MI-One: Issue #4 Juno Edition

👋 Hello there.


June already? Where did the first half of the year go?


In any event, we’re back for another dive into all things security integration and automation in the latest edition of MI-One. (If you missed May's edition, you can still access it here.)


To begin, we’d like to highlight some big changes and recent shifts in the SIEM space. Notably, as the on-premises solutions are consolidating, native cloud SIEMs are on the rise.


Simply take a look at Microsoft’s Azure Sentinel, Crowdstrike’s Falcon Next-Gen SIEM, and perhaps more SIEM’ilar (sorry for the pun, couldn’t help it) offerings by the other usual suspects in the security space.


We’re integration and automation experts, and we’re not the only ones offering insights into where the space is headed. Allie Mellen and her team at Forrester have covered the topic in detail over at Forrester’s Blog.


With that in mind, in this edition, we’ll take a closer look at how SIEM consolidation may impact your integrations. We'll explore innovative cloud security options and exciting new connector possibilities, and even cover data parsing and storage methods.


Let’s begin!

Special Announcement

Big news from within Metron: we’re excited to announce the initial beta release of our Metron Integration Exchange is now available.


This platform acts as a one-stop solution for integrating your product or ecosystem with hundreds of third-party security applications, hosted on-prem or in the cloud, through a single API.


Sign up for a PoC to better manage your third-party integrations. If interested, please reach out to us at connect@metronlabs.com.

IBM and Palo Alto Networks Have Partnered Up

IBM and global cybersecurity leader Palo Alto Networks have announced a broad-reaching partnership to deliver AI-powered security outcomes for clients. As part of this expanded partnership, Palo Alto Networks has agreed to acquire IBM’s QRadar Software as a Service (SaaS) assets, including QRadar intellectual property rights, subject to customary closing conditions.


So, what does this mean, if you are an existing QRadar user? Here are a few meaningful updates for customers and partners:

  1. As an on-prem / software QRadar client — no change. QRadar on-prem will continue to receive IBM features, support, updates, and scalability improvements. Therefore, as long as you are running the latest app version (QRadar 7.5.0), third-party integration will not be impacted.

  2. If customers/partners are moving to the Cloud, IBM recommends Palo Alto Networks’ Cortex XSIAM as the next-gen platform. Your QRadar integrations will likely be addressed by the Palo Alto Networks XSIAM team; alternatively, reach out to us if you need a head start with XSIAM integration.

Under the Lens: Recent Developments in the Industry

  • While we’re looking into SIEMs, we wanted to include a few highlights from CardinalOps’s State of SIEM Detection Risk 2024, released last week, along with our take:

    • SIEMs are alive and kickin’ — According to Forrester Research, SIEMs continue to be the central “operating system of the Security Operations Center.” Even advanced XDR players are launching SIEMs — let’s not forget that CrowdStrike introduced their Next-Gen SIEM at RSAC 2024.

    • Multiple SIEM environments are on the rise — 43% of organizations are using 2 or more SIEMs in production. Therefore, it is critical to ensure that data mapping is accurate, that all dependent third-party apps are integrated, and that automated workflows are aligned across SIEMs to fill the gaps.

    • Well-defined integrations are critical: 18% of organizations’ SIEM rules will never trigger alerts due to issues like misconfigured data sources, missing fields, and parsing errors. Therefore, it is critical to ensure integrations are well-defined to serve the organization’s objectives.


  • The recent AWS re:Inforce conference highlighted advancements in Governance, Risk, and Compliance (GRC) for the cloud. A key takeaway focused on how organizations can extend their GRC capabilities by seamlessly integrating third-party applications and services with AWS to achieve a more comprehensive and unified approach to cloud security and compliance. Some of the highlights from this conference include:

    • Automating Risk Management: The conference highlighted how automation tools (such as AWS Systems Manager and AWS CloudFormation) can improve cloud security. These tools, leveraging techniques like infrastructure and policy as code alongside security automation, can continuously assess security risks, enforce security policies, and even respond to threats automatically.

    • Generative AI Compliance: The discussion also explored how cloud services can automate compliance audits for generative AI applications. This helps ensure the responsible use of AI and simplifies meeting regulatory requirements.

    • Centralized Logs with Granular Access: One of the sessions at the conference also discussed the integration of AWS CloudTrail Lake and AWS Lake Formation. This integration simplifies CloudTrail log analysis while prioritizing security through granular access control. Grant users access only to the logs relevant to their role, ensuring both data security and accessibility.

  • This year's Splunk .conf conference marked the convergence of Splunk with Cisco. Several initiatives and roadmaps were presented to integrate Splunk more closely with the broader Cisco ecosystem. One notable advancement is Splunk's development of Splunk Enterprise 8.0 and Federated Analytics, which performs data analysis directly at its storage source to improve threat detection and security operations across multiple data sources. For example, Amazon Security Lake centralizes security data from various AWS environments into a data lake for threat detection with Splunk.


    Splunk Enterprise 8.0 offers a unified work surface for security analysts and integrates automation with Splunk SOAR for faster alert triage and investigations.


    Additionally, Cisco Talos will be integrated with Splunk Security products to streamline threat detection and response processes. This integration with Cisco will allow security teams to improve workflows and threat detection capabilities, and to respond to incidents faster.

Applications and Version Updates

  • GA of Amazon GuardDuty Malware Protection for Amazon S3, released on 11th June 2024: Amazon GuardDuty Malware Protection for Amazon S3 is a new feature that helps you detect malicious files uploaded to your S3 buckets. It uses multiple scanning engines to scan files for malware without impacting the performance of S3.

    Features of GuardDuty Malware Protection for Amazon S3:

    • It can scan files up to 5 GB in size, including archive files.

    • It supports synchronous storage classes including S3 Standard, S3 Intelligent-Tiering, S3 Standard-IA, S3 One Zone-IA, and Amazon S3 Glacier Instant Retrieval.

    • You can configure GuardDuty to tag objects after they are scanned or send scan results to Amazon EventBridge to trigger further actions.

    • GuardDuty Malware Protection for Amazon S3 is available in all AWS Regions except China and GovCloud (US) Regions.

      For detailed information, visit the AWS blog.
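    The tag and EventBridge options above are what you would build fail-closed handling on. The following is an added example (not AWS code): it maps a scan-result event to an action, treating UNSUPPORTED / ACCESS_DENIED / FAILED as "not inspected" rather than clean, and builds a bucket-policy statement that denies reads unless the object carries the clean tag. The tag key, status values, event field names and the scanner role ARN are assumptions of this example, not values from the newsletter.

```python
# Tag key, status values and EventBridge field names GuardDuty is assumed to use
# (assumptions of this example; verify against the GuardDuty docs for your account).
SCAN_TAG_KEY = "GuardDutyMalwareScanStatus"
CLEAN, INFECTED = "NO_THREATS_FOUND", "THREATS_FOUND"


def decide(event: dict) -> dict:
    """Map one scan-result event to a downstream action, failing closed: only
    NO_THREATS_FOUND releases the object, THREATS_FOUND quarantines it, and
    UNSUPPORTED / ACCESS_DENIED / FAILED (object never inspected) hold it for review."""
    detail = event.get("detail", {})
    obj = detail.get("s3ObjectDetails", {})
    result = detail.get("scanResultDetails", {})
    status = result.get("scanResultStatus", "FAILED")  # missing status is a failure
    ref = f"s3://{obj.get('bucketName', '?')}/{obj.get('objectKey', '?')}"
    if status == CLEAN:
        return {"object": ref, "status": status, "action": "release", "threats": []}
    if status == INFECTED:
        names = sorted(t.get("name", "unknown") for t in result.get("threats", []))
        return {"object": ref, "status": status, "action": "quarantine", "threats": names}
    return {"object": ref, "status": status, "action": "hold_for_review", "threats": []}


def deny_unless_clean(bucket: str, scanner_role_arn: str) -> dict:
    """Bucket-policy statement denying reads of objects not tagged clean. A negated
    operator on a missing tag evaluates true, so untagged (not yet scanned) objects
    are denied too; the scanner role is exempted or it could never read the object."""
    return {
        "Sid": "DenyUnscannedOrInfectedReads",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {
            "StringNotEquals": {f"s3:ExistingObjectTag/{SCAN_TAG_KEY}": CLEAN},
            "ArnNotEqualsIfExists": {"aws:PrincipalArn": scanner_role_arn},
        },
    }


# Constructed sample event (envelope shape assumed, not a real capture).
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Malware Protection Object Scan Result",
    "detail": {
        "s3ObjectDetails": {"bucketName": "uploads-example", "objectKey": "inbox/report.zip"},
        "scanResultDetails": {"scanResultStatus": INFECTED, "threats": [{"name": "EICAR-Test-File"}]},
    },
}
```

Run `decide(SAMPLE_EVENT)` to see the quarantine decision; the policy statement goes into the bucket policy alongside whatever admin exemptions your account needs.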


  • Splunk Cloud version 9.2.2403: This update for the Splunk Cloud Platform includes new features, enhancements, and bug fixes. Here are the feature updates:

    • Data Management Experience: A new way to filter, mask, and route data using SPL2 pipelines.

    • Security Enhancements: Upgrade to Python 3.9 for improved security by default. Field filters can now target multiple indexes/hosts/sources for better data protection.

    • Federated Search Improvements: Improved performance and functionality for federated searches, including Amazon S3 and Splunk.

    • Home Page Personalization: Admins can share bookmarks with users, and users can manage their search history and view knowledge objects more easily.

    • Other Updates:

      • Upgrade Readiness App compatibility with Python 3.9.

      • Automated forwarder certificate rotation.

      • Deprecation of the spawn_process parameter in the REST API.

      • Improved email recipient validation for notifications.


  • Splunk Enterprise Security 7.3.2 was released on June 11, 2024. Here's a summary of the feature upgrades:

    • New Feature:

      • Compatibility with Python 3.9.0. Splunk Enterprise Security 7.3.2 and higher now support Python version 3.9.0.

    • Limitations:

      • Upgrading to this version might affect the visibility of contributing risk events for risk notables under certain conditions.

    • Deprecated Features:

      • Sending notable events from Splunk ES to Splunk UBA (use Splunk ES Notables data source or Splunk Direct instead).

      • Internet Explorer browser support.

      • Glass tables (use Dashboard Studio instead).

      • Option to search with Google.

    • End of support schedule:

      • Refer to Splunk Support Policy for your specific version.

    • Add-ons:

      • Several technology-specific add-ons are no longer included in the package but are still supported for download from Splunkbase. Some are deprecated and will reach the end of support soon. Common Information Model Add-on is updated to version 5.3.2.


  • Palo Alto's team-up with IBM QRadar was a major cybersecurity news story. Now that things have calmed down a bit, let's revisit the latest updates on QRadar! Although we've mentioned it in one of our previous editions, here are the latest feature updates of QRadar based on the latest package (version 7.5.0 Update Package 8 SFS):

    • Minimum Permitted App Base Image Stream: You can now disable older base image streams to improve security.

    • Read-only Configuration: The "Read-only Configuration" permission allows viewing user information without editing rights.

    • Enhanced SSH extraction: QRadar Network Insights offers improved extraction of data from SSH connections.

    • Tunneling enhancements: Upgraded support for GRE and ERSPAN network traffic and new common features for all tunneled traffic.

    • Leapp pretest for RHEL 8 migration: This pretest helps reduce the risk of failures during migration from Red Hat Enterprise Linux 7.9 to 8.8.

Insights: From Our Integration Factory

  • Amazon GuardDuty + CNAPP: This integration allows a CNAPP platform to leverage Amazon GuardDuty's threat detection capabilities. GuardDuty continuously monitors AWS accounts and workloads, delivering security findings for investigation and remediation. By integrating with CNAPP, these findings are collected and analyzed within the CNAPP platform, providing a centralized view of security posture across the cloud environment. This streamlined approach simplifies security management and strengthens the overall cloud security posture of the organization.


  • AWS ELB + CNAPP: Here's how AWS Elastic Load Balancing (ELB) works after integration with a Cloud-Native Application Protection Platform (CNAPP):

    • Deep Visibility with Configuration Change Tracking: ELB maintains a detailed inventory of your resources, capturing snapshots of configurations like instance types and security groups. This data can be ingested into a powerful investigative tool.

    • CNAPP Integration Potential: The CNAPP platform can leverage the configuration data from ELB to gain deeper insights into your infrastructure. This includes:

      • Application Load Balancer (ALB) and Network Load Balancer (NLB) Access Logs: These logs can provide valuable details about application traffic patterns and potential security anomalies. A CNAPP solution can analyze these logs for suspicious activity, aiding in threat detection and response.

      • Configuration Change Tracking: The CNAPP platform can analyze configuration changes captured by ELB. This allows you to:

        • Identify the timing of changes: Understand when configurations were modified.

        • Determine who made the changes: Track user activity to ensure authorized modifications.

        • Pinpoint Specific Modifications: Identify the exact changes made to configurations.

This combined approach empowers you to maintain a secure and compliant cloud environment.

  • SecureWorks Taegis XDR + BAS: Secureworks Taegis’ extended detection and response (XDR) platform offers seamless integration with a Breach and Attack Simulation (BAS) platform. This combination allows organizations to continuously assess their security posture by simulating real-world attacks.


    How it Works:

    The BAS platform simulates attacks, and Taegis responds accordingly:

    • Blocked Attacks: If Taegis successfully blocks the attack, security events are generated, along with alerts notifying security teams.

    • Missed Attacks: If the attack bypasses defenses, events are still generated, but alerts may not be triggered. This helps identify areas where security controls need improvement.


    Investigation Flexibility:

    Post-attack investigation can be tailored to organizational needs:

    • Manual Investigation: Security analysts can delve deeper into events for a comprehensive understanding.

    • Automated Investigation: For faster response, automated workflows can be configured to handle specific attack types.


    Benefits:

    • Proactive Security Posture: Regular BAS testing helps proactively identify and address vulnerabilities before a real attack occurs.

    • Enhanced Threat Detection: Simulations validate the effectiveness of existing security controls, pinpointing areas for improvement.

This integration strengthens SecureWorks' ability to provide a comprehensive security solution by adding a proactive approach to threat detection and prevention.


Before you go…

We'll be on the road once again in the coming months and would love to catch up if you're attending any! Here's a glimpse of our upcoming schedule:

  • Black Hat USA, Mandalay Bay Convention Center, Las Vegas, 3-8 August.

If any of these caught your eye, don’t hesitate to reach out to us for more details at connect@metronlabs.com.