Red Hat Drives Security Orchestration and Automation with New Ansible Capabilities
October 2018 by Marc Jacob
Red Hat, Inc. previewed new Ansible Automation integrations to help customers automate and orchestrate enterprise security solutions, further extending Red Hat’s leadership across the IT security landscape. By automating security capabilities like enterprise firewalls, intrusion detection systems (IDS) and security information and event management (SIEM), organizations can better unify responses to cyberattacks through the coordination of multiple, disparate security solutions, helping these technologies to act as one in the face of an IT security event.
Automation is an important component of digital transformation, helping to drive efficiency, deliver value faster, and solve IT and business workflow challenges. Starting with networks, Red Hat has been driving Ansible Automation into IT domains beyond operations, enabling users to more easily automate more tasks in more ways, including security tasks. Beyond the intent to enable security solution automation, Red Hat also announced certified content to help improve the reliability, consistency and veracity of content.
As IT environments become more complex, so do the security events facing enterprise IT teams. To help organizations better assess risks, remediate issues and develop compliance workflows, Ansible security automation will offer new modules to integrate and orchestrate security tasks and processes. These capabilities are designed to let IT security teams implement better controls that span the security technologies their enterprises already use, orchestrated through Red Hat Ansible Automation.
According to Gartner, "Security teams are suffering from staff shortages, an increase in the volume of alerts and threats, and the ever-present need to do more with less. Existing tools, such as firewalls, endpoint protection platforms (EPPs), security information and event management (SIEM), secure web gateways (SWGs) and identity proofing services (IDPSs), have not been improving the breadth and depth of their APIs. This hinders security teams from getting their tools working in concert with each other to solve problems. The 'tool silo' problem is still the norm for most security teams. Threat intelligence (TI) has matured significantly and is now a front-and-center requirement to improve the context security practitioners need. It is also making many tools and processes smarter and more efficient." (Gartner, Preparing Your Security Operations for Orchestration and Automation Tools, Anton Chuvakin, Augusto Barros, February 22, 2018)
Through Ansible security automation, security teams can better address multiple use cases, including:
• Detection and triage of suspicious activities - Ansible can automatically configure logging across enterprise firewalls and IDS to enrich the alerts received by a SIEM solution for easier event triage; for example, enabling logging or increasing log verbosity.
• Threat hunting - Ansible can automatically create new IDS rules to investigate the origin of a firewall rule violation and whitelist those IP addresses recognized as non-threats.
• Incident response - Ansible can automatically validate a threat by verifying an IDS rule, trigger a remediation from the SIEM solution and create new enterprise firewall rules to blacklist the source of an attack.
As part of this preview, Red Hat’s Ansible security automation platform provides support for:
• Check Point – Next Generation Firewall (NGFW);
• Splunk – Splunk Enterprise Security (ES);
Support for automating enterprise security solutions in Ansible is currently in tech preview and is slated to be generally available via Ansible Galaxy in early 2019.