A Well-Connected Sandbox

Solution Brief
Ensure the success of your advanced threat defense strategy
Top of mind for most CSOs is the growing risk of advanced threats and
the technical requirements to effectively defend against them. Threats are
constantly evolving to mask their intent, conceal malicious payloads, exploit
newly disclosed vulnerabilities, and evade detection.
Today’s most effective method to address these challenges includes sandbox technology, which
provides in-depth analysis of new or unknown files and executables in a secure environment. The
effectiveness of a sandbox technology is determined by several factors. The first is the ability to
detect evasive threats. Another key factor is how well the sandbox is integrated into the existing
security infrastructure—from network edge through the endpoint.
A well-connected sandbox is critical to the success of an effective threat defense strategy. Unlike
stand-alone sandboxes that add complexity through isolation, McAfee® Advanced Threat Defense
adds in-depth analysis as a tightly integrated, shared resource that strengthens and synchronizes
defensive capabilities throughout the network.
In this brief, we’ll take a look at common use cases that show how integration between McAfee
Advanced Threat Defense and other security controls from McAfee, a part of Intel Security, creates
a multipronged strategy designed to make enterprise defenses both more effective in detecting
previously unknown malware and globally responsive when a new attack occurs.
Start with a Great Sandbox
The first factor that extends—or limits—sandbox detection capabilities is the range of inspection
techniques available. Many provide dynamic analysis only, which most commonly includes file
detonation and observation of the resulting behavior. Dynamic analysis, while a good start, is
vulnerable to evasive techniques, such as delayed execution and hidden execution paths.
McAfee Advanced Threat Defense
McAfee Advanced Threat Defense represents the next generation of advanced threat detection.
This multilayered solution wraps a dynamic inspection engine with additional tools to detect
evasive tactics. It applies a series of analytics in a down-select sequence of increasing
computational intensity to deliver high levels of detection accuracy with extremely high
throughput performance.
The on-board features include:
■ Signature-based detection of viruses, worms, spyware, bots, Trojans, buffer overflows, and blended attacks using a comprehensive knowledgebase created and maintained by McAfee Labs, which currently includes more than 300 million signatures.
■ Reputation-based detection using the McAfee Global Threat Intelligence (McAfee GTI) network to detect newly emerging threats.
■ Real-time emulation that simulates code execution using lightweight runtime environments and heuristic behavioral analytics to quickly find malware threats that evade signatures and reputation-based inspection.
■ Dynamic sandbox analysis that executes files in a run-time environment and observes the resulting behavior. While requiring more resources and time than real-time emulation, it accurately discovers more sophisticated threats. McAfee Advanced Threat Defense uniquely configures virtual run-time environments to match the target host based on queries to McAfee® ePolicy Orchestrator® (McAfee ePO™) software. Analyzing behavior under the conditions of an intended host quickly produces accurate results, revealing behaviors often not triggered in a generic environment.
■ Full static code analysis that analyzes the source code and instruction sets without execution. Comprehensive unpacking capabilities open all types of packed and compressed files to enable complete analysis and classification. Full static code analysis provides critical insight into input-dependent behaviors and delayed or hidden execution paths that often do not execute during dynamic analysis and are overlooked by less comprehensive solutions.
Connect the Sandbox
The in-depth inspection capabilities of McAfee Advanced Threat Defense are of most value when
deeply integrated with inline security controls that can intercept and forward unknown files for
analysis. With integration, sandbox convictions are quickly communicated so that security controls
can take immediate action: blocking a malicious file, preventing its execution on an endpoint, or
updating the defenses on other potential targets. Tight integration between McAfee Advanced
Threat Defense and other Intel Security solutions creates new opportunities to reinforce malware
security throughout the environment.
Use Cases
The well-connected sandbox offers robust protection against advanced threats across the entire
enterprise environment. Let’s take a look at some use cases that clearly demonstrate how the
Security Connected approach supports and extends the capabilities of McAfee Advanced Threat
Defense throughout the infrastructure—from the network to content gateways to endpoints.
Use case 1: Strengthening malware security at the network edge
Intel Security products on deck: Deploy McAfee Advanced Threat Defense with McAfee Network
Security Platform (IPS) and/or McAfee Next Generation Firewall to find and freeze emerging
malware threats.
Security Connected in action: When the intrusion prevention system (IPS) or firewall intercepts
a file or executable and cannot make a positive conviction with the real-time analytics available
onboard, it forwards a copy of the file or executable to McAfee Advanced Threat Defense for
further analysis. McAfee Advanced Threat Defense applies its inspection engines in sequence,
avoiding any that have already been run by the referring system. McAfee Advanced Threat Defense
then posts the resulting score and report to the referring solution, which immediately incorporates
the score into its own policy enforcement processes. The convictions appear in IPS and firewall
logs and dashboards in near real time, as if the entire analysis had been completed onboard. This
streamlines investigative workflows, allowing administrators to efficiently manage alerts through a
single interface.
Intel Security for the Network Edge
McAfee Network Security Platform discovers and blocks sophisticated threats in the network using a
set of real-time detection technologies. It delivers inline speeds up to 40 Gbps on a single appliance
and maintains exceptional throughput performance and accuracy, regardless of security settings.
McAfee Next Generation Firewall combines security with high availability and manageability,
delivering advanced protection for corporate headquarters, data centers, or branch offices. It
integrates layer 7 network application control, intrusion prevention, virtual private networking, and
evasion prevention functionality on a unified software core.
Key advantages: Both McAfee Network Security Platform and McAfee Next Generation Firewall can
leverage the complete McAfee Advanced Threat Defense inspection stack to find and stop stealthy
malware attacks that would otherwise defeat their onboard defenses.
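The down-select sequence described under "On-board features" and the use case 1 exchange (skip engines the referring system already ran, stop at the first conviction, return a score and report) can be modelled as a small pipeline. This is an added illustration, not McAfee code: the stage heuristics, the knowledge base, the event names and the 0–100 scoring scale are all constructed for the example.

```python
"""Down-select analysis pipeline: engines run in order of increasing cost,
stages the referrer already ran are skipped, first conviction stops the chain.
Added illustration; every input, score and heuristic here is constructed."""
import hashlib
import re

# Constructed knowledge base: sha1 -> detection name / reputation score (0 = trusted).
SIGNATURES = {hashlib.sha1(b"known-bad-sample").hexdigest(): "Trojan.Constructed"}
REPUTATION = {hashlib.sha1(b"known-good-sample").hexdigest(): 0}
SUSPECT_STRINGS = (b"VirtualAllocEx", b"WriteProcessMemory", b"CreateRemoteThread")
BAD_EVENTS = {"writes_run_key": 40, "spawns_shell": 30, "drops_pe": 30}

def signature_stage(data, sha1, ctx):
    name = SIGNATURES.get(sha1)
    return (100, f"matched {name}") if name else (None, "no match")

def reputation_stage(data, sha1, ctx):
    score = REPUTATION.get(sha1)
    return (score, "reputation known") if score is not None else (None, "unknown")

def emulation_stage(data, sha1, ctx):
    # Lightweight heuristic: two or more process-injection API names in the file.
    hits = [s.decode() for s in SUSPECT_STRINGS if s in data]
    return (80, f"injection APIs {hits}") if len(hits) >= 2 else (None, "clean")

def dynamic_stage(data, sha1, ctx):
    # Scores a behaviour trace observed in a VM image matched to the target host.
    score = sum(BAD_EVENTS.get(e, 0) for e in ctx["events"])
    note = f"{ctx['platform']} image, events={ctx['events']}"
    return (min(score, 100), note) if score >= 50 else (None, note)

def static_stage(data, sha1, ctx):
    # Delayed execution a detonation would time out on: Sleep() of 60 s or more.
    delays = [int(m) for m in re.findall(rb"Sleep\((\d+)\)", data)]
    big = [d for d in delays if d >= 60_000]
    return (75, f"delayed paths {big}") if big else (None, "no hidden delays")

STAGES = [("signature", signature_stage), ("reputation", reputation_stage),
          ("emulation", emulation_stage), ("dynamic", dynamic_stage),
          ("static", static_stage)]

def analyze(data, already_run=(), platform="generic", events=()):
    """Return (score, convicting_stage, report) for the referring system."""
    sha1 = hashlib.sha1(data).hexdigest()
    ctx = {"platform": platform, "events": list(events)}
    report = []
    for name, stage in STAGES:
        if name in already_run:               # do not repeat the referrer's work
            report.append(f"{name}: skipped (run by referrer)")
            continue
        score, note = stage(data, sha1, ctx)
        report.append(f"{name}: {note}")
        if score is not None:                 # convicted or cleared: stop here
            return score, name, report
    return 0, "none", report
```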
Figure 1. Integration points for finding, freezing, and fixing malware. (Components shown: McAfee Advanced Threat Defense, McAfee Email Gateway, McAfee Enterprise Security Manager (SIEM), McAfee Web Gateway, McAfee Network Security Platform, McAfee Next Generation Firewall, McAfee Global Threat Intelligence, and McAfee ePO, between the Internet and the corporate user.)
Use case 2: Strengthening malware security at content service gateways
Intel Security products on deck: Deploy McAfee Advanced Threat Defense with direct integration to
McAfee Web Gateway or McAfee Email Gateway to find and freeze stealthy, evasive malware attacks
embedded in web and email traffic.
Security Connected in action: McAfee Web Gateway and McAfee Email Gateway scan their assigned
traffic flows for potential threats embedded in web traffic and email messages. Any files that cannot
be cleared or convicted with onboard analytics are forwarded to McAfee Advanced Threat Defense
for further analysis. The referring gateway receives the score and automatically incorporates it in
policy enforcement workflows and dashboards. Convicted files are blocked immediately and on all
future appearances.
Unlike most web security solutions, McAfee Web Gateway features onboard SSL decryption. This
allows the gateway to send decrypted files to McAfee Advanced Threat Defense for faster, more
accurate analysis. And because both gateways offer device profiling, suspect files can be sent to
McAfee Advanced Threat Defense along with header information indicating the target platform
(if McAfee ePO software is not available to provide that information). This helps the dynamic analysis
engine load a matching virtual machine image for more accurate and complete analysis.
Key advantages: With McAfee Advanced Threat Defense in the environment, McAfee Web Gateway
and McAfee Email Gateway can leverage its complete file inspection stack to find and stop stealthy
malware attacks that might otherwise slip past their onboard defenses. Because email traffic can
tolerate small amounts of latency, suspect files can be held at the gateway until analysis is complete.
And the web gateway’s flexible rules engine lets administrators set policy for whether files are held
during analysis or allowed and tracked. Both instances allow “patient zero protection,” in which the
first detected instance of a new threat is blocked, eliminating the need to locate and remediate one
or more infected endpoints.
Intel Security for Content Gateways
McAfee Email Gateway
McAfee Email Gateway combines inbound threat protection, outbound encryption, advanced
compliance, data loss prevention, and administration in a single, easy-to-deploy appliance.
McAfee Web Gateway
McAfee Web Gateway provides broad capabilities, from web filtering and anti-malware scanning to
deep content inspection and granular control over how websites and applications are used.
Use case 3: Strengthening malware security on the endpoint and beyond
Figure 2. Security components operate as one to immediately share relevant data among endpoint, gateway, and other security products. (Components shown on the Data Exchange Layer: McAfee Next Generation Firewall, McAfee Global Threat Intelligence, McAfee Network Security Platform, McAfee Web Gateway, McAfee Email Gateway, McAfee Threat Intelligence Exchange Server, McAfee Advanced Threat Defense, third-party feeds, McAfee ePO, McAfee Enterprise Security Manager, and McAfee VirusScan® Enterprise with the McAfee Threat Intelligence Module.)
Intel Security products on deck: Deploy McAfee Advanced Threat Defense along with McAfee
Threat Intelligence Exchange, McAfee ePolicy Orchestrator (ePO) and McAfee Endpoint Protection
products to prevent patient-zero infections and remove convicted files from endpoints across the
network. Leverage the data exchange layer to integrate additional security products and share new
threat discoveries throughout the entire security environment in near real time.
Security Connected in action: McAfee Advanced Threat Defense and McAfee Threat Intelligence
Exchange work with McAfee ePO software to provide endpoint systems with real-time situational
awareness about security events throughout the network. When a new file attempts to execute on
an endpoint, it is initially inspected by endpoint security using signatures, rules, and reputation from
McAfee Global Threat Intelligence. If endpoint security cannot convict or clear the file, it forwards a
hash to McAfee Threat Intelligence Exchange, which consults local hash files, whitelists, blacklists,
and various reputation sources to make a decision. If no reputation is available, McAfee Threat
Intelligence Exchange forwards the file to McAfee Advanced Threat Defense for in-depth static code
analysis and dynamic interrogation. Endpoint security is configurable to either hold execution of the
unknown file until McAfee Advanced Threat Defense returns a verdict, or to allow execution of the file
while McAfee Advanced Threat Defense completes its analysis. These results are returned to McAfee
Threat Intelligence Exchange and immediately published to all endpoints and other security measures,
including the referring endpoint, which will immediately close malicious process execution if it started
during the analysis period. Additionally, McAfee Threat Intelligence Exchange-enabled endpoints
continue to receive file conviction updates when off the network, extending protection to off-network
assets and eliminating blind spots from out-of-band payload delivery.
Intel Security for Network Endpoints and Beyond
McAfee Threat Intelligence Exchange
This tool enables adaptive threat prevention by sharing relevant security data across endpoints,
gateways, and other security products. It relies on the data exchange layer, a bi-directional
communications fabric that provides a persistent connection over which connected components
share intelligence in real time, regardless of their location.
McAfee ePO Software
Our centralized management console provides enterprise-class, unified management of endpoint,
network, and data security. End-to-end visibility and powerful automations slash incident
response times.
McAfee Endpoint Security
This comprehensive solution integrates numerous technologies for coordinated, complete
protection against all five threat vectors—system, email, web, data, and network.
Beyond endpoint protection, connecting McAfee Advanced Threat Defense to McAfee Threat
Intelligence Exchange and other security measures through the data exchange layer creates a single
collaborative system. New malware threats uncovered by McAfee Advanced Threat Defense working in
tandem with edge, gateway, or endpoint security measures are instantly reported to connected security
measures in near real time. The result is adaptive, cross-vector detection, blocking, and containment
of advanced targeted attacks. The entire enterprise environment can now be secured against a newly
discovered attack within a fraction of a second. Endpoints are protected against executing a known
malicious file, and gateways are on alert to block subsequent instances at the network edge.
Key advantages: Any newly identified malicious file, no matter where it is first detected, can now be
recognized and blocked at every endpoint and across the network. This adaptive response provides
instant protection across the entire environment, including network, gateway, and endpoints.
Responsive agility is increased, while the time-to-containment and time-to-remediation are
dramatically reduced, all without the need to re-architect the network.
Use case 4: Finding and fixing infected endpoints fast
Intel Security products on deck: Deploy McAfee Enterprise Security Manager (SIEM) with McAfee
Advanced Threat Defense, McAfee Complete Endpoint Protection, and McAfee ePO software to
dramatically reduce the time required to track down and remediate compromised endpoint systems.
Security Connected in action: When deployed in a network, McAfee Enterprise Security Manager
collects, parses, correlates, and stores log and event information from security systems and other
network devices. When McAfee Advanced Threat Defense convicts a suspect file, it funnels a CybOX/STIX-
formatted indicator of compromise (IoC) to McAfee Enterprise Security Manager, which can
then interpret and act on these artifacts. For both the original payload and any nested (unpacked)
payloads revealed in the analysis, the data transferred includes the name, hash (MD5 or SHA-1), and
severity of the convicted file; the gateway or device that first detected it; the message that carried
it; the source and destination systems; and the source URL. The cyberthreat manager in McAfee
Enterprise Security Manager incorporates this data in its correlations and analysis.
All values are parsed and can be used to trigger security responses—both automated and interactive.
Security analysts can query McAfee Enterprise Security Manager to correlate security event histories
with IoCs reported by McAfee Advanced Threat Defense. Destination hosts can be listed to indicate
potentially compromised machines. Source domains and IP addresses involved in multiple attacks
can be identified. McAfee Enterprise Security Manager can also coordinate a variety of attack
responses. It can create a blacklist of suspect IP addresses and instruct McAfee Network Security
Platform or McAfee ePO software to disallow any connection requests. It can also create a watch list
of suspect IP addresses and alert whenever it sees a connection attempt to or from an internal host.
Solutions for Incident Analysis and Response
McAfee Enterprise Security Manager
McAfee Enterprise Security Manager brings together security intelligence and information
management (SIEM) to provide situational awareness across the entire environment. It collects,
processes, and correlates billions of log events and flow data from a distributed network of
receivers, making years of data continuously available for immediate access and analysis. It
calculates baseline activity norms and alerts on variations that might indicate an imminent threat.
Tight integration between McAfee Enterprise Security Manager, McAfee Threat Intelligence
Exchange, and other products enables coordinated, timely response. A newly discovered file
can be flagged as malicious, initiating a search across the network for additional instances of the
same file, removal of the file, or blocked execution. Remediation actions can also include issuing new
configurations, implementing new policies, removing files, and deploying software updates that can
proactively mitigate risk.
Key advantages: Security analysts can correlate IoCs extracted from malware analytics against
aggregated security event histories to quickly identify compromised endpoints, contain attacks,
mitigate damages, and remediate all affected systems.
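The correlation step in use case 4 (match the sandbox's IoC fields against event history to list potentially compromised destination hosts and sources seen in multiple attacks, then alert on connections to a watch list) is worked through below. This is an added example, not McAfee code: the IoC records, hash placeholders, event lines and the alerting rule are constructed, and the record layout only mirrors the fields the brief names.

```python
"""Correlate sandbox IoCs with SIEM event history (modelled on use case 4).
Added illustration; all records, hashes and event lines are constructed."""
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed placeholder hashes (the brief says MD5 or SHA-1 is carried).
H_ZIP, H_EXE, H_JS, H_OTHER = ("a" * 40, "b" * 40, "c" * 40, "d" * 40)

# Constructed IoCs as forwarded after conviction: one per payload; the nested
# (unpacked) payload repeats the detector, source, destination and URL of its parent.
IOCS = [
    {"name": "invoice.zip", "hash": H_ZIP, "severity": "high", "detector": "web-gw-1",
     "src": "203.0.113.10", "dst": "10.0.1.21", "url": "http://files.example.test/invoice.zip"},
    {"name": "invoice.exe", "hash": H_EXE, "severity": "high", "detector": "web-gw-1",
     "src": "203.0.113.10", "dst": "10.0.1.21", "url": "http://files.example.test/invoice.zip"},
    {"name": "update.js", "hash": H_JS, "severity": "medium", "detector": "email-gw-1",
     "src": "203.0.113.10", "dst": "10.0.1.35", "url": ""},
]

# Constructed event history, one event per line: timestamp src dst action sha1
EVENTS = [
    f"2015-01-12T09:01:02 203.0.113.10 10.0.1.21 download {H_ZIP}",
    f"2015-01-12T09:03:11 203.0.113.10 10.0.1.44 download {H_ZIP}",
    f"2015-01-12T09:05:40 198.51.100.7 10.0.1.44 download {H_OTHER}",
    "2015-01-12T09:07:09 10.0.1.44 203.0.113.10 connect -",
]

def parse_event(line):
    ts, src, dst, action, sha1 = line.split()
    return {"ts": ts, "src": src, "dst": dst, "action": action, "sha1": sha1}

def correlate(iocs, events):
    """Return (host -> convicted file names received, sources seen in >1 attack)."""
    bad = {i["hash"]: i for i in iocs}
    compromised = defaultdict(set)
    for i in iocs:                                   # destination named in the IoC itself
        compromised[i["dst"]].add(i["name"])
    for e in map(parse_event, events):               # earlier deliveries of the same hash
        if e["sha1"] in bad:
            compromised[e["dst"]].add(bad[e["sha1"]]["name"])
    attacks = Counter()
    for i in iocs:                                   # count source IPs and source-URL domains
        attacks[i["src"]] += 1
        if i["url"]:
            attacks[urlparse(i["url"]).hostname] += 1
    repeat = {k for k, n in attacks.items() if n > 1}
    return dict(compromised), repeat

def watch_hits(watch_list, events):
    """Alert lines for any connection to or from a watched address."""
    return [f"{e['ts']} {e['src']}->{e['dst']}" for e in map(parse_event, events)
            if e["action"] == "connect" and (e["src"] in watch_list or e["dst"] in watch_list)]
```

The `repeat` set is what the brief describes feeding a blacklist or watch list; `watch_hits` is the alerting half of that watch list run over the same history.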
Learn more about McAfee Advanced Threat Defense at: www.mcafee.com/atd.
Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee, the McAfee logo, ePolicy Orchestrator,
McAfee ePO, and VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and
brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject
to change without notice, and are provided without warranty of any kind, express or implied. Copyright © 2015 McAfee, Inc.
61642brf_well-connected-sandbox_0115_fnl_ETMG
McAfee. Part of Intel Security.
2821 Mission College Boulevard
Santa Clara, CA 95054
888 847 8766
www.intelsecurity.com