Section 18: Orchestration and Automation

79 Terms

1

Automation

  • Reduces the risk of human error

  • Speeds up repetitive tasks

  • Frees up network administrators

2

Orchestration

  • Coordinates automated tasks across interconnected systems

  • Runs tasks on multiple servers/devices simultaneously, increasing efficiency and security

3

Infrastructure as Code (IaC)

  • Manages and provisions infrastructure through code rather than manual processes

  • Refers to:

    • Virtual Machines

    • Servers

    • Clients

    • Switches

    • Routers

    • Firewalls

    • Security Appliances

4

Scripted Automation and Orchestration

  • Used in cloud computing for rapid deployment

  • DevSecOps (Development, Security, and Operations) teams can deploy routers, switches, networks, servers, and security devices

  • Benefits of Scripted Automation

    • Less error prone

    • Faster deployment

    • Reusable scripts can reduce mistakes

5

Key Areas of IAC Implementation (3)

  • Scripting

    • Perform actions in a sequence with basic logic

  • Security Templates

    • Configuration files for network settings, access control, etc.

  • Policies

    • Define rules and permissions for deployments

6

Snowflakes and Standardization

  • Snowflake system

    • Systems different from the standard configuration template within the organization’s IaC architecture

    • Adds risk to security and long-term supportability

  • Standardization and scripting aim to eliminate special snowflakes for consistency and efficiency

7

Importance of Standardization

  • Ensures consistency in large environments with thousands of VMs

  • Reduces support and security issues

8

Automation and Orchestration

  • Critical for secure operations in modern IT and cybersecurity environments

    • Streamlines complex processes

    • Enhances security

    • Improves operational efficiencies

9

Factors to consider BEFORE Automation and Orchestration (5)

  • Complexity

  • Cost

  • Single points of failure

  • Technical debt

  • Ongoing supportability

10

B4 A and O: Complexity

  • Assessing the complexity of the process as well as the resource commitment needed

11

B4 A and O: Cost

  • Cost of development, implementation, and maintenance

    • Upfront investment for development and implementation

    • Long-term cost savings due to increased efficiency

    • Conduct a comprehensive cost-benefit analysis

12

B4 A and O: Single points of failure

  • Mitigating Single Points of Failure

    • Implement backup systems or manual processes as redundancy measures

    • Ensure continuity of essential business processes if automation or orchestration fails

13

B4 A and O: Technical Debt

  • Cost and complexity of poorly implemented software needing future adjustments

  • Managing Technical Debt

    • Regular reviews and updates of automation and orchestration systems

    • Refactoring outdated systems to maintain efficiency and security

14

B4 A and O: Ongoing supportability

  • Ensuring Ongoing Supportability

    • Develop necessary skills within your team

    • Update systems to adapt to changing technology landscapes

    • Consider both technical and manual redundancy measures

15

Determining Whether to Automate or Orchestrate

  • Automate

    • For simple, routine tasks like server backups

  • Orchestrate

    • For complex tasks with multiple steps, like incident response

16

Choosing What to Automate or Orchestrate

  • Focus on tasks and workflows that are repeatable and stable

  • Identify consistent processes that can yield significant time and resource savings

  • Should be informed by the specific needs, resources, and circumstances in an organization

17

Continuous Monitoring and Adaptation

  • Conduct continuous monitoring and adaptation of orchestration systems so they remain effective

  • Align systems with organization goals over time

18

Benefits of Automation and Orchestration (7)

  • Increased Efficiency and Time Savings

  • Enforcement of Baselines

  • Implementation of Standard Infrastructure Configurations

  • Scaling in a More Secure Manner

  • Increased Employee Retention

  • Faster Reaction Time

  • Workforce Multiplier

19

Benefits of A and O: Increased Efficiency and Time Savings

  • Reduces manual tasks such as system patching, software deployments, and data backups

  • Frees up human resources and reduces the risk of human errors

  • Ensures reliable and consistent outcomes

20

Benefits of A and O: Enforcement of Baselines

  • Enables consistent enforcement of security and compliance baselines across the enterprise network

  • Defines standardized configurations and policies aligned with industry best practices and regulatory requirements

  • Minimizes vulnerabilities and reduces the likelihood of security breaches

21

Benefits of A and O: Implementation of Standard Infrastructure Configurations

  • Increases security and operational stability by maintaining standardized configurations

  • Facilitates the creation and enforcement of standard configurations for consistent system setups

  • Triggers automated corrective actions for deviations from established standards

22

Benefits of A and O: Scaling in a More Secure Manner

  • Enables dynamic scaling of resources while adhering to security protocols

  • Provides secure provisioning of new virtual machines, network resources, and access control

  • Ensures scalability without compromising security, especially in cloud environments

23

Benefits of A and O: Increased Employee Retention

  • Empowers employees to focus on strategic and creative aspects of their roles

  • Leads to higher job fulfillment, engagement, and reduced burnout

  • Improves overall satisfaction and retention levels

24

Benefits of A and O: Faster Reaction Time

  • Enables rapid response to security incidents and anomalies

  • Automates intrusion detection, threat analysis, and incident response

  • Provides real-time alerts and executes predefined response actions

25

Benefits of A and O: Workforce Multiplier

  • Augments the capabilities of existing staff, allowing a smaller team to manage a larger infrastructure

  • Reduces the need for extensive staffing and optimizes resource allocation

  • Saves costs over time compared to manual processes

26

Incident Response Playbook

  • Used to describe the specific actions taken in response to emergency scenarios of different types

27

Playbook

  • A checklist of actions to detect and respond to specific types of incidents, ensuring that teams are ready to respond when an incident occurs

  • Most organizations have incident response plans documented for each major type of incident

    • The playbook serves as a guide for junior analysts and incident handlers in response to different situations

28

Triage and Handling

  • When a triage analyst identifies a suspicious or malicious activity, they categorize it and assign it to an incident handler for remediation based on the organization’s procedures

29

Creation of Playbooks

  • Each type of incident (e.g., DDoS attack, virus, worm, phishing attack, data exfiltration) should have a playbook with specific responses and procedures

30

Resources for Playbooks

  • If an organization doesn’t have incident response playbooks, they can find examples online and tailor them to their organization’s needs (e.g., incidentresponse.com/playbooks)

  • Example playbooks provide detailed steps for incident response phases (preparation, detection, analysis, containment, eradication, recovery, post-incident activity)

31

Automation with SOAR

  • Security Orchestration, Automation, and Response (SOAR)

    • A class of security tools that facilitate incident response, threat hunting, and security configurations without any human assistance

  • Runbook

    • An automated version of a playbook that can partially or fully automate the incident response process

  • By using both, organizations can gain efficiencies and allow analysts to focus on higher-level work

32

Common Threats (3)

  • Ransomware

  • Data exfiltration

  • Social engineering

33

Ransomware

  • Ransomware Playbook

    • Stress the need to isolate and disconnect networks and systems quickly to prevent the ransomware from spreading WITHOUT powering off systems to preserve evidence

34

Data Exfiltration

  • Data Exfiltration Playbook

    • Describe tasks needed to stop or mitigate an ongoing exfiltration attack, including forensic analysis to determine data access and transmission

35

Social engineering attacks

  • Phishing Playbook

    • Include responses to identifying phishing emails, determining user actions, and conducting dynamic analysis to identify indicators of compromise

36

Automation and Orchestration in Networking

  • Crucial tool to facilitate efficiency and accuracy in upgrades across large scale networks

  • Need to consider in high-velocity and high-availability environments

37

Role of A and O in Upgrades (5)

  • Streamlining Processes

  • Reducing Human Error

  • Ensuring Consistency

  • Version Control and Consistency

  • Automated Testing and Validation

38

Role of A and O in Upgrades: Streamlining Processes

  • Helps in upgrading network components efficiently

39

Role of A and O in Upgrades: Reducing Human Error

  • Minimizes the chances of errors during upgrades

40

Role of A and O in Upgrades: Ensuring Consistency

  • Maintains uniformity across the network

41

Role of A and O in Upgrades: Version Control and Consistency

  • Conducts regular scans to verify software versions against standards

  • Automatically updates devices not meeting baseline requirements

42

Role of A and O in Upgrades: Automated Testing and Validation

  • Performs systematic testing of network functionalities post-upgrade

  • Checks routing tables, ARP caches, DNS caches, etc., for issues

43

Role of A and O in Compliance (3)

  • Continuous Monitoring

  • Policy Enforcement

  • Log and Evidence Management

44

Role of A and O in Compliance: Continuous Monitoring

  • Compares network configs against compliance standards

  • Identifies and rectifies any deviations promptly

45

Role of A and O in Compliance: Policy Enforcement

  • Implements security policies uniformly across all systems

  • Automatically quarantines non-compliant devices

46

Role of A and O in Compliance: Log and Evidence Management

  • Generates and preserves logs of network activities and compliance measures

  • Presents logs during compliance audits to ensure compliance

47

Real-World Use Cases of A and O in Upgrades/Compliance

  • Automated Patch Management

    • Ensures all systems are patched and maintained at the appropriate level

    • Saves time and effort, especially in large networks

  • Compliance Monitoring

    • Provides continuous monitoring and management of network configs

      • Chef

      • Puppet

      • DNA Center

    • Enforces standard configs and corrects deviations automatically

48

Importance of Automated Network Inventories

  • Crucial for modern networks due to virtualization

  • Essential for tracking devices, users, and software

  • Helps manage scalability

    • Horizontal scaling

    • Vertical scaling

49

Dynamic Inventory Approach

  • Transforms static, manually managed lists into real-time, automatically updating repositories

  • Provides a comprehensive view of network assets

50

Benefits of Automated Inventories

  • Real-time updates on device connections and network risks

  • Integration with management tools for automated configuration

    • Ansible

    • Chef

    • Puppet

  • Reduces human error and improves efficiency

51

Using Nmap for Network Scans

  • Conducts IP and port scans to identify devices and services

  • Helps visualize network topology and identify vulnerabilities

  • Enables impact analysis to protect against single points of failure

52

Security and Compliance

  • Supports security and compliance programs (e.g., PCI DSS)

  • Can be configured to block unauthorized access and quarantine devices

53

Integration

  • Combining different subsystems or components into one comprehensive system to ensure they function properly together

54

Application Programming Interface (API)

  • A set of rules and protocols used for building and integrating application software

  • Allows products or services to communicate in a controlled environment using a specific data exchange format

55

API Usage

  • Enables software developers to access functions or features of another application programmatically

  • Facilitates automation of administration, management, and monitoring of services and infrastructures

56

API Types (2)

  • Representational State Transfer (REST)

  • Simple Object Access Protocol (SOAP)

57

Representational State Transfer (REST)

  • Uses standard HTTP protocols, status codes, uniform resource identifiers (URIs), and MIME types for interaction

  • Relies on JSON for data transfer, making it lightweight and easily integrable with existing websites

  • Generally more straightforward and adaptable

58

Simple Object Access Protocol (SOAP)

  • Defines a strict standard for message structure, usually in XML format

  • Known for robustness, security features, and transaction compliance

  • Provides higher levels of security and transactional integrity

59

API Benefits

  • Drive efficiency, innovation, and scalability in modern systems

  • Allow direct integration of third-party applications into web-based applications

    • APIs enable integration between various services, especially cloud-based services like SaaS or PaaS

  • Allow for seamless experiences and interconnections between different services to enhance their capabilities

60

Git

  • A distributed version control system for managing different versions of code

  • Developed in 2005 by the creator of Linux

  • Used by a vast number of software projects for version control

61

Source Control Core Concepts

  • Git Repository

    • Storage area for code and related files

  • Package Installation

    • Use package manager to install Git

62

Major Subcommands (12)

  • config

  • init

  • clone

  • add

  • commit

  • status

  • branch

  • merge

  • pull

  • push

  • log

  • checkout

63

config

  • Set up repository or user options

64

init

  • Create or reinitialize a Git repository

65

clone

  • Create a working copy of an existing repository

66

add

  • Add files to be tracked by the Git repository

67

commit

  • Update the Git repository with changes, creating a snapshot

68

status

  • Display the status of the repository

69

branch

  • Manage branches or pointers to specific repository snapshots

70

merge

  • Integrate changes from one branch into a master branch

71

pull

  • Acquire and merge changes that were made to other repositories and branches into the local working copy

72

push

  • Upload a local working copy of a repository to a remote repository

73

log

  • Display the changes made to a local repository

74

checkout

  • Switch to a specific branch

75

Repository Creation Process Flow

  1. Configure global settings including username

  2. Create a directory where the project will reside

  3. Change into the created directory and then initialize it with Git to designate it as a Git repository

  4. Add project files to the repository

  5. Commit the changes and take a snapshot of the project

76

Branching

  • Creating a new branch for feature development or bug fixes

77

Merging

  • Merge changes from a branch back into the master branch

78

Collaboration Workflow

  • Pull changes from remote repository, make local changes, and push changes back to remote repository

79

Additional Concepts

  • .gitignore

    • File to identify files to be ignored during commit

    • .git/

      • Directory containing Git’s version control files