Use Tags to Simplify Endpoint Security Management

This post was written by Ted Pan.

One thing that sets McAfee apart in endpoint security is the ability to manage multiple security technologies for hundreds of thousands of endpoints through a single interface: McAfee ePolicy Orchestrator (ePO). But while our customers appreciate ePO, it’s even more powerful than some realize. In my next few blogs, I’ll discuss some ePO features that you may not be using right now that could save you a ton of time and effort in managing your environment. Let’s start with the concept of tags.

Understanding Tags

With ePO tags, you can mark a system to perform additional automated actions on it, such as pushing new configurations, software deployments, or reporting. You can tag systems in any way you want, effectively creating ad hoc groups of systems for a specific (even temporary) purpose. Once tags are assigned, you can then instruct ePO to apply a particular policy or execute a client task on all systems with that tag, without having to configure each of those systems manually.

Tags are different from the concept of “groups,” which ePO also supports, though tags and groups can work simultaneously in your management environment. Groups involve a more permanent (and often higher-level) classification, such as the line of business or location that an endpoint is associated with. Tags offer an additional, more dynamic and flexible layer of classification.

As an example, say you want to update all of your systems to the latest version of McAfee Endpoint Security (ENS) over the next quarter. You can create a new “Upgrade this System” tag for all endpoints using any version of ENS older than 10.5. Using ePO, you create a query to identify all such systems in your environment and apply that tag. Then, you create a client task to deploy the latest version of ENS to all tagged systems, and ePO handles the rest.

Compare that with the traditional method—running a report to identify all systems with out-of-date software, manually assigning client tasks to update each system, and then manually removing the client task from all those systems afterwards. Tags make the job much faster and easier. And you can assign (and remove) as many tags as you’d like to a system for as many purposes as you need.

Creating Tags

You create tags in ePO’s Tag Catalog. Click it, and you can see a list of all existing tags, create new tags, and create subgroups of tags to organize your systems. You can automatically assign tags to systems based on their properties, such as assigning a “Windows 10” tag to all Windows 10 systems or tagging all servers as “Server.” You can also assign tags based on whether a system falls into a specific IP address range. If the system’s IP address changes to a different range, the appropriate tags are automatically applied the next time it communicates with ePO.

You can assign tags in several ways. You can use an ePO server task to automatically assign tags to systems with specific properties (such as in our “Upgrade this System” example). You can manually assign a tag to a system. You can use a McAfee solution with built-in tag support, such as McAfee Enterprise Security Manager (ESM) or McAfee Network Security Platform (NSP), to assign tags. Or, you can use the McAfee ePO API to allow other solutions, such as third-party security information and event management (SIEM) systems, to use ePO tags.

For example, you could configure your SIEM to automatically apply a “Quarantine” tag to any system found communicating with a command and control server. ePO can then automatically apply a policy that you’ve defined for quarantined systems, such as blocking all network traffic other than management ports.
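An automated “Quarantine” tag is only as trustworthy as the alert feed behind it, so the SIEM hand-off described above benefits from a few checks before any tag is applied. The following Python is an added example, not McAfee’s code: it filters constructed SIEM alerts, rejects malformed or protected host names, caps the number of systems tagged per run, and builds the ePO web API system.applyTag request. The server URL, protected-host list, cap, alert format and rule name are assumptions.

```python
import json
import re
from urllib.parse import urlencode

EPO_BASE = "https://epo.example.internal:8443/remote"  # assumed ePO server URL
NEVER_TAG = {"epo01", "dc01"}   # assumed: hosts that must never be auto-quarantined
MAX_PER_RUN = 2                 # assumed cap so a bad feed cannot tag the whole fleet
HOSTNAME = re.compile(r"[a-z0-9][a-z0-9-]{0,62}")

# Constructed sample SIEM alerts, one JSON object per line.
SAMPLE_ALERTS = """\
{"rule": "c2-beacon", "host": "WKS-0142"}
{"rule": "c2-beacon", "host": "dc01"}
{"rule": "port-scan", "host": "WKS-0200"}
{"rule": "c2-beacon", "host": "wks-0142"}
{"rule": "c2-beacon", "host": "x,SRV-*"}
{"rule": "c2-beacon", "host": "LAP-0007"}
{"rule": "c2-beacon", "host": "LAP-0031"}
"""

def select_hosts(alert_lines):
    """Return (hosts_to_tag, skipped) for C2 alerts after applying the guardrails."""
    chosen, skipped = [], []
    for line in alert_lines.splitlines():
        alert = json.loads(line)
        host = str(alert.get("host", "")).lower()
        if alert.get("rule") != "c2-beacon" or host in chosen:
            continue  # unrelated rule, or host already selected
        if not HOSTNAME.fullmatch(host):
            skipped.append((host, "invalid name"))  # keeps list separators out of names=
        elif host in NEVER_TAG:
            skipped.append((host, "protected"))
        elif len(chosen) >= MAX_PER_RUN:
            skipped.append((host, "over cap"))
        else:
            chosen.append(host)
    return chosen, skipped

def apply_tag_url(hosts, tag="Quarantine"):
    """Build the system.applyTag call; send it over authenticated HTTPS."""
    query = urlencode({"names": ",".join(hosts), "tagName": tag, ":output": "json"})
    return f"{EPO_BASE}/system.applyTag?{query}"

def parse_epo_reply(body):
    """ePO web API replies begin with 'OK:' on success; return the JSON payload."""
    status, _, payload = body.partition(":")
    if status.strip() != "OK":
        raise RuntimeError(f"ePO rejected the request: {body.strip()}")
    return json.loads(payload)
```

Skipped hosts are worth routing to an analyst queue rather than dropping, since a protected or over-cap system may still be compromised.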

Assigning Client Tasks and Policies

ePO can automatically execute client tasks whenever a system is assigned a particular tag. Examples include executing a software deployment or update, executing an on-demand scan, or executing other product-based tasks.

You can also automatically apply policies to tagged systems in the same way to control or change how systems are configured. To assign policy, create a new policy in the Policy Catalog with the configurations you’d like to assign. Then, create the tag that will be assigned to all systems that will receive that policy. Next, create a Policy Assignment Rule. Select “System Based Rule” from the menu, add the policy you created, and then select your tag in the Selection Criteria field. Whenever you (or another system, such as McAfee ESM) assign a tag to a system, that system communicates with ePO and receives the new policy.

For example, you can create a server task to automatically apply a “High Risk” tag to all systems that have detected a threat event. Then, you can execute a client task to automatically perform a deep anti-malware scan for all systems with that tag.

Save Time and Headaches

These are just a few examples, but if you’ve spent any time managing a large endpoint environment, you can probably think of many others. For practically any policy or client task, durable or ad hoc, you can use tags to automate a huge amount of manual effort.

If you’ve never used ePO tags before, give them a try. And check back here soon for my next blog, where we’ll cover another powerful but sometimes-overlooked ePO feature: automating and optimizing McAfee software deployments.

Learn More

McAfee can help you detect and respond to advanced threats more quickly, with less time and effort. Learn more about our Dynamic Endpoint Threat Defense solution.
