© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Security and DevOps: Agility and Teamwork (SID315, re:Invent 2017)
Introductions
Director, Cloud Security Operations
Founder & SVP Products
Summary
1. DevOps implications on security
2. Developing a blueprint approach to cloud security
3. Lessons from the Citrix cloud journey
What Drives Cloud Adoption?
• Developers are the driving force behind cloud adoption
• Main reason developers are using cloud services? Innovation: the ability to move fast, deploy infrastructure without IT overhead, and ship code without delays
Software Drives Business Innovation
Developer Perspective (chart, 2013 versus 2017): 89% of developers use public cloud (RightScale Survey 2016)
The Innovation Power Shift (diagram): IT Security, Compliance, Software Developers
DevOps Drives Security Agility (Sonatype survey chart: 72% No)
Aligning DevOps with Security
Critical questions to answer:
1. What are we protecting?
2. What controls must be in place?
3. How do you integrate security into your daily workflow?
Reshaping the Security/Dev/Ops Relationship: old school (classic IT) versus new school (sec/dev/ops)
Rules of the Road (No | Yes)
1. Random opinions | Everyone works from the same security blueprint
2. General set of controls | Controls specific to your cloud blueprint
3. Security gateways and overlays | Security is part of immutable infrastructure
4. Periodic audits | Security testing is part of the regression framework
5. Vulnerabilities are escalated and negotiated for resolution | Vulnerabilities are bugs; critical vulnerabilities are critical bugs
Perception versus Reality
Our ability to accurately estimate attack surface is compromised by our weak sense of perception.
More reliable approach:
1. Identify your cloud assets
2. Measure your exposure
3. Implement controls
Blueprint Model for Security
Enumerate Your Cloud Footprint
Generalize common workloads into infrastructure “blueprints”
Blueprint-Driven Approach: key target assets across the full stack
1. Magento application and plugins
2. PHP
3. Apache
4. Nginx
5. Redis
6. MariaDB, Elasticsearch
7. Linux OS and system tools
8. AWS services
Reference architecture diagram (Magento blueprint): users reach the application through Route 53, an Internet gateway and an ELB into a VPC spanning Availability Zone A and Availability Zone B; Auto Scaling groups of EC2 instances run Apache with PHP-FPM, MariaDB runs in each zone, with S3 alongside.
Threat Model (diagram): each blueprint is paired with its own threat model, split into exposure analysis (configuration and vulnerability coverage), pre-compromise analysis (required threat coverage and threat analytics) and post-compromise analysis (required threat coverage, threat analytics and incident analytics), all resting on the required data sources.
Identify Most Relevant Threats: create a threat model for these blueprints
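One way to make the blueprint-plus-threat-model idea above concrete, as an added example that is not code from the talk or from Alert Logic or Citrix: each component of a blueprint carries the attack classes that reach it and the data sources it needs for pre- and post-compromise analysis, and a check reports which components the deployed controls leave uncovered. The component, control and data-source names are constructed for illustration, as is the mapping of controls to data sources.

```python
"""Blueprint-driven coverage check (added example; hypothetical data)."""
from dataclasses import dataclass

# Attack classes named on the "Cloud Attack Surface" slide.
WEB_APP = "web-app attacks (OWASP top 10)"
PLATFORM = "platform/library attacks"
MISCONFIG = "app/system misconfiguration attacks"


@dataclass(frozen=True)
class Component:
    name: str
    layer: str            # position in the application stack
    threats: frozenset    # attack classes that reach this component
    pre: frozenset        # data sources needed for pre-compromise (exposure) analysis
    post: frozenset       # data sources needed for post-compromise analysis


def _c(name, layer, threats, pre, post):
    return Component(name, layer, frozenset(threats), frozenset(pre), frozenset(post))


# Hypothetical threat model for the components of a Magento blueprint.
COMPONENTS = {
    "magento": _c("magento", "web app", {WEB_APP, PLATFORM}, {"vuln-scan", "http-inspection"}, {"web-access-logs"}),
    "php":     _c("php", "dev platform", {PLATFORM}, {"vuln-scan"}, {"host-process-logs"}),
    "apache":  _c("apache", "server-side app", {PLATFORM, MISCONFIG}, {"vuln-scan", "config-audit"}, {"web-access-logs"}),
    "nginx":   _c("nginx", "server-side app", {PLATFORM, MISCONFIG}, {"vuln-scan", "config-audit"}, {"web-access-logs"}),
    "redis":   _c("redis", "server-side app", {MISCONFIG}, {"config-audit"}, {"host-process-logs"}),
    "mariadb": _c("mariadb", "database", {WEB_APP, MISCONFIG}, {"vuln-scan", "config-audit"}, {"db-audit-logs"}),
    "linux":   _c("linux", "server OS", {PLATFORM, MISCONFIG}, {"vuln-scan", "config-audit"}, {"os-auth-logs", "host-process-logs"}),
    "aws":     _c("aws", "infrastructure", {MISCONFIG}, {"cloud-config-audit"}, {"cloudtrail"}),
}

# A blueprint is the list of components a common workload is generalized into.
BLUEPRINTS = {
    "magento-e-com": ["magento", "php", "apache", "nginx", "redis", "mariadb", "linux", "aws"],
}

# Hypothetical controls and the data sources each one delivers.
CONTROLS = {
    "vuln-scanner": {"vuln-scan"},
    "web-inspection": {"http-inspection", "web-access-logs"},
    "host-agent": {"os-auth-logs", "host-process-logs", "config-audit"},
    "cloud-config-assessment": {"cloud-config-audit"},
    "cloudtrail-collector": {"cloudtrail"},
    "db-log-collector": {"db-audit-logs"},
}


def coverage_gaps(blueprint, deployed):
    """Map each under-covered component to the data sources it still needs."""
    provided = set().union(*(CONTROLS[c] for c in deployed))
    gaps = {}
    for name in BLUEPRINTS[blueprint]:
        comp = COMPONENTS[name]
        missing_pre = sorted(comp.pre - provided)
        missing_post = sorted(comp.post - provided)
        if missing_pre or missing_post:
            gaps[name] = {"pre": missing_pre, "post": missing_post}
    return gaps


def exposed_threat_classes(blueprint, deployed):
    """Attack classes whose exposure cannot be measured because a component
    they reach lacks a pre-compromise data source."""
    gaps = coverage_gaps(blueprint, deployed)
    return set().union(*(COMPONENTS[n].threats for n, g in gaps.items() if g["pre"]))


def regression_check(blueprint, deployed):
    """Gate for the regression framework: a coverage gap is a bug, so the
    check fails (returns False) rather than being negotiated later."""
    return not coverage_gaps(blueprint, deployed)


if __name__ == "__main__":
    partial = ["vuln-scanner", "web-inspection", "host-agent"]
    for comp, gap in coverage_gaps("magento-e-com", partial).items():
        print(f"{comp}: missing pre={gap['pre']} post={gap['post']}")
    print("exposed:", sorted(exposed_threat_classes("magento-e-com", partial)))
    print("passes:", regression_check("magento-e-com", list(CONTROLS)))
```

With only a scanner, web inspection and a host agent deployed, the check flags MariaDB (no post-compromise database audit logs) and the AWS layer (no configuration assessment and no CloudTrail collection), so misconfiguration exposure at the infrastructure layer is unmeasured; wiring `regression_check` into the pipeline is what turns "periodic audits" into "security testing as part of the regression framework".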
Cloud Attack Surface
The Application Stack (diagram, top to bottom): Web Apps, Server-Side Apps, App Frameworks, Dev Platforms, Server OS, Hypervisor, Infrastructure; Databases
Attacks by layer: web app attacks (OWASP top 10), platform/library attacks, app/system misconfiguration attacks
Attackers are moving up the stack:
1. Wide range of attacks at every layer of the stack
2. Rapidly changing codebase can introduce unknown vulnerabilities
3. Long tail of exposures inherited from third-party development tools
4. Extreme shortage of cloud and application security expertise
Attack Surface Factors
Factor | Impact | Technology Triggers
Custom-built complex web code | Broad attack surface and numerous opportunities for hidden vulnerabilities
Open or commercial development frameworks | Vulnerabilities inherited from open source community or software vendors
Three-tier architecture with relational databases | Increased risk of SQL injection, the number one web attack method in volume and impact
Open and interconnected | Easily accessible from the outside world by valid users and attackers alike
Legacy code | Technical debt means increased risk of compromise
Hybrid environments | Risk of a breach is compounded when cloud and on-premises datacenters are linked
Integrated Alert Logic Controls for Broad Coverage
Build Coverage Model (diagram): Blueprint → Three-Tier, Classic Web, Micro-service; E-Com Blueprint, CMS Blueprint → Magento Blueprint, WordPress Blueprint, Drupal Blueprint
Coverage: OWASP Top 10, SQL-injection attacks, LAMP target coverage, critical application coverage, deep HTTP inspection with anomaly detection, supervised machine learning, data-driven intrusion defense, coverage for key app components
Full Stack Security Coverage
Pre-compromise | Compromise | Lateral Movement | Incident Investigation
Assess Exposure → Block Critical Attacks → Automatic Detection (Block | Alert | Log; ML Algorithms; Rules & Analytics) → Investigation System (Visual | Context | Hunt), backed by Security Experts
Collect web, host, network data
Cloud Security Maturity Model
1. Non-Cloud Native (Traditional Security)
• Lift & Ship infrastructure migration
• Traditional on-premises security tools and processes
• Limited agility
2. Basic Cloud Security (Basic Cloud Security Tooling)
• Agile development team coupled to an immature security program
• Minimal use of cloud provider and OSS security tools
3. Cloud Native Security (DevOps Integration)
• Security infrastructure is part of the deployment pipeline
• Full stack protection across networks, systems, and applications
• Security does not slow down innovation
4. Cloud Security Lifecycle (SecDevOps Integration)
• Security process is part of the continuous integration pipeline
• Mature security assessment and testing program is part of the code deployment process
• Maximum agility and security
Announcing Cloud Insight Essentials
$49 per account/month
Configuration Exposure Management | Incident Response Support for Amazon GuardDuty
• Explains threats
• Shows context
• Recommends action
• Manages incidents
• Tracks progress
REST API
Simple. Affordable. Essential.
Citrix Security DevOps Journey
misha@alertlogic.com
joey.peloquin@citrix.com