Get My Score

Accelerating Responses to Security Gaps Through Automation

auto-remediation

 

Minimize Risks Due to Change Management Delays 

As DevOps leaders continue to deliver greater agility to the business, SecOps is faced with a widening security gap needing more time to manually work through change requests that ensure appropriate testing is achieved taking into account risk, security, and compliance. This whitepaper is for those looking to minimize the risks due to change management delays and manual processes. It highlights how Cavirin auto-remediates both compute instances and cloud services to minimize the security gap between SecOps and DevOps.

AUTO-REMEDIATE TO MINIMIZE RISKS DUE TO CHANGE MANAGEMENT DELAYS 

Many organizations separate security posture monitoring from change management, leaving them exposed when security alerts monitored by SecOps teams wait for DevOps teams for remediation. Closing this security gap via auto-remediation is a key outcome enabled by Cavirin. In this document, we discuss how Cavirin auto-remediates both compute instances and cloud services, starting with a chart that highlights an organization with and without auto-remediation. 

AUTO-REMEDIATION APPROACH LEVERAGING ANSIBLE 

For compute instances, Configuration Management systems like Puppet Enterprise, Chef Automate, or Red Hat Ansible offer a good foundation. Their cloud counterparts include Microsoft Azure Automation as well as the AWS Elastic Compute Cloud Systems Manager. Cavirin’s approach, below, leverages Ansible to remediate compute instances in AWS, GCP, Azure or on-premise environments. 

First, a SecOps user using the Cavirin system defines a “golden configuration” of operating system parameters for a group of machines using Cavirin’s technical controls (CIS, in the figure below). The system continually assesses the organization’s machines against “golden” technical controls and identifies those assets drifting from it (Step 2 in the figure below). 

Next, the Cavirin system creates the list of drifting machines (“host file”) as well as a list of configuration settings (“variables file”) that require remediation in Ansible’s format. Finally, the Ansible server retrieves the Ansible hosts file, variables file and the Cavirin-supplied Ansible playbook to remediate machines to the golden state. 

The same approach can also be used to create ‘golden’ images during pre-production by assessing candidate images against a golden posture and involving Ansible with Cavirin playbooks to remediate images to a golden state. 

Moving from compute instances to cloud services, here we can use the monitoring, queuing, and remediation services provided by public clouds. Options for remediation include AWS Lambda, Azure Functions and Google Functions. Cavirin monitors cloud services via provider APIs and assessing them for various technical controls. The system then develops a list of the top resources for remediation, and then executes the provider-specific functions. 

Using AWS as an example, Cavirin, via its AWS Network Policy Pack, periodically assesses the status of commonly used TCP ports associated with the Security Groups created within a given AWS account. It then informs the operator of the top 50 ports, which if remediated will positively impact the score (see Figure below). 

Technically, in the figure below, 

  1. The operator issues the remediation command from the Cavirin dashboard 
  2. Which publishes a remediation request to an AWS SNS topic 
  3. …that then invokes the Cavirin-authored Lambda function 
  4. Remediation occurs and confirmation is now posted to Cavirin via SQS 
  5. Cavirin takes this confirmation and modifies the scoring accordingly 

To summarize, auto-remediating compute instances and cloud services as described in the article can help organizations accelerate responses to security gaps, reduce security risks, and eliminate manual processes. 

 

 

 

0
0
0
s2sdefault

© 2018 Cavirin Systems, Inc. All rights reserved.