CEO of Evident.io, Tim Prendergast, sharing insights into the powerful combination of Cloud Security and DevOps practices at Velocity Conference 2015 in Santa Clara, CA USA. Learn how agility, security, and automation can be combined to perform continuous security assessments, real-time automated defensive measures, and other exciting security capabilities!
1. Continuous Security
The DevOps Way
Tim Prendergast
Founder: Evident.io
Tweeter: @Auxome
@Auxome / @Evidentdotio
#devsecops
2. @Auxome
Why I’m Here
THIS IS THE SECURITY ROLLERCOASTER
Elation Pain Suffering Winning Losing Failing InnovatingSecOps
3. @Auxome
Why Do Security?
REGULATORY
PARTNERS DEMAND ITINDUSTRIAL
SELF-IMPOSED
IMPOSED UPON YOU
CUSTOMERS DEMAND IT
PROTECT YOUR IP
STEAL THEIR IP >:)
REASONS VARY BY ORGANIZATION
9. @Auxome
MSS (Modern Security Sucks)
Dependent on presence
Doesn’t understand non-TCP/IP stacks
Too human-dependent
Assumptions that resources are relatively static
Attackers use automation, defenders do not
Security companies don’t get Cloud & DevOps
11. @Auxome
DevSecOps, Rugged DevOps… a rose
DevOps.com published a great e-book at RS
A:
http://devops.com/2015/04/20/the-rugged-de
vops-ebook/
Disclaimer: Evident.io was one of the corporate sponsors for the production cost of the book – we believe i
n it!
14. @Auxome
Security analysis at time (T)
Scan Node
Host NHost NHost NHost N
Cloud API Svc NSvc NSvc NSvc NSvc NSvc NSvc NSvc NSvc N
Svc NSvc NSvc NSvc NSvc NSvc NSvc NSvc NSvc A
No unexpected results/changes
15. @Auxome
Security analysis at time (T+1)
Scan Node
Host NHost NHost NHost N
Cloud API Svc NSvc NSvc NSvc NSvc NSvc NSvc NSvc NSvc N
Svc NSvc NSvc NSvc NSvc NSvc NSvc NSvc NSvc A
A user identity disabled MFA
Identity
Chang
e
16. @Auxome
Security analysis at time (T+2)
Scan Node
Host NHost NHost NHost N
Cloud API Svc NSvc NSvc NSvc NSvc NSvc NSvc NSvc NSvc N
Svc NSvc NSvc NSvc NSvc NSvc NSvc NSvc NSvc A
A new host running an unapproved image app
ears
Malicious Hos
t
17. @Auxome
Security analysis at time (T+3)
Scan Node
Host NHost NHost NHost N
Cloud API Svc NSvc NSvc NSvc NSvc NSvc NSvc NSvc NSvc N
Svc NSvc NSvc NSvc NSvc NSvc NSvc NSvc NSvc A
Both malicious security events have exited
23. @Auxome
New & Hot:
Automated Compliance Audits
Compliance
“You are in direct violation of PCI DSS 3.0 requirement 3 section 6.1.
You have 10 seconds to comply…”
26. @Auxome
Automated Defense Toys
Best Example that is opensourced:
SecuritySquirrel (by Rich Mogull of Securosis)
https://github.com/securosis/securitysquirrel
27. @Auxome
What to Take Away
Don’t wait for security to come to you – chase it1
Automate your security behaviors2
Champion the marriage of DevOps & Security3
Welcome everybody! I know why all of you are here today… but let me tell you a little bit about why I am here.
Security Practitioner for >20 years
Working with AWS since 2006ish and other cloud platforms for the past 3-4 years.
My favorite part of this industry and my career is rethinking how we apply security concepts and reinventing the way we envision security…and then sharing that with others.
SecOps is one of those tragedy industries. Lots of failure, pain, bad publicity, victimization…all of the bad things about tech manifest themselves most fully in this space.
It is also, however, one of the most rewarding. It’s a rollercoaster of emotions, technology, and conflict.
Why bother with it, if it’s such a PITA?
Various industries have various reasons… often related to state or federal regulations for their businesses. We see this increasingly so in today’s world full of data breaches and consumer records losses.
Customers and Partners are increasingly more security-conscious with their relationships and vendors. They can suffer collateral damage to their reputation if close allies are breached.
Courts and Regulatory Bodies can impose security constraints on organizations who have egregiously incurred security breaches.
Protecting your IP from attackers is a huge driver, or conversely stealing the IP of targets has become a profitable and nation-sponsored past-time.
Resilience – the ability of our services and products to degrade gracefully without loss of data, self-heal, and manage loads effectively even under stress.
Flexibility – the ability of our platforms and services to easily sway as the winds of business and consumer favor change, all without painful rewrites/rearchitecting
Reliability – the service or product always being there when accessed… this means process, technology, and people all behave in reliable manners.
Speed – enabling organizations to move quickly to capitalize on opportunity and customer favor, without long cycles of development/deployment.
Automation – Wrapping manual processes wherever possible in automation frameworks, scaling humans like we can scale systems.
Stability – security needs a consistency in environments over periods of time to ensure change entropy does not break functional security implementations/practices
Control – IT departments need to ensure that they can manage the danger lurking inside or outside the walls through policy and strategy.
Accountability – Ensuring we know who does what, and can always review the audit trail to determine malicious or unintentional security failures.
Confidence – The ability to communicate with shareholders, the board, and executive management that the organization is upholding it’s obligation to various bodies of regulation/industry when it comes to security.
Risk Aversion – security’s need to mitigate risk through various methods… because they have to respond to do IR/cleanup
The beauty of what is happening right now is a convergence…. Where these two worlds collide and they have to play together or one sides needs don’t get met.
Much like any relationship or marriage, both parties need satisfaction of their needs for the whole to be healthy. Organizations are not healthy when one dominates the other.
Historically, security needs dominated the business needs – but increasingly so, we see business needs trumping the security world’s needs. Great anecdotes to share here.
Fundamentally, we’ve been stuck in the last decade when it comes to security evolution(s).
Infrastructure underwent huge gains: configuration management innovations (Chef/Puppet), programmatic infrastructure (AWS & other cloud tech), virtualization popularity has taken off, mobile and SaaS have become the norm…
Users have evolved significantly: highly mobile, working from everywhere, using multiple devices, managing credentials to dozens if not hundreds of services they use for work.
Applications: programming languages have surged in popularity (go, erlang, haskell, python, etc), application servers are more robust and intelligent (nginx, etc)
Security tech: still trying to sell giant firewall appliances and similar lame control methodologies. Disruption failed to reach this corner of the tech industry.
People tend to not be the problem here… now there will be occasions where there is an old-school holdout who doesn’t acknowledge the world is changing…
Thankfully the industry will clean them out in short order.
Find me someone who says no to investing in security on today’s apps/services, and I’ll show you tomorrow’s scapegoat when the breach comes. If you get objections to
Investing in security, here’s a few quick tips:
Ask how much remediation/forensics/lost development time/lost customer confidence/bad press costs your company. Then contrast that with the paltry sum you are often asking for.
Ask how much your company spends on insurance. You rarely use that. Security precautions get used on a nearly daily basis.
Identify how security investments (smart ones) can accelerate your time to market, and leverage that business multiplier as justification.
Ask for a written denial… nobody wants to go on paper saying no, especially in today’s world of litigations and shareholder witchunts.
Remember – your job is to protect the company, not be cheap. You can be both, but let’s start with the motivation and then discuss cash logistics on a secondary basis.
So now we have to just figure out how we reinvent security approaches for the new era.
Fundamentally, our traditional security approaches are heavily flawed when applied to cloud infrastructures.
Typical security tech depends on:
presence…being placed inside the direct path of network traffic, kernel/process calls, being located on a host, etc
Network-based stacks (IP scanning, TCP/IP filtering, etc)
Humans to start, manage, and stop the entire lifecycle of the product/service
Infrequently changing resource pools (servers, networks, storage devices, etc)
The challenge is that the cloud provides a huge number of changes to these assumptions that are practically baffling to the incumbent security companies… if you add the agile behaviors that devops orgs
demonstrate, now you really confuse them.
At the same time, attackers have become smarter and used automation to not only enumerate the target-rich world, but also deliver attack payloads and manage their new resources… so one attacker can often outperform hundreds or thousands of defenders. We’re at a technological disadvantage.
If we can take the principles of agile patterns in developing, testing, and deploying software… and splice in a little security DNA, we create a powerful new set of capabilities.
Many teams run quarterly or annual security scans to check a requirement off a list… and some run them more frequently like monthly, or maybe every Friday…
But what do you do when attacks happen after your scan is complete? The dead space between scans is horrific from a risk perspective.
Scan 1 day of the quarter, leaves 98.81% of the quarter unchecked
Scan 1 week of the quarter, leaves 91.77% of the quarter unchecked… it’s frightening
By continuously scanning for threats, misconfigurations, vulnerabilities, and other security issues, organizations can detect threats as they appear (and disappear) from within their complex environments. The only way to detect transient threats, threats that appear and disappear with resources like in cloud environments, is by continuously monitoring for them.
What’s neat about this is you can not only write scripts to continuously monitor IP-layer data, but you can now wrap the control plane of the cloud and leverage that data continuously as well. This means identity changes, policy alterations, resource creation/destruction….all come into clarity.
There’s a number of tools, especially around controls like File Integrity Management/Monitoring (FIM) that are so specialized they are a burden to maintain…
How can we make sure that we have solutions solving multiple purposes of keeping our files consistent and unmodified from a known good state?
We piggy back on the advanced tech we already use so heavily – CM tools like Chef/Puppet/Ansible are built to keep our infrastructure consistent. How irritated are attackers when our nodes keep self-healing modified files or trojaned binaries?
By articulating your desired security configuration state, even that of particular files or directories, you can enforce shifting defenses that keep attackers frustrated and unable to proceed to deeper control/manipulation of your systems. Every time your chef-client or puppet-agent runs, it reverts your system back to desired state, undoing the malicious alteration of key system footholds.
When it comes to the compliance side of security, it’s a daunting realm. PCI, HIPAA, FedRAMP… there’s more frameworks than any individual can keep track of.
As organizations incur incremental technical debt, especially in cloud environments, the effort required to shift an environment back into compliance dramatically increases as time passes. Additionally, over time, we have increasing regulatory and industry pressure to improve the breadth and quality of security controls without regard for the effort involved – labor just isn’t factored in.
So we fight this never-ending battle of human-driven reviews, checklists, endless meetings, spreadsheets, and remediations… only to do it again weeks later. This treadmill prevents real security progress from happening in order to maintain a minimum level of status. The gap increases over time, and never decreases as necessary to make real progress.
So, how do we move forward?
First, we apply a core devops principle – automate the tedium. By combining the stateful