  • Inventory of authorized and unauthorized devices
  • Inventory of authorized and unauthorized software
  • Secure standard configurations for devices
  • Continuous vulnerability assessment and remediation
  • Malware defenses

Combined with 15 products addressing the Top 20 Critical Security Controls, OIT used the McAfee SIEM solution to establish a secure network, giving Trull the situational awareness he needed along with the decision-making guidance that helps teams protect networks and stay compliant.

Part of creating a comprehensive security solution tailored to Colorado’s needs was tapping into McAfee’s Global Threat Intelligence network. Through our high-performance SIEM solution, organizations have the ability to locate and respond to malicious activity in real time. With McAfee’s centralized dynamic dashboard, event, threat, and risk data worked together to provide Trull and his team with key security intelligence without the bulk of bolted-on solutions. As part of the Security Connected framework, McAfee ESM tightly integrates with McAfee ePolicy Orchestrator (McAfee ePO) software, McAfee Risk Advisor, and Global Threat Intelligence to protect mission-critical systems of top companies and state governments.

Read more about how McAfee helped the State of Colorado lock down its networks in the whitepaper here.

To learn about what McAfee SIEM has to offer, follow @McAfeeSIEM on Twitter, or explore our SIEM community blog to get the latest techniques to protect your organization.

Enable Security Teams to Succeed with McAfee SIEM (Portuguese-language post, translated) https://securingtomorrow.mcafee.com/languages/portugues/capacite-os-times-de-seguranca-para-que-tenham-sucesso-com-o-siem-da-mcafee/ Mon, 09 Jun 2014 11:00:11 +0000

The post Enable Security Teams to Succeed with McAfee SIEM (Portuguese-language post) appeared first on McAfee Blogs.

No responsible pilot would ever take off without first going through a complete pre-flight checklist. It can be time-consuming, but it is absolutely necessary. It is the visual tool needed to make sure that all the controls are in order and that the crew has a smooth flight. If something is wrong, the checklist helps correct it.

The same principle applies to IT security: administrators need a guide to make sure that all of the organization’s controls are in the right place. If the gauges indicate a policy or security violation, that guide needs to signal the danger to the administrator instantly. McAfee Security Information and Event Management [SIEM] is that guide: it helps security professionals consolidate the tools needed to dynamically monitor security events in real time, not after the fact.

Perhaps that is why Edward Pardo, Senior IT Security Engineer at Roswell Park Cancer Institute, cited McAfee SIEM as one of his favorite IT products.

“I’m a visual person, and the ability to represent IT data as a dynamic dashboard is a vast improvement over previous methods,” Pardo told networkworld.com. “The time saved in processing raw IT data into actionable events allows us to focus on other important business objectives.”

It is about having the right information within reach before a security event grows larger. McAfee Enterprise Security Manager makes compliance management easy with dashboards, audit trails and reports. Our Unified Control Framework also lets administrators report on their policies against more than 240 global control frameworks and regulations. All of this is managed through a centralized, customizable dashboard that processes the data so that your IT team does not have to. This feature saves time and effort.

Just like the pre-flight checklist, having the right awareness and monitoring is essential to any effective security program. With McAfee, you always have your dynamic checklist at your side.

To learn more about how McAfee can help your security teams move forward, follow @McAfee_BrCorp on Twitter.
McAfee Advanced Threat Defense Lures then Catches Spear Phishing Malware https://securingtomorrow.mcafee.com/business/optimize-operations/mcafee-advanced-threat-defense-lures-catches-spear-phishing-malware/ Thu, 29 May 2014 15:00:42 +0000

The post McAfee Advanced Threat Defense Lures then Catches Spear Phishing Malware appeared first on McAfee Blogs.

I meet with an impressive set of customers on a weekly basis and I find those interactions educational, but also exciting. They give me a better understanding of their pain points and perspective, and help me set our team’s strategy. One area that continues to baffle me is the lack of awareness around the advancements in email security. I have found that more often than not, customers view email security as a “commodity,” as they are thinking simply of spam protection. The reality is that the email challenge is no longer about spam, which is a relatively well-known science; it’s about spear phishing. Although not new, spear phishing has grown in sophistication and frequency during the last few years. Most attacks, especially those targeted at a specific organization, enter primarily through email. In fact, Network World recently reported that 95 percent of all attacks on enterprise networks are the result of successful spear phishing.

At McAfee, what we’re finding is that human beings are the missing security link when it comes to traditional email protection. When a threat like phishing comes into the organization through email, it’s often so authentic-looking that it’s nearly impossible for the average employee to detect until it’s too late. My team recently designed and promoted a Phishing Quiz to raise awareness of the sophistication of these attacks and the dangers behind a naïve click. To evade detection, these messages use sophisticated social engineering and advanced malware to be convincing and to carry a payload that traditional solutions cannot detect. I took the quiz and was fascinated by how authentic these phishing emails can look and how easily we can be socially engineered into clicking a link with devastating potential.

While we work hard to help educate the public about online security and safety, we understand that even the most seasoned security experts cannot always identify fake emails. That’s why we’ve invested in technology and development that can do that for our customers and our consumers. McAfee recently unveiled its latest defense against advanced malware: McAfee Advanced Threat Defense. This solution is built on the technology we gained from the acquisition of ValidEdge and combines sandboxing and in-depth static code analysis with the McAfee emulation engine, antivirus technology, and global reputation feeds. The result is an approach to stealthy malware detection that identifies sophisticated, hard-to-detect threats by running suspected malware in a sandbox, observing its behavior, analyzing the code and assessing the potential impact the malware may have on an endpoint and a network.

This Advanced Threat Defense technology, and our strategy to integrate it with our core security products, is our answer to protecting organizations from advanced malware delivered through virtually any protocol. Along with the integration into our IPS solution and our Web Gateway, we now have Advanced Threat Defense technology integrated with our Email Gateway, which protects our customers against threats like spear phishing. To detect stealthy attacks, McAfee Email Gateway runs in-band threat detection and sends the remaining suspicious files to Advanced Threat Defense for further analysis.

The bottom line: messages that carry malware, such as spear phishing emails, no longer reach the end user, because this tight integration allows Advanced Threat Defense to inform the email gateway of the threat. McAfee Email Gateway can then immediately block the message. This is a closed-loop approach to malware detection and response that eliminates the need for manual intervention. Unlike most standalone sandboxing technology, McAfee Advanced Threat Defense finds advanced malware and works with other McAfee solutions to freeze the threat and fix impacted systems. Find. Freeze. Fix. That’s innovation.

At McAfee, we are steadfast in our belief that a complete layered solution is critical to the foundation of an advanced malware detection infrastructure – with McAfee Email Gateway being just one piece of the ideal infrastructure to detect advanced malware. You can find out more about our other network security defenses on www.mcafee.com, and to help keep organizations educated and up-to-date on how our Email Gateway plus Advanced Threat Defense stops sophisticated malware in email, we’ve created resources that you can access here.

SIEM Basics Change as Fast as Malware – Get up to Speed with Securosis and McAfee https://securingtomorrow.mcafee.com/business/optimize-operations/siem-basics-change-fast-malware-get-speed-securosis-mcafee/ Wed, 28 May 2014 23:14:19 +0000

The post SIEM Basics Change as Fast as Malware – Get up to Speed with Securosis and McAfee appeared first on McAfee Blogs.

Like all technologies, SIEM must adapt to the environment surrounding it. If SIEMs are left without updates or review, companies run the risk of having critical data stolen, compromised or both. But reviewing and updating SIEM isn’t as complicated as it’s perceived.

On our live webcast on May 14th, the Securosis team and McAfee guided attendees through the latest in reviewing, procuring and updating SIEM solutions.

The webcast discussed how companies could securely update their SIEM solution based on Securosis’ white paper, “Security Management 2.5: Replacing Your SIEM Yet?” and on the extensive SIEM experience of McAfee’s Michael Leland. During the webcast, Securosis expert Mike Rothman and Michael Leland were on hand to guide the attendees through the latest in SIEM standards and answer any questions organizations might have.

If you missed the live webcast, you can click here to play the on-demand recording. By listening to this webcast, you can expect to:

  • Learn what to look for in SIEM solutions
  • Realize if your current SIEM solution is sufficient for protection
  • Master negotiation techniques for SIEM renewal and implementation
  • Discover how the evolution of SIEM architecture affects security

Don’t forget to follow @McAfeeSIEM on Twitter and like McAfee on Facebook for the latest in security provision.

Enable Security Teams to Succeed with McAfee SIEM https://securingtomorrow.mcafee.com/business/optimize-operations/enable-security-teams-succeed-mcafee-siem/ Tue, 13 May 2014 18:45:14 +0000

The post Enable Security Teams to Succeed with McAfee SIEM appeared first on McAfee Blogs.

No responsible pilot takes off without going through a pre-flight checklist. It’s cumbersome, it’s time-consuming and it’s absolutely necessary. It’s the visual tool needed to make sure everything is in order so the crew can have a smooth flight. If something’s off, the checklist is there to help correct it.

The same principle goes for IT security: administrators need a guide to make sure all of the organization’s dials and levers are in the right spot. If they’re not — if the dials and levers indicate a policy violation, compliance issue or security breach — that guide needs to signal the danger to the security administrator instantly. McAfee Security Information and Event Management [SIEM] is that guide: it helps security professionals consolidate the tools needed to dynamically monitor security events as they happen, not after.

Perhaps that’s why Edward Pardo, Senior IT Security Engineer at Roswell Park Cancer Institute, listed McAfee SIEM as one of his favorite IT products.

“I’m a visual person, and the ability to represent IT data as a dynamic dashboard is a vast improvement over previous methods,” Pardo said to networkworld.com. “Each area of IT can use the solutions that meet their requirements, while IT Security can minimize the number of solutions we need to be proficient with in order to protect our organization.”

It’s all about having the right information within reach before a security or compliancy event grows out of control. McAfee Enterprise Security Manager makes compliance management easy with hundreds of pre-built dashboards, audit trails and reports for PCI DSS, HIPAA, NERC-CIP and more. Our Unified Control Framework also empowers you to report your policies against more than 240 global regulations and control frameworks. All managed through a centralized, customizable dashboard that processes data so your IT team doesn’t have to.

That feature saves time and energy.

“The time saved in processing raw IT data into actionable events allows us to focus on other important business objectives,” Pardo said.

McAfee’s Global Threat Intelligence also provides organizations with the ability to pinpoint malicious activity in real time, allowing your IT security team to respond to threats before they turn into disasters. With McAfee’s centralized dynamic dashboard, organizations can head off any potential threats before they grow into damaging security breaches.

Just like that pre-flight checklist, having the right awareness and monitoring is essential to any effective security program. With McAfee, you always have your dynamic checklist at your side.

To learn about what McAfee SIEM has to offer, follow @McAfeeSIEM on Twitter.

React to Security Events as They Happen with Real Time for McAfee ePO https://securingtomorrow.mcafee.com/business/optimize-operations/react-fast-real-time-for-epo/ Wed, 07 May 2014 13:00:03 +0000

The post React to Security Events as They Happen with Real Time for McAfee ePO appeared first on McAfee Blogs.

IT teams need the right security tools so that they can react to incidents, as they happen—not after the fact. However, this can be difficult for enterprises to accomplish. Different business units, each with differing security standards, regulatory mandates, clients and goals, still need to fall under the security guidelines set out by the IT administration.

It’s a growing problem across multiple industries — especially industries faced with compliance mandates when handling sensitive data. Not knowing what’s going on, where, and when it happens puts enterprises at risk for data breaches and damaged reputations.

Executives and IT personnel both need the most accurate, up-to-date information on a critical event as it evolves. But neither can wait hours, or in some cases minutes, for a prolonged analysis. That’s where intuition, experience and groundbreaking technology come into play. Intuition cuts out misleading variables and gives IT personnel context; experience tells the executive how long the event can go on before more people are brought in and notified of the issue; and the technology helps everyone diagnose, if not treat, the event faster than ever before.

The latest update to McAfee® ePolicy Orchestrator® (McAfee ePO) version 5.1 is designed with those challenges in mind. McAfee ePO 5.1 allows organizations to improve disaster recovery, add additional browser support, enable Real Time for ePO, and much more! Real Time for McAfee ePolicy Orchestrator collects endpoint security product status instantly, helping your team quickly identify and remediate under-protected and noncompliant endpoints. Through a client-to-client architecture, Real Time for ePO provides IT administrators with current, real time security information, rather than historical data in order to help you understand “what is,” rather than “what was.”

With insight from Real Time for ePO, administrators see critical events in context, with details and with possible remediation solutions. This gives your IT team the means to remediate security events as they’re happening. Unlike the stressful environment of an emergency room, all it takes for IT teams to resolve a problem are a few drop-down menu clicks to confirm, adjust and expand protection. Pre-defined scripts, tools and actions cut down on reaction time and reduce your company’s exposure to threats and brand-damaging breaches.

Enterprise businesses fight an uphill battle when faced with protecting internal data. Being able to react as events happen, not after, protects your business from data breaches, outages, forced disclosures and damaged reputations. With McAfee ePolicy Orchestrator 5.1, your business is protected with the most advanced security platform today. Upgrade today.

Click here for complete ePO upgrade information or head to http://www.mcafee.com/ePO for general information about McAfee ePO 5.1. Check out our McAfee Real Time video here.

Encryption: An Easy Safeguard to Protect Your Valuable Data https://securingtomorrow.mcafee.com/business/optimize-operations/encryption-easy-safeguard-protect-valuable-data/ Thu, 24 Apr 2014 16:39:17 +0000

The post Encryption: An Easy Safeguard to Protect Your Valuable Data appeared first on McAfee Blogs.

I just read through the 2014 Verizon Data Breach Investigations Report (DBIR), which was made available on Verizon’s Enterprise site this week. Wow, 1,367 confirmed data breaches! It’s good to know that there are tools available to help prevent these incidents. And it’s our job to help businesses deploy these tools in a cost-effective and timely manner.

But regarding the DBIR: I really like how it’s written in plain English and how you don’t have to be a Rocket Scientist, or in this case a Data Scientist, to understand the threats to the digital environment we live and work in. McAfee, part of Intel Security, also contributed to the DBIR report. And being that I’m in the Data Protection world, and that encryption is our mainstay, I really like this DBIR quote: “Considering the high frequency of lost assets, encryption is as close to a no-brainer solution as it gets for this incident pattern.” You can say that again! I should also mention that there were a reported 9,704 total incidents in the Physical Theft and Loss category, with 116 confirmed data disclosures. And unfortunately, it appears that the Healthcare, Public and Mining sectors may be getting the worst of it. As you would guess, laptops are a high-incident asset type, as are desktops and removable media. Like most Data Protection solution providers, we help businesses protect the data on those devices and media.

There is also evidence that desktops should be protected as well, not just laptops! Industry analysts came to that same conclusion several years ago. These incidents may happen, but practically all of the exposure can be dramatically reduced by deploying data protection software. It’s interesting to note that in the Insider and Privilege Misuse category, the “Top 10 Assets Affected” had desktops at 26% and laptops at 5%, the reverse of other sections. The reason stated is that desktop computers are an employee’s primary interface to the rest of the network. I’d have to agree. Since we have ePolicy Orchestrator (ePO) managing all the business endpoints, policies can be set with our Data Loss Prevention (DLP) software to monitor specific data types, in effect helping businesses to better manage security without end-user intervention or burden. Businesses should also consider DLP software for email, as pointed out in the Miscellaneous Errors section of the DBIR. DLP can look for sensitive documents and associated keywords, and take the necessary steps to block and/or track email traffic. The activity from this traffic is summarized in reports and made available to the IT admin via the ePO console. Simply making it known that this monitoring is in place tends to improve compliance with a business’s security policy.

The use of USB memory devices is widespread. And since the devices are so cheap and small, it’s no stretch to say that they are an area of concern; the Insider and Privilege Misuse section of the DBIR pointed that out. Yes, our software covers data at rest and in flight as well. The basic function that most businesses require is to encrypt data on the device or media. We can also block writes to the destination. This is really a key value: seamless data protection. If an encrypted device is lost or stolen from someone’s desk or at the coffee shop, the business’s exposure is dramatically limited.

We know that encryption can be a bit esoteric, so organizations like IT World Canada are organizing a Twitter Chat, “insights on best practices in encryption,” on Thursday, April 24 from 1pm ET to 2pm ET for anyone who wants to learn about safeguarding their data. I’ll be online participating as well, using the hashtag #EncryptITWC. Also, Jason Kennedy from Intel and I will be presenting a Data Protection webinar on Thursday, May 1, 2014, 10:00 – 10:45 AM Pacific US Time, that highlights how you can protect your data in very powerful ways through the combined use of McAfee software and Intel technologies. And if you happen to be at Microsoft’s TechEd North America, the Microsoft tech conference for IT professionals and enterprise developers, McAfee will join Intel — a TechEd Gold Sponsor — at Booth #709. That would be yours truly as the McAfee rep! We will highlight the latest in performance, security, and manageability for clients as well as key aspects of cloud innovation and big data for servers. Please attend the webinar or stop by Booth #709 if you happen to be in Houston next month; I’d certainly like to hear your thoughts on the DBIR report and the data protection area. You can find me on Twitter: https://twitter.com/PatCorreia1

Siemens and McAfee Expand Partnership to Offer Comprehensive Security https://securingtomorrow.mcafee.com/business/optimize-operations/siemens-mcafee-expand-partnership/ Mon, 07 Apr 2014 16:30:30 +0000

The post Siemens and McAfee Expand Partnership to Offer Comprehensive Security appeared first on McAfee Blogs.

The industrial sector often faces unique challenges when it comes to cybersecurity, with more threats targeting critical infrastructure and manufacturing than ever before. The Internet of Things has created new risks as the world and the industries within it become increasingly interconnected. Securing critical infrastructure isn’t just about risk; it’s about retrofitting security into existing facilities instead of waiting for the next layer of infrastructure to be built.

With these issues in mind, the Siemens Industry Sector and McAfee have extended their partnership in order to help industrial customers defend against ever-evolving global cyber threats. Together with Siemens’ Industrial Security service offerings, we will now be able to provide wide-ranging security solutions and services to our industrial customer base. This partnership with Siemens not only provides access to key devices, labs, and other environments, but also a detailed understanding of the vulnerabilities unique to critical infrastructure.

Building on a joint effort started in 2011, this partnership will help us enhance the critical infrastructure solutions that we currently offer by adding Siemens’ expertise in building, servicing, and managing these critical areas. Along with our next generation firewall, security information and event management (SIEM), and endpoint security solutions, customers will have greater visibility and control of their manufacturing environments.

In addition to this extended partnership, we will also continue to work with Siemens on developing new industrial-focused security products and solutions. These solutions will enhance existing security capabilities by connecting systems on the factory floor to the command center and beyond. As the Internet of Things continues to expand and smart devices infiltrate every level of the manufacturing process, new touch points are created for threats to exploit. Industrial customers will need visibility across the entire company to address these distinct security requirements, and our continued collaboration with Siemens will do just that.

An Information Security team based at company headquarters must be able to see what is happening at the manufacturing center, as well as at delivery stations all over the world. If a threat enters the system at the factory level, it is crucial to identify and stop it before any damage is caused. Security must be built in, not bolted on, and together with Siemens we will be able to offer customers security by design across multiple industrial systems.

For more information, check out this video from McAfee Executive Vice President and CTO, Mike Fey on the benefits of this extended partnership. Additionally, visit the Siemens industrial security portfolio here.

Be sure to follow @McAfeeBusiness for more updates on this partnership and other exciting news.

Get SIEM on your side https://securingtomorrow.mcafee.com/business/optimize-operations/get-siem-on-your-side/ Mon, 07 Apr 2014 13:00:36 +0000

McAfee’s Enterprise Security Manager, a security information and event management (SIEM) solution, is easy to use and can be customized to fit almost any security and compliance team’s needs. Our SIEM is backed by a purpose-built database that allows it to analyze logs and deliver alerts as soon as a potential threat is detected.

McAfee Global Threat Intelligence (GTI) for Enterprise Security Manager puts the power of McAfee Labs directly into the security monitoring flow through high-speed, highly intelligent McAfee SIEM, which is built for Big Security Data. This optional subscription service continually delivers and adjusts source reputations for more than 140 million IP addresses, bringing the context of external system reputations directly into the security event stream and quickly identifying current and past interactions with known bad actors. McAfee GTI™ IP reputation is derived from the correlation of threat intelligence from all major threat vectors, leveraging more than 100 million global sensors and more than 350 researchers.

McAfee Enterprise Security Manager can store, retrieve, and perform historical correlation over years' worth of data. Combined with McAfee GTI, security analysts can go back in time over that data to understand past interactions with bad actors. This is critical to detecting low-and-slow attacks, repeated activity from botnets, cross-site scripting, and SQL injection attempts.

Learn more about McAfee SIEM in our latest webinar:

The post Get SIEM on your side appeared first on McAfee Blogs.

McAfee SIEM Enables Cloud Security and Reduces time and resources for Compliance demands for DTS https://securingtomorrow.mcafee.com/business/optimize-operations/mcafee-siem-enables-cloud-security-reduces-time-resources-compliance-demands-dts/ Mon, 24 Mar 2014 17:15:34 +0000

DTS is one of the larger systems companies in Germany, with around 140 team members in six locations.  Mid-sized and enterprise companies, as well as public institutions, rely on DTS to meet high data security demands and remain compliant with domestic and international regulations.

The challenge for the security professionals at DTS was one of scalability: company growth, an array of expensive security systems, and the increased demand of securing cloud computing applications among its customers required extensive administration and management time. To solve this problem, DTS committed itself to finding an integrated security and compliance solution capable of relieving internal resource pressures and fulfilling current and future security requirements, including cloud applications. It found that solution in McAfee’s SIEM offering, Enterprise Security Manager (ESM).

Implementing McAfee’s SIEM solution relieved pressure on the DTS Data Centre Team, which faced the challenge of processing and evaluating exponentially growing data from its cloud business model.

Effective security requires real-time visibility into all systems, networks, databases, applications, and users; Enterprise Security Manager made this possible and easily scalable across a growing customer base.

Today, security specialists at DTS spend roughly 50% less time evaluating and structuring event and system information. They also receive risk-relevant, real-time information that allows shorter reaction times when threats arise. Complete audit logs and reports for common compliance standards such as PCI DSS, HIPAA, FISMA, GLBA, Basel II, or SOX can be created at any time, helping DTS and its customers demonstrate compliance.

With McAfee Enterprise Security Manager, DTS achieved two important goals. First, it can offer its customers professional services for adhering to compliance and statutory guidelines: ESM's hundreds of pre-installed dashboards and reports let DTS respond more quickly and efficiently to the differing compliance requirements of its customers. Second, rather than letting routine administration and management tasks devour time, security specialists at DTS can now focus on innovative new services and projects for their customers.

For more tips and tricks with McAfee SIEM, follow @McAfeeSIEM on Twitter, or explore our SIEM community blog to get the latest techniques to protect your organization.

The post McAfee SIEM Enables Cloud Security and Reduces time and resources for Compliance demands for DTS appeared first on McAfee Blogs.

Four Pillars Build the Foundation of Successful SIEM https://securingtomorrow.mcafee.com/business/optimize-operations/four-pillars-build-foundation-successful-siem/ Tue, 18 Mar 2014 19:30:26 +0000

Talking with customers during the past few months, the key topics and questions we heard were all about targeted attacks, threat intelligence, and security information and event management (SIEM). However, there seems to be a myth that "once we have SIEM, we will have visibility into threats," as if SIEM will give us all the answers.

To successfully deploy SIEM and benefit from its capacity and functionality, you must first lay a proper foundation. Like building a house, you don’t build it on sand, but on solid ground. The foundation is deeply anchored. Your solution needs to withstand and survive a (log and event) storm and report what you need to see.

To lay the foundation for SIEM, you must carefully review the following pillars:

  • Identify what to protect: critical assets
  • Log management
  • Event cases
  • Incident response management and capacity

Identify what to protect

In many of our engagements to build a security operations center, we’re told “everything needs to be protected.” If that’s the case, you have just decided to overflow your SIEM with tons of events. You will certainly miss the events you need to react to. We recommend first monitoring your critical assets. What are they? Those are the systems and services that are the moneymakers for your company. If they were down/lost/damaged, it would have a huge impact on you and could ruin your business, resulting in financial loss. An example of a critical asset might be your SAP or ticket-booking system.

Log management

Once you have identified the critical assets, what kind of logging is available for the systems that are involved? Is logging enabled? What is the retention policy of the log files? Are all assets in sync with regards to time, or is there an offset causing a gap during a timeline analysis of an incident?
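
As an added example (not McAfee ESM code), here is a small Python audit of the questions in this pillar: for each source the critical-asset inventory expects, it reports sources that have sent nothing (logging off or not forwarded), sources that have gone silent, and sources whose clock is offset from the collector, which is exactly what produces gaps in a timeline. It assumes each log line carries the device's own timestamp and that the collector stamps a receipt time; the source names, timestamps, and thresholds are constructed.

```python
"""Added example (not McAfee ESM code): audit the log sources behind a
critical asset for silence and clock skew before they feed a SIEM.

Assumes each log line carries the device's own timestamp and that the
collector stamps a receipt time; both are constructed sample values here.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample events: (source, device timestamp, collector receipt timestamp)
SAMPLE_EVENTS = [
    ("sap-prod-01",   "2014-03-18T19:00:05Z", "2014-03-18T19:00:06Z"),
    ("sap-prod-01",   "2014-03-18T19:10:00Z", "2014-03-18T19:10:01Z"),
    ("booking-db-02", "2014-03-18T18:45:00Z", "2014-03-18T19:05:00Z"),  # device clock 20 min slow
    ("booking-db-02", "2014-03-18T18:55:00Z", "2014-03-18T19:15:00Z"),
    ("fw-edge-01",    "2014-03-17T02:00:00Z", "2014-03-17T02:00:00Z"),  # nothing since yesterday
]

# Sources the critical-asset inventory says must be logging (constructed)
EXPECTED_SOURCES = ["sap-prod-01", "booking-db-02", "fw-edge-01", "hr-app-03"]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample data."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_sources(events, expected_sources, now,
                  max_skew=timedelta(minutes=5), max_silence=timedelta(hours=1)):
    """Return {source: [findings]} for sources that are missing, silent or skewed.

    Skew is the median (receipt - device) offset per source, so a single
    delayed delivery does not masquerade as a clock problem.
    """
    by_source = {}
    for source, device_ts, receipt_ts in events:
        by_source.setdefault(source, []).append((parse_ts(device_ts), parse_ts(receipt_ts)))

    findings = {}
    for source in expected_sources:
        issues = []
        records = by_source.get(source)
        if not records:
            issues.append("no events received: logging disabled or not forwarded")
        else:
            offsets = sorted((receipt - device).total_seconds() for device, receipt in records)
            median_offset = offsets[len(offsets) // 2]
            if abs(median_offset) > max_skew.total_seconds():
                issues.append(f"device clock offset {median_offset:+.0f}s from collector")
            last_seen = max(receipt for _, receipt in records)
            if now - last_seen > max_silence:
                issues.append(f"silent for {now - last_seen}")
        if issues:
            findings[source] = issues
    return findings


if __name__ == "__main__":
    now = parse_ts("2014-03-18T19:20:00Z")
    for source, issues in audit_sources(SAMPLE_EVENTS, EXPECTED_SOURCES, now).items():
        print(source, "->", "; ".join(issues))
```

Run this against the collector's own event store before tuning correlation rules: a source that is silent or skewed will not trigger the rules you write for it, and you will not notice until an investigation.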

Event cases

Once the critical assets are identified and you have an insight on the logs you’re maintaining and what log artifacts are available for those systems, you can build event cases for these systems. Think like an attacker: How would you try to access or compromise your critical assets? What would be abnormal versus normal behavior with regards to these systems? Of course, event cases need fine-tuning now and then, especially after changes have been made to your critical environment.

Incident response management and capacity

What if the fire alarm in your house detects a fire, but there is no sprinkler system and the nearest fire brigade is miles away? This is something to think about before deploying SIEM. You need procedures that define what to do when events are triggered for a critical component and, after initial analysis, are escalated as an incident. Who has the capacity to respond to incidents?

Deploying SIEM is not simply putting a box on the network. That's only the technology part. What about people and processes? Preparing for a SIEM deployment requires the right visibility into your company's critical assets and the ability to respond to events in a timely manner. These pillars are a guide that we have successfully used in many SIEM deployments and security operations center build-outs.

The post Four Pillars Build the Foundation of Successful SIEM appeared first on McAfee Blogs.

Beyond Compliance: Security at the San Francisco Police Credit Union https://securingtomorrow.mcafee.com/business/optimize-operations/beyond-compliance-security-san-francisco-police-credit-union/ Wed, 12 Mar 2014 16:04:23 +0000

The San Francisco Police Credit Union (SFPCU) provides financial services to the first responders, from emergency medical personnel to firefighters and police officers, who protect the San Francisco Bay Area. The credit union, with five branches serving some 32,500 members, is charged with protecting not only the finances of public safety personnel, but their personal information as well.

As a credit union, the SFPCU must stay in compliance with a series of complex laws and standards, ranging from the Gramm-Leach-Bliley Act to guidelines established by the National Credit Union Administration. To enforce these rules, the SFPCU uses McAfee's SIEM solution, Enterprise Security Manager (ESM), to monitor the credit union's networks, track security events, and analyze possible threats. Enterprise Security Manager's out-of-the-box compliance dashboards help the SFPCU meet regulatory requirements and standards.

Threats and compliance are two of the major challenges facing many security teams, but compliance is just one part of the security jigsaw puzzle. Compliance standards set a minimum requirement for securing private information, but compliance alone does not mean a network is secure from today’s threats.

As a SIEM solution designed for real-world threats, Enterprise Security Manager consolidates, correlates, assesses, and prioritizes security events from both third-party and McAfee solutions. It also takes advantage of McAfee Global Threat Intelligence, giving Enterprise Security Manager enhanced situational awareness through rapid discovery of events involving communications with suspicious or malicious IPs. The automated and integrated nature of McAfee Enterprise Security Manager streamlines reporting and auditing, enabling faster response when threats are detected.

McAfee Enterprise Security Manager continues to meet the evolving needs of SFPCU’s security and compliance team, offering automated reporting, and compliance audits as well as the ability to investigate and manage incidents. Dataway, a global managed services provider specializing in network security services, implemented ESM on behalf of SFPCU and manages the solution on an ongoing basis.

Compliance is a major facet of information security for many organizations, but compliance alone is not a gold standard for security in today’s threat ecosystem.

For more tips and tricks with McAfee's SIEM solution, Enterprise Security Manager, follow @McAfeeSIEM on Twitter, or explore our SIEM community blog to get the latest techniques to protect your organization.

The post Beyond Compliance: Security at the San Francisco Police Credit Union appeared first on McAfee Blogs.

McAfee SIEM with Ease https://securingtomorrow.mcafee.com/business/optimize-operations/mcafee-siem-ease/ Mon, 03 Feb 2014 20:34:31 +0000

Think security information and event management is hard from the get-go? Think again. The initial setup of McAfee Enterprise Security Manager (ESM), the core of McAfee's security information and event management (SIEM) offering, is a breeze and takes less than 10 minutes from start to finish.

With McAfee, it's simple: log into the ESM installation wizard with your McAfee-provided credentials (if you don't have any yet, don't worry: they can be issued later), accept the end-user license agreement, and change the default passwords. Next, choose whether to run ESM in Federal Information Processing Standards (FIPS) mode or in normal (non-FIPS) mode; FIPS mode restricts some data types and other features of the SIEM, so select it only where your compliance requirements demand it. Finally, you'll be prompted for the remaining settings: whether the appliance should answer ICMP (ping) at all, proxy server and port settings, time synchronization, policy updates, and more. Time synchronization deserves particular care: a SIEM whose clock is off from its log sources will misorder events when you build an incident timeline.

And that’s it! After that initial setup, you’re well on your way to protecting yourself with the industry’s leading security and event management platform.

For more tips and tricks with McAfee SIEM, follow @McAfeeSIEM on Twitter, or explore our SIEM community blog to get the latest techniques to protect your organization.

The post McAfee SIEM with Ease appeared first on McAfee Blogs.

McAfee Enterprise Security Manager Stole The Show At The 2013 RSA Conference, And We’re Looking Forward To Doing It Again in 2014 https://securingtomorrow.mcafee.com/business/optimize-operations/mcafee-enterprise-security-manager-stole-the-show-at-the-2013-rsa-conference-and-were-looking-forward-to-doing-it-again-in-2014/ Thu, 05 Dec 2013 12:55:07 +0000

At the 2013 RSA Security Conference, Scott Taschler, Systems Engineer at McAfee, summed up the McAfee ESM experience: fast, efficient, and easy to use. McAfee Enterprise Security Manager (ESM) delivers fast, intelligent, and accurate SIEM and log management across systems, networks, databases, and applications.

McAfee ESM stands out thanks to its tight integration with the McAfee ecosystem, including ePolicy Orchestrator (ePO) software, McAfee Network Security Manager (NSM), McAfee Global Threat Intelligence, and McAfee Vulnerability Manager (MVM).

Taschler says “These integrations enable McAfee ESM to take intelligent actions – changing policies at the endpoint, quarantining suspicious and malicious systems at the network and gathering critical intelligence through vulnerability scanning.”

In addition, McAfee ESM integrates with McAfee Real Time to proactively inspect the real-time system state of endpoints and servers, effectively moving from passive monitoring to an “endpoint aware” SIEM.

Stay tuned to McAfee, either on our blogs or by following us on Twitter at @McAfee and @McAfeeSIEM, to see what McAfee has in store for the security industry at the upcoming 2014 RSA Conference.

The post McAfee Enterprise Security Manager Stole The Show At The 2013 RSA Conference, And We’re Looking Forward To Doing It Again in 2014 appeared first on McAfee Blogs.

For Security, More Real Time Information Is Better Information — And On That, McAfee Delivers https://securingtomorrow.mcafee.com/business/optimize-operations/for-security-more-real-time-information-is-better-information-and-on-that-mcafee-delivers/ Wed, 06 Nov 2013 18:42:12 +0000

For security teams, the holy grail of security management is a tool that provides as much information as possible on an event as it unfolds, and then the intelligence to act on it.

That dream is now a reality: McAfee's Enterprise Security Manager (ESM), integrated with McAfee Real Time, now delivers the industry's first endpoint-aware security information and event management (SIEM) solution. That means more information is analyzed, prioritized, and provided to security teams, enabling them to react to any event as it happens.

A swift reaction to a security event is no small accomplishment: according to the 2013 Verizon Data Breach Investigations Report, in 69 percent of all breaches the attacker went from initial compromise to data exfiltration within hours. It doesn't help that over a third of those breaches took weeks to months to address. When data is at stake, the ability to identify, collect, and analyze events in real time gives security teams the edge in responding to advanced threats.

And, with McAfee Security Connected, security teams can quarantine, scan and issue policy changes directly from any console running McAfee SIEM.

Cut response times to advanced threats with the industry's first endpoint-aware SIEM, only from McAfee.

For exclusive updates on enterprise security threats, be sure to follow us on Twitter @McAfeeSIEM.

The post For Security, More Real Time Information Is Better Information — And On That, McAfee Delivers appeared first on McAfee Blogs.

Updates and Mitigation to Microsoft Office Zero-Day Threat (CVE-2013-3906) https://securingtomorrow.mcafee.com/business/optimize-operations/updates-and-mitigation-to-cve-2013-3906-zero-day-threat/ Wed, 06 Nov 2013 14:04:10 +0000

On November 5, 2013, Microsoft posted Security Advisory 2896666. The vulnerability, discovered by Haifei Li of McAfee Labs, affects multiple versions of Microsoft Office, Windows, and Lync. Successful exploitation gives the attacker the ability to execute arbitrary code on a vulnerable host (a remote code execution vulnerability).

The issue (an integer overflow) lies in the handling of maliciously crafted TIFF files. A remote attacker can potentially exploit this flaw via a specially designed email message, distribution of a malicious binary, or via a maliciously crafted web page. Successful exploitation of the vulnerability will result in the attacker’s acquiring the same user rights as the current user.

Our blog post (McAfee Labs Detects Zero-Day Exploit Targeting Microsoft Office) describes the issue in further detail.

McAfee Product Coverage/Mitigation

  • McAfee VirusScan (Updated Nov 5)
    • MD5: 97bcb5031d28f55f20e6f3637270751d (Payload) – BackDoor-FBKI!920FEFDC36DA
    • MD5: cb28d93d9eb3c38058a24ad3b05ec3eb (Payload) – Generic Backdoor.u
    • MD5: 5ba7ed3956f76df0e12b8ae7985aa171 (Payload) – Artemis!5BA7ED3956F7
    • MD5: 5a95ca7da496d8bd22b779c4e6f41df9 (Payload) – Generic Backdoor.u
    • MD5: b44359628d7b03b68b41b14536314083 (Office Document) – Exploit-CVE2013-3906
    • MD5: 1FD4F3F063D641F84C5776C2C15E4621 (Office Document) – Exploit-CVE2013-3906
  • McAfee Network Security Platform (Updated Nov 5)
    • UDS-ShantiMalwareDetected
  • McAfee Vulnerability Manager (Updated Nov 5)
    • MVM / FSL check released 11/5/2013

General Indicators:

MD5 hash list:

  • b44359628d7b03b68b41b14536314083
  • 97bcb5031d28f55f20e6f3637270751d
  • cb28d93d9eb3c38058a24ad3b05ec3eb
  • 1FD4F3F063D641F84C5776C2C15E4621
  • 5ba7ed3956f76df0e12b8ae7985aa171
  • 5a95ca7da496d8bd22b779c4e6f41df9
  • fd75a23d8b3345e550c4a9bbc6dd2a0e
  • 4e878b13459f652a99168aad2dce7c9a
  • 6a57cda67939806359a03a86fd0eabc2
  • 1510821831c6e2bcbffba909bb48a437
  • 654f558cf824e98dde09b197dbdfd407
  • 0d51296e5c74a22339ec8b7e318f274a
  • 701a6063458120943a6d3a4eb4440373
  • 4f73248a2641a5bc1a14bda3ef11f454 (Embedded)
  • 6cad22128a105c455bd4a5152272239d (Embedded)
  • 7523a56ea1526fa027735e09bffff00e (Embedded)
  • abc311f99a72002457f28fe26bd2e59d (Embedded)
  • c035acd1c10d8b17773d23be4059754f (Embedded)
  • e6fa16d2e808103ab9bec5676146520b (Embedded)

Network:

  • hxxp://myflatnet[.]com
  • 31[.]210[.]96[.]213
  • http query: hxxp://myflatnet[.]com:80 GET /ralph_3/winword.exe
  • http query: hxxp://myflatnet[.]com:80 GET /new_red/winword.exe
  • http query: hxxp://myflatnet[.]com:80 GET /bruce_3/winword.exe
  • http query: hxxp://myflatnet[.]com:80 GET /blue/winword.exe

 

The post Updates and Mitigation to Microsoft Office Zero-Day Threat (CVE-2013-3906) appeared first on McAfee Blogs.

Using the McAfee SIEM to Augment Successful Detection of Fraudulent Financial Transactions https://securingtomorrow.mcafee.com/business/optimize-operations/using-the-mcafee-siem-to-augment-successful-detection-of-fraudulent-financial-transactions/ Thu, 17 Oct 2013 13:00:35 +0000

Financial fraud has a wide range of impact across a society: providers of financial services may incur the largest losses, but the users of financial services who become victims may be hit much harder. Fraud victims range across the income scale, and even a small fraud can be catastrophic to a vulnerable member of society. For example, the United Kingdom's Annual Fraud Indicator 2012 report estimated losses to the financial services sector at £3.5 billion. This does not include identity fraud, which adds more than £1 billion to the number.

While analytics-based fraud detection has helped to stem the rapid growth of these losses, the attractiveness of the industry to fraudsters remains strong. Two criminal endeavors targeting the financial services sector, Operation High Roller and Project Blitzkrieg, were identified and researched by McAfee in 2012. The analysis of these attacks shows that their sophistication has grown significantly.

The McAfee SIEM aids fraud analysts in two ways: both by enabling the combination of transaction analysis with analysis of network events, and also by bringing the products of McAfee research to identify known bad actors around the world.

Combining Fraud Analysis with Network Analysis

Current research has shown that a successful way to improve the efficiency of fraud detection, seen as unusual activity in a system, is to combine it with other measures of unusual activity, such as on a network. A useful example is combining the output of a Benford test with some of the built-in correlation rules that identify unusual activity on a network.

Benford's Law, informally stated, says that in many naturally occurring sets of numbers the leading digit is not uniformly distributed: 1 appears as the first digit about 30% of the time and 9 less than 5% of the time. The dollar amounts of checking-account transactions are an example of such a set. Fraud analysts use Benford's Law and related digit tests to identify transactions that push the set away from the expected distribution, which often indicates some form of financial fraud. Below is an example of how a Benford test is used.
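
As an added example that is not part of the original post (the post's own illustration is a chart that is not reproduced here), here is a first-digit Benford test in Python over constructed transaction amounts. It computes the observed share of each leading digit, a z-score against Benford's expected share, and the mean absolute deviation over the nine digits; digits whose z-score exceeds a threshold are the "spikes" an analyst would drill into, and `transactions_with_digit` returns the transactions behind a spike. The clean ledger, the injected just-under-5,000 amounts, and the 3.5 z threshold are all constructed for the example.

```python
"""Added example (constructed data, not the post's own illustration):
a first-digit Benford test over transaction amounts, with a per-digit
z-score to find the "spikes" an analyst would pull for review.
"""
import math
import random

# Expected share of each leading digit under Benford's Law: log10(1 + 1/d)
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}


def first_digit(amount):
    """Leading non-zero digit of an amount; None for zero amounts."""
    text = f"{abs(amount):.2f}".lstrip("0.")
    return int(text[0]) if text else None


def benford_test(amounts):
    """Return (observed share, z-score) per digit plus the mean absolute deviation."""
    digits = [d for d in map(first_digit, amounts) if d]
    n = len(digits)
    counts = {d: 0 for d in BENFORD}
    for d in digits:
        counts[d] += 1
    observed = {d: counts[d] / n for d in counts}
    z_scores = {}
    for d, p in BENFORD.items():
        std_err = math.sqrt(p * (1 - p) / n)      # binomial standard error of the share
        z_scores[d] = (observed[d] - p) / std_err
    mad = sum(abs(observed[d] - BENFORD[d]) for d in BENFORD) / 9
    return observed, z_scores, mad


def spiking_digits(amounts, z_threshold=3.5):
    """Digits over-represented beyond z_threshold: the spikes on a Benford chart."""
    _, z_scores, _ = benford_test(amounts)
    return sorted(d for d, z in z_scores.items() if z > z_threshold)


def transactions_with_digit(amounts, digit):
    """(index, amount) of every transaction contributing to a flagged digit."""
    return [(i, a) for i, a in enumerate(amounts) if first_digit(a) == digit]


def constructed_ledger(n=5000, seed=1):
    """Clean sample: log-uniform amounts between 1 and 10,000 follow Benford closely."""
    rng = random.Random(seed)
    return [round(10 ** rng.uniform(0, 4), 2) for _ in range(n)]


def constructed_fraud(n=400, seed=2):
    """Injected sample: many amounts just under a 5,000 approval limit (leading digit 4)."""
    rng = random.Random(seed)
    return [round(rng.uniform(4900, 4999), 2) for _ in range(n)]


if __name__ == "__main__":
    ledger = constructed_ledger() + constructed_fraud()
    observed, z_scores, mad = benford_test(ledger)
    for d in BENFORD:
        print(d, f"expected {BENFORD[d]:.3f} observed {observed[d]:.3f} z {z_scores[d]:+.1f}")
    print("MAD", round(mad, 4), "spikes", spiking_digits(ledger))
```

The z-score per digit is what turns the chart into a list of transactions: a spike on digit 4 becomes `transactions_with_digit(ledger, 4)`, which is the set that the network correlation later in this post needs as its input.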

While the Benford Test is a powerful tool for fraud detection, it can be limited in the insight it provides. If multiple spikes come out of a test, the fraud analyst may struggle to eliminate the ones that have a reasonable explanation, or may need additional context that the transaction amounts alone cannot provide.

The McAfee SIEM can provide correlation rules that identify unusual activity on a network by combining events from several sources such as OS logs, firewalls, databases, and even applications. Built-in rules, shipped with the product, that are valuable for fraud analysis include:

  • Same User Logon from Different Geolocation
  • Same User Logon from Different Host
  • Same User Logon from Different IP
  • Successful database logons after repeated failed logons
  • Successful login after suspicious activity

These rules match up well to the records of recent attacks against financial institutions.

If the output of a Benford test is set up as a custom data source, and the transaction IDs are set up as a custom data type, then spikes in the Benford test can be correlated with the network events raised by the McAfee SIEM. This both focuses the response effort of the security and fraud teams and adds needed context to the numerical output of fraud detection algorithms.
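
The rules listed above, as an added example rather than McAfee ESM rule content: the logon rules implemented in Python over constructed authentication events, then joined on transaction ID with the set of transactions a Benford test has already flagged. A plain `flagged_ids` set stands in for the custom data source; the 30-minute logon window, the three-failure threshold, and the one-hour lookback are assumptions, and every event and transaction is constructed.

```python
"""Added example (constructed log data, not McAfee ESM rule content):
the logon rules above implemented over a stream of authentication
events, then joined on transaction ID with the set of transactions a
Benford test has already flagged (here simply supplied as a set).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events: (time, user, source IP, host, geolocation, result)
LOGONS = [
    ("2013-10-16T09:00:00", "jsmith", "10.1.1.5",     "WS-1042", "US", "success"),
    ("2013-10-16T09:07:00", "jsmith", "198.51.100.7", "WS-1042", "RO", "success"),  # new country, new IP
    ("2013-10-16T09:20:00", "dba1",   "10.2.0.9",     "DB-CORE", "US", "failure"),
    ("2013-10-16T09:20:30", "dba1",   "10.2.0.9",     "DB-CORE", "US", "failure"),
    ("2013-10-16T09:21:00", "dba1",   "10.2.0.9",     "DB-CORE", "US", "failure"),
    ("2013-10-16T09:21:10", "dba1",   "10.2.0.9",     "DB-CORE", "US", "success"),  # success after 3 failures
    ("2013-10-16T10:00:00", "aortiz", "10.1.1.80",    "WS-2001", "US", "success"),
]

# Constructed transactions: (transaction ID, time, user, amount)
TRANSACTIONS = [
    ("T1001", "2013-10-16T09:12:00", "jsmith", 4985.00),
    ("T1002", "2013-10-16T09:30:00", "dba1",   4990.50),
    ("T1003", "2013-10-16T10:05:00", "aortiz", 4999.00),
    ("T1004", "2013-10-16T11:00:00", "aortiz",  120.00),
]


def ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def correlate_logons(logons, window=timedelta(minutes=30), fail_threshold=3):
    """Apply the built-in-style logon rules; return [(time, user, rule name)]."""
    alerts = []
    last_success = {}              # user -> (time, ip, host, geo) of previous successful logon
    failures = defaultdict(int)    # consecutive failures per user
    for time_s, user, ip, host, geo, result in sorted(logons):
        t = ts(time_s)
        if result != "success":
            failures[user] += 1
            continue
        if failures[user] >= fail_threshold:
            alerts.append((t, user, "Successful logon after repeated failed logons"))
        failures[user] = 0
        prev = last_success.get(user)
        if prev and t - prev[0] <= window:
            _, prev_ip, prev_host, prev_geo = prev
            if geo != prev_geo:
                alerts.append((t, user, "Same User Logon from Different Geolocation"))
            if host != prev_host:
                alerts.append((t, user, "Same User Logon from Different Host"))
            if ip != prev_ip:
                alerts.append((t, user, "Same User Logon from Different IP"))
        last_success[user] = (t, ip, host, geo)
    return alerts


def join_with_fraud(alerts, transactions, flagged_ids, lookback=timedelta(hours=1)):
    """Keep flagged transactions whose user raised a network alert shortly before them."""
    hits = []
    for txn_id, time_s, user, amount in transactions:
        if txn_id not in flagged_ids:
            continue
        t = ts(time_s)
        reasons = [rule for alert_t, alert_user, rule in alerts
                   if alert_user == user and timedelta(0) <= t - alert_t <= lookback]
        if reasons:
            hits.append((txn_id, user, amount, reasons))
    return hits


if __name__ == "__main__":
    alerts = correlate_logons(LOGONS)
    # Stand-in for the Benford output: every amount just under 5,000 was flagged
    flagged = {"T1001", "T1002", "T1003"}
    for hit in join_with_fraud(alerts, TRANSACTIONS, flagged):
        print(hit)
```

T1003 is flagged by the digit test but drops out of the joined result because its user did nothing unusual on the network, which is exactly the noise reduction the text describes; the join also records which rules fired, so the fraud analyst sees why a transaction was kept.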

Combining Fraud Analysis with Threat Intelligence

McAfee lives and breathes security. In addition to teams providing tools that reduce risk for a company, other teams focus on content that makes the tools more effective. For detection of fraud, two important sources are the correlation rules created to combat specific pervasive threats, and the Global Threat Intelligence feed that identifies suspicious and malicious IP traffic based on a continuous big data analysis of worldwide traffic.

While a financial services company may have its own mature fraud detection program, any program can benefit from solid external intelligence. It may fill in missing gaps, or it may supplement existing work and allow the group to better focus its efforts. Companies using the McAfee SIEM can avail themselves of content teams who identify global threats and create correlation rules on the SIEM to detect them. One example is a recently published rule, “Project Blitzkrieg – Communication with Known Command and Control Server” to aid detection of a threat directed at the financial services sector.

In addition to correlation rules, the McAfee SIEM has a component called the Advanced Correlation Engine (ACE), which is both unique and invaluable for enhancing fraud detection. The ACE allows risk-based correlation, which goes beyond real-time rule-based correlation (which quickly tells you what you already knew to look for) and gives you a dynamic picture of the evolving risk at your company (which tells you what you didn't know). When the GTI feed is used as an input to a risk correlation manager, your organization can gauge how much traffic from malicious sources such as botnets or other known bad actors is directed at it, and filter so that only traffic with a malicious reputation enters the risk calculation.

You can configure the risk correlation manager to reflect business rules at your company.

Combining fraud analysis with network analysis and incorporating external intelligence are two important enhancements to detecting fraud. Each alone is a worthwhile effort for a fraud detection program; a company could choose to adopt both to gain even more benefits in its efforts to stem fraud losses. Both leverage the unique capabilities and advantages of the McAfee SIEM.

Keep up with the latest in security and fraud detection by following @McAfeeSIEM on Twitter.

The post Using the McAfee SIEM to Augment Successful Detection of Fraudulent Financial Transactions appeared first on McAfee Blogs.

New in SIEM – Advanced Correlation Features https://securingtomorrow.mcafee.com/business/optimize-operations/new-in-9-2-advanced-correlation-features/ Wed, 09 Oct 2013 17:42:32 +0000

The post New in SIEM – Advanced Correlation Features appeared first on McAfee Blogs.

Now that 9.2 has been out for some time, it’s time to document some of the very cool things the McAfee SIEM can do. While the documentation is a must-read for the how, this post is meant to bring you up to speed on the why of some advanced correlation features in 9.2. Remember, correlation using flows is only available in the Advanced Correlation Engine (ACE); flows are not available in receiver-based (REC) correlation.

Let’s start by taking a look at the correlation rules:

[Screenshot: the correlation rule editor, with deviation components shown in blue]

This screen is essentially your home-base when setting up and modifying correlation rules. Notice the blue components: these are instances of the deviation component. If you look closer at the toolbar, you’ll notice an icon for the deviation component second from the right — it’s the icon containing a plus and minus sign.

When you drag that icon onto the panel and edit it, you’ll see a new window titled “Deviation Component.” This is where you can see the two biggest features in 9.2 for correlation: you can correlate on flows and events, and you can set components to fire based on deviations from the norm. Baselines have been in the product for a while, but in 9.2 deviations from the baseline can be the basis of correlation rules. From a use case perspective, this enables network anomaly detection, user anomaly detection, and even combinations of the two. You can also use the other components to add context or other supporting conditions, to tune out random noise and false positives.

There’s a wealth of use cases and implementation guides that we’ve published and compiled here, but it doesn’t hurt to get you up to speed on how to detect anomalous behavior. The deviation component gives you a lot of options for picking out something unusual in the stream of events, and changing any of them can give you a very different means of detection. Think of one instance of one deviation component as an indicator (some call it an observable). It’s a unit of behavior, something you can capture in a sentence that can be answered with a “yes” or “no.” One example sentence would be: “An unusual increase in the amount of traffic leaving a host (outlier bytes).” This corresponds to data exfiltration in the APT kill chain, or an active botnet member performing its assignment. There are a variety of options in 9.2 that you can use to detect these instances. We’ll go through the options top to bottom and talk about how they change the indicator:

Events vs. Flows: What you select depends on what data sources you need for your threat model. If you are looking for deviations in events that have a clear footprint in a log (even combinations of them), you would select events. If you are looking for anomalies in traffic (no clear footprint in a log), you would select flows. Your choice of events and flows will determine what choices are available in the filter and deviation field options.

Filter: This is actually a second filter, but possibly the most challenging option on the component. This option filters events or flows before the deviation logic is applied. If you don’t filter them, the deviation logic will be applied to practically all events or flows. If you have multiple rules (who doesn’t?) using deviation components (who wouldn’t?), you could create a performance issue for yourself. No doubt there are some use cases that require this. This is where looking at your indicator definition helps: my input would be that if you are not filtering these events or flows, your indicator may be a little too vague.

Deviation Type and Threshold: Similar to the features available in an alarm, these are alternatives to comparisons like equal, greater than, less than, etc. Raw value allows you to look at deviations over a specific amount, which requires you to have some analysis available that gives you those numbers. If you don’t have that, the others might be a better choice to determine “unusual.” While you can get a more detailed explanation here, you can use standard deviation for an indicator to identify when a value in a set of data falls far outside the range of expected values. What’s cool about the correlation in the SIEM is that you can group by things like source user. Now you have an indicator that tells you when a value is unusual for that user, which is much more powerful. Statistics can give you gems like “the average US family has 2.3 kids,” but the group by functionality gives you something much more meaningful and powerful. Power users would alarm on an arbitrary threshold, but they would not trigger on a deviation threshold grouped by user. Infrequent users would fall below an arbitrary average threshold, but even small changes in their usage pattern would trigger on a deviation threshold grouped by user (there is a way around this, future blog post for sure).

Besides the deviation type, you have to pick a threshold. This is a measure of how unusual the value you are looking for is in the scheme of things.

Deviation Operator: This is closely related to the deviation threshold. Standard deviations can be a symmetric thing, allowing you to go “n” standard deviations above and “n” standard deviations below. The question is: do you want that? If you are looking for unusual upticks, then you would select “Greater Than.” If you were looking for unusual downswings, you go with “Less Than.” Again, the indicator should be specific enough to make this choice a no-brainer.

Calculation Type: Differentiating these options could be an entire post or series of posts. Putting it in terms of how you implement an indicator: average per event looks at the individual event for some outlier attribute, picking out surges in the stream; total sum looks at buckets and picks out unusually large or small ones; cardinality tells you if you are looking at an unusual variety rather than an unusual number. But for now, let’s take a knee together and say that Total Sum and Cardinality are your best bets. Whether you go with one or the other depends on your indicator: if you can say something like “count” or “quantity” to describe it, go with Total Sum; if you can say something like “distinct” or “variety,” go with Cardinality. If you think of a threat model as something composed of indicators, a good threat model will have some indicators that use Total Sum and some that use Cardinality.

Deviation Field: Your choices here will be determined by whether you selected Events, Flows, or both at the top of the deviation component. This is what you are measuring for unusual values; since we were looking at outbound traffic (in our example of data exfiltration), destination bytes is the way to go. The work you put into the indicator should drive your choice of field. I can’t say that is easy, but it is made possible by defining the behavior well and knowing the data well. These are not always available at the same time; we hope to add content on our rules server to help out in this respect.

Sample Size: Statistical measures in themselves are a bit oblique in how they describe data. The key to making statistical measures work for threat detection is to make them time-based. By this I mean that the time period over which you compare events helps you tie numbers to behavior. The time range you choose here causes the data to be put into buckets based on time, with the calculations then performed on those buckets. It is key for tuning out false positives. For instance, for user behavior indicators, I find that 7 days is a solid sample size. We aren’t robots; we don’t do the same activities in the same amount every day. When you go up to a week, this smooths out. For machine behavior indicators, a week is “too smooth.” Everything will look normal over a long enough time period, so go for a day or even an hour in this case. The deviation component sets the sample size, so you can and should have different sample sizes for different components in your rule. I gave the example of user vs. machine behavior; there are many other things to consider.
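The options above, as an added Python model rather than McAfee’s own code: one deviation component (Filter, group by user, Calculation Type, Sample Size, Deviation Threshold and Operator) run over constructed flow records, beside the fixed-threshold alternative. The record fields and both users’ traffic are assumptions made for the example; it reproduces the point that a fixed threshold flags the steady power user and never the infrequent one, while the per-user deviation threshold does the opposite.

```python
"""Toy model of the 9.2 deviation component described above (an added
example, not McAfee code).  The record fields (t, user, dst_ip, dst_bytes)
and both users' traffic figures are constructed for illustration."""
import math
from collections import defaultdict
from statistics import mean, pstdev

# Calculation Type options from the post, each applied to one bucket's values.
CALC = {
    "total_sum": sum,
    "cardinality": lambda vals: len(set(vals)),
    "average_per_event": lambda vals: mean(vals) if vals else 0,
}


def is_outbound(record):
    """The component Filter: keep only flows leaving the internal 10.0.0.0/8."""
    return not record["dst_ip"].startswith("10.")


def deviation_component(records, *, group_by, field, calc, bucket_hours,
                        threshold, operator="gt", filt=lambda r: True,
                        min_buckets=3):
    """Evaluate one deviation component: group_by is the grouping field, field
    the Deviation Field, calc the Calculation Type, bucket_hours the Sample
    Size, threshold the Deviation Threshold (in standard deviations), operator
    "gt" (unusual upticks) or "lt" (unusual downswings).  Returns
    {group: {"value", "mean", "stdev", "z"}} for each group whose newest
    bucket deviates that far from the group's own earlier buckets."""
    kept = [r for r in records if filt(r)]  # Filter runs before any statistics
    if not kept:
        return {}
    first = min(r["t"] for r in kept) // bucket_hours
    last = max(r["t"] for r in kept) // bucket_hours
    per_group = defaultdict(lambda: defaultdict(list))  # group -> bucket -> values
    for r in kept:
        per_group[r[group_by]][r["t"] // bucket_hours].append(r[field])

    aggregate = CALC[calc]
    hits = {}
    for group, buckets in per_group.items():
        # A bucket with no records for this group is a real observation (0);
        # that is what lets a quiet user's sudden activity stand out.
        series = [aggregate(buckets.get(b, [])) for b in range(first, last + 1)]
        baseline, current = series[:-1], series[-1]
        if len(baseline) < min_buckets:
            continue  # too little history to call anything "unusual"
        mu, sigma = mean(baseline), pstdev(baseline)
        if sigma:
            z = (current - mu) / sigma
        else:  # perfectly steady history: any change at all is off the scale
            z = 0.0 if current == mu else math.copysign(math.inf, current - mu)
        if (operator == "gt" and z > threshold) or (operator == "lt" and z < -threshold):
            hits[group] = {"value": current, "mean": mu, "stdev": sigma, "z": z}
    return hits


def static_threshold(records, *, group_by, field, bucket_hours, limit):
    """The 'arbitrary threshold' alternative: groups whose newest bucket total
    exceeds a fixed limit, with no per-group baseline at all."""
    last = max(r["t"] for r in records) // bucket_hours
    totals = defaultdict(int)
    for r in records:
        if r["t"] // bucket_hours == last:
            totals[r[group_by]] += r[field]
    return {g for g, total in totals.items() if total > limit}


def build_flows():
    """Constructed sample, eight days of flows (t in hours): alice steadily
    sends ~100 KB/day to two external hosts (plus 500 KB to an internal server
    on day 7); bob sends ~2 KB on most days to one host, then on day 7 sends
    8 KB to four hosts he has never contacted."""
    flows = []
    alice_daily = [100_000, 110_000, 90_000, 105_000, 95_000, 100_000, 100_000, 105_000]
    bob_daily = [2_000, 3_000, 2_000, 2_000, 3_000, 2_000, 0]
    for day, total in enumerate(alice_daily):
        for i in range(2):
            flows.append({"t": day * 24 + 9 + 8 * i, "user": "alice",
                          "dst_ip": f"203.0.113.{i + 1}", "dst_bytes": total // 2})
    for day, total in enumerate(bob_daily):
        if total:
            flows.append({"t": day * 24 + 12, "user": "bob",
                          "dst_ip": "203.0.113.9", "dst_bytes": total})
    for i in range(4):
        flows.append({"t": 7 * 24 + 12 + i, "user": "bob",
                      "dst_ip": f"198.51.100.{i + 1}", "dst_bytes": 2_000})
    flows.append({"t": 7 * 24 + 20, "user": "alice", "dst_ip": "10.0.0.5",
                  "dst_bytes": 500_000})
    return flows


if __name__ == "__main__":
    flows = build_flows()
    opts = dict(group_by="user", bucket_hours=24, threshold=3, filt=is_outbound)
    print("total_sum  :", deviation_component(flows, field="dst_bytes", calc="total_sum", **opts))
    print("cardinality:", deviation_component(flows, field="dst_ip", calc="cardinality", **opts))
    print("fixed 50 KB:", static_threshold([r for r in flows if is_outbound(r)], group_by="user",
                                           field="dst_bytes", bucket_hours=24, limit=50_000))
```

Dropping the filter lets alice’s internal copy on day 7 trip the same component, which is the performance and noise problem the Filter option exists to avoid.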

I have given an overview of the deviation component, and how you can use network flows with it as well. The use case drives the threat model which drives the indicators, but it helps to understand what choices you have in shaping those indicators.

Keep up with the latest in security by following @McAfeeSIEM on Twitter.

Thinking Outside of the Sandbox: McAfee Advanced Threat Defense Unveiled https://securingtomorrow.mcafee.com/business/optimize-operations/thinking-outside-of-the-sandbox-mcafee-advanced-threat-defense-unveiled/ https://securingtomorrow.mcafee.com/business/optimize-operations/thinking-outside-of-the-sandbox-mcafee-advanced-threat-defense-unveiled/#respond Wed, 02 Oct 2013 17:00:11 +0000 http://blogs.mcafee.com/?p=30099 It’s always a great day when you can share something so innovative that it will surely change the game in the industry. Today, at the McAfee FOCUS 2013 conference, McAfee and my team announced the development and launch of McAfee Advanced Threat Defense – the newest addition to our Security Connected portfolio. If you read …

The post Thinking Outside of the Sandbox: McAfee Advanced Threat Defense Unveiled appeared first on McAfee Blogs.

It’s always a great day when you can share something so innovative that it will surely change the game in the industry. Today, at the McAfee FOCUS 2013 conference, McAfee and my team announced the development and launch of McAfee Advanced Threat Defense – the newest addition to our Security Connected portfolio. If you read my post entitled, “Developing the Ultimate Defense against Advanced Malware,” I gave you a preview of what to expect in the hopes of piquing interest and raising awareness without giving away the big reveal.

At McAfee, we monitor the threat landscape and work to develop security solutions that can help organizations stay ahead of predicted threats. McAfee Labs believes that advanced malware shows no sign of changing its steady growth trajectory, which has risen steeply during the last two quarters. These threats are extremely stealthy and designed to evade detection and reside on a system for prolonged periods. As a security professional, you know that organizations can no longer rely on traditional security solutions to protect their digital assets against this strain of malware.

McAfee Advanced Threat Defense was built on the exciting technology we acquired from ValidEdge and combines sandboxing with the leading McAfee anti-malware engine, anti-virus technology, and global reputation feeds to create the market’s most complete approach to advanced malware detection. This new technology identifies sophisticated, hard-to-detect threats by running suspected malware in a “sandbox,” analyzing its behavior and assessing the potential impact the malware may have on an endpoint and a network.

Better Detection Accuracy

  • Advanced static code and dynamic analysis together provide the most detailed analysis and data on malware classification
  • Malware can be packed or obfuscated to evade detection. Strong unpacking enables thorough analysis and accurate classification
  • Broad operating system support enables threats to be analyzed under the same conditions as the actual host profile, reducing the chances of missed malware or false positives.

Faster Response Time

  • Integrated solutions from McAfee quickly and seamlessly move from malware analysis and conviction to protection and resolution; a more comprehensive, efficient approach
  • Down selection (mix of signatures, reputation and real-time emulation) quickly identifies a broad range of malware, producing fast detection results and reducing the number of files requiring resource-intensive sandbox analysis

Lower Cost of Ownership

  • Centralized deployment enables multiple McAfee network devices to share the same malware analysis appliance, reducing the number of required appliances, simplifying administration and cost-effectively scaling across the network

Unlike most standalone sandboxing technology, McAfee Advanced Threat Defense finds advanced malware and works with other McAfee solutions to freeze the threat and fix impacted systems. Find. Freeze. Fix. Talk about innovation. (Oh, and they will be talking about it.)

Importance Of Today’s McAfee Advanced Threat Defense Announcement https://securingtomorrow.mcafee.com/business/dynamic-endpoint/importance-of-todays-mcafee-advanced-threat-defense-announcement/ https://securingtomorrow.mcafee.com/business/dynamic-endpoint/importance-of-todays-mcafee-advanced-threat-defense-announcement/#respond Wed, 02 Oct 2013 16:45:38 +0000 http://blogs.mcafee.com/?p=30091 We tracked down Gavin Struthers while at the 2013 Partner Summit and asked him to talk about the importance of today’s Advanced Threat Defense announcement to our partners.

The post Importance Of Today’s McAfee Advanced Threat Defense Announcement appeared first on McAfee Blogs.

What Makes McAfee ESM unique? Speed! https://securingtomorrow.mcafee.com/business/optimize-operations/what-makes-mcafee-esm-unique-speed/ https://securingtomorrow.mcafee.com/business/optimize-operations/what-makes-mcafee-esm-unique-speed/#respond Tue, 17 Sep 2013 17:51:50 +0000 http://blogs.mcafee.com/?p=29342 McAfee Enterprise Security Manager (ESM) provides businesses with real-time security and protection. McAfee ESM, a security information and event management (SIEM) solution, was designed for today’s problems, combining cost-effectiveness, intelligence and speed into a solution that leverages SIEM technology in an intelligent and effective manner. There are a variety of ways that McAfee ESM stands …

The post What Makes McAfee ESM unique? Speed! appeared first on McAfee Blogs.

McAfee Enterprise Security Manager (ESM) provides businesses with real-time security and protection. McAfee ESM, a security information and event management (SIEM) solution, was designed for today’s problems, combining cost-effectiveness, intelligence and speed into a solution that leverages SIEM technology in an intelligent and effective manner.

There are a variety of ways that McAfee ESM stands above the competition, but here are four of the best examples:

  • Unlike legacy SIEM solutions, McAfee ESM is built for high-volume, high-traffic situations, with a database built for speed acting at its foundation. This allows all information to be collected and processed in real-time.
  • McAfee ESM goes well beyond simple compliance reporting, offering enterprises true network security through speed, scale and rich context. That context can deliver detailed actionable information about malicious attacks from both external and internal sources to company security teams.
  • ESM integrates with McAfee’s ePolicy Orchestrator, McAfee Global Threat Intelligence, and McAfee Risk Advisor into one manageable system. With these solutions working together, McAfee ESM can offer detailed situational awareness and analysis.
  • That analysis addresses one of the most difficult challenges faced by SIEMs today: identifying an attack, like an advanced persistent threat, and determining its risk before a significant attack occurs. By combining global and local security and network usage data, security teams can also learn how an attack came into the company’s environment, what data was accessed, and whether or not that data has been exposed.

It’s thanks to these advanced features – features which provide real-time security intelligence – that McAfee ESM continues to be placed in the Leaders Quadrant for Security Information in Gartner’s Magic Quadrant.

Continuous Diagnostics and Mitigation: A Major Leap for Government Cyber Security https://securingtomorrow.mcafee.com/business/optimize-operations/continuous-diagnostics-and-mitigation-a-major-leap-for-government-cyber-security/ https://securingtomorrow.mcafee.com/business/optimize-operations/continuous-diagnostics-and-mitigation-a-major-leap-for-government-cyber-security/#respond Thu, 22 Aug 2013 16:14:34 +0000 http://blogs.mcafee.com/?p=28677 The General Services Administration recently announced contract awards that will allow government agencies to partner with the Department of Homeland Security (DHS) to deploy Continuous Diagnostics and Mitigation (CDM) technology that will enhance the security and resilience of their networks – better safeguarding both the sensitive data on those networks and the critical functions they provide …

The post Continuous Diagnostics and Mitigation: A Major Leap for Government Cyber Security appeared first on McAfee Blogs.

The General Services Administration recently announced contract awards that will allow government agencies to partner with the Department of Homeland Security (DHS) to deploy Continuous Diagnostics and Mitigation (CDM) technology that will enhance the security and resilience of their networks – better safeguarding both the sensitive data on those networks and the critical functions they provide to all Americans.

DHS deserves a lot of credit for spearheading this initiative, for CDM will be transformative. It will allow departments and agencies to understand where their vulnerabilities and risks are, to prioritize those risks, and also to remediate them, protecting their networks, infrastructures and assets.  You can think of it as a three-part process:  assess, prioritize and manage. And the information generated by CDM won’t just reside at the network management level. By means of an agency-level dashboard, everyone up to the CISO and CIO will have visibility into that data.  If an agency receives a high or low grade on its cyber security “report card,” CIOs and CISOs will be able to know precisely why  (not universally the case today). The plan is also for summary-level information to funnel into a central dashboard maintained by DHS.

This is not to say that several departments and agencies aren’t employing good cyber security tools now and that some aren’t doing what CDM calls for already; they are. The test is whether the tools and practices will integrate well into this new environment. The exciting part about CDM is that it enables scale and standardization, which in turn enable rolling everything up into an agency-level dashboard for enterprise-wide visibility. Also, when you get into that kind of scale, you can drive down costs – another virtue of CDM.

We’re thrilled that McAfee technology is at the heart of so many of the winning solutions (11 out of 17) and will provide the security nuts and bolts of CDM. This fact really validates the approach of our Security Connected platform:  the foundation that enables us to consistently monitor the state of all endpoint and network components and how they integrate into an ever-changing ecosystem.  This is precisely why CDM was developed.

I was quoted in the press saying that CDM represents not just a step but a leap forward for the cyber security of civilian government agencies.  I’ll go even further: CDM could catapult them into a dynamic position of continual situational awareness and remediation/mitigation.  That’s good news not only for agencies but also for all the people they serve.

SANS Institute Gives McAfee’s ESM 9.2 A Solid Review https://securingtomorrow.mcafee.com/business/optimize-operations/sans-institute-gives-mcafees-esm-9-2-a-solid-review/ https://securingtomorrow.mcafee.com/business/optimize-operations/sans-institute-gives-mcafees-esm-9-2-a-solid-review/#respond Wed, 07 Aug 2013 17:05:25 +0000 http://blogs.mcafee.com/?p=28208 Security teams today need a Security Information and Event Management (SIEM) tool which can identify incidents on the spot and produce quick and accurate analysis from a mass of data. This requires a system which can extract meaningful data from different sources to analyze and correlate events in a small time-frame — and it needs …

The post SANS Institute Gives McAfee’s ESM 9.2 A Solid Review appeared first on McAfee Blogs.

Security teams today need a Security Information and Event Management (SIEM) tool which can identify incidents on the spot and produce quick and accurate analysis from a mass of data. This requires a system which can extract meaningful data from different sources to analyze and correlate events in a small time-frame — and it needs to be easily manageable for the security team or system admin.

The best solution: McAfee’s Enterprise Security Manager (ESM) 9.2.

SANS Institute’s analysis team took a peek into McAfee’s latest ESM software with a particular bent towards SIEM applications, and found an “easy-to-use SIEM system that can perform broad and deep event analysis as well as provide a quick assessment.”

Most organizations, according to SANS, are using security event data to detect and track suspicious behavior, support forensic analysis, and meet or demonstrate regulatory requirements. But complicating these security goals is the growing number and sophistication of attacks. As the perennial arms race between security and hackers continues, McAfee has the leverage enterprises need to keep their data secure, and to help them identify attacks and vulnerabilities in an ocean of data.

According to SANS, McAfee’s ESM strength is derived from its ease of use, speed, and its flexibility in setting rules and correlations. Here’s a quick overview of SANS’s analysis:

  • ESM Interface — SANS said McAfee’s ESM interface can be learned within minutes, and feels “almost infinitely customizable.”
  • Rapid Event Analysis — Using their own tests, SANS was able to zoom in on a finely grained level of detail in a matter of seconds — providing security teams with the rapid information they need to address any breach or attack scenario.
  • Policies and Advanced Correlation Engine — SANS found McAfee’s rule type engine intuitive and exhaustive, as well as easy to use. The ability to drag and drop data and analysis operators makes for easy correlation rules, giving McAfee ESM users the best tools to easily fend off attacks.
  • Situational Awareness — McAfee’s integration of its many products into a central monitoring structure “stood out” to SANS. This integration allows McAfee ESM users to work with a huge amount of security data and prepare for the most acute vulnerabilities.

When it comes to security event management tools, McAfee is the gold standard.

You can download the full SANS Analyst report to gain more insights into McAfee’s Enterprise Security Manager, or follow @McAfeeSIEM on Twitter to get the latest information on SIEM solutions.

McAfee’s Global Threat Intelligence and SIEM https://securingtomorrow.mcafee.com/business/optimize-operations/mcafees-global-threat-intelligence-and-siem/ https://securingtomorrow.mcafee.com/business/optimize-operations/mcafees-global-threat-intelligence-and-siem/#respond Tue, 30 Jul 2013 15:53:36 +0000 http://blogs.mcafee.com/?p=27879 Security events carry important information – but they don’t have the whole story.  Left to themselves – without the essential contextual information of who and what – reviewing security events alone can make analysts miss attacks.  Also, the faster an organization knows about a potentially threatening interaction, the faster they can contain and minimize the …

The post McAfee’s Global Threat Intelligence and SIEM appeared first on McAfee Blogs.

Security events carry important information – but they don’t have the whole story.  Left to themselves – without the essential contextual information of who and what – reviewing security events alone can make analysts miss attacks.  Also, the faster an organization knows about a potentially threatening interaction, the faster they can contain and minimize the damage.

McAfee Enterprise Security Manager integrates with McAfee Global Threat Intelligence Reputation Feed to maintain an up-to-date understanding of bad actors that exist on the global network.  Our solution brings the powerful perspective of external system reputation to perform real-time reputation checks – immediately alerting analysts when any device on their network has interacted with a known bad actor.

There’s been a lot of discussion around reputation feeds and SIEM – but not all are created equal. The implementation of the threat feed in the SIEM, combined with the quality and timeliness of reputation updates, dramatically affects the value of these integrations.

Here are a few reasons why McAfee’s offerings stand apart from the rest. Many SIEM solutions have trouble identifying bad actors because they have neither access to the data needed to do so nor the ability to search through high quantities of that data. McAfee SIEM is able to overcome these challenges by leveraging our powerful database to manage tens of millions of reputations. Through real-time reputation checks, every SIEM-connected device has now become a security device – allowing analysts to be alerted immediately on interaction with bad actors. In addition, our ruleless risk scoring engine dynamically adjusts risk based on these interactions – providing an intelligent tracking system for at-risk systems.

Finally, active integration with McAfee ePolicy Orchestrator, Network Security Platform and McAfee Vulnerability Manager allows organizations to take automated, intelligent actions to reduce risk when an interaction with a bad actor occurs. The systems involved can be automatically quarantined, endpoint security policies can be automatically tightened, and scans can be run on internal systems automatically – reducing time to respond and automating common pieces of the incident response process.

Follow @McAfeeSIEM on Twitter to get the most up-to-date content.

Have you met McAfee SIEM? https://securingtomorrow.mcafee.com/business/optimize-operations/have-you-met-mcafees-siem/ https://securingtomorrow.mcafee.com/business/optimize-operations/have-you-met-mcafees-siem/#respond Tue, 07 May 2013 17:17:50 +0000 http://blogs.mcafee.com/?p=24510 If you haven’t heard much about McAfee’s fast and smart SIEM, now is the right time to take a look at what the experts are saying. After performing a hands-on review of 12 SIEM products, SC Magazine recently rated McAfee Enterprise Security Manager (ESM) as the SIEM “Best Buy,” with five stars in every category. …

The post Have you met McAfee SIEM? appeared first on McAfee Blogs.

If you haven’t heard much about McAfee’s fast and smart SIEM, now is the right time to take a look at what the experts are saying. After performing a hands-on review of 12 SIEM products, SC Magazine recently rated McAfee Enterprise Security Manager (ESM) as the SIEM “Best Buy,” with five stars in every category.

Why were we rated the Best Buy? It’s simple. While other vendors struggle to provide the intelligence or the performance needed to deliver on the promise of real-time actionable intelligence – McAfee ESM started by solving the information management challenge first. By developing a database that was specifically designed to handle the massive insertion rates, real-time analysis, and simultaneous query use the SIEM application demands – we started fast, which allows us to continually build on that platform to deliver the industry standard for “smart”.

It’s not an easy problem to solve. In fact, you’ll see us solidly beat other “next generation” SIEM data management architectures on performance, value for money and ease of use. And with Security Connected at McAfee, we are not only delivering actionable intelligence – but turning it into intelligent action. With recently introduced active integration with McAfee ePO, Network Security Platform and Vulnerability Manager, organizations can automatically turn smart information into automatic policy change, quarantine and scan actions.

“From a functionality standpoint, this appliance has it all. On top of prebuilt dashboards, many interactive charts and graphs, the ability to take data and logs from almost any source that has an IP address, and the ability to drill down into raw log data quickly and easily, this product also features a multitude of pre-built compliance reporting tools.”

You can download the full SCMagazine report to read more, or follow @McAfeeSIEM on Twitter to get the most up-to-date content.

McAfee acquired NitroSecurity because it was the only SIEM that combined strong intelligence with speed and ease of management.   We are excited to continue our efforts to be the best standalone SIEM and offer added value to McAfee customers through Security Connected.

Botnets Remain a Leading Threat https://securingtomorrow.mcafee.com/mcafee-labs/tackling-the-botnet-threat/ https://securingtomorrow.mcafee.com/mcafee-labs/tackling-the-botnet-threat/#respond Thu, 28 Mar 2013 12:45:37 +0000 http://blogs.mcafee.com/?p=23262 One threat has evolved and dominated the threats landscape like no other: botnets. Practically every day a new set of online criminals attempt to exploit users in some way or the other. The best way to stop this threat at the perimeter is to identify its communication channel and block the bot from connecting to …

The post Botnets Remain a Leading Threat appeared first on McAfee Blogs.

One threat has evolved and dominated the threats landscape like no other: botnets. Practically every day a new set of online criminals attempt to exploit users in some way or the other. The best way to stop this threat at the perimeter is to identify its communication channel and block the bot from connecting to its control server. Blocking the communication will also prevent data exfiltration and the downloading of other threats.

But that’s easier said than done. Bot masters have become so advanced and organized that they can churn out thousands of undetectable and unique malware binaries each day. That coupled with the ability to rapidly change the control-server hosting infrastructure allows them to stay active longer without being taken down. At McAfee, we deal with thousands of such samples every day.

[Pie chart: Top 10 bot families, January 2013 to date]

To give you an idea of the magnitude, here are some mind-boggling statistics. Starting in January to date, we processed close to 8.5 million distinct malicious binaries in our automation system. Of those, 2 million had the ability to communicate on a control channel. Of those, 37% were already known botnets!

The pie chart shows the Top 10 bot families during this period. You can see that some bots are very old, yet we still see new binaries today. Zeus and its variants continue to dominate the botnet scene. In all, there were 9,000 distinct domains and IP addresses that the malware used for hosting its communication channels during this period. Some of them are still active today.

One of the ways of handling such a daily onslaught of malware is to use advanced automation systems that can very rapidly extract the control server information from the binaries. But running automatic analysis systems comes with its own set of challenges. To start with, the bad guys are becoming smarter, and the malware they create these days has anti-sandbox techniques that simply abort execution or act benign if it detects an automatic analysis system. Most of these techniques are already known, and some have already been discussed by my fellow researchers in previous blogs. Then there are bots that use a domain-generation algorithm to connect to a large number of domains that do not exist, so we need to identify which are active and which are not. And finally there is “noisy” malware that generates a lot of network activity: not only does it connect to the control server, but it also connects to a lot of benign sites, either to check connectivity or to simulate “clicks” on advertisements.

Through months of research, we have built a system that not only uses advanced techniques to extract the control information but also helps us differentiate “known bad” from new “unknown” sites. Despite these challenges, our systems continue to process thousands of malware samples daily and we see new control server sites added to our database every day. This volume tells us how well organized the bot masters are and how fast they are able to switch channels to prevent their bots from being taken down.

Our automation system is just one of the ways we collect botnet intelligence. The system has limitations but by complementing it with other tactics, we stay a step ahead of these bad guys.

The data that this system generates feeds our Global Threat Intelligence database, McAfee’s cloud-based threat intelligence service. The Advanced Malware and Botnet protection feature in the latest release of the McAfee Network Security Platform (NSP 7.5) makes use of this intelligence to offer the best network protection to our customers. You can find more information about that here.

I offer special thanks to my colleagues Amit Malik and Vikas Taneja for their analysis on anti-sandbox/automation techniques.

The post Botnets Remain a Leading Threat appeared first on McAfee Blogs.

Advanced Malware Protection with Network Security Platform
https://securingtomorrow.mcafee.com/business/optimize-operations/advanced-malware-protection-with-network-security-platform/
Wed, 13 Feb 2013 21:18:29 +0000

McAfee Network Security Platform customers have benefited from malware protection for some time now. Most customers already use McAfee Global Threat Intelligence (GTI), which has been available since the 6.0 release. The largest and most used reputation service, with over 64 billion queries per day, GTI classifies files as either good (whitelist) or bad (blacklist), and also supports gray listing through levels of file suspiciousness.

Network Security Platform release 7.5 takes network security malware protection to an unprecedented level. It starts with a vision to provide the best malware protection:

  • One engine is not enough – use various engines and heuristic analysis
  • Provide import options for custom fingerprints
  • Inspect virtually every type of file (MS Office, PDF, EXE & DLL files, Android packages, etc.)
  • PDF needs special attention – build signature-less protection against PDF-based attacks
  • Build an extensible framework that delivers target-aware dynamic analysis
  • Save the file for further investigation and forensics

Network Security Platform malware protection policy is simple. Select engines for inspecting file types, edit blocking actions, and configure file storage – that’s all.

[Screenshot: Network Security Platform malware protection policy configuration]

As of release 7.5, the following engines are supported:

  1. Custom fingerprints – Build a local database of custom fingerprints (MD5 hashes). For example, one of our customers had almost 2000 Android 3rd party apps that they wanted to detect, and all they did was import the custom fingerprints.
  2. McAfee GTI file reputation – Since release 6.0, customers have had access to the largest cloud-based security intelligence network.
  3. PDF-based JavaScript emulation – Sophisticated emulation technology, which extracts JavaScript, detects shellcode in the PDF, and then alerts the system. For example, 13 out of 17 Metasploit PDF-based attacks use JavaScript.
  4. Advanced Anti-Malware – McAfee Network Threat Behavior Analysis now includes an advanced anti-malware engine that inspects files forwarded to it from Network Security Platform sensors, including common formats such as MS Office files, PDF files, DLLs, compressed files, archive files, and Android Application Packages.
  5. Cloud-based sandbox analysis (limited Beta only) – If a suspicious file cannot be classified as good or bad by the previous engines, it can be sent to the cloud for an in-depth dynamic analysis.

How does it all come together?  Network Security Platform combines the responses from the different engines to calculate a confidence score for each file, taking blocking actions as needed.

So far, customers who deployed release 7.5 are seeing great results and we encourage all customers to try it out and let us know how it goes.

The post Advanced Malware Protection with Network Security Platform appeared first on McAfee Blogs.

Looking into the Cyber Threats Crystal Ball: McAfee Threats Predictions Report
https://securingtomorrow.mcafee.com/business/looking-into-the-cyber-threats-crystal-ball-mcafee-threats-predictions-report/
Thu, 27 Dec 2012 19:00:11 +0000

Proactive and preemptive.  That’s the caliber of protection we are working toward integrating into all of our network security products.  Because without proactive and preemptive protection, online security will never be completely secure.  Thankfully for all of us, McAfee Labs knows this is the key too.

That’s why, every year McAfee Labs publishes its Threat Prediction Report that examines the key trends and top threats it foresees will affect the security landscape.  The recently published 2013 Threat Predictions Report highlights the top threats that over 500 researchers uncovered by analyzing data on malware, vulnerabilities and online threats from 2012.  I’ve written about the discoveries made by McAfee Labs and I’m always blown away by what the team finds.  All of this is critical to creating stronger and more effective solutions.  After reading the predictions for the coming year, I am even more confident that McAfee is clearly on the right track to preemptive and proactive security.

Sometimes, in the ridiculously unpredictable world of cyber security, I joke that I could use a crystal ball to see what’s ahead.  Well, the McAfee Labs Threat Predictions Report is about as close to that as I’ll ever get.  Many of the trends I’ve seen and my own personal beliefs were confirmed in this year’s report, along with its expectations that mobile devices will become greater targets for cybercriminals, that the influence of the hacktivist group Anonymous will decline, and that large-scale attacks on infrastructure will increase.

Not only will my teams be able to use these predictions to bolster our security products and tools to create more solid solutions, but the report provides invaluable education for the general public, government organizations and businesses.  I’m grateful that McAfee has sophisticated Global Threat Intelligence that’s analyzed carefully by McAfee Labs and then shared with the public.  Education really is one of the most valuable offers we can provide – it empowers businesses and consumers to be better prepared and more aware.

As the year unfolds, my teams will be working to integrate the technology necessary to address the risks that McAfee Labs believes will impact our network security solutions – including Network IPS, Firewall, Web Protection, Email Protection, and Data Loss Prevention.  We will be watchful of threats from hacktivists launching cyberthreats capable of penetrating state and government networks.  We will look for more and better ways to be proactive and preemptive as we try to stay ahead of the crimeware and cybercrime rings that are predicted to grow.  Finally, we now know that large-scale attacks will be even more destructive and devastating.  With this incredible intelligence, I don’t really think I need a crystal ball after all.  Thanks McAfee Labs.

Read the full report here: http://www.mcafee.com/us/resources/reports/rp-threat-predictions-2013.pdf

The post Looking into the Cyber Threats Crystal Ball: McAfee Threats Predictions Report appeared first on McAfee Blogs.

Want Network Behavior Analysis? You Got It!
https://securingtomorrow.mcafee.com/business/optimize-operations/want-network-behavior-analysis-you-got-it/
Wed, 11 Jul 2012 15:00:14 +0000

We recently made the decision to provide ALL of our new and existing McAfee Network Security Platform customers with a virtual, production-ready instance of McAfee Network Threat Behavior Analysis (NTBA).  For those already familiar with NTBA, this makes a ton of sense.  For those of you that aren’t, allow me to explain…

McAfee Network Threat Behavior Analysis (NTBA) is the perfect complement to Network IPS.  Whereas traditional IPS makes inline assessments of what is happening on the network right now, NTBA provides a historical view of threat behavior over the course of days, weeks, or even months.  By trending application flow information (i.e., NetFlow, URL, file, FTP, SMTP, etc.), NTBA can positively identify previously undetected threats and facilitate faster event resolution.  It is fully integrated with both McAfee Network Security Manager and McAfee GTI, and it provides both security and network visibility down to the application level.

NTBA sits passively in the network and you can connect it directly to a monitoring port of your NSP, so deployment is very straightforward.  You can also use it in network segments where you don’t have an IPS by pulling netflow data from routers and switches.  This virtual instance of McAfee Network Threat Behavior Analysis is available at no extra cost to McAfee Network Security Platform customers; every McAfee Network Security Manager comes with a single virtual instance of NTBA, downloadable from the McAfee download site. If you have 5 Network Security Managers in your network, then you’re entitled to 5 virtual NTBA appliances. 

And NO hidden tricks either:

  • Fully functional, no feature restrictions
  • It can run in 3 different configurations (2 cores/6 GB, 4 cores/8 GB, 8 cores/16 GB), for capacities from 6k flows/s to 25k flows/s.
  • No restrictions on routers/switches exporting netflow data.

The only restriction is that a maximum of 2 Network Security Platform exporters can send flow data to NTBA.

Considering the fact that some existing netflow analysis tools with similar throughput capacity (25k flows/sec) can go for upwards of $100K, this represents a significant value to McAfee Network Security Platform customers.  But don’t just take our word for it.  Please download your entitled copy today and let us know what you think in the comments below or with @IntelSec_Biz on Twitter.

Download location (requires grant ID to log in):

https://menshen.intruvert.com

http://www.mcafee.com/us/downloads/downloads.aspx

The post Want Network Behavior Analysis? You Got It! appeared first on McAfee Blogs.

High Roller Protection is Not Only For High Rollers
https://securingtomorrow.mcafee.com/business/optimize-operations/high-roller-protection-is-not-only-for-high-rollers/
Tue, 26 Jun 2012 16:59:37 +0000

Operation High Roller appears to be a banking trojan like Zeus, but much more advanced in terms of quality, applicability to broad platforms, and automation. Its ability to scale far beyond current banking malware is of great concern. So you want to know what you can do now to protect yourself?  Here are some tips that we will update as we know more:

Since High Roller appears to be introduced via a malicious website or social engineering attack, McAfee SiteAdvisor Enterprise and McAfee Web Gateway can prevent users from accessing malicious host sites.  McAfee Host Intrusion Prevention (HIPS) can block drive-by vulnerability exploits, preventing the malware from running for the first time on a target machine. McAfee Application Control can prevent any unknown or unapproved application from being installed or allowed to run.  McAfee VirusScan Enterprise protects the machine from any known variants. McAfee Deep Defender will block the vast majority of kernel-mode rootkits that High Roller variants may contain, on day zero, with no need to update any signatures. Additionally, both McAfee VirusScan Enterprise and McAfee Host Intrusion Prevention prevent registry modifications and other configuration changes. And finally, McAfee Desktop Firewall can block outbound command and control communication to sites deemed malicious by McAfee Global Threat Intelligence technology.

Read the full report on Operation High Roller here:

http://www.mcafee.com/us/resources/reports/rp-operation-high-roller.pdf

For more on the four phases of every attack, please see my blog:

https://securingtomorrow.mcafee.com/enterprise/the-four-phases-of-every-attack

And more detail about protecting yourself against the 4 phases of every attack is here:

https://securingtomorrow.mcafee.com/enterprise/how-todays-new-generation-of-security-products-protect-you-in-each-of-the-4-phases-of-every-attack

More on High Roller as it comes out.

Be SAFE!

The post High Roller Protection is Not Only For High Rollers appeared first on McAfee Blogs.

McAfee Named a Leader in 2012 Gartner Magic Quadrant for SIEM
https://securingtomorrow.mcafee.com/business/optimize-operations/mcafee-named-a-leader-in-2012-gartner-magic-quadrant-for-siem/
Mon, 25 Jun 2012 18:06:42 +0000

Following our acquisition of NitroSecurity last year, we have been working towards fully integrating their Security Information and Event Management (SIEM) technology into our portfolio of solutions. McAfee Enterprise Security Manager (the fruit of our combined efforts) recently received a 5-star rating from SC Magazine, and now we are proud to announce that McAfee has been named a leader in the 2012 Gartner Magic Quadrant for SIEM.

Our Strengths

Gartner’s research evaluates leading vendors who offer solutions in the SIEM marketplace based on ability to execute and completeness of vision. This includes key criteria such as the customers’ need to analyze security event data in real-time for internal and external threat management, and to collect, store, analyze, and report on log data for regulatory compliance and forensics.

We believe our position in Gartner’s Magic Quadrant illustrates how McAfee Enterprise Security Manager is really taking performance, value and strength to the next level, as at its core, our SIEM offerings are all about our unique commitment to security connected. Our ability to integrate with other key security solutions in order to deliver an autonomous and adaptive security risk management platform is one asset that sets us apart, and we’re excited to continue our innovations in this space alongside our integration partners.

But don’t take our word for it. According to SC Magazine’s 5-star review, from its powerful correlation engine to its intuitive management interface, McAfee ESM provides security event management and analysis along with forensic capability that is easy to deploy for almost any size environment.

The 2012 Gartner Magic Quadrant for SIEM:

Later this year, we’ll be releasing version 9.1 of our Enterprise Security Manager, which will include the integration of threat intelligence from McAfee Global Threat Intelligence, risk data from McAfee Risk Advisor, and asset data from McAfee Vulnerability Manager and McAfee ePolicy Orchestrator.

If you’re interested in learning more about McAfee SIEM, check out our full list of offerings and resources online. You can also join the conversation on Twitter @IntelSec_Biz, where we’ll be hosting our monthly #SecChat on the topic of SIEM solutions on Thursday, 6/28 at 11am PT.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.  This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from McAfee at http://mcaf.ee/samh2.

[1] Gartner “Magic Quadrant for Security Information and Event Management” by Mark Nicolett and Kelly M. Kavanagh, May 24, 2012

The post McAfee Named a Leader in 2012 Gartner Magic Quadrant for SIEM appeared first on McAfee Blogs.

Skywiper – Fanning the ‘Flames’ of Cyberwarfare
https://securingtomorrow.mcafee.com/mcafee-labs/skywiper-fanning-the-flames-of-cyber-warfare/
Mon, 28 May 2012 17:30:10 +0000

A few weeks ago, Iran reported intensified cyberattacks on its energy sector that they observed as a direct continuation of the Stuxnet and Duqu attacks.

Over the weekend, the IR Cert (Iran’s emergency response team) published a new report that describes this attack as Flame and/or Flamer. Some other news agencies also called the attack Viper. The complex functionality of the malware is controlled by command servers, of which there are possibly dozens. The malware is also capable of slowly spreading via USB drives.

CrySys Lab, a Hungarian security team, noticed that a complex threat it had been analyzing for weeks was clearly the same threat as Flamer. They published a large, preliminary document, several dozen pages in size, that described the complex malware. The report shows that a lot more work has to be done to analyze the full details of this malware, as it has some extraordinary complexity.

Previously, other cyberthreats such as Stuxnet and Duqu required months of analysis; this threat is clearly a magnitude more complex. Just to give an idea of the complexity, one of its smallest encrypted modules is more than 70,000 lines of C decompiled code, which contains over 170 encrypted “strings”!

Evidently, the threat has been developed over many years, possibly by a large group or dedicated team.

We found publicly available reports from antispyware companies, and log files in public help forums, that could indicate infections of early variants of Skywiper in Europe and Iran several years ago (for example, in March 2010). Skywiper appears to be more widely spread than Duqu, with similarly large numbers of variants.

Skywiper is a modular, extendable, and updateable threat. It is capable of, but not limited to, the following key espionage functions:

– Scanning network resources
– Stealing information as specified
– Communicating to control servers over SSH and HTTPS protocols
– Detecting the presence of over 100 security products (AV, antispyware, FW, etc)
– Using both kernel- and user-mode logic
– Employing complex internal functionality using Windows APC calls and thread-start manipulation, and code injection into key processes
– Loading as part of Winlogon.exe and then injecting itself into Internet Explorer and services
– Concealing its presence as ~ named temp files, just like Stuxnet and Duqu
– Capable of attacking new systems over USB flash memory and local network (spreading slowly)
– Creating screen captures
– Recording voice conversations
– Running on Windows XP, Windows Vista, and Windows 7 systems
– Containing known exploits, such as the print spooler and lnk exploits found in Stuxnet
– Using SQLite database to store collected information
– Using a custom database for attack modules (this is very unusual, but shows the modularity and extendability of the malware)
– Often located on nearby systems: a local network for both control and target infection cases
– Using PE-encrypted resources

To summarize, the threat shows great similarity to Stuxnet and Duqu in some of its ways of operation, yet its code base and implementation are very different, and much more complex and robust in its basic structure.

Skywiper’s main executable files:

Windows\System32\mssecmgr.ocx – Main module
Windows\System32\msglu32.ocx
Windows\System32\nteps32.ocx
Windows\System32\advnetcfg.ocx
Windows\System32\soapr32.ocx

Misleading Program Information Blocks

According to its program information block, the main module pretends to be written by Microsoft Corporation. It claims to be a “Windows Authentication Client” for Microsoft Windows Version 5.1 (2600 Build). Several other modules also claim to be Microsoft Windows components. However, none of the files analyzed so far are signed with a valid (or even possibly stolen) key, as was the case with Duqu and Stuxnet.

Further key filenames of the threat can include:

~dra52.tmp
target.lnk
zff042
urpd.ocx
ccalc32.sys
boot32drv.sys
Pcldrvx.ocx
~KWI
guninst32
~HLV
~DEB93D.tmp
~DEB83C.tmp
~dra53.tmp
cmutlcfg.ocx
~DFL983.tmp
~DF05AC8.tmp
~DFD85D3.tmp
~a29.tmp
dsmgr.ocx
~f28.tmp
~dra51k.tmp
~d43a37b.tmp
~dfc855.tmp
Ef_trace.log
contents.btr
wrm3f0
scrcons.exe
wmiprvse.exe
wlndh32
mprhlp
kbdinai
~ZLM0D1.ocx
~ZLM0D2.ocx
sstab
~rcf0
~rcj0

Mutex usage

The threat files also use the TH_POOL_SHD_PQOISNG_#PID#SYNCMTX Mutex name to identify already infected systems, a common technique in modern malware. The #PID# is the process ID of the process in which the injection of the threat occurred.

I change my name; I change my extension

The threat files can change both filenames and extensions, according to specific control server requests, as well as configuration usage. In some cases, Skywiper detects specific antivirus software. The malware might then change the extension of the executable files (DLLs) from OCX to TMP, for example. However, we have not always seen this functionality on affected systems, especially if the threat has been installed prior to the security product in question.

Skywiper’s main module is over 6MB in size, while the completely deployed set is close to 20MB. Yes, this is a lot of code for malware, but this is necessary to carry the complex libraries such as Zlib, LUA interpreter, SQLite support, custom database support code, and so on.

Encryption includes simple obfuscation such as XOR with a single byte value. The XOR key, 0xAE, has appeared in some other cases, showing a potential relationship to Duqu and Stuxnet, as they also used this value. However, Stuxnet and Duqu always used other values in conjunction with this byte, which included dates of possible meaning.

Other than the above, Skywiper does not show a direct relationship in its code to Stuxnet or Duqu at this point. It uses a similar yet more complex structure, which in many ways reminds researchers of these attacks. In some ways it could be a parallel project, as the early date may suggest. The attack files showed recent development in January and August 2011, according to some of the leftover date values in its files. The dates in the file headers have been purposely changed (claiming to be from 1994, etc.), but export-table date values and dates elsewhere in the files indicate 2011.

The main module of Skywiper starts via the registry, over an exported function:

HKEY_LOCAL_MACHINE\CurrentControlSet\Control\Lsa\Authentication Packages
– mssecmgr.ocx
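The mutex, file-name, registry and XOR details above lend themselves to a small host-triage script. The following Python is an added example, not code from McAfee or the original post: it checks constructed sample observations against only the indicators the post lists (the System32 module and temp-file names, the TH_POOL_SHD_PQOISNG_#PID#SYNCMTX mutex, the “Authentication Packages” LSA value, and the 0xAE single-byte XOR key), and it ranks candidate XOR keys the way an analyst would to confirm 0xAE on an obfuscated string. The full hive path HKLM\SYSTEM\CurrentControlSet\Control\Lsa and the stock msv1_0 package name are assumptions from standard Windows, not from the post; the sample paths, mutex names and the XOR-encoded blob are constructed inline.

```python
"""Host-triage helpers for the Skywiper indicators discussed above (added example).

Only indicators named in the post are used.  Everything fed in below is a
constructed sample; nothing here reads a live file system or registry.
"""
from __future__ import annotations

import re
from typing import Iterable

# Module names (Windows\System32\*.ocx) and a few of the temp-file names from the post.
SKYWIPER_FILENAMES = {
    "mssecmgr.ocx", "msglu32.ocx", "nteps32.ocx", "advnetcfg.ocx", "soapr32.ocx",
    "~dra52.tmp", "~dra53.tmp", "~deb93d.tmp", "~deb83c.tmp",
    "ccalc32.sys", "boot32drv.sys",
}

# TH_POOL_SHD_PQOISNG_#PID#SYNCMTX, where #PID# is the decimal id of the injected process.
MUTEX_RE = re.compile(r"^TH_POOL_SHD_PQOISNG_(\d+)SYNCMTX$")

# Assumption (standard Windows location; the post abbreviates the path): the
# REG_MULTI_SZ value "Authentication Packages" lives under this key, and on a
# clean XP/Vista/7 host it holds just msv1_0.
LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
LSA_VALUE = "Authentication Packages"
EXPECTED_AUTH_PACKAGES = {"msv1_0"}

SKYWIPER_XOR_KEY = 0xAE


def match_filenames(paths: Iterable[str]) -> list[str]:
    """Return the paths whose file name (case-insensitive) is a known Skywiper name."""
    hits = []
    for path in paths:
        name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in SKYWIPER_FILENAMES:
            hits.append(path)
    return hits


def match_mutexes(mutexes: Iterable[str]) -> list[tuple[str, int]]:
    """Return (mutex, pid) for every mutex name that follows the Skywiper pattern."""
    found = []
    for name in mutexes:
        m = MUTEX_RE.match(name)
        if m:
            found.append((name, int(m.group(1))))
    return found


def unexpected_auth_packages(values: Iterable[str]) -> list[str]:
    """Flag LSA authentication packages beyond the stock one.

    mssecmgr.ocx registered here is how the post says the main module is
    started: LSA loads every listed package at boot.
    """
    return [v for v in values if v.lower() not in EXPECTED_AUTH_PACKAGES]


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same operation encodes and decodes."""
    return bytes(b ^ key for b in data)


def rank_single_byte_keys(blob: bytes) -> list[tuple[int, bytes]]:
    """Try all 255 non-zero keys and rank them by how much of the output is
    ASCII letters, digits or spaces.  For a string like the one in the program
    information block this puts 0xAE first, confirming the key from the post."""
    def score(out: bytes) -> float:
        ok = sum(1 for b in out if b == 0x20 or (chr(b).isascii() and chr(b).isalnum()))
        return ok / max(len(out), 1)

    scored = [(score(xor_bytes(blob, k)), k) for k in range(1, 256)]
    scored.sort(key=lambda t: (-t[0], t[1]))
    return [(k, xor_bytes(blob, k)) for _, k in scored]


# Constructed sample observations (not real host data).
SAMPLE_PATHS = [
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\mssecmgr.ocx",
    r"C:\Windows\Temp\~DEB93D.tmp",
    r"C:\Users\alice\Documents\report.pdf",
]
SAMPLE_MUTEXES = [
    "TH_POOL_SHD_PQOISNG_1532SYNCMTX",
    "Global\\ExplorerIsShellMutex",
    "TH_POOL_SHD_PQOISNG_SYNCMTX",  # no pid: does not match the pattern
]
SAMPLE_AUTH_PACKAGES = ["msv1_0", "mssecmgr.ocx"]
# The description string the post quotes, XOR-obfuscated with 0xAE by us.
SAMPLE_BLOB = xor_bytes(b"Windows Authentication Client", SKYWIPER_XOR_KEY)


def triage() -> dict:
    """Run every check over the samples and collect the findings."""
    best_key, best_text = rank_single_byte_keys(SAMPLE_BLOB)[0]
    return {
        "files": match_filenames(SAMPLE_PATHS),
        "mutexes": match_mutexes(SAMPLE_MUTEXES),
        "auth_packages": unexpected_auth_packages(SAMPLE_AUTH_PACKAGES),
        "xor_key": best_key,
        "xor_text": best_text.decode("ascii"),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

On real hosts the same three lists would come from a file-system walk, a handle or mutex enumeration, and a read of the LSA value; the scoring in rank_single_byte_keys is deliberately simple and works because the cleartext the post describes is plain ASCII text, so any wrong key turns spaces or letters into punctuation or control bytes.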

Initial infections gathered by our network sensors are shown on the map below:

Generally, attackers try to conceal their presence by infecting locations unrelated to the main targets, possibly to further conceal their identity, and then use these locations as control servers. Continuing research will certainly need to take this into consideration.

McAfee antivirus products will detect and clean the threat as W32/Skywiper from infected systems. Our initial data indicates that there are multiple variants of this threat in the field.

The post Skywiper – Fanning the ‘Flames’ of Cyberwarfare appeared first on McAfee Blogs.

Get Your Arms Around Big Security Data
https://securingtomorrow.mcafee.com/business/optimize-operations/get-your-arms-around-big-security-data/
Tue, 22 May 2012 18:51:43 +0000

The more data you have, the more insight and knowledge you possess, right? But what happens when your data stores grow so large that securing and managing them effectively is no longer in the cards? A few extra gigabytes here and terabytes there, and before you know it, you’ve got a big security data problem. Every new security control that’s put in place to protect data adds administrative burden—increasing the security event data that must be monitored, logged, shared between security components, analyzed, and reported on.

Security information and event management (SIEM) systems were invented to help IT security teams within financial services companies, health care providers, defense contractors, and governments address the growing volumes of information security data. An onslaught of well-publicized data breaches followed by public outrage and a surge of regulatory mandates quickly made SIEM must-have technology.

The point product feeding binge

As corporate security officers scrambled to address these issues, virtualization bred even more data and applications that had to be secured and reported on. Companies added new security products—each bringing its own instrumentation and logging requirements. The volume of security data and real-time data streams grew exponentially until SIEM solutions bogged down. Some security teams started turning off SIEM data feeds in an effort to preserve performance. Unfortunately, each disabled data feed created another vulnerability and exposed the enterprise to greater risks.

Time for a big security data fitness plan

So how do you deal with big security data even as your business tightens its belt?

Today you need more relational information about the source, asset, user, and data to provide greater security context and situational awareness. You also need real-time correlation of this information with event flows—including scalable architecture that can keep pace with big security data’s growth.

Add Muscle, Lose Fat

Legacy SIEM solutions don’t have the power to handle big security data. Today, you need a SIEM that includes high-performance architecture to handle reams of security data and easily scales to handle future growth. In other words, you need McAfee Enterprise Security Manager (formerly NitroView). This SIEM powerhouse is specifically built for big security data with a powerful database, appliance options, and the processing power to quickly correlate billions of events and flows.

Boost Your SIEM IQ

The next generation of SIEMs must go beyond simple event analysis to share security intelligence among security components and quickly deliver actionable information. McAfee Enterprise Security Manager achieves this by immediately collecting and analyzing contextual information on events, users, and data, creating and sharing situational awareness among solution components.

  • McAfee Global Threat Intelligence further strengthens dynamic threat visibility, providing around-the-clock reputation-based threat intelligence and sharing this insight through integration among solution components.
  • McAfee Risk Advisor uses this shared information to help you quickly pinpoint attacks and implement countermeasures.

Achieve Balance and Agility

Big security data requires security tool integration and enterprise-wide visibility. Two-way integration with McAfee ePolicy Orchestrator (ePO) software extends visibility and control across your entire security and compliance environment.

Just like any fitness plan, SIEM requires effort and dedication. It gets easier over time and results become an excellent motivator.

An Update on DNSChanger and Rogue DNS Servers
https://securingtomorrow.mcafee.com/business/an-update-on-dnschanger-and-rogue-dns-servers/
Tue, 06 Mar 2012 18:48:08 +0000

The post An Update on DNSChanger and Rogue DNS Servers appeared first on McAfee Blogs.

In late 2011, the FBI released documents and data focusing on “Operation Ghost Click.” This malicious operation, leveraging a variety of DNSChanger-type malware, was defined by the FBI as an “international cyber ring that infected millions of computers.”

Associated malware samples and events can be traced back several years, and multiple platforms were targeted. To this day many remain affected or infected and are still open to compromise.

There is plenty of helpful data on this issue. The FBI has even provided a tool to check whether your host/IP is affected:

https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS

So, fast-forward to the present: Within McAfee Labs we have been flooded with queries (forgive the DNS pun) on what will happen on March 8, and what other impacts might ripple through our environments as the FBI takes the next steps toward concluding Operation Ghost Click.

The Good News!

On March 5, a U.S. District Court in New York signed an order to extend the March 8 deadline to July 9.

This extension will allow all affected entities to continue to track down and remediate hosts that are still compromised. Current data indicates that there are still several million infected or affected hosts worldwide.

Also, as a handy reminder, the offending netblocks are well documented:

  • 67.210.0.0 through 67.210.15.255
  • 93.188.160.0 through 93.188.167.255
  • 77.67.83.0 through 77.67.83.255
  • 213.109.64.0 through 213.109.79.255
  • 64.28.176.0 through 64.28.191.255

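The five netblocks above are the data a defender actually needs to check a machine's DNS settings. The following is an added example (not McAfee's code, and not the FBI's checker tool) that turns the listed start/end ranges into CIDR networks and reports which configured nameservers fall inside them. It reads resolv.conf-style text and can also scan arbitrary text such as `ipconfig /all` output for IPv4 literals; the sample configuration and the address `93.188.161.10` are constructed for illustration, and `192.0.2.53` is a documentation address, not a real resolver.

```python
import ipaddress
import re

# The five netblocks exactly as listed in the post (first and last address of each).
ROGUE_DNS_RANGES = [
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]

# Collapse each start/end pair into CIDR networks once, so membership tests are cheap.
ROGUE_DNS_NETWORKS = [
    net
    for first, last in ROGUE_DNS_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    )
]


def is_rogue_dns(server):
    """Return True if `server` (an IPv4 string) lies inside one of the rogue netblocks."""
    try:
        addr = ipaddress.IPv4Address(server)
    except ipaddress.AddressValueError:
        # Not an IPv4 literal (e.g. an IPv6 resolver or a hostname): this list does not cover it.
        return False
    return any(addr in net for net in ROGUE_DNS_NETWORKS)


def parse_resolv_conf(text):
    """Extract nameserver addresses from resolv.conf-style text, ignoring comments."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def check_resolvers(text):
    """Map each configured nameserver to True if it is in a rogue netblock, else False."""
    return {server: is_rogue_dns(server) for server in parse_resolv_conf(text)}


_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def find_rogue_addresses(text):
    """Scan any text (e.g. `ipconfig /all` output) for IPv4 literals in rogue netblocks."""
    return sorted({ip for ip in _IPV4_RE.findall(text) if is_rogue_dns(ip)})


# Constructed sample configuration (not a real host): one legitimate documentation
# address and one address inside the 93.188.160.0-93.188.167.255 netblock.
SAMPLE_RESOLV_CONF = """\
# constructed sample, not a real configuration
nameserver 192.0.2.53
nameserver 93.188.161.10   # inside a listed rogue netblock
"""

# Constructed Windows-style output; only the DNS server line is of interest.
SAMPLE_IPCONFIG = """\
   IPv4 Address. . . . . . . . . . . : 192.0.2.10
   Default Gateway . . . . . . . . . : 192.0.2.1
   DNS Servers . . . . . . . . . . . : 64.28.180.2
"""

if __name__ == "__main__":
    for server, rogue in check_resolvers(SAMPLE_RESOLV_CONF).items():
        print(f"{server:16} {'ROGUE' if rogue else 'ok'}")
    print("rogue addresses in ipconfig output:", find_rogue_addresses(SAMPLE_IPCONFIG))
```

On a Linux or macOS host, feed the real `/etc/resolv.conf` to `check_resolvers`; on Windows, capture `ipconfig /all` and pass it to `find_rogue_addresses`. A hit means the host's DNS resolution is being steered through the rogue infrastructure and should be remediated as described in the Threat Advisory below; a miss only rules out these five netblocks, not infection by some other means.
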
To learn more about how to maintain your online connection and to protect against this malware family, read our new Threat Advisory:

https://kc.mcafee.com/corporate/index?page=content&id=PD23652

For McAfee Customers: Detection for associated malware is provided under the DNSChanger Trojan family.

For example: http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=141841

Other Resources:

