Views:

Recommendation

Connected Threat Defense (CTD) is a layered security approach that gives you a better way to quickly protect, detect, and respond to new threats while simultaneously improving visibility and streamlining investigation. CTD allows you to block unknown malware or URLs on the endpoints or servers by using Suspicious Objects obtained from other Deep Discovery family products. Enabling CTD helps organization combat potential threats at an early stage.

 
Suspicious Objects are essential part for CTD. Look at what kinds of Suspicious Objects there are before configuration.
 

Deep Discovery Suspicious Objects are defined with 4 data types:

  • IP
  • URL
  • Domain
  • SHA1 (SHA1 hash of a file object)

According to the actors who generate Suspicious Objects, Suspicious Objects can be categorized into 2 groups:

  • User-defined Suspicious Object (UDSO)

    User-defined Suspicious Objects are defined by users via management console, pushed from TAXII clients, or downloaded from external threat feeds.

  • Virtual-Analyzer-detected Suspicious Object (VASO)

    Suspicious Objects collected from Virtual Analyzer detection during run-time sandbox simulation.

CTD product capability

With regards to what kind of integrated features are available, refer to the KB article: Connected Threat Defense (CTD) product support capabilities of Control Manager (TMCM) / Apex Central 2019.

System Requirements

Make sure that the versions of the products you use are supported by CTD. Please refer to the product's Administrator's Guide.

Configuration For Scenario 2

  1. Check the API key on DDD.

    To do this, on the DDD web console, go to Help. Product information page appears. Record API key for the succeeding steps.

    Check API key on DDD

  2. Register DDAN to DDD.

     
    If you use DDAN as an external virtual analyzer, perform this step. Otherwise, go to step 3.
     

    On the DDAN Web console, go to Administration > Integrated Products/Services. On the Deep Discovery Director tab, provide the necessary DDAN information under the Connection Settings section. Click Register.

    Register DDAN

  3. Register DDI to DDD.

    On the DDI web console, go to Administration > Integrated Products/Services > Deep Discovery Director. Provide the necessary DDD information on the required fields then click Register.

    Register DDD

  4. Move the appliance to the managed directory.

    1. On the DDD Web console, go to Appliances > Directory. DDI should be listed under the Unmanaged directory.
    2. Move the DDI appliance from the Unmanaged directory to the Managed directory or other customized directory. If DDAN is also listed, do the same operation.

      Move to another directory

Configuration For Scenario 3

  1. Integrate DDI with DDD.

    To do this, do all the steps described in Configuration For Scenario 2.

  2. Register DDD to Apex Central. Refer to the following KB article: Registering Deep Discovery Director (DDD) into Control Manager (TMCM) or Apex Central for suspicious objects synchronization.