Threat Detection and Response Deployment Guide

Oct 02, 2018


Threat Detection and Response

Deployment Guide


Threat Detection and Response Deployment Guide ii

About This Guide

The Threat Detection and Response Getting Started Guide is a guide to help you set up the Threat Detection and Response subscription service. Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.

Guide revised: 3/26/2018

Copyright, Trademark, and Patent Information

Copyright © 1998–2018 WatchGuard Technologies, Inc. All rights reserved. All trademarks or trade names mentioned herein, if any, are the property of their respective owners. Complete copyright, trademark, patent, and licensing information can be found in the Copyright and Licensing Guide, available online at https://www.watchguard.com/wgrd-help/documentation/overview.

About WatchGuard

WatchGuard® Technologies, Inc. is a global leader in network security, providing best-in-class Unified Threat Management, Next Generation Firewall, secure Wi-Fi, and network intelligence products and services to more than 75,000 customers worldwide. The company's mission is to make enterprise-grade security accessible to companies of all types and sizes through simplicity, making WatchGuard an ideal solution for Distributed Enterprises and SMBs. WatchGuard is headquartered in Seattle, Washington, with offices throughout North America, Europe, Asia Pacific, and Latin America. To learn more, visit WatchGuard.com.

For additional information, promotions and updates, follow WatchGuard on Twitter, @WatchGuard on Facebook, or on the LinkedIn Company page. Also, visit our InfoSec blog, Secplicity, for real-time information about the latest threats and how to cope with them at www.secplicity.org.

Address
505 Fifth Avenue South
Suite 500
Seattle, WA 98104

Support
www.watchguard.com/support
U.S. and Canada +877.232.3531
All Other Countries +1.206.521.3575

Sales
U.S. and Canada +1.800.734.9905
All Other Countries +1.206.613.0895


Contents

About Threat Detection and Response 1

Components 1

Quick Start — Set Up Threat Detection and Response 2

Step 1 — Activate a TDR Subscription 3

Step 2 — Set up a Managed Customer Account (WatchGuard Partners Only) 4

Step 3 — Enable TDR on the Firebox 7

Step 4 — Add an HTTPS Policy on the Firebox 10

Step 5 — Install a Host Sensor 11

TDR Deployment Best Practices 12

Phased Host Sensor Deployment 12

Add Exclusions for Desktop AV 13

Configure Desktop AV Software to Exclude TDR File Paths 13

Configure TDR to Exclude Desktop AV File Paths 13

Configure Host Groups 14

Configure Host Sensor Settings for Host Groups 14

Recommended Host Sensor Settings for Servers 15

Recommended Host Sensor Settings for Windows 7 16

Recommended Host Sensor Settings for Most Other Hosts 16

Configure Policies for Host Groups 17

Recommended TDR Policies 18

Default TDR Policies 18

Set the Cybercon Level 19

Use Groups as Policy Targets 20

Policy Tips 21

Next Steps 22

Monitor Threat Detection and Response 22


Set Up Active Directory Helper 23

Configure Proxy Policies for TDR 27

TDR Account Types 28

TDR User Roles and Permissions 29

Administrator 29

Operator 30

TDR Service Provider Accounts 31

Multi-Tier Management 31

Service Provider User Roles 32

Administrator (SP) 32

Operator (SP) 32

More Information 33


About Threat Detection and Response

Threat Detection and Response (TDR) is a cloud-based subscription service that integrates with your Firebox to minimize the consequences of data breaches and penetrations through early detection and automated remediation of security threats. TDR collects and analyzes forensic data from the Firebox, and from endpoints on your network, to proactively detect and respond to security threats. ThreatSync analytics enable TDR to assign threat level scores based on heuristics, threat feeds, and a cloud-based malware verification service.

Threat Detection and Response is supported for Firebox and XTMv device models only and requires Fireware v11.12 or higher.

Components

The Threat Detection and Response subscription service has several components:

Threat Detection and Response Account

Threat Detection and Response is a cloud-based service hosted by WatchGuard. Your Threat Detection and Response account in the cloud collects and analyzes forensic data received from Fireboxes and Host Sensors on your network. You log in to your TDR account on the WatchGuard Portal to configure account settings, Host Sensor settings, and to monitor and manage security threats.

Because your login credentials for TDR are your WatchGuard Portal credentials, when you log in to the WatchGuard Portal, single sign-on enables you to also be automatically logged in to your TDR account.

Firebox or XTMv Device

Threat Detection and Response is a security subscription that you activate for your Firebox. In the Firebox configuration, you enable the Firebox to send data to your TDR account, and you configure policies, services, and log settings to enable the Firebox and Host Sensors to send information to your TDR account.

Host Sensors

You install Host Sensors on the computers on your network. Each Host Sensor collects forensic data from the host and sends it to the Threat Detection and Response cloud for analysis. Forensic data includes information related to files, processes, network connections, and registry keys on the host. You can configure Host Sensors to simply report security threats or to take action to fix certain types of security threats.

AD Helper

AD Helper is an application that you can install to deploy Host Sensors on your network. AD Helper uses your existing Windows Active Directory infrastructure to assist with distributed installation of Host Sensors on your network.

For information about how to get started with TDR, see:

• Quick Start — Set Up Threat Detection and Response

• TDR Deployment Best Practices


Quick Start — Set Up Threat Detection and Response

Before you can use Threat Detection and Response (TDR), you must activate the TDR subscription for a Firebox in your WatchGuard Portal account. When you activate the first TDR subscription for a Firebox in your account, your TDR account is automatically created and Host Sensor licenses are added to your TDR account. The number of Host Sensor licenses included with your TDR subscription depends on the Firebox model. You can purchase additional Host Sensor licenses as an upgrade.

Some steps to set up TDR require that you log in with a specific user role. The first user in a new TDR account has both the Administrator and Operator user roles. All other users have the Operator user role by default. A user with Administrator credentials can change the roles assigned to any user account.

To get started with TDR, complete these steps:

• Step 1 — Activate a TDR Subscription

• Step 2 — Set up a Managed Customer Account (WatchGuard Partners Only)

• Step 3 — Enable TDR on the Firebox

• Step 4 — Add an HTTPS Policy on the Firebox

• Step 5 — Install a Host Sensor


Step 1 — Activate a TDR Subscription

Threat Detection and Response is included in the Total Security Suite subscription. When you activate a Total Security Suite subscription, Host Sensor licenses are added to your TDR account. After you activate your TDR subscription, you must update the feature key on your Firebox.

To update the feature key on the Firebox, from Fireware Web UI:

1. Log in to Fireware Web UI as a user with Device Administrator credentials.

2. Select System > Feature Key.

3. Click Get Feature Key. The Feature Key page appears.

4. Verify that the Threat Detection & Response feature is enabled in the feature key.

To update the feature key on the Firebox, from Firebox System Manager:

1. Start Firebox System Manager for your Firebox.

2. Select Tools > Synchronize Feature Key.

3. Type the credentials for a user with Device Administrator credentials.

4. Select View > Feature Keys. The Feature Key dialog box appears.

5. Verify that the Threat Detection & Response feature is enabled in the feature key.


Step 2 — Set up a Managed Customer Account (WatchGuard Partners Only)

If you are not a WatchGuard partner, skip this step and continue to Step 3.

If you are a WatchGuard Partner, your TDR account is a Service Provider account. In your TDR Service Provider account, you must add a separate customer account for each business or organization for which you manage TDR. To configure TDR to run on your own network, you must also add a customer account for your own internal network. You configure and manage TDR separately for each managed customer account.

To create a managed customer account in your TDR Service Provider account:

1. Go to the WatchGuard Portal at www.watchguard.com and log in to your WatchGuard Portal account as a user with Administrator credentials.

2. In the Partner Portal, click Support Center.

3. Select My WatchGuard > Manage TDR. The Threat Detection & Response web UI appears.

4. In the TDR web UI, click Accounts.

5. Click Add Account. The Add Account dialog box appears.

6. In the Name text box, type the business or organization name of the managed customer account.

7. Click Save & Close. The account is added to the Accounts list and is also added to the drop-down list in the top navigation bar.

You must assign Host Sensor licenses to each customer account you manage. The number of Host Sensor licenses you assign to a managed customer account controls the maximum number of Host Sensors you can install on computers for that customer.


To assign Host Sensor licenses to a managed customer account:

1. From the TDR web UI left navigation menu, select Licenses. The Licenses page appears and shows the Host Sensor licenses in your account.

2. In the Licenses list, find an unassigned license.

3. On the line of the unassigned license, at the far right side, click the icon. A drop-down list with the available options appears.

4. Select Assign License. The Assign License dialog box appears.

5. In the Account text box, begin to type the name of the managed customer account. Account names that contain the letters you type appear below the text box.

6. Select the customer account name from the list.

7. In the Number of Hosts to Assign text box, type the number of Host Sensor licenses to assign to this account. By default, the Number of Hosts to Assign is set to the total number of unassigned Host Sensor licenses in the license you selected. You can change this to a lower number if you plan to install Host Sensors on fewer computers for this customer.

8. Click Assign License. The specified number of Host Sensor licenses are assigned to the managed customer account you selected.


To manage TDR for a customer, you must select the customer account to manage. The drop-down list at the top of the page has the name of your service provider account, and the names of each customer account you added.

To select a customer account to manage:

1. From the drop-down list at the top of the page, select the customer account.

2. To see a summary of status for this customer, select Dashboard in the left navigation menu.

After you select a managed customer account, the options available in the left navigation menu depend on the user role assigned to you in the Service Provider account. Your user account can be assigned one or both of these roles:

• If you have the Administrator (SP) user role, you are an Administrator of your managed customer accounts.

• If you have the Operator (SP) user role in your service provider account, you are an Operator of your managed customer accounts.

The first user in a TDR Service Provider account has both the Administrator (SP) and Operator (SP) user roles. All other users have the Operator (SP) user role by default.

After you select a managed customer account, complete the procedures to set up Host Sensors and Fireboxes for each managed customer.

To go back to your Service Provider account to manage accounts and licenses, select the name of your service provider account from the drop-down list at the top of the page.


Step 3 — Enable TDR on the Firebox

If your Firebox does not run Fireware v11.12, upgrade the Firebox OS to v11.12 or higher.

For more information, see Upgrade Fireware OS or WatchGuard System Manager.

Next, enable Threat Detection and Response on your Firebox. To enable TDR on the Firebox, you must get the UUID from your TDR account and add it to the Firebox configuration.

To find your TDR Account UUID:

1. Go to the WatchGuard Portal at www.watchguard.com and log in to your WatchGuard partner or customer account as a user with Operator credentials.

2. If you are a WatchGuard partner, in the Partner Portal click Support Center.

3. Select My WatchGuard > Manage TDR.

4. (Partners only) Select the managed customer account.

5. Select Devices > Firebox. The Account UUID appears at the top of the page.

6. Copy the Account UUID.


To add the Account UUID to the Firebox:

1. Open the Firebox configuration in Policy Manager or Fireware Web UI.

2. Select Subscription Services > Threat Detection.

3. Select the Enable Threat Detection & Response check box.

4. In the Account UUID and Confirm text boxes, paste the Account UUID.

5. Save the configuration to the Firebox.

To verify the connection from your Firebox to your TDR account:

• To see the Firebox connection status to Threat Detection and Response in Fireware Web UI, select Dashboard > Front Panel.


• To see the Firebox connection status to Threat Detection and Response in Firebox System Manager, select the Status Report tab and search for TDR.

• To see the Firebox connection status in the TDR web UI, select Devices > Firebox and verify that your Firebox appears in the Fireboxes list.


Step 4 — Add an HTTPS Policy on the Firebox

When you enable TDR on your Firebox, the Firebox configuration must include a policy to allow Host Sensors on your network to connect to your TDR account. If your Firebox runs Fireware v11.12.1 or higher, when you enable TDR, the WatchGuard Threat Detection and Response policy to allow Host Sensor connections is automatically added.

When you enable TDR in Fireware v11.12.1 and higher, the WatchGuard Threat Detection and Response policy is automatically added to the Firebox configuration.

If your Firebox runs Fireware v11.12.0, you must manually add an HTTPS packet filter policy with these settings:

• Connections are — Allowed

• From — Any-Trusted, Any-Optional (or the locations where your Host Sensors are installed)

• To — FQDNs tdr-hsc-na.watchguard.com and tdr-hsc-eu.watchguard.com

If your Firebox configuration includes an HTTPS proxy policy with content inspection and certificate validation enabled, add these FQDNs as destinations to the WatchGuard Threat Detection and Response policy or to the HTTPS policy you manually added:

tdr-frontline-eu.watchguard.com

tdr-frontline-na.watchguard.com

tdr-adhh-na.watchguard.com

tdr-adhh-eu.watchguard.com

These additional FQDNs allow Host Sensors to upload files for APT Blocker analysis, and allow Active Directory Helper to synchronize data with your TDR account.


Step 5 — Install a Host Sensor

Next, install a Host Sensor on the computer to protect. The information you need to install the Host Sensor appears on the TDR web UI page where you download the software. You can manually install a Host Sensor for Windows or Red Hat Linux.

For information about TDR Host Sensor OS compatibility, see the Threat Detection & Response Release Notes on the Fireware Release Notes page.

To install a Host Sensor for Windows or Mac:

1. Go to the WatchGuard Portal at www.watchguard.com and log in to your WatchGuard account as a user with Operator credentials.

2. If you are a WatchGuard partner, in the Partner Portal click Support Center.

3. Select My WatchGuard > Manage TDR.

4. (Partners only) Select the managed customer account.

5. Select Configuration > Host Sensor.

6. Click the Download button for the Microsoft Windows Host Sensor or the Mac Host Sensor.

7. On the Host Sensor page, find the Account ID and Controller Address.

8. To run the installer, double-click the downloaded MSI or PKG file. The Threat Detection and Response Setup dialog box appears.

9. Copy and paste the Account ID from the TDR Host Sensor page to the Account ID text box in the installer.

10. Copy and paste the Controller Address from the TDR Host Sensor page to the Controller Address text box in the installer.

To verify the connection from the Host Sensor to your TDR account:

1. In the TDR web UI, select Devices > Hosts.

2. Verify that the host appears in the list and that the Host Sensor status icon shows it is operational.

You can also use AD Helper for automated installation of Windows Host Sensors. For more information, see Next Steps.


TDR Deployment Best Practices

A TDR Host Sensor can automatically quarantine files, stop processes, and delete registry entries if it identifies a file or process as ransomware or another type of threat. Because the Host Sensor takes actions that could affect other applications installed on your hosts, we recommend you consider these best practices for your TDR deployment.

To complete the procedures described in this topic you must log in to TDR as a user with Operator privileges.

Phased Host Sensor Deployment

If the Host Sensor identifies a file or process as a threat, and active TDR policies allow remediation action, the Host Sensor automatically takes action to disable it. To identify potential interactions with other installed software that you trust, we recommend that you first deploy and test Host Sensors on a small set of hosts that run applications commonly used on your network. A small pilot deployment can enable you to identify any interactions between the Host Sensor and other applications, so that you can add exceptions to resolve any interoperability or performance issues before wider deployment.

You must decide how many and what types of hosts to include in your pilot deployment. For each host, install the Host Sensor, and then use other software on the host. Monitor the indicators in your TDR account to see threats and actions reported by the Host Sensors.

If a Host Sensor identifies a threat, you can look at the details in the indicator to see the name of the file or process and why it was considered a threat.

To see indicators for a host:

1. Select ThreatSync > Indicators. The Indicators page appears.

2. Clear all filters and then filter or search by the host name.

3. To see more information about an indicator, in the Indicator column, click Additional Information.

For more information about the Indicators page, see Manage TDR Indicators in Fireware Help.

If the Host Sensor identifies a trusted application as a threat, you can add the MD5 value to the Signature Overrides as a Whitelist item. TDR does not generate indicators for files you add to the Whitelist.

To add a file to the Whitelist:

1. On the Indicators page, find the indicator for the application you want to add to the Whitelist.

2. Select the check box adjacent to the indicator.

3. From the Actions drop-down list, select Whitelist. The Confirm Action dialog box appears.

4. Click Execute Action.


If the Host Sensor causes performance issues or conflicts with other software that cause the Host Sensor or other software to not function, you can add an exclusion for the installation path of the software. An exclusion causes the Host Sensor to ignore the files in the specified path.

To add an exclusion:

1. Select Configure > Exclusion.

2. Click Add.

3. Specify the path to exclude.

For more information about how to add an exclusion, see Configure TDR Exclusions in Fireware Help.

If the Host Sensor quarantines a file, it encrypts the file and stores it in the quarantine directory on the host. To remove a file from quarantine:

1. On the Indicators page, find the indicator. For an indicator with a successful Quarantine action, the threat score is 1.

2. Select the indicator.

3. Select the Unquarantine file or Unquarantine HRP action. The available action depends on whether the file was quarantined by Host Ransomware Prevention (HRP) or as the result of the Quarantine File action.

For more information about how to remove a file from quarantine, see Remove a File from Quarantine in Fireware Help.

Add Exclusions for Desktop AV

The TDR Host Sensor and desktop antivirus both detect and prevent threats. To prevent conflicts between the Host Sensor and desktop antivirus software, we recommend that you add exclusions in TDR and your desktop AV software.

Configure Desktop AV Software to Exclude TDR File Paths

In the desktop antivirus software configuration, add the TDR Host Sensor installation directory to the exclusion list or whitelist.

The directories to exclude are:

c:\Program Files (x86)\WatchGuard\Threat Detection and Response\

c:\Program Files\WatchGuard\Threat Detection and Response\

See the documentation from your antivirus software vendor for instructions to edit the exclusions list or whitelist.

Configure TDR to Exclude Desktop AV File Paths

In TDR, add exclusions for the locations where your antivirus software is installed. The paths to exclude are different for each desktop AV vendor and might be different for each OS or AV software version. Test the Host Sensor with your desktop AV solution to make sure you have excluded all necessary paths.

For links to integration guides for TDR and popular desktop AV vendors, see Integration Guides, in WatchGuard Help Center.

For more information about how to add a TDR exclusion, see Host Sensors and AV Software Exclusions in Fireware Help.


Configure Host Groups

By default, the global Host Sensor settings and default TDR policies apply to all deployed Host Sensors. We recommend that you configure Host Groups so that you can easily configure different Host Sensor settings and policies for each group. You can use Host Groups to group together hosts that have a similar OS version, hardware, applications or user type. For example, you could create groups for Servers, Windows 7 Desktops, Laptops, Sales, Finance, Support, and so on. After you configure Host Groups you can change the Host Sensor settings for each group, and you can use the group names in your TDR policies. We recommend that you test a few hosts in each group as part of your initial deployment phase.

You can manage host group membership from the Hosts page or the Groups page. From the Hosts page you can select multiple hosts from a list to add them to a new or existing Host Group.

To change the Host Group for one or more Hosts:

1. Select Devices > Hosts.

2. Select the check box adjacent to one or more hosts in the list.

3. From the Actions drop-down list, select Change Host Group. The Change Host Group dialog box appears.

4. Start to type the name of the group. This can be an existing group or a new group. As you type, the names of existing groups and the option to add a new group appear below the text box.

5. Select the group, or select the option to add the new group with the name you typed. The selected hosts are added to the group you selected. If you selected the option to add a new group, the Host Group is added.

To remove one or more Host Sensors from a Host Group:

1. Select the check box adjacent to one or more hosts in the list.

2. From the Actions drop-down list, select Change Host Group. The Change Host Group dialog box appears.

3. Select No Group. Each selected host is removed from the Host Group it was previously a member of.

For more information about the Hosts page, see Manage TDR Hosts and Host Sensors in Fireware Help.

Configure Host Sensor Settings for Host Groups

For each Host Group you can configure the Host Sensor settings to use for hosts in that group. In the Host Group configuration, you can override the global Host Sensor settings, and specify different Host Sensor settings for the group.

To configure Host Sensor settings for a Host Group:


1. Select Configuration > Groups.

2. Adjacent to the group name, click the icon.

3. Select the Host Sensor Configuration tab.

4. Click the Override Host Sensor settings for this group switch.

5. Configure the Host Sensor settings for the group.

WatchGuard provides recommended Host Sensor configuration settings for some types of hosts as a guideline. We recommend you test these settings with a small set of hosts first, to identify any issues.

The best Host Sensor settings to use for your hosts might be different based on the installed OS and applications, physical or virtual hardware, and other aspects of your host environment.

Recommended Host Sensor Settings for Servers

To avoid conflicts with server software, we recommend that you disable Host Ransomware Prevention and do not enable driver configuration settings.


Host Sensor Settings

n Allow Events on Host Sensors: ON

n Host Ransomware PreventionMode: OFF

n Allow Heuristics on Host Sensors ON

n Allow LoadedModules on Host Sensors: OFF

n Allow Baselines on Host Sensors: OFF

Host Sensor Driver Configuration Settings:

n All driver configuration settings: OFF

Recommended Host Sensor Settings for Windows 7On someWindows 7 computers, particularly those with older hardware, the Host Sensor performs better without HostSensor driver configuration settings enabled.

Host Sensor Settings:

n Allow Events on Host Sensors: ON

n Host Ransomware PreventionMode: PREVENT

n Allow Heuristics on Host Sensors ON

n Allow LoadedModules on Host Sensors: OFF

n Allow Baselines on Host Sensors: OFF

Host Sensor Driver Configuration Settings:

n All driver configuration settings: OFF

Recommended Host Sensor Settings for Most Other HostsHost Sensor driver configuration settings control whether someHost Sensor actions occur in user space or kernel space.For the best Host Sensor performance onmost hosts, we recommend that you enable and test Host Sensor driverconfiguration settings. These settings are not enabled by default in the global Host Sensor settings, to avoid problems withHost Sensors deployed on servers.

Host Sensor Settings:

- Allow Events on Host Sensors: ON
- Host Ransomware Prevention Mode: PREVENT
- Allow Heuristics on Host Sensors: ON
- Allow Loaded Modules on Host Sensors: OFF
- Allow Baselines on Host Sensors: OFF

Host Sensor Driver Configuration Settings:

- All driver configuration settings: ON

For more information about Host Sensor Settings, see Configure TDR Host Sensor Settings in Fireware Help.


Configure Policies for Host Groups

Each TDR account includes a set of default policies. These policies enable Host Sensors to take automated remediation actions for different levels of threats based on the Cybercon level you set in your TDR account. The default TDR policies apply to the built-in All Hosts group and define the automated actions that the Host Sensor can perform for all hosts. For more granular control over automated actions, you can add policies for specific Host Groups, or even specific hosts, to change the actions Host Sensors can perform.

For example, if you have a Servers group, and do not want the Host Sensors on servers in that group to make changes to the registry, you can add a policy for the Servers group that specifies that Host Sensors cannot perform the Delete Registry Value action. Or, if you do not want Host Sensors for a group to take any automated remediation action, add a policy for that group which specifies that Host Sensors cannot perform the Quarantine File, Kill Process, or Delete Registry Value actions.

If you add a policy for a Host Group, make sure that policy has a higher priority in the policy list than other policies that apply to All Hosts, so that it is evaluated before them.

For more information about policy configuration, see Configure TDR Policies in Fireware Help.


Recommended TDR Policies

To enable Host Sensors to automatically take action against high severity threats, you must configure TDR policies. Recommended policies are enabled in your TDR account by default. You can modify these policies or add new ones, based on the host groups and the requirements of your network.

For TDR accounts activated prior to 7 August 2017, the default TDR policies are configured, but are not enabled by default.

Default TDR Policies

Each TDR account has three default remediation policies. If you have enabled the APT Blocker feature, a default APT Blocker Policy is also enabled by default.

The three default remediation policies allow Host Sensors to take remediation actions for indicators with different threat scores at Cybercon thresholds of 4, 3, and 2. With the default policies enabled, you can change the Cybercon level (from 3 to 2, for example) to immediately allow Host Sensors to take action on threats with a lower threat score.

The default APT Blocker policy allows Host Sensors to send suspicious files that do not match a known threat to thesandbox for APT Blocker analysis.

WatchGuard Default APT Blocker Policy for Cybercon 4

- Cybercon Threshold: 4 (applies to Cybercon 4, 3, 2, and 1)
- Allow: the Sandbox File action
- Target: "All Hosts"

WatchGuard Default Remediation Policy for Cybercon 2

- Cybercon Threshold: 2 (applies to Cybercon 2 and 1)
- Threat Score Threshold: 7 (applies to Threat Scores 7 and higher)
- Allow: all remediation actions (Quarantine File, Kill Process, Delete Registry Value)
- Target: "All Hosts"

WatchGuard Default Remediation Policy for Cybercon 3

- Cybercon Threshold: 3 (applies to Cybercon 3, 2, and 1)
- Threat Score Threshold: 8 (applies to Threat Scores 8 and higher)
- Allow: all remediation actions (Quarantine File, Kill Process, Delete Registry Value)
- Target: "All Hosts"

WatchGuard Default Remediation Policy for Cybercon 4


- Cybercon Threshold: 4 (applies to Cybercon 4, 3, 2, and 1)
- Threat Score Threshold: 9 (applies to Threat Scores 9 and higher)
- Allow: all remediation actions (Quarantine File, Kill Process, Delete Registry Value)
- Target: "All Hosts"

The default APT Blocker policy is available only if you enable the APT Blocker feature on the General Settings page.

When APT Blocker is enabled, your account has four default policies: the APT Blocker policy and the three remediation policies listed above.

With these default policies, all Host Sensors take these actions:

When the Cybercon level is 4:

- Host Sensors automatically take remediation actions for indicators with a Threat Score of 9 or higher.
- Host Sensors automatically upload suspicious files for analysis in a secure sandbox environment.

When the Cybercon level is 3:

- Host Sensors automatically take remediation actions for indicators with a Threat Score of 8 or higher.
- Host Sensors automatically upload suspicious files for analysis in a secure sandbox environment.

When the Cybercon level is 2 or 1:

- Host Sensors automatically take remediation actions for indicators with a Threat Score of 7 or higher.
- Host Sensors automatically upload suspicious files for analysis in a secure sandbox environment.

Set the Cybercon Level

When you use the default TDR policies, you can set the Cybercon level so that the Host Sensors take automated action to remediate threats based on the active policies at each Cybercon threshold.

- For most deployments, we recommend you set the Cybercon level to 3.
- For a more conservative stance, with less automated remediation, set the Cybercon level to 4.
- For a more aggressive stance, with more automated remediation, set the Cybercon level to 2.

For more information about Cybercon levels, see About TDR Cybercon Levels in Fireware Help.


Use Groups as Policy Targets

The default TDR policies are a good place to start for a new TDR account. But it is likely that you will want to configure different policies for different hosts on your network. To create different policies for different groups of hosts, you can specify groups as targets in your policies. You can synchronize groups from your Active Directory server, or you can define TDR groups based on host names or IP addresses.

Tip! To add hosts to a group, on the Hosts page, select the hosts, then select the Change Host Group action.

For more information about how to configure Groups, see Manage TDR Groups in Fireware Help.

The default group All Hosts includes all hosts that have a Host Sensor installed. We recommend that you create separate groups for clients and servers so that you can create policies specific to these groups.

For example, you could add these groups:

- All Clients: includes all client computers with a Host Sensor installed; does not include servers
- All Servers: includes all servers with a Host Sensor installed

With these groups, you can configure remediation policies to take automated action for clients at a different threat level than for servers. At the highest threat levels (lowest Cybercon thresholds), you can use the All Hosts group as the target so that the policies apply to all hosts.

Example Policy Name                 Cybercon Threshold   Threat Score Threshold   Policy Target (Group)      Automated Actions
(no policy)                         Cybercon 5           -                        -                          None
C4 Threat 8 - Clients Only          Cybercon 4           8                        All Clients                Kill Process, Quarantine Files, Delete Registry Value
C4 - Sandbox All                    Cybercon 4           N/A                      All Hosts                  Sandbox File
C3 Threat 8 - Servers and Clients   Cybercon 3           8                        All Servers, All Clients   Kill Process, Quarantine Files, Delete Registry Value
C2 Threat 4 - All Hosts             Cybercon 2           4                        All Hosts                  Kill Process, Quarantine Files, Delete Registry Value
C1 - Threat 2 - All Hosts           Cybercon 1           2                        All Hosts                  Kill Process, Quarantine Files, Delete Registry Value
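The way Cybercon thresholds, threat score thresholds, group targets and policy priority combine is easier to check in code than in prose. The following Python model is an added example, not WatchGuard's policy engine and not part of this guide: it encodes the four default policies described above plus a constructed, higher-priority policy for an All Servers group that withholds Delete Registry Value, and it assumes the evaluation rule the guide implies (a policy is active when the account's Cybercon level is at or below its Cybercon threshold, it matches indicators whose threat score is at or above its threat score threshold, it applies to hosts in its target groups, and the first matching policy in priority order that mentions an action decides that action). The policy priorities, group names and sample hosts are assumptions made for the illustration.

```python
"""Model of how TDR-style remediation policies combine (added example, not WatchGuard code).

Assumed semantics, taken from the deployment guide's description:
  - a policy is active when the current Cybercon level <= its Cybercon threshold
  - it matches an indicator when threat score >= its threat score threshold (if it has one)
  - it applies to a host that is a member of at least one of its target groups
  - policies are walked in priority order; the first matching policy that mentions
    an action (allow or deny) decides it; unmentioned actions stay disallowed
Priorities, group names and sample hosts below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional

QUARANTINE, KILL, DELETE_REG, SANDBOX = (
    "Quarantine File", "Kill Process", "Delete Registry Value", "Sandbox File")
REMEDIATION = frozenset({QUARANTINE, KILL, DELETE_REG})


@dataclass(frozen=True)
class Policy:
    name: str
    priority: int                        # lower number = evaluated first
    cybercon_threshold: int              # active when the Cybercon level is <= this value
    targets: FrozenSet[str]              # host groups the policy applies to
    allow: FrozenSet[str] = frozenset()
    deny: FrozenSet[str] = frozenset()
    threat_score_threshold: Optional[int] = None   # None: no score requirement (Sandbox File)

    def matches(self, cybercon_level: int, host_groups: FrozenSet[str], threat_score: int) -> bool:
        if cybercon_level > self.cybercon_threshold:
            return False
        if self.threat_score_threshold is not None and threat_score < self.threat_score_threshold:
            return False
        return bool(self.targets & host_groups)


def allowed_actions(policies: Iterable[Policy], cybercon_level: int,
                    host_groups: Iterable[str], threat_score: int) -> FrozenSet[str]:
    """Actions a Host Sensor may take automatically for one indicator on one host."""
    decided = {}
    groups = frozenset(host_groups)
    for policy in sorted(policies, key=lambda p: p.priority):
        if not policy.matches(cybercon_level, groups, threat_score):
            continue
        for action in policy.deny:           # deny wins over allow within one policy
            decided.setdefault(action, False)
        for action in policy.allow:
            decided.setdefault(action, True)  # an earlier policy's decision is kept
    return frozenset(action for action, ok in decided.items() if ok)


def default_policies(servers_policy_priority: int = 0):
    """The guide's four default policies plus a constructed Servers policy.

    servers_policy_priority lets the caller see what happens when the group
    policy is ordered after the All Hosts policies instead of before them.
    """
    all_hosts = frozenset({"All Hosts"})
    return [
        Policy("Servers: no registry changes (constructed)", servers_policy_priority, 4,
               frozenset({"All Servers"}), deny=frozenset({DELETE_REG})),
        Policy("WatchGuard Default APT Blocker Policy for Cybercon 4", 10, 4, all_hosts,
               allow=frozenset({SANDBOX})),
        Policy("WatchGuard Default Remediation Policy for Cybercon 2", 20, 2, all_hosts,
               allow=REMEDIATION, threat_score_threshold=7),
        Policy("WatchGuard Default Remediation Policy for Cybercon 3", 30, 3, all_hosts,
               allow=REMEDIATION, threat_score_threshold=8),
        Policy("WatchGuard Default Remediation Policy for Cybercon 4", 40, 4, all_hosts,
               allow=REMEDIATION, threat_score_threshold=9),
    ]


if __name__ == "__main__":
    client = {"All Hosts", "All Clients"}      # constructed sample hosts
    server = {"All Hosts", "All Servers"}
    policies = default_policies()
    for level in (5, 4, 3, 2, 1):
        for score in (7, 8, 9):
            print(f"Cybercon {level}, score {score}: "
                  f"{sorted(allowed_actions(policies, level, client, score))}")
    print("server, Cybercon 3, score 9:", sorted(allowed_actions(policies, 3, server, 9)))
    print("same, Servers policy ordered last:",
          sorted(allowed_actions(default_policies(99), 3, server, 9)))
```

Running the script walks every Cybercon level and threat score, and the last two lines reproduce the tip above: with the Servers policy at the top of the list, a server at Cybercon 3 with a score 9 indicator gets Quarantine File, Kill Process and Sandbox File but not Delete Registry Value; move the same policy below the All Hosts policies and Delete Registry Value is allowed again, because the All Hosts remediation policy decided it first.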


Policy Tips

As you configure additional policies, keep these tips in mind:

Use the Cybercon Threshold to activate policies quickly:

- With the default policies active, set the Cybercon level to 3.
- Configure no policies for Cybercon 5.
- Add policies for the higher severity (lower number) Cybercon levels.
  - You set the Cybercon Threshold for your policies.
  - You decide when to change the Cybercon level, based on the current activity and risks on your network, to activate the policies for each Cybercon Threshold.

Use groups for policy targets:

- Configure groups for hosts that have similar requirements; for example, create a group for servers.
- Create policies that target each group.


Next Steps

The TDR Deployment Guide describes the steps to set up your first Firebox and Host Sensor in your Threat Detection and Response account. To complete your installation, we recommend you complete these additional steps:

- Monitor Threat Detection and Response
- Set Up Active Directory Helper
- Configure Proxy Policies for TDR

These steps are summarized in the next three sections. For a more detailed description, see Fireware Help.

Monitor Threat Detection and Response

After you configure Threat Detection and Response, to monitor and manage network threats, log in as a user with Operator credentials:

- Select Dashboard to monitor indicators and incidents for your network
- Select ThreatSync > Indicators to see reported threat indicators and take recommended actions to respond to threat indicators on hosts
- Select Configuration > Policies to configure policies to automatically take action to respond to threats on hosts
- At the top of the left navigation bar, use the arrows to change the CYBERCON level to determine which policies are active
- Select Reports > Generate to create reports of threats and remediation actions


Set Up Active Directory Helper

If your network has an Active Directory server, you can install AD Helper to enable automated installation of Host Sensors on your network. You can install AD Helper on any Windows server or computer in your network domain.

You can also use AD Group Policy Objects (GPO) to deploy Host Sensors on your network. For more information, see TDR Host Sensor CLI and GPO Installation in Fireware Help.

Prerequisites:

- You must install Java 8 on the computer where you install AD Helper
- You must run the AD Helper MSI installer as an administrator

To install AD Helper:

1. From the computer where you want to install AD Helper, log in to your TDR account as a user with Operator credentials.

2. Select Devices > AD Helper. The AD Helper Configuration page appears.

3. Click Download to download the MSI installer file.

4. Copy the Account UUID from the AD Helper Configuration page. You use the Account UUID in the next procedure to configure AD Helper.

5. Run the downloaded file as an administrator.

Next, configure AD Helper to connect to your Active Directory domain controller and your TDR account. To configure AD Helper, you connect to a local web server on port 8080. This web UI is served over plain HTTP on the local computer, so do not expose port 8080 beyond that computer.

1. On the computer where you installed AD Helper, connect to the AD Helper web UI at http://localhost:8080. Tip! If you use Internet Explorer, you must type http://localhost:8080/app. The Active Directory Helper web UI appears.

2. In AD Helper, select Configuration > Properties.


3. In the Account UUID text box, paste your Account UUID. You can copy the Account UUID from the page where you downloaded the .MSI installer.

4. The Cloud URL is automatically configured with the URL for your TDR account. If WatchGuard instructs you to change the URL, type or paste the Cloud URL provided by WatchGuard.

5. Click Save. The account properties are saved and the connection to your TDR account is tested automatically.

6. To test the connection to your TDR account again, click Test URL. The test result appears in a banner at the top of the page.

7. Select Configuration > Domains. The Domains page appears.

8. Click Add Domain.

9. To add the domain controller, click Add. The Add Server dialog box appears.


10. In the Domain Controller text box, type the name of your Active Directory domain controller.

11. In the Port text box, specify the port you use for connections to the domain controller. Port 389 is specified by default. Plain LDAP on port 389 sends the bind credentials you enter in step 17 without encryption, so if your domain controller supports an encrypted connection, select that protocol and port instead.

12. From the Protocol drop-down list, select the protocol to use for the connection to the domain controller.

13. Click Save. The domain controller is added to the list of servers.

14. In the Name text box, type the name of your Active Directory domain.

15. In the Fully Qualified Name text box, type the FQDN (fully qualified domain name) of your Active Directory domain.

16. In the Logon Domain text box, type the domain name that you must specify to log in to the Active Directory domain controller.

17. In the Username and Password text boxes, type the account credentials that AD Helper must use to log in to your Active Directory domain controller. Use a dedicated service account for AD Helper rather than a personal administrator account, so that its activity is distinguishable in the domain controller's logs.

18. Click Save. AD Helper connects to your Active Directory domain controller and sends the list of hosts and domains to your TDR account.

Active Directory synchronization does not happen instantly. It can take up to two hours for AD Helper to fully synchronize all host, group, and domain information to your TDR account.

After you set up AD Helper, you can install Host Sensors on the hosts in your Active Directory domain from your TDR account.

1. Log in to the TDR web UI as a user with Operator credentials.

2. Select Devices > Hosts. A list of hosts on your network appears. The Install State column indicates whether a Host Sensor is installed.

3. To install a Host Sensor on one host, in the Install State column for that host, click the install icon. The Install State changes to Pending Install. AD Helper receives a request to install the Host Sensor.


4. To install a Host Sensor on more than one host:

   a. Select the check box for each host on which to install a Host Sensor.

   b. From the Actions drop-down list, select Install Sensor. The Install State for the selected hosts changes to Pending Install. AD Helper receives a request to install the Host Sensor on the selected hosts.

5. To see the installation status for each host, review the Sensor Status column.


Configure Proxy Policies for TDR

For TDR to effectively correlate network events with Host Sensor events, we recommend that you enable proxy policies and services on the Firebox.

Because the Firebox sends log messages about your network events to your TDR account, it is important to configure the Firebox to send a log message when it blocks, drops, or denies a connection.

When you enable Threat Detection and Response on your Firebox, we recommend that you configure policies to:

- Inspect network traffic, and do not allow traffic that is considered a threat
- Enable Gateway AV, IPS, APT Blocker, WebBlocker, and Reputation Enabled Defense
- Generate log messages for Deny, Drop, and Block actions

For the Firebox to inspect connections and take action when a threat is identified, you must configure proxy policies and services. When you configure the proxy actions, make sure to enable logging and specify that a log message is generated for any Deny, Block, or Drop action. For example, to examine outbound HTTP, HTTPS, and SMTP connections, add these policies to your Firebox configuration:

HTTP-proxy
  Proxy action — HTTP-Client.Standard or Default-HTTP-Client
  Enable Gateway AV, APT Blocker, WebBlocker, and Reputation Enabled Defense in the proxy action
  Enable logging for any Deny, Block, or Drop action in the proxy action

HTTPS-proxy
  Proxy action — HTTPS-Client.Standard or Default-HTTPS-Client
  Enable Content Inspection, with the HTTP-Client.Standard or Default-HTTP-Client proxy action
  Enable Gateway AV, APT Blocker, WebBlocker, and Reputation Enabled Defense in the proxy action
  Enable logging for any Deny, Block, or Drop action in the proxy action

  Content Inspection decrypts and re-signs HTTPS connections, so clients must trust the Firebox proxy authority certificate or they receive certificate warnings.

SMTP-proxy
  Proxy action — SMTP-Client.Standard
  Enable Gateway AV and APT Blocker in the proxy action
  Enable logging for any Deny, Block, or Drop action in the proxy action

If your Firebox allows incoming connections to servers or other resources on your network, make sure to configure a proxy policy to inspect the incoming traffic, and enable services and logging for any Deny, Block, or Drop action in the proxy action.


TDR Account Types

There are two types of Threat Detection and Response (TDR) accounts, each with different privileges. Your account type depends on whether you are a WatchGuard partner.

Customer Account

If you are a WatchGuard customer, but not a WatchGuard partner, your TDR account is a Customer account. With your TDR account, you can manage and monitor all Fireboxes and Host Sensors deployed on your network.

Customer accounts can have these user roles: Administrator, Operator, Analyst, and Observer. In a TDR Customer account, the first user account has the Administrator and Operator user roles. All other users have the Operator role.

Service Provider Account

If you are a WatchGuard partner, your TDR account is a Service Provider account. With your TDR Service Provider account, you can manage and monitor Fireboxes and Host Sensors for all customer accounts that you manage. From your account, you can allocate TDR Host Sensor licenses to managed customer accounts.

Service Provider accounts can have these user roles: Administrator (SP) and Operator (SP). In a TDR Service Provider account, the first user has the Administrator (SP) and Operator (SP) user roles. All other users have the Operator (SP) role.


TDR User Roles and Permissions

In your Threat Detection and Response account, user roles determine what information a user can see, and what actions a user can complete. If a user account has more than one user role, the user has the privileges from all of the assigned roles. All configuration tasks must be performed by a user with the Administrator or Operator user role.

Administrator

A user assigned the Administrator role can manage user accounts and global Host Sensor settings. A user with the Administrator role has only limited visibility into the status of the system, and cannot see the Dashboard or information about current incidents.

Administrators can:

- Manage user accounts and user roles
- Change their own user roles
- Change Host Sensor settings
- See the CYBERCON level
- See the status of Firebox and Host Sensor licenses
- Generate and schedule reports
- See the Audit Log


Operator

A user assigned the Operator role can complete most actions, but cannot manage user accounts or change global Host Sensor settings.

Operators can:

- Change the CYBERCON level
- See the Dashboard
- Take action on incidents and indicators
- Add policies and exclusions
- Generate and schedule reports
- Set up AD Helper, Host Sensors, and Fireboxes
- See information about hosts and network events
- See domain and group information
- Add signature overrides
- See the Audit Log


TDR Service Provider Accounts

If you are a WatchGuard Partner, your Threat Detection and Response account is automatically a Service Provider account. As a Service Provider, you create and manage separate TDR accounts for multiple customers. From your Service Provider account, you manage the Threat Detection and Response subscription service for multiple managed customer accounts, and for subordinate Service Provider accounts.

For each managed customer account, a Service Provider can:

- Activate, allocate, and renew Host Sensor licenses
- Monitor deployed Fireboxes and Host Sensors
- Configure Threat Detection and Response policies
- Take threat remediation actions

The actions available to each user in a service provider account are based on the user role, as described in the next section.

Multi-Tier Management

Threat Detection and Response is a multi-tenant, multi-tier system. Each Service Provider account can manage many customer accounts. Each managed customer account has a separate UUID that uniquely identifies the account. The Service Provider deploys Host Sensors and Fireboxes, and manages policies, actions, and reports separately for each managed account. Data is not shared between managed accounts.

As a Service Provider, you create accounts for each of your customers in your TDR Service Provider account.

After you create a managed customer account, you can assign Host Sensors to that account.


Service Provider User Roles

Service Provider accounts have two user roles: Administrator (SP) and Operator (SP). The first user who activates TDR for a Firebox in a WatchGuard Partner Portal account is assigned both user roles. Additional users in the same partner account who log in to TDR are assigned the Operator (SP) role.

Administrator (SP)

A user assigned the Administrator (SP) user role in a Service Provider account can create managed customer accounts for the Service Provider account, and can assign Host Sensor licenses to managed customer accounts. A user with the Administrator (SP) user role can also complete the same actions for a managed account as a user with the Administrator role.

Administrators (SP) can:

- Manage user account roles of other users in the Service Provider account
- Add managed customer accounts
- Assign Host Sensor licenses to managed accounts
- Configure the global Host Sensor settings in each managed account
- Manage all customer accounts with the same privileges as a user assigned the Administrator role

Operator (SP)

A user assigned the Operator (SP) role is the Operator for all accounts managed from the Service Provider account. The Operator (SP) can manage all managed customer accounts with the same privileges as a user assigned the Operator role.


More Information

Complete documentation for Threat Detection and Response is available in Fireware Help.
