Security and DevOps are Really Best Friends


Presented at BSides Las Vegas, August 8th, 2018


1. Emily Gladstone Cole (@unixgeekem), BSidesLV 2018: Security and DevOps are Really Best Friends
2. Why listen to me talk about Ops and Security?
   Past:
   • UNIX SysAdmin/Operations/DevOps background
   • Transitioned to Security Incident Response/Security Research
   Current:
   • Senior Security Engineer at
   • Mentor for SANS’ Women’s CyberTalent Immersion Academy
   Contact:
   • Twitter: @unixgeekem
3. Talk Agenda
   1. Introduction
   2. DevOps/SRE priorities and the CIS Critical Security Controls
   3. More About Selling Security
4. Assets. What even are assets?
5. Talk Agenda (same slide as 3, shown again)
6. UPDATED Talk Agenda
   1. Introduction to DevOps/SRE
   2. Assets: let’s redefine them
   3. Least Privilege
   4. Logging
   Standard Disclaimer: The opinions expressed in this talk are my own and do not represent the views of my employer.
   Non-Standard Disclaimer: I hope you like cat photos.
7. Core Principles of DevOps and SRE
   1. Everybody shares on-call
   2. Practice empathy
   3. Automate everything
      a. Pets vs. Cattle
8. Core DevOps: On Call
   Back in the day, Ops was the only team waking up in the middle of the night. Devs could say “not our problem” because they weren’t suffering. Putting everyone on call gave everyone a stake in fixing problems that came up, whether they’re issues in the code or the OS/infrastructure running it.
9. Core DevOps: Empathy
   Shared experience brings empathy. If the product is seen as a collaboration between all teams, everyone’s more invested in its success.
10. Core DevOps: Automation
   If you automate it, you only have to write it once: this is a huge plus for the lazy Security or Ops person.
11. Pets vs. Cattle
   Pets:
   • Given names
   • Cared for individually
   • Treated as part of the family
   • Not interchangeable
   Cattle:
   • Given numbers and ear tags
   • Cared for as a group
   • Not treated as family
   • Interchangeable
   If Ops treat your systems as pets instead of cattle, won’t that improve your ability to investigate incidents and keep your company secure?
12. Where to learn more
13. Assets. What even are assets?
   Assets are things you pay for.
   Assets should be tracked and monitored.
   Assets should be updated.
14. Hardware Inventory: assets are things you pay for
15. Why should we track assets?
   How do you know that you’re
   • Paying for only the things you use?
   • Not using outdated things?
   • Doing destructive hacking on staging and not prod?
16. No, this is not an easy problem.
17. How do we help Ops track assets?
18. Assets. What even are assets? (section divider, repeated from slide 13)
19. Vulnerability Management: assets should be tracked and monitored
20. Assets: scan to find the current network state
   • Discover new assets (remember the person who found 120% of the assets disclosed to them by the org they were scanning?).
   • Did everyone create their asset the right way?
   You’re doing these scans anyway, as part of your Red/Blue team work. Why not share the results with Ops?
21. Assets: scan to find outdated rules
   Does everyone get notified every time an asset gets shut down, and review their firewall or VPC or ELB/ALB rules to make sure they’re still relevant and necessary? I thought not.
22. Assets: scan to find vulnerabilities
   • Worst: Security has to scan manually or notify Engineering manually to patch.
   • OK: Automate vulnerability notifications to go directly to Engineering.
   • Best: Engineering has designed their infrastructure so that updates happen automatically with no intervention needed.
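The three scans on slides 20 to 22 share one mechanical core: compare what the network actually answers with what Ops believes exists, then act on the difference. The following is an added example written for this page, not code from the talk: it reconciles an nmap ping sweep against an inventory, flags ingress rules whose source range no longer contains any live host, and routes scanner findings to the owner recorded in the inventory so notification does not pass through Security by hand. The inventory, the nmap grepable output, the rule list and the findings are all constructed sample data; the owner/env tag names and the rule shape are assumptions, not any real tool's schema.

```python
"""Added example, not from the talk: reconcile a discovery scan with the
inventory, flag rules pointing at nothing, route findings to owners.
All data below is constructed; tag names and rule shape are assumptions."""
import ipaddress
import re

# Constructed inventory (what Ops believes exists), keyed by IP. Assumed tags.
INVENTORY = {
    "10.0.1.10": {"name": "web-01", "owner": "web-team", "env": "prod"},
    "10.0.1.11": {"name": "web-02", "owner": "web-team", "env": "prod"},
    "10.0.2.20": {"name": "db-01", "owner": "data-team", "env": "prod"},
    "10.0.9.50": {"name": "old-jenkins", "owner": "ops", "env": "staging"},  # long gone
}

# Constructed nmap grepable (-oG) output from a ping sweep of the VPC range.
SCAN_OUTPUT = """\
# Nmap 7.70 scan initiated as: nmap -sn -oG - 10.0.0.0/16
Host: 10.0.1.10 ()\tStatus: Up
Host: 10.0.1.11 ()\tStatus: Up
Host: 10.0.2.20 ()\tStatus: Up
Host: 10.0.3.77 ()\tStatus: Up
# Nmap done: 4 hosts up
"""
HOST_UP = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Status:\s+Up\b", re.MULTILINE)


def live_hosts(grepable):
    """Set of addresses nmap reported as Up."""
    return set(HOST_UP.findall(grepable))


def reconcile(inventory, grepable):
    """Scan vs. inventory: hosts nobody claims, and claimed hosts that are gone."""
    live = live_hosts(grepable)
    known = set(inventory)
    return {"unknown": sorted(live - known), "missing": sorted(known - live)}


# Constructed security-group-style ingress rules: source CIDR allowed to a port.
RULES = [
    {"id": "sg-web-https", "port": 443, "cidr": "0.0.0.0/0"},
    {"id": "sg-db-from-web", "port": 5432, "cidr": "10.0.1.0/24"},
    {"id": "sg-db-from-jenkins", "port": 5432, "cidr": "10.0.9.50/32"},
]


def stale_rules(rules, live):
    """Rules whose source range no longer contains any host that answers.
    World-open (/0) rules are skipped: those are a separate review, not stale."""
    live_addrs = [ipaddress.ip_address(h) for h in live]
    stale = []
    for rule in rules:
        net = ipaddress.ip_network(rule["cidr"], strict=False)
        if net.prefixlen == 0:
            continue
        if not any(addr in net for addr in live_addrs):
            stale.append(rule["id"])
    return stale


# Constructed vulnerability-scanner findings: (host, title, severity).
FINDINGS = [
    ("10.0.1.10", "OpenSSH version out of date", "medium"),
    ("10.0.2.20", "PostgreSQL unsupported version", "high"),
    ("10.0.3.77", "Telnet service open", "high"),
]


def route_findings(findings, inventory):
    """Group findings by the inventory's owner tag. Hosts with no owner go to a
    security triage queue instead of silently having no recipient."""
    queues = {}
    for host, title, severity in findings:
        owner = inventory.get(host, {}).get("owner", "security-unowned")
        queues.setdefault(owner, []).append((host, title, severity))
    return queues


if __name__ == "__main__":
    print(reconcile(INVENTORY, SCAN_OUTPUT))
    print(stale_rules(RULES, live_hosts(SCAN_OUTPUT)))
    for owner, items in route_findings(FINDINGS, INVENTORY).items():
        print(owner, items)
```

A host in "missing" may simply be down, so that list is a question for its owner rather than an alert; a host in "unknown" has no owner to ask, which is exactly why it lands in the security triage queue when findings are routed.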
23. Assets. What even are assets? (section divider, repeated from slide 13)
24. Assets should be updated
25. Asset lifecycles are important
   • Hardware gets old and dies
   • Yes, it’s time for DevOps to get off of Ubuntu 14.04 as a base for instances and containers (standard support for 14.04 LTS ended in April 2019)
   • Few people think to disable Lambdas when they’re no longer in use
   • If a Domain or SSL/TLS Cert is an asset, the renewal is a lifecycle issue
26. How to sell patching and lifecycle to Ops
   • Tech Debt is bad
   • If they keep having to patch, maybe they can harden the OS/image/container, or choose less-buggy software?
   • This is something they can automate!
27. Least Privilege
28. Admin Privileges and Liability and Auditors
   “Men are driven by two principal impulses, either by love or by fear.” - Niccolò Machiavelli
   • People are afraid of legal implications
   • People are afraid of auditors
   • Reducing/controlling admin privileges can reduce that fear.
   • Admin Privileges can/should be regularly audited too.
29. Log All the Things, and Review the Logs
30. Log, Log, it’s better than bad, it’s good!
   • Help Ops to collect logs from all the things.
     ○ Systems, security devices, applications, access points
   • Collect all your logs somewhere and review them.
     ○ Review: not all done by hand!
     ○ Maybe Ops can use the logs too?
   • Outbound traffic is always interesting.
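"Review: not all done by hand" and "outbound traffic is always interesting" combine naturally: the first pass over egress can be a script, leaving the reviewer a short list. The following is an added example for this page, not from the talk, run over VPC Flow Log records in their default version-2 field order. It keeps only traffic leaving the internal range, then raises three kinds of alert: egress that was rejected, egress on a port the fleet is not expected to use, and a destination not in the baseline from the last review. The log lines are constructed; the internal range, the expected ports and the baseline set are assumptions a real team replaces with its own.

```python
"""Added example, not from the talk: a first automated pass over outbound
traffic in VPC Flow Logs, so the human review starts from a short list.
Log lines are constructed; the internal range, expected egress ports and
baseline destinations are assumptions a real team replaces with its own."""
import ipaddress
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption
EXPECTED_EGRESS_PORTS = {53, 80, 443}                  # assumption
BASELINE_DESTINATIONS = {"93.184.216.34"}              # assumption: cleared in the last review

# Constructed VPC Flow Log records (version 2, default field order). The last
# line is the NODATA shape AWS emits for an idle interface.
FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.10 93.184.216.34 44321 443 6 10 1200 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 198.51.100.7 44322 443 6 12 1800 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.20 203.0.113.9 51234 4444 6 2100 9400000 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.20 203.0.113.9 51235 22 6 3 180 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.11 10.0.2.20 40000 5432 6 50 6000 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 443 44322 6 12 1800 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1600000000 1600000060 - NODATA
"""
FIELDS = ["version", "account", "eni", "src", "dst", "srcport", "dstport",
          "proto", "packets", "bytes", "start", "end", "action", "status"]


def parse_flow_log(text):
    """Yield records with numeric fields converted; skip NODATA/SKIPDATA lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed line: skip it rather than abort the review
        rec = dict(zip(FIELDS, parts))
        if rec["status"] != "OK":
            continue
        for key in ("srcport", "dstport", "packets", "bytes"):
            rec[key] = int(rec[key])
        yield rec


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def review_outbound(text):
    """Alerts worth a person's time, plus bytes per (src, dst) for top-talker review."""
    alerts = []
    volume = defaultdict(int)
    seen_new = set()
    for rec in parse_flow_log(text):
        if not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue  # inbound or east-west; only egress is under review here
        src, dst, port = rec["src"], rec["dst"], rec["dstport"]
        volume[(src, dst)] += rec["bytes"]
        if rec["action"] == "REJECT":
            alerts.append(("egress-rejected", src, dst, port))  # something tried, was blocked
        if port not in EXPECTED_EGRESS_PORTS:
            alerts.append(("unexpected-port", src, dst, port))
        if dst not in BASELINE_DESTINATIONS and dst not in seen_new:
            seen_new.add(dst)  # report each new destination once per run
            alerts.append(("new-destination", src, dst, port))
    return alerts, dict(volume)


def top_talkers(volume, n=3):
    """Largest (src, dst) pairs by bytes: exfiltration tends to show up here."""
    return sorted(volume.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    found, vol = review_outbound(FLOW_LOG)
    for alert in found:
        print(*alert)
    print(top_talkers(vol))
```

The rejected SSH attempt and the 9 MB transfer to port 4444 from the database host are the two lines a reviewer would want first; the baseline set is what keeps last month's known-good destinations from being re-read every time.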
31. Data Protection: it’s been in the news a lot lately
32. Your company’s code in GitHub is an asset too
   Please make sure your company’s source repository doesn’t have these:
   • Hardcoded passwords
   • AWS Keys
   • SSH Keys
   • PGP Private Keys
   • Internal hostnames
33. What if you find sensitive data in GitHub?
   So you’ve found some sensitive information?
   • If you commit over it, it’s still in your commit history.
   • Remove that commit (this means rewriting history and force-pushing, and existing clones and forks still hold the old commit).
   • Rotate those credentials: treat anything that was pushed as already compromised, whether or not the commit is later removed.
   • Use TruffleHog to search for any remaining sensitive data in your old commits.
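Slides 32 and 33 describe what to look for and why HEAD is not enough. The following is an added example for this page; it is not TruffleHog's code, though it uses the same two ideas: pattern rules for secrets with a known shape (AWS access key IDs, private key headers, password assignments, internal hostnames) and a Shannon-entropy test for random-looking strings such as AWS secret keys, run over every blob in every commit rather than only the current tree. The commits are constructed; the 4.5-bit entropy threshold and the internal-domain suffix `corp.example` are assumptions to tune for your own repositories. The AWS key values are the placeholders from AWS's own documentation, not real credentials.

```python
"""Added example, not from the talk and not TruffleHog's code: a small
history-aware secret scanner. Commit contents are constructed; the entropy
threshold and the internal-domain rule are assumptions."""
import math
import re

RULES = [
    ("aws-access-key-id", re.compile(r"(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9])")),
    ("private-key", re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY(?: BLOCK)?-----")),
    ("hardcoded-password", re.compile(r"(?i)password\s*[=:]\s*['\"][^'\"]{4,}['\"]")),
    # Assumption: the org's internal DNS suffix. Replace with your own.
    ("internal-hostname", re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.corp\.example\b")),
]
BASE64_TOKEN = re.compile(r"[A-Za-z0-9+/=]{20,}")
BASE64_ENTROPY_THRESHOLD = 4.5  # assumption, bits per character


def shannon_entropy(s):
    """Bits per character; random 40-char base64 sits well above 4.5."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text):
    """Rule hits plus high-entropy base64-looking tokens in one blob."""
    hits = []
    for name, rx in RULES:
        for m in rx.finditer(text):
            hits.append((name, m.group(0)))
    for m in BASE64_TOKEN.finditer(text):
        token = m.group(0)
        if shannon_entropy(token) >= BASE64_ENTROPY_THRESHOLD:
            hits.append(("high-entropy", token))
    return hits


def scan_history(commits):
    """Scan every blob in every commit: committing over a secret leaves it
    one `git log -p` away, so HEAD alone proves nothing."""
    findings = []
    for commit in commits:
        for path, blob in commit["files"].items():
            for rule, match in scan_text(blob):
                findings.append({"sha": commit["sha"], "path": path,
                                 "rule": rule, "match": match})
    return findings


# Constructed history: the first commit leaks, the second "fixes" it by
# committing over it. The key values are AWS documentation placeholders.
COMMITS = [
    {"sha": "a1b2c3d", "files": {
        "settings.py": 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
                       'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
                       'SMTP_PASSWORD = "hunter2hunter2"\n'
                       'DB_HOST = "db-01.corp.example"\n',
        "deploy_key": "-----BEGIN OPENSSH PRIVATE KEY-----\n"
                      "(key material omitted in this constructed example)\n"
                      "-----END OPENSSH PRIVATE KEY-----\n",
    }},
    {"sha": "e4f5a6b", "files": {
        "settings.py": 'AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]\n'
                       'DB_HOST = os.environ["DB_HOST"]\n',
    }},
]

if __name__ == "__main__":
    for f in scan_history(COMMITS):
        print(f["sha"], f["path"], f["rule"], f["match"])
```

Note what each rule catches: the access key ID has low entropy (3.7 bits) and is found only by its `AKIA` shape, while the secret key has no fixed shape and is found only by entropy. Every finding comes from the first commit even though the second one looks clean, which is the point of slide 33's first bullet.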
34. Remember those S3 Buckets
   • They are assets too.
   • So are their contents.
   • AWS now makes it easy to audit bucket permissions and even does it for you (somewhat).
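Slide 28 says admin privileges should be audited regularly, and slide 34 says bucket permissions should be audited too; both are questions about policy documents, and both can be answered offline once the documents have been pulled. The following is an added example for this page, not from the talk and not an AWS tool: it flags bucket-policy statements and ACL grants that open a bucket to everyone, and IAM statements that grant full or whole-service admin on `Resource "*"`, keeping condition-gated grants in a separate list because a condition can make either one acceptable. The three documents are constructed, in the JSON shape the `get-bucket-policy`, `get-bucket-acl` and `get-policy-version` API calls return.

```python
"""Added example, not from the talk and not an AWS tool: offline checks for a
bucket the world can read and for an identity with unrestricted admin.
The policy documents are constructed, in the JSON shape the AWS APIs return."""
import json

PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def as_list(value):
    """IAM lets Statement/Action/Resource/Principal.AWS be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_everyone(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in as_list(principal.get("AWS"))


def public_bucket_statements(policy):
    """Allow-to-everyone statements, split by whether a Condition narrows them.
    Unconditional ones are public; conditional ones (e.g. aws:SourceVpce)
    still need a person to read the condition."""
    unconditional, conditional = [], []
    for st in as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow" or not principal_is_everyone(st.get("Principal")):
            continue
        target = conditional if st.get("Condition") else unconditional
        target.append(st.get("Sid", "<no Sid>"))
    return unconditional, conditional


def public_acl_grants(acl):
    """ACL grants to the global AllUsers / AuthenticatedUsers groups."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return hits


def admin_statements(policy):
    """Allow statements on Resource "*": full admin (Action "*"), a whole
    service (e.g. "s3:*"), and admin gated by a Condition such as MFA."""
    full, service, gated = [], [], []
    for st in as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow" or "*" not in as_list(st.get("Resource")):
            continue
        actions = as_list(st.get("Action"))
        sid = st.get("Sid", "<no Sid>")
        if "*" in actions:
            (gated if st.get("Condition") else full).append(sid)
        elif any(a.endswith(":*") for a in actions) and not st.get("Condition"):
            service.append(sid)
    return full, service, gated


# Constructed documents. Real ones come back from get-bucket-policy (as a JSON
# string), get-bucket-acl and get-policy-version.
BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}
  ]
}""")
BUCKET_ACL = json.loads("""{
  "Owner": {"ID": "0123456789abcdef"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "0123456789abcdef"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}
  ]
}""")
IAM_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "S3Admin", "Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
    {"Sid": "ReadOnly", "Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
    {"Sid": "MfaAdmin", "Effect": "Allow", "Action": "*", "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}
  ]
}""")

if __name__ == "__main__":
    print("public bucket statements:", public_bucket_statements(BUCKET_POLICY))
    print("public ACL grants:", public_acl_grants(BUCKET_ACL))
    print("admin statements:", admin_statements(IAM_POLICY))
```

Running the three checks over every bucket and every attached policy on a schedule, and diffing the output against the last run, is the "regularly audited" of slide 28 in a form Ops can own.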
35. But wait, there’s more... What do (some) Ops people want from their Security teams?
36. What Ops wants: Transparency
   • Does everyone know the security team members?
   • Does everyone know why security changes are made?
   • Does the security team have a clear mission?
37. What Ops wants: Be realistic
   • Remember productivity needs to win sometimes
   • Do your threat models match your industry and data?
   • Are you making security easy?
38. What Ops wants: Respect
   • Don’t be the Team of NO: ask why and explain why
   • Build allies by making “better” your first goal, not “perfect”
   • Get to know Ops and their priorities and help them
39. Ops wants to Learn
   • Security folks are generally curious: Ops folks are too!
   • Taking the time to teach will pay off later
40. (photo slide, no text)
41. What Ops wants: Jobs
   Ops, DevOps, and SRE are an excellent path to Security
42. What Ops wants: shiny things
   • Everyone likes stickers
   • Cube toys are fun too
   • Chocolate is a classic
   • Booze is tricky if they don’t drink – check first
   (I prefer to call it rewarding good behaviors, not bribery)
43. TL;DR - Security can work with Ops and help both succeed. You’re already doing most of the things I discussed, right? If not, please consider doing them. Your DevOps team will thank you.
44. Thank you
45. Got Questions?
   • Now is the time for Q&A
   • @unixgeekem on Twitter
   • @unixgeekem on Hangops
46. References
   • CIS Critical Security Controls: https://www.cisecurity.org/controls/
   • Google’s SRE Book: https://landing.google.com/sre/book.html
   • The Practice of Cloud System Administration: https://www.amazon.com/Practice-Cloud-System-Administration-Practices/dp/032194318X/
   • Effective DevOps: http://shop.oreilly.com/product/0636920039846.do
   • Rob Joyce at Enigma 2016: https://www.youtube.com/watch?v=bDJb8WOJYdA
   • The History of Pets vs. Cattle: http://cloudscaling.com/blog/cloud-computing/the-history-of-pets-vs-cattle/
   • Empathy: The Essence of DevOps: https://medium.com/@jeffsussna/empathy-the-essence-of-devops-572ed2a7f42b
   • Dylan Ayrey at BSides SF 2018: https://www.youtube.com/watch?v=TV2hHeKj4-4
   • Animal images from pexels.com
