TUS - McAfee Endpoint Security 10 - 1
Diagram: legacy endpoint stack of separate products (DLP, Encryption, HIPS, Anti-Malware) with multiple agents and a console.
Intel Security Confidential
Endpoint Security: Focus Areas
• Performance
• Integration
• Protection
• Simplicity
Agenda
• Under the hood
• Redesigned Modules
• Changes in EP10.1
• AMCore Framework
• How to Migrate
• Deployment Options
Before: VSE, HIPS, SiteAdvisor and future modules delivered as separate products.
Endpoint Security Platform
A framework to simplify today, built with the future in mind
Common Components
Endpoint Security Platform Architecture
Endpoint Security 10 Client
• Security Management: McAfee ePO™, Agent, Client UI, SaaS Endpoint Connector
• Common Components: Business Logic Framework, Logger, Location Monitor, License Manager, Global Threat Intelligence, Exploit Prevention Driver, Link Driver, Network Driver, Validate Trust Protect, Threat Event Storage Service
Redesigned Modules
Endpoint Security Platform Architecture - Modules
Endpoint Security 10 Client
• Security Management: McAfee ePO™, Agent, Client UI, SaaS Endpoint Connector
• Additional modules: Stateful Firewall, On-Access Scanner, On-Demand Scanner, Site Ratings Module
• Common Components: Business Logic Framework, Logger, Location Monitor, License Manager, Global Threat Intelligence, Exploit Prevention Driver, Link Driver, Network Driver, Validate Trust Protect, Threat Event Storage Service
Threat Prevention
• Checks for viruses, spyware, unwanted programs, and other threats by scanning items
— automatically when users access them or on demand at any time.
Threat Prevention: Exploit Prevention
• Generic Buffer Overflow Protection (GBOP)
  • Content-driven protection of a specific list of APIs against buffer overflow attacks
  • Kevlar signatures and suspect call validation
• Supervisor Mode Execution Protection (SMEP)
  • Intel CPU feature available in Ivy Bridge and newer processors
  • Exploit Prevention monitors and reports SMEP violations
• Data Execution Prevention (DEP)
  • Microsoft OS feature that prevents code from executing out of memory pages marked as data (non-executable)
  • Exploit Prevention monitors and reports when DEP is triggered
Firewall
• Application-aware firewall
• Controls inbound and outbound traffic
• Reduces the attack surface to prevent intrusions
Firewall features: Stateful Firewall, Adaptive Mode, DNS Blocking
ENS 10.1 vs HIPS
ENS 10.1 will co-exist with HIPS 8.0!
• ENS 10.1 does not replace HIPS
• Only the Firewall component of HIPS is replaced
• ENS 10.1 has exploit prevention:
  • Generic Buffer Overflow Protection (GBOP)
  • Data Execution Prevention (DEP)
  • Kevlar
  • Suspicious Caller
  • Advanced Access Protection supports emergent malware, just as HIPS does
Customer Positioning
• Full HIPS module planned for the next release in 2016
• HIPS 8.0 can co-exist with ENS
• Exploit Prevention in Threat Prevention provides limited HIPS-like functionality
• TIE module adds an additional layer of protection against advanced threats
Host IPS to ENS 10.1 Mapping
Each capability was compared between HIPS and ENS 10.1:
Intrusion Prevention
• Access Protection (AP)
• Custom IPS (AP) rules support
• NIPS Signature
• SQL Server and IIS Server protection
Exploit Mitigation (Memory Protection)
• Generic Buffer Overflow (GBOP)
• Suspicious Caller
• Dynamic API Protection
• General Privilege Escalation (GPEP)
• Data Execution Protection (DEP)
• Supervisor Mode Execution Prevention (SMEP)
Signature and Rules Management
• Signature Severity Support: HIPS supports High, Medium and Low; ENS 10.1 supports High and Medium
With improved AP and new mitigation techniques, ENS enhances the ability to block emergent malware while providing base rules management.
Web Control
Displays safety ratings and reports for websites during online browsing and searching. Web Control enables the site administrator to block access to websites based on safety rating or content.
Web Control features: Site Ratings, Site Categorization, Browser Plugin
Threat Intelligence Exchange – Reputation Based Execution
Enhances ENS with adaptive threat prevention.
• Data Exchange Layer: open, connected ecosystem of network, gateway, endpoint and 3rd-party solutions; ultra-fast, persistent, bidirectional messaging fabric
• Intel Security Threat Intelligence: cloud-based countermeasures and intelligence; partner feeds
• TIE Endpoint Module: additional integrated endpoint module providing execution-time reputation inspection and protection (reputation-based execution)
Changes in EP10.1
• Password protected
• Touch-friendly GUI
• Basic / Advanced client settings
• Modular, scalable design
Chart: lower system impact on the endpoint. CPU utilization across the 1st, 2nd and 3rd scan, Endpoint Security 10 vs. legacy, measured when scanning while the user is active.
Detailed Threat Forensics
Actionable, real-time threat intelligence.
Detailed Threat Information
Event fields are grouped into six sets:
• MACHINE: Host Name, IPv4 Address, IPv6 Address, MAC, Location
• TARGET and SOURCE (each): IPv4 Address, IPv6 Address, Port, URL, Share Name, MAC, Protocol, User Name, Process Name, Hash, Signed, Signer, Parent Process Name, Parent Process Hash, Parent Process Signed, Parent Process Signer, File Path, File Size, Modify Time, Access Time, Create Time, Device Display Name, Device Serial Number, Device VID, Device PID
• DETECTION FEATURE: Name, Version, Content Version, Content Creation Date, Rule ID, Rule Name
• THREAT DATA: Event ID, Name, Type, Action Taken, Reg Info, GTI Query, Handled, Detected On Create, Impact
• ADDITIONAL: Cleanable, Task Name, API Name, First Attempted Action, Second Attempted Action, First Action Status, Second Action Status, Event ID Description, Natural Language Description, Duration Before Detection, Attack Vector Type, Direction, ICMP Type, Firewall Event Type, Throttled Event Count, Severity
Helps understand and track attacks better.
Simplified Policy Management: one tab only
Simplified Policy Management: Common Policies for
Windows and Mac
Configurable On Demand and Right-Click Scans
AMCore Framework
• Context and reputation aware
• Built-in false mitigation
• Adaptive scanning
• Intelligent trust
• Performance and future expansion
Enhances what's working well today with additional scanners.
AMCore Integration: Intelligent Trust
• Next-generation anti-malware framework
• Scan Avoidance
  • Files placed by a trusted installer are trusted and not scanned
  • Trust can be revoked via a content update, and is subject to a "time to live" before automatic rescanning
• Process Inheritance
  • Trusted processes have a limited set of their events scanned
  • Suspicious processes have a full set of their events scanned
• Performance \ Security Gain
  • Resources freed by not scanning as often
  • More aggressive scans possible when necessary
• Extensible framework for incorporating anti-malware scanners and engines
• Protects 20 million+ consumer nodes today
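The scan-avoidance rules above (trust granted to files written by a trusted installer, bound to a time to live, revocable through a content update) can be modelled as a small trust store. The following is an added example written for this page, not McAfee code; the installer allowlist, the TTL, the file contents and the revocation list are constructed, and a real implementation would key trust on the installer's verified identity rather than its process name.

```python
"""Added illustration (not McAfee code) of AMCore-style scan avoidance.
Files written by a trusted installer earn a trust entry bound to the
file's hash, subject to a time-to-live (TTL); a content update can revoke
trust for specific hashes. Installer names, TTL and file contents below
are constructed for the example."""
import hashlib
from dataclasses import dataclass, field

# Assumed allowlist of installer process names whose writes are trusted.
TRUSTED_INSTALLERS = {"msiexec.exe", "setup.exe"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class TrustEntry:
    sha256: str
    granted_at: float
    ttl_seconds: float

    def expired(self, now: float) -> bool:
        return now >= self.granted_at + self.ttl_seconds


@dataclass
class TrustStore:
    ttl_seconds: float = 7 * 24 * 3600           # assumed default TTL
    entries: dict = field(default_factory=dict)   # path -> TrustEntry
    revoked: set = field(default_factory=set)     # hashes revoked by content

    def record_write(self, path: str, data: bytes, writer: str, now: float) -> bool:
        """Called on a file write by process `writer`. Only trusted installers
        earn a trust entry; any other writer's write drops existing trust."""
        if writer.lower() in TRUSTED_INSTALLERS:
            self.entries[path] = TrustEntry(sha256_hex(data), now, self.ttl_seconds)
            return True
        self.entries.pop(path, None)
        return False

    def apply_content_update(self, revoked_hashes) -> None:
        """Model of a content (DAT) update revoking trust for given hashes."""
        self.revoked.update(revoked_hashes)

    def needs_scan(self, path: str, data: bytes, now: float):
        """On-access decision: (must_scan, reason). Any failed check removes
        the stale entry so the file is treated as untrusted from then on."""
        entry = self.entries.get(path)
        if entry is None:
            return True, "untrusted"
        digest = sha256_hex(data)
        if digest != entry.sha256:
            reason = "content changed since trust was granted"
        elif digest in self.revoked:
            reason = "trust revoked by content update"
        elif entry.expired(now):
            reason = "trust TTL expired; automatic rescan"
        else:
            return False, "trusted installer file within TTL"
        del self.entries[path]
        return True, reason


def demo():
    """Walk one constructed scenario and return the list of decision reasons."""
    t0 = 1_700_000_000.0
    app = r"C:\Program Files\App\app.exe"
    tool = r"C:\Users\bob\Downloads\tool.exe"
    store = TrustStore(ttl_seconds=3600)
    store.record_write(app, b"app-v1", "msiexec.exe", t0)    # trusted installer
    store.record_write(tool, b"tool", "chrome.exe", t0)      # browser download
    out = [store.needs_scan(app, b"app-v1", t0 + 60)[1],
           store.needs_scan(tool, b"tool", t0 + 60)[1]]
    store.apply_content_update({sha256_hex(b"app-v1")})    # content update revokes v1
    out.append(store.needs_scan(app, b"app-v1", t0 + 120)[1])
    store.record_write(app, b"app-v2", "msiexec.exe", t0 + 200)
    out.append(store.needs_scan(app, b"app-v2", t0 + 200 + 3601)[1])   # TTL passed
    store.record_write(app, b"app-v3", "setup.exe", t0 + 4000)
    out.append(store.needs_scan(app, b"tampered", t0 + 4001)[1])       # tampered on disk
    return out


if __name__ == "__main__":
    for reason in demo():
        print(reason)
```

The entry is bound to the file hash rather than only to the path so that a later write by an untrusted process, or on-disk tampering, loses the exemption; the TTL bounds how long a stale trust decision can persist even without a revoking content update.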
AMCore Integration: Context and Reputation
• Next-generation anti-malware framework
• Traditional AV techniques are not abandoned
• Uses cloud lookups for known black/white
• Uses traditional generic heuristics
• Cleanly sorts out black and white
AMCore Integration: Adaptive Behavioral Scanning
• Next-generation anti-malware framework
• Malware families follow certain behavioral patterns
• Observe what untrusted apps and processes do, looking for suspicious behavior
  • If something suspicious is seen, increase the event monitoring for that process
  • Get aggressive, but in a highly targeted way!
• Keep track of the events in a local DB
• Extensible framework for incorporating anti-malware scanners and engines
• Protects 20 million+ consumer nodes today
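Process inheritance (trusted processes get a limited event set, suspicious ones the full set) and adaptive behavioral scanning (widen monitoring for a process once it misbehaves, and keep its events in a local store) combine into one per-process monitoring level. The following is an added example for this page, not McAfee code: the event names, the three behavioral rules, the escalation threshold and the sample event stream are all constructed.

```python
"""Added illustration (not McAfee code) of process inheritance plus
adaptive behavioral scanning. A trusted process has only a limited set of
events inspected, an untrusted one the full set, and a process that shows
suspicious behavior is escalated so all of its events are inspected and
kept in a local event store. Event names, rules and the escalation
threshold are constructed for the example."""
from collections import defaultdict

LIMITED_EVENTS = {"process_create", "image_load"}            # assumed
FULL_EVENTS = LIMITED_EVENTS | {"file_write", "registry_set",
                                "network_connect", "code_inject"}
ESCALATION_SCORE = 2    # assumed: second suspicious event becomes a detection


def is_suspicious(event: dict) -> bool:
    """Constructed behavioral rules modelled on common malware patterns."""
    kind = event["type"]
    if kind == "process_create":
        return "-encodedcommand" in event.get("cmdline", "").lower()  # obfuscated PowerShell
    if kind == "registry_set":
        return "\\currentversion\\run" in event.get("key", "").lower()  # Run-key persistence
    if kind == "file_write":
        path = event.get("path", "").lower()
        return path.endswith(".exe") and "\\temp\\" in path            # executable dropped in Temp
    return kind == "code_inject"                                       # writes into another process


class ProcessMonitor:
    def __init__(self):
        self.level = {}                     # pid -> "trusted" | "untrusted" | "suspicious"
        self.score = defaultdict(int)
        self.event_db = defaultdict(list)   # local event store per pid

    def start(self, pid: int, parent_trusted: bool) -> None:
        # Inheritance: a child of a trusted process starts out trusted.
        self.level[pid] = "trusted" if parent_trusted else "untrusted"

    def monitored(self, pid: int) -> set:
        return LIMITED_EVENTS if self.level[pid] == "trusted" else FULL_EVENTS

    def on_event(self, pid: int, event: dict) -> str:
        if event["type"] not in self.monitored(pid):
            return "skipped"                # outside this process's event set
        self.event_db[pid].append(event)    # retained for later forensics
        if not is_suspicious(event):
            return "inspected"
        self.score[pid] += 1
        self.level[pid] = "suspicious"      # widen to the full event set from now on
        return "detected" if self.score[pid] >= ESCALATION_SCORE else "escalated"


def demo():
    """Run a constructed event stream through the monitor."""
    mon = ProcessMonitor()
    mon.start(100, parent_trusted=True)     # e.g. spawned by a trusted installer
    mon.start(200, parent_trusted=False)    # e.g. spawned by a browser
    run_key = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
    events = [
        (100, {"type": "registry_set", "key": run_key, "value": "x"}),
        (200, {"type": "network_connect", "dst": "203.0.113.10:443"}),
        (200, {"type": "file_write", "path": r"C:\Users\bob\AppData\Local\Temp\upd.exe"}),
        (200, {"type": "registry_set", "key": run_key, "value": "upd"}),
        (100, {"type": "process_create", "cmdline": "powershell.exe -EncodedCommand SQBFAFgA"}),
        (100, {"type": "registry_set", "key": run_key, "value": "y"}),
    ]
    decisions = [mon.on_event(pid, ev) for pid, ev in events]
    counts = {pid: len(evs) for pid, evs in mon.event_db.items()}
    return decisions, dict(mon.level), counts


if __name__ == "__main__":
    print(demo())
```

Note the trade-off the first event exposes: while process 100 is still trusted, its Run-key write is not even inspected, because registry events are outside the limited set. Only after it spawns encoded PowerShell does it lose that standing, and its next Run-key write is then both recorded and counted toward the detection.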
AMCore Integration: Telemetry and False Mitigation
• Next-generation anti-malware framework
• Behavioral detection is more prone to false positives, so AMCore runs false-detection prevention checks for every detection:
  • Local check of the file's signature against a list of trusted publishers
  • Cloud GTI reputation check against the hash of the file
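The two checks above gate a behavioral detection before it is acted on. The following is an added example for this page, not McAfee code: the trusted-publisher list, the reputation table that stands in for the GTI cloud and the sample detections are constructed, and real Authenticode verification is represented by a `signature_valid` flag rather than implemented.

```python
"""Added illustration (not McAfee code) of the two false-mitigation checks
applied to every behavioral detection: a local check that the file is
validly signed by a publisher on a trusted list, then a reputation lookup
of the file hash. The publisher list, the reputation table standing in
for the GTI cloud, and the sample detections are constructed; Authenticode
verification is out of scope and is represented by `signature_valid`."""
import hashlib

TRUSTED_PUBLISHERS = {"Microsoft Windows", "Example Corp"}    # assumed list

# Constructed stand-in for a cloud reputation service keyed by SHA-256.
REPUTATION = {
    hashlib.sha256(b"known-good-updater").hexdigest(): "known_trusted",
    hashlib.sha256(b"known-bad-dropper").hexdigest(): "known_malicious",
}


def lookup_reputation(sha256_hex: str) -> str:
    return REPUTATION.get(sha256_hex, "unknown")


def publisher_trusted(detection: dict) -> bool:
    """Local check: the signature must verify AND the signer must be on the
    list. A trusted name on an invalid signature is exactly what a forger
    presents, so both conditions are required."""
    return bool(detection.get("signature_valid")) and \
        detection.get("signer") in TRUSTED_PUBLISHERS


def triage(detection: dict) -> dict:
    """Final disposition for one behavioral detection."""
    digest = hashlib.sha256(detection["content"]).hexdigest()
    rep = lookup_reputation(digest)
    if rep == "known_malicious":
        # A bad reputation overrides a (possibly stolen) trusted signature.
        return {"action": "block", "reason": "known malicious hash"}
    if publisher_trusted(detection):
        return {"action": "suppress", "reason": "signed by trusted publisher"}
    if rep == "known_trusted":
        return {"action": "suppress", "reason": "known trusted hash"}
    return {"action": "block", "reason": "behavioral detection stands"}


def demo():
    """Constructed detections; `signature_valid` stands in for a real
    Authenticode verification result."""
    detections = [
        {"path": r"C:\Program Files\Example\updater.exe", "content": b"known-good-updater",
         "signer": "Example Corp", "signature_valid": True},
        {"path": r"C:\Users\bob\AppData\Local\Temp\svc.exe", "content": b"known-bad-dropper",
         "signer": "Microsoft Windows", "signature_valid": True},   # stolen-certificate scenario
        {"path": r"C:\Users\bob\Downloads\new.exe", "content": b"never-seen-binary",
         "signer": None, "signature_valid": False},
        {"path": r"D:\share\updater.exe", "content": b"known-good-updater",
         "signer": "Example Corp", "signature_valid": False},       # signature broken, hash known
        {"path": r"C:\Tools\helper.exe", "content": b"internal-tool",
         "signer": "Example Corp", "signature_valid": False},       # name claimed, signature invalid
    ]
    return [triage(d) for d in detections]


if __name__ == "__main__":
    for d in demo():
        print(d)
```

The ordering matters: a known-malicious hash wins over a valid trusted signature, because signing keys do get stolen, while an unknown file with no valid signature gets no benefit of the doubt and the behavioral detection is allowed to stand.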
AMCore Integration: Performance and Future Expansion
• Next-generation anti-malware framework
• AMCore is a framework that allows future scanners and content to be deployed without requiring point-product binary updates
• V3 DAT is ~40% the size of the traditional AVV DAT
• Extensible framework for incorporating anti-malware scanners and engines
• Protects 20 million+ consumer nodes today
AMCore Integration - Summary
• Next-generation anti-malware framework
V3 DAT Facts
• https://kc.mcafee.com/corporate/index?page=content&id=KB82396
Exploit Prevention
How to Migrate
What Customers Get ENS 10.1
Endpoint Security Migration
Regression-free, seamless migration support from the current and previous versions of VSE, HIPS, and SAE. Incremental upgrade, not a "forklift".
Endpoint Migration Assistant
• ePO Extension
• Migration Modes
  • Manual
  • Automatic
• Migration Objects
  • Policies
  • Client Tasks
Policy Migration
• Preview policy migration results
• Migrated items are created
• Manually assign migrated items
Policy Migration
• McAfee Default policies do NOT migrate
  • The Endpoint Security McAfee Default policy is assigned wherever the legacy McAfee Default policy was assigned
• Policy Names
  • Automatic Migration
    • One-to-one policy migration keeps the original policy name
    • Multiple-to-one policy migration names begin with 'Migrated' and append incremental numbers
      • For example: Migrated VSE Policy-1 and Migrated VSE Policy-2
  • Manual Migration
    • One-to-one policy category migration maintains the source policy name
    • Multiple-to-one policy category migration requires typing a name
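The naming rules above, applied across a set of legacy policies, look like this. The following is an added example for this page, not McAfee code: the legacy-to-ENS category mapping is constructed (the product's real mapping table is not reproduced here), the legacy policies and system groups are sample data, and the rule that a multiple-to-one category produces one merged policy per distinct combination of legacy policies assigned together is an assumption of the model.

```python
"""Added illustration (not McAfee code) of the policy-naming rules.
Legacy policies are grouped by the Endpoint Security category they migrate
into. A one-to-one category keeps the legacy name; a multiple-to-one
category is named 'Migrated <product> Policy-N' in automatic mode or takes
an administrator-supplied name in manual mode; a McAfee Default policy is
not migrated and the Endpoint Security McAfee Default is assigned instead.
CATEGORY_MAP, the sample policies and the 'one merged policy per distinct
assigned combination' rule are assumptions made for this example."""

# Constructed mapping: legacy (product, category) -> ENS (module, category).
CATEGORY_MAP = {
    ("VSE", "On-Access General"): ("Threat Prevention", "On-Access Scan"),
    ("VSE", "On-Access Default Processes"): ("Threat Prevention", "On-Access Scan"),
    ("VSE", "Access Protection"): ("Threat Prevention", "Access Protection"),
    ("HIPS", "Firewall Rules"): ("Firewall", "Rules"),
}

# Constructed legacy policies; assigned_to lists the system groups using each.
LEGACY = [
    {"product": "VSE", "category": "On-Access General", "name": "OAS General - Servers",
     "is_default": False, "assigned_to": ["Servers"]},
    {"product": "VSE", "category": "On-Access General", "name": "McAfee Default",
     "is_default": True, "assigned_to": ["Workstations"]},
    {"product": "VSE", "category": "On-Access Default Processes", "name": "OAS Processes - Servers",
     "is_default": False, "assigned_to": ["Servers"]},
    {"product": "VSE", "category": "On-Access Default Processes", "name": "OAS Processes - Workstations",
     "is_default": False, "assigned_to": ["Workstations"]},
    {"product": "VSE", "category": "Access Protection", "name": "AP - Strict",
     "is_default": False, "assigned_to": ["Servers", "Workstations"]},
    {"product": "HIPS", "category": "Firewall Rules", "name": "McAfee Default",
     "is_default": True, "assigned_to": ["Servers", "Workstations"]},
]

# Manual mode: administrator-typed names keyed by the merged legacy combination.
MANUAL_NAMES = {
    ("OAS Processes - Servers", "OAS General - Servers"): "Servers OAS",
    ("OAS Processes - Workstations", "McAfee Default"): "Workstations OAS",
}


def migrate_policies(legacy, mode="automatic", manual_names=None):
    """Return {ens_category: [policy names created or assigned]}."""
    manual_names = manual_names or {}
    by_target = {}
    for p in legacy:
        by_target.setdefault(CATEGORY_MAP[(p["product"], p["category"])], []).append(p)
    result = {}
    for target, members in sorted(by_target.items()):
        names = result.setdefault(target, [])
        source_cats = sorted({m["category"] for m in members})
        if len(source_cats) == 1:
            # One-to-one: legacy name kept; McAfee Default is not migrated,
            # the Endpoint Security McAfee Default is assigned instead.
            names.extend("McAfee Default" if m["is_default"] else m["name"] for m in members)
            continue
        # Multiple-to-one: one merged policy per distinct combination of legacy
        # policies assigned together (assumes every group has one policy per category).
        combos = {}
        for m in members:
            for group in m["assigned_to"]:
                combos.setdefault(group, {})[m["category"]] = m
        created = {}                          # combination -> ENS policy name
        for group in sorted(combos):
            key = tuple(combos[group][c]["name"] for c in source_cats)
            if key in created:
                continue
            if all(combos[group][c]["is_default"] for c in source_cats):
                name = "McAfee Default"
            elif mode == "automatic":
                n = sum(1 for v in created.values() if v.startswith("Migrated ")) + 1
                name = f"Migrated {members[0]['product']} Policy-{n}"
            else:
                name = manual_names[key]      # manual mode requires a typed name
            created[key] = name
            names.append(name)
    return result


if __name__ == "__main__":
    for target, names in migrate_policies(LEGACY).items():
        print(target, "->", names)
```

Running it in automatic mode yields exactly the slide's example for the merged on-access category, "Migrated VSE Policy-1" and "Migrated VSE Policy-2", while the one-to-one Access Protection policy keeps its name and the legacy HIPS default is replaced by the Endpoint Security McAfee Default.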
VirusScan Enterprise 8.8 Policy Migration Mapping
Deployment Options
Endpoint Security 10 Client
• Security Management: McAfee ePO™, Agent, SaaS Endpoint Connector, Client UI
• Module features: Adaptive Mode, Access Protection, Exploit Protection, Site Categorization, ScriptScan, DNS Blocking, Right Click Scan, Browser Plugin
• Common Components: Business Logic Framework, Logger, Location Monitor, License Manager, Global Threat Intelligence, Exploit Prevention Driver, Link Driver, Network Driver, Validate Trust Protect, Threat Event Storage
• Managed Service
Deployment Flexibility