Breach intelligence with cURL, PowerShell and McAfee ePO

Billy Austin

Knowing where unsecured data is stored is fundamental to avoiding data loss. In a recent survey, 75% of CISOs agreed that in order to improve their data protection program, they would need to incorporate risk intelligence. In what follows I'll outline how this can be streamlined using our technology integrated to McAfee ePO as an example. We integrate with most major system management tools, so use your imagination as you read on.

Current tools are not stopping breaches, risk intelligence is required

Most mid-to-large corporations that have experienced data breaches since January of 2014 have had this in common – they already had deployed data loss prevention systems and vulnerability management tools. Clearly using just these tools has not prevented major breaches.

Visualization of data, vulnerabilities, malicious artifacts and unauthorized access is crucial to executing a successful data breach risk plan. Enter Risk Intelligence.

“We want the security… but not the agent!”

CISOs of retailers, higher education institutions and healthcare organizations tell us literally every day that they are tired of wondering if they will wake up to their name in the headlines. At the same time, most say it would take an act of Congress to deploy an additional agent throughout their networks.

It’s clear that another persistent footprint on the CPU is a crowded space. And it’s even more apparent that collecting the intelligence from a network-based technology is on the way out. It has to be with the increase in transient workers and mobility.

Network scans are also far too slow to keep up with vulnerabilities, the backdoors to all of your data including your Crown Jewels. New vulnerabilities are announced daily but network scans take days, weeks, even months. Correlating data, vulnerabilities and file permission access within hours is a must to provide visibility into breach risk.

Your Security ZzzQuil™: iScan Intelligence integrated into your security program

If your organization collects or stores data such as PII, Payment information, Trade Secrets or Intellectual Property, you’re probably one of those people losing sleep about seeing your name in the headlines.

Integrating MAX Risk Intelligence into your security program will get you the sleep you need, your ZzzQuil™.

iScan enables you to visualize data, vulnerabilities, malicious artifacts and unauthorized access. It’s not network-based, and it’s simple to deploy with your existing infrastructure.

iScan Online integrates the command line interface scanner with your systems management tools, such as Active Directory, GPO and McAfee ePO technologies.

iScan to ePO to SIEM. You Judge!

Let’s look at a real-world integration example for many of our customers.Mcafee-Diagram-prod.png

You’ve got existing infrastructure and don’t want hardware appliances or yet another agent. You probably have Active Directory or McAfee ePO.

For this example, we’ll use McAfee ePO integration, which is very popular with many of our customers. ePO management is under security operations in most cases, so that obtaining permission to run a script or needing admin privileges from IT operations is no longer needed.

Simply leverage the iScan command line executable to begin scanning. This binary runtime initiates when the ePO administrator schedules it to perform the assessment.

Data Breach Risk Scan and ePO, PowerShell or cURL

We offer several different scans that can be triggered with ePO or any other tool that can initiate an executable, PowerShell or cURL script. For our example, we’ll choose the most popular one, the Data Breach Risk Scan.

With the Data Breach Risk Scan you will rapidly know:

1. What Data is at Risk? - iScan, by default, discovers unprotected (PII) personal identifiable information on all of your endpoints and illustrates where we found it.

2. Who has Access to the Data? - Once the data has been discovered that is most important to your business, the next step is to understand who has excessive or unauthorized access to it.

3. How Vulnerable is the Device Storing Data? – iScan detects the vulnerabilities on the system where that same data was discovered, the attacker’s backdoor into your data.

4. What it would cost if you were breached today? We call this the “Security Number”. It is the dollar liability a company faces if an incident were to occur. This is calculated from actual data on your network. Our analytics engine places a dollar value on each piece of unprotected data, and factors in the number and severity of vulnerabilities and the level of unauthorized access to the data.

Now that you have all of this intelligence, what’s next?

For our McAfee ePO customers, this valuable information is available in the McAfee SIEM, now known as Enterprise Security Manager. This enables you to correlate the above data points from the scan with other pertinent data you are already collecting.

You have the risk intelligence needed to reduce liability exposure based on the monetary value of your live data. 

Want to know your security number?

Try the PowerShell or cURL scripts on your local Windows, Mac or Linux system listed below, or alternatively register for a trial to have this intelligence on all of your endpoints today.

The following will perform a data breach risk scan on your local system:

Windows: Open a command prompt, copy and paste:

PowerShell (New-Object System.Net.WebClient).DownloadFile('https://app.iscanonline.com/scan_me/templates/PKNBARK/win_script.txt','win_script.bat');&win_script.bat

Mac OS X, RHEL, Ubuntu, Oracle or CentOS: open a terminal window, copy and paste:

curl -L https://app.iscanonline.com/scan_me/templates/PKNBARK/bash_script | bash

For McAfee ePO users:

We'll be on location in the SIA Pavillion at McAfee Focus '15.  If you'd like to get more information about how we work with the McAfee tools you're already using, swing by! Or, head over here to request a 1:1 meeting during the conference.