5 Replies Latest reply on Feb 3, 2017 9:09 AM by Daveb3d

    Trying to understand TIE 2.0 reputation

    zahni

      Hi,

       

      we are currently evaluating TIE and I'm not sure about the benefits.

What is the benefit beyond the normal virus scan? Is GTI faster than the daily signatures? Does it speed up the virus scan operation (only checking hashes against TIE)?

Can I use TIE to replace Microsoft's "Software Restriction Policy"?

TIE reports many files as "not available". What is the difference from "unknown"? I can't build a filter for "not available".

       

      Regards,

       

      Zahni.

        • 1. Re: Trying to understand TIE 2.0 reputation
          maxime.l

          Hello,

           

TIE is a complementary product to VSE or ENS. Where VSE/ENS are based on signatures, TIE is based on file reputations and behavioral rules.

TIE is really efficient in several scenarios. You can kill a process based on its hash within a couple of seconds on all your machines. You can do prevention by adding malicious hashes to your reputation database. All actions taken are in real time over the DXL protocol.

It is not a perfect product but it brings real added value. VSE/ENS signatures are released daily at 7:00 PM. It is not a question of performance but of permanent connectivity to GTI, so you always have the latest reputations available.

TIE does not speed up the VSE/ENS operations as far as I know. It has a layered approach: it first checks your white/black files or certificates, then GTI black/white files, ATD reputation (if you have the sandboxing) and TIE module rules listed in Server Settings.

I do not know Microsoft's "Software Restriction Policy", but yes, you can block a specific application with TIE (always based on the hash). It depends on your needs, the features available, the ergonomics and what you pay for. You can block applications with other products like HIPS or McAfee Application Control as well.

Where do you see the reputation "Not Available"? If it is GTI you can try a manual refresh. In all cases an incident should be opened because it is not expected behavior. You can build a filter for "Not Available" by selecting "Value is blank".

           

          Best regards,

           

          M@xime

          • 2. Re: Trying to understand TIE 2.0 reputation
            andres.more

            A file might have Not Available reputation if it is signed and its signing certificate reputation is used instead by content rules.

            Not Available reputation can be searched using 'Value Is Blank' against GTI Reputation.

            • 3. Re: Trying to understand TIE 2.0 reputation
              Troja

              Hello,

we have already implemented several TIE systems at different customers. There are many points which can be discussed.

First of all: TIE does NOT "detect" anything. TIE acts as your internal Threat Intelligence (LTI). This means TIE stores the threat information, which can be used by any DXL-enabled device. This could be VSE, ENS, MAC, MWG, ATD, MOVE and other non-McAfee products.

What we see at customers: when we take a look at how many PEs are completely unknown, we mostly reach a level of 80% unknown files. This means, if you take a normal Windows system, calculate a hash value for every file and compare it with virustotal.com, you will see how much you do not know about what happens on the endpoint.

TIE and endpoint: if an endpoint executes a file which is completely unknown, the endpoint queries the TIE server. If the file is not known in the TIE database, TIE queries GTI for more information. If there is no information available in any way, the file has a reputation value of "unknown".

Important: the final reputation value is always calculated on the endpoint. As you can see, TIE shows more than 60 data fields for a file. Also on how many systems the file is located. This value is also available to the endpoint and is used to calculate the final reputation score.
There is more information stored in the TIE database than is viewable in ePO under TIE Reputations. The endpoint collects meta information about files and sends it back to the TIE server.

TIE and composite reputations: based on all information available from local endpoints, other devices and GTI, the composite reputation is calculated. This value is used by the endpoints. Finally, the most weight is on "Enterprise Reputation". If Enterprise Reputation is set to known trusted, a file is always allowed, even if GTI or any other source shows another reputation.

TIE usage: some use cases from customers. If something is wrong in your environment, you can take a look at which files have been executed in e.g. the last hour and are completely unknown. In some cases you can figure out a malicious file within a minute. AND you are also able to block it within one second. This gives you time to analyze the file. Based on the data fields for one file, it becomes easier to rate the file. You can also do a manual query directly to VirusTotal to see the detection information from any vendor listed at virustotal.com.

Data Exchange Layer: DXL enables you to send a reputation update to hundreds of thousands of endpoints within one second. So, in a worst case, you can block a file within your company within one second.

TIE and integration: with OpenDXL the possible options have grown. Threat information can be imported into TIE and afterwards blocked by the endpoint.

• Structured Threat Information eXpression (STIX™) can be used to import threat information. This can also be fully automated. At the moment we are working on use cases for that.
• Threat information from other sources, e.g. Check Point, can be imported into TIE.
• ePO/TIE can be used to query virustotal.com automatically if there is a suspect file. Based on VirusTotal information, files can be blocked fully automatically.
• OpenDXL opens up many more integrations and uses.

Conclusion: TIE and DXL give you the ability to raise your internal security structure to a new level, because they can be combined with existing security products.

zahni, I think this will cover your questions. Please note, this is just a small overview of what is possible. :-)

               

              Hope this helps,

              Cheers
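The lookup flow described in the post above (endpoint hashes the file, local reputation store consulted, enterprise override outweighing GTI, anything never seen anywhere resolving to "unknown") as a small runnable model. This is an added example, not McAfee or OpenDXL code and not the real TIE scoring algorithm: the provider names `enterprise`/`gti`/`atd` are hypothetical, the precedence is a simplification of what the thread describes, the trust-level numbers are taken from the OpenDXL TIE client's documented `TrustLevel` constants (treat that as an assumption), and the files and reputation database are constructed inline so it runs offline. Certificate-based rules (the "Not Available" case mentioned earlier in the thread) are not modeled.

```python
"""Toy model of a TIE-style reputation lookup: hash PEs, resolve a composite verdict.

Added example, not McAfee/OpenDXL code. Trust-level values follow the OpenDXL
TIE client's documented TrustLevel constants (assumption). Provider names and
the precedence rule are simplifications of the flow the forum post describes.
"""
import hashlib
import os
import tempfile
from enum import IntEnum
from typing import Dict, List, Optional


class TrustLevel(IntEnum):
    NOT_SET = 0                 # no verdict recorded by this provider ("Not Available")
    KNOWN_MALICIOUS = 1
    MOST_LIKELY_MALICIOUS = 15
    MIGHT_BE_MALICIOUS = 30
    UNKNOWN = 50
    MIGHT_BE_TRUSTED = 70
    MOST_LIKELY_TRUSTED = 85
    KNOWN_TRUSTED = 99
    KNOWN_TRUSTED_INSTALLER = 100


# Hypothetical provider keys for this toy, not TIE's real provider identifiers.
ENTERPRISE, GTI, ATD = "enterprise", "gti", "atd"
ProviderReps = Dict[str, TrustLevel]        # provider -> level
ReputationDB = Dict[str, ProviderReps]      # sha256 hex -> provider reps


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_pe(path: str) -> bool:
    """Cheap PE test: a DOS 'MZ' header is enough for an inventory pass."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def composite_reputation(reps: Optional[ProviderReps]) -> TrustLevel:
    """Collapse per-provider levels into one verdict, in the order the post describes.

    1. An enterprise override, when set, wins outright (a "known trusted"
       override allows the file even if GTI says malicious).
    2. Otherwise the first set value from GTI, then ATD.
    3. Nothing set anywhere -> UNKNOWN (never seen by any source).
    """
    if not reps:
        return TrustLevel.UNKNOWN
    for provider in (ENTERPRISE, GTI, ATD):
        level = reps.get(provider, TrustLevel.NOT_SET)
        if level != TrustLevel.NOT_SET:
            return level
    return TrustLevel.UNKNOWN


def inventory(root: str, db: ReputationDB) -> Dict[str, TrustLevel]:
    """Hash every PE under root and resolve its verdict against the local DB.

    Returns file name -> composite level. Files resolving to UNKNOWN are the
    "completely unknown" set the post suggests reviewing first.
    """
    verdicts: Dict[str, TrustLevel] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if is_pe(path):
                verdicts[name] = composite_reputation(db.get(sha256_file(path)))
    return verdicts


def unknown_files(verdicts: Dict[str, TrustLevel]) -> List[str]:
    return sorted(n for n, lvl in verdicts.items() if lvl == TrustLevel.UNKNOWN)


def demo() -> Dict[str, TrustLevel]:
    """Constructed sample: four fake 'PEs', one text file, and a toy reputation DB."""
    files = {
        "trusted.exe": b"MZ trusted-sample",
        "gti_bad.exe": b"MZ gti-malicious-sample",
        "override.exe": b"MZ gti-bad-but-enterprise-trusted",
        "nobody.exe": b"MZ never-seen-anywhere",
        "readme.txt": b"not a PE at all",
    }

    def digest(body: bytes) -> str:
        return hashlib.sha256(body).hexdigest()

    db: ReputationDB = {
        digest(files["trusted.exe"]): {GTI: TrustLevel.KNOWN_TRUSTED},
        digest(files["gti_bad.exe"]): {GTI: TrustLevel.KNOWN_MALICIOUS},
        digest(files["override.exe"]): {GTI: TrustLevel.KNOWN_MALICIOUS,
                                        ENTERPRISE: TrustLevel.KNOWN_TRUSTED},
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        return inventory(root, db)


if __name__ == "__main__":
    results = demo()
    for name, level in sorted(results.items()):
        print(f"{name:14s} {level.name}")
    print("review first:", unknown_files(results))
```

`override.exe` is the case the post singles out: GTI calls it malicious, but the enterprise override is "known trusted" and wins. `nobody.exe` is the interesting output for an analyst, the file no source has a verdict for.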

              • 4. Re: Trying to understand TIE 2.0 reputation
                zahni

                Hi Thorsten,

                 

                thank you. This helps me a lot...

                • 5. Re: Trying to understand TIE 2.0 reputation
                  Daveb3d

                  Thorsten,

                   

I don't think it is accurate to say that TIE doesn't detect anything, because it does. For example, if a file runs from a suspect location, TIE can and will outright block it, because it knows that no legitimate files run from that location. TIE does additional heuristics that also point to suspicious characteristics, such as packed files, rare files, etc. I'd recommend building a dashboard based upon "Adaptive Threat Protection Events" and then filtering out the noise based upon IDs so you can see the interesting stuff.

                   

                  Dave