Threat Analytics Platform (TAP)

Threat Analytics Platform (TAP)

Threat Analytics Platform (TAP) Deployment Guide April 28, 2014 FireEye, Inc., 1440 McCarthy Blvd., Milpitas, CA 95035 | www.FireEye.com | +1 877.FIREEYE Information provided about third-party products does not imply any recommendation for use of that product. The information is provided as a guidelines only and is not guar- anteed to be accurate. © 2014 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc. All other brands, products, or service names are or may be trademarks or service marks of their respective owners. Use of this product and this document are subject to the terms of your license agreement with FireEye, Inc. Document version: v1.0B Contents Threat Analytics Platform (TAP) 1 Contents i About the Deployment Guide 1 Deployment Checklist 1 TAP Overview 2 TAP Architecture 2 Comm Broker Sender 4 Communications Broker Sender Configuration 4 Monitor Comm Broker Sender 5 Remove Comm Broker Sender 5 Troubleshoot Comm Broker Sender 5 Comm Broker Senders Traffic Management 6 Data Sources for TAP 8 Types of Log Data for TAP 8 Log Specifications for TAP 9 Log Aggregation System Configuration for TAP 9 Log Sources Supported by TAP 10 Cisco PIX and ASA Firewall Configuration 12 Juniper Secure Access Configuration 13 Linux Configuration 13 Rsyslog Configuration 13 Syslog-ng Configuration 14 McAfee Nitro Configuration 14 RSA Authentication Manager Configuration 15 Splunk Configuration 15 Symantec Endpoint Protection Configuration 16 Tomcat Configuration via Syslog 16 Trend Micro Control Manager Configuration 17 Appendix A. Windows Logging with NXLog 18 NXLog Installation and Configuration 18 Example nxlog.conf File 20 NXLog Troubleshooting 23 FireEye, Inc. Deployment Guide i Operating System Events 23 DNS Query Logs 23 DHCP Logs 24 Netlogin Debug Logs 24 IIS Logs 24 Process Creation Auditing 25 SQL Events 25 FireEye, Inc. Deployment Guide ii About the Deployment Guide This deployment guide is designed to assist you in configuring log sources and suc- cessfully transmitting them to your TAP instance. It contains information about the fol- lowing: l Overview of TAP including its architecture l Information about log sources for TAP l Comm Broker Sender configuration instructions Deployment Checklist Before deploying TAP, you must first contact FireEye Sales to obtain the proper license for Threat Analytics Platform (TAP). Your data sources will not be fully functional until you obtain this license. To contact the TAP team, including TAP Sales, e-mail to [email protected]. For more information on TAP, see the FireEye Threat Analytics Platform page on the FireEye website. FireEye, Inc. Deployment Guide 1 TAP Overview The FireEyeThreat Analytics Platform (TAP) is a security incident detection and res- olution tracking platform that identifies cyber threats and improves response by layering enterprise-generated event data with real-time threat intelligence from FireEye. TAP Overview TAP is a cloud-based application that: l Collects and indexes database, security, network, and endpoint events from your environment l Compares indicators in your events against FireEye intelligence in real time and generates alerts on hits l Applies both FireEye-defined rules and rules that you define to event data to gen- erate alerts l Provides an incident workflow for tracking both events associated with alerts and any events that you deem suspicious from investigation to remediation l Makes events available for efficient searching and pivoting l Provides visualizations of trending activity TAP Architecture Your TAP instance resides in two environments: your environment and a Virtual Private Cloud (VPC) within Amazon World Servies (AWS). Within your environment is one or more Communication Broker Senders that send log data to a Communications Broker FireEye, Inc. Deployment Guide 2 Receiver within TAP in the VPC. The Comm Broker Receiver and all other TAP components within the VPC are managed by the TAP Operations Team. TAP High-Level Architecture The data flow is as follows: l The Comm Broker sender listens receives log data in your environment and sends it to the Comm Broker Receiver in the VPC. For security purposes, all data in transit, including all metadata, is encrypted with Twofish with a 256-bit key. When data is transmitted over the WAN to the Communication Broker Receiver, it is double-encrypted with two layers of Twofish and 512 bits of key total. The Com- munication Broker Sender/Receiver combination never stores any customer data in clear text. l Log data is parsed according to the TAP taxonomy and then indexed to make it available for fast searches and pivoting. Log data that cannot be parsed is still indexed as raw messages. l Both FireEye-defined and customer defined rules are applied to the events and alerts generated if applicable. l FireEye Intelligence is also applied to all events in real-time and alerts generated for any hits. FireEye, Inc. Deployment Guide 3 Comm Broker Sender The Communications Broker (Comm Broker) Sender is an application runs on an Amazon Machine Image. It collects logs from within your Amazon Cloud environment and forwards them to the Communications Broker Receiver within your TAP architecture. Communications Broker Sender Configuration Before configuring the Comm Broker Sender, be sure that you have available the inform- ation provided by FireEye Product Support. To configure the Comm Broker Sender to send logs to the Comm Broker Receiver in your TAP VPC and to listen for log data: 1. Load the Amazon Machine Image (AMI) from the Amazon Marketplace. 2. Enter the key provided by FireEye Product Support. 3. Run the configuration script: ./ConfigSender.sh 4. Complete the post-install script as follows: l Welcome to the Threat Analytics Platform (TAP) Sender setup script. l Enter this Sender's identification number [38351]: (Enter the number provide by FireEye Support) l Enter symmetric key [NDd- jNjExZjhjZDAyY2IxMGU2YmU3MjI2MjUzN2MyMTgwODlj]: (Enter the number provide by FireEye Support) l Configure Sender listener addresses l Enter interface IP address that sender will listen on [0.0.0.0]: 0.0.0.0 (Hit Enter to select the default of 0.0.0.0) l Enter the protocol: [UDP] (Hit Enter to select the default of UDP or enter TCP) l Enter the port: [514] 514 (Hit Enter to select the default of 514) l Add another?: [no] (Hit Enter to continue; to add additional ports, enter yes.) l Listening configurations: 0.0.0.0\/514\/UDP (Hit Enter to select the default or modify if needed) l Configure Receivers' listener address and port l Enter interface IP address of receiver [ENTER]: (Enter the IP address provided by FireEye Product Support) l Enter the port: [443] 443 (Hit Enter to select the default) l Add another receiver?: [no] (Hit Enter to continue if you have only one receiver; enter yes if you have received FireEye, Inc. Deployment Guide 4 information from FireEye Support for additional Comm Broker Receivers) l List of receivers: (Hit Enter to select the default or make modifications as needed) 5. You should see the following messages: l Replacing senders in init file l tap-cbs stop/waiting l tap-cbs start/running, process 1448 l Sender has successfully been initialized Monitor Comm Broker Sender To monitor overall health, we recommend you monitor your systems in accordance with your corporate monitoring policy. Some areas to consider: l Network t/x and r/x are useful for watching trends in log traffic l CPU / memory / disk space l Monitor the host system if using virtualization for i/o performance As an application specific check, yhe following processes should appear with the sender has successfully connected to a receiver. Remove Comm Broker Sender You must remove all the tap-cbs files manually in order to reinstall a CB. l service tap-cbs stop l yum remove tap-cbs l rm /etc/init.d/tap-cbs l rmdir /opt/tap-cbs Troubleshoot Comm Broker Sender The following are potential actions for troubleshooting the Comm Broker Sender. Step1. Verify the process is running (e.g. ps aux | grep sender) FireEye, Inc. Deployment Guide 5 Step 2. Verify network connectivity between the Communications Broker and the cus- tomer instance (e.g. netstat –anp | grep sender) Step 3. Use tcpdump to verify the Communication Broker is receiving syslog traffic from log sources (e.g. tcpdump –ni eth1 –c 50 –s0 –A udp port 514) Alternatively, you can verify the Communication Broker is listening and receiving log traffic on the configured ports. Use the Netcat utility to send traffic from another device to the Communication Broker (e.g. echo -n "TEST TEST TEST" | nc -4u -w1 <ip address of sender> 514 ) Look for this traffic on the Communication Broker (e.g., tcpdump –ni eth1 –c 50 –s0 –A udp port 514 ) Comm Broker Senders Traffic Management To manage large streams of data both to the Comm Broker Sender and between the Comm Broker Sender and Comm Broker Receiver, TAP supports multiple options: l Multiple Comm Broker Senders l Load Balancers l Domain Name Servers (DNS) FireEye, Inc. Deployment Guide 6 TAP supports the use of multiple Comm Brokers Senders and Comm Broker Receivers. One Comm Broker Receiver can receive traffic from multiple Comm Broker Senders. Comm Broker Senders operate independently. Installing Comm Broker Senders closer to the log source conserves bandwidth. If your environment includes data centers that are regional, you could deploy one or more Comm Broker Senders within each data center. Comm Broker Senders can be deployed in arrays with load balancers for redundancy and load sharing. Load balancers can be used to detect when systems are in need of maintenance or repair, share the load across multiple systems, and provide redundancy. A Domain Name System (DNS) round robin can also be used to provide redundancy. Some system may not have the ability to syslog to a DNS and are limited to an IP des- tination only.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    29 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us