
2016 BSidesLV OWASP Assimilation talk

IT shops have trouble reliably doing the basics well:
- 30% of all break-ins come through systems not in inventory
- 30% of servers are doing nothing useful
- getting systems hardened is difficult
- 70% of people who get into compliance with PCI-DSS aren’t in compliance a year later
- remediation of known serious patches happens slowly if at all
- 90% of all sites have suffered from outages of services which aren’t monitored
- keeping a suite of helpful tools correctly configured over time is time-consuming and expensive

Then of course, there’s the problem of demonstrating to upper management that you’re actually making progress against a formidable task. These are the problems the OWASP Assimilation project addresses.

It compares security configuration against best practices, keeps network-facing checksums up to date, provides attack surface visualization, alerts on many kinds of events, and also improves availability through monitoring systems and services.

This talk gave an overview of the project and a live demo.
Video from this talk can be found here: http://assimilationsystems.com/videos/2016-bsides-las-vegas-automating-security-owasp-assimilation-project/

Alan Robertson

July 31, 2016



  1. Automating Security with the OWASP Assimilation Project
    #AssimProj @OSSAlanR
    Alan Robertson
    Assimilation Systems Limited

  2. 35+ years in IT/development – 10 years in system management (SysAdmin)

    Founded Linux-HA project - led 1998-2007 – aka “Heartbeat” -
    now called Pacemaker

    Founded Assimilation Project in 2010

    Founded Assimilation Systems Limited in 2013

    Alumnus of Bell Labs, SuSE, IBM

  3. © 2015 Assimilation Systems Limited
    Security questions

    Do you think good security staff is easily available?

    Do you think security is going to get better soon?

    Do you think you have enough staff for security to keep up
    with changes at DevOps / Agile rates?

  4. Disturbing Trends...
    30% of break-ins come through “lost” systems (Verizon)
    90% have had failures of unmonitored services (Turnbull)
    71% are unable to stay in compliance (Verizon)
    30% only start monitoring after a problem (Turnbull)
    30% of systems doing nothing useful (Koomey)

  5. OWASP Assimilation Use Cases

    Tracking IP and MAC addresses

    Continuous validation of configuration against compliance rules

    Tracking software versions
    – (OS packages, GEMs, pip packages, etc)

    Tracking checksums of network-facing files

    Tracking services offered - ports, binaries, arguments, etc

    Tracking security configuration, permissions

    Monitoring status of servers and services (working correctly?)

    Scoring of security issues with triage tools

    Includes Docker containers

    Alerting on changes in configuration or status (any of the above)

    Near-zero configuration

    No pings or port scans

  6. Highly Scalable Discovery-Driven
    Continuous Discovery drives everything

    Continuous extensible discovery (CMDB)
    – systems, switches, services, dependencies, system settings

    zero network footprint discovery process (using agents)

    Discovery eliminates most configuration

    Discovery Drives Best Practice Security Analyses

    All data goes into central graph CMDB (Config Mgmt Data Base)

    System naturally scales to ≈ 100K servers

  7. This all sounds unreasonable...

    Huge scalability without complexity?

    Discovery without pings or port scans?

  8. Simple Scalability
    I can explain how we scale so your
    grandmother would understand...

  9. Assimilation Architecture

    Central Collective Management Authority (CMA)
    – written in Python
    – directs and delegates most work to nanoprobes – does nothing as much as possible
    – Doing nothing scales really well – should scale into the 100K system range
    – Near-zero configuration – discovery drives everything

    Fully distributed “nanoprobe” agents
    – Simple, lightweight, policy-free – directions come from CMA
    – Written in 'C'
    – Run scripts for monitoring or discovery
    – Send/receive heartbeats
    – Listen for ARP, LLDP, CDP packets

    Neo4j graph database

  10. Assimilation Analysis / Reports

    Comparison (“auditing”) against best practice hardening
    rules – default rules from IT Best Practices Project

    Risk scoring – for triage and mitigation management

    Unknown IP Addresses

    Automatic service monitoring

    Unmonitored services

    Triage related risk scores

  11. Best Practice (hardening) Analyses

    Triggered by Discovery Updates
    – Analysis occurs within seconds of change
    – No change => No analysis

    We can analyze anything discovered

    You can easily discover anything you want

    Alerts and Reports available

  12. Future Security Work

    Coordinate with vendor security updates
    – “Listen” to vendor security update announcements
    – Update scores when vulnerable packages found, fixed

    Do interesting things with checksums
    – Whitelists
    – Blacklists
    – “Minority Report” – 99 copies the same, one different...

    More discovery (firewall rules, etc)

    Integrate with SIEMs

    Add RBAC filtering

    What else should we be doing?

  13. Everything is discovered – nothing is configured manually

    What needs hardening

    How to Triage your hardening issues

    How to Demonstrate and Track Progress

    How to keep them in compliance (hardened)

    Visualizing Your Attack Surface

    Who has what package+version
    – Docker package discovery too!

  14. Summary of what’s cool...

    System knows more about your environment than you do

    Can discover anything you’d like to know

    Discovery keeps everything up to date (quasi-real-time)

    Best practice auditing/hardening check is continuous

    Scoring system helps manage mitigation process

    System has near-zero configuration

    Discovery includes Docker containers

    System also monitors servers, services

    Event API supports immediate notification of changes

    System scales unusually well

  15. Where to find this Information online?
    1. 15 Minutes To Better Security
    2. An Hour To Better Security
    3. A Half-Day To Better Security
    Where to See Similar Demos



  16. Get Involved!

    Get Assimilated!

    – Users – give it a try
    – Security best practice experts
    – Testers, System Management, Continuous Integration
    – Designers
    – Developers (C,Python, Shell, PowerShell, JavaScript)
    – Porters (esp Windows)
    – Promoters, Publicists, Packagers, etc.

  17. Resistance Is Futile!
    These slides: bit.ly/BsidesLV16
    Mailing List: bit.ly/AssimML
    #assimilation on irc.freenode.net
    Project Web Site: assimproj.org
    Company Web Site: assimilationsystems.com
    Download: assimilationsystems.com/download

  18. Current discovery scripts

    auditd_conf - discovers settings in /etc/auditd.conf

    checksums - discovers checksums of network-facing binaries, libraries and JARs

    commands - discovers what commands are installed in standard directories

    cpu - discovers CPU information

    docker - discovers Docker instances and attributes

    fileattrs - discovers file attributes (permissions) of whatever files it's asked to check out

    findmnt - mount table related discovery

    login_defs - /etc/login.defs discovery

    mdadm - Linux RAID configuration

    monitoringagents - discovery of installed monitoring agents

    netconfig - network configuration - similar to ifconfig

    nsswitch - discovery of /etc/nsswitch

    os – discovery information - basically uname -a

    packages - discovery of all installed RPM, DEB, pip (python), Ruby GEMs and node.js NPM packages

    pam - discovery of PAM configuration

    partitions - Discovery of partition information

    proc_sys - Discovery of Linux /proc/sys settings - basically everything

    sshd - Discovery of sshd settings

    sudoers - Discovery of /etc/sudoers settings

    tcpdiscovery - Discovery of services used and services provided (there were two slides on this subject)

    ulimit - root's default ulimit settings

    vagrant - Discovery of vagrant VMs and settings

  19. Switch Discovery Graph from LLDP / CDP

  20. Why a graph database? (Neo4j)

    Humans describe systems as graphs

    Dependency & Discovery information: graph

    Speed of graph traversals depends on size of subgraph,
    not total graph size

    Root cause queries are graph traversals – notoriously slow in
    relational databases

    Visualization is Natural

    Schema-less design: good for constantly changing
    heterogeneous environment

    Graph Model === Object Model

  21. Monitoring Pros and Cons
    Pros:
    – Simple & Scalable
    – Uniform work distribution
    – No single point of failure
    – Distinguishes switch vs host failure
    – Easy on LAN, WAN
    – Multi-tenant approach
    Cons:
    – Active agents
    – Potential slowness at power-on

  22. sshd Service JSON Snippet (from netstat and /proc)
    "sshd": {
      "exe": "/usr/sbin/sshd",
      "cmdline": [ "/usr/sbin/sshd", "-D" ],
      "uid": "root",
      "gid": "root",
      "cwd": "/",
      "listenaddrs": {
        "": {
          "proto": "tcp",
          "addr": "",
          "port": 22 }
      }
    }

  23. ssh Client JSON Snippet (from netstat and /proc)
    "ssh": {
      "exe": "/usr/sbin/ssh",
      "cmdline": [ "ssh", "servidor" ],
      "uid": "alanr",
      "gid": "alanr",
      "cwd": "/home/alanr/monitor/src",
      "clientaddrs": {
        "": {
          "proto": "tcp",
          "addr": "",
          "port": 22 }
      }
    }

  24. Service Monitoring based on HA Technologies

    Well-proven architecture:
    – reliable “no news is good news”

    Implements Open Cluster Framework
    standard (LSB and others – Nagios coming!)

    Each system monitors own services

    Can also start, stop, migrate services

  25. How does discovery work?
    Nanoprobe scripts perform discovery

    Each discovers one kind of information

    Can take arguments from environment

    Output JSON

    CMA stores Discovery Information

    JSON stored in Neo4j database

    CMA discovery plugins => graph nodes and relationships
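
    An added illustration (example code, not the project's CMA) of the discovery-driven analysis the deck describes: a discovery document shaped like the sshd service snippet above is run through hardening rules, scored for triage, and re-analyzed only when its content changes ("No change => No analysis"). The second service, the rule ids and the severities are constructed for the example.

```python
import hashlib
import json

# Constructed discovery document in the shape of the deck's sshd snippet
# (the telnetd entry and both rule definitions are made up for this example).
DISCOVERY_JSON = json.dumps({
    "sshd": {"exe": "/usr/sbin/sshd", "cmdline": ["/usr/sbin/sshd", "-D"],
             "uid": "root", "gid": "root", "cwd": "/",
             "listenaddrs": {"": {"proto": "tcp", "addr": "", "port": 22}}},
    "telnetd": {"exe": "/usr/sbin/in.telnetd", "cmdline": ["in.telnetd"],
                "uid": "root", "gid": "root", "cwd": "/",
                "listenaddrs": {"": {"proto": "tcp", "addr": "", "port": 23}}},
})

WILDCARDS = ("", "0.0.0.0", "::")   # "listen on every address" spellings

# Hypothetical hardening rules: (rule id, severity, predicate over one service).
RULES = [
    ("root-wildcard-listener", 3,
     lambda s: s["uid"] == "root"
     and any(a["addr"] in WILDCARDS for a in s["listenaddrs"].values())),
    ("cleartext-remote-login", 5,
     lambda s: any(a["port"] == 23 for a in s["listenaddrs"].values())),
]


def analyze(discovery):
    """Apply RULES to every discovered service; return findings and a risk score."""
    services = json.loads(discovery)
    findings = [(name, rid, sev) for name, svc in services.items()
                for rid, sev, pred in RULES if pred(svc)]
    return {"findings": findings, "score": sum(f[2] for f in findings)}


class ChangeDrivenAnalyzer:
    """Re-run the analysis only when a host's discovery JSON actually changes."""

    def __init__(self):
        self.seen = {}    # host -> sha256 of the last discovery document seen
        self.runs = 0     # how many analyses actually ran

    def update(self, host, discovery):
        digest = hashlib.sha256(discovery.encode()).hexdigest()
        if self.seen.get(host) == digest:
            return None                     # unchanged: nothing to analyze
        self.seen[host] = digest
        self.runs += 1
        return analyze(discovery)
```
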

  26. A Few Canned Queries
    allipports     – get all port/ip/service/hosts
    allswitchports – get switch connections
    crashed        – get crashed servers
    shutdown       – get gracefully shutdown servers
    downservices   – get nonworking services
    findip         – get system owning IP
    findmac        – get system owning MAC
    unknownips     – get unknown IP addresses
    unmonitored    – get unmonitored services

  27. OS discovery JSON Snippet
    { "nodename": "alanr-1225B",
    "operating-system": "GNU/Linux",
    "machine": "x86_64",
    "processor": "x86_64",
    "hardware-platform": "x86_64",
    "kernel-name": "Linux",
    "kernel-release": "3.8.0-31-generic",
    "kernel-version": "#46-Ubuntu SMP ...",
    "Distributor ID": "Ubuntu",
    "Description": "Ubuntu 13.04",
    "Release": "13.04",
    "Codename": "raring" }

  28. Massive Scalability – or “I see dead servers in O(1) time”

    Adding systems does not increase the monitoring work on any system

    Each server monitors 2 (or 4) neighbors

    Each server monitors and discovers its own services

    Ring repair and alerting is O(n)
    – but a very small amount of work
    Current Implementation
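
    An added sketch of the ring heartbeat scheme on this slide (example code, not the project's nanoprobe implementation): each of n constructed servers listens for heartbeats from only its two ring neighbours, so the per-server monitoring work stays constant as n grows, a stale neighbour is reported dead, and the survivors are relinked in one O(n) repair pass. Host names, timestamps and the timeout are assumed.

```python
# Constructed model of the deck's ring monitoring: n servers in a ring,
# each one heartbeating only its two neighbours (assumptions, not project code).

def build_ring(hosts):
    """Return {host: (prev, next)} for hosts arranged in a ring."""
    n = len(hosts)
    return {h: (hosts[(i - 1) % n], hosts[(i + 1) % n])
            for i, h in enumerate(hosts)}


def monitored_by(ring, host):
    """Servers whose heartbeats `host` listens for: always just its two neighbours."""
    return set(ring[host])


def detect_dead(ring, last_seen, now, timeout):
    """Each live server reports a neighbour whose last heartbeat is older than
    `timeout`; the work per reporter is constant regardless of ring size."""
    dead = set()
    for host, neighbours in ring.items():
        if now - last_seen[host] > timeout:
            continue                    # a dead host cannot report anything
        for nb in neighbours:
            if now - last_seen[nb] > timeout:
                dead.add(nb)
    return dead


def repair_ring(ring, dead):
    """Relink the survivors into a new ring: O(n), but only once per failure."""
    survivors = [h for h in ring if h not in dead]
    return build_ring(survivors)


def demo():
    """100 constructed servers; srv42 stops sending heartbeats."""
    hosts = [f"srv{i}" for i in range(100)]
    ring = build_ring(hosts)
    now = 100.0
    last_seen = {h: now for h in hosts}      # everyone heartbeated just now...
    last_seen["srv42"] = now - 30            # ...except srv42, silent for 30s
    dead = detect_dead(ring, last_seen, now, timeout=10)
    return dead, repair_ring(ring, dead)
```
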

  29. Minimizing Network Footprint (in roadmap)

    Support diagnosing switch issues

    Minimize network traffic

    Ideal for multi-site arrangements
