Security and Information Management

SALES SOLUTIONS ARCHITECT, MCAFEE: ANDY WALDEN

Upload: fedscoop

Post on 29-Nov-2014


TRANSCRIPT

Page 1: Security and Information Management

SALES SOLUTIONS ARCHITECT, MCAFEE

ANDY WALDEN

Page 2

McAfee SIEM: Next Generation SIEM

April 9, 2023

Page 3

Confidential McAfee Internal Use Only

First Gen SIEM Deficiencies

April 9, 2023

• The primary issue with SIEM today is the inability to gather, correlate and analyze the large volume of data in any kind of time-efficient manner.

• The lack of visibility caused by insufficient data collection/analysis in a time-sensitive manner leaves the network exposed.

• Deeper, broader visibility requires MORE, not less, data analysis which further stresses SIEMs into an almost useless state from an operational, risk and remediation perspective.

• SIEM must migrate from just compliance to compliance AND security.

• Only NitroView offers the breadth of data, the deeper correlation rules, and the real-time access to the data which turns “SIEM” into a critical asset for risk, compliance and security.

Page 4

Content Aware SIEM

• Ability to inspect, analyze and correlate on network content and usage

• Application decode and protocol anomalies

Content types inspected (diagram labels):

WebMail, Email

Web Access (HTTP)

Chat (IRC, AOL/ICQ, SIP, Yahoo, MSN, Jabber)

Protocol Anomalies

P2P File Sharing (Gnutella)

Network Flows

Exploits / Vulnerabilities

Malware / Viruses / Trojans

Page 5

Broad Correlation

Events from security devices

Database transactions

OS events

Application Contents

User Identity

VA Scan Data

Device & Application Log Files

Authentication & IAM

Location

Page 6

Focus on Exceptions

Page 7

Advanced Threat Level Correlation Engine

Rule Based

• Rules trigger on a specific set of events

• Important to detect known attack vectors – Example: brute force login attempt

• Used widely throughout the enterprise to look for fraud, attacks, and other malicious activity.

Threat Based

• A complementary technology which broadens the visibility into threats on a network.

• Does not depend on specific rules to trigger.

• Assigns a weight to all events and maintains a series of “thermometers” for different assets.

• Threat-level-based correlation takes a different approach than traditional correlation engines.

• Combination of the two creates a more comprehensive approach to threat detection.
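The slide contrasts rule-based correlation (a pattern such as repeated failed logins triggers an alert) with threat-level correlation (every event adds a weight to a per-asset "thermometer", and no single rule has to match). The following is an added illustration, not McAfee or NitroView code: a toy engine that runs both approaches over the same constructed event list. The event weights, thresholds, decay half-life and the event tuple format are all assumptions chosen for the example.

```python
"""Added example (not McAfee/NitroView code): a toy correlation engine that
combines a rule-based detector with a threat-level thermometer per asset.
Weights, thresholds, half-life and the event format are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, source, asset, event type).
# web-01 sees a burst of failed logins (matches the brute-force rule);
# db-01 sees scan -> high vuln -> IDS exploit alert, which matches no single
# rule but heats its thermometer; file-01 sees scattered noise that cools off.
SAMPLE_EVENTS = [
    ("2014-11-29T09:00:00", "198.51.100.4", "file-01", "auth_failure"),
    ("2014-11-29T09:40:00", "198.51.100.4", "file-01", "auth_failure"),
    ("2014-11-29T10:00:00", "203.0.113.7", "web-01", "auth_failure"),
    ("2014-11-29T10:00:05", "203.0.113.7", "web-01", "auth_failure"),
    ("2014-11-29T10:00:10", "203.0.113.7", "web-01", "auth_failure"),
    ("2014-11-29T10:00:15", "203.0.113.7", "web-01", "auth_failure"),
    ("2014-11-29T10:00:20", "203.0.113.7", "web-01", "auth_failure"),
    ("2014-11-29T10:00:25", "203.0.113.7", "web-01", "auth_failure"),
    ("2014-11-29T10:00:30", "203.0.113.7", "web-01", "auth_success"),
    ("2014-11-29T10:05:00", "203.0.113.9", "db-01", "port_scan"),
    ("2014-11-29T10:06:00", "scanner-01", "db-01", "vuln_scan_high"),
    ("2014-11-29T10:07:00", "203.0.113.9", "db-01", "ids_exploit_alert"),
    ("2014-11-29T10:20:00", "198.51.100.4", "file-01", "auth_failure"),
]

# Assumed weight each event type adds to an asset's thermometer.
EVENT_WEIGHTS = {
    "auth_failure": 1.0,
    "auth_success": 0.0,
    "port_scan": 3.0,
    "vuln_scan_high": 4.0,
    "ids_exploit_alert": 8.0,
    "av_malware_detected": 10.0,
}
BRUTE_FORCE_THRESHOLD = 5            # failures from one source on one asset
BRUTE_FORCE_WINDOW = timedelta(minutes=2)
THERMOMETER_ALERT = 12.0             # reading at which the asset is flagged
HALF_LIFE = timedelta(minutes=10)    # how fast a reading cools with no events


def parse(ts):
    return datetime.fromisoformat(ts)


def rule_brute_force(events):
    """Rule-based: fire once per (source, asset) when >= THRESHOLD failures
    land inside the sliding window."""
    windows = defaultdict(deque)
    fired, alerts = set(), []
    for ts, src, asset, etype in sorted(events):
        if etype != "auth_failure":
            continue
        t, key = parse(ts), (src, asset)
        q = windows[key]
        q.append(t)
        while q and t - q[0] > BRUTE_FORCE_WINDOW:   # drop failures outside the window
            q.popleft()
        if len(q) >= BRUTE_FORCE_THRESHOLD and key not in fired:
            fired.add(key)
            alerts.append({"rule": "brute_force_login", "source": src,
                           "asset": asset, "at": ts, "count": len(q)})
    return alerts


def threat_levels(events):
    """Threat-based: every event adds its weight to the asset's thermometer;
    the reading decays exponentially between events so old noise cools off.
    Returns (readings per asset, alerts)."""
    level, alerted, alerts = {}, set(), []
    for ts, src, asset, etype in sorted(events):
        t = parse(ts)
        reading, last = level.get(asset, (0.0, t))
        reading *= 0.5 ** ((t - last) / HALF_LIFE)   # exponential cooling
        reading += EVENT_WEIGHTS.get(etype, 0.5)     # unknown events still count a little
        level[asset] = (reading, t)
        if reading >= THERMOMETER_ALERT and asset not in alerted:
            alerted.add(asset)
            alerts.append({"rule": "threat_level", "asset": asset,
                           "at": ts, "level": round(reading, 2)})
    return level, alerts


def correlate(events):
    """Combine both engines into one time-ordered alert stream."""
    _, threat_alerts = threat_levels(events)
    return sorted(rule_brute_force(events) + threat_alerts, key=lambda a: a["at"])


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run stand-alone, it prints two alerts: the brute-force rule catches web-01 at the fifth failure, and the thermometer flags db-01 at the IDS exploit alert even though no rule describes that three-event sequence; file-01 never alerts because its widely spaced failures decay away. That is the "complementary" point of the slide: the rule gives a precise, explainable trigger for a known pattern, while the weighted thermometer surfaces an asset that is accumulating unrelated bad signs.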

Page 8

How McAfee Global Threat Intelligence Works: Delivering the Most Comprehensive Intelligence in the Market

Diagram labels:

McAfee Labs

File Reputation Engine

Web Reputation Engine

Network Reputation Engine

Email Reputation Engine

Email, Firewall, IPS, Web, HIPS, AV

Vulnerability Information

Threat Intelligence Feeds / Other feeds & analysis

Servers, Firewalls, Endpoints, Appliances

Page 9

HBSS – McAfee Business Brief

Integrated with Vulnerability Posture

Integrated with Foundstone scanners and penetration testing tools

Page 10