McAfee - Enterprise Security Manager (ESM) - SIEM
Download as PPTX, PDF0 likes1,353 views
The document provides an overview of McAfee's Enterprise Security Manager (ESM) and its Security Information and Event Management (SIEM) capabilities, highlighting its advanced analytics, threat detection, and compliance features. It details the security operations landscape, including integration with various McAfee products and third-party solutions, along with use cases for threat management and incident response. The ESM aims to enhance organizational cybersecurity through improved visibility, data collection, and automation.
McAfee - Enterprise Security Manager (ESM) - SIEM
- 1. McAfee Enterprise Security Manager (ESM) Security Information & Event Management (SIEM) Iftikhar Ali Iqbal, CISSP, CCSP, CISM https://www.linkedin.com/in/iftikhariqbal/ Valid till Jan 2020
- 2. 2 AGENDA Target Partners & RTM 1 2 3 Company Overview Security Operations Enterprise Security Manager (ESM) 4 Use Cases / Scenarios
- 4. 4 SOLUTIONS SERVICES OPEN ARCHITECTURE BRIEF McAfee – the device-to-cloud cybersecurity company – is one of the largest pureplay cybersecurity companies in the world, with 30+ years of market leadership and 1,550+ patents worldwide. CASB Connect OpenDXL MCAFEE: OVERVIEW
- 5. 5 Portfolio Strategy An Integrated And Open Security System Threat Defense Lifecycle Together, Is Far More Powerful Than Sum Of The Parts SECURITY OPERATIONS DEVICE CLOUD MANAGEMENT THREAT INTELLIGENCE ANALYTICS AUTOMATION / ORCHESTRATION INFRASTRUCTURE MCAFEE: STRATEGY
- 6. 6 SIEM: Broad Data Collection Advanced Analytics: Risk scoring, anomaly detection SIEM: Long-term Compliance, archive & forensics SIEM: Real-time correlation & detection SIEM: Short-term Search & hunting Sandboxing: Malware Analysis EDR: Endpoint telemetry, process trace SIEM View all alerts, coordinate action Investigator: Automated analysis, guided investigation EDR: Response Collaboration with 3rd party solutions SIA Partner and Open Solutions Advanced Analytics Investigate and Act Collect, Enrich, and Share Data at any Scale Turn Data into Insight Data Platform Expert-guided Investigation for Confident Action ATDESMESM MAR/M EDR MAR /MEDRSIA MVISION EDR MCAFEE: SECURITY OPERATIONS
- 7. 7 Time to Identify Time to Investigate Time to Contain Mean Time to Respond (MTTR) Mean Time to Detect (MTTD) 3-15 Months Dwell Time SECOPS: CHALLENGE
- 8. ENTERPRISE SECURITY MANAGER (ESM) Security Information & Event Management (SIEM)
- 9. 9 Real Time Advanced Analytics Threat and Risk Prioritization INTELLIGENT INTEGRATED ACTIONABLE Comprehensive Security Broad Data Collection, Including Cloud Support Security Connected Integrations Active and Customizable Dashboards High Performance Data Management Engine Ease of Operation ! ESM: STRATEGIC OVERVIEW
- 10. 10 ESM: ESSENTIALS CORRELATION • Event Normalization • Receiver & Advanced Correlation • Real-Time & Historical ‘Modes’ • Rule & Risk ’Engines’ MANAGEMENT • Dashboard Views • Threat Management & Intelligence • Content Packs (Use-Case Driven) • Policies & Rules ALARMS • Visual and Auditory • Text and Email • Case Management • Remote Commands • Watchlist DATA SOURCES • Security Events • Network Flow Data • Multi-Vendor • Various Types • Multi Method
- 11. 11 ESM: COMPONENTS McAfee Enterprise Security Manager McAfee Enterprise Log Manager McAfee Application Data Monitor McAfee Database Security McAfee Advanced Correlation Engine McAfee Event Receivers Adaptive Risk Analysis and Historical Correlation Integrated SIEM & Log Management Rich Application and Database Context Scalable Collection and Distributed Correlation TIE/DXL SIA PartnersePO GTINSM Connected SolutionsIntegration and Operational Efficiency McAfee solutions empower organizations with visibility across systems, networks, and data, helping counter threats and mitigate risks. Physical & Virtual Appliances ATDMAR
- 12. 12 Data Sources Enterprise Security Manager Application Data Monitor Event Receiver Advanced Correlation Engine (Real Time) Enterprise Log Manager TIP FW SEG DNS SEC IPS APT CASB Global Threat Intelligence Datacenter Security for Databases Advanced Correlation Engine (Historical) ESM: ARCHITECTURE Enterprise Log Search
- 13. 13 ePolicy Orchestrator ICAP SMTP DLP Monitor DLP Discover DLP Prevent Web DLP Prevent Email DLP Prevent Mobile Mobile Device Management Secure Web Gateway Egress Switch MVISION Cloud API Threat Intelligence Exchange + Data Exchange Layer + Active Response Server Web Gateway (Pooled) Load Balancer McAfee Labs Global Threat Intelligence (GTI) Active Response – Cloud Storage Agent Handlers Next-Gen Endpoint Protection Endpoint Security Adaptive Threat Protection Active Response Data Loss Prevention Device Control DLP Endpoint Data Classification Web Proxy Client Proxy Physical Servers Virtual Servers McAfee Agent Next-Gen Server Protection Endpoint Security for Servers Adaptive Threat Protection Active Response Data Loss Prevention DLP Endpoint Data Classification Web Proxy Client Proxy HEADQUARTERS – MAIN DATA CENTER McAfee Agent Endpoints Next-Gen Endpoint Protection Endpoint Security Adaptive Threat Protection Active Response Device Control Client Proxy McAfee Agent Endpoints SITE # 1 Next-Gen Endpoint Protection Endpoint Security Adaptive Threat Protection Active Response Device Control Client Proxy McAfee Agent Endpoints SITE # 2 Active Directory Rights Management Services (RMS) Data Classification Enterprise Security Manager TIP FWSEG DNS SECIPSAPT CASB ApplicationData Monitor Event Receiver Advanced CorrelationEngine Enterprise Log Manager ` DataSources KafkaServiceBus Security Operations Center (SOC)
- 14. 14 ESM: INTEGRATIONS OpenDXL ePolicy Orchestrator Advanced Threat Defense (Malware Analysis) Threat Intelligence Exchange Active Response MVISION EDR
- 15. USE CASES & SCENARIOS
- 16. 16 ESM: USE CASES SCENARIOS MANAGEMENT MCAFEE SOLUTIONS THIRD PARTY COMPLIANCE BASEL II EU 8th Directive FISMA GLBA CPG 13 HIPAA ISO 27002 NERC PCI Compliance SOX . . . Aruba Cofense Interset PhishMe ThreatConnect Vormetric . . . Application Control Change Control Application Data Monitor Database Activity Database Event Monitor General Host Intrusion Prevention Network Security Platform Threat Intelligence Web Gateway . . . Executive Case Management Hardware Health . . . User Behavior Analytics Suspicious Activity Exfiltration Reconnaissance Asset, Threat & Risk Authentication Doman Name Service (DNS) Database Denial-of-Service (DoS) Domain Policy Exploit Firewall Malware . . . AlarmsViews ReportsCorrelation Rules WatchlistsData Sources (Product)
- 17. 17 ESM: USE CASES – User Behavioral Analytics (UBA) • McAfee Advance Correlation Engine (ACE) • McAfee Global Threat Intelligence • Microsoft Windows Data Sources DATA SOURCES / PRODUCTS • Source User • Risk Suspicious Geo Events • User Behavior Events VIEWS • Security Groups • Accounts Not Requiring a Password • Accounts with Expired Password • Computer Accounts • Default Usernames • . • . • . WATCHLISTS • Domain Policy x 10 Rules • GTI x 2 Rules • UBA x 13 Rules • Windows Authentication x 8 Rules CORRELATION RULES Source User 1 Week REPORTS New User Logon Detected ALARMS
- 18. 18 McAfee Endpoint Security ESM 2 DXL Fabric 3 MAR ESM: SCENARIO – ENDPOINT INCIDENT Identify malware activity early in the kill chain Security Analyst 2 ESM correlation rule alerts security analysts to possible attack using fileless techniques 4 Analyst performs validation with ELS and logs from web gateway Scenario Overview 5 Analyst performs scoping with Active Response 7 Analyst uses ESM to update Cyber Defense Countermeasures via OpenDXL 8 1 ENS logs Powershell and Blocks MimiKatz installation Incident Identification Incident Investigation Analysts pivots around events and declares incidents 6 Incident Containment Endpoint, Server, Cloud DNS and Network countermeasures are updated automatically via OpenDXL 1 Analyst performs validation with Active Response and ATD 4 5 6 7 8 8 Perimeter Firewall Data Center Firewall McAfee vIPS Cloud Protection 8 8 McAfee Server Security ATDELS 8 DNS Security
- 19. 19 Time to Detect Time to Investigate Time to Contain Security Effectiveness Goals Process Efficiency Goals AVG 50% Process Automation with MTTR of under 10 Minutes 2 Analysts in this Use Case accessed 3 consoles only Detection – ENS, ATP Process Automation – 50% Analysts – 1 Consoles - 1 Investigation – ESM, ELS, MAR and ATD Process Automation – 25% Analysts – 1 Consoles - 3 Containment – ESM, DXL, Third Party Process Automation – 70% Analysts – 1 Consoles - 1 ESM: SCENARIO - ENDPOINT RESULTS
- 20. 20 Modern, scalable platform for Sec Ops Security focus from day one Deep, high-quality integrations Modular scale-out data platform makes costs predictable Open source Kafka message bus removes data sharing tax Out-of-the-box use cases and analytics that require less configuration and professional support Innovative advanced analytics for detection and investigation assistance Tight integrations with other McAfee products Expansive dashboarding, automation, and orchestration with 130 SIA partners via DXL and direct capabilities ESM: KEY POINTS
- 21. 21 SECURITY OPERATIONS: OPEN & INTEGRATED Local Threat Intelligence Reputation-based Protection File and Certificates STIX support Collaborative Ecosystem Data Exchange Layer Global Threat Intelligence (GTI) Sec. Info. & Event Mgmt. Integrated Log Management Scalable Collection Distributed Correlation Adaptive Risk Analysis Historical Correlation Rich Application Context Rich Database Context Various Integrations Integrations Local Threat Intelligence Advanced Threat Protection Intrusion Prevention System Endpoint Detection & Response Security Orchestration User & Entity Behavior Machine Learning User and Devices McAfee SIEM & Non-McAfee Remediation Actions Incident Response Evidence Collection Investigation Guides Coaching SIEM Ingestion
- 22. THANK YOU