MI-One: Issue #3 Maia Edition

Hello there.

Welcome to the 3rd edition of MI-One, your exclusive monthly peek into the inner world of security system integrations and automation from Metron. (In case you missed out on the previous one, don’t worry! You can browse through our April / Aperire edition here).

Here we are in May. Did you know the month takes its name from the Latin Maius, named after the Greek goddess Maia?

For those who haven't been reading their classics lately, she was a mythological figure associated with growth and increase, two things easily associated with spring.

Of course, growth and increase are also things that come to mind quite often when discussing our industry. Since we are just back from the RSA Conference, we will share a few things that are shaping the 3rd party integration space, mainly in cloud security options, new connectors, and even ways of parsing and storing our data.

Special Announcement and RSA Recap

1. Metron Security partnered with HPE to build 3rd party integrations and automation for HPE partners and customers. We are now part of the HPE Aruba Networking 360 Security Exchange. You can read more about it in our blog post, Metron’s Partnership with HPE.

2. Like every year, RSA remains one of the most anticipated events, setting the tone for the direction the security industry will take. Here are a few of our takes from this year’s conference:

  1. Integrations: best-of-breed versus platform is a perennial debate in our space. The best way to get the most out of consolidated tools, we would argue, is to build integrations. Many vendors seem to agree: while AI took center stage for most of the show, we could not help but notice how much booth monitor space was given over to showing off the breadth of available integrations.

    About integrations, Kyle Alspach, Senior Editor at CRN, summed things up very well in his article, A ‘Mindset Shift’ In Cybersecurity Industry As Vendors Prioritize Integrations.

    Our favorite quote of the event is also about integrations and comes from Proofpoint’s CEO Sumit Dhawan, “Major cybersecurity vendors are now doing integrations to deliver the best customer value — which is different than doing integrations for convenience, for adding capabilities into your product — a shift in the industry that I'm seeing.”

  2. Cloud: Wiz’s $1B raise at a $12B valuation validated that cloud security is poised for meteoric growth. A $1 billion bet on consolidating cloud security will also drive integrations that improve visibility, detection, and response in cloud environments, where all three remain harder to achieve than on-premises. Within cloud security, we foresee a convergence of Continuous Threat Exposure Management (CTEM) and Application Security Posture Management (ASPM), and Dazz seems to be in the leader category at the moment.

  3. OCSF: We attended the OCSF breakfast, and it is evident that the community is thriving, with an increasing number of stakeholders, vendors, and customers coming together to address data interoperability challenges.
    The discussion was led by Paul Agbabian, Co-chair of OCSF and VP of Engineering at Splunk. We particularly enjoyed Keith Gilbert, Co-chair of OCSF, walking through the roadmap: the update from OCSF v1.1 to v1.2 with 28 new event classes, three additional profiles (Network Proxy, Load Balancer, and Data Classification), and continued expansion of coverage.
    We also enjoyed listening to Troy Wilkinson, CISO of Interpublic Group (IPG), give his perspective on why he is driving OCSF adoption within IPG and actively urging vendors to adopt a common schema so that data interoperates seamlessly across platforms. This again drives home the point that customer-driven adoption is critical.
    Michelle Abraham, analyst at IDC, shared her insightful OCSF survey, which indicates that OCSF adoption is expected to keep increasing over time.
    We also heard from Matt Eberhart (CEO) and Jeremy Fisher, the founders of Query.ai, on how OCSF has been a critical component of their federated search.

Hot off the press: Palo Alto Networks + IBM QRadar

On May 15th, Palo Alto Networks and IBM announced a partnership to deliver AI-powered security outcomes to customers. In a nutshell, IBM will facilitate migrating its QRadar SaaS clients to the industry-leading Cortex XSIAM SOC platform. Palo Alto Networks will incorporate IBM’s watsonx large language models (LLMs) in Cortex XSIAM, leveraging IBM’s decades of expertise with Watson.

We are excited about this development, as this means our customers can lean on our experience with multiple product lines across both Palo Alto Networks and IBM Security.

Under the Lens: Recent Developments in the Industry

Back in April, we shone a spotlight on how many large enterprises were pushing towards “unified platforms”: combined stacks of their in-house tools and apps.

This time around, we want to highlight a couple of major developments that took place in the cloud.

  • Earlier this month, at the RSA Conference, Google reaffirmed its commitment to making inroads in cloud security. The tech giant unveiled Google Threat Intelligence, a new offering in its Google Cloud security portfolio, with Gemini AI bundled in to deliver insights and help drive operations. It is currently available only by contacting a Google Cloud sales specialist, so we will have to see whether it reaches wider adoption and what it enables in broader security playbooks.

  • Microsoft showcased the integration of Microsoft Entra Permissions Management with Microsoft Defender for Cloud (MDC), expected to be GA’ed in May. The integration simplifies access and permission insights across various cloud environments, providing a unified interface. Here are more details on enabling the integration.

  • Leading cloud security providers Aqua Security and Orca Security announced a new partnership to deliver a comprehensive cloud-native security solution through integration between their platforms. The collaboration aims to address customer demand for proactive and preventative cloud security: Orca's agentless approach provides multi-cloud visibility and continuous security across cloud assets, and that foundation is bolstered by Aqua's runtime protection for cloud-native workloads, providing real-time threat detection and prevention.

  • Cisco has announced a significant advancement in cloud security with the introduction of Hypershield. This AI-powered addition to their Security Cloud platform automates vulnerability patching and streamlines response times, addressing numerous longstanding challenges faced by security teams. Hypershield utilizes artificial intelligence to proactively deploy temporary controls for newly discovered vulnerabilities until permanent fixes are developed and finalized. Additionally, it automates the testing and deployment of patches, alleviating the burden of security personnel having to do so manually. This comprehensive solution is anticipated to be available for Linux environments by late July/early August, further solidifying Cisco's commitment to providing cutting-edge security solutions for the cloud.

Our Thoughts: 2024 is shaping up to be a major year for developments in the cloud. As more centralized tools adapt and expand their cloud functionality and/or adopt standardized frameworks, such as OCSF, this actively encourages streamlining essential workflows and processes through integration.

Applications and Version Updates

  • Palo Alto Networks Prisma Cloud 24.5.1 update, released in May 2024, offers the following security and management enhancements:

    • Enhanced Security Visibility:

      • Amazon Security Lake Integration: Gain a more comprehensive view of cloud security issues by integrating with Amazon Security Lake. This lets your analysts leverage a broader context for better decision-making.

    • Streamlined Login Experience:

      • Universal Authentication Support: Log in seamlessly using any available authentication option (excluding IdP-initiated SAML SSO).

      • Clearer SSO Options: OIDC SSO login receives a clearer designation, and Palo Alto Networks SSO login is now supported.

    • Advanced Vulnerability Assessment:

      • "Running On/With" Configuration Integration: Achieve more precise vulnerability assessments with the inclusion of "Running On/With" configurations. This ensures vulnerabilities are only flagged if they impact your specific environment.

    • Expanded Runtime Security Features:

      • Java 17 & 21 Support for Serverless Defender: Users can deploy Serverless Defender on the latest Java runtimes for enhanced protection.

      • Kubernetes cri-o Container Blocking: Block Kubernetes cri-o containers based on your defined vulnerability and compliance rules.

      • OS-Aware Go Package Evaluation: Vulnerability assessments in Go packages are now OS-specific, ensuring only relevant vulnerabilities are reported for your systems.

      • System Load Management: Manage the system load associated with TAS (Tanzu Application Service) applications and Defender using the new REFRESH_INTERVAL_SECONDS environment variable.

      • Google Registry Scanning: Scan Google Container Registry (GCR) and Google Artifact Registry (GAR) during GCP cloud account onboarding.

    • Improved Cloud Account Management:

      • Account Import Status Filter: Easily manage locally created, manually imported, and auto-imported cloud accounts with the new filter on the Cloud Accounts page.

    • You can read about Prisma Cloud’s latest feature enhancements in depth here.

  • Trend Micro Cloud One latest updates as of May 2024:

    • New Rules and Standards:

      • New Azure rule ensures API Management gateways use HTTP/2.

      • Updated PCI DSS v4 compliance report reflects the latest AWS, Azure, and GCP rules.

    • Account Permissions:

      • Updated lists for GCP and Azure.

    • Template Scanner Improvements:

      • Added support for Terraform ELBv2 resources.

      • Fixed Lambda function VPC access check.

    • Other Updates:

      • Workload Security: Deep Security Agent version 20.0.1-7380 and later now supports most features for SUSE Linux Enterprise Server 12 SP5 (PowerPC little-endian), excluding Integrity Monitoring, Application Control, and Trend Vision One (XDR).

      • GCP Project API & Account Permissions: Added Apigee API and related permissions.

  • Microsoft Defender for Cloud, May 2024 updates offer:

    • Enhanced Cloud Security:

      • Improved IaC Scanning: Integrate Checkov for infrastructure as code (IaC) scanning within Defender for Cloud, boosting the quality and quantity of checks.

      • Permissions Management Now Generally Available (GA): Gain granular control and manage permissions more effectively within Defender for Cloud.

      • AI Multicloud Security Posture Management: Utilize AI for security posture management across both Azure and AWS environments.

      • Open-source Database Protection: A preview program is now open for Defender for open-source databases covering database instances hosted on AWS.

    • Streamlined Management:

      • Simplified Policy Management: An updated security policy management experience in Defender for Cloud provides consistent policy management across clouds through a unified interface, including regulatory compliance management.

    • Threat Protection Advancements:

      • Early Access for AI Workloads: Participate in the limited public preview of threat protection specifically designed for AI workloads in Azure. This provides contextual insights and integrates with Responsible AI and Microsoft Threat Intelligence.

Insights: From Our Integration Factory

We’ve been busy since the start of the year (is anyone ever honestly not busy?). Here are three of the integrations our team rolled out most recently:

  1. CAASM + Trend Micro Cloud One: Our CAASM connector for Trend Micro Cloud One improves an organization's cloud security posture through:

    • Unified Asset View: CAASM centralizes asset data from Trend Micro Cloud One, giving you a complete picture of your cloud environment.

    • Deeper Security Analysis: CAASM combines Trend Micro Cloud One data with its own asset management capabilities, enabling more comprehensive security analysis.

    • Improved Threat Detection: Consolidated data lets you identify potential threats across your cloud infrastructure more efficiently.

  2. Amazon GuardDuty + CNAPP: Integrating GuardDuty with a CNAPP provides broader cloud security coverage. GuardDuty's threat detection on account activity, network flow, and DNS logs complements the CNAPP's posture and workload focus, offering a unified view and richer threat context for better incident response.

  3. IBM QRadar + CSPM: Our team recently integrated the QRadar Suite with a Cloud Security Posture Management (CSPM) platform, consolidating tools and automating ingestion tasks. IBM encourages building all new integrations on the Universal Cloud REST API protocol, which lets end users configure data ingestion from REST APIs through a simple XML workflow file. The advantage of this approach is that the ingest code resides within QRadar and has been battle-tested, so an integration can focus on the API calls required to fetch events.
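To make the "simple XML workflow file" concrete, here is an added example of what a Universal Cloud REST API workflow for a CSPM findings feed looks like. It is not Metron's or IBM's code: the element names (Workflow, Parameters, Actions, CallEndpoint, PostEvents, Tests and so on) follow IBM's documented workflow language, but the CSPM API itself is hypothetical, so the host, the /api/v1/findings path, the since query parameter and the findings / next_since JSON fields are assumptions. The practitioner-relevant points are the ones the protocol makes easy to get right: the API key is a secret parameter, a non-200 response aborts the run before the bookmark moves, and the bookmark is only advanced after the events have been posted, so a transient API failure cannot silently skip findings.

```xml
<?xml version="1.0" encoding="UTF-8" ?>
<!--
  Added example, not Metron's or IBM's code: a minimal QRadar Universal Cloud
  REST API workflow that polls a CSPM findings endpoint. The CSPM side is
  hypothetical: the host, the /api/v1/findings path, the "since" query
  parameter and the "findings" / "next_since" JSON fields are assumptions.
-->
<Workflow name="CSPM Findings" version="1.0"
          xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V1">

    <!-- Filled in by the QRadar admin when the log source is created.
         secret="true" keeps the key out of the UI and of QRadar's own logs. -->
    <Parameters>
        <Parameter name="host"    label="CSPM API Host" required="true" />
        <Parameter name="api_key" label="CSPM API Key"  required="true" secret="true" />
    </Parameters>

    <Actions>
        <!-- The bookmark persists between polls. On the very first run it is
             initialised to one hour ago (epoch milliseconds) so nothing is missed. -->
        <Initialize path="/bookmark" value="${time() - 3600000}" />

        <!-- Fetch findings newer than the bookmark. QRadar performs the HTTPS
             call and stores status code, headers and parsed body under savePath. -->
        <CallEndpoint url="https://${/host}/api/v1/findings" method="GET" savePath="/get_findings">
            <RequestHeader name="Authorization" value="Bearer ${/api_key}" />
            <RequestHeader name="Accept"        value="application/json" />
            <QueryParameter name="since" value="${/bookmark}" />
        </CallEndpoint>

        <!-- Fail loudly on any non-200 response. Abort stops the run before the
             bookmark is advanced, so a transient API error cannot lose findings.
             Only the status code is echoed; the body may contain tenant data. -->
        <If condition="/get_findings/status_code != 200">
            <Abort reason="CSPM API returned HTTP ${/get_findings/status_code}" />
        </If>

        <!-- Each element of the findings array becomes one raw event on this
             log source; a DSM or custom log source extension still parses it. -->
        <PostEvents path="/get_findings/body/findings" source="${/host}" />
        <Log type="INFO" message="Posted CSPM findings newer than ${/bookmark}" />

        <!-- Advance the bookmark only after the events have been posted.
             next_since is the hypothetical API's high-water mark for this page. -->
        <Set path="/bookmark" value="${/get_findings/body/next_since}" />
    </Actions>

    <!-- Connectivity checks QRadar can run for the log source before it goes live. -->
    <Tests>
        <DNSResolutionTest host="${/host}" />
        <TCPConnectionTest host="${/host}" />
        <SSLHandshakeTest  host="${/host}" />
        <HTTPConnectionThroughProxyTest url="https://${/host}" />
    </Tests>
</Workflow>
```

Two caveats when adapting this to a real CSPM API: if the API pages its results, the CallEndpoint/PostEvents/Set sequence has to be wrapped in the workflow language's loop construct so that one poll drains every page, and the events PostEvents emits are raw JSON, so a matching DSM or custom log source extension is still needed before QRadar can normalize and correlate them.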

Before you go…

As we move into summer, the conference season keeps on going! One of the upcoming events on our calendar includes:

We’re always happy to spare a few minutes catching up or chatting about all things integration and automation. So don’t be shy - we’ll even buy you a coffee!

Also, Metron is hiring! If you are looking to advance your cybersecurity career in a developer-centric environment, don’t hesitate to apply.

If any of these caught your eye, don’t hesitate to reach out to us for more details at connect@metronlabs.com.