Hey Everyone,
New here. Glad to be here! Love the ideas and conversations on this forum.
Context:
Thought I’d start with something I’ve been working on. From what I’ve noticed over the years in the field (especially during the course of an audit or an external assessment), I end up having quite a few discussions around SecOps in the context of automation. Automation with tangible benefits. For example, answers to questions such as:
- How do you monitor your TLS endpoints? How often? And how do you enforce a particular version of TLS?
- Do you automate pen-tests? If yes, how often do you run them?
- What sort of alerts do we get in the SOC? How do we act on them? Etc.
I’ve been exploring (started off as toying with) the idea of leveraging a serverless architecture for SecOps. To demo a few practical applications of a serverless architecture in the SecOps world, I’ve put together a couple of (lightweight) examples attempting to address the above questions.
Here’s a link to my personal GitHub repo: https://github.com/nihalpasham/secautomation, where I’ve built connectors for a few Cloud service APIs. These are just some of the ideas for what I think is possible with serverless SecOps (and I think we are just scratching the surface.)
• Serverless TLS health reporting infrastructure via SSL labs API
• Serverless automation of periodic pentests: a DNS tunneling example
• Serverless SOC tooling basics: Bad IP and domain checks via apility API
This repo contains serverless functions for all of the above, i.e. we can pick one and quickly have it deployed atop, say, AWS Lambda or Azure Functions. Here is a working link for the TLS Health reporting function - https://bit.ly/2pWqfeF. Add the query parameters ‘hostname={domain name}’ and optionally ‘checkcache=cache’.
The benefits:
- You set this up once and it can run periodically or in an event-driven manner. No manual intervention needed.
- We don’t have to manage or secure the infra. So you’re running security infra that isn’t adding to our existing attack surface, i.e. it comes with layers of security built-in.
- You could pretty much automate (and validate) any SecOps related activity.
- This complements all of the tooling we’re bringing into the SecOps pipeline.
- Quite cheap for the kind of work we need it for.
Possibilities:
- Uhh … pretty much everything I can think of
- For starters - we can build an automated risk analysis system designed for something like a microservices architecture. Theory of operation - we can passively and continually analyze system dimensions and make decisions.
  - Ex: For each microservice, we could have the following app risk metrics. Develop a risk scoring system for each metric and expose this to developers so they have an idea.
    - Instance count: does your app auto scaling group have 3 instances or 300 instances?
    - Dependencies: lots of dependencies, more risk
    - Connectivity to sensitive systems: connects to, say, PKI systems
    - Internet-accessibility: direct or proxied
    - Azure account location: some of them can be sensitive accounts
Let me know what you think. Do you think there’s merit or potential in something like this … thoughts/ideas/comments/feedback are welcome.
PS: This only took about 3 hours to put together, but I presume there are (obviously) a lot of ways a Node.js/Go expert could improve the example code. Feel free.
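To make the TLS health reporting idea from the post concrete, here is an added example of a serverless-style handler that answers the "how do you enforce a particular version of TLS?" question. It is not code from the secautomation repo. It reads the same `hostname` and `checkcache=cache` query parameters the post describes, validates the hostname before it is ever passed on to an external API, and evaluates an analyze result against a policy (no protocol older than TLS 1.2, grade in the A range). The `SAMPLE_ANALYZE` dict is a constructed stand-in that only loosely mirrors the shape of the SSL Labs v3 `analyze` response, and the event format assumes an API Gateway style proxy event; both are assumptions so the example runs offline.

```python
"""Serverless-style TLS health check handler (added example, not from the
secautomation repo). Evaluates an SSL Labs-like 'analyze' result against a
minimum-TLS-version policy and returns a compliance report."""
import json
import re

# Constructed sample result: two endpoints, one of which still offers TLS 1.0.
# Shape loosely mirrors the SSL Labs v3 analyze response (assumption).
SAMPLE_ANALYZE = {
    "host": "example.com",
    "status": "READY",
    "endpoints": [
        {"ipAddress": "192.0.2.10", "grade": "A",
         "details": {"protocols": [{"name": "TLS", "version": "1.2"},
                                   {"name": "TLS", "version": "1.3"}]}},
        {"ipAddress": "192.0.2.11", "grade": "B",
         "details": {"protocols": [{"name": "TLS", "version": "1.0"},
                                   {"name": "TLS", "version": "1.2"}]}},
    ],
}

MIN_TLS = (1, 2)                       # policy: nothing older than TLS 1.2
ACCEPTABLE_GRADES = {"A+", "A", "A-"}  # policy: grade must be in the A range
# Only accept something that looks like a hostname before calling out.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")


def _version_tuple(version):
    return tuple(int(part) for part in version.split("."))


def evaluate_endpoint(endpoint, min_tls=MIN_TLS):
    """Findings for one endpoint: legacy protocol versions and weak grade."""
    protocols = endpoint.get("details", {}).get("protocols", [])
    offered = [p["version"] for p in protocols if p.get("name") == "TLS"]
    legacy = sorted(v for v in offered if _version_tuple(v) < min_tls)
    findings = []
    if legacy:
        findings.append("legacy TLS enabled: " + ", ".join(legacy))
    if endpoint.get("grade") not in ACCEPTABLE_GRADES:
        findings.append("grade %s below policy" % endpoint.get("grade"))
    return {"ipAddress": endpoint["ipAddress"], "grade": endpoint.get("grade"),
            "compliant": not findings, "findings": findings}


def build_report(analyze):
    endpoints = [evaluate_endpoint(e) for e in analyze["endpoints"]]
    return {"host": analyze["host"],
            "compliant": all(e["compliant"] for e in endpoints),
            "endpoints": endpoints}


def fetch_analyze(hostname, from_cache):
    """Offline stand-in for the SSL Labs call. A deployed function would GET
    https://api.ssllabs.com/api/v3/analyze?host=<hostname>&all=done (adding
    fromCache=on when the caller asked for cached results) and poll until
    status is READY; here we return the constructed sample."""
    return dict(SAMPLE_ANALYZE, host=hostname)


def run_check(hostname, from_cache=False):
    """Validate the hostname, fetch the analysis and build the report."""
    if not HOSTNAME_RE.match(hostname):
        raise ValueError("invalid hostname")
    return build_report(fetch_analyze(hostname, from_cache))


def handler(event, context=None):
    """Lambda-style entry point: ?hostname=<name>&checkcache=cache"""
    params = event.get("queryStringParameters") or {}
    hostname = params.get("hostname", "")
    try:
        report = run_check(hostname, params.get("checkcache") == "cache")
    except ValueError as exc:
        return {"statusCode": 400, "body": json.dumps({"error": str(exc)})}
    return {"statusCode": 200, "body": json.dumps(report)}


if __name__ == "__main__":
    print(handler({"queryStringParameters": {"hostname": "example.com"}})["body"])
```

Scheduled through a timer trigger, the report's `compliant` flag is what you would alert on; the per-endpoint findings tell the service owner which host still speaks TLS 1.0 rather than just that "something" failed.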
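The risk scoring system sketched under "Possibilities" can also be shown in working code. The following is an added example, not something from the post or the secautomation repo: each of the five metrics the post lists (instance count, dependencies, connectivity to sensitive systems, internet accessibility, sensitive account) is scored 0 to 3, weighted, and folded into a percentage and a band that can be exposed to developers. The thresholds, weights and band cut-offs are assumptions chosen for illustration, and the service inventory is constructed.

```python
"""Risk scoring for a microservice inventory (added example, not from the
secautomation repo). Scores the metrics named in the post; all thresholds,
weights and bands are illustrative assumptions."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Service:
    name: str
    instance_count: int
    dependencies: int
    sensitive_connections: List[str] = field(default_factory=list)  # e.g. ["pki"]
    internet_exposure: str = "none"   # "none", "proxied" or "direct"
    account_sensitive: bool = False   # hosted in an account flagged sensitive


# Assumed weights: exposure and sensitive connectivity count for more.
WEIGHTS = {"instances": 1, "dependencies": 2, "sensitive_connections": 3,
           "internet": 3, "account": 2}
MAX_RAW = 3 * sum(WEIGHTS.values())  # every metric at its worst value


def score_instances(n):
    # Bigger fleets mean a bigger blast radius and more hosts to patch.
    return 0 if n <= 3 else 1 if n <= 30 else 2 if n <= 300 else 3


def score_dependencies(n):
    # More third-party code, more supply-chain exposure.
    return 0 if n <= 10 else 1 if n <= 50 else 2 if n <= 150 else 3


def score_sensitive(conns):
    # Each sensitive system reachable (PKI, HSM, ...) adds a point, capped at 3.
    return min(len(conns), 3)


def score_internet(exposure):
    levels = {"none": 0, "proxied": 1, "direct": 3}
    if exposure not in levels:
        raise ValueError("unknown exposure: %r" % exposure)
    return levels[exposure]


def score_account(flag):
    return 3 if flag else 0


def score_service(svc):
    """Per-metric scores, weighted total as a percentage, and a band."""
    metrics = {
        "instances": score_instances(svc.instance_count),
        "dependencies": score_dependencies(svc.dependencies),
        "sensitive_connections": score_sensitive(svc.sensitive_connections),
        "internet": score_internet(svc.internet_exposure),
        "account": score_account(svc.account_sensitive),
    }
    raw = sum(WEIGHTS[k] * v for k, v in metrics.items())
    score = round(100 * raw / MAX_RAW)
    band = ("critical" if score >= 70 else "high" if score >= 45
            else "medium" if score >= 20 else "low")
    return {"service": svc.name, "metrics": metrics, "score": score, "band": band}


def rank_services(inventory):
    """Highest-risk services first, so the SOC knows where to look."""
    return sorted((score_service(s) for s in inventory),
                  key=lambda r: r["score"], reverse=True)


# Constructed inventory for the demo.
INVENTORY = [
    Service("payments-api", 120, 80, ["pki", "hsm"], "direct", True),
    Service("catalog-web", 40, 30, [], "proxied", False),
    Service("internal-reporting", 2, 15),
]

if __name__ == "__main__":
    for r in rank_services(INVENTORY):
        print("%-20s %3d %s" % (r["service"], r["score"], r["band"]))
```

In a serverless setup the inventory would come from the cloud provider's own APIs (auto scaling groups, load balancers, account tags) on a schedule, and the `metrics` breakdown is what makes the score actionable: a developer can see that "direct internet exposure" and "sensitive account" are what push a service into the critical band.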