Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

How to be your Security Team's Best Friend

79 views

Published on

A talk I gave at DevOpsDays Silicon Valley in May of 2018. This is a high-level presentation about common security guidelines and how your DevOps team can automate their way to better security.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

How to be your Security Team's Best Friend

  1. 1. Emily Gladstone Cole @unixgeekem DevOpsDaysSV 2018 How to be your Security Team’s Best Friend
  2. 2. Emily Gladstone Cole @unixgeekem DevOpsDaysSV 2018 Talk Agenda 1. Introduction 2. CIS Critical Security Controls 3. More Security Thoughts Standard Disclaimer: The opinions expressed in this talk are my own and do not represent the views of my employer. Non-Standard Disclaimer: I hope you like cat photos. 2
  3. 3. Emily Gladstone Cole @unixgeekem DevOpsDaysSV 2018 About Me PAST CURRENT CONTACT 3 ● UNIX SysAdmin/Operations background ● Transitioned to Security Incident Response/Security Research ● Senior Security Engineer at ● Mentor for SANS’ Women’s CyberTalent Immersion Academy ● Twitter: @unixgeekem
  4. 4. Emily Gladstone Cole @unixgeekem DevOpsDaysSV 2018 4
  5. 5. Emily Gladstone Cole @unixgeekem DevOpsDaysSV 2018 The CIS Critical Security Controls ● Industry consensus guidelines ● 3 types: Basic, Foundational, and Organizational1 5 1. #TeamOxfordComma
  6. 6. Emily Gladstone Cole @unixgeekem DevOpsDaysSV 2018 6 Not Rocket Science
  7. 7. Emily Gladstone Cole @unixgeekem DevOpsDaysSV 2018 7 Hardware Inventory #1: Hardware / Asset Inventory
  8. 8. Emily Gladstone Cole @unixgeekem DevOpsDaysSV 2018 CSC 1: Inventory and Control of Hardware Assets Questions you need to answer about your hardware: ● Network Access Control - how do you know what’s on your network? ● Automation - how do you keep your assets in a known state? ● Asset Management - how do you keep track of assets? ○ No, saying “a spreadsheet” or “a database” doesn’t count 8
  9. 9. Emily Gladstone Cole @unixgeekem DevOpsDaysSV 2018 Shadow IT 9
  10. 10. Emily Gladstone Cole @unixgeekem DevOpsDaysSV 2018 10 Software Inventory #2: Software Inventory
  11. 11. Emily Gladstone Cole @unixgeekem DevOpsDaysSV 2018 CSC 2: Inventory and Control of Software Assets Questions you need to answer about your software: ● What software is on your systems? ● Who installed the software? ● What does the software do? 11
  12. 12. Emily Gladstone Cole @unixgeekem DevOpsDaysSV 2018 Track Expiration Dates Too ● Software Licenses ● Domains ● SSL Certificates Don’t be this site 12
  13. 13. Emily Gladstone Cole @unixgeekem DevOpsDaysSV 2018 Vulnerability Management 13 #3: Continuous Vulnerability Management
  14. 14. Emily Gladstone Cole @unixgeekem DevOpsDaysSV 2018 CSC 3: Continuous Vulnerability Management: Scanning ● Logos create buzz! ● Scan early, scan often ● Scan from inside and outside your perimeter 14
  15. 15. Emily Gladstone Cole @unixgeekem DevOpsDaysSV 2018 15 A digression: Threat + Vulnerability = Risk
  16. 16. Emily Gladstone Cole @unixgeekem DevOpsDaysSV 2018 CSC 3: Continuous Vulnerability Management: Patching ● Understand your risks, and remediate the serious vulnerabilities. ○ Highest risk first is the best practice ● Use your automation to ensure updates are applied everywhere. ○ Though maybe you test first before you upgrade Python/Ruby in your Production environment... 16
  17. 17. Emily Gladstone Cole @unixgeekem DevOpsDaysSV 2018 17 #4: Control Admin Privileges
  18. 18. Emily Gladstone Cole @unixgeekem DevOpsDaysSV 2018 CSC 4: Controlled Use of Admin Privileges ● Separate out admin accounts from user accounts if you can. ● Use groups or roles. ● Consider functional names for your groups. ○ “sec-logging-read-only” is more informative than “logging” 18
  19. 19. Emily Gladstone Cole @unixgeekem DevOpsDaysSV 2018 19 #5: Secure Default Configs
  20. 20. Emily Gladstone Cole @unixgeekem DevOpsDaysSV 2018 CSC 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers ● Base your secure configs on a security standard. ● Use Automation/Configuration Management tools to enforce security. ○ Make sure changes are known and tracked (Change Management) ● Regularly evaluate the security of your Gold Images. ● Start with user directives, then automate them as your company evolves. 20
  21. 21. Emily Gladstone Cole @unixgeekem DevOpsDaysSV 2018 21 #6: Log All the Things, and Review the Logs
  22. 22. Emily Gladstone Cole @unixgeekem DevOpsDaysSV 2018 CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs ● Log all the things. ○ Systems, security devices, applications, access points ● Outbound traffic is always interesting. ● Collect all your logs somewhere and review them. ○ Side rant: SIEM, the buzzword 22
  23. 23. Emily Gladstone Cole @unixgeekem DevOpsDaysSV 2018 Plus 14 More ● Email and Web Browser Protections ● Malware Defenses ● Limitation and Control of Network Ports, Protocols, and Services ● Data Recovery Capabilities ● Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches ● Boundary Defense ● Data Protection 23 ● Controlled Access Based on the Need to Know ● Wireless Access Control ● Account Monitoring and Control ● Implement a Security Awareness and Training Program ● Application Software Security ● Incident Response and Management ● Penetration Tests and Red Team Exercises
  24. 24. Emily Gladstone Cole @unixgeekem DevOpsDaysSV 2018 Data Protection: it’s been in the news a lot lately 24
  25. 25. Emily Gladstone Cole @unixgeekem DevOpsDaysSV 2018 Think before you check into GitHub So many interesting things can be found in publicly-available GitHub repositories: ● Hardcoded passwords ● AWS Keys ● SSH Keys ● PGP Private Keys ● Internal hostnames 25
  26. 26. Emily Gladstone Cole @unixgeekem DevOpsDaysSV 2018 Think AFTER you check into GitHub So you’ve checked in some sensitive information? ● If you commit over it, it’s still in your commit history. ● Remove that commit. ● Rotate those credentials. ● Use TruffleHog to search for any remaining sensitive data in your old commits. 26 P.S. May 25th is Towel Day
  27. 27. Emily Gladstone Cole @unixgeekem DevOpsDaysSV 2018 Remember those S3 Buckets ● AWS now sets S3 Buckets to be private by default. ● Amazon Macie monitors S3 to find insecure buckets. ● Bucket names are important too. ○ S3 bucket names are unique, and it’s easy to enumerate the names. Hackers may guess that important data is stored in buckets whose names start with Prod, or with your company name. 27
  28. 28. Emily Gladstone Cole @unixgeekem DevOpsDaysSV 2018 But Wait, There’s More 28
  29. 29. Emily Gladstone Cole @unixgeekem DevOpsDaysSV 2018 Security Mindset In QA, and when you’re trying to think like a user, you say “what would an ignorant user do?” and you click on everything and put in weird inputs. In Security, you say “what would a malicious user do?” and once again you click on everything and put in weird inputs (these may have control characters, encrypted content, or code in them too), and you think about what a hacker might do if she got an odd or inconsistent result, or if she tried to change a form or an input URL. When you try to anticipate all the ways that your software and technologies can be manipulated, that’s an example of the security mindset. 29
  30. 30. Emily Gladstone Cole @unixgeekem DevOpsDaysSV 2018 Passwords: please use them (or passphrases) Any resemblance to actual companies, existing or defunct, or actual events, is purely coincidental. What if there was a company that didn’t set a root password for their databases… What if there was a company that didn’t change default credentials to the admin interface of their website… What if there was a company that let everyone ssh in as root… 30
  31. 31. Emily Gladstone Cole @unixgeekem DevOpsDaysSV 2018 Security and Technical Debt Like logging, security is harder to do well when you’re adding it on after the fact. “I’ll set up logging later” - will management let you fix that later if they don’t agree it’s important to work on logging now? 31
  32. 32. Emily Gladstone Cole @unixgeekem DevOpsDaysSV 2018 Security technical debt is not friendly credit card debt. Security technical debt is the kind where the debt collector mails you a piece of someone precious to you as a reminder when a payment is overdue. --unixorn on Hangops 32
  33. 33. Emily Gladstone Cole @unixgeekem DevOpsDaysSV 2018 Some other good Security Practices ● Use secure coding principles (OWASP can help define these). ○ Remember to sanitize those inputs (aka Data Validation) ● Build security tests into your CI/CD pipeline. ● External reviewers can find things you miss. ● Diverse teammates bring different perspectives. ● Everyone clicks on things they shouldn’t. Don’t blame the people. 33
  34. 34. Emily Gladstone Cole @unixgeekem DevOpsDaysSV 2018 TL;DR - Ops probably already is your security team’s best friend. You’re already doing most of the things I discussed, right? If not, please consider doing them. Your security team will thank you. 34
  35. 35. Emily Gladstone Cole @unixgeekem DevOpsDaysSV 2018 Thank you 35
  36. 36. Emily Gladstone Cole @unixgeekem DevOpsDaysSV 2018 Got Questions? ● #devopsdays on Twitter ● @unixgeekem on Twitter ● @unixgeekem on Hangops 36
  37. 37. Emily Gladstone Cole @unixgeekem DevOpsDaysSV 2018 References ● CIS Critical Security Controls: https://www.cisecurity.org/controls/ ● NIST 800-53 Framework: https://nvd.nist.gov/800-53 ● https://blog.rapid7.com/2017/04/19/the-cis-critical-security-controls-series/ ● Rob Joyce at Enigma 2016: https://www.youtube.com/watch?v=bDJb8WOJYdA ● Dylan Ayrey at BSides SF 2018: https://www.youtube.com/watch?v=TV2hHeKj4-4 ● truffleHog finds secrets in GitHub repos: https://github.com/dxa4481/truffleHog ● Security Training: https://www.sans.org/ ● GDPR Info: http://gdprandyou.ie/ ● OWASP Developer Guide: https://www.owasp.org/index.php/OWASP_Guide_Project ● Cat images from pexels.com 37

×