M02 PDF

Uploaded by

ajay kumar

Module 2: Introduction to McAfee® Network Security Platform

McAfee Network Security Platform 10.1 Administration
McAfee Confidential

© 2020 McAfee M02 - 1 McAfee Confidential


Module Goals
What You Will Learn

By the end of this module you should be able to:

 Describe the Network Security Manager (NSM) solution and its key features.
 Identify the components in a basic NSM deployment architecture.
 Identify the McAfee products with which NSM integrates.
 Describe how to utilize NSM to provide security in an organizational environment.

McAfee Confidential Education Services 2

The McAfee® Network Security Manager (NSM) is an award-winning network intrusion prevention system. The NSM goes beyond traditional intrusion protection, offering intuitive security controls (based on users and applications) to protect against sophisticated, next-generation attacks.

What You Will Learn


In this module, you will learn the key features and benefits of the NSM solution and how to use NSM to enhance security in
your organization.



Network Security Platform Overview
Award-Winning Next-Generation Intrusion Prevention System

[Diagram: Network Security Platform at the centre, surrounded by three pillars: Signature-less Defenses, Cloud Scalability, Security Connected]

McAfee Network Security Platform (NSP) detects and blocks known and unknown threats across the network perimeter, data center and cloud environments. With multiple signature-less detection technologies including file analysis and network behavior analytics, McAfee Network Security Platform can find malicious activity and lateral movement across the entire life of a breach. Combined with on-box IPS enforcement and intelligent workflows, Network Security Platform delivers a simplified approach to threat visibility that minimizes the alert fatigue usually associated with network security solutions.
 Signature-less Defenses: Stop advanced targeted attacks with a layered signature-less approach that intelligently finds and blocks unknown threats.
 Cloud Scalability: Enable administrators with an innovative approach to virtual inspection that easily scales with the dynamic nature of private and public clouds, while unifying all network and cloud threat data into a single dashboard.
 Security Connected: Improve ROI and lower TCO by leveraging data and workflows from multiple security products.


Network Security Manager Overview (Continued)
Key Features

 Web-based management interface
 Policy management
 Authentication: Local, LDAP, RADIUS, and CAC
 Users, role assignments, and admin domains
 Auto acknowledged
 Notifications and alerts
 McAfee and third-party product integration

Key Features

 Web-based Management Interface
The user interface is a two-tiered structure to facilitate ease of navigation. You can use the menu bar to logically navigate around the user interface based on what task you want to perform.
 Policies
A policy basically identifies the malicious activity you want to detect on the network and how you want to respond when this activity is detected. McAfee supplies preconfigured policies to get your system up and running quickly. The Default Prevention policy is applied by default to Sensors configured in inline mode (in front of a network segment) when NSM is initialized. You can use the preconfigured policies out of the box, and fine-tune/customize them later to meet your specific needs. NSM provides multiple policy types to meet your needs. These include: IPS, Firewall, Advanced Malware, QoS, Inspection Options, and Connection Limiting policies.
 Authentication
By default, NSM uses its own database to provide authentication (local). As most companies now centralize their user management and authentication, NSM also supports Remote Authentication Dial-In User Service (RADIUS), Lightweight Directory Access Protocol (LDAP), and Common Access Card (CAC) authentication for users. For each remote authentication method, you configure the authentication server information, and then when creating a user, you can choose whether the user is a RADIUS, LDAP, CAC or Local user.

Continued on the next page…



Admin Domains
Security organizations are usually comprised of multiple individuals, and management of the overall system is generally delegated to different people according to some logical categorization, for example by department, geographic location, system, and so on. In NSM, you delegate the management of system components by organizing the components logically into admin domains and then granting various management privileges for the domains to your NSM users.
The Manager enables the creation of multiple users within the system, and enables Super Users to grant specific privilege rules, called roles, to those users to allow them to manage an admin domain and any of its children. Within each admin domain, permission to carry out tasks is limited to only those users with appropriate roles.
Auto Acknowledged
By default, auto-acknowledgement of attacks that are not Recommended For Smart Blocking (non-RFSB) is disabled. Optionally, you can enable this feature and specify the severity of the attacks to be auto-acknowledged. For example, if you specify 2 (Low), then NSM auto-acknowledges all attacks with a severity level of 2 or less. The default value is 3 (Low).
Notifications and Alerts
When a packet violating your enforced security policies is detected, the Sensor compiles information about the offending packet and sends the information to NSM in the form of an alert. You can configure NSM to send alert information to third-party machines, such as SNMP servers and syslog servers. You can also configure NSM to notify you through email, pager or scripts, based on the attack or attack severity.
McAfee and Third-party Product Integration
Integration improves network security posture, optimizes network security for greater cost effectiveness, and aligns intrusion detection and prevention strategically with business initiatives. Security Connected is an integrated approach to network IPS that seamlessly incorporates data and workflows from other security products. NSM then goes beyond signature-based detection with advanced signature-less technologies, such as:
• Advanced botnet detection.
• Advanced malware detection.
• Deep file analysis.
• In-line browser and JavaScript emulation with behavioral and structural heuristic malware detection.
• Endpoint process visibility.
• Integration with other products in the McAfee security portfolio, including Advanced Threat Defense (ATD).


New Features
 Introducing Manager UI 2.0
Network Security Manager UI introduces a dark theme to improve visibility for end users.

 Log UI Redesign
The Logs page is introduced to consolidate several types of logs pages and enhance the user experience in accessing the logs.

 Product Registration
The Network Security Manager and Network Security Central Manager should be registered with McAfee to receive automatic updates in real time.

 Microsoft Office Deep File Inspection
Compressed Microsoft Office files in HTTP traffic are inspected.

 URL Reputation
Network Security Platform supports URL Reputation for McAfee's Global Threat Intelligence service.

Introducing Manager UI 2.0
With this release of 10.1, the Network Security Manager UI introduces a dark theme to improve visibility for end users. It also provides a few changes in the Manager application for users who spend long durations working with the Manager.

Log UI Redesign
With this release of 10.1, the Logs page is introduced to consolidate several types of logs pages and enhance the user experience in accessing the logs.
The Logs page has 5 individual tabs as follows:
 Faults: Displays system faults information.
 System Files: Displays system logs information based on user activity or general system information.
 Background Tasks: Displays the status of long-running processes in your system.
 User Activities: Displays all user actions in the Manager.
 MDR Events: Displays previous MDR activities.
The logs in the mentioned tabs provide detailed information inline.
You can view the Logs page at Manager > (Admin Domain Name) > Troubleshooting > Logs.
For more information about Logs, refer to the McAfee Network Security Platform 10.1.x Product Guide.

Product Registration
With this release of 10.1, the Network Security Central Manager should be registered with McAfee to receive automatic updates in real time. To register your Central Manager with McAfee, you must procure the NSM Registration key from the McAfee Download Server and perform Product Registration in the Manager.
McAfee recommends that you perform Product Registration immediately after the initial login, when the Product Registration window appears post install/upgrade. You can choose to skip the Product Registration in the initial sign-in, but when the Manager is not registered with McAfee, the following features are automatically disabled:
 Download Signature Sets
 Download Automatic Signature Set
You can view the registration status of the Central Manager at Manager → Summary.
To register the Central Manager with McAfee, go to Manager → Summary and click Product Registration.

Continued on the next page.



New features continued…

Microsoft Office Deep File Inspection
With this release of 10.1, compressed Microsoft Office files in HTTP traffic are inspected. The process of Microsoft Office Deep File Inspection in the Sensors is achieved using advanced signature sets with a multi-level threat detection mechanism. These signature sets are customized for deep file inspection.
Points for consideration:
 The Microsoft Office Deep File Inspection feature is supported only for .docx, .pptx, and .xlsx file extensions in HTTP traffic on NS-series Sensor version 10.1 and later.
 Microsoft Office Deep File Inspection is disabled by default.
 To enable Deep File Inspection, HTTP Response Traffic Scanning should be enabled.
 The Microsoft Office Deep File Inspection feature detects malicious hostnames present in URLs mentioned in any .docx, .pptx, or .xlsx files submitted for inspection. The files downloaded from a URL in the Microsoft Office files are inspected as new files.
 Microsoft Office Deep File Inspection is supported in inline and SPAN modes for both Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS).
 This feature impacts the Sensor performance depending on the number of Microsoft Office files (.docx, .pptx, or .xlsx) in the traffic.
 A Microsoft Office file (.docx, .pptx, or .xlsx) can have any number of files embedded within it. While inspecting such Microsoft Office files, the Sensor scans all the embedded files. Only a few files are selectively decompressed using deep file inspection signatures and further inspected.
 Nested decompression is not supported in the following scenarios:
1. When a Microsoft Office file is zipped inside another .zip file.
2. When the traffic flowing through the network is zipped. That is, when the traffic to be inspected is completely zipped and contains the Microsoft Office files (.docx, .pptx, or .xlsx) in the zipped content.
 User-defined signatures, McAfee Snort, and Suricata Snort signatures cannot be used to create signatures for deep file inspection.
 To disable any Microsoft Office attack, you should disable the correlation attack for the respective attack in IPS policies.


New features continued…

Deep file inspection and malware analysis features are mutually exclusive. If malware analysis is enabled, the malware analysis engine takes precedence over Microsoft Office Deep File Inspection. The Microsoft Office Deep File Inspection feature treats files in the traffic as zipped archives, unlike the Advanced Malware Inspection feature, where the files are inspected as single executables.
To enable deep file inspection, go to Policy > <Admin Domain Name> > Intrusion Prevention > Policy Types > Inspection Options. Double-click on any inspection policy and select Inspection Options > Traffic Inspection tab. From the Microsoft Office Deep File Inspection drop-down list, select Inbound only, Outbound only, or Inbound and Outbound.

URL Reputation
With this release of 10.1, Network Security Platform supports URL Reputation for McAfee's Global Threat Intelligence service. You can use this feature to obtain reputation scores for URLs present in the header fields of the HTTP and HTTPS traffic inspected by the Sensor. The GTI server hosted in the cloud provides URL reputation information for millions of URLs. Using this service, the Network Security Platform provides real-time protection when browsing websites.
The following new monitors are available in the Dashboard tab to view the URL Reputation details:
 Top Risky URLs: You can view the top risky URLs that are accessed from your systems.
 Top Endpoints Using Risky URLs: You can view the top endpoint systems that are sending requests to risky URLs.
To enable URL reputation in the Manager, go to Policy > <Admin Domain Name> > Intrusion Prevention > Policy Types > Inspection Options. Double-click on any inspection policy and select Inspection Options > GTI Reputation Services > URL tab. From the URL Reputation Analysis drop-down list, select Inbound only, Outbound only, or Inbound and Outbound.
You can also enable URL Reputation at the interface level of a Sensor. To enable URL reputation at an interface level, go to Policy > <Admin Domain Name> > Intrusion Prevention > Policy Manager.


For more information about URL Reputation, refer to the McAfee Network Security Platform 10.1.x Integration Guide.


Enhanced Features

 HTTP Response Decompression for deflate compressed files
Network Security Platform supports deflate compressed traffic along with gzip compressed traffic.

 Chunked HTTP response decoding
The Chunked HTTP Response Decoding engine is enhanced to detect evasion techniques that are based on HTTP response deviations from RFC standards.

 CAC authentication
The CAC Authentication page is introduced in the Manager UI to enable CAC Authentication. You can also import the trusted certificates to the Manager database from this page.

 Licensing for proxy-based SSL decryption
The proxy-based SSL licenses are assigned to specific Sensors.

Enhanced Features

HTTP Response Decompression for deflate compressed files
With this release of 10.1, Network Security Platform supports deflate compressed traffic along with gzip compressed traffic. This improves the performance by reducing the transfer time and bandwidth consumption.
Note the following:
 HTTP Response Decompression is supported for gzip and deflate compressed files only.
 HTTP Response Decompression is disabled by default.
 To enable HTTP Response Decompression, HTTP Response Traffic Scanning should be enabled.
 Advanced malware inspection of decompressed files is not supported.
 This feature is supported on NS-series.
To enable HTTP Response Decompression, go to Policy > <Admin Domain Name> > Intrusion
Prevention > Policy Types > Inspection Options. Double-click on any inspection policy and select Inspection
Options > Traffic Inspection tab. From the HTTP Response Decompression drop-down list, select Inbound
only, Outbound only, or Inbound and Outbound.
For more information about HTTP Response Decompression, refer to the McAfee Network Security Platform
10.1.x Product Guide.

Chunked HTTP response decoding
With this release of 10.1, the Chunked HTTP Response Decoding engine is enhanced to detect evasion techniques that are based on HTTP response deviations from RFC standards.
Points for Consideration:
 Chunked HTTP Response Decoding is disabled by default.
 To enable Chunked HTTP Response Decoding, HTTP Response Traffic Scanning should be enabled.
 Chunked HTTP Response Decoding is supported in inline and span modes for both Intrusion Prevention
Systems (IPS) and Intrusion Detection Systems (IDS).
 The Chunked HTTP Response Decoding feature impacts the Sensor performance depending on the amount of chunked content in the network traffic.
 Advanced malware inspection of dechunked payload is not supported.


To enable Chunked HTTP Response Decoding, go to Policy > <Admin Domain Name> > Intrusion Prevention > Policy Types > Inspection Options. Double-click on any inspection policy and select Inspection Options > Traffic Inspection tab. From the Chunked HTTP Response Decoding drop-down list, select Inbound only, Outbound only, or Inbound and Outbound.
For more information about the chunked HTTP response decoding, refer to the McAfee Network Security Platform 10.1.x Product Guide.
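The two response-normalisation stages described here and in the HTTP Response Decompression section above, written as an added example that is not McAfee code: a chunked-transfer decoder that tolerates the RFC deviations an evasive server might use, followed by gzip/deflate decompression that handles both zlib-wrapped and raw DEFLATE. The size cap, sample response and header handling are assumptions.

```python
import gzip
import zlib

# Assumed cap on decoded size; guards the inspection path against decompression bombs.
MAX_DECODED = 1 << 20


def dechunk(body: bytes) -> bytes:
    """Decode a chunked transfer-coded body. Deliberately tolerant of the
    deviations an evasion-minded server might send: chunk extensions, spaces
    around the size, upper-case hex, bare LF line endings and a missing
    final CRLF. Trailers are ignored."""
    out = bytearray()
    pos = 0
    while True:
        nl = body.find(b"\n", pos)
        if nl < 0:
            raise ValueError("truncated chunk-size line")
        size_field = body[pos:nl].rstrip(b"\r").split(b";", 1)[0].strip()
        if not size_field:
            raise ValueError("empty chunk-size line")
        size = int(size_field, 16)
        pos = nl + 1
        if size == 0:
            return bytes(out)
        chunk = body[pos:pos + size]
        if len(chunk) < size:
            raise ValueError("truncated chunk data")
        out += chunk
        if len(out) > MAX_DECODED:
            raise ValueError("decoded size cap exceeded")
        pos += size
        # Skip the CRLF (or bare LF) that terminates the chunk data.
        if body[pos:pos + 1] == b"\r":
            pos += 1
        if body[pos:pos + 1] == b"\n":
            pos += 1


def _inflate(data: bytes, wbits: int) -> bytes:
    d = zlib.decompressobj(wbits)
    out = d.decompress(data, MAX_DECODED)
    if d.unconsumed_tail:
        raise ValueError("decoded size cap exceeded")
    return out


def decompress(body: bytes, content_encoding: str) -> bytes:
    """Undo Content-Encoding. 'deflate' is tried as zlib-wrapped data first
    (the RFC meaning) and then as raw DEFLATE, which many servers send instead."""
    enc = content_encoding.strip().lower()
    if enc in ("gzip", "x-gzip"):
        return _inflate(body, 16 + zlib.MAX_WBITS)
    if enc == "deflate":
        try:
            return _inflate(body, zlib.MAX_WBITS)
        except zlib.error:
            return _inflate(body, -zlib.MAX_WBITS)
    return body


def normalise_response(headers: dict, body: bytes) -> bytes:
    """Transfer-Encoding is removed before Content-Encoding, the same order as
    the Sensor's chunked decoding and response decompression stages."""
    if "chunked" in headers.get("transfer-encoding", "").lower():
        body = dechunk(body)
    return decompress(body, headers.get("content-encoding", ""))


# Constructed samples (not captured traffic).
PLAINTEXT = b"<html><body>content the signatures must actually see</body></html>"


def chunked_gzip_sample() -> bytes:
    """gzip body split into two chunks; the first size line uses padding spaces,
    a chunk extension and upper-case hex."""
    gz = gzip.compress(PLAINTEXT, mtime=0)
    first, rest = gz[:10], gz[10:]
    return (b" A ;ext=1\r\n" + first + b"\r\n"
            + ("%X" % len(rest)).encode() + b"\r\n" + rest + b"\r\n"
            + b"0\r\n\r\n")


def raw_deflate_sample() -> bytes:
    c = zlib.compressobj(wbits=-zlib.MAX_WBITS)   # raw DEFLATE, no zlib header
    return c.compress(PLAINTEXT) + c.flush()


def demo():
    """Returns whether both samples normalise back to PLAINTEXT."""
    a = normalise_response({"transfer-encoding": "chunked", "content-encoding": "gzip"},
                           chunked_gzip_sample())
    b = normalise_response({"content-encoding": "deflate"}, raw_deflate_sample())
    return a == PLAINTEXT, b == PLAINTEXT
```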

CAC authentication
With this release of 10.1, the CAC Authentication page is introduced in the Manager UI to enable CAC Authentication. You can also import the trusted certificates to the Manager database from this page.
The CAC Authentication page has two tabs:
 Settings: You can enable CAC Authentication and OCSP options in this tab. In addition, you can configure the Manager to raise alerts when the certificates reach the expiration threshold.
 Trusted Certificates: Lists the trusted certificates for CAC authentication in the Manager. You can add or delete the certificates, or save the certificates in CSV format.
For more information about CAC Authentication, refer to the McAfee Network Security Platform 10.1.x Product Guide.

Licensing for proxy-based SSL decryption
With this release of 10.1, the proxy-based SSL licenses are assigned to specific Sensors. You can now enable the SSL decryption feature even before adding the proxy-based SSL license to the Manager. After license expiration, the SSL decryption feature remains enabled, but you cannot perform configuration updates to the Sensor until a new proxy-based SSL license is assigned to it. Configuration updates such as signature set updates and policy updates are also disabled when an invalid license is assigned to the Sensor.


New Features (NSM Product Registration)

Starting with version 10.1, you need to register the NSM to receive updates for signature sets, callback detectors, and device software through the NSM.
You can find the registration key on the Product Download page of the McAfee Portal.
If you do not register the NSM, or your NSM resides on an air-gapped network, then the following will not be available through the NSM:
 Manual and scheduled updates of signature sets from the NSM.
 Manual and scheduled updates of callback detectors from the NSM.
 Manual download of device software.
 Automatic GAM updates.


New Features (MS Office Deep File Inspection)

Microsoft Office 2007 and later use the Office Open XML format, a zipped XML-based file format. The zipped file contains multiple files after extraction. Enabling this option instructs the Sensor to decompress compressed Office files for inspection.
 Compressed Microsoft Office files (.docx, .pptx, and .xlsx) in HTTP traffic are inspected. Further, the traffic segments are decompressed for detection of any threats and anomalies.
 Deep file inspection signatures identify the files that are to be decompressed. The decompressed files are inspected further for attack identification.
 When an attack is detected, the malicious files are blocked, and alerts are generated in the Manager.
 The process of Microsoft Office Deep File Inspection in the Sensors is achieved using advanced signature sets with a multi-level threat detection mechanism.
 These signature sets are customized and cannot be created using the UDS framework.
Note: NS-series Sensors only.


Layers of Protection
What does NSM Protect?


NSM acts as a network Intrusion Prevention System (IPS), providing protection across multiple layers of the Open Systems
Interconnect (OSI) model. NSM correlates threat activity with application usage, including layer 7 visibility of more than
1,500 applications and protocols, to allow you to make more informed decisions about which applications you allow on
your network. In addition to application identification, NSM provides user and device visibility. It prioritizes risky hosts and
users, including active botnets, through the identification of anomalous network behavior.



Why a Network IPS is Important
Detects and Prevents

 Provides an extra layer of protection for the network.
 Recognizes attacks that firewalls do not normally detect.
 Inspects inbound and outbound traffic for suspicious patterns.
 Validates traffic at multiple layers of OSI model.
 Very useful against DDoS Attacks.

[Diagram of threats across the network; labels: Malicious Spyware, VoIP Server, Encrypted Server Attacks, Web Server, Switch, Router/Switches, Vulnerabilities, Worms, User Desktops (Vulnerable Web Clients), Database Server, Bot Zombies, Zero-day Attacks]

An Intrusion Prevention System (IPS) provides an extra layer of protection for the network, recognizing attacks that a firewall cannot see. As an example, assume your firewall is configured to allow HTTP traffic. The firewall typically relies on a destination port, such as Transmission Control Protocol (TCP) port 80, to judge the nature of the content. Although the firewall can proxy network requests that implicitly ensure legitimate HTTP traffic, the firewall does not scan the traffic for exploits.
The IPS inspects inbound and outbound traffic, including application-specific headers and payloads, for suspicious patterns and malicious code. It also validates traffic at multiple layers of the Open Systems Interconnection (OSI) model.


Solution Components

[Diagram: McAfee Update Server delivering signatures and patches over SSL to the NSM Server (with an optional secondary NSM server in a Manager Disaster Recovery (MDR) deployment) and its embedded NSM-supplied MariaDB database; clients running supported browsers connect to the GUI; physical and/or virtual Sensors report to the NSM]

Basic solution components are:

1. NSM (Manager) Server: Hosts the NSM software and database. It runs on a supported Windows Server OS (64-bit only).

2. Browser-based GUI: Used to view, configure, and manage network security appliance deployments. It is accessed from a client system. An optional Manager Disaster Recovery (MDR) configuration is supported.

3. Database: Stores persistent configuration information and event data. It is installed (embedded) on the target server (NSM-supplied version of MariaDB only).

4. Clients: Connect to the NSM server and its hosted NSM GUI via a supported browser. This is the recommended method for accessing NSM.

5. Physical and/or Virtual Sensors: Provide real-time traffic monitoring to detect malicious activity, and respond to the malicious activity as configured by the administrator. They are installed in the network at key points. Physical and virtual Sensors are supported.

6. McAfee Update Server: McAfee-owned and operated file server that houses updated signature and software files for NSM and Sensor installations. It provides fully automated, real-time signature updates without requiring any manual intervention. It ensures the NSM and Sensors have the most current signatures and patches for proper detection and protection against malicious activities. It requires an SSL-secured connection between the NSM and the Update Server.


Attack Detection Framework

Traffic Flow Identification
 Sensor identifies flows by protocol (UDP/TCP) and endpoint ports and IP addresses (source and destination).
 Timer-based flow context is implemented for stateless UDP traffic.
 Traffic is divided into flows and passed to the appropriate protocol parsing engine.

Protocol Parsing
 Protocol specifications parse through network flows to validate traffic and divide it into protocol fields.
 The fields are then actively tested against NSM-supplied or custom attack definitions.
 Since the parsing process is fully stateful, it allows detection of anomalies in the protocol's behavior.

Packet Searches
 NSM passes traffic flows identified as belonging to any particular protocol to the packet search protocol specification engine for further parsing.
 It presents each direction of the flow to attack definitions.
 Packet search tests typically take the form of specific ordered pattern matches to prevent false positives and performance issues.

Traffic Flow
At the highest level, the Sensor identifies traffic based on the concept of a flow. Flows are defined by their protocol
(UDP/TCP) and endpoint ports and IP addresses (source and destination). Because UDP is stateless, the Sensor implements
a timer-based flow context for UDP traffic. After dividing traffic into flows, the Sensor makes use of port mappings (or in the
case of traffic running on non-standard ports, intelligent protocol identification) to pass each flow to the appropriate
protocol parsing mechanism.
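A simplified model of the flow identification step just described, written as an added example (not McAfee code): flows are keyed by protocol plus the source/destination addresses and ports, UDP flows expire on a timer, and each new flow is handed to a parser chosen by port mapping or, for non-standard ports, by a small content check. The timeout, port map and packet format are assumptions.

```python
from dataclasses import dataclass

# Assumed values, not taken from the product.
UDP_FLOW_TIMEOUT = 30.0                                      # seconds of silence before a UDP flow expires
PORT_MAP = {80: "http", 443: "tls", 53: "dns", 25: "smtp"}   # well-known port -> parsing engine


@dataclass
class Flow:
    key: tuple          # (proto, (ip, port), (ip, port)) with the endpoints in canonical order
    parser: str         # protocol parsing engine this flow is handed to
    last_seen: float    # timestamp of the most recent packet, drives the UDP timer
    packets: int = 0


def flow_key(proto, src_ip, src_port, dst_ip, dst_port):
    """Canonical 5-tuple so both directions of a conversation map to one flow."""
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    return (proto,) + ((a, b) if a <= b else (b, a))


def identify_protocol(src_port, dst_port, payload):
    """Port mapping first; for non-standard ports, fall back to a content check
    (a stand-in for the product's intelligent protocol identification)."""
    for port in (dst_port, src_port):
        if port in PORT_MAP:
            return PORT_MAP[port]
    if payload[:4] in (b"GET ", b"POST", b"HEAD"):
        return "http"
    return "unknown"


class FlowTable:
    def __init__(self):
        self.flows = {}

    def expire(self, now):
        """Timer-based flow context: UDP has no connection state, so a UDP flow
        ends when its timer runs out. TCP teardown (FIN/RST) is not modelled here."""
        dead = [k for k, f in self.flows.items()
                if k[0] == "udp" and now - f.last_seen > UDP_FLOW_TIMEOUT]
        for k in dead:
            del self.flows[k]
        return len(dead)

    def process(self, pkt):
        """Classify one packet; returns (flow, is_new_flow)."""
        self.expire(pkt["ts"])
        key = flow_key(pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        flow = self.flows.get(key)
        is_new = flow is None
        if is_new:
            parser = identify_protocol(pkt["sport"], pkt["dport"], pkt["payload"])
            flow = Flow(key=key, parser=parser, last_seen=pkt["ts"])
            self.flows[key] = flow
        flow.last_seen = pkt["ts"]
        flow.packets += 1
        return flow, is_new


# Constructed sample packets (not captured traffic): an HTTP exchange on port 80,
# a DNS query, HTTP on a non-standard port, and a second DNS query after the timer.
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 51000, "dst": "192.0.2.10", "dport": 80,
     "ts": 0.0, "payload": b"GET / HTTP/1.1\r\n"},
    {"proto": "tcp", "src": "192.0.2.10", "sport": 80, "dst": "10.0.0.5", "dport": 51000,
     "ts": 0.1, "payload": b"HTTP/1.1 200 OK\r\n"},
    {"proto": "udp", "src": "10.0.0.5", "sport": 40000, "dst": "192.0.2.53", "dport": 53,
     "ts": 1.0, "payload": b"\x12\x34\x01\x00"},
    {"proto": "tcp", "src": "10.0.0.6", "sport": 52000, "dst": "192.0.2.20", "dport": 8888,
     "ts": 2.0, "payload": b"GET /x HTTP/1.1\r\n"},
    {"proto": "udp", "src": "10.0.0.5", "sport": 40000, "dst": "192.0.2.53", "dport": 53,
     "ts": 50.0, "payload": b"\x56\x78\x01\x00"},
]


def run_sample():
    """Feed the sample through the table; returns per-packet (parser, is_new, packets_in_flow)
    and the number of live flows at the end."""
    table = FlowTable()
    rows = []
    for pkt in SAMPLE_PACKETS:
        flow, is_new = table.process(pkt)
        rows.append((flow.parser, is_new, flow.packets))
    return rows, len(table.flows)


if __name__ == "__main__":
    for row in run_sample()[0]:
        print(row)
```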

Protocol Parsing
Traffic is parsed into protocol fields, enabling the Sensor to perform matches against the field or subfield pertinent to an effective attack, reducing false-positive rates. The parsing process is fully stateful, allowing anomaly detection in the protocol's behavior. It also provides an additional benefit in the form of qualifiers, or tests. Qualifiers (tests) are embodied in the name of a particular protocol field. For example, rather than specifying that an HTTP request method must be GET, NSM allows you to use http-get-req-uri as the field name, saving you the requirement of providing that test in the custom attack, and the Sensor from having to perform an extra pattern match.

Packet Searches
NSM passes traffic flows identified as belonging to any particular protocol to the packet search protocol specification engine for further parsing. NSM presents each direction of the traffic flow to attack definitions. Tests against packet search traffic typically take the form of specific ordered pattern matches to prevent false positives and performance issues.


Multiple Detection Engines
Parsed Data Passes through Various Detection Engines

 Advanced Malware Detection: Based on selected file types and report confidence level to determine probability of infection.
 Anomaly Detection: Examines data using baseline to detect abnormal behavior.
 DoS Detection: Combines threshold-based and self-learning profile-based detection.
 Signature Detection: Searches flow for multiple triggers (sub-signatures) in protocol fields using embedded signature files.

The parsed data passes through its various engines, such as:

 Advanced Malware Detection Engine: The Advanced Malware Detection Engines scan files based on selected file types and report a confidence level to determine the probability of infection. Types of engines include:
− McAfee® Advanced Threat Defense (ATD)
− McAfee® Global Threat Intelligence File Reputation (GTI) Engine
− McAfee® Network Threat Behavior Analysis (NTBA) Engine
− PDF Emulation Engine
− White List and Black List Engine

ATD and other malware engines are discussed in more detail in the “Advanced Malware Detection” module.

 Anomaly Detection Engine: The Anomaly Detection Engine examines the data, using a normal, predefined standard, or baseline, to detect abnormal behavior.

 DoS Detection Engine: The DoS Detection Engine combines threshold-based detection and self-learning profile-based detection. With threshold-based detection, administrators can use pre-programmed limits on data traffic to ensure servers will not become unavailable due to overload. At the same time, self-learning methodologies enable administrators to study the patterns of network usage and traffic to understand the usage patterns during legitimate network operations.

 Signature Detection Engine: The Signature Detection Engine searches in a flow for multiple triggers (sub-signatures) in multiple fields of a protocol using embedded signature files to increase the precision by which an attack can be unambiguously detected. Example categories of unknown attacks are new worms, intentionally stealthy assaults and variants of existing attacks in new environments.


Signature Detection
Uses Well-Known Patterns to Predict/Detect Subsequent Similar Attempts

Benefits:
 Effective for well-known attacks.
 Updates the database as new attacks are detected.
Challenges:
 Updates the database frequently.
 Leaves your network unprotected against new and complex attacks that do not match existing signatures.
Example: Seeing default.ida means Code Red attack.

Signature detection, also known as misuse detection or rule-based detection, uses known patterns of unauthorized behavior to predict and detect subsequent similar attempts. These known patterns are called signatures. With signature matching, network traffic is compared to a database of known attack patterns (signatures). This is effective for well-known attacks; however, relying on signature detection alone leaves your network unprotected against new and complex attacks.

In this example, if the system sees default.ida in the Uniform Resource Locator (URL) field of an HTTP packet, along with a
pattern in the URL argument name field, it identifies this as a Code Red attack. This is because the attack matches a standard
signature. Another example is an exploit signature that matches byte patterns at Layers 3 to 7.
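The parsed-field approach from the Protocol Parsing notes (the http-get-req-uri qualifier) applied to the Code Red example above, as an added example that is not McAfee code or its signature format: the request is split into named protocol fields and a signature is evaluated as ordered sub-signature matches over those fields. The field names, signature structure and sample requests are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed field names and signature format for illustration; the product's
# own definitions are not reproduced here.


def parse_http_request(raw: bytes) -> dict:
    """Split a request into named protocol fields. The request method is folded
    into the field name (http-get-req-uri, http-post-req-uri, ...), so a
    signature written against http-get-req-uri never needs a separate method test."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, version = parts
    m = method.lower()
    url = urlsplit(target)
    fields = {
        "http-req-method": method,
        "http-req-version": version,
        f"http-{m}-req-uri": url.path,
        # one value per query argument: just the name, not the value
        f"http-{m}-req-arg-name": [kv.split("=", 1)[0] for kv in url.query.split("&") if kv],
    }
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            fields[f"http-req-header-{name.strip().lower()}"] = value.strip()
    return fields


# A signature is an ordered list of (field, pattern) sub-signatures. All must hit,
# and later sub-signatures are only evaluated when the earlier, cheaper ones did,
# which is what keeps false positives and pattern-matching cost down.
SIGNATURES = {
    "HTTP: .ida request with overlong argument name (constructed Code Red style)": [
        ("http-get-req-uri", re.compile(r"/default\.ida$", re.I)),
        ("http-get-req-arg-name", re.compile(r"^(.)\1{199,}$")),   # 200+ copies of one byte
    ],
}


def _values(fields: dict, name: str) -> list:
    v = fields.get(name)
    return [] if v is None else (v if isinstance(v, list) else [v])


def match_signature(fields: dict, subsigs: list) -> bool:
    for name, pattern in subsigs:
        if not any(pattern.search(v) for v in _values(fields, name)):
            return False          # an earlier miss short-circuits the later tests
    return True


def inspect(raw: bytes) -> list:
    """Return the ids of all signatures that match the request."""
    fields = parse_http_request(raw)
    return [sid for sid, subsigs in SIGNATURES.items() if match_signature(fields, subsigs)]


# Constructed sample requests (not captured traffic).
SUSPECT = (b"GET /default.ida?" + b"X" * 240 + b"=1 HTTP/1.0\r\n"
           b"Host: www.example.com\r\n\r\n")
BENIGN = b"GET /default.ida?page=1 HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
# Same payload with a different method: http-get-req-uri is absent, so the
# signature does not fire; a signature for POST would name http-post-req-uri.
OTHER_METHOD = (b"POST /default.ida?" + b"X" * 240 + b"=1 HTTP/1.0\r\n"
                b"Host: www.example.com\r\n\r\n")
```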



DoS/DDoS Detection
Combines Threshold/Profile-Based Detection with Self-Learning

Detected through:
 Self-learning: Study patterns and adapt behavior over time.
 Exceeded Thresholds: Network behavior changes.
 Signature Matching: Matches attack pattern.
Example: Comparing normal traffic to today's traffic.

DoS/DDoS detection has to distinguish attack floods from the legitimate, sometimes unexpected, traffic surges that popular
websites and networks experience during external events or after the release of a particularly compelling program, service, or
application. DoS detection therefore combines threshold- and profile-based detection with self-learning.

 Self-learning: The system observes and studies network behavior, and adjusts its learned profile over time.

 Threshold-based: The network behavior departs from a predefined or learned baseline; for example, thresholds are
exceeded.

 Signature Matching: The system detects a specially crafted attack that is known and matches a signature (attack pattern).
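The threshold- and profile-based parts of the list above, as an added example in Python (this is not NSP code and does not describe how the NSP Sensor learns): a detector keeps an exponentially weighted baseline of a per-interval count (here SYN segments per second on one port), alarms when an interval exceeds the baseline by a margin, and optionally also enforces a predefined static limit. The detail worth noticing is that the baseline is not updated while an alarm is active, so a sustained flood cannot teach the detector that flood rates are normal. The smoothing constants and the sample series are constructed for this example.

```python
class AdaptiveThreshold:
    """Profile-based detector with a self-learned baseline and an optional static limit."""

    def __init__(self, alpha=0.2, k=4.0, min_margin=20.0, learn_intervals=10, static_limit=None):
        self.alpha = alpha                    # weight of the newest interval in the baseline
        self.k = k                            # alarm at baseline + k * mean absolute deviation
        self.min_margin = min_margin          # never alarm on a razor-thin margin over baseline
        self.learn_intervals = learn_intervals  # intervals observed before alarms are allowed
        self.static_limit = static_limit      # predefined threshold (the "predefined baseline" case)
        self.mean = None                      # learned baseline (None until the first interval)
        self.dev = 0.0                        # learned mean absolute deviation
        self.seen = 0

    def threshold(self):
        """Current learned alarm threshold; infinite until a baseline exists."""
        if self.mean is None:
            return float("inf")
        return self.mean + max(self.k * self.dev, self.min_margin)

    def observe(self, count):
        """Feed one interval's count. Returns True if this interval is an alarm."""
        self.seen += 1
        # Predefined threshold: exceeded regardless of what has been learned.
        if self.static_limit is not None and count > self.static_limit:
            return True
        if self.mean is None:
            self.mean = float(count)
            return False
        learning = self.seen <= self.learn_intervals
        if not learning and count > self.threshold():
            # In alarm: skip the baseline update so the flood does not become "normal".
            return True
        err = count - self.mean
        self.mean += self.alpha * err
        self.dev += self.alpha * (abs(err) - self.dev)
        return False


def alarm_intervals(counts, **kwargs):
    """Run the detector over a series and return the indexes of alarming intervals."""
    det = AdaptiveThreshold(**kwargs)
    return [i for i, c in enumerate(counts) if det.observe(c)]


# Constructed sample: SYN segments per second on one monitoring port. Ten quiet
# intervals are the learning period; a two-second flood follows, then normal traffic.
SAMPLE_SYN_RATE = [100, 104, 98, 101, 97, 103, 99, 102, 100, 98, 102, 900, 950, 105]

if __name__ == "__main__":
    print("alarms at intervals:", alarm_intervals(SAMPLE_SYN_RATE))
```

The flood intervals (11 and 12) alarm, and because the baseline was frozen during them, the return to 105 SYN/s in interval 13 is recognized as normal rather than as a drop below a newly inflated baseline.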



Anomaly Detection
Looks for Patterns that do not Match Specifications, such as RFCs

Statistical Anomaly:
 Too much UDP traffic compared to TCP traffic.
 High traffic volume at a typically low-volume time.
Application Anomaly:
 Shell code in unexpected fields of a packet.
Protocol Anomaly:
 HTTP traffic on a non-standard port.
 Corrupted checksums.
Example: Web traffic with syntax not in compliance with the HTTP specification (HTTP RFC).


Anomaly detection is the detection of an event, state, content, or behavior that does not match what is considered a
normal, predefined standard or baseline. You can configure this baseline, or the IPS can learn it.

The system looks for patterns that do not match defined specifications, such as Requests for Comments (RFCs); for example,
web traffic with syntax that does not comply with the Hypertext Transfer Protocol (HTTP) specification.

There are different types of anomaly detection. Each has advantages and challenges.

 Statistical Anomalies: Statistical anomalies are network-dependent, because networks have different behaviors and
traffic mixes. In-depth knowledge of the network is needed to tune out false positives.

 Application Anomalies: Application anomalies require analysis of the traffic to ensure that the various fields contain the
correct kind of data according to their defined protocols.

 Protocol Anomalies: Protocol anomalies are cases where the format or behavior of the protocol does not match its
specification or the baseline of traffic behavior considered normal.
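The protocol- and application-anomaly checks described above, as an added example in Python (this is not NSP code and does not reproduce the Sensor's parsers): the request-line and header-field grammar is taken from RFC 7230, so a request that violates it is reported as a protocol anomaly, while control bytes or a NOP sled (0x90 runs) in a header value are reported as application anomalies. The NOP-sled heuristic and the sample requests are constructed for this example.

```python
import re

# RFC 7230 "tchar" token characters; used for the method and for header field names.
TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
VERSION = re.compile(rb"^HTTP/[0-9]\.[0-9]$")
FIELD_LINE = re.compile(rb"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):[ \t]*(.*?)[ \t]*$")
# Illustrative application-anomaly heuristic: 16+ consecutive x86 NOP bytes (assumed threshold).
NOP_SLED = re.compile(rb"\x90{16,}")


def check_http_request(raw):
    """Return a list of anomaly descriptions for one HTTP request head (bytes)."""
    anomalies = []
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")

    # Protocol anomaly checks on the request line: method SP request-target SP HTTP-version.
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        anomalies.append("protocol: request line is not 'method SP target SP version'")
    else:
        method, target, version = parts
        if not TOKEN.match(method):
            anomalies.append("protocol: method is not a token")
        if not (target.startswith(b"/") or target == b"*" or b"://" in target):
            anomalies.append("protocol: request-target is not origin, absolute or asterisk form")
        if not VERSION.match(version):
            anomalies.append("protocol: malformed HTTP-version")

    # Header field lines: grammar (protocol) and content (application) checks.
    for line in lines[1:]:
        m = FIELD_LINE.match(line)
        if not m:
            anomalies.append("protocol: malformed header field line %r" % line[:20])
            continue
        name, value = m.groups()
        field = name.decode("ascii")
        if any((b < 0x20 and b != 0x09) or b == 0x7F for b in value):
            anomalies.append("application: control bytes in %s header" % field)
        if NOP_SLED.search(value):
            anomalies.append("application: NOP sled in %s header" % field)
    return anomalies


# Constructed sample requests (not captured traffic).
GOOD = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: demo/1.0\r\n\r\n"
BAD_VERSION = b"GET /index.html HTTP/1.1x\r\nHost: a\r\n\r\n"
SHORT_LINE = b"GET /\r\n\r\n"
SLED = b"GET / HTTP/1.1\r\nHost: a\r\nUser-Agent: " + b"\x90" * 32 + b"\r\n\r\n"
CONTROL = b"GET / HTTP/1.1\r\nX-Foo: a\x01b\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("good", GOOD), ("bad version", BAD_VERSION), ("short", SHORT_LINE),
                      ("sled", SLED), ("control", CONTROL)):
        print(name, "->", check_http_request(req) or "no anomaly")
```

None of the anomalous samples would match a Code Red-style signature, which is the point of the technique: the checks are against what the specification says a request must look like, not against a catalogue of known attacks.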



Advanced Malware Detection
Scans File Types and Reports Confidence Level

Symptoms:
 Poor performance
 Longer startup times
 Unexpected closing/stopping of browser
 Unresponsive or redirected links
 Pop-up advertising
 Additional toolbars on browser
Example: High confidence indicates high probability of infection.


Malware is malicious software created to compromise the computer on which it is installed and to leave that computer open
to further attack.

There are numerous types of malware, including, but not limited to, viruses, spyware, rootkits, Trojans, botnets, and
worms. With malware detection, the system scans selected file types in the network traffic and reports a confidence level.
The confidence level is based on the specificity and severity of the findings, and indicates how likely the file is to be
malicious. For example, a high confidence level indicates a high probability that the file is infected.

Some symptoms of malware infection are:

 Poor system performance

 Longer startup times

 Unexpected closing/stopping of browser

 Unresponsive links or redirected links

 Pop-up advertising windows

 Additional toolbars on browser



Traffic Normalization
In-line Sensor Deployments

• Cleans malformed packets (packet scrubbing).
• Prevents hosts from responding to malformed packets.
• Drops illegal packets (fragments).

Recall TCP handshake:
 Client performs active open by sending a synchronization (SYN) request to server.
 Server replies with a SYN-ACK (acknowledgment) response.
 Client sends ACK back to server.
Issues corrected in normalization:
 Removes TCP Timestamp when it is not negotiated.
 Removes maximum segment size (MSS) when it appears in a non-SYN packet.
[Diagram: the packet scrubber forwards clean packets and drops illegal packets.]


Traffic normalization, available when the Sensor is operating in inline mode, removes protocol ambiguities from traffic,
protecting the end systems by cleaning potentially harmful traffic in real time. Traffic normalization consists of cleaning
malformed packets and dropping illegal packets (the default behavior). Packet scrubbing must be enabled manually.

Traffic normalization also thwarts attempts to evade the Sensor while improving attack detection accuracy. This feature,
also known as protocol scrubbing or packet scrubbing, prevents attackers from fingerprinting a host system. Attackers
often send abnormal traffic in the hope that the end system responds in a way that reveals which environments and
technologies are deployed at a particular site; that knowledge makes it easier to launch subsequent attacks against known
vulnerabilities in host network hardware or software.

Specifically, when enabled, normalization does the following:

 When the TCP Timestamp option is not negotiated in the synchronization/acknowledgment (SYN/SYN-ACK) packets of
a connection but appears in later packets of that connection, the Sensor removes the TCP Timestamp option from the
headers of those packets.

 The maximum segment size (MSS) option is permitted only in the SYN/SYN-ACK packets of a TCP connection. If any
other packet in the flow carries the MSS option, the Sensor removes it.

In both cases, because the TCP header length and contents have changed, the Sensor incrementally updates the TCP checksum
and regenerates the cyclic redundancy check (CRC) integrity value.
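The two scrubbing rules above, as an added example in Python (this is not NSP Sensor code; the Sensor's own implementation is not shown in this module): a per-connection state object records whether both the SYN and the SYN-ACK carried the Timestamp option, and every later segment has its options parsed, has Timestamp (kind 8, when not negotiated) and MSS (kind 2) stripped, gets a corrected data offset, and has its TCP checksum recomputed over the IPv4 pseudo-header. The Sensor is described as updating the checksum incrementally; here it is recomputed in full, which is simpler to verify. The segment builder, addresses and payloads are constructed for this example.

```python
import struct

TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_MSS, TCP_OPT_TIMESTAMP = 0, 1, 2, 8
TH_SYN, TH_ACK = 0x02, 0x10


def parse_options(raw):
    """Return (kind, data) tuples from the TCP options bytes; NOP/EOL padding is dropped."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option at offset %d" % i)
        length = raw[i + 1]
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts


def build_options(opts):
    """Encode (kind, data) tuples and pad with EOL bytes to a 32-bit boundary."""
    out = bytearray()
    for kind, data in opts:
        out += bytes([kind, 2 + len(data)]) + data
    while len(out) % 4:
        out.append(TCP_OPT_EOL)
    return bytes(out)


def ones_complement_sum(data):
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip, dst_ip, segment):
    """RFC 793 checksum over the IPv4 pseudo-header plus the whole TCP segment."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF


def make_segment(src_ip, dst_ip, flags, options, payload, seq=1, ack=0):
    """Build a TCP segment (ports 40000 -> 80) with a valid checksum; test input only."""
    offset = (20 + len(options)) // 4
    hdr = struct.pack("!HHIIHHHH", 40000, 80, seq, ack, (offset << 12) | flags, 65535, 0, 0)
    seg = hdr + options + payload
    return seg[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, seg)) + seg[18:]


class FlowState:
    """Per-connection memory: did both the SYN and the SYN-ACK carry the Timestamp option?"""

    def __init__(self):
        self.syn_ts = False
        self.synack_ts = False

    @property
    def timestamp_negotiated(self):
        return self.syn_ts and self.synack_ts


def normalize_segment(src_ip, dst_ip, segment, state):
    """Apply both scrubbing rules. Returns (scrubbed_segment, list_of_removed_option_kinds)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    fields = struct.unpack("!HHIIHHHH", segment[:20])
    data_off, flags = (fields[4] >> 12) * 4, fields[4] & 0x1FF
    if data_off < 20 or data_off > len(segment):
        raise ValueError("illegal data offset")
    opts = parse_options(segment[20:data_off])
    payload = segment[data_off:]
    if flags & TH_SYN:
        # MSS and Timestamp are legitimate on the handshake; just record the negotiation.
        has_ts = any(kind == TCP_OPT_TIMESTAMP for kind, _ in opts)
        if flags & TH_ACK:
            state.synack_ts = has_ts
        else:
            state.syn_ts = has_ts
        return segment, []
    kept, removed = [], []
    for kind, data in opts:
        if kind == TCP_OPT_MSS or (kind == TCP_OPT_TIMESTAMP and not state.timestamp_negotiated):
            removed.append(kind)
        else:
            kept.append((kind, data))
    if not removed:
        return segment, []
    new_opts = build_options(kept)
    new_off = (20 + len(new_opts)) // 4
    hdr = struct.pack("!HHIIHHHH", fields[0], fields[1], fields[2], fields[3],
                      (new_off << 12) | flags, fields[5], 0, fields[7])
    seg = hdr + new_opts + payload
    # Header length changed, so the checksum must be regenerated.
    return seg[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, seg)) + seg[18:], removed
```

A scrubbed segment verifies to a checksum of zero when `tcp_checksum` is run over it again, which is the quick integrity check to apply after any in-line header rewrite.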



Ten Steps to Using NSM

1. Install Manager software.
2. Set up and configure the Sensor(s).
3. Establish trust between the Manager and the Sensor(s).
4. Configure policies in the Manager.
5. Configure the Update Server and download the latest signature sets.
6. View alerts.
7. Tune your Network Security Platform deployment.
8. Check the system health status.
9. Block malicious or unwanted traffic.
10. Generate Reports.


Install the Manager software


Install the Manager software on the server machine and ensure that you are able to log onto the Manager.
For details, refer to the McAfee Network Security Platform Installation Guide.

Set up and configure the Sensor(s)


Cable and install your Sensor(s) using a command line interface (CLI) and the Manager.
For details, refer to the McAfee Network Security Platform Sensor Reference Guide(s), and McAfee Network Security
Platform Installation Guide.

Establish trust between the Manager and the Sensor(s)


The Sensor initiates all communication with the Manager server until secure communication is established
between them. Later, configuration information is pushed from the Manager to the Sensor.
 Verify on the appliance CLI that the Sensor has established communication with the Manager.
 Verify in the Manager GUI that a node representing the Sensor appears in the Resource Tree under the
Device List.
For details, refer to the McAfee Network Security Platform Installation Guide.

Configure policies in the Manager


Determine the IPS policies applicable to your network. Use the Manager GUI to set up policies. By default, the
provided Default policy is applied to all of your Sensor ports. You can choose a specific policy to apply by
default to the Root Admin Domain (and thus all monitoring interfaces on the Sensor).
For details, refer to the McAfee Network Security Platform Product Guide.

Configure the Update Server and download the latest signature sets
For your Network Security Platform to detect and protect against malicious activity, the Manager and the Sensors
must be updated frequently with the latest signature sets and software patches, which are made available to you
through the Update Server.
Authenticate your credentials with the Update Server and download the latest signature set for your Network
Security Platform deployment.


For details, refer to the McAfee Network Security Platform Product Guide.


View alerts
The Attack Log page displays detected security events that violate your configured security policies. The page
also provides powerful drill-down capabilities to enable you to see details on a particular alert such as its type,
source and destination addresses, and packet logs where applicable.
View the alerts periodically and perform forensic analysis on them to help you tune Network Security
Platform and respond better to attacks.
For details, refer to the McAfee Network Security Platform Product Guide.

Tune your Network Security Platform deployment


Once you have configured and started using Network Security Platform, you can further enhance your
deployment from the Manager GUI by using some of the more advanced features, such as changing your
deployment mode, creating multiple admin domains, defining specific user roles, applying multiple policies to
multiple domains, and so on.
For details, refer to the McAfee Network Security Platform Product Guide.

Check the system health status


The system health monitor in the Manager details the functional status for all of your installed Network
Security Platform system components. Check the system health at regular intervals to view messages that
detail faults experienced by your Manager, appliances, or database.
For details, refer to the McAfee Network Security Platform Product Guide.

Block malicious or unwanted traffic


Analyze the attacks that your network is receiving on a regular basis and take actions, which can range from
analyzing the impact and modifying policies, or blocking specific traffic from transmitting through your system.
For details, refer to the McAfee Network Security Platform Product Guide.

Generate Reports
The Report Generator enables you to generate reports on the security events detected by the system and on the
system configuration. Configure your report settings to generate reports manually or automatically, save them for
later viewing, and/or email them to specific individuals.
For details, refer to the McAfee Network Security Platform Product Guide.



Product Registration
Overview

 A freshly installed Manager, or one upgraded from any version lower than 10.1, starts in an
"Unregistered" state.
 A registration prompt is added to the existing initial logon workflow.
 Assuming a valid registration key is provided and validated successfully, the Manager moves
to the "Registered" state.
 If registration is skipped, the Manager remains in the "Unregistered" state.
 A new Manager "Summary" page is added, from which you can register at any time if you
skipped registration.
 While the Manager is unregistered, it disallows access to the UI pages where you can set up
automatic updating or manually download updates; this blocks:
− Manual and scheduled update of Signature Sets from the Manager.
− Manual and scheduled update of Callback Detectors from the Manager.
− Manual download of device software.
− Automatic GAM update.
Note: Internet connectivity is required for the product registration process.


This feature authenticates the NSM with the McAfee "IAM" server as a means of validating that a trusted entity is using the
solution.

To accomplish this, version 10.1 of the Manager introduces a new "Manager Registration" workflow.

A freshly installed Manager, or one upgraded from any version lower than 10.1, starts in an "Unregistered" state.

When an NSM is successfully registered, it uploads a basic set of details about the NSM to McAfee TAU.



Product Registration (Continued)

 Log in to the NSM 10.1 using valid credentials.


This is the logon page for standard version of Network Security Manager. A customer must use the valid credentials to log in
to the Manager.



Product Registration (Continued)
 A freshly-installed Manager is in an “Unregistered” state.

 Registration Window pops up. Enter the valid registration key and click Register.


Registration Window pops up. Enter the valid registration key and click Register.

To obtain the registration key, visit the McAfee download site. Log in to the download site with your grant number
and email address and obtain the registration key for NSM version 10.1.

This information is also available on the Lost Key tab of the Product Registration window. To acquire a registration
key and get a link to the download site, you can also click the Lost Key tab.



Product Registration (Continued)

When a valid registration key is provided (and successfully authenticated with IAM), the Manager will
move to “Registered” state.


Once the registration key has been accepted, a Successful Registration window appears. Click OK.



Manager Summary Page after Successful Registration
The NSM now displays the Dashboard.


The NSM now displays the Dashboard. Click the Manager tab, where the complete Manager details are available. Because the
Manager has registered successfully, the status displays as Registered.

After successful registration of Manager, the customer will have access to Download Signature Sets, Download Callback
Detectors, Download Device Software, and Automatic Updating (Signature Sets and Callback Detectors).

This is the process for successful registration of NSM.



Product Registration (Continued)

If you register the Manager with McAfee, the following details will be sent to McAfee Corporate team
when Telemetry is enabled.

Device Details:
 Serial number
 Model
 Software version
 Hardware version
 VM type
The Default - Telemetry (McAfee) report lists the Telemetry data sent to McAfee Corporate team in
detail. The Default -Telemetry (McAfee) report is available in the Manager under Analysis > (Admin
Domain Name) > Event Reporting > Next Generation Reports.



Product Registration (Continued)

If the Registration is skipped, the Manager remains in an “Unregistered” state.


If you want to skip registration, click Skip. A warning appears stating that downloading updates is not allowed while the
Manager is unregistered. Click OK.

Note: Because the Manager is not registered, you will not receive any updates.



Manager Summary Page when Unregistered

 Provides a new Manager "Summary" page from which you can register at any time.
 You can check the registration state and choose Product Registration to register the product
once the registration key is available.


Next, the NSM displays the Dashboard window. Click the Manager tab, where the complete Manager details are available. Because
the Manager has not registered successfully, the status displays as Unregistered.

The NSM allows you to register at any time. To register the NSM, click Register Product. Clicking the Register Product button
displays the same Product Registration window.

While the Manager is in the unregistered state, it disallows access to the UI pages where you can set up automatic
updating or manually download updates for:
 Signature sets
 Callback Detectors
 GAM
 Sensor software



Product Registration Connectivity Error

Connectivity issues during the Manager registration.


If any connectivity issue occurs during registration of the Manager using the correct registration key, a
registration error pops up.

General tips in order to avoid connectivity issues.


 Make sure the Manager has working Internet connectivity.
 If the Manager must reach the Internet through a proxy, configure the proxy settings in the NSM so that registration
traffic is routed through the correct proxies to the McAfee servers.
 If these steps do not resolve the connectivity issue, contact McAfee support.



Introducing Network Security Manager (NSM) UI 2.0

With this release of 10.1, the Network Security Manager UI introduces a dark theme to improve
visibility for end users. It also provides a few changes in the Manager application for users who spend
long durations working with the Manager.


You can see the new look and feel of Network Security Manager from the logon page. The new UI change includes addition of
a dark theme.



Introducing Network Security Manager UI 2.0 (Continued)


The significant changes from NSM 9.2 to NSM 10.1 are as follows:
 Dark theme
 Bigger font
 Information icons in the menu page
 A few User Experience changes



NSM Functionality
How can NSM help My Organization?


You now have an overall introduction to NSM. In the following scenario, Ken, a Network Security Lead at a company whose
profitability depends on its intellectual property, uses NSM to perform his daily job activities.

Ken starts his day by logging into the NSM GUI and reviewing the Dashboard. NSM has built the intelligence directly into the
workflow. So, the Dashboard immediately draws his attention to the problem area, where he can peel back the layers until he
has the appropriate level of detail for the situation at hand.

He immediately notices callback activity. He is particularly interested in the Zeus activity because he recognizes the name and
heard that it is dangerous, but he doesn’t actually know how Zeus works.



NSM Functionality (Continued)
Investigate Callback Activities


Ken’s first step is to click Zeus to get more information around this particular activity. This takes him to the Callback Activity
page on the Analysis menu, which is automatically filtered for Zeus.

Next, Ken clicks the info icon next to Zeus in the top panel to display details, including a description of Zeus, the changes it makes to an
endpoint, how it behaves on the network, and even tips for preventing and removing it.



NSM Functionality (Continued)
View Endpoint


Double-Click jscott to view the Attack Log.



NSM Functionality (Continued)
View Attack Log with Zeus filter

 Displays individual Zeus activities on selected endpoint.


 Narrows down list of pertinent attacks.
 From here, you can view alert details, export packet captures, and update policies.


Further drilling into jscott’s endpoint brings up the Attack Log. So, Ken can see all Zeus activities specific to jscott’s IP address.

The individual attacks and their severities enable Ken to conclude that jscott's endpoint has been compromised. Before he takes
action, he wants to understand the extent of jscott's suspicious activity on the network.

Note: If you click the jscott endpoint, it displays the individual Zeus activities that caused the endpoint to be considered a
Zeus zombie and brought it to our attention.

At this point, you already have a narrow list of pertinent attacks, and with just one click, you can view alert details, export
packet captures, and update policies.



NSM Functionality (Continued)
View All Attacks

 Remove the Zeus filter to view all attacks that involve jscott's endpoint.
 Attack Log makes it easy to increase or decrease scope of information displayed to provide
the appropriate level of focus.


To see all attacks involving jscott’s endpoint, Ken clicks the Callback Activity column and clears the Filters checkbox to
remove the Zeus filter from the Attack Log window.

From this, he sees the additional attacks and realizes that jscott’s endpoint is involved in many other attacks besides those
from Zeus.



NSM Functionality (Continued)
Review Options


Ken selects an attack and clicks the Other Actions button to review the available responses.

There is no need for a policy change or exception creation at this point, and it is a bit premature to take quarantine or tagging
action on the endpoint. Instead, Ken decides to take a step back and look more closely at jscott’s endpoint.



NSM Functionality (Continued)
Investigate Endpoint Specific Details

 Close the Attack Log to return to the Callback Activity page.


 Review the tabs at the bottom of the page to investigate endpoint specific details.
 View the Endpoint Security Events tab to view the last ten anti-virus alerts and last ten HIPS
events.


Ken wants to understand if the security software on jscott’s endpoint is reporting anything out of the ordinary, so he backs out
of the Attack Log and reviews the tabs on the bottom panel of the previous (Callback Activity) page.

On the Endpoint Security Events tab, Ken can see that the anti-virus software running on jscott’s machine has blocked IRC
communication.

He also notices that Host Intrusion Prevention System (HIPS) has blocked port scans by an internal IP address, which could
be the source of the infection. Now Ken wants to confirm that Jonathan is running the latest virus definitions.



NSM Functionality (Continued)
Investigate Endpoint Information

 Information shown on this tab is gathered automatically from ePO, Vulnerability Manager,
and the NSM Sensor.


Ken opens the Endpoint Information tab to view the countermeasures installed on the endpoint.

From this, Ken sees that McAfee Agent, Endpoint Intelligence Agent, and VirusScan software are installed. However, the
engine version and virus definitions have values of N/A.

This tells Ken that something or someone has interfered with the anti-virus software installed on jscott's endpoint, and he knows
it is time to take action.



NSM Functionality (Continued)
Quarantine Endpoint

 Quarantining an endpoint allows time for further research.


With approval from his manager, Ken decides to quarantine Jonathan’s endpoint until further notice. Once quarantined, no
traffic originating from Jonathan’s machine can traverse the segments of the network protected by the NSM Sensor.

With jscott’s endpoint safely quarantined, Ken can further research how it actually became infected and any exposure possibly
caused by that infection.

The Callback Activity page is just one example of the overall logic applied across all the Analysis pages, which is to correlate
data in a way that gives you a list of items needing attention, for example callback activity, malware files, and high-risk
endpoints, and make it easy to get the context needed to make an informed decision quickly.



NSM Functionality (Continued)
Threat Explorer


With jscott’s endpoint safely in quarantine, Ken jumps to the Threat Explorer to take a step back and view correlated, top N
attack information surrounding the host.



NSM Functionality (Continued)
Viewing Top N Attacks

 View correlated, top N attack information surrounding the host.


Ken quickly recognizes the callback and botnet-specific attacks, and he confirms they are indeed accompanied by a few
exploits as well.



NSM Functionality (Continued)
Network Forensics

If you have at least one NTBA appliance added to the Manager, you can configure the required Sensor
monitoring ports to export Layer 7 data to NTBA appliances.
Refer to the McAfee Network Threat Behavior Analysis Product Guide for more information.


Ken wants to raise his situational awareness around the recent events and understand if there is exposure, so he opens the
Network Forensics window from the Endpoint Information tab, which displays network activity to and from jscott’s endpoint.

The content shown in this window comes from your Network Threat Behavior Analysis (NTBA) solution, which collects
NetFlow data from routers and/or IPS Sensors.

Ken looks at the 60 minutes before and after he quarantined the endpoint. The window summarizes the traffic to and from
the endpoint during that time, including connection counts, the applications and services seen, and, thanks to Endpoint
intelligence Agent (EIA) integration, even the executables running on jscott’s machine that made network calls.



NSM Functionality (Continued)
Suspicious Flows


The Suspicious Flows grid shows all the flows that took place just before or after an attack, which helps determine whether
jscott’s endpoint is spreading Zeus on the internal network. In this case, it is a good sign that no flows with other internal
endpoints are seen.

The Suspicious Flows grid also takes advantage of Global Threat Intelligence (GTI) capabilities to highlight activities to and
from this endpoint that may put the endpoint or the rest of the internal network at risk. In particular, if a flow includes a URL,
file, or endpoint whose risk is known to be bad or cannot be verified, it is also shown here.
In this case, the endpoint appears to be the victim of a drive-by download. It browsed to a compromised website where it
was exploited and infected, and it can control external zombies of its own.

Ken doesn’t recognize the name of the executable running on jscott’s machine, nor does he recognize the PDF file it
downloaded, but he sees that both have a Very High malware confidence, so he notes the information for both files to be able
to investigate them further.
 gkcalt.exe (9c7aa16e59d7a54a1bb10a34ce1fc763)
 collectmail.pdf (a4bf70bdfa21192c1b33f44fb087220c)



NSM Functionality (Continued)
Endpoint Executables

 Endpoint Executables page provides default filter to show executables with high malware
confidence.


Ken opens the Endpoint Executables page to get a global view of gkcalt.exe’s posture and prevalence on his network.

The Endpoint Executables page provides a default filter to only show the executables with high malware confidence, so
gkcalt.exe is already visible by default.

Ken selects it to see its details.



NSM Functionality (Continued)
EIA Details


The EIA Details tab at the bottom of the page shows product name and version information for signed executables, and it
summarizes the malware-specific findings.

In this case, the executable has no certificate, nor is it known to GTI, which is a good indication that it is homegrown
and new. Ken reviews the File Execution Summary tab to get a sense of how active the file is, then reviews and saves
the File Execution Details tab, which confirms the malicious behavior.



NSM Functionality (Continued)
Check for Endpoints running gkcalt.exe

 Confirms jscott’s machine is the only endpoint running gkcalt.exe.


Ken goes to the Endpoints tab where he confirms that only jscott’s machine is seen running gkcalt.exe. Now he can take
action.



NSM Functionality (Continued)
Blacklist gkcalt.exe

 If NTBA sees gkcalt.exe running on another endpoint, it generates an alert.


 If an IPS Sensor sees gkcalt.exe transferred on the wire, it generates an alert and blocks the
transfer.


Ken clicks the Take Action hyperlink for gkcalt.exe and selects Blacklist.
Moving forward:
 If NTBA sees gkcalt.exe running on another endpoint, it generates an alert.
 If an IPS Sensor sees gkcalt.exe transferred on the wire, it generates an alert and blocks the transfer.

Note: The response actions taken by IPS Sensors for blacklisted executables are ultimately controlled in the advanced
malware policy.



NSM Functionality (Continued)
Investigate collectmail.pdf on the Malware Files page

 Click the info icon to view engine-specific details for each engine.


Ken clicks Malware Files in the left menu to move to the Malware Files page to get a global view of collectmail.pdf’s
posture and prevalence on his network.

He starts to type the file name into the search field and quickly realizes that there are multiple malware files that use the
same file name, so he consults the hash to clarify the file in question (a4bf70bdfa21192c1b33f44fb087220c).

At a glance, Ken can see that multiple engines have caught the file. Ken clicks the info icon to view engine-specific details
for each engine.



NSM Functionality (Continued)
Blacklist collectmail.pdf

 If an IPS Sensor sees collectmail.pdf transferred on the wire, it generates an alert and
blocks the transfer.


Ken clicks the Take Action hyperlink for his instance of the collectmail.pdf file and selects Blacklist.

Moving forward, if an IPS Sensor sees collectmail.pdf transferred on the wire, it generates an alert and blocks the transfer.

Note that the response actions taken by IPS Sensors for blacklisted files are ultimately controlled in the advanced malware
policy.



NSM Functionality (Continued)
Scenario Recap

1. Detected callback activity
2. Followed the trail back to an infected machine
3. Confirmed the infection
4. Quarantined the endpoint
5. Learned the root cause of the infection
6. Neutralized the threat moving forward


Today’s attacks are multilayered and typically targeting high-value assets in the organization.

In your user story, you initially detected callback activity and readily followed the trail back to an infected VP of Development at
the company.

With a few steps, you confirmed the infection and quarantined the endpoint. You learned the root cause of the infection and
took action to neutralize the threat moving forward.

The same situation is challenging to diagnose and remediate with traditional network security tools because they do not
provide the same level of intelligence built directly into the workflows.

NSM does a lot of the research for you, and it makes it easy for you to educate yourself and to take swift and meaningful
action.



Related Security Products
Management, Monitoring, Reporting, and Threat Information Sharing

 HP Network Automation
 McAfee Logon Collector (MLC)
 Security Information and Event Management (SIEM) Products
 Open Security Controller (OSC)
 Host Intrusion Prevention (Host IPS or HIPS)
 Nessus
 McAfee Advanced Threat Defense (ATD)
 McAfee Data Exchange Layer (DXL)/Threat Intelligence Exchange (TIE)
 McAfee ePolicy Orchestrator (ePO)
 McAfee Global Threat Intelligence (GTI)

(Slide diagram: NSM at the center, linked to each of the products listed.)


The slide shows the many products that can be integrated with NSM.

HP Network Automation
HP Network Automation is a network automation software used to automate network changes, configuration, and compliance
management. NSM communicates with the HP Network Automation Server about the changes in Sensor configuration due to
the pushing of signature set to Sensors.

McAfee Advanced Threat Defense
McAfee Advanced Threat Defense (ATD) is a multilayered malware detection solution that stacks an extensible series of
inspection engines and analytical capabilities in a down-select sequence of increasing computational intensity. This approach
delivers a very high level of detection accuracy and reliability with extremely high throughput performance.

When NSM is integrated with ATD, both the Sensor and the Manager communicate with McAfee ATD separately to augment
your defense against malware. The integration enhances the Advanced Malware feature of NSP, enabling detection of even
unknown malware.

McAfee Data Exchange Layer and McAfee Threat Intelligence Exchange
McAfee® Data Exchange Layer (DXL) is a messaging technology for real-time information exchange. The technology is used to
exchange security-related information, for example, file reputation scores between Web Gateway and other web security
products to which it connects. You can exchange information under DXL in two main scenarios. One is publishing a message
about a security topic in an event and receiving this message after subscribing for the topic. The other is sending a query for
information about a security topic to a service and receiving a response from this service.

McAfee ePolicy Orchestrator
As the single source for consolidated information, the McAfee ePolicy Orchestrator (ePO) platform helps you quickly identify
and mitigate problems and improve compliance management.
NSM integration with ePO enables you to query the McAfee ePO server from the Manager for viewing details of a network host,
providing increased visibility and relevance for security administrators performing forensic investigation of security events seen
on a network.

Continued on the next page.




McAfee Global Threat Intelligence
NSM leverages the McAfee® Global Threat Intelligence (GTI) reputation technology. This technology creates a profile of all
Internet entities, including websites, email, and IP addresses. These profiles are based on hundreds of different attributes
gathered from the massive, global data collection capabilities of McAfee Labs.
The integration of NSM and GTI for IP Reputation enables appliances and services to more accurately filter communications
and protect electronic communications and transactions between people, companies, and countries.
Nessus
Nessus is an open-source vulnerability assessment scanner that follows a client/server model. The Nessus server (nessusd)
only runs on UNIX, but there are Nessus clients available for both UNIX and Windows. Network Security Platform supports the
popular Windows client, NessusWX. Note that NessusWX reports should be saved as plain text, since in this case Network
Security Platform supports only the plain text format.

McAfee Host Intrusion Prevention
McAfee Host Intrusion Prevention (Host IPS or HIPS) prevents external and internal attacks on the hosts in the network, in turn
protecting the services and applications running on those hosts.

When integrated with NSM, HIPS functions much like a Sensor: the Manager receives event information from HIPS and
incorporates these events into its database. NSM then makes the events available for further viewing and actions in the Attack
Log and in reports.

Open Security Controller
Open Security Controller (OSC) is a centralized platform that enables software-defined security for software-defined data
centers. It provides a common set of management services, acting as a broker between the security solutions and the virtual
infrastructure.

OSC integration with NSM allows security services to be provisioned for virtual networks.

Security Information and Event Management Products
You can extend NSM data to third-party Security Information and Event Management (SIEM) products, allowing further
processing of NSM data. You can extend Manager data to SIEM products in three ways: by configuring the Manager to push
data to a SIEM product, by configuring a SIEM product to pull data from the Manager, or by querying the Manager database
for data.

McAfee Logon Collector
NSM integrates with McAfee Logon Collector (MLC) to display the user names of hosts in IPS and NTBA deployments. The
Logon Collector provides an out-of-band method to obtain user names from Active Directory, helping to provide information
about source and destination users.



Check your Learning
Fill in the blank(s)

A ____________ basically identifies the malicious activity you want to detect on the
network and how you want to respond when this activity is detected.

____________________________________


Answer: Policy. Refer to the Network Security Manager Overview (Key Features).



Check your Learning
Multiple choice: Choose the Correct Answer(s)

Which component is used to centrally manage the NSP platform?

A. NSM (Manager) Server
B. Network Security Sensors
C. Database
D. McAfee Update Server


Answer: A. NSM (Manager) Server. Refer to the Solution Components.



Review
Key Points

 Sensors discover and block sophisticated threats in the network.

 NSM organizes multiple security technologies to collectively tackle elusive and evasive attacks
that are missed when only one approach is used in an intrusion detection system.

 The basic components of the NSM ecosystem are the Manager, Database, Browser-based GUI, Clients,
Network Security Sensors, and McAfee Update Server.

 NSM integrates with a number of McAfee products for monitoring, reporting, and threat
information sharing.


The slide highlights key points for this module. There is no lab for this module.
