Professional Documents
Culture Documents
Faz Sadeghi
Specialist Solution Architect
WHY SECURITY AUTOMATION
2
FreeImages.com/kovik
INFO SEC AREAS
Application Security
Network Security
Forensics
Incident Response
Penetration Testing
Fraud Detection and Prevention
Governance, Risk, Compliance
3
FreeImages.com/kovik
STORY OF MARKO
4
SEC OPS SILOS
WALL OF SEPARATION
SECurity OPerationS
https://www.niceideas.ch/roller2/badtrash/entry/devops-explained
5
FreeImages.com/kovik
RUNBOOK ITEMS
6
PLANNING THE IMPLEMENTATION
DC1
7
THE MELTDOWN
8
TROUBLESHOOTING
9 https://www.buzzfeed.com/kellyoakes/no-a-computer-did-not-just-pass-the-turing-test?utm_term=.xvMJQM8LxQ#.xf7Dn8rW0
n
SYSTEM MELTDOWN
10
SYSTEM MELTDOWN
11
WE NEED A SOLUTION
12
DEVOPS AND AUTOMATION
Look, I found
Ansible!
Automate security
13
http://www.devops-transformations.com/devops-wallpapers
WHY ANSIBLE FOR SECURITY AUTOMATION?
● Agentless
● SSH/WinRM
● Desired State
● Idempotent
● Easy to learn
● Extensible and modular
● Push-based architecture
● Easy targeting based on facts
14
NOT ZERO SUM
+ != 0
15
MORE SECURITY
16
LET’S GET AUTOMATING
17
LET’S GET AUTOMATING
https://www.niceideas.ch/roller2/badtrash/entry/devops-explained
18
SECURITY POLICY - LINUX
19
SECURITY POLICY - NETWORK
- hosts: ios
The network element must only connection: local
allow management connections for
administrative access from hosts residing in tasks:
to the management network. - name: Create management ACL
ios_config:
parents: ip access-list mgmnt
Configure an ACL or filter to restrict before: no ip access-list mgmnt
ACL or filter
management access to the device from only lines:
the management network. - 10 permit ip host 192.168.1.99 log
management network - 20 permit ip host 192.168.1.121 log
tasks:
Configure the policy value for
- name: Restrict enumeration of shares
Computer Configuration -> Windows Settings
-> Security Settings -> Local Policies -> win_regedit:
Security Options -> "Network access: Do not key:
allow anonymous enumeration of SAM
'HKLM:\System\CurrentControlSet\Control\Lsa'
accounts and shares" to "Enabled".
value: RestrictAnonymous
data: 1
datatype: dword
21
PCI DSS
23
REMEDIATION
Protect against CVE-2016-5696
tasks:
- name: CVE-2016-5696 | Limit TCP challenge ACK limit
sysctl:
name: net.ipv4.tcp_challenge_ack_limit
value: 999999999
sysctl_set: yes
24
REMEDIATION
Fix and test shellshock
26
THE END
27
GET INVOLVED
Ansible Lockdown
Ansible Hardening
Mailing List
Ansible Galaxy
https://github.com/samdoran/demo-playbooks
28