MI-One Issue #5 - Julius Edition

Alexander Nachaj -

Hello there.


In our May edition, we observed a few activities in the Cloud Security space. Here we are in July - an interesting month, let me assure you. This summer, not only is the temperature rising, but the heat is also intensifying in the Cloud Security space — there's loads of CNAPP-ing snapping happening.


As we see more platformization and consolidation in the cloud security space, in our MI-One’s Issue #5, we'll offer our insights on how you can navigate and ensure that your third-party integration doesn't impact your end customers. We'll provide further insights into what we're seeing.


In case you missed June’s edition, you can find the full text here.


For this month’s edition, we bring you news from across the industry, with an emphasis on surface and endpoint security management - particularly where CAASM platforms and XDR approaches are concerned, including a big announcement from Microsoft.


Let’s begin!

Under the Lens: Recent Developments in the Industry

  • Cloud Security has been one of the dominant forces driving this year’s security space, starting with SentinelOne’s expansion of its Cloud Security capabilities through the acquisition of PingSafe in January, followed by Wiz acquiring Gem Security and CrowdStrike acquiring Flow Security in March, and Tenable acquiring Eureka and Fortinet acquiring CNAPP Lacework In June. To top it off, in July, there was an announcement that Wiz could be acquired by Alphabet (Google) - even if it remains unconfirmed. We also covered Orca and Aqua’s partnership in our April edition.


    So, what does all this mean for your integrations? Well, there’s one point of caution. In our experience, cloud-to-cloud integrations can be easily disrupted if you are using any custom APIs that might not be supported by the new product roadmap. Similarly, if you are using a custom middleware for your on-prem app e.g. forwarder. As such, big changes like cloud adoption typically take time to reflect down to the user level. Nevertheless, we recommend you perform a quick hygiene check to determine if your natively built integration is actively used by customers.

    Here’s a quick checklist:

    • Authentication: Confirm proper authentication (e.g., OAuth, SSO) and user permissions.

    • Compatibility: Verify version compatibility and required updates.

    • API Accessibility: Test API endpoints, keys, and tokens.

    • Data Synchronization: Ensure correct and timely data flow.

    • Performance: Measure API response times and monitor for bottlenecks

  • Hunters Adoption of OCSF: The Open Cybersecurity Schema Framework (OCSF) is continually gaining traction, and Hunters is also joining the burgeoning ecosystem. Their recent announcement for full OCSF adoption with OCSF-native search capability validates their dedication to fostering a more collaborative and efficient security landscape. You can hear more about it from Yuval Itzchakov, CTO at Hunters here. Furthermore, the OCSF-native search functionality empowers analysts to query across different platforms through a single interface. We agree — unlocking data interoperability among security applications makes SOC analysts' lives—and everyone else's—easier!

  • ServiceNow continues to be one of the most popular platforms for integrations. Here’s a tip from our ServiceNow experts: To ensure that your ServiceNow Service Graph Connector is compatible with the most recent version (Washington) and the upcoming version (Xanadu) of ServiceNow, you will now need to leverage the Common Connection Framework.

    • Prerequisites:

      • Install Integration Commons version 2.9 or greater.

      • Set up an app dependency to CCF v2.9 or greater (refer to community article for instructions).

    • Reasons to Leverage CCF:

      • Standardized method for testing and debugging connections.

      • Consolidated view of all properties, data sources, and scheduled imports.

    • CCF adoption is mandatory for the upcoming Xanadu release (Q3 2024).

    • Updating your SGC app involves migrating connection information and logic to leverage CCF.

  • CrowdStrike and Hewlett Packard Enterprise (HPE) announced that they have joined forces to bolster security for artificial intelligence (AI) advancements, especially large language models (LLMs). This collaboration integrates CrowdStrike's Falcon platform with HPE's GreenLake cloud services and OpsRamp AIOps, offering a streamlined process for securing AI initiatives.

    • The partnership aims to identify and address security vulnerabilities in AI pipelines, ensuring the integrity of AI solutions.

    • It extends to securing AI workloads and LLMs, leveraging HPE and NVIDIA's joint AI solutions.

    This partnership empowers organizations to confidently adopt AI across various environments, accelerating secure AI adoption.

  • A recent decision by Microsoft has caused quite a stir among various users: the company announced its decision to retire Office 365 connectors within Teams, which have been used to deliver updates directly from various services into channels.

    • Impact of Microsoft Dropping Office 365 Connectors:

      • Lack of familiarity: Users accustomed to the straightforward Office 365 connector interface will need to adapt to a new system.

      • Loss of workflow continuity: During migration, there could be a period where users miss critical updates due to the switch.

      • Time commitment for migration: Teams will need to migrate existing connectors to Power Automate workflows by October 1st, 2024. This requires learning a new tool and potentially rebuilding integrations, adding to their workload.

    • Limitations of Power Automate:

      • The 3-month migration window could be unrealistic for many users.

      • While Microsoft promotes Power Automate as a more secure and scalable solution, it currently has limitations compared to the retired Office 365 connectors including:

        • Limited group chat selection: Power Automate can only access the 50 most recent group chats, making it difficult to target specific groups, especially for larger organizations.

        • Restricted @mention functionality: Power Automate's @mention feature only works for users, not channels or teams. This can limit communication workflows.

        • Private channel incompatibility: Sending messages to private channels is not supported by Power Automate workflows currently.

Applications and Version Updates

  • Microsoft Defender XDR's recent version updates include multiple advances:

    • Incidents and Alerts Queues:

      • Customize columns in the Incidents and Alerts queues in Microsoft Defender’s portal.

      • Critical assets have become a part of the tags in the queues. Whenever a critical asset is involved in an incident or alert, its tag is displayed in the queues.

      • Incidents are arranged as per the latest updates made to them.

    • Multitenant Management Enhancements:

      • Content Distribution: Manage security policies (detection rules) efficiently across multiple tenants.

      • Alert Filtering by Subscription ID: Simplify investigation by filtering Defender for Cloud alerts based on subscription IDs.

    • General Availability (GA):

      • Endpoint Security Policies: Create and manage endpoint security policies for your tenants' devices within XDR.

      • Alert Tuning with Severity and Title: Reduce alert fatigue by creating rules to hide or resolve alerts based on severity and title automatically.

    • Microsoft 365 Defender Integration:

      • Unified Preview Settings: Manage all Microsoft 365 Defender preview features from a single location.

      • SOC Optimizations: Integrate XDR with Microsoft Sentinel for streamlined security operations workflows.

    • Advanced Hunting Improvements:

      • Search Across XDR and Sentinel: Search for incidents, alerts, and data across both XDR and Sentinel from the XDR search bar.

      • Cloud Audit Events: Investigate cloud activity through advanced hunting of Microsoft Defender for Cloud audit events.

      • Custom Detections with Sentinel Data: Create custom detections leveraging data from both XDR and Sentinel.

      • Advanced Hunting Query API: Query Sentinel data using the advanced hunting query API for extended data retention.

    • To read in detail about these recent feature enhancements, be sure to peruse the official Microsoft Defender XDR documentation.

  • The latest upgrades and feature enhancements of Cisco Firepower Threat Defense (FTD) version 7.4.x are out and looking as follows:

    • Management Center Features:

      • Reintroduced Features: Several features and bug fixes from previous even-numbered releases (7.0.x, 7.2.x) are available again, including access control performance improvements and reduced high availability failovers.

      • New Management Center Appliances: Cisco introduced new Management Center models (1700, 2700, 4700) supporting up to 300 devices and Management Center Virtual for Microsoft Hyper-V (up to 25 devices).

      • Platform Support: This release reintroduces support for threat defense on all device platforms supported in Version 7.3 and adds the Firepower 1010E (last supported in 7.2).

    • General Features:

      • Snort 3: Snort 3 is now the default inspection engine, offering improved detection and performance.

      • Multi-Instance Mode for Secure Firewall 3100: You can now deploy the Secure Firewall 3100 as multiple independent container instances on a single chassis.

    • Other Features:

      • Upgraded web analytics provider.

      • Management of DHCP relay trusted interfaces from the web interface.

      • Improved health monitoring for disk space usage, NTP sync issues, and memory usage.

      • New upgrade wizard for the management center.

      • Target failover for clustered threat defense virtual devices for AWS.

      • Zero trust access enhancements: source NAT for applications, diagnostics tool, and telemetry data collection.

      • CIP detection and safety detection.

      • Captive portal support for multiple Active Directory realms.

      • Chassis-level health alerts for Firepower 4100/9300.

      • Automatic generation of configuration change reports after management center upgrade.

      • Ability to erase hard drives on a hardware management center.

    • Deprecated Features:

      • Frequent drain of events health alerts (replaced by improved Disk Usage monitoring).

      • VPN Tunnel Status health module (use VPN dashboards instead).

      • Merging downloadable ACL with Cisco attribute-value pair ACL for RADIUS identity sources using FlexConfig (now supported in the web interface).

    • Note:

      • Upgrading to 7.4.0 is only supported on Secure Firewall Management Center and Secure Firewall 4200. Support for all other devices resumes in Version 7.4.1.

      • Upgrading may require configuration changes or impact system behavior.

Insights: From Our Integration Factory

  • Kubernetes + CAASM: Here's what this integration offers:

    • Effortless Security: CAASM automates security tasks within Kubernetes, freeing you to focus on core functionalities.

    • Proactive Protection: Continuous monitoring identifies vulnerabilities, misconfigurations, and suspicious activity, allowing you to address threats before they become breaches.

    • Streamlined Workflows: Security policies are automatically enforced throughout the Kubernetes lifecycle, simplifying security management.


  • Okta Workforce Identity + CAASM: The integration between Okta Workforce Identity and a CAASM platform offers organizations an enhanced security posture through:

    • Streamlined User Provisioning: Automate user provisioning across all your cloud applications, ensuring consistent access controls managed by Okta. This eliminates the risk of having a user account that exists in Okta without a corresponding account in the connected cloud application (managed by the CAASM platform) and simplifies access governance within the CAASM platform.

    • Centralized Identity Management: Okta acts as a central repository that holds the definitive and most up-to-date information about user identities. This includes details like usernames, passwords (securely hashed), group memberships, access privileges, and any other relevant user attributes. The CAASM platform leverages this to enforce consistent access policies and security measures for all users.

    • Adaptive Multi-Factor Authentication (MFA): Okta's MFA capabilities can be extended to the CAASM platform, adding an extra layer of security for accessing critical cloud resources.

  • Microsoft Defender XDR + XSOAR + IoT: In this integration, the data is fetched from MS Defender while the XSOAR platform maps the data based on the requirements of the IoT platform. This integration offers several advantages for improved device context and risk management:

    • Enhanced Device Attributes: Fills in missing or inaccurate details like OS, version, MAC/IP, and hostname within IoT Security, leading to more complete device profiles.

    • Improved Risk Identification: Leverages risk information from Microsoft endpoints within Defender XDR for a comprehensive risk assessment. This allows for better prioritization of security threats.

  • Microsoft Entra ID + XSOAR + IoT: Entra ID (formerly Azure AD) plays a vital role in managing IT infrastructure, including user access and device authentication. However, bridging the gap between Entra ID and IoT security devices requires an integration platform. This is where XSOAR comes in.

    The XSOAR platform acts as the bridge between Entra ID and the IoT platform. It facilitates the seamless flow of device data from Entra ID to the IoT devices. This data, including user identities and device details, can be used to:

    • Enhance security policies: XSOAR can leverage Entra ID data to create more granular security policies specifically for IoT devices.

    • Implement granular access controls: By understanding user and device identities, XSOAR can enforce strict access controls for IoT devices, ensuring only authorized users can interact with them.

Before you go…

We'll be on the road once again in the coming months and would love to catch up if you're attending any!

We will be at Black Hat USA, from 3—8 August at Mandalay Bay Convention Center, Las Vegas. Let’s meet up, email us at connect@metronlabs.com.

If you’re not attending Black Hat, we hope to catch up on one of our road trips:

  • Fal.Con, Las Vegas, 16-19 September

  • Recorded Future PREDICT2024, Washington DC, 8-9 October

  • OneCon, Las Vegas, 15-17 October

  • AWS re:Invent, Las Vegas, 2-6 December


We’re also wishing all our valued newsletter readers in the ecosystem a delightful and productive summer! Whether you're enhancing your skills at industry conferences, collaborating on new projects, or taking a well-deserved break, summer can be many things to many people.


However, one old adage does bind us together:


Why do programmers prefer dark mode? Because light attracts bugs!


Okay, but in all seriousness, enjoy the sunny days ahead with bug-free integrations!

If any of these caught your eye, don’t hesitate to reach out to us for more details at connect@metronlabs.com.