stackArmor - Security MicroSummit - McAfee

Editor's Notes

• #3: What was Security Connected 3-4 years ago? Intel was extremely important for us New Strategy -> Customer Centric New organization PM/R&D New UX team
• #4: Cloud computing is a new name for an old concept: the delivery of computing services from a remote location, analogous to the way electricity, water, and other utilities are provided to most customers. Cloud computing services are delivered through a network, usually the Internet. Some cloud services are adaptations of familiar applications, such as e-mail and word processing. Others are new applications that never existed as a local application, such as online maps and social networks. Since 2009, the federal government has been shifting its data storage needs to cloud-based services and away from agency-owned data centers. This shift is intended to reduce the total investment by the federal government in information technology (IT) (data centers), as well as realize other stated advantages of cloud adoption: efficiency, accessibility, collaboration, rapidity of innovation, reliability, and security
• #6: When evaluating the security of a cloud solution, it is important for customers to understand and distinguish between: Security measures that the cloud service provider (AWS) implements and operates – "security of the cloud" Security measures that the customer implements and operates, related to the security of customer content and applications that make use of AWS services – "security in the cloud" While AWS manages security of the cloud, security in the cloud is the responsibility of the customer. Customers retain control of what security they choose to implement to protect their own content, platform, applications, systems and networks, no differently than they would for applications in an on-site datacenter.
• #7: Public cloud is a multi-tenant environment where customers pay and use shared resources. Customers have seemingly endless pool of resources available that can be procured through web user interface or application programming interface. The customers only pay for the resources they use, allowing to scale resources up or down to meet fluctuating demand. Customers leverage cloud provider’s expertise in managing infrastructure, tools or applications. This frees-up customer resources to focus on running their business. Customers do need to rely on vendor to meet security, availability and performance SLAs. Public cloud services may be free or offered on a pay-per-usage model. Private cloud is hosted by the customer organization themselves to support their business units. It allows customers to control the type and configuration of hardware procured. The customers have complete control over security aspects of the cloud deployment. They also have greater flexibility in enforcing compliance related requirements around data ownership and privacy. The disadvantages include reduced flexibility in scaling computing resources and no cost sharing option due to single ownership. Community cloud is a multi-tenant environment that is targeted to a limited set of organizations (such as banks or investment firms). The organizations come together to share computing resources and reap benefits. The organizations typically have similar security, privacy, performance and compliance requirements. The community generally restricts participants from the same industry or with similar needs. Hybrid Cloud Enterprises typically use hybrid cloud option, which is a combination of above three cloud deployment options viz. public cloud, private cloud and community cloud satisfying the unique needs of each enterprise. A best practice is to use public cloud as much as possible to get all benefits of cloud computing like rapid elasticity and cost sharing but leverage the private cloud where security and privacy needs are too high. 
• #8: Time: 5 Mins
• #9: Insights into weak security controls for cloud workloads, unsafe firewall settings, unencrypted volumes and indicators of compromise such as suspicious traffic lead to faster detection while McAfee ePolicy Orchestrator (McAfee ePO) or DevOps tools enable quick remediation.  So why do customers buy our server and cloud workload security? Because it solves the key challenges that I mentioned at the beginning of my presentation: Instantly discover all servers and cloud workloads and then apply proper security policies Comprehensive protection including dynamic whitelisting which protects from unknown threats and change control to meet regulatory compliance needs. Performance-optimized server security across physical, virtualized and cloud deployments. End-to-end visibility and security across all deployments More details --------- Instant Discovery and Control Provide Datacenter Connectors to import virtual machines from VMware vSphere & OpenStack Cloud Workload Discovery for AWS and Microsoft Azure offer full visibility into infrastructure, workloads, traffic and threats Security posture assessment of AWS security groups to identify unsafe firewall, encryption and anti-malware settings Encryption of Amazon EBS McAfee ePO provides end-to-end visibility and security across all deployments Comprehensive Protection Unique combination of intrusion prevention, blacklisting, white listing, and change control Optional local reputation intelligence and sandbox testing Cloud Workload Discovery offers visibility, assessment and remediation for compute, storage, and network.  It provides 3 main capabilities - #1 Discovery of weak security controls for VMware, OpenStack, AWS and Microsoft Azure, #2 Platform Security Audit including firewall and encryption settings for AWS and Microsoft Azure, #3 Traffic & Network threat Visibility for AWS. These insights lead to faster detection while McAfee ePO or DevOps tools enable quick remediation. Instant discovery and control discover and monitor workloads and threats for continuous and consistent protection Comprehensive protection from advanced threats with whitelisting and change control to comply with laws and regulations
• #10: Elements in our suites work together to deliver comprehensive security and protect against memory buffer overflow attacks on Windows 32- and 64- bit systems. ENS Threat Prevention for cloud servers ENS Firewall for Linux and Windows—prevents malware from entering and propagating cloud servers Host-Based Intrusion Protection—safeguards against complex security threats Application Control—dynamic whitelisting with lower operational overhead than legacy techniques Integrity Monitoring (Change Control)—continuous detection of system-level changes across distributed and remote locations Data Protection—ensuring cloud volumes are encrypted. Optional add-ons: McAfee Threat Intelligence Exchange—shares local reputation intelligence across security solutions for layered security protection and to instantly identify and combat the ever-increasing unique malware samples. McAfee Advanced Threat Defense—analyzes the behavior of unknwn applications in a sandbox and automatically immunizes infected endpoints. We partner with Rapid7 for vulnerability management. Rapid7’s Nexpose solution discovers and prioritizes vulnerabilities and confirms when exposures are fixed. Suites are designed to provide comprehensive security across both Windows and Linux environments. We also make sure that our software is deployable and configurable using DevOps-friendly tools including Puppet Labs, Chef, and OpsWorks. Seamlessly integrating with the tools you already use makes it easier and less costly to achieve comprehensive cloud security.
• #11: Cloud security can be complicated because there are a lot of different cloud workloads with unique risk profiles and security requirements. Cloud Workload Discovery’s policy-driven assessment makes it easy to determine exactly what security controls these diverse workloads require versus what they actually have to ensure adequate protection and compliance. Once you've discovered security risks, you can move to complete protection in just a few clicks. Cloud Workload Discovery’s integration with McAfee ePO™ management console gives organizations effective control across all of their physical, virtual and cloud environments and across all critical security solutions. With this integration, security experts and administrators can use a single management platform to address threat alerts and enforce policies with simplified workflows, reducing the time to identify and resolve security issues. Cloud Workload Discovery offers visibility, assessment and remediation for compute, storage, and network.  It provides 3 main capabilities - #1 Discovery of weak security controls for VMware, OpenStack, AWS and Microsoft Azure, #2 Platform Security Audit including firewall and encryption settings for AWS and Microsoft Azure, #3 Traffic & Network threat Visibility for AWS. These insights lead to faster detection while McAfee ePO or DevOps tools enable quick remediation.
• #13: Speaker Note: This slide addresses the technologies that find Attack Behavior, as explained in the approach to signature-less protection slide Emulation - GAM(Browser) No other vendor has this type of capability integrated inline on an IPS This engine, in real time, emulates real browser environments to give a quick test of a suspicious inbound web conent. This is similar to sandboxing, but uses much more lightweight ‘emulated’ environment (instead of real runtime environments) and analysis. This is one of the main reasons that Network Security Platform scored 99% block rate of malware with AV-Test. All without signatures. Deep File Analysis - JavaScript/Adobe PDF/Adobe Flash Other vendors do not do anything like this, and don’t even have an Adobe flash engine. Sourcefire, with the closest capability to this, allows operators to filter PDF files, automatically dropping any PDF file with JavaScript. This pre-supposes that all JavaScript in PDFs is bad, which is far from the truth Deep File Analysis are dedicated inspection engines that go deep on analysis of inbound files. They focus on the most common file formats attackers love to use to deliver malicious payloads: - Javascript hidden in Adobe PDF Malicious scripts hidden in Adobe flash These inspect engines use lightweight emulation and heuristic analysis to identify any malicious behaviour hidding in the files…before they detonate on the endpoint. Bad files can be blocked…all without signatures. Sandboxing – Dynamic Analysis (via Advanced Threat Defense) Many vendors claim sandboxing technologies, but not all are created equal. Dynamic Analysis is common across all, but when paired with Static Code below, McAfee differentiates The process of putting a file into a sandbox and letting it run and analyze is called Dynamic Anlaysis. Dynamic analysis is a safe way to analyze the behavior of a suspect file. No signatures are needed – conviction as malware is done solely on the basis of observed behavior. And while a good method for detecting malware, it’s only based on what the sandbox actually observes. So while good, it’s not good enough for today’s stealthy malware. Sandboxing – Static Code Analysis (via Advanced Threat Defense) No other vendor can claim this deep and comprehensive of analysis in a sandbox The addition of full static code analysis to sandboxing provides detailed malware classification information and broadens protection against highly camouflaged, evasive threats and allows identification of associated malware leveraging code re-use. Delayed or contingent execution paths, often not executed in a dynamic environment, can be detected through unpacking and full Together, static code and dynamic analysis provide a complete evaluation and detailed information such as behavior summary, malware severity, malware family associations, execution paths, and percentage of code executed during dynamic analysis.
• #15: McAfee Virtual Probes
• #16: Here is a quick look at the comprehensive layout of the DLP solution. Endpoint and Network Data Protection is what organizations have been using for quite a while. But now the real question is how to organizations extend these capabilities out to the cloud environment. McAfee does this with McAfee Cloud Data Protection. This is a cloud-based solution that allows an organization to leverage existing policies, and synchronize policies from the endpoint to the cloud, and leverage these same policies against sensitive data stored in cloud applications. This is McAfee’s new CASB technology. You can see McAfee DLP offers solution at every egress point whether its at the endpoint, in storage or on the network. Please note that McAfee DLP does NOT have to work with McAfee Email or Web Gateway, it can work with any email and web gateways.
• #17: Three overarching challenges continue to drive security strategies: an expanding and increasingly complex attack surface growing time pressure fewer resources relative to the growth of the problem When we compound these factors with the already growing labor shortfall, there’s an urgent need for efficiency. We need to resolve more risk, faster and with fewer resources to scale to our growing security challen ------------- Increasing Complexity: With IoT there is exponential growth in data and devices: 200B connected devices by 2020 - Intel forecast ; 200B smart objects / 7.6B estimated population in 2020 = 26 smart objects per capita There is a strong trend towards “Shift to cloud”. This erodes visibility and control thus resulting into complexity. Security environment is becoming more fragmented. 70-90% of malware samples detected were unique to the organizations they were targeting. This creates a huge challenge for organizations. Time becomes extremely important in this complex situation It takes a large organization an average of 31 days at a cost of $20,000/day to clean up and remediate after a cyber-attack. Average total price tag for a data breach now approaching $640,000. (Ponemon 2014) In 60% of cases, attackers are able to compromise an organization within minutes. (2015 Verizon DBIR) Rising Security needs and growing product complexity, resulting in shortage of qualified security talent Staffing and skills shortages were the #1 impediment to effective incident response expressed by 66% of organizations surveyed by SANS Institute in mid-2015. (SANS Institute Incident Response survey, 2015) With 50+ security tools in use within many large companies, this fragmented, patchworked IT security environment leads to gaps in protection and decreased visibility resulting in increased time and manual processes associated with exploit-to-discovery-to-remediation. (Verizon DBIR 2014 & Intel Security) Increasing Complexity = Expanding attack surface: Billions of connected devices and a paradigm shift to the cloud, resulting in an increased number of threats Time imperative = Golden Hour of response: Increased attacker sophistication and rising cost of breaches, resulting an a need to detect and respond to threats faster Resource Constraints = Talent Shortage: Rising Security needs and growing product complexity, resulting in shortage of qualified security talent
• #18: Most attempts at cross-technology data integration and unification to date have been disjointed and API-based. Around the industry, tactical alliances based on 1:1 integration models are typically negotiated between small vendors, and despite the efforts put forth – the integrations are brittle, expensive and overall visibility remains fragmented.   So far, McAfee has delivered the best ecosystem example with the Security Innovation Alliance program. More than 130 partners work with ePO and ESM APIs, but this effort takes significant work to implement and maintain. While we have the scope and commitment to succeed, we know that each product change requires testing and updates by vendors and customers. We have seen a better way. McAfee is building on its industry leadership and changing the model entirely with the delivery of the data exchange layer . This standardized integration and communication layer provides a collaborative “fabric” for all products—both from Intel Security and from partners who become DXL-ready—to share insights and communicate regardless of their underlying proprietary architecture. The collaborative fabric is an elegant  approach that dramatically simplifies and streamlines integrations, while encouraging open vendor participation. The increased speed, agility and scalability realized from the DXL-enabled fabric provides the foundation for holistic visibility across the IT landscape.    A primary benefit of this  new collaborative fabric (DXL) is central to the ability to improve the clarity (contextual awareness and visibility) within organizations.   The security management business unit now leverages DXL to connect advanced and contextual intelligence analytics in the McAfee Threat Intelligence Exchange with the aggregation, correlation, and data analytics horsepower of the McAfee Enterprise Security Manager to turn raw data into actionable intelligence.  
• #19: Most attempts at cross-technology data integration and unification to date have been disjointed and API-based. Around the industry, tactical alliances based on 1:1 integration models are typically negotiated between small vendors, and despite the efforts put forth – the integrations are brittle, expensive and overall visibility remains fragmented.   So far, McAfee has delivered the best ecosystem example with the Security Innovation Alliance program. More than 130 partners work with ePO and ESM APIs, but this effort takes significant work to implement and maintain. While we have the scope and commitment to succeed, we know that each product change requires testing and updates by vendors and customers. We have seen a better way. McAfee is building on its industry leadership and changing the model entirely with the delivery of the data exchange layer . This standardized integration and communication layer provides a collaborative “fabric” for all products—both from Intel Security and from partners who become DXL-ready—to share insights and communicate regardless of their underlying proprietary architecture. The collaborative fabric is an elegant  approach that dramatically simplifies and streamlines integrations, while encouraging open vendor participation. The increased speed, agility and scalability realized from the DXL-enabled fabric provides the foundation for holistic visibility across the IT landscape.    A primary benefit of this  new collaborative fabric (DXL) is central to the ability to improve the clarity (contextual awareness and visibility) within organizations.   The security management business unit now leverages DXL to connect advanced and contextual intelligence analytics in the McAfee Threat Intelligence Exchange with the aggregation, correlation, and data analytics horsepower of the McAfee Enterprise Security Manager to turn raw data into actionable intelligence.  
• #20: TIE is an optional module that is available which like ENS 10, uses our data exchange layer to communicate with your endpoint defenses. It is a combination of Intel and third party feeds that offers visibility across network, gateway endpoint and cloud-based countermeasures and threat intelligence. Accessing the latest information is easy thanks to its centralized visibility and control where incident response and local intelligence resources are available. TIE complements ENS 10 because it is able to be integrated easily with it and collaborate with the ENS 10 modules using it’s real time insights to inform actions against new and emerging threats