Cooking Us Security for the Modern macOS Fleet

Video in TIB AV-Portal: Cooking Us Security for the Modern macOS Fleet

Formal Metadata

CC Attribution - ShareAlike 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal and non-commercial purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this license.

Content Metadata

The risks faced by corporate IT teams have been rapidly changing in recent years, causing us to forego many of our previous assumptions about security, perimeters, and endpoint management in particular. To lay a foundation, we will discuss our assessment of the organization's corporate IT attack surface, as well as our corporate IT threat model and technology stack. We will delve into the processes and technologies we rely on to mitigate these known and unknown risks, with a focus on how we are utilizing Chef for securing our macOS-based fleet.
So thank you everyone for coming. We are going to talk today about its the overlap between security and bold if they have you know as an organization is utilizing Chef as part of its security tech stack, and why that makes sense. So we'll talk about some of our philosophies around all that. Just for reference, my name is Robert would, this is made up, we both work at an internet company called neuter. We're a healthcare analytics company based out of those sentences Korea. In terms of where we're going today, our time is split into 2 main sections. The 1st section covers these couple of areas, and basically we're gonna talk about some of the bigger, broader problems around why Chef is relevant in our particular case. Just for context, we're using it on laptops and endpoints, not servers in US server or some other cloud-based infrastructure. And so surviving picture around why this is important, why that matters, and then we're going to kind of dovetail into exactly how we're using Chef and some of our workflows in our particular tool in text and such.

And so the 1st thing that we need to do is clarify, or start to explore, the warts and what the newer types of businesses look like: the enterprises without borders. In the old days we used to be able to just build up big walls and make everything very, very restrictive in our environment. We could firewall the hell out of everything, and it was really easy to just tell employees: you come to work, you do your work, you leave your work there, and we're gonna keep threats out, we're gonna keep data in. That was kind of how things worked. And now the script is kind of flipped, and we've got lots of power and control more in the hands of employees and consumers, in the sense that, you know, any employee can likely walk into your place of business, or a place of business, and just stand up some, you know, had put the credit
card in some form of water some new cloud services, and away they are, using some new unsanctioned service in the context of their day-to-day work. And they're probably also bringing some kind of personal device, whether it's their mobile phone, whether it's a laptop, this, you know, this concept of BYOD, bring their own devices to work, and they're doing things, whether it's just, you know, Slack or whether it's bigger.

And so we went from something like this in the old days, where we had our most valued assets tucked away behind many, many layers of walls of security. And in this new age, if we try to embrace and control things like we did here, against threats that are more like this, that can easily hop over those borders, that can transcend those walls, or where those walls don't really exist and they're more just a figment of our imagination, then we're gonna be in a really hard situation, a really hot spot, as security practitioners trying to safeguard our assets as they're moving all over the place. And so in order to, you know, effectively protect things, we need to adapt and we need to evolve the way that we think about security in this world. And so given that I've given a lot of organizations are go so I can actually see with the world and talk about now.

And so we have to move away from our previous assumptions. We have to get away from this concept where everything can be controlled and monitored and we can respond to things in a really strict fashion. But to do that we have to figure out where and what we can control, and why. And, you know, in the spirit of, like, why the Chef community is important, why a lot of these open-source communities are important, we as security teams have to orient ourselves very much around the needs and the benefits of working styles of the people we're trying to safeguard, because if we don't do that they're just going to end up being our biggest enemy and August circumvent
everything that we're trying to do anyways. And so what we're doing has to be transparent, has to work with, you know, their working style, with their process, etc.

So in that, like, bringing in the users and the rate of the community in trying to figure out what needs to happen and what was still need his security steps, we need to look at what those things are that needed control thing right column here. So what is the thing, what is the risk around that thing, and how much do we actually need to control it actually control to have control at where's the and the compliance issues, and that's why we're controlling anything. Any media that controls through different policies change is accepted, and we use a lot of Chef for some of us are controlled by. But without having any, like, you know, as I have said, we don't have control over everything, and when you don't have that kind of control, in a way we have to rethink what we're focusing on, where the rest what is the most important thing. So again, we need to balance that control with forcing the traditional boundaries. And I know that even in recent years I worked at companies where they are on this, like, you know, hard everything is to be controlled, and it actually cause things to be the last year and the because we do have is the way the devices people are going around the security controls if they feel like they don't make any sense. I mean, who in this room has done that kind of thing, where you're like, why is this here, why do we have to do this? Exactly is the number of people in and so do you need to work with the about uh and so on.

So really what this kind of environment ends up, at least for us, we're creating this culture of employee-driven choice and freedom in devices and services being used and things like that. So we had the problem: we were beginning to build our security program, and I was 1 of the early
hires that we had. We had started to ask ourselves, like, what are we going to do, what kind of program do we want to make? And we don't think that we're alone, at least not in the San Francisco area, we know we're not alone, but even bigger, broader than that, we don't think we're alone in asking ourselves this question of: when we're not in control of every little thing and where everything is at all times, what are we really going to do?

And so this was 1 option for us. If anyone doesn't remember the atrocious movie that was Spiderman 3 to 1, you know, we could have taken this approach and maybe salvaged things, but as that would be turned out, it would have been probably a train wreck. But now instead we know that taking a look at what we ended up adapting. And so we 1st started by recognizing that we couldn't exert our control over every little thing, such as where employees are at all times, where laptops are at all times, what services are being used, etc., etc. And if anyone has ever taken a stroll through RSA, the vendor floor, any of those other security conferences, you've probably seen a whole lot of love coming into this detection and response mode. So there's a million vendors popping up in the threat intelligence space, a million vendors popping up saying, you know what, control is dead, you're already, it's all over, go with us, and even though it's all over, spend money with us and we're going to make it all better for you, we're going to give you more insight, we're gonna give you more abilities to respond to a breach. But the big problem there is that with this very dynamic and evolving environment that many organizations are these
days, it's very, very hard to actually figure out that, like, if we don't have control, or we don't even attempt to get our arms around things, where you start to layer and put your detection and response controls. You can't Ashokan and everywhere, but unless you're your Facebook enough which a Google and you have next to an unlimited security budget, it can be very, very inefficient, and even those very big programs take a control-focused approach. And so what we will focus on here is that by starting with control and then moving your way out you can actually, very similar to, if you think about the way that the president moves about, I think he's over in Rome right now, meeting with the pope in the Vatican. The president is a very high-value asset and he has to be controlled, and he's moving all over the place, and the Secret Service has to find ways to control the environment in which he's in, and then they work their way out. They will control what's most close to him, who's closest to him, and who's able to come into a venue and see and shake hands with him, etc., etc.
And the detection responsibilities work their way out; they use control to make detection and response more efficient and more effective.

And so to start this, we actually have to take a step back and understand, once we kind of embrace those concepts, that we can't get our arms around everything, we don't have unlimited money, especially as a newer company, and I'm sure many other companies operating in the real world, and, you know, that is a real constraint. And so we have to do things intelligently, and in order to figure out how to be intelligent we have to 1st figure out what our threat model looks like and what our attack surface is. So I know there's many moving parts of the attack surface; they all fit together in some form or fashion, and we'll walk through the next bit. And as I mentioned with the president analogy, you could think about these things as concentric rings around what is most important, and then they of course move their way out.

So this very simple diagram is an outline of nude the taxes. We fall into this category of what some call cloud native, so the only hardware we own are laptops, really, and some routers and stuff at the office, and our office is basically like a glorified Starbucks: we have free coffee, we have snacks, and then we have laptops that connect to the Internet doing work. And so this boundary over here, these are the physical things that we actually have some element of control over. So we do fully manage our office network, you see that's tucked away in there. We research physical office space, so we have some control there, but not a lot. Our endpoints, we do own them, we do give them to employees, we do provision them, as we'll talk about later on in this talk, with Chef and a myriad of other security agents, but they do leave the office: employees take them home, they take them to coffee shops, they take them on vacation, etc.
I've taken mine to the conference here. They leave control, they leave our office boundary here of the things that we really have our arms around. And then users, of course, you know, we all know the myriad of stories where users are gonna do what users do. We can never control how people are going to react to a policy or how people are going to, you know, they're not scripts, unfortunately, so they're going to do what they're going to do. And then our product infrastructure is all a series of use assets or by 8 of US removal cloud platform; we build all of our product infrastructure in managed cloud environments. And so while we have some form of control, it's not, you know, the shared responsibility model differs between those different cloud deployment models, and all we can really do is configure things and layer things and put things together, you know, using the building blocks that they provide us. We can't really dig in and, you know, say here's how we want your physical data center to be; we have to trust that they're doing a certain amount of things right with the trust order and governance functions and things like that.

And so if we think about our attack surface now, we've got a few areas, but we've broken things down into things that don't really matter to us, things that do matter to us but are, like, a layer of separation removed, and then things that really, really matter to us. And for us, working in the healthcare space, that is things that are controlling PHI, controlling health data, of course. And so those really, really hot-button topics are the users and the product infrastructure, those blurbs colored in red. And the things that are 1 step removed, that interface with those really hot, high-risk areas, are the endpoints and these assets, as you can see. And then the things that are more in way, it doesn't really matter if something happens there, the ultimate risk to the business is very
very small if you quantify dollar values, and so we're not gonna put a lot of detection and control and response mechanisms there, because this is not a very good return on investment. And so the rest of our talk is really a focus on how we married users and endpoints and really started to build the concentric rings of controls and which security controls in this distributed world that we're operating in. And so, you know, we wanted to provide this diagram here as a mechanism for anybody else who is struggling with this kind of program roll of where to divvy up their efforts, because many vendors will walk in and tell you that they've got the silver bullet for all your problems, but if you're in a position where you're fielding requests or read from them, you know, if you really sit down and think about where a particular vendor solution fits in this bigger picture, oftentimes they will solve a very specific problem, maybe on an endpoint or in a physical environment assessed that something like that. And if you just look at the big picture of attack surface, if they're promising you a silver bullet in something that doesn't really matter, you have to really ask yourself: is that thing worth spending all that money?

So now we jump over to the endpoints by end user side of things, so we focus on those 2 little blurbs that were in the out of. 1st I'm going to cover how we bring in those ideas from the but no security and risk assessment side things into the side. And so the main thing that we need to do, and that we have done, is, again, we can't discount what the user is by means ends and it desires are, and that expected this freedom and it's increasingly becoming. So, you know, we can bring BYOD devices to work, we can do all of these things, we can carry a laptop surrounded has not changed that's of, and we need to tie all the choices that we're making in this section back to those concepts and back to security and
compliance, because those are very important to forget about the um but we also can be causal about.

So the 1st thing that we wanna cover in this particular section is a little bit more about our particular tech stack. Regarding the distributed endpoints that are running all over the place and are largely composed of macOS the really thing when I walk out certain. Given that we are using Chef, it's probably self-evident that we do try to really embrace the idea of applying configuration to those endpoints, of course, and 1 of the big things that led us to Chef was that we can codify the configuration. We also need to make sure that we, as was specified in the threat model, where you
can see the from all we don't have the far endpoints not necessarily married to the office network, so an endpoint can operate in a space and time, the of tapping, I'll try to talk loudly, but an endpoint can operate in a space and time that is separate or decoupled from the office network. And so we needed to take the traditional security controls and turn them into agents that go with the user wherever they are going to go. And then, as you also saw in the attack surface, we try to keep our product infrastructure very much separate from the users and the endpoints, so that way there's a few layers of separation: a VPN, certificate checks, two-factor authentication and things like that, so you have to work your way through regardless of where you are. We don't necessarily grant any particular element of trust or upper around, you know, roles based on where that person is, whether they're at the office or working from a coffee shop.

And the things that are really driving us in this way, just several of the more context: of course we do have regulatory requirements here, and since we are dealing with healthcare data we gotta worry about things like it but I trust. Our customers, we work with a lot of enterprises, so they're demanding things like nested 153, they arrest, ISO 27 thousand, so we have a lot of regulatory governance requirements. So we have to operate under a lot of those things. If you've ever read through those very arduous, painful documents, a lot of them will specify that endpoints have certain security controls in place, and so we had to basically boil those security controls into something that just went with the user. I think we've covered all this other stuff. And so this is just a little snapshot into some of the tool that when you use the ideal see Chef bolded there, because we're using Chef to instrument and configure and deploy and manage all of these things once it hits the endpoint and it's running and operating. So
I know that, moving on for that, how and what is our Chef workflow for us? I know that many people who use Chef are using it for server management and in the virtual machines, and want to find the same techniques as everyone else's which is doing it on endpoints, with security in mind and with the knowledge that our endpoints are not going to all be this way. We want to provide a nice, good baseline for them, but people need to be elements things on their machines, they need to customize the machine, especially engineers, and it ends up they're all different, they're all special value means and we need to make it so that that's you. And just a slight caveat there for like that no other point add on those other snowflake-style changes then that getting married: we want them to be governed by forced by the baseline changes that we end up applying. So for instance, if somebody's installing some random app, or they're doing some random browsing, we want that browsing or that application installation to be controlled through and checked by, like, antivirus programs or DNS filtering, things like that. So we don't want them to be able to do anything but do things within the constraints that we're giving them through this configuration agent-based not based on the exact same thing.

So our workflow the phrase symbol on nodes: our node's life cycle is that of the 2nd before we give it to the user. It checks just servers 4 times an hour, so every 15 minutes it's double checking to make sure having sent anything out and has anything changed, you know, how they changed configuration at what's changed back. So when we recommend laptop from the user we move from Chef and we like been really really really. And throughout this whole process we keep in mind our security requirements, because again for both of the care I and were working with and management as well, we want to make sure that we can trace nodes back to a
specific user, to an asset tag in our inventory system, and we want alerts for nodes that are checking in have the set up of, and we also want to have a lot of and checks that compare a user is in Chef nodes. And all this is built around his compliance ideas of the we wanna make sure that everything is culture in our environment.

So moving on: how do we actually have that security? We talked about some of the higher-level concepts, but what are we actually doing, what cookbooks are we running? So what we're using Chef for: deploying security agents to the endpoints. We're using it for applying hardening configurations. You can find lists of hardening configurations on the internet incidents and taking those and having to manually given that we have about the book that we created, which I'll talk about in a little bit, that automatically applies a number of these basic hardening configurations. We also use it to deploy foreigner to these nodes that can grab logs, and a lot of the security agents that we use require larger than any of the use of IT provisioning: let's install Viscosity, let's install this or that and the other thing, all the security agents as well. And so not only the initial node bootstrapping and setup, but once something is deployed out to the fleet, IT will oftentimes need to, like, help troubleshoot something, to push a new version of an application, the standard IT functions. Chef enables us to not only be very audit friendly with our codified configuration and security agent distribution, but also gives them the capabilities that they need to manage and report on and have visibility into endpoints when they're running around the world. And those quick, you know, every-couple-of-minutes check-ins help them make sure that users don't some big lag time between when they have additional lending support. Exactly, exactly. And then we
have this inadequate book everyone can get within a very short amount of time or changed to something.

So we're going to go next into why Chef, some of the issues that come up with doing this. This is kind of a nonconventional thing, at least it feels like, within the community, and we're trying to make it more conventional but currently there's. And then we're going to go into the cookbooks a field the of books and I heard that were part of.

So why Chef? 1 of the biggest reasons is multi-OS support. We're mainly a Mac shop right now, but if we need to move on to Windows, or to Linux, if we need to move on to anything else, and allow that flexibility, we need to have something that can do that. A lot of these Mac management and configuration management tools are Mac only, and so we need something different. It is also extremely extensible. Changes are audit friendly, this is the big 1: we can point to code and say, OK, I mean, we're subject to these compliance regulations like had by and everything else; we can point to code: this is where we're saying that, this is where we're doing that. And that's extremely important since you brought a family and. And 1 other thing is that the Chef agent-to-server security, we're very happy that I had an. But 1 of the other big things is that this is
a stellar community. Everyone is here to support everyone else, and if someone is using, you know, Chef in this new way, people get excited about it and people get involved, and that's in all something about.

And 1 more really quick thing to note about the audit-friendly aspect of it: because we have everything codified in terms of what agents are deployed, what configurations are applied, things like that, when we're going through some of our customers' better governance processes, or we're going through audits, so we just went through a couple of stages formative assessment and they sought to the sought to take 2 honored with that the cardinality firm, all we can do is basically take the cookbook and send it along to whoever's auditing us and say, here, this will answer your questions, instead of say answer the questions scheduled times were granted access to, like, a Casper web portal or something like that. Because, like, I like you guys, but we were not really comfortable with having some externally validated party have access to something that could control our entire fleet, or, you know, potentially break something; there's all sorts of things that could go wrong in that situation. So we can give them access to the cookbook or point them to the URL, since our no us 1 is open source, and say, like, have fun, go look at it.

So sometimes considerations and the things that we've had difficulties with: it seems like there is quite a bit less support in the media is currently she reminded books are often geared toward Windows or different Linux distros, and there's little use my shoes and that working fear and that return and get x and it in some way some these because these are the issues that we need a framework of ourselves we can just pull out a Supermarket and a lot of my back, and then we're trying to contribute some of those back slowly. And then we also need to reinvent her the books that was
that are already there. Again, if it's there and we fix it, we will push it back out, but we're still having to reinvent of. But again, the whole thing better: like, my 1st Chef event was shot summit in things about me extremely mukluk's so much better even from the time, and that wasn't that long ago.

So how do we write our cookbooks? Our cookbooks are written for enforcement. We are not saying, oh, here's a laptop and it has the security configurations, change everyone's you want; again, it changes them back. And so we need to be able to enforce these things in order to said to go with that who did what yes a complaint. So our main goal with our cookbooks is to create a nice base where you can build off of that. The base is a secure base, and it has all of our security agents and everything else, and those things will always be there. They are also written to be dynamic, they're written to account for these different needs of users. Again, we just did a base you can no longer it's OK, it's OK for users will do things on their mission of. And we also write for the future: I want to make them so that we can reuse them in the future that is using the updated using pain.

So 1 of these, which is, I mean this 1st open source by project actually notice news 1st open-source book, we released a couple months ago of trying to get it rolling. It is now available on the market as of today and yeah I know hide that out. That is some these baseline security configuration. You know, it doesn't have everything with a lot of people to get involved. If you think that it here here concerned about, you know, X, Y, Z, think you don't see they're less no work contributed back itself. Like, we have a lot of changes, we have a lot of things we want to do with this, but it's a good baseline, it's a good place to start. And so basically what it does is we take some of those ideas that are out in the security community about what it means to have a secure lot wouldn't have a secure macOS
system and we've taken and we put them into the cookbook we've made it pretty simple we have them all i in there like we have separate libraries to help you distribute some of these things you can actually find them and and then we put it onto our laptops in order to have the security and have this life and 1 1 really useful thing for us has been like an improvement we are we will end up making is that and I think that that does that creditors to make that we know who she has a part here and ideas and so that I have but 1 thing we read that that we 1 end up doing is sound is making some improvements for i for load a lot of separation so we have certain requirements that were subject to per they arrests and and some customer contracts that if we have somebody traveling internationally taking alone a laptop with them not to do any kind of work of the going there for extended periods of time we need to be able to we need to apply an additional set of controls are a little bit more restrictive sandbox like to them like but we also want stuff out and make sure that all very similar to what you would find like the see IQ or any kind of global compliance controls nature to west say all the changes that are made from here the particular controls that are being matched reference and by guidelines things like that so in order to just go through that they don't necessarily have to understand share our your customers whoever but instead they could just read through the comments and see that you know these these 10 controls of actually looking for per these regulatory standards are met and what I can move on to is going on in 1 of the other things I want to point out why is i that this is you just so if you know that now suggest is a group within the shaft clearly by the confines of some of the communities lack and there's a lot of these cookbooks that maybe are out there for America last that haven't been maintained a long time and and it suggest takes over a lot these not 
maintained cookbooks not just OS that takes over a lot of these finds maintainers and gets a lot seats that we can continue using them in the community benefits and 1 of these example works as the Mac OS X cookbook which a lot of people in the medieval rely upon for editing plist files from which is how you do mostly configuration and that her life and so taken that over time you get some work on on on that and there's a bunch of other cookbooks out there that we also want to get work done on so if anyone wants to give back to the community will come in and help in in you maybe 1 day if you're not managing your maps with chapter can be so let's make this the community better in hell everyone here at which you to work for a wage increases over time user just use it on your home like a bunch of this stuff on your own laptop checking their eyes right now so leave your laptop is here and so that is that is the end of our of our current and the new we 1 person thank you enter you know folks when something anything any questions we will be a around the few yeah but get the microphones that are converted to out and the and weather like this the How did so
ironically enough I'm actually thinking of this kind application for managing my Weiss laptop and my own but and as a lawyer of course she's very concerned about security and up so I'm curious to know uh if she can more details on what kinds of the endpoint protection the software using a you know it would take the intifada suffer using the using a lessons Little Snitch for network monitoring or block walk for file access monitoring itself sure so so right now that the agents that word deploying are a little bit more like enterprise-centric you might end up without reference them somewhere they're buffer anti-virus we're using Cylance currently on file integrity monitoring and monitoring we're using osquery which you could of course also uses it is an open-source project of network monitoring were not currently doing any act like host-based network monitoring but instead relying on like DNS filtering and other more browser centric which we have a deal the solution places a lot of our controls are with 1 or more next network-centric controls are the deployed and managed over the product infrastructure space but like I I see people deployed Bro for instance as a click on a on a particular host and use that for network monitoring and there's there's a few other things you could you could do just for managing a single act of 1 of and by magic you could pretty easily extend or use this just install something like ClamAV in know whatever other of the solution of the as far as hot and hardening configurations for doing things like by turning on file-sharing turn-around prediction all these basic things that the vectors for for a lot of these risks that most people don't use those those things were turning off taking is that your screen marks for making it so that you know go to salute description digital string of features Wi-Fi yes and that you only turning up who attended people do not have a bluetooth paired if you have a Bluetooth device paired it does not turn up 
the pollution but if you don't in not using 1 it just turned off it doesn't like detail as you just remove the ability for you to do just that unlikely that opening cannot reasonably it so make use of curiosity why Cylance as opposed to something like say BitDefender which is a bit more cost under Christopher so the decision was made a while ago were actually in the process of re-evaluating with no stick with Cylance and so if anyone else wants a shot of knowledge that we have some there are a few others give high ratings as well in Italy dissenters user you want the best ones this is multiplatform yeah yeah we want their dad so that that is on the shortlist that we looked at someone 1 is on a short list that I can't black stack is on a short list yeah like the Mac Mac security stuff in general is just very much lacking and Cylance is very different from everything else so only very day that anything else yet and of course like any time that goes through makes a major update to their are less like the change in the eyes of debt-servicing breaks OK Cylance sending months out they pretend that well after 10 of ways yeah I don't think Mac PGP has still been updated yet missing error that have yet to cope with the beginning this right right in the original in the and the ASEAN with the issues with with Kauchak and are that we notice so 2 of the things that I've noticed and I could be wrong mediates fixed sound but as a couple months ago and file and directory resources if you're trying at late user local it looks down at user and says that protected minimalism and so it won't let you use those resources in those directories in Canada that are contained in directing and so the this is the same as part of the course of the peripheral view for between yes it was more like and it was like at the research and stand it was more like a little weird faceted bugs that we've the had like spend way too much time thinking up to get through them all as a had we test our
changes and we are using by that Test Kitchen we have a 10.12 blocks that we've created using Bento and 10 seconds of scripts so basically you have to use 10 2nd stuff for the 1st part don't use that from for Packer that the 2nd part you just take what you've cracked input intervento and then back into them right contributed that 10.12 December backed up and so that's there it works I'm and I was telling us that this suggests bond were hoping to get up some instructions for people actually says this is when which this is what you do and these are things you might need about inter-class the but you have that compliance profiles we use word you just use or me we just did her name but by are actually yesterday we started getting really interested in in fact on some of our concerns in the past had been Mac OS supports and and so I think we were were hoping that maybe that sort of works the by now but we don't know that I should we work you know the the energy of the CIS has been church the because of the potential 12 and I'm happy he has recently we we did all the z ies CIS is 1 of the 1 of the things that we call that we call those of that the NSA had had an older stage so I think that was released but you know it's some other stuff goes away some of it is still relevant ZnO and then we pulled from much of like customer requirements and stuff they get very specific about the types of tool weighing or or other like specific screen walk out of to for forecaster complexity requirements and like that so in other words all contextual to the next day year and to the and the problem was part of the search the what and the the pressure on and so you're asking if we are planning on and releasing anymore cookbooks into open source that we have other than the 1 and then what else within the shaft little parties and so the 1st question I we have a few things that we're hoping to contribute the nothing actively there we want to see what the community and put time into those things but so that's around on that and then the 2nd question 
and we are in the recent past the chance and we use hosted we don't use Automate we don't use and in fact that we don't use a lot the tools work just baseline and you have posted yet and 1 of the things that are the lowest stuff like let us away from from Chef Automate originally as we wanna keep as as you possible deployment models in place even though and points somewhat of a unique beast and within our particular environment sure within than yours so we didn't like a lot of our deployment for an hour driven through like code so singular CI happens in Jenkins to point out that for that so we want to see if we can basically relies on the same kind of pipeline and tool set but not introduce something else that is completely separate that requires more of like a completely different mental model completely different set of skills to maintain a you basically they increase our bus factor around so who knows how to deal with that thing over there and what we want we want more people view relativity Brigida outages about movements things then that's also lines Ted tension hosted is the that affects the and here we might able to get
it working in like of the rest of our planet models so it was like this is not word like having a completely different the plan this 1 thing the and so as we had a which is a social hosted in were quite happy that yeah the were the the and so the question was how we manage our that you know the people who are operating inward low-capacity working remotely so I'm in terms of accessing product infrastructure
but even if they're working in the office they still have to go through VPN certificate Jackson all that to get into anything sensors but most of the stuff that runs our corporate operations are the the the Internet-facing web-accessible anyways there just behind a sample of the possible coral so we got there for that domain login and based on a role you're given access to a set of resources but with regards to the actual provisioning such and so we don't we don't provision people remotely we provision and of locally at our office that they get their laptops so for instance a lot of its host and were but they're getting their initial set up like they come to us for their like 1st weaker onboarding things like that and then administration past that is just have it happens through a cookbook updates them when they're lot objects in the you know you would wouldn't do that stipulates that they applied locally and after races that's how we that's how we handle it but I'm sure mother in the the future so I where I think gradually over time it I know I already happened where it over here and so that is people when don't don't feel bad about getting up but you can only ask questions in research and I don't want you to know that I wanted to say to him that for all of you who weren't the and she is solely responsible for making everything regarding knows that Austin at summit and I'm so glad I stuck with that we have a the ton of fun at the summit and it's great to see the movement is going so they you personally for everything you do and few