Troja (Reliable Contributor)

TIE / DXL / ATD Integration with Web Gateway - Example - Experience - Results


Web Gateway integration into Threat Intelligence Exchange and Advanced Threat Defense - some hints.

In an environment where thousands of requests/responses are present, there are some important things you should think about.

Just one question: if there are 4500 requests/second occurring at a company, what impact can this have when integrating TIE and ATD?

Requirements

  1. EPO and TIE environment
  2. MWG is connected to DXL
  3. ATD is functioning

Goal: Smooth integration into TIE and ATD

  • TIE is queried only for the right files.
  • Only specific files are uploaded to ATD.
  • No multiple uploads and queries to prevent overload on TIE/ATD.

At the moment, TIE only supports executables (default installation and no tweaks in config files). Therefore the rulesets are only active for executables. Feel free to modify the rules in the future when ATD/TIE are also supporting office documents and so on.

  • The debug Log Files can be used to extend the Ruleset as needed.

Integration into TIE

What should be avoided when using TIE.

  • Queries where no file name is available.
  • TIE queries only for executable code.
  • Wrong TIE queries are generating "empty" entries in the TIE database.
  • Overload in TIE

Also, when installing a POC, entries in the TIE database with no file info are useless and not really pretty. Also, if you click on "where has file run" under TIE Reputations, you just see a GUID and not a system name.

TIE Ruleset:

The TIE server is only queried if the downloaded file is not an archive, it is an executable and it is not a composite object.

  • No query to TIE if the Url.body file name is empty.
  • No query if the file is not an executable (duplicate rule, just for testing).
  • Debug LOG for TIE requests (a file is written for debugging the request; you can figure out how the properties are filled when querying the TIE server).
  • No query if the file is not supported in TIE.
  • Block on TIE reputation.

(Screenshot: TIE1.GIF)

Log file entry example

(Screenshot: TIE2.GIF)

Integration into ATD

What should be avoided when using ATD.

  • Files should not be uploaded several times to ATD to avoid system overload
  • Only supported files should be uploaded to ATD

ATD Ruleset:

Files are only sent to ATD if the file is a supported ATD file type, the file is smaller than 10 megabytes and the file is an executable (the other entries are just a test in my environment).

  • Writing a debug LOG for ATD uploads.
  • No upload to ATD if GAM finds no malware and URL reputation is okay (just a test).
  • No upload if GAM proactive probability is set to a given value.
  • No upload to ATD if the file has already been analyzed.
  • No upload to ATD if there is a report available on ATD.
  • Enable a progress page during ATD analysis.
  • Block if ATD detects malware.

(Screenshot: ATD1.GIF)

Log file entry example

(Screenshot: ATD2.GIF)
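The gating logic of the two rulesets above, written out as a small simulation so the decision order and the "no second upload" cache can be checked on sample traffic. This is an added illustration, not MWG rule syntax and not McAfee code; the MIME type sets, the field names on the Download record and the constructed sample downloads are assumptions, and the non-empty body check is the Body.Size > 0 condition mentioned later in this thread.

```python
"""Simulation of the TIE / ATD gating described in the post (added example,
not MWG rule syntax). Each download is checked against the TIE conditions
(file name present, executable, not archive, not composite) and the ATD
conditions (supported type, non-empty, below 10 MB, executable, not already
analyzed). A per-gateway cache records hashes already sent to ATD so the
same file is never uploaded twice."""
from dataclasses import dataclass, field

MAX_ATD_UPLOAD_BYTES = 10 * 1024 * 1024  # "smaller than 10 megabytes"

# Assumed type sets; in MWG these would come from MediaType/Antimalware properties.
EXECUTABLE_TYPES = {"application/x-dosexec", "application/x-msdownload"}
ARCHIVE_TYPES = {"application/zip", "application/x-rar-compressed"}
ATD_SUPPORTED_TYPES = EXECUTABLE_TYPES | {"application/pdf", "application/msword"}


@dataclass
class Download:
    url_filename: str   # file name taken from the URL body (assumed field)
    media_type: str     # detected media type (assumed field)
    body_size: int      # response body size in bytes
    sha256: str         # hash used for deduplication
    is_composite: bool = False


@dataclass
class GatewayState:
    tie_queries: list = field(default_factory=list)
    atd_uploads: list = field(default_factory=list)
    atd_known: set = field(default_factory=set)   # hashes already analyzed / reported


def should_query_tie(d: Download) -> bool:
    """TIE ruleset: no name -> no query; archives, composites and non-executables
    are never queried, so no empty entries land in the TIE database."""
    if not d.url_filename:
        return False
    if d.media_type in ARCHIVE_TYPES or d.is_composite:
        return False
    return d.media_type in EXECUTABLE_TYPES


def should_upload_to_atd(d: Download, state: GatewayState) -> bool:
    """ATD ruleset: supported type, non-empty, below the size limit, executable,
    and not already analyzed (covers both 'already analyzed' and 'report available')."""
    if d.body_size <= 0:                      # Body.Size > 0 guard
        return False
    if d.media_type not in ATD_SUPPORTED_TYPES:
        return False
    if d.body_size >= MAX_ATD_UPLOAD_BYTES:
        return False
    if d.media_type not in EXECUTABLE_TYPES:
        return False
    if d.sha256 in state.atd_known:
        return False
    return True


def process(d: Download, state: GatewayState):
    """Apply both rulesets to one download; returns (queried_tie, uploaded_to_atd)."""
    query = should_query_tie(d)
    if query:
        state.tie_queries.append((d.url_filename, d.sha256))
    upload = should_upload_to_atd(d, state)
    if upload:
        state.atd_uploads.append(d.sha256)
        state.atd_known.add(d.sha256)          # remember it: never upload twice
    return query, upload


# Constructed sample traffic (hashes are placeholders, not real file hashes).
SAMPLE_DOWNLOADS = [
    Download("setup.exe", "application/x-dosexec", 2_000_000, "aa" * 32),
    Download("", "application/x-dosexec", 2_000_000, "bb" * 32),           # no file name
    Download("tools.zip", "application/zip", 2_000_000, "cc" * 32),         # archive
    Download("setup.exe", "application/x-dosexec", 2_000_000, "aa" * 32),  # repeat download
    Download("big.exe", "application/x-dosexec", 50_000_000, "dd" * 32),   # over 10 MB
    Download("report.pdf", "application/pdf", 100_000, "ee" * 32),         # not executable
    Download("empty.exe", "application/x-dosexec", 0, "ff" * 32),          # empty body
]


def run_simulation(downloads=SAMPLE_DOWNLOADS):
    state = GatewayState()
    decisions = [process(d, state) for d in downloads]
    return decisions, state


if __name__ == "__main__":
    decisions, state = run_simulation()
    for d, (tie, atd) in zip(SAMPLE_DOWNLOADS, decisions):
        print(f"{d.url_filename or '<no name>':12} tie={tie!s:5} atd={atd}")
    print("TIE queries:", len(state.tie_queries), "ATD uploads:", len(state.atd_uploads))
```

Running it shows the repeat download of setup.exe is still allowed to query TIE but is not uploaded a second time, and neither the nameless executable nor the archive produces a TIE query, which is the behaviour the two rulesets are meant to enforce.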

Summary

  • Take care when integrating ATD and TIE.
  • Take a look what is going on.
  • If everything is okay, there should not be entries in the TIE database without any file details.

Attached are the ruleset examples.

4 Replies
Troja (Reliable Contributor)

Re: TIE / DXL / ATD Integration with Web Gateway - Example - Experience - Results


Hi everyone,

Has anyone tested the offline scanning option in a "not default MWG ruleset" where, e.g., several rulesets are available separating the requests by proxy IP and much more?

I spent much time but I was not able to get it up and running. The goal should be:

  • User/Group from company A uses ATD and data trickling/progress page.
  • User/Group from company B uses ATD offline scanning option
  • User/Group from company C uses e.g. normal ATD scanning and progress page for department A and the offline scanning option for department B.

All of this is included in one MWG ruleset.

Does anyone have this up and running?

Cheers

Re: TIE / DXL / ATD Integration with Web Gateway - Example - Experience - Results


Hi Thorsten,

How do you solve the problem if GAM says that the file is 0 and the Web GW doesn't send the file to ATD?

0-days will always have 0 value.

Troja (Reliable Contributor)

Re: TIE / DXL / ATD Integration with Web Gateway - Example - Experience - Results


Hello,

​ posted a very good example with this thread:

There are also sample rules available for download.

Files with Antimalware.Proactive.Probability=0 are sent to ATD in my environment. I also combined this with my TIE server. This means if a file is known trusted in TIE, I do not scan the file, nor do I send it to ATD.

Additionally, this is our internal development. We implemented a service called "SPP FiresS". This is a client which is directly connected to the DXL fabric, so we can see any DXL request from any DXL-enabled device. This means, regardless of whether a McAfee Endpoint, ATD, MWG, SIEM or any other DXL-enabled McAfee or 3rd-party device asks for a file reputation, we see this.

With this information we are querying several information repositories and we do a reputation change in TIE based on the result. This is a really "smooth" integration with OpenDXL 🙂

Cheers

Re: TIE / DXL / ATD Integration with Web Gateway - Example - Experience - Results


To share information with the community:

Following issues that were happening sometimes with our ATD integration, support found that we had to add the condition "Body.Size > 0" to all other rules for entering the ruleset, in order to avoid errors like this:
