Accuvant Solutions Architect Talks Up McAfee's Free Threat Analysis Tools10:38 AM EST Thu. Oct. 03, 2013
Businesses will be able to correlate events and monitor network behavior through two free McAfee appliances that several security experts say can help threat analysts track down and contain internal threats and malware infections.
Poorly configured and improperly tuned security appliances lead to false positives and ultimately missed incidents, said Russ Tegen, a solutions architect at Denver-based networking and security solution provider Accuvant. At the McAfee Focus Security Conference Wednesday, Tegen provided advice to network security pros in how to use the McAfee Logon Collector and the McAfee Network Threat Behavior Analysis appliance, two free tools that if implemented and configured properly could save time when investigating suspicious network activity.
Tegen said he frequently sees environments where the intrusion prevention system sensor is placed outside the firewall instead of inside. The poor configuration results in too much data, amplifying the significance of attacks that have not penetrated the network, Tegen said. Changing the configuration to monitor events behind the corporate firewall can help throttle down the "noise," he said, and give threat analysts time to investigate higher-risk incidents.
"The firewall can stop 90 percent of all those events attempting to come in, such as reconnaissance activity and other attacks, and you are really not interested in seeing those unless they get past that firewall," Tegen said. "You need to spend a lot of time determining what is relevant and not relevant to your environment. Do you really want to watch every person or car that drives past your house?"
Accuvant, FishNet Security and other large solution providers are a huge part of McAfee's channel strategy and have seen double-digit growth over the past year, said McAfee channel chief Gavin Struthers. In an interview with CRN, Struthers said channel partners with strong services teams are highly valued and increasingly relied on by McAfee's customer base for expertise in deploying and maintaining security appliances. They also can provide the skills necessary to conduct a thorough risk assessment of an environment to determine any weaknesses that can be immediately addressed to mitigate risk, Struthers said.
Like other large solution providers, Accuvant has a strong consultancy practice and managed services arm. In addition to 30 consultants dedicated to McAfee products, Tegen said the company maintains an on-demand team of consultants and analysts who provide assistance in implementing and assisting with projects. A managed services unit can take over full management and maintenance of an environment.
Tegen said some businesses don't have time to implement free tools or thoroughly investigate suspicious activity, and McAfee Logon Collector is designed to save time and increase visibility. The tool correlates network traffic with user behavior and integrates it with McAfee Firewall Enterprise, data loss prevention and McAfee's e-Policy Orchestrator (ePO) management console.
NEXT: Tools Help Speed Incident Response, Contain Threats
McAfee Logon Collector helps a threat analyst troubleshoot events detected by the intrusion prevention system. A botnet infection can be spotted down to the infected PC and stopped before it propagates throughout the network. The tool can be implemented as a stand-alone server or set up through ePO.
Investigating suspicious activity and isolating infections is becoming a highly coveted skill set at businesses, said Ricardo Vanucci Bianco, a security expert at BTGPactual, a financial firm based in Brazil. Bianco said most threats are caught by IPS/IDS sensors, but IT security teams are concerned about custom malware designed to defeat security devices and internal threats.
McAfee's Network Threat Behavior Analysis appliance is designed to have nearly complete visibility over application use and bandwidth on the network. It can detect if an employee is using BitTorrent or streaming Netflix videos, but security teams would be interested in seeing the files transferred into and out of the environment, including potentially malicious executable files that are downloaded and could signal a malware threat. It also can give threat analysts visibility into botnet activity by identifying suspicious server traffic on the network that would signal a botnet infection.
Network forensics teams investigating an incident can discover the source or destination of an IP address and gain specific information on websites visited, files that have been transferred and even email sent and received, Accuvant's Tegen said.
"From a forensics perspective it provides the kind of data that you'll need to determine if a host is compromised," Tegen said. You have a lot of visibility here into the end users and environment. ... The tools are at your disposal to make an educated guess on a false positive or true attack and how widespread that threat is."
PUBLISHED OCT. 3, 2013