Trellix ESM

Developed by Trellix

Security Insights for Proactive Detection

By integrating Mimecast with Trellix ESM, organizations can analyze and investigate reported phishing attempts in minutes, stopping attacks before malicious actors can gain momentum in the network. Security teams save time through an accelerated onboarding process, an intuitive dashboard that cuts detection time for cyber attacks, and full visibility into the kill chain for proactive response.

Solution Overview

1. Emails received by Mimecast are passed through a series of hygiene scanning techniques to ensure that they are safe before delivery to the recipient.

2. Email intelligence provided by Mimecast is sent to Trellix for normalization.

3. Trellix uses the email intelligence to alert analysts and add context to data from other sources.

Mimecast + Trellix Use Cases:

Mimecast data ingested into Trellix ESM adds data and context that aid the following use cases:

Phishing

A phishing email is delivered and the user clicks the link. Mimecast identifies the link as malicious at click time and blocks the user's access. The SIEM ingests email telemetry from Mimecast, including URL logs, analyses the phishing link for additional IOCs, and identifies 10 matching emails. The analyst runs the remediation process to remove the malicious emails.
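The pivot in this use case, from one blocked click to every delivered message carrying the same indicator, is shown below as an added example. It is not Mimecast's or Trellix's code, and the event records, field names (`scanResult`, `action`, `urls`, `messageId`) and addresses are constructed for illustration rather than taken from Mimecast's real log schema. The point it adds is the normalization step: the query string is dropped before matching, so per-recipient tracking parameters on the same phishing link do not hide sibling emails, and a second, looser match on the hostname surfaces messages that use a different path on the same attacker-controlled host.

```python
from urllib.parse import urlsplit

# Constructed sample telemetry (assumed field names, not Mimecast's real schema).
# URL-protect events: what happened when a user clicked a rewritten link.
URL_PROTECT_EVENTS = [
    {"time": "2024-05-01T09:12:03Z", "user": "alice@example.com",
     "url": "https://Invoice-Portal.example.net/login?id=77",
     "scanResult": "malicious", "action": "block"},
    {"time": "2024-05-01T09:15:40Z", "user": "bob@example.com",
     "url": "https://www.example.com/docs",
     "scanResult": "clean", "action": "allow"},
]

# Receipt / message-tracking events: every delivered mail and the URLs it contained.
RECEIPT_EVENTS = [
    {"time": "2024-05-01T08:58:11Z", "messageId": "<m1@mail.example.net>",
     "recipient": "alice@example.com", "sender": "billing@invoice-portal.example.net",
     "urls": ["https://invoice-portal.example.net/login?id=77"]},
    {"time": "2024-05-01T08:58:12Z", "messageId": "<m2@mail.example.net>",
     "recipient": "carol@example.com", "sender": "billing@invoice-portal.example.net",
     "urls": ["https://invoice-portal.example.net/login?id=78"]},
    {"time": "2024-05-01T08:59:02Z", "messageId": "<m3@mail.example.net>",
     "recipient": "dave@example.com", "sender": "billing@invoice-portal.example.net",
     "urls": ["https://invoice-portal.example.net/reset"]},
    {"time": "2024-05-01T09:01:45Z", "messageId": "<m4@mail.example.net>",
     "recipient": "erin@example.com", "sender": "news@example.org",
     "urls": ["https://www.example.com/docs", "https://example.org/blog"]},
]


def normalize(url):
    """Reduce a URL to (host, path): scheme, port, query and fragment are dropped.

    Phishing kits commonly vary only the query string per recipient, so matching
    on the bare host+path is what lets one blocked click find its siblings.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    path = parts.path.rstrip("/") or "/"
    return host, path


def iocs_from_blocks(events):
    """Extract IOCs from URL-protect events that Mimecast marked malicious and blocked.

    Returns (exact, hosts): exact is a set of (host, path) pairs, hosts the set of
    hostnames, used as a second, looser indicator.
    """
    exact, hosts = set(), set()
    for ev in events:
        if ev.get("scanResult") == "malicious" and ev.get("action") == "block":
            host, path = normalize(ev["url"])
            exact.add((host, path))
            hosts.add(host)
    return exact, hosts


def find_matching_messages(receipts, exact, hosts):
    """Pivot the IOCs into delivered-mail records.

    Returns {messageId: {"recipient", "time", "match"}} where match is "exact"
    for the same host+path or "host" for another path on the same host.
    """
    hits = {}
    for rec in receipts:
        best = None
        for url in rec.get("urls", []):
            host, path = normalize(url)
            if (host, path) in exact:
                best = "exact"
                break
            if host in hosts:
                best = "host"
        if best:
            hits[rec["messageId"]] = {"recipient": rec["recipient"],
                                      "time": rec["time"], "match": best}
    return hits


def remediation_plan(url_events=URL_PROTECT_EVENTS, receipts=RECEIPT_EVENTS):
    """List of (messageId, details), oldest first, for the analyst to remove."""
    exact, hosts = iocs_from_blocks(url_events)
    hits = find_matching_messages(receipts, exact, hosts)
    return sorted(hits.items(), key=lambda kv: kv[1]["time"])


if __name__ == "__main__":
    for message_id, details in remediation_plan():
        print(f"{details['time']}  {details['match']:5}  {details['recipient']:20}  {message_id}")
```

Run as a script it lists the three messages to pull (m1 and m2 as exact matches, m3 as a host match); m4 is untouched because its only overlap with the blocked click is a clean URL. In a real deployment the two inputs would be the Mimecast URL-protect and receipt log feeds already normalized in the SIEM, and the "host" matches should be reviewed before bulk removal, since a shared hosting domain would make that indicator too broad.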

Compromised Accounts

The SIEM triggers an alert based on suspicious user behavior. It enriches the indicators from the alert against Mimecast and web security data, looking for URL events, and finds events relating to malicious URLs in both. The analyst resets the user's credentials.

Lateral Movement

A user's laptop is connected to open Wi-Fi and infected with malware that phones home to a C&C server. The attacker uses it as a foothold to propagate the malware via email. Mimecast identifies the malware, blocks the email and removes it from user inboxes. The SIEM correlates events from endpoint agents with email activity to build a full timeline and the TTPs of the incident. The analyst quarantines the laptop and creates a firewall deny rule for the C&C server IP address.

Key Benefits

1. Improve Visibility - Gain visibility into threats that start with email.

2. Enhance Intelligence - Correlate email-borne attacks with events observed in other security systems and leverage Trellix ESM (formerly McAfee ESM) advanced analytics to help detect and prioritize threats.

3. Get ahead of attacks - Use email activity data to spot anomalies that could be a leading indicator of an attack.
