Here are the slides from Bill Weiss' PuppetConf 2016 presentation called Puppet as Security Tooling. Watch the videos at https://www.youtube.com/playlist?list=PLV86BgbREluVjwwt-9UL8u2Uy8xnzpIqa

1. Puppet as Security Tooling

2. 2
I’m Bill Weiss
@BillWeiss almost everywhere
bv@puppet.com
Sr. Manager of SREs
Former wearer of monochrome hats

3. Puppet as Security Tooling
Agenda
Housekeeping
Definitions
Building security in
Controlling access
Show that you did the thing
Patch management
Compromises happen
3

4. Housekeeping
4

5. Ask questions whenever
5
Really, please ask

6. This isn’t a tech talk
I’m talking about process, you’ll figure out the code
6

7. Almost all of you know some of this
But I bet most won’t be doing all of it
7

8. Definitions
8

9. 9
Security: things that keep your data safe

10. Compliance: things that keep you running
10

11. Sometimes there’s overlap, sometimes not
You still have to do both
11

12. Building security in
12

13. Get security + compliance involved early
Call your security friends and have them
tell you what they need.
Invite compliance to the party as well.
Input early >> input at the end
13

14. Build a baseline
Common settings/tooling you want everywhere
14

15. Build a baseline
I’m not saying you have to use this module, but they’ve put a bunch of thought into it
15

16. Build a baseline
Logging, auditing, endpoint protection
16

17. Build a baseline
Regulatory requirements and compliance
17

18. NSA STIG with SIMP
I know, that’s a lot of acronym.
NSA: National Security Agency
STIG: Secure Technical Implementation
Guide
SIMP: System Integrity Management
Platform
18
WHITE PAPER
Continuous STIG
Enforcement with
Puppet Enterprise &
the NSA Modules

19. NSA STIG with SIMP
Covers NIST 800-53 and DISA STIG
Optionally enforces FIPS 140-2 mode
19
WHITE PAPER
Continuous STIG
Enforcement with
Puppet Enterprise &
the NSA Modules

20. Build a baseline
Do the things you told customers you do
20

21. Build a baseline
Track changes over time
21

22. Test like it’s production
22
Finding problems late means turning things off

23. Controlling access
23

24. Build access based on role
Not everyone needs to log in everywhere
24

25. Map out who needs to talk to what
Firewalls aren’t just for the edge
25

26. Tie security rules to environments
Enforce controls and permissions at the same time
26

27. Stop knowing passwords
Use a secret management system, please
27

28. Get better at rotating credentials
But don’t start expiring passwords like mad
28

29. Showing that you did the thing
AKA why the compliance folks will like you
29

30. “Here’s when we patched"
In aggregate, per machine, per datacenter…
30

31. “Here’s who can log in to this machine"
And here’s when that changed
31

32. “Here’s evidence that all machines are
logging to our SIEM"
32

33. “Here are the machines in PCI scope”
And here’s how you know that’s the total list
33

34. Patch management
34

35. Seriously, get patching under control
You won’t regret it
35

36. Get fast at triaging and rolling out
ID machines that are behind, get them up to date
36

37. The closer prod and test are, the faster you
can move
You still want to test those patches, I assure you
37

38. I had a bad experience
Well, kind of bad. Turned out well.
38

39. Dealing with compromise
39

40. Detecting badness
Remember that unplanned change demo?
40

41. Detecting badness
The tighter your controls are, the more you can detect problems
41

42. Assessing impact
If only you had a way to detect changes across machines…
42

43. Burn it all down and start over
I take your persistence measure and raise it scorched earth
43

44. Test those backups first
Maybe I should have said this before “burn it all down”
44

45. Quick recap
45

46. 1. Build more robust systems from the beginning.
2. Maintain tighter access controls.
3. Keep compliance happy by being able to show your work.
4. Keep on top of your patches.
5. Gain visibility into your running system.
6. Be able to rebuild quickly without breaking things.
46
Recap

47. 47
I can’t drop the mic, but I’ll close my Hello
Kitty phone.
Thank you