Endpoint Security Solutions (ESS) Administrator 201 ePO 5.10 Student Guide
201 Student Guide
This guide is a transcript of the videos that are on DoD Cyber Exchange. Users can join the ESS Working Group on Intelink: https://intelshare.intelink.gov/sites/DISA-ID/HBSS/SitePages/Endpoint%20Security%20Working%20Group.aspx
Welcome to the ESS 201 ePO training. My name is Colleen Guarraia. Let's get started with Lesson 1: The Welcome and Introduction. So, a little bit about the course. We're going to learn about and practice using the tools that you need to design, implement, configure, and use within ePO so that you have your centralized management and you can deploy products, that is, the McAfee products.

A little bit about the prerequisites. It would be very helpful if you already have some understanding of networking and system administration concepts, a basic understanding of computer security concepts, and a general understanding of viruses and antivirus technologies. The resources are that you will have your student guides -- those binders belong to you. And at the end there's a course evaluation, and you also are required to take a test. It is open book, it's an hour long, and you have 35 questions which are multiple choice and/or true/false.

After you're done with this course, you will be able to plan an ePO deployment. You'll even know how to install and configure the ePO software, set up your ePO server, manage the users or resources within ePO, administer and maintain any of the security and the policies in the databases that exist on your SQL server, monitor and report on the security status of all of the McAfee products, and install and use the McAfee Agent and understand what the McAfee Agent is for.

Here are some of the acronyms and terms that we're going to use in this course. There's a default administrator account that is created when you install ePO, and that's Admin. Whenever I talk about ASCI, that is the agent-to-server communication interval, and that's how often the McAfee Agent communicates with your Agent Handlers. When it communicates, there's an exchange of public keys so that you have what we call the ASSC, or agent-to-server secure communication. So, all of the communication is encrypted, and you don't have to worry about someone capturing the packets and being able to see what is in that communication. Agent is just a short term for the McAfee Agent. We also have what we call an Agent GUID, which is the Globally Unique Identifier that the McAfee Agent creates when it's installed on a machine.
They have their homepage for the ESS. There's the Cyber Training site, and there's also the site or location for the Classroom Training. DISA provides some best practice documents that you can look at. Be sure to check these out at this location. And if you'll notice, we have a lot of guides having to do with all the different products. Everything from the Data Loss Prevention endpoint to Endpoint Security, all the way over to the TIE/DXL if you're using that product, or ATD.

We also provide some documentation. You can go out to the McAfee site and download these guides, or you can go over to the DoD Patch Repository. All of the localized product documentation and the help is available, so be sure you check the DoD Patch Repository on a regular basis to get the most current information. Here's a nice little list of probably the most common KB articles that we have having to do with ePO. Be sure to check these out, because lots of times you might say, “well you know, is this supported on ePO?” Yes, it is, as long as it's on this list. To get to some of the KB articles you can go out to docs.mcafee.com, and this is where you can look up and get all of the product documentation. There's a searchable text box at the top, so you can find your guides that way.

DISA has these resources available to you. There's the front door URL, their Training Wiki, the STIGs site, the McAfee filtered list, the USCYBERCOM, again their Patch Repository, and an email address if you have any questions or comments. DISA also provides these ESS Tech Talks. Check out this link to see when these Tech Talks are available, because they're very helpful to you in being able to manage these products. Out there on YouTube, we also have a support channel, and there's a lot of informational videos, webinars, and series that you can see. “How do I configure this?” We do a lot of how-to videos.

This is the link for information on what exists in the new security content, also known as .DAT files. Now, some of these may not mean anything to you, but a good one, for example, is the Exploit Prevention, because you can see what is in the latest signature having to do with the .DAT files for the Exploit Prevention.
We also have some podcasts where you can get some information that sheds light on, you know, what's this little hackable tool? What is this attack? You know, so be sure to check out these sites. And this concludes the introduction to ESS 201 training.
So, the ESS product support plan gives you a lot of resources so that, you know, we maintain all the information you need, all the technical information is for you, and they warranty this. So, the help desk will be provided by DISA. The architecture of the help desk is 3 tiers. Out in Oklahoma City, that's where you're going to have levels 1 and 2 of the tier support. If we cannot figure it out, get it all fixed, having to do with those two tiers, what they're going to do is they're going to send it to a level 3, and that all has to do with our subject matter expertise. So, all of this HBSS or ESS application support will be provided on behalf of DISA. Level 3 support is going to be provided by the product vendor.

Be sure to go to this page for all of the helpdesk information that you may need. If you need to contact the global service help desk, you know what they want you to do is submit all of your trouble actions to Oklahoma City. Here are the phone numbers. Here are the email addresses, and remember we do have a website where you can get more information. Before you contact them, be sure you go and get this checklist. This checklist will answer all the right questions that you need to fill out, so that when support has those questions for you, you have all the information right then. You don't have to sit there and go, “oh hold on, well let me go check that out and I'll get back with you,” and all that. No, have that all written out. Have this filled out before you actually contact them.

I always love to talk about the Operational Collaboration, because what's going to happen is, if you've never been using these products and now you are, you're going to see where you have a lot of problems within your environment. It could be that the problem is that this is totally normal activity, it’s just that maybe somebody has another type of product not configured the best way, like let's say SQL Server. You know, maybe the web server, something like that. So, you need to coordinate with all of the IT groups who are managing these other products, like the email server. You need to know what your network configuration is. Most sites are totally unaware of that. Here's another issue: Active Directory, because people have a tendency to put some machines in Active Directory and they never get rid of them. Oh yeah, so then when you go in and you do the Active Directory sync, those computers are going to show up in ePO.
Oh no, not again, so you need to actually work with that person or people who are managing Active Directory and say, what can we do so that these machines go away. Also, the other thing is on your site you have lots of different baselines. It would be perfect if we could all say, “this image that you have, operating system configured this way with these products, everybody gets the same thing and everyone’s happy.” That's not going to happen y'all. No way, no. So, the thing is that's going to give you a lot of compatibility issues. And then another thing is, who has the responsibility or ownership of ESS? So, always remember the solution to these issues may not be within the scope of the ESS operator, and upper management is going to have to come up with that.

Here's the list of the ESS products. Now note you can go out to the DISA site and download them. And so, I'm going to go through each one of these and we'll talk about what they do. So, the first one is ePolicy Orchestrator. This is the main centralized management tool that we will use to manage everything. You're going to have the McAfee Agent installed on your computers, and that McAfee Agent comes from your ePO server. Alright, so when that's installed, that machine will communicate with your Agent Handler, and you will log in and you will just be able to see everything having to do with your managed machines, and so we always like to say this is a single view, because I can see everything having to do with all of my products and all of my managed machines, all the event data that's being uploaded. So, you see the nice thing is, since this is one console, I can do all my different tasks. Normally, maybe, I'd have to go to different products to do this.

So, what we're going to do is we're going to teach you how to use policy assignments, client tasks for the different products, also, let's monitor the health of our network, get all that data on those events and alerts, create my different reports using a little query system that exists in this console, and then also how I can deploy products. Also get the security updates for those products done. ePO has a lot of extensions that you add. Now, an extension, you're going to learn, is where maybe I want to extend the capabilities of ePO to manage something, or maybe something else within ePO that gives me some more management. This is one of them, the ePolicy Orchestrator Optimizer.
We teach you more about this in the 301 class, because when we talk about Endpoint Security for Servers, that's how we actually use the Cloud Workload Security.

Data Loss Prevention Endpoint is another product. This is the one that everybody likes to call DCM, meaning Device Control Module, but basically the product is called Data Loss Prevention Endpoint. What you're using is just the device control feature of the DLPe. Now, this is where I can have different rules that will allow you to use specific devices while basically making sure that if I have any other removable storage devices, I cannot plug them into your computer. Nope, not going to let it happen.

McAfee Application Control, also known as MAC, is a great product that you can install onto your computers. You'll see where it's also called Solidcore, so lots of times when you go into the ePO console you'll see Solidcore admin, Solidcore reviewer, you'll see Solidcore rules. Well, that still all has to do with the Application Control. Application Control gives you the ability to enable it, and at that point it's going to scan and find all applications that exist on your computer. It'll get all their DLLs, all their executables, everything. With that, at that point, if it's in Enabled mode, when it's done, because it builds this inventory, then no one can make any changes to those applications. No, not at all. Really, yeah. So, that's where we teach you how to set up what we call a Trust Model. So, you will have, like, what trusted updater or trusted installer can actually go in and update that application. Okay, now the other thing that you have with this is where I can go in and basically say, “I'm not going to allow this application to run and, oh, by the way, if that application did not exist before, it's not going to run on there now.” Now, along with this we have Memory Protection, but if you're using this along with Endpoint Security, you're going to disable that, because the two will fight, fight, fight, fight, fight, and we don't want them fighting with each other, so you just disable it here. Now the other thing that you can utilize is if you want to integrate with our McAfee Global Threat Intelligence, also known as GTI, where we can get what the reputation of this particular executable is. Even though it built the inventory and said, well, this exists now, if you go in and say if the reputation is Might be Malicious or Known Malicious, you're not going to let it run, it will not let it run, and of course you can use TIE, which also helps with that, and I'll talk more about that in a moment.
Now Endpoint Security is the new product that is replacing VirusScan and Host Intrusion Prevention. Those two products are going bye-bye. So, what we have is you have different modules that exist within this application, so think of it as sort of a modular product. So, you can add certain modules to it or not. So, the first one is what we call Threat Prevention. That all has to do with what we had with VirusScan Enterprise, all the same capabilities, only better. Now, the other thing that we have in the Threat Prevention module is, remember all those IPS rules that we had in Host Intrusion Prevention? That's now Exploit Prevention in the Threat Prevention module. You still have the Firewall module, so I can go in and still use those same little Firewall rules. What you would do is you would migrate everything over from the Host Intrusion Prevention Firewall, so that I can have those same policies again in this product. And then if you want to, there's also an optional product having to do with Web Control that used to be called SiteAdvisor Enterprise. What it does is I can go in and have it block you from going to certain websites whose reputation is really bad, and it also gives you the ability that when you go to download a file from one of those sites, we'll do an on-demand scan of that download.

What we have built into the Endpoint Security is now what we call Anti Malware Engine Core, AMCore. This technology, which is going to be the DAT files that you're going to update every day onto these machines, has more intelligence built into it. So, the idea is it will only scan items that need to be scanned, so ideally you don't have to create as many exclusions. Oh, that would be great. So, you should have better performance with this product than you had before with VirusScan Enterprise.

The Adaptive Threat Protection is also a module that exists for the Endpoint Security. What this does is it goes beyond the normal Threat Protection, so you have the Threat Protection that says, oh, I know who this is, we're done. Okay, well, this goes and says, well, now if we didn't have any detection with that, let's actually look at the actual content that exists in that executable, because what we do is we call it dynamic and static, so I can actually say, ooh, I can see that this is going to do some malicious activity.
So, in Policy Auditor you will create your audit, you'll schedule how often you want them to run, and then your job will be to look at all the detailed reports so that you know why this machine failed this audit and what needs to be fixed. So, we have a nice reporting system that you can customize to get the information having to do with your audits, and I can also archive the reports so I can save a copy of that data. With Policy Auditor, they added what we call Advanced Host Assessment. This is going to replace the ACCM. So, this is going to scan for any inventory that exists on that particular managed system. It's going to give you everything having to do with the applications installed and your services that are running, information about the operating system, what kind of NICs are on that computer, any registered extensions, it's going to look at any CPEs, any ports, and again any other system information. So, I can monitor all of these inventory items, and I can see what changes are happening, and I can identify what might be a deviation from the baseline that they're supposed to have. Like I said, this is going to replace the ACCM.

Rogue System Detection, which we'll learn about later on in this class, is where I will have a sensor on my different broadcast subnets. And what it's going to do is it's going to hear all the computers that are joining your network, and it's going to report that back to your Agent Handler. And what the Agent Handler will do is compare that information to the database, and they'll say, oh, we have a new rogue. So, you set up a little notification that if one of those rogues is detected, you'll get that, and then you can do something about it.

Let's talk about TIE. So, I know we already talked about DXL, but this goes hand in hand with TIE. So, what you do is you install what we call a broker. The broker is going to be the communicator between your different TIE systems and all of your managed machines. Now the TIE server can also be a broker, depending on how many managed machines you have out there. So, the TIE server, what it does, even though it's not really truly a server, it has a little database that's on it locally, but what it's going to do is, if I have a machine that says, what is this? So, you have this PC that sees something suspicious. Remember the ATP?
Alright, it didn't catch it with the AMCore DAT file, so I'm going to send that hash to the TIE server with, “can you give me that reputation?” The TIE server is going to communicate with McAfee GTI. GTI is going to give that reputation back. What is a reputation? Good, bad, unknown, not really sure about it just yet -- don't have a reputation on that. And then, because of the broker like I mentioned before, we're going to get that broadcast out to all of these other computers. So, if this computer then detects it, it knows immediately what to do. I already know what their reputation is. So, before this, what you would have is each machine would go and talk to GTI on their own. Think about all that traffic. Now, all I have to have is one machine ask, and everybody gets the reputation, and we call this the DXL Fabric, so it's bidirectional and it is secure. And then down here, this is you, going in and looking at the activity and looking at the reputations that it says about those various files. And you know something else you can do which is really kind of cool? If you don't want a certain application to run on your network, you can change the reputation and then that will be handled. Because they'll say, oh, this is known malicious, handled, done, deleted, gone.

Now I’ve finished talking about the different products that you get from my company. Now, let's look at the government applications. So, the first one is the Asset Publishing Service. What this does is it's going to get all of your host-related data and it's going to put that in a local database. So, we can go in and see all the information having to do with what's in that local database, because remember, in ePO I'm getting all this data uploaded. So, how do I make it so that someone else can see what my data is? So, as you see here, it makes the ESS data visible, accessible, and understandable across the whole DoD community. So, here are some of the types of things that it's going to actually publish. As you see, if you're still using ACCM, you'll get that. You'll also get any of the ENS events and compliance.
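The TIE, GTI and DXL reputation exchange described a couple of paragraphs above, as an added Python model that is not the guide's or McAfee's code: hypothetical classes stand in for GTI, the TIE server, the DXL broker and the endpoints, the hashes and the GTI table are constructed for the example, and the allow/block policy is an assumed one that blocks Might be Malicious and Known Malicious.

```python
# Toy model of the TIE / DXL reputation flow (constructed example, not McAfee code): an
# endpoint asks TIE, TIE asks GTI only when its local database has no answer, and the
# DXL broker pushes the answer to every endpoint so nobody else has to ask.
from enum import Enum


class Reputation(Enum):
    KNOWN_TRUSTED = "Known Trusted"
    UNKNOWN = "Unknown"
    MIGHT_BE_MALICIOUS = "Might be Malicious"
    KNOWN_MALICIOUS = "Known Malicious"


GTI_TABLE = {"sha256:1111": Reputation.KNOWN_TRUSTED,    # hypothetical stand-in for the
             "sha256:2222": Reputation.KNOWN_MALICIOUS}  # GTI cloud, constructed hashes


class GtiCloud:  # counts lookups so the traffic the fabric saves is visible
    def __init__(self, table):
        self.table, self.lookups = table, 0

    def reputation(self, file_hash):
        self.lookups += 1
        return self.table.get(file_hash, Reputation.UNKNOWN)


class DxlBroker:  # the DXL fabric: one reputation goes to every subscribed endpoint
    def __init__(self):
        self.subscribers = []

    def publish(self, file_hash, reputation):
        for endpoint in self.subscribers:
            endpoint.on_reputation(file_hash, reputation)


class TieServer:  # local reputation database; falls back to GTI, then broadcasts
    def __init__(self, gti, broker):
        self.gti, self.broker, self.db = gti, broker, {}

    def query(self, file_hash):
        reputation = self.db.get(file_hash)
        if reputation is None:  # nothing local: ask GTI once and remember the answer
            reputation = self.gti.reputation(file_hash)
            self.db[file_hash] = reputation
        self.broker.publish(file_hash, reputation)
        return reputation

    def override(self, file_hash, reputation):  # admin edits a reputation in the TIE console
        self.db[file_hash] = reputation
        self.broker.publish(file_hash, reputation)


class Endpoint:  # managed machine: AMCore had no signature, so check the cache, then TIE
    BLOCK_AT = {Reputation.MIGHT_BE_MALICIOUS, Reputation.KNOWN_MALICIOUS}

    def __init__(self, name, tie, broker):
        self.name, self.tie, self.cache = name, tie, {}
        broker.subscribers.append(self)

    def on_reputation(self, file_hash, reputation):
        self.cache[file_hash] = reputation

    def decide(self, file_hash):
        reputation = self.cache.get(file_hash) or self.tie.query(file_hash)
        return "block" if reputation in self.BLOCK_AT else "allow"


def build_fabric(names=("pc-a", "pc-b", "pc-c")):
    gti, broker = GtiCloud(GTI_TABLE), DxlBroker()
    tie = TieServer(gti, broker)  # here the TIE server also hosts the broker
    return gti, tie, [Endpoint(name, tie, broker) for name in names]


def scenario():
    # Walk the flow the lesson describes and report what each step decided.
    gti, tie, (pc_a, pc_b, pc_c) = build_fabric()
    first = pc_a.decide("sha256:2222")   # asks TIE, TIE asks GTI, result broadcast to all
    second = pc_b.decide("sha256:2222")  # already cached on pc-b: no GTI traffic at all
    tie.override("sha256:1111", Reputation.KNOWN_MALICIOUS)  # admin changes a reputation
    third = pc_c.decide("sha256:1111")   # the override arrived over DXL: blocked, no lookup
    return first, second, third, gti.lookups
```

Running scenario() shows one GTI lookup serving three machines and an administrator's override reaching an endpoint that never asked; an Unknown reputation is allowed in this model, which is the policy decision each site has to make deliberately.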
This is an endpoint application that will collect any command and control and situational awareness information from each individual Department of Defense device and expose the different data. So, as you see here, what they've got is it says it uses the process of embedding “so what” data onto these devices, like who owns it, what's the organization that owns it, the location, authorization boundary, or anything like that. So, it's an application that will be deployed so you can view and apply any of these attribution tags directly onto your endpoints. It's supported on Linux and Windows, and you have a user interface so the users can actually apply the tag. It also uses what they call file extension mapping, so you can apply those tags by executing a file, and it's a .datt file. Now, the exposure of the tag information will be limited having to do with the Windows Registry or the Linux RPM. So, basically you could deploy new tags, you could update an existing tag, you could also deploy new organizational location system names and different hierarchies there. Now, be sure to check out the training that they have for the device attribute tab.

What's required to manage ESS? Well, there's a lot, you know, so this is just kind of the basic information. You need to be sure you have the latest Product Extension files and the client packages. Your job is to go in and configure and tune policies, makes sense to me. Make sure you have the McAfee Agent on your machines so that they're actually managed. And then think about who needs to do what, so we have what we call permission sets, so what permissions do we give to people so that they can edit these policies? Make sure that the McAfee Agents are communicating so they're getting the policy information. I'm getting notifications having to do with these events. Also, I'm doing my queries and reports so that I can actually see, you know, ooh, what's going on here? Why are these machines out of date? Oh, I need to get a product deployed on that machine, and along with that we also need to manage the ePO server and its database. So, your day-to-day tasks are going to come down to: do I need to respond to any events? Let me see if I have any inactive agents. Do I have any rogue machines? What about the inactive agents log? Let's look at all those alerts. Do I need to react to those? Don't forget, what about your backups? Oh, my backups, yeah. Got to have those backups. And be sure you check for any downloads that are out there on the DoD site -- any other general ESS information.
The ESS Functional Flow, which you can go out and download from this site, basically shows you the communication paths that we have in the whole DoD environment, so we're going to talk about these different tiers. So, if I wanted to go in and get these diagrams, you can go here and get them. So, the first tier, this is you. This is where you have your ePO server, I can also have another Agent Handler, depending on what you want to do. You also have your own SADRs having to do with all your Distributed Repositories. You also maybe have my ePO database, which is on a separate server because I'm managing so many systems, I can't really have the SQL database on the same server because that'll just kill this server, it's too much overhead. So, as you see here, all this information that you're going to get here, we can have a Rollup Server so that we're going to roll up this data to the next tier. You could have a separate Rollup Server, or they can just roll up from this server.

So, Tier 2 is where now they're going to have what they call their ePO Staging Server. This is where I'm going to configure this server so that it's registered with this server and vice versa, and I'll have a task that's going to run every night that's going to roll up data either from this server or this one, so that it will be stored temporarily here before we roll it up to this server. And so, you have lots of infrastructure that has to have these different tiers so we can get this data rolled up to the people who are actually going to do the reporting.

As a reminder, remember we're going to have these DAT files, I call that the content. What you have is the AMCore content that needs to be updated on our ENS product. Along with that, you also have a team called EMC2 that's going to create any of the new custom exploit signatures that also have to do with the exploit detection. That content is going to exist on the DISA Content Staging Server. What you will do is you will pull it down to your server and then obviously update your particular machines locally. So, as you see here, they call it the Content Staging Server and it's a distributed repository, so that Tier 3 can pull the content down. And so, the DoD Software Manager is where you can pull the software binaries from DoD's software manager instead of going to the DoD Patch Repository. So, you have to get a document on how to configure your ePO server to be able to authenticate to the DoD Software Manager, so anything that's approved software will be placed on their software manager. The Tier 1 Reporting Infrastructure Drill-Down as you see here.