In September 2023, the Sekoia.io team embarked on a new intake development to integrate Zscaler ZIA logs into our SOC platform. After implementing Zscaler integration with a wide range of supported logs, events, and related built-in rules, our team shifted the focus to a new playbook for streamlining incident response processes. Since this playbook to disseminate Cyber Threat Intelligence and block threats is on the horizon, we want to guide you through the Zscaler integration.
Zscaler is a cloud-based Zero Trust platform that securely connects users, devices, and applications over the internet. It operates as a Security-as-a-Service model and helps businesses move from traditional hardware-based castle-and-moat security to a modern and scalable Zero Trust security architecture delivered via the largest security cloud in the world. The concept of Zero Trust is integral to today’s security landscape as it operates on the principle of least-privilege access.
Additionally, Zscaler’s SSL inspection capability acts as a critical line of defense: it allows organizations to decrypt and inspect all web traffic, uncovering potential threats that may be hiding within SSL/TLS connections and thereby ensuring comprehensive security across the network.
Our team concluded that by integrating Zscaler with Sekoia.io, we can equip organizations with comprehensive visibility, streamlined incident response, and robust security controls that are essential for protecting against the evolving threat landscape. However, acting as a cyber control tower and enforcing a Zero Trust security posture required much effort. Initially, we needed to ensure that sending Zscaler events to Sekoia.io was as simple as possible.
Sending Zscaler events to Sekoia.io through NSS
Logs are detailed records of user transactions within the Zscaler cloud. They provide insights into web traffic, cloud application usage, security threats, and compliance data.
Forwarding Zscaler events can be configured through NSS or Cloud NSS feeds. As a prerequisite, you need an internal log concentrator to apply the NSS feed.
Alternatively, you may use a Cloud NSS feed with a suitable license. You don’t need an internal concentrator for a Cloud NSS feed.
See our public documentation to find out how to send Zscaler’s events to Sekoia.io.
Enhanced capabilities with Sekoia.io’s detection engines
Integrating Zscaler logs into Sekoia.io significantly enhances detection capabilities. The analysis is then conducted with a behavioral detection engine (based on Sigma pattern detection), an anomaly detection engine (based on Machine Learning), and threat detection leveraging our Cyber Threat Intelligence database of more than 6 million IoCs. Each engine improves detection on Zscaler’s events, with more than 750 rules available:
- Behavioral detection engine accurately detects complex threat patterns and suspicious behaviors in network traffic. The engine leverages Sigma standard rule language and Sigma Correlation to correlate logs. New Sigma rules are constantly developed in response to evolving threats, leveraging the latest insights from Zscaler’s logs. These rules can be used across different types of log data, making Sigma particularly effective in environments where diverse data sources are integrated, such as the logs from Zscaler.
- Anomaly detection engine uses ML to analyze patterns in the extensive log data, identifying deviations that may indicate a security threat, leading to early and accurate threat detection.
- CTI detection engine complements the indicators integrated natively in Zscaler ZIA and equips you with an automatic retro-hunt for each new IoC (an alert is raised if the new IoC has been seen in your past events).
The integration of Zscaler logs provides the necessary data richness to fuel Sekoia.io’s advanced detection mechanisms. This integration leads to a significantly improved security posture, with an enhanced ability to detect, analyze, and respond to sophisticated cyber threats.
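To make the retro-hunt idea concrete, here is an added example (not Sekoia.io’s engine and not Zscaler code) of the matching step: past web-proxy events are indexed by source/destination IP, by hostname (including each parent domain, so a domain IoC also matches its subdomains) and by normalized URL, and every newly received IoC is looked up against that index. The event field names (`src_ip`, `dest_ip`, `url`), the sample events and the sample indicators are constructed for illustration.

```python
"""Retro-hunt a new IoC against past events (added example, constructed data)."""
from collections import defaultdict
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed web-proxy style events; real Zscaler field names will differ.
PAST_EVENTS = [
    {"ts": "2024-01-10T08:01:00Z", "src_ip": "10.0.0.5", "dest_ip": "198.51.100.23",
     "url": "http://cdn.malicious.example/payload.bin"},
    {"ts": "2024-01-11T09:15:00Z", "src_ip": "10.0.0.9", "dest_ip": "203.0.113.7",
     "url": "https://login.example.com/"},
    {"ts": "2024-01-12T12:30:00Z", "src_ip": "10.0.0.5", "dest_ip": "192.0.2.10",
     "url": "http://bad.example/login?user=a"},
]


def classify(ioc: str) -> str:
    """Return 'ip', 'url' or 'domain' for an indicator string."""
    try:
        ip_address(ioc)
        return "ip"
    except ValueError:
        pass
    return "url" if "://" in ioc else "domain"


def normalize_url(url: str) -> str:
    """Canonical form used for URL matching: scheme + lowercase host + path.

    The query string and port are deliberately dropped so that a URL IoC matches
    the same resource fetched with different parameters.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    return f"{parts.scheme.lower()}://{host}{parts.path or '/'}"


class RetroHuntIndex:
    """Inverted index over past events, keyed by IP, hostname and URL."""

    def __init__(self, events):
        self.by_ip = defaultdict(list)
        self.by_host = defaultdict(list)
        self.by_url = defaultdict(list)
        for ev in events:
            for field in ("src_ip", "dest_ip"):
                if ev.get(field):
                    self.by_ip[ev[field]].append(ev)
            if ev.get("url"):
                host = (urlsplit(ev["url"]).hostname or "").lower()
                labels = host.split(".")
                # Index the host and every parent domain (but not the bare TLD),
                # so the IoC "malicious.example" also hits "cdn.malicious.example".
                for i in range(len(labels) - 1):
                    self.by_host[".".join(labels[i:])].append(ev)
                self.by_url[normalize_url(ev["url"])].append(ev)

    def hunt(self, ioc: str):
        """Return (ioc_type, matching_events) for one new indicator."""
        kind = classify(ioc)
        if kind == "ip":
            hits = self.by_ip.get(ioc, [])
        elif kind == "url":
            hits = self.by_url.get(normalize_url(ioc), [])
        else:
            hits = self.by_host.get(ioc.lower().rstrip("."), [])
        return kind, list(hits)


def retro_hunt_alerts(index: RetroHuntIndex, new_iocs):
    """Build one alert per new IoC that has already been observed."""
    alerts = []
    for ioc in new_iocs:
        kind, hits = index.hunt(ioc)
        if hits:
            stamps = sorted(ev["ts"] for ev in hits)
            alerts.append({"ioc": ioc, "type": kind, "hits": len(hits),
                           "first_seen": stamps[0], "last_seen": stamps[-1]})
    return alerts


if __name__ == "__main__":
    idx = RetroHuntIndex(PAST_EVENTS)
    # Constructed indicators, as they might arrive from a CTI feed.
    for alert in retro_hunt_alerts(idx, ["malicious.example", "198.51.100.23",
                                         "http://bad.example/login", "evil.example"]):
        print(alert)
```

Parent-domain indexing is what lets a domain indicator catch traffic to arbitrary subdomains; the trade-off is that an indicator on a shared hosting domain will match every tenant, which is one reason IoCs are scored and filtered before they are acted on.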
Disseminate Sekoia.io’s Indicators of Compromise to proactively block threats
Sekoia.io provides the Zscaler Cloud Platform with detailed and verified intelligence on cyber threats. This includes information on suspicious domains, IP addresses, and URLs actively used in real-world cyber-attacks. Sekoia.io identifies and confirms these threat indicators and can then automatically transfer them to Zscaler. This facilitates a smooth integration and allows you to continuously enforce security policies and safeguard users, regardless of whether they are connected to the corporate network.
The Sekoia.io team is currently developing playbook actions to automate this dissemination based on the platform’s automation capabilities. We plan to enable users to:
- Block an IP/domain/URL in Zscaler upon its detection in the platform triggered by an alert.
- Remove an IP/domain/URL from the blacklist in Zscaler.
The 25k IoC limit imposed by the Zscaler API means the platform cannot push all of its active IoCs, so they must be filtered.
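The filtering step the post describes is a capacity-bound synchronization problem: rank the active indicators, keep the top N that fit under the cap, and compute the additions and removals needed to bring the deployed blacklist in line. The following is an added example (not Sekoia.io’s playbook code and not the Zscaler API) of that selection and delta computation. The 25k cap is the figure given in the post; the scoring fields (`confidence`, `last_seen`, `revoked`), the decay window and the sample indicators are constructed assumptions, and the actual HTTP calls to Zscaler are left out.

```python
"""Select IoCs for a capacity-limited blacklist and compute the add/remove delta.

Added example with constructed data; not Sekoia.io or Zscaler code.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ZSCALER_BLOCKLIST_CAP = 25_000  # limit stated in the post


@dataclass(frozen=True)
class Indicator:
    value: str           # IP, domain or URL
    ioc_type: str        # "ipv4" | "domain" | "url"
    confidence: int      # 0-100, constructed scoring field
    last_seen: datetime  # last observation of the indicator
    revoked: bool = False


def score(ioc: Indicator, now: datetime) -> float:
    """Rank indicators: confidence dominates, recent sightings break ties.

    Recency decays linearly to zero over 90 days (assumption).
    """
    age_days = max(0.0, (now - ioc.last_seen).total_seconds() / 86400)
    recency = max(0.0, 1.0 - age_days / 90.0)
    return ioc.confidence + 20 * recency


def select_for_blocklist(indicators, now, cap=ZSCALER_BLOCKLIST_CAP,
                         min_confidence=70, max_age_days=90):
    """Return the indicator values that should be deployed, best first, under the cap."""
    eligible = [
        i for i in indicators
        if not i.revoked
        and i.confidence >= min_confidence
        and (now - i.last_seen) <= timedelta(days=max_age_days)
    ]
    eligible.sort(key=lambda i: score(i, now), reverse=True)
    return [i.value for i in eligible[:cap]]


def plan_sync(desired, deployed):
    """Return (to_add, to_remove) so that the deployed list becomes the desired one.

    Both lists are sorted so the resulting playbook actions are deterministic.
    """
    desired_set, deployed_set = set(desired), set(deployed)
    return sorted(desired_set - deployed_set), sorted(deployed_set - desired_set)


NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)

# Constructed indicators covering the cases the filter must handle.
SAMPLE_INDICATORS = [
    Indicator("198.51.100.23", "ipv4", 95, NOW - timedelta(days=2)),
    Indicator("malicious.example", "domain", 90, NOW - timedelta(days=10)),
    Indicator("http://bad.example/login", "url", 80, NOW - timedelta(days=1)),
    Indicator("stale.example", "domain", 99, NOW - timedelta(days=200)),   # too old
    Indicator("low.example", "domain", 40, NOW - timedelta(days=1)),       # low confidence
    Indicator("revoked.example", "domain", 95, NOW - timedelta(days=1), revoked=True),
    Indicator("203.0.113.7", "ipv4", 75, NOW - timedelta(days=30)),
]

# Constructed view of what is currently deployed on the Zscaler side.
CURRENTLY_DEPLOYED = ["malicious.example", "old-block.example"]


def demo(cap=3):
    """Run the selection with a small cap and return the resulting sync plan."""
    desired = select_for_blocklist(SAMPLE_INDICATORS, NOW, cap=cap)
    return desired, plan_sync(desired, CURRENTLY_DEPLOYED)


if __name__ == "__main__":
    desired, (to_add, to_remove) = demo()
    print("deploy:", desired)
    print("add:", to_add)
    print("remove:", to_remove)
```

The removal list matters as much as the additions: an indicator that has aged out or been revoked should leave the blacklist, otherwise the cap fills with stale entries and fresh high-confidence IoCs can no longer be pushed.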
Control all the power of Zscaler through its API from Sekoia.io
When integrated with Sekoia.io and its playbooks, Zscaler’s API offers a versatile and powerful toolkit for cybersecurity operations. This integration allows users to automate various actions and streamline security workflows. For example, users can update security policies and manage access controls using Sekoia.io’s “HTTP request URL” module.
Automation and centralization are not only limited to Zscaler but can also be extended to other technologies. By leveraging the “HTTP request URL” module, users can trigger custom scripts, modify network configurations, or even integrate with other security solutions to enhance overall security posture.
This integration highlights the capability of Sekoia.io to centralize actions and manage multiple security platforms efficiently, thereby reducing response times and increasing operational efficiency in the face of evolving cyber threats.
For more details, see the Zscaler and Sekoia.io solution brief.