Inside Interset + McAfee's Integrated Solution

Security teams and cyberhunters now have a better way to identify emerging threats faster, as they develop


It is easy to say that you will do something, but it is entirely different to actually do it. McAfee has spoken of the need to bring analytics to their customers, and at the recent MPOWER Cybersecurity Summit in Las Vegas, they actually did it. McAfee announced an OEM agreement with Interset, combining McAfee's security offerings with Interset's security analytics. This will enable McAfee customers to detect emerging threats faster, reduce dwell time, and contain cyber threats.

A security analyst in the SOC is looking for a better way to identify emerging threats faster, as they develop. Cyberhunting has typically involved posing a threat hypothesis and then trying to prove it. (Often the hypothesis is not borne out, and the time spent on it is wasted.) Now, however, SOCs can use a set of high-quality security leads as the starting point for cyberhunting, increasing its effectiveness.

The amount of time a threat goes undetected needs to be reduced as much as possible. The longer the attackers are active and undetected during an attack, the greater the possible damage that can be done. Leveraging security analytics can help uncover undetected threats sooner.

Often attackers use techniques, tactics, and tools that are not caught by the rules and thresholds that SIEM systems and other security tools rely on. But no attacker has ever broken into a system and then done nothing. The behavior of the entities touched by an attack (users, hosts, accounts) is often the best indicator that an attack is underway. Once an entity's normal behavior has been learned, a departure from it can be detected even when no rule or static threshold was written for it.
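The contrast between a static SIEM-style threshold and a per-entity behavioral baseline, as an added illustration (this is not Interset's or McAfee's code). The users, daily file-access counts and the threshold value are all constructed for the example; the baseline method (per-entity mean and standard deviation with a z-score cut-off) is a generic approach, not a description of Interset's analytics.

```python
import statistics
from collections import defaultdict

# Constructed sample history: (user, day, files_accessed). Not real telemetry.
HISTORY = [
    # "alice" is a heavy user: roughly 900 files/day is normal for her
    ("alice", 1, 880), ("alice", 2, 910), ("alice", 3, 895),
    ("alice", 4, 905), ("alice", 5, 890),
    # "bob" is a light user: roughly 40 files/day is normal for him
    ("bob", 1, 38), ("bob", 2, 42), ("bob", 3, 41),
    ("bob", 4, 39), ("bob", 5, 40),
]
# Constructed events for the day under review
TODAY = [("alice", 6, 920), ("bob", 6, 450)]

# A hypothetical static rule: "alert if any user touches more than 1000 files/day".
STATIC_THRESHOLD = 1000


def static_rule(events, threshold=STATIC_THRESHOLD):
    """SIEM-style rule: one global threshold for every entity."""
    return {user for user, _day, count in events if count > threshold}


def build_baselines(history):
    """Per-entity baseline: mean and population stdev of each user's daily count."""
    per_user = defaultdict(list)
    for user, _day, count in history:
        per_user[user].append(count)
    return {
        user: (statistics.fmean(counts), statistics.pstdev(counts))
        for user, counts in per_user.items()
    }


def behavioral_leads(events, baselines, z_cut=3.0, min_stdev=1.0):
    """Flag events that deviate from the entity's own baseline.

    Returns leads ordered by severity: (user, day, count, z_score).
    min_stdev floors the divisor so an entity with a perfectly flat
    history (stdev 0) does not produce a division by zero.
    """
    leads = []
    for user, day, count in events:
        if user not in baselines:
            continue  # no baseline yet; an unseen entity needs separate handling
        mean, stdev = baselines[user]
        z = (count - mean) / max(stdev, min_stdev)
        if z > z_cut:
            leads.append((user, day, count, round(z, 1)))
    leads.sort(key=lambda lead: lead[3], reverse=True)
    return leads


if __name__ == "__main__":
    print("static rule fired for:", static_rule(TODAY) or "nobody")
    for lead in behavioral_leads(TODAY, build_baselines(HISTORY)):
        print("behavioral lead:", lead)
```

Neither user crosses the 1000-file threshold, so the static rule stays silent. Bob's 450 files is an order of magnitude above his own baseline and becomes the single lead, while Alice's 920 is ordinary for her and is not flagged. That is the point of the paragraph above: the same count is benign for one entity and anomalous for another, and only the per-entity baseline can tell them apart.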


If security analytics can detect that an entity has been compromised, it can also notify and alert other systems to mitigate the threat. The integration points between McAfee and Interset provide a wealth of events for security analytics. The McAfee product suite's connection to the Data Exchange Layer (DXL) also allows Interset to share analytics results, enabling corrective actions to be taken. Interset can take the billions of security events from Enterprise Security Manager (ESM), Data Loss Prevention (DLP), and McAfee Active Response (MAR) and reduce them to a handful of security leads that are shared back into the McAfee ecosystem.

  • An ESM dashboard will correlate existing security events and provide a direct link back to Interset for additional behavioral investigation. This linkage complements the rules and results shown in the existing dashboards. Not only will you see the behaviors that were detected, but you can then link them to the underlying malicious activity captured in ESM.
  • Enable a MAR response to address a potential threat. Response time is a big part of reducing dwell time. With Interset surfacing threats as they are detected, MAR actions can be invoked, minimizing the impact of those threats.
  • Begin an investigation in McAfee Investigator (MI) to help guide cyberhunting. Interset will send leads to MI as the starting point of an investigation. From there, security teams can execute cyberhunting playbooks to investigate threats further.
  • McAfee ePolicy Orchestrator (ePO) can receive DXL messages that allow Interset to place tags on users and machines, so that policies can be enforced in response to detected threats.

This is just the start of what, together, Interset and McAfee will achieve. In 2018, I will continue to dive into each area of integration in more detail, and describe the value of each part of this integration.

For a more detailed overview of how Interset and McAfee work together, visit our partnership page.