
Improving Security Through Automation - A Primer

BSides Edmonton · 2018 · 30:42 · 117 views · Published 2018-09 · Watch on YouTube ↗
Style: Talk
About this talk
Speaker Bio: Abdul Zia has been a Senior Systems Engineer with a security focus at Juniper Networks for over 5 years, and previously consulted in the energy and healthcare sectors. He has been in the industry for over 20 years, has a Computer Technology Diploma from SAIT, is a CISSP and holds an MBA from Heriot-Watt University in the UK. He is a decent snowboarder and a terrible guitar player.

Disclaimer: BSides Edmonton makes no claim to copyright on your material and makes this request only to benefit the community. The presentation and videos are opinions of the presenter, and BSides Edmonton is not legally responsible for invasion of any privacy of any entity (including, but not limited to, IP addresses, organization names, images, videos, exploits, vulnerabilities).
Transcript [en]

[Applause] So I get to be the last one, so I'm between you and the weekend, so let's see how fast I can go through this. I'm going to cover automation, very much automation-focused, but I'm going to try and talk a lot about security in this. In my opinion, automation is kind of the next step when you're talking security. Automation is coming: we're seeing it with self-driving cars, we're seeing it with pretty well everything getting automated; robotics has been out there forever. So, a little bit of a cartoon on everything being automated, including panhandling. This is kind of the overall agenda. I'm just going to cover

automation, orchestration, DevOps, kind of the differences between the three. We hear all three terms; I'll try and differentiate as much as I can between the three. Some of the challenges and trends that we see, so what's actually driving automation. Then we're going to talk a bit about automating human-driven workflows, but more than that we're going to talk about event-driven workflows, and then why automation is definitely a part of your security posture, or why it just makes everything more secure. Then we'll touch a little bit on getting started. A thing about me and PowerPoints and agendas: I'm probably going to end up all over the place. They're just guidelines. So let's talk about

automation, orchestration and DevOps. So what is the difference? We're hearing these terms. Automation is a single task or procedure that you're putting some sort of a script around. In this example, if you're changing an SNMP community, or changing passwords across devices, you're automating a task: you're putting a script around a task, and then you're pushing that script out to do what you used to do manually, and now you're automating it. We actually have a lot of tools that will already do this, right? One of the things, though, is that we have tools that might do this, so you might have tools

that do this for your UNIX environment, you might have tools that do this for your Windows environment, you might have tools that do this for your network environment. So you probably have tools that already do this for you. One of the things in the next step of automation, and especially in a holistically secure environment, is you're going to have tools, and you want to have tools, that cover a large gamut of your infrastructure, whether it's UNIX, Linux, Windows, routers, switches, or even applications. The more we can do in a centralized location that gives us more control, that gives you a

little bit of a better security posture. The next thing we hear a lot about is orchestration. So what's the difference between automation and orchestration? Orchestration takes this idea of automating a task, and now you take multiple tasks and you automate a workflow. The example I put here is if you want to enable connectivity through switches and routers, etc., for an application, that would be an orchestration. So if you roll out, say, a container and you want to enable that for your users, the orchestration portion would be to set up the interface for the VX

LAN, to enable any firewall rules you need, to set up any virtualized ports; all of that would be the orchestration part of it. Where does DevOps come in? DevOps is kind of the next step. This is where, when your developer pushes out a version of their application and pushes out an instance of that application, the operational portion that needs to happen, everything that happens in the orchestration, that workflow takes care of itself. So no longer does your developer need to call you and say, can you do this for me, can you enable this access, can you create this firewall rule, can you give these users access? That's all a

part of your DevOps environment. One of the things that we're seeing a lot now is the cloud. What do you guys think is pushing people to the cloud? Sorry? Okay, that's actually true, yeah: accounting. It gives you a cost reduction, according to what the cloud providers say. Where does that cost reduction come from? When you go and plug in an instance at Amazon AWS, or Azure, or Google, and you spin up your EC2 instance, for example, you don't have to worry about any of the backend that happened to get that EC2 instance; all of that's done for you,

that's all automated. And the reason that matters to accounting is because Amazon can do that way cheaper than most of us are doing it, because we're not automating; we haven't automated that. So it costs less, and that's the value of the cloud. And then you can also do the DevOps in the cloud, right? So when your developers push something in the cloud via the DevOps portion, that all can be taken care of too, if you have the services purchased from the cloud. You've got to pay for it, but it gets done. So that's where the value

of the cloud comes in: the savings, and the security that they have around that. If company A spins up an instance and company B spins up an instance, they are separate from each other, so there's inherent security built into that automated environment. Automation is not about taking away people's jobs, right? It's not about wanting to reduce the workforce. That's always a fear when people hear automation: what's going to happen to me as a network administrator, or what's going to happen to me as a firewall guy? The reality is automation is about changing the way we think. It's about the systems, the people, the

organization. It's about a change in the way you do things, rather than reducing headcount. These are some of the efficiencies. This was done by IDC: before automation you're spending 64% of your time essentially just doing what we call busy work. Nobody likes busy work. After automation that gets reduced to 45 percent, and this was actually just with network automation. The more automation you do in your environment, the less busy work there is. What does that free you guys up to do, as security people, as network people, as server people? It gets you to do the cool stuff. It gets you to improve your

environment. It gets you to take your environment from where it is today to where you want it to be tomorrow. You're not busy doing the administration stuff; nobody likes to do that. You want to do the new stuff, you want to do the cool stuff, right? That's what automation is meant to do. This is an interesting graph, because where is the inflection point where automation becomes valuable to you? If you've got a very small environment, you're not going to invest very much in automation. Once you grow to the point where you need automation and you don't have it, things can quickly spiral out of control, where suddenly you

don't have enough resources. We hear so much about "we don't have enough security people, it's hard to find security people." The reality is that we need to learn to use the tools that we have better. We need to learn how to take the day-to-day and make that more of an automated process, so that we're not killing our guys doing firewall changes and things along those lines, and they can hunt the security threats on their own. This is why: because everything's kind of in its own little silo. You've got all these fragmented little things, you've got multiple teams, you've got all these

applications, you've got all these different types of connectivity. Everybody has their ideas around what goes where and who can access what and what kind of security everybody needs. You've got multiple sources of truth. So really there's so much fragmentation. One of the things that we do really well is we're all specialized; a lot of us may be very focused in our area. So as overall security people we need to come together and understand that security needs to take a more overall view. Your desktop guys, your firewall guys, your database guys, they all need to come

together and make it more of a "what goes in what silo" from the perspective of technology, culture and processes, which are the three things that I call, or we call, the pillars of automation, because you need to build around these three to make automation a part of your company culture. So where's automation going and where is it today? Level zero is the human-driven stuff. This is the stuff that's really easy to automate: things like password changes, SNMP string changes, stuff that you do where you log into a box

manually and you change it, and then you log into another box and you change it. We've got systems now; almost everybody has something that can do that. That's day one. This is really where security starts to play: event-driven automation. Event-driven automation is when you have something that is outside of what a human does. For example, a security incident is a perfect example, and that security incident now drives a script or a change in the environment. That is essentially event-driven automation. The next one is the machine-driven, machine learning automation. This is where things are interesting and things will get more interesting. A couple of

gentlemen, one was talking about baselining, baselining a network, another talked about threat hunting. So you kind of bring that together and you start thinking: should we do that as human-driven, should we do that as people and try and baseline it, or do we grab our baselines, throw them into a big data system and let our machines determine what our baselines are, and then let the machine learn when you deviate from those baselines? And not just network baselines, but processors on the machine, on a PC. So if the processor normally averages 25 to 30 percent a day and suddenly it's sitting at 55 percent, that is

above your baseline. As individuals, as people, we probably can't do that, but if you have a machine doing that for you, now it can learn that this is happening, and then at some point it'll send you, "hey, is this normal?" You go look at it: not normal. And then you act upon it. Now it's learned; next time it sees that, it'll take the appropriate action, and as it learns it'll start to understand what's normal and what's not normal. Then the only time you'll need human intervention is where the machine is kind of like, "oh, I don't know what to do with this." But the more we're able to

learn what's normal and what's abnormal, and we put that into the system and the system is able to learn that, the less we have to do as administrators, and automation takes care of it for you. That's really the panacea of where automation can take us from a security perspective: we're no longer having to threat hunt, we're no longer having to look for vulnerabilities ourselves, we're no longer having to go through our logs and look for problems; it's all done on the backend. Human-driven workflows are always the easiest to automate, so if you've got human-driven workflows that you're still doing manually, this is really the

low-hanging fruit. How do you find what you should automate? If you're doing it over and over again; if it's something where every six months you get a bunch of people and they go through a process; it's repeatable; it requires several steps; it needs more than a couple of users; it's time-sensitive and error-prone. I've done, in past lives, where you have to go through and change passwords on 30 or 40 devices manually, and there were four or five of us doing it, so that's a couple hundred devices. How many of those do you think we accidentally typed the wrong password into? Quite a few. It's like one in 10, which is

like 10%. We would have to go back, so that's the type of work and the cost of doing that manually. So if you're doing anything in your environment that fits these, whether it's on Windows servers, whether it's in Linux, whether it's switching, routing, firewalls, these types of manual processes, start looking at these and say, how can we take these things and now make them into an automated process? And here's why. On the bottom of this, it's all about time. If you do something like this manually, in this example, you've got an administrator that leaves, and every device generally has a root

password. I mean, we're trying to get away from that, but still you need to have a back door if you get locked out or if your authentication doesn't work. So say that guy leaves. If I do this manually, depending on the number of devices it could be hours, days, could even be weeks if you did it manually. If you have an automated system it's probably going to take you a few minutes, right? The reality is you decide on a new password, or you generate a password, throw it into your system and it's done, so: minutes. From a security perspective, this guy's disgruntled; he's got all that time to possibly come in and do

damage to you. In this case he probably won't be able to do any damage, right? So there, from a security perspective, is why this matters. Event-driven, so non-user-driven workflows: things like security incidents, network outages, things that happen because of something non-human-driven, so a power outage or a reboot or something that is unexpected. That's an event. But the other thing to think about is when I walk into NAIT with my phone and I connect to the Wi-Fi, that is also an event, and onboarding me, making sure I'm on the right VLAN, making sure I'm not connected into, for example, a

network I shouldn't be, that's also an event. Managing that access is also automation, and a lot of that's often handled by a network access control system. That is an automation system; we call them different things, but we have some of these systems around. The important thing is to get these guys working together. So, events: you guys remember back in the days when SMB types of viruses were a big deal? You'd get a virus, and the first thing it would try and do is find open shares. Now it's ransomware, where it tries to go out and lock down as many machines as

possible and infect. So again, minutes, hours: if you catch that and try and resolve it manually, you get some sort of an alert, some sort of a ticket goes out, and then people run around trying to find the person. Maybe they're on Wi-Fi and they're moving from access point to access point, or boardroom to boardroom; they're not even from your environment. That can take a long time. You automate that, that's seconds. Your automated system, your firewall, whatever you have that's going to detect that threat, it's going to take that and neutralize that threat almost immediately. So again, time is a factor; time is the

number one thing when it comes to security and threats, and that's what automation buys you. To get into a little bit of automation: when you're automating security events, it's actually as simple as if-then, right? If this happens, then take this action. So for example, if an infection is detected, then assign to the quarantine VLAN. Obviously, as IT people we've all seen pseudocode. How this looks in your environment will vary, whether it's some sort of a system that you've purchased or a system that you've developed, but this is essentially what you're going to be doing, and what goes under that "if" will grow, right? So you

know, a couple more: if you see a port scan, if you see an infected file, and then you can just add to it, and that if statement can grow. You kind of get the picture. So time is your enemy; I can't mention this enough. Automation of both human-driven and event-driven workflows is all about reducing the time: the time to recover, find that event, act, don't let that infection spread, and keep yourself safe. So what does it all look like? I have a pretty solid network background, so I'm going to go on the network side of things. You're

going to have a bunch of switches. You probably have some sort of an NGFW firewall. You probably take some sort of scans off your switches, like flow data off of those, and put that into some sort of SIEM and logging. Then you'll have what I've called an analytics engine: some sort of telemetry, some sort of intelligence. What that is, there are products available, there are things that are kind of coming; is anything kind of ready? There are probably a few things you can plug into to work on these stats, but really the reality is that that analytics engine, whatever you

use, has to be customized for your environment. So for example, if you have a SCADA environment, you're going to see a certain kind of traffic. SCADA traffic generally is very, very low bandwidth, so maybe your analytics engine now must be programmed for that very low bandwidth. An attack on a SCADA environment is something we call low and slow, so it could just be, instead of 16K of traffic, you're seeing 18K of traffic. So now you understand that. Whatever analytics engine you use, whatever telemetry you're going to use, whatever intelligence you're going to use to create the intelligence

behind your automation, that's going to go into your automation tool: hey, go take this action on my firewall or my switches, block that MAC address, or move that MAC address to quarantine, or what have you. There are some very large environments that I'm aware of where there are thousands and thousands and thousands of switches and there are less than 10 network administrators. What they do to make changes, if you remember that statement, if it's happened before it's going to happen again: generally, if you're making a change once, you're probably going to make it again. So all they do is they log into their automation tool. They don't have access to their firewall, they don't have

access to their switches; they can only go into their automation tool, write scripts, do some programming on there, and then that gets reviewed and then pushed out. So once that one is written, now you go and you change some variables and then you do it again for your next change, or what have you.

So how do you get started? This is a bit of an eye chart, so I'll step back here. Really, it's all about what you're looking to get out of it. You've got to have a strategy, and you've got to dig into the why: why am I going to do this? Is it just to reduce costs? That's honestly not a good driver to automate, because of the way things are getting complicated. If you want to do anything in a black box, someone talked about outsourcing yesterday; outsourcing to an extent is like, let me throw everything into this black box and not worry about it. The work still has to happen. So

determine what you want. Why are you automating? What kind of efficiencies are you looking for? Dig into the why: why do I want my switches to be automated, why do I want my UNIX guys to not be able to log directly into my UNIX box? So dig into why you want to do this, lay that out as a very robust strategy on automation, understand the skill sets that are required. This is something that's really changed in the past three to four years, right? A lot of guys that are maybe network admins or UNIX admins or whatever, some of us hadn't

written code in 15 or 20 years; now we've got to go and learn Python, go learn how to script, how to write code. So coding skills are now becoming more and more valuable again. We say there's not a lot of security people out there; NAIT graduates a lot of coders every year, you have U of A, U of C, SAIT, so coders are out there. You've got to maybe teach them a little bit of security and then some of the protocols. So understand the skill sets that are out there. Understand the automation capabilities of your platforms: what kind of APIs do they have, what can they do from an automation perspective, what automation do they support, are they

automation-averse? There are platforms out there that are really closed, so understand that capability. And then you're going to look at tool sets, and tool sets is where you really want to look at something that automates not just one subset of your environment. We talked earlier about teams: you want to bring all your teams together to decide on any tool set, because you don't want a tool set that just does one type of hardware, one type of infrastructure in your environment. You don't want something that just does servers, you don't want something that just does virtualization; you want something that does as broad as possible. So you decide on your tool sets, and then from there

you've got to start small. You start with the easy, the low-hanging fruit first: you automate, then you orchestrate, and then you move to DevOps. And honestly, unless you're actually writing code and deploying code into an environment, there's a lot of us that will never even move into DevOps. So again, this means kind of breaking some of those walls. This means your firewall guys have got to go talk to your Windows guys. We need to have those cross-functional teams, people that can collaborate with each other. You need your goals clearly laid out; it's a team

approach to everything, essentially, understanding what you're trying to get at. And you want to evangelize the benefits of automation. Not everybody's going to understand. Like we talked about earlier, there's going to be resistance; some folks are going to think you're going to take their jobs. That's not really how it works; it's going to be a change in the way folks do their jobs. It's not hard to go out and learn Python; it's a couple of weeks, to be honest. A lot of people make mistakes. Anybody here never made a mistake? I've taken down some very large environments, I'm not going to say which and how, but it's

something we've all done: when, instead of putting the default gateway in the default gateway field, you put in the IP address, and now you've duplicated the default gateway for an entire organization of 10,000 people and killed everybody's internet access. Automation would've fixed those problems. So there are a lot of tools out there. It's a bit of an eye chart; there's a lot of people doing this, but if you look at this list there are some that are going to stand out. Python has taken over as really the de facto language for automation. There are a few here that need agents, there are a few that work with certain

platforms, some work better with others. Interestingly enough, a lot of these automation tools talk to each other. So let's say you want to go and start playing, or wonder what this automation thing is: Ansible, I mean, is dead easy to install. I work for Juniper, I don't work for Ansible, I'm just going to put that out there. There's a free version which you can use, CLI-based; it really gives you an idea of what automation looks like, and it can do things like Linux automation, it can do a whole flood of network devices, and a lot of networking devices are ripe for

automation. And I thought, Codecademy, anybody use it? Codecademy is good; it's got a pretty good course on Python. Of course, Python you can learn; I've been in all those places. Coursera has information on Python. So if you want to learn, kind of, where do I go from here? Automation is coming; how do I enable myself to be at the forefront, to be a leader? Python is a good place to start. And that's it. So I'll let you guys get to the weekend. Thank you. [Applause]
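The if-then event-driven automation the speaker describes (infection detected, so move to the quarantine VLAN; a port scan; an infected file; a reading above a learned baseline, such as 25 to 30 percent CPU jumping to 55 percent, or a SCADA link going from 16K to 18K, which gets a human asked "is this normal?") as an added Python example. This is not code from the talk, from Juniper or from any product: the event format, rule set, quarantine VLAN id, baseline ranges and action names are assumptions, and actions are only recorded, never sent to a device.

```python
"""Event-driven security automation as if-then rules, in the talk's model.

Constructed example: event format, rules, baselines and action names are
assumptions, not any vendor's API. Actions are recorded, not pushed anywhere.
"""
from dataclasses import dataclass, field
from typing import Callable

QUARANTINE_VLAN = 999  # assumed quarantine VLAN id


@dataclass
class Event:
    kind: str                   # "infection", "infected_file", "port_scan", "telemetry"
    source: str                 # host, sensor or switch that raised the event
    mac: str = ""               # endpoint MAC, where the event has one
    data: dict = field(default_factory=dict)


@dataclass
class Action:
    target: str                 # automation-tool endpoint: "switch", "firewall", "ticket"
    verb: str
    args: dict


# Baselines the analytics engine has learned: normal CPU is 25-30 % and a SCADA
# link carries about 16K (values from the talk; the ranges are assumed).
BASELINES: dict[str, tuple[float, float]] = {
    "cpu_pct": (25.0, 30.0),
    "scada_bps": (15_000.0, 17_000.0),
}


def outside_baseline(metric: str, value: float) -> bool:
    """True when a reading falls outside the learned range for that metric."""
    low, high = BASELINES[metric]
    return not (low <= value <= high)


def confirm_normal(metric: str, value: float) -> None:
    """A human answered 'yes, this is normal': widen the range so the same
    reading is not flagged again (the 'now it's learned' step)."""
    low, high = BASELINES[metric]
    BASELINES[metric] = (min(low, value), max(high, value))


def quarantine(e: Event) -> Action:
    return Action("switch", "set_vlan", {"mac": e.mac, "vlan": QUARANTINE_VLAN})


# Each rule is (name, condition, action builder); every matching rule fires.
RULES: list[tuple[str, Callable[[Event], bool], Callable[[Event], Action]]] = [
    ("infection detected -> quarantine VLAN",
     lambda e: e.kind == "infection", quarantine),
    ("infected file seen -> quarantine VLAN",
     lambda e: e.kind == "infected_file", quarantine),
    ("port scan -> block MAC at the firewall",       # scan threshold is assumed
     lambda e: e.kind == "port_scan" and e.data.get("ports", 0) >= 20,
     lambda e: Action("firewall", "block_mac", {"mac": e.mac})),
    ("telemetry outside baseline -> ask a human",
     lambda e: e.kind == "telemetry"
     and outside_baseline(e.data["metric"], e.data["value"]),
     lambda e: Action("ticket", "open",
                      {"source": e.source, "metric": e.data["metric"],
                       "value": e.data["value"], "question": "is this normal?"})),
]


def handle(event: Event) -> list[Action]:
    """Run every rule against one event; return the actions to push out."""
    return [build(event) for _name, cond, build in RULES if cond(event)]


def handle_all(events: list[Event]) -> list[Action]:
    return [a for e in events for a in handle(e)]


# Constructed sample events, not captured from any real network.
SAMPLE_EVENTS = [
    Event("infection", "av-server", mac="00:11:22:33:44:55"),
    Event("port_scan", "ids", mac="66:77:88:99:aa:bb", data={"ports": 120}),
    Event("port_scan", "ids", mac="66:77:88:99:aa:cc", data={"ports": 3}),
    Event("telemetry", "pc-42", data={"metric": "cpu_pct", "value": 55.0}),
    Event("telemetry", "plc-link", data={"metric": "scada_bps", "value": 18_000.0}),
    Event("telemetry", "pc-43", data={"metric": "cpu_pct", "value": 28.0}),
]

if __name__ == "__main__":
    for action in handle_all(SAMPLE_EVENTS):
        print(action.target, action.verb, action.args)
```

Running it prints one quarantine, one firewall block and two "is this normal?" tickets; the three-port scan and the 28 percent CPU reading match no rule, and after `confirm_normal("cpu_pct", 55.0)` the 55 percent reading stops raising a ticket.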
