McAfee Enterprise – McAfee Blogs Securing Tomorrow. Today. Mon, 20 Sep 2021 15:48:54 +0000 en-US hourly 1 McAfee Enterprise – McAfee Blogs 32 32 McAfee Enterprise Defender Blog | MSHTML CVE-2021-40444 Mon, 20 Sep 2021 15:48:54 +0000

Threat Summary Microsoft is warning its users of a zero-day vulnerability in Windows 10 and versions of Windows Server that...

The post McAfee Enterprise Defender Blog | MSHTML CVE-2021-40444 appeared first on McAfee Blogs.


Threat Summary

Microsoft is warning its users of a zero-day vulnerability in Windows 10 and versions of Windows Server that is being leveraged by remote, unauthenticated attackers to execute code on the target system using specifically crafted office documents. Tracked as CVE-2021-40444 (CVSS score: 8.8), the remote code execution flaw is rooted in MSHTML (aka Trident), a proprietary browser engine for the now-discontinued Internet Explorer and which is used in Microsoft Office to render web content inside Word, Excel, and PowerPoint documents. This vulnerability is being actively exploited and protections should be put into place to prevent that. Microsoft has released guidance on a workaround, as well as updates to prevent exploitation, but below are additional McAfee Enterprise countermeasures you can use to protect your business.

MVISION Insights Campaign – “CVE-2021-40444 – Microsoft MSHTML Remote Code Execution Vulnerability”

Since originally reported, vulnerability exploitation has grown worldwide.

Figure 1. Latest MITRE ATT&CK framework for Exploitation of CVE-2021-40444. Source: MVISION Insights

Additional MITRE ATT&CK techniques have been identified since our original report. MVISION Insights will be regularly updated with the latest IOCs and hunting rules for proactive detection in your environment.

Figure 2. Latest MITRE ATT&CK framework for Exploitation of CVE-2021-40444. Source: MVISION Insights

McAfee Enterprise Product Protections

The following McAfee Enterprise products can protect you against this threat.

Figure 3. Protection by ENS Module

For ENS, it’s important to have both Threat Protection (TP) and Adaptive Threat Protection (ATP) with GTI enabled. We are seeing 50% of detections based on ATP behavior analysis rules.

Figure 4. Protection by ENS Module

More details on Endpoint protection including MVISION EDR are included below.

Preventing Exploit with McAfee ENS

McAfee Global Threat Intelligence (GTI) is currently detecting the analyzed IOCs for this exploitation. GTI will be continually updated as new indicators are observed in the wild.

ENS Threat Prevention module can provide added protections against exploitation of CVE-2021-40444 until a patch is deployed. The following signature in Exploit Prevention has shown coverage in testing of observed exploits; this signature could cause false positives, so it is highly advised to test in Report Mode or in sandbox environments before blocking in production environments.

Signature 2844: Microsoft Word WordPerfect5 Converter Module Buffer Overflow Vulnerability

Several custom Expert Rules can be implemented to prevent or detect potential exploitation attempts. As with all Expert Rules, please test them in your environment before deploying widely to all endpoints. Recommended to implement this rule in a log only mode to start.

Figure 5. Expert Rule to block or log exploitation attempts

Figure 6. Expert Rule to block or log exploitation attempts

ATP Rules

Adaptive Threat Protection module provides behavior-blocking capability through threat intelligence, rules destined to detect abnormal application activity or system changes and cloud-based machine-learning. To exploit this vulnerability, the attacker must gain access to a vulnerable system, most likely through Spearphishing with malicious attachments. These rules may also be effective in preventing initial access and execution. It is recommended to have the following rules in Observe mode at least and monitor for threat events in ePO.

  • Rule 2: Use Enterprise Reputations to identify malicious files.
  • Rule 4: Use GTI file reputation to identify trusted or malicious files
  • Rule 5: Use GTI file reputation to identify trusted or malicious URLs
  • Rule 300: Prevent office applications from being abused to deliver malicious payloads
  • Rule 309: Prevent office applications from being abused to deliver malicious payloads
  • Rule 312: Prevent email applications from spawning potentially malicious tools

As with all ATP Rules, please test them in your environment before deploying widely to all endpoints or turning on blocking mode.

Utilizing MVISION EDR for Hunting of Threat Activity

The Real-Time Search feature in MVISION EDR provides the ability to search across your environment for behavior associated with the exploitation of this Microsoft vulnerability. Please see the queries to locate the “mshtml” loaded module associated with various application processes.

EDR Query One

Processes where Processes parentimagepath matches “winword|excel|powerpnt” and Processes cmdline matches “AppData\/Local\/Temp\/|\.inf|\.dll” and Processes imagepath ends with “\control.exe”

EDR Query Two

HostInfo hostname and LoadedModules where LoadedModules process_name matches “winword|excel|powerpnt” and LoadedModules module_name contains “mshtml” and LoadedModules module_name contains “urlmon” and LoadedModules module_name contains “wininet

Additionally, the Historical Search feature within MVISION EDR will allow for the searching of IOCs even if a system is currently offline.

Figure 7. Using Historical Search to locate IOCs across all devices. Source: MVISION EDR

McAfee Enterprise has published the following KB article that will be updated as more information and coverage is released.

McAfee Enterprise coverage for CVE-2021-40444 – MSHTML Remote Code Execution

Further Protection for Threat Actor Behavior After Exploitation

Since public disclosure of the vulnerability, it has been observed from successful exploitation of CVE-2021-40444 in the wild that threat actors are utilizing a Cobalt Strike payload to then drop ransomware later in the compromised environment. The association between this vulnerability and ransomware point to the possibility that the exploit has been added to the tools utilized in the ransomware-as-a-service (RaaS) ecosystem.

Figure 8. CVE-2021-40444-attack-chain (Microsoft)​​

The Ransomware Gangs that have been observed in these attacks have in the past been known to utilize the Ryuk and Conti variants of ransomware.

Please see below additional mitigations that can be utilized in the event your environment is compromised and added protections are needed to prevent further TTPs.

Cobalt Strike BEACON

MVISION Insights Campaign – Threat Profile: CobaltStrike C2s


Endpoint Security – Advanced Threat Protection:

Rule 2: Use Enterprise Reputations to identify malicious files.

Rule 4: Use GTI file reputation to identify trusted or malicious files

Rule 517: Prevent actor process with unknown reputations from launching processes in common system folders


Ryuk Ransomware Protection

MVISION Insights Campaign – Threat Profile: Ryuk Ransomware


Endpoint Security – Advanced Threat Protection:

Rule 2: Use Enterprise Reputations to identify malicious files.

Rule 4: Use GTI file reputation to identify trusted or malicious files

Rule 5: Use GTI file reputation to identify trusted or malicious URLs


Endpoint Security – Access Protection:

Rule: 1

Executables (Include):



Subrule Type: Files



Targets (Include):



Endpoint Security – Exploit Prevention

Signature 6153: Malware Behavior: Ryuk Ransomware activity detected


Conti Ransomware Protection

MVISION Insights Campaign – Threat Profile: Conti Ransomware


Endpoint Security – Advanced Threat Protection:

Rule 2: Use Enterprise Reputations to identify malicious files.

Rule 4: Use GTI file reputation to identify trusted or malicious files

Rule 5: Use GTI file reputation to identify trusted or malicious URLs


Endpoint Security – Access Protection Custom Rules:

Rule: 1

Executables (Include):



Subrule Type: Files



Targets (Include):



Endpoint Security – Exploit Prevention

Signature 344: New Startup Program Creation

The post McAfee Enterprise Defender Blog | MSHTML CVE-2021-40444 appeared first on McAfee Blogs.

The Bug Report | September 2021: CVE-2021-40444 Fri, 17 Sep 2021 10:07:22 +0000 How to check for viruses

Why am I here? There’s a lot of information out there on critical vulnerabilities; this short bug report contains an...

The post The Bug Report | September 2021: CVE-2021-40444 appeared first on McAfee Blogs.

How to check for viruses

Why am I here?

There’s a lot of information out there on critical vulnerabilities; this short bug report contains an overview of what we believe to be the most news and noteworthy vulnerabilities. We don’t rely on a single scoring system like CVSS to determine what you need to know about; this is all about qualitative and experience-based analysis, relying on over 100 years of combined industry experience within our team. We look at characteristics such as wormability, ubiquity of the target, likelihood of exploitation and impact. Today, we’ll be focusing on CVE-2021-40444.

CrossView: CVE-2021-40444

What is it?

CVE-2021-40444 is a vulnerability in Office applications which use protected view such as Word, PowerPoint and Excel which allows an attacker to achieve remote code execution (RCE). CVE-2021-40444 is a vulnerability which allows a carefully crafted ActiveX control and a malicious MS Cabinet (.cab) file to be launched from an Office document

Most importantly, this vulnerability impacts the applications themselves, as well as the Windows Explorer preview pane.

Who cares?

This is a great question! Pretty much anyone who uses any Microsoft Office applications, or has them installed, should be concerned.

Office is one of the most widely-used applications on the planet. Odds are good you have it open right now. While many companies have disabled macros within Office documents at the Group Policy level, it is unlikely ActiveX is treated similarly. This means that without proper data hygiene, a large proportion of Office users will be vulnerable to this exploit.

Fortunately, “spray and pray” style email campaigns are unlikely to gain traction with this exploit, as mail providers have started flagging malicious files (or at least known PoCs) as potential malware and removing them as attachments.

What can I do?

Good news! You aren’t necessarily completely helpless. By default, Windows uses a flag known as the “Mark of the Web” (MoTW) to enable Protected Mode in Office. Email attachments, web downloads, and similar all have this MoTW flag set, and Protected Mode prevents network operations, ActiveX controls, and macros embedded within a document from being executed, which effectively disables exploitation attempts for this vulnerability.

That said, users have become so inured to the Protected View message, they often dismiss it without considering the consequences. Much like “confirmation fatigue” can lead to installing malicious software, attackers can leverage this common human response to compromise the target machine.

Even more so, while exploitation can occur via the Office applications themselves and via the Explorer preview pane, the Outlook preview pane operates in a completely different manner which does not trigger the exploit. Exactly why this distinction exists only MS can explain, but the upshot is that Outlook users have to explicitly open malicious files to be exploited – the more hoops users have to jump through to open a malicious, the less likely they are to be pwned.

If I’m protected by default, why does this matter?

It depends entirely on how the file gets delivered and where the user saves it.

There are many ways of getting files beyond email and web downloads – flash cards for cameras, thumb drives, external hard drives, etc. Files opened from these sources (and many common applications[1]) don’t have MoTW flag set, meaning that attackers could bypass the protection entirely by sending a malicious file in a .7z archive, or as part of a disk image, or dropping a USB flash drive in your driveway. Convincing users to open such files is no harder than any other social engineering strategy, after all.

Another fun workaround for bypassing default protections is to make use of an RTF file – emailed, downloaded, or otherwise. From our testing, an RTF file saved from an email attachment does not bear the MoTW but can still be used as a vector of exploitation. Whether RTF files become the preferred option for this exploit remains to be seen.


Ha! We put the tl;dr near the end, which only makes sense when the information above is so important it’s worth reading. But if all you care about is what you can actively do to ensure you’re not vulnerable, this section is for you.


  • Apply the Patch! Available via Windows Update as of 9/14/2021, this is your best solution.
  • Enable registry workaround to disable ActiveX – details can be found on Microsoft’s bulletin page and should effectively disable exploitation attempts until a formal patch can be applied.
  • Confirm that Windows Explorer “Preview” pane is disabled (this is true by default). This only protects against the Preview pane exploitation in Explorer. Opening the file outside of Protected Mode (such as an RTF file) or explicitly disabling Protected Mode will still allow for exploitation.

The Gold Standard

In case you simply can’t apply the patch or have a “production patch cycle” or whatever, McAfee Enterprise has you covered. Per our KB we provide comprehensive coverage for this attack across our protection and detection technology stack of endpoint (ENS Expert Rules), network (NSP) and EDR.

[1] 7zip, files from disk images or other container formats, FAT formatted volumes, etc.

The post The Bug Report | September 2021: CVE-2021-40444 appeared first on McAfee Blogs.

Executive Spotlight: Q&A with SVP of Global Channels, Kathleen Curry Wed, 15 Sep 2021 15:05:22 +0000

For this week’s executive spotlight, I’m highlighting Kathleen Curry, senior vice president, Global Enterprise Channels at McAfee Enterprise. Curry was...

The post Executive Spotlight: Q&A with SVP of Global Channels, Kathleen Curry appeared first on McAfee Blogs.


For this week’s executive spotlight, I’m highlighting Kathleen Curry, senior vice president, Global Enterprise Channels at McAfee Enterprise. Curry was named one of CRN’s 2021 Channel Chiefs. Joining the company in April 2020, she was acknowledged for her contributions expanding our partner program initiatives to reward partners for servicing customers in line with their modern needs and consumption preferences. This includes spearheading McAfee Enterprises’ “channel first” initiative and ethos, aimed to better empower our channel partner community and increase their profitability, while at the same time optimizing the end customer experience by scaling through McAfee Enterprise’s channels and partners. Read below for more.

Q: Who has been the most influential person in your life?

My father instilled in me, from as far back as I can remember, that I can do whatever I set my mind to and that I am the owner of my life story. This helped create a positive, empowered mindset when facing challenges and opportunities throughout my life. And my father always kept our world big. Whether it was traveling to see other cultures, sharing his never-ending love of history, or getting involved in our community, his actions showed me the importance of taking time to connect with others, understand the context of things, and have compassion. While he is no longer with us, I still feel like I get advice from him every day.

Q: What are the most significant problems influencing cybersecurity professionals today?

The ever-changing threat landscape is a real challenge. Finding the time to keep up on trends, proactively secure an environment, and address unexpected issues has become increasingly difficult. Together with our partners, we can help solve these problems.

Q: How do you separate hype from genuine innovation?

Execution. True innovation delivers real outcomes. It can be big or small, but mostly, it must be realized and validated.

Q: With cybersecurity and AI capabilities expanding at a rapid pace, what will the future look like for companies like McAfee Enterprise and our partners in the coming years?

There is tremendous opportunity ahead for us and our partners. With the complexity of the cybersecurity landscape, continuing threats, and talent gaps, our customers need our collective solutions, expertise, and services more than ever. We are charging ahead to optimize our channel program with partner profitability and growth at the forefront. Our dedication to a Channel First strategy coupled with best-in-class solutions positions us extremely well to win and best benefit the customers we serve together.

The post Executive Spotlight: Q&A with SVP of Global Channels, Kathleen Curry appeared first on McAfee Blogs.

Operation ‘Harvest’: A Deep Dive into a Long-term Campaign Wed, 15 Sep 2021 04:01:21 +0000

A special thanks to our Professional Services’ IR team, ShadowServer, for historical context on C2 domains, and Thomas Roccia/Leandro Velasco...

The post Operation ‘Harvest’: A Deep Dive into a Long-term Campaign appeared first on McAfee Blogs.


A special thanks to our Professional Services’ IR team, ShadowServer, for historical context on C2 domains, and Thomas Roccia/Leandro Velasco for malware analysis support.

Executive Summary

Following a recent Incident Response, McAfee Enterprise‘s Advanced Threat Research (ATR) team worked with its Professional Services IR team to support a case that initially started as a malware incident but ultimately turned out to be a long-term cyber-attack.

From a cyber-intelligence perspective, one of the biggest challenges is having information on the tactics, techniques, and procedures (TTPs) an adversary is using and then keeping them up to date. Within ATR we typically monitor many adversaries for years and collect and store data, ranging from indicators of compromise (IOCs) to the TTPs.

In this report, ATR provides a deep insight into this long-term campaign where we will map out our findings against the Enterprise MITRE ATT&CK model. There will be parts that are censored since we respect the confidentiality of the victim. We will also zoom in and look at how the translation to the MITRE Techniques, historical context, and evidence artifacts like PlugX and Winnti malware led to a link with another campaign, which we highly trust to be executed by the same adversary.

IOCs that could be shared are at the end of this document.

McAfee customers are protected from the malware/tools described in this blog. MVISION Insights customers will have the full details, IOCs and TTPs shared via their dashboard. MVISION Endpoint, EDR and UCE platforms provide signature and behavior-based prevention and detection capability for many of the techniques used  in this attack. A more detailed blog with specific recommendations on using the McAfee portfolio and integrated partner solutions to defend against this attack can be found here.

Technical Analysis

Initial Infection Vectors [TA0001]

Forensic investigations identified that the actor established initial access by compromising the victim’s web server [T1190]. On the webserver, software was installed to maintain the presence and storage of tools [T1105] that would be used to gather information about the victim’s network [T1083] and lateral movement/execution of files [T1570] [T1569.002]. Examples of the tools discovered are PSexec, Procdump, and Mimikatz.

Privilege Escalation and Persistence [TA0004TA0003]

The adversary has been observed using multiple privilege escalation and persistence techniques during the period of investigation and presence in the network. We will highlight a few in each category.

Besides the use of Mimikatz to dump credentials, the adversaries used two tools for privilege escalations [T1068]. One of the tools was “RottenPotato”. This is an open-source tool that is used to get a handle to a privileged token, for example, “NT AUTHORITY\SYSTEM”, to be able to execute tasks with System rights.

Example of RottenPotato on elevating these rights:

Figure 1 RottenPotato

The second tool discovered, “BadPotato”, is another open-source tool that can be used to elevate user rights towards System rights.

Figure 2 BadPotato

The BadPotato code can be found on GitHub where it is offered as a Visual Studio project. We inspected the adversary’s compiled version using DotPeek and hunted for artifacts in the code. Inspecting the File (COFF) header, we observed the file’s compilation timestamp:

TimeDateStamp: 05/12/2020 08:23:47  – Date and time the image was created


Another major and characteristic privilege escalation technique the adversary used in this long-term campaign was the malware PlugX as a backdoor. PlugX makes use of the technique “DLL Sideloading” [T1574.002]. PlugX was observed as usual where a single (RAR) executable contained the three parts:

  • Valid executable.
  • Associated DLL with the hook towards the payload.
  • Payload file with the config to communicate with Command & Control Server (C2).

The adversary used either the standalone version or distributed three files on different assets in the network to gain remote control of those assets. The samples discovered and analyzed were communicating towards two domains. Both domains were registered during the time of the campaign.

One of the PlugX samples consisted of the following three parts:

Filename Hashes
HPCustPartic.exe SHA256: 8857232077b4b0f0e4a2c3bb5717fd65079209784f41694f8e1b469e34754cf6
HPCustPartUI.dll SHA256: 0ee5b19ea38bb52d8ba4c7f05fa1ddf95a4f9c2c93b05aa887c5854653248560
HPCustPartic.bin SHA256: 008f7b98c2453507c45dacd4a7a7c1b372b5fafc9945db214c622c8d21d29775

The .exe file is a valid and signed executable and, in this case, an executable from HP (HP Customer participation). We also observed other valid executables being used, ranging from AV vendors to video software. When the executable is run, the DLL next to it is loaded. The DLL is valid but contains a small hook towards the payload which, in our case, is the .bin file. The DLL loads the PlugX config and injects it into a process.

We executed the samples in a test setup and dumped the memory of the machine to conduct memory analysis with volatility. After the basic forensically sound steps, we ran the malfind plugin to detect possible injected code in a process. From the redacted output of the plugin, we observed the following values for the process with possible injected code:

Process: svchost.exe Pid: 860 Address: 0xb50000

Process: explorer.exe Pid: 2752 Address: 0x56a000

Process: svchost.exe Pid: 1176 Address: 0x80000

Process: svchost.exe Pid: 1176 Address: 0x190000

Process: rundll32.exe Pid: 3784 Address: 0xd0000

Process: rundll32.exe Pid: 3784 Address: 0x220000

One observation is the mention of the SVCHOST process with a ProcessID value of 1176 that is mentioned twice but with different addresses. This is similar to the RUNDLL32.exe that is mentioned twice with PID 3785 and different addresses. One way to identify what malware may have been used is to dump these processes with the relevant PID using the procdump module, upload them to an online analysis service and wait for the results. Since this is a very sensitive case, we took a different approach. Using the best of both worlds (volatility and Yara) we used a ruleset that consists of malware patterns observed in memory over time. Running this ruleset over the data in the memory dump revealed the following (redacted for the sake of readability) output:

Figure 3 Output Yarascan memory dump

The output of the Yara rule scan (and there was way more output) confirmed the presence of PlugX module code in PID 1176 of the SVCHOST service. Also, the rule was triggered on PID 3784, which belonged to RUNDLL32.exe.

Investigating the dumps after dynamic analysis, we observed two domain names used for C2 traffic:


In particular, we saw the following hardcoded value that might be another payload being downloaded:

The PlugX families we observed used DNS [T1071.001] [T1071.004] as the transport channel for C2 traffic, in particular TXT queries. Investigating the traffic from our samples, we observed the check-in-signature (“20 2A 2F 2A 0D”) that is typical for PlugX network traffic:

00000000:            47 45 54 20 2F 42 34 42 42 44 43 43 30 32 39 45

00000010:            31 31 39 37 31 39 46 30 36 35 36 32 32 20 48 54

00000020:            54 50 2F 31 2E 31 0D 0A 41 63 63 65 70 74 3A 20

00000030:            2A 2F 2A 0D 0A 43 6F 6F 6B 69 65 3A 20 44 36 43

00000040:            57 50 2B 56 5A 47 6D 59 6B 6D 64 6D 64 64 58 55

00000050:            71 58 4D 31 71 31 6A 41 3D 0D 0A 55 73 65 72 2D

During our analysis of the different PlugX samples discovered, the domain names as mentioned above stayed the same, though the payload values were different. For example:

  • hxxp://
  • hxxp://
  • hxxp://

Other PlugX samples we observed injected themselves into Windows Media Player and started a connection with the following two domains:


Hello Winnti

Another mechanism observed was to start a program as a service [T1543.003] on the Operating System with the acquired System rights by using the *Potato tools. The file the adversary was using seemed to be a backdoor that was using the DLL file format (2458562ca2f6fabddae8385cb817c172).

The DLL is used to create a malicious service and its name is service.dll”. The name of the created service, “SysmainUpdate”, is usurping the name of the legitimate service “SysMain” which is related to the legitimate DLL sysmain.dll and also to the Superfetch service. The dll is run using the command “rundll32.exe SuperFrtch.dll, #1”. The export function has the name “WwanSvcMain”.

The model uses the persistence technique utilizing svchost.exe with service.dll to install a rogue service. It appears that the dll employs several mechanisms to fingerprint the targeted system and avoid analysis in the sandbox, making analysis more difficult. The DLL embeds several obfuscated strings decoded when running. Once the fingerprinting has been done, the malware will install the malicious service using the API RegisterServiceHandlerA then SetServiceStatus, and finally CreateEventA. A description of the technique can be found here.

The malware also decrypts and injects the payload in memory. The following screenshot shows the decryption routine.

Figure 4 Decryption routine

When we analyzed this unique routine, we discovered similarities and the mention of it in a publication that can be read here. The malware described in the article is attributed to the Winnti malware family. The operating method and the code used in the DLL described in the article are very similar to our analysis and observations.

The process dump also revealed further indicators. Firstly, it revealed artifacts related to the DLL analyzed, “C:\ProgramData\Microsoft\Windows\SuperfRtch\SuperfRtch.dat”. We believe that this dat file might be the loaded payload.

Secondly, while investigating the process dump, we observed activities from the backdoor that are part of the data exfiltration attempts which we will describe in more detail in this analysis report.

A redacted snippet of the code would look like this:

Creating archive ***.rar

Adding   [data from location]



Another indicator of discovering Winnti malware was the following execution path we discovered in the command line dump of the memory:

cmd /c klcsngtgui.exe 1560413F7E <abbreviation-victim>.dat

What we observed here was the use of a valid executable, the AES 256 decryption key of the payload (.dat file). In this case, the payload file was named using an abbreviation of the victim company’s name. Unfortunately, the adversary had removed the payload file from the system. File carving did not work since the disk/unallocated space was overwritten. However, reconstructing traces from memory revealed that we were dealing with the Winnti 4.0 malware. The malware was injected into a SVCHOST process where a driver location pointed to the config file. We observed in the process dump the exfiltration of data on the system, such as OS, Processor (architecture), Domain, Username, etc.

Another clue that helped us was the use of DNS tunneling by Winnti which we discovered traces of in memory. The hardcoded resolves to a legitimate OpenDNS DNS server. The IP is pushed into the list generated by the malware at runtime. At the start of the malware, it populates the list with the system’s DNS, and the OpenDNS server is only used as a backup to ensure that the C2 domain is resolved.

Another indicator in the process dump was the setup of the C2 connection including the User-Agent that has been observed being used by Winnti 4.0 malware:

Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36

Other Persistence Activities

WMI activity [T1546.003] was also observed to execute commands on the systems.

From a persistence point of view, scheduled tasks [T1053.005] and the use of valid accounts [T1078] acquired through the use of Mimikatz, or creating LSASS dumps, were observed being employed during the length of the campaign.

Lateral Movement

From a lateral movement perspective, the adversary used the obtained credentials to hop from asset to asset. In one particular case, we observed a familiar filename: “PsExec.exe”. This SysInternals tool is often observed being used in lateral movement by adversaries, however, it can also be used by the sysadmins of the network. In our case, the PsExec executable had a file size of 9.6 MB where the original PsExec (depending on 32- or 64-bit version) had a maximum file size of 1.3 MB. An initial static inspection of the file resulted in a blob of code that was present in the executable which had a very high entropy score (7.99). When running the file from the command line, the following output was observed:

Figure 5 PsExec output

The error notification and the ‘Impacket’ keyword tipped us off and, after digging around, we found more. The fake PsExec is an open-source Python script that is a PsExec alternative with shell/backdoor capability. It uses a script from this location: hxxps:// The file is large since it incorporates a low-level protocol interaction from Impacket. The Python library combined with the script code is compiled with py2exe. The file was compiled during the time of the latest attack activities and signed with an expired certificate.

Data Exfiltration

From what we observed, the adversary had a long-term intention to stay present in the victim’s network. With high confidence, we believe that the adversary was interested in stealing proprietary intelligence that could be used for military or intellectual property/manufacturing purposes.

The adversary used several techniques to exfiltrate the data. In some cases, batch (.bat) scripts were created to gather information from certain network shares/folders and use the ‘rar’ tool to compress them to a certain size [T1020] [T1030]. Example of content in a batch script:

C:\Windows\web\rar.exe a -[redacted] -r -v50000 [Target-directory]

On other occasions, manual variants of the above command were discovered after using the custom backdoor as described earlier.

When the data was gathered on a local system using the backdoor, the files were exfiltrated over the backdoor and the rar files were deleted [T1070.004]. Where external facing assets were used, like a web server, the data was stored in a location in the Internet Information Services (IIS) web server and exfiltrated over HTTP using GET requests towards the exact file paths [T1041] [T1567] [T1071].

An example of the [redacted] web traffic in the IIS logfiles:

Date /Time Request TCP Src port Source IP User-Agent
Redacted GET /****/[redacted].rar 80 180.50.*.* MINIXL
redacted GET /****/[redacted].rar 80 209.58.*.* MINIXL

The source IP addresses discovered belonged to two different ISP/VPN providers based in Hong-Kong.

The User-Agent value is an interesting one, “MINIXL”. When we researched that value, we discovered a blog from Dell SecureWorks from 2015 that mentions the same User-Agent, but also a lot of the artifacts mentioned from the blog overlapped with the observations and TTPs of Operation Harvest [link].

What we could retrieve from open-source databases is that the use of this particular User-Agent is very limited and seems to originate from the APAC region.

Who did it?

That seems to be the one-million-dollar question to be asked. Within McAfee, attribution is not our main focus, protecting our customers is our priority. What we do care about is that if we learn about these techniques during an investigation, can we map them out and support our IR team on the ground, or a customer’s IR team, with the knowledge that can help determine which phase of the attack the evidence is pointing to and based on historical data and intelligence, assist in blocking the next phase and discover more evidence?

We started by mapping out all MITRE ATT&CK Enterprise techniques and sub-techniques, added the tools used, and did a comparison against historical technique data from the industry. We ended up with four groups that shared techniques and sub-techniques. The Winnti group was added by us since we discovered the unique encryption function in the custom backdoor and indicators of the use of the Winnti malware.

Figure 6 ATT&CK technique comparison

The diagram reflecting our outcome insinuated that APT27 and APT41 are the most likely candidates that overlap with the (sub-)techniques we observed.

Since all these groups are in a certain time zone, we extracted all timestamps from the forensic investigation with regards to:

  • Registration of domain
  • Compile timestamps of malware (considering deception)
  • Timestamps of command-line activity
  • Timestamps of data exfiltration
  • Timestamps of malware interaction such as creation, deletion, etc.

When we converted all these timestamps from UTC to the aforementioned groups’ time zones, we ended up with the below scheme on activity:

Figure 7 Adversary’s time of operation

In this campaign, we observed how the adversary mostly seems to work from Monday to Thursday and typically during office hours, albeit with the occasional exception.

Correlating ATT&CK (sub-)techniques, timestamps, and tools like PlugX and Mimikatz are not the only evidence indicators that can help to identify a possible adversary. Command-line syntax, specific code similarity, actor capability over time versus other groups, and unique identifiers are at the top of the ‘pyramid of pain’ in threat intelligence. The bottom part of the pyramid is about hashes, URLs, and domains, areas that are very volatile and easy to change by an adversary.

Figure 8 Pyramid of Pain

Beyond investigating those artifacts, we also took possible geopolitical interests and potential deception into consideration when building our hypothesis. When we mapped out all of these, we believed that one of the two previously mentioned groups were responsible for the campaign we investigated.

Our focus was not about attribution though, but more around where the flow of the attack is, matches against previous attack flows from groups, and what techniques/tools they are using to block next steps, or where to locate them. The more details we can gather at the top of ‘the pyramid of pain’, the better we can determine the likely adversary and its TTP’s.

That’s all Folks!

Well, not really. While correlating the observed (sub-)techniques, the malware families and code, we discovered another targeted attack against a similar target in the same nation with the major motivation of gathering intelligence. In the following diagram we conducted a high-level comparison of the tools being used by the adversary:

Figure 9 Tools comparison

Although some of the tools are unique to each campaign, if taken into consideration over time with when they were used, it makes sense. It demonstrates the development of the actor and use of newer tools to conduct lateral movement and to obtain the required level of user rights on systems.

Overall, we observed the same modus operandi. Once an initial foothold was established, the adversary would deploy PlugX initially to create a few backdoors in the victim’s network in case they were discovered early on. After that, using Mimikatz and dumping lsass, they were looking to get valid accounts. Once valid accounts were acquired, several tools including some of their own tools were used to gain information about the victim’s network. From there, several shares/servers were accessed, and information gathered. That information was exfiltrated as rar files and placed on an internet-facing server to hide in the ‘normal’ traffic. We represent that in the following graphic:

Figure 10 Attack flow

In the 2019/2020 case we also observed the use of a malware sample that we would classify as part of the Winnti malware family. We discovered a couple of files that were executed by the following command:

Start Ins64.exe E370AA8DA0 Jumper64.dat

The Winnti loader ‘Ins64.exe’ uses the value ‘E370AA8DA0’ to decrypt the payload from the .dat file using the AES-256-CTR decryption algorithm and starts to execute.

After executing this command and analyzing the memory, we observed a process injection in one of the svchost processes whereby one particular file was loaded from the following path:


Figure 11 Memory capture

The malware started to open up both UDP and TCP ports to connect with a C2 server.

UDP Port 20502

TCP Port  20501

Figure 12 Network connections to C2

Capturing the traffic from the malware we observed the following as an example:

Figure 13 Winnti HTTP traffic to C2

The packet data was customized and sent through a POST request with several headers towards the C2. In the above screenshot the numbers after “POST /” were randomly generated.

The User-Agent is a good network indicator to identify the Winnti malware since it is used in multiple variants:

Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36

Indeed, the same User Agent value was discovered in the Winnti sample in Operation Harvest and seems to be typical for this malware family.

The cookie value consists of four Dword hex values that contain information about the customized packet size using a XOR value.

We learned more about the packet structure of Winnti from this link.

Applying what we learned about the handshake, we observed the following in our traffic sample:

Dword value 0 = 52 54 00 36

Dword value 1 = 3e ff 06 b2

Dword value 2 = 99 6d 78 fe

Dword value 3 = 08 00 45 00

Dword value 4 = 00 34 00 47

Initial handshake order:

Based on our cross-correlation with samples and other OSINT resources, we believe with a high confidence that this was a Winnti 4.0 sample that connects with a confirmed Winnti C2 server.

The identified C2 server was TCP/80.

Timeline of Events

When analyzing the timestamps from this investigation, like we did for operation Harvest, we came to the below overview:

Figure 14 Beijing working hours case 2019/2020

Again, we observed that the adversary was operating Monday to Friday during office hours in the Beijing time-zone.


Operation Harvest has been a long-term operation whereby an adversary maintained access for multiple years to exfiltrate data. The exfiltrated data would have either been part of an intellectual property theft for economic purposes and/or would have provided insights that would be beneficial in case of military interventions. The adversaries made use of techniques very often observed in this kind of attack but also used distinctive new backdoors or variants of existing malware families. Combining all forensic artifacts and cross-correlation with historical and geopolitical data, we have high confidence that this operation was executed by an experienced APT actor.

After mapping out all data, TTP’s etc., we discovered a very strong overlap with a campaign observed in 2019/2020. A lot of the (in-depth) technical indicators and techniques match. Also putting it into perspective, and over time, it demonstrates the adversary is adapting skills and evolving the tools and techniques being used.

On a separate note, we observed the use of the Winnti malware. We deliberately mention the term ‘malware’ instead of group. The Winnti malware is known to be used by several actors. Within every nation-state cyber-offensive activity, there will be a department/unit responsible for the creation of the tools/malware, etc. We strongly believe that is exactly what we observe here as well. PlugX, Winnti and some other custom tools all point to a group that had access to the same tools. Whether we put name ‘X’ or ‘Y’ on the adversary, we strongly believe that we are dealing with a Chinese actor whose long-term objectives are persistence in their victims’ networks and the acquisition of the intelligence needed to make political/strategic or manufacturing decisions.


MITRE ATT&CK Techniques

Technique ID Technique Title Context Campaign
T1190 Exploit Public-facing application Adversary exploited a web-facing server with application
T1105 Ingress Tool transfer Tools were transferred to a compromised web-facing server
T1083 File & Directory Discovery Adversary browsed several locations to search for the data they were after.
T1570 Lateral Tool Transfer Adversary transferred tools/backdoors to maintain persistence
T1569.002 System Services: Service Execution Adversary installed custom backdoor as a service
T1068 The exploitation of Privilege Escalation Adversary used Rotten/Bad Potato to elevate user rights by abusing API calls in the Operating System.
T1574.002 Hijack Execution Flow: DLL Side-Loading Adversary used PlugX malware that is famous for DLL-Side-Loading using a valid executable, a DLL with the hook towards a payload file.
T1543.003 Create or Modify System Process: Windows Service Adversary launched backdoor and some tools as a Windows Service including adding of registry keys
T1546.003 Event-Triggered Execution: WMI Event Subscription WMI was used for running commands on remote systems
T1053.005 Scheduled task Adversary ran scheduled tasks for persistence of certain malware samples
T1078 Valid accounts Using Mimikatz and dumping of lsass, the adversary gained credentials in the network
T1020 Automated exfiltration The PlugX malware exfiltrated data towards a C2 and received commands to gather more information about the victim’s compromised host.
T1030 Data transfer size limits Adversary limited the size of rar files for exfiltration
T1070.004 Indicator removal on host Where in the beginning of the campaign the adversary was sloppy, during the last months of activity they became more careful and started to remove evidence
T1041 Exfiltration over C2 channel Adversary used several C2 domains to interact with compromised hosts.
T1567 Exfiltration over Web Service Gathered information was stored as ‘rar’ files on the internet-facing server, whereafter they were downloaded by a specific ip range.
T1071.004 Application layer protocol: DNS Using DNS tunneling for the C2 traffic of the PlugX malware


Indicators of Compromise (IOCs)

Note: the indicators shared are to be used in a historical and timeline-based context, ranging from 2016 to March 2021.

Operation Harvest:

PlugX C2:









Operation 2019/2020

PlugX malware:











Winnti C2:



PSW64                  6e983477f72c8575f8f3ff5731b74e20877b3971fa2d47683aff11cfd71b48c6

NTDSDumpEx  6db8336794a351888636cb26ebefb52aeaa4b7f90dbb3e6440c2a28e4f13ef96

NBTSCAN             c9d5dc956841e000bfd8762e2f0b48b66c79b79500e894b4efa7fb9ba17e4e9e

NetSess                ddeeedc8ab9ab3b90c2e36340d4674fda3b458c0afd7514735b2857f26b14c6d

Smbexec              e781ce2d795c5dd6b0a5b849a414f5bd05bb99785f2ebf36edb70399205817ee

Wmiexec              14f0c4ce32821a7d25ea5e016ea26067d6615e3336c3baa854ea37a290a462a8


RAR command-line


The post Operation ‘Harvest’: A Deep Dive into a Long-term Campaign appeared first on McAfee Blogs.

McAfee Enterprise Defender’s Blog: Operation Harvest Wed, 15 Sep 2021 04:01:11 +0000

Summary McAfee Enterprise’s Advanced Threat Research (ATR) team provided deep insight into a long-term campaign Operation Harvest. In the blog,...

The post McAfee Enterprise Defender’s Blog: Operation Harvest appeared first on McAfee Blogs.



McAfee Enterprise’s Advanced Threat Research (ATR) team provided deep insight into a long-term campaign Operation Harvest. In the blog, they detail the MITRE Tactics and Techniques the actors used in the attack. In this blog, our Pre-Sales network defenders describe how you can defend against a campaign like Operation Harvest with McAfee Enterprise’s MVISION Security Platform and security architecture best practices.

Defending Against Operation Harvest with McAfee

Operation Harvest, like other targeted attack campaigns, leverages multiple techniques to access the network and capture credentials before exfiltrating data. Therefore, as a Network Defender you have multiple opportunities to prevent, disrupt, or detect the malicious activity. Early prevention, identification and response to potentially malicious activity is critical for business resilience. Below is an overview of how you can defend against attacks like Operation Harvest with McAfee’s MVISION Security Architecture.

Throughout this blog, we will provide some examples of where MVISION Security Platform could help defend against this type of attack.

Get Prepared with the Latest Threat Intelligence

As Network Defenders our goal is to prevent, detect and contain the threat as early as possible in the attack chain. That starts with using threat intelligence, from blogs or solutions like MVISION Insights to get prepared and using tools like MITRE Attack Navigator to assess your defensive coverage. The ATR blog details the techniques, indicators and tools used by the attackers. Many of the tools used in Operation Harvest are common across other threat actors and detection details for PlugX, and Winnti are already documented in MVISION INSIGHTS.

Get a quick overview of the PlugX tool:

Easily search for or export PlugX IOCs right from MVISION Insights:

Get a quick overview of the Winnti tool:

Easily search for or export Winnti IOCs right from MVISION Insights:

Cross Platform Hunting Rules for Winnti:

MVISION Insights is also updated with the latest technical intelligence on Operation Harvest including a summary of the threat, prevalence, indicators of compromise and recommended defensive countermeasures.

Defending Against Initial Access

In this attack, the initial access involved a compromised web server. Over the last year we have seen attackers increasingly use initial access vectors beyond spear-phishing, such as compromising remote access systems or supply chains. The exploiting of public-facing vulnerabilities for Initial Access is a technique associated with Operation Harvest and other APT groups to gain entry. Detecting this activity and stopping it is critical to limiting the abilities of the threat actor to further their execution strategy. Along with detecting the ongoing activity, it is also imperative to verify critical vulnerabilities are patched and configurations are security best practice to prevent exploitation. MVISION UCE provides visibility into threats, vulnerabilities, and configuration audits mapped to the MITRE ATT&CK Framework for protection against suspicious activity.

Many customer-facing applications and web servers are hosted on cloud infrastructure. As a Network Defender, gaining visibility and monitoring for misconfigurations on the infrastructure platforms is critical as this is increasingly the entry point for an attacker. MVISION Cloud Native Application Protection Platform (CNAPP) provides a continuous assessment capability for multiple cloud platforms in a single console so you can quickly correct misconfigurations and harden the security posture across AWS, AZURE or Google Cloud Platforms.

Harden the Server or Endpoint Against Malicious Tool use

The attackers uploaded several known or potentially malicious tools to compromised systems. Many of these tools were detected on installation or execution by ENS Threat Prevention or Adaptative Threat Prevention Module. The following is a sample of the Threat Event log from ePolicy Orchestrator (ePO) from our testing.

You can easily search for these events in ePO and investigate any systems with detections.

For best protection turn on Global Threat Intelligence (GTI) for both Threat Prevention and Adaptive Threat Protection modules. Ensure ATP Rules 4 (GTI File Reputation) and 5 (URL Reputation) are enabled in ATP. Global Threat Intelligence is updated with the latest indicators for this attack as well.

Additionally, based on other observables in this attack, we believe there are several other Adaptive Threat Prevention Rules that could prevent or identify potentially malicious activity on the endpoint or server. Monitor especially for these ATP events in the ePO threat event logs:

Rule 269: Detects potentially malicious usage of WMI service to achieve persistence

Rule 329: Identify suspicious use of Scheduled Tasks

Rule 336: Detect suspicious payloads targeting network-related services or applications via dual use tools

Rule 500: Block lateral movement using utilities such as Psexec from an infected client to other machines in the network

Rule 511: Detect attempts to dump sensitive information related to credentials via lsaas

Analysis will continue and additional ATP rules we think relate will be added to mitigation guidance in MVISION Insights.

ENS with Expert Rules

Expert Rules are a powerful, customizable signature language within ENS Threat Prevention Module. For this attack, you could use Expert Rules to identify potential misuse of Psexec or prevent execution or creation of certain file types used such as .rar files.

Additional guidance on creating your own Expert Rules and link to our repository are here:

How to Use Expert Rules in ENS to Prevent Malicious Exploits

ATR Expert Rule Repository

Per standard practice, we recommend that customers test this rule in report mode before applying in block mode.

Preventing or Detecting Command and Control

Like other attacks exploiting critical vulnerabilities, attackers may gain command and control over exploited systems to deliver payloads or other actions. MVISION EDR can both identify many command-and-control techniques such as Cobalt Strike beacons. In this case, MVISION EDR would have logged the DNS and HTTP connection requests to the suspicious domains and an SOC analysts could use Real Time and Historical search to hunt proactively for compromised machines.

Additionally, Unified Cloud Edge (UCE – SWG) can prevent access to risky web sites using threat intelligence, URL reputation, behaviour analysis and remote browser isolation. Ensure you have a strong web security policy in place and are monitoring logs. This is a great control to identify potentially malicious C2 activity.

Monitoring for Privilege Escalation

The adversary used several techniques and tools to elevate privileges and run Mimikatz to steal credentials. In our simulation, MVISION EDR proactively identified the attempt to download and execute in memory a Mimikatz PowerShell script.

We simulated the attacker malicious attempt using potato tools reproducing a generic privilege escalation. From the EDR monitoring process tree we could observe the sequence of events with a change in terms of user name from a user account to SYSTEM.”

We started a guided investigation on the affected system. Analytics on the data identified anomalies in user behavior. Guided investigations make easier to visualize complex data sets and interconnections between artifacts and systems.

Identifying Commonly used Tools for Lateral Movement

The attackers used a common dual use system utility, in this case Psexec.exe, to move laterally. In many cases, the malicious use of legitimate system tools is difficult to detect with signature-based detection only. MVISION EDR uses a combination of behaviour analytics and threat intelligence to proactively identify and flag a high severity alert on malicious use of Psexec for lateral movement.

Psexec.exe used for lateral movement:

Mapping User and Data Anomalies to Detect Exfiltration

The threat actors behind Operation Harvest utilized various tools to elevate privileges and exfiltrate data out of the impacted environment. Visualizing anomalies in user activity and data movement can be used to detect out of the ordinary behavior that can point to malicious activity going on in your environment. MVISION UCE will monitor user behavior and provide anomalies for the security team to pinpoint areas of concern for insider or external adversarial threats.

Identifying User Access Anomalies with UCE:

Identifying Data Transfer Anomalies with UCE:


MVISION Security Platform provides defense in depth to prevent, disrupt or detect many of the techniques used in Operation Harvest. As a network defender, focus on early prevention or detection of the techniques to better protect your organization against cyber-attacks.

The post McAfee Enterprise Defender’s Blog: Operation Harvest appeared first on McAfee Blogs.

How MVISION CNAPP Helps Protect Against ChaosDB Thu, 09 Sep 2021 15:00:39 +0000

Attackers have made it known that Microsoft is clearly in their cross hairs when it comes to potential targets. Just...

The post How MVISION CNAPP Helps Protect Against ChaosDB appeared first on McAfee Blogs.


Attackers have made it known that Microsoft is clearly in their cross hairs when it comes to potential targets. Just last month the US Justice Department disclosed that Solorigate continues to comprise security when they confirmed over 80% of Microsoft email accounts were breached across four different federal prosecutors offices. In August Microsoft released another security patch (the second of two) for PrintNightmare, which allows remote attackers system level escalation of all Windows clients and servers. Since Microsoft still has the dominate market share for desktop OS, email/office services, along with the second largest market share in cloud computing, any security vulnerability found within the Microsoft ecosystem has cascading effects across the board.

Based on this, we wanted to let our customers know our response to the latest Microsoft security vulnerability. On August 12, Microsoft confirmed a security vulnerability dubbed ChaosDB whereby attackers can download, delete, or modify all data stored within the Azure Cosmos DB service. In response to the vulnerability Microsoft has since disabled the feature that can be exploited and notified potentially affected customers. However, according to the research team that identified the vulnerability they believe the actual number of customers affected is much higher and has the potential to expose thousands of companies dating back to 2019.

Cosmos DB is Microsoft’s fully managed NoSQL database service hosted on Azure which boasts customers such as Mars, Mercedes Benz, and Chipotle. The ChaosDB vulnerability affects customers that use the Jupyter Notebook feature. This built-in feature allows customers to share data visualizations and narrative text based on the data stored in Cosmos DB. Unfortunately, the Jupyter Notebook feature has been enabled by default for customers since February 2021, and fixing the vulnerability is no easy task. Because the vulnerability exposes public keys that can be used to access other Cosmos databases, the resolution requires that customers manually rotate their Cosmos DB primary keys – which are typically long-lived keys and used across multiple services or applications.

For customers using Cosmos DB, we highly recommend following Microsoft’s guidance and rotate their keys, but we also recognize that business can’t stop and unless you’ve automated key rotation, that task may take time and coordination across multiple teams. This blog will help provide some assistance on how one of our newest services can help identify and mitigate ChaosDB.

MVISION Cloud Native Application Protection Platform (CNAPP) is a new service we launched this year that provides complete visibility and security into services and applications built on top of cloud native solutions. MVISION CNAPP helps customers secure the underlying platform like Amazon Web Services (AWS), Microsoft Azure, and Google Cloud used to build applications but also provides complete build and runtime protection for applications using virtual machines, Docker, and Kubernetes.

As part of this service, MVISION CNAPP has a feature called the custom policy builder. The custom policy builder is a great way for customers to audit services across their entire cloud environment in real time to identify risky configurations but can also be used to curate a specific policy to the customer’s unique environment based on several API properties.

How does the custom policy builder work? Once MVISION CNAPP is connected to a customer’s AWS, Azure, or GCP account, the custom policy builder will list all the supported services within each cloud platform. Along with all the supported services, the custom policy builder will also list all the available API attributes for each of those services – attributes that customers can use as triggers for creating security incidents and automatic responses. A good example of the capability would be “if MVISION CNAPP identifies a public Amazon S3 bucket, performs a scan to on the bucket objects to identify any sensitive data and alerts teams via a SNS notification.” When new vulnerabilities like ChaosDB hit the wire, the custom policy builder is purpose built to help customers identify and understand their risk to anything new.

So how can CNAPP help identify if you’re at risk for ChaosDB? Essentially, you’ll want to answer three questions to understand your risk:

  • Are we using Cosmos DB?
  • If so, do our Cosmos databases have unrestricted access?
  • If an attacker did have access to our Cosmos DB keys, what level of access would they have with those keys?

To find answers to these questions, I’ll show how you can create several custom policies using the MVISION CNAPP custom policy builder, but you can combine and mix these rules based on your needs.

In the first example, I’m going to answer the first two questions to see if we’re running Cosmos DB and if the service has unrestricted network access. Under the MVISION CNAPP menu I’ll click on Policy | Configuration Audit | Actions | Create Policy. From there I’ll give my policy a name and select Microsoft Azure | Next. The custom policy builder will automatically prepopulate all the available services in Azure when I click on Select Resource Type. Select Azure Cosmos DB and the custom policy builder will now show me all the available API attributes for that service. Start typing for the string of properties.publicNetworkAccess with a statement of equals to Enabled with a severity level you assign. Click Test Rule and the custom policy builder will check if you’re running any Cosmos DBs that allow access from any source.

Figure 1: Custom Policy Builder Screenshot

If the results of the custom policy show any incidents where Cosmos DB has unrestricted access, you’ll want to immediately change that setting by Configuring an IP firewall in Azure Cosmos DB.

Now let’s see if we have any Cosmos databases where we haven’t set firewall rules. These rules can be based on a set of IP addresses or private end points and should have been set when you created the DBs, but let’s confirm. You’ll follow the same steps as before but select the following criteria for the policy using AND statements:

  • ipRangeFilter equals to not set
  • virtualNetworksRules is not set
  • privateEndpointConnections is not set

Figure 2: Custom Policy Builder Screenshot 2

If you see any results from the custom policy, you’ll want to review the IP address and endpoints to make sure you’re familiar with access from those sources. If you’re not familiar with those sources or the sources are too broad, follow Configuring an IP firewall in Azure Cosmos DB to make the necessary changes.

Finally, let’s show how MVISION CNAPP can audit to see what is possible if your keys were exposed. In general, database keys are issued out to applications so they can access data. Rarely would you issue keys to make configuration changes or write changes to your database services. If you granted keys that can make changes, you may have issued an overly permissive key. Eventually you’ll want to regenerate those keys, but in the meantime let’s identify if the keys can make write changes.

We’ll follow the same procedure as before but use the properties.disableKeyBasedMetadataWriteAccess equals to false

Figure 3: Custom Policy Builder Screenshot 3

Like in the previous examples, if you find any results here that show you’ve issued keys that can make write changes, you’ll want to disable the feature by following Disable key based metadata write access.

Our custom policy builder is just one of the many features we’ve introduced with MVISION CNAPP. I invite you to check out the solution by visiting for more information or request a demo at

The post How MVISION CNAPP Helps Protect Against ChaosDB appeared first on McAfee Blogs.

How Groove Gang is Shaking up the Ransomware-as-a-Service Market to Empower Affiliates Thu, 09 Sep 2021 04:01:34 +0000

Co-authored with Intel471 and McAfee Enterprise Advanced Threat Research (ATR) would also like to thank Coveware for its contribution. Executive...

The post How Groove Gang is Shaking up the Ransomware-as-a-Service Market to Empower Affiliates appeared first on McAfee Blogs.


Co-authored with Intel471 and McAfee Enterprise Advanced Threat Research (ATR) would also like to thank Coveware for its contribution.

Executive Summary

McAfee Enterprise ATR believes, with high confidence, that the Groove gang is associated with the Babuk gang, either as a former affiliate or subgroup. These cybercriminals are happy to put aside previous Ransomware-as-a-Service hierarchies to focus on the ill-gotten gains to be made from controlling victim’s networks, rather than the previous approach which prioritized control of the ransomware itself.


For many years the world of Ransomware-as-a-Service (RaaS) was perceived as a somewhat hierarchical and structured organization. Ransomware developers would advertise their RaaS program on forums and gracefully open up slots for affiliates to join their team to commit crime. The RaaS admins would conduct interviews with potential affiliates to make sure they were skilled enough to participate. Historically, i.e., with CTB locker, the emphasis was on affiliates generating enough installs via a botnet, exploit kits or stolen credentials, but it has shifted in recent years to being able to penetrate and compromise a complete network using a variety of malicious and non-malicious tools. This essentially changed the typical affiliate profile towards a highly-skilled pen-tester/sysadmin.

Figure 1. Recruitment posting for CTB locker from 2014

Figure 2. Recruitment posting for REvil from 2020

Experts often describe the hierarchy of a conventional organized crime group as a pyramid structure. Historically, La Cosa Nostra, drug cartels and outlaw motor gangs were organized in such a fashion. However, due to further professionalization and specialization of the logistics involved with committing crime, groups have evolved into more opportunistic network-based groups that will work together more fluidly, according to their current needs.

While criminals collaborating in the world of cybercrime isn’t a novel concept, a RaaS group’s hierarchy is more rigid compared to other forms of cybercrime, due to the power imbalance between the group’s developers/admins and affiliates.

For a long time, RaaS admins and developers were prioritized as the top targets, often neglecting the affiliates since they were perceived as less-skilled. This, combined with the lack of disruptions in the RaaS ecosystem, created an atmosphere where those lesser-skilled affiliates could thrive and grow into very competent cybercriminals.

However, this growth isn’t without consequences. Recently we have observed certain events that might be the beginning of a new chapter in the RaaS ecosystem.

Cracks in the RaaS model

Trust in the cybercriminal underground is based on a few things, such as keeping your word and paying people what they deserve. Just like with legitimate jobs, when employees feel their contributions aren’t adequately rewarded, those people start causing friction within the organization. Ransomware has been generating billions of dollars in recent years and with revenue like that, it’s only a matter of time before some individuals who believe they aren’t getting their fair share become unhappy.

Recently, a former Conti affiliate was unhappy with their financial portion and decided to disclose the complete Conti attack playbook and their Cobalt Strike infrastructure online, as shown in the screenshot below.

Figure 3. Disgruntled Conti affiliate

In the past, ATR has been approached by individuals affiliated with certain RaaS groups expressing grudges with other RaaS members and admins, claiming they haven’t been paid in time or that their share wasn’t proportionate to the amount of work they put in.

Recently, security researcher Fabian Wosar opened a dedicated Jabber account for disgruntled cybercriminals to reach out anonymously and he stated that there was a high level of response.

Figure 4. Jabber group for unhappy threat actors

Moreover, the popular cybercrime forums have banned ransomware actors from advertising since the Colonial Pipeline attack. Now, the groups no longer have a platform on which to actively recruit, show their seniority, offer escrow, have their binaries tested by moderators, or settle disputes. The lack of visibility has made it harder for RaaS groups to establish or maintain credibility and will make it harder for RaaS developers to maintain their current top tier position in the underground.

Paying respects…. RAMP Forum and Orange

After a turbulent shutdown of Babuk and the fallout from the Colonial Pipeline and Kaseya attacks, it seems that some of the ransomware-affiliated cybercriminals have found a home in a forum known as RAMP.

Figure 5. RAMP posting by Orange, introducing Groove and explaining relationships

Translated Posting

When analyzing RAMP and looking at the posting above from the main admin Orange, it’s hard to ignore numerous references that are made: From the names chosen, to the avatar of Orange’s profile, which happens to be a picture of a legitimate cyber threat intelligence professional.


Hello, friends! I am happy to announce the first contest on Ramp.

Let’s make it clear that we don’t do anything without a reason, so at the end of the day, it’s us who will benefit most from this contest 🙂

Here’s the thing: besides my new projects and old, I have always had this unit called

GROOVE — I’ve never revealed its name before and it’s never been mentioned directly in the media, but it does exist — we’re like Mossad (we are few and aren’t hiring). It’s Groove whom the babuk ransomware needs to thank for its fame.

Groove rocks, and babuk stinks 🙂

Challenge: Using a PHP stack+MYSQL+Bootstrap, code a standard ransomware operators’ blog in THE RUSSIAN LANGUAGE with the following pages:

1) About us

The description of a group, which must be editable from the admin panel and use the same visual editor as our forum.

2) Leaks.

No hidden blogs, just leaks.

Use standard display, just like other ransomware operators’ blogs do.

3) News

A news page; it must be possible to add and edit news via the admin panel.

We’ll be accepting your submissions up to and including August 30.

Who will rate the entries and how?

There will be only one winner. I, Orange, will rate the usability and design of blogs. MRT will rate each entry’s source code and its security. In addition to USD 1k, the winner will most likely get a job in the RAMP team!

Now, for those of you who are interested in entirely different things:

1) No, we are not with the Kazakh intelligence agency.–livres-blancs/cybersecchronicles_-_babuk.pdf

2) Groove has never had a ransomware product, nor will that ever change.

3) The babuk team doesn’t exist. We rented the ransomware from a coder who could not shoulder the responsibility, got too scared and decided to leave an error in the ESX builder — naturally, to give us a reason to chuck him out (his motives? Fxxx if I know)

babuk 2.0, which hit the headlines, is not to be taken seriously and must be regarded as nothing but a very stupid joke

4) GROOVE is first and foremost an aggressive financially motivated criminal organization dealing in industrial espionage for about two years. RANSOMWARE is no more than an additional source of income. We don’t care who we work with and how. You’ve got money? We’re in

RAMP Ransom Anon Mark[et] Place

RAMP was created in July 2021 by a threat actor TetyaSluha, who later changed their moniker to ‘Orange.’ This actor claimed the forum would specifically cater to other ransomware-related threat actors after they were ousted from major cybercrime forums for being too toxic, following the high-profile ransomware attacks against the Colonial Pipeline and Washington D.C.’s Metropolitan Police Department in the spring of 2021.

At the time of the initial launch, Orange claimed the forum’s name was a tribute to a now-defunct Russian-language underground drug marketplace, “Russian Anonymous Marketplace,” which was taken down by Russian law enforcement agencies in 2017.  The re-launched cybercrime forum’s name now supposedly stands for “Ransom Anon Mark[et] Place”.

The forum was initially launched on the same TOR-based resource that previously hosted a name-and-shame blog operated by the Babuk ransomware gang and the Payload.bin marketplace of leaked corporate data. The forum was later moved to a dedicated TOR-based resource and relaunched with a new layout and a revamped administrative team, where Orange acted as the admin, with other known actors MRT, 999 and KAJIT serving as moderators.

Why the name Orange?

Why the admin changed handles from TetyaSluha to Orange isn’t 100 percent clear. However, looking back, the early days of RAMP provides us some evidence on who this person has been affiliated with. We found a posting from  where the names Orange and Darkside are mentioned as potential monikers. Very shortly after that, TetyaSluha changed their handle to Orange. While the initial message has been removed from the forum itself, the content was saved thanks to Intel 471.

July 12th 2021 by Mnemo

Congratulations on the successful beginning of struggle for the right to choose and not to be evicted. I hope, the community will soon fill with reasonable individuals.

Oh yeah, you’ve unexpectedly reminded everyone about the wonderful RAMP forum. Are the handles Orange and Darkside still free?

The name Darkside might sound more familiar than Orange but, as we saw with the naming of RAMP, TetyaSluha is one for cybercrime sentiment, so there is almost certainly some hidden meaning behind it.

Based on ATR’s previous research, we believe the name Orange was chosen as a tribute to REvil/GandCrab. People familiar with those campaigns have likely heard of the actor UNKN’. However, there was a less well known REvil affiliate admin named Orange. A tribute seems fitting if Tetyasluha isn’t the notorious Orange as that moniker is tied to some successful ransomware families, GandCrab and REvilthat shaped the RaaS ecosystem as we know it today. 

In the past, UNKN was linked to several other monikers, however Orange was hardly mentioned since there wasn’t a matching public handle used on any particular cybercrime forum.  However, REvil insiders will recognize the name Orange as one of their admins.

Based on ATR’s closed-source underground research, we believe with a high level of confidence, that UNKN was indeed linked to the aforementioned accounts, as well as the infamous “Crab”handle used by GandCrab. Crab was one of the two affiliate-facing accounts that the GandCrab team had (The other being Funnycrab). We believe with a high level of confidence that after the closure of GandCrab, the individual behind the Funnycrab account changed to the account name to Orange and continued operations with REvil, with only a subset of skilled GandCrab affiliates, (as described in our Virus Bulletin 2019 whitepaper) since GandCrab grew too big and needed to shed some weight.

The posting in figure 5 is also shedding some light on the start of the Groove Gang, their relationship to Babuk and, subsequently, BlackMatter.

Groove Gang

In the post from Figure 5, “Orange” also claims to have always had a small group of people that the group collaborates with. Additionally, the actor claims that the name has not been mentioned in the media before, comparing the group to the Israeli secret service group Mossad. The group’s comparison to Mossad is extremely doubtful at best, given the drama that has publicly played out. Groove claims several of Babuk’s victims, including the Metropolitan Police Department, brought them a lot of attention. The several mentions to Babuk isn’t by mistake: we have evidence the two groups also have connections, which we’ve pieced together from examining the behavior of — and particularly the fallout between — the two groups.

Babuk’s Fallout

Originally, the Babuk gang paid affiliates by each victim they attacked. Yet on April 30, it was reported that the gang suddenly had stopped working with affiliates, including the act of encrypting a victim’s system. Instead, their focus shifted to data exfiltration and extortion of targeted organizations. That was followed by the group releasing the builder for the old versions of its ransomware as it pivoted to a new one for themselves.

The attention that Babuk drew by hacking and extorting the Metropolitan Police Department meant their brand name became widely known. It also meant that more firms and agencies were interested in finding out who was behind it. This kind of heat is unwanted by most gangs, as any loose ends that are out there can come back to bite them.

Then, on September 3, the threat actor with the handle ‘dyadka0220’ stated that they were the principal developer of Babuk ransomware and posted what they claimed was the Babuk ransomware source code. They claimed the reason they were sharing everything was due to being terminally ill with lung cancer.

Figure 6. Dyadka0220 was possibly the developer that Orange hinted at in the posting (Figure 5) mentioned above.

On September 7, the Groove gang responded with a blog on their own website, titled “Thoughts about the meaning”, which rhymes in Russian. In this blog, the gang (allegedly) provides information on several recent happenings. Per their statement, the illness of ‘dyadka0220’ is a lie. Additionally, their response alleges that the Groove gang never created the Babuk ransomware themselves, but worked with someone else to produce it.

The validity of the claims in Groove’s latest blog is hard to determine, although this does not matter too much: the Babuk group, including affiliates, had a fallout that caused the group to break up, causing the retaliation of several (ex-)members.

Observed Behavior

The ATR team has covered Babuk multiple times. The first blog, published last February, covers the initial observations of the group’s malware. The second blog, published last July, dives into the ESXi version of the ransomware and its issues. The group’s tactics, techniques, and procedures (TTPs) are in-line with commonly observed techniques from ransomware actors. The deployment of dual-use tools, which can be used for both benign and malicious purposes, is difficult to defend against, as intent is an unknown term for a machine. Together with other vendors we have narrowed down some of the TTPs observed by the Groove gang.

Initial Access

The actor needs to get a foothold within the targeted environment. The access can be bought, in terms of stolen (yet valid) credentials, or direct access in the form of a live backdoor on one or more of the victim’s systems. Alternatively, the actor can exploit publicly facing infrastructure using a known or unknown exploit. To ATR’s understanding, the latter has been used several times by exploiting vulnerable VPN servers.

Lateral Movement, Discovery and Privilege Escalation

Moving around within the network is an important step for the actor, for two reasons. Firstly, it allows the attacker to find as much data as possible, which is then exfiltrated. Secondly, access to all machines is required in order to deploy the ransomware at a later stage. By encrypting numerous devices at once, it becomes even harder to control the damage from a defender’s point of view. The actor uses commonly known tools, such as Ad-Find and NetScan, to gather information on the network. Based on the gathered information, the actor will move laterally through the network. One of the most frequently observed methods by this actor to do so, is by using RDP.

To work with more than user-level privileges, the actor has a variety of options to escalate their privilege to a domain administrator. Brute forcing RDP accounts, the dumping of credentials, and the use of legacy exploits such as EternalBlue (CVE-2017-0144), are ways to quickly obtain access to one or more privileged accounts. Once access to these systems is established, the next phase of the attack begins.

Data Exfiltration and Ransomware Deployment

The actor navigates through the machines on the network using the earlier obtained access. To exfiltrate the collected data, the attacker uses WinSCP. Note that other, similar, tools can also be used. Once all relevant data has been stolen, the attacker will execute the ransomware in bulk. This can be done in a variety of ways, ranging from manually starting the ransomware on the targeted machines, scheduling a task per machine, or using PsExec to launch the ransomware.

Linking Groove to Babuk and BlackMatter

As discussed above, there was a fallout within Babuk. From that fallout, a part of the group stayed together to form Groove. The server that Babuk used, which we will refer to as the “wyyad” server due to the ending of the onion URL, rebranded in late August 2021. The similarities can be seen in the two screenshots below.

Figure 7. The changes to the landing page from Babuk to Groove

Aside from this, data from old Babuk victims is still hosted on this server. The ATR team found, among others, leaks that belong to:

  • a major US sports team,
  • a British IT service provider,
  • an Italian pharmaceutical company,
  • a major US police department,
  • a US based interior shop.

All these victims have previously been claimed by (and attributed to) Babuk.

Another gang, known as BlackMatter, uses a variety of locations to host their extorted files, which can be done out of convenience or to avoid a single notice and takedown to remove all offending files. Additionally, the ATR team assumes, with medium confidence, that different affiliates use different hosting locations.

The data of one of the BlackMatter gang’s victims, a Thai IT service provider, is stored on the “wyyad” server. As such, it can mean that the Groove gang worked as an affiliate for the BlackMatter gang. This is in line with their claim to work with anybody, as long as they profit from it. The image below shows the BlackMatter leak website linking to the “wyyad” server.

Figure 8. screenshot of BlackMatter, where the data is stored on the Groove server

The Groove gang’s website contains, at the time of writing, a single leak: data from a German printing company. Even though the website is accessible via a different address, the leaked data is stored on the “wyyad” server.

Figure 9. Another Groove victim but stored on their own page

The affected company does not meet BlackMatter’s “requirements,” the group has said it only goes after companies that make more than $US 100 million. This company’s annual revenue is estimated at $US 75 million, as seen in the below screenshot.

Figure 10. Posting on the Exploit forum by BlackMatter

At the end of Orange’s announcement comes a call to action and collaboration: “GROOVE is first and foremost an aggressive financially motivated criminal organization dealing in industrial espionage for about two years. RANSOMWARE is no more than an additional source of income. We don’t care who we work with and how. You’ve got money? We’re in”.

The group’s primary goal, making money, is not limited to ransomware. Inversely, ransomware would be the cherry on top. This is yet another indication of the ransomware group’s shift to a less hierarchical set-up and a more fluid and opportunistic network-based way of working.

In the Groove gang’s blog on September 7, a reference is made with regards to BlackMatter, and its links to DarkSide. If true, these insights show that the Groove gang has insider knowledge of the BlackMatter gang. This makes the collaboration between Groove and BlackMatter more likely. If these claims are false, it makes one wonder as to why the Groove gang felt the need to talk about other gangs, since they seem to want to make a name for themselves.

Due to the above outlined actions ATR believes, with high confidence, that the Groove gang is a former affiliate or subgroup of the Babuk gang, who are willing to collaborate with other parties, as long as there is financial gain for them. Thus, an affiliation with the BlackMatter gang is likely.


Ever since Ransomware-as-a-Service became a viable, and highly profitable, business model for cybercriminals, it has operated in much the same way with affiliates being the sometimes underpaid workhorses at the bottom of a rigid pyramid shaped hierarchy.

For some affiliates there was an opportunity to become competent cybercriminals while, for many others, the lack of recompense and appreciation for their efforts led to ill-feeling. Combined with underground forums banning ransomware actors, this created the perfect opportunity for the threat actor known as Orange to emerge, with the Groove gang in tow, with the offer of new ways of working where an associate’s worth was based entirely on their ability to earn money.

Time will tell if this approach enhances the reputation of the Groove gang to the level of the cybercriminals they seem to admire. One thing is clear though; with the manifestation of more self-reliant cybercrime groups the power balance within the RaaS eco-climate will change from he who controls the ransomware to he who controls the victim’s networks.


We have compiled a list of TTPs based on older Babuk cases and some recent cases linked to Groove:

  • T1190: Exploit Public-Facing Application (VPN services)
  • T1003: OS Credential Dumping
  • 002: Valid Accounts: Domain Accounts
  • T1059: Command and Scripting Interpreter
  • T1021:002: SMB/Windows Admin Shares
  • T1210: Exploitation of Remote Services
  • T1087: Account Discovery
  • T1482: Domain Trust Discovery
  • T1562: Impair Defense
  • T1537: Transfer Data to Cloud Account
  • T1567: Exfiltration Over Web Service

If a partnership is achieved with a Ransomware family:

  • T1486 Data Encrypted for Impact

The post How Groove Gang is Shaking up the Ransomware-as-a-Service Market to Empower Affiliates appeared first on McAfee Blogs.

Executive Spotlight: Q&A with Chief Public Policy Officer, Tom Gann Wed, 08 Sep 2021 15:00:25 +0000

I’m back at it again with another round of our executive blog series. This week I had the privilege to...

The post Executive Spotlight: Q&A with Chief Public Policy Officer, Tom Gann appeared first on McAfee Blogs.


I’m back at it again with another round of our executive blog series. This week I had the privilege to speak with Tom Gann, our Chief Public Policy officer and he had some interesting things to say on the cyber security issues that are shaping public policy dialogue in Washington DC and other capitals around the world, and much much more.

Q: What is one event in your life that made you who you are today?

Teaching tennis. I know that teaching tennis is not an event, it’s a sport. For me it was a business at a young age that helped to change my life.

I grew up in Palo Alto, CA, when the town was middle-class. I went to Gunn High School when the school was very good at tennis – they had 10 undefeated seasons. My parents were kind enough to pay for tennis lessons and while I was only a so-so tennis player, my tennis coach thought that I would be a good teacher. And so, starting in the 11th grade, I began teaching tennis for a tennis shop in Menlo Park called the Better Backhand. Then later, when I was at Stanford, I started my own business teaching lessons on private tennis courts which helped me pay for school and a car.

Through this experience, I learned how to become a professional and most importantly, how to relate to people while helping them learn something valuable. I am amazed that many of the things I learned from teaching tennis still guide me today: treating people well, empowering them, and striving to get things done that matter.

Q: What are the biggest cyber security issues shaping the public policy dialogue in Washington DC and other capitals around the world?

The reality today, and likely in the future, is that the bad guys have and will continue to have the advantage. Bad guys need to be right one time to get into a government or company environment. The good guys, playing defense, need to be right every time. This reality is made more challenging by the fact that today’s typical new, best-in-class cyber security solution is often out of date in two years because the bad guys are great at innovating. At the same time, unfortunately, many organizations are too slow or too distracted to ensure all their cyber security solutions work effectively together.

The threats from nation states, criminal organizations, and terrorist groups is only getting bigger as time goes on – meaning our challenge continually grows, shifts, and evolves. Today, these actors are perfecting a wide range of ransomware strategies to blackmail all types of organizations in the public and private sectors.

Responsible governments and citizens need to demand real change, they need to push non-compliant nation states to commit to a basic level of fair play. The public and private sectors also need to work together to create a firewall against these bad actors who use ransomware to achieve such strategic objectives as profit and intimidation.

Q: What is the true value cloud security has brought to the government contracting and federal sectors? Why is there so much hype around this technology?

Everyone is moving to the cloud – private and public sector organizations as well as folks at home. This trend makes sense because the cloud is cost effective, reliable, and highly secure. However, the key in this shift is to make sure that government agencies have the flexibility to rapidly work with private sector experts – the data center, the enterprise software, and the cyber security leaders – to ensure long term success. Too often, I have seen government agencies use outdated procurement rules and processes that bog down progress. This often results in cloud and data center deployments, particularly when government agencies host these infrastructures, being completed with last generation solutions.

At the same time, outdated contracting rules can limit the ability of agencies to field the most up to date cyber security solutions. This challenge is becoming a bigger deal as agencies deploy multiple cloud solutions. These many cloud implementations create targets of opportunity for hackers who exploit security gaps between and among clouds, meaning agencies need to be proactive to ensure that their move to the cloud is safe and effective. Policymakers need to step up to the plate and modernize procurement rules and processes. Such support will help government agencies work quicker and more effectively to serve our citizens who demand first-class service from their government.

Q: How can our organization be the best partner to government agencies moving forward?

It is all about trust. Without trust you have noting. Working with the government, a company, or your neighbor down the street is the same – it all depends on trust. This means doing what you say you will do and working to overdeliver on your commitments.


The post Executive Spotlight: Q&A with Chief Public Policy Officer, Tom Gann appeared first on McAfee Blogs.

Remote Browser Isolation: The Next Great Security Technology is Finally Attainable Tue, 07 Sep 2021 15:00:17 +0000

Security professionals and technologists old enough to remember renting movies at Blockbuster on Friday nights likely also remember a time...

The post Remote Browser Isolation: The Next Great Security Technology is Finally Attainable appeared first on McAfee Blogs.


Security professionals and technologists old enough to remember renting movies at Blockbuster on Friday nights likely also remember a time when the internet was a new phenomenon full of wonder and promise.  These same individuals probably view it through a more skeptical lens seeing it now as a cesspool of malware and great risk.  It’s also widely understood that no web security solution can offer perfect protection against the metaphorical minefield that is the internet.  This last statement, however, is being challenged by a new technology that is grasping at the title of perfect web security.  This mythical technology is Remote Browser Isolation, or RBI, and it can be argued that it does, in fact, provide its users with invincibility against web-based threats.

Remote Browser Isolation changes the playbook on web security in one very fundamental way: it doesn’t rely on detecting threats.  When a user tries to browse to a website, the RBI solution instantiates an ephemeral browser in a remote datacenter which loads all the requested content.  The RBI solution then renders the website into a dynamic visual stream that enables the user to see and safely interact with it.

Figure 1: How Remote Browser Isolation works.

User behavior can be controlled at a granular level, preventing uploads, downloads, and even copy & paste using the local clipboard.  When properly configured, absolutely none of the content from the requested site is loaded on the local client.  For this reason, it can be argued that it’s literally impossible for malware to be delivered to the local client.  Of course, the RBI solution’s ephemeral browser instance may be compromised, but it will be fully isolated from the organization’s valuable assets and data, rendering the attack harmless.  As soon as the user closes their local browser tab, the ephemeral browser is destroyed.

The value of this cannot be overstated.  The world is increasingly conducting its affairs through web browsers, and the challenge of detecting threats continues to increase at an exponential rate.  While there is great efficacy and value in the threat intelligence and malware detection capabilities of web security solutions today, the “cat & mouse” game being played with cybercriminals means that they’re simply never going to offer perfect protection.  Attackers often use zero-day threats coupled with domains registered perhaps within the past few minutes to compromise their victims, and these methods will too often succeed in circumventing any detection-based security measures.  The game-changing efficacy of RBI and the fact its inception was actually more than 10 years ago should bring an obvious question to mind – If it’s so great, why doesn’t every organization in the world use RBI today?  There are a few relevant answers to this, but one rises above all the rest: cost.

RBI’s method of instantiating remote web browsers for all users precludes the possibility of any implementation that is not expensive to deliver.  Consider the size of a modern enterprise, the number of users, the number of web browser tabs an average user keeps open, and then consider the amount of memory and CPU consumed by each of those tabs.  To mirror these resources in a remote datacenter will always be a costly proposition.  For this reason, many RBI solutions on the market today may literally consume the entire security budget allocated for each licensed user.  As prevalent as web-based threats are today and as effective as RBI’s protection may be, no security organization can dedicate most or all of their security budget to a single technology or even a single threat vector.

To better understand the cost problem and how it may be solved, let’s take a closer look at the two most common use cases for RBI.  The first and most common use case is handling uncategorized sites or sites with unknown risk, known as selective isolation.  As mentioned before, attackers will often use a site that was registered very recently to deliver their web-based threats to victims.  Therefore, organizations often want to block any site that has not been categorized by their web security vendor.  However, the problem is that many legitimate sites can be uncategorized resulting in unnecessary blocking that may impact business.  Managing such a policy is very tedious, and the user experience tends to suffer greatly.  RBI is an ideal solution to this problem where you can grant users access to these sites while maintaining a high level of security.  This situation calls for a selective use of RBI where trusted sites are filtered through more traditional means while only the unknown or high-risk sites are isolated.

The other common need for RBI is various groups of high-risk users.  Consider C-level executives who have access to highly sensitive information relating to business strategies, intellectual property, and other information that must remain private.  Another common example is IT administrators who have elevated privileges that could be devastating if their accounts were compromised.  In these scenarios, organizations may look to isolate all of the traffic for these users including even sites that are trusted.  Typically, this full isolation approach is reserved for only a subset of users who pose a particularly high risk if compromised.

In light of these two use cases, selective isolation and full isolation, let’s take a closer look at the cost of this invincibility-granting technology.  Let’s consider a hypothetical organization, Brycin International, who has a total of 10,000 users.  Brycin has identified 400 users who either have access to critical data or have elevated permissions and therefore require full-time isolation.  We will assume a street price of $100 per user for full time isolation totaling $40,000 for these users.  This seems like a reasonable cost considering the elevated risk a compromise would represent for any one of these users.  Brycin would also like to leverage selective isolation for the rest of the user population, or 9,600 users.  Some solutions may require purchasing a full license, but most offer a discounted license for selective isolation.  We will assume a generous discount of 60%, resulting in a total cost of $40 per user or $384,000 for the rest of the organization.  This gives us a total price tag of $424,000 for Brycin, or an average cost of $42.40 per user.

Not only is this a steep cost for our 10,000-user enterprise, but the cost does not at all align with the value or the cost to deliver the solution.  The 9,600 selective isolation users may represent 96% of the user population, but when you consider the fact that only a small percentage of their web traffic will actually be isolated – state-of-the-art web threat security stacks can detect as much as 99% of all threats, leaving 1% of all traffic to be isolated – they generate perhaps less than 20% of the isolated web traffic.  The full isolation users, while a minority of the license count, will represent the bulk of the isolated web traffic – a little more than 80%.  However, despite the fact that selective isolation users are responsible for such a small share of all isolated traffic and given the generous 60% discounted licensing, they are still by far the largest expense at over 90% of the total solution cost!  This ratio of cost to value simply will not align with the budget and goals of most security organizations.

Figure 2: The disproportionate relationship between RBI users, traffic load, and solution cost.

McAfee Enterprise has now upended this unfortunate paradigm by incorporating remote browser isolation technology natively into our MVISION Unified Cloud Edge platform.  McAfee Enterprise offers two licensing options for RBI: RBI for Risky Web and Full Isolation.  RBI for Risky Web uses an algorithm built by McAfee Enterprise to automatically trigger browser isolation for any site McAfee Enterprise determines to be potentially malicious.  This is designed to address the most common use case, selective isolation, and it is included at no additional cost for any Unified Cloud Edge customer.  Additionally, Full Isolation licenses can be purchased as an add-on for any users that require isolation at all times.  These Full Isolation licenses allow you to create your own policy dictating which sites are isolated or not for these users.

Now, let’s revisit Brycin International’s cost to deliver enterprise-wide RBI if they chose McAfee Enterprise.  As we saw earlier, despite the fact the selective isolation users generated less than 20% of the traffic, they represented over 90% of the total cost of the solution.  With McAfee Enterprise’s licensing model, these users would not require any additional licenses at all, reducing this cost to zero!  Now, Brycin only has to consider the Full Isolation add-on licenses for their 400 high-risk users, or $40,000 – this is now the entire cost for the enterprise-wide RBI deployment.  While $100 per user still may exceed the per-user security budget for Brycin, it is now diluted by the total user population, reducing the per-user cost of the RBI deployment from $42.40 to only $4.  This is a tremendous reduction in cost for equal or greater value, making RBI much more likely to fit into Brycin’s budget and overall security plans.

This may beg the question, “How can McAfee Enterprise do this?”  In short, as one of the most mature security vendors in the world, McAfee Enterprise has the most powerful threat intelligence and anti-malware capabilities in the market today.  McAfee Enterprise’s Global Threat Intelligence service leverages over 1 billion threat sensors around the world reducing the unknowns to an extremely small fraction of all web traffic.  In addition, its heuristics-based anti-malware technology is able to detect many zero-day malware variants.  More uniquely, the Gateway Anti-Malware engine offers inline, real-time, emulation-based sandboxing using behavioral analysis to identify never-before seen threats based on their behavior.  After analyzing the combined effectiveness of these technologies, we found that only a small percentage of web traffic could not be confidently identified as either safe or malicious – roughly 0.5%. This made the cost of delivering selective RBI for Risky Web something that could be easily absorbed without any additional cost to our customers.

Remote Browser Isolation is an absolute paradigm shift in how we can protect our most critical assets against web-based threats today.  While the benefits are tremendous, cost has been a significant barrier preventing this powerful defense from becoming a ubiquitous technology.  McAfee Enterprise has broken down this barrier by leveraging our superior threat intelligence to reduce the cost of delivering RBI and then passing this savings on to our customers.

Remote Browser Isolation

Remove the risk and enjoy worry-free web browsing with McAfee’s RBI.

View Now

The post Remote Browser Isolation: The Next Great Security Technology is Finally Attainable appeared first on McAfee Blogs.

Executive Spotlight: Q&A with EMEA Senior Vice President, Adam Philpott Thu, 02 Sep 2021 15:00:14 +0000

Welcome back to our executive blog series, where we’re sitting down with some of the pivotal players behind McAfee Enterprise...

The post Executive Spotlight: Q&A with EMEA Senior Vice President, Adam Philpott appeared first on McAfee Blogs.


Welcome back to our executive blog series, where we’re sitting down with some of the pivotal players behind McAfee Enterprise to hear their takes on today’s security trends, challenges, and opportunities for enterprises across the globe.

Q: Do you have a role model? If so, who is it?

Well, there are work and there are more personal role models. At work, I have several past and present role models I’ve met across my career that share the same traits. They’re typically great leaders who lead authentically and with a strong sense of purpose and values. For these, I often think when facing a challenge, “What would he or she do?”

Personally, I have many people who have inspired me. A current, topical favorite is Gareth Southgate – manager of the England national football team. He’s not only achieved great success in getting the team to their first final in over 50 years but has challenged the status quo by focusing on young talent and has played a pivotal role as a visible leader in support of diversity.

Q: What’s the most important thing happening in your field at the moment? 

The pandemic, coupled with the ongoing digitization of society, are probably the two most dominant topics in the cyber domain. Ransomware and cyber threats continue to rise in profile, as does cyber security and information assurance in the macro, geo-political sphere. Our purpose has never been greater as leaders in this field.

Q: Will zero trust be a requirement for agencies?

Yes. Organizations deliver outcomes through partnerships, both at a human and systems level. Implementing mechanisms to ensure trust is increasingly important as these partnerships increasingly digitize in operation. Thinking of zero trust as an architecture and framework matters. Many suppliers articulate zero trust as a feature. It is not. As a true partner, it’s important to consider its role more broadly, to not trust and always verify, not just a virtual choke point (remember, there is no perimeter), but throughout the data journey.

Q: What was your mindset to build your team and establish the right culture to drive success for the new company and continue to strive for new goals in the future?

In building a team with the culture to drive growth, the most fundamental attributes I seek in every team member is attitude and energy. Those are the power and velocity needed as a foundation. It’s amazing what people can achieve, and how they find ways to do so, with those fundamental ingredients.

When you combine a group of those people with a common goal and assign each a clear role to play, you end up with a phenomenal team. Rather than offering either no parameters, or parameters that are too narrow, you must empower them with a framework in which they can innovate and find ways to win. This is critical – giving them the scope to use their talent for a positive outcome. Listen to them. Hiring great people who push boundaries brings a lot of intellect and creativity. It’s a waste of intelligence if you don’t take the time to learn from them to continuously improve the business.


The post Executive Spotlight: Q&A with EMEA Senior Vice President, Adam Philpott appeared first on McAfee Blogs.

SASE, Cloud Threats and MITRE Tue, 31 Aug 2021 14:15:49 +0000

As you know, McAfee Enterprise’s MVISION Unified Cloud Edge (UCE) was the was the first of all the SASE vendors...

The post SASE, Cloud Threats and MITRE appeared first on McAfee Blogs.


As you know, McAfee Enterprise’s MVISION Unified Cloud Edge (UCE) was the was the first of all the SASE vendors to implement the MITRE ATT&CK Framework for Cloud last year. An important aspect of Gartner’s SASE Framework is the ability for effective Threat Protection and Resolution in the Cloud. MVISION UCE takes this to the next level – the product takes a multi-layered approach to cloud threat investigation that can speed your time to detect adversary activity in your cloud services, identify gaps, and implement targeted changes to your policy and configuration.

As a quick refresher, the MITRE Att&CK Matrix represents the relationship between attacker Tactics and Techniques:

  • Tactics. A tactic describes the objective, or why the adversaries are performing the attack. In the ATT&CK Matrix, the table header represents tactics.
  • Technique. A technique describes how adversaries achieve their tactical objectives. For example, what are the various technical ways performed by attackers to achieve the goal? In the ATT&CK Matrix, the table cell represents techniques.

This Dashboard is available within the MVISION Cloud console by accessing the Dashboards > MITRE Dashboard link

Ever since the launch of this truly differentiated product offering, we have seen a tremendous amount of interest and adoption of this feature within our existing customers. Over the past few months, we have continued to make significant enhancements as part of our MITRE Dashboard.

In this post, I shall summarize some of the significant highlights that we have introduced in the past few releases:

Executive Summary Section

The Executive Summary displays an at-a-glance view of the current count of Threats, Anomalies, Incidents, types of incidents, and Detected Techniques with severity.

Flexible Filters

To suit the needs of the different teams that would be using the MVISION Dashboard, we now have the ability to filter the MITRE Dashboard by using a variety of facets:

  • Service Name. The name of the cloud service.
  • Threat Type. The name of the threat type.
  • Status. The MITRE Threat statuses available are:
    • Executed Threat. Threats that caused risk to your cloud service security.
    • Potential Threat. Threats that have the potential to cause risk to your cloud service security. It is recommended to look into the Potential Threats to reduce the impending risk.
  • Top 20 Users. Top 20 users who are impacted by the attacks.

Detected Techniques – Risk and Drilldown

When an incident is detected for a technique in MVISION Cloud, a severity is computed. The detected techniques are categorized based on the severity of the incidents. Each detected technique is interactive and leads to more detailed explanations.

To view the details of the detected techniques:

  1. Click any technique on the ATT&CK Matrix table to view the Technique Cloud Card. For example, you can click one of the techniques under the Initial Access category such as Trusted Relationship to learn how an attacker gained access to an organization’s third-party partners’ account and shows the details of compromised Connected Apps.
  2. Next, click the Connected Apps Mini Card to view an extended cloud card that displays the restricted details of Connected Apps.
  3. Then click the link to the specific restricted Connected App to see an extended view of the compromised Connected Apps incident.
  4. Info severity details allow you to investigate and apply a remediation action. As a remediation action, select and assign the Owner and Status from the menu.

With McAfee Enterprise, threat investigation isn’t just for one environment – it is for all of your environments, from cloud to endpoint to your analytics platforms. With MVISION CloudMVISION EDR, and MVISION Insights, your enterprise has an extended detection and response (XDR) platform for the heterogenous attacks you face today.


MITRE ATT&CK® as a Framework for Cloud Threat Investigation

Want to learn more about how you can leverage MITRE ATT&CK to extend your detection and response capabilities to the cloud?

Download Now

The post SASE, Cloud Threats and MITRE appeared first on McAfee Blogs.

Access Granted: How the DoD Can Stay Cyber-Resilient Mon, 30 Aug 2021 15:00:05 +0000

Now more than ever, it’s critical to be mission-ready for the next cyber threat. Our digital-first, post-pandemic world is shifting...

The post Access Granted: How the DoD Can Stay Cyber-Resilient appeared first on McAfee Blogs.


Now more than ever, it’s critical to be mission-ready for the next cyber threat. Our digital-first, post-pandemic world is shifting back to a new normal. But the threats are still here.


And according to many reports, the threats have – and are continuing to – increase. McAfee Enterprise’s Advanced Threat Research recently published a report highlighting some of the biggest cyber stories dominating the year thus far, including recent ransomware attacks. While the topic itself is not new, there is no question that the threat is now truly mainstream. In fact, the June report provides a deep dive into the DarkSide ransomware, which resulted in an agenda item in talks between U.S. President Biden and Russian President Putin.

Rising Up

So how does the DoD approach modern-day threats like this? McAfee Enterprise’s online cyber training program is a great place to start. I’m proud to say the program is complimentary for our DoD partners and provides anywhere from 1-6 Continuing Professional Education (CPE) hours per course. You can login anywhere in the world to access the various trainings. Plus, the digital course are valid for 30 days from your registration date, so you can start and stop at any time. Not surprisingly, the tech industry is seeing a greater acceptance and return on investment from online training programs. Within the DoD for example, the Airforce recently launched Digital University. Airmen are elevating their digital literacy skills with up to 12,000 courses to better serve our country, while discovering new career paths in the process. Everything from leadership and public speaking to cloud computing and cybersecurity are covered, proving this platform may be the future of IT training.

Access Granted

I know the cyber industry that I joined 20+ years ago isn’t the same as it is today. And without access to trainings and CPE courses, my skill set would not be as strong. But if your day is anything like mine, finding time to squeeze in continuing education courses is a challenge. However, after hearing feedback from a long-time DoD partner, I know we’re on to something good. Success stories like these remind me of the importance of staying cyber-resilient in the field.

Don’t forget to reach out to your McAfee Enterprise Account Executive for your unique DoD voucher code!


The post Access Granted: How the DoD Can Stay Cyber-Resilient appeared first on McAfee Blogs.

McAfee Enterprise ATR Uncovers Vulnerabilities in Globally Used B. Braun Infusion Pump Tue, 24 Aug 2021 13:00:53 +0000

Overview As part of our continued goal to provide safer products for enterprises and consumers, we at McAfee Advanced Threat...

The post McAfee Enterprise ATR Uncovers Vulnerabilities in Globally Used B. Braun Infusion Pump appeared first on McAfee Blogs.



As part of our continued goal to provide safer products for enterprises and consumers, we at McAfee Advanced Threat Research (ATR) recently investigated the B. Braun Infusomat Space Large Volume Pump along with the B. Braun SpaceStation, which are designed for use in both adult and pediatric medical facilities. This research was done with support from Culinda – a trusted leader in the medical cyber-security space. Though this partnership, our research led us to discover five previously unreported vulnerabilities in the medical system which include:

  1. CVE-2021-33886 – Use of Externally-Controlled Format String (CVSS 7.7)
  2. CVE-2021-33885 – Insufficient Verification of Data Authenticity (CVSS 9.7)
  3. CVE-2021-33882 – Missing Authentication for Critical Function (CVSS 8.2)
  4. CVE-2021-33883 – Cleartext Transmission of Sensitive Information (CVSS 7.1)
  5. CVE-2021-33884 – Unrestricted Upload of File with Dangerous Type (CVSS 5.8)

Together, these vulnerabilities could be used by a malicious actor to modify a pump’s configuration while the pump is in standby mode, resulting in an unexpected dose of medication being delivered to a patient on its next use – all with zero authentication.

Per McAfee’s vulnerability disclosure policy, we reported our initial findings to B. Braun on January 11, 2021. Shortly thereafter, they responded and began an ongoing dialogue with ATR while they worked to adopt the mitigations we outlined in our disclosure report.

This paper is intended to bring an overview and some technical detail of the most critical attack chain along with addressing unique challenges faced by the medical industry. For a brief overview please see our summary blog here.

Table of Contents


The most important part of any product assessment is a solid understanding of the purpose and function of the product under test. Without this it is simply too easy for research to produce less than meaningful results. Therefore, for this research it is first important to answer these few simple questions. What are infusion pumps? What security research has already been performed?

What are Infusion Pumps?

To start with the basics using a trusted resource – says “An infusion pump is a medical device that delivers fluids, such as nutrients and medications, into a patient’s body in controlled amounts.” The FDA goes on to explain they are typically used by a “trained user who programs the rate and duration”. Infusion pumps can be simple, administering a single intravenous (IV) medication in the home setting, or complex, delivering multiple medications simultaneously in the ICU setting. From the 1960’s to 2000 infusion pumps were mostly electromechanical devices with some embedded electronics, but the turn of the century delivered “smarter” devices with better safety mechanisms and the possibility to program them, which slowly opened the door to information security challenges. Cross referencing the specific product we have chosen to look at, the Infusomat® Space® Large Volume Pump (Figure 1), we see that this pump is meant only for a medical setting and not designed for a home user. Infusion pumps exist mostly to remove the need to perform manual infusion, which requires dose conversion into drops per minute and visually counting drops to set a rate which is both time consuming and unreliable. It is estimated that there are over 200 million IV infusions administered globally each year, and 2020 sales of IV pumps in the US were at $13.5 billion. Clearly infusion pumps have cemented their place in the medical world.

Figure 1: B. Braun Infusomat Pump

What Security Research has Already Been Performed?

Since infusion pumps are such a large part of the medical field and there are several different types, it is reasonable to expect our team is not the first to inquire about their security. As expected, there have been many different research projects on infusion pumps over the years. Perhaps the most well-known research was presented in 2018 at Blackhat by Billy Rios and Johnathan Butts. The infusion pump portion of their research was focused on the Medtronic insulin pumps. They found they were able to remotely dose a patient with extra insulin due to cleartext traffic and the ability to issue a replay attack. Even earlier, in 2015 research was published on the Hospira Symbiq Infusion Pump showing that it was possible to modify drug library files and raise dose limits through “unanticipated operations”, although authentication was required.

Of course, for our purpose, the most important question remains – is there any previous research performed on our specific device. Initially the answer was no; however, during our research project a very large study, ManiMed, was released under the aegis of German authorities to examine the security of network-connected medical devices produced or in use in their country. This included research done on the B. Braun Infusomat pump. This is a fantastic piece of work which covers many network-connected devices. We will reference this study and talk about their findings where appropriate throughout this document, as we additionally explore our enhancements to this research and demonstrate a new attack that was previously called impossible.

Project Motivation

If we consider the Background section earlier, it becomes apparent there is still a large amount of critical research to be performed in this space. Infusion pumps are a prominent and continuously developing area within the medical device space, where previous research has only scratched the surface. Due to the potential critical impact and the state of medical device security, many previous projects didn’t need to dig very deep to find security issues or concerns. The infusion pump industry has numerous devices which have not been researched publicly at all, and even more that only received a cursory analysis from the information security community. For these reasons, we decided to have an in-depth look at one of the largest infusion pumps vendors, B. Braun, and specifically focus on one of their devices used worldwide to analyze it at a depth never seen before. Tackling every aspect of this pump, we wanted to answer the basic question: In a realistic scenario, leveraging original security vulnerabilities, could a malicious attacker impact human life?

System Description

For this research project our system consisted of three main components– a B. Braun Infusomat Large Volume Pump Model 871305U (the actual infusion pump), a SpaceStation Model 8713142U (a docking station holding up to 4 pumps) and a software component called SpaceCom version 012U000050. These models and the corresponding software for the B. Braun Infusomat system were released in 2017. In industries such as consumer electronics, this would be considered obsolete and therefore less relevant to research. However, as discussed above, in the medical field this is simply not the case. Since older devices are still widely used and perhaps originally developed with a less emphasis on security, it increases the importance of investigating them. For due diligence, we consulted and confirmed with our industry partners that this specific model was still actively being used in hospital systems across the country.

SpaceCom is an embedded Linux system that can run either on the pump from within its smart-battery pack or from inside the SpaceStation. However, when the pump is plugged into the SpaceStation, the pump’s SpaceCom gets disabled. We performed most of our research with the pump attached to the SpaceStation as we found this was the most common use case. If a SpaceStation was compromised, it could potentially affect multiple pumps at once. SpaceCom acts as the external communication module for the system and is separated from the pump’s internal operations, regardless of where it is running from.

If we consider the pump attached to the SpaceStation as one system, it has three separate operating systems running on three distinct chipsets. SpaceCom running on the SpaceStation runs a standard version of Linux on a PowerPC chipset. The WIFI module for the SpaceStation also runs a standard version of Linux on an ARM chipset and communicates over a PCI bus with SpaceCom. Lastly, the pump runs its own custom Real Time Operating System (RTOS) and firmware on a M32C microcontroller. An additional microcontroller is used to monitor the M32C microcontroller, but this goes beyond the scope of our research. Due to this modular and isolated design, the Spacecom communication module and the pump need a dedicated path for exchanging data. This is resolved via a CAN bus, shared throughout the SpaceStation, where it allows pumps and accessories to communicate with each other. This is what SpaceCom and any pump docked into the Space Station rely on for their exchange. An architecture diagram below helps demonstrates the system layout and design when a pump is present in the docking station.

Figure 2: System Architecture

SpaceCom Functions and Software Components

SpaceCom contains many different pieces of propriety software and applications to support the many functions of the larger B. Braun and medical facility ecosystem. Our team spent time analyzing each one in great detail; however, for the purpose of this paper we will only touch on key components which are important to the most critical findings mention in the opening summary.

An important function of SpaceCom is to be able to update the drug library and pump configuration stored on the pump. The drug library contains information such as ward and department, a list of pre-configured drugs with their default concentrations, information messages to be printed on the screen when selected, and more importantly, soft, and hard limits to prevent medication error. One of the biggest selling points of the smart infusion pumps is their ability to prevent incorrect dosing of drugs, which is partly done through the limits in the drug library. Another risk the drug library helps mitigate is human error. By having the most common dosage and infusion lengths preprogrammed into the pump, it eliminates errors associated with rate calculations, and drop counting previously mentioned, associated with manual infusion therapy.

The pump RTOS contains a database of over 1500 key/value pairs used during operation. This data consists of everything from status about current components, battery life, motor speed, alarms and values used for tube calibration. As such, this data would be considered extremely sensitive in the context of the pump’s operation and is not intended to have direct user interaction, nor is it presented to the user. A subset of the keys can be indirectly modified via a dedicated servicing software by certified technicians.

To interact with both the drug library and pump configuration on the pump from SpaceCom, a propriety binary called PCS is used. The PCS binary uses the canon binary to interface with the CAN bus to send commands to the pump’s system for both reading and writing values based on the drug library or pump configuration provided to it. The main interface to accomplish this task is via a propriety TCP networking protocol, which by default is sent over port 1500. This protocol is both unauthenticated and unencrypted and we relied heavily on these weaknesses for our research and attacks. Additionally, this resulted in the filing of CVE-2021-33882 and CVE-2021-33883 as stated in the overview above.

Critical Attack Scenario Details


What could be the goal of a malicious attacker? Realistically speaking, most attacks have been proven to be financially motivated. When translating this to our infusion pump, the question becomes: What would medical executives, without hesitation, pay large sums of money for? If we look at recent events, in May of 2021, Colonial Pipeline paid hackers 4.4 million dollars to get their oil pipeline running again from ransomware attacks. Attacks on healthcare settings are increasing with the FBI estimating a cyberattack using “Ryuk” ransomware took in $61 million over a 21-month period in 2018 and 2019. Attacks are now showing potential for patient harm with one example beginning on October 28th, 2020. The University of Vermont Health Network was part of a larger coordinated attack on multiple US healthcare which resulted in a complete loss of their electronic medical record system for weeks. The results of the ransomware-based attack led to 75% of active chemotherapy patients being turned away, rerouting of ambulances, and delays in testing and treatment. Considering IV pumps are directly supporting human life in some cases, it is easy to suggest an attacker could demand any “ransom” amount leveraging threats to actual patients. To accomplish this an attacker would therefore need to control the operation of the pump.

This task is easier said than done when considering the design of the pump as outlined above. The traditional “getting root” on the network component (SpaceCom) proves ineffective. To make any changes to the pump itself, an attacker needs to interact with the pump’s RTOS, which is not network connected. In this section we provide an outline on how we were able to accomplish this goal by using the five reported CVEs.

Initial Access

Even though getting root access on SpaceCom will not provide us everything we need to accomplish the ultimate goal, it is still the first step. During our reconnaissance and enumeration of the system we discovered a remote interface listening at https://{ipaddress}/rpc. This interface was connected to a common open source service referred to as “json-dbus-bridge”. As described on GitHub, this service “is a fast-cgi application that provides access to D-Bus. It accepts JSON-RPC calls and translates these into D-Bus calls. Any response is converted back to JSON and sent to the client.” This piqued our interest since external access to the D-Bus subsystem could provide us access to internal communication, which may have a different level of security than typical external networking.

When doing any type of vulnerability research, product security assessment or evaluation it is critical to not forget to search for existing issues in any third-party components. This is even more important since we are working on a software released in 2017. While scouring GitHub pages for the json-dbus-bridge, we noticed a format string vulnerability that was patched in 2015. Of course, we had to test if the version we encountered had the existing vulnerability.

Figure 3: Format String Vulnerability Testing

The tests in Figure 3 confirmed the existence of the format sting vulnerability. While this format string vulnerability had been publicly discovered in 2015 in the json-dbus-bridge code, the update was never included in B. Braun’s software and hence satisfied the condition for a vendor specific zero-day vulnerability disclosure. This was filed as CVE-2021-33886 and was our first reported discovery to B. Braun. Over the next several weeks we were able to leverage this vulnerability and create a working exploit to gain www user level shell access to the device. Due to the potential impact to unpatched devices, the exact technical details of our exploit have not been included.

Privilege Escalation

Although user access is the first step, root access will be needed in order to interact with the CAN bus to communicate with the actual pump. A good target and well-known process for privilege escalation is to find a binary owned by root with the setuid bit enabled. We could not find one ready to use; however, the web interface has an option to backup and export settings which relies on tarring a folder containing a handful of files and encrypting it with AES using a user-provided password. The backup archive can then be downloaded for later restore of the settings. When restoring this backup, root is the user doing the untarring in such a way that file permissions are being preserved from the provided tar file. Thus, if we can tamper with the archive, we might be able to create a privilege escalation scenario.

To use this to our advantage we need to embed a binary in the backup archive owned by root with the “setuid” bit set so we can use it to elevate privileges. Ironically, the code responsible for the import/export of settings is already doing most of the work for us. The “configExport” binary located on the filesystem is a wrapper to call setuid/setgid (and sanitize inputs) which then calls execve on the script “/configExport/” We can use a hex editor to change which script the “configExport” binary is running and replace “” with an attacker-controlled script, while also patching out the input sanitizing. We could absolutely have compiled our own binary instead, but this approach saves us from a couple of hours of PPC cross-compiling fun.

While we were working through this component of our attack chain, researchers working on the ManiMed project, in coordination with B. Braun, published a report which included this finding, listed as CVE-2020-16238 on B. Braun’s website. As described in section of their report “An authenticated arbitrary file upload vulnerability combined with an unvalidated symbolic link and local privilege escalations enables attackers to execute commands as the root user.” We commend the ManiMed researchers for also discovering this vulnerability and practicing responsible disclosure.

Crossing Systems

The real work begins once root access is obtained. The challenge becomes how to affect change on the pump RTOS with root access on the SpaceCom communication module. One common approach would be to continue to look for vulnerabilities in the pump’s RTOS that would lead to code execution within its system. This method poses many challenges during black box testing and could lead to damaging our limited number of test devices.

Another approach which we have leveraged in past projects is hijacking the standard functionality of the device to further the attack. This can be more manageable, but it first requires a deep understanding of how the device works and the desired outcome. This also tests the device’s defense in depth and can prove to be very difficult depending on the security measures in place. In our case, this would force the question of how well-protected the area is surrounding the communication between the pump and SpaceCom.

As mentioned in the system description section above, the PCS binary is responsible for communicating with the pump’s system for two critical operations – updating the drug library and updating the pump config. These are key functions that would likely be of interest to an attacker. There are several different approaches which could be taken by an attacker to interact with these key operations, especially given root access. Considering the various alternatives, we chose to leverage our root access on SpaceCom to inject code into PCS’s memory and use existing functions and objects to communicate with the pump’s internal system.

Our chosen path required a deep understanding of the data structures and functions used to facilitate this communication. The key is to find the perfect place in a larger operation call stack where we can modify or inject the data we want, while still utilizing lower-level functions to avoid the need to unnecessarily create objects and data from scratch. To illustrate this point, consider if we want to send a simple signal to power off the pump from within PCS’s memory space. The fact that all data sent from SpaceCom to the pump’s RTOS is done through CAN messages, with root access meant that we could send CAN messages directly on the CAN bus. This would require an extensive knowledge and breakdown of the CAN message structure as the underlying protocol is designed by B. Braun and would have to be reverse engineered. Although possible, it is very difficult, especially with CAN’s data frame field having a lack of strict specifications. Inside PCS there is a call chain which builds this message. If we were to inject and utilize functions very low in the call chain, such as the trySend function which sends a CAN message (as seen in figure 4) , we would need to understand all of its arguments and the data format it uses. We’d essentially have the same problem as before.

Figure 4: trySend function

If we look higher in the call stack for a function that performs the operation we are interested in, switching off the device, we can instead let the rest of the call chain do the heavy lifting for us. Notice in Figure 5 below there is a function for just this purpose, which only requires one parameter to be passed.

Figure 5: switchOffDevice

Leveraging this concept, we are able to use the functions within PCS in a manner similar to an API to perform read and write operations to the pump’s database and force a change.

Understanding Critical Data

If we want to send and write data such as the drug library and pump config, we first need to understand the format of the data, how it is processed and any security measures in place which need to be accounted for. Our team spent extensive time reversing both the drug library and pump configuration data. A portion of the pump configuration is referred to as calibration and disposable data. Both can be modified through our attack chain; however, for this paper we will just touch on the more critical of the two the calibration and disposable data.

The calibration and disposable data are usually seen in the form of files that are living in SpaceCom. At a more granular level, they are a collection of key/value pairs that are meant to be read or written to the pump’s database. Each file can also be a large blob of data living on the pump flash. The physical location of each key within this blob is hardcoded in the pump and sometimes in PCS. This representation is relevant when it comes to computing various CRCs that operate on blobs of data rather than key pairs. These checksums are used heavily throughout the pump’s infrastructure with critical data to ensure the integrity of the data. This goes to ensure the safety of patients by ensuring data can’t be accidently modified or corrupted. Figure 6 shows an example of disposable data as contained in files on SpaceCom.

Figure 6: Disposable Data

Looking at the variable names inside the disposable data file and relevant code in the pump firmware led us to one key/value pair that specifies the “head volume” of the tube, which can be seen in the figure above. After extensive analysis, we determined that “head volume” is the parameter dictating the amount of medication being delivered per cycle to the patient. We determined that if this value was to be changed, it could be potentially harmful. We detail this analysis in section “Unique Consideration for Infusion Pump Hacking” below.

With a target key/value pair in mind, the next step would be to understand how to calculate the CRCs. Since the system is constantly checking the integrity of the data, if an attacker wanted to modify any value, they would also need to modify the CRCs which validate the changed data. Through reverse engineering we determined the CRC was a custom implementation of a CRC16, where the initial value is 0xFFFF and relies on a hardcoded polynomial table. We were able to extract this algorithm and write custom python scripts to compute the CRC needed for the disposable data.

With a basic understanding of the critical operational data and the ability to compute the CRCs, we are able to leverage the PCS binary, in an API fashion to send commands to the pump to modify this data. This holds true for both the drug library and the pump configuration data. Although CRCs are great for integrity checking, they provide no security or level of trust of the where the data is coming from.  This lack of origin verification is what led to the filing of CVE-2021-33885.

Final Attack Chain

If we review our attack chain, we can gain user-level access to the device without authentication or authorization. We can then escalate our privileges to root and leverage the existing functionality of the PCS binary to make modifications to the pump’s disposable data. Conceptually, the process is complete; however, we can do some additional housekeeping in order to make our attack chain slightly more realistic and efficient.

Since the proprietary protocol for the PCS binary is unauthenticated, there are certain configuration options which can be modified for an attacker to make their job even easier. One of these configuration options tells the pump which server is “trusted” to receive operational data from (such as the drug library). An attacker can send a command to SpaceCom which clears the current trusted server configuration and rewrites it to an attacker-controlled server. This is not required for this attack when leveraging the format string and privilege escalation path outlined above; however, it does provide alternative methods and simplifies the attack process.

Lastly, the pump has an audible and visual notification when any configuration or drug information has been modified on the pump. Once again in the spirit of a realistic attack, a malicious attacker is going to want to be as stealthy as possible. To accomplish this, it was worth determining a method in which to clear these notifications. This process turned out to be as simple as restarting the pump after our modifications were complete. The reboot operation happens in a matter of seconds, so by using this technique, all alerts to the end user were quickly cleared. The complete attack process can be seen outlined in the diagram below.

Figure 7: Complete Attack Chain

Attack Prerequisites

Although this attack chain presents a complete method to modify critical pump data, it is important to recognize the conditions required for this attack to be successful. These pumps are designed to be network connected to a local internal network. Therefore, under normal operating conditions an attacker would need to have found a method to gain access to the local network. Could this attack take place over the internet? Technically speaking, yes; however, it would be very unlikely to see a setup where a pump is directly internet-connected.

In addition to being on the local network, the pump does have safeguards in place to ensure no modifications can occur while the pump is operational. From what we discovered during our research, if the pump is actively administering medication, it ignores any request on the CAN bus to modify library or configuration data. This means the attack can only be successful when a pump is idle or in standby mode in between infusions.


The prerequisites for this attack are minimal and are not enough to mitigate the overall threat. In today’s world there are a wide range of documented and utilized methods for attackers to gain access to local networks. If we also consider that hospital or medical facilities are generally public places with little to no barriers to entry, it is easy to see how someone malicious can go unnoticed and obtain network access. Pumps are also not always actively administering mediation. Even in the busiest of hospitals there is downtime between patients or times when pumps are simply not in use.

With the ability to modify disposable and configuration data on the pump, there are a wide range of possibilities for which an attacker could choose to have an impact. An attacker could simply put the device in an unusable state or write arbitrary messages on the screen. We chose to focus on the disposable data, specifically the key/value pair labeled “TUBE_HEADVOLUME_A” since we determined it would demonstrate the greatest impact, bringing harm to a patient. In the below video you will first see the pump under normal operation. After demonstrating the system working as intended, we modify the configuration remotely using the attack chain explained above and then illustrate its effect on the pump when administering medication.


Unique Considerations for Infusion Pump Hacking

An interesting characteristic of this project is that its impact and consequences are inherently grounded in the physical world. Where common software hacks end with the ability to get root access or kernel privileges, in this project, the way the device is used by medical staff and how it can affect patient safety is crucial to the outcome. The next few sections will focus on various aspects of the project that fall under this umbrella.

Why we modified TUBE_HEADVOLUME

As described previously, our attack relies on modifying the disposable data that governs the way the pump is used to deliver medication. But why and how did we decide to go investigate this? An interesting side-effect of the pump being built to be safe is that most of the inputs and outputs it receives from the CAN bus are extensively checked against out-of-range access. From an attacker’s perspective who has already compromised SpaceCom, this would usually be the prime target for memory corruption bugs. Fuzzing and emulating the M32C architecture is cost-heavy in terms of upfront work, so instead, we started looking for a path of least resistance and searched for blind spots in the secure design.

In our case, we wanted to be able to affect the amount of drug being dispensed, preferably without having something on screen as that would indicate a malfunction or abnormality. Our original plan was to tamper with the device drug library, but it turns out that data we could alter would be displayed on screen, which could raise concern as medical staff verify the prescribed drug and rate against the order before, and immediately after starting the infusion. This would not be ideal for an attacker, so we kept investigating. The other files we could modify were the calibration data and the disposable data. These files are interesting as they describe internal parameters; the calibration one specifies the physical parameters of the device itself, while the disposable one is for the specifics regarding the tubing going through the pump. Anyone familiar with precision tools know how important a good calibration is. If the calibration is off it will lead to improper operations or results. From an operational standpoint this makes sense, but from an attacker perspective this has a strong likelihood of fitting the bill for the attack we had in mind: modifying an internal value so the pump thinks it is dispensing the right amount of drug, while it is actually incorrect in its calculations.

Looking at the variable names inside the disposable file and relevant code in the pump firmware led us to one that specifies the “head volume” of the tube. From our understanding, each time the pump pumps, it compresses the IV tubing thereby pushing a small quantity of drug towards the patient. Overall, there are many physical parameters that would govern this volume –the internal tube diameter, the length of the compressed region, how much the tube is being compressed, etc.—but in the end, it seemed that all these values were summed up in one variable. Cutting this value in half would make the pump believe it is pushing half the actual amount, and therefore would have to pump twice as fast to deliver it. We tried our hypothesis, and by doing so, the amount of drug dispensed doubled while the pump assumed everything was normal.

Operations in Hospitals and Consequences of Over-Infusing Drugs

Now that we have an idea of what happens to the device when we alter its internal configuration, we can consider how this could play out in the real world. As mentioned previously, medical staff are expected to be extra-careful when using these devices, ensuring the numbers match the doctor’s order. In the United States, both the Centers for Medicare and Medicaid Services (CMS) and the American Society of Clinical Oncology require standard of practice be followed with high risk or hazardous infusions like blood or chemotherapy. This standard requires two appropriately trained people (usually nurses), one who will be infusing the medication, and the other to verify the order and configuration prior to administration. Looking internationally, we were also  able to find this same protocol in use at an Irish hospital. It confirms the attention to detail and the requirement to double-check each value is correct. However, another document describing the adoption of a smart pump system in a Swedish hospital hints at concerns (p. 47) that invalid drug protocols might be followed if a nurse picked the wrong default settings on the pump. These documents are anecdotal, but the overall feeling is that strong checks are in place. Under pressure or with multiple infusions, mistakes can be made, which smart pumps should prevent.

One of our industry partners, Shaun Nordeck, M.D. is an Interventional Radiology Resident Physician at a Level 1 Trauma Center and prior, served as an Army Medic and Allied Health Professional. Leaning on more than 20 years in the medical field. Dr. Nordeck states “A high-pressure environment such as the ICU may be at increased risk for infusion errors since these critical and often medically complex patients have multiple infusions which are being adjusted frequently. Errors, however, are not limited to the ICU and may just as easily occur in the inpatient ward or outpatient settings. Essentially with each increase in variable (patient complexity or acuity, number of medications, rate changes, nurse to patient ratio, etc.) there is an increased risk for error.”

As a measure of safety, it is important to keep in mind that one can visually count the number of drops to verify the infusion rate (there’s even an optional module to do it automatically). However, depending on the parameters, a minor change of speed (e.g., halved or doubled) might not be immediately obvious but could still be deleterious. Dr. Nordeck further stated that “something as routine as correcting a person’s high blood sugar or sodium level too quickly can cause the brain to swell or damage the nerves which can lead to permanent disability or even death.” The FDA’s MAUDE database keeps track of adverse events involving medical devices and can be used to see what type of problems actually occurred in the field. Certain drugs are particularly potent, in which case the speed at which they are delivered matters. In this instance, an over-sedation at 4 times the intended rate led to the death of a patient a few hours after the incident occurred. Under-dosing can also be problematic as the required medication does not reach the patient in the appropriate quantity. These examples highlight that a pump not delivering the correct amount of drug occurs in the field and may remain unnoticed for multiple hours, which can lead to injury or death.

Common Pitfalls

Let’s now take a step back and consider some generic shortcomings that became apparent while looking at the infusion pump ecosystem. We believe these problems are not specific to a brand or a product but rather may be found across the entire medical field. This is because throughout the years, this vertical has only received a limited amount of attention from both malicious actors and the cybersecurity industry.  With the increased rate of cyber threats and the constant additions of new smart devices in private networks, new attack surfaces are being exposed and the hardening of many systems may turn into low hanging fruits for the ones lagging. The slower life cycle of smart medical devices means that best security practices and mitigations take longer to be adopted and deployed in the field. Awareness of this may help healthcare organizations, and their supporting IT administration have a more critical eye on the technology deployed in their environments while medical device vendors should remain vigilant of their “legacy” technologies and continually reassess the risk profile associated with legacy products in the current cybersecurity landscape.

Patching is Costly

Consumer products, both hardware and software are often nimbler than their counterparts in the medical industry. Your web-browser or operating system on your personal computer will auto-update immediately after a patch is released which come on a regular basis. This is radically different for medical devices which are often directly linked to patient safety and therefore need to undergo a more rigorous vetting process before applying updates. This often leads to the need to immobilize devices during updates, perform follow up tests and recalibrations. It is often very expensive and challenging for medical facilities to update products, resulting in deployed devices with firmware that is several years old. Because of this, “table stakes” security measures may never be fully adopted, and corresponding vulnerabilities may have a larger impact than in other industries.

Designed for Safety Rather than Security

When looking at the general architecture of the pump, it is obvious that it was designed with safety in mind. For instance, it relies on an application processor for the main processing but also has a control processor that makes sure nothing unexpected occurs by monitoring sensors output along with other components. Everything is CRC checked multiple times to flag memory corruption and every range is bounds-checked. All of this suggests that the design was intended to mitigate hardware and software faults, data accidentally being corrupted over the wire, and the flash module degrading which aligns with a high priority on safety.

However, it looks like preventing malicious intent was not given as much attention during the design process. Sometimes the difference between safety and security might be a little blurry. Preventing accidental memory corruption and out of bounds access due to faulty hardware will also make exploitation harder, yet an attacker will always attempt to escape these mitigations. Along the same lines, logic bugs that would be extremely unlikely to occur by chance might be the “keys to the kingdom” for an attacker. Internal audits and offensive security exercises can highlight the attacker mindset and bring valuable insights as how to harden existing safeguards to protect against intentional threats.

Everything is Trusted

When looking at how the pump and its communication module handles communication and file handling, we observed that critical files are not signed (CVE-2021-33885), most of the data exchanges are done in plain-text (CVE-2021-33883), and there is an overall lack of authentication (CVE-2021-33882) for the proprietary protocols being used. There are a few password-protected areas for user facing systems, but not as many for the behind-the-scenes internal systems. This might be because a login page on a website is an “obvious” necessity, along with having a proper authentication mechanism for FTP and SSH, while ad-hoc protocols designed more customized uses are not as obvious. There is also an evolving landscape at play and its related threat assessment; the risk of an unauthorized person tampering with a configuration file (calibration data, drug library, etc.) is fairly low if it also requires dedicated software and physical access to the device. However, if suddenly the device becomes network-connected, the attack surface is extended and the original assumptions may not be refreshed. Defense-in-depth would dictate that in any case, important files should not be easy to tamper with. However, security vs functionality comes with legitimate compromises and when it comes to embedded devices, limited resources and usability also need to be factored into the equation.

CAN gets Connected to WIFI

Originally, the CAN bus was reserved for communication between trusted components such as a Servicing PC used for maintenance or for connecting multiples devices within an older model of the Space Station that did not have SpaceCom built in. The latter would come as an optional module that could be plugged into the Space Station to offer external connectivity. Hence, the CAN bus was used for “internal” communication between trusted components and an external module, the SpaceCom, could be added for data reporting over the network. Over the following decade, technology improved and miniaturized to the point where everything got merged, so that even a battery module could provide WIFI connectivity and the SpaceCom functionalities. This opened new possibilities, such as having the built-in SpaceCom module provide similar capabilities as the servicing PC. From a user perspective this is great as it simplifies operations, but from a security perspective, this created a situation where a “trusted” internal network suddenly became bridged to an external network that could even be accessed wirelessly. What might have been an acceptable risk, where only a few proprietary devices with physical access could perform privileged operations, became much more questionable when a WIFI-connected Linux device started to offer the same capabilities.

This kind of problem has been faced by nearly every industry vertical that evolved from reliance on trusted physical networks which suddenly got connected to the internet or other untrusted networks. Smart connected devices are a double-edged sword: in the same way they offer greater flexibility and synergy between systems, they can also lead to emergent security issues that need to be considered holistically.

Technical Debt

When developing custom protocols and ad-hoc systems it’s natural to incur technical debt. This is even more true when the life cycle of a device is many years and when it is complicated and expensive to deploy patches and upgrades, leading to a heterogeneous customer base and multiple hardware revisions to support. This can cause situations where more obscure features are not looked at for years and their ownership might be lost or perfunctory. An example of this is the format string vulnerability affecting the json-dbus module. Its usage is obscure, and it was forked from an open-source project many years ago. The original repository fixed bugs that were security bugs but were not flagged as such which led them to fly under the radar for multiple years. Likely, at the time it was forked, the code served its purpose and was never revisited afterwards, leaving the security bug unnoticed. The same can be said for custom-designed protocols and file formats. It may be difficult to evolve them in line with the improvement of best security practices while avoiding breaking “legacy” deployments. In this scenario, mitigations might be the way to go; making sure the systems are isolated, unnecessary features can be disabled and their privilege and access limited to what’s needed. Future-proofing a system is a difficult challenge. If anything, transparency on how the system functions and the components it relies on, coupled with regular audits (code source review or black box audit) can help prevent components from falling in the cracks where they’re not checked against best practices for many years.


This concludes a research project which took two senior researchers a significant amount of time to showcase a life-threatening risk of a medical device being taken over by a remote attacker. For the time being, ransomware attacks are a more likely threat in the medical sector, but eventually these networks will be hardened against this type of attacks and malicious actors will look for other lower-hanging fruits. Given the lifespan of medical devices and the difficulties surrounding their updates, it is important to start planning now for tomorrow’s threats. We hope this research will help bring awareness to an area that has been a blind spot for far too long. Dr. Nordeck affirms the importance of this research stating: “The ability to manipulate medical equipment in a way that is potentially harmful to patients, without end-user detection, is effectively weaponizing the device and something only previously conceived by Hollywood yet, McAfee’s ATR team has confirmed is plausible. Device manufactures clearly aim to produce safe and secure products as evidenced by built-in safeguards. However, flaws may exist which allow the device to succumb to a ransom attack or potentially cause harm. Therefore, manufactures should collaborate with security professionals to independently test their products to detect and correct potential threats and thereby preserve patient safety and device security.”

Performing regular security audits, making it easier for medical professionals to keep their devices up to date and offering solid mitigations when this is not possible should really be on every medical vendor’s list of priorities. Medical professionals, policy makers and even the general public should also hold accountable the medical vendors and have them clearly articulate the risk profile of the devices they sell and demand better ways to keep their device secure. We recognize even with this mindset and a holistic approach to security, there will always be flaws that cannot be predetermined. In these cases, vendors should encourage and even seek out industry partners, embrace responsible disclosure and communicate broadly with researchers, stakeholders and customers alike.

From a security research perspective, it is crucial to understand how a device works at a holistic system level, and how each component interacts with each other, which components they can talk to, and so on. For manufacturers, it is important to read between the lines; something may not be in a design document or in the specifications, but sometimes emergent properties will occur as a side-effect of other design decisions.

An offensive project like ours is really meant to highlight structural weaknesses and point out risks. Now, defensive work is necessary to address these concerns. For instance, manufacturers should leverage cheaper and more powerful microcontrollers to implement proper authentication mechanisms. However, it is even more important to study and address the challenges hospitals face when it comes to keeping their devices up to date. This should come as both technical solutions from the vendors and advocacy to promote secure practices and raise awareness on the underlying risks associated with critical devices having outdated software. The FDA tried to lead the way in 2018 with its CyberMed Safety (Expert) Analysis Board (CYMSAB), but so far little progress has been made. The work the German BSI did with the ManiMed project is also extremely encouraging. We see this as an area of cybersecurity with lots of potential and need for attention and look forward to the information security industry taking on this challenge to make this critical sector always more secure.

One goal of the McAfee Advanced Threat Research team is to identify and illuminate a broad spectrum of threats in today’s complex and constantly evolving landscape. As per McAfee’s vulnerability public disclosure policy, McAfee’s ATR team informed and worked directly with the B.Braun team. This partnership resulted in the vendor working towards effective mitigations of the vulnerabilities detailed in this blog. We strongly recommend any businesses using the B.Braun Infusomat devices to update as soon as possible in line with your patch policy and testing strategy.

CVE Details

CVE: CVE-2021-33882

CVSSv3 Rating: 6.8/8.2


CVE Description: Missing Authentication for Critical Function vulnerability in BBraun SpaceCom2 prior to 012U000062 allows a remote attacker to reconfigure the device from an unknown source through lack of authentication on proprietary networking commands.

CVE: CVE-2021-33883

CVSSv3 Rating: 5.9/7.1


CVE Description: Cleartext Transmission of Sensitive Information vulnerability in BBraun SpaceCom2 prior to 012U000062 allows a remote attacker to obtain sensitive information by snooping the network traffic.  The exposed data includes critical values for the pumps internal configuration.

CVE: CVE-2021-33884

CVSSv3 Rating: 7.3/5.8


CVE Description: Unrestricted Upload of File with Dangerous Type vulnerability in BBraun SpaceCom2 prior to 012U000062 allows remote attackers to upload any files to the /tmp directory of the device through the webpage API.  This can result in critical files being overwritten.

CVE: CVE-2021-33885

CVSSv3 Rating: 10.0/9.7


CVE Description: Insufficient Verification of Data Authenticity vulnerability in BBraun SpaceCom2 prior to 012U000062 allows a remote unauthenticated attacker to send malicious data to the device which will be used in place of the correct data.  This results in execution through lack of cryptographic signatures on critical data sets

CVE: CVE-2021-33886

CVSSv3 Rating: 8.1/7.7


CVE Description: Improper sanitization of input vulnerability in BBraun SpaceCom2 prior to 012U000062 allows a remote unauthenticated attacker to gain user level command line access through passing a raw external string straight through to printf statements.  The attacker is required to be on the same network as the device.

The post McAfee Enterprise ATR Uncovers Vulnerabilities in Globally Used B. Braun Infusion Pump appeared first on McAfee Blogs.

Overmedicated: Breaking the Security Barrier of a Globally Deployed Infusion Pump Tue, 24 Aug 2021 13:00:19 +0000

Cyberattacks on medical centers are one of the most despicable forms of cyber threat there is. For instance, on October...

The post Overmedicated: Breaking the Security Barrier of a Globally Deployed Infusion Pump appeared first on McAfee Blogs.


Cyberattacks on medical centers are one of the most despicable forms of cyber threat there is. For instance, on October 28th, 2020, a cyberattack at the University of Vermont Medical Center in Burlington VT led to 75% of the scheduled chemotherapy patients being turned away. Many of us have friends and loved ones who have had to undergo intensive treatments, and the last thing we want in this situation is for their critical care to be delayed due to on-going cyberattacks. Yet, as concerning as ransom attacks can be, what if the process of receiving the treatment was an even bigger threat than a system-wide ransomware event?

McAfee’s Enterprise Advanced Threat Research team, in partnership with Culinda, have discovered a set of vulnerabilities in B. Braun Infusomat Space Large Volume Pump and the B. Braun SpaceStation.

McAfee Enterprise ATR remotely hacks a B.Braun Infusomat Pump

These critical vulnerabilities could allow an attacker to conduct remote network attacks and modify the amount of medication a patient will receive through infusion. This modification could appear as a device malfunction and be noticed only after a substantial amount of drug has been dispensed to a patient, since the infusion pump displays exactly what was prescribed, all while dispensing potentially lethal doses of medication. This attack scenario is made possible through a chain of known and previously unknown vulnerabilities found by McAfee Enterprise ATR. A critical component of this attack is that the pump’s operating system does not verify who is sending commands or data to it, allowing an attacker to carry out remote attacks undetected. For those looking for a more technical analysis of the vulnerabilities, an in-depth blog can be found here.

History and Industry Insights

From the 1960’s to 2000, infusion pumps were mostly electromechanical devices with an embedded operating system, but the turn of the century delivered “smarter” devices with better safety mechanisms and the possibility to program them, which slowly opened the door to computer security challenges. Today, it is estimated that there are over 200 million IV infusions administered globally each year. The infusion pump market is a clear potential target for attackers. The market is valued at an estimated $54 billion in annual revenue, with 2020 sales of IV pumps in the US at $13.5 billion. IV pumps are inherently trusted to be secure and have over time become the mainstay for efficient and accurate infusion delivery of medication. B. Braun is one of the key market share holders in this rapidly growing market, emphasizing the impact of these vulnerability discoveries.

Industry personnel can be the best source of information for determining impact. Shaun Nordeck, M.D, an Interventional Radiology Resident Physician at a Level 1 Trauma Center, prior Army Medic and Allied Health Professional, with more than 20 years in the medical field, states that: “Major vulnerability findings like the ones reported by McAfee’s Enterprise Advanced Threat Research team are concerning for security and safety minded medical staff. The ability to remotely manipulate medical equipment undetected, with potential for patient harm, is effectively weaponizing these point of care devices. This is a scenario previously only plausible in Hollywood, yet now confirmed to be a real attack vector on a critical piece of equipment we use daily. The ransomware attacks that have targeted our industry rely on vulnerabilities just like these; and is exactly why this research is critical to understanding and thwarting attacks proactively.”

These vulnerabilities were reported to B. Braun beginning in January 2021 through McAfee’s responsible disclosure program. Through ongoing dialog, McAfee Enterprise ATR have learned that the latest version of the pump removes the initial network vector of the attack chain. Despite this, an attacker would simply need another network-based vulnerability and all remaining techniques and vulnerabilities reported could be used to compromise the pumps. Additionally, the vulnerable versions of software are still widely deployed across medical facilities and remain at risk of exploitation. Until a comprehensive suite of patches is produced and effectively adopted by B. Braun customers, we recommend medical facilities actively monitor these threats with special attention, and follow the mitigations and compensating controls provided by B. Braun Medical Inc. in their coordinated vulnerability disclosure documentation.

Call to Action

This concludes a research project which took two senior researchers a significant amount of time to showcase a life-threatening risk of a medical device being taken over by a remote attacker. For the time being, ransomware attacks are a more likely threat in the medical sector, but eventually these networks will be hardened against this type of attack and malicious actors will look for other lower-hanging fruits.

The unfortunate reality is that individuals can’t do much to prevent or mitigate these enterprise-level risks, outside of staying mindful of security issues and maintaining awareness of possible threats. However, the good news is that security researchers continue to propel this industry towards a safer future through responsible disclosure. We strongly encourage vendors to embrace vulnerability research and consumers to demand it. The medical industry has lagged severely behind others in the realm of security for many years – it’s time throw away the digital “band-aids” of slow and reactive patching, and embrace a holistic “cure” through a security-first mindset from the early stages of development, combined with a rapid and effective patch solution.

Braun Medical Inc. Statement

In May 2021, B. Braun Medical Inc. disclosed information to customers and the Health Information Sharing & Analysis Center (H-ISAC) that addressed the potential vulnerabilities raised in McAfee’s report, which were tied to a small number of devices utilizing older versions of B. Braun software. Our disclosure included clear mitigation steps for impacted customers, including the instructions necessary to receive the patch to eliminate material vulnerabilities.

Braun has not received any reports of exploitation or incidents associated with these vulnerabilities in a customer environment.

The post Overmedicated: Breaking the Security Barrier of a Globally Deployed Infusion Pump appeared first on McAfee Blogs.

Executive Spotlight: Q&A with Chief Information Officer, Scott Howitt Mon, 23 Aug 2021 15:03:10 +0000

Now that we’ve officially kicked off our journey as McAfee Enterprise, a pure-play enterprise cybersecurity company under the new ownership...

The post Executive Spotlight: Q&A with Chief Information Officer, Scott Howitt appeared first on McAfee Blogs.


Now that we’ve officially kicked off our journey as McAfee Enterprise, a pure-play enterprise cybersecurity company under the new ownership of Symphony Technology Group (STG), we’re celebrating a lot of new firsts and changes. But one thing remains the same: our passion and commitment to make the world a safer, more secure place. And that passion starts with our people. In this new blog series, you’ll meet some of the executives devoted to tackling today’s most pressing security concerns and innovating for the future.

Q: How did you come into this field of work?

I didn’t start out in information technology, I graduated from college with a degree in physics at the end of the Cold War. At the time, all the physics jobs had evaporated, so I started out as an intern in programming at EDS. I did that for a few years and then went into management. I eventually became a CTO and then a CIO.

When I was a CIO, I learned that I really didn’t know much about information security, and it was hindering me in the CIO role. My next job was a director of information security at a financial services company, and I never looked back. I found that I had a passion for information security and have been the CISO at two different Fortune 500 companies. My current role as CIO for a company that creates enterprise cybersecurity software is a perfect marriage of both skill sets.

Q: With cybersecurity and AI capabilities expanding at a rapid pace, what will the future look like for companies like McAfee Enterprise in the coming years?

I think our products like Insights and MVISION XDR are going to change the way we think about security. We have always relied on “after-the-fact” data as opposed to proactively looking at our environment. The days of looking at packet capture and syslogs as our primary defense method are behind us. While they are great for those “after-the-fact” forensic studies, they really don’t do much to proactively defend your enterprise.

Understanding user and device behavior and being able to spot anomalies is the future. Information security leaders need to stop having a negative reaction to new technology and instead embrace it. I also believe blockchain will likely be a good solution for IoT identity and machine learning will take over for the SEIM. You will start to see our tools evolving to meet these new challenges and paradigms.

Q: Since joining the company just over a year ago, how do you feel you’ve been able to help the company grow since last year and the impact you’ve had in your role?

My team has done a very good job in leading the charge to the cloud while at the same time reducing costs. But we are just at the beginning of the journey, and have a long way to go.

We have also challenged our lack of standards and formed the Enterprise Architecture team to drive these patterns into the organization. As Hamlet said, we must suffer “the slings and arrow of outrageous fortune” for trying to drive that change, but I have been impressed by the dedication of members of our Technology Services team. Our security team has worked in lock step with the rest of the organization to drive our outward facing security vulnerabilities down to zero. That is not where we were when I arrived, but the team took a measured approach to dramatically improve our security posture.

I also enjoy spending time with the sales organization and helping them in supporting our customers.   After being in the CISO role for over 12 years, I understand how difficult the role can be. I like to help our sales team understand what pain CISOs are experiencing and how our products can help.

Q: How do you hope to impact change in cybersecurity?

I have been involved in the clean-up of two major breaches. While it is easy to get caught up in the numbers of records lost or how the breach will affect the organization’s stock price, there is a very human cost. Many security or IT leaders lose their job after a breach where stolen records are used to commit identity theft which is very painful to reconcile if you are victim, as we have seen in some of the ransomware attacks on healthcare systems that may have led to the death of patients. The great thing about being a leader in cybersecurity is that you feel you are doing something for the good of the public.

My teams have worked closely with various law enforcement agencies and have caught attackers. There is no better feeling than knowing you have taken down a criminal. I personally want to look back on my career and believe the field of cybersecurity is in a better place than when I started and that the company I work for played a major role in that change.


The post Executive Spotlight: Q&A with Chief Information Officer, Scott Howitt appeared first on McAfee Blogs.

Data Centric Zero Trust for Federal Government Cybersecurity Wed, 11 Aug 2021 17:25:56 +0000 /blogs/?p=125912

As outlined in Executive Order on Improving the Nation’s Cybersecurity (EO 14028), Section 3: Modernizing Federal Government Cybersecurity, CISA has...

The post Data Centric Zero Trust for Federal Government Cybersecurity appeared first on McAfee Blogs.


As outlined in Executive Order on Improving the Nation’s Cybersecurity (EO 14028), Section 3: Modernizing Federal Government Cybersecurity, CISA has been tasked with developing a Federal cloud-security strategy to aid agencies in the adoption of a Zero Trust Architecture to meet the EO Requirements. While the government awaits the completion of that effort, I think it’s important to look at the two government reference architectures that have already been published, as they will undoubtedly be considered in the development of CISA’s cloud-security strategy. Both NIST (800-207) and DoD (Version 1.0) have released Zero Trust reference architectures. Both define a Zero Trust telemetry architecture informed by security sensors to dynamically evaluate device and user trust and automatically change access permissions with changes in entity trust. They each accomplish the same goal, even if they take slightly different paths to get there.

Whereas the DoD architecture establishes control planes that each have their own decision point, with data given its own decision point, NIST takes a broader approach to Zero Trust and emphasizes Zero Trust in relation to all resources, not just data. The data control plane within the DoD architecture encompasses data processing resources and applies data-specific context to them. As most networks, applications, storage and services exist to process and store data, it makes sense that access to these resources should be specific to the data contained within them, and not just the access to the resources themselves. Protecting data is central to Zero Trust, and the DoD’s architecture acknowledges this.

Data Centric Enterprise

Today, most Zero Trust efforts seem to focus on defending the applications, networks and services that contain the data but fall short of building data specific protections. And while protecting network, application, and service resources is certainly important and essential to layered protections, improving protection around the data is imperative to successfully adopt Zero Trust architecture. People with alarm systems on their homes still lock up valuables in a safe to guard against failures in controls, or less than trustworthy house guests and hired workers.

The DoD puts data at the center of its reference architecture. User and entity trust is assessed in relation to the data being accessed, and permission levels are dynamically changed specific to individual data resources.  If Zero Trust operates under the assumption that networks and applications are already compromised, then the only logical way to successfully implement Zero Trust is to combine network, application, and service access technologies with a comprehensive data protection platform. In a well-designed Zero Trust architecture, a comprehensive data protection platform serves not only to protect data, but also as a means to inform the analytics layer of potentially malicious insiders or compromised user accounts in order to automatically trigger changes in access permissions.

Imagine a very simple scenario where an organization has classified specific types of data and implemented controls to protect the data. Jane is a contractor, who, because of her contract function, was vetted and cleared for access to critical applications and controlled unclassified data. Jane has a government-issued laptop with data protection software, and she has access to government cloud applications like Office 365 that are protected and governed by the agencies’ CASB solution. Unfortunately, Jane has been having well disguised and undisclosed financial troubles, which have put her in a compromised situation. In order to try to get herself out of it, she has agreed to act as an insider. Jane initially attempts to send sensitive data to herself through her Office 365 email, but the attempt is blocked by the CASB. She then attempts to share the records from SharePoint to an untrusted email domain and again is blocked by the CASB and reported to security. Desperate, she tries to move the data to an external hard drive, and yet again she is blocked. At this point, Jane gives up and realizes the data is well protected.

On the backend of this scenario, each one of these attempts is logged as an incident and reported. These incidents now inform a Zero Trust dynamic access control layer, which determines that Jane’s trust level has changed, resulting in an automatic change to her user access policies and a Security Operations alert. This is one very basic example of how a data protection platform can inform and affect user trust.

What Comprises a Comprehensive Data Protection Platform?

Effectively architecting a comprehensive data protection platform requires a multi-vector and integrated approach.  The platform should be a combination of control points that leverage a common classification mechanism and a common incident management workflow. Data protection enforcement should facilitate enforcement controls across managed hosts, networks, SaaS, and IaaS resources, and whenever possible restrict sensitive data from being placed into areas where there are no controls.

McAfee enables this today through a Unified DLP approach that combines:

  • Host Data Loss Prevention (DLP)
  • Network Data Loss Prevention (DLP)
  • Cloud Access Security Broker (CASB)
  • Hybrid Web Gateway – On-Premises and SaaS
  • Incident Management

This comprehensive approach enables data protection policies to follow the data throughout the managed environment, ensuring that enterprise data is protected at rest, in transit, and in use. Within the platform, user trust is evaluated conditionally based on policy at each enforcement point, and any change to a user’s group through the Zero Trust architecture automatically modifies policies within the data protection platform.

What Next?

Data protection has long been a challenge for every enterprise. Successful implementation of data protection technologies requires a programmatic effort that includes data owners to accurately and successfully identify and build protections around sensitive information. If not implemented properly, data protection opens the door to user disruptions that many organizations have very little tolerance for. That’s why so many organizations focus their efforts on improving perimeter and access protections. Adversaries know this, which is why compromising user credentials or the supply chain to gain access remains a highly leveraged entry point for threat actors, because perimeter and access control protections fail to guard against people already inside the network with appropriate access. As enterprises plan for Zero Trust architectures, data protection has to take center stage.

By mandating that agencies quantify the type and sensitivity of their unclassified data, the EO appears to be steering Executive Branch agencies down the path of data centricity. The Executive Order focuses on improving the adoption of encryption best practices around data and implementing multifactor authentication in an effort to protect access to sensitive data from malicious outsiders. It falls short, however, of encouraging broad adoption of data loss prevention architectures to protect against accidental and malicious data leakage.

CISA has an opportunity to prioritize data as an enterprise’s central resource in their upcoming cloud-security strategy, which will drive agency adoption of Zero Trust Architecture. They should take this opportunity to emphasize the importance of designing a comprehensive data protection platform to serve as both a trust identifier and a mechanism of protection.

The post Data Centric Zero Trust for Federal Government Cybersecurity appeared first on McAfee Blogs.

Critical RDP Vulnerabilities Continue to Proliferate Tue, 10 Aug 2021 18:12:23 +0000 /blogs/?p=125849

This month’s Patch Tuesday brings us a relatively small number of CVEs being patched, but an abnormally high percentage of...

The post Critical RDP Vulnerabilities Continue to Proliferate appeared first on McAfee Blogs.


This month’s Patch Tuesday brings us a relatively small number of CVEs being patched, but an abnormally high percentage of noteworthy critical vulnerabilities.

Vulnerability Analysis: CVE-2021-34535

One such vulnerability is identified as CVE-2021-34535, which is a remote code execution flaw in the Remote Desktop client software, observed in mstscax.dll, which is used by Microsoft’s built-in RDP client (mstsc.exe). The vulnerability is very closely related to a bug released in July of 2020, CVE-2020-1374, which also came through Microsoft’s Patch Tuesday process and had highly similar characteristics. The vulnerability is an integer overflow due to an attacker-controllable payload size field, which ultimately leads to a heap buffer overflow during memory allocation. The vulnerability can be triggered via the RDP Video Redirection Virtual Channel Extension feature [MS-RDPEV], which is typically deployed on port 3389, and is contained inside of compressed UDP payload and encrypted RDP using TLS.

But does this flaw, despite its impressive 9.9 CVSS score, rise to the level of past RDP vulnerabilities, including the infamous BlueKeep (CVE-2019-0708)? Not so fast – there are a few additional factors to take into consideration.

Attack Scenario

First and foremost, this is a client-side vulnerability, meaning there is no real ability for self-propagation, or “wormability” from an Internet perspective. The most likely attack scenario would be to convince a user to authenticate to a malicious RDP server, where the server could trigger the bug on the client side. During reproduction of the issue, we were able to easily trigger the crash and observe a later memcpy using the controlled overflow, which should facilitate exploitation. We think it is likely that exploits will be developed for this vulnerability but the availability of a patch prior to any known public exploitation helps to mitigate risks for organizations and individuals.

Secondly, thanks to the widespread proliferation and reach of BlueKeep and other related RDP vulnerabilities, a significant portion of RDP clients and servers have been disabled or moved from the network perimeter. This is less important given the client-side nature of the bug but does help with the overall attack surface.

In addition to Microsoft’s built-in RDP client (mstsc.exe), which is the more common Remote Desktop network connection, we have also confirmed that some lesser- known RDP vectors are affected by this vulnerability. Microsoft Hyper-V Manager “Enhanced Session Mode” and Microsoft Defender’s Application Guard (WDAG) both use RDP to screen share and present the secured browser respectively. This gives the end user a remote view of their isolated instance in the context of the host system. Rather than reimplementing the RDP session sharing capability, Microsoft ported the existing RDP client code base into Hyper-V and WDAG. Since the RDP client code is self-contained in mstscax.dll (an ActiveX COM object) it can simply be loaded into the Hyper-V (vmconnect.exe) and WDAG (hvsirdpclient.exe) processes to avail of the RDP client functionality. There does not appear to have been any attack surface reduction on this code base as the same DLL is loaded within all three processes mstsc.exe, vmconnect.exe and hvsirdpclient.exe. The impacted components are:

  • Microsoft’s built-in RDP client mstsc.exe uses the vulnerable mstscax.dll when a client remotely connects to an RDP server over the network. We have confirmed mstsc.exe crashes and the vulnerability can be triggered then the client has authenticated to an RDP server.

Mitigation: Patch

  • Microsoft’s Hyper-V Manager software also uses mstscax.dll where the vulnerable function resides. When using “Enhanced Session Mode” (enabled by default in Hyper-V Manager), the process vmconnect.exe loads mstscax.dll. We have confirmed through testing that triggering the vulnerability from inside a Hyper-V Windows 10 image will crash vmconnect.exe on the host. This means that it is subject to guest-to-host escapes using the vulnerability. (Hyper-V is disabled by Default on Windows 10).

Mitigation: Patch or disable “Enhanced Session Mode”

  • Microsoft Defender’s Application Guard also uses mstscax.dll to present the user with a view of their containerized Edge and IE browser. When a “New Application Guard window” is navigated from Edge it launches the process hvsirdpclient.exe which loads mstscax.dll. We have not confirmed the WDAG process hvsirdpclient.exe crashes but it does use the same code base so we recommend patching if using WDAG (WDAG is disabled by Default on Windows 10).

Looking Forward

The built-in RDP client and Hyper-V/WDAG clients communicate over different transport mediums in the form of TCP/IP and VMBus but they both use the same RDP client protocol implementation. Given that the flaw is contained within mstscax.dll, and is self-contained, the vulnerability was ported to these two implementations along with the rest of the code base.

While the urgency for patching remains somewhat lower than past critical vulnerabilities, threat actors will look to weaponize any of these low-hanging fruit that leverage common network protocols. Patching should be a top priority, and furthermore, a comprehensive and ongoing review of internet-facing and internal networked RDP clients and servers would be highly recommended. Eliminating or reducing the attack surface is one of the best counter attacks to vulnerability exploitation.

Microsoft have published a Knowledge Base article for the issue here with corresponding patch information. In the meantime, we are continuing to monitor this vulnerability closely; if exploitation is observed we may release additional content for customers.

For RDP security best practices please see


With thanks to Cedric Cochin, McAfee.

The post Critical RDP Vulnerabilities Continue to Proliferate appeared first on McAfee Blogs.

Business Results and Better Security with MVISION Cloud for Microsoft Dynamics 365 Tue, 10 Aug 2021 04:01:05 +0000 /blogs/?p=125399

We are in the midst of digital transformation to the cloud – these cloud services fuel transformative projects for businesses, empowering employees with powerful tools...

The post Business Results and Better Security with MVISION Cloud for Microsoft Dynamics 365 appeared first on McAfee Blogs.


We are in the midst of digital transformation to the cloud – these cloud services fuel transformative projects for businesses, empowering employees with powerful tools to do their jobs better and more efficiently. This cloud transformation has meant that a large portion of enterprise data now resides and is being accessed outside of the network perimeter and beyond the reach of traditional data security controls.  

MVISION™ Unified Cloud Edge is the SASE security fabric between an organizations’s workforce and their resources that enables fast direct-to-internet access by eliminating the need to route traffic through their data center for security. Data and threat protection are performed at every control point in a single pass to reduce the cost of security and simplify your management.  

Sensitive data uploaded to CRM has also put the service on the radar of IT security teams. Based on the Market share report Microsoft Dynamics 365 is amongst the top CRM vendors  

Data in Dynamics 365 represents anything from proprietary business information to sensitive customer data. The high volume and value of this data have made Dynamics 365 security a top priority for companies embarking on cloud security projects.  

Microsoft provides a host of security features for enterprise customers at the infrastructure and software level, but customers default lack many controls around data and user account security. For example, only 36 percent of cloud customers say they can enforce data loss prevention in the cloud. These are key security controls for organizations using Dynamics 365, especially those who upload regulated data to the service.  

MVISION Cloud for Dynamics 365, part of McAfee’s Unified Cloud Edge offering is a comprehensive solution, which allows enterprises to enforce security controls for data in Dynamics 365. It addresses four areas of Dynamics security: 

  • Visibility: Receive insights into usage analytics, user groups, privileges, and data content, both monitored dynamically and through an on-demand scan. This allows enterprises to evaluate the types of data and users within Dynamics and understand their unique risks.  
  • Compliance: Consistently enforce existing and new policies with cloud DLP for structured and unstructured data. Multitier remediation options and match highlighting allow for a positive user experience and efficient evaluation of policy violations from security teams.  

By applying cloud DLP policy you can find any sensitive info stored in Dynamics entity in near real-time. Configure via UI the entities where you know sensitive content is posted by the user and do near real time DLP. Also, you can integrate your Endpoint DLP engine policy and use the single console of MVISION to leverage the DLP policy defined on Dynamics entities. In addition, before the Auditor finds any sensitive information stored in data at rest, you can run on-demand scans on Dynamics 365 entities/attachments to ensure there is no sensitive data in Dynamics entities. MVISION Cloud Compliance scan applies to entities (structured data) and attachments (unstructured data) in Dynamics. Data privacy can save organizations from massive compliance fines, a negative public image, and loss of customer trust. Dynamics 365 data privacy is just as important as security, MVISION Cloud compliance scan ensures GDPR compliance for data at rest. In all cases whenever out of compliance is found, then raise incidents and takes remedial action for complete visibility. Malware scan to detect malware on any Dynamics 365 attachments if there is Malware. This scan could be Near Real-Time and also could be on data at rest.  

  • Threat Protection: Monitor threats from a Dynamics 365 security operations center (SOC) based on insights from user behavior analytics. Machine learning algorithms identify account compromises, insider threats, high-risk privileged users, and more. Mapping to the MITRE framework gives visibility and insights into whether Microsoft Dynamics services are used w.r.t tools and techniques for data compromise and exfiltration. 
  • Data Security: Enforce security controls based on transaction context including the user, device, and data. Block high-risk downloads in real-time.

MVISION Cloud for Dynamics 365 can act as an additional control point between enterprise users and the cloud to provide enhanced analytics into cloud usage, detect threats from insiders, compromised accounts, and privileged users, enforce compliance policies with DLP, and contextual access controls. Additionally, detecting intentional or inadvertent threats from employees or third parties, enforcing granular access controls based on parameters such as role, device, data, and location, and enforcing DLP policies. 

Finally, the MVISION platform provides benefits that a single-point solution for one cloud service cannot satisfy. A single point for cloud control removes gaps in policy enforcement. Visibility into all cloud traffic allows MVISION to correlate activity occurring across multiple cloud services, identifying high-risk users and cloud-to-cloud threats. And MVISION offers integrations with on-premises security tools to extend existing security policies to the cloud and feed cloud threats into SIEM solutions. Consolidating all cloud security data in one tool is the best way to capture a holistic view of cloud risk, in a snapshot and as it changes over time. 

Moving to the cloud does not have to be a trade-off between business results and security. Improved security in the cloud is a reality for companies that have embraced a cloud-native security approach. Using MVISION Cloud for Dynamics 365 can make data safer than ever before while empowering business teams to become more efficient and dynamic.  

For more information or to test out MVISION Cloud for Dynamics please visit us at: 

The post Business Results and Better Security with MVISION Cloud for Microsoft Dynamics 365 appeared first on McAfee Blogs.

White House Executive Order – Improving Detection of Cybersecurity Vulnerabilities Fri, 06 Aug 2021 15:54:42 +0000 /blogs/?p=125705

This is the third in a series of blogs on the Cybersecurity EO, and I encourage you to read those...

The post White House Executive Order – Improving Detection of Cybersecurity Vulnerabilities appeared first on McAfee Blogs.


This is the third in a series of blogs on the Cybersecurity EO, and I encourage you to read those you may have missed. (Part 1, Part 2).

Between the initial publication of the Executive Order (EO) for Improving the Nation’s Cybersecurity on May 12 and late July, a flurry of activity by departments and agencies continues to occur on how best to understand and address potential security gaps. Once identified, these analyses will facilitate plans to fulfill the requirements and further augment agencies’ existing preventative measures to improve their cybersecurity posture. Due to numerous far-reaching cybersecurity breaches that have occurred throughout the past year, one of the primary areas of emphasis in the Executive Order is enhancing the Federal Government’s ability to be more proactive in detecting vulnerabilities and preventing cybersecurity incidents throughout an agency’s network. By introducing an Endpoint Detection and Response (EDR) solution into an enterprise environment, the Government will be able to empower agency SOC teams to engage in active cyber hunting, containment, remediation, and incident response activities more universally.

How Does McAfee’s MVISION EDR Improve an Agency’s Security Posture?

The potential loss and impact of a cyberattack is no longer constrained to a single silo within an agency’s network or a small subset of devices. It can quickly escalate and impact the mission of an agency in seconds. That is why the Executive Order states it is crucial a government-wide initiative is undertaken to begin to get ahead of malicious actors by developing a comprehensive security strategy to prevent attacks before they happen.

Many cyberthreats use multiple attack mechanisms, requiring a different approach to keep our enterprises secure from malicious actors. Endpoint protection platforms still play a critical role in defending agency assets, but they are only one component of a multilayered approach to a robust cybersecurity strategy. Fortunately, McAfee Enterprise’s endpoint protection platform offers a threat detection capability that allows incorporating a next-generation solution (EDR) to track down potential threats if they break through the first layer of countermeasures.

By incorporating endpoint detection and response (EDR), organizations have granular control and visibility into their endpoints to detect suspicious activity. As a cloud service, EDR can incorporate new features and services in much more agile fashion than other solutions. MVISION EDR can discover and block threats in the pre-execution stage, investigate threats through analytics, and help provide an incident response plan. Additionally, by leveraging AI and machine learning to automate the steps in an investigative process, more experienced threat hunters can focus on in-depth analysis of sophisticated attacks, and other members of the SOC team can discover key findings to triage potential threats much faster and with less experience. These new capabilities can learn an agency’s baseline behaviors and use this information, along with a variety of other threat intelligence sources, to interpret findings.

Is Endpoint Detection and Response (EDR) Enough?

As the attack surface continues to evolve, a far more holistic approach to detection is needed. Although EDR is crucial to surfacing anomalous threats and malicious behavior for workstations, servers, and cloud workloads, their area of influence is confined to the telemetry provided by the endpoint. Realizing EDR is network blind and SIEM is endpoint blind, we integrated McAfee Enterprise EDR and SIEM technologies to enrich investigations. Still, more telemetry sources are needed to reveal all potential threat vectors an enterprise may encounter. This is where Extended Detection and Response (XDR) comes in, supporting agencies in a journey beyond the endpoint and allowing them to close even more gaps. 

Why Should Agencies Be Focusing on an Extended Detection and Response (XDR) Strategy?

XDR isn’t a single product or solution but rather a journey, as it refers to compiling multiple security products and technologies that comprise a unified platform. An XDR approach will shift processes and likely merge and encourage tighter coordination between different functions like SOC analysts, hunters, incident responders and IT administrators.

SIEMs are largely data-driven, meaning they need data definitions, custom parsing rules and pre-built content packs to retrospectively provide context based on the data they have ingested. In contrast, XDR is hypothesis driven, harnessing the power of machine learning and artificial intelligence engines to analyze high-fidelity threat data from a multitude of sources across the environment to support specific lines of investigation mapped to the MITRE ATT&CK framework.

Technically speaking, an XDR is a converged platform leveraging a common taxonomy and unifying language. An effective XDR must bring together numerous heterogeneous signals and return a homogenous visual and analytical representation. XDR must clearly show the potential security correlations that the SOC should focus on. Such a solution would de-duplicate information on one hand, but would emphasize the truly high-risk attacks, while filtering out the mountains of noise. The desired outcome would not require excessive amounts of repetitive manual work. Instead, it would allow SOC teams to focus on leading investigations and mitigating attacks. XDR’s presentation of data would be aware of context and content, be advanced technologically, yet be simple enough for analysts to understand and act upon.

As many organizations begin to adopt EDR solutions with the capability to embrace XDR, they also must consider how these solutions enable them to migrate toward a Zero Trust architecture. The wealth of information that will be available in a platform capable of distilling threat telemetry not only from endpoints, the networks they are accessing, and the cloud services they consume will create real advantages. It will greatly improve the granularity, flexibility, and accuracy of the policy engines granting access to enterprise resources and using that degree of trust to determine how much access is granted within the application.

The ideal solution must provide enhanced detection and response capabilities across endpoints, networks, and cloud infrastructures. It needs to prioritize and predict threats that matter before the attack and prescribe necessary countermeasures allowing the organization to proactively harden their environment. The ideal solution also must incorporate Zero Trust, and it should be built on an open security ecosystem.

McAfee Enterprise recognized early on that a multi-vendor security ecosystem is a key requirement to building a defense in depth security practice. One of the key building blocks was the Data Exchange Layer (DXL), which was subsequently made available as an open-source project (OpenDXL) for the community to further develop innovative use cases. This enabled our diverse ecosystem of partners from threat intelligence platforms to orchestration tools to use a common transport mechanism and information exchange protocol, thereby encouraging participating vendors to not only communicate vital threat details but also inform them of actions that all connected security solutions should take.

When you combine XDR and an open security ecosystem for XDR capabilities, agencies will have a solid foundation to advance their visibility and detection capabilities across their entire cyber infrastructure.

The post White House Executive Order – Improving Detection of Cybersecurity Vulnerabilities appeared first on McAfee Blogs.

Evolve With XDR – The Modern Approach to SecOps Thu, 05 Aug 2021 15:00:15 +0000 /blogs/?p=125726

If you are part of an organization aspiring to evolve and modernize your SecOps practice with greater efficiencies with XDR,...

The post Evolve With XDR – The Modern Approach to SecOps appeared first on McAfee Blogs.


If you are part of an organization aspiring to evolve and modernize your SecOps practice with greater efficiencies with XDR, this read is for you.

So, what’s all the continuous hype about XDR? Is it for you and what does it mean to your organization? If you haven’t already, I invite you to read our XDR—Please Explain and Unravel to XDR Noise blogs for added context. From here we can begin to ask, what are XDRs and what are they not? What happens once you acquire components that add the “X-factor” to your threat detection and response (TDR) practice? And how can SOC teams use it for investigation, prioritization, remediation and hunting?

I’ll cover the basics in this blog and hopefully by the end I’ve piqued your interest enough to watch our on-demand webinar where we will cover these aspects in detail.

For security practitioners, there’s one question that is top of mind—am I protected against the latest threats? But let’s face it, threats are evolving, adversaries are evolving too and a shortage of talent make it near impossible to keep up with alerts.

In fact, according to the latest XDR research by ESG, The Impact of XDR in the Modern SOC March 2021 [1], the top challenges related to TDR for respondents were:

  1. 31% spend time addressing high priority/emergency threats and not enough time on more comprehensive strategy and process improvement for TDR
  2. Another 29% have “blind spots” on the network due to inability to deploy agents
  3. 23% find it difficult to correlate and combine data from different security controls, which impacts TDR efficiency/efficacy

Advanced threats are now commonplace, challenging most security professionals to detect and respond before damage is done, we know that these attacks leverage multiple attack vectors to gain a foothold and execute. XDR solutions bring together security telemetry across multiple controls, correlating and stitching together complex attacks so analyst can quickly assess and investigate. XDR is seen as having the potential to modernize the SOC with enriched and aggregated security analytics capabilities to accelerate the investigation to a resolution.

What’s more, McAfee Enterprise is here to help you evolve your SecOps practice into the next era of security analytics, threat detection and response. McAfee’s MVISION XDR tools provide visibility across multiple control points to not only detect threats but to help organizations improve their security posture. In addition, MVISION Insights provides relevant threat intel to help customers proactively prevent threats on multiple control points like endpoint.

We invite view our on-demand webinar with Mo Cashman, Enterprise Architect at McAfee Enterprise, and Dave Gruber, Senior Analyst at ESG, as they cover what XDRs are and aren’t, the keys to SOC modernization for XDR with a focus on the SOAPA approach to security, and how McAfee’s MVISION XDR lays out the flexible groundwork for organizations aspiring to evolve with XDR. Here is the link to watch. 

Whether you are building a SOC function with limited resources or maturing a well-established SOC, McAfee Enterprise is here to help you simplify and strengthen your security operations with MVISION XDR. With MVISION XDR, you can proactively identify, investigate and mitigate threat actors targeting your organization before they can gain a foothold in the network. By combining the latest machine-learning techniques with human analysis, XDR connects and amplifies the early warning signals from your sensors at the network, endpoint, and cloud to improve situational awareness, drive better and faster decisions, and elevate your SOC. [2]


1 – ESG Research Report: The Impact of XDR in the Modern SOC by Jon Oltsik

2 – Cyber Cyber, Burning Bright: Can XDR Frame Thy Fearful Asymmetry?


The post Evolve With XDR – The Modern Approach to SecOps appeared first on McAfee Blogs.

McAfee NSP Provides Superior Security and Performance Wed, 04 Aug 2021 20:28:37 +0000 /blogs/?p=125711

McAfee Enterprise is pleased to announce that the Network Security Platform (NSP), our industry leading next-gen Intrusion Prevention System (IPS)...

The post McAfee NSP Provides Superior Security and Performance appeared first on McAfee Blogs.


McAfee Enterprise is pleased to announce that the Network Security Platform (NSP), our industry leading next-gen Intrusion Prevention System (IPS) solution, has been awarded Miercom Certified Secure for superior security and performance.

About Miercom

Miercom has been reviewing network products for over 30 years, forming standardized test programs that have grown into a worldwide evaluation service for the latest technology.  Miercom has published hundreds of network product analyses in leading trade periodicals and other publications, thus gaining the reputation of being a leading, independent product test center.

About the Testing

The NSP Next Generation Intrusion Prevention System (NGIPS) solution was independently assessed by Miercom engineers for security, performance, and hands-on use to provide unbiased verification of McAfee Enterprise’s unique qualities.  The NGIPS solution was deployed in a real-world environment and subject to performance tests, multiple iterations of attacks from Miercom’s proprietary malware suite, and exploits from Ixia BreakingPoint and other test tools.

Figure 1. Test Bed Diagram

Figure 2. Test Tools



NSP demonstrated security effectiveness in the attack lifecycle detection and protection through its efficient signature engine along with multiple advanced signature-less detection technologies, including file analysis, protocol behavior analysis, and network behavior analysis. The results not only showed NSP continued to hold the highest standard in exploit prevention capability, but also proved its advantage in zero-day malware and malicious URL protection compared to other IPS solutions in the market.

“Based on our findings, the McAfee Network Security Platform with NS9500 sensors demonstrates competitively superior security and performance.  The McAfee solution was stressed under real-world known and not yet discovered exploits and heavily loaded conditions and passed these tests with ease.  McAfee Network Security Platform has rightfully earned the distinction as Miercom Certified Secure.” – Rob Smithers, CEO, Miercom 

Key Findings

  • Prevented 98.7% of malware from Miercom’s Enterprise Critical Protect Malware Set consisting of compound threats, zero-day threats and ransomware (outperforming the industry average by 25%)
  • Detected 97.8% malicious URLs over HTTP with recommended default configuration (outperforming the competitive industry average by 44%)
  • Detected 100% of malicious URLs over HTTP with optimized settings (outperforming the competitive industry average by 47%)
  • Proved effective URL filtering by detecting 100% of blacklisted URLs
  • Prevented 100% of evasive malicious traffic and exploits mounted with mutated traffic

About McAfee NSP

McAfee Enterprise’s new appliance offerings, NS9500 and NS7500, are scalable hardware platforms that provide investment protection. They offer multiple throughput options with the inspection throughput being controlled by a software license. This provides customers the flexibility to only buy capacity that is needed, and easily scale inspection throughput as needs increase via a software upgrade license and/or by stacking appliances. The appliances are purpose-built for line speed DPI (Deep Packet Inspection) and its efficient architecture preserves performance regardless of security settings unlike other IPS offerings in the market.

To download a copy of the report, please visit

To learn more about McAfee NSP, please visit

To learn more about Miercom, please visit




The post McAfee NSP Provides Superior Security and Performance appeared first on McAfee Blogs.

New Company, Same Commitment: Channel First Wed, 04 Aug 2021 15:30:17 +0000 /blogs/?p=125573

In the last week there has been change, but a lot remains the same, too. First, we are now McAfee...

The post New Company, Same Commitment: Channel First appeared first on McAfee Blogs.


In the last week there has been change, but a lot remains the same, too. First, we are now McAfee Enterprise, a pure-play enterprise cybersecurity company under the new ownership of Symphony Technology Group (STG). It’s an exciting change and true focus for our company, allowing us to concentrate on enterprise and commercial business needs. Our partners are an important part of our journey, and together we are excited to continue to win and drive success.

As we start this chapter as a pure-play enterprise security company, my focus is on adding value for our partners at all levels, ensuring our joint customers understand the power of our technology portfolio, and driving profitability and growth through better cybersecurity outcomes for our customers.

Our strategy continues to be Channel First, and we have worked to create continuity in all that we do for our channel partners and customers through the transition. That means our operations as a company will remain very much the same, so there will be no new systems or tools to learn, and our partners will continue to receive the same program benefits. At the same time, we will continue to evaluate and enhance program benefits, enablement and sales engagement.

We look forward to embarking on this journey with our partners as McAfee Enterprise. Our vision cannot be achieved without our partners’ trust and confidence in us.


The post New Company, Same Commitment: Channel First appeared first on McAfee Blogs.

See Ya Sharp: A Loader’s Tale Wed, 04 Aug 2021 14:00:16 +0000 /blogs/?p=125348

Introduction The DotNet based CyaX-Sharp loader, also known as ReZer0, is known to spread commodity malware, such as AgentTesla. In...

The post See Ya Sharp: A Loader’s Tale appeared first on McAfee Blogs.



The DotNet based CyaX-Sharp loader, also known as ReZer0, is known to spread commodity malware, such as AgentTesla. In recent years, this loader has been referenced numerous times, as it was used in campaigns across the globe. The tale of CyaX-Sharp is interesting, as the takeaways provide insight into the way actors prefer to use the loader. Additionally, it shines a light onto a spot that is not often illuminated: the inner workings of loaders.

This blog is split up into several segments, starting with a brief preface regarding the coverage of loaders in reports. After that, the origin of the loader’s name is explored. Next, the loader’s capabilities are discussed, as well as the automatic extraction of the embedded payload from the loader. Lastly, the bulk analysis of 513 unique loader samples is discussed.

Loaders and their Coverage in Blogs

To conceal the malware, actors often use a loader. The purpose of a loader is, as its name implies, to load and launch its payload, thereby starting the next stage in the process. There can be multiple loaders that are executed sequentially, much like a Russian Matryoshka doll in which the smallest doll, which is hidden inside numerous others, is the final payload. The “smallest doll” generally contains the malware’s main capabilities, such as stealing credentials, encrypting files, or providing remote access to the actor.

While there is a lot of research into the actions of the final payload, the earlier stages are just as interesting and relevant. Even though the earlier stages do not contain the capabilities of the malware that is eventually loaded, they provide insight as to what steps are taken to conceal the malware. Blogs generally mention the capabilities of a loader briefly, if at all. The downside here lies in the potential detection rules that others can create with the blog, as the focus is on the final step in the process, whereas the detection should start as soon as possible.

Per best security practices, organizations should protect themselves at every step along the way, rather than only focusing on the outside perimeter. These threat models are often referred to as the, respectively, onion and egg model. The egg’s hard shell is tough to break, but once inside, an attacker has free roam. The onion model opposes the attacker every step of the way, due to its layered approach. Knowing the behavior of the final payload is helpful to detect and block malware although, ideally, the malware would be detected as early on as possible.

This blog focuses on one specific loader family, but the takeaways are valid in a broader sense. The preferred configurations of the actors are useful to understand how loaders can be used in a variety of attacks.

Confusing Family Names

A recent blog by G Data’s Karsten Hahn provides a more in-depth look into malware families ambiguous naming schemes. This loader’s name is also ambiguous, as it is known by several names. Samples are often named based on distinctive characteristics in them. The name CyaX-Sharp is based upon the recurring string in samples. This is, however, exactly why it was also named ReZer0.

When looking at the most used names within the 513 obtained samples, 92 use CyaX-Sharp, whereas 215 use ReZer0. This would make it likely that the loader would be dubbed ReZer0, rather than CyaX-Sharp. However, when looking at the sample names over time, as can be seen in the graph below, the reason why CyaX-Sharp was chosen becomes apparent: the name ReZer0 was only introduced 8 months after the first CyaX-Sharp sample was discovered. Based on this, McAfee refers to this loader as CyaX-Sharp.

Within the settings, one will find V2 or V4. This is not a reference of the loader’s version, but rather the targeted DotNet Framework version. Within the sample set, 62% of the samples are compiled to run on V4, leaving 38% to run on V2.

The Loader’s Capabilities

Each version of the loader contains all core capabilities, which may or may not be executed during runtime, based on the loader’s configuration. The raw configurations are stored in a string, using two pipes as the delimiting value. The string is then converted into a string array using said delimiter. Based on the values at specific indices, certain capabilities are enabled. The screenshots below show, respectively, the raw configuration value, and some of the used indices in a sample (SHA-256: a15be1bd758d3cb61928ced6cdb1b9fa39643d2db272909037d5426748f3e7a4).

The loader can delay its execution by sleeping for a certain number of seconds, use a mutex to ensure it is not already running, display a message box with a custom message, persist itself as a scheduled task, and/or execute a given payload in several ways. The payload can be downloaded from an external location, after which it is started. Alternatively, or additionally, the embedded payload within the loader can be launched. This can be done directly from the loader’s memory with the help of reflective calls, or by hollowing a newly created process. The flowchart below visualizes the process. Note that the dotted line means the linked step can be skipped, depending on the loader’s configuration.

Process Hollowing

The newly created process is one of the following: MSBuild.exe, vbc.exe, RegSvcs.exe, or a new instance of the loader. The process hollowing code segment seems to be taken from NYAN-x-CAT’s GitHub, as the for-loop to start the process hollowing method is present in both the loader and the linked repository. The way an error is handled is not a standardized method, making the link between the publicly available code very likely. The first image below shows the original code from the repository, whereas the second image shows the code from the loader (SHA-256: a15be1bd758d3cb61928ced6cdb1b9fa39643d2db272909037d5426748f3e7a4)

The loop calls the process hollowing function several times to more easily handle exceptions. In the case of an exception during the process hollowing, the targeted process is killed and the function returns. To try several times, a loop is used.

Changes Over Time

Even though the loader has changed over time, it maintained the same core structure. Later versions introduced minor changes to existing features. Below, different loader versions will be described, where the length of the string array that contains the loader’s configuration is used to identify different versions. The graph shows the rise and fall for each of the versions.

There are two notable differences in versions where the config array’s size is larger than 29. Some specific samples have slightly different code when compared with others, but I did not consider these differences sizable enough to warrant a new version.

Firstly, the ability to enable or disable the delayed execution of a sample. If enabled, the execution is delayed by sleeping for a predefined number of seconds. In config_29, the delay functionality is always enabled. The duration of the delay is based on the System.Random object, which is instantiated using the default seed. The given lower and upper limits are 45,000 and 60,000, resulting in a value between these limits, which equals in the number of milliseconds the execution should be delayed.

Secondly, the feature to display a custom message in a prompt has been added. The config file contains the message box’ title, text, button style, and icon style. Prompts can be used to display a fake error message to the victim, which will appear to be legitimate e.g.  43d334c125968f73b71f3e9f15f96911a94e590c80955e0612a297c4a792ca07, which uses “You do not have the proper software to view this document” as its message.

Payload and Configuration Extraction

To automatically extract the payload and configuration of a given loader, one can recreate the decryption mechanism in a language of choice, get the encrypted data from the loader, and decrypt it. The downside here is the need for an exact copy of the decryption mechanism. If the key were to change, or a slightly different algorithm were to be used, the copy would also need to reflect those changes. To avoid dealing with the decryption method, a different approach can be taken.

This loader mistakenly uses static variables to store the decrypted payload and configuration in. In short, these variables are initialized prior to the execution of the main function of the loader. As such, it is possible to reflectively obtain the value of the two variables in question. A detailed how-to guide can be found on my personal website. The data that was extracted from the 513 samples in the set is discussed in the next section.

Bulk Analysis Results

The complete set consists of 513 samples, all of which were found using a single Yara rule. The rule focuses on the embedded resource which is used to persist the loader as a scheduled task on the victim’s system. In some cases, the Yara rule will not match a sample, as the embedded resource is obfuscated using ConfuserEx (one example being SHA-256 0427ebb4d26dfc456351aab28040a244c883077145b7b529b93621636663a812). To deobfuscate, one can use ViRb3’s de4dot-cex fork of de4dot. The Yara rule will match with the deobfuscated binary. The graph below shows the number of unique samples over time.

The dates are based on VirusTotal’s first seen date. Granted, this date does not need to represent the day the malware was first distributed. However, when talking about commodity malware that is distributed in bulk, the date is reliable enough.

The sample set that was used is smaller than the total amount of loaders that have been used in the wild. This loader is often not the first stage, but rather an in-memory stage launched by another loader. Practically, the sample set is sizable enough for this research, but it should be noted that there are more unique loader samples in the wild for the given date range than are used in this report.

It is useful to know what the capabilities of a single sample are, but the main area of interest of this research is based upon the analysis of all samples in the set. Several features will be discussed, along with thoughts on them. In this section, all percentages refer to the total of 513 unless otherwise specified.

Widespread Usage

The loader’s usage is widespread, without a direct correlation towards a specific group or geographical region. Even though some reports mention a specific actor using or creating this loader, the fact that at least one builder has leaked makes attribution to one or more actors difficult. Coupled with the wide variety of targeted industries, as well as the broad geographic targeted areas, it looks like several actors utilise this loader. The goal of this research is not to dig into the actors who utilise this loader, but rather to look at the sample set in general. Appendix A provides a non-exhaustive list of public articles that (at least) mention this loader, in descending chronological order.

Execution Methods

The two options to launch a payload, either reflectively or via process hollowing, are widely apart in usage: 90% of all loaders uses process hollowing, whereas only 10% of the samples are launched via reflection. Older versions of the loader sometimes used to reflectively load a decrypted stager from the loader’s resources, which would then launch the loader’s payload via process hollowing. The metrics below do not reflect this, meaning the actual percentage of direct launches might be slightly lower than is currently stated. The details can be viewed in the graph below.

Note that the reflective loading mechanism will default to the process hollowing of a new instance of the loader if any exception is thrown. Only DotNet based files can be loaded reflectively, meaning that other files that are executed this way will be loaded using a hollowed instance of the loader.

Persistence and Mutexes

The persistence method, which uses a scheduled task to start the loader once the computer boots, is used by 54% of the loaders. This does not mean that the other 46% of the samples are not persisted on the victim’s machine, as a different stage could provide persistence as well. Notable is the date within the scheduled task, which equals 2014-10-25T14:27:44.8929027. This date is, at the time of writing, nearly 2500 days ago. If any of the systems in an organization encounter a scheduled task with this exact date, it is wise to verify its origin, as well as the executable that it points to.

A third of all loaders are configured to avoid running when an instance is already active using a mutex. Similar to the persistence mechanism, a mutex could be present in a different stage, though this is not necessarily the case. The observed mutexes seem to consist of only unaccented alphabetical letters, or [a-zA-Z]+ when written as a regular expression.

Delayed Execution

Delayed execution is used by nearly 37% of the samples, roughly half of which are config_29, meaning this setting was not configurable when creating the sample. The samples where the delayed execution was configurable, equal nearly 19% of the total. On average, a 4 second delay is used. The highest observed delay is 600 seconds. The graph below shows the duration of the delay, and the frequency.

Note that one loader was configured to have a delay of 0 seconds, essentially not delaying the execution. In most cases, the delayed time is a value that can be divided by five, which is often seen as a round number by humans.

Environmental Awareness

Prior to launching the payload, the loader can perform several checks. A virtual environment can be detected, as well as a sandbox. Roughly 10% of the samples check for the presence of a virtual machine, whereas roughly 11% check if it is executed in a sandbox. Roughly 8% of the 513 samples check for the presence of both, prior to continuing their execution. In other words, 88% of the samples that try to detect a virtual machine, also attempted to detect a sandbox. Vice versa, 74% of the samples that attempted to detect the sandbox, attempted to detect if they were executed on a virtual machine.

The option to disable Windows Defender was mainly present in the earlier samples, which is why only 15% of the set attempts to disable it.

Payload Families

The loader’s final goal is to execute the next stage on the victim’s machine. Knowing what kind of malware families are often dropped can help to find the biggest pain points in your organization’s additional defensive measures. The chart below provides insight into the families that were observed the most. The segment named other contains all samples that would otherwise clutter the overview due to the few occurrences per family, such as the RedLine stealer, Azorult, or the lesser known MrFireMan keylogger.

The percentages in the graph are based on 447 total payloads, as 66 payloads were duplicates. In other words, 66 of the unique loaders dropped a non-unique payload. Of all families, AgentTesla is the most notable, both in terms of frequency and in terms of duplicate count. Of the 66 duplicates, 48 were related to AgentTesla.

Barely Utilized Capabilities

Two functions of the loader that are barely used are the message box and the download of a remote payload. The usage of both is, respectively, 1.3% and 0.8%. All of the remote payloads also contained an embedded payload, although one of the four remotely fetching loaders does not contain a URL to download the remote payload from. The external file can be used as an additional module for a next stage, a separate malicious payload, or it can be used to disable certain defense mechanisms on the victim’s device.


Companies using the aforementioned onion security model benefit greatly from the dissection of such a loader, as their internal detection rules can be improved with the provided details. This stops the malware’s execution in its tracks, as is shown in the sequential diagram of McAfee’s detection below.

The techniques that this loader uses are commonly abused, meaning that the detection of a technique such as process hollowing will also prevent the successful execution of numerous other malware families. McAfee’s Endpoint Security (ENS) and Endpoint Detection & Response (EDR) detect the CyaX-Sharp loader every step of the way, including the common techniques it uses. As such, customers are protected against a multitude of families based on a program’s heuristics.

Appendix A – Mentions of CyaX-Sharp and ReZer0

Below, a non-exhaustive chronologically descending list of relevant articles is given. Some articles contain information on the targeted industries and/or target geographical area.

  • On the 12th of January 2021, ESET mentioned the loader in its Operation Spalax blog
  • On the 7th of December 2020, ProofPoint wrote about the decryption mechanisms of several known .NET based packers
  • On the 5th of November 2020, Morphisec mentioned a packer that looks a lot like this loader
  • On the 6th of October 2020, G Data mentioned the packer (or a modified version)
  • On the 29th of September 2020, ZScaler mentioned the packer
  • On the 17th of September 2020, I wrote about the automatic payload and config extraction of the loader
  • On the 16th of September 2020, the Taiwanese CERT mentioned the loader in a digital COVID-19 threat case study
  • On the 23rd of July 2020, ClamAV mentioned the loader in a blog
  • On the 14th of May 2020, Security firm 360TotalSecurity links the loader to the threat actor Vendetta
  • On the 21st of April 2020, Fortinet provided insight into the loader’s inner workings
  • On the 1st of March 2020, RVSEC0N mentioned the loader
  • On the 4th of December 2019, Trend Micro provided a backstory to CyaX-Sharp
  • On the 22nd of March 2019, 360TotalSecurity gave insight into some of the loader’s features

Appendix B – Hashes

The hashes that are mentioned in this blog are listed below, in order of occurrence. The SHA-1 and SSDeep hashes are also included. A full list of hashes for all 513 samples and their payloads can be found here.

Sample 1

SHA-256: a15be1bd758d3cb61928ced6cdb1b9fa39643d2db272909037d5426748f3e7a4

SHA-1: 14b1a50c94c2751901f0584ec9953277c91c8fff

SSDeep: 12288:sT2BzlxlBrB7d1THL1KEZ0M4p+b6m0yn1MX8Xs1ax+XdjD3ka:O2zBrB7dlHxv0M4p+b50yn6MXsSovUa

Sample 2

SHA-256: 43d334c125968f73b71f3e9f15f96911a94e590c80955e0612a297c4a792ca07

SHA-1: d6dae3588a2a6ff124f693d9e23393c1c6bcef05

SSDeep: 24576:EyOxMKD09DLjhXKCfJIS7fGVZsjUDoX4h/Xh6EkRlVMd3P4eEL8PrZzgo0AqKx/6:EyycPJvTGVijUDlhfEEIUvEL8PrZx0AQ

Sample 3

SHA-256: 0427ebb4d26dfc456351aab28040a244c883077145b7b529b93621636663a812

SHA-1: 8d0bfb0026505e551a1d9e7409d01f42e7c8bf40

SSDeep: 12288:pOIcEfbJ4Fg9ELYTd24xkODnya1QFHWV5zSVPjgXSGHmI:EEj9E/va


The post See Ya Sharp: A Loader’s Tale appeared first on McAfee Blogs.

Hyperautomation and Cybersecurity – A Platform Approach to Telemetry Architectures Tue, 03 Aug 2021 19:46:45 +0000 /blogs/?p=125528

Hyperautomation is a process where artificial intelligence (AI), machine learning (ML), event-driven software, and other tools are used to automate...

The post Hyperautomation and Cybersecurity – A Platform Approach to Telemetry Architectures appeared first on McAfee Blogs.


Hyperautomation is a process where artificial intelligence (AI), machine learning (ML), event-driven software, and other tools are used to automate as many business and IT processes as possible.  Forecasted by Gartner to reach $596.6 billion by 20221, hyperautomation and the global software market that enables it show no signs of slowing.

The myriad of technologies used by a typical organization often are not integrated and exist as siloed disparate tools.  Hyperautomation aims to reduce this “organizational debt” to improve value and brand.  In the context of cybersecurity, a patchwork of stovepipe solutions not only exposes the environment to risk, but also impacts the cyber defender’s ability to fortify the environment and respond to threats at machine speed.  Our target is “shift-left” security — leveraging intelligence to enhance predictability and encourage proactive responses to cyber threats.

The rise of telemetry architectures, combined with cloud adoption and data as the “new perimeter,” pose new challenges to cybersecurity operations.  Organizations will be forced to contend with increased “security debt” unless we figure out how to optimize, connect, and streamline the solutions.  In some cases, we have technologies available to begin this journey (MVISION Insights, MVISION Extended Detection and Response (XDR), MVISION API).  In others, our customers demand more.  They challenge us to build next-generation platforms to see themselves, see their cyberspace, and understand their cyberspace.  Some cyber defenders need more than traditional cyber threat intelligence telemetry to make critical operational impact decisions.

MVISION Insights and MVISION XDR are great starts.  It all begins with the build-up of an appropriate telemetry architecture, and McAfee Enterprise’s billion-sensor global telemetry is unmatched.  Insights provides an automated means to fortify the environment against emerging threats, weaponizing threat intelligence to take a proactive stance in reducing your attack surface from device to cloud.  Why start engaging at an attack’s point of impact when an organization can begin its own awareness at the same point an attacker would?  MVISION XDR brings together the fragmented security solutions accumulated over the years, sharing information and coordinating actions to deliver an effective, unified response across every threat vector.  Workflows are effortless to orchestrate.  The powerful combination of Insights and XDR provides management and visibility of the complete attack lifecycle.  Open architectures reinforce our belief that we are better together and facilitate a cybersecurity ecosystem consistent with the concepts of hyperautomation enablement.

Figure 1 – Attack Lifecycle

Where can we go from here?  How do we secure tomorrow?  From my perspective, we should expand the definition and scope of cybersecurity.

The answer is to look beyond traditional cyber threat telemetry; external factors (environmental, social media, geolocation, law enforcement, etc.) truly matter and are vital in making business impact decisions.  Complete operational visibility, and the ability to investigate, research, and rationalize what matters most to make accurate, critical judgments, is the missing link.  This is a Cyber Common Operating Picture (COP).  A natural extension of our current initiatives within the industry, a COP answers the growing need to provide an integrated cyber defender’s visualization workbench that manages multiple data telemetry sources (beyond cyber threats) and delivers our customers wisdom – a true understanding – regarding their cyberspace on a local, regional, and global scale.

Telemetry data represents change, and telemetry architectures will require new forms of advanced analytics, AI, and ML to make sense of the vast sea of all-source intelligence flowing in from the environment to enhance observations and take definitive action.  If we can “shift-left” for cyber threats, we can leverage that same predictability to identify and prepare for the impact of peripheral threats.  Open source, custom, and third-party data feeds are widely available and create integration opportunities with emerging markets and capabilities to solve unique challenges typically not associated with our platform:

  • How do we identify network or infrastructure hardware (IoT, OT, Industrial Control System) that is on the brink of failing?
  • Can we identify the exact geolocation from which a current cyber-attack is being launched?
  • Does social media and law enforcement chatter indicate a physical threat could be imminent near our headquarters?
  • How do we fuse/correlate inputs from myriad sources to develop regional situational awareness in all layers of cyberspace?

Non-traditional sensor telemetry, a multitude of feeds, and threat intelligence must be overlayed across the Cyber COP to provide AI-driven predictability modeling for next-gen systems and actionable conclusions.  This is a potential future for how hyperautomation can impact cybersecurity; this is orchestrating beyond standard capabilities and expanding the definition and scope of how our complex environments are secured.  AI engineering strategies will continue to expand and deliver data analytics at machine speeds.

McAfee Enterprise has always been a proponent of a platform approach to cybersecurity, creating interoperability and extending the security investments its customers have made. Loosely coupled security systems introduce gaps, and hyperautomation aims to solve that at a much larger scale.  As we look toward the future, we can collectively build the requirements for the next generation of security solutions and broaden the scope of how we defend against our common adversaries. I am confident that the technologies currently exist to provide the framework(s) of a COP solution for enhanced cyber situational awareness.


Source: 1Gartner Press Release: Gartner Forecasts Worldwide Hyperautomation-Enabling Software Market to Reach Nearly $600 Billion by 2022 (April 28, 2021)


The post Hyperautomation and Cybersecurity – A Platform Approach to Telemetry Architectures appeared first on McAfee Blogs.

Data as a Strategic Asset – Securing the New Perimeter in the Public Sector Tue, 03 Aug 2021 19:38:36 +0000 /blogs/?p=125519

Every organization has data moving to the multi-cloud; digital transformation is occurring rapidly, is here to stay, and is impacting...

The post Data as a Strategic Asset – Securing the New Perimeter in the Public Sector appeared first on McAfee Blogs.


Every organization has data moving to the multi-cloud; digital transformation is occurring rapidly, is here to stay, and is impacting every major industry.  Organizations are working hard to adopt Zero Trust architectures as their critical information, trade secrets, and business applications are no longer stored in a single datacenter or location. As a result, there is a rapid shift to cloud resources to support dynamic mission requirements, and the new perimeter to defend is data.  At its core, Zero Trust is a data-centric model and is fundamental to what McAfee Enterprise offers.  In the Public Sector, data has now been classified as a strategic asset – often referred to as the “crown jewels” of an organization. Reinforced by the publication of the DoD Zero Trust Reference Architecture, we have arrived at a crossroads where demonstrating a sound data strategy will be a fundamental requirement for any organization.

All DoD data is an enterprise resource, meaning data requires consistent and uniform protections wherever it is created or wherever it traverses. This includes data transmitted across multi-cloud services, through custom mission applications, and on devices.  Becoming a data-centric organization requires that data be treated as the primary asset. It must also be available so that it can be leveraged by other solutions for discovery and analytics purposes.  To achieve this, interoperability and uniform data management are strategic elements that underpin many sections of DoD’s official vision of Zero Trust.

Let us dissect how the DoD plans to create a data advantage and where McAfee Enterprise can support these efforts as we explore the four essential capabilities – Architecture, Standards, Governance, and Talent & Culture:

Figure 1 – DoD Data Strategy Framework


McAfee Enterprise’s open architectural methodology emphasizes the efficiencies that cloud adoption and open frameworks can offer.  The ability to leverage agile development and continuously adapt to dynamic mission requirements – faster than our adversaries – is a strategic advantage.  Data protection and cloud posture, however, must not take a back seat to innovation.

The rapid pace of cloud adoption introduces new risks to the environment; misconfigurations and mistakes happen and are common. Vulnerabilities leave the environment exposed as DevOps tends to leverage open-source tools and capabilities.  Agile development introduces a lot of moving parts as applications are updated and changed at an expedited pace and based on shorter, prescriptive measures. Customers also utilize multiple cloud service providers (CSP) to fit their mission needs, so consistent and uniform data management across all the multi-cloud services is a necessity.  We are at a pivotal inflection point where native, built-in CSP protections have introduced too much complexity, overhead, and inconsistency. Our data security solution is a holistic, open platform that enforces standardized protections and visibility across the multi-cloud.

Together with our partners, we support the architecture requirements for data-centric organizations and take charge as the multi-cloud scales.  Several items – visibility and control over the multi-cloud, device-to-cloud data protection, cloud posture, user behavior and insider threat – play into our strengths while organic partner integrations (e.g., ZTNA) further bolster the Zero Trust narrative and contribute to interoperability requirements.  We are better together and can facilitate an open architecture to meet the demands of the mission.


DoD requires proven-at-scale methods for managing, representing, and sharing data of all types, and an open architecture should be used wherever possible to avoid stovepiped solutions and facilitate an interoperable security ecosystem.  Past performance is key, and McAfee Enterprise has a long track record of delivering results, which is crucial as the DoD moves into a hybrid model of management.

Data comes in many forms, and the growth of telemetry architectures requires machines to do more with artificial intelligence and machine learning to make sense of data.  How do we share indicators of compromise (IoCs) so multiple environments – internal and external – can leverage intelligence from other organizations?  How do we share risks in multi-clouds and ensure data is secured in a uniform manner?  How do we weaponize intelligence to shift “left of boom” and eliminate those post-compromise autopsies?  Let’s explore how McAfee Enterprise supports data standards.

Made possible by Data Exchange Layer (DXL) and a strategic partner, the sharing of threat intelligence data has proven successful.  Multiple environments participate in a security-connected ecosystem where an “attack against one is an attack against all” and advanced threats are detected, stopped, and participants are inoculated in near real-time.  This same architecture scales to the hybrid cloud where the workloads in cloud environments can benefit from broad coverage.

Furthermore, DXL was built as open source to foster integrations and deliver cohesive partner solutions to promote interoperability and improve threat-informed intelligence.  All capabilities speak the same language, tip and cue, and provide much greater return on investment. Consider the sharing of cloud-derived threats.  No longer should we be limited to traditional hashes or IoCs. Perhaps we should share risky or malicious cloud services and/or insider threats.  Maybe custom-developed solutions should leverage our MVISION platform via API to take advantage of the rich global telemetry and see what we see.

Our global telemetry is unmatched and can be leveraged to organizations’ advantage to proactively fortify the device-to-cloud environment, effectively shifting security to the “left” of impact. This is all done through the utilization of MVISION Insights.  Automated posture assessments pinpoint where potential gaps in an organization’s countermeasures may exist and provide the means to take proactive action before it is hit.  Through MVISION Insights, cyber operators can learn about active global campaigns, emerging threats, and whether an organization is in the path – or even the target.  Leadership can grasp the all-important risk metric and deliver proof that the security investments are working and operational.  Combined with native MITRE ATT&CK Framework mappings – an industry standard being mapped across our portfolio – this proactive hardening is a way we use threat telemetry to customers’ advantage.

Standardized data protection, end-to-end, across all devices and multi-cloud services is a key tenant of the DoD Data Strategy.  Protecting data wherever it lives or moves, retaining it within set boundaries and making it available to approved users and devices only, and enforcing consistent controls from a single, comprehensive solution spanning the entire environment is the only data security approach.  This is what Unified Cloud Edge (UCE) does. This platform’s converged approach is tailored to support DoD’s digital transformation to the multi-cloud and its journey to a data-centric enterprise.


DoD’s data governance element is comprised of the policies, procedures, frameworks, tools, and metrics to ensure data is managed at all levels, from when it is created to where it is stored.  It encompasses increased data oversight at multiple levels and ensures that data will be integrated into future modernization initiatives.  Many organizations tend to be driven by compliance requirements (which typically outweigh security innovation) unless there is an imminent mission need; we now have the compliance requirement.  Customers will need to demonstrate a proper data protection and governance strategy as multi-cloud adoption matures.  What better way to incorporate Zero Trust architectures than by leveraging UCE?  Remember, this is beyond the software defined perimeter.

McAfee Enterprise can monitor, discover, and analyze all the cloud services leveraged by users – both approved and unapproved (Shadow IT) – and provide a holistic assessment.  Closed loop remediation ensures organizations can take control and govern access to the unapproved or malicious services and use the information to lay the foundation for building effective data protection policies very relevant to mission needs.

Granular governance and control – application-level visibility – by authenticated users working within the various cloud services is just as important as controlling access to them.  Tight API integrations with traditional SaaS services guarantee only permitted activities occur.  With agile development on the rise, it is just as important that the solution is flexible to control these custom apps in the same way as any commercial cloud service.  Legacy mission applications are being redesigned to take advantage of cloud scale and efficiency; McAfee Enterprise will not impose limits.

Governance over cloud posture is equally important, and customers need to ensure the multi-cloud environment is not introducing any additional source of risk.  Most compromises are due to misconfigurations or mistakes that leave links, portals, or directories open to the public.  We evaluate the multi-cloud against industry benchmarks and best practices, provide holistic risk scoring, and provide the means to remediate these findings to fortify an organization’s cloud infrastructure.

Unified data protection is our end goal; it is at the core of what we do and how we align to Zero Trust.  Consistent protections and governance over data wherever it is created, wherever it goes, from device to multi-cloud.  The same engine is shared across the environment and provides a single place for incidents and management across the enterprise.  Customers can be confident that all data will be tracked and proper controls enforced wherever its destination may be.

Talent and Culture:

Becoming a data-centric organization will require a cultural change.  Decision-making capabilities will be empowered by data and analytics as opposed to experienced situations and scenarios (e.g., event response). Machine learning and artificial intelligence will continue to influence processes and procedures, and an open ecosystem is needed to facilitate effective collaboration. Capabilities designed to foster interoperability and collaboration will be the future.  As more telemetry is obtained, solutions must support the SOC analyst with reduced noise and provide relevant, actionable data for swift decision-making.

At McAfee Enterprise, we hear this.  UCE provides simplified management over the multi-cloud to ensure consistent and unified control over the environment and the data.  No other vendor has the past performance at scale for hybrid, centralized management.  MVISION Insights ensures that environments are fortified against emerging threats, allowing the cyber operators to focus on the security gaps that can leave an organization exposed.  Threat intelligence sharing and an open architecture has been our priority over the past several years, and we will continue to enrich and strengthen that architecture through our platform approach.  There is no silver bullet solution that will meet every mission requirement, but what we can collectively do is ensure we are united against our adversaries.

Data and Zero Trust will be at the forefront as we move forward into adopting cloud in the public sector.  There is a better approach to security in this cloud-first world. It is a mindset change from the old perimeter-oriented view to an approach based on adaptive and dynamic trust and access controls.  McAfee’s goal is to ensure that customers can support their mission objectives in a secure way, deliver new functionality, improved processes, and ultimately give better return on investments.

We are better together.

The post Data as a Strategic Asset – Securing the New Perimeter in the Public Sector appeared first on McAfee Blogs.

Introducing MVISION Private Access Tue, 03 Aug 2021 03:00:53 +0000 /blogs/?p=125216

Enabling Zero Trust Access with End-to-end Data Security and Continuous Risk Assessment The current business transformation and remote workforce expansion...

The post Introducing MVISION Private Access appeared first on McAfee Blogs.


Enabling Zero Trust Access with End-to-end Data Security and Continuous Risk Assessment

The current business transformation and remote workforce expansion require zero trust access to corporate resources, with end-to-end data security and continuous risk assessment to protect applications and data across all locations – public clouds, private data centers, and user devices.  MVISION Private Access is the industry’s first truly integrated Zero Trust Network Access solution that enables blazing fast, granular “Zero Trust” access to private applications and provides best-in-class data security with leading data protection, threat protection, and endpoint protection capabilities, paving the way for accelerated Secure Access Service Edge (SASE) deployments.

We are currently operating in a world where enterprises are borderless, and the workforce is increasingly distributed. With an increasing number of applications, workloads and data moving to the cloud, security practitioners today face a wide array of challenges while ensuring business continuity, including:

  • How do I plan my architecture and deploy assets across multiple strategic locations to reduce network latency and maintain a high-quality user experience?
  • How do I keep a tight control over devices connecting from any location in the world?
  • How do I ensure proper device authorization to prevent over-entitlement of services?
  • How do I maintain security visibility and control as my attack surface increases due to the distributed nature of data, users, and devices?

Cloud-based Software-as-a-Service (SaaS) application adoption has exploded in the last decade, but most organizations still rely heavily on private applications hosted in data centers or Infrastructure-as-a-Service) IaaS environments. To date Virtual Private Networks (VPN) have been a quick and easy fix for providing remote users access to sensitive internal applications and data. However, with remote working becoming the new normal and organizations moving towards cloud-first deployments, VPNs are now challenged with providing secure connectivity for infrastructures they weren’t built for, leading to bandwidth, performance, and scalability issues. VPNs also introduce the risk of excessive data exposure, as any remote user with valid login keys can get complete access to the entire internal corporate network and all the resources within.

Enter Zero Trust Network Access, or ZTNA! Built on the fundamentals of “Zero Trust”, ZTNAs deny access to private applications unless the user identity is verified, irrespective of whether the user is located inside or outside the enterprise perimeter. Additionally, in contrast to the excessive implicit trust approach adopted by VPNs, ZTNAs enable precise, “least privileged” access to specific applications based upon the user authorization.

We are pleased to announce the launch of MVISION Private Access, an industry-leading Zero Trust Network Access solution with integrated Data Loss Prevention (DLP) and Remote Browser Isolation (RBI) capabilities. With MVISION Private Access, organizations can enable fast, ubiquitous, direct-to-cloud access to private resources from any remote location and device, allow deep visibility into user activity, enforce data protection over the secure sessions to prevent data misuse or theft, isolate private applications from potentially risky user devices, and perform security posture assessment of connecting devices, all from a single, unified platform.

Why does ZTNA matter for remote workforce security and productivity?

Here are the key capabilities offered by ZTNA to provide secure access for your remote workforce:

  • Direct-to-app connectivity: ZTNA facilitates seamless, direct-to-cloud and direct-to-datacenter access to private applications. This eliminates unnecessary traffic backhauling to centralized servers, reducing network latency, improving the user experience and boosting employee productivity.
  • Explicit identity-based policies: ZTNA enforces granular, user identity-aware, and context-aware policies for private application access. By eliminating the implicit trust placed on multiple factors, including users, devices and network location, ZTNA secures organizations from both internal and external threats.
  • Least-privileged access: ZTNA micro-segments the networks to create software-defined perimeters and allows “least privileged” access to specific, authorized applications, and not the entire underlying network. This prevents overentitlement of services and unauthorized data access. Micro-segmentation also significantly reduces the cyberattack surface and prevents lateral movement of threats in case of a breach.
  • Application cloaking: ZTNA shields private applications behind secure gateways and prevents the need to open inbound firewall ports for application access. This creates a virtual darknet and prevents application discovery on public Internet, securing organizations from Internet-based data exposure, malware and DDoS attacks.

Is securing the access enough? How about data protection?

Though ZTNAs are frequently promoted as VPN replacements, nearly all ZTNA solutions share an important drawback with VPNs – lack of data awareness and risk awareness. First-generation ZTNA solutions have categorically focused on solving the access puzzle and have left data security and threat prevention problems unattended. Considering that ubiquitous data awareness and risk assessment are the key tenets of the SASE framework, this is a major shortcoming when you consider how much traffic is going back and forth between users and private applications.

Moreover, the growing adoption of personal devices for work, oftentimes connecting over unsecure remote networks, significantly expands the threat surface and increases the risk of sensitive data exposure and theft due to lack of endpoint, cloud and web security controls.

Addressing these challenges requires ZTNA solutions to supplement their Zero Trust access capabilities with centralized monitoring and device posture assessment, along with integrated data and threat protection.

MVISION Private Access

MVISION Private Access, from McAfee Enterprise, is designed for organizations in need for an all-encompassing security solution that focuses on protecting their ever-crucial data, while enabling remote access to corporate applications. The solution combines the secure access capabilities of ZTNA with the data and threat protection capabilities of Data Loss Prevention (DLP) and Remote Browser Isolation (RBI) to offer the industry’s leading integrated, data-centric solution for private application security, while utilizing McAfee’s industry-leading Endpoint Security solution to derive deep insights into the user devices and validating their security posture before enabling zero trust access.

MVISION Private Access allows customers to immediately apply inline DLP policies to the collaboration happening over the secure sessions for deep data inspection and classification, preventing inappropriate handling of sensitive data and blocking malicious file uploads. Additionally, customers can utilize a highly innovative Remote Browser Isolation solution to protect private applications from risky and untrusted unmanaged devices by isolating the web sessions and allowing read-only access to the applications.

Fig. 1: MVISION Private Access

Private Access further integrates with MVISION Unified Cloud Edge (UCE) to enable defense-in-depth and offer full scope of data and threat protection capabilities to customers from device-to-cloud. Customers can achieve the following benefits from the integrated solution:

  • Complete visibility and control over data across endpoint, web and cloud.
  • Unified incident management across control points with no increase in operational overhead, leading to total cost of ownership (TCO) reduction.
  • Multi-vector data protection, eliminating data visibility gaps and securing collaboration from cloud to third-parties.
  • Defending private applications against cloud-native threats, advanced malware and fileless attacks.
  • Continuous device posture assessment powered by industry-leading endpoint security.

Additionally, UCE’s Hyperscale Service Edge, that operates at 99.999% service uptime and is powered by intelligently peered data centers, provides blazing fast, seamless experience to private access users. Authentication via Identity Providers eliminates the risk of threat actors infiltrating the corporate networks using compromised devices or user credentials.

What Sets MVISION Private Access apart?

With dozens of ZTNA solutions on the market, we’ve made sure that MVISION Private Access stands out from the crowd with the following:

  • Integrated data loss prevention (DLP) and industry-leading Remote Browser Isolation (RBI): Enables advanced threat protection and complete control over data collaborated through private access sessions, preventing inappropriate handling of sensitive data, blocking files with malicious content and securing unknown traffic activity to prevent malware infections on end-user devices.
  • SASE readiness with UCE integration: MVISION Private Access converges with MVISION UCE to deliver complete data and threat protection to any device at any location in combination with other McAfee security offerings, that include Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), and Endpoint Protection, while enabling direct-to-cloud access in partnership with leading SD-WAN vendors. This ensures a consistent user experience across web, public SaaS, and private applications.
  • Endpoint security and posture assessment: MVISION Private Access leverages industry-leading McAfee Endpoint Security powered by proactive threat intelligence from 1 billion sensors to evaluate device and user posture, which informs a risk-based zero trust decision in real-time. The rich set of telemetry, which goes well beyond the basic posture checking performed by competitive solutions, allows organizations to continuously assess the device and user risks, and enforce adaptive policies for private application access.
  • Securing unmanaged devices with clientless deployments: MVISION Private Access secures access from unmanaged devices through agentless, browser-based deployment, enabling collaboration between employees, external partners or third-party contractors in a most frictionless manner.

With MVISION Private Access customers can establish granular, least privileged access to their private applications hosted across cloud and IT environments, from any device and location, while availing all the goodness of McAfee’s leading data and threat protection capabilities to accelerate their business transformation and enable the fastest route to SASE. To learn more, visit




The post Introducing MVISION Private Access appeared first on McAfee Blogs.

Introducing MVISION Cloud Firewall – Delivering Protection Across All Ports and Protocols Thu, 29 Jul 2021 15:17:11 +0000 /blogs/?p=125183

Architected for the cloud-first and remote-first deployments, MVISION Cloud Firewall secures access to applications and resources on the internet, accessed...

The post Introducing MVISION Cloud Firewall – Delivering Protection Across All Ports and Protocols appeared first on McAfee Blogs.


Architected for the cloud-first and remote-first deployments, MVISION Cloud Firewall secures access to applications and resources on the internet, accessed from every remote site and location, through a cloud-native service model. The solution inspects end-to-end user traffic – across all ports and protocols, enabling unified visibility and policy enforcement across the organizational footprint. Powered by McAfee Enterprise’s industry leading next-generation intrusion detection and prevention system, contextual policy engine and advanced threat detection platform, and supported by Global Threat Intelligence feeds, MVISION Cloud Firewall proactively detects and blocks emerging threats and malware with a high degree of accuracy, uniquely addressing the security challenges of the modern remote workforce. MVISION Cloud Firewall is an integral component of McAfee Unified Cloud Edge, offering organizations an all-encompassing, cloud-delivered Secure Access Service Edge (SASE) security solution for accelerating their business transformation.

Wherever networks went, firewalls followed

For a long time, firewalls and computer networks were like conjoined twins. Businesses simply could not afford to run an enterprise network without deploying a security system at the edge to create a secure perimeter around their crown jewels. The growing adoption of web-based protocols and their subsequent employment by cybersecurity adversaries for launching targeted malware attacks, often hidden within encrypted traffic, saw the emergence of next-generation firewall (NGFW) solutions. Apart from including stateful firewall and unified threat management services, NGFWs offered multi-layered protection and performed deep packet inspection, allowing organizations greater awareness and control over the applications to counter web-based threats.

Cloud computing changed the playing field

But things took a dramatic turn with the introduction of cloud computing. Cloud service providers came up with an offer the organizations could not refuse – unlimited computing power and storage volumes at significantly lower operating costs, along with the option to seamlessly scale business operations without hosting a single piece of hardware on-premises. Hence began the mass exodus of corporate data and applications to the cloud. Left without a fixed network perimeter to protect, the relationship between firewalls and networks entered complicated terms. While the cloud service providers offered a basic level of security functionality, they lacked the muscle power of on-premises firewalls, particularly NGFWs. This was further exacerbated by the ongoing pandemic and the overnight switch of the workforce to remote locations, which introduced the following challenges:

  • Remote users were required to backhaul the entire outbound traffic to centralized firewalls through expensive MPLS connections, impacting the network performance due to latency and degrading the overall user experience.
  • Remote users connecting direct-to-cloud often bypassed the on-premises security controls. With the firewalls going completely blind to the remote user traffic, security practitioners simply couldn’t protect what they couldn’t see.
  • Deploying security appliances at each remote site and replicating the firewall policies across every site significantly increased the capital and operational expenditure. Additionally, these hardware applications lack the ability to scale and accommodate the growing volume of user traffic.
  • On-premises firewalls struggled to integrate with cloud-native security solutions, such as Secure Web Gateways (SWG) and Cloud Access Security Brokers (CASB), creating a roadblock in Secure Access Service Edge (SASE) deployments.

Enter Firewall-as-a-Service

The distributed workforce has expanded the threat landscape at an alarming rate. According to the latest McAfee Labs Threats Reports, the volume of malware threats observed by McAfee Labs averaged 688 threats per minute, an increase of 40 threats per minute (3%) in the first quarter of 2021. While SWGs and CASBs could address the security challenges for web and SaaS traffic, respectively, how could organizations secure the remaining non-web traffic? The answer lies in Firewall-as-a-Service, or FWaaS. FWaaS can be defined as a firewall hosted in the cloud, offering all the NGFW capabilities, including deep packet inspection, application-layer filtering, intrusion prevention and detection, advanced threat protection, among others. While, at the onset, FWaaS may give the impression of lifting and shifting NGFWs to the cloud, their business benefits are far more profound and relevant for the modern workforce, some of which include:

  • Securing the remote workers and local internet breakouts, allowing direct-to-cloud connections to reduce network latency and improve user experience. Avoiding traffic backhauls from remote sites to centralized firewalls through expensive VPN and MPLS lines reduces the deployment costs.
  • Significant cost savings by eliminating hardware installation at remote branch offices.
  • Aggregating the network traffic from on-premises datacenters, clouds, remote branch offices and remote user locations, allowing centralized visibility and unified policy enforcement across all locations.
  • Seamless scaling to handle the growing volume of traffic and the need for inspecting encrypted traffic for threats and malware.
  • Centralizing the service management, such as patching and upgrades, reducing the operational costs for repetitive tasks.

Introducing MVISION Cloud Firewall

McAfee MVISION Cloud Firewall is a cutting-edge Firewall-as-a-Service solution that enforces centralized security policies for protecting the distributed workforce across all locations, for all ports and protocols. MVISION Cloud Firewall allows organizations to extend comprehensive firewall capabilities to remote sites and remote workers through a cloud-delivered service model, securing data and users across headquarters, branch offices, home networks and mobile networks, with real-time visibility and control over the entire network traffic.

The core value proposition of MVISION Cloud Firewall is characterized by a next-generation intrusion detection and prevention system that utilizes advanced detection and emulation techniques to defend against stealthy threats and malware attacks with industry best efficacy. A sophisticated next-generation firewall application control system enables organizations to make informed decisions about allowing or blocking applications by correlating threat activities with application awareness, including Layer 7 visibility of more than 2000 applications and protocols.

Fig. MVISION Cloud Firewall Architecture

What makes MVISION Cloud Firewall special?

Superior IPS efficacy: MVISION Cloud Firewall delivers superior IPS performance through deep inspection of network traffic and seamless detection and blocking of both known and unknown threats across the network perimeter, data center, and cloud environments. The next-generation IPS engine offers 20% better efficacy than competitive solutions, while far exceeding the detection rates of open-source solutions. The solution combines with MVISION Extended Threat Detection and Response (XDR) to offer superior threat protection by correlating threat intelligence and telemetry across multiple vectors and proactively detecting and resolving adversarial threats before that can lead to any enterprise damage or loss. Additional advantages include inbound and outbound SSL decryption, signature-less malware analysis, high availability, and disaster recovery protection.

End-to-end visibility and optimization: The ability to visualize and control remote user sessions allows MVISION Cloud Firewalls to proactively monitor the end-to-end traffic flow and detect any critical issues observed across user devices, networks, and cloud. This offers network administrators a unified, organization-wide view of deployed assets to pinpoint and troubleshoot issues before the overall network performance and user productivity gets impacted. Optimizing network performance elevates the user experience through reduced session latency while keeping a check on the help desk ticket volumes.

Policy Sophistication: MVISION Cloud Firewall considers multiple contextual factors, such as the device type, security posture of devices, networks and users, and pairs that with application intelligence to define a robust and comprehensive policy lexicon that is more suitable for protecting the modern remote workforce. For example, most NGFWs can permit or block user traffic based on the configured rule set, such as permitting accounting users to access files uploaded on a Teams site. McAfee, on the other hand, utilizes its data protection and endpoint protection capabilities to create more powerful NGFW rules, such as permitting accounting users to access a third-party Teams site only if they have endpoint DLP enabled.

SASE Convergence

MVISION Cloud Firewall converges with MVISION Unified Cloud Edge to offer an integrated solution comprising of industry best Cloud Access Security Broker (CASB), Secure Web Gateway (SWG), Zero Trust Network Access (ZTNA), unified Data Loss Prevention (DLP) across endpoint, cloud and network, Remote Browser Isolation (RBI) and Firewall-as-a-Service, making McAfee one of the only vendors in the industry that solves the network security puzzle of the SASE framework. With the inclusion of MVISION Cloud Firewall, McAfee Enterprise customers can now utilize a unified security solution to inspect any type of traffic destined to the cloud, web, or corporate networks, while securing the sensitive assets and users across every location.

The post Introducing MVISION Cloud Firewall – Delivering Protection Across All Ports and Protocols appeared first on McAfee Blogs.

White House Executive Order – Removing Barriers to Sharing Threat Information Mon, 12 Jul 2021 15:00:51 +0000 /blogs/?p=124663

The latest guidance in the Executive Order on Improving the Nation’s Cybersecurity (EO), Section 2, discusses removing the barriers to...

The post White House Executive Order – Removing Barriers to Sharing Threat Information appeared first on McAfee Blogs.


The latest guidance in the Executive Order on Improving the Nation’s Cybersecurity (EO), Section 2, discusses removing the barriers to sharing threat information. It describes how security partners and service providers are often hesitant or contractually unable to share information about a compromise. The EO helps ensure that security partners and service providers can share intelligence with the government and requires them to share certain breach data with executive level departments and agencies responsible for investigating and remediating incidents, namely CISA, the FBI, and the IC.  This approach will enable better comprehensive threat visibility across the Executive Branch departments and agencies to promote early detection and coordinated response actions. Indeed, the threat information sharing section will help enhance the public-private sector partnership that McAfee, and our colleagues in the cyber security industry are committed to supporting.  To achieve this goal the EO requires:

  • Elimination of contractual barriers that limit sharing across agencies through FAR modifications
  • The expansion of log retention
  • Mandatory reporting requirements for government technology and service partners
  • Standards-based incident sharing
  • Collaboration with investigative agencies on potential or actual incidents.

The EO is a positive first step towards improving incident awareness at a macro level, though the EO would be even more impactful if it pushed government agencies to share more threat information with the private sector. The U.S. government represents an incredibly large attack surface and being able to identify threats early in one agency or department may very well serve to protect other agencies by enabling stronger predictive and more proactive defenses.  While a government-built threat intelligence data lake is a critical first step, I think a logical next step should be opening the focus of threat intelligence sharing to be both real-time and bi-directional.

The EO focuses on the need for the private sector to improve its information sharing and collaboration with the government. However, the guidance is focused more on “post-breach” and unidirectional threat sharing.  Real-time, not just “post-breach,” threat sharing improves the speed and effectiveness of countermeasures and early detection.  Bi-directional data sharing opens possibilities for things like cross-sector environmental context, timely and prescriptive defensive actions, and enhanced remediation and automation capabilities.  Harnessing real-time sector-based threat intelligence is not a unique concept; companies like McAfee have started to deliver on the promise of predictive security using historical threat intelligence to guide proactive security policy decision making.

Real-time threat sharing will make one of the EO’s additional goals, Zero Trust, ultimately more achievable.  Zero Trust requires a dynamic analysis layer that will continuously evaluate user and device trust. As environmental variables change, so should the trust and ultimately access and authorization given. If the intent of threat intelligence sharing is to identify potentially compromised or risky assets specific to emerging campaigns, then it stands to reason that the faster that data is shared, the faster trust can be assessed and modified to protect high-value assets.

McAfee has identified the same benefits and challenges as the government for targeted threat intelligence and has developed a useful platform to enable robust threat sharing. We understand the value of sector specific data acting as an early indicator for organizations to ensure protection.  Focusing on our own threat intelligence data lakes, we deliver on the promise of sector-specific intelligence by identifying targeted campaigns and threats and then correlating those campaigns to protective measures.  As a result, government agencies now have the advantage of predicting, prioritizing, and prescribing appropriate defense changes to stay ahead of industry-focused emerging campaigns. We call that capability MVISION Insights.

This approach serves to drive home the need for collaborative shared threat intelligence. McAfee’s broad set of customers across every major business sector, combined with our threat research organization and ability to identify sector-specific targeted campaigns as they’re emerging, allows customers to benefit from threat intelligence collected from others in their same line of business. The federal government has a wide range of private sector business partners across healthcare, finance, critical infrastructure, and agriculture, to name a few. Each of these partners extends the government attack surface beyond the government-controlled boundary, and each represents an opportunity for compromise.

Imagine a scenario where an HHS healthcare partner is alerted, in real-time across a public/private sector threat intelligence sharing grid, to a threat affecting either the federal government directly or a healthcare partner for a different government agency. This approach allows them to assess their own environment for attack indicators, make quick informed decisions about defensive changes, and limit access where necessary.  This type of real-time alerting not only allows the HHS partner to better prepare for a threat, but ultimately serves to reduce the attack surface of the federal government.

Allowing industry partners to develop and participate in building out cyber threat telemetry enables:

  • Automation of the process for predicting and alerting
  • Proactively identifying emerging threats inside and across industries
  • Sharing detailed information about threats and actors (campaigns and IOCs)
  • Real-time insight and forensic investigation capabilities

The U.S. government can begin to effectively shift focus from a reactive culture to one that is more proactive, enabling faster action against threats (or something like this). In the next EO, the Administration should bulk up its commitment to sharing cyber threat information with the private sector. The capability to exchange cyber threat intelligence data across the industry in standards-based formats in near real time exists today.  The collective “we” just needs to make it a priority.




The post White House Executive Order – Removing Barriers to Sharing Threat Information appeared first on McAfee Blogs.

Adding Security to Smartsheet with McAfee CASB Connect Thu, 08 Jul 2021 15:00:13 +0000 /blogs/?p=124405

The Smartsheet enterprise platform has become an essential part of most organizations, as it has done much to transform the...

The post Adding Security to Smartsheet with McAfee CASB Connect appeared first on McAfee Blogs.


The Smartsheet enterprise platform has become an essential part of most organizations, as it has done much to transform the way customers conduct business and collaborate, with numerous services available to increase productivity and innovation. Within the McAfee customer base, customers had expressed their commitment to Smartsheet, but wanted to inject the security pedigree of McAfee to make their Smartsheet environments even stronger.

In June 2021, McAfee MVISION Cloud released support for Smartsheet – providing cornerstone CASB services to Smartsheet through the CASB Connect framework, which makes it possible to provide API-based security controls to cloud services, such as:

  • Data Loss Prevention (find and remediate sensitive data)
  • Activity Monitoring & Behavior Analytics (set baselines for user behavior)
  • Threat Detection (insider, compromised accounts, malicious/anomalous activities)
  • Collaboration Policies (assure sensitive data gets shared properly)
  • Device Access Policies (only authorized devices connect)

How does it work?

Utilizing the CASB Connect framework, McAfee MVISION Cloud becomes an authorized third party to a customer’s Smartsheet Event Reporting service. This is an API-based method for McAfee to ingest event/audit logs from Smartsheet.

These logs contain information about what activities occur in Smartsheet. This information has value; McAfee will see user logon activity, sheet creation, user creation activity, sheet updates, deletions, etc. Overall, over 120 unique items are stored in the activity warehouse where intelligence is inferred from it. When an inference is made (example: Insider Threat), the platform can show all the forensics data that lead to that conclusion. This provides value to the Smartsheet customer since it shows potential threats that could lead to data loss, either unintended by a well-meaning end-user or not.

Policies for content detection are another important use-case. Most McAfee customers will utilize Data Loss Prevention (DLP) across their endpoint devices as well as in the cloud utilizing policies that are important to them. Examples of DLP policies could be uncovering credit card numbers, health records, customer lists, specific intellectual property, price lists, and more. Each customer will have some kind of data that is critical for their business, a DLP policy can be crafted to support finding it.

In Smartsheet, when an event from the Event Reporting service is captured that relates to DLP – a field is updated, a file is uploaded, or a sheet is shared, the DLP service in MVISION Cloud will perform an inspection of the event. Should the content or sharing violate a policy, an incident will be raised with forensic details describing what user performed the action and why the violation was flagged. This is important for customers because it operationalizes security in Smartsheet and other cloud applications that MVISION Cloud protects. The same DLP policies can be utilized across all of their critical cloud services, including Smartsheet.

Lastly, MVISION Cloud integrates with most popular Identity Providers (IDP). Through standards-based authentication, MVISION Cloud can enforce policies such as location and device policies that assure that only authorized users connect to Smartsheet; for regulated industries this can be important to ensure no compliance issues are violated as they conduct business.


Smartsheet enterprise customers benefit significantly from MVISION Cloud’s support. Visibility of user activity, threats and sensitive data give users a chance to further entrench their business processes in a cloud app they want to use. Adding security tools to an enterprise platform like Smartsheet reduces overall risk and gives organizations the confidence to more deeply depend on their critical cloud services.

Next Steps:

Trying out Smartsheet and McAfee MVISION Cloud is easy. Contact McAfee directly at or visit resources related to this blog post:



The post Adding Security to Smartsheet with McAfee CASB Connect appeared first on McAfee Blogs.

The Industry Applauds MVISION XDR – Turning Raves into Benefits Tue, 06 Jul 2021 15:00:56 +0000 /blogs/?p=124399

Do you usually read what critics say before deciding to see a movie or read a book? We believe these...

The post The Industry Applauds MVISION XDR – Turning Raves into Benefits appeared first on McAfee Blogs.


Do you usually read what critics say before deciding to see a movie or read a book? We believe these McAfee MVISION XDR reviews were worth the wait. But rather than simply share a few top-tier analyst blurbs with you, we’d like to walk through what these insights mean to our growing set of customers and how their sec operations will evolve with greater efficiencies.

Extended Detection and Response products, better known as XDR, not only extended the capabilities of EDR platforms, but according to Gartner[1] “ XDR products may be able to reduce the complexity of security configuration and incident response to provide a better security outcome than isolated best-of-breed components.”

Rave 1: Be more proactive vs reactive

Our Enterprise Security Manager (ESM)/SecOps team briefed a top-tier analyst firm on ESM product execution and the MVISION XDR platform in particular. His reaction to our use cases? “These are great and it is useful to have examples that cut across different events, which is illustrative more so than anything. The response to the cuts across various tools, and the proactive configuration aspect with the security score type analysis, is also pretty rare in this market.”

The takeaway: Preventing an incident is much better than cleaning up after the fact. MVISION XDR powered by MVISION Insights offers a unified security posture score from endpoint to cloud, delivering a more robust and comprehensive assessment across your environment. It allows you to drill down on specifics to enhance your security.

“The vendor has stolen a march on some of its competitors, at least in the short term, with this offering. A lot of vendors are aiming to get to an offering comprising threat intel + prioritization + recommendations + automation, but few if any have actually reached that point today.” – Omdia

Rave 2: Open to easily unite security

A top-tier analyst firm mentioned that many EDR vendors today call themselves “Open XDR” vendors, but they do not offer a fully effective XDR product. The analyst sees XDR as a significant opportunity for McAfee to expand the breadth of our product portfolio.

The takeaway: A fully effective XDR product unites security controls to detect and assess comprehensively and prevent erratic movement of advanced threats. A robust product portfolio with an integrated service offering from a platform vendor with a proven track record of integrating security (McAfee) is critical to achieve this.

Rave 3: Data-aware to prioritize organizational impact

Noted by a top-tier analyst firm, only McAfee and one other offers data-awareness in the XDR offering. This XDR capability alerts the analyst that the threat impact is targeted at sensitive data.

Rave 4: Automatic analysis across the vectors accelerate investigations and response

The takeaway: Many SOCs have siloed tools that hinders their ability to detect and respond quickly and appropriately. SOC’s must prioritize threat intelligence to rapidly make critical decisions.

Rave 5: Improving the SOC

A top-tier analyst firm believes the primary segments for XDR capabilities are in the three groups to solve problems: 1) Workspace 2) Network 3) Cloud workloads. Giving hardening guidance is good for customers, so any vulnerability exposure and threat scoring are good priorities for MVISION Insights.

The takeaway: McAfee MVISION XDR provides automation that eliminates many manual tasks but more importantly, it empowers SOC analysts to prioritize the threats that matter and stay ahead of adversaries.

Rave 6: Efficiently cloud-delivered

A top-tier analyst firm likes our product direction. “Where you’re going with XDR, and with the cloud console — that’s the way to go. It feels like we have crossed the Rubicon of cloud-delivered.”

The takeaway: By going cloud-native, MVISION XDR enables more efficient, better, and faster decisions with automated investigations driven by correlation analysis across multiple vectors. We can provide unified visibility and control of threats across endpoints, networks and the cloud.

To discover why McAfee MVISION XDR earns rave industry reviews, see our resources on XDR to evolve your security operations to be more efficient and effective.

Resource: [1] Gartner Innovation Insight for Extended Detection and Response, Peter Firstbrook, Craig Lawson , 8 April 2021




The post The Industry Applauds MVISION XDR – Turning Raves into Benefits appeared first on McAfee Blogs.

How to Proactively Increase Your Protection Against Ransomware with Threat Intelligence Tue, 29 Jun 2021 15:00:34 +0000 /blogs/?p=123748

As Ransomware continues to spread and target organizations around the world, it is critical to leverage threat intelligence data. And...

The post How to Proactively Increase Your Protection Against Ransomware with Threat Intelligence appeared first on McAfee Blogs.


As Ransomware continues to spread and target organizations around the world, it is critical to leverage threat intelligence data. And not just any threat intelligence but actionable intelligence from MVISION Insights. Fortunately, there are several steps you can take to proactively increase your Endpoint Security to help minimize damage from the next Darkside, WannaCry, Ryuk, or REvil

Which Ransomware campaigns and threat profiles are most likely going to hit you?

MVISION Insights provides near real time statistics on the prevalence of Ransomware campaigns and threat profiles detections by country, by sector and in your environment.

Above you can see that although 5ss5c is the most detected ransomware worldwide, in France Darkside and Ryuk have been the most detected campaigns in the last 10 days. You can also sort top campaigns by industry sector.

How to proactively increase your level of protection against these ransomwares?

As you can see above, MVISION Insights measures your overall Endpoint Security score and provides recommendations on which McAfee Endpoint Security features should be enabled for maximum protection.

Then, MVISION Insights assesses out-of-the-box the minimum version of your McAfee Endpoint Security AMcore content necessary to protect against each campaign. As you can see above, two devices have an insufficient coverage against the “CISA-FBI Cybersecurity Advisory on the Darkside Ransomware”. You can then use McAfee ePO to update these two devices.

Below, MVISION Insights provides a link to a KB article for the “Darkside Ransomware profile” with detailed suggestions on which McAfee Endpoint Security rules to enable in your McAfee ePO policies. First, the minimum set of rules to better protect against this ransomware campaign. Second, the aggressive set to fully block the campaign. The second one can create false positives and should only be used in major crisis situations.

How to proactively check if you have been breached?

MVISION Insights can show you whether you have unresolved detections for specific campaigns. Below you can see that you have an unresolved detection linked the “Operation Iron Ore” threat campaign.

MVISION Insights provides IOCs (Indicators of comprises) which your SOC can use with MVISION EDR to look for the presence of these malicious indicators.

If your SOC has experienced threat hunters MVISION Insights also provides information on the MITRE Tactics, Techniques and Tools linked to this threat campaign or threat profile. This data is also available via the MVISION APIs to integrate with your other SOC tools. In fact, several integrations are already available today with other vendors from the McAfee SIA partnership.

Finally, the ultimate benefit from MVISION Insights is that you can use it to show to your management whether your organization is correctly protected against the latest ransomware attacks.

In summary, you can easily leverage MVISION Insights to proactively increase your protection against ransomware by:

    • Identifying which ransomware are most likely going to hit you
    • Adapting your McAfee Endpoint Security protection against these campaigns using McAfee’s recommendations
    • Proactively checking whether you might be breached
    • Showing your protection status against these threats to your management




The post How to Proactively Increase Your Protection Against Ransomware with Threat Intelligence appeared first on McAfee Blogs.

Transforming to a Predictive Cyber Defense Mon, 21 Jun 2021 21:16:55 +0000 /blogs/?p=123553

How much of the global economy is managed from a home network these days? Or, more importantly, what percentage of...

The post Transforming to a Predictive Cyber Defense appeared first on McAfee Blogs.


How much of the global economy is managed from a home network these days? Or, more importantly, what percentage of your company’s most sensitive data passes through employee home networks right now?

If you’re like me, working from a home office, you can’t help but think about all of the cybersecurity tradeoffs that accompanied the widespread shift from on-premises to cloud-delivered services. Better productivity in exchange for deeper vulnerabilities—like man-in-the-middle attacks—wasn’t a choice many cybersecurity pros would make under normal circumstances.

Yet, for better—and worse—there’s no going back to how things were. When Gartner revealed its annual list of top cybersecurity trends last month, we learned that while 64% of employees now work from home, at least 30-40% will continue to do so once the pandemic is over.1 In the foreseeable future, the Wi-Fi streaming your kids’ favorite shows will transport an untold amount of business data, too. All of which must be protected from device to cloud.

In the same report, Gartner said that with so many employees continuing to work from home, “endpoint protection services will need to move to cloud-delivered services.” While the vast majority of our customers made the overnight switch—many still need to adopt a cloud-native architecture.

No doubt the best transformations are the ones you plan for and manage from end-to-end. But the cloud transformation that many didn’t plan for—and most cybersecurity defenses couldn’t handle—turned out to pack the biggest punch. Here are three ways to better prepare for what comes next.

1. Establish Building Blocks

Stopping unauthorized access to corporate assets—and protecting them—is, on the face of it, a never-ending battle. You can’t build a moat, a wall, or a bubble and say, hey, my work here is done. We’ve found our customers need to solve two primary issues:

  • First, identify where data can leak and be stolen.
  • Second, prevent that event from happening with data protection spanning endpoints, web gateway, and the cloud.

So, we created the MVISION Device-to-Cloud Suites to protect all of this data coursing through home networks. Among the many types of threats we’ve tracked, one of the biggest threats is viruses infecting browsers and capturing keystrokes to steal sensitive information. We solve this by isolating a browser so that no one can see what information has been entered.

While paradigms may shift, going forward we believe it’s predictive defenses that will enable faster, smarter and more effective data loss prevention. We get there by enabling optimized endpoint threat protection, Extended Detection and Response (EDRs) that improve mean time to detect and respond to threats, and useful analytics that not only empower your SOC but also help inform and engage executives.

2. Understand Threat Perspectives

Gaining executive and board-level buy-in has long been a topic of concern in the cybersecurity field. Thanks in part to the harsh publicity and severe damage caused by state-sponsored hacks that day is finally in sight. In a recent blog, McAfee’s Steve Grobman indicated SolarWinds is the first major supply chain attack which represents a shift in tactics where a nation state has employed a new weapon for cyber-espionage.”2

Cybersecurity is perceived as the second highest source of risk for enterprises, losing out to regulatory concerns, notes Gartner.3 While today only one in 10 board of directors have a dedicated cybersecurity committee, Gartner projects that percentage will rise to 40% in four years.

One reason why cybersecurity hasn’t been elevated to an ongoing board concern previously is that many executives lack a window into the cybersecurity in their midst. And lacking a window, they have no keen understanding of their organization’s vulnerabilities. Which also makes it difficult to assess the operational value of various cybersecurity investments.

The ability to gain visual insights and predictive assessments of your security posture against dangerous threats is what generates actionable intelligence. A CISO or CSO should be able to look at a single screen and understand in minutes how well protected they are against potential threats. They also need a team that’s ready to take action on these insights and enact appropriate countermeasures to protect corporate assets from imminent attack.

3. Eliminate Headaches

You want to protect your palace from thieves, but when do you finally have too many latches, locks, and bars on your doors? At some point, less is more, particularly if you can’t remember where you put your keys. Consolidation is one of Gartner top five trends this year. Four out of five companies plan to trim their list of cybersecurity vendors in the next three years.4

In fact, Gartner’s 2020 CISO Effectiveness Survey found that 78% of CISOs have 16 or more tools in their cybersecurity vendor portfolio, while 12% have a whopping 46 or more.5 Mind you, we know there is no end-all, be-all Security vendor who does everything. But with our Device-to-Cloud Suites, your security technology resides in one umbrella platform. Without McAfee, you’d need one vendor on the desktop, another in the cloud, and one more on the web gateway.

Consolidation is intended to remove headaches rather than create them. With one SaaS-based suite that addresses your core security issues, you have lower maintenance, plus the ability to visualize where you’re vulnerable and learn what you need to do to protect it.

We’re Here to Help

McAfee is here to help organizations manage the transformation to a predictive cybersecurity defense and we provide the footprint to secure the data, endpoints, web, and cloud. From my vantage point, securing distributed digital assets demands effective security controls from device to cloud.

MVISION Device-to-Cloud Suites provide a simplified way to help accelerate your cloud transformation and adoption, better defend against attacks, and lower your total cost of operations. The suites scale with your security needs to deliver a unified endpoint, web, and cloud solution.

Learn More About McAfee Device-to-Cloud Suites:



1. Gartner Identifies Top Security and Risk Management Trends for 2021 (Gartner)

2. Why SolarWinds-SUNBURST is a Wakeup Call (McAfee)

3. Gartner Identifies Top Security and Risk Management Trends for 2021 (Gartner)

4. Ibid.

5. Gartner Survey Reveals Only 12% of CISOs Are Considered “Highly Effective” (Gartner)

The post Transforming to a Predictive Cyber Defense appeared first on McAfee Blogs.

Testing to Ensure Your Security Posture Never Slouches Thu, 17 Jun 2021 17:24:26 +0000 /blogs/?p=123469

How well can you predict, prevent and respond to ever-changing cyberthreats? How do you know that your security efforts measure...

The post Testing to Ensure Your Security Posture Never Slouches appeared first on McAfee Blogs.


How well can you predict, prevent and respond to ever-changing cyberthreats? How do you know that your security efforts measure up? The stakes are high if this is difficult to answer and track.  Imagine if you had one place where you found a comprehensive real time security posture that tells you exactly where the looming current cyber risks are and the impact?  Let’s consider a recent and relevant cyber threat.

Take, for example, the May 7th DarkSide ransomware attack that shut down Colonial Pipeline’s distribution network. That well-publicized attack spurred considerable interest in cybersecurity assessments. Ransomware doesn’t just cost money—or embarrassment—it can derail careers. As news spread, we fielded numerous calls from executives wondering: Are my systems protected against DarkSide?

Until recently, discovering the answer to such questions has required exercises such as white hat penetration testing or the completion of lengthy or sometimes generic security posture questionnaires. And we know how that goes — your results may vary from the “norm,” sometimes quite a bit.

To empower you to ask and confidently answer the “am I protected” questions, we developed MVISION Insights Unified Posture Scoring to provide real-time assessments of your environment from device to cloud and threat campaigns targeting your industry.

With the score, you’ll know at a glance: Have you done enough to stave off the most likely risks? In general, the better controls you set for your endpoints, networks and clouds, the lower your risk of breaches and data loss—and the better your security posture score. A CISO from a large enterprise recently stated that the “most significant thing for a CISO to solve is to become confident in the security score.”

Risk and Posture

Assessing risk is about determining the likelihood of an event. A risk score considers where you’re vulnerable and based on those weaknesses how likely is it that a bad actor will exploit it? That scoring approach helps security teams determine whether to apply a specific tool or countermeasures.

However, a posture score goes a step further when it considers your current environment’s risk but also whether you’ve been able to withstand attacks. Where have you applied protections to suppress an attack? It enables you to ask: what’s the state of your defensive posture?

Security posture scoring may answer other critical questions such as:

  • What are the assets and what is their criticality (discover and classify)?
  • What are the threats (events perpetrated by threat actors in the context of the critical assets and vulnerabilities)?
  • What is the likelihood of breach (target by industry, region, other historical perspective)?
  • How vulnerable is my environment (weaknesses in the infrastructure)?
  • Can my controls counter & protect my cyber assets (mitigating controls against the vulnerabilities)?
  • What is the impact of a breach (business assessment based on CIA: confidentiality, integrity & availability)?

Knowing these answers also makes security posture scoring useful for compliance risk assessment, producing a benchmark that enables your organization to compare its industry performance and also choose which concerns to prioritize. The score can also serve as an indicator of whether your organization would be approved for cyber insurance or even how much it may have to pay.

Some organizations use security posture scoring to help prepare for security audits. But it can also be used in lieu of third-party assessments—applying recommended assessments instead of expensive penetration testing.

Scoring Points at Work

No doubt, the pandemic and working from home have exacerbated security posture challenges. According to Enterprise Strategy Group (ESG), a “growing attack surface” from cloud computing and new digital devices are complicating security posture management. So is managing “inexperienced remote workers,” who may be preyed upon by various forms of malware. This can lead not only to management headaches, says ESG, but also to “vulnerabilities and potential system compromises.”

About one year ago we released the initial version of MVISION Insights posture scoring —focused on endpoint assessments. A security score was assigned based on your preparedness to thwart looming threats and the configuration of your McAfee endpoint security products. It enabled predictive assessments based on security posture aligned to campaign-specific threat intelligence.

Customers are tired of piecing together siloed security and demand a unified security approach reflected in our MVISION XDR powered by MVISION Insights. We expanded the scoring capability to also assess cloud defenses, including your countermeasures and controls. Derived from MVISION Cloud Security Advisor, the cloud security posture is weighted average of visibility and control for IaaS, SaaS,and shadow IT. There is an option to easily pivot to MVISION Cloud Security Advisor.  The Unified Security posture score is weighted average of the endpoint and cloud security posture score delivering a more robust and comprehensive assessment with the ability to drill down on specifics to enhance your security from device to cloud. Many endpoint wanna-be XDR vendors cannot provide this critical aggregated security assessment across vectors.

Becoming more robust is what all of us must do. When organizations face the jeopardy of “Ransomware-as-a-Service” payments that may scale up to $2 million, understanding how best to manage your security posture is no longer simply a nice to have, it’s become an operational imperative.

Click here to learn more about Security Posture Scoring from a few practitioners in our LinkedIn Live session.

The post Testing to Ensure Your Security Posture Never Slouches appeared first on McAfee Blogs.

McAfee Named a 2021 Gartner Peer Insights Customers’ Choice for SWG Tue, 15 Jun 2021 15:00:15 +0000 /blogs/?p=123190

The McAfee team is very proud to announce that, for the third year in a row, McAfee was named a...

The post McAfee Named a 2021 Gartner Peer Insights Customers’ Choice for SWG appeared first on McAfee Blogs.


The McAfee team is very proud to announce that, for the third year in a row, McAfee was named a 2021 Gartner Peer Insights Customers’ Choice for Secure Web Gateways for its Web Solution.

In its announcement, Gartner explains, “The Gartner Peer Insights Customers’ Choice is a recognition of vendors in this market by verified end-user professionals, taking into account both the number of reviews and the overall user ratings.” To ensure fair evaluation, Gartner applies rigorous methodology for recognizing vendors with a high customer satisfaction rate.

For the distinction, a vendor needs at least 20+ Reviews from Customers with over $50M Annual Review in 18-month timeframe, above Market Average Overall Rating, and above Market Average User Interest and Adoption.

About Gartner Peer Insights and “Voice of the Customer” report:

Gartner Peer Insights is a peer review and ratings platform designed for enterprise software and services decision makers. Reviews are organized by products in markets that are defined by Gartner Research in Magic Quadrant and Market Guide documents.

The “Voice of the Customer” is a document that applies a methodology to aggregated Gartner Peer Insights’ reviews in a market to provide an overall perspective for IT decision makers. This aggregated peer perspective, along with the individual detailed reviews, is complementary to expert-generated research such as Magic Quadrants and Market Guides. It can play a key role in your buying process, as it focuses on direct peer experiences of buying, implementing and operating a solution. A complimentary copy of the Peer Insights ‘Voice of the Customer’ report is available on the McAfee Web site.

Here are some quotes from customers that contributed to this distinction:

“We were using an on-prem web gateway and we have been migrated to UCE recently due to the pandemic situations. It gives us the flexibility to manage our Web GW as a SaaS solution. The solution also provides us bunch of rulesets for our daily usage needs.” CIO in the Manufacturing Industry [Link here]

“McAfee Secure web gateway provides the optimum security required for the employees of the Bank surfing the Internet. It also provides the Hybrid capabilities which allows to deploy same policies regardless of the physical location of the endpoint.”       [Link here]

MVISION Unified Cloud Edge was specifically designed to enable our customers to make a secure cloud transformation by bringing the capabilities of our highly successful Secure Web Gateway appliance solution to the cloud as part of a unified cloud offering. This way, users from any location or device can access the web and the cloud in a fast and secure manner.

“The McAfee Web Gateway integrated well with existing CASB and DLP solutions. It has been very effective at preventing users from going to malware sites. The professional services we purchased for implementation was the best we’ve ever had from any vendor of any IT security product.” Senior Cybersecurity Professional in the Healthcare Industry   [Link here]

McAfee’s Next-Gen Secure Web Gateway technology features tight integration with our CASB and DLP solutions through a converged management interface, which provides unified policies that deliver unprecedented cloud control while reducing cost and complexity. By integrating our SWG, CASB, DLP, and RBI solutions, MVISION Unified Cloud Edge provides a complete SASE security platform that delivers unparalleled data and threat protection.

“We benchmarked against another very well known gateway and there was no comparison. The other gateway only caught a small fraction of what MWG caught when filtering for potentially harmful sites.” Information Security Officer in the Finance Industry   [Link here]

As the threat landscape continues to evolve, it’s important for organizations to have a platform that is integrated and seamless. That’s why McAfee provides integrated multi-layer security including global threat intelligence, machine learning, sandboxing, UEBA, and Remote Browser Isolation to block known threats and detect the most elusive attacks.

To learn more about this distinction, or to read the reviews written about our products by the IT professionals who use them, please visit Gartner Peer Insights’ Customers’ Choice announcement for Web. To all of our customers who submitted reviews, thank you! These reviews mold our products and our customer journey, and we look forward to building on the experience that earned us this distinction!

June 2021 Gartner Peer Insights ‘Voice of the Customer’: Secure Web Gateways

McAfee is named a Customers’ Choice in the June 2021 Gartner Peer Insights “Voice of the Customer”: Secure Web Gateways.

Download Now


The post McAfee Named a 2021 Gartner Peer Insights Customers’ Choice for SWG appeared first on McAfee Blogs.

McAfee a Leader in The Forrester Wave™ Unstructured Data Security Platforms Mon, 14 Jun 2021 15:00:43 +0000 /blogs/?p=123163

The mass migration of employees working from home in the last 14 months has accelerated the digital transformation of businesses. ...

The post McAfee a Leader in The Forrester Wave™ Unstructured Data Security Platforms appeared first on McAfee Blogs.


The mass migration of employees working from home in the last 14 months has accelerated the digital transformation of businesses.  Cloud applications are no longer a “nice to have,” they are now essential to ensure that businesses survive.  This introduces new security challenges in being able to locate and control sensitive data across all the potential exfiltration vectors regardless of whether they are in the cloud; on premise via managed or unmanaged machines.  Attempting to control these vectors through multiple products results in unnecessary cost and complexity.

McAfee anticipated and responded to this trend, solving all these challenges through the launch of our MVISION Unified Cloud Edge solution in 2020. Unified Cloud Edge doesn’t simply offer data protections controls for endpoints, networks, web and the cloud; rather, Multi-Vector Data Protection provides customers with unified data classification and incident management that enables them to define data workflows once and have policies enforced consistently across each vector. Because of the unified approach and our extensive data protection heritage, we are delighted to be named a Leader in The Forrester Wave™: Unstructured Data Security Platforms, Q2 2021. In our opinion, we were the top ranked dedicated cyber security vendor within the report.

We received the highest possible score in nine criteria with Forrester Research commenting on our “cloud-first data security approachand customer recognition of our “breadth of capabilities (in particular for supporting remote work and cloud use)”.

We continue to innovate within our  Unified Cloud Edge solution through the introduction of remote browser isolation to protect against risky web sites (our “heavy focus in supporting security and data protection in the cloud), which uniquely to the market allows us to continue applying DLP controls even during isolated sessions. Delivering on increased customer value through innovation isn’t just limited to new features, for instance we continue to drive down costs through an unlimited SaaS application bundle.

Click below to read the full report.

The Forrester Wave™: Unstructured Data Security Platforms, Q2 2021

McAfee is delighted to be named a Leader in The Forrester Wave™ Unstructured Data Security Platforms, Q2 2021 report. We received the highest possible score in nine criteria with Forrester Research

Download Now


The Forrester Wave™: Unstructured Data Security Platforms, Q2 2021, 17 May 2021, Heidi Shey with Amy DeMartine, Shannon Fish, Peggy Dostie

The post McAfee a Leader in The Forrester Wave™ Unstructured Data Security Platforms appeared first on McAfee Blogs.

Finding Success at Each Stage of Your Threat Intelligence Journey Mon, 14 Jun 2021 15:00:05 +0000 /blogs/?p=123157

Every week it seems there’s another enormous breach in the media spotlight. The attackers may be state-sponsored groups with extensive...

The post Finding Success at Each Stage of Your Threat Intelligence Journey appeared first on McAfee Blogs.


Every week it seems there’s another enormous breach in the media spotlight. The attackers may be state-sponsored groups with extensive resources launching novel forms of ransomware. Where does your organization stand on its readiness and engagement versus this type of advanced persistent threat? More importantly, where does it want to go?

We believe that the way your organization uses threat intelligence is a significant difference maker in the success of your cybersecurity program. Just as organizations take the journey toward cyber defense excellence at their own rate of speed, some prioritize other investments ahead of threat intelligence, which may impede their progress. Actionable insights aren’t solely about speed, though fast-emerging threats require prompt intervention, they’re also about gaining quality and thoroughness. And that’s table stakes for advancing in your threat intelligence journey.

What is a Threat Intelligence program?

A Threat Intelligence program typically spans five organizational needs:

  • Plan — prepare by identifying the threats that might affect you
  • Collect — gather threat data from multiple feeds or reporting services
  • Process — ingest the data and organize it in a repository
  • Analyze — determine exposure and correlate intelligence with countermeasure capability
  • Disseminate — share the results and adjust your security defenses accordingly

When you disseminate a threat insight, it triggers different responses from various members of your security team. An endpoint administrator will want to automatically invoke counter-measures and security controls to block a threat immediately. A SOC analyst may take actions including looking for signs of a breach and also recommend ways to stiffen your defense posture.

Better threat intelligence provides you with more contextual information — that’s the key. How will this information help your company, in your particular industry, in your region of the world?

The Threat Intelligence journey comes in stages. Where is your program now?

Stage 1: Improving and adapting your protection

Within this stage most companies want to prevent the latest threats at their endpoint, network and cloud controls. They mostly depend on their security vendors to research and keep products up to date with the latest threat intelligence. However, in this stage companies also receive intelligence from other sources, including government, commercial and their own cyber defense investigations, and can use the extra intelligence to further update controls.

Stage 2: Improving the SOC and responding faster

At this stage, organizations advance beyond vendor-provided intelligence and adapt their protection by adding indicators from third-party threat feeds or from other organizational SOC processes such as malware analysis.

Within this stage, companies want to do more than prevent known threats with their tools. They want to understand the adversaries who might target them, improve detection and respond faster by prioritizing investigations.

Stage 3: Improving the Threat Intelligence program

Organizations with this goal know that their industry faces targeted threats every day and they have already invested significantly in their threat intelligence capability. At this stage they most likely have a team utilizing commercial and open-source tools as well as threat data feeds. They’re looking for specialized analysis services and access to raw data.

These organizations can proactively assess their exposure and determine how to reduce the attack surface. They apply threat intelligence to empower their threat hunting, either on a proactive or reactive basis.

Enter new actionable insights, next steps

Until recently it was difficult for security managers to know not just whether their organization has been exposed to a particular threat but whether they have a good level of protection against specific campaigns.

McAfee MVISION Insights is helpful at each stage of your threat intelligence journey because it proactively assesses your organization’s exposure to global threats, integrating with your telemetry, and prescribes how to reduce attack services before the attack occurs.  For stage one, organizations can proactively assess their exposure and determine how to reduce the attack surface. For stage two and three, organizations can apply threat intelligence to empower their threat hunting and analysis, either on a proactive or reactive basis.


MVISION Insights Dashboard

One way we help is by integrating data from both McAfee Threat Intelligence feeds such as our Global Threat Intelligence and Advanced Threat Defense, and also third-party services via MVISION APIs. While McAfee Global Threat Intelligence is one of the world’s largest sources of this information, with more than 1 billion global threat sensors in 120+ countries, and 54 billion queries each day, the key thing to know is that we have 500 plus McAfee researchers providing this form of threat intelligence as a service.  The idea is to help you elevate your threat intelligence at each step of your organization’s journey.


Check out the latest threats from a Preview of MVISION Insights.




The post Finding Success at Each Stage of Your Threat Intelligence Journey appeared first on McAfee Blogs.

The Executive Order – Improving the Nation’s Cyber Security Fri, 11 Jun 2021 19:00:50 +0000 /blogs/?p=123205

On May 12, the President signed the executive order (EO) on Improving the Nation’s Cybersecurity. As with every executive order,...

The post The Executive Order – Improving the Nation’s Cyber Security appeared first on McAfee Blogs.


On May 12, the President signed the executive order (EO) on Improving the Nation’s Cybersecurity. As with every executive order, it establishes timelines for compliance and specific requirements of executive branch agencies to provide specific plans to meet the stated objectives.

It is clear from the EO that the Executive Office of the President is putting significant emphasis on cyber threat intelligence and how it will help government agencies make better decisions about responding to cyber threats and incidents.  The EO also focuses on how federal agencies will govern resource access through Zero Trust and how to comprehensively define and protect hybrid service architectures.  These are critical aspects as government agencies are moving more and more mission-critical applications and services to the cloud.

The call to action in this executive order is long overdue, as modernizing the nation’s cybersecurity approach and creating coordinated intelligence and incident response capabilities should have occurred years ago. Requiring that agencies recognize the shift in the perimeter and start tearing down silos between cloud services and physical data center services is going serve to improve visibility and understanding of how departments and sub-agencies are being targeted by adversaries.

I am sure government leaders have started to review their current capability along with their strategic initiatives to ensure they map to the new EO requirements.  Where gaps are identified, agencies will need to update their plans and rethink their approach to align with the new framework and defined capabilities such as endpoint detection and response (EDR) and Zero Trust.

While the objectives outlined are critical, I do believe that agencies need to take appropriate cautions when deciding their paths to compliance. The goal of this executive order is not to add additional complexity to an already complex security organization. Rather, the goal should be to simplify and automate wherever possible. If the right approach is not decided on early, the risk is very real of adding too much complexity in pursuit of compliance, thus eroding the desired outcomes.

On the surface, it would seem that the areas of improvement outlined in the EO can be taken individually – applied threat intelligence, EDR, Zero Trust, data protection, and cloud services adoption. In reality, they should be viewed collectively. When considering solutions and architectures, agency leaders should be asking themselves some critical questions:

  1. How does my enterprise derive specific context from threat intelligence to drive proactive and predictive responses?
  2. How can my enterprise distribute locally generated threat intelligence to automatically protect my assets in a convict once, inoculate many model?
  3. How does threat intelligence drive coordinated incident response through EDR?
  4. How do threat intelligence and EDR capabilities enable informed trust in a Zero Trust architecture?
  5. How do we build upon existing log collection and SIEM capabilities to extend detection and response platforms beyond the endpoint?
  6. How do we build a resilient, multi-layered Zero Trust architecture without over complicating our enterprise security plan?

The executive order presents a great opportunity for government to evolve their cybersecurity approach to defend against modern threats and enable a more aggressive transition to the cloud and cloud services. There is also significant risk, as the urgency expressed in the EO could lead to hasty decisions that create more challenges than they solve.  To capitalize on the opportunity presented in this executive order, federal leaders must embrace a holistic approach to cybersecurity that integrates all the solutions into a platform approach including robust threat intelligence.  A standalone Zero Trust or EDR product will not accomplish an improved or modernized cybersecurity approach and could lead to more complexity.  A well-thought-out platform, not individual products, will best serve public sector organizations, giving them a clear architecture that will protect and enable our government’s future.



The post The Executive Order – Improving the Nation’s Cyber Security appeared first on McAfee Blogs.

Why May 2021 Represents a New Chapter in the “Book of Cybersecurity Secrets” Thu, 27 May 2021 18:27:17 +0000 /blogs/?p=122548 Was ist ein Trojaner?

May 2021 has been an extraordinary month in the cybersecurity world, with the DoD releasing its DoD Zero Trust Reference...

The post Why May 2021 Represents a New Chapter in the “Book of Cybersecurity Secrets” appeared first on McAfee Blogs.

Was ist ein Trojaner?

May 2021 has been an extraordinary month in the cybersecurity world, with the DoD releasing its DoD Zero Trust Reference Architecture (DoDZTRA), the Colonial Pipeline being hit with a ransomware attack, and the White House releasing its Executive Order on Improving the Nation’s Cybersecurity (EO). Add to that several major vendors that our government depends on for its critical operations disclosing critical vulnerabilities that could potentially expose our nation’s critical infrastructure to even more risk, ranging from compromised email and cloud infrastructures to very sophisticated supply chain attacks like the SolarWinds hack, which could have started as early as 2019.

If the situation sounds ominous, it is. The words and guidance outlined in the DoDZTRA and EO must be followed up with a clear path to action and all the stakeholders, both public and private, are not held accountable for progress. This should not be another roll-up reporting exercise, time to study the situation, or end up in analysis paralysis thinking about the problem. Our adversaries move at speeds we never anticipated by leveraging automation, artificial intelligence, machine learning, social engineering, and more vectors against us. It’s time for us to catch up and just very possibly think differently to get ahead.

There is no way around it: This time our nation must invest in protecting our way of life today and for future generations.

The collective “we” observed what happened when ransomware hit a portion of the nation’s critical infrastructure at Colonial Pipeline. If the extortion wasn’t bad enough, the panic buying of gasoline and even groceries in many of Eastern U.S. states impacted thousands of people seemingly overnight, with help from social and traditional media. It’s too early to predict what the exact financial and social impacts may have been on this attack. I suspect the $4.4M ransom paid was very small in the greater scheme of the event.

May 2021 has provided a wake-up call for public-private cooperation like we’ve never seen before. Perhaps we need to rethink cybersecurity altogether. During his keynote remarks at the recent RSA Conference, McAfee CTO Steve Grobman talked about how “as humans, we are awful at perceiving risk.” Influenced by media, anecdotal data, and evolutionary biology, we let irrational fears drive decision-making, which leads humans to misperceive actual risks and sub-optimize risk reduction in both the physical and cyber world. To combat these tendencies, Steve encourages us to “be aware of our biases and embrace data and science-based approaches to assess and mitigate risk.”

Enter Zero Trust Cybersecurity, which is an architectural approach – not a single vendor product or solution. The DoDZTRA takes a broader view of Zero Trust than the very narrow access control focus, saying it is “a cybersecurity strategy and framework that embeds security throughout the architecture to prevent malicious personas from accessing our most critical assets.” And our most critical assets are data.

NSA also recently weighed in on Zero Trust, recommending that an organization invest in identifying its critical data, assets, applications, and services. The NSA guidance goes on to suggest placing additional focus on architecting from the inside out; ensuring all paths to data, assets, applications, and services are secure; determining who needs access; creating control policies; and finally, inspecting and logging all traffic before reacting.

These practices require full visibility into all activity across all layers — from endpoints to the network (which includes cloud) — to enable analytics that can detect suspicious activity. The ability to have early or advanced warnings of global and local threat campaigns, indicators of compromise, and the capability to deliver proactive countermeasures is a must-have as part of an organization’s defensive strategies.

The Zero Trust guidance from both DoD and NSA is worth following. It’s also worth reprising the concept of defense in depth – the cybersecurity strategy of leveraging multiple security mechanisms to protect an organization’s assets. Relying on a single vendor for all an organization’s IT and security needs makes it much easier for the adversary.

If you believe in a good conspiracy theory, the month of May 2021 could provide great material for a made-for-TV movie. Earlier I mentioned that the collective “we” needs to be held accountable. Part of that accountability is defining success metrics as we take on a new path to real cybersecurity.



The post Why May 2021 Represents a New Chapter in the “Book of Cybersecurity Secrets” appeared first on McAfee Blogs.

Happy Birthday GDPR! Thu, 27 May 2021 15:56:26 +0000 /blogs/?p=122539

Believe it or not, the baby turns 3 today! And like with every three-year-old, there is a lot to watch...

The post Happy Birthday GDPR! appeared first on McAfee Blogs.


Believe it or not, the baby turns 3 today! And like with every three-year-old, there is a lot to watch out for.

Granted, when GDPR was born it was after a 2-year gestation (transition) period. What followed were many sleepless nights with the new baby when it was born on May 25, 2018; not to mention the sleepless nights in the run up to the birth. Some parents (organisations) were running around frantically trying to figure out what the heck was going on, few parents were over-prepared and some, well, some were coasting. We then hit the Terrible (Schrems) Two’s when tantrums prevailed (i.e. Privacy Shield held invalid) and we cut our first teeth (the first fines). And so, we find ourselves raising this rowdy toddler, who will no doubt create more life-altering changes when it hits teenage years! There is certainly more to follow…

All jokes aside, the privacy space has seen a lot of changes (ups and downs) in these last three years:

  • Invalidation of Privacy Shield
  • Brexit
  • first fines and decisions against organisations that fail to comply
  • new laws in other territories mirroring the obligations under GDPR

And it will continue to be interesting to work in this space:

  • Will there be a Privacy Shield 2.0?
  • What will the new Standard Contractual Clauses look like?
  • How will Facebook react to the Irish High Court decision to block the transfer of data to the US?
  • What will be the impact for other controllers and processors in the wake of the Irish decision to block Facebook’s transfers to the US?
  • What will the Biden administration do in terms of a federal privacy law in the US?
  • Will we see more adequacy decisions?
  • What kind of certifications will be created and adopted for use?
  • How will the first codes of conduct shape data processing and international data transfers (in particular)?

And so, as this toddler finds its feet in the world, there is only one thing we can do to wish it along: sing together “Happy Birthday, GDPR!!!”

The post Happy Birthday GDPR! appeared first on McAfee Blogs.

Cyber Cyber, Burning Bright: Can XDR Frame Thy Fearful Asymmetry? Wed, 26 May 2021 15:03:10 +0000 /blogs/?p=122485

The security industry is engulfed in the most asymmetric cyberwarfare we have ever seen. The outcome of an Attacker’s mission...

The post Cyber Cyber, Burning Bright: Can XDR Frame Thy Fearful Asymmetry? appeared first on McAfee Blogs.


The security industry is engulfed in the most asymmetric cyberwarfare we have ever seen.

The outcome of an Attacker’s mission may depend entirely upon a single misplaced charge on a single memory chip on a single server, perhaps the difference between a vulnerable and secure setting in a registry key, and the difference between success and failure to gain access to infrastructure, information, and identities (I3) to subsequently wreak havoc, disable critical operations or infrastructure, and put lives at risk.

The outcome of a Defender’s day depends entirely upon how well they secure trillions of charges across chips, computers, containers, clouds, and even cars against potentially thousands of simultaneous Attackers running millions of attacks, each scouring the Defender’s kingdom for the crown jewels of control and information.

This ridiculously uneven war between Attacker and Defender has been a well-known challenge in cybersecurity for some time, and a few fear-inducing statistics always find their way into the first few slides of PowerPoint presentations.  However, this asymmetric dynamic remains perhaps the single most fundamental truth that should guide us to innovate and to design solutions to give our Defenders better outcomes every day.  From this lens, first, we must discuss how to shape and prioritize the protection, detection, and response capabilities with which we will arm Defenders.

Tyger, ‘Tis But a Flesh Wound: The Defender’s Déjà Vu

We must face some harsh and humbling truths that history has taught us about our asymmetric war:

A. Better incident response (IR) programs and better IR training will not solve this problem. Best practices and tool upgrades will win a few battles for the Defender.  Still, research suggests a full investment in SOAR and other automation tools will at most reduce costs by roughly 60% for leaders over laggards, all while the cost of breaches continues to rise across all organizations.  Investment in IR programs is unquestionably justified from a financial perspective, but that investment is equivalent to sharpening our spears around the campfire while waiting for the tigers to pounce in the long view of the asymmetric war.

B. Continued entrepreneurship and innovation in novel but transient security controls and frameworks will not solve this problem. Simson Garfinkel, currently Senior Data Scientist at the U.S. Department of Homeland Security, spoke of “The Cybersecurity Mess” and how “cybersecurity is a wicked problem that can’t be solved” almost a decade ago, which was arguably a much simpler and more manageable time for Defenders.  Gartner’s Hype Cycle is an excellent value-lifecycle tracker for categories of inventions, and few categories have a faster ride on the Hype Cycle rollercoaster than cybersecurity.  At best, security controls rapidly transition from revolutionary standalone products to line-item features on a data sheet as Attackers adapt to and overcome their main value proposition.  Perhaps the next ten tigers are caught in camouflaged traps, but we soon notice that they have adapted to avoid them and even set their own.

So, do we accept our fate and ultimate defeat of the Defender at the hands of the Attackers?  Or is there a Mars Shot initiative that could dwarf anything we have accomplished in the past, bringing symmetry to the war and erasing millions of person-years of Attacker experience and superiority in a flash?  And what the heck does this have to do with eXtended Detection and Response (XDR)?

Go and The Great Equalizer: Cybersecurity and Not-your-everyday AI

Almost 25 years ago, IBM’s Deep Blue overcame 1500 years of cumulative chess knowledge to defeat Garry Kasparov.  Five years ago, Google DeepMind’s AlphaGo destroyed over 3000 years of accumulated techniques and strategy to supplant Lee Sedol as the greatest go player ever.  Shortly after, Google’s next-gen AlphaZero rendered its own AlphaGo mentor obsolete, having learned chess and go without any human interaction.  It seems unfathomable that human beings will even attempt to win these titles back, and we have deep reinforcement learning (Deep RL) to thank.

We have the same massively disruptive opportunity to give hope to the Defender by looking to embed self-learning automated AI systems into our prevention, detection, and response controls, as outlined by the MIT Technology Review discussing security uses for AIOps.  Less a point on the Gartner Hype Cycle, and more an entirely new dimension of innovation, this cybersecurity AI system, like all AI systems, requires two major components to feed its hunger to learn: (a) large amounts of data related to the inputs and outputs of the I3 systems across the attack surface, and (b) reliable feedback mechanisms and workflows to train the algorithms.  The precursors of these needs map readily to (a) the well-established SIEM and Security Analytics markets and (b) the newer EDR and emerging XDR markets.


Source: Sutton, R.S., Barto, A.G. (2015).  Reinforcement Learning: An Introduction, pp. 54.

EDR and Security Analytics: The Starter Fluid for This Promethean Fire

Allie Mellen, an analyst with Forrester Research who covers SecOps, has already written an excellent research report succinctly describing key strengths and weaknesses of these markets and the dynamics likely to unfold in the near term:

A. A convergence of critical technologies and capabilities from the SIEM, SOAR, and XDR markets is inevitable; and,

B. EDR and EDR platforms are the natural evolutionary precursors to XDR, given that endpoints have become pivotal nodes in attack chains.

EDR technology on computers, notebooks, and phones has proven to give us the most detailed and robust knowledge about end-user behavior and risk.  EDR provides a natural data-rich progression to XDR on the Gartner 2020 Hype Cycle for Endpoint Security as the “next tech up” to provide meaningful and prescriptive training feedback to emerging AI platforms (e.g., IR Analyst A carried out Steps X, Y, and Z across Controls 1, 2 and 3 to negate Threat A).  Through research such as Google’s multi-task machine learning exercise and Zhamak Dehghani’s groundbreaking rethinking of data architectures, we have also come to understand that future I3 datasets for AI consumption will likely reside in globally distributed data meshes and not monstrous and monolithic data lakes.  The evolution from SIEM to Security Analytics and from EDR to XDR offer the preliminary steps to bring us to a fully integrated “DeepSecOps” platform that has the potential to turn the Attacker-Defender asymmetry on its head.  For this blog, let’s define DeepSecOps as a platform or system that seamlessly and automatically integrates the components and processes described in the diagram above (and potentially more), with self-fueled learning and effective automated response as the fundamental goals.

There also exists a more foreboding reason to invest in XDR as a precursor to DeepSecOps.  Tomorrow’s Attacker is honing their craft today: They will casually launch thousands of containers across a hybrid multi-cloud infrastructure designed to morph into multiple target infrastructure profiles with various off-the-shelf security controls already in place, and then unleash thousands of simulated attacks while their own Deep RL engine watches and measures its success.

To the Defender: Find Allies who are Building Towards that Winnable Future

Defenders should look to cybersecurity partners who offer them a clear path to build the foundation for a DeepSecOps future.  What does this look like today?  Some key considerations:

  • Prioritize working with a security vendor who has a strong foundation in EDR that will inform them as to the best approach to XDR and AI/ML guidance,
  • Ensure that your security vendor has experience providing Security Analytics solutions that integrate into their portfolio and with other vendors and partners to maximize I3 data collection,
  • Consider security vendors who prioritize the integration of third-party APIs and components into a shared ecosystem to increase the amount and types of data available to the DeepSecOps system,
  • At the same time, ensure that your security vendor supports enough organic security controls on their platform to train AI systems on the best path forward without relying on partners (i.e., a native-capable XDR vendor that still encourages hybridization per Mellen’s article). These technologies could include CASB, DLP, SWG, and more, both as raw data sources and as controls upon which to train outcomes.  Ideally, the vendor should have native visibility end-to-end, from end user to cloud, from app user to app coder,
  • Ensure your security vendor has a platform, strategy, and roadmap well-suited to delivering a data mesh architecture,
  • Look for opportunities to work with vendors who already leverage AI/ML to preemptively reduce attack surfaces and provide guided investigations that indicate early adoption of DeepSecOps principles and architectures.

Make these considerations the tactical precursors to unleashing the DeepSecOps technology that will reframe and contain the Attacker-Defender asymmetry.

On what wings dare [they] aspire?

What the hand, dare seize the fire?

Capture that Promethean Fire with MVISION XDR

Whether you are building a SOC function with limited resources or maturing a well-established SOC, McAfee is here to help you simplify and strengthen your security operations with MVISION XDR.  With MVISION XDR, you can proactively identify, investigate and mitigate threat actors targeting your organization before they can gain a foothold in the network.  By combining the latest machine-learning techniques with human analysis, XDR connects and amplifies the early warning signals from your sensors at the network, endpoint, and cloud to improve situational awareness, drive better and faster decisions, and elevate your SOC.

To learn more about what MVISION XDR can do for you watch the video below.


* With apologies to William Blake for dragging his brilliant metaphor into the world of cybersecurity and with a nod to that early Wolverine comic.


The post Cyber Cyber, Burning Bright: Can XDR Frame Thy Fearful Asymmetry? appeared first on McAfee Blogs.

Alert Actionability In Plain English From a Practitioner Tue, 25 May 2021 15:00:09 +0000 /blogs/?p=122314

In response to the latest MITRE Engenuity ATT&CK® Evaluation 3, McAfee noted five capabilities that are must-haves for Sec Ops and displayed in the evaluation.  This blog will speak to the alert actionability capability which...

The post Alert Actionability In Plain English From a Practitioner appeared first on McAfee Blogs.


In response to the latest MITRE Engenuity ATT&CK® Evaluation 3McAfee noted five capabilities that are must-haves for Sec Ops and displayed in the evaluation.  This blog will speak to the alert actionability capability which is essential. This critical ability to react in the fastest possible way, as early as possible on the attack chain, while correlating, aggregating and summarizing all subsequent activity while reducing alert fatigue to allow Sec Ops touphold efficient actionability. 

 As a Sec Ops practitioner and former analyst, I can remember the days of painstakingly sifting through countless alerts to determine if any of them could be classified as an incident. It was up to me to decide if the alert were a false positive, false alarm, or something the business should take more seriously… was it something we should wake someone up in the middle of the night over? 

It’s been years since I sat on the front line, triaging the results of millions of dollars in investments installed on 100’s of 1000’s of systems worldwide. Thank goodness, times have changed. But the concept of “Alert Actionability” is still a very real aspect of SOC tooling, and it seeks to address 3 primary factors:  trustworthiness, detail, and reaction capabilities. 


When I say “trustworthiness” I’m referring to a quality of fidelity that has two equal, yet opposing, faces of efficacy: false positives and false negatives. Now, it would be very easy for a SOC solution provider to claim that its product offers 100% visibility if it creates an alert for every process activity and artifact recorded. Sure, its coverage is present, but how actionable is the needle in a stack of needle? As a result, the vendor is likely pressured to fine tune it’s alerting and as such introduces the risk of false negatives, or actual malicious events which go undetected. In the zeal of appealing to useability requirements the false positive curve decreases but the false negative volumes have no choice but to rise. 

Resulting in a graph like this: 

The secret sauce in the vendor’s capabilities lies in its capacity to push the intersection of these as far right as possible: minimize the false positives and maximize true positives while simultaneously attempting to bring false negatives down to zeroThe better a vendor’s product can perform these non-trivial goals, the more likely it is to win your trust as a solution! And the more likely you are to trust the results you see on the dashboard.  

Endpoint Detection and Response (EDR) tools have a unique property in which they offer both telemetry and alerting. This implies that there are two goals for EDR platforms: to include event level (telemetry) visibility with automated detection and to provide alerting capabilities for triggering action and triage. With telemetry, the concept of “falsing” is negated because it’s used in a post-facto context. After the alert is constructed, the telemetry can be correlated with the alert logic to provide supporting details. Simply, for EDR telemetry, the more the better. 


As an analyst, I remember how much I loved putting together the pieces to tell a story. Extracting key artifacts from several disparate data sources and correlating hypothesis allowed me to present a compelling case as to the conclusion of the alert’s disposition. And I knew that I needed as much detail as possible to make my case; this is just as true today. The detail needs to be easily accessible, and it’s even better when the platform provides the detail proactively. In cases where such supporting evidence may not be possible in the alerting, an analyst’s expectation is that the platform makes hunting for those details easy; I’d even venture to say, “a delight.”  

Reaction Capabilities 

Many EDR platforms on the market offer reaction capabilities to address the “Response” moniker of the acronym. How flexible those response capabilities are in the platform provides a domain of options to act in response to the alert. For example, its rather evident that once an alert is convicted, the analyst may want to block the process, or remove a file from disk. But these reactions imply that the conviction is monolithic in that the analyst is absolutely sure of her conclusion. What if the conclusion is that we simply need more data? Having a robust reaction library that allows for further investigation with routines like sending a sample to a running sandbox, interacting with a given endpoint to act as an administrator, view system logs, or check the history of network connections all empower the analyst with further investigatory options. But why stop there? Having any fixed set of reactions would be presumptive. Instead, EDR products with a dynamic library and flexible, customizable, and modular reaction platform is key as every single SOC I’ve ever worked with has unique Incident Management and Standard Operating Procedures. 

What’s Next? 

MITRE ENGINUITY™ released results for its 3rd round of ATT&CK® Evaluations in April 2021. The industry is certainly fortunate to receive such 3rd party efficacy testing in the EDR market completely free to consumers. It is incredibly important to add that the ATT&CK Evaluations should be used as a single component of your EDR evaluation program. Efficacy helps determine how fit-for-purpose the product is by answering questions like, “Will it detect a threat when I need it to?” or “Can I find what I need, when I need it?”. But practitioners realize there are also pivotal points that need to be addressed around manageability. Understanding that not alerting on everything is just as important as alerting on the right things. And giving you a plethora of alerting response capabilities helps complete the alert investigation and response actions. McAfee’s MVISION EDR embraces all of these key alert actionability factors and will help displace the manual efforts in your analytics processes. McAfee’s MVISION EDR (soon to evolve to MVISION Extended Detection & Response (XDR)provided insight through detail and reduced alert fatigue during the evaluation providing context and enrichment, resulting in a ratio of 62% analytic detections (non-telemetry detections) out of the 274-total detections. 

Check out other McAfee discussion on MITRE (see resources tab.) 




The post Alert Actionability In Plain English From a Practitioner appeared first on McAfee Blogs.

Data Localisation – The Magic Bullet? Thu, 20 May 2021 15:00:14 +0000 /blogs/?p=122116

In the wake of the Schrems II decision[1], and even more in the light of Friday’s Facebook ruling[2], the question...

The post Data Localisation – The Magic Bullet? appeared first on McAfee Blogs.


In the wake of the Schrems II decision[1], and even more in the light of Friday’s Facebook ruling[2], the question on everyone’s mind is how to truly protect personal data from the prying eyes of national security agencies around the world. Despite detailed guidelines[3] issued in November 2020, in the absence of new definitive guidelines for transferring data across European borders[4], many are starting to wonder whether data localisation is the magic bullet to protect personal data.

The terms ‘data sovereignty’, ‘data residency’ and ‘data localization’ are a source of confusion for most people. They are effectively three degrees of a single concept: how data privacy impacts cross-border data flows. This subject has become increasingly important following the Schrems II decision and its requirement that organizations when processing personal data must ensure their privacy is not put at risk and subject to governmental surveillance when shared across borders.

Data residency refers to the country where an organisation specifies that its data is stored, usually for regulatory or policy reasons. A common data residency requirement example is for tax purposes: to prove an organisation conducts a greater portion of its business in a given country, it will put in place an infrastructure that requires a strict data management in order to protect its taxation rights.

Data sovereignty differs from data residency in that not only is the data stored in a designated location, but it is also subject to the laws of the country in which it is physically stored. This difference is crucial, as there will be different privacy and security requirements depending on where the data centres physically sit. From a legal perspective, the difference is important because a government’s data access rights vary from country to country.

Data localisation is the most stringent concept of the three, which is the reason why it is often referred to as “hard data localisation”. It requires that data created within certain borders stay within them and is almost always applied to the creation and storage of personal data, without exception. A good example is Russia’s On Personal Data Law (OPD-Law), which requires the storage, update and retrieval of data on its citizens to be limited to data center resources within the Russian Federation.

In the post-Schrems II world, some organisations have taken the view that the GDPR requires hard data localisation. The question is then whether such practices are realistic, and whether they offer similar privacy protection to that of the GDPR.

What are the implications of hard data localisation?

Data localisation runs counter to the principles of cloud computing (and the internet) – allowing the free flow of data for the greatest use. It is also potentially contrary to the principles of free movement of data under EU law[5]. The Internet is global and beyond the Internet, most companies operate in an integrated global environment, bearing in mind that “remote access by an entity from a third country to data located in the EEA is also considered a transfer.”[6].

The cost of operating a localised service must also be factored in, including support, engineering (e.g. development, debugging and maintenance), and backup (e.g. redundancy) costs. So, whilst the creation of local infrastructure may in the short-term imply jobs for local economies, the reality is that given there are often fully automated, the jobs and investment dividend may be short-lived.

Data localisation is also often touted as a mean to shield European citizen data from 3rd country government surveillance in particular US Government access under the CLOUD Act. While localisation does offer some protections (i.e. from transfer of data out of the territory), it does not automatically mean that data will be protected adequately in country. For example, data localisation does not mean that appropriate encryption standards are met, nor does it mean that there is no local surveillance – even in adequate countries[7].

You have probably heard of the Five EYES, Nine EYES, and Fourteen EYES Alliances. If not, these are all about intelligence sharing agreements. Initially, the Five Eyes Alliance arose out of the cold war era and was a pact between the United States and the UK aimed at decrypting Soviet Russian intelligence. By the late 1950s, Canada, Australia, and New Zealand also joined the Alliance. These five English-speaking countries are the Five Eyes Alliance. On top of this alliance, two other international intelligence-sharing agreements are publicly known: the Nine Eyes (Five Eyes + Denmark, France, Holland, Norway) and the Fourteen Eyes Alliances (Nine Eyes + Germany, Belgium, Italy, Sweden, Spain).

With this in mind, some companies argue, without evidence, that by doing business from a given jurisdiction, they are able to offer more adequate protection against surveillance. And without much surprise, not one country, even within the European Union, offers the same level of protection against surveillance, and the US’ surveillance activity isn’t much more extensive than other countries viewed as providing adequate protection.[8] Let’s take for instance the use of a VPN to protect privacy. Many providers argue that choosing a VPN outside the 5/9/14 Eyes countries may offer further protection.

The truth is once this very obvious statement is said, the question still remains wide open for many valid reasons. VPNs are international operations, meaning effectively, any organisation operating in a given country may be liable to that country’s law enforcement, whether by treaty, or by any other type of court orders. If a country does not have a general treaty and is not part of 5/9/14 eyes, there’s nothing stopping one country from putting political pressure on the other (sanctions, for example) to get what they want. Additionally, operating in a given country, for instance Panama, does not mean a country will refuse to cooperate with another country’s authorities, such as Canada.

There is little chance to find one country that is completely immune to data access laws in one way or the other, and nothing can stop one country from putting pressure on another one to obtain what it wants. That works for companies as well. For instance, Microsoft recently announced that it has “answered Europe’s call,”[9] but it cannot reject a request based on the CLOUD Act, and the compensation offered by Microsoft for a violation of the GDPR is not equivalent to the recourse to an available judicial remedy as requested under the Schrems II decision.

Now, once all of the above is said, it must be kept in mind that just because being anonymous is impossible, that you shouldn’t still try to protect your personal data as much as possible, or request companies to strictly comply with data minimization principles. All in all, governments would not have access to so much data if companies were not holding themselves so much data. Data minimization ends up being not only a good tool for increasing security, since attackers can’t steal what you don’t have, but also because it could potentially help people decrease the costs of data redundancy, storage, etc.

What are the implications for cybersecurity?

In 2020, the Internet Society penned a report on the implication of data localisation for cybersecurity that has much merit, and stated that “Cybersecurity may suffer as organizations are less able to store data outside borders with the aim of increasing reliability and mitigating a wide variety of risks including cyber-attacks and national disasters.”[10]

Data localization practices may harm cybersecurity services through the following facts:

  • A reduction in available information will increase the risks from cyberattacks.
  • A cost increase for implementing and maintaining state-of-the-art tools across different localization regions.
  • A reduction in redundant storage increasing data losses or network outage in the case of a hardware malfunction or natural disaster.
  • Less choice in distributed storage solutions, which assist in deploying privacy, integrity and counter-intrusion protocols on networks

This train of thought also applies to the selling of data to unsecure third parties within the same region or preventing unauthorised access to the data gained by third parties.

Some also argue that data localisation interferes with fraud prevention. For example, the inability to mirror data across several data centers can prevent the provider from seeing patterns and trends of fraud or other risks.

Data localisation may be presented by some as a magic bullet, but the complete implications are yet to be fully understood. Hence policies or commercial practices requiring forced data localisation must be thought through carefully as they can impact the free flow of data, can comprise the ability to scale platforms and services for global customers in addition to the many cybersecurity harms that may impact operational effectiveness.


Disclaimer: This blog reflects the authors’ personal opinions. Any statements, opinions, and any errors are the authors’ own and not those of McAfee. The statements in this blog do not constitute legal advice, and each company must determine for itself its obligations under all laws. Nothing herein establishes an attorney-client relationship.



[2] The EU-U.S. Data Transfer Problem Is Bigger Than Most People Realise (

[3] Recommendations 2020/1 and 2020/2 of the EDPB –

[4] European Standard Contractual Clauses, available on

[5] The European Parliament considers “the free movement of data as the Fifth Freedom in the single market after the free movement of persons, goods, services and capital” – Morrison Foerster Client Alert “New EU Regulation to Strengthen the Free Movement of Data 06 Nov 2018”


[7] For example, French surveillance laws authorises surveillance not only to combat terrorism and other criminal offences, but also to protect France’s major economic, industrial, and scientific interests.


Canada is part of the 5 Eyes but has repeatedly demonstrated its commitment to free and unrestricted internet access and has strong protections for freedom of speech and press, and the government has expressed support for net neutrality. Iran is not part of any of the know alliances. However, VPN providers are required to request government approval before providing their services, and people accessing the international internet network using VPNs without such government approval risk up to 1 year of prison time.



The post Data Localisation – The Magic Bullet? appeared first on McAfee Blogs.

Miles Wide & Feet Deep Visibility of Carbanak+FIN7 Wed, 19 May 2021 18:02:44 +0000 /blogs/?p=122215

In our last blog about defense capabilities, we outlined the five efficacy objectives of Security Operations, that are most important...

The post Miles Wide & Feet Deep Visibility of Carbanak+FIN7 appeared first on McAfee Blogs.


In our last blog about defense capabilities, we outlined the five efficacy objectives of Security Operations, that are most important for a Sec Ops; this blog will focus on Visibility.

The MITRE Engenuity ATT&CK® Evaluation (Round3) focused on the emulation of Carbanak+FIN7 adversaries known for their prolific intrusions impacting financial targets which included the banking and hospitality business sectors.  The evaluation’s testing scope lasted 4 days – 3 days were focused on detection efficacy with all products set to detect/monitor mode only, and the remaining day focused on protection mode set for blocking events.  This blog showcases the breadth and depth of our fundamental visibility capabilities across the 3 days of detection efficacy.

It is important to note that while the goal of these evaluations by MITRE Engenuity is not to rank or score products, our analysis of the results found that McAfee’s blue team was able to use MVISION EDR, complemented by McAfee’s portfolio, to obtain significant visibility, achieving:


Scenario Evaluation Scope Visibility Outcome
Scenario – Carbanak Across all 10 Major Steps (Attack Phases) 100%
Scenario – FIN7 Across all 10 Major Steps (Attack Phases) 100%

The evaluation when tracked by Sub-steps shows McAfee having 174 sub-steps with a total 87% visibility.

Going Miles-Wide

When you seek to defend enterprises, you need to assess your portfolio and ensure it can go the distance by spanning across the endpoint and its diverse context, as well as network visibility stemming from hostile activity executed on the target system. More importantly, your portfolio must closely track the adversary across kill-chain phases (miles-wide) to keep up with their up-tempo. The more phases you track, the better you will be able to orient your defenses in real-time.

Scenario 1 – Carbanak

The Carbanak emulation consisted of an attack with 10 Major Steps (Kill Chain Phases) on day one, and our portfolio provided visibility across every phase.  In these 10 phases, MITRE conducted 96 substeps to emulate the behaviors aligned to the known TTPs attributed to the Carbanak adversary.

McAfee MITRE Engenuity ATT&CK Evaluation 3 Results­

Scenario 2 – FIN7

The FIN7 emulation consisted of an attack with 10 Major Steps (Kill Chain Phases) on day two, and our portfolio provided visibility across every phase.  In these 10 phases, MITRE conducted 78  substeps to emulate the behaviors aligned to the known TTPs attributed to the FIN7 adversary.

McAfee MITRE Engenuity ATT&CK Evaluation 3 Results

Going Feet-Deep

Tracking the adversary across all phases of the attack (miles-wide) is significantly strong, but to be really effective at enterprise defense, you also need to stay deep within their operating mode, and keep up with their movement within and across your systems through different approaches (feet-deep).  At McAfee, we design our visibility sensors across defensible components to anticipate where adversaries will interact with the system, consequently tracing their activities with diverse data sources (context) that enrich our portfolio.  This not only let us track their intentions, but also discover impactful outcomes as they execute hostile actions (sub-steps).

Defensible Components and Telemetry acquired during the evaluation.

If a product is configured differently you can obtain information from each Defensible Component, but this represents telemetry acquired based on the config during the evaluation (not necessarily evidence that was accepted).

Visibility By McAfee Data Sources / Defensible Components

Scenario 1 – Carbanak

Of the 96  Sub-Steps emulating Carbanak, our visibility coverage extends from more than 10 unique data sources including the automated interception of scripted source code used in the attack by our ATD sandbox integration with the DXL fabric.

McAfee MITRE Engenuity ATT&CK Evaluation 3 Results

Scenario 2 – FIN7

Of the 78 Sub-Steps emulating FIN7, our visibility coverage extends from more than 10 unique data sources providing higher context in critical phases with Systems/Api Calls Monitoring to preserve the user’s security awareness as advanced behaviors aim for in-memory approaches conducted by the adversary.

McAfee MITRE Engenuity ATT&CK Evaluation 3 Results

Visibility By McAfee Product

Acquiring data from sensors is fundamental, however, to be effective at security outcomes, your portfolio needs to essentially spread its deep coverage of data sources to balance the security visibility blue-teamers need as the progression of the attack is tracked through each phase.

This essential capability provides the blue-teamer a balance of contextual awareness from detection technologies (EDR and SIEM), and decisive disruption of impactful behaviors from protection products (ENS, DLP, ATD, NSP) oriented to neutralize the adversary’s actions on objectives.
In every phase of the attack, McAfee protection fused with detection products would successfully neutralize the adversary and afford blue teamers rich contextual visibility for investigations needing context before and after the block would have occurred.

Scenario 1 – Carbanak

McAfee MITRE Engenuity ATT&CK Evaluation 3 Results

This chart clearly shows how ENS (in observe mode) would have prevented a successful attack, blocking the Initial Breach, protecting the customers from further damage. For the scope of the evaluation, it’s also important to remark how the products interacted by providing telemetry on each step.

Scenario 2 – FIN7

McAfee MITRE Engenuity ATT&CK Evaluation 3 Results

In the impactful kill-chain phase of “steal payment data”, the DLP product kicks into prevention, while being complemented by the ATD sandbox intercepting the payload that attempts to steal the information, as well as EDR having contextual information within the kill-chain for offline investigations the blue teamer needs.

Visibility Efficacy

Here, we covered the essentials of visibility and how to determine the power of having a strong telemetry foundation, not only as individual sensors or defensible components that provide information, but when analyzed and contextualized, we enable the next level of actionability required to prioritize cases with enriched detections.

Stay tuned for the next blog series explaining how detections were supported by this telemetry where we produced 274 detections that have more than 2 data sources.

The post Miles Wide & Feet Deep Visibility of Carbanak+FIN7 appeared first on McAfee Blogs.

Mission Possible: Hunting Down and Stopping Stealthy Attackers with MVISION XDR Tue, 18 May 2021 04:01:31 +0000 /blogs/?p=121960

Imagine, if you will, a scene straight out of one of your favorite impossible mission movies. The background music is...

The post Mission Possible: Hunting Down and Stopping Stealthy Attackers with MVISION XDR appeared first on McAfee Blogs.


Imagine, if you will, a scene straight out of one of your favorite impossible mission movies. The background music is driving a suspenseful beat while the antagonist attempts to steal the latest technology from a very favored industry competitor called Rad-X Incorporated. It’s a trade secret that will change the industry forever, and if the villain achieves her mission, she will hold the future of aviation in the palm of her hand. She’s bypassed laser motion detectors, swung from the ceiling to avoid floor placed pressure plates, and even performed some seriously intense acrobatics to slip through video surveillance mechanisms. Then, at the apex of suspense while the music ascends to a crescendo, a hard thumping release, she reaches out to grasp a microchip placed in the center of the room on a pedestal as if the room were designed only to show off its magnificence. As her fingers gently nestle against the circuit… the music stops, the alarms sound, and she walks out completely and utterly undisturbed!

All the components in this scene were meant to record and detect when an activity occurs. But when we needed it most all that it amounts to is a noisy detection capability. It did not actually “prevent” the malicious actor from doing anything. Instead, the system merely let everyone know that it occurred… very anticlimactic if you ask me, and frankly not very useful if you’re the good guy.

Deconstructing the SIEM, Log by Log

SIEM technologies have been used in security operations for over 15 years for a few reasons. First, SOCs must be able to tell a story while performing incident response investigations. And to go back in time effectively, logged events of these activities can be more easily accessed if the events are stored centrally and for an appropriate longevity. So, when the police show up, the victim can accurately name the perpetrator. Next, because the data sources are so disparate, SIEMs can be used to correlate activities among usually unrelated feeds. For example, if a floor plate triggered, then a motion sensor fires within 15 seconds of each other, their collective severity may raise more of an alarm. And thirdly, centrally reporting on collective data allows the business to identify where it is effectively investing in control technologies. In this extended example, the victim can run a report monthly showing that the microchip pressure sensor triggered 5 times this month, while the others may have triggered only once or twice. Certainly, all these capabilities are just as important today as they were in 2005.

But there is one glaring gap: why isn’t there a better way to take corrective action after the incident occurs? Extended Detection and Response (XDR) capabilities have some similar outcomes as we would expect in 2021, but with an added response component… and in McAfee’s case, many response components. Some capabilities overlap SIEM’s, which is natural based on each use case, but both of which are still essential to the modern security operations program.

Figure 1: SIEM vs XDR Capabilities

If You See Something, Do Something

While SIEM technologies, for the most part, allow its administrators to integrate through APIs with other technologies, the actions available are often limited in nature and fail to provide a seamless and consistent response option across the landscape. XDR, however, does just that. The platform is designed such that whether the system on which you are acting is an endpoint, network component, or cloud service, the security operations practitioner should expect to enjoy an intimate level of native control on that security control device. Performing actions like restricting further access, retrieving additional information, or gaining console capabilities should be as simple as a click of a button. With XDR, when the alarm sounded, Rad-X would have been able to simply click a button to lock the vaulted room and apprehend the perpetrator.

And since this is a differentiator between XDR and SIEM platforms, it should stand to reason that response capabilities should be a key factor when comparing XDR providers. McAfee offers some of the most robust response capabilities right out of the box such as quarantining affected assets, while simultaneously offering the ability to write your own for Windows, MacOS, or Linux.

Go Where The Data Is – At the Source

While it is painfully apparent that data entering data lakes and massive data collections are regularly changing, data types are changing almost as frequently. SIEM technology, which is heavily based on collectors, parsing, enrichment, ontology, and more, often fails to address the ongoing change of data types on the data source. This means that the collectors need to be updated frequently. However, what if the data was first triaged and analyzed at the source and the results delivered to the collection and correlation points? This would address a large portion of the data type challenge while simultaneously expecting and embracing the idea that the data will continue to live at its source. Sure, there may be cases where the raw data needs to be shipped to mass storage for historical searching and hunting, but those are the minority of the cases. And, since the goal of XDR is not to meet log retention requirements as a compliance tool, it need not focus on collecting all events created.

When running a search in XDR platform, such as McAfee’s MVISION XDR, the searches can be run against mass storage or in real-time. Realtime searches allow the data source to perform the query against the raw origination of the event. And, since both capabilities are available, comparing deltas between the state of the data source is easily done. If Rad-X, were using XDR they would be able to ask questions of the corridors, cameras, and entry ways the villain was using throughout the attack. Instead, they were forced to wait for an event significant enough to have occurred to be alerted that the incident was now in the past.

Figure 2: XDR Logical Architecture

Figure 3: Traditional SIEM Architecture

As you can tell from the illustrations above, XDR offers security teams a simpler cloud-native service architectural model when compared to traditional SIEM.  The majority of SIEM deployments require all the native infrastructure to be deployed as on-premises software or appliances or in IaaS. XDR can reduce the complexity of your security configuration and the expert resources required to operate it.

Hot Pursuit: A Proactive Approach to Finding Threats

Rad-X’s CEO wants answers, and he wants them now! How did this happen? Did we know about this criminal and anything she may have been up to? Were we the only targets? What is our best course of action to investigate what happened here?

MVISION XDR is designed to answer exactly these questions.

MVISION XDR goes beyond consolidation of endpoint detection and response (EDR), network detection and response (NDR), and cloud detection and response capabilities as it leverages threat intelligence and analytical posture assessments from MVISION Insights to guide its ability to predict, to prescribe, and to help prioritize what’s most important in your organization. MVISION Insights would help Rad-X shift its focus left of the moment of impact by telling its defenders about the pending threats from the threat actor. Knowing that she was targeting aviation innovators and that Rad-X was in her line-of-sight would have helped, but it would also call out the gaps in defense capabilities based on her techniques and procedures.

Then, even if the incident were to still have occurred, MVISION XDR would be able to take advantage of its Artificial Intelligence data analytics by examining how the intruder behaved, what kind of artifacts were left behind on the floor, and what may be missing from the environment which “should” be there. It’s like having a virtual Sherlock Holmes analyzing each of your XDR incidents across endpoints, network, and cloud environments.

Mission Accomplished: Go Beyond the Limits with MVISION XDR

Rad-X suffered an unfortunate event, but they learned an incredibly valuable lesson: SIEM is important as it meets some critical functions, but XDR is more appropriate in performing action driven investigations, threat analytics, rapid response, and more. So, if you find yourself in a position like Rad-X and are curious about the value and benefits of XDR in your environment, take a page out of Rad-X’s playbook and consider MVISION XDR to provide a shift left in threat predictions, prescriptions, and prioritization. Consider MVISION XDR to enhance your incident analytics capabilities with cloud-based AI playbooks. And consider MVISION XDR to provide detection and response capabilities from device to cloud.

If you’d like to learn more about what MVISION XDR can do for you and how it is evolving at McAfee, join me for a live tech talk on May 25, 2021.  I’ll be joined by Randy Kersey, XDR Product Manager at McAfee, to discuss how security operations teams can respond more effectively to incidents by harnessing their extensive security telemetry with the latest release of MVISION XDR. Be sure to register via LinkedIn. I hope to see you there!

The post Mission Possible: Hunting Down and Stopping Stealthy Attackers with MVISION XDR appeared first on McAfee Blogs.

POPIA – July 1st Deadline Approaches For New South African Data Protection Act Mon, 17 May 2021 21:19:19 +0000 /blogs/?p=122125

Data protection acts are regularly coming into force around the world and on July 1st 2021 it is the turn...

The post POPIA – July 1st Deadline Approaches For New South African Data Protection Act appeared first on McAfee Blogs.


Data protection acts are regularly coming into force around the world and on July 1st 2021 it is the turn of South Africa, as the POPIA (Protection of Personal Information Act) will be enforced from that date.  I caught up with David Luyt, Privacy Counsel at Michalsons in Cape Town to discuss what this means for South African consumers, businesses and IT teams.

Nigel: Must my organisation comply with POPIA?

David: Essentially, if you are domiciled in South Africa or you process personal information in South Africa, then you need to comply with POPIA. POPIA, unlike the GDPR, does not apply extraterritorially. Meaning that it only applies to organisations in South Africa.

Nigel: How can I find out more about the POPI Act?

David: Knowledge is Power. Having a high-level awareness of POPIA is crucial in helping you decide what your next steps are going to be. To learn more about the impact of POPIA on your organisation, take the Michalsons’ complimentary impact assessment for your specific organisation, read our insights on it, or watch our video.

Nigel: Who is the right person to be responsible for this?

David: Every organisation has an Information Officer by default and they are responsible for ensuring that the organisation complies with POPIA. However, the whole organisation needs to understand its responsibilities. Any employee that handles personal information, all systems that store and process that information and all 3rd party and cloud providers that are part of that data processing need to be reviewed and understand their responsibilities.

Nigel: What is the impact on my organisation?

David: You need to know the impact of POPIA on your specific organisation so that you can decide what the next best steps are.

Complying with POPIA is not a case of one size fits all. Different organisations need to take different actions to comply. For example, what a small enterprise (or SME) has to do is very different from what a medium or large-sized organisation has to do.

An organisation’s actions are also dependant on the foundations already built to protect personal information. Some organisations may have many safeguards in place while others are new to the issue.

Nigel: What are my organisation’s next steps?

David: At Michalsons we believe that data protection is like personal fitness – it takes time to get fit! To learn more, have a look at our top tips for data protection projects. And if you’re wondering ‘how much does data protection compliance cost?’ then we have the answer for that too!

Nigel: Which departments seem to need the most help understanding POPIA?

David: It would be unfair to single out a single group or department, but the adage “you cannot manage what you cannot see” is very true in this situation.  Every organisation needs to know where its personal data is kept, how it is handled and make sure that all employees recognise the importance of the Act.

A lot of initial work falls to the IT department to find all the current data on employees, business partners and clients and to ensure that this data is kept secure – whether inside or outside the organisation.

As we discussed in our joint webinar, this includes reviewing all outsourcing and cloud services – when you share or pass data to other organisations you are STILL responsible for everything that happens to that data, so you need to review these providers and put in appropriate measures to make sure that the data handling policies are designed to conform to the Act.

Your document on mapping POPIA to Cloud Computing has some good ideas for IT people to review – and not just for cloud, but all data handling should be reviewed in a similar way.

Nigel: Thank you for your time.

David: My pleasure.


The post POPIA – July 1st Deadline Approaches For New South African Data Protection Act appeared first on McAfee Blogs.

What the MITRE Engenuity ATT&CK® Evaluations Means to SOC Teams Wed, 12 May 2021 15:00:16 +0000 /blogs/?p=121876

SOCwise Weighs In When the infamous Carbanak cyberattack rattled an East European bank three years ago this month few would...

The post What the MITRE Engenuity ATT&CK® Evaluations Means to SOC Teams appeared first on McAfee Blogs.


SOCwise Weighs In

When the infamous Carbanak cyberattack rattled an East European bank three years ago this month few would have guessed it would later play a starring role in the MITRE Engenuity™ enterprise evaluations of cybersecurity products from ourselves and 28 other vendors. We recently shared the results of this extensive testing and in a SOCwise discussion we turn to our SOCwise experts for insights into what this unprecedented exercise may mean for SOC teams assessing both strategy concerns and their tactical effectiveness.

Carbanak is a clever opponent known for innovative attacks on banks. FIN7 uses the similar malware and strategy of effective espionage and stealth   to target U.S. retail, restaurant and hospitality sectors, according to MITRE Engenuity™, and both were highlighted in this emulation. These notorious actors have reportedly stolen more than $1 billion worldwide over the past five years. An annual event, the four-day ATT&CK Evaluation spanned 20 major steps and 174 sub-steps of the MITRE framework.

The first thing to realize about this exercise is few enterprises could ever hope to match its scope. What do you get when you match up red and blue teams? “I have not been through an exercise like that in an organization with both the red team and blue teams operationally trying to determine what their strengths and weaknesses are,” said Colby Burkett, McAfee XDR architect, a participant in the event, on our recent SOCwise episode. “And that was fantastic.”

A lot of SOC teams conduct vulnerability assessments and penetration testing, but never emulate these types of behaviors, noted Ismael Valenzuela, McAfee’s Sr. Principal Engineer and co-host of SOCwise. And, he adds that many organizations lack the resources and skills to do purple-teaming exercises.

While our SOCwise team raved about the value of conducting broad scale purple-team exercises, they expressed concern that the emphasis on “visibility” is no more valuable than “actionability.” McAfee, which scored 87% on visibility, one of the industry’s best, turned in a remarkable 100% on prevention in the MITRE Engenuity™ evaluations.

Illuminating Visibility

When we think about visibility, we think about how much useful information we can provide to SOC analysts when an attack is underway. There may be a tsunami of attack data entering SOCs, but it’s only actionable when the data that’s presented to analysts is relevant, noted Jesse Netz, Principal Engineer at McAfee.

A well-informed SOC finds a sweet spot on an axis where the number of false positives is low enough and the true positives are high enough “where you can actually do something about it,” added Netz.

He believes that for SOC practitioners, visibility is only part of the conversation. “How actionable is the data you’re getting? How usable is the platform in which that data is being presented to you?”

For example, in the evaluation we saw McAfee’s MVISION EDR preserve actionability and reduce alert fatigue. We excelled in the five capabilities that matter most to SOC teams: time-based security, alert actionability, detection in depth, protection, and visibility.\

If you can’t do anything about the information you obtain, your results aren’t really useful in any way. In this regard, prevention also trumps visibility. “It’s great that we can see and gain visibility into what’s happening,” explained Netz. “But it’s even better at the end of the day as a security practitioner to be able to prevent it.”

Expanding the Scope

The SOCwise team overall applauded the progressively sophisticated approach taken by the MITRE Engenuity™ enterprise evaluations of cybersecurity products—now in its third year. However, our panel of experts noted that this round of testing was more about defending endpoints, rather than cloud-based operations, which are fairly central to defending today’s enterprise. They expect that focus may change in the future.

The MITRE Engenuity™ enterprise evaluations provide a lot of useful data, but they should never be the single deciding factor in a cybersecurity product purchase decision. “Use it as a component of your evaluation arsenal,” advises Netz. “It’ll help to provide kind of statistics around visibility capabilities in this latest round, including some detection capabilities as well, but be focused on the details and make sure you’re getting your information from multiple sources.”

For instance, Carbanak and FIN 7 attacks may not be relevant to your particular organization, especially if they’re centered on Cloud-based operations.

While no emulation can perfectly replicate the experience of battling real-time, zero-day threats, McAfee’s Valenzuela believes these evaluations deliver tremendous value to both our customers and our threat content engineers.



Optimize your Security Operations Center with SOCwise
Visit Now

The post What the MITRE Engenuity ATT&CK® Evaluations Means to SOC Teams appeared first on McAfee Blogs.

Cloud Native Security Approach Comparisons Tue, 11 May 2021 15:00:49 +0000 /blogs/?p=121693

Vinay Khanna, Ashwin Prabhu & Sriranga Seetharamaiah also contributed to this article.  In the Cloud, security responsibilities are shared between the...

The post Cloud Native Security Approach Comparisons appeared first on McAfee Blogs.


Vinay Khanna, Ashwin Prabhu & Sriranga Seetharamaiah also contributed to this article. 

In the Cloud, security responsibilities are shared between the Cloud Service Provider (CSP) and Enterprise Security teams. To enable Security teams to provide compliance, visibility, and control across the application stack, CSPs and security vendors have added various innovative approaches across the different layers. In this blog we compare the approaches and provide a framework for Enterprises to think of these approaches.


Cloud Service Providers are launching new services at a breakneck pace to enable enterprise application developers to bring in new business value to the marketplace faster. For each of these services the CSPs are taking up more and more of the security responsibility while letting the enterprise security teams focus more on the application. To be able to provide visibility, security and enhance existing tools in such diverse and fast changing environments CSPs enable logs, APIs, Native agents and other technologies, that can be used by Enterprise security teams.


There are many different approaches to security and each have varying tradeoffs in terms of the depth of visibility and security they provide, the ease of deployment, permissions required, the costs, and the scale they work at.

APIs and logs are the best approach to do get started with discovering your Cloud accounts and finding anomalous activity interesting to security teams in those accounts. It is easy to get access to data from various accounts using these mechanisms, without the security teams having to do much more than get cross account access to the numerous accounts in the organization. The approach provides great visibility but needs to be complemented with protection approaches.

Image and snapshot analysis are a good approach to get deeper data of the workloads both before the application starts and as they run. In this method the image/ snapshot of the disk of the running system can be analyzed to detect any anomalies, vulnerabilities, config incidents etc. Snapshots provide deep data of workloads but may not detect memory resident issues like fileless malware. Also, as we move to ephemeral workloads, analyzing snapshots periodically may have limited usage. The mechanism may not work for cloud services for which disk snapshots may not be possible to obtain. The approach provides deep data of snapshots but needs to be complemented with some protection approaches to be useful.

Native agents and scripts are a good approach to enable deeper visibility and controls by providing an easy way to enhance Cloud native agents like SSM on a machine. Based on the functionality agents can have high resource usage. Native agent support is limited by the CSP provided capabilities, like OS support/ features provided. In a lot of cases the native agents run commands that log the information needed, which implies we need to have the logging approach working in parallel.

DaemonSet and Sidecar containers is an approach to deploying agents easily in Container and serverless environments. Sidecar allow running one container per pod which provide deep data but the resource usage and the cost as a result are high, because multiple sidecars would run on a single server. Sidecars can work in Container Serverless models in which case DaemonSet containers do not work. As the functionality of a Sidecar and DaemonSet is like that of an agent, many of the agent limitations mentioned apply here too.

Agent approach provides the deepest visibility and best control of the environment in which an application runs, by running code coresident with the application. This approach is however harder because the security teams need to have deep discovery capabilities beforehand to be able to deploy these agents.  There is also friction in adding agents as it has to run on every machine and security teams do not have rights to run software on every machine, especially in the cloud. The resource usage and cost of a solution can be high depending on the use cases supported. Newer technologies like Extended Berkley Packet Filters (eBPF) enable reducing resource usage of agents to make them more palatable for broader usage.

Built-into-Image/ Build-into-code approach allows for the security being built into the application image deployed. This allows security functionality to be deployed without having to work on deploying an agent with each workload. This approach provides deep visibility of the application and works even for serverless workloads. Compiling in code adds immense friction by having to add code into the build process, and code libraries need to be available in every application language.


MVISION Cloud takes a Multi-pronged approach to securing applications and enable security teams to gain control of their Cloud environments.

  1. Security teams often lack visibility into their ephemeral Cloud infrastructures and MVISION Cloud provides a seamless way by using Cross-Account IAM access and then using API and Logs to provide visibility into Cloud environments.
  2. Using the same access MVISION Cloud can not only provide an Audit of the configuration of customer environment but also do image scans to identify vulnerabilities in the components of the workload.
  3. MVISION Cloud can then help identify risk against resources, so security teams can focus on securing the right resources. All of this without having to deploy an agent.
  4. Then using approaches like Sidecars, DaemonSet containers and agents MVISION CNAPP helps provide deep visibility and protect the applications against the most sophisticated attacks by providing File Integrity Monitoring (FIM), Application Allow Listing (AAL), Anti-Malware, run time Vulnerability analysis and performing hardening checks.
  5. Using the data from all the sources MVISION CNAPP provides a Risk score against incidents to help security teams prioritize incidents and focus on the biggest risks.


The various approaches to security have their own unique tradeoffs and no one approach can satisfy all the requirements for the various teams, for the diverse set of platforms they support.

At any point of time different cloud services will be at different levels of adoption maturity. Security teams need to take an incremental approach where they start off adopting solutions that are easy to insert and can provide the basic guardrail of security and visibility, at the start of the service adoption cycle. As applications on a service mature and more high value apps come online, an approach to security that provides deeper discovery and control will be necessary to complement the existing approaches.

No one approach will be able to satisfy all customer use cases and at any time there will be different sets of security solutions that will be active. We are headed to a world of even more diverse security approaches, that have to all work seamlessly to help secure the Enterprise.


The post Cloud Native Security Approach Comparisons appeared first on McAfee Blogs.

Gartner names McAfee a Leader in 2021 Magic Quadrant for Endpoint Protection Platforms Mon, 10 May 2021 17:00:14 +0000 /blogs/?p=121789

At McAfee, we believe no one person, product or organization can combat cybercrime alone. That is why we continue to...

The post Gartner names McAfee a Leader in 2021 Magic Quadrant for Endpoint Protection Platforms appeared first on McAfee Blogs.


At McAfee, we believe no one person, product or organization can combat cybercrime alone. That is why we continue to build our device-to-cloud security platform on the premise of working together – together with customers, partners and even other cybersecurity vendors. We continue this fight against the greatest challenges of our digital age: cybercrime. As part of our ongoing effort to protect what matters, we have developed breakthrough technologies over the past several years that enable customers to proactively respond to emerging threats and adversaries despite a constantly evolving threat landscape. So, today, we are extremely proud to announce that McAfee is positioned as a “Leader” in the 2021 Gartner Magic Quadrant for Endpoint Protection Platforms (EPP).   

This is a monumental development in so many ways, especially when you consider that we were not recognized in the Magic Quadrant a few years ago. This recognition speaks volumes about the innovations we are bringing to market that resonate both with our customers and industry experts. Let me review, from my perspective, why McAfee is recognized in the Leaders Quadrant.  

Here are some key innovations in our Endpoint Protection Platform that contributed to our Leader recognition: 

  • MVISION Endpoint Security (ENS) – to prevent ransomware, fileless attacks, and defend against other advanced persistent threats.  
  • MVISION Insights – to preempt and prevent attacks before they hit. 
  • MVISION EDR – to identify and stop sophisticated threat campaigns 
  • Unique capabilities to Auto-recover from ransomware attacks (Demo) 


We set out with a vision, to create the most powerful endpoint protection platform and we are aggressively executing towards this vision. Over the past 12 months, we have made great strides in developing a market leading product, MVISION Insights, and our cloud delivered MVISION EDR. Looking ahead, our goal is to develop a unified and open eXtended Detection and Response (XDR) solution and strategy that further delivers on our device-to-cloud strategy 

We believe, McAfee’s position as a Leader further acknowledges some of our key differentiators, such as MVISION Insights, and our ability to eclipse the market with an innovative device-to-cloud strategy that spans the portfolio, including web gateway, cloud, and our network security offerings. 

Executing on Innovation 

We started by redefining our endpoint security offering with the release of MVISION Insights, a game-changing product that functions as the equivalent of an early warning system – effectively delivering preventative security. It’s hard to understate the significance of this innovation; we’re breaking the old paradigm of post-attack detection and analysis and enabling customers to stay ahead of threats. In parallel, we streamlined our EDR capabilities, which now provide AI-driven, guided investigations that ease the burden on already-stretched Security Operations Centers (SOCs) 

Increasing Value 

The bottom line is that we’re the only vendor taking a proactive risk management approach for safer cloud usage while reducing total cost of ownership. In addition, we have improved our licensing structure to fit customer needs and simplify consumption of our endpoint security solutions. We’ve made it easy to choose from a simplified licensing structure allowing customers to buy subscriptions for complete endpoint protection with no add-ons or extra costs. Our user-based licensing agreements provide for 5 devices, thus enabling frictionless expansion to incorporate additional device support in remote work environments 


In just under a year, our latest release of McAfee Endpoint Security (ENS) 10.7 has emerged as our highest deployed version of any McAfee product worldwide and our fastest-ever single-year ramp. More than 15,000 customers comprising tens of millions of nodes are now on ENS 10.7 and are deploying its advanced defenses against escalating threats. Customers get added protected because ENS 10.7 is backed by our Global Threat Intelligence (GTI) service to provide adaptable, defense in-depth capabilities against the techniques used in targeted attacks, such as ransomware or fileless threats. It’s also easier to use and upgrade. All of this means your SOC can be assured that customers are protected with ENS 10.7 on their devices.  

Customer input guides our thinking about what to do next. Since the best critics are the people who use our products, let’s give them the last word here.  

“We are now positioned to block usage of personal instances of Sanctioned services while allowing the business to move forward with numerous cloud initiatives, without getting in the way. We also now have the visibility that was lacking to ensure that we can allow our user community to work safely from their homes without introducing risks to our corporate environment.” 

 Kenn JohnsonCybersecurity Consultant 


Our continued commitment to our customers is to protect what matters. We believe that McAfee’s position in the Leaders  Quadrant validates that we are innovating at the pace and scale that meets the most stringent needs of our enterprise customers. We are proud of our product teams and threat researchers who continue to be driven by our singular mission, and who strive to stay ahead of adversaries with their focus on technological breakthroughs, and advancements in researching threats and vulnerabilities. 

What we have accomplished over the past several years, and our position as a Leader in the 2021 Gartner Magic Quadrant for EPP, is only the tip of the iceberg for what’s ahead.  

2021 Gartner Magic Quadrant for Endpoint Protection Platforms

McAfee named a Leader in the 2021 Gartner Magic Quadrant for Endpoint Protection Platforms. Download the Magic Quadrant report, which evaluates the 19 vendors based on ability to execute and completeness of vision.

Download Now

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. 

Gartner Magic Quadrant for Endpoint Protection Platforms, 5 May 2021 Paul Webber, Peter Firstbrook, Rob Smith , Mark Harris, Prateek Bhajanka

The post Gartner names McAfee a Leader in 2021 Magic Quadrant for Endpoint Protection Platforms appeared first on McAfee Blogs.

RSA Conference 2021: The Best Place to Strengthen Your Resilience Fri, 07 May 2021 17:58:43 +0000 /blogs/?p=121723

This year’s RSA Conference will look a little different. Instead of booking flights and hotel rooms in the busy city...

The post RSA Conference 2021: The Best Place to Strengthen Your Resilience appeared first on McAfee Blogs.


This year’s RSA Conference will look a little different. Instead of booking flights and hotel rooms in the busy city of San Francisco, we’ll be powering up computers in our home office with family in the next room. We’ve all had a tumultuous year and with that comes resilience, which is also this year’s conference theme.

Ahead of the RSA virtual conference, I spoke with a few of my colleagues about the major themes we should expect to see at RSA this year.

Q: This year’s RSA Conference theme is resilience. What does ‘resilience’ mean to you when protecting the world from cyberthreats?

Scott Howitt, Senior Vice President and Chief Information Officer – The COVID lockdown has exposed to enterprises that the ability to recover your business (Business Continuity) is important in the face of disaster, but Business Resilience means that your business will be able to adapt to Black Swan events. I’ve seen technology be the catalyst for resilience for most organizations.

Raj Samani, Chief Scientist and McAfee Fellow – For me, it would be ability to continue operations in light of disruption. Whether that disruption originated from digital factors, or indeed physical but to keep the wheels turning.

John Fokker, Principal Engineer and Head of Cyber Investigations for McAfee ATR – Just like Boxing: Isn’t as much about not being hit, because you are in the ring and punches are thrown, but resilience to me is more about how fast you can get back up on your feet once you do get hit. The same is true with security operations, attackers are going to try to hit you, but how good is your defense so you can minimize the impact of the attack and in the case you do get knocked down what controls do you have in place that you can get back up and resume operations.

Amanda House, Data Scientist – Cybersecurity is a unique industry in that new cyberthreats are always improving to avoid detection. A machine learning model made a month ago could now have weakness an adversary has learned to exploit. Machine learning model practitioners need to be resilient in always innovating and improving on past models to outpace new threats. Resilience is constantly monitoring machine learning models so that when we notice decay we can quickly improve them to stop new cyberthreats.

Sherin Mathews, Senior Research Scientist – To me, cyber-resilience implies being able to protect critical assets, maintain operations, and, most importantly, embrace new technologies in the face of evolving threats. The cybersecurity field is an arms race scenario with the threat landscape changing so much. In case of threats like deepfakes, some deepfakes will reach ultra-realism in the coming few years, many will still be more amateurish, and we need to keep advancing towards the best detection methods with newer forms of threats. I feel resiliency doesn’t mean you can survive or defend against all attacks, but it means that if you are compromised, you have a plan that lets us recover quickly after a breach and continue to function. Deepfakes and other offshoots of AI will require businesses to create a transparent, agile, and holistic detection approach to protect endpoints, data, apps, and cloud services.

Q: What topic(s) do you think will play an important role at this year’s RSAC? 

Samani – I anticipate Zero Trust will play a prominent role, considering the year of remote working, and a myriad of significant threats being realised. 

Fokker – Definitely Zero-Trust but also combatting threats that come with working from home, and threat intelligence so organization can better understand the actions of their adversaries even before they step into the ring.

Q: What are you hoping to get out of RSAC this year and what do you want your attendees to take away from your session?

Howitt – I am hoping to see how others have adapted to life with COVID and now that it is receding, what do they think life with look like after.  As for my session, I want to highlight the importance of adaptability and stress that this paradigm shift means we will never go back to normal.

Q: What led you to pursue a career in cybersecurity, and what makes you stay in the industry?

House – Cybersecurity is not a career path I ever imagined for myself. As a student I always enjoyed math and computer science and I naturally gravitated toward those topics. My love of both subjects led me to pursue data science and machine learning. My first job out of college was in the cybersecurity industry and that was my first introduction to this career. Since then, I have loved how cybersecurity requires constant innovation and creative ways of using AI to stop new threats.

Mathews – My background and Ph.D. focused on developing novel dictionary learning and deep learning algorithms for classification tasks related to remote health monitoring systems (e.g., activity recognition for wearable sensors and heartbeat classification). With a background in machine learning, deep learning with applications to computer vision areas, I  entered the field of cybersecurity during my work at Intel Security/Mcafee in 2016.  I contributed towards increasing the effectiveness of cybersecurity products by creating novel machine learning/deep learning models to detect advanced threats(e.g., ransomware & steganography). In my industry work experience, I also had a chance to develop leading-edge research such as eXplainable A.I. (XAI) and deepfakes.   Overall, the advent of artificial intelligence can be considered a significant milestone as A.I. is steadily flooding several industries. However, A.I. platforms can also be misused if in the wrong hands, and as research professionals, we need to step up to detect attacks or mishaps before they happen. I feel deeply passionate about XAI, ethical A.I., the opportunity to combat deepfakes and digital misinformation, and topics related to ML and DL with cybersecurity applications. Overall, it is an excellent feeling as a researcher to use your knowledge to combat threats that affect humanity and safeguard humans.  Also, I believe that newer A.I. research topics such as GANs, Reinforcement learning, and few-shot learning have a lot to offer to combat advanced cybersecurity threats.

Q: Follow-up: What can women bring to the cybersecurity table?

House – I am fortunate to work with a lot of great women in technology at McAfee. Not only are these women on the cutting edge of innovation but they are also great mentors and leaders. We need more smart people pursuing jobs in this industry and in order to recruit new talent, especially young graduates, we need to mentor and encourage them to pursue this career. Every woman I have met in this industry wants to see new talent succeed and will go the extra mile to provide mentorship. I have also noticed women tend to have unique backgrounds in this industry. For example, some of the women I look up to have degrees in biomedical engineering or physics. These unique backgrounds allow these women to bring innovative ideas from outside cybersecurity to solve some of the toughest problems in the cybersecurity industry. We need more talent from diverse backgrounds to bring in fresh ideas.

McAfee is a proud platinum with keynote level sponsor of RSA Conference 2021. Take in the McAfee virtual booth and sessions presented by McAfee industry leaders Here are some of the best ways to catch McAfee at RSA. Can’t wait to see you there!

The post RSA Conference 2021: The Best Place to Strengthen Your Resilience appeared first on McAfee Blogs.

McAfee Proactive Security Proves Effective in Recent MITRE ATT&CK™ Wed, 05 May 2021 21:30:19 +0000 /blogs/?p=121576

McAfee Soars with Superior Protection Results    Bottom Line: McAfee stopped the MITRE ATT&CK Evaluation Carbanak and FIN7 threats in their tracks within the first 15% of...

The post McAfee Proactive Security Proves Effective in Recent MITRE ATT&CK™ appeared first on McAfee Blogs.


McAfee Soars with Superior Protection Results   

Bottom Line: McAfee stopped the MITRE ATT&CK Evaluation Carbanak and FIN7 threats in their tracks within the first 15% of the major steps of the attack chain (on average), delivering on a critical security operations center (SOC) strategy: Stop the attack as early as possible.  

In April 2021, MITRE Engenuity released the results of the Carbanak and FIN7 evaluations that leveraged Tactics, Techniques, and Procedures (TTP’s) from the MITRE ATT&CK framework. McAfee and 28 other vendors tested the capabilities of our cybersecurity solutions across a wide range of attack vectors. These multi-stage simulated attacks leveraged a full range of known TTPs to execute the Carbanak and FIN7 attack campaigns. 

The Carbanak attack requires stealth and time. Threat actors count on operating undetected inside your infrastructure long enough to penetrate and own your crown jewel assets and information. They methodically step through complex custom TTPs to achieve their objectives. The sooner an attack can be detected and stopped, the lower the risk of a successful breach, damage to assets, and exfiltration of critical information.  

Shift left: Stopping Threats Before They Can Gain a Foothold 

McAfee displayed superior protection by blocking 100% across all 10 tests. On the other hand, several endpoint security providers failed to detect and block all threats. CrowdStrike, for example, was unable to block 30% of protection tests.  

Additionally, McAfee was able to block the attacks within the first 15% of attack steps on average across all testsOn the other hand, CrowdStrike allowed 50% of the attack chain steps on average to execute before blocking. The earlier in the attack chain that a threat is detected, the more likely it will be shut down before it causes damage. 

McAfee combines data and telemetry with comprehensive analytics-based detections that accelerate the pivot to defensive execution. This Time-Based Security metric determines if a blue team will have meaningful, timely, and actionable information. McAfee scores well on this metric by including specific references to MITRE Engenuity’s ATT&CK framework with centralized incident pivots to enriched telemetry, enabling faster detection, investigation, and reaction, and therefore lower exposure. Prioritizing Time-Based Security* (TBS) contributes to McAfee’s ability to block early and mitigate further damage. McAfee significantly outperformed CrowdStrike on the dimension of Time-Based Security.  

How did McAfee achieve this success in the evaluation and against such a sophisticated threat? 

Core to McAfee’s success is the alignment of products and capabilities around the ability to “shift left” in the attack cycle. Shifting left, or engaging as early as possible in the kill chain timeline, allows defenders to detect and stop an attack, minimize risk, and achieve these results at the lowest cost. 

For scenarios where threats are not blocked, McAfee provides extensive and actionable alerting and intelligence to ensure that responses and remediations are timely.  In the case of the MITRE Carbanak+FIN7 testing, McAfee demonstrated clear superiority over CrowdStrike in terms of Alert Actionability*. 

(For more information on Time-based Security and Alert Actionability, please review the following blog: SOC vs MITRE APT29 evaluation – Racing with Cozy Bear | McAfee Blogs)  

Defenders, Now is Your Time to Prevail Against Threat Actors 

Sophisticated adversaries surround us, and MITRE ATT&CK evaluations emulated their techniques and procedures. It’s time to let your teams know that with the right tools from McAfee and Shift Left best practices, intelligent defenders will prevail.  

Sneaky attackers traverse infrastructures and assets opportunistically and unpredictably. The complexity and variability in the attack chains associated with these threat actors make threats challenging to identify. McAfee will continue to evolve extended detection and response capabilities that go beyond the endpoint. The integration of these capabilities with solutions such as McAfee’s MVISION XDR enables the security operations team to benefit from unified visibility and control across the hybrid enterprise: endpoints, network, and the cloud.  

Most important is the integration of the ecosystem to fight and defeat attackers. McAfee MVISION XDR orchestrates both McAfee and non-McAfee security assets to deliver actionable cyber threat management and support both guided and automated investigations. 

As illustrated by the recent MITRE Carbanak+FIN7 protection tests, the industry recognizes the value of proactive capabilities to detect and block early, reducing reactive cyber defense efforts and damage. This dynamic enables your team to stop these sophisticated attacks earlier and more effectively. McAfee empowers your security operations teams to achieve faster and more effective results.  

To find out more about the MITRE ATT&CK Evaluation results, please reach out to 


* These critical capabilities are defined by McAfee algorithms designed to maximize value to SOC and XDR needs.  Please see this McAfee MITRE blog for details on these algorithms 

Assessments of performance are McAfee’s and not those of MITRE Engenuity.  

MITRE Engenuity ATT&CK Evaluations are paid for by vendors and are intended to help vendors and end-users better understand a product’s capabilities in relation to MITRE’s publicly accessible ATT&CKⓇ framework. MITRE developed and maintains the ATT&CK knowledge base, which is based on real word reporting of adversary tactics and techniques. ATT&CK is freely available and is widely used by defenders in industry and government to find gaps in visibility, defensive tools, and processes as they evaluate and select options to improve their network defense. MITRE Engenuity makes the methodology and resulting data publicly available so other organizations may benefit and conduct their own analysis and interpretation. The evaluations do not provide rankings or endorsements.  


The post McAfee Proactive Security Proves Effective in Recent MITRE ATT&CK™ appeared first on McAfee Blogs.

McAfee Recognised in 2021 Gartner Solution Scorecard Report Mon, 03 May 2021 15:22:36 +0000 /blogs/?p=121093

Industry analysts perform a huge service in evaluating markets, technology, vendors and sharing their insights with customers via one-on-one discussions...

The post McAfee Recognised in 2021 Gartner Solution Scorecard Report appeared first on McAfee Blogs.


Industry analysts perform a huge service in evaluating markets, technology, vendors and sharing their insights with customers via one-on-one discussions and regular publications and events. Gartner publishes Magic Quadrant reports that review a particular market and evaluate vendors for their Completeness of Vision and Ability to Execute.

Gartner also has a separate team of analysts that evaluates single products in greater depth. Their reports review each product or product family across hundreds of criteria and produce a scorecard, key findings and customer recommendations.

We are proud to read the new Solution Scorecard for McAfee MVISION Cloud by Gartner, where we scored “94 out of 100 against Gartner’s 480-point Solution Criteria for Cloud Access Security Brokers”. MVISION Cloud was the only CASB product to score 94 out of 100 in the 2021 scorecards.”

We have licensed it for anyone to read.

We believe, for this review, they reviewed 480 sets of criteria across eleven areas from architecture, management and functions such as data security, threat protection and Cloud Security Posture Management. Once they had reviewed and weighted each attribute, MVISION Cloud came out with a total blended total score of 94 out of 100.

The framework that they used splits each of the criteria into one of three categories – Required, Preferred and Optional. We are pleased to see that they consider MVISION Cloud provides 97% of the Required functionality.

We have also licensed the Magic Quadrant for Cloud Access Security Brokers report from October 2020 – available here.


GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from McAfee. Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Gartner, Solution Scorecard for McAfee MVISION Cloud, 5 April 2021, Sushil Aryal, Dennis Xu, Patrick Hevesi


The post McAfee Recognised in 2021 Gartner Solution Scorecard Report appeared first on McAfee Blogs.

New Security Approach to Cloud-Native Applications Tue, 27 Apr 2021 15:05:36 +0000 /blogs/?p=120502

With on-premises infrastructure, securing server workloads and applications involves putting security controls between an organization’s network and the outside world....

The post New Security Approach to Cloud-Native Applications appeared first on McAfee Blogs.


With on-premises infrastructure, securing server workloads and applications involves putting security controls between an organization’s network and the outside world. As organisations migrate workloads (“lift and shift”) to the cloud, the same approach was often used. On the contrary to lift and shift, many enterprise businesses had realized that in order to use the cloud efficiently they need to redesign their apps to become cloud-native. Cloud native is an approach to building and running applications that exploits the advantages of the cloud computing delivery model. Cloud native development incorporates the concepts of DevOps, continuous delivery, microservices, and containers.

IDC predicts, by 2025, nearly two-thirds of enterprises will be prolific software producers with code deployed daily, over 90% of new apps cloud native, 80% of code externally sourced, and 1.6 times more developers”

Monolithic Apps vs Cloud Native Apps                         

So, how do you ensure the security of your cloudnative applications?

Successful protection of cloud-native applications will require a combination of multiple security controls working together and managed from one security platform. First, the cloud infrastructure where is the cloud-native application is running (containers, serverless functions and virtual machines) should be assessed for security misconfigurations (security posture ), compliance and for known vulnerabilities.  Second, securing the workloads needs a different security approach. Workloads are becoming more granular with shorter life spans as development organizations adopt DevOps-style development patterns. DevOps delivers faster software releases , in some cases, several times per day. The best way to secure these rapidly changing and short-lived cloud-native workloads is to start their protection proactively and build security into every part of the DevOps lifecycle.

Cloud Security Posture Management (CSPM):

The biggest cloud breaches are caused by customer misconfiguration, mismanagement, and mistakes. CSPM is a class of security tools to enable compliance monitoring, DevOps integration, incident response, risk assessment, and risk visualization. It is imperative for security and risk management leaders to enable cloud security posture management processes to proactively identify and address data risks.

Cloud Workload Protection Platforms (CWPP):

CWPP is an agent-based workload security protection technology. CWPP addresses unique requirements of server workload protection in modern hybrid data center architectures including on-premises, physical and virtual machines (VMs), and multiple public cloud infrastructure. This includes support for container-based application architectures.



MVISION CNAPP is the industry’s first platform to bring application and risk context to converge Cloud Security Posture Management (CSPM) for multi public cloud infrastructure, and Cloud Workload Protection (CWPP) to protect hybrid, multi cloud workloads including VMs, containers, and serverless functions. McAfee MVISION CNAPP extends MVISION Cloud’s data protection – both Data Loss Prevention and malware detection – threat prevention, governance and compliance to comprehensively address the needs of this new cloud-native application world thereby improving security capabilities and reducing the Total Cost of Ownership of cloud security.

7 Key elements of MVISION CNAPP:

1. Single Hybrid multi cloud security platform: McAfee MVISION Cloud simplify multi-cloud complexity by using a single, cloud-native enforcement point. It’s a comprehensive cloud security solution that protects and prevents enterprise and customer data, assets and applications from advanced security threats and cyberattacks across multiple cloud infrastructures and environments.

2. Cloud Security Posture Management: McAfee MVISION Cloud provide a continuous monitoring for multi cloud IaaS / PaaS environments to identify gaps between their stated security policy and the actual security posture. At the heart of CSPM is the detection of cloud misconfiguration vulnerabilities that can lead to compliance violations and data breaches.

3. Deep discovery and risk based application:You can’t protect what you can’t see. Discovering all cloud resources and prioritise them based on the risk. MVISION CNAPP uniquely provided deep discovery of all workloads, data, and infrastructure across endpoint, networks, and cloud. If you can quickly understand those risks relative to each other, you can quickly prioritize your remediation reducing overall riskMas quickly as possible.

4. Shift Left posture and vulnerability:By moving security into the CI/CD pipeline and make it easy for developers to incorporate into their normal application development processes and ensuring that applications are secure before they are ever published reduces the chance of introducing new vulnerabilities and minimizing threats to the organization.

5. Zero Trust policy control: McAfee’s CNAPP solution supported by CWPP focus on Zero Trust network and workload policies. This approach not only allows you to gain analytics about who is accessing your environment and how an important component of your SOC strategy but it also ensures that people and services have appropriate permissions to perform necessary tasks.

6. Unified Threat Protection:CWPP unifies threat protection across workloads in the cloud and on-premise. Including OS Hardening, Configuration and Vulnerability Management, Application Control/Allow-Listing and File Integrity control. It also synthesizes workload protections and account permissions into the same motion. Finally, by connecting cloud-native application protection to XDR, you are able to have full visibility, risk management, and remediation across your on-premise and cloud infrastructures.

7. Governance and Compliance:The ideal solution for protecting cloud-native applications includes the ability to manage privileged access and address threat protection for both workloads and sensitive data, regardless of where they reside

Business value:

  • One Cloud Security Platform for all your CSPs
  • Scan workloads and configurations in development and protect workloads and configurations at runtime.
  • Better security by enabling standardization and deeper layered defenses.
  • The convergence of CSPM and CWPP


IDC FutureScape: Worldwide IT Industry 2020 Predictions

The post New Security Approach to Cloud-Native Applications appeared first on McAfee Blogs.

You Don’t Have to Give Up Your Crown Jewels in Hopes of Better Cloud Security Mon, 26 Apr 2021 15:00:44 +0000 /blogs/?p=120487

If you’re like me, you love a good heist film. Movies like The Italian Job, Inception, and Ocean’s 11 are...

The post You Don’t Have to Give Up Your Crown Jewels in Hopes of Better Cloud Security appeared first on McAfee Blogs.


If you’re like me, you love a good heist film. Movies like The Italian Job, Inception, and Ocean’s 11 are riveting, but outside of cinema these types of heists don’t really happen anymore, right? Think again. In 2019, the Green Vault Museum in Dresden, Germany reported a jewel burglary worthy of its own film.

On November 25, 2019 at 4am, the Berlin Clan Network started a fire that destroyed the museum’s power box, disabling some of the alarm systems. The clan then cut through iron bars and broke into the vault. Security camera footage published online shows two suspects entering the room with flashlights, across a black-and-white-tiled floor. After grabbing 37 sets of stolen jewelry in a couple of minutes, the thieves exited through the same window, replacing the bars in order to delay detection. Then they fled in a car which was later found torched.[1]

Since then, there’s been numerous police raids and a couple of arrests, but an international manhunt is still underway and none of the stolen jewels have been recovered. What’s worse is that the museum didn’t insure the jewelry, resulting in a $1.2 billion-dollar loss. Again, this is a story ripe for Hollywood.

Although we may not read about jewelry heists like this one every day, we do see daily headlines about security breaches resulting in companies losing their own crown jewels – customer data. In fact, the concept of protecting crown jewels is so well known in the cybersecurity industry, that MITRE has created a process called Crown Jewels Analysis (CJA), which helps organizations identify the most important cyber assets and create mitigation processes for protecting those assets.[2] Today exposed sensitive data has become synonymous with cloud storage breaches and there is no shortage of victims.

To be fair all of these breaches have a common factor – the human element in charge of managing cloud storage misconfigured or didn’t enable the correct settings. However, at the same time we can’t always blame people when security fails. If robbers can so easily access multiple crown jewels again and again, you can’t keep blaming the security guards. Something is wrong with the system.

Some of the most well-versed cloud native companies like Netflix, Twilio, and Uber have suffered security breaches with sensitive data stored in cloud storage.[3] This has gotten to the point that in 2020, the Verizon Data Breach Report listed Errors as the second highest cause for data breaches due “in large part, associated with internet-exposed storage.”[4]

So why is securing cloud storage services so hard? Why do so many different companies struggle with this concept? As we’ve talked to our customers and asked what makes protecting sensitive data in the cloud so challenging, many simply don’t know if they had sensitive data in the cloud or struggle with handling the countless permissions and available overrides for each service.[5] Most of them have taken the approach that someone – whether that be an internal employee, a third-party contractor, or a technology partner – will eventually fail in setting the right permissions for their data, and they need a solution that will continuously check for sensitive data and prevent it from being accessed regardless of the location or service-level permissions.

Enter in Cloud Native Application Protection Platform (CNAPP). Last month our new CNAPP service dedicated to securing hybrid cloud infrastructure and cloud native applications became generally available. One of the core pillars behind CNAPP is Apps & Data – meaning that along with Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP), CNAPP provides a cohesive Data Loss Prevention (DLP) service.

Figure 1: CNAPP Pillars

Typically, the way security vendors perform DLP scans for cloud storage is by copying down customer data to their platform. They do this because in order to scan for sensitive data, the vendor needs access to your data from a platform that can run their DLP engine. However, this solution presents some challenges:

  • Costs – copying down storage objects means customers incur charges for every bit of data that goes across the wire which include but aren’t limited to requests charges, egress charges, and data transfer charges. For some customers these charges are significant enough where they have to pick and choose which objects to scan instead of protecting their entire data store in the cloud.
  • Operational burden – customers who aren’t comfortable sending the data over the public internet have to create tunnels or direct connections to vendor solutions. This means additional overhead, architectural changes, and sometimes backhauling large amounts of data across those connections.
  • Defeats the Purpose of DLP – this was a lesson learned from our MVISION Cloud DLP scanning; for some customers performing DLP scans over network connections was convenient but for other customers it was a huge security risk. Essentially, these solutions require customers to hand over their crown jewels in order to determine if that data has the crown jewels. Ultimately, we arrived at the conclusion that data should be local, but DLP policies should be global.

This is where we came up with the concept of in-tenant DLP scanning. In-tenant DLP scanning works by launching a small software stack inside the customers’ AWS, Azure, or GCP account. The stack is a headless, microservice (called a Micro Point of Presence or Micro PoP) that pushes out workload protection policies to compute and storage services. The Micro PoP connects to the CNAPP console for management purposes but allows customers to perform local DLP scans within each virtual network segment using direct access. No customer data ever leaves the customers’ tenant.

Figure 2: In-tenant DLP Scanning

Customers can also choose to connect multiple virtual network segments to a single Micro PoP using services like AWS PrivateLink if they want to consolidate DLP scans for multiple S3 buckets. There’s no capacity limit or license limitation to how many Micro PoPs customers can deploy. CNAPP supports in-tenant DLP scanning for Amazon S3, Azure Blob, and GCP storage today with on-prem storage coming soon. Lastly, customers don’t have to pick and choose only one deployment model – they can use our traditional DLP scans (called API scans) over network connections or select our in-tenant DLP scans for more sensitive workloads.

In-tenant DLP scanning is just one of the many innovate features we’ve launched with CNAPP. I invite you to check out the solution for yourself. Visit for more information or request a demo at We’d love to get your feedback and see how MVISION CNAPP can help your company stay out of the headlines and make sure your crown jewels are right where they should be.


Disclaimer: this blog post contains information on products, services and/or processes in development. All information provided here is subject to change without notice at McAfee’s sole discretion. Contact your McAfee representative to obtain the latest forecast, schedule, specifications, and roadmaps.






The post You Don’t Have to Give Up Your Crown Jewels in Hopes of Better Cloud Security appeared first on McAfee Blogs.

Lessons We Can Learn From Airport Security Wed, 21 Apr 2021 15:05:36 +0000 /blogs/?p=119977 Remote Learning

Most of us don’t have responsibility for airports, but thinking about airport security can teach us lessons about how we...

The post Lessons We Can Learn From Airport Security appeared first on McAfee Blogs.

Remote Learning

Most of us don’t have responsibility for airports, but thinking about airport security can teach us lessons about how we consider, design and execute IT security in our enterprise. Airports have to be constantly vigilant from a multitude of threats; terrorists, criminals, rogue employees and their security defenses need to combat major attacks, individual threats, stowaways, smuggling as well as considering the safety of passengers and none of this can stop the smooth flow of travelers as every delay has business knock on effects. Whew! And this is just the start.

The airport operators are a lesson in supply-chain and 3rd party communications. They cooperate with airlines, retailers and government agencies, and their threats can be catastrophic. They also need to consider mundane problems like how do you move a large number of people around quickly, what to do when someone leaves a bag to go shopping and how to balance risk reduction with traveler comfort – many needs to be considered, planned for and the execution when a risk is identified needs to be immediate. All this before thinking about IT-related issues, thefts from retailers, employee assessments and training, building safety, people tracking and … the list seems almost endless.

Our business IT security needs might not seem so complex; however every enterprise has its external and internal attackers; hackers, ransomware, DDoS attacks to take down your systems and rogue employees or inadvertent actions by good employees who don’t realize what link they are clicking on or data they are over-sharing. At the same time, the business needs to be able to enable the newest and most effective apps and systems and employees hate anything that appears to get in their way.

So, let’s see what airports can teach us about thinking about possible threats and appropriate safeguards to deploy a layered approach that protects your data, users and infrastructure.

If you take just one threat; terrorism as – this image shows that US airports have more than 20 layers of security – a mixture of human and technological measures.

There’s no silver bullet, there’s not one piece of security awareness or technology that will solve all problems – but if integrated, they can all build together to draw a picture of the possible threat.  Our defenses shouldn’t rely on just one technology either, but when we have multiple capabilities working together, we can evaluate, identify and address our security needs.

Here’s my table of some of the needs of an airport and equivalent areas in general IT security. Just as in an airport, individual pieces are of limited benefit unless they are brought together. Even though each item improves overall security, a single management console that can correlate all these pieces of knowledge and suggest or make policy decisions is crucial to ensure you get maximum benefit.

Airport Enterprise IT
Check ticket against passport Global SSO and multi-factor authentication for every app (including cloud)
X-ray baggage Scan attachments for malware
Security gates and handbaggage check DLP for confidential data loss control
Facial recognition comparing security gate and plane gate with ticket Zero trust – keep checking at all times
Baggage weight check Review email attachments – treat previously unseen executables as suspect
CCTV as passengers move around airport User behavior analytics for risky behavior
Database of travellers, prior travel, destination information Logging / analytics
Temperature tests for COVID Block surfing to high risk web sites
Visa requirements Access control to sensitive areas or sensitive data
Check expiry date on passport Reconfirm credentials after a period
History of prior travel User behavior analytics to understand “normal traffic” for each individual user and alert on unusual patterns.
Open Skies Initative – sharing data with destination – allowing arrest on landing Insights to check and implement defences before attacks based on other organization’s threats
Landing card (where staying, reason etc.) Employee justification for actions – feedback loops when challenged
Finger prints on landing – check against previous travel history Insights
Security guards, customs agents, check in staff, people monitoring CCTV The personal touch – the SOC team investigating threats and defining and implementing policies
Different security lines for additional checks Remote Browser Isolation
Overall SOC center to correlate all inputs Global management


What have we learned?

Firstly, the job of securing an airport is complex and involves a lot of planning, cooperation with 3rd parties and a vast mixture of people and technology-based security.

Secondly, we cannot rely on one defense, just like airports.

Thirdly, concepts like zero trust, MITRE ATT&CK framework, Cyber Kill Chain are all aiming to look at threats in the round – we need look at threats from every angle we can and implement the best technology we can.

The best solutions will be integrated, you need to be able to collate activity patterns to evaluate risks and define defenses.  McAfee’s Device to Cloud Suites are designed to bring together multiple systems all under one umbrella and let you accelerate cloud adoption, improve productivity and bring together more than ten different security technologies all managed by McAfee ePO.


Device to Cloud Suites

Easy, comprehensive protection that spans endpoints, web, and cloud

Learn more


The post Lessons We Can Learn From Airport Security appeared first on McAfee Blogs.

McAfee Provides Max Cyber Defense Capabilities in MITRE’s Carbanak+FIN7 ATT&CK® Evaluation Tue, 20 Apr 2021 16:26:46 +0000 /blogs/?p=120403

Each year, MITRE Engenuity™ conducts independent evaluations of cybersecurity products to help government and industry make better decisions to combat security...

The post McAfee Provides Max Cyber Defense Capabilities in MITRE’s Carbanak+FIN7 ATT&CK® Evaluation appeared first on McAfee Blogs.


Each year, MITRE Engenuity™ conducts independent evaluations of cybersecurity products to help government and industry make better decisions to combat security threats and improve industry’s threat detection capabilities. These evaluations are based on MITRE ATT&CK®, which is widely recognized as the de facto framework for tracking adversarial tactics and techniques. At McAfee we know that cybercriminals are always evolving their tradecraft, and we are committed to providing blue teams (cyber defenders) the capabilities needed to win the game. To do so, we believe in the importance of putting our security solutions through rigorous testing. To demonstrate our commitment, McAfee has participated in all MITRE Engenuity Enterprise Evaluations to date, including the previous round 1 (APT3 emulation) and round 2 (APT29 emulation). 

Today, MITRE Engenuity released the results of the Carbanak and FIN7 evaluations (round 3) that were conducted over the last few months. McAfee participated in this evaluation, along with 28 other vendors, which tested the capabilities of their cybersecurity solutions, in what has been the most comprehensive ATT&CK Evaluation to date, covering 20 major steps and 174 sub-steps.  

For the first time ever, MITRE Engenuity offered an optional extension to the detection evaluations to examine a vendor’s ability to protect against specific adversary techniques utilized by these groups. This was also the first time that the evaluations went beyond Windows systems and addressed techniques aimed at the Linux devices that are often used on networks as file servers or domain controllers. 

While it’s important to note that the goal of these ATT&CK Evaluations is not to rank or score products, our analysis of the results found that McAfee’s blue team was able to use MVISION EDR, complemented by McAfee’s portfolio, to obtain a significant advantage over the adversary, achieving: 

  • 100% visibility across the 10 major attack steps on Day 1 (Carbanak), and 100% visibility across the 10 major attack steps on Day 2 (FIN7). 
  • 100% analytic detections (any non-telemetry detection) across the 10 major attack steps on Day 1 (Carbanak), and 100% analytic detections across the 10 major attack steps on Day 2 (FIN7). 
  • 87visibility across the total of 174 sub-steps for the 2 attack scenarios. 
  • 72% detections leveraging two or more data sources for additional context and enrichment. 
  • 100% of blocking of the 10 major attack steps emulated in the protection test (Carbanak + FIN7) and blocking early in the attack cycle. 

Adversarial Emulation 

While prior emulated groups were more focused on espionage, the ATT&CK Evaluations team chose to emulate Carbanak and FIN7 due to the wide range of industries these groups target for financial gain. Both groups carry a firm reputation of using innovative tradecraft. Efficient espionage and stealth are at the forefront of their strategy, as they often rely heavily on scripting, obfuscation, “hiding in plain sight,” and fully exploiting the users behind the machine while pillaging an environment. They also leverage a unique spectrum of operational utilities, spanning both sophisticated malware as well as legitimate administration tools capable of interacting with various platforms.  

The ATT&CK Evaluation was conducted over a total of 4 days, including the protection testing. On each day a different version of the attack comprised of 10 steps was executed. On Day 1, MITRE Engenuity emulated an attack carried out by the Carbanak group to a financial institution that starts with the breach of the HR Manager’s workstation, and includes elevation of privileges, credential theft, lateral movement to the CFO’s system, collection of sensitive data on both Windows and Linux systems, and the spoofing of money transfers. On Day 2, MITRE Engenuity emulated an attack carried out by the FIN7 group against a hotel, involving the breach of the hotel manager’s system, persistence, credential theft, discovery, lateral movement to an accounting system and the skim of customer payment data. 

The McAfee blue team successfully defended against these two advanced adversaries, demonstrating the power of the McAfee portfolio, including MVISION EDR, complemented by MVISION Endpoint Security (ENS), Advanced Threat Detection (ATD), Network Security Platform (NSP), Data Loss Prevention (DLP), and Enterprise Security Manager (ESM). These products were configured following MITRE Engenuity’s standards: 

  • For the detection evaluation all ENS scanners and rules were set to report-only. 
  • For the protection evaluation ENS Attack Behavior Blocking (ABB)/Attack Surface Reduction (ASR) rules were set to block while the “Remotely creating or modifying files or folders” rule was disabled at MITRE’s request. 

During these 4 days of extensive purple teaming, McAfee demonstrated that its portfolio provides solid cyber defense across the top 5 capabilities that matter the most to any security operations team: time-based securityalert actionability, detection in depth, protection, and visibility 

Time-Based Security 

Time-Based Security (TBS) is one of the most relevant, effective, and simple security models a defender can apply.  It provides a mechanism to determine if a blue teamer would have the necessary, timely, and actionable information to effectively defend against adversarial attacks. 

Using the results of the ATT&CK Evaluation, we modeled the data following an attack timeline, grouping the techniques executed by the ATT&CK red team for Days 1 (Carbanak) and 2 (FIN7) into each of the steps (attack milestones) they employed. To represent the data for each evaluation day, we list the detection categories used by MITRE Engenuity. As Figures 1 and 2 show, during the evaluation, McAfee provided the maximum level of visibility, detection and context for every major step in the attack. An analyst that used McAfee’s products would have received a correlated and enriched threat alert for each of the steps of these advanced attacks, including references to MITRE Engenuity’s ATT&CK framework and pivoting points to enriched telemetry, enabling faster detection, investigation and reaction, and therefore resulting in reduced exposure. 

Figure 1. Time Based Security for Carbanak (Day 1) 

Figure 2. Time Based Security for FIN7 (Day 2) 


To be successful as a defender, it is essential to react in the fastest possible way, raising an alarm as early as possible on the attack chain, while correlating, aggregating and summarizing all subsequent activity to preserve actionability.  McAfee’s MVISION EDR preserved actionability and reduced alert fatigue during the evaluation providing context and enrichment, resulting in a ratio of 62%1 analytic detections (non-telemetry detections) out of the 274-total count of detections. This was possible due to McAfee’s strong correlation and having all telemetry tagged and labeled as close to the source as possible.  

Detection In-Depth 

Effective attack technique detection requires certain vantage points. Additional perspective improves context, correlation, and subsequently fidelity.  Having diverse data sources for every technique enables coverage quantity and quality. 

McAfee demonstrated coverage across a dozen of different data sources during the evaluation with 72% of detections utilizing two or more data sources. 

Figure 3McAfee data source diversity across 274 detections 


For the first time in an ATT&CK Evaluation, MITRE Engenuity exercised 10 protection scenarios; a subset of the attack sequences used during the detection assessment.  McAfee demonstrated its superior protection efficacy by successfully disrupting all 10 attacks, early in the chain, before any impact occurred. Before the disruption, high context detections and telemetry was produced to alert the analyst.  

Figure 4100% blocking at every protection test  


Many organizations live in an alert driven world where there is not enough data to support key security operations activities, including investigations or threat hunting. During the Carbanak+FIN7 evaluation, McAfee provided visibility across all major steps of the attack, and 87% visibility of the total count of sub-steps across both days. It is worth noting that the remaining 13% does not necessarily represent blind spots, but rather that the minimum criteria selected by MITRE Engenuity was not met, according to the evaluation rules. For example, more visibility was obtained through the automated detonation of samples in our ATD sandbox, which provides additional data context to security analysts during a real attack. 


At McAfee, we know how security operations work, and that’s why we designed our detection and response platform with Human Machine Teaming’ in mind. For this latest round of the MITRE Engenuity ATT&CK Evaluation, our Threat Detection Engineering and Applied Countermeasures (AC3) team have delivered 85% more visibility and over 22% more analytic detections than in the previous APT29 evaluation.  

During this evaluation, we demonstrated that McAfee delivers best-balanced defense across the top 5 capabilities that matter the most to any security operations team: time-based securityalert actionability, detection in depth, protection, and visibility. Our McAfee detection and response platform offered enhanced meaningful context across the entire attack chain, allowing cyber defenders to disrupt attacks early, before damage occurs. 

Stay tuned for upcoming details on how each of these security capabilities played a key role in the Carbanak+FIN7 evaluation as part of our ATT&CK Evaluation blog series. 


MITRE ATT&CK and ATT&CK are registered trademarks of the MITRE Corporation. 

The post McAfee Provides Max Cyber Defense Capabilities in MITRE’s Carbanak+FIN7 ATT&CK® Evaluation appeared first on McAfee Blogs.

SOCwise Series: A Tale of Two SOCs with Chris Crowley Mon, 19 Apr 2021 23:01:26 +0000 /blogs/?p=120373 coin miners

In a recent episode of McAfee’s SOCwise Series, guest security expert Chris Crowley revealed findings of his recent survey of security efforts within SOCs....

The post SOCwise Series: A Tale of Two SOCs with Chris Crowley appeared first on McAfee Blogs.

coin miners

In a recent episode of McAfee’s SOCwise Series, guest security expert Chris Crowley revealed findings of his recent survey of security efforts within SOCs. His questions were designed to gain insight into all things SOC, including how SOCs can accomplish their full potential and how they assess their ability to keep up with security technology. 

Hosts Ismael Valenzuela and Michael Leland tapped into Chris’ security operations expertise as he told “A Tale of Two SOCs. 

“Chris has a tremendous experience in security operations,” Ismael said. “I always like people who have experience both in the offensive side and the defensive side. Think red, act blue, right? . . . but I think that’s very important for SOCs. Where does ‘A Tale of Two SOCs’ come from?”  

In reference to the Charles Dickens’ classic, Chris explained how survey responses fell into two categories: SOCs that had management support or those that did not. 

“It’s not just this idea of does management support us. It’s are we effectively aligned with the organization?” Chris said. And I think that is manifest in the perception of management support of not management support, right? So, I think when people working in a SOC have the sense that they’re doing good things for the organization, their perceptions is that the management is supporting them.” 

In this case, Chris explains “A Tale of Two SOCs” also relates to the compliance SOC versus the real security SOC. 

“A lot of it has to do with what are the goals when management set up to fund the SOC, right? Maybe the compliance SOC versus the SOC that’s focused on the security outcomes on defending, right?There are some organizations that are funding for basic compliance,” Chris said. [If the] law says we have to do this, we’re doing that. We’re not really going to invest in your training and your understanding and your comprehension. We’re not going to hire really great analysts. We’re just going to buy the tools that we need to buy. We’re going to buy some people to look at monitors and that’s kind of the end of it. 

One of the easiest and telling methods of assessing where an SOC sees itself in this tale is having conversations with staff. Chris recommends asking staff if they feel aligned with management and do they feel empowered? 

“If you feel like you’re being turned into a robot and you pick stuff from here and drop it over there, you’re probably in a place where management doesn’t really support you. Because they’re not using the human being’s capability of synthesis of information and that notion of driving consensus and making things work,” Chris said. “They’re looking more for people who are replaceable to put the bits in the bucket and move through.” 

Chris shared other survey takeaways including how SOCs gauge their value, metrics and tools. 


The survey included hypotheses designed to measure how organizations classify the value of a SOC: 

  • Budget – The majority of respondents did not list budget as a sign of how their organization value them 
  • Skilled Staff  Many valued the hiring of skilled workers as a sign of support for their SOC. 
  • Automation and Orchestration – The SOC teams that believed their organizations already supported through the hiring skilled staff reported their biggest challenge was implementing the automation and orchestration. 

“This showed that as SOC teams met the challenge of skilled staffing, they moved on to their next order of task: Let’s make the computers compute well,” Chris said. 


Ismael asked about the tendency for some SOC management not to report any metrics, and those that simply reported number of incidents not reporting the right metrics. Chris reported that most people said they do provide metrics, but a stillsurprising number of people said that they don’t provide metrics at all. 

Here’s the breakdown of how respondents answered, “Do you provide metrics to your management?” 

  • Yes  69 
  • No  24 
  • We don’t know – 6 

 That roughly a third of respondents either do not report metrics or don’t know if they report metrics was telling to the survey’s author. 

In which case [metrics] obviously don’t have a central place of importance for your SOC,” Chris said. 

Regarding the most frequently used metric – number of incidents – Chris speculated that several SOCs he surveyed are attempting to meet a metric goal of zero incidents, even if it means they’re likely not getting a true reading of their cyber security effectiveness.  

You’re allowed to have zero incidents in the environment. And if you consistently meet that then you’re consistently doing a great job,” Chris said. Which is insane to me, right? Because we want to have the right number of incidents. If youactually have a cyber security problem … you should want to know about it, okay? 

Among the group of respondents who said their most common metric is informational, the desired information from their “zero incidents” metrics doesn’t actually have much bearing on the performance or the value of what the SOC is doing.

“The metrics tend to be focused on what can we easily show as opposed to what truly depicts the value that the SOC has been providing for the org,” Chris said. And at that point you have something you can show to get more funding and more support right over time. 

Chris suggests better use of metrics can truly depict the value that the SOC is providing the organization and justify the desired support it seeks. 

One which I like, which is not an easy metric to develop is actually loss prevention. If I can actually depict quantitatively, which it will not be precise, there will be some speculation in that,” Chris said. “But if I can depict quantitatively what the SOC did this month, or quarter where our efforts actually prevented or intervened in things which were going wrong and we stopped damage that’s loss prevention, right? That’s what the SOC is there for, right? If I just report, we had 13 incidents there’s not a lot of demonstration of value in that. And so always the metrics tend to be focused on what can we easily show as opposed to what truly depicts the value that the SOC has been providing for the org. “ 


Michael steered the discussion to the value discussion around incident metrics and their relationship with SOC capacityHow many incidents can you handle? Is it a tools issue or a people issue or a combination of both? Chris’ study also revealed subset of tools that respondents more frequently leveraged and added value to delivery of higher capacity of incident closure. 

One question on the survey asked“Do you use it? 

 “Not whether you like it or not, but do you use it? And do you use it in a way where you have full coverage or partial coverage? Because another thing about technology, and this is kind of a dirty secret in technology applications, is a lot of people buy it but actually never get it deployed fully,” Chris said. 

His survey allowed respondents to reveal their most-used technologies and to grade tools. 

The most common used technologies reported in the survey were: 

  1. SIEM 
  2. Malware Protection Systems 
  3. Next-gen Firewall 
  4. VPN 
  5. Log management  

Tools receiving the most A grades: 

  • EDR 
  • VPN 
  • Host-based Malware Protection 
  • SIEM 
  • Network Distributed Denial of Service 

Tools receiving the most F grades: 

  • Full Peak App 
  • Network-Based Application Control 
  • Artificial Intelligence 
  • TLS Intercept 

Chris pointed out that the reasoning behind the F grades may be less a case of failing and more a case of not meeting their full potential. 

“Some of these are newer in this space and some of them just feel like they’re failures for people” Chris said. Now, whether they’re technology failures or not this is what people are reporting that they don’t like in terms of the tech.  

For more findings read or download Chris Crowley’s 2020 survey here. 

Watch this entire episode of SOCwise below.


The post SOCwise Series: A Tale of Two SOCs with Chris Crowley appeared first on McAfee Blogs.

5 Ways MVISION XDR Innovates with MITRE ATT&CK Mon, 29 Mar 2021 14:00:09 +0000 /blogs/?p=119332 What is a DDoS attack?

The MITRE ATT&CK® Framework proves that authority requires constant learning and the actionable information it contains has never held greater...

The post 5 Ways MVISION XDR Innovates with MITRE ATT&CK   appeared first on McAfee Blogs.

What is a DDoS attack?

The MITRE ATT&CK® Framework proves that authority requires constant learning and the actionable information it contains has never held greater currency. Likewise, XDR, the category of extended detection and response applications, is quickly becoming accepted by enterprises and embraced by Gartner analysts, because they “improve security operations productivity and enhance detection and response capabilities.” 

It is less well known how these tools align to improve the efficacy of your cybersecurity defenses leveraging key active cyber security industry frameworks. In MVISION XDR there’s a dynamic synergy between the MITRE ATT@CK Framework and XDR. Let’s consider how and why this matters.  

One of the biggest issues with XDR platforms, according to Gartner, is a “lack of diversity in threat intel and defensive techniques.” By aligning our XDR with MITRE, we greatly expand the depth of our investigation, threat detection, and prevention capabilities while driving confidence in preventing the attack chain with relevant insights.  

With MITRE ATT&CK Framework in the hands of your incident response teams, you’re utilizing a definitive and progressive playbook that articulates adversarial behaviors in a standard and authoritative way.  

The Framework is a valuable resource that contains a knowledge base of adversarial techniques that security defenders can reference to make sense of the behaviors (techniques) leading to system intrusions on enterprise networks.  

In MVISION XDR, this synergy results in a shared source of truth. Adding MITRE ATT&CK into your SOC workflow is essential for analysts who need to conduct a thorough impact analysis and decide how to defend against or mitigate attacks.  

Here are five powerful ways that XDR applies MITRE ATT&CK and helps operationalize the framework:  

  • Alignment. MVISION XDR aligns to the MITRE ATT&CK framework including a knowledge base that maps the attacker’s likely path, flow and targets. Not only does it actively align with MITRE attack insights for the investigation, it offercomplete mapping to predicted and prioritized threat campaigns before they hit your organization. This answers the CISO question “will we be the next victim?”  
  • Investigation. MVISION XDR leverages the framework by offering visual alignment with specific threat campaigns—removing the manual mapping effort—and prioritizing next steps such as the critical incidents to address or accelerate the investigation. 
  • Assessment. MVISION XDR allows organizations to quickly answer key questions such as: Do we have a derivative to an active threat campaign? If the answer is yes, your team will respond faster and more assuredly by assessing the recommended prevention guidance in our XDR. 
  • Data Quality. MVISION XDR uses MITRE as a critical guide for “detect, recommend, and respond” actions, including sorting and filtering aggregated data derived from across the entire ATT&CK matrix and operationalize for better investigations. 
  • Optimization. Mapping attack techniques and behaviors with MITRE ATT&CK Framework enables SOCs to discover the root cause and remove dwell time. MVISION XDR goes beyond attack analysis and validation to offer specific prevention and remediation – before and after the attack across all vectors – endpoints, network and cloud. 

Not a Checklist

At first glance, the MITRE ATT&CK framework matrix, with its myriad of sub-techniques, reads like a checklist of concerns for your SOC analysts to evaluate. But approaching threat analysis or investigations that way may lead to a form of tunnel vision. Knowing that an attacker is not just limited to one set of techniques, MVISION XDR boosts your team’s efficacy by covering the entirety of the matrix including device, network, and cloud detection vectors.

MVISION XDR also increases your team’s situational awareness by making it easy to map and correlate tactics, techniques and procedures (TTPs) directly to MITRE ATT&CK information. XDR supplies visualizations that reduce the burden on analysts to identify patterns and assess the recommended prevention guidance. 

As we’ve pointed out on other occasionsMVISION XDR can chain MITRE ATT&CK techniques into complex queries that describe behaviors, instead of individual events. MVISION XDR is hypothesis driven, utilizing Machine Learning and Artificial Intelligence to analyze threat data from multiple sources and map it to the MITRE ATT&CK framework.  

Increasing the efficacy of your SOC team analysts, incident responders and other members of your team is obviously critical to producing smarter and better security outcomes including faster time to detect (MTTD) or remediate (MTTR). MVISION XDR also boosts team productivity and drives more accurate prevention by automating security functions like detection or response.   

Armed with actionable intelligence your team can proactively harden the enterprise before an attack. When Gartner states that “The goal of XDR is improved detection accuracy and security operations center (SOC) productivity” we tend to think that integrating MITRE ATT&CK framework sets the standard in our competitive set. 

At the end of the day, this winning combination of MITRE ATT&CK and MVISION XDR offers the C-level and Board sufficient level of evidence of resilience. A vibrant information exchange must be a two-way street. We work closely with the MITRE team and actively contributes to the development of new matrices to empower the broader MITRE ATT&CK community. ​ 

Hear more from a SOCwise expert on why MITRE matters.


Learn More


An innovative approach to detection and response

Click Here

The post 5 Ways MVISION XDR Innovates with MITRE ATT&CK   appeared first on McAfee Blogs.

Why MITRE ATT&CK Matters? Tue, 09 Mar 2021 19:31:52 +0000 /blogs/?p=118570

MITRE ATT&CK enterprise is a “knowledge base of adversarial techniques”.   In a Security Operations Center (SOC) this resource is serving...

The post Why MITRE ATT&CK Matters? appeared first on McAfee Blogs.


MITRE ATT&CK enterprise is a “knowledge base of adversarial techniques”.   In a Security Operations Center (SOC) this resource is serving as a progressive framework for practitioners to make sense of the behaviors (techniques) leading to system intrusions on enterprise networks. This resource is centered at how SOC practitioners of all levels can craft purposeful defense strategies to assess the efficacy of their security investments against that knowledge base.

To enable practitioners in operationalizing these strategies, the knowledge base provides the “why and the what with comprehensive documentation that includes the descriptions and relational mappings of the behaviors observed by the execution of malware, or even when those weapons were used by known adversaries in their targeting of different victims as reported by security vendors. It goes a step further by introducing the “how” in the form of adversary emulation plans which streamline both the design of threat-models and the necessary technical resources to test those models – i.e., emulating the behavior of the adversary

For scenarios where SOCs may not have the capacity to do this testing themselves, the MITRE Corporation conducts annual evaluations of security vendors and their products against a carefully crafted adversary emulation plan, and it publishes the results for public consumption.  The evaluations can help SOC teams assess both strategy concerns and tactical effectiveness for their defensive needs as they explore market solutions.

This approach is transformative for cyber security, it provides an effective way to evolve from constraints of being solely dependent on IOC-centric or signature-driven defense models to now having a behavior-driven capability for SOCs to tailor their strategic objectives into realistic security outcomes measured through defensive efficacy goals. With a behavior-driven paradigm, the emphasis is on the value of visibility surrounding the events of a detection or prevention action taken by a security sensor – this effectively places context as the essential resource a defender must have available to pursue actionable outcomes.

Cool! So what is this “efficacy” thing all about?

I believe that to achieve meaningful security outcomes our products (defenses) must demonstrate how effective they are (efficacy) at enabling or preserving the security mission we are pursuing in our organizations. For example, to view efficacy in a SOC, let’s see it as a foundation of 5 dimensions:

Detection Gives SOC Analysts higher event actionability and alert handling efficiencies with a focus on most prevalent adversarial behaviors – i.e., let’s tackle the alert-fatigue constraint!
Prevention Gives SOC Leaders/Sponsors confidence to show risk reduction with minimized impact/severity from incidents with credible concerns – e.g., ransomware or destructive threats.
Response Gives SOC Responders a capacity to shorten the time between detection and activating the relevant response actions – i.e., knowing when and how to start containing, mitigating or eradicating.
Investigative Gives SOC Managers a capability to improve quality and speed of investigations by correlating low signal clues for TIER 1 staff and streamlining escalation processes to limited but advanced resources.
Hunting Enables SOC Hunters a capacity to rewind-the-clock as much as possible and expand the discovery across environments for high value indicators stemming from anomalous security events.


So how does “efficacy” relate to my SOC?

Efficacy at the Security and Technical Leadership levels confirms how the portfolio investments are expected to yield the defensive posture of our security strategy, for example, compare your investments today to any of the following:

Strategy (Investment)

Portfolio Focus

Efficacy Goals


Balanced Security

Ability to:

  • Focus on prevalent behaviors
  • Confidently prevent attack chains with relevant impact/severity
  • Provide alert actionability
  • Increase flexibility in response plans based on alert type and impact situation


  • Needs efficacy testing program with adversary emulation plans

Detection Focus

Ability to:

  • Focus on prevalent behaviors
  • Provide alert actionability
  • Proactively discover indicators with hunting


  • Requires humans
  • Minimal prevention maturity
  • Requires solid incident response expertise
  • Hard to scale to proactive phases due to prevention maturity

Prevention Focus

Ability to:

  • Confidently prevent attack chains with relevant impact/severity
  • Lean incident response plans
  • Provide alert actionability and Lean monitoring plans


  • Hard to implement across the business without disrupting user experience and productivity
  • Typically for regulated or low tolerance network zones like PCI systems
  • Needs high TCO for the management of prevention products

 Response Focus

Ability to:

  • Respond effectively to different scenarios identified by products or reported to the SOC


  • Always reacting
  • Requires humans
  • Hard to retain work staff
  • Unable to spot prevalent behaviors
  • Underdeveloped detection
  • Underdeveloped prevention


MITRE ATT&CK matters as it introduces the practical sense-making SOC professionals need so they can discern attack chains versus security events through visibility of the most prevalent behaviors.

Consequently, it allows practitioners to overcome crucial limitations from the reliance on indicator-driven defense models that skew realistic efficacy goals, thereby maximizing the value of a security portfolio investment.

The post Why MITRE ATT&CK Matters? appeared first on McAfee Blogs.

The Fastest Route to SASE Fri, 05 Mar 2021 18:30:53 +0000 /blogs/?p=118186

Shortcuts aren’t always the fastest or safest route from Point A to Point B. Providing faster “direct to cloud” access...

The post The Fastest Route to SASE appeared first on McAfee Blogs.


Shortcuts aren’t always the fastest or safest route from Point A to Point B. Providing faster “direct to cloud” access for your users to critical applications and cloud services can certainly improve productivity and reduce costs, but cutting corners on security can come with huge consequences. The Secure Access Service Edge (SASE) framework shows how to achieve digital transformation without compromising security, but organizations still face a number of difficult choices in how they go about it. Now, McAfee can help your organization take the shortest, fastest, and most secure path to SASE with its MVISION Unified Cloud Edge solution delivered alongside SD-WAN.

Decision makers seek a faster, more efficient high road to cloud and network transformation without compromising security. The need for speed and scalability is crucial, but corners cannot be cut when it comes to maintaining data and threat protection. Safety and security cannot be left behind in a cloud of transformation dust. This blog will look at the major trends driving SASE adoption, and will then discuss how a complete SASE deployment can deliver improved performance, superior threat & data security, lower complexity, and cost savings. We’ll then explain why fast AND secure cloud transformation requires an intelligent, hyperscale platform to accelerate SASE adoption.

Dangerous Detours, Potholes, and Roadblocks

While digital transformation promises substantial gains in productivity and efficiencies, the journey is littered with security and efficiency challenges that can detour your organization from its desired upgrades and safe destination.

Digital transformation challenges that must be addressed include:

  • The Big Shift – Shifting your organization’s applications and data out of corporate data centers and into the cloud.
  • Going More Mobile – The proliferation of mobile devices leaves your corporate resources more vulnerable as they are being accessed by a growing number of devices many of which are personally owned and unmanaged.
  • Work from Anywhere– The seemingly permanent shift towards “Work from Home” creates an increased demand for more efficient distributed access to cloud-based corporate resources that secures visibility and control amidst the eroding traditional network.
  • Costly Infrastructure – MPLS connections, VPN concentrators, and huge centralized network security infrastructure represent major investments with significant operational expense. The fact that multiple security solutions typically operate in distinct siloes compounds management effort and costs.
  • Slow Performance, High Latency, and Low Productivity – Dedicated MPLS and VPN lines are also slow and architecturally inefficient, requiring all traffic to go to the data center for security and then all the way back out to internet resources – NOT a straight line.
  • Data Vulnerability – Data resides and moves completely outside the scope of perimeter security through collaboration from the cloud to third parties, between cloud services, and access by unmanaged devices, leaving it prone to incidents without security teams knowing.
  • Evolving Threats and Techniques – Staying ahead of the latest malware remains a priority, but many modern attacks are emerging that use techniques like social engineering to exploit the features of cloud providers and mimic user behavior with legitimate credentials. Detecting these seemingly legitimate behaviors is extremely difficult for traditional security tools.

Feel the Need for Safe, But Less Costly Speed

The increasingly difficult challenge of providing a fast and safe cloud environment to an increasingly distributed workforce has become a major detour in the drive to transform from traditional enterprise networks and local data centers. Companies have had to meet the challenge to “adapt or die” in connecting their employees and devices to corporate resources, but many have generally needed to choose between two unsatisfactory compromises: secure but slow and expensive, or fast and affordable but not secure. Adopting a SASE framework is the way to achieve all of the benefits of cloud transformation without compromise:

  • Reduction in Cost and Complexity – A great benefit for your SOC and IT teams, SASE promotes a network transformation that simplifies your technology stack, reducing costs and complexity.
  • Increased Speed and Productivity – Fast, uninterrupted access to applications and data boosts the user experience and improves productivity. SASE provides ubiquitous, low-latency connectivity for your workforce – even remote workers – via a fast and ubiquitous cloud service, and uses a streamlined “single pass” inspection model that ensures they aren’t bogged down by security.
  • Multi-Vector Data Protection – SASE mandates the protection of data traveling through the internet, within the cloud, and moving cloud to cloud, enabling Zero Trust policy decisions at every control point.
  • Comprehensive Threat Defense – A SASE framework fortifies an organization’s threat defense capabilities for detecting both cloud-native and advanced malware attacks within the cloud and from any web destination.

Selecting the Best Path to Transformation

When network and security decision makers come to the proverbial fork in the road to network transformation, what is the best path that enables fast and affordable access without leading to unacceptable security risk? A recent blog by McAfee detailed four architectural approaches based on the willingness to embrace new technologies and bring them together. After examining the pros and cons of these four paths, the ideal solution to achieve fast, secure, and cost-effective access to web and cloud resources is a SASE model that brings together a ubiquitous, tightly integrated security stack with a robust, direct-to-cloud SD-WAN integrated networking solution. This combination provides a secure network express lane to the cloud, cruising around the latency challenges of slow, expensive MPLS links for connectivity to your applications and resources.

MVISION Unified Cloud Edge (UCE) + SD-WAN: Fast, Furious and Secure

Fast Network. Data Protection. Threat Protection. Speed, security and safety turbocharged connectivity throughout a hyperscale cloud network without compromise.

MVISION UCE is the best framework for implementing a SASE architecture to accelerate digital transformation with cloud services, enabling cloud and internet access from any device while empowering ultimate workforce productivity. MVISION UCE brings SASE’s most important security technologies – Cloud Access Security Broker (CASB), Next-gen Secure Web Gateway (SWG), Data Loss Prevention (DLP), and Remote Browser Isolation (RBI) – together in a single cloud-native hyperscale service edge that delivers single-pass security inspection with ultra-low latency and 99.999% availability.

With MVISION Unified Cloud Edge and our SD-WAN integration partners, you can lead a network transformation that reduces costs and speeds up the user experience by using fast, affordable broadband connections instead of expensive MPLS.

MVISION UCE and SD-WAN transforms your network architecture by enabling users to directly access cloud resources without having to go back through their corporate network through MLPS or VPN connection. Now users can directly access cloud resources, and the McAfee cloud infrastructure is so well-optimized that they can often access resources even FASTER than if there was no intervening security stack! Read how Peering POPs make negative latency possible in this McAfee White Paper.

Because of the way we’ve delivered our product, MVISION UCE + SD-WAN unleashes SASE’s benefits, with data and threat protection that other vendors can’t match.

Reduction in Cost and Complexity, Increased Speed and Agility

  • The resulting converged cloud service is substantially more efficient than building your own SASE by manually integrating separate cloud-based technologies
  • Minimize inefficient traffic backhauling with intelligent, efficient, and secure direct-to-cloud access
  • Protect remote sites via SD-WAN using industry standard Dynamic IPSec and GRE protocols leveraging SD-WAN technology that gets office sites to cloud resources faster and more directly than ever before
  • Enjoy low latency and unlimited scalability with a global cloud footprint and cloud-native architecture that includes global Peering POPs (Point of Presence) reducing delays
  • As a cloud service with 99.999% uptime (Maintained Service Availability) and internet speeds faster than a direct connection, you improve the productivity of your workforce while reducing the cost of your network infrastructure.

Multi-Vector Data Protection

  • The McAfee approach to data protection is unified, meaning each control point works as part of a whole solution.
  • All access points are covered using the same data loss prevention (DLP) engine, giving you an easily traceable path from device to cloud
  • Your data classifications can be set once, and applied in policies that protect the endpoint, web traffic and any cloud interaction
  • All incidents are centralized in one management console for a single view of your data protection practice, giving you a streamlined incident management experience

Comprehensive Threat Defense

  • Intelligence-driven unified protection – CASB, Next-gen SWG, DLP – against the most sophisticated cyberattacks and data loss
  • Remote Browser Isolation (RBI) protection from web-based threats and malware through the remote exclusion and containment of all browsing activities to a remote server hosted in the cloud
  • The industry’s most effective in-line emulation sandbox, capable of removing zero-day malware at line speed
  • User and entity behavior analytics (UEBA) monitoring all cloud activity for anomalies and threats to your data

If you are looking for improved productivity and lower costs of cloud transformation without cutting corners, McAfee MVISION UCE offers the fastest route to SASE — without compromising your data and threat security.


The post The Fastest Route to SASE appeared first on McAfee Blogs.

Hacking Proprietary Protocols with Sharks and Pandas Tue, 02 Mar 2021 17:37:25 +0000 /blogs/?p=117904

The human race commonly fears what it doesn’t understand.  In a time of war, this fear is even greater if...

The post Hacking Proprietary Protocols with Sharks and Pandas appeared first on McAfee Blogs.


The human race commonly fears what it doesn’t understand.  In a time of war, this fear is even greater if one side understands a weapon or technology that the other side does not.  There is a constant war which plagues cybersecurity; perhaps not only in cybersecurity, but in the world all around us is a battle between good and evil.  In cyber security if the “evil” side understands or pays more attention to a technology than the “good” side, we see a spike in cyber-attacks.

This course of events demands that both offensively and defensively minded “good guys” band together to remove the unknown from as much technology as possible.  One of the most common unknown pieces of technology in cybersecurity that professionals see on a regular basis are proprietary protocols running across their networks.  By using both the tactics and perspectives from red and blue teams it is possible to conquer and understand these previously unknown packets.  This strategy is exactly what we, Douglas McKee and Ismael Valenzuela, hoped to communicate in our webinar ‘Thinking Red, Acting Blue: Hacking Proprietary Protocols”.

Proprietary protocols are typically a mystery to many practitioners.  Vendors across many industries develop them for very specific purposes and technologies.  We see them in everything from the Internet of Things (IOT), to Industrial Controls Systems (ICS), to medical devices and more.   Since by its nature “proprietary” technology is not shared, there is generally no public Request for Comments (RFC) or public disclosure on how they work.  This provides an opportunity for attackers and a challenge for defenders.  Attackers are aware these networking protocols are less reviewed and therefore more susceptible to vulnerabilities, while defenders have a hard time understanding what valid or benign traffic looks like.   Unfortunately, attackers are generally more financially motivated to spend the time reversing these protocols than defenders, since the rewards can be very substantial.

During the webinar we discussed a two-prong approach to tackling these unknown protocols with the goal of a deeper understanding of this data.  A red team’s purpose may be to look for vulnerabilities, while a blue team may be more interested in detecting or flagging unusual behavior in this traffic.   We discuss how this can be accomplished through visual inspection using Wireshark to compare the traffic across multiple conversations, and we complemented this analysis with python libraries like pandas, numpy and matplotlib, for data exploration and visualization.

For example, consider the packets in the Wireshark captures side-by-side in Figure 1.   An astute reader may notice that the UDP packets are evenly spaced between each other within the same PCAP, yet differently spaced between pcaps.

In protocol analysis this can indicate the use of a status or “heartbeat” packet, which may contain some type of data where the interval it is sent is negotiated for each conversation.  We have seen this as a common trait in proprietary protocols.  This can be difficult for a cybersecurity professional to discern with a small amount of data, but could be very helpful for further analysis.  If we import the same data into pandas dataframes and we add matplotlib visualizations to our analysis, the behavior becomes much clearer as seen in Figure 2.

By using the reverse engineering perspective of a vulnerability researcher combined with the data analysis insight of a defender, we can strengthen and more quickly understand the unknown.  If this type of deep technical analysis of proprietary protocols interests you, we encourage you to check out the recording of our presentation below.  We have made all of our resources public on this topic, including pcaps and python code in a Jupyter Notebook, which can be found on Github and Binder.   It is important as an industry that we don’t give into fear of the unknown or just ignore these odd looking packets on our network, but instead lean in to understand the security challenges proprietary protocols can present and how to protect against them.

The post Hacking Proprietary Protocols with Sharks and Pandas appeared first on McAfee Blogs.

Domain Age as an Internet Filter Criteria Wed, 17 Feb 2021 20:11:17 +0000 /blogs/?p=117466

Use of “domain age” is a feature being promoted by various firewall and web security vendors as a method to...

The post Domain Age as an Internet Filter Criteria appeared first on McAfee Blogs.


Use of “domain age” is a feature being promoted by various firewall and web security vendors as a method to protect users and systems from accessing malicious internet destinations. The concept is to use domain age as a generic traffic filtering parameter. The thought is that hosts associated with newly registered domains should be either completely blocked, isolated, or treated with high suspicion. This blog will describe what domain age is, how domains are created and registered, domain age value, and how domain age can be used most effectively as a compliment to other web security tools.

Domain Age Feature Definition

The sites and domains of the internet are constantly changing and evolving. In the first quarter of 2020 an average of over 40,000 domains were registered per day. If the domain of a target host is known that domain has a registration date available for lookup from various sources. Domain age is a simple calculation of the time between initial domain registration and the current date.

A domain age feature is designed for use in policy control, where an administrator can set a minimum domain age that should be necessary to allow access to a given internet destination. The idea is that since domains are so easy and cheap to establish, new domains should be treated with great care, if not blocked outright. Unfortunately, with most protocols and implementations, domain age policy selection is a binary decision to allow or block. This is not very useful when the ultimate destinations are hosts, subdomains, and destination addresses that can be rapidly activated, changed, and deactivated without ever changing the domain age. As a result, binary security decisions based solely on domain name or domain age will naturally result in both false positives and false negatives that are detrimental to security, user experience, and productivity.

Domain Registration

IANA (Internet Assigned Numbers Authority) is the department of ICANN (Internet Corporation for Assigned Names and Numbers) responsible for managing the registries of, protocol parameters, domain names, IP addresses, and Autonomous System Numbers.

IANA manages the DNS root zone and TLDs (Top Level Domains like .com, .org, .edu, etc.) and registrars are responsible for working with the Internet Registry and IANA to register individual subdomains within the top-level domains.

Details of the registration process and definitions can be found on the IANA site ( Additional details can be found here: This location includes the following statement:

“In some cases, a person or organization who does not wish to have their information listed in WHOIS may contract with a proxy service provider to register domain names on their behalf. In this case, the service provider is the domain name registrant, not the end customer.”

This means that service providers, and end customers are free to register a domain once and reuse, reassign or sell that domain without changing the registration date or changing any other registration information. Registrars can and do auction addresses creating a vast market for domain “squatters and trolls.” An attacker can cheaply purchase an established domain of a defunct business or register a completely new legitimate sounding domain and leave it unused for weeks, months or years.  For example, as of this writing is up for sale on for just $65 USD. The domain was originally registered in 2003. IANA and the registrars have no responsibility or control over usage of domains.

Determining Domain Age

Domain age is determined from the domain record in the Internet Registry managed by the registry operator for a TLD (Top Level Domain). Ultimately the registrar is responsible for the establishment of a domain registration and updating related data. The record in the registry will have an original creation date but that date doesn’t change unless the registration for a specific domain expires and the domain name is re-registered. Because of this, domain age is an extremely inaccurate measure of when an individual destination became active.

And what if only the destination IP address is known at the time of the filtering decision? This could be the case for filtering the first packet sent to a specific destination (TCP SYN or first UDP packet of some other network or transport level protocol). One way to get the domain for the destination would be a reverse DNS lookup, but the domain for the host may not match the domain that was originally submitted for resolution, so what value is domain age there?

For example, can currently resolve to which reverse resolves to While the domain was registered on 1992-08-05, was registered on 1998-08-18. Both are long established domains, but just because this destination, in the well-established domain, is hosted on the well-established domain, this doesn’t provide any indication of when the, or destination became active, or the risk of communicating with that IP address. Domain age becomes even less useful when we consider destinations hosted in the public cloud (IaaS and SaaS) using the providers’ domains.

Obtaining the wrong domain and therefore wrong domain age from reverse lookup could be somewhat mitigated by tracking the DNS queries of the client and attempting to map those domains back to the requested destination IP. However, doing this would also be dependent on having full visibility into all DNS requests from the client, and assumes that the destination IP address was determined using standard DNS or by the system providing the domain age filtering.

Challenges with Using Domain Age as a Generic Filter Criteria

Even if the correct domain for the transmission can be established, and the domain age can be accurately retrieved, there are still issues that should be considered.

Registrars are free to maintain, change, and reassign established domains to any customer, and resellers can do the same. This greatly diminishes the usefulness of domain age as a stand-alone filtering parameter because a malicious actor can easily acquire an existing well-established domain with a neutral or even positive reputation. A malicious actor can also register a new domain long before it is put into use as a command and control or attack domain.

Legitimate and perfectly safe sites are constantly being registered and established in many cases within days or even hours of being put into use. When using domain age as filter criteria there will always be a tradeoff between false positive and false negative rates.

It should also be noted that domain age provides little value relative to when an individual hostname record was created within a domain. Well established domains can have an infinite number of subdomains and individual hosts within those domains, and there is no way to accurately determine hostname age or even when the name was associated with an active IP. All that could possibly be determined is that the destination hostname is part of a domain that was registered at some earlier date.

The bottom line is that domain age is not nearly granular or substantive enough to make a useful filtering decision on its own. However, domain age could provide some limited security value in the complete absence of more specific criteria, provided the false positive rate and false negative rate associated with the selected recency threshold can be tolerated. Domain age can provide supplemental value when combined with other more definitive filter criteria for example protocol, content type, host category, host reputation, host first seen, frequency of host access, web service attributes, and others.

Domain Age in the Context of HTTP/S and Proxy Based Filtering

More specific criteria are always available when the HTTP protocol is in use. HTTP and HTTPS filtering is most effectively handled via explicit or transparent proxy. If the protocol is followed (enforced by the device or service), information cannot be transferred, and a compromise or attack cannot be initiated, until after TCP connection establishment.

Given that the traffic is being proxied, and HTTPS can be decrypted, accurate Fully Qualified Domain Name (FQDNs) for the host, URL path, and URL parameters can be identified and verified by the proxy for use in filtering decisions. The ability to lookup information on the FQDN, full URL path, and URL parameters provides much more valuable information relative to the history, risk level, and usage of the specific site, destination, and service independent of the domain or the domain’s date of registration Such contextual data can be further enhanced when the proxy associates the request with a specific service and its data security attributes (such as type of service, intellectual property ownership, breach history, etc.).

Industry leading web proxy vendors maintain extensive and comprehensive databases of the most frequently used sites, domains, applications, services, and URLs. The McAfee Global Threat Intelligence and Cloud Registry databases associate sites, domains, and URLs with geolocation, category, service, service attributes, applications, data risk reputations, threat reputations and more. As a side benefit, lack of an entry in the databases for a specific host, domain, service, or URL is an extremely strong, and much more accurate, indication that the site is newly established or little used and therefore should not be inherently trusted. Such sites should be treated with caution and blocked or coached or isolated (the latter two options are uniquely available with proxied HTTP/S) based on that criteria alone, regardless of domain age.

McAfee’s Unified Cloud Edge provides all of the above functionality and includes remote browser isolation (RBI) for uncategorized, unverified, and otherwise risky sites. This virtually eliminates the risks of browsers or other applications accessing uncategorized sites, without adding the complications of false positives and false negatives from a domain age filter.

When using HTTP/S, hostname age, or even first and/or last hostname seen date could provide additional value, but domain age is pretty much useless when the FQDN and more specific site or service related information is available. Best practice is to block, isolate, or at a minimum, coach unverified sites and services without regard to domain age. Allowing unverified sites or services based on domain age adds significant risk of false negatives (risky sites and services being allowed simply because the domain was not recently registered). Generically blocking sites and services based on domain age alone would lead to over-blocking sites that have established good reputations and should not be blocked.


Domain age can be somewhat useful for supplementing filter decisions in situations where no other more accurate and specific information is available about the destination of a network packet. When considering use of domain age for HTTP/S filtering, it is an extremely poor substitute for a more comprehensive threat intelligence and service database. If the decision is made to deviate from best practice and allow HTTP/S connections to unverified sites, without isolation, then domain age can provide limited supplemental value by blocking unverified sites that are in newly registered domains. This comes at the expense of a false sense of security and much greater risk of false negatives when compared to the best practice of using comprehensive web threat intelligence, performing thorough request and response analysis, and simply blocking, isolating, or coaching unverified sites.


The post Domain Age as an Internet Filter Criteria appeared first on McAfee Blogs.

Are You Ready for XDR? Tue, 16 Feb 2021 16:02:47 +0000 /blogs/?p=117130

What is your organization’s readiness for the emerging eXtended Detection Response (XDR) technology? McAfee just released the first iteration of this technology, MVISION XDR....

The post Are You Ready for XDR? appeared first on McAfee Blogs.


What is your organizations readiness for the emerging eXtended Detection Response (XDR) technology? McAfee just released the first iteration of this technologyMVISION XDR. As XDR capabilities become available, organizations need to think through how to embrace the new security operations technology destined to empower detection and response capabilities. XDR is a journey for people and organizations. 

The cool thing about McAfee’s offering is the XDR capabilities is built on the McAfee platform of MVISION EDR, MVISION Insights and is extended to other McAfee products and third-party offerings.   This means — as a McAfee customer  your XDR journey has already begun. 

The core value prop behind XDR is to empower the SecOps function which is still heavily burdened with limited staff and resources while the threat landscape roars. This cry is not new. As duly noted in the book,  Ten Strategies of World-class Cybersecurity Operations Center, written quite a few moons ago:  “With the right tools, one good analyst can do the job of 100 mediocre ones.” XDR is the right tool. 

 SecOps empowerment means impacting and changing people and process in a positive manner resulting in better security outcomesOrganizations must consider and prepare for this helpful shift. Here are three key considerations organizations need to be aware of and ready for: 

The Wonder of Harmonizing Security Controls and Data Across all Vectors  

A baseline requirement for XDR is to unify and aggregate security controls and data to elevate situation awareness.  Now consider what does this mean to certain siloed functions like endpoint, network and web.  Let’s say you are analyst who typically pulls telemetry from separate control points (endpoint, network, web) moving from each tool with a login, to another tool with another login and so on. Or maybe you only have access to the endpoint tool. To gain insight into the network you emailed the network folks with artifacts you are seeing on the endpoint and ask if these is anything similar, they have seen on the edge and what they make of it. Often there is a delayed response from network folks given their priorities. And you call the web folks for their input on what they are seeing.  Enter XDR.  What if this information and insights was automatically given to you on a unified dashboard where situation awareness analysis has already begun.  This reduces the manual pivoting of copy and pasting, emailing, and phone calls.  It removes the multiple data sets to manage and the cognitive strain to make sense of it. The collection, triaging, and initial investigative analysis are automated and streamlined. This empowers the analysts to get to a quicker validation and assessment. The skilled analyst will also use  experience and human intuition to respond to the adversary, but the initial triaging, investigation, and analysis has already been doneIn addition, XDR fosters the critical collaboration between the network operations and security operations since adversary movement is erratic across the entire infrastructure  

Actionable Intelligence Fosters Proactive SecOps Efforts (MVISION XDR note-worthy distinction) 

Imagine if your SecOps gained high priority threat intelligence before the adversary hits and enters your environment. What does it mean to your daily SecOps processes and policy?  It removes a significant amount to of hunting, triaging and investigation cycles. It simply prioritizes and accelerates the investigation.  It answers the questions that matter. Any associated campaign is bubbled up immediately.  You are getting over a hundred high alerts, but one is related to a threat campaign that is likely to hit.  It removes the guess work and prioritizes SecOps efforts. It assesses your environment and the likely impact—what is vulnerable. More importantly it suggests counter measures you can take. It moves you from swimming in context to action in minutes.   

This brings the SecOps to a decision moment faster—do they have the authority to respond? Are they a participant in prevention efforts?  Note this topic is Strategy Three in the Ten Strategies of World-class Cybersecurity Operations Center where it is highly encouraged to empower SecOps to make and/or participate in such decisions.  Policies for response decisions and actions vary by organizations, the takeaway here is decision moments come faster and more often with significant research and credible context from MVISION XDR. 

Enjoy the Dance Between Security and IT  

XDR is an open, integrated platform.  So, what does it mean to people and process if all the pieces are integrated and security functions coordinate efforts? It depends on the pieces that are connected. For example, if SecOps can place a recommendation to update certain systems on the IT service system automatically it removes the necessity to login into the IT system and place a request or in some cases call or email IT (eliminating time-consuming step.)  There is a heightened need for whatif scenario policies driven by Secure Orchestration Automation Response (SOAR) solutions.  These policies are typically reflected in a manual playbook or SOAR playbook.  

Let’s consider an example, when an email phishing alert is offered the SOAR automatically (by policy/play required) compares the alert against others to see if there are commonalties worth noting. If so, the common artifacts are assigned to one analyst versus distributing separate alerts to many analysts. This streamlines the investigation and response to be more effective and less consuming. There are many more examples, but the point is when you coordinate security functions organization must think through how they want each function to act under specific circumstances—what is your policy for these circumstances. 

These are just a few areas to consider when you embrace XDR. I hope this initial discussion started you thinking about what to consider when embracing XDR. We have an online SOC audit where you can assess your SOC maturity and plan where you want to go.  Join us for a webinar on XDR readiness where experts will examine how to prepare to optimize XDR capabilities.  We also have a SOC best practices series, SOCwise that offers regular advice and tips for your SOC efforts!   



The post Are You Ready for XDR? appeared first on McAfee Blogs.

XDR – Please Explain? Wed, 10 Feb 2021 23:27:37 +0000 /blogs/?p=116935

SIEM, we need to talk!  Albert Einstein once said, “We cannot solve our problems with the same thinking we used when...

The post XDR – Please Explain? appeared first on McAfee Blogs.


SIEM, we need to talk! 

Albert Einstein once said, We cannot solve our problems with the same thinking we used when we created them. 

Security vendors have spent the last two decades providing more of the same orchestration, detection, and response capabilities, while promising different results. And as the old adage goes, doing the same thing over and over again whilst expecting different results is? Ill let you fill in the blank yourself.   

Figure 1: The Impact of XDR in the Modern SOC: Biggest SIEM challenges – ESG Research 2020

SIEM! SOAR! Next Generation SIEM! The names changed, while the same fundamental challenges remained: they all required heavy lifting and ongoing manual maintenance. As noted by ESG Research, SIEM – being a baseline capability within SOC environments  continues to present challenges to organisations by being either too costly, exceedingly resource intensive, requiring far too much expertise, and various other concerns. A common example of this is how SOC teams still must create manual correlation rules to find the bad connections between logs from different products, applications and networksToo often, these rules flooded analysts with information and false alerts and render the product too noisy to effective. 

The expanding attack surface, which now spans Web, Cloud, Data, Network and morehas also added a layer of complexity. The security industry cannot only rely on its customers analysts to properly configure a security solution with such a wide scope. Implementing only the correct configurations, fine-tuning hundreds of custom log parsers and interpreters, defining very specific correlation rules, developing necessary remediation workflows, and so much more  its all a bit too much. 

Detections now bubble up from many siloed tools, too, including Intrusion Prevention System(IPS) for network protection, Endpoint Protection Platforms (EPP) deployed across managed systems, and Cloud Application Security Broker (CASB) solutions for your SaaS applications. Correlating those detections to paint a complete picture is now an even bigger challenge. 

There is also no R in SIEM – that is, there is no inherent response built into SIEM. You can almost liken it to a fire alarm that isnt connected to the sprinklers.  

SIEMs have been the foundation of security operations for decades, and that should be acknowledged. Thankfully, theyre now being used more appropriately, i.e. for logging, aggregation, and archiving 

Now, Endpoint Detection and Response (EDR) solutions are absolutely on the right track  enabling analysts to sharpen their skills through guided investigations and streamline remediation efforts – but it ultimately suffers from a network blind spot. Similarly, network security solutions dont offer the necessary telemetry and visibility across your endpoint assets.

Considering the alternatives

Of Gartners Top 9 Security and Risk Trends for 2020Extended detection and response capabilities emerge to improve accuracy and productivity ranked as their #1 trend. They notedExtended detection and response (XDR) solutions are emerging that automatically collect and correlate data from multiple security products to improve threat detection and provide an incident response capabilityThe primary goals of an XDR solution are to increase detection accuracy and improve security operations efficiency and productivity. 

That sounds awfully similar to SIEM, so how is an XDR any different from all the previous security orchestration, detection, and response solutions? 

The answer is: An XDR is a converged platform leveraging a common ontology and unifying language. An effective XDR must bring together numerous heterogeneous signals, and return a homogenous visual and analytical representation.. XDR must clearly show the potential security correlations (or in other words, attack stories) that the SOC should focus on. Such a solution would de-duplicate information on one hand, but would emphasize the truly high-risk attacks, while filtering out the mountains of noise. The desired outcome would not require exceeding amounts of manual work; allowing SOC analysts to stop serving as an army of translators and focus on the real work  leading investigations and mitigating attacks. This normalized presentation of data would be aware of context and content, be advanced technologically, but simple for analysts to understand and act upon. 

SIEMs are data-driven, meaning they need data definitions, custom parsing rules and pre-baked content packs to retrospectively provide context. In contrast, XDR is hypothesis driven, harnessing the power of Machine Learning and Artificial Intelligence engines to analyse high-fidelity threat data from a multitude of sources across the environment to support specific lines of investigation mapped to the MITRE ATT&CK framework.  

The MITRE ATT&CK framework is effective at highlighting how bad guys do what they do, and how they do it. While traditional prevention measures are great at spot it and stop it protections, MITRE ATT&CK demonstrates there are many steps taking place in the attack lifecycle that arent obvious. These actions dont trigger sufficient alerting to generate the confidence required to support a reaction.  

XDR isnt a single product. Rather, it refers to an assembly of multiple security products (and services) that comprise a unified platform. AnXDR approach will shiftprocesses and likely merge and encouragetighter coordination between different functions likeSOC analysts, hunters, incident respondersand ITadministrators. 

The ideal XDR solution must provide enhanced detection and response capabilities across endpoints, networks, and cloud infrastructures. It needs to prioritise and predict threats that matter BEFORE the attack and prescribe necessary countermeasures allowing the organisation to proactively harden their environment. 

Figure 2: Where current XDR approaches are failing

McAfees MVISION XDR solution does just that, by empowering the SOC to do more with unified visibility and control across endpoints, network, and cloud. McAfee XDR orchestrates both McAfee and non-McAfee security assets to deliver actionable cyber threat management and support both guided and automated investigations. 

What if you could find out if you’re in the crosshairs of a top threat campaign, by using global telemetry from over 1 billion sensors that automatically tracks new campaigns according to geography and industry vertical? Wouldn’t that beinsightful? 

“Many firms want to be more proactive but do not have the resources or talent to execute. McAfee can help bridge this gap by offering organisations a global outlook across the entire threat landscape with local context to respond appropriately. In this way, McAfee can support a CISO-level strategy that combines risk and threat operations.” 

– Jon Oltsik, ESG Senior Principal Analyst and Fellow

But, hang on… Is this all just another ‘platform’ play 

Take a moment to consider how platform offerings have evolved over the years. Initially designed to compensate for the heterogeneity and volume of internal data sources and external threat intelligence feeds, the core objective has predominantly been to manifest data centrally from across a range of vectors in order to streamline security operations efforts. We then saw the introduction of case management capabilities. 

Over the past decade, the security industry proposed solving many of  the challenges presented in SOC contexts through integrations. You would buy products from a few different vendorswho promised it would all work together through API integration, and basically give you some form of pseudo-XDR outcomes were exploring here.  

Frankly, there are significant limitations in that approach. There is no data persistence; you basically make requests to the lowest API denominator on a one-to-one basis. The information sharing model was one-way question and answer leveraging a scheduled push-pull methodology. The other big issue was the inability to pull information in whatever form  you were limited to the API available between the participating parties, with the result ultimately only as good as the dumbest API.  

And what about the lack of any shared ontology, meaning little to no common objects or attributes? There were no shared components, such as UI/UX, incident management, logging, dashboards, policy definitions, user authentication, etc. 

What’s desperately been needed is an open underlying platform – essentially like a universal API gateway scaled across the cloud that leverages messaging fabrics like DXL that facilitate easy bi-lateral exchange between many security functions – where vendors and partner technologies create tight integrations and synergies to support specific use cases benefitting SOC ecosystems. 

Is XDR, then, a solution or product to be procured? Or just a security strategy to be adopted?Potentially, its both.Some vendors are releasing XDR solutions that complement their portfolio strengths, and others are just flaunting XDR-like capabilities.  

 Closing Thoughts

SIEMs still deliver specific outcomes to organisations and SOCswhich cannot be replaced by XDR. In fact, with XDR, a SIEM can be even more valuable. 

For most organisations, XDR will be a journey, not a destination. Their ability to become more effective through XDR will depend on their maturity and readiness toembrace all the requiredprocesses.In terms of cybersecurity maturity, if youd rate your organisation at a medium to high level, the question becomes how and when. 

Most organisations using an Endpoint Detection and Response(EDR) solution are likely quite readyto embrace XDRscapabilities. They are already investigating and resolving endpoint threats and theyre ready to expand this effort to understand how their adversaries move across their infrastructure, too. 

If youd like to know more about how McAfee addresses these challenges with MVISION XDR, feel free to reach out! 

The post XDR – Please Explain? appeared first on McAfee Blogs.

6 Best Practices for SecOps in the Wake of the Sunburst Threat Campaign Fri, 05 Feb 2021 18:52:59 +0000 /blogs/?p=116827 Strong passwords

1. Attackers have a plan, with clear objectives and outcomes in mind. Do you have one? Clearly this was a...

The post 6 Best Practices for SecOps in the Wake of the Sunburst Threat Campaign appeared first on McAfee Blogs.

Strong passwords

1. Attackers have a plan, with clear objectives and outcomes in mind. Do you have one?

Clearly this was a motivated and patient adversary. They spent many months in the planning and execution of an attack that was not incredibly sophisticated in its tactics, but rather used multiple semi-novel attack methods combined with persistent, stealthy and well-orchestrated processes. In a world where we always need to find ways to stay even one step ahead of adversaries, how well is your SOC prepared to bring the same level of consistent, methodical and well-orchestrated visibility and response when such an adversary comes knocking at your door? 

Plan, test and continuously improve your SecOps processes with effective purple-teaming exercises. Try to think like a stealthy attacker and predict what sources of telemetry will be necessary to detect suspicious usage of legitimate applications and trusted software solutions.

2. Modern attacks abuse trust, not necessarily vulnerabilities. Bethreat focused. Do threat modeling and identify where the risks are. Leverage BCP data and think of your identity providers (AD Domain Controllers, Azure AD, etc.) as ‘crown jewels’.

Assume that your most critical assets are under attack, especially those that leverage third-party applications where elevated privileges are a requirement for their effective operation. Granting service accounts unrestricted administrative privileges sounds like a bad idea – because it is. Least-privilege access, micro segmentation and ingress/egress traffic filtering should be implemented in support of a Zero-Trust program for those assets specifically that allow outside access by a ‘trusted’ 3rd-party.

3. IOCs are becoming less useful as attackers don’t reuse them, sometimes even inside the same victim. Focus on TTPs & behaviors.

The threat research world has moved beyond atomic indicators, file hashes and watchlists of malicious IPs and domains upon which most threat intelligence providers still rely. Think beyond Indicators of Compromise. We should rely less on static lists of artifacts but instead focused on heuristics and behavioral indicators. Event-only analysis can easily identify the low-hanging fruit of commodity attack patterns, but more sophisticated adversaries are going to make it more difficult. Ephemeral C2 servers and single-use DNS entries per asset (not target enterprise) were some of the more well-planned (yet relatively simple) behaviors seen in the Sunburst attack. Monitor carefully for changes in asset configuration like logging output/location or even the absence of new audit messages in a given polling period.  

4. Beware of the perfect attack fallacy. Attackers can’t innovate across the entire attack chain. Identify places where you have more chances to detect their presence (i.e. privilege escalation, persistency, discovery, defense evasion, etc.)

All telemetry is NOT created equal. Behavioral analysis of authentication events in support of UEBA detections can be incredibly effective, but that assumes identity data is available in the event stream. Based on my experience, SIEM data typically yields only 15-20% of events that include useful identity data, whereas almost 85% of cloud access events contain this rich contextual data, a byproduct of growing IAM adoption and SSO practices. Events generated from critical assets (crown jewels) are of obvious interest to SecOps analysts for both detection and investigation, but don’t lose sight of those assets on the periphery; perhaps an RDP jump box sitting in the DMZ that also synchronizes trust with enterprise AD servers either on-premises or in the cloud. Find ways to isolate assets with elevated privilege or those running ‘trusted’ third-party applications using micro segmentation where behavioral analysis can more easily be performed. Leverage volumetric analysis of network traffic to identify potentially abnormal patterns; monitor inbound and outbound requests (DNS, HTTP, FTP, etc) to detect when a new session has been made to/from an unknown source/destination – or where the registration age of the target domain seems suspiciously new. Learn what ‘normal’ looks like from these assets by baselining and fingerprinting, so that unusual activity can be blocked or at the very least escalated to an analyst for review. 

5. Architect your defenses for visibility, detection & response to augment protection capabilities. Leverage EDR, XDR & SIEM for historical and real-time threat hunting.

The only way to gain insight into the attacker behaviors – and any chance of detecting and disrupting attacks of this style – require extensive telemetry from a wide array of sensors. Endpoint sensor grids provide high-fidelity telemetry about all things on-device but are rarely deployed on server assets and tend to be network-blind. SIEMs have traditionally been leveraged to consume and correlate data from all 3rd-party data sources, but it likely does not have the ability (or scale) to consume all EDR/endpoint events, leaving them largely endpoint-blind. As more enterprise assets and applications move to the cloud, we have yet a third source of high-value telemetry that must be available to SOC analysts for detection and investigation. Threat hunting can only effectively be performed when SecOps practitioners have access to a broad range of real-time and historical telemetry from a diverse sensor grid that spans the entire enterprise. They need the ability to look for behaviors – not just events or artifacts – across the full spectrum of enterprise assets and data. 

6. In today’s #cyberdefensegame it’s all about TIME. 

Time can be an attacker’s best offense, sometimes because of the speed with which they can penetrate, reconnoiter, locate and exfiltrate sensitive data – a proverbial ‘smash-and-grab’ looting. Hardly subtle and quickly noticed for the highly visible crime that it is. However in the case of Sunburst the adversary used time to their advantage, this time making painstakingly small and subtle changes to code in the software supply chain to weaponize a trusted application, waiting for it to be deployed across a wide spectrum of enterprises and governmental agencies, quietly performing reconnaissance on the affected asset and those around it, and leveraging low-and-slow C2 communications over a trusted protocol like DNS. Any one of these activities might easily be overlooked by even the most observant SOC. This creates an even longer detection cycle, allowing potential attackers a longer dwell time.  

This blog is a summary of the SOCwise Conversation on January 25th 2020.  Watch for the next one! 

For more information on the Sunburst attack, please visit our other resources on the subject: 


McAfee Knowledge-base Article (Product Coverage)

McAfee Knowledge-base Article (Insights Visibility)


The post 6 Best Practices for SecOps in the Wake of the Sunburst Threat Campaign appeared first on McAfee Blogs.

SOCwise Series: Practical Considerations on SUNBURST Thu, 04 Feb 2021 17:20:56 +0000 /blogs/?p=116785

This blog is part of our SOCwise series where we’ll be digging into all things related to SecOps from a practitioner’s point...

The post SOCwise Series: Practical Considerations on SUNBURST appeared first on McAfee Blogs.


This blog is part of our SOCwise series where we’ll be digging into all things related to SecOps from a practitioner’s point of view, helping us enable defenders to both build context and confidence in what they do. 

Although there’s been a lot of chatter about supply chain attacks, we’re going to bring you a slightly different perspective. Instead of talking about the technique, let’s talk about what it means to a SOC and more importantly focusing on the SUNBURST attack, where the adversary leveraged a trusted application from SolarWinds. 

Below you are going to see the riveting discussion between our very own Ismael Valenzuela and Michael Leland where they’ll talk about the supply chain hacks and the premise behind them. More importantly, why this one in particular was so successful. And lastly, they’ll cover best practices, hardening prevention, and early detection. 

Michael: Ismael, let’s start by talking a little bit about what the common types of supply chain attacks. We know from past experience that they’ve primarily been software; though, it’s not unheard of to have hardware-based supply chain attacks as well. But really, it’s about hijacking or masquerading as a vendor or a trusted supplier and objecting malicious code into trusted, authorized applications. Sometimes even hijacking the certificate to make it look legitimate. And this last one was about injecting into third party libraries. 

In relation to SUNBURST, it was a long game, right? This was an adversary long game attack where they had over 12 months to plan, stage, deploy, weaponize and reap the benefits. And we’re going to talk more about what they did, but more importantly, also how we as practitioners can leverage the sources of telemetry we have for both detection and hopefully future prevention. The first question that most people ask is, is this new and clearly this is not a new technique or tactic, but let’s talk a little bit about why this one was different. 

Ismael: Right! The most interesting piece about SolarWinds is not that much of it is a supply chain attack because as you said, it’s true. It’s not new. We’ve seen similar things in the past. I know there’s a lot of controversy around some of them like Supermicro, we and many others over the last few years and it’s difficult to prove these types of attacks. But to me, the most interesting piece is not just how it got into the environment, but we talked about malicious updates into legitimate applications. For example, we’ve seen some of that in the past with modifying code on GitHub, right? Unprotected reports, attackers, threat actors are modifying the code. 

We’re going to talk a little bit about what organizations can do to identify these but what I really want to highlight out of this is about the attackers, they have a plan right? They compromise the environment carefully, they stayed dormant for about two weeks, and after that, as we have seen in recent research, they started to deploy second stage payloads. The way they did that was very, very interesting, and its changing the game. It’s not radically new, but there’s always something new that we may have not seen before. And it’s important for defendants to understand these behaviors so they can start trying to detect them. In summary, they have a plan and we should ask ourselves if we have a plan for these type of attacks? Not only the initial vector but also what happens after that. 

Michael: Let’s take a look at the timeline (figure 1 below) and talk about the story arc of what took place. I think the important thing is, again the adversary knew long before the attack long before the weaponization of the application, long before the deployment, they had this planned out. They knew they were going after a very specific vendor. In this case, SolarWinds knew as far back as 2018, early 2019, that they had a registration domain registered for it already. And they didn’t even give it a DNS look up until almost a year later. But the code application 2019 was weaponization in 2020. We’re talking about months almost a year of time passed, and they knew very well going into it what their intent was. 

Ismael: Yep, absolutely. And as I mentioned before, even once they have the back door in place, the infamous DLL now stays dormant for two weeks. And then they start a careful reconnaissance discovery trying to find out where they are, what type of information they have around them, the users, and identity management. In some cases, we have seen them pivoting and stealing the tokens and credentials then pivoting to the cloud, all of that takes time. right? Which indicates that the attacker has a lot of knowledge on how to do these in a stealthy way. But if we think in terms of attack chains it also helps us to understand where we could have better opportunities to catch these types of activities. 

Michael: We’ve set the stage to understand kind of what exactly took place and a lot of people have talked about the methodology and the attack life cycle. But they had a plan, they weren’t specifically advanced in the way they leveraged the tools. They were very specific about leveraging multiple somewhat novice or novel methods to make use of the vulnerability. More importantly, it was the amount of effort they put into planning also the amount of time they spent trying not to get seen, right. We look at telemetry all the time, whether it’s in a SIEM tool or EDR tool, and we need those pieces of telemetry that tell us what’s happening, and they were very stealthy in the way they were leveraging the techniques. 

Let’s talk a little bit about what they did that was unique to this specific attack and then we’ll talk more about how we can better define our defenses and prevention around what we learned. 

Ismael: Yep, absolutely! And one of the interesting things that we have seen recently is how they disassociated the stage one and stage two to make sure that stage one, the backdoor/DLL wasn’t going to be detected or burnt. So once again, you were talking about the long game. They were planning, they were architecting their attack for the long game. Even if you would find an artifact from a specific machine, it would be harder for you to trace that back to the original backdoor. So they would maintain persistency in the environment for quite some time. I know that this is not new necessarily. We have been telling defenders for a long time: You need to focus on finding persistency, because attackers, they need to stay in the environment. 

We need to look at command and control but obviously these techniques are evolving. They went to great lengths to ensure that the artifacts, the indicators of compromise on each of these different systems for stage two, and at this point we know they use colon strike beacons. Each of these beacons were unique, not just for each organization, which would make sense but also for each computer within each organization. What does that mean for a SOC? Well, imagine you’re doing this and in response you find some odd behavior coming out of the machine, you look at the indicators and what are you going to do next…. scoping, right? Let’s see where else in my network. I’m seeing activity going into that domain to those IPS or those registry keys or that, you know, WMI consumer, for example. But the truth is that those indicators were not used anywhere else, not even in your environment. So that was interesting. 

Michael: Given that we don’t have specific indicators that we could attribute to something malicious in that stage, what we do know is that they’re leveraging common protocols in an uncommon way. The majority of this tactic took place from a C2 perspective through the partial exfiltration being done using DNS. To the organizations that aren’t successfully or effectively monitoring the types of DNS traffic, the DNS taking place on non-standard ports or more quarterly, the volume of DNS that’s originating from machines that don’t typically have it and volume metric analysis can tell us a lot. If in fact, there’s some heuristic value that we can leverage to detect. What else should we be thinking about in terms of the protection side of things, an abuse of trust? 

We trusted an application; we trusted a vendor. This was a clear abuse of that. Zero trust would be one methodology that can incorporate both micro-segmentation as well as explicit verification and more importantly, least trust methodology that we can ensure. I also think about the fact that we’re giving these applications rights and privileges to our environment and administrative privileges. We need to make sure that we’re monitoring both those accounts and service accounts that are being utilized by these applications; specifically, so that we can prescribe a domain, walls and barriers around what they have access to. What else can we do in terms of detection or providing visibility for these types of attacks? 

Ismael: When we’re talking about a complicated or advanced attack, I like to think in terms of frameworks like the new cybersecurity framework, for example that talks about prevention, detection, and response but also identifying the risks and assets first. If you look at it from that perspective and look at an attack chain, even though some of the aspects of these attack were very advanced, there’s always limitations from the attacker perspective. There’s no such thing as the perfect attack, so be aware of the perfect attack fallacy. There’s always something the attacker’s going to do that can help you to detect them. With that in mind, think about putting the MITRE attack behaviors, tactics and the techniques on one side of the matrix and on the other side, like NIST cybersecurity framework identify, protect, detect. 

Some of the things I would suggest is identifying the assets of risk, and I always talk about BCP. This is continuity planning. Sometimes we work in silos and we don’t leverage some of the information that can be in your organization that can point you to the crown jewel. You can’t protect everything, but you need to know what to protect and know how the information flows. For example, where are your soft spots, where are your vendors located on the network, your/their products, how do they get updated? It will be helpful for you to determine or define a defensible secure architecture that enforces it by trying to protect that…the flow of the data. 

When protection fails, it could be a firewall rule that can be any type of protection. The attempts to bypass the firewalls can be turned into detections. Visibility is very important to have across your environment, that doesn’t mean to just manage devices, it also means the network, and endpoints, and servers. Attackers are going to go after the servers, the main controllers, right? Why? Because they want to steal those credentials, those identities used somewhere else and maybe pivot to the cloud. So having enough visibility across the network is important, which means having the camera’s point to the right places. That is when EDR or XDR can come into play, product that keep that telemetry and give you visibility of what’s going on and potentially detect the attack. 

Michael: I think it’s important as we conclude our discussion to chat about the fact that telemetry can come in various flavors; more importantly, both real-time and historical telemetry that’s of significant value, not only in the detection side, but in the forensic investigation/scoping side, and understand exactly where an adversary may have landed. It’s not just having the telemetry accessible, it’s also sometimes the lack of telemetry. That’s the indicator that tells us when logging gets disabled on a device and we stop hearing from it then the SIEM starts seeing a gap in its visibility to a specific asset. That’s why combination of both real-time endpoint protection technologies deployed on both endpoints and servers, as well as the historical telemetry that we’re typically consuming in our analytics frameworks, and technologies like SIEM 

Ismael: Absolutely, and to reiterate the point of finding those places where attackers are going to be, can be spotted more easily. If you look at the whole attack chain maybe the initial vector is harder to find, but start looking at how they got privileges, their escalation, and their persistence. Michael, you mentioned cleaning logs apparently were disabling the auditing logs by using auditpol on the endpoint or creating new firewall rules on the endpoints. If you consume these events, why would somebody disable the event logging temporarily by turning it off and then back on again after some time? Well, they were doing this for a reason. 

Michael: Right. So we’re going to conclude our discussion, hopefully this was informative. Please subscribe to our Securing Tomorrow blog where you can keep up to date with all things SOC related and feel free to visit for more SOC material from our experts. 


The post SOCwise Series: Practical Considerations on SUNBURST appeared first on McAfee Blogs.

Schrems II – A few Things to Keep in Mind! Thu, 28 Jan 2021 17:33:12 +0000 /blogs/?p=116437

A couple of days ago, I have been asked whether, notably thanks to the GDPR[1] and the CCPA[2], we were...

The post Schrems II – A few Things to Keep in Mind! appeared first on McAfee Blogs.


A couple of days ago, I have been asked whether, notably thanks to the GDPR[1] and the CCPA[2], we were seeing as professionals, a standardization in negotiations governing privacy terms.

Alas, we have possibly never been so much away of such harmonization. 128 out of 194 countries have put in place legislation to secure the protection of data and privacy. And despite the existence of initiatives to develop tools able to harmonize compliance with legal, security and regulatory requirements, privacy is still much of a grey zone.

From the EU’s standpoint, and regardless of the fact that the GDPR is seen as one of the most, if not the most sophisticated regulation in terms of protection of personal data, Mr. Schrems and the European Court of Justice (“ECJ”) are both playing a bit with the nerves of thousands of privacy professionals.

For those who do not know Mr. Schrems, Maximilian is an Austrian privacy activist. As a privacy law student in 2011 at the Santa Clara University, he met a Facebook representative who explained to the students that Europeans had many privacy rights in the EU but were however not doing much to protect them. The words didn’t fall on deaf ears and by 2015, Max had brought a case against Facebook, and achieved to get the Safe Harbor (the then used as a mechanism to transfer personal data to the United States) invalidated[3]. The Safe Harbor was replaced by the Privacy Shield, which – together with European Standard Clauses (“SCCs”) – were suspected of not being able to sufficiently protect European rights against US massive surveillance.

As you may have heard, on 16 July 2020[4], the Privacy Shield has been invalidated. The SCCs are still valid, but not sufficient per se. Following the Schrems II Decision, the European Commission issued some 22 pages of recommendations for the transfer of personal data outside the European Union[5] and the set of happy few countries considered as providing adequate protection, as well as a new draft set of SCCs[6].

So, what’s next for us? Below are a couple of answers to help you out navigating through 2021.


1. How much time do companies have to comply with the requirements of the Schrems II decision?

No grace period was provided by the ECJ: the consequences are applicable since 16 July 2020 and companies who used to rely on the Privacy Shield had to immediately stop using that mechanism and replace with the SCCs.

2. Are SCCs enough to transfer data outside of the EU?

No, SCCs are no longer enough on their own: companies need to assess on a case by case basis whether the laws of the recipient country offer enough protection AND where they don’t, they must include supplementary measures. In addition, if supplementary measures are not possible or insufficient, the parties must suspend, or end transfer OR the transfer must be suspended or ended by the data protection authority.

3. Now that the EU has issued new SCCs, will these replace the hassle of assessing the recipient’s country protections?

No – a simple update of the SCCs will not be enough. SCCs “are not capable of binding the authorities of that third country, since they are not party to the contract.” [7]. Hence, the requirement of implementing technically-enforced supplementary measures.

4. Is it dangerous not to comply with the Schrems II requirements?

It’s expensive and it could jeopardize your business since the Data Protection Authority may request to stop the transfer[8]. In terms of fines provided by the GDPR, we are talking about €20 million or 4% of their global turnover, whichever is greater[9].

5. Is Schrems II a C-Suite / Board level issue?

Yes- lack of corporate changes may constitute “willful blindness to a course of action” or “reckless conduct by knowing of the risk but doing nothing.”[10] This opens Board members and senior executives to potential personal and criminal liability.

6. Can’t I just use encryption or anonymization as Supplementary Measures enough to protect data?

No – that will not be enough. Encryption only protects data in transit and in storage, and anonymization is not recognized as existing by the European Data Protection Board (“EDPB”). Technically-enforced Supplementary Measures are required[11].

Anonymisation is very difficult to very difficult to achieve without deleting important value, and the new requirements under Pseudonymisation entails that the processing of personal data must be accomplished in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, which must be kept separately; and subject to technical and organisational measures able to ensure that the personal data cannot be attributed to identifiable persons without requiring access to the separately and securely stored “additional information.”

7. What types of processing are now clearly unlawful?

Two types of transfers have been designated as unlawful by the EDPB:

  • Transfer to Cloud Services Providers or Other Processors Which Require Access to Data in the Clear (EDPB Unlawful Use Case 6); and
  • Remote Access to Data for Business Purposes (EDPB Unlawful Use Case 7)[12].

The only option to render those as lawful is to provide for encryption.

8. What’s next for companies?

Companies need to evaluate what combination of SCCs, Additional Safeguards, data residency and Data Protection by Design and by Default will enable the continued success of business by fostering balanced protection of privacy, as well as legal and contractual trust in the use of technology and in the responsible, protected collection and processing of people’s data.



[1] General Data Protection Regulation 2016/679

[2] California Consumer Privacy Act, AB-375

[3] “Maximillian Schrems / Data Protection Commissioner”, decision 2000/520/CE, Case C-362/14


[5] Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.

[6]  The draft SCCs

[7] paragraph 125.

[8] paragraph 121, 135, 146, 154 and 203(3) 

[9] See GDPR Article 83(5)(c).


[11] See EDPB Guidance at :

[12] Ibid.

The post Schrems II – A few Things to Keep in Mind! appeared first on McAfee Blogs.

McAfee Welcomes its ISO 27701 Certificate! Thu, 07 Jan 2021 17:06:31 +0000 /blogs/?p=115798

This post was also written by Darragh McMahon At McAfee, we adhere to a set of core values and principles...

The post McAfee Welcomes its ISO 27701 Certificate! appeared first on McAfee Blogs.


This post was also written by Darragh McMahon

At McAfee, we adhere to a set of core values and principles – We Put the Customer at The Core, We Achieve Excellence with Speed and Agility, We Play to Win or We Don’t Play, We Practice Inclusive Candor and Transparency.

And reaching the ISO 27701 enshrines all of these values.

For those who are not familiar with it, the ISO 27701 is the industry leading certification for information security & privacy management. Achieving the ISO 27701 certification demonstrates that McAfee is able to protect personal data, thanks to a multidisciplinary effort coupled with cross-functional expertise. Because yes, We Play to Win or We Don’t Play.

Over the past years, and all around the world, lawmakers and regulators have been and continue to introduce new laws governing the processing of personal data (such as those adopted in Australia, Brazil, Singapore and Canada) -the GDPR and the CCPA are only few of these. This changing legal environment raises challenges for all businesses, but especially those that must comply globally with regulations in multiple jurisdictions. Compliance to requirements and controls of ISO 27701 is relevant to support the fulfillment of obligations to articles 5 to 49 (except 43) of the GDPR. The application of the ISO 27701 standard can also be used for supporting compliance with other data privacy laws. Because yes, We Practice Inclusive Candor and Transparency.

The ISO 27701 Standard has been published in August 2019, and all companies, whether vendors or customers, should look into it. At the time of certification by McAfee’s assessment firm[1], McAfee is one of the very first companies to achieve the certification within the cyber-security industry. Because yes, not only do We Achieve Excellence with Speed and Agility, but We also Put the Customer at the Core.

Key requirements include, but are not limited to:

  • Fundamental Data Protection Principles: purpose of the data processing, legal basis for the data processing, obtaining individuals’ consent and mechanisms to modify or withdraw that consent, records of data processing activities, and privacy impact assessments;
  • Individuals’ Data Protection Rights: notice, access, correction, erasure, and automated decisions;
  • Privacy by Design and by Default: data minimization, de-identification and deletion, and data retention;
  • Data processing agreements, data transfers and data sharing;
  • Determination of the role of the organization as a data controller and/or data processor;
  • Unified management of IT risks for the organization of privacy risks for data subjects;
  • Appointment of a person responsible for the protection of privacy (DPO or equivalent);
  • Staff awareness; data classification; protection of removable media; user access management and data encryption; backups and event logging; conditions for the transfer of personal data; Incident management; and
  • Compliance with legal and regulatory requirements, etc.

McAfee’s ISO 27701 certificate, along with its other certificates, is publicly available at

[1] Schellman, December 2020

The post McAfee Welcomes its ISO 27701 Certificate! appeared first on McAfee Blogs.

The Road to XDR Tue, 05 Jan 2021 16:00:47 +0000 /blogs/?p=115699

XDR (eXtended Detection and Response) is a cybersecurity acronym being used by most vendors today.  It is not a new...

The post The Road to XDR appeared first on McAfee Blogs.


XDR (eXtended Detection and Response) is a cybersecurity acronym being used by most vendors today.  It is not a new strategy. It’s been around for a while but the journey for customers and vendors has been slow for many reasons. For McAfee, XDR has been integral to our vision, strategy and design philosophy that has guided our solution development for many years. Understanding our road to XDR can help your organization map your XDR journey.

The Building Pressure for XDR

Let’s start with why XDR?  The cry for XDR reflects where cybersecurity is today with fragmented, cumbersome and ineffective security and where folks want to go.  In my CISO conversations it is well noted that security operation centers (SOC) are struggling.  Disjointed control points and disparate tools lead to ineffective security teams.  It allows adversaries to more easily move laterally across the infrastructure undetected and moving intentionally erratic to avoid detection.  Analysts only know this if they manually connect the thousand dots which is time consuming leaving the adversaries with ample dwell time to do damage. It’s no secret. There is a lack of security expertise, and these are regularly tested.  Their investigations are cumbersome, highly manual, and riddled with blind spots. It’s nearly impossible to prioritize efforts, leaving the SOC simply buried in reactive cycles and alert fatigue.  Bottom line—SOC metrics are getting worse—while adversaries are becoming more sophisticated and creative in carrying out their mission.

XDR has the potential to be a one-stop solution to alleviating these SOC issues and improving operational inefficiencies.

XDR Options

Many cybersecurity providers are trying to offer an XDR capability of some sort. They promise to provide visibility and control across all vectors, and offer more analysis, context and automation to obtain faster and better response when reacting to a threat. Point players are limited to expertise in their domain (endpoint or network) and can’t offer a critical, proven cross-portfolio platform. After all, can your endpoint platform offer true XDR functionality it it’s not also connected to network, cloud and web?

McAfee’s long-time mantra has been Better Together. That mantra underscores our commitment to deliver comprehensive security that works cohesively across all threat vectors – device, network, web and cloud and with non-McAfee products.  Industry analysts and customers agree that McAfee is well positioned to deliver a solid XDR offering given our platform strategy and portfolio.

There is more to the McAfee XDR Story

Now, what if you had that same comprehensive XDR capability that not only offered visibility and control across the vectors, but also allows you to get ahead of adversary and empowering you to be more proactive. It could give you a heads up on threats that are likely to attack you based on global and industry trends, based on what your local environment looks like. With this highly credible prediction comes the prescribed guidance on how to counter the threat before it hits you. Imagine it also supplies prescriptive actions you can take to protect your users, data, applications and devices spanning from device to cloud. Other XDR conversations can’t take the conversation to this level of proactivity. McAfee can in our recently announced MVISION XDR.

Not only does McAfee take XDR to the next level, but it also helps you better mitigate cyber risk by enabling you to prioritize and focus on what most matters. What if your threat response was prioritized based on the impact to the organization? You need to understand what the attackers are targeting. How close are they to the most sensitive data based on the users and devices? MVISION XDR offers this context and data-awareness to focus your analysts on what counts. For example, threats that jeopardize sensitive data from a finance executive on his device will automatically be of priority versus a maybe threat on general purpose device with no data. This data-awareness is not noted well in other XDR conversations, but it is with recently announced MVISION XDR.  

Let’s look at McAfee’s journey and investment with XDR and how we got to this exceptional XDR approach.

McAfee XDR Journey

McAfee’s XDR Journey did not simply start up recently because a buzz word appeared that needed to spoke to.   As noted earlier, McAfee’s mantra “Together is Better” sets the stage for a unified security approach, which is core to the XDR promise.  McAfee recognized early on that multi-vendors security ecosystem is a key requirement to build a defense in depth security practice. OpenDXL the open-source community delivered the data exchange layer or the DXL message bus architecture. This enabled our diverse ecosystem of partners from threat intelligence platforms, to orchestration tools to use a common transport mechanism and information exchange protocol. Most enterprise security architectures will be a heterogenous mix of various security solutions. McAfee is one of the founding members of the Open CyberSecurity Alliance (OCA) where we contributed our DXL ontology – enabling participating vendors to not only communicate vital threat details but inform what to do to all connected multi-vendor security solutions.

Realizing EDR is network blind and SIEM is endpoint blind, we integrated McAfee EDR and SIEM.  McAfee continues to deliver XDR capabilities by bringing multiple telemetry sources on a platform from a single console for analytics and investigation, driving remediation decisions with automatic enforcement across the enterprise.  When you combine  MVISION XDR the first proactive, data-aware and open XDR and released MVISION Marketplace and API further supporting the open security ecosystem for XDR capabilities, organizations have a solid starting point to advance their visibility and control across their entire cyber infrastructure.

Before all the XDR hype, McAfee customers have been on the XDR path. Our customers have already gained XDR capabilities and are positioned to grow with more XDR capabilities. I encourage you to check out the video below.






The post The Road to XDR appeared first on McAfee Blogs.

Bring on 2021! Tue, 29 Dec 2020 22:40:46 +0000 /blogs/?p=115648

With 2021 approaching, it is a time to both reflect on the outstanding progress we have each made – personally and professionally,...

The post Bring on 2021! appeared first on McAfee Blogs.


With 2021 approaching, it is a time to both reflect on the outstanding progress we have each made – personally and professionally, and warmly welcome a new chapter in 2021!  

2020 has been one of the most unexpected years in our history. However, despite COVID-19, we had some amazing successes. 

January brought McAfee our new CEO – Peter Leav. It’s hard to believe it has only been a year under his leadership. What an impact! And, McAfee is back on the stock exchange.   

2020 has also seen the rapid acceleration of cloud adoption. Typically, a move like that involves immense planning to minimize complexity. That didn’t always happen.  And, as our Advanced Threat Research team has reported, cybercriminals took full advantage of more ransomware, malware, and general bad behavior. In fact, a recent McAfee report estimates global cybercrime losses will exceed $1 Trillion.  Fortunately, McAfee customers benefited from the get-go with a robust, award-winning cloud-native portfolio that became even stronger in 2020.   

Excelling at Cloud Security with SASE and CNAPP 

Shortly after Peter joined, we closed our LightPoint Acquisition, enabling us to add Remote Browser Isolation (RBI) to MVISION Unified Cloud Edge (UCE). In March, we delivered multi-vector data protection for unified and comprehensive data protection across endpoints, web, and cloud. In August, we further enhanced our MVISION UCE offering by announcing pivotal SD-WAN Technology integrations. Finally, at MPOWER, we announced the industry first integration of Remote Browser Isolation into our Unified Cloud Edge solution.  

To our award-winning and unmatched MVISION Cloud solution which is natively integrated into UCE, we were the first CASB to map cloud threats to MITRE ATT&CK. Introducing MITRE ATT&CK into the MVISION Cloud workflow helps SOC analysts to investigate cloud threats and security managers defend against future attacks with increased precision. Our new MVISION Cloud Security Advisor (CSA) – provides recommendations – broken into visibility and control metrics – to help prioritize cloud security controls implementation.  We also delivered MVISION Cloud for Teams, which provides policy and collaboration controls to enable organizations to safely collaborate with partners without having to worry about exposing confidential data to guest users.   

MVISION Cloud received its FedRAMP High JAB P-ATO designation and McAfee MVISION for Endpoint achieved FedRAMP Moderate Authorization. Both of those are important to enable our Federal customers to take advantage of the MVISION portfolio.  

All of this helps our customers accelerate the easy adoption of a more complete Secure Access Service Edge (SASE) architecture and better defend against advanced web and cloud-based threats. In fact, our MVISION UCE customers can enjoy nearly 40% annual TCO savings when they go from on-prem to cloud. 

For our customers who want cloud native IaaS security while dealing existing on-prem data center deployments, we rolled out our new McAfee MVISION Cloud-Native Application Protection Platform (CNAPP), an integrated hybrid cloud security platform for comprehensive data protection, threat prevention, governance, and compliance for the cloud-native application lifecycle. We also announced native AWS Integrations for MVISION CNAPP.  

Delivering future proof SOC with XDR  

The team and I are also extremely excited about the progress with our Endpoint portfolio across ENSEDR and momentum behind MVISION Insights 

The still unfolding SolarWinds supply chain compromise has shown how unprepared SOC teams can be and why it is ever more important to have proactive and actionable threat intelligence at your fingertips. As news of an emerging campaign becomes viral, SOC teams must answer the topical question raised by the C-level or the Board “Are we impacted” which unfortunately till now took weeks if not days of scrambling to answer. We launched MVISION Insights early this summer to solve for exactly this problem. MVISION Insights leverages McAfee’s cutting-edge threat research, augmented with AI applied to real-time telemetry streamed from over a Billion sensors to identify and prioritize threats, before they hit. MVISION Insights can predict the impact on your countermeasures, and then tells you exactly how and where to improve your security posture. In essence, it enables you to “shift left” and anticipate and stop breaches before they happen. As the SolarWinds compromise was unfolding, MVISION Insights delivered actionable threat intelligence to McAfee’s customers within hours. The fact that we now have hundreds of customers who have adopted MVISION Insights as part of their SOC framework within a few months of release is a testament to the real value add they are enjoying. Best part is that it is also free for all our customers who have our integrated EPP+EDR SKUs: MV6 or MV7. 

Our latest Endpoint protection product, ENS 10.7, is stronger with the highest quality and customer satisfaction than ever. ENS 10.7 couples all our endpoint protection capabilities with machine learning, behavior monitoring, fileless threat defense and Rollback Remediation. It’s also backed by our Global Threat Intelligence (GTI) to provide adaptable, defense in depth capability against the techniques used in targeted ransomware attacks. ENS 10.7 delivers meaningful value. Rollback Remediation, for instance, can save an average $500 per node in labor and productivity costs by eliminating need to reimage machines. ENS 10.7 became generally available about a year ago and has emerged as our #1 deployed enterprise product worldwide – the fastest ramp of any ENS release. 

Equally on the EDR front, we delivered capabilities that make a measurable improvement for the ever tired SOC teams. The included AI Guided investigations can speed threat investigations from greater than 2 hours to as little as 6 minutes per incident. The SolarWinds compromise also showed that Organizations need an integrated platform that delivers complete visibility and control across their infrastructure including their supply chain. The recently announced MVISION XDR builds upon our EDR solution making it easier for our customers to achieve this complete visibility and control. It extends MVISION Insights across endpoints, network and cloud, making it the first proactive XDR platform to manage your risk. MVISION XDR dramatically expands the capabilities of traditional Endpoint Detection and Response (EDR) point solutions by delivering a fully integrated, SaaS-based platform to rapidly discover and mitigate the real threats to your users and data across all threat vectors.  And, complementing our MVSION XDR solution is a host of partner solutions available via MVISION Marketplace.  

Finally, we rolled out the Device-to-Cloud suites, making it easier for our customers to move to a cloud-native architecture. These three SaaS offerings all feature MVISION Insights and endpoint protection to provide right-sized security solutions in a simple-to-acquire package.  

I am so proud that our customers and the industry also recognize the McAfee teams’ hard work. We were able to add a long list of awards and accolades to our portfolio in 2020. 



Now that we’ve looked back at our successes, let’s take a moment to look forward and set goals for ourselves in the coming year. My team and I are committed to:  

  • Expanding on our XDR strategy by changing the landscape of how we enable our customers to being more proactive and get complete visibility and control halting threats before they reach devices, networks, and the cloud.  
  • Strengthening UCE by innovating and expanding our portfolio features and functionality to enable comprehensive Zero Trust and SASE coverage from McAfee that spans all major threat vectors.   
  • Raising the bar of MVISION CNAPP innovation and making it easier (and safer) to accelerate cloud transitions with continued cloud security innovation. 


Against today’s increasingly sophisticated adversaries, your success is our success.    

As we head into 2021, I want to take a moment to wish each of you peace, good health, and prosperity.   

Happy holidays to you and yours! 

Thanks, Shishir 

The post Bring on 2021! appeared first on McAfee Blogs.

Finally, True Unified Multi-Vector Data Protection in a Cloud World Mon, 21 Dec 2020 18:38:12 +0000 /blogs/?p=115513

This week, we announced the latest release of MVISION Unified Cloud Edge, which included a number of great data protection...

The post Finally, True Unified Multi-Vector Data Protection in a Cloud World appeared first on McAfee Blogs.


This week, we announced the latest release of MVISION Unified Cloud Edge, which included a number of great data protection enhancements. With working patterns and data workflows dramatically changed in 2020, this release couldn’t be more timely.

According to a report by Gartner earlier in 2020, 88% of organizations have encouraged or required employees to work from home. And a report from PwC found that, corporations have termed the remote work effort in 2020, by and large, a success. Many executives are reconfiguring office layouts to cut capacity by half or more, indicating that remote work is here to stay as a part of work life even after we come out of the restrictions placed on us by the pandemic.

Security teams, scrambling to keep pace with the work from home changes, are grappling with multiple challenges, a key one being how to protect corporate data from exfiltration and maintain compliance in this new work from home paradigm. Employees are working in less secure environments and using multiple applications and communication tools that may not have been permitted within the corporate environment. What if they upload sensitive corporate data to a less than secure cloud service? What if employees use their personal devices to download company email content or Salesforce contacts?

McAfee’s Unified Cloud Edge provides enterprises with comprehensive data and threat protection by bringing together its flagship secure web gateway, CASB, and endpoint DLP offerings into a single integrated Secure Access Service Edge (SASE) solution. The unified security solution offered by UCE features unified data classification and incident management across the network, sanctioned and unsanctioned (Shadow IT) cloud applications, web traffic, and endpoints, thereby covering multiple key exfiltration vectors.

UCE Protects Against Multiple Data Exfiltration Vectors

1. Exfiltration to High Risk Cloud Services

According to a recent McAfee report, 91% of cloud services do not encrypt data at rest and 87% of cloud services do not delete data upon account termination, allowing the cloud service to own customer data in perpetuity. McAfee UCE detects the usage of risky cloud services using over 75 security attributes and enforces policies, such blocking all services with a risk score over 7, which helps prevent exfiltration of data into high risk cloud services.

2. Exfiltration to permitted cloud services

Some cloud services, especially the high risk ones, can be blocked. But there are others which may not be fully sanctioned by IT, but fulfill a business need or improve productivity and thus may have to be allowed. To protect data while enabling these services, security teams can enforce partial controls, such as allowing users to download data from these services but blocking uploads. This way, employees remain productive while company data remains protected.

3. Exfiltration from sanctioned cloud services

Digital transformation and cloud-first initiatives have led to significant amounts of data moving to cloud data stores such as Office 365 and G Suite. So, companies are comfortable with sensitive corporate data living in these data stores but are worried about it being exfiltrated to unauthorized users. For example, a file in OneDrive can be shared with an unauthorized external user, or a user can download data from a corporate SharePoint account and then upload it to a personal OneDrive account. MVISION Cloud customers commonly apply collaboration controls to block unauthorized third party sharing and use inline controls like Tenant Restrictions to ensure employees always login with their corporate accounts and not with their personal accounts.

4. Exfiltration from endpoint devices

An important consideration for all security teams, especially given most employees are now working from home, is the plethora of unmanaged devices such as storage drives, printers, and peripherals that data can be exfiltrated into. In addition, services that enable remote working, like Zoom, WebEx, and Dropbox, have desktop apps that enable file sharing and syncing actions that cannot be controlled by network policies because of web socket or certificate pinning considerations. The ability to enforce data protection policies on endpoint devices becomes crucial to protect against data leakage to unauthorized devices and maintain compliance in a WFH world.

5. Exfiltration via email

Outbound email is one of the critical vectors for data loss. The ability to extend and enforce DLP policies to email is an important consideration for security teams. Many enterprises choose to apply inline email controls, while some choose to use the off-band method, which surfaces policy violations in a monitoring mode only.

UCE provides a Unified and Comprehensive Data Protection Offering

Using point security solutions for data protection raises multiple challenges. Managing policy workflows in multiple consoles, rewriting policies, and aligning incident information in multiple security products result in operational overhead and coordination challenges that slow down the teams involved and hurt the company’s ability to respond to a security incident. UCE brings web, CASB, and endpoint DLP into a converged offering for data protection. By providing a unified experience, UCE increases consistency and efficiencies for security teams in multiple ways.

1. Reusable classifications

A single set of classifications can be reused across different McAfee platforms, including ePO, MVISION Cloud, and Unified Cloud Edge. For example, if a classification is implemented to identify Brazilian driver’s license information to apply DLP policies on endpoint devices, the same classification can be applied in DLP policies on collaboration policies in Office 365 or outgoing emails in Exchange Online. Alternatively, if the endpoint and cloud were secured by two separate products, it would require creating disparate classifications and policies on both platforms and then ensuring the 2 policies have the same underlying regex rules to keep policy violations consistent. This increases operational complexity and overhead for security teams.

2. Converged incident infrastructure

Customers using MVISION Cloud have a unified view of cloud, web, and endpoint DLP incidents in a single unified console. This can be extremely helpful in scenarios where a single exfiltration act by an employee is spread across multiple vectors. For example, an employee attempts to share a company document with his personal email address, and then tries to upload it to a shadow service like WeTransfer. When both these attempts don’t work, he uses a USB drive to copy the document from his office laptop. Each of these fires an incident, but when we present a consolidated view of these incidents based on the file, your admins have a unique perspective and possibly a different remediation action as opposed to trying to parse these incidents from separate solutions.

3. Consistent experience

McAfee data protection platforms provide customers with a consistent experience in creating a DLP policy, whether it is securing sanctioned cloud services, protecting against malware, or preventing data exfiltration to shadow cloud services. Having a familiar workflow makes it easy for multiple teams to create and manage policies and remediate incidents.

As the report from PwC states, the work from home paradigm is likely not going away anytime soon. As enterprises prepare for the new normal, a solution like Unified Cloud Edge enables the security transformation they need to gain success in a remote world.

The post Finally, True Unified Multi-Vector Data Protection in a Cloud World appeared first on McAfee Blogs.

McAfee MVISION for Endpoint is FedRAMP Moderate As Federal Cloud Usage Continues to Rise Mon, 21 Dec 2020 17:09:24 +0000 /blogs/?p=115477

Last month, I discussed the FedRAMP program’s basics and why it’s such a big deal for the federal government. In short, the...

The post McAfee MVISION for Endpoint is FedRAMP Moderate As Federal Cloud Usage Continues to Rise appeared first on McAfee Blogs.


Last month, I discussed the FedRAMP program’s basics and why it’s such a big deal for the federal government. In short, the program protects the data of U.S. citizens in the cloud and promotes the adoption of secure cloud services across the government with a standardized approach.

But within the FedRAMP program, there are different authorizations. We’re pleased that McAfee MVISION for Endpoint Access recently achieved FedRAMP Moderate Authorization, which allows users from federal agencies, state and local government, and other industries in regulated environments to manage Controlled Unclassified Information (CUI) such as personally identifiable information (PII) and routine covered defense information (CDI).

As organizations across the country continue to adapt to a remote workforce, the U.S. government is “in a race to modernize its IT infrastructure to support ever more complicated missions, growing workloads and increasingly distributed teams—and do so facing a constantly evolving threat landscape,” Alex Chapin, our VP of DoD and Intelligence notes.

And he’s right – with the 2021 federal fiscal year in full focus, federal agencies are continuing to push cloud computing as the COVID-19 pandemic continues, creating a real need for security in these applications.

The FedRAMP Moderate designation allows MVISION to provide the command and control cyber defense capabilities government environments need to enable on-premises and remote security teams, allowing them to maximize time and resources, enhance security efficiency and boost resiliency.

This is a massive win for the federal government as it continues to build out its remote workforce capabilities at a time when the GAO is continuing to release best practices for telework, highlighting how remote work is here to stay in the federal government.

MVISION Cloud is currently in use by ten federal agencies, including the Department of Energy (DOE), Department of Health and Human Services (HHS), Department of Homeland Security (DHS), Food and Drug Administration (FDA) and National Aeronautics and Space Administration (NASA).

At McAfee, we are dedicated to ensuring our cloud services are compliant with FedRAMP standards to help the federal government secure its digital infrastructure and prepare for an increasingly digital operation. We look forward to working closely with the FedRAMP program and other cloud providers dedicated to authorizing cloud service offerings with FedRAMP.

The post McAfee MVISION for Endpoint is FedRAMP Moderate As Federal Cloud Usage Continues to Rise appeared first on McAfee Blogs.

3 Reasons Why Connected Apps are Critical to Enterprise Security Thu, 17 Dec 2020 16:00:03 +0000 /blogs/?p=115330

Every day, new apps are developed to solve problems and create efficiency in individuals’ lives.  Employees are continually experimenting with new...

The post 3 Reasons Why Connected Apps are Critical to Enterprise Security appeared first on McAfee Blogs.


Every day, new apps are developed to solve problems and create efficiency in individuals’ lives.  Employees are continually experimenting with new apps to enhance productivity and simplify complex matters. When in a pinch, using DropBox to share large files or an online PDF editor for quick modifications are commonalities among employeesHowever, these apps, although useful, may not be sanctioned or observable by an IT department. The rapid adoption of this process, while bringing the benefit of increased productivity and agility, also raises the ‘shadow IT problem’ where IT has little to no visibility into the cloud services that employees are using or the risk associated with these services. Without visibility, it becomes very difficult for IT to manage both cost expenditure and risk in the cloud. Per the McAfee Cloud Adoption and Risk report, the average enterprise today uses 1950 cloud services, of which less than 10% are enterprise ready. To divert a data breach (with the average cost of a data breach in the US being $7.9 million), enterprises must exercise governance and control over their unsanctioned cloud usage. Does this sound all too familiar? It’s because these are many of the issues we face with Shadow IT, and are facing today regarding a similar security risk with connected apps.   

What are Connected Apps? Collaboration platforms such as Office 365 enable teams and end-users to install and connect third-party apps or create their own custom apps to help solve new and existing business problems. For example, Microsoft hosts the Microsoft Store, where end-users can browse througthousands of apps and install them into their company’s Office 365 environment. These apps help augment native Microsoft office capabilities and help increase enduser productivity. Some examples include WebEx to set up meetings from Outlook or Survey Monkey add-in to initiate surveys from Microsoft Teams.  When these apps are added, they will often ask the enduser to authorize access to their Cloud app resources. This could be data stored in the app, like in SharePoint, or calendar information or email content. Authorizing access