McAfee develops the Threat Defense Lifecycle model to create a system that increases protection (Protect), quickly detects threats, malicious code entering the system, including advanced malware (Detect) and fix and respond quickly to repair the system. The system must also be able to self-learn to be compatible with the development of malicious code.
Modeling the components of the Threat hunting solution:
- ePolicy Orchestrator (ePO): The ePolicy Orchestrator system allows administration, operation, monitoring and coordination of the whole system.
- Dynamic Endpoint Security (ENS): Anti-malware solution for endpoint. Combining many malware protection features in many channels such as:
- McAfee Active Response (MAR): Detection and response solutions need to focus on three essential factors for effective threat prevention: continuous monitoring, automation and adaptation to the evolution of termites. threaten.
- Advanced Threat Defense (ATD): deep analysis system, sandbox, for analysis to detect highly sophisticated threats
- Threat Intelligence Exchange (TIE): a platform for storing, connecting, and exchanging dangerous information between components in a secure, open-standard OpenDXL security system.
- McAfee GTI – McAfee GTI measures the reputation of network communications based on the reputation of billions of IP addresses, files, URLs, protocols and location data around the world.
Solution Importance of Threat hunting:
APT attacks often use methods, technologies, and program codes that have not been detected by traditional security technologies such as firewalls (Firewall / NGFW), intrusion prevention systems (IPS), AntiVirus, AntiSpam. , … After penetration, APT threats often lurk in the system for a long time, silently develop in the organization’s infrastructure and systems, in order to exploit, steal information, execute items. target on which the person / organization attacks.
It is often difficult for organizations / businesses to detect that they have been exposed to an APT attack because of the limitations of traditional technologies and solutions, which are designed to recognize and prevent hazards based on signature. and infringement and rating – the nature of which is known, declared hazards. APT attacks also do not manifest or cause problems for the computers or systems in use.
The current problem is not whether the system can be compromised, how not to be compromised. With the technologies and the evolution of malicious codes today, the system can be compromised at any time, statistics show that the time to attack and compromise a system is usually only minutes.
Therefore, the problem for the security team is to quickly and effectively detect common malware as well as high-level, newly arising and unrecognized malware; detect and promptly prevent harmful and unusual acts and activities of each server or workstation on the system; hunt and respond quickly to clean and repair your system.