How OCA Empowers Your XDR Journey

By on Dec 15, 2020

eXtended Detection & Response (XDR) has become an industry buzzword promising to take detection and response to new heights and improving security operations effectiveness. Not only are customers and vendors behind this but industry groups like Open Cybersecurity Alliance (OCA) share this same goal and there are some open projects to leverage for this effort.

XDR Promise

Let’s start with an understanding of XDR. There is a range of XDR definitions but at the end of day there are core desired capabilities and outcomes.

  • Go beyond the endpoint with advanced and automated detection and response capabilities, and cover all vectors—endpoints, networks, cloud, etc. automatically aggregating and correlating insights in a unified view.

Benefit: Remove the siloes and reduce complexity.  Empower security operations to respond and protect more quickly.

  • Enable security functions to work together to share intelligence and insights, and coordinate actions.

Benefit: Deliver faster and better security outcomes.

This requires security functions to be connected to create a shared data lake of insights and to synchronize detection and response capabilities across the enterprise.  The Open Cybersecurity Alliance (OCA) shares this vision to easily bring interoperability between security products and simplify integration across the threat lifecycle.   OCA enables this with several open source projects available to the industry.

OCA Projects Enabling XDR

Create a Simple Pathway for Security to Work Together

In order to connect security solutions a consistent and easy to use pathway is needed. Contributed by McAfee OpenDXL Ontology is a common messaging format to enable real time data exchange and allow disparate security functions to coordinate and orchestrate actions.  It builds up on other common open standards for message content (OpenC2, STIX, etc.) Vendors and organizations can use the categorized set of messages to perform actions on cybersecurity products and notifications used to signal when significant security-related events occur.  There are multiple communications modes, one to one or one to many.  In addition, there is a centralized authentication and authorization model between security functions. Some examples include but are not limited to:

  • Endpoint solution alerts all network security solutions to block a verified malicious IP and URL addresses.
  • Both endpoint and web security solutions detect suspicious behavior on certain devices calling out to a URL address. Investigation is desired but more time is needed to do so. A ticket is automatically created on the IT service desk and select devices are temporarily quarantined from the main network to minimize risk.

Sample code on OCA site demonstrates how to integrate the ontology into existing security products and related solutions. The whole mantra here is to integrate once and be able to share information with all the tools/products that are leveraging OpenDXL Ontology.

OpenDXL is the open initiative from which OpenDXL Ontology was initially derived.  The Data Exchange Layer (DXL) technology developed by McAfee is being used by 3000 organizations today and is the transport layer used to share information in near real time.  OpenDXL technology is also the foundation to McAfee’s MVISION Marketplace where organizations may easily compose their security actions and fulfill the XDR promise of working together.

One who has followed DXL may ask what makes OpenDXL onotology different from DXL.  DXL is communication bus.  OpenDXL ontology is the common language to enable easy and consistent sharing and collaboration between many different tools on the DXL pathway.

Normalize Cyber Threat Data for a Better Exchange

To optimize threat intelligence between security tools easier, one needs to homogenize the data so it may be easily read and analyzed. Contributed by IBM, STIX -Shifter is an open-source Python patterning library to normalize data across domains.  Structured Threat Information Expression (STIX™) is a language and serialization format used to exchange cyber threat intelligence (CTI). Many organizations have adopted STIX to make better sense of cyber threat intelligence.

STIX enables organizations to share CTI with one another in a consistent and machine-readable manner represented with objects and relationships stored in JavaScript Object Notation (JSON).  STIX-Shifter uses STIX Patterning to return results as STIX Observations.  This allows security communities to better understand what computer-based attacks they are most likely to see, anticipate and/or respond to those attacks faster and more effectively.  What is unique is STIX-Shifter’s ability to search for all three data types—network, file, and log.  This allows you to create complex queries and analytics across many domains like Security Information and Event Management (SIEM), endpoint, network and file levels.

STIX is designed to improve many different capabilities, such as collaborative threat analysis, automated threat exchange, automated detection and response, and more.  Here is a great Introduction to STIX-Shifter video (just under 7 minutes) to watch.

Achieve Compliance with Critical Interoperable Communication

Security Content Automation Protocol Version 2 (SCAP v2) is a data collection architecture to allow continuous real time monitoring for configuration compliance and to detect the presence of vulnerable versions of software on cyber assets.  It offers transport protocols to enable secure interoperable communication of security automation information allowing more active responses to the security postures changes as they occur.  SCAP v2 was derived from the National Institute of Standards Technology (NIST.)

To fully realize the benefits of an evolving XDR strategy, enterprises must ensure the platform they select is built atop an open and flexible architecture with a broad ecosystem of integrated security vendors. McAfee’s innovation and leadership in the Open Cybersecurity Alliance provides customers the confidence that as their security environment evolves, so too will their ability to effectively integrate all relevant technologies, the telemetry they generate and the security outcomes they provide.

If your organization aspires to XDR, the OCA projects bring the technologies to help unite your security functions.  Many vendors are leveraging the OCA in their XDR ecosystems. Leverage the projects and join OCA if you want to influence and contribute to open security working together with ease.

About the Author

Kathy Trahan

Senior Solution and Product Marketing Manager, Kathy Trahan has been in the cybersecurity industry for over 15 years working on network security, device security, threat intelligence, IOT security and cloud security with companies like Check Point Software, Cisco, Netapp, Trend Micro & Tripwire. She is responsible for content for McAfee’s management and collaboration story. She ...

Read more posts from Kathy Trahan

Categories: Security Operations

Subscribe to McAfee Securing Tomorrow Blogs