Cloud Threat Detection (CTD) is a cloud sandbox that lets organizations extend their threat detection capabilities by leveraging McAfee's cloud. It is an alternative to deploying Advanced Threat Defense (ATD), the on-premise sandbox appliance. CTD can be deployed entirely off-premise when an on-premise appliance is not practical, or in a hybrid arrangement with ATD on-premise and CTD off-premise. CTD integrates with Network Security Platform (NSP), so the IPS sensor can send files to the cloud for further analysis. Once a file is convicted in the cloud, the reputation score is returned to the sensor, which updates the file's reputation and takes the action defined by policy.
Provisioning Network Security Platform for Cloud Threat Detection
To begin integrating Network Security Platform (NSP) with Cloud Threat Detection (CTD), an activation key must be generated for the Network Security Manager (NSM). The activation key is generated in ePO Cloud from the provision key shown in the NSM. Once generated, the activation key is entered in the Manager to activate the CTD integration.
In your Network Security Manager, go to Manager > Integration > CTD and check the "Enable CTD Integration" box.
In ePO Cloud, go to Menu > Server Settings > Cloud Threat Detection Setup
The .gif below will illustrate the order of operations.
Configuring Advanced Malware Policies in the Manager
For the NSP sensor to send files to CTD, the Advanced Malware policy in the Manager must permit file submission to the cloud for analysis.
CTD submissions from the sensor are enabled through the Manager. Go to Policy > Intrusion Prevention > Policy Types > Advanced Malware Policies. Work from a clone of the Default Malware Policy rather than the default itself, then click Edit on the clone to configure it.
Under the McAfee Cloud column, you will notice that by default none of the boxes have been checked.
Here you will check three boxes; Executable, PDF Files, and Android Application Packages (APKs). Once you've checked all three, save the policy.
A warning will pop up stating that DXL connectivity must be present and that, for GTI File Reputation to be used, name resolution must be confirmed. These dependencies are enabled at the global device level for the admin domain; if they are already in place there, dismiss the warning and click OK to finalize the policy change.
Malware File Logging
To view the malware files the sensor has sent for cloud analysis, go to Analysis > Malware Files, which lists every file that was analyzed. To narrow the list to cloud submissions, click the McAfee Cloud filter tab at the top of the view.
Cloud Threat Detection UI and Analysis Report
Within your ePO Cloud account, navigate to the Cloud Threat Detection Workspace to see the files NSP submitted for analysis. Each convicted file is listed with its severity level, the time it was submitted, and the processing time taken to reach a reputation verdict.
The visualization below shows how to navigate to "High Risk" objects, view the threat details and reputation information for an object, and export its IOCs in STIX format.
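Once IOCs have been exported from the workspace, the practical next step is to pull the indicators out of the STIX document and feed them to a blocklist or a SIEM. The following Python is an added example, not code from the page or from McAfee: it parses a constructed STIX 2.1 bundle (the page does not show CTD's actual export, so the bundle, the hashes, the domain and the object IDs below are placeholders), skips revoked indicators, and flags any compound pattern it cannot reduce to a single observable so that nothing is silently dropped.

```python
import json
import re
from collections import defaultdict

# Constructed STIX 2.1 bundle standing in for an IOC export. This is sample data
# written for this example; it is not CTD's real export format, and the hash,
# domain and address values are placeholders rather than real indicators.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000002",
            "name": "Sample executable (High Risk)",
            "indicator_types": ["malicious-activity"],
            "pattern_type": "stix",
            "pattern": "[file:hashes.'SHA-256' = '" + "a" * 64 + "']",
            "valid_from": "2020-01-01T00:00:00Z",
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000003",
            "name": "Sample callback domain",
            "indicator_types": ["malicious-activity"],
            "pattern_type": "stix",
            "pattern": "[domain-name:value = 'example.invalid']",
            "valid_from": "2020-01-01T00:00:00Z",
        },
        {
            # Revoked indicator: must not reach the blocklist.
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000004",
            "name": "Withdrawn address",
            "pattern_type": "stix",
            "pattern": "[ipv4-addr:value = '192.0.2.10']",
            "valid_from": "2020-01-01T00:00:00Z",
            "revoked": True,
        },
        {
            # Compound pattern: too complex for the single-comparison parser below.
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000005",
            "name": "Sized dropper",
            "pattern_type": "stix",
            "pattern": "[file:hashes.'MD5' = '" + "b" * 32 + "' AND file:size > 100]",
            "valid_from": "2020-01-01T00:00:00Z",
        },
        {
            # Non-indicator object, ignored by the extractor.
            "type": "malware",
            "spec_version": "2.1",
            "id": "malware--00000000-0000-4000-8000-000000000006",
            "name": "sample",
            "is_family": False,
        },
    ],
}

# Matches exactly one comparison such as [file:hashes.'SHA-256' = '...'].
PATTERN_RE = re.compile(r"\[\s*([^\s=]+)\s*=\s*'([^']*)'\s*\]")


def extract_iocs(bundle):
    """Return {object_path: [values]} for every usable indicator in a STIX bundle.

    Patterns that are not a single comparison are collected under "unparsed".
    """
    iocs = defaultdict(list)
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue
        pattern = obj.get("pattern", "").strip()
        match = PATTERN_RE.fullmatch(pattern)
        if not match:
            iocs["unparsed"].append(pattern)
            continue
        path = match.group(1).replace("'", "")   # file:hashes.'SHA-256' -> file:hashes.SHA-256
        iocs[path].append(match.group(2))
    return dict(iocs)


def to_blocklist(iocs):
    """Flatten hashes, domains, IPs and URLs into tab-separated lines for a feed."""
    wanted = ("domain-name:value", "ipv4-addr:value", "ipv6-addr:value", "url:value")
    lines = []
    for path, values in sorted(iocs.items()):
        if path.startswith("file:hashes.") or path in wanted:
            lines.extend(f"{path}\t{value}" for value in values)
    return lines


if __name__ == "__main__":
    found = extract_iocs(SAMPLE_BUNDLE)
    print(json.dumps(found, indent=2))
    print("\n".join(to_blocklist(found)))
```

The "unparsed" bucket matters more than it looks: a STIX pattern can combine several observables with AND/OR and time windows, and a loader that only understands one comparison per indicator will quietly lose those entries unless it reports them. Review that bucket by hand before treating the blocklist as complete.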