O'Reilly Security - Continuous Auditing For Effective Compliance with Rudder

Post on 14-Feb-2017

Transcript of O'Reilly Security - Continuous Auditing For Effective Compliance with Rudder

Jonathan CLARKE

Continuous auditing for effective compliance

jcl@normation.com @jooooooon42

Co-founder & Chief Product Officer @ Normation

Normation – CC-BY-SA normation.com

It’s a continuous world

Continuous *: Integration, Delivery, Improvement (agile, devops)

Continuous, adjective: 1. without interruption 2. progressive
Synonyms: sustained, round-the-clock, relentless

Continuous everything

Continuous Growth, Continuously Connected, Continuous Threats

We need a continuous response

Continuous auditing for effective compliance

Security policies: what and how?

Rules come from different levels: Laws, Industry regulations, Corporate regulations, Best practices, Organisational process, Technical directives

We can’t automate humans!

Security policies: what and how?

Examples of security technical directives, with the GOAL of each:

1. Auto logout after a period of inactivity. Goal: harden access

2. Password policy (strength, duration, ...). Goal: harden access

3. No compilers on production servers. Goal: avoid potential exploits

4. Warning message on server remote access. Goal: obey the law

5. Patch vulnerable software package. Goal: avoid known exploits

Security policies: traditional lifecycle

Typical lifecycle of security policy: Policy → Apply on new servers → Regular audits (3-12 months) → OK? → REMEDIATION, with DRIFT in between

Introducing Rudder

Rudder: noun. Piece used for steering a ship. Used to correct heading when trajectory drifts off course.

Introducing Rudder

Define desired state: imperative vs declarative (target)

Install package x vs Package x should be installed

Restart service z vs Service z should be running

Copy file template y.tpl vs File y should contain line abc=def

Introducing Rudder

Rudder’s continuous lifecycle: Define desired state → Distribute to agents → Check state locally (OS-specific implementations) → OK / NOK → Report → REPEAT

Introducing Rudder

High-level overview

Drill-down to each individual state: Compliant

Building blocks can be used to check anything

Examples of security technical directives, with GOAL and IMPLEMENTATION:

1. Auto logout after a period of inactivity. Goal: harden access. Implementation: file/registry edit

2. Password policy (strength, duration, ...). Goal: harden access. Implementation: file/registry edit

3. No compilers on production servers. Goal: avoid potential (local) exploits. Implementation: package remove

4. Warning message on server remote access. Goal: obey the law. Implementation: file/registry edit

5. Patch vulnerable software packages. Goal: avoid known exploits. Implementation: package install/update

Photo CC BY-NC-SA 2.0 from https://www.flickr.com/photos/dillpixel/

Building blocks in Rudder (aka generic methods)


Building blocks can be used to check anything

Generic methods (package absent, package present, file edit, file enforce, service running) are composed into security directives (#1, #2, #3), which are in turn grouped into RULES such as the corporate security policy and the security best practices.

From continuous auditing to continuous remediation

Continuous auditing → Continuous remediation

Node by node, policy by policy

Rudder’s lifecycle with remediation: Define desired state → Distribute to agents → Check state locally (OS-specific implementations) → OK / NOK → Report → Remediate → REPEAT
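As an added example (not code from the talk or from the Rudder project), the following Python model walks through both the declarative states from "Define desired state" and the audit/remediate loop above: each generic method reports whether a node is compliant and returns a fix, an agent run reports OK/NOK per directive, and enforce mode remediates so that the next run reports OK. The node contents, directive names and rule names are constructed for illustration.

```python
from copy import deepcopy
# Constructed sample node (not a real host): gcc violates directive #3 and
# /etc/profile lacks the auto-logout line required by directive #1.
NODE = {
    "packages": {"openssh-server", "gcc"},
    "files": {"/etc/profile": ["PATH=/usr/bin"]},
}
def fresh_node():
    return deepcopy(NODE)

# Generic methods: each returns (compliant, fix), where fix() repairs the node.
def package_absent(node, name):
    return name not in node["packages"], lambda: node["packages"].discard(name)

def package_present(node, name):
    return name in node["packages"], lambda: node["packages"].add(name)

def file_line_present(node, path, line):
    present = line in node["files"].get(path, [])
    return present, lambda: node["files"].setdefault(path, []).append(line)

# Rules group directives; each directive is one generic method plus arguments.
RULES = {
    "corporate security policy": [
        ("directive #1: auto logout", file_line_present, ("/etc/profile", "TMOUT=900")),
        ("directive #3: no compilers", package_absent, ("gcc",)),
    ],
    "security best practices": [
        ("ssh package", package_present, ("openssh-server",)),
    ],
}
def run_agent(node, mode="audit"):
    """One agent run: check each directive locally and report OK/NOK;
    in enforce mode, remediate drift instead of only reporting it."""
    report = {}
    for rule, directives in RULES.items():
        for name, method, args in directives:
            compliant, fix = method(node, *args)
            if compliant:
                report[(rule, name)] = "OK"
            elif mode == "enforce":
                fix()
                report[(rule, name)] = "REPAIRED"
            else:
                report[(rule, name)] = "NOK"
    return report

def compliance(report):
    """Percentage of directives compliant after this run (NOK counts as drift)."""
    return 100 * sum(v != "NOK" for v in report.values()) // len(report)
```

Running the agent twice on the same node, first in audit mode and then in enforce mode, reproduces the deck's loop: drift is reported, remediated, and the following run is fully compliant.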

Rudder: Open source Automation & Compliance

www.rudder-project.org @RudderProject

A bit more about Rudder

Platform support: Cloud, Servers, Desktop, Embedded/IoT, Mobile

Any scale. Typical deployments: 100s-1000s of servers. Biggest known today is 7000. 2 → > 10 000

Multi-platform: metal, virtual, cloud, …

Multi-OS: C agent on UNIX/Linux, DSC on Windows

A bit more about Rudder

Separation of roles:

API: automate new nodes, policy, extract compliance

CLI / Code: create new configuration templates, everyday management tasks

Web: use existing configuration patterns, observe compliance

Summary

Continuous IT

Continuous auditing

Continuous remediation


Summary

Fire & Forget

Worry about next thing

Continuous improvement

Thanks for listening! Any questions?

This presentation is shared under a FLOSS licence, CC-BY-SA, and available on http://www.slideshare.net/normation/.

Jonathan CLARKE jcl@normation.com @jooooooon42

Co-founder & Chief Product Officer @ Normation