Security Policy Challenges
As organizations scale, coordinating security policy across heterogeneous systems and environments becomes difficult. Managers struggle to unify security policy actions across disparate networks and to tie those actions into incident response and other security measures.
Using Demisto's integration with McAfee ePolicy Orchestrator (ePO), you can bring policy management under the umbrella of security orchestration and automation. From running diagnostic playbooks for endpoint connectivity and compliance to automating the security policy changes that arise during incident response, this integration lets you use the full power of ePO while increasing efficiency and eliminating redundant manual tasks.
The Use Case: Endpoint Diagnostics
The playbook example we’ll study today automates endpoint connectivity checks. The basic flow is given below:
This playbook conducts two checks: it first looks for any endpoints that ePO lists as unmanaged, and then looks for any agents that have not communicated with ePO in the past three days. For both checks, the playbook automates enrichment and remediation actions and lays out manual actions that analysts can run remotely.
This playbook highlights the interweaving of automated and manual tasks as the ideal balance for a playbook, allowing analysts to eschew repetitive tasks and codify manual operating procedures.
Let’s look at the playbook in detail:
Stage 1: Check for unmanaged endpoints
The playbook starts by running a conditional task that checks for unmanaged endpoints listed in ePO. If it finds any, the analyst must first check whether these endpoints are on an exclusion list (for example, legacy operating systems), which is a manual task. While going through the list, the analyst can enter comments for endpoints that need action.
Note: Analysts can also retrieve the excluded list with an API command in the War Room. Running the detectedsystem.find command with modifiers such as Ignored, Exception, Rogue Action, Rogue State, and Inactive reduces this otherwise laborious task to a single step.
Tasks can include descriptive text that gives new analysts an idea of their function. The description of the manual task above is shown below:
The next task uses the commentsToContext command to take all the analyst-entered comments from the previous task and store them in the incident context. The screenshot below shows the task storing the comments under the epoUnmanagedEndpoint key.
The next task uses the servicenow-incident-create command to create a new ticket in ServiceNow.
These tasks standardize and speed up initial enrichment and remediation while orchestrating across multiple products without leaving the Demisto console.
Stage 2: Check for unresponsive agents
After the first check completes, the playbook checks for any agents that have not communicated with ePO in the past three days. For any such agents, the first enrichment task is the same: the playbook takes the analyst-entered comments for the agents and stores them in the incident context.
The playbook then interweaves automated and manual tasks to re-establish communication with these agents.
The playbook first uses the Ping command to check network connectivity to each endpoint. A successful ping only shows that the host is reachable, not that the agent is healthy, and a failed ping can simply mean ICMP is filtered on the path, so the result narrows the next steps rather than settling the diagnosis.
The next task instructs the analyst to remotely check whether McAfee Agent is installed and running on these endpoints. The analyst is also advised to run the cmdagent command-line utility remotely to force the agent to communicate with ePO, and to retrieve the McAfee Agent logs from any endpoints that still fail to communicate.
Note: Analysts can also try an Agent Wake-Up Call first to see whether that restores communication. This can be done from the CLI in the War Room as well. A wake-up call is initiated by the ePO server and therefore requires the server to reach the endpoint, whereas cmdagent runs on the endpoint and initiates the connection outbound, which is why it is the fallback when the wake-up call fails.
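To make the two checks concrete, here is an added example (not code from this page, from Demisto, or from McAfee) that runs the Stage 1 and Stage 2 logic over a constructed sample of system records: it filters unmanaged systems against an exclusion list, finds managed agents that have been silent for more than three days, stores analyst comments under a context key the way commentsToContext does, and splits the stale agents by the Ping result so the analyst knows which hosts are worth a remote agent check. The field names, sample records, fixed clock, and function names are assumptions for the illustration and need not match ePO's real response schema.

```python
# Added example (not Demisto's or McAfee's code): the two checks from the
# playbook, run over a constructed sample instead of a live ePO instance.
# Field names ("managed", "last_communication", "exception") and the sample
# records are assumptions for the illustration, not ePO's real schema.
from datetime import datetime, timedelta, timezone

# Constructed sample of system records, roughly the shape an analyst might
# get back from detectedsystem.find after normalisation. Not real ePO data.
SAMPLE_SYSTEMS = [
    {"name": "WS-101",     "ip": "10.0.1.11", "managed": True,  "exception": False,
     "last_communication": "2019-03-10T09:12:00Z"},
    {"name": "WS-102",     "ip": "10.0.1.12", "managed": False, "exception": False,
     "last_communication": None},
    {"name": "LEGACY-NT4", "ip": "10.0.1.13", "managed": False, "exception": True,
     "last_communication": None},
    {"name": "SRV-DB1",    "ip": "10.0.2.5",  "managed": True,  "exception": False,
     "last_communication": "2019-03-05T02:00:00Z"},
    {"name": "SRV-WEB1",   "ip": "10.0.2.6",  "managed": True,  "exception": False,
     "last_communication": "2019-03-11T22:45:00Z"},
]
# Fixed "now" so the example is deterministic (assumed clock).
NOW = datetime(2019, 3, 12, 0, 0, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp ending in 'Z'; None stays None."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def unmanaged_needing_action(systems, excluded_names=()):
    """Stage 1: unmanaged systems that are neither flagged as an ePO
    exception nor on the analyst-maintained exclusion list (e.g. legacy OS)."""
    excluded = {n.upper() for n in excluded_names}
    return [
        s for s in systems
        if not s["managed"] and not s["exception"] and s["name"].upper() not in excluded
    ]


def stale_agents(systems, now=NOW, max_age_days=3):
    """Stage 2: managed systems whose agent has not talked to ePO within
    max_age_days. A missing timestamp counts as stale."""
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for s in systems:
        if not s["managed"]:
            continue  # no agent to be unresponsive
        last = parse_ts(s["last_communication"])
        if last is None or last < cutoff:
            stale.append(s)
    return stale


def to_context(key, systems, comments):
    """Mimic commentsToContext: pair each endpoint with the analyst's comment
    (empty string if none) under a single incident-context key."""
    return {key: [{"name": s["name"], "ip": s["ip"],
                   "comment": comments.get(s["name"], "")} for s in systems]}


def triage_by_ping(systems, ping_results):
    """Split stale agents by host reachability. ping_results maps IP -> bool
    (constructed here; in the playbook it comes from the Ping task). Only
    reachable hosts are worth a remote agent check or cmdagent run; a failed
    ping may also just mean ICMP is filtered, so those hosts are kept for
    manual follow-up rather than dropped."""
    reachable = [s for s in systems if ping_results.get(s["ip"], False)]
    unreachable = [s for s in systems if not ping_results.get(s["ip"], False)]
    return {"reachable": reachable, "unreachable": unreachable}


if __name__ == "__main__":
    unmanaged = unmanaged_needing_action(SAMPLE_SYSTEMS)
    print(to_context("epoUnmanagedEndpoint", unmanaged,
                     {"WS-102": "new lab box, deploy agent"}))
    stale = stale_agents(SAMPLE_SYSTEMS)
    print(triage_by_ping(stale, {"10.0.2.5": True}))
```

With the sample above, Stage 1 leaves only WS-102 (LEGACY-NT4 is dropped by its exception flag), and Stage 2 flags only SRV-DB1, whose last check-in is seven days before the fixed clock. Tightening max_age_days to 1 also pulls in WS-101, which is the knob to turn if three days is too lenient for your agent-server communication interval.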
As with the first check, this section of the playbook combines automated and manual tasks to standardize and quicken response procedures in the event of faulty endpoint connectivity with ePO.
To explore more use cases and features of Demisto's integration with McAfee ePO and other McAfee products, download our joint solution brief.