McAfee Network User Behavior Analysis

McAfee Network User Behavior Analysis Overview:

McAfee Network User Behavior Analysis gives you a continuous, real-time view of user behavior and activity across your complex network environment. It replaces manual detection efforts, such as log analysis, with automated discovery and analysis based on existing network flow data, as well as application and identity data to deliver reliable results and a clear course of action.

Description:

McAfee Network User Behavior Analysis (UBA) monitor appliances are network-based and designed to capture and analyze critical traffic data inside the network using one of three methods:

Monitors passively capture, decode, and analyze traffic via native deep packet inspection (DPI). They use port mirroring or passive network taps to obtain full packet data for protocol decoding up to the application layer. This level of detail is often required to ensure a tamperproof view of network activity within critical systems.

Flow monitors analyze existing flow-based data from Cisco Netflow, Juniper J-Flow, and others. This broader network view is often useful for gaining a cost-effective, enterprise-wide view of who is doing what and from where across the entire network.

When using McAfee Network UBA management appliances, you can use monitors in a "mixed" mode that combines DPI and flow-based data.

With Network User Behavior Analysis, you get:

Intuitive, accurate information — In a single view, Network User Behavior Analysis shows you the actual user, group, and role associated with each action on the network. It correlates behavior with your existing security policies to show violations. It gives you this information in real time, not after the fact, so you can pinpoint potential risks and make decisions quickly and decisively.

Lowered costs and enhanced security — By automating labor-intensive detection and analysis tasks, Network User Behavior Analysis reduces the cost of keeping your network safe from risks, including insider threats.

Simplified compliance and auditing — Network User Behavior Analysis makes audit preparation faster and easier with ongoing monitoring to ensure compliance with PCI DSS, FISMA, SOX, HIPAA, and GLBA.

Monitor detection capabilities include:

• Network scan detection
• Service probe detection
• Protocol anomaly detection
• Network behavior anomaly detection
• Application behavior anomaly detection
• Unauthorized services detection
• Unauthorized communication channels detection
• Native IDS signature detection, which includes custom signature deployment, and regular and on-demand signature updates

McAfee provides these Network UBA monitor options:

• Monitor SE—bandwidth: up to 1 Gb/s for heavy-traffic networks
• Monitor—bandwidth: up to 400 Mb/s
• Monitor LE:bandwidth up to 100 Mb/s
• Monitor LE—50: for monitoring small, remote office networks of 50 or fewer machines
• Flow Monitor SE: for flow-based monitoring across larger networks and segments
• Flow Monitor:for flow-based monitoring across smaller networks and segments

Note that each monitor is capable of performing its own analysis in a distributed manner, or you can aggregate the data to the McAfee Network UBA Control Center. A reporting appliance is also available for long-term data warehousing and compliance reporting.

Representative McAfee Network UBA Control Center and Monitor appliances deployed
in front of a data center where critical business systems reside.

Benefits and Features:

Network UBA Control Center:

McAfee Network UBA Monitors provide a continuous, real-time view of what business users are actually doing across your complex network environment. They can leverage your existing infrastructure and the identity and role information in your existing directory to deliver cost-effective discovery, analysis, and control of user access and behavior across networks and systems.

McAfee Network UBA Control Center appliances are capable of consolidating and centralizing the ongoing monitoring, analysis, and management of all sizes of deployments—everything from a few Network UBA Monitor appliances at a single site to a worldwide McAfee Network UBA solution deployment.

In addition, large entities can easily stratify and delegate their management capabilities with Network UBA Control Center. For example, you could retain the ability to analyze and control network activity at an overall organizational level while also allowing your various operating divisions or security zones to monitor and manage network activity that’s specific to their group.

Deployment Options

McAfee offers two types of Network UBA Control Centers:

• One Control Center SE can accommodate up to 25 Network UBA Monitors.
• One Enterprise Control Center can consolidate activity from up to 10 Network UBA Monitors.

Thanks to the flexibility of Network UBA Control Centers, you are able to mix and match any of the different Monitor family members: Monitor SE, Monitor, Monitor LE, Monitor LE-50, Flow Monitor SE, and Flow Monitor. This way, you can take advantage of varying bandwidth needs and data collection methods, and still have a single point of management for discovering and controlling network activity.

The Discovery View graphically provides enterprises an initial understanding of what user groups
are accessing which critical systems. This visbility can save significant time in gaining knowledge
about usage of systems by users, protocols/services, bandwidth, etc.

Utilizing role-based controls, the Control View graphically illustrates the network usage of users
to critical systems and clearly denotes what activity is acceptable, unacceptable and
what activity merits a closer look by the security and operations teams.

Network UBA Monitor:

McAfee Network UBA Monitor appliances are the cornerstone of the overall McAfee Network UBA solution. Monitors are network-based and designed to capture and analyze critical traffic data inside the network using one of three methods:

Flow Monitors leverage existing flow-based data from Cisco Netflow and Juniper J-Flow for analysis. This broader network view is often useful for gaining a cost-effective, enterprise-wide view of who is doing what and from where across the entire network, including remote locations.

• Monitors passively capture, decode, and analyze traffic via native deep packet inspection (DPI). They use port mirroring or passive network taps to obtain full packet data for protocol decoding up to the application layer (layer 7). This level of detail is often required to ensure a tamperproof view of network activity within critical data centers and critical business systems.
   
• When using McAfee Network UBA management appliances, you can use Monitors in a "Mixed" mode that combines both DPI and flow-based data.

Note that each Monitor is capable of performing its own analysis in a distributed manner, or you can choose to aggregate the data from your Monitors to a McAfee Network UBA management appliance, such as the McAfee Network UBA Control Center.

Simplified Setup

Deployment takes only a matter of hours and you can gain improved visibility of ‘who, what and where’ in a matter of minutes after deploying. Monitors require no agents, no application integration, and no recoding. For identity-based monitoring, McAfee Network UBA Monitors leverage your existing directory information, such as that found in Microsoft Active Directory, including groups and memberships.

Monitor Options

McAfee provides the following Network UBA Monitor options:

• Monitor SE – bandwidth up to 1 Gbps for heavy-traffic networks
• Monitor – bandwidth up to 400 Mbps
• Monitor LE – bandwidth up to 100 Mbps
• Monitor LE-50 – for monitoring small, remote office networks of 50 or fewer machines
• Flow Monitor SE – for flow-based monitoring across larger networks and segments
• Flow Monitor – for flow-based monitoring across smaller networks and segments

Network UBA Capabilities:

Network Monitoring and Analysis

• Monitoring via port mirroring or passive network taps for deep packet inspection
• Monitoring via flow data from Cisco Netflow, Juniper J-Flow, and others

Identity Capabilities

• User identity tracking via real-time integration with existing directory infrastructure:
  • Leverages existing user, role, and policy contexts
  • All user activity is tracked from the instant a user accesses the network
  • Continuous, non-invasive polling of directory
  • Moves, adds, and changes done once in the which then filter down to NETWORK UBA Monitors
• Identity-, group-, and role-based controls:
  • Control granularity: user groups vs. network
• Controls expressed in easy-to-understand business contexts
• Supports typical, random address pool DHCP environments

Application Decode

• Packet capture and decode at command level for 20 key applications, including: DHCP, AIM, DNS, FTP, HTTP, IRC, Kerberos, POP, SIP, SMTP, SSL, TLS, YIM, and more

Controls

• Over 300 pre-built network and application behavior controls:
• Includes URL and rates controls
• Wizard-based interface to define controls and control groups and one-click customizable control creation feature
• User-defined application layer thresholds by number of events and bandwidth by day and hour
• User-defined HT

Detection Capabilities

• Network scan detection
• Service probe detection
• Protocol anomaly detection
• Network behavior anomaly detection
• Application behavior anomaly detection
• Unauthorized services detection
• Unauthorized communication channels detectio
• Native IDS signature detection:
  • Custom signature deployment
  • Regular and on-demand signature updates

Integration

• Integration with directories such as Microsoft Active Directory and LDAP-based directories
• Integration with network routers and switches for blocking actions
• Integration with flow-based data from Cisco, Juniper, and others
• Export event alerts to security information manager (SIM) and other third-party systems such as ArcSight via:
  • SNMP
  • SMTP
• Integration with non-Windows based identity clients such as Centrify
• Import of vulnerability assessment

Certificationn

• Common Criteria EAL 3 Certified
• U.S. Department of Defense accreditations for operating on SIPRNet, NIPRNet, and JWICS

System Requirements:

These are minimum system requirements only. Actual requirements will vary depending on your environment. Technical information provided by Intel. Specifications may change at any time and without prior notice.

McAfee Network User Behavior Analysis (UBA) Control Center Appliance

Technical specificationss

• 1 Intel Xeon 5150, 2.66 GHz, 1,333 MHz, 4 MB cache, dual-core CPU
• Two 150 GB, 16 MB cache, 10K RPM SATA hard drives
• 4 GB RAM

Power & BTU specifications

• Max. surge amps = 9.5
• Max. running amps = 8.5
• Avg. running amps = 6.25
• Watts = 750
• BTU/hr. = 2,550

Dimensions

• Rack-mountable 1U device
• 17"W x 28 1/2"D x 1 3/4"H

Weight

• 30 lbs.

Temperature

• Operating temperature: 50°–90° F / 10°–35° C (maximum change rate not to exceed 10° C per hour)
• Non-operating temperature: -40°–70° C
• Non-operating humidity: 90%, non-condensing at 28° C

Compliance

• UL60950 - CSA 60950 (USA/Canada)
• EN60950 (Europe)
• IE60950 (International)
• CE - Low-voltage Directive 73/23/EEE (Europe)

Certification

• Common Criteria EAL 3 Certified
• U.S. Department of Defense accreditations for operating in SIPRNet, NIPRNet, and JWICS

Note: Technical information provided by Intel Corporation. Specifications subject to change at any time without prior notice.

McAfee Network User Behavior Analysis (UBA) Monitor Appliance

Technical specifications

• 1 Intel Xeon 5130, 2.00 GHz, 1,333 MHz, 4 MB cache, dual-core CPU (for Monitor SE, Flow Monitor SE, and Flow Monitor: 1 Xeon 5150, 2.66 GHz CPU)
• Two 250 GB, 16 MB cache, 10K RPM SATA hard drives
• 4 GB RAM

Power & BTU specifications

• Max. surge amps = 9.5
• Max. running amps = 8.5
• Avg. running amps = 6.25
• Watts = 750
• BTU/hr. = 2,550

Dimensions

• Rack-mountable 1U device
• 17"W x 28 1/2"D x 1 3/4"H

Weight

• 30 lbs.

Temperature

• Operating temperature: 50°–90° F / 10°–35° C (maximum change rate not to exceed 10° C per hour)
• Non-operating temperature: -40°–70° C
• Non-operating humidity: 90%, non-condensing at 28° C

Compliance

• UL60950 - CSA 60950 (USA/Canada)
• EN60950 (Europe)
• IE60950 (International)
• CE - Low-voltage Directive 73/23/EEE (Europe)

Certification

• Common Criteria EAL 3 Certified
• U.S. Department of Defense accreditations for operating in SIPRNet, NIPRNet, and JWICS

Note: Technical information provided by Intel Corporation. Specifications subject to change at any time without prior notice.

Documentation:

Download the McAfee Network UBA Control Center Datasheet (PDF).

Download the McAfee Network UBA Monitor Datasheet (PDF).