PuppetConf 2016: Puppet as Security Tooling – Bill Weiss, Puppet
Puppet as Security Tooling
I’m Bill Weiss
@BillWeiss almost everywhere
[email protected]
Sr. Manager of SREs
Former wearer of monochrome hats
Agenda
Housekeeping
Definitions
Building security in
Controlling access
Show that you did the thing
Patch management
Compromises happen
Housekeeping
Ask questions whenever
Really, please ask
This isn’t a tech talk
I’m talking about process; you’ll figure out the code
Almost all of you know some of this
But I bet most won’t be doing all of it
Definitions
Security: things that keep your data safe
Compliance: things that keep you running
Sometimes there’s overlap, sometimes not
You still have to do both
Building security in
Get security + compliance involved early
Call your security friends and have them tell you what they need.
Invite compliance to the party as well.
Input early >> input at the end
Build a baseline
Common settings/tooling you want everywhere
Build a baseline
I’m not saying you have to use this module, but they’ve put a bunch of thought into it
Build a baseline
Logging, auditing, endpoint protection
Build a baseline
Regulatory requirements and compliance
NSA STIG with SIMP
I know, that’s a lot of acronym.
NSA: National Security Agency
STIG: Secure Technical Implementation Guide
SIMP: System Integrity Management Platform
WHITE PAPER
Continuous STIG Enforcement with Puppet Enterprise & the NSA Modules
NSA STIG with SIMP
Covers NIST 800-53 and DISA STIG
Optionally enforces FIPS 140-2 mode
Build a baseline
Do the things you told customers you do
Build a baseline
Track changes over time
Test like it’s production
Finding problems late means turning things off
Controlling access
Build access based on role
Not everyone needs to log in everywhere
Map out who needs to talk to what
Firewalls aren’t just for the edge
Tie security rules to environments
Enforce controls and permissions at the same time
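One way to express these three access slides in Puppet, as an added example that is not code from the talk: login is granted per node role, and administrative SSH is allowed only from the environment's bastion network, so the access map lives in version control and every agent run reports drift from it. It assumes puppetlabs-stdlib, puppetlabs-firewall, and a hypothetical custom fact named `role` set at provisioning time.

```puppet
# Added illustration, not code from the talk: SSH login is granted per node
# role and admin SSH is allowed only from the environment's bastion network.
# Assumes puppetlabs-stdlib, puppetlabs-firewall and a 'role' fact (hypothetical).
class profile::access (
  # role => groups allowed to log in; unlisted roles get admins only
  Hash[String, Array[String]] $role_groups = {
    'web' => ['webops'],
    'db'  => ['dbas'],
  },
  # environment => network that administrative SSH may come from
  Hash[String, String] $bastion_cidr = {
    'production' => '10.0.1.0/24',
    'staging'    => '10.0.2.0/24',
  },
) {
  $role = $facts['role']
  if $role in $role_groups {
    $groups = $role_groups[$role] + ['sysadmin']
  } else {
    $groups = ['sysadmin']
  }
  unless $environment in $bastion_cidr {
    fail("No bastion network defined for environment ${environment}")
  }

  # Login policy: sshd accepts only members of the groups this role needs.
  file_line { 'sshd AllowGroups':
    path   => '/etc/ssh/sshd_config',
    line   => "AllowGroups ${join($groups, ' ')}",
    match  => '^AllowGroups\s',
    notify => Service['sshd'],
  }
  service { 'sshd': ensure => running, enable => true }

  # Network policy on the host itself: default-deny inbound, SSH only from bastion.
  firewall { '000 accept related and established':
    proto  => 'all',
    state  => ['RELATED', 'ESTABLISHED'],
    action => 'accept',
  }
  firewall { '100 ssh from environment bastion':
    proto  => 'tcp',
    dport  => 22,
    source => $bastion_cidr[$environment],
    action => 'accept',
  }
  firewall { '999 drop other inbound': proto => 'all', action => 'drop' }
}
```

Because the same class carries both the login rule and the firewall rule, a node that changes role or environment has its permissions and its network controls corrected in the same run, and a hand-edited sshd_config or iptables rule shows up as a corrective change in the report.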
Stop knowing passwords
Use a secret management system, please
Get better at rotating credentials
But don’t start expiring passwords like mad
Showing that you did the thing
AKA why the compliance folks will like you
“Here’s when we patched”
In aggregate, per machine, per datacenter…
“Here’s who can log in to this machine”
And here’s when that changed
“Here’s evidence that all machines are logging to our SIEM”
“Here are the machines in PCI scope”
And here’s how you know that’s the total list
Patch management
Seriously, get patching under control
You won’t regret it
Get fast at triaging and rolling out
ID machines that are behind, get them up to date
The closer prod and test are, the faster you can move
You still want to test those patches, I assure you
I had a bad experience
Well, kind of bad. Turned out well.
Dealing with compromise
Detecting badness
Remember that unplanned change demo?
Detecting badness
The tighter your controls are, the more you can detect problems
Assessing impact
If only you had a way to detect changes across machines…
Burn it all down and start over
I take your persistence measure and raise it scorched earth
Test those backups first
Maybe I should have said this before “burn it all down”
Quick recap
1. Build more robust systems from the beginning.
2. Maintain tighter access controls.
3. Keep compliance happy by being able to show your work.
4. Keep on top of your patches.
5. Gain visibility into your running system.
6. Be able to rebuild quickly without breaking things.
I can’t drop the mic, but I’ll close my Hello Kitty phone.
Thank you