Development Architecture QA Operations
- Lack of business agility
- Slow to onboard new customers
- Hard to practice true DevOps
- Outpaced by disruptors
- Rogue dev projects
- Lack of SecOps agility
- Slow threat assessments
- Can't patch fast enough
- Reactive security posture
DevOps is the combination of cultural philosophies, practices, and tools that increases an organization's ability to deliver applications and services at high velocity.
DevOps is not a process change, nor a tool; it's a culture change.
1. Cloud Birth 2. Cloud Chaos 3. Hybrid Groove (Security Decision Making / Security & Compliance Posture / Operational Cost)
How Development Sees Operations
Dev:
- User interface design
- Code development
- Help file construction
- Staffing
- Architecture review
- Standards conformance
- Resource consumption metrics
- Walkthroughs
- Budget
- PII footprinting
- System test compliance
- Code validation
- Design
- SDLC
- Documentation review
- Mobile readiness
- Unit test
- Scalability
- Test case development
- Skills development
- Function/component test
- Performance verification
- Installation guidelines
- Buffer overflow risk assessment
- Load and stress test
- Web readiness
Ops:
- Run stuff
- Break stuff
- Lock out users
How developers click: Job 1 is deploying code; quickly use new technologies; ability to deploy regardless of platform; freedom!
How Operations Sees Development
Dev:
- Write code
- Test some
Ops:
- Organizational design
- Patching
- Network bandwidth forecasting
- Cloud migration strategy
- Legacy environment support
- Skills development
- Virtual machine management
- Budget and funding
- Containers
- Fallback/roll forward
- Intrusion prevention/detection
- ITIL compliance
- Service Level Agreements
- Change Review Board
- Backup/recovery
- Power consumption
- Equipment upgrade/retirement strategy
- Acquisition and procurement
- Site security
- IT Service Desk
- Vendor certification
- Metrics
- Space planning
- Network configuration
- COBIT alignment
- Web security
- BYOD security
- Identity and Access Management
- High availability
- Cost recovery/chargeback
- Third-party risk management
- Business Continuity Planning
- Storage consumption
What makes security teams sleep: reduce surprises; standards and control everywhere; controlled changes; less regulatory pressure.
It's even getting more interesting.
Hybrid Datacenter is here: Public Cloud, Containers, Serverless, Virtual Desktops, Physical Servers, Virtual Servers.
[Chart: "One Year of Container Usage", comparing 2016 and 2017 by "Evaluating" and "Using"; values shown on the slide: 67%, 53%, 31%, 42%, 22%, 25%]
VMware Cloud on AWS:
- Runs on AWS bare-metal infrastructure
- Move on-premise workloads to AWS
- Integrated with VMware APIs (NSX, vSphere)
- Maintain the existing skills
- Retain existing architecture and investment
Wouldn't it be nice if we could use one tool for security?
Let's use DevOps for Security.
Where do we start?
- Identify your crown jewels and protect them first
- Security built in, not bolted on
- Focus on building a continuous, automated and agile security architecture
- Over-invested in preventive measures vs. proactive detection and response
Gartner Top 10 Security Projects for 2018 (Source: Gartner, June 2018):
- Privileged account management
- Active anti-phishing
- Micro-segmentation and flow visibility
- Cloud security posture management
- Cloud access security broker
- CARTA-inspired vulnerability management
- Application control on server workloads
- Detection and response
- Automated security scanning
- Software-defined perimeter
Security Events in Monitoring, influencing design: automatic remediation; automatic isolation; heal configuration drift; automated auditing.
Securing Code and using Code: secure coding practices; proactive controls enforced by code; using code to build infrastructure.
Build Checking: scan for vulnerabilities or malware; enable secrets management; configuration scrubbing.
Deployment Security: continuous vulnerability scanning; automated deployment of approved images; just-in-time server access.
Example: Securing Docker Images
Challenge: How can you verify that containers deployed in production do not contain any known malware or vulnerabilities?
Jenkins
Completed Build
Failed Build... But why?
Malware Found in the APIs
Check Smart Check
Check Scans
Scan Details
Vulnerable Package Installed: find where the vulnerability was introduced
Malware Copied: find where the malware was introduced
Vulnerable Package Installed / Malware Copied: easily referenced back to the Dockerfile
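The slides above show a failed Jenkins build whose scan findings are traced back to the Dockerfile instruction that introduced them. The following is an added example (not the deck's or Smart Check's code) of that attribution step: it assumes a scanner that tags each finding with the index of the image layer it was found in, and uses a constructed Dockerfile and a constructed findings list.

```python
"""Map image-scan findings to the Dockerfile instruction that introduced them,
then decide whether the build passes. Scanner output format, Dockerfile and
findings are constructed for illustration (hypothetical, not a real product API).
"""
from __future__ import annotations
from dataclasses import dataclass

# Constructed Dockerfile. Instructions are assumed to be single-line
# (no backslash continuations) to keep the layer mapping simple.
DOCKERFILE = """\
FROM ubuntu:18.04
RUN apt-get update && apt-get install -y curl
COPY ./vendor/ /opt/app/vendor/
ENV APP_ENV=production
COPY ./app.jar /opt/app/app.jar
CMD ["java", "-jar", "/opt/app/app.jar"]
"""

# Only these instructions produce a filesystem layer, so only they can own a finding.
LAYER_INSTRUCTIONS = {"FROM", "RUN", "COPY", "ADD"}

@dataclass(frozen=True)
class Finding:
    kind: str   # "vulnerability" or "malware"
    name: str   # identifier reported by the scanner (constructed placeholder)
    layer: int  # 0-based layer index assigned by the scanner; 0 = base image

# Constructed findings: one vulnerable package from the RUN step, one malware
# file brought in by the vendor COPY step.
FINDINGS = [
    Finding("vulnerability", "CVE-XXXX-XXXXX (placeholder)", 1),
    Finding("malware", "EICAR-Test-File", 2),
]

def layer_map(dockerfile: str) -> list:
    """Return (line_number, instruction) for every layer-creating instruction, in order."""
    layers = []
    for lineno, line in enumerate(dockerfile.splitlines(), start=1):
        text = line.strip()
        if text and not text.startswith("#") and text.split()[0].upper() in LAYER_INSTRUCTIONS:
            layers.append((lineno, text))
    return layers

def attribute(findings: list, dockerfile: str) -> list:
    """Attach the Dockerfile line to each finding; layer 0 means it was inherited from the base image."""
    layers = layer_map(dockerfile)
    report = []
    for f in findings:
        if not 0 <= f.layer < len(layers):
            raise ValueError(f"finding {f.name} points at unknown layer {f.layer}")
        lineno, instr = layers[f.layer]
        report.append({"kind": f.kind, "name": f.name, "line": lineno,
                       "instruction": instr, "inherited": f.layer == 0})
    return report

def build_verdict(report: list, fail_on=("malware", "vulnerability")) -> tuple:
    """Gate the pipeline: any finding of a blocked kind fails the build."""
    blocking = [r for r in report if r["kind"] in fail_on]
    return ("FAILED" if blocking else "PASSED"), blocking
```

Running `build_verdict(attribute(FINDINGS, DOCKERFILE))` returns FAILED with the two findings mapped to Dockerfile lines 2 and 3, which is the information a developer needs to fix the image rather than just a red build.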
Example: Virtual Patching
Challenge: the average patching time for customers is 176 days. How would you protect your containers when a zero-day strikes?
Apache Struts Vulnerability CVE-2018-11776
Unprotected Struts Website
Protected Struts Website
Runs on Docker; rules applied; virtual patching applied
Event Summary: multiple events
Event View: attack type and CVE
Details of the Attack: attack string
Alerts on Slack
Visibility regardless of Server Location
Continue to leverage current investments
Container virtual patching
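The virtual patching slides show an IPS rule in front of the Struts container raising events with an attack type, the CVE and the attack string. As an added example (not Trend Micro's rule or the deck's material), the script below applies a simplified detection heuristic for the CVE-2018-11776 pattern, an OGNL expression injected into the Struts namespace part of the URL path, to constructed access-log lines and aggregates the hits into an event summary like the one on the slides.

```python
"""Detect OGNL expression delimiters in request paths and summarise the events.
Simplified stand-in for a vendor IPS rule; the access-log lines are constructed
and the probe path is a harmless, non-functional expression.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache common-format log lines (not from a real server).
ACCESS_LOG = """\
10.0.0.5 - - [23/Aug/2018:10:15:01 +0000] "GET /showcase/index.action HTTP/1.1" 200 512
10.0.0.9 - - [23/Aug/2018:10:15:07 +0000] "GET /showcase/${1+1}/actionChain1.action HTTP/1.1" 302 0
10.0.0.9 - - [23/Aug/2018:10:15:09 +0000] "GET /showcase/%24%7B1%2B1%7D/actionChain1.action HTTP/1.1" 302 0
10.0.0.7 - - [23/Aug/2018:10:16:00 +0000] "GET /showcase/help.action?q=${safe} HTTP/1.1" 200 88
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+$'
)
# OGNL expressions open with "${" or "%{"; matched after one round of URL decoding
# so percent-encoded variants do not slip past the rule.
OGNL_RE = re.compile(r"[$%]\{")
RULE = {"attack_type": "OGNL expression in Struts namespace", "cve": "CVE-2018-11776"}

def inspect(line: str):
    """Return an event dict if the request path carries an OGNL delimiter, else None.
    Only the path is inspected: the vulnerable namespace is taken from the path,
    so a "${" in the query string alone does not trigger this rule."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = unquote(m["target"].split("?", 1)[0])
    if OGNL_RE.search(path):
        return {"client": m["ip"], "time": m["ts"], "attack_string": path, **RULE}
    return None

def scan_log(text: str) -> list:
    """Run the rule over every line and keep the hits."""
    return [e for e in (inspect(l) for l in text.splitlines()) if e]

def event_summary(events: list) -> dict:
    """Aggregate hits the way an event dashboard does: total and per-client counts."""
    return {"total": len(events), "by_client": dict(Counter(e["client"] for e in events))}
```

Each event carries the fields the slides display (attack type, CVE, attack string, client), so the same dicts can be forwarded to a chat alert such as the Slack notification shown on the deck.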
Key Takeaways:
- Start small
- Plan ahead
- The security team has to code
- Look for open security APIs
- Don't be afraid to integrate
Nothing is permanent and nothing is perfect.
THANK YOU Paul Hidalgo Trend Micro linkedin.com/in/peeweeh/ Feedback: paul_hidalgo@trendmicro.com