Dynamic Endpoint Security 3 - Data Exchange Layer and Threat Intelligence Exchange

1 Kudo

Prerequisites
Setting Up DxL & TIE
VirusScan Enterprise 8.8
Endpoint Security 10.1
Installing the DxL & TIE ePO Extensions
Checking in the DxL & TIE Client Packages
Installing the TIE/DxL Combo Box
Registering the TIE server in ePO
Configuring the Client Policies
Validation

Prerequisites

Before continuing with this section, please ensure you have met the following prerequisites:

ePO installed and configured in accordance with Dynamic Endpoint Security 1 - Getting Started
Endpoint security extensions, etc. installed and configured in accordance with

Setting Up DxL & TIE

Download the following packages with your grant number from the McAfee Downloads Site: McAfee Downloads

VirusScan Enterprise 8.8

You will need the following:

Extensions
- McAfee DXL Broker Management (DXLBrokerMgmt_2.0.1_Build_162_Package_1_(ENU-LICENSED-RELEASE-MAIN).zip)
- McAfee DXL Client for ePO (DXLClient_2.0.1_Build_140_Package_1_(ENU-LICENSED-RELEASE-MAIN).zip)
- McAfee DXL Client Management (DXLClientMgmt_2.0.1_Build_140_Package_1_(ENU-LICENSED-RELEASE-MAIN).zip)
- McAfee TIE Server Extension (TIEServerMgmt_1.2.1_Build_236_Package_1_(ENU-LICENSED-RELEASE-Main).zip)
- Threat Intelligence Exchange module for VSE (TIEm_1.0.1_Build_140_Package_1_ENU_LICENSED_RELEASE_MAIN.zip)
Packages
- Data Exchange Layer Client (DXL_2.0.1_Build_162_Package_1_(ENU-LICENSED-RELEASE-MAIN).zip)
- Threat Intelligence Exchange module for VirusScan Enterprise (JTICAgent.zip)
Other
- Threat Intelligence Exchange Server (TIEServer_1.2.1.236.x86_64-MAIN.ova.zip)

Endpoint Security 10.1

You will need the following:

Extensions
- McAfee DXL Broker Management (DXLBrokerMgmt_2.0.1_Build_162_Package_1_(ENU-LICENSED-RELEASE-MAIN).zip)
- McAfee DXL Client for ePO (DXLClient_2.0.1_Build_140_Package_1_(ENU-LICENSED-RELEASE-MAIN).zip)
- McAfee DXL Client Management (DXLClientMgmt_2.0.1_Build_140_Package_1_(ENU-LICENSED-RELEASE-MAIN).zip)
- McAfee TIE Server Extension (TIEServerMgmt_1.2.1_Build_236_Package_1_(ENU-LICENSED-RELEASE-Main).zip)
- Threat Intelligence Exchange module for ENS (Threat_Intelligence_module_10_1_0_129_extension.zip)
Packages
- Data Exchange Layer Client (DXL_2.0.1_Build_162_Package_1_(ENU-LICENSED-RELEASE-MAIN).zip)
- Threat Intelligence Exchange module for ENS (Threat_Intelligence_10_1_1_101_1_module.zip)
Other
- Threat Intelligence Exchange Server (TIEServer_1.2.1.236.x86_64-MAIN.ova.zip)

*Note: If you are using a mixed environment, with both ENS & VSE, use the extension for ENS.

Installing the DxL & TIE ePO Extensions

In your ePO Console, go to Menu | Software | Extensions

Click on Install Extension at the top and install the extensions in the following order:

DXLBrokerMgmt_2.0.1_Build_162_Package_1_(ENU-LICENSED-RELEASE-MAIN).zip
DXLClient_2.0.1_Build_140_Package_1_(ENU-LICENSED-RELEASE-MAIN).zip
DXLClientMgmt_2.0.1_Build_140_Package_1_(ENU-LICENSED-RELEASE-MAIN).zip
Endpoint Module Extension:
1. For VSE: TIEm_1.0.1_Build_140_Package_1_ENU_LICENSED_RELEASE_MAIN.zip
2. For ENS: Threat_Intelligence_module_10_1_0_129_extension.zip
TIEServerMgmt_1.2.1_Build_236_Package_1_(ENU-LICENSED-RELEASE-Main).zip

Checking in the DxL & TIE Client Packages

In the ePO Console, go to Menu | Master Repository and click on Check In Package

Select Product or Update (.ZIP) as the package type, select the package and click Next.

Installing the TIE/DxL Combo Box

After the extensions and packages are installed in ePO, it's time to install the TIE/DxL combo box for the PoC. Here are the production requirements for the server:

8 vCPU
16 GB RAM
116 GB HDD

If using the VMware vSphere Client. Select File | Deploy OVF Template

If using the vSphere Web Client, Click Actions | Deploy OVF Template

Browse to the location of the TIEServer_1.2.1.236.x86_64‑MAIN.ova file on your computer, and then click Next. Complete the steps in the wizard, accepting the default values. As noted above the OVA (VMWare image) is pre-configured with 16GB of RAM and 8 CPU’s. The ESXi server must be able to handle this configuration.

The first time you power on the virtual machine and open the console you will see the following End User Agreement License. Click enter several times and Y to accept and begin the installation.

Create a root password for the Threat Intelligence Exchange virtual server. The password must be at least nine characters. Press Y to create.

The operational account will have limited permissions. Enter an Account Name, Real Name, and Password. Use the Tab key to move to the next field. When finished, press Y to continue.

Only one option appears on this page, enter N to continue. *Note: N is the only option to move forward. When only 1 option is present tab or enter will not work.

Select DHCP or Manual IP address configuration. Enter D for DHCP or M for Manual. If you select Manual, enter the remaining information.

When finished, enter Y to continue.

Enter the Hostname and Domain Name (if appropriate) of the computer where you are installing the Threat Intelligence Exchange server appliance.

Enter Y to continue.

Enter up to three Time Servers to synchronize the time of the Threat Intelligence Exchange server. Use the default servers listed, or enter the address for up to three servers.

Enter Y to continue.

Enter the IP Address or fully qualified domain name, port, and account information for your McAfee ePO server.

Enter Y to continue.

Note: The ePO server must be available. At this point the installation will begin to configure the McAfee Agent.

Enter the ePO Agent Wake-up Port. The default is 8081.

Enter Y to continue

Select the services to run on the Threat Intelligence Exchange server. Enter Y for both DXL Broker, and TIE Server.

Enter Y to continue.

Enter M for configuration. Enter Y to continue.

The Read-Only Account enables McAfee ePO to communicate with the Threat Intelligence Exchange server postgres database. You will enter this information in the ePO Registered Servers in a later step to allow ePO to connect to and receive data from the TIE server database.

Enter the Read-Only Account Name and the Password. Enter Y to continue.

Note: the password may only use the following characters: a-z A-Z 0-9 ~@#$%^_+=-

Specify the DXL Broker Port that the Data Exchange Layer uses. Use the default port 8883, or enter a port number within the range shown.

Enter Y to continue.

Do nothing on this page. TIE Server setup is complete.

Registering the TIE server in ePO

To view TIE database information in McAfee ePO reports and dashboards, create a new registered server.

In McAfee ePO, click Menu | Configuration | Registered Servers, then click New Server.

In the Server type drop-down list, click Database Server. Enter a Name, for example, "TIE Server", and then click Next.

Database Vendor: select TieServerPostgres.
Host name or IP address: enter the host name of the system where you installed the TIE server.
- Note: If you use the host name, make sure it’s registered in DNS. Since the TIE Server is Linux, it doesn’t automatically get registered into DNS upon creation
Database name: enter "tie". Note: This is case sensitive
User name and password: enter the read-only postgres user name and password you specified on the PosgreSQL Read-Only Account Setup page during the TIE server installation.
Click Test Connection to verify the connection information and user credentials. If the test fails, validate the credentials and make sure that there are no firewall rules impacting the ability for the TIE server and the ePO server from communicating with each other. While the agent on the TIE server may have been able to register with ePO on port 443, the ePO server may not have rights to communicate with the TIE server's DB on 5432 (or other if customized).

If you still cannot connect, ssh into the TIE server and run the following command to see if your ePO server's IP address appears in the allowed list for remote PostgreSQL connections:

tail /data/tieserver_pg/pg_hba.conf

You should see something like the following:

Configuring the Client Policies

By default, the client policies are deployed in Observe Mode. The TIE module will not enforce reputation events, but alert back to ePO only. For production deployments, it may make sense to roll out pilot groups in observe mode, but for POCs, it usually makes sense to deploy in enforce mode.

VirusScan Enterprise 8.8

At this point in time, modify the "Threat Intelligence Exchange module for VSE 1.0.1" policy, and change the operation mode to Enforce as seen below. All other modifications will occur at a later stage in the setup:

Endpoint Security 10.1

At this point in time, modify the "Endpoint Security Threat Intelligence" policy, and uncheck Enable Observation Mode as seen below. All other modifications will occur at a later stage in the setup:

Validation

To verify that the TIE/DXL server is installed and communicating properly, open the System Tree in ePO. The TIE Server is listed as a managed system.

Note: You may have to change the Preset field to This Group and All Subgroups to see the TIE Server entry.

Click the TIE server name, then click the Products tab. Verify that the following products are listed:

Agent
McAfee DXL Broker
McAfee DXL Client
McAfee Threat Intelligence Exchange Server

You may have to wait for 2 ASCIs for all components to install and check in properly. Doing an Agent Wake-Up Call with Force complete policy and task update’ checked can speed up this process.

Note: It is important you do not push the McAfee Agent, DXL Client or TIE module to the TIE server. The products listed above will be installed as part of the install process.