Red Hat has announced it plans to extend the open source Ansible framework for automating IT operations into the realm of cybersecurity.
At the AnsibleFest 2018 conference this month, Red Hat showcased a preview that extends its declarative approach to automating IT, already used widely within IT organizations, to include support for enterprise firewalls, intrusion detection systems (IDS) and security information and event management (SIEM) platforms.
Red Hat showed how Ansible can automatically configure logging across enterprise firewalls and IDS, for example by enabling logging or increasing log verbosity, to enrich the alerts received by a SIEM solution and simplify event triage. Ansible can also automatically create new IDS rules to investigate the origin of a firewall rule violation and whitelist those IP addresses recognized as non-threats. Finally, Red Hat showed how Ansible can be employed to automatically validate a threat by verifying an IDS rule, trigger a remediation defined by a SIEM platform and then create the appropriate firewall rules to blacklist the source of an attack.
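The following playbook is an added illustration of the workflow just described and is not code from Red Hat or the Ansible project. It uses only built-in Ansible modules. It assumes an inventory group named `ids_sensors` running Snort with its local rules in `/etc/snort/rules/local.rules` and its fast-format alert log at `/var/log/snort/alert`, and it assumes a firewall that exposes a REST endpoint (`firewall_api_url`, a placeholder) accepting a JSON block request with a bearer token; the alert fields in `vars` are constructed sample input standing in for what a SIEM would pass to the play.

```yaml
# Added example, not Red Hat's or the Ansible project's code.
# Flow: allowlist check -> investigative IDS rule -> validate against IDS
# alert log -> block the source at the firewall only if the IDS confirms it.
- name: Triage a SIEM alert on the IDS and block confirmed sources at the firewall
  hosts: ids_sensors          # assumed inventory group of Snort sensors
  become: true
  vars:
    # Constructed sample alert, as a SIEM would hand it to the playbook
    alert_src_ip: "203.0.113.45"
    alert_msg: "Repeated firewall policy violation"
    # Sources recognized as non-threats (internal scanners, monitoring)
    known_good_ips:
      - "198.51.100.10"
      - "198.51.100.11"
    snort_local_rules: /etc/snort/rules/local.rules   # assumed path
    snort_alert_log: /var/log/snort/alert             # assumed path
    firewall_api_url: "https://firewall.example.internal/api/block"  # placeholder endpoint
    firewall_api_token: "{{ lookup('env', 'FW_API_TOKEN') }}"

  tasks:
    - name: Stop early when the reported source is allowlisted
      ansible.builtin.meta: end_play
      when: alert_src_ip in known_good_ips

    - name: Add an investigative Snort rule for the reported source
      ansible.builtin.lineinfile:
        path: "{{ snort_local_rules }}"
        # sid 1000001 is in the range reserved for locally defined rules
        line: >-
          alert ip {{ alert_src_ip }} any -> $HOME_NET any
          (msg:"SIEM follow-up: {{ alert_msg }}"; sid:1000001; rev:1;)
        create: true
      notify: Reload snort

    - name: Apply the new rule before validating
      ansible.builtin.meta: flush_handlers

    - name: Count existing IDS alerts that already name this source
      ansible.builtin.command: grep -c "{{ alert_src_ip }}" {{ snort_alert_log }}
      register: ids_hits
      changed_when: false
      failed_when: false      # grep exits 1 when there are no matches

    - name: Block the source at the firewall when the IDS confirms the threat
      ansible.builtin.uri:
        url: "{{ firewall_api_url }}"
        method: POST
        headers:
          Authorization: "Bearer {{ firewall_api_token }}"
        body_format: json
        body:
          source_ip: "{{ alert_src_ip }}"
          reason: "{{ alert_msg }}"
        status_code: [200, 201]
      delegate_to: localhost
      run_once: true
      when: ids_hits.stdout | default('0') | int > 0

  handlers:
    - name: Reload snort
      ansible.builtin.service:
        name: snort
        state: restarted
```

The deliberate design point is the gate between the IDS and the firewall: a SIEM alert alone only causes a rule to be written and the sensor's own evidence to be checked; the blocking call runs only when the IDS has recorded hits from that source, so a noisy or mistaken SIEM rule cannot by itself push a block to the perimeter.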
Justin Nemmers, general manager for Ansible at Red Hat, said that approach will advance DevSecOps across the enterprise because Ansible will provide a security orchestration and automated response (SOAR) capability that doesn’t require cybersecurity professionals to know how to program.
Moreover, each cybersecurity professional will be able to manage security applications and infrastructure at an unprecedented level of scale, which Nemmers predicts will play a significant role in helping alleviate the current chronic shortage of cybersecurity professionals.
Scheduled to be available in early 2019, the cybersecurity extensions for Red Hat Ansible include support for next-generation firewalls from Check Point, cybersecurity analytics software from Splunk and the open source Snort IDS.
Via this initiative, Red Hat is extending an automation framework that already spans servers, storage and networking into IT security. Rather than buy, deploy and manage a SOAR capability for each platform, Red Hat is making the case for what is becoming an uber framework for automation that leverages open application programming interfaces (APIs) and a set of tools that enable IT administrators to enforce a set of policies using declarative tools. In effect, Nemmers said, rather than trying to learn how to automate in a programming class, the Ansible framework makes it easier to learn how to automate by doing, at the exact moment there is a real-world problem to solve.
Just as significantly, the Ansible framework also promises to eliminate many of the silos of cybersecurity automation that already are starting to pop up across the enterprise, says Nemmers.
Of course, the existence of all those automation frameworks is at the core of the next tectonic battle for control of the enterprise. Every networking, server and application vendor is, to one degree or another, trying to extend the reach of its automation framework into cybersecurity. At the same time, many cybersecurity vendors are starting to extend the reach of their SOAR frameworks into the realms of infrastructure and applications. It remains to be seen to what degree any one class of vendors will be able to usurp control over cybersecurity from any other. But as responsibility for cybersecurity continues to shift left toward developers, nothing in the enterprise hierarchy of management can be taken for granted anymore.