Applying Next Generation Security Principles to Today’s Changing Networks
Confidential. McAfee Internal Use Only.
Every 18 Months, the Amount of Data on the Planet Doubles
But to Your Network Team, It Probably Feels Like the Data Doubles Every Few Weeks…
2004: No Facebook
2006: 440K salesforce.com subscriptions
June 2008: No iPhone apps
2010: Facebook: 400M+ users, 52K apps
2010: 2.1M salesforce.com subscriptions
June 2010: 3 billion iPhone apps downloaded
1 Day: 148K machines infected w/ Bots (Hourly botnet rental: $9)
1 Day: 1M victims of scareware scams
1 Day: 33K+ malware samples analyzed by McAfee
How Do These Facts Impact Us?
2006-10 Avg GDP Growth (USDL): 1%
IT security product sales growth, Avg 2008-9 (IDC): 8%
2009-10 Growth, Network Security appliances and sw (Infonetics): 10%
Growth in unique malware samples, last 6 months (McAfee): 58%
Average incidents per year, large co (Bloor): 45
Average cost of large incident 2010, large co (Bloor): $772K
Key Challenges We Face in Architecting Next Generation Security
Targeted Threats, APTs
1. Advanced and targeted attacks
2. Insider threats & data loss concerns, needle in haystack
3. MalApps the new reality; must detect and prevent
Operational Efficiency
1. Spending controls (Opex, Capex), resource re-allocation
2. “Enable business” (data centers, consolidation, segmentation, virtualization)
3. Streamline compliance reporting
Open & Agile Networks
1. Apps over port 80, on-premise, SaaS, Web 2.0, lack of visibility, control
2. Consumerization of IT
3. Perimeter disappearing; must extend trust model
4. Difficult to enforce policies
Recent Customer Conversations…
“Borderless network… Effectively extend trust boundaries?”
“100’s of new applications… See & control use?”
“Data center project… Improve protection… Consolidate vendors?”
“Advanced Threats (APTs, Botnets, Insider Risk)… Best practice prevention?”
“Network security shouldn’t be the ‘brakes on the car’ that hold us back… it should be like the stability control enabling us to take the twists and turns faster… but safer…”
“…I need to spend time deploying more apps… not time on controlling them…”
“…For my datacenter upgrade – give me world-class protection… cut costs 40%… don’t slow me down…”
“…To beat competitors to market, I want to extend trust boundaries for collaboration with partners & contractors…”
“…Advanced Persistent Threats? Show me the ‘needle in the haystack’ without human analysis…”
Conventional Approach to Network Security
Ticket Oriented Resolution: How to get to resolution? File tickets. Wait.
Protection Focused on Identifying Attack Packets: How to protect? Find attack packets on wire.
Configuration Focused on Features: How to implement policy? Rely on product features.
Multi-Vendor Strategies: Defense in depth? Manage multiple silo’d products.
Conventional Gets Obsolete Fast…How Fast We Forget…
Sometimes, Optimization is the Only Answer
Optimized Network Security Adapts to Change
Risk versus optimization (share of IT budget spent on security):
Reactive: spend ~3% of IT budget on security, high risk
Compliant/Proactive: spend ~8% of IT budget on security, medium risk
Optimized: spend ~4%, very low risk
Why has it been so challenging to reduce risk?
REACTIVE and Manual: People only. No tools or processes. “Putting out fires”
Tools Based: Applying tools and technologies to assist people in reacting faster
DYNAMIC: Predictive and agile, the enterprise instantiates policy, illuminates events and helps the operators find, fix and target for response
Tooling ranges from point products for system, network and data to McAfee ePO integrated products, plus GRC and GTI
REACTIVE & MANUAL
• Reactive tools
• Firewalls
• Log analysis
• Trouble tickets
• Ineffective change control
• Ad hoc firewall rules
• Audit findings
COMPLIANT
• Point products
• IDS (compliance)
• SI/EM (logs)
• Structured firewall rule management
• Standard configurations
• Distributed consoles/mgmt
• Tedious audit preparation
PROACTIVE
• Integrated tools
• IPS (threats)
• SI/EM (events)
• Automatic updates
• Automated firewall rule mgmt
• Centralized consoles/mgmt
• Streamlined compliance reports
OPTIMIZED
• Multi-layered, correlated solutions
• Predictive threat protection
• Policy-based control
• Proactive management
• Extensible architecture
• Automated compliance
New Requirements for Optimized Network Security
Ticket Oriented Resolution → Proactive Management: Turn days of process into clicks
Protection Focused on Identifying Attack Packets → Predictive Threat Protection: Characterize future threats today
Configuration Focused on Features → Policy-Based Control: Focus on real organization, people, applications, usage
Multi-Vendor Strategies → Extensible Architecture: Integrated, collaborative, easily add new capabilities
Consider Optimized Network Security Solutions
[Diagram: Global Threat Intelligence at the centre, surrounded by ePO, NBA, Web, IPS, SIA, NDLP, Risk Advisor, Email, Firewall and NAC]
Network IPS: must be best performing
Firewall: must have next gen features
NAC: now is the time
NBA: emerging visibility tool
NDLP: more important than ever
Predictive Threat Protection with NSP + GTI: Protecting Critical Data Center from ZeuS Malware
When Optimized (Low Effort, Low Risk):
• Malware infects, McAfee Labs IDs, updates website reputations…
• …Threat dissected, analyzed…
• …Predictive action stops threat
• Future variants covered
Not Optimized (High Effort, High Risk):
• Malware infects websites
• Malware hits network
• Wait on signature
• Apply signature, update signature
Benefit: Protection meets (and beats) hacker’s timelines, reduces alerts
Policy-Based Control with Next Gen Firewall: Controlling Google Calendar Use Before a Merger
When Optimized (Low Effort, Low Risk):
• User directory auto-imports groups…
• Profiler sees similar rule. 1 click to add. Avoid duplicate
• Hours or days to review, deploy
• New M&A members automatically added
Not Optimized (High Effort, High Risk):
• Identify M&A team
• Map users to network address
• Create new rule (duplicate?)
• Weeks to review, test, deploy. Repeat?
Benefit: No need to map network topology to user, protects critical data
Proactive Management in Action: Blocking Bot Command and Control Traffic
When Optimized (Low Effort, Low Risk):
• See Bot activity on network
• Visual view of traffic and connections
• Right click to get details from management console
• Right click to scan and patch
• Have a second cup of coffee
Not Optimized (High Effort, High Risk):
• Hours: open ticket w/ system team
• Days: open ticket to plan outage/upgrade
• Weeks: detailed review of network events
Benefit: Eliminates days and weeks of effort while improving time to resolution
Policy-Based Control with Next Gen Firewall: Move Customer Portal to Cloud Data Center
When Optimized (Low Effort, Low Risk):
• User directory auto-imports groups; admins assigned to group
• Create rule: use SSH only for remote admin
• Future admins automatically added
Not Optimized (High Effort, High Risk):
• Identify portal admins
• Map users to network address
• Open SSH/port 22 for services
• Constantly maintain as team, network change
Benefit: No need to map network topology to user, eliminates SSH blind spot
Policy-Based Control with Next Gen Firewall: Enabling IM, But Controlling IM Fileshare
When Optimized (Low Effort, Low Risk):
• Admin sees similar rule exists for finance
• Adds all other groups to that rule with a few clicks
• Bob from finance tries to upload a file. File is blocked. Bob is notified of policy
Not Optimized (High Effort, High Risk):
• How would you do this today?
Benefit: Users enabled with IM, but risk reduced w/o file share; rule reduction
Example: Extensible Management Platform. Security Innovation Alliance (SIA) Delivers a Rich Security Ecosystem
Partner tiers: Associate Partner; Technology Partner (McAfee Compatible)
[Diagram: ePO and SIA at the centre, with partner categories: Authentication and Encryption; Theft and Forensics; Risk and Compliance; Security Event and Log Management; Other Security, IT & Services; Application and Database Security; Single Sign-On]
Example: Global Threat Intelligence. What it is and what it means for our customers
[Diagram: inputs from McAfee Labs, MFE products, other feeds & analysis, and servers, firewalls, endpoints and appliances feed the File Reputation Engine, Web Reputation Engine, Network Threat Information, IP and Sender Reputation Engine and Vulnerability Information; together these form Global Threat Intelligence, consumed by NBA, Firewall, IPS, NDLP, NAC, Risk Advisor, ePO and NSM]
Optimized: Relieves Pressure Points, Reduces Risk
Network Upgrade: Next Gen Firewall simplifies policy management, scales to 10G+
APT Threat: IPS, NBA, NTR detect reconnaissance, anomalies, targeted malware; NDLP finds data at risk
Vulnerability Management: IPS, Vulnerability Manager pinpoint ‘at risk’ systems, IPS acts as ‘pre-patch shield’
Data Center Consolidation: Virtualized IPS and Firewalls collapse security OpEx, scale to 10G+
Enabling Apps: Next Gen Firewall user and application aware, both grouped and fine grain policy enforcement
While We’ve Been Chatting…
Our global sensor grid characterized 229 unique pieces of malicious or unknown code, based on:
570,000 file reputation queries
460,000 IP reputation queries
69,000 attacks were stopped by McAfee IPS across all our customers
Eliminated 64 trouble tickets and 8 critical escalations for our customers