Ali Bashivan
Coles Group Limited
Ali Bashivan is a Security Principal in Networks at Coles Group Limited providing network security strategy, development of security policies and security technology research.

This ensures that the right technology and practices are used to meet the information security requirements while enabling the business to move at full speed.

With over 20 years of IT experience, 10 of those dedicated to Information and Network Security, Ali started his carrier as a networks and systems engineer in the telecommunication industry before holding a range of software development, team lead, architect and CTO positions in the telecommunication, financial and retail sector.

Ali is a Certified Information Systems Security Professional (CISSP), holds Cisco and Redhat certifications and is currently studying Master of Information Systems Security at CSU.

Practical Network Security Automation
Technical Level (3 being the highest score): 2

We live in a world that no two days are the same, the rate of change and sheer volume of inputs is so fast paced that everyone struggles to catch up. When you are defending a network and your valuable assets, your protection needs nimble and faster than those who are trying to attack it. The challenge is no longer about, if the bad guys can breach your network, it’s all about how early you would know and how fast you can stop them. Throughout this presentation, I touch on some of the rationale behind the necessity of having automation as a defensive tool and share two practical examples of where automation can be used in network security to deflect and / or slowdown attacks

Why do we need to have automation?
Automation is not a new concept, you can easily find example in almost every industry. Manufacturing, Finance, obviously IT, etc. I go over how automation improves and enhances the way we deliver our work in areas such as: Speed, Reliability, Repeatability, Visibility, Roll-backs and Metrics. In each section I’ll cover the tangible benefit of automation and how you can justify it for senior management next time you want to go up and ask for money.

Why do we need automation in security?
• Stop automated attacks: How automated tools used by the attackers have forced us to build capabilities to respond more quickly and in an automated fashion.
• Deliver security in CI/CD model: Review how CI/CD practices have created the demand for automated security enforcement.
• Make up for the lack of qualified resource: There are not enough qualified resource and it’s not a problem that even money can solve.
• Get around the human nature: we get bored doing repetitive tasks so quickly and our quality diminishes over time. We are not built for this, we have human needs.

The outcome should enable the organisation to more efficiently use the human resource to work on identifying patterns and developing templates than performing mundane activities at volume.

User cases
These are examples of security automation that the security team at Coles have researched and implemented:

Response to automated attacks

In most organisation there is a significant time gap between when a malicious source is identified and when it’s blocked from accessing the network.

The lag is caused by:
• Assessment and escalations between teams: To determine if the attempt has been successful or not and then draw a conclusion of whether blocking the attacker is required
• Implementation scale: The number of devices and environments that the policy needs to be installed on (multi-vendor / multi-location / multi-architecture)

Protection points:
• Block IP addresses on FWs
• Block request patterns on WAFs

Effectiveness and shortcomings of each method is detailed and provide a pros/cons table.

The following topics will be covered:
• Utilise Ansible / Ansible Tower to build automation and orchestration around SIEM, FW and WAF devices
• Human involvement necessary in the process

SOAR (Security Orchestration, Automation and Response)
If you don’t want to build yourself, you could use SOAR tools. It doesn’t completely eliminate the effort required to integrate and implement what you want to achieve. It creates a framework around your tool that in cases could be more limiting than empowering.

Protect Web APIs using WAF
Many organisations have adopted microservices architecture that means developers build internal and external facing APIs faster than before. SecDevOps practice to ensure APIs are published securely is critical and key to success.

In this use case the following will be covered:

• How to utilise RAML and OpenAPI (Swagger)
• How WAF policies are improved and progress through Dev -> QA -> Prod
• How WAF policy is stored as IAC as an artefact beside the code
• Increase developers’ engagement and bridge the gap between developers and security folks

Presentation video can be found HERE