
Skyhigh 101

Tim Stead
Cloud Solutions Lead - APJ

McAfee Confidentiality Language


Agenda – Day 1

COURSE INTRODUCTION:
• Agenda overview

CHAPTER 1:
• CASB Overview
• Security Cloud Platform Overview
• Terminology
• Capabilities
• Products & Licencing
• Demo Platform Overview
• Architecture & Integration Points

McAFEE CONFIDENTIAL 2
Agenda – Day 1
CHAPTER 2:
• McAfee Skyhigh Security Cloud for Shadow IT
• Overview:
• Key Use Cases
• Quick overview demo
• Solution Architecture / Components
• Demo Walkthrough of 4 Key Use Cases:
1. Cloud Discovery & Usage Analytics (Video Link)
2. Organizational Cloud Risk Alignment (Video Link)
3. Cloud Governance & CLR (Video Link)
4. Vendor Risk Assessments (Video Link)
• Shadow IT Objection Handling
• Shadow Q&A

Agenda – Day 2
CHAPTER 3:
• McAfee Skyhigh Security Cloud for Office 365
• The Key Use Cases
• Quick overview demo
• Solution Architecture / Components
• API, SMTP and Reverse Proxy
• Demo Walkthrough of Use Case
1. DLP for OneDrive and Exchange Online (OD Video Link & EOL Video Link)
2. Content-Aware Collaboration Control
3. Contextual Access Control (Video Link)
4. Activity Monitoring & Threat Protection
• O365 Objection Handling
• O365 Q&A

Agenda – Day 2

CHAPTER 4:
• McAfee Skyhigh Security Cloud for AWS
• The Key Use Cases
• Quick overview demo
• Solution Architecture / Components
• Demo Walkthrough of Use Case
1. Configuration + Privileged User Audit (Video Link)
2. Activity Monitoring & Threat Protection (AM Video Link TP Video Link)
3. AWS S3 Bucket DLP Discovery
• AWS Objection Handling
• AWS Q&A

DAY 1
CHAPTER 1
Security Cloud Platform Overview
What is a Cloud Access Security Broker?

What is a Cloud Access Security Broker (CASB)?

• Cloud access security brokers (CASBs) are on-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed.

[Diagram: cloud service consumers (On-Premise, Remote, Unmanaged, Partner/Customer; Consumer; Enterprise Data center) reaching SaaS and IaaS/PaaS through the CASB, with three adoption stages: 1 Personal Productivity, 2 Business Agility, 3 Business Transformation]

• CASBs stretch across multiple security disciplines:
  • Risk and Governance
  • Data security, including DLP, encryption, DRM, access control
  • Audit and logging
• CASBs also solve unique cloud problems:
  • Shared responsibility model
  • A lack of visibility
  • Cloud sprawl/business-driven IT
  • Sensitive data collaboration
  • BYOD and mobile access
What is a Cloud Access Security Broker (CASB)?

[Diagram: Managed and Unmanaged Devices connecting through the CASB to SaaS, IaaS/PaaS and Shadow services]

The McAfee Skyhigh Security Cloud is a single, centralized control point to enforce your security, compliance, and governance policies across all your cloud services – shadow, sanctioned, permitted, and home-built apps running in cloud.
McAfee Skyhigh Security Cloud
McAfee Cloud-Native Data Security Framework (SaaS, PaaS, IaaS)

• Detect: Gain complete visibility into data, context, and user behaviour in the cloud
• Correct: Take real-time action to correct policy violations and stop security threats
• Protect: Apply persistent protection to sensitive information wherever it goes
Key Capabilities (SaaS, PaaS, IaaS)

Detect
• Cloud-Native DLP
• Real-Time Collaboration Control
• IaaS Configuration & User Audit
• UEBA Threat Detection
• User Activity Monitoring

Correct
• Shadow SaaS, PaaS and IaaS Discovery & Risk
• Shadow IT closed-loop remediation (CLR)
• Contextual Access Control

Protect
• Encrypt structured data with own keys
• Enforce EDRM on content & context
Flaws of a Network-Centric Approach to Sanctioned Services such as O365

[Diagram: SHARE, CREATE/EDIT, SYNC and EMAIL flows between the cloud service and users; SWG / UNMANAGED, CASB, AGENT / MANAGED ON-NETWORK]

Has no Visibility or Coverage of:
• Cloud created/modified content
• Collaboration/sharing
• Data leaving/downloaded from the cloud
• East-west cloud integrations
• Binary diff content synching

SWGs / Other CASBs Require:
• Agent for off-premise coverage
• SSL MITM / privacy concerns
• Proprietary protocols (ActiveSync)
• App breakage, e.g. calendars
Two insufficient approaches to protecting data in the cloud & mobile era

[Comparison table: the approaches of Other CASBs (Proxy, API, Agent) against the criteria Real time, Complete coverage, Data at rest, Data uploaded, Data created in cloud, Standard apps and Certificate pinned apps; the check marks are not recoverable from the extraction]
Microsoft does not recommend using third-party traffic redirection or inspection devices, or any other network solutions that decrypt, inspect, or take protocol-level or content-level action on Office 365 user traffic.
Source: https://support.microsoft.com/en-us/help/2690045/using-third-party-network-devices-or-solutions-with-office-365
McAfee’s unique architecture approach

[Diagram: Ground Link, Sky Gateway, Sky Link, Lightning Link and Cloud Web Gateway placed between users and Sanctioned / Unsanctioned SaaS, PaaS and IaaS]

Ground Link (Existing Proxy)
• Cloud Discovery
• Cloud Risk Alignment
• Cloud Governance

Sky Gateway (Reverse Proxy + SMTP Proxy)
• Contextual Access + EDRM
• Outbound Email DLP
• Custom Apps

Sky Link & Lightning Link (API)
• Cloud-Native DLP
• Content-Aware Collaboration Control
• Configuration & User Audit
• UEBA Threat Protection
• User Activity Monitoring

McAfee Cloud Web Gateway & MCP (Forward Proxy)
• Off-network Shadow IT
• Personal vs Corporate service
• Block uploads and actions
• DLP for unsanctioned & web
• Malware downloads
McAfee’s CASB Architecture Approach

[Diagram: Ground Link, Sky Link & Lightning Link, Sky Gateway and Cloud Web Gateway across Sanctioned / Unsanctioned SaaS, PaaS and IaaS]

• One platform with unified policies across cloud services
• Real time
• Complete coverage: data at rest, data uploaded, data created in cloud, standard apps, certificate pinned apps
• No new agents
• No friction
Skyhigh Products & Licencing

An annual subscription of different product modules. Each module is licenced accordingly:

SaaS Services
• Licenced per user, per cloud service

IaaS Services
• Licenced per Account (AWS) or per Subscription (Azure)

Shadow IT & MCWG
• Each is licenced per user
McAfee’s unique architecture approach

[Diagram: Ground Link, Sky Gateway, Sky Link, Lightning Link and Cloud Web Gateway across Sanctioned / Unsanctioned SaaS, PaaS and IaaS, with the product mapped to each]

Shadow IT & Unsanctioned Cloud
• McAfee Skyhigh for Shadow IT

Unsanctioned Cloud – Advanced
• McAfee Cloud Web Gateway
• McAfee Skyhigh for Shadow IT

SaaS & IaaS Services
• Office 365
• Box
• Salesforce
• AWS
• Azure
• Etc.

SaaS Services & IaaS Custom Apps
• Office 365
• Box
• Salesforce
• Etc.
• In-house built custom apps
Demo Platform Walkthrough
Skyhighdemo.cloud Demo Portal

Users must be ‘Demo Certified’. Email me: tim_stead@mcafee.com for an account - certification must be passed within 30 days to maintain the account.

McAfee Skyhigh Training Architecture
March 2018
McAfee Skyhigh Architecture

• Review of McAfee Skyhigh architecture
  - Sky Link & Lightning Link
  - Sky Gateway
    • Universal Mode (reverse proxy)
    • Email Mode – Passive and Inline
  - Ground Link
McAfee Skyhigh Security Cloud Architecture

[Diagram: the five integration points between the customer and the cloud services]
• Sky Gateway – Email Mode
• Sky Link
• Lightning Link
• Sky Gateway – Universal Mode
• Ground Link
Ground Link-CLR Mode (Existing Proxy / DLP)

1. Cloud Discovery
2. Cloud Usage Analytics
3. Cloud Risk Alignment
4. Cloud Governance via CLR
5. Integration with existing infra
6. Tokenize user info

[Diagram: Ground Link integration points]
• SWG API: Push CLR to cloud SWG
• SWG API: Push CLR to on-prem SWG
• SWG/NGFW: Ingest logs to discover cloud usage
• SIEM (Optional): Push events to SIEM
• DLP API: Push CLR to Endpoint
• IAM: Import users from directory services
Traffic Flows with Existing Proxy (Ground Link mode)

TRAFFIC FLOWS
• Cloud access via existing egress device
• Ground Link-to-Skyhigh API and Ground Link to SWG/NGFW for log receive/pull and CLR
• IAM SSO SAML referral for Skyhigh Dashboard access
• Ground Link-to-on-premise infrastructure

[Diagram: corp mobile devices (MDM) and on-prem corp and BYOD devices on the customer network, with MDM Manager, AD / LDAP, IAM SSO (SAML), Ground Link, SIEM and on-prem SWG/NGFW; Cloud SWG and the Skyhigh service in the cloud]
Sky Link
1. API Poll Method
2. Webhook Method

API Integration is established via an OAuth token from the cloud service to Skyhigh to inspect cloud service activity after the transaction is completed. Two approaches used:
1. API Poll every few secs
2. Register for Webhook

[Diagram: Sky Link between SaaS Applications / IaaS Platforms and Skyhigh]

• Covers core supported SaaS and IaaS services
• Covers core CASB use cases
• Takes minutes to setup
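The two Sky Link ingestion paths the slide lists, API polling and webhook registration, as an added example that is not code from the deck or from Skyhigh/McAfee. The cloud service is a constructed stand-in (`FakeCloudService`), the cursor-based poll and the HMAC-SHA256-signed webhook callback are assumptions of this example rather than a description of any vendor's API, and both paths feed the same normalised event shape so downstream DLP/UEBA logic does not care which one delivered the event.

```python
"""Added example (not Skyhigh/McAfee code): Sky Link-style activity ingestion
by API polling and by webhook. The cloud service is a constructed stand-in;
the HMAC-signed webhook is an assumption of this example."""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed shared secret the stand-in service uses to sign callbacks.
WEBHOOK_SECRET = b"demo-webhook-secret"


@dataclass(frozen=True)
class ActivityEvent:
    """Normalised event; downstream logic sees one shape regardless of path."""
    event_id: str
    user: str
    action: str
    item: str
    source: str  # "poll" or "webhook"


class FakeCloudService:
    """Stand-in for a SaaS/IaaS audit API protected by an OAuth bearer token."""

    def __init__(self, token):
        self._token = token
        self._log = []  # (sequence number, event dict)

    def record(self, event):
        self._log.append((len(self._log) + 1, event))

    def list_activity(self, token, after_seq):
        """Return events newer than the caller's cursor, plus the new cursor."""
        if not hmac.compare_digest(token, self._token):
            raise PermissionError("invalid OAuth token")
        new = [(seq, ev) for seq, ev in self._log if seq > after_seq]
        cursor = new[-1][0] if new else after_seq
        return [ev for _, ev in new], cursor


class SkyLinkPoller:
    """Approach 1: poll every few seconds, keeping a cursor so nothing is re-read."""

    def __init__(self, service, token):
        self.service, self.token = service, token
        self.cursor = 0
        self.seen = set()

    def poll(self):
        events, self.cursor = self.service.list_activity(self.token, self.cursor)
        out = []
        for ev in events:
            if ev["id"] in self.seen:  # tolerate an API that replays on retry
                continue
            self.seen.add(ev["id"])
            out.append(ActivityEvent(ev["id"], ev["user"], ev["action"], ev["item"], "poll"))
        return out


class WebhookReceiver:
    """Approach 2: the service pushes events; verify origin and drop redeliveries."""

    def __init__(self, secret):
        self.secret = secret
        self.seen = set()

    def handle(self, body, signature):
        expected = hmac.new(self.secret, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            return None  # unsigned or tampered callback: ignore it
        ev = json.loads(body)
        if ev["id"] in self.seen:
            return None  # duplicate delivery (webhooks are at-least-once)
        self.seen.add(ev["id"])
        return ActivityEvent(ev["id"], ev["user"], ev["action"], ev["item"], "webhook")


def sign(body):
    """What the stand-in service attaches to a callback."""
    return hmac.new(WEBHOOK_SECRET, body, hashlib.sha256).hexdigest()


def demo():
    """Run both paths over constructed activity and report what each produced."""
    svc = FakeCloudService("oauth-token-for-skyhigh")
    poller = SkyLinkPoller(svc, "oauth-token-for-skyhigh")
    svc.record({"id": "e1", "user": "alice", "action": "share", "item": "q3-forecast.xlsx"})
    svc.record({"id": "e2", "user": "bob", "action": "download", "item": "payroll.csv"})
    first = poller.poll()
    second = poller.poll()  # cursor has advanced: nothing new
    hook = WebhookReceiver(WEBHOOK_SECRET)
    body = json.dumps({"id": "e3", "user": "carol", "action": "share", "item": "design.docx"}).encode()
    live = hook.handle(body, sign(body))
    redelivered = hook.handle(body, sign(body))
    forged = hook.handle(body, "0" * 64)
    return {"first_poll": first, "second_poll": second,
            "webhook": live, "redelivered": redelivered, "forged": forged}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The poll path carries a cursor and a seen-set because an audit API may replay the same record on retry; the webhook path checks the signature before parsing the body so that an unauthenticated caller cannot inject activity into the pipeline, and it drops redeliveries for the same reason.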
CASB Connect - API Developer Framework

[Diagram: Cloud Apps → Universal API Connector → McAfee Skyhigh Security Cloud]

• API framework and toolkit for native integration
• Only 2 hours to complete with no coding required
• Adopted by over 25 Cloud apps in just one month
Lightning Link

Office 365 only*

Lightning Link uses a REALTIME webhook-method in MSFT API to register Skyhigh event listeners for any OneDrive/SharePoint sharing or collaboration activities.

• Used to apply real-time controls for sharing or collaboration of files, folders
• Does not apply DLP content inspection
Sky Link & Lightning Link

[Diagram: Sky Link and Lightning Link to the cloud service; Ground Link to SIEM (Optional): Push events to SIEM]

Sky Link
1. Near real-time, in-cloud DLP
2. ODS, in-cloud DLP
3. Content-aware Collaboration Control
4. IaaS Configuration & User Auditing
5. User Activity Monitoring
6. UEBA Threat Detection
7. Malware Scanning

Lightning Link
1. Real-time Collaboration Control
Traffic flows with Sky Link & Lightning Link

TRAFFIC FLOWS
• Direct SaaS Access
• Sky Link-to-SaaS API

[Diagram: corp mobile devices (MDM), BYOD users / contractors and cloud-to-cloud external users reaching sanctioned SaaS, PaaS and IaaS (with EDRM) directly; Cloud SWG; on-prem corp and BYOD devices on the customer network with MDM Manager, AD / LDAP, Ground Link, SIEM and on-prem SWG/NGFW]
Sky Gateway – Universal Mode

Uses a customer-defined and Skyhigh-managed vanity domain to redirect traffic for ANY device to each Sanctioned SaaS, e.g. office.acmecorp.myshn.net

[Diagram: Sky Gateway Universal Mode in front of SaaS Applications / Workloads]

• For O365 and many public SaaS, reverse proxy is for use cases not covered via API, e.g. access control, inline encryption, etc.
• Can also be used for apps with no API (e.g. customer’s in-house built cloud app, or other long-tail SaaS)
Sky Gateway – Pervasive Cloud Control

[Diagram: Customer Users (ANY Device, ANY Location) → IDENTITY PROVIDER → slack.acmecorp.myshn.net (Sky Gateway) → acme.slack.com]

1. On-premises, remote or mobile user attempts to access customer’s sanctioned SaaS instances or even an in-house developed, custom cloud app hosted on PaaS/IaaS.
2. The CSP automatically redirects the user to customer’s Identity Provider.
3. The identity provider authenticates the user.
4. Upon success, the IdP issues a SAML token to access the CSP. However, the Skyhigh Sky Gateway is defined as the CSP; not the original Sanctioned SaaS or Custom App instance.
5. Cloud service access is then directed to the Sky Gateway where the access context can be assessed: e.g. has a valid corporate device certificate, an authorized source network or trusted geo, etc. Also, if policy dictates, the rest of the user’s session can be seamlessly redirected through the Sky Gateway for inline filtering (e.g. to block downloads, DLP, etc).
6. Access policy can also send the user’s session direct, bypassing the Sky Gateway. E.g. for trusted devices / networks, particularly those using native device apps.
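The access-context assessment described for the Sky Gateway step, as an added example that is not code from the deck or from Skyhigh/McAfee. It assumes the SAML assertion has already landed the session on a vanity hostname and decides, from the signals the slide names (device certificate, source network, geo, native app), whether to deny, keep the session inline on the gateway, or send it direct. The corporate networks, trusted geos, vanity-to-service mapping and the rule order are constructed for illustration; the two vanity hostnames are the ones shown on the slides.

```python
"""Added example (not Skyhigh/McAfee code): the access-context decision taken
at the Sky Gateway once the IdP has issued the SAML assertion. Networks, geos,
the vanity-host mapping and the rule order are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

# Constructed policy inputs.
CORP_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("203.0.113.0/24")]
TRUSTED_GEOS = {"AU", "NZ", "SG"}
# Vanity hostnames from the slides mapped to the real service (constructed mapping).
VANITY_TO_SERVICE = {
    "slack.acmecorp.myshn.net": "acme.slack.com",
    "office.acmecorp.myshn.net": "login.microsoftonline.com",
}


@dataclass(frozen=True)
class SessionContext:
    user: str
    vanity_host: str    # the Sky Gateway hostname the SAML flow landed on
    source_ip: str
    geo: str            # country code derived from the source address
    device_cert: bool   # valid corporate device certificate presented
    mdm_managed: bool   # device reported by MDM/EMM as managed
    native_app: bool    # thick client rather than a browser


def on_corp_network(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_NETWORKS)


def decide(ctx):
    """Return (decision, reason, next_hop).

    decision is one of:
      'deny'   - neither a trusted device nor a trusted location
      'direct' - trusted device on a trusted path: bypass the gateway
      'inline' - keep the session on the Sky Gateway for download block / DLP
    next_hop is the hostname the session continues to (None on deny).
    """
    if ctx.vanity_host not in VANITY_TO_SERVICE:
        return "deny", "unknown vanity host", None
    service = VANITY_TO_SERVICE[ctx.vanity_host]
    trusted_device = ctx.device_cert or ctx.mdm_managed
    trusted_location = on_corp_network(ctx.source_ip) or ctx.geo in TRUSTED_GEOS
    if not trusted_device and not trusted_location:
        return "deny", "unmanaged device from an untrusted network and geo", None
    if trusted_device and (on_corp_network(ctx.source_ip) or ctx.native_app):
        return "direct", "trusted device on corporate network or native app", service
    # Everything else (typically a browser on BYOD) stays behind the gateway.
    return "inline", "browser session kept on the gateway for inline filtering", ctx.vanity_host


def demo():
    """Evaluate four constructed sessions and return their decisions."""
    cases = {
        "corp_laptop": SessionContext(
            "alice", "office.acmecorp.myshn.net", "10.1.2.3", "AU", True, False, False),
        "byod_browser": SessionContext(
            "bob", "slack.acmecorp.myshn.net", "198.51.100.7", "AU", False, False, False),
        "unknown_device_abroad": SessionContext(
            "mallory", "office.acmecorp.myshn.net", "198.51.100.9", "ZZ", False, False, False),
        "mdm_phone_native_app": SessionContext(
            "carol", "office.acmecorp.myshn.net", "192.0.2.44", "US", False, True, True),
    }
    return {name: decide(ctx) for name, ctx in cases.items()}


if __name__ == "__main__":
    for name, (decision, reason, hop) in demo().items():
        print(f"{name:24} {decision:7} -> {hop}  ({reason})")
```

The order of the rules matters: the deny check runs first so that a missing device signal combined with an untrusted location never falls through to the permissive branches, and the direct bypass is granted only when a trusted device is also on a trusted path, which mirrors the slide's point that native apps on managed devices are the typical bypass case.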
Sky Gateway – Universal Mode (Reverse Proxy)

1. Contextual Access Control
2. Inline DLP for browser access
3. EDRM Enforcement
4. Structured & Unstructured encryption
5. Activity Monitoring + UEBA for Custom Apps

[Diagram: Sky Gateway Universal Mode with Ground Link integrations]
• IAM: Route traffic to Sky Gateway post-authentication via SAML
• MDM/EMM (optional): Identify MDM-Managed devices
Sky Gateway – Email Mode

A cloud-based SMTP gateway for passively or actively DLP inspecting customer’s cloud-generated emails.

[Diagram: Sky Gateway Email Mode alongside SaaS Email]

• Available for both Exchange Online and Google Gmail (currently Passive monitoring only)
• Passive mode uses an archiving function
• Inline mode uses SMTP connectors and mail flow rules
Sky Link & Sky Gateway – Passive Email Mode

[Diagram: Sky Gateway Passive Email Mode and Sky Link to the mail service; Ground Link to SIEM (Optional): Push events to SIEM]

Sky Gateway
1. Near real-time email DLP for potentially all mail – internal and external

Sky Link
1. ODS mailbox DLP
2. User Activity Monitoring
3. UEBA Threat Detection
4. DLP remediation
Traffic Flows with Sky Gateway – Passive Email Mode

TRAFFIC FLOWS
• Direct Exchange Online Access
• Outbound SMTP Flow
• Sky Link-to-Exchange Online API
• Copy of email sent to Sky Gateway by Exchange Online Journaling

[Diagram: corp mobile devices (MDM), BYOD users / contractors and on-prem corp and BYOD devices reaching sanctioned SaaS (with EDRM); Cloud SWG; customer network with MDM Manager, AD / LDAP, Ground Link, SIEM and on-prem SWG/NGFW]
Sky Link & Sky Gateway – Inline Email Mode

[Diagram: Sky Gateway Inline Email Mode and Sky Link to the mail service; Ground Link to SIEM (Optional): Push events to SIEM]

Sky Gateway
1. Inline email DLP for externally-bound mail only

Sky Link
1. ODS mailbox DLP
2. User Activity Monitoring
3. UEBA Threat Detection
4. Quarantine control
Traffic Flows with Sky Gateway – Inline Email Mode

TRAFFIC FLOWS
• Direct Exchange Online Access
• Outbound SMTP Flow
• Sky Link-to-Exchange Online API
• Externally-bound email sent to Sky Gateway by an Exchange Online Mail Flow Connector
• Clean/released mail sent back to Exchange Online by Sky Gateway

[Diagram: corp mobile devices (MDM), BYOD users / contractors and on-prem corp and BYOD devices reaching sanctioned SaaS (with EDRM); Cloud SWG; customer network with MDM Manager, AD / LDAP, Ground Link, SIEM and on-prem SWG/NGFW]
A platform built on trust

DAY 1
CHAPTER 2
McAfee Skyhigh Security Cloud for Shadow IT
Shadow IT Overview

Data Exfiltration Vectors—Shadow IT

[Diagram: exfiltration vectors]
• Rogue Employee
• Data Loss / Exposure
• Targeted Data Theft
• Risk & Compliance
• Shadow Governance Gap
Data Exfiltration Controls—Shadow IT

[Diagram: the same vectors (Rogue Employee; Data Loss / Exposure; Targeted Data Theft; Risk & Compliance; Shadow Governance Gap) mapped to controls]

Controls shown:
• User Behavior Analytics
• Access Control
• Risk-Based Access Control
• Inline DLP
• CLR
• Service Governance: Block High Risk; Warn / Coach
• Risk Policy and Risk & Compliance Groups: Block, Warn / Coach
• Enterprise DLP / SWG Integration
Skyhigh’s unique approach

[Diagram: Ground Link, Sky Gateway, Sky Link and Lightning Link across SaaS, PaaS, IaaS]

• One platform with unified policies across cloud services
• Real time
• Complete coverage: data at rest, data uploaded, data created in cloud, standard apps, certificate pinned apps
• No new agents
• No friction

Shadow IT Architecture

[Diagram: Ground Link only, across SaaS, PaaS, IaaS; the same points as the previous slide]
McAfee Skyhigh Security Cloud – Shadow IT Use Case Examples

1. Cloud Discovery & Usage: Uncover and understand all shadow IT usage within your organization
2. Cloud Risk Alignment: Align cloud service risks with the specific risk appetite of each individual organization
3. Cloud Governance & CLR: Create and enforce dynamic acceptable use policies based on service category and risk
4. Vendor Risk Assessment: Assess and compare requested services with a continuously updated database including detailed risk attributes

Enforcement Gap Analysis: Audit enforcement by firewalls / proxies and close/remediate inconsistencies
Outbound Data Intelligence: Identifies uploads to untrusted destinations and flags malicious domains and IP addresses
Shadow IT Architecture
McAfee Skyhigh Security Cloud Architecture

[Diagram: Sky Gateway – Email Mode, Sky Link, Lightning Link, Sky Gateway – Universal Mode and Ground Link]
Ground Link-CLR Mode (Existing Proxy / DLP) and Traffic Flows with Existing Proxy (Ground Link mode): repeated from Chapter 1 (see the slides of the same name).
Ground Link Overview

• Ground Link is a logical grouping of services that is also used to integrate existing client infrastructure with Skyhigh Networks
• The enterprise connector provides
  • Log processing
  • Active Directory / LDAP integration
  • SIEM or Log Management
  • On-premise Data Loss Prevention (DLP) via DLP Integrator
  • KMIP integration via Skyhigh key agent

[Diagram: Skyhigh Enterprise Connector linking On-Premise DLP, On-Premise SIEM, Active Directory and On-Premise KMIP]
Ground Link – Enterprise Connector

• On-premise log processor will process proxy, firewall and/or SIEM logs
• Outbound-only secure connection to Skyhigh Networks CASM Service

[Diagram: Proxies, Firewalls and SIEMs → Collected Raw Logs → On Prem Enterprise Connector → Tokenized Cloud Service Information → SSL Transfer, Port 443 → Skyhigh Super POP; educational messages displayed upon access attempts to high-risk services, and upload/download prevented via existing customer infrastructure]
Ground Link (Enterprise Connector) Overview

• Enterprise Connector is Skyhigh Networks software installed on-premise to collect and process logs
• Use TLS to ensure all data transfer is secure
• Parse logs to only process Cloud Service Provider (CSP) data
• Only send information of fields necessary to McAfee Skyhigh Security Cloud
  • Ability to exclude ranges of IP addresses
  • Ability to exclude fields of log data
• Filter logs based on destination IPs/URLs matching Skyhigh Cloud Service Registry and Google Safe Browsing Malware Scan
• Filter non-significant casual browsing related events using URL patterns and content type
• Tokenize personal identifiable information, including directory attributes
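The log-processing steps listed above, carried out end to end over a handful of constructed proxy log lines, as an added example that is not code from the deck or from Skyhigh/McAfee. It parses the lines, drops an excluded source range, keeps only destinations that match a registry, discards casual-browsing content types, tokenizes the user with a customer-held key before anything leaves the premises, restricts the outbound record to a fixed field list, and then derives a CLR block list from the risk scores of the services actually seen in use. The registry, risk scores, excluded range, log format and field names are all made up for the example; the match works on the requested hostname alone, with no need to see the TLS payload.

```python
"""Added example (not Skyhigh/McAfee code): the Enterprise Connector steps
listed above, run over constructed proxy log lines. The registry, risk
scores, excluded range, field names and log format are made up."""
import hashlib
import hmac
import ipaddress

# Constructed stand-in for the cloud service registry: domain -> (service, risk 1..10).
REGISTRY = {
    "drive.google.com": ("Google Drive", 3),
    "box.com": ("Box", 2),
    "zippyshare.com": ("ZippyShare", 9),
}
EXCLUDED_RANGES = [ipaddress.ip_network("10.50.0.0/16")]  # e.g. a lab VLAN, per policy
CASUAL_CONTENT_PREFIXES = ("image/", "text/css", "application/javascript")
# Only these fields leave the premises; src_ip and the raw username never do.
SENT_FIELDS = ("ts", "user_token", "service", "risk", "action", "bytes_out")
# Tokenization key held by the customer; the cloud side only ever sees tokens.
TOKEN_KEY = b"customer-held-tokenization-key"

# Constructed proxy log: ts src_ip user method host content_type bytes_out
SAMPLE_LOG = """\
2018-03-01T09:00:01Z 10.1.4.20 jsmith POST drive.google.com application/octet-stream 524288
2018-03-01T09:00:05Z 10.1.4.20 jsmith GET drive.google.com image/png 2048
2018-03-01T09:01:10Z 10.50.3.9 labuser POST www.zippyshare.com application/octet-stream 99999
2018-03-01T09:02:00Z 10.1.7.3 mjones PUT upload.zippyshare.com application/octet-stream 1048576
2018-03-01T09:03:00Z 10.1.7.3 mjones GET news.example.com text/html 5000
2018-03-01T09:04:00Z 10.1.9.1 akhan GET app.box.com text/html 700
""".splitlines()


def tokenize(value):
    """Keyed, deterministic token: same user -> same token; not reversible without the key."""
    return hmac.new(TOKEN_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def lookup_service(host):
    """Match the requested hostname (or any subdomain of it) against the registry."""
    for domain, entry in REGISTRY.items():
        if host == domain or host.endswith("." + domain):
            return entry
    return None


def parse_line(line):
    ts, src_ip, user, method, host, ctype, bytes_out = line.split()
    return {"ts": ts, "src_ip": src_ip, "user": user, "method": method,
            "host": host, "content_type": ctype, "bytes_out": int(bytes_out)}


def process(lines):
    """Parse, filter to registry hits, drop casual browsing and excluded ranges, tokenize."""
    events = []
    for line in lines:
        rec = parse_line(line)
        if any(ipaddress.ip_address(rec["src_ip"]) in net for net in EXCLUDED_RANGES):
            continue  # excluded source range: never processed
        entry = lookup_service(rec["host"])
        if entry is None:
            continue  # not a known cloud service: never sent
        if rec["content_type"].startswith(CASUAL_CONTENT_PREFIXES):
            continue  # page assets, not a cloud transaction
        full = {"ts": rec["ts"], "user_token": tokenize(rec["user"]),
                "service": entry[0], "risk": entry[1],
                "action": "upload" if rec["method"] in ("POST", "PUT") else "browse",
                "bytes_out": rec["bytes_out"]}
        events.append({k: full[k] for k in SENT_FIELDS})
    return events


def clr_blocklist(events, risk_threshold=7):
    """Closed-loop remediation: services observed in use at or above the risk
    threshold, ready to push back to the SWG/NGFW as a block list."""
    return sorted({e["service"] for e in events if e["risk"] >= risk_threshold})


if __name__ == "__main__":
    evs = process(SAMPLE_LOG)
    for e in evs:
        print(e)
    print("CLR block list:", clr_blocklist(evs))
```

Of the six constructed lines, three survive: the Google Drive upload, the ZippyShare upload and the Box page view. The image fetch is dropped as casual browsing, the lab-VLAN line is dropped by source range, and the news site is dropped because it is not in the registry. Only ZippyShare crosses the risk threshold, so it alone lands on the block list; the usernames never appear in the outbound records, only their keyed tokens.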
Enterprise Connector Overview

• Can process data from multiple sources from a single Enterprise Connector
• Can process data from different data sources such as a SIEM or IDS/IPS

[Diagram variants: a single Skyhigh Enterprise Connector fed by several Firewall / Proxy sources; three Skyhigh Enterprise Connectors each fed by a Firewall / Proxy; three Skyhigh Enterprise Connectors fed by Firewall / Proxy, SIEM / Log Manager and Intrusion Detection / Intrusion Prevention]
Demo Videos - 4 main Shadow IT use cases:
1. Discover & Understand Cloud Usage (Video Link)
2. Align Cloud Usage with Risk Appetite (Video Link)
3. Cloud Governance & CLR (Video Link)
4. Vendor Risk Assessment (Video Link)
Shadow IT
Objection Handling
Shadow IT Objection Handling – #1
OBJECTION

I don’t have a Shadow IT problem: only the 20 approved cloud services that I have written down in a spreadsheet are allowed for
use. Why do I need a CASB for this?

RESPONSE

Share with the customer the independent and McAfee-produced cloud usage data that shows all organizations are blind to a large percentage of cloud usage: the average organization has 1500 cloud services in use, but is only aware of less than 5%. What’s more, typically ~30 new cloud services are added by users every week.

Related Materials
• Gartner CASB MQ
• Cloud Adoption & Risk Report: 2016
Shadow IT Objection Handling – #2
OBJECTION

My proxy, firewall or SIEM takes care of this.

RESPONSE
SWGs like Bluecoat, Forcepoint and Cisco, as well as Next-Gen firewalls such as Palo Alto, Check Point and FortiNet, typically only categorize a small number of the cloud services available – typically ~3000 – compared to the 24k on the Skyhigh Cloud Registry. They also do a poor job of tracking the various hostnames and IP addresses used by such sites – firewalls in particular struggle because IP addresses are often dynamically re-assigned to different services each day, e.g. Google Mail to Google Drive, etc. This leads to a lot of mis-categorizations or simply no categorization, and since most only block what is explicitly defined, the result is huge amounts of ‘proxy leakage’.
To add to this, there is no indication of the risk of using the site, making it extremely difficult for security teams to make informed, risk-based decisions on cloud access: e.g. both Box and ZippyShare are cloud storage; however, Box encrypts data at rest and requires users to have a logon account; ZippyShare does not. Skyhigh tracks 50 different risk attributes across 24k services.

Related Materials
• Shadow IT Checklist
• Cloud Adoption & Risk Report: 2016
Shadow IT Objection Handling – #3
OBJECTION

We’ve just refreshed our SWG/NGFW and/or we really don’t want massive network perimeter changes.

RESPONSE
The McAfee Skyhigh Shadow IT solution is intended to work with existing proxies, firewalls and SIEMs – leveraging and extending their capabilities to the cloud – rather than ripping and replacing.
Skyhigh’s unique and patented log processing approach means that cloud usage can be identified from the log feeds of existing proxies, firewalls and SIEMs, without ANY need for network changes. Additionally, Skyhigh utilises a unique tokenization mechanism as part of the log processing, which ensures employee PII remains anonymized and is not stored in the cloud.
Also, Skyhigh utilises its unique CLR mechanism to push policy back to such proxies and firewalls to ensure cloud governance and acceptable cloud usage policies are enforced. CLR can also be used to push such policies to endpoint and network DLP.

Related Materials
• McAfee Skyhigh Security Cloud for Shadow IT
Shadow IT Objection Handling – #4
OBJECTION

Don’t you need to do SSL interception for this? Our proxy is not capable/we have not enabled it yet, and/or our privacy team has
ruled out EVER using SSL interception.
RESPONSE
NONE of the CASB modes in the McAfee Skyhigh Security Cloud utilise SSL interception, due to these specific reasons and many others!
For Shadow IT, Skyhigh is able to accurately determine cloud usage using nothing more than the requested hostname, e.g. drive.google.com, or the destination IP address.
This is possible because of the patented, automated discovery and tracking capabilities of the Skyhigh Cloud Registry, as well as the dedicated service intelligence team that monitors and maintains it. Skyhigh discovers and tracks each hostname and destination IP used by each and every cloud service, adjusting these daily, as and when they change. Also, using advanced machine learning and data science, Skyhigh is able to determine a user’s cloud usage just from the various fields available in the proxy or firewall log.

Related Materials
• McAfee Skyhigh Security Cloud for Shadow IT
DAY 2
CHAPTER 3
McAfee Skyhigh Security Cloud for Office 365
Software as a Service - O365 Overview

Data Exfiltration Vectors—SaaS Apps

[Diagram: exfiltration vectors]
• Rogue Employee
• Un-managed devices
• Compromised Accounts
• Collaboration
• SaaS Malware
Data Exfiltration Controls—SaaS Apps

[Diagram: the same vectors (Rogue Employee; Un-managed devices; Compromised Accounts; Collaboration; SaaS Malware) mapped to controls]

Controls shown:
• Access Control
• DLP, Malware Protection
• User Behavior Analytics
• Inline DLP
• Collaboration Control

Actions shown:
• Block Native Apps
• Block Untrusted Geos
• Block Downloads
• EDRM Encrypt
• Scan, Delete, Remediate, Quarantine Malware
• Modify Permissions
McAfee Skyhigh Security Cloud – Sanctioned SaaS Use Case Examples

1. Cloud-Native DLP: Detect and remediate regulated and sensitive data being uploaded/sync’d or created online in cloud services
2. Collaboration Control: Protect against unauthorized sharing of sensitive data via email, shared links or collaboration
3. Contextual Access + EDRM: Disable download of sensitive data from O365, SF.com etc. to unmanaged device or protect downloads with EDRM
4. User Activity Monitoring & Threat Protection: Create audit log and detect compromised accounts/insider threats or privileged misuse

Structured Encryption: Protect data from CSP access by encrypting on a per-field basis with customer-owned keys
Malware Detection: Identifies signatures, sandboxes suspicious files, and detects malware behavior
Software as a Service - O365
Architecture
McAfee Skyhigh Security Cloud Architecture: repeated from Chapter 1 (see the slide of the same name).
Sky Link (2. Webhook Method) and Lightning Link: repeated from Chapter 1 (see the slides of the same name).
Sky Link & Lightning Link

[Diagram: Sky Link and Lightning Link to the cloud service; Ground Link to SIEM (Optional): Push events to SIEM]

Sky Link
1. Near real-time, in-cloud DLP
2. ODS, in-cloud DLP
3. Content-aware Collaboration Control
4. User Activity Monitoring
5. UEBA Threat Detection
6. Malware Scanning

Lightning Link
1. Real-time Collaboration Control
Traffic flows with Sky Link & Lightning Link, and Sky Gateway – Universal Mode: repeated from Chapter 1 (see the slides of the same name).
Sky Gateway – Pervasive Cloud Control

[Diagram: Customer Users (ANY Device, ANY Location) → IDENTITY PROVIDER → office.acmecorp.myshn.net (Sky Gateway) → login.microsoftonline.com]

The access flow is the one described on the Chapter 1 slide of the same name.
Sky Gateway – Universal Mode (Reverse Proxy)

1. Contextual Access Control
2. Inline DLP for browser access
3. EDRM Enforcement
4. Structured & Unstructured encryption

[Diagram: Sky Gateway Universal Mode with Ground Link integrations]
• IAM: Route traffic to Sky Gateway post-authentication via SAML
• MDM/EMM (optional): Identify MDM-Managed devices
Traffic Flows with Sky Gateway – Universal Mode (Reverse Proxy)

TRAFFIC FLOWS
• SaaS access directed through Sky Gateway
• Sky Gateway SSO SAML intermediation

[Diagram: corp mobile devices (MDM), BYOD users / contractors and cloud-to-cloud external users reaching the cloud service through the Sky Gateway; Cloud SWG; on-prem corp and BYOD devices on the customer network with MDM Manager, AD / LDAP, IAM SSO (SAML), Ground Link, SIEM and on-prem SWG/NGFW; EDRM]
Sky Gateway – Email Mode

A cloud-based SMTP gateway for


passively or actively DLP
inspecting customer’s cloud- Sky Gateway
Email Mode
generated emails

• Available for both Exchange


Online and Google Gmail
(currently Passive monitoring
only)

• Passive mode uses an


archiving function
• Inline mode uses SMTP
connectors and mail flow rules

McAFEE CONFIDENTIAL 80
Sky Link & Sky Gateway – Passive Email Mode

Sky Gateway
1. Near real-time email DLP for Sky Link
potentially all mail – internal and
external
Sky Gateway
Passive Email Mode
Sky Link
1. ODS mailbox DLP
2. User Activity Monitoring Ground Link
3. UEBA Threat Detection
4. DLP remediation
SIEM (Optional)
Push events to SIEM

McAFEE CONFIDENTIAL 81
Traffic Flows with Sky Gateway – Passive Email Mode
TRAFFIC FLOWS
Direct Exchange Online Access
Outbound SMTP Flow
Sky Link-to-Exchange Online API
CORP
Copy of email sent to Sky Gateway by MOBILE
BYOD USERS /
CONTRACTORS
Exchange Online Journaling DEVICES
(MDM)

CLOUD SWG

SIEM

GROUND LINK

AD / LDAP
ON-PREM CORP AND BYOD
DEVICES
CUSTOMER SANCTIONED
NETWORK MDM MANAGER SAAS
EDRM

ON-PREM SWG/NGFW

McAFEE CONFIDENTIAL 82
Sky Link & Sky Gateway – Inline Email Mode

Sky Gateway Sky Link


1. Inline email DLP for externally-
bound mail only

Sky Link Sky Gateway


Inline Email Mode
1. ODS mailbox DLP
2. User Activity Monitoring
3. UEBA Threat Detection Ground Link
4. Quarantine control
SIEM (Optional)
Push events to SIEM

McAFEE CONFIDENTIAL 83
Traffic Flows with Sky Gateway – Inline Email Mode

TRAFFIC FLOWS (diagram legend):
• Direct Exchange Online access
• Outbound SMTP flow
• Sky Link-to-Exchange Online API
• Externally-bound email sent to Sky Gateway by an Exchange Online Mail Flow Connector
• Clean/released mail sent back to Exchange Online by Sky Gateway

[Diagram: corp mobile devices (MDM); BYOD users / contractors; cloud SWG; SIEM; Ground Link; AD / LDAP; on-prem corp and BYOD devices; customer network; MDM manager; sanctioned SaaS; EDRM; on-prem SWG/NGFW]

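The difference between the two SMTP integrations above is what the gateway sees and what it is allowed to do with it. In passive mode it receives a journaled copy of every message, internal or external, and can only record an incident for Sky Link to remediate afterwards. In inline mode the mail flow connector hands it only externally-bound messages, and it must return a release or quarantine verdict before anything leaves the tenant. The Python below is an added illustration written for this page, not Skyhigh code: it parses two constructed RFC 5322 messages, scans body and attachments for card numbers that pass the Luhn check, and applies the mode-specific action. The corporate domain, the sample messages and the verdict names are assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses
from typing import Dict, List

CORP_DOMAIN = "acmecorp.com"   # assumption: the customer's own mail domain
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out most random digit runs while keeping real card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return Luhn-valid 13-16 digit card numbers found in text, separators removed."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_message(raw: str) -> Dict[str, object]:
    """Walk every MIME part (body and attachments) and note whether any recipient is external."""
    msg = message_from_string(raw)
    matches: List[str] = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        matches.extend(find_pans(payload.decode("utf-8", errors="ignore")))
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    external = any(not addr.lower().endswith("@" + CORP_DOMAIN) for _, addr in pairs)
    return {"from": msg["From"], "external": external, "matches": matches}


def apply_policy(scan: Dict[str, object], mode: str) -> str:
    """Passive mode sees a journaled copy of every message and can only raise an incident.
    Inline mode only ever receives externally-bound mail (the mail flow rule routes nothing
    else to the connector) and must return a release/quarantine verdict."""
    if mode == "passive":
        return "incident" if scan["matches"] else "clean"
    if mode == "inline":
        if not scan["external"]:
            return "not_routed"
        return "quarantine" if scan["matches"] else "release"
    raise ValueError("mode must be 'passive' or 'inline'")


# Constructed sample messages (not real traffic); both card numbers are standard test PANs.
INTERNAL_MSG = """From: alice@acmecorp.com
To: bob@acmecorp.com
Subject: Q3 numbers
Content-Type: text/plain

Card on file: 4111 1111 1111 1111
"""

EXTERNAL_MSG = """From: alice@acmecorp.com
To: partner@example.org
Cc: bob@acmecorp.com
Subject: invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: text/csv; name="cards.csv"
Content-Disposition: attachment; filename="cards.csv"

name,pan
test,5500000000000004
--b1--
"""

if __name__ == "__main__":
    for label, raw in (("internal", INTERNAL_MSG), ("external", EXTERNAL_MSG)):
        scan = scan_message(raw)
        print(label, scan["matches"], "passive:", apply_policy(scan, "passive"),
              "inline:", apply_policy(scan, "inline"))
```

The internal message is caught in passive mode (the journal copy contains it) but never reaches the inline hop at all, which is exactly the gap the passive slide's "internal and external" wording is pointing at.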
Ground Link Mode

Integration with existing infrastructure:
1. Push incidents to SIEM
2. Pull user groups and attributes from AD/LDAP

Ground Link
• SIEM (optional): push events to SIEM
• IAM: import users from directory services

Demo Videos - 4 main Office 365 use cases:
1. DLP for OneDrive and Exchange Online (OD Video Link & EOL Video Link)
2. Content-Aware Collaboration Control
3. Contextual Access Control (Video Link)
4. User Activity and Threat Protection

Office 365 Objection Handling
O365 Objection Handling #1

OBJECTION
Skyhigh only supports OneDrive, SharePoint and Exchange Online. What about the likes of Teams, Yammer, Skype, Dynamics, OneNote, Online Office Apps, etc.?

RESPONSE
This is partly true, but a more accurate description would be: "Skyhigh only supports Sky Link API mode for OneDrive, SharePoint and Exchange Online, because MSFT does not provide a full Management API for the other services."

However, many of these apps, including Teams and the Online Office Apps, actually store their data in either OneDrive or SharePoint, so as far as DLP is concerned we can cover them today via API. We can also apply Contextual Access Control to all such apps using the Sky Gateway reverse proxy, since they are all accessed through the O365 web portal or its associated domains.

The gap we have today is activity monitoring and threat protection for such apps, since we would typically get this via API. We are reliant on MSFT enabling such apps in their Management API, which they are slowly doing. It is worth pointing out to the customer that our competitors face the same challenge, unless they use a forward proxy, which is not supported by MSFT.

Related Materials
• MSFT Statement on Inline CASBs

O365 Objection Handling – Service Capabilities

OBJECTION
You do not support real-time DLP for O365.

RESPONSE
This is partially true, but we DO apply real-time DLP where it matters, which is data exfiltration from O365.

We apply DLP in three main modes, API, Reverse Proxy and SMTP Proxy, and each addresses a different DLP vector:
• API covers data created in or uploaded to the cloud. This is essentially inbound DLP; it is not about preventing data loss but about meeting regulatory compliance, so it does not necessarily need to be real-time.
• Reverse proxy covers data downloaded from the cloud, particularly to an unmanaged device.
• SMTP proxy covers data emailed out of the cloud.
The last two are outbound data in motion, which is where data loss can actually occur, and both are real-time.

There is also the possibility that users share sensitive data in OneDrive or SharePoint, which exposes it externally and causes data loss. We cover this in REAL-TIME using Lightning Link to block sharing of ANY data that has not been tagged, and therefore has not first been DLP-checked.

Also remind the customer that the only OTHER way to achieve real-time DLP would be an inline forward proxy, which is not supported by MSFT, as covered on the previous page.

O365 Objection Handling – Service Capabilities

OBJECTION
Does Skyhigh provide encryption with full support for different schemes and native client support? For example, support for encrypting all files in OneDrive.

RESPONSE
For collaboration solutions we should not be recommending encrypting all content, since it degrades the user experience in the cloud service (it breaks Preview, Search, Online Edit, etc.) and also breaks collaboration.

Instead, we should recommend that the customer first implement Skyhigh content-aware collaboration control, to ensure sensitive data is not shared with individuals who should not have access, and then look to an EDRM solution, which can rights-protect the file both inside and outside the cloud service.

O365 Objection Handling – Service Capabilities

OBJECTION
Can Skyhigh reverse proxy connections from desktop or mobile clients to provide inline, real-time CASB controls?

RESPONSE
No, Skyhigh does not do this, and for good reasons. Firstly, many native apps use proprietary protocols, binary data chunking, SSL certificate pinning, etc., which makes them extremely difficult to proxy, with either a reverse or a forward proxy. Secondly, MSFT does not support inline proxying of its services.

Also, why would a customer want to do this? Skyhigh already covers data uploaded, created or shared using our API and SMTP modes, so the only data-in-motion use case left is downloads. Would a customer care about sensitive data downloaded to one of their own managed devices? They would not, but they would care if it were downloaded to an UNMANAGED device. However, native apps typically sync a copy of all data (the OneDrive sync client downloads all OneDrive files, the Outlook client downloads the whole mailbox), so would a customer EVER want to allow such native apps from unmanaged devices? The answer is "no". Where unmanaged device access is allowed at all, it is usually limited to browser access, typically with all file downloads blocked.

Skyhigh can do this with the reverse proxy and Contextual Access Controls. And since this covers only a very limited portion of user O365 access, not ALL user access, it does not run into MSFT's advice on the use of inline proxy CASBs.

Q&A
DAY 2
CHAPTER 4
McAfee Skyhigh Security Cloud for AWS
Infrastructure as a Service - AWS
Overview
IaaS—Shared Responsibility Model

[Diagram: IaaS, PaaS and SaaS columns, each split between Customer Responsibility and Service Provider Responsibility]

Data Exfiltration Vectors—IaaS Platforms & Apps

• Rogue use
• Sensitive / regulated data
• Compromised accounts
• Containers and workloads
• Misconfiguration
• Malware
• Workload-to-workload communication

Data Exfiltration Control—IaaS Platforms & Apps

Controls laid over the vectors above:
• User Behavior Analytics
• DLP Control: discovery & inline DLP; S3 Buckets & Azure Blobs (quarantine / remediate); app uploads / downloads (scan)
• Workload and Container Security
• Security Configuration
• Network Segmentation

McAfee Skyhigh Security Cloud – IaaS Use Case Examples

Platform (AWS / Azure):
1. Configuration + Privileged User Audit: identify and remediate poor security settings and delete inactive users
2. User Activity Monitoring & Threat Protection: create audit log and detect compromised accounts / insider threats or privileged misuse
3. AWS S3 Bucket & Azure Blob Storage DLP Discovery: create audit log and detect insider threats / compromised accounts

Custom apps hosted on IaaS:
• Audit Log + UEBA: learn the activities of a custom app, create an activity log and detect threats
• Inline Cloud-Native DLP: remediate the upload/posting or download of sensitive data in a custom app, with blocking, encryption or EDRM
• Contextual Access + EDRM: disable download of corporate data from a custom app to an unmanaged device, or protect downloads with EDRM

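Use case 1 above, "identify and remediate poor security settings and delete inactive users", comes down to two checks against the account: bucket policies that grant access to any principal, and IAM users whose credentials have not been used for a long time or who sign in to the console without MFA. The Python below is an added example for this page, not Skyhigh code and not the AWS SDK: it evaluates a constructed S3 bucket policy document and a constructed IAM credential report (a subset of the real report's columns, in the format `aws iam get-credential-report` returns). The account ID, bucket name, VPC endpoint ID, user names and the 90-day idle threshold are all assumptions.

```python
import csv
import io
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


def is_wildcard_principal(principal) -> bool:
    """Principal "*" or {"AWS": "*"} (also inside a list) grants access to anyone on the Internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = aws if isinstance(aws, list) else [aws]
        return "*" in aws
    return False


def public_statements(bucket_policy: dict) -> List[dict]:
    """Return Allow statements open to any principal that are not narrowed by a Condition."""
    findings = []
    statements = bucket_policy.get("Statement", [])
    statements = statements if isinstance(statements, list) else [statements]
    for st in statements:
        if st.get("Effect") != "Allow" or not is_wildcard_principal(st.get("Principal")):
            continue
        if st.get("Condition"):
            continue  # e.g. aws:SourceVpce / aws:SourceIp; still worth reviewing, but not public
        actions = st.get("Action", [])
        findings.append({"sid": st.get("Sid"), "actions": actions if isinstance(actions, list) else [actions]})
    return findings


def _parse_ts(value: str) -> Optional[datetime]:
    """Credential report cells are ISO 8601 timestamps or one of a few placeholder strings."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_credential_report(report_csv: str, now: datetime, max_idle_days: int = 90) -> Dict[str, List[str]]:
    """Flag users idle beyond max_idle_days on every credential, and console users without MFA."""
    inactive, no_mfa = [], []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue  # root is audited separately; it cannot be deleted
        used = [_parse_ts(row[c]) for c in
                ("password_last_used", "access_key_1_last_used_date", "access_key_2_last_used_date")]
        used = [t for t in used if t is not None]
        newest = max(used) if used else _parse_ts(row["user_creation_time"])
        if newest is not None and now - newest > timedelta(days=max_idle_days):
            inactive.append(row["user"])
        if row["password_enabled"] == "true" and row["mfa_active"] == "false":
            no_mfa.append(row["user"])
    return {"inactive": inactive, "no_mfa": no_mfa}


# Constructed sample data (not from any real account).
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::acme-logs/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::acme-logs", "arn:aws:s3:::acme-logs/*"],
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    {"Sid": "Admins", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/Admin"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::acme-logs/*"}
  ]
}""")

SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2016-01-01T00:00:00+00:00,not_supported,2018-05-01T09:00:00+00:00,true,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2017-03-01T00:00:00+00:00,true,2018-05-20T08:00:00+00:00,true,true,2018-05-21T08:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2017-03-01T00:00:00+00:00,true,2018-01-10T08:00:00+00:00,false,false,N/A,false,N/A
deploy,arn:aws:iam::123456789012:user/deploy,2016-06-01T00:00:00+00:00,false,N/A,false,true,no_information,false,N/A
"""
NOW = datetime(2018, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("public statements:", public_statements(SAMPLE_POLICY))
    print("credential findings:", audit_credential_report(SAMPLE_REPORT, NOW))
```

Only `PublicRead` is reported: `VpcOnly` also names a wildcard principal, but its `aws:SourceVpce` condition confines it to the customer's own VPC endpoint, which is the distinction a naive "Principal is *" grep misses. The `deploy` user has a key that has never been used, so its idle time is measured from creation; that is the kind of forgotten service credential a privileged user audit is meant to surface.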
Infrastructure as a Service - AWS
Architecture

McAfee Skyhigh Security Cloud Architecture

[Diagram components: Sky Gateway Email Mode; Sky Link; Lightning Link; Sky Gateway Universal Mode; Ground Link]



Sky Link

API integration is established via an OAuth token from the cloud service to Skyhigh, to inspect cloud service activity after the transaction has completed. Two approaches are used:
1. API poll every few seconds
2. Register for a webhook

• Covers core supported SaaS and IaaS services
• Covers core CASB use cases
• Takes minutes to set up



Sky Link

Sky Link
1. ODS, in-cloud DLP
2. IaaS Configuration & User Auditing
3. User Activity Monitoring
4. UEBA Threat Detection

Ground Link
• SIEM (optional): push events to SIEM



Traffic flows with Sky Link

TRAFFIC FLOWS (diagram legend):
• Direct SaaS access
• Sky Link-to-SaaS API

[Diagram: corp mobile devices (MDM); BYOD users / contractors; cloud SWG; cloud-to-cloud external users; SIEM; Ground Link; AD / LDAP; on-prem corp and BYOD devices; customer network; MDM manager; EDRM; on-prem SWG/NGFW]



Sky Gateway – Universal Mode

Uses a customer-defined and Skyhigh-managed vanity domain to redirect traffic for ANY device to each custom app, e.g. app1.acmecorp.myshn.net

• Used for apps with no API, e.g. a customer's in-house built cloud app, or other long-tail SaaS



Sky Gateway – Pervasive Cloud Control

1. An on-premises, remote or mobile user attempts to access the customer's sanctioned SaaS instances, or even an in-house developed custom cloud app hosted on PaaS/IaaS.
2. The CSP automatically redirects the user to the customer's Identity Provider.
3. The identity provider authenticates the user.
4. Upon success, the IdP issues a SAML token to access the CSP. However, the Skyhigh Sky Gateway is defined as the CSP, not the original sanctioned SaaS or custom app instance.
5. Cloud service access is then directed to the Sky Gateway, where the access context can be assessed: e.g. does the client present a valid corporate device certificate, come from an authorised source network or a trusted geo? If policy dictates, the rest of the user's session can be seamlessly redirected through the Sky Gateway for inline filtering (e.g. to block downloads, DLP, etc.).
6. Access policy can also send the user's session direct, bypassing the Sky Gateway, e.g. for trusted devices / networks, particularly those using native device apps.

[Diagram: Identity Provider; Sky Gateway at app1.acmecorp.myshn.net fronting app1.acmecorp.com; Customer Users: ANY device, ANY location]
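Steps 4 to 6 are the whole trick of SAML intermediation: the IdP is told that the gateway, not the app, is the service provider, so the assertion is addressed to the gateway, and the gateway then decides per request whether the session goes direct to the app or stays behind the proxy. The Python below is an added example for this page, not Skyhigh code: it parses a constructed SAML Response, checks that Destination and Audience name the gateway rather than the app, then applies a small contextual access policy (device certificate, source network, geo) and rewrites the app origin onto the vanity host for proxied sessions. The hostnames are the ones from the slide; the ACS path, the corporate network range (TEST-NET-3), the trusted geos and the user are assumptions. Signature verification is deliberately left out and is called out in the code; a real SP must verify the assertion's XML signature and validity window before trusting any of these fields.

```python
import ipaddress
import xml.etree.ElementTree as ET
from typing import Dict, Optional

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumptions: the vanity host from the slide fronts app1.acmecorp.com, the corporate
# egress range is 203.0.113.0/24 (TEST-NET-3), and AU/NZ are the trusted geos.
APP_ORIGIN = "https://app1.acmecorp.com"
GATEWAY_ORIGIN = "https://app1.acmecorp.myshn.net"
GATEWAY_ACS = GATEWAY_ORIGIN + "/saml/acs"
CORP_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
TRUSTED_GEOS = {"AU", "NZ"}


def parse_saml_response(xml_text: str) -> Dict[str, Optional[str]]:
    """Extract the fields the gateway needs from the IdP's SAML Response.
    Signature verification is deliberately omitted here; a real SP must verify the
    XML signature and NotBefore/NotOnOrAfter before trusting any of these values."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    audience = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    return {
        "destination": root.get("Destination"),
        "audience": audience.text if audience is not None else None,
        "name_id": name_id.text if name_id is not None else None,
    }


def assertion_for_gateway(fields: Dict[str, Optional[str]]) -> bool:
    """Step 4: the IdP must have the gateway, not the app, configured as the SAML service
    provider, so both Destination (ACS URL) and Audience (entity ID) name the gateway."""
    return fields["destination"] == GATEWAY_ACS and fields["audience"] == GATEWAY_ORIGIN


def to_vanity_url(url: str) -> str:
    """Universal Mode rewrites the app's own origin onto the Skyhigh-managed vanity host."""
    if url.startswith(APP_ORIGIN):
        return GATEWAY_ORIGIN + url[len(APP_ORIGIN):]
    return url


def access_decision(fields: Dict[str, Optional[str]], source_ip: str,
                    has_device_cert: bool, geo: str, path: str = "/") -> Dict[str, str]:
    """Steps 5 and 6: assess the access context and decide where the session goes."""
    if not assertion_for_gateway(fields):
        return {"action": "deny", "reason": "assertion not addressed to Sky Gateway"}
    if geo not in TRUSTED_GEOS:
        return {"action": "deny", "reason": "untrusted geo"}
    ip = ipaddress.ip_address(source_ip)
    on_corp_net = any(ip in net for net in CORP_NETWORKS)
    if has_device_cert and on_corp_net:
        # Trusted device on a trusted network: send the session direct so native apps keep working.
        return {"action": "direct", "target": APP_ORIGIN + path, "user": fields["name_id"] or ""}
    # Everything else stays behind the reverse proxy; unmanaged devices also lose downloads.
    return {"action": "proxy", "target": to_vanity_url(APP_ORIGIN + path),
            "user": fields["name_id"] or "", "block_downloads": "yes" if not has_device_cert else "no"}


# Constructed SAML Response as the IdP would post it to the gateway's ACS (unsigned; see above).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2018-06-01T00:00:00Z" Destination="{GATEWAY_ACS}">
  <saml:Issuer>https://idp.acmecorp.com/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2018-06-01T00:00:00Z">
    <saml:Issuer>https://idp.acmecorp.com/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>alice@acmecorp.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2018-06-01T00:00:00Z" NotOnOrAfter="2018-06-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{GATEWAY_ORIGIN}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    fields = parse_saml_response(SAMPLE_RESPONSE)
    print(access_decision(fields, "203.0.113.10", True, "AU", "/files"))   # managed, on-net
    print(access_decision(fields, "198.51.100.7", False, "AU", "/files"))  # BYOD, off-net
```

The misdirected case is the one to remember: if the IdP still has the app's own ACS URL configured, the assertion is not for the gateway and the gateway has nothing to enforce, which is why the slide stresses that the Sky Gateway, not the app, is defined as the CSP.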
Traffic Flows with Sky Gateway – Universal Mode (Reverse Proxy)

TRAFFIC FLOWS (diagram legend):
• SaaS access directed through Sky Gateway
• Sky Gateway SSO SAML intermediation

[Diagram: corp mobile devices (MDM); BYOD users / contractors; cloud SWG; cloud-to-cloud external users; SIEM; Ground Link; AD / LDAP; on-prem corp and BYOD devices; IAM SSO (SAML); customer network; MDM manager; on-prem SWG/NGFW; EDRM]



Sky Gateway – Universal Mode (Reverse Proxy)

Sky Gateway (Universal Mode)
1. Contextual Access Control
2. Inline DLP for browser access
3. EDRM enforcement
4. Structured & unstructured encryption
5. Activity Monitoring
6. UEBA Threat Detection

Ground Link
• IAM: route traffic to Sky Gateway post-authentication via SAML
• MDM/EMM (optional): identify MDM-managed devices



Ground Link Mode

Integration with existing infrastructure:
1. Push incidents to SIEM
2. Pull user groups and attributes from AD/LDAP

Ground Link
• SIEM (optional): push events to SIEM
• IAM: import users from directory services



Demo Videos - 3 main AWS use cases:
1. Configuration + Privileged User Audit (Video Link)
2. Activity Monitoring & Threat Protection (AM Video Link, TP Video Link)
3. AWS S3 Bucket DLP Discovery

Q&A
Competitive Positioning

The Only Leader in ALL Three CASB Reports

[Analyst report graphics: Skyhigh Networks positioned as a leader in each of the three CASB reports]

NOTE: As of January 2018, Skyhigh Networks is now part of McAfee.



McAfee recognized as the ONLY 2018 Gartner Peer Insights Customers' Choice for Cloud Access Security Brokers (CASB)

600+ Customers Including 30% of the Fortune 100



Technology Partners

• Key Mgmt
• DLP/Classification
• EMM & MDM
• DRM
• IR/Ticketing
• Threat Intel
• SWG & NGFW
• Reputation
• SIEM
• IDaaS & IAM
• Sandbox/Malware



McAfee Cloud Security Suite Differentiators

• Completeness—Only solution to offer complete security coverage of SaaS and PaaS/IaaS
• Frictionless—No new agents, and no app breakage
• Cloud Scale—Processes 2 billion events / day / customer, real-time cloud data controls
• Leadership—Created the market; first CASB with IaaS and Custom Apps, UEBA
• Open Eco-System—CASB Connect, DXL, large eco-system, network effect



Skyhighdemo.cloud Demo Portal

Users must be 'Demo Certified'. Email me: tim_stead@mcafee.com for an account; certification must be passed within 30 days to maintain the account.

Use Cases to Learn for your Demo

Shadow IT:
1. Discover & Understand Cloud Usage (Video Link)
2. Align Cloud Usage with Risk Appetite (Video Link)
3. Cloud Governance & CLR (Video Link)
4. Vendor Risk Assessment (Video Link)

AWS:
1. Configuration + Privileged User Audit (Video Link)
2. Activity Monitoring (Video Link) & Threat Protection (Video Link)
3. AWS S3 Bucket DLP Discovery



McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the U.S. and/or other countries. Other names and brands may be claimed as the property of others. Copyright © 2017 McAfee, LLC.
