MI-One Issue #6 - Augustus Edition

We bring you highlights from Black Hat USA, our latest observations in the industry, a couple of tool updates, and integration insights from our factory.

Hello there.

Here we are in August - typically a month filled with great weather and better vacations all across the Northern Hemisphere.

This month earns its name from Augustus, the first emperor of Rome, who was himself something of a great unifier and, might we even say, integrator of the many lands under his rule.

Let's hope our digital realms experience similar unity and protection. After all, in the world of cybersecurity, integration is key to a secure digital empire.

As we keep integrations on our minds, we also see that AI is rapidly becoming the go-to for cybersecurity platforms. From CrowdStrike's Charlotte AI to SentinelOne’s Purple AI, organizations are leveraging AI to detect threats, automate responses, and predict attacks. In other words, it's potentially a new era of digital defense.

For this month’s edition, we bring you highlights from Black Hat USA, our latest observations in the industry, a couple of tool updates, and integration insights from our factory.

Let’s begin!

(and P.S. in case you missed our July edition, you can find the full text here.)

Collaboration over Competition

Before we dive deeper into this month’s details, we wanted to emphasize that while technical integrations are crucial, standing together during challenging times is equally vital.

Nikesh Arora, CEO of Palo Alto Networks, conveyed this sentiment to George Kurtz, CEO of CrowdStrike, highlighting that even amidst fierce competition, it's essential to unite against common threats.

As the recent CrowdStrike outage demonstrated, a crisis can hit even the most widely used tools and platforms. However, at the end of the day, we’re all on the same side, fighting against cyber threats. Banding together in times of crisis makes us all stronger.

Highlights from Black Hat USA

Black Hat USA 2024 recently concluded, showcasing the latest cybersecurity innovations. A central theme this year was addressing emerging threats like AI-driven attacks and data breaches. We spoke to several vendors, ranging from high growth startups to leading security platforms and most of them stated that Integrations are a key gap in many security programs and vendor solutions.

Fortunately, several leading cybersecurity vendors have unveiled new tools and capabilities. Two things we observed were — 1) a focus on introducing or acquiring new cloud offerings; and 2) platform companies bundling products to provide flavors of managed solutions.

Some of the highlights include:
- Fortinet: Fortinet acquired Next DLP, a SASE and data loss prevention offering within the Fortinet Security Fabric. As a Fortinet technology partner, Metron is excited to see how this will unfold and enhance your existing Fortinet integration.
- SentinelOne: Introduced Singularity MDR, a comprehensive, tailored detection and response platform. It combines SentinelOne’s XDR, third-party integrations through Singularity Data Lake, and WatchTower threat hunting offering and DFIR services.
- Check Point: Launched Harmony DLP to protect sensitive data on endpoints and enhanced its Infinity ThreatCloud AI system to combat emerging threats. Additionally, it unveiled tools for detecting and assessing GenAI usage within organizations.
- Tenable: Announced Vulnerability Intelligence and Exposure Response to prioritize and respond to critical vulnerabilities effectively.
- Orca Security: Expanded Cloud Detection and Response capabilities with a focus on user experience and cloud-agnostic classification.
Gartner's 2024 Security Operations Hype Cycle suggests that the hype and popularity around SOAR has cooled down, predicting it will become obsolete before maturity. This was much talked about during Black Hat and we wanted to cover it from an integration standpoint. Gartner highlights several critical limitations of SOAR in the report. The ones that we can connect to are: 1) High ongoing maintenance and support costs, requiring analysts with advanced coding skills; and 2) integration and interoperability challenges with third-party tools and custom connectors.

Having integrated with both legacy SOARs as well as newer “Hyper Automation” tools, we've observed that the latter offers greater ease of use and more streamlined approaches while creating automation workflows. Developing integrations for these newer tools is also simpler—often requiring just basic curl commands instead of extensive coding. However, these tools still struggle with connecting to and creating custom workflows for on-premises systems, which are still widely used by customers.

We’re also noticing that leading platforms are beginning to integrate SOAR capabilities natively as a feature into their SIEM or XDR platform. Regardless of the label, security orchestration and automation remain critical, and these newer tools are likely to offer more user-friendly workflow creation and easier maintenance.

While a lot of newer platforms offer an easier and more intuitive way to perform orchestration, they would still be a SOAR platform at heart. That is, they still offer multiple modular commands that perform a single action, but can easily be stitched together to form complex playbooks.

Under the Lens: Recent Developments in the Industry

CrowdStrike was in conversation to acquire Action1, a cloud-based patch management and vulnerability remediation company. Action1, however, announced today that they have chosen to decline the offer. This decision comes amidst recent challenges faced by CrowdStrike, including a software update error that caused a global Windows outage in late July.
Google recently (June 8, 2024) launched the Coalition for Secure AI (CoSAI) to establish a unified defense strategy for the industry. Founding members include Amazon, Cisco, Chainguard, IBM, Intel, Microsoft, NVIDIA, OpenAI, and Wiz. Secure AI Framework (SAIF), a conceptual framework that leverages Google’s infrastructure security design.

Coalition’s work on standardized frameworks and methodologies may lead to advancements in the development of automation tools to perform security testing and risk assessment. Though the effort is commendable, only time and results will reveal its true effectiveness.
Following up on our previous newsletter, we wanted to provide an update on the retirement of Office 365 connectors within Microsoft Teams. As a reminder, Microsoft is phasing out connectors in favor of Power Automate workflows for integrating information from various services into Teams channels.
- Existing connectors will continue to function until December 2025. However, to ensure uninterrupted service after December 31, 2024, connector owners need to update the URL by which the connector posts information.
- Teams are encouraged to begin migrating their existing connectors to Power Automate workflows by October 1st, 2024, giving ample time to the users to learn the new tool and rebuild integrations if necessary.
Another important announcement made by Microsoft on 12th August, 2024, includes a significant change in Microsoft Defender for Cloud. Namely, the Log Analytics agent, a crucial component for data collection, is being phased out. To ensure uninterrupted security coverage, Microsoft is introducing alternative methods like Defender for Endpoint integration and agentless machine scanning.

This transition focuses on enhancing security capabilities and simplifying management. To migrate, security agents can refer to the official Microsoft documentation.
Elastic has significantly accelerated SIEM implementation with the introduction of Automatic Import. Elastic claims to have over 400+ prebuilt data integrations, a substantial number indeed. Elastic also seems to be going head to head with Splunk and launched their “Express Migration program” at Black Hat USA. We are yet to learn about the Express part ourselves, but we’ll keep everyone posted as we learn more.

Applications and Version Updates

The Open Cybersecurity Schema Framework (OCSF) offers enhanced capabilities for standardized security data management. Recent version updates [v1.3.0], released on 1st August 2024, include the following enhancements:
- OCSF now encompasses a wider range of security events, including detailed remediation activities, software inventory, and specific system activities like Windows services.
- The framework provides deeper insights through the introduction of OSINT data, MITRE ATT&CK mappings, and expanded object definitions.
- OCSF empowers analysts with advanced query capabilities, including OSINT-focused profiles and refined search functionalities.
- The schema has been refined to accommodate a broader spectrum of security data, including data classification, authentication factors, and network-centric details.
- OCSF lays the groundwork for sophisticated analytics by offering structures for vulnerability, compliance, and detection findings.
The new capabilities of OCSF v1.3.0 offer potential for automation and integration. Organizations can leverage the framework to standardize data formats and streamline data ingestion. SIEM, SOAR, TIP, and other cybersecurity platforms can benefit from OCSF by improving correlation, detection, and response capabilities. Additionally, the framework can be used as a foundation for custom security integrations and our team at Metron can help you with the same.
Tenable Core has released several new features in Q2 2024. Some of those include:
- Enhanced OT Security: Increased /tmp space for OT security instances and improved network interface stability.
- Improved User Experience: Remote hosts added in the web UI are now persistent.
- Expanded Compatibility: The ability to install Tenable Core OL8 on existing EL7 virtual machines, providing flexibility for system reuse.
- Note: These updates are available through the offline ISO image.
Elasticsearch 8.15 recently brought in several improvements and new features. Here's a quick rundown of some key updates:
- Storage Efficiency:
  - ZStandard Compression: Stored fields are now compressed using ZStandard, leading to an estimated 10% reduction in storage space compared to previous methods.
- Resilience and Management:
  - Stricter Snapshot Handling: Multi-repository snapshot requests now handle failures more gracefully, ensuring consistency across repositories.
  - Log Index Mode (Tech Preview): This new mode optimizes storage for log data by enabling synthetic source, index sorting, and space-efficient compression.
- Search Enhancements:
  - New Dense Vector Quantization (int4): This option provides an 8x size reduction for dense vectors with a slight trade-off in accuracy.
  - General Availability of Query Rules: Define custom scoring and filtering logic with these now-GA query rules.
  - Bit Vector Support: Utilize bit vectors for efficient storage and retrieval of specific data patterns.
  - Improved ISO-8601 Parsing: A new custom parser offers faster and more accurate handling of ISO-8601 formatted dates.
- Other Improvements:
  - Generally Available Redact Processor: Obscure sensitive data within documents using Grok patterns.
  - Synthetic Source Enhancements: Expanded field type support and compatibility with additional parameters.
  - Index Sorting with Nested Fields: Sort indexes containing nested objects based on top-level fields.
  - Upgrade to Lucene 9.11: Elasticsearch leverages the latest Lucene version, offering memory management improvements and faster search functionalities.

Insights: From Our Integration Factory

Amazon DynamoDB + CAASM: The integration between Amazon DynamoDB and a CAASM platform offers organizations enhanced visibility and security through:
- Comprehensive Asset Discovery: Automatically discover and inventory DynamoDB tables, attributes, and access controls, providing a unified view of DynamoDB resources within the environment.
- Risk Assessment: Identify potential vulnerabilities and misconfigurations in DynamoDB tables, enabling proactive risk mitigation.
- Compliance Enforcement: Track DynamoDB data usage and access patterns to ensure adherence to industry regulations.
- Incident Response Optimization: Leverage detailed DynamoDB information to accelerate incident investigations and remediation.
- Cost Optimization Insights: Analyze DynamoDB usage patterns to identify potential cost-saving opportunities.
Hunters SIEM Replacement (SOC Platform) + BAS: Hunters empowers SOC Analysts to efficiently detect, investigate, and respond to threats across their entire attack surface. By integrating with a BAS platform, Hunters provides real-time data to enhance simulation accuracy. This collaboration leverages Hunters' advanced threat detection capabilities and the proactive breach simulation platform of BAS, strengthening overall security posture and risk mitigation.
SonarQube + CAASM: SonarQube and CAASM integration provides a comprehensive view of code quality and security risks within your asset management ecosystem. By combining SonarQube's code analysis capabilities with the CAASM platform’s asset visualization and risk assessment features, security teams gain a centralized platform to identify, prioritize, and remediate vulnerabilities. This integration empowers you to make data-driven decisions and streamline your security operations, ultimately enhancing overall system resilience.
Trend Micro Apex One + XDR: Integrating an XDR with Trend Micro Apex One aims to enhance threat detection and response capabilities by centralizing endpoint security management within the XDR platform. This integration allows seamless control of Trend Micro agents and comprehensive analysis of endpoint activity through Trend Micro logs.