Close the Door on Endpoint Security Threats with Detection & Response

On-Demand

Video Transcription

Ed Young:
Hi everyone, and thank you for joining our webinar today, between FireMon Lumeta and McAfee. So I'll show you our integration and talk about some use cases and some customers' experiences using our integration to further the coverage and secure their networks. So with me today is Pedro. Pedro Haworth from McAfee. Pedro.

Pedro Haworth:
Hi there, Ed. Thanks for having me on. As Ed mentioned, this is Pedro Haworth. I’m the Head of Technology for the Security Innovation Alliance program, which is McAfee’s partnering program through which FireMon and McAfee do business. Again, thanks for having me on.

Ed Young:
Okay, great, thanks. My name is Ed Young. I am the product manager for FireMon Lumeta and we'll be walking through some brief slides and a quick demo of the integration and some of our capabilities and then we'll finish off with some questions from the viewers and any slew of information that you would like to continue on. So let me start with our first slide here. Challenges we see with our customers across the board pretty much is common with a lot of our customers across the security space. Security risks, business continuity, compliance, scale, speed of business. Basically first and foremost, we need to all understand our attack surface. We have new devices coming and going on our network. Virtual devices, cloud assets, OT devices, and Lumeta brings forth the visibility into your environment, eliminating any of your blind spots, showing upwards of more than 40% more devices on your network than you originally are aware of.

Ed Young:
So when we go into a lot of customer engagements, we start with a known set of devices that our customers believe are under managed or are under management in their environment and then we go through our process and discover new devices that are not managing their security stack and be able to bring them into full compliance. We bring out the end points that are unknown. We show you how they’re connected to your network. We can test for leak detection, and this is what we would consider any unauthorized communication. This could be a device that’s talking to the internet under unauthorized configuration. It could be a communication path between two sub nets, two locations, anything that’s considered unauthorized under your compliance and your security standards. We can show that to you. So we provide comprehensive visibility, any gaps in your hybrid environment, real time, situational awareness, to make sure that we’re under compliance of your security policies. And we bring that all to you through a single pane of glass.

Ed Young:
We help with our security professionals to prioritize any vulnerabilities. So we get a lot of information thrown at us from a lot of different places. So how do we prioritize those? We’ll help you with that. We’ll take into consideration our partners like McAfee, and we’ll be able to show you based on our discovery devices, our configuration analysis and our path and port information. If and when which devices need to take the higher priority over the other devices. Also we run into a lot of what everybody else has run into, budget, right? So we have to make these most cost-effective. Give you a return on your investment, and we believe with our solution, as well as our partners that we provide the best return on your investment, all across your security stack to provide full coverage and make sure that you’re getting the most return on your investment. Okay. So we’ll let Pedro talk to your next slide, please.

Pedro Haworth:
So as you know, McAfee is one of the major players within the security industry and our primary focus has traditionally been surrounding the endpoint and managing the end point. Today, actually just a few days ago, we’re celebrating 20 years of the ePO management platform that has made major strides in being capable of managing not only end points, but all types of technologies within a customer’s environments. And at the core of the value proposition that we present to our customers and our partners is the ability to enhance the capacity and the overall performance of a security environment by expanding our platform to have partners such as Lumeta integrate their technologies directly into the platform and be able to enhance the overall posture and understanding within the ePO managed platform on customer sites.

Pedro Haworth:
So for those of you that are not familiar with ePO, ePO is really considered one of our core open platforms and we tend to focus on the capabilities of ePO in three primary pillars. One of them is being positioned as an integrated pane of glass. The second one would be the capability to create policy and automated response and remediation around what’s happening within one’s environment. And the third one is creating an open and extensible platform. So from the open perspective, we have technologies such as DXL and from a more extensive platform, we also have SDKs and APIs that are available not only on the ePO platform, but also our DLP technologies, our SIM technologies and various others within the environment that partners such as Lumeta have taken advantage of.

Pedro Haworth:
When we're thinking about how we do this, our objectives when we're targeting these types of partnerships with great companies, such as FireMon and Lumeta, is to really simplify what an administrator has to do within an environment. We do that by having the single pane of glass and we also target the ability to increase efficiency and efficacy through processes that allow quick deployment of technologies and security policies and enforcing the security policies to really maintain a healthy system across the entire enterprise. And lastly we target the maximization of our customers' investments and our partners' investments as they integrate their technologies using the extensible platform and the open APIs that are available. And one thing to note is that many of our customers even have the capacity to integrate their own technologies within ePO at any time that they'd like to improve their overall flow and maximize their investment within.

Pedro Haworth:
One thing that is critically important is the ability to localize, centralize a lot of this interaction with a platform. Administrators have the capability within ePO to manage hundreds of thousands of devices, regardless of where they reside and all this from a single platform. You can manage multiple products from a single pane, jumping between tools, between McAfee created tools, between McAfee created products as well as McAfee partner created solutions such as FireMon Lumeta. One of the best things about FireMon Lumeta is that they've focused their integration with this ePO platform to enhance our overall visibility within the environment and enhance the capabilities of McAfee Rogue System Detection, which already exists within many of our customer sites. So with this increased visibility comes an incredible capacity to have a clear vision of what type of assets exist within one's environment and thus create more effective policies to manage the environment in a clear way.

Pedro Haworth:
We can’t underscore enough the importance of having FireMon Lumeta as partners particularly in some of our larger accounts that have the need to have policies related to bring your own device. And that allows us to create a scenario where our administrators have the ability to know exactly what goes on within environments, which I don’t want to step too much on what Ed is about to say, but let me pass it over to you Ed so that you can go deeper into your integration and your solution.

Ed Young:
Okay, great. Thank you, Pedro. Thanks. So going back to what Pedro was alluding to, our core competency inside of our Lumeta product line is about real-time visibility. Using passive and active discovery techniques, we will maneuver through your network, routing and hopping through without the use of an agent, and let the network tell us information about itself. So you'll get a hundred percent real-time visibility and what we mean by that is changing network devices, changing paths, changing routes, all of that will get reported back to us in a real-time fashion, because we're not relying on an agent to report back to a repository on a polling cycle. We're going through and we are getting alerted about the changes in real time. So when a new system comes on board, we get an alert; when one goes inactive and leaves your network, we know that as well. Changes within your devices: what was a Windows machine previously is now profiled as a Linux machine. Why is that changing inside of your environment and was that an authorized change?

Ed Young:
We also help to define the network as far as the edges and the subnets and where the broadcast domains are and show you that in a visualized and a tabular reporting structure where you can keep an eye on whether again, there’s unauthorized communication between the two networks or if you have, we can correlate against threat feed intelligence, using flow data to find out if you have a node on your network that’s talking to a known bad actor. We can bring all that intelligence forward and show that to you inside of the application so that you have an actionable remediating step that you can take to go and investigate what’s going on on your network.

Ed Young:
These are some capabilities that are inside of the network of the Lumeta product. Again, we do a network discovery, layer two discovery using our technologies to move throughout and SNMP responses. We do port and path discovery. Again, the big unknown in your network is what was out there that's not authorized to be on your network? Is there a lab that still exists that you thought was taken down months ago, but it's still out there and it's not being protected? We can bring all that information back to you and let you know that your true attack space is actually much larger than what you think you have. Again, without any agents on it, we'll interrogate various end points and bring back device profile information that we can glean from it. Is it a Windows device? Is it a Linux device? Is it a router, a switch? What have you, and we'll bring that information back and give you broad context as to the devices that are living outside your network, and being able to make sure that you have full coverage, everything's patched and your attack surface is controlled.

Ed Young:
We also bring to you the single pane of glass that Pedro was talking about where we integrate with our partners like McAfee, and we show you your coverage and help you to make sure that you have your full coverage for your endpoint protection, as well as showing you your public and private cloud infrastructure and devices and assets in those environments and how they talk to your on-prem and the communication paths between the two.

Ed Young:
So a couple of examples of some typical projects that we see within our customers. The system of record, so because we have the ability to go throughout your network and discover some dark spots, blind spots to your administrative team. We can bring that information back and a lot of customers use that as the system record, to compare against other third party integrations or homegrown applications that they use, and to make sure that all the devices that they’re currently aware of on the network are covered and if they’re authorized to be on a network, we’re able to be able share that with you for a full coverage and remediation. Mergers, acquisitions, before you bring that new company online, that smaller network, that branch office, we’re able to provide you full visibility into what’s on that network, what assets are on that network, what type of security posture that network has, and be able to give you peace of mind and a clear indication as to what you’re bringing online before you connect it to your larger corporate network.

Ed Young:
Data center migration, to the cloud. We help you walk through that configuration process and give you full visibility into where your assets are. Are they still on my on-prem, are they migrated into the cloud? Are they lined up for which is the highest priority in that migration will help bring you to that as well. Network segmentation. This goes into compliance where we can show you communication paths in and out. Make sure that sensitive information and infrastructure is cordoned off and is not available to any sort of outside communication paths. We can help you with that. And OT. Our OT environment, we have built out over the last couple of years working with other vendors and other applications to make sure that we have a very light touch. We don’t knock over any OT environment devices and we can profile them using a very light touch passive interrogation and discovery mechanisms so that we can give you full coverage on your OT environment where you might not necessarily be able to load an agent or get visibility into that particular network.

Ed Young:
Okay. So this is a representation of the cycle that we would go through in our deployment inside of a Spectre plus ePO integration. So it starts off again with getting to detect and full coverage of your attack surface. So going through and finding all of your devices, making sure that you have a full inventory of any sort of device that's on your network and active on your network. We then correlate that with ePO and communicate over the API to make sure that we have full coverage and we surface up to the ePO administrator and dashboards, and we'll show you that in just a second, the devices that Lumeta has discovered and are not being managed by the ePO. Then that gives the ePO administrator the opportunity to be able to deploy the agent and get full coverage inside of the ePO environment.

Ed Young:
And then the next follow on that is the next scan cycle, where we can confirm that that remediation has taken place. We'll see that that agent is now under management and then we continue that cycle. So every time we go through your network and we test these devices and we do our discovery mechanism, and we provide that information back, we can see if ePO has got full coverage. Is it up to date? When's the last time it's been communicated? All the important information to make sure that you'll have full coverage on your network and that there's no security gaps for your attack surface.

Ed Young:
Let me share my screen. We'll go through a brief demonstration of the products here. All right, and you see my screen. So bringing you into our landing page inside of the Lumeta discovery product, it's a dashboard that's showing forwarding devices. We went through the network and we discovered all the forwarding devices and brought that out for the information for our security administrator. Known networks is what I touched on earlier, where you provide us with a set of devices and IP space and subnets that you are aware of inside of your network and that's our starting ground and then we go through the network and then we expand out, whether it's from routing tables or from hopping through to the next network and so forth, and we bring that information back to you.

Ed Young:
Multiple dashboards are cached, are brought out here for canned information. All these dashboards are configurable. You can create any dashboard that you want. Breach detection, I touched base on that. We can talk about any unauthorized communication to a bad actor. We can show you the end points that are leaking out to the internet and then we can also provide some cloud visibility into AWS infrastructure, where we surface up security, brute violations, and other sort of configuration parameters that you want to look at from there.

Ed Young:
So we touched on some of the use cases before. I'll bring up one real quick. A customer of ours had a project where they had to remediate all of their desktops in their environment so they wanted to make sure that everyone was on Windows 10. So we were able to go in and crawl through their network and expose up all the information. So this is a report of devices found by operating system. If we go into Windows, you'll see that we can profile, based on the active responses that we get back, what operating system, and this is a lab environment so I have much better coverage than this, but you can see that there's Windows 7 and 8 profiles that are showing up and some older environments, and if we wanted to locate that particular device, we can go into device details and drill down and find out where we need to go to remediate that particular device. And this is just an example of the type of discovery capabilities that Lumeta will bring to the integration with McAfee ePO. Based on the information that we got back, host discovery, path discovery, here's some open and closed ports, but this is the device profiling I was referring to.

Ed Young:
So based on the information that was handed back to us from various techniques that we're using, we could say with a high confidence level that this is a Windows machine in the 7 or 8 OS environment because it answers up quite the same. That's an example of some of the customer use cases that we use. We also had a customer who had a routing infrastructure that they wanted to make sure was up on the latest IOS information. So we went out and we were able to search out and find all the Cisco devices and find out the OS it was on and they were able to have actionable items to be able to go and patch that information so that they were staying inside of compliance.

Ed Young:
You can see the other type of information that's going to be coming through from a router. We got the connected layer three hosts that are on it. We have the interfaces that are hanging off it, things like that. So with the McAfee integration, strictly so with the ePO integration, what we're doing here, and I'll bring it up here, is again, we're using our discovery capabilities to be able to share with our vendor, our partner, McAfee, and we're showing on the three different widgets within the dashboard. The top one are IP addresses that we have discovered that do not have the ePO client agent assigned to them. Then the second pane is what ePO is telling us that they're managing that we don't know about. There's a number of reasons why we wouldn't have visibility into this, but the ePO administrator may have prior knowledge of these devices. Then the final pane is what we want to get to, which is full coverage. So this is where Spectre, Lumeta has discovered it, and we know about it and so does ePO. So we have the agent installed, we have full coverage and our attack surface is being controlled and managed because we know that all of our devices have ePO coverage on them.

Ed Young:
So inside of ePO, we have a couple of different things that we could do here. We can see that this one is managed and we could go directly into the ePO management server. This is a custom dashboard that was built out and we feed back all of our discovered devices that aren’t being managed by ePO currently into both the RSD summary dashboard for action items through there, where you could create a custom dashboard like this, and you can see there’s a lot of the shared information around profiling, numbers of devices and types of devices. These need to be added to the ePO server to grant management. And so we push it through what a tag of Lumeta detected systems and ePO ingests that and puts it into the RSD summary. So again, just trying to make sure that you’re getting a return on your investment for McAfee and making sure that your coverage is out there and expanding to make sure that we have full coverage and peace of mind.

Ed Young:
All right. Let's stop sharing that. Okay. So just reviewing back to the cycle. We talked a lot about the identification and detection capabilities inside of Lumeta that are given to the use of covering your entire attack surface and bringing everything, closing those gaps, giving complete visibility and sharing that information with McAfee so that we have complete coverage and complete return of investment from there. And we'll go into DXL as well.

Ed Young:
Okay, so just to touch base on… Pedro had also said that we are certified in DXL. We’re very happy to be a part of the DXL family, there. Our real-time notification capabilities are published to the DXL fabric and that’s obviously made to be used by other vendors within there. That fabric. We’ve had a couple of discussions with a lot of people about utilizing that inside of their environment. So I’ll let Pedro talk to the DXL a little more.

Pedro Haworth:
Sure, so for those of you not familiar with the DXL, DXL is the near real-time message bus that lies beneath ePO and a lot of other technologies that we have. It's based on the protocol MQTT, and is a pub sub model where there is the concept of multiple topics or channels that one could either publish upon, subscribe to or interact with in order to invoke a service or a third party solution from the perspective of McAfee. So beneath ePO, the DXL bus exists for the purpose of maintaining an open channel for customers to invoke third-party solutions or take advantage of some of the remediation policies that are capable of through automated response. DXL is a very easy platform with which to integrate and it's very simple as far as how customers can take advantage of it. We have many partners that have integrated into this platform for a number of different reasons, and they span in terms of capabilities from the very small to the very large. As you can see along the top, we've actually integrated the DXL framework very closely with Cisco as well. And we are capable of sharing our ecosystems across both messaging platforms for the purpose of creating a greater value to our common customers.

Pedro Haworth:
But from a, let's say, Lumeta perspective specifically, as we listen to the channels that are published over DXL, those channels can be customized to invoke specific reactions within our technologies, as well as many of the partner technologies that are listed on the screen. It's very open and very interoperable and additional details about the platform and how to interact with it are available via opendxl.com, so quick little plug there about DXL. Regardless of whether you intentionally integrate with DXL or interact with DXL unintentionally, if you run ePO, you are interacting with DXL via some of the policies that are enabled and exposed to you via that platform.

Pedro Haworth:
A very common one that many of our partners use and our customers use is a service that we refer to as Threat Intelligence Exchange. I'm going to show you a quick example of things that can be done via orchestration scripts with this platform. So in the middle, you have the data exchange layer that is communicating over the different topics in near real time and you have the ability, via this orchestration script that exists within your platform, within a partner platform, or within ePO, to trigger an interaction with a solution. So in this case, the little ball that you just saw bounce back and forth, well let's say that it's our Threat Intelligence Exchange where any solution can query our database for the reputation of a file or a certificate in real time to validate whether they should allow it to run. So as that script is invoked from any type of product that requires this check, real-time information can be brought back to the originator of that script in order for that decision maker to make a better decision as to whether an application should be allowed to run or not. The TIE solution in this case would be supported by our global threat intelligence information as well as local threat intelligence information for the environment.

Pedro Haworth:
I'm going to go forward just a little bit, and you'll see how we can also do this with third-party solutions directly. So in the case of, say, a provider that has a database that might have relevant details about whether a device exists or not within the environment, then we could theoretically query that or consume the data that is published via that channel to make better decisions within the ePO environment, based on that information. For example, if FireMon Lumeta were to send data out indicating that a new device has been identified, we could theoretically take that from a solution that is not connected to ePO and create a policy around quarantining the device if it is not visible within a known database. And likewise, if we have a service wrapper around an existing API, a product within McAfee or a third-party product could query that service natively through DXL and invoke or change policy or retrieve information from that API. Many of our customers have gone on to do this on their own with custom scripts within their environments without the need for any additional help apart from what's available via opendxl.com.

Pedro Haworth:
We encourage our common customers to explore some of the details that are available via the topics that are published from partners such as FireMon Lumeta. So with that, I think that’s all I have. I did see one question, Ed. Where would we get the extension for running FireMon Lumeta within ePO?

Ed Young:
Yeah. Thank you. On our support site, support.lumeta.com, we have the McAfee detailed page of how the two products integrate together. We also have the plug-in installation and instructions on how to do that. We were not able to put that into attachments, but we could put that into... Can we put that into the group chat? We can put... I'm seeing it's already posted. Okay. It's already posted in there. Thanks Pedro. All the information on our McAfee ePO and DXL integrations with Lumeta is found on support.lumeta.com, and it goes into great detail for our integration and how to best use the information that comes between the two companies. Just to continue on your DXL example, that's a perfect example of what would happen if you had a lockdown environment. We would alert you to the fact that your network has changed. A new device has come on board and then DXL would be able to provide that policy just like you mapped out. That's the exact use case that we actually have in our portfolio.

Pedro Haworth:
Fantastic.

Ed Young:
Mm-hmm (affirmative).

Pedro Haworth:
Great.

Ed Young:
And then just to circle back, I think that there was an open question about RSD overlap with Lumeta. If I wasn't clear on that, let me just make sure I was clear on that. So again, with our integration with McAfee, we discover all your devices, and then we feed those devices back into ePO with a tag of unmanaged hosts for Lumeta detected systems, and then that's where you would key off of for your RSD summary in your dashboard and be able to report on that. So that's where the clarification comes from: a source outside of McAfee, so it's coming in as a Lumeta detected system.

Ed Young:
Any additional questions? I'm seeing there's opportunity to put it in the chat if anybody online does not have that.

Pedro Haworth:
Ed could you comment on some of the documentation that you can provide related to the integration?

Ed Young:
Sure. So inside of the support site, we have integrations that covers both the ePO server integration, as well as DXL integration and the type of subscriptions that are available and the topics that you refer to that are available for a DXL subscriber to take advantage of. That’s all listed out on our support site. We have installation instructions, how to configure and set permissions. We have best practice guides, things of that nature, that’ll make sure that the user community gets the full value out of the integration between Spectre and McAfee.

Pedro Haworth:
Great.

Ed Young:
I don't see any additional questions. Well, it looks like we are able to wrap up and give some time back to our viewers. Pedro, anything else? I think we covered everything.

Pedro Haworth:
Nothing for me. I appreciate the time to talk to our common customers here. And it was a pleasure co-hosting with you on this broadcast.

Ed Young:
Yes. Likewise, likewise, appreciate your time. Some great information. And I look forward to any questions. On the splash screen, you’ll see some additional information on our website. Thank you for everything.
