A Snake in the Bits
Security Automation with Python
Moses Schwartz, Security Automation Engineer
moses@box.com | @mosesschwartz | github.com/mosesschwartz
Andy Culler, Security Automation Engineer
aculler@box.com | github.com/aculler
PyCon 2019
Slide 2: Incident response / security monitoring infrastructure, before automation
Diagram: network devices, user laptops, servers and security tools send logs to the SIEM, which raises alerts; user email reports and other sources arrive alongside them. The ticketing system, Active Directory, asset management, VirusTotal and the playbook docs all sit around the analyst with no defined connections between them ("???? ????").
Slide 3: Splunk alert development
Build a search query that matches the condition you want to alert on.
Slide 4: Splunk alert development (continued)
• Create an alert using your search query.
• Best practice is to create an App to contain all of your custom settings.
• I like to specify a cron schedule for maximum flexibility.
• Ensure your time range matches the schedule.
Slide 5: Splunk alert development (continued)
• Trigger when Number of Results is greater than 0.
• Trigger for each result: Splunk webhooks only include the first row of data.
• Add a Webhook Trigger Action and aim it at your server (we'll build this in the next step).
Slide 6: Receive Splunk webhook payload (automation_server.py)
• We will use Flask for super simple API development.
• Always include a status/health endpoint.
• splunk_webhook will write the JSON payload with indentation to a file.
• host="0.0.0.0" exposes this to the world!
Slide 7: Run the server and check the output (automation_server.py)
• It's JSON from our alert!
• Development tip: modify that alert to run every minute and extend the time range.
• Don't run it like this in production: there are many tutorials on deploying a Flask app with Nginx or Apache and a WSGI server.
Slide 8: Keep secrets out of git! (settings.py)
• Your code should be under version control, but your passwords shouldn't!
• A super lightweight approach is to keep your secrets and settings in a Python file that is NOT checked in with code (don't forget to add this file to your .gitignore).
• This file can then be pushed as part of configuration management or manually.
Slide 9: Round two: ticket creation (automation_server.py)
• Let's create a ticket in Jira.
• Create your authenticated JIRA object using the Python library.
• Use the create_issue method to create the ticket and set fields.
Slide 10: Jira issue created
• After the next Splunk webhook fires, we'll have a Jira ticket.
• Right now the description is just a JSON blob of the alert.
Slide 11: Jira webhook configuration
• Create a webhook to do enrichments; start by just extracting user and MD5 and commenting on the ticket.
• Point the URL to your automation server with a new endpoint.
• Filter for Issue created events that match our project and alert name.
Slide 12: Add a comment to Jira (automation_server.py, code shown on the slide)
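The Jira side of slides 11 and 12, as an added example rather than the talk's automation_server.py: it filters the webhook delivery for Issue-created events in our project for our alert, pulls the user and MD5 out of the JSON blob in the description, and posts the comment. It assumes the standard Jira webhook body (webhookEvent, issue.key, issue.fields), that ticket summaries start with the alert name, and hypothetical JIRA_PROJECT and ALERT_NAME settings.

```python
import json
import re

# Hypothetical values that would live in the un-committed settings.py
JIRA_PROJECT = "SEC"                  # project key the alert tickets land in
ALERT_NAME = "Suspicious file hash"   # Splunk search_name that created them

MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")


def should_process(event, project=JIRA_PROJECT, alert_name=ALERT_NAME):
    """True only for issue-created events in our project for our alert.

    Jira can filter the webhook with JQL on its side as well; checking again
    here means a misconfigured webhook cannot make us enrich unrelated tickets.
    """
    if event.get("webhookEvent") != "jira:issue_created":
        return False
    fields = event.get("issue", {}).get("fields", {})
    if fields.get("project", {}).get("key") != project:
        return False
    # Assumes the ticket summary starts with the alert name (constructed convention)
    return str(fields.get("summary", "")).startswith(alert_name)


def extract_indicators(description):
    """Pull user and MD5 out of the alert JSON blob in the ticket description.

    Returns {'user': ..., 'md5': ...}, with None for anything not found. If the
    description is no longer the JSON blob (someone edited the ticket), a
    regex still recovers an MD5-shaped token.
    """
    user = md5 = None
    try:
        alert = json.loads(description)
        result = alert.get("result", {}) if isinstance(alert, dict) else {}
        if isinstance(result, dict):
            user = result.get("user")
            md5 = result.get("md5") if isinstance(result.get("md5"), str) else None
    except (TypeError, ValueError):
        pass
    if md5 is None:
        match = MD5_RE.search(description or "")
        md5 = match.group(0) if match else None
    if md5 is not None:
        md5 = md5.lower()          # normalise so VT lookups and de-duplication match
    return {"user": user, "md5": md5}


def build_comment(indicators):
    """Format the first-pass enrichment comment in Jira wiki markup."""
    return ("h4. Automation: indicators extracted\n"
            "||Field||Value||\n"
            "|user|%s|\n"
            "|md5|%s|" % (indicators["user"] or "not found",
                          indicators["md5"] or "not found"))


def handle_jira_webhook(event, jira_client=None):
    """Process one webhook delivery; return the comment text, or None if skipped.

    jira_client is an authenticated jira.JIRA object (the Python library the
    talk uses); leave it None to run the logic without posting anything.
    """
    if not should_process(event):
        return None
    issue = event["issue"]
    indicators = extract_indicators(issue.get("fields", {}).get("description"))
    comment = build_comment(indicators)
    if jira_client is not None:
        jira_client.add_comment(issue["key"], comment)   # JIRA.add_comment(issue, body)
    return comment
```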
Slide 13: Look up a user in Active Directory (ad_lookup.py)
Returns a dict loaded from JSON:
{'entries': [{'attributes': {
    'cn': 'Moses Schwartz',
    'title': 'Staff Security Engineer',
    'company': 'Box, Inc',
    'department': 'Security Automation',
    'employeeID': '1234',
    'l': 'Redwood City',
    'streetAddress': '900 Jefferson Avenue',
    # ... tons more fields omitted
}}]}
Slide 14: Active Directory lookup enrichment (automation_server.py, code shown on the slide)
Slide 15: Get a file scan report (virustotal.py)
Example report (truncated):
{'scan_id': 'e3b0c44298fc1c149afbf48996f...',
 'sha1': 'da39a3ee5e6b4b0d3255bff9560189...',
 'resource': 'd41d8cd98f00b204e980098ecf...',
 'scan_date': '2019-03-01 23:35:34',
 'permalink': 'https://www.virustotal.com/...',
 'total': 60,
 'positives': 0,
 'md5': 'd41d8cd98f00b204e9800998ecf8427e',
 'scans': {'Bkav': {'detected': False,
                    'version': '1.3.0.9899',
                    'result': None,
                    'update': '20190301'},
           # .... more engines omitted
           }}
Slide 16: Now with AD and VT enrichments (automation_server.py, code shown on the slide)
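What the enrichment endpoint does with the two lookups, as an added example (not the talk's automation_server.py): it consumes the ad_lookup.py structure from slide 13 and the virustotal.py report from slide 15, handles a user that AD does not know and a hash VirusTotal has never seen, and renders the ticket comment. It assumes VirusTotal v2 semantics (response_code 0 means the hash is unknown) and the triage thresholds in verdict() are an assumption.

```python
AD_FIELDS = ["cn", "title", "department", "l", "employeeID"]   # attributes worth surfacing


def summarize_ad(ad_result):
    """Flatten the first LDAP entry into a small dict, or None if the user was not found."""
    entries = (ad_result or {}).get("entries") or []
    if not entries:
        return None
    attrs = entries[0].get("attributes", {})
    return {name: attrs.get(name) for name in AD_FIELDS}


def summarize_vt(report):
    """Reduce a VT v2 file report to verdict data.

    Assumes v2 semantics: response_code 0 means the hash has never been seen,
    1 means a report is present (the page's example report omits the field).
    """
    if not report or report.get("response_code", 1) == 0:
        return {"known": False, "positives": 0, "total": 0, "engines": []}
    positives = int(report.get("positives") or 0)
    total = int(report.get("total") or 0)
    # engines that flagged the file, with whatever name they gave it
    engines = sorted(
        (name, scan.get("result") or "detected")
        for name, scan in (report.get("scans") or {}).items()
        if scan.get("detected")
    )
    return {"known": True, "positives": positives, "total": total, "engines": engines}


def verdict(vt):
    """Map the VT summary to a coarse triage label (thresholds are an assumption)."""
    if not vt["known"]:
        return "UNKNOWN (never submitted to VirusTotal)"
    if vt["positives"] == 0:
        return "CLEAN"
    if vt["positives"] < 5:
        return "SUSPICIOUS"
    return "MALICIOUS"


def build_enrichment_comment(ad_result, vt_report, md5):
    """Render the Jira comment (wiki markup) the enrichment endpoint would post."""
    lines = ["h4. Automation: enrichments"]
    ad = summarize_ad(ad_result)
    if ad is None:
        lines.append("AD: user not found (service account, or the alert's user field is stale?)")
    else:
        lines.append("AD: %s, %s, %s (%s, employeeID %s)" % (
            ad["cn"], ad["title"], ad["department"], ad["l"], ad["employeeID"]))
    vt = summarize_vt(vt_report)
    lines.append("VT: %s, %d/%d engines flagged %s" % (
        verdict(vt), vt["positives"], vt["total"], md5))
    for name, label in vt["engines"][:10]:   # keep the comment readable
        lines.append("* %s: %s" % (name, label))
    if vt_report and vt_report.get("permalink"):
        lines.append("Report: %s" % vt_report["permalink"])
    return "\n".join(lines)
```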
Slide 17: Incident response / security monitoring infrastructure, before automation (the diagram from slide 2, repeated for contrast)
Slide 18: Incident response / security monitoring infrastructure, with automation
Diagram: MockScan logs flow into Splunk; Splunk alerts fire a webhook to the automation server, which creates a ticket in Jira; Jira's webhook calls the automation server back, and it enriches the ticket with Active Directory and VirusTotal data.
Slide 19: More things we could automate (anything you can write a script to do)
• Search for and link to previous tickets, populate ticket fields, close duplicate tickets
• Run a Splunk search
• Look up DNS and WHOIS records
• Run Ansible playbooks
• Send a sample to a sandbox
• Upload files to Box
• Quarantine hosts and grab memory
• Pull network packet captures (PCAPs)
• Flash a light or connect to other smart devices
Slide 20: Improve our tooling: how about a framework?
• Authentication
• Logging
• Documentation
• Input validation
• Error handling
• Asynchronous task execution
• Status/health monitoring
Slide 21: Now using Flask-RESTPlus (automation_server.py)
• Flask extensions such as Flask-RESTPlus can do a lot of work for you.
• Provides consistent API interaction and error messages.
• Automatically generates Swagger docs!!
Slide 22: Swagger docs, automatically generated from code
• Swagger (OpenAPI) is a framework for documenting and building APIs.
• Swagger UI allows us to interact with our API through the browser.
• Docstrings of your endpoint classes automatically populate the Swagger documentation.
Slide 23: Input validation (automation_server.py)
• Specify a model for the endpoint's expected input.
• We don't need to worry about all of the webhook fields, just the ones we use.
• Enable validation to reject bad requests.
Slide 24: Swagger docs: model specifies payload format
• The model is used to automatically build the example payload.
• Now we can run these endpoints through the web interface.
Slide 25: API interaction: error handling / input validation
• We weren't handling errors in our code before, so we got default web server HTML error messages.
• Flask-RESTPlus will return a properly formatted JSON message.
• Adding input validation prevents the error in the first place and provides semi-helpful error messages.
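One block serving both the webhook receiver of slides 6 and 7 and the input validation of slides 23 to 25, as an added example that is not the talk's automation_server.py: a Flask app with a status endpoint and a splunk_webhook endpoint that checks only the fields the automation uses (the same idea as a Flask-RESTPlus model with validate=True, done by hand), answers bad requests with a JSON error instead of an HTML page, and writes accepted payloads to a file. It assumes the Splunk webhook body carries search_name, sid, results_link and result, and that the alert's result row contains user and md5 fields.

```python
import json
import os
import time

# Fields the automation actually relies on, with the type each must have. Only
# these are checked; anything else in the payload is ignored, as with a model.
REQUIRED_FIELDS = {"search_name": str, "sid": str, "results_link": str, "result": dict}
REQUIRED_RESULT_FIELDS = {"user": str, "md5": str}   # emitted by our saved search (assumption)


def parse_splunk_webhook(body, max_bytes=1_000_000):
    """Decode and validate a raw request body.

    Returns (payload, None) on success or (None, error_message) for anything
    the handler should reject with a 400: oversized bodies, non-JSON, JSON
    that is not an object, and missing or wrongly typed fields.
    """
    if len(body) > max_bytes:
        return None, "body too large"
    try:
        payload = json.loads(body)
    except ValueError as exc:            # covers JSONDecodeError and bad UTF-8
        return None, "body is not valid JSON: %s" % exc
    if not isinstance(payload, dict):
        return None, "top-level JSON value must be an object"
    for name, typ in REQUIRED_FIELDS.items():
        if not isinstance(payload.get(name), typ):
            return None, "missing or invalid field: %s" % name
    for name, typ in REQUIRED_RESULT_FIELDS.items():
        if not isinstance(payload["result"].get(name), typ):
            return None, "missing or invalid result field: %s" % name
    return payload, None


def safe_name(value):
    """Reduce a caller-supplied string (the Splunk sid) to filename-safe characters."""
    return "".join(c if c.isalnum() or c in "._-" else "_" for c in value)


def write_payload(payload, directory):
    """Write the payload with indentation to a timestamped file; return its path."""
    os.makedirs(directory, exist_ok=True)
    filename = "%d_%s.json" % (int(time.time()), safe_name(payload["sid"]))
    path = os.path.join(directory, filename)
    with open(path, "w") as fh:
        json.dump(payload, fh, indent=2, sort_keys=True)
    return path


def create_app(output_dir="payloads"):
    """Build the Flask app. Flask is imported inside the factory so the
    functions above can be unit-tested without Flask installed."""
    from flask import Flask, jsonify, request

    app = Flask(__name__)

    @app.route("/status")
    def status():
        # Always include a health endpoint so monitoring can see the server is up.
        return jsonify(status="ok")

    @app.route("/splunk_webhook", methods=["POST"])
    def splunk_webhook():
        payload, error = parse_splunk_webhook(request.get_data())
        if error:
            # JSON error body instead of the default HTML error page
            return jsonify(error=error), 400
        return jsonify(saved=write_payload(payload, output_dir)), 200

    return app


if __name__ == "__main__":
    # Bind to loopback while developing; host="0.0.0.0" would expose the
    # endpoint to every network the machine is on. For production put a WSGI
    # server and a reverse proxy (Nginx/Apache) in front of it.
    create_app().run(host="127.0.0.1", port=5000)
```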
Slide 26: Meet Funnel (aka "Not Invented Here Syndrome")
• Our in-house framework
• We'll get this open sourced
• Logging
• Authentication
• Pre/post-processing plugins
• Code-defined API
• Swagger spec generation
• Input validation
• Exception handling
Slide 27: Keep it real and keep it running
• Maintaining state is hard: avoid it whenever possible.
• A surprising number of errors can be resolved by waiting and retrying.
• Keep your code modular and small.
• Enrichments and other tasks should be asynchronous:
  • Individual Jira webhooks for each enrichment
  • Celery, multiprocessing, asyncio (DIY Python approaches)
  • StackStorm, Jenkins, Rundeck (DevOps)
  • AWS Lambda jobs (cloud magic)
  • Commercial Security Automation Platform ("SOAR")
• Done is better than perfect.
• Everything that can break, will break. (Image source: xkcd.com)
Slide 28: Takeaways: security automation is not magic
• Management loves colorful numbers: track your metrics!
• This approach is not specific to security; it can be used for anything.
• Security automation isn't about replacing people, and it's not a set-it-and-forget-it solution.
• Existing tools that aren't marketed toward security can work great in this space.
• There is so much low-hanging fruit.
• Our job is to make the rest of the team more effective (which is pretty awesome).
• This niche is a great path into security from development.
A Snake in the Bits
Security Automation with Python
Moses Schwartz, Security Automation Engineer
moses@box.com | @mosesschwartz | github.com/mosesschwartz
Andy Culler, Security Automation Engineer
aculler@box.com | github.com/aculler
PyCon 2019
We’re hiring – Bay Area, CA and Austin, TX
Come work with us! https://www.box.com/careers

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 

PyCon 2019 - A Snake in the Bits: Security Automation with Python

  • 8. Your code should be under version control, but your passwords shouldn't! A super lightweight approach is to keep your secrets and settings in a Python file that is NOT checked in with code (don't forget to add this file to your .gitignore). This file can then be pushed as part of configuration management or manually. settings.py Keep secrets out of git!
  • 9. Let's create a ticket in Jira. Create your authenticated JIRA object using the Python library. Use the create_issue method to create the ticket and set fields. automation_server.py Round two: ticket creation
  • 10. After the next Splunk webhook fires, we'll have a Jira ticket. Right now the description is just a JSON blob of the alert. Jira Issue created
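The receive-and-ticket path of slides 6 to 10, as an added example that is not the talk's automation_server.py: the same Splunk webhook handling written against the standard library's WSGI server instead of Flask so it runs offline, with the "validate only the fields you use" idea of slide 23 done by hand rather than with a Flask-RESTPlus model. The webhook body keys (sid, search_name, results_link, result) are Splunk's documented webhook format; the sample body, the project key SEC, the issue type, the account-name allowlist and the user/md5 field names the alert search is assumed to emit are all assumptions for the example. The Jira call itself, jira.create_issue(fields=...), is only named in a comment.

```python
"""Splunk webhook -> Jira ticket fields, on the stdlib WSGI server (no Flask)."""
import io
import json
import re
from wsgiref.simple_server import make_server

# Splunk's webhook alert action POSTs one JSON object per trigger; `result` holds
# the fields of the triggering row (only the first row, hence "trigger for each result").
REQUIRED_TOP_LEVEL = ("sid", "search_name", "results_link", "result")
REQUIRED_RESULT_FIELDS = ("user", "md5")          # assumed: what our alert search emits
MD5_RE = re.compile(r"^[0-9a-f]{32}$")
USER_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")   # assumed allowlist for account names
STATUS = {200: "200 OK", 201: "201 Created", 400: "400 Bad Request", 404: "404 Not Found"}

# Constructed sample shaped like a real Splunk webhook body.
SAMPLE_WEBHOOK = {
    "sid": "scheduler__admin__search__RMD5deadbeef_at_1551483334_12",
    "search_name": "Suspicious hash seen",
    "owner": "admin",
    "app": "security_automation",
    "results_link": "https://splunk.example.com/app/search/@go?sid=scheduler__admin__search__RMD5deadbeef_at_1551483334_12",
    "result": {"user": "mschwartz", "md5": "D41D8CD98F00B204E9800998ECF8427E",
               "host": "laptop-01", "_time": "2019-03-01T23:35:34.000+00:00"},
}
SAMPLE_BODY = json.dumps(SAMPLE_WEBHOOK).encode()


class BadPayload(ValueError):
    """Any webhook body the server refuses to act on (answered with HTTP 400)."""


def parse_splunk_webhook(payload):
    """Validate only the fields we use and return a normalised alert dict."""
    if not isinstance(payload, dict):
        raise BadPayload("body must be a JSON object")
    missing = [k for k in REQUIRED_TOP_LEVEL if k not in payload]
    if missing:
        raise BadPayload("missing keys: " + ", ".join(missing))
    row = payload["result"]
    if not isinstance(row, dict):
        raise BadPayload("result must be an object")
    missing = [k for k in REQUIRED_RESULT_FIELDS if not row.get(k)]
    if missing:
        raise BadPayload("result missing fields: " + ", ".join(missing))
    md5 = str(row["md5"]).strip().lower()
    if not MD5_RE.match(md5):
        raise BadPayload("md5 is not a 32-hex-digit hash")
    user = str(row["user"]).strip()
    if not USER_RE.match(user):
        raise BadPayload("user contains unexpected characters")
    return {"sid": str(payload["sid"]), "search_name": str(payload["search_name"]),
            "results_link": str(payload["results_link"]), "user": user, "md5": md5, "raw": row}


def build_jira_fields(alert, project_key="SEC", issue_type="Task"):
    """The `fields` argument for jira.create_issue(fields=...): the alert's JSON blob
    goes into the description, which is what the enrichment webhook later parses."""
    description = "\n".join([
        "Splunk alert '%s' fired for user %s, file MD5 %s." % (
            alert["search_name"], alert["user"], alert["md5"]),
        "Search results: " + alert["results_link"],
        "Alert payload:",
        json.dumps(alert["raw"], indent=2, sort_keys=True),
    ])
    return {"project": {"key": project_key}, "issuetype": {"name": issue_type},
            "summary": "[%s] %s on %s" % (alert["search_name"], alert["md5"], alert["user"]),
            "description": description}


def application(environ, start_response):
    """WSGI app: GET /status for health checks, POST /splunk_webhook for alerts."""
    method, path = environ.get("REQUEST_METHOD", ""), environ.get("PATH_INFO", "")
    if method == "GET" and path == "/status":
        return _respond(start_response, 200, {"status": "ok"})
    if method != "POST" or path != "/splunk_webhook":
        return _respond(start_response, 404, {"error": "not found"})
    try:
        length = int(environ.get("CONTENT_LENGTH") or 0)
        alert = parse_splunk_webhook(json.loads(environ["wsgi.input"].read(length) or b"{}"))
    except ValueError as exc:            # BadPayload and JSON decode errors both land here
        return _respond(start_response, 400, {"error": str(exc)})
    fields = build_jira_fields(alert)
    # In production: jira.create_issue(fields=fields); here the fields are echoed back.
    return _respond(start_response, 201, {"fields": fields})


def _respond(start_response, code, body):
    data = json.dumps(body).encode()
    start_response(STATUS[code], [("Content-Type", "application/json"),
                                  ("Content-Length", str(len(data)))])
    return [data]


def handle_request(method, path, body=b""):
    """Drive the app in-process (what a curl would do); returns (status, decoded JSON)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    seen = {}
    chunks = application(environ, lambda status, headers: seen.setdefault("status", status))
    return seen["status"], json.loads(b"".join(chunks))


if __name__ == "__main__":
    # Loopback only: host 0.0.0.0 would expose the endpoint to the whole network.
    make_server("127.0.0.1", 5000, application).serve_forever()
```

Rejecting anything that is not a 32-hex-digit MD5 or a plain account name before it reaches Jira, AD or VirusTotal is the cheap version of the input validation slide 23 gets from a Flask-RESTPlus model: a webhook endpoint is an HTTP surface, and whatever reaches it is attacker-influenced data, not just Splunk's.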
  • 11. Create a webhook to do enrichments – start by just extracting user and MD5 and commenting on the ticket. Point the URL to your automation server with a new endpoint. Filter for Issue created events that match our project and alert name. Jira Webhook configuration
  • 12. automation_server.py Add a comment to Jira
  • 13. Returns a dict loaded from JSON: ad_lookup.py Look up a user in Active Directory {'entries': [{'attributes': { 'cn': 'Moses Schwartz', 'title': 'Staff Security Engineer', 'company': 'Box, Inc', 'department': 'Security Automation', 'employeeID': '1234', 'l': 'Redwood City', 'streetAddress': '900 Jefferson Avenue', # ... tons more fields omitted }}]}
  • 14. automation_server.py Active Directory lookup enrichment
  • 15. virustotal.py Get a file scan report {'scan_id': 'e3b0c44298fc1c149afbf48996f...', 'sha1': 'da39a3ee5e6b4b0d3255bff9560189...', 'resource': 'd41d8cd98f00b204e980098ecf...', 'scan_date': '2019-03-01 23:35:34', 'permalink': 'https://www.virustotal.com/... 'total': 60, 'positives': 0, 'md5': 'd41d8cd98f00b204e9800998ecf8427e' {'scans': {'Bkav': {'detected': False, 'version': '1.3.0.9899', 'result': None, 'update': '20190301'} ....
  • 16. automation_server.py Now with AD and VT enrichments
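The Jira-side enrichment of slides 11 to 16 as an added example, not the talk's code: it re-applies the webhook's "issue created, our project, our alert" filter on the server, pulls user and MD5 out of the JSON blob in the ticket description, and turns an AD result in the dict shape of slide 13 plus a VirusTotal report in the shape of slide 15 into one Jira comment. The AD and VT lookups are passed in as callables so the example runs offline; the project key, alert name, comment marker, verdict threshold, engine names and all sample data are constructed for the example. The comment would be posted with jira.add_comment, which is only named in a docstring.

```python
"""Jira webhook -> AD / VirusTotal enrichment comment (lookups injected, no network)."""
import json

PROJECT_KEY = "SEC"                    # assumed Jira project key
ALERT_NAME = "Suspicious hash seen"    # assumed Splunk alert name
MARKER = "[automation:enrichment]"     # tags our own comment so redeliveries are no-ops
MALICIOUS_THRESHOLD = 3                # assumed: this many detecting engines = malicious


def should_enrich(event, project_key=PROJECT_KEY, alert_name=ALERT_NAME):
    """The Jira webhook UI filter (issue created, our project, our alert) re-checked
    server side: the endpoint must not trust that the caller filtered for it."""
    if event.get("webhookEvent") != "jira:issue_created":
        return False
    fields = event.get("issue", {}).get("fields", {})
    if fields.get("project", {}).get("key") != project_key:
        return False
    return alert_name in (fields.get("summary") or "")


def extract_indicators(description):
    """The ticket description carries the alert's JSON blob; pull user and md5 from it."""
    start, end = description.find("{"), description.rfind("}")
    if start < 0 or end < start:
        raise ValueError("no JSON object in description")
    blob = json.loads(description[start:end + 1])
    row = blob.get("result", blob)     # Splunk webhooks keep row fields under "result"
    user, md5 = row.get("user"), row.get("md5")
    if not user or not md5:
        raise ValueError("description lacks user/md5")
    return {"user": str(user), "md5": str(md5).lower()}


def ad_attributes(ad_result):
    """Flatten the {'entries': [{'attributes': {...}}]} dict shown on slide 13."""
    entries = ad_result.get("entries") or []
    return entries[0].get("attributes", {}) if entries else {}


def summarize_vt(report):
    """Reduce a VirusTotal file report (slide 15 shape) to what an analyst reads first."""
    scans = report.get("scans") or {}
    engines = sorted(name for name, r in scans.items() if r.get("detected"))
    positives = int(report.get("positives", len(engines)))
    total = int(report.get("total", len(scans)))
    verdict = ("malicious" if positives >= MALICIOUS_THRESHOLD
               else "suspicious" if positives else "clean")
    return {"positives": positives, "total": total, "engines": engines, "verdict": verdict,
            "scan_date": report.get("scan_date"), "permalink": report.get("permalink")}


def format_enrichment_comment(indicators, ad_result, vt_report):
    """Jira wiki-markup table combining both enrichments, prefixed with MARKER."""
    attrs, vt = ad_attributes(ad_result), summarize_vt(vt_report)
    rows = [("User", indicators["user"]),
            ("Name", attrs.get("cn", "not found in AD")),
            ("Title", attrs.get("title", "n/a")),
            ("Department", attrs.get("department", "n/a")),
            ("Location", attrs.get("l", "n/a")),
            ("MD5", indicators["md5"]),
            ("VT verdict", "%s (%d/%d engines, scanned %s)" % (
                vt["verdict"], vt["positives"], vt["total"], vt["scan_date"] or "never"))]
    if vt["engines"]:
        rows.append(("Detected by", ", ".join(vt["engines"])))
    if vt["permalink"]:
        rows.append(("VT report", vt["permalink"]))
    return "\n".join([MARKER, "||Field||Value||"] + ["|%s|%s|" % r for r in rows])


def already_enriched(comments):
    """True when one of the issue's existing comment bodies carries our marker."""
    return any(MARKER in (c.get("body") or "") for c in comments)


def enrich(event, lookup_ad, lookup_vt, existing_comments=()):
    """Body of the Jira webhook endpoint: returns the comment to post with
    jira.add_comment(issue_key, body), or None when nothing should happen."""
    if not should_enrich(event) or already_enriched(existing_comments):
        return None
    ind = extract_indicators(event["issue"]["fields"].get("description") or "")
    return format_enrichment_comment(ind, lookup_ad(ind["user"]), lookup_vt(ind["md5"]))


# Constructed samples: a Jira issue-created event whose description holds the alert
# blob, an AD result in the slide 13 shape and a VT report in the slide 15 shape.
SAMPLE_EVENT = {"webhookEvent": "jira:issue_created", "issue": {"key": "SEC-101", "fields": {
    "project": {"key": "SEC"},
    "summary": "[Suspicious hash seen] d41d8cd98f00b204e9800998ecf8427e on mschwartz",
    "description": "Alert payload:\n" + json.dumps(
        {"search_name": "Suspicious hash seen",
         "result": {"user": "mschwartz", "md5": "D41D8CD98F00B204E9800998ECF8427E"}})}}}
SAMPLE_AD = {"entries": [{"attributes": {"cn": "Moses Schwartz", "title": "Staff Security Engineer",
                                         "department": "Security Automation", "l": "Redwood City"}}]}
SAMPLE_VT = {"md5": "d41d8cd98f00b204e9800998ecf8427e", "positives": 2, "total": 60,
             "scan_date": "2019-03-01 23:35:34",
             "permalink": "https://www.virustotal.com/#/file/example",
             "scans": {"Bkav": {"detected": False, "result": None},
                       "EngineA": {"detected": True, "result": "Trojan.Generic"},
                       "EngineB": {"detected": True, "result": "Malware.Gen"}}}
```

The marker line makes the enrichment safe to repeat: Jira can redeliver a webhook, and the retry advice later in the deck only works for operations that are harmless to run twice. Checking for your own earlier comment is the stateless way to get that.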
  • 17. Incident response / security monitoring infrastructure, before automation (diagram): Network Devices, User Laptops, Servers, Security Tools, SIEM, Logs, Ticketing System, Active Directory, Asset Mgmt, VirusTotal, Playbook Docs, ???? ????, Alerts, User Email Report, Other Sources
  • 18. Incident response / security monitoring infrastructure, with automation (diagram): MockScan, Splunk (logs), Automation server (alerts), Jira (create ticket), Webhook, Active Directory / VirusTotal (enrich ticket)
  • 19. More things we could automate (anything you can write a script to do):
    • Search for and link to previous tickets, populate ticket fields, close duplicate tickets
    • Run a Splunk search
    • Look up DNS and WHOIS records
    • Run Ansible playbooks
    • Send a sample to a sandbox
    • Upload files to Box
    • Quarantine hosts and grab memory
    • Pull network packet captures (PCAPs)
    • Flash a light or connect to other smart devices
  • 20. Improve our tooling: how about a framework? Authentication, logging, documentation, input validation, error handling, asynchronous task execution, status/health monitoring.
  • 21. Flask extensions such as Flask-RESTPlus can do a lot of work for you. Provides consistent API interaction and error messages. Automatically generates Swagger docs!! automation_server.py Now using Flask-RESTPlus
  • 22. Swagger (OpenAPI) is a framework for documenting and building APIs. Swagger UI allows us to interact with our API through the browser. Docstrings of your endpoint classes automatically populate the Swagger documentation. Swagger Docs: automatically generated from code
  • 23. Specify a model for the endpoint's expected input. We don't need to worry about all of the webhook fields, just the ones we use. Enable validation to reject bad requests. automation_server.py Input validation
  • 24. The model is used to automatically build the example payload. Now we can run these endpoints through the web interface. Swagger Docs: model specifies payload format
  • 25. We weren't handling errors in our code before, so we got default web server HTML error messages. Flask-RESTPlus will return properly formatted JSON messages. Adding input validation prevents the error in the first place and provides semi-helpful error messages. API interaction: error handling / input validation
  • 26. Meet Funnel, aka "Not Invented Here Syndrome":
    • Our in-house framework
    • We'll get this open sourced
    • Logging
    • Authentication
    • Pre/post-processing plugins
    • Code-defined API
    • Swagger spec generation
    • Input validation
    • Exception handling
  • 27. Keep it real and keep it running. Maintaining state is hard: avoid it whenever possible. A surprising number of errors can be resolved by waiting and retrying. Keep your code modular and small. Enrichments and other tasks should be asynchronous:
    • Individual Jira webhooks for each enrichment
    • Celery, multiprocessing, asyncio (DIY Python approaches)
    • StackStorm, Jenkins, Rundeck (DevOps)
    • AWS Lambda jobs (cloud magic)
    • Commercial Security Automation Platform ("SOAR")
    Done is better than perfect. Everything that can break, will break. Source: xkcd.com
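The "wait and retry" advice of slide 27, as an added example that is not from the talk: a retry decorator with exponential backoff, a cap and jitter, applied only to transient transport errors (a KeyError from bad data will not fix itself and is re-raised at once), with the sleep and the random source injectable so the behaviour can be checked without actually waiting. FlakyService, the error classes chosen as transient and the delay parameters are constructed for the example.

```python
"""Retry with exponential backoff and jitter for transient enrichment failures."""
import functools
import random
import time

# Errors worth retrying: transient transport problems. Data errors (KeyError,
# ValueError) will not go away by waiting, so they are deliberately not listed.
TRANSIENT = (ConnectionError, TimeoutError)


def retry(exceptions=TRANSIENT, attempts=5, base=1.0, cap=30.0,
          sleep=time.sleep, rng=random.random):
    """Decorator: call fn up to `attempts` times. Between tries sleep
    min(cap, base * 2**(n-1)) seconds scaled by a random factor in [0.5, 1.5),
    so a fleet of workers hitting the same failing API does not retry in lockstep.
    `sleep` and `rng` are injectable so tests run instantly and deterministically."""
    def decorator(fn):
        @functools.wraps(fn)
        def wrapper(*args, **kwargs):
            for n in range(1, attempts + 1):
                try:
                    return fn(*args, **kwargs)
                except exceptions:
                    if n == attempts:
                        raise                      # out of attempts: let the caller see it
                    delay = min(cap, base * 2 ** (n - 1)) * (0.5 + rng())
                    sleep(delay)
        return wrapper
    return decorator


class FlakyService:
    """Constructed stand-in for an API that fails `failures` times, then works."""

    def __init__(self, failures, error=ConnectionError):
        self.failures, self.error, self.calls = failures, error, 0

    def lookup(self, key):
        self.calls += 1
        if self.calls <= self.failures:
            raise self.error("simulated failure on call %d" % self.calls)
        return {"key": key, "served_on_call": self.calls}


def run_with_retry(service, key, attempts=5):
    """Wrap service.lookup with retry; return the result and every delay taken.
    rng is pinned to 0.0 here so the delays are the deterministic 0.5x schedule."""
    delays = []
    wrapped = retry(attempts=attempts, base=1.0, sleep=delays.append,
                    rng=lambda: 0.0)(service.lookup)
    return wrapped(key), delays


if __name__ == "__main__":
    print(run_with_retry(FlakyService(failures=2), "d41d8cd98f00b204e9800998ecf8427e"))
```

Retry only around operations that are safe to repeat: an AD or VirusTotal lookup, or a comment that carries a marker you check for first. Wrapping ticket creation this way without a dedup key is how an automation server turns one alert into five tickets.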
  • 28. Takeaways: security automation is not magic.
    • Management loves colorful numbers: track your metrics!
    • This approach is not specific to security – it can be used for anything
    • Security automation isn't about replacing people, and it's not a set-it-and-forget-it solution
    • Existing tools that aren't marketed toward security can work great in this space
    • There is so much low-hanging fruit
    • Our job is to make the rest of the team more effective (which is pretty awesome)
    • This niche is a great path into security from development
  • 29. A Snake in the Bits: Security Automation with Python. Moses Schwartz, Security Automation Engineer, moses@box.com | @mosesschwartz | github.com/mosesschwartz. Andy Culler, Security Automation Engineer, aculler@box.com | github.com/aculler. PyCon 2019. We're hiring – Bay Area, CA and Austin, TX. Come work with us! https://www.box.com/careers