28
Continuous Security The DevOps Way Tim Prendergast Founder: Evident.io Tweeter: @Auxome @Auxome / @Evidentdotio #devsecops
Continuous SecurityThe DevOps Way
Tim PrendergastFounder: Evident.io
Tweeter: @Auxome
@Auxome / @Evidentdotio
#devsecops
@Auxome
Why I’m Here
THIS IS THE SECURITY ROLLERCOASTER
Elation Pain Suffering Winning Losing Failing InnovatingSecOps
@Auxome
Why Do Security?
REGULATORY
PARTNERS DEMAND ITINDUSTRIAL
SELF-IMPOSED
IMPOSED UPON YOU
CUSTOMERS DEMAND IT
PROTECT YOUR IP
STEAL THEIR IP >:)
REASONS VARY BY ORGANIZATION
@Auxome
Needs of DevOps
SPEEDRELIABILITY
RESILIENCE
FLEXIBILITY
AUTOMATION
@Auxome
Needs of Security
ACCOUNTABILITY
CONFIDENCE
STABILITYCONTROL
RISK AVERSION
@Auxome
A Converged World…
ACCOUNTABILITYCONFIDENCE
STABILITYCONTROL
RISK AVERSIONSPEED
RELIABILITY
RESILIENCEFLEXIBILITY
AUTOMATION
&&&&
&SPEED
RELIABILITY
RESILIENCEFLEXIBILITY
AUTOMATION
ACCOUNTABILITYCONFIDENCE
STABILITYCONTROL
RISK AVERSION
@Auxome
We’ve Been Stuck…
SECURITYhas NOT
EVOLVEDas rapidly as
INFRASTRUCTURE
@Auxome
The Gap is Technical
OVERCOMINGpeople-objections
is EASY
@Auxome
MSS (Modern Security Sucks)
Dependent on presence
Doesn’t understand non-TCP/IP stacks
Too human-dependent
Assumptions that resources are relatively static
Attackers use automation, defenders do not
Security companies don’t get Cloud & DevOps
@Auxome
DevSecOps > sum(dev,sec,ops)
Take the best of
Now we can have some fun…Dev , Sec , and Ops
@Auxome
DevSecOps, Rugged DevOps… a rose
DevOps.com published a great e-book at RSA:
http://devops.com/2015/04/20/the-rugged-devops-ebook
/
Disclaimer: Evident.io was one of the corporate sponsors for the production cost of the book – we believe in it!
@Auxome
Security Scanning
Old & Busted: Run security scans weekly/monthly/quarterly
Does this work in dynamic environments?
@Auxome
New & Hot: Continuous scanning for threats
Bonus — API-based services, too!
Security Scanning
@Auxome
Security analysis at time (T)
Scan Node
Host NHost NHost NHost N
Cloud API Svc NSvc NSvc NSvc NSvc NSvc NSvc NSvc NSvc N
Svc NSvc NSvc NSvc NSvc NSvc NSvc NSvc NSvc A
IP Scans
API Scans
No unexpected results/changes
@Auxome
Security analysis at time (T+1)
Scan Node
Host NHost NHost NHost N
Cloud API Svc NSvc NSvc NSvc NSvc NSvc NSvc NSvc NSvc N
Svc NSvc NSvc NSvc NSvc NSvc NSvc NSvc NSvc A
IP Scans
API Scans
A user identity disabled MFA
Iden-tity
Change
@Auxome
Security analysis at time (T+2)
Scan Node
Host NHost NHost NHost N
Cloud API Svc NSvc NSvc NSvc NSvc NSvc NSvc NSvc NSvc N
Svc NSvc NSvc NSvc NSvc NSvc NSvc NSvc NSvc A
IP Scans
API Scans
A new host running an unapproved im-age appears
Malicious Host
@Auxome
Security analysis at time (T+3)
Scan Node
Host NHost NHost NHost N
Cloud API Svc NSvc NSvc NSvc NSvc NSvc NSvc NSvc NSvc N
Svc NSvc NSvc NSvc NSvc NSvc NSvc NSvc NSvc A
IP Scans
API Scans
Both malicious security events have exited
@Auxome
@Auxome
Host Integrity
Old & Busted:Expensive, Single-purpose tools
@Auxome
New & Hot:Helllooooo, Chef/Puppet/Ansible
Host Integrity
@Auxome
Cool security-related CfgMgmt Resourceshttps://github.com/hardening-io/chef-os-
hardeninghttps://supermarket.chef.io/cookbooks/
aws_securityhttps://supermarket.chef.io/cookbooks/
cis_benchmarkhttps://forge.puppetlabs.com/netmanagers/
fail2banhttps://forge.puppetlabs.com/arusso/iptables
… and so many more!!!
@Auxome
Compliance
Old & Busted:Quarterly Audits, Manual Reviews
@Auxome
New & Hot: Automated Compliance Audits
Compliance
“You are in direct violation of PCI DSS 3.0 requirement 3 section 6.1. You have 10 seconds to comply…”
@Auxome
Old & Busted:Manual, Reactive behaviors
Enforcement
@Auxome
New & Hot:Automated Defense
Enforcement
@Auxome
Automated Defense Toys
Best Example that is opensourced:SecuritySquirrel (by Rich Mogull of Securosis)https://github.com/securosis/securitysquirrel
@Auxome
What to Take Away
Don’t wait for security to come to you – chase it1
Automate your security behaviors2
Champion the marriage of DevOps & Security3
@Auxome
Any questions?
@Auxomehttps://www.eviden-
t.io
