AlienApps Roundup - Box, Cloudflare, Palo Alto Networks, Salesforce, ServiceNow, Zscaler, Checkpoint

July 15, 2020 | Rich Langston

Having a detection and response strategy and tools has long been a leading indicator of a mature, well-funded security organization.  The cost of tools, and expertise required to operate them, has long created an uneven playing field in the security industry.

Here at AT&T Cybersecurity, we believe that security, specifically detection and response, is something that should be available to every business, independent of size or the number of security experts working there.  Ever since we launched USM Anywhere, we have endeavored to bring detection and response “to the masses” by simplifying the process as much as possible, including providing integrations with third party tools via “AlienApps”.

These AlienApps are helper applications that collect data from a customer’s environment and cloud services, provide handy consolidated dashboards, and enable customers to take response actions without ever having to leave the USM Anywhere console.  By providing both visibility and response capabilities for your security products in a single place, we save time and provide valuable context.

Over the past few months, we’ve released seven new or significantly updated AlienApp integrations.  These integrations include Salesforce, ServiceNow, Box, Palo Alto Networks, Zscaler, Cloudflare, and Checkpoint. All the recent integrations fall into three broad categories - data collection, notification, and response. Let’s look at how these can help you to find security problems faster and respond more easily.

All the new AlienApps collect logs from their associated cloud services.  This is critical because it extends the reach of your detection and response strategy to your valuable SaaS cloud assets. Once the app is activated and collection begins, USM Anywhere will automatically trigger alarms when dangerous events happen.  A simple example would be if a user logged into a Box account from two places at once, or a user downloaded a very large amount of data from their Salesforce account.

Data from your SaaS apps is also added to individual dashboards in USM Anywhere, making it easy to see your security stance at a glance.  Here are a couple of helpful examples.  On the left, we have a graph showing a breakdown of the connection attempts allowed by the Zscaler infrastructure.  It gives you a quick overview of how much traffic you are blocking.  Big changes here could mean you are under attack.  On the right, we see a list of all the reports downloaded by Salesforce users.  This makes it easy to see trends and spot outliers that are worthy of investigation.  One final example - the Box dashboard includes a pane showing “Top Users with Failed Logins” to quickly show you users who are struggling to log in or whose account is under brute force attack.

[Figures: AlienApps events dashboard (Zscaler); AlienApps top reports (Salesforce); AlienApps top users with failed logins (Box)]

Our integrations go deeper than just data collection, alarming on dangerous events, and visualizations.  All these apps also contain either notification or response actions.

Response actions are exactly what they sound like.  Say an alarm is triggered because someone on the network is communicating with a known malware command and control (C&C) entity.  The most obvious quick fix for this is blocking access to the C&C so the team can assess the threat posed by the device and take other actions as needed.  This is exactly the kind of action we support with many vendors.  Without leaving the USM Anywhere console or logging into another tool, the operator can simply click a couple of buttons and USM Anywhere will use the correct API and credentials to log in to the firewall infrastructure and block the offending IP address.

This handy table gives a high-level view of the response actions available with these new AlienApps: 

| App | Action | Use |
| --- | --- | --- |
| Box | Disable a Box user’s account | Stop access to a compromised account or stop a user from continuing activity that is against policy. |
| Palo Alto Networks | Tag a source or destination IP into a Dynamic Address Group | Block (or permit) activity based on IP address or hostname.  Dynamic address groups allow customers to support their own unique security strategy. |
| Zscaler | Add IP or hostname to blocklist; add to allow list; add to custom category | Block (or permit) activity based on IP address or hostname.  Options such as custom categories exist to support each customer’s unique security strategy. |
| Cloudflare | Create a firewall action or rule based on source or destination IP address | Block threats by IP address. |
| Checkpoint | Update firewall policy using a URL, domain, file hash, or IP | Block threats using a variety of common indicators of compromise. |

These actions can be taken in a couple of different ways. As an operator works a security incident, she may identify a site or IP as a bad actor and want to take action to protect the company by blocking all access to/from the problem.  This can be done in a few clicks directly from the related alarms and events.  Alternatively, if a problem is recurring and the solution is straightforward, all of these apps support writing “response rules” which will trigger automatically in response to threats.
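As an added illustration (not AlienApps or USM Anywhere code), the following Python sketch ties the Box scenario mentioned earlier (a user logging in from two places at once) to the response rules described above: it raises an alarm from constructed, hypothetical Box-style login events and maps that alarm to the "disable user" action from the table, as a dry run that calls no vendor API.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified, hypothetical shape (not the real
# Box event format): user, source IP, coarse location, ISO timestamp.
LOGIN_EVENTS = [
    {"user": "alice", "ip": "203.0.113.10", "geo": "US", "ts": "2020-07-15T09:00:00"},
    {"user": "alice", "ip": "198.51.100.7", "geo": "DE", "ts": "2020-07-15T09:05:00"},
    {"user": "bob",   "ip": "203.0.113.20", "geo": "US", "ts": "2020-07-15T09:10:00"},
    {"user": "bob",   "ip": "203.0.113.20", "geo": "US", "ts": "2020-07-15T12:00:00"},
    {"user": "carol", "ip": "203.0.113.30", "geo": "US", "ts": "2020-07-15T08:00:00"},
    {"user": "carol", "ip": "198.51.100.9", "geo": "FR", "ts": "2020-07-15T16:00:00"},
]


def concurrent_location_alarms(events, window=timedelta(minutes=30)):
    """Alarm on users whose consecutive logins come from different locations
    within `window` of each other (the 'two places at once' case)."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e))
    alarms = []
    for user, logins in by_user.items():
        logins.sort(key=lambda pair: pair[0])
        for (t1, a), (t2, b) in zip(logins, logins[1:]):
            if a["geo"] != b["geo"] and t2 - t1 <= window:
                alarms.append({"alarm": "concurrent_login", "user": user,
                               "from": a["geo"], "to": b["geo"],
                               "minutes": int((t2 - t1).total_seconds() // 60)})
    return alarms


# Hypothetical response rule table: alarm name -> (app, action), mirroring
# the Box row of the response-action table above.
RESPONSE_RULES = {
    "concurrent_login": ("Box", "disable_user"),
}


def plan_responses(alarms, rules=RESPONSE_RULES):
    """Dry run: return the action each rule would trigger instead of calling
    any vendor API. Alarms without a matching rule are left for an analyst."""
    planned = []
    for a in alarms:
        if a["alarm"] in rules:
            app, action = rules[a["alarm"]]
            planned.append({"app": app, "action": action, "target": a["user"]})
    return planned
```

Carol's two logins are eight hours apart, so they fall outside the window and raise no alarm; only Alice's five-minute US/DE pair is flagged and mapped to the Box disable action.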

The last category of AlienApp capabilities is “notification”.  These apps are designed to fit into your existing security workflows that leverage trouble ticketing systems.  USM Anywhere has its own “investigations” feature that can be used to track security incidents, add evidence and case notes, and even assign and prioritize the investigations.  But many customers prefer to use their own.  To that end, we are adding these capabilities:

| App | Action |
| --- | --- |
| Box | Create a Box Note for the incident |
| Salesforce | Create a Salesforce ticket |
| ServiceNow | Create a ServiceNow ticket |

All tickets will be populated with the event or alarm details associated with the investigation.  These tickets can be opened manually or, just like with response actions, they can be created automatically via a response rule the operator configures. Of note, we have a similar integration with Jira already.

All of these applications are available now in the “Integrations” section of the USM Anywhere GUI.   

Try out these new AlienApps

AlienApps are included for all USM Anywhere customers at no extra charge. Try USM Anywhere for yourself and explore the new AlienApps in our online demo environment, or start a Free 14-Day Trial of USM Anywhere today to see how AlienApps can help your organization work more efficiently to reduce the time between threat detection and response.


About the Author: Rich Langston

Rich Langston is a lifelong veteran of the information security wars. His initial introduction came in the late 1980s when the ARPANET network he was responsible for at his part-time college job was completely down because of an insecure default configuration (/.rhost anyone?). Since then, he has helped create security products as diverse as Network Access Control, Full Disk Encryption, and network security at companies such as Cisco, Extreme Networks, Symantec, and Aruba Networks. When not trying to save the world, or blogging about it, he's an avid road cyclist.
