CSV-W02: Protecting the Cloud with the Power of Cloud

2020-03-01, 55 views

  • 1. Session ID: CSV-W02. Protecting the Cloud with the Power of Cloud. Jay Kelath, Head of Product Security; Pranav Patel, Lead Security Engineer. #RSAC
  • 2. What are we going to talk about...?
    • DevSecOps: how we "SaaS-ified" our on-prem security tools with Docker and DevSecOps; scaling security with the help of Cloud enables security automation; self-healing.
    • Cloud insecurities: discuss various insecurities in Cloud environments; how our Cloud-based tooling helps reduce risk; how automation and self-healing work in our Cloud environment.
    • Open source technologies [Takeaway]: start your DevSecOps journey from Day 1; open source tools enable security (Dow Jones Hammer); embedding into the pipeline (Project Bravos).
  • 3. Quick flashback.... Traditional security tools; manual reviews; lack of visibility and scalability.
  • 4. Challenges: technology sprawl, legacy, people, process.
  • 5. Traditional security.
  • 6. "Don't Let a Good Crisis Go to Waste"
  • 7. DevSecOps: solve a specific problem in an automated manner with well-defined People, Process and Technology actions and extensive, actionable reporting.
  • 8. Setting priorities right... Risk vs. reward. End goal: reduce risk.
  • 9. Think about....
    • Technology: API driven; scalable, tunable; false positives; KISS.
    • Process: use existing process; feedback loop; high-quality report; optimize.
    • People: support model; build trust; developer support.
  • 10. Continuous security. https://memegenerator.net/instance/82149927/saltbae-roast-security
  • 11. DevSecOps way....
  • 12. Dow Jones Hammer, open sourced: https://github.com/dowjones/hammer
  • 13. Cloud migration journey: Agile; success story out of migration; "Lift & Shift" applications; cost management; "Fail forward fast..."; "Act now, apologize later...."; "Move fast, break things....". https://memegenerator.net/instance/80795081
  • 14. Security?? Legacy cloud (....already?): "While moving fast and breaking things, we forget to fix things!!!" Traditional security tools do not measure up; multi-account visibility and controls; Shared Responsibility Model; change in landscape. https://memegenerator.net/instance/80794879
  • 15. Multi-account sprawl.
  • 16. Multi-account sprawl: lack of visibility; scalability; "Someone is looking into it...".
  • 17. Multi-account growth: ideal state.
  • 18. Security, defense-in-depth: detective controls, proactive controls, reactive controls.
  • 19. Our solution: automate; scalable; self-service; auditable.
  • 20. Hammer... why? Cloud infrastructure visibility; easily pinpoint MY product's security issues; tailored reporting, save analysis time; "auto-fix" misconfigurations with the ability to roll back.
  • 21. Consumer: multi-account customers; decentralized development organizations; multiple business units.
  • 22. Hammer: what does it solve? Public instances with admin IAM policies; exposed EC2 instances; Docker on EC2 / ECS; public S3 buckets; unencrypted S3 buckets; public S3 bucket policy; exposed RDS instances; unencrypted RDS; public RDS snapshots; unused IAM keys; stale IAM keys (not rotated).
  • 23. Hammer lifecycle: Identify, Remediate, Analyze, Report.
  • 24. Architecture.
  • 25. Hammer: how does it work?
  • 26. Hammer: /auto-fix
  • 27. Case Study 1: protection from bitcoin miners..... Stale and exposed keys in code; stale and exposed keys in a public bucket; "exes" with keys. Action: just deactivate unused keys.
  • 28. Case Study 2: exposed instances. Action: lock down non-web ports to a private DMZ. (Diagram: www.acme.com serving static files, with 0.0.0.0/0 allowed on 80/443 and also on 22.)
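The two detective checks behind the case studies, as an added example that is not Hammer's own code: it flags IAM access keys that are unused or past rotation age, and security-group rules that expose non-web ports to 0.0.0.0/0 or ::/0, over constructed records that follow the field names of the AWS IAM and EC2 APIs. The 90-day rotation and 30-day unused thresholds, and the "only 80/443 may face the Internet" policy, are assumptions.

```python
# Added example, not Dow Jones Hammer's own code: the checks behind the two case
# studies, run over constructed records shaped like the fields returned by IAM
# list_access_keys/get_access_key_last_used and EC2 describe_security_groups.
from datetime import datetime, timedelta, timezone
KEY_MAX_AGE_DAYS = 90                 # assumed rotation policy
KEY_UNUSED_DAYS = 30                  # assumed "unused" threshold
WEB_PORTS = {80, 443}                 # only ports a web tier may open to the world
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}  # "anywhere" in IPv4 and IPv6

def stale_or_unused_keys(keys, now):
    """Return [(key_id, reason)] for active keys that should be deactivated."""
    findings = []
    for k in keys:
        if k["Status"] != "Active":
            continue
        if now - k["CreateDate"] > timedelta(days=KEY_MAX_AGE_DAYS):
            findings.append((k["AccessKeyId"], "not rotated"))
        elif (k.get("LastUsedDate") is None
              or now - k["LastUsedDate"] > timedelta(days=KEY_UNUSED_DAYS)):
            findings.append((k["AccessKeyId"], "unused"))
    return findings

def exposed_non_web_ports(sg_rules):
    """Return [(from_port, to_port, cidr)] for Internet-reachable non-web ports."""
    findings = []
    for rule in sg_rules:
        if rule["IpProtocol"] not in ("tcp", "udp", "-1"):  # "-1" = all traffic
            continue
        all_traffic = rule["IpProtocol"] == "-1"
        lo, hi = (0, 65535) if all_traffic else (rule["FromPort"], rule["ToPort"])
        if lo == hi and lo in WEB_PORTS:              # a single web port is allowed
            continue
        cidrs = ([r["CidrIp"] for r in rule.get("IpRanges", [])]
                 + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])
        findings += [(lo, hi, c) for c in cidrs if c in PUBLIC_CIDRS]
    return findings

# Constructed sample data (placeholder key IDs, not real credentials).
_d = lambda y, m, d: datetime(y, m, d, tzinfo=timezone.utc)
NOW = _d(2020, 3, 1)
SAMPLE_KEYS = [  # created long ago / recent and in use / never used
    {"AccessKeyId": "AKIAEXAMPLE0000001", "Status": "Active", "CreateDate": _d(2019, 1, 1), "LastUsedDate": _d(2020, 2, 28)},
    {"AccessKeyId": "AKIAEXAMPLE0000002", "Status": "Active", "CreateDate": _d(2020, 2, 1), "LastUsedDate": _d(2020, 2, 28)},
    {"AccessKeyId": "AKIAEXAMPLE0000003", "Status": "Active", "CreateDate": _d(2020, 1, 15), "LastUsedDate": None},
]
SAMPLE_RULES = [  # HTTPS to the world (ok), SSH to the world, SSH internal only, all traffic over IPv6
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
]
```

Running the two functions over the sample data reports the old and the never-used key, and the SSH and all-traffic rules, while the public HTTPS rule and the internal-only SSH rule pass.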