Threat Intelligence Exchange Getting Started Guide

Introduction

This Getting Started Guide walks you through the McAfee Threat Intelligence Exchange (TIE) 1.0 installation and configuration needed to begin working with TIE 1.0.

Prerequisites

In order to successfully deploy the McAfee TIE solution for evaluation, the following is required:

McAfee software

  • ePO 5.1.1 or later running on Windows Server 2008 R2 or later
  • McAfee Agent 5.0 or later installed on endpoints
  • VSE 8.8 with patch 4 hotfix 929019 installed on endpoints

Customer provided

  • VMware / ESXi server for hosting the TIE/DXL server

Network requirements

  • IP address for the TIE/DXL server
  • Ports:
     ePO ports (default TCP 80, 443, 8081, 8443, 8444, 1433; UDP 8082, 1434). For more detailed information see KB66797.
     TIE server/DXL ports (default 8883, 1883)
     Postgres (TCP and UDP 5432)
  • Private API key from VirusTotal (see the appendix for instructions on obtaining this)
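Before deploying the OVA it is worth confirming that these paths are actually open between the ePO server, the TIE/DXL appliance and a test endpoint, and that the names you will type into the appliance console and the Registered Servers page resolve in both directions. The following Python pre-flight check is an added example and is not part of the guide or of McAfee's software: it parses the port list above, attempts a full TCP connect to each TCP port, and does a forward-then-reverse DNS lookup. The TCP protocol for the TIE/DXL ports, the hostnames in the `__main__` block and the decision to probe only TCP are assumptions made for the example.

```python
import re
import socket
from typing import Dict, List, Tuple

# Port list transcribed from the guide's Network requirements. The guide gives
# the TIE/DXL ports without a protocol; TCP is assumed here. Postgres is listed
# as TCP and UDP, but only TCP is probed: a UDP probe cannot distinguish an open
# port from a filtered one.
PORT_SPEC = {
    "ePO": "TCP 80, 443, 8081, 8443, 8444, 1433 UDP 8082, 1434",
    "TIE/DXL": "TCP 8883, 1883",
    "Postgres": "TCP 5432 UDP 5432",
}


def parse_port_spec(spec: str) -> List[Tuple[str, int]]:
    """'TCP 80, 443 UDP 8082' -> [('TCP', 80), ('TCP', 443), ('UDP', 8082)]."""
    ports, proto = [], None
    for token in re.split(r"[\s,]+", spec.strip()):
        if token.upper() in ("TCP", "UDP"):
            proto = token.upper()
        elif token:
            if proto is None:
                raise ValueError(f"port {token!r} is not preceded by TCP or UDP")
            ports.append((proto, int(token)))
    return ports


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Full TCP connect; False on refusal, timeout or name-resolution failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def dns_round_trip(hostname: str) -> Tuple[bool, str]:
    """Forward-resolve the name, then reverse-resolve the address.

    The appliance does not register its own name in DNS, so a missing A or PTR
    record for the TIE server is a common reason Test Connection fails later.
    """
    try:
        addr = socket.gethostbyname(hostname)
    except socket.gaierror as exc:
        return False, f"{hostname}: forward lookup failed ({exc})"
    try:
        reverse_name = socket.gethostbyaddr(addr)[0]
    except socket.herror as exc:
        return False, f"{addr}: no PTR record ({exc})"
    return True, f"{hostname} -> {addr} -> {reverse_name}"


def preflight(targets: Dict[str, str]) -> Dict[str, List[Tuple[str, int, bool]]]:
    """targets maps a PORT_SPEC key to the host to probe; returns (host, port, open) per TCP port."""
    report = {}
    for component, host in targets.items():
        report[component] = [
            (host, port, tcp_open(host, port))
            for proto, port in parse_port_spec(PORT_SPEC[component])
            if proto == "TCP"
        ]
    return report


def selftest_loopback() -> bool:
    """Offline check of tcp_open: an ephemeral loopback listener reads as open, then as closed."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        seen_open = tcp_open("127.0.0.1", port, timeout=1.0)
    finally:
        listener.close()
    return seen_open and not tcp_open("127.0.0.1", port, timeout=1.0)


if __name__ == "__main__":
    # The hostnames below are placeholders; substitute your own ePO and TIE server names.
    for name in ("epo.example.local", "tie.example.local"):
        print(dns_round_trip(name)[1])
    results = preflight({"ePO": "epo.example.local",
                         "TIE/DXL": "tie.example.local",
                         "Postgres": "tie.example.local"})
    for component, checks in results.items():
        for host, port, is_open in checks:
            print(f"{component:8} {host}:{port:<5} {'open' if is_open else 'CLOSED/filtered'}")
```

Run it from the ePO server against the appliance address, and again from a test endpoint against both the ePO server and the appliance; a port that reads CLOSED/filtered from one side but open from the other points at a firewall rule rather than a service that is down.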

 

Endpoints
You can install Threat Intelligence Exchange Client on the following operating systems:

Microsoft Windows:
  • Windows 7 (64-bit)
  • Windows 8.0 (32- and 64-bit)
  • Windows 8.1 (32- and 64-bit)
  • Windows 8.1 Update 1/Update 2 (32- and 64-bit)
  • Windows Server 2008 R2
  • Windows Server 2012/2012 R2


**Testing is more accurate and more informative on a typical system from your environment. If a live production system is not available, we suggest using VMware physical-to-virtual conversion to make a copy of a production system. For more information on vCenter Converter see http://www.vmware.com/products/converter/features

 

Installation and Configuration of McAfee Threat Intelligence Exchange (TIE) and Data Exchange Layer (DXL)

 

For a Threat Intelligence Exchange Installation and Configuration Checklist see https://community.mcafee.com/docs/DOC-6455

 

The installation and configuration assumes:

  • ePO 5.1.1 is installed and configured
  • McAfee Agent 5.0 and VSE 8.8 patch 4 with hotfix 929019 is installed and deployed on the endpoints
  • ESXi server is accessible for OVA deployment

 

This section is comprised of 3 main steps:

  • Installing the TIE/DXL server
  • Deploying the TIE/DXL endpoint components
  • Configuring the TIE solution

 

Installing the TIE/DXL server

VM Specifications for the TIE/DXL server:

  • The TIE/DXL server is deployed as a virtual appliance. Ensure the ESXi host can provide the following resources. For the purposes of this guide, we assume the TIE server and DXL broker are installed on the same virtual machine:
    • VMware ESXi 5.1.0 or later
    • The OVA (VMware image) is pre-configured with 16 GB of RAM and 8 CPUs; the ESXi host must be able to accommodate this configuration.
    • Sufficient SSD or hard disk space for the database (116 GB when thick provisioned)
      **The TIE/DXL server is a single McAfee-provided OVA file that includes both components.

Other considerations:

  • Determine the IP address to be used during the POC. Both manual and DHCP configuration are available.
  • Determine the IP address (or fully qualified domain name) and the administrator username and password of the ePO server that TIE/DXL will connect to.

For a quick video demonstration of the TIE/DXL server deploy and installation go to: <This is a placeholder>

These steps will walk you through downloading, installing and configuring the McAfee Threat Intelligence Exchange and Data Exchange Layer Server:

 

Upon receiving your grant number, access the software download portal at http://www.mcafee.com/us/downloads/downloads.aspx (McAfee Downloads).

 

Enter your grant number under Download My Products and click Go.

download page.png

 

Under Software downloads click on “McAfee Threat Intelligence Exchange”

Note:  These extensions and packages are also available in the ePO Software Manager

Download TIE_Server_1.0.0.xxx.x86_64-MAIN.ova
Note: The VMWare vSphere client will need access to this file

 

Download the following extensions and packages from the McAfee download site or check in from the Software Manager in ePO:

  • DXLBrokerMgmt_1.0.0_Build_xxxx Package #x.zip
  • DXLClient_1.0.0_Build_xxxx Package #x.zip
  • DXLClientMgmt_1.0.0_Build_xxx Package #x.zip
  • help_dxl_100.zip
  • DXL 1.0.0 Build xxxx Package #x.zip
  • TIEServerMgmt_1.0.0_Build_xxx Package #x.zip
  • help_tie_100.zip
  • TIEmMeta.zip
  • help_jtic_100.zip
  • JTICAgent.zip

 

In ePO, install the following extensions:

 

  • DXLBrokerMgmt_1.0.0_Build_xxxx Package #x.zip
  • DXLClient_1.0.0_Build_xxxx Package #x.zip
  • DXLClientMgmt_1.0.0_Build_xxxx Package #x.zip
  • help_dxl_100.zip
  • TIEServerMgmt_1.0.0_Build_xxx Package #x.zip
  • help_tie_100.zip
  • TIEmMeta.zip
  • help_jtic_100.zip

Select Menu | Software | Extensions and then click Install Extension

extenstions.png

Repeat this process until all 5 extensions and 3 help files are checked in.

 

When all extensions are properly installed you should see:

  • McAfee DXL
  • McAfee TIE Server
  • Threat Intelligence Exchange module for VSE

extensions 2.png

 

Check the DXL and TIE package into the Master Repository. Select Menu | Software | Master Repository and then click Check In Package.  Browse to DXL 1.0.0 Build xxx Package #x.zip

master repository.png

Click Next and Save

 

Repeat these steps for the JTICAgent.zip

The Master Repository should appear as follows:

master repository 2.png

Once the product extensions and packages are checked in to ePO, you are ready to deploy the TIE/DXL server. Open the VMware vSphere Client and select File | Deploy OVF Template.

deploy.png

Browse to the location of the TIEServer_1.0.0.xxx.x86_64‑MAIN.ova file on your computer, and then click Next. Complete the steps in the wizard, accepting the default values. As noted above, the OVA (VMware image) is pre-configured with 16 GB of RAM and 8 CPUs; the ESXi host must be able to accommodate this configuration.

deploy2.png

The first time you power on the virtual machine and open the console, the End User License Agreement is displayed. Press Enter several times to page through it, then Y to accept and begin the installation.

l1.png

Create a root password for the Threat Intelligence Exchange virtual server. The password must be at least nine characters.  Press Y to create.

l2.png

The operational account will have limited permissions.  Enter an Account Name, Real Name, and Password. Use the Tab key to move to the next field. When finished, press Y to continue.

l3.png

Only one option appears on this page; press N to continue. *Note: N is the only way to move forward. When only one option is present, Tab and Enter do not work.

l4.png

 

Select DHCP or Manual IP address configuration. Enter D for DHCP or M for Manual.  If you select Manual, enter the remaining information.

When finished, enter Y to continue.

l5.png

Enter the Hostname and  Domain Name (if appropriate) of the computer where you are installing the Threat Intelligence Exchange server appliance.

Enter Y to continue.

l6.png

Enter up to three Time Servers to synchronize the time of the Threat Intelligence Exchange server. Use the default servers listed, or enter the address for up to three servers.

Enter Y to continue.

l7.png

Enter the IP Address or fully qualified domain name, port, and account information for your McAfee ePO server.

Enter Y to continue.

Note: The ePO server must be reachable at this point; the installer now configures the McAfee Agent on the appliance and registers it with ePO.

l8.png

Enter the ePO Agent Wake-up Port.  The default is 8081.

Enter Y to continue

l9.png

Select the services to run on the Threat Intelligence Exchange server. Enter Y for both DXL Broker, and TIE Server.

Enter Y to continue.

m1.png

 

A Master server replicates the Threat Intelligence Exchange database to all Slave servers, if you have them. Enter M for the configuration, then Y to continue.

Note: For this guide, we install only a Master.

The available server roles are:

Master: replicates the TIE database to all Slave servers, if you have them.

Write-only Master: does not process reputation requests or any non-essential functionality beyond writing and maintaining the database. Because a write-only Master does not process requests over the Data Exchange Layer, it improves performance by only replicating the database and leaving Data Exchange Layer requests to the Slave servers.

Slave: processes Data Exchange Layer requests exactly like a Master, using a database replicated from the Master. The Slave server must have network access to the Master server.

Reporter: a Slave server that does not process reputation requests. It improves McAfee ePO reporting by replicating the database without processing Data Exchange Layer requests.

m2.png

 

The read-only account lets McAfee ePO query the Threat Intelligence Exchange server's PostgreSQL database. You will enter these credentials under Registered Servers in ePO in a later step so that ePO can connect to and receive data from the TIE server database.

Enter the read-only account name and password. Enter Y to continue.

Note: the password may only use the following characters: a-z A-Z 0-9 ~@#$%^_+=-
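A password containing any character outside that set is rejected at the console, and a password manager's default generator will usually include one, so it pays to generate and check the read-only password before the installer asks for it. The following Python is an added example, not part of the guide or of the product: it validates the two installer rules stated above (nine-character minimum for root, restricted character set for the read-only account) and generates a compliant random read-only password. The length of 24 and the requirement for at least one letter, one digit and one symbol are choices made here, not installer rules.

```python
import secrets
import string

# Characters the installer accepts for the read-only PostgreSQL account
# password, as listed in the guide. Anything else (for example ! * . or a
# space) is rejected, so check a password before typing it into the console.
READONLY_SYMBOLS = "~@#$%^_+=-"
READONLY_ALLOWED = frozenset(string.ascii_letters + string.digits + READONLY_SYMBOLS)
ROOT_MIN_LENGTH = 9   # minimum length the installer enforces for the root password


def readonly_password_problems(password: str) -> list:
    """Return reasons the read-only account password would be rejected (empty = accepted)."""
    problems = []
    if not password:
        problems.append("password is empty")
    rejected = sorted(set(password) - READONLY_ALLOWED)
    if rejected:
        problems.append("characters outside the allowed set: " + " ".join(repr(c) for c in rejected))
    return problems


def root_password_problems(password: str) -> list:
    """Return reasons the root password would be rejected (empty = accepted)."""
    if len(password) < ROOT_MIN_LENGTH:
        return [f"root password must be at least {ROOT_MIN_LENGTH} characters, got {len(password)}"]
    return []


def generate_readonly_password(length: int = 24) -> str:
    """Random password drawn only from the allowed set.

    The length and the one-letter/one-digit/one-symbol requirement are choices
    made for this example, not installer rules.
    """
    if length < 3:
        raise ValueError("need at least three characters for one of each class")
    alphabet = sorted(READONLY_ALLOWED)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.isalpha() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in READONLY_SYMBOLS for c in candidate)):
            return candidate


if __name__ == "__main__":
    # Constructed inputs: one password that passes and one with characters the installer rejects.
    for pw in ("Tie_ReadOnly-2019", "Tie!ReadOnly*2019"):
        print(pw, readonly_password_problems(pw) or "accepted")
    print("generated:", generate_readonly_password())
```

Store the generated value in your password manager before entering it; the same credential is typed again into the ePO Registered Servers page later, and the installer does not display it back.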

m3.png

Specify the DXL Broker Port that the Data Exchange Layer uses. Use the default port 8883, or enter a port number within the range shown.

Enter Y to continue.

m4.png

Nothing is required on this page; TIE server setup is complete.

m5.png

To view TIE database information in McAfee ePO reports and dashboards, create a new registered server.

In McAfee ePO, click Menu | Configuration | Registered Servers, then click New Server.

In the Server type drop-down list, click Database Server.  Enter a Name, for example, TIE Database, and then click Next.

 

m6.png

Database Vendor: select TieServerPostgres.

Host name or IP address: enter the host name of the system where you installed the TIE server.

**If you use the host name, make sure it is registered in DNS. The TIE server is a Linux appliance and does not register its own name in DNS when it is created, so create the record manually.

Database name: enter tie. **This is case sensitive.

User name and password: enter the read-only PostgreSQL user name and password you specified on the PostgreSQL Read-Only Account Setup page during the TIE server installation. For TIE Server 1.3.0 the password field is not displayed, because certificate authentication is used instead.

Click Test Connection to verify the connection information and user credentials.

m7.png

To verify that the TIE/DXL server is installed and communicating properly, open the System Tree in ePO. The TIE Server is listed as a managed system.

Note: You may have to change the Preset field to This Group and All Subgroups to see the TIE Server entry.

 

m8.png

 

Click the TIE server name, then click the Products tab. Verify that the following products are listed:

  • Agent
  • McAfee DXL Broker
  • McAfee DXL Client
  • McAfee Threat Intelligence Exchange Server

You may have to wait two agent-server communication intervals (ASCIs) for all components to install and check in. Sending an Agent Wake-Up Call with 'Force complete policy and task update' checked speeds this up.

Note: Do not push the McAfee Agent, DXL client or TIE module to the TIE server. The products listed above are installed by the appliance installation itself.

 

m9.png

Click the DXL Status tab to verify the TIE Server is connected.

n1.png

Click Actions | DXL | Lookup in DXL. The TIE server should show as Connected.
n2.png

n3.png

Installing and verifying the DXL client and McAfee Threat Intelligence Exchange Module for VSE on your endpoint

Prerequisites for the TIE Client:

  • McAfee Agent 5.0
  • Virus Scan 8.8 patch 4 with hotfix 929019

The following steps will walk you through installing and verifying the DXL client and McAfee Threat Intelligence Exchange module for VSE

 

Before deploying the DXL and TIE clients, verify that McAfee Agent 5.0 and VSE 8.8.0.1263 are installed on the endpoint. Click the endpoint in the System Tree and open the Products tab.

Note: VSE hotfix 929019 must be installed. Version 8.8.0.1263 indicates it is; if the endpoint still shows 8.8.0.1247, the hotfix has not been applied.

o1.png
In McAfee ePO, click Menu | Software | Product Deployment, then click New Deployment.

o2.png

Name the deployment DXL. For Type select Fixed.  Choose Data Exchange Layer Client 1.0.0 package.

Note: This is the same package that was checked into the master repository in the beginning of the installation section.

o3.png

Click Select Systems.  The System Selection screen will pop up.  Select only the endpoints you wish to deploy the DXL client to.

Note: Do not deploy the DXL client to the TIE server.
o4.png
When the endpoints are selected, click OK.

o6.png

To complete the Product Deployment form select Run Immediately

o7.png

At the top of the Product Deployment page click Save to begin deployment.

o8.png

Once the product deployment page shows successful completion of DXL on your endpoint, verify McAfee DXL Client appears in the Products tab of your system.

o9.png

In McAfee ePO, click Menu | System Tree, click the endpoint and then click the Products tab.

Note: You may have to wait two agent-server communication intervals (ASCIs) for all components to install and check in. Sending an Agent Wake-Up Call with 'Force complete policy and task update' checked speeds this up.

p1.png

Repeat the same Product Deployment process for the TIE Module for VSE.  In McAfee ePO, click Menu | Software | Product Deployment, then click New Deployment.

p2.png

 

Name the deployment TIE.  For Type select Fixed.  Choose the Threat Intelligence Exchange module for VirusScan Enterprise 1.0.0 package.

Note: This is the same package that was checked into the master repository in the beginning of the installation section.

 

p3.png

 

Click Select Systems. The System Selection screen will pop up. Select only the endpoints you wish to deploy the TIE module to.

Note: Do not deploy the TIE module to the TIE server.
p4.png
When the endpoints are selected, click OK.

p6.png

To complete the Product Deployment form select Run Immediately

p7.png

 

At the top of the Product Deployment page click Save to begin deployment

o8.png

 

Verify the Product deployment page shows successful completion of TIE on your endpoint.

Note: You may have to wait two agent-server communication intervals (ASCIs) for all components to install and check in. Sending an Agent Wake-Up Call with 'Force complete policy and task update' checked speeds this up.

p9.png

Click into the endpoint in the System Tree and click the Products tab to verify the Threat Intelligence Exchange module for VSE installation was successful.

q1.png

Click the DXL Status tab to verify the client is Connected.

q2.png

Click Actions | DXL | Lookup in DXL

q3.png

You should see the endpoint is Connected

q4.png

 

Configuring the TIE Solution

Prerequisites
Before completing this section you must have completed the server and client installation sections. The policies set in this section must be configured as described for the use cases in the POC Guide and on the Expert Center to run as documented.

Considerations
For the POC we set the client policy to block at 'Unknown'. To demonstrate the capabilities without compromising safety, the files in the sample set are benign. In production it is more common to block at 'Might be Malicious'. Recommendations:

 

Block at Unknown: point-of-sale devices and production servers where little to no change occurs.

Might be Malicious: most endpoints fall into this category (**depending on your organization's risk tolerance).

Observe mode: run in observe mode to establish a system baseline and to populate the TIE server with commonly used files. Once the policy is switched to enforce, files that were already evaluated in observe mode are no longer considered unknown.

TIE Scanning tool: the TIE Scan tool performs TIE analysis on user-specified files and folders and populates a TIE server database with baseline data from a gold image. The TIE Scanning tool is not an official part of the product and comes with minimal or no support and documentation. Refer to the Baseline Gold Images with the TIE Scanner document.

 

The following steps will walk you through TIE server and client extension configuration as needed for the user story section:

 

Configure the TIE Server Extension under Menu | Configuration | Server Settings | Threat Intelligence Exchange Server

Click Edit.

a1.png

 

Enter your VirusTotal public/private key and click Save.

**For more information on how to obtain the VirusTotal Public/Private Key see

a2.png

To access the TIE Server settings policy, select Menu | Policy | Policy Catalog and select McAfee TIE Server Management 1.0.0 in the Product dropdown.
Click into My Default to edit.

 

a3.png

On the General tab, you can enable and disable GTI Reputations and set Proxy and Product Improvement Program settings.

a4.png

Note: The Product Improvement Program helps McAfee learn about threats and prioritize what is allowed or blocked.

a5.png

 

On the Advanced Threat Defense (ATD) tab you can configure the ATD server to which files are sent for further evaluation. Skip this step if ATD is not part of your deployment. Otherwise check Enabled and enter the user name and password for the ATD server.

Note: Samples are submitted from the TIE server.

a6.png

a7.png

To access the TIE Client policy, select Menu | Policy | Policy Catalog and select Threat Intelligence Exchange Module for VSE 1.0.0 in the Product dropdown.
Click My Default to configure.

a8.png


Configure your Client policy.  Leave Self Protection Enabled

Self Protection: If selected, prevents users on managed endpoints from changing Threat Intelligence Exchange module settings.

a9.png

Set Operation Mode to Enforce

Operation Mode: Specifies whether the module applies the policy settings on this page.

Enforce: Enforce the policy per the settings on the page.
Observe: Collect data as if the policy were enforced and send it to the server, but don't actually enforce the policy. This option allows you to see what effect the policy would have without running it.
Disabled: Do not enforce the policy.

b1.png

 

Check Enabled or not, depending on your preference. Telemetry settings specify whether file information is sent to McAfee; enabling it helps McAfee learn about threats and prioritize what is allowed or blocked.

b2.png

Set Balance Security for Typical systems

Balance Security For: There are three levels that reflect the amount of risk, or security, allowed on the systems that use this policy.

High change systems: block and prompt the least
Typical systems: block and prompt more
Low change systems: block and prompt the most

**To enable or disable specific rules for each security level review the server settings for the TIE module for VSE

b3.png

 

Set Clean at: Known Malicious

Set Block at: Unknown

Reputation Responses for Executables, DLLs, Drivers: Specify what happens when a file with a specific reputation level tries to run on a system that uses this policy.


Clean at:  Select a file reputation level at which the file is cleaned using VirusScan Enterprise and then allowed to run. This option is available only for High change systems and Typical systems security levels.
**We recommend using Clean at only with known malicious file reputations because Clean at might delete the file.

 

Block at: Select a file reputation level where files are blocked. When a file with this reputation tries to run in your environment, it's prevented from running but remains in place. If you discover that the file is safe and you want it to run, you can change its file reputation to a level that is allowed to run, such as Known Safe.

b4.png

Leave End User Prompting disabled.
Prompt at: Specify the file reputation level at which users are prompted to allow or block the file. The prompt level must not conflict with the Clean at or Block at settings. For example, if you block Unknown files, you cannot set this field to Might Be Malicious, because that is a lower (less trusted) reputation than Unknown.

Default action: Specify what happens if the user doesn't respond to the prompt.

Timeout: Specify how long the prompt displays before performing the Default action.

Custom Prompt Text: Enter text the user sees when a file that meets the prompting criteria attempts to run. If you don't enter custom text, a default message is used.

b6.png

Enable these or not, depending on your preference.

Use GTI: Get file reputation information from the Global Threat Intelligence cloud if the module can't access the server.

Prompting Disabled: If the server is unavailable, disable prompting so that users don't receive prompts about files with reputations that are unavailable.

b7.png

 

If ATD is in use and configured in the TIE server extension, check Submit files to ATD and set the level to Unknown.

Skip this step if ATD is not included.
Files are sent to Advanced Threat Defense only when all of the following hold:

  • The Threat Intelligence Exchange server has no Advanced Threat Defense information about the file.
  • The file's reputation is at or below the level you specify.
  • The file size is at or below the limit you specify.
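The interplay between Operation Mode, Clean at, Block at, Prompt at and the ATD submission conditions is easier to reason about when the rules are written down and exercised against the three postures recommended earlier (block at Unknown for the POC, block at Might be Malicious for most endpoints, Observe to build a baseline). The following Python is an added example, not part of the guide or of the TIE product: it models the reputation scale, evaluates a file's reputation against a client policy, applies the Prompt at conflict rule, and checks the three ATD submission conditions. The reputation names are the guide's where it gives them (Known Safe, Unknown, Might be Malicious, Known Malicious); the three intermediate tiers, the ATD size limit, and the precedence order Clean at, then Block at, then Prompt at are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Reputation scale, most trusted first. "Known Safe", "Unknown",
# "Might be Malicious" and "Known Malicious" are the names used in the guide;
# the other three tiers are assumed and matter only for their ordering.
REPUTATIONS = [
    "Known Safe",
    "Most Likely Safe",       # assumed tier
    "Might be Safe",          # assumed tier
    "Unknown",
    "Might be Malicious",
    "Most Likely Malicious",  # assumed tier
    "Known Malicious",
]


def rank(level: str) -> int:
    """Index on the scale; a larger value is a worse (less trusted) reputation."""
    return REPUTATIONS.index(level)


def at_or_below(level: str, threshold: str) -> bool:
    """True when `level` is `threshold` or worse (the guide's "at or below")."""
    return rank(level) >= rank(threshold)


@dataclass
class ClientPolicy:
    """The subset of the TIE module for VSE policy that the guide configures."""
    operation_mode: str = "Enforce"             # Enforce | Observe | Disabled
    clean_at: str = "Known Malicious"
    block_at: str = "Unknown"                   # POC value; Might be Malicious is typical in production
    prompt_at: Optional[str] = None             # None = End User Prompting disabled
    submit_to_atd_at: Optional[str] = None      # None = ATD submission off
    atd_size_limit_bytes: int = 5 * 1024 * 1024  # assumed limit for the example


def validate(policy: ClientPolicy) -> List[str]:
    """Problems the guide warns about; an empty list means the policy is consistent."""
    problems = []
    if policy.operation_mode not in ("Enforce", "Observe", "Disabled"):
        problems.append(f"unknown operation mode {policy.operation_mode!r}")
    for level in (policy.clean_at, policy.block_at, policy.prompt_at, policy.submit_to_atd_at):
        if level is not None and level not in REPUTATIONS:
            problems.append(f"unknown reputation level {level!r}")
    if problems:
        return problems
    if policy.clean_at != "Known Malicious":
        problems.append("Clean at should stay at Known Malicious: cleaning may delete the file")
    if policy.prompt_at is not None:
        # A prompt only makes sense for a reputation the policy would otherwise allow,
        # so Prompt at must be a more trusted level than both Block at and Clean at.
        for setting, level in (("Block at", policy.block_at), ("Clean at", policy.clean_at)):
            if at_or_below(policy.prompt_at, level):
                problems.append(f"Prompt at {policy.prompt_at!r} conflicts with {setting} {level!r}")
    return problems


def decide(policy: ClientPolicy, reputation: str) -> Tuple[str, str]:
    """Return (action taken on the endpoint, action the policy evaluated to).

    Enforce: both are the same. Observe: the evaluated action is only reported
    and the file is allowed to run. Disabled: nothing is evaluated.
    """
    if policy.operation_mode == "Disabled":
        return ("allow", "not evaluated")
    if at_or_below(reputation, policy.clean_at):
        evaluated = "clean"     # VSE cleans the file, then it is allowed to run
    elif at_or_below(reputation, policy.block_at):
        evaluated = "block"     # prevented from running, file left in place
    elif policy.prompt_at is not None and at_or_below(reputation, policy.prompt_at):
        evaluated = "prompt"    # user decides; Default action applies after Timeout
    else:
        evaluated = "allow"
    if policy.operation_mode == "Observe":
        return ("allow", evaluated)
    return (evaluated, evaluated)


def should_submit_to_atd(policy: ClientPolicy, reputation: str,
                         size_bytes: int, atd_has_verdict: bool) -> bool:
    """All three of the guide's ATD submission conditions must hold."""
    if policy.submit_to_atd_at is None:
        return False
    return (not atd_has_verdict
            and at_or_below(reputation, policy.submit_to_atd_at)
            and size_bytes <= policy.atd_size_limit_bytes)


# The three postures the guide recommends, side by side.
POSTURES: Dict[str, ClientPolicy] = {
    "poc": ClientPolicy(),                                       # block at Unknown
    "production": ClientPolicy(block_at="Might be Malicious"),   # typical endpoints
    "baseline": ClientPolicy(operation_mode="Observe"),          # build the baseline first
}


def compare(reputation: str) -> Dict[str, str]:
    """What each posture actually does when a file with this reputation tries to run."""
    return {name: decide(policy, reputation)[0] for name, policy in POSTURES.items()}
```

Running `compare("Unknown")` shows the practical difference between the postures: the POC policy blocks a never-seen file outright, the production policy lets it run, and the baseline policy lets it run while recording that it would have been blocked. `validate()` catches the conflict the guide describes (prompting at Might be Malicious while blocking at Unknown) before the policy is assigned.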

 

b8.png

Version history: revision 4 of 4, last updated 03-25-2019 08:07 PM