Shiny Meets Sustainable: OpenDXL as an Orchestration Platform

Every now and then I get into a debate about what constitutes a platform. To me, it means connecting functions and data easily and as directly as possible, balancing speed and simplicity and safety. While it’s nice to present this as an architectural stack, with open interfaces at the edges, modern software development is more complex. Programmable interfaces, both open and proprietary, sprout around each layer and module as new ideas, “shiny objects,” are brought to market in an increasingly sophisticated, crowded, yet still rapidly evolving, security landscape.


For us to overcome the vulnerabilities of the Second Economy, security teams (and I include endpoint, data center, and network operations in this responsibility) need the ability to adopt “narrow mission” technologies quickly, while those tools remain effective against the attacks or obstacles they were designed to overcome. However, a sustainable security operations function depends on integrating these tools with operational systems, management processes, and people resources. Not only do you want the ability to integrate (think APIs), you want to integrate with minimum effort and cost, so that monitoring, workflows, policies, and reporting can continue without disruption or reinvention. Further, you would prefer to avoid the maintenance cost and dysfunction associated with change on either side of each integration. (See my previous blog for more on the challenge of change.)


Bridging shiny and sustainable is why the OpenDXL initiative is strategic for McAfee and the industry as a whole. Through a common programming interface and an open orchestration model, security teams can connect shiny objects and operational systems. This connection keeps the focus on critical success factors in the Second Economy:

  1. Trust: Achieve the visibility and closed-loop feedback to enable “trust” amongst the team members who must collaborate across threat operations and IT operations.
  2. Treasure: Gain sufficient transparency about risk and change to understand the impact of events on their “treasure” (corporate assets).
  3. Time: Unified (integrated, automated, and orchestrated) processes drive down the “time to” metrics that are critical to manage as the white hats fight the clock against the black hats.

At FOCUS 2016 today, Steve Grobman demonstrated an example of the new OpenDXL orchestration model—lightweight, effective and oh-so-fast. Leveraging the open source DXL Python client now available on github.com/openDXL, we built a proof of concept for McAfee Innovation Alliance partners Check Point, HP Aruba, and Rapid7 in conjunction with the new McAfee Active Response Endpoint Detection and Response (EDR) product.


In this closed-loop threat defense workflow, firewall events from Check Point were published over DXL, triggering an immediate search across endpoints by McAfee Active Response. Next, remediation actions were launched over DXL using HP Aruba (host quarantine) and Rapid7 (vulnerability scan). The demonstration did not require human involvement, proving that key low-risk tasks can be fully automated and performed in seconds because of DXL's easy integration and high-speed interactions.


I usually assume keynote demos involve insider wisdom, special effects, software crutches, and a big dose of luck. While that may be the case in many, with the OpenDXL open source Python client, none of those were required. Attendees at FOCUS were able to talk to the demo author and see for themselves how easy it was by visiting the FOCUS booth. They could also attest to the ease of integration through the DXL DIY demo in the booth, resulting in tweets galore. After the show, we’ll add demo videos and how-tos to the tutorials and examples already live on GitHub. The community discussions there will also help more developers and enterprises kickstart their DXL adoption.


Join the OpenDXL revolution at mcafee.com/dxl and github.com/opendxl.