The Need for Efficiency
Security Connected
James Sanderhoff, SE East, James.Sanderhoff@intel.com

We need to make security efficient. It gives your team time back in their day and makes security more effective. Gain alignment with your business: reduce the time you spend on security. The outcome is a higher security posture and lower TCO.
A Nasty Math Problem
Security challenges: 469,000 unique malware samples discovered weekly; 83% of organizations hit by Advanced Persistent Threats; flat to down IT/IS budgets; flat number of trained practitioners.
Connected assets in the environment: servers, PCs, laptops, email, databases, USB, smart phones, routing/switching, cloud, virtual environments, SAN, VoIP, tablets, embedded devices, wireless, apps.
Pressures: decreased/flat budgets; limited or untrained resources; changing business demands; unplanned compliance and reporting requirements.
12.5 billion connected devices today; 25 billion connected devices by 2015; 50 billion connected devices by 2020.

We are not getting the funding we ask for ("I need 5 million. Here is 1.4, make it work"). Do you have the human capital you need? The hiring pool is shallow; we're not getting the talent we need or want. Business priorities change constantly. We spend way too much time on compliance efforts because of the cost, and it has NOTHING to do with security. Customers control two things: the methods they employ and the efficiency of their labor hours. Reduce the noise to focus on the important things, like your business. The problem will have an impact on your environment. What if I could help you with the math? Do you feel like you have too many vendors?
Source: Cisco IBSG IoE Report
Firm or Fixed Function Devices and IoT
An onslaught of uncounted devices

What do you think about when we say connected devices? Give me examples. Refrigerator story; Google car story. Bad security efficiency.
Advanced Targeted Attacks: the reality
[Chart: advanced targeted attacks, time from compromise to discovery and time from discovery to containment, bucketed into minutes, hours, days, weeks, months and years]
$8,769 / incident; $3,840,988 / year; 1.2 incidents / day; 660 customers; 200 nodes to 200,000 nodes.

Average time to discover: 80% is weeks, months or years. That is proof that efficiency is lacking. Discovery to containment: 79% is days, weeks or months. You don't have a bad team, you have an inefficient team. The Verizon 2013 Data Breach Investigations Report is the evidence to management that efficiency is lacking.
Sources: Verizon 2013 Data Breach Investigations Report; Securosis Malware Analysis Quant Metrics Model.
Fragmented Security Industry
Decreased integration and automation opportunities: Endpoint Protection, Firewall, Gateway Security, Network IPS, Compliance, Data Protection, Mobility, SIEM.

This is our fault. We are part of the problem. As security practitioners, we have done exactly what the industry taught us to do: have a problem? Buy a product, and so on, and so on, and so on. We created chaos, a lack of security, an increase in TCO, and inefficiency. We can help you solve security issues and NOT diminish your efficiency in labor, operations and time!
History of Defining Architecture
Intel: inventor of the world's most widely used computing architecture; defining countless standards used in everyday life, ranging from USB and WiFi to IoT; one of the top 10 most influential brands in the world.
McAfee: largest dedicated security provider; broadest security product coverage in the industry; complete portfolio focused on security; leadership position in 6 of 8 Gartner Security Magic Quadrants.
Delivering a next generation security architecture: defining innovative industry approaches for collaborative and adaptive security; introducing security integrations which are sustainable and broadly reaching; developing capabilities for new security paradigms in areas such as Software Defined Datacenter, Cloud, and IoT.

As we look at our own evolution, it is important to understand where we come from and where we are going. Intel has a history of defining architectures and invented the most widely used architecture on the planet, one that is part of everyday computing around the world. Further, Intel has defined countless standards over the years by creating things such as USB and WiFi. These types of standards don't happen overnight; they happen by being willing to invest in a vision and fund that vision out of long-term belief in the impact it can have. Areas such as the Internet of Things (IoT) are emerging areas where Intel will continue to define key areas of computing evolution. Intel is one of the most highly regarded and influential brands in the world. Such global trust and brand recognition allows Intel to rally others to support a given technological cause and ultimately help gain adoption of key capabilities. At McAfee, for years we have been the world's largest dedicated security provider. Since the inception of the company, our entire mission has been to secure the resources of the customers who place their trust in our brand. We have no distractions; security is our focus.
Our leadership position is unquestionable as well. We are highly recognized by many key industry outsiders for our leadership in the security industry. This leads us to the creation of "Intel Security": the coming together of Intel's history of defining architectures and McAfee's security leadership to define a next generation of security. Our mission at Intel Security is to define the next generation of security architecture, where we will: Define what adaptive and collaborative security means. Our mission is to move security beyond the siloed approaches of the past and develop a platform that allows an organization's security posture to adapt as the threat landscape changes. Further, we must build integrations that are sustainable. This means building an infrastructure where integrations are simpler, repeatable, and do not easily break due to changes or other effects in an environment. Lastly, we will innovate in key new technology arenas such as Software Defined Datacenter, Cloud, and Internet of Things.
McAfee Security Connected Evolution: Achieving a Connected Ecosystem
Step 1, Consolidating Architectures. Challenge: operational complexity, console sprawl. Need: easier deployment, broader adoption. Deliverables: console consolidation, fewer agents. Value: easier policy management, reduced computing resources.
Products in the ecosystem: Mail Gateway, Intrusion Prevention, Web Gateway, DLP, Firewall, Advanced Malware, Compliance, SIEM, Endpoint.

As we look at the evolution McAfee has taken to reach a connected architecture, it required a number of steps. The first step was creating consolidated architectures. Historically, organizations have faced challenges with the complexity of their security operations. The continuous addition of new security technologies has resulted in complexity that limits the effectiveness of the team operating the environment. The result is countless consoles and management environments that make it impossible for a security staff to keep up. The need is for operational simplicity: environments and models that are easier to adopt and easier to deploy. At McAfee we recognized this challenge many years ago and delivered on a few key promises to make this a reality, such as consolidating consoles into a single endpoint management environment around ePO and reducing the agent footprint on hosts. The resulting value received by customers was immense, providing easier policy management for administrative staff. Changes could be made in a single place, easily allowing a small number of individuals to manage massive environments. And the reduction of agents created a model that was easier to deploy and a much lighter footprint on the hosts in the environment.
McAfee Security Connected Evolution: Achieving a Connected Ecosystem
Step 2, Achieving Return on Investment. Challenge: reduced budgets, greater operational expense, reduced staffing. Need: self provisioning, reduced infrastructure overhead. Deliverables: virtual / cloud security, fewer appliances, reduced vendor footprint. Value: significantly reduced TCO, simplified operational experience.

Our next mission was to deliver ROI to our customers in their security operations. The challenges our customers face with reduced budgets and staffing in the face of increasing operational expenses mean that customers need operations that are more sustainable from a cost standpoint. To this end, customers needed more automation and an environment with fewer moving parts, making it easier to maintain. The result was delivering security technologies that could operate and deliver differentiating capability in a number of cloud-oriented models, such as Security-SaaS, MSSPs, and public/private clouds; reduction of the appliance footprint by meeting higher performance needs in single appliances and by providing virtualized appliances that could operate in public/private cloud environments; and, most importantly, the reduced vendor footprint that has been so costly over the years. Vendor management is costly since it requires licensing engagement, legal agreements, time with vendors, and even simple relationship management. Our ability to deliver strong differentiating technologies across the security landscape while reducing the management overhead has allowed countless organizations to reduce their vendor footprint substantially with McAfee.
The resulting value is simple: reduced TCO for security and a significantly simplified operational environment for the customer.
McAfee Security Connected Evolution: Achieving a Connected Ecosystem
Step 3, Connected Services Framework. Challenge: siloed technology failures, complex attacks. Need: coordinated response, adaptive security environment. Deliverables: data exchange framework, standardized integration model. Value: sustainable integrations, adaptive protection models.

This moves us to where we are today in delivering a Connected Services Framework. Organizations are facing increased sophistication on the attack landscape, which is resulting in simple failures on a daily basis. The organization needs to see improvement from every interaction that a technology has with an adversary. If AV stops something, that needs to be part of a coordinated response that shares what it learned with other parts of the environment, delivering security that adapts as threats are seen. We are delivering a connected services environment by developing a common data exchange. In order to be a common exchange, we are further standardizing the model so that all of our technologies can participate. Simply allowing a security technology to publish or subscribe to information on the wire lets the organization's controls integrate effectively without the traditional issues of integration complexity. The resulting value is something that is sustainable: integrations become less fragile, are repeatable, and are much simpler to accomplish.
Most importantly, when integrations occur, security technologies can share the context of what they are seeing and deliver a model that allows security to adapt as the landscape changes, versus the stagnant environments that are so dependent on vendor intelligence today.
McAfee Security Connected Evolution: Debunking Common Obstacles
A connected services architecture is not: a single vendor solution; a monolithic architecture; the continuous addition of new technologies; a new environment requiring more resources to maintain; a massive rip/replace of security infrastructure.

It is important to point out a few things that are commonly misconstrued about a connected environment. First, it is not a single vendor solution. In order to create a connected environment, it should be composed of many of the deliverables previously mentioned; however, it can and should be inclusive of many facets that may involve a number of vendor solutions. It is not monolithic. While composed of many different pieces, it should be flexible and adaptable. It is not continuously adding new technologies. In order to sustain security, you should not have to continuously add the latest shiny toy. Rather, you should evaluate the need based on its ability to operate and effectively improve the entire environment. It should not require additional resources to maintain. In fact, it's the opposite: you should be able to manage security more efficiently and effectively in a connected services environment. Lastly, it does not require a massive rip and replace. You should be able to take small areas of the environment and adopt connected capabilities to achieve many of the previously stated benefits. As technologies evolve, you can then decide whether the vendor of choice is adequately able to evolve into a functional piece of the connected services environment.
McAfee ePO Server: Continuously Monitoring
Security Connected: getting more measurable results per labor hour. Capabilities delivered by a single host agent and console:
Continuous Diagnostics and Mitigation
Dynamic whitelisting
Real-time file and directory level change control
Rootkit, BIOS, device driver, hypervisor and MBR change detection/prevention
Processor-enabled KVM without a KVM switch
USB, Bluetooth, Ethernet, Infrared and other device control
Data Leakage Prevention
Processor-accelerated encryption (system and file/folder)
Host Intrusion Prevention
Anti-Virus
Auditing and compliance reporting
Systems management
FIPS and Common Criteria certification
Section 508 compliance
McAfee ePO Server continuously monitoring over 7M USG and DIB endpoints today.

We recognized that issue years ago and have been evolving the connected strategy. Case in point: endpoint integration. HIGH efficiency, SINGLE AGENT, SINGLE CONSOLE.
The Power of Optimization: reduced effort, increased security posture
Real-life efficiency use case. Workflow steps: review centralized security dashboard; discover active botnet traffic; identify impacted user/host; verify host security configuration; review host security events; review host vulnerability assessment; investigate host network events; block identified attacker from network.

                     Non-optimized environment   Optimized environment
Consoles required    7 consoles                  1 console
Resources required   4 resources                 1 resource
Time required        7.5 hrs                     36 mins
Effectiveness        Low/Moderate                High
The Data Exchange Layer
The new information-sharing ecosystem
An innovative, real-time, bi-directional communications fabric providing product integration simplicity. Security components operate as one to immediately share relevant data among endpoint, gateway, and other security products, enabling security intelligence and adaptive security. Information shared over the fabric: BPM, asset, identity, risk, threat, activity, location and data. The data exchange layer is analogous to the nervous system, dedicated to time-sensitive communication and operating alongside the arteries.
The Security Connected Framework: Adaptive Security Architecture
McAfee Data Exchange Layer: the new information-sharing ecosystem
Real-time messaging, common content, adaptive workflows.
Fabric: real-time messaging infrastructure for security products.
Data: provides enterprise security state and context, including information about devices, users, location, reputation, and more.
Clients: security products that use the data exchange layer to publish or consume information.
McAfee Threat Intelligence Exchange
TIE is the first solution leveraging the DXL technology. Stress this point in the talking points.
Global Threat Intelligence: utilizing Intel Security's global footprint to your organizational advantage
Sources feeding GTI: Network IPS, Firewall, Web Gateway, Mail Gateway, Host AV, Host IPS, public records, geo-location feeds. Volumes: 55B IP reputation queries/mo.; 8B web reputation queries/mo.; 260M message reputation queries/mo.; 2B malware reputation queries/mo.

Telemetry of data points and time is second to none. We solved an efficiency issue; this is the #2 reason Intel acquired us. Endpoint integration was step 1. All technologies integrate today, but this is evolving fast too.
Collective Threat Intelligence: apply the power of knowledge
Global Threat Intelligence: McAfee Global Threat Intelligence, third-party feeds, other data sources, and future sources.
Organizational Intelligence: administrator, organizational knowledge.
McAfee Threat Intelligence Exchange Server: assemble, override, augment, and tune the intelligence source information.
Local Threat Intelligence: McAfee Web Gateway, Email Gateway, Network Security Platform, Advanced Threat Defense, Next Generation Firewall, Endpoint Agent.

This is just one example of how Security Connected affects the cloud.
Actionable Security Decisions
Local context; execute; prevent and remediate; tunable policy; classification decision; prevent and quarantine; personalized threat intelligence; submit to application sandboxing; variable degrees of risk tolerance.

A component of McAfee Threat Intelligence Exchange provides innovative endpoint prevention through the TIE module that plugs into VirusScan Enterprise (VSE). This module is an update to the existing VirusScan Enterprise deployment that makes accurate file execution decisions, using configurable rules, leveraging the combined intelligence coming from local endpoint context (file, process and environmental attributes) and the currently available collective threat intelligence (e.g. organizational prevalence, age, reputation, etc.). Endpoint protection is now optimized, executing security actions with access to the richest intelligence detail for protection and detection decisions.

How is the information stored and maintained by the McAfee TIE Server used by endpoints?
When a file is to be executed on an endpoint (using the VSE TIE Module) for the first time, the endpoint queries the TIE Server for the stored collective intelligence about this file.
Once received, the VSE TIE Module takes that information together with the locally observed context (file, process and environmental attributes) and funnels it through its rules and policy engine.
The role of the rules and policy engine is to make a classification decision about the file, which in turn maps to an action:
If a file is classified as clean, it will be executed.
If a file is classified as black, its execution will be prevented. It may be either erased (remediation) or quarantined.
If a file's classification is undetermined and ATD is present, the file will be submitted to ATD for classification.
The rules and policy engine is configurable.
Three levels of configuration are supported with the first product release:
High: fits environments that rarely change and that should be highly trusted (e.g. servers).
Medium: COE machines.
Low: developer machines.
Customization based on an organization's level of risk tolerance at the endpoint gives administrators the flexibility to set execution conditions driven by their requirements. This can be as rigid as adhering to a zero tolerance policy for unknown or 'gray' files, setting rules that no file is accessed unless it has a known and acceptable reputation. The ability to tune the rules and policy engine allows McAfee to meet the needs of different operational environments.
The Role of Threat Intelligence Exchange: it's not always black and white. There are some shades of grey.
Metadata sources:
System properties. Example: run from recycle bin.
Reputations. Example: McAfee Global Threat Intelligence, McAfee Advanced Threat Defense, administrator overrides.
Enterprise-wide properties. Example: new in environment? Prevalent?
On execution, McAfee Threat Intelligence Exchange rules apply this metadata to a set of conditions that indicate risky behavior: loads as a service, file is new, low prevalence, packed suspiciously, runs from recycle bin, revoked certificate.
Threat Intelligence Exchange: Adapt and Immunize, from encounter to containment in milliseconds
Components shown: McAfee Global Threat Intelligence, McAfee TIE Endpoint Module (VirusScan Enterprise Threat Intelligence Module), ePO, ATD, McAfee TIE Server, 3rd-party feeds, Data Exchange Layer. Example file attributes: file age hidden, signed with a revoked certificate, created by an untrusted process. Decision: YES / NO.

To illustrate the Adaptive Security Model in action, we'll walk through how McAfee is bringing the concepts of the key pillars to market to proactively prevent advanced targeted attacks. In this example, let's assume a spearphishing attack has been created to target an executive user. As this executive opens an email on their endpoint, a zero-day payload attempts to run. [Build 1] Being a true zero-day attack, this payload is a file that VSE has never seen before and is not part of our DAT file. The file information is sent to the TIE server to determine if it is a known file. In this case, it has determined that it is an unknown file and does not have a reputation for it. The query is performed over the data exchange layer and includes the file, process and environmental attributes recorded by the endpoint with regard to this file. [Build 2] From this point, the TIE server will check McAfee Global Threat Intelligence in the cloud for a reputation. It will then send the results of this lookup back to the endpoint. [Build 3] At this point, there are some options set per policy: 1. allow the file to execute; 2. prevent it from executing and quarantine it; 3. prevent execution because it is a known bad file; 4. or, if it doesn't know the reputation, send it to McAfee Advanced Threat Defense (ATD) for further analysis. [Build 4] to next slide.
Instant Protection Across the Enterprise: gateways block access based on endpoint convictions
Components shown: McAfee NGFW, McAfee NSP, McAfee Web Gateway, McAfee Email Gateway, McAfee ESM, McAfee Global Threat Intelligence, McAfee TIE Endpoint Module (VirusScan Enterprise Threat Intelligence Module), ePO, ATD, McAfee TIE Server, 3rd-party feeds, Data Exchange Layer. Proactively and efficiently protect your organization as soon as a threat is revealed. Security components operate as one to immediately share relevant data between endpoint, gateway, and other security products.

[Build 1] The suspect file is sent to ATD for an in-depth sandboxing analysis, and it is determined that it is indeed malicious. Once the classification is determined, ATD publishes the new reputation information for our zero-day spearphishing payload using the collaborative DXL fabric. Endpoints, gateways and other security components consume this classification change instantaneously and automatically update themselves to protect against any future encounter. Endpoints in the environment now immunize themselves automatically, without requiring a traditional DAT file update. Not only will they prevent any future encounters of the payload on endpoints which had not yet observed this file; they will also contain and remediate any existing instances of the payload on endpoints which had previously been infected.
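As an added illustration (not McAfee's code; every class, name, topic string and threshold here is a constructed stand-in), the following Python models the flow described in the Actionable Security Decisions section and in the two walkthroughs above: an endpoint queries the server for collective intelligence, combines it with local context under one of the three tolerance levels, holds a grey file for sandbox analysis, and the sandbox verdict published over a pub/sub fabric blocks the file on endpoints that never saw it and remediates it where it already ran.

```python
# Added example, not McAfee code: a simplified model of the TIE execution decision and of an
# ATD verdict propagating over a DXL-style publish/subscribe fabric. All names are constructed.
from dataclasses import dataclass

CLEAN, BLACK, UNKNOWN = "clean", "black", "unknown"
# Tolerance levels: how many risk indicators an unknown (grey) file may carry and still run
# (high = servers, medium = COE machines, low = developer machines).
TOLERANCE = {"high": 0, "medium": 2, "low": 4}
LOCAL_FLAGS = ("revoked certificate", "loads as service", "runs from recycle bin", "packed suspiciously")

@dataclass
class FileContext:
    sha256: str
    flags: frozenset = frozenset()      # locally observed file/process/environment indicators

class TieServer:   # collective intelligence: overrides and sandbox verdicts plus enterprise prevalence/age
    def __init__(self, gti_lookup):     # gti_lookup stands in for the cloud reputation query
        self.reputations, self.prevalence, self.first_seen, self.gti = {}, {}, {}, gti_lookup

    def query(self, sha, now):
        self.prevalence[sha] = self.prevalence.get(sha, 0) + 1
        self.first_seen.setdefault(sha, now)
        return {"reputation": self.reputations.get(sha) or self.gti(sha),
                "prevalence": self.prevalence[sha], "age_days": now - self.first_seen[sha]}

def risk_indicators(ctx, intel):
    # Conditions from the 'shades of grey' slide: local flags plus enterprise-wide age and prevalence.
    enterprise = [(intel["age_days"] < 1, "file is new"), (intel["prevalence"] < 3, "low prevalence")]
    return [f for f in LOCAL_FLAGS if f in ctx.flags] + [name for hit, name in enterprise if hit]

def decide(ctx, intel, level):   # map reputation plus local context to an action under a tolerance level
    if intel["reputation"] != UNKNOWN:                # a known reputation decides outright
        return "block" if intel["reputation"] == BLACK else "allow"
    if len(risk_indicators(ctx, intel)) > TOLERANCE[level]:
        return "quarantine_and_submit"                # grey file: hold it and send it to the sandbox
    return "allow"

class Endpoint:
    def __init__(self, tie, fabric, level):
        self.tie, self.level, self.executed, self.remediated = tie, level, set(), set()
        fabric.append(self.on_message)                # subscribe to the fabric

    def on_message(self, topic, msg):
        # A conviction arriving over the fabric contains an instance that already ran here.
        if topic == "reputation/change" and msg["reputation"] == BLACK and msg["sha256"] in self.executed:
            self.executed.discard(msg["sha256"])
            self.remediated.add(msg["sha256"])

    def run(self, ctx, now):
        action = decide(ctx, self.tie.query(ctx.sha256, now), self.level)
        if action == "allow":
            self.executed.add(ctx.sha256)
        return action

def atd_publish(tie, fabric, sha, verdict):
    # Sandbox verdict recorded at the server and pushed to every subscriber on the fabric at once.
    tie.reputations[sha] = verdict
    for callback in fabric:
        callback("reputation/change", {"sha256": sha, "reputation": verdict})

def simulate():
    # Constructed scenario: one unknown payload seen on three differently tuned endpoints.
    tie, fabric = TieServer(lambda sha: UNKNOWN), []  # GTI has never seen this file; empty fabric
    dev = Endpoint(tie, fabric, "low")
    payload = FileContext("00" * 32, frozenset({"revoked certificate", "packed suspiciously"}))
    a_dev = dev.run(payload, now=10)                              # 4 indicators, low tolerance: runs
    a_srv = Endpoint(tie, fabric, "high").run(payload, now=10)    # on a server: held and submitted
    atd_publish(tie, fabric, payload.sha256, BLACK)               # sandbox convicts it
    a_hr = Endpoint(tie, fabric, "medium").run(payload, now=11)   # never saw it before: blocked
    return {"dev": a_dev, "srv": a_srv, "hr": a_hr, "dev_remediated": payload.sha256 in dev.remediated}
```

Calling simulate() shows the same grey file allowed on the developer laptop, held on the server, and then blocked or remediated everywhere once the single published conviction reaches the fabric's subscribers.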