Category Archives: public sector

Custom Applications with CASB

More and more organizations are making the decision to move their legacy, in-house applications to the cloud mainly due to the cost savings. One of the major concerns about moving applications to the cloud is how to secure an application that was originally designed to be on-premise.

When these applications were behind on-premise network security there was not a concern about who would be able to access them and what they were doing in the application. Moving to the cloud now introduces this dynamic and with it concerns around how to control who accesses the applications once they are in the cloud.

This move to the cloud now also opens the door to accessing applications from anywhere in the world and potentially any device. Being able to have visibility into where a user is logging in from geographically as well as what activities a user takes beyond an initial login and the context upon which that access occurs will help keep the data secure.

These same applications may have relied on a local directory to store attachments or documents. Moving to the cloud would likely mean storing those same attachments or documents in a cloud-based directory like Amazon Web Services (AWS) Simple Storage Service (S3) or Microsoft Azure Blob Storage.

When on-premise access to the application or information within the application would typically be limited to a corporate-wide incident. If access settings in the cloud are misconfigured, then the exposure is much larger.

Having the ability to easily and quickly add these capabilities to applications being moved to the cloud can be addressed by leveraging an API framework into the model. Incorporating an API framework would provide the following capabilities:

  1. Prevent unauthorized sensitive data from being stored in cloud collaboration, file-sharing, or storage devices
  2. Capture a complete audit trail of all user activity for forensic investigations
  3. Detect malware, compromised accounts, privileged access misuse and insider threats
  4. Successful/failed login attempts
  5. Who is accessing the application, device type, IP address, role of the user and geographic location
  6. How much data is being accessed, created, updated, deleted, downloaded, shared, or uploaded

MVC for Custom Applications will enable organizations to enforce CASB policies without the need for developers to spend a lot of valuable time writing code. This will allow legacy applications to have the MVC CASB enforce security policies enforced on it, whether the application is in a private data center or in the cloud.

To learn more about McAfee’s cloud solutions, check out McAfee MVISION Cloud Portfolio.

The post Custom Applications with CASB appeared first on McAfee Blogs.

Zero Trust, SASE-Digital Enablers or Adding Complexity to Cyber Ecosystems

Given the title of this article I suspect you are reading this because you have been in a recent situation where you have been asked the question “What is the difference between Zero Trust and SASE?”. I further suspect that the next question you were asked of course is “Which approach is right for my organization?”.  The reality is they are built upon a similar foundation of least privilege management and both matter in the bigger picture. The real question is how do you apply ZTA and SASE to your organization.

The answer is complex. Yes, this may seem like a classic consultant’s default position on just about any complicated question. In this case, it really does depend on several factors. First let’s look at the basic definitions of ZTA and SASE and their origins.

The term Zero Trust was first originated by the industry analyst Forrester a little over a decade ago. The initial concept focused on segmenting and securing the network across locations and hosting models and promoting the idea of the Zero Trust model — the need to challenge and eliminate the inherent trust assumptions in our security strategies that made us vulnerable to external and internal attacks.

Fast forward to the present, Zero Trust has evolved to a framework and or strategy as described by some industry experts. The current definition further extends the concept for secure network connectivity where the initial security posture has no implicit trust between different entities, regardless of whether they are inside or outside of the enterprise perimeter. Least-privilege access to networked capabilities is dynamically extended only after an assessment of the identity of the entity, the system and the context.

Secure Access Services Edge [“pronounced SASSY”] is a term defined by Gartner in 2019. SASE builds on the ZTA concept however credits digital business transformation and specifically introduces the concept that the future of network security will be in the cloud. The SASE model or framework promotes the concept which inverts network and security service design patterns, shifting the focal point to the identity of the user and/or device — not the data center. SASE suggests that Security and risk management leaders will need a converged cloud-delivered secure access service edge to address this shift.

The National Institute of Science and Technology (NIST) has also weighed in on its definition of Zero Trust with the release of NIST SP 800-207. NIST goes on to define ZTA is not a single network architecture but a set of guiding principles in network infrastructure design and operation that can be used to improve the security posture of any classification or sensitivity level.

Many organizations already have elements of a ZTA and or SASE in their enterprise infrastructure today. Organizations should seek to prioritize the identification of architecture gaps against its current state and incrementally implement zero trust principles, process changes, and technology solutions that protect its data assets and business functions towards a future desired state outcome with measurable success criteria well defined in advance.

Most enterprise infrastructures will operate in a hybrid Zero Trust-SASE/Legacy mode for the next several years while continuing to invest in ongoing IT modernization initiatives and improving organization business processes. Organizations need to implement effective information security and resiliency practices for zero trust and SASE to be effective. When complemented with existing cybersecurity policies and guidance, identity and access management, continuous monitoring, and good cybersecurity best practices, ZTA and SASE can reinforce an organization’s security posture using a managed risk approach and protect against common and advanced threats.

Final thoughts on the path forward. Crawl, walk, run towards ZTA and SASE. Engage your security vendors and have them assist you with ZTA/SASE Workshops to assist with identifying your organizations priorities. Shared experiences with implementing ZTA and SASE are key to successful adoption. When exploring ZTA and SASE, remember you need a comprehensive device to cloud strategy.

The post Zero Trust, SASE-Digital Enablers or Adding Complexity to Cyber Ecosystems appeared first on McAfee Blogs.

Smart Government and IoT: The Importance of Integration

How does one define “smart” in the digital age?  It can be argued that the term represents a creative solution driven by a precise mission.  To another, it’s defined by the latest machine learning (ML) algorithms and artificial intelligence (AI)-guided decision-making features in the newest release of a tool.  While its meaning varies for each stakeholder, the public sector – smart government – is evolving toward a unified architecture that encourages integration, agile innovation, and information sharing across platforms and Agencies.

The definition of “endpoint” has evolved beyond a typical operating system (OS) to a myriad of routers/switches, platform technologies, industrial control systems (ICS), and Internet of Things (IoT) devices.  It is forecasted that the number of connected IoT devices will surpass 25 billion by 2021.  This transformation, combined with the rapid adoption of mobility and cloud, creates a complex environment and expanded attack surface at a time when threats are more sophisticated than ever before.

ICS and IoT present unique challenges as weak security controls and lack of asset visibility give attackers the advantage.  A fundamental difference also exists between traditional Information Technology (IT) systems and ICS/IoT; IT is information-focused, while ICS is focused on the physical process with its own set of network protocols.  For example, an exploit which creates Level 2 (Control) access of the Purdue Model is a prime target for cyberwarfare on critical infrastructure.  Most ICS/IoT challenges can be boiled down to three primary categories: Asset Discovery and Tracking, Threat Detection, and Risk Management.

Asset Discovery and Tracking

How can you protect what you can’t see?  Comprehensive security requires full visibility of each asset, its status, and its communications within the environment.  Configuration change control is crucial.  Proper authentication and validity of the PLC commands must be monitored to ensure there are no disruptions to the physical processes.

Threat Detection

Ransomware is a growing threat and is expected to target an increasing number of IoT devices.  Embedded security controls paired with the latest threat intelligence combat threats that may be prevalent on the network and/or specific devices.  With critical infrastructure, zero-day malware is a top concern and highlights the importance of vendor integrations that share a common message bus.  The ability for one tool to identify a previously unknown threat, simultaneously inoculate the enterprise, and share the indicators in real-time across Agencies sends a powerful message.

Risk Management

It only takes a single compromised device to infiltrate the network.  Understanding vulnerable devices, patch levels, and misconfigurations is a crucial step in reducing the attack surface.  Comprehensive reporting and behavior analysis help lesson the environment risk profile and answer some common questions: What has exceeded the baseline?  Is this unauthorized use?  What changes were made to the system configuration?

As the public sector continues to innovate, adopt new technologies, and embark on the journey to cloud, integration becomes the “smart” path to mission success.  Convergence creates simplicity.  Security solutions must be unified to create an efficient and consistent security management experience that adapts to dynamic and hybrid environments.  Today’s cybersecurity challenges require an open and collaborative approach to reduce risk and combat the adversary; no single vendor can satisfy every requirement of the enterprise.  Interoperability provides a cohesive ecosystem which maximizes the value of existing security investments.

As environments evolve and become more complex, ensure your security vendors share the same passion and tenacity for your mission. Constant innovation should be the norm as we face our adversaries together as one team.  With our partners, we can provide a holistic and unified architecture that breaks the traditional silos and ushers in a new era of cybersecurity prowess.  We are better together. Challenge your security vendors to work together with you in support of reaching the desired outcome and mission objectives.

Learn more about MVISION Cloud Portfolio

The post Smart Government and IoT: The Importance of Integration appeared first on McAfee Blogs.

Interoperability Is Key To Cybersecurity – A Conversation at CSIS

Interoperability – a subject that for too long cybersecurity companies have treated as an inconvenient nuisance – is finally getting the attention it deserves. In February, I had the opportunity to discuss the critical nature of interoperability with true security experts in the public and private sectors. We agreed that to solve the world’s biggest security problems, collaboration in the cybersecurity industry should become the new norm.

McAfee has long promoted interoperability in our products and through our corporate tagline “Together Is Power.” It was encouraging to hear the perspective of NIST’s Donna Dodson, Cyber Threat Alliance’s CEO Michael Daniel and CSIS’s Jim Lewis, all of whom agreed that designing tools that interoperate with each other is integral to successful cybersecurity and will improve security outcomes for organizations and governments.

Here are some highlights of our discussion:

  • For too long, vendors touted their proprietary “secret sauce” to compete on who had the best (yet incomplete) data set. They’d be better off taking advantage of initiatives like the Cyber Threat Alliance’s information-sharing program, allowing them to shift their focus from improving data sets, to the power of their analytics and the tools they develop for understanding the data. Competing at this level and not on the level of proprietary data sets will help the industry with better insights that ever before, providing a more complete picture of the threat landscape.


  • The federal government has added new cyber tools to its arsenal in recent years, but many of them can’t talk to each other. As NIST’s Donna Dodson noted, enabling these tools to work together has significant security and operational benefits. In short, interoperability has real-world business advantages, not just technical ones. Giving businesses and organizations, including the federal government, a full suite of interoperable solutions and tools will have benefits that extend beyond just security.


  • Major efforts are underway to make widespread interoperability a reality. From the standards work of various standards development organizations such as OASIS, IETF and others, as well as industry groups such as the Open Cybersecurity Alliance, dedicated to advancing integrated interoperability, organizations are collaborating to help develop standards, open source common communications and data federation capabilities, tools and policies.

Interoperability is critical and vital on multiple levels, as cyber threats continue to challenge organizations across the globe.  We must be able to share standardized threat data. We must be able to integrate our cyber defense tools in a much simpler fashion than is possible today. Organizations need to be able to purchase best-of-breed defensive solutions and integrate them quickly and easily.  We cannot continue to put the cumbersome burden of product and data integration on each organization that buys cybersecurity products.

Cybersecurity vendors should not be competing on plumbing. We must find ways to up-level competition between vendors while focusing on defending against the adversary we all face daily. We need to focus on improving security in order to, for example, help hospitals better understand the threat landscape to prevent life-threatening attacks and help the Department of Defense better identify national security threats. Interoperability makes these things possible, and we must continue to have important conversations like these to make interoperability a reality.

To watch our full discussion, click here.



The post Interoperability Is Key To Cybersecurity – A Conversation at CSIS appeared first on McAfee Blogs.

Why do I need a CASB for Shadow IT when I already have a SIEM?

Why does my organization need to have a Shadow IT solution when we already own a Next-Gen Firewall / Web Proxy and have all the logs in a Security Information and Event Management (SIEM) solution?

This is a question we are often asked by our customers. The answer is that MVISION Cloud CASB allows organizations to uncover Shadow IT usage that is not visible via a query in a SIEM or with Next-Generation Firewall (NGFW) / Secure Web Gateway (SWG) tools. NGFW and Web Proxies typically catalog web services using a category and a reputation score. So, a Russian email service, like, would simply be categorized as “Web-based Email” with “Trustworthy” reputation. A typical output of a web reputation score from NGFW / SWG is shown below.

Source: WebRoot BrightCloud Threat Intelligence

What it doesn’t tell you is that is hosted in Russia, that it does not encrypt user data at rest, and that it is a source of leaks to the Darknet. It’s definitely not the kind of site a security-conscious organization would want its employees using at work.

The reason for this discrepancy in cloud service assessment is that NGFW/SWG products primarily look at a cloud services from a traditional cyber security perspective: Is the site a source for spam, web attacks, malware, etc.? MVISION Cloud CASB starts there, and also looks at the cloud service business risk. MVISION Cloud provides each cloud service a risk score based on an assessment of 46 control points, covering over 240 risk attributes. Furthermore, McAfee MVISION Cloud maintains a detailed registry of over 26,000 cloud services, with approximately 100 new services added to the registry each month. For comparison, the registry of a leading NGFW vendor currently has a little over 3,000 services. The good news is that Shadow IT data discovered by MVISION Cloud can be consumed by an organization’s existing security stack to block user access or limit the scope of user activity within a service. Here’s how this service ranks in MVISION Cloud:

McAfee often gets asked the following question: If Shadow IT findings are based on web traffic log data stored in a SIEM, why can’t I find information about an organization’s Shadow usage directly from a SIEM console? The main reason is that a SOC analyst doesn’t know what he doesn’t know. If asked “Show me all PDF converters hosted outside of US that are used on organization’s network,” where does a SOC analyst even start, what does he search for?

The easier route is to utilize McAfee MVISION Cloud CASB and search the MVISION Cloud Registry for “Document Conversion” services and see which unsanctioned PDF converters are “in use.” The SOC analyst can then send the MVISION Cloud Registry data about the suspect services directly to a SIEM via API. This data can now be used to seed searches within the SIEM tool for further analysis by SOC analyst.

Another scenario where MVISION Cloud makes a traditional SIEM more “cloud aware” is logging URL space for complex services. For example, if a SOC analyst wants to block Netflix and creates a rule to block all * URLs, he will be surprised to find that Netflix is not actually blocked, and users can still access the content. The reason for this is that most NGFW/SWG products know of only a handful of ways to get to a cloud service. MVISION Cloud, through its crowd sourcing approach, knows of 100s of ways to get to a cloud service and updates these as URLs change. Going back to the Netflix example, below is a screenshot from the MVISION Cloud console showing some of the other URLs associated with the video streaming service.

If a SOC analyst searches for * in a SIEM console, he will only get a partial view of all Netflix activity. The SOC analyst would need MVISION Cloud to figure out the * domains and other ephemeral URL strings to get a complete view of the Netflix service on the organization’s network. Ultimately, MVISION Cloud for Shadow IT should be used as a complimentary tool to an organization’s SIEM capability. It’s a symbiotic relationship. An organization’s SIEM is the source of Shadow IT data for MVISION Cloud, but it is MVISION Cloud that makes the SIEM tool cloud aware.

Keep reading about MVISION Cloud here.

The post Why do I need a CASB for Shadow IT when I already have a SIEM? appeared first on McAfee Blogs.

Cybersecurity through openness: creating the right company culture

Interoperability and openness are concepts that have a tendency to turn technical quickly. But for McAfee, it goes beyond software. To stay cybersecure, organisations need to build in openness in their company structures, ensuring that different departments, from engineering, to legal, HR and business development teams all work together to protect the company and its assets.

At McAfee, we’ve embedded openness and interoperability both in how we develop our software and in the way the company works because it’s good for business. Increasingly we see that in a maturing cybersecurity protection market, companies need to break out of some of the silos they have built into their organisations, or risk exposing vulnerabilities to the ever-growing threat of cybercrime.

Business culture issues crop up too regularly to be ignored. Whether it’s a privacy officer locking down data that could prove critical to ensure a company’s cybersecurity, security officers failing to explain to other business units how to use a new piece of technology or software in a safe way, or business development executives cutting corners on security to drive down cost these all can leave an organisation exposed to malicious actors. Just as different pieces of software need to work alongside each other, different parts of the business need to work in lockstep to keep cybercriminals out.

Of course, the technical challenge remains. A recent paper from the Center for Strategic and International Studies (CSIS), a top-tier think-tank based in Washington D.C., put the challenge succinctly: “Instead of spending their time responding to threats,” the paper says, “cyber professionals are occupied with managing a complex web of products and services that was supposed to make their jobs easier.”

The proliferation of tools is never going to be solved entirely, but a common set of standards, protocols, taxonomies and foundational open-source software can help ensure that threat intelligence is classified in a common way, anomalies are communicated effectively, and responses are efficient and automatable.

Kent Landfield, our chief standards and technology policy strategist, explained how McAfee approaches interoperability at an event hosted by CSIS in February: “We’re not fighting over the plumbing, or the data communications, but over the real value of the product and what it is bringing to the market.”

In short, Cybersecurity vendors should compete on providing the best solutions, such as threat protection services, to their customers, not on who has the best messaging system or the least-incomplete set of threat-intelligence data.

Work is already being done to solve this issue, through the Open Cybersecurity Alliance, comprising some of the leading interoperability-friendly cybersecurity companies in the market, and information and security executives in companies can help in this effort by building in openness and interoperability into their buying decisions.

Technical and commercial interoperability among vendors is only one part of the solution. Companies need to also look into their own organisation and structure to make sure their security culture allows these tools to be as efficient in tackling cyber threats as possible.

The post Cybersecurity through openness: creating the right company culture appeared first on McAfee Blogs.