(SEC402) Enterprise Cloud Security via DevSecOps 2.0

Upload: amazon-web-services

Post on 16-Apr-2017

TRANSCRIPT

Page 1: (SEC402) Enterprise Cloud Security via DevSecOps 2.0

© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Shannon Lietz – Intuit – Sr. Manager, Cloud Security Engineering

Matt Bretan – AWS Professional Services – Senior Consultant

October 2015

SEC402

Enterprise Cloud Security via DevSecOps 2.0 – Crawl. Walk. Run.

Page 2: (SEC402) Enterprise Cloud Security via DevSecOps 2.0

What to expect from this session

• Are you ready to adopt security so compelling it changes how your company operates???

• Learn from our lessons and war stories.

• Gain knowledge about how to do DevSecOps at your organization.

• Discover what we are doing to learn more!

Page 3: (SEC402) Enterprise Cloud Security via DevSecOps 2.0

…DevSecOps is an evolving story

Image credit: Copyright © 2009 José-Manuel Benitos

Page 4: (SEC402) Enterprise Cloud Security via DevSecOps 2.0

Chart: security, compliance, governance, and audit related launches and updates per year, 2007 to 2015 (bar labels shown: 48, 61, 82, 159, 280, 514, and ? for the year still in progress)

AWS constantly innovating – driven by your needs

Page 5: (SEC402) Enterprise Cloud Security via DevSecOps 2.0

Cloud security Then and Now

From (UX): Human Interactions, Recon, Operations, Security Intelligence

To (API): Security Intelligence, Recon Tools, Agents, Operations, Human Interactions

Page 6: (SEC402) Enterprise Cloud Security via DevSecOps 2.0

Where are we today?

• DevSecOps is different and addictive.

• Cloud attacks and compromises are faster.

• Investing in native cloud solutions.

• Doubling down on educating security on AWS services.

• Focusing on attack modeling and operationalizing security.

Since 2014:

+ 37 DevSecOps worldwide

+ 2k cloud security

+ 3 open-source projects underway

+ Full day of SecDevOps @RSA

+ Dedicated track for security in Rugged DevOps @ Goto

Page 7: (SEC402) Enterprise Cloud Security via DevSecOps 2.0

How can I catch up? Quick recap?

Problem statement

• DevOps requires continuous deployments

• Fast decision making is critical to DevOps success

• Traditional security just doesn’t scale or move fast enough

Welcome, DevSecOps!

• Customer focused mindset

• Scale, scale, scale

• Objective criteria

• Proactive hunting

• Continuous detection and response

Image: Bang Head Here

DevSecOps quadrants

• Security Engineering – Experiment, Automate, Test

• Security Operations – Hunt, Detect, Contain

• Compliance Operations – Respond, Manage, Train

• Security Science – Learn, Measure, Forecast

Page 8: (SEC402) Enterprise Cloud Security via DevSecOps 2.0

Why is this so important? The Case for Change

• DevOps, Agile, and Scrum on the rise…

• Workload migrations to software defined environments…

• Mass adoption of the public cloud…

• Talent migration to progressive cloud companies…

• Startups have game-changing tech at their disposal…

• Competitive landscape is becoming fierce…

• The perimeter is no longer an option…

• Security, now more than ever, is an arms race…

Page 9: (SEC402) Enterprise Cloud Security via DevSecOps 2.0

The DevSecOps mindset

• Customer focus

• Open and transparent

• Iteration over perfection

• Hunting over reaction

• Hmmm → Wait a minute, this sounds like a manifesto…insert shameless plug here: http://www.devsecops.org

Page 10: (SEC402) Enterprise Cloud Security via DevSecOps 2.0

OK → Ready, Set, Crawl?

Page 11: (SEC402) Enterprise Cloud Security via DevSecOps 2.0

Where to start?

• Pontificate?

• Checklists?

• 1-pagers? 6-pagers? Documents?

Page 3 of 433

Security as code

Page 12: (SEC402) Enterprise Cloud Security via DevSecOps 2.0

Security as code is easy with AWS

AWS provides all the APIs!

• Programmatically test environments

• Determine state of environment at a specific point in time

• Repeatable processes

• Scalable operations

Page 13: (SEC402) Enterprise Cloud Security via DevSecOps 2.0

How can we learn DevSecOps?

Start Here? DevOps + Security → DevOps + DevSecOps

• Security as Code? Experiment: Automate Policy Governance

• Security as Operations? Experiment: Detection via Security Operations

• Compliance Operations? Experiment: Compliance via DevSecOps Toolkit

• Science? Experiment: Science via Profiling

Page 14: (SEC402) Enterprise Cloud Security via DevSecOps 2.0

Crawl demo

Page 15: (SEC402) Enterprise Cloud Security via DevSecOps 2.0

Lessons learned

• One and done does not work.

• Documenting decisions is useful but not enough.

• Traditional security tools make operating a cloud environment challenging.

• Need to suspend disbelief.

• Enterprise cloud security is a big-data problem.

Page 16: (SEC402) Enterprise Cloud Security via DevSecOps 2.0

The “who” matters

Operations

Red team

Blue team

Developer

Security

Page 17: (SEC402) Enterprise Cloud Security via DevSecOps 2.0

The “who” matters

Image credit: Copyright © 2012 Martin Patten

Page 18: (SEC402) Enterprise Cloud Security via DevSecOps 2.0

The “who” matters

Page 19: (SEC402) Enterprise Cloud Security via DevSecOps 2.0

Can I skip walking?

Page 20: (SEC402) Enterprise Cloud Security via DevSecOps 2.0

Why walking is important…

Imagine that you will need to support all of the facets of security inline with development and operations at speed.

• Were your crawl experiments enough to generate DevSecOps experts?

• Have you got the right level of operational maturity?

• Do you have an All Star Team or a Team of All Stars?

• Is your organization listening, participating, and fully engaged?

• Is collaboration and communication working well?

• Do you have it all figured out?

Page 21: (SEC402) Enterprise Cloud Security via DevSecOps 2.0

Are you ready to make these decisions?

Decision table, five hosting options:

(1) On-Premises; (2) Partial On-Premises; (3) Outsourced w/ No Indemnification; (4) Outsourced w/ Partial Indemnification; (5) Outsourced w/ Full Indemnification

Who is responsible? (from Internal to Partners)

  (1) You; (2) You; (3) You; (4) You + Partner; (5) Partner

Which minimal controls are needed?

  (1) Physical Security, Secure Handling, Disposal

  (2) File Or Object Encryption For Sensitive Data, Physical Security, Secure Handling, Disposal

  (3) File Or Object Encryption For Sensitive Data, Partner Security, SOC Attestation

  (4) File Or Object Encryption For Sensitive Data, Partner Security, SOC Attestation

  (5) Partner Security, SOC Attestation

Where does data transit and get stored?

  (1) Company “Owned” Data Center Or Co-location

  (2) Any Compute & Transit, Data Store On Premises

  (3) Public Cloud, Free Services

  (4) SaaS, Private Cloud, Public Cloud, Free Services

  (5) Managed Services, SaaS, Private Cloud

What are the innovation benefits?

  (1) Reduced Latency, Search Sensitive Data

  (2) Speed, Reduced Friction, Search Sensitive Data

  (3) Speed, Reduced Friction, Evolving Patterns, Community

  (4) Speed, Reduced Friction, Evolving Patterns, Community

  (5) Speed, Reduced Friction, Indemnification

What are the potential risks?

  (1) SQL Injection, Internal Threats, Mistakes, Phishing, Increased Friction, Slow

  (2) Latency, SQL Injection, Internal Threats, Mistakes, Phishing, Increased Friction, Slow

  (3) Inability to Search Sensitive Data, SQL Injection, Internal Threats, Mistakes, Phishing, Unknown Gov’t Requests, Reduced Financial Responsibility

  (4) Inability to Search Sensitive Data, SQL Injection, Internal Threats, Mistakes, Phishing, Unknown Gov’t Requests

  (5) Inability to Search Sensitive Data, SQL Injection, Internal Threats, Mistakes, Phishing, Unknown Gov’t Requests

Page 22: (SEC402) Enterprise Cloud Security via DevSecOps 2.0

Or govern these policies?

{
  "Version": "2015-05-09",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "iam:ChangePassword",
      "iam:GetAccountPasswordPolicy"
    ],
    "Resource": "*"
  }
}

Page 23: (SEC402) Enterprise Cloud Security via DevSecOps 2.0

Or hunt full stack security issues?

Page 24: (SEC402) Enterprise Cloud Security via DevSecOps 2.0

Or communicate simply and quickly?

Discover Evaluate Control Communicate

Page 25: (SEC402) Enterprise Cloud Security via DevSecOps 2.0

Or translate security like this?

Ruby fragment shown on the slide (the enclosing rescue/end is not shown; iam, roledb, log, options and policydiff come from the surrounding tool):

begin
  # Inline policies on the role that are not part of the approved baseline kept in roledb
  (iam.client.list_role_policies(:role_name => role)[:policy_names] - roledb.list_policies(role)).each do |policy|
    # Show the diff of the unapproved policy against an empty document before acting on it
    log.warn("Deleting Policy \"#{policy}\", which is not part of the approved baseline.") if policydiff(
      "{}",
      URI.decode(iam.client.get_role_policy(:role_name => role, :policy_name => policy)[:policy_document]),
      {:argv => ARGV, :diff => options.diff}
    )
    # Only delete when not in dry-run mode
    options.dryrun ? nil : iam.client.delete_role_policy(:role_name => role, :policy_name => policy)
  end

Tool output shown: Account Grade: B – Heal Account?
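The slides on security as code (Page 12), the IAM policy to govern (Page 22) and the baseline-healing fragment above show the pattern but not a complete program. The following Ruby is an added, self-contained example written for this transcript; it is not Intuit's or AWS's code. It assumes a constructed baseline in place of the slide's roledb, constructed IAM responses (URL-encoded JSON, as get_role_policy returns them), and an assumed grading rule, so it runs offline; the delete step is injected as a block where the real tool would call delete_role_policy.

```ruby
require 'json'
require 'cgi'

# Constructed sample baseline standing in for the slide's "roledb":
# role name -> policy name -> approved policy document.
# The first policy is the one shown on the "Or govern these policies?" slide.
APPROVED_BASELINE = {
  'app-role' => {
    'self-service-password' => {
      'Version' => '2015-05-09',
      'Statement' => {
        'Effect' => 'Allow',
        'Action' => ['iam:ChangePassword', 'iam:GetAccountPasswordPolicy'],
        'Resource' => '*'
      }
    },
    'read-logs' => {
      'Version' => '2012-10-17',
      'Statement' => [{
        'Effect' => 'Allow',
        'Action' => ['logs:GetLogEvents', 'logs:DescribeLogStreams'],
        'Resource' => 'arn:aws:logs:us-east-1:123456789012:log-group:/app/*'
      }]
    }
  }
}

# Constructed stand-in for what get_role_policy returns for the live role: URL-encoded JSON.
# The first policy differs from the baseline only in ordering and in array-vs-string form,
# the second has a widened Resource, and the third is not in the baseline at all.
LIVE_ROLE_POLICIES = {
  'self-service-password' => CGI.escape(JSON.generate({
    'Version' => '2015-05-09',
    'Statement' => [{
      'Effect' => 'Allow',
      'Action' => ['iam:GetAccountPasswordPolicy', 'iam:ChangePassword'],
      'Resource' => ['*']
    }]
  })),
  'read-logs' => CGI.escape(JSON.generate({
    'Version' => '2012-10-17',
    'Statement' => [{
      'Effect' => 'Allow',
      'Action' => ['logs:GetLogEvents', 'logs:DescribeLogStreams'],
      'Resource' => '*'
    }]
  })),
  's3-admin' => CGI.escape(JSON.generate({
    'Version' => '2012-10-17',
    'Statement' => [{ 'Effect' => 'Allow', 'Action' => 's3:*', 'Resource' => '*' }]
  }))
}

# Normalize a policy document so that semantically equal documents compare equal:
# Statement may be one object or an array, Action/Resource a string or an array, and
# ordering is not significant. (NotAction and Condition are left as given.)
def normalize_policy(doc)
  doc = JSON.parse(doc) if doc.is_a?(String)
  statements = doc['Statement']
  statements = [statements] if statements.is_a?(Hash)
  normalized = statements.map do |s|
    s.merge('Action' => Array(s['Action']).sort, 'Resource' => Array(s['Resource']).sort)
  end
  { 'Version' => doc['Version'], 'Statement' => normalized.sort_by(&:to_s) }
end

# Compare a role's live inline policies with the baseline. Returns the names that are not
# approved (deletion candidates), that drifted from the approved text, and that are missing.
def audit_role(role, live_policies, baseline = APPROVED_BASELINE)
  approved = baseline.fetch(role, {})
  report = { role: role, unapproved: [], drifted: [], missing: [] }
  live_policies.each do |name, encoded_doc|
    live_doc = normalize_policy(CGI.unescape(encoded_doc))
    if approved.key?(name)
      report[:drifted] << name unless live_doc == normalize_policy(approved[name])
    else
      report[:unapproved] << name
    end
  end
  report[:missing] = approved.keys - live_policies.keys
  report
end

# "Heal": remove every unapproved policy, as the slide's delete_role_policy call does, unless
# dry run. The delete itself is yielded to the caller's block so this runs without an AWS client.
def heal_role(report, dryrun: true)
  actions = report[:unapproved].map { |name| { role_name: report[:role], policy_name: name } }
  actions.each do |a|
    warn "#{dryrun ? '[dry run] ' : ''}Deleting Policy \"#{a[:policy_name]}\", which is not part of the approved baseline."
    yield a if block_given? && !dryrun
  end
  actions
end

# Assumed grading rule (the slide shows a grade but not how it is computed): A when every role
# matches the baseline, B for drift or missing policies only, C when unapproved policies exist.
def account_grade(reports)
  return 'C' if reports.any? { |r| r[:unapproved].any? }
  return 'B' if reports.any? { |r| r[:drifted].any? || r[:missing].any? }
  'A'
end

if $PROGRAM_NAME == __FILE__
  report = audit_role('app-role', LIVE_ROLE_POLICIES)
  puts JSON.pretty_generate(report)
  heal_role(report, dryrun: true)
  puts "Account Grade: #{account_grade([report])}"
end
```

Normalizing before comparing is what keeps the audit from flagging the self-service password policy, which the live account stores with the actions in a different order and the resource as a one-element array; the widened read-logs resource and the extra s3-admin policy are reported, and only the latter is a deletion candidate because drift in an approved policy is a decision for a person, not for the heal step.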

Page 26: (SEC402) Enterprise Cloud Security via DevSecOps 2.0

Walk demo

Page 27: (SEC402) Enterprise Cloud Security via DevSecOps 2.0

Lessons learned

• A lot of this is not new.

• It’s hard work and ever evolving.

• Enterprise cloud security is a bigger big-data problem than we originally thought…petabytes!!!!

• Keys to success:

  • Detect and resolve security issues quickly.

  • Use native security capabilities as much as possible.

  • Enlist and enable the organization.

  • Educate inline and break it into bite-size chunks.

Page 28: (SEC402) Enterprise Cloud Security via DevSecOps 2.0

Up and running in 2 weeks

Page 29: (SEC402) Enterprise Cloud Security via DevSecOps 2.0

Guiding principles

• DevSecOps is a journey, not a destination.

• Small security teams can make a profound impact.

• Organize around self-service and enablement.

• Translate security for the layperson.

• Perfection is the enemy…get rugged.

Page 30: (SEC402) Enterprise Cloud Security via DevSecOps 2.0

What does Running look like?

• Operating model and process

• Open contribution

• Tools and rules

Page 31: (SEC402) Enterprise Cloud Security via DevSecOps 2.0

Operating model and process

• Empower everyone to participate.

• Enlighten decision makers with insights.

• Don’t reinvent the wheel—use organizational tools.

• Lightweight process.

• Pivot! Pivot! Pivot!

• Iterate.

Page 32: (SEC402) Enterprise Cloud Security via DevSecOps 2.0

Open contribution

• Use source control and collaboration features to ensure the right rules are being created.

• Engage everyone in your organization.

• Track and resolve defects transparently.

Page 33: (SEC402) Enterprise Cloud Security via DevSecOps 2.0

Ready to build your DevSecOps platform?

Platform diagram layers (top to bottom): insights; security science; security tools & data; AWS accounts

Components shown: S3, Glacier, EC2, CloudTrail, ingestion, threat intel

Page 34: (SEC402) Enterprise Cloud Security via DevSecOps 2.0

Demo:

Enterprise cloud security in AWS

Page 35: (SEC402) Enterprise Cloud Security via DevSecOps 2.0

What Next?

• Take the DevSecOps Survey at devsecops.org.

• Join the DevSecOps LinkedIn group and get involved.

• Follow us on Twitter @devsecops.

• Give us feedback on the Enterprise Cloud Security How-To.

• Write an article for the DevSecOps community.

• Become a DevSecOps engineer.

• Spread the word!!!

Page 36: (SEC402) Enterprise Cloud Security via DevSecOps 2.0

Remember to complete your evaluations!

Page 37: (SEC402) Enterprise Cloud Security via DevSecOps 2.0

Thank you!

@devsecops

Page 38: (SEC402) Enterprise Cloud Security via DevSecOps 2.0

Related sessions

SEC326 – Security Science Using Big Data

SEC312 – Reliable Design and Deployment of Security and Compliance

SEC316 – Harden Your Architecture with Security Incident Response Simulations (SIRS)

SEC308 – Wrangling Security Events in the Cloud