Automating Endpoint Protection with Ansible

April 19, 2021 by Roland Wolters


Enterprise security isn't a homogeneous entity; it's a portfolio of multi-vendor solutions run by disparate and often siloed teams. With so many different layers, automation has proved effective in helping security operations teams integrate those layers and share accountability.

Automated processes and workflows simplify and accelerate shared processes like investigation and response and, if built on a platform with the right characteristics, encourage a more open culture of collaboration.

Red Hat Ansible Automation Platform addresses this growing importance of security with Ansible security automation: our answer to the lack of integration across the IT security industry. If you are new to the topic, a good place to start is our investigation enrichment blog post. A good follow-up is our blog post about threat hunting, which extends the application of Ansible security automation to multiple teams across the IT department.

The Ansible security automation initiative has grown significantly over the last two years, adding more partners and covering additional domains and use cases. If you want to know more about what is available, have a look at the supported Collections. The most recent addition to our security automation initiative was announced at AnsibleFest 2020: the extension to support endpoint protection use cases.


Endpoint protection - what and why?

Endpoint protection is about the elements of IT that are most exposed to the human element of security. The details of each implementation vary, but the general approach is to target devices that are either operated by employees or exposed to public access. As part of endpoint protection, those devices are continuously monitored to detect suspicious behavior.

An endpoint protection platform (EPP) is a solution deployed on endpoint devices to prevent file-based malware attacks, detect malicious activity, and provide the investigation and remediation capabilities needed to respond to dynamic security incidents and alerts.


An EPP is usually deployed with the help of agents on the target nodes that collect data and enforce actions. Not only the device itself but also the installed applications, dynamically loaded code and user behavior are monitored, and telemetry data are gathered for long-term analysis. Additionally, policies like mandatory device encryption, password rules or user and group rights are enforced. If necessary, response actions can be performed to stop applications, close ports, deny user access or even wipe entire systems.


Endpoint protection in the larger scope of security

With a growing and more diverse landscape of security solutions, the question remains why we picked endpoint protection as the next larger integration to pursue. The answer is simple: malware is a serious threat to today's security teams:

According to Incident Response teams, malware is the root cause of 68% of the incidents they investigate. Nearly 15% of US security budgets go to remediating active compromises.

Source: SANS

For example, ransomware has gained a lot of attention recently: A successful infection leads to the encryption of data on corporate file shares or database servers. Recent publicly known cases like ISS World show that affected companies can suffer serious damage in business operations.

Another perspective to look at is the internal malicious actor: 34% of data breaches involved internal actors, according to Verizon. This means a tight control and consistent monitoring of crucial components is pivotal to a successful security strategy.

This makes it especially compelling to embed endpoint protection into the typical security automation use cases. In investigation enrichment, it can be crucial to gather information not only from systems inside the data center but also from the endpoints associated with certain users. One example is to automatically raise the log verbosity across all corresponding devices and configure the reporting to forward the data to the SIEM.

During threat hunting, a vital step is to roll out new rules across all possibly affected systems. In the threat hunting blog post we already showed how to do this on an IDPS; with an endpoint protection platform we can extend the set of actions by automatically deploying custom scans on all possibly related endpoints.

In the final incident response step of a security workflow, endpoint protection platforms can be configured to deploy and enforce new policies to prevent access or to quarantine endpoints. Automation can scale such actions from one endpoint, or one set of similar endpoints, to many endpoints of various types.


How the automation of endpoint protection works

By adding endpoint protection to Ansible security automation, we enable our customers and users to embed these technologies into security workflows with the help of Ansible content. Currently there are Collections for two platforms that are in the process of becoming certified: Symantec Endpoint and TrendMicro DeepSecurity.

Let's take the investigation enrichment use case and the endpoint protection platform TrendMicro DeepSecurity as examples. As part of the use case, we want to forward the logs from TrendMicro to the SIEM. Since this is a platform supported by Ansible security automation, the code is rather simple:

- name: Forward TrendMicro DeepSecurity logs to SIEM
  hosts: trendmicro
  collections:
    - trendmicro.deepsec
  tasks:
    # The log_manager role reconfigures the platform to send its logs
    # to the syslog endpoint of the SIEM. The syslog destination itself
    # is passed as a further role variable (not shown here).
    - include_role:
        name: log_manager
        tasks_from: forward_logs_to_syslog
      vars:
        trendmicro_syslog_config_name: test
        firewall_provider: trendmicro

Here we load the Collection and the roles and modules it contains; the included role reconfigures the platform to forward its logs to the SIEM. We only have to provide the SIEM URL, the syslog configuration name and the log provider.

Let's take a look at another use case: threat hunting. As the endpoint protection platform of choice we will look at Symantec Endpoint. Imagine that we have to trigger a dedicated scan on an endpoint as part of our threat hunting procedures. Again, using the Ansible Collection for Symantec, this requires only a few lines of YAML:

- name: Create a Symantec Endpoint Scan
  hosts: symantec
  collections:
    - symantec.epm
  tasks:
    # groups_info and scan_endpoints are the module names of the
    # symantec.epm Collection; verify them against the Collection docs.
    - name: Get all groups
      groups_info:
      register: groups_info_out
    - name: Scan Endpoints in Registered Groups
      scan_endpoints:
        groups: "{{ groups_info_out['id_list'] }}"

Here we only trigger two tasks, thus two modules inside the Collection. First we acquire the list of endpoint groups the manager knows about, and second we trigger the scan on all endpoints in those groups.
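In practice a threat hunt rarely wants to scan every group the manager knows about; it wants the groups an investigation flagged, and it should fail loudly if those groups do not exist. The following play, an added example that is not part of the original post or of the Collection, shows how to embed the two tasks in such a guard: the group IDs reported by the platform are intersected with a list handed over from the enrichment step, the play aborts if nothing matches, and the scan is triggered only for the remaining groups. The module names groups_info and scan_endpoints and the id_list key are taken from the symantec.epm Collection as I know it; the variable suspect_group_ids and the sample IDs in the run command are assumptions for illustration.

```yaml
# Added example (not from the original post): scope a Symantec endpoint scan
# to the groups an investigation flagged, instead of scanning every group.
# Run with:
#   ansible-playbook scan_suspect_groups.yml \
#     -e '{"suspect_group_ids": ["g-123", "g-456"]}'   # sample IDs, constructed
- name: Scan only the endpoint groups flagged by an investigation
  hosts: symantec
  gather_facts: false
  collections:
    - symantec.epm
  vars:
    # Group IDs handed over from the enrichment step; assumed variable name.
    suspect_group_ids: []
  tasks:
    - name: Get all groups known to the endpoint protection manager
      groups_info:
      register: groups_info_out

    - name: Keep only flagged groups that actually exist on this manager
      set_fact:
        scan_groups: "{{ groups_info_out['id_list'] | intersect(suspect_group_ids) }}"

    - name: Abort instead of silently scanning nothing
      assert:
        that:
          - scan_groups | length > 0
        fail_msg: "None of {{ suspect_group_ids }} is a known group id; refusing to continue."

    - name: Trigger the scan on the matching groups only
      scan_endpoints:
        groups: "{{ scan_groups }}"
      register: scan_out

    - name: Record what was requested, e.g. for the incident ticket
      debug:
        msg: "Scan requested for groups {{ scan_groups }}"
```

The intersect filter drops IDs the manager does not know, so a typo in the hand-over list cannot turn into a scan of nothing that goes unnoticed; the assert task makes that failure explicit in the job output, which matters when the play runs unattended as part of a larger workflow.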


Takeaways and where to go next

As you can see, endpoint protection can be a vital part of an enterprise security strategy. With the help of automation it can be connected more closely with other aspects of enterprise security, enabling more streamlined processes. The Collections mentioned above give a first idea of the capabilities Ansible can provide in this field. In fact, the most powerful aspect of this approach is the ability to chain multiple security technologies together and to describe, in one place, the processes that security teams still perform manually.

If you want to know more about how Ansible can help you achieve this level of integration and automation check these resources:


Security Automation, Ansible Automation Platform


Roland Wolters

Roland is a Senior Product Marketing Manager EMEA at Red Hat
