I had a debate last week with one of our Systems Engineers about whether our customers needed McAfee Global Threat Intelligence (GTI) in our SIEM (Security Incident and Event Management) product if we already delivered it via our network IPS. Of course they do.
If you’re not familiar with McAfee GTI, it’s our cloud-based threat reputation engine. McAfee GTI collects and shares reputation data across dozens of McAfee security solutions. This reputation data includes billions of file, IP, mail, web, and other data points, each of which is assessed and assigned a risk score. Through testing, we’ve found that McAfee GTI can improve detection rates by up to 30%. Perhaps more importantly, these real-time reputation feeds can shrink response times from days down to minutes.
So, back to the question: If you already get the benefits of McAfee GTI via network IPS, does it need to be incorporated into your SIEM? The answer is yes, and here’s why:
- Not everyone owns both – While McAfee has security solutions in nearly every major category, it’s safe to assume that most of our customers don’t own all those solutions. The only way to ensure that all our customers can take advantage of GTI is to include it in all of our product offerings.
- These solutions may be managed by different teams – Most enterprise organizations have different teams for managing the network (IPS) and incident response (SIEM). Having GTI built directly into the IPS not only allows for easy access to the data by that team, but it also allows for inline blocking based on reputation. Having GTI at the SIEM level gives IT incident response teams global insight into potential risks that most SIEM solutions can’t offer.
- SIEM data is a superset of events – More and more organizations are adopting SIEM tools to get a holistic view of what’s happening on the network. Network IPS events are just one of many data sources that feed into the SIEM. When you add firewall logs, netflows, system logs, database logs, etc., you get a much broader picture of what’s happening. Even if GTI is already part of the IPS solution, including it in the SIEM solution improves protection. By incorporating GTI into McAfee Enterprise Security Manager, we turn Global Threat Intelligence into global threat event correlation.
- Data persistence – Many of today’s sophisticated attacks happen over longer periods of time. Hackers may wait weeks or months in between pushing down custom malware and issuing data extraction commands. McAfee Network Security Platform, with GTI and other advanced detection methods, has the ability to detect and log many of these stealthy events, but McAfee Enterprise Security Manager has the ability to persist the events (data) for longer periods of time. Being able to apply the GTI lens over months of data can bring interesting trends to the surface.
When we first introduced McAfee GTI integration with Network Security Platform, adoption was a bit slower than we expected. As we dug into the reasons, we found that one common (and entirely ironic) concern was that by enabling GTI, security teams found new events that they had to respond to. We couldn’t argue with that. It wasn’t long, however, before customers started seeing the benefits of GTI, and now the vast majority of our IPS customers turn it on.
But as I think back to the concern of too many security events, I realize that GTI with SIEM helps solve the ‘too many security events’ dilemma. While individual security products may trigger on the same event independently – and kick off independent efforts to resolve an issue – having a correlated view of security events at the SIEM level helps streamline the incident response process, ultimately delivering the best of both worlds.