Alone in the Dark: DevOps Primer for Infosec

A presentation at Fermilab Conference in October 2015 in Batavia, IL, USA by Shawn Wells

Slide 1

Alone in the Dark DevOps Primer for INFOSEC

Slide 2

WE’VE HEARD THE STORIES …
• Mean time between deployments: 11.6s (310/hour)
• Max number of deployments in an hour: 1,079
• Mean number of hosts receiving a deployment: 10,000

Slide 3

WE’VE HEARD THE STORIES …
• 2013: 30+ deploys/day
• March 2014: 50+ deploys/day
• April 2014: 80-90+/day

Slide 4

WE’VE HEARD DEV/OPS PROCESS …

Slide 5

Meanwhile, in Government …

Slide 6

MEANWHILE, IN GOVERNMENT …

Slide 7

MEANWHILE, IN GOVERNMENT …
1. CATEGORIZE (FIPS 199 / SP 800-60)

Slide 8

MEANWHILE, IN GOVERNMENT …
1. CATEGORIZE (FIPS 199 / SP 800-60)
2. SELECT CONTROLS (FIPS 200 / SP 800-53)

Slide 9

MEANWHILE, IN GOVERNMENT …
1. CATEGORIZE (FIPS 199 / SP 800-60)
2. SELECT CONTROLS (FIPS 200 / SP 800-53)
3. IMPLEMENT CONTROLS (SP 800-70)

Slide 10

MEANWHILE, IN GOVERNMENT …
1. CATEGORIZE (FIPS 199 / SP 800-60)
2. SELECT CONTROLS (FIPS 200 / SP 800-53)
3. IMPLEMENT CONTROLS (SP 800-70)
4. ASSESS CONTROLS (SP 800-53A)

Slide 11

MEANWHILE, IN GOVERNMENT …
1. CATEGORIZE (FIPS 199 / SP 800-60)
2. SELECT CONTROLS (FIPS 200 / SP 800-53)
3. IMPLEMENT CONTROLS (SP 800-70)
4. ASSESS CONTROLS (SP 800-53A)
5. AUTHORIZE (SP 800-37)

Slide 12

MEANWHILE, IN GOVERNMENT …
1. CATEGORIZE (FIPS 199 / SP 800-60)
2. SELECT CONTROLS (FIPS 200 / SP 800-53)
3. IMPLEMENT CONTROLS (SP 800-70)
4. ASSESS CONTROLS (SP 800-53A)
5. AUTHORIZE (SP 800-37)
6. MONITOR (SP 800-37 / SP 800-53A)

Slide 13

Slide 14

INITIATIVE #1: STANDARDIZE CONTROLS + CONFIGURATION BASELINES
INITIATIVE #2: AUTOMATE ASSESSMENT

Slide 15

INITIATIVE #1: STANDARDIZE CONTROLS + CONFIGURATION BASELINES
- Common Criteria modernization, driven by NSA and NIST
- Consolidate DoD STIG, USGCB into one baseline
- Operating System controls: >500 (RHEL6), now ~20 (RHEL7)

Slide 16

INITIATIVE #2: AUTOMATE ASSESSMENT

Slide 17

Everyone knows that SCAP is a suite of XML standards for creating automated checklists for configuration and vulnerability scans!

Slide 18

Community-created portfolio of tools and content to make attestations about known vulnerabilities: https://github.com/OpenSCAP
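To make "automate assessment" concrete, here is an added example (not from the slides, and not OpenSCAP project code) of what a pipeline does with the XML that SCAP tooling emits: it reads an XCCDF 1.2 results document of the shape `oscap xccdf eval --results` writes, tallies the per-rule outcomes, and turns failing rules into a deploy gate keyed on severity. The XML embedded below is constructed for the example; the rule ids follow the scap-security-guide naming scheme, but the titles and outcomes are made up.

```python
"""Summarize an XCCDF 1.2 results document and gate a deploy on it.

Added example for the slides' "automate assessment" initiative; the sample
document below is constructed, not real scanner output.
"""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# XCCDF result values that mean a control check did not succeed.
NEEDS_ATTENTION = {"fail", "error", "unknown"}

# Constructed sample in the shape oscap writes with --results: the Benchmark
# carries the Rule definitions and a TestResult with one rule-result per rule.
SAMPLE_RESULTS = """
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           id="xccdf_org.ssgproject.content_benchmark_EXAMPLE">
  <Rule id="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium">
    <title>Disable SSH Root Login</title>
  </Rule>
  <Rule id="xccdf_org.ssgproject.content_rule_package_aide_installed" severity="medium">
    <title>Install AIDE</title>
  </Rule>
  <Rule id="xccdf_org.ssgproject.content_rule_service_sshd_enabled" severity="medium">
    <title>Enable the SSH Daemon</title>
  </Rule>
  <Rule id="xccdf_org.ssgproject.content_rule_example_placeholder" severity="low">
    <title>Placeholder rule with no check</title>
  </Rule>
  <TestResult id="xccdf_org.open-scap_testresult_example">
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_aide_installed" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_service_sshd_enabled" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_example_placeholder" severity="low">
      <result>notchecked</result>
    </rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.000000">66.666664</score>
  </TestResult>
</Benchmark>
"""


def _q(tag):
    """Qualify a tag name with the XCCDF 1.2 namespace for ElementTree."""
    return f"{{{XCCDF_NS}}}{tag}"


def rule_titles(root):
    """Map rule id -> human-readable title so reports do not show only long ids."""
    return {r.get("id"): (r.findtext(_q("title")) or "") for r in root.iter(_q("Rule"))}


def summarize(xml_text):
    """Count outcomes across every TestResult and collect the rules that did not pass."""
    root = ET.fromstring(xml_text)
    titles = rule_titles(root)
    counts = Counter()
    attention = []
    for test in root.iter(_q("TestResult")):
        for rr in test.findall(_q("rule-result")):
            outcome = (rr.findtext(_q("result")) or "unknown").strip()
            counts[outcome] += 1
            if outcome in NEEDS_ATTENTION:
                rule_id = rr.get("idref")
                attention.append({
                    "rule": rule_id,
                    "severity": rr.get("severity", "unknown"),
                    "title": titles.get(rule_id, ""),
                    "result": outcome,
                })
    return {"counts": dict(counts), "attention": attention}


def gate(summary, block_on=("high", "medium")):
    """Deploy gate: True only if no non-passing rule has a blocking severity."""
    return not any(item["severity"] in block_on for item in summary["attention"])


if __name__ == "__main__":
    report = summarize(SAMPLE_RESULTS)
    print("outcomes:", report["counts"])
    for item in report["attention"]:
        print(f"{item['result']:>6} [{item['severity']}] {item['title']} ({item['rule']})")
    print("deploy allowed:", gate(report))
```

The gate treats `notchecked` and `notapplicable` as neutral rather than as failures, which matches how the XCCDF result values are meant to be read; a stricter pipeline can add them to `NEEDS_ATTENTION` if unchecked rules should block.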

Slide 19

Slide 20

Slide 21

Slide 22

Slide 23

Slide 24

Slide 25

HOW TO ENGAGE
- OpenSCAP GitHub: https://github.com/OpenSCAP
- NIST SCAP Website: https://scap.nist.gov
- OpenSCAP References & Docs: https://github.com/OpenSCAP/scap-security-guide/wiki/Collateral-and-References
- SCAP Content Mailing List: https://fedorahosted.org/mailman/listinfo/scap-security-guide
- Ansible-SCAP (+ Vagrant) demo. See how it all works - painlessly: https://github.com/openprivacy/ansible-scap

Slide 26

CONTACT INFO
Shawn Wells
Director, Innovation Programs
Red Hat Public Sector
shawn@redhat.com
443-534-0130