Integrating solutions for the digital energy system
Copyright ©2018 OMNETRIC. All rights reserved.
OMNETRIC Group Unrestricted Information.
Automating security hardening
What is security hardening?
The process of reducing the attack surface and ensuring resilience to known vulnerabilities.
Why is hardening important?

- Locking down delivered functionality reduces the risk of attackers exploiting vulnerabilities, i.e. implementation bugs
- Enforcing strict security policies reduces the risk of attackers exploiting misconfiguration issues, i.e. back-doors
- Employing layered defense reduces the risk of attackers exploiting design flaws

Software products are usually delivered with a general-use configuration that emphasizes features and ease of use at the expense of security.
How to implement hardening?

Measures are derived from knowledge of potential threats and of the known exploits that realize those threats.

- Best-practice security configuration guides
  - CIS Benchmarks
  - DISA Security Technical Implementation Guides (STIGs)
  - NIST National Checklist Program
- Publicly available dictionaries of security recommendations and vulnerabilities
  - NIST National Vulnerability Database
- Vendors' proposed configurations and security advisories
Why automate hardening?

- Security hardening is critical for achieving a cyber-resilient and compliant solution
- Once a system is hardened and deployed into an environment, it's critical to maintain its level of security through continuous assessments
- Automating compliance checks reduces administrative costs

Compliance must be continuous, which requires automation.

Diagram on the slide: a continuous cycle of Monitor, Implement and Verify.
If you don't know where to start, use standards!
Security Content Automation Protocol

- CVE – Common Vulnerabilities and Exposures
  - Identifies vulnerabilities
- CVSS – Common Vulnerability Scoring System
  - Vulnerability severity scores
- CCE – Common Configuration Exposure
  - Identifies configuration controls
- CPE – Common Platform Enumeration
  - Identifies packages and platforms
- OVAL – Open Vulnerability and Assessment Language
  - Criteria to check the presence of vulnerabilities, configuration and assets
- XCCDF – Extensible Configuration Checklist Description Format
  - Language to express configuration guidance for both automatic and manual vetting

Diagram on the slide: the components CVE, CVSS, OVAL, CCE, XCCDF and CPE grouped under software vulnerability management, configuration management, asset management and compliance management (PCI, CIS, …).
Hardening guide example 1/2

- XCCDF content is an XML document that represents a structured collection of rules
Hardening guide example 2/2

- OVAL content is an XML document that represents a structured collection of checks
OVAL content repositories

- Non-profit and government
  - Center for Internet Security (CIS)
  - DISA STIG
- Vendor
  - Cisco Systems
  - Debian Project
  - Red Hat
  - SUSE
- Subscription
  - Altex-Soft
  - SecPod Technologies
  - SECURITY-DATABASE

https://oval.mitre.org/repository/
SCAP validated products

- Rapid7 Nexpose
- SCAP Extensions for Microsoft System Center Configuration Manager
- Tenable Nessus
- Red Hat OpenSCAP
- CIS-CAT Pro Assessor
- Qualys SCAP Auditor
Hardening measures should be evaluated within the context of the target environment.
Security hardening lifecycle
https://insights.sei.cmu.edu/devops/2017/07/incremental-security-hardening-the-devops-way.html
Let's put this into practice
SCAP Security Guide

Open source project to create custom SCAP content, hosted on GitHub. Repository layout shown on the slide:

checks
  oval
  cpe
fixes
  ansible
  bash
profiles
templates
  csv
xccdf
Example: Identify exceptions

Files shown on the slide: ../profiles/cis.xml and ../xccdf/services/nfs.xml. The profile (cis.xml) selects which rules apply to the target; the rule itself (nfs.xml) stays in the rule tree, so an exception is expressed in the profile rather than by deleting the rule.
Example: Add new rules

Artifacts shown on the slide: the generator create_services_disabled.py reads service_disabled.csv and expands the templates template_OVAL_services_disabled and template_BASH_services_disabled into one OVAL check (service_%SERVICENAME%_disabled.xml) and one bash fix (service_%SERVICENAME%_disabled.sh) per listed service.
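The templating step above, as an added illustration that is not the SCAP Security Guide's own create_services_disabled.py: a constructed CSV of service names is expanded through simplified, constructed stand-ins for the OVAL and bash templates (the real OVAL tests and the SSG CSV columns are richer than shown here). It also covers the "OVAL is a structured collection of checks" slide, and validates each name before splicing it into a shell script.

```python
"""Expand a CSV of service names into per-service OVAL checks and bash fixes.

Added illustration of the templating approach shown on this slide; it is not
the SCAP Security Guide's own create_services_disabled.py, and the two
templates below are simplified, constructed stand-ins for
template_OVAL_services_disabled and template_BASH_services_disabled.
"""
import csv
import io
import re

PLACEHOLDER = "%SERVICENAME%"

# Constructed stand-in for service_disabled.csv: one service name per row.
SERVICE_DISABLED_CSV = """# services that must not run on a hardened host
nfs
rpcbind
telnet
"""

# Constructed OVAL skeleton: a compliance definition whose criteria point at
# tests that the real template fills in with platform-specific objects.
TEMPLATE_OVAL = """<def-group>
  <definition class="compliance" id="service_%SERVICENAME%_disabled" version="1">
    <metadata>
      <title>Service %SERVICENAME% Disabled</title>
      <description>The %SERVICENAME% service should be disabled.</description>
    </metadata>
    <criteria operator="AND">
      <criterion comment="%SERVICENAME% is not enabled"
                 test_ref="test_service_not_enabled_%SERVICENAME%"/>
      <criterion comment="%SERVICENAME% is not running"
                 test_ref="test_service_not_running_%SERVICENAME%"/>
    </criteria>
  </definition>
</def-group>
"""

# Constructed bash remediation: stop, disable and mask the unit so that it
# cannot be pulled in again by a dependency or restarted by hand.
TEMPLATE_BASH = """# platform = multi_platform_all
systemctl stop '%SERVICENAME%.service'
systemctl disable '%SERVICENAME%.service'
systemctl mask '%SERVICENAME%.service'
"""

# The service name is spliced into a shell script, so only accept the
# characters a systemd unit name can legitimately contain.
SERVICE_NAME_RE = re.compile(r"^[A-Za-z0-9_.@:-]+$")


def is_safe_service_name(name):
    """True when the name contains only characters allowed in a unit name."""
    return bool(SERVICE_NAME_RE.match(name))


def load_services(csv_text):
    """Return the service names from the CSV, skipping comments and blanks."""
    names = []
    for row in csv.reader(io.StringIO(csv_text)):
        if not row or row[0].startswith("#"):
            continue
        name = row[0].strip()
        if not is_safe_service_name(name):
            raise ValueError(f"refusing to template unsafe service name {name!r}")
        names.append(name)
    return names


def render(template, service):
    """Substitute every occurrence of the placeholder with the service name."""
    return template.replace(PLACEHOLDER, service)


def generate(csv_text):
    """Map output file names (as named on the slide) to rendered content."""
    files = {}
    for svc in load_services(csv_text):
        files[f"service_{svc}_disabled.xml"] = render(TEMPLATE_OVAL, svc)
        files[f"service_{svc}_disabled.sh"] = render(TEMPLATE_BASH, svc)
    return files


if __name__ == "__main__":
    for name, body in generate(SERVICE_DISABLED_CSV).items():
        print(f"--- {name} ---\n{body}")
```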
Evaluate, fix and report with OpenSCAP

Three steps shown on the slide, run as root (the # prompt): evaluate the CIS profile and store the results, generate a shell remediation script from the failed results, and generate an HTML report from the same result file.

# oscap xccdf eval \
    --profile CIS \
    --results ssg-rhel7-CIS-result.xml \
    ssg-rhel7-xccdf.xml

# oscap xccdf generate fix \
    --result-id xccdf_org.open-scap_testresult_CIS \
    --template urn:xccdf:fix:script:sh \
    --output CIS_remediation.sh \
    ssg-rhel7-CIS-result.xml

# oscap xccdf generate report \
    --result-id xccdf_org.open-scap_testresult_CIS \
    --output CIS_report.html \
    ssg-rhel7-CIS-result.xml
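For the Verify/Monitor part of the cycle, an added example (not part of OpenSCAP or the SCAP Security Guide) that reads the kind of XCCDF 1.2 result file written by the eval step above, picks the TestResult with the --result-id used on the slide, and lists the rules that are still non-compliant; SAMPLE_RESULT is a constructed, heavily trimmed stand-in for ssg-rhel7-CIS-result.xml, and the target host name and rule set in it are made up.

```python
"""Summarize an XCCDF 1.2 result file: failing rules, counts and score.

Added illustration for the slide above, not part of OpenSCAP or the SCAP
Security Guide. SAMPLE_RESULT is a constructed, heavily trimmed stand-in for
the ssg-rhel7-CIS-result.xml written by `oscap xccdf eval --results`.
"""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}
RESULT_ID = "xccdf_org.open-scap_testresult_CIS"   # the --result-id on the slide
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3, "unknown": 4}

# Constructed sample: three Rules and the TestResult oscap appends for them.
# nfs is 'notselected' to mirror an exception tailored out in the profile.
SAMPLE_RESULT = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           id="xccdf_org.ssgproject.content_benchmark_RHEL-7">
  <Rule id="xccdf_org.ssgproject.content_rule_service_nfs_disabled" severity="medium">
    <title>Disable Network File System (nfs)</title>
  </Rule>
  <Rule id="xccdf_org.ssgproject.content_rule_service_telnet_disabled" severity="high">
    <title>Disable telnet Service</title>
  </Rule>
  <Rule id="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium">
    <title>Disable SSH Root Login</title>
  </Rule>
  <TestResult id="xccdf_org.open-scap_testresult_CIS"
              start-time="2018-05-01T10:00:00" end-time="2018-05-01T10:02:00">
    <profile idref="xccdf_org.ssgproject.content_profile_CIS"/>
    <target>grid-ctl-01.example.internal</target>
    <rule-result idref="xccdf_org.ssgproject.content_rule_service_nfs_disabled" severity="medium">
      <result>notselected</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_service_telnet_disabled" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium">
      <result>pass</result>
    </rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.000000">50.000000</score>
  </TestResult>
</Benchmark>
"""

# Outcomes that leave a rule non-compliant; 'pass', 'fixed', 'notapplicable'
# and 'notselected' do not.
NON_COMPLIANT = {"fail", "error", "unknown"}


def rule_titles(root):
    """Map each Benchmark Rule id to its human-readable title."""
    return {rule.get("id"): rule.findtext("x:title", default="", namespaces=NS)
            for rule in root.iter(f"{{{XCCDF_NS}}}Rule")}


def summarize(xml_text, result_id=RESULT_ID):
    """Return target, score, per-outcome counts and the failing rules."""
    root = ET.fromstring(xml_text)
    test_result = next((tr for tr in root.iter(f"{{{XCCDF_NS}}}TestResult")
                        if tr.get("id") == result_id), None)
    if test_result is None:
        raise ValueError(f"no TestResult with id {result_id!r}")
    titles = rule_titles(root)
    counts = Counter()
    failures = []
    for rr in test_result.findall("x:rule-result", NS):
        outcome = rr.findtext("x:result", default="unknown", namespaces=NS)
        counts[outcome] += 1
        if outcome in NON_COMPLIANT:
            rid = rr.get("idref")
            failures.append({"rule": rid, "result": outcome,
                             "severity": rr.get("severity", "unknown"),
                             "title": titles.get(rid, "")})
    # Highest severity first so the remediation backlog is already ordered.
    failures.sort(key=lambda f: (SEVERITY_ORDER.get(f["severity"], 99), f["rule"]))
    score_el = test_result.find("x:score", NS)
    return {"target": test_result.findtext("x:target", default="", namespaces=NS),
            "score": float(score_el.text) if score_el is not None else None,
            "counts": dict(counts), "failures": failures}


def compliance_gate(summary, minimum_score=100.0):
    """True when nothing is non-compliant and the score meets the threshold."""
    return (not summary["failures"] and summary["score"] is not None
            and summary["score"] >= minimum_score)


if __name__ == "__main__":
    s = summarize(SAMPLE_RESULT)
    print(f"{s['target']}: score {s['score']}, outcomes {s['counts']}")
    for f in s["failures"]:
        print(f"  [{f['severity']}] {f['result']}: {f['title']} ({f['rule']})")
    print("gate:", "PASS" if compliance_gate(s) else "FAIL")
```

Run against the real result file, the gate's boolean is what a deployment pipeline would turn into a failing job, closing the loop between the eval step and the Monitor/Verify cycle.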
Choose your automation tool
Summary

Key challenges
- Finding an authoritative hardening list
- Customizing rules based on the specifics of the target system
- Automating hardening checks to achieve compliance

Guide to moving forward
- Start with either CIS or STIG
- Use the SCAP Security Guide to tailor the checklists
- Use your default deployment tool to run OpenSCAP
OMNETRIC Group is dedicated to helping energy providers reap the benefits of the digital energy system by integrating their energy operations with IT to support their business goals.

Our global team of engineering, IT, security and data experts brings extensive industry experience to help customers discover and exploit data intelligence to capitalize on industry change, and realize new business models.

Helping customers since 2014, we are an inventive, technology services company and a joint venture between Siemens AG and Accenture.

For more, visit www.omnetric.com.
- Engineering and energy technology
- Smart grid applications
- Grid control experience
- Dedicated to utilities
- OT-IT integration specialist
- Integrated smart grid solutions for a digital grid
- Systems integration and services
- Proven delivery methodologies
- Industry-specific technologies, assets and processes
About the presenter

Ugljesa Novak is a Security Architect at OMNETRIC Group and a Certified Information Systems Security Professional. With almost nine years of experience in IT security, Ugljesa has designed and developed security controls for grid control systems on many smart grid projects. His experience ranges across multiple vendors, working with project teams for vendors such as Schneider Electric and Siemens.

ugljesa.novak@omnetric.com

  • 13. Copyright ©2018 OMNETRIC. All rights reserved. OMNETRIC Group Unrestricted Information. Hardening measures should be evaluated within the context of the target environment
  • 14. Copyright ©2018 OMNETRIC. All rights reserved. OMNETRIC Group Unrestricted Information. Security hardening lifecycle https://insights.sei.cmu.edu/devops/2017/07/incremental-security-hardening-the-devops-way.html
  • 15. Copyright ©2018 OMNETRIC. All rights reserved. OMNETRIC Group Unrestricted Information. Let’s put this into practice
  • 16. Copyright ©2018 OMNETRIC. All rights reserved. OMNETRIC Group Unrestricted Information. SCAP Security Guide checks oval cpe fixes ansible bash profiles templates csv xccdf Open source project to create custom SCAP content hosted on GitHub
  • 17. Copyright ©2018 OMNETRIC. All rights reserved. OMNETRIC Group Unrestricted Information. Example: Identify exceptions ../profiles/cis.xml ../xccdf/services/nfs.xml
  • 18. Copyright ©2018 OMNETRIC. All rights reserved. OMNETRIC Group Unrestricted Information. Example: Add new rules template_OVAL_services_disabled create_services_disabled.py service_disabled.csv template_BASH_services_disabled service_%SERVICENAME%_disabled.sh service_%SERVICENAME%_disabled.xml
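The template expansion that slide 18 sketches, as an added Python example that is not SCAP Security Guide's own create_services_disabled.py: the CSV sample, the two template bodies and the SAFE_NAME check are assumptions, kept to the file names and the %SERVICENAME% placeholder shown on the slide.

```python
"""Expand services-disabled templates from service_disabled.csv (added
example, not SCAP Security Guide's create_services_disabled.py): a simplified
stand-in that substitutes %SERVICENAME% into one OVAL check and one bash fix."""
import csv
import io
import re

# Constructed sample of service_disabled.csv (one service per line).
SERVICE_DISABLED_CSV = """nfs
rpcbind
avahi-daemon
"""

# Cut-down stand-in for template_OVAL_services_disabled (illustrative shape only).
TEMPLATE_OVAL_SERVICES_DISABLED = """\
<def-group>
  <definition class="compliance" id="service_%SERVICENAME%_disabled" version="1">
    <criteria>
      <criterion test_ref="test_service_%SERVICENAME%_disabled"/>
    </criteria>
  </definition>
</def-group>
"""

# Stand-in for template_BASH_services_disabled: stop now, keep off at boot.
TEMPLATE_BASH_SERVICES_DISABLED = """\
# Remediation for service_%SERVICENAME%_disabled
systemctl stop '%SERVICENAME%.service'
systemctl disable '%SERVICENAME%.service'
"""

# Names are spliced into XML and shell text, so accept only plain unit names.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.@-]+$")

def expand(template, service):
    if not SAFE_NAME.match(service):
        raise ValueError(f"unsafe service name: {service!r}")
    return template.replace("%SERVICENAME%", service)

def generate(csv_text):
    """Return {output filename: content} for every service listed in the CSV."""
    files = {}
    for row in csv.reader(io.StringIO(csv_text)):
        if not row or row[0].startswith("#"):  # skip blank and comment lines
            continue
        svc = row[0].strip()
        files[f"service_{svc}_disabled.xml"] = expand(TEMPLATE_OVAL_SERVICES_DISABLED, svc)
        files[f"service_{svc}_disabled.sh"] = expand(TEMPLATE_BASH_SERVICES_DISABLED, svc)
    return files
```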
• 19. Evaluate, fix and report with OpenSCAP
  # oscap xccdf eval --profile CIS --results ssg-rhel7-CIS-result.xml ssg-rhel7-xccdf.xml
  # oscap xccdf generate fix --result-id xccdf_org.open-scap_testresult_CIS --template urn:xccdf:fix:script:sh --output CIS_remediation.sh ssg-rhel7-CIS-result.xml
  # oscap xccdf generate report --result-id xccdf_org.open-scap_testresult_CIS --output CIS_report.html ssg-rhel7-CIS-result.xml
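Reading the results file that the first oscap command writes, as an added Python example (not OpenSCAP code): it lists failed rules by severity from the TestResult whose id the generate fix and generate report commands reference. The sample XML is constructed and cut down, and its rule ids are illustrative.

```python
"""Summarize an XCCDF results file (added example, not OpenSCAP code).

Reads the TestResult that `oscap xccdf eval --results` writes and lists
failed rules by severity, the input for the generate fix/report steps.
"""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed, cut-down sample of ssg-rhel7-CIS-result.xml.
SAMPLE_RESULT_XML = """\
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="sample_benchmark">
  <TestResult id="xccdf_org.open-scap_testresult_CIS">
    <rule-result idref="xccdf_org.ssgproject.content_rule_service_nfs_disabled" severity="medium"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_service_rpcbind_disabled" severity="medium"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="high"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_ypbind_removed" severity="low"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>
"""

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

def summarize(xml_text, result_id):
    """Return (counts, failed): counts per result value, and failed rules
    as (severity, rule id) tuples sorted highest severity first."""
    root = ET.fromstring(xml_text)
    test_result = root.find(f"x:TestResult[@id='{result_id}']", XCCDF_NS)
    if test_result is None:
        raise ValueError(f"no TestResult with id {result_id}")
    counts = Counter()
    failed = []
    for rr in test_result.findall("x:rule-result", XCCDF_NS):
        result = rr.findtext("x:result", default="unknown", namespaces=XCCDF_NS)
        counts[result] += 1
        if result == "fail":
            failed.append((rr.get("severity", "unknown"), rr.get("idref")))
    failed.sort(key=lambda f: SEVERITY_ORDER.get(f[0], 3))
    return counts, failed

def compliance_ratio(counts):
    """Share of scored rules (pass or fail) that passed; notapplicable,
    notchecked and error results are excluded rather than counted as pass."""
    scored = counts["pass"] + counts["fail"]
    return counts["pass"] / scored if scored else 0.0
```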
• 20. Choose your automation tool
• 21. Summary
  Key challenges:
  - Finding an authoritative hardening list
  - Customizing rules based on the specifics of the target system
  - Automating hardening checks to achieve compliance
  Guide to moving forward:
  - Start with either CIS or STIG
  - Use the SCAP Security Guide to tailor the checklists
  - Use your default deployment tool to run OpenSCAP
• 22. OMNETRIC Group is dedicated to helping energy providers reap the benefits of the digital energy system by integrating their energy operations with IT to support their business goals. Our global team of engineering, IT, security and data experts brings extensive industry experience to help customers discover and exploit data intelligence to capitalize on industry change and realize new business models. Helping customers since 2014, we are an inventive technology services company and a joint venture between Siemens AG and Accenture. For more, visit www.omnetric.com.
  - Engineering and energy technology
  - Smart grid applications
  - Grid control experience
  - Dedicated to utilities
  - OT-IT integration specialist
  - Integrated smart grid solutions for a digital grid
  - Systems integration and services
  - Proven delivery methodologies
  - Industry-specific technologies, assets and processes
  About the presenter: Ugljesa Novak is a Security Architect at OMNETRIC Group and a Certified Information Systems Security Professional. With almost nine years of experience in IT security, Ugljesa has designed and developed security controls for grid control systems on many smart grid projects. His experience ranges across multiple vendors, working with project teams for vendors such as Schneider Electric and Siemens. ugljesa.novak@omnetric.com