So, because we don't have many people here today, we can do it in interactive mode. Feel free to ask questions, or questions at the end. Is that clear? Cool. All right, let's get started.

Yep, so my name is Dentella. I'm a security engineer at Red Hat Australia and I've been doing information security stuff for about a decade: DevSecOps, development of some cool stuff, as well as ethical hacking on some of Australia's largest companies. Currently at Red Hat, we are part of the information security department, focusing on internal security. So this is internal security, not Red Hat customers. And within that team, it's a very large team globally, we are managing security vulnerabilities. And this is a new team we have established. We have new processes, new technologies, as well as new challenges, and within those challenges, dealing with a lot of information at once. Today I will show you how we managed to overcome some of them by creating a single automation script, which then evolved into an asset mapping tool. And together, once we had these two, we decided let's take it to the next step and create an entire hybrid cloud asset security solution, which is similar to an attack surface mapping tool. This is our vision with what we have now.

All right, so our initial mission as a team was to get assets at Red Hat, systems, servers and virtual machines, into our security tools so we can see vulnerabilities. Specifically operating system and third-party software vulnerabilities, things that are installed in the systems, from an infrastructure perspective. Well, really, like in similar large companies, finding owners and systems is a big challenge. We have inventories, CMDBs, but often it's very hard to get the exact data you need, and getting in touch with teams is a big deal by itself, and the assets themselves just keep changing all the time, right?
So we were looking for alternatives, we were looking for options to get that mapping sorted. So we started looking at different solutions that exist, open source, commercial tools, and they just required a lot of customization to get the exact mapping of owners and assets at Red Hat to our needs. And some that did sort of fit just didn't have the exact features we needed and still required a lot of work, so that didn't really make sense at that time. So we decided, you know, let's put some scripts together to get it.

Okay, and Jennifer today will be discussing what my team does from a higher-level perspective. We'll go through some demos, we'll have some screenshots of the asset mapping tool, and finally the vision of what we'd like to achieve, and we can do some kind of Q&A.

Okay, so we are the vulnerability management team. We deal with security vulnerabilities internally at Red Hat. This is an ongoing process. It's a new process, a new team, where we on a daily basis handle a large amount of vulnerabilities from assets. The main goal here is that we need to discover vulnerabilities affecting assets at Red Hat and tell the team, you know, there's a serious thing, go and patch it quickly before it poses a risk for the company. The main vulnerabilities we look at, as I mentioned before, are operating systems and third party. We have on our roadmap to look at more container vulnerabilities and applications, etc. A bit more on our high-level process for the team: we onboard systems into our tools; once the data is loaded in the security tools, we have visibility on the vulnerabilities, we assess the data for the further risks, and we just engage the teams: hey, go ahead and, you know, patch that thing.
It's critical for the company. So with that, the challenges we had: the objectives, or one of them at least, was to get the assets into our security tools. This is how the process initially looked. We had to contact the business owner, usually a manager at Red Hat. Then he referred us to other technical owners, who usually knew where the assets are and their state. At that time we had to exchange more technical requirements and specs with the technical owners, tell them, hey, we need to install security tools to get visibility, etc. Then we exchanged some more agreements and finally we managed to onboard some of the assets into our security tools. There was a lot of manual work for us to achieve that, and obviously in such a large company as Red Hat that's very time-consuming and not scalable. Assets just keep changing all the time, teams keep changing all the time. We really started just with a spreadsheet to track that information. We had who we contacted, when, how many assets they had, and we just put it in a spreadsheet like that. We started coloring that, and that's not very scalable. It's a lot of hard work for our team to get to all the teams at Red Hat. There was a lot, a lot of work. So there was definitely a need for automation, no doubt, and we started looking at how we can really put that in scripting.

So what you see here is our design of the current system, the architectural view of how our system is designed. On the right-hand side is where we're collecting data from different sources. So we have different environments: AWS, Azure, different clouds, different infrastructure.
You name it, pretty much everything Red Hat has. We also have been collecting information from internal services, I'm naming a few there, and some other third party, such as security tools that we use at Red Hat. All that information, partially, some of it is being collected to a dedicated server here where we have different containers running, as even business logics or functions. The way we designed that is these containers act as plugins to scale the system. So the more services Red Hat adds, the more services we create; we can kind of plug in per that to pull that information. And then there's a bit of logic here, and we then push the data to the destinations here, marked in blue: Google Sheets and Splunk at this stage. In addition, we also scan the external perimeter with the tool. So what we have here is that we match, we have rules that we match different IDs to find owners and their assets. Because there are so many services at Red Hat, it's a big challenge to find out, and the way we managed to get some of that mapping is: there were cases where just IDs were very straightforward; in other cases we had to scrape names, some tags, labels, or even combine multiple services together just to get a mapping of who owns what and where.

I prepared a quick demo and some screenshots, if I could run that. Where is the mouse? Here we go. So this is our Python script, and in this example specifically we are getting data from AWS, pushing it to Google Sheets, and here in the middle there's a tool called Qualys. It's a security tool, and we just obtain all that information to get a mapping. Here you can see the account and all the assets, and that is being pushed into Google Sheets; let me push past that. Here we go. So what you see in front of you is pretty straightforward: accounts and their assets from AWS. But we can see which account has how many assets at a given time and their state, so with this information we started engaging the teams, right.
Hey, we can see you have 20 assets, right? Let's start getting them into our security tools. That was just a starting point. Then, with the information we already had, owners and their assets, we mapped that to our existing security tool, and here in this case we can see how many systems are registered in our tools compared to the ones we've been told they have. So in this example specifically, let's say there was an owner here. He was telling us he's got 20 systems in AWS; we saw he's got more. And he also told us that all the systems had already been registered in our tools. Well, we saw some are missing, right? Now, why is it really important that systems are registered in our tools? Well, if any of these systems is potentially with a security vulnerability, a serious security vulnerability, and we don't have visibility in our tools, that's a big risk for Red Hat. But now with that we were able to see and tell him, dude, you know, not all systems are registered, go and fix this one as well. So we managed to increase the coverage of systems in our tools with that. Further, with the same mapped information, we started scanning the external perimeter of Red Hat, and as you can see here, some systems we found to be exposed to the internet. We found systems which are exposed to the internet. The two rows at the top highlighted in red are systems that are exposed to the internet but are connected to the internal networks of Red Hat. So that's a higher risk for the company, and we wanted to find a few of these. Finally, with all that mapped information we had, we also had the actual security vulnerabilities from our tools, and in this case we could see the owner, how many assets he has, where, the states, additional metadata, if the system is exposed to the internet, if it contains a security vulnerability. So we have all that mapped information together in one view.
All right. So what has this all given us? In this chart, for a period of one year, the number of assets that we managed to register in our tools, month by month. In the first six months, with a lot of this manual work, we didn't achieve a lot. But once we had that tool in place, you can see the assets being registered. So what this tool gave us: two main things. We mentioned increased assets in our tools, and secondly, greater visibility and coverage of our risk profile for Red Hat.

And finally, just before we wrap up: our vision to expand the existing asset mapping tool into an attack surface solution. So this is the interesting part. We take it to the next stage, to the next level. We want to get more visibility. We want to see exactly the weakness points this tool can detect on the existing data we have collected. In this example specifically: once we have all this mapped data in our records, system ABC is found to be exposed to the internet. There's been a developer, he's been doing some work on that, opened the ports, and that system is exposed. We can also see that system has a vulnerability XYZ, in this case. And we can also see who owns it at that given time, and additional metadata. Now, that system that we have automatically finds that as a weakness. Something flags that it's an important thing: the system is exposed with a vulnerability, and that's a high risk. So this is where we'd like to get to: a system that automatically detects this kind of weakness for a company.
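The two pieces of logic the talk describes, comparing the provider's asset list against what the security tool has registered, and then flagging an internet-facing system that also carries a vulnerability, as an added example that is not the team's own script. The inventory, scanner registrations and findings are constructed sample data, and the field names and risk labels are assumptions.

```python
"""Correlate a cloud asset inventory with what the scanner has registered, then rank assets by
exposure. All data below is constructed sample data; ids and field names are placeholders."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    account: str
    asset_id: str
    owner: str
    internet_facing: bool    # seen by the external perimeter scan
    internal_network: bool   # also connected to the internal network

INVENTORY = [  # constructed: what the cloud provider reports, one row per instance
    Asset("acct-123", "i-0a1", "team-alpha", True, True),
    Asset("acct-123", "i-0a2", "team-alpha", False, True),
    Asset("acct-123", "i-0a3", "team-alpha", True, False),
    Asset("acct-456", "i-0b1", "team-beta", False, True),
    Asset("acct-456", "i-0b2", "team-beta", True, False),
]
REGISTERED = {"i-0a1", "i-0b1", "i-0b2"}        # constructed: ids the scanner has registered
FINDINGS = {"i-0a1": ["VULN-PLACEHOLDER-1"]}    # constructed: id -> vulnerability ids found

def coverage_by_owner(inventory, registered):
    """Per owner: assets the provider reports vs. assets the scanner knows; 'missing' goes back to the owner."""
    report = {}
    for a in inventory:
        entry = report.setdefault(a.owner, {"total": 0, "registered": 0, "missing": []})
        entry["total"] += 1
        if a.asset_id in registered:
            entry["registered"] += 1
        else:
            entry["missing"].append(a.asset_id)
    return report

def rank_risks(inventory, registered, findings):
    """(asset_id, owner, risk) highest first; unregistered assets have unknown state, so above clean ones."""
    rows = []
    for a in inventory:
        vulns = findings.get(a.asset_id, [])
        if a.asset_id not in registered:
            risk = "unassessed"          # nobody has scanned it yet
        elif a.internet_facing and vulns:
            risk = "critical" if a.internal_network else "high"   # exposed + vulnerable (+ internal path)
        else:
            risk = "medium" if (a.internet_facing or vulns) else "low"
        rows.append((a.asset_id, a.owner, risk))
    order = {"critical": 0, "high": 1, "unassessed": 2, "medium": 3, "low": 4}
    return sorted(rows, key=lambda r: order[r[2]])
```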
All right. So just to conclude what you've seen today: the last slide was a vision of what we have, and we did manage to accomplish a few things here with a lot of hard work and data. We did manage to find, and we're still in the process of finding, risks associated with internet-facing systems at Red Hat. We're further likely to have a simplified view to find these weaknesses end to end, what an attacker could exploit, the entire thing, and finally reduce the entire risk for Red Hat and our customers. Well, thank you very much. That's the last slide for today. And yeah, any questions?

Okay, so the question is how do we detect an internal IP for a system, right? What's the mechanism behind it, what logic do we do? There are so many systems, there are so many environments, each one has its own case. It's case by case. There's not one particular for all systems at Red Hat. We get the IP for several environments; we managed to find it from the actual network devices themselves, they contain it. There's another service at Red Hat, it's a complete net solution which has that mapping, so we get it from there. In other, more modern environments such as AWS, it's very straightforward, you can just get the IP. Yeah, for some other ones it's just a lot of work to scrape that and find that, and even once you find the IP, it's to find the other values associated with that, to get the complete mapping information. Yeah, good question. Yep, any other questions? All right, I hope you enjoyed the presentation.