In this article, we will cover how to deploy Netskope Cloud Exchange, a platform that shares information (such as IOCs, risk scores, and logs) between the different security vendors in your environment, reducing operational overhead.
What is Cloud Exchange?
Cloud Exchange (CE) is a platform that facilitates the exchange of information between your various security and operations platforms.
What can Cloud Exchange do?
Four modules make up the Cloud Exchange platform, each with a particular area of focus. You don’t have to use every module, only the ones that make sense for the vendors in your current environment.
The Cloud Threat Exchange (CTE) module is designed to streamline and automate the sharing of threat indicators between security platforms in use in your environment, to reduce the likelihood of a successful attack.
For incidents and alerts generated in the Netskope platform, the Cloud Ticket Orchestrator (CTO) module automatically creates tickets and/or notifications in third-party ITSM and collaboration systems (such as ServiceNow, JIRA, and Slack) to streamline incident response.
The Cloud Risk Exchange (CRE) module takes the risk scores generated by other security platforms (like Crowdstrike) and factors them into the Netskope Risk Score generated for each user as part of Behavioral Analytics.
The Cloud Log Shipper (CLS) module extracts the raw event, alert, and log data from your Netskope tenant and streams it to one or more receivers, such as a SIEM (Splunk, Sentinel, Exabeam, and so on).
Deploying Cloud Exchange
Cloud Exchange is deployed as a series of Docker containers within your environment, so any system that can run Docker can also run Cloud Exchange.
This guide will focus on using Ubuntu 20.04 LTS as the host OS, but in an enterprise environment, you may also wish to use Red Hat Enterprise Linux (RHEL).
You will need the following to install Cloud Exchange:
A Linux system capable of running Docker and Docker Compose. We recommend Ubuntu 20.04 LTS.
A virtual machine with the following minimum config:
mkdir netskope && cd netskope
git clone https://github.com/netskopeoss/ta_cloud_exchange
The scripts in this repository will pull the containers from Docker Hub and perform the initial setup of Cloud Exchange.
Secure Cloud Exchange with an SSL Certificate
When you run the setup script in the next step, you will be prompted to create a self-signed SSL certificate.
The SSL certificate matters because it secures the communication between your browser and the Cloud Exchange web UI. You have two options for securing the UI with an SSL certificate:
Use the self-signed certificate generated by the setup script.
BYO SSL Certificate
Option 1 is the easiest, but your browser will display an untrusted-certificate warning until you trust the host.
To bring your own certificate, type y at the SSL prompt when you run the setup script in the section below. When the setup completes, and BEFORE starting Cloud Exchange, overwrite the self-signed certificate files generated under data/ssl_certs/ with your own certificate and private key:
nathan1@ce:~/netskope/ta_cloud_exchange$ ls data/ssl_certs/
cte_cert.crt cte_cert_key.key seed
WARNING: Ensure that you rename your certificate and private key to cte_cert.crt and cte_cert_key.key respectively, or your certificate will not be used!
Installing Cloud Exchange
Install Cloud Exchange:
Type y to create a self-signed SSL certificate
Enter 443 when prompted for a port.
For security reasons, do not accept the default JWT_SECRET (secret): type your own value, e.g. netskopeiscool
nathan1@ce:~/netskope/ta_cloud_exchange$ sudo ./setup
Setting permission for data/mongo-data folder...
Setting permission for data/custom_plugins folder...
Do you want to create self signed certificate? y
Generating self signed certificate...
writing new private key to 'data/ssl_certs/cte_cert_key.key'
Type in 'yes' to opt-in for beta.
> Enter BETA_OPT_IN (Default: "No"):
> Enter UI_PORT (Default: "80"): 443
> Enter JWT_SECRET (Default: "secret"): netskopeiscool
Setup completed successfully.
You can change your selected values at any time by running the setup.
REMINDER: If you plan to use your own SSL certificate, be sure that you overwrite the current private and public keys under data/ssl_certs/ BEFORE continuing!
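Before launching Cloud Exchange, it is worth confirming that the files you dropped into data/ssl_certs/ are the ones CE will actually load. The check below is an added example (not part of the Netskope project or the original article); it assumes openssl is installed and that, as stated above, CE reads exactly cte_cert.crt and cte_cert_key.key from that directory.

```shell
#!/usr/bin/env bash
# Added example: sanity-check a bring-your-own certificate placed in data/ssl_certs/.
# Assumes openssl is on PATH and that Cloud Exchange loads exactly these two
# filenames from the directory (per the article's WARNING).
check_ce_certs() {
  local dir="$1"
  local cert="$dir/cte_cert.crt" key="$dir/cte_cert_key.key"

  # 1. Exact filenames, or the setup script's self-signed pair keeps being used.
  [ -f "$cert" ] || { echo "FAIL: $cert missing (rename your certificate to cte_cert.crt)"; return 1; }
  [ -f "$key" ]  || { echo "FAIL: $key missing (rename your private key to cte_cert_key.key)"; return 1; }

  # 2. Both files must parse as PEM; an empty passphrase rejects encrypted keys
  #    instead of hanging at an interactive prompt.
  openssl x509 -noout -in "$cert" 2>/dev/null \
    || { echo "FAIL: $cert is not a PEM certificate"; return 1; }
  openssl pkey -noout -passin pass: -in "$key" 2>/dev/null \
    || { echo "FAIL: $key is not an unencrypted PEM private key"; return 1; }

  # 3. The private key must belong to the certificate: derive the public key
  #    from each and compare.
  local cert_pub key_pub
  cert_pub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null)
  key_pub=$(openssl pkey -pubout -passin pass: -in "$key" 2>/dev/null)
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "FAIL: cte_cert_key.key does not match cte_cert.crt"; return 1; }

  # 4. Validity: expired is a failure, less than 30 days left is a warning.
  openssl x509 -noout -checkend 0 -in "$cert" >/dev/null 2>&1 \
    || { echo "FAIL: certificate has expired"; return 1; }
  openssl x509 -noout -checkend 2592000 -in "$cert" >/dev/null 2>&1 \
    || echo "WARN: certificate expires within 30 days"

  # 5. A self-signed cert is accepted by CE but still triggers the browser warning.
  local subj iss
  subj=$(openssl x509 -noout -subject -in "$cert" 2>/dev/null); subj=${subj#subject=}
  iss=$(openssl x509 -noout -issuer -in "$cert" 2>/dev/null);   iss=${iss#issuer=}
  [ "$subj" != "$iss" ] \
    || echo "WARN: certificate is self-signed; browsers will show an untrusted-certificate warning"

  echo "OK: matching certificate and key for $subj"
  return 0
}

# Run it against your checkout, e.g.:
# check_ce_certs ~/netskope/ta_cloud_exchange/data/ssl_certs
```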
Launching Cloud Exchange
To start Cloud Exchange:
To stop Cloud Exchange:
On first run, the CE containers will be pulled from Docker Hub:
When complete, you will be able to access the Cloud Exchange UI in your browser:
https://<host ip address>
If you can’t access the UI, make sure that any host firewall (e.g. ufw) and/or cloud Network Security Group (NSG) permits TCP port 443 inbound to the host IP address. Keep that inbound exposure local (your internal networks only): we do not recommend exposing Cloud Exchange to the internet.
If you want to be able to access CE from a domain name, you can create a CNAME record in your DNS or hosting provider pointing towards the IP address of your Cloud Exchange host.
Configure Cloud Exchange
Now that you have deployed Cloud Exchange, we need to perform some initial configuration steps.
Logging into Cloud Exchange
The default username and password for the Cloud Exchange Super Administrator is admin/admin; change this password as soon as you log in.
Enabling Cloud Exchange Modules & Updates
Once you are logged in, CE will place you into the Settings > General menu.
You should enable all four CE modules under the General tab. Only the Super Administrator (the admin user) can turn these modules on or off; regular admins cannot even see the settings to enable or disable them.
Under System Updates, toggle ON Periodically check for updates.
(Optional) Setting a Proxy
If you require Cloud Exchange to communicate through a proxy, you can configure this on the Proxy tab under Settings > General.
Adding Users & Configuring SSO
By default, Cloud Exchange uses a local login mechanism where users sign into CE directly.
User management is located under Settings > Users.
To create a user, click the plus button on the top right-hand side of the Users table.
There are two roles available for assignment: Admin and Read-Only. Currently, it is not possible to create additional roles in CE.
The Super Administrator role is only assigned to the default admin user. Only the default admin user can add/remove users, add/remove CE modules, and change CE module-specific config.
To configure Single Sign-On, click the SSO tab under Settings > Users and enable the SSO checkbox.
The last configuration step is to pair your Netskope tenant with your Cloud Exchange deployment in order for data to be synchronized. Multiple tenants are supported.
Get an API Key
You will need to get an API key from within your Netskope tenant. For this guide, we will use API v1.
Log into your Netskope tenant and navigate to Settings (bottom-left corner) > Tools > REST API v1.
Copy the API token displayed. If this is your first time using the API, you may need to generate a new one.
Add your Netskope Tenant(s) in Cloud Exchange
Navigate to Settings > Netskope Tenants and click the Add Tenant button.
Fill in the fields as follows:
Tenant name: enter an easy-to-remember name for the tenant.
Tenant subdomain: enter the subdomain of your Netskope tenant, i.e. everything before .goskope.com in the URL of your tenant. For example, for lightwave.goskope.com enter lightwave; for lightwave.eu.goskope.com enter lightwave.eu.
V1 API Token: enter the API token copied from your tenant.
V2 API Token: not used in this guide; leave blank.
Historical data: the number of days of historical data to sync with CE. 7 days is a good default.
Click Save to complete your configuration.
Verify the Netskope Tenant Configuration
Navigate to Logging in the bottom-left corner of the UI.
If your Netskope tenant was successfully added, you will start to see events synchronized.
Configure Your Plugins
Cloud Exchange uses the concept of “plugins” to determine where data is sent to and received from.
You can have multiple inputs and multiple outputs: naturally, you will want to sync data to and from your Netskope tenant(s) in addition to your other vendors.
Navigate to Settings > Plugins.
Here you will see a list of supported plugins, each tagged with the CE module it belongs to:
CTE: Cloud Threat Exchange. Synchronize threat intel, including IOCs, between vendors.
CRE: Cloud Risk Exchange. Synchronize risk scores between vendors.
CTO: Cloud Ticket Orchestrator. Automatically raise tickets and alerts in apps like Jira, ServiceNow, and Slack.
CLS: Cloud Log Shipper. Automatically pull and push logs to SIEM and data lake applications like Splunk and Sentinel.
To start, configure the Netskope plugins for the modules you wish to use. For example, if you wish to share IOCs between Netskope and Crowdstrike, configure both the Netskope CTE and the Crowdstrike CTE plugins.
A vendor may have multiple plugins, one per CE module it supports. For example, Crowdstrike has both CTE and CRE plugins, for sharing threat intel and risk scores respectively.
Congratulations! You’ve just deployed Cloud Exchange! Where to from here? It’s time to start exploring the different plugins across each of the Cloud Exchange modules.