Endpoint Security


Endpoint Security 301: When Products, Policies, and People Break Down the Lines of Communication

Endpoint Security 301: When Products, Policies, and People Break Down the Lines of Communication 1

Security architecture is like the ocean: no one owns it, and it is constantly affected by change. New technologies are introduced, staff changes occur, and as a result, communication suffers. I often see environments where ownership is placed into silos across teams in the enterprise, meaning IT administrators preventing threats may not get the insights uncovered by security operations teams. On the other hand, SecOps may not receive details on why a policy or configuration change has occurred. What’s more, in environments without effective integration between security tools, this lack of communication means the insights and visibilities that might benefit other stakeholders rarely travel or surface outside the immediate security team.

Add into the mix a pool of security tools that can’t co-exist — or who do so poorly in a way that causes conflicts with the other — and the situation is complicated even further. Clearly, implementing an effective, comprehensive endpoint strategy is one challenge, but maintaining that strategy is usually where the real battle begins.

A crucial part of winning this battle is ensuring that IT security administrators and SecOps work together effectively. Let’s examine how these two can do so to ensure all bases and endpoints are covered.

A Lack of Alignment Exacerbates the Skills Gap

A quick reminder: IT security teams are responsible for the health of the network and IT infrastructure, requiring them to focus on access controls, endpoint protection, and vulnerability management. SecOps teams, meanwhile, establish the rules their organization must follow to secure their environment.

Logically, these teams should work hand-in-hand, but in most enterprises, they are siloed due to functional or technical limits. Each has little visibility into what the other side is doing on a day-to-day basis, plus a complete lack of insight into longer-term strategic security initiatives. This can lead to a breakdown in rules, configurations, and escalations that has a detrimental impact on an enterprises’ infrastructure.

Lack of communication can also make it hard for IT security admins to know how to escalate and prioritize issues, as well as prevents SecOps from upskilling. For example, junior analysts can only address about 30% of alerts today. The remainder of alerts require a higher skill set to remediate, a problem that’s only compounded by the lack of qualified cybersecurity talent. In fact, some estimates expect the number of unfilled cybersecurity jobs to rise to 3.5 million by 2021, and because many SecOps tools today require significant experience to operate, communication and education will only become more critical.

Establishing Shared Visibility Between Teams

Now that we know the issues that can arise when SecOps and IT admins don’t communicate, let’s address some of the solutions and outcomes. It all starts with better, shared visibility. When each team has insight into what the other is working on, teams are no longer siloed, and less time is spent on alerts and false positives that frontline IT can handle rather than SecOps. This means that if an eventual hack or breach does occur, more time and effort can be spent on threat remediation in order to strengthen an enterprise’s endpoint environment.

Shared visibility extends into joint policy creation as well. When forming policies, if IT admins and SecOps provide their respective input, there is less of a chance of miscommunication or misconfiguration. Policy changes can be understood from the get-go by forming a holistic approach, with the necessary expertise and insights from both teams coming together to create an overarching endpoint security strategy that’s more secure.

SecOps and IT must also find a way to extend that visibility to new team members. In my experience, solving security architecture issues requires a two-pronged approach. First, the security industry should take more responsibility for designing products usable by both the most advanced security professionals and operational staff and analysts. But second, organizations must ensure that a lack of continuity at customer sites from staff rotations is maintained through documented policies to support product configurations. In other words, organizations must ensure the appropriate processes are in place to support the security tools they deploy. This historical knowledge matters because, anecdotally,I find that a significant number of escalations are addressable simply by reverting a customer environment back to default settings. New employees are unaware of this quick fix and therefore waste precious time and resources on unnecessary efforts.

Collaborating for True Endpoint Security

With these challenges in mind, we recommend the following steps.

  • Create visible, documented policies for all products and scenarios. This helps overcome a lack of communication, staff turnover, and the inability of products to integrate.
  • Conversely, seek integration and automation. And in fact, organizations are doing so, with over 70% pursuing increased automation in endpoint security, including automated detection and response.
  • Establish cross-functional collaboration in other ways. For example, require IT admins to flag threats to SecOps.
  • Review your policy book and guidelines quarterly so that the latest technology and processes can be effectively integrated into guidelines.

IT security admins and SecOps teams don’t have to — and shouldn’t — do their jobs alone. To cover all bases, they can leverage a multitude of endpoint security solutions with proactive, collaborative, and integrated technology built in. These solutions allow IT security admins and SecOps teams to focus their efforts elsewhere, such as on strategic projects, policies, and insights.

McAfee MVISION Endpoint and MVISION Mobile, for example, build machine learning (ML) algorithms and analysis into their architecture to help monitor and identify malicious behavior. Additionally, McAfee Endpoint Detection & Response combines real-time endpoint monitoring and data collection with rules-based automated response and analysis capabilities so that both IT security and SecOps can be involved in the process of fostering effective enterprise endpoint security in a way that makes both of their jobs easier.

With the proper visibility between IT security and SecOps teams, advanced security solutions not only bring an endpoint security strategy full circle but also allow for more time to be spent on collaboration and teamwork. An endpoint security strategy is only as strong as its weakest link – human, solution, or otherwise. Enterprises should ensure that their weakest link isn’t a vulnerable missing link between IT admins and SecOps.

To learn more about effective endpoint security strategy, be sure to follow us @McAfee and @McAfee_Business.


The post Endpoint Security 301: When Products, Policies, and People Break Down the Lines of Communication appeared first on McAfee Blogs.


Response Required: Why Identifying Threats With Your EDR Isn’t Enough

Response Required: Why Identifying Threats With Your EDR Isn’t Enough 2

The perpetrator was a master of disguise, outfitting himself as an employee to bypass the extensive preventive security controls and flee with the contents of the vault. Fortunately, the building was equipped with strong detection security measures, and the burglar—unaware of the location of a laser tripwire—soon set off a silent alarm. A handful of the best-equipped and most experienced officers swarmed the building just minutes later, tracing the subject to a large storage area where they found him frantically digging through the large box of documents and cramming a few in his backpack.

While the other officers stood in the hallway at the ready, one began walking toward the perp, shouting “It’s all over, buddy. This is the end of the road.” The criminal, fear-stricken, turned to run. As he began to make his way toward a freight entrance, he was dumbfounded to hear only his own footsteps reverberating off the walls. He chanced a look back at the officer, who had not moved. “You thought you could run, but we found you! You’re under arrest!” the officer shouted, still not moving a muscle. Knowing something had to be going on, the criminal took this opportunity to hurriedly backtrack to the box and grab his ill-gotten loot. He looked back at the officer, who was still frozen in place.

The criminal looked incredulously at the officer, laughed and shook his head. Feeling no threat, he slowly shuffled out with his giant box of classified documents into the night.

The “R” Is There For A Reason

What is true in the world of police is also true in the world of cybersecurity: Detection means nothing without response. And not any response, but the right response.

EDR marketing materials focus heavily on their ability to detect the largest number of the newest threats in the least amount of time. But without a broad and well-developed set of response mechanisms in place, even the best detection abilities are of little use. Unlike, say, a legacy anti-virus product, EDR isn’t a “set it and forget it” technology—you can’t just put it on your network and call it a day. Your ability to adequately respond to threats is going to depend on two factors. While having capable analysts at the helm is vital, not limiting them with inadequate tools is an equally important part of safeguarding your enterprise.

Response Options Must Be Extensive

What if our officer instead had access to a full range of response capabilities? Criminals are unpredictable, and it’s impossible to know ahead of time whether “Put your hands up!” will be sufficient, or whether you’ll need to call for backup, use a stun gun or give chase. The ability to determine the best response isn’t enough if you don’t have access to that response method.

So it goes in cybersecurity. The EDR market is sharply divided in terms of response capabilities, and the ability—or inability—to adequately respond should be a purchasing consideration. Any decent EDR will yield the necessary context and present it in a way that allows you to easily and quickly assess the situation. A good EDR will put a panoply of response capabilities at your fingertips. Should you kill the process? Restart the machine? Quarantine the box? The amount of flexibility offered can affect how quickly you’re able to handle the threat.

Ideally, according to a SANS Institute report, your EDR should have at least the following response options:
– Terminate running processes
– Prevent processes from executing based on name, path, argument, parent, publisher or hash
– Block specific processes from communicating on the network,
– Block processes from communicating with specific host names or IP addresses
– Uninstall Services
– Edit registry keys and values
– Shut down or reboot an endpoint
– Log users off an endpoint
– Delete files and directories

But what do you do when the specific response you need isn’t available out of the box? In this case, you need to be able to program your own script to perform a custom action or response. Many EDRs lack the technology to make this possible, but it’s an important thing to look for—just because your business needs don’t require it now, doesn’t mean it won’t in the future.


EDR: Excessively Delayed Reaction?

What if our officer can chase a suspect, but only in baby steps? What if he or she can call for backup, but it takes them 45 minutes to arrive?

Having every response ever conceived still isn’t enough if they cannot contain threats in time.

With attackers moving from initial compromise to action on objectives with increasing quickness, the old way of “reassign the ticket to IT” no longer cuts it—by the time IT notices the ticket, the attacker may already have gone.

It’s important to have at your disposal the best response. But when you don’t yet know what something is, your best response may not be your first response. In other words, sometimes you’re going to want to be able to quarantine the affected device(s) while you investigate and scope in order to limit the threat’s impact.

The ability for the EDR to integrate with existing workflows, rather than dictating those workflows, can also make a big difference. A lot of people look at MTTD (Mean Time To Detection)—but that’s only part of the story. A better indicator of an EDR’s effectiveness is MTTR (Mean Time To Response). According to SANS Institute analyst Jake Williams, enterprises that have orchestrated actions between detection and response have MTTR metrics that are both more favorable and more reliable.

There’s no shortage of EDR solutions on the market, at all levels of speed and capability. It’s worth making sure that yours offers as much in terms of response as it does in detection—remember, when you choose an EDR, you’re partnering with the technology that will serve and protect your enterprise.  When the chips are down, are you going to have an EDR that can identify, track and eliminate a threat in time to prevent massive devastation?

In a future blog, we’ll explain how detection and response should work in parallel with prevention to safeguard your enterprise. 

 Want to learn more about what to look for—and watch out for—in an EDR? Click here to read “Why Traditional EDR Is Not Working—and What To Do About It.”

The post Response Required: Why Identifying Threats With Your EDR Isn’t Enough appeared first on McAfee Blogs.


Threat Hunting or Efficiency: Pick Your EDR Path?

Threat Hunting or Efficiency: Pick Your EDR Path? 3

“Do You Want It Done Fast, Or Do You Want It Done Right?” “Yes.”

“Help out more with our business objectives.” “Cover an increasing number of endpoints.” “Cut budgets.” “Make it all work without adding staff.”

Cybersecurity teams face a lot of conflicting objectives—both within their teams and from upper management. But a May 2019 commissioned study conducted by Forrester Consulting on behalf of McAfee really puts a fine point on it: When decision makers were asked which endpoint security goals and initiatives they’re prioritizing for the coming year, the top two responses were “improve security detection capabilities” (87%) and “increase efficiency in the SOC” (76%).

Unfortunately, traditional EDR solutions have made accomplishing both of these goals (and in some cases, even one or the other!) difficult, if not impossible. According to the study, gaps in EDR capabilities have created pain points for 83% of enterprises. For instance, while 40% of enterprises consider threat hunting a critical requirement, only 29% feel their current EDR solutions fully meet that need. On an even more basic level, 36% worry their EDR solution doesn’t surface every threat that breaks through—while an equal number of respondents say the alerts that are surfaced by their EDR are frequently not relevant or worth investigating.

These numbers clearly show there’s a lot of room for improvement, but at the same time, these two goals seem to be less than complementary. How would you choose to try and meet them?

Scenario 1: The Status Quo

Your team continues utilizing their traditional EDR solution on its own.

You lose points in efficiency out of the gate—according to Forrester, 31% of companies say that the systems are so complex, their junior staff lack the skillset to triage and investigate alerts without senior staff.

The number of alerts output by traditional EDR solutions will cost you efficiency in another way: another 31% of respondents say their teams struggle to keep up with the volume of alerts generated by their EDRs.

On the threat detection side, you’re not starting out with a perfect score, either: Again, keep in mind that more than a third of respondents believe that, even with this large volume of alerts, not everything is being caught.

As a baseline, let’s assume you’re starting out with a 7 in Threat Detection, and a 3.5 in Efficiency.
You’re still a long way from meeting your goals. Let’s look at our options.

Do you want to:

  • Add more staff members
  • Bolt on more software
  • Hire an MDR

Scenario 2: Add more staff members

With efficiency seeming such a far-off goal, your team decides to focus its efforts on threat detection. To help manage the number of alerts, you hire two new employees. You still have every bit as much noise coming from your EDR, and it still isn’t catching everything, but your team has marginally more ability to triage and respond to threats. You gain a point for threat detection, but a look at your department budget sheet shows your efficiency score is basically shot.

Final Score: 8 in Threat Detection, and a 2 in Efficiency.

Scenario 3: Bolting On More Software

Other businesses are taking a different tack. They’re keeping their traditional EDR solution, but they’re also bolting on more point solutions to help catch things that fall through the cracks. If you choose to go this route, your threat detection capabilities go up …. but between all the duplicate alerts, separate interfaces, and near complete lack of integration, your team is critically bogged down.  With junior staff able to triage just 31 percent of alerts on traditional EDR systems, senior analysts are having to manage all the alerts on all the interfaces on their own.

All this software isn’t cheap, and you’re losing time in both training in all of it, and in switching back and forth. Meanwhile, the solutions that were supposed to improve your threat detection capabilities are doing so … somewhat … but with things falling through the cracks amidst the chaos and analyst fatigue setting in, you wouldn’t know it.

Final Score: 7.5 in Threat Detection, 1.5 in Efficiency.

Scenario 4: Partnering with an MDR

You don’t want to hire any more staff—and even if you did, there aren’t many to hire. So instead you hire a Managed Detection and Response (MDR) provider to do what your EDR should be doing, but isn’t. You partner with the most reputable MDR you can find, and you’re confident that between what you’re doing and what they’re doing, there isn’t much getting past you. But you’re also paying twice to get a single set of capabilities.

Final Score: 9 in Threat Detection, 1 in Efficiency

Clearly, it’s time to try something new

  • I want to improve my efficiency with my current EDR!
  • I want to try something better.

Scenario 5: Improving efficiency with current EDR

How do you make a first-gen EDR more efficient? You don’t. In other words, if you want to get more out of an EDR that doesn’t utilize the latest technologies, the only adjustments you can make here have to come from your team. If you could get more threat detection mileage out of the same number of team members, your efficiency level would naturally rise.

Initial Score: 8 in Threat Detection, 4 in Efficiency

But as you soon find out, the mandatory late nights and your “you’d better step it up or else!” attitude aren’t exactly doing wonders for morale. With cybersecurity professionals in high demand everywhere, it isn’t long before you’re down at least one team member. Now you have 4 team members doing the number of 5. Which sounds decent ….

Intermediate Score: 6 in Threat Detection, 6 in Efficiency

… until an enterprising hacker takes note of your shorthandedness and targets you, hoping to use your situation to their advantage. Unfortunately, not only do you have a highly imperfect traditional EDR system and four employees trying to do the work of five … you have four disgruntled employees trying to do the work of five. According to IDC, in organizations that have experienced a breach in the last 12 months, those staff who are extremely satisfied are, on average, more likely to report fewer hours to identify the breach (11 hours) than those who are dissatisfied (23 hours). Guess which camp your team falls into?

Before long, your company is brought to its knees by a major attack. The press is all over it, and confidence in your company plummets. Your company’s reputation might recover … eventually … but things aren’t looking so good for you.

Final Score: Game Over.

Scenario 6: I want to try something better.

You’ve heard from your friends and colleagues about what doesn’t work. And, of course, you’ve read the horror stories. But you’re still left with two disparate goals. What if there was a way to increase threat detection capabilities without hiring more personnel, outsourcing what your EDR should be able to handle but isn’t, or creating a system with more bolts than Frankenstein’s monster?

According to Forrester, there is a way to bridge the goals of greater efficiency and better threat detection. With AI guided investigation, your junior analysts will be able to triage threats like your more seasoned analysts, freeing your senior analysts to focus on mission-critical tasks. And with less noise, your team will be free to focus on more of the right alerts.

Survey respondents backed this up: 35 percent believe AI-guided investigations will lead to fewer breaches, and 52 percent think they’ll lead to improved efficiency. Mission accomplished.

Final Score: You=1, Hackers=0.

To read more about how AI-guided investigation can help revolutionize your SOC, click here.

The post Threat Hunting or Efficiency: Pick Your EDR Path? appeared first on McAfee Blogs.


Defining Cloud Security – Is It the Endpoint, Your Data, or the Environment?

Defining Cloud Security – Is It the Endpoint, Your Data, or the Environment? 4

You’ve heard it once; you’ve heard it a hundred times – “secure the cloud.” But what does that phrase mean? On the surface, it’s easy to assume this phrase means using cloud-enabled security products. However, it’s much more than that. Cloud security is about securing the cloud itself through a combination of procedures, policies, and technologies that work together to protect the cloud—from the endpoint to the data to the environment itself. A cloud security strategy must be all-encompassing, based on how data is monitored and managed across the environment. So, let’s examine how IT security teams can address common cloud challenges head-on, while at the same time establishing the right internal processes and adopting the necessary solutions in order to properly secure the cloud.

Cloud Security’s Top Challenges

As we enter a post-shadow IT world, security teams are now tasked with understanding and addressing a new set of challenges—those that can stem from a complex, modern-day cloud architecture. As the use of cloud services grows, it is critical to understand how much data now lives in the cloud. In fact, the amount of sensitive data stored in cloud-based files is only growing, currently standing at 21% after having increased 17% over the past two years. So it’s no wonder that threats targeting the cloud are growing, too: The average organization experiences 31.3 cloud-related security incidents each month, a 27.7% increase over the same period last year.

Frequently impacted by data breaches and DDoS attacks, cloud technology is no stranger to cyberthreats. However, the technology is also impacted by challenges unique to its makeup—such as system vulnerabilities and insecure user interfaces (UIs) and application programming interfaces (APIs), which can all lead to data loss. Insecure UIs and APIs are top challenges for the cloud, as the security and availability of general cloud services depends on the security of these UIs and APIs. If they’re insecure, functionalities such as provisioning, management, and monitoring can be impacted as a result. There are also bugs within cloud programs that can be used to infiltrate and take control of the system, disrupt service operations, and steal data, mind you. The challenge we see with data and workloads moving to the cloud is insufficient knowledge of developers on the evolution of cloud capabilities. We are finding misconfigurations to be one of the major contributors of data leaks and data breaches as well, meaning cloud configuration assessment is another best practice that IT should own. Another major source of cloud data loss? Improper identity, credential, and access management, which can enable unauthorized access to information via unprotected default installations.

The good news? To combat these threats, there are a few standard best practices IT teams can focus on to secure the modern-day cloud. First and foremost, IT should focus on controls and data management.

Security Starts with Process: Controls and Data Management

To start a cloud security strategy off on the right foot, the right controls for cloud architecture need to be in place. Cloud security controls provide protection against vulnerabilities and alleviate the impact of a malicious attack. By implementing the right set of controls, IT teams can establish a necessary baseline of measures, practices, and guidelines for an environment. These controls can range from deterrent and corrective to preventative and protective.

In tandem with controls, IT teams need to establish a process or system for continually monitoring the flow of data, since insight into data and how it is managed is vital to the success of any cloud security strategy. A solution such as McAfee Data Loss Prevention (DLP) can help organizations monitor data through the use of a management console or dashboard. This tool can help secure data by extending on-premises data loss prevention policies to the cloud for consistent DLP, protecting sensitive data wherever it lives, tracking user behavior, and more.

Solving for Visibility, Compliance, and Data Protection

When it comes to securing data in the cloud, visibility and compliance must be top of mind for IT teams as well. Teams need to gain visibility into the entirety of applications and services in use, as well as have proper insight into user activity to have a holistic view of an organization’s existing security posture. They also need to be able to identify sensitive data in the cloud in order to ensure data residency and compliance requirements are met.

That’s precisely why IT teams need to adopt an effective cloud access security broker (CASB) solution that can help address visibility and compliance issues head-on. What’s more, this type of solution will also help with data security and threat protection by enforcing encryption, tokenization, and access control, as well as detecting and responding to all types of cyberthreats impacting the cloud.

Bringing It All Together

By combining the right controls and data management processes with a CASB solution, security teams can protect the cloud on all levels. A CASB solution like McAfee MVISION Cloud protects data where it lives today, in the cloud. This CASB solution is a cloud-hosted software that sits between cloud service customers and cloud service providers to enforce security, compliance, and policies uniformly across all cloud assets, from SaaS to IaaS/PaaS. Plus, McAfee MVISION Cloud can help organizations extend security controls of their on-premises infrastructure to the cloud and beyond. To extend these controls, this solution detects, protects, and corrects. During detection, IT security teams gain complete visibility into data, context, and user behavior across all cloud services, users, and devices. When data leaves the cloud, McAfee MVISION Cloud applies persistent protection wherever it goes: in or outside the cloud. And when an error does occur, the solution takes real-time action deep within cloud services to correct policy violations due to human error and stops security threats. While McAfee MVISION Cloud protects the cloud itself, it’s also important to protect access to the cloud at the start, or the endpoint. An endpoint security solution, such as McAfee Endpoint Security, is also integral for safeguarding the cloud, since endpoints are a target for credential theft that leads to greater risk in the cloud environment.

In an ever-changing threat landscape, implementation of the proper controls and data management, with the addition of effective cloud security solutions, are the keys to a strong cloud security strategy. By taking into account and working to proactively protect the multitude of endpoints connected to the cloud, the amount of data stored in the cloud, and the cloud environment itself, IT security teams can help ensure the cloud is secure.

To learn more about cloud security and other enterprise cybersecurity topics, be sure to follow us @McAfee and @McAfee_Business.


The post Defining Cloud Security – Is It the Endpoint, Your Data, or the Environment? appeared first on McAfee Blogs.


MITRE ATT&CK™ APT3 Assessment

MITRE ATT&CK™ APT3 Assessment 5

Making a case for the importance for real-time reporting is a simple exercise when considering almost every major campaign.  Take the case of Shamoon, where analysis into the Disttrack wiper revealed a date in the future when destruction would happen.  Similarly, cases where actors use different techniques in their attacks reveal that once mapped out, a story becomes visible. The question is, do you have visibility and early warnings into these threats and how timely are they presented to you so there’s time to respond? 

MITRE’s ATT&CK for Enterpriseproduced by the Cyber Security division of MITRE, is an adversarial behavior model for possible attacker actionsThe ATT&CK matrix used is a visualization tool in the form of a large table, intended to help provide a framework to talk about attacks in a unified way. This is coupled to detailed descriptions of different tactics and techniques and how they differ from attacker to attacker.  

When you participate in the assessment, MITRE is the red team simulating the techniques, used by APT3 in this case, and we as McAfee are the blue team using our products to detect their actions and report them. When the red team attacks us with a variant of a technique, as a blue team, we need to prove we detected it. 

McAfee went through a MITRE ATT&CK assessment early this summer and we are excited to announce that MITRE has published the results of the APT3 assessment today on their website. In today’s cyber-threat landscape, it’s all about ‘time’, time to detect, time to respond, time to remediate, etc. When it comes to advanced attacks represented in APT3 – real time detections offer a significant advantage to incident responders to rapidly contain threats. 

As the results show, McAfee provided the most real-time alerts while detecting the attacksWhen real-time alerts and simple efficacy score, as calculated using criteria published by Josh Zelonis of Forrester, are considered together, McAfee occupies a leadership position in the upper right quadrant of the chart: 

MITRE ATT&CK™ APT3 Assessment 6 


During MITRE’s APT3 evaluation, McAfee was the only vendor to display real-time alerts for certain attacks, including T1088: Bypass User Account Control, one of the techniques used by Shamoon. 

While MITRE’s evaluation focused on MVISION EDR’s detection capabilities, there are several aspects that defenders need to consider in order to properly triage, scope, contain and close an incidentDuring the APT3 attack we generated 200+ alerts and telemetry datapoints which were the core of MITRE’s evaluationYet we don’t expect analysts to review them individually. In MVISION EDR those 200+ data points got clustered into 14 threats which added context to paint a more complete picture of what happened in order to speed triage. 

Furthermore, analysts could trigger an automated investigation from a threat and therefore involve our AI driven investigation guides to bring more context from other products (e.g. ePO, SIEM)endpoint forensics, analytics and threat intelligence.  

MITRE ATT&CK™ APT3 Assessment 7 

Investigation case collecting 4000+ pieces of evidence, linking it, showing expert findings and uncovering potential lateral movement between two devices 

 Thanks to our automated investigation guides, in the case of APT3MVISION EDR was able to gather passive DNS information and link the evidence to further expose potential lateral movement and C2. 

Although it was not exercised by MITRE, the next step for the analyst would have been to use MVISION EDR’s real time search to further scope the affected devices and take containment actions (e.g. quarantine, kill processes, etc). 

McAfee has been engaged with MITRE in expanding the ATT&CK Matrix and helping to evolve future ATT&CK Evaluations. We are a proud sponsor of ATT&CKcon and will be exhibiting at ATT&CKcon 2.0 later this month. Come learn more about how automated AI-driven investigations can reduce the time to detect and respond to threats using McAfee MVISION EDR. 



The post MITRE ATT&CK™ APT3 Assessment appeared first on McAfee Blogs.


Maintaining Effective Endpoint Security 201

Maintaining Effective Endpoint Security 201 8

Today’s enterprises are faced with unique, modern-day issues. Many are focused on adopting more cloud-based services and reducing infrastructure footprint, all while the number of devices accessing the environment grows. This, in turn, requires security teams to create different levels of access, policies, and controls for users. Plus, as these businesses expand some unexpected security issues may arise, such as alert volume, lack of visibility, complicated management, and longer threat dwell times. To strike a balance between business objectives and a healthy security posture, IT teams can implement some of the tactics we recommended in our Effective Endpoint Security Strategy 101 blog, such as virtual private networks (VPNs), proper employee security training, and machine learning (ML) and artificial intelligence (AI) technology for predictive analysis. But with the threat landscape evolving every day, is there more these organizations can do to sustain an effective endpoint strategy while supporting enterprise expansion? Let’s take a look at how teams can bolster endpoint security strategy.

Managing the Many Vulnerabilities

As enterprises try to keep pace with the number of endpoints, as well as the threats and vulnerabilities that come with these devices, multiple levels of security need to be implemented to maintain and expand a sustainable security posture. One way for enterprise security teams to keep track of these vulnerabilities and threats is through the use of vulnerability management. This process involves the identification, classification, and prioritization of vulnerabilities when flaws arise within a system.

For vulnerability management to be successful, security teams must have full visibility into an endpoint environment. This awareness will help teams proactively mitigate and prevent the future exploitation of vulnerabilities. Plus, with endpoints always evolving and being added, a vulnerability management system is a necessity for expanding effective endpoint security.

Beware of Privilege Escalation

Due to the sheer number of endpoints being introduced to the enterprise environment, the possibility of a vulnerable endpoint increases. And with vulnerable endpoints creating gateways to important enterprise data, cybercriminals often attempt to exploit a bug or flaw in an endpoint system to gain elevated access to sensitive resources. This tactic is known as privilege escalation.

To thwart cybercriminals in their tracks and subvert privilege escalation attacks, security teams can employ the practice of least privilege. In other words, users are granted the least amount of privilege required to complete their job. That way, if hackers manage to get their hands on an exposed endpoint, they won’t be able to gain access to troves of corporate data. The threat of privilege escalation can also be solved through patches and added layers of security solutions at different stages of the endpoint.

Administering Enterprise Access

Who can access specific assets and resources within an enterprise is an important discussion to be had for any endpoint security strategy. Not all users should have access to all resources across the network and if some users are given too much access it can lead to increased exposure. This is where access management comes into play.

Maintaining a secure endpoint environment requires security teams to identify, track, and manage specific, authorized users’ access to a network or application. By creating differentiated levels of access across the board, teams can ensure they are prioritizing key stakeholders while still controlling the number of potential exposure points. Beyond monitoring accessibility, its critical security teams know where data is headed and are able to control the flow of information. The good news? Teams can rely on a solution such as McAfee Data Loss Prevention (DLP) to assist with this, as it can help security staff protect sensitive data on-premises, in the cloud, or at the endpoints.

Coaching Users on Passwords and Identity Management

Passwords are the first defense against cybercriminals. If a cybercriminal guesses a password, they have access to everything on that device – so the more complex and personalized a password is the better. Beyond encouraging complex password creation, it’s crucial security teams make single sign-on (SSO) or multifactor authentication a standard aspect of the user login process. These are easy-to-use tools that users can take advantage of, which help add more protective layers to a device.

Assessing the Risks

 As a security team, assessing the overall risk present in your organization’s current environment is a top priority. From checking for potential cyberthreats to monitoring and evaluating endpoints to ensure there are no exposures – its important teams do their due diligence and conduct a comprehensive risk assessment. Teams need to make risk assessments a routine aspect of their overall security strategy, as new risks are always popping up. To do so in a proper and timely manner, better visibility is required, and teams should get into a habit of red teaming and leveraging automation for response and remediation. McAfee MVISION Endpoint Detection and Response (EDR) can also help teams get ahead of modern threats with AI-guided investigations that surface relevant risks, as well as automate and remove the manual labor of gathering and analyzing evidence.

Once a risk assessment has been done, security teams must take immediate action on the results. After potential threats are identified and analyzed with the help of McAfee MVISION EDR, teams must work to correct any potential negative impact these risks may have on an enterprise, resources, individuals, or the endpoint environment. By leveraging a centralized management tool, enterprise teams can do just that — reducing alert noise, elevating critical events, and speeding up the ability to respond and harden endpoints when risks or areas of exposure are identified.

Utilizing Advanced Security Solutions

To cover all the bases, it is vital teams leverage multiple endpoint security solutions that have proactive technology built-in and are collaborative and integrative. Take McAfee MVISION Endpoint and MVISION Mobile for example, which both have machine learning algorithms and analysis built into their architecture to help monitor and identify malicious behavior. Additionally, McAfee Endpoint Security delivers centrally managed defenses, like machine learning analysis and endpoint detection, to protect systems with multiple, collaborative defense and automated responses.

Advanced security solutions bring an endpoint security strategy full circle. Take the time to research and then invest in technology that is suitable for your enterprise’s needs. Growth does not have to be hindered by security, in fact having the two work in tandem will ensure longevity and stability.

To learn more about effective endpoint security strategy, be sure to follow us @McAfee and @McAfee_Business.

The post Maintaining Effective Endpoint Security 201 appeared first on McAfee Blogs.


Easier Management with Integrated Endpoint Security

Easier Management with Integrated Endpoint Security 9

Integration matters. We at McAfee have been advocating the administrative benefits of integrated, centrally managed endpoint security for decades, but you don’t just have to take our word for it. A recent independently written article in BizTech Magazine concurs.

BizTech explores technology and business issues that IT leaders and business managers face when they’re evaluating and implementing solutions. In “Businesses Find Endpoint Security Easier to Manage with Integrated Solutions,” journalist Kym Gilhooly references a number of independent security surveys as well as interviews a CISO, an IT manager, and a network administrator at three different companies. Each of these cybersecurity professionals and their respective small and medium-sized companies came to the conclusion that, to defend against today’s breadth of threats—from signature-based to zero-day, known and unknown— an integrated security approach combining endpoint detection and response (EDR), next-generation antivirus, and application control makes more sense than deploying discrete solutions.

Uniting these technologies in one integrated solution has allowed them to take action across the threat defense lifecycle—from detecting and blocking threats and whitelisting critical applications to tracking down malicious exploits during or before execution and helping incident response teams respond and remediate faster. As CISO Tony Taylor of dairy company Land O’Lakes points out in the article, “There are lots of security tools out there, but if you don’t integrate the stack, you’ve got to associate all that information and make the connections yourself.”

EDR Becoming an Integral Component of Endpoint Security

All the companies interviewed by Gilhooly affirm the importance of EDR in their security defense. As an IT manager at a 500-employee retail company states in the article, “The days when IT took a set-it-and-forget-it approach to endpoint security are over.” The ability to quickly investigate threats—whether reactively seeking to understand where a threat originated, how it spread and what damage it caused, or proactively hunting for anomalous behavior and dormant threats—is becoming a must-have tool to shrink the response and remediation gap.

What’s more, the article recognizes that an integrated EDR-EPP (endpoint protection software) solution makes much more sense than bolting on an EDR point solution. That’s because EDR and EPP can enhance each other’s effectiveness. For instance, if a company uses McAfee Endpoint Security or SaaS-based McAfee MVISION Endpoint alongside McAfee MVISION EDR, when the EPP part of the integrated solution detects anomalous behavior on an endpoint—but not enough to convict it—an analyst can use EDR to enrich the data, subsequently raising or lowering the incident’s severity ranking. On the flip side, when the EDR part detects an unknown threat in the environment, the analyst can query the threat reputation database and share new threat information instantly across endpoints via the EPP.

The more cyberdefense tools can collaborate and be managed as a unified solution, the more actions can be automated, IT staff burdens reduced, and time freed up for more proactive forensics and other activities.

In short, the BizTech article reiterates what we’ve been saying: Integration is more than just a buzzword. It’s time to stop thinking about EDR as an add-on, or EPP and EDR as separate entities. It’s also time to start moving endpoint security to the cloud. The article touches on that, too.

To learn more about effective endpoint security strategy, be sure to follow us @McAfee and @McAfee_Business.


“There are lots of security tools out there, but if you don’t integrate the stack, you’ve got to associate all that information and make the connections yourself.”

— Land O’Lakes CISO Tony Taylor (as quoted in BizTech)



The post Easier Management with Integrated Endpoint Security appeared first on McAfee Blogs.


7 Questions to Ask Your Child’s School About Cybersecurity Protocols

7 Questions to Ask Your Child’s School About Cybersecurity Protocols 10

7 Questions to Ask Your Child’s School About Cybersecurity Protocols 11Just a few weeks into the new school year and, already, reports of malicious cyberattacks in schools have hit the headlines. While you’ve made digital security strides in your home, what concerns if any should you have about your child’s data being compromised at school?

There’s a long and short answer to that question. The short answer is don’t lose sleep (it’s out of your control) but get clarity and peace of mind by asking your school officials the right questions. 

The long answer is that cybercriminals have schools in their digital crosshairs. According to a recent report in The Hill, school districts are becoming top targets of malicious attacks, and government entities are scrambling to fight back. These attacks are costing school districts (taxpayers) serious dollars and costing kids (and parents) their privacy.

Prime Targets

According to one report, a U.S. school district becomes the victim of cyberattack as often as every three days. The reason for this is that cybercriminals want clean data to exploit for dozens of nefarious purposes. The best place to harvest pure data is schools where social security numbers are usually unblemished and go unchecked for years. At the same time, student data can be collected and sold on the dark web. Data at risk include vaccination records, birthdates, addresses, phone numbers, and contacts used for identity theft. 

Top three cyberthreats

7 Questions to Ask Your Child’s School About Cybersecurity Protocols 12

The top three threats against schools are data breaches, phishing scams, and ransomware. Data breaches can happen through phishing scams and malware attacks that could include malicious email links or fake accounts posing as acquaintances. In a ransomware attack, a hacker locks down a school’s digital network and holds data for a ransom. 

Over the past month, hackers have hit K-12 schools in New Jersey, New York, Wisconsin, Virginia, Oklahoma, Connecticut, and Louisiana. Universities are also targeted.

In the schools impacted, criminals were able to find loopholes in their security protocols. A loophole can be an unprotected device, a printer, or a malicious email link opened by a new employee. It can even be a calculated scam like the Virginia school duped into paying a fraudulent vendor $600,000 for a football field. The cybercrime scenarios are endless. 

7 key questions to ask

  1. Does the school have a data security and privacy policy in place as well as cyberattack response plan?
  2. Does the school have a system to educate staff, parents, and students about potential risks and safety protocols? 
  3. Does the school have a data protection officer on staff responsible for implementing security and privacy policies?
  4. Does the school have reputable third-party vendors to ensure the proper technology is in place to secure staff and student data?
  5. Are data security and student privacy a fundamental part of onboarding new school employees?
  6. Does the school create backups of valuable information and store them separately from the central server to protect against ransomware attacks?
  7. Does the school have any new technology initiatives planned? If so, how will it address student data protection?

The majority of schools are far from negligent. Leaders know the risks, and many have put recognized cybersecurity frameworks in place. Also, schools have the pressing challenge of 1) providing a technology-driven education to students while at the same time, 2) protecting student/staff privacy and 3) finding funds to address the escalating risk.

Families can add a layer of protection to a child’s data while at school by making sure devices are protected in a Bring Your Own Device (BYOD) setting. Cybersecurity is a shared responsibility. While schools work hard to implement safeguards, be sure you are taking responsibility in your digital life and equipping your kids to do the same. 


The post 7 Questions to Ask Your Child’s School About Cybersecurity Protocols appeared first on McAfee Blogs.


Analyst Fatigue: The Best Never Rest

Analyst Fatigue: The Best Never Rest 13

They may not be saying so, but your senior analysts are exhausted.

Each day, more and more devices connect to their enterprise networks, creating an ever-growing avenue for OS exploits and phishing attacks. Meanwhile, the number of threats—some of which are powerful enough to hobble entire cities—is rising even faster.

While most companies have a capable cadre of junior analysts, most of today’s EDR (Endpoint Detection and Response) systems leave them hamstrung. The startlingly complex nature of typical EDR software necessitates years of experience to successfully operate—meaning that no matter how willing the more “green” analysts are to help, they just don’t yet have the necessary skillset to effectively triage threats.

What’s worse, while these “solutions” require your top performers, they don’t always offer top performance in return. While your most experienced analysts should be addressing major threats, a lot of times they’re stuck wading through a panoply of false positives—issues that either aren’t threats, or aren’t worth investigating. And while they’re tied up with that, they must also confront the instances of false negatives: threats that slip through the cracks, potentially avoiding detection while those best suited to address them are busy attempting to work through the noise. This problem has gotten so bad that some IT departments are deploying MDR systems on top of their EDR packages—increasing the complexity of your company’s endpoint protection and further increasing employee stress levels.

Hoping to both measure the true impact of “analyst fatigue” on SOCs and to identify possible solutions, a commissioned study was conducted by Forrester Consulting on behalf of McAfee in March 2019 to see what effects current EDRs were having on businesses, and try to recognize the potential for solutions. Forrester surveyed security technology decision-makers, from the managers facing threats head-on to those in the C-suite viewing security solutions at the macro level in relation to his or her firm’s financial needs and level of risk tolerance. Respondents were from the US, UK, Germany or France, and worked in a variety of industries at companies ranging in size from 1,000 to over 50,000 employees.

When asked about their endpoint security goals, respondents’ top three answers—to improve security detection capabilities (87%), increase efficiency in the SOC (76%) and close the skills gap in the SecOps team (72%)—all pointed to limitations in many current EDRs.  Further inquiry revealed that while 43% of security decision makers consider automated detection a critical requirement, only 30% feel their current solution(s) completely meet their needs in this area.

While the issues uncovered were myriad, the results also suggested that a single solution could ameliorate a variety of these problems.  The introduction of EDR programs incorporating Guided Investigation could increase efficiency by allowing junior analysts to assist in threat identification, thereby freeing up more seasoned analysts to address detected threats and focus on only the most complex issues, leading to an increase in detection capabilities. Meanwhile, the hands-on experience that junior analysts would get addressing real-life EDR threats would increase both their personal efficiency and their skill level, helping to eliminate the skills gaps present in some departments.

To learn more about the problems and possibilities in the current EDR landscape, you can read the full “Empower Security Analysts Through Guided EDR Investigation” study by clicking here.

The post Analyst Fatigue: The Best Never Rest appeared first on McAfee Blogs.


Don’t Silo Your Endpoint Security Roadmap

Don’t Silo Your Endpoint Security Roadmap 14

If there’s a gap you bridge it, if there’s a hole you plug it. These are simple musts that businesses have to follow – they need to right wrongs and adjust processes to create better outcomes. The same thing goes for the security teams tasked with safeguarding these organizations, who know they must always bridge the gap between exposed and secure. These security teams know that in order to plug any holes they must at minimum apply standard endpoint security to their infrastructure. While most teams know one solution can’t be the be-all and end-all for their strategy, many are still slow to adopt new technologies to their defense strategy. Here’s why.

Outdated Adoption Mindsets

I meet a lot of security professionals that are aware a better mousetrap exists, but feel as though the pains of making a change outweigh the advantages of better detection or threat detail. I get it, I’m up against my own list of critical projects and nice-to-have things that are difficult to move to the top of the list. Maybe that’s why so many businesses are stating they intend to adopt next-gen technologies but are struggling with the expertise to move ahead with a product or deploy it.

When it comes to getting more tactical against the latest generation of threats that are designed to evade detection, the natural next step for these teams is to add a product like McAfee MVISION EDR. This type of product is top of mind for many right now, as 82% of IT leaders say they don’t have the visibility they need. As a threat hunting tool, EDR tells security teams how exactly threats entered an environment, what these threats did while inside, and how teams can pivot to action against them now and prevent similar attacks from happening again. The value of the EDR might be understood, but adopting it is usually hindered by pre-existing mindsets.

Many security professionals out there think of products, such as McAfee ENS and McAfee MVISION EDR as two separate entities. The same thing goes for solutions such as DLP and CASB. These teams often adopt one solution at a time, with the hope of eventually being able to collect them all one day. Compounding this issue, many fear they’re going to overwhelm existing staff with all the new training and education required for proper adoption. But therein lies the problem – these solutions shouldn’t be viewed as a burden or mutually exclusive, given accurate threat protection in today’s modern threat landscape is reliant on multiple success factors working together at the same time. Adoption should be holistic and simultaneous.

The Importance of Integration

Just like one size typically doesn’t fit all, one solution cannot address all threats. That means your defense strategy shouldn’t rely on just one defense or detection method to protect every user from every kind of threat. Therefore, security teams need to clear out old notions and start looking at solution adoption with the idea of integration and a platform that is sustainable for the long term, not just a product. Meaning, by achieving the right convergence of solutions, teams will establish a holistic security posture for their organization, ultimately positioning it for success.
So, what does this blend of solutions look like? To cover all the bases, organizations should look toward adopting solutions designed with collaboration and integration in mind. Take McAfee’s EPP for example, which is built with the future in mind. Our cloud-first MVISION products are designed to help you transform your IT environment. Specifically, our EDR solution is designed to meet you where you are with AI-guided investigations, detecting and remediating both the opportunistic and targeted attacks.

The more defense solutions can work together, the more actions can be automated and burdens can be reduced for the IT staff. So, instead of making your buying decision in order to fill a gap in today’s environment, make sure you buy with tomorrow’s gaps in mind. Focus on how the product you buy today will work or not work with the purchases you make in the future. From there, security will move beyond a simple must, becoming second nature.


To learn more about effective endpoint security strategy, be sure to follow us @McAfee and @McAfee_Business.

The post Don’t Silo Your Endpoint Security Roadmap appeared first on McAfee Blogs.

Vox Messenger Logo - 512x512

End-2-End Encrypted. Secure. Ad-Free.
Lightweight and Faster than the Competition.

Vox Messenger is an ad-free, secure and end-2-end encrypted alternative to other popular chat messenger apps.

Available for Free. Whitelabel Corporate Edition Available on Request.

Vox Messenger {Secure} - Communicate safely with our private and secure messaging app | Product Hunt Embed

All Rights Reserved - © Copyright 2020 - Vox Messenger (a Division of Kryotech Ltd.)