IT operations are still very manual today. Customers are always challenged to maintain system health and improve online security. This workflow demonstrates how Cisco SecureX orchestration can be leveraged to automate vulnerability management.
This workflow periodically checks SecureX incidents for Threat Detected Events from Cisco Secure Endpoint. When an incident is returned, the workflow collects all observations from it and reaches to Kenna Security for vulnerabilities information related to executed malware. If information is returned, the workflow updates the incident in SecureX to document the findings. This workflow is designed to run every 5 minutes on a schedule.
Note: Please test this properly before implementing in a production environment. This is a sample workflow!
In order to leverage Kenna Security malware intelligence for detected vulnerabilities, Kenna Security VI+ License is required.
[] Fetch incidents from SecureX
[] For each incident:
[]> Extract the observations and target
[]> Search for the asset in Kenna by IP and fetch its asset ID
[]> Fetch asset risk score, priority and vulnerabilities by asset ID
[]> Find all malware associated with open vulnerabilities matching criteria: malware exploitable, has active new breaches and popular targets. (Kenna Security VI+ License required)
[]> Compare with malware in the SecureX incident. If match found, update the incident with Kenna information. Add tags and notes to Kenna asset to link with the incident.
Target Group: Default TargetGroup
Targets: CTR_For_Access_Token, Private_CTIA_Target, Kenna_Target
In the left hand menu, select Variables.
Click New Variable. Data Type - Secure String. Name Kenna - Token.
Provide your Kenna API token.
Note: For more information on Kenna Security APIs, check out API Reference.
In the left pane menu, select Workflows. Click on IMPORT to import the workflow.
Click on Browse and copy paste the content of the Kenna-SecureXIncidentsEnrichmentWF file inside of the text window. Select IMPORT AS A NEW WORKFLOW (CLONE) and click on IMPORT.
Go to My Workflows and open the main workflow Kenna - SecureX Incidents Enrichment. In the properties on the right hand-side, find section Triggers. You will see that the status is - Disabled. Click on the name of the Trigger and change the status to Enabled.
IT operations are still very manual today. Customers are always challenged to maintain system health and improve online security. This workflow demonstrates how Cisco SecureX orchestration can be leveraged to automate vulnerability management.
This workflow periodically checks SecureX incidents for Threat Detected Events from Cisco Secure Endpoint. When an incident is returned, the workflow collects all observations from it and reaches to Kenna Security for vulnerabilities information related to executed malware. If information is returned, the workflow updates the incident in SecureX to document the findings. This workflow is designed to run every 5 minutes on a schedule.
Service-oriented orchestration provides the agility to model and act on IT services. These features make creating orchestration active and dynamic, and allow for:
Please continue your reading in this SecureX white paper.
Currently there is no DevNet sandbox yet, however you can find all options to try out SecureX orchestration here!
Please check out related solutions on DevNet Ecosystem Exchange.
Owner
Contributors
Categories
Products
Secure EndpointProgramming Languages
License
Code Exchange Community
Get help, share code, and collaborate with other developers in the Code Exchange community.View Community