McAfee Risk Advisor (MRA) is an ePO-based product that pulls in information from multiple McAfee products and correlates it to give customers actionable intelligence about the risk attached to every asset in the organization. Specifically, MRA gets information about new and emerging threats from the McAfee Threat Intelligence Services (MTIS) feed, vulnerability information from vulnerability detectors such as McAfee's Vulnerability Manager (MVM) or Policy Auditor (PA) products, countermeasure information (i.e., the protection offered by McAfee products such as VirusScan Enterprise (VSE) and the Host and Network Intrusion Prevention products) from ePO, and the criticality assigned to each asset, also from ePO. MRA uses a proprietary algorithm to calculate a risk value for every asset, which can be used to identify the assets that need immediate attention.

 

Our customers use MRA to drive their decision-making process whenever new patches are released. Many customers rely on the built-in MRA reports to identify the critical/high-priority patches that need to be rolled out immediately. Lower-priority patches are often rolled out only with the service packs that Microsoft releases. Here's how one of our customers uses the MRA reports:

 

  1. The customer runs the report to get a list of all the patches released on a Patch Tuesday, the rating for each patch (supplied by the vendor), and information about the threat, including whether it has a known/publicly disclosed exploit, whether a McAfee countermeasure will protect against the exploit, etc. The report from the July Patch Tuesday looks like this:

[Image: MRA_PatchTuesday.jpg]

 

  2. The next order of business is to determine the "exploitability" of the vulnerabilities underlying the patches. Our customers use the CVSS score as a proxy to understand how "exploitable" the threat is. The report for this also includes the CVE reference values:

 

[Image: MRA_Exploitability.jpg]

 

This particular customer has a committee of 5 InfoSec team members who go over each of the items in these two reports to decide which patches need to be rolled out immediately. Unless the Patch Tuesday involves a lot of releases, this exercise takes about an hour to complete. After picking the patches, the customer then identifies which assets to roll them out to. In the next article, we will talk about how this prioritization is done.