The presentation provides the following:
- McAfee Company Overview
- McAfee Strategy
- Whitelisting Strategy - Gartner
- McAfee Endpoint Protection
- McAfee Application Control (MAC) Overview
- McAfee Application Control (MAC) Modes
- McAfee Application Control (MAC) Features
- McAfee Application Control (MAC) Trust Model
- McAfee Application Control (MAC) Architecture
- McAfee Application Control (MAC) Licenses & Packaging
Please note that all the information is based on sources prior to Aug 2019.
4. Application Control
MCAFEE: OVERVIEW
• Founded in 1987
• Headquartered in California, United States
• Provides Software and Services
• Focus is on Consumer and Enterprise Security
• 125,000+ Corporate Customers
• 120 Countries
• 217+ Innovation Alliance Partners
• 800+ Security Patents
• Solution Offering:
  • Cloud Security
  • Device Security
  • Network Security
  • Data Protection and Encryption
  • Intelligent Security Operations
• Service Offering:
  • Technical Support
  • Professional Services
  • Education
MCAFEE: STRATEGY
Portfolio Strategy
An Integrated And Open Security System
Threat Defense Lifecycle
Together, Is Far More Powerful Than Sum Of The Parts
[Diagram labels: Security Operations; Device; Cloud; Management; Threat Intelligence; Analytics; Automation / Orchestration; Infrastructure]
WHITELISTING: STRATEGY
[Figure: a spectrum of files from Known Bad through Unknown to Known Good]
- Known Bad (Blacklist): Viruses, Worms, Trojans, Polymorphic, APTs, 0-Day Threats
- Unknown (Greylist): Suspicious, Custom/Local; labelled "Most Challenging"
- Known Good (Whitelist): File Inventories, Certificate, Owner, Directory, Reputation
Source: Mario de Boer, "Protecting Endpoints From Malware Using Application Whitelisting, Isolation and Privilege Management", 6 July 2016, Gartner, Technical Professional Advice.
MCAFEE: ENDPOINT SECURITY
[Diagram: endpoint product modules and their functions]
- ENDPOINT SECURITY: Signature-based Protection + Firewall + Web Control
- ADAPTIVE THREAT PROTECTION: Machine Learning + Application Containment
- ACTIVE RESPONSE: Endpoint Detection & Response
- THREAT INTELLIGENCE EXCHANGE: Reputation-based Protection
- APP + DEV CONTROL: Whitelisting
- ADVANCED THREAT DEFENSE: Malware Analysis (including Sandboxing)
[Diagram labels also shown: McAfee ePolicy Orchestrator, McAfee Agent, Data Exchange Layer (DXL), Publish Threat Events + Product Integrations]
MAC: OVERVIEW
- APPLICATION VISIBILITY: Discovery scans to identify Known Good, Known Bad and Unknown applications
- DYNAMIC WHITELISTING: Allow only trusted processes, certificates, users and directories to run (lockdown
- MEMORY PROTECTION: Prevent vulnerable trusted applications from being exploited
- REPUTATION-BASED: Integrate with McAfee Global Threat Intelligence (GTI) + Local Intelligence for fe
- DYNAMIC ANALYSIS: Integrate with McAfee Advanced Threat Defense (ATD) for dynamic analysis
MAC: MODES
FEATURE                  DISABLED   OBSERVE   ENABLED   UPDATE
APPLICATION CONTROL      -          RUNNING   RUNNING   RUNNING
APPLICATION VISIBILITY   -          RUNNING   RUNNING   RUNNING
DYNAMIC WHITELISTING     -          MONITOR   RUNNING   RUNNING
MEMORY PROTECTION        -          -         RUNNING   RUNNING
REPUTATION-BASED*        -          RUNNING   RUNNING   RUNNING
DYNAMIC ANALYSIS#        -          RUNNING   RUNNING   RUNNING
*Requires integration with McAfee Threat Intelligence Exchange (TIE) for Local reputation feeds. McAfee Global Threat Intelligence (GTI) is included.
#Requires McAfee Threat Intelligence Exchange (TIE) to be integrated with McAfee Advanced Threat Defense (ATD).
MAC: FEATURES
APPLICATION VISIBILITY: Discovery scans to identify Known Good, Known Bad and Unknown applications
Stages shown: STAGING, INVENTORY, ANALYTICS
Inventory classes:
- Applications: Trusted, Malicious, Unknown
- Other Files: Trusted, Malicious, Unknown
Inventory attributes per file: APPLICATION, FILE NAME, FILE SHA-1, FILE SHA-256, FILE MD5, VENDOR, REPUTATION, SYSTEM
MAC: FEATURES
DYNAMIC WHITELISTING: Allow only trusted processes, certificates, users and directories to run (lockdown
WHITELIST:
- Applications: Trusted, Malicious, Unknown
- Other Files: Trusted, Malicious, Unknown
EXECUTION CONTROL: Trusted Processes, Trusted Directories, Trusted Certificates, Trusted Users
TRUST MODEL: Default Deny - Allow software execution based on approved whitelist or trusted updaters
MAC: FEATURES
MEMORY PROTECTION: Prevent vulnerable trusted applications from being exploited
WHITELIST
EXECUTION CONTROL: Trusted Processes, Trusted Directories, Trusted Certificates, Trusted Users
TRUST MODEL: Default Deny - Allow software execution based on approved whitelist or trusted updaters
2ND LAYER DEFENCE: Memory Protection
MAC: FEATURES
REPUTATION-BASED: Integrate with McAfee Global Threat Intelligence (GTI) + Local Intelligence for fe
TRUST MODEL:
- Default Deny - Allow software execution based on approved whitelist or trusted updaters
- Detect and Deny - Allow software execution based on reputation
REPUTATION SOURCES:
- THREAT INTELLIGENCE EXCHANGE: Local File Reputation (OPTIONAL)
- GLOBAL THREAT INTELLIGENCE: Cloud File Reputation
[Diagram labels also shown: McAfee ePolicy Orchestrator, MAC, KNOWN BAD, KNOWN GOOD]
MAC: FEATURES
DYNAMIC ANALYSIS: Integrate with McAfee Advanced Threat Defense (ATD) for dynamic analysis
TRUST MODEL:
- Default Deny - Allow software execution based on approved whitelist or trusted updaters
- Detect and Deny - Allow software execution based on reputation
- Verify and Deny - Allow execution of applications verified by sandbox testing
REPUTATION SOURCES:
- THREAT INTELLIGENCE EXCHANGE: Local File Reputation (OPTIONAL)
- GLOBAL THREAT INTELLIGENCE: Cloud File Reputation
- ADVANCED THREAT DEFENSE: Malware Analysis (OPTIONAL)
[Diagram labels also shown: McAfee ePolicy Orchestrator, MAC, KNOWN BAD, KNOWN GOOD]
MAC: SUMMARY
- Execution Control and Management
- Signature-less Memory Protection
- DYNAMIC TRUST MODEL:
  - Default Deny - Allow software execution based on approved whitelist or trusted updaters
  - Detect and Deny - Allow software execution based on reputation
  - Verify and Deny - Allow execution of applications verified by sandbox testing
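The three-tier trust model summarised above, as an added example of how such a layered decision can be evaluated (this is not McAfee's code; the policy entries, file names and hashes are constructed, and treating a known-bad reputation as overriding whitelist and trust entries is this example's own assumption):

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed policy data for illustration; not values from any real deployment.
WHITELIST_SHA256 = {"0" * 64}                      # approved inventory entry (constructed hash)
TRUSTED_CERTS = {"Example Corp Code Signing"}      # trusted certificates
TRUSTED_DIRS = ("C:\\Program Files\\Approved\\",)  # trusted directories
TRUSTED_UPDATERS = {"msiexec.exe"}                 # trusted updater processes
TRUSTED_USERS = {"CORP\\svc-deploy"}               # trusted users

@dataclass
class FileEvent:
    path: str
    sha256: str
    signer: Optional[str] = None
    parent_process: str = ""
    user: str = ""
    reputation: Optional[str] = None       # "known_good" / "known_bad" / None (unknown), as GTI or TIE would report
    sandbox_verdict: Optional[str] = None  # "clean" / "malicious" / None, as ATD would report

def evaluate(ev: FileEvent) -> Tuple[str, str]:
    """Return (decision, deciding layer) following the deck's three tiers."""
    # Assumption in this example: a known-bad reputation wins even over whitelist/trust entries.
    if ev.reputation == "known_bad":
        return "deny", "reputation"
    # Tier 1, Default Deny: approved whitelist or a trusted source (process, directory, certificate, user)
    if ev.sha256 in WHITELIST_SHA256:
        return "allow", "whitelist"
    if (ev.signer in TRUSTED_CERTS or ev.path.startswith(TRUSTED_DIRS)
            or ev.parent_process in TRUSTED_UPDATERS or ev.user in TRUSTED_USERS):
        return "allow", "trusted-source"
    # Tier 2, Detect and Deny: reputation decides for files the whitelist does not cover
    if ev.reputation == "known_good":
        return "allow", "reputation"
    # Tier 3, Verify and Deny: only truly unknown files reach the sandbox
    if ev.sandbox_verdict == "clean":
        return "allow", "sandbox"
    if ev.sandbox_verdict == "malicious":
        return "deny", "sandbox"
    return "deny", "default-deny"           # unknown and unverified: blocked by default

def enforce(ev: FileEvent, mode: str = "enabled") -> Tuple[str, str]:
    """Apply the product mode from the modes table: Observe monitors only, Enabled blocks."""
    decision, layer = evaluate(ev)
    if mode == "observe" and decision == "deny":
        return "log-only", layer
    return decision, layer
```

Running unknown files through this chain shows why the Observe mode row in the modes table matters: the same file that would be blocked in Enabled mode is only logged in Observe mode, which is what a rollout relies on to discover legitimate software missing from the whitelist.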