Democratizing security intelligence with Forcepoint Dynamic Intelligence Manager

Mattia Maggioli, Senior Manager, Software engineering, at Forcepoint Innovation Labs , elaborates on democratizing security intelligence with Forcepoint Dynamic Intelligence Manager. This blog also announces the launch of their new product.

Arecent survey of cybersecurity and IT professionals uncovered that 78% of organizations use more than 50 different cybersecurity products to address their security goals and protect their resources. Within a few days another survey further highlighted that 86% of organizations rely on up to 20 security vendors. I’m not going to debate if these numbers are too big or just right: every company has a different security posture, a different perception of risk and a unique perimeter made of on-premise and cloud services.

The problem with an ever-growing array of security products and vendors: despite the numerous standards currently available in modern cybersecurity, security findings identified by one product are typically not available across all products, and findings are even less likely exchangeable across solutions from different vendors. This is why organizations buy SIEM tools to receive, aggregate and correlate findings and alerts.

As a result, organizations end up building small ecosystems of great point products that could deliver better protection if only security insights identified by each product were shared automatically and in a timely fashion across all components securing the different layers of the technology stack.

More importantly, it should be possible for developers within the organization to plug into this intelligence stream by integrating further sources, automating the exchange of intelligence with third party products. Ideally this should be done with a clean set of APIs that provides the ability to ingest/export data and perform queries and lookups against the entire intelligence vault.

To help address all these issues, Forcepoint has developed a free and open-source product to help the developer community increase security efficacy of their organizations.

Dynamic Intelligence Manager
Forcepoint Dynamic Intelligence Manager (DIM) is a modular solution that provides automated ingestion of security findings from multiple heterogenous sources and automated export to multiple heterogenous destinations, so that organizations can easily leverage a varied selection of intelligence and make it available across formats and products to their security devices and applications.

In the first release, DIM handles the following elements:

  • IPv4 addresses, single entries and entire ranges.
  • Domain names, wildcard supported (e.g. *.badsite.com)
  • URLs

And it provides several default modules that customers can use to import security intelligence from:

  • any custom source over the network (CSV, TXT formats) or uploading files locally in air-gapped scenarios
  • any TAXII feed serving intelligence in the STIX format (2.0)
  • Amazon GuardDuty

The entire list of elements stored into DIM is made available to:

  • Forcepoint Secure Web Gateway, to protect all users across the organization against web-based threats
  • Forcepoint Next Generation Firewall, to secure the network traffic of users, devices and workloads either on-premise or across cloud providers
  • any 3rd party product, using the DIM Lookup module which provides a secure API endpoint to check against DIM if a given element is known

Let’s look at the cool features!
Dynamic Inteligence Manager was built with modern organizations in mind: it does the job automatically, with minimal resources, in a completely transparent way and with the ability to scale without the usual mix of updates and upgrades.

First of all, DIM runs on any docker host (with just 2GB RAM and 2 vCPU) taking installation complexity out of the equation. The docker image is provided free of charge, with no registration necessary and it’s only 70 MB in size! If you were to use it 24×7 for an entire year on AWS (using an EC2 micro instance) the TCO would only be around $50.

All modules are installed using the UI of DIM itself: you click on the “Marketplace” tab and click to install the module. In a few instants a container for the module is deployed and the module is available for configuration: after that the module is ready to go and will keep working at recurring intervals as set by the user. Anytime Forcepoint creates new modules, they show up automatically in the Marketplace: you don’t need to go through updates and upgrade to add new functionalities.

But did I not mention how DIM is developer friendly? Developers can build custom modules simply following the public DIM documentation. DIM is language agnostic and modules can be written in any language as long as they abide to the API contracts. All modules developed by Forcepoint are written in Go or Python, due to ease of development, performance and reusability and then built into docker images for portability.

Organizations with extremely tight security policies might want to look under the hood before running a new tool in their infrastructure. No problem! Source code of all modules used by DIM is publicly available inside Forcepoint’s GitHub and can be inspected before DIM is deployed. Furthermore, DIM is licensed with an Apache 2.0 license, which allows developers to build on top of our work. More importantly: there is no tracking or telemetry in place so your intelligence and the use you make of it stays private.

Last, if you have been using something similar in the past, you might have witnessed false positives triggered by automated tools that went a bit too far. DIM comes with a Safelist feature which enables users to define known safe elements (e.g. your corporate domains, public IPs of your workloads and resources across geographical locations) and elements in the Safelist will be filtered out before the export takes place, so that no downward product will ever receive false positives.

What’s Next
Forcepoint is actively developing Dynamic Intelligence Manager, so that new intelligence types and modules can be available to users to further enhance their intelligence vault built on DIM. For example, we are working to ingest, store and export SNORT signatures and SHA256 file hashes with the same ease of use currently available for all other intelligence types.

In the meantime, if you want to learn more and try Dynamic Intelligence Manager in your organization, use the following links:

  • Dynamic Intelligence Manager – Product Information
  • Dynamic Intelligence Manager – Documentation on GitHub.io
  • Dynamic Intelligence Manager – Source code repos