Continuous Security
The DevOps Way
Tim Prendergast
Founder: Evident.io
Tweeter: @Auxome
@Auxome / @Evidentdotio
#devsecops
Why I’m Here
THIS IS THE SECURITY ROLLERCOASTER
SecOps: Elation, Pain, Suffering, Winning, Losing, Failing, Innovating
Why Do Security?
REGULATORY
INDUSTRIAL
SELF-IMPOSED
IMPOSED UPON YOU
PARTNERS DEMAND IT
CUSTOMERS DEMAND IT
PROTECT YOUR IP
STEAL THEIR IP >:)
REASONS VARY BY ORGANIZATION
Needs of DevOps

Needs of Security
A Converged World…
[Slide graphic: the Dev, Sec and Ops icons joined by “&”]
We’ve Been Stuck…
SECURITY has NOT EVOLVED as rapidly as INFRASTRUCTURE
The Gap is Technical
OVERCOMING people-objections is EASY
MSS (Modern Security Sucks)
Dependent on presence
Doesn’t understand non-TCP/IP stacks
Too human-dependent
Assumptions that resources are relatively static
Attackers use automation, defenders do not
Security companies don’t get Cloud & DevOps
DevSecOps > sum(dev,sec,ops)
Take the best of Dev, Sec, and Ops
Now we can have some fun…
DevSecOps, Rugged DevOps… a rose
DevOps.com published a great e-book at RSA:
http://devops.com/2015/04/20/the-rugged-devops-ebook/
Disclaimer: Evident.io was one of the corporate sponsors for the production cost of the book – we believe in it!
Security Scanning
Old & Busted: Run security scans weekly/monthly/quarterly. Does this work in dynamic environments?
New & Hot: Continuous scanning for threats. Bonus — API-based services, too!
Security analysis at time (T)
[Diagram: a scan node polling hosts (Host N …) and cloud API services (Svc N …, Svc A)]
No unexpected results/changes

Security analysis at time (T+1)
[Diagram: same scan node, hosts and services; an Identity Change is flagged]
A user identity disabled MFA

Security analysis at time (T+2)
[Diagram: same scan node, hosts and services; a Malicious Host is flagged]
A new host running an unapproved image appears

Security analysis at time (T+3)
[Diagram: same scan node, hosts and services; nothing flagged]
Both malicious security events have exited
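The four slides above describe continuous scanning as a sequence of snapshots: every scan evaluates the current inventory against policy and compares its findings with the previous scan, so that a disabled MFA at T+1, a rogue host at T+2, and the disappearance of both at T+3 are each reported as they happen. The following is an added example that is not code from the talk, from Evident.io, or from any real scanner; the snapshot shape, the image allow-list and the identity/host IDs are constructed sample data standing in for cloud API output.

```python
"""Continuous scanning as snapshot-over-time comparison.

Added example (not code from the talk, Evident.io, or any real scanner).
It models the T, T+1, T+2, T+3 slides: every scan pulls an inventory
snapshot, evaluates it against policy, and compares the resulting findings
with the previous scan so that new and resolved events are both reported.
All snapshots are constructed sample data, not real cloud API output.
"""
from dataclasses import dataclass

# Constructed allow-list of images that hosts may run (hypothetical IDs).
APPROVED_IMAGES = {"ami-hardened-base-v3", "ami-hardened-web-v3"}


@dataclass(frozen=True)
class Finding:
    kind: str      # e.g. "identity_change" or "malicious_host"
    subject: str   # identity name or host ID the finding is about
    detail: str

    def key(self):
        """Identity of a finding across scans: same kind and subject."""
        return (self.kind, self.subject)


def evaluate(snapshot):
    """Apply policy to one inventory snapshot and return its findings."""
    findings = []
    for name, ident in sorted(snapshot["identities"].items()):
        if not ident["mfa"]:
            findings.append(Finding("identity_change", name, "MFA disabled"))
    for host_id, host in sorted(snapshot["hosts"].items()):
        if host["image"] not in APPROVED_IMAGES:
            findings.append(Finding("malicious_host", host_id,
                                    f"running unapproved image {host['image']}"))
    return findings


def diff_findings(previous, current):
    """Split findings into opened (new since last scan) and closed (gone)."""
    prev_keys = {f.key() for f in previous}
    cur_keys = {f.key() for f in current}
    opened = [f for f in current if f.key() not in prev_keys]
    closed = [f for f in previous if f.key() not in cur_keys]
    return opened, closed


def run_timeline(snapshots):
    """Scan each (time, snapshot) in order; return per-scan open/opened/closed."""
    report = {}
    previous = []
    for time, snapshot in snapshots:
        current = evaluate(snapshot)
        opened, closed = diff_findings(previous, current)
        report[time] = {"open": current, "opened": opened, "closed": closed}
        previous = current
    return report


def sample_timeline():
    """Constructed inventory snapshots reproducing the four slides."""
    base_hosts = {"i-0a1": {"image": "ami-hardened-base-v3"},
                  "i-0a2": {"image": "ami-hardened-web-v3"}}
    t0 = {"identities": {"alice": {"mfa": True}, "bob": {"mfa": True}},
          "hosts": dict(base_hosts)}
    # T+1: alice has turned MFA off.
    t1 = {"identities": {"alice": {"mfa": False}, "bob": {"mfa": True}},
          "hosts": dict(base_hosts)}
    # T+2: a host running an image that is not on the allow-list appears.
    t2 = {"identities": t1["identities"],
          "hosts": {**base_hosts, "i-bad": {"image": "ami-unknown-0000"}}}
    # T+3: MFA is back on and the rogue host is gone.
    t3 = {"identities": {"alice": {"mfa": True}, "bob": {"mfa": True}},
          "hosts": dict(base_hosts)}
    return [("T", t0), ("T+1", t1), ("T+2", t2), ("T+3", t3)]


if __name__ == "__main__":
    for time, r in run_timeline(sample_timeline()).items():
        print(f"{time}: open={len(r['open'])} "
              f"opened={[f.key() for f in r['opened']]} "
              f"closed={[f.key() for f in r['closed']]}")
```

The point of keying findings on (kind, subject) is that the scanner can report both edges of an event: the opened list is what a weekly scan would also catch eventually, but the closed list at T+3 is only visible because the scans are frequent enough to bracket the change, which is what makes the difference in a dynamic environment.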
Host Integrity
Old & Busted: Expensive, single-purpose tools
New & Hot: Helllooooo, Chef/Puppet/Ansible
Cool security-related CfgMgmt Resources
https://github.com/hardening-io/chef-os-hardening
https://supermarket.chef.io/cookbooks/aws_security
https://supermarket.chef.io/cookbooks/cis_benchmark
https://forge.puppetlabs.com/netmanagers/fail2ban
https://forge.puppetlabs.com/arusso/iptables
… and so many more!!!
Compliance
Old & Busted: Quarterly audits, manual reviews
New & Hot: Automated compliance audits
“You are in direct violation of PCI DSS 3.0 requirement 3 section 6.1. You have 10 seconds to comply…”
Enforcement
Old & Busted: Manual, reactive behaviors
New & Hot: Automated defense
Automated Defense Toys
Best open-sourced example: SecuritySquirrel (by Rich Mogull of Securosis)
https://github.com/securosis/securitysquirrel
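Automated defense, as the Enforcement slides describe it, means a finding triggers a predefined response instead of a ticket. The example below is added here and is not code from the talk and not SecuritySquirrel; it shows the pattern with the two guardrails a practitioner wants before letting a responder act on its own: an audit-only mode and a protected-identity list so the automation cannot lock out break-glass access. The `cloud` dict, the quarantine security group, the identity names and the findings are constructed stand-ins for a real cloud API and scanner output.

```python
"""Automated defense: findings drive a fixed remediation playbook.

Added example, not code from the talk and not SecuritySquirrel. A finding
triggers a predefined, reversible, logged response. Two guardrails: an
audit-only mode that touches nothing, and a protected-identity list that is
escalated to a human instead of acted on. The in-memory `cloud` dict and the
findings are constructed stand-ins for a real cloud API and scanner.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str     # "identity_change" or "malicious_host", as a scanner would emit
    subject: str  # identity name or host ID
    detail: str


# Identities that automation must never disable; these get escalated instead.
PROTECTED_IDENTITIES = {"breakglass-admin"}
QUARANTINE_SG = "sg-quarantine"   # constructed: a security group with no ingress/egress


def disable_access_keys(cloud, identity):
    """Freeze API access for an identity that lost MFA. Idempotent."""
    ident = cloud["identities"][identity]
    if not ident["keys_active"]:
        return "noop"
    ident["keys_active"] = False
    return "done"


def quarantine_host(cloud, host_id):
    """Move a host into an isolating security group for examination. Idempotent."""
    host = cloud["hosts"][host_id]
    if host["security_group"] == QUARANTINE_SG:
        return "noop"
    host["previous_security_group"] = host["security_group"]  # kept for rollback
    host["security_group"] = QUARANTINE_SG
    return "done"


# Finding kind -> (action name, handler). Unlisted kinds are logged, not acted on.
PLAYBOOK = {
    "identity_change": ("disable_access_keys", disable_access_keys),
    "malicious_host": ("quarantine_host", quarantine_host),
}


def respond(cloud, findings, mode="enforce"):
    """Apply the playbook to each finding; return the audit trail as tuples.

    mode="audit" records what would happen without modifying `cloud`.
    """
    trail = []
    for f in findings:
        entry = PLAYBOOK.get(f.kind)
        if entry is None:
            trail.append(("skip", f.kind, f.subject, "no playbook entry"))
            continue
        name, handler = entry
        if f.kind == "identity_change" and f.subject in PROTECTED_IDENTITIES:
            trail.append(("escalate", name, f.subject, "protected identity, human review"))
            continue
        if mode == "audit":
            trail.append(("would", name, f.subject, f.detail))
            continue
        trail.append((handler(cloud, f.subject), name, f.subject, f.detail))
    return trail


def sample_cloud():
    """Constructed inventory state matching the T+2 slide."""
    return {
        "identities": {"alice": {"keys_active": True},
                       "breakglass-admin": {"keys_active": True}},
        "hosts": {"i-bad": {"security_group": "sg-web"}},
    }


SAMPLE_FINDINGS = [   # constructed scanner output
    Finding("identity_change", "alice", "MFA disabled"),
    Finding("identity_change", "breakglass-admin", "MFA disabled"),
    Finding("malicious_host", "i-bad", "running unapproved image ami-unknown-0000"),
    Finding("open_bucket", "logs-archive", "no playbook for this kind"),
]


if __name__ == "__main__":
    cloud = sample_cloud()
    for line in respond(cloud, SAMPLE_FINDINGS, mode="audit"):
        print("audit:", line)
    for line in respond(cloud, SAMPLE_FINDINGS):
        print("enforce:", line)
```

Run the responder in audit mode against real findings for a while before switching to enforce; the trail it produces is the same shape either way, so the dry run tells you exactly which actions automation would have taken, and the idempotent handlers mean a re-run after a scan that still shows the same finding does no further damage.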
What to Take Away
1. Don’t wait for security to come to you – chase it
2. Automate your security behaviors
3. Champion the marriage of DevOps & Security
Any questions?
https://www.evident.io


Editor’s Notes

  1. Welcome everybody! I know why all of you are here today… but let me tell you a little bit about why I am here. Security Practitioner for >20 years Working with AWS since 2006ish and other cloud platforms for the past 3-4 years. My favorite part of this industry and my career is rethinking how we apply security concepts and reinventing the way we envision security…and then sharing that with others. SecOps is one of those tragedy industries. Lots of failure, pain, bad publicity, victimization…all of the bad things about tech manifest themselves most fully in this space. It is also, however, one of the most rewarding. It’s a rollercoaster of emotions, technology, and conflict.
  2. Why bother with it, if it’s such a PITA? Various industries have various reasons… often related to state or federal regulations for their businesses. We see this increasingly so in today’s world full of data breaches and consumer records losses. Customers and Partners are increasingly more security-conscious with their relationships and vendors. They can suffer collateral damage to their reputation if close allies are breached. Courts and Regulatory Bodies can impose security constraints on organizations who have egregiously incurred security breaches. Protecting your IP from attackers is a huge driver, or conversely stealing the IP of targets has become a profitable and nation-sponsored past-time.
  3. Resilience – the ability of our services and products to degrade gracefully without loss of data, self-heal, and manage loads effectively even under stress. Flexibility – the ability of our platforms and services to easily sway as the winds of business and consumer favor change, all without painful rewrites/rearchitecting Reliability – the service or product always being there when accessed… this means process, technology, and people all behave in reliable manners. Speed – enabling organizations to move quickly to capitalize on opportunity and customer favor, without long cycles of development/deployment. Automation – Wrapping manual processes wherever possible in automation frameworks, scaling humans like we can scale systems.
  4. Stability – security needs a consistency in environments over periods of time to ensure change entropy does not break functional security implementations/practices Control – IT departments need to ensure that they can manage the danger lurking inside or outside the walls through policy and strategy. Accountability – Ensuring we know who does what, and can always review the audit trail to determine malicious or unintentional security failures. Confidence – The ability to communicate with shareholders, the board, and executive management that the organization is upholding it’s obligation to various bodies of regulation/industry when it comes to security. Risk Aversion – security’s need to mitigate risk through various methods… because they have to respond to do IR/cleanup
  5. The beauty of what is happening right now is a convergence…. Where these two worlds collide and they have to play together or one sides needs don’t get met. Much like any relationship or marriage, both parties need satisfaction of their needs for the whole to be healthy. Organizations are not healthy when one dominates the other. Historically, security needs dominated the business needs – but increasingly so, we see business needs trumping the security world’s needs. Great anecdotes to share here.
  6. Fundamentally, we’ve been stuck in the last decade when it comes to security evolution.
     Infrastructure underwent huge gains: configuration management innovations (Chef/Puppet), programmatic infrastructure (AWS and other cloud tech), virtualization has taken off, mobile and SaaS have become the norm.
     Users have evolved significantly: highly mobile, working from everywhere, using multiple devices, managing credentials to dozens if not hundreds of services they use for work.
     Applications: programming languages have surged in popularity (Go, Erlang, Haskell, Python, etc.), application servers are more robust and intelligent (nginx, etc.).
     Security tech: still trying to sell giant firewall appliances and similar lame control methodologies. Disruption failed to reach this corner of the tech industry.
  7. People tend not to be the problem here… now there will be occasions where there is an old-school holdout who doesn’t acknowledge the world is changing… thankfully the industry will clean them out in short order. Find me someone who says no to investing in security on today’s apps/services, and I’ll show you tomorrow’s scapegoat when the breach comes. If you get objections to investing in security, here are a few quick tips:
     Ask how much remediation/forensics/lost development time/lost customer confidence/bad press costs your company. Then contrast that with the paltry sum you are often asking for.
     Ask how much your company spends on insurance. You rarely use that. Security precautions get used on a nearly daily basis.
     Identify how security investments (smart ones) can accelerate your time to market, and leverage that business multiplier as justification.
     Ask for a written denial… nobody wants to go on paper saying no, especially in today’s world of litigation and shareholder witch hunts.
     Remember – your job is to protect the company, not to be cheap. You can be both, but let’s start with the motivation and then discuss cash logistics on a secondary basis. So now we just have to figure out how we reinvent security approaches for the new era.
  8. Fundamentally, our traditional security approaches are heavily flawed when applied to cloud infrastructures. Typical security tech depends on:
     presence… being placed inside the direct path of network traffic or kernel/process calls, being located on a host, etc.
     network-based stacks (IP scanning, TCP/IP filtering, etc.)
     humans to start, manage, and stop the entire lifecycle of the product/service
     infrequently changing resource pools (servers, networks, storage devices, etc.)
     The challenge is that the cloud changes these assumptions in a huge number of ways that are practically baffling to the incumbent security companies… and if you add the agile behaviors that devops orgs demonstrate, now you really confuse them. At the same time, attackers have become smarter and use automation not only to enumerate the target-rich world, but also to deliver attack payloads and manage their newly acquired resources… so one attacker can often outperform hundreds or thousands of defenders. We’re at a technological disadvantage.
  9. If we can take the principles of agile patterns in developing, testing, and deploying software… and splice in a little security DNA, we create a powerful new set of capabilities.
  10. Many teams run quarterly or annual security scans to check a requirement off a list… and some run them more frequently, like monthly or maybe every Friday. But what do you do when attacks happen after your scan is complete? The dead space between scans is horrific from a risk perspective. Scanning 1 day of the quarter leaves 98.81% of the quarter unchecked; scanning 1 week of the quarter leaves 91.77% of the quarter unchecked… it’s frightening.
  11. By continuously scanning for threats, misconfigurations, vulnerabilities, and other security issues, organizations can detect threats as they appear (and disappear) within their complex environments. The only way to detect transient threats, threats that appear and disappear along with resources as they do in cloud environments, is by continuously monitoring for them. What’s neat about this is that you can not only write scripts to continuously monitor IP-layer data, but you can now wrap the control plane of the cloud and leverage that data continuously as well. This means identity changes, policy alterations, resource creation/destruction… all come into clarity.
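The control-plane scanning described here, as an added example that is not from the deck or from Evident.io: two snapshots of an account's identities taken on consecutive scan cycles (T and T+1, matching the slides) are diffed, and security-relevant changes such as a disabled MFA device or a newly attached admin policy become findings. The snapshots are constructed inline; pulling them from the cloud provider's identity API each cycle is assumed, not shown.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed snapshots of the identity control plane at two scan cycles.
# A real scanner would fetch these from the provider's identity API every
# cycle (assumed here); only the attributes the scanner tracks are kept.
SNAPSHOT_T: Dict[str, dict] = {
    "alice": {"mfa_enabled": True, "policies": ["ReadOnly"], "access_keys": 1},
    "bob": {"mfa_enabled": True, "policies": ["Deploy"], "access_keys": 1},
}
SNAPSHOT_T1: Dict[str, dict] = {
    "alice": {"mfa_enabled": False, "policies": ["ReadOnly"], "access_keys": 1},
    "bob": {"mfa_enabled": True, "policies": ["Deploy", "AdministratorAccess"],
            "access_keys": 2},
    "svc-deploy": {"mfa_enabled": False, "policies": ["Deploy"], "access_keys": 1},
}

@dataclass(frozen=True)
class Finding:
    severity: str
    user: str
    message: str

def diff_identities(before: Dict[str, dict], after: Dict[str, dict]) -> List[Finding]:
    """Compare two control-plane snapshots and report security-relevant changes."""
    findings: List[Finding] = []
    for user, cur in after.items():
        prev = before.get(user)
        if prev is None:
            # An identity absent from the previous scan is itself a change.
            findings.append(Finding("medium", user, "new identity created since last scan"))
            if not cur["mfa_enabled"]:
                findings.append(Finding("high", user, "new identity has no MFA"))
            continue
        if prev["mfa_enabled"] and not cur["mfa_enabled"]:
            findings.append(Finding("high", user, "MFA disabled"))
        for policy in sorted(set(cur["policies"]) - set(prev["policies"])):
            severity = "high" if "admin" in policy.lower() else "low"
            findings.append(Finding(severity, user, f"policy attached: {policy}"))
        if cur["access_keys"] > prev["access_keys"]:
            findings.append(Finding("medium", user, "additional access key created"))
    for user in sorted(before.keys() - after.keys()):
        findings.append(Finding("low", user, "identity deleted since last scan"))
    return findings

if __name__ == "__main__":
    for f in diff_identities(SNAPSHOT_T, SNAPSHOT_T1):
        print(f"[{f.severity:>6}] {f.user}: {f.message}")
```

Run on every scan cycle with the previous snapshot persisted, the same diff catches a change that appears and is reverted between two scheduled scans only if the cycle is shorter than the window in which it existed, which is the argument for making the cycle continuous.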
  12. There are a number of tools, especially around controls like File Integrity Management/Monitoring (FIM), that are so specialized they are a burden to maintain… How can we make sure we have solutions that serve multiple purposes, one of them being to keep our files consistent and unmodified from a known-good state?
  13. We piggyback on the advanced tech we already use so heavily – CM tools like Chef/Puppet/Ansible are built to keep our infrastructure consistent. How irritated are attackers when our nodes keep self-healing modified files or trojaned binaries? By articulating your desired security configuration state, even that of particular files or directories, you can enforce shifting defenses that keep attackers frustrated and unable to proceed to deeper control/manipulation of your systems. Every time your chef-client or puppet-agent runs, it reverts your system to the desired state, undoing any malicious alteration of key system footholds.
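The self-healing behaviour described here, as an added example that is not the deck's or any CM tool's own code: a minimal desired-state converge loop, in the spirit of a chef-client or puppet-agent run, hashes each managed file against its known-good content and rewrites anything that has drifted or been removed. The managed files, their contents and the simulated tampering are all constructed inside a temporary directory.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# Constructed desired state: relative path -> known-good content.
# A CM tool would hold this in a recipe/manifest; here it is a dict.
DESIRED_STATE: Dict[str, bytes] = {
    "etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup\n",
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def converge(root: str, desired: Dict[str, bytes]) -> List[str]:
    """Bring every managed file under `root` back to its desired content.

    Returns the relative paths that had drifted (modified or missing)
    and were remediated on this run; an empty list means steady state.
    """
    remediated: List[str] = []
    for rel, content in desired.items():
        path = os.path.join(root, rel)
        current = None
        if os.path.exists(path):
            with open(path, "rb") as fh:
                current = fh.read()
        if current is not None and sha256(current) == sha256(content):
            continue  # matches the known-good hash, nothing to do
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)  # revert to desired state
        remediated.append(rel)
    return remediated

def demo() -> Tuple[List[str], List[str]]:
    """Lay down desired state, simulate tampering, then run the agent twice."""
    root = tempfile.mkdtemp()
    converge(root, DESIRED_STATE)  # first run: creates the managed files
    with open(os.path.join(root, "etc/ssh/sshd_config"), "ab") as fh:
        fh.write(b"PermitRootLogin yes\n")  # constructed malicious edit
    os.remove(os.path.join(root, "etc/cron.d/backup"))  # constructed deletion
    after_tamper = converge(root, DESIRED_STATE)  # next run reverts both
    steady = converge(root, DESIRED_STATE)  # nothing drifted, nothing to do
    return after_tamper, steady

if __name__ == "__main__":
    print("remediated on run after tampering:", demo()[0])
```

The list returned by each run is the audit trail: a non-empty result on a scheduled run is exactly the "file changed from known-good state" event a dedicated FIM tool would raise, produced by the tool you already run.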
  14. When it comes to the compliance side of security, it’s a daunting realm. PCI, HIPAA, FedRAMP… there are more frameworks than any individual can keep track of. As organizations incur incremental technical debt, especially in cloud environments, the effort required to shift an environment back into compliance increases dramatically as time passes. Additionally, over time we face increasing regulatory and industry pressure to improve the breadth and quality of security controls without regard for the effort involved – labor just isn’t factored in. So we fight this never-ending battle of human-driven reviews, checklists, endless meetings, spreadsheets, and remediations… only to do it again weeks later. This treadmill prevents real security progress from happening, because all the effort goes into maintaining a minimum level of status. The gap increases over time, and never decreases as it would need to for real progress.
  15. So, how do we move forward? First, we apply a core devops principle – automate the tedium. By combining the stateful