MI-One Issue #8 - Oktober Edition

In this newsletter, we are talking about our partnership with Google SecOps, key takeaways from Fal.Con 2024, industry insights, and recent application and version updates.


Hello there,


Here we are in the first full month of Fall. If you’re in the Northern Hemisphere, there’s a good chance you’ll get to experience the Autumn leaves turning gold and even the Orionid meteor showers filling up the night sky later this month.


Nature isn’t the only eventful thing taking place this month; it’s the Halloween season too. So we’re in the most frightening time of the year, and as you all know, there’s a frightening side to the digital world too. If you had your doubts, the recently revealed XZ Utils compromise in the Linux ecosystem might have tipped you off!


Fortunately, October is also National Cybersecurity Awareness Month. While it’s primarily a US-based initiative aimed at promoting cybersecurity awareness and best practices, we think it’s something people everywhere can get behind.

Announcements

  • Metron Partners with Google to support Google SecOps Certified Integrations and Automation: In this partnership, we will support integration development with Google’s SIEM product and also support automation services for its SOAR platform. To read more on the Google SecOps platform, you can check out their official documentation.

  • Recent Coverage: We were recently featured on HPE's podcast, where the discussion provided deep insights into architecting scalable integrations, deployment, and driving automation in the cybersecurity space. It covers our development philosophy, the company’s mission, and our technical approach to supporting the customer and partner ecosystem.

Harness the power of Google SecOps and streamline your integrations with cutting-edge automation. If you're interested in building similar integrations, feel free to reach out to us at connect@metronlabs.com!

Palo Alto Completes its Acquisition of IBM QRadar SaaS


Following up on a topic we discussed in a previous newsletter, Palo Alto Networks has completed its acquisition of IBM's QRadar Software as a Service (SaaS) assets. This move should strengthen Palo Alto Networks' cybersecurity offerings by integrating QRadar's capabilities with their Cortex XSIAM platform powered by Precision AI.


What it means for QRadar customers:

  • Simplified Security Operations: The combined platform integrates SIEM, SOAR, ASM, and XDR functionalities, streamlining threat detection and response processes.

  • Enhanced Threat Prevention: Real-time analytics and AI-powered automation improve threat accuracy and reduce manual workloads for security teams.

  • Continued Support: IBM will continue to support existing QRadar on-premises customers and even implement Cortex XSIAM for their internal security operations.


QRadar SaaS customers should be able to benefit from a seamless transition to Cortex XSIAM through the free migration services offered by IBM Consulting.

For QRadar integrations, our team at Metron will both develop new ones and migrate existing QRadar integrations from QRadar SaaS to their on-prem instances. We may also end up developing integrations for Cortex XSIAM if they choose to do so rather than migrating over to the existing PAN XSIAM platform. In any event, the PANW team will provide support for the QRadar SaaS to XSIAM migration.

Highlights from Fal.Con 2024


We were fortunate to attend this year’s Fal.Con in Las Vegas back in September. Below are some of the top announcements from this yearly conference:

  • CrowdStrike unveiled Falcon Identity Protection at Fal.Con 2024. Some of the key highlights of this platform include:

    • Unified Identity Security Solution: Falcon Identity Protection helps address identity security challenges by offering comprehensive protection for endpoints, applications, and data.

    • Enhanced Entra ID Protection: New capabilities that should provide real-time threat prevention, dynamic access decisions, and hybrid risk-based conditional access for Microsoft Entra ID.

    • Falcon Privileged Access: Just-in-time access for privileged administrator roles will likely help reduce the attack surface and enhance overall security.

    • Leverages Falcon Platform: The solution will utilize and integrate with the existing Falcon platform.


    For existing Entra ID users, this platform offers:

    • Real-time Protection: Falcon Identity Protection should sit in line with Entra ID authentication flows, providing more-or-less immediate protection against identity-based attacks.

    • Advanced Threat Detection: Leveraging user behavior analytics and risk-based access decisions, Falcon Identity Protection can likely detect and prevent sophisticated attacks that may evade traditional security measures.


  • CrowdStrike announced significant advancements in Falcon Cloud Security at Fal.Con 2024. These innovations appear to be aimed at uplifting their cloud security offering by providing a more unified security posture management (USPM) solution across cloud infrastructure, applications, data, and AI.


    Key highlights:

    • Unified Security Posture Management: Falcon Cloud Security now integrates data security posture management (DSPM), application security posture management (ASPM), and AI security posture management (AI-SPM) to deliver more comprehensive protection across all layers of the cloud environment.

    • Enhanced Visibility and Control: Real-time asset inventory, asset history, and direct cloud log access can provide security teams with a deeper understanding and control over their cloud infrastructure.

    • Smarter Threat Detection and Response: Attack path analysis and improved threat-hunting capabilities come with this addition, along with streamlined detection and response processes. This should enable teams to more rapidly identify and neutralize threats.

    • AI-Driven Protection: Falcon Cloud Security is moving further into AI adoption as it now leverages AI to protect AI models and detect potential threats in real time. It’s aimed to better ensure the security and compliance of AI systems.


  • CrowdStrike is strategically expanding its reach within the cybersecurity landscape by forming partnerships with a diverse array of platforms. From identity and access management (IAM) solutions like 1Password to network detection and response (NDR) platforms like ExtraHop, and additional platforms such as Zscaler, Nagomi, Plurilock, and Obsidian, CrowdStrike is demonstrating its commitment to providing a comprehensive security solution.


    CrowdStrike's partnerships seem aimed at creating synergistic ecosystems where different security technologies work in harmony, enhancing overall protection. Moreover, CrowdStrike's involvement in initiatives such as the Cybersecurity Startup Accelerator program highlights its ongoing drive towards innovation that we’ve been witnessing lately.


    By integrating with various platforms, CrowdStrike is providing a more unified and streamlined security posture. This can lead to reduced playbook complexity, improved visibility, and enhanced protection against emerging threats.


    The success of these integrations will hinge on their ability to deliver value to customers, address emerging threats effectively, and maintain compatibility with future security technologies.

Under the Lens: Recent Developments in the Industry

  • Apple's release of macOS 15 (Sequoia) in September introduced a significant compatibility issue with several cybersecurity products. Tools from vendors like CrowdStrike and Microsoft were adversely affected, rendering them inoperable or significantly hindered. This issue was attributed to a bug within the macOS 15 framework, causing disruptions in network functionality and interfering with the seamless integration of third-party security solutions.


    Recognizing the critical nature of this problem, Apple swiftly responded with the release of macOS 15.0.1. This update specifically addressed the compatibility issues by resolving the underlying bug, restoring the functionality of the affected cybersecurity tools.


    Beyond the compatibility fix, macOS 15.0.1 also addressed other network-related concerns, giving users a more stable and reliable network experience and allowing those who had been impacted to continue using their preferred cybersecurity tools without hindrance.


  • In 2024, third-party integrations in OT security focus on several key areas, including Zero Trust Architecture to safeguard both IT and OT systems, cloud-native security tools for remote monitoring, and API security to protect communication between legacy OT protocols and modern platforms. By focusing on these key areas, you can enhance your IT-OT integration capabilities and strengthen your security posture.

    AI-driven threat detection is being increasingly integrated to detect anomalies in OT environments, while supply chain risk management tools monitor third-party vendor risks. Additionally, XDR platforms are being adapted to unify IT and OT security layers for enhanced threat correlation and response.


    While the integration of these two domains offers numerous benefits, such as improved efficiency, enhanced security, data-driven decision-making, and a centralized view, it also presents significant challenges.


    One of the primary hurdles in IT-OT integration is the inherent differences between the two systems. IT systems are typically designed for data processing, analysis, and communication, often operating in a controlled environment, while OT systems are optimized for real-time control and automation of physical processes, requiring immediate response times and robustness to harsh conditions.


    Another challenge arises from the diverse protocols and data formats used by IT and OT systems. This can hinder communication and data exchange, leading to potential errors.

    To overcome these challenges, you can:

    • Establish a unified security framework: A comprehensive security strategy that addresses the unique vulnerabilities of both IT and OT systems is crucial.

    • Invest in advanced technologies: Technologies like the Industrial Internet of Things (IIoT) and edge computing can facilitate seamless data exchange and real-time analytics.

    • Prioritize data quality and standardization: Ensuring data consistency and accuracy is crucial for meaningful analysis and decision-making. Implementing data governance practices and standardizing data formats can help achieve these goals.


    If this is of interest to you, Metron's expertise in developing integrations with various IT Ops platforms, such as Jira, ServiceNow, Splunk OT, Tanium - Threat Response, and others, can help you achieve these goals.

    Example of IT Ops + OT integrations by Metron: ServiceNow CMDB + IoT platforms.


  • Cloudflare One's acquisition of Kivera is a great move to extend its SASE portfolio adding capabilities for preventative security controls. Here's a breakdown:

    • Enhanced Cloud Security: Cloudflare One will integrate Kivera's technology, offering proactive controls to prevent misconfigurations and human errors in cloud deployments. This can potentially reduce security risks and data breaches. For example, a hospital using multiple cloud platforms to store patient data could accidentally leave a database publicly accessible; Kivera's integration with Cloudflare One would detect and prevent this, protecting sensitive patient information.

    • Simplified Security Management: Cloudflare aims for a unified platform with Kivera, simplifying security management across various cloud providers. This aims to save time and resources. For example, a bank using multiple cloud providers for different services might struggle to manage security policies across each platform; Cloudflare One with Kivera could provide a centralized dashboard to oversee security configurations.


      We would like to give a special shout-out to Neil, Vernon, Joe, and the Kivera team. 🎉


  • Palo Alto Networks has also been on a similar path as CrowdStrike when it comes to enhancing its security offerings as of late. The company’s partnerships and integrations with industry-leading companies like Veeam, Red Canary, Team Cymru Scout, Cognizant, and now Deloitte, are all clearly aimed at providing comprehensive and effective security solutions.

    These collaborations offer several advantages for users of the Palo Alto Networks platform. First, they provide access to a wider range of security tools and technologies, enabling organizations to better protect their networks and data. Second, they streamline security operations by integrating various security functions into a cohesive platform. And lastly, they enhance threat detection and response capabilities, allowing organizations to identify and mitigate threats more quickly and effectively.


    These partnerships are driving the adoption of PANW Cortex XSIAM and XSOAR platforms by partners like Cognizant and Veeam. This suggests that PAN is actively expanding its market reach and customer base with these platforms. While the integration process may not differ much, this highlights the growing significance of XSIAM and XSOAR solutions and their potential to increase market share.

    Metron has expertise in SOAR platforms and we have built and delivered integrations for multiple customers. For example: Analyst1 + BAS, IBM SOAR + TIP, and Palo Alto Networks - Cortex XSOAR + IoT.

Application and Version Updates

  • The latest version of Google SecOps was released on October 6, 2024, and the update included:

    • Enhanced search functionality: The SOAR search page now supports the "Equals" condition for more precise results.


    Some of the earlier updates are as follows:

    • September 30, 2024:

      • Case report improvement: The case report now includes all information written on the case wall.

      • Case merging: Cases can now be merged even if the requester and assignee are different.

    • September 16, 2024:

      • Updated supported default parsers: Google SecOps has expanded its list of supported default parsers for various products and log types.

    • Other recent updates:

      • Direct ingestion: Customers can now directly ingest Google Cloud data without using a one-time access code.

      • Playbook creation: Gemini now supports creating new playbooks using prompts.

      • Gemini for investigation assistance: Enhanced capabilities for Gemini include search, search summaries, rule generation, security questions, and incident remediation.

      • Cloud Identity integration: Google SecOps can now be configured with Cloud Identity or Google Workspace as an identity provider.

      • Access Transparency support: Google SecOps integrates with Access Transparency for increased visibility into user access.

      • Data RBAC: Data-based access control is now supported in Google SecOps.

      • Placeholder syntax update: The syntax for placeholders in UDM saved searches has been updated.

    • To get more information on the version updates, refer to Google SecOps release notes.

  • Recently, IBM released a few changes related to signing certificates for QRadar apps published on the IBM App Exchange:

    • Minimum QRadar Version: As of August 2024 (Update Pack 9), the minimum supported version for QRadar app development is 7.5 UP9.

    • Signing Certificate Changes:

      • Old certificates (Old_ca) can still be used until they expire, but new ones are issued with a different folder (CA_new).

      • Apps developed for versions earlier than 7.5 UP9 will not be marked as "IBM Validated" on the App Exchange.

    • Verifying Integration Signing:

      • Look for the presence of “IBMCCS / VALIDATE rsa/sf” files. These indicate that the app has been countersigned by the IBM team.

      • Use this link for further validation.

    • Action Required:

      • Update your development environment to QRadar 7.5 UP9.

      • Review your existing apps and consider updating them for compatibility with the new signing requirements.

    • To know more about these changes, refer to IBM’s community blog.


  • JupiterOne had its latest version released in September 2024. This update brings several improvements to JupiterOne, including new features, enhanced functionality, and bug fixes. Here's a quick rundown of the key highlights:

    • EPSS: Exploit Prediction Scoring System (EPSS) is a new feature of JupiterOne. It is a data-driven model that uses machine learning to predict the probability of a software vulnerability being exploited in the wild within a specific timeframe. It leverages historical exploit data, vulnerability characteristics, and metadata to calculate a score between 0 and 1. A higher score indicates a greater likelihood of exploitation. This aims to help you prioritize your remediation efforts by focusing on vulnerabilities with the highest EPSS scores.

    • Smart Classes: Allows operators to organize and categorize their assets with additional business and technical context. This should help improve IT management and security practices.

    • Graph Upgrade: Completed in July, this upgrade improves query response speed and data availability.

    • Enhanced Query API: Variable result size queries are now the default, improving performance and eliminating pagination issues. Additionally, error handling has been improved with proper HTTP status codes.

    • Python SDK Ownership Transfer: JupiterOne now actively maintains the Python SDK, offering significant improvements.

    • Terraform Provider Enhancements: Configure Insights dashboards and widgets, and be warned about potential overwriting of non-Terraform changes.

    • J1QL Query Editor: Block quoting lines in your queries is now easier with keyboard shortcuts.

    • Alerts & Rule Improvements: Download rule evaluation results as JSON and process larger, longer-running queries.

    • Insights Dashboards: Create rules directly from widgets to turn insights into actionable alerts.

    • Integration Updates: Improved documentation for several integrations and added support for ManageEngine Endpoint Central via the JupiterOne Collector. Additionally, more AWS services are now integrated.

    • New Rule Packs: Leverage pre-configured MITRE ATT&CK rule packs for privilege escalation, execution, and initial access scenarios.

    • For detailed information and documentation on these updates, refer to the JupiterOne release notes.
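To make the EPSS bullet above concrete, here is an added example (not JupiterOne's code or API) of how a remediation queue can be ranked by an EPSS probability in the 0..1 range, with CVSS and exposure as tie-breakers and findings that have no EPSS score yet kept visible at the back rather than silently treated as low risk. The Finding shape, the placeholder identifiers, the scores and the "patch now" threshold policy are all constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    """One vulnerability finding in the shape an asset-inventory tool might expose (constructed)."""
    cve: str                 # placeholder identifier, not a real CVE number
    epss: Optional[float]    # EPSS probability of exploitation in the wild, 0..1; None if not yet scored
    cvss: float              # CVSS base score, 0..10
    internet_facing: bool    # exposure context taken from the asset graph


def validate(finding: Finding) -> Finding:
    """Reject malformed scores instead of silently mis-ranking them."""
    if finding.epss is not None and not 0.0 <= finding.epss <= 1.0:
        raise ValueError(f"{finding.cve}: EPSS must lie within [0, 1]")
    if not 0.0 <= finding.cvss <= 10.0:
        raise ValueError(f"{finding.cve}: CVSS must lie within [0, 10]")
    return finding


def rank_key(finding: Finding):
    """Sort key: scored findings first (highest EPSS wins), then severity, then exposure.
    Findings with no EPSS score yet go to the back, ordered by CVSS and exposure only."""
    unscored = 0 if finding.epss is not None else 1
    epss = finding.epss if finding.epss is not None else 0.0
    return (unscored, -epss, -finding.cvss, -int(finding.internet_facing))


def remediation_order(findings: List[Finding]) -> List[Finding]:
    """Return the findings in the order they should be remediated."""
    return sorted((validate(f) for f in findings), key=rank_key)


def patch_now(findings: List[Finding], epss_threshold: float = 0.1) -> List[Finding]:
    """Findings whose EPSS score meets the threshold, highest first (assumed policy).
    Unscored findings are left out on purpose: a missing score is not evidence of low risk,
    so they stay in remediation_order() for manual review instead."""
    return [f for f in remediation_order(findings)
            if f.epss is not None and f.epss >= epss_threshold]


# Constructed sample data: identifiers and scores are illustrative, not real CVEs.
SAMPLE_FINDINGS = [
    Finding("CVE-EXAMPLE-0001", epss=0.92, cvss=7.5, internet_facing=False),
    Finding("CVE-EXAMPLE-0002", epss=0.02, cvss=9.8, internet_facing=True),   # critical but rarely exploited
    Finding("CVE-EXAMPLE-0003", epss=None, cvss=8.1, internet_facing=True),   # no EPSS score published yet
    Finding("CVE-EXAMPLE-0004", epss=0.35, cvss=6.5, internet_facing=True),
    Finding("CVE-EXAMPLE-0005", epss=0.35, cvss=6.5, internet_facing=False),  # EPSS tie broken by exposure
]

if __name__ == "__main__":
    for f in remediation_order(SAMPLE_FINDINGS):
        print(f"{f.cve:18} epss={f.epss} cvss={f.cvss} internet_facing={f.internet_facing}")
    print("patch now:", [f.cve for f in patch_now(SAMPLE_FINDINGS)])
```

Note that the CVSS 9.8 finding lands fourth: EPSS reorders work by likelihood of exploitation, which is the point of the feature, while severity only breaks ties.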

Before you go…

The conference season is starting to cool down as we approach the last quarter of the year. We’ve currently got one more conference lined up - hope to catch you there if you’re also planning on attending!

  • AWS re:Invent, Las Vegas, 2-6 December