McAfee has enhanced its business security platform by adding near-real-time querying to its ePolicy Orchestrator software and by integrating it with its security information and event management (SIEM) product, so that the SIEM can automatically initiate endpoint security policy changes.
The ePolicy Orchestrator, or ePO, software is the core of McAfee’s Security Connected framework and strategy, which aims to have all the security products used in a business environment working together and sharing information. In practice it is a central security management console: businesses use it to gather data from endpoint systems, update and deploy configurations, set endpoint and network security policies, and interact with other security products from McAfee and from the vendors in the McAfee Security Innovation Alliance.
Managing hundreds of thousands of endpoint systems in an enterprise environment is no small feat. To cut the time that takes, McAfee released McAfee Real Time for ePO, which reduces query times to seconds and lets businesses pull information from the products installed on endpoints and investigate possible security events much faster than before.
According to Gretchen Hellman, McAfee’s director of product marketing for SIEM, “For example, if I want to know if all files are up to date on endpoint systems or some information about registry, I can get that in seconds with Real Time for ePO and with very light load on the network at the same time. That’s thanks to a new communication mechanism that uses a chaining query method where instead of querying each endpoint individually, the server sends out a single request that gets passed around in a peer-to-peer fashion.”
Hellman noted that the performance gain varies with the network environment: on smaller networks, operations like these run roughly ten times faster, while on very large networks the speedup can reach 1,000 times.
The second platform enhancement McAfee announced is the integration of its SIEM product, McAfee Enterprise Security Manager, with ePO, McAfee Vulnerability Manager and the McAfee Network Security Platform. The SIEM already consumed McAfee’s Global Threat Intelligence feed; the integration lets it correlate that feed with the log and event data collected from endpoints and alert the administrator when an endpoint communicates with a host the feed flags as a potential bad actor.
According to Hellman, the SIEM enhancements also let the product take action automatically based on predefined rules. If the SIEM sees a potential interaction with a bad actor, it can initiate a scan on the affected endpoint to check whether malware is running on it. It can also instruct the McAfee Network Security Platform to block the suspicious communication immediately, or tell ePO to change policy and tag the system for further investigation.
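To make the "intelligence to action" workflow concrete, here is a toy correlation engine written for this article; it is an added example, not McAfee code, and it does not call any ePO, SIEM or Network Security Platform API. It matches constructed firewall log lines against a constructed threat-intelligence list, deduplicates per endpoint/indicator pair, escalates a medium-confidence indicator when one endpoint hits it repeatedly, and emits the response actions the article describes (scan the endpoint, block at the network layer, tag the host). The log format, indicator list, severities, playbook names and the escalation threshold are all assumptions.

```python
"""Toy SIEM correlation and automated response (added example, not McAfee code)."""
from dataclasses import dataclass, field
import re

# Assumed firewall log format: "<ts> fw src=<ip> dst=<ip> dport=<n> action=allow|deny"
LOG_RE = re.compile(
    r"(?P<ts>\S+) fw src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>allow|deny)$"
)

# Constructed stand-in for a reputation feed: indicator -> confidence.
BAD_ACTORS = {
    "203.0.113.45": "high",
    "198.51.100.7": "medium",
}

# Assumed playbooks keyed by indicator severity (hypothetical action names).
PLAYBOOK = {
    "high": ["scan_endpoint", "block_at_nsp", "tag_for_investigation"],
    "medium": ["scan_endpoint", "tag_for_investigation"],
}

# Constructed sample log lines (TEST-NET addresses, not real traffic).
SAMPLE_LOGS = [
    "2013-04-18T10:01:02Z fw src=10.0.1.15 dst=203.0.113.45 dport=443 action=allow",
    "2013-04-18T10:01:05Z fw src=10.0.1.15 dst=203.0.113.45 dport=443 action=allow",
    "2013-04-18T10:02:11Z fw src=10.0.1.22 dst=198.51.100.7 dport=80 action=allow",
    "2013-04-18T10:02:30Z fw src=10.0.1.22 dst=198.51.100.7 dport=80 action=allow",
    "2013-04-18T10:02:55Z fw src=10.0.1.22 dst=198.51.100.7 dport=80 action=allow",
    "2013-04-18T10:03:40Z fw src=10.0.1.30 dst=198.51.100.7 dport=80 action=deny",
    "2013-04-18T10:04:00Z fw src=10.0.1.40 dst=93.184.216.34 dport=443 action=allow",
    "garbage line that the parser must skip",
]


@dataclass
class Response:
    endpoint: str
    indicator: str
    severity: str
    hits: int = 0
    actions: list = field(default_factory=list)


def parse(line):
    """Return the log fields as a dict, or None for a line that does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def correlate(lines, intel, playbook=PLAYBOOK, escalate_after=3):
    """Return one Response per (endpoint, indicator) pair whose traffic was allowed.

    Denied connections never trigger a response (the network already blocked them),
    repeated hits on the same pair are counted rather than duplicated, and a
    'medium' indicator hit at least `escalate_after` times is treated as 'high'.
    """
    responses = {}
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue  # unparseable line: skip it rather than crash the pipeline
        severity = intel.get(ev["dst"])
        if severity is None or ev["action"] != "allow":
            continue  # destination not in the feed, or already blocked
        key = (ev["src"], ev["dst"])
        if key not in responses:
            responses[key] = Response(ev["src"], ev["dst"], severity)
        responses[key].hits += 1
    for r in responses.values():
        if r.severity == "medium" and r.hits >= escalate_after:
            r.severity = "high"  # repeated contact raises confidence
        r.actions = list(playbook[r.severity])
    return list(responses.values())


if __name__ == "__main__":
    for r in correlate(SAMPLE_LOGS, BAD_ACTORS):
        print(f"{r.endpoint} -> {r.indicator} [{r.severity}, {r.hits} hits]: "
              + ", ".join(r.actions))
```

In a real deployment each action name would map to a call into the relevant product (a scan task, a network block rule, an ePO tag) and the threshold and playbooks would be tuned per environment; the point of the example is the ordering: match against intelligence first, suppress what is already blocked, then act by rule.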
“What the SIEM actually does now is take intelligence and turn it into intelligent action,” according to Hellman. These enhancements are part of McAfee’s Security Connected strategy that focuses its efforts on achieving greater integration between its own products and the products of partners.
Source: Computer World – McAfee updates business security management tools