McAfee OpenDXL and Integration Questions

  • Can you please provide some of the Pros and Cons (if any) of implementing the OpenDXL solutions and Rapid7 integration listed below? I


    1. Solution: OpenDXL-WildFireTIE 1.0.0


    Description: The WildFire TIE DXL Python application polls the WildFire analysis data and updates TIE over the DXL fabric.


    Website:


    2. Solution: OpenDXL-ATD-PANFW 1.0.0


    Description: Take the fun out of combing through your ATD reports searching for IoCs to populate your PaloAlto Firewall security policy with OpenDXL-ATD-PANFW integration.


    Website:


    3. McAfee+Rapid7: ePolicy Orchestrator (ePO) & InsightVM


    Website: https://www.rapid7.com/partner…nge-layer-dxl--insightvm/


    Thank you,

  • Sure, I can speak to the PaloAlto Integrations.


    The firewall integration has the following:


    Pros

    -----

    Reduces time to implement FW rules to milliseconds

    Easy to implement using ATD and Palo's dynamic block lists (set up in under an hour)


    Cons

    -----

    Palo does not recognize if there are repeat rules (i.e. has the IP address already been blocked in other rules?)

    Palo does not understand FQDNs in rules and requires IP addresses. Otherwise, the FQDN would be a valid indicator as well



    The WildFire integration has the following:


    Pros

    -----

    Reduces time to implement controls around malicious convictions from WildFire into your ENS endpoint (milliseconds)

    Adds visibility into the WildFire detection in your McAfee/DXL ecosystems


    Cons

    -----

    WildFire uses a static analysis image

    WildFire cloud provides ALL convictions in the last 24 hours, not just your tenant's. This is a bug I filed with Palo Alto almost 2 years ago. Not sure where it is now. Maybe it's considered a feature?


    Anyway, hope this helps.


    -Jesse

    Jesse Netz, CISSP, C|EH, ITIL

    McAfee Systems Engineer, Pre-Sales Engineering East

    M: 302.608.4758
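A defender-side illustration of the two Palo Alto cons above (no repeat-rule detection, IP-only entries), written as an added example that is not part of this thread or of the OpenDXL-ATD-PANFW project: before indicators from an ATD report are pushed into a dynamic block list, it drops entries already covered by existing address rules (using CIDR containment, so a host inside an already-blocked /24 counts as a repeat) and sets FQDNs aside for separate handling. The indicator and rule values are constructed samples, not real IoCs.

```python
import ipaddress

# Constructed sample: indicators as they might be pulled out of an ATD report.
ATD_INDICATORS = ["203.0.113.10", "203.0.113.10", "198.51.100.7",
                  "malicious.example", "2001:db8::1", "not an indicator"]
# Constructed sample: address objects already present in firewall rules.
EXISTING_RULES = ["203.0.113.0/24", "192.0.2.5"]


def classify_indicator(value):
    """Return 'ip' for an IP/CIDR, 'fqdn' for a hostname-like value, else None."""
    try:
        ipaddress.ip_network(value, strict=False)
        return "ip"
    except ValueError:
        pass
    labels = value.split(".")
    if len(labels) > 1 and all(l and l.replace("-", "").isalnum() for l in labels):
        return "fqdn"
    return None


def already_blocked(ip, existing):
    """True if the IP/CIDR is contained in any existing rule (a 'repeat rule')."""
    net = ipaddress.ip_network(ip, strict=False)
    for rule in existing:
        r = ipaddress.ip_network(rule, strict=False)
        if net.version == r.version and net.subnet_of(r):
            return True
    return False


def canonical(ip):
    """Normalise to EDL form: host address without prefix, networks as CIDR."""
    net = ipaddress.ip_network(ip, strict=False)
    return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)


def build_edl(indicators, existing):
    """Split indicators into (new EDL IP entries, FQDNs needing other handling, skipped)."""
    new, fqdns, skipped, seen = [], [], [], set()
    for raw in indicators:
        value = raw.strip()
        kind = classify_indicator(value)
        if kind == "ip":
            key = canonical(value)
            if key in seen or already_blocked(key, existing):
                skipped.append(value)      # duplicate or repeat of an existing rule
                continue
            seen.add(key)
            new.append(key)
        elif kind == "fqdn":
            fqdns.append(value)            # Palo rules here need IPs, so keep FQDNs apart
        else:
            skipped.append(value)          # not a usable indicator
    return new, fqdns, skipped
```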

  • My customer was very happy with the response you had provided, but had this follow-up question. :)


    "Any feedback on McAfee + Rapid7 and are there still plans/updates on the McAfee + Proofpoint integration (been waiting on this one for a while and hope it’s still in the works)?"