Shiny Meets Sustainable: OpenDXL as an Orchestration Platform

By on

This blog was written by Barbara Kay.

Every now and then I get into a debate about what constitutes a platform. To me, it means connecting functions and data easily and as directly as possible, balancing speed and simplicity and safety. While it’s nice to present this as an architectural stack, with open interfaces at the edges, modern software development is more complex. Programmable interfaces, both open and proprietary, sprout around each layer and module as new ideas, “shiny objects,” are brought to market in an increasingly sophisticated, crowded, yet still rapidly evolving, security landscape.

For us to overcome the vulnerabilities of the Second Economy, security teams (and I include endpoint, data center, and network operations in this responsibility) need the ability to adopt “narrow mission” technologies quickly, while those tools remain effective against the attacks or obstacles they were designed to overcome. However, a sustainable security operations function depends on integrating these tools with operational systems, management processes, and people resources. Not only do you want the ability to integrate (think APIs), you want to integrate with minimum effort and cost, so that monitoring, workflows, policies, and reporting can continue without disruption or reinvention. Further, you would prefer to avoid the maintenance cost and dysfunction associated with change on either side of each integration. (See my previous blog for more on the challenge of change.)

The bridging of shiny and sustainable is why the OpenDXL initiative is strategic for McAfee and the industry as a whole. Through a common programming interface and an open orchestration model, security teams can connect shiny objects and operational systems. This connection keeps the focus on critical success factors in the second economy:

  1. Trust: Achieve the visibility and closed loop feedback to enable “trust” amongst the team members who must collaborate across threat operations and IT operations.
  2. Treasure: Gain sufficient transparency about risk and change to understand the impact of events on their “treasure” (corporate assets).
  3. Time: Unified (integrated, automated, and orchestrated) processes drive down the “time to” metrics that are critical to manage as the white hats fight the clock against the black hats.

At FOCUS 2016 today, Steve Grobman demonstrated an example of the new OpenDXL orchestration model—lightweight, effective and oh-so-fast. Leveraging the open source DXL Python client now available on, we built a proof of concept for McAfee Security Innovation Alliance partners Check Point, HP Aruba, and Rapid7 in conjunction with the new McAfee Active Response Endpoint Detection and Response (EDR) product.

In this closed loop threat defense workflow, firewall events from Check Point were published over DXL, triggering an immediate search across endpoints by McAfee Active Response. Next, remediation actions were launched over DXL using HP Aruba (host quarantine) and Rapid7 (vulnerability scan). The demonstration did not require human involvement, proving that key low-risk tasks can be fully automated and performed in seconds, because of the easy integration and high-speed interactions of the DXL.

I usually assume keynote demos involve insider wisdom, special effects, software crutches, and a big dose of luck. While that may be the case in many, with the OpenDXL open source Python client, none of those were required. Attendees at FOCUS were able to talk to the demo author and see for themselves how easy it was by visiting the FOCUS booth. They could also attest to the ease of integration through the DXL DIY demo in the booth, resulting in tweets galore. After the show, we’ll add demo videos and how-tos to the tutorials and examples already live at github. The community discussions there will also help more developers and enterprises kickstart their DXL adoption.

Join the OpenDXL revolution at and

Leave a Comment

Similar articles

This blog was written by Barbara Kay. Security embodies the analogy of fixing a plane in flight. Every company has some variety of security people, process, and technology in place already. So, like a plane in flight, your security infrastructure needs an operational model that can be updated, adapted, repaired, or serviced while it is ...
Read Blog
I’ve been in this industry for over twenty years, and the advancements in cybersecurity over the last few years are unmatched. As an industry, we went from believing in a best-in-breed, siloed approach and now we understand our customers need a connected security architecture that can protect, detect, and correct. While we’ve made impressive advancements, ...
Read Blog
Today everyone is talking about security automation. However, what are the right processes and actions to automate safely? What are the right processes and actions to automate that will actually achieve some security outcome, such as improving sec ops efficiency or reducing attacker dwell time? Just look in the latest industry report and you will ...
Read Blog