Goodbye CLI, hello API: Leveraging network programmability in security incident response

Post on 13-Jan-2017



Copyright © 2016 World Wide Technology, Inc. All rights reserved.

Cybergamut Technical Tuesday

20 September 2016

Joel W. King, Engineering and Innovations, Network Solutions

Abstract

Automation and orchestration have been the purview of cloud computing and system administration, but they are now increasingly important to security operations and network administration. By automating the data collection and corrective action components of incident response, significant time savings can be realized. Corrective actions often need to be applied to multiple assets in the organization, and automation improves consistency as well as saving time. This talk describes how security and IT orchestration can be integrated through code reuse and integration with APIs.

We demonstrate how Phantom and Ansible can be integrated to automate the incident response data collection, corrective action, and notification.

whoami

Joel W. King

joel.king@wwt.com
@joel_w_king
github.com/joelwking
www.linkedin.com/in/programmablenetworks

Networking Panel at AnsibleFest NYC 2015

Disclaimer

Not here to sell you anything.

Not paid to present.

I talk about software and products with which I have hands-on experience.

Other products may have similar functionality.

Please ask questions and comment.

World Wide Technology

Headquartered in St. Louis, Missouri
2015 revenue: $7.4 billion
Integration labs in the U.S. and Europe
2 M+ square feet of warehouse, distribution and integration space
3,000+ professionals
500+ engineers and technical resources

Goal: Where we were, are, and where we want to be

Tools: Ansible, Phantom, Agents

Use Cases

• Remote Trigger Black Hole

• Security-Defined Routing

• Data Exfiltration Monitoring

Key Take-away

Crux of the Problem

“My dear, here we must run as fast as we can, just to stay in place. And if you wish to go anywhere you must run twice as fast as that.”

Lewis Carroll, Through the Looking-Glass (the Red Queen)

Where we were, are, and where we want to be

Challenges and Objectives

Cheese store. Amsterdam, The Netherlands

• Can’t hire your way out of the problem

• Lack of programming skills

• Organizations resistant to change

The factory of parmesan cheeses, Modena

• Exploit regularity to create patterns, automate patterns

• Automation saves time, increases stability

• Quickly remediate security exposures

1996: You learned to type fast

GUIDE TO COMMUNICATION PROTOCOLS

Programmable Infrastructure

Infrastructure as Code (IaC)

Automation is to the network as the assembly line is to the automobile

Infrastructure managed using version controlled, machine readable, configurations.

Physical device configuration no longer the source of truth.

Network Programmability Developer

Time, Interest, Aptitude

• Role within Network and Security Operations.

• Working proficiency writing code (Python) using REST APIs.

• Knowledgeable about the applications and data that leverage the infrastructure.

• Minimum of CCNA level networking knowledge.

• Knowledge of security tools, processes.

COMPUTE – NETWORKING – STORAGE – SECURITY – APP DELIVERY - MOBILITY

Automation Maturity Levels

Each level, with the tools shown at that level:

• Stand alone, basic scripts, procedural coding, no code modularity: Python

• Creating and sharing collections of workflows: Chrome Postman

• Using an automation framework: Ansible | SaltStack

• Enterprise orchestration: Ansible Tower | Phantom Cyber

• Custom UI: ServiceNow

• Interconnect orchestration: AWS (slide shows Phantom Cyber and Ansible Tower interconnected)

Empowering the Community: extensibility is key for commercial software packages

Network programmability developer extends capability of vendor software

Extensible APIs

Diagram: the network infrastructure exposes APIs that are consumed by vendor-, community- and end-user-developed apps, and by custom device apps.

1996: Naming Conventions

Tags, Groups, Dynamic Inventories

Tools: Ansible, Phantom, Agents

Introduction to Ansible

• Ansible uses SSH instead of agents.

• Python modules run locally or on target systems

SIMPLE AGENTLESS POWERFUL

• Deploy applications

• Configuration management

• Network provisioning

• Playbooks are both human and machine readable.

• Large library of modules.

Ansible is an open source project; Ansible Tower by Red Hat is a licensed web UI and REST API on top of it.

Introduction to Phantom

Security automation and orchestration platform

Provides “connective tissue” between security devices

Architecture abstracts security product capabilities

Apps implement actions which can be automated

Playbooks and Apps written in Python

Framework implements the UI, apps focus on the assets

Free community edition (developer access)

Phantom Apps

Sharing Code: github.com/joelwking/Phantom-Cyber

F5 Firewall Policies: playbooks clean data from security incidents and apply policy to assets via app(s)

Agents: software monitoring a state or condition and alerting via an API to the orchestrating system.

IoT: Fog Computing (Networking)

Programmable networking is not just top down; it’s also bottom up.

Cisco Open NX-OS supports Linux Containers (LXCs).

Arista EOS supports Docker containers.

SDN/NFV Network Function Virtualization on x86 processors.

Diagram: an agent running on the device raises the incident to the orchestrating system.

Remote Trigger Black Hole

Connecting Disparate Technology

Phantom 2.0.67 triggers an Ansible Tower 3.0 job (playbooks on github.wwt.com), which pushes the BGP configuration (router bgp 65536……) to the trigger router.

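The check a practitioner wants in front of an automated black hole: whoever can raise an incident can null-route an address, so the indicator must be validated before Phantom hands it to Ansible Tower. The following is an added example, not code from the presentation or from the author's repositories. It validates one victim address, renders the IOS-style trigger-router line, and builds the Tower 3.0 job-launch request; the protected prefixes, route tag 66, job template id 7 and the extra_vars names are assumptions, and the route-map under router bgp 65536 that turns the tagged static route into a blackhole announcement is assumed to be configured already.

```python
"""Added example, not code from the presentation or the author's repositories.

Validate an incident indicator before it becomes a Remote Trigger Black Hole
(RTBH) route, then build the Ansible Tower job-launch request that Phantom would
send. Protected prefixes, route tag, job template id and variable names are
constructed assumptions.
"""
import ipaddress
import json

# Prefixes that must never be black-holed even when an incident names them.
# Bogons first, then constructed examples of the organization's own addresses.
NEVER_BLACKHOLE = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "203.0.113.0/24",    # assumption: the organization's own public prefix
    "198.51.100.1/32",   # assumption: address of the upstream BGP peer
)]
ROUTE_TAG = 66  # assumption: tag matched by the trigger router's RTBH route-map


class BlackholeRejected(ValueError):
    """The indicator must not be turned into a null route."""


def validate_blackhole_target(indicator):
    """Return the IPv4 host address to black-hole, or raise BlackholeRejected."""
    try:
        net = ipaddress.ip_network(indicator.strip(), strict=True)
    except ValueError as exc:
        raise BlackholeRejected(f"not an IP address or prefix: {indicator!r}") from exc
    if net.version != 4:
        raise BlackholeRejected(f"only IPv4 triggers are deployed: {net}")
    if net.prefixlen != 32:
        # RTBH announces host routes; a shorter prefix would take a whole block offline
        raise BlackholeRejected(f"host routes only, refusing {net}")
    victim = net.network_address
    for protected in NEVER_BLACKHOLE:
        if victim in protected:
            raise BlackholeRejected(f"{victim} is inside protected prefix {protected}")
    return victim


def rtbh_trigger_lines(victim, state="present"):
    """IOS-style line for the trigger router. The static route to Null0 is picked
    up by 'redistribute static route-map RTBH' under 'router bgp 65536' (assumed
    already configured), which sets the blackhole community on it."""
    line = f"ip route {victim} 255.255.255.255 Null0 tag {ROUTE_TAG}"
    return [line if state == "present" else "no " + line]


def tower_launch_request(job_template_id, victim, state="present"):
    """Path and JSON body for Tower's job launch endpoint
    (POST /api/v1/job_templates/<id>/launch/ in the Tower 3.0 API). The template
    must allow extra_vars at launch; the variable names are assumptions."""
    body = {"extra_vars": {"victim": str(victim), "state": state, "route_tag": ROUTE_TAG}}
    return f"/api/v1/job_templates/{job_template_id}/launch/", json.dumps(body)


def handle_incident(indicator, job_template_id=7, state="present"):
    """What the Phantom playbook does with one indicator: validate, then either
    report the rejection or return the router line and the Tower request."""
    try:
        victim = validate_blackhole_target(indicator)
    except BlackholeRejected as exc:
        return {"accepted": False, "reason": str(exc)}
    path, body = tower_launch_request(job_template_id, victim, state)
    return {"accepted": True, "victim": str(victim),
            "router_lines": rtbh_trigger_lines(victim, state),
            "tower_path": path, "tower_body": body}


if __name__ == "__main__":
    for ind in ("192.0.2.77", "203.0.113.10", "10.1.2.3", "192.0.2.0/24", "bogus"):
        print(ind, "->", handle_incident(ind))
```

The rejection path matters as much as the accept path: a spoofed or mis-parsed incident naming one of your own prefixes, a gateway, or a /24 instead of a host would otherwise turn the automation into a self-inflicted denial of service. The "absent" state gives the same playbook a way to withdraw the route when the incident closes.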

Security-Defined Routing

Presented at Cybergamut, October 2014: Phantom with the Floodlight SDN controller.

Data Exfiltration Monitoring

Diagram: Ansible playbooks (code plus a configuration template, on github.wwt.com) configure atomic counters on the Nexus 9000 / ACI fabric; an agent (app) monitors the dynamically configured atomic counters and creates an incident as they exceed a threshold.
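The agent half of this use case, and of the "Agents" definition above, as an added example that is not code from the presentation or from the author's repositories. It turns cumulative counter readings into rates, requires the rate to stay above threshold for consecutive polls, handles a counter reset (the counters are created dynamically, so a re-created counter starts from zero), and creates the incident through Phantom's REST API (POST /rest/container, then POST /rest/artifact) only once per episode. The threshold, poll interval, EPG names, counter readings, Phantom URL and token are constructed assumptions.

```python
"""Added example, not code from the presentation or the author's repositories.
Agent half of the data exfiltration use case: turn cumulative ACI atomic-counter
readings into rates, and create a Phantom incident (POST /rest/container, then
POST /rest/artifact) only for a sustained crossing with no incident already open.
Threshold, interval, EPG names, readings, Phantom URL and token are assumptions."""
import json
import urllib.request
from collections import defaultdict

POLL_SECONDS = 60           # assumption: agent polls the APIC once a minute
THRESHOLD_BPS = 5_000_000   # assumption: 5 MB/s between these EPGs is abnormal
CONSECUTIVE_POLLS = 2       # require a sustained crossing to ignore single bursts

# Constructed readings: (poll index, source EPG, destination EPG, cumulative bytes)
SAMPLE_COUNTERS = [
    (0, "db-tier", "internet", 1_000_000_000),
    (1, "db-tier", "internet", 1_050_000_000),  # 0.83 MB/s: below threshold
    (2, "db-tier", "internet", 1_500_000_000),  # 7.5 MB/s: first strike
    (3, "db-tier", "internet", 1_950_000_000),  # 7.5 MB/s: sustained, alert
    (4, "db-tier", "internet", 2_400_000_000),  # still high, incident already open
    (5, "db-tier", "internet", 10_000_000),     # counter re-created: reset, no rate
    (0, "web-tier", "internet", 500_000_000),
    (1, "web-tier", "internet", 500_400_000),   # 6.7 KB/s: normal
]


class ExfilAgent:
    """Tracks one cumulative counter per (source EPG, destination EPG) pair."""

    def __init__(self, threshold=THRESHOLD_BPS, consecutive=CONSECUTIVE_POLLS,
                 interval=POLL_SECONDS):
        self.threshold, self.consecutive, self.interval = threshold, consecutive, interval
        self.last = {}                   # pair -> cumulative bytes at previous poll
        self.strikes = defaultdict(int)  # pair -> consecutive polls over threshold
        self.open_incidents = set()      # pairs with an incident already raised

    def observe(self, src_epg, dst_epg, cumulative_bytes):
        """Return an alert dict the first time a sustained crossing is seen, else None."""
        key = (src_epg, dst_epg)
        prev = self.last.get(key)
        self.last[key] = cumulative_bytes
        if prev is None or cumulative_bytes < prev:
            # first reading, or counter reset (e.g. re-created by the playbook): no rate yet
            self.strikes[key] = 0
            return None
        rate = (cumulative_bytes - prev) / self.interval
        if rate <= self.threshold:
            self.strikes[key] = 0
            self.open_incidents.discard(key)  # a later episode should alert again
            return None
        self.strikes[key] += 1
        if self.strikes[key] < self.consecutive or key in self.open_incidents:
            return None
        self.open_incidents.add(key)
        return {"src_epg": src_epg, "dst_epg": dst_epg,
                "bytes_per_second": rate, "threshold": self.threshold}


def run_agent(samples):
    """Replay readings in poll order and collect the alerts raised."""
    agent = ExfilAgent()
    alerts = [agent.observe(s, d, n) for _, s, d, n in sorted(samples, key=lambda r: r[0])]
    return [a for a in alerts if a]


def container_payload(alert):
    """Body for POST /rest/container; source_data_identifier lets Phantom de-duplicate."""
    pair = "%s-%s" % (alert["src_epg"], alert["dst_epg"])
    return {"name": "Possible data exfiltration " + pair, "label": "events", "severity": "high",
            "description": "ACI atomic counter rate %.0f B/s exceeds %d B/s"
                           % (alert["bytes_per_second"], alert["threshold"]),
            "source_data_identifier": "aci-exfil-" + pair}


def artifact_payload(container_id, alert):
    """Body for POST /rest/artifact; Phantom accepts custom keys in the cef dict."""
    return {"container_id": container_id, "name": "atomic counter threshold", "label": "event",
            "cef": {"sourceEpg": alert["src_epg"], "destinationEpg": alert["dst_epg"],
                    "bytesOut": int(alert["bytes_per_second"])}}


def post_json(base_url, path, token, payload, opener=urllib.request.urlopen):
    """POST JSON using the ph-auth-token header of a Phantom automation user."""
    req = urllib.request.Request(base_url + path, data=json.dumps(payload).encode(), method="POST",
                                 headers={"Content-Type": "application/json", "ph-auth-token": token})
    with opener(req) as resp:
        return json.loads(resp.read())


def raise_incident(base_url, token, alert, opener=urllib.request.urlopen):
    """Create the container, attach the artifact, return the new container id."""
    container = post_json(base_url, "/rest/container", token, container_payload(alert), opener)
    post_json(base_url, "/rest/artifact", token, artifact_payload(container["id"], alert), opener)
    return container["id"]


if __name__ == "__main__":
    for found in run_agent(SAMPLE_COUNTERS):
        print(json.dumps(container_payload(found)), json.dumps(artifact_payload(0, found)))
```

Two design points carry the security value: a raw cumulative counter is useless until it is differenced over the poll interval and compared as a rate, and an agent that re-raises the same incident every minute trains the SOC to ignore it, so the agent suppresses repeats until the rate drops and lets Phantom de-duplicate on source_data_identifier. The opener argument exists so the posting path can be exercised against a stand-in without a Phantom instance.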

Demo

https://youtu.be/neaCPil8c0k

A Landscape in Transition

Application Programming Interfaces (APIs) are the new Command Line Interface (CLI).

Use APIs to connect disparate technology.

Structure teams to leverage the limited number of network and security engineers who enjoy coding.

Develop within an established framework. Keep it simple, aka Dumb as a Hammer.

Open Discussion

References

Ansible Tower: www.ansible.com/tower

Ansible Tower API Guide v3.0: docs.ansible.com/ansible-tower/latest/html/towerapi/

Phantom: www.phantom.us/

Phantom Webinars: my.phantom.us/videos/

Floodlight App: Community Powered: blog.phantom.us/2016/05/11/floodlight-app-community-powered/

Phantom apps: github.com/joelwking/Phantom-Cyber

Data Exfiltration Monitoring with Phantom, Ansible, and Cisco ACI: blog.phantom.us/2016/08/22/data-exfiltration-monitoring-with-phantom-ansible-and-cisco-aci/

Cumulus Networks: www.slideshare.net/CumulusNetworks/webinar-network-automation-tips-tricks

Network Programmability App Development: www.slideshare.net/joelwking/network-programmability-app-development

Automate F5 Initial Setup - iControl & Ansible: devcentral.f5.com/codeshare/automate-f5-initial-setup-icontrol-amp-ansible-930

Security-Defined Routing: www.slideshare.net/joelwking/security-defined-routingcybergamutv11