Tech Talk: The Data Exchange Layer (DXL)

Transcript of Tech Talk: The Data Exchange Layer (DXL)

Page 1: Tech Talk: The Data Exchange Layer (DXL)

Intel Security Confidential

Bret Lenmark, Product Marketing
Darren Thomas, Senior Product Manager

The Data Exchange Layer (DXL)

Page 2: Tech Talk: The Data Exchange Layer (DXL)


What is DXL?

Page 3: Tech Talk: The Data Exchange Layer (DXL)


DXL is…

OPEN: DXL is a bi-directional, open communication platform connecting your security solutions into a single ecosystem.

INTEGRATED: DXL provides a standardized communication layer for all products, regardless of their underlying proprietary architecture.

SIMPLE: DXL dramatically simplifies integrations with a one-time setup, while encouraging open vendor participation.

FAST: The increased speed, agility, and scalability strengthen the foundation for threat detection and response across the IT landscape.

A Security Information Superhighway

Page 4: Tech Talk: The Data Exchange Layer (DXL)


Security Connected Ecosystem Vision

New era in security where all components come together to work as a single cohesive system, regardless of vendor or underlying architecture

Figure: Intel Security Solutions, 3rd Party Threat Intelligence, Innovation Alliance Partners and 3rd Party Vendors arranged around the ecosystem

Page 5: Tech Talk: The Data Exchange Layer (DXL)


McAfee Data Exchange Layer: Standardized integration and communication to break down operational silos

Disjointed API-Based Integrations
Result:
• Slow, heavy, and burdensome
• Complex and expensive to maintain
• Limited vendor participation
• Fragmented visibility

Collaborative Fabric-Based Ecosystem (DXL)
Result:
• Fast, lightweight, and streamlined
• Simplified and reduced TCO
• Open vendor participation
• Simplicity: one-time integration

Page 6: Tech Talk: The Data Exchange Layer (DXL)


Partner DXL Integrations

Figure: Intel Security Innovation Alliance partner integrations, grouped as Completed Integrations, Integrations In Development, and Integrations in Design Phase

Page 7: Tech Talk: The Data Exchange Layer (DXL)


How does DXL work?

Page 8: Tech Talk: The Data Exchange Layer (DXL)


Data Exchange Layer Architecture

Broker
• Responsible for routing messages between the clients that are connected to the message bus
• Brokers can be connected to each other (“bridged”) to allow for redundancy, scalability, and communication across different geographical locations
• Brokers run on Linux-based servers distributed as a packaged appliance (virtual machine)
• Communication between brokers is over a TLS-based connection with bi-directional authentication (PKI)

Client
• Clients connect to brokers for the purposes of exchanging messages
• Communication with brokers is over a TLS-based connection with bi-directional authentication (PKI)

Page 9: Tech Talk: The Data Exchange Layer (DXL)


Data Exchange Layer Architecture

McAfee ePolicy Orchestrator (ePO)
• Used to sign DXL-based certificates on both the clients and brokers as part of the initial provisioning process
• Manage policy for brokers
  - Fabric topology
  - Message topic authorization
• Manage policy for clients
  - Brokers to connect to
• Embedded DXL client
• Health status of connected brokers/clients

Page 10: Tech Talk: The Data Exchange Layer (DXL)


Data Exchange Layer Architecture

DXL Communication Details
• Message infrastructure based on MQ Telemetry Transport (MQTT)
  - Simple and lightweight publish/subscribe messaging protocol
  - Designed for constrained devices and low-bandwidth, high-latency or unreliable networks
• Communication over a configurable port
• TCP connections are persistent (always connected)
  - Client to Broker
  - Broker to Broker
• Transport Layer Security (TLS) 1.2 with mutual authentication
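An added example, not code from the presentation or from the DXL client library, of what the client side of "TLS 1.2 with mutual authentication" on pages 8 to 10 amounts to, written with Python's standard ssl module against a generic TLS endpoint. The hardened context trusts only the CA that signed the broker certificates (ePO in DXL), presents the client's own certificate so the broker can authenticate it in return, and refuses anything below TLS 1.2. The weak context beside it is what a client that merely "makes it connect" ends up with, and the audit function flags the difference. The certificate paths, function names and the audit checks are assumptions for illustration.

```python
"""Added example: client-side TLS settings for a mutually authenticated broker
connection, using Python's standard ssl module (not DXL's own client library)."""
import ssl
from typing import List, Optional


def build_mtls_client_context(cafile: Optional[str] = None,
                              certfile: Optional[str] = None,
                              keyfile: Optional[str] = None) -> ssl.SSLContext:
    """Hardened context: verify the broker against the provisioning CA, present the
    client's own certificate (mutual auth) and require TLS 1.2 or newer.
    The file paths are assumptions; with none given the context still carries the
    verification settings, which is what audit_context() inspects."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED and check_hostname on by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # the "TLS 1.2" on the slide, as a floor
    if cafile:
        # Only the CA that signed the broker certificates (ePO in DXL) is trusted; the
        # system store is never loaded, so a public CA cannot impersonate a broker.
        ctx.load_verify_locations(cafile=cafile)
    if certfile:
        # The client certificate issued during provisioning is what the broker
        # authenticates in the other direction.
        ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx


def build_weak_client_context() -> ssl.SSLContext:
    """What a "just make it connect" client ends up with: the broker is never verified,
    so anyone on the path can stand up a fake broker and read or inject messages."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the settings that fall short of the broker-connection requirements."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: the broker certificate is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: the certificate is not tied to the broker's name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows TLS below 1.2")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(build_mtls_client_context()) or "no findings")
    print("weak:", audit_context(build_weak_client_context()))
```

The broker side mirrors this with a server context whose verify_mode is also CERT_REQUIRED, so a client without a certificate signed by the provisioning CA never completes the handshake; that is the "bi-directional authentication (PKI)" of page 8.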

Page 11: Tech Talk: The Data Exchange Layer (DXL)


Data Exchange Layer Architecture

• A hub-and-spoke model is used for the broker topology
• DXL allows for 2 brokers in a “hub” to support failover
• The topology is managed via ePO (via policy)
• Connections are established in one direction (“firewall friendly”), but once established, communication over them is bi-directional

Page 12: Tech Talk: The Data Exchange Layer (DXL)


Data Exchange Layer Architecture

If one of the brokers within the hub goes down:
• The topology will continue to function without segmentation (bridged child brokers will move to the remaining broker in the hub)
• The model allows for both brokers to function simultaneously (it isn't simply a standby failover; both brokers are active)

Page 13: Tech Talk: The Data Exchange Layer (DXL)

Event-based Messaging

Figure: hubs of paired brokers bridged to child brokers, with clients connected to the brokers

• Events are traditional publish/subscribe messages
• A Client sends an Event on a particular topic and it is delivered to all Clients that are currently subscribed
• One-to-many communication pattern
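An added example, not code from the presentation or from DXL, of the two mechanics described on this slide and on the ePO slide (page 9): delivery of an Event to every Client subscribed to its topic, and the broker enforcing per-client topic authorization for both subscribe and publish. It models a single broker in memory in Python with MQTT-style topic filters ('+' matches one level, '#' matches the remaining levels). The client names, topic names and the ACL are constructed for the example and are not DXL's real topic namespace.

```python
"""Added example: pub/sub delivery with MQTT-style topic filters and per-client
topic authorization, modelled in memory (not the DXL broker's own code)."""
from collections import defaultdict
from typing import Dict, List, Optional


def topic_matches(filter_: str, topic: str) -> bool:
    """True if an MQTT topic filter matches a concrete topic (no wildcards in the topic)."""
    f, t = filter_.split("/"), topic.split("/")
    for i, part in enumerate(f):
        if part == "#":
            return i == len(f) - 1          # '#' is only valid as the last level
        if i >= len(t) or (part != "+" and part != t[i]):
            return False
    return len(f) == len(t)


def filter_covers(allowed: str, requested: str) -> bool:
    """True if every topic matched by `requested` is also matched by `allowed`.
    Used for subscribe ACLs, where the requested filter may itself carry wildcards."""
    a, r = allowed.split("/"), requested.split("/")
    for i, part in enumerate(a):
        if part == "#":
            return True
        if i >= len(r) or r[i] == "#":      # requested reaches further than allowed
            return False
        if part != "+" and part != r[i]:
            return False
    return len(a) == len(r)


class Broker:
    def __init__(self, acl: Dict[str, Dict[str, List[str]]]):
        # acl: client name -> {"publish": [allowed filters], "subscribe": [allowed filters]}
        # In DXL this policy is managed centrally (ePO); here it is a constructed dict.
        self.acl = acl
        self.subscriptions: Dict[str, List[str]] = defaultdict(list)  # filter -> client names
        self.inbox: Dict[str, List[dict]] = defaultdict(list)          # client -> delivered events

    def subscribe(self, client: str, filter_: str) -> bool:
        """Accept the subscription only if an allowed filter covers the requested one."""
        allowed = self.acl.get(client, {}).get("subscribe", [])
        if not any(filter_covers(a, filter_) for a in allowed):
            return False
        if client not in self.subscriptions[filter_]:
            self.subscriptions[filter_].append(client)
        return True

    def publish(self, client: str, topic: str, payload: dict) -> Optional[List[str]]:
        """Deliver an Event to every subscribed client; None if the publisher is not authorized."""
        allowed = self.acl.get(client, {}).get("publish", [])
        if not any(topic_matches(a, topic) for a in allowed):
            return None
        recipients = set()
        for filter_, clients in self.subscriptions.items():
            if topic_matches(filter_, topic):
                recipients.update(clients)
        for name in sorted(recipients):
            self.inbox[name].append({"topic": topic, "payload": payload})
        return sorted(recipients)


def build_demo_broker() -> Broker:
    """Constructed clients, topics and ACL: a reputation service may publish reputation
    events, a SIEM may subscribe to all events, an endpoint may only ask and listen."""
    acl = {
        "tie-server": {"publish": ["/acme/event/reputation/#"], "subscribe": ["/acme/request/reputation/#"]},
        "esm":        {"publish": [], "subscribe": ["/acme/event/#"]},
        "endpoint-a": {"publish": ["/acme/request/reputation/+"], "subscribe": ["/acme/event/reputation/change"]},
        "gateway":    {"publish": ["/acme/event/reputation/change"], "subscribe": ["/acme/event/reputation/+"]},
    }
    broker = Broker(acl)
    broker.subscribe("esm", "/acme/event/#")
    broker.subscribe("endpoint-a", "/acme/event/reputation/change")
    broker.subscribe("gateway", "/acme/event/reputation/+")
    return broker


if __name__ == "__main__":
    b = build_demo_broker()
    print(b.publish("tie-server", "/acme/event/reputation/change", {"sha256": "...", "trust": "low"}))
    print(b.publish("endpoint-a", "/acme/event/reputation/change", {"trust": "high"}))  # denied
```

The second publish in the demo is the case topic authorization exists for: an endpoint that could publish on the reputation event topic could push a "trusted" verdict to every subscriber, so the ACL limits it to the request topics.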

Page 14: Tech Talk: The Data Exchange Layer (DXL)

Service-based Request/Response Messaging

Figure: World Hub bridged to a North America Hub (Reputation Service instance 3), a Europe Hub (Reputation Service instance 4) and a San Francisco Hub whose brokers host Reputation Service instances 1 and 2 and the requesting Client

• Client sends a Request on a topic associated with a specific service type (Reputation Service)
• Broker utilizes the Service Registry to select a Service instance to handle the Request and routes it via static routing
• Service instance processes the Request and sends back a Response to the Client via static routing

Page 15: Tech Talk: The Data Exchange Layer (DXL)

Service Zones

Figure: the same topology, with the North America, Europe and San Francisco hubs each drawn as a Service Zone

• Start with a typical topology based on geography
• Add some Services
• By default, Requests will round-robin all Service instances of a particular Service type
• A Client connected to a Broker in San Francisco would round-robin Reputation Service instances around the world: all 4 Service instances

Page 16: Tech Talk: The Data Exchange Layer (DXL)

Service Zones

Figure: the same topology with Service Zones

• Establishing Service Zones prevents routing Requests outside of the current Zone unless no Service instance is available
• The Client would now round-robin the two Service instances located in the San Francisco Service Zone: Service instances 1 and 2

Page 17: Tech Talk: The Data Exchange Layer (DXL)

Service Zones

Figure: the same topology with Service Zones

• In the event that the two Service instances in San Francisco fail, Requests will be routed to instances in the parent Zone (North America Service Zone): Service instance 3
• If the Service instance in North America failed, Requests will be routed to instances in the parent Zone (default “Global” Service Zone, any available Services): Service instance 4
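The routing rules on pages 15 to 17, as an added example in Python (a model written for this page, not the DXL broker's implementation): a registry of Service instances with zone membership, round-robin over the instances of a type, and the walk up the zone hierarchy to the parent and finally the default "Global" zone when nothing in the current zone is available. The zone names follow the slides; the instance names, the parent map and the registry API are assumptions. Static routing of the Request and Response through bridged brokers is not modelled.

```python
"""Added example: service-zone aware selection of a Service instance, modelled on
the DXL Service Zone slides (not the DXL broker's own code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ServiceInstance:
    name: str            # constructed names, e.g. "reputation-1"
    service_type: str    # the service type a Request topic maps to
    zone: str            # Service Zone the instance is registered in
    available: bool = True


class ServiceRegistry:
    GLOBAL = "Global"    # implicit root zone: any available instance qualifies

    def __init__(self, zone_parent: Dict[str, str], zones_enabled: bool = True):
        self.zone_parent = zone_parent          # zone -> parent zone (assumed layout)
        self.zones_enabled = zones_enabled
        self.instances: List[ServiceInstance] = []
        self._rr: Dict[Tuple[str, str], int] = {}   # round-robin counters

    def register(self, inst: ServiceInstance) -> None:
        self.instances.append(inst)

    def set_available(self, name: str, available: bool) -> None:
        for inst in self.instances:
            if inst.name == name:
                inst.available = available

    def candidates(self, client_zone: str, service_type: str) -> List[ServiceInstance]:
        """Available instances a Request from client_zone may be routed to."""
        pool = [i for i in self.instances if i.service_type == service_type and i.available]
        if not self.zones_enabled:
            return pool                 # default: every instance of the type, anywhere
        zone: Optional[str] = client_zone
        while zone is not None and zone != self.GLOBAL:
            in_zone = [i for i in pool if i.zone == zone]
            if in_zone:
                return in_zone          # stay inside the current zone while it can serve
            zone = self.zone_parent.get(zone)   # otherwise fall back to the parent zone
        return pool                     # Global zone: any available instance

    def select(self, client_zone: str, service_type: str) -> Optional[ServiceInstance]:
        """Round-robin over the candidate set for this client zone and service type."""
        cands = sorted(self.candidates(client_zone, service_type), key=lambda i: i.name)
        if not cands:
            return None
        key = (client_zone, service_type)
        n = self._rr.get(key, 0)
        self._rr[key] = n + 1
        return cands[n % len(cands)]

    def route(self, client_zone: str, service_type: str, requests: int) -> List[str]:
        """Names of the instances chosen for a run of consecutive Requests."""
        chosen = []
        for _ in range(requests):
            inst = self.select(client_zone, service_type)
            chosen.append(inst.name if inst else "<no service available>")
        return chosen


def build_demo_registry(zones_enabled: bool = True) -> ServiceRegistry:
    """The slides' topology: San Francisco under North America, Europe alongside, Global as root."""
    reg = ServiceRegistry({"San Francisco": "North America",
                           "North America": "Global",
                           "Europe": "Global"}, zones_enabled)
    for name, zone in [("reputation-1", "San Francisco"), ("reputation-2", "San Francisco"),
                       ("reputation-3", "North America"), ("reputation-4", "Europe")]:
        reg.register(ServiceInstance(name, "reputation", zone))
    return reg


if __name__ == "__main__":
    reg = build_demo_registry()
    print("zoned:", reg.route("San Francisco", "reputation", 4))
    reg.set_available("reputation-1", False)
    reg.set_available("reputation-2", False)
    print("SF down:", reg.route("San Francisco", "reputation", 2))
    reg.set_available("reputation-3", False)
    print("NA down:", reg.route("San Francisco", "reputation", 1))
    print("no zones:", build_demo_registry(zones_enabled=False).route("San Francisco", "reputation", 4))
```

With zones disabled the San Francisco client spreads its Requests across all four instances, which is the page 15 behaviour; with zones enabled it stays on instances 1 and 2 until both are gone, then 3, then 4, which is the failover sequence of pages 16 and 17.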

Page 18: Tech Talk: The Data Exchange Layer (DXL)


Application Ecosystems powered by DXL

Page 19: Tech Talk: The Data Exchange Layer (DXL)


Threat Intelligence Exchange Approach

Security products should work together

Security products should get stronger over time

Security products should learn from each other

Page 20: Tech Talk: The Data Exchange Layer (DXL)


Publish/Subscribe Model

Figure: McAfee Data Exchange Layer (DXL) connecting McAfee ESM, McAfee TIE Endpoint Modules, McAfee ePO, McAfee ATD, McAfee Web Gateway, McAfee NSP, McAfee MOVE, McAfee Application Control, McAfee DLP Endpoint, McAfee TIE Server and 3rd Party Solutions

All components which subscribe to the topic listen for information

Page 21: Tech Talk: The Data Exchange Layer (DXL)


1:1 Query/Response Model

Figure: the same DXL-connected products

Any DXL integrated component can query a service, such as TIE, and receive a response

Page 22: Tech Talk: The Data Exchange Layer (DXL)


Operationalize Threat Intelligence

Page 23: Tech Talk: The Data Exchange Layer (DXL)


Improve Your Infrastructure Awareness

• Share file reputation intelligence in milliseconds
• Inform your entire security infrastructure
• Aggregate internal and external sources

Page 24: Tech Talk: The Data Exchange Layer (DXL)


Enhanced Endpoint Protection

Figure: McAfee TIE Endpoint Modules, McAfee ATD, McAfee Web Gateway, McAfee Global Threat Intelligence, 3rd Party Solutions and McAfee TIE Server connected over the Data Exchange Layer

• File age hidden
• Signed with a revoked certificate
• Created by an untrusted process
Trust Level: Low
Action: Block

Page 25: Tech Talk: The Data Exchange Layer (DXL)


Operationalizing Threat Intelligence

Figure: the DXL-connected products, plus a STIX Import and McAfee Global Threat Intelligence

Page 26: Tech Talk: The Data Exchange Layer (DXL)


The Threat Intelligence Exchange Integrated Security Ecosystem

Page 27: Tech Talk: The Data Exchange Layer (DXL)


Advanced Threat Defense Determines File Reputation

Figure: the DXL-connected products

• Unknown files are sent to ATD for static and dynamic analysis
• ATD determines the file to be malicious
• Updated file information is shared instantly to all connected solutions, providing real-time protection

Page 28: Tech Talk: The Data Exchange Layer (DXL)


From Detect to Protect in Milliseconds

Threats Uncovered on Network Provide Local Threat Protection

Figure: the DXL-connected products, including McAfee Global Threat Intelligence

Intelligence shared to all connected solutions, providing real-time protection

Page 29: Tech Talk: The Data Exchange Layer (DXL)


McAfee Web Gateway as a Source of Local Threat Intelligence

Figure: the DXL-connected products

• Gateway Anti-Malware engine detects zero-day malware
• Web Protection publishes the new malware reputation to TIE
• Endpoints and other sensors are updated by TIE immediately, providing reputation for zero-day malware before a new DAT is published

Page 30: Tech Talk: The Data Exchange Layer (DXL)


Application Control with Threat Intelligence Exchange Protects IaaS

Figure: the DXL-connected products

• Unknown process is discovered on a cloud server
• Request for information is sent to TIE for lookup
• Application Control prevents the malicious process from running

Page 31: Tech Talk: The Data Exchange Layer (DXL)


McAfee Data Loss Prevention and TIE Preventing Possible Breach

Figure: the DXL-connected products

File: Possibly Malicious
Trust Level: Medium
Action: DLP Monitors for Data Loss

Page 32: Tech Talk: The Data Exchange Layer (DXL)


What about 3rd party integrations?

Page 33: Tech Talk: The Data Exchange Layer (DXL)


Partner DXL Integrations

Figure: Intel Security Innovation Alliance partner integrations, grouped as Completed Integrations, Integrations In Development, and Integrations in Design Phase

Page 34: Tech Talk: The Data Exchange Layer (DXL)


Keep checking back at…


http://www.mcafee.com/us/partners/security-innovation-alliance/dxl-integrated-partners.aspx

Page 35: Tech Talk: The Data Exchange Layer (DXL)


Q&A
