Development. Architecture QA. Operations

Transcription

1

2 Development Architecture QA Operations

3 Lack of business agility Slow to onboard new customers Hard to practice true DevOps Outpaced by disruptors Rogue dev projects Lack of SecOps agility Slow threat assessments Can t patch fast enough Reactive security posture

4

5 DevOps is the combination of cultural philosophies, practices, and tools that increases an organization s ability to deliver applications and services at high velocity

6 DevOps is not a process change, nor a tool, it s a culture change

7 1 Cloud Birth 2 Cloud Chaos 3 Hybrid Groove Security Decision Making Security & Compliance Posture Operational Cost

8 Dev User interface design Code development Help file construction Staffing Architecture review Standards Resource consumption conformance metrics Walkthroughs Budget PII Footprinting System test compliance Code validation Design SDLC Documentation review Mobile Unit test readiness Scalability Test case development Skills development Function/component test Performance Installation guidelines verification Buffer overflow risk assessment Load and stress test Webreadiness Ops Run stuff Break stuff Lock out users How Development Sees Operations

9 How developers click Job 1 is Deploying code Quickly use new technologies Ability to deploy regardless of platform Freedom!

10 Ops Dev Write code Test some Organizational design Patching Network bandwidth forecasting Cloud migration strategy Legacy environment support Skills Virtual machine Budget and funding development management Containers Fallback/roll forward Intrusion prevention/detection ITIL Compliance Service Level Change Review Board Backup/recovery Agreements Power Equipment upgrade/retirement strategy consumption Acquisition and Site security IT Service Desk procurement Vendor Metrics Space planning certification Network COBIT configuration Web security Alignment BYOD Security ITIL Compliance Identity and Access Management High availability Cost recovery/chargeback Third-party risk management Business Continuity Storage Planning consumption How Operations Sees Development

11 What makes security teams sleep Reduce Surprises Standards and control everywhere Controlled changes Less regulatory pressure

12 It s even getting more interesting

13 Hybrid Datacenter is here Public Cloud Containers Serverless One Year of Container Usage 67% 53% Virtual Desktops 31% Evaluating 42% Evaluating Physical Servers Virtual Servers 22% Using % Using 2017

14 VMware Cloud on AWS Runs on AWS Bare metal Infrastructure Move on-premise Workloads to AWS Integrated with Vmware APIs (NSX,vSphere) Maintain the Existing Skills Retain Existing Architecture and Investment

15 Wouldn t be nice if we can use one tool for security?

16 Let s use DevOps for Security

17 Identify your crown jewel and protect first Security built-in not bolt-on Focus on building continuous, automated and agile security architecture Over-invested in preventive measure vs proactive detection-response Where do we start?

18 Source: Gartner (June 2018) Privileged account management Active antiphishing Micro segmentation and flow visibility Cloud security posture management Cloud access security broker CARTA-inspired vulnerability management Application control on server workloads Detection and response Automated security scanning Software-defined perimeter Gartner Top 10 Security Projects for 2018

19

20 Security Events in Monitoring: Influencing Design Automatic Remediation Automatic Isolation Heal configuration Drift Automated Auditing

21 Securing Code and using Code Secure Coding Practices Proactive controls enforce by code Using code to build infrastructure

22 Build Checking Scan for Vulnerabilities or Malware Enable Secrets Management Configuration Scrubbing

23 Deployment Security Continuous Vulnerability Scanning Automated deployment of Approved Images Just in time server access

24 Example: Securing Docker Images

25 Challenge: How can you verify that containers deployed in production do not contain any known malware or vulnerabilities?

26 Jenkins

27 Completed Build

28 Failed Build.. But why?

29 Malware Found in the APIs

30 Check Smart Check

31 Check Scans

32 Scan Details

33 Vulnerable Package Installed Find where Vulnerability was introduced

34 Malware Copied Find where malware was introduced

35 Vulnerable Package Installed Malware Copied Easily Reference in Dockerfile

36

37 Example: Virtual Patching

38 Challenge: Average Patching time for customers is 176 Days, How would you protect your containers when zero day strikes

39 Apache Struts Vulnerability CVE

40 Unprotected Struts Website

41

42

43

44 Protected Protected Struts Website

45 Runs on Docker Rules Applied Virtual Patching applied

46

47 Event Summary Multiple Events

48 Event View Attack type and CVE

49 Details of the Attack Attack String

50 Alerts on Slack

51 Visibility regardless of Server Location

52 Continue to leverage current investments

53 Container virtual patching

54

55 Key Takeaways Start Small Plan Ahead Security team has to code Look for Open Security APIs Don t be afraid ~ integrate

56 Nothing is Permanent and Nothing is Perfect

57 THANK YOU Paul Hidalgo Trend Micro linkedin.com/in/peeweeh/ Feedback: