A Well-Connected Sandbox
Solution Brief

Ensure the success of your advanced threat defense strategy

Top of mind for most CSOs is the growing risk of advanced threats and the technical requirements to effectively defend against them. Threats are constantly evolving to mask their intent, conceal malicious payloads, exploit newly disclosed vulnerabilities, and evade detection. Today’s most effective method to address these challenges includes sandbox technology, which provides in-depth analysis of new or unknown files and executables in a secure environment.

The effectiveness of a sandbox technology is determined by several factors. The first is the ability to detect evasive threats. Another key factor is how well the sandbox is integrated into the existing security infrastructure—from network edge through the endpoint. A well-connected sandbox is critical to the success of an effective threat defense strategy. Unlike stand-alone sandboxes that add complexity through isolation, McAfee® Advanced Threat Defense adds in-depth analysis as a tightly integrated, shared resource that strengthens and synchronizes defensive capabilities throughout the network.

In this brief, we’ll take a look at common use cases that show how integration between McAfee Advanced Threat Defense and other security controls from McAfee, a part of Intel Security, creates a multipronged strategy designed to make enterprise defenses both more effective in detecting previously unknown malware and globally responsive when a new attack occurs.

Start with a Great Sandbox

The first factor that extends—or limits—sandbox detection capabilities is the range of inspection techniques available. Many provide dynamic analysis only, which most commonly includes file detonation and observation of the resulting behavior. Dynamic analysis, while a good start, is vulnerable to evasive techniques, such as delayed execution and hidden execution paths.
McAfee Advanced Threat Defense

McAfee Advanced Threat Defense represents the next generation of advanced threat detection. This multilayered solution wraps a dynamic inspection engine with additional tools to detect evasive tactics. It applies a series of analytics in a down-select sequence of increasing computational intensity to deliver high levels of detection accuracy with extremely high throughput performance.

The on-board features include:

■ Signature-based detection of viruses, worms, spyware, bots, Trojans, buffer overflows, and blended attacks using a comprehensive knowledgebase created and maintained by McAfee Labs, which currently includes more than 300 million signatures.

■ Reputation-based detection using the McAfee Global Threat Intelligence (McAfee GTI) network to detect newly emerging threats.

■ Real-time emulation that simulates code execution using lightweight runtime environments and heuristic behavioral analytics to quickly find malware threats that evade signatures and reputation-based inspection.

■ Dynamic sandbox analysis that executes files in a run-time environment and observes the resulting behavior. While requiring more resources and time than real-time emulation, it accurately discovers more sophisticated threats. McAfee Advanced Threat Defense uniquely configures virtual run-time environments to match the target host based on queries to McAfee® ePolicy Orchestrator® (McAfee ePO™) software. Analyzing behavior under the conditions of an intended host quickly produces accurate results, revealing behaviors often not triggered in a generic environment.

■ Full static code analysis that analyzes the source code and instruction sets without execution. Comprehensive unpacking capabilities open all types of packed and compressed files to enable complete analysis and classification.
Full static code analysis provides critical insight into input-dependent behaviors and delayed or hidden execution paths that often do not execute during dynamic analysis and are overlooked by less comprehensive solutions.

Connect the Sandbox

The in-depth inspection capabilities of McAfee Advanced Threat Defense are of most value when deeply integrated with inline security controls that can intercept and forward unknown files for analysis. With integration, sandbox convictions are quickly communicated so that security controls can take immediate action: blocking a malicious file, preventing its execution on an endpoint, or updating the defenses on other potential targets. Tight integration between McAfee Advanced Threat Defense and other Intel Security solutions creates new opportunities to reinforce malware security throughout the environment.

Use Cases

The well-connected sandbox offers robust protection against advanced threats across the entire enterprise environment. Let’s take a look at some use cases that clearly demonstrate how the Security Connected approach supports and extends the capabilities of McAfee Advanced Threat Defense throughout the infrastructure—from the network to content gateways to endpoints.

Use case 1: Strengthening malware security at the network edge

Intel Security products on deck: Deploy McAfee Advanced Threat Defense with McAfee Network Security Platform (IPS) and/or McAfee Next Generation Firewall to find and freeze emerging malware threats.

Security Connected in action: When the intrusion prevention system (IPS) or firewall intercepts a file or executable and cannot make a positive conviction with the real-time analytics available onboard, it forwards a copy of the file or executable to McAfee Advanced Threat Defense for further analysis. McAfee Advanced Threat Defense applies its inspection engines in sequence, avoiding any that have already been run by the referring system.
McAfee Advanced Threat Defense then posts the resulting score and report to the referring solution, which immediately incorporates the score into its own policy enforcement processes. The convictions appear in IPS and firewall logs and dashboards in near real time, as if the entire analysis had been completed onboard. This streamlines investigative workflows, allowing administrators to efficiently manage alerts through a single interface.

Key advantages: Both McAfee Network Security Platform and McAfee Next Generation Firewall can leverage the complete McAfee Advanced Threat Defense inspection stack to find and stop stealthy malware attacks that would otherwise defeat their onboard defenses.

Security for the Network Edge

McAfee Network Security Platform discovers and blocks sophisticated threats in the network using a set of real-time detection technologies. It delivers inline speeds up to 40 Gbps on a single appliance and maintains exceptional throughput performance and accuracy, regardless of security settings.

McAfee Next Generation Firewall combines security with high availability and manageability, delivering advanced protection for corporate headquarters, data centers, or branch offices. It integrates layer 7 network application control, intrusion prevention, virtual private networking, and evasion prevention functionality on a unified software core.

Figure 1. Integration points for finding, freezing, and fixing malware. (Components shown between the Internet and the corporate user: McAfee Advanced Threat Defense, McAfee Email Gateway, McAfee Enterprise Security Manager (SIEM), McAfee Web Gateway, McAfee Network Security Platform, McAfee Next Generation Firewall, McAfee Global Threat Intelligence, and McAfee ePO.)
Use case 2: Strengthening malware security at content service gateways

Intel Security products on deck: Deploy McAfee Advanced Threat Defense with direct integration to McAfee Web Gateway or McAfee Email Gateway to find and freeze stealthy, evasive malware attacks embedded in web and email traffic.

Security Connected in action: McAfee Web Gateway and McAfee Email Gateway scan their assigned traffic flows for potential threats embedded in web traffic and email messages. Any files that cannot be cleared or convicted with onboard analytics are forwarded to McAfee Advanced Threat Defense for further analysis. The referring gateway receives the score and automatically incorporates it in policy enforcement workflows and dashboards. Convicted files are blocked immediately and on all future appearances.

Unlike most web security solutions, McAfee Web Gateway features onboard SSL decryption. This allows the gateway to send decrypted files to McAfee Advanced Threat Defense for faster, more accurate analysis. And because both gateways offer device profiling, suspect files can be sent to McAfee Advanced Threat Defense along with header information indicating the target platform (if McAfee ePO software is not available to provide that information). This helps the dynamic analysis engine load a matching virtual machine image for more accurate and complete analysis.

Key advantages: With McAfee Advanced Threat Defense in the environment, McAfee Web Gateway and McAfee Email Gateway can leverage its complete file inspection stack to find and stop stealthy malware attacks that might otherwise slip past their onboard defenses. Because email traffic can tolerate small amounts of latency, suspect files can be held at the gateway until analysis is complete. And the web gateway’s flexible rules engine lets administrators set policy for whether files are held during analysis or allowed and tracked.
Both instances allow “patient zero protection,” in which the first detected instance of a new threat is blocked, eliminating the need to locate and remediate one or more infected endpoints.

Security for Content Gateways

McAfee Email Gateway combines inbound threat protection, outbound encryption, advanced compliance, data loss prevention, and administration in a single, easy-to-deploy appliance.

McAfee Web Gateway provides broad capabilities, from web filtering and anti-malware scanning to deep content inspection and granular control over how websites and applications are used.

Use case 3: Strengthening malware security on the endpoint and beyond

Figure 2. Security components operate as one to immediately share relevant data among endpoint, gateway, and other security products. (Components shown connected through the Data Exchange Layer: McAfee Next Generation Firewall, McAfee Global Threat Intelligence, McAfee Network Security Platform, McAfee Web Gateway, McAfee Email Gateway, McAfee Advanced Threat Defense, McAfee Threat Intelligence Exchange Server, Third-Party Feeds, McAfee ePO, McAfee Enterprise Security Manager, and McAfee VirusScan® Enterprise with the McAfee Threat Intelligence Module.)

Intel Security products on deck: Deploy McAfee Advanced Threat Defense along with McAfee Threat Intelligence Exchange, McAfee ePolicy Orchestrator (ePO), and McAfee Endpoint Protection products to prevent patient-zero infections and remove convicted files from endpoints across the network. Leverage the data exchange layer to integrate additional security products and share new threat discoveries throughout the entire security environment in near real time.

Security Connected in action: McAfee Advanced Threat Defense and McAfee Threat Intelligence Exchange work with McAfee ePO software to provide endpoint systems with real-time situational awareness about security events throughout the network.
When a new file attempts to execute on an endpoint, it is initially inspected by endpoint security using signatures, rules, and reputation from McAfee Global Threat Intelligence. If endpoint security cannot convict or clear the file, it forwards a hash to McAfee Threat Intelligence Exchange, which consults local hash files, whitelists, blacklists, and various reputation sources to make a decision. If no reputation is available, McAfee Threat Intelligence Exchange forwards the file to McAfee Advanced Threat Defense for in-depth static code analysis and dynamic interrogation. Endpoint security is configurable to either hold execution of the unknown file until McAfee Advanced Threat Defense returns a verdict, or to allow execution of the file while McAfee Advanced Threat Defense completes its analysis. These results are returned to McAfee Threat Intelligence Exchange and immediately published to all endpoints and other security measures, including the referring endpoint, which will immediately close malicious process execution if it started during the analysis period. Additionally, McAfee Threat Intelligence Exchange-enabled endpoints continue to receive file conviction updates when off the network, extending protection to off-network assets and eliminating blind spots from out-of-band payload delivery.

Security for Network Endpoints and Beyond

McAfee Threat Intelligence Exchange: This tool enables adaptive threat prevention by sharing relevant security data across endpoints, gateways, and other security products. It relies on the data exchange layer, a bi-directional communications fabric that provides a persistent connection over which connected components share intelligence in real time, regardless of their location.

McAfee ePO Software: Our centralized management console provides enterprise-class, unified management of endpoint, network, and data security. End-to-end visibility and powerful automations slash incident response times.
McAfee Endpoint Security: This comprehensive solution integrates numerous technologies for coordinated, complete protection against all five threat vectors—system, email, web, data, and network.

Beyond endpoint protection, connecting McAfee Advanced Threat Defense to McAfee Threat Intelligence Exchange and other security measures through the data exchange layer creates a single collaborative system. New malware threats uncovered by McAfee Advanced Threat Defense working in tandem with edge, gateway, or endpoint security measures are instantly reported to connected security measures in near real time. The result is adaptive, cross-vector detection, blocking, and containment of advanced targeted attacks. The entire enterprise environment can now be secured against a newly discovered attack within a fraction of a second. Endpoints are protected against executing a known malicious file, and gateways are on alert to block subsequent instances at the network edge.

Key advantages: Any newly identified malicious file, no matter where it is first detected, can now be recognized and blocked at every endpoint and across the network. This adaptive response provides instant protection across the entire environment, including network, gateway, and endpoints. Responsive agility is increased, while the time-to-containment and time-to-remediation are dramatically reduced, all without the need to re-architect the network.

Use case 4: Finding and fixing infected endpoints fast

Intel Security products on deck: Deploy McAfee Enterprise Security Manager (SIEM) with McAfee Advanced Threat Defense, McAfee Complete Endpoint Protection, and McAfee ePO software to dramatically reduce the time required to track down and remediate compromised endpoint systems.
Security Connected in action: When deployed in a network, McAfee Enterprise Security Manager collects, parses, correlates, and stores log and event information from security systems and other network devices. When McAfee Advanced Threat Defense convicts a suspect file, it funnels a CybOX/STIX-formatted indicator of compromise (IoC) to McAfee Enterprise Security Manager, which can then interpret and act on these artifacts. For both the original payload and any nested (unpacked) payloads revealed in the analysis, the data transferred includes the name, hash (MD5 or SHA-1), and severity of the convicted file; the gateway or device that first detected it; the message that carried it; the source and destination systems; and the source URL. The cyberthreat manager in McAfee Enterprise Security Manager incorporates this data in its correlations and analysis. All values are parsed and can be used to trigger security responses—both automated and interactive.

Security analysts can query McAfee Enterprise Security Manager to correlate security event histories with IoCs reported by McAfee Advanced Threat Defense. Destination hosts can be listed to indicate potentially compromised machines. Source domains and IP addresses involved in multiple attacks can be identified. McAfee Enterprise Security Manager can also coordinate a variety of attack responses. It can create a blacklist of suspect IP addresses and instruct McAfee Network Security Platform or McAfee ePO software to disallow any connection requests. It can also create a watch list of suspect IP addresses and alert whenever it sees a connection attempt to or from an internal host.

Solutions for Incident Analysis and Response

McAfee Enterprise Security Manager: McAfee Enterprise Security Manager brings together security intelligence and information management (SIEM) to provide situational awareness across the entire environment.
It collects, processes, and correlates billions of log events and flow data from a distributed network of receivers, making years of data continuously available for immediate access and analysis. It calculates baseline activity norms and alerts on variations that might indicate an imminent threat.

Tight integration between McAfee Enterprise Security Manager, McAfee Threat Intelligence Exchange, and other products enables coordinated, timely response. A newly discovered file can be flagged as malicious, initiating a search across the network for additional instances of the same file, removal of the file, or blocked execution. Remediation actions can also include issuing new configurations, implementing new policies, removing files, and deploying software updates that can proactively mitigate risk.

Key advantages: Security analysts can correlate IoCs extracted from malware analytics against aggregated security event histories to quickly identify compromised endpoints, contain attacks, mitigate damages, and remediate all affected systems.

Learn more about McAfee Advanced Threat Defense at: www.mcafee.com/atd.

Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee, the McAfee logo, ePolicy Orchestrator, McAfee ePO, and VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright © 2015 McAfee, Inc. 61642brf_well-connected-sandbox_0115_fnl_ETMG

McAfee. Part of Intel Security. 2821 Mission College Boulevard, Santa Clara, CA 95054. 888 847 8766. www.intelsecurity.com
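The correlation described in use case 4, as an added illustration that is not McAfee code: sandbox convictions carrying the fields the brief lists (name, hash, severity, detecting device, source/destination, URL, nested payloads) are matched by hash against SIEM event lines to list potentially compromised destination hosts and sources involved in multiple attacks. The IoC records and log lines are constructed, the dict form stands in for real CybOX/STIX, and the "executed" list and the blacklist/watchlist split are assumptions rather than product behaviour.

```python
"""Correlate sandbox IoCs against SIEM event history (use case 4).

Added illustration, not McAfee code. IoC records and log lines are constructed:
IoCs carry the brief's fields (name, hash, severity, device, source/destination,
URL, nested payloads) as plain dicts, not real CybOX/STIX XML. The "executed"
list and the blacklist/watchlist split are assumptions, not product behaviour.
"""
import re
from collections import Counter

# Constructed IoC feed: one conviction that also reveals an unpacked payload.
IOCS = [
    {"name": "invoice.zip", "sha1": "aaaa1111", "severity": "high",
     "device": "mwg-01", "message": "Invoice #4471", "src": "203.0.113.7",
     "dst": "10.1.4.22", "url": "http://203.0.113.7/dl/invoice.zip",
     "nested": [{"name": "invoice.exe", "sha1": "bbbb2222", "severity": "high"}]},
]

# Constructed SIEM events (key=value records); action=exec means an endpoint ran the file.
EVENTS = """\
ts=2015-01-12T09:01:00 dev=mwg-01 src=203.0.113.7 dst=10.1.4.22 sha1=aaaa1111 action=allow
ts=2015-01-12T09:03:10 dev=epo src=203.0.113.7 dst=10.1.4.31 sha1=bbbb2222 action=exec
ts=2015-01-12T09:04:00 dev=nsp-02 src=198.51.100.9 dst=10.1.4.22 sha1=cccc3333 action=allow
ts=2015-01-12T09:05:00 dev=epo src=203.0.113.7 dst=10.1.4.40 sha1=bbbb2222 action=exec
ts=2015-01-12T09:06:00 dev=mwg-01 src=198.51.100.9 dst=10.1.5.2 sha1=aaaa1111 action=allow
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Turn one key=value log line into a dict."""
    return dict(KV.findall(line))

def ioc_hashes(iocs):
    """Map every convicted hash, parent and nested payloads alike, to its severity."""
    out = {}
    for ioc in iocs:
        out[ioc["sha1"]] = ioc["severity"]
        for child in ioc.get("nested", []):
            out[child["sha1"]] = child["severity"]
    return out

def correlate(iocs, event_text):
    """Match event history against IoC hashes and derive response lists."""
    hashes = ioc_hashes(iocs)
    hits = [e for e in map(parse_event, event_text.splitlines())
            if e.get("sha1") in hashes]
    sources = Counter(e["src"] for e in hits)
    return {
        # every destination that received a convicted file: potentially compromised
        "compromised": sorted({e["dst"] for e in hits}),
        # hosts that actually executed a payload: remediate these first
        "executed": sorted({e["dst"] for e in hits if e.get("action") == "exec"}),
        # sources seen in multiple attacks: candidates for a connection blacklist
        "blacklist": sorted(s for s, n in sources.items() if n > 1),
        # every source involved at all: watch list to alert on future connections
        "watchlist": sorted(sources),
    }
```

Calling correlate(IOCS, EVENTS) on the constructed data flags four destination hosts, two of which executed the unpacked payload, and singles out the one source that appears in more than one event.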