Tim Stead
Cloud Solutions Lead - APJ
COURSE INTRODUCTION:
• Agenda overview
CHAPTER 1:
• CASB Overview
• Security Cloud Platform Overview
• Terminology
• Capabilities
• Products & Licencing
• Demo Platform Overview
• Architecture & Integration Points
McAFEE CONFIDENTIAL 2
Agenda – Day 1
CHAPTER 2:
• McAfee Skyhigh Security Cloud for Shadow IT
• Overview:
• Key Use Cases
• Quick overview demo
• Solution Architecture / Components
• Demo Walkthrough of 4 Key Use Cases:
1. Cloud Discovery & Usage Analytics (Video Link)
2. Organizational Cloud Risk Alignment (Video Link)
3. Cloud Governance & CLR (Video Link)
4. Vendor Risk Assessments (Video Link)
• Shadow IT Objection Handling
• Shadow Q&A
Agenda – Day 2
CHAPTER 3:
• McAfee Skyhigh Security Cloud for Office 365
• The Key Use Cases
• Quick overview demo
• Solution Architecture / Components
• API, SMTP and Reverse Proxy
• Demo Walkthrough of Use Case
1. DLP for OneDrive and Exchange Online (OD Video Link & EOL Video Link)
2. Content-Aware Collaboration Control
3. Contextual Access Control (Video Link)
4. Activity Monitoring & Threat Protection
• O365 Objection Handling
• O365 Q&A
Agenda – Day 2
CHAPTER 4:
• McAfee Skyhigh Security Cloud for AWS
• The Key Use Cases
• Quick overview demo
• Solution Architecture / Components
• Demo Walkthrough of Use Case
1. Configuration + Privileged User Audit (Video Link)
2. Activity Monitoring & Threat Protection (AM Video Link TP Video Link)
3. AWS S3 Bucket DLP Discovery
• AWS Objection Handling
• AWS Q&A
DAY 1
CHAPTER 1
Security Cloud Platform Overview
What is a Cloud Access Security Broker?
What is a Cloud Access Security Broker (CASB)?
• Cloud access security brokers (CASBs) are on-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed.
• CASBs stretch across multiple security disciplines:
• Risk and Governance
• Data security, including DLP, encryption, DRM, access control
• Audit and logging
• CASBs also solve unique cloud problems:
• Shared responsibility model
• A lack of visibility
• Cloud sprawl/business-driven IT
• Sensitive data collaboration
• BYOD and mobile access
(Diagram: consumers that are on-premise, remote, unmanaged and partner/customer accessing SaaS and IaaS/PaaS, alongside the enterprise data center; adoption stages 1 Personal Productivity, 2 Business Agility, 3 Business Transformation.)
What is a Cloud Access Security Broker (CASB)?
(Diagram: managed and unmanaged devices reaching shadow and sanctioned SaaS and IaaS/PaaS through a single control point.)
The McAfee Skyhigh Security Cloud is a single, centralized control point to enforce your security, compliance, and governance policies across all your cloud services – shadow, sanctioned, permitted, and home-built apps running in the cloud.
McAfee Skyhigh Security Cloud
McAfee Cloud-Native Data Security Framework
(Diagram: SaaS, PaaS and IaaS with the data paths Share, Create/Edit, Sync and Email; Correct: take real-time action to correct policy violations and stop security threats.)
SWG / UNMANAGED – has no visibility or coverage of:
• Cloud created/modified content
• Collaboration/sharing
• Data leaving/downloaded from the cloud
• East-west cloud integrations
• Binary diff content synching
AGENT / MANAGED ON-NETWORK – SWGs / other CASBs require:
• Agent for off-premise coverage
• SSL MITM / privacy concerns
• Proprietary protocols (ActiveSync)
• App breakage, e.g. calendars
Two insufficient approaches to protecting data in the cloud & mobile era
(Diagram: other CASBs rely on a proxy, an API or an agent; McAfee combines Ground Link, Sky Gateway, Sky Link, Lightning Link and Cloud Web Gateway across sanctioned and unsanctioned SaaS, PaaS and IaaS.)
Ground Link (Existing Proxy):
• Cloud Discovery
• Cloud Risk Alignment
• Cloud Governance
Sky Gateway (Reverse Proxy + SMTP Proxy):
• Contextual Access + EDRM
• Outbound Email DLP
• Custom Apps
Sky Link & Lightning Link (API):
• Cloud-Native DLP
• Content-Aware Collaboration Control
• Configuration & User Audit
• UEBA Threat Protection
• User Activity Monitoring
McAfee Cloud Web Gateway & MCP (Forward Proxy):
• Off-network Shadow IT
• Personal vs Corporate service
• Block uploads and actions
• DLP for unsanctioned & web
• Malware downloads
McAfee’s CASB Architecture Approach
(Diagram: Ground Link, Sky Link & Lightning Link, Sky Gateway and Cloud Web Gateway covering sanctioned and unsanctioned SaaS, PaaS and IaaS.)
SaaS Services
• Licenced per user, per cloud service
IaaS Services
• Licenced per Account (AWS) or per Subscription (Azure)
McAfee’s unique architecture approach
(Diagram: Ground Link, Sky Gateway, Sky Link, Lightning Link and Cloud Web Gateway across sanctioned and unsanctioned SaaS, PaaS and IaaS.)
Shadow IT & Unsanctioned Cloud:
• McAfee Skyhigh for Shadow IT
• Unsanctioned Cloud – Advanced: McAfee Cloud Web Gateway together with McAfee Skyhigh for Shadow IT
SaaS & IaaS Services:
• Office 365, Box, Salesforce, AWS, Azure, etc.
SaaS Services & IaaS Custom Apps:
• Office 365, Box, Salesforce, etc.
• In-house built custom apps
Demo Platform Walkthrough
Skyhighdemo.cloud Demo Portal
McAfee Skyhigh Architecture
McAfee Skyhigh Security Cloud Architecture
(Diagram: the five integration modes – Sky Gateway Email Mode, Sky Link, Lightning Link, Sky Gateway Universal Mode and Ground Link.)
Ground Link-CLR Mode (Existing Proxy / DLP)
1. Cloud Discovery
2. Cloud Usage Analytics
3. Cloud Risk Alignment
4. Cloud Governance via CLR
5. Integration with existing infra
6. Tokenize user info
(Diagram: the SWG/NGFW feeds logs to Ground Link, which ingests them to discover cloud usage; CLR is pushed through the SWG API to the cloud SWG and to the on-prem SWG; IAM imports users from directory services.)
Traffic Flows with Existing Proxy (Ground Link mode)
TRAFFIC FLOWS
• Cloud access via existing egress device
• Ground Link-to-Skyhigh API and Ground Link to SWG/NGFW for log receive/pull and CLR
• IAM SSO SAML referral for Skyhigh Dashboard access
• Ground Link-to-on-premise infrastructure
(Diagram: corp mobile devices (MDM), cloud SWG, SIEM, Ground Link, AD / LDAP, on-prem corp and BYOD devices, IAM SSO (SAML), MDM manager and on-prem SWG/NGFW inside the customer network.)
Sky Link
1. API Poll Method
2. Webhook Method
API integration is established via an OAuth token from the cloud service (SaaS applications and IaaS platforms) to Skyhigh to inspect cloud service activity after the transaction is completed. Two approaches are used:
1. API poll every few secs
2. Register for webhook
(Diagram: Sky Link connected to SaaS applications and IaaS platforms.)
CASB Connect - API Developer Framework
(Diagram: McAfee Skyhigh Security Cloud connected to cloud apps through CASB Connect.)
• API framework and toolkit for native integration
• Only 2 hours to complete with no coding required
• Adopted by over 25 cloud apps in just one month
Lightning Link
Sky Link & Lightning Link
Sky Link:
1. Near real-time, in-cloud DLP
2. ODS, in-cloud DLP
3. Content-aware Collaboration Control
4. IaaS Configuration & User Auditing
5. User Activity Monitoring
6. UEBA Threat Detection
7. Malware Scanning
Lightning Link:
1. Real-time Collaboration Control
(Diagram: Sky Link and Lightning Link alongside Ground Link; SIEM (optional) – push events to SIEM.)
Traffic flows with Sky Link & Lightning Link
TRAFFIC FLOWS
• Direct SaaS Access
• Sky Link-to-SaaS API
(Diagram: corp mobile devices (MDM), BYOD users / contractors, cloud-to-cloud external users, cloud SWG, SIEM, Ground Link, AD / LDAP, on-prem corp and BYOD devices, MDM manager, EDRM and on-prem SWG/NGFW inside the customer network, connected to sanctioned SaaS, PaaS and IaaS.)
Sky Gateway – Universal Mode
Uses a customer-defined and Skyhigh-managed vanity domain to redirect traffic for ANY device to each Sanctioned SaaS, e.g. office.acmecorp.myshn.net
• For O365 and many public SaaS, the reverse proxy is for use cases not covered via API, e.g. access control, inline encryption, etc.
• Can also be used for apps with no API, e.g. a customer’s in-house built cloud app, or other long-tail SaaS.
(Diagram: Sky Gateway Universal Mode in front of SaaS applications and workloads.)
Sky Gateway – Pervasive Cloud Control
An on-premises, remote or mobile user attempts to access the customer’s sanctioned SaaS instances or even an in-house developed, custom cloud app hosted on PaaS/IaaS.
Upon successful authentication, the IdP issues a SAML token to access the CSP. However, the Skyhigh Sky Gateway is defined as the CSP, not the original Sanctioned SaaS or Custom App instance.
Cloud service access is then directed to the Sky Gateway where the access context can be assessed, e.g. whether the request carries a valid corporate device certificate, comes from an authorized source network or a trusted geo, etc. Also, if policy dictates, the rest of the user’s session can be seamlessly redirected through the Sky Gateway for inline filtering (e.g. to block downloads, DLP, etc.).
Access policy can also send the user’s session direct, bypassing the Sky Gateway, e.g. for trusted devices / networks, particularly those using native device apps.
(Diagram: customer users on ANY device, ANY location reach slack.acmecorp.myshn.net, which fronts acme.slack.com.)
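The access-context decision described above, as an added example that is not McAfee/Skyhigh code: once the IdP has handed the SAML session to the Sky Gateway, the policy below decides whether to send the session direct, keep it inline (with or without downloads), or deny it. The vanity-domain mapping, trusted networks and geos, and the request context fields are assumptions made for the example.

```python
"""Added example (not McAfee/Skyhigh code): the access-context decision the
Sky Gateway makes after SAML intermediation.  The vanity-domain mapping,
trusted networks/geos and the request context fields are assumptions."""
import ipaddress

# Skyhigh-managed vanity host -> the sanctioned service it fronts (slide example).
VANITY_TO_ORIGIN = {"slack.acmecorp.myshn.net": "acme.slack.com"}

# Assumptions: corporate egress ranges and geos the policy trusts.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
TRUSTED_GEOS = {"AU", "NZ", "SG"}


def is_trusted_network(src_ip):
    """True when the request comes from an authorized source network."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def decide(ctx):
    """Evaluate one post-SAML request context and return a decision dict.

    ctx keys (assumed): host, src_ip, geo, device_cert_valid, client
    ('browser' or 'native').  Actions:
      direct     - send the session direct to the service, bypassing the gateway
      proxy      - keep the session inline through the gateway (DLP, downloads ok)
      proxy-nodl - keep inline and block downloads (unmanaged browser access)
      deny       - refuse the session
    """
    origin = VANITY_TO_ORIGIN.get(ctx["host"])
    if origin is None:
        return {"action": "deny", "origin": None, "reason": "unknown vanity host"}
    managed = bool(ctx.get("device_cert_valid"))
    on_net = is_trusted_network(ctx["src_ip"])
    native = ctx.get("client") == "native"

    if managed and (on_net or native):
        # Trusted device on a trusted network, or a native app on a managed
        # device: policy lets the session bypass the gateway entirely.
        action, reason = "direct", "managed device, trusted network or native app"
    elif managed:
        # Managed device off-network: keep the session inline for DLP.
        action, reason = "proxy", "managed device off corporate network"
    elif ctx.get("geo") not in TRUSTED_GEOS:
        action, reason = "deny", "unmanaged device from untrusted geo"
    elif native:
        # Native clients sync whole mailboxes/drives; never from unmanaged devices.
        action, reason = "deny", "native app from unmanaged device"
    else:
        action, reason = "proxy-nodl", "unmanaged browser: downloads blocked"
    return {"action": action, "origin": origin, "reason": reason}


# Constructed request contexts for the example.
SAMPLE_REQUESTS = [
    {"host": "slack.acmecorp.myshn.net", "src_ip": "203.0.113.10", "geo": "AU",
     "device_cert_valid": True, "client": "native"},
    {"host": "slack.acmecorp.myshn.net", "src_ip": "198.51.100.7", "geo": "AU",
     "device_cert_valid": True, "client": "browser"},
    {"host": "slack.acmecorp.myshn.net", "src_ip": "198.51.100.7", "geo": "AU",
     "device_cert_valid": False, "client": "browser"},
    {"host": "slack.acmecorp.myshn.net", "src_ip": "198.51.100.7", "geo": "AU",
     "device_cert_valid": False, "client": "native"},
    {"host": "slack.acmecorp.myshn.net", "src_ip": "198.51.100.7", "geo": "RU",
     "device_cert_valid": False, "client": "browser"},
    {"host": "unknown.example.net", "src_ip": "203.0.113.10", "geo": "AU",
     "device_cert_valid": True, "client": "browser"},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(decide(req))
```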
Sky Gateway – Universal Mode (Reverse Proxy)
• Ground Link
• IAM: route traffic to Sky Gateway post-authentication via SAML
• MDM/EMM (optional): identify MDM-managed devices
Sky Gateway – Email Mode
Sky Link & Sky Gateway – Passive Email Mode
Sky Gateway (Passive Email Mode):
1. Near real-time email DLP for potentially all mail – internal and external
Sky Link:
1. ODS mailbox DLP
2. User Activity Monitoring
3. UEBA Threat Detection
4. DLP remediation
(Diagram: Sky Gateway and Sky Link alongside Ground Link; SIEM (optional) – push events to SIEM.)
Traffic Flows with Sky Gateway – Passive Email Mode
TRAFFIC FLOWS
• Direct Exchange Online Access
• Outbound SMTP Flow
• Sky Link-to-Exchange Online API
• Copy of email sent to Sky Gateway by Exchange Online Journaling
(Diagram: corp mobile devices (MDM), BYOD users / contractors, cloud SWG, SIEM, Ground Link, AD / LDAP, on-prem corp and BYOD devices, MDM manager, EDRM and on-prem SWG/NGFW inside the customer network, connected to the sanctioned SaaS.)
Sky Link & Sky Gateway – Inline Email Mode
Traffic Flows with Sky Gateway – Inline Email Mode
TRAFFIC FLOWS
• Direct Exchange Online Access
• Outbound SMTP Flow
• Sky Link-to-Exchange Online API
• Externally-bound email sent to Sky Gateway by an Exchange Online Mail Flow Connector
• Clean/released mail sent back to Exchange Online by Sky Gateway
(Diagram: corp mobile devices (MDM), BYOD users / contractors, cloud SWG, SIEM, Ground Link, AD / LDAP, on-prem corp and BYOD devices, MDM manager, EDRM and on-prem SWG/NGFW inside the customer network, connected to the sanctioned SaaS.)
A platform built on trust
DAY 1
CHAPTER 2
McAfee Skyhigh Security Cloud for Shadow IT
Shadow IT
Overview
Data Exfiltration Vectors—Shadow IT
• Rogue Employee
• Data Loss / Exposure
• Targeted Data Theft
Data Exfiltration Controls—Shadow IT
Vectors: Rogue Employee, Data Loss / Exposure, Targeted Data Theft
(Diagram: controls mapped to each vector – User Behavior Analytics, CLR, Access Control, Risk-Based Access Control, Inline DLP, Service Governance, Block High Risk, Risk & Compliance Policy Groups, Warn / Coach, Block, Governance Gap, Enterprise DLP / SWG Integration.)
Skyhigh’s unique approach
(Diagram: Ground Link covering SaaS, PaaS and IaaS.)
Shadow IT
Architecture
McAfee Skyhigh Security Cloud Architecture
(Diagram: Sky Gateway Email Mode, Sky Link, Lightning Link, Sky Gateway Universal Mode and Ground Link.)
Ground Link Overview
Ground Link – Enterprise Connector
• On-premise log processor will process proxy, firewall and/or SIEM logs
• Outbound-only secure connection to Skyhigh
(Diagram: proxies, firewalls and SIEMs on the on-prem networks feed collected raw logs to the Enterprise Connector, which sends tokenized cloud service information over an SSL transfer on port 443 to the Skyhigh Super POP; educational messages are displayed upon access attempts to high-risk services, and upload/download is prevented via existing customer infrastructure.)
Ground Link (Enterprise Connector) Overview
• Enterprise Connector is Skyhigh Networks software installed on-premise to collect and process logs
• Uses TLS to ensure all data transfer is secure
• Parses logs to only process Cloud Service Provider (CSP) data
• Only sends the fields necessary to McAfee Skyhigh Security Cloud
• Ability to exclude ranges of IP addresses
• Ability to exclude fields of log data
• Filters logs based on destination IPs/URLs matching the Skyhigh Cloud Service Registry and Google Safe Browsing Malware Scan
• Filters non-significant casual browsing related events using URL patterns and content type
• Tokenizes personally identifiable information, including directory attributes
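The log pipeline described above, as an added example that is not McAfee/Skyhigh code: it parses constructed proxy log lines, drops excluded IP ranges and non-CSP destinations by hostname only (no TLS interception), keeps just the forwarded fields, filters casual browsing by content type, and tokenizes the user identity with a keyed hash so raw PII never leaves the premises. The registry contents, field list, log format and tokenization key are assumptions made for the example.

```python
"""Added example (not McAfee/Skyhigh code): a miniature of the Enterprise
Connector log pipeline.  The registry, field list, log format and key are
assumptions; the sample log lines are constructed."""
import hashlib
import hmac
import ipaddress
import shlex

# Constructed stand-in for the Skyhigh Cloud Service Registry (assumption):
# service name -> hostnames it is known to use.
CLOUD_SERVICE_REGISTRY = {
    "Google Drive": ("drive.google.com", "docs.google.com"),
    "Dropbox": ("dropbox.com", "dl.dropboxusercontent.com"),
    "Box": ("box.com", "app.box.com"),
}

# Internal ranges whose traffic is excluded before anything is sent (assumption).
EXCLUDED_RANGES = [ipaddress.ip_network("10.0.5.0/24")]

# Only these log fields are forwarded to the cloud service (assumption).
FORWARDED_FIELDS = ("timestamp", "user", "dst_host", "bytes_out", "action")

# Casual-browsing content types that never indicate a cloud upload/download.
CASUAL_CONTENT_TYPES = {"image/gif", "image/png", "text/css", "text/javascript"}

# Tokenization secret stays on the connector; the cloud only ever sees tokens.
TOKEN_KEY = b"on-prem-secret-key-example"  # constructed for the example


def parse_line(line):
    """Parse a constructed key=value proxy log line into a dict."""
    return dict(tok.split("=", 1) for tok in shlex.split(line))


def lookup_service(host):
    """Map a requested hostname to a registry entry (exact host or subdomain)."""
    for name, hosts in CLOUD_SERVICE_REGISTRY.items():
        if any(host == h or host.endswith("." + h) for h in hosts):
            return name
    return None


def tokenize(value):
    """Deterministic HMAC token so one user still correlates across events."""
    return hmac.new(TOKEN_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def process_logs(lines):
    """Return the tokenized, field-reduced records that would be forwarded."""
    out = []
    for line in lines:
        rec = parse_line(line)
        src = ipaddress.ip_address(rec["src_ip"])
        if any(src in net for net in EXCLUDED_RANGES):
            continue                               # excluded IP range
        service = lookup_service(rec["dst_host"])
        if service is None:
            continue                               # not a cloud service
        if rec.get("content_type") in CASUAL_CONTENT_TYPES:
            continue                               # casual browsing noise
        fwd = {k: rec[k] for k in FORWARDED_FIELDS if k in rec}
        fwd["user"] = tokenize(fwd["user"])        # PII never leaves on-prem
        fwd["service"] = service
        out.append(fwd)
    return out


# Constructed sample proxy log lines (key=value format, not a real vendor format).
SAMPLE_LOGS = [
    'timestamp=2024-01-10T09:00:01Z src_ip=10.1.2.3 user="jane.doe@acme.example" '
    'dst_host=drive.google.com content_type=application/octet-stream bytes_out=5242880 action=POST',
    'timestamp=2024-01-10T09:00:02Z src_ip=10.1.2.4 user="bob@acme.example" '
    'dst_host=www.bbc.co.uk content_type=text/html bytes_out=512 action=GET',
    'timestamp=2024-01-10T09:00:03Z src_ip=10.0.5.9 user="svc-scanner" '
    'dst_host=app.box.com content_type=application/json bytes_out=1024 action=POST',
    'timestamp=2024-01-10T09:00:04Z src_ip=10.1.2.3 user="jane.doe@acme.example" '
    'dst_host=dl.dropboxusercontent.com content_type=image/png bytes_out=0 action=GET',
    'timestamp=2024-01-10T09:00:05Z src_ip=10.1.2.5 user="bob@acme.example" '
    'dst_host=app.box.com content_type=application/pdf bytes_out=2097152 action=PUT',
]

if __name__ == "__main__":
    for record in process_logs(SAMPLE_LOGS):
        print(record)
```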
Enterprise Connector Overview
• Can process data from multiple sources from a single Enterprise Connector
• Can process data from different data sources such as a SIEM or IDS/IPS
Demo Videos -
4 main Shadow IT use cases:
1. Discover & Understand Cloud Usage (Video Link)
2. Align Cloud Usage with Risk Appetite (Video Link)
3. Cloud Governance & CLR (Video Link)
4. Vendor Risk Assessment (Video Link)
Shadow IT
Objection Handling
Shadow IT Objection Handling – #1
OBJECTION
I don’t have a Shadow IT problem: only the 20 approved cloud services that I have written down in a spreadsheet are allowed for
use. Why do I need a CASB for this?
RESPONSE
Share with the customer the independent and McAfee-produced cloud usage data that shows all organizations are blind to a large percentage of cloud usage: the average organization has 1500 cloud services in use, but is aware of less than 5% of them. What’s more, typically ~30 new cloud services are added by users every week.
Related Materials
Shadow IT Objection Handling – #2
OBJECTION
RESPONSE
SWGs like Bluecoat, Forcepoint and Cisco, as well as next-gen firewalls such as Palo Alto, Check Point and Fortinet, typically only categorize a small number of the cloud services available – typically ~3000 – compared to the 24k on the Skyhigh Cloud Registry. They also do a poor job of tracking the various hostnames and IP addresses used by such sites – firewalls in particular struggle because IP addresses are often dynamically re-assigned to different services each day, e.g. Google Mail to Google Drive, etc. This leads to a lot of mis-categorizations or simply no categorization, and since most only block what is explicitly defined, the result is huge amounts of ‘proxy leakage’.
To add to this, there is no indication of the risk of using the site, making it extremely difficult for security teams to make informed, risk-based decisions on cloud access: e.g. both Box and ZippyShare are cloud storage; however, Box encrypts data at rest and requires users to have a logon account, while ZippyShare does not. Skyhigh tracks 50 different risk attributes across 24k services.
Related Materials
Shadow IT Objection Handling – #3
OBJECTION
We’ve just refreshed our SWG/NGFW and/or we really don’t want massive network perimeter changes.
RESPONSE
The McAfee Skyhigh Shadow IT solution is intended to work with existing proxies, firewalls and SIEMs – leveraging and extending their capabilities to the cloud – rather than ripping and replacing.
Skyhigh’s unique and patented log processing approach means that cloud usage can be identified from the log feeds of existing proxies, firewalls and SIEMs, without ANY need for network changes. Additionally, Skyhigh utilises a unique tokenization mechanism as part of the log processing, which ensures employee PII remains anonymized and is not stored in the cloud.
Also, Skyhigh utilises its unique CLR mechanism to push policy back to such proxies and firewalls to ensure cloud governance and acceptable cloud usage policies are enforced. CLR can also be used to push such policies to endpoint and network DLP.
Related Materials
Shadow IT Objection Handling – #4
OBJECTION
Don’t you need to do SSL interception for this? Our proxy is not capable/we have not enabled it yet, and/or our privacy team has
ruled out EVER using SSL interception.
RESPONSE
NONE of the CASB modes in the McAfee Skyhigh Security Cloud utilise SSL interception, for these specific reasons and many others!
For Shadow IT, Skyhigh is able to accurately determine cloud usage using nothing more than the requested hostname, e.g. drive.google.com, or the destination IP address.
This is possible because of the patented, automated discovery and tracking capabilities of the Skyhigh Cloud Registry, as well as the dedicated service intelligence team that monitors and maintains it. Skyhigh discovers and tracks each hostname and destination IP used by each and every cloud service, adjusting these daily, as and when they change. Also, using advanced machine learning and data science, Skyhigh is able to determine a user’s cloud usage just from the various fields available in the proxy or firewall log.
Related Materials
(Diagram: data exfiltration vectors for SaaS apps – Rogue Employee, Un-managed devices, Compromised Accounts, Collaboration, Malware.)
Data Exfiltration Controls—SaaS Apps
Vectors: Rogue Employee, Un-managed devices, Compromised Accounts
(Diagram: controls mapped to each vector – User Behavior Analytics, Access Control, DLP, Malware Protection, Inline DLP, Collaboration Control, Block Native Apps, Scan, Delete, Remediate Collaboration, Untrusted Geos, Quarantine Malware, Block Downloads, Modify Permissions, EDRM Encrypt.)
McAfee Skyhigh Security Cloud – Sanctioned SaaS Use Case Examples
Software as a Service - O365
Architecture
McAfee Skyhigh Security Cloud Architecture
(Diagram: Sky Gateway Email Mode, Sky Link, Lightning Link, Sky Gateway Universal Mode and Ground Link.)
Lightning Link
Uses a REALTIME webhook method in the MSFT API to register Skyhigh event listeners for any OneDrive/SharePoint sharing or collaboration activities.
Sky Gateway – Pervasive Cloud Control
(Diagram: customer users on ANY device, ANY location reach office.acmecorp.myshn.net, which fronts login.microsoftonline.com; the access flow is as described in Chapter 1.)
Traffic Flows with Sky Gateway – Universal Mode (Reverse Proxy)
TRAFFIC FLOWS
• SaaS access directed through Sky Gateway
• Sky Gateway SSO SAML intermediation
(Diagram: cloud SWG, cloud-to-cloud external users, SIEM, Ground Link, AD / LDAP, on-prem corp and BYOD devices, IAM SSO (SAML), MDM manager, on-prem SWG/NGFW and EDRM inside the customer network.)
Ground Link Mode
• Ground Link
• SIEM (optional): push events to SIEM
• IAM: import users from directory services
Demo Videos -
4 main Office 365 use cases:
1. DLP for OneDrive and Exchange Online (OD Video Link
& EOL Video Link)
2. Content-Aware Collaboration Control
3. Contextual Access Control (Video Link)
4. User Activity and Threat Protection
Office 365
Objection Handling
O365 Objection Handling #1
OBJECTION
Skyhigh only supports OneDrive, SharePoint and Exchange Online. What about the likes of Teams, Yammer, Skype, Dynamics,
OneNote, Online Office Apps, etc?
RESPONSE
This is partly true, but a more accurate description would be that ‘Skyhigh only supports Sky Link API mode for OneDrive,
SharePoint and Exchange Online because MSFT do not provide a full Management API for the other services.’
However, many of these apps, including Teams and the Online Office Apps, actually store their data in either OneDrive or
SharePoint, so as far as DLP is concerned, we can cover them today via API. We can also apply Contextual Access Control to all
such apps using our Sky Gateway Reverse Proxy since they are all actually accessed through the O365 web portal or its
associated domains.
The gap we have today is activity monitoring and threat protection for such apps, since we would typically get this via API. We’re
reliant on MSFT enabling such apps in their Management API, which they are slowly doing. It would be important to point out to
the customer that our competitors also suffer this challenge, unless they are using their forward proxy, which is not supported by
MSFT.
Related Materials
O365 Objection Handling #2
RESPONSE
This is partially true, but we DO apply real-time DLP where it matters, which is for data exfiltration from O365.
We apply DLP using 3 main modes – API, Reverse Proxy and SMTP Proxy – and each addresses a different kind of DLP vector. API covers data created in or uploaded to the cloud, which essentially means inbound DLP; it is not about addressing data loss but about meeting regulatory compliance, so it does not necessarily need to be real-time. Meanwhile, reverse proxy covers data downloaded from the cloud – particularly when downloaded to an unmanaged device – and SMTP proxy covers data emailed out of the cloud. These scenarios are about outbound data in motion, which is when data loss can occur, and both are real-time. Then there is also the possibility that users could share sensitive data in OneDrive or SharePoint, which exposes it externally and causes data loss. We can cover this in REAL-TIME using Lightning Link to block sharing of ANY data that has not been tagged and therefore has not first been DLP checked.
It is also important to remind the customer that the only OTHER way to achieve real-time DLP would be with an inline forward proxy, which would not be supported by MSFT and which we covered on the previous page.
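The two Sky Link / Lightning Link patterns this deck describes, as an added example that is not McAfee/Skyhigh or Microsoft code: poll_activity() models the API-poll approach that inspects activity after the transaction has completed, and handle_sharing_notification() models the real-time webhook approach from the response above, reverting an external share of any file not yet tagged as DLP-checked. The event format, tag name, clientState check and the in-memory item store are assumptions for the example, not the Microsoft Graph API.

```python
"""Added example (not McAfee/Skyhigh or Microsoft code): API-poll and
webhook-driven collaboration control.  The notification shape, tag name,
clientState check and item store are assumptions."""

CLIENT_STATE = "constructed-subscription-secret"  # assumption: proves the notification source
DLP_TAG = "dlp-scanned"                            # assumption: tag set after a Sky Link scan
EXTERNAL_SCOPES = {"anonymous", "external"}        # sharing scopes that expose data outside


def poll_activity(activity_log, cursor):
    """API-poll approach: return events newer than cursor and the new cursor.

    activity_log is a list of dicts with increasing integer 'seq' values; the
    cursor lets a poll every few seconds pick up exactly the new events."""
    new = [e for e in activity_log if e["seq"] > cursor]
    next_cursor = new[-1]["seq"] if new else cursor
    return new, next_cursor


def mark_scanned(items, item_id, clean):
    """Called when an after-the-fact DLP scan completes: tag clean files only."""
    if clean:
        items[item_id]["tags"].add(DLP_TAG)
    else:
        items[item_id]["tags"].discard(DLP_TAG)


def handle_sharing_notification(notification, items):
    """Webhook approach: act on sharing changes as they happen.

    Returns a list of (decision, item_id, scope) tuples; external links on
    untagged items are revoked, everything else is allowed."""
    if notification.get("clientState") != CLIENT_STATE:
        return [("rejected", None, "bad clientState")]
    decisions = []
    for change in notification.get("value", []):
        item = items.get(change.get("resource"))
        if item is None or change.get("changeType") != "updated":
            continue
        for link in list(item["links"]):
            if link["scope"] in EXTERNAL_SCOPES and DLP_TAG not in item["tags"]:
                item["links"].remove(link)             # revert the share
                decisions.append(("revoked", change["resource"], link["scope"]))
            else:
                decisions.append(("allowed", change["resource"], link["scope"]))
    return decisions


def sample_items():
    """Constructed OneDrive/SharePoint items for the example."""
    return {
        "doc-1": {"tags": {DLP_TAG}, "links": [{"scope": "anonymous"}]},
        "doc-2": {"tags": set(), "links": [{"scope": "external"}, {"scope": "organization"}]},
    }


SAMPLE_NOTIFICATION = {   # constructed webhook payload
    "clientState": CLIENT_STATE,
    "value": [
        {"changeType": "updated", "resource": "doc-1"},
        {"changeType": "updated", "resource": "doc-2"},
    ],
}

SAMPLE_ACTIVITY = [       # constructed activity feed for the poll path
    {"seq": 1, "event": "FileUploaded", "item": "doc-2"},
    {"seq": 2, "event": "SharingSet", "item": "doc-2"},
]

if __name__ == "__main__":
    store = sample_items()
    print(handle_sharing_notification(SAMPLE_NOTIFICATION, store))
    print(poll_activity(SAMPLE_ACTIVITY, cursor=0))
```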
O365 Objection Handling – Service Capabilities
OBJECTION
Does Skyhigh provide Encryption with full support for different schemes and native client support?
For example: support for encrypting all files in OneDrive.
RESPONSE
For collaboration solutions, we should not be recommending encrypting all content as a solution, since it impacts user
experience in the cloud service – e.g. breaks Preview, Search, Online Edit, etc – and also breaks collaboration.
Instead, we should recommend the customer first implement Skyhigh content-aware collaboration control to ensure sensitive
data is not shared with individuals who should not have access, and then secondly, the customer can look to utilize an EDRM
solution, which can rights-protect the file both in and out of the cloud service.
O365 Objection Handling – Service Capabilities
OBJECTION
Can Skyhigh reverse proxy connections from desktop clients or mobile clients to provide inline, real-time CASB controls?
RESPONSE
No, Skyhigh does not do this, and for very good reasons. Firstly, many such native apps use proprietary protocols, binary data chunking, SSL certificate pinning, etc., which makes it extremely difficult to proxy them – with a reverse or forward proxy. Also, MSFT does not like proxies.
Also, why would a customer want to do this anyway? Skyhigh already covers the data uploaded, created or shared using our API and SMTP modes. So the only data-in-motion use case left is data downloads, and why would a customer care about sensitive data downloaded to one of their company devices? They wouldn’t, but they would care if it was downloaded to an UNMANAGED device. However, given native apps typically sync a copy of all data – e.g. the OneDrive Sync client downloads all OneDrive files, and the Outlook client downloads the whole mailbox – would customers EVER want to allow such native apps from their unmanaged devices? The answer is ‘no’, and if they want to allow any unmanaged device access, it is usually limited browser access – typically blocking all file downloads.
Skyhigh can do this with our reverse proxy and Contextual Access Controls. Also, since this is only for a very limited amount of user O365 access and not ALL user access, it does not run into issues with MSFT’s advice on the use of inline Proxy CASBs.
Q&A
DAY 2
CHAPTER 4
McAfee Skyhigh Security Cloud for AWS
Infrastructure as a Service - AWS
Overview
IaaS—Shared Responsibility Model
(Diagram: customer responsibility compared across SaaS and IaaS/PaaS.)
Data Exfiltration Vectors—IaaS Platforms & Apps
• Rogue Use
• Sensitive / Regulated Data
• Compromised Accounts
• IaaS Misconfiguration
• Malware
• Workload to Workload Communication
Data Exfiltration Control—IaaS Platforms & Apps
Vectors: Rogue Use, Sensitive / Regulated Data, Compromised Accounts
(Diagram: controls mapped to each vector – Workload Segmentation, Network and Container Security, Security Configuration, User Behavior Analytics, DLP Control, Discovery, Inline DLP.)
Infrastructure as a Service - AWS
Architecture
McAfee Skyhigh Security Cloud Architecture
(Diagram: Sky Gateway Email Mode, Sky Link, Lightning Link, Sky Gateway Universal Mode and Ground Link.)
Sky Link
1. ODS, in-cloud DLP
2. IaaS Configuration & User Auditing
3. User Activity Monitoring
4. UEBA Threat Detection
(Diagram: Sky Link alongside Ground Link; SIEM (optional) – push events to SIEM; cloud SWG, cloud-to-cloud external users, SIEM, Ground Link, AD / LDAP, on-prem corp and BYOD devices, MDM manager, EDRM and on-prem SWG/NGFW inside the customer network.)
Sky Gateway – Pervasive Cloud Control
(Diagram: customer users on ANY device, ANY location reach app1.acmecorp.myshn.net, which fronts the custom app at app1.acmecorp.com; the access flow is as described in Chapter 1.)
(Diagram: McAfee Skyhigh Security Cloud integration points – Key Mgmt, DLP/Classification, EMM & MDM, DRM, IR/Ticketing, Threat Intel, SWG & NGFW, Reputation, Sandbox/Malware.)
Demo Videos -
3 main AWS use cases:
1. Configuration + Privileged User Audit (Video Link)
2. Activity Monitoring (Video Link) & Threat Protection (Video Link)
3. AWS S3 Bucket DLP Discovery