Security Information and Event Management (SIEM) Orchestration
How McAfee® Enterprise Security Manager drives action, automates remediation, and optimizes incident response
Michael Leland, Senior SIEM Enterprise Architect, McAfee


Guide

2

SIEM Orchestration

Table of Contents

Introduction 3

Orchestration Triggers 4

Orchestrating Action 5

McAfee ePolicy Orchestrator (McAfee ePO) Software 5

Reporting on Suspicious Systems 5

Practical Example: Flagging Suspicious Systems for Follow-Up 6

Dynamic McAfee ePO Software Policy Changes 8

Trigger McAfee ePO Software Client Task Execution 9

Practical Example: Quarantine and Remediation of a Compromised System 9

McAfee ePO Software Configuration 13

McAfee Network Security Platform 14

Configuring McAfee Network Security Platform 15

Practical Example: Behavior-Based Blacklisting 16

McAfee Threat Intelligence Exchange 18

Configuring McAfee Threat Intelligence Exchange 19

Practical Example: Finding Systems that Have Executed a Malicious File 20

Orchestrating Actions with Other Tools 23

Configuring Scripting 23

Cyber Threat Manager 24

Practical Example: Using Backtrace to Report Systems Identified as Having IOCs within McAfee ePO Software 24

Other Examples 27

Summary 28

Next Steps 28

About McAfee 28


Introduction

Over the last two decades, security information and event management (SIEM) adoption has increased dramatically, driven largely by complex and demanding compliance requirements such as Payment Card Industry Data Security Standard (PCI DSS) and Sarbanes–Oxley (SOX), as well as the needs of incident response teams for threat management. As adoption increased, enterprises quickly realized the value of the SIEM in providing and leveraging “threat intelligence”—giving visibility into known threats occurring around the world and the ability to identify and track potential threats as they occur. This situational awareness allows enterprises to detect attacks sooner, and, as a result, take action to minimize the impact of today’s advanced threats.

Times change. Today’s exploits are executed in a matter of hours or less. However, according to the Ponemon 2015 Cost of Cyber Crime study, the average time to resolve a cyberattack is 46 days.[1]

Figure 1. Attacks and losses happen in minutes and hours. Response takes days and weeks.

This slow response is driven largely by processes and tools that have not kept up with the rapid acceleration in attack speed. Attack responses often are loosely coordinated affairs, requiring the cooperation of multiple teams across the enterprise. Efforts follow manual workflows that require human intervention at multiple steps along the way. If there is to be any hope of stopping intrusions before the damage is done, we must find ways to optimize and automate these processes as much as possible.

A similar evolution occurred in the network intrusion detection system (NIDS) space in the early 2000s. At that time, NIDS were well-established methods of identifying network attacks, based largely on attack signatures. As detection methodologies improved, administrators realized that it was feasible to rely on these tools to make policy enforcement decisions and actually block known attacks. Then network intrusion prevention systems (NIPS) came into being. While not a silver bullet, NIPS significantly raised the bar for an attacker to execute a successful attack.

Ten years later, SIEM is at the same crossroads. No longer is it sufficient to simply detect threats to our networks. SIEM can be used not just to improve situational awareness, but also as a platform to orchestrate responses and to stop attacks well before they become breaches.

This document begins by outlining the kinds of activities that are well suited to orchestration. Following this, we’ll take a deep look at McAfee® Enterprise Security Manager, the McAfee SIEM solution, and examine how it works as part of the McAfee platform to optimize incident response processes.


Orchestration Triggers

The first step in effectively responding to an attack is identifying triggers that will begin the process. The best triggers clearly describe a suspicious or malicious behavior with enough precision that the reaction to it is clear. Triggers must also be highly accurate and offer integrated threat intelligence if they are to be relied upon for automated responses. Below are a few examples.

• Anti-social behaviors: Most enterprises will see activities coming from within or outside their networks that, while not immediately alarming, are clearly not related to their business. Often these behaviors are the precursors to an actual attack.

  o Password guessing: High volumes of incorrect passwords are indicators of automated tools used by attackers to attempt to guess user credentials.

  o Network reconnaissance: Host scans, port scans, and similar activities are equivalent to jiggling the doorknob of a house to see if it’s locked. This kind of activity should only originate from trusted, authorized sources, such as your own vulnerability scanners.

  o Application reconnaissance: Attackers will often begin a campaign with a series of probes designed to understand the attack surface of their target. This activity may be seen in application logs as high volumes of requests from a host, often for resources that do not exist.

• Threat intelligence: This provides a real-time understanding of the world outside—threat data, reputation feeds, and vulnerability status—as well as a view of the systems, data, risks, and activities inside your enterprise. It is a critical tool that prevents security teams from overlooking indicators of compromise (IOCs) and is effective for incident investigations and remediation.

These activities happen so frequently in most organizations that it is not feasible for human analysts to follow up on each one. As a result, the records of these activities become fodder for regular executive rollup reports or perhaps part of the evidence chain uncovered while investigating a breach. However, an effective SIEM platform can take appropriate actions in response to these behaviors and stop attacks at their earliest stages. In today’s ever-evolving threat landscape, McAfee Enterprise Security Manager enables rapid response to emerging threats.

• Signs of malware infection: Fighting malware is a daily part of any enterprise security professional’s job. Most malware is detected and dealt with efficiently by implementing technologies at the endpoint (such as McAfee Endpoint Protection Suites) and malware detection in network devices, network intrusion prevention systems (McAfee Network Security Platform), web protection gateways (McAfee Web Gateway), and advanced threat protection appliances (McAfee Advanced Threat Defense). However, when especially targeted or evasive malware does get around these defenses, it can be difficult to detect and eradicate. Signs of malware infection include:

  o Alerts and blocking based on intrusion prevention system (IPS) events: Most IPS products include signatures designed to identify traffic associated with botnet command-and-control networks, and similar behaviors.

  o Communication with suspicious hosts: Many IPS and SIEM solutions today incorporate geolocation, reputation feeds, and other contextual feeds that allow enterprises to track known malicious hosts and communication patterns within the enterprise. Internal hosts seen to be communicating with suspect hosts in other parts of the world merit additional follow-up, as these activities are indicators of infected hosts.

  o DNS requests: DNS requests for resolution of domain names that are associated with known purveyors of malware are clear signs of infection.

  o Indicators of compromise: IOCs provide details of a potential threat within the environment in a standard format. The SIEM can use this information to detect whether those indicators have been seen in the past, as well as keep an eye on them in the future.

• Anomalous behaviors: In any network there are unexplained, outlier behaviors that can be valuable signs of systems that have been subverted or are otherwise not being used for their intended purpose.

  o NetFlow volumes and patterns: NetFlow records provide useful metadata about what systems are communicating, and how much, in the enterprise. While individual NetFlow records may provide little useful information, over time NetFlow records can be aggregated to establish a unique fingerprint that identifies how and when a system (or a class of systems) communicates. Deviations from this baseline can provide useful IOCs.

  o Suspicious network traffic: Tools like McAfee Network Threat Behavior Analysis (used with the McAfee Network Security Platform) collect and analyze traffic from the entire network—hosts and applications—to detect unusual behavior resulting from worms, botnets, zero-day threats, spam, and reconnaissance attacks.
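The three anti-social triggers above (password guessing, network reconnaissance, application reconnaissance) reduce to the same shape: count something per source host inside a sliding window and fire when the count exceeds a baseline. The following Python is an added example written for this guide, not McAfee Enterprise Security Manager code or rule syntax. It parses a handful of constructed log lines in assumed formats (SSH authentication failures, firewall connection records, web server access records), applies a threshold per trigger, and returns the hosts that tripped each one. The host addresses, log formats, thresholds and window are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Three log formats a SIEM might collect, reduced to simple regexes. The formats are
# assumptions made for this example, not McAfee ESM parser definitions.
PATTERNS = {
    "auth_fail": re.compile(r"^(?P<ts>\S+) sshd: Failed password for (?P<user>\S+) from (?P<src>\S+)"),
    "conn":      re.compile(r"^(?P<ts>\S+) fw: (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>\w+)"),
    "http":      re.compile(r'^(?P<ts>\S+) web: (?P<src>\S+) "(?P<req>[^"]*)" (?P<status>\d{3})'),
}


def _ts(minute, second=0):
    return f"2016-03-01T10:{minute:02d}:{second:02d}"


# Constructed sample log lines (not real data) covering all three triggers.
SAMPLE_LOGS = (
    # 10.1.1.50 hammers root over SSH: 6 failures in 50 seconds -> password guessing
    [f"{_ts(0, s)} sshd: Failed password for root from 10.1.1.50 port 5{s:04d} ssh2" for s in range(0, 60, 10)]
    # 10.1.1.77 mistypes a password twice -> below threshold, no trigger
    + [f"{_ts(1, s)} sshd: Failed password for alice from 10.1.1.77 port 40001 ssh2" for s in (5, 20)]
    # 192.0.2.9 touches 12 ports on one host in 12 seconds -> network reconnaissance
    + [f"{_ts(2, s)} fw: 192.0.2.9 -> 10.1.1.10:{port} DENY" for s, port in enumerate(range(20, 32))]
    # 10.1.1.20 uses two ordinary services -> no trigger
    + [f"{_ts(3, 0)} fw: 10.1.1.20 -> 10.1.1.10:443 ALLOW", f"{_ts(3, 1)} fw: 10.1.1.20 -> 10.1.1.11:25 ALLOW"]
    # 198.51.100.4 probes for resources that do not exist: 9 x 404 -> application reconnaissance
    + [f'{_ts(4, s)} web: 198.51.100.4 "GET /{p} HTTP/1.1" 404'
       for s, p in enumerate(["admin.php", "wp-login.php", "phpmyadmin", "backup.zip", ".env",
                              ".git/config", "cgi-bin/test", "config.bak", "shell.php"])]
    + [f'{_ts(5, 0)} web: 10.1.1.30 "GET /index.html HTTP/1.1" 200']
)


def parse(lines):
    """Normalize raw lines into (kind, fields) pairs; lines that match no pattern are skipped."""
    events = []
    for line in lines:
        for kind, pattern in PATTERNS.items():
            match = pattern.match(line)
            if match:
                fields = match.groupdict()
                fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%S")
                events.append((kind, fields))
                break
    return events


def _over_threshold(items, window, threshold, distinct=False):
    """items: (timestamp, value) pairs for one source host. True if some window of length
    `window` contains at least `threshold` values (distinct values when distinct=True)."""
    items = sorted(items, key=lambda item: item[0])
    for i, (start, _) in enumerate(items):
        in_window = [value for t, value in items[i:] if t - start <= window]
        count = len(set(in_window)) if distinct else len(in_window)
        if count >= threshold:
            return True
    return False


def evaluate_triggers(lines, window=timedelta(minutes=5), guess_threshold=5,
                      scan_threshold=10, recon_threshold=8):
    """Return {trigger_name: sorted source hosts} for the three anti-social behaviors.
    Thresholds and the window are tuning assumptions; derive them from your own baselines."""
    by_src = {name: defaultdict(list) for name in
              ("password_guessing", "network_reconnaissance", "application_reconnaissance")}
    for kind, e in parse(lines):
        if kind == "auth_fail":
            by_src["password_guessing"][e["src"]].append((e["ts"], e["user"]))
        elif kind == "conn":
            # distinct (host, port) targets, so heavy traffic to one service is not a scan
            by_src["network_reconnaissance"][e["src"]].append((e["ts"], (e["dst"], e["dport"])))
        elif kind == "http" and e["status"] == "404":
            by_src["application_reconnaissance"][e["src"]].append((e["ts"], e["req"]))
    checks = {"password_guessing": (guess_threshold, False),
              "network_reconnaissance": (scan_threshold, True),
              "application_reconnaissance": (recon_threshold, False)}
    return {name: sorted(src for src, items in by_src[name].items()
                         if _over_threshold(items, window, threshold, distinct))
            for name, (threshold, distinct) in checks.items()}


if __name__ == "__main__":
    for name, sources in evaluate_triggers(SAMPLE_LOGS).items():
        print(f"{name}: {sources or 'none'}")
```

The network-reconnaissance check counts distinct (host, port) targets rather than raw connections, so a busy client of a single service does not look like a scanner. The thresholds are the part that must be tuned against your own baseline before any of these triggers is allowed to drive an automated action rather than a report.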


While most enterprises strive to investigate these types of events, the sheer volume can quickly become overwhelming to incident responders. Even running a simple malware scan on a likely infected host may take hours or days to get scheduled, depending on the organization’s operational maturity. All the while, the malware is free to execute the attacker’s payload—perhaps exfiltrating data—or it is free to spread more deeply into the enterprise. What’s needed is a simple, automated method to stop attacks as soon as they are detected. Freezing the attack gives responders breathing room to investigate the scope and take advanced remediation steps as needed.

Orchestrating Action

McAfee Enterprise Security Manager provides a rich platform to automate responses to the kinds of triggers discussed above. It collaborates closely with many McAfee solutions, allowing administrators to orchestrate responses easily without complicated custom integrations. In addition, McAfee Enterprise Security Manager provides integration for hundreds of third-party products.

McAfee Enterprise Security Manager actions are driven by alarms triggered by a wide range of events, including those described above. You can configure each alarm to launch a variety of actions. Below we'll discuss some of the orchestration options possible with McAfee Enterprise Security Manager and its complementary products.

McAfee ePolicy Orchestrator (McAfee ePO) Software

Integrated closely with McAfee Enterprise Security Manager, McAfee® ePolicy Orchestrator® (McAfee ePO™) software provides policy-based management of a wide range of endpoint, data center, and network security countermeasures, including antivirus, host intrusion prevention, whitelisting, activity monitoring, and data loss prevention.

McAfee ePO software lets administrators categorize systems via manual or criteria-based “tags,” which may then be used as the basis for assigning configuration profiles to assets, launching tasks on managed endpoints, or filtering dashboards and reports.

McAfee Enterprise Security Manager integrates with McAfee ePO software via the McAfee ePO software web application programming interface (API). Through this channel, McAfee Enterprise Security Manager can assign tags to systems in McAfee ePO software in response to triggers seen by McAfee Enterprise Security Manager, just as a McAfee ePO software administrator might do via the McAfee ePO software graphical user interface (GUI). Because tags can drive policy assignment and client tasks, the McAfee ePO software account used for this channel should be a dedicated user whose permissions are limited to what the integration needs, rather than a full administrator account. Through tags, McAfee Enterprise Security Manager can automate many “first response” actions, helping organizations respond to attacks more quickly and efficiently than would be possible when relying solely on security operations center (SOC) staff to drive incident responses.

Figure 2. McAfee ePO software initiates policy-based responses to systems under attack.
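To make the tagging channel concrete, here is a small Python client for the McAfee ePO software web API, added for this guide and not part of McAfee Enterprise Security Manager or McAfee ePO software. It issues the remote commands the tagging action relies on (system.applyTag, system.wakeupAgent and system.clearTag, as documented for the ePO web API; confirm them against your version with the core.help command) over HTTPS with basic authentication, and parses the “OK:” / “Error n:” reply format. The server address, the user esm-tagger and the FakeEpoTransport stand-in are assumptions so that the example runs offline.

```python
import base64
import json
import ssl
from urllib.parse import urlencode
from urllib.request import Request, urlopen


class EpoError(Exception):
    """Raised when McAfee ePO software answers a remote command with 'Error <n>: <message>'."""


def parse_response(text):
    """ePO remote commands reply 'OK:\\n<payload>' on success (JSON when ':output=json'
    was requested) and 'Error <n>: <message>' on failure."""
    if text.startswith("OK:"):
        payload = text[3:].strip()
        try:
            return json.loads(payload)
        except ValueError:
            return payload
    raise EpoError(text.strip())


class EpoClient:
    """Calls ePO remote commands over HTTPS with basic authentication.
    `transport` is any callable url -> response text; inject one to run offline."""

    def __init__(self, base_url, user, password, transport=None):
        self.base_url = base_url.rstrip("/")
        self._auth = base64.b64encode(f"{user}:{password}".encode()).decode()
        self._transport = transport or self._https

    def _https(self, url):
        # The ePO server certificate must be trusted by this host; do not disable verification.
        req = Request(url, headers={"Authorization": "Basic " + self._auth})
        with urlopen(req, context=ssl.create_default_context(), timeout=30) as resp:
            return resp.read().decode()

    def call(self, command, **params):
        params[":output"] = "json"
        return parse_response(self._transport(f"{self.base_url}/remote/{command}?{urlencode(params)}"))

    def apply_tags(self, systems, tags, wake_up=True):
        """Equivalent of the alarm action 'Assign Tag with McAfee ePO' with 'Wake up client':
        tag each system, then force an immediate agent-server communication so the policies
        and client tasks bound to the tags are enforced without waiting for the next interval."""
        names = ",".join(systems)
        result = {tag: self.call("system.applyTag", names=names, tagName=tag) for tag in tags}
        if wake_up:
            result["wakeup"] = self.call("system.wakeupAgent", names=names)
        return result

    def clear_tag(self, systems, tag):
        """Analyst follow-up: remove a tag once the system has been reviewed."""
        return self.call("system.clearTag", names=",".join(systems), tagName=tag)


class FakeEpoTransport:
    """Constructed stand-in for the ePO server so the example runs offline. It records each
    URL and answers in the server's reply format (the replies themselves are made up)."""

    def __init__(self):
        self.urls = []

    def __call__(self, url):
        self.urls.append(url)
        if "/remote/system.applyTag?" in url or "/remote/system.clearTag?" in url:
            return "OK:\n1"
        if "/remote/system.wakeupAgent?" in url:
            return 'OK:\n"completed: 1 succeeded, 0 failed"'
        return "Error 1: Unknown command"


def demo():
    fake = FakeEpoTransport()
    # 'esm-tagger' is a hypothetical dedicated ePO user whose permission set allows only
    # tagging and agent wake-up; the SIEM should never hold a full ePO administrator account.
    epo = EpoClient("https://epo.example.internal:8443", "esm-tagger", "secret", transport=fake)
    return epo.apply_tags(["ws-0042"], ["POLICY: Lockdown", "TASK: Aggressive Scan"]), fake.urls


if __name__ == "__main__":
    result, urls = demo()
    print(result)
    print("\n".join(urls))
```

Because a tag can pull a lockdown policy and client tasks onto a system, whatever holds these credentials is effectively able to change endpoint policy. Give the integration account a permission set limited to tagging and agent wake-up, and keep the ePO server’s certificate trusted by the SIEM host rather than disabling verification in the client.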

Reporting on Suspicious Systems

In one of the simplest use cases, a tag may be used as a filter for a dashboard or a report in McAfee ePO software. SOC staff often use a custom dashboard or role-based report to regularly monitor the status of the technologies managed via McAfee ePO software and to identify events where a response may be necessary. This process provides excellent visibility into the different security countermeasures that McAfee ePO software manages, but is blind to the rest of the enterprise environment.

McAfee Enterprise Security Manager provides deep situational awareness to complement standard McAfee ePO software visibility. By assigning the proper tags, McAfee Enterprise Security Manager can quickly and automatically bring systems exhibiting suspicious behaviors to the attention of endpoint security operations. Security operations can then take appropriate actions as needed.

Practical Example: Flagging Suspicious Systems for Follow-Up

In many enterprises, the team that handles endpoint security leverages McAfee ePO software as a tool to drive day-to-day workflow for incident response. For example, a system that reports large volumes of repeated malware infections in a short time often has additional undetected malware running behind the scenes. In this circumstance, the system requires human analysis to review its state and health and to identify additional remediation steps needed.

Tagging helps incident response staff track systems that require investigation. A specified McAfee ePO software tag may be used as a filter for a McAfee ePO software dashboard or report, which, in turn, is monitored by incident response staff to drive daily remediation activities. This approach may be extended easily to allow McAfee Enterprise Security Manager to tag suspicious systems based on a wide variety of criteria. Endpoint security staff members gain greater awareness of enterprise security posture and can prioritize remediation efforts on the systems with the most severe security issues.

• Set up McAfee ePO software: To take advantage of this use case, it's first necessary to perform appropriate setup in McAfee ePO software.

  o Identify or create a McAfee ePO software tag to use as a means of flagging systems that require manual analysis. For purposes of discussion, we'll name this tag "FILTER: Suspicious Systems.” Set up this tag as a manual tag in McAfee ePO software.

  o Identify or create a dashboard in McAfee ePO software that will be used to track suspicious systems. Each query in the dashboard should include the "FILTER: Suspicious Systems" tag as a filter, ensuring that only data associated with tagged systems is displayed. For our purposes, we will use the tag as a filter for the McAfee ePO software system tree.

• Identify SIEM trigger: The next step is to identify the conditions seen by McAfee Enterprise Security Manager on which you would like to trigger.

  o Content packs provide prebuilt correlation rules for McAfee Enterprise Security Manager that cover common use cases. Content packs are continuously developed and updated as new threats emerge, and new correlation rules that fire when malicious behavior is detected are a common element of them. The following existing content packs can provide triggers for McAfee ePO software tagging actions:

    Malware content pack

    Firewall content pack

    McAfee Threat Intelligence Exchange content pack


Figure 3. Content packs currently available in the McAfee Enterprise Security Manager console.

  o In addition to prebuilt content packs, the potential to create additional triggers is virtually limitless. The options depend largely on the data sources present in your McAfee Enterprise Security Manager, the correlation rules you have at your disposal, and the types of things into which the endpoint security team would like visibility. For our purposes, we would like to notify the McAfee ePO software team anytime the enterprise web proxy (such as McAfee Web Gateway) detects an attempt to download a malicious file. These systems deserve inspection, since systems that attempt to download malware are often already infected with malware.

Figure 4. McAfee Enterprise Security Manager console displays malware detected by McAfee Web Gateway.

• Enable alarm: While it's certainly possible to manually trigger the McAfee ePO software tagging action (via the McAfee Enterprise Security Manager action menu), in our example we will automate this process to ensure that the endpoint security operations team has immediate visibility to the latest threats. As the final configuration step, we must configure McAfee Enterprise Security Manager with an alarm that is triggered by the event we've identified above and takes the action of applying the "FILTER: Suspicious Systems" tag to the target systems.

Figure 5. McAfee Enterprise Security Manager Alarm: McAfee ePO software tagging action.

• Monitor dashboard in McAfee ePO software: Once the alarm is configured, you should begin to see systems tagged appropriately in McAfee ePO software, and they should automatically begin to appear in the "Suspicious Systems" dashboard. After the analyst reviews a system and takes the appropriate remediation steps, the analyst can remove the tag, and the system will disappear from the dashboard.

Figure 6. Systems with web malware detections flagged as suspicious in McAfee ePO software.

Dynamic McAfee ePO Software Policy Changes

In the context of McAfee ePO software, a “policy” is a collection of settings that you create and configure and then enforce on a set of managed systems. McAfee ePO software allows administrators to configure user- and system-based policy settings for all products and systems from a central location. For example, McAfee ePO software policies provide complete control over all aspects of endpoint security, from the aggressiveness of on-access scanning to the network connections allowed by the endpoint firewall.

McAfee ePO software policies may be assigned in a number of different ways. One highly flexible method is via policy assignment rules. With McAfee ePO software policy assignment rules, policies may be assigned to managed systems using a flexible set of criteria and updated on the fly as those criteria change. Asset tags are one of the criteria supported by policy assignment rules in McAfee ePO software. By leveraging McAfee Enterprise Security Manager to manipulate McAfee ePO software asset tags in response to triggers, we can modify policies on those assets in near real time in response to changing conditions or detected threats.

Essentially, we can take the incremental data that becomes visible through the McAfee Enterprise Security Manager-to-McAfee ePO software integration and use that data to modify policies that, in turn, affect countermeasures.

Figure 7. McAfee software policy assignment rules.

Trigger McAfee ePO Software Client Task Execution

A client task in McAfee ePO software is an action that is pushed to and executed on a managed endpoint. Examples of client tasks include scheduled anti-malware scans and deployment of security agent software. Like policies, a client task may be assigned to a system in a variety of ways within McAfee ePO software. For example, client tasks may be tied to asset tags, such that assigning a tag to a system brings with it a set of associated client tasks.

Figure 8. Client task assigned to systems based on McAfee ePO software asset tags.

By leveraging McAfee Enterprise Security Manager to manipulate McAfee ePO software asset tags in response to triggers, we can immediately execute tasks on managed systems in response to changing conditions or detected threats.

Practical Example: Quarantine and Remediation of a Compromised System

In the course of investigating an ongoing attack or breach, it sometimes becomes clear that there is a definitive pattern of behaviors that indicate a compromised system. Examples might include communication with a specific IP address, repeated brute-force password guessing attempts, or specific malware detections. Regardless of the indicators, the first step for incident responders should be to isolate the compromised system from the enterprise network as quickly as possible in order to minimize the amount of damage that will be done.

In this example, we will leverage McAfee Enterprise Security Manager to orchestrate a real-time response with McAfee ePO software, effectively quarantining the compromised host and launching an aggressive malware scan. These remediation actions should neutralize the threat in real time, minimizing the impact much more quickly and effectively than would be possible when relying on human analyst response. Because the response is automatic, the trigger must be precise enough that a false positive does not cut a healthy system off from the network; requiring several independent indicators for the same host, as the correlation rule in this example does, makes the rule far safer to automate than a single-event trigger.


• Set up McAfee ePO software policies and tasks: The first step in meeting this use case is to define a set of “lockdown” policies and tasks in McAfee ePO software that will be engaged when McAfee Enterprise Security Manager detects the compromise. Your optimal set of policies will be dictated by the managed products you have in McAfee ePO software. Below you will find some suggestions:

  o McAfee Host Intrusion Prevention Firewall: Enable the firewall with a highly restrictive rule set. The rule set must still allow the McAfee Agent to reach the McAfee ePO server; otherwise the system can never receive the policy that lifts the lockdown.

  o McAfee VirusScan® Access Protection: Enable “Maximum Protection” rules. Consider implementing custom rules to block network traffic if McAfee Host Intrusion Prevention Firewall is not deployed in your environment.

  o McAfee VirusScan On-Access: Enable scanning inside archives, eliminate scanning exclusions, and set McAfee Global Threat Intelligence reputation inquiry to the “Very High” sensitivity level.

  o McAfee VirusScan On-Demand Scan Task: Define a scan task to deeply assess all drives and files, with no exclusions.

Figure 9. Sample “lockdown” McAfee Host Intrusion Prevention Firewall rule set.

• Map McAfee ePO software policies and tasks to tags: Once you define client tasks and lockdown policies, the next step will be to tie these to one or more tags. In our example, we will define two separate tags:

  o POLICY: Lockdown

  o TASK: Aggressive Scan

The first of these tags will be tied to the various lockdown policies via a McAfee ePO software policy assignment rule, as shown in the screenshots below.

Figure 10. Selection of lockdown policies in McAfee ePO software policy assignment rule.

Figure 11. Selection of tag in McAfee ePO software policy assignment rule.

In the case of the on-demand client task, we will leverage client task assignment criteria in order to automatically enable the emergency scan task on any systems with the “TASK: Aggressive Scan” tag.


Figure 12. Tying a task to a McAfee ePO software tag, using “Task Assignment.”

We have now completed the setup within McAfee ePO software. Any systems that are assigned to the relevant tags in McAfee ePO software will automatically have the proper policies and tasks pushed down the next time the system communicates with McAfee ePO software.

• Identify SIEM trigger: The conditions that are used to trigger the actions in this use case are entirely dependent on the specifics of the threat you wish to respond to. In our example, we will deal with a hypothetical threat, which has three behaviors that are easily observable:

  o Communication with known malicious IP addresses

  o Multiple attempts to guess root account passwords

  o Attempts to download and install malware

Given this information, we will define a simple correlation rule that triggers when we see these behaviors together, associated with a single host.

Figure 13. A correlation rule can be defined for individual systems.
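As an added example (not McAfee Enterprise Security Manager rule syntax), the following Python expresses the correlation rule above as data and evaluates it over constructed, already-normalized events: it fires once per host when all three indicator classes are present inside a time window, and treats repeated root password failures as the brute-force behavior only when at least three occur. The tags in the action block mirror the POLICY: Lockdown and TASK: Aggressive Scan tags defined above; the host names, indicator names, window and minimum counts are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# The rule from the text, expressed as data. The name, the window and the per-indicator
# minimums are assumptions for this example, not ESM rule syntax.
RULE = {
    "name": "Compromised host: C2 contact + root brute force + malware download",
    "window": timedelta(minutes=10),
    # indicator class -> minimum number of events inside the window
    "requirements": {"malicious_ip_contact": 1, "root_password_guessing": 3, "malware_download": 1},
    # the alarm's actions; the tags mirror the McAfee ePO software setup above
    "actions": {"epo_tags": ["POLICY: Lockdown", "TASK: Aggressive Scan"], "wake_up_client": True},
}


def event(host, indicator, hh, mm, ss=0):
    """Build one normalized event (constructed data for this example)."""
    return {"host": host, "indicator": indicator, "time": datetime(2016, 3, 1, hh, mm, ss)}


# Constructed, already-normalized events (what the SIEM holds after parsing and
# reputation/threat-intelligence enrichment). Not real data.
EVENTS = [
    # ws-0042: all three behaviors within four minutes -> must fire
    event("ws-0042", "malicious_ip_contact", 10, 0),
    event("ws-0042", "root_password_guessing", 10, 1),
    event("ws-0042", "root_password_guessing", 10, 1, 30),
    event("ws-0042", "root_password_guessing", 10, 2),
    event("ws-0042", "malware_download", 10, 4),
    # ws-0077: C2 contact and a download, but a single root failure -> must not fire
    event("ws-0077", "malicious_ip_contact", 10, 0),
    event("ws-0077", "root_password_guessing", 10, 3),
    event("ws-0077", "malware_download", 10, 6),
    # srv-db01: an administrator mistyping the root password -> must not fire
    event("srv-db01", "root_password_guessing", 10, 5),
    event("srv-db01", "root_password_guessing", 10, 5, 10),
    event("srv-db01", "root_password_guessing", 10, 5, 20),
    # ws-0099: all three behaviors, but spread over 50 minutes -> outside the window
    event("ws-0099", "malicious_ip_contact", 9, 0),
    event("ws-0099", "root_password_guessing", 9, 30),
    event("ws-0099", "root_password_guessing", 9, 30, 20),
    event("ws-0099", "root_password_guessing", 9, 31),
    event("ws-0099", "malware_download", 9, 50),
]


def correlate(events, rule):
    """Return one action per host whose events satisfy every requirement of `rule` inside
    rule['window']. A host that fires is suppressed for one window, so a noisy host does
    not generate a fresh tagging action for every further event."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    actions = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["time"])
        window, suppressed_until = [], None
        for e in evs:
            window = [w for w in window if e["time"] - w["time"] <= rule["window"]] + [e]
            if suppressed_until is not None and e["time"] < suppressed_until:
                continue
            counts = defaultdict(int)
            for w in window:
                counts[w["indicator"]] += 1
            if all(counts[i] >= n for i, n in rule["requirements"].items()):
                actions.append({
                    "rule": rule["name"],
                    "host": host,
                    "first_event": window[0]["time"].isoformat(),
                    "fired_at": e["time"].isoformat(),
                    "evidence": {i: counts[i] for i in rule["requirements"]},
                    **rule["actions"],
                })
                suppressed_until = e["time"] + rule["window"]
                window = []
    return actions


if __name__ == "__main__":
    for action in correlate(EVENTS, RULE):
        print(action)
```

The window matters as much as the indicators: host ws-0099 in the sample shows all three behaviors but across 50 minutes, so it does not fire, while ws-0042 fires on the malware download that completes the set. The suppression after a hit is what keeps the alarm from re-tagging a host that is already locked down.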


• Enable alarm: All that remains is to define a set of actions that will be executed when our triggering rule fires. We will do this by defining an alarm tied to the correlation rule. This alarm will take the primary action of “Assign Tag with McAfee ePO.”

Figure 14. Alarm action: “Assign Tag with McAfee ePO.”

We will leverage this alarm to assign both our “POLICY” and “TASK” tags to the affected system. We will also check the box labeled “Wake up client” in the McAfee ePO software tagging configuration. By default, McAfee ePO software clients check in with McAfee ePO software on a regular interval, which is typically every one to two hours. Checking the “Wake up client” box will ensure that the affected client immediately communicates with McAfee ePO software and receives its updated policies and tasks in near real time. In practice, policy enforcement should occur in less than one minute from the time the alarm is triggered.


Figure 15. Define actions: associate policy and task with an action.

McAfee ePO Software Configuration

McAfee Enterprise Security Manager can leverage McAfee ePO software tagging actions for any internal hosts (defined by the “Homenet” variable in the “Network Discovery” tab of the McAfee Enterprise Security Manager Asset Manager). McAfee Enterprise Security Manager can drive McAfee ePO software tagging actions in two ways. First, a SIEM analyst, via the actions menu in the McAfee Enterprise Security Manager user interface, may assign McAfee ePO software tags manually. In this model, a SIEM analyst identifies a triggering event via manual review and leverages McAfee ePO software tagging to orchestrate follow-up activity on the affected system.

Figure 16. Manual assignment of McAfee ePO software tags.

When the “McAfee ePO Tagging” option is selected by the analyst, he or she is presented with a list of tags that have been defined in McAfee ePO software and is then free to select the tags appropriate for the actions the analyst wishes to take.


McAfee ePO software tags may also be applied to systems in McAfee ePO software automatically by leveraging McAfee Enterprise Security Manager alarms. Alarms are triggered by a wide range of conditions, and each alarm has a set of actions associated with it that are executed when the alarm triggers. “Assign Tag with McAfee ePO” is one of the supported options.

Figure 17. Automated assignment of McAfee ePO tags via alarm actions.

As in the manual case described above, when a system administrator clicks the “Configure” button seen above, the system presents a list of tags that have been defined in McAfee ePO software. The administrator can then select the appropriate tags for the actions desired in response to the defined conditions.

As you can see, with proper configuration within McAfee ePO software, asset tags can be used to allow McAfee Enterprise Security Manager to exert a high degree of control over the security posture of a system managed by McAfee ePO software, either as part of a manual incident analysis process, or automatically.

McAfee Network Security Platform

The McAfee Network Security Platform provides a full range of network-based intrusion detection and prevention features. The McAfee Network Security Platform includes a number of components:

• McAfee Network Security Manager: Provides centralized management, analysis, and reporting capabilities for McAfee Network Security Platform.

• McAfee Network Security Platform sensors: Deployed on network segments to monitor traffic and enforce security policy as configured in the McAfee Network Security Manager. McAfee Network Security Platform sensors, when deployed inline on a network segment, provide the ability to block attacks in real time.

• McAfee Network Threat Behavior Analysis: Collects and analyzes traffic from the entire network—hosts and applications—to detect worms, botnets, zero-day threats, spam, and reconnaissance attacks. It reports any unusual behavior to help you maintain a comprehensive and efficient network security infrastructure.

McAfee Network Security Platform provides a highly intelligent security solution that discovers and blocks sophisticated threats in the network. However, like any IPS, its visibility and ability to react are limited by where McAfee Network Security Platform sensors are deployed.

McAfee Enterprise Security Manager is complementary to McAfee Network Security Platform. McAfee Enterprise Security Manager’s access to activity logs from the entire enterprise provides it with global visibility, which is often missing in network-based security controls. McAfee Enterprise Security Manager integrates with McAfee Network Security Manager via the McAfee Network Security Platform open API.


Figure 18. Overview of the McAfee Enterprise Security Manager/McAfee Network Security Platform operational workflow.

Configuring McAfee Network Security Platform

From within the McAfee Enterprise Security Manager Console, McAfee Network Security Platform blacklist actions are available for any hosts—internal or external. Successful blacklisting requires a McAfee Network Security Platform sensor to be deployed inline—only network traffic that traverses a McAfee Network Security Platform sensor can be blocked in this manner. In practice, this tends to limit blacklisting to network choke points, such as perimeter links or data center boundaries.

In addition to inline deployment, a few configuration steps are necessary within McAfee Network Security Platform before McAfee Network Security Platform blacklisting can be enforced. On the McAfee Network Security Manager, an appropriate network access zone should be defined, which outlines precisely what traffic is blocked and allowed for any blacklisted hosts. Network access zones are defined in the McAfee Network Security Manager user interface under “Policy/Intrusion Prevention/IPS Quarantine/Network Access Zones.” In addition, the intrusion prevention system (IPS) quarantine feature must be enabled on the desired network interfaces. This setting is located under “Devices/Policy/IPS Quarantine/Port Settings.”

McAfee Network Security Platform blacklisting can be driven by McAfee Enterprise Security Manager in two ways. First, blacklist entries can be assigned manually by a SIEM analyst via the actions menu in the McAfee Enterprise Security Manager user interface. In this model, the SIEM analyst identifies a triggering incident via manual review and leverages McAfee Network Security Platform blacklisting to block traffic to/from the affected system.


Figure 19. Manual blacklisting of a suspicious host.

When you select the “Blacklist” option, you see a list of McAfee Network Security Platform sensors where the blacklist should be enforced. The blacklist entry can be applied to all sensors in your enterprise, via the “Global Blacklist,” or to an individual sensor you select.

For an orchestrated approach, blacklist entries may also be implemented automatically by leveraging McAfee Enterprise Security Manager alarms. As discussed above under “Orchestration Triggers,” a wide range of conditions can trigger alarms, with associated actions that execute when the alarm triggers. “Blacklist” is one of the supported options.

Figure 20. Automated blacklisting via alarm actions.

As in the manual case described above, when you click the “Configure” button seen above, the system presents a list of McAfee Network Security Platform sensors. You are then free to select the sensor where the automated blacklist is to be enforced or to apply the new entry to the “Global Blacklist.”

When integrated with McAfee Network Security Platform, McAfee Enterprise Security Manager becomes a powerful extension of the McAfee Network Security Platform detection engines. McAfee Enterprise Security Manager provides actionable intelligence to the McAfee Network Security Platform sensor, which can then block attacks in real time.

Practical Example: Behavior-Based Blacklisting

Reconnaissance attacks represent one of the most frequently seen alerts coming from network-based intrusion detection systems (IDS) and firewalls. Reconnaissance activities indicate that an adversary is gathering useful information about an enterprise, such as IP addresses in use, open ports, applications, and possible weak passwords. Data gathered during reconnaissance may then be used in later phases of a targeted attack.

While reconnaissance activity is seen frequently, it can be difficult to act on. High volumes of this kind of activity make it impossible for security analysts to follow up directly on each incident. The nature of reconnaissance techniques makes it very difficult to block outright without also affecting authorized traffic coming from customers and trusted partners. However, once an attacker has tipped his hat by showing this kind of behavior, we can leverage McAfee Enterprise Security Manager to orchestrate an automated response at the network layer, blocking future connections from the attacker.

Set up McAfee Network Security Manager: In this use case, we will leverage a McAfee Network Security Platform sensor to block traffic from the attacker. In order to properly execute the blacklist, we will assume we have a McAfee Network Security Platform sensor deployed inline on the perimeter internet connection. You must also define a tightly restricted network access zone and enable quarantine on the relevant McAfee Network Security Platform sensor interface.

Identify SIEM trigger: There is a wide range of reconnaissance activities that represent reasonable triggers for a McAfee Network Security Manager quarantine action. While it might be tempting to aggressively block based on any type of reconnaissance activity, care must be taken to avoid reacting to potential false positive events. Initially, it's best to focus on a small number of behaviors that represent clear and accurate signs of bad intent. Good candidates include activities such as repeated failed login attempts or repeated connections from known malicious IPs, which are unlikely to be triggered benignly.

In our example, we will look for high volumes of HTTP 404 (“File Not Found”) logs coming from an Apache web server. High volumes of these logs are very good indicators that an adversary is fingerprinting a web application or identifying the surface area available for a future attack. In order to provide flexibility in tuning this behavior pattern, we'll define a custom correlation rule in McAfee Enterprise Security Manager.

Figure 21. HTTP reconnaissance correlation rule.

Enable alarm: Finally, we will configure an alarm in McAfee Enterprise Security Manager. Our alarm will be triggered based on our custom correlation rule defined above. When the alarm is triggered, we will signal the McAfee Network Security Platform sensor to block traffic for 60 minutes. In addition, we will trigger a report to run against the McAfee Enterprise Security Manager database and automatically send it via email to a security analyst. This report will include a summary of all activity seen from the source of the reconnaissance activity, for review by security analyst staff.
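The three steps above, as an added stand-alone example that is not McAfee code: the 404 correlation rule is approximated as a sliding-window count per source IP over constructed Apache combined-format log lines, and the alarm action carries the 60-minute quarantine length from the guide. The threshold, window length and all sample addresses are assumptions.

```python
"""HTTP 404 reconnaissance rule with a timed blacklist action.

Added example, not McAfee code: a stand-alone approximation of the custom
correlation rule and alarm described above, run over constructed Apache
combined-format log lines. Thresholds and all sample addresses are assumed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache combined log format; the rule keys on the status field only.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" '
                    r'(?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

THRESHOLD = 20                           # assumed: this many 404s from one source
WINDOW = timedelta(seconds=60)           # ... within this sliding window
BLOCK_DURATION = timedelta(minutes=60)   # quarantine length named in the guide


def parse_line(line):
    """Return (ip, timestamp, status) or None for lines the regex rejects."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, int(m.group("status"))


def blacklist_action(ip, fired_at):
    """Payload of the alarm action: host to quarantine and when the entry lapses."""
    return {"action": "blacklist", "host": ip, "fired_at": fired_at,
            "expires": fired_at + BLOCK_DURATION}


class Recon404Rule:
    """Sliding-window count of 404 responses per source IP."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW):
        self.threshold, self.window = threshold, window
        self.hits = defaultdict(deque)   # ip -> timestamps of recent 404s
        self.alarms = {}                 # ip -> time the alarm fired

    def feed(self, line):
        """Consume one log line; return a blacklist action when the rule fires."""
        parsed = parse_line(line)
        if parsed is None or parsed[2] != 404:
            return None
        ip, ts, _ = parsed
        q = self.hits[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:   # evict 404s outside the window
            q.popleft()
        if len(q) >= self.threshold and ip not in self.alarms:
            self.alarms[ip] = ts               # fire once per source
            return blacklist_action(ip, ts)
        return None


def run(lines, threshold=THRESHOLD, window=WINDOW):
    """Feed every line through one rule instance; return the actions it raised."""
    rule = Recon404Rule(threshold, window)
    return [a for a in map(rule.feed, lines) if a is not None]


def sample_lines():
    """Constructed traffic: 203.0.113.7 requests 25 missing paths two seconds
    apart (fires); 192.0.2.9 gets 25 404s ten seconds apart (too slow for the
    window); 198.51.100.4 is an ordinary client with two stray 404s."""
    base = datetime(2017, 5, 16, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset, path, status):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "curl/7.5"'

    fast = [line("203.0.113.7", 2 * i, f"/page{i}.html", 404) for i in range(25)]
    slow = [line("192.0.2.9", 10 * i, f"/old{i}.html", 404) for i in range(25)]
    ok = [line("198.51.100.4", 5, "/index.html", 200),
          line("198.51.100.4", 7, "/favicon.ico", 404),
          line("198.51.100.4", 9, "/robots.txt", 404)]
    return fast + slow + ok
```

Lowering the threshold to 7 makes the slow source fire as well, which is the tuning trade-off the text warns about: the window and threshold together decide how much benign 404 noise is tolerated.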


Figure 22. McAfee Enterprise Security Manager alarm configuration.

McAfee Threat Intelligence Exchange

McAfee Threat Intelligence Exchange provides an ecosystem of connected security components that work collaboratively to share insights, provide context, and act upon emerging threats. McAfee Threat Intelligence Exchange enables adaptive threat prevention by sharing relevant security data across endpoints, gateways, and other security products. This exchange of data allows for rapid actions to be taken on the collective threat intelligence. The information generated from McAfee Threat Intelligence Exchange can be consumed and correlated by McAfee Enterprise Security Manager to provide alerts and historical views for enhanced security intelligence, risk prioritization, and real-time situational awareness. It provides a historic view and monitors endpoint event baselines to dynamically act on significant deviations and established thresholds while adjusting user and asset risk. The combined solution brings unprecedented synthesis across endpoint events, reputation analysis, and advanced security information and event management (SIEM) correlation to quickly distill down the wealth of relevant threat information and focus efforts where they matter most.


Figure 23. Overview of McAfee Enterprise Security Manager/McAfee Threat Intelligence Exchange integration.

Configuring McAfee Threat Intelligence Exchange

McAfee Threat Intelligence Exchange verifies the reputation of executable programs on the endpoints. When you add a McAfee ePO software device to McAfee Enterprise Security Manager, the system automatically detects the McAfee Threat Intelligence Exchange server that is on the network. McAfee Enterprise Security Manager starts listening on the McAfee Data Exchange Layer and begins to log McAfee Threat Intelligence Exchange events. When the McAfee Threat Intelligence Exchange server is initially detected, its watch lists, data enrichment, and correlation rules are added automatically, and its alarms are enabled.

When a McAfee Threat Intelligence Exchange server is added, it will automatically add:

New alarms

Figure 24. McAfee Threat Intelligence Exchange alarm settings.

New automated watch lists

Figure 25. McAfee Threat Intelligence Exchange watch-list settings.

New correlation rules

Figure 26. McAfee Threat Intelligence Exchange correlation rules.

Practical Example: Finding Systems that Have Executed a Malicious File

The reputation of a file may change from an unknown status to a more severe status with new information provided by McAfee Global Threat Intelligence, McAfee Advanced Threat Defense, or another threat feed source. With this change of status, McAfee Enterprise Security Manager provides an easy method of finding other systems that have executed the file in the past and for adding the system to a watch list.

McAfee Enterprise Security Manager provides several new correlation rules associated with McAfee Threat Intelligence Exchange. The “McAfee Threat Intelligence Exchange reputation changed from clean to dirty” rule triggers when a previously clean file becomes dirty and potentially malicious, and it provides the file hash of the offending file.

Figure 27. McAfee Threat Intelligence Exchange correlation rule to identify systems that change reputations.

On the “Events” screen, the McAfee Threat Intelligence Exchange file reputation change will display the new reputation as “Known Dirty.” This is an indication that this file is malicious and other systems that contain this file may be harmed. We can use this event to identify other systems that have executed this file.


Figure 28. An event with a known dirty reputation.

With this event, we can find all of the systems that have executed this file by selecting the option from the McAfee Enterprise Security Manager UI. This allows the administrator to manually add these systems identified as potentially compromised to a watch list.

Figure 29. Running the McAfee Threat Intelligence Exchange execution history.

The IP address or hostname of these systems can be added to a watch list for correlation rules. These systems on the watch list can be set for extra scrutiny in correlation rules or configured as a filter for reports of infected systems.
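The reputation-change rule and the execution-history lookup above, as an added example that is not McAfee code: constructed McAfee Threat Intelligence Exchange-style events are run through a "clean to dirty" predicate, the hash it yields is used to find every host that executed the file, and those hosts become watch-list entries. The event field names, the reputation ordering and the hash values are assumptions.

```python
"""Finding systems that executed a file whose reputation turned dirty.

Added example, not McAfee code: constructed TIE-style events illustrate the
"reputation changed from clean to dirty" correlation rule and the execution
history search described above. Field names, the reputation ordering and the
hash values are assumptions.
"""

# Assumed ordering of the reputation labels that appear in the guide. Anything
# ranked above Known Dirty that drops to Known Dirty matches the rule, so an
# Unknown-to-dirty change is caught as well as a clean-to-dirty one.
REPUTATION_RANK = {"Known Clean": 3, "Unknown": 2, "Known Dirty": 1}

HASH_A = "a1" * 32      # constructed placeholder SHA256 values
HASH_B = "b2" * 32


def clean_to_dirty(event):
    """Rule predicate: a reputation change that lands on Known Dirty."""
    if event.get("type") != "tie_reputation_change":
        return False
    was = REPUTATION_RANK.get(event["old_reputation"], 0)
    return was > REPUTATION_RANK["Known Dirty"] and event["new_reputation"] == "Known Dirty"


def execution_history(events, sha256):
    """Every host that executed sha256, with its first and last execution time.

    Hashes are compared case-insensitively because sources differ in casing.
    """
    hist = {}
    for e in events:
        if e.get("type") != "tie_file_execution" or e["sha256"].lower() != sha256.lower():
            continue
        rec = hist.setdefault(e["host_ip"], {"ip": e["host_ip"], "hostname": e["hostname"],
                                             "first": e["time"], "last": e["time"]})
        rec["first"] = min(rec["first"], e["time"])
        rec["last"] = max(rec["last"], e["time"])
    return sorted(hist.values(), key=lambda r: r["first"])


def watch_list_from_events(events):
    """Run the rule over the stream; return {sha256: [host IPs to watch]}."""
    out = {}
    for e in events:
        if clean_to_dirty(e):
            sha = e["sha256"].lower()
            out[sha] = [h["ip"] for h in execution_history(events, sha)]
    return out


# Constructed event store; ISO-8601 timestamps compare correctly as strings.
SAMPLE_EVENTS = [
    {"type": "tie_file_execution", "time": "2017-05-01T09:12:00Z",
     "host_ip": "10.1.4.22", "hostname": "ws-022", "sha256": HASH_A},
    {"type": "tie_file_execution", "time": "2017-05-03T14:05:00Z",
     "host_ip": "10.1.4.37", "hostname": "ws-037", "sha256": HASH_A.upper()},
    {"type": "tie_file_execution", "time": "2017-05-04T08:30:00Z",
     "host_ip": "10.1.4.22", "hostname": "ws-022", "sha256": HASH_A},
    {"type": "tie_file_execution", "time": "2017-05-05T11:00:00Z",
     "host_ip": "10.1.4.50", "hostname": "ws-050", "sha256": HASH_B},
    {"type": "tie_reputation_change", "time": "2017-05-16T10:00:00Z",
     "sha256": HASH_A, "old_reputation": "Known Clean", "new_reputation": "Known Dirty"},
    {"type": "tie_reputation_change", "time": "2017-05-16T10:01:00Z",
     "sha256": HASH_B, "old_reputation": "Unknown", "new_reputation": "Known Clean"},
]
```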


Figure 30. Running the McAfee Threat Intelligence Exchange execution history.

Orchestrating Actions with Other Tools

While McAfee Enterprise Security Manager provides simple, pre-built connectivity to many McAfee technologies via existing APIs, McAfee Enterprise Security Manager also provides an open interface to allow orchestrating action with other technologies from third parties. McAfee Enterprise Security Manager can be configured to execute custom scripts in response to triggers. You can write scripts in any scripting language that is supported on the scripting host, and then run scripts on a designated scripting host or launch them via Secure Shell (SSH).

Figure 31. Overview of McAfee Enterprise Security Manager scripting operational workflow.

Configuring Scripting

Automated scripts may be set up as an alarm action in the McAfee Enterprise Security Manager user interface. Within McAfee Enterprise Security Manager, you enter the information necessary to establish secure shell (SSH) communication with the scripting host, as well as the path to the script and any needed command line parameters.


Figure 32. McAfee Enterprise Security Manager script action configuration.

Once enabled, McAfee Enterprise Security Manager will execute the configured script each time the relevant McAfee Enterprise Security Manager alarm conditions are satisfied. This interface provides a highly flexible means to drive automated actions with a wide range of third-party platforms. Common targets for third-party integration include: workflow and ticketing systems, firewalls, and network access control platforms.

Cyber Threat Manager

McAfee Enterprise Security Manager offers enhanced real-time monitoring and understanding of emerging threats via the dedicated Cyber Threat Manager dashboards. Suspicious or confirmed threat information reported via threat intelligence sharing standards—Structured Threat Information eXpression (STIX)/Trusted Automated eXchange of Indicator Information (TAXII), McAfee Advanced Threat Defense and/or third-party web URLs—can be aggregated and correlated in real time or historically (with McAfee Advanced Correlation Engine or McAfee Enterprise Security Manager’s Backtrace feature) against event data, providing security teams with a deeper understanding of the threat propagation within an environment. In addition, Cyber Threat Manager provides McAfee Enterprise Security Manager with the ability to automatically ingest IOCs from various sources and use that threat data to identify incidents within the environment. IOCs are structured files that provide indicators—such as an IP address of a botnet or a hash of a malicious file—that might suggest an attack is taking place.

After IOCs are fed to the McAfee Enterprise Security Manager, an administrator can view the indicators in an easily readable dashboard within the console. IOCs can also trigger indicators to be automatically added to a watch list. The watch list can then be used within a correlation rule to identify future attacks.

In addition to being used in watch lists, the McAfee Enterprise Security Manager will also use the IOC and look back at past events with the Backtrace feature. It will use the indicator and seek out matches with events that were received in the past. If it finds a match, it can perform various actions. For example, if an IOC contains a malicious file hash, it can review past events and alert if the file hash is present in an existing event.

Practical Example: Using Backtrace to Report Systems Identified as Having IOCs within McAfee ePO Software

Set up tags within McAfee ePO software: With the Backtrace feature in the McAfee Enterprise Security Manager, analysts can automatically search through all of the events to determine if an IOC has been observed in a previous event. If an event with an IOC is detected, McAfee Enterprise Security Manager can perform a number of actions automatically. For this example, you can tag systems in McAfee ePO software so that you can create a filter to display systems with IOCs and send out an email to the security team. To set up the tag in McAfee ePO software, create a tag named “FILTER: Identified by IOC” in McAfee ePO software, and then create a filter for the system tree to only show systems with the tag “FILTER: Identified by IOC”.


Figure 33. McAfee ePO software tag to create a filter for systems identified with an IOC.

Set up a threat feed: In the Cyber Threat Manager in McAfee Enterprise Security Manager, you can create a Cyber Threat Feed that allows you to import an IOC, and manually upload a STIX file as the IOC source. With this IOC, you can configure McAfee Enterprise Security Manager to notify the McAfee ePO software team immediately when an IOC matches events within the environment. This will notify the security team and allow them to inspect the systems listed in the events within McAfee ePO software easily, since those systems will be tagged. To notify the McAfee ePO software team, we’ll configure Backtrace to send a message when there is a Backtrace hit. In addition to sending a message, it will also automatically tag the systems associated with the event containing an IOC within McAfee ePO software.


Figure 34. Backtrace in Cyber Threat Manager.

McAfee Enterprise Security Manager also provides the ability to parse the IOCs into an easily readable format displayed in the Cyber Threat Indicator dashboards. Within this view, the individual components of an IOC can be identified, and any events that have elements of the IOC can be displayed. Additionally, it will display the number of Backtrace hits and show all of the events that contain the IOC.


Figure 35. IOCs listed in Cyber Threat Indicator dashboard.

Review systems in McAfee ePO software: The security team can now look within McAfee ePO software to see a list of systems that contain IOCs. After the security team reviews the systems, team members can take appropriate action and remove the tag, which will then remove the system from the display.
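The threat-feed and Backtrace steps above, as an added example that is not McAfee code: a constructed minimal STIX 1.1.1 package carrying one IPv4 indicator and one SHA256 indicator is parsed with the standard library, the indicators are matched against constructed past events the way the text describes Backtrace doing, and each distinct host with a hit becomes a “FILTER: Identified by IOC” tag action. The event field names and the tag-action shape are assumptions.

```python
"""Backtrace: match indicators from a STIX 1.x file against past events.

Added example, not McAfee code. The STIX package and the event store below are
constructed; the namespaces are the real STIX/CybOX 1.x ones, the event field
names and the ePO tag-action shape are assumptions.
"""
import xml.etree.ElementTree as ET

HASH_C = "c3" * 32          # constructed placeholder SHA256
STIX_SAMPLE = f"""<?xml version="1.0"?>
<stix:STIX_Package version="1.1.1"
  xmlns:stix="http://stix.mitre.org/stix-1"
  xmlns:indicator="http://stix.mitre.org/Indicator-2"
  xmlns:cybox="http://cybox.mitre.org/cybox-2"
  xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
  xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
  xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <stix:Indicators>
  <stix:Indicator id="example:indicator-1" xsi:type="indicator:IndicatorType">
   <indicator:Observable><cybox:Object>
    <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
     <AddressObj:Address_Value>198.51.100.23</AddressObj:Address_Value>
    </cybox:Properties>
   </cybox:Object></indicator:Observable>
  </stix:Indicator>
  <stix:Indicator id="example:indicator-2" xsi:type="indicator:IndicatorType">
   <indicator:Observable><cybox:Object>
    <cybox:Properties xsi:type="FileObj:FileObjectType"><FileObj:Hashes>
     <cyboxCommon:Hash>
      <cyboxCommon:Type>SHA256</cyboxCommon:Type>
      <cyboxCommon:Simple_Hash_Value>{HASH_C.upper()}</cyboxCommon:Simple_Hash_Value>
     </cyboxCommon:Hash>
    </FileObj:Hashes></cybox:Properties>
   </cybox:Object></indicator:Observable>
  </stix:Indicator>
 </stix:Indicators>
</stix:STIX_Package>"""


def _local(tag):
    """Strip the namespace URI from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def parse_stix_indicators(xml_text):
    """Collect IPv4 addresses and SHA256 hashes from the package's observables."""
    iocs = {"ip": set(), "sha256": set()}
    for el in ET.fromstring(xml_text).iter():
        name = _local(el.tag)
        if name == "Address_Value" and el.text:
            iocs["ip"].add(el.text.strip())
        elif name == "Hash":   # children: Type and Simple_Hash_Value
            f = {_local(c.tag): (c.text or "").strip() for c in el}
            if f.get("Type", "").upper() == "SHA256" and f.get("Simple_Hash_Value"):
                iocs["sha256"].add(f["Simple_Hash_Value"].lower())
    return iocs


PAST_EVENTS = [   # constructed event store that Backtrace looks back over
    {"id": 101, "host": "ws-017", "src_ip": "10.0.0.5", "dst_ip": "198.51.100.23", "sha256": None},
    {"id": 102, "host": "ws-042", "src_ip": "10.0.0.9", "dst_ip": "203.0.113.50", "sha256": HASH_C},
    {"id": 103, "host": "ws-017", "src_ip": "10.0.0.5", "dst_ip": "203.0.113.50", "sha256": "d4" * 32},
    {"id": 104, "host": "srv-003", "src_ip": "10.0.2.8", "dst_ip": "198.51.100.23", "sha256": None},
]


def backtrace(events, iocs):
    """Backtrace pass: every past event that carries one of the indicators."""
    hits = []
    for e in events:
        for field in ("src_ip", "dst_ip"):
            if e.get(field) in iocs["ip"]:
                hits.append({"event": e["id"], "host": e["host"], "ioc": e[field]})
        if e.get("sha256") and e["sha256"].lower() in iocs["sha256"]:
            hits.append({"event": e["id"], "host": e["host"], "ioc": e["sha256"].lower()})
    return hits


def epo_tag_actions(hits, tag="FILTER: Identified by IOC"):
    """One tag action per distinct host with a hit, as in the ePO tag step."""
    return [{"action": "epo_tag", "host": h, "tag": tag} for h in sorted({x["host"] for x in hits})]
```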

Figure 36. Systems identified with IOCs.

Other Examples

Below are a few additional use case ideas.

Tracking infected systems during a malware outbreak:

o Trigger: A DNS request for a specified malware domain associated with the outbreak is sent.

o Action 1: Apply McAfee ePO software filter tag to system, causing it to appear in the McAfee ePO software dashboard and drive McAfee ePO software-based remediation workflow.

o Action 2: Use custom script to push access control lists (ACLs) to third-party firewall or network access control (NAC) solution, blocking communication with external hosts.

Stopping data exfiltration in progress:

o Trigger: Flow anomaly indicates unusually large volumes of data leaving the network from a single host.

o Action: Apply a McAfee ePO software policy tag that brings restrictive data loss prevention policies to provide enhanced visibility of what’s happening on the endpoint and then quarantine the endpoint if warranted.

Alert on unauthorized changes:

o Trigger: Indicates a configuration or policy change event coming from a switch, router, or mission-critical application.

o Action: Custom script queries change management system to verify that the change was expected. Alerts threat responders if change is not authorized.

Take action on intelligence received from advanced detection tools:

o Trigger: A detection-based tool identifies a malicious object in the enterprise.

o Action: Custom script extracts threat indicators, such as malicious file hashes or IP addresses, from events, and then sends them to other security devices within the organization to provide protection.

McAfee and the McAfee logo, ePolicy Orchestrator, McAfee ePO, and VirusScan are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. Copyright © 2017 McAfee, LLC.

62359gde_siem-orchestration_0516_pb

Summary

In response to an increasingly complex IT ecosystem and expanding attack surface, McAfee offers a unified threat defense lifecycle. McAfee delivers an integrated, connected architecture that dramatically increases the speed and capacity of organizations to prevent and respond to attacks. Our architecture reduces complexity and improves operational efficiency, providing critical integrated, adaptive, and orchestrated intelligence and response capabilities. This empowers customers to block threats more effectively, identify compromises, and implement quick remediation and stronger countermeasures.

Next Steps

In this paper we have examined today’s reality: manual incident response processes are ineffective against an expanding and dynamic threat landscape. The concept of SIEM orchestration provides immediate, automated responses. It is the only way for a modern enterprise to protect against advanced attacks. Consider the examples we have provided, and determine how they apply to your organization. Look for activities that take up significant time, and leverage the orchestration concepts we have provided here to automate and optimize where it makes sense.

Finally, please share your questions, thoughts, successes, and challenges with others in the McAfee Community:

https://community.mcafee.com/community/business/siem

About McAfee

McAfee is one of the world’s leading independent cybersecurity companies. Inspired by the power of working together, McAfee creates business and consumer solutions that make the world a safer place. By building solutions that work with other companies' products, McAfee helps businesses orchestrate cyber environments that are truly integrated, where protection, detection and correction of threats happen simultaneously and collaboratively. By protecting consumers across all their devices, McAfee secures their digital lifestyle at home and away. By working with other security players, McAfee is leading the effort to unite against cybercriminals for the benefit of all.

www.mcafee.com

McAfee

2821 Mission College Boulevard

Santa Clara, CA 95054

888 847 8766

www.mcafee.com
