Why were we rated the Best Buy? Its simple. While other vendors struggle to provide the intelligence or the performance needed to deliver on the promise of real-time actionable intelligence – McAfee ESM started by solving the information management challenge first. By developing a database that was specifically designed to handle the massive insertion rates, real time analysis, and simultaneous query use the SIEM application demands – we started fast, which allows us to continually build on that platform to deliver the industry standard for “smart”.

Its not an easy problem to solve. In fact, you’ll see us solidly beat other “next generation” SIEM data management architectures on performance, value for money and ease of use. And with Security Connected at McAfee, we are not only delivering actionable intelligence – but turning it into intelligent action. With recently introduced active integration with McAfee ePO, Network Security Platform and Vulnerability Manager, organizations can automatically turn smart information into automatic policy change, quarantine and scan actions.

“From a functionality standpoint, this appliance has it all. On top of prebuilt dashboards, many interactive charts and graphs, the ability to take data and logs from almost any source that has an IP address, and the ability to drill down into raw log data quickly and easily, this product also features a multitude of pre-
built compliance 
reporting tools.”

You can download the full SCMagazine report to read more, or follow @McAfeeSIEM on Twitter to get the most up-to-date content.

McAfee acquired NitroSecurity because it was the only SIEM that combined strong intelligence with speed and ease of management.   We are excited to continue our efforts to be the best standalone SIEM and offer added value to McAfee customers through Security Connected.

Generic Dropper.p (XtremeRAT)

This is where, from the research side, things begin to get fun.

Automated malware analysis is nothing new to our industry. Most vendors (ourselves included) have tools to handle this internally, and assist our skilled human analysts with proper classification, documentation, and other recurring tasks that must occur with the daily barrage of new and unique malicious binaries. The bar for this threat, however, has been raised. With ValidEdge, we were able to generate enormous amounts of usable and actionable data from the execution of malware samples. We get feedback from basic static analysis, as well as from runtime data. We get all the usual system modification data, and full and complete network/communication data, and samples and memory dumps from second-level threats (dropped, created, downloaded entities). And it’s all done in a safe environment, with extremely robust reporting.

To fully illustrate, let’s focus on the Trojan that affected the Israeli police. In the McAfee universe, we detect this threat as Generic Dropper.p.

To start with, you simply submit your sample(s) to the ValidEdge appliance/host. The ways to do that vary depending on implementation. In my setup, it’s as simple as dropping the file, via FTP, on the appliance, then picking up the results set the same way (different directory on the FTP server). Easy and fast. I immediately had a set of results from my submission of the following sample:

The result sets are organized as a specific directory structure.

Analysis report sample

This is where we typically end with most tools. The exception here, from my experience, is that there is much more data generated by the appliance to start taking action on.  The way in which the information is organized is also very friendly and workable. Some basic examples follow:

Sample Data	Sample Data 2
Sample Data 3	Sample Data 4

From here we can get enough static data to build a picture of the malware and its behavior. We also have network data and full memory dumps and screenshots at our disposal should we need to dig further.

Memory dumps

PCAPs

All the secondary/dropped files are presented as well. As such, these can be easily analyzed in context.

Dropped files

Dropped files, specific to this threat, are detected via McAfee Global Threat Intelligence along with the current DATs.

Example:

Name: word.exe
MD5: 2BFE41D7FDB6F4C1E38DB4A5C3EB1211
Detection: Artemis!2BFE41D7FDB6

At this point you have plenty of information to understand what this threat is doing, how it communicates, and much more. Some would argue that deep malware analysis is an art form. But to embark on that sort of journey you need enough data to make constructive, creative, and accurate decisions. Tools like ValidEdge do exactly that.

If you would like to learn more, you can read the following sources:

• http://www.opswat.com/partners/technology-partners
• http://www.mcafee.com/us/products/network-threat-response.aspx

• Spear-phishing remains the leading infection vector.
• Most attacks were from sophisticated threat actors (despite the simple infection vectors).
• The majority of the incidents could have been thwarted, detected or at least minimized through the use of security recommended practices.

It’s encouraging how well these findings map to McAfee’s “Secure Connected” strategy, which combines a variety of security controls into a larger framework for centralized threat detection and policy management—and even more so to McAfee’s strategy for securing Critical Infrastructures.  Critical infrastructure cyber security involves a few key products that have been tailed for industrial control systems and that, when used together under the Secure Connected framework, provide a reliable solution for ICS cyber security.   One of these keystone products is Application Control, which provides application whitelisting and change control for endpoint protection.  Whitelisting is a useful technology in ICS because it addresses the unique challenges of patch management in a control environment, where uptime is the single most important consideration.

The applicability of whitelisting was recently confirmed by an assessment of McAfee Application Control, Change Control and Integrity Control by the Pacific Northwest National Labs (PNNL).

The PNL report also highlights the importance of a security management framework as a critical component of a cyber security plan. “PNNL’s assessment … provides very high assurances (in many cases absolute assurance), that the software executives, configurations, processing environments, and external data communications endpoints possess the highest level of platform protection available for ICS environments today. Many challenges related to technical security requirements, ranging from best practice to regulatory, can be mitigate with a diligent application of this technology.”

The key is the framework, which creates a whole that is greater than the sum of it’s parts.  For example, consider another finding of ICS-CERT:  “Properly developed and implemented detection methods are the best strategy to quickly identify and implement a mitigation and recovery procedures … 10 [out of 17] organizations could have detected the incident by using ingress/egress filtering of known bad IP addresses or domain names.”  So connect McAfee’s Global Threat Intelligence to the SIEM and instantly see all activity to pinpoint actions involving known bad actors.

Download the PNNL Assessment of McAfee for Capabilities and applicability to Energy Sector Industrial Control Systems

Security information and event management (SIEM) systems were invented to help IT security teams within financial services companies, health care providers, defense contractors, and governments address the growing volumes of information security data. An onslaught of well-publicized data breaches followed by public outrage and a surge of regulatory mandates quickly made SIEM must-have technology.

The point product feeding binge

As corporate security officers scrambled to address these issues, virtualization bred even more data and applications that had to be secured and reported on. Companies added new security products—each bringing its own instrumentation and logging requirements. The volume of security data and real-time data streams grew exponentially until SIEM solutions bogged down. Some security teams started turning off SIEM data feeds in an effort to preserve performance. Unfortunately, each disabled data feed created another vulnerability and exposed the enterprise to greater risks.

Time for a big security data fitness plan

So how do you deal with big security data even as your business tightens its belt?

Today you need more relational information about the source, asset, user, and data to provide greater security context and situational awareness. You also need real-time correlation of this information with event flows—including scalable architecture that can keep pace with big security data’s growth.

Add Muscle, Lose Fat

Legacy SIEM solutions don’t have the power to handle big security data. Today, you need a SIEM that includes high-performance architecture to handle reams of security data and easily scales to handle future growth. In other words, you need McAfee Enterprise Security Manager (formerly NitroView). This SIEM powerhouse is specifically built for big security data with a powerful database, appliance options, and the processing power to quickly correlate billions of events and flows.

Boost Your SIEM IQ

The next generation of SIEMs must go beyond simple event analysis to share security intelligence among security components and quickly deliver actionable information. McAfee Enterprise Security Manager achieves this by immediately collecting and analyzing contextual information on events, users, and data, creating and sharing situational awareness among solution components.

• McAfee Global Threat Intelligence further strengthens dynamic threat visibility, providing around-the-clock reputation-based threat intelligence and sharing this insight through integration among solution components.
• McAfee Risk Advisor uses this shared information to help you quickly pinpoint attacks and implement countermeasures.

Achieve Balance and Agility
Big security data requires security tool integration and enterprise-wide visibility. Two-way integration with McAfee ePolicy Orchestrator (ePO) software extends visibility and control across your entire security and compliance environment.

Just like any fitness plan, SIEM requires effort and dedication. It gets easier over time and results become an excellent motivator.