SlideShare a Scribd company logo

Security Automation Simplified - BSides Austin 2019

M
Moses Schwartz

The document provides an introduction to DIY security automation. It discusses building automation solutions for incident response, security monitoring, and other tasks. It covers approaches like centralized vs distributed automation, using tools like Splunk for alerts and webhooks, and building an automation server with Flask. The document also discusses enriching data, creating tickets, testing APIs, deployment, and other tips for developing a security automation solution.

Technology
1 of 34
Download to read offline
Security automation simplified An intro to DIY security automation Moses Schwartz, Security Automation Engineer moses@box.com | @mosesschwartz | github.com/mosesschwartz BSides Austin 2019
2Security automation simplified Incident response / security monitoring infrastructure Before automation Network Devices User Laptops Servers Security Tools SIEM Logs Ticketing System Active Directory Asset Mgmt VirusTotal Playbook Docs ???? ???? Alerts
3Security automation simplified Automation approaches Building an automation/orchestration solution for every environment is a huge undertaking Building one for your environment is a much more tractable problem Centralized Logic mostly in one place, often with some sort of workflow or orchestration engine • Examples: Most commercial offerings, building everything in a single platform, this DIY approach • Downsides: single point of failure, major effort to build out, major learning curve Distributed / ad hoc Bits of automation from many different tools to make your life better • Examples: 1:1 pairings using web hooks between tool APIs • Downsides: gets complicated, hard to debug, hard to piece together complex workflows, tribal knowledge
4Security automation simplified Build a search query that matches the condition you want to alert on Splunk Alert development
5Security automation simplified Create an alert using your search query Best practice is to create an App to contain all of your custom settings I like to specify a cron schedule for maximum flexibility Ensure your time range matches the schedule Splunk Alert development
6Security automation simplified Trigger when Number of Results is greater than 0 Trigger for each result - Splunk webhooks only include the first row of data Add a Webhook Trigger Action and aim it at your server (we’ll build this in the next step) Splunk Alert development
7Security automation simplified We will use Flask for super simple API development Always include a status/health endpoint splunk_webhook will write the JSON payload with indentation to a file host=“0.0.0.0” exposes this to the world! automation_server.py Receive Splunk webhook payload
8Security automation simplified It’s JSON from our alert! Development tip: modify that alert to run every minute and extend the time range Don’t run it like this in production - there are many tutorials on deploying a Flask app with Nginx or Apache and a WSGI server automation_server.py Run the server and check the output
9Security automation simplified Your code should be under version control, but your passwords shouldn’t! A super lightweight approach is to keep your secrets and settings in a Python file that is NOT checked in with code (don’t forget to add this file to your .gitignore) This file can then be pushed as part of configuration management or manually settings.py Keep secrets out of git!
10Security automation simplified Let’s create a ticket in Jira Create your authenticated JIRA object using the Python library Use the create_issue method to create the ticket and set fields automation_server.py Round two: ticket creation
11Security automation simplified After the next Splunk webhook fires, we’ll have a Jira ticket Right now the description is just a JSON blob of the alert Jira Issue created
12Security automation simplified Create a webhook to do enrichments – start by just extracting user and MD5 and commenting on the ticket Point the URL to your automation server with a new endpoint Filter for Issue created events that match our project and alert name Jira Webhook configuration
13Security automation simplified automation_server.py Add a comment to Jira
14Security automation simplified Returns a JSON object: ad_lookup.py Lookup a user in Active Directory {'entries': [{'attributes': { 'cn': 'Moses Schwartz', 'title': 'Staff Security Engineer', 'company': 'Box, Inc', 'department': 'Security Automation', 'employeeID': '1234', 'l': 'Redwood City', 'streetAddress': '900 Jefferson Avenue', # ... tons more fields omitted }}]}
15Security automation simplified automation_server.py Active Directory lookup enrichment
16Security automation simplified virustotal.py Get a file scan report {'scan_id': 'e3b0c44298fc1c149afbf48996f...', 'sha1': 'da39a3ee5e6b4b0d3255bff9560189...', 'resource': 'd41d8cd98f00b204e980098ecf...', 'scan_date': '2019-03-01 23:35:34', 'permalink': 'https://www.virustotal.com/... 'total': 60, 'positives': 0, 'md5': 'd41d8cd98f00b204e9800998ecf8427e' {'scans': {'Bkav': {'detected': False, 'version': '1.3.0.9899', 'result': None, 'update': '20190301'} ....
17Security automation simplified automation_server.py Now with AD and VT enrichments
18Security automation simplified Incident response / security monitoring infrastructure With automation MockScan Splunk Logs Automation server Alerts Jira Create ticket Webhook Active Directory Enrich ticket VirusTotal
19Security automation simplified • Search for and link to previous tickets, populate ticket fields, close duplicate tickets • Run a Splunk search • Lookup DNS and WHOIS records • Run Ansible playbooks • Send a sample to a sandbox • Upload files to Box • Isolate hosts and grab memory • Pull PCAPs • Flash a light or connect to other smart devices More things we could automate Anything you can write a script to do
20Security automation simplified Input validation, error messages, API documentation Error handling If one task fails, they all fail Authentication Deployment Health/status monitoring Moving toward production Everything that can break, will break 500 Internal Server Error
21Security automation simplified Flask extensions such as Flask-RESTPlus can do a lot of work for you Provides consistent API interaction and error messages Automatically generates Swagger docs!! automation_server.py Now using Flask-RESTPlus
22Security automation simplified Swagger is a framework for documenting and building APIs Swagger UI allows us to interact with our API through the browser We’ll have to add model/schema definitions to complete the Swagger documentation Swagger Docs Automatically generated from code
23Security automation simplified Specify a model for the endpoint’s expected input We don’t need to worry about all of the webhook fields, just the ones we use Enable validation to reject bad requests automation_server.py Input validation
24Security automation simplified The model is used to automatically build the example payload Now we can run these endpoints through the web interface Swagger Docs Model specifies payload format
25Security automation simplified We weren’t handling errors in our code before, so we got default web server HTML error messages Flask-RESTPlus will return properly formatted JSON message Adding input validation prevents the error in the first places and provides semi-helpful error messages API interaction Error handling / input validation
26Security automation simplified Enrichments and other tasks should be asynchronous to avoid the scenario where if one fails, they all fail Our example was synchronous, some other options to run jobs asynchronously are: • Individual Jira webhooks for each enrichment • Celery, multiprocessing, asyncio (DIY Python approaches) • StackStorm, Jenkins, Rundeck (DevOps tools that fit this use case) • AWS Lambda jobs (hey, we could build this whole thing out of Lambdas) Add a retry capability to each task: just trying again fixes a surprising number of problems Error handling, retrying, task execution
27Security automation simplified Options: • Include a “secret” in your webhook receiver URL • Don’t worry and restrict access by IP • Store access tokens in settings.py • Rely on .htaccess or similar from your webserver • Use an extension like Flask-Login • Roll your own solution Authentication is nearly meaningless without encryption Authentication Almost as complicated as secret management
28Security automation simplified Get a domain and SSL cert • IP addresses and HTTP are fine for development, but are not so cool for production use Use configuration management • Ansible, Salt, Puppet, Chef, etc. Consider deployment options • Containers (Docker) • Package builders (Pex, Omnibus) Strive for continuous integration/continuous deployment (CI/CD) • Automated, repeatable builds / deployments are the dream Deployment DevOps for SecOps
29Security automation simplified Exception logging and alerting are critical: even if our code is perfect, external API lookups will fail Use a status monitoring tool like Nagios, Icinga, Sensu, Datadog (that’s what the /status endpoint is for) Forward your server logs to Splunk, and set up alerts on error messages Monitor for skipped searches in Splunk: index=_internal source=*scheduler.log status=skipped Build some status dashboards to monitor API usage and errors Status and health monitoring What could go wrong? Splunk. Splunk could go wrong.
30Security automation simplified Maintaining state is hard: avoid it whenever possible Try, try again: a surprising number of errors can be resolved by waiting and retrying Deploy your code from your git repo even if you don’t have CI/CD: this minimizes the temptation to make in-place hotfixes Consider writing tests: sometimes they’re really handy Keep your code modular and small Done is better than perfect Development tips and lessons learned Let me be a cautionary tale… Source: xkcd.com
31Security automation simplified Management loves colorful numbers Assign a number of minutes saved per enrichment or action and calculate the total from your logs Security automation isn’t about replacing people, and it’s not a set-it-and-forget-it solution • Security automation is different from factory automation – you can’t replace human incident responders • Automation should become a core part of your process – continually improve Target 25% effort spent automating Metrics Quantify your impact
32Security automation simplified Security automation is not black magic Existing tools that aren't marketed toward security can work great in this space There is so much low hanging fruit Our job is to make the rest of the team more effective (which is pretty awesome) This niche is a great path into security from development or into development from security Takeaways
33Security automation simplified Join the Austin DFIR Slack group! https://atx-dfir.herokuapp.com Meetups every ~quarter, next one scheduled for week of April 22 Come work with us! https://www.box.com/careers Austin: Security automation, threat analyst, security analyst, red team Redwood City: Security automation interns, application security, security engineering And finally…
Security automation simplified An intro to DIY security automation Moses Schwartz, Security Automation Engineer moses@box.com | @mosesschwartz | github.com/mosesschwartz BSides Austin 2019

Recommended

Security automation simplified: an intro to DIY security automation
Security automation simplified: an intro to DIY security automationSecurity automation simplified: an intro to DIY security automation
Security automation simplified: an intro to DIY security automation
Moses Schwartz
 
PyCon 2019 - A Snake in the Bits: Security Automation with Python
PyCon 2019 - A Snake in the Bits: Security Automation with PythonPyCon 2019 - A Snake in the Bits: Security Automation with Python
PyCon 2019 - A Snake in the Bits: Security Automation with Python
Moses Schwartz
 
From 0 to Secure in 1 Minute - Securing laaS - Nir Valtman
From 0 to Secure in 1 Minute - Securing laaS - Nir ValtmanFrom 0 to Secure in 1 Minute - Securing laaS - Nir Valtman
From 0 to Secure in 1 Minute - Securing laaS - Nir Valtman
EC-Council
 
Cloud security : Automate or die
Cloud security : Automate or dieCloud security : Automate or die
Cloud security : Automate or die
Priyanka Aash
 
Alfredo Reino - Monitoring aws and azure
Alfredo Reino - Monitoring aws and azureAlfredo Reino - Monitoring aws and azure
Alfredo Reino - Monitoring aws and azure
DevSecCon
 
Rugged DevOps at Scale with Rich Mogull
Rugged DevOps at Scale with Rich MogullRugged DevOps at Scale with Rich Mogull
Rugged DevOps at Scale with Rich Mogull
SeniorStoryteller
 
DevSecOps - automating security
DevSecOps - automating securityDevSecOps - automating security
DevSecOps - automating security
John Staveley
 
Security War Games
Security War GamesSecurity War Games
Security War Games
SeniorStoryteller
 

Recommended

Security automation simplified: an intro to DIY security automation
Security automation simplified: an intro to DIY security automationSecurity automation simplified: an intro to DIY security automation
Security automation simplified: an intro to DIY security automation
Moses Schwartz
 
PyCon 2019 - A Snake in the Bits: Security Automation with Python
PyCon 2019 - A Snake in the Bits: Security Automation with PythonPyCon 2019 - A Snake in the Bits: Security Automation with Python
PyCon 2019 - A Snake in the Bits: Security Automation with Python
Moses Schwartz
 
From 0 to Secure in 1 Minute - Securing laaS - Nir Valtman
From 0 to Secure in 1 Minute - Securing laaS - Nir ValtmanFrom 0 to Secure in 1 Minute - Securing laaS - Nir Valtman
From 0 to Secure in 1 Minute - Securing laaS - Nir Valtman
EC-Council
 
Cloud security : Automate or die
Cloud security : Automate or dieCloud security : Automate or die
Cloud security : Automate or die
Priyanka Aash
 
Alfredo Reino - Monitoring aws and azure
Alfredo Reino - Monitoring aws and azureAlfredo Reino - Monitoring aws and azure
Alfredo Reino - Monitoring aws and azure
DevSecCon
 
Rugged DevOps at Scale with Rich Mogull
Rugged DevOps at Scale with Rich MogullRugged DevOps at Scale with Rich Mogull
Rugged DevOps at Scale with Rich Mogull
SeniorStoryteller
 
DevSecOps - automating security
DevSecOps - automating securityDevSecOps - automating security
DevSecOps - automating security
John Staveley
 
Security War Games
Security War GamesSecurity War Games
Security War Games
SeniorStoryteller
 
Locking Down Your Cloud
Locking Down Your CloudLocking Down Your Cloud
Locking Down Your Cloud
Teri Radichel
 
The Joy of Proactive Security
The Joy of Proactive SecurityThe Joy of Proactive Security
The Joy of Proactive Security
Andy Hoernecke
 
Automated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSSAutomated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSS
Sonatype
 
Overcoming Security Challenges in DevOps
Overcoming Security Challenges in DevOpsOvercoming Security Challenges in DevOps
Overcoming Security Challenges in DevOps
Alert Logic
 
AllDayDevOps 2019 AppSensor
AllDayDevOps 2019 AppSensorAllDayDevOps 2019 AppSensor
AllDayDevOps 2019 AppSensor
jtmelton
 
Leveling the playing field
Leveling the playing fieldLeveling the playing field
Leveling the playing field
Aaron Bedra
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guys
Nick Landers
 
Defending Serverless Infrastructure in the Cloud RSAC 2020
Defending Serverless Infrastructure in the Cloud RSAC 2020Defending Serverless Infrastructure in the Cloud RSAC 2020
Defending Serverless Infrastructure in the Cloud RSAC 2020
Puma Security, LLC
 
Proactive Security AppSec Case Study
Proactive Security AppSec Case StudyProactive Security AppSec Case Study
Proactive Security AppSec Case Study
Andy Hoernecke
 
Remediate and secure your organization with azure sentinel
Remediate and secure your organization with azure sentinelRemediate and secure your organization with azure sentinel
Remediate and secure your organization with azure sentinel
Samik Roy
 
Red Team vs. Blue Team on AWS
Red Team vs. Blue Team on AWSRed Team vs. Blue Team on AWS
Red Team vs. Blue Team on AWS
Priyanka Aash
 
Java application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerJava application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developer
Steve Poole
 
SecDevOps 2.0 - Managing Your Robot Army
SecDevOps 2.0 - Managing Your Robot ArmySecDevOps 2.0 - Managing Your Robot Army
SecDevOps 2.0 - Managing Your Robot Army
conjur_inc
 
Windows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.com
Windows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.comWindows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.com
Windows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.com
Michael Gough
 
Windows Registry Auditing Cheat Sheet ver Oct 2016 - MalwareArchaeology
Windows Registry Auditing Cheat Sheet ver Oct 2016 - MalwareArchaeologyWindows Registry Auditing Cheat Sheet ver Oct 2016 - MalwareArchaeology
Windows Registry Auditing Cheat Sheet ver Oct 2016 - MalwareArchaeology
Michael Gough
 
Security For Humans
Security For HumansSecurity For Humans
Security For Humans
conjur_inc
 
Automated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWSAutomated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWS
Teri Radichel
 
Elizabeth Lawler - Devops, security, and compliance working in unison
Elizabeth Lawler - Devops, security, and compliance working in unisonElizabeth Lawler - Devops, security, and compliance working in unison
Elizabeth Lawler - Devops, security, and compliance working in unison
DevSecCon
 
Serverless Security: What's Left To Protect
Serverless Security: What's Left To ProtectServerless Security: What's Left To Protect
Serverless Security: What's Left To Protect
Guy Podjarny
 
SecDevOps
SecDevOpsSecDevOps
SecDevOps
Peter Lamar
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security Agile
Oleg Gryb
 
Making Security Agile - Oleg Gryb
Making Security Agile - Oleg GrybMaking Security Agile - Oleg Gryb
Making Security Agile - Oleg Gryb
SeniorStoryteller
 

More Related Content

What's hot

Locking Down Your Cloud
Locking Down Your CloudLocking Down Your Cloud
Locking Down Your Cloud
Teri Radichel
 
The Joy of Proactive Security
The Joy of Proactive SecurityThe Joy of Proactive Security
The Joy of Proactive Security
Andy Hoernecke
 
Automated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSSAutomated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSS
Sonatype
 
Overcoming Security Challenges in DevOps
Overcoming Security Challenges in DevOpsOvercoming Security Challenges in DevOps
Overcoming Security Challenges in DevOps
Alert Logic
 
AllDayDevOps 2019 AppSensor
AllDayDevOps 2019 AppSensorAllDayDevOps 2019 AppSensor
AllDayDevOps 2019 AppSensor
jtmelton
 
Leveling the playing field
Leveling the playing fieldLeveling the playing field
Leveling the playing field
Aaron Bedra
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guys
Nick Landers
 
Defending Serverless Infrastructure in the Cloud RSAC 2020
Defending Serverless Infrastructure in the Cloud RSAC 2020Defending Serverless Infrastructure in the Cloud RSAC 2020
Defending Serverless Infrastructure in the Cloud RSAC 2020
Puma Security, LLC
 
Proactive Security AppSec Case Study
Proactive Security AppSec Case StudyProactive Security AppSec Case Study
Proactive Security AppSec Case Study
Andy Hoernecke
 
Remediate and secure your organization with azure sentinel
Remediate and secure your organization with azure sentinelRemediate and secure your organization with azure sentinel
Remediate and secure your organization with azure sentinel
Samik Roy
 
Red Team vs. Blue Team on AWS
Red Team vs. Blue Team on AWSRed Team vs. Blue Team on AWS
Red Team vs. Blue Team on AWS
Priyanka Aash
 
Java application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerJava application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developer
Steve Poole
 
SecDevOps 2.0 - Managing Your Robot Army
SecDevOps 2.0 - Managing Your Robot ArmySecDevOps 2.0 - Managing Your Robot Army
SecDevOps 2.0 - Managing Your Robot Army
conjur_inc
 
Windows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.com
Windows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.comWindows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.com
Windows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.com
Michael Gough
 
Windows Registry Auditing Cheat Sheet ver Oct 2016 - MalwareArchaeology
Windows Registry Auditing Cheat Sheet ver Oct 2016 - MalwareArchaeologyWindows Registry Auditing Cheat Sheet ver Oct 2016 - MalwareArchaeology
Windows Registry Auditing Cheat Sheet ver Oct 2016 - MalwareArchaeology
Michael Gough
 
Security For Humans
Security For HumansSecurity For Humans
Security For Humans
conjur_inc
 
Automated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWSAutomated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWS
Teri Radichel
 
Elizabeth Lawler - Devops, security, and compliance working in unison
Elizabeth Lawler - Devops, security, and compliance working in unisonElizabeth Lawler - Devops, security, and compliance working in unison
Elizabeth Lawler - Devops, security, and compliance working in unison
DevSecCon
 
Serverless Security: What's Left To Protect
Serverless Security: What's Left To ProtectServerless Security: What's Left To Protect
Serverless Security: What's Left To Protect
Guy Podjarny
 
SecDevOps
SecDevOpsSecDevOps
SecDevOps
Peter Lamar
 

What's hot (20)

Locking Down Your Cloud
Locking Down Your CloudLocking Down Your Cloud
Locking Down Your Cloud
 
The Joy of Proactive Security
The Joy of Proactive SecurityThe Joy of Proactive Security
The Joy of Proactive Security
 
Automated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSSAutomated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSS
 
Overcoming Security Challenges in DevOps
Overcoming Security Challenges in DevOpsOvercoming Security Challenges in DevOps
Overcoming Security Challenges in DevOps
 
AllDayDevOps 2019 AppSensor
AllDayDevOps 2019 AppSensorAllDayDevOps 2019 AppSensor
AllDayDevOps 2019 AppSensor
 
Leveling the playing field
Leveling the playing fieldLeveling the playing field
Leveling the playing field
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guys
 
Defending Serverless Infrastructure in the Cloud RSAC 2020
Defending Serverless Infrastructure in the Cloud RSAC 2020Defending Serverless Infrastructure in the Cloud RSAC 2020
Defending Serverless Infrastructure in the Cloud RSAC 2020
 
Proactive Security AppSec Case Study
Proactive Security AppSec Case StudyProactive Security AppSec Case Study
Proactive Security AppSec Case Study
 
Remediate and secure your organization with azure sentinel
Remediate and secure your organization with azure sentinelRemediate and secure your organization with azure sentinel
Remediate and secure your organization with azure sentinel
 
Red Team vs. Blue Team on AWS
Red Team vs. Blue Team on AWSRed Team vs. Blue Team on AWS
Red Team vs. Blue Team on AWS
 
Java application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerJava application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developer
 
SecDevOps 2.0 - Managing Your Robot Army
SecDevOps 2.0 - Managing Your Robot ArmySecDevOps 2.0 - Managing Your Robot Army
SecDevOps 2.0 - Managing Your Robot Army
 
Windows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.com
Windows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.comWindows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.com
Windows splunk logging cheat sheet Oct 2016 - MalwareArchaeology.com
 
Windows Registry Auditing Cheat Sheet ver Oct 2016 - MalwareArchaeology
Windows Registry Auditing Cheat Sheet ver Oct 2016 - MalwareArchaeologyWindows Registry Auditing Cheat Sheet ver Oct 2016 - MalwareArchaeology
Windows Registry Auditing Cheat Sheet ver Oct 2016 - MalwareArchaeology
 
Security For Humans
Security For HumansSecurity For Humans
Security For Humans
 
Automated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWSAutomated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWS
 
Elizabeth Lawler - Devops, security, and compliance working in unison
Elizabeth Lawler - Devops, security, and compliance working in unisonElizabeth Lawler - Devops, security, and compliance working in unison
Elizabeth Lawler - Devops, security, and compliance working in unison
 
Serverless Security: What's Left To Protect
Serverless Security: What's Left To ProtectServerless Security: What's Left To Protect
Serverless Security: What's Left To Protect
 
SecDevOps
SecDevOpsSecDevOps
SecDevOps
 

Similar to Security Automation Simplified - BSides Austin 2019

Making Security Agile
Making Security AgileMaking Security Agile
Making Security Agile
Oleg Gryb
 
Making Security Agile - Oleg Gryb
Making Security Agile - Oleg GrybMaking Security Agile - Oleg Gryb
Making Security Agile - Oleg Gryb
SeniorStoryteller
 
AppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileAppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security Agile
Oleg Gryb
 
Security and Advanced Automation in the Enterprise
Security and Advanced Automation in the EnterpriseSecurity and Advanced Automation in the Enterprise
Security and Advanced Automation in the Enterprise
Amazon Web Services
 
Advanced Security Automation Made Simple
Advanced Security Automation Made SimpleAdvanced Security Automation Made Simple
Advanced Security Automation Made Simple
Mark Nunnikhoven
 
DevOps Tooling - Pop-up Loft TLV 2017
DevOps Tooling - Pop-up Loft TLV 2017DevOps Tooling - Pop-up Loft TLV 2017
DevOps Tooling - Pop-up Loft TLV 2017
Amazon Web Services
 
Continuous Delivery, Continuous Integration
Continuous Delivery, Continuous Integration Continuous Delivery, Continuous Integration
Continuous Delivery, Continuous Integration
Amazon Web Services
 
Us 17-krug-hacking-severless-runtimes
Us 17-krug-hacking-severless-runtimesUs 17-krug-hacking-severless-runtimes
Us 17-krug-hacking-severless-runtimes
Ravishankar Somasundaram
 
Security Certification: Security Analytics using Sumo Logic - Oct 2018
Security Certification: Security Analytics using Sumo Logic - Oct 2018Security Certification: Security Analytics using Sumo Logic - Oct 2018
Security Certification: Security Analytics using Sumo Logic - Oct 2018
Sumo Logic
 
Cloud Application Security: Lessons Learned
Cloud Application Security: Lessons LearnedCloud Application Security: Lessons Learned
Cloud Application Security: Lessons Learned
Jason Chan
 
Agility Requires Safety
Agility Requires SafetyAgility Requires Safety
Agility Requires Safety
Yevgeniy Brikman
 
Dev ops on aws deep dive on continuous delivery - Toronto
Dev ops on aws deep dive on continuous delivery - TorontoDev ops on aws deep dive on continuous delivery - Toronto
Dev ops on aws deep dive on continuous delivery - Toronto
Amazon Web Services
 
DevOps On AWS - Deep Dive on Continuous Delivery
DevOps On AWS - Deep Dive on Continuous DeliveryDevOps On AWS - Deep Dive on Continuous Delivery
DevOps On AWS - Deep Dive on Continuous Delivery
Mikhail Prudnikov
 
Cloud Application Security: Lessons Learned
Cloud Application Security: Lessons LearnedCloud Application Security: Lessons Learned
Cloud Application Security: Lessons Learned
Jason Chan
 
Estimating Security Risk Through Repository Mining
Estimating Security Risk Through Repository MiningEstimating Security Risk Through Repository Mining
Estimating Security Risk Through Repository Mining
Tamas K Lengyel
 
AWS re:Invent 2016: 5 Security Automation Improvements You Can Make by Using ...
AWS re:Invent 2016: 5 Security Automation Improvements You Can Make by Using ...AWS re:Invent 2016: 5 Security Automation Improvements You Can Make by Using ...
AWS re:Invent 2016: 5 Security Automation Improvements You Can Make by Using ...
Amazon Web Services
 
Defcon23 from zero to secure in 1 minute - nir valtman and moshe ferber
Defcon23 from zero to secure in 1 minute - nir valtman and moshe ferberDefcon23 from zero to secure in 1 minute - nir valtman and moshe ferber
Defcon23 from zero to secure in 1 minute - nir valtman and moshe ferber
Moshe Ferber
 
DEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud securityDEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud security
Felipe Prado
 
Pragmatic Cloud Security Automation
Pragmatic Cloud Security AutomationPragmatic Cloud Security Automation
Pragmatic Cloud Security Automation
CloudVillage
 
Using Data Science & Serverless Python to find apartment in Toronto
Using Data Science & Serverless Python to find apartment in TorontoUsing Data Science & Serverless Python to find apartment in Toronto
Using Data Science & Serverless Python to find apartment in Toronto
Daniel Zivkovic
 

Similar to Security Automation Simplified - BSides Austin 2019 (20)

Making Security Agile
Making Security AgileMaking Security Agile
Making Security Agile
 
Making Security Agile - Oleg Gryb
Making Security Agile - Oleg GrybMaking Security Agile - Oleg Gryb
Making Security Agile - Oleg Gryb
 
AppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security AgileAppSec California 2016 - Making Security Agile
AppSec California 2016 - Making Security Agile
 
Security and Advanced Automation in the Enterprise
Security and Advanced Automation in the EnterpriseSecurity and Advanced Automation in the Enterprise
Security and Advanced Automation in the Enterprise
 
Advanced Security Automation Made Simple
Advanced Security Automation Made SimpleAdvanced Security Automation Made Simple
Advanced Security Automation Made Simple
 
DevOps Tooling - Pop-up Loft TLV 2017
DevOps Tooling - Pop-up Loft TLV 2017DevOps Tooling - Pop-up Loft TLV 2017
DevOps Tooling - Pop-up Loft TLV 2017
 
Continuous Delivery, Continuous Integration
Continuous Delivery, Continuous Integration Continuous Delivery, Continuous Integration
Continuous Delivery, Continuous Integration
 
Us 17-krug-hacking-severless-runtimes
Us 17-krug-hacking-severless-runtimesUs 17-krug-hacking-severless-runtimes
Us 17-krug-hacking-severless-runtimes
 
Security Certification: Security Analytics using Sumo Logic - Oct 2018
Security Certification: Security Analytics using Sumo Logic - Oct 2018Security Certification: Security Analytics using Sumo Logic - Oct 2018
Security Certification: Security Analytics using Sumo Logic - Oct 2018
 
Cloud Application Security: Lessons Learned
Cloud Application Security: Lessons LearnedCloud Application Security: Lessons Learned
Cloud Application Security: Lessons Learned
 
Agility Requires Safety
Agility Requires SafetyAgility Requires Safety
Agility Requires Safety
 
Dev ops on aws deep dive on continuous delivery - Toronto
Dev ops on aws deep dive on continuous delivery - TorontoDev ops on aws deep dive on continuous delivery - Toronto
Dev ops on aws deep dive on continuous delivery - Toronto
 
DevOps On AWS - Deep Dive on Continuous Delivery
DevOps On AWS - Deep Dive on Continuous DeliveryDevOps On AWS - Deep Dive on Continuous Delivery
DevOps On AWS - Deep Dive on Continuous Delivery
 
Cloud Application Security: Lessons Learned
Cloud Application Security: Lessons LearnedCloud Application Security: Lessons Learned
Cloud Application Security: Lessons Learned
 
Estimating Security Risk Through Repository Mining
Estimating Security Risk Through Repository MiningEstimating Security Risk Through Repository Mining
Estimating Security Risk Through Repository Mining
 
AWS re:Invent 2016: 5 Security Automation Improvements You Can Make by Using ...
AWS re:Invent 2016: 5 Security Automation Improvements You Can Make by Using ...AWS re:Invent 2016: 5 Security Automation Improvements You Can Make by Using ...
AWS re:Invent 2016: 5 Security Automation Improvements You Can Make by Using ...
 
Defcon23 from zero to secure in 1 minute - nir valtman and moshe ferber
Defcon23 from zero to secure in 1 minute - nir valtman and moshe ferberDefcon23 from zero to secure in 1 minute - nir valtman and moshe ferber
Defcon23 from zero to secure in 1 minute - nir valtman and moshe ferber
 
DEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud securityDEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud security
 
Pragmatic Cloud Security Automation
Pragmatic Cloud Security AutomationPragmatic Cloud Security Automation
Pragmatic Cloud Security Automation
 
Using Data Science & Serverless Python to find apartment in Toronto
Using Data Science & Serverless Python to find apartment in TorontoUsing Data Science & Serverless Python to find apartment in Toronto
Using Data Science & Serverless Python to find apartment in Toronto
 

Recently uploaded

“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
Claudio Di Ciccio
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Vladimir Iglovikov, Ph.D.
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 
20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website
Pixlogix Infotech
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Speck&Tech
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
Daiki Mogmet Ito
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 

Recently uploaded (20)

“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 

Security Automation Simplified - BSides Austin 2019

  • 1. Security automation simplified An intro to DIY security automation Moses Schwartz, Security Automation Engineer moses@box.com | @mosesschwartz | github.com/mosesschwartz BSides Austin 2019
  • 2. 2Security automation simplified Incident response / security monitoring infrastructure Before automation Network Devices User Laptops Servers Security Tools SIEM Logs Ticketing System Active Directory Asset Mgmt VirusTotal Playbook Docs ???? ???? Alerts
  • 3. 3Security automation simplified Automation approaches Building an automation/orchestration solution for every environment is a huge undertaking Building one for your environment is a much more tractable problem Centralized Logic mostly in one place, often with some sort of workflow or orchestration engine • Examples: Most commercial offerings, building everything in a single platform, this DIY approach • Downsides: single point of failure, major effort to build out, major learning curve Distributed / ad hoc Bits of automation from many different tools to make your life better • Examples: 1:1 pairings using web hooks between tool APIs • Downsides: gets complicated, hard to debug, hard to piece together complex workflows, tribal knowledge
  • 4. 4Security automation simplified Build a search query that matches the condition you want to alert on Splunk Alert development
  • 5. 5Security automation simplified Create an alert using your search query Best practice is to create an App to contain all of your custom settings I like to specify a cron schedule for maximum flexibility Ensure your time range matches the schedule Splunk Alert development
  • 6. 6Security automation simplified Trigger when Number of Results is greater than 0 Trigger for each result - Splunk webhooks only include the first row of data Add a Webhook Trigger Action and aim it at your server (we’ll build this in the next step) Splunk Alert development
  • 7. 7Security automation simplified We will use Flask for super simple API development Always include a status/health endpoint splunk_webhook will write the JSON payload with indentation to a file host=“0.0.0.0” exposes this to the world! automation_server.py Receive Splunk webhook payload
  • 8. 8Security automation simplified It’s JSON from our alert! Development tip: modify that alert to run every minute and extend the time range Don’t run it like this in production - there are many tutorials on deploying a Flask app with Nginx or Apache and a WSGI server automation_server.py Run the server and check the output
  • 9. 9Security automation simplified Your code should be under version control, but your passwords shouldn’t! A super lightweight approach is to keep your secrets and settings in a Python file that is NOT checked in with code (don’t forget to add this file to your .gitignore) This file can then be pushed as part of configuration management or manually settings.py Keep secrets out of git!
  • 10. 10Security automation simplified Let’s create a ticket in Jira Create your authenticated JIRA object using the Python library Use the create_issue method to create the ticket and set fields automation_server.py Round two: ticket creation
  • 11. 11Security automation simplified After the next Splunk webhook fires, we’ll have a Jira ticket Right now the description is just a JSON blob of the alert Jira Issue created
  • 12. 12Security automation simplified Create a webhook to do enrichments – start by just extracting user and MD5 and commenting on the ticket Point the URL to your automation server with a new endpoint Filter for Issue created events that match our project and alert name Jira Webhook configuration
  • 14. 14Security automation simplified Returns a JSON object: ad_lookup.py Lookup a user in Active Directory {'entries': [{'attributes': { 'cn': 'Moses Schwartz', 'title': 'Staff Security Engineer', 'company': 'Box, Inc', 'department': 'Security Automation', 'employeeID': '1234', 'l': 'Redwood City', 'streetAddress': '900 Jefferson Avenue', # ... tons more fields omitted }}]}
  • 16. 16Security automation simplified virustotal.py Get a file scan report {'scan_id': 'e3b0c44298fc1c149afbf48996f...', 'sha1': 'da39a3ee5e6b4b0d3255bff9560189...', 'resource': 'd41d8cd98f00b204e980098ecf...', 'scan_date': '2019-03-01 23:35:34', 'permalink': 'https://www.virustotal.com/... 'total': 60, 'positives': 0, 'md5': 'd41d8cd98f00b204e9800998ecf8427e' {'scans': {'Bkav': {'detected': False, 'version': '1.3.0.9899', 'result': None, 'update': '20190301'} ....
  • 18. 18Security automation simplified Incident response / security monitoring infrastructure With automation MockScan Splunk Logs Automation server Alerts Jira Create ticket Webhook Active Directory Enrich ticket VirusTotal
  • 19. 19Security automation simplified • Search for and link to previous tickets, populate ticket fields, close duplicate tickets • Run a Splunk search • Lookup DNS and WHOIS records • Run Ansible playbooks • Send a sample to a sandbox • Upload files to Box • Isolate hosts and grab memory • Pull PCAPs • Flash a light or connect to other smart devices More things we could automate Anything you can write a script to do
  • 20. 20Security automation simplified Input validation, error messages, API documentation Error handling If one task fails, they all fail Authentication Deployment Health/status monitoring Moving toward production Everything that can break, will break 500 Internal Server Error
  • 21. 21Security automation simplified Flask extensions such as Flask-RESTPlus can do a lot of work for you Provides consistent API interaction and error messages Automatically generates Swagger docs!! automation_server.py Now using Flask-RESTPlus
  • 22. 22Security automation simplified Swagger is a framework for documenting and building APIs Swagger UI allows us to interact with our API through the browser We’ll have to add model/schema definitions to complete the Swagger documentation Swagger Docs Automatically generated from code
  • 23. 23Security automation simplified Specify a model for the endpoint’s expected input We don’t need to worry about all of the webhook fields, just the ones we use Enable validation to reject bad requests automation_server.py Input validation
  • 24. 24Security automation simplified The model is used to automatically build the example payload Now we can run these endpoints through the web interface Swagger Docs Model specifies payload format
  • 25. 25Security automation simplified We weren’t handling errors in our code before, so we got default web server HTML error messages Flask-RESTPlus will return properly formatted JSON message Adding input validation prevents the error in the first places and provides semi-helpful error messages API interaction Error handling / input validation
  • 26. 26Security automation simplified Enrichments and other tasks should be asynchronous to avoid the scenario where if one fails, they all fail Our example was synchronous, some other options to run jobs asynchronously are: • Individual Jira webhooks for each enrichment • Celery, multiprocessing, asyncio (DIY Python approaches) • StackStorm, Jenkins, Rundeck (DevOps tools that fit this use case) • AWS Lambda jobs (hey, we could build this whole thing out of Lambdas) Add a retry capability to each task: just trying again fixes a surprising number of problems Error handling, retrying, task execution
  • 27. 27Security automation simplified Options: • Include a “secret” in your webhook receiver URL • Don’t worry and restrict access by IP • Store access tokens in settings.py • Rely on .htaccess or similar from your webserver • Use an extension like Flask-Login • Roll your own solution Authentication is nearly meaningless without encryption Authentication Almost as complicated as secret management
  • 28. 28Security automation simplified Get a domain and SSL cert • IP addresses and HTTP are fine for development, but are not so cool for production use Use configuration management • Ansible, Salt, Puppet, Chef, etc. Consider deployment options • Containers (Docker) • Package builders (Pex, Omnibus) Strive for continuous integration/continuous deployment (CI/CD) • Automated, repeatable builds / deployments are the dream Deployment DevOps for SecOps
  • 29. 29Security automation simplified Exception logging and alerting are critical: even if our code is perfect, external API lookups will fail Use a status monitoring tool like Nagios, Icinga, Sensu, Datadog (that’s what the /status endpoint is for) Forward your server logs to Splunk, and set up alerts on error messages Monitor for skipped searches in Splunk: index=_internal source=*scheduler.log status=skipped Build some status dashboards to monitor API usage and errors Status and health monitoring What could go wrong? Splunk. Splunk could go wrong.
  • 30. 30Security automation simplified Maintaining state is hard: avoid it whenever possible Try, try again: a surprising number of errors can be resolved by waiting and retrying Deploy your code from your git repo even if you don’t have CI/CD: this minimizes the temptation to make in-place hotfixes Consider writing tests: sometimes they’re really handy Keep your code modular and small Done is better than perfect Development tips and lessons learned Let me be a cautionary tale… Source: xkcd.com
  • 31. 31Security automation simplified Management loves colorful numbers Assign a number of minutes saved per enrichment or action and calculate the total from your logs Security automation isn’t about replacing people, and it’s not a set-it-and-forget-it solution • Security automation is different from factory automation – you can’t replace human incident responders • Automation should become a core part of your process – continually improve Target 25% effort spent automating Metrics Quantify your impact
  • 32. 32Security automation simplified Security automation is not black magic Existing tools that aren't marketed toward security can work great in this space There is so much low hanging fruit Our job is to make the rest of the team more effective (which is pretty awesome) This niche is a great path into security from development or into development from security Takeaways
  • 33. 33Security automation simplified Join the Austin DFIR Slack group! https://atx-dfir.herokuapp.com Meetups every ~quarter, next one scheduled for week of April 22 Come work with us! https://www.box.com/careers Austin: Security automation, threat analyst, security analyst, red team Redwood City: Security automation interns, application security, security engineering And finally…
  • 34. Security automation simplified An intro to DIY security automation Moses Schwartz, Security Automation Engineer moses@box.com | @mosesschwartz | github.com/mosesschwartz BSides Austin 2019