Sandboxing and the SOC


Place McAfee Advanced Threat Defense at the center of your investigation workflow

As you strive to further enable your security operations center (SOC), you want your analysts and threat hunters to do their best detective work to pinpoint true positives so that triage and remediation efforts are properly prioritized and acted on. While threat hunting is a human-centric activity that relies on clues, intuitive hunches, and knowledge of adversaries' tactics, techniques, and procedures (TTPs), automation can greatly improve the efficacy of SOC team members focused on this activity. When analysts and threat hunters have multiple tools at their disposal, tools that are coordinated by integration, threat sharing, and automation, they'll be more successful. Our study, "Disrupting the Disruptors, Art or Science?",[1] reveals that, for the majority of investigations (61% to 80%) across SOCs of all maturity levels, an advanced sandbox solution like McAfee Advanced Threat Defense is essential.

Why We Analyze Malware

As we evaluate advanced technologies that help us improve our threat-hunting capabilities, let's not lose sight of why we analyze malware in the first place:

- Determine the nature of an unknown file: is it benign or malicious?
- Get a better understanding of what a malicious file is actually doing
- Assess the impact of a malware infection
- Enhance detection by looking for indicators of compromise (IoCs)
- Make more informed choices and communicate this information to management

Why an Advanced Sandbox Is Integral to a Successful SOC

Sandboxing is a foundational tool for SOC analysts and threat hunters across every level of maturity. In more mature organizations, sandboxing is complemented by a mix of other tools, including security information and event management (SIEM) solutions. McAfee Advanced Threat Defense provides not only static and dynamic malware analysis but also other capabilities that place it at the core of a comprehensive threat hunting and intelligence-sharing ecosystem. Providing more than basic behavioral analysis with file execution or sandboxing, McAfee Advanced Threat Defense also features in-depth static code analysis and additional detection capabilities powered by machine learning. Automation is enabled by tight integration with solutions in the McAfee product portfolio, along with partner products; support for open standards; and a REST application programming interface (API).

Serving as the nexus of the threat-hunting workflow, McAfee Advanced Threat Defense can collect and analyze samples from multiple sources, including manual submission, and provide indicators of compromise (IoC) information to any technology that is capable of ingesting it and using it in an actionable and intelligent manner for remediation. Technologies that make use of the IoCs range from perimeter intrusion prevention systems to threat intelligence platforms (TIPs) and security automation and orchestration platforms.

"If McAfee Advanced Threat Defense deems the file to be malicious, its reputation is then automatically broadcast via McAfee Threat Intelligence Exchange to all the endpoints connected to DXL. This automatic distribution of threat reputation information helps us block zero-day threats before they can harm our environment."
Senior Manager, Security Engineering, Large Software Company

Figure 1. A collaborative security ecosystem with McAfee Advanced Threat Defense at the core increases the efficacy, efficiency, and accuracy of SOC investigations. (Diagram components: McAfee Network Security Platform, McAfee Web Gateway, McAfee Threat Intelligence Exchange, any third-party secure email gateway, McAfee Enterprise Security Manager, Bro IDS sensor, DXL, STIX; McAfee Advanced Threat Defense IoCs are shared with any product that consumes TAXII.)

Collect, Ingest, and Analyze

Let's take a deeper look at how McAfee Advanced Threat Defense enables automation and supports SOC investigation processes. The first step in the process involves collecting and ingesting threat data. Suspicious samples can be manually uploaded by SOC analysts or automatically delivered through tight integration between McAfee Advanced Threat Defense and security devices from the network edge through the endpoint. McAfee Advanced Threat Defense then uses a variety of analysis techniques to uncover malware, from lower-intensity methods like file reputation and signatures to more sophisticated methods like dynamic analysis to analyze malware behavior and in-depth static code analysis to help classify samples. McAfee Advanced Threat Defense also uses machine learning to help uncover patterns in code to identify emerging threats, analyze behavioral patterns to identify maliciousness, and assess code to determine similarity to other malware families.

Interoperability with McAfee products

McAfee Advanced Threat Defense integrates with multiple products from the McAfee security portfolio, currently McAfee Network Security Platform, McAfee Web Gateway, and McAfee Threat Intelligence Exchange. McAfee Threat Intelligence Exchange integrations with McAfee Application Control, McAfee Endpoint Security solutions, McAfee Server Security Suite, and McAfee Security for Microsoft Exchange further extend interoperability. Ingesting malware samples from these vectors, McAfee Advanced Threat Defense then applies its sandboxing analysis capabilities to arrive at usable threat data.

Interoperability with non-McAfee technologies: email gateways and Bro sensors

In addition to integrating with McAfee technologies, McAfee Advanced Threat Defense is also compatible with third-party security tools such as email gateways. SMTP traffic can be forwarded into any secure email gateway, such as Cisco ESA and Proofpoint, and those email gateways, in turn, can forward an email attachment to McAfee Advanced Threat Defense for analysis.

On the network side, McAfee Advanced Threat Defense is interoperable with the open source Bro Network Security Monitor (bro.org). While Bro is an intrusion detection system (IDS) and not a replacement for a robust intrusion prevention system (IPS) like McAfee Network Security Platform, Bro sensors are often used by SOCs and deployed as a temporary IDS on a suspected network segment to monitor and capture traffic. Bro carves files from network traffic and places them in a file directory. McAfee Advanced Threat Defense integrates with this directory and can read those files. Bro uses scripts that can automatically extract a file from network traffic in milliseconds and, through the use of a Python script and the McAfee Advanced Threat Defense REST daemon, Bro sends it to McAfee Advanced Threat Defense for analysis. By using more network sensors to get a second look at potentially malicious traffic, your investigators can gain greater confidence that they are getting a true positive. It also provides your SOC team with a better understanding of threat behavior and a deeper analysis of what's happening on your network.

McAfee Advanced Threat Defense offers numerous advanced capabilities that can support investigations, including:

- Comprehensive OS support that covers the most widely used operating systems for endpoints, servers, and mobile devices
- Detailed reports that provide critical information for investigation: assembly output, network packet captures (pcaps), graphical function call diagrams, and memory dumps
- User interactive mode, which enables analysts and threat hunters to interact directly with malware samples
- Deeper sample analysis by forcing additional execution paths that remain dormant in typical sandbox environments
- Sample submission to multiple virtual environments to speed investigation by determining which environment variables are needed for file execution
- Extensive unpacking capabilities, which reduce investigation time from days to minutes

Features that Support Deeper, More Accurate Investigations

X-Mode or interactive mode

Hunters and analysts alike can leverage McAfee Advanced Threat Defense X-Mode, or Interactive Mode, to find useful clues about threats that piggyback on legitimate applications. This is particularly applicable to large organizations, which are often the targets of advanced persistent threats (APTs). As a result of reconnaissance missions, bad actors gain insights into whitelisted applications used by the targeted organization on a daily basis. From there, they create threats wrapped into the code of a known whitelisted application and embed malicious payloads, like keyloggers. The user can't see the threat. However, on the back end, if your analyst or threat hunter interacts with the malicious code in the McAfee Advanced Threat Defense sandbox, which is constantly on the lookout for anomalous or malicious activity, it will identify malicious activity. Once a suspicious file is uploaded, the analyst can interact with the sample and gain a better understanding of the user experience, since they actually see what the user would see. For example, within an isolated sandbox, your analyst can click through features of the whitelisted application and execute various operations, like running an embedded macro. Your analysts and threat hunters now have free rein to do deeper manual investigation without worrying about lateral propagation to other assets in your network and causing harm.

X-mode is especially helpful when it comes to extremely evasive malware that requires human interaction in order to execute. For example, let's say a bad actor sends an email with a password-protected spreadsheet attachment along with the password. If the user opens the spreadsheet and enters the password, the hidden malware is triggered, and it infects the system. In X-mode, analysts can interact with the malware within the sandbox, such as entering a password to unlock the sample and trigger the malware so that they can better understand how such evasive threats work and the associated user experience. X-mode is also a great tool for training junior analysts.

Customize for your unique operating system

Threats targeted at a specific organization based on user activity, authorized applications, and the predominant operating system in use have become an overriding point of focus for many enterprises. If a malware author knows the specific version of Microsoft Windows OS that an enterprise uses, for example, they can leverage that information to optimize the malware and make it as damaging as possible, but less obvious than malware running on a completely different operating system. They can also tailor the malware according to various OS versions in order to infiltrate as many systems as possible.

Another mechanism to help analysts and threat hunters track down and thwart these APTs is the ability to customize the analysis environment in McAfee Advanced Threat Defense. You can analyze potential threats in an environment with a specific OS version or specific applications. Malware samples can then be safely detonated inside the customized analysis VMs. This is a great boon for your threat-hunting efforts, as it mirrors your own environment and helps your team extract IoCs that will accelerate the remediation process and maximize its effectiveness.

Share and Publish

After rigorous analysis using a variety of methods, McAfee Advanced Threat Defense can share its IoCs and convictions. Outputs include critical investigation information, such as disassembly, function call diagrams, dropped file detail, processes, and registry changes. McAfee Advanced Threat Defense becomes the publisher, sharing metadata and results with threat intelligence platforms, machine data analysis solutions, and SIEMs.

Data Exchange Layer and Open Data Exchange Layer

By leveraging the bi-directional communication fabric Data Exchange Layer (DXL), McAfee Advanced Threat Defense can publish its threat intelligence to McAfee Threat Intelligence Exchange, which instantly shares this information across your entire security ecosystem, enabling your solutions, both McAfee products and compatible third-party products, to work together to adapt their policies and more quickly address threats with appropriate protection and remediation. Open Data Exchange Layer (OpenDXL), the open source version of DXL, further extends the playing field by providing simple open source tools, expertise, and a supportive community. Any application, whether internally developed or vendor supplied, can tap into the real-time capabilities of the DXL communications fabric, and thereby take advantage of the rich store of threat intelligence made available by McAfee Advanced Threat Defense.
STIX/OpenTAXII

McAfee Advanced Threat Defense further demonstrates our ability to create, support, and expand a collaborative security ecosystem by embracing widely used standards that enable sharing of cyberthreat intelligence. It publishes the information in an open-standard format, notably Structured Threat Information Expression (STIX)-formatted threat information via Trusted Automated eXchange of Indicator Information (TAXII), a transport mechanism for sharing threat intelligence. As a STIX/TAXII publisher, McAfee Advanced Threat Defense allows solutions that are not directly integrated with it to easily consume IoCs with details like hashes, malicious IPs, and user IDs. Information of this kind allows SOC analysts and threat hunters to get a clearer understanding of the intent of a file or action. Support for STIX/TAXII open standards has real value in that the information generated by McAfee Advanced Threat Defense can be parsed and correlated through virtually any SIEM solution that supports TAXII. Analysts and threat hunters can then get a more holistic understanding of what's happening in their environment, both historically and in real time.

Detailed analysis reports

Rich and thorough analysis reports from McAfee Advanced Threat Defense provide meaningful data that enables analysts and threat hunters to pivot into action quickly. These easy-to-understand reports provide value across the entire organization, from the SOC to the C-suite.

Mapping directly to the MITRE ATT&CK framework: The MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework can help analysts gain a better understanding of adversaries and their work. By including the ATT&CK framework in McAfee Advanced Threat Defense, McAfee has made it easier for analysts to more quickly understand the tactics, techniques, and procedures (TTPs) of a given threat. Once they have this information, they can act faster to implement corresponding defenses or discovery methods.

Some of the most significant and useful information presented in the McAfee Advanced Threat Defense report includes the following:

Behavior classification: This high-level indicator of the classification of malware offers a great deal of value to analysts and threat hunters by providing immediate insights into the intent of files that have been analyzed.

Figure 2. Sample of behavior classification and severity level reporting.

Figure 3. Detailed McAfee Advanced Threat Defense reports provide critical information for investigation, including MITRE ATT&CK framework mapping.

Figure 4. A filtered view of the MITRE ATT&CK report focuses on identified techniques.
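The STIX/TAXII consumption path described above, as an added example that is not McAfee code: a SIEM-side consumer parses the hash and IP comparison patterns out of a STIX 2.1 bundle of the kind a sandbox publishes and correlates them against endpoint and proxy log lines. The bundle, the log lines and the field-to-path mapping are all constructed here; the pattern grammar handled is only the simple comparison form used by hash and IP indicators.

```python
"""Consume sandbox-published STIX indicators and correlate them with SIEM log lines.
Added example, not McAfee code. The STIX 2.1 bundle, the log lines and the
field-to-path mapping are constructed; only the simple comparison form
([object:path = 'value'], joined by OR) used by hash and IP indicators is parsed."""
import json
import re

# Constructed bundle of the shape a sandbox might publish over a TAXII collection.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {
            "type": "indicator",
            "id": "indicator--00000000-0000-4000-8000-000000000002",
            "name": "Constructed sample: dropper convicted by sandbox",
            "pattern_type": "stix",
            "pattern": "[file:hashes.'SHA-256' = '" + "a" * 64 + "']",
        },
        {
            "type": "indicator",
            "id": "indicator--00000000-0000-4000-8000-000000000003",
            "name": "Constructed sample: callback addresses seen in pcap",
            "pattern_type": "stix",
            "pattern": "[ipv4-addr:value = '203.0.113.10' OR "
                       "ipv4-addr:value = '198.51.100.7']",
        },
    ],
})

# One comparison inside a STIX pattern: object:path = 'value'
_COMPARISON = re.compile(r"([\w-]+:[\w.'-]+)\s*=\s*'([^']+)'")

def extract_observables(bundle_json):
    """Return {(object_path, value): indicator_name} for each simple comparison."""
    observables = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator":
            continue
        for path, value in _COMPARISON.findall(obj["pattern"]):
            # Drop the quotes STIX puts around hash names; lower-case for matching.
            observables[(path.replace("'", ""), value.lower())] = obj["name"]
    return observables

# Constructed key=value log lines: endpoint file events and proxy connections.
LOG_LINES = [
    "2019-01-15T10:02:11Z endpoint host=ws-041 event=file_create sha256=" + "a" * 64,
    "2019-01-15T10:02:13Z proxy host=ws-041 dst=203.0.113.10 dport=443 bytes=5120",
    "2019-01-15T10:05:40Z proxy host=ws-017 dst=192.0.2.44 dport=443 bytes=812",
    "2019-01-15T10:06:02Z endpoint host=ws-017 event=file_create sha256=" + "B" * 64,
]

# Which log field is compared against which STIX object path (assumed mapping).
FIELD_TO_PATH = {"sha256": "file:hashes.SHA-256", "dst": "ipv4-addr:value"}

def correlate(log_lines, observables):
    """Return a hit for every log line whose mapped field matches an indicator."""
    hits = []
    for line in log_lines:
        tokens = line.split()
        fields = dict(t.split("=", 1) for t in tokens[2:] if "=" in t)
        for field, path in FIELD_TO_PATH.items():
            value = fields.get(field)
            if value is None:
                continue
            name = observables.get((path, value.lower()))
            if name:
                hits.append({"time": tokens[0], "host": fields.get("host"),
                             "field": field, "value": value, "indicator": name})
    return hits

if __name__ == "__main__":
    for hit in correlate(LOG_LINES, extract_observables(STIX_BUNDLE)):
        print(hit)
```

Hash values are compared case-insensitively because endpoint agents and sandboxes do not agree on hex case, and an unmatched upper-case hash is a silent miss.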

Detailed information and IoCs: McAfee Advanced Threat Defense produces in-depth threat intelligence for investigation, including disassembly output, memory dumps, graphical function call diagrams, embedded or dropped file information, user API logs, and PCAP information. Threat timelines help visualize attack execution steps.

Figure 5. Assembly code, graph analysis, and IoCs.

Figure 6. The Timeline Activity report visualizes execution steps of the analyzed threat.

Conclusion

McAfee Advanced Threat Defense offers numerous advanced capabilities that can support security operations teams, analyst investigations, and threat hunting, including:

- Comprehensive OS support that covers the most widely used operating systems for endpoints, servers, and mobile devices
- Detailed reports that provide critical information for investigation, from assembly output, network packet captures (pcaps), graphical function call diagrams, and memory dumps
- User interactive mode, which enables analysts and threat hunters to interact directly with malware samples
- Deeper sample analysis by forcing additional execution paths that remain dormant in typical sandbox environments
- Sample submission to multiple virtual environments to speed investigation by determining which environment variables are needed for file execution
- Extensive unpacking capabilities, which reduce investigation time from days to minutes

To learn more about what Advanced Threat Defense can do for your team, visit http://www.mcafee.com/atd

1. https://www.mcafee.com/enterprise/en-us/assets/reports/rp-survey-results-disrupting-disruptors-art-science.pdf

McAfee technologies' features and benefits depend on system configuration and may require enabled hardware, software, or service activation. Learn more at mcafee.com. No computer system can be absolutely secure.

2821 Mission College Blvd., Santa Clara, CA 95054, 888.847.8766, www.mcafee.com

McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. MITRE ATT&CK and ATT&CK are trademarks of The MITRE Corporation. Copyright 2019 McAfee, LLC. 44226_0119 JANUARY 2019