This document is a sample report for the proof of concept (POC) of MVISION Cloud (MVC), McAfee's Cloud Access Security Broker (CASB) solution, formerly Skyhigh Networks. It includes the following:
- MVISION Cloud (MVC) Overview
- MVISION Cloud (MVC) Architecture
- MVISION Cloud (MVC) for Shadow IT
-- Observations and Recommendations
- MVISION Cloud (MVC) for Sanctioned SaaS
-- Observations and Recommendations
- MVISION Cloud (MVC) for Sanctioned IaaS
-- Observations and Recommendations
- End User Experience
- Administrator Experience
It accompanies the MVC POC document uploaded separately.
Please note that all information reflects the state prior to July 2019.
MCAFEE: OVERVIEW
• Founded in 1987
• Headquartered in California, United States
• Provides Software and Services
• Focus is on Consumer and Enterprise Security
• 125,000+ Corporate Customers
• 120 Countries
• 217+ Innovation Alliance Partners
• 800+ Security Patents
• Solution Offering:
  • Cloud Security
  • Device Security
  • Network Security
  • Data Protection and Encryption
  • Intelligent Security Operations
• Service Offering:
  • Technical Support
  • Professional Services
  • Education
MCAFEE: STRATEGY
Portfolio Strategy: An Integrated And Open Security System
Threat Defense Lifecycle: Together, Is Far More Powerful Than Sum Of The Parts
[Diagram labels: Security Operations; Device; Cloud; Management; Threat Intelligence; Analytics; Automation / Orchestration; Infrastructure]
“Through 2023, at least 99% of cloud security failures will be the customer’s fault.”
Steve Riley, Craig Lawson. “Magic Quadrant for Cloud Access Security Brokers.” Gartner, 29 October 2018.
“CASB is a required security platform for organizations using cloud services...”
Craig Lawson, Neil MacDonald, Brian Lowans. “Market Guide for Cloud Access Security Brokers.” Gartner, 22 October 2015.
MVISION CLOUD: THREAT LANDSCAPE
McAfee Discovers Knock Knock – Hacker Exploiting Compromised Admin Account to Hack into Office 365
McAfee Discovers Ghost Writer – S3 Buckets Configured for Write Access Open up Customers to Major Vulnerabilities
MVISION CLOUD: OVERVIEW
[Diagram labels: Unmanaged Devices; SaaS; IaaS/PaaS; MVISION Cloud; Shadow IT; SIEM; Public API; McAfee API]
No User Friction | Complete Visibility and Policies Across Multiple Cloud Services | Real Time
Complete Coverage:
§ Data at rest
§ Data uploaded/downloaded
§ Data created in cloud
§ Shared cloud-to-cloud
§ Certificate pinned apps
MVISION CLOUD: THE PLATFORM
[Platform diagram labels: Third Party Integration (DXL); Platform Extensibility; Common Security Services: Visibility, Data Security, Compliance, Threat Protection; SaaS: CASB Connect – APIs, Long-tail SaaS; IaaS and PaaS – Custom Apps: CASB Proxy – Workload Security, Lift-and-shift Custom Apps]
MVISION CLOUD: QUINTUPLE LEADERSHIP + COMMENDATION
NOTE: As of January 2018, MVISION Cloud (Skyhigh Networks) is now part of McAfee.
• Overall Leadership
• Innovation Leadership
• Market Leadership
POC: REQUIREMENTS
VISIBILITY: Through Shadow IT discovery, provide a consolidated view of the organization’s cloud service landscape and details about the users who access data in cloud services from any device or location. Furthermore, provide a cloud service security rating database to check attributes of trustworthiness and the associated risks of a Cloud Service Provider (CSP).
DATA SECURITY: Enforce Data Loss Prevention policies to prevent unwanted activity based on data discovery, data classification, user groups and collaboration for Sanctioned Software as a Service (SaaS). Controls include quarantine, block, revocation, delete and view-only.
COMPLIANCE: Demonstrate governance of cloud service usage across Sanctioned Software as a Service (SaaS) and Infrastructure as a Service (IaaS). The visibility, control and reporting mechanisms should incorporate internal policies, best practices, security standards and regulatory compliance requirements.
THREAT PROTECTION: Prevent unmanaged devices and users from accessing cloud services by providing access controls. Furthermore, provide detailed activity monitoring with embedded user and entity behavior analytics (UEBA) for identifying anomalous behavior. These should be available for Sanctioned Software as a Service (SaaS) and Infrastructure as a Service (IaaS).
POC: SHADOW IT
Discover Cloud Services: Discover all SaaS, PaaS, IaaS and custom applications in use, and visually summarize traffic patterns, access count and usage over time.
Risk-based Score: Provide a risk rating for each service based on its attributes, and allow attributes and weights to be modified and custom attributes to be added to generate personalized ratings.
Cloud Service Governance: Provide a workflow to automatically or manually classify services based on risk criteria, and enforce acceptable use policies through coaching and/or blocking (out of scope).
Activity Drilldown: Provide a clickable drilldown to navigate from service-level upload statistics to granular user-level and event-level statistics, with a complete activity feed for additional context.
Cloud Enforcement Gap Analysis: Detect whether perimeter security allowed high risk services to operate, and provide recommendations to close the gaps.
[Diagram labels: Data Center; SaaS; IaaS/PaaS. Chart: upload volume by category (1 TB, 970 GB, 854 GB) for Cloud Storage, IT Services, Development and Collaboration, with an L/M/H risk legend]
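The risk-based score and the enforcement gap analysis described above, as an added example that is not MVISION Cloud's own code: a weighted attribute model that an administrator can re-weight or extend with custom attributes, plus a check that lists the high-risk services the perimeter still allows. The attribute names, weights, rating thresholds and the sample inventory are assumptions made for this example.

```python
from dataclasses import dataclass, field

# Default attribute weights (assumed for this example): a higher weight means the
# attribute adds more risk when it is true for a service.
DEFAULT_WEIGHTS = {
    "known_vulnerability": 3.0,    # e.g. an SSL/TLS flaw such as POODLE or DROWN
    "breached_in_1_year": 3.0,
    "anonymous_use": 2.0,          # uploads possible without an identity
    "no_encryption_at_rest": 2.0,
    "gdpr_high_risk": 2.0,
}

@dataclass
class RiskModel:
    weights: dict = field(default_factory=lambda: dict(DEFAULT_WEIGHTS))

    def add_attribute(self, name: str, weight: float) -> None:
        """Add a custom attribute, or change the weight of an existing one."""
        if weight < 0:
            raise ValueError("weights must be non-negative")
        self.weights[name] = weight

    def score(self, attrs: dict) -> float:
        """Score 0..10: the weighted share of risky attributes that are true.
        Attributes not in the model are ignored, so the catalogue can grow safely."""
        total = sum(self.weights.values())
        hit = sum(w for name, w in self.weights.items() if attrs.get(name, False))
        return round(10 * hit / total, 1) if total else 0.0

    def rating(self, attrs: dict) -> str:
        """Bucket the score into the Low/Medium/High bands used by the report."""
        s = self.score(attrs)
        return "High" if s >= 6 else "Medium" if s >= 3 else "Low"

def enforcement_gaps(model: RiskModel, services: list) -> list:
    """Cloud enforcement gap analysis: high-risk services that the perimeter
    (SWG/NGFW) still allows completely or partially. Returns (name, rating, egress)."""
    return [(svc["name"], model.rating(svc["attrs"]), svc["egress"])
            for svc in services
            if model.rating(svc["attrs"]) == "High" and svc["egress"] != "denied"]

# Constructed sample inventory; service names are placeholders, not discovery output.
SAMPLE_SERVICES = [
    {"name": "filedrop-example", "egress": "allowed",
     "attrs": {"anonymous_use": True, "known_vulnerability": True,
               "no_encryption_at_rest": True, "breached_in_1_year": True}},
    {"name": "wiki-example", "egress": "partial",
     "attrs": {"known_vulnerability": True, "anonymous_use": True}},
    {"name": "sanctioned-storage", "egress": "allowed",
     "attrs": {"gdpr_high_risk": False}},
]

if __name__ == "__main__":
    model = RiskModel()
    model.add_attribute("hosted_in_unapproved_region", 1.0)  # a custom attribute
    for svc in SAMPLE_SERVICES:
        print(f'{svc["name"]:20} score={model.score(svc["attrs"])} {model.rating(svc["attrs"])}')
    print("enforcement gaps:", enforcement_gaps(model, SAMPLE_SERVICES))
```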
POC: EXECUTIVE SUMMARY April 26 to May 16 2019
• 179 services used with known vulnerability
• 40 high risk services of 2,286 total services
• 75 services need additional controls
• Total data to high risk services: 6.8 GB
• Total services: 2,286
• Users of high risk services: 102
• Access attempts to high risk services: 164.9 K
POC: HIGH RISK SERVICES April 26 to May 16 2019
• 40 high risk services of 2,286 total services
• Inconsistent egress policies – high risk services allowed by your perimeter security: 38 completely allowed, 2 partially allowed, 0 completely denied
• 5.9 GB uploaded to cloud storage
• 18 file sharing services
[Chart: example services by category: bilibili (Collaboration), WikiSend (Cloud Storage); counts shown: 8, 7]
POC: VULNERABLE SERVICES April 26 to May 16 2019
179 services used with known vulnerability:
• DROWN: 4 (makes it easier for remote attackers to decrypt TLS ciphertext data)
• Heartbleed: 0 (allows remote attackers to obtain sensitive information)
• FREAK/Logjam: 4 (man-in-the-middle attack that could break the security of any website)
• Cloudbleed: 141 (affected Cloudflare's reverse proxies, which caused their edge servers to return their customers’ sensitive information)
• POODLE: 30 (makes it easier for man-in-the-middle attackers to obtain cleartext data)
POC: ADDITIONAL CONTROL REQUIREMENTS April 26 to May 16 2019
• 75 services need additional controls
POC: HIGH RISK SERVICES BY CATEGORY April 26 to May 16 2019
• High risk GDPR: 62 of 2,286 total services
• Anonymous use: 56 of 2,286 total services
• Breached in 1 year: 6 of 2,286 total services
• High risk collaboration: 8 of 2,286 total services
• High risk IaaS: 0 of 2,286 total services
• High risk cloud storage: 12 of 2,286 total services
Per-category data transferred / users / access attempts, as shown on the slide: 6.9 GB / 313 / 57.1 K; 38.7 GB / 794 / 133.5 K; 409.3 GB / 1,017 / 1.9 M; 5.9 GB / 31 / 77 K; 237 MB / 10 / 619; 0 GB / 0 / 0
POC: LOW RISK SERVICES BY CATEGORY April 26 to May 16 2019
• Approved McAfee CT: 39 of 2,286 total services
• Approved CSA STAR: 57 of 2,286 total services
• Low risk collaboration: 48 of 2,286 total services
• Low risk IaaS: 3 of 2,286 total services
• Low risk cloud storage: 12 of 2,286 total services
Per-category data transferred / users / access attempts, as shown on the slide: 2.6 TB / 39 / 3.7 M; 4.2 TB / 1,071 / 5.8 M; 1.8 TB / 1,016 / 9.1 M; 687.8 MB / 18 / 4.8 K; 8.3 TB / 1,148 / 15.2 M
POC: LOW RISK SERVICES COMPARISON April 26 to May 16 2019
• 48 low risk collaboration
• 3 low risk IaaS
• 12 low risk cloud storage
The services compared have been provided based on several validations made by the McAfee CloudTrust Program and/or the Cloud Security Alliance’s Security Trust Assurance and Risk (STAR) Program. Furthermore, McAfee MVISION Cloud provides discovery and various protection controls across these recommended services for your organization:
• MVISION Cloud for Box
• MVISION Cloud for Microsoft Office 365
• MVISION Cloud for Slack
• MVISION Cloud for Exchange Online
• MVISION Cloud for Amazon Web Services (AWS)
POC: UNMATCHED SERVICES April 26 to May 16 2019
• 3,876 unmatched services of 6,162 total services
• 51.8 GB unmatched uploads of 2.2518 TB total upload data
• Largest unmatched uploads: 23 GB to thepiratebay.se; 7.2 GB to 74.112.185.182; 6.5 GB to 74.112.184.85
• Top unmatched services (count shown): intranet.rks.com (824); rks-usw.accesscontrol.windows.net (735); show.rks.com (653); p.rfihub.com (474); sync.adaptv.advertising.com (462)

URL | Status | Categorization | Reputation
http://thepiratebay.se | Categorized URL | Potential Illegal Software | Unverified
http://74.112.185.182 | Categorized URL | Internet Services | Minimal Risk
http://74.112.184.85 | Categorized URL | Personal Network Storage | Minimal Risk
http://intranet.rks.com | Categorized URL | Blogs/Wiki | Minimal Risk
http://rks-usw.accesscontrol.windows.net | Categorized URL | Software/Hardware | Minimal Risk
http://show.rks.com | Categorized URL | Blogs/Wiki | Minimal Risk
http://sync.adaptv.advertising.com | Categorized URL | Internet Services | Minimal Risk
http://p.rfihub.com | Categorized URL | Content Server | Minimal Risk
Categorization information based on McAfee Web Gateway 7.x Customer URL Ticketing System*
*For more information you can visit https://www.trustedsource.org/en/feedback/url or McAfee Threat Center (https://www.mcafee.com/enterprise/en-us/threat-center.html)
POC: RECOMMENDATIONS
Vulnerable Services
• Find out who is using these services and what information was shared with them.
• Coach employees on lower-risk sanctioned or permitted alternatives.
Additional Control Requirements
• Although some services are rated medium or low risk, they require additional controls because of risky attributes.
• Use the risk-based scoring of cloud services to identify them and assess them according to your risk appetite.
Low Risk Services
• Compare known good services that the organization can adopt easily, with less user friction and with security controls.
• Validations can be made via the McAfee CloudTrust Program and/or the Cloud Security Alliance’s Security Trust Assurance and Risk (STAR) Program.
• Discovery and various protection controls can be provided by MVISION Cloud for Sanctioned SaaS/IaaS.
High Risk Services
• Block high risk services, and coach your employees to use lower-risk sanctioned or permitted alternatives.
• Ensure acceptable use governance policies are fully enforced by existing SWGs/NGFWs, and ensure that there is no proxy leakage.
Comprehensive Approach
• Integrate with Active Directory to gather additional context on which cloud services are used by user, department, location, etc.
• Integrate with existing SWGs/NGFWs to enforce real-time governance policies and ensure there is no proxy leakage.
• With McAfee Web Gateway (MWG), MVISION Cloud’s auto-classification of high risk services can be used to provide Closed Loop Remediation (CLR).
POC: EXECUTIVE SUMMARY (+21 Days) April 26 to Jun 6 2019
• 179 services used with known vulnerability
• 47 high risk services of 2,313 total services (+7)
• 75 services need additional controls
• Total data to high risk services: 35.5 GB (+28.7 GB)
• Total services: 2,313 (+27)
• Users of high risk services: 129 (+27)
• Access attempts to high risk services: 295.6 K (+130.7 K)
POC: SANCTIONED SAAS
Data Loss Prevention: Discover and prevent sensitive data from being stored in Sanctioned SaaS.
Collaboration Control: Prevent sharing of sensitive data with unauthorized parties.
Activity Monitoring: Gain visibility into Sanctioned SaaS usage and accelerate post-incident forensic investigations by capturing a comprehensive audit trail of all activity (out of scope).
Access Control: Protect corporate data from unauthorized access by enforcing granular, context-aware access policies, such as preventing download of sensitive data from Sanctioned SaaS to unmanaged devices.
User Behavior Analytics: Automatically build models of typical user behavior and identify behavior that may indicate a threat, such as insider threats, compromised accounts and privileged user threats.
Malware Detection: Block known malware signatures, sandbox suspicious files, and identify behavior indicative of malware data exfiltration or ransomware activity (out of scope).
Incident Management and Response: Provide a unified interface to triage and resolve incidents, and respond through autonomous remediation.
POC: EXECUTIVE SUMMARY May 22 to Jun 5 2019
• Services: 4 (Microsoft Exchange Online, Microsoft OneDrive, Microsoft SharePoint Online, Google Drive)
• Data Loss Prevention: 84 policy violations (58 OneDrive, 12 SharePoint, 5 Exchange, 9 Google Drive)
• Activity Monitoring: 948 activities (840 O365, 108 G Suite)
• Cloud Access Control: 354 access violations (351 O365, 3 G Suite)
POC: ACTIVITY MONITORING May 22 to Jun 5 2019
• 948 activities (840 O365, 108 G Suite) by category: Service Usage 643; Administration 88; Data Access 64; Login Success 46; Data Upload 43; Data Download 42; Data Updates 11; Data Sharing 7; Data Delete 5; Data Update 1; Anomalies 0
• 11 users (7 O365, 4 G Suite); most active: iai@iaispace.com (189 actions), iai@iairecord.com (98 actions)
POC: CLOUD ACCESS CONTROL May 22 to Jun 5 2019
• 354 access violations (351 O365, 3 G Suite); 127 high severity
• Severity, O365: 127 High, 0 Medium, 224 Low; G Suite: 0 High, 0 Medium, 3 Low
• 20 times unmanaged devices were used to access services (desktop 17, mobile 3)
• 11 download attempts on unmanaged devices (desktop 9, mobile 2)
POC: DATA LOSS PREVENTION May 22 to Jun 5 2019
• 84 policy violations (58 OneDrive, 12 SharePoint, 5 Exchange, 9 Google Drive); 74 high severity
• Severity: 74 High, 10 Medium, 0 Low
• Incidents by activity: Invited Collaborators 31; Modified 31; Uploaded 7; Enabled Shared Link 5; Email 5; On-Demand Scan 3; Role Change of Collaborators 2
[Chart: OneDrive 49; 31 Invited Collaborators of 84 incidents]
POC: CONNECTED APPS May 22 to Jun 5 2019
• 7 applications: Blocked 1, Allowed 1, Under Audit 1, Unassigned 4
POC: RECOMMENDATIONS
Data Loss Prevention
• Prevent unauthorized data from being collaborated on, except with trusted partners at specific permission levels.
• Discover and prevent regulated and high-value data from being stored in cloud services using content- and context-based rules.
Access Control
• Block downloads of data to unauthorized (unmanaged/personal) devices by performing device certificate checks.
• Access to cloud services from unauthorized devices can also be blocked outright, or limited with a view-but-no-download policy.
Activity Monitoring
• Detect compromised accounts and insider/privileged user threats by leveraging machine learning that builds user behavior models.
• Cross-reference activities across cloud services to detect anomalies, and incorporate false positive feedback.
• Capture an audit trail of all user activity (automatically categorized) with geolocation analytics for forensic investigation.
Data Classification
• Identify the data owned by the organization and who the data owner is.
• Understand how the data is created, where it is stored, how it is used and collaborated on, and with whom.
• This helps determine whether any regulatory compliance or jurisdictional requirements are associated with the data.
Comprehensive Approach
• Integrate with Active Directory to enforce user- or group-based policies based on user and custom attributes.
• For Data Loss Prevention, integrate with on-premise DLP for complete coverage.
• Integrate with SIEM via syslog to forward policy violations.
POC: SANCTIONED IAAS
Security Configuration and Compliance Audit: Audit and monitor the security configurations of all your IaaS services to detect and correct misconfigurations, reduce risk and comply with internal/external policies.
Activity Monitoring: Gain visibility into usage across managed and unmanaged IaaS accounts and accelerate post-incident forensic investigations by capturing a comprehensive audit trail of all activity.
Data Loss Prevention: Prevent unauthorized regulated data from being stored in IaaS storage services.
User Behavior Analytics: Automatically build models of typical user behavior and identify behavior that may indicate a threat, such as insider threats, compromised accounts and privileged user threats.
Malware Detection: Block known malware signatures, sandbox suspicious files, and identify behavior indicative of malware data exfiltration or ransomware activity (out of scope).
Incident Management and Response: Provide a unified interface to triage and resolve incidents, and respond through autonomous remediation.
POC: EXECUTIVE SUMMARY May 22 to May 30 2019
• Services: 2 (Amazon Web Services, Microsoft Azure)
• Data Loss Prevention: 7 policy violations (0 AWS, 7 Azure)
• Activity Monitoring: 1,448 activities (1,353 AWS, 97 Azure)
• Security Configuration Audit: 160 audit violations (146 AWS, 14 Azure)
POC: ACTIVITY MONITORING May 22 to May 30 2019
• 1,448 activities (1,353 AWS, 97 Azure) by category: Service Usage 1,302; Administration 108; Data Updates 20; User Account Creation 10; Data Access 5; Login Success 4; Data Delete 1; Anomalies 0
• 7 users (3 AWS, 4 Azure); most active: iaispace-s3 (1,277 actions), admin (79 actions)
POC: SECURITY CONFIGURATION AUDIT May 22 to May 30 2019
• 160 audit violations (146 AWS, 14 Azure); 36 high severity
• 9 services affected of 9 total services
• 64 non-compliant with CIS Benchmarks (Level 2: 33; Level 1: 28; Level 1: 3, as shown on the slide)
• Severity, AWS: 32 High, 73 Medium, 41 Low; Azure: 4 High, 8 Medium, 2 Low
• AWS violations by service: Web Services 105; EC2 16; IAM 11; S3 10; CloudTrail 4
• Azure violations by service: Security Center 7; Network Security Group 3; Subscriptions 2; Storage Accounts 2
POC: DATA LOSS PREVENTION May 22 to May 30 2019
• 7 policy violations (0 AWS, 7 Azure); 4 high severity
• Severity, AWS: 0 High, 0 Medium, 0 Low; Azure: 4 High, 3 Medium, 0 Low
POC: RECOMMENDATIONS
Data Loss Prevention
• Discover regulated and high-value data stored in cloud services using content- and context-based rules.
• Run scheduled on-demand scans to detect violations.
Security Configuration Audit
• Run scheduled on-demand scans to detect security violations and misconfigurations of your cloud services.
• Scans based on CIS benchmarks, Security Center (Azure) and McAfee best practices should be reviewed for incidents and remediation steps.
Activity Monitoring
• Detect compromised accounts and insider/privileged user threats by leveraging machine learning that builds user behavior models.
• Cross-reference activities across cloud services to detect anomalies, and incorporate false positive feedback.
• Capture an audit trail of all user activity (automatically categorized) with geolocation analytics for forensic investigation.
Data Classification
• Identify the data owned by the organization and who the data owner is.
• Understand how the data is created, where it is stored, how it is used and collaborated on, and with whom.
• This helps determine whether any regulatory compliance or jurisdictional requirements are associated with the data.
Comprehensive Approach
• Integrate with Active Directory to get additional context on users, departments, locations, etc.
• Integrate with SIEM via syslog to forward policy violations.
POC: CLOUD ACCESS CONTROL (MVISION Cloud) May 19 to May 22 2019
Business logic:
• Services: SharePoint Online, OneDrive, Exchange Online
• Users: Everyone
• Rules: Redirect Managed Clients (Device Certificates)
• Exceptions: -
• Response: Allow Service Activities
POC: CLOUD ACCESS CONTROL (MVISION Cloud) May 19 to May 22 2019
Business logic:
• Services: SharePoint Online, OneDrive, Exchange Online
• Users: Everyone
• Rules: Unmanaged Clients trying to Download
• Exceptions: -
• Response: Block Downloads
POC: DATA LOSS PREVENTION (MVISION Cloud) May 19 to May 22 2019
Business logic:
• Services: SharePoint Online, OneDrive
• Users: Everyone
• Rules: High Severity for Credit Card Data
• Exceptions: -
• Response: Quarantine for High Severity | Send Email to User
POC: ON-DEMAND SCAN (MVISION Cloud) May 19 to May 22 2019
Business logic:
• Services: Exchange Online
• Users: Everyone
• Rules: High Severity for Credit Card Data | Daily Scan
• Exceptions: -
• Response: Monitor for High Severity | Send Email to Admin
POC: CONTENT COLLABORATION (MVISION Cloud) May 19 to May 22 2019
Business logic:
• Services: SharePoint Online, OneDrive
• Users: Everyone
• Rules: High Severity for Collaborated Confidential (classification) Files
• Exceptions: -
• Response: Block for High Severity | Send Email to Admin
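The access control, DLP, on-demand scan and collaboration policies configured above, as an added example that is not MVISION Cloud's own policy engine: a small evaluator that treats a presented device certificate as the managed-client signal, blocks downloads from unmanaged clients, detects credit card data with a Luhn-validated pattern, and returns the response and notification each policy prescribes. The request fields, the "high severity" threshold of five card numbers and the sample content are assumptions; the card numbers are publicly known test numbers.

```python
import re
from dataclasses import dataclass

# Candidate card numbers: 13 to 16 digits, optionally separated by spaces or dashes.
CC_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
HIGH_SEVERITY_MIN_CARDS = 5   # assumed threshold for "High Severity for Credit Card Data"

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; screens out order numbers and IDs that merely look like PANs."""
    total, double = 0, False
    for ch in reversed(digits):
        d = int(ch)
        if double:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
        double = not double
    return total % 10 == 0

def credit_card_count(text: str) -> int:
    """Number of Luhn-valid card numbers found in the content."""
    return sum(1 for m in CC_CANDIDATE.finditer(text)
               if luhn_ok(re.sub(r"[ -]", "", m.group())))

@dataclass
class Request:
    service: str             # "SharePoint Online" | "OneDrive" | "Exchange Online"
    action: str              # "download" | "upload" | "share" | "scan" | "view"
    has_device_cert: bool    # a valid device certificate marks a managed client
    content: str = ""
    classification: str = ""  # e.g. "Confidential"

ACCESS_SERVICES = {"SharePoint Online", "OneDrive", "Exchange Online"}
DLP_SERVICES = {"SharePoint Online", "OneDrive"}

def evaluate(req: Request) -> dict:
    """Return the response of the first policy that matches (most restrictive first)."""
    managed = req.has_device_cert
    if req.service in ACCESS_SERVICES and req.action == "download" and not managed:
        return {"response": "block", "policy": "unmanaged-download", "notify": None}
    high_cc = credit_card_count(req.content) >= HIGH_SEVERITY_MIN_CARDS
    if req.service in DLP_SERVICES and req.action == "upload" and high_cc:
        return {"response": "quarantine", "policy": "dlp-credit-card", "notify": "user"}
    if req.service == "Exchange Online" and req.action == "scan" and high_cc:
        return {"response": "monitor", "policy": "on-demand-scan", "notify": "admin"}
    if (req.service in DLP_SERVICES and req.action == "share"
            and req.classification == "Confidential"):
        return {"response": "block", "policy": "collaboration-control", "notify": "admin"}
    return {"response": "allow", "policy": None, "notify": None}

# Constructed content using publicly known test card numbers (not real accounts);
# the order number at the end fails the Luhn check and is not counted.
SAMPLE_CARDS = ("4111111111111111, 5500000000000004, 340000000000009, "
                "6011000000000004, 4012888888881881 ref ORDER-2019052200002")

if __name__ == "__main__":
    for r in (Request("OneDrive", "download", has_device_cert=False),
              Request("OneDrive", "upload", True, content=SAMPLE_CARDS),
              Request("SharePoint Online", "share", True, classification="Confidential")):
        print(r.service, r.action, "->", evaluate(r))
```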
POC: RECOMMENDATIONS – ACTIVITY MONITORING
Monitor the activity of users within your organization and detect risk trends for the entire organization over time.
Break down individual usage by activity, time, user and role development.
Users with administrative access have the greatest access to sensitive data and user information; ensure they have only the access and permissions necessary to perform their job.
POC: RECOMMENDATIONS – SECURITY CONFIGURATION AUDIT
Regularly run security configuration audit scans.
Review incidents and remediate based on your requirements, such as company security policy, best practices and benchmarks.
After taking remediation measures, run the scan again to ensure that the same violations are not produced.
The remediation strategy could be to resolve High Severity incidents first, to resolve all incidents affecting CIS Level benchmarks (High, Medium and Low), or to follow the organization’s risk appetite.
MVISION Cloud provides remediation steps within the incident details.
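The scan, review, remediate and re-scan loop recommended above, as an added example that is not MVISION Cloud's own audit engine: a few CIS-benchmark-style checks over a constructed AWS inventory (public-write S3 buckets as in the Ghost Writer finding, missing bucket encryption and logging, a single-region CloudTrail, console users without MFA), each finding carrying a severity and a remediation step, and a diff between two scans so resolved and newly introduced violations are visible. Check names, CIS levels and the sample resources are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    resource: str
    check: str
    severity: str       # "High" | "Medium" | "Low"
    cis_level: int      # CIS benchmark profile level, 1 or 2 (assumed per check)
    remediation: str

def audit(inventory: dict) -> list:
    """Evaluate every resource and return findings sorted High -> Low for triage."""
    out = []
    for b in inventory.get("s3_buckets", []):
        if b.get("public_write"):    # world-writable bucket, the "Ghost Writer" case
            out.append(Finding(b["name"], "s3-public-write", "High", 1,
                               "Remove public WRITE/WRITE_ACP grants and turn on Block Public Access"))
        if not b.get("default_encryption"):
            out.append(Finding(b["name"], "s3-no-default-encryption", "Medium", 2,
                               "Enable default server-side encryption on the bucket"))
        if not b.get("access_logging"):
            out.append(Finding(b["name"], "s3-no-access-logging", "Low", 1,
                               "Enable server access logging to a separate log bucket"))
    for t in inventory.get("cloudtrail", []):
        if not t.get("multi_region"):
            out.append(Finding(t["name"], "cloudtrail-single-region", "High", 1,
                               "Enable the trail in all regions"))
    for u in inventory.get("iam_users", []):
        if u.get("console_access") and not u.get("mfa"):
            out.append(Finding(u["name"], "iam-console-user-no-mfa", "High", 1,
                               "Enable MFA for the console user"))
    rank = {"High": 0, "Medium": 1, "Low": 2}
    return sorted(out, key=lambda f: (rank[f.severity], f.resource, f.check))

def rescan_diff(before: list, after: list) -> dict:
    """Compare two scans by (resource, check): what was resolved and what is new."""
    b = {(f.resource, f.check) for f in before}
    a = {(f.resource, f.check) for f in after}
    return {"resolved": sorted(b - a), "new": sorted(a - b), "open": len(a)}

# Constructed inventories before and after remediation (placeholder names).
SCAN_1 = {
    "s3_buckets": [{"name": "example-data", "public_write": True,
                    "default_encryption": False, "access_logging": False}],
    "cloudtrail": [{"name": "example-trail", "multi_region": False}],
    "iam_users": [{"name": "alice", "console_access": True, "mfa": False}],
}
SCAN_2 = {
    "s3_buckets": [{"name": "example-data", "public_write": False,
                    "default_encryption": True, "access_logging": False}],
    "cloudtrail": [{"name": "example-trail", "multi_region": True}],
    "iam_users": [{"name": "alice", "console_access": True, "mfa": True},
                  {"name": "ci-bot", "console_access": True, "mfa": False}],
}

if __name__ == "__main__":
    first, second = audit(SCAN_1), audit(SCAN_2)
    for f in first:
        print(f"[{f.severity}] L{f.cis_level} {f.resource}: {f.check} -> {f.remediation}")
    print(rescan_diff(first, second))
```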