Year over year, cyber attacks are more and more common, causing potentially dramatic damage, depending on the target. In 2022, no less than 831 proven cyber attacks were reported to the French National Cybersecurity Agency (ANSSI). And this is just the tip of the iceberg.
Some of these malicious attacks could be avoided, or more precisely rendered harmless, by implementing hardening practices on IT systems and, above all, maintaining and monitoring them throughout the systems’ full lifecycles. System hardening consists of reducing what is present on a system (applications, libraries, etc.) and the permissions granted to users to the strict minimum. The attack surface is therefore reduced.
This practice is a pretty basic recommendation in standard security guidelines, but its implementation and regular monitoring can be tedious. Servers nowadays are being used to build increasingly sophisticated IT systems, and have a tendency to “drift” over time, as a result of manual changes relating to service outages, system and application updates.
Tools now exist that automate most of operational security: setting up servers according to your organization’s security policy, patch management, preventing “drift” and enabling continuous compliance monitoring. Welcome to the era of “continuous security”.
The simplicity of DevOps tools vs. the complexity of managing IT infrastructure
The use of deployment, orchestration and configuration management tools is now widespread, a happy consequence of the DevOps movement. Including Ops specialists in Dev teams has made application deployment significantly smoother thanks to better collaboration. But here’s the thing: maintaining and updating infrastructure over time is still too often neglected. Little by little, the finer details, the overall understanding of the infrastructure as a whole and the ability to take a step back to notice cross-platform issues – all skills once held by system administrators – have gradually melted away.
But is there a more complex human construction than continuously evolving IT architecture that is constrained by past choices? At the end of the day, most infrastructures look a lot like a bunch of heterogeneous systems that inherited considerable technical debt, a catalogue of interdependencies and constraints that grows denser with each passing day.
Streamlining this complexity, which naturally keeps increasing, is a widely underestimated responsibility. However, it is an essential lever for securing an infrastructure. And this is where hardening comes in, but also system updates and vulnerability assessment.
When these processes are not implemented upstream, you end up “firefighting”, adding potential flaws with each emergency operation you carry out. This is because in the event of a security incident, everything must be done to extinguish the fire, even if it means breaking doors and windows. And although temporary patches are not designed to last, they do tend to remain, just as workarounds do, thereby exposing new loopholes and weaknesses that are particularly hard to identify and that can, sooner or later, end up being exploited by an attacker.
Hardening and patch management, two cornerstones of security-in-depth
While you need dedicated teams, like SOC (security operations centre), to react to security incidents, should we not also be doing everything we can upstream to avoid them or at least anticipate them?
This is why the concept of defense-in-depth, or security-in-depth, is emerging. This tactic involves layering security checks and is inherited from the NSA. Why? To provide redundancy in the event of a control failure or an exploit. Although vulnerabilities are obviously not always the point of entry for an attack, they can allow intruders to bounce from one machine to another until they find a point of entry granting access to systems.
Going back to the firefighting analogy, the idea of hardening and patch management is to install as many fire doors as possible when everything is going well, to discourage attacks and limit the need for emergency interventions. Nothing is more effective than integrating security into everyday operations, starting with the deployment of new machines.
This is precisely what tools such as Rudder offer: implement hardening and patch management effectively and efficiently, track vulnerabilities affecting your systems, etc. And above all, control drift over time.
Sustaining the benefits of audits - or how to avoid drift
All organizations have a security policy nowadays. It may range from compliance with basic IT sanity rules, as described by governments, SecNumCloud or CIS Benchmarks, to more advanced security standards such as ISO 27001 or PCI-DSS certifications for payment data or HDS for health data. Regular audits carried out to validate infrastructure compliance require a review of the IT infrastructure to correct, update and optimize system security. Weeks of work to look perfect on the day. But the results of these efforts quickly vanish due to the natural entropy of IT systems that are constantly evolving and undergoing manual operations, most often untracked. This is what we call “drift”.
The security tactics explained ensure compliance through automated deployment and continuous monitoring of an organization’s security policy. And this is a game changer: audits become a non-event because you’re continuously and automatically auditing every day. Any differences between your desired configuration and the actual state of your machine are identified and corrected. Not only does this allow you to control drift and maintain security at many levels, in keeping with the security-in-depth concept, you also gain full visibility over your systems and the ability to generate reports in just a few clicks.
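To make the desired-state versus actual-state comparison concrete, here is a small added illustration of a drift audit and remediation for a few sshd directives; it is example code written for this article, not Rudder’s agent or its rule format, and the baseline values and sample configuration are constructed.

```python
# Constructed hardening baseline: desired values for a few sshd directives.
DESIRED_STATE = {"PermitRootLogin": "no", "PasswordAuthentication": "no",
                 "X11Forwarding": "no", "MaxAuthTries": "3"}

# Constructed "actual" file: PermitRootLogin was flipped during an incident
# and MaxAuthTries was never set, so two of the four directives have drifted.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding no
"""

def parse_sshd_config(text):
    """Directive -> value; the first occurrence wins, as in sshd itself.
    Only the 'Key value' form is handled here, not 'Key=value'."""
    state = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            state.setdefault(key, value.strip())
    return state

def detect_drift(desired, text):
    """Audit step: (directive, expected, actual) for every non-compliant
    directive; actual is None when the directive is absent from the file."""
    actual = parse_sshd_config(text)
    return [(k, v, actual.get(k)) for k, v in desired.items() if actual.get(k) != v]

def compliance_percent(desired, text):
    """Share of baseline directives currently in their desired state."""
    return 100.0 * (len(desired) - len(detect_drift(desired, text))) / len(desired)

def remediate(desired, text):
    """Enforcement step: rewrite drifted directives in place, append missing
    ones, and drop duplicates so only the enforced value remains."""
    seen, out = set(), []
    for line in text.splitlines():
        key = line.strip().partition(" ")[0]
        if key in desired:  # a comment line starts with '#', never a key
            if key not in seen:
                out.append(f"{key} {desired[key]}")
            seen.add(key)
        else:
            out.append(line)
    out.extend(f"{k} {v}" for k, v in desired.items() if k not in seen)
    return "\n".join(out) + "\n"
```

Running the audit on the sample reports 50% compliance with two drifted directives; running it again on the remediated output reports 100%, which is the “audit becomes a non-event” loop in miniature.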
Rudder was designed from this concept of compliance by design. It works by using lightweight agents, deployed on each machine, which collect and provide real time feedback for automatic server configuration. In turn, this enables Rudder to grant visibility (via a graphic web interface) on the overall security state of IT infrastructure and to manage drift.
Security and compliance: two sides of the same coin?
While compliance and security have always been closely linked, they are now more than ever complementary and intrinsically linked in running modern infrastructures. So much so that configuration management tools are now adopting compliance monitoring capabilities, and vice versa.
In order to make good security practices more accessible, Rudder proposes predefined and adaptable rules, to which you can of course add your own specific rules for your infrastructure and business constraints. In short, everything that makes your business unique and your experience valuable.
Rudder is also a useful right hand for strengthening the security of your systems. You automatically get detailed information about updates and vulnerabilities that affect your systems, based on their OS and the applications installed on them. This enables you to remedy vulnerabilities before they are exploited and limit the risks. Including legal risks, since the supervisory authorities have already considered that software obsolescence opens up a significant gap for attacks and therefore constitutes negligence.
A tool like Rudder is not a silver bullet. You’ll still need your security team’s expertise. You’ll still need to make decisions regarding, for example, detected vulnerabilities for which patches are not yet available. But by automating security and compliance, Rudder increases the effectiveness of dedicated infrastructure teams and makes their operations much more reliable. You will be rid of chores that can be automated and that used to require regular, manual checks. This will enable you to focus your efforts on specific cases and more advanced threats. Your enemies automate everything they can too, in order to increase the efficiency of their attacks and to industrialize them. Nowadays, to stay competitive you cannot do any less.