Dynamic Endpoint Security 6 - Configure Advanced Threat Defense

Version 23

     

    Prerequisites

    Before continuing with this section, please ensure you have met the following prerequisites:

     

    Configuring Advanced Threat Defense for TIE and DXL

    Our final step in installing and configuring the Dynamic Endpoint is integrating the McAfee Advanced Threat Defense (ATD) sandboxing solution. This module assumes you have already performed the initial installation of an ATD appliance on your network. If you need additional guidance on the initial installation and configuration of McAfee ATD, please visit Advanced Threat Defense in the Intel Security Expert Center.

     

    Once initial deployment of ATD is complete:

     

    1. Start by logging into the ATD UI as an Administrator
      ATD Login.png
    2. Navigate to “Manage” and then sub menu on the left “ePO Login/DXL”
      ATD EPO MANAGE.png
    3. Check “Enable ePO Login” and enter the credentials for your ePO Server. Click “Test ePO Login” and, once the test has completed successfully, click “Submit”.
      ATD EPO MANAGE 2.png
    4. Now log into the ePO server and navigate to the “System Tree”. The agent check-in will take a few minutes, and ATD will typically be found under “Lost/Found”.
      Note: System names for ATD will show up as ATD-1000, ATD-1500, ATD-3000, or ATD-6000.
      EPO LOSTFOUND.png
    5. Now Navigate back to the ATD UI. Navigate to “Manage” and then sub-menu on the left “ePO Login/DXL”. Click the check box to Enable DXL communication. Click “Test” and once the test has completed successfully click “Apply”. The DXL Client initialization and policy synchronization will take a few minutes. Once this has completed the “DXL Status” will change from red/Down to green/Up.
      ATD DXL STATUS.png
    6. As an optional step you can configure “Publish Threat Events to ePO”. In the drop-down, select either All or Malicious (Medium to Very High). Check “Enable Threat Event Publisher” and click “Apply”. The status icon for Publisher. Threat Events will now show up on the ePO “Threat Events” dashboard.
      ATD PUBLISH TO THREAT.png
    7. Navigate to Policy\Analyzer Profile and select Create new.
      ATD Analyzer Profile Edit 1.png
    8. Create a new Analyzer Profile based on the settings below.
      NEW PROFILE 2.png
    9. Assign the Analyzer Profile to the TIE User. Navigate to Manage\ATD Users. Select the "Threat Intelligence Exchange" user and click edit at the bottom.
      3-21-2016 4-21-29 PM.png

    10. Change the Password. (Ensure you follow the password policy). Update the "Default Analyzer Profile" to the Analyzer Profile you just created and click "Save"
      TIE Users.png

     

    Configuring the TIE Server policies

    1. Log into ePO.
    2. In the ePO Console, go to Menu > Policy Catalog, click the drop-down next to Product and select “McAfee Threat Intelligence Exchange Server Management 1.2.1”, then select the policy “My Default”. Note: the My Default policy is used here to keep the documentation simple.
      epo tie server.png
    3. Click the Advanced Threat Defense tab. Enter the User Name and Password you configured earlier and click “Save”.
      Tie Server Policy.png

    Configuring the TIE Client’s policies for VSE 8.8

    In your deployment, you will use either VirusScan 8.8 or ENS 10.x as the base.  If you are using VirusScan 8.8:

     

    1. Go to the Policy Catalog and click the drop down next to the product to select “Threat Intelligence Exchange module for VSE 1.2.1” and select “My Default”.
      TIE Endpoint Policy.png
    2. Set the options as shown in the screenshot below. Red arrows mark required settings and blue arrows mark optional ones. Click "Save" when completed.
      TIE Endpoint Policy Configuration edits.png
    3. Policy updates typically happen within a few minutes, but to speed up testing, go to the System Tree and select all the endpoints in your test/POC, including the TIE Server and ATD. Click Wake Up and ensure you check "Force complete policy and task update".
      Agentwakeup.png
    4. Your configuration is complete. You can now start your testing.

     

    Configuring the TIE Client policies for ENS 10.x

    In your deployment, you will use either VirusScan 8.8 or ENS 10.x as the base.  If you are using ENS 10.x:

    1. In the ePO System Tree, open "Assigned Policies" and select "Endpoint Security Threat Intelligence".
      ENS 10 Policy.png
    2. Update the Policy as seen below and click Save.
      ENS Endpoint Policy edits.png
    3. Wake up agents and ensure you check "force complete policy and task update". This will push the policy changes you just made out and allow you to start testing.
      ens10 wakeup agent.png
    4. Your configuration is complete. You can now start testing.

     

    Validation and Troubleshooting

    Once ATD integration is complete, check for ATD under Managed Systems in ePO. Please note that this may take a few minutes to complete.

         EPO LOSTFOUND.png

    If ATD does not register with ePO:

    • Check the ePO credentials used in ATD, and ensure that ATD can properly authenticate.
    • Verify network connectivity with pings from the ATD CLI to the TIE Server and ePO, as well as in the other direction.
    • Check the ATD ePO/DXL login status.

             Screen Shot 2016-03-30 at 11.29.21 AM.png

    • Verify TIE credentials are correct by logging into ATD using the TIE User credentials.
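    The connectivity check above relies on ping, which only shows that a host is up; the ATD, TIE Server and ePO integration also depends on specific TCP listeners being reachable from each side. The following is an added example, not part of the McAfee documentation, that tests TCP reachability for an inventory of endpoints and summarizes which ones fail. The inventory is constructed, and the port numbers are assumptions based on common defaults (ePO console 8443, ePO agent-server communication 443, DXL broker 8883); confirm them against your own deployment before relying on the results.

```python
"""TCP reachability pre-check for the ATD / TIE / ePO integration.

Added example, not McAfee code. Run it from the ATD appliance, the TIE
Server and an endpoint in turn so that both directions are covered.
"""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    """One listener the integration needs to reach."""
    name: str
    host: str
    port: int


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout.

    A refused connection, a DNS failure or a timeout all count as unreachable;
    the caller only needs the yes/no result to decide where to look next.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_endpoints(endpoints, timeout: float = 3.0) -> dict:
    """Check every endpoint and map its name to the reachability result."""
    return {ep.name: tcp_reachable(ep.host, ep.port, timeout) for ep in endpoints}


def unreachable(results: dict) -> list:
    """Sorted names of the endpoints that failed, for the troubleshooting summary."""
    return sorted(name for name, ok in results.items() if not ok)


def selftest() -> dict:
    """Offline demonstration on loopback: one listening port and one closed port.

    Binding to port 0 lets the OS pick a free port, so the test does not
    depend on anything else running on the machine.
    """
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    # Reserve and immediately release a second port so we know it is closed.
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()
    try:
        sample = [
            Endpoint("loopback-open", "127.0.0.1", open_port),
            Endpoint("loopback-closed", "127.0.0.1", closed_port),
        ]
        return check_endpoints(sample, timeout=1.0)
    finally:
        listener.close()


if __name__ == "__main__":
    # Constructed inventory; hostnames and ports are placeholders to adjust.
    inventory = [
        Endpoint("ePO console", "epo.example.local", 8443),      # assumed default
        Endpoint("ePO agent-server", "epo.example.local", 443),  # assumed default
        Endpoint("DXL broker", "epo.example.local", 8883),       # assumed default
        Endpoint("TIE Server", "tie.example.local", 443),        # assumed
        Endpoint("ATD UI", "atd.example.local", 443),            # assumed
    ]
    report = check_endpoints(inventory)
    for name, ok in report.items():
        print(f"{name:18s} {'reachable' if ok else 'UNREACHABLE'}")
    missing = unreachable(report)
    if missing:
        print("Investigate firewall rules or routing for:", ", ".join(missing))
```

    Run the script from each side of the integration; an endpoint that is reachable from ePO but not from ATD points at a one-way firewall rule rather than a credential problem, which is worth knowing before re-entering passwords in the ATD UI.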