SecurityScorecard Plugin for Threat Exchange
This document explains how to configure the SecurityScorecard integration with the Threat Exchange module of the Netskope Cloud Exchange platform. This integration allows for the pulling of domains from SecurityScorecard as URLs into Netskope.
Prerequisites
To complete this configuration, you need:
- A Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
- A Secure Web Gateway subscription, for URL sharing.
- A Netskope Cloud Exchange tenant with the Threat Exchange module already configured.
- A SecurityScorecard license (Pro, Business, or Enterprise).
- Connectivity to the following host: https://platform.securityscorecard.io/
SecurityScorecard Plugin Support
Fetched indicator types: URL

Companies that have any of the following issues are fetched from SecurityScorecard, and their domains are stored in Netskope as URLs:
- web_vuln_host_high
- redirect_to_insecure_website
- web_vuln_host_low
- web_vuln_host_medium
- local_file_path_exposed_via_url_scheme
- communication_with_server_certificate_issued_by_blacklisted_country
- communication_server_with_expired_cert
- domain_missing_https_v2
- links_to_insecure_website
- uses_log4j
- website_defacement
- ransomware_association
- alleged_breach_incident
- ransomware_victim
- adware_installation
- adware_installation_trail
- anonymous_proxy
- attack_detected
- malware_controller
- malware_infection
- malware_infection_trail
- phishing
- pva_installation
- pva_installation_trail
- exploited_product
- ransomware_infection
- ransomware_infection_trail
- suspicious_traffic
- threat_actor_hosting_infrastructure
- tlscert_expired
- tlscert_revoked
- tlscert_self_signed
- tlscert_excessive_expiration
- tlscert_weak_signature
- tlscert_no_revocation
- product_uses_vulnerable_log4j
- ssh_weak_protocol
- ssh_weak_cipher
- ssh_weak_mac
- tls_weak_protocol
- tls_weak_cipher
- patching_cadence_high
- service_vuln_host_high
- patching_analysis_high
- patching_cadence_low
- service_vuln_host_low
- patching_analysis_low
- patching_cadence_medium
- service_vuln_host_medium
- patching_analysis_medium
- patching_cadence_info
- service_vuln_host_info
Workflow
- Get your SecurityScorecard API token.
- Configure the SecurityScorecard Plugin.
- Validate the SecurityScorecard Plugin.
Get your SecurityScorecard API Token
To generate an API token using a Bot User, follow the steps provided in this document. Store the API token in your secrets store, because it is shown only once.
- Log in to your SecurityScorecard platform.
- Click User Profile Menu in the top right corner.
- Click My Settings.
- Click API in the left menu bar.
- Click Generate new API Token, then copy the token and store it in a safe location. The API token is shown only once.
Configure the SecurityScorecard Plugin
- Log in to Cloud Exchange.
- Go to Settings > Plugins.
- Click on the SecurityScorecard plugin tile.
- Enter the Basic Information:
- Configuration Name: Unique name for the plugin configuration.
- Sync Interval: Interval at which data is fetched from the plugin source. The recommended value is 24 hours.
- Aging Criteria: Expiry time of the indicators in days. (Default: 90)
- Override Reputation: Set a value to override the reputation of indicators received from this plugin configuration.
- Enable SSL Validation: Enable SSL Certificate validation.
- Use System Proxy: Enable if proxy is required for communication.
- Click Next.
- Enter the Configuration Parameters:
- API Token: The API Token you got earlier.
- Portfolios: Comma-separated names of the portfolios from which indicators are pulled.
- Company Grade Threshold: Company grade threshold filter (Options: A, B, C, D, F). IoCs are generated for URLs (company domains) with the specified SecurityScorecard grade or lower.
- Severity: Only issue tags for the specified severities are fetched (Options: Positive, Info, Low, Medium, High).
- Click Save.
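The grade threshold, severity and issue-type filters described above, modelled in Python as an added example (this is not the plugin's own code): the record layout and field names are assumptions, and the sample records are constructed.

```python
# Added illustration of the plugin's filtering rules (not the plugin's own code).
# Input records are constructed; the real SecurityScorecard API schema is not modelled.
from datetime import datetime, timedelta, timezone

# "Company Grade Threshold" keeps the chosen grade and every lower grade.
GRADES = ["A", "B", "C", "D", "F"]
# Subset of the issue types the plugin fetches (full list in the support section).
SUPPORTED_ISSUES = {"tls_weak_cipher", "malware_infection", "tlscert_expired", "phishing"}

# Constructed sample: one record per (company domain, issue type).
SAMPLE_RECORDS = [
    {"domain": "example-a.test", "grade": "A", "issue": "tls_weak_cipher", "severity": "Medium"},
    {"domain": "example-c.test", "grade": "C", "issue": "malware_infection", "severity": "High"},
    {"domain": "example-d.test", "grade": "D", "issue": "tlscert_expired", "severity": "Low"},
    {"domain": "example-f.test", "grade": "F", "issue": "phishing", "severity": "High"},
    {"domain": "example-f.test", "grade": "F", "issue": "unknown_issue", "severity": "High"},
]


def grade_at_or_below(grade, threshold):
    """True when grade is the threshold grade or a lower one (A is best, F worst)."""
    return GRADES.index(grade) >= GRADES.index(threshold)


def build_indicators(records, grade_threshold, severities, aging_days=90,
                     override_reputation=None, now=None):
    """Apply the plugin's filters and return one URL indicator per company domain.

    Issue types become tags; 'expires' models the Aging Criteria; an optional
    Override Reputation value replaces the reputation on every indicator.
    """
    now = now or datetime.now(timezone.utc)
    wanted = {s.lower() for s in severities}
    indicators = {}
    for rec in records:
        if rec["issue"] not in SUPPORTED_ISSUES:
            continue  # not an issue type the plugin fetches
        if not grade_at_or_below(rec["grade"], grade_threshold):
            continue  # company grade is better than the threshold
        if rec["severity"].lower() not in wanted:
            continue  # severity not selected in the configuration
        ind = indicators.setdefault(rec["domain"], {
            "type": "url", "value": rec["domain"], "tags": set(),
            "expires": now + timedelta(days=aging_days),
        })
        ind["tags"].add(rec["issue"])
        if override_reputation is not None:
            ind["reputation"] = override_reputation
    return list(indicators.values())
```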
Configure Sharing for the SecurityScorecard Plugin
- In Threat Exchange, click Sharing and enter the following field values:
- Source: The source plugin whose data you want to share.
- Business rule: Select a business rule that you want to apply to IoCs.
- Destination: Destination plugin where you want to push the data.
- Target: The destination or action that uses the IoCs when the data is pushed.
- After saving the configuration, click Sync.
- Add the time period for which you want to share data, click Fetch, and then click Sync. Check All time to share all data from the source plugin.
Validate the SecurityScorecard Plugin
Pulling of Indicators
- Based on the plugin configuration, indicators are pulled from SecurityScorecard. Go to Threat Exchange > Threat IoCs to view the received IoCs.
Sharing of Indicators
- Verify the shared indicators under Threat Exchange > Threat IoCs. Expand one of the source plugin's IoCs and check the status of the Shared with parameter.
- Log in to the Netskope UI. Go to Policies > Web > URL Lists and locate your URL list.
- Click on the list and verify the URLs.
- For more information, go to Logging in the left panel.