Threat Intelligence Exchange 2.1.0 Release Notes

Release Notes
McAfee Threat Intelligence Exchange 2.1.0
For use with McAfee ePolicy Orchestrator
Contents
About this release
Enhancements
Resolved issues
Upgrade to 2.1.0
Known issues
Getting product information by email
Find product documentation
About this release
This document contains important information about the current release. We recommend that you read the whole document.
Version and upgrade support
McAfee Threat Intelligence Exchange (TIE) server 1.0.X and 1.1.X ended availability on August 15, 2016, and are scheduled for end of support on August 15, 2017. To ensure protection, upgrade to TIE server 1.3.X or later. See the End-of-life Policy for more details.
We do not support the automatic upgrade of a pre-release software version. To upgrade to a production release of the software, you must first uninstall the existing version.
Release date — June 2017
Release build — 2.1.0.323.1
Purpose
This release was developed for use with:
• McAfee ePolicy Orchestrator (McAfee ePO) 5.1.1 on-premise (or later).
• McAfee Data Exchange Layer (DXL) 2.0.0 (or later).
• McAfee Threat Intelligence Exchange (TIE) server 1.2.1 (or later, for direct upgrade).
Rating — High Priority
(Rating scale: Mandatory, Critical, High Priority, Recommended)
• High priority for all environments.
• Failure to apply a High Priority update might result in potential business impact.
• Most patches and hotfixes are considered High Priority.
For more information, see KB51560.
Enhancements
This release of the product includes these enhancements.
Integration with McAfee Cloud Threat Detection (McAfee CTD)
As with the existing integration with McAfee Advanced Threat Defense, this release lets you enhance threat detection by submitting files to McAfee CTD without requiring an upgrade of endpoint components. You can apply a policy that selects which files to send based on file type.
Automatic deployment configuration
We automated the configuration of the first two installed TIE servers by assigning each an Operation mode: the first becomes a Primary server instance and the second a Secondary instance. This automatic configuration covers basic failover following the minimum recommended setup. If you have more than two servers, subsequent instances are left unassigned because the definitive topology settings are environment-specific.
New operation mode: Reputation Cache server
Reputation Cache is a new operation mode for scenarios with low available bandwidth or long network delays. Instead of replicating the Primary node database, a Cache mode server synchronizes only the reputation information requested by the endpoints directly associated with it. This reduces both bandwidth usage and the response time for reputation requests.
New health checks on the Topology page
To better monitor the status of the TIE server instances, these health checks are added:
• Certificate compliance
• Internal Cache status
• Performance status
• McAfee CTD health check
• Cache topology configuration
New and updated dashboards
In McAfee ePO server, under Reporting | Dashboards, there are new and updated dashboards.
• TIE Server Data Cleanup — Summarizes the database size trend, file usage trend, and cleanup activities.
• TIE Server Infrastructure — Summarizes DXL connectivity, how McAfee GTI reputations are refreshed, and the combination of packages (server, platform, agent, and broker versions).
• TIE Server Overrides — Summarizes overrides, their trend and usage, and whether they are redundant or conflict with McAfee GTI.
• TIE Server ATD Submissions and TIE Server CTD Submissions — Summarize daily trends of Advanced Threat Defense and McAfee CTD reputations and submissions, first and last submission usage, and the top relevant submissions.
• Local Threat Intelligence — Summarizes trends of files classified as malicious, suspicious, and monitored.
Security enhancements
• Read permissions on the /etc/cron directories are now more restrictive. (1142515)
• The Network Time Protocol (NTP) package was updated to version 4.2.8-p10 to address CVE-2016-9042. (1188073)
• The BusyBox Netcat utility (nc command) is no longer available to TIE users. (1185612)
• Packages that aren't needed have been removed to prevent access by non-authorized users. (1185006)
• OpenSSL has been updated to address CVE-2017-3732 and CVE-2016-7055. (1179659)
• Sample submissions from endpoints work as expected after performing an upgrade with overlapping certificate reconfiguration. (1178053)
• A new version of RSA BSAFE SSL-J is now used to address security vulnerabilities. (1176864)
• Files in the TIE server's temporary directory now have more restrictive permissions. (1174350)
• The default PostgreSQL TLS connections now use stronger Diffie-Hellman groups. (1155744)
• Restarting the sshd service on a TIE server with FIPS mode enabled no longer produces an error. (1156609)
Default search on TIE Reputations page
We included a search filter on the TIE Reputations page based on the creation date to improve access to report
information.
Optimization of TIE server search capabilities
We included a new flag in the TIE properties file to optimize and control the search response of different
information such as file and certificates, their details, and hash prevalence at endpoint agents. See KB89436 for
details.
Resolved issues
These issues are resolved in this release of the product.
Server
• When a file is submitted to Advanced Threat Defense, the submission and corrected dates are now reported accurately. (1188887)
• On the TIE Reputations page, if a file has multiple names, the File Name field is not shown because the file names are listed in the All File Names field. (1160956)
• If you run a replication task with a primary and secondary database while the secondary database is down, an error message is displayed advising you to try again when the database is available. (1150638)
• The TIE server now sends file reputation change event messages to endpoints that are not in the first reference list of a certificate (where the certificate was prevalent at the time of the reputation change), so those endpoints now receive the reputation change information. (1182066)
• An invalid keystore password issue when upgrading the TIE server is fixed. File submissions from endpoints work as expected after the upgrade. (1178053)
• When the TIE client sends a file to Advanced Threat Defense for analysis and the file exists in the primary database but not in the secondary, the secondary server waits for the replication process to copy the new information from the primary instance. (1177841)
Server Extension
• When viewing the TIE Reputations page in Chrome or Internet Explorer, the File Details column is now sized correctly. (1178318)
• Double-byte characters are now displayed properly in the Comment field on the TIE Reputations page. (1189047)
• The TIE policy for multiple McAfee ePO servers now contains complete topology information. (1186552)
• Invalid information from metadata detected at the endpoint is no longer displayed. You can now see valid additional information on the TIE Reputations page for an endpoint with TIE enabled. (1156020)
Upgrade to 2.1.0
Follow these instructions to upgrade your software to version 2.1.0.
Before you begin
If the TIE server properties or database configuration were modified, create a backup and reapply the changes after the upgrade. Not all manual customization of the appliance configuration is preserved when upgrading.
The DXL Java Client can't be upgraded independently from McAfee ePO.
Upgrading the TIE server doesn't make your version of the product FIPS-compliant. For the TIE server to be FIPS-compliant, you must have McAfee ePO installed in FIPS mode and perform a fresh installation of the TIE server. See the McAfee ePolicy Orchestrator Installation Guide.
When upgrading, consider the following.
Procedures
• To minimize network disruption, schedule maintenance downtime for the upgrade and run a vacuum analyze task for database maintenance (see KB86092 for details).
• The endpoint reputation cache is rebuilt when upgrading the components. Perform incremental upgrades to minimize the impact on the TIE server capacity.
• Upgrade the TIE client and the DXL Broker and Client on the endpoints. See the release notes for those products.
• First upgrade the extension in McAfee ePO, then the TIE platform and the TIE server packages on the TIE appliance.
• The build numbers of the platform and the server packages must match.
Dependencies
• Upgrade the McAfee Agent for MLOS to version 5.0.4 or later before upgrading the TIE server appliance. McAfee Agent for MLOS 5.0.4 is only available at McAfee Downloads in the TIE server section. See KB85586 for instructions to deploy the agent to the TIE server appliance. Do not install the McAfee Agent for Linux because it is not compatible.
• If you upgrade the TIE server from a version earlier than 1.2.1, see the release notes for TIE server 1.2.1 and KB86128 for instructions to reset passwords after the upgrade.
Task
For details about product features, usage, and best practices, click ? or Help.
1. If you have a particular customization of the TIE server properties and database configuration, make sure you save it before continuing. Your customized configuration isn't saved after the upgrade.
2. Create a snapshot of your virtual machine (master instance, if applicable) in the VMware vSphere client. For instructions, see the VMware vSphere documentation. If you are using a non-virtual environment, see KB86092 for instructions to create bare-metal backups.
3. In McAfee ePO, select Menu | Software | Software Manager. The Updates Available tab lists the latest versions available for updates.
4. Click Threat Intelligence Exchange to see the available versions, then click Update.
5. If Software Manager doesn't show the TIE server packages, you must perform a manual upgrade.
   a. Download the Threat Intelligence Exchange 2.1.0 files from the McAfee product download website, then check in the files to the Master Repository in McAfee ePO.
   b. In McAfee ePO, select Menu | Software | Master Repository. Click Check in Package, select Package type, then click Next. On the Package Options tab, check the details of your package. Click Save to complete the check-in. Perform these steps for each package that you want to check in. First check in the platform package, then the server package.
Tasks
• Deploy the Threat Intelligence Exchange products on page 6
  To deploy the TIE products to the server appliance, create a client task for deployment on the McAfee ePO server.
• Verify the installation on page 6
  After upgrading the TIE components, verify the installation.
Deploy the Threat Intelligence Exchange products
To deploy the TIE products to the server appliance, create a client task for deployment on the McAfee ePO server.
For troubleshooting DXL Broker upgrades or installation, see the product guide and release notes for DXL.
If you plan to upgrade the DXL Brokers in your fabric to version 3.1.0, or if you plan to deploy new appliances with bundled TIE server and DXL Broker from an ISO file or OVF images, first upgrade all DXL extensions in McAfee ePO.
The TIE server help extension build version is expected to be different from the other components because it is built separately.
Task
For details about product features, usage, and best practices, click ? or Help.
1. Make sure that you have full connectivity in the DXL fabrics. In McAfee ePO, select Menu | Data Exchange Layer Fabric, then click the Refresh button. All your brokers must be listed in green.
2. In McAfee ePO, select Menu | Policy | Client Task Catalog.
3. Select McAfee Agent, then click New Task.
4. Select Product Deployment, then click OK.
5. Complete the new deployment information. For the Target platforms option, make sure that only McAfee Linux OS is selected.
6. Upgrade the packages in this order:
   a. TIE platform
   b. TIE server
   The DXL Platform package isn't compatible with the TIE appliance. The TIE server embedded DXL Client can't be upgraded.
7. Save and run the task on the TIE server. If any of the packages doesn't deploy successfully, deploy it again to rule out transient network issues. If it still fails, collect logs and contact support. See KB82850.
8. If you have already configured a registered server, follow these steps to verify connectivity. If you are upgrading from 1.2.1, you must perform this step to reload the database driver.
   a. In McAfee ePO, select Menu | Registered Servers.
   b. Select the server from Database Servers, then select TIE Server.
   c. From the Actions drop-down list, select Edit.
   d. After the edit is complete, click Next and Save.
9. Reboot the appliance so that the operating system picks up the new kernel provided by the new TIE platform package.
Verify the installation
After upgrading the TIE components, verify the installation.
Task
For details about product features, usage, and best practices, click ? or Help.
• In McAfee ePO, select Menu | Server Settings | TIE Server Topology Management and verify that your server instances are configured correctly. You can also view connectivity status on this page.
For troubleshooting, use the Minimum Escalation Requirements (MER) tool to collect product data from the server and contact technical support. See KB82850.
If initializing the TIE server takes longer than expected, consider the following options for troubleshooting.
• Verify that the TIE server extension 2.1.0 is installed in McAfee ePO.
• In McAfee ePO, run the Apply TIESERVER tags server task again.
• In McAfee ePO, wake up the agents and all appliances that have DXL brokers so that they gather policies.
• Verify the connectivity status of the components using the TIE Server Topology Management page.
• Verify the DXL connectivity in the DXL Client for McAfee ePO.
• Verify that the DXL Topology settings and the DXL Fabric are configured correctly.
• Go to /data/tieserver_pg/postgresql.conf and /opt/McAfee/tieserver/conf/tie.properties to reapply your settings, if they were manually customized.
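The "Before you begin" note and the last troubleshooting item above both come down to the same chore: back up the two configuration files before the upgrade and reapply the customized settings afterwards. As an added example (not McAfee tooling), the POSIX shell helper below copies those two files and then reports which settings in the backup differ from the upgraded file, so customizations are reapplied deliberately instead of overwriting the new defaults wholesale; the file paths are the ones named in these notes, and the sample contents in demo are constructed.

```shell
#!/bin/sh
# Added example, not McAfee tooling: back up the two files the release notes
# say to preserve, then report which settings in the backup differ from the
# freshly upgraded file. Paths are the ones named in the release notes.
set -eu

TIE_PROPS=/opt/McAfee/tieserver/conf/tie.properties
PG_CONF=/data/tieserver_pg/postgresql.conf

# backup_configs DIR: copy both configuration files into DIR (run this
# before the upgrade, while the customized versions are still in place).
backup_configs() {
  mkdir -p "$1"
  cp "$TIE_PROPS" "$1/tie.properties"
  cp "$PG_CONF" "$1/postgresql.conf"
}

# customized_settings BACKUP CURRENT: print "key<TAB>backup<TAB>current"
# for each "key=value" or "key = value" setting whose value in BACKUP
# differs from CURRENT, or that CURRENT no longer sets ("<missing>").
# Comment and blank lines are ignored; keys keep their order from BACKUP.
customized_settings() {
  awk '
    function parse(line,   k, v) {
      k = line; sub(/[ \t]*=.*$/, "", k); sub(/^[ \t]+/, "", k)
      v = line; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
      key = k; val = v
    }
    /^[ \t]*#/ || /^[ \t]*$/ || index($0, "=") == 0 { next }
    FILENAME == ARGV[1] {
      parse($0); if (!(key in old)) order[++n] = key; old[key] = val; next
    }
    { parse($0); new[key] = val; seen[key] = 1 }
    END {
      for (i = 1; i <= n; i++) {
        k = order[i]
        if (!(k in seen)) print k "\t" old[k] "\t<missing>"
        else if (new[k] != old[k]) print k "\t" old[k] "\t" new[k]
      }
    }' "$1" "$2"
}

# demo: constructed sample backup and upgraded postgresql.conf fragments.
demo() {
  d=$(mktemp -d)
  printf '# constructed sample\nssl = on\nmax_connections = 300\n' > "$d/backup"
  printf '# after upgrade\nssl = on\nmax_connections = 100\n' > "$d/current"
  customized_settings "$d/backup" "$d/current"
  rm -rf "$d"
}
demo
```

Settings that the report lists as changed should be re-entered by hand in the upgraded file; keys the upgraded file introduces are left untouched, since they are new defaults rather than lost customizations.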
Known issues
See KB85172 for a list of known issues.
Getting product information by email
The Support Notification Service (SNS) delivers valuable product news, alerts, and best practices to help you
increase the functionality and protection capabilities of your McAfee products.
To receive SNS email notices, go to the SNS Subscription Center at https://sns.secure.mcafee.com/signup_login
to register and select your product information options.
Find product documentation
On the ServicePortal, you can find information about a released product, including product documentation,
technical articles, and more.
Task
1. Go to the ServicePortal at https://support.mcafee.com and click the Knowledge Center tab.
2. In the Knowledge Base pane under Content Source, click Product Documentation.
3. Select a product and version, then click Search to display a list of documents.
Copyright © 2017 McAfee LLC
McAfee and the McAfee logo are trademarks or registered trademarks of McAfee LLC or its subsidiaries in the US and other countries. Other
marks and brands may be claimed as the property of others.