October 12, 2021

How Automation Covers the Australian Cyber Security Centre Essential Eight

Security & Compliance
Infrastructure Automation

It seems that virtually every day, another threat to cybersecurity presents itself. In response to this ongoing concern, the Australian Cyber Security Centre's Essential Eight can help organizations protect themselves against various cyber threats.

Read on for an overview of the Essential Eight and how Puppet IT automation can be used to put each strategy within reach for organizations at scale.

Table of Contents

What Are the Essential Eight in Cyber Security?

The Essential Eight is a framework of eight strategies which organizations can use to mitigate security risks in their systems. The strategies include application control, patching applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, implementing multi-factor authentication, and making regular backups.

How Puppet Supports Compliance with the Australia Cyber Security Centre's Essential Eight

Puppet Enterprise is able to deliver a large portion of the controls and methods required to support compliance with six of the Essential Eight across all three levels of maturity, and also provides strong supporting functionality for the remaining two mitigation strategies.

Puppet for Application Control

Puppet Enterprise can manage elements of this control for both Windows and *NIX, namely around restricting access to Executables and Folders via ACLs, restricting the ability to read and execute files, and controlling what packages are allowed, such as installing known good and removing the rest. Restricting user access will not allow the user to run specified applications that may have been installed.

This can all be accomplished on a granular basis without the need for complex GPO settings. When ensuring application state, Puppet Enterprise can specify the exact version needed to ensure the application remains in the desired state. This could be as simple as making sure the Apache web server is on a recognized and supported version or that any given application is always kept on the latest version.

Patching Applications with Puppet

Puppet Patching and Package Management modules drive the update process. This provides complete control over the entire process and that the process need only be run once to ensure the application patch is rolled out to all required nodes.

Where a patch is deemed to be a fix for a security vulnerability, testing the patch on a set of “canary” nodes is done first, then the rest of the fleet can be patched at scale with assurance that it will be stopped if errors are detected.

Puppet Enterprise knows “facts” about each node and can determine the difference between a regular operating system or application patch from a security patch. This allows security patches to be easily seen and prioritized.

Even when patches are implemented, secondary phases such as service restart are often ignored, leaving the application with the vulnerability. Once an application is patched, Puppet can manage an automated reboot of the service, operating system, or entire application stack if required.

Need the right motivation to patch more often? Read our blog on why why patching is important.

Puppet Configuration Management

Rather than using the complexity of nested, AD-managed and locally managed group policy, a much simpler and repeatable way to define the settings is at a single central location that handles a continual compliant state. This means that the complexity of managing group policy is removed and an auditable control is in place.

Puppet Enterprise lets the administrators take control of the entire Windows fleet and ensures that the controls are “sticky” ongoing. This not only applies to Office Macros; there are a number of end user workstation controls that can be added around the Office Suite to ensure security.

User Application Hardening with Puppet

Puppet Enterprise can consolidate the configuration and hardening of applications into a single delivery platform. This allows administrators to deliver against these controls in an easy-to-use central location that controls all nodes in the way that they need to be controlled.

The majority of government entities and critical infrastructure providers operate heterogeneous IT environments where there are many operating system types and versions that need to be managed. Managing a wide variation in operating systems can be challenging and is often addressed in a manual way or with traditional toolsets, which lack the ability to manage variation.

Puppet Enterprise allows the entire IT fleet to be managed in a single location with sources for each application mitigation description defined and reused as newer hardening elements are realized.

Restricting Administrative Privileges with Puppet

Puppet Enterprise is able to manage accounts and privileges directly on *NIX, MacOS, Windows, Active Directory, and other connected systems that are granted via Puppet Enterprise module systems.

After a node is taken under management by Puppet Enterprise, it is configured with a known set of credentials (user IDs / passwords). The credentials are sourced from Puppet Enterprise group memberships and a known set of individual permissions if necessary. The credentials for each node can be requested from a secrets vault, which creates the initial set of credentials.

From there, if an administrator (human) needs to utilize the credentials they would request them from the secrets vault. Puppet Enterprise can also control which users are able to gain a higher level of privilege on a node via standard mechanisms such as group membership or being defined in the sudoers file.

Every 30 minutes, the Puppet Agent on the node reports on the configuration of the node, including the administrative accounts. If the configuration of the node including changes to the administrative accounts have drifted from the desired/Puppet Enterprise-defined configuration, it is automatically reverted to its known good state and any unauthorized account changes are removed. These changes could include group membership, sudo rights, remote login rights, and more.

Patching Operating Systems with Puppet

Puppet Enterprise provides a centrally managed and controlled patch management method. Puppet Enterprise stores “facts” about each node, including operating system version, packages installed, and application dependencies. Having a centralized view of all configuration data ensures that decisions around patching can be made efficiently and effectively and target the required nodes within required timeframes.

Once a patch has been approved for release, Puppet Enterprise can be used to automatically apply the patch to test servers. When it comes to production systems, ensure that patches are only applied during approved change windows, and that risk mitigations are in place that will automatically cancel the patch rollout if specified failure thresholds are hit.

Puppet Enterprise's automation capability ensures that approved patches can be rolled out to an entire server fleet regardless of size, within minutes. If a reboot is required, it will be completed as part of the patch process.

Running Multi-Factor Authentication with Puppet

Puppet Enterprise helps to ensure the smooth running of third-party MFA solutions.

There are many parts to MFA solutions and the complexity of ensuring that nodes are configured correctly to work with an MFA solution can be challenging to maintain. With a single source of truth for the configuration of the systems that require MFA, coupled with control of deployment configuration to those nodes, Puppet Enterprise simplifies the deployment and ongoing maintenance of MFA solutions.

Making Regular Backups with Puppet

At its core, Puppet Enterprise is an infrastructure automation platform. As part of its automation process, it stores a backup of the configuration settings for each node.

It also holds audit information of who, when, and why a configuration change has been made. This allows nodes under management to be restored quickly in the event of a catastrophic failure, with the data that was stored on the node requiring restoration from a backup system.

Going Beyond the Australia Cyber Security Centre's Essential Eight

IT security strategies and compliance frameworks like the ACSC Essential Eight can help gauge your preparedness level for cyberattacks, but they can't tell the whole story of your infrastructure security.

The right level of compliance automation for any organization will depend on the rules and regulations to which you're subjected, as well as the specific needs of your organization, like your workflows and capacity. That's what makes infrastructure automation crucial to effective, efficient compliance at scale.

AUTOMATE COMPLIANCE WITH PUPPET

Learn More