With the growing complexity of critical distributed systems, protection needs to be designed but also managed during its operation. Given the complexity of such interconnected systems, protection needs to be orchestrated and automated. Security Orchestration, Automation and Response (SOAR) is a popular approach to maintain the level of protection during operation.
Vacsine is an open-source SOAR tool that provides adaptive security for distributed systems. It relies on continuous monitoring of Cloud and Edge systems to define, evaluate and apply automated countermeasures such as firewalls, intrusion detection systems, honeypots or quarantining. The automated response is triggered by changes to security requirements, indicators of compromise, incidents and vulnerabilities. The efficiency and speed of countermeasures deployment is evaluated in automatically provisioned sandbox environments that shadow the target Cloud/Edge systems. Those sandboxes provide observability and scalability for the training and maintenance of security response strategies.
- Enforce security policies on cloud/edge infrastructures based on certification criteria
- Continuous security self-assessment based on DevSecOps practices
- Input: security policy, target system description
- Output: verified remediation execution
- create a test sandbox containing a clone of the target system
- analyse the security policy and deduce a remediation workflow
- apply remediation to the test sandbox
- check security requirements against test sandbox
- apply remediation to the target system
- check security requirements against target system
- Input: remediation workflow, target system description
- Output: remediation logs
- apply remediation workflow to the system
- check remediation workflow execution status: execution logs for each remediation step should contain details on the execution for tracability (start time, duration, informative, error messages, ...)
Vacsine is composed of several modules that are deployed in Cloud and Edges infrastructures:
- management of the security remediation on the target system
- consolidated view of the remediations history and states across the various edges and clouds
- registry of the security policies of the system
- contains templates and workflows of security remediations
- remediation execution logs,
- results of vulnerability scans,
- threat indicators, etc.
- deployed on each edge and cloud
- provides security remediations based on the detection of various events and the matching of those events to remediation workflows, those are triggered by:
- changes to security requirements,
- threat indicators,
- incidents,
- vulnerabilities
- can operate in autonomous mode to provide quicker response time to events happening in the edge they are deployed on, and continued operation in case the edge-cloud connexion is degraded. The edge datastore contains a local version of the security policies, remediations catalog and security monitoring information.
- Vulnerability remediation in the form of security services:
- firewalls,
- penetration tests,
- intrusion detection systems,
- honeypots, etc.
- test remediation workflows in a dedicated environment before applying them
- training of new remediation strategies
The orchestration of the security services is provided by VaCSIne, it is written as Python microservices. The Security Agent orchestrates the deployment and configuration of the security services (firewalls, vulnerability scanners, honeypots, etc.) using Ansible playbooks and Helm charts.
Security services orchestration and execution produce traces that can be monitored. VaCSIne produces logs of the orchestration, for instance when a new service is deployed or reconfigured. Security services will also output traces, for example a vulnerability scan with OpenSCAP will produce execution logs and a vulnerability scan report. Grafana Loki provides management and visualisation of the logs and security events in the system.
The software is implemented and deployable as follows:
- A Private Cloud infrastructure managed by the Proxmox Virtual Environment open-source server management platform. Kubernetes provides container orchestration, clusters are managed using the Rancher solution. The cloud is connected to the Edge nodes devices using the KubeEdge system, which provides container orchestration at the Edge,
- Edge devices can be composed for example of of SBC's (Single Board Computers), they provide advanced compute capabilities (GPU) for edge security services.
This infrastructure offers scalable on-demand compute resources to support load variations and disruptions. The continuous integration, deployment and assessment processes are supported by the GitLab and Foreman platforms.