Kyle Taylor – Increasing Your Security Posture Using McAfee ePO
1. https://ae.linkedin.com/in/kyle-taylor-7325421a
2. DLP Initiatives:
◦ Block Bluetooth and USB Printers
◦ Block Wireless NICs and SD Cards
◦ Track File Names copied to External Media
◦ “Dirty Word” search on File copied to External Media
Application Whitelisting:
◦ Using Subject Distinguished Name to Simplify Exemptions
Future Projects:
◦ McAfee Threat Activity Tracer
◦ ePO Deep Command Discovery and Reporting (Free Tool)
◦ McAfee System Information Reporter
IA/CND Dashboards
3. Wireless – Block by Device Definition and Plug and Play Device Rule
◦ Device Class: Network Adapters
◦ Device Name: Allow Partial Match, using the strings Wireless, WiMax, WiFi, 802.11, Wlan
Bluetooth – Block by Plug and Play Rule – combine with an additional FireWire block
◦ Bus Type: Bluetooth
SD Cards – Block by Plug and Play Rule – this rule type also allows you to make them Read-Only
◦ Compatible ID: RIMMPTSKDisk_SD, SDCLASS_STORAGE, SCSIDisk
◦ These mount as “Devices” rather than as “Removable Storage”, which is why a Removable Storage rule alone does not catch them
USB Printers – Use Plug and Play Rule
◦ Use a Device Definition with USB Class: 07h
Prevent executables from running from removable media using the Removable Storage File Access rule – it blocks by extension: .exe, .msi, .bat, .zip
Create a Windows Portable Device Rule that looks for a Device Name containing “MTP” to catch iPods, phones, etc. that mount as an MTP device instead of as Removable Storage
KB73171 – MTP Devices: we mainly see MTP devices mounting as “Windows Portable Devices”
KB77769 – Managing Apple Products
KB81602 – Possibility of recording files being burned to CD/DVD – not tested.
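Before pushing the four device-control definitions above, it helps to see which devices on a reference machine each one would match. The script below is an added example, not something from the presentation or from McAfee; it uses the built-in PnpDevice module (Windows 8 / Server 2012 and later, run as administrator) and the match strings shown on the slide. The Bluetooth test on instance-ID prefixes and the SD Compatible ID substring match are my assumptions about how those devices enumerate; confirm them against DLP's own device list before relying on them.

```powershell
# Added example (not from the presentation): preview which present devices the
# slide's four DLP device-control definitions would match, so the rules can be
# checked on a reference machine before they are assigned.

$wirelessNames = 'Wireless', 'WiMax', 'WiFi', '802.11', 'Wlan'      # Device Name partial matches (slide)
$sdCompatIds   = 'RIMMPTSKDisk_SD', 'SDCLASS_STORAGE', 'SCSIDisk'    # SD card Compatible IDs (slide)
$usbPrinter    = 'USB\Class_07'                                      # USB base class 07h = printer

function Get-DevicePropertyValue {
    # Returns the requested PnP property's data, or $null if the device lacks it.
    param([string]$InstanceId, [string]$KeyName)
    try {
        (Get-PnpDeviceProperty -InstanceId $InstanceId -KeyName $KeyName -ErrorAction Stop).Data
    } catch { $null }
}

$report = foreach ($dev in Get-PnpDevice -PresentOnly) {
    $compat = @(Get-DevicePropertyValue $dev.InstanceId 'DEVPKEY_Device_CompatibleIds')
    $name   = [string]$dev.FriendlyName
    $rule   = $null

    if ($dev.Class -eq 'Net' -and ($wirelessNames | Where-Object { $name -like "*$_*" })) {
        $rule = 'Wireless NIC (Device Class: Network Adapters, Device Name partial match)'
    } elseif ($dev.Class -eq 'Bluetooth' -or $dev.InstanceId -like 'BTH*') {
        # Assumption: Bluetooth-enumerated devices carry BTH\, BTHENUM\ or BTHLE\ instance IDs;
        # the radio itself usually sits on USB and shows up only through its device class.
        $rule = 'Bluetooth (Bus Type: Bluetooth)'
    } elseif ($compat | Where-Object { $c = $_; $sdCompatIds | Where-Object { $c -like "*$_*" } }) {
        $rule = 'SD card (Compatible ID)'
    } elseif ($compat -contains $usbPrinter) {
        $rule = 'USB printer (USB Class 07h)'
    }

    if ($rule) {
        [pscustomobject]@{
            Rule          = $rule
            Name          = $name
            Class         = $dev.Class
            InstanceId    = $dev.InstanceId
            CompatibleIds = ($compat -join ';')
        }
    }
}

$report | Sort-Object Rule, Name | Format-Table -AutoSize
```

A device that you expected to be blocked but that does not appear in the output is the case to investigate: it is either enumerating under a different Compatible ID (SD readers behind a USB bridge show up as USBSTOR, not as the IDs above) or, as with MTP phones, mounting as a Windows Portable Device and needing the separate rule the slide describes.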
5. Track files copied to external media
1. In the DLP Console, turn on “Hit Highlighting”
2. Set up a “Removable Media Protection Rule” and call it something like “Track Files Copied to Removable Media”
3. Assign it to all your exempted users, but set it to “Monitor Only”
NOTE: It does not track files burned to CD/DVD…
… however, you can track the amount of data burned per hour, day, month, etc.
8. Checks files being copied to Removable Media and searches within them for text patterns
Only works on files being copied OFF to removable media
Create a new Text Pattern definition for “NOFORN”, “FVEY”, ”SECRET//”, etc. called Classification Markings, then a Category called “Category – Classified Markings” for matches to go into, as well as a Tag named similarly – I know…a ton of steps.
Apply this text pattern definition to the Content Tagging Rule called “Possible Classified Document” and tell it to put matches into the Category “Category – Classified Markings”
Create a “Removable Storage Protection Rule” looking for the category “Category – Classified Markings” and apply it to all USB and SD exempted users.
12. Enable Signatures 6010 (Generic Application Hooking Protection) & 6011 (Generic Application Invocation Protection)
Use the Subject Distinguished Name of the code signer to reduce overall total events. Because the exception keys on the signer rather than on a path, it covers every binary that vendor signs, but nothing that merely sits in the vendor's folder.
◦ We reduced events from 45,000 to 1,000 per day only using around 50 exceptions
Add all the Signatures into a Single Exception
◦ Adobe, Microsoft (about 10 different sigs), VMware, Symantec, etc.
Example: “C=US, S=WASHINGTON, L=REDMOND, O=MICROSOFT CORPORATION, CN=MICROSOFT WINDOWS”
The Layered/Effective Policy approach, applied at each level using this hierarchy, is recommended.
[Assign a policy for each level with exceptions in each as required.]
Learn to use ClientControl.exe for additional assistance and troubleshooting
◦ e.g. clientcontrol.exe /exportconfig c:\Windows\HIPSEXPORT.txt 5
◦ clientcontrol.exe /log <HIPSPASSWORD> 0 4 … creates files in the C:\Users\All Users\McAfee\Host Intrusion Prevention folder
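The slow part of the two months of tuning is working out which signer DN to put in each exception. The script below is an added example (mine, not from the presentation or from McAfee) that takes the process paths from a batch of HIPS 6010/6011 events, reads each binary's Authenticode signer, rewrites the subject into the C=US-first form the slide's example uses, and counts how many events each signer accounts for. The sample paths are an assumed input; in practice export them from an ePO query on the HIPS events.

```powershell
# Added example (not from the presentation): rank code-signer Subject DNs by how
# many HIPS events they cover, to pick the handful of signer exceptions that
# remove most of the noise.

function Convert-ToHipsSubjectDN {
    # .NET prints a subject most-specific-first (CN=..., O=..., ..., C=US); the
    # slide's exception example lists C=US first and is upper case. Reverse the
    # RDN order and uppercase. Splits only on commas outside double quotes, so a
    # value such as O="Company, Inc." survives intact.
    param([Parameter(Mandatory)][string]$Subject)
    $rdns = @([regex]::Split($Subject, ',(?=(?:[^"]*"[^"]*")*[^"]*$)') | ForEach-Object { $_.Trim() })
    [array]::Reverse($rdns)
    ($rdns -join ', ').ToUpperInvariant()
}

function Get-SignerDNReport {
    param([Parameter(Mandatory)][string[]]$EventPaths)

    $EventPaths |
        Where-Object { Test-Path -LiteralPath $_ } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_
            [pscustomobject]@{
                Path     = $_
                Status   = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
                SignerDN = $(if ($sig.SignerCertificate) {
                                Convert-ToHipsSubjectDN $sig.SignerCertificate.Subject
                            } else { '(unsigned)' })
            }
        } |
        Group-Object SignerDN |
        Sort-Object Count -Descending |
        Select-Object Count,
                      @{ n = 'SignerDN';  e = { $_.Name } },
                      @{ n = 'AllValid';  e = { ($_.Group | Where-Object Status -eq 'Valid').Count -eq $_.Count } }
}

# Assumed sample input: process paths as they would appear in HIPS 6010/6011 events.
$eventPaths = @(
    "$env:windir\explorer.exe",
    "$env:windir\System32\svchost.exe",
    "$env:windir\System32\notepad.exe"
)
Get-SignerDNReport -EventPaths $eventPaths | Format-Table -AutoSize
```

Only rows with AllValid set to true are candidates for an exception. A binary whose signature status is HashMismatch or NotSigned is exactly the case the signatures exist to catch, and a signer DN copied from such a file would exempt whatever replaced the original.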
15. McAfee Threat Activity Tracer – records the remote IP that triggered any events using HIPS and VSE
◦ In the McAfee Tool Exchange
McAfee System Information Reporter
◦ Free from McAfee Platinum Support
◦ Checks for Files and enforces a version
◦ Checks and enforces registry keys
◦ Enumerates Software, Hotfixes, Services, Shares
◦ Possible CMI Mitigation
ePO Deep Command Discovery and Reporting Tool
◦ Free from McAfee – plugin and extension
◦ Hardware Enumeration and Serial Number Tracking
◦ Nice addition for Inventory or Logistics Personnel, also Tech Refreshes
◦ Also Wireless NIC status, BIOS version, System Model and Manufacturer, Last Reboot…etc
◦ Alternatively, use the SystemInfo Tool from McAfee Tool Exchange to write the serial number to
one of the Custom Properties Fields
17. McAfee System Information Reporter
• Checks computers for specific files or registry keys and enforces versions
• Checks for shares and USB devices
• Installed hotfixes, software, patches, services
19. Dashboards and Automated Emails are good ways to keep Incident Response informed
These do require training and a lot of policy tuning to make them usable to IA/CND
Track HIPS, VSE, DLP, and maybe ABM and Rogues
HIPS and VSE are where you are most likely to catch zero-days or APTs
Over 70% of our Remedy tickets for IA/CND come from McAfee
24. Note: I will try to make the policies and dashboards available through the hosts of this symposium.
McAfee Threat Activity Tracer - https://community.mcafee.com/docs/DOC-4231
ePO Deep Command Discovery and Reporting:
-Product Guide: https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/25000/PD25071/en_US/edc_210_pg_0-00_en-us.pdf
-McAfee Community: https://community.mcafee.com/blogs/deepakkolingivadi/2014/03/20/deep-command-quick-start-guide-updated-for-21
McAfee System Information Reporter:
-KB: https://kc.mcafee.com/corporate/index?page=content&id=KB67830
-User Guide: https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/22000/PD22755/en_US/SIR_User_guide.pdf
Speaker notes
This is a bit detailed so please stop me if you have any questions.
Slides edited by Susan Poston
Quick poll of the audience…. This is really going to increase the security posture of your network and find gaps in your baselining processes. Unless DLP is added to your computer image, you should also deploy GPOs to block USB and SD storage right off the bat until DLP can be pushed to these computers.
Set the Device Class to Network Cards and then fill in the strings listed in the “Device Name” field.
Quick poll of the audience…. This tracks the file names being copied off to external media, and, if you set up the “Evidence Folder”, you will have a local or networked repository of the files that were copied to USB and SD.
You can then generate this graph, showing the amount transferred per user per day, week, or month. There is an OPORD or TASKORD out there requiring monitoring of data transfers.
Quick poll of the audience…. Note, this is a long, drawn-out process, and confusing.
Create a new Text Pattern containing the classification markings and then a new Content Category for these to go into.
Create a new Content Classification Rule and point it to the Text Pattern you created for Classification Markings. There are others here like SSNs, IP addresses, credit card numbers, etc.
Finally, create a Removable Storage Protection Rule and use the Content Classification Rule you created.
NOTE: I have not been able to find an entity to throw zero-days or malware at these, so they are untested, but it’s a lot faster and easier to implement than the NSA Whitelisting Tool and we are not exempting entire folders.
Quick poll of the audience…. This took me about 2 months to tune, and a lot of it was spent waiting for the policies to propagate out and then troubleshooting and tuning.
This was done on a very small network of just 200 computers, but these policies should give you about a 98% decrease from the initial configuration.
The big bonus here is that these should stop zero-days in their tracks and enforce a fairly strict baseline on your servers, and it's very easy to expand out down to the desktop.
These starter policies should get you about 95% of the way there.
These are tools I am hoping to implement in my AOR when I can get some face time. If anyone has done any of these, please let me know. I want to know if they are easy to set up and, more importantly, whether they are worth it. I am hoping we can expand HBSS functionality so that it becomes a lot more than just a security tool, but rather a force multiplier for Network Admins, Change Management, and Sysops.