
So, hello everybody. I understand I'm the barrier between you and the free beer, so I will be quick. I'm here today to talk about security operations, automation and orchestration, SecOps. Just a few pieces of information about me as a quick introduction: I've been in security for ten years, and three years ago I started a company, which is today a big company of one person. I'm an independent consultant and I'm working in a major financial institution in France. Sorry for my French accent.

Before going on with the presentation, I have to talk about security operations. We have many definitions of it; I have mine, and I just wanted to share it with you for this presentation. So when I talk about SecOps, I will talk about these activities: penetration testing, code review, security compliance, incident response, forensics, CTI and so on. Just keep in mind these are the activities I will talk about.

The tool is an open source framework whose development I started one year ago. It's an open source framework for automating and orchestrating tasks addressing security operations; we are looking to make these processes more efficient. The solution lets you define your assets (an asset could be an IP, a domain, a subdomain, a URL, a git repo and so on), the scan policies and the scans you want to perform. The scans give you findings, and the findings are then collected, analyzed and aggregated within a unique database. We develop several engines and connectors to assess risk on various stacks, on every domain. The idea behind this tool is to have a risk overview on every stack, from the IP to the data. Scans can be started one time, one shot, or on a regular basis, to have continuous monitoring of our security posture on our stacks.

Why make a tool like this? Not because I have the time, but because something is changing. When I have to describe the current evolution of the IT landscape, I think we can summarize it in two words: acceleration and diversification. This concept applies to the assets, the threats and, by the way, the security incidents regarding the assets. Thanks to digital programs we saw an explosion of IT projects in companies, so the information systems are more and more open to the world, and then more exposed to attacks. We also see changes in technology, with new technology that pops up every day, and we also see changes in the software delivery process. I remember a few years ago when it was about four to five moves to production per application and per year in a company; today, to give another figure, Netflix deploys more than 500 thousand containers per day, a container being an application with the system embedded. So we are making IT in a different way today, so maybe we have to do information security and cyber security in another way too.

The threats are growing too: the number of CVEs is only growing year after year, and there are more and more attackers thanks to the ease of exploitation of vulnerabilities. As a pen tester, I think it's easier today to pwn a random system than it was before. I'd say targeted attacks are the same, but if you just want to hack a system, it's far easier today than 10 years ago. So from a different point of view, I think we have to cover a quickly changing gap, and at the end of the day it's increasingly hard to have a realistic and sufficiently updated view of our security posture. So keep in mind these two words: acceleration and diversification.

To do our jobs we have to manage security incidents, identify vulnerabilities on our assets before attackers do, and identify indicators of compromise which could lead to past, current or maybe future attacks. One of the key challenges of our job is to keep ourselves updated on information security knowledge: vulnerability databases, news, blog posts and so on. The spectrum of threat scenarios is changing every day, so we have to manage lots of feeds of information, and we have to face the continuous transformation of our assets. Finally, just monitoring our assets is not sufficient; we also have to monitor external resources to find data leaks, to try to find out about attacks, and to understand how third parties see our security posture. The other problem we have to face today is the window of exposure: we have to discover and find vulnerabilities as soon as possible, because today we know that attackers will attack us, and new vulnerabilities pop up every day, which increases the likelihood of attack scenarios. It's a race against the clock and we should try to win it. So, to help us, we found that automation and orchestration could maybe help us.
For me, automation is setting up a single task to run, and orchestration is about coordination of automated tasks. The first picture reveals that attackers do this: they are good at automation, and maybe better than us. So let me share a personal experience. A while ago we set up a Kubernetes cluster to host the future cloud version of the platform. I deployed it with the default configuration, with unfiltered access, exposed to the internet. So I was doing something wrong, and I was finished, because only 24 hours later I was hacked and a crypto miner was installed in my Kubernetes cluster. I did a quick forensic analysis on this nice server and I discovered that, and I definitely think it was not a targeted attack. I think a scanner just scanned the internet, found an unsecured service exposed on the internet, and automatically pwned my server. So [ __ ], but it's like this. I was finished. So I think that if we want to fight back against this kind of attack, we have to automate our processes too.

I found some advantages of this kind of process design. The first is to do more checks, to cover a larger range of assets, and to have more control on each stack. The second is to do it more often, to discover vulnerabilities or suspicious changes in our systems as soon as possible, in order to reduce the window of exposure. The third is to do it more efficiently, because it tries to tackle another problem in security: I work in a SOC and we have to face talent shortage. In our job we have to perform a lot of repetitive tasks which have low value; it just gets us unmotivated, and to keep people motivated we can try to automate some things to focus on more complex cases. And automation can help us to do compliance and benchmark tests, to perform the same checks on a regular basis, which gives us a trend of the level of maturity of our systems.

So I think everybody is convinced by automation? Are you convinced or not? [Audience: no] Bob is not. I'm sorry for him, but there are several downsides we have to discuss. Do you think about limits of automation and orchestration? What kind of limits?

[Audience member:] When you have something that changes or relies on interpretation of data. For example, you have something coming in that needs to be interpreted based on state or something else, and your automation needs something else to give in, in order for you to extract some logic behind that.

Yes. So I've found some. The first thing is that automation does not cover every risk, and don't think it will replace our job; it doesn't really replace the human security analyst. It increases the number of alerts, of true positives and false positives, so we have to manage this overhead. It's completely inefficient for detection of functional vulnerabilities; it only detects easy technical vulnerabilities. And there is a TCO, a total cost of ownership: it's an additional system that we have to manage, and which could be exploited, by the way. So there are downsides, but we built the platform for automation and orchestration, so we don't care about the downsides, I mean.

The three pillars of our application are to base our work on the automation and orchestration concepts, and to rely on the best of breed tools. Tools exist today; there are great tools and they perform a great job, like Nessus and Qualys. They do a great job in their field, and they are very efficient to scan vulnerabilities at the infrastructure level, but if you already use them, you know the web application scanner, the container security assessment and the anti-malware modules are not so efficient. We just have to use other tools to perform these jobs in a better way. So we found a way to benefit from the best part of several security tools, and to make it easier to define the scan policy.

How does it work? It's written in Python, and yes, I'm French [Music], and it's supported by the Django framework. We have the manager, which is the front-end application in which we define the assets, the scan policies and the engines. It is a unique cockpit to define the scans, to gather the findings and to have graphs to show you the results. It's available using the web UI and the REST API, and it talks with the engines. Engines are micro applications, stateless applications, which are enough to perform the scan, to analyze the result and to format every finding in a unique, pre-defined format. The engine performs the scan on your internal networks or internet assets; it can also be used to communicate with external services and to gather information from any other service.

You can define alerts: when new findings match new criteria, you can generate an automatic alert. So there is a bit of functionality where you can define an alert which is automatically sent to TheHive as an event, and when you are in the TheHive screen you see this event arriving and you can create a new case. It's the same using JIRA or Slack, or you can also extract the findings and put them in your SIEM.

As of today we support multiple ranges of needs with this application: network scans, vulnerability management, SSL, DNS (we have released a tool to perform a lot of checks on DNS), reputation, malware, data leaks and secure application. When I wrote this slide I said there is no link between nmap and OWASP Dependency-Check, and so on, and that's the idea behind the tool: it's a framework. Maybe you don't need everything, but you just need one to add the capacity to quickly put in place a SecOps process. So yeah, you can use paid tools to perform this. Every engine is Docker ready, so if you want to install every one of these tools it's just as simple as a docker pull. We plan to create new engines to support more of the same thing; if you want to develop an engine, it's about two to three days to develop and test it, so it could be easy to do this. We plan to add a lot of things, and when we see the roadmap, we plan a lot, so it's a call for help: if you are interested in the project, contribute. We found that this tool could be used in various use cases regarding data leaks, vulnerability tracking, vulnerability management, penetration testing and securing the CI/CD pipeline. So it could be a framework to enable new capacities in your company.

If I had to sell this product to you today (but it's not the object of the presentation, I will insist on this), just remember that for big companies, which already have more or less the tools, the platform provides a unique cockpit to define a unique strategy, to gather findings from these different tools, and to consolidate and manage the risk at a single point. For newcomers or smaller companies it brings the capacity to quickly improve their security maturity, and it's open source. We are currently working on integration with TheHive and Cortex, which are security incident response tools, and with Rudder, an automation and continuous configuration tool. We are testing various use cases; we are trying to make a secure Kubernetes cluster to host the cloud version, and we are trying to do the documentation. So here we are. I can propose you a demo. If you have questions, if you want a demo, or if you want to grab the free beer, it's up to you.

[Audience: a demo] Okay, she insists. Just so you understand the model behind this: you have users and user groups, and a user can define a lot of assets, or an asset group, a group of assets.
You can define several engines, so you can have an instance of nmap, and you can have a lot of instances of the same engine. You can think: we can deploy an nmap or Nessus scan on your internal networks, on your administrative networks and on the internet, so everything can be managed in the application. On an engine you define a scan policy. A scan definition is the selection of the assets you want to scan and the policies you want to apply. You run the scan definition, you have a scan, and this scan gives you raw findings. Because we can have duplicates of raw findings, we try to identify unique findings; it's easier to manage afterwards. You can define alert rules, and even some quick dashboards with the big figures on what you are managing: the assets, the most vulnerable assets and the most critical findings. By the way, as of today it's static, but we are working to make it more dynamic. Not today, but as of today we have to define every asset you want to test.

[Audience question about importing assets] Yes, but we also provide a feature to import them using a CSV file, so you can import in bulk. Well, we are looking for connectors with GLPI or also with CMDBs, to dynamically choose your assets.

[Audience: and would the platform be able to discover assets if you define IP ranges?] It's not really that. If you define an IP range, then it discovers the assets: you can define an IP range or IP subnet, and the platform discovers the assets in that range. Just keep in mind, in this use case, if you set a new IP range, maybe you will do an nmap scan to discover every host that is up and the services, and this will create new assets and an asset group, so you will have the opportunity to have the risk assessment of one new asset which was automatically created, and of the range you define.

[Audience: Okay, but the characteristics of the assets will only be the ones that nmap can get from the asset?] Sorry? [Audience: The characteristics of the asset will only be the ones that nmap is capable of getting?] Yes. [Audience: Software version, open ports, etc.] Yes. [Audience: Okay, thank you.]

For each asset or asset group you have a detail screen, just to see the findings; findings are categorized by threat domains. So if you want to assess your level of maturity on SSL certificates, you just have to click on the SSL category and it will filter findings and risk on this. You can export results in HTML, CSV or JSON. You can manage lots of engines; they could be installed on the same server or anywhere on earth. For each type of engine we provide policies; you can create your own policy, but we provide templates just to help you use the application. So the full template for listing open ports and services would be available. I think I will create a template just to focus on Kubernetes, with its secure ports, just to have a clear scan policy to assess this; it could be useful.

Here is the page for creating a new scan. So the title, the definition: you can start your scan on demand or periodically; you can start it now, or later at the time you define; you can select multiple assets or asset groups; and then you have to choose a scan policy, the tool that will perform this, or you can filter by category. So if you just want to assess something on reputation, the selection of policies will be filtered and we will propose the policy you want. Then you have to select the engine. You can perform a scan continuously, and there is a way to compare the findings from each scan: if you perform the same scan twice you can have a comparison between the two scans. For each scan you have more and more information, so you can also have a view of all the scans performed every day; I stole the heat map from GitHub to display this, so if you click on a square you just go to all the scans performed on that day. So we can quickly go to the scan period. Every finding has a title, a definition and a solution, if there is a solution. You can export it using JSON or the STIX2 format to be compliant with MISP, and you can also compare. Finally, you can compare scans, the balance between scans and between findings, just to see the difference, and you can create rules to automatically send a message to a log file, send an email, or send to TheHive or to Slack today.

So my last message is here: if you are interested or not, just give us some feedback, and if you want to contribute, do this, and if you want to join the team, everything is open. So thank you very much.
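The pipeline the talk describes (raw findings from several engine instances deduplicated into unique findings, filtered by threat category, compared between two runs of the same scan, and matched against an alert rule) as an added illustration written for this transcript; it is not the platform's own code, and the `Finding` structure, field names and sample scan data are assumptions constructed for the example.

```python
"""Toy model of the scan pipeline described in the talk. Added illustration
only: the Finding structure, severity scale and sample data are assumed, not
the platform's own."""
from dataclasses import dataclass

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass(frozen=True)
class Finding:
    asset: str       # an IP, domain, subdomain, URL or git repo
    category: str    # threat domain, e.g. "ssl", "network", "dns"
    title: str
    severity: str    # key of SEVERITY_RANK
    engine: str      # engine instance that produced the raw finding


def finding_key(f):
    """Identity of a finding regardless of which engine instance reported it."""
    return (f.asset, f.category, f.title)


def dedupe(raw):
    """Collapse raw findings reported by several engines (or several runs of
    the same engine) into unique findings; the highest severity seen wins."""
    unique = {}
    for f in raw:
        key = finding_key(f)
        if key not in unique or SEVERITY_RANK[f.severity] > SEVERITY_RANK[unique[key].severity]:
            unique[key] = f
    return list(unique.values())


def by_category(findings, category):
    """Filter findings to one threat domain, as clicking a category does."""
    return [f for f in findings if f.category == category]


def diff_scans(previous, current):
    """Compare two runs of the same scan: keys that appeared and keys that were fixed."""
    old = {finding_key(f) for f in dedupe(previous)}
    new = {finding_key(f) for f in dedupe(current)}
    return sorted(new - old), sorted(old - new)


def alert_rule(findings, min_severity="high"):
    """Alert rule: findings at or above a severity threshold (the set that
    would be pushed to TheHive, Slack, an email or a log file)."""
    return [f for f in findings if SEVERITY_RANK[f.severity] >= SEVERITY_RANK[min_severity]]


# Constructed sample data, not real scan output.
SCAN_1 = [
    Finding("10.0.0.5", "network", "Port 22/tcp open", "low", "nmap-internal"),
    Finding("10.0.0.5", "ssl", "Certificate expired", "high", "sslscan-1"),
]
SCAN_2 = [
    Finding("10.0.0.5", "network", "Port 22/tcp open", "low", "nmap-internal"),
    Finding("10.0.0.5", "network", "Port 22/tcp open", "medium", "nmap-dmz"),
    Finding("10.0.0.5", "network", "Port 6443/tcp open", "high", "nmap-dmz"),
]
```

Running `diff_scans(SCAN_1, SCAN_2)` reports the new 6443/tcp finding as appeared and the expired certificate as fixed; feeding the appeared findings to `alert_rule` is the point where a rule would raise an event.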