SecurityScorecard Plugin for Threat Exchange

This document explains how to configure the SecurityScorecard integration with the Threat Exchange module of the Netskope Cloud Exchange platform. The integration pulls domains from SecurityScorecard into Netskope as URLs.

Prerequisites

To complete this configuration, you need:

  • A Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
  • A Secure Web Gateway subscription for URL sharing.
  • A Netskope Cloud Exchange tenant with the Threat Exchange module already configured.
  • A SecurityScorecard license (Pro, Business, Enterprise).
  • Connectivity to the following host: https://platform.securityscorecard.io/

SecurityScorecard Plugin Support

Fetched indicator types

URL

Companies that have any of the following issue types are fetched from SecurityScorecard, and their domains are stored in Netskope as URLs.

web_vuln_host_high

redirect_to_insecure_website

web_vuln_host_low

web_vuln_host_medium

local_file_path_exposed_via_url_scheme

communication_with_server_certificate_issued_by_blacklisted_country

communication_server_with_expired_cert

domain_missing_https_v2

links_to_insecure_website

uses_log4j

website_defacement

ransomware_association

alleged_breach_incident

ransomware_victim

adware_installation

adware_installation_trail

anonymous_proxy

attack_detected

malware_controller

malware_infection

malware_infection_trail

phishing

pva_installation

pva_installation_trail

exploited_product

ransomware_infection

ransomware_infection_trail

suspicious_traffic

threat_actor_hosting_infrastructure

tlscert_expired

tlscert_revoked

tlscert_self_signed

tlscert_excessive_expiration

tlscert_weak_signature

tlscert_no_revocation

product_uses_vulnerable_log4j

ssh_weak_protocol

ssh_weak_cipher

ssh_weak_mac

tls_weak_protocol

tls_weak_cipher

patching_cadence_high

service_vuln_host_high

patching_analysis_high

patching_cadence_low

service_vuln_host_low

patching_analysis_low

patching_cadence_medium

service_vuln_host_medium

patching_analysis_medium

patching_cadence_info

service_vuln_host_info

Workflow

  1. Get your SecurityScorecard API token.
  2. Configure the SecurityScorecard Plugin.
  3. Validate the SecurityScorecard Plugin.

Get your SecurityScorecard API Token

To generate an API token using a Bot User, follow the steps provided in this document. Store the API token with your secrets, as it appears only once.

  1. Log in to your SecurityScorecard platform.
  2. Click User Profile Menu in the top right corner.
  3. Click My Settings.
  4. Click API in the left menu bar.
  5. Click Generate new API Token, and then copy the token and store it in a safe location. The API token appears only once.

Configure the SecurityScorecard Plugin

  1. Log in to Cloud Exchange.
  2. Go to Settings > Plugins.
  3. Click on the SecurityScorecard plugin tile.
  4. Enter the Basic Information:
    • Configuration Name: Unique name for the plugin configuration.
    • Sync Interval: Interval at which data is fetched from the plugin source. The recommended interval is 24 hours.
    • Aging Criteria: Expiry time of the indicators in days. (Default: 90)
    • Override Reputation: Set a value to override the reputation of indicators received from this plugin configuration.
    • Enable SSL Validation: Enable SSL Certificate validation.
    • Use System Proxy: Enable if proxy is required for communication.
  5. Click Next.
  6. Enter the Configuration Parameters:
    • API Token: The API Token you got earlier.
    • Portfolios: Comma-separated names of the portfolios from which to pull indicators.
    • Company Grade Threshold: Company grade threshold filter (Options: A, B, C, D, F). IoCs will be generated for URLs with the specified SecurityScorecard grade and lower.
    • Severity: Only the tags of issues with the specified severity will be fetched (Options: Positive, Info, Low, Medium, High).
  7. Click Save.
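
How the Company Grade Threshold, Severity and Aging Criteria settings combine can be previewed offline. The following Python sketch is an added example, not the plugin's own code; the record layout, the function names and the sample domains, grades and severities are constructed for illustration, and Severity is assumed to accept several selected values.

```python
from datetime import datetime, timedelta, timezone

GRADES = ["A", "B", "C", "D", "F"]  # form options, best to worst

def grades_at_or_below(threshold):
    """Grades selected by a threshold: that grade and every worse one."""
    t = threshold.strip().upper()
    if t not in GRADES:
        raise ValueError(f"unknown grade: {threshold!r}")
    return set(GRADES[GRADES.index(t):])

def select_indicators(companies, threshold, severities, aging_days=90, now=None):
    """Preview which domains become URL indicators, with tags and expiry."""
    now = now or datetime.now(timezone.utc)
    allowed = grades_at_or_below(threshold)
    wanted = {s.strip().lower() for s in severities}
    selected = []
    for company in companies:
        if company["grade"].upper() not in allowed:
            continue  # better than the threshold: no IoC generated
        # Severity filters the tags, per the field description. Assumption: a
        # company left with no tags is kept (the page does not say either way).
        tags = sorted(i["type"] for i in company["issues"]
                      if i["severity"].lower() in wanted)
        selected.append({
            "url": company["domain"],
            "tags": tags,
            "expires_at": now + timedelta(days=aging_days),  # Aging Criteria
        })
    return selected

# Constructed sample data: domains, grades and per-issue severities are made up;
# only the issue type names come from the list on this page.
SAMPLE = [
    {"domain": "good.example", "grade": "A",
     "issues": [{"type": "tlscert_expired", "severity": "low"}]},
    {"domain": "mid.example", "grade": "C",
     "issues": [{"type": "tls_weak_cipher", "severity": "medium"},
                {"type": "patching_cadence_info", "severity": "info"}]},
    {"domain": "quiet.example", "grade": "D",
     "issues": [{"type": "tlscert_no_revocation", "severity": "low"}]},
    {"domain": "bad.example", "grade": "F",
     "issues": [{"type": "web_vuln_host_high", "severity": "high"},
                {"type": "malware_infection", "severity": "high"}]},
]

if __name__ == "__main__":
    for ioc in select_indicators(SAMPLE, "C", ["Medium", "High"]):
        print(ioc["url"], ioc["tags"], ioc["expires_at"].date())
```

With a threshold of C, companies graded A or B produce no indicators, so lowering the threshold toward F shrinks the resulting URL list.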

Configure Sharing for the SecurityScorecard Plugin

  1. In Threat Exchange, click Sharing and enter the following field values:
    • Source: Source plugin whose data you want to share.
    • Business rule: Select a business rule that you want to apply to IoCs.
    • Destination: Destination plugin where you want to push the data.
    • Target: Possible destination or action that uses the IoCs when the data is pushed.
  2. After saving the configuration, click Sync.
  3. Add the time period for which you want to share data, click Fetch, and then click Sync. Check All time to share all the data from the source plugin.

Validate the SecurityScorecard Plugin

Pulling of Indicators

  1. Indicators are pulled from SecurityScorecard based on the plugin configuration. Go to Threat Exchange > Threat IoCs to view the received IoCs.

Sharing of Indicators

  1. Verify that indicators are shared from Threat Exchange > Threat IoCs. Expand one of the source plugin's IoCs and check the status of the Shared with parameter.
  2. Log in to the Netskope UI. Go to Policies > Web > URL Lists and locate your URL list.
  3. Click on the list and verify the URLs.
  4. For more information, go to Logging in the left panel.