Incident Response Automation @ Netflix Q12019

•

20 likes•4,585 views

Automation is key to enable our incident responders to focus on high leverage decisions, provide a consistent experience to our internal customers, and ensure our team meets the needs of a rapidly growing Netflix. The SIRT team is investing a lot of engineering resources in automating Crisis Management, Incident Response, and Digital Forensics. The following slides summarize the reasons why we have decided to invest in these areas, the technologies that we’re using to automate and orchestrate decisions that don’t matter, and showcase some of the workflows that we have successfully automated.

Technology

Incident Response
Automation
@ Netflix
copypaste

Us.
Members of the Security
Incident Response Team
(SIRT)
Kevin Glisson
Senior Security Engineer
kglisson@netflix.com
Marc Vilanova
Senior Security Engineer
mvilanova@netflix.com

About Netflix.
Teams and individual contributors are given a high degree of freedom
● Ownership of entire of stack
● Central teams provide “paved roads”
A lot of everything
● Environments
● Technologies

Automation.
Focus on high leverage decisions
● Aggressively eliminate decisions that don’t
matter
Consistency is key
● Builds confidence (for everyone)
● Breeds familiarity

People Resolve Incidents.
We need help; quickly
● Who do I contact? How do I contact them?
Provide known communication channels
● What is this new message, can ignore it? Should I pull the car over?
Set clear expectations
● Why am I here? What do you need me to do?

Incident Ramp.
Getting people engaged and oriented
● Similar to other product based approaches
Leverage existing knowledge and workflows (go to where your customers are)
● In stressful situations, muscle memory is key

Tech.
Piecing it all together.
Slack and Email
Google Docs
Demisto
+ Many More

Technologies
● Python + Boto3 + AWS Systems Manager (SSM) + AWS Simple Storage Service (S3)
Open Source Forensic Artifacts
● ForensicArtifacts Definitions (e.g. ConfigFiles, UnixCommon, Linux, etc.)
● Others (e.g. /usr/bin/ec2metadata, /usr/bin/printenv, /usr/bin/dpkg -l, etc.)
Orchestration
● Demisto
Work-in-progress / Future work
● Explore Osquery
● Molehill: Ability to search unstructured data collected during an incident
○ Evaluating AWS Elasticsearch, AWS Glue + Athena, AWS CloudSearch
Forensic Artifacts Collection

Forensic Artifacts Collection
App Forensic Acquisition Playbook

Technologies
● Python + Boto3 + AWS SSM + LiME kernel module + AWS EBS
Orchestration
● Demisto
Memory Forensics
Acquisition

● Spinnaker pipeline that builds and publishes LiME modules to our artifactory
● Triggers on every unstable foundation AMI build
Memory Forensics
Acquisition

Technologies
● Python + Volatility Framework (as a library) = sirt-mem-analysis
○ Allows us to run a set of plugins 6x faster than via command line
Work-in-progress / Future work
● Explore Rekall as an alternative to Volatility
● Explore Titus¹ for parallelizing analysis
Memory Forensics
Analysis
¹ Netflix Cloud Container Runtime Platform

Technologies
● Python + Volatility Framework (as a library)
○ Allows us to run a set of plugins 6x faster than via command line
Work-in-progress / Future work
● Explore Rekall as an alternative to Volatility
● Explore Titus¹ for parallelizing analysis
Memory Forensics
Analysis
¹ Netflix Cloud Container Runtime Platform

● Container Forensics
● Process Forensics
○ Extended Core File Snapshot (ECFS)
Future Work

● Delegation wins the day
○ Through communication with peers/SMEs
○ Through automation
● There is no one “solution”
○ Organizations are radically different; remove decisions empower people.
Key Takeaways

What's hot

In order to effectively defend your organization, you must think about the offensive strategy as well. But before we get ahead of ourselves let’s talk briefly about the building blocks of a good offense. First is an architecture that is built around a security policy that is aligned with the business risk. Risk must be understood and a cookie cutter approach must be avoided here because again every organization is different and so are their risks.

Threat Hunting - Moving from the ad hoc to the formal

Priyanka Aash

These are the slides from the webinar broadcast on April 1st 2020, presented by Philipp Drieger. Content covers: - Introduction to AI and ML Features in Splunk - Customer Use Case Examples - Live Demo of Machine Learning Toolkit, with examples for: Methods for Anomaly Detection, Predictive Analytics and Forecasting, and Clustering - Custom Machine Learning, incl.: Advanced Containerization and Expansion with MLSPL API

Splunk Artificial Intelligence & Machine Learning Webinar

Splunk

Nmap Basics

amiable_indian

Learn about Sogeti’s journey of creating a new Security Operation Center, and how and why we leveraged QRadar solutions. We explore the full program lifecycle, from strategic choices to technical analysis and benchmarking on the product. We explain how QRadar accelerates the go-to-market of the SOC, and how we embed IBM Security Intelligence offerings in our solution. Having a strong collaboration between different IBM stakeholders such as Software Group, Global Technology Services, as well as the Labs, was key to client satisfaction and operational effectiveness. We also show the value of integrating new QRadar features in our SOC roadmap, in order to constantly stay ahead in the cyber security game.

Building a Next-Generation Security Operation Center Based on IBM QRadar and ...

IBM Security

Cyber Threat Intelligence

mohamed nasri

You own a SIEM, but to be secure, you need a Security Operations Center! How do you cross the chasm? Do you hire staff or outsource? And what skills are needed? Mike Ostrowski, a cybersecurity industry veteran, will review common pitfalls experienced through the journey from SIEM to SOC, the pros and cons of an all in-house SOC vs. outsourcing, and the benefits of a hybrid SOC model. Learning Objectives: 1: You own a SIEM, but to be secure, you need a SOC. How do you cross the chasm? 2: What are the pros and cons of in-house, fully managed and hybrid security? 3: What considerations go into deciding whether to employ a hybrid strategy? (Source: RSA Conference USA 2018)

From SIEM to SOC: Crossing the Cybersecurity Chasm

Priyanka Aash

Threat Hunting

Splunk

Security and Compliance Initial Roadmap

Anshu Gupta

The presentation provides the following: - McAfee Company Overview - McAfee Strategy - McAfee Portfolio Overview - Endpoint Security Challenges - McAfee Endpoint Protection Platform - McAfee Active Response Overview - McAfee Active Response Features - McAfee Active Response Architecture - McAfee Active Response Workflow - McAfee Active Response Licenses & Packaging Please note all the information is based prior to Aug 2019.

McAfee - McAfee Active Response (MAR) - Endpoint Detection & Response (EDR)

Iftikhar Ali Iqbal

Cyber Security Trends Business Concerns Cyber Threats The Solutions Security Operation Center requirement SOC Architecture model SOC Implementation SOC & NOC SOC & CSIRT SIEM & Correlation ----------------------------------------------------------- Definition Gartner defines a SOC as both a team, often operating in shifts around the clock, and a facility dedicated to and organized to prevent, detect, assess and respond to cybersecurity threats and incidents, and to fulfill and assess regulatory compliance. The term "cybersecurity operation center "is often used synonymously for SOC. A network operations center (NOC) is not a SOC, which focuses on network device management rather than detecting and responding to cybersecurity incidents. Coordination between the two is common, however. A managed security service is not the same as having a SOC — although a service provider may offer services from a SOC. A managed service is a shared resource and not solely dedicated to a single organization or entity. Similarly, there is no such thing as a managed SOC. Most of the technologies, processes and best practices that are used in a SOC are not specific to a SOC. Incident response or vulnerability management remain the same, whether delivered from a SOC or not. It is a meta-topic, involving many security domains and disciplines, and depending on the services and functions that are delivered by the SOC. Services that often reside in a SOC are: • Cyber security incident response • Malware analysis • Forensic analysis • Threat intelligence analysis • Risk analytics and attack path modeling • Countermeasure implementation • Vulnerability assessment • Vulnerability analysis • Penetration testing • Remediation prioritization and coordination • Security intelligence collection and fusion • Security architecture design • Security consulting • Security awareness training • Security audit data collection and distribution Alternative names for SOC : Security defense center (SDC) Security intelligence center Cyber security center Threat defense center security intelligence and operations center (SIOC) Infrastructure Protection Centre (IPC) مرکز عملیات امنیت

Security operations center-SOC Presentation-مرکز عملیات امنیت

ReZa AdineH

INCIDENT RESPONSE CONCEPTS

Sylvain Martinez

From MITRE ATT&CKcon Power Hour December 2020 By Hieu Tran, Threat Detection Team Lead FPT Cybersecurity Division No matter how sophisticated and thorough your security precautions may be, you cannot assume your security measures are impenetrable. This is why you need a threat hunting program in place. But how can we implement a proper threat hunting program and run it efficiently? In this talk, we will uncover how to sharpen your threat hunting strategy by leveraging ATT&CK. Ultimately, we’ll be demonstrating how effectively employing the hunting methodology in the real-world battlefield, fighting against well-known cyber espionage actors who strongly focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia.

Sharpening your Threat-Hunting Program with ATTACK Framework

MITRE - ATT&CKcon

RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...

Adam Pennington

This presentation showcased live during the DNIF KONNECT meetup on 19th December 2019. We have our presenter: Ruchir Shah- Account Manager at DNIF, walk us through the importance of SOAR Some key points discussed during the meetup: -Understand, what is SOAR. -The problems a SOAR solution solves. -Real-time demo by DNIF expert on SOAR. Watch the full presentation here: https://www.youtube.com/watch?v=bCp-WAs6w5I

Insight into SOAR

DNIF

Enterprise Cybersecurity: From Strategy to Operating Model

Eryk Budi Pratama

MITRE ATT&CK is quickly gaining traction and is becoming an important standard to use to assess the overall cyber security posture of an organization. Tools like ATT&CK Navigator facilitate corporate adoption and allow for a holistic overview on attack techniques and how the organization is preventing and detecting them. Furthermore, many vendors, technologies and open-source initiatives are aligning with ATT&CK. Join Erik Van Buggenhout in this presentation, where he will discuss how MITRE ATT&CK can be leveraged in the organization as part of your overall cyber security program, with a focus on adversary emulation. Erik Van Buggenhout is the lead author of SANS SEC599 - Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses. Next to his activities at SANS, Erik is also a co-founder of NVISO, a European cyber security firm with offices in Brussels, Frankfurt and Munich.

Leveraging MITRE ATT&CK - Speaking the Common Language

Erik Van Buggenhout

So, you need to build a Security Operations Center (SOC)? What does that mean? What does the modern SOC need to do? Learn from Dr. Terry Brugger, who has been doing information security work for over 15 years, including building out a SOC for a large Federal agency and consulting for numerous large enterprises on their security operations. Watch the presentation with audio here: http://info.sqrrl.com/sqrrl-october-webinar-next-generation-soc

Building a Next-Generation Security Operations Center (SOC)

Sqrrl

Threat hunting for Beginners

SKMohamedKasim

Building a modern monitoring environment is more than just using the latest awesome tools, collecting all of the data, displaying numerous graphs and knowing when things go wrong. A modern monitoring environment is more than tools and infrastructure. It's a service. A service you provide to your whole team: developers, operations, security, and the business. This talk is about how you can build monitoring environments (or extend your existing environment) that are customer-focussed rather than infrastructure focussed. We'll see how you can treat your needs and the needs of your organization as customer requirements and build monitoring that is consumable and configurable on demand. Building a modern monitoring environment is more than just using the latest awesome tools, collecting all of the data, displaying numerous graphs and knowing when things go wrong. A modern monitoring environment is more than tools and infrastructure. It's a service. A service you provide to your whole team: developers, operations, security, and the business. This talk is about how you can build monitoring environments (or extend your existing environment) that are customer-focussed rather than infrastructure focussed. We'll see how you can treat your needs and the needs of your organization as customer requirements and build monitoring that is consumable and configurable on demand.

Monitoring As a Service

James Turnbull

From ATT&CKcon 3.0 By Jared Stroud, Lacework Adversaries target common cloud misconfigurations in container-focused workflows for initial access. Whether this is Docker or Kubernetes environments, Lacework Labs has identified adversaries attempting to deploy malicious container images (T1610) , mine Cryptocurrency (T1496), and deploy C2 agents. Defenders new to the container space may be unaware of the built-in capabilities popular container runtime engines have that can help defend against rogue containers being deployed into their environment. Attendees will walk away with an understanding of what these attack patterns look like based on honeypot data Lacework has gathered over the past year, as well as techniques on how to defend their own container focused workloads.

ATT&CKING Containers in The Cloud

MITRE ATT&CK

What's hot (20)

Threat Hunting - Moving from the ad hoc to the formal

Splunk Artificial Intelligence & Machine Learning Webinar

Nmap Basics

Building a Next-Generation Security Operation Center Based on IBM QRadar and ...

Cyber Threat Intelligence

From SIEM to SOC: Crossing the Cybersecurity Chasm

Threat Hunting

Security and Compliance Initial Roadmap

McAfee - McAfee Active Response (MAR) - Endpoint Detection & Response (EDR)

Security operations center-SOC Presentation-مرکز عملیات امنیت

INCIDENT RESPONSE CONCEPTS

Sharpening your Threat-Hunting Program with ATTACK Framework

RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...

Insight into SOAR

Enterprise Cybersecurity: From Strategy to Operating Model

Leveraging MITRE ATT&CK - Speaking the Common Language

Building a Next-Generation Security Operations Center (SOC)

Threat hunting for Beginners

Monitoring As a Service

ATT&CKING Containers in The Cloud

Similar to Incident Response Automation @ Netflix Q12019

Functional programming finds its roots in mathematics - the pursuit of purity and completeness. We functional programmers look to formalize system behaviors in an algebraic and total manner. Despite this, when it comes time to deploy ones beautiful monadic ivory towers to production, most organizations cast caution to the wind and use a myriad of bash scripts and sticky tape to get the job done. In this talk, the speaker will introduce you to Nelson, an open-source project from Verizon that looks to provide rigor to your large distributed system, whilst offering best-in-class security, runtime traffic shifting and a fully immutable approach to application lifecycle. Nelson itself is entirely composed of free algebras and coproducts, and the speaker will show not only how this has enabled development, but also how it provided a frame with which to reason about solutions to fundamental operational problems.

Nelson: Rigorous Deployment for a Functional World

Timothy Perrett

Machine learning in cybersecutiry

Vishwas N

Netflix Open Source Meetup Season 3 Episode 2

aspyker

NetflixOSS Meetup season 3 episode 2

Ruslan Meshenberg

Native cloud security monitoring

John Varghese

Netflix has been using and contributing to open source for several years. Over the years, Netflix has released over one hundred Netflix Open Source (aka NetflixOSS) libraries, servers, and technologies. Netflix engineers benefit by accepting contributions and gathering feedback with key collaborators around the world. Users of NetflixOSS from many industries benefit from our solutions including Big Data, Build and Delivery Tools, Runtime Services and Libraries, Data Persistence, Insight, Reliability and Performance, Security and User Interface. With such a large and mature open source program, Netflix has worked on approaches and tools that help manage and improve the NetflixOSS source offerings and communities. Netflix has taken a different approach to building support for open source as compared to other Internet scale companies. Come to this session to learn about the unique approaches Netflix has taken to both distribute and automate the responsibilities of building a world-class open source program.

Netflix Open Source: Building a Distributed and Automated Open Source Program

aspyker

Building a Distributed & Automated Open Source Program at Netflix

All Things Open

Automate or die! Rootedcon 2017

Toni de la Fuente

Los procedimientos relacionados con Respuesta a Incidentes y Análisis Forense son diferentes en la nube respecto a cuando se realizan en entornos tradicionales, locales. Veremos las diferencias entre el análisis forense digital tradicional y el relacionado con sistemas en la nube de AWS, Azure o Google Compute Platform. Cuando se trata de la nube y nos movemos en un entorno totalmente virtual nos enfrentamos a desafíos que son diferentes al mundo tradicional. Lo que antes era hardware, ahora es software. Con los proveedores de infraestructura en la nube trabajamos con APIs, creamos, eliminamos o modificamos cualquier recurso con una llamada a su API. Disponemos de balanceadores, servidores, routers, firewalls, bases de datos, WAFs, sistemas de cifrado y muchos recursos más a sin abrir una caja y sin tocar un cable. A golpe de comando. Es lo que conocemos como Infraestructura como código. Si lo puedes programar, lo puedes automatizar. ¿Como podemos aprovecharnos de ello desde el punto de vista de la respuesta a incidentes, análisis forense o incluso hardening automatizado?

Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...

RootedCON

Disenchantment is a Netflix show following the medieval misadventures of a hard-drinking princess, her feisty elf, and her personal demon. In this talk, we will follow the story of Netflix’s container management platform, Titus, which powers critical aspects of the Netflix business (video encoding & streaming, big data, recommendations & machine learning, and other workloads). We’ll cover the challenges growing Titus from 10’s to 1000’s of workloads. We’ll talk about our feisty team’s work across container runtimes, scheduling & control plane, and cloud infrastructure integration. We’ll talk about the demons we’ve found on this journey covering operability, security, reliability and performance.

QConSF18 - Disenchantment: Netflix Titus, its Feisty Team, and Daemons

aspyker

The Dirty Little Secrets They Didn’t Teach You In Pentesting Class

Chris Gates

NetflixOSS Meetup season 3 episode 1

Ruslan Meshenberg

Triangle Devops Meetup 10/2015

aspyker

In this talk Kim-Norman Sahm and Alexander Trost dive into the challenges of storage for containerized applications on Kubernetes. We'll see how the current state is and how Rook can help with that. We are going to especially look at Ceph run through Rook here, but nonetheless trying not to lose sight of the whole picture. There is a lot to keep in mind storage as is, but everything gets more complex with storage for containers. From what type of storage to how much and how "safe" it should, all questions that should be asked and most of them which should be answered as well. Rook's project site https://rook.io/ Kim-Norman Sahm is CTO of Cloudical. He also works as Executive Cloud Architect at Cloudical. Previously, he was OpenStack Cloud Architect at T-Systems (operational services GmbH) and noris network AG. He is an expert of the technologies OpenStack, Ceph and Kubernetes (CKA). Alexander Trost works as a DevOps Engineer at Cloudical Deutschlang GmbH and is a Certified Kubernetes Administrator (CKA). He is one of four maintainers of the Rook.io Project and is engaged in several more open source projects, for example a Prometheus exporter for Dell Hardware (Dell OMSA Metrics), k8s-vagrant-multi-node an easy local multi node Kubernetes environment, and others. Besides Containers and Kubernetes he is expert on Software Defined Storage, Golang and Continuous Integration (with GitLab CI). He passionately enjoys working on open source projects, such as Rook, Ancientt and other projects.

Rook: Storage for Containers in Containers – data://disrupted® 2020

data://disrupted®

The DreamPort Splunk Project; How We Use AWS, Terraform, and Ansible to Automate Everything About a Splunk Cluster At DreamPort, we use cloud platforms, infrastructure-as-code tooling, configuration tools, automation software, and container technologies to very quickly design, develop, and prototype projects. This particular talk focuses on the tools used to deploy and configure a Splunk cluster for a particular project we recently ran. We will cover the deployment, configuration, and orchestration of a large 16 node Splunk cluster using tools that are a core set to DreamPort's cloud infrastructure toolbox; AWS, Terraform, Ansible, and Docker. It is recommended that attendees have a general understanding of AWS, Linux, Splunk, and Docker, and know about automation tools such as Terraform and Ansible. Attendees will learn how to use AWS, Terraform, Ansible, and Docker to deploy a large Splunk cluster, how to use Ansible to orchestrate and manage the Splunk cluster, and how to use Ansible to orchestrate and manage the Splunk cluster. ------------------------------------------------- Bill Cawthra is a Principal Cloud Infrastructure Architect for CyberPoint, managing project-related cloud systems and platforms. He works primarily on the AWS platform, using various automation tools to rapidly deploy and manage infrastructure. Bill has over 18 years of experience in computers and technology, working in a range of fields, including construction, DoD, health care, and social media.

Using AWS, Terraform, and Ansible to Automate Splunk at Scale

Data Works MD

Modern deployment and hosting environments have created a new dynamism to application, network, and development architectures. Compute resources are ephemeral, networks are instantiated and configured with API calls, and new versions of applications are deployed in seconds... security has not met this challenge gracefully. In this talk, we explore some new and interesting ways to make security reactive within cloud environments by dynamically changing the environment in response to and in preparation for security incidents, baby steps toward an architecture that can protect itself.

Reactive Cloud Security | AWS Public Sector Summit 2016

Amazon Web Services

Event sourcing and CQRS: Lessons from the trenches

David Jiménez Martínez

ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...

DynamicInfraDays

OpenStack Security Project

Travis McPeak

Microsoft Dryad

Colin Clark

Similar to Incident Response Automation @ Netflix Q12019 (20)

Nelson: Rigorous Deployment for a Functional World

Machine learning in cybersecutiry

Netflix Open Source Meetup Season 3 Episode 2

NetflixOSS Meetup season 3 episode 2

Native cloud security monitoring

Netflix Open Source: Building a Distributed and Automated Open Source Program

Building a Distributed & Automated Open Source Program at Netflix

Automate or die! Rootedcon 2017

Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud...

QConSF18 - Disenchantment: Netflix Titus, its Feisty Team, and Daemons

The Dirty Little Secrets They Didn’t Teach You In Pentesting Class

NetflixOSS Meetup season 3 episode 1

Triangle Devops Meetup 10/2015

Rook: Storage for Containers in Containers – data://disrupted® 2020

Using AWS, Terraform, and Ansible to Automate Splunk at Scale

Reactive Cloud Security | AWS Public Sector Summit 2016

Event sourcing and CQRS: Lessons from the trenches

ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...

OpenStack Security Project

Microsoft Dryad

Recently uploaded

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

Keynote 2: APIs in 2030: The Risk of Technological Sleepwalk Paolo Malinverno, Growth Advisor - The Business of Technology Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...

apidays

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Edi Saputra

Three things you will take away from the session: • How to run an effective tenant-to-tenant migration • Best practices for before, during, and after migration • Tips for using migration as a springboard to prepare for Copilot in Microsoft 365 Main ideas: Migration Overview: The presentation covers the current reality of cross-tenant migrations, the triggers, phases, best practices, and benefits of a successful tenant migration Considerations: When considering a migration, it is important to consider the migration scope, performance, customization, flexibility, user-friendly interface, automation, monitoring, support, training, scalability, data integrity, data security, cost, and licensing structure Next Wave: The next wave of change includes the launch of Copilot, which requires businesses to be prepared for upcoming changes related to Copilot and the cloud, and to consolidate data and tighten governance ShareGate: ShareGate can help with pre-migration analysis, configurable migration tool, and automated, end-user driven collaborative governance

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

sammart93

Vector Search -An Introduction in Oracle Database 23ai.pptx

Remote DBA Services

Corporate and higher education. Two industries that, in the past, have had a clear divide with very little crossover. The difference in goals, learning styles and objectives paved the way for differing learning technologies platforms to evolve. Now, those stark lines are blurring as both sides are discovering they have content that’s relevant to the other. Join Tammy Rutherford as she walks through the pros and cons of corporate and higher ed collaborating. And the challenges of these different technology platforms working together for a brighter future.

Corporate and higher education May webinar.pptx

Rustici Software

ICT role in 21st century education and its challenges

rafiqahmad00786416

The value of a flexible API Management solution for Open Banking Steve Melan, Manager for IT Innovation and Architecture - State's and Saving's Bank of Luxembourg Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The value of a flexible API Management solution for O...

apidays

The microservices honeymoon is over. When starting a new project or revamping a legacy monolith, teams started looking for alternatives to microservices. The Modular Monolith, or 'Modulith', is an architecture that reaps the benefits of (vertical) functional decoupling without the high costs associated with separate deployments. This talk will delve into the advantages and challenges of this progressive architecture, beginning with exploring the concept of a 'module', its internal structure, public API, and inter-module communication patterns. Supported by spring-modulith, the talk provides practical guidance on addressing the main challenges of a Modultith Architecture: finding and guarding module boundaries, data decoupling, and integration module-testing. You should not miss this talk if you are a software architect or tech lead seeking practical, scalable solutions. About the author With two decades of experience, Victor is a Java Champion working as a trainer for top companies in Europe. Five thousands developers in 120 companies attended his workshops, so he gets to debate every week the challenges that various projects struggle with. In return, Victor summarizes key points from these workshops in conference talks and online meetups for the European Software Crafters, the world’s largest developer community around architecture, refactoring, and testing. Discover how Victor can help you on victorrentea.ro : company training catalog, consultancy and YouTube playlists.

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024

Victor Rentea

Exploring Multimodal Embeddings with Milvus

Zilliz

Accelerating FinTech Innovation: Unleashing API Economy and GenAI Vasa Krishnan, Chief Technology Officer - FinResults Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

apidays

Following the popularity of "Cloud Revolution: Exploring the New Wave of Serverless Spatial Data," we're thrilled to announce this much-anticipated encore webinar. In this sequel, we'll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you're building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Safe Software

Passkeys: Developing APIs to enable passwordless authentication Cody Salas, Sr Developer Advocate | Solutions Architect - Yubico Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...

apidays

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

MadyBayot

Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows. We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases. This video focuses on the deployment of external web forms using Jotform for Bonterra Impact Management. This solution can be customized to your organization’s needs and deployed to support the common use cases below: - Intake and consent - Assessments - Surveys - Applications - Program registration Interested in deploying web form automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

Jeffrey Haguewood

Six Myths about Ontologies: The Basics of Formal Ontology

johnbeverley2021

CNIC Information System with Pakdata Cf In Pakistan

danishmna97

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Juan lago vázquez

Angeliki Cooney has spent over twenty years at the forefront of the life sciences industry, working out of Wynantskill, NY. She is highly regarded for her dedication to advancing the development and accessibility of innovative treatments for chronic diseases, rare disorders, and cancer. Her professional journey has centered on strategic consulting for biopharmaceutical companies, facilitating digital transformation, enhancing omnichannel engagement, and refining strategic commercial practices. Angeliki's innovative contributions include pioneering several software-as-a-service (SaaS) products for the life sciences sector, earning her three patents. As the Senior Vice President of Life Sciences at Avenga, Angeliki orchestrated the firm's strategic entry into the U.S. market. Avenga, a renowned digital engineering and consulting firm, partners with significant entities in the pharmaceutical and biotechnology fields. Her leadership was instrumental in expanding Avenga's client base and establishing its presence in the competitive U.S. market.

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...

Angeliki Cooney

Architecting Cloud Native Applications

WSO2

Recently uploaded (20)

How to Troubleshoot Apps for the Modern Connected Worker

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

Vector Search -An Introduction in Oracle Database 23ai.pptx

Corporate and higher education May webinar.pptx

ICT role in 21st century education and its challenges

Apidays New York 2024 - The value of a flexible API Management solution for O...

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024

Exploring Multimodal Embeddings with Milvus

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

Six Myths about Ontologies: The Basics of Formal Ontology

CNIC Information System with Pakdata Cf In Pakistan

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...

Architecting Cloud Native Applications

Incident Response Automation @ Netflix Q12019

1. Incident Response Automation @ Netflix copypaste

2. Us. Members of the Security Incident Response Team (SIRT) Kevin Glisson Senior Security Engineer kglisson@netflix.com Marc Vilanova Senior Security Engineer mvilanova@netflix.com

3. About Netflix. Teams and individual contributors are given a high degree of freedom ● Ownership of entire of stack ● Central teams provide “paved roads” A lot of everything ● Environments ● Technologies

4. Automation. Focus on high leverage decisions ● Aggressively eliminate decisions that don’t matter Consistency is key ● Builds confidence (for everyone) ● Breeds familiarity

5. Crisis Management

6. People Resolve Incidents. We need help; quickly ● Who do I contact? How do I contact them? Provide known communication channels ● What is this new message, can ignore it? Should I pull the car over? Set clear expectations ● Why am I here? What do you need me to do?

7. Incident Ramp. Getting people engaged and oriented ● Similar to other product based approaches Leverage existing knowledge and workflows (go to where your customers are) ● In stressful situations, muscle memory is key

8. Tech. Piecing it all together. Slack and Email Google Docs Demisto + Many More

9. Hi.

10. Tech. Piecing it all together. Slack and Email Google Docs Demisto + Many More

11. Enter text here.

12. Tech. Piecing it all together. Slack and Email Google Docs Demisto + Many More

13. Go with the flow.

14. Digital Forensics and Incident Response

15. Technologies ● Python + Boto3 + AWS Systems Manager (SSM) + AWS Simple Storage Service (S3) Open Source Forensic Artifacts ● ForensicArtifacts Definitions (e.g. ConfigFiles, UnixCommon, Linux, etc.) ● Others (e.g. /usr/bin/ec2metadata, /usr/bin/printenv, /usr/bin/dpkg -l, etc.) Orchestration ● Demisto Work-in-progress / Future work ● Explore Osquery ● Molehill: Ability to search unstructured data collected during an incident ○ Evaluating AWS Elasticsearch, AWS Glue + Athena, AWS CloudSearch Forensic Artifacts Collection

16. Technologies ● Python + Boto3 + AWS Systems Manager (SSM) + AWS Simple Storage Service (S3) Open Source Forensic Artifacts ● ForensicArtifacts Definitions (e.g. ConfigFiles, UnixCommon, Linux, etc.) ● Others (e.g. /usr/bin/ec2metadata, /usr/bin/printenv, /usr/bin/dpkg -l, etc.) Orchestration ● Demisto Work-in-progress / Future work ● Explore Osquery ● Molehill: Ability to search unstructured data collected during an incident ○ Evaluating AWS Elasticsearch, AWS Glue + Athena, AWS CloudSearch Forensic Artifacts Collection

17. Technologies ● Python + Boto3 + AWS Systems Manager (SSM) + AWS Simple Storage Service (S3) Open Source Forensic Artifacts ● ForensicArtifacts Definitions (e.g. ConfigFiles, UnixCommon, Linux, etc.) ● Others (e.g. /usr/bin/ec2metadata, /usr/bin/printenv, /usr/bin/dpkg -l, etc.) Orchestration ● Demisto Work-in-progress / Future work ● Explore Osquery ● Molehill: Ability to search unstructured data collected during an incident ○ Evaluating AWS Elasticsearch, AWS Glue + Athena, AWS CloudSearch Forensic Artifacts Collection

18. Forensic Artifacts Collection App Forensic Acquisition Playbook

19. Technologies ● Python + Boto3 + AWS Systems Manager (SSM) + AWS Simple Storage Service (S3) Open Source Forensic Artifacts ● ForensicArtifacts Definitions (e.g. ConfigFiles, UnixCommon, Linux, etc.) ● Others (e.g. /usr/bin/ec2metadata, /usr/bin/printenv, /usr/bin/dpkg -l, etc.) Orchestration ● Demisto Work-in-progress / Future work ● Explore Osquery ● Molehill: Ability to search unstructured data collected during an incident ○ Evaluating AWS Elasticsearch, AWS Glue + Athena, AWS CloudSearch Forensic Artifacts Collection

20. Technologies ● Python + Boto3 + AWS SSM + LiME kernel module + AWS EBS Orchestration ● Demisto Memory Forensics Acquisition

21. ● Spinnaker pipeline that builds and publishes LiME modules to our artifactory ● Triggers on every unstable foundation AMI build Memory Forensics Acquisition

22. Technologies ● Python + Boto3 + AWS SSM + LiME kernel module + AWS EBS Orchestration ● Demisto Memory Forensics Acquisition

23. Memory Forensics Acquisition Playbook

24. Memory Forensics Acquisition Playbook

25. Technologies ● Python + Volatility Framework (as a library) = sirt-mem-analysis ○ Allows us to run a set of plugins 6x faster than via command line Work-in-progress / Future work ● Explore Rekall as an alternative to Volatility ● Explore Titus¹ for parallelizing analysis Memory Forensics Analysis ¹ Netflix Cloud Container Runtime Platform

26. Technologies ● Python + Volatility Framework (as a library) ○ Allows us to run a set of plugins 6x faster than via command line Work-in-progress / Future work ● Explore Rekall as an alternative to Volatility ● Explore Titus¹ for parallelizing analysis Memory Forensics Analysis ¹ Netflix Cloud Container Runtime Platform

27. ● Container Forensics ● Process Forensics ○ Extended Core File Snapshot (ECFS) Future Work

28. ● Delegation wins the day ○ Through communication with peers/SMEs ○ Through automation ● There is no one “solution” ○ Organizations are radically different; remove decisions empower people. Key Takeaways

Incident Response Automation @ Netflix Q12019

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Incident Response Automation @ Netflix Q12019

Similar to Incident Response Automation @ Netflix Q12019 (20)

Recently uploaded

Recently uploaded (20)

Incident Response Automation @ Netflix Q12019