The presentation provides the following: - McAfee Company Overview - McAfee Strategy - McAfee Security Operations Overview - Security Operations Challenges - ESM Overview - ESM Components - ESM Architecture - ESM Architecture - Large Customer Sample - ESM Integrations - ESM Use Cases - Sample - ESM Incident Scenario - Sample - ESM - Security Operations Please note all the information is based prior to Jan 2020.

1. McAfee Enterprise Security
Manager (ESM)
Security Information & Event Management (SIEM)
Iftikhar Ali Iqbal, CISSP, CCSP, CISM
https://www.linkedin.com/in/iftikhariqbal/
Valid till Jan 2020

2. 2
AGENDA
Target
Partners &
RTM
1
2
3
Company Overview
Security Operations
Enterprise Security Manager (ESM)
4 Use Cases / Scenarios

3. OVERVIEW
Company and Portfolio

4. 4
SOLUTIONS
SERVICES
OPEN
ARCHITECTURE
BRIEF
McAfee – the device-to-cloud
cybersecurity company – is one of the
largest pureplay cybersecurity companies
in the world, with 30+ years of market
leadership and 1,550+ patents worldwide.
CASB Connect
OpenDXL
MCAFEE: OVERVIEW

5. 5
Portfolio Strategy
An Integrated And Open Security System
Threat Defense Lifecycle
Together, Is Far More Powerful Than Sum Of The Parts
SECURITY
OPERATIONS
DEVICE CLOUD
MANAGEMENT
THREAT INTELLIGENCE
ANALYTICS
AUTOMATION / ORCHESTRATION
INFRASTRUCTURE
MCAFEE: STRATEGY

6. 6
SIEM:
Broad Data
Collection
Advanced
Analytics:
Risk scoring, anomaly
detection
SIEM:
Long-term
Compliance, archive &
forensics
SIEM:
Real-time correlation &
detection
SIEM:
Short-term
Search & hunting
Sandboxing:
Malware Analysis
EDR:
Endpoint telemetry,
process trace
SIEM
View all alerts,
coordinate action
Investigator:
Automated analysis,
guided investigation
EDR:
Response
Collaboration with 3rd party solutions
SIA Partner and Open
Solutions
Advanced Analytics Investigate and Act
Collect, Enrich, and Share
Data at any Scale
Turn Data into Insight
Data Platform
Expert-guided Investigation for Confident
Action
ATDESMESM
MAR/M
EDR
MAR
/MEDRSIA MVISION EDR
MCAFEE: SECURITY OPERATIONS

7. 7
Time to
Identify
Time to
Investigate
Time to
Contain
Mean Time to Respond
(MTTR)
Mean Time to Detect
(MTTD)
3-15 Months
Dwell Time
SECOPS: CHALLENGE

8. ENTERPRISE SECURITY MANAGER (ESM)
Security Information & Event Management (SIEM)

9. 9
Real Time Advanced Analytics
Threat and Risk Prioritization
INTELLIGENT
INTEGRATED
ACTIONABLE
Comprehensive Security
Broad Data Collection, Including Cloud Support
Security Connected Integrations
Active and Customizable Dashboards
High Performance Data Management Engine
Ease of Operation
!
ESM: STRATEGIC OVERVIEW

10. 10
ESM: ESSENTIALS
CORRELATION
• Event Normalization
• Receiver & Advanced Correlation
• Real-Time & Historical ‘Modes’
• Rule & Risk ’Engines’
MANAGEMENT
• Dashboard Views
• Threat Management & Intelligence
• Content Packs (Use-Case Driven)
• Policies & Rules
ALARMS
• Visual and Auditory
• Text and Email
• Case Management
• Remote Commands
• Watchlist
DATA SOURCES
• Security Events
• Network Flow Data
• Multi-Vendor
• Various Types
• Multi Method

11. 11
ESM: COMPONENTS
McAfee Enterprise Security Manager
McAfee Enterprise Log Manager
McAfee Application
Data Monitor
McAfee Database Security
McAfee Advanced Correlation Engine
McAfee Event Receivers
Adaptive Risk Analysis and
Historical Correlation
Integrated SIEM & Log
Management
Rich Application and
Database Context
Scalable Collection and
Distributed Correlation
TIE/DXL SIA PartnersePO GTINSM
Connected SolutionsIntegration and
Operational Efficiency
McAfee solutions empower organizations with visibility across systems, networks, and
data, helping counter threats and mitigate risks.
Physical & Virtual
Appliances
ATDMAR

12. 12
Data Sources
Enterprise Security Manager
Application Data Monitor
Event Receiver
Advanced Correlation Engine
(Real Time)
Enterprise Log Manager
TIP
FW
SEG
DNS SEC
IPS
APT
CASB
Global
Threat Intelligence
Datacenter Security
for Databases
Advanced Correlation Engine
(Historical)
ESM: ARCHITECTURE
Enterprise Log Search

13. 13
ePolicy Orchestrator
ICAP
SMTP
DLP Monitor
DLP Discover
DLP Prevent Web
DLP Prevent Email
DLP Prevent Mobile
Mobile Device Management
Secure Web Gateway
Egress Switch
MVISION Cloud
API
Threat Intelligence Exchange +
Data Exchange Layer +
Active Response Server
Web Gateway
(Pooled)
Load Balancer
McAfee Labs
Global Threat Intelligence (GTI)
Active Response – Cloud Storage
Agent Handlers
Next-Gen Endpoint Protection
Endpoint Security
Adaptive Threat Protection
Active Response
Data Loss Prevention
Device Control
DLP Endpoint
Data Classification
Web Proxy
Client Proxy
Physical Servers Virtual Servers
McAfee Agent
Next-Gen Server Protection
Endpoint Security for Servers
Adaptive Threat Protection
Active Response
Data Loss Prevention
DLP Endpoint
Data Classification
Web Proxy
Client Proxy
HEADQUARTERS – MAIN DATA CENTER
McAfee Agent
Endpoints
Next-Gen Endpoint Protection
Endpoint Security
Adaptive Threat Protection
Active Response
Device Control
Client Proxy
McAfee Agent
Endpoints
SITE # 1
Next-Gen Endpoint Protection
Endpoint Security
Adaptive Threat Protection
Active Response
Device Control
Client Proxy
McAfee Agent
Endpoints
SITE # 2
Active Directory
Rights Management Services (RMS)
Data Classification
Enterprise Security Manager
TIP FWSEG DNS SECIPSAPT CASB
ApplicationData Monitor
Event Receiver
Advanced CorrelationEngine
Enterprise Log Manager
`
DataSources
KafkaServiceBus
Security Operations Center (SOC)

14. 14
ESM: INTEGRATIONS
OpenDXL
ePolicy Orchestrator
Advanced Threat Defense
(Malware Analysis)
Threat Intelligence Exchange
Active Response
MVISION EDR

15. USE CASES & SCENARIOS

16. 16
ESM: USE CASES
SCENARIOS MANAGEMENT MCAFEE
SOLUTIONS
THIRD
PARTY
COMPLIANCE
BASEL II
EU 8th Directive
FISMA
GLBA
CPG 13
HIPAA
ISO 27002
NERC
PCI Compliance
SOX
.
.
.
Aruba
Cofense
Interset
PhishMe
ThreatConnect
Vormetric
.
.
.
Application Control
Change Control
Application Data Monitor
Database Activity
Database Event Monitor
General
Host Intrusion Prevention
Network Security Platform
Threat Intelligence
Web Gateway
.
.
.
Executive
Case Management
Hardware Health
.
.
.
User Behavior Analytics
Suspicious Activity
Exfiltration
Reconnaissance
Asset, Threat & Risk
Authentication
Doman Name Service (DNS)
Database
Denial-of-Service (DoS)
Domain Policy
Exploit
Firewall
Malware . . .
AlarmsViews ReportsCorrelation Rules WatchlistsData Sources
(Product)

17. 17
ESM: USE CASES – User Behavioral Analytics (UBA)
• McAfee Advance Correlation Engine (ACE)
• McAfee Global Threat Intelligence
• Microsoft Windows Data Sources
DATA SOURCES / PRODUCTS
• Source User
• Risk Suspicious Geo Events
• User Behavior Events
VIEWS
• Security Groups
• Accounts Not Requiring a Password
• Accounts with Expired Password
• Computer Accounts
• Default Usernames
• .
• .
• .
WATCHLISTS
• Domain Policy x 10 Rules
• GTI x 2 Rules
• UBA x 13 Rules
• Windows Authentication x 8 Rules
CORRELATION RULES
Source User 1 Week
REPORTS
New User Logon Detected
ALARMS

18. 18
McAfee Endpoint
Security
ESM
2
DXL Fabric
3
MAR
ESM: SCENARIO – ENDPOINT INCIDENT
Identify malware activity early in the kill chain
Security
Analyst
2 ESM correlation rule alerts security analysts to possible
attack using fileless techniques
4 Analyst performs validation with ELS and logs from
web gateway
Scenario Overview
5
Analyst performs scoping with Active Response
7 Analyst uses ESM to update Cyber Defense
Countermeasures via OpenDXL
8
1 ENS logs Powershell and Blocks MimiKatz
installation
Incident Identification
Incident Investigation
Analysts pivots around events and declares
incidents
6
Incident Containment
Endpoint, Server, Cloud DNS and Network
countermeasures are updated automatically via
OpenDXL
1
Analyst performs validation with Active Response and
ATD
4 5 6
7
8 8
Perimeter
Firewall
Data Center
Firewall
McAfee vIPS
Cloud Protection
8 8
McAfee Server Security
ATDELS
8
DNS Security

19. 19
Time to
Detect
Time to
Investigate
Time to
Contain
Security
Effectiveness
Goals
Process
Efficiency
Goals
AVG 50% Process Automation with MTTR of under 10 Minutes
2 Analysts in this Use Case accessed 3 consoles only
Detection – ENS, ATP
Process Automation – 50%
Analysts – 1
Consoles - 1
Investigation – ESM, ELS, MAR and ATD
Process Automation – 25%
Analysts – 1
Consoles - 3
Containment – ESM, DXL, Third Party
Process Automation – 70%
Analysts – 1
Consoles - 1
ESM: SCENARIO - ENDPOINT RESULTS

20. 20
Modern, scalable platform
for Sec Ops
Security focus from
day one
Deep, high-quality
integrations
Modular scale-out data platform makes costs predictable
Open source Kafka message bus removes data sharing tax
Out-of-the-box use cases and analytics that require less configuration and
professional support
Innovative advanced analytics for detection and investigation assistance
Tight integrations with other McAfee products
Expansive dashboarding, automation, and orchestration with 130 SIA
partners via DXL and direct capabilities
ESM: KEY POINTS

21. 21
SECURITY OPERATIONS: OPEN & INTEGRATED
Local Threat
Intelligence
Reputation-based Protection
File and Certificates
STIX support
Collaborative Ecosystem
Data Exchange Layer
Global Threat
Intelligence (GTI)
Sec. Info. & Event Mgmt.
Integrated Log Management
Scalable Collection
Distributed Correlation
Adaptive Risk Analysis
Historical Correlation
Rich Application Context
Rich Database Context
Various Integrations
Integrations
Local Threat Intelligence
Advanced Threat Protection
Intrusion Prevention System
Endpoint Detection & Response
Security Orchestration
User & Entity Behavior
Machine Learning
User and Devices
McAfee SIEM & Non-McAfee
Remediation Actions
Incident Response
Evidence Collection
Investigation Guides
Coaching
SIEM Ingestion

22. THANK YOU