Security and DevOps are Really Best Friends

Emily Gladstone Cole @unixgeekem BSidesLV 2018
Why listen to me talk about Ops and Security?

Past:
• UNIX SysAdmin/Operations/DevOps background
• Transitioned to Security Incident Response/Security Research

Current:
• Senior Security Engineer at
• Mentor for SANS’ Women’s CyberTalent Immersion Academy

Contact:
• Twitter: @unixgeekem
Talk Agenda
1. Introduction
2. DevOps/SRE priorities and the CIS Critical Security Controls
3. More About Selling Security
Assets. What even are assets?
Talk Agenda
1. Introduction
2. DevOps/SRE priorities and the CIS Critical Security Controls
3. More About Selling Security
UPDATED Talk Agenda
1. Introduction to DevOps/SRE
2. Assets: let’s redefine them
3. Least Privilege
4. Logging
Standard Disclaimer: The opinions expressed in this talk are my own and do not
represent the views of my employer.
Non-Standard Disclaimer: I hope you like cat photos.
Core Principles of DevOps and SRE
1. Everybody shares on-call
2. Practice empathy
3. Automate everything
   a. Pets vs. Cattle
Core DevOps: On Call
Back in the day, Ops was the only team waking up in the middle of the night. Devs could say “not our problem” because they weren’t suffering. Putting everyone on call gave everyone a stake in fixing problems that came up, whether they’re issues in the code or the OS/infrastructure running it.
Core DevOps: Empathy
Shared experience brings empathy.
If the product is seen as a collaboration between all teams,
everyone’s more invested in its success.
Core DevOps: Automation
If you automate it, you only have to write it once: this is a huge plus for the lazy Security or Ops person.
Pets vs. Cattle

Pets:
• Given names
• Cared for individually
• Treated as part of the family
• Not interchangeable

Cattle:
• Given numbers and ear tags
• Cared for as a group
• Not treated as family
• Interchangeable

If Ops treat your systems as pets instead of cattle, won’t that improve your ability to investigate incidents and keep your company secure?
Where to learn more
Assets. What even are assets?
Assets are things you pay for.
Assets should be tracked and monitored.
Assets should be updated.
Hardware Inventory: Assets are things you pay for
Why should we track assets?
How do you know that you’re
• Paying for only the things you use?
• Not using outdated things?
• Doing destructive hacking on staging and not prod?
No, this is not an easy problem.
How do we help Ops track assets?
Assets. What even are assets?
Assets are things you pay for.
Assets should be tracked and monitored.
Assets should be updated.
Vulnerability Management: Assets should be tracked and monitored
Assets: scan to find the current network state
• Discover new assets (remember the person who found 120% of the assets disclosed to them by the org they were scanning?).
• Did everyone create their asset the right way?
You’re doing these scans anyway, as part of your Red/Blue team work. Why not share the results with Ops?
Assets: scan to find outdated rules
Does everyone get notified every time an asset gets shut down, and review their firewall or VPC or ELB/ALB rules to make sure they’re still relevant and necessary?
I thought not.
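One way to turn that review into a check that runs on its own, as an added example that is not part of the talk: join the asset inventory against the rule set and flag every rule whose address range no longer contains a live host. The inventory, the rules and the rule-id names below are constructed sample data standing in for a CMDB export and a security-group dump.

```python
"""Flag firewall / security-group rules that no longer point at a live asset.

Added illustration, not code from the talk: the inventory and the rules
below are constructed sample data standing in for a CMDB export and a
security-group dump.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: str
    direction: str   # "ingress" or "egress"
    cidr: str        # peer address range the rule allows
    port: int
    description: str


# Constructed inventory: hosts the asset tracker says are still running.
LIVE_ASSETS = {
    "web-01": "10.0.1.10",
    "web-02": "10.0.1.11",
    "db-01": "10.0.2.20",
}

# Constructed rules. bastion-old (10.0.9.5) and the legacy reporting box
# (10.0.3.7) were shut down, but nobody revisited the rules naming them.
RULES = [
    Rule("sg-web-ssh", "ingress", "10.0.9.5/32", 22, "ssh from bastion-old"),
    Rule("sg-db-app", "ingress", "10.0.1.0/24", 5432, "app subnet to db"),
    Rule("sg-db-legacy", "ingress", "10.0.3.7/32", 5432, "legacy reporting box"),
    Rule("sg-web-https", "ingress", "0.0.0.0/0", 443, "public https"),
    Rule("sg-old-subnet", "ingress", "10.0.7.0/24", 8080, "retired batch subnet"),
]


def review_rules(rules, live_assets):
    """Return {rule_id: verdict} for every rule.

    verdicts:
      "ok"          - at least one live asset falls inside the rule's CIDR
      "stale-host"  - single-address rule that matches no live asset
                      (the classic leftover from a decommissioned box)
      "stale-range" - wider range with no live asset in it; needs a human
                      look, since it may be reserved for future hosts
    """
    live_ips = [ipaddress.ip_address(ip) for ip in live_assets.values()]
    verdicts = {}
    for rule in rules:
        net = ipaddress.ip_network(rule.cidr, strict=False)
        if any(ip in net for ip in live_ips):
            verdicts[rule.rule_id] = "ok"
        elif net.num_addresses == 1:
            verdicts[rule.rule_id] = "stale-host"
        else:
            verdicts[rule.rule_id] = "stale-range"
    return verdicts


def rules_to_remove(rules, live_assets):
    """Rule ids that can be deleted without a second opinion."""
    verdicts = review_rules(rules, live_assets)
    return sorted(r for r, v in verdicts.items() if v == "stale-host")


if __name__ == "__main__":
    for rule_id, verdict in review_rules(RULES, LIVE_ASSETS).items():
        print(f"{rule_id:14} {verdict}")
```

Wide ranges are deliberately only flagged for review rather than removal: a /24 with nothing in it today may be the subnet the next batch of instances lands in, and deleting the rule would be the kind of "Team of NO" surprise the later slides warn against. Run it from the same job that decommissions an asset and the rule review stops depending on someone remembering to do it.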
Assets: scan to find vulnerabilities
• Worst: Security has to scan manually or notify Engineering manually to patch.
• OK: Automate vulnerability notifications to go directly to Engineering.
• Best: Engineering has designed their infrastructure so that updates happen automatically with no intervention needed.
Assets. What even are assets?
Assets are things you pay for.
Assets should be tracked and monitored.
Assets should be updated.
Assets should be updated
Asset lifecycles are important
• Hardware gets old and dies
• Yes, it’s time for DevOps to get off of Ubuntu 14.04 as a base for instances and containers
• Few people think to disable Lambdas when they’re no longer in use
• If a Domain or SSL Cert is an asset, the renewal is a lifecycle issue
How to sell patching and lifecycle to Ops
• Tech Debt is bad
• If they keep having to patch, maybe they can harden the OS/image/container, or choose less-buggy software?
• This is something they can automate!
Least Privilege
Admin Privileges and Liability and Auditors
“Men are driven by two principal impulses, either by love or by fear.”
- Niccolò Machiavelli
• People are afraid of legal implications
• People are afraid of auditors
• Reducing/controlling admin privileges can reduce that fear.
• Admin Privileges can/should be regularly audited too.
Log All the Things, and Review the Logs
Log, Log, it’s better than bad, it’s good!
• Help Ops to collect logs from all the things.
  ○ Systems, security devices, applications, access points
• Collect all your logs somewhere and review them.
  ○ Review: not all done by hand!
  ○ Maybe Ops can use the logs too?
• Outbound traffic is always interesting.
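"Review: not all done by hand" and "outbound traffic is always interesting" together, as an added example that is not from the talk: a small reviewer that reads a flow log and reports the inside-to-outside connections that go somewhere the team did not expect. The log format, the internal address ranges and the allowlist of expected destinations are all assumptions made for this example; the log lines are constructed.

```python
"""Review outbound connections in a constructed flow log.

Added illustration, not from the talk. The log format, the internal
address ranges and the allowlist are assumptions made for this example;
swap in your own VPC flow logs / firewall logs and your own list of
expected external destinations.
"""
import ipaddress
from collections import defaultdict
from typing import NamedTuple

# Assumption: everything in RFC 1918 space is "inside"; adjust to your networks.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed allowlist of external destinations hosts are expected to reach.
EXPECTED_DESTINATIONS = {
    "203.0.113.10": "package mirror",
    "198.51.100.25": "monitoring SaaS",
}

# Constructed sample log: <epoch> <src_ip> <dst_ip> <dst_port> <proto> <bytes>
SAMPLE_LOG = """\
1533000000 10.0.1.10 203.0.113.10 443 tcp 8200
1533000005 10.0.1.10 198.51.100.25 443 tcp 1500
1533000010 10.0.2.20 192.0.2.77 8443 tcp 50000
1533000011 10.0.2.20 192.0.2.77 8443 tcp 62000
1533000020 10.0.1.11 10.0.2.20 5432 tcp 900
1533000025 198.51.100.9 10.0.1.10 443 tcp 300
this line is garbage and should be skipped
1533000030 10.0.1.11 192.0.2.9 53 udp 120
"""


class Flow(NamedTuple):
    ts: int
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int


def parse_flows(text):
    """Parse log lines, skipping malformed ones instead of aborting the review."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        try:
            flows.append(Flow(int(parts[0]), parts[1], parts[2],
                              int(parts[3]), parts[4], int(parts[5])))
        except ValueError:
            continue
    return flows


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def unexpected_outbound(flows):
    """Outbound flows (inside -> outside) whose destination is not on the allowlist."""
    return [f for f in flows
            if is_internal(f.src) and not is_internal(f.dst)
            and f.dst not in EXPECTED_DESTINATIONS]


def bytes_by_source(flows):
    """Total bytes each internal host sent to unexpected destinations."""
    totals = defaultdict(int)
    for f in unexpected_outbound(flows):
        totals[f.src] += f.nbytes
    return dict(totals)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    for f in unexpected_outbound(flows):
        print(f"{f.src} -> {f.dst}:{f.dport}/{f.proto} {f.nbytes} bytes")
    print(bytes_by_source(flows))
```

The per-host byte totals are the part Ops will care about as much as Security does: a database host sending six figures of bytes to an address nobody recognises is a capacity question and a security question at the same time, which is exactly the shared interest the slide is pointing at.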
Data Protection: it’s been in the news a lot lately
Your company’s code in GitHub is an asset too
Please make sure your company’s source repository doesn’t have these:
• Hardcoded passwords
• AWS Keys
• SSH Keys
• PGP Private Keys
• Internal hostnames
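A check for exactly that list, as an added example that is neither code from the talk nor TruffleHog: it scans file contents for the five kinds of material the slide names and reports file, line and kind, which is the shape of check that fits a pre-commit hook or a CI step. The sample files are constructed, the AWS key is the example value from AWS's own documentation, and the internal-hostname suffixes and the `secrets-scan:allow` marker are assumptions you would replace with your own conventions.

```python
"""Scan source text for the kinds of secrets the slide lists.

Added illustration, not from the talk and not TruffleHog. It checks file
contents handed to it as strings; the sample files are constructed, the
AWS key is AWS's documented example key, and the internal-hostname
suffixes are an assumption you would replace with your own.
"""
import re
from typing import NamedTuple

# Assumption: your internal DNS suffixes. Tune for your environment.
INTERNAL_SUFFIXES = ("corp", "internal", "intranet", "lan")

PATTERNS = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(
        r"-----BEGIN (?:RSA |DSA |EC |OPENSSH |PGP )?PRIVATE KEY(?: BLOCK)?-----"),
    # no leading \b: identifiers like DB_PASSWORD have no word boundary before PASSWORD
    "hardcoded-password": re.compile(
        r"(?i)(?:password|passwd|pwd|secret)\s*[:=]\s*['\"][^'\"]{4,}['\"]"),
    "internal-hostname": re.compile(
        r"\b[a-z0-9][a-z0-9-]*(?:\.[a-z0-9-]+)*\.(?:" + "|".join(INTERNAL_SUFFIXES) + r")\b",
        re.IGNORECASE),
}

# Constructed convention: a line carrying this marker is an accepted finding
# (e.g. a documented example value), so it is skipped.
ALLOW_MARKER = "secrets-scan:allow"


class Finding(NamedTuple):
    path: str
    line_no: int
    kind: str
    snippet: str


def scan_text(path, text):
    """Return a Finding for every (line, pattern) hit in one file's contents."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:
            continue
        for kind, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(path, line_no, kind, line.strip()[:60]))
    return findings


def scan_files(files):
    """files: {path: contents}. Returns all findings, sorted by path and line."""
    found = []
    for path, text in files.items():
        found.extend(scan_text(path, text))
    return sorted(found, key=lambda f: (f.path, f.line_no, f.kind))


# Constructed sample repository contents.
SAMPLE_FILES = {
    "settings.py": (
        "DB_HOST = 'db-01.corp'\n"
        "DB_PASSWORD = 'hunter2hunter2'\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "TIMEOUT = 30\n"
    ),
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA...\n",
    "docs/example.md": "password = 'changeme-example'  # secrets-scan:allow\n",
}


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} {f.kind}: {f.snippet}")
```

Pattern matching of this kind is a cheap first gate, not the whole answer: it only sees the working tree it is handed, so anything already committed stays in history until the commit itself is removed, which is the point the next slide makes.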
What if you find sensitive data in GitHub?
So you’ve found some sensitive information?
• If you commit over it, it’s still in your commit history.
• Remove that commit.
• Rotate those credentials.
• Use TruffleHog to search for any remaining sensitive data in your old commits.
Remember those S3 Buckets
• They are assets too.
• So are their contents.
• AWS now makes it easy to audit bucket permissions and even does it for you (somewhat).
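The audit itself, as an added example that is not from the talk: it reads a bucket policy document (the IAM policy JSON you get back from `get-bucket-policy`) and reports which Allow statements grant to everyone, and it checks the four Block Public Access flags, which AWS added later in 2018 after this talk. Both inputs are handed in as Python data so the example runs offline; the policy, the bucket name, the account id and the VPC endpoint id are constructed.

```python
"""Find bucket-policy statements that open an S3 bucket to everyone.

Added illustration, not from the talk. It works on the bucket policy
document (real IAM policy grammar) and on the four Block Public Access
flags (real S3 API field names), both handed in as Python data so the
example runs offline. The policy below is constructed.
"""
import json

WILDCARD_PRINCIPALS = ("*", {"AWS": "*"}, {"AWS": ["*"]})

# Constructed policy: one intentionally public statement, one scoped to a
# CI role, one wildcard principal narrowed by a condition, and a Deny.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "CIWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/ci-deploy"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
        {"Sid": "DenyHttp", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

# Constructed Block Public Access settings (real flag names from the S3 API).
SAMPLE_PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": False,
    "RestrictPublicBuckets": False,
}


def is_wildcard_principal(principal):
    return principal in WILDCARD_PRINCIPALS


def review_policy(policy_json):
    """Return {Sid: verdict} for Allow statements with a wildcard principal.

    "public"      : anyone can perform the action, no condition at all
    "conditional" : wildcard principal but a Condition narrows it; review
                    whether the condition really limits who can reach it
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement is allowed
        statements = [statements]
    verdicts = {}
    for i, st in enumerate(statements):
        sid = st.get("Sid", f"statement-{i}")
        if st.get("Effect") != "Allow" or not is_wildcard_principal(st.get("Principal")):
            continue
        verdicts[sid] = "conditional" if st.get("Condition") else "public"
    return verdicts


def public_access_block_gaps(config):
    """Names of Block Public Access flags that are not switched on."""
    flags = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")
    return [f for f in flags if not config.get(f, False)]


if __name__ == "__main__":
    print(review_policy(SAMPLE_POLICY))
    print(public_access_block_gaps(SAMPLE_PUBLIC_ACCESS_BLOCK))
```

A "public" verdict on a bucket that is meant to serve a static website is fine; the same verdict on a bucket of backups is the news story the previous slide alludes to. Deny statements are skipped on purpose here: they only ever narrow access, so they are never the reason a bucket is open, though they are worth keeping (the `DenyHttp` one enforces TLS).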
But wait, there’s more...
What do (some) Ops people want from their Security teams?
What Ops wants: Transparency
• Does everyone know the security team members?
• Does everyone know why security changes are made?
• Does the security team have a clear mission?
What Ops wants: Be realistic
• Remember productivity needs to win sometimes
• Do your threat models match your industry and data?
• Are you making security easy?
What Ops wants: Respect
• Don’t be the Team of NO: ask why and explain why
• Build allies by making “better” your first goal, not “perfect”
• Get to know Ops and their priorities and help them
Ops wants to Learn
• Security folks are generally curious: Ops folks are too!
• Taking the time to teach will pay off later
What Ops wants: Jobs
Ops, DevOps, and SRE are an excellent path to Security
What Ops wants: shiny things
• Everyone likes stickers
• Cube toys are fun too
• Chocolate is a classic
• Booze is tricky if they don’t drink – check first
(I prefer to call it rewarding good behaviors, not bribery)
TL;DR - Security can work with Ops and help both succeed.
You’re already doing most of the things I discussed, right? If not, please consider doing them. Your DevOps team will thank you.
Thank you
Got Questions?
• Now is the time for Q&A
• @unixgeekem on Twitter
• @unixgeekem on Hangops
References
• CIS Critical Security Controls: https://www.cisecurity.org/controls/
• Google’s SRE Book: https://landing.google.com/sre/book.html
• The Practice of Cloud System Administration: https://www.amazon.com/Practice-Cloud-System-Administration-Practices/dp/032194318X/
• Effective DevOps: http://shop.oreilly.com/product/0636920039846.do
• Rob Joyce at Enigma 2016: https://www.youtube.com/watch?v=bDJb8WOJYdA
• The History of Pets vs. Cattle: http://cloudscaling.com/blog/cloud-computing/the-history-of-pets-vs-cattle/
• Empathy: The Essence of DevOps: https://medium.com/@jeffsussna/empathy-the-essence-of-devops-572ed2a7f42b
• Dylan Ayrey at BSides SF 2018: https://www.youtube.com/watch?v=TV2hHeKj4-4
• Animal images from pexels.com