Slides from Alexandre BRIANCEAU's talk at #OSSPARIS19 (Open Source Summit Paris 2019). Security is everyone's business, an exploited breach is enough. Teams are aware of this and yet it is still as difficult as ever to be able to ensure, be confident, and reassure others (prove) that at least one party is under control. And when it comes to server infrastructure, especially at the OS / middleware level, everything gets complicated. Even with an operational security team, it is difficult to ensure that the Information System Security Policy and security recommendations are properly implemented on all servers. How can we be sure that our security policies are properly applied on all our servers other than through a massive and costly audit? Even if they were when they were created, how do you know if they remain perfectly compliant after a few days / weeks / months? Let's discover together RUDDER, an open-source solution for continuous compliance based on configuration management to automatically audit and/or correct our systems.

1. 10 & 11
DÉCEMBRE
2019
Servers compliance: audit,
remediation, proof
Alexandre BRIANCEAU

2. Abstract
>
>
>

3. ● Everyone has authority over their activities and carries
responsibilities: security is a cross-cutting concern
● A team dedicated to security is not enough,
the attacker will know how to find
weak points: it is a question of
security hygiene, as for healthcare.
Cybersecurity and business

4. Cybersecurity and IT infrastructure
DEV QA PRODUCTION RECOVERY
DEV SEC OPSMGMT EXTERN
Multiple teams, diluted expertise, harder reporting
Heterogeneous systems, reduced visibility, ease of use and understanding

5. ● Cyber posture
Security status (network, information, IT…) with mananing capabilities to react
on any change.
● Cyber Risk Management
Actions and process to maintain an cyber posture
● Cyber exposure
Holistic and dynamic risk visibility to obtain meaningful data
● Cyber Bullshit
Vendors telling you that their magical software solve everything
Cyber <put here what you want>
Cyber Bullsh*t

6. ● Main issues:
○ Systems complexity and heterogeneous infrastructures
○ Lack visibility and have blind spots
○ Difficulties in having enough qualified people
○ Collaboration between security and IT operational teams is difficult:
■ non-aligned objectives
■ different processes and technologies
■ significant delays increasing reaction time
SecOps is a collaborative effort to align needs, objectives, values and
technologies to effectively support Cyber Risk Management.
SecOps: team collaboration for cybersecurity

7. 52% of organizations admit to cutting back on security measures to
meet a business deadline or objective
SecOps: easy to say, hard to do
Half companies find that coordination between security and IT
operations teams is challenging.
Half of organizations cited that the absence of effective
orchestration and automation is barrier

8. Automation makes it possible to make SecOps goals real by allowing:
○ To act quickly across all infrastructures by speeding up workflows
○ To be 100% predictable and therefore reliable
○ To centralize information, allow effective communication and
ensure knowledge transfer
○ To trace and log all events, report meaningful data and context to
the teams with holistic and detailed informations
○ To free up teams so that human intervention is valuable: analysis,
decision-making, design, sharing
Automation & SecOps

9. ● Perimeter is huge: from servers to network or IOT…
● Two main actions:
○ Proactive: risk identification and mitigation (incident prevention)
○ Reactive: incident response (that limit the loss)
Risk management is proactive, but mapping and identifying
risks is useless if they cannot be easily addressed!
IT systems & SecOps
>

10. Open-source and French continuous configuration
management solution for IT compliance
➔ Are my systems in compliance with our
security policy?
➔ Which DMZ servers are vulnerable to
this CVE?
➔ How do I prove my compliance to the
auditor?

11. RUDDER & IT Ops landscape
Business needs
Operating System
Versioned source code
Applicative binaries
Middleware
App App App
Server
Agile methodology
Continuous integration
Continuous deployment
Provisioning
RUNDEV
Installation & Configuration
Updating & Patch Management
Security & Risk Management
Running & Incident resolution
SECURITY

12. Ensure that the rules are applied

13. Ensure that the risks are managed

14. Give context to your team

15. Rudder: running principle
2. Configuration
download
1. Target state definition
3. Continuous local verification
(+ Automatic fixing)
4. Continuous reporting Server
App version XX.XX

16. Collaboration to define compliance state

17. Ensure that all your IT is compliant

18. Fit to your workflows
Sec
Production
Interns
OpsDev
Externals
audit - sudoers / logs
validation workflow
DMZ
Compliance
reporting

19. IT automation & compliance for SecOps
RUDDER in a nutshell
● Automate and ensure that your IT systems are under control
● Beyond auditing: act and remediate!
● Give your teams quick feedbacks and contexts
● Allow Sec & Ops team to collaborate in autonomy
● Integrate with your workflows and your ecosystem:

20. Manage OS, middleware and software level
Team oriented (WebUI, CLI, API)
Audit only or automatic drift remediation
Continuous reporting and dashboarding
IT automation & compliance for SecOps
RUDDER in a nutshell

21. Project website:
Documentation:
Online Chat:
To contact me:
More details on RUDDER with...
www.rudder.io
docs.rudder.io
chat.rudder.io
alexandre@rudder.io

22. 10 & 11
DÉCEMBRE
2019
Servers compliance: audit,
remediation, proof
Alexandre BRIANCEAU