This blog was written by Stan Golubchik.
In a previous blog, “How to Gain a Competitive Advantage with an Integrated Approach to Security,” we showed how adding an advanced threat analysis technology to a large enterprise security ecosystem contributes to its success, both operationally and from a business perspective.
This time, we’ll step through the technical details of how to combat unknown malware in a typical enterprise environment. Consider a company that has just gone through an acquisition. As a result, employees are required to use many new applications. One employee clicks a link in an email for an application that appears legitimate but is, in fact, malicious: it installs a keylogger that captures users’ keystrokes.
Here’s how the McAfee integrated ecosystem approach to security rapidly responds to unknown files of this kind and prevents them from executing and doing damage across the organization.
McAfee Threat Intelligence Exchange discovers the keylogger on endpoints and blocks the file from executing. The Threat Intelligence Exchange client then queries the McAfee Threat Intelligence Exchange server for the file’s reputation and simultaneously queries McAfee Global Threat Intelligence, which gathers file reputation intelligence from millions of sensors all over the world. The file is cached on the server while McAfee Threat Intelligence Exchange checks its blacklist and whitelist. After this query-response process, McAfee Threat Intelligence Exchange can update the reputation to “good” or “bad.” In this case, however, the file is unknown and requires further analysis.
Through a REST API, McAfee Threat Intelligence Exchange communicates with McAfee Advanced Threat Defense, to which the unknown file is sent for further analysis via sandboxing. McAfee Advanced Threat Defense spins up a virtual machine (VM) and detonates the file for dynamic analysis, which exposes any malicious behavior. At the same time, McAfee Advanced Threat Defense performs static code analysis by unpacking the file and reverse engineering the code, which allows comparison with known malware families that reuse code and identifies any potentially malicious code. Obfuscated and metamorphic code, which can be highly evasive, can be unveiled through the combination of dynamic and static code analysis. If malicious intent is identified, McAfee Advanced Threat Defense convicts the file and updates its reputation, in this case applying a high-severity rating. This process reveals several indicators of compromise (IoCs) about the file: it attempts to bypass security controls, it installs a keylogger, and it makes connections to risky websites. The file is then sent back to the McAfee Threat Intelligence Exchange server, which updates its local repository and every integrated vector, from endpoint to network. McAfee Advanced Threat Defense also publishes the IoCs over the McAfee Data Exchange Layer (McAfee DXL) to any subscriber.
McAfee Data Exchange Layer, which enables sharing of threat information across McAfee security components and third-party security products, publishes these IoCs for ingestion by other solutions in the environment.
McAfee Data Exchange Layer publishes the IoCs generated by McAfee Advanced Threat Defense to the security information and event management (SIEM) system, McAfee Enterprise Security Manager. The SIEM aggregates the IoCs and correlates them with events. For example, it can perform a historic investigation, searching its archives of network and system events for evidence of this malware and correlating the IoCs with other events. If it finds that systems have connected to malicious URLs associated with the keylogger, it can send out additional alerts so that remediation can be applied. Once correlation is complete, McAfee Endpoint Threat Defense and Response uses its automated search capability to retrieve this information and generates a URL that opens the McAfee ePolicy Orchestrator (McAfee ePO) management console, where McAfee Active Response is housed and the pivot to remediation can take place.
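To make the reputation lookup and the SIEM correlation steps above concrete, here is an added example (not McAfee code, and using no McAfee API): a constructed cache plus blacklist/whitelist and global lookup that returns good, bad or unknown; a sandbox verdict that convicts the file and yields IoCs; and a SIEM-style historic search over constructed proxy-log lines for the systems that contacted the IoC hosts. Hashes, hosts, severity scale and log lines are all placeholders.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed stand-ins for the local lists and global reputation service (placeholder hashes).
LOCAL_BLACKLIST = {"sha256:PLACEHOLDER-A"}
LOCAL_WHITELIST = {"sha256:PLACEHOLDER-B"}
GLOBAL_REPUTATION = {"sha256:PLACEHOLDER-C": "good"}

def file_reputation(file_hash, cache):
    """Cache, then local lists, then global service; else 'unknown' (escalate)."""
    if file_hash in cache:
        return cache[file_hash]
    if file_hash in LOCAL_BLACKLIST:
        verdict = "bad"
    elif file_hash in LOCAL_WHITELIST:
        verdict = "good"
    else:
        verdict = GLOBAL_REPUTATION.get(file_hash, "unknown")
    if verdict != "unknown":  # only settled verdicts are cached
        cache[file_hash] = verdict
    return verdict

@dataclass
class SandboxVerdict:  # constructed shape of an analysis result
    file_hash: str
    severity: int  # 1 (low) .. 5 (high), constructed scale
    contacted_urls: list

def convict(verdict, cache, threshold=4):
    """Record the sandbox verdict locally and return the IoCs to publish."""
    cache[verdict.file_hash] = "bad" if verdict.severity >= threshold else "good"
    hosts = {urlsplit(u).hostname for u in verdict.contacted_urls}
    return {"hash": verdict.file_hash, "hosts": hosts}

# Constructed proxy-log archive the SIEM would search: "timestamp system url".
PROXY_LOG = """\
2024-01-09T10:01:02Z ws-017 http://update-portal.example/login
2024-01-09T10:05:44Z ws-042 https://intranet.example/hr
2024-01-10T08:12:31Z ws-017 http://update-portal.example/update?id=7
2024-01-10T09:00:00Z ws-108 http://update-portal.example/
"""

def correlate(ioc, log_text):
    """Historic investigation: which systems contacted a host in the IoC set?"""
    hits = {}
    for line in log_text.splitlines():
        ts, system, url = line.split(" ", 2)
        if urlsplit(url).hostname in ioc["hosts"]:
            hits.setdefault(system, []).append(ts)
    return hits
```

The returned `hits` map is what an analyst would turn into the additional alerts the post describes: each system that reached an IoC host, with the timestamps of its connections.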
Since the malware has a high-severity rating, McAfee Enterprise Security Manager triggers an alert, which enables the administrator to take remediation actions, such as killing the process or removing the file—along with any trace files—from the affected machines.
This use case illustrates the value of a unified architecture, in which collaboration among all your security components can dramatically improve security operations response and efficiency, reduce threat dwell time, and increase your capacity to handle security events. In a recent McAfee survey, 70% of participants believed that this approach reduces manual effort through integrated workflows and automation, and 65% believed it provides more effective triage automation.
Watch our video, and see the power of McAfee integration and intelligence sharing in action: “Defeat the Grey.”