
MindPoint Group Blog


It’s past time we modernized security hardening procedures


Security baseline automation of STIG and CIS controls with Ansible is improving resource management and compliance

With an ever-growing workload to accommodate, IT is deploying cloud services and automation to keep pace with line-of-business demands. A factory-like mentality towards IT infrastructure operations has allowed businesses to improve their SLAs while increasing the quality of service delivery.


Many security practices haven’t yet benefited from modern IT automation practices. Most enterprises continue hardening systems with manual processes fraught with human error and inefficiencies. So why did security get left behind the automation revolution? Like autonomous driving technology, IT security automation is still in its infancy. Up until recently, it was more conceptual than operational. 

Here’s how it typically works. Security teams dictate a policy based on third-party security guidance (FISMA, NIST, DISA, CIS, PCI, HIPAA—the list goes on). After the policy is approved, Security hands it off to IT operations teams, who are left to execute it in whatever manner they can. While many IT ops teams automate aspects of vulnerability detection and triage, few attempt to automate the application of security controls through end-to-end automation or CI/CD. To be fair, if applied without tact, automating system security configurations can do more harm than good: it can disrupt production environments and fail to secure systems to the standards they were meant to meet. So instead of trying to automate, teams often play it “safe” with manual steps once a system has been deployed.

The time and money businesses are spending on security hardening indicates that a more cost-effective and capable solution is needed for applying and maintaining security controls. However, current market solutions fail to provide sufficient value and ease of access.

For instance:

  • Cloud Service Providers provide a golden image with security settings already in place. Yes, the image is secure and compliant, but it rarely remains so over the course of its lifecycle. The second an app is installed or the system updated, it’s likely no longer compliant. Of course, this is one of the reasons audits are so painful!
  • Managed Service Providers are capable of delivering secured infrastructure to a client, but many are costly and require the client to relinquish control of their own systems. This relationship sets up a communication divide between client and MSP that many have found to be inefficient, and the market is proving this out with many ending their MSP contracts and taking back control.
  • The do-it-yourself option requires scanning tools to evaluate vulnerabilities within the estate. You’ll then need to write remediation scripts or manually correct vulnerabilities. This is a risky option depending on your exposure, and an expensive cost center to maintain.

Businesses with an effective systems security strategy deploy continuous monitoring and remediation toolchains to keep their systems compliant. MindPoint Group’s cybersecurity experts are helping to democratize a pivotal piece of security strategy through a certified content offering that automates hundreds of third-party controls. We’ve used our expertise in cybersecurity to automate the application of popular security baselines such as CIS and STIG to infrastructure, operating systems, and applications. The following features are included as part of our annual subscription:

  • Comprehensive and customizable security baseline automation written in Ansible – the most popular and fastest-growing configuration management tool in the world.
  • Testing strategies that can be integrated into any workflow for validation and scoring.
  • Quality assurance, ongoing maintenance, and an SLA to ensure we provide automation that works and keeps up with changes.

Want to learn more? Check out this quick demo on security baseline automation and reach out with any questions.

Additional resources:

Lockdown Enterprise

Why Ansible is an awesome execution engine for security controls



A Tale Of Two Tools: When Splunk met SecurityCenter


Co-Authors: Keith Rhea and Alex Nanthavong

It was the best of times, it was the worst of times, it was the age of technological advancements, it was the age of attack, it was the epoch of cybercrime, it was the epoch of opportunity, it was the season of Remediation, it was the season of Exploitation, it was the spring of Security, it was the winter of Vulnerability. We had targets and queries before us, with the data all going direct to SecurityCenter, while the queries were all staying in Splunk — in short, the race between attackers’ access to exploits and defenders’ ability to assess, remediate and mitigate them remained a never-ending cycle. The usefulness and identification of new vulnerabilities could no longer rely on either tool operating independently of each other. When Splunk met SecurityCenter, the alerts of outstanding vulnerabilities were received for remediation before compromise and helped to stay ahead of exploitation.[1]

With the integration of security tools, vulnerability management programs can improve the security posture of cloud environments. Tenable Research published a study that measured the difference between the time an exploit for a vulnerability becomes publicly available (Time to Exploit Availability, TtEA) and the time the vulnerability is first assessed (Time to Assess, TtA). The delta, negative or positive, indicates the window of opportunity (or lack thereof) for an attacker to exploit a vulnerability that has not yet been assessed. The researchers based their analysis on a sample set of the 50 most prevalent vulnerabilities drawn from nearly 200,000 unique vulnerability assessment scans over a 3-month period in late 2017, and their findings indicate that attackers have a significant advantage over defenders.

As migration to the cloud and adoption of cloud business models increase, assets in those environments are constantly being created and retired. Traditional forms of asset tracking are woefully inefficient in highly dynamic cloud environments, and the same is true of traditional vulnerability management systems and techniques. Continuous vulnerability assessment can be used to improve the TtA. However, that alone is not enough to fully mitigate the nightmare of performing effective vulnerability management in these rapidly changing environments. Analysis of vulnerability scanning behavior indicates that just over 25 percent of organizations conduct vulnerability assessments with a frequency of two days or fewer. Contrary to popular belief, a successful vulnerability management program includes more than just a snapshot-in-time scan of an environment. While point-in-time scanning is an achievable first step for most organizations and reduces the head start attackers have on most vulnerabilities, it still leaves a negative delta and an exposure gap for many vulnerabilities. The impact of this exposure gap can be significant depending on the vulnerabilities in question. Shortening the window between scans and moving towards continuous or near real-time vulnerability scanning will have the most positive impact on the TtEA vs. TtA time delta.

Not only should regular scanning occur, but the vulnerabilities identified need careful analysis to determine the risk they pose, taking into account any compensating controls available in the environment. This analysis provides the basis for determining remediation timeframes. Everyone agrees that vulnerability management is a necessary function of an effective security practice; in our experience, however, this alone is not enough to combat the speed at which attackers move. We advocate that organizations shorten the vulnerability scan cycle time as much as possible, while also improving upon traditional, static asset tracking by gathering data dynamically from sources like cloud infrastructure APIs and CMDBs. As Dickens says, as if he were a Security Officer, “Nothing that we do, is done in vain. I believe, with all my soul, that we shall see triumph.”[2]

Achieving Better TtA via Integration of Splunk and SecurityCenter

MindPoint Group security engineers were able to enhance all phases of their vulnerability management program by integrating Splunk and Tenable SecurityCenter. This integration allows the team to gather asset data via the cloud infrastructure API and correlate that data with near real-time vulnerability data. The team is now able to adapt and react more quickly to the rapidly evolving threat landscape in highly dynamic operating environments. The correlation and analysis of vulnerabilities within a highly dynamic cloud environment is made possible by using SecurityCenter to scan, consolidate, and evaluate vulnerability scans across the organization, and Splunk to aggregate vulnerability data, asset data, and other sources of events and log data from various components of a large cloud environment. With all these sources of data ingested real-time into the Splunk environment, reports and alerts can now be generated to provide in-depth, on-demand vulnerability data to address potential threats as they are discovered.

So How Does it Work?

Security tooling is important, and having tools configured and operating correctly is an important first step for a security team. The effectiveness of individual security tools is greatly reduced when they operate independently of each other, and many security teams greatly increase their effectiveness by integrating existing tools, processes, and data sources instead of buying yet another tool. The diagram above illustrates the vulnerability management process and the components needed to integrate SecurityCenter and Splunk. This integration is important because it provides security teams with the ability to move beyond the old standards and methods of periodic vulnerability scanning. Integrating these two tools gives security teams an enhanced view of their data for improved aggregation, searching, and reporting. An enhanced vulnerability management approach based on an agile, API-driven, DevSecOps model is necessary to decrease the TtA for vulnerabilities and ultimately shorten the time delta for defenders. Each tool plays a crucial role in the overall integration and enables security teams to have more actionable information to ensure timely remediation.

Once scan data, cloud asset data, and other data sources have been fed into Splunk we are able to use the following query. The subsearch picks the 15 most recently finished scans (excluding dead and internal “Security” scans) and hands their names back to the outer search, which joins each finding to the AWS inventory by private IP, keeps only hosts carrying the required tags, and counts them. scan_result_info.name is assumed as the scan-name field where the original query’s filter and rename had lost it:

index=tenable* (
    [ search index=tenable* scan_result_info.name!=*DEAD* scan_result_info.name!=*Security*
    | rename scan_result_info.name as ScanName
    | convert num(scan_result_info.finishTime) as time
    | eval finish=strftime(time, "%Y-%m-%d %H:%M:%S")
    | dedup ScanName
    | table ScanName finish
    | return 15 $ScanName ])
| lookup aws-instances.csv private_ip_address as ip
| search tags.ApplicationID=* accountName=* tags.op_env=*
| stats count

From within Splunk we are then able to produce reports, alerts, and dashboards to provide development, operations, and security teams with in-depth, on-demand vulnerability data to address potential threats as they are discovered. Alerts can be customized so that they are generated using the remediation and prioritization criteria mandated by an organization.

Once security teams are continuously alerted and armed with vulnerability data, they are better able to align operational processes to support rapid response and ad hoc remediation and mitigation requests outside of regular maintenance and patch windows. Those efforts for targeted remediation and prioritization can be better focused on vulnerabilities with publicly available exploits and those actively being targeted by malware, exploit kits and ransomware.
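The same correlation the SPL query performs, and the exploit-first prioritization described above, written in Python over constructed records so the logic can be read and tested outside Splunk. This is an added example, not code from the original post; the field names pluginID, severity, exploitAvailable and scan_result_info.name are assumed, the rest appear in the query itself.

```python
from datetime import datetime, timezone
# Constructed sample records (not from the original post) shaped like the fields the
# post's SPL uses; pluginID, severity, exploitAvailable, scan_result_info.name are assumed.
FINDINGS = [
    {"scan_result_info.name": "Prod-Weekly", "scan_result_info.finishTime": "1527811200",
     "ip": "10.0.1.5", "pluginID": "100001", "severity": "4", "exploitAvailable": "true"},
    {"scan_result_info.name": "Prod-Weekly", "scan_result_info.finishTime": "1527811200",
     "ip": "10.0.1.6", "pluginID": "100002", "severity": "2", "exploitAvailable": "false"},
    {"scan_result_info.name": "Prod-Weekly", "scan_result_info.finishTime": "1527811200",
     "ip": "10.0.1.7", "pluginID": "100004", "severity": "3", "exploitAvailable": "true"},
    {"scan_result_info.name": "DEAD-hosts", "scan_result_info.finishTime": "1527724800",
     "ip": "10.0.1.5", "pluginID": "100003", "severity": "4", "exploitAvailable": "true"},
]
AWS_INSTANCES = [  # stands in for the aws-instances.csv lookup; empty tag = untagged host
    {"private_ip_address": "10.0.1.5", "accountName": "prod", "tags.ApplicationID": "billing", "tags.op_env": "prod"},
    {"private_ip_address": "10.0.1.6", "accountName": "prod", "tags.ApplicationID": "web", "tags.op_env": "prod"},
    {"private_ip_address": "10.0.1.7", "accountName": "prod", "tags.ApplicationID": "", "tags.op_env": "prod"},
]
REQUIRED_TAGS = ("tags.ApplicationID", "accountName", "tags.op_env")

def recent_scans(findings, limit=15):
    """Subsearch equivalent: skip DEAD/Security scans, dedup by scan name, keep the
    `limit` most recently finished ones as {name: "YYYY-mm-dd HH:MM:SS"}."""
    latest = {}
    for f in findings:
        name = f["scan_result_info.name"]
        if "DEAD" in name or "Security" in name:
            continue
        latest[name] = max(latest.get(name, 0), int(f["scan_result_info.finishTime"]))
    kept = sorted(latest, key=latest.get, reverse=True)[:limit]
    fmt = lambda ts: datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return {n: fmt(latest[n]) for n in kept}

def correlate(findings, instances, limit=15):
    """Outer search equivalent: keep findings from recent scans, join to the AWS
    inventory on private IP, drop hosts missing a required tag, and order rows
    exploitable-first then by severity (the post's remediation prioritization)."""
    scans = recent_scans(findings, limit)
    by_ip = {i["private_ip_address"]: i for i in instances}
    rows = []
    for f in findings:
        inst = by_ip.get(f["ip"])
        if f["scan_result_info.name"] not in scans or inst is None:
            continue
        if not all(inst.get(t) for t in REQUIRED_TAGS):  # tags.ApplicationID=* etc.
            continue
        rows.append({**f, **inst, "finish": scans[f["scan_result_info.name"]]})
    rows.sort(key=lambda r: (r["exploitAvailable"] != "true", -int(r["severity"])))
    return rows
```

`len(correlate(FINDINGS, AWS_INSTANCES))` is the `stats count` of the query; the finding from the dead scan and the one on the untagged host are excluded.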

This enables up-to-date situational awareness and threat context to evaluate true risk and exposure as well as to inform and guide decision making. By leveraging the integration of Tenable, Splunk, and AWS, vulnerability, configuration, and asset data can be used to conduct deep security analysis, and achieve the awareness, perspective and information needed to make effective security decisions.


[1] Dickens, C. (1867). A Tale of two cities, and Great expectations (Diamond ed.). Ticknor and Fields, Book 1, Chapter 1: The Period

[2] Dickens, C. (1867). A Tale of two cities, and Great expectations (Diamond ed.). Ticknor and Fields, Book 2, Chapter 16: Still Knitting

Quantifying the Attacker’s First-Mover Advantage. (2018, May 24). Retrieved June 1, 2018, from
