McAfee Network Threat Response
Deconstruct, analyze, and respond to threats inside your network

McAfee Network Threat Response Overview:
Automatically analyze the threats attempting to spread across your network. McAfee Network Threat Response (NTR) enables security analysts to dig deep into threats and construct forensic analysis to effectively characterize and respond to malware in the way that’s most effective for your organization. McAfee NTR is a perfect complement to McAfee Network Security Platform, our network intrusion prevention solution, and also delivers streamlined integration with McAfee Firewall Enterprise.
Key Advantages:
- Unique to your network
- Reduce analyst-to-sensor ratio
- Reduce time-to-respond
- Implements a process
- More value through integration
- Reliable, network-class platforms; next-generation network protection
- Ease of deployment
Description:
McAfee Network Threat Response (NTR) is an out-of-band appliance that captures, deconstructs, and analyzes malware specific to your own network. McAfee NTR is a powerful tool for security analysts. It automatically identifies malware targeting internal network vulnerabilities, and instantly captures and analyzes it to aid remediation. The McAfee NTR appliance sits inside your network and streamlines the forensic threat analysis process with the following features:
- Find: McAfee NTR finds malware activity in real time and even decodes polymorphic encoders. The Network Threat Response Control Center dashboard provides full visibility into discovered malware.
- Create: McAfee NTR creates analysis to help you better understand the malware, how it is attacking your network, and its payload.
- Prevent: McAfee NTR helps you update your security posture by capturing malware and automatically sending samples to McAfee Artemis Technology, McAfee’s host-based malware protection technology. Updated .DAT files are then pushed out to all protected systems within minutes. These shared signatures bring the full power of McAfee Labs research to McAfee NTR. McAfee NTR offers exceptional integration with McAfee Firewall Enterprise.
Solutions:
The missing link in complete network security protection.
McAfee® Network Threat Response discovers zero-day malware that will use or is using network exploits to attack your network, and then automatically captures that malware for analysis and response. Install the appliances and immediately start detecting malware unique to your internal network. Get full visibility of discovered malware through the Network Threat Response Control Center dashboard. Deploy with McAfee Network Security Platform and McAfee Firewall Enterprise to provide multi-pass analysis of embedded network threats. Integration with McAfee host-based malware technology automatically keeps your threat database up-to-date.
Analyst Tool
McAfee Network Threat Response (NTR) is designed as a security analyst tool. It focuses on two metrics to increase the efficiency of security operation center (SOC) operations, thereby reducing cost. These metrics are: 1) increasing the sensor-to-analyst ratio, and 2) reducing the time-to-respond.
Sensor-to-analyst ratio
The first metric focuses on increasing the sensor-to-analyst ratio. Doing so increases the amount of data that an analyst can handle. By providing meta-data signatures that have correlation elements (data coupling) built into them, the system works as a whole, detecting, validating and reporting events. This allows mundane analysis to be done in an automated fashion and lets experienced analysts focus on new and abnormal activity.
Time-to-respond
The second metric focuses on reducing the time-to-respond. By validating data, NTR collects information that is part of the response process in an automated fashion. In one sense, it performs expert analysis in an automated way, supplementing weaker staff. More importantly, it provides stronger information from an event, giving knowledgeable staff the data they need to act on rather than leaving them to spend time collecting it.
Reducing response time is a three-step process:
- Find
- Create
- Prevent
First, NTR finds malware activity in real-time. It even decodes polymorphic encoders if necessary.
Second, NTR creates analysis information that can be used to better understand the malware, its attack vectors, and its payload.
Third, NTR helps prevent further attacks by capturing the malware and automatically sending samples to McAfee’s host-based malware protection technology called McAfee Artemis Technology. Updated .DAT files are then pushed out to all the protected systems within minutes.
The same signatures used to sort through malware are used by the McAfee Firewall Enterprise appliance IPS subscription to block intruders. These shared signatures are updated constantly, with dozens being added or modified daily.
Implements a process
NTR is a framework that automates categorization and discovery, allowing next-step processes to occur in near real time. This process framework helps you determine false negatives, false positives, and actual confirmed attacks.
Data reduction
Finding the “needles in the haystacks” requires data analysis to reduce the large datasets. For example:
- Raw Alarm Data - 40,000 Alarms
- Session Correlation - 20,000 Sessions
- Source Grouping - 2,000 Source-destination pairing
- Behavioral Grouping - 230 Behaviors or possible attacks
- Confirmed Attacks - 15 Behaviors confirmed with 70 sources
What you don’t know can hurt you
McAfee Network Threat Response provides visibility inside your own network that others do not see. It protects your network from malicious activity unique to your environment, especially targeted attacks.
There are two categories of attacks: those you know and those you do not know. IPS systems protect networks from known attacks. This includes zero-day, Denial of Service (DoS), and encrypted attacks as well as threats like spyware, Voice-over-IP (VoIP) vulnerabilities, botnets, malware, phishing, network worms, Trojans, and peer-to-peer applications. These known attack signatures are created from attack collection systems located globally. They represent the most likely or common attacks in the network, but certainly not all of them.
A system is needed to identify and block the unknown and new attacks. Such a system would greatly assist a first level analyst at a SOC to identify these unknown threats more quickly and with more accuracy. This is the function of the McAfee Network Threat Response sensor appliances.
McAfee Network Threat Response’s strength is its ability to determine what occurs after the initial labeling of an attack. By comprehending the attack, the system can perform actions to prevent further associated attacks and aid the system in recovering from the detected attack.

When deployed in conjunction with an in-line IPS system (NSP) and a firewall (FW), it provides complete attack coverage for malware unique to your network.
McAfee Network Threat Response detects and monitors unknown threats. It performs a gap analysis for what other network-based products are not seeing. It does this by labeling traffic, filtering out the “knowns”, and then rebuilding the attack scenario when a payload is detected on a vulnerable system.

Capturing malware
The McAfee Network Threat Response sensor appliances scan your organization’s network traffic looking for new malware payloads and bot distribution websites, including DNS fast flux, which eliminates the changing IP address problem of sophisticated attacks.
This network-based technology focuses on identification, collection, reverse engineering and labeling of malware and bots. It is similar to the McAfee host-based malware protection (McAfee Artemis Technology), but is network-based.
Data coupling for malware identification and analysis is its biggest strength. By using data coupling that is embedded into the signatures’ metadata, McAfee Network Threat Response can confirm that a vulnerability appeared and that an attempt was made to exploit it. When it discovers both a vulnerability and a means to exploit it in the same stream, it confirms the attack.
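The reduction stages listed under "Data reduction" and the data-coupling confirmation described above, shown as an added illustration (not McAfee's code and not NTR's actual logic): constructed alarm records are reduced stage by stage, and a session is confirmed only when a vulnerability signature and an exploit signature fire in the same stream. The `Alarm` fields, the `role` tag standing in for coupling metadata, and the signature names are assumptions made for this example.

```python
from collections import defaultdict
from typing import NamedTuple


class Alarm(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    sig: str    # signature name (constructed for this example)
    role: str   # hypothetical coupling metadata: "vuln", "exploit" or "info"


# Constructed sample alarms; addresses come from documentation ranges.
ALARMS = [
    Alarm("192.0.2.10", 40001, "198.51.100.5", 445, "SMB vulnerable service banner", "vuln"),
    Alarm("192.0.2.10", 40001, "198.51.100.5", 445, "SMB overflow attempt", "exploit"),
    Alarm("192.0.2.10", 40002, "198.51.100.5", 445, "SMB overflow attempt", "exploit"),
    Alarm("192.0.2.11", 40100, "198.51.100.6", 445, "SMB vulnerable service banner", "vuln"),
    Alarm("192.0.2.11", 40100, "198.51.100.6", 445, "SMB overflow attempt", "exploit"),
    Alarm("192.0.2.20", 51000, "198.51.100.7", 80, "HTTP scanner user-agent", "info"),
    Alarm("192.0.2.20", 51001, "198.51.100.7", 80, "HTTP scanner user-agent", "info"),
    Alarm("192.0.2.20", 51001, "198.51.100.7", 80, "HTTP scanner user-agent", "info"),
    Alarm("192.0.2.21", 52000, "198.51.100.7", 80, "HTTP scanner user-agent", "info"),
]


def correlate_sessions(alarms):
    """Session correlation: group raw alarms by their 4-tuple."""
    sessions = defaultdict(list)
    for a in alarms:
        sessions[(a.src, a.sport, a.dst, a.dport)].append(a)
    return dict(sessions)


def group_sources(sessions):
    """Source grouping: collapse sessions into source-destination pairs."""
    pairs = defaultdict(list)
    for key in sessions:
        pairs[(key[0], key[2])].append(key)
    return dict(pairs)


def group_behaviors(sessions):
    """Behavioral grouping: sessions showing the same set of signatures."""
    behaviors = defaultdict(list)
    for key, alarms in sessions.items():
        behaviors[frozenset(a.sig for a in alarms)].append(key)
    return dict(behaviors)


def confirm_attacks(sessions):
    """Data coupling: confirm only sessions holding both a vuln and an exploit alarm."""
    return {key: sorted({a.sig for a in alarms})
            for key, alarms in sessions.items()
            if {"vuln", "exploit"} <= {a.role for a in alarms}}


def funnel(alarms):
    """Return the count surviving each reduction stage."""
    sessions = correlate_sessions(alarms)
    confirmed = confirm_attacks(sessions)
    return {"raw_alarms": len(alarms), "sessions": len(sessions),
            "source_pairs": len(group_sources(sessions)),
            "behaviors": len(group_behaviors(sessions)),
            "confirmed": len(confirmed),
            "confirmed_sources": len({k[0] for k in confirmed})}


if __name__ == "__main__":
    for stage, count in funnel(ALARMS).items():
        print(f"{stage:18} {count}")
```

The exploit alarm on port 40002 stays unconfirmed because no vulnerability signature fired in that stream, which is the kind of alert an analyst would otherwise have to triage by hand.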
Analyzing malware
McAfee Network Threat Response is a framework that ties validation of alarms to analysis of the payload of the activity. It looks for malware that is using network exploits to move on the network, and then captures that malware for analysis and response.
It provides real-time capture and analysis of malware/threats inside your network. It finds new behaviors unique to your network, activity you have never seen before, accelerating your analysis and response. The result is a reduction in analysts’ time-to-evaluate and in time-to-confirmation while increasing the sensor-to-analyst ratio.
The McAfee Network Threat Response shows you confirmed attacks, reducing your time in sifting through thousands of alerts. All network traffic is labeled. Encoded data is decoded. Malware embedded in files is analyzed layer by layer.
Threat signatures
McAfee Network Threat Response provides insight into the network traffic using a large signature database as well as templates (associated code). The SNORT-compatible malware signature database contains over 19,000 signatures, growing at a rate of about 200 new signatures per month. NTR helps create new signatures to block future attacks. You can even add your own SNORT-compatible signatures.
Responding to malware
McAfee Network Threat Response can aid the compromised system in recovering from the detected attack. It can even replay the attack if desired.
Templates are associated with triggers (signatures), which:
- Decode payloads
- Recover malware (intercept / download)
- Pass malware on for evaluation
The benefits include:
- Captures malware binary before system obfuscation, file names
- DNS names and network addresses from attack
- User names and passwords for backdoor scripts
- Download vectors (http [adodb, xhtml], ftp, tftp, and tcpbind)
McAfee integration
McAfee Network Threat Response typically works in conjunction with an enforcement appliance like McAfee Network Security Platform (NSP / IntruShield) or McAfee Firewall Enterprise (Sidewinder). New malware is captured and sent to McAfee Artemis Technology to prevent further infection. NSP provides payload-based coverage to complement NSP’s vulnerability-based and exploit-based coverage. NTR is stream-based and checks packet headers for abnormalities.
Web-based management console
The McAfee Network Threat Response Control Center (management console) appliance provides simple, centralized, web-based management of Network Threat Response sensor appliances. It can manage multiple NTR sensors. Control Center is also installed on each sensor appliance for single-box evaluation purposes; however, enabling it there will degrade the sensor's performance.

Flexible configurations
McAfee Network Threat Response has several different modes:
1. IDS – The Sensor appliance passively listens to network traffic to discover threats. In this mode, the appliance is connected to one of the following:
- Mirror (SPAN) network switch port (default)
- Network TAP device
2. Decoy – The Sensor appliance is assigned one or more IP addresses, and masquerades as a vulnerable host to lure and capture attacks. In this mode, the appliance is connected to a conventional network switch port. Also referred to as a honey pot or endpoint.
3. Pcap – The Sensor appliance reads in captured packets from a packet capture file.
Accurate, enterprise-wide threat analysis
- Confirmed attacks, malware listings, scripts, binaries, sessions
- Industry leading shell code detector
- GEO IP to determine who is searching your network
- Receive continuous threat updates 24/7 from the global research team at McAfee Avert Labs
Network-class platform with multi-gigabit performance
McAfee Network Threat Response is the perfect fit for enterprises that need real-time security confidence with multi-gigabit performance. Each appliance is built on quality Dell hardware. You get carrier class reliability with the A1000, offering up to 10-Gbps performance with plenty of monitoring ports.
Specifications:
| Sensor Hardware Components | ||||||
|---|---|---|---|---|---|---|
| Models | A1000 | A200 | A100 | A50 | ACC | A50VM |
| Role | Sensor Appliance | Sensor Appliance | Sensor Appliance | Sensor Appliance | Management Console Appliance | Sensor Virtual Machine |
| Performance throughput | Up to 10 Gbps | Up to 2 Gbps | Up to 1 Gbps | Up to 500 Mbps | Multiple Sensors | Up to 500 Mbps |
| Ports | ||||||
| 1 Gigabit Ethernet ports | 7 | 7 | 3 | 3 | 0 | — |
| 10 Gigabit Ethernet ports | 2 | 0 | 0 | 0 | 0 | — |
| Dedicated management ports (1 GbE) | 1 | 1 | 1 | 1 | 4 | — |
| Mode of Operation | ||||||
| SPAN port monitoring (passive) | Yes | Yes | Yes | Yes | — | Yes |
| Network TAP mode (IDS) | Yes | Yes | Yes | Yes | — | Yes |
| Decoy mode (honey pot) | Yes | Yes | Yes | Yes | — | Yes |
| Packet Filter mode w/fail open | No | Yes | No | No | — | No |
| Virtual Machine | No | No | No | No | No | Yes |
| Hardware | ||||||
| Dell PowerEdge | TBD | R610 | R610 | R200 | R610 | VMware ESX Image |
| CPU Cores | 16 | 8 | 4 | 4 | 8 | — |
| CPU | 4x Intel Nehalem Quad-Core chips 2.66GHz+ | 2x Intel Nehalem E5540 Xeon Quad-Core chips 2.53GHz | 1x Intel Nehalem E5540 Xeon Quad-Core chip 2.53GHz | 1x Intel X3360 Xeon Quad Core chip 2.83GHz | 2x Intel Nehalem E5540 Xeon Quad-Core chips 2.53GHz | — |
| Memory | 24GB | 12GB | 6GB | 2GB | 12GB | — |
| Hard Drives | 4x 300GB Serial-Attached SCSI | 4x 300GB Serial-Attached SCSI | 2x 300GB Serial-Attached SCSI | 1x 250GB SATA | 4x 300GB Serial-Attached SCSI | — |
| Onboard NICs | 4x 1GbE | 4x 1GbE | 4x 1GbE | 2x 1GbE | 4x 1GbE | — |
| Additional NICs | Dual Port 10GbE NIC (fiber) Intel Quad Port 1GbE NIC (copper) | Intel Quad Port 1GbE NIC (copper) w/fail open | No | Dual Port 1GbE NIC (copper) | No | — |
| NetLogic Card | NLS2008HAP | No | No | No | No | No |
| Operating System | RHEL 5 | RHEL 5 | RHEL 5 | RHEL 5 | RHEL 5 | RHEL 5 |
| High availability | ||||||
| Redundant power | Yes | Yes | Yes | No | Yes | — |
| RAID Level | RAID-10 | RAID-10 | RAID-1 | No | RAID-10 | — |
| Physical | ||||||
| Form Factor | 4U | 1U | 1U | 1U | 1U | — |
| Chassis Dimensions | 6.8"(H) x 17.6" (W) x 27.6"(D) | 1.68"(H) x 18.99" (W) x 30.39"(D) | 1.68"(H) x 18.99" (W) x 30.39"(D) | 1.68"(H) x 17.60" (W) x 21.50"(D) | 1.68"(H) x 19.99" (W) x 30.39"(D) | — |
| Shipping Dimensions | TBD | 37.50"(W) x 11.50"(H) x 24.25"(D) each | 37.50"(W) x 11.50"(H) x 24.25"(D) each | 35.00"(W) x 10.25"(H) x 24.75"(D) each | 37.50"(W) x 11.50"(H) x 24.25"(D) each | — |
| Weight | 92 lbs. | 39 lbs. | 39 lbs. | 26 lbs. | 39 lbs. | — |
| Power consumption | 1570w | 717w | 717w | 345w | 717w | — |
| Power input | 90–264VAC (47-63Hz) | |||||
| Temperature | 10° to 35° C (operating), -40° to 65° C (storage) | |||||
| Relative humidity (non-condensing) | 20% to 80% (operating), 5% to 95% (storage) | |||||
| Altitude | -50 to 10,000 feet (operating), -50 to 35,000 feet (storage) | |||||
| Safety certification | NRTL (USA), CE (Europe), IRAM, BELLIS, SCC (Canada), CNCA or CCC, KONCAR, TUV, IECEE CB, SII, OTAN - CKT, KEBS, NYCE or NOM, INSM, SONCAP, NEMKO, GOST, KSA ICCP (R610 only), NRCS / SABS, BSMI, UKRTEST or UKRSERTCOMPUTER, STZ | |||||
| EMI certification | Class A for: FCC (USA), CE (Europe), ACMA or C-Tick, BELLIS, KVALITET, ICES (Canada), CNCA or CCC, KONCAR, SII, VCCI, OTAN - CKT, INSM, NEMKO, GOST, SABS, KCC / BCC, BSMI, UKRTEST or UKRSERTCOMPUTER, ICT | |||||
Documentation:
Download the McAfee Network Threat Response Datasheet (PDF).
| Item | SKU | List Price | Our Price |
|---|---|---|---|
| McAfee Products | | | |
| McAfee Network Threat Response A50 Hardware | | | |
| McAfee Network Threat Response A50 Appliance: Supports 4 1-Gigabit Ethernet interfaces and delivers up to 500Mbps traffic analysis performance. One AC power supply standard. | #NTR-A050-BA | $30,000.00 | $25,500.00 |
| McAfee Network Threat Response A100 Hardware | | | |
| McAfee Network Threat Response A100 Appliance: Supports 4 1-Gigabit Ethernet interfaces and delivers up to 1Gbps traffic analysis performance. Includes RAID-1 for higher performance. | #NTR-A100-BA | $70,000.00 | $59,500.00 |
| McAfee Network Threat Response A200 Hardware | | | |
| McAfee Network Threat Response A200 Appliance: Supports 8 1-Gigabit Ethernet interfaces and delivers up to 2Gbps traffic analysis performance. Includes RAID 1+0 for higher performance | #NTR-A200-BA | $85,000.00 | $72,250.00 |
| McAfee Network Threat Response Control Center Hardware | | | |
| McAfee Network Threat Response Control Center Appliance: Supports 8 1-Gigabit Ethernet interfaces and delivers up to 2Gbps traffic analysis performance. Includes RAID 1+0 for higher performance | #NTR-MGMT-BA | $30,000.00 | $25,500.00 |
| McAfee Supports | | | |
| McAfee Network Threat Response A50 Support | | | |
| McAfee Network Threat Response A50 1 year Gold Software Support & Onsite Next Business Day Hardware Support *Note: McAfee Hardware and Gold Software Support SKU is required to be sold with the appliance and provided to McAfee on one consolidated purchase order. | #NYVA50BNBDA | $6,000.00 | — |
| McAfee Network Threat Response A50 1 year Onsite Same Day 24x7 Hardware Support Upgrade - from Next Business Day *Note: McAfee Hardware and Gold Software Support SKU is required to be sold with the appliance and provided to McAfee on one consolidated purchase order. | #NYVA50BSDA | $3,000.00 | — |
| McAfee Network Threat Response A100 Support | | | |
| McAfee Network Threat Response A100 1 year Gold Software Support & Onsite Next Business Day Hardware Support *Note: McAfee Hardware and Gold Software Support SKU is required to be sold with the appliance and provided to McAfee on one consolidated purchase order. | #NYVA100BNBDA | $14,000.00 | — |
| McAfee Network Threat Response A100 1 year Onsite Same Day 24x7 Hardware Support Upgrade - from Next Business Day *Note: McAfee Hardware and Gold Software Support SKU is required to be sold with the appliance and provided to McAfee on one consolidated purchase order. | #NYVA100BSDA | $7,000.00 | — |
| McAfee Network Threat Response A200 Support | | | |
| McAfee Network Threat Response A200 1 year Gold Software Support & Onsite Next Business Day Hardware Support *Note: McAfee Hardware and Gold Software Support SKU is required to be sold with the appliance and provided to McAfee on one consolidated purchase order. | #NYVA200BNBDA | $17,000.00 | — |
| McAfee Network Threat Response A200 1 year Onsite Same Day 24x7 Hardware Support Upgrade - from Next Business Day *Note: McAfee Hardware and Gold Software Support SKU is required to be sold with the appliance and provided to McAfee on one consolidated purchase order. | #NYVA200BSDA | $8,500.00 | — |
| McAfee Network Threat Response Control Center Support | | | |
| McAfee Network Threat Response Control Center 1 year Gold Software Support & Onsite Next Business Day Hardware Support *Note: McAfee Hardware and Gold Software Support SKU is required to be sold with the appliance and provided to McAfee on one consolidated purchase order. | #NYVCCBNBDA | $6,000.00 | — |
| McAfee Network Threat Response Control Center 1 year Onsite Same Day 24x7 Hardware Support Upgrade - from Next Business Day *Note: McAfee Hardware and Gold Software Support SKU is required to be sold with the appliance and provided to McAfee on one consolidated purchase order. | #NYVCCBSDA | $3,000.00 | — |
| McAfee Software | | | |
| McAfee Network Threat Response A50VM Virtual Machine (VMware) Software - Perpetual License | | | |
| McAfee Network Threat Response A50VM Virtual Machine (VMware) Software, 1-+ Virtual Machines, 1-Year *Perpetual License with 1-Year Gold Software Support *Price per virtual machine. Quantity must be 1 or greater | #TVMCKE-AAA | $38,800.00 | $32,980.00 |
| McAfee Network Threat Response A50VM Virtual Machine (VMware) Software | | | |
| McAfee Network Threat Response A50VM Virtual Machine (VMware) Software, 1-+ Virtual Machines, 1-Year *1-Year Gold Software Support *Price per virtual machine. Quantity must be 1 or greater | #TVMYCM-AAA | $7,800.00 | $6,630.00 |
| McAfee Network Threat Response Traffic Filter (500Mbps) Software - Perpetual License | | | |
| McAfee Network Threat Response Traffic Filter Software, 1-+ Virtual Machines, 1-Year *Perpetual License with 1-Year Gold Software Support *Price per virtual machine. Quantity must be 1 or greater | #TFSCKE-AAA | $13,800.00 | $11,730.00 |
| McAfee Network Threat Response Traffic Filter (500Mbps) Software | | | |
| McAfee Network Threat Response Traffic Filter Software, 1-+ Virtual Machines, 1-Year *1-Year Gold Software Support *Price per virtual machine. Quantity must be 1 or greater | #TFSYCM-AAA | $2,800.00 | $2,380.00 |