Dynamic Endpoint Security 3 - Data Exchange Layer and Threat Intelligence Exchange

Version 14


    Prerequisites

    Before continuing with this section, please ensure you have met the following prerequisites:

     

    Setting Up DxL & TIE

    Download the following packages with your grant number from the McAfee Downloads Site: McAfee Downloads

     

    VirusScan Enterprise 8.8

    You will need the following:

    • Extensions
      • McAfee DXL Broker Management (DXLBrokerMgmt_2.0.1_Build_162_Package_1_(ENU-LICENSED-RELEASE-MAIN).zip)
      • McAfee DXL Client for ePO (DXLClient_2.0.1_Build_140_Package_1_(ENU-LICENSED-RELEASE-MAIN).zip)
      • McAfee DXL Client Management (DXLClientMgmt_2.0.1_Build_140_Package_1_(ENU-LICENSED-RELEASE-MAIN).zip)
      • McAfee TIE Server Extension (TIEServerMgmt_1.2.1_Build_236_Package_1_(ENU-LICENSED-RELEASE-Main).zip)
      • Threat Intelligence Exchange module for VSE (TIEm_1.0.1_Build_140_Package_1_ENU_LICENSED_RELEASE_MAIN.zip)
    • Packages
      • Data Exchange Layer Client (DXL_2.0.1_Build_162_Package_1_(ENU-LICENSED-RELEASE-MAIN).zip)
      • Threat Intelligence Exchange module for VirusScan Enterprise (JTICAgent.zip)
    • Other
      • Threat Intelligence Exchange Server (TIEServer_1.2.1.236.x86_64-MAIN.ova.zip)

     

    Endpoint Security 10.1

    You will need the following:

    • Extensions
      • McAfee DXL Broker Management (DXLBrokerMgmt_2.0.1_Build_162_Package_1_(ENU-LICENSED-RELEASE-MAIN).zip)
      • McAfee DXL Client for ePO (DXLClient_2.0.1_Build_140_Package_1_(ENU-LICENSED-RELEASE-MAIN).zip)
      • McAfee DXL Client Management (DXLClientMgmt_2.0.1_Build_140_Package_1_(ENU-LICENSED-RELEASE-MAIN).zip)
      • McAfee TIE Server Extension (TIEServerMgmt_1.2.1_Build_236_Package_1_(ENU-LICENSED-RELEASE-Main).zip)
      • Threat Intelligence Exchange module for ENS (Threat_Intelligence_module_10_1_0_129_extension.zip)
    • Packages
      • Data Exchange Layer Client (DXL_2.0.1_Build_162_Package_1_(ENU-LICENSED-RELEASE-MAIN).zip)
      • Threat Intelligence Exchange module for ENS (Threat_Intelligence_10_1_1_101_1_module.zip)
    • Other
      • Threat Intelligence Exchange Server (TIEServer_1.2.1.236.x86_64-MAIN.ova.zip)

     

    *Note: If you are using a mixed environment, with both ENS & VSE, use the extension for ENS.

     

    Installing the DxL & TIE ePO Extensions

     

    In your ePO Console, go to Menu | Software | Extensions

    Click on Install Extension at the top and install the extensions in the following order:

    ePO_install extension.png

    1. DXLBrokerMgmt_2.0.1_Build_162_Package_1_(ENU-LICENSED-RELEASE-MAIN).zip
    2. DXLClient_2.0.1_Build_140_Package_1_(ENU-LICENSED-RELEASE-MAIN).zip
    3. DXLClientMgmt_2.0.1_Build_140_Package_1_(ENU-LICENSED-RELEASE-MAIN).zip
    4. Endpoint Module Extension:
      1. For VSE: TIEm_1.0.1_Build_140_Package_1_ENU_LICENSED_RELEASE_MAIN.zip
      2. For ENS: Threat_Intelligence_module_10_1_0_129_extension.zip
    5. TIEServerMgmt_1.2.1_Build_236_Package_1_(ENU-LICENSED-RELEASE-Main).zip

     

    Checking in the DxL & TIE Client Packages

     

    In the ePO Console, go to Menu | Master Repository and click on Check In Package

    Master Repo.png

    Select Product or Update (.ZIP) as the package type, select the package, and click Next.

    TIE_Package Checkin.png

     

     

    Installing the TIE/DxL Combo Box

    After the extensions and packages are installed in ePO, it's time to install the TIE/DxL combo box for the PoC: a single virtual appliance that runs both the TIE server and the DXL broker. Here are the production requirements for the server:

    • 8 vCPU
    • 16 GB RAM
    • 116 GB HDD

     

    If you are using the VMware vSphere Client, select File | Deploy OVF Template

    deploy.png

    If you are using the vSphere Web Client, click Actions | Deploy OVF Template

    VMware_deploy_ovf.png

     

    Browse to the location of the TIEServer_1.2.1.236.x86_64-MAIN.ova file on your computer, and then click Next. Complete the steps in the wizard, accepting the default values. As noted above, the OVA (VMware image) is pre-configured with 16 GB of RAM and 8 vCPUs, and the ESXi host must be able to accommodate this configuration.

    TIEserver_deploy.png

    The first time you power on the virtual machine and open the console, you will see the End User License Agreement. Press Enter several times to page through it, then press Y to accept and begin the installation.

    l1.png

    Create a root password for the Threat Intelligence Exchange virtual server. The password must be at least nine characters. Press Y to create it. This is the appliance's root account, so choose a long, unique password and store it in your password vault.

    l2.png

    The operational account has limited (non-root) permissions. Enter an Account Name, Real Name, and Password. Use the Tab key to move to the next field. When finished, press Y to continue.

    l3.png

    Only one option appears on this page; enter N to continue. *Note: N is the only way to move forward. When only one option is present, Tab and Enter do not work.

    l4.png

     

    Select DHCP or Manual IP address configuration. Enter D for DHCP or M for Manual.  If you select Manual, enter the remaining information.

    When finished, enter Y to continue.

    l5.png

    Enter the Hostname and Domain Name (if applicable) of the computer where you are installing the Threat Intelligence Exchange server appliance.

    Enter Y to continue.

    l6.png

    Enter up to three Time Servers to synchronize the time of the Threat Intelligence Exchange server. Use the default servers listed, or enter the address for up to three servers.

    Enter Y to continue.

    l7.png

    Enter the IP address or fully qualified domain name, port, and account credentials for your McAfee ePO server.

    Enter Y to continue.

    Note: The ePO server must be reachable from the appliance at this point, because the installer now configures the McAfee Agent and registers it with ePO using the account you entered.

    l8.png

    Enter the ePO Agent Wake-up Port.  The default is 8081.

    Enter Y to continue

    l9.png

    Select the services to run on the Threat Intelligence Exchange server. Enter Y for both DXL Broker and TIE Server.

    Enter Y to continue.

    m1.png

    Enter M for configuration.  Enter Y to continue.

    m2.png

     

    The Read-Only Account lets McAfee ePO query the Threat Intelligence Exchange server's PostgreSQL database. You will enter these credentials under Registered Servers in ePO in a later step so that ePO can connect to the TIE database and pull its data for reports and dashboards.

    Enter the Read-Only Account Name and Password. Enter Y to continue.

     

    Note: the password may only use the following characters: a-z A-Z 0-9 ~@#$%^_+=-

    m3.png
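    As an added example (not code from the original page or from McAfee), the following Python helper generates a read-only account password that uses only the characters the installer accepts, and vets a password you already have, such as one produced by your password vault, for characters the setup screen will refuse. Password managers commonly emit symbols such as ! & * or quotes by default, which this screen rejects. The 20-character default length and the nine-character minimum (borrowed from the root-password rule above) are this example's own choices; the installer's minimum for this account is not stated on the page.

```python
"""Generate or vet a TIE read-only database password for the installer's character rules.

Added example, not code from the original page or the McAfee product. The setup
screen accepts only a-z A-Z 0-9 ~@#$%^_+=- for this password; the length defaults
below are this example's own choice, not an installer requirement.
"""
import re
import secrets
import string

TIE_SYMBOLS = "~@#$%^_+=-"
TIE_ALLOWED_CHARS = string.ascii_letters + string.digits + TIE_SYMBOLS
_ALLOWED_RE = re.compile(r"[A-Za-z0-9~@#$%^_+=\-]+")


def rejected_characters(password: str) -> set:
    """Characters the installer will refuse, e.g. in a value a password manager generated."""
    return {c for c in password if c not in TIE_ALLOWED_CHARS}


def is_valid_tie_password(password: str, min_length: int = 9) -> bool:
    """True if every character is installer-accepted and the length meets min_length."""
    return len(password) >= min_length and _ALLOWED_RE.fullmatch(password) is not None


def generate_tie_password(length: int = 20) -> str:
    """Cryptographically random password drawn only from the accepted character set.

    Redraws until letters, digits and symbols are all present, so the result is never
    a single character class (the installer itself does not demand this).
    """
    if length < 3:
        raise ValueError("length must be at least 3 to hold all three character classes")
    while True:
        pw = "".join(secrets.choice(TIE_ALLOWED_CHARS) for _ in range(length))
        if (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)
                and any(c in TIE_SYMBOLS for c in pw)):
            return pw


if __name__ == "__main__":
    print(generate_tie_password())
```

    Run it with no arguments to print a fresh password, or call rejected_characters() on a vault-generated value before pasting it into the setup screen so you learn about a bad symbol before the installer does.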

    Specify the DXL Broker Port that the Data Exchange Layer uses. Use the default port 8883, or enter a port number within the range shown. Every DXL client, including the endpoints, connects to the broker on this port, so it must be reachable from the managed systems.

    Enter Y to continue.

    m4.png

    Do nothing on this page.  TIE Server setup is complete.

    m5.png

     

    Registering the TIE server in ePO

    To view TIE database information in McAfee ePO reports and dashboards, create a new registered server.

    In McAfee ePO, click Menu | Configuration | Registered Servers, then click New Server.

    In the Server type drop-down list, select Database Server. Enter a Name, for example "TIE Server", and then click Next.

     

    TIE_register1.png

    • Database Vendor: select TieServerPostgres.
    • Host name or IP address: enter the host name or IP address of the system where you installed the TIE server.
      • Note: If you use the host name, make sure it resolves in DNS. The TIE server is a Linux appliance and does not register itself in DNS when it is created, so add the record manually.
    • Database name: enter "tie". Note: this value is case sensitive.
    • User name and password: enter the read-only PostgreSQL user name and password you specified on the PostgreSQL Read-Only Account Setup page during the TIE server installation.
    • Click Test Connection to verify the connection information and user credentials. If the test fails, re-check the credentials and make sure no firewall rule blocks traffic between the ePO server and the TIE server. Note that these are two different flows: the McAfee Agent on the TIE server may have registered with ePO successfully (agent-to-server traffic to ePO on port 443), while ePO still cannot reach the TIE server's PostgreSQL database on TCP 5432 (or the custom port, if you changed it), so check that path separately.

    If you still cannot connect, SSH into the TIE server and run the following command to see whether your ePO server's IP address appears in the rules that allow remote PostgreSQL connections (PostgreSQL evaluates pg_hba.conf top to bottom and applies the first matching rule, so an earlier, broader rule can override the ePO entry):

    tail /data/tieserver_pg/pg_hba.conf

    You should see something like the following:

    TIE_registered_servers.png

    TIE_register2.png
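    As an added example (not code from the original page or from McAfee), the following Python script reads a pg_hba.conf and answers the question the tail command above leaves to the eye: which rule, if any, applies to the ePO server's address, and does it admit or reject the connection. It handles the details that trip people up: PostgreSQL uses the first matching rule, the address column can be written as CIDR or as address plus a separate netmask, and hostssl/hostnossl rules only apply to the matching connection type. The sample file, the networks and the user name tie_ro are constructed.

```python
"""Which pg_hba.conf rule admits the ePO server to the TIE PostgreSQL database?

Added example, not code from the original page or the McAfee product: parses pg_hba.conf
(first matching rule wins) and reports the outcome for the ePO server's IP address.
The sample file, networks and the user name tie_ro are constructed.
"""
import ipaddress
import sys
from dataclasses import dataclass

# Constructed sample in the shape of /data/tieserver_pg/pg_hba.conf (assumed content).
SAMPLE_PG_HBA = """\
# TYPE    DATABASE  USER    ADDRESS                    METHOD
local     all       all                                peer
host      all       all     127.0.0.1/32               md5
host      all       all     ::1/128                    md5
host      tie       tie_ro  10.0.5.0/24                md5
host      tie       tie_ro  10.0.6.20 255.255.255.255  md5
hostnossl all       all     0.0.0.0/0                  reject
"""


@dataclass
class HbaRule:
    line_no: int
    conn_type: str   # local, host, hostssl or hostnossl
    database: str    # "all" or comma-separated database names
    user: str        # "all" or comma-separated role names
    address: str     # raw ADDRESS column ("all", CIDR, "IP/NETMASK", hostname); "" for local
    network: object  # ipaddress network when ADDRESS is an IP or CIDR, else None
    method: str      # md5, trust, reject, ...


def _network(text):
    """Parse an IP, CIDR or 'IP/NETMASK' string; None for all, samehost, samenet, hostnames."""
    try:
        return ipaddress.ip_network(text, strict=False)
    except ValueError:
        return None


def parse_pg_hba(text):
    """Parse pg_hba.conf records, skipping comments, blank lines and unknown record types."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()  # drop trailing comments
        if not f:
            continue
        if f[0] == "local" and len(f) >= 4:  # local DATABASE USER METHOD
            rules.append(HbaRule(n, f[0], f[1], f[2], "", None, f[3]))
        elif f[0] in ("host", "hostssl", "hostnossl") and len(f) >= 5:
            addr, method_idx = f[3], 4
            # two-column "ADDRESS NETMASK" form: both fields are bare IPs
            if "/" not in addr and len(f) >= 6 and _network(addr) is not None and _network(f[4]) is not None:
                addr, method_idx = f"{addr}/{f[4]}", 5
            rules.append(HbaRule(n, f[0], f[1], f[2], addr, _network(addr), f[method_idx]))
    return rules


def _col_matches(column, value):
    """DATABASE/USER columns are 'all' or a comma-separated list; value None means any."""
    return value is None or column == "all" or value in column.split(",")


def first_matching_rule(rules, client_ip, database="tie", user=None, use_ssl=None):
    """First rule PostgreSQL would apply to this remote client, or None.
    use_ssl=None means TLS use is unknown, so hostssl and hostnossl both stay candidates."""
    ip = ipaddress.ip_address(client_ip)
    for r in rules:
        if r.conn_type == "local":  # Unix-socket rules never apply to a remote ePO server
            continue
        if (use_ssl is True and r.conn_type == "hostnossl") or (use_ssl is False and r.conn_type == "hostssl"):
            continue
        if not (_col_matches(r.database, database) and _col_matches(r.user, user)):
            continue
        if r.address == "all" or (r.network is not None and ip in r.network):
            return r
    return None


def check_epo_access(pg_hba_text, epo_ip, database="tie", user=None, use_ssl=None):
    """Return (verdict, rule, warnings): 'allowed', 'rejected', or 'no rule' (the case behind
    PostgreSQL's "no pg_hba.conf entry for host" error when Test Connection fails in ePO)."""
    rule = first_matching_rule(parse_pg_hba(pg_hba_text), epo_ip, database, user, use_ssl)
    warnings = []
    if rule is None:
        return "no rule", None, warnings
    if rule.method == "reject":
        return "rejected", rule, warnings
    if rule.method == "trust":
        warnings.append(f"line {rule.line_no}: method 'trust' skips password authentication")
    if rule.network is not None and rule.network.num_addresses > 256:
        warnings.append(f"line {rule.line_no}: rule admits {rule.network.num_addresses} addresses; narrow it to the ePO server")
    return "allowed", rule, warnings


if __name__ == "__main__":
    # Usage: python3 check_pg_hba.py /data/tieserver_pg/pg_hba.conf <ePO IP>; no arguments runs the sample.
    path, epo_ip = (sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else (None, "10.0.5.17")
    verdict, rule, warnings = check_epo_access(open(path).read() if path else SAMPLE_PG_HBA, epo_ip)
    where = f" (pg_hba.conf line {rule.line_no}, method {rule.method})" if rule else ""
    print(f"ePO {epo_ip} -> {verdict}{where}")
    for w in warnings:
        print("warning:", w)
    sys.exit(0 if verdict == "allowed" else 1)
```

    Run it on the appliance against /data/tieserver_pg/pg_hba.conf with the ePO server's IP as the second argument; with no arguments it evaluates the embedded sample. A matching rule is necessary but not sufficient: a firewall between the two servers still blocks the connection, so also confirm TCP 5432 is reachable from the ePO host (for example with Test-NetConnection <tie-host> -Port 5432 in PowerShell on the ePO server). Bear in mind that a hand edit of pg_hba.conf only takes effect after PostgreSQL reloads its configuration.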

     

     

    Configuring the Client Policies

    By default, the client policies are deployed in Observe Mode: the TIE module evaluates file reputations and reports events back to ePO, but does not block anything. For production deployments it makes sense to roll out pilot groups in Observe Mode first and review the events before enforcing; for a PoC, it usually makes sense to deploy in Enforce mode from the start.

     

    VirusScan Enterprise 8.8

    For now, modify the "Threat Intelligence Exchange module for VSE 1.0.1" policy and change the operation mode to Enforce as seen below. All other modifications will occur at a later stage in the setup: Dynamic Endpoint Security 6 - Configure Advanced Threat Defense

    TIE_enforce.png

     

    Endpoint Security 10.1

    For now, modify the "Endpoint Security Threat Intelligence" policy and uncheck Enable Observation Mode as seen below. All other modifications will occur at a later stage in the setup: Dynamic Endpoint Security 6 - Configure Advanced Threat Defense

    ENS_TIE_enforce.png

     

     

    Validation

    To verify that the TIE/DXL server is installed and communicating properly, open the System Tree in ePO. The TIE Server is listed as a managed system.

    Note: You may have to change the Preset field to This Group and All Subgroups to see the TIE Server entry.

     

    m8.png

     

    Click the TIE server name, then click the Products tab. Verify that the following products are listed:

    • Agent
    • McAfee DXL Broker
    • McAfee DXL Client
    • McAfee Threat Intelligence Exchange Server

    You may have to wait two agent-server communication intervals (ASCIs) for all components to install and check in properly. Sending an Agent Wake-Up Call with "Force complete policy and task update" checked can speed up this process.

    Note: Do not deploy the McAfee Agent, DXL Client or TIE module to the TIE server from ePO. The products listed above are installed as part of the appliance installation, so they must not be pushed again from ePO.

     

    m9.png

    Click the DXL Status tab to verify the TIE Server is connected.

    n1.png

    Click Actions | DXL | Lookup in DXL. You should see that the TIE server is Connected.

    n2.png

    n3.png

     

    At this point, the DxL & TIE server setup should be complete.  For next steps, click here: Dynamic Endpoint Security 4 - Configure Active Response