MI-One: Issue #2 Aperire Edition


👋 Hello there.

We’re back with the sophomore edition of MI-One, your exclusive monthly peek into the inner world of security system integrations and automation from Metron.

(If you missed our inaugural edition, you can find it here and catch up on the integration and automation trends in the security ecosystem.)

April already?

Did you know that April gets its name from the Latin term aperire - meaning “to open,” typically as a way to signal the start of Spring and the return of vegetation?

New openings also point to new beginnings and opportunities alike, and there have been plenty of those going on in security ecosystems these days.

Special Announcement

Metron was recently awarded the Palo Alto Networks Supplier Appreciation Award in the area of R&D Services Excellence.

We are proud and honored, and always looking forward to ongoing collaboration with Palo Alto Networks and its ecosystem partners.

Under the Lens: Recent Developments in the Industry

In our previous newsletter, we highlighted Palo Alto Networks’ platform consolidation approach, and consolidation continues to be the trend. On the whole, 2024 is predicted to be a year of recalibration and consolidation of platforms: 27 cybersecurity-related mergers and acquisitions (M&A) deals were announced in March 2024 alone!

One major trend we've observed first-hand this time around is the push from large enterprises towards "unified platforms." These typically combine the stack of their in-house proprietary tools, as well as those from acquisitions, while integrating all applications with leading-edge AI engines.

  • In a major deal that was first announced last year, Cisco just completed its $28 billion purchase of Splunk. This means we'll see Cisco's Talos threat intelligence integrating directly into Splunk, as well as a more unified experience when using their AI assistants for security matters. We can also expect to see Splunk leverage more cloud, network, and endpoint analytics. For a deeper read, you can look into Cisco's Full-Stack observability plans for Splunk.

  • Integration with third-party AI tools is becoming increasingly important. Notably, Microsoft put a stake in the ground and is growing its foothold in the security space with the launch of Copilot for Security, which reached general availability on April 1 (seriously, not an April Fool’s joke).
    Microsoft also seems to be on track with its Unified Security Operations Platform, using the Defender portal to bring together Defender XDR, Microsoft Sentinel data, Entra ID (formerly Azure Active Directory), Intune, and the Azure stack. By integrating with Copilot, SOC teams can use AI and advanced queries to detect and eliminate security blind spots. For more on how to integrate with Copilot, here’s some useful information (and alternatively, you can reach out to us for help integrating anything from the Microsoft Security Stack).

  • On April 8th, SentinelOne announced the general release of Purple AI, an AI-powered security analyst. Your SOC team can now investigate threats by asking simple, natural-language questions without having to memorize event schemas across multiple partner event types or write complex queries. Purple AI also provides Guided Investigations, which suggest the next set of queries for any open investigation. Purple AI is built on top of SentinelOne’s Singularity Data Lake (SDL) and the Open Cybersecurity Schema Framework (OCSF). For more information, check out their release article.

  • There is a burgeoning adoption of DevSecOps as part of Shift Left principles. According to Gartner’s survey, “50% of organizations have implemented DevSecOps. 31% say their organizations are in the implementation process, while 11% plan to implement DevSecOps.” From a third-party integration standpoint, we are also seeing more security applications being integrated into CI/CD pipelines, with as many security processes as possible being automated.

  • The common integration targets are an alphabet soup of acronyms, and the movement is looking serious. Among them: Static Application Security Testing (SAST), Software Composition Analysis (SCA), Dynamic Application Security Testing (DAST), Runtime Application Self-Protection (RASP), Web Application Firewalls (WAF), container image scanning tools, and Cloud Security Posture Management (CSPM). Popular DevSecOps integration and workflow applications include Jira, Azure DevOps, GitHub, GitLab, Snyk, Semgrep, OWASP ZAP, Aqua Security, Checkmarx, Prisma Cloud, and SonarQube.

Our Thoughts: Many tools, security technologies especially, are designed for a single type of user. DevSecOps tools are different: they are used by both security and engineering professionals and have to fit seamlessly into the existing workflows of each. As such, an integration-first approach is critical to ensuring DevSecOps tools deliver the right data to the right end user in the right manner.

Tools and Tips

There’s plenty to consider when it comes to automated software release pipelines. Here is how you can leverage CI/CD tools to build, test, deploy, and secure your releases:

  • Always test the latest commit and create a ticket in Jira if there is a build failure.

  • Remember that release artifacts (installers, zip files, etc.) must be created by build scripts with no human intervention. Your CI/CD tools (GitHub, GitLab, Jenkins, etc.) can ensure the release is built from a freshly cloned repository in an isolated container; publish checksums alongside the artifacts so consumers can verify what they download. Release notes can likewise be generated from Jira using the Jira APIs.

  • Did you know that GitHub Actions can be configured to run static analysis on the source code for every commit or pull request? This ensures the code that reaches the main branch follows the standards set by the organization.

  • GitHub Actions can also be configured to scan committed code for secrets (credentials, API keys, tokens) so they are caught before they reach the main branch.
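The four tips above fit into a single GitHub Actions workflow. The one below is an added example written for this newsletter, not Metron’s code or a vendor’s reference workflow. It assumes a repository that exposes `make test` and `make release` targets (the latter writing artifacts to `./dist`), a Jira Cloud site with project key `SEC`, and repository secrets `JIRA_USER` and `JIRA_API_TOKEN`; Semgrep is the SAST tool from the list above, and gitleaks is one secret scanner chosen here for illustration. The Jira calls use the public REST API v2 endpoints `/rest/api/2/issue` and `/rest/api/2/search`.

```yaml
# Added example, not Metron's or GitHub's own code. Names marked "assumed"
# (make targets, Jira project key, secrets) are placeholders for this demo.
name: build-test-release

on:
  push:
    branches: [main]
    tags: ['v*']
  pull_request:

permissions:
  contents: read                 # least privilege by default; widened per job below

env:
  JIRA_BASE_URL: https://example.atlassian.net   # assumed Jira Cloud site
  JIRA_PROJECT: SEC                               # assumed project key

jobs:
  # Tips 1, 3 and 4: every commit and pull request is built, tested,
  # statically analysed and scanned for committed secrets.
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4          # pin to a full commit SHA in production
        with:
          fetch-depth: 0                   # full history so the scanners see every commit
      - name: Build and unit tests
        run: make test                     # assumed: the repository provides this target
      - name: Static analysis with Semgrep
        run: |
          pip install semgrep
          semgrep scan --config auto --error   # --error: non-zero exit on any finding
      - name: Secret scanning with gitleaks
        uses: gitleaks/gitleaks-action@v2      # fails the job if a secret is found
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Open a Jira ticket if any step above failed
        if: failure()
        env:
          JIRA_USER: ${{ secrets.JIRA_USER }}         # assumed: account e-mail
          JIRA_TOKEN: ${{ secrets.JIRA_API_TOKEN }}   # assumed: Jira API token
        run: |
          jq -n --arg proj "$JIRA_PROJECT" \
                --arg summary "Build failed: ${GITHUB_REPOSITORY}@${GITHUB_SHA::7}" \
                --arg desc "Run: ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}" \
                '{fields:{project:{key:$proj},summary:$summary,description:$desc,issuetype:{name:"Bug"}}}' \
          | curl --fail-with-body -sS -u "$JIRA_USER:$JIRA_TOKEN" \
                 -H 'Content-Type: application/json' \
                 -X POST "$JIRA_BASE_URL/rest/api/2/issue" -d @-

  # Tip 2: release artifacts are built by script only, from a fresh clone,
  # inside a throwaway container, and are never touched by hand.
  release:
    needs: test
    if: startsWith(github.ref, 'refs/tags/v')
    runs-on: ubuntu-latest
    container:
      image: ubuntu:24.04              # clean image; nothing from earlier jobs is present
    permissions:
      contents: read
      id-token: write                  # required by the provenance attestation step
      attestations: write
    steps:
      - name: Install build prerequisites inside the container
        run: apt-get update && apt-get install -y --no-install-recommends git ca-certificates curl jq make
      - uses: actions/checkout@v4      # fresh clone of the tagged commit into the empty workspace
      - name: Build release artifacts (script only, no human steps)
        run: make release              # assumed: writes installers/zips to ./dist
      - name: Record checksums alongside the artifacts
        run: cd dist && sha256sum * > SHA256SUMS
      - name: Generate release notes from Jira (issues whose fixVersion is this tag)
        env:
          JIRA_USER: ${{ secrets.JIRA_USER }}
          JIRA_TOKEN: ${{ secrets.JIRA_API_TOKEN }}
        run: |
          curl --fail -sS -u "$JIRA_USER:$JIRA_TOKEN" -G "$JIRA_BASE_URL/rest/api/2/search" \
               --data-urlencode "jql=project=$JIRA_PROJECT AND fixVersion=\"$GITHUB_REF_NAME\" ORDER BY key" \
               --data-urlencode "fields=summary" \
          | jq -r '.issues[] | "- \(.key): \(.fields.summary)"' > dist/RELEASE_NOTES.md
      - name: Attach build provenance to the artifacts
        uses: actions/attest-build-provenance@v1
        with:
          subject-path: dist/*
      - uses: actions/upload-artifact@v4
        with:
          name: release-${{ github.ref_name }}
          path: dist/
```

Two design points worth noting. The workflow-level `permissions: contents: read` keeps the default token read-only, and only the release job widens it, and only for the attestation. The release job runs in a container that contains nothing from the test job, so the artifacts can only come from the tagged commit, the build script, and the packages installed in that step; the checksums and provenance attestation give downstream consumers something to verify against.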

Applications and Version Updates

What's new in the industry? Latest update breakdown:

  • Splunk updated its Cloud Vetting standards in March 2024; the new standards apply to all apps published on Splunkbase. Compliance is essential: after May 8, 2024, Splunk will begin revoking apps that fail the checks. You can find the official information on the vetting process here. Splunk Enterprise 9.2, released in January 2024 with a minor update in February, introduces a range of significant enhancements:

    • Deployment Server enhancements: Improved scalability, manageability, and high availability with features like deployment server clusters.

    • Dashboard Studio upgrades: New functionalities include enhanced visualizations, a more powerful code editor, and a tool to convert Classic dashboards to Studio format.

    • General improvements: Support for OS certificate trust store and certificate management API, the ability to abort rolling restarts of indexer clusters, and bug fixes in the Universal Forwarder.

  • ServiceNow's latest update, dubbed Washington DC, arrived in March 2024, bringing a wave of innovation to your fingertips. Here's what you can expect:

    • Workflow Studio: Unify your automation efforts with a single platform for building and managing workflows.

    • Now Assist: Leverage AI-powered assistance to streamline tasks and boost productivity across your business.

    • Platform Analytics: Gain valuable insights and surface data across your entire platform, fostering smarter decision-making.

  • QRadar Update - 7.5.0, Update Pack 8 Interim Fix 1, released on 9 April 2024, offers the following feature enhancements:

    • Enforce Secure App Images with Minimum Permitted Setting: It allows admins to disable potentially vulnerable app base image streams via a new "Minimum Permitted" setting.

    • Read-only Configuration: This update refines "Read-only Configuration" to allow viewing users but not creating/editing them.

    • SSH extraction enhancements: This enhances SSH inspection in Network Insights, extracting more data and including "Hash" fingerprints for secure connection verification.

    • Improved Tunneling Support: QRadar Network Insights now supports GRE and ERSPAN network traffic, along with enhanced features for all tunneled traffic (including VXLAN).

    • Smoother RHEL Upgrades: A Leapp pretest has been made mandatory before migrating from RHEL 7.9 to 8.8 to ensure compatibility and prevent upgrade failures.

  • Jira version 9.15.0, released in March 2024, introduces several improvements:

    • Security Enhancements:

      • Software Bill of Materials (SBOMs): You can track the software components used in projects for better vulnerability management.

      • Restrict File Uploads: You can block specific file types from being uploaded to Jira to prevent malware infiltration.

      • Websudo Allowlist: Jira can now restrict superuser (websudo) operations to pre-approved IP addresses for enhanced security.

    • New Feature:

      • Confluence Page Viewer: Jira replaces the Confluence Page Gadget with a modern and more secure Confluence Page Viewer for better dashboard experience.

Insights: From our Integration Factory

We’ve been busy since the start of the year (is anyone ever honestly not busy?). Here are a few of the integrations our team rolled out most recently:

  1. NVD CVE App published in Splunkbase by Metron: The NVD CVE app helps developers and users by providing a way to download and maintain the National Vulnerability Database (NVD) dataset. This dataset includes information about known vulnerabilities in software products. By using the NVD CVE app, developers can stay up-to-date on the latest vulnerabilities and take steps to fix them in their products. Users can also use the app to find information about vulnerabilities in the software they use. Read more about its use cases here!

  2. XDR integration with Snyk: With this integration, the XDR platform ingests Snyk findings and correlates its runtime threat detections with the vulnerabilities Snyk found in the corresponding container images, tying container security risks back to their origin. This streamlines the analysis of runtime threats and lets teams fix the underlying vulnerabilities at the source-code level.

  3. Microsoft Defender XDR + Leading IoT Security: This integration connects Microsoft Defender XDR with an IoT platform to gain a deeper understanding of IoT devices. Leverage Defender XDR's rich data on device attributes, SBOM (Software Bill of Materials), vulnerabilities, and patching recommendations. This integration enables Comprehensive Risk Profiling, Enhanced Threat Detection, and Improved Patch Management.

Before you go…

A few items for your attention:

  • Product Manager / Technology Alliance partners, if you would like to broadcast modifications and improvements in your platform that affect 3rd party integrations, please email us at connect@metronlabs.com.

  • Elevate your cybersecurity career in a company that puts developers at the forefront. Apply here for available roles!

We'll be attending several conferences this spring, and we'd love to see you there too if you happen to attend. Some of the upcoming events in our calendar include:

  • Black Hat Asia in Singapore April 16-19

  • Schedule a meeting at the RSA Conference, San Francisco May 6-9.

We’d love the chance to trade hellos, enjoy a coffee together, or even take a few minutes to discuss all things integration-related.

If you’re there, don’t be shy to catch up with us!

If any of these caught your eye, don’t hesitate to reach out to us for more details at connect@metronlabs.com.