Step

Instructions

Image or amplifying instructions.

1.

Upon receiving your grant number access the software download portal from the following link

URL: http://www.mcafee.com/us/downloads/downloads.aspx

2.

Enter your grant number under Download My Products and Click Go 

3.

Under Software downloads click on “McAfee Threat Intelligence Exchange”

Note:  These extensions and packages are also available in the ePO Software Manager

Download TIE_Server_1.0.0.xxx.x86_64-MAIN.ova 

Note: The VMWare vSphere client will need access to this file

Download the following extensions and packages from the McAfee download site or check in from the Software Manager in ePO:

• DXLBrokerMgmt_1.0.0_Build_xxxx Package #x.zip 
  
• DXLClient_1.0.0_Build_xxxx Package #x.zip 
  
• DXLClientMgmt_1.0.0_Build_xxx Package #x.zip
  
• help_dxl_100.zip
  
• DXL 1.0.0 Build xxxx Package #x.zip 
  
• TIEServerMgmt_1.0.0_Build_xxx Package #x.zip
  
• help_tie_100.zip 
  
• TIEmMeta.zip
  
• Help_jtic_100.zip
  
• JTICAgent.zip
  

4. 

In ePO, install the following extensions:

DXLBrokerMgmt_1.0.0_Build_xxxx Package #x.zip

DXLClient_1.0.0_Build_xxxx Package #x.zip 

DXLClientMgmt_1.0.0_Build_xxxx Package #x.zip 

help_dxl_100.zip

TIEServerMgmt_1.0.0_Build_xxx Package #x.zip

help_tie_100.zip 

TIEmMeta.zip

help_jtic_100.zip  

Select Menu | Software | Extensions and then click Install Extension

Repeat this process until all 5 extensions and 3 help files are checked in.

When all extensions are properly installed you should see:

McAfee DXL

McAfee TIE Server

Threat Intelligence Exchange module for VSE

5. 

Check the DXL and TIE package into the Master Repository

Select Menu| Software | Master Repository and then click Check In Package

Browse to DXL 1.0.0 Build xxx Package #x.zip 

Click Next and Save

Repeat these steps for the

JTICAgent.zip

The Master Repository should appear as follows  

6.

Once the product extension and packages are properly checked in to ePO, you are ready to install the TIE/DXL Server.    

Open the VMware vSphere Client.

Select File | Deploy OVF Template

7.

Browse to the location of the TIEServer_1.0.0.xxx.x86_64‑MAIN.ova file on your computer, and then click Next.

Complete the steps in the wizard, accepting the default values. 

8.

The first time you power on the virtual machine and open the console you will see the following End User Agreement License.

Click enter several times and Y to accept and begin the installation. 

9. 

Create a root password for the Threat Intelligence Exchange virtual server. The password must be at least nine characters.

Press Y to create.

9.

The operational account will have limited permissions.

Enter an Account Name, Real Name, and Password. 

Use the Tab key to move to the next field. When finished, press Y to continue.

10.

Only one option appears on this page, enter N to continue.

*Note: N is the only option to move forward.  When only 1 option is present tab or enter will not work. 

11.

Select DHCP or Manual IP address configuration. Enter D for DHCP or M for Manual.  If you select Manual, enter the remaining information. 

When finished, enter Y to continue.

12.

Enter the Hostname and  Domain Name (if appropriate) of the computer where you are installing the Threat

Intelligence Exchange server appliance.

Enter Y to continue.

13. 

Enter up to three Time Servers to synchronize the time of the Threat Intelligence

Exchange server. Use the default servers listed, or enter the address for up to three servers. 

Enter Y to continue.

14.

Enter the IP Address or fully qualified domain name, port, and account information for your McAfee ePO server.

Enter Y to continue.

Note:  The ePO server must be available.  At this point the installation will begin to configure the McAfee Agent.

15.

Enter the ePO Agent Wake-up Port.  The default is 8081.

Enter Y to continue.

16.

Select the services to run on the Threat Intelligence Exchange server. 

Enter Y for both DXL Broker, and TIE Server.

Enter Y to continue.

17. 

A Master server replicates the Threat Intelligence Exchange database to all Slave servers, if you have them.

Enter M for configuration.

Enter Y to continue. 

Note: For the POC only install a Master  

Master server replicates the TIE database to all Slave servers, if you have them.

Write-only Master server does not process reputation requests or any non-essential functionality beyond writing and maintaining the database. Because a write-only Master server does not process requests over the Data Exchange Layer, it increases system performance by replicating the database, leaving the Data Exchange Layer requests to the Slave servers.

Slave server processes Data Exchange Layer requests exactly like a Master server using a database that's replicated from the Master database. The Slave server must have access to the Master server.

Reporter is a Slave server that does not process reputation requests. It improves McAfee ePO reporting by replicating the database information without processing Data Exchange Layer requests.

18. 

The Read-Only Account enables McAfee ePO to communicate with the Threat Intelligence Exchange server postgres database.  You will enter this information in the ePO Registered Servers in a later step to allow ePO to connect to and receive data from the TIE server database.

Enter the Read-Only Account Name and the Password. 

Enter Y to continue.

Note: the password may only use the following characters: a-z A-Z 0-9 ~@#$%^_+=-

19.

Specify the DXL Broker Port that the Data Exchange Layer uses. Use the default port 8883, or enter a port number within the range shown.

Enter Y to continue.

20.

Do nothing on this page.  TIE Server setup is complete. 

21. 

To view TIE database information in McAfee ePO reports and dashboards, create a new registered server.

In McAfee ePO, click Menu | Configuration | Registered Servers, then click New Server.

In the Server type drop-down list, click Database Server.  Enter a Name, for example, TIE Database, and then click Next.

22.

Select the checkbox for Make this the default database for the selected database type. 

Database Vendor: select TieServerPostgres.

Host name or IP address: enter the host name of the system where you installed the TIE server.

**If you use the host name, make sure it’s registered in DNS.  Since the TIE Server is Linux, it doesn’t automatically get registered into DNS upon creation

Database name: enter tie.  **This is case sensitive

User name and password: enter the read-only postgres user name and password you specified on the PosgreSQL Read-Only Account Setup page during the TIE server installation.

Click Test Connection to verify the connection information and user credentials.

23.

To verify that the TIE/DXL server is installed and communicating properly, open the System Tree in ePO. The TIE Server is listed as a managed system. 

Note: You may have to change the Preset field to This Group and All Subgroups to see the TIE Server entry.

24. 

Click the TIE server name, then click the Products tab. Verify that the following products are listed:

• Agent

• McAfee DXL Broker

• McAfee DXL Client

• McAfee Threat Intelligence Exchange Server

You may have to wait for 2 ASCIs for all components to install and check in properly.  Doing an Agent Wake-Up Call with Force complete policy and task update checked can speed up this process.

Note: It is important you do not push the McAfee Agent, DXL Cleint or TIE module to the TIE server.  The products listed above will be installed as part of the install process.   

25.

Click the DXL Status tab to verify the TIE Server is connected.

26. 

Click Actions | DXL | Lookup in DXL

You should see the TIE server is Connected 

Step

Instructions

Image or amplifying instructions.

1. 

Prior to deploying the DXL and TIE Client verify McAfee Agent 5.0 and VSE 8.8.0.1263 are installed on your endpoint.  

Click into the endpoint in the System Tree and click the Products tab.

Note: It is important that the VSE hotfix 929019 is installed.  The version 8.8.0.1263 indicates it is installed.  If it is not yet applied to the endpoint you will see version 8.8.0.1247

2.

In McAfee ePO, click Menu | Software | Product Deployment, then click New Deployment.

3.

Name the deployment DXL 

For Type select Fixed

Choose Data Exchange Layer Client 1.0.0 package.  

Note: This is the same package that was checked into the master repository in the beginning of the installation section. 

4. 

Click Select Systems

The System Selection screen will pop up.  Select only the endpoints you wish to deploy the DXL client to.  

Note: Do not deploy the DXL client to the TIE Sever. 

When the endpoints are selected Click OK

5.

To complete the Product Deployment form select Run Immediately

6. 

At the top of the Product Deployment page click Save to begin deployment 

7. 

Once the product deployment page shows successful completion of DXL on your endpoint, verify McAfee DXL Client appears in the Products tab of your system.

In McAfee ePO, click Menu | System Tree

Click the endpoint and click the Products tab

Note:  You may have to wait for 2 ASCIs for all components to install and check in properly.  Doing an Agent Wake-Up Call with Force complete policy and task update checked can speed up this process.

8.

Repeat the same Product Deployment process for the TIE Module for VSE.  

In McAfee ePO, click Menu | Software | Product Deployment, then click New Deployment.

9.

Name the deployment TIE 

For Type select Fixed

Choose the Threat Intelligence Exchange module for VirusScan Enterprise 1.0.0 package.  

Note: This is the same package that was checked into the master repository in the beginning of the installation section. 

10. 

Click Select Systems

The System Selection screen will pop up.  Select only the endpoints you wish to deploy the TIE module to.  

Note: Do not deploy the TIE Module to the TIE Sever. 

When the endpoints are selected Click OK

11.

To complete the Product Deployment form select Run Immediately

12. 

At the top of the Product Deployment page click Save to begin deployment 

13. 

Verify the Product deployment page shows successful completion of TIE on your endpoint. 

Note:  You may have to wait for 2 ASCIs for all components to install and check in properly.  Doing an Agent Wake-Up Call with ‘Force complete policy and task update’ checked can speed up this process.

14.  

Click into the endpoint in the System Tree and click the Products tab to verify the Threat Intelligence Exchange module for VSE installation was successful.

15.

Click the DXL Status tab to verify the client is Connected.

16. 

Click Actions | DXL | Lookup in DXL

You should see the endpoint is Connected

Step

Instructions

Image or amplifying instructions.

1.

Configure the TIE Server Extension under Menu | Configuration | Server Settings | Threat Intelligence Exchange Server

Click Edit.

2.

Enter your VirusTotal Public/Private Key. Click Save.

**For more information on how to obtain the VirusTotal Public/Private Key see appendix

3.

To access the TIE Server settings policy, select Menu | Policy | Policy Catalog and select McAfee TIE Server Management 1.0.0 in the Product dropdown. 

Click into My Default to edit.

4.

On the General tab, you can enable and disable GTI Reputations and set Proxy and Product Improvement Program settings.

For this POC guide to perform as documented GTI reputations must be Enabled

Note: The Product Improvement Program helps McAfee learn about threats and prioritize what is allowed or blocked.

5.

On the Advanced Threat Defense (ATD) tab, you can configure ATD server settings. Files can be sent to ATD for further evaluation.

This step is not required if ATD is not included in the POC.  

Check Enabled

Enter the User name and Password for the ATD Server.  

Note: The sample will be submitted from the TIE Server.

The online help provides guidance on each option.

6.

To access the TIE Client policy, select Menu | Policy | Policy Catalog and select Threat Intelligence Exchange Module for VSE 1.0.0 in the Product dropdown. 

Click My Default to configure.

7.

Configure your Client policy.  Leave Self Protection Enabled 

Self Protection: If selected, prevents users on managed endpoints from changing Threat

Intelligence Exchange module settings.

8.

Set Operation Mode to Enforce

Operation Mode: Specifies whether the module applies the policy settings on this page. 

Enforce: Enforce the policy per the settings on the page.

Observe: Collect data as if the policy were enforced and send it to the server, but don't actually enforce the policy. This option allows you to see what effect the policy would have without running it.

Disabled: Do not enforce the policy.

9. 

Check Enable or not depending on your preference.  

For the POC it does not matter which is chosen.

Telemetry Settings: Specify whether file information is sent to McAfee.  Selecting Enabled helps McAfee learn about threats and prioritize what is allowed or blocked

10. 

Set Balance Security for Typical systems

Balance Security For: There are three levels that reflect the amount of risk, or security, allowed on the systems that use this policy. 

High change systems: block and prompt the least

Typical systems: block and prompt more

Low change systems: block and prompt the most

**To enable or disable specific rules for each security level review the server settings for the TIE module for VSE 

11. 

Set Clean at: Known Malicious

Set Block at: Unknown

Reputation Responses for Executables, DLLs, Drivers: Specify what happens when a file with a specific reputation level tries to run on a system that uses this policy.

Clean at:  Select a file reputation level at which the file is cleaned using VirusScan Enterprise and then allowed to run. This option is available only for High change systems and Typical systems security levels.

**We recommend using Clean at only with known malicious file reputations because Clean at might delete the file.

Block at: Select a file reputation level where files are blocked. When a file with this reputation tries to run in your environment, it's prevented from running but remains in place. If you discover that the file is safe and you want it to run, you can change its file reputation to a level that is allowed to run, such as Known Safe.

12. 

Leave End User Prompting disabled for the POC

Prompt at: Specify the file reputation level when users are prompted to allow or block the file. The prompt level must not conflict with the Clean at or Block at settings. For example, if you block unknown files, you can't set this field to Might Be Malicious because it has a higher security threat than Unknown.

Default action: Specify what happens if the user doesn't respond to the prompt.

Timeout: Specify how long the prompt displays before performing the Default action.

Custom Prompt Text: Enter text the user sees when a file that meets the prompting criteria attempts to run. If you don't enter custom text, a default message is used.

13.

Check Enable or not depending on your preference.  

For the POC it does not matter which is chosen.

Use GTI: Get file reputation information from the Global Threat Intelligence cloud if the module can't access the server.

Prompting Disabled: If the server is unavailable, disable prompting so that users don't receive prompts about files with reputations that are unavailable.

14.

If ATD is being used and configured in the TIE Server extension, check submit files to ATD at Unknown. 

This step is not required if ATD is not included in the POC.  

The files are sent to Advanced Threat Defense when the following occurs:

• The Threat Intelligence Exchange server does not have Advanced Threat Defense information about the file.
  
• The file is at or below the reputation level you specify.
  
• The file is at or below the file size limit you specify.
  

Pain point

McAfee Capability to Solve the Pain

Fragmented visibility – limited or no understanding of what files are running on endpoints

TIE baselines and shows you what is actually running in the environment.

TIE synthesizes attack insights into actionable intelligence, such as first contact, local prevalence, file trajectory, and infection artifacts that help guide investigations and timelines.  

Increasing complexity – too many siloed technologies

TIE transforms disparate security components to create a single collaborative system that instantly shares contextual insights while delivering immediate adaptive threat protection.

Step

Instructions

Image or amplifying instructions.

1.

Login to ePO 

2.

Click on Menu | Systems Section | TIE Reputations

3.

In the File Search tab Enter * in the search field and click Find Files.

*Note hitting enter will not search.  You must use the mouse to click the Find Files button.

4.

You will see a list of files that have been executed on your endpoints.

You may need to execute a few files before this page is populated.    

Each column can be clicked to sort the information including ATD reputation, comments, hashes etc.

Clicking to sort by GTI reputation will highlight some of the more interesting files being executed.  

The TIE reputations page is a collective source of threat intelligence from all security products connected to DXL allowing the user visibility and the ability to make informed decisions.    

5.

File details can be added to the initial search results by clicking Actions | Choose Columns

Add columns as desired.

In the case where ATD is being used, add the ATD column for added reputation information.

6.

On the endpoint run the Artemis-High.exe provided in the test samples.

The file execution will be blocked.

7. 

In the TIE Reputations page search for artemis  

You will see the file was blocked based off of its GTI reputation ‘Might be Malicious’.

Click Artemis-High.exe to research additional information about the executable.

8.

The File Details tab provides additional information about the file properties.

9.

The Additional Information tab includes data collected from the first system to execute the file.  This includes:

• File exists in “Add or Remove Programs”
  
• Registered as a Service
  
• Registered for Auto-run 
  

10.

The Virus Total tab allows the user to cross reference the file against VirusTotal.  Click Retrieve VirusTotal Information.

Note:  You must configure your VirusTotal API Key for this to work.  See the VirusTotal section of Appendix for details.   

11.

The same steps apply to Certificates.  In the TIE Reputations page of ePO go to the Certificate Search tab and enter * in the search field and click Find Certificates.

*Note hitting enter will not search.  You must use the mouse to click the Find Files button.

12.  

In this case Dropbox had been run.  You will have several certificates to research.  Microsoft is a very common one.  

Click into a certificate to research additional information.

13.

In order to help separate real enterprise threats from general background noise in the environment, the TIE Server Dashboard focuses in on new and notable information. 

14.

New files by GTI reputation — Shows new executable files by McAfee GTI reputation that attempted to run in your environment in the past week. This report is especially useful to quickly see the new files that were malicious or unknown in your environment.

Clicking into the Not Set portion of the graph narrows the files that GTI does not have a reputation for.  This makes it easy for an admin to determine where to investigate first. 

15.

New files in the past 30 days — Shows new executable files that attempted to run in your environment in the past 30 days. 

Once TIE has been running in your environment for a few days you will start to only see spikes when there is a possible reason for concern.  

Clicking into a data point will show new files by day.    

16.

Files with changed GTI reputations — Shows files whose reputations were changed in McAfee GTI in the past month.

On further research or new information received, McAfee may determine a reputation change is needed.  

The administrator may want to investigate enterprise overrides further if the GTI reputation has changed.

17.

Systems with new executable files — Shows the top 10 systems that had the most new executable files attempting to run. This report shows systems that are potentially at risk for new infections because they are accessing the most new executables.

A high new file count in on unexpected system such as a POS device or production server might alarm the administrator of suspicious behavior.  

18.

Quick file search — Allows you to search for a specific file string or hash.  Partial entries will search for all occurrences.

Any news alert or notification of compromise can be searched.  This is a quick place to easily research a specific file or hash (also good place to research results even from another security product).  

Pain point

McAfee Capability to Solve the Pain

Ineffective protection

TIE provides organizations with immediate visibility and protection from attacks.  Threats are stopped. 

Step

Instructions

Image or amplifying instructions.

1.

Based on our research we know that malware tends to hide itself in specific folders.  In this use case we will explore the root of $appdata$\roaming as an indicator of risky behavior.  

On the endpoint in explorer navigate to C:\ and select Organize | Folder and Search Options.

On the View tab click Show hidden files, folders, and drives