Goodbye CLI, hello API: Leveraging network programmability in security incident response
TRANSCRIPT
Copyright © 2016 World Wide Technology, Inc. All rights reserved.
Cybergamut Technical Tuesday
20 September 2016
Joel W. King, Engineering and Innovations, Network Solutions
Abstract
Automation and orchestration have been the purview of cloud computing and system administration, but they are now increasingly important to security operations and network administration. By automating the data collection and corrective action components of incident response, significant time savings can be realized. Corrective actions often need to be applied to multiple assets in the organization, and automation improves consistency as well as saving time. This talk describes how security and IT orchestration can be integrated through code reuse and integration with APIs.
We demonstrate how Phantom and Ansible can be integrated to automate the incident response data collection, corrective action, and notification.
whoami
Joel W. King
[email protected]
@joel_w_king
github.com/joelwking
www.linkedin.com/in/programmablenetworks
Networking Panel at AnsibleFest NYC 2015
Not here to sell you anything.
Not paid to present.
I talk about software and products with which I have hands-on experience.
Other products may have similar functionality.
Please ask questions and comment.
Disclaimer
Headquartered in St. Louis, Missouri
2015 revenue: $7.4 billion
Integration labs in the U.S. and Europe
2 M+ square feet of warehouse, distribution and integration space
3,000+ professionals
500+ engineers and technical resources
World Wide Technology
Goal Where we were, are, and where we want to be
Tools: Ansible, Phantom, Agents
Use Cases
Remote Trigger Black Hole
Security-Defined Routing
Data Exfiltration Monitoring
Key Take-away
Crux of the Problem
“My dear, here we must run as fast as we can, just to stay in place. And if you wish to go anywhere you must run twice as fast as that.”
Lewis Carroll Alice in Wonderland
Where we were, are, and where we want to be
Challenges and Objectives
Cheese store. Amsterdam, The Netherlands
• Can’t hire your way out of the problem
• Lack of programming skills
• Organizations resistant to change
The factory of parmesan cheeses, Modena
• Exploit regularity to create patterns, automate patterns
• Automation saves time, increases stability
• Quickly remediate security exposures
1996: You learned to type fast
GUIDE TO COMMUNICATION PROTOCOLS
Programmable Infrastructure: Infrastructure as Code (IaC)
Automation is to the network as the assembly line is to the automobile
Infrastructure managed using version controlled, machine readable, configurations.
Physical device configuration no longer the source of truth.
Network Programmability Developer
Time
Interest
Aptitude
Role within Network and Security Operations.
Working proficiency writing code (Python) using REST APIs.
Knowledgeable about the applications and data that leverage the infrastructure.
Minimum of CCNA level networking knowledge.
Knowledge of security tools, processes.
COMPUTE – NETWORKING – STORAGE – SECURITY – APP DELIVERY - MOBILITY
Automation Maturity Levels
STAND ALONE, BASIC SCRIPTS, PROCEDURAL CODING, NO CODE MODULARITY
CREATING | SHARING COLLECTIONS OF WORKFLOWS
USING AUTOMATION FRAMEWORK
ENTERPRISE ORCHESTRATION
CUSTOM UI
INTERCONNECT ORCHESTRATION
PYTHON
CHROME POSTMAN
ANSIBLE | SALTSTACK
ANSIBLE TOWER | PHANTOM CYBER
SERVICE NOW
AWS
PHANTOM CYBER | ANSIBLE TOWER
Empowering the Community Extensibility is key for commercial software packages
Network programmability developer extends capability of vendor software
NETWORK INFRASTRUCTURE
VENDOR, COMMUNITY AND END USER DEVELOPED APPS
API
API
API
CUSTOM DEVICE APPS
Extensible APIs
1996: Naming Conventions
Tags, Groups, Dynamic Inventories
Tools: Ansible, Phantom, Agents
Introduction to Ansible
• Ansible uses SSH instead of agents.
• Python modules run locally or on target systems.
SIMPLE AGENTLESS POWERFUL
• Deploy applications
• Configuration management
• Network provisioning
• Playbooks are both human and machine readable.
• Large library of modules.
Ansible is an open source project; Ansible Tower by Red Hat is a licensed GUI.
Introduction to Phantom: Security automation and orchestration platform
Provides “connective tissue” between security devices
Architecture abstracts security product capabilities
Apps implement actions which can be automated
Playbooks and Apps written in Python
Framework implements the UI, apps focus on the assets
Free community edition (developer access)
Phantom Apps
github.com/joelwking/Phantom-Cyber
F5 Firewall Policies: Playbooks clean data from security incidents and apply policy to assets via app(s)
Sharing Code
Agents: Software monitoring a state or condition and alerting via an API to the orchestrating system.
IoT: Fog Computing (Networking)
Programmable networking is not just top down, it’s also bottom up.
Cisco Open NX-OS supports Linux Containers (LXCs).
Arista EOS supports Docker containers.
SDN/NFV Network Function Virtualization on x86 processors.
INCIDENT | AGENT
Remote Trigger Black Hole
Connecting Disparate Technology
PHANTOM 2.0.67
ANSIBLE TOWER 3.0
github.wwt.com
router bgp 65536……
Security-Defined Routing
Cybergamut: Oct 2014
Phantom | Floodlight
Data Exfiltration Monitoring
CODE
github.wwt.com
Nexus 9000 / ACI
APP MONITORS DYNAMICALLY CONFIGURED ATOMIC COUNTERS
PLAYBOOK | CODE
Create Incident as atomic counters exceed threshold
CONFIGURATION TEMPLATE
Agent
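The agent behaviour sketched on this slide (monitor the fabric's atomic counters, raise an incident when a threshold is exceeded) as an added example; this is not code from the talk or from the joelwking/Phantom-Cyber repository. The counter readings are constructed, and the orchestrator's /rest/container path, the ph-auth-token header and the incident field names are assumptions, not a documented Phantom contract.

```python
"""Hypothetical data exfiltration monitoring agent (added example)."""
import json
import urllib.request

# Constructed sample: per-endpoint-group byte counters as the agent would poll
# them from the fabric (a real agent would read them from the APIC REST API).
SAMPLE_COUNTERS = [
    {"src_epg": "web", "dst_epg": "external", "tx_bytes": 4_200_000_000},
    {"src_epg": "db",  "dst_epg": "external", "tx_bytes":   150_000_000},
    {"src_epg": "app", "dst_epg": "db",       "tx_bytes": 9_000_000_000},
]


def exceeded(counters, threshold_bytes, dst_epg="external"):
    """Return the counters toward dst_epg whose byte count exceeds the threshold.
    Traffic that stays inside the fabric (e.g. app -> db) is not exfiltration."""
    return [c for c in counters
            if c["dst_epg"] == dst_epg and c["tx_bytes"] > threshold_bytes]


def build_incident(counter, threshold_bytes):
    """Build the incident body for the orchestrator (field names assumed)."""
    return {
        "name": f"Possible data exfiltration from EPG {counter['src_epg']}",
        "label": "events",
        "severity": "high",
        "description": (f"{counter['tx_bytes']} bytes sent to {counter['dst_epg']} "
                        f"exceeds threshold of {threshold_bytes} bytes"),
        "data": counter,
    }


def post_incident(base_url, token, incident, opener=urllib.request.urlopen):
    """POST the incident to the orchestrator's REST API (endpoint assumed).
    `opener` is injectable so the call can be exercised without a live system."""
    req = urllib.request.Request(
        f"{base_url}/rest/container",
        data=json.dumps(incident).encode(),
        headers={"ph-auth-token": token, "Content-Type": "application/json"},
        method="POST")
    with opener(req) as resp:
        return resp.status


def run_agent(counters, threshold_bytes):
    """One polling cycle: return the incidents that would be raised."""
    return [build_incident(c, threshold_bytes)
            for c in exceeded(counters, threshold_bytes)]
```

In production the polling loop would re-read the counters on a schedule and keep state so the same burst is not reported every cycle.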
Demo
https://youtu.be/neaCPil8c0k
A Landscape in Transition
Application Program Interfaces (APIs) are the new Command Line Interface (CLI).
Use APIs to connect disparate technology.
Structure teams to leverage the limited number of network and security engineers who enjoy coding.
Develop within an established framework; keep it simple, aka “dumb as a hammer”.
Open Discussion
References
Ansible Tower: www.ansible.com/tower
Ansible Tower API Guide v3.0: docs.ansible.com/ansible-tower/latest/html/towerapi/
Phantom: www.phantom.us/
Phantom Webinars: my.phantom.us/videos/
Floodlight App: Community Powered: blog.phantom.us/2016/05/11/floodlight-app-community-powered/
Phantom apps: github.com/joelwking/Phantom-Cyber
Data Exfiltration Monitoring with Phantom, Ansible, and Cisco ACI: blog.phantom.us/2016/08/22/data-exfiltration-monitoring-with-phantom-ansible-and-cisco-aci/
Cumulus Networks: www.slideshare.net/CumulusNetworks/webinar-network-automation-tips-tricks
Network Programmability App Development: www.slideshare.net/joelwking/network-programmability-app-development
Automate F5 Initial Setup - iControl & Ansible: devcentral.f5.com/codeshare/automate-f5-initial-setup-icontrol-amp-ansible-930
Security-Defined Routing: www.slideshare.net/joelwking/security-defined-routingcybergamutv11