
Security Information and Event Management (SIEM) Orchestration
How McAfee Enterprise Security Manager drives action, automates remediation, and optimizes incident response
Michael Leland, Sr. SIEM Enterprise Architect, Intel Security

Guide
Table of Contents
Introduction
Orchestration Triggers
Orchestrating Action
McAfee ePolicy Orchestrator (McAfee ePO) Software
Reporting on Suspicious Systems
Practical Example: Flagging Suspicious Systems for Follow-Up
Dynamic McAfee ePO Software Policy Changes
Trigger McAfee ePO Software Client Task Execution
Practical Example: Quarantine and Remediation of a Compromised System
McAfee ePO Software Configuration (p. 13)
McAfee Network Security Platform (p. 14)
Configuring McAfee Network Security Platform (p. 15)
Practical Example: Behavior-Based Blacklisting (p. 17)
McAfee Threat Intelligence Exchange (p. 18)
Configuring McAfee Threat Intelligence Exchange (p. 19)
Practical Example: Finding Systems that Have Executed a Malicious File (p. 20)
Orchestrating Actions with Other Tools (p. 23)
Configuring Scripting (p. 23)
Cyber Threat Manager (p. 24)
Practical Example: Using Backtrace to Report Systems Identified as Having IOCs within McAfee ePO Software (p. 24)
Other Examples (p. 27)
Summary (p. 28)
Next Steps (p. 28)
About Intel Security (p. 28)

Over the last two decades, security information and event management (SIEM) adoption
has increased dramatically, driven largely by complex and demanding compliance
requirements such as the Payment Card Industry Data Security Standard (PCI DSS) and
Sarbanes-Oxley (SOX), as well as the needs of incident response teams for threat
management. As adoption increased, enterprises quickly realized the value of the SIEM in
providing and leveraging threat intelligence: giving visibility into known threats occurring
around the world and the ability to identify and track potential threats as they occur. This
situational awareness allows enterprises to detect attacks sooner and, as a result, take
action to minimize the impact of today's advanced threats.
Introduction
Times change. Today's exploits are executed in a matter of hours or less. However, according to the Ponemon 2015 Cost of Cyber Crime
study, the average time to resolve a cyberattack is 46 days.[1]

Figure 1. Attacks and losses happen in minutes and hours. Response takes days and weeks.

This slow response is driven largely by processes and tools that have not kept up with the rapid acceleration in attack speed. Attack
responses often are loosely coordinated affairs, requiring the cooperation of multiple teams across the enterprise. Efforts follow manual
workflows that require human intervention at multiple steps along the way. If there is to be any hope of stopping intrusions before the
damage is done, we must find ways to optimize and automate these processes as much as possible.
A similar evolution occurred in the network intrusion detection system (NIDS) space in the early 2000s. At that time, NIDS were
well-established methods of identifying network attacks, based largely on attack signatures. As detection methodologies improved,
administrators realized that it was feasible to rely on these tools to make policy enforcement decisions and actually block known
attacks. Then network intrusion prevention systems (NIPS) came into being. While not a silver bullet, NIPS significantly raised the bar for
an attacker to execute a successful attack.
Ten years later, SIEM is at the same crossroads. No longer is it sufficient to simply detect threats to our networks. SIEM can be used not
just to improve situational awareness, but also as a platform to orchestrate responses and to stop attacks well before they become
breaches.
This document begins by outlining the kinds of activities that are well suited to orchestration. Following this, we'll take a deep look at
McAfee Enterprise Security Manager, Intel Security's SIEM solution, and examine how it works as part of the Intel Security platform to
optimize incident response processes.

Orchestration Triggers
The first step in effectively responding to an attack is identifying triggers that will begin the process. The best triggers clearly describe a
suspicious or malicious behavior with enough precision that the reaction to it is clear. Triggers must also be highly accurate and offer
integrated threat intelligence if they are to be relied upon for automated responses. Below are a few examples.

- Anti-social behaviors: Most enterprises will see activities coming from within or outside their networks that, while not immediately
  alarming, are clearly not related to their business. Often these behaviors are the precursors to an actual attack.
- Password guessing: High volumes of incorrect passwords are indicators of automated tools used by attackers to attempt to guess
  user credentials.
- Network reconnaissance: Host scans, port scans, and similar activities are equivalent to jiggling the doorknob of a house to see if it's
  locked. This kind of activity should only originate from trusted partners.
- Application reconnaissance: Attackers will often begin a campaign with a series of probes designed to understand the attack
  surface of their target. This activity may be seen in application logs as high volumes of requests from a host, often for resources that
  do not exist.
- Threat intelligence: This provides a real-time understanding of the world outside (threat data, reputation feeds, and vulnerability
  status) as well as a view of the systems, data, risks, and activities inside your enterprise. It's a critical tool that prevents security
  teams from overlooking indicators of compromise (IOCs) and is effective for incident investigations and remediation.

These activities happen so frequently in most organizations that it is not feasible for human analysts to follow up on each one. As a
result, the records of these activities become fodder for regular executive rollup reports or perhaps part of the evidence chain
uncovered while investigating a breach. However, an effective SIEM platform can take appropriate actions in response to these
behaviors and stop attacks at their earliest stages. In today's ever-evolving threat landscape, McAfee Enterprise Security Manager
enables rapid response to emerging threats.

- Signs of malware infection: Fighting malware is a daily part of any enterprise security professional's job. Most malware is detected
  and dealt with efficiently by implementing technologies at the endpoint (such as McAfee Endpoint Protection Suites) and malware
  detection in network devices, network intrusion prevention systems (McAfee Network Security Platform), web protection gateways
  (McAfee Web Gateway), and advanced threat protection appliances (McAfee Advanced Threat Defense). However, when especially
  targeted or evasive malware does get around these defenses, it can be difficult to detect and eradicate. Signs of malware infection
  include:
  o Alerts and blocking based on IPS events: Most IPS products include signatures designed to identify traffic associated
    with botnet command-and-control networks, and similar behaviors.
  o Communication with suspicious hosts: Many IPSs and SIEMs today incorporate geolocation, reputation feeds, and other
    contextual feeds that allow enterprises to track known malicious hosts and communication patterns within the enterprise.
    Internal hosts seen to be communicating with suspect hosts in other parts of the world merit additional follow-up, as these
    activities are indicators of infected hosts.
  o DNS requests: DNS requests for resolution of domain names that are associated with known purveyors of malware are
    clear signs of infection.
  o Indicators of compromise: IOCs provide details of a potential threat within the environment in a standard format. The
    SIEM can use this information to detect if those indicators have been seen in the past as well as keep an eye on them in
    the future.
- Anomalous behaviors: In any network there are unexplained, outlier behaviors that can be valuable signs of systems that have been
  subverted or are otherwise not being used for their intended purpose.
  o NetFlow volumes and patterns: NetFlow records provide useful metadata about what systems are communicating, and
    how much, in the enterprise. While individual NetFlow records may provide little useful information, over time, NetFlow
    records can be aggregated to establish a unique fingerprint that identifies how and when a system (or a class of systems)
    communicates. Deviations from this baseline can provide useful IOCs.
  o Suspicious network traffic: Tools like McAfee Network Threat Behavior Analysis (used with the McAfee Network Security
    Platform) collect and analyze traffic from the entire network (host and applications) to detect unusual behavior resulting
    from worms, botnets, zero-day threats, spam, and reconnaissance attacks.

While most enterprises strive to investigate these types of events, the sheer volume can quickly become overwhelming to incident
responders. Even running a simple malware scan on a likely infected host may take hours or days to get scheduled, depending on the
organization's operational maturity. All the while, the malware is free to execute the attacker's payload (perhaps exfiltrating data) or it
is free to spread more deeply into the enterprise. What's needed is a simple, automated method to stop attacks as soon as they are
detected. Freezing the attack gives responders breathing room to investigate the scope and take advanced remediation steps as
needed.

Orchestrating Action
McAfee Enterprise Security Manager provides a rich platform to automate responses to the kinds of triggers discussed above. It
collaborates closely with many Intel Security solutions, allowing administrators to orchestrate responses easily without complicated
custom integrations. In addition, McAfee Enterprise Security Manager provides integration for hundreds of third-party products.
McAfee Enterprise Security Manager actions are driven by alarms triggered by a wide range of events, including those described above.
You can configure each alarm to launch a variety of actions. Below we'll discuss some of the orchestration options possible with McAfee
Enterprise Security Manager and its complementary products.

McAfee ePolicy Orchestrator (McAfee ePO) Software

Integrated closely with McAfee Enterprise Security Manager, McAfee ePolicy Orchestrator (McAfee ePO) software provides policy-based
management of a wide range of endpoint, data center, and network security countermeasures, including antivirus, host intrusion
prevention, whitelisting, activity monitoring, and data loss prevention.
McAfee ePO software lets administrators categorize systems via manual or criteria-based tags, which may then be used as the basis
for assigning configuration profiles to assets, launching tasks on managed endpoints, or filtering dashboards and reports.
McAfee Enterprise Security Manager integrates with McAfee ePO software via the McAfee ePO software web application programming
interface (API). Through this channel, McAfee Enterprise Security Manager can assign tags to systems in McAfee ePO software in
response to triggers seen by McAfee Enterprise Security Manager, just as a McAfee ePO software administrator might do via the McAfee
ePO software graphical user interface (GUI). Through tags, McAfee Enterprise Security Manager can automate many first response
actions, helping organizations respond to attacks more quickly and efficiently than would be possible when relying solely on security
operations center (SOC) staff to drive incident responses.

Figure 2. McAfee ePO software initiates policy-based responses to systems under attack.

Reporting on Suspicious Systems
In one of the simplest use cases, a tag may be used as a filter for a dashboard or a report in McAfee ePO software. SOC staff often use a
custom dashboard or role-based report to regularly monitor the status of the technologies managed via McAfee ePO software and to
identify events where a response may be necessary. This process provides excellent visibility into the different security
countermeasures that McAfee ePO software manages, but is blind to the rest of the enterprise environment.
McAfee Enterprise Security Manager provides deep situational awareness to complement standard McAfee ePO software visibility. By
assigning the proper tags, McAfee Enterprise Security Manager can quickly and automatically bring systems exhibiting suspicious
behaviors to the attention of endpoint security operations. Security operations can then take appropriate actions as needed.

Practical Example: Flagging Suspicious Systems for Follow-Up


In many enterprises, the team that handles endpoint security leverages McAfee ePO software as a tool to drive day-to-day workflow for
incident response. For example, a system that reports large volumes of repeated malware infections in a short time often has additional
undetected malware running behind the scenes. In this circumstance, the system requires human analysis to review its state and health
and to identify additional remediation steps needed.
Tagging helps incident response staff track systems that require investigation. A specified McAfee ePO software tag may be used as a
filter for a McAfee ePO software dashboard or report, which, in turn, is monitored by incident response staff to drive daily remediation
activities. This approach may be extended easily to allow McAfee Enterprise Security Manager to tag suspicious systems based on a
wide variety of criteria. Endpoint security staff gains greater awareness of enterprise security posture and can prioritize remediation
efforts on the systems with the most severe security issues.

- Set up McAfee ePO software: To take advantage of this use case, it's first necessary to perform appropriate setup in McAfee ePO
  software.
  o Identify or create a McAfee ePO software tag to use as a means of flagging systems that require manual analysis. For
    purposes of discussion, we'll name this tag "FILTER: Suspicious Systems". Set up this tag as a manual tag in McAfee ePO
    software.
  o Identify or create a dashboard in McAfee ePO software that will be used to track suspicious systems. Each query in the
    dashboard should include the "FILTER: Suspicious Systems" tag as a filter, ensuring that only data associated with tagged
    systems are displayed. For our purposes, we will use the tag as a filter for the McAfee ePO software system tree.
- Identify SIEM trigger: The next step is to identify the conditions seen by McAfee Enterprise Security Manager on which you would
  like to trigger.
  o Content packs provide prebuilt correlation rules that McAfee ePO software can utilize for common use cases. Content
    packs are continuously being developed and updated as new threats emerge. New correlation rules that provide triggers
    when malicious behavior is detected are a common element of content packs. The following are currently existing
    content packs that can provide triggers for McAfee ePO software incidents:
    - Malware content pack.
    - Firewall content pack.
    - McAfee Threat Intelligence Exchange content pack.

Figure 3. Content packs currently available in the McAfee Enterprise Security Manager console.

    In addition to pre-built content packs, the potential to create additional triggers here is virtually limitless. Triggers depend
    largely on the data sources that are present in your McAfee Enterprise Security Manager, the correlation rules that you
    have at your disposal, and the types of things into which the endpoint security team would like visibility. For our
    purposes, we'd like to notify the McAfee ePO software team any time the enterprise web proxy (such as McAfee Web
    Gateway) detects an attempt to download a malicious file. These systems deserve inspection, since systems that attempt
    to download malware are often already infected with malware.

Figure 4. McAfee Enterprise Security Manager console displays malware detected by McAfee Web Gateway.

- Enable alarm: While it's certainly possible to manually trigger the McAfee ePO software tagging action (via the McAfee Enterprise
  Security Manager action menu), in our example we will automate this process to ensure that the endpoint security operations team
  has immediate visibility into the latest threats. As the final configuration step, we must configure McAfee Enterprise Security Manager
  with an alarm that is triggered by the event we've identified above and takes the action of applying the "FILTER: Suspicious Systems"
  tag to the target systems.

Figure 5. McAfee Enterprise Security Manager Alarm: McAfee ePO software tagging action.

- Monitor dashboard in McAfee ePO software: Once the alarm is configured, you should begin to see systems tagged appropriately in
  McAfee ePO software, and they should automatically begin to appear in the "Suspicious Systems" dashboard. After the analyst reviews
  the systems and takes appropriate remediation steps, the analyst can remove the tag, and the system will be removed from the
  dashboard.

Figure 6. Systems with web malware detections flagged as suspicious in McAfee ePO software.

Dynamic McAfee ePO Software Policy Changes


In the context of McAfee ePO software, a policy is a collection of settings that you create and configure and then enforce on a set of
managed systems. McAfee ePO software allows administrators to configure user- and systems-based policy settings for all products
and systems from a central location. For example, McAfee ePO software policies provide complete control over all aspects of endpoint
security, from the aggressiveness of on-access scanning to the network connections allowed by the endpoint firewall.
McAfee ePO software policies may be assigned in a number of different ways. One highly flexible method is via policy assignment rules.
With McAfee ePO software policy assignment rules, policies may be assigned to managed systems using a flexible set of criteria and
updated on the fly as those criteria change. Asset tags are one of the criteria supported by policy assignment rules in McAfee ePO
software. By leveraging McAfee Enterprise Security Manager to manipulate McAfee ePO software asset tags in response to triggers, we
can modify policies on those assets in near real time in response to changing conditions or detected threats.
Essentially, we can take the incremental data that becomes visible through the McAfee Enterprise Security Manager-to-McAfee ePO
software integration and use that data to modify policies that, in turn, affect countermeasures.

Figure 7. McAfee software policy assignment rules.

Trigger McAfee ePO Software Client Task Execution


A client task in McAfee ePO software is an action that is pushed to and executed on a managed endpoint. Examples of client tasks
include scheduled anti-malware scans and deployment of security agent software. Like policies, a client task may be assigned to a
system in a variety of ways within McAfee ePO software. For example, client tasks may be tied to asset tags, such that assigning a tag to
a system brings with it a set of associated client tasks.

Figure 8. Client task assigned to systems based on McAfee ePO software asset tags.

By leveraging McAfee Enterprise Security Manager to manipulate McAfee ePO software asset tags in response to triggers, we can
immediately execute tasks on managed systems in response to changing conditions or detected threats.

Practical Example: Quarantine and Remediation of a Compromised System


In the course of investigating an ongoing attack or breach, it sometimes becomes clear that there is a definitive pattern of behaviors that
indicate a compromised system. Examples might include communication with a specific IP address, repeated brute-force password
guessing attempts, or specific malware detections. Regardless of the indicators, the first step for incident responders should be to
isolate the compromised system from the enterprise network as quickly as possible in order to minimize the amount of damage that will
be done.
In this example, we will leverage McAfee Enterprise Security Manager to orchestrate a real-time response with McAfee ePO software,
effectively quarantining the compromised host and launching an aggressive malware scan. These remediation actions should neuter the
threat in real time, minimizing the impact much more quickly and effectively than would be possible when relying on human analyst
response.

- Set up McAfee ePO software policies and tasks: The first step in meeting this use case is to define a set of lockdown policies and
  tasks in McAfee ePO software that will be engaged when McAfee Enterprise Security Manager detects the compromise. Your optimal
  set of policies will be dictated by the managed products you have in McAfee ePO software. Below you will find some suggestions:
  o McAfee Host Intrusion Prevention Firewall: Enable firewall with a highly restrictive rule set.
  o VirusScan Access Protection: Enable Maximum Protection rules. Consider implementing custom rules to block network
    traffic if McAfee Host Intrusion Prevention Firewall is not deployed in your environment.
  o VirusScan On-Access: Enable scanning inside archives, eliminate scanning exclusions, and set McAfee Global Threat
    Intelligence reputation inquiry to Very High sensitivity level.
  o VirusScan On-Demand Scan Task: Define a scan task to deeply assess all drives and files, with no exclusions.

Figure 9. Sample lockdown McAfee Host Intrusion Prevention Firewall rule set.

- Map McAfee ePO software policies and tasks to tags: Once you define client tasks and lockdown policies, the next step will
  be to tie these to one or more tags. In our example, we will define two separate tags:
  o POLICY: Lockdown
  o TASK: Aggressive Scan
  The first of these tags will be tied to the various lockdown policies via a McAfee ePO software policy assignment rule, as shown in
  the screenshots below.

Figure 10. Selection of lockdown policies in McAfee ePO software policy assignment rule.

Figure 11. Selection of tag in McAfee ePO software policy assignment rule.

In the case of the on-demand client task, we will leverage client task assignment criteria in order to automatically enable the emergency
scan task on any systems with the TASK: Aggressive Scan tag.

Figure 12. Tying a task to a McAfee ePO software tag, using Task Assignment.

We have now completed the setup within McAfee ePO software. Any systems that are assigned to the relevant tags in McAfee ePO
software will automatically have the proper policies and tasks pushed down the next time the system communicates with McAfee ePO
software.

- Identify SIEM trigger: The conditions that are used to trigger the actions in this use case are entirely dependent on the specifics of
  the threat you wish to respond to. In our example, we will deal with a hypothetical threat, which has three behaviors that are easily
  observable:
  o Communication with known malicious IP addresses.
  o Multiple attempts to guess root account passwords.
  o Attempts to download and install malware.

  Given this information, we will define a simple correlation rule that triggers when we see these behaviors together, associated with a
  single host.

Figure 13. A correlation rule can be defined for individual systems.

- Enable alarm: All that remains is to define a set of actions that will be executed when our triggering rule fires. We will do
  this by defining an alarm tied to the correlation rule. This alarm will take the primary action of Assign Tag with McAfee
  ePO.

Figure 14. Alarm action: Assign Tag with McAfee ePO.

We will leverage this alarm to assign both our POLICY and TASK tags to the affected system. We will also check the box labeled Wake
up client in the McAfee ePO software tagging configuration. By default, McAfee ePO software clients check in with McAfee ePO software
on a regular interval, which is typically every one to two hours. Checking the Wake up client box will ensure that the affected client
immediately communicates with McAfee ePO software and receives its updated policies and tasks in near real time. In practice, policy
enforcement should occur in less than one minute from the time the alarm is triggered.

Figure 15. Define actions: associate policy and task with an action.

McAfee ePO Software Configuration


McAfee Enterprise Security Manager can leverage McAfee ePO software tagging actions for any internal hosts (defined by the
Homenet variable in the Network Discovery tab of the McAfee Enterprise Security Manager Asset Manager). McAfee Enterprise
Security Manager can drive McAfee ePO software tagging actions in two ways. First, a SIEM analyst, via the actions menu in the McAfee
Enterprise Security Manager user interface, may assign McAfee ePO software tags manually. In this model, a SIEM analyst identifies a
triggering event via manual review and leverages McAfee ePO software tagging to orchestrate follow-up activity on the affected system.

Figure 16. Manual assignment of McAfee ePO software tags.

When the McAfee ePO Tagging option is selected by the analyst, he or she is presented with a list of tags that have been defined in
McAfee ePO software and is then free to select the tags appropriate for the actions the analyst wishes to take.
McAfee ePO software tags may also be applied to systems in McAfee ePO software automatically by leveraging McAfee Enterprise
Security Manager alarms. Alarms are triggered by a wide range of conditions, and each alarm has a set of actions associated with it that
are executed when the alarm triggers. Assign Tag with McAfee ePO is one of the supported options.

Figure 17. Automated assignment of McAfee ePO tags via alarm actions.

As in the manual case described above, when a system administrator clicks the Configure button seen above, the system presents a
list of tags that have been defined in McAfee ePO software. The administrator can then select the appropriate tags for the actions
desired in response to the defined conditions.
As you can see, with proper configuration within McAfee ePO software, asset tags can be used to allow McAfee Enterprise Security
Manager to exert a high degree of control over the security posture of a system managed by McAfee ePO software, either as part of a
manual incident analysis process, or automatically.

McAfee Network Security Platform


The McAfee Network Security Platform provides a full range of network-based intrusion detection and prevention features. The McAfee
Network Security Platform includes a number of components:

- McAfee Network Security Manager: Provides centralized management, analysis, and reporting capabilities for McAfee Network
  Security Platform.
- McAfee Network Security Platform sensors: Deployed on network segments to monitor traffic and enforce security policy as
  configured in the McAfee Network Security Manager. McAfee Network Security Platform sensors, when deployed inline on a network
  segment, provide the ability to block attacks in real time.
- McAfee Network Threat Behavior Analysis: Collects and analyzes traffic from the entire network (host and applications) to detect
  worms, botnets, zero-day threats, spam, and reconnaissance attacks. It reports any unusual behavior to help you maintain a
  comprehensive and efficient network security infrastructure.
McAfee Network Security Platform provides a highly intelligent security solution that discovers and blocks sophisticated threats in the
network. However, like any IPS, its visibility and ability to react are limited by where McAfee Network Security Platform sensors are
deployed.
McAfee Enterprise Security Manager is complementary to McAfee Network Security Platform. McAfee Enterprise Security Manager's
access to activity logs from the entire enterprise provides it with global visibility, which is often missing in network-based security
controls. McAfee Enterprise Security Manager integrates with McAfee Network Security Manager via the McAfee Network Security
Platform open API.

Figure 18. Overview of the McAfee Enterprise Security Manager/McAfee Network Security Platform operational workflow.

Configuring McAfee Network Security Platform


From within the McAfee Enterprise Security Manager Console, McAfee Network Security Platform blacklist actions are available for any
hosts, internal or external. Successful blacklisting requires a McAfee Network Security Platform sensor to be deployed inline; only
network traffic that traverses a McAfee Network Security Platform sensor can be blocked in this manner. In practice, this tends to limit
blacklisting to network choke points, such as perimeter links or data center boundaries.
In addition to inline deployment, a few configuration steps are necessary within McAfee Network Security Platform before McAfee
Network Security Platform blacklisting can be enforced. On the McAfee Network Security Manager, an appropriate network access zone
should be defined, which outlines precisely what traffic is blocked and allowed for any blacklisted hosts. Network access zones are
defined in the McAfee Network Security Manager user interface under Policy/Intrusion Prevention/IPS Quarantine/Network Access
Zones. In addition, the intrusion prevention system (IPS) quarantine feature must be enabled on desired network interfaces. This
selection is located under Devices/Policy/IPS Quarantine/Port Settings.
McAfee Network Security Platform blacklisting can be driven by McAfee Enterprise Security Manager in two ways. First, blacklist entries
can be assigned manually by a SIEM analyst via the actions menu in the McAfee Enterprise Security Manager user interface. In this
model, the SIEM analyst identifies a triggering incident via manual review and leverages McAfee Network Security Platform blacklisting
to block traffic to/from the affected system.

Figure 19. Manual blacklisting of a suspicious host.

When you select the Blacklist option, you see a list of McAfee Network Security Platform sensors where the blacklist should be
enforced. The blacklist entry can be applied to all sensors in your enterprise, via the Global Blacklist, or to an individual sensor you
select.
For an orchestrated approach, blacklist entries may also be implemented automatically by leveraging McAfee Enterprise Security
Manager alarms. As discussed above under Orchestration Triggers, a wide range of conditions can trigger alarms, with associated
actions that execute when the alarm triggers. Blacklist is one of the supported options.

Figure 20. Automated blacklisting via alarm actions.

As in the manual case described above, when you click the Configure button seen above, the system presents a list of McAfee Network
Security Platform sensors. You are then free to select the sensor where the automated blacklist is to be enforced or to apply the new
entry to the Global Blacklist.
When integrated with McAfee Network Security Platform, McAfee Enterprise Security Manager becomes a powerful extension of the
McAfee Network Security Platform detection engines. McAfee Enterprise Security Manager provides actionable intelligence to the
McAfee Network Security Platform sensor, which can then block attacks in real time.

Practical Example: Behavior-Based Blacklisting
Reconnaissance attacks represent one of the most frequently seen types of alerts coming from network-based intrusion detection
systems (IDS) and firewalls. Reconnaissance activities indicate that an adversary is gathering useful information about an enterprise,
such as IP addresses in use, open ports, applications, and possible weak passwords. Data gathered during reconnaissance may then be
used in later phases of a targeted attack.
While reconnaissance activity is seen frequently, it can be difficult to act on. High volumes of this kind of activity make it impossible for
security analysts to follow up directly on each incident, and the nature of reconnaissance techniques makes it very difficult to block outright
without also affecting authorized traffic coming from customers and trusted partners. However, once an attacker has tipped their hand by
showing this kind of behavior, we can leverage McAfee Enterprise Security Manager to orchestrate an automated response at the
network layer, blocking future connections from the attacker.

Set up McAfee Network Security Manager: In this use case, we will leverage a McAfee Network Security Platform sensor to block
traffic from the attacker. In order to properly execute the blacklist, we will assume we have a McAfee Network Security Platform
sensor deployed inline on the perimeter internet connection. You must also define a tightly restricted network access zone and
enable quarantine on the relevant McAfee Network Security Platform sensor interface.
Identify SIEM trigger: There is a wide range of reconnaissance activities that represent reasonable triggers for a McAfee Network
Security Manager quarantine action. While it might be tempting to aggressively block based on any type of reconnaissance activity,
care must be taken to avoid reacting to potential false positive events. Initially, it's best to focus on a small number of behaviors that
represent clear and accurate signs of bad intent. Good candidates include activities such as repeated failed login attempts or
repeated connections from known malicious IPs, which are unlikely to be triggered benignly.

In our example, we will look for high volumes of HTTP 404 (File Not Found) logs coming from an Apache web server. High volumes of
these logs are very good indicators that an adversary is fingerprinting a web application or identifying the surface area available for a
future attack. In order to provide flexibility in tuning this behavior pattern, we'll define a custom correlation rule in McAfee Enterprise
Security Manager.

Figure 21. HTTP reconnaissance correlation rule.

Enable alarm: Finally, we will configure an alarm in McAfee Enterprise Security Manager. Our alarm will be triggered based on our
custom correlation rule defined above. When the alarm is triggered, we will signal the McAfee Network Security Platform sensor to
block traffic for 60 minutes. In addition, we will trigger a report to run against the McAfee Enterprise Security Manager database and
automatically send it via email to a security analyst. This report will include a summary of all activity seen from the source of the
reconnaissance activity, for review by security analyst staff.

Figure 22. McAfee Enterprise Security Manager alarm configuration.
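As an added illustration (not code from the guide), the following Python sketch reproduces the logic of the correlation rule and alarm described above: it counts HTTP 404 responses per source address in a sliding window over constructed Apache access-log lines and, when the threshold is reached, records a blacklist entry that expires after 60 minutes. The threshold and window values are assumptions, since the guide does not state what its correlation rule uses.

```python
import re
from collections import defaultdict, deque
from datetime import timedelta, datetime

# Tuning knobs. The guide does not give the correlation rule's threshold or
# window, so these two values are assumptions chosen for the example.
THRESHOLD = 5                       # this many 404s from one source ...
WINDOW = timedelta(seconds=60)      # ... inside this window trigger the alarm
BLOCK_FOR = timedelta(minutes=60)   # the guide's alarm blocks for 60 minutes

# Constructed Apache combined-format access log lines (sample data).
SAMPLE_LOG = """\
203.0.113.9 - - [10/May/2016:10:00:01 +0000] "GET /admin.php HTTP/1.1" 404 209 "-" "curl/7.47"
198.51.100.4 - - [10/May/2016:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2016:10:00:02 +0000] "GET /login.php HTTP/1.1" 404 209 "-" "curl/7.47"
203.0.113.9 - - [10/May/2016:10:00:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "curl/7.47"
198.51.100.4 - - [10/May/2016:10:00:03 +0000] "GET /old-page HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2016:10:00:04 +0000] "GET /backup.zip HTTP/1.1" 404 209 "-" "curl/7.47"
203.0.113.9 - - [10/May/2016:10:00:05 +0000] "GET /test.php HTTP/1.1" 404 209 "-" "curl/7.47"
203.0.113.9 - - [10/May/2016:10:00:06 +0000] "GET /old.php HTTP/1.1" 404 209 "-" "curl/7.47"
198.51.100.4 - - [10/May/2016:10:00:09 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3})\b')


def parse_line(line):
    """Return (source_ip, timestamp, status) for one access-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return m.group(1), ts, int(m.group(3))


def correlate_404s(lines):
    """Sliding-window correlation: one blacklist entry per source that produces
    THRESHOLD or more 404s within WINDOW. Returns {source_ip: block_expiry}."""
    recent = defaultdict(deque)   # per-source timestamps of recent 404s
    blacklist = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, status = parsed
        if status != 404:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > WINDOW:   # drop 404s that fell out of the window
            q.popleft()
        if len(q) >= THRESHOLD and not is_blocked(blacklist, ip, ts):
            blacklist[ip] = ts + BLOCK_FOR   # stands in for the sensor blacklist
            q.clear()
    return blacklist


def is_blocked(blacklist, ip, at):
    """True while a blacklist entry for ip has not yet expired at time `at`."""
    return ip in blacklist and blacklist[ip] > at
```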

McAfee Threat Intelligence Exchange


McAfee Threat Intelligence Exchange provides an ecosystem of connected security components that work collaboratively to share
insights, provide context, and act upon emerging threats. McAfee Threat Intelligence Exchange enables adaptive threat prevention by
sharing relevant security data across endpoints, gateways, and other security products. This exchange of data allows for rapid actions to
be taken on the collective threat intelligence. The information generated from McAfee Threat Intelligence Exchange can be consumed
and correlated by McAfee Enterprise Security Manager to provide alerts and historical views for enhanced security intelligence, risk
prioritization, and real-time situational awareness. It provides a historic view and monitors endpoint event baselines to dynamically act
on significant deviations and established thresholds while adjusting user and asset risk. The combined solution brings unprecedented
synthesis across endpoint events, reputation analysis, and advanced security information and event management (SIEM) correlation to
quickly distill down the wealth of relevant threat information and focus efforts where they matter most.


Figure 23. Overview of McAfee Enterprise Security Manager/McAfee Threat Intelligence Exchange integration.

Configuring McAfee Threat Intelligence Exchange


McAfee Threat Intelligence Exchange verifies the reputation of executable programs on the endpoints. When you add a McAfee ePO
software device to McAfee Enterprise Security Manager, the system automatically detects the McAfee Threat Intelligence Exchange
server that is on the network. McAfee Enterprise Security Manager starts listening on the Data Exchange Layer and begins to log McAfee
Threat Intelligence Exchange events. When the McAfee Threat Intelligence Exchange server is initially detected, its watch lists, data
enrichment, and correlation rules are added automatically, and its alarms are enabled.
When a McAfee Threat Intelligence Exchange server is added, it will automatically add:

New alarms.

Figure 24. McAfee Threat Intelligence Exchange alarm settings.

New automated watch lists.

Figure 25. McAfee Threat Intelligence Exchange watch-list settings.

New correlation rules.

Figure 26. McAfee Threat Intelligence Exchange correlation rules.

Practical Example: Finding Systems that Have Executed a Malicious File


The reputation of a file may change from an unknown status to a more severe status with new information provided by McAfee Global
Threat Intelligence, McAfee Advanced Threat Defense, or another threat feed source. With this change of status, McAfee Enterprise
Security Manager provides an easy method of finding other systems that have executed the file in the past and for adding the system to
a watch list.
McAfee Enterprise Security Manager provides several new correlation rules associated with McAfee Threat Intelligence Exchange. The
McAfee Threat Intelligence Exchange reputation changed from clean to dirty rule triggers when a previously clean file becomes dirty,
and therefore potentially malicious, and provides the file hash of the offending file.

Figure 27. McAfee Threat Intelligence Exchange correlation rule to identify systems that change reputations.

On the Events screen, the McAfee Threat Intelligence Exchange file reputation change will display the new reputation as Known
Dirty. This is an indication that this file is malicious and other systems that contain this file may be harmed. We can use this event to
identify other systems that have executed this file.


Figure 28. An event with a known dirty reputation.

With this event, we can find all of the systems that have executed this file by selecting the option from the McAfee Enterprise Security
Manager UI. This allows the administrator to manually add these systems identified as potentially compromised to a watch list.

Figure 29. Running the McAfee Threat Intelligence Exchange execution history.

The IP address or hostname of these systems can be added to a watch list for correlation rules. These systems on the watch list can be
set for extra scrutiny in correlation rules or configured as a filter for reports of infected systems.


Figure 30. Running the McAfee Threat Intelligence Exchange execution history.

Orchestrating Actions with Other Tools


While McAfee Enterprise Security Manager provides simple, pre-built connectivity to many Intel Security technologies via existing APIs,
McAfee Enterprise Security Manager also provides an open interface to allow orchestrating action with other technologies from third
parties. McAfee Enterprise Security Manager can be configured to execute custom scripts in response to triggers. You can write scripts in
any scripting language that is supported on the scripting host, and then run scripts on a designated scripting host or launch them via
secure socket shell (SSH).

Figure 31. Overview of McAfee Enterprise Security Manager scripting operational workflow.

Configuring Scripting
Automated scripts may be set up as an alarm action in the McAfee Enterprise Security Manager user interface. Within McAfee Enterprise
Security Manager, you enter the information necessary to establish SSH communication with the scripting host, as well as the path to
the script and any needed command line parameters.


Figure 32. McAfee Enterprise Security Manager script action configuration.

Once enabled, McAfee Enterprise Security Manager will execute the configured script each time the relevant McAfee Enterprise Security
Manager alarm conditions are satisfied. This interface provides a highly flexible means to drive automated actions with a wide range of
third-party platforms. Common targets for third-party integration include workflow and ticketing systems, firewalls, and network access
control platforms.

Cyber Threat Manager


McAfee Enterprise Security Manager offers enhanced real-time monitoring and understanding of emerging threats via the dedicated
Cyber Threat Manager dashboards. Suspicious or confirmed threat information reported via the threat intelligence sharing standards
Structured Threat Information eXpression (STIX)/Trusted Automated eXchange of Indicator Information (TAXII), McAfee Advanced
Threat Defense, and/or third-party web URLs can be aggregated and correlated in real time or historically (with McAfee Advanced
Correlation Engine or McAfee Enterprise Security Manager's Backtrace feature) against event data, providing security teams with a
deeper understanding of threat propagation within an environment. In addition, Cyber Threat Manager provides McAfee Enterprise
Security Manager with the ability to automatically ingest IOCs from various sources and use that threat data to identify incidents within
the environment. IOCs are structured files that provide indicators, such as an IP address of a botnet or a hash of a malicious file, that
might suggest an attack is taking place.
After IOCs are fed to the McAfee Enterprise Security Manager, an administrator can view the indicators in an easily readable dashboard
within the console. IOCs can also trigger indicators to be automatically added to a watch list. The watch list can then be used within a
correlation rule to identify future attacks.
In addition to being used in watch lists, the McAfee Enterprise Security Manager will also use the IOC and look back at past events with
the Backtrace feature. It will use the indicator and seek out matches with events that were received in the past. If it finds a match, it can
perform various actions. For example, if an IOC contains a malicious file hash, it can review past events and alert if the file hash is
present in an existing event.

Practical Example: Using Backtrace to Report Systems Identified as Having IOCs within McAfee ePO
Software

Set up tags within McAfee ePO software: With the Backtrace feature in the McAfee Enterprise Security Manager, analysts can
automatically search through all of the events to determine if an IOC has been observed in a previous event. If an event with an IOC
is detected, McAfee Enterprise Security Manager can perform a number of actions automatically. For this example, you can tag
systems in McAfee ePO software so that you can create a filter to display systems with IOCs and send out an email to the security
team. To set up the tag in McAfee ePO software, create a tag named FILTER: Identified by IOC in McAfee ePO software, and then
create a filter for the system tree to only show systems with the tag FILTER: Identified by IOC.


Figure 33. McAfee ePO software tag to create a filter for systems identified with an IOC.

Set up a threat feed: In the Cyber Threat Manager in McAfee Enterprise Security Manager, you can create the Cyber Threat Feed that
allows you to import an IOC and manually upload a STIX file as the IOC source. With this IOC, you can configure McAfee Enterprise
Security Manager to notify the McAfee ePO software team immediately when an IOC matches events within the environment.
This will notify the security team and allow them to inspect the systems listed in the events within McAfee ePO software easily, since
they will be tagged. To notify the McAfee ePO software team, we'll configure Backtrace to send a message when there is a Backtrace
hit. In addition to sending a message, it will also automatically tag systems associated with the event containing an IOC within
McAfee ePO software.


Figure 34. Backtrace in Cyber Threat Manager.

McAfee Enterprise Security Manager also provides the ability to parse the IOCs into an easily readable format displayed in the Cyber
Threat Indicator dashboards. Within this view, the individual components of an IOC can be identified, and any events that have elements
of the IOC can be displayed. Additionally, it will display the number of Backtrace hits and show all of the events that contain the IOC.


Figure 35. IOCs listed in Cyber Threat Indicator dashboard.

Review systems in McAfee ePO software: The security team can now look within McAfee ePO software to see a list of systems that
contain IOCs. After the security team reviews the systems, team members can take appropriate action and remove the tag, which will
then remove the system from the display.

Figure 36. Systems identified with IOCs.
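Added example, not the guide's own code: a simplified Backtrace in Python that reads indicators from a constructed STIX 2.1 bundle, looks back over constructed past events for matching values, and turns each hit into the FILTER: Identified by IOC tag plus one notification message for the security team. The guide uploads a STIX file but does not show its contents, so the STIX 2.1 JSON format, the single-comparison pattern subset handled here, and the event field names are all assumptions.

```python
import json
import re

# Constructed SHA-256 value and STIX 2.1 bundle (sample data, not a real IOC).
FAKE_SHA256 = "0123456789abcdef" * 4
STIX_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--example",
    "objects": [
        {"type": "indicator", "id": "indicator--1",
         "pattern": "[file:hashes.'SHA-256' = '%s']" % FAKE_SHA256},
        {"type": "indicator", "id": "indicator--2",
         "pattern": "[ipv4-addr:value = '203.0.113.9']"},
        # Compound pattern: outside the subset handled below, so it is skipped.
        {"type": "indicator", "id": "indicator--3",
         "pattern": "[ipv4-addr:value = '198.51.100.4' OR ipv4-addr:value = '198.51.100.5']"},
        {"type": "malware", "id": "malware--1", "name": "sample"},   # not an indicator
    ]})

# Constructed events already stored in the SIEM; this is what Backtrace looks back over.
PAST_EVENTS = [
    {"host": "WS-0042", "src_ip": "10.0.0.5", "sha256": FAKE_SHA256.upper()},
    {"host": "WS-0077", "src_ip": "203.0.113.9", "sha256": "ffff" * 16},
    {"host": "WS-0100", "src_ip": "10.0.0.9", "sha256": "eeee" * 16},
]

# Map STIX object paths onto the event fields this example stores (assumed names).
FIELD_MAP = {"file:hashes.'SHA-256'": "sha256", "ipv4-addr:value": "src_ip"}
# Matches only [object:property = 'value']; anything more complex is left alone.
PATTERN_RE = re.compile(r"\[([\w-]+:[\w.]+(?:'[^']*')?) = '([^']*)'\]")


def parse_indicators(bundle_json):
    """Return [(indicator_id, event_field, value)] for supported indicator patterns."""
    found = []
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator":
            continue
        m = PATTERN_RE.fullmatch(obj["pattern"])
        if m and m.group(1) in FIELD_MAP:
            found.append((obj["id"], FIELD_MAP[m.group(1)], m.group(2)))
    return found


def backtrace(indicators, events):
    """Look back over past events for each IOC value (case-insensitive, so hash
    casing does not matter). Returns {hostname: sorted matching indicator ids}."""
    hits = {}
    for ind_id, field, value in indicators:
        for ev in events:
            if ev.get(field, "").lower() == value.lower():
                hits.setdefault(ev["host"], set()).add(ind_id)
    return {host: sorted(ids) for host, ids in hits.items()}


def backtrace_actions(hits, tag="FILTER: Identified by IOC"):
    """Produce the two alarm actions the guide describes for a Backtrace hit:
    a tag per affected host for McAfee ePO software and one team notification."""
    tag_actions = [(host, tag) for host in sorted(hits)]
    message = "Backtrace hit: %d system(s) matched IOCs: %s" % (
        len(hits), ", ".join(sorted(hits)))
    return tag_actions, message
```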

Other Examples

Below are a few additional use case ideas.

Tracking infected systems during a malware outbreak:
o Trigger: DNS request for a specified malware domain associated with the outbreak.
o Action 1: Apply a McAfee ePO software filter tag to the system, causing it to appear in the McAfee ePO software dashboard and drive a McAfee ePO software-based remediation workflow.
o Action 2: Use a custom script to push access control lists (ACLs) to a third-party firewall or network access control (NAC) solution, blocking communication with external hosts.

Stopping data exfiltration in progress:
o Trigger: A flow anomaly indicates unusually large volumes of data leaving the network from a single host.
o Action: Apply a McAfee ePO software policy tag that brings restrictive data loss prevention policies to provide enhanced visibility of what's happening on the endpoint, and then quarantine the endpoint if warranted.

Alert on unauthorized changes:
o Trigger: Configuration or policy change event coming from a switch, router, or mission-critical application.
o Action: A custom script queries the change management system to verify that the change was expected, and alerts threat responders if the change is not authorized.

Take action on intelligence received from advanced detection tools:
o Trigger: A detection-based tool identifies a malicious object in the enterprise.
o Action: A custom script extracts threat indicators such as malicious file hashes or IP addresses from events, and then sends them to other security devices within the organization to provide protection.

Summary

In response to an increasingly complex IT ecosystem and expanding attack surface, Intel Security offers a unified threat defense
lifecycle. Intel Security delivers an integrated, connected architecture that dramatically increases speed and capacity of organizations to
prevent and respond to attacks. Our architecture reduces complexity and improves operational efficiency, providing critical integrated,
adaptive, and orchestrated intelligence and response capabilities. This empowers customers to block threats more effectively, identify
compromises, and implement quick remediation and stronger countermeasures.

Next Steps

In this paper we have examined today's reality: manual incident response processes are ineffective against an expanding and dynamic threat
landscape. The concept of SIEM orchestration provides immediate, automated responses. It is the only way for a modern enterprise to
protect against advanced attacks. Consider the examples we have provided, and determine how they apply to your organization. Look
for activities that take up significant time, and leverage the orchestration concepts we have provided here to automate and optimize
where it makes sense.
Finally, please share your questions, thoughts, successes, and challenges with others in the Intel Security Community:
https://community.mcafee.com/community/business/siem

About Intel Security


McAfee is now part of Intel Security. With its Security Connected strategy, innovative approach to hardware-enhanced security, and
unique Global Threat Intelligence, Intel Security is intensely focused on developing proactive, proven security solutions and services
that protect systems, networks, and mobile devices for business and personal use around the world. Intel Security combines the
experience and expertise of McAfee with the innovation and proven performance of Intel to make security an essential ingredient in
every architecture and on every computing platform. Intel Security's mission is to give everyone the confidence to live and work safely
and securely in the digital world. www.intelsecurity.com



Intel and the McAfee logo, McAfee ePolicy Orchestrator, McAfee ePO, and VirusScan are trademarks of Intel Corporation or McAfee, Inc. in the US
and/or other countries. Other marks and brands may be claimed as the property of others. Copyright 2016 Intel Corporation. 62359gde_siem orchestration_0516_pb
