
SecureX serverless relay modules?… Right. What?! 

Yes! SecureX serverless relay modules integrate third-party systems into SecureX. This tool enables SecureX Threat Response to observe, deliberate, refer, and respond to observables from third-party solutions. What does this all mean? Read on; you’ll find out in this blog post. And you can learn more, and ask questions, at our upcoming webinar on April 13th.

You can even do a guided workshop of the new DevNet learning module. It will teach you how to integrate the not-yet-integrated! 

Why third-party integrations?

For most readers, I won’t have to explain why it is so important to integrate as many sources of information as possible into a security platform like SecureX. It is very important nowadays to stay up to date with all of the cyber threats emerging all over the world. It is widely known that there are not enough resources to staff every Security Operations Center (SOC).

Therefore, many organizations struggle to cope with the massive number of new types of attacks and the alerts generated by their tooling. This is where SecureX, and integrations with SecureX, come into play: now your incident responders can leverage a single tool, SecureX, to respond to potential threats. This saves time and avoids many errors.

So, how do I integrate third party systems into SecureX?

There are a couple of ways to do this. First, let me explain a little bit about Cisco Threat Intelligence Model (CTIM).

Cisco Threat Intelligence Model (CTIM)

For SecureX, CTIM is the data model – an abstract model that organizes data and defines data relationships. CTIM is of utmost importance for SecureX because it provides a common representation of threat information, regardless of whether its source is Cisco or a third party. Think of each of these processes as part of a data refining pipeline. The data refining pipeline gathers raw data, such as information about how computer software behaves in a variety of contexts. It then progressively refines that data by decomposing and structuring it, enriching it by placing it in context with data from other origins, with its own varying levels of refinement. Refining it in this way enables us to isolate the parts of the data that we can use for informed decisions. The end result is what we call actionable intelligence. This is what SecureX offers to its users to act quickly and without errors.

[Figure: Cisco Threat Intelligence Model (CTIM)]

Now back to the integration methods. There are basically three methods: 

  1. Pre-built third-party integrations (created and maintained by Cisco); 
  2. API based integrations (simple integrations that only perform a single task); 
  3. Custom serverless relay module integrations. 

Custom serverless relay module integrations 

The serverless relay can be deployed anywhere: on the application, on a bare-metal server, on a VM, or in cloud-based systems such as AWS Lambda, Azure Functions, or Google Cloud Functions. In the DevNet learning module mentioned earlier, we will deploy the serverless relay module in AWS. The function of this relay is to translate between CTIM and whatever the third-party solution “speaks.” This makes it possible for a third-party solution to insert valuable data into SecureX, which can be leveraged to create actionable intelligence. SecureX can also send certain response actions back to that third-party solution for remediation.
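
The translation step described above, as an added example (not code from the DevNet lab or from Cisco's relay template): a Python function that turns records from a hypothetical third-party API into CTIM-shaped sightings and drops malformed ones. The vendor fields (`ip`, `seen`, `risk`, `rule`), the severity mapping, the subset of sighting fields, and the reply envelope are assumptions for illustration and should be checked against the CTIM schema.

```python
import ipaddress
import uuid
from datetime import datetime, timezone

# Constructed sample: what a hypothetical vendor API returns for one IP lookup.
VENDOR_HITS = [
    {"ip": "203.0.113.7", "seen": 1617181200, "risk": 9, "rule": "C2 beacon"},
    {"ip": "203.0.113.7", "seen": 1617184800, "risk": 4, "rule": "Port scan"},
    {"ip": "not-an-ip", "seen": "yesterday", "risk": 2, "rule": "garbage"},
]

def severity_for(risk):
    # Assumed vendor risk scale 0-10, mapped onto severity words.
    return "High" if risk >= 8 else "Medium" if risk >= 4 else "Low"

def to_sighting(hit, source="Example Vendor"):
    """Translate one vendor record into a sighting dict; None if it is invalid."""
    try:
        ip = str(ipaddress.ip_address(hit["ip"]))   # reject non-IP values
        seen = datetime.fromtimestamp(int(hit["seen"]), tz=timezone.utc)
        risk = int(hit["risk"])
    except (KeyError, ValueError, TypeError, OverflowError, OSError):
        return None
    return {
        "type": "sighting",
        "id": f"transient:sighting-{uuid.uuid4()}",  # not stored, so a transient id
        "source": source,
        "confidence": "High",
        "count": 1,
        "severity": severity_for(risk),
        # Vendor text is untrusted: coerce to str and cap its length.
        "description": str(hit.get("rule", ""))[:256],
        "observed_time": {"start_time": seen.strftime("%Y-%m-%dT%H:%M:%SZ")},
        "observables": [{"type": "ip", "value": ip}],
    }

def observe(hits):
    """Build the relay's reply body; malformed vendor records are dropped."""
    docs = [s for s in map(to_sighting, hits) if s is not None]
    return {"data": {"sightings": {"count": len(docs), "docs": docs}}}

if __name__ == "__main__":
    import json
    print(json.dumps(observe(VENDOR_HITS), indent=2))
```

In a real relay this function would sit behind an authenticated route, and the vendor lookup would replace the constructed `VENDOR_HITS` list.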

New DevNet learning lab 

We will talk more about the SecureX serverless relay modules learning lab, and how it will help you learn this yourself, at the April 13th webinar. For now, know that when you complete the learning labs, you will have learned: 

  • What the SecureX serverless relay is and how it works
    • An overview of SecureX and Threat Response
    • A reference architecture of the serverless relay infrastructure and its components
  • The Cisco Threat Intelligence Model (CTIM)
    • What CTIM is and how it is used
    • All the CTIM components and their relationships
    • Interacting with CTIM using SecureX Threat Response, Swagger API explorer, and Python
  • Application Programming Interfaces
    • What APIs are and how we use them in the serverless relay
    • HTTP Request Methods and Request Items
    • Building applications using Python Flask
    • Building APIs using routes and functions
  • Building custom third-party relay modules
    • How to deploy the serverless relay Module template
    • Modifying the Python Flask application to interact with third-party solutions
    • Creating and managing JSON Web Tokens (JWT) for authentication
    • Running the relay module on your laptop to test your integration
    • Integrating the relay module into SecureX
  • Deployment of the serverless relay into AWS
    • Setting up AWS with appropriate policies, roles, and users
    • Installing needed libraries and dependencies to build and apply your application
    • Uploading the serverless relay to AWS using Zappa
    • Configuring the SecureX Integration Module
    • Testing the serverless relay using Postman and SecureX Threat Response

Register for the April 13th webinar

There are also several Cisco Live 2021 sessions that talk about this (e.g. DLBLDR-11, BRKSEC-2005, BRKDEV-2010 and HOLSEC-3003).

A big thank you to Brennan Buchard, Ed McNicholas, Håkan Nohre, Ian Gyte, Oxana Sannikova, and Patrick Cardot for creating this awesome content together!





Authors

Christopher Van Der Made

Product Management Leader

Cisco XDR