mc afee conectando las piezas
DESCRIPTION
En la actualidad el crecimiento exponencial del malware sofisticado y los métodos de evasión utilizados por cibercriminales se han convertido en una combinación letal para las organizaciones. Los silos de información y la carencia de automatización entre ellos, convierte a las empresas en foco fácil de los atacantes. Hoy las empresas no solo buscan llenar el “check” de Compliance, sino realmente mitigar sus riesgos de seguridad de manera más eficiente y proactiva. Una seguridad conectada, a través de diferentes componentes tecnológicos mediante los cuales se “comparte” la información para tomar conciencia y reaccionar de manera inmediata hace la diferencia entre ser uno más de las estadísticas de incidentes de seguridad o no serlo. Dirigido a: Jefes o Coordinadores de TI, Gerentes de Sistemas o TI, CIO, CISO, CTOTRANSCRIPT
Conectando las piezas para mitigar el riesgo
Jorge Herrerías, CISSP Sales System Engineer
Malware Continues to Grow…
2
0
2,000,000
4,000,000
6,000,000
8,000,000
10,000,000
12,000,000
Q1 2010
Q2 2010
Q3 2010
Q4 2010
Q1 2011
Q2 2011
Q3 2011
Q4 2011
Q1 2012
Q2 2012
Q3 2012
Q4 2012
Q1 2013
14,000,000
Source: McAfee Labs ,2013
New Malware Samples New malware
samples grew 22%
from Q4’12 to Q1‘13
2012 new malware
sample discoveries
increased 50%
over 2011.
Malware continues to grow, and getting more sophisticated…
128M Total Malware Samples in the McAfee Labs Database
The number of new, unique samples this quarter is greater than 320,000, more than twice as many as in the first quarter of 2013.
During the past two quarters, McAfee Labs has catalogued more ransomware samples than in all previous periods combined.
Ransomware
3
New Ransomware Samples
0
50,000
100,000
150,000
200,000
250,000
300,000
350,000
Q1 2011 Q2 2011 Q3 2011 Q4 2011 Q1 2012 Q2 2012 Q3 2012 Q4 2012 Q1 2013 Q2 2013
Total Malware Samples
4
The McAfee “zoo” now contains more than 140 million unique malware samples.
Total Malware Samples
0
20,000,000
40,000,000
60,000,000
80,000,000
100,000,000
120,000,000
140,000,000
160,000,000
Jul-12 Aug-12 Sep-12 Oct-12 Nov-12 Dec-12 Jan-13 Feb-13 Mar-13 Apr-13 May-13 Jun-13
Suspicious Internet (MX)
5
As of December 31, 2012, nearly
1,100 suspicious Internet addresses
hosted in Mexico were analyzed by
McAfee. There were only 800 in late
2011. 62 percent of the current ones
are assigned with a maximum risk.
Nearly 51 percent of these URLs
hide malware. About 26 percent of
them are used in phishing
campaigns and 13 percent in spam
campaigns.
Comprehensive Malware Protection
First Layer of Defense:
Global Visibility and
Situational Awareness
Network
Anti Malware
Comprehensive Malware Protection
Second Layer of Defense:
McAfee Advanced Threat Defense
Comprehensive Malware Protection
IPS Web
IPS
IPS
Third Layer of Defense:
Network Threat Protection
Comprehensive Malware Protection
Fourth Layer of Defense:
Comprehensive Endpoint
Threat Defense
Comprehensive Malware Protection
Fifth layer of defense:
Real Time Endpoint Awareness
Comprehensive Malware Protection
Sixth Layer of Defense:
Heal Endpoints
Comprehensive Malware Protection
GTI Seventh Layer of Defense:
Global Threat Intelligence
Multi-Layering Defense | Interconnected
Network
Anti Malware
SIEM
Intrusion Prevention
System
Unified Administration
Web Protection
MOVE AV Application Control
Deep Defender
Email Protection
Security for Microsoft
Exchange
Device Control
Site Advisor
Host IPS
VirusScan
Firewall Enterprise
Data Center Security
Database Security
Mobilty
Device Control
Escena 1
Escena 2
Escena 3
Escena 4
Escena 5
Escena 6
Escena 7
Result: https://www.virustotal.com/en/file/59c878b9daa887167c1857edf1d121dddfa0fb30031058e0d87f46890e7456ad/analysis/
McAfee Comprehensive Malware Protection Solution Overview
FIND
Efficient AV Signatures
GTI Reputation
Emulation Engine
Target-Specific Sandboxing (ValidEdge)
McAfee Global Threat Intelligence
McAfee Endpoint Agent*
McAfee Web Gateway
McAfee Email Gateway
McAfee Network IPS
McAfee ePO
FREEZE
NSP
Gateways
GTI/LTI
FIX
Automated Host Cleaning (ePO)
Malware Fingerprint
Query (Real Time ePO)
McAfee Advanced Threat Defense
Discovering ZeroDay and Targeted Attacks Live Walkthrough
McAfee Global Threat Intelligence
Efficient AV Signatures
GTI Reputation
Emulation Engine
Target-Specific Sandboxing (MATD)
Advanced Threat
Defense
JAR Analysis
.exe Analysis
PDF Analysis
3rd Party Threat Data
MFE FINDS VIA CLOUD
Network Threat
Response
LIVE E-MAIL RECEIVED 08-27-2013
URL REDIRECT TO
MALWARE SITE
YOU FIND ON-PREM
Discovering ZeroDay and Targeted Attacks Live Walkthrough
McAfee Global Threat Intelligence
Efficient AV Signatures
GTI Reputation
Emulation Engine
Target-Specific Sandboxing (MATD)
Advanced Threat
Defense
JAR Analysis
.exe Analysis
PDF Analysis
3rd Party Threat Data
MFE FINDS VIA CLOUD
Network Threat
Response
YOU FIND ON-PREM REPUTATION CHECK OF THE URL PASSES
PAYLOAD APPEARS TO BE A .SCR INSIDE A .ZIP
Discovering ZeroDay and Targeted Attacks Live Walkthrough
McAfee Global Threat Intelligence
Efficient AV Signatures
GTI Reputation
Emulation Engine
Target-Specific Sandboxing (MATD)
Advanced Threat
Defense
JAR Analysis
.exe Analysis
PDF Analysis
3rd Party Threat Data
MFE FINDS VIA CLOUD
Network Threat
Response
YOU FIND ON-PREM DUE TO ZERO DAY, FEW A/V SIGNATURE CATCHES
MATD OR NTR EXECUTION DEMONSTRATES:
Discovering ZeroDay and Targeted Attacks Live Walkthrough
McAfee Global Threat Intelligence
Efficient AV Signatures
GTI Reputation
Emulation Engine
Target-Specific Sandboxing (MATD)
Advanced Threat
Defense
JAR Analysis
.exe Analysis
PDF Analysis
3rd Party Threat Data
MFE FINDS VIA CLOUD
Network Threat
Response
YOU FIND ON-PREM
WHAT’S LEARNED THROUGH EXECUTION:
Discovering ZeroDay and Targeted Attacks Live Walkthrough
McAfee Global Threat Intelligence
Efficient AV Signatures
GTI Reputation
Emulation Engine
Target-Specific Sandboxing (MATD)
Advanced Threat
Defense
JAR Analysis
.exe Analysis
PDF Analysis
3rd Party Threat Data
MFE FINDS VIA CLOUD
Network Threat
Response
YOU FIND ON-PREM
Escena 8 (Malware)
October 18, 2013 29
Usar los controles adecuados…
Defending Against Targeted Attacks Requires Lean-Forward Technologies and Processes
Medium Risk High Risk
Global Threat Intelligence and SIEM
McAfee Labs IP Reputation Updates
GOOD SUSPECT BAD
IP REPUTATION CHECK
Botnet/
DDos
Mail/
Spam
Sending
Web Access Malware
Hosting
Network
Probing
Network
Probing
Presence of
Malware
DNS Hosting
Activity
Intrusion
Attacks
EVENT
AUTOMATIC IDENTIFICATION
AUTOMATIC RISK ANALYSIS VIA ADVANCED CORRELATION
ENGINE
Manejo de Eventos…
Priorizar los eventos de seguridad
De arriba hacia abajo…
Si bueno, con quién hablo?
D
User on WinXPHost01
downloads “Windows update”
from fake site. Executes it,
nothing sinister appears.
October 18, 2013 37
Meanwhile, we start to see a
number of potentially malicious
events related to this host on
McAfee ESM.
October 18, 2013 38
Step 1: This external host looks
suspicious. Let's blacklist him.
October 18, 2013 39
October 18, 2013 40
October 18, 2013 41
October 18, 2013 42
October 18, 2013 43
Quarantine successfully
implemented through the McAfee
NSM. Link to C&C host blocked.
Step 2: This internal endpoint appears to have
been compromised. From McAfee ESM we can
lock it down and scan it immediately through
ePO.
Looking at the endpoint, we see
that the firewall started off
disabled.
ePO enables the firewall with a
restrictive policy.
The Trojan is contained on the
endpoint.
Simultaneously, ePO launches
an aggressive scan.
Additional malware on the infected
host discovered and cleaned.
October 18, 2013 50
• ESM Screeenshot to show remediation was successful in SIEM.
Confirmation back in the SIEM.
Remediation complete.
Comprehensive
malware protection,
,
is an orchestrated approach
to protect against malware.
October 18, 2013 52
Referencias de reportes de consumo