2012-12-12 Seminar McAfee Risk Management
- 1. Risk Management
Fix what matters most… first
Drs. René Pieëte, CISSP
Senior SE Manager Northern Europe
December 12th, 2012
- 2. Current Threat Landscape
Headlines shown on the slide:
“TJ MAXX’s $1 billion data breach”
• PlayStation breach called one of the largest ever; Sony should have alerted customers sooner, some say
• TJ MAXX: first large database breach, 45 mln. credit card records stolen
• Biggest breach so far: over 150 mln. credit card records stolen
• Security leak in MySQL easy to use; huge amount of exploits expected by security experts (CVE-2012-2122)
• 50% of EMEA healthcare organizations unaware of security threats
• McDonald's and Walgreens: email addresses, birth dates stolen by hackers
• Lockheed strengthens network security after hacker attack
• Hackers get Symantec anti-virus source code
- 3. The Need
Companies struggle to determine where to
focus security efforts
Threats increasing at an alarming rate
97% of organizations lack visibility into risk posture
- 6. Risk & Compliance: Diagnose
DISCOVER
• Automatic asset discovery
• Comprehensive and customized views
ASSESS
• Uncover vulnerabilities
• Audit configurations and policies
QUANTIFY RISK
• Real-time risk profile
• Address highest risks to optimize protection and minimize cost
• Eliminate disruption to critical business apps
- 7. McAfee Vulnerability Manager
DIAGNOSE MANAGE PROTECT
• Agentless vulnerability scanner with the broadest set of checks of any in the market (>40,000 and growing)
• Automatic asset discovery includes a dozen techniques to find everything
• Scalable to millions of IP addresses
• Detects over 437 operating system types
• False positives next to zero
• Credentialed and non-credentialed scanning
• Open database allows unparalleled access to vulnerability data
• Integration with McAfee products and your applications via an open API
• Deployment options include appliance, software, virtual, and SaaS
- 8. MVM for Web Apps
• Web Application Scanner fully integrated into MVM assets and workflow
• Web app discovery/crawl and map; sitemap report
• Scanning covers OWASP, PCI, CWE
• Capable of authenticating and scanning protected web applications
• Web scan configurations (entry URLs, exclude URLs, etc.) and credential sets
• Meaningful reports: request made, injection point, response given
• “Safe mode” scanning
- 9. MVM for Databases
• Over 4,300 vulnerability checks:
  Patch levels, weak passwords, configuration baselining (CIS/STIG)
  Backdoor detection, sensitive data discovery (PII, SSN, etc.)
  Vulnerable PL/SQL code, unused features, custom checks
• Reports in countless formats according to stakeholders: DBA, developers, InfoSec, audit
• Fully managed from ePO
- 11. McAfee Policy Auditor
• Agent-based audit automation against regulations, standards, and best practices:
  PCI, SOX, HIPAA, FISMA
  ISO, COBIT
  CIS, DISA, FDCC, STIG
• Broad Win/UNIX/Linux/Mac support
• Supports industry-standard SCAP and its supporting protocols (CVE, CPE, CCE, OVAL, XCCDF, CVSS)
• Integration with MVM for agentless SCAP scanning
• PA Content Creator
• Gold system baselining
• ePO integration
- 12. Risk & Compliance: Protect
ENFORCE
• Enforce policies
• Real-time change monitoring
• Prevent compliance drift by enforcing policies and configurations
DENY ACCESS
• Deny unauthorized access
• Dynamic Application Whitelisting
• Zero-day protection
• Protection for embedded systems
CONTROL
• Increase control and visibility
• Improve system integrity, availability and performance
• Reduce operating expense
- 13. McAfee Application Control
• Dynamic Whitelisting prevents unauthorized applications from running:
  An application attempts to launch (could be an executable or an OS component)
  MAC (McAfee Application Control) verifies the binary against the whitelist
  If the binary is not in the whitelist, the program is not launched
  The attempt is logged for alerts and auditing
• Memory Protection (three different types) protects against known and unknown buffer overflow attacks
• Image deviation allows customers to compare their deployed images to a desired standard image with on-demand reporting
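The launch-time decision described above, as an added illustration written for this page rather than McAfee Application Control's own code: the whitelist is keyed by the SHA-256 of the binary's content (so a replaced file at a trusted path fails the check), every attempt is written to an audit log, and only whitelisted binaries are allowed to run. The sample "binaries", paths and log field names are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample "binaries" (path -> content). In a real deployment the
# whitelist is built from the files on a known-good ("gold") system.
KNOWN_GOOD = {
    "C:/Program Files/Acme/acme.exe": b"MZ\x90\x00acme-release-1.0",
    "C:/Windows/System32/svchost.exe": b"MZ\x90\x00svchost-genuine",
}


def build_whitelist(binaries):
    """Whitelist keyed by SHA-256 of the content, not by path, so a replaced
    or tampered file sitting at a trusted path does not pass the check."""
    return {hashlib.sha256(data).hexdigest(): path for path, data in binaries.items()}


def check_launch(path, content, whitelist, audit_log, now=None):
    """Launch-time decision: allow only if this exact binary is whitelisted.
    Every attempt, allowed or blocked, is appended to audit_log so denials
    can drive alerts and the log can be reviewed during an audit."""
    digest = hashlib.sha256(content).hexdigest()
    allowed = digest in whitelist
    audit_log.append({
        "time": (now or datetime.now(timezone.utc)).isoformat(),
        "path": path,
        "sha256": digest,
        "action": "ALLOW" if allowed else "BLOCK",
        "reason": "hash in whitelist" if allowed else "hash not in whitelist",
    })
    return allowed


def demo():
    """Three launch attempts: genuine binary, unknown program, tampered binary."""
    whitelist = build_whitelist(KNOWN_GOOD)
    log = []
    results = {
        # genuine binary at its normal path
        "genuine": check_launch("C:/Program Files/Acme/acme.exe",
                                KNOWN_GOOD["C:/Program Files/Acme/acme.exe"], whitelist, log),
        # unknown program that appeared in a user-writable directory
        "unknown": check_launch("C:/Users/Public/update.exe",
                                b"MZ\x90\x00unknown-program", whitelist, log),
        # trusted path, but the content no longer matches the whitelisted build
        "tampered": check_launch("C:/Windows/System32/svchost.exe",
                                 b"MZ\x90\x00svchost-modified", whitelist, log),
    }
    return results, log


if __name__ == "__main__":
    results, log = demo()
    for event in log:
        print(json.dumps(event))
```

The third case is the one worth noticing: the path is trusted, but because the whitelist is content-based the modified file is blocked and the block shows up in the log with the hash of what actually tried to run.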
- 14. McAfee Change Control
• Integrity Monitoring alerts on critical and unauthorized changes
• File Integrity Monitoring provides real-time tracking across Win/UNIX/Linux
• Change Reconciliation tracks changes to their corresponding Change Requests within Remedy
• Change Prevention selectively prevents out-of-policy changes and logs any attempted out-of-policy change
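File integrity monitoring plus change reconciliation, as an added example that is not the product's code: a baseline of file hashes is compared with a later scan, and each detected change is matched against approved change tickets (the slide names Remedy as the ticketing source; here the tickets, file contents and timestamps are constructed in memory). Changes with no covering ticket are reported as unauthorized.

```python
import hashlib
from datetime import datetime
from fnmatch import fnmatch

# Constructed in-memory snapshots (path -> content) standing in for two scans
# of one host; a real monitor reads the files from disk or hooks the filesystem.
BASELINE_FS = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/usr/sbin/sshd": b"\x7fELF sshd build 8.9",
}
CURRENT_FS = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\nPort 2222\n",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\nsvc:x:1001:1001::/home/svc:/bin/bash\n",
    "/usr/sbin/sshd": b"\x7fELF sshd build 8.9",
    "/etc/cron.d/nightly-job": b"0 2 * * * root /opt/jobs/run.sh\n",
}
# Constructed approved change tickets: path pattern plus the approved window.
CHANGE_REQUESTS = [
    {"id": "CHG-0001", "pattern": "/etc/ssh/*",
     "start": "2012-12-12T08:00:00", "end": "2012-12-12T12:00:00"},
]


def snapshot(fs):
    """Baseline: SHA-256 per monitored file."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in fs.items()}


def diff_snapshots(baseline, current):
    """List (path, kind) for every added, removed or modified file."""
    changes = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            changes.append((path, "removed"))
        elif path not in baseline:
            changes.append((path, "added"))
        elif baseline[path] != current[path]:
            changes.append((path, "modified"))
    return changes


def reconcile(changes, change_requests, observed_at):
    """Match each change to an approved ticket covering that path at that time;
    anything unmatched is reported as unauthorized."""
    when = datetime.fromisoformat(observed_at)
    report = []
    for path, kind in changes:
        ticket = next(
            (cr["id"] for cr in change_requests
             if fnmatch(path, cr["pattern"])
             and datetime.fromisoformat(cr["start"]) <= when <= datetime.fromisoformat(cr["end"])),
            None,
        )
        report.append({"path": path, "change": kind,
                       "status": "approved" if ticket else "unauthorized",
                       "ticket": ticket})
    return report


def demo(observed_at="2012-12-12T09:30:00"):
    """Scan, diff against the baseline and reconcile at the given time."""
    changes = diff_snapshots(snapshot(BASELINE_FS), snapshot(CURRENT_FS))
    return reconcile(changes, CHANGE_REQUESTS, observed_at)


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The sshd_config edit reconciles to CHG-0001; the new account in /etc/passwd and the new cron entry have no ticket and surface as unauthorized, which is the alert the slide's "critical and unauthorized changes" bullet refers to. Running the same reconciliation outside the ticket's window makes the sshd_config edit unauthorized too.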
- 15. McAfee Database Activity Monitoring
• “Inside Out” protection leveraging a unique memory-based, read-only sensor:
  Just another process at OS level
  No kernel changes or reboots
  No database packages or scripts
  High performance, zero latency
• Full segregation of duties and audit trails: DBA, sysadmins, InfoSec
• Optimized for virtualization & cloud:
  Memory-based monitoring sees VM-to-VM traffic
  Agent-based model supports distributed/cloud environments
• Virtual Patching (vPatch) protects against known and unknown attacks without downtime or code changes until you can patch
- 16. McAfee Risk Advisor
• Correlates vulnerabilities, global threat data, and countermeasures
• Improves security effectiveness using risk scores and ROI of deployed security products
• Enables risk-based approach to critical patching decisions
• Fully customizable IT Risk Dashboards
• Rule driven alerts
• “What If” Analysis for new countermeasures
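A countermeasure-aware risk score of the kind the slide describes, as an added worked example and not McAfee Risk Advisor's actual model: each asset's residual risk is its business criticality times the summed exposure of its vulnerabilities, where exposure is the CVSS-derived severity, raised when the threat feed reports active exploitation and lowered by the coverage of countermeasures already deployed. A "what-if" function scores a countermeasure before it is rolled out, and a rule alerts on assets above a threshold. The inventory, CVSS values, threat multiplier and per-product coverage fractions are all constructed assumptions.

```python
# Constructed inventory. Each asset carries a business criticality (1..5), its
# open vulnerabilities as (id, CVSS base score, attack class) and the
# countermeasures deployed on it. Scores, classes and coverage values are
# assumptions for the illustration, not vendor data.
ASSETS = {
    "db-prod-01": {"criticality": 5,
                   "vulns": [("VULN-A", 9.0, "remote"), ("VULN-B", 5.0, "local")],
                   "countermeasures": {"AV"}},
    "web-dmz-02": {"criticality": 4,
                   "vulns": [("VULN-A", 9.0, "remote")],
                   "countermeasures": {"AV", "NSP", "HIPS"}},
    "lab-test-07": {"criticality": 1,
                    "vulns": [("VULN-A", 9.0, "remote"), ("VULN-C", 7.5, "memory")],
                    "countermeasures": set()},
}
# Constructed threat feed: multiplier for vulnerabilities seen exploited in the wild.
THREAT_FEED = {"VULN-A": 2.0}
# Assumed coverage: fraction of exposure each countermeasure removes per attack class.
COVERAGE = {
    "NSP": {"remote": 0.6},
    "HIPS": {"memory": 0.7, "local": 0.3},
    "MAC": {"local": 0.8, "memory": 0.5},
    "AV": {"local": 0.2},
}


def exposure(cvss, attack_class, countermeasures):
    """Residual exposure of one vulnerability after deployed countermeasures."""
    factor = cvss / 10.0
    for cm in countermeasures:
        factor *= 1.0 - COVERAGE.get(cm, {}).get(attack_class, 0.0)
    return factor


def residual_risk(asset):
    """Criticality-weighted sum of threat-adjusted exposures."""
    total = 0.0
    for vuln_id, cvss, attack_class in asset["vulns"]:
        total += exposure(cvss, attack_class, asset["countermeasures"]) * THREAT_FEED.get(vuln_id, 1.0)
    return round(asset["criticality"] * total, 6)


def rank_assets(assets):
    """Assets ordered from highest to lowest residual risk."""
    return sorted(((name, residual_risk(a)) for name, a in assets.items()), key=lambda x: -x[1])


def what_if(assets, name, new_countermeasure):
    """Risk reduction from adding a countermeasure, without modifying the inventory."""
    before = residual_risk(assets[name])
    trial = dict(assets[name], countermeasures=assets[name]["countermeasures"] | {new_countermeasure})
    return round(before - residual_risk(trial), 6)


def alerts(assets, threshold):
    """Rule: alert on any asset whose residual risk exceeds the threshold."""
    return [name for name, score in rank_assets(assets) if score > threshold]


if __name__ == "__main__":
    for name, score in rank_assets(ASSETS):
        print(f"{name:12s} {score:6.2f}")
    print("what-if NSP on db-prod-01:", what_if(ASSETS, "db-prod-01", "NSP"))
    print("alerts above 5.0:", alerts(ASSETS, 5.0))
```

The ordering is the point of the slide: the lab box carries the same actively exploited vulnerability as the production database, but its low criticality keeps it at the bottom, while the DMZ web server's NSP coverage pulls it well below the unprotected database. The what-if shows that adding NSP to the database would cut its score from 11.0 to 5.6, a larger gain than the same budget spent elsewhere.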
- 17. COUNTERMEASURE AWARE Risk Management
[Diagram: McAfee Risk Advisor combines the GTI threat feed (threats shown: Stuxnet, Conficker, Aurora) with vulnerabilities, system state (configuration, patch level, applications, critical systems) and deployed countermeasures (AV, HIPS, NSP, MAC) into a risk rating from LOW to HIGH.]