How to Streamline Zero Trust Using the Shared Signals Framework

Posted on December 9, 2025 By CWS

Zero Trust helps organizations shrink their attack surface and respond to threats faster, but many still struggle to implement it because their security tools don't share signals reliably. 88% of organizations admit they've suffered significant challenges in trying to implement such approaches, according to Accenture. When products can't communicate, real-time access decisions break down.
The Shared Signals Framework (SSF) aims to fix this with a standardized way to exchange security events. Yet adoption is uneven. For example, Kolide Device Trust doesn't currently support SSF.
Scott Bean, Senior IAM and Security Engineer at MongoDB, proposed a way to solve the problem, giving teams a simple and intuitive way to operationalize SSF across their environment.
In this guide, we'll share an overview of the workflow, plus step-by-step instructions for getting it up and running.
The problem – IAM tools don't support SSF
A core requirement of Zero Trust is continuous, reliable signals about user and device posture. But many tools don't support SSF for Continuous Access Evaluation Protocol (CAEP), making it hard to share or act on those signals.
Teams often face three challenges:

Tools lack native SSF support
Signals require enrichment or correlation
Managing SSF endpoints and token handling adds overhead

Without this interoperability, organizations struggle to apply consistent policies, and in cases like Kolide Device Trust, critical device events never reach systems like Okta.
The solution – an SSF transmitter that turns Kolide issues into CAEP events
Because SSF is built on HTTPS requests, the OpenID standard works with Tines' HTTP Action.
Scott developed a new workflow integrating Kolide Device Trust with Tines, enabling it to send SSF signals to Okta. If a device is non-compliant, Kolide sends a message to the workflow via webhook. Tines enriches the signal, makes sure it can be linked to a user, builds a Security Event Token (SET), and then sends it to Okta.
In this way, Tines acts as the connective tissue that makes SSF work across the distributed IT environment, even when individual tools don't natively support the standard.

Tines can:

Receive signals from Kolide (and tools like it) via webhook when a device becomes non-compliant
Enrich and correlate those signals (e.g., map device to user)
Generate and sign SETs that meet the SSF specification
Send them to Okta (and other identity providers) to enforce Zero Trust
Host required SSF metadata endpoints using API path prefixes, giving consuming systems a standards-compliant place to fetch keys and decrypt tokens

All of which makes Zero Trust enforcement faster, more reliable, and far easier to operationalize. IT teams are empowered with continuous, real-time risk assessment of devices, faster response to threats, and more flexible policy orchestration. And end users get the benefit of automated remediation, which helps to optimize productivity and reduce IT intervention.
If you want to go deeper into identity modernization, the Tines IAM guide explores how teams are unifying device trust, access decisions, and least-privilege enforcement with automation. Scott's workflow is one of several real-world patterns inside.
Workflow overview

Required tools:

Tines – workflow orchestration and AI platform
Kolide – device trust and posture monitoring
Okta – identity platform receiving CAEP events

Required credentials:

Tines API Key – `Team` scoped with the `Editor` role
Kolide API Key – Read Only
Kolide Webhook Signing Secret

Required resources:
Okta domain, such as example.okta.com, example.oktapreview.com, or a branded domain.
How it works:
The workflow creates a proof-of-concept SSF transmitter that can be registered with Okta and sends device compliance change CAEP events (sent as SETs), based on issues generated in Kolide. There are three parts:
1. Generate and store SET signing keys (SETs are signed JSON Web Tokens):

Creates an RSA key pair and converts it to JWK format.
Publishes the public key for SSF receivers to validate SET signatures.
Stores the private JWK keyset as a Tines secret.

2. Expose SSF transmitter API
SSF receivers (like Okta) need:

a .well-known/sse-configuration endpoint describing the transmitter
a JWK endpoint exposing the public key used to verify SET signatures
a webhook trigger acts as the SSF API surface
logic returns the .well-known config
logic returns the JWKs

Once that is live, teams can register a new SSF receiver in Okta under:

Security → Device Integrations → Receive shared signals

And create a new stream using the API's URL and the new `.well-known` endpoint
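The two metadata responses described above, sketched in Python as an added example (not code from the Tines workflow). The URLs, key values, the `RS256` algorithm and the minimal field set are assumptions; the point is that only public JWK members ever leave the stored keyset.

```python
import json

# Private-key members defined for JWKs in RFC 7518: RSA "d" and CRT values, symmetric "k".
PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}
PUSH_DELIVERY = "urn:ietf:rfc:8935"  # push-based SET delivery over HTTP


def public_jwks(private_jwks):
    """Derive the keyset that is safe to serve from the JWKS endpoint."""
    keys = []
    for jwk in private_jwks["keys"]:
        if jwk.get("kty") != "RSA" or "kid" not in jwk:
            raise ValueError("expected RSA signing keys that carry a kid")
        pub = {k: v for k, v in jwk.items() if k not in PRIVATE_MEMBERS}
        pub.update(use="sig", alg="RS256")  # RS256 is an assumption of this example
        keys.append(pub)
    return {"keys": keys}


def sse_configuration(issuer, jwks_uri):
    """Transmitter metadata for a push-only transmitter (minimal, assumed field set)."""
    for url in (issuer, jwks_uri):
        if not url.startswith("https://"):
            raise ValueError("metadata URLs must be https: " + url)
    return {"issuer": issuer, "jwks_uri": jwks_uri,
            "delivery_methods_supported": [PUSH_DELIVERY]}


def leaked_members(document):
    """Return private JWK members found anywhere in a response body about to be served."""
    found = set()

    def walk(node):
        if isinstance(node, dict):
            found.update(node.keys() & PRIVATE_MEMBERS)
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)

    walk(document)
    return sorted(found)


# Constructed keyset with placeholder values, standing in for the stored Tines secret.
STORED_KEYSET = {"keys": [{"kty": "RSA", "kid": "set-signing-1", "e": "AQAB",
                           "n": "constructed-modulus", "d": "constructed-private-exponent",
                           "p": "constructed-p", "q": "constructed-q"}]}

if __name__ == "__main__":
    print(json.dumps(public_jwks(STORED_KEYSET), indent=2))
```

Running `leaked_members` on each response body before it is served is a cheap guard against publishing the private keyset by mistake.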
3. Create, sign and send SETs from Kolide events

Receives Kolide issue events via webhook and validates them using the signing secret.
Fetches device and user metadata from Kolide.
Builds a SET for a Device Compliance Change CAEP event.
Signs the SET with the stored private key using the JWT_SIGN formula.
Sends the signed token to Okta's security-events endpoint.

This delivers real-time device-compliance updates to Okta so access policies can respond immediately.
Configuring the workflow – a step-by-step guide
You can build and run this entire workflow using Tines Community Edition.

1. Log into Tines or create a new account.
2. Navigate to the pre-built workflow in the library. Select import. This should take you straight to your new pre-built workflow.

3. Gather the required credentials

Tines API Key (team-scoped with Editor role)
Kolide API Key (read-only)
Kolide Webhook Signing Secret

These ensure authenticated calls to Kolide and secure webhook validation.
4. Collect your required resources
You'll need an Okta tenant domain, such as:

example.oktapreview.com
example.okta.com
or your custom Okta brand domain

This domain is used when sending signed SETs to Okta's security-events endpoint.
Note: In the example provided, Scott set it up as a `push` rather than a `poll` provider, as tokens are sent based off of inbound webhooks, so there's no need to store state.

5. Generate your SET signing keys

Use the Generate JWK keyset action to create RSA keys
Convert both private and public keys to JWK format (two event transforms)
Store the resulting keyset using a Tines secret

This is required before Okta will accept and verify your SETs.
6. Publish the SSF transmitter API
The SSF API webhook contains two branches:

.well-known endpoint

Trigger: well-known
Event transform: returns the SSF configuration declaring the transmitter's capabilities

JWKS endpoint

Trigger: JWKs
Event transform: returns the public JWKs so Okta can verify signatures

Once live, Okta can register this transmitter as a shared signals sender.
7. Connect Kolide and process device issues
The Kolide integration flow follows these steps:

Webhook: Kolide webhook – receives issue opened/resolved events
Get device details – fetches metadata for the device involved
Device has a user – branching logic to ensure a user is associated
Get user details – look up user metadata for the CAEP payload

Depending on whether the issue is new or resolved:

Build SET – construct the CAEP device_compliance_change event
Sign SET – use the RSA private key stored earlier to produce an SSF-compliant SET
Send SET – send the final signed token to Okta's security-events endpoint

As soon as Okta receives and verifies the SET, the associated user risk level updates.
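The webhook-to-SET path from step 7, sketched in Python as an added example (not the Tines workflow or Kolide's API). The HMAC-SHA256 hex signature scheme, the webhook field names `event` and `device_id`, the `device_owner` lookup and the subject layout are assumptions; the claims are left unsigned because signing happens in the separate Sign SET step.

```python
import hashlib
import hmac
import json
import time
import uuid

EVENT_TYPE = "https://schemas.openid.net/secevent/caep/event-type/device-compliance-change"


def verify_webhook(secret, raw_body, signature_hex):
    """Constant-time check of an HMAC-SHA256 hex signature over the raw request body."""
    expected = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature_hex)


def build_set_claims(issuer, audience, email, device_id, resolved, now=None):
    """Build the SET claims for a device compliance change; signing happens afterwards."""
    now = int(time.time() if now is None else now)
    # An opened issue moves the device to not-compliant; a resolved issue moves it back.
    current, previous = ("compliant", "not-compliant") if resolved else ("not-compliant", "compliant")
    return {
        "iss": issuer, "aud": audience, "iat": now, "jti": str(uuid.uuid4()),
        "events": {EVENT_TYPE: {
            "subject": {"user": {"format": "email", "email": email},
                        "device": {"format": "opaque", "id": device_id}},
            "current_status": current, "previous_status": previous,
            "event_timestamp": now}},
    }


def handle_issue_event(secret, raw_body, signature_hex, device_owner, issuer, audience):
    """Return SET claims for a valid webhook, or None when the event must be dropped."""
    if not verify_webhook(secret, raw_body, signature_hex):
        return None                      # unauthenticated sender: never build a token
    event = json.loads(raw_body)         # parse only after the signature checks out
    email = device_owner.get(event["device_id"])
    if email is None:
        return None                      # "Device has a user" branch: no subject, no SET
    return build_set_claims(issuer, audience, email, event["device_id"],
                            resolved=(event["event"] == "issue.resolved"))
```

The signature is checked against the raw bytes before any JSON parsing, so a forged request never reaches the enrichment or token-building steps.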
Bringing it all together
SSF exists to help security tools speak the same language, delivering continuous insight into risk and device posture. But when key tools don't support the standard, gaps open up, and access policies lag behind real-world changes.
Tines bridges these gaps by enabling new intelligent workflows. They ensure that even tools that don't support SSF can send information in the same standardized way. By using Tines to generate, sign, and send compliance signals in real time, you get the benefits of SSF even when the source tool wasn't built for it.
If you'd like to try this workflow yourself, you can spin it up in minutes with a free Tines account. And if you want to see how device posture fits into a broader identity strategy, this guide to modern IAM workflows offers practical patterns and real-world workflows like Scott's that you can start building on today.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News, Twitter and LinkedIn to read more exclusive content we publish.
