m14 threat analyzer


Post on 05-Dec-2015


TRANSCRIPT

  • Threat Analyzer 2012 McAfee, Inc. All Rights Reserved. 1


    Upon successful completion of this module you will be able to:

    • Navigate the Threat Analyzer page
    • Explain the life cycle of an alert
    • Differentiate between Real-time versus Historical alerts
    • View summary and drill-down alert information
    • Create a Dashboard and a Monitor within the Threat Analyzer
    • Install and configure the Incident Generator



    The Threat Analyzer is used for the analysis of the alerts detected by the Sensors (as well as those processed by an integrated Host Intrusion Prevention client). The Threat Analyzer works in conjunction with the policies applied to the Sensors. When a transmission violating an enforced security policy is detected by a Sensor, the Sensor compiles information about the offending transmission and sends this "attack" data to the NSP Manager in the form of an alert. Alert details include transmission data such as the source and destination IP addresses in the packet, as well as security analysis information (performed by the Sensor) such as attack type and severity. Alerts are backed up to the database and archived in order of occurrence.


    An attack is a violation of set policy parameters. An alert is one or more attack instances. In many cases, an alert represents a single detected attack. A multi-attack alert is generated when multiple instances of an identical attack (same source IP, destination IP, and specific attack) are detected within a two-minute period; the data for all of those attacks is throttled into one alert instance. You can also configure, for each throttled attack, how many of the throttled instances you want to see as an individual alert.
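    The throttling rule above, modelled as an added example (this is illustrative code, not McAfee's implementation). Attack instances sharing the same source IP, destination IP and attack name within a two-minute window are coalesced into one alert that counts how many instances it represents; an optional per-attack limit makes the next instance start a fresh alert once a throttled alert has absorbed that many, standing in for the configurable "how many of each throttled attack" setting. The window is measured from the first instance of the open alert (an assumption; the slide does not say whether the window is fixed or sliding), and the attack names and timestamps are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Throttling window named on the slide: identical attacks within two minutes become one alert.
THROTTLE_WINDOW = timedelta(minutes=2)


@dataclass
class AttackInstance:
    """One detection reported by a Sensor (constructed data, not NSP's record format)."""
    ts: datetime
    src: str
    dst: str
    attack: str


@dataclass
class Alert:
    """One alert as the Manager would raise it; count = attack instances it represents."""
    first_seen: datetime
    last_seen: datetime
    src: str
    dst: str
    attack: str
    count: int = 1


def throttle(instances, per_attack_limit=None):
    """Coalesce attack instances into alerts.

    per_attack_limit is a hypothetical knob: {attack_name: N} means an alert for that
    attack absorbs at most N instances before the next instance raises a new alert.
    """
    per_attack_limit = per_attack_limit or {}
    open_alerts = {}  # (src, dst, attack) -> the alert currently absorbing duplicates
    alerts = []
    for inst in sorted(instances, key=lambda i: i.ts):
        key = (inst.src, inst.dst, inst.attack)
        current = open_alerts.get(key)
        limit = per_attack_limit.get(inst.attack)
        in_window = current is not None and inst.ts - current.first_seen <= THROTTLE_WINDOW
        under_limit = current is not None and (limit is None or current.count < limit)
        if in_window and under_limit:
            # Same attack, same endpoints, inside the window: fold into the open alert.
            current.count += 1
            current.last_seen = inst.ts
        else:
            # Outside the window (or limit reached): this instance becomes its own alert.
            current = Alert(inst.ts, inst.ts, inst.src, inst.dst, inst.attack)
            open_alerts[key] = current
            alerts.append(current)
    return alerts


def sample_instances():
    """Constructed sample: five identical attacks over 2.5 minutes plus one to another host."""
    t0 = datetime(2012, 1, 1, 12, 0, 0)
    a = ("10.0.0.5", "10.0.1.20", "SAMPLE-SIG-A")
    return [
        AttackInstance(t0, *a),
        AttackInstance(t0 + timedelta(seconds=10), "10.0.0.5", "10.0.1.21", "SAMPLE-SIG-A"),
        AttackInstance(t0 + timedelta(seconds=30), *a),
        AttackInstance(t0 + timedelta(seconds=60), *a),
        AttackInstance(t0 + timedelta(seconds=90), *a),
        AttackInstance(t0 + timedelta(seconds=150), *a),  # past the two-minute window
    ]


def alert_counts(per_attack_limit=None):
    """Return the per-alert instance counts for the sample, in order of occurrence."""
    return [alert.count for alert in throttle(sample_instances(), per_attack_limit)]


if __name__ == "__main__":
    print("no limit:", alert_counts())                      # [4, 1, 1]
    print("limit 2 :", alert_counts({"SAMPLE-SIG-A": 2}))   # [2, 1, 2, 1]
```

    With no limit, the four identical attacks inside the window collapse into one alert of count 4, the attack on the other destination is its own alert, and the instance at 150 seconds falls outside the window and opens a new alert. Setting a limit of 2 splits the run into alerts of at most two instances each.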


    Alerts exist in one of three states:

    • Unacknowledged
    • Acknowledged
    • Marked for deletion

    When an alert is raised, it appears in the Manager in an unacknowledged state. Unacknowledged means that you have not officially recognized its presence by marking it acknowledged. An alert remains in an unacknowledged state until you either acknowledge or delete it. Deleted alerts are removed from the database. Unacknowledged alerts are displayed in the various monitors available on the Manager Dashboard page and in the Real-time view of the Threat Analyzer. Acknowledging alerts dismisses them from these views. Acknowledged alerts display only in the Historical view of the Threat Analyzer and in reports. Deleting an alert both acknowledges it and marks it for deletion. The alert is not actually deleted until a scheduled Disk Space Maintenance takes place. At that time, McAfee Network Security Platform deletes the alerts marked for deletion together with any alerts meeting the deletion criteria specified in the scheduler (older than 30 days, for example), whether or not they have been manually marked for deletion.


    Over the course of time, customers become very familiar with the Network Security Platform alert data as they perform forensic analysis using the Threat Analyzer. At some point, they may even become tired of seeing the same alerts time and time again. Network Security Platform provides multiple options for suppressing alerts, that is, lessening the number of alerts in the Threat Analyzer, in the database, or in both, so that an administrator can work on higher priority issues. The following alert suppression options are available through various actions within the Manager interface:

    • Disable alerting
    • Auto Acknowledge
    • Alert throttling


    Step a. All alerts are received by the Manager from the reporting Sensors. The alerts are sent to both the alert cache and the database.

    Step b. Once the alert cache's buffer begins to overflow, the oldest alerts are dropped from the cache. Since no modifications have been made, the database version is maintained and only the cached version is deleted.

    Step c. A Real-Time View query is started requesting x number of alerts. These alerts are pulled from the alert cache.

    Step d. If during a Real-Time analysis an alert is Acknowledge[d] or Delete[d], the altered alert file is forwarded to the database and the database version is updated with the recent changes. The interaction between a Real-Time Threat Analyzer and the database is one way; that is, alert record changes can be pushed from the Real-Time Threat Analyzer, but a Real-Time Threat Analyzer does not receive any data from the database.

    Step e. During a Real-Time analysis, new alerts are received from the alert cache as they are reported, refreshing every 5 seconds. Since the Real-Time Threat Analyzer has a maximum number of alerts that can be viewed at a time, the oldest alerts are dropped to accommodate new alerts. Since no modifications have been made, the database version is maintained and the cached version is deleted.

    Step f. A Historical query pulls alerts only from the database; there is no interaction between the alert cache and a Historical query. There is no refresh of newer alerts because the Historical Threat Analyzer only requests alerts from a specific time frame. Any alert file alteration (acknowledgement, deletion, and so forth) is saved to the database at the same time. Thus, the Historical Threat Analyzer can both pull and push alert records directly from the database.
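    The cache/database flow in steps a to f, together with the three alert states and the Disk Space Maintenance purge described earlier, as an added toy model (illustrative code, not McAfee's implementation). New alerts land in both a bounded cache and the database; cache overflow drops the oldest cached copy only; the real-time view reads the cache, the historical view reads the database for a time range; acknowledge and delete are pushed to the database and drop the alert from the real-time view; delete only marks the row, and the maintenance job purges marked rows plus anything older than the retention period (30 days, as in the slide). Class and method names, the cache size, and the sample alerts are all constructed for illustration.

```python
from collections import OrderedDict
from dataclasses import dataclass
from datetime import datetime, timedelta

# The three alert states named on the slides.
UNACKNOWLEDGED = "unacknowledged"
ACKNOWLEDGED = "acknowledged"
MARKED_FOR_DELETION = "marked_for_deletion"


@dataclass
class Alert:
    """Constructed alert record; the database and the cache share the same object."""
    alert_id: int
    ts: datetime
    attack: str
    state: str = UNACKNOWLEDGED


class Manager:
    """Hypothetical stand-in for the NSP Manager's alert cache and database."""

    def __init__(self, cache_size=3):
        self.cache_size = cache_size
        self.cache = OrderedDict()  # alert_id -> Alert, insertion order = age
        self.database = {}          # alert_id -> Alert, the durable copy

    def receive(self, alert):
        """Step a: a Sensor alert is written to both the cache and the database."""
        self.database[alert.alert_id] = alert
        self.cache[alert.alert_id] = alert
        # Steps b/e: on overflow the oldest cached alert is dropped; the database copy stays.
        while len(self.cache) > self.cache_size:
            self.cache.popitem(last=False)

    def real_time_view(self, limit):
        """Step c: the newest unacknowledged alerts, served from the cache only."""
        unacked = [a for a in self.cache.values() if a.state == UNACKNOWLEDGED]
        return unacked[-limit:]

    def acknowledge(self, alert_id):
        """Step d: the state change is pushed to the database; the alert leaves real-time views."""
        self.database[alert_id].state = ACKNOWLEDGED
        self.cache.pop(alert_id, None)

    def delete(self, alert_id):
        """Delete = acknowledge + mark for deletion; the row survives until maintenance runs."""
        self.database[alert_id].state = MARKED_FOR_DELETION
        self.cache.pop(alert_id, None)

    def historical_view(self, start, end):
        """Step f: database only, acknowledged and unacknowledged alike, in order of occurrence."""
        return sorted((a for a in self.database.values() if start <= a.ts <= end),
                      key=lambda a: a.ts)

    def disk_space_maintenance(self, now, retention=timedelta(days=30)):
        """Purge alerts marked for deletion and any alert older than the retention period."""
        purge = [i for i, a in self.database.items()
                 if a.state == MARKED_FOR_DELETION or now - a.ts > retention]
        for i in purge:
            self.database.pop(i)
            self.cache.pop(i, None)
        return len(purge)


def demo():
    """Walk one constructed scenario through the model and return the observable results."""
    now = datetime(2012, 6, 1, 9, 0, 0)
    mgr = Manager(cache_size=3)
    mgr.receive(Alert(1, now - timedelta(days=45), "SAMPLE-SIG-OLD"))  # beyond retention
    for i in range(2, 6):  # ids 2..5, one per minute
        mgr.receive(Alert(i, now + timedelta(minutes=i), "SAMPLE-SIG-A"))
    rt_before = [a.alert_id for a in mgr.real_time_view(limit=10)]   # cache holds 3, 4, 5
    mgr.acknowledge(5)
    mgr.delete(4)
    rt_after = [a.alert_id for a in mgr.real_time_view(limit=10)]    # only 3 is left unacked
    hist = [(a.alert_id, a.state)
            for a in mgr.historical_view(now, now + timedelta(hours=1))]
    purged = mgr.disk_space_maintenance(now)                         # id 1 (old) and id 4 (marked)
    remaining = sorted(mgr.database)
    return rt_before, rt_after, hist, purged, remaining


if __name__ == "__main__":
    for label, value in zip(("real-time before", "real-time after", "historical",
                             "purged", "remaining"), demo()):
        print(f"{label}: {value}")
```

    Note that ids 1 and 2 have already been evicted from the cache by the time the real-time view is queried, yet both are still in the database, which is exactly why the historical view (and not the real-time view) is the place to look for alerts that have aged out or been acknowledged.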


    Threat Analyzer

    The Threat Analyzer is used for the analysis of the alerts detected by the Sensors. When a transmission violating a policy is detected by a Sensor, the Sensor compiles information about the offending transmission and sends this "attack" data to the Manager in the form of an alert. Alert details include transmission data such as source and destination IP addresses in the packet, as well as security analysis information (performed by the Sensor) such as attack type and severity.


    The Real-Time Threat Analyzer displays unacknowledged alerts from the alert cache. Once opened, the Real-Time Threat Analyzer refreshes frequently to display the alerts that are being detected by your Sensors, so you can view the alerts as they happen in real time. NOTE: Alerts that are auto-acknowledged will not be displayed in the Real-Time Threat Analyzer. The Historical Threat Analyzer sets the filter to retrieve information for both acknowledged and unacknowledged alerts archived in the database during a specified time frame. The Historical Threat Analyzer does not refresh with new alerts.


    When the Threat Analyzer is launched, a check is made for role access. This controls what a user can actually see in the Threat Analyzer (Real-Time or Historical). To view or modify the various role names and assigned access you need to be a super user in the root domain.


    Let's start with the Real-Time Threat Analyzer.

    Real-time Threat Analyzer

    The Real-Time Threat Analyzer sets the attack filter to display information retrieved from the alert cache for a specified number of unacknowledged alerts. Once opened, the Real-Time Threat Analyzer refreshes frequently to display the alerts that are being detected by the Sensors, allowing you to view the alerts as they happen in real time. The Real-Time Threat Analyzer opens in a separate browser window from that of the Manager UI, providing a concentrated view for alert analysis. Once you have retrieved alerts, either from a particular time period or in real time, the Threat Analyzer Dashboards page is displayed. The Real-Time Threat Analyzer is logically divided into two sections: the top menu bar and the lower display summary area.


    The menu bar of the Real-Time Threat Analyzer presents you with the following navigation options:

    • Dashboard: links to the Threat Analyzer NSP Health view page. The Dashboards page provides two default dashboards, namely NSP Health and IPS.
    • Alerts: links to the Threat Analyzer Alerts view page. It lists all of the attacks for the selected time span in order of occurrence.
    • Hosts: links to the Hosts page. You can view the list of IPS hosts.
    • Incident Viewer: links to the Incident Viewer page. You can create user-generated incidents to track alerts by parameters.
    • Host Forensics: links to the Host Forensics page. You can view the ePO and Vulnerability Manager scan information.
    • Preferences: links to the Preferences page. Enables you to personally set various options related to Threat Analyzer functionality and presentation.


    Historical Threat Analyzer

    The Historical Threat Analyzer sets the filter to retrieve information for both acknowledged and unacknowledged alerts that are archived in the database during a specified time. The Historical Threat Analyzer does not refresh with new alerts, so you can focus on analyzing all alerts within the time frame that you requested. When you click Historical Threat Analyzer from within the Manager, the Historical Constraints page is displayed. Here you can select the Start Time and End Time for viewing alert historical data from the datab