Threat Risk Manager in the McAfee ESM

Version 4

    Introduction


    The Threat Risk Management feature in the McAfee ESM identifies the assets, risks, and threats within the environment. With this information, a security engineer can determine which vulnerabilities would cause the most impact and prioritize patches based on the assets and countermeasures that already exist in the organization.

    In addition, from a compliance perspective, Threat Risk Management can demonstrate to auditors that compensating controls are in place where a patch has not yet been applied.

    The McAfee Threat Intelligence Service (MTIS) is integrated and provides the latest threat and vulnerability details and is updated with the Rules Update.

    To ensure that you have the latest threat feed, we’ll want to update the rules by first going to the System Properties.

    Under the System Information tab, click on “Rules Update”.

    01.png

    You can set it up to automatically check the rules server on a set interval, but I’m just going to click on the Check Now button to make sure that I have the latest threat information.

    After that’s complete, I can click OK and go back to the main System Information page, and the threat feed will be downloaded automatically.

    02.png

    Great, next, I’m going to ensure that my assets are imported from ePO. If you're adding ePO to your environment for the first time, just follow the instructions in this guide.

    In this example, I’m going to use Policy Auditor as my vulnerability assessment source. To refresh my ePO device, I’ll just open up my ePO Properties, click on the Device Management, and then click on Refresh.

    03.png

    After ePO has been refreshed, I can view my Assets in the Asset Manager with the icon in the top right. I can click on the View sortable flat list of assets to change its view. I can see the Asset Details in the box below.

    04.png

    Also in the Asset Manager, I can view the threats that were pulled in by the threat feed in the Threat Management tab. The feed itself is updated daily, and the Rules Update interval determines how often those updates are pulled down to your McAfee ESM.

    05.png

    Here, I can select a threat and click on Threat Details. This will bring up a new window that shows detailed information on the threat.

    06.png

    There’s a lot of information available in the Threat Details, but I do want to point out the Countermeasures section. Here, we can see what protection options are available for the specific vulnerability. In this example, we can see that several McAfee Products could provide protection as well as a patch from the vendor.

    07.png

    The Vulnerability Detectors section provides information on which products are able to detect the presence of the particular vulnerability on a system.

    08.png

    Lastly, at the bottom there is a list of Disclosures that provide additional information and links to external news sources about the vulnerability.

    09.png

    Okay, I’m just going to close this window and go back to the Threat Management tab. If I’m interested in specific threats, I can filter this section by clicking on the filter button at the top right. When I click in the box, there’s a list of filters that I can create. For example, if I’m only interested in Adobe threats with a Threat Severity greater than 80, I use the > sign and enter 80 for the Threat Severity, and I enter adobe as the threat vendor. I’m also going to click on the case-insensitive button and then click OK.

    This will give me a list of threats that match up with my filter.
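    The filter above is a numeric threshold on Threat Severity combined with a case-insensitive text match on the vendor. As an added example (not McAfee ESM code, and not its filter syntax or API), the following Python applies the same kind of filter to a handful of constructed threat records; the field names, the `> 80` filter string and the vendor substring match are assumptions chosen to mirror the walkthrough.

```python
# Added example, not McAfee ESM code: apply a Threat Management style filter
# (numeric severity threshold + case-insensitive vendor match) to constructed
# threat records. Field names and the filter syntax are assumptions.
import operator
import re

# Constructed sample records, shaped loosely like entries from a threat feed.
THREATS = [
    {"id": "T-1", "vendor": "Adobe",     "product": "Reader",       "severity": 92},
    {"id": "T-2", "vendor": "ADOBE",     "product": "Flash Player", "severity": 75},
    {"id": "T-3", "vendor": "Microsoft", "product": "Windows",      "severity": 88},
    {"id": "T-4", "vendor": "adobe",     "product": "Acrobat",      "severity": 81},
    {"id": "T-5", "vendor": "Oracle",    "product": "Java",         "severity": 95},
]

_OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
        "<=": operator.le, "=": operator.eq}
# Optional comparison operator followed by an integer, e.g. "> 80" or "80".
_NUM_FILTER = re.compile(r"^\s*(>=|<=|>|<|=)?\s*(\d+)\s*$")


def parse_numeric_filter(spec):
    """Turn a filter string such as '> 80' into a predicate on a number.
    A bare number (no operator) means equality."""
    m = _NUM_FILTER.match(spec)
    if not m:
        raise ValueError(f"bad numeric filter: {spec!r}")
    op = _OPS[m.group(1) or "="]
    threshold = int(m.group(2))
    return lambda value: op(value, threshold)


def text_matches(value, wanted, case_insensitive):
    """Substring match, folded to lower case when case-insensitive is set."""
    if case_insensitive:
        return wanted.lower() in value.lower()
    return wanted in value


def filter_threats(threats, severity=None, vendor=None, case_insensitive=True):
    """Return the threats that satisfy every criterion that was supplied."""
    severity_ok = parse_numeric_filter(severity) if severity else (lambda v: True)
    matched = []
    for t in threats:
        if not severity_ok(t["severity"]):
            continue
        if vendor and not text_matches(t["vendor"], vendor, case_insensitive):
            continue
        matched.append(t)
    return matched


def matching_ids(threats, **criteria):
    """Convenience wrapper returning only the ids of the matching threats."""
    return [t["id"] for t in filter_threats(threats, **criteria)]


if __name__ == "__main__":
    # Same filter as in the walkthrough: severity > 80, vendor "adobe", case-insensitive.
    for t in filter_threats(THREATS, severity="> 80", vendor="adobe"):
        print(t["id"], t["vendor"], t["product"], t["severity"])
```

    With the case-insensitive option off, only the record whose vendor is spelled exactly `adobe` survives, which is why the walkthrough turns that option on before applying the filter.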

    10.png

    If there are threats that aren’t applicable, I also have the option to disable threats that aren’t in my environment with the Disable button.

    11.png

    I can also add other vulnerability assessment tools. If you select your receiver and click on Properties, you can see the Vulnerability Assessment tab.

    11.png

    Here, I can click on the add button and add a new tool. I'll just need to enter the credentials or other information for the tool. After I'm done, I can just click on OK and close out of the properties box.

    12.png

    Next, I’m going to take a look at the Asset, Threat, and Vulnerability dashboards. The dashboards are listed under the Asset, Threat & Risk menu.

    12.png

    Here’s the Recent Threat Summary. It'll be helpful to add a filter so that only MTIS threats are shown for this view. You can add a filter by editing the view and then editing the "Top Assets by Risk Score" chart. When you edit the chart, add MTIS as a filter for the Threat type, and now your chart will only display MTIS data. For more information on editing charts, here's a video that describes creating custom views.

    13.png

    This dashboard provides the latest threats that were discovered and pulled down in a feed. This dashboard shows the most recent threats, top recent threats by risk score, top threats by asset, top threats by vendor, and products that protect against the threats.

    13.png

    From this dashboard, I can look deeper at the details. As an example, I can use the dropdown in the top left and view the asset details. This will show me the details of the systems affected by this vulnerability. I can also click on the vulnerability details, which will show me the entire list of references to this vulnerability. Lastly, I can use the menu to ignore this vulnerability or retrieve additional Threat Details.

    14.png

    There’s also the ability to view the threats based on the Asset with the Asset Threat Summary. Here, I am able to see the assets sorted by the Asset Risk Score. With this information, I can prioritize systems with the highest Asset Risk Score and mitigate vulnerabilities by deploying patches or countermeasures.

    15.png

    As I review an asset, I can see which vulnerabilities are impacting the asset.

    There is also a Vulnerability Dashboard. This will provide me with a count of vulnerabilities on a per asset basis.

    16.png

    For a look at the vulnerability situation at the enterprise level, we can take a look at the Asset Vulnerability Dashboard under the Dashboard Views menu. This dashboard shows the total severity on each asset, the Total Enterprise Risk Score, and the Average Enterprise Risk Score. Using this data, you can determine the overall risk within the organization.
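    The Asset Threat Summary and the Asset Vulnerability Dashboard both come down to the same prioritization idea: rank assets by risk score, treat vulnerabilities that are already covered by a deployed countermeasure as compensated, and roll the per-asset numbers up to enterprise totals. As an added example (not McAfee ESM code), the Python below works through that on constructed assets. The page does not document how ESM computes its Asset Risk Score, so the scoring rule here (sum of unmitigated severities weighted by an assumed asset criticality) is an assumption made only to illustrate the dashboards; the asset names, products and severities are constructed.

```python
# Added example, not McAfee ESM code. The risk-score rule below is an assumed
# model for illustration; ESM's real Asset Risk Score formula is not given on
# the page. Asset names, products and severities are constructed sample data.
from dataclasses import dataclass, field


@dataclass
class Vulnerability:
    threat_id: str
    severity: int                    # 0-100, like the feed's Threat Severity
    countermeasures: list = field(default_factory=list)  # products the feed lists as protection


@dataclass
class Asset:
    name: str
    criticality: int                 # 1 (low) .. 5 (high); an assumed asset attribute
    deployed_products: set           # security products present on the asset
    vulns: list                      # vulnerabilities reported by the VA source


def is_mitigated(vuln, asset):
    """A vulnerability is compensated when any product the feed lists as a
    countermeasure is deployed on the asset (the compliance argument in the intro)."""
    return any(p in asset.deployed_products for p in vuln.countermeasures)


def total_severity(asset):
    """Total severity on the asset, counting every reported vulnerability."""
    return sum(v.severity for v in asset.vulns)


def asset_risk_score(asset):
    """Assumed model: severity of unmitigated vulnerabilities, weighted by criticality."""
    open_severity = sum(v.severity for v in asset.vulns if not is_mitigated(v, asset))
    return open_severity * asset.criticality


def patch_candidates(asset):
    """Unmitigated vulnerabilities on the asset, highest severity first."""
    open_vulns = [v for v in asset.vulns if not is_mitigated(v, asset)]
    open_vulns.sort(key=lambda v: v.severity, reverse=True)
    return [v.threat_id for v in open_vulns]


def enterprise_summary(assets):
    """Per-asset scores, enterprise total and average, and the priority order."""
    scores = {a.name: asset_risk_score(a) for a in assets}
    total = sum(scores.values())
    average = total / len(assets) if assets else 0.0
    ranked = sorted(assets, key=asset_risk_score, reverse=True)
    return {
        "scores": scores,
        "total_enterprise_risk": total,
        "average_enterprise_risk": average,
        "priority_order": [a.name for a in ranked],
    }


# Constructed sample inventory. "Host IPS" stands in for a countermeasure product.
ASSETS = [
    Asset("db-server-01", 5, {"Host IPS"},
          [Vulnerability("T-1", 92, ["Host IPS"]),
           Vulnerability("T-3", 88)]),
    Asset("workstation-17", 2, set(),
          [Vulnerability("T-1", 92, ["Host IPS"]),
           Vulnerability("T-4", 81),
           Vulnerability("T-2", 75)]),
    Asset("web-proxy-02", 4, {"Host IPS"},
          [Vulnerability("T-5", 95, ["Host IPS"])]),
]


if __name__ == "__main__":
    summary = enterprise_summary(ASSETS)
    for name in summary["priority_order"]:
        asset = next(a for a in ASSETS if a.name == name)
        print(f"{name}: total severity {total_severity(asset)}, "
              f"risk score {summary['scores'][name]}, patch next: {patch_candidates(asset)}")
    print("Total Enterprise Risk:", summary["total_enterprise_risk"])
    print("Average Enterprise Risk:", summary["average_enterprise_risk"])
```

    Note the effect of the countermeasure check: the database server carries the highest total severity, but its most severe vulnerability is compensated by a deployed product, so a low-criticality workstation with nothing deployed ends up first in the patch queue.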

    17.png

    So, that’s a quick overview of the Threat Risk Management features in the McAfee ESM. It is a powerful tool that provides an overview of the risks present as well as how best to tackle vulnerabilities within the environment.