FireEye TAP Form

THREAT ANALYTICS PLATFORM (TAP)
TAP Scoping Guide - FCAP
October 2015
FireEye, Inc., 1440 McCarthy Blvd., Milpitas, CA 95035 | +1 408.321.6300 | +1 877.FIREEYE (347.3393) | info@FireEye.com www.FireEye.com
09/2015 3.0
© 2014 MANDIANT. Proprietary and Confidential.
Page 2
1. Table of Contents
2. Executive Summary ..... 4
3. Survey ..... 5
3.1. Contact and Shipping Information ..... 5
3.2. FCAP TAP Main Contact/Administrator ..... 6
3.3. Timeline ..... 6
4. FCAP Partner User Accounts ..... 6
5. Client Network and Physical Infrastructure ..... 7
5.1. Internal IPs ..... 7
5.2. External (Public) IPs ..... 7
5.3. OPTIC - Public IPs ..... 8
6. Sender: Comm Broker/Cloud Collector ..... 8
6.1. Communications Broker ..... 8
6.1.1. Comm Broker Requirements ..... 9
6.1.2. Comm Broker Recommendations ..... 10
6.2. Cloud Collector Device ..... 11
6.3. Sender Worksheet: Cloud Collector/Comm Broker ..... 12
7. TAP Data Sources ..... 13
8. Estimated Events per Second (EPS) & Storage ..... 13
9. Special Cases and Considerations ..... 14
10. Ports, Protocols and Services ..... 14
2. EXECUTIVE SUMMARY
The Threat Analytics Platform (TAP) lets clients apply the intelligence gathered by FireEye and
Mandiant to their own event data, adding context about Advanced Targeted Attackers. Clients may
send all pertinent event data into a Virtual Private Cloud (VPC), which relieves them of the
management, configuration and maintenance of the infrastructure needed to store, process and
archive that data. In addition, TAP provides exceptionally fast response times for event queries,
allowing rapid drill-down during the most critical phases of an incident response investigation.
The information gathered in the TAP Scoping Guide is required to establish and configure your TAP
instance, and a completed Guide must be submitted before any instance will be approved for build.
This document can serve as a primary resource for initial conversations about TAP and the TAP
startup process. It is intended to facilitate TAP planning discussions and the initial gathering of
information.
This guide is designed as a foundation for the overall deployment planning process. The other
documents necessary for a complete installation and deployment are:
- TAP Deployment Guide: documents the procedures for installing your TAP instance.
- TAP User Guide
These documents, as well as current versions of the Comm Broker ISO and additional resources, are
located in the Securefile share provided by your FireEye Deployment Engineer. If you do not already
have access to the Securefile share, please contact your FireEye Deployment Engineer.
This document is intended solely for the use of FireEye/Mandiant personnel and the client
referenced in this document. Replication or distribution to anyone other than the individuals listed
in this document without the written consent of FireEye/Mandiant is prohibited.
3. SURVEY
For FireEye/Mandiant teams to exceed your expectations and conduct the engagement as effectively
as possible, we require the following information. If the answer to the question exceeds the space
provided, please attach supporting documentation.
3.1. Contact and Shipping Information
Please identify a point of contact for our support staff to work with on deployment of the technology. In
most organizations this is a person within the IT organization familiar with deployment of enterprise
applications and infrastructure. This person needs to be able to coordinate the following issues:
assignment of network addresses, allocation of physical space and power within a computer room or
other facility, network and host security configuration changes, and deployment of software to target
systems for the engagement.
Main Engagement Contact
  Name:
  Company:
  Office Phone: (   )    -
  Mobile Phone: (   )    -
  Email:
Shipping Contact
  Name:
  Company:
  Office Phone: (   )    -
  Mobile Phone: (   )    -
  Email:
Client Name:
Client Site Address
  Street Address:
  Suite/Dept #:
  City:
  State:
  Zipcode:
Client Shipping Address (if different from site address)
  Street Address:
  Suite/Dept #:
  City:
  State:
  Zipcode:
Department, Division, Agency or Branch:
Executive Sponsor @ client
  Name:
  Title:
  Office Phone: (   )    -
  Email:
Special Shipping Instructions:
3.2. FCAP TAP Main Contact/Administrator
An FCAP partner contact can be enabled to add/remove client users to the TAP instance, or can be
identified as having the authority to authorize the addition/removal of client users. This user should also
have direct access to the TAP/FIC instance.
TAP Administrator (primary)
  Name:
  Office Phone: (   )    -
  Mobile Phone: (   )    -
  Email:
TAP Administrator (secondary)
  Name:
  Office Phone: (   )    -
  Mobile Phone: (   )    -
  Email:
3.3. Timeline
Requested TAP environment Build Date:
Requested Sender Deployment Date:
TAP User Access Date:
4. FCAP PARTNER USER ACCOUNTS
Please enter contact information for any users who will be granted access to the TAP application user
interface for the client’s instance. Access to the TAP environment requires Single Sign-On (SSO)
authentication. Users will be e-mailed an invitation to the instance and will need to configure two-factor
authentication. Access to the UI is restricted by ACL, so please be certain to list in section 5.2 of this
form every IP range from which users are permitted to access TAP.
Full name:
Email:
5. CLIENT NETWORK AND PHYSICAL INFRASTRUCTURE
5.1. Internal IPs
Please list all client internal IP address ranges. This list will be used for intel matching, custom parser
creation, and rule generation.
Internal IP Addresses / Ranges
5.2. External (Public) IPs
In order to communicate properly with the Virtual Private Cloud (VPC), a client’s external IPs must be
added to the ACL. Please list all public IP addresses used for Communications Broker connection(s) and
for TAP User Interface access, so that they can be added to the ACLs on the VPC.
External IP Addresses / Ranges
5.3. OPTIC - Public IPs
OPTIC is a software-as-a-service offering that provides real-time visibility into malicious communications
on customer networks. OPTIC actively tracks millions of compromised IPs and thousands of command
and control servers, and identifies connection attempts to them from customers’ networks. OPTIC does
not require installing any software or hardware, and is configured by the FireEye Deployment Engineer
as part of the TAP engagement.
Please list all client Public IP address ranges for use with OPTIC.
Public IP Addresses / Ranges
6. SENDER: COMM BROKER/CLOUD COLLECTOR
6.1. Communications Broker
TAP Sender capability is provided by the Communications Broker (Comm Broker). Sender is an
application that runs on a physical or virtual server in a client’s environment. It collects logs from within
the physical environment and forwards them to the Communications Broker Receiver hosted within a
Virtual Private Cloud (VPC) at Amazon Web Services (AWS).
The Comm Broker can be deployed via several methods:
- FireEye-provided ISO: CentOS 7 with the Sensor software installed, available for installation in the
  client’s VM environment or on physical hardware
- An existing client VM that meets the requirements below
For production environments, it is recommended to place a Comm Broker in each of the client’s data
centers and/or locations where critical data or processes reside. Comm Brokers should be deployed in
pairs to provide redundancy and ensure proper TAP operation. For more detail on Comm Broker
redundancy and placement, please consult the TAP Deployment Guide. If you have questions, please
contact your FireEye PM.
6.1.1. COMM BROKER REQUIREMENTS
The Comm Broker Sender application has basic system requirements and works with any Linux
distribution that supports the Red Hat Package Manager (RPM) or Debian package format.
The Comm Broker Sender does not require a dedicated machine and can be deployed on an existing
Linux virtual image that meets the following requirements:
- Supported OS: x64 CentOS or Red Hat 6.4 or later, Ubuntu 12.04 LTS, or SUSE
- 8 CPU cores (modern CPU, Nehalem for example)
- 8 GB RAM
- 100 GB disk
- Reliable NTP source
The Comm Broker Sender application is not proxy aware. It requires the following:
- Listener port: UDP 514 by default, the standard for syslog (can be any port)
- Direct access to the IP address of your dedicated TAP Virtual Private Cloud (VPC) on the
  specified port (TCP 443 by default)
- NTP (must be kept accurate against a reliable source)
- DNS
Network traffic between the Comm Broker Sender in your environment and the Comm Broker Receiver
in your TAP Virtual Private Cloud (VPC) is encrypted with Twofish, and access keys are public/private
as specified in the TAP architecture.
If the client has a proxy in use, please notify the FireEye Deployment Engineer prior to any attempt at
Comm Broker configuration.
6.1.2. COMM BROKER RECOMMENDATIONS
While not essential to the successful deployment of the Comm Broker, the following are recommended
and should be implemented wherever possible.
- Hardening, maintenance, and monitoring of the system on which the Comm Broker Sender is
  installed, including key maintenance, should be done in accordance with your corporate
  standards.
- Whenever possible, access to the Comm Broker via SSH from the FE network should be
  provided. This greatly increases our ability to support and troubleshoot the Comm Broker and
  assist in the deployment process.
Additional recommendations for Comm Broker deployment are as follows:
- Access to approved repositories
- Nano text editor
- tcpdump
- wget
- lsof
- bwm-ng or a similar bandwidth tool
6.2. Cloud Collector (currently available as .iso)
The Cloud Collector combines the TAP Sender (Communications Broker) with Bro Sensor capabilities, and
quickly and efficiently provides visibility into a client’s environment. The Cloud Collector requires an
available SPAN port and placement inside the client’s egress firewall.
Required information for all Cloud Collectors:
TAP INSTANCE NAME: PROVIDED BY OPS
TAP VPC IPs: PROVIDED BY OPS
CC MANAGER IPs: 52.11.98.183, 52.11.198.226
CC MANAGER FQDN: ccmaster01.map.mandiant.com, ccmaster02.map.mandiant.com
DEFAULT USERNAME: fireeye
DEFAULT PASSWORD: f1re3ye
6.3. Sender Worksheet: Cloud Collector/Comm Broker
Please complete the requested fields below for each Comm Broker or Cloud Collector that is to be
deployed in the customer environment. Please review the system requirements and information provided
in the sections above. If you need additional guidance, please consult your TAP Deployment Engineer.
Worksheet columns (one row per Comm Broker or Cloud Collector):
Host Name | CPU Cores | Memory | Monitored Bandwidth | Internal IP | External IP | DNS Server |
Search Domain | NTP Server | Gateway IP | Netmask
7. TAP DATA SOURCES
If an existing SIEM or log aggregator is already in use, please list it below. The success of a TAP
implementation is highly dependent on the quality of the data sources that are integrated into TAP.
Without sufficient or properly configured data sources, the effectiveness of TAP can be severely limited.
Please review the TAP Data Source Integration Guide for recommendations regarding device selection
and configuration.
Table columns (one row per data source):
Product Name | Version | Feed Interface | Total # of End Devices | Total EPS Rate
8. ESTIMATED EVENTS PER SECOND (EPS) & STORAGE
Estimated EPS (ex. 2000 or 2K):
To determine estimated EPS requirements, please refer to the current EPS calculator available
at __________________________________________.
9. SPECIAL CASES AND CONSIDERATIONS
Please detail any special considerations for the engagement regarding review of the target systems.
Examples might include time of day restrictions for data collection, bandwidth utilization constraints,
sensitive applications or high-risk areas that may require special treatment (e.g. corporate mail servers,
sensitive data repositories, applications with high uptime requirements, etc):
10. PORTS, PROTOCOLS AND SERVICES
Please refer to the following for the network connectivity required between solution components.
Network traffic between the Comm Broker Sender in your environment and the Comm Broker Receiver
in your TAP Virtual Private Cloud (VPC) is encrypted with Twofish, and access keys are public/private
as specified in the TAP architecture.
Internally, the listener can be any port; it is UDP 514 by default, the standard for syslog. Additional
ports may be required depending on the configuration of the client’s environment and the components
being used to collect and transmit event data.
The Cloud Collector and/or Comm Broker are not proxy aware and require the following:
- Direct access to the IP address of your dedicated TAP Virtual Private Cloud (VPC) on the
  specified port (TCP 443 by default). The Receiver IP will be provided once the TAP instance is
  approved and provisioned.
- Direct access to the IP address of the Cloud Collector management device on TCP 4505, 4506,
  and 80. The Management Device IP will be provided once the TAP instance is approved and
  provisioned.
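The host requirements in section 6.1.1 and the connectivity list above can be turned into a pre-deployment check that the client runs on the candidate Comm Broker host before the Deployment Engineer begins configuration. The script below is an added example written for this page; it is not FireEye's Comm Broker software or any tool from the TAP Deployment Guide. It assumes a Linux host, uses the TEST-NET-1 addresses 192.0.2.10 and 192.0.2.20 as placeholders for the Receiver and Cloud Collector management IPs (FireEye supplies the real ones after the instance is approved), reuses the CC manager FQDN from section 6.2 only as a DNS resolution probe, and calls `nc`, `timedatectl`, `chronyc`, `ntpq` and `getent` only where they are installed. The variable and function names (`TAP_RECEIVER_IP`, `cores_ok`, `required_egress_rules` and the rest) are the example's own.

```shell
#!/bin/sh
# Pre-deployment checks for a host that will run the Comm Broker Sender.
# Illustrative script written for this page, not FireEye tooling. Thresholds
# come from section 6.1.1 and ports from section 10. Receiver and manager
# addresses are placeholders (TEST-NET-1) until FireEye provides real values.

MIN_CORES=8        # section 6.1.1
MIN_MEM_GB=8
MIN_DISK_GB=100

TAP_RECEIVER_IP="${TAP_RECEIVER_IP:-192.0.2.10}"                    # placeholder
TAP_RECEIVER_PORT="${TAP_RECEIVER_PORT:-443}"                      # TCP 443 by default
CC_MANAGER_IP="${CC_MANAGER_IP:-192.0.2.20}"                       # placeholder
CC_MANAGER_FQDN="${CC_MANAGER_FQDN:-ccmaster01.map.mandiant.com}"  # section 6.2
LISTENER_PORT="${LISTENER_PORT:-514}"                              # UDP 514 by default

# --- pure checks: take a value, return 0 when the requirement is met ---
meets_min() { [ "$1" -ge "$2" ] 2>/dev/null; }
cores_ok()  { meets_min "$1" "$MIN_CORES"; }
mem_ok()    { meets_min "$1" "$MIN_MEM_GB"; }
disk_ok()   { meets_min "$1" "$MIN_DISK_GB"; }

# The listener may be any port, but it must be a valid one, and ports below
# 1024 need root (or CAP_NET_BIND_SERVICE) to bind.
listener_port_ok() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}
listener_needs_root() { [ "$1" -lt 1024 ]; }

# Egress rules to request from the firewall team (section 10), one per line:
# "proto destination port purpose". The cc-manager rules only apply when a
# Cloud Collector is deployed.
required_egress_rules() {
    printf 'tcp %s %s comm-broker-receiver\n' "$TAP_RECEIVER_IP" "$TAP_RECEIVER_PORT"
    printf 'tcp %s 4505 cc-manager\n' "$CC_MANAGER_IP"
    printf 'tcp %s 4506 cc-manager\n' "$CC_MANAGER_IP"
    printf 'tcp %s 80 cc-manager\n'   "$CC_MANAGER_IP"
}

# --- live probes (Linux); only run with --run so the pure checks stay testable ---
live_cores()   { nproc 2>/dev/null || grep -c '^processor' /proc/cpuinfo; }
live_mem_gb()  { awk '/^MemTotal:/ { printf "%d", $2 / 1048576 }' /proc/meminfo; }
live_disk_gb() { df -Pk / | awk 'NR == 2 { printf "%d", $4 / 1048576 }'; }
dns_ok()       { getent hosts "$1" >/dev/null 2>&1 || nslookup "$1" >/dev/null 2>&1; }
ntp_ok() {
    # Accept systemd-timesyncd, chrony or ntpd reporting a synchronised clock.
    [ "$(timedatectl show -p NTPSynchronized --value 2>/dev/null)" = "yes" ] \
        || chronyc tracking 2>/dev/null | grep -q 'Leap status *: *Normal' \
        || ntpq -p >/dev/null 2>&1
}
# The Sender is not proxy aware, so this must succeed as a direct TCP connection.
tcp_ok() {
    if command -v nc >/dev/null 2>&1; then
        nc -z -w 5 "$1" "$2" >/dev/null 2>&1
    else
        timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" >/dev/null 2>&1
    fi
}

report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fi; }

run_preflight() {
    report cores_ok "$(live_cores)"
    report mem_ok "$(live_mem_gb)"
    report disk_ok "$(live_disk_gb)"
    report listener_port_ok "$LISTENER_PORT"
    if listener_needs_root "$LISTENER_PORT" && [ "$(id -u)" -ne 0 ]; then
        echo "NOTE: UDP $LISTENER_PORT needs root or CAP_NET_BIND_SERVICE to bind"
    fi
    report ntp_ok
    report dns_ok "$CC_MANAGER_FQDN"
    report tcp_ok "$TAP_RECEIVER_IP" "$TAP_RECEIVER_PORT"
    report tcp_ok "$CC_MANAGER_IP" 4505
    report tcp_ok "$CC_MANAGER_IP" 4506
    report tcp_ok "$CC_MANAGER_IP" 80
    echo "Egress rules to request:"
    required_egress_rules
}

if [ "${1:-}" = "--run" ]; then run_preflight; fi
```

Run it as `sh preflight.sh --run` on the candidate host after exporting the addresses FireEye provided (`TAP_RECEIVER_IP=... CC_MANAGER_IP=...`); without `--run` it only defines the functions. A FAIL on the `tcp_ok` lines usually means a proxy or egress filter sits in the path, which is exactly the situation section 6.1.1 asks you to raise with the Deployment Engineer before any Comm Broker configuration is attempted; the `required_egress_rules` output is the list to hand to the firewall team.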