Ansible for Incident Response

Brad Sollar, Sr. Solutions Architect, Jun 2018

Intro

With the high rate of turnover inherent in military organizations, institutional knowledge such as network configurations and organizational processes is easily lost. In addition, security teams within these organizations usually run multiple tool sets with complex configurations, which makes it hard to reproduce an exact setup or share it with other team members. Open source automation tools make it easy to codify and automate processes and configurations, so security teams get repeatable, shareable configurations for their architecture and tooling. Open source infrastructure helps to scale automation, manage complex deployments and speed up productivity. Standardizing workflows and processes through automation lets teams enhance mission capabilities.

Automation

A general tool capable of supporting the entire stack, with minimal expertise and coding experience required. A general-purpose automation capability is core to lowering the barrier to entry for cyber warriors:
- Operators need to focus on the mission instead of having to know which tools fit where.
- Operators do not need to know how to configure each tool; the automation sets everything up for conducting a mission.
- Automate complex actions such as forensic collections, offensive actions and incident response.

Automation: Intro to Ansible

- Agentless (SSH/WinRM)
- Desired state (no unnecessary changes)
- Extensible and modular (1600+ modules)
- Push-based architecture
- Easy targeting based on facts

Automation: Intro to Ansible

Ansible for security uses:
- Security Technical Implementation Guides (STIG)
- Payment Card Industry Data Security Standard (PCI DSS)
- Network device hardening
- Remediation
- Internal standards
- System tracking (with Ansible Tower)
- Incident response

Automation: Incident Response

NIST SP 800-61, Computer Security Incident Handling Guide. Its incident response life cycle has four phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity.

Automation: Incident Response

Automate response actions. After an analyst finds signs of compromise and an incident has been declared, the organization proceeds to the Containment, Eradication, and Recovery phase.

Automation: Incident Response

Containment strategies vary based on the type of incident. Organizations should create separate containment strategies for each major incident type, with criteria documented clearly to facilitate decision-making. Major incident types include:
- Email
- Malware infection
- APT
- Network-based DDoS
- Web & DB compromise

Incident Response: Web & DB Compromise

Things to automate:
- Choose a containment strategy
- Evidence collection/preservation: image drives, network connections, memory dump, command history, system hashes, label evidence
- Eradication and recovery: disable compromised accounts, patch vulnerabilities, restore from backups, rebuild systems

Incident Response: Automate your Response

Architecture (from the slide diagram): a control node runs a playbook against an inventory, using modules over SSH or API to reach three kinds of targets:
- Network switches (SSH): dump configs, create IP blocks, create port blocks.
- Compromised hosts (SSH, API): disconnect volumes, image drive, memory dump, command history, etc.
- Newly provisioned hosts (SSH, API): patch new systems, add application data, add new signatures, return to service.
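The network-switch leg of that diagram, written out as an added example; this is not code from the deck. It assumes an inventory group named switches holding Cisco IOS devices reached over network_cli (cisco.ios and ansible.netcommon collections installed), a case_id and the switch ports of the compromised hosts passed in as extra vars, and an evidence directory under the playbook directory on the control node. The config dump happens before any change so there is both evidence and a rollback point; the port block is a plain interface shutdown, which is reversible once the host has been rebuilt.

```yaml
---
# Added example, not from the deck: the "Network Switches" leg of the diagram.
# Assumptions: inventory group "switches" holds Cisco IOS devices reachable over
# SSH with network_cli; the ports of compromised hosts and a case ID are passed
# in, e.g.  ansible-playbook switches.yml -e case_id=IR-0001 \
#             -e '{"quarantine_ports": ["GigabitEthernet1/0/7", "GigabitEthernet1/0/9"]}'
- name: Dump switch configs, then cut the compromised hosts off at their ports
  hosts: switches
  gather_facts: false
  connection: ansible.netcommon.network_cli
  vars:
    ansible_network_os: cisco.ios.ios
    case_id: CHANGE-ME
    quarantine_ports: []
    switch_evidence_dir: "{{ playbook_dir }}/evidence/{{ case_id }}/switches"
  tasks:
    - name: Dump the running config before changing anything (evidence and rollback point)
      cisco.ios.ios_config:
        backup: true
        backup_options:
          dir_path: "{{ switch_evidence_dir }}"
          filename: "{{ inventory_hostname }}.running-config"

    - name: Record which MACs sit behind each quarantined port (read-only)
      cisco.ios.ios_command:
        commands: "show mac address-table interface {{ item }}"
      loop: "{{ quarantine_ports }}"
      register: mac_table
      changed_when: false

    - name: Save the MAC table output next to the config dump
      ansible.builtin.copy:
        dest: "{{ switch_evidence_dir }}/{{ inventory_hostname }}-{{ item.item | replace('/', '_') }}.mac"
        content: "{{ item.stdout[0] }}\n"
        mode: "0600"
      loop: "{{ mac_table.results }}"
      loop_control:
        label: "{{ item.item }}"
      delegate_to: localhost
      connection: local

    - name: Shut down the quarantined ports (port block) and save the config
      cisco.ios.ios_config:
        parents: "interface {{ item }}"
        lines:
          - shutdown
        save_when: modified
      loop: "{{ quarantine_ports }}"
```

IP blocks are deliberately left out of this play: IOS stores access-list entries with sequence numbers in the running config, so pushing ACL lines through ios_config tends to show a diff on every run; a dedicated ACL module or a resource module is the better fit for that part of the diagram.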

Automation: Incident Response: Sample IR Playbook
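The deck's own sample playbook is not reproduced on this page; what follows is an added example written for the "Web & DB compromise" list above, not the author's playbook. It assumes an inventory group named compromised of Linux hosts reachable over SSH with sudo, a case_id, suspect_users and block_cidrs passed in as extra vars, and an evidence directory under the playbook directory on the control node; the binaries hashed and the commands captured are illustrative choices. The ordering is the point: volatile evidence (network connections, processes, logins, shell history, hashes) is pulled off the host and labelled with case, host and time before any containment action changes the host. Disk imaging and memory acquisition need tooling staged in advance and are left out.

```yaml
---
# Added example for this page, not the deck's sample playbook. Assumptions:
# inventory group "compromised" (Linux, SSH + sudo); evidence is written under
# ./evidence/<case_id>/<host>/ on the control node. Per-incident values come in
# as extra vars, e.g.
#   ansible-playbook ir.yml -e case_id=IR-0001 \
#     -e '{"suspect_users": ["svc_web"], "block_cidrs": ["203.0.113.0/24"]}'
- name: Preserve evidence first, then contain compromised Linux hosts
  hosts: compromised
  become: true
  gather_facts: true
  vars:
    case_id: CHANGE-ME
    suspect_users: []
    block_cidrs: []
    evidence_dir: "{{ playbook_dir }}/evidence/{{ case_id }}/{{ inventory_hostname }}"
    hash_targets: [/usr/sbin/sshd, /bin/bash, /usr/bin/sudo, /etc/passwd, /etc/crontab]
    volatile_cmds:            # read-only; nothing on the host changes yet
      connections: ss -tunap
      processes: ps auxwwf
      logins: last -Faiwx
  tasks:
    - name: Create the per-host evidence directory on the control node
      ansible.builtin.file:
        path: "{{ evidence_dir }}"
        state: directory
        mode: "0700"
      delegate_to: localhost
      become: false

    - name: Capture volatile state before anything is changed
      ansible.builtin.command: "{{ item.value }}"
      loop: "{{ volatile_cmds | dict2items }}"
      register: volatile
      changed_when: false
      failed_when: false

    - name: Write each capture to the evidence directory
      ansible.builtin.copy:
        dest: "{{ evidence_dir }}/{{ item.item.key }}.txt"
        content: "{{ item.stdout }}\n"
        mode: "0600"
      loop: "{{ volatile.results }}"
      loop_control:
        label: "{{ item.item.key }}"
      delegate_to: localhost
      become: false

    - name: Preserve shell history for root and the suspect users
      ansible.builtin.fetch:
        src: "{{ (item == 'root') | ternary('/root', '/home/' ~ item) }}/.bash_history"
        dest: "{{ evidence_dir }}/history/{{ item }}.bash_history"
        flat: true
        fail_on_missing: false
      loop: "{{ ['root'] + suspect_users }}"

    - name: Hash key binaries and config files
      ansible.builtin.stat:
        path: "{{ item }}"
        checksum_algorithm: sha256
      loop: "{{ hash_targets }}"
      register: hashes

    - name: Record the hashes, labelled with case, host and collection time
      ansible.builtin.copy:
        dest: "{{ evidence_dir }}/hashes.sha256"
        mode: "0600"
        content: |
          # case={{ case_id }} host={{ inventory_hostname }} collected={{ ansible_date_time.iso8601 }}
          {% for r in hashes.results if r.stat.exists %}
          {{ r.stat.checksum }}  {{ r.item }}
          {% endfor %}
      delegate_to: localhost
      become: false

    # Containment only now: the volatile evidence above is already off the host.
    - name: Drop traffic to and from the attacker ranges
      ansible.builtin.iptables:
        chain: "{{ item.1 }}"
        source: "{{ item.0 if item.1 == 'INPUT' else omit }}"
        destination: "{{ item.0 if item.1 == 'OUTPUT' else omit }}"
        jump: DROP
        action: insert
      loop: "{{ block_cidrs | product(['INPUT', 'OUTPUT']) | list }}"

    - name: Kill live sessions of suspect users (rc 1 just means none were running)
      ansible.builtin.command: pkill -KILL -u {{ item }}
      loop: "{{ suspect_users }}"
      register: killed
      changed_when: killed.rc == 0
      failed_when: killed.rc not in [0, 1]

    - name: Lock the suspect accounts
      ansible.builtin.user:
        name: "{{ item }}"
        password_lock: true
        shell: /sbin/nologin
      loop: "{{ suspect_users }}"
```

Two design choices worth noting. The collection tasks set changed_when: false and write only to the control node, so a --check run of this play reports no changes on the target and the evidence copies never touch the compromised disk. The hashes.sha256 header is the "label evidence" step from the slide in its simplest form; a fuller chain of custody would also record who ran the play and sign the evidence directory after collection.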

Security Automation

Automation is used to audit and configure operating systems and applications to secure baselines using Ansible Playbooks. These playbooks can help to secure against common baselines such as:
- DISA STIG
- NIST 800 series
- CIS Benchmarks
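A small baseline play in the style the STIG and CIS roles use, added here as an example; it is not code from the deck or from the Galaxy roles linked below, and the values (for instance a 60-day password lifetime) are illustrative rather than quoted from a specific benchmark, so no control IDs are attached. It assumes RHEL-family targets with sudo. The same play serves both halves of the slide: run with --check --diff it audits and reports drift without changing anything; run plain it remediates, and because every task describes a desired state it makes no changes on a host that already complies.

```yaml
---
# Added example, not from the deck or the linked roles. Audit:
#   ansible-playbook baseline.yml --check --diff
# Remediate:
#   ansible-playbook baseline.yml
# Assumption: RHEL/CentOS-family targets; settings and values are illustrative.
- name: Audit or enforce a small OS baseline
  hosts: all
  become: true
  gather_facts: true
  vars:
    sshd_settings:               # setting -> required value (illustrative)
      PermitRootLogin: "no"
      PasswordAuthentication: "no"
      X11Forwarding: "no"
      ClientAliveInterval: "600"
    pass_max_days: 60            # illustrative lifetime, not a quoted benchmark value
  tasks:
    - name: Skip hosts outside the RedHat family (targeting by facts)
      ansible.builtin.meta: end_host
      when: ansible_facts['os_family'] != 'RedHat'

    - name: Enforce sshd settings; validate rejects a file sshd cannot parse
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^\s*#?\s*{{ item.key }}\b'
        line: "{{ item.key }} {{ item.value }}"
        insertbefore: '^\s*Match\b'   # never land inside a Match block
        firstmatch: true
        validate: /usr/sbin/sshd -t -f %s
      loop: "{{ sshd_settings | dict2items }}"
      notify: restart sshd

    - name: Cap password lifetime for accounts created from now on
      ansible.builtin.lineinfile:
        path: /etc/login.defs
        regexp: '^\s*#?\s*PASS_MAX_DAYS\b'
        line: "PASS_MAX_DAYS {{ pass_max_days }}"

    - name: Read the shadow database to find accounts that actually have a password
      ansible.builtin.getent:
        database: shadow

    - name: Apply the same cap to existing local accounts with a real hash
      ansible.builtin.user:
        name: "{{ item.key }}"
        password_expire_max: "{{ pass_max_days }}"
      loop: "{{ ansible_facts.getent_shadow | dict2items }}"
      loop_control:
        label: "{{ item.key }}"
      when: item.value[0] is match('^\$')   # skips '!!', '*' and locked system accounts

    - name: Restrict the shadow file
      ansible.builtin.file:
        path: /etc/shadow
        owner: root
        group: root
        mode: "0000"

    - name: Ensure auditing is installed
      ansible.builtin.package:
        name: audit
        state: present

    - name: Ensure auditd is enabled and running
      ansible.builtin.service:
        name: auditd
        enabled: true
        state: started

  handlers:
    - name: restart sshd
      ansible.builtin.service:
        name: sshd
        state: restarted
```

The validate step on sshd_config is the safety net that matters most in remediation: a typo in a required value would otherwise be written, the handler would restart sshd, and the play would lock everyone out of the very hosts it was hardening.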

Security Automation: Links

- openshift-compliance-guide.readthedocs.io/en/latest/
- https://galaxy.ansible.com/mindpointgroup/rhel7-stig/
- https://galaxy.ansible.com/redhatgov/800-53/

Thank You! plus.google.com/+redhat facebook.com/redhatinc linkedin.com/company/red-hat twitter.com/redhatnews youtube.com/user/redhatvideos