SOCs – McAfee Blogs (https://securingtomorrow.mcafee.com). Securing Tomorrow. Today. Feed last updated Mon, 18 Feb 2019 11:29:40 +0000.

Building a Sustainable Model for Cybersecurity Talent
https://securingtomorrow.mcafee.com/business/building-sustainable-model-cybersecurity-talent/
Wed, 04 Apr 2018 11:02:32 +0000

Depending on whose study you believe, there is going to be a shortage of 1.5 million or more cybersecurity professionals in 2020. As McAfee re-emerged from Intel as an independent company, we have stood up our own fusion of converged physical and security operations center (SOC) functions in the past nine months. We have been very mindful of both the problem and the opportunity.

Working on building out our SOC capabilities, we’ve needed to hire analysts, advanced threat researchers, and engineers in short order. Then there has been the need to standardize the knowledge and approach to managing cyber threats for one of the world’s leading cybersecurity software companies.

So we have gone through a fairly intense period of training. Everyone has received 80 hours of online training, 40 hours of classroom training, and 40 hours of on-the-job training. We have also hired SOC staff from within our own professional service, engineering teams, and sales engineers.

But all of this can be undone quickly by the pressures of working in an intense, demanding 24/7 environment and by other companies making our people offers that they can’t refuse. McAfee just published a new study on this never-ending challenge, Winning the Game.

In this study of 950 cybersecurity professionals and managers in seven developed economy countries across the globe, we found that there are three clear factors with which organizations can win the game when it comes to cybersecurity. These are:

  • Happy workers
  • Automation
  • Playing more games

In organizations that have experienced a breach in the last 12 months, staff who are extremely satisfied report, on average, less time to identify the breach (11 hours) than those who are dissatisfied (23 hours).

Similarly, automation is also a positive indicator for the ability of an organization to attract and retain top talent. Nearly one-third of respondents cite the opportunity to work with new technology such as automation, machine learning, and AI as a key factor that would attract them to a job and influence their decision to move.

And, there is a correlation between the use of gamification and happier cybersecurity staff. More than half (54 percent) of respondents who are extremely satisfied in their roles say they use “capture the flag” gaming once or more a year, compared to just 14 percent of those employees who are dissatisfied in their roles. (At McAfee, we run table-top exercises every two weeks, and red team exercises monthly.)

So what does this say for building a model for talent development and management that is sustainable for now and for the future?

I think of the staffing challenge as a series of waves that are constantly churning one upon the other. To ride these waves, we need to design talent programs that are nimble at inception.

At the beginning, we build strong teams with interns and new hires, focusing on investing in strategic talent. The objective is to invest in talent so the entire organization can be successful – IT/Engineering/SE/Sales/Support. Hopefully, some will stay in the company. This helps us to strengthen the enterprise by creating more security-aware teams, instilling a security culture that will carry across the business.

But it’s the middle range that is the challenge. As people become more skilled, they become more marketable, and turnover increases. To use a sports analogy: It’s easy to draft rookies. It’s easy to hold onto longtime veterans. It’s hard to keep free agents in a hot market. If you don’t have mid-level free agents, you have to either ask the rookies to play above their experience, or ask the veterans to do their old jobs. To mitigate the churn, we need to invest in talent we identify as strategic, knowing that some of them will go to other firms.

And from a talent management perspective, I think that it is vital to nurture the natural interests and passions that team members possess. We support this natural development process by providing assigned mentoring, outside reading, and outside vendor training. We encourage gaming, creative problem solving, curiosity, and collaboration. Additionally, everyone in the SOC is being required to develop specializations. This encourages a diverse domain of skills and expertise, which is vital to developing a sustainable model for security operations that can adapt as the threat landscape evolves.

As a chief information security officer, I think you have to recognize that this is always going to be an evolving, never-ending adaptation to meet the changing threat landscape and the dynamic flow of people in your organization. Cybersecurity isn’t just an industry; it’s a robust, active ecosystem. The threat landscape never stands still, and neither does the workforce.

A great summation of this comes from Bill Woods, our Director of Information Security for our converged physical and cyber security operations.

“You have to accept the fact that you are never going to have impenetrable systems. It’s always going to be a game of chess. The opposer is always going to be making moves, some of which will hurt you. It’s always going to be a battle. But that is what keeps the job interesting.”

You can look for Grant Bourzikas on Twitter and LinkedIn. To learn more about how McAfee is growing the cybersecurity innovation pipeline and addressing talent management, be sure to attend the session, “Building the Cybersecurity Innovation Pipeline,” presented by Grant Bourzikas, CISO and VP of McAfee Labs Operations, and Chatelle Lynch, Chief Human Resources Officer, at RSA 2018, April 17 in San Francisco, CA.

Is Your SOC Caught in the Slow Lane?
https://securingtomorrow.mcafee.com/business/soc-caught-slow-lane/
Tue, 27 Mar 2018 04:02:13 +0000

Everybody’s got a device. And the data on that device is moving into the public cloud. Massive amounts of data. In a world of massive amounts of data, who’s the traffic cop? The Security Operation Center (SOC).

But these days the daily flow of data traffic resembles a Formula One race car going full out, and some traffic monitors are a single cop on the beat.

Research shows this analogy is not far off: 25% of security events go unanalyzed. And 39% of cybersecurity organizations manually collect, process, and analyze external intelligence feeds.

Think about this. At the dawn of the Digital Century, more than a third of all companies are approaching cybersecurity manually.

This is not sustainable.

In short, there are simply not enough people to keep up with the security challenges. But it’s not a question of training or hiring more people. The idea is for humans to do less and machines to do more. Automating threat defense has many advantages: speed, the ability to learn, and the ability to collaborate with other solutions. Integration of data, analytics, and machine learning are the foundations of the advanced SOC.

For about a year now McAfee engineers have been developing a new architecture for an existing SIEM tool called McAfee® Enterprise Security Manager version 11 (“McAfee ESM 11”), which can serve as the foundation of a modern SOC.

As cybercriminals get smarter, the need for SOC operations to evolve becomes more important. McAfee ESM 11 can help customers transition their SOC from silos of isolated data and manual investigations to faster operations based on machine learning and behavioral analytics.

What makes ESM 11 different from other SIEM tools is its flexible architecture and scalability.

The open and scalable data bus architecture at the heart of McAfee ESM 11 shares huge volumes of raw, parsed and correlated events to allow threat hunters to easily search recent events, while reliably retaining and storing data for compliance and forensics.

The scalability of McAfee ESM 11 architecture allows for flexible horizontal expansion with high availability, giving organizations the ability to rapidly query billions of events. Additional McAfee ESM appliances or virtual machines can be added at any point to add ingestion, query performance, and redundancy.

ESM 11 also includes the ability to partner. An extensible and distributed design integrates with more than three dozen partners, hundreds of standardized data sources, and industry threat intelligence.

By deploying advanced analytics to quickly elevate key insights and context, analysts and members of a security team tasked with examining cyberthreats can focus their attention on high-value next tasks, like understanding a threat’s impact across the organization and what’s needed to respond.

This human-machine teaming, enabled by McAfee’s new and enhanced security operations solutions like McAfee Investigator, McAfee Behavioral Analytics, and McAfee Advanced Threat Defense, allows organizations to more efficiently collect, enrich and share data, turn security events into actionable insights and act to confidently detect and correct sophisticated threats faster. The strategy was outlined in my last SOC blog.

We’ve been testing these products together at the new McAfee Security Fusion Centers, located in Plano, Texas and Cork, Ireland. These facilities were built last year and are designed to support full visibility and global management of risks, in a simulated environment. The Security Fusion Centers give customers a blueprint for building out their own SOCs.

In short – we are revving up the SOC: critical facts in minutes, not hours. Highly-tuned appliances to collect, process, and correlate log events spanning multiple years with other data streams, including STIX-based threat intelligence feeds. And the storage of billions of events and flows, with quick access to long-term event data storage to investigate attacks.

Let your security travel as fast as your data. And get your SOC out of the slow lane.

Separating the Signal from Noise
https://securingtomorrow.mcafee.com/business/separating-signal-noise/
Tue, 27 Mar 2018 04:01:21 +0000

In security operations, we frequently talk about the difficulties in separating the signal from the noise to detect legitimate threats and disregard false alarms. Data overload is a common problem and triage becomes a critical skill to hone and develop.

As the chief information security officer (CISO) for McAfee, I am aware at multiple levels of the risks that come from a failure to focus on the right thing. If one of our security operations center (SOC) analysts fails to notice multiple login attempts by the same user from different countries in a short span of time, it could cost us both valuable company data and our reputation in the industry.

For these reasons, McAfee announced major enhancements today to our security operations portfolio in our security information and event management (SIEM) and Security Analytics product lines – enhancements that the McAfee Information Security team I am proud to lead helped to road-test. We also announced that our state-of-the-art converged physical and cyber Security Fusion Centers are now fully operational in Plano, Texas, USA and Cork, Ireland – less than a year after we emerged from Intel as a standalone company.

The big deal for the McAfee Security Fusion Centers is that they have a dual mission: 1) to protect McAfee, and 2) to help us build better products. And for myself, I would add a third objective: help our customers to learn from our experiences protecting McAfee. We want to help them build better reference architectures, learn how to communicate with boards of directors and become more innovative in solving cybersecurity problems.

For Job 1, protect the enterprise, we believe in the primacy of fundamentals. We use the National Institute of Standards and Technology (NIST) cybersecurity framework, as well as the Factor Analysis of Information Risk (FAIR) method to quantify our risk posture, and continually manage for the framework’s core functions of Identify, Protect, Detect, Respond, and Recover. It’s critical that we understand what is happening in our environment and that is why we chose to converge our physical and cybersecurity functions into one operations center – a Security Fusion Center. We need to collect data across all aspects of our operating environment. Without that ability, we are flying blind.

Next, we focus on being able to answer a series of vital questions that help us complete the identification functions. We ask:

  1. What is on the network and how are our networks accessible? We must be able to identify our assets. That visibility into what is connected to us is critical. We use tools like Rapid7 Nexpose, McAfee Rogue System Detection, and network access control (NAC) to constantly monitor the network to tell us what is connected to us.
  2. How are we managing access to vital systems and stores of data? We decided from the beginning that we could not take access to information assets for granted. At McAfee, there is no implicit right of access – only explicit privilege. In this age of bring-your-own-device (BYOD), we have set up two-factor authentication when accessing the McAfee network. If your role requires access to sensitive information, “need to know” access is applied, and employees must comply with other access control mechanisms like separation of duties, least privilege, and information management.
  3. Where are the vulnerabilities? We need to evaluate risk across our environment from device to cloud. This means more than just audits and vulnerability management. We had to design our systems so that they would be scalable and support our incident response functions like patch management and counter measures in a prioritized manner. We especially rely on McAfee ePO for visibility across on- and off-premises devices.
  4. How is the data protected? This is a matter of understanding where are the crown jewels of our data and what are the risks for exfiltration. It’s vital to set up policies in a very prioritized and strategic manner. Data loss prevention requires thinking through the data, the applications and the users.
  5. How are we doing against the basics? While it is great to have next generation toolsets, it is often the basics that most organizations miss that cause compromises. For example, we are constantly focused on basics like security architecture, access and authentication control, device configuration and baselines, operating system and third-party patch levels, security awareness training, and table-top exercises. Even at McAfee with the entire product portfolio, we are diligent about instilling the basics across our security operations.
  6. Finally, what signals do we focus on? We need context and insight to answer this. This requires a place where all the data can be collected, enriched and shared. We have been using McAfee Enterprise Security Manager 11.0, which was announced today, for some time now. The open data bus architecture enables our SIEM to ingest a high volume of data, scaling to billions of events, and then enrich that raw data nearly immediately, turning noise into insights. We also appreciate that this architecture allows the SIEM to intelligently share data with any appropriate appliance, application, or data store. This is an evolved security operations infrastructure – it’s a mix of a SIEM platform with User Entity Behavior Analytics (UEBA) and threat investigation, using McAfee Behavioral Analytics (MBA) and McAfee Investigator. Our Security Fusion Centers are the first places where all those pieces will be present and working together.

As for Job #2, helping McAfee build better products, by now you can see how we are living out a commitment to be Customer Zero for McAfee. Going forward, we are going to be the first organization to use McAfee’s new products. But we are doing that in a way that will help our customers implement better, faster and more smoothly before they have even seen the product. We’re working out the bugs and we’re working on feature requests with our Product Management and Engineering teams.

This helps us to be better, more innovative, and to solve cybersecurity challenges. It is meant to be a very tight collaboration – a place to try out our products in the real world. We’re going to get there through collaboration. From our learnings in the first year, we have observed that diversity is the single most important factor in developing a world class organization. Diversity of thought challenges typical thinking and results in better outcomes.

In fact, collaboration is personally my number one thing. I wanted to work with the smartest people in the world. I will acknowledge that I am not the smartest person in the room. Somebody is going to know more about security than I do. Embracing that and bringing that all together will make us all stronger and better at our jobs. And that is what we mean when we say, “Together is Power.”

As for my personal third goal, helping all of you to be better, too, that’s why I’m sharing here. We’ll continue this dialogue about how McAfee is protecting itself and, in the process, learning more about helping you with another blog post soon. I’ll be sharing the byline with my colleague, Jason Rolleston, Vice President for Security Intelligence & Analytics.

Let me know what signals you are focused on and how we can help solve problems together.

You can look for Grant Bourzikas on Twitter and LinkedIn and at security events like MPOWER, Blackhat, and RSA.

McAfee technologies’ features and benefits depend on system configuration and may require enabled hardware, software, or service activation. Learn more at mcafee.com. No computer system can be absolutely secure.


A Model for Human and Machine Interaction: Human-Machine Teaming Grows up
https://securingtomorrow.mcafee.com/business/model-human-machine-interaction-human-machine-teaming-grows/
Fri, 23 Feb 2018 18:00:58 +0000

Security operation centers (SOCs) are struggling to keep up with attackers, and artificial intelligence (AI) has failed to deliver significant improvements. The industry has been successful at applying AI to malware detection and user and entity behavior analytics (UEBA) using deep neural networks and anomaly detection. But other core SOC jobs such as monitoring, triage, scoping, and remediation remain highly manual. Some repetitive and low-value tasks can be assisted with automation, but tasks that require analysis and creativity are hard to capture in code. Even worse: Imagine trying to automate the investigation of an undiscovered attack technique.

Automation and current AI solutions depend upon a human observing and understanding a threat, then building a model or writing code. The time gap between the human observing a phenomenon and the machine helping is the reason why attackers often have the upper hand. In order to get ahead, we need to make AI systems learn and interact directly with practitioners at the SOC.

The idea behind human-machine teaming (HMT; see [1] and [2]) is to put the human in the AI algorithm loop. In a SOC context, the human has the intuition to find a new attack technique and the creativity to investigate it using company tools. Using human input, the machine gathers information and presents it back in a summary to manage the human cognitive workload. As a result of the human-machine interaction, the machine learns to better proceed in new scenarios, while the human continues to adapt, focusing on higher-value tasks.

Research shows that unsupervised anomaly detection can be improved by asking the human to examine alerts when classification confidence is low. This approach improves detection by 4X and reduces false positives by 5X [3]. More importantly, the system teaches itself to address adversaries’ changing tactics.

Our assessment of the current SOC tools landscape shows that several products put the human in the loop, but very few empower the human to perform high-order cognitive tasks. In order to understand where we stand as an industry and what the gap is, we clustered tools into four groups.

[Figure: the HMT maturity model. Most cybersecurity products today deliver HMT1 and HMT2 capabilities. McAfee Investigator delivers HMT3 and our engineers are working toward HMT4.]

On the vertical axis, we have ascending levels of cognitive tasks that humans bring to the team, while on the horizontal axis we have machine capabilities. An assumption of this model is that a human is not able to exercise high-order tasks if she also has to perform low-level functions. This is similar to a Maslow pyramid psychology model. As the machine starts to interact with the human at a higher level of cognition, the team becomes more effective and the degree of human-machine teaming increases from HMT0 to HMT4.

Most of the products in the industry today revolve around the first two iterations of human-machine teaming, known as HMT1 and HMT2. In these scenarios, humans interact with products by analyzing data and providing explicit orders on how to drill down and gather additional data. In some products, humans are able to elevate their work by getting insights and applying their intuition and context to them.

What is clearly missing are products that can take directional feedback, for instance: “Get me evidence that supports potential lateral movement on this case”. We are also missing products that can learn by observing the human at work, for instance, learning to dismiss the alerts that humans have investigated and dismissed in the past.

At McAfee we are using this HMT maturity model as a guide to building better features and tools for the SOC. We recently launched McAfee Investigator [4] to help triage alerts faster and more effectively. Investigator, which uses a question answering approach to leverage expert knowledge [5], can take directional feedback from the human to pivot an investigation (HMT3). Our goal is to develop Investigator to a point where it can learn directly from practitioners (HMT4).

Learn more about human-machine teaming here.


[1] S. Grobman, “Why Human-Machine Teaming Will Lead to Better Security Outcomes,” 13 July 2013. [Online]. Available: https://securingtomorrow.mcafee.com/executive-perspectives/human-machine-teaming-will-lead-better-security-outcomes/
[2] B. Kay, “News from Black Hat: Humans Collaborate and Team with Machines to Work Smarter,” 25 July 2017. [Online]. Available: https://securingtomorrow.mcafee.com/business/news-black-hat-humans-collaborate-team-machines-work-smarter/
[3] K. Veeramachaneni, I. Arnaldo and V. Korrapati, “AI^2 : Training a big data machine to defend,” IEEE 2nd International Conference on Big Data Security on Cloud, 2016.
[4] “McAfee Investigator,” [Online]. Available: https://www.mcafee.com/us/products/investigator.aspx
[5] F. M. Cuenca-Acuna and I. Valenzuela, “The Need for Investigation Playbooks at the SOC,” 2017. [Online]. Available: https://www.sans.org/summit-archives/file/summit-archive-1496695240.pdf

McAfee does not control or audit third-party benchmark data or the websites referenced in this document. You should visit the referenced website and confirm whether referenced data is accurate.
McAfee technologies’ features and benefits depend on system configuration and may require enabled hardware, software, or service activation. Learn more at mcafee.com. No computer system can be absolutely secure.

A Leader-Class SOC: The Sky’s the Limit
https://securingtomorrow.mcafee.com/business/security-operations/leader-class-soc-skys-limit/
Wed, 06 Dec 2017 19:44:17 +0000

This has been quite a year for McAfee, as we not only roll out our vision, but also start to fulfill that vision.

We’ve established our world view: endpoint and cloud as the critical control points for cybersecurity and the Security Operations Center (SOC) as the central analytics hub and situation room. While we’ve talked a lot about endpoint and cloud over the past year, we’ve only recently started exposing our thinking and our innovation in the SOC, and I would like to delve a bit deeper.

SOCs provide dedicated resources for incident detection, investigation, and response. For much of the past decade, the SOC has revolved around a single tool, the Security Incident and Event Manager (or SIEM). The SIEM was used to collect and retain log data, to correlate events and generate alerts, to monitor, to report, to investigate, and to respond. In many ways, the SIEM has been the SOC.

However, in the past couple of years, we’ve seen extensive innovation in the security operations center. This innovation is being fueled by an industry-wide acceptance of the increased importance of security operations, powerful technical innovations (analytics, machine learning), and the ever-evolving security landscape. The old ways of doing things are no longer sufficient to handle increasingly sophisticated attacks. We need to do something different.

McAfee believes this next generation SOC will be modular, open, and content-driven.

And automated. Integration of data, analytics, and machine learning are the foundations of the advanced SOC.

The reason for this is simple: increased volume. In the last two years, companies polled in a McAfee survey said the amount of data they collect to support cybersecurity activities has increased substantially (28%) or somewhat (49%). There are important clues in all that data, but the new and different attacks get lost in the noise. Individual alerts are not especially meaningful – patterns, context, and correlations are required to determine potential importance, and these constructs require analytics – at high speed and sophistication, with a model for perpetually remaining up-to-date as threat actors and patterns change. We need the machines to do more of the work, freeing the humans to understand business-specific patterns, design efficient processes, and manage the policies that protect each organization’s risk posture.

SIEM remains a crucial part of the SOC. The use cases for SIEM are extensive and fundamental to SOC success: data ingestion, parsing, threat monitoring, threat analysis, and incident response. The McAfee SIEM is especially effective at high performance correlations and real-time monitoring that are now mainstream for security operations. We are pleased to announce that McAfee has been recognized for the seventh consecutive time as a leader in the Gartner Magic Quadrant for Security Information and Event Management.* And we’re not stopping there — we’re continuing to evolve our SIEM with a high volume, open data pipeline that enables companies to collect more data without breaking the bank.

An advanced SOC builds on a SIEM to further optimize analytics, integrating data, and process elements of infrastructure to facilitate identification, interpretation, and automation. A modular and open architecture helps SOC teams add in the advanced analytics and inspection elements that take SOCs efficiently from initial alert triage through to scoping and active response.

Over the past year, we’ve worked extensively partnering with over eight UEBA vendors to drive integration with our SIEM. At our recent customer conference in Las Vegas, MPOWER, we announced our partnership with Interset to deliver McAfee Behavioral Analytics. Look for more information about that in the new year. I also want to reinforce our commitment to being open and working with the broader ecosystem in this space, even as we bring an offer to market. No one has a monopoly on good ideas and good math – we’ve got to work together. Together is Power.

We also launched McAfee Investigator at MPOWER, a net new offering that takes alerts from a SIEM and uses data from endpoints and other sources to discover key insights for SOC analysts at machine speed. Leveraging machine learning and artificial intelligence, McAfee Investigator helps analysts get to high quality and accurate answers, fast.

The initial response is great: we’ve seen early adopter customers experience a 5-16x increase in analyst investigation efficiency. Investigations that took hours are taking minutes. Investigations that took days are taking hours. Customers are excited and so are we!

In short – we have a lot cooking in the SOC and we are just getting started.

Look for continued fulfillment of McAfee’s vision in 2018. The sky’s the limit.

Cheers,

Jason

*Gartner Magic Quadrant for Security Information and Event Management, Kelly M. Kavanagh, Toby Bussa, 4 December 2017. From 2015-16, McAfee was listed as Intel Security, and in 2011, McAfee was listed as Nitro Security since it acquired the company in 2011.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

The post A Leader-Class SOC: The Sky’s the Limit appeared first on McAfee Blogs.

Safe Soaring: McAfee Advances Customer Success with Integrated Analytics, Ecosystems, and Experiences at MPOWER
https://securingtomorrow.mcafee.com/business/safe-soaring-mcafee-advances-customer-success-integrated-analytics-ecosystems-experiences-mpower/
Wed, 18 Oct 2017 20:01:24 +0000

This blog was written by Barbara Kay.

Security embodies the analogy of fixing a plane in flight. Every company has some variety of security people, process, and technology in place already. So, like a plane in flight, your security infrastructure needs an operational model that can be updated, adapted, repaired, or serviced while it is actively at work protecting your business infrastructure.

A successful model must accommodate several inconvenient truths. Security systems are not set-and-forget, nor does any product or service exist in a vacuum. There’s no single vendor. The people-process-technology trifecta takes a sound, extensible architecture and continual nourishment to support healthy and secure enterprise operations.

These truths are fundamental to the McAfee threat defense lifecycle model and human-machine teaming vision, which received new support this week in Las Vegas at the MPOWER Cybersecurity Summit. Here’s an overarching view and examples of the 360 degree approach McAfee is taking for customer success. We are innovating in products, in industry collaboration, in cloud enablement, and in the customer relationship model.

Innovating in Analytics

Multiple new and updated products increase the precision, efficiency, and efficacy of defenses and security operations through new analytics based on machine learning, artificial intelligence, and really smart people in our Foundstone consulting practice and McAfee Labs.

  • New McAfee Investigator solution applies advanced analytics to increase SOC productivity
  • Deep Learning integrated into McAfee Endpoint Security, leveraging knowledge gleaned from both pre- and post-execution review
  • New McAfee innovations feature ransomware decryption and a new “stegware” or steganography detection initiative

Breaking Glass (and Silos)

ESG research shows that enterprises want to embrace automation as a means of getting more done with existing resources, but automation is contingent on integration of data and processes between products. That’s been difficult because of the many moving parts: accessible APIs, vendor politics, and available integration skills and time.

We’ve taken the need for easier integration to heart, building on the success of the Data Exchange Layer and the OpenDXL initiative, announced one year ago. This week, McAfee unveiled a ground-breaking integration, bridging two communications fabrics and ecosystems for end-to-end visibility and risk mitigation. By linking the Data Exchange Layer with Cisco pxGrid, we have extended the reach of high-fidelity data and the range of automated actions companies can implement, and increased the possibilities when companies take advantage of the OpenDXL open source initiative and its community.

Industry leadership like this is one reason the McAfee Security Innovation Alliance ecosystem continues to flourish, and MPOWER celebrated a nearly 15% surge in new independent software vendors joining the community.

Protecting Hybrid Cloud

One challenge of enhancing our “plane in flight” is the heterogeneous nature of the infrastructure itself. Few, if any, organizations operate security and business systems purely on-premises or purely in the cloud. Hybrid infrastructures require adaptation of implementation, access control, visibility, policies, and reporting to span and accommodate this diversity.

McAfee has expanded our portfolio of hybrid products and services with new options for using and leveraging the cloud alongside other security and corporate infrastructure.

Re-imagining CX

Finally, let’s think about the experience of managing and maintaining the plane in flight. The pilot (CISO) needs to get the job done while keeping the passengers (end-users) happy and safe and minimizing wear and tear on the co-pilot, flight crew, and ground personnel (CIO, architect, SOC analysts, and administrators). A unified plan for the flight experience spreads calm and reliability through the flight, using best practices to implement features and updates and to anticipate challenges and inevitable changes.

This is the design center for a new team at McAfee. At MPOWER, McAfee announced the new Customer Success Group, which unifies services, support, education, and consulting. Their first deliverable is the new Premier Success Plan.

This plan understands that buying the right tools is just a starting point. Post-sales decisions around design, deployment, maintenance, risk management, escalations, education, and strategy will have a dramatic impact on an organization’s security posture, time to value, and value over time. With so many options to choose from, it’s not always easy to know which consulting, service, and support you need to be successful. Without tracking, your team may not capture full value from the ones you order.

Our new Premier Success Plan takes away the guesswork and fills in the gaps. A comprehensive roadmap combines professional and solutions services, training, and technical support with personalized management.

Benefits All Year Long

Each year, this fall conference ushers in a wave of products, programs, and ideas, just in time for planning for the next year. You don’t need to attend to capture all of the product and programs value, but the community, camaraderie, and creativity you experience can be a welcome rejuvenation from the ongoing stress of flying the security plane.

This year, it was especially important #VegasStrong.

We hope to see you next year. Soar safely.

Stay up to date on all things MPOWER17 by following us on Twitter at @McAfee.

Introducing McAfee Investigator: Automated, Expert System-Based Analytics to Transform the SOC
https://securingtomorrow.mcafee.com/business/introducing-mcafee-investigator-automated-expert-system-based-analytics-transform-soc/
Wed, 18 Oct 2017 16:02:18 +0000

This blog was written by Barbara Kay.

SOC analysts are getting beaten up by both commodity attacks and sophisticated ones, with many companies taking far more than a day or a week to close a case and few consistently digging all the way to root cause. McAfee research collected in May 2017 documented this dilemma and showed that companies are investing in advanced analytics and automation as a way to fight back:

  • 85% of SOCs want to use more analytics
  • 84% of SOCs want to use automation to move up the maturity scale
  • Mature SOCs automate more than 3X more often than new SOC teams, but almost everyone is investing
  • Mature SOCs automate more than 50% of investigation processes, and want to automate more
  • Top active automation areas include real-time endpoint analysis, triage, forensics, and remediation

We’re eager to help. As part of our expanding portfolio of automated threat and malware analytics based on machine learning, McAfee is proud to announce McAfee Investigator, a SaaS analytics subscription that transforms novice analysts into expert investigators. Rather than adding complexity with yet another product silo, it leverages the data sources and alerts of a SIEM and includes real-time endpoint visibility via McAfee ePolicy Orchestrator and a dissolvable agent.

McAfee Investigator automates data collection, organization, and case management within an expert system-driven workspace. Starting with prioritized triage, automation, Foundstone expertise, and machine learning (in fact, artificial intelligence as well) come together to guide analysts to consider the right questions and hypotheses for the specific situation. Insights with drill downs and visualizations help them explore the most relevant details and subtle indicators as they move rapidly through scoping, validation, documentation, and disposition.

Scott Howitt, senior vice president in the CISO organization of MGM International, says that McAfee Investigator helps them to spend more time on actual investigations:

“The way Investigator helps me mature my organization is with the automated playbooks, with the easier ability to go find like problems in my environment and things like that. My team spends less time switching between tools and focusing on how to make the tool work and actually focusing on the investigation than they did before.”

This service helps SOC teams mature operations as they fulfill several goals:

If you have an overworked SOC and a yen to try a new model that makes the most of the strengths of both humans and machines, this new service is worth a look. Visit mcafee.com/investigator or contact your sales manager to learn more.

For more news on McAfee Investigator and updates from MPOWER17 follow us on Twitter at @McAfee.

Tips for Effective Threat Hunting
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/tips-effective-threat-hunting/
Wed, 18 Oct 2017 16:01:47 +0000

This blog was co-written by Ramnath Venugopalan.

In May, McAfee surveyed more than 700 IT and security professionals around the world to better understand how threat hunting is used in organizations and how they hope to enhance their threat hunting capabilities. You can read the full study: Disrupting the Disruptors, Art or Science? Understanding the role of threat hunters and continuing evolution of the SOC in cybersecurity.

At the MPOWER Cybersecurity Summit, Oct. 17–19 in Las Vegas, McAfee will discuss the results of this survey and explain how our products can help customers run a next-level security operations center. We will also cover trends among threat hunters and answer questions such as:

  • What are a threat hunter’s core tools?
  • What level is your environment in the threat hunting maturity scale?
  • Do you want to improve on that scale?
  • What are top-tier SOCs doing that low-level SOCs are not?

One thing top-tier SOCs do is use six core logs to identify attacks:

  • DNS logs are one of the best sources of data within an organization. They should be compared with the various threat intelligence sources and mined for information.
  • Proxy logs are useful for exfiltration detection and forensics, identifying potential phishing attempts and suspicious domains, and identifying control server domains.
  • SMTP logs are useful but they do not necessarily capture all details due to privacy restrictions around email content. We can use them to capture header information, though not data on attachments or embedded links.
  • Windows logs can be a very rich source of data. They can also be very noisy and come in several flavors. Timeline analysis makes the best use of these logs, and overlaying the other logs described here is the key to extracting value from them. Each Windows log sheds light on a different part of the puzzle. Some of the most valuable are:
    • Authentication logs
    • Security logs
    • Application logs
    • System logs
  • DHCP logs are temporal entries that require timeline matching to correlate with log entries from other sources.
  • VPN logs are also temporal entries that require timeline matching to correlate with log entries from other sources. They are useful for detecting the theft of credentials.

Each of these logs provides insight into specific parts of the incident response process. This talk will walk through each log and identify the key insights that can be drawn from specific data in that log, as well as useful automation.

Are you collecting these logs? That’s only half the battle. Join us at MPOWER as we look at recent advanced persistent threat campaigns and show how these six logs can help identify breaches and create mitigations.
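The DHCP and VPN bullets above both hinge on timeline matching: an IP address in a DNS or proxy log only identifies a host once you know which lease held that address at that instant, and a VPN login is only suspicious in relation to the user's other logins. The script below is an added example, not code from the post or from McAfee Labs, showing both checks over constructed log lines: it attributes watchlisted DNS lookups to the host that held the client IP at query time, and flags a VPN user who authenticates from two different source addresses inside a short window (the kind of credential-theft signal the VPN bullet refers to). The log formats, hostnames, MACs, the watchlist domain and the addresses (RFC 5737 documentation ranges) are all assumptions constructed for the example.

```python
"""Timeline matching across DHCP, DNS and VPN logs.

Added example. Every log line, hostname, domain and address below is a
constructed placeholder, not data from the McAfee post.
"""
from __future__ import annotations

import bisect
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed DHCP lease log: "<timestamp> DHCPACK <ip> <mac> <hostname>".
# 10.0.0.25 is leased to two different hosts on the same day on purpose.
DHCP_LOG = """\
2017-10-16T08:00:00 DHCPACK 10.0.0.25 aa:bb:cc:00:00:01 ws-finance-07
2017-10-16T10:30:00 DHCPACK 10.0.0.25 aa:bb:cc:00:00:02 ws-hr-03
2017-10-16T09:15:00 DHCPACK 10.0.0.40 aa:bb:cc:00:00:03 ws-eng-11
"""

# Constructed DNS resolver log: "<timestamp> <client_ip> <qname>".
DNS_LOG = """\
2017-10-16T08:45:10 10.0.0.25 update.example.com
2017-10-16T10:45:10 10.0.0.25 beacon.example.net
2017-10-16T09:20:00 10.0.0.40 www.example.org
2017-10-16T12:00:00 10.0.0.99 beacon.example.net
"""

# Constructed watchlist standing in for a threat-intelligence feed.
WATCHLIST = {"beacon.example.net"}

# Constructed VPN authentication log: "<timestamp> LOGIN <user> <source_ip>".
VPN_LOG = """\
2017-10-16T07:55:00 LOGIN alice 203.0.113.10
2017-10-16T08:05:00 LOGIN alice 198.51.100.7
2017-10-16T08:10:00 LOGIN bob 203.0.113.22
2017-10-16T13:00:00 LOGIN bob 198.51.100.9
"""


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def parse_dhcp(text: str) -> dict:
    """Build, per IP, a time-sorted list of (lease_time, mac, hostname)."""
    leases = defaultdict(list)
    for line in text.splitlines():
        ts, _msg, ip, mac, host = line.split()
        leases[ip].append((_ts(ts), mac, host))
    for entries in leases.values():
        entries.sort()
    return leases


def lease_at(leases: dict, ip: str, when: datetime):
    """Return (mac, hostname) that held `ip` at time `when`, or None."""
    entries = leases.get(ip)
    if not entries:
        return None
    times = [e[0] for e in entries]
    # Most recent lease granted at or before `when`: the timeline match.
    idx = bisect.bisect_right(times, when) - 1
    if idx < 0:
        return None
    _, mac, host = entries[idx]
    return mac, host


def attribute_dns_hits(dhcp_text: str, dns_text: str, watchlist: set) -> list:
    """Find DNS queries for watchlisted names and name the host behind each IP."""
    leases = parse_dhcp(dhcp_text)
    hits = []
    for line in dns_text.splitlines():
        ts, client_ip, qname = line.split()
        if qname not in watchlist:
            continue
        owner = lease_at(leases, client_ip, _ts(ts))
        hits.append({
            "time": ts,
            "ip": client_ip,
            "qname": qname,
            "host": owner[1] if owner else None,  # None: no lease on record
            "mac": owner[0] if owner else None,
        })
    return hits


def vpn_concurrent_logins(vpn_text: str, window: timedelta) -> list:
    """Flag users who authenticate from two different source IPs within `window`."""
    by_user = defaultdict(list)
    for line in vpn_text.splitlines():
        ts, _evt, user, src = line.split()
        by_user[user].append((_ts(ts), src))
    flagged = []
    for user, logins in by_user.items():
        logins.sort()
        for (t1, ip1), (t2, ip2) in zip(logins, logins[1:]):
            if ip1 != ip2 and t2 - t1 <= window:
                flagged.append((user, ip1, ip2))
    return flagged


if __name__ == "__main__":
    for hit in attribute_dns_hits(DHCP_LOG, DNS_LOG, WATCHLIST):
        print(hit)
    print(vpn_concurrent_logins(VPN_LOG, timedelta(minutes=30)))
```

The point of the DHCP lookup is the second lease on 10.0.0.25: a naive join on IP would blame ws-finance-07 for the 10:45 lookup, while the lease timeline correctly names ws-hr-03. A query from an address with no lease on record comes back with host None, which is itself worth a look, since an unmanaged or statically configured device is outside the DHCP picture.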

For more on Threat Hunting and for updates from MPOWER17, follow us on Twitter @McAfee_Labs.

Time to Close vs. Root Cause – Are we measuring the wrong thing (again)?
https://securingtomorrow.mcafee.com/business/security-operations/time-to-close-vs-root-cause/
Tue, 22 Aug 2017 19:00:08 +0000

This blog was written by Barbara Kay.

“Human beings adjust behavior based on the metrics they’re held against. Anything you measure will impel a person to optimize his score on that metric. What you measure is what you’ll get. Period.” – Dan Ariely, Duke University behavioral economist in Harvard Business Review  

When the Verizon Data Breach Investigation Report started reporting “time to” metrics around 2013 (time to detect, time to contain, time to remediate), most security operations managers started to monitor their own team’s performance against these stats. That’s not a bad thing – I’ve certainly touted these numbers in my posts before. They help assess workloads and justify investment.

However, as managers, we need to add another lens to emphasize efficiency AND effectiveness.

Closing cases (time to contain, time to remediate) without getting to root cause is like chopping off the arm of the starfish – the arm will likely grow back and may come back bigger and nastier.

Why care about root cause?

Root cause is the secret to returning to a healthy state. Getting to root cause means you identify how the attacker got in, which systems provided cover, which credentials were abused, and how they manipulated system, countermeasure, and application software to hide their tracks. When you push investigations to the point of root cause analysis, you are more likely to fully scope the attacker’s activities and excise them from your estate. If you don’t get to root cause, an attacker may retain a foothold, ready to reactivate after you have reimaged the host or blocked an IP address and claimed “case closed.” That lingering presence means you still risk damage, as well as repeated cleanup costs.

In Disrupting the Disruptors, Art or Science?, we researched threat hunting practices in security operations centers. Time to close is an important stat, and the most mature orgs are closing faster than anyone else, by a huge margin. Mature orgs were 2 times more likely to close cases within a day than the merely innovative, and closer to three times more likely to close within a day than the SOCs just getting started. (For details on the maturity definitions and other findings, download the free report.)

Leaders close, with higher confidence the incident won’t recur

But – there’s another very important metric that clearly isn’t being rewarded as aggressively, or the numbers would be better, per the behavioral psychologists who say you get what you measure. The most advanced threat hunting organizations are winning on time to close AND aggressively uncovering root cause. Hunters at the minimal level typically determine the cause of just 20-30% of attacks, compared to leading hunters, who dig in to find the cause of 70% or more.

Net net: the leading SOCs are closing more cases faster AND getting to root cause most of the time – performing far better than their peer groups. As an industry, let’s start to measure both of these goals to increase overall cybersecurity health.

For insights on how leading SOCs are achieving these results, such as advanced use of automation and sandboxing, read the report.
