McAfee ePO: What does it do?

UnixGuy (Are we having fun yet?) Mod Posts: 4,281
I'm just trying to understand this product, what it does, and how it is being used by organizations. Read through the website and got lost!
McAfee ePolicy Orchestrator - ePO | Intel Security Products

Can anyone explain to me what it is exactly? Do you use it? What for?

Pros/cons?

Your personal experience and recommendations?

Appreciate your help :)
Certs: GPEN, GCFA, CISM, CRISC, RHCE
In Progress: MBA

Comments

  • whiteskies Member Posts: 32
    I just did a 5 second google search and I didn't find much detail, just a brief overview. I will say that the best way in my opinion to learn about the product is to attend training online (FedVTE) or one of the regular classes. I would assume that your organization would have to send you to the class. I am going to give you some modules that encompass McAfee:
    -DLP (Data Loss Prevention)
    -RSD (Rogue System Detection)
    -VSE (Virus Scan Enterprise)
    -Asset Baseline Monitor
    -HIPS
    -Policy Auditor

    I might have missed one or two but I am just giving you a brief, very brief write up:
    MA (McAfee Agents) are installed on a node. The node sends events to the ePO. Within the ePO you can manage, install, push, etc. to the agent/node. It's a little bit more detailed than that but it's 1:18am. Different organizations use different modules...it all depends. Most organizations have several of the foundational modules installed. Let's use DLP for example, that prevents/alerts if someone plugs in a thumb drive. Rogue System Detection for example will have systems fall into that particular folder for a number of reasons. Some reasons could be the agent or lack of, and even the IP of the system that doesn't relate to the IP ranges for the customers already in the ePO.

    I feel it's like a bundle of security off the shelf all-in-one product. Not saying it's an "all you need" in terms of Security but it does have some great capabilities. I am neutral on it personally. I can't speak for Australia but in the US it's very common, so common it's mandatory for every computer in the ................... Asset management is great, well beyond great. I can run a query for every system that has Windows Server 2008 or Windows Server 2008 R2. I can run queries for IP address or hostnames or 75 other different kinds of queries. I don't think you'll find anything better as far as asset management goes. I could talk for days but I am not getting paid for this and you didn't look hard enough on the internet, you just wanted the answer. Truth be told I blindly found the McAfee Knowledge Base online and acted like I didn't know it existed, just from typing in McAfee Modules in the search field.

    Cons, I am neutral. Neutral because I was one of the primary McAfee Admins where we handled the agents that reported to several of the ePOs around the world. I handled all of the McAfee issues for an entire branch of the Military, not just some guy/gal who has 500 systems and one ePO and thinks they are an SME. Truth be told the one con would be that not every application is McAfee friendly. McAfee doesn't get along (initially) with a lot of other programs running on the systems or getting installed.

    Recommendations, well I would need more info. You're not buying this for your home lab. So, if you're asking from a business standpoint is it a great investment? Yes. I have dealt with similar products from different vendors and I am standing by McAfee. You'll see it installed in the government sector. I can speak for the private sector; what I just told you wasn't anything you could not have found out online.
  • UnixGuy (Are we having fun yet?) Mod Posts: 4,281
    Thanks for the write up. I know what each module does (from different vendors), just wanted to see how they all work together in one box....and how it's being used.

    I understand that there is information on the Internet (lol?), I just wanted the perspective of someone who actually used it, and you have, so cheers for the write up.
    Certs: GPEN, GCFA, CISM, CRISC, RHCE
    In Progress: MBA
  • 636-555-3226 Member Posts: 976
    McAfee ePO is the master console that manages all of McAfee's security offerings in one place. Geared at medium- to large-enterprises.
  • Mike-Mike Member Posts: 1,860
    I watched a YouTube video on it; what I gathered was ePO helped you write the actual policy that the rest of the suite uses. Seemed to make it super simple.
    Currently Working On

    CWTS, then Wireshark
  • joneno Member Posts: 257
    UnixGuy, as a security guy I use ePO every day. I'll give you a comprehensive/high level overview after our holiday party today. :D
  • chrisone Senior Member Posts: 2,218
    UnixGuy wrote: »
    I just wanted the perspective of someone who actually used it, and you have, so cheers for the write up.

    I use it every day along with Intel McAfee SIEM. I think most enterprises have some form of SIEM system in place. We use both McAfee ePO and SIEM. I am not a pro at ePO as the SIEM takes most of my time along with other security related tasks. I was able to read and dissect the PDFs (300+ pages) on these products and you can learn a vast amount of information on ePO and the modules and be pretty proficient with day to day tasks and installs. I would suggest you read the PDFs from the knowledge base and if you feel fuzzy about anything search the community forums. Also check out YouTube tutorials etc. Only then, if you feel like things are not sticking, take some form of course. NETEXAM has some OK online e-learning courses for $200. I do not know how good they are but if it helps reinforce the material it should be worth $200. Let's face it, that is not much money for any IT related online course. NETEXAM is from Intel/McAfee.

    Anyways we use pretty much the same modules that whiteskies mentioned, I think most companies buy the same bundles most of the time. We are playing with FRP and HIPS right now. Am I going to take a course? Nope, going to the knowledge base, grabbing the PDFs (150+) for each and knocking them out to have a familiarity with the product. Then I will check out some YouTube and online community tutorials. I will contact support as well if I get stuck somewhere. I say be proficient and do as much as you can on your own research and efforts before asking your employer for a 2-4k class that might just show you the basics anyways.

    Knowledge base: (select product on the left hand side first, then version, product guide, best practice, configuration, etc.) The most detailed information is in the "product guides."
    https://support.mcafee.com/ServicePortal/faces/knowledgecenter?startover=true

    NETEXAM:
    https://mcafee.netexam.com/catalog.html#center-panel:main-ui-training

    ePO product guide:
    https://kc.mcafee.com/agent/index?page=content&id=PD25504&actp=null&viewlocale=en_US&showDraft=false&platinum_status=false&locale=en_US

    Online Community:
    https://community.mcafee.com/welcome
    Certs: CISSP, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, AZ-900, VHL:Advanced+, Retired Cisco CCNP/SP/DP
    2021 Goals
    Courses: eLearnSecurity - PTXv2 (complete), SANS 699: Purple Team Tactics (completed), PentesterLabs Pro (ongoing)
    EnCase Courses: DF120 (in progress), DF210, DF310
    Certs: AZ-500, SC-200 (fail 1st attempt), EnCE, Splunk Core Power User (obtained), Splunk Enterprise Sys Admin
  • joneno Member Posts: 257
    Thanks Chrisone for the follow up. I've used McAfee ePO, VirusScan, endpoint encryption, HDLP, NDLP and SIEM. IMHO I'm not a fan of their SIEM product; luckily my new position requires me to learn QRadar. Anyways, back to the question, Chrisone mentioned and posted some good resources for you. The Netexam training is an O.K. training for 200 if you ask me (I paid for the training years ago), although you can find a lot of the same material online and on YouTube.
    Pros:
    1. Easy administration of endpoints and systems from the ePO console.
    2. Integration with AD makes life easy.
    3. McAfee support service is also nice.
    Cons:
    1. Lots of false positives...gotta keep tuning.
    2. ePO might be slow and resource intense.

    Others can chime in here - Thanks!
  • UnixGuy (Are we having fun yet?) Mod Posts: 4,281
    You are legends, all of you. THANK YOU
    Certs: GPEN, GCFA, CISM, CRISC, RHCE
    In Progress: MBA
  • JockVSJock Member Posts: 1,118
    I'm being told by higher-ups that I have to have McAfee ePO installed on all RHEL servers that I manage. However, most of the info that I see is for Windows and not Linux, and when I interact with the support team they aren't really sure what to do, how many resources ePO will need, or how to troubleshoot. For example, will I need to set up a service account to run the processes related to McAfee ePO? I'm going to install on a test server that I use for patching and see how that goes.

    I did check out the FedVTE content and I've already watched the McAfee ePO for Managers course, and I want to watch the technical videos; however, I'm going to have to make time for them (they are 32 hours each and there are two of them!). And they are probably geared towards Windows Servers.

    Thanks for the writeup and any more info on what I can expect or how to prepare my servers for the install will help.
    ***Freedom of Speech, Just Watch What You Say*** Example, Beware of CompTIA Certs (Deleted From Google Cached)

    "It's easier to deceive the masses than to convince the masses that they have been deceived."
    -unknown
  • 27PAYBACK Member Posts: 5
    I went through the 1st 32 hour course. Damn, it's a lot of info.
    You must have either a Mil/Gov account to access certain modules, such as these.
    I'm going to start the ArcSight admin next month...
  • renacido Member Posts: 387
    JockVSJock wrote: »
    I'm being told by higher-ups that I have to have McAfee ePO installed on all RHEL servers that I manage.

    Thanks for the writeup and any more info on what I can expect or how to prepare my servers for the install will help.

    ePO is the central management server/console for Intel Security (McAfee) complete enterprise endpoint security. So you'd stand up an ePO server or cluster of servers depending on the scale of your environment, a DB server (or an instance, if you already have adequate resources on a SQL server), one or more agent handlers, and the rest of your servers and workstations would get the McAfee Agent. So hopefully your higher-ups know only the agent will be on "all the servers".

    It's very robust but requires significant time and technical resources to deploy and manage. It is not a "turn-key" security solution (none really are).
  • chrisone Senior Member Posts: 2,218
    Also, you just don't "install" the product on all your servers at once. You will need a phased approach. You should target non-critical servers first, see how they react to the product (monitor CPU, disk seek times, memory, latency, etc.), then move on to other areas of the network. You can really impress management here if you are able to write out the project first, in a phased approach with timelines and goals.

    Have fun! :)
    Certs: CISSP, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, AZ-900, VHL:Advanced+, Retired Cisco CCNP/SP/DP
    2021 Goals
    Courses: eLearnSecurity - PTXv2 (complete), SANS 699: Purple Team Tactics (completed), PentesterLabs Pro (ongoing)
    EnCase Courses: DF120 (in progress), DF210, DF310
    Certs: AZ-500, SC-200 (fail 1st attempt), EnCE, Splunk Core Power User (obtained), Splunk Enterprise Sys Admin
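The "monitor CPU, memory" step of the phased rollout chrisone describes is easier to defend to management with numbers than with impressions. As an added example (not code from the thread, and not McAfee's own tooling), the POSIX shell script below samples a named process on a pilot RHEL host with procps `ps`, appends one line per sample to a log, and then checks that log against CPU and memory limits so the pilot phase ends with a list of the samples that broke the limits and the peak CPU seen. The process name `agent-placeholder` is an assumption to be replaced with whatever the agent's process turns out to be called, and the embedded sample log is constructed data, not real measurements.

```shell
#!/bin/sh
# Added example, not from the thread or from McAfee: pilot-host resource check
# for a phased agent rollout. Assumes a Linux host with procps `ps`.
# AGENT_PROC is an assumption; replace it with the real process name.

AGENT_PROC="${AGENT_PROC:-agent-placeholder}"

# sample_agent LOGFILE: append one line per matching process:
#   <epoch-seconds> <pid> <%cpu> <%mem> <comm>
# Run it from cron or a loop on the pilot server for a few days before
# widening the rollout, then feed the log to the two checks below.
sample_agent() {
    log="$1"
    now=$(date +%s)
    ps -C "$AGENT_PROC" -o pid=,%cpu=,%mem=,comm= 2>/dev/null \
        | awk -v t="$now" '{ print t, $1, $2, $3, $4 }' >> "$log"
}

# count_hot_samples CPU_LIMIT MEM_LIMIT: read sample lines on stdin, print to
# stdout how many exceed either limit, and echo the offending lines to stderr
# so they are easy to line up with the patch/update windows on the host.
count_hot_samples() {
    cpu_limit="$1"; mem_limit="$2"
    awk -v c="$cpu_limit" -v m="$mem_limit" '
        ($3 + 0) > c || ($4 + 0) > m { print "HOT:", $0 > "/dev/stderr"; n++ }
        END { print n + 0 }
    '
}

# peak_cpu: print the highest %cpu seen in the samples on stdin (0 if none).
peak_cpu() {
    awk 'BEGIN { p = 0 } ($3 + 0) > p { p = $3 + 0 } END { print p }'
}

# Constructed sample log (not real measurements) so the checks run offline:
# four one-minute samples, one CPU spike and one memory spike.
SAMPLE_LOG='1700000000 4242 1.5 0.8 agent-placeholder
1700000060 4242 2.1 0.9 agent-placeholder
1700000120 4242 37.4 1.0 agent-placeholder
1700000180 4242 3.0 6.5 agent-placeholder'

# Usage: sh pilot_check.sh --demo   (runs the checks on the constructed log)
if [ "${1:-}" = "--demo" ]; then
    echo "hot samples (cpu>25 or mem>5): $(printf '%s\n' "$SAMPLE_LOG" | count_hot_samples 25 5)"
    echo "peak cpu: $(printf '%s\n' "$SAMPLE_LOG" | peak_cpu)"
fi
```

On a real pilot you would call `sample_agent /var/tmp/agent-samples.log` on a schedule and run `count_hot_samples 25 5 < /var/tmp/agent-samples.log` at the end of the phase; the limits are arbitrary starting points and should be set from the host's own baseline taken before the agent was installed.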
  • scaredoftests (Security+, ITIL Foundation, MPT, EPO, ACAS, HTL behind you) Mod Posts: 2,781
    In my opinion, it is too much of a resource hog. It is also a lot of fun to do updates/patches (esp. Java) on servers when you keep having to disable the scanner.
    Never let your fear decide your fate....