
McAfee Endpoint Security 10

Next-Generation Endpoint Security


NEEU Partner Session | Friday 15th of January 2016
Michiel de Lepper | Inside Channel Technical Enablement
Traditional Architecture for Endpoint Security

(Diagram: every product ships its own agent and its own management console: Anti-Malware, DLP, Encryption, HIPS, White listing, EDR agent and EDR console, Systems Management Agent and Management console.)

Intel Security Confidential
Endpoint Security: Focus Areas

(Diagram: four focus areas, Performance, Integration, Protection and Simplicity, grouped under Security Connected, Endpoint Security and Hardware Assisted.)
Agenda
• Under the hood
• Redesigned Modules
• Changes in EP10.1
• AMCore Framework
• How to Migrate
• Deployment Options



Under the Hood
New Platform Architecture
Endpoint Security Platform
A framework to simplify today, built with the future in mind

Before: VSE, HIPS, SiteAdvisor and each future module shipped its own copy of the common components and its own kernel-mode drivers.
Endpoint Security Platform
A framework to simplify today, built with the future in mind

New Endpoint Security Client: Threat Prevention, Firewall, Web Control, TIE and future modules share one set of common components and one set of kernel-mode drivers.
Endpoint Security Platform Architecture
Endpoint Security 10 Client (architecture diagram, reconstructed as a list):

• Security Management: McAfee ePO™ Agent, Client UI, SaaS Endpoint Connector
• Firewall: Stateful Firewall, Adaptive Mode, DNS Blocking
• Threat Prevention: On-Access Scanner, On-Demand Scanner, Access Protection, Exploit Protection, ScriptScan, Right Click Scan
• Web Control: Site Ratings, Site Categorization, Browser Plugin
• Common Components: Business Logic Framework, Logger, Location Monitor, License Manager, Global Threat Intelligence, Self Protection, Scheduler, Package Manager, System Information, Password Manager, Threat Event Manager, McAfee Master Service, Validate Trust Protect, Threat Event Storage Service
• Kernel Mode Drivers: AMCore Detection, Cleaning and Event Drivers; Arbitrary Access Control Driver; FireCore Driver; Exploit Prevention Driver; Link Driver; Network Driver
Endpoint Security Platform Architecture - Common Components
(Same client architecture diagram as the previous slide, with the Common Components layer highlighted.)
Redesigned Modules

Endpoint Security Platform Architecture - Modules
(Same client architecture diagram, with the modules highlighted. Threat Intelligence, providing Reputation-based Execution, is an additional module alongside Firewall, Threat Prevention and Web Control.)
Threat Prevention

• Checks for viruses, spyware, unwanted programs, and other threats by scanning items automatically when users access them or on demand at any time.
• On-access and on-demand scanning
• Enhanced Exploit Protection (DEP, GBOP, Kevlar Sigs., SMEP)
• Access Protection rules
• AMCore

(Module box: On-Access Scanner, On-Demand Scanner, Access Protection, Exploit Protection, ScriptScan, Right Click Scan)
Threat Prevention: Exploit Prevention
• Generic Buffer Overflow Protection (GBOP)
  • Content-driven protection for a specific list of APIs against buffer overflow attacks
• Kevlar Signatures and Suspect Call Validation
• Supervisor Mode Execution Protection (SMEP)
  • Intel technology in Ivy Bridge and newer CPUs
  • Exploit Prevention monitors and reports SMEP violations
• Data Execution Prevention (DEP)
  • Microsoft OS feature that prevents harmful code from running in system memory
  • Exploit Prevention monitors and reports when DEP is triggered
Firewall

• Application-aware firewall
• Control inbound and outbound traffic
• Reduce attack surface to prevent intrusions

(Module box: Stateful Firewall, Adaptive Mode, DNS Blocking)
ENS 10.1 vs HIPS
ENS 10.1 Will Co-Exist with HIPS 8.0!

• ENS 10.1 does not replace HIPS
• Only the Firewall component of HIPS is replaced
• ENS 10.1 has exploit prevention
  • Generic Buffer Overflow Protection (GBOP)
  • Data Execution Prevention (DEP)
  • Kevlar
  • Suspicious Caller
• Advanced Access Protection supports protection against emergent malware, just as HIPS does

Customer Positioning
• Full HIPS module planned for next release in 2016
• HIPS 8.8 can co-exist with ENS
• Exploit Prevention of TP provides limited HIPS-like functionality
• TIE Module adds an additional layer of protection against advanced threats
Host IPS to ENS 10.1 Mapping
(Comparison table, HIPS vs ENS 10.1; the per-feature support marks were not preserved in this copy, only the row labels and the two text cells.)

Intrusion Prevention (HIPS | ENS 10.1)
• Access Protection (AP)
• Custom IPS (AP) rules support
• NIPS Signature
• SQL Server and IIS Server protection

Exploit Mitigation (Memory Protection) (HIPS | ENS 10.1)
• Generic Buffer Overflow (GBOP)
• Suspicious Caller
• Dynamic API Protection
• General Privilege Escalation (GPEP)
• Data Execution Protection (DEP)
• Supervisor Mode Execution Prevention (SMEP)

Signature and Rules Management (HIPS | ENS 10.1)
• Signature Severity Support: High, Medium and Low | High and Medium
• Memory Protection Management Flexibility in ePO: Very granular | Basic

With improved AP and new mitigation techniques, ENS enhances the ability to block emergent malware while providing base rules management.


Web Control

Displays safety ratings and reports for websites during online browsing and searching. Web Control enables the site administrator to block access to websites based on safety rating or content.

• Web site ratings
• Web site categorizations
• On-demand scan trigger for downloads

(Module box: Site Ratings, Site Categorization, Browser Plugin)
Threat Intelligence Exchange – Reputation Based Execution
Enhances ENS with adaptive threat prevention

(Diagram, reconstructed as a list)
• Open, Connected Ecosystem: network, gateway, endpoint and cloud-based countermeasures and intelligence
• Intel Security Threat Intelligence Feeds, 3rd Party Solutions and Partners
• Data Exchange Layer: ultra-fast persistent bidirectional messaging fabric
• TIE Server: centralized visibility and control, incident response knowledgebase, local prevalence intelligence
• Integrated Endpoints: TIE Endpoint Module, execution-time reputation inspection and protection
• Threat Intelligence (additional module): Reputation-based Execution
Changes in EP10.1



McAfee Endpoint Security 10.1 | Client
• Smarter, Faster Scans
• Password Protected
• Touch friendly GUI
• Basic / Advanced Client Settings
• Human Readable Events
• Integrated Modules
• Smart, Modular, Scalable Design


Flexible Management Options
• ePO
• ePO Cloud
• Self-Managed

(Diagram: the Endpoint Security 10.x Client can be managed by any of the three.)
Maximized Performance
Faster than HIPS 8, SAE 3.5 and VSE 8.8

(Chart: scan time comparison of Endpoint 10 vs legacy over the 1st, 2nd and 3rd scan.)

Faster performance on:
• Full and quick system scans
• Booting system
• Suspend, hibernate, and resume
• Network operations (UNC File Copy)

Lower system impact on:
• CPU utilization
• When scanning while the user is active


Zero Impact User Scans

• Scans only run when the device is idle, and resume after shutdown or restart
• Idle state is determined by monitoring disk utilization
• Scan pauses when system use resumes and continues at the next idle time
• Scan always starts from where it left off
• Reboot doesn’t terminate the scan
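The scan scheduling described on this slide, as an added illustration that is not McAfee code: idle state is derived from disk utilisation, the scan only advances while the machine is idle, progress is checkpointed after every file, and a later window (including one after a simulated reboot, where only the checkpoint store survives) continues from the checkpoint. The busy threshold, the checkpoint store, the file list and the task name are constructed assumptions.

```python
"""Idle-aware, resumable on-demand scan: added illustration, not McAfee code."""
from dataclasses import dataclass, field
from typing import Callable, Iterable

# Assumed threshold: disk utilisation at or above this fraction means the user is active.
DISK_BUSY_THRESHOLD = 0.10


@dataclass
class CheckpointStore:
    """Constructed stand-in for persisted scan state that survives a reboot.
    Maps a scan task name to the index of the next file to scan."""
    positions: dict = field(default_factory=dict)

    def load(self, task: str) -> int:
        return self.positions.get(task, 0)

    def save(self, task: str, index: int) -> None:
        self.positions[task] = index


def is_idle(disk_utilisation: float) -> bool:
    """Idle state is determined from disk utilisation, as the slide describes."""
    return disk_utilisation < DISK_BUSY_THRESHOLD


def run_scan_window(task: str, files: list, store: CheckpointStore,
                    disk_samples: Iterable[float],
                    scan_file: Callable[[str], None]) -> int:
    """Scan files for as long as the machine stays idle.

    Each disk sample is the utilisation measured in the time slot for one file.
    The scan pauses as soon as the system is in use and is resumed by the next
    call; progress is checkpointed after every file, so a pause, shutdown or
    reboot never loses work. Returns the number of files scanned in this window.
    """
    index = store.load(task)          # always start from where we left off
    scanned = 0
    for utilisation in disk_samples:
        if index >= len(files):
            break                     # nothing left to do
        if not is_idle(utilisation):
            break                     # user became active: pause until the next idle time
        scan_file(files[index])
        index += 1
        store.save(task, index)       # checkpoint after every file
        scanned += 1
    return scanned


def is_complete(task: str, files: list, store: CheckpointStore) -> bool:
    return store.load(task) >= len(files)


def demo() -> list:
    """Two scan windows separated by a simulated reboot; returns the scan order."""
    files = [f"C:\\data\\file{i}.bin" for i in range(6)]   # constructed file list
    store = CheckpointStore()
    order: list = []
    # Window 1: idle for two slots, then the user starts working (disk busy).
    run_scan_window("weekly-full", files, store, [0.02, 0.04, 0.55], order.append)
    # "Reboot": in-memory scanner state is gone; only the checkpoint store persists.
    run_scan_window("weekly-full", files, store, [0.01] * 10, order.append)
    return order


if __name__ == "__main__":
    print(demo())
```

Checkpointing after every file is what makes "reboot doesn't terminate the scan" cheap to provide; a real scanner would also have to handle the file list changing between windows, which this sketch does not.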
Detailed Threat Forensics

Actionable, real-time threat intelligence

Example event text shown in the client: “BEAQA\JBlaine ran DLLHOST.EXE which attempted to access C:\PROGRAM FILES\McAfee\Endpoint\ in a manner which violates self-protection rules and was blocked”

• More details on attack sources and destinations
• Delivers actionable intelligence explained in simple language
• Available via the client UI and McAfee ePO
Detailed Threat Information
(Table of event fields grouped by column. The extracted layout does not preserve every field's column, so the grouping below is approximate.)

• MACHINE: Host Name, Ipv4 Address, Ipv6 Address, Mac, Location, Protocol, User Name
• TARGET: Ipv4 Address, Ipv6 Address, Port, Url, Share Name, Mac, Modify Time, Access Time, Create Time, Process Name, Hash, Signed, Signer, Parent Process Hash, Parent Process Signed, Parent Process Signer, Name, Path, File Size, Device Display Name, Device Serial Number, Device VID, Device PID, Description
• SOURCE: Ipv4 Address, Ipv6 Address, Port, Url, Share Name, Mac, User Name, Process Name, Hash, Signed, Signer, Parent Process Name, Parent Process Hash, Parent Process Signed, Parent Process Signer, File Path, File Size, Modify Time, Access Time, Create Time, Description
• ADDITIONAL: Cleanable, Task Name, API Name, First Attempted Action, Second Attempted Action, First Action Status, Second Action Status, Event ID Description, Natural Language Description, Duration Before Detection, Attack Vector Type, Direction, ICMP Type, Firewall Event Type, Throttled Event Count
• DETECTION FEATURE: Name, Version, Content Version, Content Creation Date, Rule ID, Rule Name, Reg Info, Detected On Create
• THREAT DATA: Event ID, Severity, Name, Type, Action Taken, GTI Query, Handled, Impact

Helps understand and track attacks better.


Simplified Policy Management: fewer categories

Simplified Policy Management: one tab only

Simplified Policy Management: Common Policies for Windows and Mac

Configurable On Demand and Right-Click Scans
AMCore Framework



AMCore Integration
• Next-generation anti-malware framework

(Diagram: context and reputation aware; built-in false mitigation; intelligent trust; adaptive scanning; performance and future expansion. Extensible framework for incorporating anti-malware scanners and engines. Protects 20 million+ consumer nodes today.)

• Enhances what’s working well today with additional scanners: false mitigation, scan avoidance, and self-learning capabilities.
• DAT size reduction.
• Extensible.
AMCore Integration: Intelligent Trust
• Scan Avoidance
  • Files placed by a trusted installer are trusted and not scanned
  • Trust can be revoked via a content update, and is subject to a “time to live” before automatic rescanning
• Process Inheritance
  • Trusted processes have a limited set of their events scanned
  • Suspicious processes have a full set of their events scanned
• Performance\Security Gain
  • Resources freed by not scanning as often
  • More aggressive scans possible when necessary
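Scan avoidance with revocable, time-limited trust, as an added example that is not AMCore's implementation: a file dropped by an installer on a trusted-installer list is recorded with its content hash and a time to live; a content update revokes trust by hash; modification of the file, revocation or TTL expiry each force a rescan. The TTL, the installer names, the hash choice and the injectable clock are assumptions.

```python
"""Revocable, time-limited scan-avoidance trust: added example, not AMCore code."""
import hashlib
import time
from dataclasses import dataclass
from typing import Callable, Dict, Set


@dataclass
class TrustRecord:
    sha256: str        # hash of the file content when the installer placed it
    expires_at: float  # time to live: after this the file is rescanned automatically
    installer: str     # trusted installer that placed the file


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class TrustStore:
    def __init__(self, trusted_installers: Set[str], ttl_seconds: float,
                 clock: Callable[[], float] = time.time) -> None:
        self.trusted_installers = trusted_installers
        self.ttl_seconds = ttl_seconds
        self.clock = clock                        # injectable so tests can move time
        self.records: Dict[str, TrustRecord] = {}
        self.revoked_hashes: Set[str] = set()     # filled by content updates

    def record_install(self, path: str, data: bytes, installer: str) -> bool:
        """Record a file dropped by an installer; only trusted installers confer trust."""
        if installer not in self.trusted_installers:
            return False
        digest = sha256_hex(data)
        if digest in self.revoked_hashes:
            return False                          # never trust content already revoked
        self.records[path] = TrustRecord(digest, self.clock() + self.ttl_seconds, installer)
        return True

    def apply_content_update(self, revoked_hashes: Set[str]) -> int:
        """A content update revokes trust by hash; returns how many records were dropped."""
        self.revoked_hashes |= set(revoked_hashes)
        doomed = [p for p, r in self.records.items() if r.sha256 in self.revoked_hashes]
        for path in doomed:
            del self.records[path]
        return len(doomed)

    def needs_scan(self, path: str, data: bytes) -> bool:
        """True if the on-access scanner must scan the file; False if trust lets it skip."""
        record = self.records.get(path)
        if record is None:
            return True                           # never trusted, or trust already dropped
        if record.sha256 != sha256_hex(data):
            del self.records[path]                # modified since placement: trust is void
            return True
        if self.clock() >= record.expires_at:
            del self.records[path]                # TTL expired: automatic rescan
            return True
        return False
```

Binding the record to a content hash rather than to the path alone is what keeps the optimisation safe: anything that rewrites a trusted file loses the exemption, and the TTL bounds how long a stale trust decision can persist even when no content update ever names the file.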
AMCore Integration: Context and Reputation
• Traditional AV techniques not abandoned
• Uses cloud lookups for known black/white
• Uses traditional generic heuristics
• Cleanly sorts out black and white
• What do you do with what’s left?
AMCore Integration: Adaptive Behavioral Scanning
• Malware families follow certain behavioral patterns
• Observe what untrusted apps and processes do, looking for suspicious behavior
• If something suspicious is seen, increase the event monitoring for that process
• Get aggressive, but in a highly targeted way!
• Keep track of the events in a local DB
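The per-process escalation described here, together with the process-inheritance point from the Intelligent Trust slide (trusted processes get a limited set of events scanned, suspicious ones the full set), as an added example that is not AMCore's code: each process starts at a monitoring level derived from its signer, scanned events are kept in a local SQLite table, and the first suspicious event moves only that process to full monitoring. The event taxonomy, the trusted signer names and the three levels are constructed assumptions.

```python
"""Per-process adaptive event monitoring with a local event DB: added example, not AMCore code."""
import sqlite3
from enum import Enum
from typing import Dict, List, Optional, Set


class MonitorLevel(Enum):
    LIMITED = "limited"   # trusted process: only a small subset of events scanned
    NORMAL = "normal"     # untrusted process: subset plus behaviours worth watching
    FULL = "full"         # suspicious process: every event scanned


# Constructed event taxonomy (assumption, not AMCore's).
LIMITED_EVENTS = {"process_start", "file_write_executable"}
SUSPICIOUS_EVENTS = {"inject_remote_thread", "write_run_key", "disable_security_service"}


class ProcessMonitor:
    def __init__(self, trusted_signers: Set[str]) -> None:
        self.trusted_signers = trusted_signers
        self.levels: Dict[int, MonitorLevel] = {}
        # Local DB of scanned events (in-memory here; on disk in a real product).
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE events (pid INTEGER, event TEXT, level TEXT)")

    def register(self, pid: int, signer: Optional[str]) -> MonitorLevel:
        """Trusted processes inherit limited monitoring; everything else starts at normal."""
        level = MonitorLevel.LIMITED if signer in self.trusted_signers else MonitorLevel.NORMAL
        self.levels[pid] = level
        return level

    def _should_scan(self, level: MonitorLevel, event: str) -> bool:
        if level is MonitorLevel.FULL:
            return True
        if level is MonitorLevel.NORMAL:
            return event in LIMITED_EVENTS or event in SUSPICIOUS_EVENTS
        return event in LIMITED_EVENTS

    def observe(self, pid: int, event: str) -> bool:
        """Scan (record) the event if the process's level covers it; escalate on suspicion.
        Returns True when the event was scanned."""
        level = self.levels[pid]
        if not self._should_scan(level, event):
            return False
        self.db.execute("INSERT INTO events VALUES (?, ?, ?)", (pid, event, level.value))
        if event in SUSPICIOUS_EVENTS and level is not MonitorLevel.FULL:
            self.levels[pid] = MonitorLevel.FULL   # get aggressive, but only for this process
        return True

    def level(self, pid: int) -> MonitorLevel:
        return self.levels[pid]

    def event_count(self, pid: int) -> int:
        (n,) = self.db.execute("SELECT COUNT(*) FROM events WHERE pid = ?", (pid,)).fetchone()
        return n

    def history(self, pid: int) -> List[str]:
        rows = self.db.execute(
            "SELECT event FROM events WHERE pid = ? ORDER BY rowid", (pid,))
        return [event for (event,) in rows]
```

Escalation is one-way and per process, which is the "highly targeted" part: the extra scanning cost lands only on the process that misbehaved, while a trusted process keeps its reduced event set until trust is revoked by the mechanisms on the Intelligent Trust slide.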
AMCore Integration: Telemetry and False Mitigation
• If you use behavioral detection, you’re more likely to false. AMCore uses false detection prevention checks for every detection:
  • Local check of signed files against a list of trusted publishers
  • Cloud GTI reputation check against the hash of the file
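The two checks above as a pipeline, added here as an example and not AMCore's implementation: the cheap local publisher check runs first and, if it clears the file, the cloud is never queried; otherwise the file's SHA-256 is looked up and a known-good verdict suppresses the detection, while known-bad or unknown lets it stand. The publisher list, the cloud stub and its verdicts, and the sample files are all constructed; the signer is assumed to come from a signature already verified by the caller.

```python
"""Two-stage false-detection mitigation: added example, not AMCore's implementation."""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Detection:
    path: str
    content: bytes
    signer: Optional[str]   # publisher from an already-verified signature, None if unsigned
    rule: str               # name of the behavioural rule that fired


# Constructed local list of trusted publishers (assumption).
TRUSTED_PUBLISHERS = {"Example Software Publisher"}


class ReputationCloud:
    """Constructed stand-in for a cloud reputation service keyed by SHA-256 hash.
    Returns 'known_good', 'known_bad' or 'unknown' and counts queries made."""

    def __init__(self, verdicts: Dict[str, str]) -> None:
        self.verdicts = verdicts
        self.queries = 0

    def lookup(self, digest: str) -> str:
        self.queries += 1
        return self.verdicts.get(digest, "unknown")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def confirm_detection(det: Detection, cloud: ReputationCloud) -> Tuple[bool, str]:
    """Return (confirmed, reason).

    The detection is suppressed when either check vouches for the file: first the
    local publisher check (no network round trip), then the cloud hash lookup,
    which is only made when the local check did not clear the file.
    """
    if det.signer is not None and det.signer in TRUSTED_PUBLISHERS:
        return False, f"suppressed: signed by trusted publisher {det.signer!r}"
    verdict = cloud.lookup(sha256_hex(det.content))
    if verdict == "known_good":
        return False, "suppressed: cloud reputation known good"
    if verdict == "known_bad":
        return True, f"confirmed: cloud reputation known bad ({det.rule})"
    return True, f"confirmed: no trust evidence for the file ({det.rule})"
```

Letting a trusted publisher short-circuit the cloud lookup is the performance trade-off the slide implies; the cost is that a publisher whose signing key is later abused can only be handled by removing it from the local list, which is exactly the kind of change the content-update revocation on the Intelligent Trust slide exists for.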
AMCore Integration: Performance and Future Expansion
• AMCore is a framework that allows us to deploy future scanners and content without requiring point product binary updates
• V3 DAT is ~40% the size of traditional AVV DAT
AMCore Integration - Summary
• Next-generation anti-malware framework: context and reputation aware, built-in false mitigation, intelligent trust, adaptive scanning, performance and future expansion
• Enhances what’s working well today with additional scanners: false mitigation, scan avoidance, and self-learning capabilities.
• DAT size reduction.
• Extensible framework for incorporating anti-malware scanners and engines
• Protects 20 million+ consumer nodes today
V3 DAT Facts
• https://kc.mcafee.com/corporate/index?page=content&id=KB82396
• The V3 DAT incorporates a new structure that is compatible with AMCore-based products such as Endpoint Security 10
• The technology in V3 DATs has been used in McAfee Consumer products since December 2012. It is already running on tens of millions of Consumer endpoints and has been tested extensively in the field. It has also been subjected to numerous efficacy, performance, and false-positive tests by third-party organizations such as AV-Test.org and AV-Comparatives.org. As with the V2 DAT, each release of the V3 DAT undergoes extensive quality and safety testing by McAfee.
• The V3 DAT is smaller than the V2 DAT: approximately 30MB compressed.
• The V3 DAT can be managed, deployed and updated via ePO, simultaneously with V2 DATs.
Exploit Prevention

• Improved Buffer Overflow Protection includes:
  • GBOP - Generic buffer overflow protection (existing McAfee technology), x86 only
  • Kevlar Signatures and Suspect Call Validation (existing McAfee technologies), x86 and x64
  • SMEP - Supervisor Mode Execution Protection (new Intel technology in Ivy Bridge CPUs; ENS 10 monitors and reports SMEP violations), x86 and x64
  • DEP - Data Execution Prevention (Microsoft prevents harmful code from running in system memory locations reserved for Windows and other authorized programs), x86 and x64
How to Migrate



Migration Steps
1. Endpoint 10 availability
2. Check requirements
3. Migrate policies
4. Upgrade clients

What Customers Get ENS 10.1

• ALL Endpoint Customers! (suites: CEE, CEB, EPA, EPS, TSB, TSA, STP)


Requirements

• McAfee Agent: McAfee Agent 5.0 or later
• ePO: ePO 5.1.1 or later; ePO Cloud 5.2, 5.3, 5.4
• Macintosh: Mac OS X 10.10+, 10.9+
• Microsoft Workstations: Windows 10, 8.1, 8.0, 7.0, Vista
• Microsoft Server: Windows 2012 R2 Essentials/Standard/Datacenter; Windows 2008 R2 Standard/Datacenter/Enterprise/Web/Small Business Server; Windows Small Business Server 2011; Windows Embedded Standard 2009; Windows POS 1.1; Windows POS Ready 2009
Endpoint Security Migration
Regression-free, seamless migration support
from the current and previous versions of
VSE, HIPS, and SAE
Incremental upgrade – not a “forklift”

Endpoint Migration Assistant

• ePO Extension

• Migration Modes
• Manual
• Automatic

• Migration Objects
• Policies
• Client Tasks

Policy Migration

Automatic Migration:
1. Select what items you want to migrate: Policies, Client tasks
2. Migrated items are created and assigned automatically

Manual Migration:
1. Select what items you want to migrate: Policies, Client tasks, Catalog (FW only)
2. Configure policies or tasks
3. Preview policy migration results
4. Migrated items are created
5. Manually assign migrated items
6. Repeat to migrate additional items
Policy Migration
• McAfee Default policies do NOT migrate
  • The Endpoint Security McAfee Default policy is assigned if the legacy McAfee Default policy was assigned
• Policy Names
  • Automatic Migration
    • One-to-One policy migration will keep the original policy name
    • Multiple-to-One policy migration will begin with ‘Migrated’, appending incremental numbers
    • For example: Migrated VSE Policy-1 and Migrated VSE Policy-2
  • Manual Migration
    • One-to-one policy category migration will maintain the source policy name
    • Multiple-to-One policy category migration will require typing a name
VirusScan Enterprise 8.8 Policy Migration Mapping
(Mapping table shown on the slide; not preserved in this copy.)

Host IPS 8.0 Policy Migration Mapping
(Mapping table shown on the slide; not preserved in this copy.)

SiteAdvisor Enterprise 3.5 Policy Migration Mapping
(Mapping table shown on the slide; not preserved in this copy.)

Deployment Options


Deployment Options
Endpoint Security 10 Client (same client architecture diagram as above: Security Management, Firewall, Threat Prevention, Web Control, Common Components and Kernel Mode Drivers, with the deployment options called out on the Security Management layer)

Deployment options shown: ePO Cloud, ePO On-Premises, Standalone, Managed Service.
Deployment Flexibility



Why Migrate to Endpoint 10?
1. Better performance
  • First time ODS scans run more than 30% faster over legacy endpoint security
  • Boot time is 18% faster than McAfee legacy endpoint security
  • Our DAT is 55% the size of traditional AV DATs
2. More simplicity
  • Automatic migration retains policy and client task assignments
  • Regression-free, seamless migration support from VSE, HIPS FW and SAE
  • Management and deployment flexibility
3. Better protection
  • Modules collaboration
  • New access protection rules provide the ability to block hash, files, process path and name
  • Expanded memory protection includes generic buffer overflow
  • Co-existence with full Host IPS
  • Available TIE technology learns instantly across endpoint, network, gateway, and cloud security components.

McAfee ePO is the only enterprise/commercial endpoint product to offer a choice of local or a cloud-based management option.