McAfee Enterprise MVISION Cloud for AWS extends MVISION Cloud features to monitor, secure, and audit AWS environments for threat protection, anomaly detection, configuration audit, and forensic audit logs. MVISION Cloud provides this capability by using public AWS APIs.
MVISION Cloud for AWS has SOC-specific threat protection and incident response workflows to remediate potential insider threats, privileged user threats, and compromised accounts.
Prevent data exfiltration
MVISION Cloud offers organizations visibility into critical or sensitive data stored in Amazon Simple Storage Service (S3) to assure proper protection of data used in their AWS environment. Its content engine automatically classifies sensitive information. Then, it enforces controls to remove or quarantine sensitive data and prevent data exfiltration via cloud-based email and messaging.
Identify configuration issues
MVISION Cloud can also help AWS customers identify configuration issues in DevSecOps pipelines, workloads, containers, and other services before they can cause serious problems. It automatically audits the security configuration of cloud services and suggests modifications to improve your security posture based on industry best practices. You can also audit user permissions and apply least-privilege permissions.
- The following AWS regions are currently supported for fetching CloudTrail and VPC flow logs:
- Because the Continuous Evaluation (CE) CSPM feature depends on activity from CloudTrail, any region not listed above is affected.
- On-demand scan (ODS) CSPM continues to work for all regions, including those not listed above.
Accelerate incident response
MVISION Cloud finds insider threats, compromised accounts, and suspicious activities like superhuman travel and unusual downloads through user and entity behavior analytics (UEBA) and threat identification. It leverages machine learning to build behavior models that detect active account compromise and insider threats. The solution also uses sandboxing and signatures to identify malware in the cloud and stop threats.
Using AWS CloudTrail, MVISION Cloud for AWS captures activities to provide post-incident investigation insight and forensics support.
Using CloudTrail logs, MVISION Cloud profiles the current cloud application security settings and suggests changes to improve security based on industry best practices. MVISION Cloud continuously monitors AWS configuration against regulatory requirements to streamline internal and external audits, such as ISO 27008, PCI, or HIPAA.
This integration is designed to feed McAfee Enterprise MVISION Cloud incident data to AWS Security Hub. In doing so, we provide customers access to more data that’s organized in a single dashboard (AWS Security Hub). Once the data has been delivered, it can be viewed easily in the AWS Security Hub dashboard or used as a data source for complex AWS queries. These queries can in turn be saved for visibility or alerting through workflow provided by AWS Security Hub.
AWS introduced the concept of the Amazon Findings Format (AFF) to simplify and standardize events being stored and shared across their own services. These AFF messages can be sent to AWS Security Hub, which collects this data and makes it available in a security dashboard. AWS Security Hub is designed in a manner that allows McAfee Enterprise to share incident data that has been found using MVISION Cloud for AWS.
AWS security services like Amazon GuardDuty, Amazon Macie, and AWS Security Hub can be used to identify potential security issues, or findings, but sometimes there is a finding where you need to dig much deeper and analyze more information to isolate the root cause and take action. The Amazon Detective service automatically collects log data from AWS resources and uses machine learning, statistical analysis, and graph theory to help customers visualize and conduct faster and more efficient security investigations. McAfee Enterprise support will include full integration with Amazon Detective, allowing for the detection of configuration issues or other cloud risks using MVISION Cloud, along with the ability to move more seamlessly into the investigation phase with Detective.
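What the producer side of the Security Hub integration described above has to do, as an added example (not McAfee's or AWS's code): build each incident as a finding in the schema Security Hub accepts, which AWS documents as the AWS Security Finding Format (ASFF), check the fields Security Hub rejects a finding without, and import findings in batches through the `BatchImportFindings` API. The incident dict layout is hypothetical, the account id and region are placeholders, and the `RecordingClient` is an offline stand-in for a boto3 `securityhub` client.

```python
"""Feed incident data into AWS Security Hub in the format it accepts (ASFF).

Added example; not McAfee's or AWS's own code. The incident layout below is
hypothetical and the account id / region are placeholders."""
from datetime import datetime, timezone

SCHEMA_VERSION = "2018-10-08"
BATCH_LIMIT = 100          # BatchImportFindings takes at most 100 findings per call
SEVERITY_LABELS = {"INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"}
REQUIRED_FIELDS = (
    "SchemaVersion", "Id", "ProductArn", "GeneratorId", "AwsAccountId", "Types",
    "CreatedAt", "UpdatedAt", "Severity", "Title", "Description", "Resources",
)

def utc_now():
    # ASFF timestamps are ISO 8601 in UTC with a trailing Z
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def product_arn(region, account_id):
    # ARN a custom (non-Marketplace) integration uses to import its own findings
    return f"arn:aws:securityhub:{region}:{account_id}:product/{account_id}/default"

def incident_to_finding(incident, region, account_id, now=None):
    """Map one incident (hypothetical layout) to an ASFF finding dict."""
    now = now or utc_now()
    return {
        "SchemaVersion": SCHEMA_VERSION,
        "Id": incident["id"],                    # must be unique per ProductArn
        "ProductArn": product_arn(region, account_id),
        "GeneratorId": incident["policy"],       # which policy or detector raised it
        "AwsAccountId": account_id,
        "Types": [incident["type"]],             # namespace/category/classifier path
        "CreatedAt": incident.get("created_at", now),
        "UpdatedAt": now,
        "Severity": {"Label": incident["severity"]},
        "Title": incident["title"],
        "Description": incident["description"],
        "Resources": [
            {"Type": r["type"], "Id": r["id"], "Region": region}
            for r in incident["resources"]
        ],
    }

def validate(finding):
    """Catch locally the errors Security Hub would otherwise report per finding."""
    missing = [f for f in REQUIRED_FIELDS if f not in finding]
    if missing:
        raise ValueError(f"missing ASFF fields: {missing}")
    if finding["Severity"].get("Label") not in SEVERITY_LABELS:
        raise ValueError(f"bad severity label: {finding['Severity']}")
    if not finding["Resources"]:
        raise ValueError("a finding needs at least one resource")
    return True

def batches(findings, size=BATCH_LIMIT):
    for i in range(0, len(findings), size):
        yield findings[i:i + size]

def submit(findings, client):
    """client: a boto3 securityhub client, or anything with batch_import_findings.
    Returns how many findings Security Hub reported as failed."""
    failed = 0
    for batch in batches(findings):
        for f in batch:
            validate(f)
        resp = client.batch_import_findings(Findings=batch)
        failed += resp.get("FailedCount", 0)
    return failed

# Constructed incident in the shape MVISION-style incident data is assumed to have
SAMPLE_INCIDENT = {
    "id": "incident-0001",
    "policy": "S3 bucket publicly readable",
    "type": "Software and Configuration Checks/AWS Security Best Practices",
    "severity": "HIGH",
    "title": "Public read access on S3 bucket",
    "description": "Bucket policy grants s3:GetObject to everyone.",
    "resources": [{"type": "AwsS3Bucket", "id": "arn:aws:s3:::example-bucket"}],
}

class RecordingClient:
    """Offline stand-in for boto3's securityhub client; records what was sent."""
    def __init__(self):
        self.calls = []
    def batch_import_findings(self, Findings):
        self.calls.append(list(Findings))
        return {"FailedCount": 0, "SuccessCount": len(Findings)}

if __name__ == "__main__":
    finding = incident_to_finding(SAMPLE_INCIDENT, "us-east-1", "123456789012")
    client = RecordingClient()
    print("rejected:", submit([finding], client), "calls:", len(client.calls))
```

With a real client (`boto3.client("securityhub")`) the `Id` must stay stable across re-submissions of the same incident, because Security Hub treats a repeated `Id` under the same `ProductArn` as an update rather than a new finding; that is what makes `UpdatedAt` meaningful in the dashboard.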
MVISION Cloud for AWS uses existing analytics capabilities, customized for AWS deployments:
- Account Access Analytics. Identifies inactive user accounts and former employees who retain access to AWS so their accounts can be deleted to reduce latent risk.
- User Behavior Analytics. Automatically builds a self-learning model based on multiple heuristics and identifies patterns of activity indicative of a malicious or negligent insider threat.
- Privileged User Analytics. Identifies excessive user permissions, inactive administrator accounts, inappropriate access to data, and unwarranted escalation of permissions and user provisioning.
- Account Compromise Analytics. Analyzes login attempts to identify impossible cross-region access, brute-force attacks, and untrusted locations indicative of compromised accounts.
Activity Monitoring in MVISION Cloud for AWS means activities are visible within 10 minutes of occurring (once CloudTrail has logged them).
Activities are categorized into commonly understood categories, meaning your information security team doesn't need to worry about each activity name. The Activity page also includes geo-locations of activities across accounts.
The Omnibar allows you to search and filter activities by attributes such as user name, IP address, city, country, IP organization, and more. You can download a set of activities as a CSV file that can be submitted as forensic evidence.
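The activity view described here, as an added example that is not MVISION Cloud's code: raw CloudTrail records are flattened into the attributes the page lists (user name, IP, city, category), folded into a few coarse categories by event-name prefix, filtered Omnibar-style, and exported as CSV. It also carries two of the Account Compromise Analytics checks from the list above, failed-login counting per source IP and "superhuman travel" between consecutive successful logins. Every record is constructed, `GEOIP` is a constructed stand-in for a GeoIP database, and the 1000 km/h and five-failure thresholds are assumptions.

```python
"""Activity monitoring over CloudTrail records (added example; constructed data).

GEOIP stands in for a GeoIP lookup, since CloudTrail records carry a source IP
but no location. Thresholds are assumptions, not product settings."""
import csv
import io
import math
from collections import Counter, defaultdict
from datetime import datetime, timezone

def _login(user, ip, time, ok=True):
    # Shape of a CloudTrail ConsoleLogin record, reduced to the fields used here
    return {"eventTime": time, "eventSource": "signin.amazonaws.com",
            "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
            "userIdentity": {"userName": user}, "sourceIPAddress": ip,
            "responseElements": {"ConsoleLogin": "Success" if ok else "Failure"}}

def _api(user, ip, time, source, name):
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "awsRegion": "eu-west-1", "userIdentity": {"userName": user},
            "sourceIPAddress": ip}

RECORDS = [  # constructed
    _login("alice", "198.51.100.7", "2024-03-01T09:00:00Z"),      # Dublin
    _api("alice", "198.51.100.7", "2024-03-01T09:05:00Z", "s3.amazonaws.com", "ListBuckets"),
    _api("alice", "198.51.100.7", "2024-03-01T09:06:00Z", "s3.amazonaws.com", "PutObject"),
    _login("alice", "203.0.113.9", "2024-03-01T09:30:00Z"),       # Singapore, 30 min later
    _api("alice", "203.0.113.9", "2024-03-01T09:31:00Z", "iam.amazonaws.com", "AttachUserPolicy"),
    _login("alice", "192.0.2.44", "2024-03-02T09:00:00Z"),        # Dublin next day: plausible
] + [_login("bob", "203.0.113.200", f"2024-03-01T02:00:{s:02d}Z", ok=False)
     for s in range(0, 60, 10)]                                   # six failures in a minute

GEOIP = {  # constructed: ip -> (city, lat, lon)
    "198.51.100.7": ("Dublin", 53.35, -6.26),
    "192.0.2.44": ("Dublin", 53.34, -6.27),
    "203.0.113.9": ("Singapore", 1.35, 103.82),
}

CATEGORIES = [("ConsoleLogin", "Login"), ("Create", "Create"), ("Put", "Create"),
              ("Attach", "Create"), ("Delete", "Delete"), ("Detach", "Delete"),
              ("Update", "Update"), ("Modify", "Update"), ("Get", "Read"),
              ("List", "Read"), ("Describe", "Read")]

def categorize(event_name):
    """Coarse category so analysts need not know every API action name."""
    for prefix, category in CATEGORIES:
        if event_name.startswith(prefix):
            return category
    return "Other"

def normalize(record):
    """Flatten a CloudTrail record into the attributes the activity view exposes."""
    ip = record["sourceIPAddress"]
    geo = GEOIP.get(ip)
    outcome = record.get("responseElements", {}).get("ConsoleLogin", "Success")
    return {"time": datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
                            .replace(tzinfo=timezone.utc),
            "user": record["userIdentity"]["userName"], "ip": ip,
            "city": geo[0] if geo else "unknown", "region": record["awsRegion"],
            "service": record["eventSource"].split(".")[0], "event": record["eventName"],
            "category": categorize(record["eventName"]), "outcome": outcome}

def filter_activities(activities, **attrs):
    """Omnibar-style filter, e.g. filter_activities(acts, user="alice", category="Login")."""
    return [a for a in activities if all(a.get(k) == v for k, v in attrs.items())]

def brute_force_sources(activities, threshold=5):
    """Source IPs with at least `threshold` failed console logins."""
    fails = Counter(a["ip"] for a in activities
                    if a["event"] == "ConsoleLogin" and a["outcome"] == "Failure")
    return {ip: n for ip, n in fails.items() if n >= threshold}

def _haversine_km(lat1, lon1, lat2, lon2):
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def superhuman_travel(activities, max_kmh=1000.0):
    """Consecutive successful logins by one user that imply travel faster than max_kmh."""
    by_user = defaultdict(list)
    for a in activities:
        if a["event"] == "ConsoleLogin" and a["outcome"] == "Success" and a["ip"] in GEOIP:
            by_user[a["user"]].append(a)
    flagged = []
    for user, logins in by_user.items():
        logins.sort(key=lambda a: a["time"])
        for prev, cur in zip(logins, logins[1:]):
            _, lat1, lon1 = GEOIP[prev["ip"]]
            _, lat2, lon2 = GEOIP[cur["ip"]]
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600
            km = _haversine_km(lat1, lon1, lat2, lon2)
            if hours > 0 and km / hours > max_kmh:
                flagged.append((user, prev["city"], cur["city"], round(km), round(km / hours)))
    return flagged

def to_csv(activities):
    """CSV export of a filtered activity set, for hand-off as evidence."""
    out = io.StringIO()
    fields = ["time", "user", "ip", "city", "region", "service", "event", "category", "outcome"]
    w = csv.DictWriter(out, fieldnames=fields)
    w.writeheader()
    for a in activities:
        w.writerow({**a, "time": a["time"].strftime("%Y-%m-%dT%H:%M:%SZ")})
    return out.getvalue()

ACTIVITIES = [normalize(r) for r in RECORDS]

if __name__ == "__main__":
    print(brute_force_sources(ACTIVITIES), superhuman_travel(ACTIVITIES))
    print(to_csv(filter_activities(ACTIVITIES, user="alice", category="Login")))
```

The Dublin-to-Singapore pair is flagged because roughly 11,000 km in 30 minutes is far beyond the threshold, while the return to Dublin a day later is not; the six failures from one IP exceed the failed-login threshold. Both checks depend on the 10-minute CloudTrail delay the section mentions, so alerting on them is near-real-time rather than instant.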
Threat Protection and Anomalies
MVISION Cloud for AWS detects compromised account threats, insider threats, and privileged access misuse threats. MVISION Cloud for AWS also makes sure a SOC is not flooded with anomalies caused by sudden changes in MVISION Cloud, in AWS event feeds, or in the bulk change patterns in use.
Threat Protection optimizations for AWS include:
- Correlating multiple anomalous events within AWS or across AWS and other cloud services to accurately separate true threats from simple anomalies.
- Detecting AWS usage anomalies related to access, data, or administration.
- Filtering false positives from anomalies based on machine learning and UEBA.
- Allow-listing of known "good" entities or of risk the enterprise accepts.
- Throttling of events to match the capacity of the SOC team.
Compliance Policies help you secure many different aspects of your AWS deployment. For a full list of policies, see MVISION Cloud Compliance Policies.
Security Configuration Audit
MVISION Cloud for AWS monitors many configuration settings that increase the risk profile of AWS deployments across four categories:
- Security Monitoring
- Secure Authentication
- Unrestricted Access
- Inactive Entities
MVISION Cloud for AWS continuously monitors AWS configuration against regulatory requirements to streamline internal and external audits, such as ISO 27008, PCI, and HIPAA.
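One check from each of the four audit categories above, as an added example that is not MVISION Cloud's code. The account snapshot is constructed in the shape of the relevant AWS API responses (CloudTrail `DescribeTrails`, IAM `GetAccountPasswordPolicy` and user listing, EC2 `DescribeSecurityGroups`); the 90-day inactivity window, the 14-character password minimum, and the choice of ports 22 and 3389 as "admin ports" are assumed thresholds, not the product's.

```python
"""Security configuration audit in four categories (added example; constructed data).

Each function returns findings as dicts so they can be routed to a dashboard or
ticketing system; thresholds are assumptions."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)   # fixed "now" so results are repeatable
INACTIVE_AFTER = timedelta(days=90)
MIN_PASSWORD_LENGTH = 14
ADMIN_PORTS = {22, 3389}

SNAPSHOT = {  # constructed account snapshot
    "trails": [{"Name": "main", "IsMultiRegionTrail": False, "HomeRegion": "us-east-1",
                "LogFileValidationEnabled": False}],
    "active_regions": ["us-east-1", "eu-west-1"],
    "password_policy": {"MinimumPasswordLength": 8, "RequireSymbols": False},
    "users": [
        {"UserName": "alice", "HasConsoleAccess": True, "MfaEnabled": True,
         "LastActivity": NOW - timedelta(days=3)},
        {"UserName": "bob", "HasConsoleAccess": True, "MfaEnabled": False,
         "LastActivity": NOW - timedelta(days=10)},
        {"UserName": "svc-old", "HasConsoleAccess": False, "MfaEnabled": False,
         "LastActivity": NOW - timedelta(days=200)},
    ],
    "security_groups": [
        {"GroupId": "sg-0a", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
            "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-0b", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
            "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-0c", "IpPermissions": [{"IpProtocol": "-1",
            "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    ],
}

def finding(category, resource, message):
    return {"category": category, "resource": resource, "message": message}

def security_monitoring(snap):
    """Every active region needs trail coverage; log file validation should be on."""
    out, covered = [], set()
    for t in snap["trails"]:
        covered |= (set(snap["active_regions"]) if t["IsMultiRegionTrail"] else {t["HomeRegion"]})
        if not t["LogFileValidationEnabled"]:
            out.append(finding("Security Monitoring", t["Name"], "log file validation disabled"))
    for region in snap["active_regions"]:
        if region not in covered:
            out.append(finding("Security Monitoring", region, "no CloudTrail trail covers this region"))
    return out

def secure_authentication(snap):
    """Weak password policy and console users without MFA."""
    out = []
    if snap["password_policy"]["MinimumPasswordLength"] < MIN_PASSWORD_LENGTH:
        out.append(finding("Secure Authentication", "account password policy",
                           f"minimum length below {MIN_PASSWORD_LENGTH}"))
    for u in snap["users"]:
        if u["HasConsoleAccess"] and not u["MfaEnabled"]:
            out.append(finding("Secure Authentication", u["UserName"], "console access without MFA"))
    return out

def _open_to_world(perm):
    return (any(r["CidrIp"] == "0.0.0.0/0" for r in perm.get("IpRanges", []))
            or any(r["CidrIpv6"] == "::/0" for r in perm.get("Ipv6Ranges", [])))

def unrestricted_access(snap):
    """Security group rules exposing all traffic or admin ports to the internet."""
    out = []
    for sg in snap["security_groups"]:
        for perm in sg["IpPermissions"]:
            if not _open_to_world(perm):
                continue
            if perm["IpProtocol"] == "-1":   # "-1" means all protocols and ports
                out.append(finding("Unrestricted Access", sg["GroupId"], "all traffic open to the world"))
            else:
                ports = range(perm["FromPort"], perm["ToPort"] + 1)
                hit = sorted(p for p in ADMIN_PORTS if p in ports)
                if hit:
                    out.append(finding("Unrestricted Access", sg["GroupId"],
                                       f"admin port(s) {hit} open to the world"))
    return out

def inactive_entities(snap, now=NOW):
    """Users with no activity inside the inactivity window."""
    return [finding("Inactive Entities", u["UserName"],
                    f"no activity for {(now - u['LastActivity']).days} days")
            for u in snap["users"] if now - u["LastActivity"] > INACTIVE_AFTER]

def audit(snap, now=NOW):
    return (security_monitoring(snap) + secure_authentication(snap)
            + unrestricted_access(snap) + inactive_entities(snap, now))

if __name__ == "__main__":
    for f in audit(SNAPSHOT):
        print(f"[{f['category']}] {f['resource']}: {f['message']}")
```

Port 443 open to the world in `sg-0b` is deliberately not reported: a public HTTPS listener is normal, and treating it as a finding is the kind of noise the Threat Protection section above says a SOC must be protected from. On a live account the snapshot would be assembled from the corresponding `boto3` calls, with `LastActivity` taken from the user's password-last-used and access-key-last-used dates.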