DevOps and SecOps and Bears, oh my!
A safe way to move fast

This is a picture of a bear
Agenda
● 5 min: Our Story
● 10 min: Building a Detection Network
● 10 min: Automate Ruthlessly
● 10 min: Consult Up, Down and Across
● 10 min: Q/A
Who are we?
● We work @ Dwolla
● Information Security + Engineering leaders: we collaborate every day
● We are hiring! (Information Security and Engineering) dwolla.com/careers
Our Story
● We began in a hosted environment
● We chose to move to a cloud provider
● Agile software development practices and test driven development
● The move required close collaboration between Engineering and Information Security teams
● Path was forged based on trust, automation, detection and continuous improvement
Why should you listen to us?
● Winning businesses utilize these practices
● It is not cost effective to pay humans to configure things
● The human emotions of stress and pressure do not change the outcome of a computer running a program
● It’s simple to configure something once manually; it’s not simple to do it 2000 times
○ API deployed 1200 times, 3 instances per deployment = 3600 instances (one system)
This isn’t theoretical… ...it is actually another picture of a bear.
This isn’t theoretical...
These are principles you can apply now...
● Your platform is a detection network
● Ruthless automation provides you scalability, availability, and recoverability
● Your team should consult up, down, and across the organization
Building a Detection Network
Rationale: Prevention will eventually fail.
● When prevention fails, detection is imperative.
● You need alarms that should never go off.
Building a Detection Network
Rationale: Adversaries have evolved
● If employees use reports and GUIs, adversaries seek raw data stores, CLIs and APIs.
● Adversaries seek to move inside an environment without detection.
● Example: Lateral Movement is a key indicator of a security event.
Building a Detection Network: AWS GuardDuty
● You already know a lot about yourself
○ When are customers active?
○ What network things talk to other network things?
○ Which machines talk to the internet?
● We should be alerted if something outside our normal activity occurs
● Unexpected activity is detectable
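The two slides above (lateral movement as a key indicator; "what talks to what" and "which machines talk to the internet" as things you already know) can be turned into a small detector. This is an added example, not code from the talk, Dwolla or GuardDuty: it learns a baseline from a window of known-good VPC-flow-log-style records and flags flows outside it. The VPC CIDR, account id and every flow record are constructed.

```python
"""Baseline-deviation detection over VPC-flow-log-style records.

Added example, not from the talk or Dwolla's tooling. It encodes the slide's
questions as a learned baseline (who talks to whom internally, which hosts
talk to the internet) and flags flows that fall outside it. The VPC CIDR
(10.0.0.0/16) and all flow records below are constructed.
"""
import ipaddress
from collections import namedtuple

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")  # constructed: "internal" means inside our VPC

Flow = namedtuple("Flow", "src dst dport")


def parse_flow(line):
    """Parse the default VPC flow log field order (constructed records, space separated):
    version account-id interface-id srcaddr dstaddr srcport dstport protocol ..."""
    fields = line.split()
    return Flow(src=fields[3], dst=fields[4], dport=int(fields[6]))


def is_internal(addr):
    return ipaddress.ip_address(addr) in VPC_CIDR


def learn_baseline(lines):
    """Build the baseline from a window of known-good traffic.

    Returns (set of (src, dst, dport) internal pairs, set of hosts seen egressing).
    """
    pairs, egress_hosts = set(), set()
    for line in lines:
        fl = parse_flow(line)
        if is_internal(fl.src) and is_internal(fl.dst):
            pairs.add((fl.src, fl.dst, fl.dport))
        elif is_internal(fl.src):
            egress_hosts.add(fl.src)
    return pairs, egress_hosts


def detect(baseline, lines):
    """Return (finding_type, Flow) for every flow outside the baseline."""
    pairs, egress_hosts = baseline
    findings = []
    for line in lines:
        fl = parse_flow(line)
        if is_internal(fl.src) and is_internal(fl.dst):
            # Internal host reaching a peer/port it never used before: the
            # lateral-movement signal the slides call out.
            if (fl.src, fl.dst, fl.dport) not in pairs:
                findings.append(("unexpected_internal_flow", fl))
        elif is_internal(fl.src) and fl.src not in egress_hosts:
            # A host that never talks to the internet suddenly does.
            findings.append(("unexpected_egress", fl))
    return findings


# Constructed "normal week" traffic: web -> db, bastion -> web (ssh), web -> internet.
BASELINE_LOGS = [
    "2 123456789012 eni-0a1b 10.0.1.10 10.0.2.20 44321 5432 6 10 840 1600000000 1600000060 ACCEPT OK",
    "2 123456789012 eni-0a1b 10.0.0.5 10.0.1.10 51000 22 6 20 3000 1600000000 1600000060 ACCEPT OK",
    "2 123456789012 eni-0a1b 10.0.1.10 203.0.113.7 40000 443 6 30 9000 1600000000 1600000060 ACCEPT OK",
]

# Constructed current traffic: one expected flow, two deviations, one allowed egress.
CURRENT_LOGS = [
    "2 123456789012 eni-0a1b 10.0.1.10 10.0.2.20 44400 5432 6 10 840 1600086400 1600086460 ACCEPT OK",
    "2 123456789012 eni-0a1b 10.0.1.10 10.0.3.30 44500 22 6 5 400 1600086400 1600086460 ACCEPT OK",
    "2 123456789012 eni-0a1b 10.0.2.20 203.0.113.9 45000 443 6 8 700 1600086400 1600086460 ACCEPT OK",
    "2 123456789012 eni-0a1b 10.0.1.10 203.0.113.9 45001 443 6 8 700 1600086400 1600086460 ACCEPT OK",
]


def run():
    return detect(learn_baseline(BASELINE_LOGS), CURRENT_LOGS)


if __name__ == "__main__":
    for kind, fl in run():
        print(f"{kind}: {fl.src} -> {fl.dst}:{fl.dport}")
```

A real baseline would be learned over weeks and keyed per role rather than per host, but the shape is the same: everything not in the baseline is worth a look.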
Building a Detection Network: AWS GuardDuty
● AWS Alerting Service based on synthesis and analysis of:
○ Network traffic flows
○ DNS traffic activity
○ AWS API/IAM usage
● Alerts for persistence, backdoors, recon/scanning, resource consumption, cryptocurrency mining, etc.
● Very cost effective
Building a Detection Network: Thinkst Canaries
Nobody should touch these instances, files, tokens. We know this, but our adversaries don’t.
Here’s a QR code canary token:
Here’s a link to a canary token: https://bit.ly/2O5w5V1
Here’s an AWS credentials-file canary token:
[default]
aws_access_key_id=AKIAJCPBXSIQ6RTWY7QA
aws_secret_access_key=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
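The canary idea above is "an alarm that should never go off": nothing legitimate ever uses the planted credential or reads the planted file. As an added example (not code from the talk, Dwolla or Thinkst), here is the tripwire side written over CloudTrail-style events. The access key id is the one on the slide; the S3 bucket/object, account id and all events are constructed.

```python
"""Canary tripwire over CloudTrail-style events.

Added example, not from the talk, Dwolla or Thinkst. Nothing legitimate uses
a canary credential or reads a canary file, so any match is a high-confidence
alert. The access key id is the one shown on the slide; the S3 object, the
account id and every event below are constructed.
"""
import json

CANARY_ACCESS_KEYS = {"AKIAJCPBXSIQ6RTWY7QA"}                    # from the deck's canary credentials file
CANARY_OBJECTS = {("finance-archive-bkp", "payroll_2018.xlsx")}  # constructed (bucket, key)
READ_OPS = {"GetObject", "HeadObject", "CopyObject"}


def build_alert(kind, event, detail):
    """Pull out the who/where/when a responder needs, regardless of canary type."""
    ident = event.get("userIdentity", {})
    return {
        "kind": kind,
        "detail": detail,
        "time": event.get("eventTime"),
        "source_ip": event.get("sourceIPAddress"),
        "user_agent": event.get("userAgent"),
        "principal": ident.get("arn"),
        "api_call": f'{event.get("eventSource")}:{event.get("eventName")}',
    }


def evaluate(event):
    """Return an alert dict if the event touches a canary, else None."""
    key_id = event.get("userIdentity", {}).get("accessKeyId")
    if key_id in CANARY_ACCESS_KEYS:
        # A denied call (errorCode set) is still a hit: the secret was used at all.
        return build_alert("canary_credential_used", event, key_id)
    if event.get("eventSource") == "s3.amazonaws.com" and event.get("eventName") in READ_OPS:
        params = event.get("requestParameters") or {}
        target = (params.get("bucketName"), params.get("key"))
        if target in CANARY_OBJECTS:
            return build_alert("canary_object_read", event, "s3://%s/%s" % target)
    return None


def scan(events):
    return [alert for alert in (evaluate(e) for e in events) if alert]


# Constructed CloudTrail records (field names follow CloudTrail's record schema).
EVENTS = [
    {"eventTime": "2018-10-02T14:01:11Z", "eventSource": "iam.amazonaws.com",
     "eventName": "GetUser", "sourceIPAddress": "10.0.0.5", "userAgent": "aws-cli/1.16.0",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLENORMALKEY", "arn": "arn:aws:iam::123456789012:user/ops"}},
    {"eventTime": "2018-10-02T14:07:42Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.23", "userAgent": "aws-cli/1.16.0",
     "errorCode": "AccessDenied",
     "userIdentity": {"accessKeyId": "AKIAJCPBXSIQ6RTWY7QA", "arn": "arn:aws:iam::123456789012:user/canary-svc"}},
    {"eventTime": "2018-10-02T14:09:03Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.0.3.30", "userAgent": "Boto3/1.7.0",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLENORMALKEY", "arn": "arn:aws:iam::123456789012:user/ops"},
     "requestParameters": {"bucketName": "finance-archive-bkp", "key": "payroll_2018.xlsx"}},
]

if __name__ == "__main__":
    for alert in scan(EVENTS):
        print(json.dumps(alert, indent=2))
```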
Automate Ruthlessly
Write code and build systems to save time. It is a safe way to move fast.
Automate Ruthlessly: DNS Management at Cloudflare
● You have source control, continuous integration, and continuous delivery tools
● The metadata about maintaining a healthy codebase can answer a lot of the questions we have about configuration (in this example, DNS).
○ Is it in production? Who made this change? Who approved? When did we do this?
● This is release management and a change advisory board built into the core software engineering process
Automate Ruthlessly: DNS Management at Cloudflare
● DNS is just one piece of configuration at your edge; you also probably have
○ Certs
○ Firewall
○ Rate limiting
● What can possibly remember all the configuration we made? Computers.
● Changes not made via code are rogue - great signal/noise ratio.
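"Changes not made via code are rogue" only pays off if something compares the zone to the code. As an added example (not code from the talk, Dwolla or Cloudflare), here is that comparison: the desired list stands for what the repository declares, the live list for what a zone API returned; both are constructed, using the name/type/content/ttl/proxied fields a Cloudflare DNS record carries.

```python
"""Detect DNS changes that did not go through code.

Added example, not from the talk, Dwolla or Cloudflare's own tooling. The
desired records stand for what the repository declares; the live records
stand for what a zone API returned (both lists are constructed, using the
name/type/content/ttl/proxied fields Cloudflare DNS records carry). Anything
live that the repository does not declare is a rogue change.
"""


def record_key(rec):
    """Identity of a record for comparison: owner name, type and content."""
    return (rec["name"].lower().rstrip("."), rec["type"].upper(), rec["content"].strip())


def settings(rec):
    """Attributes that can drift without changing the record's identity."""
    return (rec.get("ttl", 1), bool(rec.get("proxied", False)))


def diff_zone(desired, live):
    """Compare repository-declared records with the live zone.

    rogue:   live but not declared in code (the high-signal finding)
    missing: declared in code but absent from the zone
    changed: same record, but ttl/proxied differ from what code declares
    """
    want = {record_key(r): r for r in desired}
    have = {record_key(r): r for r in live}
    rogue = [have[k] for k in sorted(have.keys() - want.keys())]
    missing = [want[k] for k in sorted(want.keys() - have.keys())]
    changed = [(want[k], have[k]) for k in sorted(want.keys() & have.keys())
               if settings(want[k]) != settings(have[k])]
    return {"rogue": rogue, "missing": missing, "changed": changed}


# Constructed: what the repository declares for the zone.
DESIRED = [
    {"name": "example.com", "type": "A", "content": "203.0.113.10", "ttl": 1, "proxied": True},
    {"name": "api.example.com", "type": "A", "content": "203.0.113.11", "ttl": 1, "proxied": True},
    {"name": "example.com", "type": "MX", "content": "mail.example.com", "ttl": 3600},
    {"name": "_acme-challenge.example.com", "type": "TXT", "content": "abc123", "ttl": 120},
]

# Constructed: what the zone API returned. One record was added by hand,
# one was unproxied in the dashboard, and one was deleted.
LIVE = [
    {"name": "example.com", "type": "A", "content": "203.0.113.10", "ttl": 1, "proxied": True},
    {"name": "api.example.com", "type": "A", "content": "203.0.113.11", "ttl": 1, "proxied": False},
    {"name": "example.com", "type": "MX", "content": "mail.example.com", "ttl": 3600},
    {"name": "dev.example.com", "type": "A", "content": "198.51.100.5", "ttl": 300, "proxied": False},
]


def run():
    return diff_zone(DESIRED, LIVE)


if __name__ == "__main__":
    report = run()
    for r in report["rogue"]:
        print(f"ROGUE   {r['name']} {r['type']} {r['content']} (not declared in code)")
    for r in report["missing"]:
        print(f"MISSING {r['name']} {r['type']} {r['content']}")
    for want, have in report["changed"]:
        print(f"CHANGED {want['name']} {want['type']}: code={settings(want)} live={settings(have)}")
```

Run on a schedule, a non-empty "rogue" list is the alarm; the repository's history then answers who, when and why for everything that is not rogue.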
Consult Up, Down and Across
Find out what others are building and help them
● Don’t just sit in the corner and audit
● Learn the company, how things are being used
Consult Up, Down and Across: Duo Security
● We have to protect our assets.
● Removing single factor authentication is an important objective.
○ We seek to devalue passwords.
● Installing Duo requires a PAM configuration (Linux) or an installer to augment the Windows Credential Provider.
Consult Up, Down and Across: Training and Standards
● Engineering team is trained on the proper implementation of cryptography, OWASP, etc.
● Security team is trained and expected to follow engineering standards.
● We hold each other accountable and challenge ideas.
Consult Up, Down and Across: Not in the Corner
● Security is seated with Engineering
● Throwing problems/reports/bugs over the wall is not acceptable
● Examples of collaboration:
○ Token protection schemes at a whiteboard to find performance/security balance
Three Principles
● Your platform is a detection network
● Ruthless automation provides you scalability, availability, and recoverability
● Your team should consult up, down, and across the organization
Other Talks We Like
● Enterprise Security - A New Hope
● Security Automation - Duo Tech Talk
● Preventing Attacks At Scale - Dino Dai Zovi
Questions?
Thanks for coming!
We are hiring! dwolla.com/careers
