McAfee’s soon to be announced endpoint suite will provide a new level of assurance with real-time protection, management and more importantly results. Incorporating Intel hardware-assisted security through Deep Defender assures that systems are free of rootkits and blocks these kinds of APT’s. Some may argue that this type of advanced protection would be hard to cost-justify but having it included in our suite now provides one of the industry-changing ways to stronger security.  What used to be a nice-to have can now be a key component to keeping things on-track and secured.  It’s been estimated that up to 5 hours could be spend per system re-imaging them after detection of a rootkit.  Isn’t our time and resources better spent elsewhere than dealing with aftermath of a preventable situation?

But it’s also important to prove that the right level of protection has been enabled and where you may have gaps. Today this has to be accessible within minutes. McAfee Risk Advisor’s global risk dashboard allows you to quickly drill down to get granular details of a threat and how it relates to the specific assets in your organization. It lets you know where additional controls might be needed to combat the current threats of concern and target activities that will make the most of your time combating security risks. Time is precious and we want to make it easier for you to get the security that will protect the systems and infrastructure so you can provide the privacy controls that are right for your business.

Competition helps inspire two teams to push further and the fans to cheer harder.

In business, as in the case of McAfee and Symantec, our rivalry means we create better products, push to stay on top, and help our partners do the same.

Head-to-Head in CRN

As you may have seen, CRN’s Head-to-Head slideshow featured McAfee and Symantec competing in the security arena around spyware protection, intrusion prevention, and overall channel profitability.

As with any good rivalry, the game is always exciting. While CRN’s consensus is that Symantec does have a strong portfolio, McAfee came out on top for Security Management Console (ePolicy Orchestrator), cutting-edge hardware-based security, and overall partner profitability.

“Show me the money” –  Keeping Partners Profitable

While industry accolades validate the work we do at McAfee–and we’re always flattered to receive them—one of the biggest success metrics for me is to see partners’ profitability increase. So we were especially thrilled to hear that partners told CRN that our channel program is more profitable and that our efforts to increase support for your businesses haven’t gone unnoticed.

And customers appreciate the results, too. For customers, we’re setting a new industry standard for time to respond. We know it can be difficult to share intelligence across different solutions and that’s an issue for customers who are dealing with threats and want to respond quickly.

Transforming Security, Together

As I wrote back in February in my post Transforming the Security Industry…Together, you can’t adequately protect customers from the volume and sophistication of today’s cyber attacks without an integrated security platform that proactively and intelligently protects. That’s why using an end-to-end McAfee solution is so key to network security for customers.

We’ve got the tools to respond to threats in real time with Real Time ePolicy Orchestrator (ePO) that queries information from all of your customer’s endpoints in seconds, leading to more intelligent analysis and quick decision making on the part of IT.

With new devices and new threats hitting networks every day, it’s our goal to work together to ensure customers’ networks stay secure through innovative products and help you stay profitable through innovative channel programs.

When it comes to phishing, anyone is susceptible.  Take the recent breach at satirical news source The Onion, where foreign attackers used a campaign of social engineering to infiltrate The Onion’s corporate network. The campaign began with an email to a small group of Onion employees – starting with a minimal footprint to avoid detection. This email contained a link which appeared to be from The Washington Post, but actually led to a phishing site asking for credentials to the corporate Google Apps account.

At least one employee entered their credentials, and that’s all the attackers needed.

Let’s take a moment to discuss where security measures failed in this incident. First, the incoming phishing email contained a link which redirected to an alternate address. At the time the email was sent and scanned by The Onion’s email filtering solution of choice, this link may have registered as safe. The inflection point however, was the exact moment when the employee clicked on the link. This action initiated the series of events which resulted in stolen credentials, and eventually expanded access to internal email and social media accounts.

You may be asking at this point, but that was just human error – right?

Well, partially. Employees educated in the potential threats that can make it into their inbox can sometimes spot phishing emails based on something feeling (no pun intended) “fishy”. People are busy however, and don’t always take the time to mentally evaluate the content of an email before clicking.  A quick judgment call can lead to a data breach if the right precautions aren’t in place.

The fact is, companies don’t have to rely exclusively on the quick judgment calls of their employees to detect questionable email content anymore. We’ve made strides in this area, and I’m excited to share a great advancement with you here. We call this email security feature McAfee ClickProtect, and it does just that – protects users right when they click.

Take the example above, where The Onion employee clicked on a link that directed to a phishing page. With McAfee ClickProtect, the moment someone clicks a link, we send the web request off to our cloud-based web protection service where it is scanned for URL reputation based on our Global Threat Intelligence (GTI) network and for threats using our award-winning Gateway Anti-Malware engine. This engine, unique to McAfee, dissects and proactively emulates web page content, uncovering zero-day malware at an industry-leading 95% detection rate (see third party analysis here). If the page isn’t blocked for malicious content at that point, we even provide the option to show users a non-functioning preview of the page they’re about to visit, giving them an opportunity to judge for themselves whether the link they clicked actually goes to the right page.

Figure 1 – McAfee ClickProtect Web Page Preview

When malicious web content tries to hide secretly behind a link, McAfee ClickProtect puts it front and center and exposes its true nature.  The inactive preview, as shown above, allows users to easily detect the difference between the link they see, and the page it brings them to. So whether a phishing attack uses malware or just social engineering – the attempt is stopped right at the click.

Think about your email security solution – and what it can really do to stop these attacks. If you can’t come up with a good answer, check out our cloud-based email protection service that protects users in any location and on any device, now featuring McAfee ClickProtect.

The result? While Symantec continues to have a strong portfolio, McAfee came out on top for its central policy management through ePolicy Orchestrator, innovation with hardware-based security technologies, and its profitable McAfee Channels program!

Here’s a quick rundown of McAfee’s top-mark capabilities:

Antivirus-Antimalware

According to CRN, McAfee’s strengths lie in McAfee SiteAdvisor Enterprise, which can be configured by administrators to block access to malicious websites. In addition, McAfee provides behavioral protection to prevent buffer overflow and zero-day attacks. We’re also working closely with Intel on new hardware-based security defenses, demonstrating “a desire to grow beyond traditional signature-based technologies to detect advanced threats.”

Security Management Console

ePolicy Orchestrator (ePO), McAfee’s core management console, provides unparalleled scalability, policy management and reporting capabilities that make it simple to get security right. In addition, Real Time for McAfee ePO collects McAfee endpoint security product status instantly, providing real-time visibility that enables organizations to quickly identify and remediate under-protected and noncompliant endpoints.

Encryption

As CRN states, “McAfee partners swear by the company’s SafeBoot foundation.” McAfee Endpoint Encryption solutions use industry-leading algorithms and offer multiple layers of data protection, allowing organizations to transparently secure a broader scope of confidential information without system performance degradation.

Channel Program

The endpoint market is projected to grow from $3.8B in 2012 to $4.88B in 2017, according to the IDC. Real Time for ePO and real time intelligence is something no other security vendor can provide, just one of McAfee’s competitive displacement endpoint security opportunities.

Channel View

Symantec partners interviewed by CRN noted that McAfee’s program is less complex and in many cases provides higher margins and is more profitable.  McAfee’s flexible SecurityAlliance program enables resellers to jump-start sales, and provides detailed training, education, and support to boost knowledge of McAfee security technology – ensuring partners meet their customers’ needs for a secure network.

The Bottom Line

#1 in endpoint protection, McAfee protects where others fail. In addition to this most recent analysis from CRN, NSS Labs ranked McAfee as the leader against day zero exploit and evasion attacks. AV Test also measured 100% protection against stealthy attacks using McAfee Deep Defender, while West Coast Labs shows McAfee Application Control provides 100% malware protection with very low system overhead.

Numbers don’t lie, and McAfee’s comprehensive, tailored solutions are proven to reduce complexity to achieve multi-layer endpoint defense that won’t impact productivity.

You can imagine that with all of these issues, companies are moving cautiously and may very well run out of ramp before XP becomes EOL. Continuing in this mode opens businesses to risk, as there will no longer be vendor-supplied patches to address vulnerabilities. As risky as an outdated operating system may be, additional risk may also come from everyday business applications. Until you are ready to change your desktop environment, McAfee suggests three basic steps to combat risk:

1. Remove Admin privilege from standard users
2. Enable memory and buffer overflow protection;
3. Enable whitelisting for 0-day vulnerability protection.

One of the key metrics many auditors look at when evaluating a compensating control is to see that the control goes above and beyond. An unsupported operating system, or even any software code, can potentially be exploited through memory and buffer manipulation. 0-day vulnerabilities are being aggressively found and used to trigger zero-day attacks, like the recent Java zero-day vulnerability that pushed out crimeware payloads to unprotected users.

Mitigate these issues by normalizing user privileges commensurate with their roles and responsibilities – for example, users should not be Admin level unless they are part of your IT organization. Continue to leverage the McAfee Host Intrusion Protection for Desktop (HIPS) for memory and buffer overflow protection. Prevent unauthorized software from executing on your systems by adding McAfee’s dynamic whitelisting capability through McAfee Application Control.

Managing risk and going beyond with these steps ensures you can address the potential vulnerabilities that may be at hand by continuing on Windows XP for a limited time.

To learn more about today’s evolving landscape of desktop security, be sure to download our whitepaper.

This past April (4/19 to 4/21) I had the great pleasure and experience of joining the Red Team at 9^th NCCDC competition.   It was actually my 2^nd year on the Red Team and 4^th year to attend in total (I judged in 2010 and 2011).  McAfee is actually a perpetual sponsor of this event.  That being said, I have my own selfish agenda when I attend.

Joining in as part of the Red Team is, by far, on of the most educational experiences I could possibly put myself in.   Not only are you tossed into a room w/ folks like Mubix, Vyrus, Raphael Mudge, and others – but also you are on a limited schedule and from the time that the competition starts it’s heated and non-stop.

The general strategy this year was to lay down all our toys and persistence (backdoors, beacons, RATs and other tools) on Day 1.   We made very little noise, hoping that the competing teams would gain a false sense of confidence and not notice our presence on their systems.   This way on Day 2 when the chaos commences, and the teams choose to just ‘restore from backup’ or ‘revert snapshots’ and the like, they end up restoring all our persistent tools and we retain access and ownership.

DarkComet Client Console

And . . . .. . It worked!

Different individuals on the Red Team had their unique tools and methods to gain and retain access and unset the teams’ activities.   As the McAfee guy, I choose to rely on some old, tried and true (and very accessible RATs).  Most of my activities centered on the use of DarkComet and, to a far lesser degree, DNA.

RAT Remote Process View

My philosophy was driven by two primacy goals.   First, I know these things work realllllllllly well.  And with these RATs on the box, I can control and own everything.  Second, and possibly more interesting, is that if these tools work, I know that the teams are not putting any effort into installing/deploying even the most basic endpoint/host-based AV solutions.   This is especially intriguing because, as a sponsor, McAfee provided the competition with our software.   I purposely did NOT do any crypting/packing/obfuscation on the RATs I generated.   I know that McAfee (and just about all other) vendors DID detect these things.  Yet, I still managed to install and persist on most of the hosts that I deployed to (deployed via Cobalt Strike btw).

When the competition was over, I chatted with a few competitors, and mentioned this fact.  I immediately saw the gears start turning.  I could tell they had a real “Ahhhh we should have done that” moment.  Not to mention, that McAfee (and others) detect meterpreter/MSF listeners and Trojans as malware/PUPs.  Those could have been curtailed as well.

Each year, the teams have to setup, maintain, and safeguard an environment for a faux company/entity.  This year the teams were tasked with tasked with the environment of a Correctional Institute.   This includes databases for tracking the whereabouts of prisoners, an e-commerce site for a prisoner commissary, and more.  From the Red Team perspective, this gives us some of our big bets for getting points deducted from the teams.   For example if you kill/mangle/destroy the database for tracking prisoner and personnel, that’s one of the high point items.   After all, they don’t want an IT issue to allow prisoners to go unaccounted for or escape, etc.   Other hot items include public web site defacement and acquisition of PII (personally identifiable information).  For added fun, many of us defaced the web sites by posting the company’s PII for all to see.

Defaced with PII

All and all it was a fantastic experience.   I look forward to future activities with this competition.

UTSA shot a documentary this year.  I’ll post details on that once it’s released.    However, if you’d like to get some really detailed info, Hak5 released a documentary filmed at the 2012 event.   It features great interviews and ‘behind the scenes’ Red Team action.   I’m not interviewed, but you can see the top of my head in a couple shots!!

Hak5 Doc – Jim’s Head

2012 Hak5 Documentary

Additional Blogs on NCCDC 2013

• David Cowen - http://mcaf.ee/wid10
• Raphael Mudge - http://mcaf.ee/ageor
• Alex Levinson - http://mcaf.ee/limh1

NCCDC 2013 Red Team Brief - http://mcaf.ee/uodvk

Bonus:   We recently did our 2^nd AudioParasitics episode with the great Raphael Mudge.   This time we have a full and glorious video demo of Cobalt Strike in action.  We actually walk though scenarios and give you details on how some of these Red Team activities actually occur.

AudioParasitics Episode 141 (video) - http://mcaf.ee/gep69

You probably also know that to improve your security, you should set a unique password for each of those accounts.  And each password should be lengthy, with a combination of letters, symbols and numbers. In addition, each unique, complex password should be changed often. At least once every 3-4 months.

Do you do all of this?

Probably not.  Most people don’t.  The password problem is that being security-minded does not usually equate with ease-of-use. Most people use the same password for all services. Or they choose different, but simple, easy-to-remember, and easy-to-break, passwords.  These simple passwords are often the name of their children, their family name, their user account name, or the street on which they live.  McAfee Labs reports that some of the top, famous ‘secret’ passwords breached frequently include “password”, “qwerty” and “123456”. And worse, some people combine both approaches and use the same, simple password for multiple accounts.

Unfortunately, ease-of-use comes at a cost. For the simple, memorable password, ease-of-use has also just been given to the person trying to breach the account.  They can simply use a “brute force” method and have a computer continually guess the password until it is found.

Then, if the same password has been used for all services, once one of the services gets breached, all the other accounts are also at risk. And with the number of accounts and services constantly increasing, the risk of a breach increases too.  And yet, so does the size of the password problem.

So how can you solve the password problem? One solution that reduces the account-overload is called “single sign-on”. A single sign-on solution allows users the ability to login once, and then that authentication instantly enables access across multiple applications. As a result, the user only has to create, remember and then refresh one password that complies with password best practices.

A solution that addresses the challenge of the strength of the password itself is called “one-time password.” It does this by adding another layer of security. Once the username and password are entered, the user is prompted to also provide a one-time password.  The one-time password is a unique code generated by an application that may be on a mobile device or PC, and is associated with that specific user. This approach or method requiring both authentication steps is referred to as two-factor authentication, strong authentication or two-step authentication.  By using this method, no one can breach an account by just knowing the username and password.  They also need physical access to the mobile phone or PC that runs the one-time password application. Because of its ease-of-use and improved security, many popular, online and cloud-based services like Facebook and Google are moving to adopt two-factor authentication.

The password problem can be solved. Reduce the number of accounts you need a unique password for by implementing a single sign-on solution. Improve the security of that password with a simple, easy-to-use one-time password utility.  With these two solutions, people and the companies they work for can feel confident that their accounts, and their identities, are more secure and easier to manage.

If you have any questions about single sign-on or one-time password solutions or technologies, feel free to ask or comment here in this post.  I’m here to help.  Or, feel free to open an interactive chat with us at the Center now by using our Click-to-Consult option.

Also, considering checking into our Intel and McAfee Password Day on May 7^th.  Join us for a Tweet Chat, or enter a sweepstakes using Intel’s password grader tool through May 26^th.

We look forward to hearing from you.

Why were we rated the Best Buy? Its simple. While other vendors struggle to provide the intelligence or the performance needed to deliver on the promise of real-time actionable intelligence – McAfee ESM started by solving the information management challenge first. By developing a database that was specifically designed to handle the massive insertion rates, real time analysis, and simultaneous query use the SIEM application demands – we started fast, which allows us to continually build on that platform to deliver the industry standard for “smart”.

Its not an easy problem to solve. In fact, you’ll see us solidly beat other “next generation” SIEM data management architectures on performance, value for money and ease of use. And with Security Connected at McAfee, we are not only delivering actionable intelligence – but turning it into intelligent action. With recently introduced active integration with McAfee ePO, Network Security Platform and Vulnerability Manager, organizations can automatically turn smart information into automatic policy change, quarantine and scan actions.

“From a functionality standpoint, this appliance has it all. On top of prebuilt dashboards, many interactive charts and graphs, the ability to take data and logs from almost any source that has an IP address, and the ability to drill down into raw log data quickly and easily, this product also features a multitude of pre-
built compliance 
reporting tools.”

You can download the full SCMagazine report to read more, or follow @McAfeeSIEM on Twitter to get the most up-to-date content.

McAfee acquired NitroSecurity because it was the only SIEM that combined strong intelligence with speed and ease of management.   We are excited to continue our efforts to be the best standalone SIEM and offer added value to McAfee customers through Security Connected.

I am excited and honored to share that McAfee has entered into a definitive agreement to acquire Stonesoft Oyj, a leading innovator in next-generation firewalls. If you’ve been following my posts, you know that I am constantly blown away by the innovation and expertise of the McAfee engineers and developers. For the last year, I’ve shared all the latest advances in our Network Security Platform, our competitive differentiators, and our positioning in the market. I’ve been so proud of our successes.

Now, it’s just getting better. McAfee already designs and deploys a high-assurance firewall, which provides protection to the world’s most critical networks including government agencies. With this acquisition, I am extremely confident that we can deliver a next-generation firewall with the cutting-edge, technology from Stonesoft that is designed to meet the needs of an entirely new larger enterprise segment.

I’m also proud of Intel, our parent company. Intel is an incredible powerhouse in the world of technology and this solid investment proves that network security is, in fact, vital to Intel and a core foundation in its third pillar of computing. This is also a confidence-builder for our enterprise customers who value our solutions and for the teams that spend their days and nights strategizing ways to deliver the best network security products on the market.

With Intel’s backing, we can now provide two leading firewall solutions that will be a critical layer in our Security Connected strategy. This investment in Stonesoft will also allow us to focus our resources on evolving our IPS platform to be the market-leading solution to help businesses defend against the most sophisticated and advanced threats. Couple IPS and firewall with our advanced threat intelligence, threat evasion expertise, and leading web and email protection solutions, and there is no question McAfee will be leading the way in the network security space.

Stonesoft is also passionate about security. And, like McAfee, this commitment and passion has led to notable successes. Together, once the acquisition closes, we will design and deliver network security solutions that will stand alone in a new market space. There is no time like the present to create a more secure future. I’m really looking forward to being part of it.

You can read the complete press release here

http://www.mcafee.com/us/about/news/2013/q2/20130505-01.aspx

The latest hacker victim is daily deal site LivingSocial, which put more than 50 million customers’ data at risk.  These types of attacks give hackers access to not only customers’ credit card information, but also any personal information stored in databases, such as home address, phone number and email.

These hacks are continuing at an alarming rate and unfortunately, small- and medium-sized businesses (SMBs) are valuable targets for cybercriminals. Hackers count on companies who underestimate their exposure, and more than 75 percent of data breaches in 2011 targeted SMBs. With limited budgets, time and resources, SMBs often tend to overlook the importance of a well-rounded security solution. This puts SMBs at greater risk for an attack.

Now more than ever, SMBs should also be aware of the potentially damaging implications of such hacks. LivingSocial is a prime example. Since SMBs are increasingly looking for new channels to market their goods and services, daily deal sites such as LivingSocial are attractive services since they offer a platform to reach a broader customer base. Unfortunately, these new channels also come with potential risks that can leave SMBs vulnerable. SMBs should think of these daily deal sites as another service provider or another database that they need to secure.

To protect themselves, their business and their customers, SMBs need to enact additional security protocols. Specifically, SMBs should:

1. Ensure any discount outlets they use implement full encryption across all aspects of their customer data

2. Confirm they do not store credit card information in the same database as customer data
3. Verify that discount outlets and digital channels digitally shred customer data once the transaction is completed
4. Require all employees to use their business systems passwords for work purposes ONLY. Employees should not use their work emails or passwords to register on sites such as LivingSocial. Doing so exposes the business to vulnerabilities from hackers who can gain access to sensitive business information from within