Integrate All The Things With Netskope Cloud Exchange

April 17, 2023

In the recent past, cybersecurity tools were siloed, didn’t work together, or required a SIEM to attempt to bring data and alerts together. This disjointed approach led security engineering teams to retroactively configure their tools, even from the same vendor, to stop future issues. Cybersecurity vendors eventually changed their approach and allowed tool integration within their own brand ecosystem, albeit usually using lackluster APIs and sometimes charging customers a fee to integrate the products within their portfolio. Integration with third-party tools continued to be a sensitive topic, until customers finally pushed cybersecurity vendors enough to offer better APIs and integration points.


What if there were a tool that had existing integration points with cyber and IT tools, but also allowed you to create your own integration points? Let me introduce you to a tool from Netskope called Cloud Exchange.



Cloud Exchange Basics

The Netskope Cloud Exchange tool allows customers to integrate both Netskope and third-party cybersecurity tools together, without the requirement of being a Netskope customer. Netskope currently offers 60+ prebuilt integrations, but also provides the key functionality of allowing customers to create their own integrations.


Cloud Exchange is a Docker-based solution that can be installed on-premises, in a private or public cloud, or delivered as a service from Netskope. Cloud Exchange has four modules: Log Shipper, Ticket Orchestrator, Threat Exchange, and Risk Exchange, which enable different integration capabilities and data-sharing endpoints.



Figure 1 – Netskope Cloud Exchange Module Overview



Cloud Exchange Module Deep Dive

Let’s take a deeper look at each of the modules and their features and functionalities.


Cloud Log Shipper
The Cloud Log Shipper (CLS) module is used to connect to the Netskope tenant; retrieve alerts, incidents, and events; and forward them to a logging or SIEM/MDR/XDR platform to be used by security responders. CLS also offers the capability for filtering incidents, alerts, and events from Netskope in order to send relevant data into a SIEM/MDR/XDR platform. This capability allows the customer to archive all the logs in a platform like S3 for compliance or audit purposes.


Netskope offers plugins with leading logging solutions such as Elastic, IBM QRadar, and Azure Sentinel. Cloud Log Shipper provides a generic Syslog export for logging platforms with no current native plugin.


Cloud Ticket Orchestrator
The Cloud Ticket Orchestrator (CTO) module allows customers to trigger alerts, emails, or tickets in collaboration or notification tools for response. The CLS and CTO modules are tightly aligned to allow generation of notifications based on data obtained from the Netskope tenant, which may not necessarily be generated by a response platform like a SIEM. CTO is not limited to only generating notifications from Netskope.


Netskope currently offers plugins for common notification platforms such as PagerDuty, Slack, Jira, ServiceNow, Microsoft Teams, and email (SMTP).


Cloud Threat Exchange
Cloud Threat Exchange (CTE) is one of the most interesting and important modules. CTE allows customers to connect preventative tools such as EDR/EPP, email gateways, and threat intel platforms together to share IoC/IoA data. Integrations between these traditionally siloed protection tools strengthen a company’s defense in depth and increase the ROI of all the tools within the environment.


Netskope offers plugins for common prevention tools such as Proofpoint, Palo Alto Networks Panorama, Microsoft Defender, and STIX/TAXII.


Cloud Risk Exchange
The Cloud Risk Exchange (CRE) module is similar to CTE. However, instead of sharing threat data, CRE exchanges risk scores between platforms. CRE historically only shared user risk scores. Traditionally, security tools held their own risk engine, whether from a UEBA capability or based on another scoring algorithm. But users could never share this risk posture out to other tools. This all changed in early 2022, when applications gained the ability to exchange application risk scores within Cloud Exchange. By sharing risk scores, organizations can enable and adopt zero-trust principles across the customer ecosystem.


Netskope offers plugins for common products that have risk engines such as CrowdStrike, Okta, and Google BeyondCorp.



Netskope’s Open Plugin Concept

While the above modules utilize plugins built and supported by Netskope or its technology alliance partners, Netskope allows customers to create and build their own plugins for on-premises or other cloud platforms that offer APIs.


All the currently supported plugins are available on GitHub for reference, and Netskope provides a developer’s guide for those who want to develop their own plugin.



How to Get Cloud Exchange

To get started with Cloud Exchange, follow the installation guides on Netskope’s documentation site or GitHub. If your organization is interested in the Cloud Exchange as a Service, please reach out to your Optiv account team for additional information and pricing.

Matt Frank
Partner Architect for Netskope | Optiv
Matt is Optiv’s Partner Architect for Netskope, specializing in how Optiv helps customers move to a Secure Access Service Edge (SASE) / Security Service Edge (SSE) architecture utilizing Netskope’s platform.
