McAfee Security Insights
Security Changes the Subject
Enterprise security is the last place anyone can afford to settle for less.
So, most security professionals will opt to block intrusions rather than just detect those dark hats who like to sniff around the edges of the enterprise to find its weak spots.
"Detection versus prevention is the difference between active and passive countermeasures," says Patrick Bedwell, Senior Product Marketing Manager for McAfee® Entercept® host intrusion prevention.
Host intrusion prevention systems (IPS) block malicious behavior and activity on an individual system; on the network side, an IPS sits inline, detects hostile traffic and drops it before it reaches its destination. The more passive intrusion detection systems (IDS) only raise alerts, reporting that certain types of traffic were seen on the wire or that a certain type of behavior occurred on the host, and leave the response to an operator.
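To make the detect-versus-prevent distinction concrete, the following is an added example written for this page; it is not code from McAfee Entercept, Desktop Firewall or any McAfee product. It runs the same small set of host rules (a service spawning a shell, an unexpected write into a system directory, a non-system process opening an SMB connection) in "detect" mode, where a match only produces an alert, and in "prevent" mode, where the same match also blocks the event. The rule names, the event fields and the sample events are constructed for illustration.

```python
"""Minimal host IDS/IPS rule engine: identical rules, two response modes.

Added example, not McAfee code. Events and rules are constructed.
"""
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Event:
    kind: str      # "file_write", "process_spawn" or "net_connect"
    process: str   # image name of the acting process
    target: str    # written path, spawned image, or "host:port"


@dataclass
class Rule:
    name: str
    match: Callable[[Event], bool]


# Behavioral (host) rules plus one application-aware network rule. Constructed.
RULES: List[Rule] = [
    Rule("service-spawns-shell",
         lambda e: e.kind == "process_spawn"
         and e.process in {"svchost.exe", "httpd"}
         and e.target.lower().endswith(("cmd.exe", "/bin/sh"))),
    Rule("write-to-system-dir",
         lambda e: e.kind == "file_write"
         and e.target.lower().startswith(("c:\\windows\\system32\\", "/usr/bin/"))
         and e.process not in {"msiexec.exe", "apt"}),   # trusted installers
    Rule("untrusted-app-smb-egress",
         lambda e: e.kind == "net_connect"
         and e.target.endswith(":445")
         and e.process != "system"),
]


class HostGuard:
    """'detect' behaves like an IDS (alert only); 'prevent' like an IPS (alert and block)."""

    def __init__(self, mode: str) -> None:
        if mode not in ("detect", "prevent"):
            raise ValueError("mode must be 'detect' or 'prevent'")
        self.mode = mode
        self.alerts: List[str] = []

    def handle(self, event: Event) -> str:
        """Evaluate one event against every rule; return 'allow' or 'block'."""
        hits = [r.name for r in RULES if r.match(event)]
        if not hits:
            return "allow"
        for name in hits:
            self.alerts.append(f"{name}: {event.process} -> {event.target}")
        # Same evidence in both modes; only the response differs.
        return "block" if self.mode == "prevent" else "allow"


# Constructed sample events: three hostile, three benign.
SAMPLE_EVENTS = [
    Event("process_spawn", "svchost.exe", "C:\\Windows\\System32\\cmd.exe"),
    Event("file_write", "notepad.exe", "C:\\Windows\\System32\\drivers\\etc\\hosts"),
    Event("file_write", "msiexec.exe", "C:\\Windows\\System32\\vendor.dll"),
    Event("net_connect", "winword.exe", "10.0.0.7:445"),
    Event("net_connect", "outlook.exe", "mail.example.com:443"),
    Event("process_spawn", "explorer.exe", "C:\\Windows\\System32\\cmd.exe"),
]


def run(mode: str, events=SAMPLE_EVENTS) -> dict:
    """Feed the events through a guard in the given mode and summarise the outcome."""
    guard = HostGuard(mode)
    verdicts = [guard.handle(e) for e in events]
    return {
        "allowed": verdicts.count("allow"),
        "blocked": verdicts.count("block"),
        "alerts": list(guard.alerts),
    }


if __name__ == "__main__":
    for mode in ("detect", "prevent"):
        summary = run(mode)
        print(f"{mode}: allowed={summary['allowed']} blocked={summary['blocked']}")
        for line in summary["alerts"]:
            print("  alert:", line)
```

In detect mode all six events are allowed and three alerts are raised; in prevent mode the same three alerts are raised and those three events are blocked. That is the whole difference the article is describing: the evidence is identical, only the response is active or passive.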
"Blocking threats before they can cause damage is significantly more valuable," Bedwell notes. "About 80 percent of our customers are deploying blocking in our products."
In that same evolution from detection to protection, enterprises are drawing on the combined functionality of IDS and firewall capabilities to help block attacks as they occur, according to Ed Metcalf, Senior Product Marketing Manager for McAfee® Desktop Firewall. "It's one thing to say, ‘I was attacked and they took down my server,’ and another to say ‘I’m being attacked right now and blocking it,’" Metcalf adds.
The Edge Gets Blurred
Passive detection has shifted to active prevention partly because the perimeter itself no longer holds. Many organizations extend their networks to unexpected places, including employees’ home offices, the hotel rooms of traveling workers, and even the data centers of partners, customers and suppliers. Virtual private networks (VPNs) and Web-based applications provide a great deal of flexibility for a generation of professionals who are far less desk-bound than employees were 20 years ago.
That’s the good news. The dark side of this flexible networking and applications access model is that it also adds risk, exposing the network to hackers or their software agents, which seek open ports, unprotected remote access servers or other entrée into corporate payroll information, customers’ personal information or trade secrets.
"With so many people operating outside the corporate perimeter, you need protection from attacks at the gateway and throughout the corporate environment as well as remote and branch offices," Bedwell says.
Intrusion prevention is also much broader than server protection. As Bedwell observes, notebook and desktop computers contain much of the same proprietary information as core servers, but they may lack the protections given to, say, the accounting department’s server. "Host IPS for the desktop is so critical because you have to treat every system with confidential data as a potential point of compromise," he adds. Left unprotected, such a system opens the company to potential regulatory penalties, brand equity erosion and significant revenue losses.
McAfee's Holistic Approach
Unlike other vendors who offer point products which are difficult to integrate with larger security installations or are cumbersome to manage, McAfee brings together the diverse technologies of intrusion prevention, firewalling, anti-virus, anti-spyware and vulnerability management solutions.
McAfee Entercept agents protect desktops and servers against zero-day and known attacks. Entercept combines behavioral rules, signatures and a system firewall to provide unmatched proactive threat protection of critical systems and applications.
Host protection can help enterprises get control of the vicious cycle of patch management. Because Entercept agents' behavioral rules can block new attacks without waiting for a signature update, they reduce the urgency, though not the need, of patch deployment, lowering the costs associated with patch management and with deploying and maintaining system protection. Protecting host systems also enables organizations to ensure business availability and data confidentiality.
Desktop clients are protected against threats that anti-virus software can’t defeat alone with McAfee Desktop Firewall. Desktop Firewall combines comprehensive network and application firewall capabilities with intrusion detection and prevents clients from sending or receiving traffic- or application-borne threats. IT managers can ensure that users’ trusted applications are not being used to spread attacks across the network.
Additionally, McAfee® AntiSpyware Enterprise quickly detects and then safely eliminates potentially unwanted programs, such as key loggers, remote-control programs, browser hijackers, and cookies, protecting corporate users from identity or password theft as well as having their Internet activities.
Orchestrated Management
"Companies don’t want another management console; they want a single interface from which they can manage all their security globally," Metcalf says. From a single interface, they want to be able to correlate firewall alerts, anti-virus and anti-spyware definitions and intrusion prevention systems. "If it’s unmanageable and can’t scale, it won’t be used, and if it’s unused, the enterprise won’t be protected," he adds. "That’s why management is the top line consideration for most large customers."
In that vein, McAfee® Entercept® Management System provides enterprise-class management for associated Entercept agents from a single management server, reducing complexity and providing scalable security to even the most remote branch locations. Customers can deploy and manage up to 10,000 agents with one McAfee Entercept management server. For an even more comprehensive overview, organizations have the option to use McAfee® ePolicy Orchestrator® 3.5 (ePO™), which will soon permit security professionals to monitor as many as 100,000 agents.
McAfee ePO also provides the visibility and intelligence to enforce security policies. These policies may be as mundane as requiring users to change their passwords every ten days using numbers and letters, or as involved as ensuring that a newly signed-on user runs particular anti-virus and anti-spyware routines before he or she gets access to critical data and network services.
"One of the biggest problems that security administrators, directors and chief security officers have is the ability to enforce policy that’s been written down or articulated to the corporation’s board of directors," says Metcalf. "Security policies are what permit you to provide the layered approach to protect servers and desktops against problems from external sources and mitigate attacks from internal sources."
Enterprises clearly need a more layered approach as their security mindsets move from passive to active and from detection to prevention. The changing nature of attacks requires instantaneous responses that must be automated to be effective. And that requires companies to articulate and implement security policies to guard against all manner of internal and external threats. It’s an active mindset that McAfee shares with customers of all sizes.
Since this article was written, McAfee has introduced new products that offer similar capabilities. Please see our products section for additional information.
Resources
Learn more about McAfee solutions for host intrusion prevention.
McAfee Desktop Firewall protects all incoming and outgoing traffic.
Read the McAfee white paper on host and network intrusion prevention.
