In this article, we will cover how to deploy Netskope Cloud Exchange, a platform that facilitates the sharing of information between your different security vendors.
What is Cloud Exchange?
Cloud Exchange (CE) is a platform that facilitates the exchange of information between your security and operations platforms.
What can Cloud Exchange do?
Cloud Exchange consists of 5 key modules. You don’t have to use every module, only the ones that make sense for the vendors in your current environment.
The Cloud Threat Exchange (CTE) module automates the sharing of threat indicators between security platforms in your environment.
The Cloud Ticket Orchestrator (CTO) module automatically creates tickets and notifications in third-party ITSM and collaboration systems (e.g. ServiceNow, JIRA, Slack) to streamline incident response.
The Cloud Risk Exchange (CRE) module facilitates normalization of both user and SaaS application risk scores between security vendors. CRE is divided into two sub-modules: User Risk Exchange (URE) and Application Risk Exchange (ARE).
The Cloud Log Shipper (CLS) module extracts the raw event, alert, and log data from your Netskope tenant, and streams it to one or more receivers, like Sentinel or Exabeam.
Deploying Cloud Exchange
Cloud Exchange is deployed as a series of Docker containers within your environment.
ℹ️ Heads Up!
Red Hat leverages Podman instead of Docker. Netskope has specific instructions for RHEL/Podman here.
You will need a system capable of running Docker and Docker Compose (or Podman).
Ubuntu 20.04 LTS and RHEL 7.9 & 8.0 are supported by Netskope.
The last configuration step is to pair your Netskope tenant with your Cloud Exchange deployment in order for data to be synchronized. Multiple tenants are supported.
Get an API Key
Log into your Netskope tenant and navigate to Settings > Tools > REST API v1.
Copy the API token displayed. If this is your first time using the API, you may need to generate a new one.
Add your Netskope Tenant(s) in Cloud Exchange
Navigate to Settings > Netskope Tenants and click the Add Tenant button.
Fill in the fields according to the table below:
Enter an easy-to-remember name for the tenant.
Enter the subdomain of your Netskope tenant: this is everything before .goskope.com in the URL of your Netskope tenant. E.g. for lightwave.eu.goskope.com, enter lightwave.eu.
V1 API Token: Enter the API token copied from your tenant.
V2 API Token: N/A, leave blank.
Number of days of historical data to sync with CE. 7 days is a good default.
Click Save to complete your configuration.
Verify the Netskope Tenant Configuration
Navigate to Logging in the bottom-left corner of the UI.
If your Netskope tenant was successfully added, you will start to see events synchronized.
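To make the tenant-pairing steps above less error-prone, the following added helper (not part of the original article or of Netskope's own tooling) derives the subdomain field from a tenant address using the ".goskope.com" rule from the table and assembles the Add Tenant fields, leaving the V2 token blank and refusing an empty name or V1 token. The function and field names are the author's assumptions, not the names Cloud Exchange uses internally.

```python
import re
from urllib.parse import urlparse

# Every Netskope tenant address ends in this suffix; the Add Tenant form wants
# only what precedes it (e.g. "lightwave.eu" for lightwave.eu.goskope.com).
GOSKOPE_SUFFIX = ".goskope.com"


def tenant_subdomain(tenant_url: str) -> str:
    """Return the part of a tenant address that precedes .goskope.com.

    Accepts a bare host or a full URL with scheme, port or path, and rejects
    anything that is not a goskope.com host so a typo fails before Save.
    """
    host = tenant_url.strip().lower()
    if "://" in host:
        host = urlparse(host).hostname or ""
    else:
        host = host.split("/", 1)[0].split(":", 1)[0]
    if not host.endswith(GOSKOPE_SUFFIX):
        raise ValueError(f"not a Netskope tenant host: {tenant_url!r}")
    sub = host[: -len(GOSKOPE_SUFFIX)]
    if not re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)*", sub):
        raise ValueError(f"invalid tenant subdomain: {sub!r}")
    return sub


def build_tenant_config(name: str, tenant_url: str, v1_token: str,
                        history_days: int = 7) -> dict:
    """Assemble the Add Tenant fields from the article's table (field names
    are this example's own). The V1 token is a credential for your tenant's
    event data: keep it out of logs and source control. V2 stays blank.
    """
    if not name.strip():
        raise ValueError("tenant name must not be empty")
    if not v1_token.strip():
        raise ValueError("V1 API token must not be empty")
    if int(history_days) < 1:
        raise ValueError("history_days must be a positive number of days")
    return {
        "name": name.strip(),
        "tenant": tenant_subdomain(tenant_url),
        "v1_api_token": v1_token.strip(),
        "v2_api_token": "",
        "history_days": int(history_days),
    }
```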
Cloud Exchange uses the concept of “plugins” to determine where to send data to and receive data from. Multiple inputs and outputs are supported.
Navigate to Settings > Plugins.
Here you will see a list of supported plugins, each tagged with the CE module it aligns to:
Cloud Threat Exchange (CTE): Synchronize threat intel, including IOCs, between vendors.
Cloud Risk Exchange (CRE): Synchronize risk scores between vendors.
Cloud Ticket Orchestrator (CTO): Automatically raise tickets and alerts in apps like Jira, ServiceNow, and Slack.
Cloud Log Shipper (CLS): Automatically pull and push logs to SIEM applications like Splunk and Sentinel.
Application Risk Exchange (ARE): Send Netskope SaaS app risk information to other security vendors.
To start, configure the Netskope plugins for the modules you wish to use. For example, if you wish to share IOCs between Netskope and CrowdStrike, configure both the Netskope CTE and the CrowdStrike CTE plugins.
A vendor may have multiple plugins depending on the CE modules it supports. For example, CrowdStrike has both CTE and CRE plugins for sharing both threat and risk intel.
Where to from here? It’s time to start exploring the different plugins across each of the Cloud Exchange modules.