Posted on 15-Feb-2020


Page 1: McAfee DLP Product Guide (b2b-download.mcafee.com/.../mra_270_beta_testscenarios.docx, Web view)

Use Case Scenarios

McAfee® Risk Advisor® 2.7
For use with ePolicy Orchestrator® 4.5 and 4.6

McAfee Risk Advisor 2.7 — Use Case Scenarios


COPYRIGHT
Copyright © 2012 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS
AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION
License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

About this guide | McAfee Risk Advisor 2.7.0 — Use Case Scenarios


Contents

Preface ... 4
  About this guide ... 4
  Audience ... 4
  Conventions ... 4
Use Case Scenarios ... 5
  1. Introduction ... 5
  2. Post-installation Steps ... 5
  3. Risk Advisor Exceptions ... 6
  3.1 Suppressions ... 7
  3.2 User Defined Countermeasure ... 9
  3.3 Advanced Reporting Group ... 10
  4 Patch Tuesday Reports ... 12
  5 Application Awareness ... 13
  5.1 McAfee Application Control ... 14
  6 Enhanced Automatic Response Events ... 14


This document provides the use case scenarios to help Beta users understand the features added in the McAfee Risk Advisor 2.7 release.

About this guide
This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience
McAfee documentation is carefully researched and written for the target audience. The information in this guide is intended primarily for:

Administrators — People who implement and enforce the company's security program.

Conventions
This guide uses the following typographical conventions and icons.

Book title or Emphasis: Title of a book, chapter, or topic; introduction of a new term; emphasis.

Bold: Text that is strongly emphasized.

User input, Path, or Code: Commands and other text that the user types; the path of a folder or program; a code sample.

Hypertext: A live link to a topic or to a website.

Note: Additional information, like an alternate method of accessing an option.

Tip: Suggestions and recommendations.

Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.

Warning/Danger: Critical advice to prevent bodily harm when using a hardware product.


1. Introduction
The purpose of this document is to provide guidance to Beta customers in evaluating the new features that are implemented in the McAfee Risk Advisor 2.7 (henceforth referred to as MRA 2.7) release.

2. Post-installation Steps
After the installation of MRA 2.7, perform the following steps.

1) Verify that the ‘MRA’ extension is installed with MRA 2.7:

a. In the ePO console, click Menu | Software | Extensions, then click Risk Advisor from the extensions list.

b. Verify that:
o Extensions are available for all the point-products chosen at the time of installation.
o The status is Installed for the Risk Advisor and other MRA point-product extensions.

The screen capture below illustrates the Extensions page displaying a couple of MRA extensions.

2) Run the default MRA analysis task – MRA: Threat Download & Analysis. Consider these instructions to run the task:

a. McAfee Risk Advisor requires at least 50 MB of free space on the server.


b. In the ePO console, click Menu | Software | Server Tasks.

c. Run the MRA: Threat Download & Analysis task.

d. Ensure that the task is completed successfully.

Depending upon your network bandwidth and hardware configuration, the task might take a couple of hours to download all the threats from the MTIS Threat feed. The screen capture below illustrates the Server Task Log Details page.

3. Risk Advisor Exceptions
MRA analyzes data from all enabled assets, enabled threats, and installed point-products, then calculates the risk posture of an organization. The 2.7 release adds flexibility through the Risk Advisor Analysis Exceptions feature.

With this feature, you can define exceptions if you have third-party countermeasures installed in your enterprise, or if you want to temporarily exclude a set of assets and threats from analysis.

Use these options to provide Risk Analysis Exceptions:

o User Defined Countermeasures
o Countermeasure Declarations
o Suppressions

Risk Advisor Exceptions can only be created by users with administrative privileges.

3.1 Suppressions
Suppression is the ability to temporarily exclude selected threats, based on Threat Tags, and systems, based on ePO Asset groups or Asset Tags, from Risk Analysis.


For example, if the security administrator wants to permanently exclude Apple threats from being analyzed against Windows systems, this can be achieved by creating a Suppression with ‘No End Date’, so that the selected set of threat data is never analyzed against the selected assets.

You need to create Asset Groups/Tags and Threat tags and apply them according to your organization’s needs before you can create Risk Advisor Exceptions.

How to create Suppression

1. In the ePO console, click Menu | Risk & Compliance | Risk Analysis Exceptions, then click the Suppressions tab.

2. Click New Suppression, then type a name and a short description explaining the reason for creating the suppression (it's a mandatory field).

3. Select the Start and End date for the suppression to be effective, then click Next.

4. Select the Asset Groups/Asset tags and Threat tags that should be suppressed (by default, all assets and threats are selected), then click Next. The screenshot below illustrates the Filter page used to resolve the criteria for the suppression to be created.

5. Review the Summary, then click Save.

6. Double-click the suppression in the list to view the Suppression Details page.


The next time you run MRA analysis, the assets and threats included in the above step will be excluded from analysis.

Another scenario

Microsoft releases patches on the second Tuesday of each month, and your company has given Microsoft patch deployment in your enterprise to a third-party vendor on an SLA basis. Your company’s vendor takes care of Microsoft patch deployment. So the security admin needs to analyze the rest of the threats (such as Adobe, Apple, Oracle, etc.) on the enterprise servers and wants to suppress the Microsoft Patch Tuesday threats from risk analysis for a period of time.

You can selectively exclude the recent Microsoft Patch Tuesday threats from being analyzed against enterprise servers by using Suppression.

The screen capture below illustrates the Filter page for the same scenario.


More about Suppression

There's no restriction on the number of suppressions that can be created. Depending on the start date and end date, the possible states of a suppression are:

o In-effect — The suppression is valid and will be considered for MRA analysis.
o Expired — The end date of the suppression is in the past, and it will no longer be considered for MRA analysis.
o Upcoming — The start date of the suppression is in the future, and it will not be considered for analysis until the start date is the same as the current date when MRA analysis is run.
o Invalid — One or more of the asset/threat tags used in the suppression have been deleted, and the suppression will not be considered for analysis.

The number of In-effect suppressions that were considered for MRA analysis can be viewed in the Server Task Log for that task.

There are also custom queries to list the different suppressions which are in varied states.
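The suppression states above, and the exclusion they cause at analysis time, can be modelled in a few lines. The Python below is an added illustration, not McAfee code or any MRA API: the Suppression class, the asset and threat tag sets, and the dates are constructed sample data, and the "empty selection means all" rule mirrors the wizard's default.

```python
# Added example, not McAfee code: models the four suppression states this
# guide lists and applies the In-effect ones to a (hypothetical) analysis run.
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional, Set, Tuple


@dataclass
class Suppression:
    name: str
    start: date
    end: Optional[date]        # None models the 'No End Date' option
    asset_tags: Set[str]       # ePO asset groups/tags; empty = all assets (wizard default)
    threat_tags: Set[str]      # threat tags; empty = all threats (wizard default)


def suppression_state(s: Suppression, today: date, existing_tags: Set[str]) -> str:
    """Return 'In-effect', 'Expired', 'Upcoming' or 'Invalid'.

    Invalid wins over the date checks: a suppression that references a deleted
    tag is never applied. A start date equal to the analysis date is In-effect
    ('until the start date is same as the current date'); an end date equal to
    the analysis date is assumed to still be In-effect (the guide does not say).
    """
    if not (s.asset_tags | s.threat_tags) <= existing_tags:
        return "Invalid"
    if s.end is not None and s.end < today:
        return "Expired"
    if s.start > today:
        return "Upcoming"
    return "In-effect"


def _covers(selected: Set[str], tags: Set[str]) -> bool:
    # An empty selection means 'all' (the wizard's default); otherwise any tag match.
    return not selected or bool(selected & tags)


def apply_suppressions(assets: Dict[str, Set[str]], threats: Dict[str, Set[str]],
                       suppressions, today: date,
                       existing_tags: Set[str]) -> Tuple[Set[Tuple[str, str]], int]:
    """Return the (asset, threat) pairs still analysed and the In-effect count.

    A pair is excluded only when one In-effect suppression covers BOTH the
    asset and the threat; the count is what the Server Task Log would report.
    """
    in_effect = [s for s in suppressions
                 if suppression_state(s, today, existing_tags) == "In-effect"]
    remaining = set()
    for asset, a_tags in assets.items():
        for threat, t_tags in threats.items():
            if not any(_covers(s.asset_tags, a_tags) and _covers(s.threat_tags, t_tags)
                       for s in in_effect):
                remaining.add((asset, threat))
    return remaining, len(in_effect)


# Constructed sample data: two assets, two threats, four suppressions.
TODAY = date(2012, 5, 15)
EXISTING_TAGS = {"Windows", "Servers", "Mac", "Desktops", "Apple", "Patch Tuesday"}
ASSETS = {"win-srv-01": {"Windows", "Servers"}, "mac-01": {"Mac", "Desktops"}}
THREATS = {"APPLE-THREAT": {"Apple"}, "MS-PT-THREAT": {"Patch Tuesday"}}
SUPPRESSIONS = [
    Suppression("Apple vs Windows", date(2012, 1, 1), None, {"Windows"}, {"Apple"}),
    Suppression("Vendor SLA", date(2012, 5, 8), date(2012, 6, 7), {"Servers"}, {"Patch Tuesday"}),
    Suppression("Next quarter", date(2012, 7, 1), None, {"Desktops"}, {"Apple"}),
    Suppression("Stale tag", date(2012, 1, 1), None, {"Servers"}, {"Oracle"}),  # 'Oracle' was deleted
]

if __name__ == "__main__":
    for s in SUPPRESSIONS:
        print(f"{s.name}: {suppression_state(s, TODAY, EXISTING_TAGS)}")
    pairs, n = apply_suppressions(ASSETS, THREATS, SUPPRESSIONS, TODAY, EXISTING_TAGS)
    print(f"{n} in-effect suppressions; pairs still analysed: {sorted(pairs)}")
```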

3.2 User Defined Countermeasure
Most enterprises are not pure McAfee shops; they may have products from multiple vendors (including McAfee). Until now, MRA supported only McAfee products, but the 2.7 release provides the flexibility to take advantage of other countermeasure products that might be protecting your systems.

Imagine a scenario where you have TrendMicro protecting the endpoint machines. You know that it protects against some of the threats where the vendor is TrendMicro. Now the user has the flexibility to declare that these endpoint assets are protected by a non-McAfee countermeasure.

It can be achieved by creating a Risk Advisor Exception as described below.

1. In the ePO console, click Menu | Risk & Compliance | Risk Analysis Exceptions, then click the User Defined Countermeasures tab.

2. Click New Countermeasure, then type a name and a short description, and then click Save.

3. Now that you have created a user-defined countermeasure, declare it against assets and threats.

4. In the ePO console, click Menu | Risk & Compliance | Risk Analysis Exceptions, then click the Countermeasure Declarations tab.

5. Click Declare Countermeasure, then type a name, select the countermeasure from the list, type the reason for the declaration, and then click Next.

6. Select the Asset Groups/Asset tags and Threat tags that should be included as part of the user-defined countermeasure (by default, all assets and threats are selected), then click Next.

7. Review the summary, then click Save.


The next time you run MRA analysis, the assets and threats included in the above step will be considered protected.

3.3 Advanced Reporting Group
Advanced Reporting Group provides the ability to generate reports for selected threats, based on Threat Tags, and systems, based on groups or Asset Tags.

Imagine a scenario where the admin wants to see the risk metrics for the “Aurora” threat against a set of desktop machines. The user can create a Reporting Group to get the consolidated risk score by enabling the “Aurora” threat and the set of desktop machines in the analysis.

You need to create Asset Groups/Tags and Threat tags and apply them according to your organization’s needs before creating reporting groups.

Threat and Asset risk scores are calculated for the entire enterprise, i.e., all enabled assets in the ePO System Tree are analyzed against all enabled threats. However, sometimes you might be interested in only a portion of it. For example, you may need a risk analysis report only for your department/BU, to effectively answer questions like:

o Which threats are most critical to *my* BU?
o How do I determine if one or more threats introduce more risk to the sub-org than the others?
o How do I determine which assets introduce the most risk within the sub-org?
o How do I prioritize remediation based on the riskiest threats and riskiest assets? Could this be different across sub-orgs?
o How do I determine the “most-critical” patch to be deployed for the sub-org?

Enhancements to the current reporting group feature will enable all of these.

How to use Reporting Groups

1. In the ePO console, click Menu | Risk & Compliance | Reporting Groups.

2. Click Actions | Risk Advisor | New Reporting Group, then type a name and a description (if required). Click Next.

3. Select the Asset Groups/Asset tags (Desktop machines) and Threat tags (Aurora) that should be included, then click Next.

4. Review the summary, then click Save.

5. The Reporting Group is added to the list as shown below.


6. Double-click a reporting group to view the Reporting Group Details page (one-level drill down).

7. Now run the MRA: Reporting Group Analysis task. Once the task completes, go to the Reporting Group Management page to view the risk metrics. The risk metrics calculated here cover only the assets and threats defined as part of the Reporting Group.

8. You can also see impacted assets/threats count, enabled assets/threats count and consolidated risk score for that particular Reporting Group.

The screen capture below illustrates a sample Reporting dashboard constructed from a group of inbuilt Reporting group queries.


4 Patch Tuesday Reports
Until now, MRA had two rudimentary queries that catered to the needs of administrators for their monthly Patch Tuesday reports.

The current release enhances these so that they cater not only to the administrators who need to make decisions about their patching, but also to the executives who need to assess the effectiveness of patching operations over a period of time and over a varied set of assets.

Imagine a scenario: Microsoft releases patches on the second Tuesday of each month, and your company has given Microsoft patch deployment in your enterprise to a third-party vendor on an SLA basis. Your company’s vendor takes care of Microsoft patch deployment.

The admin wants to see the effectiveness of the SLA vendor's patching on a monthly basis; this can now be achieved with the Patch Tuesday Reports and dashboards in the current release.

The admin can analyze assets against the set of Patch Tuesday threats, and once the analysis completes, MRA generates Patch Tuesday reports in which the admin can check Patch Tuesday deployment effectiveness based on the overall risk posture of the assets.

The admin should have the latest vulnerability information from the assets before checking patch effectiveness.

In this current release MRA has added a new dashboard just for the Patch Tuesday reports – MRA: Security Bulletin Dashboard.

The MRA: Security Bulletin Dashboard comes with four monitors comprising the following queries:

MRA Patch Report: Microsoft Patch Tuesday Threats Trend — The query provides the number of Microsoft Patch Tuesday threats released over the last three months.

MRA Patch Report: Risk Score for System Groups across Patch Tuesday Threats — The query provides the risk score of System Tree groups over Microsoft Patch Tuesday threats released over the last three months.

MRA Patch Report: Assets at Risk from Patch Tuesday Threats by Criticality — The query provides the number of assets at risk, segmented by Asset Criticality, from Microsoft Patch Tuesday threats released over the last three months.


MRA Patch Report: Assets at Risk from Patch Tuesday Threats by System Group — The query provides the number of assets at risk across System Tree Groups from Microsoft Patch Tuesday threats released over the last three months.

The snapshot below illustrates the in-built Security Bulletin dashboard of MRA.

There are three more queries that can be used based on the needs of the user. They are:

MRA Patch Report: Microsoft Patch Tuesday Threats by Security Bulletin — The query provides the number of threats that can be mitigated by Microsoft Patch Tuesday security bulletins.

MRA Patch Report: Microsoft Patch Tuesday Threats — The query provides the Microsoft Patch Tuesday threats. This query which was available in the previous releases has been enhanced so that the query remains consistent with the new queries.

MRA Patch Report: Microsoft Patch Tuesday Threats Exploitability Index — The query provides the exploitability index for Microsoft Patch Tuesday threats. This query which was available in the previous releases has been enhanced so that the query remains consistent with the new queries.

Most importantly all these queries can be customized according to the needs of the user.

5 Application Awareness
Most threats are applicable only to certain applications installed on assets. McAfee Risk Advisor considers a threat's applicability to an asset as Applicable only when the targeted application is installed on the asset. This helps derive the correct Risk Analysis for the managed assets.


MRA comes with the McAfee Application Inventory plug-in, an agent-based plug-in that can be deployed on the asset. Running a simple scan collects the inventory of all MSI-installed applications from the asset. The use of Application Inventory in determining the relevance of a threat to the asset can be seen in the Threat Asset Coverage Details page.

5.1 McAfee Application Control
With the current release, MRA can also collect Application Inventory details from McAfee Application Control (Solidcore). If the Application Control agent is installed and the asset is solidified, the application inventory from the asset can be used by Risk Advisor to correlate threat applicability.

For enterprises which have Solidcore already installed in their network, admins can use it for both countermeasure correlation and application awareness.

If they want to use it for only one specific purpose, that option is also provided in the Server Settings page, where they can choose how to use Solidcore data.

6 Enhanced Automatic Response Events
With automatic responses you can configure which actions are taken when specific events occur in your environment. Earlier, MRA had the ability to create responses for threat-based events or task-based events. This has now been enhanced to include asset-based events and risk score-based events.


The new events included in the current release are:

Under the ‘Risk Advisor Analysis Events’ group:
o Asset Risk Metrics
o Reporting Group Analysis Completion

Under the ‘Risk Advisor Threat Events’ group:
o Individual Threat Reconciliation

With the enhanced Automatic Response Events, you can create responses for events like:

o Enterprise Risk Score changes by, say, 10%, or by a value, say it increases by 10, since the last analysis.
o Risk Score for a Reporting Group changes by x% or ‘x’ value since the last analysis.
o Asset Risk Score changes by x% or ‘x’ value since the last analysis.
o Asset Risk Score for a Reporting Group changes by x% or ‘x’ value since the last analysis.
o New events when an asset status changes to ‘Not Protected’ or ‘Insufficient Data’ for assets that were protected by NSP.

New Automatic Response

The screenshot below illustrates the Response Builder page.
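To make the "changes by x% or x value since the last analysis" rules concrete, the Python below (an added illustration, not McAfee code or the Response Builder's logic) evaluates them over two constructed analysis results; the ChangeRule fields, the scope names and the NSP status strings are assumptions modelled on this section's wording.

```python
# Added example, not McAfee code: evaluates the risk-score change and asset
# status conditions this guide lists, over two consecutive analysis results.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ChangeRule:
    """'changes by x% or x value since the last analysis', for one scope."""
    pct: Optional[float] = None      # fire when the relative change reaches x%
    delta: Optional[float] = None    # fire when the absolute change reaches x
    increase_only: bool = False      # 'it increases by 10' rather than any change


def score_change_fires(rule: ChangeRule, previous: float, current: float) -> bool:
    """True when the change from previous to current satisfies the rule.

    Either threshold is enough (the guide says 'x% or x value'). The relative
    change is measured against the previous score, so a previous score of 0
    can only fire through the absolute threshold.
    """
    change = current - previous
    if rule.increase_only and change <= 0:
        return False
    if rule.delta is not None and abs(change) >= rule.delta:
        return True
    if rule.pct is not None and previous != 0:
        return abs(change) / abs(previous) * 100 >= rule.pct
    return False


def evaluate_scores(prev: Dict[str, float], cur: Dict[str, float],
                    rules: Dict[str, ChangeRule]) -> List[str]:
    """Scopes (Enterprise, Reporting Group, Asset) whose rule fired.
    A scope missing from either analysis has no 'since last analysis' baseline."""
    return sorted(scope for scope, rule in rules.items()
                  if scope in prev and scope in cur
                  and score_change_fires(rule, prev[scope], cur[scope]))


def nsp_status_events(prev: Dict[str, str], cur: Dict[str, str],
                      nsp_protected: Set[str]) -> List[Tuple[str, str]]:
    """Assets that were Protected by NSP and are now 'Not Protected' or 'Insufficient Data'."""
    return sorted((a, cur[a]) for a in nsp_protected
                  if prev.get(a) == "Protected"
                  and cur.get(a) in ("Not Protected", "Insufficient Data"))


# Constructed sample: scores and statuses from two consecutive analyses.
RULES = {
    "Enterprise": ChangeRule(pct=10, delta=10, increase_only=True),
    "RG:Desktops": ChangeRule(pct=5),
    "Asset:win-srv-01": ChangeRule(delta=15),
    "RG:New": ChangeRule(delta=1),                  # no baseline yet
}
PREV_SCORES = {"Enterprise": 200.0, "RG:Desktops": 50.0, "Asset:win-srv-01": 80.0}
CUR_SCORES = {"Enterprise": 215.0, "RG:Desktops": 52.0, "Asset:win-srv-01": 60.0, "RG:New": 30.0}
NSP_ASSETS = {"win-srv-01", "web-01", "db-01"}
PREV_STATUS = {"win-srv-01": "Protected", "web-01": "Protected", "db-01": "Not Protected"}
CUR_STATUS = {"win-srv-01": "Protected", "web-01": "Insufficient Data", "db-01": "Not Protected"}

if __name__ == "__main__":
    print("score rules fired:", evaluate_scores(PREV_SCORES, CUR_SCORES, RULES))
    print("NSP status events:", nsp_status_events(PREV_STATUS, CUR_STATUS, NSP_ASSETS))
```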
