MI—One: Issue #9 - Novembris Edition

In this newsletter, we focus on developments with SOAR, upcoming industry events, and security application updates.

Hello there,

November is here, and with it comes the crisp autumn air and the anticipation of Thanksgiving. As we settle into the quieter months, it’s a perfect time to reflect on the year gone by and plan for the future.

But while we're enjoying the festivities, the digital world remains as dynamic and challenging as ever. Cyber threats continue to evolve, and staying informed about the latest vulnerabilities and attacks is crucial - especially as the holiday season keeps many of us away from the workplace.

In this edition of MI-One, we'll be taking a closer look into the latest trends in security integration and automation, noting how emerging technologies like AI and machine learning are shaping the future of cybersecurity, along with the role of third-party integrations in securing complex IT environments.

So, let’s dive in!

Under the Lens: Recent Developments in the Industry

This section covers the recent updates in the security integration and automation ecosystem — overall industry trends, announcements, and how they may impact your security and IT Ops platforms’ third-party integrations — improving automation and interoperability. Some of the recent highlights that stood out for us include:

Automation, including Hyperautomation, continues to be a strategic focus for CISOs and security leaders as they drive efficiency and scalability in security operations. Hence SOAR solutions remain strong and relevant in the cybersecurity landscape, and continue to evolve with more desirable emerging features. GigaOm published their SOAR report outlining the latest trends and innovations. The report indicates a continued preference for standalone and vendor-agnostic solutions, even though most SIEM and XDR providers now offer integrated SOAR features. This highlights the demand for flexibility and the ability to integrate tools from multiple vendors to suit specific security requirements.

The GigaOm report also suggests specific recommendations for Developing Partner Ecosystems, i.e., third-party integrations are the key to maximizing SOAR platform effectiveness. A few key insights stand out based on our hands-on experience in the trenches.
- Integrating with LLMs like GPT4, OpenAI’s GPT4, or Anthropic’s Claud, SOAR tools can enhance user interactions with natural language commands.
- Integrating with security data lakes like Amazon Security Lake to enrich investigations, and identify correlations.
- DevSecOps and security-as-code to enable analysts to manage and configure systems using code repositories, version control, and automated deployment.
Speaking of SOAR platforms, ServiceNow Security Incident Response is emerging as a major challenger, with strong third-party integration capabilities that are becoming essential for security vendors. Its orchestration tools streamline IT and security operations, making it a key platform in the evolving cybersecurity ecosystem. ServiceNow continues to expand its footprint in the industrial sector through strategic acquisitions and partnerships. The recent acquisition of Mission Secure and the ongoing collaboration with Siemens are prime examples of this strategy in the OT security space. For a deeper technical perspective on how OT platforms integrate with IT systems like ServiceNow's CMDB and Vulnerability Response, feel free to refer to one of our blogs — OT Platform’s Journey with ServiceNow: A Technical Deep Dive. This post explores the key considerations for seamless OT and IT integrations with ServiceNow platforms, helping organizations optimize both security and efficiency.
Consolidation continues to be a major theme for this year — Sophos' recent announcement to acquire SecureWorks and the merger between Trustwave and Cybereason. The mergers and acquisitions involving Secureworks and Sophos, as well as Cybereason and Trustwave, signal a strategic shift towards creating more comprehensive and integrated cybersecurity solutions. It will enhance their integrated cybersecurity offerings by expanding MDR, EDR, and XDR capabilities. These integrations will lead to increased automation, better API support for third-party tools, and more seamless connectivity across platforms.
Palo Alto Networks Prisma Cloud has enhanced its integration with Google Cloud Marketplace to streamline cloud security management. This integration allows seamless purchasing, unified billing, and faster deployment of Palo Alto’s solutions, simplifying adoption for enterprises. Prisma Cloud’s updates include tools like AppDNA, which provides structured, application-centric visibility, and Infinity Graph, offering deep contextual analysis of risks across misconfigurations, vulnerabilities, and exposure paths. These advancements ensure robust security workflows from code to cloud, while the integration with Google Cloud enhances scalability and operational efficiency for customers.

Are you looking to build out your integration roadmap with security or IT Ops platform? Ping us at connect@metronlabs.com to start the conversation.

Highlights from Industry Events

October was a busy month for most folks —juggling back-to-back conferences in Vegas, fueled by coffee and security talks. Still not sure if we learned more new security acronyms or how to navigate the Vegas maze just to get to the next meeting. A few ones we covered:

Highlights from SentinelOne OneCon 2024 — OneCon 2024 highlighted SentinelOne's vision for a future where security is integrated, automated, and intelligent. Key highlights — Enhancements to the Singularity Platform and demonstrate its integration of endpoint, cloud, and IoT security, focusing on a unified approach across the attack surface. Singularity Hyperautomation and Singularity AI SIEM’s automation capabilities were emphasized. In addition, Purple AI and the Ultraviolet Family of Security Models received significant updates. Purple AI introduced advanced automation for alert triage, investigation, and hunting, reducing manual workload in SOCs.
Highlights from Oktane 2024 — Okta has unveiled a new industry standard, IPSIE (Interoperability Profile for Secure Identity in the Enterprise), aimed at enhancing the security of SaaS products. This standard could help streamline development and integration across products, enabling organizations to focus on critical security tasks. IPSIE offers organizations real-time visibility and action capabilities, such as Universal Logout, with reduced effort. This enhances response times, minimizes security risks, and simplifies identity security management across platforms like Google, Office 365, Slack, and Atlassian.

Security Application and Version Updates

Stay ahead of the curve with the latest application and version updates. In this section, we highlight key updates, new features, and critical bug fixes that are shaping the cybersecurity landscape and may have an impact on your third-party integration.

The latest release of Palo Alto Network’s Cortex XDR — Cortex XDR 3.12 and Cortex XDR Agent 8.6; brings significant enhancements to security posture and incident response capabilities. Features and enhancement — Export/Import Configuration, Advanced Analytics, Improved XDR Collectors, Streamlined Email Ingestion, and Powerful XQL Capabilities. For a more detailed understanding of the modifications and enhancements of these features, you can refer to the official documentation by Palo Alto Networks.
Secureworks Taegis XDR continues to evolve with exciting new features and enhancements. Recent updates (Secureworks Taegis XDR v3.6.5), released on 8th November 2024. Key enhancements include:
- Expanded Third-Party Integrations: Support for a wide range of data sources such as Honey (Scadafence), Skyhigh Secure Web Gateway, and Sophos XG Firewall, enabling broader security coverage and improved interoperability with other security solutions.
- Automation and Playbooks: Updated GraphQL APIs for creating custom playbooks and connectors, allowing security teams to streamline workflows and integrate tailored automation into their processes.
- Improved Endpoint Management: Updates to the Taegis Endpoint Agent bring reduced system impact, enhanced telemetry, and seamless auto-updates for Windows, macOS, and Linux environments.
These developments underscore Secureworks’ emphasis on delivering a cohesive, and integrated security ecosystem. For more detailed information, please refer to the official Taegis XDR release notes.

Insights: From Our Integration Factory

CAASM + Infoblox NIOS: This integration leverages the capabilities of the Infoblox NIOS DDI Portal and the CAASM portal to provide a comprehensive view of network infrastructure data. This integration allows users to:
- Fetch relevant data from the Infoblox NIOS DDI Portal.
- Process and transform the data for optimal visualization.
- Send the prepared data to the CAASM Portal.
TIP + Sumo Logic: The integration of Sumo Logic with a TIP offers a robust solution for comprehensive digital risk protection. By combining the analytics capabilities of Sumo Logic with the real-time threat intelligence of the TIP, organizations can gain visibility into their security posture.

The key benefits of this integration are as follows:
- Enhanced Threat Detection: The integration enables the identification of advanced threats and zero-day vulnerabilities by correlating TIP alerts with log data.
- Accelerated Incident Response: By automating the ingestion and analysis of TIP alerts, security teams can respond to incidents more quickly and efficiently.
- Improved Security Posture: Proactive monitoring and analysis of security metrics allow organizations to identify and address potential threats before they can cause harm.
- Data-Driven Decision Making: This integration between Sumo Logic and a TIP platform provides valuable insights into security trends, enabling data-driven decision-making for risk mitigation and strategic planning.
By leveraging this integration, organizations can significantly improve their security posture, reduce the risk of breaches, and protect their critical assets.

CPS Protection Platform + Google SecOps: This integration automates the import process of security alerts, triggers appropriate security responses, and provides a centralized view of the network's security posture within the Google SecOps portal.

Key features of this integration:
- Automated Alert Import: The SecOps application will periodically fetch security alerts from the CPS protection platform.
- Response Orchestration: Imported alerts will be processed to generate tailored security responses.
- Centralized Security Visibility: Created responses will be analyzed within the Google SecOps portal, offering a comprehensive overview of the network's security status.
Benefits:
- Enhanced Efficiency: Automates manual processes, reducing human error and improving response times.
- Improved Security Posture: Proactive identification and mitigation of security threats.
- Simplified Operations: User-friendly interface for easy management and monitoring.
- Increased Visibility: Centralized view of security alerts and responses.

Before you go…

Well, it’s a wrap on most of the conferences for the year. We've got one last one coming up:

AWS re:Invent, Las Vegas, 2-6 December

Looking forward to seeing you in Las Vegas if you can make it! After that, it’s onward to the New Year.

Unlock the full potential of AWS for your cybersecurity needs with Metron’s tailored integrations. Ready to enhance your AWS ecosystem? Let’s connect at connect@metronlabs.com.

What to Expect at AWS re:Invent 2024

At AWS re:Invent 2024, several sessions will focus on automation, integration, and security applications. A few that we expect to be key highlights of the conference include:

Security Insights and Innovation with AWS: AWS CISO Chris Betz will share his insights into how security innovations and generative AI can drive secure innovation. The session aims to highlight strategies to integrate and automate security processes.
SEC219 – Uncovering sophisticated cloud threats with Amazon GuardDuty: Learn how GuardDuty enhances security automation through threat detection and automated responses, helping streamline security operations.
SEC343 – Identify a prioritization strategy for security response & remediation: This session discusses automating response and remediation using AWS Security Hub, which integrates with other tools for more efficient security management.
SEC401 – Inspect and secure your application with generative AI: Explore how generative AI and Amazon Inspector help automate application security assessments.
SEC314 – Accelerate your DevOps pipeline and remain secure with policy as code: This session focuses on integrating security policies into CI/CD pipelines, ensuring automated compliance and risk management.

Metron specializes in building robust and scalable AWS integrations for diverse cybersecurity platforms, including AWS Security Lake + OT, Amazon GuardDuty + SIEM, Amazon Security Lake + IoT, Amazon CloudWatch + CNAPP, AWS Network Firewall + CAASM, and more.

As Thanksgiving approaches, we’re beyond grateful for our customers and ecosystem partners—your trust lets us build connected security ecosystems that keep the bad actors on their toes. Huge thanks to our team of champions — working hard in the trenches to make security smarter, faster, and more seamless. Together, we’re doing our part, one integration at a time!

P.S. If any of these caught your eye, don’t hesitate to contact us for more details at connect@metronlabs.com.