
Web Gateway: Integrating with Cloud Threat Detection (CTD)

Introduction

In December, Cloud Threat Detection (CTD) was announced; this is Intel Security's cloud sandboxing technology. It allows organizations to be more nimble in analyzing advanced threats by leveraging McAfee's Cloud rather than relying on an on-premise Advanced Threat Defense (ATD). CTD is ideal for situations where having an on-premise appliance isn't feasible, or for customers looking for a hybrid sandbox solution consisting of on-premise and off-premise threat detection.

Video Walkthrough

This video will walk you through provisioning Web Gateway with Cloud Threat Detection, configuring the rules needed for your on-premise Web Gateway, and a quick look at the Cloud Threat Detection Workspace.


Provisioning Web Gateway for Cloud Threat Detection

To integrate Web Gateway (MWG) with Cloud Threat Detection (CTD), we need to fill out a challenge/response form in each UI. For MWG use the MWG UI, for CTD use ePO Cloud. We obtain a provisioning key from MWG, which is used to generate an activation key from CTD. The resulting activation key will be used in the MWG UI to set the tenant ID.

  • In Web Gateway, go to Configuration > Cluster > Tenant Info
  • In ePO Cloud, go to Menu > Server Settings > Cloud Threat Detection Setup

The .gif below shows the order of operations.

CTDUI4.gif

Configuring Web Gateway Rules

In order for Web Gateway to send files to CTD, we must configure rules which dictate which files are sent to the cloud for analysis. There are two rulesets to choose from (Offline scanning or Inline scanning); each has its own user experience (similar to ATD).

Offline scanning

The preferred method is "Offline scanning" mode. Offline scanning means that if a user is downloading a suspicious file, the file is made available to the user immediately (assuming it wasn't blocked by other rules). If that suspicious file is later found to be malicious, you can configure the Web Gateway to alert you for remediation. Additionally, if another user downloads the same file, they should be blocked.

Rules3.gif

Inline Scanning

Inline scanning is less preferred because the user must wait for the file to finish being analyzed by CTD. If you prefer inline scanning, import the "Cloud Threat Detection" ruleset from the Ruleset Library and move it just below Gateway Anti-Malware.
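To make the difference between the two rulesets concrete, here is an added toy model of the gateway decision logic (example code, not McAfee's or Web Gateway's own). CTD verdicts, file contents and user names are constructed; the cluster-wide verdict cache, the "deliver now, alert later" offline path and the "wait for the verdict" inline path follow the behaviour described above.

```python
# Added example: simulates Offline vs Inline CTD scanning as described above.
# CtdModel is a stand-in for the cloud sandbox; nothing here is the real CTD API.
import hashlib

MALICIOUS, CLEAN = "malicious", "clean"


class CtdModel:
    """Returns a verdict for a submitted hash only after `delay` polls."""

    def __init__(self, verdicts, delay=2):
        self.verdicts = verdicts   # sha256 -> verdict (constructed ground truth)
        self.delay = delay
        self.pending = {}          # sha256 -> polls remaining

    def submit(self, digest):
        self.pending.setdefault(digest, self.delay)   # resubmission does not restart

    def poll(self):
        ready = {}
        for digest in list(self.pending):
            self.pending[digest] -= 1
            if self.pending[digest] <= 0:
                ready[digest] = self.verdicts.get(digest, CLEAN)
                del self.pending[digest]
        return ready


class Gateway:
    def __init__(self, ctd):
        self.ctd = ctd
        self.cache = {}        # sha256 -> verdict, shared by every user of the cluster
        self.delivered = {}    # sha256 -> users who already received the file (offline)
        self.alerts = []       # (user, sha256) pairs needing remediation

    def _record(self, verdicts):
        for digest, verdict in verdicts.items():
            self.cache[digest] = verdict
            if verdict == MALICIOUS:               # late conviction: alert per recipient
                for user in self.delivered.pop(digest, []):
                    self.alerts.append((user, digest))

    def download(self, user, data, mode):
        digest = hashlib.sha256(data).hexdigest()
        if digest not in self.cache:
            self.ctd.submit(digest)
            if mode == "inline":                   # user waits for CTD to finish
                for _ in range(self.ctd.delay + 1):
                    if digest in self.cache:
                        break
                    self._record(self.ctd.poll())
            else:                                  # offline: deliver now, remember recipient
                self.delivered.setdefault(digest, []).append(user)
                return "allow"
        return "block" if self.cache.get(digest) == MALICIOUS else "allow"

    def process_verdicts(self):
        """Background step: pick up verdicts for files already delivered."""
        self._record(self.ctd.poll())
```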

Cloud Threat Detection UI and Analysis Report

Within your ePO Cloud account, navigate to the Cloud Threat Detection Workspace to see files which were submitted by MWG for analysis. Here you will see files which have been convicted based on severity level, time submitted, and the processing time for a reputation verdict.

Below, a visualization is provided on how to navigate to "High Risk" objects and how to extract threat details, reputation information, and the ability to extract IOCs through STIX.

Comments
Troja

Hello,

just a question :-)

How can this be handled if we have a complex Ruleset for Customers, e.g. MWG is used by a service provider?

Customer A: Cloud Threat Detection (waiting for result)

Customer B: Uses Cloud Threat Detection with immediate File availability

Customer C: Uses the ATD Appliance with Data Trickling

Customer D: Some users/groups using ATD Appliance with Data Trickling, some users/groups are using ATD with immediate file availability.

Customer E: Uses ATD Appliance with Data Trickling.

Is this possible??

Cheers

Hi Thorsten,

What you're asking for is possible. You'd need to flag the transaction accordingly to set the proper rules.

At the moment though, the Web Gateway Cluster can only talk to one CTD account in ePO Cloud (not sure if that's required for your setup).

Best Regards,

Jon

Version history
Revision #: 1 of 1
Last update: 01-25-2017 09:51 PM