1 Reply Latest reply on Jun 29, 2017 8:48 PM by d_aloy

    Proof of concept for Security Stack Installation (AV, ATD, vNSP etc.) - Generic Guidelines

    wonder007

      Hello Experts

      I am new to the Security world and especially to carrying out a Proof of Concept. It would be highly appreciated if someone can share an example/sample PoC report which may list all steps which should be completed to carry out a successful PoC. Sorry, it is a very generic question but I need a starting point.

      I have to start with the installation of vNSP/NSM integration first followed by AV, ATD etc.

      Thanks in advance

      Porter

        • 1. Re: Proof of concept for Security Stack Installation (AV, ATD, vNSP etc.) - Generic Guidelines
          d_aloy

          Hi Porter

          Ok... You got me there.. I never thought I would see this sort of question on the forum - it is usually more focused around the NSP technology itself, whilst your question is pre-sales/process/consultancy type. But hey!... we are all here and there are lots of people around (P!) with experience on PoCs - so we should be able to help you (a bit at least)....

          Going back to your question...

          First of all... it scares me that you are *new to security* and you are in front of this challenge. This PoC is definitely not for *security newbies*.

          Second... your question is *extremely* generic, and the way you have formulated it makes me first of all give you the following advice:

          • If you are a McAfee partner, and there is no one in your company that can help you with this - then your best option is to reach out to the McAfee Sales organisation so that they can assign an SE or consultant to help you with this. The integration of NSP, ATD, DxL, EIA works.... but as with all technology, each environment is different and unless you really know your stuff you may not succeed on this challenge.
          • If you are the end user - then a McAfee partner or a McAfee SE should be doing the hard work for you, making sure it all works.

          By the way you have formulated the question, I will assume you have to run the PoC, and in this case, you are a winner!!

          Or in other words....

          Basically, your NSP/ATD/DxL PoC is the mother of all PoCs! You are trying to demonstrate how multiple McAfee solutions can work together to provide a better/faster/more reliable security control than what the customer currently has (or does not have). I would even add the McAfee SIEM on top, so you can create some nice dashboards for the execs to show off what a good investment that was.

          Said this, let me try to help you a bit more:

          • The generic guideline for a successful PoC (proof of concept) is to understand what the customer pain is, and then demonstrate how the technology you are proposing will help them resolve their problem, in the most efficient and economical way. Given this, do you know:
            • What is the 'problem' the customer is trying to resolve?
              • Are they trying to protect online services they provide?
              • Or... Are they looking to protect their users?
              • Do they need IPS for audit reasons? (i.e. PCI)
              • etc...
            • What are the customer requirements? (i.e., are the IPS sensors to be deployed in physical datacenters? If yes, what's the throughput and port density required? What's the network topology? Do they need high availability? Or are they looking to protect private/public cloud, and if yes which cloud(s) are they using?)
            • What's their timeline and budget?
            • Who are the internal (customer) sponsors for this project? (that is, the ones holding the money)

          • From the technology (and this forum as I understand) point of view, I don't really care about points 3 and 4 above (leave it to the Sales account manager), but I am really interested in questions 1 and 2 - what's the problem and why you think NSP with all the integration add-ons will succeed on the customer environment, and what needs to be deployed to demonstrate that is the solution they need?

          • The answer to all the above questions will provide the base guideline on what needs to be done on the PoC.

          So.. After we've done the pre-sales/consultancy work... Let's move to the technology:

          NSP (Network Security Platform): is the McAfee IPS solution, which includes:

          • NSM: Network Security Manager - you use it to manage the IPS sensors and NTBA appliances, and also to manage integrations with other non-NSP solutions, like ATD, EIA, GTI, TIE/DxL
          • IPS Sensors: you currently have three types of Intrusion Prevention Systems: M-Series (physical device, out of scope in your case I believe), NS-Series (physical device, a potential candidate in your case), and vIPS (virtual IPS, currently working on VMware, Openstack and AWS clouds, also a candidate)
          • NTBA - network threat behavioral analysis - netflow analyser devices, available both in physical and virtual format
          • MLC - McAfee Logon Collector - you get this as a freebie when you purchase NSP - it integrates with Active Directory to get source/destination users for the IPS alerts
          • EIA - Endpoint Intelligence Agent - it's an ePO endpoint agent that integrates with NTBA and provides data on which executable on the endpoint is generating the network traffic seen by the IPS/NTBA devices. Also a freebie when purchasing NSP.

          So basically, there is no integration between vIPS and NSM - you must install the IPS sensors on a manager if you want to use them.

          NSP integration points:

          • ePO - ePolicy Orchestrator - is the endpoint manager you will need to deploy to manage all the endpoint bits on this PoC
          • ATD - sandboxing. ATD appliances can receive files from NS-series and vIPS sensors, and also integrate with TIE/DxL to receive and share information (IOC) from files seen at the endpoint
          • TIE/DxL - TIE is the 'private' IOC repository your customer will build over time, and DxL is the communication bus used by McAfee solutions to share IOC information almost in real time (so if a file traversing the IPS sensors is sent to ATD, and ATD convicts the file as malicious, that information is sent over DxL to the TIE server, which in turn shares that file reputation with the endpoints)
          • GTI - McAfee cloud based reputation services
          • EIA/MLC - part of NSP as explained above

          Ok... So now we have the customer requirements, and we understand what technology we can use to resolve their problem. These are the *very* generic guidelines for a successful PoC.

          Of course on top of getting the customer requirements and sizing the solution for a successful PoC, you will need experience in deploying/installing the different solutions involved on this PoC (NSP, ATD, TIE, ePO, AV, etc), have a good understanding of networking and network protocols to troubleshoot the *usual* problems on any network, and understand what security features/configuration will be required on each solution (network, endpoint and sandboxing) to *WOW* the customer - and hopefully, get your sales bonus.

          As I said before, this is one of the most complex proof of concepts you can run - not because of the technology itself (things go wrong anyway, we all know...), but because of the broader IT/ITSEC knowledge required to understand what it is that needs to be demonstrated to resolve the customer's problems and the easiest and quickest way to get there.

          Based on my experience (having done that), if you aren't 100% clear on all the above and you have not integrated these solutions in your home lab, I would strongly suggest you reach out for some *more* help - you have obviously reached out to this forum, but I believe you will need to engage the vendor directly for this support for this PoC.

          I hope this helps.

          Regards

          David