McAfee Logon Collector helps a threat analyst troubleshoot events detected by the intrusion prevention system. A botnet infection can be spotted down to the infected PC and stopped before it propagates throughout the network. The tool can be implemented as a stand-alone server or set up through ePO.
Investigating suspicious activity and isolating infections is becoming a highly coveted skill set at businesses, said Ricardo Vanucci Bianco, a security expert at BTGPactual, a financial firm based in Brazil. Bianco said most threats are caught by IPS/IDS sensors, but IT security teams are concerned about custom malware designed to defeat security devices and internal threats.
McAfee's Network Threat Behavior Analysis appliance is designed to have nearly complete visibility over application use and bandwidth on the network. It can detect if an employee is using BitTorrent or streaming Netflix videos, but security teams would be interested in seeing the files transferred into and out of the environment, including potentially malicious executable files that are downloaded and could signal a malware threat. It also can give threat analysts visibility into botnet activity by identifying suspicious server traffic on the network that would signal a botnet infection.
Network forensics teams investigating an incident can discover the source or destination of an IP address and gain specific information on websites visited, files that have been transferred and even email sent and received, Accuvant's Tegen said.
"From a forensics perspective it provides the kind of data that you'll need to determine if a host is compromised," Tegen said. "You have a lot of visibility here into the end users and environment. ... The tools are at your disposal to make an educated guess on a false positive or true attack and how widespread that threat is."
PUBLISHED OCT. 3, 2013