Views:

Recommendation

Connected Threat Defense (CTD) is a layered security approach that gives you a better way to quickly protect, detect, and respond to new threats while simultaneously improving visibility and streamlining investigation. CTD allows you to block unknown malware or URLs on the endpoints or servers by using Suspicious Objects obtained from other Deep Discovery family products. Enabling CTD helps organization combat potential threats at an early stage.

 
Suspicious Objects are essential part for CTD. Look at what kinds of Suspicious Objects there are before configuration.
 

Deep Discovery Suspicious Objects are defined with 4 data types:

  • IP
  • URL
  • Domain
  • SHA1 (SHA1 hash of a file object)

According to the actors who generate Suspicious Objects, Suspicious Objects can be categorized into 2 groups:

  • User-defined Suspicious Object (UDSO)

    User-defined Suspicious Objects are defined by users via management console, pushed from TAXII clients, or downloaded from external threat feeds.

  • Virtual-Analyzer-detected Suspicious Object (VASO)

    Suspicious Objects collected from Virtual Analyzer detection during run-time sandbox simulation.

CTD product capability

With regards to what kind of integrated features are available, refer to the KB article: Connected Threat Defense (CTD) product support capabilities of Control Manager (TMCM) / Apex Central 2019.

System Requirements

Make sure that the versions of the products you use are supported by CTD. Please refer to the product's Administrator's Guide.

Configuration For Scenario 1

  1. If you use DDAN as an external virtual analyzer, register DDAN to Apex Central.

    1. On the Apex Central web console, go to Administration > Managed Servers > Server Registration. then Click Add.

      Server Registration

    2. The Add Server screen appears. Provide the necessary DDAN information on each field. Note to select DDAN on the Product: field. After that, click Save.

      enter DDAN information

    3. DDAN will be listed on the Server Registration Page.

      DDAN on Server Registration Page

  2. Check API key on the Apex Central.
    1. On the Apex Central web console, go to Threat Intel > Distribution Settings.
    2. On the Managed Products tab, make sure that Send suspicious objects to managed products is enabled, and record the Service URL and API key.

      check Send suspicious objects to managed products

  3. Register DDI to the Apex Central
    1. On the DDI web console, go to Administration > Integrated Products/Services > Apex Central.

    2. On Connection Settings, provide the necessary Apex Central information on each field.

      Under the Suspicious Object Synchronization section, enable Synchronize suspicious objects with Apex Central, and type the API key of the Apex Central Server you recorded in the previous step.

      Suspicious Object Synchronization section

    3. Click Test Connection to check the connection status between DDI and Apex Central. If it was successful, click Register.
     
    After this operation, DDI will synchronize suspicious objects from Apex Central only.
     
  4. Check that DDI was registered to the Apex Central successfully.

  5. On the Apex Central web console, go to Administration > Managed Servers > Server Registration. DDI should be listed on this page.

    go to Server Registration

  6. Integrate other products such as Apex One or DDEI with Apex Central. Refer to the product's Administrator Guide for details.

  7. Using the Apex Central web console, administrators can configure scan actions.

     
    For the detailed instructions on how to configure the scan actions on Apex Central, refer to the Apex Central Administrator's Guide.
     
Keywords: configure,scenario 1,enable Connected Threat Defense,ctd,Deep Discovery,VASO,UDSO,SO,suspicious objects,integrate with Apex Central,ddi