• Create policies that allow or block files and certificates depending on their reputation. Or receive a
prompt each time a file or certificate with a certain reputation attempts to run. You can also send
files automatically to Advanced Threat Defense for further evaluation.
• View events on the Threat Intelligence Exchange dashboards. You can view cleaned, blocked, and
allowed events for the past 30 days or by event type.
Threat Intelligence Exchange server
The server stores file and certificate reputation information. It passes that information to other
systems and endpoints in your environment.
The server enables you to:
• Override a default file or certificate reputation to control what is allowed to run in your
environment. For example, if your organization routinely uses a file that has an unknown security
reputation, you can set its reputation to allow the file to run.
• Identify and track new files that attempt to run in your environment. If the new file is allowed to
run, the server identifies which system or device was the first to run the file, and all other systems
where the file was run.
• Instantly stop threats from spreading throughout your environment. Once the reputation of a file or
certificate is detected as malicious (or suspicious, depending on your settings) it's immediately
blocked from running anywhere in your environment.
• Identify which files were blocked and where they attempted to run. You can see where threats
originate and see patterns as they occur. For example, specific systems might be more prone to
detecting and blocking malicious files so you can increase the security settings on those systems.
• Specify the rules used in the policies, based on the types of systems. Rules are available for:
• Systems that change frequently (programs and files are often installed and uninstalled)
• Typical business systems that change infrequently
• IT-managed systems that access critical or sensitive information and rarely change
Data Exchange Layer
The Data Exchange Layer (DXL) includes client software and one or more brokers that allow
bidirectional communication between endpoints on a network. The DXL client is installed on each
managed endpoint, so threat information can be shared immediately with all other services and
devices. This sharing of information reduces the spread of threats.
DXL works in the background, communicating with services, databases, endpoints, and applications. It
receives and sends encrypted messages throughout your environment to track activity, risks, and
threats in real time. Sharing reputation information as soon as it becomes available reduces the
security assumptions that applications and services make about each other when they exchange
information.
DXL clients maintain a persistent connection to their brokers regardless of their location. Even if a
managed endpoint running the DXL client is behind a NAT (network address translation) boundary, it
can receive updated threat information from its broker located outside the NAT.
DXL has these components:
Overview
Threat Intelligence Exchange components
1
McAfee Threat Intelligence Exchange 1.0.0 Product Guide
9
(15 stránky)
Manymanuals.com
Manymanuals.de
Manymanuals.fr
Manymanuals.it
Manymanuals.pl
Manymanuals.cz
Manymanuals.es
Manymanuals-pt.com
Komentáře k této Příručce