MI-One Issue #8 - October Edition

Hello there,

Here we are in the first full month of Fall. If you’re in the Northern Hemisphere, there’s a good chance you’ll get to experience the Autumn leaves turning gold and even the Orionid meteor showers filling up the night sky later this month.

Nature’s not the only eventful thing taking place this month; it’s the Halloween season too! So we're in the most frightening time of the year, and as you all know, there’s a frightening side to the digital world too. If you had your doubts, the recently revealed XZ Utils compromise in the Linux ecosystem might have tipped you off!

Fortunately, October is also National Cybersecurity Awareness Month. While it’s primarily a US-based initiative aimed at promoting cybersecurity awareness and best practices, we think it’s something people everywhere can get behind.


Announcements

  • Metron Partners with Google to support Google SecOps Certified Integrations and Automation: In this partnership, we will support integration development with Google’s SIEM product and also support automation services for its SOAR platform. To read more on the Google SecOps platform, you can check out their official documentation.
  • Recent Coverage: We were recently featured on HPE's podcast, where we provided deep insights into architecting scalable integrations, deployment, and driving automation in the cybersecurity space. The discussion provides an overview of our development philosophy, the company’s mission, and our technical approach to supporting the customer and partner ecosystem.


Harness the power of Google SecOps and streamline your integrations with cutting-edge automation. If you're interested in building similar integrations, feel free to reach out to us at [email protected]!


Palo Alto Completes its Acquisition of IBM QRadar SAAS

Following up on a topic we discussed in a previous newsletter, Palo Alto Networks has completed its acquisition of IBM's QRadar Software as a Service (SaaS) assets. This move should strengthen Palo Alto Networks' cybersecurity offerings by integrating QRadar's capabilities with their Cortex XSIAM platform powered by Precision AI.

What it means for QRadar customers:

  • Simplified Security Operations: The combined platform integrates SIEM, SOAR, ASM, and XDR functionalities, streamlining threat detection and response processes.
  • Enhanced Threat Prevention: Real-time analytics and AI-powered automation improve threat accuracy and reduce manual workloads for security teams.
  • Continued Support: IBM will continue to support existing QRadar on-premises customers and even implement Cortex XSIAM for their internal security operations.

QRadar SaaS customers should be able to benefit from a seamless transition to Cortex XSIAM through the free migration services offered by IBM Consulting. For QRadar integrations, our team at Metron will both develop new ones and migrate existing QRadar integrations from QRadar SaaS to customers' on-prem instances. We may also develop new integrations for Cortex XSIAM for customers who choose that route rather than migrating their existing ones to the PAN XSIAM platform. In any event, the PANW team will provide support for the QRadar SaaS to XSIAM migration.


Highlights from Fal.Con 2024

We were fortunate to attend this year’s Fal.Con in Las Vegas back in September. Below are some of the top announcements from this yearly conference:

CrowdStrike unveiled Falcon Identity Protection at Fal.Con 2024. Some of the key highlights of this platform include:

  • Unified Identity Security Solution: Falcon Identity Protection helps address identity security challenges by offering comprehensive protection for endpoints, applications, and data.
  • Enhanced Entra ID Protection: New capabilities that should provide real-time threat prevention, dynamic access decisions, and hybrid risk-based conditional access for Microsoft Entra ID.
  • Falcon Privileged Access: Just-in-time access for privileged administrator roles will likely help reduce the attack surface and enhance overall security.
  • Leverages Falcon Platform: The solution will utilize and integrate with the existing Falcon platform.

For existing Entra ID users, this platform offers:

  • Real-time Protection: Falcon Identity Protection should sit in line with Entra ID authentication flows, providing more-or-less immediate protection against identity-based attacks.
  • Advanced Threat Detection: Leveraging user behavior analytics and risk-based access decisions, Falcon Identity Protection can likely detect and prevent sophisticated attacks that may evade traditional security measures.

CrowdStrike announced significant advancements in Falcon Cloud Security at Fal.Con 2024. These innovations appear to be aimed at uplifting their cloud security offering by providing a more unified security posture management (USPM) solution across cloud infrastructure, applications, data, and AI.

Key highlights:

  • Unified Security Posture Management: Falcon Cloud Security now integrates data security posture management (DSPM), application security posture management (ASPM), and AI security posture management (AI-SPM) to deliver more comprehensive protection across all layers of the cloud environment.
  • Enhanced Visibility and Control: Real-time asset inventory, asset history, and direct cloud log access can provide security teams with a deeper understanding of and control over their cloud infrastructure.
  • Smarter Threat Detection and Response: Attack path analysis and improved threat-hunting capabilities come with this addition, along with streamlined detection and response processes. This should enable teams to more rapidly identify and neutralize threats.
  • AI-Driven Protection: Falcon Cloud Security is moving further into AI adoption as it now leverages AI to protect AI models and detect potential threats in real time. It aims to better ensure the security and compliance of AI systems.

CrowdStrike is strategically expanding its reach within the cybersecurity landscape by forming partnerships with a diverse array of platforms. From identity and access management (IAM) solutions like 1Password to network detection and response (NDR) platforms like ExtraHop, and additional platforms such as Zscaler, Nagomi, Plurilock, and Obsidian, CrowdStrike is demonstrating its commitment to providing a comprehensive security solution.

CrowdStrike's partnerships seem aimed at creating synergistic ecosystems where different security technologies work in harmony, enhancing overall protection. Moreover, CrowdStrike's involvement in initiatives such as the Cybersecurity Startup Accelerator program highlights the ongoing drive towards innovation that we’ve been witnessing lately.

By integrating with various platforms, CrowdStrike is providing a more unified and streamlined security posture. This can lead to reduced playbook complexity, improved visibility, and enhanced protection against emerging threats.

The success of these integrations will hinge on their ability to deliver value to customers, address emerging threats effectively, and maintain compatibility with future security technologies.


Under the Lens: Recent Developments in the Industry

Apple's release of macOS 15 (Sequoia) in September introduced a significant compatibility issue with several cybersecurity products. Tools from vendors like CrowdStrike and Microsoft were adversely affected, rendering them inoperable or significantly impaired. This issue was attributed to a bug within the macOS 15 framework, causing disruptions in network functionality and interfering with the seamless integration of third-party security solutions.

Recognizing the critical nature of this problem, Apple swiftly responded with the release of macOS 15.0.1. This update specifically addressed the compatibility issues, restoring the functionality of affected cybersecurity tools. The underlying bug that caused the initial problems was successfully resolved, ensuring that users could once again rely on their chosen security solutions without interruption.

Beyond the resolution of compatibility issues, macOS 15.0.1 also addressed other network-related concerns, providing users with a more stable and reliable network experience.

This update provided a much-needed solution for users who had been impacted by the initial compatibility problems, allowing them to continue utilizing their preferred cybersecurity tools without hindrance.


In 2024, third-party integrations in OT security focus on several key areas, including Zero Trust Architecture to safeguard both IT and OT systems, cloud-native security tools for remote monitoring, and API security to protect communication between legacy OT protocols and modern platforms. By focusing on these key areas, you can enhance your IT-OT integration capabilities and strengthen your security posture. AI-driven threat detection is being increasingly integrated to detect anomalies in OT environments, while supply chain risk management tools monitor third-party vendor risks. Additionally, XDR platforms are being adapted to unify IT and OT security layers for enhanced threat correlation and response.

While the integration of these two domains offers numerous benefits, such as improved efficiency, enhanced security, data-driven decision-making, and a centralized view, it also presents significant challenges.

One of the primary hurdles in IT-OT integration is the inherent differences between the two systems. IT systems are typically designed for data processing, analysis, and communication, often operating in a controlled environment, while OT systems are optimized for real-time control and automation of physical processes, requiring immediate response times and robustness to harsh conditions.

Another challenge arises from the diverse protocols and data formats used by IT and OT systems. This can hinder communication and data exchange, leading to potential errors.

To overcome these challenges, you can:

  • Establish a unified security framework: A comprehensive security strategy that addresses the unique vulnerabilities of both IT and OT systems is crucial.
  • Invest in advanced technologies: Technologies like the Industrial Internet of Things (IIoT) and edge computing can facilitate seamless data exchange and real-time analytics.
  • Prioritize data quality and standardization: Ensuring data consistency and accuracy is crucial for meaningful analysis and decision-making. Implementing data governance practices and standardizing data formats can help achieve these goals.

If this is of interest to you, Metron's expertise in developing integrations with various IT Ops platforms, such as Jira, ServiceNow, Splunk OT, Tanium - Threat Response, and others, can help you achieve these goals. Example of IT Ops + OT integrations by Metron: ServiceNow CMDB + IoT platforms.


Cloudflare One's acquisition of Kivera is a great move to extend its SASE portfolio, adding capabilities for preventative security controls. Here's a breakdown:

  • Enhanced Cloud Security: Cloudflare One will integrate Kivera's technology, offering proactive controls to prevent misconfigurations and human errors in cloud deployments. This can potentially reduce security risks and data breaches. For example: a hospital using multiple cloud platforms to store patient data could accidentally leave a database publicly accessible. Kivera's integration with Cloudflare One would detect and prevent this, protecting sensitive patient information.
  • Simplified Security Management: Cloudflare aims for a unified platform with Kivera, simplifying security management across various cloud providers. This aims to save time and resources. For example: a bank using multiple cloud providers for different services might struggle to manage security policies across each platform. Cloudflare One with Kivera could provide a centralized dashboard to oversee security configurations.

We would like to give a special shout-out to Neil, Vernon, Joe, and the Kivera team.


Palo Alto Networks has also been on a similar path as CrowdStrike when it comes to enhancing its security offerings as of late. The company’s partnerships and integrations with industry-leading companies like Veeam, Red Canary, Team Cymru Scout, Cognizant, and now Deloitte, are all clearly aimed at providing comprehensive and effective security solutions.

These collaborations offer several advantages for users of the Palo Alto Networks platform. First, they provide access to a wider range of security tools and technologies, enabling organizations to better protect their networks and data. Second, they streamline security operations by integrating various security functions into a cohesive platform. And lastly, they enhance threat detection and response capabilities, allowing organizations to identify and mitigate threats more quickly and effectively.

These partnerships are driving the adoption of PANW Cortex XSIAM and XSOAR platforms by partners like Cognizant and Veeam. This suggests that PAN is actively expanding its market reach and customer base with these platforms. While the integration process may not differ much, this highlights the growing significance of XSIAM and XSOAR solutions and their potential to increase market share. Metron has expertise in SOAR platforms, and we have built and delivered integrations for multiple customers. For example: Analyst1 + BAS, IBM SOAR + TIP, and Palo Alto Networks - Cortex XSOAR + IoT.


Application and Version Updates

The latest version of Google SecOps was released on 6th October 2024, and the update included:

  • Enhanced search functionality: The SOAR search page now supports the "Equals" condition for more precise results.

Some of the earlier updates are as follows:

September 30, 2024:

  • Case report improvement: The case report now includes all information written on the case wall.
  • Case merging: Cases can now be merged even if the requester and assignee are different.

September 16, 2024:

  • Updated supported default parsers: Google SecOps has expanded its list of supported default parsers for various products and log types.

Other recent updates:

  • Direct ingestion: Customers can now directly ingest Google Cloud data without using a one-time access code.
  • Playbook creation: Gemini now supports creating new playbooks using prompts.
  • Gemini for investigation assistance: Enhanced capabilities for Gemini include search, search summaries, rule generation, security questions, and incident remediation.
  • Cloud Identity integration: Google SecOps can now be configured with Cloud Identity or Google Workspace as an identity provider.
  • Access Transparency support: Google SecOps integrates with Access Transparency for increased visibility into user access.
  • Data RBAC: Data-based access control is now supported in Google SecOps.
  • Placeholder syntax update: The syntax for placeholders in UDM saved searches has been updated.

To get more information on the version updates, refer to the Google SecOps release notes.


Recently, IBM released a few changes related to signing certificates for QRadar apps published on the IBM App Exchange:

Minimum QRadar Version: As of August 2024 (Update Pack 9), the minimum supported version for QRadar app development is 7.5 UP9.

Signing Certificate Changes:

  • Old certificates (Old_ca) can still be used until they expire, but new ones are issued with a different folder (CA_new).
  • Apps developed for versions earlier than 7.5 UP9 will not be marked as "IBM Validated" on the App Exchange.

Verifying Integration Signing:

  • Look for the presence of “IBMCCS / VALIDATE rsa/sf” files. These indicate an IBM team countersignature.
  • Use this link for further validation.

Action Required:

  • Update your development environment to QRadar 7.5 UP9.
  • Review your existing apps and consider updating them for compatibility with the new signing requirements.

To know more about these changes, refer to IBM’s community blog.


JupiterOne had its latest version released in September 2024. This update brings several improvements to JupiterOne, including new features, enhanced functionality, and bug fixes. Here's a quick rundown of the key highlights:

  • EPSS: Exploit Prediction Scoring System (EPSS) is a new feature of JupiterOne. It is a data-driven model that uses machine learning to predict the probability of a software vulnerability being exploited in the wild within a specific timeframe. It leverages historical exploit data, vulnerability characteristics, and metadata to calculate a score between 0 and 1. A higher score indicates a greater likelihood of exploitation. This aims to help you prioritize your remediation efforts by focusing on vulnerabilities with the highest EPSS scores.
  • Smart Classes: Allows operators to organize and categorize their assets with additional business and technical context. This should help improve IT management and security practices.
  • Graph Upgrade: Completed in July, this upgrade improves query response speed and data availability.
  • Enhanced Query API: Variable result size queries are now the default, improving performance and eliminating pagination issues. Additionally, error handling has been improved with proper HTTP status codes.
  • Python SDK Ownership Transfer: JupiterOne now actively maintains the Python SDK, offering significant improvements.
  • Terraform Provider Enhancements: Configure Insights dashboards and widgets, and be warned about potential overwriting of non-Terraform changes.
  • J1QL Query Editor: Block quoting lines in your queries is now easier with keyboard shortcuts.
  • Alerts & Rule Improvements: Download rule evaluation results as JSON and process larger, longer-running queries.
  • Insights Dashboards: Create rules directly from widgets to turn insights into actionable alerts.
  • Integration Updates: Improved documentation for several integrations and added support for ManageEngine Endpoint Central via the JupiterOne Collector. Additionally, more AWS services are now integrated.
  • New Rule Packs: Leverage pre-configured MITRE ATT&CK rule packs for privilege escalation, execution, and initial access scenarios.
  • For detailed information and documentation on these updates, refer to the JupiterOne release notes.


Insights: From Our Integration Factory

EDR + Google SecOps: Combining an endpoint detection and response (EDR) platform’s capabilities with SecOps’ advanced threat analytics allows security teams to gain valuable insights and respond more effectively to cyber threats. This integration provides a comprehensive and efficient solution for threat detection, response, and investigation, helping organizations protect their valuable assets and mitigate the risks associated with cyberattacks.

Some of the benefits of this integration are mentioned below:

  • Enhanced Threat Detection: The EDR identifies suspicious activities on endpoints, while Google SecOps’ analytics correlates this data with broader security trends, enabling earlier detection of potential attacks.
  • Improved Incident Response: When a threat is identified, the integration allows for rapid data sharing between Google SecOps and the EDR platform. This enables security teams to quickly gather evidence, understand the scope of the attack, and take appropriate containment and remediation actions.
  • Centralized Visibility: The integration provides a centralized view of security events across the organization, making it easier to identify patterns and trends that may indicate a larger threat.
  • Efficient Investigation: Google SecOps' investigation tools allow security teams to delve deeper into suspicious activities, analyze artifacts, and uncover the root cause of incidents.

CAASM + SecureWorks Taegis XDR: This integration between CAASM and Taegis XDR provides a robust solution for organizations seeking to enhance their cybersecurity posture through advanced asset management and threat detection capabilities.

Key Technical Aspects:

  • Data Exchange: The integration involves the exchange of data between CAASM and Taegis, allowing CAASM to collect and analyze asset information from Taegis's threat detection platform.
  • API Integration: The integration is typically achieved through APIs, enabling seamless communication and data transfer between the two systems.
  • Asset Discovery and Inventory: CAASM leverages Taegis's data to discover and inventory assets, including endpoints, network devices, and cloud resources.
  • Asset Classification and Prioritization: CAASM can classify assets based on their criticality and sensitivity, allowing organizations to prioritize their security efforts accordingly.
  • Threat Correlation: By combining CAASM's asset data with Taegis's threat intelligence, organizations can correlate security events and identify potential threats more effectively.
  • Security Orchestration and Automation: The integration can enable automated security workflows, such as incident response and remediation actions, based on the information gathered from CAASM and Taegis.

Benefits:

  • Improved Asset Visibility: The integration provides a comprehensive view of an organization's assets, enabling better risk management and compliance.
  • Enhanced Threat Detection: By combining asset data with threat intelligence, organizations can detect and respond to threats more effectively.
  • Efficient Security Operations: Automation and orchestration capabilities streamline security workflows, reducing the burden on security teams.

This CAASM-XDR integration offers a powerful solution for organizations seeking to improve their cybersecurity posture through advanced asset management and threat detection capabilities.

TIP + Splunk SIEM: TIP’s integration with Splunk offers a solution for centralized monitoring and threat detection. This integration offers:

  • Ingest alerts into Splunk: Seamlessly import alerts into Splunk for comprehensive visibility and analysis.
  • Correlate customer data with other data: Combine alerts with data from other security sources in Splunk to identify trends and patterns.
  • Enrich alerts with additional context: Add context to customer alerts using Splunk’s data sources, such as asset details and system status.
  • Leverage Splunk's analytics: Use Splunk's advanced analytics to visualize alert trends, monitor performance, and track resolution status effectively.
  • Normalize data as per the Splunk CIM model: Normalize the incoming data into the standard Data Models specified in CIM (Common Information Model). Once the data is normalized, it will automatically populate the dashboards provided by standard apps, like Splunk Enterprise Security.
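As an added illustration of the CIM normalization step above (not configuration from the newsletter or from any Metron integration), the Splunk knowledge objects that map a TIP alert sourcetype onto the CIM Alerts data model; the sourcetype `tip:alert` and the vendor field names `alert_id`, `hostname`, `title`, `detail`, `analyst` and `risk` are assumptions constructed for this example.

```ini
# props.conf -- sourcetype "tip:alert" is an assumed name for this example
[tip:alert]
# Alias vendor-specific field names onto CIM Alerts data model fields
FIELDALIAS-tip_cim = alert_id AS id hostname AS dest title AS subject detail AS body analyst AS user
# CIM expects severity values such as critical/high/medium/low/informational;
# the vendor "risk" field is assumed to carry those words in mixed case
EVAL-severity = lower(risk)
# Constant fields identifying the originating application and event type
EVAL-app = "tip"
EVAL-type = "alert"

# eventtypes.conf -- an event type that the CIM tag can be attached to
[tip_alert]
search = sourcetype=tip:alert

# tags.conf -- the Alerts data model selects events carrying tag=alert
[eventtype=tip_alert]
alert = enabled
```

Once these are in place, the events should show up under the Alerts data model, e.g. with `| from datamodel:"Alerts.Alerts" | search sourcetype=tip:alert`, which is where Enterprise Security dashboards read them from.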

BAS + Proofpoint TAP: This integration between Proofpoint Targeted Attack Protection (TAP) and a Breach and Attack Simulation (BAS) platform offers a comprehensive solution for organizations to enhance their cybersecurity posture by combining advanced threat detection and prevention capabilities with realistic attack simulation.

By integrating Proofpoint TAP and a BAS platform, organizations can achieve the following benefits:

  • Comprehensive Threat Detection and Prevention: TAP's advanced threat detection capabilities, combined with BAS's ability to simulate realistic attacks, provide a robust solution for identifying and mitigating potential threats.
  • Enhanced Security Posture: This integration allows organizations to continuously test and improve their security controls, ensuring that they are prepared to defend against the latest threats.


Before you go…

The conference season is starting to cool down as we approach the last quarter of the year. We’ve currently got one more conference lined up - hope to catch you there if you’re also planning on attending!

  • AWS re:Invent, Las Vegas, 2-6 December


P.S. If any of these caught your eye, don’t hesitate to reach out to us for more details at [email protected].

