Innovative Minds - On Point - One Group  

MindPoint Group Blog

05
Nov
2019

It’s past time we modernized security hardening procedures

By:

Security baseline automation of STIG and CIS controls with Ansible is improving resource management and compliance

With an ever-growing workload to accommodate, IT is deploying cloud services and automation to help keep pace with its line-of-business demands. A factory-like mentality towards IT infrastructure operations has allowed businesses to improve upon its SLAs while increasing the quality of service delivery.

Photo Credit: Pixababy

Many security practices haven’t yet benefited from modern IT automation practices. Most enterprises continue hardening systems with manual processes fraught with human error and inefficiencies. So why did security get left behind the automation revolution? Like autonomous driving technology, IT security automation is still in its infancy. Up until recently, it was more conceptual than operational. 

Here’s how it typically works. Security teams dictate a policy based on other third party security guidance (FISMA, NIST, DISA, CIS, PCI, HIPAA—the list goes on). After the policy is approved, Security hands it off to IT operations teams who are left to execute in whatever manner they can. While many IT ops teams automate aspects of vulnerability detection and triage, few will attempt to automate the application of security controls through end-to-end automation or CI/CD. To be fair, if applied without tact, automating system security configurations can do more harm than good by causing disruption to production environments and failing to properly secure systems to the standards they were meant to. So instead of trying to automate, teams often play it “safe” with manual steps once a system has been deployed.

The time and money businesses are spending on security hardening indicates that a more cost-effective and capable solution is needed for applying and maintaining security controls. However, current market solutions fail to provide sufficient value and ease of access.

For instance:

  • Cloud Service Providers provide a golden image with security settings already in place. Yes, the image is secure and compliant, but it rarely remains so over the course of its lifecycle. The second an app is installed or the system updated, it’s likely no longer compliant. Of course, this is one of the reasons audits are so painful!
  • Managed Service Providers are capable of delivering secured infrastructure to a client, but many are costly and require the client to relinquish control of their own systems. This relationship sets up a communication divide between client and MSP that many have found to be inefficient, and the market is proving this out with many ending their MSP contracts and taking back control.
  • The do-it-yourself option requires scanning tools to evaluate vulnerabilities within the estate. You’ll then need to write remediation scripts or manually correct vulnerabilities. This is a risky option depending on your exposure, and an expensive cost center to maintain.

Businesses with effective systems security strategy deploy continuous monitoring and remediation toolchains to keep their systems compliant. MindPoint Group’s cybersecurity experts are helping to democratize a pivotal piece of security strategy through a certified content offering that automates hundreds of third party controls. We’ve used our expertise in cybersecurity to automate popular security baselines such as CIS and STIG to infrastructure, operating systems, and applications. The following features are included as part of our annual subscription:

  • Comprehensive and customizable security baseline automation written in Ansible – the most popular and fastest-growing configuration management tool in the world.
  • Testing strategies that can be integrated into any workflow for validation and scoring.
  • Quality assurance, ongoing maintenance, and an SLA to ensure we provide automation that works and keeps up with changes.

Want to learn more? Check out this quick demo on security baseline automation and reach out with any questions.

Additional resources:

 Lockdown Enterprise 

Why Ansible is an awesome execution engine for security controls


Categories: Automation, ISP Blog and tagged , , ,
Share:
 

MindPoint Group Blog

15
May
2019

Even with automation, security baselines like STIG or CIS remain a challenge to manage. But there is hope.

By:

Ever ask a sysadmin what they find most tedious about their job? If they’re being honest, keeping up with security patching and compliance causes the most headaches. Surprised? You shouldn’t be. Patching continues to be a labor-intensive job with dire consequences for misconfigurations that could down a system or expose parts of the environment to attack. The process itself frequently takes critical systems offline and disrupts the business, exposing weaknesses and incompatibilities that create rework for other areas of your department (making you VERY unpopular). Unfortunately, this happens because security policies are full of vague and seemingly conflicting requirements that run counter to the broader business objectives of shipping new revenue-generating features to end users and customers as quickly as possible.

Photo by Tim Gouw from Pexels

Automation has become a problem-solving buzzword in IT operations, yet despite the near-ubiquitous use of automated system patching tools for daily IT operations, automating complex security hardening policies has remained largely an unsolved problem. The gap between what is “good enough” vs the recognized industry hardening standard is so wide that it’s become a major contributor to the uptick of security breaches across data-sensitive industries.

Patching perils

Consider, for instance, patching a RHEL (or CentOS, or Ubuntu, or Arch Linux… you get the point) system. How do you ensure the patch has not been tampered with, and is originating from a trusted vendor repository? In the case of RHEL distributions, this requires configuring gpgcheck to equal 1 in the /etc/yum.conf file, otherwise the server will allow installation from any repo without a valid signature. But what about that one repo you need that doesn’t have signed packages? Can you (and your organization) afford to make an exception for that repo while ensuring that everything else is locked down with appropriate signatures? Is this policy able to be translated into effective automation? My point is that there are hundreds of controls and exceptions that need to be implemented for proper security compliance, and that writing these security policies into automation is rarely done well—if at all. Often controls like this are applied painstakingly by hand in production environments after a system or application has been deployed, then manually justified when they cannot be universally applied. It’s a serious problem which has plagued our industry for years.

Applying security policies to complex, bespoke system infrastructure takes more than automation—it takes human ingenuity and logical compromise. Someone (or more likely a team) with the proper expertise, experience, and authority must translate exacting security standards into executable policy that abides by an industry standard, yet is implementable and (ideally) automatable. Arriving at the compromise between policy and procedure is tough, but once you’re there, then you can automate as usual for the productivity and security gains every organization needs.

Real-world ramifications

Imagine how these underlying problems play out in the real world. A developer makes some feature changes to an application. Those new features, once locally tested and approved in pre-production, are pushed to testing and eventually to production. At this point comes the rub, and most operations teams usually have three paths they can take:

  • Deploy the application as-is into the secured production environment. Promptly brick said application since system, app, and network configurations are typically different from that of the pre-production development and test environments. Prepare for a fight.
  • Punt the application back to development with a security assessment report rendering the application unimplementable without some amount of rewrite. Prepare for a fight.
  • Relax the security controls of the production environment to accommodate the application. Prepare for a breach, then a fight.

In this scenario, there’s no path forward that doesn’t end in an acrimonious discussion between the security, development, and operations teams. Faced with this decision, most organizations press the easy button for option 3 again and again, which has long term security implications to all systems, and configuration drift headaches to deal with later on.

There is a better way

At MindPoint Group (MPG), we’ve seen these problems first hand, and although it’s no simple task to apply complex policies to a complex environment, MPG’s expertise in security and engineering is key to the value we provide for our clients. NASA, for instance, has partnered with MPG for over six years in order to modernize and secure their many environments. One of the key accomplishments we’ve helped NASA achieve is a continuous application of custom-made STIG and CIS baselines across a cloud environment. This includes over 300 unique controls across differing versions of 4 major Linux variants – RHEL, AWS Linux, Ubuntu, and CentOS – and hardening rules for over 120 applications. Using Ansible & Packer, MPG organized the sprawl of golden images, secured them according to NASA’s requirements, then wrote policy to accommodate new architecture and cloud services. What once took them 3+ hours per system now takes them 7 minutes.

With regulatory fines being levied against private corporations in Europe, and public awareness of lax data policy affecting brand reputation, the private sector can no longer afford to take system security lightly. Need proof? Just look at all the trouble Facebook is in right now for shipping fast and cutting corners. So if you’d like to fully take advantage of Ansible’s security capabilities, then we’d love to talk. If you’re not an Ansible user (yet) but need assistance ramping up several aspects of your security strategy, then we’re happy to help with that too.

Categories: Automation, Compliance and tagged , , , ,
Share: