
Security at velocity ny and dc


Presented by Julian Dunn and Dominik Richter in NY and Julian Dunn, Dominik Rickter and Alex Ethier in Washington DC.


  1. Security at Velocity. Julian Dunn, Dominik Richter and Alex Ethier
  2. Key Findings
     • 10,000 companies surveyed
     • 4 in 5 fail at interim assessment
     Non-compliant breached companies:
     • 45% due to patch management and dev security
     • 72% due to log management and configuration
     • 73% due to firewall configuration
  3. Key Trends
     • While individual rule compliance is up, testing of security systems is down
     • Sustainability is low. Fewer than a third of companies were found to be still fully compliant less than a year after successful validation.
  4. Ecosystem Drivers
     • Inability to keep up with a moving target: requirements change by an average of 18% over a year; line-of-business initiated changes
     • Inability to continuously monitor environments for changes
  5. Bleeds talent. Bleeds innovation.
  6. Security != Compliance
  7. Compliant
  8. Developing the Tools
  9. Regulatory Compliance Frameworks: OFAC, USA PATRIOT Act, Gramm-Leach-Bliley Act, Red Flags Rule, Bank Secrecy Act, Sarbanes-Oxley, Regulation E, Dodd-Frank, False Claims Act, HIPAA, European Central Bank Regulations, Prudential Regulation Authority, Financial Conduct Authority, HITECH, PCI DSS. What are the commonalities?
  10. Compliance Rule Types (laid out on two axes: Now / Later and How / What)
     Sequence: authentication before action; authentication in AD and ITSM; security review before production deployment
     State: customer data and form data not logically co-resident; NTP installed; SELinux enforcing AND Centrify Agent; Digital Guardian and NOT sudo
     Supervision: audit trail of changes and approval
     Scope: third party access via named accounts; Splunk access to global logs only
  11. A Simple Example (a Chef audit-mode control; the expectations sit inside an "it" example block, which the slide omitted)
      control '1.4.1 Enable SELinux in /etc/grub.conf' do
        it 'is not disabled on the kernel command line' do
          expect(grub_conf.param 'selinux').to_not eq '0'
          expect(grub_conf.param 'enforcing').to_not eq '0'
        end
      end
  12. A Simple Example (running the controls)
      $ sudo chef-client --audit-mode enabled
      Starting Chef Client, version 12.4.1
      ...
      Starting audit phase
      1 Install Updates, Patches and Additional Security Software
      1.1 Filesystem Configuration Level 1
        1.1.1 Create Separate Partition for /tmp (FAILED - 1)
        1.1.2 Set nodev option for /tmp Partition (FAILED - 2)
        1.1.3 Set nosuid option for /tmp Partition (FAILED - 3)
        1.1.4 Set noexec option for /tmp Partition (FAILED - 4)
        1.1.5 Create Separate Partition for /var (FAILED - 5)
  13. A Simple Example (end of the run)
      ...
      Audit phase exception:
      Audit phase found failures - 104/214 controls failed
      Running handlers:
      Running handlers complete
      Chef Client finished, 1/31 resources updated in 17.294089532 seconds
      110/214 controls succeeded
  14. Example – PCI Compliance
     • PCI 2.3 - Encrypt all non-console administrative access such as browser/Web-based management tools.
     Analytics rule (fires when the port control reports anything other than success):
      rules 'PCI 2.3 - Confirm telnet port not available'
        rule on run_control
        when
          name = 'should be listening'
          resource_type = 'port'
          resource_name = '23'
          status != 'success'
        then
          audit:error("PCI 2.3 - Encrypt all non-console administrative access such as browser/Web-based management tools.")
          notify("security-team@financialcorp.com", "A machine is listening for connections on port 23/telnet!")
        end
      end
     RuleControl (the audit-mode control the rule watches; the "it" block needs a "do", missing on the slide):
      controls 'port compliance' do
        control port(23) do
          it "has nothing listening" do
            expect(port(23)).to_not be_listening
          end
        end
      end
  15. Example - SOX Compliance
     • SOX Section 302.4.B – Establish verifiable controls to track data access.
     Analytics rule:
      rules 'force key based auth'
        rule on run_control
        when
          name = 'should be "yes"'
          resource_type = 'sshd_config.param'
          resource_name = 'PasswordAuthentication'
          status = 'failed'
        then
          audit:error("SOX Section 302.4.B – Establish verifiable controls to track data access.")
          notify('security-team@financialcorp.com', "A machine has password login enabled!")
        end
      end
     RuleControl (the regex needs the backslashes the slide lost, and the match has to run against the file's content rather than the file object, otherwise the negative expectation passes vacuously):
      controls 'password authentication' do
        control file('/etc/ssh/sshd_config') do
          it "is disabled" do
            expect(file('/etc/ssh/sshd_config').content)
              .to_not match(/^\s*PasswordAuthentication\s+yes/i)
          end
        end
      end
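The two controls on slides 11 and 15 lean on Chef audit mode and Serverspec helpers (grub_conf.param, file(...).content). The following is an added example, not code from the slides or from Chef: plain-Ruby versions of the same two checks that parse the two file formats directly, so they run offline against constructed input. It assumes nothing beyond the Ruby standard library; the sample sshd_config and grub.conf contents are constructed here. It goes a little further than the slides by handling the edge cases that make a naive regex wrong: sshd takes the first occurrence of a keyword, ignores case, treats a missing PasswordAuthentication as "yes", and directives under a Match block are conditional rather than global; grub parameters have to be read from each boot entry's kernel line, not from anywhere in the file.

```ruby
# Added example (not from the slides or from Chef): the sshd PasswordAuthentication
# check and the CIS 1.4.1 SELinux kernel-parameter check as plain Ruby functions.

# Effective global value of an sshd_config keyword, or nil if it is not set.
# sshd semantics: first occurrence wins, keywords are case-insensitive, lines
# starting with '#' are comments, "Key value" and "Key=value" are both accepted,
# and anything after a "Match" line is conditional, so it is skipped here.
def sshd_global_param(content, keyword)
  in_match = false
  content.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s*=\s*|\s+/, 2)
    next if key.nil?
    if key.casecmp?('Match')
      in_match = true
      next
    end
    next if in_match
    return value if key.casecmp?(keyword)
  end
  nil
end

# SOX slide: password login counts as enabled when the keyword is absent,
# because sshd's default for PasswordAuthentication is "yes".
def password_auth_enabled?(content)
  value = sshd_global_param(content, 'PasswordAuthentication')
  value.nil? || value.casecmp?('yes')
end

# Kernel command-line parameters of every boot entry in a grub config.
# Handles legacy grub "kernel <image> <params>" and GRUB2 "linux"/"linux16"/
# "linuxefi" lines. Returns one Hash per entry; bare flags map to nil.
def kernel_cmdline_params(content)
  entries = []
  content.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    m = line.match(/\A(kernel|linux(?:16|efi)?)\s+\S+\s*(.*)\z/)
    next unless m
    params = {}
    m[2].split(/\s+/).each do |tok|
      next if tok.empty?
      k, v = tok.split('=', 2)
      params[k] = v
    end
    entries << params
  end
  entries
end

# CIS 1.4.1 slide: indices of boot entries that disable SELinux via
# selinux=0 or enforcing=0. An empty result means the control passes.
def selinux_disabled_entries(content)
  flagged = []
  kernel_cmdline_params(content).each_with_index do |params, i|
    flagged << i if params['selinux'] == '0' || params['enforcing'] == '0'
  end
  flagged
end

# Run both controls and report pass/fail per control, audit-mode style.
def run_controls(sshd_config, grub_conf)
  {
    'SOX 302.4.B: PasswordAuthentication disabled' => !password_auth_enabled?(sshd_config),
    'CIS 1.4.1: SELinux enabled in grub.conf' => selinux_disabled_entries(grub_conf).empty?
  }
end

# Constructed sample inputs (not taken from any real host).
SAMPLE_SSHD = <<~CFG
  # PasswordAuthentication yes
  Port 22
  passwordauthentication no
  Match User backup
      PasswordAuthentication yes
CFG

SAMPLE_GRUB = <<~CFG
  default=0
  timeout=5
  title Example Linux
          root (hd0,0)
          kernel /vmlinuz-example ro root=/dev/mapper/vg-root rhgb quiet selinux=0
          initrd /initramfs-example.img
  title Example Linux (rescue)
          kernel /vmlinuz-example ro root=/dev/mapper/vg-root enforcing=1
CFG

if __FILE__ == $PROGRAM_NAME
  results = run_controls(SAMPLE_SSHD, SAMPLE_GRUB)
  results.each { |name, ok| puts "#{ok ? 'PASS' : 'FAIL'}  #{name}" }
  puts "#{results.values.count(true)}/#{results.size} controls succeeded"
end
```

With the constructed input, the sshd control passes (the commented and Match-scoped "yes" lines do not count, and the lower-case "no" is honoured), while the grub control fails because the first boot entry carries selinux=0 even though the rescue entry is fine; a check that only greps the whole file for "selinux=0" would give the same verdict here, but it would also miss a disabled entry whenever the string appears in a comment or an unrelated line.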
  16. Safety at Velocity. Risk reduction when constantly changing your systems: test for quality, test for compliance, as part of the workflow. Not after, not later.
  17. Continuous Audit Workflow: Build & Test Locally → Scan for Compliance → Build & Test in CI / CD → Remediate → Verify
  18. End-to-End Workflow
  19. Proven Workflow in Delivery
     • Customers are moving from CI to CD
     • Existing CI tools are ill-suited to CD
     • We've identified a proven pipeline
     • And validated it with enterprise and big web customers
     Steps (manual and automated):
       1. Create a New Change
       2. Test Change Locally
       3. Submit Change (Verification Tests)
       4. Review Change
       5. Approve Change (Build Artifacts, Acceptance Tests)
       6. Deliver Change (Release Process)
  20. Unified Pipeline Shape
     • The stages are fixed
     • Each stage has a fixed set of phases
     Stages (customizable): Verify, Build, Acceptance, Union, Rehearsal, Delivered
     Phases shown: Lint, Syntax, Unit (Verify); Provision, Deploy, Smoke, Functional, Compliance (repeated for each of the Acceptance, Union, Rehearsal and Delivered stages)
     Steps 1 (Create a New Change) and 2 (Test Change Locally) happen on the Workstation; steps 3 (Submit Change), 4 (Review Change), 5 (Approve Change) and 6 (Deliver Change) happen in Chef Delivery, as a mix of manual and automated steps.
  21. Breaking the Regulated Industry Death Spiral
  22. Fixing The Compliance Cycle
