The Power of Open Source Security Automation with Dave Egts, Chief Technologist, Red Hat U.S. Public Sector - Ep. 57
Dave Egts, Chief Technologist for Red Hat, discusses the power of open source security automation. Dive into the benefits of removing human error and slowness to respond to the advent of short-lived ephemeral cloud workloads that spin up very quickly and the attackers that are eager to take them over.
Episode Table of Contents
- [2:35] Innovation Does You No Good If You Can't Secure It
- [3:53] Automate: Get the Human Out of the Loop
- [6:41] We Need to Think As One
- [9:51] How Do We Drive Automation?
- [11:09] Looking Into the Future
- About Dave Egts
Welcoming Our Guest, David Egts
Arika: We have a great guest. We have David Egts from Red Hat. He's the Chief Technologist of their public sector organization. Hi David, how are you doing?
Dave: Hey, glad to be here.
Arika: Excellent, excellent. Well, we're excited to have you here. David, let's start here. I was given a quote that I think just, it's very simple, to the point. I believe you said, and I would love just to have you expand on it. You said,
Innovation does no good if you can't secure it.
That makes a lot of sense, but tell us more about what you mean by that.
Dave: Yeah, at Red Hat, everything we do is inside the open-source world. However, inside the open-source world, there's so much innovation happening, where you have these communities that are out there doing all kinds of innovation, but they end up scratching their own itch in terms of what they're passionate about from a technology or a feature function standpoint.
The challenge becomes, okay, how do you take these open-source projects and turn them into commercially supportive products, that can be consumed in the enterprise, consumed by the government, meets standards, and things like that? And that's what we do. We work with those communities. Aside from this, we also talk a lot with our customers to make sure that whatever the technologies are that we're involved with, that they're actually consumable by our government customers.
Innovation Does You No Good If You Can't Secure It
Eric: David, the "Innovation does you no good if you can't secure it", you could sum up the security industry, the cybersecurity industry in that manner, but I think I've also heard you talking about innovation outpacing the ability to secure it. I'm certainly seeing that.
Dave: Oh yeah, absolutely. If you start thinking about DevOps, and DevSecOps, and SecDev, SecOpsSec, and all that stuff that's out there, the innovation is happening, the technology is moving faster than the processes that are out there. As people move from Waterfall to Agile, and move into DevOps, you need to change your processes to keep up with that tempo, because if you're applying these newfangled technologies to your old processes, you're going to get behind.
The other reality is that our adversaries aren't. You think about the old processes in the government of doing once a year checkups to make sure you're secure. Well, our adversaries attack us more than once a year, and so being able to continuously monitor our systems and to make sure that they haven't drifted from our configuration baselines is so critical.
Eric: What's your recommendation then?
Automate: Get the Human Out of the Loop
Dave: First and foremost, you got to get the human out of the loop, especially as you think about cloud computing, where you're moving more and more towards ephemeral workloads that spin up and down, putting a human in the loop will cause you to...
Humans are fallible. They also take time, they also get sick, they want to go on vacation.
And so the more you could automate, you could free up a lot of that drudgery into something that's mathematically verifiable, that you haven't drifted from your position, and then that frees up your staff to work on more mission-related things.
Arika: David, do you believe, because we've heard I would say two points of thought on this, do you believe that we will get to a place where you can completely pull the human out of the loop, or do you think there will always have to be some level of human interaction or capability, or do you envision everything could be fully automated?
Dave: Yeah. Well, yeah, we'll have the robots fixing the robots.
Dave: But I think what's going to happen is the human is going to be more focused on the process end of it, and focused on the automation. In the government speak, we talk about the authority to operate, to get a workload into production.
Automate the Process and Make It Repeatable
I look at it as the ATO today is blessing the artifact of what's being deployed, and what really needs to happen is the authority to operate, and that government scrutiny and the auditing, needs to be applied to the processes. So you approve the processes as opposed to the artifacts that get generated, because if it's automated and it's repeatable, the artifact should be identical every single time.
Eric: Amen. How do we do it?
Eric: That's really the question, right? How do we do it? If you think about being a mid-level IT manager in the DOD or a government civilian agency, what would you do?
Eric: How do you?
Dave: That's what's funny is years ago, so it'll be 13 years in February that I've been at Red Hat. Even early I would have government customers come up to me and saying, "Hey, do you have lock down scripts for Red Hat Enterprise Linux?" I'm like, yeah, well we don't really for like the DISA STIG or something, and they'd be like, "Yeah, we have some scripts, but they're not that good". And I said, well, give them to me. We'll open source them.
Let's put it out there to the community and show how we could use that as a point of departure. To get people to make it stronger and stronger. What would happen is the gummies would be like, "Oh, I don't know if I'm allowed to do open source". Or a government system integrator would be like, "No, that's my company's intellectual property. I'll get fired."
We Need to Think As One
Dave: What happened was, we created ... we work with folks in the government, the NSA, DISA, and NIST and a whole bunch of other groups to come up with an open source baseline. And then that spurred off as Compliance as Code.
Well, the SCAP security guide, which eventually got turned into Compliance as Code because it's bigger than SCAP, but we went from the old way of your DISA STIG or your security baseline being in a three ring binder to embracing, to make it machine readable as well as human readable using SCAP technology, the Security Content Automation Protocol. And that's a NIST standard that if you publish that, all the NIST certified scanners could use, speak that language, and that really made things take off.
Dave: And it was to the point where if you go back in time and look at Red Hat Enterprise Linux 7, the largest contributor to the SCAP security guide, now Compliance as Code, the largest contributor was not Red Hat, it was not the government, it was Northrop Grumman. To me it's phenomenal as far as like, let the best ideas win and let's put stuff out there and beat it up. It's like, oh, my password complexity is better than yours and it's top secret and everything. That doesn't play anymore.
We've got to get the best ideas out there because our adversaries are attacking us and we need to think as one.
The Importance of Remediation Content
Eric: Have we made progress with SCAP? Version one came out, I think and I want to say it was 2010-ish plus or minus a year or two. I did a lot of work up at the fort around SCAP and vulnerability assessment. I used to sell a scanner. It was a good bit of the way towards automation, but it certainly wasn't the Holy Grail. Do you think we've made a lot of progress there?
Dave: Oh yeah. Yeah. At first when we got started with SCAP it was more on doing the checks as opposed to the remediation. We would do SCAP to get all the checks and then we would get a report back saying, okay human, go ahead and fix all these things, edit these files or anything, rerun the script, rerun the SCAP scan and then until you get all green lights and a clean bill of health to go into production. Over time, being able to have, not just the checking content but the remediation content, was really important.
Dave: At first we started doing it with Bash scripts because every Linux system has Bash on it. We've actually extended that to also include Ansible, which the cool thing about Ansible is that you could manage anything as long as you could SSH into it or WinRM into it. You could lock down network switches and your filers, your storage devices, your Windows systems, anything that's out there. If you could log into it, you could manage it and lock it down.
Eric: If Arika and I took over government agency X tomorrow, the security component there, and let's say we've got a FISMA grade of, I don't know a D, whatever it would be, right?
How Do We Drive Automation?
Eric: What's your guidance? How do we drive automation? Where do we start? What do we do?
Dave: Well, first I would look at ... a lot of times people will be like, "Oh man, I don't have enough security tools that are out there". And the first thing I would do is-
Eric: Go buy some more. Right, Arika?
Dave: Yeah, right. Let's add-
Arika: Yeah, no. That's what I said.
Dave: Let's add some more belts and suspenders and I'm all for defense in depth. But the first thing I would do is let's take a look at what we have and are we using everything that we have, where it's like the security tooling that is built into the operating systems like Windows, they have SCAP scanners and management tools for that.
You can do that with Red Hat. And it's a very well kept secret, sadly, that a lot of our government customers don't even know that talking about like Linux, where if you go into our installer with Red Hat Enterprise Linux, there's actually a button in the installer that says compliance baseline. You click that and then you could pick DISA STIG, US government configuration baseline, PCI, HIPAA, CJIS baseline. Before it even boots up for the very first time, it's already locked down according to the security policy that you want.
Looking Into the Future
Arika: David, when we look towards the future, just kind of piggybacking on the question Eric just asked, do you see government agencies really taking advantage of these tools moving forward? And what ... If you had ... We always ask people if, when you look into the crystal ball, what do you see in terms of progress, but as well as just the future?
Dave: Yeah, I think what's funny is that people think about automation, right? And they say, "Oh my gosh, that's going to automate me out of a job".
Dave: "Robots are going to take over and everything." But still, when I talk to gummies, I would say, okay, you're concerned about automation, but realistically speaking, do you have too much to do? And I would do a poll of an audience when I'm giving talks. It's like, okay, how many people have too much to do? And everybody's raising their hand and there's so much going on. And then they're distracted from focusing on the mission because they're just running around with their hair on fire to apply patches and everything and they're not automating as much as they could.
Creating an Inclusive Environment
Dave: The thing I would be doing is asking, it's like, okay, are we automating as much as we could? As much as we can? It's almost like that Toyota 5 Whys sort of thing where you keep asking why and you keep asking why and you keep asking why. I would be asking, did you automate enough? Did you automate enough? Did you automate enough? You keep going to the point where ... I was on a panel with DHS a couple of weeks ago, at Red Hat Government Symposium, and this person said that it's like, wow, thanks to automation, I could actually take sick leave and the building didn't burn down.
Dave: He was actually really happy that things were automated and he could go off and be sick and not have to worry about checking his pager or logging in to make sure that they didn't get hacked or anything like that. I think that's really a goal that we should all aim towards.
Arika: Just want to switch gears for a second as we start to wrap up. David, can you tell us a little more about Avi? You talked about robots quite a few times, but tell us a little bit more about Daddy's Computer Camp and the fact that your daughter gave you a robot when she, I believe when she was 13 or so for-
Arika: Valentine's Day, which is an unusual ... with Bash code on the front. We spent a lot of time on this podcast also talking about just how to get the younger generations more involved and excited about the cybersecurity workforce. We know that that's been a challenge. It's been a focus, especially of government. But obviously you've been, you were successful in getting your daughter interested in it.
Getting Women Involved
Eric: How did you do that?
Dave: Yeah. Well it's, I have a picture of her and in her bouncy chair from when she was like one year old with an unplugged keyboard. She would sit next to me and bang on the keyboard while I'm working or doing stuff. Just from that very first time it's like including her in these things.
Ever since I found out we were having a daughter, it really opened my eyes up in terms of having that awareness of women in the computer world is, especially in the cybersecurity world where I think it's even more rare, open source as well, and trying to create environments that are inclusive and welcoming. You go back to like, I would be involved with Akron Linux User Group.
Dave: I live here in Ohio and we would go in and she would have pigtails and we would go in and for her it was a dinner meeting and somebody would give a presentation. But for her it was, she loved it because they had a turkey dinner with mashed potatoes. She was all about the mashed potatoes. Then she started to absorb all the technical stuff.
Dave: You have these folks in the Linux User Group that are at least grandfatherly-type people that are really cheering her on. Over time it's like the Valentine episode that we had was over Christmas break, we would be shut down at Red Hat, between Christmas and New Year's, so we would have what's called, my daughter I would call it Daddy's Computer Camp where it's like, Oh, we're going to take a computer apart and we're going to install Linux, we're going to put a new hard drive in.
Dave: She would get her static strap on and she totally-
Dave: Get all wound up. We would do it and she ... there is ... and I'm like, all right, I'm ready to teach you how to program. What program are we going to do? Okay, what language? I'm like, okay, we'll do Bash.
We did some Bash scripting and stuff like that and I taught her how to properly comment her code and everything and then that was over the Christmas break. And then come Valentine's Day, I get this Valentine from her that was this cardboard robot and everything and on the front of it, it was a Bash script that basically said, "Daddy, will you be my Valentine?" But it was all written in Bash with variables-
The Biggest Revelation
Dave: And comments and everything. She did that all from memory and I'm like, wow, that's really great. For me, I'm all about getting women into STEM and creating inclusive environments to have them get involved and that goes up to, even today where she's in college at Rochester Institute of Technology and making sure she's not with all the alpha males that are out there and it's making sure she's participating and making sure she's asking questions and if she doesn't understand something, she'll hound the professor until she gets an answer. I'm very proud of her, as you could tell.
Eric: You should be. She's a four-time Ohio Affiliate of the National Center for Women in Information Technology award winner. She won the Intel's Excellence in Computer Science award for her work at NASA. You should be massively proud.
Dave: Oh, I am. I am.
Eric: Unfortunately, it's too late for me. My kids are all older and I didn't start with that keyboard in their hands banging at one.
Dave: Yeah, yeah. Well soon enough, yeah. Next generation you'll be able to do it.
Eric: Grandkids. We're working with the grandkids, Arika. I've got the secret now.
Dave: Grandpa's Computer Camp.
Arika: Yeah, I think you've got to start these days while they're in the womb. Yeah.
Eric: Unfortunately I don't program either. Dave as we're wrapping up here, I've got a question for you. You've got a long illustrious career in the IT world, dealing with security IT, what's the biggest surprise you've seen? Biggest thing you missed or surprise, something you didn't expect over your career?
Dave: For me, the biggest revelation was finding out that we were having a daughter and that's where I went from the 20 year old-
Diversity of Thought Leads to Better Outcomes
Dave: Guy being surrounded ... In meetings, I was totally blind to ... and it's not like I had biases, it was these unconscious biases that I would have of making sure that people with diverse backgrounds are included. Now I go out of my way to sort of change that and be much more self-aware. The other thing I've found out too is still the percentage of women in computer science programs is very low and it's not good enough yet. When we did the college tours, we went to RIT and that's where my daughter went.
Dave: But they actually did a presentation. What really sold me on RIT was that they're giving a presentation and they said that, "Well, 85% of the CS students are boys, 15% are girls. That's the national average." And the person that was giving the presentation said, "That's not good enough and we're out to change that." And to me it's like wow, they have that welcoming environment to get women and diverse folks from all across the spectrum involved in computer science. Because I think when you have that diversity of thought, it's going to lead to better outcomes.
Eric: Absolutely. It's amazing to hear that they get it. And I love the fact that your daughter picked up on that.
Arika: Now, that's fantastic.
Eric: They were leaving-
Arika: Great job. Great job to you. Hats off to you because I think that's also an important piece of this.
To The Point - Cybersecurity Named as One of the Top 30 Federal IT Influencers
Dave: Yeah, no, it was great. She's had great mentors along the way with like Herb Schilling at NASA Glenn and the folks at think[box], Ian Charnas, at Case Western and so many good mentors along the way that it wasn't all me. It's, they're giving her these at-bats where I have pictures of her doing selfies with Steve Wozniak.
Dave: Yeah. That's a whole other story. We can save that for another episode.
Arika: Well thank you, David, so much for being on. This has been a great episode. Thank you to all of our listeners that tune in every week. The podcast, I'm going to toot our own horn for a second. Eric, we were recently named one of the top 30 Federal IT Influencers and I think that means that people are listening and they're enjoying the podcast every week. We thank all of the listeners and appreciate that you all are finding what we have to say with our little podcast that could.
Dave: When I was doing the prep for this, for the interview with you all, I noticed that I checked that list of the 30 and you are the only podcast listed.
Dave: The other way you could say is you're the number one podcast in the 30 as well.
Eric: Oh, I like that much better.
Arika: I like it. Okay. I like that too. Yeah.
Eric: And while we're on the topic of a podcast, Dave, I know you do the Dave and Gunnar Show. I don't think it's quite weekly, but it's a fascinating podcast to listen to.
Dave: Yeah, your son loves it, right?
Let Us Know What You Want Us to Talk About
Eric: The only podcast he says that's more boring than that, this is Michael, my 12-year-old, is our podcast, Arika.
Eric: Talk about maybe I should have given him that keyboard at one.
Dave: But yeah, no, I've been doing ... That's a whole other episode story too. I do this podcast with Gunnar Hellekson, he's a good friend of mine that actually hired me into Red Hat years ago. We just ... it's just ... if you like nerdy sarcasm with a big technical bent to it, of weird things we see on the internet, it's all for you. It's not a Red Hat sanctioned podcast at all. It's totally independent. If you like strange internet things with a high dose of sarcasm, we've got the podcast for you.
Eric: Yeah, he loved the fact that you mentioned Google and then you lost a few points when you were talking about our Chromebooks at one point.
Eric: But that's what kept you ahead of us. Tough grader, trust me.
Arika: Yeah, he is. He's tough. We'll have to have him on the podcast. He has some notes for us it sounds like. All right, guys, well thanks so much and again, thank you to all of the listeners. We truly appreciate you tuning in each week. Please continue to subscribe and share with your friends and colleagues and also you've got to send us a note and let us know what you want us to talk about. Until next week. This has been To the Point Cybersecurity. Thank you. Thanks, guys.
About Dave Egts
David Egts is the Chief Technologist of Red Hat's Public Sector organization. As the intersection between public sector customers and Red Hat engineering and product management, his customer interactions and domain expertise blend customer needs with industry trends to help Red Hat define open source computing in the enterprise. He has achieved Red Hat's highest level of certification as a Red Hat Certified Architect (RHCA) and has received Red Hat's highest employee honor as a Red Hat Chairman's Award recipient.
Dave & Melissa Egts Endowed Computer Science Scholarship – parents of an RIT female computer science student, will provide scholarship support specifically for undergraduate computer science students with a preference for females. The fund was just created this month and marks the college’s first endowed scholarship of its kind to benefit women in computer science.