
Product Guide

McAfee® Risk Advisor 2.7 Software
For use with ePolicy Orchestrator 4.5.0 and 4.6.0 Software

Page 2: Risk Advisor 2.7 Product Guide for use with ePO 4.5 / 4.6

COPYRIGHT
Copyright © 2012 McAfee, Inc. Do not copy without permission.

TRADEMARK ATTRIBUTIONS
McAfee, the McAfee logo, McAfee Active Protection, McAfee AppPrism, McAfee Artemis, McAfee CleanBoot, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Enterprise Mobility Management, Foundscore, Foundstone, McAfee NetPrism, McAfee Policy Enforcer, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, SmartFilter, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure, WormTraq are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others.

LICENSE INFORMATION

License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

2 McAfee® Risk Advisor 2.7 Software Product Guide

Page 3: Risk Advisor 2.7 Product Guide for use with ePO 4.5 / 4.6

Contents

Preface 7
  About this guide 7
    Audience 7
    Conventions 7
  Find product documentation 8

1 Introduction 9
  Product features 9
  Data sources 10
  Product components and how they communicate 11

2 Installation and configuration 15
  System requirements 15
    Supported McAfee product versions 16
    Licenses 17
  Installation 17
    Install or upgrade the McAfee Risk Advisor extension 17
    Install the McAfee Risk Advisor online Help 18
    Modify the data import extensions 19
  Post installation 19
    Verify that the extension is installed 19
    Configuring data imports 20
    Run the default download and analysis task 28
    Register servers for rollup reporting 29
    Configuring user permissions 29
  Enable threat localization 31
  Remove the McAfee Risk Advisor extension 32

3 Managing asset data 33
  Critical asset identification 33
    Define asset criticality labels 33
    Assign criticality to assets 34
  McAfee Network Security Platform policy declaration 35
    Declare McAfee Network Security Platform policies manually 35
    Remove declared McAfee Network Security Platform policies manually 36
    Override McAfee Network Security Platform declaration 37
    Remove McAfee Network Security Platform countermeasure override 37
  Define asset risk category labels 38
  Enable or disable assets for analysis 39
  Asset issue creation 39
    Create issues from the Assets tab on the Risk Metrics page 39
    Create issues from the System Tree 40
    Create issues from the Tag Catalog 40
    Create issues using a server task 40
    Create issues using automatic responses 41

4 Managing threat data 43
  Threat notes 43
    Add notes to threats manually 43
    Edit notes manually 44
    Delete notes manually 44
  Read status 45
    Filter threats by their read status 45
    Mark threats manually 45
  Threat tags 46
    Create threat tags 46
    Edit threat tags 46
    Delete threat tags 47
    Apply threat tags manually 47
    Remove threat tags manually 48
  Enable or disable threat for analysis 48

5 Performing risk assessment 49
  How McAfee Risk Advisor imports and analyzes data 49
    Download threats and analyze data 50
    Separate the import and analysis server tasks 50
    Data reconciliation process 52
    Data integrity process 52
  How risk is determined 52
    Risk score calculations 54
  How threat actions are determined 57
  Actions you can perform 57

6 Managing tasks and responses 59
  Automatic responses 59
    Predefined automatic response event groups 59
    Predefined automatic response actions 61
  Server tasks 61
    Predefined server task actions 61
    Predefined server task subactions 64

7 Customizing reports and analysis 65
  Application Awareness 65
    Enable or disable application awareness 65
  Risk analysis exceptions 66
    Add a user-defined countermeasure 66
    Edit a user-defined countermeasure 67
    Delete a user-defined countermeasure 67
    Declare a user-defined countermeasure 67
    Enable or disable a countermeasure declaration 68
    Edit a countermeasure declaration 68
    Delete a countermeasure declaration 69
    Create a suppression 69
    Edit a suppression 70
    Delete a suppression 70
  Reporting groups 71
    Specify reporting groups limit 71
    Create a reporting group 72
    Edit a reporting group 72
    Delete a reporting group 73
    Perform reporting group analysis 73
  Rollup reporting 74
    Perform rollup risk analysis 74
    Purge rollup risk analysis data 74
  Perform what-if risk analysis 74
  Add to the analysis queue 75
  Define enterprise risk category labels 76

8 Monitoring with dashboards and querying database 79
  Dashboards and monitors 79
    MRA: Threat Dashboard 80
    MRA: Threat Action Advisory Dashboard 84
    MRA Rollup: Risk Advisory Dashboard 87
    MRA: Security Bulletin Dashboard 90
  Queries 92
    Predefined queries 92
    Custom queries 95

9 Viewing reports 97
  Report navigation 97
  Advanced filters 100
    Asset-centric report filters 100
    Threat-centric report filters 101
  Server Risk Metrics tab 104
  Asset-centric report 106
  Threat-centric reports 108
    Threats page 108
    Threat Details page 109
    CVSS information 112
  Threat-asset centric reports 114
    Threat Asset Coverage page 114
    Threat Asset Coverage Details page 116
    How Am I At Risk page 117
    Where Am I At Risk page 118
    Assets Having Maximum Risk Score page 119
    Assets Impacted page 120
    Threats Having Maximum Risk Score page 121
    Impacting Threats page 122
  Action-centric reports 123
    What Threat Actions Required page 123
    Actionable Threat Count page 124
    No Immediate Action Required Threat Count page 124
  Rollup server reports 125
    Rolled up Risk Metrics tab 125
    Rolled up Servers Details page 127
    Rolled up Threat Details page 128
    Summary State page 129
    Coverage State page 130
    Threat Action Status page 130
  What-if Risk Analysis tab 131
  Vulnerability-centric reports 132
    Vulnerability Centric Report tab 132
    Assets vulnerable to a vulnerability ID page 132
    Assets not vulnerable to a vulnerability ID page 133
    Threats that exploit a vulnerability page 133
  Countermeasure-centric reports 133
    Countermeasure Centric Report tab 133
    Vulnerabilities that can be mitigated page 134
    Assets protected by countermeasure page 135
    Assets not protected by countermeasure page 135
    Threats Coverage page 135
  Risk analysis exceptions 136
    User Defined Countermeasures tab 136
    Countermeasure Declarations tab 136
    Suppressions tab 137
    User Defined Countermeasure Details page 137
    Countermeasure Declaration Details page 138
    Suppression Details page 139
    Suppressed Assets page 139
    Suppressed Threats page 140
  Reporting groups 140
    Reporting Groups management page 140
    Reporting Group Details page 141

10 Frequently asked questions 143

A Appendix 145
  Identify critical systems that are vulnerable 145
  Determine risk metrics for a set of threats and assets 146
  Exclude a set of threats from analysis temporarily 146
  Specify countermeasure protection for a set of assets 147

Index 149


Preface

This guide provides the information you need to install, configure and maintain your McAfee® Risk Advisor software.

Contents

About this guide
Find product documentation

About this guide
This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience
McAfee documentation is carefully researched and written for the target audience.

The information in this guide is intended primarily for:

• Administrators — People who implement and enforce the company's security program.

• Users — People who use the computer where the software is running and can access some or all of its features.

Conventions
This guide uses the following typographical conventions and icons.

Book title or Emphasis Title of a book, chapter, or topic; introduction of a new term; emphasis.

Bold Text that is strongly emphasized.

User input or Path Commands and other text that the user types; the path of a folder or program.

Code A code sample.

User interface Words in the user interface including options, menus, buttons, and dialog boxes.

Hypertext blue A live link to a topic or to a website.

Note: Additional information, like an alternate method of accessing an option.

Tip: Suggestions and recommendations.

Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.

Warning: Critical advice to prevent bodily harm when using a hardware product.


Find product documentation
McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.

Task

1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.

2 Under Self Service, access the type of information you need:

To access... Do this...

User documentation:
  1 Click Product Documentation.
  2 Select a product, then select a version.
  3 Select a product document.

KnowledgeBase:
  • Click Search the KnowledgeBase for answers to your product questions.
  • Click Browse the KnowledgeBase for articles listed by product and version.


1 Introduction

McAfee Risk Advisor is an analytics tool that assesses the risk posture of assets in your organization to identify which assets are at risk, and which are not, against known threats.

McAfee Risk Advisor works on the McAfee® ePolicy Orchestrator® framework. It imports different types of data, including:

• Threat data from McAfee Labs (McAfee Threat Intelligence Service threat feed)

• Assets data from the ePolicy Orchestrator System Tree

• Vulnerability, countermeasure, and application data from both endpoint- and network-based products

McAfee Risk Advisor then correlates the threat data with the vulnerability, countermeasure, and application data to assess the risk magnitude based on risk score.

Certain metrics are used to determine the risk posture of your network based on risk score. The risk score of each asset and threat is calculated from metrics such as the threat's applicability to an asset, the asset's vulnerability state, the countermeasure state on the asset, the threat base score, and the asset criticality level. These scores are then aggregated to compute metrics such as Asset Overall Score, Threat Overall Score, and Enterprise Overall Score, which determine the overall risk posture.

The risk assessment information is combined with the availability of a patch for a threat to generate reports that help you prioritize patch efforts at the threat and the asset levels. By assigning criticality levels to assets, McAfee Risk Advisor determines which assets you should address first.

McAfee Risk Advisor helps system administrators identify, assess, and prioritize risks, for better management of their resources.

Contents

Product features
Data sources
Product components and how they communicate

Product features
McAfee Risk Advisor offers features that help you assess and manage risk in your organization.

Feature: Description

Data imports and analysis: Import data from McAfee Labs and the supported McAfee products to correlate threat data with vulnerability, countermeasure, and application data.

Application awareness: Import application data from data sources such as McAfee Application Control and the McAfee Application Inventory agent, to determine threat applicability for the correct risk posture.

Patch prioritization: Analyze risk areas and prioritize patch efforts based on the findings.

Risk categorization: Categorize your risk based on enterprise and asset risk score to determine areas that need immediate attention.

Asset criticality: Assign criticality levels to assets and determine which assets you should address first based on the analysis results.

Automatic responses: Configure actions to take when specific events occur in your environment. For example, threat, asset, task, or risk score-based events can be configured to send a notification email to the system administrator.

What-if risk analysis: Perform predictive risk analysis to view the possible changes in risk metrics if the selected countermeasures were installed and configured.

Rollup reporting: Generate reports on McAfee Risk Advisor analysis data from multiple ePolicy Orchestrator servers.

Reporting groups: Perform selective threat-asset reporting by creating groups of systems based on groups or asset tags, and groups of threats based on tags.

User-defined countermeasures: Ability to define custom "countermeasures" for threat-asset combinations. Declare a user-defined countermeasure to consider a set of assets as protected against a set of threats during analysis.

Suppressions: Suppress a selection of threats for a selection of assets to perform analysis based on your requirements. The selected threat-asset combination is temporarily excluded from analysis.

Countermeasure override: Override a countermeasure for selected asset(s) from an asset-centric page to consider them as not protected by the countermeasure during analysis. For example, override a McAfee Network Security Platform countermeasure declaration for an asset.

Reports: Generate and view reports, comprised of preconfigured charts and tables, containing risk assessment information such as information about assets and their risk posture, threats and how they affect your environment, the overall risk posture of the enterprise, and custom reports based on requirements. These reports can be obtained from McAfee Risk Advisor dashboards, predefined queries, custom queries, and reporting pages such as Risk Metrics and Risk Advisor Reports, from the ePolicy Orchestrator console.

Patch Tuesday reports: Generate and view Patch Tuesday specific reports using the security bulletin dashboard and patch report queries to make decisions on patching efforts, and assess the effectiveness of patching operations over a period of time.

Localization: Product and threat data are localized in two languages: Chinese (Simplified) and Spanish; documentation is localized in six languages: Chinese (Simplified and Traditional), Japanese, Spanish, French, and German.

Data sources
McAfee Risk Advisor assesses the risk of threats to your environment by analyzing data from McAfee Labs and McAfee products.

Data source (data type): Data analyzed by Risk Advisor

McAfee Application Control (application and countermeasure): McAfee Risk Advisor identifies whether McAfee Application Control is installed and running on an asset. Also, the application inventory data is used for application awareness.

McAfee Application Inventory agent (application): McAfee Risk Advisor obtains the application inventory information from the managed assets using the agent.

McAfee® Host Intrusion Prevention (countermeasure): McAfee Risk Advisor uses McAfee Host Intrusion Prevention policies, the presence of signatures and their reactions, to determine if an asset is protected.

McAfee® Network Security Platform (countermeasure): McAfee Risk Advisor uses Attack ID and policy information from McAfee Network Security Platform, a network-based sensor with attack signature content, to determine if an asset is protected.

McAfee® VirusScan® Enterprise (countermeasure): McAfee Risk Advisor uses the VirusScan Enterprise engine, buffer overflow protection, and DAT files to determine if an asset is protected.

McAfee® Policy Auditor (vulnerability): McAfee Risk Advisor obtains the vulnerability information from the scan results of McAfee Policy Auditor.

McAfee® Vulnerability Manager (vulnerability): McAfee Risk Advisor obtains the vulnerability and operating system information from the scan results of McAfee Vulnerability Manager.

McAfee Threat Intelligence Services (MTIS) (threat): McAfee Risk Advisor uses the threat data from the MTIS website to associate vulnerabilities with assets. MTIS provides the threat information and its associated countermeasures and detectors in XML format.

Product components and how they communicate
The main components of McAfee Risk Advisor are: MRA data import, MRA reconciliation, MRA analytics, and MRA reports.

High-level architecture

The image below illustrates the McAfee Risk Advisor components and how they communicate.


Table 1-1 Abbreviations used

Acronym (term): Description

ePO (ePolicy Orchestrator): A management platform that provides the framework and data about managed assets.

HIP (McAfee Host Intrusion Prevention): A managed endpoint protection product that provides the countermeasure data.

NSP (McAfee Network Security Platform): A managed network security product that provides the countermeasure data.

VSE (VirusScan Enterprise): A managed antivirus product that provides the countermeasure data.

MAC (McAfee Application Control): A managed application management and security compliance product that provides the countermeasure and application inventory data.

MAI (McAfee Application Inventory): Agent software that provides the application inventory data from the managed assets.

MVM (McAfee Vulnerability Manager): A vulnerability detector that provides the vulnerability data.

PA (McAfee Policy Auditor): A managed security compliance product that provides the vulnerability data.

MTIS (McAfee Threat Intelligence Service): A threat feed website that provides the threat data.

MRA data import (McAfee Risk Advisor data import): A component that imports data from vulnerability, asset, threat, and countermeasure data sources, then reconciles it to a format that can be interpreted.

MRA analytics (McAfee Risk Advisor analytics): A component that performs analysis to determine the risk posture of your assets, threats, and network based on risk score.

MRA reports (McAfee Risk Advisor reports): The reports can be viewed from the McAfee Risk Advisor specific pages or sections in the ePolicy Orchestrator console.

How it works

McAfee Risk Advisor works on the ePolicy Orchestrator framework. It imports data from asset, threat, vulnerability, countermeasure and application data sources, reconciles them, and performs analytics to generate reports providing the overall risk posture at the asset, threat, and enterprise levels.

Use the ePolicy Orchestrator standard features such as server tasks, dashboards, queries, and reporting to configure the product, schedule and perform analysis, generate reports, and query the database.

The communication workflow among the various components involves:

1 McAfee Risk Advisor is installed as an extension to the ePolicy Orchestrator server.

2 McAfee Risk Advisor uses the ePolicy Orchestrator database for storing and retrieving data.

3 The McAfee Risk Advisor core extension includes data import extensions such as MRA MVM, MRA NSP, and MRA HIPS. The data import extensions help obtain:

• Vulnerability data (from McAfee vulnerability detectors)

• Countermeasure data (from McAfee countermeasure products)

• Application data (from McAfee Application Inventory agent and McAfee Application Control)

• Threat data (from McAfee Threat Intelligence Service)


4 McAfee Risk Advisor retrieves assets data from ePolicy Orchestrator.

5 McAfee Risk Advisor reconciles the threat, asset, vulnerability, and countermeasure data, converting it to a format that can be interpreted by McAfee Risk Advisor.

6 McAfee Risk Advisor analytics performs risk analysis to determine risks to assets.

7 McAfee Risk Advisor generates reports in quantitative and qualitative formats, to help you determine, analyze, and prioritize risks.


2 Installation and configuration

You need to perform a series of steps to set up your McAfee Risk Advisor software per your requirements.

1 Make sure that your system meets the requirements.

2 (Optional) Install and configure the supported McAfee products from which you want McAfee Risk Advisor to import updates.

You can add the McAfee products later, but for the most complete data analysis, we recommend doing this now. McAfee Risk Advisor analytics uses data from the product extensions that have been installed and configured in ePolicy Orchestrator.

3 Install the McAfee Risk Advisor extension and select all data sources from which you want to import data.

4 A server task is initiated to import and reconcile the prepackaged threat data. Make sure that the server task is successfully executed.

5 Perform post installation steps to verify the installation and to configure data imports and user preferences per your requirements.

Contents

System requirements
Installation
Post installation
Enable threat localization
Remove the McAfee Risk Advisor extension

System requirements
McAfee Risk Advisor 2.7 supports all operating systems, browsers, databases, and virtualization platforms supported by ePolicy Orchestrator.

Supported upgrades

You can upgrade to McAfee Risk Advisor 2.7 from these versions:

• 2.5.x

• 2.6.x


Supported ePolicy Orchestrator versions

McAfee Risk Advisor 2.7 can be installed on these ePolicy Orchestrator versions:

• 4.5.0 patch 4 or higher

• 4.6.0

Rollup reporting requirements

Master refers to the reporting server and slave refers to the server from which the data is rolled up. The following master-slave server combinations are supported:

Product: Master version / Slave version

ePolicy Orchestrator: 4.6.x / 4.6.x or 4.5.x
ePolicy Orchestrator: 4.5.x / 4.5.x
McAfee Risk Advisor: 2.7 / 2.7 or 2.6.x

Supported database

Microsoft SQL 2005 or later

Database requirements

McAfee Risk Advisor uses the ePolicy Orchestrator database for storing its files. However, consider this:

• McAfee Risk Advisor does not function properly if Microsoft SQL 2005 is running in SQL 2000 Compatibility Mode. Any customization to the Microsoft SQL Server installation should follow the best practice guidelines provided by the database vendor.

• McAfee Risk Advisor does not support the use of SQL Express.

• The database user must have the sysadmin privilege.

• Make sure that the database collation is SQL_Latin1_General_CP1_CI_AS.

• For application awareness, the Full Text Search service must be running prior to the installation and the user should have permissions to use it. The Full Text Search service is used in application data reconciliation.
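The following T-SQL is an added pre-installation check, not a McAfee script; run it in a query window connected to the ePolicy Orchestrator database to confirm the requirements listed above. EPO_DB_LOGIN is a placeholder for the SQL login the ePolicy Orchestrator server uses.

```sql
-- Added pre-installation check (constructed example, not a McAfee script).
-- Run it in a query window connected to the ePolicy Orchestrator database.
-- Placeholder: EPO_DB_LOGIN is the SQL login the ePolicy Orchestrator server uses.

-- 1. Compatibility level and collation of the current database.
--    compatibility_level 80 means SQL Server 2000 compatibility mode, which
--    Risk Advisor does not support; 90 (SQL 2005) or higher is expected.
SELECT name,
       compatibility_level,
       collation_name,
       CASE WHEN compatibility_level <= 80 THEN 'FAIL: SQL 2000 compatibility mode'
            ELSE 'OK' END AS compatibility_check,
       CASE WHEN collation_name = 'SQL_Latin1_General_CP1_CI_AS' THEN 'OK'
            ELSE 'FAIL: collation must be SQL_Latin1_General_CP1_CI_AS' END AS collation_check
FROM sys.databases
WHERE name = DB_NAME();

-- 2. Edition: SQL Express is not supported.
SELECT SERVERPROPERTY('Edition')        AS edition,
       SERVERPROPERTY('ProductVersion') AS product_version,
       CASE WHEN CAST(SERVERPROPERTY('Edition') AS nvarchar(128)) LIKE '%Express%'
            THEN 'FAIL: SQL Express is not supported' ELSE 'OK' END AS edition_check;

-- 3. Full-Text Search must be installed on the instance and enabled for the
--    database before installation (needed for application awareness).
SELECT FULLTEXTSERVICEPROPERTY('IsFullTextInstalled')     AS fulltext_installed,    -- 1 = installed
       DATABASEPROPERTYEX(DB_NAME(), 'IsFulltextEnabled') AS fulltext_enabled_on_db; -- 1 = enabled

-- 4. The database login must hold the sysadmin server role.
--    1 = member, 0 = not a member, NULL = login not found.
SELECT IS_SRVROLEMEMBER('sysadmin', 'EPO_DB_LOGIN') AS login_is_sysadmin;
```

Any FAIL value or a 0/NULL in the last two queries should be resolved before running Setup.exe, because the installer and the data import tasks depend on these settings.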

Disk space requirements

McAfee Risk Advisor requires a minimum of 4 GB of free disk space on the database where McAfee Risk Advisor files are to be stored. The actual disk space required depends upon the number of assets being managed by the ePolicy Orchestrator server. For database sizing guidelines, see the McAfee Risk Advisor 2.7 Database Sizing and Resource Usage Guide.

Supported McAfee product versions

McAfee Risk Advisor can analyze data from McAfee products that are integrated with ePolicy Orchestrator through their product extensions.

Your system must meet the requirements of all installed McAfee products. See each product's documentation for more information.

McAfee product                        Product extension
McAfee Application Control            Solidcore extension 5.0.2 or later
McAfee Host Intrusion Prevention      7.0.0 or later
McAfee Network Security Platform      Rogue System Detection 2.0.2 or later
McAfee Policy Auditor                 5.3.0 or later
McAfee Vulnerability Manager          Foundstone 6.8.0 or later
VirusScan Enterprise                  No extension required

Licenses

When McAfee Risk Advisor is running on an evaluation or beta license, features are restricted when the license expires.

If your license is going to expire in six days or less, a warning message is displayed in the Edit Risk Advisor page, the Threat Details page, and the Server Task Log page when these server tasks run.

When your license expires, the server tasks for McAfee Risk Advisor imports, analysis, and purges fail. You can view the failure log messages from Server Task Log.

Installation

McAfee Risk Advisor 2.7 is installed in the ePolicy Orchestrator environment. The installation includes installing the data import extensions for the McAfee products that provide data for analysis.

For instructions about setting up ePolicy Orchestrator, see the installation guide for your version of the product.

Install or upgrade the McAfee Risk Advisor extension

To install or upgrade McAfee Risk Advisor, you must run an installation program, which adds McAfee Risk Advisor to ePolicy Orchestrator. Also, use this process to update or replace the existing McAfee Risk Advisor extension.

Before you begin

• Make sure your system meets the McAfee Risk Advisor system requirements.

• Make sure you have adequate permissions to the ePolicy Orchestrator database.

• Make sure the SQL Server Full Text Search service is enabled. This service is required for application awareness functionality.

• Make sure the Internet browser sessions which are running ePolicy Orchestrator are closed. The installation causes ePolicy Orchestrator to restart and can disrupt the services that are running.

• Make sure that NO McAfee Risk Advisor task is running while performing an upgrade.

The McAfee Risk Advisor installation program verifies that you are running the required software. See the respective products' documentation for their requirements.

If this is a reinstallation or upgrade, custom filters, server tasks, and queries provided by McAfee Risk Advisor are removed. However, custom queries, custom server tasks, and custom automatic responses remain, but are inoperable.

If you install McAfee Risk Advisor 2.7 on ePolicy Orchestrator 4.5 and later upgrade to ePolicy Orchestrator 4.6, then custom queries are moved to the Migrated Queries group. You can move these queries to the query group you want.


Task

1 Close the ePolicy Orchestrator console.

2 Run the installation program for McAfee Risk Advisor, Setup.exe.

If this is an upgrade, a message appears about the upgrade. Click Yes to continue.

3 In the Setup Requirements screen, verify that the message All required applications were found appears, then click Next.

If this message does not appear, cancel the installation and install the applications specified, then run the McAfee Risk Advisor installation program again.

4 In the Welcome screen, click Next to display the license agreement screen.

5 From the drop-down lists, select a license type and the location where the product is to be used. Select I accept the terms in the license agreement, then click OK.

6 If this is an upgrade, skip to the next step. Otherwise, in the Choose Destination Location screen, accept the default location or browse to another location, then click Next.

7 In the Set Administrator Information screen, provide the ePolicy Orchestrator global administrator user name and password, then click Next.

8 From the list that appears in the Set Optional Information screen, select the appropriate options and click Next. Options are:

• Application Awareness — Select this to use Application Inventory data during risk analysis. (Requires support for Full Text Search in your database.)

• Risk Advisor Rollup Reporting — Select this for rollup reporting.

• Third party Vulnerability Detector extension — Select this to import vulnerability data from non-McAfee detectors.

• Products — Select the McAfee product from which you want McAfee Risk Advisor to import data, or click Select All for all available McAfee product extensions.

Select all the products and features you want, even if you didn't select them during your previous installation.

9 In the Start Copying Files screen, review your installation settings, then click Next to continue.

10 When the installation is complete, click Finish.

The task to import pre-packaged threat data initiates. Please wait for the task to complete. To view the task status, log on to the ePolicy Orchestrator console and navigate to the Server Task Log screen.

Install the McAfee Risk Advisor online Help

Verify that the McAfee Risk Advisor online Help is current. If it's not, upgrade to the latest version.


Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, click Menu | Software | Extensions, select Help Content from the Extensions list, then select Remove under mra_help.

2 To update the Help, click Install Extension and browse to the Help extension file, help_mra_270.zip.

3 Click OK. If prompted about overwriting a previously installed version, click OK again.

Modify the data import extensions

McAfee Risk Advisor provides extensions for importing data from the McAfee products it supports. You can install these data import extensions the first time you run the McAfee Risk Advisor installation program or later.

Use these instructions to modify data import extensions after you've installed McAfee Risk Advisor.

Task

1 Close the ePolicy Orchestrator console.

2 Run the installation program for McAfee Risk Advisor, Setup.exe.

3 In the Welcome screen, select Modify, then click Next.

4 From the list that appears in the Set Optional Information screen, select all the McAfee products and features for which you want the data import extensions installed. For example, if you want to use rollup reporting, select Risk Advisor Rollup Reporting.

Select all the McAfee products you want, even if you didn't select them during your previous installation. Data import extensions for the products that are not selected are uninstalled.

5 To verify that the data import extensions you want are installed, click Menu | Software | Extensions, then select Risk Advisor from the Extensions list.

The data import extensions are listed with the McAfee Risk Advisor extension.

Post installation

Verify the installation, then configure data imports from the McAfee products and McAfee Labs.

After McAfee Risk Advisor 2.7 is installed, perform these tasks:

1 Verify that the McAfee Risk Advisor 2.7 extension is installed.

2 Configure data imports.

3 Run the default MRA: Threat Download and Analysis task.

4 (Optional) Configure rollup reporting.

5 Set user permissions.

Verify that the extension is installed

Verify that the McAfee Risk Advisor 2.7 extension and all the data import extensions that you selected during installation are installed.


Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, click Menu | Software | Extensions, then select Risk Advisor from the extensions list.

2 Verify that the McAfee Risk Advisor data import extensions for the features and McAfee products selected during installation are available. For example, MRA Application Core, MRA Application Inventory, MRA Foundstone, MRA HIPS, MRA Network Security Platform, MRA Rollup Reporting, MRA Solidcore, MRA Third Party, MRA VSE, and MRA Policy Auditor.

3 Verify that the Version for all the extensions is 2.7.0.

4 Verify that the Status for all the extensions is Installed.

5 If application awareness was selected during installation, verify that:

• The Application Inventory extension is installed and the version is 2.7.0.

• The data import extensions for the application data sources such as MRA Application Inventory and MRA Solidcore, if selected, are available under Risk Advisor, and the version for these extensions is 2.7.0.

• The McAfee Application Inventory package is installed under Menu | Software | Master Repository.

Configuring data imports

Configure McAfee Risk Advisor to import threat, vulnerability, countermeasure, and assets data.

McAfee Risk Advisor is preconfigured to download threat data from McAfee Labs, obtain asset data from the ePolicy Orchestrator System Tree, and import vulnerability, countermeasure and application data from most of the McAfee products using their data import extensions. However, you need to perform additional configuration for some data sources.

Here are the supported data sources and information about whether they require any additional configuration.

To import...          From...                               Requires additional configuration?
Countermeasure data   McAfee Application Control            No
                      McAfee Network Security Platform      Yes
                      VirusScan Enterprise                  No
                      McAfee Host Intrusion Prevention      No
Vulnerability data    McAfee Vulnerability Manager          Yes
Application data      McAfee Application Control            No
                      McAfee Application Inventory agent    Yes
Threat data           McAfee Threat Intelligence Service    No
                      The settings for the threat feed URL have been preconfigured; however, you need to modify these settings if you're using a proxy server and when there's a change in the threat feed URL. You can also import the threat data manually from a file.
Asset data            ePolicy Orchestrator (System Tree)    No
                      You might need to promote assets to the ePolicy Orchestrator System Tree when they are detected by rogue system detection after data import from a product.

Configure McAfee Network Security Platform updates

Perform these tasks to configure countermeasure data import from a McAfee Network Security Platform server.

You must register the McAfee Network Security Platform server, then create and run a server task to import the data into McAfee Risk Advisor.

McAfee Risk Advisor does not support the McAfee Network Security Platform cluster management or manager disaster recovery because McAfee Risk Advisor can communicate with only one database. McAfee Risk Advisor does not support the analysis of the VLAN or Dedicated Interface mode for McAfee Network Security Platform.

Tasks

• Register the McAfee Network Security Platform server on page 21
To enable the data import, the McAfee Network Security Platform server must be registered.

• Import McAfee Network Security Platform updates on page 22
Create a server task to import countermeasure data from a registered McAfee Network Security Platform server.

• Purge McAfee Network Security Platform data on page 23
Create a server task to purge your McAfee Network Security Platform data at regular intervals for efficient disk management.

Register the McAfee Network Security Platform server

To enable the data import, the McAfee Network Security Platform server must be registered.

Before you begin

• Verify that the MRA NSP data import extension is installed, and if not, rerun the McAfee Risk Advisor installation program to install it.

• Create a new McAfee Network Security Platform MySQL user and password with appropriate permissions that allow data to be accessed remotely. Give the user remote connectivity privileges, which is typically not the default. Use this account information when registering the server.
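The MySQL statements below are an added example of creating that account with the least privilege the import needs; they are not McAfee's own script. NSP_DB_NAME stands for the database name entered in the Details screen, 198.51.100.10 is a sample address for the ePolicy Orchestrator server, and read-only SELECT access is an assumption about what the import requires.

```sql
-- Added example (not McAfee's own script): a least-privilege MySQL account for the
-- Risk Advisor import on the Network Security Platform manager database.
-- Placeholders: NSP_DB_NAME is the database name you enter in the Details screen,
-- 198.51.100.10 stands in for the ePolicy Orchestrator server address, and the
-- password is a sample value to replace.

-- Bind the account to the ePolicy Orchestrator server's address instead of '%', so the
-- remote-connectivity privilege the guide asks for is limited to that one host.
CREATE USER 'mra_import'@'198.51.100.10' IDENTIFIED BY 'replace-with-a-strong-password';

-- The import reads configuration and alert rows, so read-only SELECT on the NSP
-- database is assumed to be sufficient; widen it only if the Test button in the
-- Registered Server Builder reports a permission error.
GRANT SELECT ON NSP_DB_NAME.* TO 'mra_import'@'198.51.100.10';

-- If you select the SSL option in the Details screen, enforce it on the server side too
-- (MySQL 5.x syntax; MySQL 5.7 and later use ALTER USER ... REQUIRE SSL instead).
GRANT USAGE ON *.* TO 'mra_import'@'198.51.100.10' REQUIRE SSL;

FLUSH PRIVILEGES;

-- Review the effective grants before registering the server in ePolicy Orchestrator.
SHOW GRANTS FOR 'mra_import'@'198.51.100.10';
```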


Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, click Menu | Configuration | Registered Servers, then click New Server.

The Registered Server Builder screen appears.

2 Select Network Security Platform from Server type.

3 Type a unique name for the server (for example, NSP Data Import) and any notes.

4 Click Next.

The Details screen appears.

5 In the Details screen, complete these options:

• Server host IP address

• Port number used (By default, it's 3306)

• User name and password for accessing the server host

• Whether SSL connection is required

• Database name

• A throttling option to set the maximum number of rows fetched per query, and the number of seconds to wait between each query.

To change the default settings, select Use custom settings. A warning message states that changing these settings can adversely impact the performance of your McAfee Network Security Platform.

McAfee recommends that you use the default settings, which are set to no more than 3000 rows fetched from the McAfee Network Security Platform database per query, with a 60-second wait time between fetches.

6 Click Test to verify the connection to the database on the server host.

A message states whether McAfee Risk Advisor successfully connected to the database. If the test fails, recheck your settings.

7 Click Save.

Import McAfee Network Security Platform updates

Create a server task to import countermeasure data from a registered McAfee Network Security Platform server.

McAfee Risk Advisor supports CIDR (Classless Inter-Domain Routing) ranges for McAfee Network Security Platform data import and analysis.

Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, click Menu | Automation | Server Tasks, then click New Task.

The Server Task Builder screen appears.

2 In the Description step, type a unique name for the task (for example, Import NSP Data) and any notes. Select whether to enable the task once it is created, then click Next.


3 For Actions, select Network Security Platform Data Import.

4 Select an import option.

If you are running this task for the first time, all of your alert data is imported, regardless of which option you select.

To import this...              Do this
Configuration data only        Select Import Configuration Data.
Configuration and alert data   Select Import Configuration Data and Alert Data, then select whether to import All Alerts or Changes from last run only.

• Select Changes from last run only for faster import times (after the task runs for the first time).

• Select All Alerts to overwrite the alert data that is currently in your system.

• Select Create New Detected Systems from Alerts to have systems with McAfee Network Security Platform inbound alerts added to the ePolicy Orchestrator detected systems list. You can then promote these systems to your ePolicy Orchestrator System Tree. Systems with only outbound alerts are not added to the detected systems list.

5 Click Next.

6 Schedule the task as required, then click Next.

7 Review the task settings on the Summary page, then click Save.

The server task is added to the list under the Server Task page. If you selected to enable the task, it runs at the next scheduled time.

8 To make sure that threats are analyzed against all of your assets, run the MRA: Threat Download and Analysis task after you add McAfee Network Security Platform assets to the ePolicy Orchestrator System Tree.

Purge McAfee Network Security Platform data

Create a server task to purge your McAfee Network Security Platform data at regular intervals for efficient disk management.

Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, click Menu | Automation | Server Tasks, then click New Task.

The Server Task Builder screen appears.

2 In Description, type a unique name for the task (for example, Purge NSP Data) and any notes. Select whether the task is to be enabled once it is created, then click Next to continue.

3 For Actions, select Network Security Platform Alert Data Purge.

4 Under Purge alerts older than, type a number and select a time unit, then click Next.

5 Schedule the task as required, then click Next.

6 Review the task settings on the Summary page, then click Save.


The server task is added to the list under the Server Task page. If you selected to enable the task, it runs at the next scheduled time, and the McAfee Network Security Platform data older than the specified time is purged.

Configure McAfee Vulnerability Manager updates

Configure the vulnerability data import from McAfee Vulnerability Manager.

Task

1 Follow the setup instructions in the product guide for your version of McAfee Vulnerability Manager, which include installing the McAfee Vulnerability Manager extension, registering the McAfee Vulnerability Manager server, and configuring and running the McAfee Vulnerability Manager import server task.

2 Install the rogue detection sensor on ePolicy Orchestrator, then add the detected Vulnerability Manager systems to the System Tree.

See the appropriate ePolicy Orchestrator documentation for details about these tasks.

McAfee Vulnerability Manager uses Rogue System Detection (RSD) to introduce its assets into ePolicy Orchestrator. If you delete a system detected by McAfee Vulnerability Manager with an RSD sensor, the link between the system in the ePolicy Orchestrator System Tree and the McAfee Vulnerability Manager data is lost.

3 To make sure that threats are analyzed against all of your assets, run the MRA: Threat Download and Analysis task after you add McAfee Vulnerability Manager assets to the ePolicy Orchestrator System Tree.

Configure McAfee Application Inventory agent updates

Perform these tasks to configure application data import using the McAfee Application Inventory agent from the managed assets.

Tasks

• Deploy the McAfee Application Inventory agent on page 24
To configure application data import, deploy the McAfee Application Inventory agent to assets.

• Test agent deployment on page 25
Verify whether the McAfee Application Inventory agent is deployed successfully.

• Schedule application data collection on page 25
Schedule application data collection from the McAfee Application Inventory agent.

• Collect application data on demand on page 26
You can collect data from the McAfee Application Inventory agent on demand.

Deploy the McAfee Application Inventory agent

To configure application data import, deploy the McAfee Application Inventory agent to assets.

Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, click Menu | Systems | System Tree, then select the desired group or assets.

2 Complete these steps according to your version of ePolicy Orchestrator:


Version 4.5

1 Click the Client Task tab, then click New Task. The Client Task Builder screen appears.

2 Type a name for the task, and any notes.

3 Select Product Deployment as the task type, then click Next.

4 Select Target Platforms as Windows.

5 In Products and components, select McAfee Application Inventory 2.7.x, select Action as Install, select the language, then click Next.

Version 4.6

1 Click the Assigned Client Tasks tab, then click Actions | New Client Task Assignment. The Client Task Assignment Builder screen appears.

2 In Product, select McAfee Agent.

3 In Task Type, select Product Deployment.

4 Click Create New Task. The Client Task Catalog screen appears.

5 Type a name for the task, and any notes.

6 Select Target Platforms as Windows.

7 In Products and components, select McAfee Application Inventory 2.7.x, select Action as Install, select the language, then click Save. The task is listed in the Task Name.

8 Select the task and click Next.

3 Schedule the task to run immediately or as required, then click Next to view a summary of the task.

4 Review the summary of the task, then click Save.

The task is added to the list of client tasks for the selected group and any group that inherits the task, and is executed on the client system at the next agent-server communication.

Test agent deployment

Verify whether the McAfee Application Inventory agent is deployed successfully.

Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, click Menu | Systems | System Tree, then select the systems on which the McAfee Application Inventory agent is to be installed.

2 Click Wake Up Agent.

3 Once the McAfee Application Inventory agent installation task is complete, wait for the agent to communicate back to the server (this could take some time). Check the System Details page for the managed system for details about the McAfee Application Inventory agent.

4 On the managed system, right-click the McAfee Agent icon in the system tray, then select McAfee Agent Status Monitor. The Status Monitor displays the agent activity log. Check whether the McAfee Application Inventory agent is installed.

5 To verify the McAfee Application Inventory agent version, right-click the McAfee Agent icon in the system tray and select About. Look for McAfee Application Inventory Agent and verify the version.

Schedule application data collection

Schedule application data collection from the McAfee Application Inventory agent.

Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, click Menu | Policy | Policy Catalog.

2 Select McAfee Application Inventory 2.7 as a product.


3 Click Edit Settings.

4 Type a value for the frequency of application data collection. For example, if you want application data to be collected every alternate day, type 2.

5 Click Save.

Collect application data on demand

You can collect data from the McAfee Application Inventory agent on demand.

Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, click Menu | Systems | System Tree, then select the systems for which the application data is to be collected.

2 Click Actions | Application Inventory | Collect Application Data Now.

3 Click OK to confirm the action.

Application data for all the systems that share the policies of the selected systems is collected.

Configure McAfee Threat Intelligence updates

For the latest updates, configure McAfee Risk Advisor to connect with this service automatically during the threat download task execution or import a file containing the updates manually.

Tasks

• Download threat updates from the threat feed on page 26
Configure McAfee Risk Advisor to connect with the McAfee Threat Intelligence service and download the threat feed automatically during the threat download task execution.

• Import threat updates from a file on page 27
If you are in an air gap environment, import a file that contains the latest threat data from McAfee Threat Intelligence Services.

Download threat updates from the threat feed

Configure McAfee Risk Advisor to connect with the McAfee Threat Intelligence service and download the threat feed automatically during the threat download task execution.

This configuration requires Internet connectivity.

Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, click Menu | Configuration | Server Settings, then click Risk Advisor in Settings Categories.

2 In Settings Categories, click Risk Advisor, then click Edit.

The Edit Risk Advisor screen appears.

3 In Threat Feed Settings, make sure that the threat feed URL is preconfigured.

Threat feed URL: https://threatfeed.mtis.mcafee.com/ctp/1_1/Service.asmx?FeedVersion=2_3.


4 If you require a proxy server to download the threat feed, select Use Proxy. Provide the following information, then click Test Connection to verify that the proxy server can connect to the threat feed.

• Proxy Server — Type the address for the proxy server.

• HTTPS Proxy Port — Type the proxy port.

• User Name — Type the user name.

• Password/Confirm Password — Type the password.

McAfee Risk Advisor supports these authentication schemes: No authentication, basic authentication, digest authentication, and NTLM authentication.

5 Click Save.

Import threat updates from a file

If you are in an air gap environment, import a file that contains the latest threat data from McAfee Threat Intelligence Services.

Before you begin

Download a LatestThreats_YYYY_MM_DD.zip file containing the threat updates from:

https://threatfeed.mtis.mcafee.com/ctp/data/2_3/LatestThreats_YYYY_MM_DD.zip

(Replace YYYY_MM_DD with the actual date.)

An air gap environment is an extreme security measure for computers and their networks. It ensures that the secure network is physically, electrically, and electromagnetically isolated from insecure networks such as the public Internet. In such an environment, you can manually import threat updates from the file.

The McAfee Threat Intelligence Service updates contain complete data. For the first import, complete data is updated. For the subsequent imports, only delta changes are updated.

Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, click Menu | Risk & Compliance | Threats.

2 In the Threats screen, click Actions | Risk Advisor | Import Threats from File.

The Import Threats from File action is also available in certain drill-down pages of charts in the McAfee Risk Advisor dashboards, or by running a query that results in a table of threats. See the information about each monitor for details.

3 In the Import Threats From File screen, browse to the .zip file containing threat data from the McAfee Threat Intelligence Service.

4 Optionally, do one or more of the following:

To...                                                                Do this...

Import and reconcile system and asset information from ePolicy Orchestrator McAfee products into McAfee Risk Advisor.

1 Select MRA: Data Import/Reconciliation.

2 Select these options:

• All Items to import all product data and applicability data.

• All OS Applicability Data to import all applicability data or Operating System to import only the targeted operating system information.

• All Products to import data from all products or Countermeasure Products, Vulnerability Products, or Application Aware Products, as required.

• A specific product to import only that data.

Only products installed and registered with McAfee Risk Advisor are displayed. For example, if the McAfee Vulnerability Manager data import extension is not installed and configured, you will not see it in the list of products.

Apply the threat analysis calculations from McAfee Risk Advisor to the data in the threat file you are importing, and the data collected from the MRA: Data Import/Reconciliation task, if selected.

1 Select MRA: Threat Asset Coverage Analysis.

2 Select Enable analysis for 'Risk Advisor Reports' to update the Countermeasure Centric and Vulnerability Centric reports.

5 Click Run.

The threat updates in the file are imported. This data is also reconciled and analyzed with other data collected by McAfee Risk Advisor, if you selected the options in step 3.

6 In the Server Task Log screen, monitor the status of the task.

Run the default download and analysis task

Run the MRA: Threat Download and Analysis task to import and reconcile data and perform analytics to make sure that McAfee Risk Advisor is successfully installed and configured.

Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, click Menu | Automation | Server Tasks, then click Run under Actions for MRA: Threat Download and Analysis.

2 Make sure that the task is completed successfully. In the Server Task Log screen, monitor the status of the task and view details about each action within the task.

This task runs successfully only when McAfee Risk Advisor is able to connect to the threat feed website. If you're using a proxy, provide the proxy details in Menu | Configuration | Server Settings | Edit Risk Advisor. If you're in an air-gap environment, import updates from a file and select the options to run the MRA: Data Import/Reconciliation and MRA: Threat Asset Coverage Analysis tasks.


Register servers for rollup reporting

To perform consolidated risk analysis across servers, each ePolicy Orchestrator rollup server must be registered to the ePolicy Orchestrator reporting server.

Task

1 In the ePolicy Orchestrator console, click Menu | Configuration | Registered Servers, then click New Server.The Registered Server Builder screen appears.

2 In the Descriptions step, select ePO from the Server Type menu, type a name and description, then click Next.

3 In the Details step, complete these options:

• ePolicy Orchestrator server version

• DNS name or IP address of the server

• SQL server instance

• Name and port of the SQL database

• Windows authentication or SQL authentication

• Whether the server uses the NT LAN Manager authentication protocol

• SSL communication option

• User name and password for accessing the server

4 Click Test to verify the connection to the server.

A message states whether McAfee Risk Advisor successfully connected to the server. If the test fails, recheck your settings.

5 Select whether to enable or disable the policy sharing for the server.

6 Select whether to enable or disable the client task for the server.

7 Select whether to enable or disable the ability to transfer systems for this server. When enabled, select Automatic sitelist import or Manual sitelist import for importing the agent-server key.

8 Click Save.

The server is registered to the reporting server.

Configuring user permissions

View and configure user permissions for the permission sets specific to McAfee Risk Advisor.

A permission set is a group of permissions granted to a user account for specific products or features of a product. One or more permission sets can be assigned. Global administrators are automatically assigned all permissions to all products and features. Global administrators can assign existing permission sets when creating or editing user accounts and when creating or editing permission sets.

When you install McAfee Risk Advisor, it adds sections called Risk Advisor and Risk Advisor Roll Up to the Permission Sets page, without applying any permissions. The global administrator might need to give permissions to handle other ePolicy Orchestrator areas that work with McAfee Risk Advisor, including queries and dashboards.

For further details about permission sets, refer to the appropriate ePolicy Orchestrator documentation.


Assign permission sets

You can assign permissions to users by modifying permission sets for each user group.

Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, click Menu | User Management | Permission Sets.

2 On the Permission Sets page, select the permission set to which you want to assign McAfee Risk Advisor permissions.

The details appear to the right.

3 Click Edit next to the permission set to be modified:

• Risk Advisor

• Risk Advisor Roll Up

• McAfee Application Inventory Agent

4 On the Edit Permissions Set page for the selected permission set, select the options as required, then click Save.

McAfee Risk Advisor permissions

This permission set provides information about the user permissions for the McAfee Risk Advisor threat and asset data, reporting groups, and server tasks.

In addition to this permission set, other general ePolicy Orchestrator permissions might need to be set to allow users to work with other areas of McAfee Risk Advisor. These include the dashboards, queries, notifications, event log, system details, and System Tree access permission sets.

To access this page, click Menu | User Management | Permission Sets. Click Edit next to Risk Advisor.

For this feature... These permissions are available

Threat Information
• No permissions
• Assign permissions for threat information
• View general threat information
• View Threat Asset Coverage information including Risk Metrics (requires "System Tree Access" permission)
• View threat exploit information
• Edit general threat information
• Add, edit, and delete threat notes
• Mark threat read or unread
• Tag threat
• Manage Threat Asset actions such as Analysis Queue, Enable or Disable, and Risk Analysis Exceptions (requires "System Tree" and "System Tree Access" permissions)

Asset Information
• No permissions
• Assign asset criticality (requires "System Tree Access" permission)

Reporting Group
• No permissions
• View, Add, Edit, or Delete Reporting Groups

Risk Advisor Tasks
• No Permissions
  Users with "Server Tasks: View server tasks; view Server Task Log" permissions can view McAfee Risk Advisor server tasks.
• Create, edit, and run threat tasks

The global administrator might need to give permissions to handle other ePolicy Orchestrator areas that work with McAfee Risk Advisor, including queries and dashboards. See the ePolicy Orchestrator documentation for details about additional permission requirements.

McAfee Risk Advisor rollup permissions

This permission set provides information about the user permissions for the McAfee Risk Advisor rollup reports and server task.

Use this page to view McAfee Risk Advisor rollup permissions.

To access this page, click Menu | User Management | Permission Sets. Click Edit next to Risk Advisor Roll Up.

For this feature... These permissions are available

Risk Advisor rollup
• No permissions
• View rolled up McAfee Risk Advisor server data.

To roll up McAfee Risk Advisor data, you must have the following permissions:

• Multi-server rollup data: Run and edit queries based on rollup data; schedule rollup data tasks; purge rollup data.
• Registered servers: Use registered servers.

McAfee Application Inventory agent permissions

This permission set provides information about the user permissions for the McAfee Application Inventory agent.

To access this page, click Menu | User Management | Permission Sets. Click Edit next to McAfee Application Inventory Agent.

For this feature... These permissions are available

McAfee Application Inventory 2.7.0: Policy and Tasks
• No permissions
• View policy and task settings
• View and change policy and task settings

Enable threat localization

Select the required languages to import localized threat data.


Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, click Menu | Configuration | Server Settings, then click Risk Advisor in the Settings Categories list.

2 In the McAfee Risk Advisor settings, click Edit.

The Edit Risk Advisor screen appears.

3 In Enable Localized Threat Content, select the required languages.

The threat data is available in two languages: Chinese (Simplified) and Spanish.

4 Click Save.

Remove the McAfee Risk Advisor extension

Remove the McAfee Risk Advisor extension to remove the software and its features.

Task

1 Close the ePolicy Orchestrator console.

2 Run the installation program for McAfee Risk Advisor, Setup.exe.

3 In the Welcome screen, select Remove, then click Next.

4 In the Set Administrator Information screen, provide the ePolicy Orchestrator global administrator user name and password, then click Next.

5 In the Remove McAfee Risk Advisor Server screen, click Remove.

6 Click Yes on the confirmation screen.

7 When the process is complete, click Finish.

All McAfee Risk Advisor extensions and features are removed.


3 Managing asset data

McAfee Risk Advisor imports asset data from the ePolicy Orchestrator System Tree.

You can assign criticality levels to assets to prioritize your threat actions, declare McAfee Network Security Platform policies for countermeasures that were not detected by McAfee Risk Advisor, define asset risk categories based on risk scores, change asset analysis status, and create asset issues.

Contents

Critical asset identification
McAfee Network Security Platform policy declaration
Define asset risk category labels
Enable or disable assets for analysis
Asset issue creation

Critical asset identification

Identify how important each asset is to your organization, then assign criticality to them to prioritize your patch efforts based on which assets are most critical.

For example, if McAfee Risk Advisor recommends that you patch a set of assets now, you can view which of those assets your organization feels are the most critical.

McAfee Risk Advisor assigns Medium level criticality to an asset by default, if the asset criticality is not explicitly assigned. You can also assign criticality values to your assets automatically using server tasks or automatic responses, or manually.

McAfee Risk Advisor uses these criticality labels and associated colors by default:

• Most Critical — Red
• Critical — Orange
• High — Brownish Yellow
• Medium — Yellow
• Low — Green

You can modify the names of these labels and their colors by modifying the McAfee Risk Advisor configuration in the ePolicy Orchestrator Server Settings. You can also assign different criticality values to each criticality level.

Define asset criticality labels

McAfee Risk Advisor provides default settings for asset criticality. You can modify these labels and their associated colors to meet the needs of your organization.


Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, click Menu | Configuration | Server Settings, then click Risk Advisor in the Settings Categories list.

2 On the McAfee Risk Advisor settings page, click Edit.

3 On the Edit Risk Advisor page, click Modify next to the labels that you want to change under Asset Criticality. Then type the labels you want to represent Most Critical, Critical, High, Medium, and Low for asset criticality. Also, select a color to associate with each label from the choices provided.

For example, for the Criticality Level — High, type the label you want to apply to assets with the highest level of criticality, then select an appropriate color.

4 Click Save.

Assign criticality to assets

By default, McAfee Risk Advisor assigns Medium criticality to all assets for analysis. You can assign a different criticality value based on your requirements.

You can also assign criticality values to your assets automatically by creating a server task that assigns a criticality value to the results of a query or by creating an automatic response that executes the server task when an event is triggered.

Task

1 In the ePolicy Orchestrator console, do one of the following:

To... Do this...

Assign criticality to multiple assets
Go to one of these pages, then select the assets:
• Where am I at Risk?
• How am I at Risk?
• What Threat actions required?
• System Tree
• Assets Impacted
You can also perform this task from some dashboard monitor pages. See information about each monitor for details.

Assign criticality to a single asset
Go to one of these locations:
• Threat Asset Coverage Details page of the asset.
• System Details page of the asset.
• Go to one of the pages listed in the row above, then select the asset.

2 Click Actions | Risk Advisor | Assign Criticality to Assets.

3 In the Assign Criticality to Assets screen, select the criticality you want to assign, then click OK.


McAfee Network Security Platform policy declaration

To determine the protection status of an asset, McAfee Risk Advisor considers the Attack ID in a policy that is active and blocks the suspect network traffic.

McAfee Network Security Platform policy declaration means manually associating McAfee Network Security Platform policies to an asset. The manual declaration takes precedence over the policy association imported from McAfee Network Security Platform. If you want McAfee Risk Advisor to consider both the policies, the policy association imported from McAfee Network Security Platform must also be declared. Otherwise, the McAfee Network Security Platform policy is ignored by McAfee Risk Advisor for that asset.

You can declare and remove McAfee Network Security Platform policies automatically using server tasks or automatic responses, or manually.

Once policies are declared, you can create queries and filters to include or exclude them. Using automatic responses, you can also have actions triggered automatically (such as an email notification) when policies are declared or removed.

You can view these policy details in the Network Security Platform Countermeasures section of the System Details page.
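The precedence rule described above is easy to get wrong in practice: declaring any sensor manually makes the analysis ignore the association imported from McAfee Network Security Platform unless that association is declared as well, and choosing No NSP Protection clears every manual declaration. The following Python model is an added example, not product code or a McAfee API; the asset name and Sensor:Port values are constructed, and the effective-policy rule is a reading of the text above. It lists assets whose imported policies are currently being ignored, which is worth checking before you re-run the coverage analysis task.

```python
from dataclasses import dataclass, field

# Constructed model of the declaration precedence rule: a manual declaration,
# when present, replaces the policy association imported from McAfee Network
# Security Platform; the imported association counts again only if it is
# declared too, or once every declaration is removed. Names and data are
# illustrative, not the product's API.

NO_NSP_PROTECTION = "No NSP Protection"  # menu choice that clears declarations


@dataclass
class Asset:
    name: str
    imported: set = field(default_factory=set)  # Sensor:Port pairs imported from NSP
    declared: set = field(default_factory=set)  # Sensor:Port pairs declared manually

    def declare(self, sensor_port: str) -> None:
        """Mirror the NSP Countermeasure Declaration action on this asset."""
        if sensor_port == NO_NSP_PROTECTION:
            self.declared.clear()
        else:
            self.declared.add(sensor_port)

    def remove_declared(self, sensor_port: str) -> None:
        """Mirror the NSP Countermeasure Removal action on this asset."""
        if sensor_port == NO_NSP_PROTECTION:
            self.declared.clear()
        else:
            self.declared.discard(sensor_port)

    def effective_policies(self) -> set:
        """Sensor:Port pairs the coverage analysis would actually consider."""
        return set(self.declared) if self.declared else set(self.imported)

    def ignored_imports(self) -> set:
        """Imported associations silently dropped because of a manual declaration."""
        return self.imported - self.effective_policies()


def assets_with_ignored_imports(assets) -> dict:
    """Report, per asset name, the imported NSP policies that no longer count."""
    return {a.name: sorted(a.ignored_imports()) for a in assets if a.ignored_imports()}


if __name__ == "__main__":
    # constructed sample: one asset with an association imported from NSP
    web = Asset("web-01", imported={"sensor-A:1A"})
    web.declare("sensor-B:2B")                 # manual declaration takes precedence
    print(assets_with_ignored_imports([web]))  # {'web-01': ['sensor-A:1A']}
    web.declare("sensor-A:1A")                 # declaring the imported one restores it
    print(assets_with_ignored_imports([web]))  # {}
    web.declare(NO_NSP_PROTECTION)             # clears declarations; imports apply again
    print(web.effective_policies())            # {'sensor-A:1A'}
```

Run the report across all assets after any bulk declaration from the multi-asset pages, since a single declared sensor port hides every imported association on each selected asset.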

Declare McAfee Network Security Platform policies manually

You can declare McAfee Network Security Platform policies manually.

After you declare McAfee Network Security Platform policies, run the MRA: Threat Download and Analysis task (or the MRA: Threat Asset Coverage Analysis task, if you are running the server tasks separately) to verify that your assets now have the protection level you expect.

You can declare McAfee Network Security Platform policies automatically by creating a server task that declares a policy for the results of a query or by creating an automatic response that executes the server task when an event is triggered.

Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, do one of the following:

To... Do this...

Declare a McAfee Network Security Platform policy on multiple assets
Go to one of these pages, then select the assets:
• Where am I at Risk?
• How am I at Risk?
• What Threat actions required?
• System Tree
• Assets Impacted
You can also perform this task from some dashboard monitor pages. See information about each monitor for details.

Declare a McAfee Network Security Platform policy on a single asset
Go to one of these locations:
• Threat Asset Coverage Details page of the asset.
• System Details page of the asset.
• Go to one of the pages listed in the row above, then select the asset.

2 Click Actions | Risk Advisor | NSP Countermeasure Declaration.


3 In the NSP Countermeasure Declaration screen, select the Sensor:Port (Interface) you want to declare, then click OK.

Selecting No NSP Protection removes all the sensors you declared on the asset. Only McAfee Network Security Platform policies remain.

The sensor you selected is added to the assets.

4 To add another sensor port to the assets, repeat this task.

Remove declared McAfee Network Security Platform policies manually

You can remove declared McAfee Network Security Platform policies from assets manually.

After you remove declared McAfee Network Security Platform policies, run the MRA: Threat Download and Analysis task (or the MRA: Threat Asset Coverage Analysis task, if you are running the server tasks separately) to verify that your assets now have the protection level you expect.

You can remove declared McAfee Network Security Platform policies automatically by creating a server task that removes a declared policy from the results of a query or by creating an automatic response that executes the server task when an event is triggered.

Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, do one of the following:

To... Do this...

Remove a declared McAfee Network Security Platform policy from multiple assets
Go to one of these pages, then select the assets:
• Where am I at Risk?
• How am I at Risk?
• What Threat actions required?
• System Tree
• Assets Impacted
You can also perform this task from some dashboard monitor pages. See information about each monitor for details.

Remove a declared McAfee Network Security Platform policy from a single asset
Go to one of these locations:
• Threat Asset Coverage Details page of the asset.
• System Details page of the asset.
• Go to one of the pages listed in the row above, then select the asset.

2 Click Actions | Risk Advisor | NSP Countermeasure Removal.

3 In the NSP Countermeasure Removal screen, select the Sensor:Port (Interface) you want removed, then click OK.

Selecting No NSP Protection removes all the sensors you declared on the asset. Only McAfee Network Security Platform policies remain.

The sensor you selected is removed from the assets you selected.

4 To remove another sensor from the assets, repeat this task.


Override McAfee Network Security Platform declaration

You can override the McAfee Network Security Platform countermeasure declaration for certain assets.

Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, do one of the following:

To... Do this...

Declare a McAfee Network Security Platform policy on multiple assets
Go to one of these pages, then select the assets:
• Where am I at Risk?
• How am I at Risk?
• What Threat actions required?
• System Tree
• Assets Impacted
You can also perform this task from some dashboard monitor pages. See information about each monitor for details.

Declare a McAfee Network Security Platform policy on a single asset
Go to one of these locations:
• Threat Asset Coverage Details page of the asset.
• System Details page of the asset.
• Go to one of the pages listed in the row above, then select the asset.

2 Click Actions | Risk Advisor | Override NSP Countermeasure Status.

3 In the Override NSP Countermeasure Status screen, click OK to confirm.

The McAfee Network Security Platform countermeasure declaration for the selected assets is overridden.

Remove McAfee Network Security Platform countermeasure override

You can remove the McAfee Network Security Platform countermeasure override when you need to apply the policies on the overridden assets again.

Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, do one of the following:


To... Do this...

Declare a McAfee Network Security Platform policy on multiple assets
Go to one of these pages, then select the assets:
• Where am I at Risk?
• How am I at Risk?
• What Threat actions required?
• System Tree
• Assets Impacted
You can also perform this task from some dashboard monitor pages. See information about each monitor for details.

Declare a McAfee Network Security Platform policy on a single asset
Go to one of these locations:
• Threat Asset Coverage Details page of the asset.
• System Details page of the asset.
• Go to one of the pages listed in the row above, then select the asset.

2 Click Actions | Risk Advisor | Remove NSP Countermeasure Override.

3 Click Yes to confirm.

The McAfee Network Security Platform countermeasure override for the selected assets is removed.

Define asset risk category labels

McAfee Risk Advisor provides default settings for Asset Risk Category. You can modify labels, their associated colors, and ranges to meet the needs of your organization.

Asset Risk Category can be used to identify the assets that have risk scores above a defined threshold.

McAfee Risk Advisor uses these labels and associated colors and ranges by default:

Criticality   Color             Range
High          Red               65–100 (more than 65 and equal to or less than 100)
Medium        Light Orange      35–65 (more than 35 and equal to or less than 65)
Low           Brownish Yellow   0–35 (equal to or below 35)

Make sure that you set the Asset Risk Categories in the range of 0 to 100. The minimum limit for the category Low starts from 0 and the maximum limit for the category High is 100.
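The boundaries above are half-open in a specific way (a score of exactly 35 is Low, exactly 65 is Medium, and 0 is included in Low), and custom categories must still cover 0 to 100 without gaps or overlaps. The following Python is an added example, not product code: it validates a set of category settings against those rules and classifies scores with the documented boundary semantics. The three default categories are the documented ones; the validation checks are an interpretation of the "0 to 100" requirement, and the helper names are invented here.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of the Asset Risk Category settings: each category covers
# a score range with an exclusive lower bound and an inclusive upper bound,
# except that the lowest category also includes 0. Not the product's own code.


@dataclass(frozen=True)
class RiskCategory:
    label: str
    color: str
    low: float   # exclusive lower bound (inclusive for the lowest category)
    high: float  # inclusive upper bound


# Documented defaults
DEFAULT_CATEGORIES = [
    RiskCategory("Low", "Brownish Yellow", 0, 35),
    RiskCategory("Medium", "Light Orange", 35, 65),
    RiskCategory("High", "Red", 65, 100),
]


def validate_categories(categories: List[RiskCategory]) -> List[str]:
    """Return a list of problems; an empty list means the settings are usable."""
    problems = []
    cats = sorted(categories, key=lambda c: c.low)
    if not cats:
        return ["no categories defined"]
    if cats[0].low != 0:
        problems.append("lowest category must start at 0")
    if cats[-1].high != 100:
        problems.append("highest category must end at 100")
    for c in cats:
        if c.low >= c.high:
            problems.append(f"{c.label}: range {c.low}-{c.high} is empty")
    # Adjacent categories must meet exactly: no gap and no overlap.
    for prev, nxt in zip(cats, cats[1:]):
        if nxt.low != prev.high:
            problems.append(
                f"gap or overlap between {prev.label} and {nxt.label} "
                f"at {prev.high}/{nxt.low}"
            )
    return problems


def categorize(score: float, categories: List[RiskCategory] = DEFAULT_CATEGORIES) -> Optional[str]:
    """Map a risk score to a category label using the documented boundaries.
    Returns None for a score outside 0..100."""
    problems = validate_categories(categories)
    if problems:
        raise ValueError("invalid category settings: " + "; ".join(problems))
    cats = sorted(categories, key=lambda c: c.low)
    for i, c in enumerate(cats):
        # Only the lowest category includes its lower bound (0).
        lower_ok = score >= c.low if i == 0 else score > c.low
        if lower_ok and score <= c.high:
            return c.label
    return None


if __name__ == "__main__":
    for s in (0, 35, 35.5, 65, 65.1, 100):
        print(s, categorize(s))
    # constructed bad settings: a gap between 40 and 50
    bad = [RiskCategory("Low", "x", 0, 40), RiskCategory("High", "y", 50, 100)]
    print(validate_categories(bad))
```

Validate the settings whenever the labels or limits are edited in Server Settings; a gap between categories means some scores would fall into no category, and an overlap makes the category of a boundary score ambiguous.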

Task

1 In the ePolicy Orchestrator console, click Menu | Configuration | Server Settings, then click Risk Advisor in the Settings Categories list.

2 In the McAfee Risk Advisor settings, click Edit.

3 In the Edit Risk Advisor screen, click Modify next to the label that you want to change under Asset Risk Categories. Type the label you want to represent High, Medium, and Low Asset Risk Scores. Type the risk score limits and select a color to associate with each label from the choices provided.

For example, for Risk Category — High, type the label you want to apply to the highest Asset Risk Score range, then select an appropriate color.

4 Click Save.


Enable or disable assets for analysis

By default, all assets are enabled for risk analysis. If you don't want to consider certain assets, you can disable those assets.

This feature is useful in scenarios where you are not interested in the data for certain assets managed by the same server.

Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, go to the System Tree (or a reporting page displaying a table of assets).

2 Select the assets that you want to enable or disable for risk analysis.

3 Click Actions | Risk Advisor | Change Analysis Status.

4 Select Enable or Disable, as required.

5 Click OK.

Asset issue creation

You can create issues based on assets, then query and report on these issues.

You can also use asset issues with an external ticketing system to create and update troubleshooting tickets.

Use the Create Issue action to create issues from various McAfee Risk Advisor pages, or automate issue creation using server tasks. Administrators can then take appropriate actions on the issues created for assets. For example, an issue can be created when assets with High criticality are At Risk, so that the administrator can take appropriate actions.

Asset issues can be created from these ePolicy Orchestrator locations:

• Dashboards & Charts
• Server Risk Metrics | Assets
• System Tree
• Tag Catalog
• Server Tasks

Create issues from the Assets tab on the Risk Metrics page

You can create issues for the assets listed on the Risk Metrics page, which is a McAfee Risk Advisor reporting page.

You can also use Advanced Filters to filter a subset of assets based on attributes.

Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, click Menu | Reporting | Risk Metrics | Server Risk Metrics | Assets.

2 Select the assets for which the issue is to be created, or use advanced filters to filter a subset of assets.

3 Click Actions | Risk Advisor | Create Issue.


4 In the Create Issue screen, type the name and the description of the issue.

5 Click OK.

Create issues from the System Tree

You can create issues for the assets listed in the ePolicy Orchestrator System Tree based on System Groups or tags.

You can also apply filters to create issues on a subset of systems.

Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, click Menu | Systems | System Tree, then select a group.

2 Select the assets for which the issue is to be created or use advanced filters to filter a subset of assets.

3 Click Actions | Risk Advisor | Create Issue.

4 In the Create Issue screen, type the name and the description of the issue.

5 Click OK.

Create issues from the Tag Catalog

You can create issues for the assets with a specific tag from the Tag Catalog.

Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, click Menu | Systems | Tag Catalog, then select a tag.

2 Select the assets for which the issue is to be created or use advanced filters to filter a subset of assets.

3 Click Actions | Risk Advisor | Create Issue.

4 In the Create Issue screen, type the name and the description of the issue.

5 Click OK.

Create issues using a server task

You can automate Asset Issue creation by running a query using the Create Risk Advisor Asset Issue action.

Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, create a query that returns a table of assets or Threat Asset Coverage objects.

For example, create a query that returns information about the assets that require immediate patching efforts.

2 Create a new server task to run the query.

3 Select the subaction as Create Risk Advisor Asset Issue.

Run this task after the MRA: Threat Asset Coverage Analysis task to create issues based on analysis results.


Create issues using automatic responses

You can automate Asset Issue creation by configuring an automatic response with the Create Risk Advisor Asset Issue action for an event.

Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, create an automatic response and complete these options:

• Select Risk Advisor Analysis Events as the event group, and Asset Risk Metrics as the event type.

• For actions, select Create Risk Advisor Asset Issue.

2 Save the response and allow it to execute as configured.


4 Managing threat data

You can manage threats by customizing threat information using notes, tracking which threats you have read, and using threat tags to include and exclude threats from queries.

Contents

Threat notes
Read status
Threat tags
Enable or disable threat for analysis

Threat notes

Threat notes can be used to add more information to the threat as recommended by your organization.

You can add and delete notes automatically (by creating a server task that adds or deletes them from the results of a query or by creating an automatic response that executes the server task when an event is triggered) or manually.

You can add multiple notes to a threat without overwriting any previous notes, and you can manually edit notes you have added.

After notes are added, you can create queries and filters that include or exclude threats based on the notes' contents. For example, if your network is protected from certain threats by a non-McAfee product, specify that product name in a note. Next, create a filter to exclude certain threats (those with notes containing that product name) from your threat coverage queries.

Using automatic responses, you can also have actions triggered automatically (such as an email notification) when notes are added.

Add notes to threats manually

You can add a note to one or more threats manually.

You can also add notes to threats automatically, by creating a server task that adds them to the results of a query or by creating an automatic response that executes the server task when an event is triggered. A server task can add notes only if its query generates a table.

Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, do one of the following:


To... Do this...

Add a note to multiple threats
Go to Menu | Risk & Compliance | Threats, then select the threats.
You can also perform this task from some dashboard monitor pages. See information about each monitor for details.

Add a note to a single threat
Do one of the following:
• Go to the Threats page, then select the threat.
• Go to the Threat Details page of the threat.

2 Click Actions | Risk Advisor | Add Note.

3 In the Add Note screen, type the note, then click OK.

The note is added to the threat or threats you selected.

4 To add another note to the same set of threats, repeat this task.

Edit notes manually

You can modify the contents of a note that was added to a threat.

Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, go to the Threat Details page.

2 In the Notes section, click Edit next to the note you want to modify.

3 In the Edit Threat Note screen, make necessary changes, then click OK.

The note you edited appears first in the list after the page is reloaded. The Last Modified Date and Last Modified By are updated as needed.

Delete notes manually

You can remove a note that was added to a threat.

You can delete notes from threats automatically, by creating a server task that deletes them from the results of a query or by creating an automatic response that executes the server task when an event is triggered.

Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, go to the Threat Details page.

2 In the Notes section, click Delete next to the note you want to remove.

The note is deleted.


Read status

You can mark which threats you have read or not read by marking them as Read or Unread respectively.

You can do this automatically (by creating a server task that marks the threats returned in a query or by creating an automatic response that executes the server task when an event is triggered) or manually.

All threats are set to Unread by default. There are no restrictions on read status, so you can change a threat from Read to Unread, then back to Read. Using automatic responses, you can also have actions triggered automatically (such as an email notification) when the read status of a threat is changed.

You can create queries and filters that include or exclude threats based on their read status (for example, if you only want to view the threats you have not read). Marking a threat as Read or Unread is not specific to each user. When a user marks a threat as Read, the same status is displayed when another user account logs on.

Filter threats by their read status

You can filter threats based on their read status. For example, view only the threats you've not read.

Task

For option definitions, click ? in the interface.

• In the ePolicy Orchestrator console, go to the Threats page, select Filter, then select All, Read, or Unread.

The list of threats is filtered by the option you selected.

Mark threats manually

You can mark one or more threats as Read or Unread.

You can also mark threats automatically by creating a server task that marks the threats returned in a query or by creating an automatic response that executes the server task when an event is triggered.

Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, do one of the following:

To... Do this...

Mark multiple threats as Read or Unread
Go to the Threats page, then select the threats that you want to mark.
You can perform this task from some dashboard monitor pages. See information about each monitor for details.

Mark a single threat as Read or Unread
Do one of the following:
• Go to the Threats page, then select the threat that you want to mark.
• Go to the Threat Details page of the threat that you want to mark.

2 Click Actions | Risk Advisor, then click Mark Unread or Mark Read as required.

The read status of the threats you selected is changed.


Threat tags
Threat tags, which are similar to ePolicy Orchestrator tags, allow you to group threats. After you create threat tags and apply them, you can create queries and filters to include or exclude them.

For example, you can create a tag and apply it to all threats that you consider high risk, then create a query that displays only the assets that are vulnerable to those threats. You can apply multiple threat tags to a single threat.

You can apply and remove threat tags manually, or automatically (by creating a server task that applies or removes them from the results of a query, or by creating an automatic response that executes the server task when an event is triggered). Using automatic responses, you can also have actions (such as an email notification) triggered automatically when threat tags are applied or removed.

McAfee-defined tags are maintained by McAfee Labs, and they can't be deleted or modified. You can differentiate these tags on the Threat Tags page by their source: McAfee (McAfee-defined tags) and User (tags created by users). You might find these McAfee tags in the threat feed:

• Attack - Operation Aurora

• Patch Tuesday

• Security Advisories - Microsoft

• Security Bulletin (OOB) - Microsoft

• Zero-Day

Create threat tags
You can create threat tags, then use them to group threats for the purpose of including or excluding them from queries.

You can also perform this task from some dashboard monitor pages. See the information about each monitor for details.

Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, go to the Threats page, and click Actions | Risk Advisor | Manage Tags.

2 In the Threat Tags screen, click Actions | Add Tag.

3 In the Add Threat Tag screen, enter a name for the threat tag and a description, then click OK.

The threat tag is added.

4 To add another threat tag, repeat this task. When you are finished, click Close.

Edit threat tags
You can make changes to the threat tags you created, and the tags already applied to threats are updated accordingly.

You can also perform this task from some dashboard monitor pages. See the information about each monitor for details.


Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, go to the Threats page, and click Actions | Risk Advisor | Manage Tags.

2 In the Threat Tags screen, select the threat tag you want to edit. Then click Actions | Edit Tag.

You can't modify the McAfee-defined tags, such as Patch Tuesday.

3 In the Edit Threat Tag screen, edit the threat tag as needed, then click OK.

4 To edit another threat tag, repeat this task. When you are finished, click Close.

Delete threat tags
You can delete threat tags that you no longer want. If you delete a threat tag that is applied to a threat, that tag is also removed from the threat.

You can also perform this task from some dashboard monitor pages. See the information about each monitor for details.

Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, go to the Threats page, then click Actions | Risk Advisor | Manage Tags.

2 In the Threat Tags screen, select the threat tags you want to delete. Then click Actions | Delete Tag(s).

The threat tags you selected are deleted. They are also removed from all threats to which they were applied.

3 When you are finished, click Close.

Apply threat tags manually
You can apply a threat tag manually to threats, then create queries and filters to include or exclude them.

You can also apply threat tags automatically, by creating a server task that applies them to the results of a query, or by creating an automatic response that executes the server task when an event is triggered.

Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, do one of the following:

To add threat tags to multiple threats: go to the Threats page, then select the threats. You can also perform this task from some dashboard monitor pages; see the information about each monitor for details.

To add threat tags to a single threat, do one of the following:

• Go to the Threats page, then select the threat.

• Go to the Threat Details page of the threat.


2 Click Actions | Risk Advisor | Apply Tags.

3 In the Apply Tags screen, select the tags you want to apply, then click OK.

You can't apply McAfee-defined threat tags to threats, because they're applied automatically through McAfee Threat Intelligence Service updates.

The tags are applied to the threats.

Remove threat tags manually
You can remove a threat tag that you no longer want applied to a threat.

You can also remove threat tags automatically, by creating a server task that removes them from the results of a query, or by creating an automatic response that executes the server task when an event is triggered.

Task

For option definitions, click ? in the interface.

1 Do one of the following:

To remove threat tags from multiple threats: go to the Threats page, then select the threats. You can also perform this task from some dashboard monitor pages; see the information about each monitor for details.

To remove threat tags from a single threat, do one of the following:

• Go to the Threats page, then select the threat.

• Go to the Threat Details page of the threat.

2 Click Actions | Risk Advisor | Remove Tags.

3 In the Remove Tags screen, select the tags you want to remove, then click OK.

Enable or disable threat for analysis
By default, all new threats from the threat feed are enabled for risk analysis. If you don't want certain threats to be considered, you can disable them.

This is useful when some threats might or might not apply to assets in your enterprise, but you do not want them considered for the assets managed by you or your group.

Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, go to the Threats page (or a reporting page listing threats).

2 Select the threats that you want to enable or disable for risk analysis.

3 Click Actions | Risk Advisor | Change Analysis Status.

4 Select Enable or Disable, as required.

5 Click OK.


5 Performing risk assessment

After you install and configure McAfee Risk Advisor, you can monitor and analyze the risk posture of your environment.

The McAfee Risk Advisor reports help you track and report on the threats that affect your environment, and view recommendations for prioritizing your actions against them.

Contents

How McAfee Risk Advisor imports and analyzes data

How risk is determined

How threat actions are determined

Actions you can perform

How McAfee Risk Advisor imports and analyzes data
McAfee Risk Advisor imports data from products managed by ePolicy Orchestrator, creates a visual representation of the potential vulnerabilities on your network, and recommends and prioritizes what you need to do to address them.

The default server task, MRA: Threat Download and Analysis, consists of these actions:

• MRA: Threat Feed Download — Updates McAfee Risk Advisor with the latest threat information from McAfee Threat Intelligence Services. Imports the complete threat data (From Beginning) or only the threat data added since the previous run (Since Last Run). This action requires Internet connectivity.

If you are in an air-gapped environment, you can use the Import Threats from File action to import a file containing the updates.

• MRA: Data Import/Reconciliation — Imports and reconciles system and asset information from the supported McAfee products. If application awareness is enabled, it also reconciles application data from McAfee Application Control and McAfee Application Inventory.

• MRA: Threat Asset Coverage Analysis — Applies the McAfee Risk Advisor threat analysis calculations to the data collected by the MRA: Threat Feed Download and MRA: Data Import/Reconciliation actions. During this action, the threat data applicable to an asset is compared against the countermeasure and vulnerability status of the asset to determine whether the asset is at risk. This action also provides an option to enable analysis for McAfee Risk Advisor reports.

You can view the status of these tasks in the Server Task Log.


You can separate the actions in the MRA: Threat Download and Analysis task into individual tasks for more control over when and how frequently they run. Schedule the tasks in this sequence:

1 MRA: Threat Feed Download

2 MRA: Data Import/Reconciliation

3 MRA: Threat Asset Coverage Analysis

Do not schedule multiple tasks to run at the same time because they might have data dependencies.

For multiple servers, run the MRA Rollup: Roll up Risk Advisor Data task. This task rolls up the entire McAfee Risk Advisor data set, comprising Server Risk Metrics, Threat Data, and Threat Risk Metrics.

Download threats and analyze data
You need to run the MRA: Threat Download and Analysis task to download threat data, reconcile data from all data sources, and perform the analytics that generate the reports describing your risk posture.

Before you begin

If you are running this task for the first time after installing or upgrading McAfee Risk Advisor, make sure you have configured McAfee Risk Advisor to import updates from all of the McAfee products you want.

To reduce import time, McAfee Risk Advisor prepackages the threat data. We recommend that you run the default MRA: Threat Download and Analysis task immediately after installation to download the most current threat data.

The MRA: Threat Download and Analysis task gets the latest threat data by downloading delta updates with the Since Last Run option. By default, the task imports data from all products, and it's enabled and scheduled to run daily. You can keep the default schedule or edit the server task to run when you want. You can also separate the actions in this server task into individual server tasks.

Task

For option definitions, click ? in the interface.

1 Click Menu | Automation | Server Tasks, then click Run under Actions for MRA: Threat Download and Analysis.

2 In the Server Task Log screen, monitor the status of the task and view details about each action within the task.

Separate the import and analysis server tasks
For more control over when and how frequently the actions in the MRA: Threat Download and Analysis task run, you can split the task's actions into individual server tasks.

Before you begin

Disable or delete the default MRA: Threat Download and Analysis task to prevent duplicate tasks from running.

After the initial prepackaged threat import, you can use the Since Last Run option to reduce the time required to download threat feed data. You can schedule the MRA: Threat Asset Coverage Analysis task to run more frequently than the MRA: Threat Feed Download task; run it whenever you want to know how the threats displayed on the MRA: Most Recent Threats monitor impact your network.


After installing or upgrading McAfee Risk Advisor, the actions in the MRA: Threat Download and Analysis task must run in the following order for the first-time execution:

1 MRA: Threat Feed Download

2 MRA: Data Import/Reconciliation

3 MRA: Threat Asset Coverage Analysis

Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, click Menu | Automation | Server Tasks, then click New Task.

The Server Task Builder screen appears.

2 Type a unique name for the task (for example, MRA: Threat Feed Download, MRA: Data Import/Reconciliation, or MRA: Threat Asset Coverage Analysis) and any notes. Select whether the task is to be enabled once it's created, then click Next.

3 For Actions, select a task from the drop-down list.

To create an MRA: Threat Feed Download server task:

1 Select MRA: Threat Feed Download.

2 Select one of these options:

• Since Last Run: if this is the first time downloading the threat feed, or to maintain the threat feed.

• From Beginning: if you need to overwrite the content from the threat feed. A scheduled server task with this option overwrites the threat data each time it runs, which can take a considerable amount of time.

To create an MRA: Data Import/Reconciliation server task:

1 Select MRA: Data Import/Reconciliation.

2 Select these options:

• All Items to import all product data and applicability data.

• All OS Applicability Data to import all applicability data, or Operating System to import only the targeted operating system information.

• All Products to import data from all products, or Countermeasure Products, Vulnerability Detector Products, or Application Aware Products, as required.

• A specific product or applicability data set to import only that data.

Only products installed and registered with McAfee Risk Advisor are displayed. For example, although McAfee Vulnerability Manager is integrated with McAfee Risk Advisor, if the McAfee Vulnerability Manager data import extension was not installed and configured, it doesn't appear in the list of Products.

To create an MRA: Threat Asset Coverage Analysis server task:

1 Select MRA: Threat Asset Coverage Analysis from the drop-down list.

2 Select Enable analysis for 'Risk Advisor Reports' if countermeasure-centric and vulnerability-centric reports are required.

Analytics takes longer when 'Risk Advisor Reports' analysis is enabled.

4 Click Next.


5 Schedule the task as required, then click Next.

6 Review the task settings on the Summary page, then click Save.

The server task is added to the list on the Server Tasks page. If you selected to enable the task, it runs at the next scheduled time.

Data reconciliation process
McAfee products store information such as version numbers, protection levels, and vulnerability states in different formats. McAfee Risk Advisor normalizes this data into a common data structure so that it can be analyzed.

The MRA: Data Import/Reconciliation task handles this normalization and reconciliation. The task lets you select which items to reconcile, such as:

• All product data

• A specific product's data

• Only applicable data such as operating system

By selecting individual products, you can create separate tasks with separate import and synchronization schedules for each.

You can create a separate task for each product or applicability data set, then schedule each task at the time most convenient for that product. Remember to schedule any necessary product tasks to run before the MRA: Data Import/Reconciliation task. For example, if you want to conduct a vulnerability scan using McAfee Vulnerability Manager and import the results into ePolicy Orchestrator for McAfee Risk Advisor to use, schedule the McAfee Vulnerability Manager task so that it finishes before the MRA: Data Import/Reconciliation task starts.

Data integrity process
The data displayed in McAfee Risk Advisor reflects the last time the MRA: Threat Download and Analysis task was run. If anything in your environment has changed since then, you need to rerun the task to keep the data current.

For example, you might see systems that were deleted, or you might not be able to find detailed information about a system because it was removed from the ePolicy Orchestrator System Tree. Similarly, the Rolled-Up Risk Metrics screen might display incorrect reports because recent changes made on one of the registered ePolicy Orchestrator servers were not included in the analysis.

To make sure the data in reports is accurate, rerun the server tasks.

How risk is determined
McAfee Risk Advisor analyzes data from various sources to determine whether an asset is at risk from a threat, then uses that data to calculate the asset's overall risk status for that specific threat.

Related information about the threat actions can be found in the How Am I At Risk? chart in the System Details | Risk Advisor | Threat Coverage section.

McAfee Risk Advisor groups the Asset Overall status of each asset for a specific threat into Summary states to provide a quick view of your risk.

The data from the supported McAfee products is used to determine the vulnerability, countermeasure, and threat applicability status of an asset.


Vulnerability detectors are used to determine the Vulnerability status:

• Vulnerable — The vulnerability for the threat is detected on the asset.

• Not Vulnerable — The vulnerability for the threat is not detected on the asset.

• Insufficient Data — Not enough data was available to determine the Vulnerability status. Possible reasons include:

  • Scan results are not updated due to data reconciliation issues, or the scan results are incorrect.

  • The vulnerability detector is not installed.

  • The McAfee Risk Advisor extension for the vulnerability detector is not installed.

Countermeasure products are used to determine the Countermeasure protection status:

• Protected — A countermeasure is detected on the asset that can protect it from the threat, or a countermeasure declaration for a user-defined countermeasure is available.

• Not Protected — No countermeasure or declaration is detected on the asset that can protect it from the threat, or the countermeasure is not configured as specified in the threat information.

• Insufficient Data — Not enough data is available to determine the Countermeasure status. Possible reasons include:

  • The McAfee Risk Advisor extension for the countermeasure is not installed.

  • The countermeasure is not installed on the asset.

  • The expected version of the countermeasure is not running on the asset.

  • The asset is not managed by ePolicy Orchestrator.

Threat applicability data is used to determine the Threat applicability status:

• Applicable — The threat is applicable to the asset.

• Not Applicable — The threat is not applicable to the asset.

• Insufficient Data — Not enough data is available to determine the Applicability status. This can happen if applicability data is not provided in the information received about the threat, or is not known for the asset.

Based on the asset's status against each data source, McAfee Risk Advisor determines the overall risk status of the asset.

The Asset Overall status is Protected when:

• Countermeasure status is Protected, and Vulnerability Detector status is Vulnerable.

• Countermeasure status is Protected, Vulnerability Detector status is Insufficient Data, and Threat Applicability status is Applicable or Insufficient Data.

The Asset Overall status is Not Protected when Countermeasure status is Not Protected, Vulnerability Detector status is Insufficient Data, and Threat Applicability status is Applicable or Insufficient Data.

The Asset Overall status is Vulnerable when Countermeasure status is Not Protected or Insufficient Data, and Vulnerability Detector status is Vulnerable.

The Asset Overall status is Not Vulnerable when:

• Vulnerability Detector status is Not Vulnerable.

• Threat Applicability status is Not Applicable, and Vulnerability Detector status is other than Vulnerable.

The Asset Overall status is Insufficient Data when Countermeasure status and Vulnerability Detector status are both Insufficient Data.

If the Threat Applicability status of an asset for a threat is Applicable or Insufficient Data, the Asset Overall status is determined by the Vulnerability Detector and Countermeasure statuses.

Based on the overall status of an asset, McAfee Risk Advisor determines the overall risk summary state of the asset.

The Summary state is At Risk when the Asset Overall status is Vulnerable or Not Protected.

The Summary state is Not At Risk when the Asset Overall status is Not Vulnerable or Protected.

The Summary state is Potentially At Risk when the Asset Overall status is Insufficient Data, and Threat Applicability status is Applicable or Insufficient Data.
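As an added worked example (not the product's own code), the following Python encodes the two tables above as functions and enumerates all 27 combinations of the three input statuses. One combination the tables leave unnamed, Threat Applicability Not Applicable together with a Vulnerability Detector status of Vulnerable, is resolved here by the Vulnerability Detector rows; that precedence is an assumption and is marked as such in the code.

```python
"""Asset Overall status and Summary state, as added example code encoding the
two decision tables in the guide (this is not McAfee's implementation)."""
from itertools import product

VULNERABLE, NOT_VULNERABLE, INSUFFICIENT = "Vulnerable", "Not Vulnerable", "Insufficient Data"
PROTECTED, NOT_PROTECTED = "Protected", "Not Protected"
APPLICABLE, NOT_APPLICABLE = "Applicable", "Not Applicable"

COUNTERMEASURE_STATES = (PROTECTED, NOT_PROTECTED, INSUFFICIENT)
VULNERABILITY_STATES = (VULNERABLE, NOT_VULNERABLE, INSUFFICIENT)
APPLICABILITY_STATES = (APPLICABLE, NOT_APPLICABLE, INSUFFICIENT)


def asset_overall_status(countermeasure: str, vulnerability: str, applicability: str) -> str:
    """Return the Asset Overall status for one threat-asset combination."""
    if (countermeasure not in COUNTERMEASURE_STATES
            or vulnerability not in VULNERABILITY_STATES
            or applicability not in APPLICABILITY_STATES):
        raise ValueError("unknown data source status")
    # Not Vulnerable rows: the detector says Not Vulnerable, or the threat does
    # not apply and the detector has not positively found the vulnerability.
    if vulnerability == NOT_VULNERABLE:
        return NOT_VULNERABLE
    if applicability == NOT_APPLICABLE and vulnerability != VULNERABLE:
        return NOT_VULNERABLE
    # The detector found the vulnerability: only a Protected countermeasure
    # changes the outcome. Assumption: this row also covers applicability
    # Not Applicable, a combination the guide's table does not list.
    if vulnerability == VULNERABLE:
        return PROTECTED if countermeasure == PROTECTED else VULNERABLE
    # Remaining case: vulnerability is Insufficient Data and the threat is
    # Applicable or Insufficient Data, so the countermeasure status decides.
    return {PROTECTED: PROTECTED, NOT_PROTECTED: NOT_PROTECTED,
            INSUFFICIENT: INSUFFICIENT}[countermeasure]


def summary_state(countermeasure: str, vulnerability: str, applicability: str) -> str:
    """Collapse the Asset Overall status into the guide's three Summary states."""
    overall = asset_overall_status(countermeasure, vulnerability, applicability)
    if overall in (VULNERABLE, NOT_PROTECTED):
        return "At Risk"
    if overall in (NOT_VULNERABLE, PROTECTED):
        return "Not At Risk"
    # Overall Insufficient Data is only reached when applicability is
    # Applicable or Insufficient Data, which is the Potentially At Risk row.
    return "Potentially At Risk"


def decision_matrix() -> dict:
    """Enumerate all 27 input combinations -> (Asset Overall status, Summary state)."""
    return {
        (c, v, a): (asset_overall_status(c, v, a), summary_state(c, v, a))
        for c, v, a in product(COUNTERMEASURE_STATES, VULNERABILITY_STATES, APPLICABILITY_STATES)
    }


if __name__ == "__main__":
    for (c, v, a), (overall, summary) in sorted(decision_matrix().items()):
        print(f"C={c:<17} V={v:<17} Ap={a:<17} -> {overall:<17} {summary}")
```

Running the block prints the full matrix, which is a quick way to check that every combination lands in exactly one Summary state and that no combination falls through to an unexpected row.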

Risk score calculations
Risk can be defined as the potential of a threat to exploit vulnerabilities of an asset and cause damage or unintended consequences. McAfee Risk Advisor uses a qualitative approach to describe the nature of the risk and a quantitative approach to express it as numerical values.

McAfee Risk Advisor uses data about assets, threats, countermeasures, and vulnerabilities to help you analyze and mitigate risks. It calculates security risks and enables you to consistently monitor changes to your organization's risk score. Security architects and risk management staff can use these risk metrics to identify the riskiest systems in the organization, prioritize patching efforts, and recognize the threats that apply to the largest number of assets.

The risk score is directly proportional to Applicability, Vulnerability, and Criticality, and inversely proportional to Protection (countermeasure presence). For example, the Enterprise Risk Score increases if a threat is Applicable to an asset, the asset is Vulnerable, or the asset criticality is High. Conversely, adding a countermeasure reduces the risk score.

McAfee Risk Advisor generates various reports based on risk scores, including asset-centric, threat-centric, server risk metrics, what-if analysis, vulnerability-centric, countermeasure-centric, and rollup reports.

Risk score is computed at four levels.

• For each threat-asset combination

• For each asset and for each threat

• For each server

• For multiple servers


Risk metrics used to derive risk score
The risk score for each threat and asset is calculated using these basic risk metrics.

Basic threat score (T), range 0–10: Determines the probability of the threat occurring. The value is derived from the CVSS Base Score with temporal values applied. If the National Vulnerability Database (NVD) has a CVSS score available, McAfee matches that with the McAfee score, then adds the temporal values to the McAfee data.

Applicability (Ap): 1 for Applicable, 1 for Insufficient Data, 0 for Not Applicable. Determines whether the threat is applicable to the asset, for example, whether the asset is running the operating system associated with the threat.

Asset criticality (Ac): 10 for Most Critical, 8 for Critical, 6 for High, 4 for Medium, 2 for Low. Determines how critical the asset is to the organization. The value is derived from the criticality level defined for the asset.

Countermeasure status (C): 10 for Protected, 1 for Insufficient Data, 1 for Not Protected. Determines the countermeasure status of the asset for the threat.

Vulnerability (V): 1 for Vulnerable, 0.5 for Insufficient Data, 0 for Not Vulnerable. Determines whether the vulnerability exists on the asset.

Risk score, range 0–100: The risk score for a threat-asset combination is determined using the formula (T*Ap*V*Ac)÷C. The asset and threat scores in the following sections are aggregates of these per-combination scores.

Risk metrics for assets
The risk score of each asset is calculated by aggregating the risk scores of all the threat-asset combinations for that asset. Only enabled assets are considered in risk score calculations.

A risk score is calculated when:

• The threat is applicable to the asset, or the applicability data available is insufficient.

• The asset is enabled and not suppressed.

Absolute Risk Score (no fixed range): Sum total of the Asset Risk Scores for all impacting threats.

Asset Risk Category (High 65–100, Medium 35–65, Low 0–35): Category of the asset based on its Asset Risk Score.

Asset Risk Score (0–100): Average risk score of the asset over all impacting threats.

Impacting Threats (count): Number of threats that are applicable to the asset and threats to which the asset is vulnerable.

Max Risk Score (0–100): Maximum risk score among all the impacting threats.

Risk metrics for threats
The risk score of each threat is calculated by aggregating the risk scores of all the threat-asset combinations for that threat. Only enabled threats are considered in risk score calculations.

A risk score is calculated when:

• The threat is applicable to the asset, or the applicability data available is insufficient.

• The threat is enabled and not suppressed.

Absolute Risk Score (no fixed range): Sum total of the Threat Risk Scores for all applicable assets.

Assets Impacted (count): Number of assets to which the threat is applicable and assets that are vulnerable to the threat.

Basic Threat Score (0–10): CVSS Base Score set by McAfee.

Max Risk Score (0–100): Maximum risk score among all applicable assets.

Threat Risk Score (0–100): Average risk score of the threat against all applicable assets.
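As an added worked example (not code from the Risk Advisor product), the following Python applies the formula (T*Ap*V*Ac)÷C with the attribute weights from the Risk metrics used to derive risk score table to a few constructed threat-asset combinations, then rolls the per-combination scores up per asset and per threat as the two metric tables above describe. The sample rows, the placement of the shared band boundaries 35 and 65 in the higher category, the use of the count of scored combinations as the Impacting Threats / Assets Impacted figure, and the use of an average for the server-level Enterprise Risk Score are assumptions, marked in the comments.

```python
"""Risk score computation and roll-up, as added example code following the
guide's metric tables (this is not McAfee's implementation)."""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional

# Weights from the "Risk metrics used to derive risk score" table.
APPLICABILITY = {"Applicable": 1, "Insufficient Data": 1, "Not Applicable": 0}
VULNERABILITY = {"Vulnerable": 1.0, "Insufficient Data": 0.5, "Not Vulnerable": 0.0}
CRITICALITY = {"Most Critical": 10, "Critical": 8, "High": 6, "Medium": 4, "Low": 2}
COUNTERMEASURE = {"Protected": 10, "Insufficient Data": 1, "Not Protected": 1}


@dataclass(frozen=True)
class ThreatAsset:
    """One threat-asset combination with the statuses the analysis produced."""
    threat: str
    asset: str
    basic_threat_score: float   # T, 0-10
    applicability: str          # Ap
    vulnerability: str          # V
    criticality: str            # Ac, a property of the asset
    countermeasure: str         # C
    asset_enabled: bool = True
    threat_enabled: bool = True
    suppressed: bool = False


def pair_risk_score(p: ThreatAsset) -> Optional[float]:
    """(T*Ap*V*Ac)/C for one combination, or None when the guide computes no
    score: the threat is Not Applicable, or the asset or threat is disabled
    or suppressed."""
    if not (p.asset_enabled and p.threat_enabled) or p.suppressed:
        return None
    if p.applicability == "Not Applicable":
        return None
    if not 0.0 <= p.basic_threat_score <= 10.0:
        raise ValueError("basic threat score must lie in 0-10")
    numerator = (p.basic_threat_score * APPLICABILITY[p.applicability]
                 * VULNERABILITY[p.vulnerability] * CRITICALITY[p.criticality])
    return round(numerator / COUNTERMEASURE[p.countermeasure], 2)


def risk_category(score: float) -> str:
    """High 65-100, Medium 35-65, Low 0-35. Assumption: the guide's bands share
    their boundary values, so 35 and 65 are placed in the higher band."""
    if score >= 65:
        return "High"
    if score >= 35:
        return "Medium"
    return "Low"


def roll_up(pairs: List[ThreatAsset], by: str) -> Dict[str, dict]:
    """Aggregate per asset (by='asset') or per threat (by='threat'):
    Absolute = sum, Risk Score = average, Max = maximum, plus the number of
    scored combinations (assumption: that count is the guide's Impacting
    Threats / Assets Impacted figure)."""
    scores: Dict[str, List[float]] = {}
    for p in pairs:
        s = pair_risk_score(p)
        if s is not None:
            scores.setdefault(getattr(p, by), []).append(s)
    result = {}
    for name, values in scores.items():
        avg = round(mean(values), 2)
        result[name] = {"absolute": round(sum(values), 2), "risk_score": avg,
                        "max": max(values), "count": len(values),
                        "category": risk_category(avg)}
    return result


def enterprise_risk_score(pairs: List[ThreatAsset]) -> float:
    """Server-level figure: average Asset Risk Score over all scored assets
    (assumption: the guide says 'aggregating' without naming the operator)."""
    per_asset = roll_up(pairs, "asset")
    return round(mean(m["risk_score"] for m in per_asset.values()), 2) if per_asset else 0.0


# Constructed sample data (not real threats or hosts).
SAMPLE = [
    ThreatAsset("T-1", "web01", 7.5, "Applicable", "Vulnerable", "Critical", "Not Protected"),
    ThreatAsset("T-1", "web02", 7.5, "Applicable", "Vulnerable", "Critical", "Protected"),
    ThreatAsset("T-2", "web01", 10.0, "Insufficient Data", "Insufficient Data", "Critical", "Insufficient Data"),
    ThreatAsset("T-2", "db01", 10.0, "Applicable", "Vulnerable", "Most Critical", "Not Protected"),
    ThreatAsset("T-3", "db01", 9.0, "Not Applicable", "Vulnerable", "Most Critical", "Not Protected"),
]

if __name__ == "__main__":
    for name, m in roll_up(SAMPLE, "asset").items():
        print("asset", name, m)
    for name, m in roll_up(SAMPLE, "threat").items():
        print("threat", name, m)
    print("enterprise risk score:", enterprise_risk_score(SAMPLE))
```

The sample shows the effect the text describes: the same threat on two identically critical hosts scores 60 on the unprotected one and 6 on the protected one (the countermeasure divides by 10), a combination with only Insufficient Data still contributes half of its potential score, and the Not Applicable row contributes nothing and does not count toward Assets Impacted.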

Risk metrics for a server
The Enterprise Risk Score represents the cumulative impact of threats over all applicable assets. It is computed by aggregating the risk scores of all the assets on the server over all the threats.

The percentage change in Enterprise Risk Score is derived by calculating the difference between thecurrent and previous value of Enterprise Risk Score.

Enterprise Risk Category (High 65–100, Medium 35–65, Low 0–35): Risk category of the enterprise based on the Enterprise Risk Score.

Enterprise Risk Score (0–100): Risk score of all the assets over all the threats.

Change in Enterprise Risk Score (0–100): Percentage change in the Enterprise Risk Score from the previous analysis.

Risk metrics for rollup reporting
The rollup reporting feature calculates the Overall Enterprise Risk Score, which represents the summarized risk score of all the assets over all the threats across servers.

The percentage change in the Overall Enterprise Risk Score is calculated from the previous time the MRA Rollup: Roll Up Risk Advisor Data task was run.

In rollup reporting, the server settings on the reporting ePolicy Orchestrator server take precedence over those on the child servers.

Overall Enterprise Risk Category (High 65–100, Medium 35–65, Low 0–35): Overall risk category of the enterprise based on the Overall Enterprise Risk Score.

Enterprise Risk Score (0–100): Risk score of all the assets over all the threats across servers.

Change in Enterprise Risk Score (0–100): Percentage change in the Overall Enterprise Risk Score from the previous time the MRA Rollup: Roll Up Risk Advisor Data task was run.

How threat actions are determined
McAfee Risk Advisor uses the overall asset status for the threat, along with the applicable patch information, to form its recommendation, then provides a Threat Action Status.

Related information about threat actions can be found in the What Actions to take? chart, in the System Details | Risk Advisor | Threat Coverage section.

The Threat Action Status is Immediate action required (Install/Configure) when Countermeasure status is either Not Protected or Insufficient Data, Vulnerability Detector status is Vulnerable, and a patch is available for the threat.

The Threat Action Status is Action required but no patch available when a patch is not available, and one of the following is true:

• Vulnerability Detector status is Vulnerable, and Countermeasure status is either Not Protected or Insufficient Data.

• Vulnerability Detector status is Insufficient Data, and Countermeasure status is Not Protected.

The Threat Action Status is Action can be deferred (Protected) when Countermeasure status is Protected, and Vulnerability Detector status is either Vulnerable or Insufficient Data. Patch availability is not considered.

The Threat Action Status is No action required (Not vulnerable) when Vulnerability Detector status is Not Vulnerable.

The Threat Action Status is Not applicable when Threat Applicability status is Not Applicable.

The Threat Action Status is Investigation required (Not enough information) when one of the following is true:

• Vulnerability Detector and Countermeasure statuses are both Insufficient Data; patch availability is not considered.

• Vulnerability Detector status is Insufficient Data, Countermeasure status is Not Protected, and patch information is available for the threat.
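As an added worked example (not the product's own code), the following Python encodes the table above and uses it to group a constructed set of assets by the action they need for one threat, in the order an operator would work through them. The order in which the Not applicable and Not vulnerable rows are checked is not stated in the table and is an assumption here; the asset names are constructed.

```python
"""Threat Action Status, as added example code encoding the guide's
"What Actions to take?" table (this is not McAfee's implementation)."""
from collections import defaultdict
from typing import Dict, List, Tuple

VULNERABLE, NOT_VULNERABLE, INSUFFICIENT = "Vulnerable", "Not Vulnerable", "Insufficient Data"
PROTECTED, NOT_PROTECTED = "Protected", "Not Protected"
NOT_APPLICABLE = "Not Applicable"

IMMEDIATE = "Immediate action required (Install/Configure)"
NO_PATCH = "Action required but no patch available"
DEFER = "Action can be deferred (Protected)"
NO_ACTION = "No action required (Not vulnerable)"
NOT_APPLICABLE_ACTION = "Not applicable"
INVESTIGATE = "Investigation required (Not enough information)"


def threat_action_status(countermeasure: str, vulnerability: str,
                         applicability: str, patch_available: bool) -> str:
    """Return the Threat Action Status for one threat-asset combination.
    Assumption: a threat that is Not Applicable is reported as such before the
    vulnerability status is looked at; the guide lists both rows without an order."""
    if applicability == NOT_APPLICABLE:
        return NOT_APPLICABLE_ACTION
    if vulnerability == NOT_VULNERABLE:
        return NO_ACTION
    if countermeasure == PROTECTED:          # V is Vulnerable or Insufficient Data
        return DEFER                         # patch availability not considered
    if vulnerability == VULNERABLE:          # C is Not Protected or Insufficient Data
        return IMMEDIATE if patch_available else NO_PATCH
    # V is Insufficient Data; C is Not Protected or Insufficient Data.
    if countermeasure == NOT_PROTECTED and not patch_available:
        return NO_PATCH
    return INVESTIGATE


def prioritize(rows: List[Tuple[str, str, str, str, bool]]) -> Dict[str, List[str]]:
    """Group asset names by action status, in the order an operator would work them.
    Each row is (asset, countermeasure, vulnerability, applicability, patch_available)."""
    order = [IMMEDIATE, NO_PATCH, INVESTIGATE, DEFER, NO_ACTION, NOT_APPLICABLE_ACTION]
    groups: Dict[str, List[str]] = defaultdict(list)
    for asset, c, v, a, patch in rows:
        groups[threat_action_status(c, v, a, patch)].append(asset)
    return {status: groups[status] for status in order if groups[status]}


# Constructed sample rows for one threat (not real hosts).
SAMPLE_ROWS = [
    ("web01", NOT_PROTECTED, VULNERABLE, "Applicable", True),
    ("web02", PROTECTED, VULNERABLE, "Applicable", True),
    ("web03", INSUFFICIENT, VULNERABLE, "Applicable", False),
    ("db01", NOT_PROTECTED, INSUFFICIENT, "Applicable", True),
    ("db02", INSUFFICIENT, INSUFFICIENT, "Insufficient Data", False),
    ("mail01", NOT_PROTECTED, NOT_VULNERABLE, "Applicable", True),
    ("legacy01", NOT_PROTECTED, VULNERABLE, NOT_APPLICABLE, True),
]

if __name__ == "__main__":
    for status, assets in prioritize(SAMPLE_ROWS).items():
        print(f"{status}: {', '.join(assets)}")
```

Note the two rows that are easy to get wrong when reading the table: an unprotected host with an Insufficient Data detector result lands in Investigation required when a patch exists but in Action required but no patch available when none does, and a Protected host is deferred regardless of patch availability.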

Actions you can perform
McAfee Risk Advisor provides actions such as Apply Tags or Add Note that you can perform on the assets or threats listed in the reporting pages.

Not all actions are available on every reporting page; each page offers only the actions that apply to what it lists. In other words, the threat-centric pages have only threat-specific actions, and the asset-centric pages have only asset-specific actions. Both kinds of page have the common actions Manage Reporting Group and Change Analysis Status.


Action definitions

The actions provided by McAfee Risk Advisor are grouped under Actions | Risk Advisor in the reporting pages.

Add Note (threats): Adds the note you provide to the selected threats.

Add to MRA Analysis Queue (threats and assets): Adds the assets or threats you specify to the McAfee Risk Advisor analysis queue so that they are considered during the next analysis cycle.

Apply Tags (threats): Adds the threat tags you specify to the selected threats. ePolicy Orchestrator provides the similar actions Apply Tag to Assets, Exclude Tag, and Clear Tag; however, those actions are specific to asset tags.

Assign Criticality to Assets (assets): Assigns the asset criticality label you specify to the selected assets.

Change Analysis Status (threats and assets): Enables or disables the selected threats or assets for McAfee Risk Advisor analysis. By default, all threats and assets are enabled. Disabled threats or assets are not considered during the analysis and are not displayed on the McAfee Risk Advisor reporting pages.

Create Issue (assets): Creates issues based on assets.

Export Data (threats): Exports threat details and risk information in PDF format.

Import Threats From File (threats): Displays the Import Threats page, where you can import a .zip file containing threat data from McAfee Threat Intelligence Services. Use this action if you do not have an Internet connection, for example in an air-gapped environment, and cannot receive threat downloads from McAfee Threat Intelligence Services.

Manage Reporting Group (threats and assets): Displays the Reporting Groups page, where you can add or manage groups of assets and threats for McAfee Risk Advisor analysis reporting.

Manage Tags (threats): Displays the Threat Tags page, where you can create, edit, and delete threat tags.

Mark Read (threats): Changes the read status of the threats you specify to Read.

Mark Unread (threats): Changes the read status of the threats you specify to Unread.

NSP Countermeasure Declaration (assets): Assigns the McAfee Network Security Platform sensor:port you specify to the selected assets.

NSP Countermeasure Removal (assets): Removes the McAfee Network Security Platform sensor:port you specify from the selected assets.

Override NSP Countermeasure Status (assets): Overrides the McAfee Network Security Platform countermeasure declaration for the selected assets.

Remove NSP Countermeasure Override (assets): Removes the McAfee Network Security Platform countermeasure override from the selected assets.

Remove Tags (threats): Removes the threat tags you specify from the selected threats.

5 Performing risk assessmentActions you can perform

58 McAfee® Risk Advisor 2.7 Software Product Guide

Page 59: Risk Advisor 2.7 Product Guide for use with ePO 4.5 / 4.6

6 Managing tasks and responses

You can configure automatic responses to alert you about events and perform actions automatically, such as adding notes to threats. You can also schedule server tasks that import and analyze data, and run queries automatically and on a schedule.

Contents

Automatic responses
Server tasks

Automatic responses

With automatic responses you can configure which actions to take when specific events occur in your environment.

For example, you can configure the Execute Scheduled Task action to run a server task automatically after the threat download task finishes, which adds a note to each threat that is returned in a query. You can also be alerted by email if a note is added to a threat. You can specify the event groups and types that trigger these responses. You can also configure when these actions occur by setting thresholds that are based on aggregation and throttling. For further details, refer to the appropriate ePolicy Orchestrator documentation.

Predefined automatic response event groups

You can create automatic responses for McAfee Risk Advisor event types using these event groups. Each event type is listed under its predefined event group, followed by its definition.

Risk Advisor Analysis Events

• Asset Risk Metrics: Response is triggered when MRA: Threat Asset Coverage Analysis task ends and risk score of the assets matching the selected criteria changes.

• Reporting Group Analysis Completion: Response is triggered when MRA: Reporting Group Analysis task ends.

• Reporting Group Asset Risk Metrics: Response is triggered when MRA: Reporting Group Analysis task ends and risk score of the assets matching the selection criteria, when contained in the reporting group(s), changes.

• Threat Asset Coverage Analysis Begin: Response is triggered when an MRA: Threat Asset Coverage Analysis task begins.

• Threat Asset Coverage Analysis End: Response is triggered when an MRA: Threat Asset Coverage Analysis task ends.

Risk Advisor NSP Events

• NSP Alert Data Purge Begin: Response is triggered when a Network Security Platform Alert Data Purge task begins.

• NSP Alert Data Purge End: Response is triggered when a Network Security Platform Alert Data Purge task ends.

• NSP Data Import Begin: Response is triggered when a Network Security Platform Data Import task begins.

• NSP Data Import End: Response is triggered when a Network Security Platform Data Import task ends.

• NSP Detected System Creation Begin: Response is triggered when a Network Security Platform Data Import task, with the Create New Detected Systems from Alerts option selected, begins.

• NSP Detected System Creation End: Response is triggered when a Network Security Platform Data Import task, with the Create New Detected Systems from Alerts option selected, ends.

Risk Advisor Point-Product Events

• Individual Point Product Data Reconciliation Begin: Response is triggered when an MRA: Data Import/Reconciliation task, with the individual product option selected, begins.

• Individual Point Product Data Reconciliation End: Response is triggered when an MRA: Data Import/Reconciliation task, with the individual product option selected, ends.

• Point Product Data Reconciliation Begin: Response is triggered when an MRA: Data Import/Reconciliation task, with the All Products option selected, begins.

• Point Product Data Reconciliation End: Response is triggered when an MRA: Data Import/Reconciliation task, with the All Products option selected, ends.

Risk Advisor Threat Events

• Individual Threat Reconciliation: Response is triggered when Threat Reconciliation occurs for the threats matching the selection criteria, as part of the MRA: Data Import/Reconciliation task.

• Tags Applied to Threat: Response is triggered when either a server task with the Apply Tags to Threats subaction selected begins or a user adds tags to threats manually.

• Tags Removed from Threat: Response is triggered when either a server task with the Apply Tags to Threats subaction selected begins or a user removes tags from threats manually.

• Threat Download Begin: Response is triggered when an MRA: Threat Feed Download task begins.

• Threat Download End: Response is triggered when an MRA: Threat Feed Download task ends.

• Threat Note Added: Response is triggered when either a server task with the Add Threat Note subaction selected begins or a user adds a note to a threat manually.

• Threat Read Status Set: Response is triggered when either a server task with the Set Threat Read Status subaction selected begins or a user sets the read status of a threat manually.

• Threat Reconciliation Begin: Response is triggered when an MRA: Threat Feed Download task begins or when the MRA: Threat Feed Download action within the MRA: Threat Download and Analysis task begins.

• Threat Reconciliation End: Response is triggered when an MRA: Threat Feed Download task ends or when the MRA: Threat Feed Download action within the MRA: Threat Download and Analysis task ends.

Predefined automatic response actions

You can specify the actions to perform when a specific event occurs. Use these McAfee Risk Advisor actions available for the selected event types.

Add Threat Note: Type the note you want added to the threats matching the selected criteria. This action is available for the Individual Threat Reconciliation event type.

Apply Tags to Threats: Select the tags you want added to the threats matching the selected criteria. This action is available for the Individual Threat Reconciliation event type.

Create Risk Advisor Asset Issue: Create issues based on assets matching the selected criteria. This action is available for the Asset Risk Metrics and Reporting Group Asset Risk Metrics event types.

Remove Tags from Threats: Select the threat tags you want to remove from the threats matching the selected criteria. This action is available for the Individual Threat Reconciliation event type.

Set Threat Read Status: Select the status you want to apply to the threats matching the selected criteria. Options are: Read and Unread. This action is available for the Individual Threat Reconciliation event type.

Server tasks

Server tasks can perform actions such as importing and analyzing data and running queries, and perform subactions on the results of a query. They can be scheduled or executed on demand.

You can also chain multiple actions and subactions together in a single server task. For example, the MRA: Threat Download and Analysis task consists of the MRA: Threat Feed Download, MRA: Data Import/Reconciliation, and MRA: Threat Asset Coverage Analysis actions. Once a server task starts, you can view its status in the Server Task Log.

Predefined server task actions

McAfee Risk Advisor provides a set of predefined server task actions. Use these actions to create server tasks. The tasks, their predefined actions, and the options of each action are listed below.

Task: MRA: Threat Download and Analysis

Predefined action: MRA: Threat Feed Download

• From Beginning: Imports all threat data.

• Since Last Run: Imports new threat data since the last time the server task was run.

Predefined action: MRA: Data Import/Reconciliation

• All Items: Imports and reconciles data from all products and all applicability data.

• All OS Applicability Data: Imports and reconciles all operating system and application data. Select Operating System for only operating system data.

• All Products: Imports and reconciles data from all of these products, or only the ones you select:

• Countermeasure Products: Select this for all countermeasure products, or select specific products such as McAfee Application Control, McAfee Host Intrusion Prevention, McAfee Network Security Platform, and VirusScan Enterprise.

• Vulnerability Detector Products: Select this for all vulnerability detectors, or select specific products such as McAfee Vulnerability Manager and McAfee Policy Auditor.

• Application Aware Products: Select this for all application data sources, or select specific products such as McAfee Application Control and McAfee Application Inventory.

Predefined action: MRA: Threat Asset Coverage Analysis

• Enable analysis for 'Risk Advisor Reports' not selected: Analyzes threat data and the data imported from McAfee products.

• Enable analysis for 'Risk Advisor Reports' selected: Analyzes threat data and the data imported from McAfee products, and generates additional countermeasure-centric and vulnerability-centric reports to be displayed on the Risk Advisor Reports page.

Predefined action: Network Security Platform Alert Data Purge (you can add this action)

• Purge alerts older than: Defines how old alert data should be (number of days, weeks, months, or years) before it is purged.

Predefined action: Network Security Platform Data Import (you can add this action)

• Create New Detected Systems from Alerts: Creates detected systems from alerts. Systems with McAfee Network Security Platform inbound alerts are added to the ePolicy Orchestrator detected systems list, and you can then promote these systems to your ePolicy Orchestrator System Tree. Systems with only outbound alerts are not added to the detected systems list.

• Import Configuration Data: Imports configuration data only.

• Import Configuration and Alert Data: Imports configuration and alert data.

• Changes from last run only: Provides faster import times (after the task runs for the first time). This option is available if you select Import Configuration and Alert Data.

• All Alerts: Overwrites the alert data currently in your system. This option is available if you select Import Configuration and Alert Data.

Task: MRA Rollup: Roll up Risk Advisor Data

This task is disabled by default. Do not configure this task except for the selection of registered servers for rollup reporting.

Predefined action: Roll Up data

• Roll up data from: Allows you to select registered servers to be considered for rollup reporting. By default all registered ePolicy Orchestrator servers are chosen for rollup.

• Data Type: Allows you to select the data type to be used for rollup reporting. The default data type Risk Advisor Data includes Risk Advisor Threat Risk Metrics and Risk Advisor Threat Data. This option rolls up the entire data from all selected servers. You can also configure to purge data prior to the rollup action.

Predefined action: MRA Rollup: Analyze Rolled-up Risk Advisor Data

No configuration is required for this task. Analyzes rollup risk metrics data from the registered servers.

Task: MRA Rollup: Purge Rolled-Up Data

This task is disabled by default. You can enable and schedule this preconfigured task to purge Rollup data.

Predefined action: MRA Rollup: Purge Rollup Data

• Purge Rolled-Up Risk Advisor data of: Allows you to select registered servers to purge rolled up McAfee Risk Advisor data. Select All registered Servers to purge rolled up McAfee Risk Advisor data of all the registered servers.

Predefined action: MRA Rollup: Analyze Rolled-up Risk Advisor Data

No configuration is required for this task. Analyzes rolled up threat data and the data imported from McAfee products connected to the servers.

Task: MRA: Reporting Group Analysis

This task is disabled by default. You can enable and schedule this preconfigured task for selective Asset and Threat based reporting.

Predefined action: MRA: Reporting Group Analysis

No configuration is required for this task. Analyzes data for each reporting group and calculates the consolidated risk score for reporting purpose. Select Purge older reporting group's information and enter the number of months or years from which you want to perform the purge operation. By default, history data for six months from the current date is kept for trending purpose.

If no purge setting is specified, all the history data is deleted by executing this task.

Predefined server task subactions

If you select the Run Query server task action, McAfee Risk Advisor provides a predefined set of subactions. Use these subactions to create server tasks. The server task applies the subactions to the results of the query.

In ePolicy Orchestrator 4.6, only the subactions that are applicable to the selected query are displayed. For example, if the selected query returns a table of assets, then the threat-specific subactions such as Add Threat Note and Delete Threat Notes are not displayed.

Predefined subaction: Definition

Add Threat Note: Type the note you want added to the threats returned in the server task query.

Apply Tags to Threats: Select the tags you want added to the threats returned in the server task query.

Assign Asset Criticality: Select the criticality level you want applied to the assets returned in the server task query. Options are: High, Medium, and Low.

Create Risk Advisor Asset Issue: Create issues based on assets returned in the server task query.

Delete Threat Notes: Delete all notes from the threats returned in the server task query.

Disable or Enable Threat(s): Enable or Disable the threats or assets returned in the server task query.

NSP Countermeasure Declaration: Select the sensor or port options you want to declare for the assets returned in the server task query.

NSP Countermeasure Removal: Select the sensor or port options you want to remove from the assets returned in the server task query.

Remove Tags from Threats: Select the threat tags you want to remove from the threats returned in the server task query.

Set Threat Read Status: Select the status you want to apply to the threats returned in the server task query. Options are: Read and Unread.

7 Customizing reports and analysis

You can customize reporting and analysis using the McAfee Risk Advisor features such as Risk Analysis Exceptions, Advanced Reporting Groups, What-if risk analysis, and Rollup reporting.

Contents

Application Awareness
Risk analysis exceptions
Reporting groups
Rollup reporting
Perform what-if risk analysis
Add to the analysis queue
Define enterprise risk category labels

Application Awareness

McAfee Risk Advisor imports application inventory data from the McAfee Application Inventory agent and McAfee Application Control.

Most threats are applicable only to certain applications installed on assets. With application awareness, McAfee Risk Advisor considers an asset as Applicable to a threat only when the targeted application is installed. This helps determine the correct risk posture of the managed assets.

McAfee Risk Advisor considers both the OS attribute and the applicability attribute to determine if a threat is applicable to an asset. For example, if both match, or one matches and the other is not present, McAfee Risk Advisor considers the threat as Applicable to the asset.
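The applicability rule described above, written out as an added Python illustration (this is not McAfee Risk Advisor code). The OS attribute and the application attribute are compared separately; the threat is Applicable when both match, or when one matches and the other is not present. The Asset and Threat classes, the is_applicable and applicable_assets functions, and the sample assets and threat are constructed for this example. Two cases the guide does not spell out are handled as labelled assumptions: an asset with no application inventory is treated as having the application attribute "not present", and a pair where neither attribute is present is treated as not applicable. Disabling application awareness is modelled as ignoring the application attribute entirely.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Asset:
    name: str
    os: Optional[str]          # OS reported for the asset; None if not reported
    applications: frozenset    # installed applications from the inventory data sources


@dataclass(frozen=True)
class Threat:
    name: str
    target_os: frozenset       # OS applicability attribute; empty means "not present"
    target_apps: frozenset     # application applicability attribute; empty means "not present"


def _compare(asset_values, threat_values):
    """True = match, False = mismatch, None = attribute not present on one side."""
    if not asset_values or not threat_values:
        return None
    return bool(asset_values & threat_values)


def is_applicable(asset, threat, application_awareness=True):
    """Applicable if both attributes match, or one matches and the other is not present.
    Any mismatch makes the threat not applicable; neither attribute present is treated
    as not applicable (assumption: the guide does not state that case)."""
    os_values = frozenset([asset.os]) if asset.os else frozenset()
    os_result = _compare(os_values, threat.target_os)
    if application_awareness:
        # Assumption: an asset with no inventory data has the attribute "not present".
        app_result = _compare(asset.applications, threat.target_apps)
    else:
        # With application awareness disabled, inventory data is not considered at all.
        app_result = None
    results = [os_result, app_result]
    if False in results:
        return False
    return True in results


def applicable_assets(assets, threat, application_awareness=True):
    """Sorted names of the assets the threat is analysed as Applicable to."""
    return sorted(a.name for a in assets
                  if is_applicable(a, threat, application_awareness))


# Constructed sample data (not real threat feed content)
SAMPLE_THREAT = Threat("reader-sample", frozenset({"Windows 7"}), frozenset({"Adobe Reader"}))
SAMPLE_ASSETS = [
    Asset("win-reader", "Windows 7", frozenset({"Adobe Reader", "Firefox"})),  # both match
    Asset("win-noinv", "Windows 7", frozenset()),                             # OS matches, no app data
    Asset("win-other", "Windows 7", frozenset({"Firefox"})),                  # application mismatch
    Asset("nix-reader", "Ubuntu 12.04", frozenset({"Adobe Reader"})),         # OS mismatch
    Asset("unknown-os", None, frozenset({"Adobe Reader"})),                   # app matches, OS not present
]
```

With application awareness enabled, win-reader, win-noinv and unknown-os are Applicable; win-other drops out because the targeted application is not installed. With awareness disabled, only the OS decides, so win-other becomes Applicable again and unknown-os drops out.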

Enable or disable application awareness

By default, the application awareness feature is enabled. However, you can disable this feature and enable it again to consider application inventory data during analysis.

Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, click Menu | Configuration | Server Settings, then click Risk Advisor in the Settings Categories list.

2 In the McAfee Risk Advisor settings, click Edit.

The Edit Risk Advisor screen appears.

3 In Application Data, select the required application data sources for application awareness, or deselect them to disable the feature.

• McAfee Application Control — To use application data from this product in analysis (requires the MRA Solidcore data import extension installed).

• McAfee Application Inventory — To use application inventory from the agent (requires the MRA Application Inventory data import extension installed).

4 Click Save.

5 Run the MRA: Threat Download and Analysis task.

Reports are generated with the modified data settings.

Risk analysis exceptions

McAfee Risk Advisor generates reports based on the installed and configured McAfee products for all enabled assets and threats. However, you can provide exceptions if you've installed additional countermeasures that are not configured for McAfee Risk Advisor data import, or suppress reports by temporarily excluding a group of assets or threats based on your requirements.

Use these options to provide risk analysis exceptions:

• User-defined countermeasures — Add a user-defined countermeasure product that's protecting your assets. When you declare the countermeasure, the assets covered by the countermeasure are considered protected in analysis.

• Countermeasure declarations — Declare a user-defined countermeasure that's protecting a group of assets against a group of threats. Use System and Threat tags to define the threat-asset combination.

• Suppressions — Temporarily exclude a set of threats and assets from analysis.

For user-defined countermeasures, perform these tasks sequentially to consider them in analysis:

1 Add a user-defined countermeasure.

2 Declare the user-defined countermeasure.

3 Make sure that the user-defined countermeasure declaration is enabled.

The default status for a countermeasure declaration is Enabled.

4 Run MRA: Threat Asset Coverage Analysis.

To use suppressions, create a new suppression and select the threat-asset combination. The suppressed threats and assets are discarded the next time you run MRA: Threat Asset Coverage Analysis.
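The two kinds of exception described above, countermeasure declarations and suppressions, as an added Python model of how they act on threat-asset combinations during analysis (not McAfee Risk Advisor code). Every class and function here is constructed for the example, as are the sample assets, threats and tags; the label "at risk" for combinations that are neither suppressed nor protected is this example's wording, not the product's. The model reflects three rules from this chapter: a disabled declaration is ignored, a suppression whose start date lies in the past is effective from the current date only, and "No end date" keeps a suppression effective permanently.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Asset:
    name: str
    group: str          # System Tree path, e.g. "My Organization/Servers/Web"
    tags: frozenset     # system tags


@dataclass(frozen=True)
class Threat:
    name: str
    tags: frozenset     # threat tags


@dataclass(frozen=True)
class Criteria:
    """Selection criteria as in the Declaration and Suppression wizards.
    Empty criteria select all assets and all threats (the wizard default)."""
    group: Optional[str] = None            # "System is in group"
    include_subgroups: bool = False        # "System is in group or sub group"
    system_tags: frozenset = frozenset()   # System Tag criteria; every tag listed must be present
    threat_tags: frozenset = frozenset()   # Threat Tag criteria

    def matches_asset(self, asset):
        if self.group is not None:
            in_group = asset.group == self.group
            in_subgroup = asset.group.startswith(self.group + "/")
            if not (in_group or (self.include_subgroups and in_subgroup)):
                return False
        return self.system_tags <= asset.tags

    def matches_threat(self, threat):
        return self.threat_tags <= threat.tags


@dataclass(frozen=True)
class Declaration:
    name: str
    countermeasure: str   # a user-defined countermeasure added beforehand
    enabled: bool         # default status is Enabled; disabled declarations are ignored
    criteria: Criteria


@dataclass(frozen=True)
class Suppression:
    name: str
    start: date
    end: Optional[date]   # None models "No end date"
    criteria: Criteria

    def is_effective(self, today):
        # A past start date is accepted on edit, but the suppression is only effective
        # from the current date, so an earlier start simply means "active now".
        if self.start > today:
            return False
        return self.end is None or today <= self.end


def analyze(assets, threats, declarations, suppressions, today):
    """Classify each threat-asset pair: suppressed pairs are discarded from analysis,
    pairs covered by an enabled declaration count as protected, the rest are 'at risk'."""
    def covers(exception, asset, threat):
        c = exception.criteria
        return c.matches_asset(asset) and c.matches_threat(threat)

    active = [s for s in suppressions if s.is_effective(today)]
    enabled = [d for d in declarations if d.enabled]
    result = {}
    for a in assets:
        for t in threats:
            if any(covers(s, a, t) for s in active):
                result[(a.name, t.name)] = "suppressed"
            elif any(covers(d, a, t) for d in enabled):
                result[(a.name, t.name)] = "protected"
            else:
                result[(a.name, t.name)] = "at risk"
    return result


def sample_analysis(today=date(2012, 6, 1)):
    """Constructed scenario: a WAF declared for the Servers subtree against Adobe-tagged
    threats, a disabled declaration that must be ignored, and a lab suppression with no end date."""
    assets = [
        Asset("web01", "My Organization/Servers/Web", frozenset({"Windows"})),
        Asset("db01", "My Organization/Servers/DB", frozenset({"Windows", "PCI"})),
        Asset("lab01", "My Organization/Lab", frozenset({"Linux"})),
    ]
    threats = [Threat("adobe-sample", frozenset({"Adobe"})),
               Threat("ssh-sample", frozenset({"Linux"}))]
    declarations = [
        Declaration("WAF on servers", "Web Application Firewall", True,
                    Criteria(group="My Organization/Servers", include_subgroups=True,
                             threat_tags=frozenset({"Adobe"}))),
        Declaration("Legacy IPS (disabled)", "Legacy IPS", False, Criteria()),
    ]
    suppressions = [
        Suppression("Lab rebuild", today - timedelta(days=3), None,
                    Criteria(system_tags=frozenset({"Linux"}))),
    ]
    return analyze(assets, threats, declarations, suppressions, today)
```

In the sample, web01 and db01 are protected against the Adobe-tagged threat by the enabled declaration, both remain at risk for the Linux-tagged threat (the disabled declaration covering everything is ignored), and lab01 is dropped from analysis for every threat while the suppression is effective.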

Add a user-defined countermeasure

Add a countermeasure that's not configured for McAfee Risk Advisor data import.

Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, click Menu | Risk & Compliance | Risk Analysis Exceptions, then click the User Defined Countermeasures tab.

2 In the User Defined Countermeasures screen, click New Countermeasure.

3 Type a name and description for the countermeasure, then click Save.

The user-defined countermeasure is added to the list.

Edit a user-defined countermeasure

You can modify a user-defined countermeasure, as required.

Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, click Menu | Risk & Compliance | Risk Analysis Exceptions, then click the User Defined Countermeasures tab.

2 In the User Defined Countermeasures screen, select the countermeasure to be modified, then click Edit Countermeasures.

3 Make the necessary changes to the countermeasure name and description, then click Save.

The user-defined countermeasure is updated.

Delete a user-defined countermeasure

You can remove one or more countermeasures, as required.

Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, click Menu | Risk & Compliance | Risk Analysis Exceptions, then click the User Defined Countermeasures tab.

2 In the User Defined Countermeasures screen, select the countermeasure to be deleted, then click Actions | Delete Countermeasures.

A confirmation screen appears.

3 Click Yes to confirm.

The selected user-defined countermeasure is deleted from the list.

Declare a user-defined countermeasure

Declare the added user-defined countermeasure to specify the threat-asset combination it applies to.

Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, click Menu | Risk & Compliance | Risk Analysis Exceptions, then click the Countermeasure Declarations tab.

2 In the Countermeasure Declarations screen, click Declare Countermeasure.

The Details screen appears.

3 Type a name for the declaration.

4 Select the countermeasure that you added.

5 Type a reason for the declaration.

6 Select whether to enable or disable the countermeasure when declared, then click Next.

The Selection Criteria screen appears.

7 By default, all assets are selected. To select assets based on groups, select System is in group or System is in group or sub group and browse to the group of systems required. To select assets based on their tags, click System Tag under Available Properties, then select an appropriate comparison parameter and a tag value. To add more tags, click the + next to the tag criteria.

8 By default, all threats are selected. To select threats based on tags, click Threat Tag under Available Properties, then select an appropriate comparison parameter and a tag value. To add more tags, click the + next to the tag criteria.

9 Click Next.

10 Review the selected criteria and click Save to declare the countermeasure.

Enable or disable a countermeasure declaration

Enable a countermeasure declaration to make the user-defined countermeasure in effect during analysis. Disable the declaration to ignore it during analysis.

Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, click Menu | Risk & Compliance | Risk Analysis Exceptions, then click the Countermeasure Declarations tab.

2 In the Countermeasure Declarations screen, select the declaration to be enabled or disabled, click Actions, then click Enable Declaration(s) or Disable Declaration(s), as required.

3 Click Yes to confirm.

Edit a countermeasure declaration

You can modify a countermeasure declaration, as required.

Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, click Menu | Risk & Compliance | Risk Analysis Exceptions, then click the Countermeasure Declarations tab.

2 In the Countermeasure Declarations screen, select the declaration to be modified, then click Edit Declaration.

The Details screen appears.

3 Make the necessary changes to the Name, Countermeasure, Reason and Status, as required. Click Save to save the changes or click Next to make changes in the selection criteria.

4 In the Selection Criteria step, make the necessary changes. Click Save to save the changes or click Next to view the Summary screen.

5 Review the selected criteria and click Save to update the countermeasure declaration.

Delete a countermeasure declaration

You can remove a countermeasure declaration, when required.

Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, click Menu | Risk & Compliance | Risk Analysis Exceptions, then click the Countermeasure Declarations tab.

2 In the Countermeasure Declarations screen, select the declaration to be deleted, then click Delete Declaration(s).

3 Click Yes to confirm.

The selected declaration is deleted from the list.

Create a suppression

Create a suppression and select the threat tags and asset tags or groups that you want to temporarily exclude from the analysis.

Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, click Menu | Risk & Compliance | Risk Analysis Exceptions, then click the Suppressions tab.

2 In the Suppressions screen, click New Suppression.

The Details screen appears.

3 In the Details screen, complete these options, then click Next:

• Name and description for the suppression

• Time period for which you would like to enable the suppression, or select No end date to enable it permanently.

4 In the Required Criteria for System, select System is in group or System is in group or sub group and browse to the group of systems required. To select assets based on their tags, click System Tag under Available Properties, then select an appropriate comparison parameter and a tag value. To add more tags, click + next to the tag criteria.

5 By default, all threats are selected. To select threats based on their tags, click Threat Tag under Available Properties, then select an appropriate comparison parameter and a tag value. To add more tags, click + next to the tag criteria.

6 Click Next.

7 The selected criteria displays the number of assets and threats that currently match the criteria. Review the selected criteria and click Save to create the suppression.

The selected threat-asset combinations are excluded from the subsequent analysis.

Edit a suppression

You can modify a suppression to make necessary changes, as required.

Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, click Menu | Risk & Compliance | Risk Analysis Exceptions, then click the Suppressions tab.

2 In the Suppressions screen, select the suppression to be modified, then click Actions | Edit Suppression.

The Details screen appears.

3 Make the necessary changes to the name, description, and effective period for the suppression. Click Save to save the changes or click Next to make changes in the selection criteria.

There's no validation that the start date is later than the current date, because an existing suppression's start date might be older. However, even if you select a previous date, the suppression is effective from the current date only.

4 In the Selection Criteria step, make the necessary changes. Click Save to save the changes or click Next to view the Summary screen.

5 Review the selected criteria and click Save to update the suppression.

Delete a suppression

You can remove a suppression from the list, as required.

Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, click Menu | Risk & Compliance | Risk Analysis Exceptions, then click the Suppressions tab.

2 In the Suppressions screen, select the suppression to be deleted, then click Actions | Delete Suppression.

3 Click Yes to confirm.

The selected suppression is deleted from the list. Once a suppression is deleted, the suppressed assets and threats take part in analysis again.

Reporting groups

You can create reporting groups for selective asset- and threat-based reporting in McAfee Risk Advisor. This feature is useful when you want to generate reports for only a set of assets and threats.

For example, you want to generate reports for all the Windows machines in your organization against all the Adobe threats. Tag the assets as "Windows" and the threats as "Adobe," and then select these tags in the New Reporting Group screen to generate reports per your specific requirements.

You can specify a limit for the maximum number of reporting groups allowed to be created.

If the threat tags or asset tags/groups assigned to a reporting group are deleted, then the subsequent history data for the reporting group also gets deleted, and the reporting group becomes invalid. For an invalid reporting group to become valid again, edit the reporting group to select appropriate reporting group criteria and save the changes.

To use this feature:

1 Tag your threats, and tag or group assets.

2 Create a reporting group.

3 Run the MRA: Reporting Group Analysis task.

It's mandatory to successfully run the MRA: Threat Asset Coverage Analysis task at least once prior to running the MRA: Reporting Group Analysis task for proper analysis.

4 View the reporting group analysis results: click Menu | Risk & Compliance | Reporting Groups.

You can also run these reporting group queries, or add their monitors to a dashboard, per your requirements:

• Run these predefined queries:

• MRA: Reporting Group's Consolidated Risk Score History — Displays a chart for the reporting group's trends based on Consolidated Risk Score.

• MRA: Top 10 Reporting Groups based on Consolidated Risk Score — Displays a chart for the top 10 reporting groups based on Consolidated Risk Score.

• MRA: Top 10 Assets for all Reporting Groups by Risk Score — Displays a chart for the top 10 assets for all reporting groups based on their risk scores.

• MRA: Top 10 Threats for all Reporting Groups by Risk Score — Displays a chart for the top 10 threats for all reporting groups based on their risk scores.

• Run these custom queries:

• Reporting Group Analysis Results History — Displays a chart for the analysis results of reporting groups.

• Reporting Groups — Displays a chart for the reporting groups created.

• Reporting Group Asset Risk Metrics — Displays a chart for the asset risk metrics of reporting groups.

• Reporting Group Threat Risk Metrics — Displays a chart for the threat risk metrics of reporting groups.

It's mandatory to run the MRA: Reporting Group Analysis task before running these queries for proper results. For instructions on creating dashboards, see the ePolicy Orchestrator documentation.

Specify reporting groups limit

You can specify the number of reporting groups that can be created in McAfee Risk Advisor.

Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, click Menu | Configuration | Server Settings, then click Risk Advisor in the Settings Categories list.

2 In the McAfee Risk Advisor settings, click Edit. The Edit Risk Advisor page appears.

3 Under Reporting Group Limit, type the maximum number of reporting groups that you want to allow.

By default, the reporting group limit is 25, and the maximum limit can be set to 50.

The reporting group limit should always be greater than or equal to the number of existing reporting groups. For example, if 5 reporting groups have already been added, you can't reduce the limit to a value less than 5.

4 Click Save.
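The reporting group rules from this section (the default limit of 25, the maximum of 50, the requirement that the limit never drop below the number of existing groups, and a group becoming invalid when a tag it references is deleted until it is edited and saved), as an added Python model; this is not McAfee Risk Advisor code. ReportingGroupStore and its methods are constructed for the example, groups are keyed by tags only (the wizard also accepts System Tree groups), the lower bound of 1 on the limit is an assumption, and the walk-through in demo() uses constructed tag names.

```python
DEFAULT_LIMIT = 25   # default reporting group limit
MAX_LIMIT = 50       # highest value the limit accepts


class ReportingGroupStore:
    """Reporting groups with the limit and validity rules from the guide (constructed model)."""

    def __init__(self, known_system_tags, known_threat_tags):
        self.limit = DEFAULT_LIMIT
        self.system_tags = set(known_system_tags)   # tags that currently exist
        self.threat_tags = set(known_threat_tags)
        self.groups = {}   # name -> {"system_tags": set, "threat_tags": set, "history": [scores]}

    def set_limit(self, new_limit):
        """Accept a new limit only if in range and not below the existing group count."""
        if not 1 <= new_limit <= MAX_LIMIT:      # lower bound of 1 is an assumption
            return False
        if new_limit < len(self.groups):         # e.g. 5 groups exist: cannot go below 5
            return False
        self.limit = new_limit
        return True

    def create(self, name, system_tags, threat_tags):
        """Create a group unless the limit is already reached."""
        if len(self.groups) >= self.limit:
            return False
        self.groups[name] = {"system_tags": set(system_tags),
                             "threat_tags": set(threat_tags), "history": []}
        return True

    def edit(self, name, system_tags, threat_tags):
        """Editing the criteria and saving is how an invalid group becomes valid again."""
        self.groups[name]["system_tags"] = set(system_tags)
        self.groups[name]["threat_tags"] = set(threat_tags)

    def is_valid(self, name):
        """A group is invalid once any tag its criteria reference no longer exists."""
        g = self.groups[name]
        return g["system_tags"] <= self.system_tags and g["threat_tags"] <= self.threat_tags

    def record_analysis(self, name, consolidated_risk_score):
        self.groups[name]["history"].append(consolidated_risk_score)

    def add_threat_tag(self, tag):
        self.threat_tags.add(tag)

    def delete_threat_tag(self, tag):
        """Deleting a tag drops the stored history of every group that referenced it."""
        self.threat_tags.discard(tag)
        for g in self.groups.values():
            if tag in g["threat_tags"]:
                g["history"].clear()


def demo():
    """Constructed walk-through of the rules; returns the observations as a dict."""
    store = ReportingGroupStore(known_system_tags={"Windows"}, known_threat_tags={"Adobe"})
    for i in range(5):
        store.create(f"group-{i}", {"Windows"}, {"Adobe"})
    out = {
        "default_limit": store.limit,
        "lower_below_existing": store.set_limit(4),    # 5 groups exist: rejected
        "raise_above_max": store.set_limit(51),        # above 50: rejected
        "raise_to_max": store.set_limit(50),           # accepted
    }
    store.record_analysis("group-0", 7.5)
    store.delete_threat_tag("Adobe")                   # group-0 now references a missing tag
    out["valid_after_tag_delete"] = store.is_valid("group-0")
    out["history_after_tag_delete"] = len(store.groups["group-0"]["history"])
    store.add_threat_tag("Adobe-Reader")
    store.edit("group-0", {"Windows"}, {"Adobe-Reader"})   # re-select valid criteria and save
    out["valid_after_edit"] = store.is_valid("group-0")
    return out
```

Running demo() shows the limit starting at 25, the rejected attempts to lower it to 4 with five groups present or to raise it past 50, and group-0 becoming invalid with its history cleared after the Adobe tag is deleted, then valid again once edited with a tag that exists.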

Create a reporting groupCreate a reporting group for a set of assets based on groups or tags, and threats based on tags.

Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, click Menu | Risk & Compliance | Reporting Groups.

2 In the Reporting Groups screen, click Actions | Risk Advisor | New Reporting Group.

The Details screen appears.

3 Type a name and description for the reporting group, then click Next.

The Selection Criteria screen appears.

4 In the Required Criteria for system, select System is in group or System is in group or sub group and browse to the group of systems required. To select assets based on their tags, click System Tag under Available Properties, then select an appropriate comparison parameter and a tag value. To add more tags, click + next to the tag criteria.

5 By default, all threats are selected. To select threats based on their tags, click Threat Tag under Available Properties, then select an appropriate comparison parameter and a tag value. To add more tags, click + next to the tag criteria.

6 Click Next.

7 Review the selected criteria and click Save to create the reporting group.

The reporting group based on the selected criteria is added to the Reporting Groups screen.

Edit a reporting group

Modify a reporting group to make necessary changes, when required.


Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, click Menu | Risk & Compliance | Reporting Groups.

2 In the Reporting Groups screen, select the reporting group to be modified, then click Actions | Risk Advisor | Edit Reporting Group.

The Details screen appears.

3 Make necessary changes to the reporting group name or description. Click Save to save the changes, or click Next to update selection criteria.

4 In the Selection Criteria step, make necessary changes as required. Click Save to save the changes, or click Next to view the Summary screen.

5 Review the selected criteria and click Save to update the reporting group.

Delete a reporting group

You can remove a reporting group from the list, as required.

Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, click Menu | Risk & Compliance | Reporting Groups.

2 In the Reporting Groups screen, select one or more reporting groups to be deleted, then click Actions | Risk Advisor | Delete Reporting Group.

3 In the Delete Reporting Group screen, click Yes to confirm.

Perform reporting group analysis

Configure and run the MRA: Reporting Group Analysis task to analyze data for each reporting group and calculate the consolidated risk score for reporting purposes.

Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, start the analysis task in one of these ways:

• Click Menu | Automation | Server Tasks, then click Run under actions for the MRA: Reporting Group Analysis task.

• Click Menu | Risk & Compliance | Reporting Groups. In the Reporting Groups screen, click Actions | Risk Advisor | Run Reporting Group.

Go to the Server Task Log to view the task status.

2 In the Reporting Groups page, view the reporting group analysis results, which include the total number of assets or threats, impacted assets, impacting threats, and consolidated risk score for each reporting group.


Rollup reporting

Rollup reporting allows you to generate reports on McAfee Risk Advisor analysis data from multiple ePolicy Orchestrator servers.

Tasks

• Perform rollup risk analysis on page 74
  Configure the MRA Rollup: Roll Up Risk Advisor Data task on the server that performs the multi-server rollup.

• Purge rollup risk analysis data on page 74
  For data maintenance, you can enable and schedule the MRA Rollup: Purge Rolled-Up Data task to purge the rollup reporting data.

Perform rollup risk analysis

Configure the MRA Rollup: Roll Up Risk Advisor Data task on the server that performs the multi-server rollup.

Before you begin

Register each ePolicy Orchestrator server with McAfee Risk Advisor installed that you want to include.

The server task retrieves McAfee Risk Advisor specific data from the rollup ePolicy Orchestrator servers and generates reports on the reporting server.

Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, click Menu | Automation | Server Tasks, then click Run under actions for the MRA Rollup: Roll Up Risk Advisor Data task.

2 In the Server Task Log screen, monitor the status of the task and view details about each action within the task.

Purge rollup risk analysis data

For data maintenance, you can enable and schedule the MRA Rollup: Purge Rolled-Up Data task to purge the rollup reporting data.

Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, click Menu | Automation | Server Tasks, then click Run under actions for the MRA Rollup: Purge Rolled-Up Data task.

2 In the Server Task Log screen, monitor the status of the task and view details about each action within the task.

Perform what-if risk analysis

Perform what-if risk analysis to view the possible changes in risk metrics if one or more countermeasures were installed.

Before you begin

You must have successfully run the MRA: Threat Coverage Analysis task at least once.


McAfee Risk Advisor computes the latest metrics by collating all the latest threat and asset data with their vulnerability statuses at that time. The What-if risk analysis assumes the selected countermeasures are present and re-calculates the risk scores.

All enabled threats and selected enabled assets are considered in the What-if risk analysis.

Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, click Menu | Reporting | Risk Metrics, then click the What if Risk Analysis tab.

2 In Available Properties, select a system group or System Tag to perform analysis on selected assets.

• To select a system group, select System is in group or System is in group or sub group, and browse to the group of systems required.

• To select assets based on their tags, click System Tag, then select an appropriate comparison parameter and a tag value. To add more tags, click + next to the tag criteria.

3 In Countermeasure Products, select the countermeasures that you want to add to the analysis, then click Add.

The countermeasure products that are already installed on at least one of the assets managed by the server are marked with *. However, if a server task is in progress, the system can't check for the installed countermeasure products.

4 The selected products are listed under Countermeasure Products Added. If you want to remove any product, select it from Countermeasure Products Added, then click Remove.

5 Click Apply and Analyze to start risk analysis, assuming the selected countermeasures are installed. To select the products again, click Reset.

• When the analysis is performed on a high volume of data, the system goes into in-progress mode. Go to the Server Task Log screen to view the task status, or click Refresh on this page to retrieve the latest status of the results.

• This analysis can't be performed simultaneously with any other McAfee Risk Advisor task. Go to the Server Task Log screen to view the status of other in-progress tasks. Run this analysis after the other McAfee Risk Advisor tasks are finished.

A report based on the What-if analysis appears with these details.

• Risk Score for selected assets — Risk score of the selected assets over all the threats.

• Risk Category — Risk category of the enterprise based on the Enterprise Risk Score for the data collected from the ePolicy Orchestrator server. Possible types include: High, Medium, and Low.

• Number of Threats To Mitigate — The number of threats to protect against.

Add to the analysis queue

Add the assets and threats to the analysis queue for analyzing all the latest data applicable to those assets and threats.

After the MRA: Threat Download and Analysis task is executed for the first time, subsequent analyses of assets are conducted only on those assets when their product attributes change, new products are added, or when new threats are downloaded. When you add assets and threats to the analysis queue, McAfee Risk Advisor analyzes all the latest data applicable to those assets and threats, regardless of whether there are any new updates to that data since the previous analysis.

Task

For option definitions, click ? in the interface.

1 Do one of the following in the ePolicy Orchestrator console:

• To add multiple assets to the analysis queue, select the assets in the System Tree. You can perform this task from some dashboard monitor pages; see the information about each monitor for details.

• To add a single asset to the analysis queue, do one of the following:

  • From the System Tree, select the asset.

  • Go to the System Details page of the asset.

• To add multiple threats to the analysis queue, select the threats in the Threats page. You can perform this task from some dashboard monitor pages; see the information about each monitor for details.

• To add a single threat to the analysis queue, do one of the following:

  • From the Threats page, select the threat.

  • Go to the Threat Details page of the threat.

Select only enabled threats or assets to add the selected threats or assets to the analysis queue. Even if you select a mix of enabled and disabled threats or click Select All, the disabled threats or assets are not considered for analysis.

2 Click Actions | Risk Advisor | Add to MRA Analysis Queue.

3 In the Add to MRA Analysis Queue screen, click Yes.

The threats or assets you selected are added to the McAfee Risk Advisor analysis queue.

Define enterprise risk category labels

McAfee Risk Advisor provides default settings for Enterprise Risk Category. You can modify these labels, their associated colors, and ranges to meet the needs of your organization.

Enterprise Risk Category can be used to identify your organization's risk level.

McAfee Risk Advisor uses these criticality labels and associated colors and ranges by default:

Criticality   Color             Range

High          Red               65–100 (more than 65 and equal to or less than 100)

Medium        Light Orange      35–65 (more than 35 and equal to or less than 65)

Low           Brownish Yellow   0–35 (equal to or below 35)

Make sure that you set the Enterprise Risk Categories in the range of 0 to 100. The minimum limit for the category Low starts from 0 and the maximum limit for the category High is 100.
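The default categories and the 0 to 100 constraint as executable logic, an added example in Python that is not part of the guide or of McAfee's software; the class and function names are the example's own. It classifies a score with the boundary semantics stated in the table (more than the lower limit, equal to or less than the upper limit, with Low alone including 0) and rejects a custom set of ranges that leaves a gap or does not run from 0 to 100.

```python
"""Enterprise Risk Category lookup, written as an added example for this guide
(not McAfee code). Labels, colors and ranges are the defaults from the table
above; the 0..100 contiguity rule is the one the guide states."""
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class RiskCategory:
    label: str
    color: str
    lower: float  # exclusive lower limit (inclusive for the lowest category only)
    upper: float  # inclusive upper limit


# Default categories exactly as listed in the guide.
DEFAULT_CATEGORIES = (
    RiskCategory("Low", "Brownish Yellow", 0, 35),
    RiskCategory("Medium", "Light Orange", 35, 65),
    RiskCategory("High", "Red", 65, 100),
)


def validate_categories(categories: Sequence[RiskCategory]) -> None:
    """Raise ValueError unless the categories form one contiguous 0..100 scale."""
    if not categories:
        raise ValueError("at least one category is required")
    ordered = sorted(categories, key=lambda c: c.lower)
    if ordered[0].lower != 0:
        raise ValueError("the lowest category must start at 0")
    if ordered[-1].upper != 100:
        raise ValueError("the highest category must end at 100")
    for cat in ordered:
        if cat.lower >= cat.upper:
            raise ValueError(f"category {cat.label!r} has an empty range")
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.lower != prev.upper:
            raise ValueError(
                f"gap or overlap between {prev.label!r} (ends {prev.upper}) "
                f"and {cur.label!r} (starts {cur.lower})")


def risk_category(score: float,
                  categories: Sequence[RiskCategory] = DEFAULT_CATEGORIES) -> RiskCategory:
    """Return the category for an Enterprise Risk Score in the range 0..100."""
    validate_categories(categories)
    if not 0 <= score <= 100:
        raise ValueError(f"score {score} is outside 0..100")
    ordered = sorted(categories, key=lambda c: c.lower)
    for index, cat in enumerate(ordered):
        # Only the lowest category includes its lower limit (0); every other
        # category starts strictly above the limit shared with its predecessor.
        above_lower = score >= cat.lower if index == 0 else score > cat.lower
        if above_lower and score <= cat.upper:
            return cat
    raise AssertionError("validated categories always cover 0..100")


def risk_label(score: float,
               categories: Sequence[RiskCategory] = DEFAULT_CATEGORIES) -> str:
    """Convenience wrapper returning just the label, e.g. 'Medium' for 50."""
    return risk_category(score, categories).label


if __name__ == "__main__":
    # Constructed sample scores, chosen to sit on and just past each boundary.
    for sample in (0, 35, 35.5, 65, 65.5, 100):
        cat = risk_category(sample)
        print(f"score {sample:>5}: {cat.label} ({cat.color})")
```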


Task

1 In the ePolicy Orchestrator console, click Menu | Configuration | Server Settings, then click Risk Advisor inthe Settings Categories list.

2 In the McAfee Risk Advisor settings, click Edit.

3 On the Edit Risk Advisor screen, click Modify against the label that you want to change under Enterprise Risk Category. Type the label you want to represent High, Medium, and Low Enterprise Risk Scores. Type the risk score limits and select a color to associate with each label from the choices provided.

For example, for Risk Category — High, type the label you want to apply to the highest Enterprise Risk Score range, then select an appropriate color.

4 Click Save.


8 Monitoring with dashboards and querying database

After you've performed the analysis based on your custom settings, generate reports to view the risk posture of your assets, threats, and enterprise. You do this using the McAfee Risk Advisor dashboard monitors and by querying the database.

Contents

Dashboards and monitors

Queries

Dashboards and monitors

Dashboards, which are made up of monitors, are an essential tool for managing your environment.

McAfee Risk Advisor provides these predefined dashboards:

• MRA: Threat Dashboard

• MRA: Threat Action Advisory Dashboard

• MRA Rollup: Risk Advisory Dashboard

• MRA: Security Bulletin Dashboard

To customize dashboards in ePolicy Orchestrator 4.5, click Dashboards | Options | New Dashboard | New Monitor, then select Risk Advisor from the Category list.

To customize dashboards in ePolicy Orchestrator 4.6, click Dashboards | Add Monitor, then select Risk Advisor from the Category list.

You can then select the monitor from the Monitor list. The monitors available in the McAfee Risk Advisor Category list are:

• MRA: Action Required Assets - By Asset Criticality

• MRA: Investigation Required Assets - By Asset Criticality

• MRA: Overall Asset Action Status

• MRA: Overall Asset Coverage Summary

• MRA: Overall Threat Asset Coverage Summary

• MRA: Top 10 Threats by Risk Score

• MRA Rollup: Overall Asset Action Status


The risk information available on the McAfee Risk Advisor dashboards can be used in various situations. For example, an administrator can recognize the assets that require immediate patch deployments using the Threat Action Advisory Dashboard monitors. The administrator can also prioritize patch deployments per their criticality.

For more information about creating and using dashboards, see ePolicy Orchestrator documentation.

If your environment has changed since the last time the MRA: Threat Download and Analysis task was executed (for example, a system was deleted from the System Tree), some data might be inaccurate. To resolve this, rerun the server task.

MRA: Threat Dashboard

This dashboard provides information about new threats, threats with the highest risk scores, assets with the highest risk scores, results of vendor and product risk analysis, and the overall risk summary of the assets on your network.

MRA: Most Recent Threats monitor

This monitor provides the list of recent threats from McAfee Threat Intelligence Services over a month.

Threats in this table are grouped by the date the threat information was released, starting with the most recent, then organized alphabetically by threat name.

Select a date or an individual threat to view more information. Selecting a date displays the MRA: Most Recent Threats page, which lists the threats modified on that date. If there is only one threat for a given date, that threat information is displayed when the date is selected. Selecting an individual threat displays the Threat Details page for that threat.

• Threat Name — Displays the name of the threat, including the Microsoft (MS) number when available.

• Severity — Displays the risk rating set by McAfee. This rating is calculated based on how easy it is to execute the threat, how popular the threat is, and the impact the threat could have. The scale ranges from 0 (lowest risk) to 10 (highest risk).

• Threat Last Modified in McAfee Labs — Displays the date and time the threat information was last modified.

• Attack Vector — Displays the point from which an attack could occur.

• Vendor — Displays the vendor affected by the threat.

• Vendor Rating — Displays the severity level of the threat as specified by the vendor, if provided. Each vendor's scoring system can be unique, so values displayed might vary. For example, some vendors use a numbering system (1–10), while others use labels ("Low," "Medium," "High").

• Basic Threat Score — Displays the CVSS Base Score set by McAfee.

• Actions — When selected, displays these actions: Add Note, Add to MRA Analysis Queue, Apply Tags, Change Analysis Status, Export Data, Import Threats From File, Manage Reporting Groups, Manage Tags, Mark Read, Mark Unread, Remove Tags.

• Select a row of data — Displays the Threat Details page.

MRA: Threats By Vendor monitor

This monitor provides a chart that displays a list of vendors with the number of threats associated with their products.

The vendors listed in this monitor include:

• Adobe

• Apple

• Cisco

• Microsoft

• Mozilla

• No Vendor Data

• Oracle

• Other

The Other category represents all other vendors as one pie slice.

Selecting an area of the chart displays the MRA: Threats By Vendor page, which lists the threats associated with the vendor you selected.

• Threat Name — Displays the name of the threat.

• Vendor — Displays the vendor affected by the threat.

• Severity — Displays the risk rating set by McAfee.

• Threat Information Source — Displays the source of the threat.

• Vendor Rating — Displays the severity level of the threat as specified by the vendor.

• Basic Threat Score — Displays the CVSS Base Score set by McAfee.

• Attack Vector — Displays the point from which an attack could occur.

• Threat Last Modified in McAfee Labs — Displays the date and time the threat information was last modified.

• Threat Created in McAfee Labs — Displays the date and time the threat information was created.

• Actions — When selected, displays these actions: Add Note, Add to MRA Analysis Queue, Apply Tags, Change Analysis Status, Export Data, Import Threats From File, Manage Reporting Groups, Manage Tags, Mark Read, Mark Unread, Remove Tags.

• Select a row of data — Displays the Threat Details page.

MRA: Top 10 Threats by Risk Score monitor

This monitor provides information about the top 10 threats with the highest Threat Risk Scores over all applicable assets.

This model considers assets with an overall status of Insufficient Data as Vulnerable.

Selecting a threat displays the Threat Details page, which provides detailed information about the threat, including threat details from McAfee Threat Intelligence Service and the threat risk information from McAfee Risk Advisor.

MRA: Top 10 Assets by Risk Score monitor

This monitor provides information about the top 10 assets with the highest Asset Risk Scores over all impacting threats.

This model considers assets with an overall status of Insufficient Data to be Vulnerable.

Selecting an asset displays the System Details page with asset risk information such as Asset Criticality,Asset Risk Score, and Threat Coverage Details.

MRA: Product Threat Protection monitor

This monitor provides a chart that displays the number of threats that each McAfee product can protect against and the number of threats for which patches exist. These numbers are based on the data imported from McAfee Threat Intelligence Service.

Selecting an area of the chart displays the MRA: Product Threat Protection page, which lists the threats that the selected McAfee product can protect against, or the threats for which patches exist.

• Threat Name — Displays the name of the threat.

• Threat Risk Score — Displays the average risk score of the threat against all applicable assets.

• Vector — Displays the point from which an attack could occur.

• Status — Displays whether current coverage exists for the threat.

• Attribute Name — Displays the name of the product attribute (for example, product version).

• Attribute Value — Displays the value of the product attribute (for example, product version number).

• Actions — When selected, displays these actions: Add Note, Add to MRA Analysis Queue, Apply Tags, Change Analysis Status, Export Data, Import Threats From File, Manage Reporting Groups, Manage Tags, Mark Read, Mark Unread, Remove Tags.

• Select a row of data — Displays the Threat Details page.

MRA: Overall Asset Coverage Summary monitor

This monitor displays information about the number of assets per their Overall Asset Coverage Summary Status: At Risk, Not At Risk, and Potentially At Risk.

An asset is:

• At Risk — If the threat applicability status is Applicable or Insufficient Data, and one of these is true:

  • Vulnerability detector status is Vulnerable and countermeasure status is Not Protected or Insufficient Data.

  • Vulnerability detector status is Insufficient Data and countermeasure status is Not Protected.

• Not At Risk — If one of these is true:

  • Threat applicability status is Not Applicable.

  • Vulnerability detector status is Not Vulnerable.

  • Countermeasure status is Protected.

• Potentially At Risk — If all of these are true:

  • Vulnerability detector status is Insufficient Data.

  • Countermeasure status is Insufficient Data.

  • Threat applicability status is Applicable or Insufficient Data.
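The three rules above as executable logic, an added example in Python that is not the guide's or McAfee's code; the status strings follow the guide, the function names are the example's own. Enumerating all 27 combinations of the three input statuses shows that the rules cover every case exactly once, provided the Not At Risk rule is evaluated first (a Vulnerable asset with a Protected countermeasure would otherwise match both).

```python
"""Overall Asset Coverage Summary status for one asset and one threat, written
as an added example for this guide (not McAfee code). It encodes the three
rules listed above and checks their coverage by enumeration."""
from itertools import product
from typing import Dict, Tuple

# Status vocabularies named in the guide's rules.
APPLICABILITY = ("Applicable", "Not Applicable", "Insufficient Data")
VULNERABILITY = ("Vulnerable", "Not Vulnerable", "Insufficient Data")
COUNTERMEASURE = ("Protected", "Not Protected", "Insufficient Data")

NOT_AT_RISK = "Not At Risk"
AT_RISK = "At Risk"
POTENTIALLY_AT_RISK = "Potentially At Risk"


def coverage_status(applicability: str, vulnerability: str, countermeasure: str) -> str:
    """Return the overall coverage status for one asset/threat pair."""
    if applicability not in APPLICABILITY:
        raise ValueError(f"unknown threat applicability status: {applicability!r}")
    if vulnerability not in VULNERABILITY:
        raise ValueError(f"unknown vulnerability detector status: {vulnerability!r}")
    if countermeasure not in COUNTERMEASURE:
        raise ValueError(f"unknown countermeasure status: {countermeasure!r}")

    # Not At Risk: any one of these three facts settles the result, so it is
    # checked first; this keeps the At Risk rule from also claiming a pair
    # such as Vulnerable + Protected.
    if (applicability == "Not Applicable"
            or vulnerability == "Not Vulnerable"
            or countermeasure == "Protected"):
        return NOT_AT_RISK

    # From here on the threat applies (Applicable or Insufficient Data), the
    # detector did not clear the asset, and no countermeasure is known to protect it.
    # At Risk: confirmed vulnerable with no known protection, or unknown
    # vulnerability status with a countermeasure known to be missing.
    if vulnerability == "Vulnerable" and countermeasure in ("Not Protected", "Insufficient Data"):
        return AT_RISK
    if vulnerability == "Insufficient Data" and countermeasure == "Not Protected":
        return AT_RISK

    # Potentially At Risk: every piece of evidence is inconclusive.
    if (vulnerability == "Insufficient Data"
            and countermeasure == "Insufficient Data"
            and applicability in ("Applicable", "Insufficient Data")):
        return POTENTIALLY_AT_RISK

    # The rules above cover all 27 combinations; reaching this line would mean
    # they were edited into an inconsistent state.
    raise AssertionError("coverage rules do not cover this combination")


def decision_table() -> Dict[Tuple[str, str, str], str]:
    """Evaluate every combination of the three input statuses (3 x 3 x 3 = 27)."""
    return {
        combo: coverage_status(*combo)
        for combo in product(APPLICABILITY, VULNERABILITY, COUNTERMEASURE)
    }


def status_counts() -> Dict[str, int]:
    """How many of the 27 combinations land in each overall status."""
    counts = {NOT_AT_RISK: 0, AT_RISK: 0, POTENTIALLY_AT_RISK: 0}
    for status in decision_table().values():
        counts[status] += 1
    return counts


if __name__ == "__main__":
    for (app, vul, cm), status in sorted(decision_table().items()):
        print(f"{app:18} {vul:18} {cm:18} -> {status}")
    print(status_counts())
```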

Selecting an area of the chart displays the MRA: Overall Threat Asset Coverage Summary page, which lists the assets with the selected overall status.

• System Name — Displays the name of the asset.

• Managed State — Displays whether the asset is managed by the ePolicy Orchestrator server.

• Analysis Status — Displays whether the asset is Enabled or Disabled.

• Criticality — Displays the criticality of the asset: Most Critical, Critical, High, Medium, or Low.

• Asset Risk Score — Displays the average risk score of the asset over all the impacting threats.

• Actionable Threat Count — Displays the number of threats applicable to the asset where an action needs to be taken. These are the threats for which the threat action status is: Immediate Action required, Investigation required, or Action Required But No Patch Available.

• No Immediate Action Required Threat Count — Displays the number of threats applicable to the asset where an action is not required or where action can be deferred. These are the threats for which the threat action status is: No Action required, Action can be deferred, or Not applicable.

• Actions — When selected, displays these actions: Add to MRA Analysis Queue, Assign Criticality to Assets, Change Analysis Status, Create Issue, Manage Reporting Groups, NSP Countermeasure Declaration, NSP Countermeasure Removal, Override NSP Countermeasure Status, Remove NSP Countermeasure Override.

• Select a row of data — Displays the System Details page.

• Select a value under Actionable Threat Count — Displays the Actionable Threat Count page.

• Select a value under No Immediate Action Required Threat Count — Displays the No Immediate Action Required Threat Count page.

MRA: Threat Action Advisory Dashboard

This dashboard provides information about recommended actions that you can take against the threats that affect your environment.

For the monitors that are organized by asset criticality, only criticality labels that have been applied to assets are displayed.

These queries, predefined by McAfee Risk Advisor, can also be added as monitors:

• MRA: Most Critical Assets That Require Action But No Patch Available

• MRA: Most Critical Assets That Require Immediate Action

MRA: Threats with Available Patches monitor

This monitor provides a chart that displays the number of threats for which patch information is available and not available.

Available options are:

• Yes — Threats for which patches are available.

• No — Threats for which patches are not available.

Selecting an area of the chart displays the MRA: Threats with Available Patches page, which lists the threats with the selected patch availability status.

• McAfee Threat ID — Displays the McAfee ID associated with the threat.

• Threat Name — Displays the name of the threat.

• Assets Impacted — Displays the number of assets to which the threat is applicable and assets that are vulnerable to the threat.

• Threat Risk Score — Displays the average risk score of the threat against all applicable assets.

• Actions — When selected, displays these actions: Add Note, Add to MRA Analysis Queue, Apply Tags, Change Analysis Status, Export Data, Import Threats From File, Manage Reporting Groups, Manage Tags, Mark Read, Mark Unread, Remove Tags.

• Select a row of data — Displays the Threat Details page.

MRA: Overall Asset Action Status monitor

This monitor displays a chart about the number of assets per their Overall Asset Action Status.

The monitor displays the number of assets under these categories:

• Action Required — Assets on which preventive action is required.

• Investigation Required — Assets for which sufficient data is not available to determine their patching status.

• No Action Required — Assets on which no preventive effort is required.

Selecting an area of the chart displays the MRA: Overall Asset Action Status page, which lists the assets with the selected overall action status.

• System Name — Displays the name of the asset.

• Managed State — Displays whether the asset is managed by the ePolicy Orchestrator server.

• Criticality — Displays the level of criticality of the asset.

• Asset Risk Category — Displays the risk category of the asset based on the Asset Risk Score.

• Asset Risk Status — Displays the risk status of the asset: At Risk, Not At Risk, or Potentially At Risk.

• Asset Risk Score — Displays the average risk score of the asset over all the impacting threats.

• Actionable Threat Count — Displays the number of threats applicable to the asset where an action needs to be taken.

• No Immediate Action Required Threat Count — Displays the number of threats applicable to the asset where an action is not required or where action can be deferred.

• Actions — When selected, displays these actions: Add to MRA Analysis Queue, Assign Criticality to Assets, Change Analysis Status, Create Issue, Manage Reporting Groups, NSP Countermeasure Declaration, NSP Countermeasure Removal, Override NSP Countermeasure Status, Remove NSP Countermeasure Override.

• Select a row of data — Displays the System Details page.

• Select a value under Actionable Threat Count — Displays the Actionable Threat Count page.

• Select a value under No Immediate Action Required Threat Count — Displays the No Immediate Action Required Threat Count page.

MRA: Action Required Assets: By Asset Criticality monitor

This monitor provides a chart that displays, per criticality level, the number of assets that require immediate action to be taken.

Selecting an area of the chart displays the MRA: Action Required Assets - By Asset Criticality page, which lists the assets with the selected criticality that require immediate action to be taken.

• System Name — Displays the name of the asset.

• Managed State — Displays whether the asset is managed by the ePolicy Orchestrator server.

• Analysis Status — Displays whether the asset is enabled or disabled for analysis.

• Asset Risk Category — Displays the risk category of the asset based on the Asset Risk Score.

• Asset Risk Status — Displays the risk status of the asset: At Risk, Not At Risk, or Potentially At Risk.

• Asset Risk Score — Displays the average risk score of the asset over all the impacting threats.

• Actionable Threat Count — Displays the number of threats applicable to the asset where an action needs to be taken.

• No Immediate Action Required Threat Count — Displays the number of threats applicable to the asset where an action is not required or where action can be deferred.

• Actions — When selected, displays these actions: Add to MRA Analysis Queue, Assign Criticality to Assets, Change Analysis Status, Create Issue, Manage Reporting Groups, NSP Countermeasure Declaration, NSP Countermeasure Removal, Override NSP Countermeasure Status, Remove NSP Countermeasure Override.

• Select a row of data — Displays the System Details page.

• Select a value under Actionable Threat Count — Displays the Actionable Threat Count page for the selected system.

• Select a value under No Action Required Threat Count — Displays the No Action Required Threat Count page for the selected system.


MRA: Investigation Required Assets: By Asset Criticality monitor

This monitor displays a chart about the number of assets, per criticality level, that require further investigation to determine their risk status.

Selecting an area of the chart displays the MRA: Investigation Required Assets - By Asset Criticality page, which lists the assets with the selected criticality level and the risk status Investigation Required.

• System Name — Displays the name of the asset.

• Managed State — Displays whether the asset is managed by the ePolicy Orchestrator server.

• Analysis Status — Displays whether the threat is Enabled or Disabled for analysis.

• Asset Risk Category — Displays the risk category of the asset based on the Asset Risk Score.

• Asset Risk Status — Displays the risk status of the asset: At Risk, Not At Risk, or Potentially At Risk.

• Asset Risk Score — Displays the average risk score of the asset over all the impacting threats.

• Actionable Threat Count — Displays the number of threats applicable to the asset where an action needs to be taken.

• No Immediate Action Required Threat Count — Displays the number of threats applicable to the asset where an action is not required or where action can be deferred.

• Actions — When selected, displays these actions: Add to MRA Analysis Queue, Assign Criticality to Assets, Change Analysis Status, Create Issue, Manage Reporting Groups, NSP Countermeasure Declaration, NSP Countermeasure Removal, Override NSP Countermeasure Status, Remove NSP Countermeasure Override.

• Select a row of data — Displays the System Details page.

• Select a value under Actionable Threat Count — Displays the Actionable Threat Count page for the selected system.

• Select a value under No Action Required Threat Count — Displays the No Action Required Threat Count page for the selected system.

MRA Rollup: Risk Advisory Dashboard

This dashboard provides rollup risk analysis reports of consolidated data from all the registered ePolicy Orchestrator servers.

MRA Rollup: Server Risk Score Trend monitor

This monitor provides information about the variations in the average risk scores of assets on each server for the recent month.

The monitor displays a multi-line chart representing the change in Server Risk Score trends of each registered server used in rollup reporting.

Selecting an area of the graph displays the MRA Rollup: Server Risk Score Trend page, which lists the enterprise risk trends for the selected server.


Option Definition

Server Risk Score Displays the risk score of all the assets on the server over all the threats.

Server Risk Category Displays the risk category based on the risk score of the selected server.

At Risk Asset Count Displays the number of assets on the server that are At Risk.

High Risk Category Asset Count Displays the number of assets on the server that are under the High risk category.

Action Required Asset Count Displays the number of assets on the server that require some action to be performed.

Enabled Assets Displays the number of assets on the server that are enabled for McAfee Risk Advisor analysis.

Enabled Threats Displays the number of threats on the server that are enabled for McAfee Risk Advisor analysis.

Calculated Time Displays the time at which the report was generated.

Select a row of data Displays the Rolled-up Servers Details page.

MRA Rollup: Overall Asset Action Status monitor

This monitor displays a chart about the number of assets across servers per their Overall Asset Action Status: Action Required, Investigation Required, and No Action Required.

Selecting an area of the chart displays the MRA Rollup: Overall Asset Action Status page, which lists the servers that have the assets with the selected action status.

Option Definition

Server Name Displays the name of the server.

Assets Count Displays the number of assets on the server with the selected Overall Asset Action Status.

Select a row of data Displays the Rolled-up Servers Details page.

MRA Rollup: Overall Asset Coverage Summary monitor

This monitor displays information about the number of assets across servers per their Overall Asset Coverage Summary Status: At Risk, Not At Risk, and Potentially At Risk.

Selecting an area of the chart displays the MRA Rollup: Overall Threat Asset Coverage Summary page, which lists the servers managing the assets with the selected overall risk status.

Option Definition

Server Name Displays the name of the server.

Assets Count Displays the number of assets on the server that have the selected Overall Asset Coverage Summary Status.

Select a row of data Displays the Rolled-up Servers Details page.

MRA Rollup: Overall Enterprise Risk Status monitor

This monitor provides information about the overall enterprise risk status by representing a chart that displays the number of servers per their Server Risk Category: Low, Medium and High.

Selecting an area of the chart displays the MRA Rollup: Overall Enterprise Risk Status page, which displays the list of servers with the selected Server Risk Category.


Option Definition

Server Name Displays the name of the server.

Server Risk Score Displays the risk score of all the assets on the server over all the threats.

Server Risk Category Displays the enterprise risk category based on the enterprise risk score of the selected server.

At Risk Asset Count Displays the number of assets on the server that are At Risk.

High Risk Category Asset Count Displays the number of assets on the server that fall under the High risk category.

Action Required Asset Count Displays the number of assets on the server that require some action to be performed.

Enabled Assets Displays the number of assets whose status is set to Enabled in the server.

Enabled Threats Displays the number of threats whose status is set to Enabled in the server.

Calculated Time Displays the time at which the report was generated.

MRA Rollup: Overall Enterprise Risk Score Trend monitor

This monitor provides information about the variations of Overall Enterprise Risk Score across servers for the recent month.

The monitor displays a single-line chart representing the aggregated Enterprise Risk Score of all the registered servers used in rollup reporting.

Selecting an area of the graph displays the Rolled-Up Enterprise Risk Metrics Details page, which lists the overall enterprise risk trends for the selected time unit.

Option Definition

Overall Enterprise Risk Score Displays the overall risk score of all the assets over all the threats across servers.

Calculated Time Displays the time at which the report was generated.

Enabled Assets Displays the number of assets on the server that are enabled for McAfee Risk Advisor analysis.

Enabled Threats Displays the number of threats in the server database that are enabled for McAfee Risk Advisor analysis.

Overall Enterprise Risk Category Displays the overall enterprise risk category based on the overall enterprise risk score.

At Risk Asset Count Displays the number of assets on the server that are At Risk.

Potentially At Risk Asset Count Displays the number of assets on the server that are Potentially At Risk.

Not At Risk Asset Count Displays the number of assets on the server that are Not At Risk.

Low Risk Category Asset Count Displays the number of assets on the server that fall in the Low risk category.

Medium Risk Category Asset Count Displays the number of assets on the server that fall in the Medium risk category.

High Risk Category Asset Count Displays the number of assets on the server that fall in the High risk category.

MRA Rollup: Top 10 Threats Across Servers monitor

This monitor provides information about the top 10 severe or indeterminate threats that have the highest risk score across servers.

Selecting a threat displays the Rolled-Up Threat Details page, which provides rollup information about the threat.


MRA: Security Bulletin Dashboard

This dashboard provides information about the trends of Microsoft Patch Tuesday threats impacting the assets in your environment.

MRA Patch Report: Microsoft Patch Tuesday Threats Trend monitor

This monitor provides a chart that displays the Microsoft Patch Tuesday threats trend based on the number of latest threats over the last six months.

Selecting a month displays the MRA Patch Report: Microsoft Patch Tuesday Threats Trend page, listing the threats released over the month.

Option Definition

Threat Name Displays the name of the Patch Tuesday threat.

Attack Vector Displays the point from which an attack could occur.

Vendor Rating Displays the severity level of the threat specified by Microsoft.

Security Bulletin Value Displays the Microsoft Security Bulletin (MS) number.

Release Date Displays the date and time when the threat information was released.

Threat Risk Score Displays the average risk score of the threat against all applicable assets.

At Risk Asset Count Displays the number of assets that are at risk due to the threat.

Actions When selected, displays these actions:

• Add Note

• Add to MRA Analysis Queue

• Apply Tags

• Change Analysis Status

• Export Data

• Import Threats From File

• Manage Reporting Groups

• Manage Tags

• Mark Read

• Mark Unread

• Remove Tags

MRA Patch Report: Risk Score for System Groups across Patch Tuesday Threats monitor

This monitor provides a chart that displays the aggregated risk score of system groups over the latest Microsoft Patch Tuesday threats.

Selecting a reporting group displays the MRA Patch Tuesday: Risk Score for System Groups across Patch Tuesday Threats page, providing a detailed report of Microsoft Patch Tuesday threats of each asset in the selected reporting group.

Option Definition

Threat Name Displays the name of the Patch Tuesday threat.

System Name Displays the name of the asset to which the threat is applicable.

Criticality Displays the criticality of the asset.

Risk Score Displays the risk score of the asset against the threat.

Countermeasure Status Displays the countermeasure status of the asset for the threat.

Security Bulletin Value Displays the Microsoft Security Bulletin (MS) number.


Release Date Displays the date and time when the threat information was released.

Actions When selected, displays these actions:

• Add to MRA Analysis Queue

• Assign Criticality to Assets

• Change Analysis Status

• Create Issue

• Manage Reporting Groups

• NSP Countermeasure Declaration

• NSP Countermeasure Removal

• Override NSP Countermeasure Status

• Remove NSP Countermeasure Override

MRA Patch Report: Assets at Risk from Patch Tuesday Threats by Criticality monitor

This monitor provides a chart that displays the assets, grouped by their criticality, that are at risk from Patch Tuesday threats released over the last three months.

Selecting an area of the graph displays the MRA Patch Report: Assets at Risk from Patch Tuesday by Criticality page, which provides a detailed report of Microsoft Patch Tuesday threats of each asset for the selected month for all the criticality levels or a particular criticality.

Option Definition

Threat Name Displays the name of the Patch Tuesday threat.

System Name Displays the name of the asset to which the threat is applicable.

Criticality Displays the criticality of the asset.

Risk Score Displays the risk score of the asset against the threat.

Countermeasure Status Displays the countermeasure status of the asset for the threat.

Security Bulletin Value Displays the Microsoft Security Bulletin (MS) number.

Release Date Displays the date and time when the threat information was released.

Actions When selected, displays these actions:

• Add to MRA Analysis Queue

• Assign Criticality to Assets

• Change Analysis Status

• Create Issue

• Manage Reporting Groups

• NSP Countermeasure Declaration

• NSP Countermeasure Removal

• Override NSP Countermeasure Status

• Remove NSP Countermeasure Override

MRA Patch Report: Assets at Risk from Patch Tuesday Threats by System Group monitor

This monitor provides a chart that displays the assets, grouped by their reporting groups, that are at risk from Patch Tuesday threats released over the last three months.

Selecting an area of the graph displays the MRA Patch Report: Assets at Risk from Patch Tuesday by Criticality page, which provides a detailed report of Microsoft Patch Tuesday threats over each asset for the selected reporting group for all the three months or a particular month.

Option Definition

Threat Name Displays the name of the Patch Tuesday threat.

System Name Displays the name of the asset to which the threat is applicable.

Criticality Displays the criticality of the asset.


Risk Score Displays the risk score of the asset against the threat.

Countermeasure Status Displays the countermeasure status of the asset for the threat.

Security Bulletin Value Displays the Microsoft Security Bulletin (MS) number.

Release Date Displays the date and time when the threat information was released.

Actions When selected, displays these actions:

• Add to MRA Analysis Queue

• Assign Criticality to Assets

• Change Analysis Status

• Create Issue

• Manage Reporting Groups

• NSP Countermeasure Declaration

• NSP Countermeasure Removal

• Override NSP Countermeasure Status

• Remove NSP Countermeasure Override

Queries

McAfee Risk Advisor includes query functionality through ePolicy Orchestrator.

You can:

• Create queries from events and properties stored in the database, or use predefined queries.

• Produce queries for a group of selected systems, or limit results by product or system criteria.

• Export results into a variety of file formats, including HTML, PDF and Microsoft Excel.

Predefined queries

McAfee Risk Advisor includes predefined queries that you can use as-is, or you can edit them to obtain only the information you need.

To access these queries, go to the Queries & Reports screen in the ePolicy Orchestrator console, then click the required McAfee Risk Advisor query group.

McAfee Risk Advisor provides these predefined queries:

Group Predefined Query Definition

Application Inventory

Inventory of All Applications Retrieves the list of applications installed on all the assets.

Inventory of Applications on each Asset Retrieves the list of applications installed on each asset.

Top 10 Applications on Desktop Retrieves the top 10 applications installed on desktops.

Top 10 Applications on Server Retrieves the top 10 applications installed on servers.

Risk Advisor

MRA Patch Report: Adobe Security Bulletin Threats Retrieves information about the Adobe security bulletin threats.

MRA Patch Report: Adobe Security Bulletin Threats by Security Bulletin Retrieves information about the threats that can be mitigated by Adobe security bulletins.

MRA Patch Report: Adobe Security Bulletin Threats Exploitability Index Retrieves information about the exploitability index for Adobe security bulletin threats.


MRA Patch Report: Adobe Security Bulletin Threats Trend Retrieves information about the Adobe security bulletin threats released in the last three months.

MRA Patch Report: Assets at Risk from Patch Tuesday Threats by Criticality Retrieves information about the assets in a criticality level that are at risk from Patch Tuesday threats released over the last three months.

MRA Patch Report: Assets at Risk from Patch Tuesday Threats by System Group Retrieves information about the assets in a system group that are at risk from Patch Tuesday threats released in the last three months.

MRA Patch Report: Microsoft Patch Tuesday Threats Retrieves information about the Microsoft Patch Tuesday threats.

MRA Patch Report: Microsoft Patch Tuesday Threats by Security Bulletin Retrieves information about the Microsoft Patch Tuesday threats that can be mitigated by Security Bulletins.

MRA Patch Report: Microsoft Patch Tuesday Threats Exploitability Index Retrieves the exploitability index for Microsoft Patch Tuesday threats.

MRA Patch Report: Microsoft Patch Tuesday Threats Trend Retrieves information about the latest Microsoft Patch Tuesday threats released over the last six months.

MRA Patch Report: Risk Score for Systems Groups across Patch Tuesday Threats Retrieves information about the aggregated risk score of system groups over the latest Microsoft Patch Tuesday threats.

MRA: Enterprise Risk Score Trend Retrieves information about the average of Enterprise Risk Score over a period of time.

MRA: Expired Suppressions Retrieves the average of Enterprise Risk Score over a period of time.

MRA: In Effect Suppressions Retrieves the list of suppressions that are in-effect.

MRA: List of Assets at High Risk Retrieves information about the assets that have Risk Category as High.

MRA: List of Threats with Maximum Risk Score Retrieves information about the threats with maximum risk score (greater than 65).

MRA: Most Critical Assets protected by Countermeasures Retrieves information about the most critical assets that are protected by countermeasures.

MRA: Most Critical Assets That Require Action But No Patch Available Retrieves information about the most critical assets that require action, but for which no patch is available.

MRA: Most Critical Assets That Require Immediate Action Retrieves information about the most critical assets that require immediate action.

MRA: Most Critical assets vulnerable to a high severity threat Retrieves information about the most critical assets vulnerable to a threat with severity >= 8.

MRA: Most Recent Threats* Retrieves information about the most recent threats grouped by date.

MRA: Overall Threat Asset Coverage Retrieves information about the breakup of threat-asset combinations into different coverage states.

MRA: Product Threat Protection* Retrieves information about the number of threats a product protects against and how a product mitigates threats.


MRA: Reporting Group's Consolidated Risk Score History Retrieves information about the reporting group's trends based on Consolidated Risk Score.

MRA: Threats By Vendor* Retrieves information about the threats related to each vendor.

MRA: Threats with Available Patches* Retrieves information about the patch availability for every threat.

MRA: Top 10 Assets by Risk Score* Retrieves information about the top 10 vulnerable or indeterminate assets that have the highest risk scores against all impacting threats.

MRA: Top 10 Assets for all Reporting Groups based on Risk Score Retrieves the top 10 assets for all reporting groups based on their risk scores.

MRA: Top 10 Prevalent Applications Across Threats Retrieves the top 10 prevalent applications across threats.

MRA: Top 10 Reporting Groups based on Consolidated Risk Score Retrieves information about the top 10 reporting groups based on Consolidated Risk Score.

MRA: Top 10 Threats by Risk Score* Retrieves information about the top 10 threats that have the highest risk scores over all applicable assets.

MRA: Top 10 Threats for all Reporting Groups based on Risk Score Retrieves the top 10 threats for all reporting groups based on risk score.

MRA: Upcoming Suppressions Retrieves the list of suppressions that are scheduled to be in-effect.

MRA: Weekly Report of Asset Vulnerability Status Retrieves a weekly report of overall asset vulnerability status for threats published or downloaded in that week.

Risk Advisor NSP

MRA: NSP Alerts Retrieves information about the latest 20,000 McAfee Network Security Platform alerts.

MRA: NSP Sensor-Port-Policy with Attacks set to block Retrieves information about the blocked attacks for every McAfee Network Security Platform sensor, port, and policy association.

MRA: NSP System Attack Coverage Retrieves information about the attacks for every McAfee Network Security Platform sensor, port, and policy association for each system.

MRA: NSP System Coverage Retrieves information about the sensor, port, and policy association for the systems covered by McAfee Network Security Platform.

MRA: Systems Not Protected by NSP Retrieves information about the assets that are not protected by McAfee Network Security Platform.

Risk Advisor Rollup

MRA Rollup: Server Risk Score Trend Retrieves information about the variations in Server Risk Scores over time.

MRA Rollup: Overall Enterprise Risk Score Trend* Retrieves information about the variations in Overall Enterprise Risk Score over time.


MRA Rollup: Overall Enterprise Risk Status* Retrieves information about the breakup of registered servers for each Enterprise Risk Category.

MRA Rollup: Top 10 Threats Across Servers* Retrieves information about the top 10 severe or indeterminate threats that have the highest risk score across servers.

* These queries are included as monitors in the predefined McAfee Risk Advisor dashboards. You can add the other predefined queries to these dashboards as well.

Custom queries

You can create custom McAfee Risk Advisor queries with the Query Builder wizard.

McAfee Risk Advisor provides these custom queries and query result types:

Group Query Result Type Definition

Application Inventory

Applications Retrieves information about the applications installed on assets.

Risk Advisor Roll-up Targets

Overall Enterprise Risk Metrics Retrieves information about the overall enterprise risk metrics calculated using the rolled up McAfee Risk Advisor data.

Risk Advisor Rolled-Up Servers Retrieves information about the last aggregated McAfee Risk Advisor data across servers. (Required task: MRA Rollup: Roll up Risk Advisor Data with Data Type set to Risk Advisor Data)

Risk Advisor Rolled-Up Servers History Retrieves information about aggregated McAfee Risk Advisor data across servers. (Required task: MRA Rollup: Roll up Risk Advisor Data with Data Type set to Risk Advisor Data)

Rolled-Up Threats Retrieves information about threat data across servers. (Required task: MRA Rollup: Roll up Risk Advisor Data with Data Type set to Risk Advisor Threat Data or Risk Advisor Threat Risk Metrics)

Risk Advisor

Asset Countermeasure Retrieves information about the countermeasures available on Assets.

Enterprise Risk Score Retrieves information about overall Enterprise Risk Score.

NSP Alerts Retrieves information about McAfee Network Security Platform alerts.

NSP Asset Associations Retrieves information about McAfee Network Security Platform asset associations.

NSP Attacks Retrieves information about McAfee Network Security Platform attacks.

NSP Interfaces Retrieves information about McAfee Network Security Platform interfaces.

NSP Policies Retrieves information about McAfee Network Security Platform policies.

NSP Sensor-Port-Policy Attack Configuration Retrieves information about the attacks for every McAfee Network Security Platform sensor, port, and policy association.

NSP Sensor Ports Retrieves information about McAfee Network Security Platform sensor ports.


NSP Sensors Retrieves information about McAfee Network Security Platform sensors.

NSP System Association Retrieves information about the sensor, port, and policy association for the systems covered by McAfee Network Security Platform.

NSP Threat Asset Protection Retrieves information about the countermeasure protection status for threat-asset combinations.

Reporting Group Analysis Results History Retrieves information about analysis results of reporting groups.

Reporting Group Asset Risk Metrics Retrieves information about the asset risk metrics of reporting groups.

Reporting Groups Retrieves information about the reporting groups created.

Reporting Group Threat Risk Metrics Retrieves information about the threat risk metrics of reporting groups.

Security Bulletin Threat Asset Coverage Retrieves information about asset coverage for security bulletin threats.

Security Bulletin Threats Retrieves information about the threats that can be mitigated using security bulletins.

Threat Affected Software Retrieves information about the software affected by threats.

Threat Asset Countermeasure Retrieves information about countermeasures used in the threat-asset coverage analysis.

Threat Asset Coverage Retrieves information about asset coverage for threats.

Threat Asset Vulnerability Retrieves information about vulnerabilities used in the threat-asset coverage analysis.

Threat Compliance Technology Document Retrieves information about threat compliance technology documents.

Threat CVSS Retrieves information about threat CVSS values.

Threat Disclosure Retrieves information about the threat disclosures.

Threat Notes Retrieves information about the notes added to threats.

Threat Port Retrieves information about the ports affected by threats.

Threat Product Retrieves information about countermeasures and detectors declared in the threats.

Threat Product Attribute Retrieves information about the attributes of countermeasures and detectors declared in the threats.

Threat Security Dictionary Retrieves information about the threat security dictionary.

Threat Retrieves information about threats and their related entities.


User Defined Countermeasures Retrieves information about the user defined countermeasures.

What-if Risk Metrics Retrieves information about the What-if risk metrics.


9 Viewing reports

Reports, which consist of preconfigured charts and tables, provide information about the latest threats and how they affect your environment.

Table reports offer broader views of your environment from which you can drill down to view more detailed information about a specific threat or asset. Some reports offer additional actions such as filtering or adding a threat note.

Contents

Report navigation
Advanced filters
Server Risk Metrics tab
Asset-centric report
Threat-centric reports
Threat-asset centric reports
Action-centric reports
Rollup server reports
What-if Risk Analysis tab
Vulnerability-centric reports
Countermeasure-centric reports
Risk analysis exceptions
Reporting groups

Report navigation

You can view reports predefined by McAfee Risk Advisor by drilling down on data in dashboard monitors and in other reports.

This section presents how to access the McAfee Risk Advisor reports by drilling down on data in the Threats page or the System Tree. Some of these reports can also be accessed by drilling down on data in the dashboard monitors and other reports. See the information about each monitor and report for details.

Task

• In the ePolicy Orchestrator console, do one of the following:


To access this page... Do this...

Actionable Threat Count Do one of the following:

• Click Menu | Reporting | Dashboards | MRA: Threat Dashboard, and click a pie-chart section under the MRA: Overall Asset Coverage Summary monitor. Then select a value for Actionable Threat Count for any asset to view a list of actionable threats for the selected asset.

• Click Menu | Reporting | Dashboards | MRA: Threat Action Advisory Dashboard, and click a value under the MRA: Overall Asset Action Status, MRA: Action Required Assets - By Asset Criticality, or MRA: Investigation Required Assets - By Asset Criticality monitors. Then select a value for Actionable Threat Count for any asset to view a list of actionable threats for the selected asset.

Assets Having Maximum Risk Score Click Menu | Reporting | Risk Metrics | Server Risk Metrics | Threats tab, then click the value for Max Risk Score for a particular threat.

Assets Impacted Click Menu | Reporting | Risk Metrics | Server Risk Metrics | Threats, then click the value for Assets Impacted for a particular threat.

Threats Click Menu | Risk & Compliance | Threats.

Threat Details Go to the Threats page, then select a threat.

How Am I at Risk? Go to the Threat Details page, then select an area on the Risk Details chart.

Impacting Threats Click Menu | Reporting | Risk Metrics | Server Risk Metrics | Assets tab, then click the value for Impacting Threat Count for a particular asset.

No Immediate Action Required Threat Count Do one of the following:

• Click Menu | Reporting | Dashboards | MRA: Threat Dashboard, and click a value under the MRA: Overall Asset Coverage Summary monitor. Then select a value for No Immediate Action Required Threat Count for an asset.

• Click Menu | Reporting | Dashboards | MRA: Threat Action Advisory Dashboard, and click a value under the MRA: Overall Asset Action Status, MRA: Action Required Assets - By Asset Criticality, or MRA: Investigation Required Assets - By Asset Criticality monitors. Then select a value for No Immediate Action Required Threat Count for an asset.

Risk Advisor sections of the System Details Go to the System Details page, then scroll down to the Risk Advisor Threat Coverage section.

Server Risk Metrics Click Menu | Reporting | Risk Metrics, then click Server Risk Metrics tab.

What-if Risk Analysis Click Menu | Reporting | Risk Metrics, then click What-if Risk Analysis tab.

Rolled-Up Risk Metrics Click Menu | Reporting | Risk Metrics, then click Rolled-Up Risk Metrics tab.

Rolled-Up Enterprise Risk Metrics Click Menu | Reporting | Risk Metrics | Rolled-Up - Risk Metrics.

Rolled-Up Servers Details Click Menu | Reporting | Risk Metrics | Rolled-Up - Risk Metrics | Servers tab, then select a row from the servers list.

Rolled-Up Threat Details Click Menu | Reporting | Risk Metrics | Rolled-Up - Risk Metrics | Threats tab, then select a row from the threats list.

System Details Select a system from the System Tree or from a query result table that displays a list of assets.

What Threat Actions Required? Go to the Threat Details page, then select a pie-chart section under the Action Details chart.

Where Am I at Risk? Go to the Threat Details page, then select a pie-chart section under the Risk Summary chart.


Threat Asset Coverage Go to the Risk Advisor section of the System Details page, then click View all Threats Coverage Status Information for this system.

Threat Asset Coverage Details Do one of the following:

• Go to the Threat Asset Coverage page, then select a system.

• Go to the Where Am I at Risk? page, the How Am I at Risk? page, or the What Threat Actions Required? page, then select a system.

Threats Having Maximum Risk Score Click Menu | Reporting | Risk Metrics | Server Risk Metrics | Assets tab, then select a value for Max Risk Score for a particular asset.

Reporting Groups Click Menu | Risk & Compliance | Reporting Groups.

Reporting Group Details Go to the Reporting Groups page, then click a row.

Risk Advisor reports Click Menu | Reporting | Risk Advisor reports.

Countermeasure-centric report Click Menu | Reporting | Risk Advisor reports | Countermeasure Centric Report tab.

Vulnerability-centric report Click Menu | Reporting | Risk Advisor reports | Vulnerability Centric Report tab.

Assets protected by countermeasure Go to the Countermeasure Centric Report page, then select a value under Protected Assets.

Assets not protected by countermeasure Go to the Countermeasure Centric Report page, then select a value under Not Protected Assets.

Threat Coverage Go to the Countermeasure Centric Report page, then select a value under Threat Coverage.

Vulnerabilities that can be mitigated by countermeasure Go to the Countermeasure Centric Report page, then select a value under Vulnerability Coverage.

Assets vulnerable to a Vulnerability ID Go to the Vulnerability Centric Report page, then select a value under Vulnerable Assets.

Assets not vulnerable to a Vulnerability ID Go to the Vulnerability Centric Report page, then select a value under Not Vulnerable Assets.

Threats that exploit a vulnerability Go to the Vulnerability Centric Report page, then select a value under Exploiting Threats.

Risk Analysis Exceptions Click Menu | Risk & Compliance | Risk Analysis Exceptions.

User Defined Countermeasures Go to the Risk Analysis Exceptions page, then click the User Defined Countermeasures tab.

Countermeasure Declaration Go to the Risk Analysis Exceptions page, then click the Countermeasure Declarations tab.

Suppressions Go to the Risk Analysis Exceptions page, then click the Suppressions tab.

User Defined Countermeasure Details Do one of the following:

• Go to the Risk Analysis Exceptions page, then click the User Defined Countermeasures tab. Click a row.

• Go to the Risk Analysis Exceptions page, then click the Countermeasure Declarations tab. Click a row, then click Go to related User Defined Countermeasure.

Countermeasure Declaration Details Do one of the following:

• Go to the Risk Analysis Exceptions page, then click the Countermeasure Declarations tab. Click a row.

• Go to the Risk Analysis Exceptions page, then click the User Defined Countermeasures tab. Select a value under Countermeasure Declarations.

Suppression Details Go to the Suppressions page, then click a row.


Suppressed Assets: Go to the Server Risk Metrics page, click the Threats tab, then select a value under Suppressed Asset Count.

Suppressed Threats: Go to the Server Risk Metrics page, click the Assets tab, then select a value under Suppressed Threat Count.

Advanced filters

The advanced filter options on threat-centric and asset-centric pages allow you to configure criteria to filter the table data.

In ePolicy Orchestrator 4.6, select Add under Custom from a reporting page listing assets or threats. In ePolicy Orchestrator 4.5, click Advanced Filters from a reporting page listing assets or threats.

The filters listed under Available Properties vary based on the products installed on your ePolicy Orchestrator server.

Asset-centric report filters

The following advanced filter options are available on the assets page in McAfee Risk Advisor.

Additional filters might be available on your server depending on the McAfee products installed and the server configuration.

Group / Option: Definition

Applications with Threats
  Application Name: Filters the list based on the applications installed on the assets.

Asset Details
  Analysis Status: Filters the list based on whether the analysis status of assets is enabled or disabled.
  Criticality: Filters the list based on the criticality levels of assets.

Asset Risk Score
  Absolute Risk Score: Filters the list based on the sum total of asset risk scores for all impacting threats.
  Actionable Threat Count: Filters the list by specifying the number of actionable threats for the assets.
  Asset Risk Category: Filters the list based on the risk category of the assets.
  Asset Risk Score: Filters the list based on the overall risk score of the asset.
  Asset Risk Status: Filters the list based on the risk status of the assets.
  Impacting Threat Count: Filters the list based on the number of threats impacting the assets.
  Max Risk Score: Filters the list based on the maximum value of the risk scores among all the impacting threats.
  No Immediate Action Required Threat Count: Filters the list based on the number of threats applicable to the assets where an action is not required or where an action can be deferred.
  Overall Action Status: Filters the list based on the recommended action for addressing threats to the asset.


Threat-centric report filters

The following advanced filter options are available on a threats page in McAfee Risk Advisor.

Group / Option: Definition

Threats
  Absolute Risk Score: Filters the list based on the sum total of all impacting threats' risk scores.
  Analysis Status: Filters the list based on whether the analysis status of threats is enabled or disabled.
  Assets Impacted: Filters the list based on the number of assets impacted by the threat.
  At Risk Asset Count: Filters the list based on the number of assets that are at risk due to the threat.
  Attack Vector: Filters the list based on the attack vector value.
  Basic Threat Score: Filters the list based on the CVSS Base Score set by McAfee.
  Creation Date: Filters the list based on the date and time the threat information was created.
  Is Exploited? Filters the list based on whether the threat is exploited.
  Is User Interaction Required: Filters the list based on whether a user interaction is required for the threat.
  Last Modification Date: Filters the list based on the date and time the threat information was last modified.
  Max Risk Score: Filters the list based on the maximum value of risk score among all applicable assets.
  McAfee Threat ID: Filters the list based on the McAfee ID associated with the threat.
  Not At Risk Asset Count: Filters the list based on the number of assets that are not "at risk" due to the threat.
  Notes: Filters the list based on the threat notes entered by a user.
  Not Protected Asset Count: Filters the list based on the number of assets that are not protected to mitigate risk from the threat.
  Not Vulnerable Asset Count: Filters the list based on the number of assets that are not vulnerable to the threat.
  Patch Exists? Filters the list based on whether a patch is available for this threat.
  Potentially At Risk Asset Count: Filters the list based on the number of assets that are potentially at risk due to the threat.
  Protected Asset Count: Filters the list based on the number of assets that are protected from the threat.
  Severity: Filters the list based on the risk rating set by McAfee.
  Suppressed Asset Count: Filters the list based on the number of suppressed assets.
  Tags: Filters the list based on the threat tags applied to the threat.
  Threat Information Source: Filters the list based on the source of the threat, if known.
  Threat Information Source Creation Date: Filters the list based on the date and time the threat was discovered.
  Threat Information Source Last Modification Date: Filters the list based on the date and time the threat source was last modified.


Threats (continued)
  Threat Risk Score: Filters the list based on the risk score of this threat over all the impacting assets.
  Threat Type: Filters the list based on the type of threat. For example, malware.
  Unknown Status Asset Count: Filters the list based on the number of assets for which the overall risk status is Potentially At Risk.
  Vendor: Filters the list based on the name of the vendor affected by the threat.
  Vendor Rating: Filters the list based on the severity level of the threat given by the vendor.
  Vulnerable/Not Protected Asset Count: Filters the list based on the number of assets that are vulnerable to the threat and are not protected.
  Vulnerable/Protected/Not Protected Asset Count: Filters the list based on the number of assets that are vulnerable to the threat, and are protected or not protected.
  Vulnerable Asset Count: Filters the list based on the number of assets that are vulnerable to the threat.

Read Status
  Read Status: Filters the list based on whether the read status of the threat is marked Read or Unread.

Threat Affected OS
  CPE: Filters the list based on the unique string to identify the operating system version.
  Does Threat have OS? Filters the list based on whether the threat is targeted to a particular operating system.
  OS Name: Filters the list based on the name of the affected operating system.

Threat Affected Software
  CPE: Filters the list based on the unique string to identify the operating system version.
  Does Threat have Software? Filters the list based on whether the threat is targeted to a particular software.
  Software: Filters the list based on the name of the software.

Threat Compliance Technology Document
  Document Name: Filters the list based on the name of the compliance policy affected by the threat.
  Does Threat have Document? Filters the list based on whether any compliance policy is affected by the threat.
  Section Name: Filters the list based on the section of the compliance policy affected by the threat.
  Technology Name: Filters the list based on the technology available to scan hosts on a network to check for compliance against the threat.

Threat Countermeasure
  Covered by HIPS? Filters the list based on whether the threats are covered by McAfee Host Intrusion Prevention.
  Covered by McAfee Application Control? Filters the list based on whether the threats are covered by McAfee Application Control.
  Covered by McAfee Network Security Platform? Filters the list based on whether the threats are covered by McAfee Network Security Platform.
  Covered by VSE? Filters the list based on whether the threats are covered by VirusScan Enterprise.


Threat CVSS
  Base Score: Filters the list based on the characteristics of a vulnerability that are constant over time and user environments.
  Description: Filters the list based on the abbreviated metric names that can be applied to the calculator settings.
  Does Threat have CVSS? Filters the list based on whether the threat is associated with CVSS information.
  Environmental Score: Filters the list based on the risk that a vulnerability poses, which varies with different environments.
  Exploit: Filters the list based on the exploits for the threat.
  Impact: Filters the list based on the impact information for the threat.
  Overall Score: Filters the list based on the overall score of the threat.
  Owner: Filters the list based on the name of the organization that provided the CVSS score.
  Temporal Score: Filters the list based on the threat posed by a vulnerability, which can change over time.

Threat Disclosure
  Does Threat have Disclosure? Filters the list based on whether the threat is associated with information about disclosures.
  Has Vendor? Filters the list based on whether the disclosure information has a vendor.
  Is Public? Filters the list based on whether the disclosure information is public.
  Patch Released? Filters the list based on whether a patch was released for the threat.
  Release Date: Filters the list based on the date and time the information was released.
  Title: Filters the list based on the sources that provide a patch for the threat.
  URL: Filters the list based on a link to information about the threat.

Threat Mitigation Availability
  Has Countermeasure? Filters the list based on whether threat information contains the countermeasure that can mitigate the threat.
  Has Detector? Filters the list based on whether threat information contains a vulnerability detector that can detect the threat.
  Has OS/Application information: Filters the list based on whether threat information contains the targeted operating system or application.

Threat Port
  Does Threat have Port? Filters the list based on whether the threat is targeted to a specific port.
  Protocol Name: Filters the list based on the protocol used by the threat to attack.

Threat Product Attribute
  Context: Filters the list based on the context of the product attribute.
  Attribute Name: Filters the list based on the name of the product attribute.
  Attribute Value: Filters the list based on the value of the product attribute.
  Content: Filters the list based on the actual content of the product attribute.


Threat Product Attribute (continued)
  Does Threat have Product? Filters the list based on whether the threat is targeted to a specific product.
  Operator: Allows selecting the comparison operator for a product attribute.
  Product: Filters the list based on the name of the product.
  Product Class: Filters the list based on the category of the product.
  Product Statement: Filters the list based on the information about the product that relates to the threat.
  Status: Filters the list based on whether the status for the product is "coverage exists", "expected but not confirmed", or "out of scope".
  Vector: Filters the list based on the value for Vector.

Threat Product Coverage Status
  Status: Filters the list based on whether any McAfee product is protecting against this threat.

Threat Security Dictionary
  Does Threat have Dictionary? Filters the list based on whether the threat is described in a dictionary or an external reference.
  Reference Value: Filters the list based on the unique identifier given to the threat by the external reference.

Threat Text
  Attack Vector: Filters the list based on the point from which an attack could occur.
  Description: Filters the list based on the brief description of the threat.
  Observation: Filters the list based on the brief description of the product and how the threat affects it.
  Overview: Filters the list based on the threat overview.
  Recommendation: Filters the list based on the recommended solutions for the threat.
  Threat Name: Filters the list based on the name of the threat.

Threat Vulnerabilities
  Vulnerability: Filters the list based on the ID of the vulnerability that can be exploited by the threats.
  Vulnerability Description: Filters the list based on the description of the vulnerability that can be exploited by the threats.

Vulnerability Metrics
  Exploitable Vulnerabilities: Filters the list based on the number of vulnerabilities that can be exploited by the threats.

Server Risk Metrics tab

The Server Risk Metrics tab on the Risk Metrics page provides asset, threat, and enterprise risk metrics values for the server.

This page provides the information you need to find the riskiest system among the assets on the server, to prioritize patching efforts, and to identify the threats that contribute most to asset risk.

You can further drill down to detailed reports about an individual asset, threat, or risk metric.


Option: Definition

Enterprise Risk Status: Displays the overall risk status for your assets on the server, including:

• Enterprise Risk Score — Risk score of all the assets on the server over all the threats.
• Change in Enterprise Risk Score — Percentage change in the Enterprise Risk Score from the previous time the MRA: Threat Download and Analysis task was run.
• Enterprise Risk Category* — Risk category of the enterprise based on Enterprise Risk Score for the data collected from the server. Possible types include: High, Medium, and Low.

Assets tab: Displays the asset-centric risk information:

• System Name — Name of the asset.
• Managed State — Whether the asset is managed by the ePolicy Orchestrator server.
• Criticality* — Criticality of the asset.
• Asset Risk Category* — Risk Category of the asset based on the asset risk score.
• Impacting Threat Count — Number of threats that are applicable to the asset and threats to which the asset is vulnerable.
• Asset Risk Score — Average risk score of the asset over all the impacting threats.
• Max Risk Score — Maximum value of the risk scores among all the impacting threats.
• Suppressed Threat Count — Number of threats that were excluded from analysis due to suppression.

Assets tab actions: When selected, displays these actions:

• Add to MRA Analysis Queue
• Assign Criticality to Assets
• Change Analysis Status
• Create Issue
• Manage Reporting Groups
• NSP Countermeasure Declaration
• NSP Countermeasure Removal
• Override NSP Countermeasure Status
• Remove NSP Countermeasure Override

Threats tab: Displays the threat-centric risk information:

• Threat Name — Name of the threat.
• Basic Threat Score — CVSS Base Score set by McAfee.
• Patch Exists? — Whether a patch is available for this threat.
• Assets Impacted — Number of assets to which the threat is applicable and assets that are vulnerable to the threat.
• Threat Risk Score — Average risk score of the threat against all the applicable assets.
• Max Risk Score — Maximum value of risk score among all applicable assets.
• Suppressed Asset Count — Number of assets that were excluded from analysis due to suppression.


Threats tab actions: When selected, displays these actions:

• Add Note
• Add to MRA Analysis Queue
• Apply Tags
• Change Analysis Status
• Export Data
• Import Threats From File
• Manage Reporting Groups
• Manage Tags
• Mark Read
• Mark Unread
• Remove Tags

Select a row in the Assets tab: Displays the System Details page.

Select a value in Impacting Threats Count (Assets tab): Displays the Impacting Threats page.

Select a value in Max Risk Score (Assets tab): Displays the Threats having Maximum Risk Score page.

Select a value in Suppressed Threat Count (Assets tab): Displays the Suppressed Threats page.

Select a row in the Threats tab: Displays the Threat Details page.

Select number of assets impacted in a row (Threats tab): Displays the Assets Impacted page.

Select max risk score in a row (Threats tab): Displays the Assets having Maximum Risk Score page.

Select a value in Suppressed Asset Count (Threats tab): Displays the Suppressed Assets page.

* The labels for Enterprise Risk Category, Asset Criticality and Asset Risk Category can be customized in the respective sections on the Menu | Configuration | Server Settings | Edit Risk Advisor page.
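The Assets tab and Threats tab columns above are two roll-ups of the same per-asset, per-threat risk scores: an average and a maximum taken along one axis give the asset-centric view, taken along the other axis the threat-centric view, with suppressed pairs excluded from analysis and counted separately. The following Python example is added here to show that roll-up and is not Risk Advisor code. The score matrix, the suppression list and the category thresholds are constructed for illustration; the guide does not publish the formulas Risk Advisor uses to produce a pair score, and it says only that the category labels are customizable, not where the boundaries lie.

```python
"""Roll up per-(asset, threat) risk scores into the asset-centric and
threat-centric metrics shown on the Server Risk Metrics tab.
Added example, not Risk Advisor code; every value below is constructed."""
from statistics import mean

# Constructed risk scores, one per (asset, threat) pair the analysis found
# applicable. Assumption: scores on a 0-10 scale.
PAIR_SCORES = {
    ("web01", "T-1001"): 8.4,
    ("web01", "T-1002"): 5.0,
    ("web01", "T-1003"): 3.0,
    ("db01", "T-1001"): 9.2,
    ("db01", "T-1003"): 6.5,
    ("ws07", "T-1002"): 2.2,
}

# Constructed suppressions: pairs excluded from analysis. A suppressed pair
# drops out of the averages and maxima and is counted separately, which is
# why the Suppressed Threat Count and Suppressed Asset Count columns exist.
SUPPRESSED = {("db01", "T-1003")}

# Assumed category boundaries on Asset Risk Score (highest floor wins).
CATEGORY_THRESHOLDS = (("High", 7.0), ("Medium", 4.0), ("Low", 0.0))


def risk_category(score):
    """Map a score to an assumed High/Medium/Low category."""
    for label, floor in CATEGORY_THRESHOLDS:
        if score >= floor:
            return label
    return "Low"


def asset_metrics(pair_scores=PAIR_SCORES, suppressed=SUPPRESSED):
    """Asset-centric roll-up: one record per asset, Assets tab columns."""
    result = {}
    for asset in sorted({a for a, _ in pair_scores}):
        scores = [s for (a, t), s in pair_scores.items()
                  if a == asset and (a, t) not in suppressed]
        suppressed_count = sum(1 for (a, t) in pair_scores
                               if a == asset and (a, t) in suppressed)
        asset_score = round(mean(scores), 1) if scores else 0.0
        result[asset] = {
            "impacting_threat_count": len(scores),
            "asset_risk_score": asset_score,               # average over impacting threats
            "max_risk_score": max(scores, default=0.0),    # worst single threat
            "absolute_risk_score": round(sum(scores), 1),  # sum over impacting threats
            "asset_risk_category": risk_category(asset_score),
            "suppressed_threat_count": suppressed_count,
        }
    return result


def threat_metrics(pair_scores=PAIR_SCORES, suppressed=SUPPRESSED):
    """Threat-centric roll-up: one record per threat, Threats tab columns."""
    result = {}
    for threat in sorted({t for _, t in pair_scores}):
        scores = [s for (a, t), s in pair_scores.items()
                  if t == threat and (a, t) not in suppressed]
        suppressed_count = sum(1 for (a, t) in pair_scores
                               if t == threat and (a, t) in suppressed)
        result[threat] = {
            "assets_impacted": len(scores),
            "threat_risk_score": round(mean(scores), 1) if scores else 0.0,
            "max_risk_score": max(scores, default=0.0),
            "suppressed_asset_count": suppressed_count,
        }
    return result


def riskiest_asset(pair_scores=PAIR_SCORES, suppressed=SUPPRESSED):
    """Asset with the highest Asset Risk Score; ties broken by Max Risk Score."""
    metrics = asset_metrics(pair_scores, suppressed)
    return max(metrics, key=lambda a: (metrics[a]["asset_risk_score"],
                                       metrics[a]["max_risk_score"]))


if __name__ == "__main__":
    for asset, m in asset_metrics().items():
        print(asset, m)
    for threat, m in threat_metrics().items():
        print(threat, m)
    print("riskiest asset:", riskiest_asset())
```

Note that db01 keeps a higher Asset Risk Score than web01 even though web01 has three impacting threats, because the average is over impacting threats only; the Absolute Risk Score (the sum) is the column to filter on when breadth of exposure matters more than the average severity.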

Asset-centric report

The McAfee Risk Advisor sections in the System Details page provide risk metrics information for an asset.

Option: Definition

Asset Criticality: Displays the criticality of the asset.
Analysis Status: Displays the analysis status of the asset. If disabled, no information is displayed in the Risk Advisor section.
Asset Risk Status: Displays the risk status of the asset.
Asset Risk Category: Displays the risk category of the asset based on the Asset Risk Score.
Asset Overall Risk Score: Displays the risk score of the asset over all the impacting threats.
Asset Risk Score: Displays the average risk score of the asset over all the impacting threats.
Max Risk Score: Displays the maximum value of risk score among all the impacting threats.


Impacting Threats: Displays the number of threats that are applicable to the system and the threats to which the system is vulnerable.
Suppressed Threat Count: Displays the number of threats that are suppressed for the asset.
Reporting Groups: Displays the number of reporting groups that contain the asset.
Overall Action Status: Displays the recommended action for addressing threats to the asset.
Actionable Threats Count: Displays the number of threats applicable to the asset where an action needs to be taken.
No Immediate Action Required Threats Count: Displays the number of threats applicable to the asset where action is not required or where action can be deferred.

Threat Coverage: Displays information about the threat coverage for the asset:

• How Am I at Risk? — Displays a chart representing the number of threats associated with each asset overall status: Vulnerable, Not Vulnerable, Protected, Not Protected, and Insufficient Data. When an area of the chart is selected, the How Am I at Risk? page is displayed.

• What Action to Take? — Displays a chart representing the number of threats associated with each threat action for the asset: Immediate action required (Install/Configure), Action required but no patch available, Action can be deferred (Protected), No action required (Not vulnerable), Not applicable, and Investigation required (Not enough information). When an area of the chart is selected, the What Threat Actions Required? page is displayed.

• View all Threats Coverage Status Information for this system — When selected, displays the Threat Asset Coverage page for the asset.

Network Security Platform Countermeasures: Displays the McAfee Network Security Platform countermeasures on the system:

• Sensor — Displays the name of the sensor.
• Port — Displays the port the sensor is running on.
• Interface — Displays the name of the interface.
• Policy — Displays the policy associated with the sensor.
• Defined By — Displays how the sensor is defined. For example, by system.

Actions: When selected, displays these actions:

• Add to MRA Analysis Queue
• Assign Criticality to Assets
• Change Analysis Status
• Create Issue
• Manage Reporting Groups
• NSP Countermeasure Declaration
• NSP Countermeasure Removal
• Override NSP Countermeasure Status
• Remove NSP Countermeasure Override


Threat-centric reports

You can view and drill down to threat risk metrics reports from the Risk Metrics page.

Threats page

This page provides the detailed list of threats.

Option: Definition

Quick find: Lets you search for a specific threat. Type what you want to search for, then click Apply. Click Clear to reset the results.
Preset: When selected, displays the filter options for the page: All, Read, and Unread.
Custom: Lets you use advanced filters to filter the results. Select Add, then select the filters that you want to apply from Available Properties.
McAfee Threat ID: Displays the McAfee ID associated with the threat.
Threat Name: Displays the name of the threat.
Threat Last Modified in McAfee Labs: Displays the date and time the threat source was last modified.
Severity: Displays the risk rating set by McAfee.
Vendor: Displays the name of the vendor affected by the threat.
Basic Threat Score: Displays the CVSS Base Score set by McAfee.
Analysis Status: Displays whether the threat is Enabled or Disabled.
Attack Vector: Displays the point from which an attack could occur.
CVE References: Displays the CVE references about the threat.
Vendor Rating: Displays the severity level given by the vendor.
Threat Type: Displays the type of threat. For example, Malware.
Read Status: Displays the read status of the threat: Read or Unread.

Actions: When selected, displays these actions:

• Add Note
• Add to MRA Analysis Queue
• Apply Tags
• Change Analysis Status
• Export Data
• Import Threats From File
• Manage Reporting Groups
• Manage Tags
• Mark Read
• Mark Unread
• Remove Tags

Select a row of data: Displays the Threat Details page.


Threat Details page

This page provides detailed information about a specific threat and its risk posture, to help you determine which applications are affected by the threat, which detectors can discover the vulnerability through which the threat can be exploited, and which countermeasures help protect systems from the threat.

Option: Definition

Threat Information: Displays details of the threat:

• Name — Displays the name of the threat.
• Type — Displays the type of threat. For example, malware.
• Description — Displays a brief description of the threat.
• Overview — Displays what the threat is about.
• Observation — Displays a brief description of the product and how the threat affects it.
• Recommendation — Displays recommended solutions for the threat.
• Vendor — Displays the name of the vendor affected by the threat.
• Threat Information Source — Displays the source of the threat, if known.
• McAfee Threat ID — Displays the McAfee ID associated with the threat.
• Threat Created in McAfee Labs — Displays the date and time the threat was created in McAfee Labs.
• Threat Last Modified in McAfee Labs — Displays the date and time the threat information was last modified in McAfee Labs.
• Threat Downloaded in Risk Advisor — Displays the date and time the threat information was reconciled in McAfee Risk Advisor.
• Threat Last Modified in Risk Advisor — Displays the date and time the threat information was last modified in McAfee Risk Advisor.
• Attack Vector — Displays the point from which an attack could occur.
• Countermeasures — Displays a list of available countermeasures.
• Vulnerability Detectors — Displays a list of products that can detect the threat.
• Severity — Displays the risk rating set by McAfee.
• Vendor Rating — Displays the severity level of the threat, given by the vendor.
• Basic Threat Score — Displays the CVSS Base Score set by McAfee.
• Ports — Displays the ports affected by the threat.
• Tags — Displays the threat tags applied to the threat.
• Analysis Status — Displays the analysis status. If disabled, the threat is not included in the next cycle of analysis.

Risk Summary chart: Displays the risk summary states for this threat and the number of assets in each. When an area of the chart is selected, displays the Where Am I at Risk? page. Possible states:

• At Risk
• Not At Risk
• Potentially At Risk


Risk Details chart: Displays the overall asset status for this threat and the number of assets in each: Vulnerable, Not Vulnerable, Protected, Not Protected, and Insufficient Data. When an area of the chart is selected, the How Am I at Risk? page is displayed.

Action Details chart: Displays the threat action status for this threat and the number of assets in each. Possible types of status include: Immediate action required (Install/Configure), Action required but no patch available, Action can be deferred (Protected), No action required (Not vulnerable), Not applicable, and Investigation required (Not enough information). When an area of the chart is selected, the What Threat Actions Required? page is displayed.

Threat Risk Metrics: Displays the quantitative risk analysis findings about the threat, including:

• Threat Overall Risk Score — Aggregated Risk Score of this threat.
• Threat Risk Score — Risk Score of this threat over all the impacting assets.
• Max Risk Score — Maximum value of the Risk Score.
• Assets Impacted — Total number of assets to which the threat is applicable and assets that are vulnerable to the threat. It also displays the number of assets for each criticality level.
• Suppressed Asset Count — Number of assets suppressed for the threat.
• Reporting Groups — Number of reporting groups that contain the threat.

External Reference: Displays the external references for the threat:

• Name — Displays the name of the external reference.
• Value — Displays the unique identifier given to the threat by the external reference.
• Description — Displays a description of the threat by an external reference.
• URL — Displays a link to the external reference for further information about the threat.

Applications: Displays the applications affected by the threat:

• Name — Displays the name of the application affected.
• Confidence — Displays the level of confidence that the application is susceptible to the threat; 1 = low susceptibility, 10 = highly susceptible.
• Dependencies — Displays the system configuration affected by the threat.

Countermeasures: Displays the products that provide a countermeasure for the threat:

• Product — Displays the product that provides the countermeasure.
• Description — Displays a description of the countermeasure.
• Status — Displays whether coverage exists, is expected but not confirmed, or is out of scope for the countermeasure product.
• Product Statement — Displays information about the countermeasure product that relates to the threat.


Vulnerability Detectors: Displays the products that detect vulnerabilities:

• Product — Displays the product name for the detector.
• Description — Displays a description of the detector.
• Status — Displays whether coverage exists, is expected but not confirmed, or is out of scope for the vulnerability detector product.
• Product Statement — Displays information about the vulnerability detector product that relates to the threat.

Disclosures: Displays disclosures about the threat:

• Release Date — Displays the date and time the information was released.
• Title — Displays the title of the disclosure information.
• Patch Released? — Displays the sources that provide a patch for the threat.
• URL — Displays a link to information about the threat.

Exploits: Displays exploits for the threat:

• Title — Displays the title of the exploit.
• Scenario — Displays an example of how the exploit is executed.
• Summary — Displays a description of the exploit.
• Release Date — Displays the date and time the exploit was discovered.
• URL — Displays the link to information about the exploit.

CVSS information (see the CVSS vector legend for definitions of the score abbreviations): Displays CVSS information about the threat:

• Owner Name — Displays the name of the organization that provided the CVSS score.
• Vector Description — Displays the abbreviated metric names that can be applied to the calculator settings.
• Base Score — Displays the characteristics of a vulnerability that are constant over time and user environments. There are six base score metrics: Access Vector, Access Complexity, Authentication, Confidentiality Impact, Integrity Impact, and Availability Impact.
• Temporal Score — Displays the threat posed by a vulnerability, which can change over time. Temporal metrics are optional and include a metric value that has no effect on the score. This value is used when the user feels the particular metric does not apply and wants to exclude it from the score. There are three temporal metrics: Exploitability, Remediation Level, and Report Confidence.
• Environmental Score — Displays the risk that a vulnerability poses, which varies with different environments. Environmental metrics are optional and include a metric value that has no effect on the score. This value is used when the user feels the particular metric does not apply and wants to exclude it from the score. There are five environmental metrics: Collateral Damage Potential, Target Distribution, Confidentiality Requirement, Integrity Requirement, and Availability Requirement.
• Score Detail — Displays the numbers used for each metric for calculating the CVSS score.


Compliances: Displays the compliance policies affected by the threat:

• Name — Displays the name of the compliance policy affected by the threat. For example, ACSI 33, FISMA, HIPAA.
• Section — Displays the section of the compliance policy affected by the threat.
• Technology — Displays the technology available to scan hosts on a network to check for compliance against the threat.

Notes: Displays additional information about the threat, entered by a user. Click Edit to modify a note. Click Delete to remove it.

Actions: When selected, displays these actions:

• Add Note
• Add to MRA Analysis Queue
• Apply Tags
• Change Analysis Status
• Export Data
• Import Threats From File
• Manage Reporting Groups
• Manage Tags
• Mark Read
• Mark Unread
• Remove Tags

CVSS information

The Common Vulnerability Scoring System (CVSS) information is displayed on the Threat Details page.

This information represents an abbreviated display of the values used in a given CVSS vector score.

Each metric in the vector consists of the abbreviated metric name, followed by a ":" (colon), then the abbreviated metric value. The vector lists these metrics in a predetermined order, using the "/" (slash) character to separate the metrics. If a temporal or environmental metric is not to be used, it is given a value of ND (not defined).

For example, a vulnerability with base metric values of "Access Vector: Local, Access Complexity: Medium, Authentication: None, Confidentiality Impact: None, Integrity Impact: Partial, Availability Impact: Complete" would have the following base vector: "AV:L/AC:M/Au:N/C:N/I:P/A:C".


Metric group Metric and possible values

Base Score

• AV = Access Vector
  • L = requires local access
  • A = adjacent network accessible
  • N = network accessible

• AC = Access Complexity
  • H = high
  • M = medium
  • L = low

• Au = Authentication
  • M = requires multiple instances of authentication
  • S = requires single instance of authentication
  • N = requires no authentication

• C = Confidentiality Impact
  • N = none
  • P = partial
  • C = complete

• I = Integrity Impact
  • N = none
  • P = partial
  • C = complete

• A = Availability Impact
  • N = none
  • P = partial
  • C = complete

Temporal Score

• E = Exploitability
  • ND = not defined
  • U = unproven that exploit exists
  • POC = proof of concept code
  • F = functional exploit exists
  • H = high

• RL = Remediation Level
  • ND = not defined
  • OF = official fix
  • TF = temporary fix
  • W = workaround
  • U = unavailable

• RC = Report Confidence
  • ND = not defined
  • UC = unconfirmed
  • UR = uncorroborated
  • C = confirmed

Environmental Score

• CDP = Collateral Damage Potential
  • ND = not defined
  • N = none
  • L = low
  • LM = low-medium
  • MH = medium-high
  • H = high

• TD = Target Distribution
  • ND = not defined
  • N = none
  • L = low
  • M = medium
  • H = high

• CR = Confidentiality Requirement
  • ND = not defined
  • L = low
  • M = medium
  • H = high

• IR = Integrity Requirement
  • ND = not defined
  • L = low
  • M = medium
  • H = high

• AR = Availability Requirement
  • ND = not defined
  • L = low
  • M = medium
  • H = high
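The vector format described under CVSS information and the metric table above can be exercised with the following parser and scorer, added here as an example and not part of the McAfee Risk Advisor product. The metric and value abbreviations are those of the guide's table; the weights, equations and per-step rounding are taken from the public CVSS v2.0 specification, which the guide does not reproduce.

```python
"""CVSS v2 vector parser and scorer.

Added example, not McAfee Risk Advisor code. The abbreviations match the
guide's metric table; the weights and equations are from the public CVSS
v2.0 specification, which the guide does not reproduce.
"""
import math

# metric -> {abbreviated value: weight}, in the order the vector uses them
BASE = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},    # Access Vector
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},     # Access Complexity
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},    # Authentication
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},     # Confidentiality Impact
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},     # Integrity Impact
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},     # Availability Impact
}
TEMPORAL = {
    "E": {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0},   # Exploitability
    "RL": {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0},  # Remediation Level
    "RC": {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0},            # Report Confidence
}
ENVIRONMENTAL = {
    "CDP": {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0},  # Collateral Damage
    "TD": {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0},            # Target Distribution
    "CR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},  # Confidentiality Requirement
    "IR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},  # Integrity Requirement
    "AR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},  # Availability Requirement
}
ORDER = list(BASE) + list(TEMPORAL) + list(ENVIRONMENTAL)
ALL = {**BASE, **TEMPORAL, **ENVIRONMENTAL}


def parse_vector(vector):
    """Split 'AV:L/AC:M/...' into {metric: value}, enforcing the fixed order.

    The six base metrics are mandatory; temporal and environmental metrics
    are optional and default to ND (not defined) when absent, as the guide
    describes. Unknown metrics or values raise ValueError.
    """
    parsed = {}
    position = -1
    for token in vector.strip().rstrip(".").split("/"):
        if ":" not in token:
            raise ValueError("malformed metric %r" % token)
        name, value = token.split(":", 1)
        if name not in ALL:
            raise ValueError("unknown metric %r" % name)
        if value not in ALL[name]:
            raise ValueError("invalid value %r for metric %s" % (value, name))
        if ORDER.index(name) <= position:
            raise ValueError("metric %s repeated or out of order" % name)
        position = ORDER.index(name)
        parsed[name] = value
    missing = [name for name in BASE if name not in parsed]
    if missing:
        raise ValueError("missing base metrics: " + ", ".join(missing))
    for name in list(TEMPORAL) + list(ENVIRONMENTAL):
        parsed.setdefault(name, "ND")
    return parsed


def is_valid_vector(vector):
    """True when the vector parses cleanly (useful when validating a threat feed)."""
    try:
        parse_vector(vector)
        return True
    except ValueError:
        return False


def _round1(x):
    # CVSS v2 rounds half up to one decimal (Python's round() is half-to-even);
    # the epsilon stops float noise such as 53.99999999 from losing a step.
    return math.floor(x * 10 + 0.5 + 1e-9) / 10


def score(vector):
    """Return (base, temporal, environmental) scores for a CVSS v2 vector."""
    metrics = parse_vector(vector)

    def w(name):
        return ALL[name][metrics[name]]

    def base_from_impact(impact):
        exploitability = 20 * w("AV") * w("AC") * w("Au")
        f_impact = 0 if impact == 0 else 1.176
        return _round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)

    # Impact sub-score: how much confidentiality, integrity and availability is lost
    impact = 10.41 * (1 - (1 - w("C")) * (1 - w("I")) * (1 - w("A")))
    base = base_from_impact(impact)
    temporal_factor = w("E") * w("RL") * w("RC")
    temporal = _round1(base * temporal_factor)

    # Environmental: re-weight each impact by its CR/IR/AR requirement, then
    # scale by collateral damage potential and target distribution
    adjusted_impact = min(10.0, 10.41 * (1 - (1 - w("C") * w("CR"))
                                          * (1 - w("I") * w("IR"))
                                          * (1 - w("A") * w("AR"))))
    adjusted_temporal = _round1(base_from_impact(adjusted_impact) * temporal_factor)
    environmental = _round1((adjusted_temporal + (10 - adjusted_temporal) * w("CDP")) * w("TD"))
    return base, temporal, environmental


if __name__ == "__main__":
    # The guide's own example vector: base 5.4; temporal and environmental
    # metrics are absent, so they default to ND and leave the score unchanged.
    print(score("AV:L/AC:M/Au:N/C:N/I:P/A:C"))
```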

Threat-asset centric reports

The threat-asset centric reports are the reports about a combination of threats and assets, such as threat coverage information about a particular asset and asset risk metrics information against a particular threat.

You can drill down to risk metrics reports about threat-asset combinations from the Risk Metrics page.

Threat Asset Coverage page

This page provides threat coverage information for an asset to help you determine the overall risk status of the asset against all the threats.

Option Definition

Threat Name Displays the name of the threat.

Risk Score Displays the risk score of the asset against the threat.


Countermeasure Status Displays the countermeasure status of the asset for the threat:

• Protected

• Not Protected

• Insufficient Data

Vulnerability Detector Status Displays the vulnerability detector status of the asset for the threat:

• Vulnerable

• Not Vulnerable

• Insufficient Data

Threat Applicability Displays the applicability status of the asset for the threat:

• Applicable

• Not Applicable

• Insufficient Data

Summary State Displays risk summary state of the asset for the threat:

• At Risk

• Not At Risk

• Potentially At Risk

Patch exists? Displays whether a patch is available for the asset against the threat.

Threat Action Status Displays the threat action status of the asset for the threat:

• Immediate action required (Install/Configure)

• Action required but no patch available

• Action can be deferred (Protected)

• No action required (Not vulnerable)

• Not applicable

• Investigation required (Not enough information)

Actions When selected, displays these actions:

• Assign Criticality to Assets

• Create Issue

• NSP Countermeasure Declaration

• NSP Countermeasure Removal

• Override NSP Countermeasure Status

• Remove NSP Countermeasure Override

Select a row of data Displays the Threat Asset Coverage Details page.


Threat Asset Coverage Details page

This page provides risk metrics information about an asset against a particular threat. The threat coverage information includes which product detected the vulnerability through which the threat can be exploited, and which countermeasure product is protecting the selected system from the threat.

Option Definition

Summary Displays a summary of the coverage of the asset for the threat:

• Threat Name — Displays the name of the threat.

• System Name — Displays the name of the asset.

• Asset Criticality — Displays the criticality of the asset.

• Risk Score — Displays the risk score of the asset against the threat.

• Summary State — Displays the risk summary state of the asset for this threat.

• Asset Overall Status — Displays the overall status of the asset for this threat and the status for Threat Applicability, Vulnerability Detectors, and Countermeasures, which are used to determine the overall status.

• Threat Action Status — Displays the recommended action to take against the threat.

Threat Applicability Displays a message stating whether the threat is applicable to the asset. Click More details to view the details. This link is only displayed if more information exists.

When More details is selected, displays this information:

• Applicability — Displays the type of information found on the system to check applicability of the threat. For example, operating system.

• Property — Displays the type of information or value being gathered from the asset.

• Expected — Displays the information or value expected while checking the status of the threat applicability.

• Observed — Displays the information or value gathered from the threat applicability.

• State — Displays whether the type of information being gathered from the system matches the threat and is Applicable or Not Applicable. A status of Insufficient Data is displayed if there is not enough information to determine the threat applicability.

When the McAfee Application Inventory agent data is available for an entry, More is displayed next to the entry. Click this to view the Threat Asset Applicable page listing the match status of all the installed applications matched against the application to which the threat is applicable.

Vulnerability Detectors Displays a message stating whether the asset is vulnerable to the threat. Click More details to view the details. This link is only displayed if more information exists.

When More details is selected, displays this information:

• Detector — Displays the McAfee product used to scan the system.

• Property — Displays the type of information or value being gathered from the detector.

• Expected — Displays the information or value expected, as defined in the threat feed.

• Observed — Displays the information or value gathered from the system. The information could have an (On) or (Off) statement after it. (On) means the vulnerability is discovered on the system. (Off) means the vulnerability is present on the system.

• State — Displays whether a system is Vulnerable or Not Vulnerable to a threat. A status of Insufficient Data is displayed when there's no information available for vulnerability detectors.


Detected Countermeasures Displays a message stating whether the asset has countermeasures that can protect it from the threat. Click More details to view the details. This link is only displayed if more information exists.

When More details is selected, displays this information:

• Countermeasure — Displays the McAfee countermeasure used to protect the system.

• Property — Displays the type of information or value being gathered from the countermeasure. For example, some countermeasures provide protection against a threat if the countermeasure is up-to-date, so the Version property would check the expected version number against the observed version number of the countermeasure.

• Expected — Displays the information or value expected while checking the status of the countermeasure.

• Observed — Displays the information or value gathered from the countermeasure.

• State — Displays whether a system is Protected or Not Protected from the threat. A status of Insufficient Data is displayed when there is no information available for countermeasures.

For McAfee Network Security Platform, an attack ID in the On state means the system is protected by McAfee Network Security Platform. For a system to be labeled as protected, it must meet these criteria:

• The associated Sensor Port must be in in-line mode.

• The Sensor Port IO type must be Outside Network.

• The Sensor Port administrative status must be active or enabled.

• The Policy must be configured to block.

• The Policy must not be an outbound policy.

• The Attack must be active and configured to block.

Declared Countermeasures Displays the user-defined countermeasure declarations for the asset against the threat.

Patches Displays the URL for the patch if one is available.

Related Items Displays these links:

• Go to related System — When selected, displays the System Details page for the selected system.

• Go to related Threat — When selected, displays the Threat Details page for the selected threat.

Actions When selected, displays these actions:

• Assign Criticality to Assets

• Create Issue

• NSP Countermeasure Declaration

• NSP Countermeasure Removal

• Override NSP Countermeasure Status

• Remove NSP Countermeasure Override

How Am I At Risk page

This page provides information about the assets that are Vulnerable, Not Vulnerable, Protected, or Not Protected against a threat. If an asset's risk can't be determined, the risk status is Insufficient Data.

To access this page, go to the Threat Details page, then select an area on the Risk Details chart.


Option Definition

System Name Displays the name of the asset.

Risk Score Displays the risk score of the asset against the threat.

Criticality Displays the criticality of the asset.

Countermeasure Status Displays the countermeasure status of the asset for the threat:

• Protected

• Not Protected

• Insufficient Data

Vulnerability Detector Status Displays the vulnerability detector status of the asset for the threat:

• Vulnerable

• Not Vulnerable

• Insufficient Data

Threat Applicability Displays the threat applicability status of the asset for the threat:

• Applicable

• Not Applicable

• Insufficient Data

Summary State Displays risk summary states for this threat and the number of assets in each:

• At Risk

• Not At Risk

• Potentially At Risk

Threat Action Status Displays the threat action status of the asset for the threat:

• Immediate action required (Install/Configure)

• Action required but no patch available

• Action can be deferred (Protected)

• No action required (Not vulnerable)

• Not applicable

• Investigation required (Not enough information)

Actions When selected, displays these actions:

• Assign Criticality to Assets

• Create Issue

• NSP Countermeasure Declaration

• NSP Countermeasure Removal

• Override NSP Countermeasure Status

• Remove NSP Countermeasure Override

Select a row of data Displays the Threat Asset Coverage Details page.

Where Am I At Risk page

This page provides the list of assets per their risk status against a threat: At Risk, Not At Risk, or Potentially At Risk.

To access this page, go to the Threat Details page and select an area on the Risk Summary chart.

Option Definition

System Name Displays the name of the asset.

Risk Score Displays the risk score of the asset against the threat.

Criticality Displays the criticality of the asset.


Countermeasure Status Displays the countermeasure status of the asset for the threat:

• Protected

• Not Protected

• Insufficient Data

Vulnerability Detector Status Displays the vulnerability detector status of the asset for the threat:

• Vulnerable

• Not Vulnerable

• Insufficient Data

Threat Applicability Displays the threat applicability status of the asset for the threat:

• Applicable

• Not Applicable

• Insufficient Data

Summary State Displays risk summary states for this threat and the number of assets in each:

• At Risk

• Not At Risk

• Potentially At Risk

Threat Action Status Displays the threat action status of the asset for the threat:

• Immediate action required (Install/Configure)

• Action required but no patch available

• Action can be deferred (Protected)

• No action required (Not vulnerable)

• Not applicable

• Investigation required (Not enough information)

Actions When selected, displays these actions:

• Assign Criticality to Assets

• Create Issue

• NSP Countermeasure Declaration

• NSP Countermeasure Removal

• Override NSP Countermeasure Status

• Remove NSP Countermeasure Override

Select a row of data Displays the Threat Asset Coverage Details page.

Assets Having Maximum Risk Score page

This page provides the list of assets that have the maximum risk scores against a threat.

Option Definition

System Name Displays the name of the asset.

Criticality Displays the criticality of the asset.

Risk Score Displays the maximum value of risk score among all the impacting threats to the asset.

Countermeasure Status Displays the countermeasure status of the asset for the threat:

• Protected

• Not Protected

• Insufficient Data


Is Countermeasure Declared? Displays whether a user-defined countermeasure is declared for the asset against the threat.

Vulnerability Detector Status Displays the vulnerability detector status of the asset for the threat:

• Vulnerable

• Not Vulnerable

• Insufficient Data

Threat Action Status Displays the threat action status of the asset for the threat:

• Immediate action required (Install/Configure)

• Action required but no patch available

• Action can be deferred (Protected)

• No action required (Not vulnerable)

• Not applicable

• Investigation required (Not enough information)

Summary State Displays the risk summary states of the asset:

• At Risk

• Potentially At Risk

• Not At Risk

Actions When selected, displays these actions:

• Assign Criticality to Assets

• Create Issue

• NSP Countermeasure Declaration

• NSP Countermeasure Removal

• Override NSP Countermeasure Status

• Remove NSP Countermeasure Override

Select a row of data Displays the Threat Asset Coverage Details page.

Assets Impacted page

This page provides the list of assets impacted by a particular threat. These are the assets to which the threat is applicable and the assets that are vulnerable to the threat.

Option Definition

System Name Displays the name of the asset.

Criticality Displays the criticality of the asset.

Risk Score Displays the risk score of the asset against the threat.

Countermeasure Status Displays the countermeasure status of the asset for the threat:

• Protected

• Not Protected

• Insufficient Data

Is Countermeasure Declared? Displays whether a user-defined countermeasure is declared for the asset against the threat.

Vulnerability Detector Status Displays the vulnerability detector status of the asset for the threat:

• Vulnerable

• Not Vulnerable

• Insufficient Data


Summary State Displays the risk summary states of the asset:

• At Risk

• Potentially At Risk

• Not At Risk

Threat Action Status Displays the threat action status of the asset for the threat:

• Immediate action required (Install/Configure)

• Action required but no patch available

• Action can be deferred (Protected)

• No action required (Not vulnerable)

• Not applicable

• Investigation required (Not enough information)

Actions When selected, displays these actions:

• Assign Criticality to Assets

• Create Issue

• NSP Countermeasure Declaration

• NSP Countermeasure Removal

• Override NSP Countermeasure Status

• Remove NSP Countermeasure Override

Select a row of data Displays the Threat Asset Coverage Details page.

Threats Having Maximum Risk Score page

This page provides the list of threats that have the maximum risk score for a particular asset.

Option Definition

Threat Name Displays the name of the threat.

Risk Score Maximum value of risk score among all assets applicable to the threat.

Countermeasure Status Displays the countermeasure status of the asset for the threat:

• Protected

• Not Protected

• Insufficient Data

Is Countermeasure Declared? Displays whether a user-defined countermeasure is declared for the asset against the threat.

Vulnerability Detector Status Displays the vulnerability detector status of the asset for the threat:

• Vulnerable

• Not Vulnerable

• Insufficient Data

Threat Action Status Displays the threat action status of the asset for the threat:

• Immediate action required (Install/Configure)

• Action required but no patch available

• Action can be deferred (Protected)

• No action required (Not vulnerable)

• Not applicable

• Investigation required (Not enough information)

Summary State Displays the risk summary states of the asset:

• At Risk

• Potentially At Risk

• Not At Risk


Patch Exists? Displays whether a patch exists that could protect the system against the threat.

Actions When selected, displays these actions:

• Assign Criticality to Assets

• Change Analysis Status

• Create Issue

• Manage Reporting Groups

• NSP Countermeasure Declaration

• NSP Countermeasure Removal

• Override NSP Countermeasure Status

• Remove NSP Countermeasure Override

Select a row of data Displays the Threat Asset Coverage Details page.

Impacting Threats page

This page provides the list of threats that are impacting an asset. These are the threats that are applicable to the asset and the threats to which the asset is vulnerable.

Option Definition

Threat Name Displays the name of the threat.

Risk Score Displays the risk score of the threat against the asset.

Countermeasure Status Displays the countermeasure status of the asset for the threat:

• Protected

• Not Protected

• Insufficient Data

Is Countermeasure Declared? Displays whether a user-defined countermeasure is declared for the asset against the threat.

Vulnerability Detector Status Displays the vulnerability detector status of the asset for the threat:

• Vulnerable

• Not Vulnerable

• Insufficient Data

Summary State Displays the risk summary states of the asset:

• At Risk

• Potentially At Risk

• Not At Risk

Threat Action Status Displays the threat action status of the asset for the threat:

• Immediate action required (Install/Configure)

• Action required but no patch available

• Action can be deferred (Protected)

• No action required (Not vulnerable)

• Not applicable

• Investigation required (Not enough information)

Patch Exists? Displays whether a patch exists that could protect the system against the threat.

Actions When selected, displays these actions:

• Assign Criticality to Assets

• Create Issue

• NSP Countermeasure Declaration

• NSP Countermeasure Removal

• Override NSP Countermeasure Status

• Remove NSP Countermeasure Override

Select a row of data Displays the Threat Asset Coverage Details page.


Action-centric reports

Observations from the risk metrics reports help you determine your assets' risk status against the threat, and what actions you require to mitigate the threat. You can drill down to risk metrics reports about threat actions from the Risk Metrics page.

What Threat Actions Required page

This page provides the list of assets for a selected action status against a threat: Immediate action required (Install/Configure), Action required but no patch available, Action can be deferred (Protected), No action required (Not vulnerable), or Investigation required (Not enough information).

To access this page, go to the Threat Details page and select an area on the Action Details chart.

Option Definition

System Name Displays the name of the asset.

Risk Score Displays the risk score of the asset against the threat.

Criticality Displays the criticality of the asset.

Countermeasure Status Displays the countermeasure status of the asset for the threat:

• Protected

• Not Protected

• Insufficient Data

Vulnerability Detector Status Displays the vulnerability detector status of the asset for the threat:

• Vulnerable

• Not Vulnerable

• Insufficient Data

Threat Applicability Displays the threat applicability status of the asset for the threat:

• Applicable

• Not Applicable

• Insufficient Data

Summary State Displays risk summary states for this threat and the number of assets in each:

• At Risk

• Not At Risk

• Potentially At Risk

Threat Action Status Displays the threat action status of the asset for the threat:

• Immediate action required (Install/Configure)

• Action required but no patch available

• Action can be deferred (Protected)

• No action required (Not vulnerable)

• Not applicable

• Investigation required (Not enough information)

Actions When selected, displays these actions:

• Assign Criticality to Assets

• Create Issue

• NSP Countermeasure Declaration

• NSP Countermeasure Removal

• Override NSP Countermeasure Status

• Remove NSP Countermeasure Override

Select a row of data Displays the Threat Asset Coverage Details page.


Actionable Threat Count page

This page provides the list of threats for which the action status for an asset is: Immediate action required, Investigation required, or Action required but no patch available.

Option Definition

Threat Name Displays the name of the threat.

Risk Score Displays the risk score of the asset against the threat.

Countermeasure Status Displays the countermeasure status of the asset for the threat:

• Protected

• Not Protected

• Insufficient Data

Is Countermeasure Declared? Displays whether a user-defined countermeasure is declared for the asset against the threat.

Vulnerability Detector Status Displays the vulnerability detector status of the asset for the threat:

• Vulnerable

• Not Vulnerable

• Insufficient Data

Threat Action Status Displays the threat action status of the asset for the threat:

• Immediate action required (Install/Configure)

• Action required but no patch available

• Action can be deferred (Protected)

• No action required (Not vulnerable)

• Not applicable

• Investigation required (Not enough information)

Summary State Displays the risk summary states of the asset:

• At Risk

• Potentially At Risk

• Not At Risk

Patch Exists? Displays whether a patch exists that could protect the system against the threat.

Actions When selected, displays these actions:

• Assign Criticality to Assets

• Create Issue

• NSP Countermeasure Declaration

• NSP Countermeasure Removal

• Override NSP Countermeasure Status

• Remove NSP Countermeasure Override

Select a row of data Displays the Threat Asset Coverage Details page.

No Immediate Action Required Threat Count page

This page provides the list of threats for which the action status for an asset is: No action required, Action can be deferred, or Not applicable.

Option Definition

Threat Name Displays the name of the threat.

Risk Score Displays the risk score of the asset against the threat.


Countermeasure Status Displays the countermeasure status of the asset for the threat:

• Protected

• Not Protected

• Insufficient Data

Is Countermeasure Declared? Displays whether a user-defined countermeasure is declared for the asset against the threat.

Vulnerability Detector Status Displays the vulnerability detector status of the asset for the threat:

• Vulnerable

• Not Vulnerable

• Insufficient Data

Threat Action Status Displays the threat action status of the asset for the threat:

• Immediate action required (Install/Configure)

• Action required but no patch available

• Action can be deferred (Protected)

• No action required (Not vulnerable)

• Not applicable

• Investigation required (Not enough information)

Summary State Displays the risk summary states of the asset:

• At Risk

• Potentially At Risk

• Not At Risk

Patch Exists? Displays whether a patch exists that could protect the system against the threat.

Actions When selected, displays these actions:

• Assign Criticality to Assets

• Create Issue

• NSP Countermeasure Declaration

• NSP Countermeasure Removal

• Override NSP Countermeasure Status

• Remove NSP Countermeasure Override

Select a row of data Displays the Threat Asset Coverage Details page.

Rollup server reports

You can view and drill down to reports for rollup risk metrics from the Rolled-up - Risk Metrics tab on the Risk Metrics page.

Rolled up Risk Metrics tab

This page provides information about the overall enterprise risk information across servers.

You can use the information provided on the Rolled-Up Risk Metrics page to find out the riskiest system in the organization, to prioritize patching efforts, and to recognize threats impacting assets the most.


Option Definition

Rolled-Up Enterprise Risk Metrics Displays the overall risk status of your enterprise:

• Overall Enterprise Risk Score — Displays the cumulative impact of threats over all applicable assets under every registered ePolicy Orchestrator server from which McAfee Risk Advisor data was rolled up.

• Change in Overall Enterprise Risk Score — Displays the percentage change in the Overall Enterprise Risk Score from the previous time the MRA Rollup: Roll up Risk Advisor Data task was run.

• Overall Enterprise Risk Category — Displays the risk category of the overall enterprise considering all the assets under every registered ePolicy Orchestrator server from which McAfee Risk Advisor data was rolled up. Possible types include: High, Medium, and Low.

Servers tab Displays the rollup information of all the registered ePolicy Orchestrator servers from which McAfee Risk Advisor data was rolled up:

• Server Name — Displays the name of the ePolicy Orchestrator server.

• Server Risk Score — Displays the aggregated risk score of all the assets on the server over all the threats.

• Server Risk Category — Displays the risk category of the server based on Server Risk Score. Possible types include: High, Medium, and Low.

• At Risk Asset Count — Displays the number of assets on the server that are At Risk.

• Action Required Asset Count — Displays the number of assets on the server that require some action to be performed.

• High Risk Category Asset Count — Displays the number of assets on the server that are under the High risk category.

• Calculated Time — Displays the time at which the report was generated.

Threats tab Displays information about all impacting threats:

• McAfee Threat ID — Displays the McAfee ID associated with the threat.

• Threat Name — Displays the name of the threat.

• Vendor — Displays the name of the vendor affected by the threat.

• Basic Threat Score — Displays the CVSS Base Score set by McAfee.

• Vendor Rating — Displays the severity level of the threat given by the vendor.

• Assets Impacted — Displays the number of threats that are applicable to the asset and threats to which the asset is vulnerable.

• Threat Risk Score — Displays the average risk score of the threat against all the applicable assets.

• Max Risk Score — Displays the maximum value of risk score among all applicable assets.

Select a row of data in the Servers tab Displays the Rolled-Up Servers Details page.

Select a row of data in the Threats tab Displays the Rolled-Up Threat Details page.


Rolled up Servers Details page

This page provides rollup risk analysis information about a server.

Option Definition

Rolled-up Servers Information

• Server Name — Displays the name of the rollup server.

• Server Description — Displays the description of the server.

Server Risk Metrics

• Server Risk Score — Displays the risk score of all the assets on the server over all the threats.

• Enabled Assets — Displays the number of assets on the server that are enabled for analysis.

• Enabled Threats — Displays the number of threats on the server that are enabled for analysis.

• At Risk Asset Count — Displays the number of assets on the server that are At Risk.

• Action Required Asset Count — Displays the number of assets on the server that require some action to be performed.

• High Risk Category Asset Count — Displays the number of assets on the server that are under the High risk category.

• Server Risk Category — Displays the risk category of the enterprise risk score for the server.

Server Risk Score Trend Displays a line chart representing the trends of change in risk scores of the rollup server.

Related Items Click Go to related Registered Server to view the registered server details.


Rolled up Threat Details page

This page provides rolled up risk metrics information about a threat.

Option Definition

Rolled-Up Threat Information

• Threat Name — Displays the name of the threat.

• Description — Displays a brief description of the threat.

• Overview — Displays what the threat is about.

• Observation — Displays a brief description of the product and how the threat affects it.

• Recommendation — Displays recommended solutions for the threat.

• Vendor — Displays the name of the vendor affected by the threat.

• McAfee Threat ID — Displays the McAfee ID associated with the threat.

• Threat Information Source Modified Date — Displays the date and time the threat source information was last modified.

• Severity — Displays the risk rating set by McAfee.

• Vendor Rating — Displays the severity level of the threat, given by the vendor.

• Is Exploited? — Displays if the threat is exploited.

• Is User Interaction Required? — Displays if a user interaction is required for the threat.

• Is Threat Consistent Across Servers? — Displays if the threat version is consistent across all the registered servers.

Risk Metrics

• Absolute Risk Score — Displays the absolute Risk Score of this threat over all the impacting assets across servers.

• Threat Risk Score — Displays the aggregated Risk Score of this threat over all the impacting assets across servers.

• Max Risk Score — Displays the maximum value of the Risk Score of this threat over all the impacting assets across servers.

• Assets Impacted — Displays the total number of assets across servers to which the threat is applicable and assets that are vulnerable to the threat.

Server Risk Metrics

• Absolute Risk Score — Displays the absolute Risk Score of this threat over all the impacting assets on the server.

• Threat Risk Score — Displays the aggregated Risk Score of this threat over all the impacting assets on the server.

• Max Risk Score — Displays the maximum value of the Risk Score of this threat over all the impacting assets on the server.

• Assets Impacted — Displays the number of assets on the server to which the threat is applicable and assets that are vulnerable to the threat.

Risk Summary chart Displays risk summary states for this threat and the number of assets in each server:

• At Risk — Displays the number of assets across servers that are At Risk due to this threat.

• Not At Risk — Displays the number of assets across servers that are Not At Risk due to this threat.

• Potentially At Risk — Displays the number of assets across servers that are Potentially At Risk due to this threat.

When an area of the chart is selected, displays the Summary State page.


Option Definition

Risk Details chart

Displays the overall asset status for this threat and the number of assets in each:

• Vulnerable — Displays the number of assets across servers on which the threat was found and no countermeasure was detected that could mitigate the threat.

• Not Vulnerable — Displays the number of assets across servers which are not vulnerable to the threat and have countermeasures in place.

• Protected — Displays the number of assets across servers which have countermeasures to mitigate the vulnerability of the asset to the threat.

• Not Protected — Displays the number of assets across servers on which the threat was not found and no countermeasure was detected. Such systems are still vulnerable to the threat, but are currently not affected by the threat.

• Insufficient Data — Displays the number of assets across servers on which neither the threat nor the countermeasure have been detected. This state could be caused if the scan did not complete on this asset.

When an area of the chart is selected, the Coverage State page is displayed.

Action Details chart

Displays the threat action status for this threat and the number of assets in each:

• Immediate action required (Install/Configure) — Displays the number of assets across servers that require an immediate action due to the threat.

• Action required but no patch available — Displays the number of assets across servers that require some action due to the threat but there is no such patch available.

• Action can be deferred (Protected) — Displays the number of assets across servers whose action can be deferred.

• No action required (Not vulnerable) — Displays the number of assets across servers that require no action due to the threat.

• Not applicable — Displays the number of assets across servers to which the threat is not applicable.

• Investigation required (Not enough information) — Displays the number of assets across servers that require further investigation to protect them from the threat.

When an area of the chart is selected, the Threat Action Status page is displayed.
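The Risk Details and Action Details buckets above are only meaningful if you know how an asset's detector results map into them. The following Python script is an added illustration, not code from this guide or from McAfee: it derives the coverage state and action status of each asset-threat pair from the state definitions given on this page and rolls the counts up across registered servers the way the charts present them. The Detect enum, the AssetThreat record, the sample inventory and the rule that a Not Protected asset needs no action right now are all assumptions made for the example; the product's real scoring logic is not described here.

```python
"""Constructed example: derive one asset's Risk Details (coverage) state and
Action Details status against a single threat, then roll the counts up across
registered ePO servers the way the Rolled-Up Threat Details charts present them.
The mapping rules below are an interpretation of the state definitions in this
guide, not Risk Advisor's own algorithm."""
from collections import Counter
from dataclasses import dataclass
from enum import Enum


class Detect(Enum):
    """What a detector (vulnerability scanner or countermeasure feed) reported."""
    FOUND = "found"
    NOT_FOUND = "not found"
    NO_DATA = "no data"        # e.g. the scan did not complete on this asset


@dataclass(frozen=True)
class AssetThreat:
    """One asset's status against one threat, as imported from one ePO server."""
    server: str
    asset: str
    applicable: bool           # does the threat apply to this asset at all?
    vulnerability: Detect      # Vulnerability Detector state
    countermeasure: Detect     # Countermeasure state
    patch_available: bool      # the threat's "Patch Exists?" flag


def coverage_state(rec: AssetThreat) -> str:
    """Risk Details chart bucket for one asset-threat pair."""
    if rec.countermeasure is Detect.FOUND:
        # Countermeasure in place: Not Vulnerable if the threat was not found,
        # otherwise Protected (assumption: a countermeasure still counts when
        # the vulnerability scan returned no data).
        return "Not Vulnerable" if rec.vulnerability is Detect.NOT_FOUND else "Protected"
    if rec.vulnerability is Detect.FOUND:
        return "Vulnerable"        # threat found, nothing detected that mitigates it
    if rec.vulnerability is Detect.NOT_FOUND:
        return "Not Protected"     # not affected today, but nothing would stop it
    return "Insufficient Data"     # neither threat nor countermeasure detected


def action_status(rec: AssetThreat) -> str:
    """Action Details chart bucket, derived from the coverage state and patch availability."""
    if not rec.applicable:
        return "Not applicable"
    state = coverage_state(rec)
    if state == "Insufficient Data":
        return "Investigation required"      # patch availability is not considered here
    if state == "Vulnerable":
        if rec.patch_available:
            return "Immediate action required"
        return "Action required but no patch available"
    if state == "Protected":
        return "Action can be deferred"
    # Not Vulnerable, and (assumption) Not Protected: nothing to install right now.
    return "No action required"


def rollup(records):
    """Counts over all servers (the rolled-up charts) and per server (the
    Coverage State and Threat Action Status drill-down pages)."""
    coverage = Counter(coverage_state(r) for r in records)
    actions = Counter(action_status(r) for r in records)
    per_server = {}
    for r in records:
        srv = per_server.setdefault(r.server, {"coverage": Counter(), "action": Counter()})
        srv["coverage"][coverage_state(r)] += 1
        srv["action"][action_status(r)] += 1
    return coverage, actions, per_server


# Constructed sample: two registered servers, one threat for which a patch exists.
SAMPLE = [
    AssetThreat("epo-east", "ws-001", True, Detect.FOUND, Detect.NOT_FOUND, True),
    AssetThreat("epo-east", "ws-002", True, Detect.FOUND, Detect.FOUND, True),
    AssetThreat("epo-east", "srv-010", True, Detect.NO_DATA, Detect.NO_DATA, True),
    AssetThreat("epo-west", "ws-101", True, Detect.NOT_FOUND, Detect.FOUND, True),
    AssetThreat("epo-west", "ws-102", True, Detect.NOT_FOUND, Detect.NOT_FOUND, True),
    AssetThreat("epo-west", "mac-201", False, Detect.NOT_FOUND, Detect.NOT_FOUND, True),
]

if __name__ == "__main__":
    cov, act, per_server = rollup(SAMPLE)
    print("Risk Details chart:", dict(cov))
    print("Action Details chart:", dict(act))
    for name, buckets in per_server.items():
        print(name, dict(buckets["coverage"]), dict(buckets["action"]))
```

The one asset whose scan did not complete (srv-010) lands in Investigation required rather than in one of the action buckets, which is the reason the guide keeps Insufficient Data as its own state: a missing scan must not be read as "not vulnerable".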

Summary State page

This page provides the list of ePolicy Orchestrator servers per their Summary State against a threat: At Risk, Not At Risk, and Potentially At Risk.

To access this page, go to the Rolled-Up Threat Details page, then select an area on the Risk Summary chart.

Option Definition

Server Name Displays the name of the ePolicy Orchestrator server.

Server Description Displays the description of the server.


Option Definition

Assets count Based on the risk status, the option title might be:

• At Risk Assets Count — Displays the number of assets on the ePolicy Orchestrator server that are At Risk.

• Not At Risk Assets Count — Displays the number of assets on the ePolicy Orchestrator server that are Not At Risk.

• Potentially At Risk Assets Count — Displays the number of assets on the ePolicy Orchestrator server that are Potentially At Risk.

Click a row of data Displays the Rolled-up Servers Details page.

Coverage State page

This page provides the list of ePolicy Orchestrator servers whose assets are Vulnerable, Not Vulnerable, Protected and Not Protected against a threat.

If risk of an asset cannot be determined, it is labeled as Insufficient Data.

To access this page, go to the Rolled-Up Threat Details page, then select an area on the Risk Details chart.

Option Definition

Server Name Displays the name of the ePolicy Orchestrator server.

Server Description Displays the description of the server.

Assets count Based on the vulnerability status, the option title might be:

• Vulnerable Assets Count — Displays the number of assets on the ePolicy Orchestrator server that are Vulnerable to the threat.

• Not Vulnerable Assets Count — Displays the number of assets on the ePolicy Orchestrator server that are Not Vulnerable to the threat.

• Protected Assets Count — Displays the number of assets on the ePolicy Orchestrator server that are Protected against the threat.

• Not Protected Assets Count — Displays the number of assets on the ePolicy Orchestrator server that are Not Protected against the threat.

Click a row of data Displays the Rolled-up Servers Details page.

Threat Action Status page

This page provides the list of ePolicy Orchestrator servers with their asset count for a specific action status against a threat.

To access this page, go to the Rolled-Up Threat Details page, then select an area on the Action Details chart.

Option Definition

Server Name Displays the name of the ePolicy Orchestrator server.

Server Description Displays the description of the server.


Option Definition

Assets count Based on the action status, the option title might be:

• Immediate Action Required Asset Count — Displays the number of assets on the ePolicy Orchestrator server that require an immediate action to mitigate the threat.

• Action Required But No Patch Available Asset Count — Displays the number of assets on the ePolicy Orchestrator server that require an immediate action to mitigate the threat but there is no patch available.

• Action Can Be Deferred Asset Count — Displays the number of assets on the ePolicy Orchestrator server for which the recommended action can be deferred.

• No Action Required Asset Count — Displays the number of assets on the ePolicy Orchestrator server that do not require any action to be performed.

• Not Applicable Asset Count — Displays the number of assets on the ePolicy Orchestrator server for which the threat is not applicable.

• Investigation Required Asset Count — Displays the number of assets on the ePolicy Orchestrator server for which the Vulnerability Detector and Countermeasure states are Insufficient Data and patch availability is not considered.

Click a row of data Displays the Rolled-up Servers Details page.

What-if Risk Analysis tab

What-if risk analysis reports help you analyze how risk metrics will change if additional countermeasures are installed.

Option Definition

Risk Score for Selected Assets

• Before Analysis — Displays the actual value of the risk score of the selected assets over all the threats.

• After Analysis — Displays the Risk Score derived by considering the additional countermeasures selected in what-if risk analysis.

Risk Category

• Before Analysis — Displays the Risk Category of the enterprise based on the actual Enterprise Risk Score: High, Medium, or Low.

• After Analysis — Displays the Risk Category of the enterprise based on the Enterprise Risk Score derived from what-if risk analysis: High, Medium, or Low.

Number of Threats to Mitigate

• Before Analysis — Displays the before analysis value of the number of threats to be protected against, which is equivalent to the number of threats applicable to assets.

• After Analysis — Displays the after analysis value of the number of threats to be protected against.

The potential of the selected countermeasure(s) can be determined by deducting the After Analysis value from the Before Analysis value.


Vulnerability-centric reports

You can view and drill down to vulnerability risk metrics reports from the Risk Advisor reports page.

Vulnerability Centric Report tab

This page provides the detailed list of vulnerabilities detected.

The information includes:

• Threats exploiting the vulnerability that can be covered by each countermeasure.

• Assets that are vulnerable or not vulnerable to the Vulnerability.

• Threats that can exploit the vulnerability.

Option Definition

Filter Filters the report based on:

• Vulnerability Detector: McAfee Vulnerability Manager or Policy Auditor SCAP.

Vulnerability Displays the ID of the vulnerability.

Description Displays the description about the vulnerability.

CVE References Displays the CVE references about the vulnerability, if available.

[Product Name] Threat Coverage

Displays the number of threats exploiting the vulnerability that can be covered by the countermeasure.

There are individual listings for each countermeasure product, such as Host Intrusion Prevention Threat Coverage, McAfee Network Security Platform Threat Coverage, McAfee Application Control Threat Coverage.

Vulnerable Assets Displays the number of assets that are vulnerable to the vulnerability.

Not Vulnerable Assets Displays the number of assets that are not vulnerable to the vulnerability.

Exploiting Threats Displays the number of assets that exploit the vulnerability.

Select a value in Vulnerable Assets Displays a list of assets that are vulnerable to the vulnerability.

Select a value in Not Vulnerable Assets Displays a list of assets that are not vulnerable to the vulnerability.

Select a value in Exploited Threats Displays a list of threats that can exploit the vulnerability.

Assets vulnerable to a vulnerability ID page

This page provides the detailed list of assets that are in Vulnerable or Insufficient Data state for a vulnerability.

Option Definition

System Name Displays the name of the asset.

IP Address Displays the IP address of the asset.

Managed State Displays whether the asset is managed by the ePolicy Orchestrator server.

Vulnerability Status Displays the vulnerability status of the asset.

Select a row of data Displays the countermeasure status of the asset for each threat that exploits the vulnerability.


Assets not vulnerable to a vulnerability ID page

This page provides the detailed list of assets that are not vulnerable to a vulnerability ID.

Option Definition

System Name Displays the name of the asset.

IP Address Displays the IP address of the asset.

Managed State Displays whether the asset is managed by the ePolicy Orchestrator server.

Vulnerability Status Displays the vulnerability status of the asset.

Select a row of data Displays the countermeasure status of the asset for each threat that exploits the vulnerability.

Threats that exploit a vulnerability page

This page provides the list of threats that exploit the vulnerability.

Option Definition

McAfee Threat ID Displays the McAfee ID associated with the threat.

Threat Name Displays the name of the threat.

Threat Risk Score Displays the average risk score of the threat over all applicable assets.

Max Risk Score Displays the maximum value of the risk score of this threat over all the impacting assets.

Patch Exists? Displays whether a patch is available for this threat.

Vulnerability Description Displays the description of the vulnerability.

Actions When selected, displays these actions:

• Add Note • Manage Reporting Groups

• Add to MRA Analysis Queue • Manage Tags

• Apply Tags • Mark Read

• Change Analysis Status • Mark Unread

• Export Data • Remove Tags

• Import Threats From File

Select a row of data Displays the Threat Details page.

Countermeasure-centric reports

You can view and drill down to countermeasure risk metrics reports from the Risk Advisor reports page.

Countermeasure Centric Report tab

This report gives detailed information on each countermeasure.

The information includes:

• Vulnerabilities that can be covered.

• Threats that can be mitigated.

• Assets that are protected or not protected.


Option Definition

Countermeasure Coverage Displays the name of the countermeasure product.

Vulnerability Coverage Displays the number of vulnerabilities that can be mitigated by the countermeasure.

Threat Coverage Displays the number of threats that can be mitigated by the countermeasure.

Protected Assets Displays the number of assets that are protected by the countermeasure.

Not Protected Assets Displays the number of assets that require protection by the countermeasure.

Select a value in Vulnerability Coverage

Displays a list of vulnerabilities that can be mitigated by the countermeasure, with the details including:

• Number of threats that can exploit the vulnerability

• The product that can detect the vulnerability

Select a value in Threat Coverage

Displays a list of threats that can be mitigated by the Countermeasure, with the details including:

• Threat Name

• Threat ID

• Number of assets that are At Risk against the threat

• Number of assets that are Not At Risk against the threat

• Number of vulnerabilities that can be exploited by the threat

Select a value in Protected Assets

Displays a list of assets that are protected by the countermeasure, with the details including:

• System Name

• IP Address

• Managed State

• Threats that are mitigated by the countermeasure

• Threats that are not mitigated by the countermeasure

Select a value in Not Protected Assets

Displays a list of assets that require protection by the countermeasure, with the details including:

• System Name

• IP Address

• Managed State

• Threats that are mitigated by the countermeasure

• Threats that are not mitigated by the countermeasure

Vulnerabilities that can be mitigated page

This page provides the detailed list of vulnerabilities that can be mitigated using a countermeasure.

Option Definition

Vulnerability Displays the ID of the vulnerability.

Exploiting Threats Displays the number of threats exploiting the vulnerability.

Product Name Displays the name of the product that detected the vulnerability.

Select a value in Exploiting Threats Displays information about the threats that can exploit the vulnerability.


Assets protected by countermeasure page

This page provides the detailed list of assets that are protected by the countermeasure.

Option Definition

System Name Displays the name of the asset.

IP Address Displays the IP address of the asset.

Managed State Displays whether the asset is managed by the ePolicy Orchestrator server.

Threats - Mitigated Displays the number of threats impacting the asset that have been mitigated.

Threats - Not Mitigated Displays the number of threats impacting the asset that have not been mitigated.

Asset Countermeasure Status Displays the protection status of the asset by the countermeasure.

Actions When selected, displays these actions:

• Add to MRA Analysis Queue • NSP Countermeasure Declaration

• Assign Criticality to Assets • NSP Countermeasure Removal

• Change Analysis Status • Override NSP Countermeasure Status

• Create Issue • Remove NSP Countermeasure Override

• Manage Reporting Groups

Assets not protected by countermeasure page

This page provides the detailed list of assets that are not protected by the countermeasure.

Option Definition

System Name Displays the name of the asset.

IP Address Displays the IP address of the asset.

Managed State Displays whether the asset is managed by the ePolicy Orchestrator server.

Threats - Mitigated Displays the number of threats impacting the asset that have been mitigated.

Threats - Not Mitigated Displays the number of threats impacting the asset that have not been mitigated.

Asset Countermeasure Status Displays the protection status of the asset by the countermeasure.

Actions When selected, displays these actions:

• Add to MRA Analysis Queue • NSP Countermeasure Declaration

• Assign Criticality to Assets • NSP Countermeasure Removal

• Change Analysis Status • Override NSP Countermeasure Status

• Create Issue • Remove NSP Countermeasure Override

• Manage Reporting Groups

Threats Coverage page

This page provides the detailed list of threats that can be mitigated by the countermeasure.

Option Definition

McAfee Threat ID Displays the McAfee ID associated with the threat.

Threat Name Displays the name of the threat.

At Risk Asset Count Displays the number of assets that are At Risk by the threat.

Not At Risk Asset Count Displays the number of assets that are Not At Risk by the threat.


Option Definition

Exploitable Vulnerabilities Displays the number of vulnerabilities that can be exploited by the threat.

Actions When selected, displays these actions:

• Add Note • Manage Reporting Groups

• Add to MRA Analysis Queue • Manage Tags

• Apply Tags • Mark Read

• Change Analysis Status • Mark Unread

• Export Data • Remove Tags

• Import Threats From File

Click a row of data Displays the Threat Details page.

Risk analysis exceptions

The Risk Analysis exceptions page provides information about the user-defined countermeasures and their declarations, and suppressions.

User Defined Countermeasures tab

This page allows you to view and manage user-defined countermeasures that are not configured for McAfee Risk Advisor data import but are protecting your assets.

Option Definition

Countermeasure Name Displays the name of the user-defined countermeasure.

Description Displays the notes added to the countermeasure.

Last Modified By Displays the ePolicy Orchestrator Login ID from which the countermeasure information was updated last.

Last Modified Date Displays the date when the countermeasure was updated last.

Countermeasure Declaration Displays the number of declarations associated with this countermeasure. A declaration provides information about the threats and assets to which the countermeasure is applicable.

Click a value under Countermeasure Declaration Displays the list of declarations for the countermeasure.

Actions When selected, displays these actions:

• Delete Countermeasures

• Edit Countermeasures

• New Countermeasures

Countermeasure Declarations tab

This page allows you to view and manage the declarations for the user-defined countermeasures. You can declare a user-defined countermeasure that's protecting a group of assets against a group of threats.

Option Definition

Name Displays the name of the countermeasure declaration.

Status Displays whether the declaration is Enabled or Disabled.

Reason Displays the reason for adding the declaration.


Option Definition

Countermeasure Name Displays the countermeasure to which the declaration is applicable.

Last Modified By Displays the ePolicy Orchestrator Login ID from which the declaration was updated last.

Last Modified Date Displays the date when the declaration was updated last.

Actions When selected, displays these actions:

• Declare Countermeasure • Edit Declaration

• Delete Declaration(s) • Enable Declaration(s)

• Disable Declaration(s)

Suppressions tab

This page allows you to view and manage the suppressions to temporarily ignore certain threat-asset combinations during analysis.

Option Definition

Name Displays the name of the suppression.

Description Displays the notes added to the suppression.

Status Displays the status of the suppression:

• In-effect — If the suppression is currently enabled.

• Upcoming — If the start date for the suppression is in near future.

• Expired — If the end date for the suppression has passed.

• Invalid — If the suppression is not valid.

Start Date Displays the date from which the suppression is in-effect.

End Date Displays the date to which the suppression is in-effect.

Actions When selected, displays these actions:

• Delete Suppression(s)

• Edit Suppression

• New Suppression

User Defined Countermeasure Details page

This page provides information about a user-defined countermeasure and the associated declarations.

Option Definition

Countermeasure Name Displays the name of the user-defined countermeasure.

Description Displays the notes added to the countermeasure.

Last Modified By Displays the ePolicy Orchestrator Login ID from which the countermeasure information was updated last.

Last Modified Date Displays the date when the countermeasure was updated last.


Option Definition

Countermeasure Declarations

Displays a list of declarations for the countermeasure, with these details:

• Name — Name of the declaration.

• Status — Whether enabled or disabled.

• Reason — Reason for adding the declaration.

• Last Modified By — ePolicy Orchestrator Login ID from which the declaration was updated last.

• Last Modified Date — Date on which the declaration was updated last.

Actions When clicked, displays these actions:

• Delete Countermeasure

• Edit Countermeasures

Countermeasure Declaration Details page

This page provides information about a countermeasure declaration for a user-defined countermeasure.

Option Definition

Name Displays the name of the countermeasure declaration.

Status Displays whether the declaration is Enabled or Disabled.

Reason Displays the reason for adding the declaration.

Countermeasure Displays the countermeasure to which the declaration is applicable.

Created Date Displays the date when the declaration was created.

Created By Displays the ePolicy Orchestrator Login ID from which the declaration was created.

Last Modified Date Displays the date when the declaration was updated last.

Last Modified By Displays the ePolicy Orchestrator Login ID from which the declaration was updated last.

Selection Criteria Displays the threat-asset combination criteria to which the user-defined countermeasure is applicable:

• System Criteria — The asset group or tags selected, and a link to the list of systems matching the criteria.

• Threat Criteria — The Threat tags selected, and a link to the list of threats matching the criteria.

Related Items Click Go to related User Defined Countermeasure to view the countermeasure to which the declaration is associated.

Actions When clicked, displays these actions:

• Delete Declaration(s)

• Disable Declaration(s)

• Edit Declaration

• Enable Declaration(s)


Suppression Details page

This page provides information about a suppression created to temporarily ignore certain threat-asset combinations during analysis.

Option Definition

Name Displays the name of the suppression.

Description Displays the notes added to the suppression.

Status Displays the status of the suppressions:

• In-effect — If the suppression is currently enabled.

• Upcoming — If the start date for the suppression is in the near future.

• Expired — If the end date for the suppression has passed.

• Invalid — If the suppression is not valid.

Effective period Displays the time period during which the suppression is in-effect.

Number of Days to Expire Displays the number of days left before the effective period for the suppression ends.

Created Date Displays the date when the suppression was created.

Created By Displays the ePolicy Orchestrator Login ID from which the suppression was created.

Last Modified Date Displays the date when the suppression was updated last.

Last Modified By Displays the ePolicy Orchestrator Login ID from which the suppression was updated last.

Selection Criteria Displays the threat-asset combination criteria to which the suppression is applicable. The information includes:

• System Criteria — The Asset group or tags selected, and a link to the list of systems matching the criteria.

• Threat Criteria — The Threat tags selected, and a link to the list of threats matching the criteria.

Actions When selected, displays these actions:

• Delete Suppression

• Edit Suppression
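The Status values listed on the Suppressions tab and the Number of Days to Expire shown on the Suppression Details page both follow from the suppression's effective period. The Python below is an added example, not code from this guide or from McAfee, that computes both from a start date and an end date and flags suppressions that are about to lapse. The Suppression record, the inclusive end date, the rule that a period ending before it starts is Invalid, and the seven-day warning threshold are assumptions made for the example.

```python
"""Constructed example: compute the Status and Number of Days to Expire that
the Suppressions tab and the Suppression Details page show, from a suppression's
effective period. The rules are an interpretation of the status descriptions in
this guide (In-effect, Upcoming, Expired, Invalid), not Risk Advisor's own code."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Suppression:
    name: str
    start: date    # Start Date: first day the suppression is in effect
    end: date      # End Date: last day the suppression is in effect (assumed inclusive)


def suppression_status(s: Suppression, today: date) -> str:
    """Status column. Assumption: an effective period that ends before it starts
    can never take effect and is reported as Invalid."""
    if s.end < s.start:
        return "Invalid"
    if today < s.start:
        return "Upcoming"
    if today > s.end:
        return "Expired"
    return "In-effect"


def days_to_expire(s: Suppression, today: date) -> int:
    """Number of Days to Expire: days left before the effective period ends,
    clamped at zero once the period has passed."""
    return max(0, (s.end - today).days)


def review_suppressions(suppressions, today: date, warn_days: int = 7):
    """Return one row per suppression: (name, status, days_left, expiring_soon).

    days_left is only meaningful for In-effect suppressions. expiring_soon flags
    the ones that lapse within warn_days, because once a suppression expires the
    suppressed threat-asset combinations come back into analysis and the risk
    scores jump unless the underlying exposure was actually remediated."""
    rows = []
    for s in suppressions:
        status = suppression_status(s, today)
        days = days_to_expire(s, today) if status == "In-effect" else None
        rows.append((s.name, status, days, status == "In-effect" and days <= warn_days))
    return rows


# Constructed sample, evaluated as of a fixed "today" so the output is reproducible.
TODAY = date(2012, 6, 15)
SAMPLE = [
    Suppression("June patch window", date(2012, 6, 10), date(2012, 6, 20)),
    Suppression("Q3 maintenance", date(2012, 7, 1), date(2012, 7, 15)),
    Suppression("Legacy app retirement", date(2012, 5, 1), date(2012, 5, 31)),
    Suppression("Mistyped dates", date(2012, 6, 30), date(2012, 6, 1)),
]

if __name__ == "__main__":
    for name, status, days, soon in review_suppressions(SAMPLE, TODAY):
        flag = " <- expires within 7 days" if soon else ""
        print(f"{name:24} {status:10} days left: {days}{flag}")
```

Running the review shortly before a suppression expires is the practical check: a suppression is a deliberate blind spot, and the Suppressed Assets and Suppressed Threats pages described next are where you confirm what that blind spot currently covers.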

Suppressed Assets page

This page provides the list of assets that were excluded from analysis due to suppression. This does not include the assets that are disabled.

Option Definition

System Name Displays the name of the asset.

Criticality Displays the level of criticality of the asset.

Asset Risk Score Displays the risk score of the asset against the threat.


Option Definition

Overall Action Status Displays the recommended action for the asset to address the threat.

Actions When selected, displays these actions:

• Add to MRA Analysis Queue • NSP Countermeasure Declaration

• Assign Criticality to Assets • NSP Countermeasure Removal

• Change Analysis Status • Override NSP Countermeasure Status

• Create Issue • Remove NSP Countermeasure Override

• Manage Reporting Groups

Suppressed Threats page

This page provides the list of threats that were excluded from analysis due to suppression. This does not include the threats that are disabled.

Option Definition

Threat Name Displays the name of the threat.

Threat Type Displays the type of the threat. For example, malware.

Basic Threat Score Displays the CVSS Base Score set by McAfee.

Analysis Status Displays whether the threat is Enabled or Disabled.

Vendor Displays the vendor affected by the threat.

Patch Exists? Displays whether a patch is available for the threat.

Actions When selected, displays these actions:

• Add Note • Manage Reporting Groups

• Add to MRA Analysis Queue • Manage Tags

• Apply Tags • Mark Read

• Change Analysis Status • Mark Unread

• Export Data • Remove Tags

• Import Threats From File

Reporting groups

Reporting groups allow you to perform selective threat and asset risk analysis. You can view the groups created and drill down to the Reporting Group Details page from the Reporting Groups page.

Reporting Groups management page

This page allows you to view and manage the reporting groups for selective threat and asset risk analysis.

Option Definition

Reporting Group Name Displays the name of the reporting group.

Status Displays whether the reporting group is valid.

Description Displays the notes added to the reporting group.

Total Assets Displays the total number of assets in the group. When clicked, displays the list of assets with their details.


Option Definition

Impacted Assets Displays the number of assets to which the threats in the group are applicable, and which are vulnerable to the threats. When clicked, displays the list of assets with their details.

Total Threats Displays the total number of threats in the group. When clicked, displays the list of threats with their details.

Impacting Threats Displays the number of threats that are applicable to the assets in the group, and to which the assets are vulnerable. When clicked, displays the list of threats with their details.

Consolidated Risk Score Displays the Consolidated Risk Score of all the assets over all the threats in the reporting group.

Actions When selected, displays these actions:

• Delete Reporting Group

• Edit Reporting Group

• New Reporting Group

• Run Reporting Group Analysis

Reporting Group Details page

This page provides the detailed information about a reporting group.

Option Definition

Reporting Group Name Displays the name of the reporting group.

Status Displays whether the reporting group is valid.

Description Displays the notes added to the reporting group.

Selection Criteria Displays the threat-asset combination criteria selected for the reporting group, including:

• System Criteria — Asset tags, and a link to the list of enabled systems matching the criteria.

• Threat Criteria — Threat tags, and a link to the list of enabled threats matching the criteria.

Last Modified Date Displays the date and the time at which the report was last modified.


Option Definition

Risk Metrics Displays the risk metrics information about the reporting group such as:

• Total Assets — Displays the total number of assets in the group.

• Impacted Assets — Displays the number of assets to which the threats in the group are applicable, and which are vulnerable to the threats.

• Total Threats — Displays the total number of threats in the group.

• Impacting Threats — Displays the number of threats that are applicable to the assets in the group, and to which the assets are vulnerable.

• Consolidated Risk Score — Displays the consolidated risk score of all the assets over all the threats in the reporting group.

Click a value to view the list of threats or assets that matched the criteria.

Actions When selected, displays these actions:

• Delete Reporting Groups

• Edit Reporting Group
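The four count metrics of a reporting group (Total Assets, Impacted Assets, Total Threats, Impacting Threats) are set-based: first the System Criteria and Threat Criteria select enabled assets and threats by tag, then only vulnerable asset-threat pairs inside that selection are counted. The Python below is an added example, not code from this guide or from McAfee, that carries that evaluation through on a constructed inventory. The Asset, Threat and ReportingGroup records, the rule that a system must carry every selected tag, and the flat set of vulnerable (asset, threat) pairs are assumptions made for the example; the Consolidated Risk Score is not computed because the guide does not define its formula.

```python
"""Constructed example: apply a reporting group's selection criteria (asset tags
and threat tags, enabled items only) and compute the Total Assets, Impacted
Assets, Total Threats and Impacting Threats metrics shown on the Reporting Group
Details page. The "asset must carry every selected tag" matching rule and the
flat vulnerability matrix are assumptions made for this example, not Risk
Advisor's implementation."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    tags: frozenset
    enabled: bool = True


@dataclass(frozen=True)
class Threat:
    threat_id: str
    tags: frozenset
    enabled: bool = True


@dataclass(frozen=True)
class ReportingGroup:
    name: str
    asset_tags: frozenset    # System Criteria
    threat_tags: frozenset   # Threat Criteria


def select_assets(group, assets):
    """Enabled systems matching the System Criteria (all selected tags present)."""
    return [a for a in assets if a.enabled and group.asset_tags <= a.tags]


def select_threats(group, threats):
    """Enabled threats matching the Threat Criteria (all selected tags present)."""
    return [t for t in threats if t.enabled and group.threat_tags <= t.tags]


def group_metrics(group, assets, threats, vulnerable_pairs):
    """Risk metrics for the group.

    vulnerable_pairs is the set of (asset name, threat id) pairs where the threat
    applies to the asset and the asset is vulnerable to it; only pairs inside the
    group's own asset and threat selection count towards the Impacted/Impacting
    figures."""
    sel_assets = {a.name for a in select_assets(group, assets)}
    sel_threats = {t.threat_id for t in select_threats(group, threats)}
    pairs = {(a, t) for (a, t) in vulnerable_pairs if a in sel_assets and t in sel_threats}
    return {
        "Total Assets": len(sel_assets),
        "Impacted Assets": len({a for a, _ in pairs}),
        "Total Threats": len(sel_threats),
        "Impacting Threats": len({t for _, t in pairs}),
    }


# Constructed sample inventory.
ASSETS = [
    Asset("ws-001", frozenset({"windows", "finance"})),
    Asset("ws-002", frozenset({"windows", "finance"})),
    Asset("db-001", frozenset({"linux", "finance"})),
    Asset("ws-099", frozenset({"windows", "finance"}), enabled=False),  # disabled system
]
THREATS = [
    Threat("T-1", frozenset({"windows"})),
    Threat("T-2", frozenset({"windows"})),
    Threat("T-3", frozenset({"linux"})),
]
VULNERABLE = {("ws-001", "T-1"), ("ws-001", "T-3"), ("db-001", "T-3"), ("ws-099", "T-2")}
FINANCE_WINDOWS = ReportingGroup("Finance Windows", frozenset({"finance", "windows"}), frozenset({"windows"}))

if __name__ == "__main__":
    for metric, value in group_metrics(FINANCE_WINDOWS, ASSETS, THREATS, VULNERABLE).items():
        print(f"{metric}: {value}")
```

Note how the disabled system ws-099 and the Linux-only threat T-3 drop out even though both have vulnerable pairs recorded: a reporting group reports only on the slice its criteria select, which is what makes it useful for scoping an analysis and also what you must keep in mind when reading its counts as a measure of overall exposure.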


10 Frequently asked questions

Here are answers to frequently asked questions.

Product overview

Does McAfee Risk Advisor protect systems on its own as any other security product?

No, McAfee Risk Advisor doesn't perform any action on its own. It's an analytics tool thatimports data from managed security products, generates reports about the potentialvulnerabilities on your network, and recommends and prioritizes what you need to do to addressthem.

How McAfee Risk Advisor calculates risk?

McAfee Risk Advisor uses both qualitative and quantitative approaches to describe the nature ofthe risk and numerical values, respectively. It uses certain risk metrics to determine risk scoresof each asset and threat, and then performs analytics to calculate the overall risk posture atasset, threat, and enterprise level.

Installation

What are the system requirements to install McAfee Risk Advisor 2.7? How different arethey from ePolicy Orchestrator requirements?

McAfee Risk Advisor 2.7 works on the ePolicy Orchestrator framework and supports all operatingsystems, browsers, databases, and virtualization platforms supported by ePolicy Orchestratorversions 4.5 and 4.6. However, you need to make sure that your system meets the upgrade,rollup, and database requirements. See System Requirements for details.

Can I configure data import from a product that I didn't select during installation?

Yes, you can also configure your data imports after installation. Rerun the McAfee Risk Advisor installation program and select all the products and services that you want.

Can I use McAfee Risk Advisor without an Internet connection?

Yes, you can download a .zip file containing threat updates from the McAfee Threat Intelligence website and import threat updates from the file to McAfee Risk Advisor.


A Appendix

Here are a few additional tasks for use-case scenarios.

Contents

Identify critical systems that are vulnerable
Determine risk metrics for a set of threats and assets
Exclude a set of threats from analysis temporarily
Specify countermeasure protection for a set of assets

Identify critical systems that are vulnerable

You can perform this task by running the MRA: Overall Threat Asset Coverage query with the Criticality and Vulnerability Detector Status filters.

Before you begin

Identify the systems that are most critical to your organization.

Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, assign the criticality level Most Critical to the critical systems identified.

a Go to the System Tree, then select the assets.

b Click Actions | Risk Advisor | Assign Criticality to Assets, select Most Critical, then click OK.

2 Go to Queries & Reports, then select Risk Advisor from the groups.

3 Select MRA: Overall Threat Asset Coverage query, then click Actions | Duplicate.

4 Select the duplicate query, click Actions | Edit.

5 Make necessary changes in the Chart screen, if needed, and click Next.

6 Make necessary changes in the Columns screen, if needed, and click Next.

7 From the Available Properties, select Criticality as Most Critical and Vulnerability Detector Status as Vulnerable, then run the query.

A monitor displaying the number of systems that are Most Critical and Vulnerable appears. Select an area of the pie chart to get the list of the systems.


Determine risk metrics for a set of threats and assets

Reporting groups provide the ability to generate reports for selected threats based on threat tags, and systems based on groups or asset tags.

Before you begin

You need to create asset groups or tags and threat tags and apply them according to your organization's needs before creating reporting groups.

Imagine a scenario in which you want to determine the risk metrics for "Aurora" threats against a set of desktop machines. You can perform this task by creating a reporting group.

Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, click Menu | Risk & Compliance | Reporting Groups.

2 Click Actions | Risk Advisor | New Reporting Group, type a name and a description (if required), then click Next.

3 Select the asset group or tag (Desktop) and the threat tag (Aurora), then click Next.

4 Review the summary, then click Save.

5 Run the MRA: Reporting Group Analysis task.

6 Once the task completes, go to the Reporting Groups page to view the results.

The risk metrics are calculated only for the assets and threats defined in the reporting group.

Exclude a set of threats from analysis temporarily

Suppression is the ability to exclude selected threats, based on threat tags, and systems, based on asset groups or asset tags, from analysis.

Before you begin

You need to create asset groups or tags and threat tags and apply them per your requirements before configuring Risk Analysis Exceptions.

Imagine a scenario in which you want to suppress the Microsoft Patch Tuesday threats from risk analysis for a period of time and analyze the rest of the threats on the enterprise servers. You can perform this task by creating a suppression to selectively exclude the recent Microsoft Patch Tuesday threats from being analyzed against enterprise servers.

Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, click Menu | Risk & Compliance | Risk Analysis Exceptions, then click the Suppressions tab.

2 Click New Suppression, then type a name and a short description explaining the reason for creating the suppression (it's a mandatory field).

3 Select Start and End date for the suppression to be effective, then click Next.

4 Select the asset group or tag (Servers) and the threat tag (Patch Tuesday(McAfee)), then click Next.


5 Review the Summary, then click Save.

6 Run the MRA: Threat Download and Analysis task.

The suppressed assets and threats are excluded from analysis.

Specify countermeasure protection for a set of assets

You might have implemented countermeasure products that are not integrated with McAfee Risk Advisor. For more accurate analysis, add these products as user-defined countermeasures and specify a set of assets that are protected by them.

Imagine a scenario in which you have McAfee® Firewall Enterprise with an active policy protecting your endpoint machines. You can add this as a user-defined countermeasure and declare the set of endpoints as protected.

Task

For option definitions, click ? in the interface.

1 In the ePolicy Orchestrator console, click Menu | Risk & Compliance | Risk Analysis Exceptions, then click the User Defined Countermeasures tab.

2 Click New Countermeasure, then type a name (for example, Firewall) and description, and then click Save.

3 Click the Countermeasure Declarations tab to declare the countermeasure against threat-asset combinations.

4 Click Declare Countermeasure, then type a name (for example, Declare Firewall), select the countermeasure from the list, type the reason for the declaration, and then click Next.

5 Select the asset groups or tags and threat tags that should be included as part of the user-defined countermeasure (by default, all assets and threats are selected), then click Next.

6 Review the summary, then click Save.

7 Run the MRA: Threat Download and Analysis task.

The selected assets are considered protected against the selected threats in analysis.
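The three appendix tasks above (reporting groups, suppressions with a Start/End window, and user-defined countermeasure declarations) all change which asset/threat pairs the analysis counts, and the Reporting Groups page then reports Impacted Assets, Total Threats and Impacting Threats for each group. The following Python model is an added illustration, not McAfee's code or its actual scoring algorithm; it assumes a simplified matching rule (a threat impacts an asset when a detector flagged the asset vulnerable and no suppression or declaration covers the pair), uses constructed sample assets and threats, and shows a suppression lapsing after its End date:

```python
from collections import namedtuple
from datetime import date

# Toy model of the objects used in the appendix tasks (added example, not McAfee's code or algorithm).
Asset = namedtuple("Asset", "name tags vulnerable_to")   # tags: asset groups/tags; vulnerable_to: threat names
Threat = namedtuple("Threat", "name tags")                # tags: threat tags
Suppression = namedtuple("Suppression", "asset_tag threat_tag start end")  # Start/End dates are inclusive
Declaration = namedtuple("Declaration", "asset_tags threat_tags")          # empty set = all (the task's default)

def excluded(asset, threat, suppressions, declarations, today):
    """True if the asset/threat pair is suppressed on 'today' or covered by a declared countermeasure."""
    for s in suppressions:
        # a suppression only removes the pair inside its date window; after End it counts again
        if s.asset_tag in asset.tags and s.threat_tag in threat.tags and s.start <= today <= s.end:
            return True
    for d in declarations:
        if (not d.asset_tags or d.asset_tags & asset.tags) and (not d.threat_tags or d.threat_tags & threat.tags):
            return True
    return False

def reporting_group_metrics(assets, threats, asset_tag, threat_tag,
                            suppressions=(), declarations=(), today=None):
    """(Impacted Assets, Total Threats, Impacting Threats) for one reporting group. Assumed rule: a threat
    impacts an asset when the detector flagged it vulnerable and the pair is neither suppressed nor protected."""
    today = today or date.today()
    group_assets = [a for a in assets if asset_tag in a.tags]
    group_threats = [t for t in threats if threat_tag in t.tags]
    impacted, impacting = set(), set()
    for a in group_assets:
        for t in group_threats:
            if t.name in a.vulnerable_to and not excluded(a, t, suppressions, declarations, today):
                impacted.add(a.name)
                impacting.add(t.name)
    return len(impacted), len(group_threats), len(impacting)

# Constructed sample data: two servers, one desktop, two Patch Tuesday threats, one Aurora threat.
ASSETS = [Asset("srv1", {"Servers"}, {"PT-threat-1", "Aurora-threat-1"}),
          Asset("srv2", {"Servers"}, {"PT-threat-2"}),
          Asset("desk1", {"Desktop"}, {"Aurora-threat-1"})]
THREATS = [Threat("PT-threat-1", {"Patch Tuesday(McAfee)"}),
           Threat("PT-threat-2", {"Patch Tuesday(McAfee)"}),
           Threat("Aurora-threat-1", {"Aurora"})]
PATCH_TUESDAY_SUPPRESSION = Suppression("Servers", "Patch Tuesday(McAfee)", date(2012, 1, 10), date(2012, 1, 31))
FIREWALL_DECLARATION = Declaration(set(), {"Aurora"})   # every asset, only Aurora-tagged threats
DURING_WINDOW, AFTER_WINDOW = date(2012, 1, 15), date(2012, 2, 15)
if __name__ == "__main__":
    group = ("Servers", "Patch Tuesday(McAfee)")
    print(reporting_group_metrics(ASSETS, THREATS, *group, [PATCH_TUESDAY_SUPPRESSION], today=DURING_WINDOW))  # (0, 2, 0)
    print(reporting_group_metrics(ASSETS, THREATS, *group, [PATCH_TUESDAY_SUPPRESSION], today=AFTER_WINDOW))   # (2, 2, 2)
```

Because the Patch Tuesday suppression has an End date, the two servers reappear as impacted once the window closes, which is the reason the task is described as excluding threats only temporarily.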


Index

A

about this guide 7
advanced filters
  asset data filters 100
  threat data filters 101
analysis queue 75
analysis status
  assets 39
  threats 48
application awareness
  agent data, collecting on demand 26
  agent data, scheduling collection 25
  agent deployment, testing 25
  application inventory agent, deploying 24
  configuring 24
  enabling or disabling 65
  permission set 31
asset criticality
  labels, defining 33
  levels, assigning 34
asset management
  analysis status, changing 39
  asset criticality 33
  asset issues, creating 39
  Network Security Platform policy declaration 35
  risk category labels, defining 38
asset risk category
  labels, defining 38
automatic responses
  predefined actions 61
  predefined event groups 59

C

configuration
  Application Inventory agent updates 24
  Network Security Platform updates 21
  permission sets, assigning 30
  rollup reporting 29
  Threat Intelligence Service updates 26
  threat localization, enabling 31
  Vulnerability Manager updates 24
conventions and icons used in this guide 7
countermeasure declaration
  creating 67
  deleting 69
  enabling or disabling 68
  modifying 68
  report 136
countermeasures, supported products 10

D

dashboards
  Rollup Risk Advisory Dashboard 87
  Security Bulletin Dashboard 90
  Threat Action Advisory Dashboard 84
  Threat Dashboard 80
data analysis
  data integrity 52
  data reconciliation 52
data import
  Application Inventory agent 24
  extension, modifying 19
  Network Security Platform 21
  supported products 10
  Threat Intelligence Service 26
  Vulnerability Manager 24
documentation
  audience for this guide 7
  product-specific, finding 8
  typographical conventions and icons 7

E

enterprise risk category labels, defining 76
extension
  installing 17
  modifying 19
  removing 32
  verifying 19

F

frequently asked questions 143


I

installation
  data import extensions 19
  licenses 17
  online help 18
  product extension 17
  system requirements 15, 16
  verifying 19
introduction
  data sources 10
  high-level architecture 11
  how Risk Advisor works 11
  overview 9
  product components 11
  product features 9

M

McAfee ServicePortal, accessing 8
monitors, Rollup Risk Advisory Dashboard
  Overall Asset Action Status 88
  Overall Asset Coverage Summary 88
  Overall Enterprise Risk Score Trend 89
  Overall Enterprise Risk Status 88
  Server Risk Score Trend 87
  Top 10 Threats Across Servers 89
monitors, Security Bulletin Dashboard
  Assets at Risk from Patch Tuesday Threats by Criticality 91
  Assets at Risk from Patch Tuesday Threats by System Group 91
  Microsoft Patch Tuesday Threats Trend 90
  Risk Score for System Groups across Patch Tuesday Threats 90
monitors, Threat Action Advisory Dashboard
  Action Required Assets By Asset Criticality 86
  Investigation Required Assets By Asset Criticality 87
  Overall Asset Action Status 85
  Threats with Available Patches 84
monitors, Threat Dashboard
  Most Recent Threats 80
  Overall Asset Coverage Summary 83
  Product Threat Protection 82
  Threats By Vendor 81
  Top 10 Assets by Risk Score 82
  Top 10 Threats by Risk Score 82

N

Network Security Platform
  countermeasure declaration, overriding 37
  countermeasure override, removing 37
  data, importing 22
  data, purging 23
  policies, declaring 35
  policy declaration, removing 36
  server, registering 21

P

permission sets
  application inventory 31
  Risk Advisor users 30
  rollup reporting 31

Q

queries
  custom 95
  predefined 92

R

reporting groups
  analysis task 73
  creating 72
  deleting 73
  limit, specifying 71
  management page 140
  modifying 72
  overview 71
reports
  Actionable Threats Count 124
  advanced filters 100
  Assets Having Maximum Risk Score 119
  Assets Impacted 120
  Assets not protected by countermeasure 135
  Assets not vulnerable to a vulnerability 133
  Assets protected by countermeasure 135
  Assets vulnerable to a vulnerability 132
  Countermeasure Centric Report 133
  Countermeasure Declaration Details 138
  Countermeasure Declarations 136
  Coverage State 130
  CVSS information 112
  How Am I At Risk 117
  Impacting Threats 122
  navigation 97
  No Action Required Threats Count 124
  Reporting Group Details 141
  Reporting Groups 140
  Rolled up Servers Details 127
  Rolled up Threat Details 128
  Rolled-Up Risk Metrics 125
  Server Risk Metrics 104
  Summary State 129
  Suppressed Assets 139
  Suppressed Threats 140
  Suppression Details 139
  Suppressions 137
  System Details 106
  Threat Action Status 130
  Threat Asset Coverage 114
  Threat Asset Coverage Details 116
  Threat Details 109
  Threats 108
  Threats Coverage 135
  Threats Having Maximum Risk Score 121
  Threats that exploit a vulnerability 133
  User Defined Countermeasure Details 137
  User Defined Countermeasures 136
  Vulnerabilities that can be mitigated by countermeasure 134
  Vulnerability Centric Report 132
  What Threat Actions Required 123
  what-if risk analysis 131
  Where Am I At Risk 118
risk analysis exceptions 66
risk assessment
  default analysis task 28
  how data is analyzed 49
  how risk is determined 52
  how threat action is determined 57
  Risk Advisor actions 57
  risk metrics 54
rollup reporting
  analysis task 74
  data, purging 74
  permission set 31
  rolled up risk metrics 125
  servers, registering 29
  supported Risk Advisor versions 15
  supported servers 15

S

server registration
  Network Security Platform 21
  rollup reporting 29
server settings
  asset criticality labels 33
  asset risk category 38
  enterprise risk category 76
  reporting groups limit, specifying 71
  threat feed 26
server tasks
  Create Risk Advisor Asset Issue 40
  import and analysis, separating 50
  MRA Rollup:Purge Rolled-Up Data 74
  MRA Rollup:Roll Up Risk Advisor Data 74
  MRA Threat Download and Analysis 49
  MRA:Reporting Group Analysis 73
  MRA:Threat Download and Analysis 28
  Network Security Platform Alert Data Purge 23
  Network Security Platform Data Import 22
  predefined actions 61
  predefined subactions 64
ServicePortal, finding product documentation 8
supported products 10
suppressions
  creating 69
  deleting 70
  modifying 70
  report 137
system requirements
  licenses 17
  supported product versions 16

T

task management
  automatic responses 59
  server tasks 61
Technical Support, finding product information 8
threat feed
  updates, downloading automatically 26
  updates, importing from file 27
threat management
  analysis status, changing 48
  notes 43
  read status 45
  threat tags 46
threat notes
  adding 43
  deleting 44
  modifying 44
threat tags
  applying 47
  creating 46
  deleting 47
  modifying 46
  removing 48

U

updates
  Application Inventory agent 24
  Network Security Platform 21
  Threat Intelligence Service 26
  Vulnerability Manager 24
user permissions
  overview 29
  permission sets, assigning 30
user-defined countermeasures
  adding 66
  declaring 67
  deleting 67
  modifying 67
  report 136

V

vulnerabilities, supported detectors 10


W

what-if risk analysis 74, 131
