Security and Information Management
Andy Walden, Sales Solutions Architect, McAfee
McAfee SIEM: Next Generation SIEM
April 9, 2023
Confidential McAfee Internal Use Only
First Gen SIEM Deficiencies
• The primary issue with SIEM today is the inability to gather, correlate and analyze the large volume of data in any kind of time-efficient manner.
• The lack of visibility caused by insufficient data collection and analysis in a time-sensitive manner leaves the network exposed.
• Deeper, broader visibility requires MORE, not less, data analysis, which further stresses SIEMs into an almost useless state from an operational, risk and remediation perspective.
• SIEM must migrate from just compliance to compliance AND security.
• Only NitroView offers the breadth of data, the deeper correlation rules, and the real-time access to the data which turns “SIEM” into a critical asset for risk, compliance and security.
Content Aware SIEM
• Ability to inspect, analyze and correlate on network content and usage
• Application decode and protocol anomalies:
  – WebMail, Email
  – Web Access (HTTP)
  – Chat (IRC, AOL/ICQ, SIP, Yahoo, MSN, Jabber)
  – Protocol Anomalies
  – P2P File Sharing (Gnutella)
  – Network Flows
  – Exploits, Vulnerabilities
  – Malware, Viruses, Trojans
Broad Correlation
• Events from security devices
• Database transactions
• OS events
• Application contents
• User identity
• VA scan data
• Device & application log files
• Authentication & IAM
• Location
Focus on Exceptions
Advanced Threat Level Correlation Engine
Rule Based
• Rules trigger on a specific set of events
• Important to detect known attack vectors – Example: brute force login attempt
• Used widely throughout the enterprise to look for fraud, attacks, and other malicious activity.
Threat Based
• A complementary technology which broadens the visibility into threats on a network.
• Does not depend on specific rules to trigger.
• Assigns a weight to all events and maintains a series of “thermometers” for different assets.
• Threat-level-based correlation takes a different approach than traditional correlation engines.
• Combination of the two creates a more comprehensive approach to threat detection.
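To make the two styles concrete, here is an added illustration (not NitroView or McAfee code) that runs both over a handful of constructed events: a rule that fires on the brute-force login pattern named above, and a per-asset "thermometer" that sums assumed event weights and cools with a half-life, so an asset can become hot without any single rule matching.

```python
from collections import defaultdict

# Constructed sample events for the example: (time_s, asset, event_type, user)
EVENTS = [
    (0,  "srv-01", "auth_failure", "alice"),
    (5,  "srv-01", "auth_failure", "alice"),
    (9,  "srv-01", "auth_failure", "alice"),
    (12, "srv-01", "auth_failure", "alice"),
    (15, "srv-01", "auth_failure", "alice"),
    (20, "srv-01", "auth_success", "alice"),
    (30, "srv-02", "port_scan", "-"),
    (90, "srv-02", "new_admin_account", "bob"),
    (95, "srv-02", "outbound_conn_blocked", "-"),
]

# Rule-based correlation: n failures for one user on one asset within
# `window` seconds, followed by a success, is a brute-force login that worked.
def brute_force_rule(events, n=5, window=60):
    alerts = []
    fails = defaultdict(list)
    for t, asset, kind, user in events:
        key = (asset, user)
        if kind == "auth_failure":
            fails[key] = [x for x in fails[key] if t - x <= window] + [t]
        elif kind == "auth_success" and len(fails[key]) >= n:
            alerts.append(("brute_force_success", asset, user, t))
            fails[key].clear()
    return alerts

# Threat-level correlation: every event adds a weight to its asset's
# thermometer; the reading decays so stale activity fades. Weights are
# assumed values chosen for this example, not a vendor scoring scheme.
WEIGHTS = {"auth_failure": 1, "auth_success": 0, "port_scan": 4,
           "new_admin_account": 6, "outbound_conn_blocked": 5}

def threat_levels(events, half_life=60.0):
    level = defaultdict(float)
    last_seen = {}
    for t, asset, kind, _ in events:
        if asset in last_seen:  # cool the thermometer for elapsed time
            level[asset] *= 0.5 ** ((t - last_seen[asset]) / half_life)
        level[asset] += WEIGHTS.get(kind, 1)  # unknown events get a small weight
        last_seen[asset] = t
    return dict(level)

def hot_assets(levels, threshold=10.0):
    """Assets whose thermometer reading is at or above the threshold."""
    return sorted(a for a, v in levels.items() if v >= threshold)
```

Run on the sample, the rule flags only srv-01, while the thermometer singles out srv-02, where no individual event matched a rule but the weighted sequence (scan, new admin, blocked outbound) pushed the reading past the threshold.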
How McAfee Global Threat Intelligence Works: Delivering the Most Comprehensive Intelligence in the Market
[Diagram: McAfee Labs reputation engines (File, Web, Network, Email) fed by Email, Firewall, IPS, Web, HIPS and AV sensors, Vulnerability Information, Threat Intelligence Feeds and other feeds & analysis; intelligence delivered to Servers, Firewalls, Endpoints and Appliances.]
Integrated with Vulnerability Posture
Integrated with Foundstone scanners and penetration testing tools