A Programmatic Approach to Using Cisco’s Security Intelligence Feed
If you’re an end-user or manager of software that has publicly known security vulnerabilities, wouldn’t you want to know about it? If you’re a software developer, wouldn’t you want to know if there are third-party software vulnerabilities that may impact your applications or products? Do you have a patch management compliance requirement for managing software vulnerabilities? I presume the answer is a resounding “Yes” to each question that applies to you. Anything we, as cyber security professionals, can do to help automate the vulnerability management process, while integrating security intelligence into that process from both an end-user and developer perspective, is a good thing. In this post, I will discuss Cisco’s Application Programming Interface (API) that exposes security intelligence as a direct data feed into applications or portals. The API is known as the IntelliShield Security Information Service (ISIS) and has proven effective in answering these questions.
“Continuous improvement in vulnerability management practices is imperative to keeping pace with the changing security environment as a result of evolving threats as well as new products and technologies” Russell Smoak, Cisco Systems, Cisco 2013 Annual Security Report
The above quote underscores the importance of striving to raise the bar in protecting against vulnerabilities that may be exploited in your environment or, in the case of a developer, in the products you provide to your customers. Cisco uses ISIS in several ways, both internally and externally. Internally, Cisco takes advantage of custom-built tooling that uses vulnerability data from Cisco IntelliShield to notify the product development teams when a security issue originating in third-party software may impact a Cisco product. This tool has greatly increased the ability to manage security issues that originate in non-Cisco code. Externally, ISIS is used to provide the content for several sections accessible through the Cisco SIO portal. A couple of examples include:
- IOS Software Checker: this tool is used to query Cisco IOS Software Releases against published Cisco Security Advisories.
- Security Alerts: this tool provides an “At-A-Glance” type of view of security events such as vulnerability exposures.
Technically, ISIS provides a set of services that support application-to-application interaction using SOAP over the HTTPS protocol, allowing clients to develop ISIS-dependent applications that are not dependent on the technologies used to implement ISIS. The only dependency is for the client to have the ability to produce a SOAP message, send it to ISIS over HTTPS, and ultimately decompose the SOAP response. These services also allow clients to filter the security intelligence based on various inputs, enabling clients to align IntelliShield security intelligence with the unique business needs of their environment.
Rather than provide an example of the application of ISIS for a specific programming language, I will demonstrate ISIS through the use of a tool I use for prototyping called SoapUI.
WSDL: Web Services Description Language
A WSDL is an XML-based document that contains elements describing how to locate and connect to a service. In addition, it describes all the operations a service provides, along with their parameters and data types. The WSDL also defines the XML schema that is used to validate the service’s SOAP request and response. ISIS provides a variety of WSDL-based services that enable access to specific types of data. For example, a security engineer might be interested in information that can be accessed through the Alert Service, which provides information about threats and vulnerabilities that may affect their environment.
SOAP: Simple Object Access Protocol
SOAP is an XML-based protocol that is structured to exchange information between a web service and its clients. The body of the SOAP request contains the service operation for which the request is intended and the parameters that are passed to that operation. The rest of the SOAP message can contain customizable header information and attachments. The SOAP response contains the output from the service operation specified in the request. ISIS includes SOAP request/response messages in each of its WSDL-based services. For example, getAlert is a method available through the Alert Service (described above) whose SOAP request message is comprised of specific parameters, such as IntelliShield alert IDs. The getAlert SOAP response message is XML-based and contains the results of the corresponding SOAP request message.
Below is a brief video which illustrates the above ISIS example:
Let’s say you are interested in the vulnerability state for Cisco security advisories based on one or more IOS release branches. The searchAdvisoriesByIosReleaseBranchNames method also allows an application to request multiple release branches in a single call, as in the example below. To do so, each release branch must be passed in its own tag, not as a comma-separated list inside a single tag. A properly formatted multiple request would appear as follows:
The SOAP response to the above SOAP request would look similar to the following. Note: output is truncated for demonstration purposes.
Your actual program code could parse the above SOAP response for information such as release name, status, and advisory details, and then pass that data to a security dashboard application for further processing, integration, or correlation, depending on your specific requirements.
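To make the two points above concrete (one tag per release branch in the request, and parsing release name, status and advisory details out of the response), here is an added example in Python. It is not Cisco’s code and not taken from the ISIS WSDL: the service namespace URI, the parameter element name releaseBranchName, the response element names, the release branch strings and the advisory IDs are all placeholders I chose for the illustration, and the sample response is constructed. Only the method name searchAdvisoriesByIosReleaseBranchNames and the SOAP 1.1 envelope namespace come from the post and the SOAP standard respectively; the real element names come from the ISIS WSDL you are subscribed to.

```python
"""Build an ISIS-style SOAP request with repeated branch elements and parse a
constructed SOAP response into rows a dashboard could consume.

Added example, not Cisco's code. ASSUMPTIONS: the ISIS namespace URI, the
element names (releaseBranchName, release, name, status, advisory, id, title)
and all sample data below are placeholders, not values from the ISIS WSDL."""
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"   # standard SOAP 1.1 envelope
ISIS_NS = "urn:example:isis-placeholder"                  # ASSUMPTION: placeholder namespace
NS = {"soapenv": SOAP_ENV, "isis": ISIS_NS}


def build_request(branch_names):
    """Return the SOAP request for searchAdvisoriesByIosReleaseBranchNames.

    Each release branch becomes its own <isis:releaseBranchName> element, which
    is what the post describes; a comma-separated list in one element is rejected
    here so the mistake is caught client-side rather than as a server fault."""
    if any("," in name for name in branch_names):
        raise ValueError("pass one element per release branch, not a comma-separated list")
    ET.register_namespace("soapenv", SOAP_ENV)
    ET.register_namespace("isis", ISIS_NS)
    envelope = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    ET.SubElement(envelope, f"{{{SOAP_ENV}}}Header")          # header left empty in this example
    body = ET.SubElement(envelope, f"{{{SOAP_ENV}}}Body")
    operation = ET.SubElement(body, f"{{{ISIS_NS}}}searchAdvisoriesByIosReleaseBranchNames")
    for name in branch_names:
        # ASSUMPTION: parameter element name; repeated once per branch
        ET.SubElement(operation, f"{{{ISIS_NS}}}releaseBranchName").text = name
    return ET.tostring(envelope, encoding="unicode")


# Constructed sample response: placeholder branches and advisory IDs, shaped
# like the truncated response the post describes (release name, status, advisories).
SAMPLE_RESPONSE = f"""<?xml version="1.0"?>
<soapenv:Envelope xmlns:soapenv="{SOAP_ENV}" xmlns:isis="{ISIS_NS}">
  <soapenv:Body>
    <isis:searchAdvisoriesByIosReleaseBranchNamesResponse>
      <isis:release>
        <isis:name>12.4T</isis:name>
        <isis:status>AFFECTED</isis:status>
        <isis:advisory><isis:id>cisco-sa-EXAMPLE-1</isis:id><isis:title>Placeholder advisory one</isis:title></isis:advisory>
        <isis:advisory><isis:id>cisco-sa-EXAMPLE-2</isis:id><isis:title>Placeholder advisory two</isis:title></isis:advisory>
      </isis:release>
      <isis:release>
        <isis:name>15.0M</isis:name>
        <isis:status>NOT_AFFECTED</isis:status>
      </isis:release>
    </isis:searchAdvisoriesByIosReleaseBranchNamesResponse>
  </soapenv:Body>
</soapenv:Envelope>"""

# Constructed SOAP 1.1 fault, so the parser's error path can be exercised.
SAMPLE_FAULT = f"""<?xml version="1.0"?>
<soapenv:Envelope xmlns:soapenv="{SOAP_ENV}">
  <soapenv:Body>
    <soapenv:Fault>
      <faultcode>soapenv:Client</faultcode>
      <faultstring>Placeholder fault: unknown release branch</faultstring>
    </soapenv:Fault>
  </soapenv:Body>
</soapenv:Envelope>"""


def parse_response(xml_text):
    """Return one dict per release: name, status and the list of advisory IDs.

    A SOAP Fault is raised as an error instead of being silently read as
    'no releases affected'. The stdlib parser is fine for this constructed
    input; for XML received over the network, parse with defusedxml instead."""
    root = ET.fromstring(xml_text)
    fault = root.find(".//soapenv:Fault", NS)
    if fault is not None:
        # SOAP 1.1 fault children are unqualified, so no namespace prefix here
        raise RuntimeError("SOAP fault: " + (fault.findtext("faultstring") or "unknown"))
    rows = []
    for release in root.findall(".//isis:release", NS):
        rows.append({
            "release": release.findtext("isis:name", namespaces=NS),
            "status": release.findtext("isis:status", namespaces=NS),
            "advisories": [adv.findtext("isis:id", namespaces=NS)
                           for adv in release.findall("isis:advisory", NS)],
        })
    return rows


def affected_releases(rows):
    """Names of releases whose status is not NOT_AFFECTED, for a dashboard filter."""
    return [row["release"] for row in rows if row["status"] != "NOT_AFFECTED"]


if __name__ == "__main__":
    print(build_request(["12.4T", "15.0M"]))
    rows = parse_response(SAMPLE_RESPONSE)
    print(rows)
    print("affected:", affected_releases(rows))
```

The request builder refuses a comma inside a branch name on purpose: that is exactly the malformed input the post warns about, and failing locally is cheaper than a round trip that ends in a fault. The response parser treats a SOAP Fault as an error rather than an empty result, so a dashboard fed by this code cannot mistake a failed query for a clean bill of health.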
Hopefully by now you have more insight into how ISIS can be used to deliver a direct data feed of security intelligence in a programmatic fashion to your applications and systems. ISIS is available from Cisco on a subscription basis through the standard Cisco service channels. Let me know if you’re interested in ISIS and if it would be useful or applicable to your own particular use cases or products. I welcome your comments and questions and look forward to hearing from you.