DevOpsDay London Ben Hughes Security
Transcript of DevOpsDay London Ben Hughes Security
![Page 1: DevOpsDay London Ben Hughes Security](https://reader034.fdocuments.in/reader034/viewer/2022051513/54530107af795904308b516b/html5/thumbnails/1.jpg)
Security and shizzle
Monday, 11 November 13
![Page 2: DevOpsDay London Ben Hughes Security](https://reader034.fdocuments.in/reader034/viewer/2022051513/54530107af795904308b516b/html5/thumbnails/2.jpg)
@benjammingh
Whom be this?
• Ben Hughes, security monkey at Etsy.
• Bullet point fanatic.
• Terrible at slides.
• Shout out to the Etsy security team.
![Page 3: DevOpsDay London Ben Hughes Security](https://reader034.fdocuments.in/reader034/viewer/2022051513/54530107af795904308b516b/html5/thumbnails/3.jpg)
It’s a tale of two halves
• Security, where did it all go wrong?
• Don’t go alone, take this!
• Security-devops-maybe-DBAs-too-oh-and-QA-sure-who-else?
• I quite like Etsy, here’s why.
![Page 4: DevOpsDay London Ben Hughes Security](https://reader034.fdocuments.in/reader034/viewer/2022051513/54530107af795904308b516b/html5/thumbnails/4.jpg)
Security, where did it all go wrong?
![Page 5: DevOpsDay London Ben Hughes Security](https://reader034.fdocuments.in/reader034/viewer/2022051513/54530107af795904308b516b/html5/thumbnails/5.jpg)
Wait, but we bought a firewall!
![Page 6: DevOpsDay London Ben Hughes Security](https://reader034.fdocuments.in/reader034/viewer/2022051513/54530107af795904308b516b/html5/thumbnails/6.jpg)
They’re coming out of the walls
![Page 7: DevOpsDay London Ben Hughes Security](https://reader034.fdocuments.in/reader034/viewer/2022051513/54530107af795904308b516b/html5/thumbnails/7.jpg)
teh cloudz
• AWS logo goes here.
• Maybe not in AWS... (other cloudiness vendors may be available)
![Page 8: DevOpsDay London Ben Hughes Security](https://reader034.fdocuments.in/reader034/viewer/2022051513/54530107af795904308b516b/html5/thumbnails/8.jpg)
But we’re secure, right?
![Page 10: DevOpsDay London Ben Hughes Security](https://reader034.fdocuments.in/reader034/viewer/2022051513/54530107af795904308b516b/html5/thumbnails/10.jpg)
The Watering hole attacks of Feb
![Page 11: DevOpsDay London Ben Hughes Security](https://reader034.fdocuments.in/reader034/viewer/2022051513/54530107af795904308b516b/html5/thumbnails/11.jpg)
Other than the occasional RCE/SQLi or 0-day, companies just aren’t getting breached directly through their servers like they used to.
![Page 12: DevOpsDay London Ben Hughes Security](https://reader034.fdocuments.in/reader034/viewer/2022051513/54530107af795904308b516b/html5/thumbnails/12.jpg)
I’d buy that for a dollar

```
[laptop:~]% id
uid=501(ben) gid=20(staff) groups=20(staff)
[laptop:~]% ./magic
[*] running old exploit against unpatched OSX.
[*] firing off connect back shell to AWS.
[*] throwing mad persistence in to LaunchAgents.
[*] dropping to a shell.
[laptop:~]# id
uid=0(root) gid=0(root)
```
![Page 13: DevOpsDay London Ben Hughes Security](https://reader034.fdocuments.in/reader034/viewer/2022051513/54530107af795904308b516b/html5/thumbnails/13.jpg)
Zero [cool] day
• Zero day is bad!
![Page 14: DevOpsDay London Ben Hughes Security](https://reader034.fdocuments.in/reader034/viewer/2022051513/54530107af795904308b516b/html5/thumbnails/14.jpg)
Surprise!
• You can’t defend against unknown attacks.
• Clue is in the name.
![Page 15: DevOpsDay London Ben Hughes Security](https://reader034.fdocuments.in/reader034/viewer/2022051513/54530107af795904308b516b/html5/thumbnails/15.jpg)
Rejoice. That mostly doesn’t matter!
![Page 16: DevOpsDay London Ben Hughes Security](https://reader034.fdocuments.in/reader034/viewer/2022051513/54530107af795904308b516b/html5/thumbnails/16.jpg)
Treat the symptoms
• Lateral movement can be more important than how they got in.
• You don’t care that they broke a window, you care that they got in your living room and took your TV.
• (still fix your window)
![Page 17: DevOpsDay London Ben Hughes Security](https://reader034.fdocuments.in/reader034/viewer/2022051513/54530107af795904308b516b/html5/thumbnails/17.jpg)
Hudson hawk reference
• Why is /bin/sh running on your webserver?
• Why is your webserver trying to SSH to other hosts?
• Why is the Cold Fusion process reading arbitrary files off of disk? (SE/NSA Linux time)
![Page 18: DevOpsDay London Ben Hughes Security](https://reader034.fdocuments.in/reader034/viewer/2022051513/54530107af795904308b516b/html5/thumbnails/18.jpg)
But still patch
• Please, still patch things.
• Know that it isn’t a panacea.
• Realise that is okay.
![Page 19: DevOpsDay London Ben Hughes Security](https://reader034.fdocuments.in/reader034/viewer/2022051513/54530107af795904308b516b/html5/thumbnails/19.jpg)
Please do patch!
• No really!
![Page 20: DevOpsDay London Ben Hughes Security](https://reader034.fdocuments.in/reader034/viewer/2022051513/54530107af795904308b516b/html5/thumbnails/20.jpg)
Logs are your eyes.
“If it’s not monitored... ...it’s not in production”
Well, “If it’s not logged, did it really happen?”
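The “Hudson hawk” questions a few slides back (a web server spawning /bin/sh, a web server opening SSH connections, the ColdFusion process reading files it has no business reading) and “logs are your eyes” are two halves of the same idea: the logs only help if something reads them with those questions in mind. The script below is an added example, not code from the talk or from Etsy; the event lines are constructed for it, and the field names (`type`, `parent_exe`, `exe`, `dport`, `path`) are an assumption to be mapped onto whatever your auditd, osquery or EDR feed actually emits.

```python
"""Turn three 'why is my web server doing that?' questions into detection rules.

Added example, not the talk's or Etsy's code. The JSON event lines are
constructed for this example and the field names are an assumption.
"""
import json

COLDFUSION_EXE = "/opt/coldfusion/bin/coldfusion"          # assumed install path
# Processes that serve HTTP and have no business acting as a shell or SSH client.
WEB_SERVER_EXES = {"/usr/sbin/httpd", "/usr/sbin/apache2", "/usr/sbin/nginx", COLDFUSION_EXE}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/perl", "/usr/bin/python"}
# Paths the ColdFusion process legitimately reads (assumed allow-list for the example).
COLDFUSION_ALLOWED_PREFIXES = ("/opt/coldfusion/", "/var/www/", "/tmp/cf-")

# Constructed sample feed: one JSON object per line, as a log shipper might deliver it.
SAMPLE_EVENTS = """\
{"ts":"2013-11-11T10:00:01Z","host":"web01","type":"exec","parent_exe":"/usr/sbin/httpd","exe":"/usr/sbin/httpd","uid":48}
{"ts":"2013-11-11T10:00:02Z","host":"web01","type":"exec","parent_exe":"/usr/sbin/httpd","exe":"/bin/sh","uid":48,"argv":["/bin/sh","-c","id"]}
{"ts":"2013-11-11T10:00:03Z","host":"web01","type":"connect","exe":"/usr/sbin/httpd","uid":48,"dst":"10.0.0.7","dport":22}
{"ts":"2013-11-11T10:00:04Z","host":"web01","type":"connect","exe":"/usr/sbin/httpd","uid":48,"dst":"10.0.0.20","dport":3306}
{"ts":"2013-11-11T10:00:05Z","host":"cf01","type":"open","exe":"/opt/coldfusion/bin/coldfusion","uid":500,"path":"/opt/coldfusion/lib/app.jar"}
{"ts":"2013-11-11T10:00:06Z","host":"cf01","type":"open","exe":"/opt/coldfusion/bin/coldfusion","uid":500,"path":"/etc/shadow"}
{"ts":"2013-11-11T10:00:07Z","host":"admin01","type":"exec","parent_exe":"/bin/bash","exe":"/usr/bin/ssh","uid":1001}
this line is not JSON and must not crash the scanner
"""


def check_event(ev):
    """Return (rule_name, detail) when an event breaks a rule, otherwise None."""
    kind = ev.get("type")
    # Rule 1: a web server process forked a shell (web shell, RCE payload, etc.).
    if kind == "exec" and ev.get("parent_exe") in WEB_SERVER_EXES and ev.get("exe") in SHELLS:
        return ("web_server_spawned_shell",
                f'{ev["parent_exe"]} -> {ev["exe"]} argv={ev.get("argv")}')
    # Rule 2: a web server process opened an outbound SSH connection (lateral movement).
    if kind == "connect" and ev.get("exe") in WEB_SERVER_EXES and ev.get("dport") == 22:
        return ("web_server_outbound_ssh", f'{ev["exe"]} -> {ev.get("dst")}:22')
    # Rule 3: ColdFusion read a file outside its application directories.
    if (kind == "open" and ev.get("exe") == COLDFUSION_EXE
            and not str(ev.get("path", "")).startswith(COLDFUSION_ALLOWED_PREFIXES)):
        return ("coldfusion_read_outside_app", ev.get("path"))
    return None


def scan(text):
    """Run every rule over a newline-delimited JSON feed; return a list of alerts."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # a malformed line is a data-quality problem, not a reason to stop
        hit = check_event(ev)
        if hit is not None:
            rule, detail = hit
            alerts.append({"ts": ev.get("ts"), "host": ev.get("host"),
                           "rule": rule, "detail": detail})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f'{alert["ts"]} {alert["host"]} {alert["rule"]}: {alert["detail"]}')
```

Of the seven sample events only three fire: the shell spawned by httpd, the outbound SSH from httpd, and the ColdFusion read of /etc/shadow. The MySQL connection and the admin host’s own SSH client are ordinary behaviour and stay quiet, which is the point: the rules encode what each process is *for*, not a list of bad things. On a host where SELinux is enforcing, the same three actions would show up as denials in the audit log, so the file-read rule can be fed from there as well.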
![Page 21: DevOpsDay London Ben Hughes Security](https://reader034.fdocuments.in/reader034/viewer/2022051513/54530107af795904308b516b/html5/thumbnails/21.jpg)
You have a limited number of eyes.
![Page 22: DevOpsDay London Ben Hughes Security](https://reader034.fdocuments.in/reader034/viewer/2022051513/54530107af795904308b516b/html5/thumbnails/22.jpg)
Alerts
![Page 23: DevOpsDay London Ben Hughes Security](https://reader034.fdocuments.in/reader034/viewer/2022051513/54530107af795904308b516b/html5/thumbnails/23.jpg)
Logstash
• http://logstash.net/
• http://www.elasticsearch.org/overview/kibana/
• http://www.logstashbook.com/
• https://github.com/miah/chef_logstash
• https://forge.puppetlabs.com/tags/logstash
![Page 24: DevOpsDay London Ben Hughes Security](https://reader034.fdocuments.in/reader034/viewer/2022051513/54530107af795904308b516b/html5/thumbnails/24.jpg)
Two factor all the things
• Duo - https://www.duosecurity.com/
• Authy - https://www.authy.com/
• Google - http://goo.gl/hvre2D
• YubiKey - https://www.yubico.com/
Hat tip to Jan Schaumann (@jschauma), from whom I stole the title of this slide.
![Page 25: DevOpsDay London Ben Hughes Security](https://reader034.fdocuments.in/reader034/viewer/2022051513/54530107af795904308b516b/html5/thumbnails/25.jpg)
Duo and Yubikeys
![Page 26: DevOpsDay London Ben Hughes Security](https://reader034.fdocuments.in/reader034/viewer/2022051513/54530107af795904308b516b/html5/thumbnails/26.jpg)
Pen Testing
• Don’t pay someone else to tell you to patch things.
• Don’t pay someone to run Nessus.
• Hire more security people before paying for pen-tests.
• Attack simulations are better. http://bit.ly/attacksims
![Page 27: DevOpsDay London Ben Hughes Security](https://reader034.fdocuments.in/reader034/viewer/2022051513/54530107af795904308b516b/html5/thumbnails/27.jpg)
Attack simulations?
• Everything in scope.
• Don’t have security run it.
• Don’t block on fragility.
![Page 30: DevOpsDay London Ben Hughes Security](https://reader034.fdocuments.in/reader034/viewer/2022051513/54530107af795904308b516b/html5/thumbnails/30.jpg)
Transparency!
• Invite people to the brief.
• Don’t just expect a PDF.
• Treat it as a postmortem.
• Come out of it with a set of actions.
![Page 31: DevOpsDay London Ben Hughes Security](https://reader034.fdocuments.in/reader034/viewer/2022051513/54530107af795904308b516b/html5/thumbnails/31.jpg)
Game days.
• Ops’ “game day” simulations, but for security.
![Page 32: DevOpsDay London Ben Hughes Security](https://reader034.fdocuments.in/reader034/viewer/2022051513/54530107af795904308b516b/html5/thumbnails/32.jpg)
Phishing
• Who’s stopped phishing?
• You’re not going to stop phishing.
• That doesn’t matter.
• Don’t think you can fully eliminate it, get it reported instead.
![Page 36: DevOpsDay London Ben Hughes Security](https://reader034.fdocuments.in/reader034/viewer/2022051513/54530107af795904308b516b/html5/thumbnails/36.jpg)
Intermission.
![Page 37: DevOpsDay London Ben Hughes Security](https://reader034.fdocuments.in/reader034/viewer/2022051513/54530107af795904308b516b/html5/thumbnails/37.jpg)
New, Improved Devops
• Silo smashing in to one new larger silo!
![Page 38: DevOpsDay London Ben Hughes Security](https://reader034.fdocuments.in/reader034/viewer/2022051513/54530107af795904308b516b/html5/thumbnails/38.jpg)
DevSecOpsFarmerQueen
• Many hats.
• Not just dev.
• Not just ops.
• Security doesn’t just magically happen.
![Page 39: DevOpsDay London Ben Hughes Security](https://reader034.fdocuments.in/reader034/viewer/2022051513/54530107af795904308b516b/html5/thumbnails/39.jpg)
Get security involved!
• This can be done in environments of all sizes!
• Small - having someone who has a security background or interest.
• Large - ”Chris Eng & Ryan O’Boyle – From the Trenches: Real-World Agile SDLC” - http://nsc.is/presentation/chris-eng-ryan-oboyle-from-the-trenches-real-world-agile-sdlc/
![Page 40: DevOpsDay London Ben Hughes Security](https://reader034.fdocuments.in/reader034/viewer/2022051513/54530107af795904308b516b/html5/thumbnails/40.jpg)
Security are people too!
• They just might not always act like it...
• Security is the only area of technology with genuine adversaries.
![Page 42: DevOpsDay London Ben Hughes Security](https://reader034.fdocuments.in/reader034/viewer/2022051513/54530107af795904308b516b/html5/thumbnails/42.jpg)
Infosec, this one’s for you
• Dev and ops (and everyone else) are people too.
• They made those decisions without malice in mind.
• People don’t go out of their way to make things insecure!
![Page 43: DevOpsDay London Ben Hughes Security](https://reader034.fdocuments.in/reader034/viewer/2022051513/54530107af795904308b516b/html5/thumbnails/43.jpg)
Primary action items
• Don’t just say “did you speak to security about this?”
• Get people involved!
• Security has never [successfully] been a check box.
![Page 44: DevOpsDay London Ben Hughes Security](https://reader034.fdocuments.in/reader034/viewer/2022051513/54530107af795904308b516b/html5/thumbnails/44.jpg)
Reducing barriers.
Having an approachable security team is the most important thing they can do.
The second you lose the ability to talk to them about anything, you effectively lose your security team.
![Page 45: DevOpsDay London Ben Hughes Security](https://reader034.fdocuments.in/reader034/viewer/2022051513/54530107af795904308b516b/html5/thumbnails/45.jpg)
So, that party you mentioned?
• Skill sharing.
• Hack week.
• Boot camping.
![Page 48: DevOpsDay London Ben Hughes Security](https://reader034.fdocuments.in/reader034/viewer/2022051513/54530107af795904308b516b/html5/thumbnails/48.jpg)
Borrowing from the devops.
• Tests!
• Test your code and your infrastructure.
• Wait, someone already gave this talk: http://www.slideshare.net/nickgsuperstar/devopssec-apply-devops-principles-to-security/32
![Page 51: DevOpsDay London Ben Hughes Security](https://reader034.fdocuments.in/reader034/viewer/2022051513/54530107af795904308b516b/html5/thumbnails/51.jpg)
Borrowing from the devops.
So did Gareth! https://speakerdeck.com/garethr/security-monitoring-penetration-testing-meets-monitoring
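“Test your infrastructure” is easiest to picture as a unit test whose subject is a config file rather than a function. The block below is an added example, not code from the talk or from either of the decks linked above: it parses an `sshd_config`, asserts a small hardening policy against it, and reports a setting that is merely absent as a failure, since a test that silently relies on the compiled-in default is asserting nothing. Both config texts are constructed for the example and the policy table is an assumption chosen for illustration.

```python
"""An infrastructure test: assert hardening policy against sshd_config.

Added example, not from the talk. Config texts are constructed; the policy
is an assumed illustration, not a recommendation from the slides.
"""


def parse_sshd_config(text: str) -> dict:
    """Map lowercased keyword -> first value from the global section.

    sshd honours the first occurrence of a keyword, so later duplicates are
    ignored. Match blocks are out of scope here (assumption of this example).
    """
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()              # drop comments and blank lines
        if not line:
            continue
        if line.lower().startswith("match "):
            break                                         # stop at the first Match block
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key Value" or "Key=Value"
        if len(parts) != 2:
            continue
        cfg.setdefault(parts[0].lower(), parts[1].strip())
    return cfg


# Keyword -> set of acceptable values (case-insensitive). Assumed policy.
POLICY = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "permitemptypasswords": {"no"},
    "x11forwarding": {"no"},
}


def audit_sshd(text: str, policy: dict = POLICY) -> list:
    """Return a list of findings; an empty list means the config passes the policy."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, allowed in policy.items():
        value = cfg.get(key)
        if value is None:
            findings.append(f"{key}: not set explicitly (compiled-in default applies)")
        elif value.lower() not in allowed:
            findings.append(f"{key}: is '{value}', expected one of {sorted(allowed)}")
    return findings


WEAK_CONFIG = """\
# constructed sample: roughly what an untouched install looks like
Port 22
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding yes
"""

HARDENED_CONFIG = """\
# constructed sample: what the test expects to see
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
X11Forwarding no
Match User deploy
    PasswordAuthentication no
"""


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_sshd(text)
        print(f"{name}: {'PASS' if not findings else 'FAIL'}")
        for finding in findings:
            print("  -", finding)
```

Run it in the same pipeline as the application tests and a config-management change that reintroduces `PermitRootLogin yes` fails the build like any other regression. The same shape (parse, assert, report) carries over to firewall rule sets, TLS settings or the list of listening ports.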
![Page 52: DevOpsDay London Ben Hughes Security](https://reader034.fdocuments.in/reader034/viewer/2022051513/54530107af795904308b516b/html5/thumbnails/52.jpg)
Stop saying “No!”
![Page 53: DevOpsDay London Ben Hughes Security](https://reader034.fdocuments.in/reader034/viewer/2022051513/54530107af795904308b516b/html5/thumbnails/53.jpg)
So finally
• The most important thing that we do as a security team is...
• Humility.
• Security isn’t everything. People are rad.
![Page 55: DevOpsDay London Ben Hughes Security](https://reader034.fdocuments.in/reader034/viewer/2022051513/54530107af795904308b516b/html5/thumbnails/55.jpg)
Fin
<golden axe screen shot>