tech talk: the data exchange layer (dxl)
TRANSCRIPT
Intel Security Confidential
Bret Lenmark, Product Marketing
Darren Thomas, Senior Product Manager
The Data Exchange Layer (DXL)
What is DXL?
DXL is…
OPEN
DXL is a bi-directional, open communication platform connecting your security solutions into a single ecosystem.
INTEGRATED
DXL provides a standardized communication layer for all products, regardless of their underlying proprietary architecture.
SIMPLE
DXL dramatically simplifies integrations with a one-time setup, while encouraging open vendor participation.
FAST
With this increased speed, agility, and scalability you strengthen the foundation for threat detection and response across the IT landscape.
A Security Information Superhighway
Security Connected Ecosystem Vision
New era in security where all components come together to work as a single cohesive system, regardless of vendor or underlying architecture
(Diagram: Intel Security Solutions, 3rd Party Threat Intelligence, Innovation Alliance Partners and 3rd Party Vendors converging on one ecosystem)
McAfee Data Exchange Layer: Standardized integration and communication to break down operational silos

Disjointed API-Based Integrations (Result):
Slow, heavy, and burdensome
Complex and expensive to maintain
Limited vendor participation
Fragmented visibility

Collaborative Fabric-Based Ecosystem (DXL) (Result):
Fast, lightweight, and streamlined
Simplified and reduced TCO
Open vendor participation
Simplicity: one-time integration
Partner DXL Integrations
(Diagram: Intel Security Innovation Alliance partners grouped as Completed Integrations, Integrations In Development and Integrations in Design Phase)
How does DXL work?
Data Exchange Layer Architecture
Broker
Responsible for routing messages between the clients that are connected to the message bus
Brokers can be connected to each other (“bridged”) to allow for redundancy, scalability, and communication across different geographical locations
Brokers run on Linux-based servers distributed as a packaged appliance (virtual machine)
Communication between brokers is over a TLS-based connection with bi-directional authentication (PKI)
Client
Clients connect to brokers for the purposes of exchanging messages
Communication with brokers is over a TLS-based connection with bi-directional authentication (PKI)
Data Exchange Layer Architecture
McAfee ePolicy Orchestrator (ePO)
Used to sign DXL-based certificates on both the clients and brokers as part of the initial provisioning process
Manage policy for brokers: Fabric Topology; Message topic authorization
Manage policy for clients: Brokers to connect to
Embedded DXL client
Health status of connected brokers/clients
Data Exchange Layer Architecture
DXL Communication Details
Message infrastructure based on MQ Telemetry Transport (MQTT)
Simple and lightweight publish/subscribe messaging protocol
Designed for constrained devices and low-bandwidth, high-latency or unreliable networks
Communication over configurable port
TCP connections are persistent (always connected): Client to Broker, Broker to Broker
Transport Layer Security (TLS) 1.2 with mutual authentication
Data Exchange Layer Architecture
A Hub-and-Spoke model is used for the broker topology
DXL allows for 2 brokers in a “hub” to support failover
The topology is managed via ePO (via Policy)
Connections are established in one direction (“firewall friendly”)
Communication is bi-directional
Data Exchange Layer Architecture
If one of the brokers within the hub goes down:
The topology will continue to function without segmentation (bridged-child brokers will move to the remaining broker in the hub).
The model allows for both brokers to function simultaneously (it isn't simply a standby failover, both brokers are active).
Event-based Messaging
(Diagram: Hub, Broker and Client topology)
• Events are traditional publish/subscribe messages
• A Client sends an Event on a particular topic and it is delivered to all Clients that are currently subscribed
• One-to-many communication pattern
Service-based Request/Response Messaging
(Diagram: World Hub with North America Hub, Europe Hub and San Francisco Hub; Reputation Service Instances 1 and 2 in San Francisco, Instance 3 in North America, Instance 4 in Europe; a Client attached to a San Francisco Broker)
• Client sends a Request on a topic associated with a specific service type (Reputation Service)
• Broker utilizes Service Registry to select a Service instance to handle the Request and routes it via static routing
• Service instance processes the Request and sends back a Response to the Client via static routing
Service Zones
(Diagram: World, North America, Europe and San Francisco Hubs with their Service Zones and Reputation Service Instances 1 to 4; the San Francisco Service Zone sits inside the North America Service Zone)
• Start with typical Topology based on geography
• Add some Services
• By default, Requests will round-robin all Service instances of a particular Service type
• A Client connected to a Broker in San Francisco would round-robin Reputation Service instances around the world: all 4 Service instances
Service Zones
(Diagram: World, North America, Europe and San Francisco Hubs with their Service Zones and Reputation Service Instances 1 to 4)
• Establishing Service Zones prevents routing Requests outside of the current Zone unless no Service instance is available
• The Client would now round-robin the two Service instances located in the San Francisco Service Zone: Service instances 1 and 2
• In the event that the two Service instances in San Francisco fail, Requests will be routed to instances in the parent Zone (North America Service Zone): Service instance 3
Service Zones
(Diagram: World, North America, Europe and San Francisco Hubs with their Service Zones and Reputation Service Instances 1 to 4)
• If the Service instance in North America failed, Requests will be routed to instances in the parent Zone (Default “Global” Service Zone, any available Services): Service instance 4
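The Service Zone routing walked through on the last three slides, as an added example that is not DXL product code: a toy Service Registry that round-robins inside the client's zone and falls back to the parent zone and then to the default Global zone. The zone hierarchy (San Francisco under North America, both and Europe under Global), the instance names and the fail() helper are assumptions constructed to mirror the slides.

```python
# Added example, not DXL product code: a toy model of the broker-side service selection
# the slides describe (per-zone round-robin with fallback to the parent zone, then Global).
# Zone names, instance names and the fail() helper are constructed to match the slides.

GLOBAL = "Global"  # default root zone: any available instance of the service type
# Child zone -> parent zone as drawn on the slides (San Francisco sits under North America).
PARENT_ZONE = {"San Francisco": "North America", "North America": GLOBAL, "Europe": GLOBAL}

class ServiceRegistry:
    def __init__(self):
        self.instances = {}   # (service_type, zone) -> [instance names], insertion ordered
        self.healthy = set()  # instances currently able to take Requests
        self._rr = {}         # (service_type, zone) -> next round-robin position

    def register(self, service_type, zone, name):
        self.instances.setdefault((service_type, zone), []).append(name)
        self.healthy.add(name)

    def fail(self, name):  # constructed helper: mark an instance unavailable
        self.healthy.discard(name)

    def select(self, service_type, client_zone, zones_enabled=True):
        """Pick the instance to handle a Request from a client in client_zone.
        Zones on: walk up from the client's zone and round-robin inside the first zone
        with a healthy instance. Zones off (the slides' default): one global round-robin."""
        zone = client_zone if zones_enabled else GLOBAL
        while zone is not None:
            if zone == GLOBAL:  # root zone: every instance of this type, anywhere
                pool = [n for (t, _), names in self.instances.items()
                        if t == service_type for n in names]
            else:
                pool = self.instances.get((service_type, zone), [])
            candidates = [n for n in pool if n in self.healthy]
            if candidates:
                pos = self._rr.get((service_type, zone), 0)
                self._rr[(service_type, zone)] = pos + 1
                return candidates[pos % len(candidates)]
            zone = PARENT_ZONE.get(zone)  # GLOBAL has no parent, so the loop ends
        return None  # no instance of this type is available in any zone

def build_registry():
    """Constructed fabric: the four Reputation Service instances shown on the slides."""
    reg = ServiceRegistry()
    reg.register("Reputation Service", "San Francisco", "Instance 1")
    reg.register("Reputation Service", "San Francisco", "Instance 2")
    reg.register("Reputation Service", "North America", "Instance 3")
    reg.register("Reputation Service", "Europe", "Instance 4")
    return reg
```

Calling select() repeatedly for a San Francisco client and failing instances in between reproduces the slide sequence: Instances 1 and 2 alternate, then Instance 3, then Instance 4, then nothing.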
Application Ecosystems powered by DXL
Threat Intelligence Exchange Approach
Security products should work together
Security products should get stronger over time
Security products should learn from each other
Publish/Subscribe Model
(Diagram: McAfee ESM, McAfee TIE Endpoint Modules, McAfee ePO, McAfee ATD, McAfee Web Gateway, McAfee NSP, McAfee MOVE, McAfee Application Control, McAfee DLP Endpoint, McAfee TIE Server and 3rd Party Solutions connected through the McAfee Data Exchange Layer (DXL))
All components which subscribe to the topic listen for information
1:1 Query/Response Model
(Diagram: McAfee ESM, McAfee TIE Endpoint Modules, McAfee ePO, McAfee ATD, McAfee Web Gateway, McAfee NSP, McAfee MOVE, McAfee Application Control, McAfee DLP Endpoint, McAfee TIE Server and 3rd Party Solutions connected through the McAfee Data Exchange Layer (DXL))
Any DXL integrated component can query a service, such as TIE, and receive a response
Operationalize Threat Intelligence
Improve Your Infrastructure Awareness
Share file reputation intelligence in milliseconds
Inform your entire security infrastructure
Aggregate internal and external sources
Enhanced Endpoint Protection
(Diagram: McAfee TIE Endpoint Modules, McAfee ATD, McAfee Web Gateway, McAfee Global Threat Intelligence, McAfee TIE Server and 3rd Party Solutions connected through the Data Exchange Layer)
File age hidden
Signed with a revoked certificate
Created by an untrusted process
Trust Level: Low
Action: Block
Operationalizing Threat Intelligence
(Diagram: McAfee ESM, McAfee TIE Endpoint Modules, McAfee ePO, STIX Import, McAfee MOVE, McAfee Application Control, McAfee DLP Endpoint, McAfee Global Threat Intelligence, McAfee ATD, McAfee Web Gateway, McAfee NSP, McAfee TIE Server and 3rd Party Solutions connected through the Data Exchange Layer)
The Threat Intelligence Exchange Integrated Security Ecosystem
Advanced Threat Defense Determines File Reputation
(Diagram: McAfee ESM, McAfee TIE Endpoint Modules, McAfee ePO, McAfee MOVE, McAfee Application Control, McAfee DLP Endpoint, McAfee Global Threat Intelligence, McAfee ATD, McAfee Web Gateway, McAfee NSP, McAfee TIE Server and 3rd Party Solutions connected through the Data Exchange Layer)
Unknown files are sent to ATD for static and dynamic analysis
ATD determines file to be malicious
Updated file information is shared instantly to all connected solutions, providing real-time protection
From Detect to Protect in Milliseconds
Threats Uncovered on Network Provide Local Threat Protection
(Diagram: McAfee Global Threat Intelligence, McAfee ESM, McAfee TIE Endpoint Modules, McAfee ePO, McAfee MOVE, McAfee ATD, McAfee Web Gateway, McAfee NSP, McAfee TIE Server and 3rd Party Solutions connected through the Data Exchange Layer)
Intelligence shared to all connected solutions, providing real-time protection
McAfee Web Gateway as a Source of Local Threat Intelligence
(Diagram: McAfee ESM, McAfee TIE Endpoint Modules, McAfee ePO, McAfee ATD, McAfee Web Gateway, McAfee NSP, McAfee MOVE, McAfee Application Control, McAfee DLP Endpoint, McAfee Global Threat Intelligence, McAfee TIE Server and 3rd Party Solutions connected through the Data Exchange Layer)
Gateway Anti-Malware engine detects zero-day malware
Web Protection publishes the new malware reputation to TIE
Endpoints and other sensors are updated by TIE immediately, providing reputation for zero-day malware before a new DAT is published
Application Control with Threat Intelligence Exchange Protects IaaS
(Diagram: McAfee ESM, McAfee TIE Endpoint Modules, McAfee ePO, McAfee ATD, McAfee Web Gateway, McAfee NSP, McAfee MOVE, McAfee Application Control, McAfee DLP Endpoint, McAfee Global Threat Intelligence, McAfee TIE Server and 3rd Party Solutions connected through the Data Exchange Layer)
Unknown process is discovered on Cloud Server
Request for information sent to TIE for lookup
Application Control prevents malicious process from running
McAfee Data Loss Prevention and TIE Preventing Possible Breach
(Diagram: McAfee ESM, McAfee TIE Endpoint Modules, McAfee ePO, McAfee Web Gateway, McAfee NSP, McAfee MOVE, McAfee Application Control, McAfee DLP Endpoint, McAfee Global Threat Intelligence, McAfee TIE Server and 3rd Party Solutions connected through the Data Exchange Layer)
File: Possibly Malicious
Trust Level: Medium
Action: DLP Monitors for Data Loss
What about 3rd party integrations?
Partner DXL Integrations
(Diagram: Intel Security Innovation Alliance partners grouped as Completed Integrations, Integrations In Development and Integrations in Design Phase)
Keep checking back at…
http://www.mcafee.com/us/partners/security-innovation-alliance/dxl-integrated-partners.aspx
Q&A