The presentation provides the following:
- McAfee Company Overview
- McAfee Strategy
- McAfee Portfolio Overview
- Endpoint Security Challenges
- McAfee Endpoint Protection Platform
- McAfee Active Response Overview
- McAfee Active Response Features
- McAfee Active Response Architecture
- McAfee Active Response Workflow
- McAfee Active Response Licenses & Packaging
Please note that all information is current as of August 2019 or earlier.
McAfee Active Response
Endpoint Detection & Response
Iftikhar Ali Iqbal, CISSP, CCSP, CISM
https://www.linkedin.com/in/iftikhariqbal/
Valid till Aug 2019
MCAFEE: OVERVIEW
• Founded in 1987
• Headquartered in California, United States
• Provides Software and Services
• Focus is on Consumer and Enterprise Security
• 125,000+ Corporate Customers
• 120 Countries
• 217+ Innovation Alliance Partners
• 800+ Security Patents
• On April 4, 2017, McAfee began operating as a new standalone company (spun back out of Intel).
• Solution Offering:
  • Cloud Security
  • Device Security
  • Network Security
  • Pervasive Data Protection
  • Intelligent Security Operations
MCAFEE: STRATEGY
Portfolio Strategy: An Integrated And Open Security System
Threat Defense Lifecycle: Together, Is Far More Powerful Than Sum Of The Parts
[Diagram: portfolio layers shown as Security Operations; Device; Cloud; Management; Threat Intelligence; Analytics; Automation / Orchestration; Infrastructure]
MCAFEE: TACTICAL OVERVIEW
[Diagram: the same layers (Security Operations; Device; Cloud; Management; Threat Intelligence; Analytics; Automation / Orchestration; Infrastructure) populated with the product capabilities below]
Product capabilities shown:
• Endpoint Protection
• Endpoint Detection and Response
• Enforcement Controls
• File Integrity Monitoring
• Advanced Threat Protection
• Encryption
• Data Loss Prevention
• Cloud Workload Protection
• Cloud Access Security Broker
• Web Gateway Service
• Intrusion Prevention System
• Advanced Threat Protection
• Server Protection
• Advanced Threat Protection
• Database Security
• Mail Server Security
• Storage Security
• Secure Web Gateway
• Intrusion Prevention System
Threat intelligence sources shown: Local Threat Intelligence, Global Threat Intelligence, Skyhigh Threat Intelligence
Also shown: Security Information and Event Management, User and Entity Behavior Analytics, Incident Response and Remediation
ENDPOINT SECURITY: CHALLENGES
Accuracy: Detecting and preventing advanced threats
Complexity: Adding new defenses in the future increases management problems
Visibility: Preventing deep investigations to aid in recovery
Sustainability: Causing manual processes and delaying responses
ACTIVE RESPONSE: EDR
‘The EDR market is defined as solutions that record and store endpoint-system-level behaviors and events, such as user, file, process, registry, memory and network events. Multiple detection techniques are then used to continually search the stored data to detect security events that require human intervention to respond rapidly.’
Source: Market Guide for Endpoint Detection and Response Solutions, 9 November 2017, Peter Firstbrook
‘By 2021, endpoint protection platforms (EPPs) will provide automated, orchestrated incident investigation and breach response. Separate, stand-alone endpoint detection and response (EDR) solutions will focus on managed security service provider (MSSP) and large enterprise security operations center (SOC) environments.’
Source: Magic Quadrant for Endpoint Protection Platforms, 24 January 2018, Ian McShane, Avivah Litan, Eric Ouellet, Prateek Bhajanka
ACTIVE RESPONSE: FEATURES
COLLECTORS: Find and visualize data from your endpoints. Search for files, network flows, registry and process mapping.
REACTIONS: Hunt and kill threats. Hunt for file hashes and endpoints connected to a specific IP; kill processes, remove files, etc.
TRIGGERS: Continuously monitor a critical event. Initiate an action beforehand for future threats.
INTEGRATION: Leverage Data Exchange Layer (DXL) to communicate with other products.
Reduce risk and response time.
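The collector / trigger / reaction split above is the general shape of any EDR pipeline: collectors normalise endpoint telemetry, triggers are conditions evaluated continuously against that telemetry, and reactions are the actions fired when a condition holds. The following is an added illustration of that pattern written for this page; it is not McAfee Active Response code, the event fields, trigger definitions and reaction names are assumptions chosen for the example, and the telemetry and indicators (a file hash and an IP from the RFC 5737 documentation range) are constructed inline. Reactions here only record what would be done, which is also how you would dry-run a trigger before enabling it.

```python
"""Toy collector / trigger / reaction pipeline (added example, not vendor code).
Event shape, trigger syntax and reaction names are assumptions for illustration."""
from dataclasses import dataclass, field
from typing import Callable, Iterable, Iterator, List

# --- Collectors: normalise raw endpoint telemetry into one event shape -------

@dataclass(frozen=True)
class Event:
    host: str
    kind: str           # "process", "file" or "netflow"
    attrs: dict = field(default_factory=dict)

# Constructed sample telemetry, as a collector might report it.
SAMPLE_TELEMETRY = [
    {"host": "ws-01", "kind": "process", "pid": 4120,
     "image": r"C:\Temp\upd.exe", "sha256": "b" * 64},
    {"host": "ws-01", "kind": "netflow", "pid": 4120,
     "dst_ip": "203.0.113.7", "dst_port": 443},
    {"host": "ws-02", "kind": "process", "pid": 788,
     "image": r"C:\Windows\System32\notepad.exe", "sha256": "a" * 64},
    {"host": "ws-02", "kind": "file",
     "path": r"C:\Users\x\Downloads\inv.pdf.exe", "sha256": "b" * 64},
]

def collect(raw: Iterable[dict]) -> Iterator[Event]:
    """Turn raw collector records into Event objects (host/kind split out)."""
    for record in raw:
        record = dict(record)
        yield Event(host=record.pop("host"), kind=record.pop("kind"), attrs=record)

# --- Triggers: a condition evaluated continuously, paired with a reaction -----

@dataclass(frozen=True)
class Trigger:
    name: str
    condition: Callable[[Event], bool]
    reaction: str       # name of the reaction to run when the condition holds

# Constructed indicators for the example (not real IoCs).
WATCHED_HASHES = {"b" * 64}
WATCHED_IPS = {"203.0.113.7"}

TRIGGERS = [
    Trigger("known-bad-hash-executed",
            lambda e: e.kind == "process" and e.attrs.get("sha256") in WATCHED_HASHES,
            "kill_process"),
    Trigger("known-bad-hash-on-disk",
            lambda e: e.kind == "file" and e.attrs.get("sha256") in WATCHED_HASHES,
            "remove_file"),
    Trigger("connection-to-watched-ip",
            lambda e: e.kind == "netflow" and e.attrs.get("dst_ip") in WATCHED_IPS,
            "isolate_host"),
]

# --- Reactions: in this simulation they only record the intended action ------

def react(reaction: str, event: Event) -> dict:
    """Return a record of the action that would be taken for this event."""
    if reaction == "kill_process":
        return {"action": reaction, "host": event.host, "pid": event.attrs["pid"]}
    if reaction == "remove_file":
        return {"action": reaction, "host": event.host, "path": event.attrs["path"]}
    if reaction == "isolate_host":
        return {"action": reaction, "host": event.host}
    raise ValueError(f"unknown reaction {reaction!r}")

def run(raw: Iterable[dict], triggers: List[Trigger]) -> List[dict]:
    """Evaluate every trigger against every collected event and return the
    reactions that fired, in event order, tagged with the trigger name."""
    fired = []
    for event in collect(raw):
        for trig in triggers:
            if trig.condition(event):
                fired.append({"trigger": trig.name, **react(trig.reaction, event)})
    return fired

if __name__ == "__main__":
    for action in run(SAMPLE_TELEMETRY, TRIGGERS):
        print(action)
```

Running it against the constructed telemetry fires three reactions: the process with the watched hash on ws-01, the outbound connection from that host to the watched IP, and the same hash found on disk on ws-02; the unrelated notepad.exe start fires nothing. Keeping reactions as a recorded intent rather than an immediate side effect is what lets a trigger be tested against historical data before it is allowed to act.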
ACTIVE RESPONSE: ARCHITECTURE
[Diagram: components shown]
• ePolicy Orchestrator
• Data Exchange Layer
• Advanced Threat Defense (Malware Analysis)
• Threat Intelligence Exchange
• McAfee Cloud Services
• McAfee Linux OS
• McAfee Agent on Endpoints, Physical Servers and Virtual Servers, each running Endpoint Security, Adaptive Threat Protection and Active Response
ACTIVE RESPONSE: HOW IT WORKS
[Diagram: ePolicy Orchestrator, Threat Intelligence Exchange and McAfee Cloud Services, with the McAfee Agent on Endpoints, Physical Servers and Virtual Servers running Endpoint Security, Adaptive Threat Protection and Active Response; steps numbered 1 to 4]
1. McAfee Active Response sends data to the cloud
2. McAfee ePO receives data from the cloud
3. Perform in-depth investigation in McAfee ePO
4. TIE updates the reputation of the threat
ACTIVE RESPONSE: LICENSING AND PACKAGING
Suites:
• Complete Endpoint Protection (CEB)
• Complete Endpoint Threat Protection (CTP)
• Endpoint Threat Defense & Response (EDR)
Components shown across the suites:
• Endpoint Security
• Adaptive Threat Protection
• Device Control
• Application Control
• Encryption
• Threat Intelligence Exchange
• Active Response
• ePolicy Orchestrator
ACTIVE RESPONSE: SUMMARY
A single pane for investigation, prioritization, genealogy, reputation, historical behavior, and response over potential threats.
Workflows: Single view to see, investigate, and take action on threats
Visibility: A view into suspicious behaviors across all Endpoints
Investigate: Analyze timelines and live searches to find threats
Action: One click stops threats & updates protection on all Endpoints
Simplify: View operational status of all Endpoint threat defense services