AlienVault USM Anywhere:
Building a Security SaaS In AWS In Six Months
Ernest Mueller
The Story
AlienVault
● OSSIM (2003, pre-AV)
● USM (2007, virtual/physical appliances)
● Open Threat Exchange (2012)
● Me (2015)
● USM Anywhere (2016, SaaS)
● Being acquired by AT&T (2018)
USM Anywhere
● Unified Security Management
● SIEM (security log aggregator)
● Asset discovery
● Vulnerability assessment
● Intrusion detection
● Behavioral monitoring (coming)
● Bajillions of integrations
● SC Magazine 4.75/5, starts $650/mo
USM “v6”
● Working on a new version of the (virtual) appliance product
● Cancelled SaaS false start
● Quick pilot go-to-market as a marketplace AMI
● “We’re going all SaaS! We launch in 6 months! Go!”
Making the Sausage
All AWS
● EC2
● EBS
● KMS
● Lambda
● SQS
● SNS
● SES
● S3
● RDS
● CloudTrail
● Route53
● ECS
● DynamoDB
● CloudFormation
● VPC, IAM, and a partridge in a pear tree
Well, Mostly
● Azure for Azure and Hyper-V sensors
● A VM host (in Germany) for VMware sensors
● Datadog
● Runscope
● Artifactory
● Atlassian Cloud
● StatusPage
● VictorOps
● And so on
Components
● Product is Java, Postgres, Elasticsearch, Angular.js; single tenant (one “control node” and an Elasticsearch farm per customer)
● Rundeck and rerun for orchestration
● Terraform for provisioning
● Puppet for system config
● All Ubuntu
● A little Docker and Lambda (Zappa)
Doing the DevOps
● All provisioning automated: initially CloudFormation, now Terraform
● Orchestration code in bash, using the rerun framework for structure and unit tests, turned into runbooks in Rundeck
● Bitbucket/Bamboo/Artifactory CI pipeline: everything’s an artifact, all automated testing (no manual QA)
All The Security
MFA Console and API
$ aws sts get-caller-identity
{
    "Account": "641575277437",
    "UserId": "AROAI5Q65RFRWKRK6FU7S:botocore-session-1530204633",
    "Arn": "arn:aws:sts::641575277437:assumed-role/admin-mfa-cli/botocore-session-1530204633"
}
$ aws ec2 describe-instances --profile develop
Enter MFA code for arn:aws:iam::641575277437:mfa/msoares-testing-mfa:
{
    "Reservations": [
        {
            "Instances": [
...
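The session above shows the CLI prompting for an MFA code because the develop profile assumes a role and names an mfa_serial. The following is an added example, not code from the deck or from AlienVault, that checks the two halves of that arrangement: every role-assuming profile in an AWS CLI config carries mfa_serial, and the role's trust policy actually demands aws:MultiFactorAuthPresent, since a client-side mfa_serial on its own is only politeness. The config text, the account ID 111111111111, and the role and MFA device names are constructed for the example.

```python
"""Audit AWS CLI profiles and a role trust policy for MFA enforcement."""
import configparser

# Constructed ~/.aws/config (hypothetical account, role and MFA device names).
# 'develop' is the shape that produces the "Enter MFA code for ..." prompt;
# 'staging' assumes a role but has no mfa_serial.
SAMPLE_AWS_CONFIG = """
[default]
region = us-east-1

[profile develop]
region = us-east-1
role_arn = arn:aws:iam::111111111111:role/admin-mfa-cli
source_profile = default
mfa_serial = arn:aws:iam::111111111111:mfa/alice

[profile staging]
region = us-east-1
role_arn = arn:aws:iam::111111111111:role/admin-cli
source_profile = default
"""


def parse_aws_config(text):
    """Return {profile_name: {key: value}} from AWS CLI config text.

    The CLI names sections '[profile X]' except for '[default]'.
    """
    cp = configparser.ConfigParser()
    cp.read_string(text)
    profiles = {}
    for section in cp.sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles[name] = dict(cp[section])
    return profiles


def profiles_missing_mfa(profiles):
    """Names of role-assuming profiles with no mfa_serial.

    Without mfa_serial the CLI calls sts:AssumeRole with no token: a trust
    policy that requires MFA rejects the call, and one that does not lets a
    stolen long-lived access key assume the role silently.
    """
    return sorted(name for name, p in profiles.items()
                  if "role_arn" in p and "mfa_serial" not in p)


def _as_list(value):
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def trust_policy_requires_mfa(policy):
    """True if every Allow of sts:AssumeRole in the trust policy is conditioned
    on aws:MultiFactorAuthPresent being true.

    Only the strict 'Bool' operator counts: 'BoolIfExists' would still admit a
    caller whose request context carries no MFA information at all.
    """
    seen_allow = False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        seen_allow = True
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if [str(v).lower() for v in _as_list(flag)] != ["true"]:
            return False
    return seen_allow


# Constructed trust policies in the shape `aws iam get-role` returns them.
TRUST_POLICY_WITH_MFA = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}
TRUST_POLICY_NO_MFA = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
    }],
}


if __name__ == "__main__":
    found = parse_aws_config(SAMPLE_AWS_CONFIG)
    print("profiles assuming a role without MFA:", profiles_missing_mfa(found))
    for name, pol in (("admin-mfa-cli", TRUST_POLICY_WITH_MFA), ("admin-cli", TRUST_POLICY_NO_MFA)):
        print(f"{name}: trust policy requires MFA = {trust_policy_requires_mfa(pol)}")
```

The trust-policy check is the one that matters for the console as well as the API: the Bool condition is evaluated by STS on every AssumeRole, whatever client made the call, whereas mfa_serial only tells the CLI to ask for a token.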
Network
● Separate security groups with defined ingress and egress for everything
● Separate your VPCs
● MFA’ed bastion logins
● Workspace servers in each region to maintain data locality
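An added example, not the deck's or AlienVault's code, of what "defined ingress and egress for everything" looks like as a check: it walks the JSON from aws ec2 describe-security-groups, reports ingress rules reachable from the whole Internet on anything other than an allowed port, and lists groups still carrying the AWS default allow-all egress. The three groups (bastion, control node, Elasticsearch), their IDs and the CIDRs are constructed to mirror the single-tenant layout on the Components slide; they are not real resources.

```python
"""Audit security groups from `aws ec2 describe-security-groups` for loose rules."""
import ipaddress
import json

# Constructed describe-security-groups output (hypothetical IDs and CIDRs).
# bastion:       SSH only from an office range, egress only into the VPC.
# control-node:  443 from anywhere (intended), SSH only from the bastion group,
#                but egress left at the AWS default of everything to everywhere.
# elasticsearch: 9200-9300 open to the world by mistake, default egress.
SAMPLE_DESCRIBE_SG = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0bastion", "GroupName": "bastion",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [],
          "UserIdGroupPairs": []}],
     "IpPermissionsEgress": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [],
          "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0control", "GroupName": "control-node",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
          "UserIdGroupPairs": []},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [], "Ipv6Ranges": [],
          "UserIdGroupPairs": [{"GroupId": "sg-0bastion"}]}],
     "IpPermissionsEgress": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
          "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0es", "GroupName": "elasticsearch",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9300,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
          "UserIdGroupPairs": []}],
     "IpPermissionsEgress": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
          "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
]})

PUBLIC_OK_PORTS = frozenset({443})  # the only port expected open to the world


def _cidrs(perm):
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def _is_world(cidr):
    # 0.0.0.0/0 and ::/0 are the only prefixes of length zero.
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _port_range(perm):
    # IpProtocol "-1" means all protocols, and therefore all ports.
    if perm.get("IpProtocol") == "-1":
        return None
    return (perm.get("FromPort"), perm.get("ToPort"))


def find_world_ingress(describe_output, allowed_ports=PUBLIC_OK_PORTS):
    """[(group_id, protocol, (from, to) or None)] for ingress rules reachable
    from 0.0.0.0/0 or ::/0 on anything other than a single allowed port."""
    findings = []
    for sg in json.loads(describe_output)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not any(_is_world(c) for c in _cidrs(perm)):
                continue
            ports = _port_range(perm)
            single_allowed = (ports is not None and ports[0] == ports[1]
                              and ports[0] in allowed_ports)
            if not single_allowed:
                findings.append((sg["GroupId"], perm["IpProtocol"], ports))
    return findings


def find_default_egress(describe_output):
    """Group ids whose egress is still the AWS default: all protocols to 0.0.0.0/0."""
    found = []
    for sg in json.loads(describe_output)["SecurityGroups"]:
        for perm in sg.get("IpPermissionsEgress", []):
            if perm.get("IpProtocol") == "-1" and any(_is_world(c) for c in _cidrs(perm)):
                found.append(sg["GroupId"])
                break
    return found


if __name__ == "__main__":
    for gid, proto, ports in find_world_ingress(SAMPLE_DESCRIBE_SG):
        print(f"{gid}: {proto} {ports} open to the world")
    for gid in find_default_egress(SAMPLE_DESCRIBE_SG):
        print(f"{gid}: egress is the AWS default (all traffic to anywhere)")
```

Both functions take the JSON text, so the real output of aws ec2 describe-security-groups --output json can be passed in unchanged. Egress is the half people skip: a new group allows everything outbound, and deleting that rule and writing only what a tier needs (the control node to its Elasticsearch farm, the bastion into the VPC) is what keeps a compromised instance from calling home.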
System Configuration
● Feed all new patches into the CI pipeline
● Build AMIs for immutable deployments
● Terraform detaches the EBSes, replaces the servers, then re-attaches the EBSes
Encryption and Access Control
● Encrypt all the EBSes and S3 buckets
● Encrypt files with KMS
● We have a bundle of customer info (per-instance SSH keys, Terraform state, etc.), all KMS encrypted and then put in an encrypted S3 bucket
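An added example, not from the deck, of three checks for the posture described above, each run against the JSON the AWS CLI returns: unencrypted_volumes finds EBS volumes created without encryption, bucket_default_encryption reads the result of aws s3api get-bucket-encryption, and policy_denies_unencrypted_puts looks for the bucket-policy statements that refuse a PutObject which does not ask for SSE-KMS. The volume and instance IDs, the bucket name example-customer-bundles, the account ID and the key ARN are constructed.

```python
"""Check EBS volumes, S3 default encryption and an S3 bucket policy."""
import json

KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/11111111-2222-3333-4444-555555555555"

# Constructed `aws ec2 describe-volumes` output (hypothetical IDs).
SAMPLE_DESCRIBE_VOLUMES = json.dumps({"Volumes": [
    {"VolumeId": "vol-0control", "Encrypted": True, "KmsKeyId": KEY_ARN,
     "Attachments": [{"InstanceId": "i-0control", "Device": "/dev/sdf"}]},
    {"VolumeId": "vol-0es1", "Encrypted": False,
     "Attachments": [{"InstanceId": "i-0es1", "Device": "/dev/sdf"}]},
    {"VolumeId": "vol-0orphan", "Encrypted": True, "KmsKeyId": KEY_ARN,
     "Attachments": []},
]})

# Constructed `aws s3api get-bucket-encryption` outputs. The CLI raises an
# error for a bucket with no configuration; an empty object stands in for that.
SAMPLE_BUCKET_ENC_KMS = json.dumps({"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                            "KMSMasterKeyID": KEY_ARN}}]}})
SAMPLE_BUCKET_ENC_NONE = json.dumps({})

# Constructed bucket policies for the customer-bundle bucket.
SAMPLE_POLICY_KMS_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyPutWithoutEncryptionHeader", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-customer-bundles/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
        {"Sid": "DenyPutNotKms", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-customer-bundles/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    ],
}
SAMPLE_POLICY_NO_DENY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowOps", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/ops"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-customer-bundles/*"},
    ],
}


def unencrypted_volumes(describe_output):
    """[(volume_id, [instance_ids])] for every volume created without encryption."""
    return [(v["VolumeId"], [a["InstanceId"] for a in v.get("Attachments", [])])
            for v in json.loads(describe_output)["Volumes"] if not v.get("Encrypted")]


def bucket_default_encryption(get_bucket_encryption_output):
    """'AES256' or 'aws:kms' from the first default rule, or None if nothing is set."""
    cfg = json.loads(get_bucket_encryption_output).get("ServerSideEncryptionConfiguration", {})
    for rule in cfg.get("Rules", []):
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo:
            return algo
    return None


def _as_list(value):
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def policy_denies_unencrypted_puts(policy):
    """True if a Deny on s3:PutObject fires when the request omits the
    s3:x-amz-server-side-encryption header or sets it to anything but aws:kms.

    StringNotEquals matches when the key is absent from the request context,
    so the second statement alone covers both cases; the Null statement is the
    explicit, readable form of the same intent.
    """
    header = "s3:x-amz-server-side-encryption"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("s3:PutObject", "s3:*", "*") for a in actions):
            continue
        cond = stmt.get("Condition", {})
        if str(cond.get("Null", {}).get(header, "")).lower() == "true":
            return True
        if _as_list(cond.get("StringNotEquals", {}).get(header)) == ["aws:kms"]:
            return True
    return False


if __name__ == "__main__":
    print("unencrypted volumes:", unencrypted_volumes(SAMPLE_DESCRIBE_VOLUMES))
    print("bundle bucket default SSE:", bucket_default_encryption(SAMPLE_BUCKET_ENC_KMS))
    print("policy forces SSE-KMS:", policy_denies_unencrypted_puts(SAMPLE_POLICY_KMS_ONLY))
```

Two caveats a practitioner will hit. An existing unencrypted volume cannot be switched on in place: the route is snapshot it, copy the snapshot with encryption enabled, and build a new volume from the copy, which slots into the detach, replace, re-attach flow on the System Configuration slide. And a Null-condition deny rejects any PutObject that omits the header even when bucket default encryption would have encrypted the object anyway, so keeping it is a deliberate choice to make every client explicit rather than a free safety net.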
Process...
● Change management: pull requests with peer review and release approvals
● Incident management: based on the Incident Command System
● Tag everything, for monitoring and for finance
● Giant wiki lists of everything
● Giant network diagrams of everything
Monitoring
Pain Points
Things That Are Terrible
● AWS Reservations
● AWS Limits
● AWS Console
● Complexity
● Audits
Q&A
