Monitor Continuously. Respond Swiftly. - McAfee


SOLUTION BRIEF

Monitor Continuously. Respond Swiftly.
McAfee Active Response enhances detection and remediation

Every day last year, 2,803,036 data records were lost or stolen as a result of a data breach, and research indicates that the numbers are climbing at an alarming rate. Data breaches totaled 1,540 last year, up 46% from the previous year.[1] Most security-conscious organizations are quickly coming to the realization that traditional set-and-forget endpoint solutions are ill-equipped to handle the daily barrage of zero-day and advanced targeted attacks (ATAs). Security teams need uninterrupted visibility into endpoint activity, rather than just alerts from security products after something has already gone wrong. Endpoint detection and response (EDR) is an indispensable supplement to current defenses. As Gartner points out, "Organizations investing in EDR tools are purposefully moving from an 'incident response' mentality to one of 'continuous monitoring' in search of incidents that they know are constantly occurring."[2]

The Defense Deficit in Most Endpoint Solutions

Instead of taking a proactive approach, most incident response teams currently take a reactive approach. Often, threats are not even discovered until long after the damage has been done. After bypassing your defenses, low-lying ATAs have a prolonged "dwell time," which enables them to proliferate throughout your infrastructure, eventually causing a breach.

Traditional endpoint solutions with signature-based antivirus, data loss prevention, host intrusion prevention, and other key capabilities offer limited visibility into what is actually going on with your endpoints across your entire infrastructure. This is especially true if multiple tools from different vendors are in place. This patchwork, siloed approach makes search and analysis of threat activity difficult and costly.

Security teams have had to rely on scheduled scans to get a picture of their company's security posture, but these occasional glimpses are far from adequate, especially when you consider that more than 307 new threats appear every minute, or more than five every second, according to the McAfee Labs November 2014 Threats Report.[3] In addition to the onslaught of zero-day malware, scheduled scans miss dormant, multivector threats that might have crept into your infrastructure undetected, waiting to unleash their fury.

In general, security teams are unable to keep abreast of malicious activity because resources are scarce, practitioners have limited time, and rigid incident response processes don't necessarily scale well enough to handle the big attacks.
As more endpoints are added to the infrastructure (laptops, desktops, mobile devices, and servers), IT is faced with the challenge of managing these systems and extracting relevant security and threat intelligence.

Why Everyone Needs McAfee Active Response

EDR will soon become an essential component of everyone's cybersecurity defense strategy and practice. As security consultant John Reed Stark suggests, "EDR tools improve a company's ability to detect and respond to outsider and insider threats; enhance a company's speed and flexibility to contain any future attack or anomaly; and help a company manage data threats more effectively overall."[4]

McAfee Active Response completes your layered security strategy and enhances not only your endpoint protection, but your overall security posture as well. It is a critical element of a comprehensive solution set that includes essential endpoint security technologies, such as antivirus, application control, local threat intelligence, and more. Part of the unified security architecture from McAfee, the solution provides continuous visibility and insights into endpoint activity to help you act more quickly to remediate issues in a way that works best for your business.

Administrators, investigators, and responders get an uninterrupted view of activity across your infrastructure, enabling them to respond appropriately to threats that may be lying in wait, may have been deleted to avoid detection, or may be propagating throughout your network. Built-in, customizable triggers help your security team discover today's and tomorrow's indicators of attack (IoAs) and act on that information swiftly.

The power of intelligent discovery, detailed live and interactive investigation and analysis, comprehensive reporting, and prioritized alerts and actions are harnessed by the McAfee ePolicy Orchestrator (McAfee ePO) management platform. McAfee unifies Protect, Detect, and Correct through the McAfee ePO platform into an adaptive feedback loop, enabling security to evolve and learn in an iterative cycle that improves over time. McAfee Active Response is the Detect and Correct component of this threat defense lifecycle, helping organizations identify compromises more effectively and implement quick remediation. McAfee ePO software enables scalability, extensibility, and unified, continuous monitoring across your infrastructure. It helps you keep costs down too, as additional technical staff or management agents are not required for administration.

Figure 1. Automated, adaptable, and continuous protection against ATAs with McAfee Active Response. (Continuous: use continuous collectors to find and visualize all files, executable and dormant. Automated: set traps, triggering automatic or customized responses. Adaptable: manage the entire solution from a single console.)

McAfee Active Response has the three ingredients that are essential for an effective EDR:

Automation: Triggers or traps can be set based on various parameters. They tell all the endpoints in your environment to look for specific types of IoAs. When a particular type of IoA is discovered, triggers automatically set in motion a user-definable reaction, such as "reboot system." Unlike other EDR solutions that only collect information constantly, McAfee Active Response automatically applies logic to invoke a specified reaction under certain conditions.

Adaptability: When administrators receive an alert, McAfee Active Response adapts the response according to the attack methodologies at play. Customized or standard searches can be done across your organization to gain a more thorough understanding of IoAs and align the proper remediation efforts and resources.

Continuous monitoring: McAfee Active Response operates persistently. Triggers set off alerts or responses when attack events occur, and you can adjust this to monitor systems for future attack activity.

Precise data collection uncovers breach potential.

Collectors are a key component of McAfee Active Response. Built-in search capabilities allow users to take a deep dive into systems to discover and visualize insightful data that can offer clues about lurking malware or suspicious activity. Collectors are like detectives who can look beyond the obvious, examining program executables, running processes, and dormant or deleted files and objects.

McAfee Active Response collectors enable optimal configurability, adaptability, and accuracy. You have the option of either using the provided catalog or writing and importing your own scripts, using McAfee Data Exchange Layer to run them. You can then search across traditional data sources or black holes (where data packets may be destroyed or discarded without your knowledge) to find the exact combination of characteristics that correspond to IoAs you are interested in tracking.

Figure 2. McAfee Active Response search results.

Triggers and reactions provide automated, continuous response.

With just a single set of instructions, triggers help you continuously monitor and respond to security events or state changes today and tomorrow. After you define the set of potential attack behaviors or details you wish to monitor, you set a trigger to automatically generate an alert or execute a reaction when those IoAs are present. In one simple step, your security team can efficiently and effectively detect and remediate emerging threats.

Figure 3. Setting a trigger and specifying a reaction in McAfee Active Response.

Gartner recommends this type of EDR capability in its 2015 report, Best Practices for Detecting and Mitigating Advanced Persistent Threats: "… automatic responsive capabilities for threat detection events when using EDR solutions, such as 'kill process,' delete file, or clear memory, to avert data losses and disrupt an active 'kill chain.'"[5]

McAfee Active Response in the McAfee Architecture

The McAfee framework unifies and integrates multiple products, services, and partner solutions for centralized, efficient, and effective mitigation of security risk. It helps you respond more rapidly when ATAs threaten your environment. At the core of the integrated and unified McAfee architecture is the McAfee ePO management platform, which you use to deploy and manage McAfee Active Response. Since McAfee Active Response is so tightly integrated with the McAfee ePO management platform, it works seamlessly with other advanced McAfee technologies, including McAfee Threat Intelligence Exchange, McAfee Complete Endpoint Protection suites, and McAfee Enterprise Security Manager.

How it works

Once the McAfee Active Response client is installed on the endpoint, it integrates with the McAfee Agent and populates a file hash cache, a network flow cache, and a registry cache. These are instantly and continuously updated whenever there is any endpoint activity. The always-on collector captures the type of information specified by your instructions about the malicious files (even if they are dormant) or suspicious activity. This data is stored and indexed locally on the endpoint and then served up in the McAfee ePO software interface. There's no need for a separate data storage appliance or for cloud storage. Persistent collection runs low and slow, so there's never a spike in resource consumption on the endpoint. Users can continue their work uninterrupted.

If you receive an alert from a security product or want to hunt down a newly discovered threat that you just learned about through intelligence sharing, you can do a search, which works much like a Google search. When administrators initiate a search from the McAfee ePO management platform, the McAfee Active Response client examines the caches. Results are returned in just 10 to 20 seconds, giving you an accurate picture of the current state of your environment in real time.

Triggers and reactions then come into play. Triggers act like sentries, continuously monitoring endpoints for IoAs. If a particular IoA is present, the trigger activates and then automatically responds with a reaction, which you can customize according to your specific objectives. Typical reactions include sending an alert, deleting a bad file, killing a malicious process, or doing a more detailed forensic analysis.

McAfee Active Response in Action

There's nothing better than real-world use cases to drive home the importance of EDR. Here are some examples of how McAfee Active Response can help detect and respond to threats under different circumstances.

Undetonated "land mines"

As mentioned above, McAfee Active Response works in concert with McAfee Threat Intelligence Exchange, which enables sharing of relevant threat data in real time across security components in the McAfee architecture, enabling them to act as a unified, collaborative security infrastructure. McAfee Threat Intelligence Exchange helps you block unknown or emerging "gray" files that slip past antivirus programs. It offers better visibility and control over these types of files and pinpoints where the attempted or actual file execution takes place. McAfee Threat Intelligence Exchange then sends out the first alert on the McAfee Data Exchange Layer. From there, security teams can turn to McAfee Active Response to survey the environment for the file hash and determine whether dormant land mines have been planted elsewhere. All these activities are conducted swiftly and efficiently through the McAfee ePO management platform.

Malware hidden in documents

Increasingly, zero-day threats or code used to distribute malware is inserted into documents, such as .ZIP files, image files, .PDFs, Adobe Flash files, or .PNG files. These stealthy attacks are often undetectable by standard antivirus. You can use McAfee Active Response to perform a search for these types of files based on certain attributes. For example, let's say a suspicious document file shows up on your assistant's laptop. Your team can use McAfee Active Response to set a trigger, which will keep an eye out for this type of file on all the endpoints in your organization and then wipe it before it does any damage.

Learn More

Automated, adaptable, and continuous, McAfee Active Response is a critical part of an integrated approach to defeating the growing number and complexity of ATAs in today's threat landscape rapidly and successfully. To learn more about how McAfee Active Response complements the current McAfee portfolio, visit:

McAfee Active Response
McAfee ePolicy Orchestrator
McAfee Threat Intelligence Exchange
McAfee Complete Endpoint Protection suites

1. -AnnualReport-2014.pdf
2. ndpointdetection-response
3. 09-01.aspx
4. .
5. -mitigatingadvanced-persistent

2821 Mission College Boulevard, Santa Clara, CA 95054. 888 847 8766. www.mcafee.com

McAfee and the McAfee logo, ePolicy Orchestrator, and McAfee ePO are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. Copyright 2017 McAfee, LLC. 62064brf mar 1015. OCTOBER 2015
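The flow described under "How it works" (caches kept on each endpoint, an ad hoc search across them, and triggers that fire reactions when an IoA is present), together with the "land mines" use case of hunting one file hash across every endpoint, as an added Python example. This is illustrative code written for this page; it is not McAfee code and not the McAfee Active Response or McAfee ePO API. The Endpoint class stands in for the file hash and process caches only, the three endpoints, paths, payload bytes and resulting hash are constructed sample data, and the extension/magic-byte mismatch check is one attribute chosen here to illustrate a trigger for documents that carry executable content.

```python
"""Model of EDR collectors, ad hoc search, and trigger/reaction logic.
Added example for this page: not McAfee code and not the McAfee Active Response
or ePO API. Every endpoint, path, payload and hash below is constructed."""
import hashlib
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class Endpoint:
    """One monitored host; files and processes stand in for the per-endpoint
    file hash and process caches the brief describes."""
    name: str
    files: dict          # path -> file bytes, hashed on demand
    processes: dict      # pid -> image path
    actions: list = field(default_factory=list)   # reactions applied here

    def file_hashes(self):
        return {p: hashlib.sha256(b).hexdigest() for p, b in self.files.items()}

def search_hash(fleet, sha256):
    """Ad hoc hunt: (endpoint, path) for every cached file with this SHA-256."""
    return [(ep.name, p) for ep in fleet
            for p, h in ep.file_hashes().items() if h == sha256]

# IoA conditions: each returns the matching file paths on one endpoint.
def ioa_known_hash(bad_hashes):
    return lambda ep: [p for p, h in ep.file_hashes().items() if h in bad_hashes]

MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG", ".zip": b"PK\x03\x04"}

def ioa_type_mismatch(ep):
    """Document extension whose content lacks that format's magic bytes."""
    return [p for p, data in ep.files.items() for ext, magic in MAGIC.items()
            if p.lower().endswith(ext) and not data.startswith(magic)]

# Reactions: each acts on one endpoint, records what it did, returns a log line.
def _record(ep, msg):
    ep.actions.append(msg)
    return msg

def react_alert(ep, path):
    return _record(ep, f"ALERT {ep.name}: {path}")

def react_kill_process(ep, path):
    pids = [pid for pid, image in ep.processes.items() if image == path]
    for pid in pids:
        del ep.processes[pid]
    return _record(ep, f"KILL {ep.name}: {path} pids={pids}")

def react_delete_file(ep, path):
    ep.files.pop(path, None)
    return _record(ep, f"DELETE {ep.name}: {path}")

@dataclass
class Trigger:
    name: str
    condition: Callable   # Endpoint -> list of matching paths
    reactions: list       # applied in order to every match

def run_triggers(fleet, triggers):
    """One monitoring pass: evaluate every trigger on every endpoint and fire its
    reactions in order (kill before delete). Returns the log of actions taken."""
    log = []
    for ep in fleet:
        for trig in triggers:
            for path in trig.condition(ep):   # matches fixed before reacting
                for react in trig.reactions:
                    log.append(react(ep, path))
    return log

BAD = b"constructed stand-in for a malicious executable"   # constructed payload
BAD_HASH = hashlib.sha256(BAD).hexdigest()

def build_fleet():
    # Constructed: one clean host, one running the "land mine" and holding a
    # mislabelled document, one with a dormant copy of the same file.
    return [
        Endpoint("finance-01", {r"C:\Users\ann\Downloads\invoice.pdf": b"%PDF-1.7 ok"},
                 {412: r"C:\Windows\explorer.exe"}),
        Endpoint("assistant-laptop",
                 {r"C:\Users\bo\Downloads\report.pdf": b"MZ\x90\x00 not a pdf",
                  r"C:\Users\bo\AppData\Local\Temp\svc.exe": BAD},
                 {900: r"C:\Users\bo\AppData\Local\Temp\svc.exe"}),
        Endpoint("build-server", {"/opt/tools/agent.bin": BAD}, {}),
    ]

def demo():
    # Hunt for the hash after the first alert, then let triggers remediate fleet-wide.
    fleet = build_fleet()
    hunt = search_hash(fleet, BAD_HASH)
    triggers = [
        Trigger("known-bad-hash", ioa_known_hash({BAD_HASH}),
                [react_alert, react_kill_process, react_delete_file]),
        Trigger("document-type-mismatch", ioa_type_mismatch, [react_alert]),
    ]
    log = run_triggers(fleet, triggers)
    return hunt, log, search_hash(fleet, BAD_HASH)
```

Two details matter in practice. Reactions run in the order the trigger lists them, and deleting a file whose image is still executing leaves the process alive, so kill precedes delete. Each condition is evaluated once per endpoint before any reaction runs, so a reaction that removes a file cannot disturb the match list being iterated; demo() returns the hunt results before remediation, the action log, and the (empty) hunt results afterwards.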
