Enterprise Cloud Security via DevSecOps Who are we?

Transcription

Enterprise Cloud Security via DevSecOps Who are we?
Enterprise Cloud Security via
DevSecOps
Shannon Lietz
Cloud Sec. Eng. Leader
Intuit
Shrikant Raman
Engagement Mgr
FireEye
Who are we?



We’ve developed and operated some of
the largest Security Operations Centers
We’ve led crisis management for some of
the world’s largest breaches
We’ve worked in the Cloud before it was a
Cloud (and cool), anyone remember utility
computing…circa 2002?
2
What is DevSecOps?
Problem Statement
 DevOps requires continuous deployments

Fast decision making is critical to DevOps success

Traditional Security just doesn’t scale…
Welcome DevSecOps…

Customer focused mindset

Scale, Scale, Scale

Objective Criteria

Proactive Hunting

Continuous Detection & Response
3
How did we discover DevSecOps?





Pain
Trial & Error
Blood, sweat & tears
Ouch, my head hurts!
It would have been great
to hear this speech a
couple years ago….
Bang
Head
Here
4
Speaking from experience…
DevSecOps is NOT…

Application Security on Steroids

an embedded resource model

always saying yes to the business

a one-size-fits all program

a continuance of the Culture of “No”

Compliance Gone Wild

a Complex set of requirements

Security for security’s sake

SecDevOps, DevOpsSec, RuggedOps, other...
DOH!!
5
Cloud huh? What the heck is a software
defined environment?
Migrating into the cloud…
−
−
−
−
Compliance didn’t take us far
before we stopped scaling…
We couldn’t keep up with
deployments without
automation…
Standard Security Operations
did not work…
And we needed far more data
than we expected to help the
business make decisions…
Security
Engineering
Compliance
Ops
DevSecOps
Security
Ops
Security
Science
6
The Art of DevSecOps
DevSecOps
Security
Engineering
Security
Operations
Security
Science
Compliance
Operations
Experiment,
Automate,
Test
Hunt,
Detect,
Contain
Learn,
Measure,
Forecast
Respond,
Manage,
Train
7
Tools of the Trade

Start coding…
−
−

Find solutions and integrate…
−
−
−
−

DevSecOps Toolkit
Security Services & APIs
Filtering & Intelligence
Big Data
Threat Analytics
Case Management
Hold people accountable
−
Metrics & Reporting
8
Tools of the Trade

Code in development :
- Use cloudwatch / TAP to detect DoS attacks
 >X concurrent sessions
 Monitor and determine if need to scale elastically or cut off access
−
Use TAP APIs to look for AWS credential usage and scour the
interweb for leaked credentials.
 Automatically cycle AWS credentials and issue new credentials,
assuming the old credentials were compromised
−
Use TAP APIs to identify S3 bucketfinder activity
 Automatically block further searches
−
Use internal data and data mining to predict attacks before they
happen ala OpenDNS’ Security Graph
9
DevSecOps Toolkit
DEMO
10
TAPping into Detection & Response
DEMO
11
What have we learned?




Not much within the industry that can be re-used
Cloud context requires details and is difficult to obtain
It’s important for us to use the same platforms and tools as
the teams and applications we are helping to defend
Our job is to translate security information into the actions
we need from other teams
12
Q&A
DevSecOps Manifesto at:
http://www.devsecops.org
DevSecOps Toolkit at:
https://github.com/devsecops
shannon lietz -> shannon@devsecops.org
shrikant raman -> shrikant.raman@mandiant.com
13

Similar documents