Web Gateway: Integrating with Cloud Threat Detection (CTD)

Version 9

     

    Introduction

    In December, Cloud Threat Detection (CTD) was announced; this is Intel Security's cloud sandboxing technology. It allows organizations to be more nimble in analyzing advanced threats by leveraging McAfee's Cloud rather than relying on an on-premise Advanced Threat Defense (ATD). CTD is ideal for situation where having an on-premise appliance isn't feasible, or for customers looking for a hybrid sandbox solution consisting of on-premise and off-premise threat detection.

     

     

    Video Walkthrough

    This video will walk you through provisioning Web Gateway with Cloud Threat Detection, configuring the rules needed for your on-premise Web Gateway, and a quick look at the Cloud Threat Detection Workspace.

     

     

    Provisioning Web Gateway for Cloud Threat Detection

    To integrate Web Gateway (MWG) with Cloud Threat Detection (CTD), we need to fill out a challenge/response form in each UI. For MWG use the MWG UI, for CTD use ePO Cloud. We obtain a provisioning key from MWG, which is used to generate an activation key from CTD. The resulting activation key will be used in the MWG UI to set the tenant ID.

     

    • In Web Gateway, go to Configuration > Cluster > Tenant Info
    • In ePO Cloud, go to Menu > Server Settings > Cloud Threat Detection Setup

     

    The below .gif will shows the order of operation.

     

    Setup.gif

     

     

    Configuring Web Gateway Rules

    In order for Web Gateway to send file to CTD, we must configure rules which dictate which files are sent to the cloud for analysis. There are two rulesets to choose from (Offline scanning or Inline scanning); each has their own user experience (similar to ATD).

     

    Offline scanning

    The most preferred methodology is "Offline scanning" mode. Offline scanning means that if a user is downloading a suspicious file, the file will be made available to the user immediately (assuming it wasn't blocked by other rules). If that suspicious file found to be malicious, you can configure the Web Gateway to alert you for remediation. Additionally if another user downloads the same file they should be blocked.

     

    Rules3.gif

     

     

    Inline Scanning

    Inline scanning is less preferred because the user must wait for the file to finish being analyzed by CTD. If you prefer inline scanning, import the "Cloud Threat Detection" ruleset from the Ruleset Library and move it just below Gateway Anti-Malware.

     

     

     

    Cloud Threat Detection UI and Analysis Report

    Within your ePO Cloud account, navigate to the Cloud Threat Detection Workspace to see files which were submitted by MWG for analysis. Here you will see files which have been convicted based on severity level, time submitted, and the processing time for a reputation verdict.

     

    Below, a visualization is provided on how to navigate to "High Risk" objects and how to extract threat details, reputation information, and the ability to extract IOCs through STIX.

     

    CTDUI4.gif