Integrating SecurityIQ With Endpoint Protection Systems

It’s surprisingly easy to integrate SecurityIQ with your existing protection systems. Some systems already have turnkeys built for them, while most others can be integrated with a little simple code.

Symantec Endpoint Protection Cloud (SEPC)

SecurityIQ already provides a turnkey integration for Symantec Endpoint Protection Cloud (SEPC) that runs on all modern Microsoft Windows environments. It’s built with PowerShell and open source. You can find out more about integrating SEPC with SecurityIQ here.

Writing Your Own Integration

If you are not currently using an endpoint-protection vendor that we have a built-in integration with, you can still use our REST API to accomplish the same functionality.

Before you begin, there are three prerequisites that need to be met:

  1. Request an API token from your account manager or customer support
  2. Make sure your endpoint protection software provides programmatic access to security events, including the email address of the end user (learner)
  3. Pick your favorite programming or scripting language

This write-up covers version 1.0 of the SecurityIQ API, the documentation for which can be found here.

The basic architecture of this integration is very simple. Your code will periodically query the endpoint protection software for new security events and, when new events are found, use the SecurityIQ API to enroll the affected learners into the appropriate Just-in-Time Awareness Campaigns. This flow can be broken down into individual API calls:

Querying Security Events

Each endpoint protection system will have a different API with its own quirks and features, but virtually all of them provide a mechanism for querying security events (e.g. the user tried to open a piece of dangerous malware and was protected from being infected). These events are what you will pair with campaigns in SecurityIQ.

How exactly you query these events will depend on the endpoint protection vendor you (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by InfoSec Resources. Read the original post at: