Building and Using Your Network of Informants

By McAfee on Apr 21, 2015

If you are working in law enforcement, having a network of informants is both a blessing and a curse. A blessing, because they can provide you with information, tips, and clues that you would otherwise miss. A curse, because they may not be the most trustworthy individuals, or they may see only part of the picture. So you weigh previous behavior, corroborating stories, and other factors to decide which tips will contribute to a conviction.

Network security needs to move in a similar direction. There are informants inside your systems, others hanging around outside, and interested bystanders who have clues you can use. The internal informants are your endpoints, web gateways, email gateways, and data loss prevention (DLP) tools, each of which is watching what happens in its own neighborhood. And if you ask them, they will tell you what they know.

McAfee expands your informant network by integrating McAfee Web Gateway and DLP Endpoint with McAfee Threat Intelligence Exchange (TIE), and McAfee Email Gateway with McAfee Enterprise Security Manager (ESM). Better than paid informants on the streets, these components share what they know the moment they know it, and TIE and ESM pass it on throughout the connected ecosystem.

Today's attacks use multiple vectors to gain that first foothold in your systems. Getting the tip from the first informant that sees a suspicious or malicious file to the rest of the crew quickly is what makes rapid containment possible. McAfee Web Gateway and Threat Intelligence Exchange now share file reputations in real time: a file that was convicted elsewhere (by an endpoint, for example) but that the web gateway has never seen before is stopped during the web request, before it reaches its destination.

Secure email gateways are like informants with a photographic memory. They log useful details on the files received, the URLs seen, the IP addresses of email senders, and the identity of recipients. If at any point in the future you discover malware on the network, just ask the security information and event management (SIEM) system who else received the malicious attachment. You can also ask who sent the email and check for activity to that IP address, instantly establishing the scope of the attack so you can take steps to contain the infection.
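The pivot described above, as an added example that is not part of the original post and not McAfee ESM code or its query language: starting from the hash of an attachment that has just been convicted, it pulls every recipient and sender IP from email-gateway records, extracts hosts from any URLs in those mails, and then sweeps the web proxy log for machines that talked to those indicators. Both logs, their field names and the hashes are constructed for the example.

```python
"""Scope an email-borne infection by pivoting across email-gateway and
web-proxy logs. Added illustration; log formats and values are invented."""
from urllib.parse import urlparse

# Constructed email-gateway records: one per delivered attachment.
EMAIL_LOG = [
    {"ts": "2015-04-20T08:01:12Z", "sender_ip": "203.0.113.7", "recipient": "alice@corp.example",
     "attachment": "invoice_0423.doc", "sha256": "a1" * 32, "urls": ["http://198.51.100.9/x.php"]},
    {"ts": "2015-04-20T08:01:40Z", "sender_ip": "203.0.113.7", "recipient": "bob@corp.example",
     "attachment": "invoice_0423.doc", "sha256": "a1" * 32, "urls": ["http://198.51.100.9/x.php"]},
    # Same file, different name and sender: the hash, not the filename, ties it to the campaign.
    {"ts": "2015-04-20T09:15:03Z", "sender_ip": "203.0.113.50", "recipient": "carol@corp.example",
     "attachment": "invoice.doc", "sha256": "a1" * 32, "urls": []},
    {"ts": "2015-04-20T10:00:00Z", "sender_ip": "192.0.2.20", "recipient": "dave@corp.example",
     "attachment": "agenda.pdf", "sha256": "b2" * 32, "urls": ["http://www.example.org/agenda"]},
]

# Constructed web-proxy records: outbound connections by internal hosts.
WEB_LOG = [
    {"ts": "2015-04-20T08:05:30Z", "host": "alice-pc", "dst_ip": "198.51.100.9", "url": "http://198.51.100.9/x.php"},
    {"ts": "2015-04-20T08:06:02Z", "host": "alice-pc", "dst_ip": "203.0.113.7", "url": "http://203.0.113.7/beacon"},
    {"ts": "2015-04-20T11:30:00Z", "host": "dave-pc", "dst_ip": "93.184.216.34", "url": "http://www.example.org/agenda"},
    # erin-pc never received the mail but still reached a sender IP: infected by another route.
    {"ts": "2015-04-20T12:00:00Z", "host": "erin-pc", "dst_ip": "203.0.113.50", "url": "http://203.0.113.50/"},
]


def scope_attachment(bad_sha256, email_log=EMAIL_LOG, web_log=WEB_LOG):
    """Return everything the SIEM can tell us about one convicted attachment hash."""
    hits = [e for e in email_log if e["sha256"] == bad_sha256]
    recipients = sorted({e["recipient"] for e in hits})
    sender_ips = sorted({e["sender_ip"] for e in hits})
    urls = sorted({u for e in hits for u in e["urls"]})

    # Indicators to pivot on: the sender IPs plus the hosts named in the mails' URLs.
    indicators = set(sender_ips) | {urlparse(u).hostname for u in urls}

    # Second pivot: which internal hosts contacted any of those indicators?
    contacts = [w for w in web_log
                if w["dst_ip"] in indicators or urlparse(w["url"]).hostname in indicators]

    return {
        "recipients": recipients,
        "sender_ips": sender_ips,
        "urls": urls,
        "hosts_contacting": sorted({w["host"] for w in contacts}),
        "contacts": contacts,
    }


if __name__ == "__main__":
    result = scope_attachment("a1" * 32)
    print("recipients:      ", ", ".join(result["recipients"]))
    print("sender IPs:      ", ", ".join(result["sender_ips"]))
    print("hosts contacting:", ", ".join(result["hosts_contacting"]))
    for c in result["contacts"]:
        print(f"  {c['ts']} {c['host']} -> {c['dst_ip']} {c['url']}")
```

The second pivot is the point of asking the SIEM rather than the mail server: it surfaces erin-pc, which never received the message but is beaconing to the same sender infrastructure, so the containment list is wider than the recipient list.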

The endpoint is another valuable player, even before it knows that it is being attacked. The endpoint can query TIE for reputation scores on unknown processes. If a process has a poor reputation (e.g. possibly malicious or most likely malicious), the DLP endpoint can watch for access to sensitive files or attempts to move data to the cloud, record or block the activity, and raise the alarm with extra criticality. You can then investigate while the potential crime is in progress. Your investigation will immediately benefit from the logging on the endpoint, giving you an understanding of what malicious activities have been happening and for how long.
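How a reputation-gated DLP decision can work, as an added example that is not part of the original post and not McAfee DLP Endpoint or TIE code: a DLP event (which process touched which file, and whether the file is classified sensitive) is combined with the process's reputation, and the action and alert severity escalate as the reputation drops. The numeric reputation scale, the lookup table standing in for a TIE query, and the events are all this example's own assumptions.

```python
"""Reputation-gated DLP policy. Added illustration; the reputation scale,
the lookup table and the events are constructed, not a vendor API."""
from dataclasses import dataclass

# Assumed reputation tiers, lower is worse. The numbers are this example's convention;
# the tier names follow the wording used in the post.
KNOWN_MALICIOUS = 1
MOST_LIKELY_MALICIOUS = 15
MIGHT_BE_MALICIOUS = 30
UNKNOWN = 50
MOST_LIKELY_TRUSTED = 85
KNOWN_TRUSTED = 99

# Constructed stand-in for a reputation query to the shared exchange, keyed by process hash.
REPUTATION = {
    "3c" * 32: KNOWN_TRUSTED,           # signed office suite
    "7e" * 32: MOST_LIKELY_MALICIOUS,   # dropper convicted by another sensor
    # Any hash absent from the table has never been seen and is treated as UNKNOWN.
}


@dataclass
class DlpEvent:
    host: str
    process_sha256: str
    action: str        # "read" or "upload" (upload = data leaving to a cloud service)
    target: str
    sensitive: bool    # set by the DLP classifier on the file


def reputation_of(sha256):
    """Look up the process reputation; unseen hashes are UNKNOWN, not trusted."""
    return REPUTATION.get(sha256, UNKNOWN)


def evaluate(event):
    """Return (action, severity, reputation) for one DLP event."""
    rep = reputation_of(event.process_sha256)
    if not event.sensitive:
        # Non-sensitive data: only a bad-reputation process is worth recording.
        return ("allow", "info", rep) if rep > MIGHT_BE_MALICIOUS else ("record", "medium", rep)
    if rep <= MIGHT_BE_MALICIOUS:
        # Sensitive data touched by a suspect process: stop it and page someone.
        return ("block", "critical", rep)
    if rep <= UNKNOWN:
        # Unknown process on sensitive data: let it run but keep evidence; exfil path rates higher.
        return ("record", "high" if event.action == "upload" else "medium", rep)
    return ("allow", "info", rep)


def triage(events):
    """Evaluate a batch and return alerts (anything not plain allow), worst first."""
    order = {"critical": 0, "high": 1, "medium": 2, "info": 3}
    alerts = [(ev, *evaluate(ev)) for ev in events]
    alerts = [a for a in alerts if a[1] != "allow"]
    return sorted(alerts, key=lambda a: order[a[2]])


# Constructed DLP events from three endpoints.
EVENTS = [
    DlpEvent("alice-pc", "7e" * 32, "upload", "C:\\Finance\\payroll.xlsx", True),
    DlpEvent("alice-pc", "7e" * 32, "read", "C:\\Users\\alice\\notes.txt", False),
    DlpEvent("bob-pc", "9f" * 32, "upload", "C:\\Finance\\Q2_forecast.xlsx", True),
    DlpEvent("carol-pc", "3c" * 32, "read", "C:\\Finance\\payroll.xlsx", True),
]

if __name__ == "__main__":
    for ev, action, severity, rep in triage(EVENTS):
        print(f"{severity:8} {action:6} rep={rep:2} {ev.host} {ev.action} {ev.target}")
```

The design choice worth noting is that an unseen hash maps to UNKNOWN rather than to trusted, so a brand-new process uploading a sensitive spreadsheet is recorded at high severity even though nobody has convicted it yet; once any sensor does convict it, the same event would block instead.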

By connecting web gateways, email gateways, and endpoint DLP to the informant network, the door is open for everyone to share and learn about suspicious or malicious activity when it first appears. Regardless of who saw it first, McAfee Threat Intelligence Exchange gets the word out, turning your network of informants into a powerful neighborhood watch.

About the Author

McAfee: We're here to make life online safe and enjoyable for everyone.