Open Source Security Orchestration
From BruCON 2017
My original question was “How do I share a Fail2ban jail?” But there are many other questions aren’t there? How do we get to threats in time? How do we make sure that the evidence that we need gets captured or that the threat is stopped before it is too late? How do we do all this with a limited staff? We only have so many people. The answer to that is orchestration. Of course, the vendors can offer you something. As long as you want to pay lots of money, setup a complicated product, they got you covered. Seriously! I just want these two boxes talking. If this happens, I want this to happen. Can we just do that without some major operation? Yes. It turns out that we can.
We’ll start with Adaptive Network Protocol (ANP) which was developed so that nodes can share event information with each other. Install an ANP agent, peer it with as many systems as you want so that they can begin sharing, and then add an interface for every action that you would like a system to take when it sees a particular event. It is that easy.
In this session, we’ll show you how ANP works, how to install it, and cover all the use cases from generating your own Threat Intelligence feed, to sharing fail2ban jails across clouds, to automatically NATing threats to honeypots, and many more. To show you how it works, I will even demo some of these scenarios. What's more, you can take ANP home with you so that you too can use it to automate your network defenses. Because when it comes to defending your network, responding quickly can mean all the difference and with ANP you can do that.