Accuvant Solutions Architect Talks Up McAfee's Free Threat Analysis Tools


Businesses will be able to correlate events and monitor network behavior through two free McAfee appliances that several security experts say can help threat analysts track down and contain internal threats and malware infections.

Poorly configured and improperly tuned security appliances lead to false positives and ultimately missed incidents, said Russ Tegen, a solutions architect at Denver-based networking and security solution provider Accuvant. At the McAfee Focus Security Conference Wednesday, Tegen provided advice to network security pros in how to use the McAfee Logon Collector and the McAfee Network Threat Behavior Analysis appliance, two free tools that if implemented and configured properly could save time when investigating suspicious network activity.

Tegen said he frequently sees environments where the intrusion prevention system sensor is placed outside the firewall instead of inside. The poor configuration results in too much data, amplifying the significance of attacks that have not penetrated the network, Tegen said. Changing the configuration to monitor events behind the corporate firewall can help throttle down the "noise," he said, and give threat analysts time to investigate higher-risk incidents.

[Related: Misconfigured Security Appliances, Basic Missteps Central To Data Breaches: Experts]

"The firewall can stop 90 percent of all those events attempting to come in, such as reconnaissance activity and other attacks, and you are really not interested in seeing those unless they get past that firewall," Tegen said. "You need to spend a lot of time determining what is relevant and not relevant to your environment. Do you really want to watch every person or car that drives past your house?"

Accuvant, FishNet Security and other large solution providers are a huge part of McAfee's channel strategy and have seen double-digit growth over the past year, said McAfee channel chief Gavin Struthers. In an interview with CRN, Struthers said channel partners with strong services teams are highly valued and increasingly relied on by McAfee's customer base for expertise in deploying and maintaining security appliances. They also can provide the skills necessary to conduct a thorough risk assessment of an environment to determine any weaknesses that can be immediately addressed to mitigate risk, Struthers said.

Like other large solution providers, Accuvant has a strong consultancy practice and managed services arm. In addition to 30 consultants dedicated to McAfee products, Tegen said the company maintains an on-demand team of consultants and analysts who provide assistance in implementing and assisting with projects. A managed services unit can take over full management and maintenance of an environment.

Tegen said some businesses don't have time to implement free tools or thoroughly investigate suspicious activity, and McAfee Logon Collector is designed to save time and increase visibility. The tool correlates network traffic with user behavior and integrates it with McAfee Firewall Enterprise, data loss prevention and McAfee's e-Policy Orchestrator (ePO) management console.

NEXT: Tools Help Speed Incident Response, Contain Threats