Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - Shannon Lietz
1. Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World!
Session ID: PROF-T11
#RSAC
Shannon Lietz
Director, DevSecOps
Intuit
@devsecops
3. How we’ll spend our time today…
Educate + Learn = Apply
So that we can achieve safer software sooner in our lifetime.
…the next generation of security is ours to ignite!
In hopes of speeding up your journey and inspiring you to rebel in your own way…
I have banged my head against the wall many times to bring you these lessons…
4. Most say it’s never a good idea to break the rules... until the forces of change demand it.
5. Software is eating the world!!!
-Marc Andreessen, 2011
http://www.wsj.com/articles/SB10001424053111903480904576512250915629460
6. DevOps is eating the world!!!
Imagine solving the world’s problems faster by collaborating and taking responsibility.
In connection with Cloud Computing, DevOps is the cultural enabler needed to scale creativity and innovation.
With the goal of solving customer problems faster, no wonder DevOps is taking over.
(Chart annotation: ~1500% increase in 2 years)
7. Cloud is eating the world!!!
Public Cloud adoption is accelerating at a rapid pace…
Software defined environments allow scale to happen and more decisions to be made daily…
More people can experiment, learn and fail at a rapid pace to solve for customer demand….
Creativity is the next frontier…
http://www.geekwire.com/2016/study-aws-45-share-public-cloud-infrastructure-market-microsoft-google-ibm-combined/
9. Security is viewed as the proctologist of the technology universe… and we really need to change this perception!
(Source: @petecheslock, http://www.flowmotioncafe.com)
11. WE MUST AVOID SECURITY EXTINCTION…
(Diagram: "Security DNA" with the labels DevOps, Cloud, Leader, Mobile, IoT and End Users)
13. Why is this necessary?
(Diagram: evolution map. Horizontal axis "evolution": genesis → custom-built → product (+rental) → commodity (+utility). Vertical axis "value": visible → invisible. Plotted components: customer, compliance, devsecops, compute, cloud, compliance as code, informational website, domain names, devops, continuous deployment, continuous integration, transparent security, rugged software, fewer better suppliers, security as code, agile, mobile, customer-driven innovation, traditional SDLC, traditional security, web app, search engine, red team, penetration testing. Annotations: "commodity bound growth", "emerging", "Catching up takes commitment".)
14. How hard could it be?
(Diagram: delivery pipeline with the stages Source Code, CI Server, Test & Scan, Artifacts, Deploy and Monitoring)
DevOps Code - Creating Value & Availability
DevSecOps Code - Creating Trust & Confidence
15. What type of skills are required?
(Diagram: overlapping Dev / Sec / Ops skill circles for the Developer, Sys Admin and Security Engineer roles; the legend distinguishes "competency" from "needed skill; functional")
16. Is everyone bought in?
Management has some firm requirements due to financial commitments and reporting
DevOps and Innovation can easily live in 3 out of 4 boxes but hardly like Control
Security practitioners tend to write policies and distrust everyone not them; rightfully so, 1% insider threat is a lot!
(Diagram: 2x2 culture matrix with the quadrants Control, Collaboration, Cultivation and Competence; axes people ↔ company and reality ↔ possibility)
17. Who can help?
Forming the C.A.T. Team:
Big bet
10 rare people in 6 months
Hire for passion
Remove barriers (logical and physical)
Mixed skills and levels
C.A.T.T. aka Cyber Attack Tiger Team
Bring big leadership skills if you want to wrangle big cats…
18. At first, it looked a lot like this…
Offices fostered the wrong culture
• Break down the walls
• Long flat tables
• Lounge areas
• Continuous Learning
• Increase communication
• Small teams with purpose
• Take a walk
• Difficult discussions
• Dedicated to success
19. How do I avoid being eaten by big CATTs?
FROM → TO
AUTHORITY → INSPIRATION
STRUCTURED POLICIES → FIRST PRINCIPLES
COMMAND & CONTROL → VALUE DRIVEN
RISK MITIGATED → RISK BALANCED
APPROVALS → LESSONS LEARNED
20. Goals matter…
Without a goal you are neither a great leader nor a good follower…
(Chart: timeline from 0 to 15 years, with the marker “Security is done!”)
21. HPO starts with team principles…
• Everyone is learning
• No one left behind
• Don’t hug your code
• Check your ego at the door
• One for all
Measure for crunchiness once a week…
22. Confidence is critical…
Operating model must increase confidence at all stages
Opt for Coaching vs. Managing
Increase communication
Patience pays off
Keep it blameless
(Chart labelled "confidence")
23. Does your team keep score?
Everyone can be a hero!
Keeping score is fun!
Outcomes driven by the team provide greater value
Understanding how to score is empowering
Brings us together…
http://www.4dxbook.com/blog/people-play-differently-when-theyre-keeping-score/
24. This path gave us DevSecOps…
DevSecOps:
• Security Engineering: Experiment, Automate, Test
• Security Operations: Hunt, Detect, Contain
• Compliance Operations: Respond, Manage, Train
• Security Science: Learn, Measure, Forecast
25. Enabled us to understand the problem space…
Gating processes are not Deming-like
Security is a design constraint
Decisions made by engineering teams
Hard to avoid business catastrophes by applying one-size-fits-all strategies
A security defect is more like a security “recall”
(Diagram: lifecycle phases design → build → deploy → operate, each with the question teams ask there: “How do I secure my app?”, “What component is secure enough?”, “How do I secure secrets for the app?”, “Is my app getting attacked? How?”; labelled “Typical gates for security checks & balances”)
Mistakes and drift often happen after design and build phases that result in weaknesses and potentially exploits
Most costly mistakes happen during design
Faster security feedback loop
26. Gave us the courage to question everything…
Operating Model:
• Determine defect and feature flows for Security to funnel to distributed teams
• Inventory work processes, guidelines, policies, experiments, data and tools
• Identify groups, roles and skills required to support processes
• Identify friction and measure speed of MTTR
• Identify types of decisions
• Identify metrics for measuring experiments and adapting processes
Processes:
• Implement Code & Infrastructure Guidelines
• Implement Rules Engineering Processes
• Implement Security Defect Reporting
• Implement Consulting and Requests Process
• Implement Infrastructure Templates
• Implement Red Team & SOC Processes
• Implement Manual Staging Processes
• Implement a Decisions Process
• Implement an Escalation Process with clear stakeholders
Tooling:
• All systems should be run with API inspection available via a Security Fabric. (Systems without inspection require manual intervention.)
• Implement Security Portal for feedback consolidation across security processes
• Implement Case Management for Requests, Defects, and Incidents
• Implement Testing framework
• Implement Correlation engine
• Implement foundational security controls
• Integrate with core organizational systems
n number of experiments to refine processes and automate where possible
• Identified opportunities to develop capacity without increasing risk to too high a level
• Inventory provides information for Decisions board to help with risk decisions outcomes
• Decisions board with clear escalation path by type of decision
• Ability to Communicate and Train on initial processes
• Consistent Ins/Outs of Dynamic Work with standard templates
• SDE helps with reducing manual efforts
• Ability to build up capacity for Stage Two
Expected Issues: Communication changes, adaptation of skills, decisions processes, expectations, audits and risk guidelines mismatch
27. Empowered us to challenge the status quo…
API KEY EXPOSURE -> 8 HRS
DEFAULT CONFIGS -> 24 HRS
SECURITY GROUPS -> 24 HRS
ESCALATION OF PRIVS -> 5 D
KNOWN VULN -> 8 HRS
28. Got us to communicate with developers like a developer…
29. Made us think about how to shift left…
Everyone knows Maslow…
If you can remember 5 things, remember these ->
“Apps & data are as safe as where you put it, what’s in it, how you inspect it, who talks to it, and how it’s protected…”
30. Helped us blaze a trail so others could succeed too…
32. It is time to change…
Get involved.
Write an article.
Give and take feedback.
Contribute to Open Source.
Give feedback.
Volunteer.
Editor's Notes
The hockey stick of change has begun to reach its inflection point… no one wants to get hit upside the head with it. So why must we change?
2011
2012
2016
2013 - As security practitioners, there has never been a better time to get involved in transforming what doesn’t work.
2013 – Security DNA exists within a large practitioner base and it is time to consider how to extend it to others… whether by lab manipulation or other means.
That’s a lot of skills to build…. Products aren’t ready… Processes haven’t been developed…. Metrics don’t exist.