00 MWG 101 D01 Sales and Presales Final PDF


McAfee Web Gateway

MWG 101 for Partner


Hanoi April 14-15th 2020

Vu Ngoc Anh – SE, Vietnam


Intro to McAfee team

TA Dinh Duc
- Business Development Manager

HO Sing Lei (Host)
- Sales Engineer (Shared Services - Asia)

VU Ngoc Anh
- Sales Engineer (Vietnam)
Agenda – Day 1 (Sales) (Morning)
Start/End Time Module/Break Duration (mins)

09:30 01. Welcome & Introduction to MWG

02. MWG usecases / features / 3rd party integrations

03. Key Differentiators

04. SWG and Cloud Proxy Competitive landscape

10:25 – 10:40 Morning Break 15

05. Objection Handling / Customer references

06. Licensing (SKU and differences)

07. WGCS into Unified Cloud Edge (UCE)

Q&A with McAfee Sales

12:00 – 13:30 Lunch Break 90


Agenda – Day 1 (Tech) (Afternoon)
Start/End Time Module/Break Duration (mins)

13:30 – 15:00
08. Architecture Design considerations

09. McAfee Client Proxy and Content Security Reporter

10. Hybrid Deployment configuration / Site-2-Site VPN

15:00 – 15:20 Afternoon Break 20

11. MWG Partner resources & tools

12. Versioning, Sizing and BoM

13. POC best practices

Q&A with McAfee Presales


Agenda – Day 2 (Tech) (Morning)
Start/End Time Module/Break Duration (mins)

8:30 – 10:25 14. WGCS Management Setup and Authentication

15. Authentication & SSL inspection

More time 16. MWG Rules Engine

10:25 – 10:40 Morning Break 15

17. MWG troubleshooting / Rule tracing

Mdemo Walkthrough – Troubleshooting / rule tracing

Intro to MDemo for MWG (ILT request)

Web Protection Demo guide

12:00 – 13:30 Lunch Break 90


Agenda – Day 2 (Afternoon)
Start/End Time Module/Break Duration (mins)

Mdemo Lab – HTTPS scanning

Mdemo Lab – MCP & web gateway

Mdemo Lab – App control

15:00 – 15:20 Afternoon Break

Mdemo Lab – Enhanced URL filtering

Mdemo Lab – URL & media type filtering

Mdemo Lab – DLP

Mdemo Lab – ICAP Server

Self labs (1 scenario)


Rules of engagement

▪︎ Background & expectations


▪︎ Timings – please be punctual
▪︎ Q&A – Chat window (send to everyone / direct to McAfee team)
▪︎ Response might be delayed
▪︎ Questions will be compiled
▪︎ Mini polls
Training Objectives

▪︎ Basic knowledge of McAfee Web Gateway (MWG)


▪︎ Sizing information
▪︎ Bill of Materials (BoM)
▪︎ How to displace Competition (e.g. Bluecoat)
▪︎ Where to find resources
▪︎ How to use MDemo for rapid demonstration
Introduction to MWG
Web Protection Components
Web Gateway Cloud Service
▪︎ Globally available, true multi-tenant secure web gateway cloud service
▪︎ Ability to filter web traffic w/o deploying hardware on premise
▪︎ Allows branch offices to connect directly using IPsec
▪︎ Can be managed from the appliances in a hybrid deployment

McAfee Web Gateway Appliances


▪︎ On premise hardware or virtual appliances
▪︎ Unmatched flexibility for policy configuration to adopt enterprise business goals and principles and model these into an Internet access and security policy
▪︎ Ability to also manage Web Gateway Cloud Service in a hybrid deployment scenario

McAfee Client Proxy


▪︎ End user transparent and tamper resistant end point client that redirects traffic to appliances or the cloud
service
▪︎ Performs end user authentication and allows fully enforced scanning of web traffic
▪︎ Available on Windows Desktop, Server and macOS

Content Security Reporter


▪︎ ePO embedded reporting solution for Internet usage trending and policy enforcement reporting

McAfee Confidential
McAfee Secure Web Gateway
Addressing the key challenges in securing web traffic for hybrid clouds

Diagram labels:
▪︎ Public Cloud: SaaS | PaaS | IaaS
▪︎ Enterprise SDDC / Private cloud
▪︎ Remote Offices, Remote Users

Key challenges:
▪︎ Threat protection
▪︎ Efficient security operations
▪︎ Protection everywhere

McAfee Web Protection Multilayered Security
Enabling secure web connectivity for every device, user, and location

Layers around the Rule Engine:
▪︎ Security Integration: Increase efficacy and improve security operations through integration to sandbox, endpoint, threat intelligence exchange, SIEM, and more.
▪︎ Content Inspection: Filter unwanted URLs, categories, and media types
▪︎ Application Visibility and Control: Identify all cloud applications including shadow IT, then control both access and functionality
▪︎ SSL Scanning: Gain visibility into encrypted traffic and prevent hidden threats
▪︎ Data Protection: Control regulated data with pre-built dictionaries and encryption for cloud storage
▪︎ Anti-Malware: Stop both known and zero-day malware before it reaches its target

Traffic directions shown: Outbound Traffic, Inbound Traffic
MWG Features

▪︎ Filtering web traffic is a complex process. The key features of Web Gateway contribute to
this process in different ways.
▪︎ Interception of web traffic — Intercepting web traffic is a prerequisite for any filtering. It
is accomplished by the proxy functions of Web Gateway, which can be performed under
different network protocols, such as HTTP, HTTPS, HTTP2, FTP, XMPP, and others.
▪︎ Depending on what you configure, Web Gateway can run in explicit proxy mode or in one
of several transparent modes.
▪︎ Authentication — The authentication functions of Web Gateway check the authorization
of users, relying on information from internal and external databases and using
authentication methods such as NTLM, LDAP, RADIUS, Kerberos, and others.
▪︎ Web filtering — The anti-malware functions of Web Gateway scan and filter web traffic
and block web objects if they are infected.
Secure Web Gateway and CASB convergence
▪︎ Cloud Access Security Brokers: App Risk, API, Reverse Proxy, Identity, DLP, Malware
▪︎ Secure Web Gateways: App Control, Forward Proxy / Integrated Reverse Proxy, Identity, DLP, Malware
▪︎ Overlap: Synergic Efficiency Benefits
Wholistic Web Security
CASB and SWG are players in the same market: Web Security. But they cover different data paths.

SHADOW IT
▪ SWG becomes an enforcement point for a CASB Shadow IT setup
▪ CASB becomes the main control for SWG’s Application Policies
▪ Both provide unified reporting for risks and threats on applications

MALWARE PROTECTION
▪ SWGs cover bidirectional data exchanges with cloud apps and scan for malware
▪ CASB provides protection for data inside cloud applications, i.e. file sharing locations or storage

DATA PROTECTION
▪ SWG enables DLP protection for data in motion towards the app
▪ CASB closes the gap for data that cannot be scanned as part of data in motion

Current Methodology for Data Security

Endpoint | Network | Web | Cloud

▪︎ On-prem DLP. Gap: visibility or control of data in the cloud
▪︎ Web Protection. Gap: protection for mobile workforce. Gap: Cloud to Cloud traffic
▪︎ CASB. Gap: insights & policies not shared outside of Cloud

Added complexity, control gaps, and administrative overhead


CAN'T MOVE AT THE SPEED OF DIGITAL BUSINESS!

Converging CASB, DLP and Web

Endpoint | Network | Web | Cloud

Diagram labels: On-prem DLP, On-prem Web Gateway, SaaS Web Services, CASB, McAfee Unified Cloud Edge (UCE)
Gaps shown: insights & policies not shared outside of Cloud; visibility or control of data in the cloud

▪︎ Common policies & insights
▪︎ Merged business risk and threat database
▪︎ Unified incidents, workflows and investigations
▪︎ Closed-loop Remediation
▪︎ Tenant restriction for cloud app access
▪︎ Complete context awareness

McAfee Unified Cloud Edge (UCE)

Unified Management Console

Unified Security/DLP Controls

Unified Infrastructure
(Client, Forward Proxy, Reverse Proxy, data centers…)

MWG Key Differentiators
Key features
• Anti-Malware
• Two traditional AV engines (McAfee + Avira)
• Real-time GTI reputation on files, URLs, and IP addresses
• Real-time emulation with Gateway Anti-Malware (GAM) engine
• Full sandbox capabilities via Advanced Threat Defense (ATD) integration
• 3rd party integrations for sandboxing and browser emulation (Menlo)
• Policy Engine
• Scripting-like policy engine offers unbeatable granularity
• Lots of pre-built policy objects available to customer
• Basic view available for less technical audience
• Hybrid Story
• Tight policy and reporting integration
• Near 100% feature parity between cloud and on-prem
• Very robust cloud footprint with SLA of 99.999%

Highest Customer Satisfaction in the Industry
McAfee Web Gateway has the highest willingness to recommend in the industry

As of December 10, 2018

Highest Customer Satisfaction in the Industry
McAfee Web Gateway has the highest willingness to recommend in the industry

As of February 18, 2020

An Engine Built for the Internet

▪ Internet traffic requires an engine specialized for web traffic, as Internet traffic doesn’t match data seen on the endpoint.
▪ McAfee Gateway Antimalware specializes in Internet traffic and its Media Types.
▪ It applies behavioral, emulation-based detection and is powered by unattended machine learning techniques.

Top 10 Internet Media Types:
▪ application/x-empty
▪ text/plain
▪ image/gif
▪ image/jpeg
▪ text/html
▪ text/xml
▪ image/png
▪ multipart/mixed
▪ application/ocsp-response
▪ video/mp4

How Most Organizations Approach Web Threats
URL filtering and antivirus stop known threats, letting the rest hit endpoints and sandbox

[Chart: Input Quantity versus Depth of Inspection]
▪︎ WEB GATEWAYS: URL Category, URL Rep., AV. Filter Known Bad (~80% detected)
▪︎ Realtime Protection Gap
▪︎ SANDBOX: Dynamic Analysis. Sandbox (zero-day) (~20% detected)
▪︎ Latencies shown: ~.05ms, ~.08ms, ~8ms, ~90s

Speed and detection rates are test calculations. Actual figures will vary in each organization.
The McAfee Approach — Erase Zero-Days
Zero-day threat emulation stops nearly 20% more malware

[Chart: Input Quantity versus Depth of Inspection]
▪︎ MCAFEE WEB PROTECTION: URL Category, Reputation & Geolocation; File Rep.; AV; Gateway Anti-Malware
▪︎ MCAFEE ADVANCED THREAT DEFENSE: Dynamic and Static Analysis
▪︎ Filter Known Bad (~80% detected)
▪︎ Real-Time Behavioral Emulation (zero-day) (~19.5% detected)
▪︎ Sandbox/Reverse Engineering (zero-day) (~0.5% detected)
▪︎ Latencies shown: ~.05ms, ~.08ms, ~8ms, ~5ms, ~90s

Speed and detection rates are test calculations. Actual figures will vary in each organization.
Proven Security Efficacy
BACKGROUND
▪ Fortune 10 US corporation with worldwide network
▪ Existing competitive installation

30-Day POC Evaluation
▪ One sixth of web traffic sent to McAfee Web Protection after being scanned by existing solution

SCANNED
▪ 92 million URLs
▪ 346,000 websites and web objects

RESULTS
▪ 280,000 URLs categorized incorrectly by current proxy
▪ 50,000 URLs with unacceptable reputations
▪ 16,000 discrete web objects containing malware

OUTCOME
▪ 1,000 desktops saved from infection during POC
▪ Remediation costs: $150–$200 per desktop
▪ During POC: $150,000–$200,000 savings
▪ POC result: Prospect became a customer

Publishing to McAfee Threat Intelligence Exchange
Sharing the powerful zero-day detection capabilities of Gateway Anti-Malware

Diagram components: McAfee Threat Intelligence Exchange Server, McAfee Advanced Threat Defense, McAfee Network Security Platform, McAfee Web Protection, Internet, McAfee Global Threat Intelligence, Third-Party Feeds, Data Exchange Layer, McAfee Enterprise Security Manager, McAfee ePO™, McAfee Threat Intelligence Exchange Endpoint Modules

▪︎ Gateway Anti-Malware engine (GAM) detects zero-day malware in real-time using behavioral emulation
▪︎ Web Protection publishes the new reputation to Threat Intelligence Exchange immediately, providing a reputation for zero-day malware before a new .DAT is published
▪︎ Endpoints and other sensors are updated by Threat Intelligence Exchange
▪︎ Result: Proactive and efficient malware protection for the organization as soon as a threat is discovered
Consuming Threat Reputations from TIE
Expanding the intelligence of Web Protection in real-time

Diagram components: McAfee Threat Intelligence Exchange Server, McAfee Advanced Threat Defense, McAfee Network Security Platform, McAfee Web Protection, Internet, McAfee Global Threat Intelligence, Third-Party Feeds, Data Exchange Layer, McAfee Enterprise Security Manager, McAfee ePO™, McAfee Threat Intelligence Exchange Endpoint Modules

▪︎ Third-party intelligence feed or security solution discovers new malware and sends file reputation to SIEM. SIEM shares with TIE.
▪︎ The new file reputation is shared with Web Protection and the rest of the connected ecosystem, including endpoints
▪︎ Result: More threats are stopped at both the gateway and endpoint through the expanded intelligence of immediate threat information sharing
Polling Time!
What does GAM in our MWG capability stand for?

A. Gateway Advanced Machine-Learning
B. Granular Anti Malware
C. Gateway Anti Malware (signature-less, behavior malware
D. Just GAM
Break time until …
SWG and Cloud Proxy
Competitive Landscape
(Partners)
Common SWGs

▪︎ CISCO (OpenDNS)
▪︎ Symantec
What does Gartner say?
Gartner MQ

Strengths
• Strong malware protection
• MVISION Cloud offers strong CASB functionality
• ATD sandbox convictions are shared with endpoints
• Hybrid offering provides single-pane-of-glass for policy

Cautions
• Limited site-to-site VPN deployments in field
• No SaaS-based sandbox offering
• No ability to specify WGCS log storage location

Polling Time !
Do you think Sandbox is a key factor in efficacy for detection of
Malware?

A. Yes absolutely!
B. No.
C. What is a sandbox?
What do customers say?
Customers’ Choice Winners 2019

What about the competition?
Cisco (OpenDNS)

Strengths
• DNS filtering covers all traffic, generally
• Easy to deploy
• Integration with CloudLock gives risk and compliance
information

Weaknesses
• Cloud-based proxy solution is being phased out
• Customers generally deploy DNS filtering only which
leaves no in-line inspection of web requests

What about the competition?
Symantec

Strengths
• Largest market share in on-prem proxies
• Large breadth of protocol support
• Strong offerings for DLP, Web, and CASB
• Full-featured anti-malware capabilities with
sandboxing and browser emulation

Weaknesses
• Expensive
• Multiple boxes needed for full functionality
• Negative feedback on cloud service
performance

Objection Handling &
Customer References
(Partners)
“We are going to use the web filtering on our
Next Gen firewall”
▪︎ When using a Next Gen firewall:
• How will you protect off network devices?
• There is no true SSL inspection
• At best, very minimal anti-malware filtering & many do not go beyond reputation and AV for web-based
malware
• Scaling issues when “web protection” is enabled on the firewalls
• Very low granularity in policy definition

▪︎ McAfee:
• McAfee Client Proxy (MCP) is able to detect the location of the User and then automatically direct the web
traffic to on-premise appliances or a Cloud service
• Support for full SSL decryption, this is important as more traffic is encrypted via SSL
• Our Gateway Anti-Malware engine (GAM) provides nearly the same level of protection as leading sandboxes,
handles analysis in-line with traffic, and is part of the base solution
• On-premise and Cloud service are fully scalable
• On-premise and Hybrid policies granularity is best in class

GAM Datasheet: https://www.mcafee.com/us/resources/white-papers/restricted/wp-gateway-anti-malware-sets-bar.pdf


“Other vendors claim to have “advanced anti-
malware” capabilities, too”
▪︎ There is a difference between being effective and having the highest detection rates in
the industry for a web proxy (reference AVTest results).

▪︎ We don’t require additional appliances just to achieve protection beyond the basics.
Without adding a sandbox, for most vendors you’re stuck with just reputation and
signature based AV.
That’s not advanced anti-malware.

▪︎ Our Gateway Anti-Malware engine (GAM) provides nearly the same level of protection as
leading sandboxes, handles analysis in-line with traffic, and is part of the base solution.

GAM Datasheet: https://www.mcafee.com/us/resources/white-papers/restricted/wp-gateway-anti-malware-sets-bar.pdf

“Symantec is a leader in the Gartner Magic
Quadrant, ahead of McAfee”
▪︎ The Symantec product line is expensive, because it requires multiple components. Symantec is one
of the few vendors in this Magic Quadrant to charge extra for its reporting functionality and
management console.

▪︎ McAfee currently leads in areas of threat protection, information sharing across a broader security
infrastructure, centralized management across form factors, and integrated deployment
architecture.

▪︎ The McAfee Web Gateway Cloud Service is global. Web content can be delivered in local regional
language, and the cloud service architecture is also built to “peer” with the internet backbone at the
world’s largest internet exchange points (IXPs). This eliminates routing hops of intermediate
internet service providers (ISPs) which add latency to the connection.

▪︎ If security is the customer’s #1 priority, McAfee is the best choice. From a cost perspective,
assembling multiple appliances and license agreements with Symantec will add up to a more
expensive solution upfront, and on an ongoing basis to maintain.

“Blue Coat claims they will integrate with Symantec
Endpoint and deliver integrated security”

▪︎ Eventually Symantec will likely deliver this integration.

▪︎ Historically they have not been adept at integrating technology outside of their
portfolio, so the result and timing of release are very uncertain. Even once
integrated, the new Symantec—Blue Coat merged solution will lack the threat
intelligence orchestration of TIE, which is broader than just Web and Endpoint
Security.

▪︎ No other vendor has the orchestration capabilities of TIE across their entire
portfolio and 3rd party sources.

Customer References
$2.1M SWG business
~135K employees, 70K using cloud
>40 global offices

~$150k Web Renewal


5000 Seats Licensed
$14 Billion in capital
>40 offices worldwide
An Example Customer Case Study Review
McAfee Solutions
▪ McAfee® Advanced Threat Defense

▪ McAfee Endpoint Security

▪ McAfee Enterprise Security Manager, McAfee Enterprise Log Manager, McAfee Event
Receiver

▪ McAfee Investigator

▪ McAfee Threat Intelligence Exchange

▪ McAfee Data Loss Prevention (McAfee DLP)

▪ McAfee Endpoint Threat Defense and Response

▪ McAfee Web Gateway

▪ McAfee Professional Services


Licensing
(SKU & differences)
What Should I Sell in McAfee Web Security?
What Should I Sell in MVISION Unified Cloud Edge?
What Should I Sell for Existing McAfee Web Security
or MVISION Cloud Customer?
Web Gateway Cloud
Service
WGCS - Web Gateway Cloud Service
Highlights

▪︎ Increased to 52 points of presence from 7


▪︎ Peering re-architecture
▪︎ 99.999% SLA for inline traffic data path availability
▪︎ Local internet content in 20+ languages
▪︎ New Global Routing Manager (GRM) provides dynamic POP failover
to nearest, fastest point of presence in milliseconds
▪︎ New micro-pop design provides high-availability through on-demand, elastic capacity increases in just 15 minutes
Our commitment, our SLA
Your need: Undisrupted usage of the Internet, every second, every day, every month
Our commitment: 99.999% availability of the inline data path

Inefficient and Costly Architecture
Traffic backhaul drives unnecessary cost

Main Office Remote Office Remote Office Mobile User


Appliance (vm/hw) Appliance (vm/hw) MPLS Circuit VPN Tunnel

MPLS/VPN backhaul: all traffic


Immediately Reduce Backhaul Costs
Route external web traffic through the cloud

Main Office Remote Office Remote Office Mobile User


Appliance (vm/hw) / Tunnel to Cloud    Appliance (vm/hw) / Tunnel to Cloud    MPLS Circuit    VPN Tunnel

MPLS/VPN backhaul: all traffic


Component Architecture
Top level components and how they interact

Business Platform Service AD Connector


PROVISION USERS

GROUPS

ePO Cloud
Internet

POLICY
WEB TRAFFIC

Reporting Backend

POLICY WEB TRAFFIC


Internet
WGCS PoPs WGCS Backend
Connect Endpoints Directly to the Cloud
McAfee Client Proxy travels with the client everywhere

McAfee Client Proxy

▪ Location-aware agent provides consistent protection on and off-network
▪ Windows & macOS
▪ Browser agnostic, port-level routing
▪ Transparent user/group authentication
▪ Identifies process name generating web requests
▪ Included in ENS10.5 *

* Web Protection License also required

Diagram labels: MCP (On-network), MCP (Off-network)


After - Direct to Cloud

• Reduced MPLS cost (minimal traffic)
• Appliances no longer mandatory
• Expanded and simplified security management with UCE
• SD WAN options – centralized and secured traffic routing

Diagram labels: Open Internet; SaaS; Direct Internet for Office 365 and Open Internet; Optional WAN Edge; Dallas, Mobile, HQ, Chicago

Unified Cloud Edge Architecture

Global Threat Intelligence

Web Gateway Cloud Service MVISION Cloud

WAN Edge Infrastructure Players

VPN
Network DLP Web Gateway Sandboxing

DLP Endpoint

Endpoints Endpoints Endpoints

MAJOR CAMPUS REMOTE USERS BRANCH OFFICE


(SWG Appliances) (MCP, PAC, others) (SD-WAN/Direct Internet Breakout)

Polling Time !
What is our SLA commitment for our web proxy service?

A. 99%
B. 99.9%
C. 99.99%
D. 99.999%
Q&A with McAfee PreSales
https://www.surveymonkey.com/r/YYWX98S
Thank you.
