Post on 21-May-2020

Slide 1

McAfee Confidential

The Evolve Your Security Operations

Toshi Iijima, Regional SIEM Specialist, McAfee

Slide 2

The Objective: Security Operations at 30,000 Feet… Simple, Right?

Organizations do this…

▪ Collect and parse relevant security data
▪ Discover evidence of missed attacks and determine what to pursue
▪ Investigate to disposition and coordinate response

…with the goal of reducing this…

▪ Time to Identify: Mean Time to Detect (MTTD)
▪ Time to Investigate and Time to Contain: Mean Time to Respond (MTTR)

…to avoid this:

▪ Industry Average: 3-15 Months Dwell Time

Slide 3

The Reality: Most Organizations Are Spending Too Much and Getting Too Little

Source: 2017 Cost of Cyber Crime Study.

▪ Average annualized cost of cybersecurity (USD): $11.7M
▪ Percentage increase in cost of cybersecurity in a year: 22.7%
▪ Average number of security breaches each year: 130
▪ Percentage increase in average annual number of security breaches: 27.4%

Slide 4

The Problem: Why Is Reducing Mean Time to Respond So Difficult?

▪ High Cost for More Data: $$$$ to ingest more data & scale (77% add 1TB+ / mo.)
▪ Closed Architecture: not designed to ingest at scale, poor APIs (63% of SOCs spend 10hrs/mo. customizing)
▪ Poor Detection Efficacy: false positives, missed attacks, triage efficiency (100k+ alerts / week)
▪ Inefficient Manual Investigation: scarce expertise, time to investigate, inconsistent outcomes (66% need better training for hunting)

Slide 5

The Technology: Not just the SIEM anymore; complementary innovation & new capabilities

Last ~10-15 years: SIEM

▪ Data Ingestion
▪ Parsing / Normalization
▪ Data Mgmt
▪ Streaming Analytics
▪ Batch / Historical Analytics
▪ Log Mgmt, Compliance, & Forensics
▪ Security Monitoring
▪ Incident Response
▪ Incident Investigation

Present and Future: SIEM plus

▪ User & Entity Behavioral Analytics
▪ Network Analytics
▪ Deception
▪ Threat Intelligence Platform
▪ Endpoint Detection & Response
▪ Automation & Orchestration
▪ Big Data & Open Source
▪ ...

Slide 6

The Vision: Modular, Open, Integrated, Content-driven Sec Ops Architecture

Three layers:

▪ Data Platform & Optimized Sources: “Senses and Memory”
▪ Advanced Analytics: “Signal from Noise”
▪ Analyst Operations: “Insights & Actions”

Capabilities: Data Ingestion; Parsing / Normalization; Data Mgmt; Streaming Analytics; Batch / Historical Analytics; Log Mgmt, Compliance, & Forensics; Security Monitoring; Incident Response; Incident Investigation; Detection & Prioritization; Investigation & Response; Malware Analysis; Case Management

Inputs: Other sources (Network, Deception); Threat Intel Platforms

Slide 7

Data Platform: Traditional Legacy SIEM Architecture. All data flows through the SIEM. Costly. Slow. Inefficient.

Data Source (x4) → Receiver (x2) → SIEM (Big Database) → UI / API? / Analytics / Apps

Performance Bottleneck!!

(The target architecture drawn alongside, a Kafka Databus feeding Correlation, Events / Log Retention & Compliance, Analytics, and Log Search & Threat Hunting, is the subject of slide 8.)

Slide 8

Data Platform: ESM 11 = No Compromises. High Performance. Low Cost. Data flows to the apps that need it. Each app is fit for purpose and can scale independently.

Kafka Databus feeds four fit-for-purpose applications:

▪ Correlation: Rule-based correlation. Real-time. Fast. Efficient.
▪ Events / Log Retention & Compliance: Compressed. Signed. Long-term retention for compliance.
▪ Analytics: Periodic batch analytics. Machine learning. Easy. Effective.
▪ Log Search & Threat Hunting: Uncompressed. Short-term storage. Optimized for search and hunting.

ESM Cluster: ESM and EDB nodes.

Data stores: EDB Data store; Elastic Search; Hadoop; EDB Data store; In Memory (no Data store).

Slide 9

Advanced Analytics: MBA (McAfee Behavioral Analytics): Rapidly Turn Data into Insights

Real-time analytics

▪ Onboard fast with preconfigured security use cases

▪ Continuous critical event and state change endpoint monitoring

Go deep with Big Data and Behavioral Analytics

▪ Empower the team with high quality leads and fewer false positives

▪ Unsupervised machine learning automatically creates a baseline of normal behavior without human intervention and detects near-invisible insider threats

▪ Broad data coverage spans the entire attack lifecycle and exposes threats other analytics offerings cannot see

▪ Risk scoring allows for pro-active security response

Range of analytic capabilities to fit diverse needs

Slide 10

Advanced Analytics: Aggregating Behaviors for Entity Risk

Slide labels: Activity; User/Machine Asset; Method; Behavioral Risk Score.

Entity risk (user or machine):

$$R_{\text{entity}} = \text{importance}(t) \times \text{vulnerability}(t)$$

Behavioral risk, aggregated over users (U), files (F) and machines (M):

$$R_{\text{behavior}} = P(\text{event} \mid y) \times w_y \times \frac{\sum_{u \in U} w_u\, 2^{-i}\, R_u[i] + \sum_{f \in F} w_f\, 2^{-j}\, R_f[j] + \sum_{m \in M} w_m\, 2^{-k}\, R_m[k]}{w_u + w_f + w_m}$$

Example (risk score per behavior):

• Joshua Newman works at an unusual hour: 15
• … and accesses repositories that he and his peers do not usually access: 65
• … and takes from a folder on a repository an unusual number of times: 80
• … and moves a significantly higher volume of data than normal: 96
• … VPN’s in from China: 46
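The two formulas on this slide, carried through in code as an added example that is not McAfee Behavioral Analytics code and not from the deck. The slide does not say how the indices i, j, k are bound, so the code assumes each entity carries a list of per-behavior risk scores ranked from highest to lowest, with 2^-i halving the weight of each successive score; it also assumes w_u, w_f and w_m weigh the user, file and machine groups as a whole, and that P(event | y) and w_y are the probability and weight of the event type. The Joshua Newman scores are the slide's own; the peer "pat.lee" and the asset importance/vulnerability values are constructed.

```python
"""Entity and behavioral risk aggregation following the two slide formulas.

Added illustration, not vendor code.  Assumptions (not on the slide): each
entity holds a list of per-behavior scores, i/j/k rank those scores from
highest to lowest so 2^-i halves each successive weight, and w_u/w_f/w_m
weigh the user, file and machine groups as a whole.
"""
from typing import Dict, List, Tuple


def entity_risk(importance: float, vulnerability: float) -> float:
    """R_entity = importance(t) x vulnerability(t); both inputs on a 0..1 scale."""
    return importance * vulnerability


def decayed_sum(scores: List[float]) -> float:
    """sum_i 2^-i * R[i] over the scores ranked high to low.

    The top score counts in full, the next at half weight, the next at a
    quarter, so one severe anomaly is never drowned out by many mild ones
    and many mild anomalies cannot add up to a severe one by volume alone.
    """
    ranked = sorted(scores, reverse=True)
    return sum(score / (2 ** i) for i, score in enumerate(ranked))


def behavior_risk(p_event_given_y: float, w_y: float,
                  user_scores: Dict[str, List[float]],
                  file_scores: Dict[str, List[float]],
                  machine_scores: Dict[str, List[float]],
                  w_u: float = 1.0, w_f: float = 1.0, w_m: float = 1.0) -> float:
    """R_behavior = P(event|y) * w_y * [ sum_U w_u 2^-i R_u[i]
    + sum_F w_f 2^-j R_f[j] + sum_M w_m 2^-k R_m[k] ] / (w_u + w_f + w_m)."""
    user_term = w_u * sum(decayed_sum(s) for s in user_scores.values())
    file_term = w_f * sum(decayed_sum(s) for s in file_scores.values())
    machine_term = w_m * sum(decayed_sum(s) for s in machine_scores.values())
    return p_event_given_y * w_y * (user_term + file_term + machine_term) / (w_u + w_f + w_m)


# Constructed sample data: Joshua Newman's five behavior scores from the slide
# and a peer whose day shows only mild deviations from baseline.
SAMPLE_BEHAVIOR_SCORES: Dict[str, List[float]] = {
    "joshua.newman": [15, 65, 80, 96, 46],
    "pat.lee": [15, 12, 10, 8],
}


def rank_users(behavior_scores: Dict[str, List[float]],
               p_event_given_y: float = 1.0, w_y: float = 1.0) -> List[Tuple[str, float]]:
    """Score each user as their own one-member user group and return
    (user, risk) pairs with the highest risk first, the order an analyst
    would triage them in."""
    ranked = [(user, behavior_risk(p_event_given_y, w_y, {user: scores}, {}, {}))
              for user, scores in behavior_scores.items()]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    # Constructed asset: a source repository that matters a lot and is moderately exposed.
    print(f"Asset risk (importance 0.9, vulnerability 0.6): {entity_risk(0.9, 0.6):.2f}")
    for user, risk in rank_users(SAMPLE_BEHAVIOR_SCORES):
        print(f"{user:15s} {risk:8.2f}")
```

With the slide's scores, Joshua's ranked behaviors contribute 96 + 40 + 16.25 + 5.75 + 0.9375 = 158.9375 before the group-weight division, while the peer's four mild anomalies contribute only 24.5, so the ranking separates the two cases far more sharply than a plain sum of scores would.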

Slide 11

Human-Machine Teaming

Analyst Operations: McAfee Investigator: Quickly Investigate and Act. Reduce incident response time.

▪ Artifacts selectively collected at machine speed
▪ Key Findings summarized
▪ Expert-guided triage process

Slide 12

Multiple Indicators on Confirming Conviction

Automation, Bridging Analysts to Insights and Decisions (components: ESM, MBA, Investigator, ePO, Analyst)

1. MBA generates risk scores
2. ESM correlation detects { multiple threat indicators }
3. Trigger to Investigator initiates case generation
4. Investigator selectively gathers additional evidence (ePO dispatches real-time search)
5. Case is ready for review by analyst: Decision, Respond

Video Demo

Slide 13

Call to Action: How Can We Help?

Connect with your local sales teams!!

▪ McAfee Security Operations Workshop
▪ Tech-checks for existing SIEM customers
▪ Technical product deep dives: Investigator, McAfee Behavioral Analytics

Follow McAfee on….

Slide 14

The McAfee Reality: Open, Integrated Security Operations. Collaboration across Security Operations enables faster response times and operational efficiencies.

Data Platform: Collect, Enrich, and Share Data at any Scale

▪ SIEM: Broad Data Collection
▪ SIEM: Long-term Compliance, archive & forensics
▪ SIEM: Real-time correlation & detection
▪ SIEM: Short-term Search & hunting

Advanced Analytics: Turn Data into Insight

▪ Advanced Analytics: Risk scoring, anomaly detection

Investigate and Act: Expert-guided investigation for confident action

▪ Sandboxing: Malware Analysis
▪ EDR: Endpoint telemetry, process trace
▪ SIEM: View all alerts, coordinate action
▪ Investigator: Automated analysis, guided investigation
▪ EDR: Response

Collaboration with 3rd party solutions: SIA Partner and Open Solutions

Slide 15

Q&A

McAfee and the McAfee logo are trademarks or registered trademarks of McAfee LLC or its subsidiaries in the U.S. and/or other countries. Other names and brands may be claimed as the property of others. Copyright © 2017 McAfee LLC.