THE CASE FOR CONTINUOUS SECURITY
By Pete Cheslock, Senior Director of Ops and Support at Threat Stack
@petecheslock
DevOps is a term that has absolutely blown up in the last 5 years.
However, many had an immediate adverse reaction towards Yet Another Buzzword
…especially when the core concepts of “DevOps” were things people had been doing for YEARS!
The Core Tenet of DevOps:
To shorten the feedback loop in development cycles,
allowing teams to iterate quickly on changes and ship features to customers sooner.
Mainstream DevOps = Easily accessible cloud infrastructure + Maturity of operational tooling
For companies starting new product development initiatives,
using Configuration Management is table stakes to iterate quickly!
IaaS providers today make it as easy as possible to provision systems
to meet infrastructure needs — and quickly.
Physical Data Center
Public Compute Resources
for flexibility and accessibility provided by Amazon, Google, Microsoft
The Competitive Advantage:
Companies leverage Infrastructure as Code for major speed-to-market benefits.
Companies can now provision hundreds (or thousands) of compute
instances in mere minutes.
This is an everyday activity!
Continuous Integration
Continuous Deployment
But who (or what) is continually monitoring the state of your
operational security?!
Today…
Junior sysadmins can now make changes to:
• a Chef Recipe
• a Puppet Manifest
• an Ansible Playbook
…and deploy it to production — in minutes…
What is the scope of that change?
Sysadmins DON’T Want:
to be slowed down by the security team
or
configuration management changes to be passed through a Change Control Board
Sysadmins Want:
to change a variable, open a pull request, and once merged, their operational tooling to do the rest!
They want their change to hit production servers ASAP.
This is where SecDevOps (or SecOps) comes in.
(ignore the fact that it’s a silly buzzword just like DevOps…)
If DevOps seeks to value empathy between these two teams that traditionally had different incentives for their positions…
Developers: value constant change
Operations: value stability
…then SecDevOps seeks to evoke the SAME outcome with Security teams
(and the rest of the business)
If you’re continually deploying changes, you must be continually monitoring
security implications for operational changes.
Oftentimes, no single person is able to say with absolute certainty which infrastructure changes pose additional risks to your security posture.
And, if you have a traditional network security organization
that manually reviews and approves changes to production…
You’ve introduced the newest bottleneck in your organization.
SecDevOps is the answer to this discussion.
A SecDevOps methodology allows you to improve your security monitoring
and response times, while maintaining your ability to continually
deploy changes.
This is the most important (and exciting!) problem to solve in many organizations!
But it is also one of the hardest problems to solve.
This is why at Threat Stack, we’re all excited to be in a unique position to actively
help companies solve this.