Cloud, DevOps and the New Security Practitioner
Slide 1
Cloud, DevOps and the New Security Practitioner
15 June 2016, 1:30PM
Adrian Sanabria, Senior Security Analyst, 451 Research
To get a copy of these slides, send an email to [email protected] with CSW2016 in the subject line or scan this QR code
Slide 2
Why are we here?
IT changes fast. Attackers change fast. Defenders don’t.
IT is changing
Attackers are adapting
The security discipline is diverging
Slide 3
Understanding security’s role by understanding IT
Traditional approach to security:
Security is always a secondary or enabling layer
Security must have direct knowledge and experience with the underlying layer in order to be effective at protecting it or recommending feasible solutions
Direct experience in core technical disciplines goes a long way in earning respect and cooperation
[Diagram: the IT stack as separate layers (Physical, OS Layer, Network Layer, Service Desk, Dev/QA/Test, Web/App Layer, Ops) with Security as its own layer alongside them]
Slide 4
Understanding security’s role by understanding IT
Issues with the traditional approach:
Few security teams can ever be ‘well-rounded’ enough
Security team isn’t qualified to advise much of IT
Adversarial/dysfunctional relationships are common
IT changes often; attackers adapt quickly
Defenders and security tools adapt slowly
[Diagram: the same IT layers (Physical, OS Layer, Network Layer, Service Desk, Dev/QA/Test, Web/App Layer, Ops) with Security as a separate layer]
Slide 5
Security’s changing role
An example: going ‘cloud-first’
Lower-level IT layers are outsourced
Most security practitioner knowledge lies in these layers
Infrastructure-heavy security skillsets lose value
Concept of bi-modal IT further confuses things
As IT changes, so must security
[Diagram: the same IT layers (Physical, OS Layer, Network Layer, Service Desk, Dev/QA/Test, Web/App Layer, Ops) with Security as a separate layer; the lower layers are the ones being outsourced]
Slide 6
Security’s changing role
Cloud and DevOps – an opportunity to redesign security:
Smaller ‘well-rounded’ groups
Dev, ops, infrastructure and security roles are shared
Everyone working towards a clear, common goal
Relationship between security and developers is crucial
Security can’t impact the delivery schedule
[Diagram: Physical/OS Layer, Network Layer and Service Desk remain as layers; Security is merged into the Dev/QA/Test, Web/App Layer and Ops group]
Slide 7
Questions
What should security’s future role be?
Security is redistributed into IT for all operational tasks
Dedicated security staff performs:
high-level design, design/architectural input
monitor changes in risk/attackers/landscape
instruct/consult individual SMEs as needed
[Diagram: each layer group (Physical/OS Layer, Network Layer, Service Desk, Dev/QA/Test + Web/App Layer + Ops) has its own embedded Security SME, supported by a central Internal Security Team]
Slide 8
Increasingly, software resembles these principles
Yesterday, Chef announced Habitat https://www.chef.io/blog/2016/06/14/introducing-habitat/
So… what’s up with the yin/yang visual metaphor?
…and where’s security?
Sec analysts are too
Slide 9
Chef Habitat, your latest shadow IT problem
Slide 10
New rule: if you own it, own it
“Whoever is responsible for an asset – be it data, infrastructure, code, or people – must secure it”
Slide 11
Why make asset owners responsible?
No one knows and understands the opportunities, constraints and dependencies of the asset better
A separate security team becomes a bottleneck for performance, progress and, often, even for security itself
Little to no time wasted on remediation conflict: what to fix, how to fix it, when and at what priority level
Likely that fewer security issues will occur*
Drives the cost of securing systems down, in terms of labor, efficiency and efficacy**
* I’ll explain later
** I’ll explain after that
Slide 12
Better Testing, Worse Quality? Study done in 2000 by Elizabeth Hendrickson
Reads like a short version of The Phoenix Project
Slide 13
Better Testing, Worse Quality? Study done in 2000 by Elizabeth Hendrickson
Creating an independent testing group can encourage a counterproductive culture:
“Don’t do today what you can push off onto someone else’s plate”
Document and address low-hanging fruit
Schedule time for developers to test and fix bugs
To improve code quality, stop the problem at the source
Everyone should understand what they’re building and why
Get testers involved earlier in the process
Bottleneck testing resources and developers are forced to ship higher quality code
http://testobsessed.com/wp-content/uploads/2011/04/btwq.pdf
Slide 14
Better Testing, Worse Quality? Study done in 2000 by Elizabeth Hendrickson
Could this apply to InfoSec? Surely not. In fact, it might be quite a bit worse. We’ve convinced everyone not just that security is our job, but that we’re the only ones who can do it properly.
What if they believed us?
Slide 15
Jobs!
Slide 16
The Enterprise Looked Like This
Slide 17
Then, the Enterprise Looked Like This
Slide 18
Today, the Enterprise Looks Like This
Slide 19
[Diagram: the enterprise consumed as cloud services: Storage, Database, Networking, App Services, Mobile, Dev Tools – “Enterprise as a service”]
Slide 20
This is not now.
Your career
Don’t panic!
Slide 21
So… you want to give away our jobs?
Traditional InfoSec doesn’t have to worry for a while
Be aware of the change
Learn new things now – don’t wait for later
Currently, new security jobs are often NOT going to security practitioners, and we’ll discuss why…
Slide 22
The Security Practitioner: old versus new
Old:
Monitoring security alerts
Manage network security
Manage endpoint security
IR/Forensics
Pentesting
Vulnerability scanning
Policies/Standards
Compliance/Regs
Log management
DR/BCP and SecAware
New:
Influence design, architecture standards, processes
Automate tasks
Forensics
Security assessments
Identify gaps and recommend fixes
JSON, REST, XML, SQL
Routing, load balancing, network protocols
Slide 23
How common?
6 out of the first 10 jobs I looked at required:
coding skills
new tech generation experience and/or skills
Slide 24
Like what experience or skills?
“Ability to automate tasks using scripting or other programming language”
“Scripting or general purpose programming languages”
REST, JSON, XML (API scripting)
“Experience with DevOps, CI/CD, Chef, Puppet”
“Experience testing for vulnerabilities in Ruby on Rails applications”
“Experience with various scripting and programming languages”
“Teach secure coding practices to software engineers”
Slide 25
What should I learn?
Scripting (automation)
Get familiar with cloud, agile, devops, containers, microservices, etc.
AppSec
Data protection
Learn to write code
Slide 26
What should I learn?
Cloud – focus on AWS, Azure, Digital Ocean (cheap)
Containers – focus on Docker
Pick a language – Ruby and Python are most common
Jenkins
Ansible, Chef, Puppet, Salt
New attack surface: don’t make security worse!
Automation: make security better!
Slide 27
How should I learn it?
Good starting point: find a security guy that loves to automate security and plunder his GitHub: https://github.com/averagesecurityguy
And more:
https://github.com/krmaxwell
https://github.com/nbrownus
Slack makes cool stuff
Go after AWS certs just to learn AWS
Digital Ocean tutorials
Slide 28
Resources – efficiency and workflow
Learning to recognize efficiency and workflow issues; challenging “because we’ve always done it that way”
Better Testing, Worse Quality, Elizabeth Hendrickson
The Four Hour Work Week, Tim Ferriss
The Phoenix Project, Kevin Behr, George Spafford, Gene Kim
Signal v. Noise, the 37signals blog (on Medium) and books
ReWork, by the Basecamp guys
Slide 29
Resources – new ideas
New ideas – challenge assumptions, push thinking
…also, VIDEOS!
Distributed Security Alerting, by Ryan Huber (blog)
Security Automation, by Ryan Huber (video)
What Got Us Here Won’t Get Us There, Black Hat keynote by Haroon Meer
Cloud Computing – Why IT Matters, by Simon Wardley at OSCON 09
Slide 30
Conclusion
If you want to understand where security is going, stop looking at security, and start following IT innovation, trends and changes
Slide 31
THANK YOU! Adrian Sanabria