Good morning. I'm Kevin Twibell, and I'm the chief information security officer for Platform One. I am joined by Brandt from Defense Unicorns today. We are going to go over what Platform One has started and where Defense Unicorns has taken it and done wonderful things. Briefly, we're going to go over a little bit of Platform One. As much as I love selling it, I really want to get into the meat and potatoes. We're going to hit a few of these points; mostly it's going to be around OSCAL and how we're implementing it, and then how Defense Unicorns is taking it to the next level.

So why Platform One? I do want to discuss a little bit about us and what we do and why we do it, if you're not familiar. We're a software factory that's based upon how we bring agile concepts to the warfighters. Over the years there have been a lot of delays with trying to bring products and applications and systems and different things. It takes time. It takes effort. It takes manpower and a lot of time. There's bureaucracy involved, and we are trying to pave the way into better ways of doing that. It's not always agreed upon, but sometimes it's a great path forward, and OSCAL is definitely leading in one of those areas. To give you an understanding of the way Platform One is set up:
We have CNAP, which is our boundary, and we have CNAP as a service, which we offer to people. Iron Bank, which is a collective repo of containers and code and different sorts of information that's been vetted and categorized and actually scrutinized; the cyber team looks at that along with the Iron Bank personnel and puts a risk-based posture against it. Big Bang, which we're going to really highlight, is a suite of tools. It's all open source, much like all of our other stuff, but there is a community around Big Bang and how it's developed and what it does. These are products that we utilize, as well as our partners and different agencies and entities across the world. Finally, Party Bus, which is our platform that we run these different aspects on, and our pipelines sit on top of. Why is that important? Because we have a cATO, a continuous authority to operate, for our pipeline itself and the applications. But behind that, what addresses all these areas is an ATO. Everybody kind of cringes when they hear ATO. It takes time, takes effort. There's a whole bunch of controls. It can be arduous. So, just to give to the community, we do have both. That's kind of how we're structured and how we operate.

So Big Bang, why did I talk about that? Big Bang was developed as a suite of tools that's all containerized, essentially deployable anywhere.
It's open source code. Anyone has access to it. You can go to GitHub, you can download and deploy it yourself. Defense Unicorns has done wonderful things with it; it's a one-click deployment. You can go through and deploy in a cloud provider or on prem, and you have this great set of tools that's always up to date, that you can read and understand: what are the risks, what are the vulnerabilities. You can do your own homework. Within that you can see how it's orchestrated, what it does, how it operates. We have people that deploy it for production use. We have people that deploy it for development. We deploy it for both. There are different elements in there. We can help to analyze the system itself, orchestrate the system using Kubernetes and Istio and several other applications. The other part of that is it's always evolving. It's always updating. That kind of brings us into the Big Bang community. It's a community of people, not just us at Platform One. Defense Unicorns helps us. The partners that are out there help us. We have people that say, hey, I want to deploy Big Bang on, fill in the blank. And they do. We value that information coming back to us. And hey, we want to deploy this on top of an F-35. Awesome. Go for it. Let me know how it goes.
Because that helps us. Going back into this, I will say, in case anyone is paying attention, the diagram is a little old. Our Big Bang release is 1.40, I believe, so this is a little dated. I apologize for that. I really wanted to highlight that this is a community. It's always evolving. They help feed us the information to help refine the update, and we can in turn feed back up to the community. As I said before, you can deploy it on your own, keep up to date, partake in that way. Or some agencies connect to us and they get all of our updates as we push them out. So we laid the foundation. Why was that important? So that everyone understands essentially what OSCAL is and why we're trying to get after that. I've been doing policy for a long time, and when I first looked at the RMF, when we flipped from DIACAP to RMF, I was looking down the pipe of 2200 controls that I had to answer. It went from me looking at an Excel sheet and trying to answer these controls, and I briefly answered them and fired them up to the AO, and they tore them apart and came back. It took me almost two years to get one ATO package through. By the end of two years I forgot about it. They gave me a three-year ATO and it was gone. It was over with. At two years six months I realized, oh no, I have to do this ATO package again.
And I went through and I realized that a lot of the controls were still the same, and we didn't have a posture change on any of them. But assessors wanted us to show that we actually looked at them, that we did something with them. So the reason I highlight this is you have multiple elements when it comes to anything with RMF. You have AOs who are trying to understand a story. You have the program owners, such as myself, that are trying to tell a story. The AO is not going to come down. They're not going to see your system, or potentially they're not. They may not understand fully what you do and why you do it. I've had a lot of discussions over the years with their staff and the AOs directly, and once I finally get them into a room and explain the system and how it's engineered and why it's doing what it's doing, the light bulb goes on. There's never that communication in the background of: what about the controls? What does it change? What happens or what doesn't? And so we start the big process of, you know, ATO, RMF is a problem. I've heard over and over and over: RMF is broken. The RMF isn't broken. It's the people, how we utilize it. And we're trying to make things better. So this is where OSCAL comes in.
If I can look at a predefined set of controls across my infrastructure, and you saw my infrastructure is quite large and I have different elements to that, if I can pull from each one of those: my Istio service mesh doesn't change, not a whole lot. It gets better, it updates. We do patch it. The CNAP as a service doesn't necessarily change. We mature it, but it doesn't necessarily change. Iron Bank feeds in more stuff, but the overall concept doesn't change. Party Bus-wise, it's the platform. Our pipeline is always pushing through new applications, but they're on a set, defined path. And so the infrastructure that it has really doesn't change. So why would I look at 800 to 900 controls and try to justify a story to my assessors that these are still good, they're still in compliance, this is how I am compliant with them, every single time? Versus, can I just do a one-button click and go forward and say, poof, I'm still in compliance with these, and now I only have to focus on the small amount that's still there. So those are the two pictures. OSCAL, unfortunately, is compliance by code. So it's a bunch of code running around, and not everyone understands. Well, what can I do with code? I can't read code. I can't do anything with it.
And I understand that. I have a team of engineers and coders that hack away at this all day long and love it. But how do I display this? How do I feed this information back into the AO's hands, the assessors', and even myself, to figure out what's in compliance and what's not? That's where Defense Unicorns has really partnered with different agencies. One in particular you'll see today is RegScale, because it takes that code environment, that code element, and gives you that display, so we can smash it all together and really give you a highlighted picture at one click. Go. Here is how you're compliant or not compliant. And the greatest thing of this is you can do it in a matter of moments. So looking towards the future of continuous monitoring, getting away from, hey, I got my ATO, I'm good for three years: now, instead of fire and forget, we are looking at this daily. We're looking at this monthly. We're always assessing what's in the background, but it's assessed at one click. And now I only have to focus on the other stuff that maybe isn't within that clickable range. That takes me a little bit more time, but a lot of the monotony is gone. So we start to bridge away from the hurdle of 18 months, which can reduce our overall ATO time by significant amounts.
We can go from the 18-month dark deployment and we can start to reduce that. That's kind of what Platform One is trying to do: revolutionize a lot of things, taking applications from cradle to grave in a matter of a month or two months. Well, we're also looking at the overall posture of ATOs or cATOs and doing the same thing. So when we look at Big Bang, and kind of reference back to that, if I can plant it, and we have OSCAL embedded into Big Bang, and anyone out there in the community deploys it, whatever you end up utilizing it for, how you develop it or how you orchestrate it into your environment, you can then start to reap the benefits. So what we've been playing with over the last couple of years is embedding OSCAL, having it touch the different elements, and then as Big Bang updates, so does it. So if we find predefined areas, or NIST changes (we've got Rev 5 that's out now), how that orchestrates, how SBOM changes, all these different analytics or questions, we feed that directly in. And then that feeds to the customer as well. So it goes out to the open community. So the Big Bang community, they are able to see what we have in the pipeline, what they can contribute to that, how they deploy things, how we can feed back into it.
So you start to see the ecosystem of us communicating and why we're here today, trying to revolutionize that but also looking at all the different ventures. So with that, we have looked at it from a lot of different angles: how we can automate, what we can, what we can't, and we're getting there. There is not a silver bullet for anything. Unfortunately, when it comes to RMF, we can't just say, hey, download this one particular program or app and I can always know whether my system is good or not. What we can do is chew off certain elements of it, and we can start to break those down and make our lives a lot simpler. So for our particular needs, and hopefully for the community, we're able to chew off a large chunk. And to the AOs and the SCAs that might be out there in the community today, understand that we want to give you a great product, but it's trust but verify. I always love what my people give me and how they're feeding the information of how we're answering, but I still want to verify. I still want to know we're actually doing what we're saying we're doing, and that's where we're helping to take this, define it and orchestrate it at hand. To give you a great product, so you know we're in compliance all the time, and you can validate that through this.
So with that I will turn it over to my partner in crime today, Brandt, who is actually going to go into the back-end workings and show you all the wonderful things and how it looks. And then we'll go into some questions.

Wonderful. Let me share my screen and get that moving. From here you should begin to see we're looking at the Big Bang platform. I want to reiterate a couple of components there: the platform on top of Kubernetes for meeting the DevSecOps reference design. There are elements as part of that that I think are relevant for this discussion. The platform is built from a number of packages. Each of those packages is essentially a tool that performs some behavior. For each of those tools, we can start to dive into them and see, okay, what do they do? What do they provide as part of the reference design? What do they provide as part of compliance for other standards definitions? Within each one of these tools, we have been working as part of the Big Bang team, the development team that works on all of these packages day in and day out, providing the OSCAL component definition files. Each one of these kind of walks through a universe of controls. For those who are familiar with OSCAL, the information you are provided here is pretty straightforward.
But for those who have not, it kind of walks through different controls, talking about, okay, well, given this control, how might this tool assist with satisfying a given control as part of a given standard document like 800-53, for reference? So if we back that up, we have one tool that is implemented, and that is, hey, here are all the possible controls that can be met. As part of this platform, which is a bunch of tools orchestrated together, we can then abstract and aggregate. We can say, all right, well, if I deploy all of these tools, they're each going to be either providing layers upon the same control being met, which is awesome for kind of a depth of control measure, or they're going to be providing breadth: one tool satisfies AC-3 or part of it, and then another tool, there's AC-4, etc. And we can start to consolidate all that information in really meaningful ways, and it's easy to track. Right? This is all version controlled. It's easy to get a hold of changes and have them viewed and audited, which is wonderful. I mean, I kind of see this as the first pillar of three I want to talk about today, which is these controls. They're intimately ingrained in the development workflow of the platform, of the tool, of whatever intimate information you can get.
And so Tetrate provides a very in-depth OSCAL component file to help us with, you know, what satisfies, what Istio and the service mesh can assist with satisfying. But what I want to move over to is the demonstration today. We partnered with RegScale. RegScale is that GRC, governance risk compliance, tool that can help us with visualizing all this information. Kind of as Kevin was talking about, we need to visualize the information and present it to those who don't want to look into a code base or are unfamiliar with it. And so we ingest the information with a tool that's very API driven and allows us to really work around all of the data that we want to present and find ways to present it in meaningful manners. Looking at an Excel spreadsheet with all of the thousands of controls isn't useful to anybody. It's daunting. It's hard to organize. And so RegScale can really handle, okay, well, if you have an OSCAL component YAML file, then import it into the system. And then once it's imported in, the system really can start to drive integrations. Really what we're saying is try to look to the next step of, rather than checking a box, we can be performing some action and updating the system via APIs, which is wonderful.
That same document that we've been looking at over here was uploaded into RegScale so that we can start to dive into that component file. Let's look at the scorecard, compliance scores and controls, etc. And again, it's not the total focus for today, but I see this as the third pillar. Bear with me, I'm going to talk about number two. But the first pillar is version controlled, as close to the source of truth for the tooling of the system as possible. That's what we're shooting for. On the other end of that, the third pillar being kind of this visualization: whoever this data is going to be most meaningful for, let's, you know, get it visualized in ways that actually provide a lot of impact and a lot of value. Let's dive into what's most important and what's least important, find ways to organize that information. Today we're going to be doing some integrations with visualization. Really the focus of today's demonstration is going to be this idea of the middle pillar, the second pillar. And that is the universe of controls that can be satisfied: if we visualize those and say these are essentially what is available, what we can satisfy, then when we need to go and either (a) check the system to ensure that's the case or (b) audit the system to ensure it's still the case, we want to remove as much manual labor as part of that process.
And so we're looking at that second layer being automated validation, and that's really what we're going to demo today. What I mean by that is you find ways to automate the ability to check and see if something was misconfigured. If it's misconfigured, maybe a control is no longer satisfied. If it was changed, maybe it's no longer satisfied. This really gets into this concept of reciprocity, for lack of a better word, which is pretty silly: we shouldn't be, you know, basing the security of our system on the intent to blame some other entity in the event that it is misconfigured, it is deployed incorrectly, or there is something wrong with the system at some various layer. We're going to look at a source of truth document. This is that same document that we were viewing on the right side over here. But what we've done is, for proof of concept, some prefaces I want to add: we know this is not necessarily compliant with the OSCAL schema, but we're working on the idea, presenting this problem space. And then we're going to iterate and continue down the path of making this compliant with OSCAL, finding the best formats and models to categorize this information and data fully on the intent. But we've taken that initial OSCAL component definition file, which you see on the right side here, which really has a lot of great information by Tetrate for how to ensure that the control is satisfied by the tool Istio.
We're providing some kind of rule set definitions for: I want to actually go and validate against an environment (today it's going to be Kubernetes) that this configuration is present and configured appropriately, so that then I can say, with a good measure of detail, that hey, it has been satisfied, and we'll feed that into GRC tools. I'm going to dive into that and show what this looks like, both the environment as well as a pass and a fail case. For kind of introspection into the environment, we've got this Kubernetes cluster established. If we get all the pods in the cluster, you can see it's running a number of workloads. This is a configuration of Big Bang. It has my service mesh, my monitoring tools, my logging tools, etc. There's a lot of tooling for the purpose of whatever this environment is looking to accomplish. It's a mock environment to show, hey, I have many workloads running. I want to go and still run some validation against the rule set that I've defined and see whether or not my control is satisfied. Today we're targeting AC-4. In this document, are they talking to each other through encrypted traffic across all communication? The service mesh models those workloads that are connected and talking to one another. We want to ensure that all of the traffic between pods that are talking to one another is done via mTLS with Istio.
With this service mesh concept we have this idea: we're looking to see if each pod contains a container for the Istio proxy. And we have a good measure of detail there, or confidence, that if that is the case, and all of the traffic is set to mTLS strict, then, minus our exclusions or things that don't apply, we can validate that mTLS is established as the primary communication mechanism. So, awesome. I have my environment here. What I want to do then is ingest this document with this tool that we're building. It's an open source tool, naming TBD. I want to execute it. And so all I'm going to do is use this compliance auditor tool, execute this OSCAL component definition file, and perform those actions against a live Kubernetes cluster. What I'll do here is target the OSCAL component definition for the Istio control plane. We'll execute that. We'll start to see a number of things. You can kind of see here we're given an initial state for what is going on. We see 78 resources are being processed. They weren't all targeted for validating this; obviously there's some math off here. Of the resources that were targeted, 62 are passing and zero are failing. So we get into a passed state, with an automatic assessment sent to our GRC tool. So we're going to come back to RegScale.
Again, I want to start from the beginning here. So components: these are, you know, our component definition that we had uploaded into RegScale previously. Awesome. Reviewing it. And as part of the work that we just did, here on the left side we can start to see how things change. I don't know if you noticed, the score earlier was different. Now again, via only API interaction, we performed an automated assessment and sent those results up to our GRC tool. So it's changed the scores. Wonderful. All that information is now tied together. The component definition sees that an assessment has been performed. We can look through all these controls and see what information we want to see, but for today we're looking at AC-4. Right. And really what we did was we performed an assessment. Head over to assessments and we can see: wonderful, the last assessed result was pass, performed today. If we look at all of these assessments, it looks like I've got 28 of them performed over the past few days. You'll see that now. The latest one, this was yesterday, this is today. We see they're passing from a previously failed state.
00:20:19:03 - 00:20:22:14 Now they're passing. Now what I want to do also is say, you know, 00:20:22:14 - 00:20:25:19 how could we work through a scenario that puts our cluster into a state 00:20:25:19 - 00:20:29:21 where the control is no longer satisfied? We're working towards this path, 00:20:29:21 - 00:20:32:12 this problem space, really for this second pillar, 00:20:32:12 - 00:20:35:19 which is automated validation; it's kind of continuous compliance. 00:20:35:22 - 00:20:38:12 What we can do is we're going to inject a workload 00:20:38:12 - 00:20:40:14 that is going to be non-Istio-injected. 00:20:40:14 - 00:20:44:02 It's going to violate the rules that we have established for meeting this control. 00:20:44:02 - 00:20:47:05 In doing so we should see a failed state, or our 00:20:47:05 - 00:20:50:14 control being passed here, as well as it's visualized in RegScale. 00:20:50:14 - 00:20:53:07 So if we want to check on that workload really quick. 00:20:53:07 - 00:20:53:19 Awesome. 00:20:53:19 - 00:20:57:14 This test pod that I just ran, it's an nginx image. 00:20:57:16 - 00:20:58:01 It's running. 00:20:58:01 - 00:21:02:00 The workload is running and there we see one of one containers in that pod 00:21:02:00 - 00:21:02:14 ready, 00:21:02:14 - 00:21:05:06 which kind of gives us an idea: hey, that isn't Istio injected. 00:21:05:06 - 00:21:07:16 It's not going to be able to communicate over mTLS 00:21:07:16 - 00:21:11:10 for the sidecar architecture that we have for this control plane. 00:21:11:13 - 00:21:15:06 And so what we'll do is rerun this exact same execution, 00:21:15:06 - 00:21:16:29 this OSCAL component file. 00:21:16:29 - 00:21:18:24 It's going to tell us pretty quickly that, hey, 00:21:18:24 - 00:21:21:23 it's failing now and here's how many resources are failing.
00:21:21:23 - 00:21:25:22 Again, we're able to, that's performing our core set of logic here, 00:21:25:25 - 00:21:29:21 but what I think is important again is the GRC visualization of that, 00:21:29:21 - 00:21:31:23 which is something that we really want to dig into. 00:21:31:23 - 00:21:32:25 Again, starting all the way back 00:21:32:25 - 00:21:36:25 from the RegScale component homepage, we'll view that component definition. 00:21:36:25 - 00:21:37:29 We'll look at our scorecard. 00:21:37:29 - 00:21:39:06 Numbers are back down again. 00:21:39:06 - 00:21:41:20 And straight from the home page here for our controls, 00:21:41:20 - 00:21:43:22 we can already see the last assessment 00:21:43:22 - 00:21:45:04 is not looking too hot. 00:21:45:04 - 00:21:46:04 Let's go take a look at that. 00:21:46:04 - 00:21:48:12 Again, during assessments, all of this failed. 00:21:48:12 - 00:21:52:04 Now we have two executions run today; those are going to quickly 00:21:52:04 - 00:21:52:29 show up as fail. 00:21:52:29 - 00:21:54:09 We can dig into those. Really, 00:21:54:09 - 00:21:57:21 this underlying concept of continuous compliance, 00:21:57:22 - 00:22:01:22 this code upstream, upstream being the Istio control plane, 00:22:01:22 - 00:22:05:07 the actual as it exists in a package in the code base catch rate, 00:22:05:07 - 00:22:08:27 also further allowing an in-depth knowledge of what's going on 00:22:08:27 - 00:22:12:00 there, giving us great documentation behind those controls, 00:22:12:00 - 00:22:15:23 all the way through from automated validation of the control 00:22:15:23 - 00:22:20:21 to visualization in RegScale or your GRC tooling. But having a tool 00:22:20:21 - 00:22:25:04 that we can really interact with via API is going to be super powerful. 00:22:25:04 - 00:22:28:01 We can relate assessments to components. 00:22:28:01 - 00:22:29:18 We have a component definition. 00:22:29:18 - 00:22:30:15 We have a control. 00:22:30:15 - 00:22:32:20 We have an assessment on that control.
00:22:32:20 - 00:22:36:21 And, you know, as we start to break out what this tool can accomplish, 00:22:36:24 - 00:22:41:02 kind of as an automated assessment, automated compliance validation, 00:22:41:05 - 00:22:44:17 we can work towards, you know, what's the next iteration? 00:22:44:20 - 00:22:47:00 Separating the responsibility of what the tool does 00:22:47:00 - 00:22:50:23 versus what information is being passed in; it isn't specific to Big Bang. 00:22:50:26 - 00:22:53:27 The tool can run on kind of any basic idea 00:22:53:27 - 00:22:57:04 of: here's something we want to validate against a Kubernetes environment, 00:22:57:04 - 00:22:59:26 go in, ensure that is the case, and produce a report. 00:22:59:26 - 00:23:03:20 But I really want to dig into what information is going to be great 00:23:03:20 - 00:23:07:09 for consumers of these, you know, highly regulated environments. 00:23:07:09 - 00:23:09:05 So there's a lot of other details that I could dive into, 00:23:09:05 - 00:23:12:08 but really I kind of want to open the floor with enough time 00:23:12:09 - 00:23:14:00 to walk through questions if there are any.