
O'Reilly Security - Continuous Auditing For Effective Compliance with Rudder


Security policies are increasingly complex and demanding on the operations teams that must implement them. How can you be sure that your security policy is really correct everywhere, apart from an expensive yearly audit? How can you know that what was OK a few weeks ago is still OK?

Rudder is open source IT compliance automation technology that comes from the DevOps world, where automatic configuration management is already the norm. With a focus on continuously checking configurations and centralizing real-time status data, Rudder can show a high-level summary (“ISO 27001 rules are at 100%!”) and break down noncompliance issues to a deep technical level (“Host prod-web-03: SSH server configuration allows root logins”).

Jonathan Clarke offers an overview of Rudder and demonstrates how to input the technical rules of a security policy into Rudder, watch it check them every 5 minutes on each and every one of your servers, and report back a global summary to you, allowing you to drill down to any issues that need remediating. Jonathan also explains how a successfully deployed policy can be enforced by the same tool, moving one step further from automatic auditing to automatic remediation. Along the way, Jonathan shares lessons learned from companies that have gone from asking whether their security policy was really applied to receiving near real-time alerts about noncompliance issues as they arise.

In particular, Jonathan explores the specific features in Rudder that have made it successful in compliance projects:
- A simple framework allows you to extend the built-in rules to implement specific low-level configuration patterns, however complex they may be, using simple building blocks (“ensure package installed in version X,” “ensure file content,” “ensure line in file,” etc.). A graphical builder lowers the technical level required to use this.
- Each policy can be independently set to be automatically checked or enforced on a policy or host level. In Enforce mode, each remediation action is recorded, showing the value of these invisible fixes.
- Rudder works on almost every kind of device, so you’ll be managing physical and virtual servers in the data center, cloud instances, and embedded IoT devices in the same way.
- Rudder is designed for critical environments where a security breach can mean more than a blip in the sales stats. Built-in features include change requests, audit logs, and strong authentication.
- Rudder relies on an agent that needs to be installed on all hosts to audit. The agent is very lightweight (10 to 20 MB of RAM at peak) and blazingly fast (it’s written in C and takes less than 10 seconds to verify 100 rules). Installation is self-contained, via a single package, and can auto-update to limit agent management burden.
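To make the audit/enforce distinction and the "building blocks compose into directives" model concrete, here is an added toy checker (illustration only, not Rudder's own code or its generic methods): two blocks, a file setting and an absent package, are composed into directives, run over a constructed two-host fleet, and summarised as a global compliance percentage with per-host drill-down lines; in enforce mode each remediation is recorded the way the abstract describes.

```python
# Added illustration, not Rudder's own code: a toy desired-state checker whose two
# building blocks run in audit mode (report only) or enforce mode (fix and record).
from dataclasses import dataclass, field
@dataclass
class Host:                      # constructed sample of one node's state
    name: str
    files: dict                  # path -> list of config lines
    packages: set                # installed package names
    fixes: list = field(default_factory=list)   # remediations recorded in enforce mode

def file_setting(host, path, key, value, enforce):   # block: "key value" line in file
    lines = host.files.get(path, [])
    if f"{key} {value}" in lines:
        return True
    if enforce:   # drop any conflicting setting for key, then append the wanted line
        host.files[path] = [ln for ln in lines if not ln.startswith(key)] + [f"{key} {value}"]
        host.fixes.append(f"{host.name}: set {key} {value} in {path}")
        return True
    return False

def package_absent(host, pkg, enforce):   # block: package must not be installed
    if pkg not in host.packages:
        return True
    if enforce:
        host.packages.discard(pkg)
        host.fixes.append(f"{host.name}: removed package {pkg}")
        return True
    return False

# Security directives composed from building blocks: (name, block, args, issue text).
DIRECTIVES = [
    ("SSH no root login", file_setting, ("/etc/ssh/sshd_config", "PermitRootLogin", "no"),
     "SSH server configuration allows root logins"),
    ("No compilers on prod", package_absent, ("gcc",), "compiler package gcc is installed"),
]

def check_hosts(hosts, enforce=False):   # -> (global compliance %, drill-down issues)
    issues, ok = [], 0
    for host in hosts:
        for name, block, args, issue in DIRECTIVES:
            if block(host, *args, enforce):
                ok += 1
            else:
                issues.append(f"Host {host.name}: {issue} [{name}]")
    return round(100 * ok / (len(hosts) * len(DIRECTIVES)), 1), issues

def sample_fleet():   # constructed sample: prod-web-01 is compliant, prod-web-03 drifted
    return [Host("prod-web-01", {"/etc/ssh/sshd_config": ["PermitRootLogin no"]}, {"nginx"}),
            Host("prod-web-03", {"/etc/ssh/sshd_config": ["PermitRootLogin yes"]}, {"nginx", "gcc"})]
```

Running `check_hosts(sample_fleet())` first in audit mode and then with `enforce=True` shows the same fleet going from 50% to 100% compliance, with the two fixes applied to prod-web-03 listed in its `fixes`.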

Published in: Software

  1. Jonathan CLARKE, jcl@normation.com, @jooooooon42, Co-founder & Chief Product Officer. Continuous auditing for effective compliance
  2. Normation – CC-BY-SA normation.com. It’s a continuous world: Continuous *
  3. It’s a continuous world: Continuous Integration, Continuous Delivery, Continuous Improvement (agile, devops)
  4. It’s a continuous world. Continuous, adjective: 1. without interruption; 2. progressive. Synonyms: sustained, round-the-clock, relentless
  5. Continuous everything: Continuous *
  6. Continuous everything: Continuous Growth
  7. Continuous everything: Continuous Growth, Continuously Connected
  8. Continuous everything: Continuous Growth, Continuously Connected, Continuous Threats
  9. Continuous everything: Continuous Growth, Continuously Connected, Continuous Threats. We need a continuous response
  10. Continuous auditing for effective compliance
  11. Security policies: what and how? Rules come from different levels: Laws, Industry regulations, Corporate regulations, Best practices
  12. Security policies: what and how? Rules come from different levels: Laws, Industry regulations, Corporate regulations, Best practices; Organisational process, Technical directives
  13. Security policies: what and how? Rules come from different levels: Laws, Industry regulations, Corporate regulations, Best practices; Organisational process (we can’t automate humans!), Technical directives
  14. Security policies: what and how? Rules come from different levels: Laws, Industry regulations, Corporate regulations, Best practices; Organisational process, Technical directives
  15. Security policies: what and how? Examples of security technical directives: 1. Auto logout after a period of inactivity
  16. Security policies: what and how? Examples of security technical directives: 1. Auto logout after a period of inactivity; 2. Password policy (strength, duration, ...)
  17. Security policies: what and how? Examples of security technical directives: 1. Auto logout after a period of inactivity; 2. Password policy (strength, duration, ...); 3. No compilers on production servers
  18. Security policies: what and how? Examples of security technical directives: 1. Auto logout after a period of inactivity; 2. Password policy (strength, duration, ...); 3. No compilers on production servers; 4. Warning message on server remote access
  19. Security policies: what and how? Examples of security technical directives: 1. Auto logout after a period of inactivity; 2. Password policy (strength, duration, ...); 3. No compilers on production servers; 4. Warning message on server remote access; 5. Patch vulnerable software package
  20. Security policies: what and how? Examples of security technical directives, with GOAL: 1. Auto logout after a period of inactivity (harden access); 2. Password policy (strength, duration, ...) (harden access); 3. No compilers on production servers (avoid potential exploits); 4. Warning message on server remote access (obey the law); 5. Patch vulnerable software package (avoid known exploits)
  21. Security policies: traditional lifecycle. Typical lifecycle of security policy: Policy → Apply on new servers → OK → Regular audits (3-12 months) → REMEDIATION
  22. Security policies: traditional lifecycle. Typical lifecycle of security policy: Policy → Apply on new servers → OK → ? (DRIFT) → Regular audits (3-12 months) → REMEDIATION
  23. Introducing Rudder. Rudder: noun. Piece used for steering a ship. Used to correct heading when trajectory drifts off course.
  24. Introducing Rudder. Define desired state (target): Imperative vs Declarative. Install package x vs Package x should be installed; Restart service z vs Service z should be running; Copy file template y.tpl vs File y should contain line abc=def
  25. Introducing Rudder. Rudder’s lifecycle: Define desired state → Distribute to agents → Check state locally (OS-specific implementations) → OK / NOK → Report
  26. Introducing Rudder. Rudder’s continuous lifecycle: Define desired state → Distribute to agents → Check state locally (OS-specific implementations) → OK / NOK → Report → REPEAT
  27. Introducing Rudder. High-level overview
  28. Introducing Rudder. Drill-down to each individual state: Compliant
  29. Building blocks can be used to check anything. Examples of security technical directives, with GOAL: 1. Auto logout after a period of inactivity (harden access); 2. Password policy (strength, duration, ...) (harden access); 3. No compilers on production servers (avoid potential exploits); 4. Warning message on server remote access (obey the law); 5. Patch vulnerable software package (avoid known exploits)
  30. Building blocks can be used to check anything. Examples of security technical directives, with GOAL and IMPLEMENTATION: 1. Auto logout after a period of inactivity (harden access; File/Registry edit); 2. Password policy (strength, duration, ...) (harden access; File/Registry edit); 3. No compilers on production servers (avoid potential exploits; Package remove); 4. Warning message on server remote access (obey the law; File/Registry edit); 5. Patch vulnerable software packages (avoid known exploits; Package install/update)
  31. Building blocks can be used to check anything. Photo CC BY-NC-SA 2.0 from https://www.flickr.com/photos/dillpixel/
  32. Building blocks can be used to check anything
  33. Building blocks can be used to check anything. Example security technical directive: 1. Auto logout after a period of inactivity. GOAL: Harden access. IMPLEMENTATION: File/Registry edit
  34. Building blocks can be used to check anything. Example security technical directive: 3. No compilers on production servers. GOAL: Avoid local exploits. IMPLEMENTATION: Package remove
  35. Building blocks in Rudder (aka generic methods)
  36. Building blocks can be used to check anything. Security directive #1: File edit, Package present. Security directive #2: Package absent, Package absent. Security directive #3: File enforce, Service running
  37. Building blocks can be used to check anything. Security directive #1: File edit, Package present. Security directive #2: Package absent, Package absent. Security directive #3: File enforce, Service running. RULE: Corporate security policy. RULE: Security best practices
  38. Building blocks can be used to check anything. Security directive #1: File edit, Package present. Security directive #2: Package absent, Package absent. Security directive #3: File enforce, Service running. RULE: Corporate security policy. RULE: Security best practices
  39. From continuous auditing to continuous remediation: Continuous auditing, Continuous remediation
  40. From continuous auditing to continuous remediation. Rudder’s continuous lifecycle: Define desired state → Distribute to agents → Check state locally (OS-specific implementations) → OK / NOK → Report → REPEAT
  41. From continuous auditing to continuous remediation: Node by node, Policy by policy
  42. From continuous auditing to continuous remediation. Rudder’s lifecycle with remediation: Define desired state → Distribute to agents → Check state locally (OS-specific implementations) → OK / NOK → Remediate → Report → REPEAT
  43. Rudder: Open source Automation & Compliance. www.rudder-project.org @RudderProject
  44. A bit more about Rudder. Platform support: Cloud, Servers, Desktop, Embedded/IoT, Mobile. Any scale: typical deployments 100s-1000s of servers; biggest known today is 7000; 2 → > 10 000. Multi-platform: metal, virtual, cloud, … Multi-OS: C agent on UNIX/Linux, DSC on Windows
  45. A bit more about Rudder. Separation of roles. API: automate new nodes, policy, extract compliance. CLI / Code: create new configuration templates, everyday management tasks. Web: use existing configuration patterns, observe compliance
  46. Summary: Continuous IT, Continuous auditing, Continuous remediation
  47. Summary: Fire & Forget, Worry about next thing, Continuous improvement
  48. Thanks for listening! Any questions? This presentation is shared under a FLOSS licence, CC-BY-SA, and available on http://www.slideshare.net/normation/. Jonathan CLARKE, jcl@normation.com, @jooooooon42, Co-founder & Chief Product Officer