McAfee MVISION Endpoint Detection And Response (MVISION EDR) - Softchoice

Transcription

DATA SHEET

McAfee MVISION Endpoint Detection and Response (MVISION EDR)

Powerful threat detection, guided investigation, and response—simplified

Adversaries maneuver in covert ways—camouflaging their actions within the most trusted components already in your environment. They don't always install something tangible like malware, but they always leave behind a behavioral trail. Endpoint detection and response (EDR) continuously monitors and gathers data to provide the visibility and context needed to detect and respond to threats. But current approaches often dump too much information on already stretched security teams. McAfee MVISION EDR helps to manage the high volume of alerts, empowering analysts of all skill levels to do more and investigate more effectively.

Key Benefits

- Provides high-quality actionable threat detection without the noise.
- Faster analysis allows you to mount a more resilient defense.
- AI-guided investigations provide analysts with machine-generated insights into the attack.
- Organizations can maximize the impact of their existing staff.
- It's a low-maintenance cloud solution.
- Simplify deployments by leveraging existing on-premises McAfee ePO software or SaaS-based MVISION ePO.
- Analysts can focus on strategic incident response without burdensome administration overhead.

Strengthen, Speed, and Simplify EDR

MVISION EDR reduces mean time to detect and respond to threats by enabling all analysts to understand alerts, fully investigate, and quickly respond. Advanced analytics broaden detection and make sense of alerts. Artificial intelligence (AI)-guided investigations and automation equip even novice analysts to analyze at a higher level and free your more senior analysts to apply their skills to the hunt and accelerate response time.

Detect Advanced Endpoint Threats and Respond Faster

Without the right data, context, and analytics, EDR systems either generate too many alerts or miss emerging threats, wasting precious time and resources without improving security. MVISION EDR offers always-on data collection and multiple analytic engines throughout the detection and investigation stages to help accurately surface suspicious behavior, make sense of alerts, and inform action.

Gain context and visibility: Endpoint event information is streamed to the cloud, providing the context and visibility necessary to uncover stealthy threats. Endpoint information is available for immediate inspection and real-time search, in addition to historical search. Flexible data retention options support the varied needs of diverse security operations teams and organizations.

Uncover more with powerful cloud-based analytics: Analytic engines inspect endpoint activity to uncover a broad spectrum of suspicious behavior and detect threats—from file-based malware to file-less attacks—that have slipped by other security defenses. Cloud-based deployment enables rapid adoption of new analytic engines and techniques.

Think like an attacker: Behavior-based detection results map to the MITRE ATT&CK framework, supporting a more consistent process to determine the phase of a threat and its associated risk and to prioritize a response.

Easily navigate: Alert ranking further helps analysts understand risk severity and appropriate response. Flexible data display and visualization at this stage help analysts with different levels of experience easily navigate the data to quickly understand why an alert was raised and determine next steps: dismiss, respond, or investigate.

Respond with speed: MVISION EDR preconfigured responses enable immediate action. Users can easily contain threats by killing a process, quarantining a machine, and deleting files. Analysts can act on a single endpoint or scale response to the entire estate with a single click.

AI-Guided Investigation

If immediate response to an alert and root cause of the incident is not obvious—and often it is not—security analysts must step outside their EDR solution and investigate to truly understand all the facets of a complex threat or campaign and the associated risk. EDR solutions traditionally "enable" investigation by providing raw data, context, and search functions but still require knowledgeable analysts to perform the inquiry and analysis. Experienced analysts often do not have time to validate and investigate numerous alerts, while inexperienced analysts may not know where to start.

With MVISION EDR, analysts at any level can take the next step and investigate. Rather than simply enabling an investigation with search functionality and data, MVISION EDR guides the investigation.

Dynamic investigation guides: Built by combining the experience and expertise of McAfee forensic investigators with artificial intelligence (AI), investigation guides force-multiply the investigation process and explore many hypotheses in parallel for maximum speed and accuracy. Unlike playbooks that automate scripted tasks for known threats, investigation guides dynamically adjust to the case at hand, combining different investigation strategies and data. MVISION EDR automatically asks and answers questions to prove or disprove the hypotheses. MVISION EDR automatically gathers, summarizes, and visualizes evidence from multiple sources and iterates as the investigation evolves.

Figure 1. MVISION EDR investigates for you. It automatically collects artifacts and presents the key findings. Visualization displays relationships and speeds analyst understanding. MVISION EDR asks and answers the right questions to prove or disprove the hypotheses.

Broad data collection and local relevancy: The AI-powered investigation engine gathers and processes artifacts and complex event sequences—from endpoints, security information and event management (SIEM) systems, and McAfee ePolicy Orchestrator (McAfee ePO) software—to help make sense of alerts. MVISION EDR compares evidence against known normal activity for each organization and against threat intelligence sources to improve local relevancy and reduce false positives triggered against normal activity. Investigations can originate from either MVISION EDR or SIEM alerts.

MVISION EDR reduces the expertise and effort needed to perform investigations and increases the speed with which analysts can determine the risk of the incident and its root cause. At an organizational level, the benefits multiply. Each analyst can be more efficient, more cases can be dispositioned by junior analysts, and senior analysts can spend time on the highest-value activities.

The Right Data—at the Right Time—for the Task at Hand

In addition to guided investigation, analysts and threat hunters can use the powerful MVISION EDR search and data collection capabilities to expand inquiries and look deeply into and across systems.

Different views for different users: The flexible data display applies the appropriate lens for users with different levels of experience, so all analysts can quickly understand how artifacts and events are connected without pivoting to multiple screens.

Phishing investigation: MVISION EDR easily plugs into security operations phishing investigation workflows. Suspicious emails can flow to MVISION EDR for inspection. If found to be malicious, MVISION EDR can quickly determine which machines across the organization may be impacted.

Historical search: The always-on and comprehensive data collection streams endpoint event information from all monitored systems to the cloud. Analysts can search this centralized data—regardless of the current online or offline status of each endpoint—to find indicators of compromise (IoCs) and indicators of attack (IoAs) that may be present, along with deleted files.

Real-time search: For active incident inquiries, real-time search reaches out to endpoints across the estate to quickly query for up-to-the-moment information. Flexible syntax enables a range of capabilities, from simple queries, such as searching workstations for installed applications, to more complex searches that return more data from the workstation, such as identifying the user at the time of an event, command line execution, and when the suspected application was started. This capability can easily scale queries across the enterprise to tens of thousands of machines.

On-demand data collection: To support investigations, MVISION EDR can take a snapshot of an endpoint on demand, capturing a comprehensive view of active processes, network connections, services, and autorun entries. MVISION EDR provides associated severity and additional information, such as hash, reputation, and the parent process/service/user that executed a suspect file. Enabled by a nonpersistent data collection tool, snapshots can be captured on both monitored and non-monitored systems.

Collaboration Expands Visibility, Increases Operational Efficiency, and Improves Outcomes

MVISION EDR is a key component of an integrated security ecosystem. It extends endpoint protection capabilities and expands visibility while supporting the workflows and processes of the security team to help reduce mean time to detect and respond and increase operational efficiency.

Correlate data from across the enterprise for complete visibility: Collaboration and easy integration with data sources beyond the endpoint is key to closing data gaps for multifaceted threat investigations. Tight integration with security information and event management (SIEM) solutions, such as McAfee Enterprise Security Manager or third-party products, enables MVISION EDR to expand investigation capabilities and insight by correlating endpoint artifacts with network information and other data collected by the SIEM.

Support team collaboration and workflows: MVISION EDR plugs into current security operations workflows and supports collaboration by sharing investigation data and updates through security incident response platforms.

Scalable, simple deployment: MVISION EDR is available as a SaaS application. Management with McAfee ePO software—the industry's foremost centralized security management platform—simplifies deployment and ongoing maintenance of MVISION EDR and your entire security infrastructure. Now available both on premises and in the cloud, McAfee ePO software offers management flexibility to fit diverse organizational needs.

For information on MVISION EDR, contact your McAfee representative or visit www.mcafee.com/mvision.

McAfee, 2821 Mission College Blvd., Santa Clara, CA 95054, 888.847.8766, www.mcafee.com

McAfee and the McAfee logo, ePolicy Orchestrator, and McAfee ePO are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. Copyright 2019 McAfee, LLC. 4299 0619, JUNE 2019