©2018 Check Point Software Technologies Ltd.
SECURITY AT THE SPEED OF DEVOPS
• Ori Kuyumgiski | DevOps Team Leader
• Javier Hijas | Cloud Security Engineer
ONE COMPANY HAS THE VISION AND THE EXECUTION TO DELIVER: CHECK POINT
CHECK POINT SOLUTIONS
WE SECURE THE MOST COMPLEX AND SENSITIVE ENVIRONMENTS
WE HAVE THE EXPERIENCE: deep security experience, global presence, the most demanding environments
88 offices, 100,000 customers, 22 years
WE HAVE THE EXPERTISE: the world's largest dedicated security vendor
3,000 security experts: threat intelligence analysts, mobile security researchers, threat prevention researchers, security architects, cybersecurity investigators, reverse engineers, Computer Incident Response Team (CIRT)
THE ERA OF DIGITAL TRANSFORMATION: connecting to the cloud and mobile
PROTECTING MOBILE DEVICES
Startup emerge
• AWS EC2-Classic (no VPC), 2012
• AWS security groups: allow any (in EC2-Classic the security group of a running instance cannot be changed, so the group was left open)
• iptables rules configured dynamically from Puppet (the effective per-host firewall)
• Suricata in detect (IDS-only) mode
• Fail2ban
• PSAD: log-based IPS that analyses iptables log messages
• Developers access machines directly (Alcatraz)
• Deployments using Puppet (static versioning)
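A worked illustration of the arrangement on this slide, as an added example (not code from the deck, from Puppet or from Check Point): when the security group is "allow any", the host firewall is the only network control, so the rule set Puppet renders on each host has to be default-deny and has to be checked before it is applied. The renderer below turns a host role into `iptables-restore` input and the lint rejects a rendered set that exposes a port outside the role's allow-list, opens SSH to the world, or lost its DROP policy. The role/port table, the admin CIDR and the LOG prefix are assumed values for illustration.

```python
"""Added example: Puppet-style rendering of a default-deny iptables rule set,
plus a lint to run on the rendered text before `iptables-restore`.
ROLE_PORTS, the admin CIDR and LOG_PREFIX are assumptions, not the deck's data."""

from __future__ import annotations

import re

# Assumed per-role allow-lists, the kind of data Puppet would carry per host.
ROLE_PORTS = {
    "nginx": [22, 80, 443],
    "app": [22, 8080],
    "db": [22, 5432],
}

LOG_PREFIX = "IPT-DROP "  # psad reads kernel log lines carrying this prefix


def render_rules(role: str, admin_cidr: str = "10.0.0.0/8") -> str:
    """Return iptables-restore input for one host role: INPUT policy DROP,
    loopback and established traffic allowed, the role's ports opened, and
    everything else logged (rate-limited) so psad/fail2ban can act on it.
    SSH (22) is only accepted from admin_cidr, never from anywhere."""
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "-A INPUT -m conntrack --ctstate INVALID -j DROP",
    ]
    for port in ROLE_PORTS[role]:
        src = f" -s {admin_cidr}" if port == 22 else ""
        lines.append(
            f"-A INPUT -p tcp{src} --dport {port} -m conntrack --ctstate NEW -j ACCEPT"
        )
    lines.append(
        f'-A INPUT -m limit --limit 5/min -j LOG --log-prefix "{LOG_PREFIX}" --log-level 4'
    )
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


# Matches an INPUT ACCEPT rule and captures the optional source and the port.
_ACCEPT = re.compile(r"^-A INPUT (?:-p \w+ )?(?:-s (\S+) )?--dport (\d+) .*-j ACCEPT$")


def lint_rules(rules: str, allowed_ports: set[int]) -> list[str]:
    """Return the problems found in a rendered rule set (empty list = OK).
    Catches what a typo in host data would produce: a non-DROP INPUT policy,
    an ACCEPT for a port outside the allow-list, and world-reachable SSH."""
    problems = []
    if ":INPUT DROP" not in rules:
        problems.append("INPUT policy is not DROP")
    for line in rules.splitlines():
        m = _ACCEPT.match(line)
        if not m:
            continue
        src, port = m.group(1), int(m.group(2))
        if port not in allowed_ports:
            problems.append(f"port {port} accepted but not on allow-list")
        if port == 22 and src in (None, "0.0.0.0/0"):
            problems.append("SSH accepted from anywhere")
    return problems


if __name__ == "__main__":
    rendered = render_rules("nginx")
    print(rendered)
    print("lint:", lint_rules(rendered, {22, 80, 443}) or "clean")
```

Run the lint as a Puppet pre-apply check (or in CI over the rendered template output) rather than on the live host: a rule set that fails the lint never reaches `iptables-restore`, which is the point of managing the firewall as code when the cloud-side group is wide open.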
Startup emerge
• Flat network, one AZ
• One NGINX handles all the traffic
• One application server, one DB instance, one detection server
• Tight budget
• A few POCs
[Diagram: Startup emerge]
Startup evolve
• AWS VPC (2013)
• AWS security groups: still allow any (easier to manage the rules in Puppet)
• iptables rules configured dynamically from Puppet
• Suricata dropped: no added value without a SOC to act on its alerts
• Still using Fail2ban and PSAD (log-based IPS)
• Started collecting logs into an ELK stack
• Deployments enhanced:
  - Puppet-delivered (static versions)
  - centralized execution via MCollective
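The log-based detection that Fail2ban and PSAD do, written out as an added example (not the deck's code and not either tool's own implementation) so that both the mechanism and its blind spot are visible: authentication failures are counted per source address over a sliding window and an address is banned when it crosses a threshold. The sshd log lines are constructed samples, and the thresholds (`MAXRETRY`, `FINDTIME`) and the ban-rule format are assumptions.

```python
"""Added example: fail2ban-style sliding-window detection over sshd syslog lines.
SAMPLE_LOG is constructed; MAXRETRY/FINDTIME are assumed values."""

from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: one fast brute force, one legitimate login, one slow brute force.
SAMPLE_LOG = """\
Mar 12 10:00:01 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar 12 10:00:03 web1 sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Mar 12 10:00:05 web1 sshd[2215]: Invalid user oracle from 203.0.113.7 port 51140
Mar 12 10:00:09 web1 sshd[2218]: Failed password for root from 203.0.113.7 port 51150 ssh2
Mar 12 10:00:12 web1 sshd[2221]: Accepted publickey for deploy from 10.0.1.5 port 40022 ssh2
Mar 12 10:00:14 web1 sshd[2223]: Failed password for root from 203.0.113.7 port 51160 ssh2
Mar 12 10:30:00 web1 sshd[2301]: Failed password for root from 198.51.100.9 port 60000 ssh2
Mar 12 10:45:00 web1 sshd[2302]: Failed password for root from 198.51.100.9 port 60001 ssh2
Mar 12 11:00:00 web1 sshd[2303]: Failed password for root from 198.51.100.9 port 60002 ssh2
Mar 12 11:15:00 web1 sshd[2304]: Failed password for root from 198.51.100.9 port 60003 ssh2
Mar 12 11:30:00 web1 sshd[2305]: Failed password for root from 198.51.100.9 port 60004 ssh2
"""

# sshd failure lines: "Failed password for [invalid user] X from IP" or "Invalid user X from IP"
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?\S+|Invalid user \S+) from (?P<ip>[\d.]+)"
)

MAXRETRY = 5     # failures that trigger a ban (fail2ban calls this maxretry)
FINDTIME = 600   # seconds; window over which failures are counted (findtime)
YEAR = 2018      # syslog timestamps carry no year; assumed for the sample


def parse_failure(line: str):
    """Return (timestamp, source_ip) for an sshd auth failure, else None."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"]


def offenders(lines, maxretry: int = MAXRETRY, findtime: int = FINDTIME) -> dict:
    """Sliding-window count of failures per source IP; returns {ip: ban_time}.
    Each IP is reported once, at the failure that crossed the threshold."""
    window = defaultdict(deque)
    banned = {}
    for line in lines:
        hit = parse_failure(line)
        if hit is None:
            continue
        ts, ip = hit
        if ip in banned:
            continue
        q = window[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:   # drop failures older than the window
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned


def ban_rule(ip: str) -> str:
    """The iptables rule a ban action would insert (format is an assumption)."""
    return f"-I INPUT -s {ip} -j DROP"


if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{when:%H:%M:%S} ban {ip}: {ban_rule(ip)}")
```

The second address in the sample fails five times but fifteen minutes apart, so it never trips the 600-second window; a slower brute force walks past a per-host, fixed-window detector. That is one thing collecting logs centrally (the ELK stack on this slide) buys: longer windows and correlation across hosts, so the same address probing several machines once each still adds up.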
Startup evolve
• VPC, one region
• Two AZs, one segment each
• Two NGINX up front
• Two application servers
• DB active/standby
• A few detection servers
[Diagram: Startup evolve]
Startup acquired by Check Point, 2015
• Getting ready for larger scale
• Dockerizing the apps so that a single image moves unchanged from testing to production
• Developing a self-service provisioning tool
• Integrating with Check Point products
• Justifying cloud infrastructure versus an on-premises data centre
Startup acquired by Check Point
• Two regions, two NGINX up front in each region
• Three AZs per region, one subnet per AZ
• Multiple application servers; the application is split into smaller services
• Multiple DB instances, each with an active, a standby and a 24-hour-lagged replica (a recovery point for destructive changes that replicate immediately)
• Many detection servers, scaled up and down manually
Challenges of DevOps for large-scale SaaS security
• Customer/POC dashboards are provisioned automatically
• Devices are added daily
• Features are deployed continuously
• Mobile security detection is tested constantly
• Infrastructure under a strict SLA with a no-downtime policy
Where do we go from here?
• What is the best orchestration for running Dockerized (micro)services?
• What is the best way to deploy new services?
• How do you control and debug dynamic infrastructure that changes a few times a day?
• How do you keep it all secured?
Infrastructure using Kubernetes: why?
• Cross-platform
• Vast community
• Industry standard
• Big sponsor
Matured SaaS
• CloudGuard: access control, NAT gateway, IPS, Anti-Bot, AV
• Kubernetes infrastructure
• Deployments from CI (Jenkins pipeline)
Matured SaaS
• Two regions, three AZs each, three NGINX up front
• Two fully redundant Kubernetes clusters, each spanning three AZs
• Auto-scaled worker nodes and auto-scaled pods
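Once deployments come from a Jenkins pipeline, the pipeline is the natural place to enforce pod-level rules before `kubectl apply`: a gateway in front of the cluster does nothing for a pod that opts out of pod networking or runs privileged. The check below is an added example (not Check Point's pipeline, not CloudGuard's policy, and not a Kubernetes API) that fails a build when a Deployment disables the controls around it, shown on a constructed "before" manifest beside its hardened form. The manifests and the rule set are assumptions.

```python
"""Added example: a CI policy gate over Kubernetes Deployment manifests.
The manifests below are constructed samples; the rules are an assumed baseline."""

from __future__ import annotations

import json


def check_deployment(manifest: dict) -> list[str]:
    """Return the policy violations for one Deployment (empty list = OK)."""
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    spec = manifest.get("spec", {}).get("template", {}).get("spec", {})
    violations = []
    if spec.get("hostNetwork"):
        violations.append(f"{name}: hostNetwork=true bypasses pod networking and NetworkPolicy")
    if spec.get("hostPID") or spec.get("hostIPC"):
        violations.append(f"{name}: hostPID/hostIPC shares node namespaces")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname = c.get("name", "<unnamed>")
        image = c.get("image", "")
        # Last path component must carry a tag or digest; ':latest' is not a pin.
        if ":" not in image.rsplit("/", 1)[-1] or image.endswith(":latest"):
            violations.append(f"{name}/{cname}: image '{image}' is not pinned to a tag or digest")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            violations.append(f"{name}/{cname}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):   # Kubernetes default is true
            violations.append(f"{name}/{cname}: allowPrivilegeEscalation not set to false")
        if not sc.get("runAsNonRoot"):
            violations.append(f"{name}/{cname}: runAsNonRoot not set")
        if "limits" not in c.get("resources", {}):
            violations.append(f"{name}/{cname}: no resource limits (noisy neighbour on shared nodes)")
    return violations


def gate(manifests_json: str) -> tuple[bool, list[str]]:
    """Run the gate over a JSON list of manifests; returns (passed, findings).
    Objects that are not Deployments pass through untouched."""
    findings = []
    for m in json.loads(manifests_json):
        if m.get("kind") == "Deployment":
            findings.extend(check_deployment(m))
    return (not findings), findings


# Constructed "before": what a developer might push to get a detection worker running.
BAD = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "detection-worker", "namespace": "prod"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "worker",
            "image": "registry.example.com/detection-worker:latest",
            "securityContext": {"privileged": True},
        }],
    }}},
}

# Constructed "after": same workload with the settings the gate asks for.
GOOD = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "detection-worker", "namespace": "prod"},
    "spec": {"template": {"spec": {
        "containers": [{
            "name": "worker",
            "image": "registry.example.com/detection-worker:2.3.1",
            "securityContext": {
                "runAsNonRoot": True, "allowPrivilegeEscalation": False,
                "privileged": False, "readOnlyRootFilesystem": True,
            },
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
        }],
    }}},
}

SAMPLE_MANIFESTS_JSON = json.dumps([BAD, GOOD, {"kind": "Service", "metadata": {"name": "worker"}}])

if __name__ == "__main__":
    passed, findings = gate(SAMPLE_MANIFESTS_JSON)
    print("PASS" if passed else "FAIL")
    for f in findings:
        print(" -", f)
```

In a Jenkins stage this runs as `python3 gate.py < manifests.json` with a non-zero exit on `FAIL`, before any `kubectl apply`; the same rules can later be enforced in-cluster by an admission controller, but catching them in CI gives the developer the finding next to their change rather than a rejected apply.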
[Diagram: Startup acquired by Check Point]
[Diagram: inspection]
[Diagram: K8s]
Challenges looking forward
• Moving all cloud products to Kubernetes
• Orchestrating new-service deployment so that developers can do it themselves
LESSONS LEARNED
1. DEVOPS IS NOT ONLY FOR STARTUPS: the new IT culture can be enjoyed by enterprises of any size
2. DEVOPS TOOLS SOLVE PROBLEMS: there is usually an initially identified driver for implementing them
3. SECURITY FOR DEVOPS: agile and automated architectures still require the highest security level
4. DEVOPS FOR SECURITY: automating and integrating DevOps culture into security creates better security

Javier Hijas & Ori Kuyumgiski - Security at the speed of DevOps [rooted2018]


Editor's Notes

  1. We live in the era of digital transformation. In addition to endpoint computers and networks, we now have our mobile devices and cloud computing as part of our daily connected lives.
  2. Let's talk about mobile. Most of you have a smartphone. If you receive work emails or connect to your company's intranet, your smartphone is mixing your private data and business data. Your smartphone goes everywhere with you and has a GPS that knows where you are. It has a microphone that can listen to your conversations. The company and personal information on your smartphone and the connections to your business network are available to you and anyone else who can take control of your phone. Your smartphone must be secure. Check Point offers very innovative protection for smartphones and tablets. We do this by sending your metadata, applications and networking behavior to the cloud. We analyze your mobile device's activity in the cloud and give you an immediate alert for any malware or breach. Suggested anecdote: Want to be a hacker? Here's how to conduct a man-in-the-middle attack. Simply connect to free airport Wi-Fi and change your phone settings to broadcast "free airport Wi-Fi." In an instant, you'll have a hundred users connected to your phone. You can harvest every password or login on their phones: corporate and personal.
  3. Lacoon was founded in 2011; POCs started in 2012.
  4. Lean infrastructure, no real need for redundancy.
  5. Puppet story: if we had started with Puppet in 2012, what would have been the major event we experienced a few months ago? A bit about MCollective: transport based on a message queue, identity based on client certificates, very granular control over who can run what, allows for parallel execution on many servers.
  6. Big moment, you have done an exit… after the excitement fades away….