Building Resilience in a Digital Enterprise

Similar documents
McAfee Advanced Threat Defense

Security by Default: Enabling Transformation Through Cyber Resilience

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

McAfee Endpoint Security

Petroleum Refiner Overhauls Security Infrastructure

RSA NetWitness Suite Respond in Minutes, Not Months

Sandboxing and the SOC

Reducing Operational Costs and Combating Ransomware with McAfee SIEM and Integrated Security

How Breaches Really Happen

Integrated McAfee and Cisco Fabrics Demolish Enterprise Boundaries

McAfee Public Cloud Server Security Suite

SIEM Solutions from McAfee

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

McAfee Endpoint Threat Defense and Response Family

Automating the Top 20 CIS Critical Security Controls

ATTIVO NETWORKS THREATDEFEND INTEGRATION WITH MCAFEE SOLUTIONS

McAfee Embedded Control

Defend Against the Unknown

The McAfee MOVE Platform and Virtual Desktop Infrastructure

Intelligent, Collaborative Endpoint Security

Securing Your Microsoft Azure Virtual Networks

ANATOMY OF AN ATTACK!

McAfee epolicy Orchestrator

Global Manufacturer MAUSER Realizes Dream of Interconnected, Adaptive Security a Reality

ForeScout ControlFabric TM Architecture

with Advanced Protection

K12 Cybersecurity Roadmap

United Automotive Electronic Systems Co., Ltd Relies on McAfee for Comprehensive Security

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

SIEM: Five Requirements that Solve the Bigger Business Issues

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

Seven Steps to Ease the Pain of Managing a SOC

CloudSOC and Security.cloud for Microsoft Office 365

Securing Your Amazon Web Services Virtual Networks

Services solutions for Managed Service Providers (MSPs)

align security instill confidence

THE ACCENTURE CYBER DEFENSE SOLUTION

Un SOC avanzato per una efficace risposta al cybercrime

RSA INCIDENT RESPONSE SERVICES

Sustainable Security Operations

Advanced Endpoint Protection

McAfee Application Control/ McAfee Change Control Administration

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

Designing and Building a Cybersecurity Program

McAfee Network Security Platform Administration Course

Ten Ways to Prepare for Incident Response

RSA INCIDENT RESPONSE SERVICES

McAfee Embedded Control

Are we breached? Deloitte's Cyber Threat Hunting

McAfee Virtual Network Security Platform

Symantec & Blue Coat Technical Update Webinar 29. Juni 2017

Comprehensive Database Security

SOLUTION BRIEF ASSESSING DECEPTION TECHNOLOGY FOR A PROACTIVE DEFENSE

THE CRITICAL COMMUNICATIONS COMPANY CYBER SECURITY AS A SERVICE

WHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX

GUIDE. Navigating the General Data Protection Regulation Mini Guide

McAfee Total Protection for Data Loss Prevention

Securing the Software-Defined Data Center

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Malware Outbreak

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

Managed Enterprise Phishing Protection. Comprehensive protection delivered 24/7 by anti-phishing experts

McAfee Complete Endpoint Threat Protection Advanced threat protection for sophisticated attacks

Stopping Advanced Persistent Threats In Cloud and DataCenters

McAfee Web Gateway Administration

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

GDPR: An Opportunity to Transform Your Security Operations

Course Outline Topic 1: Current State Assessment, Security Operations Centers, and Security Architecture

Application Whitelisting and Active Analysis Nick Levay, Chief Security Officer, Bit9

Put an end to cyberthreats

SANS Top 20 CIS. Critical Security Control Solution Brief Version 6. SANS Top 20 CIS. EventTracker 8815 Centre Park Drive, Columbia MD 21045

TRAPS ADVANCED ENDPOINT PROTECTION

Combating APTs with the Custom Defense Solution. Hans Liljedahl Peter Szendröi

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

WHITEPAPER. Protecting Against Account Takeover Based Attacks

SOLUTION BRIEF RSA NETWITNESS EVOLVED SIEM

Automated Threat Management - in Real Time. Vectra Networks

McAfee Embedded Control for Retail

EU GENERAL DATA PROTECTION: TIME TO ACT. Laurent Vanderschrick Channel Manager Belgium & Luxembourg Stefaan Van Hoornick Technical Manager BeNeLux

MCAFEE INTEGRATED THREAT DEFENSE SOLUTION

Automated Response in Cyber Security SOC with Actionable Threat Intelligence

Perimeter Defenses T R U E N E T W O R K S E C U R I T Y DEPENDS ON MORE THAN

McAfee Host Intrusion Prevention Administration Course

Symantec Ransomware Protection

OUTSMART ADVANCED CYBER ATTACKS WITH AN INTELLIGENCE-DRIVEN SECURITY OPERATIONS CENTER

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

ARTIFICIAL INTELLIGENCE POWERED AUTOMATED THREAT HUNTING AND NETWORK SELF-DEFENSE

Eliminating the Blind Spot: Rapidly Detect and Respond to the Advanced and Evasive Threat

White Paper. New Gateway Anti-Malware Technology Sets the Bar for Web Threat Protection

ATTIVO NETWORKS THREATDEFEND PLATFORM INTEGRATION WITH CISCO SYSTEMS PROTECTS THE NETWORK

The Cognito automated threat detection and response platform

Intelligent Protection

Symantec Advanced Threat Protection: Endpoint

Proactive Approach to Cyber Security

Symantec Endpoint Protection

THE SIX ESSENTIAL CAPABILITIES OF AN ANALYTICS-DRIVEN SIEM

Data Sheet: Endpoint Security Symantec Multi-tier Protection Trusted protection for endpoints and messaging environments

Getting over Ransomware - Plan your Strategy for more Advanced Threats

Introducing MVISION. Cohesive Cloud-based Management of Threat Countermeasures and Devices Leveraging Built-in Device Controls. Jon Parkes.

Security. Risk Management. Compliance.

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Transcription:

Building Resilience in a Digital Enterprise Top five steps to help reduce the risk of advanced targeted attacks To be successful in business today, an enterprise must operate securely in the cyberdomain. We re in a period of unprecedented change, where transformative technology is creating new opportunities for business innovation and new ways for cybercriminals or state actors to threaten the business. Building resilient digital services and safeguarding sensitive data are essential to establishing trust with customers and maintaining business continuity. As such, improving business resilience against targeted and persistent cyberattacks should be an executive priority. The goal of this paper is to help business and security executives prioritize their security control investments in key areas to maximize protection against advanced targeted attacks. However, these steps represent only a starting point. Building cyber resilience against advanced targeted attacks takes a long-term approach that involves security architecture, insights, and cultural change in the organization. Building Resilience in a Digital Enterprise

Understanding Advanced Targeted Threats According to the SANS Critical Security Controls guide, one of the key tenets of an effective cyberdefense program is Offense informs defense. Targeted threats designed to steal or destroy sensitive business data follow a common pattern. By understanding an adversary s methods, an enterprise CISO can prioritize investments in the right security architecture layers to have the most impact on business risk reduction. The external attack model paints a more complete picture of adversary s methods by identifying pre- and post-exploit actions, rather than narrowly focusing on one aspect of the attack itself. With better alignment to real-world threat operations, the external attack model provides an excellent guide for security executives to focus defense-in-depth controls and increase the value of security to the business. Awareness of adversary tactics and techniques offers the key insights necessary to prevent, detect, or respond faster and more effectively. Using this model, an enterprise should prioritize building security capability to prevent and detect adversary actions in stage two, commonly called the infection stage of the attack model. The infection stage has three main components: delivery, exploit, and communication. The major adversary actions at each stage are listed in the table below: Infection Stage Exploit Communication Adversary Actions Socially engineered email with malicious link or attachment Download of malicious file or content from the web Vulnerability exploit in Adobe, Flash, MSOffice, Java, browsers Installation of advanced or zero-day malware Installation of a remote access Trojan SQL Injection against web applications Command and control over DNS, HTTP, HTTP protocols Remote access Trojan Table. The infection stage of an attack. is defined as the initial attack vector and is typically accomplished via email or removable media. According to industry statistics from the Verizon Data Breach Report and the SANS Institute, spear phishing is still the most effective way for an attacker to deliver advanced malware and gain a foothold in an enterprise network. The malware is usually packaged inside a PDF or other document created with a common user Stopping or detecting at or before this step eliminates the impact to the business Detecting and responding quickly after this step reduces the impact to the business WEAPONIZATION EXPLOIT ESCALATION IMPACT RECONNAISSANCE DELIVERY COMMUNICATION MOVEMENT Figure. External attack model. STAGE ONE STAGE TWO STAGE THREE 2 Building Resilience in a Digital Enterprise

application. The malware has a high success rate due to application vulnerabilities and the likelihood that it will bypass antivirus controls. Exploit is the actual vulnerability exploitation that results in the installation of a backdoor, such as a remote access Trojan. Finally, the communication stage is where the attacker interacts with the exploited machine through the backdoor Trojan and attempts to escalate or steal administrative credentials. If an attacker completes each of these stages, he has gained a foothold and can move around the enterprise network in stealth mode. It becomes very difficult at this point to prevent or detect the movement and the potential theft of data. So it is important to maximize prevention, detection, and response capability as early as possible in the attack model. Top Five Steps to Reduce the Risk of Advanced Targeted Attacks Designing the enterprise security architecture with operational knowledge of targeted threat methods will help organizations prioritize investments at each security layer for the most effectiveness and value. The SANs Critical Security Controls guide states that one of the key tenets of a good cyberdefense program is as follows: Prioritize controls that will provide the greatest risk reduction. When looking at the attack model, preventing, detecting, and containing an attack in stage two will provide the greatest risk reduction capability. In stage two, the goal is to prevent an attacker from going any further, as he is most exposed to detection because of all the attack indicators he leaves in his wake during an exploit attempt. Many organizations are at risk and need to quickly improve capability to prevent, detect, or respond to a breach. 3 Building Resilience in a Digital Enterprise The following represent the top five steps an organization can take to reduce risk immediately.. User awareness: Train all users on anti-malware procedures and how to recognize, respond to, and report phishing emails. Proper user education will greatly reduce the chance of exploitation and will speed up response actions. 2. Endpoint client anti-malware: Deploy and implement application whitelisting on user workstations and laptops. Application whitelisting will prevent advanced and zero-day malware from exploiting your system. This is also recommended as a Quick Win from the SANS Critical Security Controls. 3. Network anti-malware: Maximize email and web protocol anti-malware capability with integrated intelligence and malware sandboxing on the Internet boundary. Email and web are the primary delivery vectors for advanced malware. Using intelligence and malware sandboxing are also recommended by SANS Critical Security Controls (CSC- 5).. Incident response program and trusted cyberintelligence sources for incident detection: Trusted cyberintelligence sources could come from vendor subscriptions, open source, or your industry ISAC. Developing incident response is recommended by SANS Critical Security Controls (CSC- 5). 5. Centralized collection of essential data sources (proxy, DNS, IP flow, Microsoft Active Directory, and DHCP) and correlation against trusted intelligence sources: Use incident response to validate and contain any compromised systems. Collecting proxy logs and DNS data is recommended by SANS Critical Security Controls (CSC- 5).

Using Standards as a Measurement The SANS Critical Security Controls and recommended Quick Wins provide an excellent guide to maximize antimalware prevention and detection capability. The SANS Critical Security Control 5 are practical steps that will significantly reduce exposure to advanced malware and provide a measurable way to improve security. Below is a chart that demonstrates how McAfee solutions can simplify implementation of the all the recommended antimalware controls. NIST Control SANS CSC Control Description Attack Chain Stage McAfee Solution Prevention CSC 2- Deploy application whitelisting. Exploit McAfee epolicy Orchestrator (McAfee epo ) software/mcafee Application Control Prevention CSC 5- Deploy antivirus/antispam, host intrusion prevention, and firewall to end-user devices and servers; centrally collect logs. Prevention CSC 5-2 Use anti-malware with cloud-based reputation intelligence and perform central updates. Exploit Exploit Prevention CSC 5-3 Disable auto-run., Exploit OS function McAfee epo software/ McAfee VirusScan / McAfee Host Intrusion Prevention McAfee Global Threat Intelligence is integrated to all endpoint and network products. Prevention CSC 5- Perform auto virus scan of removable media., Exploit McAfee epo software/ McAfee VirusScan Enterprise/McAfee Application Control Prevention CSC 5-5 Scan and block all email attachments with malicious code or unauthorized file content. Prevention CSC 5-6 Enable anti-exploitation features in the OS. Exploit OS function Prevention CSC 5-7 Limit the use of external devices and monitor for violations. Prevention CSC 5-8 Use behavior- and signature-based protection tools. Prevention CSC 5-9 Use network based anti-malware to identify executables and malicious content., Exploit, C2 McAfee Web Gateway, McAfee Email Gateway, and McAfee Advanced Threat Defense with integrated McAfee Data Loss Prevention McAfee epo software/ McAfee Data Loss Prevention Endpoint All McAfee products use a combination of behavior- and signature-based capability. McAfee Web Gateway and McAfee Email Gateway with McAfee Advanced Threat Defense Building Resilience in a Digital Enterprise

Implementing the Top Five with McAfee Solutions User awareness The user is the first line of defense against advanced targeted attacks. Spear phishing is still the most common and most successful technique for the delivery of malware. Developing a repeatable user awareness and training program will help turn the user into part of the security solution. McAfee Professional Services can help design and implement this program, as well as measure its success through testing. Anti-malware As the web is the most prevalent vector for malware delivery, it is important to maximize anti-malware inspection on HTTP and HTTPS protocols. McAfee Web Gateway is continuously rated as the top solution for gateway anti-malware, with more than 95% effectiveness against known and unknown malware. McAfee Advanced Threat Defense, an integrated malware analytics platform, will extend the prevention and detection capability of McAfee Web Gateway even higher. In addition, McAfee Advanced Threat Defense produces critical indicators of compromise in the form of STIX or Open IOC, enabling faster detection capability. For client protection, McAfee Application Control is a whitelisting solution that will immediately reduce the attack surface for targeted threats and provide improved protection against unknown malware. McAfee Web Gateway and McAfee Email Gateway 2 McAfee Advanced Threat Defense 2 McAfee Web Gateway and McAfee Email Gateway are deployed on the Internet boundary to provide initial anti-malware protection. Both products are Gartner top-rated solutions for protecting against advanced malware using signature and behavior techniques with integrated intelligence. The anti-malware capability of McAfee Web Gateway and McAfee Email Gateway can be extended with the integration of McAfee Advanced Threat Defense, a malware analysis sandbox interoperable with both products. McAfee Advanced Threat Defense provides advanced analysis and intelligence capability. McAfee Application Control is a whitelisting solution that is centrally managed through McAfee epo software. It can be deployed on client endpoints or servers. McAfee Application Control stops advanced malware installation and sends alerts to McAfee epo software for reporting and management. McAfee epo software provides a central logging and policy configuration point for endpoints and servers. Events and alerts from McAfee epo software can be sent to McAfee Enterprise Security Manager. McAfee Enterprise Security Manager is an SIEM that acts as a central repository for all security and system logs. McAfee Enterprise Security Manager can be used by security operations security analysts to detect compromised assets and for management reporting. McAfee epo software 5 McAfee Enterprise Security Manager 3 5 3 3 Figure 2. Web anti-malware, analytics, SIEM, and whitelisting in action. 5 Building Resilience in a Digital Enterprise

Security operations Effective incident detection and response is essential to protect the enterprise against advanced targeted attacks. The first step is developing an incident response process with analysts trained in malware and attack techniques. McAfee Professional Services can help design and implement an incident response program, train analysts on malware analysis techniques, and test process effectiveness through penetration testing or tabletop drills. Identifying attacks early requires having the right operational data and the right trusted intelligence sources. In the infection stage, we recommended that organizations focus detection use cases on command and control initially. McAfee Enterprise Security Manager simplifies the intelligence integration and analysis process with Cyber Threat Manager and BackTrace, an automated program to search through historical data. Improved security with McAfee solutions The recommendations in this solution guide are designed to improve security capability for the customer. By using a threat-focused approach, we are able to place security investments into areas that will reduce risk to the business. By aligning security capability building blocks with the attack model, the value is clearly recognizable. McAfee Global Threat Intelligence 3 Intelligence Sources Vendor or Open Source CTIP McAfee Email Gateway Logs Logs and events from key data sources can be centrally collected in McAfee Enterprise Security Manager. It is recommended that data is stored for six months to one year. McAfee Web Gateway Logs McAfee Enterprise Security Manager 2 McAfee Professional Services can optimize the collection of data, integrate intelligence, and help design uses cases for effective incident response. McAfee Professional Services can also develop the incident response program and train analysts in key skills such as malware analysis. DNS Logs 3 Various intelligence sources are needed to identify malicious activity. Customers should test and validate various sources. IP or Flow Logs Cyber Threat Manager is a function within McAfee Enterprise Security Manager that simplifies the integration of outside intelligence sources and provides retrospective analysis against captured data. 2 5 Security Operations Team 5 Cyberthreat analysts in the security operations team are now trained and ready to identify and respond to targeted threats. Figure 3. Effective incident detection and response rely on SIEM and automated tools that sift through historical data. 6 Building Resilience in a Digital Enterprise

By focusing on balanced controls across user training, anti-malware backed by intelligence and security operations, the solutions enable an enterprise to: Prevent more attacks earlier: The anti-malware steps are focused on key vectors, are enhanced by intelligence, and are aligned to best practice recommendations. Detect and contain more attacks faster: Focused data collection combined with simplified intelligence management and trained analysts increases the efficiency, effectiveness, and capacity of security operations. Summary McAfee solutions can enable business resilience in the cyberdomain through an integrated enterprise security architecture with balanced controls and integrated security multipliers. By leveraging McAfee solutions and a connected architecture, an organization can improve cyber resilience and confidently move in new business directions. Increasing Impact to the Business User training and awareness will help stop or identify attacks before they impact the business. ANTICIPATION Prepare-Predict Maximized anti-malware on all key attack vectors. All sensors enhanced with analytics and intelligence as per best practice. PROTECT Prevent-Deter Increasing Time-to-Protect Central log collection enhanced with intelligence to focus detection on all the key vectors. Faster containment with integrated host intrusion prevention. DETECT Identify-Contain CORRECT Eradicate-Remediate WEAPONIZATION EXPLOIT ESCALATION IMPACT RECONNAISSANCE DELIVERY COMMUNICATION MOVEMENT Figure. A threat-focused approach to increasing time-to-protection and decreasing impact to the business.. McAfee Web Gateway Security Appliance Test, January 2, 203 http://www.mcafee.com/us/resources/reports/rp-avtest-comparative-web-gateway.pdf 282 Mission College Boulevard Santa Clara, CA 9505 888 87 8766 www.mcafee.com McAfee and the McAfee logo, McAfee epo, and VirusScan are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. Copyright 207 McAfee, LLC. 686brf_5-steps-ata-risk_055 MAY 205 7 Building Resilience in a Digital Enterprise

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback