isaca ireland keynote 2015
TRANSCRIPT
Embracing DevSecOps to support Rugged Innovation at
Speed and Scale
Shannon Lietz, Intuit
Who am I?
• 25+ yrs Technology & Security Experience
• Background in Security R&D
• Working with the Cloud before it was called the “Cloud”
• Manage teams using DevOps, Agile & Scrum
• Incident Response & Crisis Management
-- FOUNDER --
Are you ready for the end of Security & Compliance as we know it?
The Race for Competitive Advantage…
Indicators that demonstrate change:
• Tailoring business to the needs of customers to achieve large-scale business returns is driving Cloud & DevOps adoption
• Small businesses and entrepreneurs are enabled to compete in complex business models with boutique appeal against Enterprises
• High performing teams are being developed and incubated in Enterprises to mimic the DevOps teams found in Start-ups.
Startups on the Rise in 2015… From 1996 to 2015:
• Increase in Startups in 2015 shows rebound
• Entrepreneurs over 55 have nearly doubled
• Significant Rise in Immigrant Entrepreneurs
• New Entrepreneurs are on the rise again
• More men than women are becoming first time Entrepreneurs
kauffman.org
DevOps Growth… Google Trends
• DevOps.com was bought in 2004
• Google searches for “DevOps” started to rise in 2010
• Major influences:
– Saving your Infrastructure from DevOps / Chicago Tribune
– DevOps: A Culture Shift, Not a Technology / Information Week
– DevOps: A Sharder’s Tale from Etsy
– DevOps.com articles
• RuggedSoftware.org was bought in 2010
https://www.google.com/trends/
Cloud Security Boom…
• Cloud Platform security features have been on the rise for the last few years
• Security in the Cloud is becoming the norm
• Default configurations are still not quite there but will become the focus with growing thought leadership
• Cloud Providers must solve for providing security features that scale
• Security teams need to learn to use these features quickly
[Chart: year axis 2007–2015 with values 48, 61, 82, 159, 280, 514, ? as extracted; source: AWS re:Invent 2015]
Big Data?
• Reflecting on this 2013 Utilities article
• Devices & IoT drive bigger data
• Instrumentation <- Security needs this
• Asset management & monitoring
• Service Support
http://www.enterprisecioforum.com/big-data-case-study-utilities/
DevOps increases speed & scale…
This collaborative effort can help DevOps-led projects make IT operational metrics 100 times better, and in so doing offers “an evolutionary fork in the road” which could lead to the “end of security as we know it,” added Joshua Corman – founder of Rugged DevOps and I am the Cavalry.
http://www.infosecurity-magazine.com/news/infosec15-devops-end-of-security
So what hinders “secure” innovation @ speed & scale?
1. Friction for friction’s sake
2. Manual processes & meeting culture
3. Point in time assessments
4. Decisions being made outside of value creation
5. Contextual misunderstandings
6. Late constraints and requirements
7. Big commitments, big teams, and big failures
8. Fear of failure, lack of learning
9. Lack of inspiration
10. Management and political interference (approvals, exceptions)
And then there’s … the brand of Security & Compliance!
• The discipline is very complex
• Thousands of Controls
• Majority of the Security Industry is Vendor dependent
• Requires Meetings, Appointments, and Point in Time evaluations with low context
• Requirements are dependent on what is developed
• The art of “No” has become its own science
Isn’t DevOps in the best Interest of Security & Compliance?
https://www.kpmg.com/BE/en/IssuesAndInsights/ArticlesPublications/Documents/Transforming-Internal-Audit.pdf
What’s the DevSecOps Mission?
…creating targeted customer value
through secure iterative innovation
at speed & scale …
Security is Everyone’s Job!
What should we value to evolve Security for DevOps?
Leaning in over Always Saying “No”
Data & Security Science over Fear, Uncertainty and Doubt
Open Contribution & Collaboration over Security-Only Requirements
Consumable Security Services with APIs over Mandated Security Controls & Paperwork
Business Driven Security Scores over Rubber Stamp Security
Red & Blue Team Exploit Testing over Relying on Scans & Theoretical Vulnerabilities
24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident
Shared Threat Intelligence over Keeping Info to Ourselves
Compliance Operations over Clipboards & Checklists
In essence, don’t waste people’s time with Fear -> Uncertainty -> Doubt
devsecops.org
Now - Imagine adding Security into the DevOps pipeline…
Security Self-Service
[Diagram: skills across the pipeline: Biz, UX, Dev, Data Science, App Sec, Sec Eng, Comp Ops, Sec Ops, Ops, Training]
Software & Infrastructure Platforms
Software Components & Resources
YOUR APP STACK GOES HERE
Operational Tools & Monitoring
collaboration, partnership, value creation, self-service [DevOps, Agile, Scrum, Cloud]
The Art of DevSecOps (Security View)
DevSecOps
Security Engineering
Experiment, Automate, Test
Security Operations
Hunt, Detect, Contain
Compliance Operations
Respond, Manage, Train
Security Science
Learn, Measure, Forecast
Can we make it simple? Yes!
• Smaller Teams
• Smaller Services
• Smaller Failures
• Rest APIs drive culture
• Customer focus
• Deep problem understanding throughout org
• Deliberate dedication to solving and simplifying tech challenges
• Products and Services have security built-in along the supply chain
• Security removes barriers and roadblocks as self-service for DevOps
• Managers map, magnify and multiply to create culture
• Measurement is built-in to support culture of Continuous Improvement
blast radius
How can we get started?

Small Project
Approach is tailored to small experiments and pipeline testing.
Pros:
• Requires DevOps Approach
• Fast failures
• Team learns to collaborate
• Higher Productivity, Less waste
Cons:
• Skill shortages
• Team needs vision to avoid micro-focus churn

Migration
Approach allows organization to map and adjust for what they already know.
Pros:
• Allows companies to keep operating while teams figure out what’s needed
Cons:
• Overload
• Can be slower to accomplish completion
• Failures can become complex

Big Project
Approach is “all-in” and used to transform an organization as a whole.
Pros:
• Firm commitment alleviates political back and forth
• Focus & All-in Speed
Cons:
• Bigger Failures
• Difficult for everyone to learn from mistakes and experiments
Small Project -> The Provocation
How can we transform a control into a self-aware, self-reporting, self-healing component that can be consumed at speed & scale?
Our challenge is to begin the process of creating self-aware and self-reporting components. This process can be achieved using configuration management tools, open source and log management systems. Let’s work with the IA Controls from NIST 800-53 today and use the implementation of MFA as an example. Specifically, IA-2 calls for multi-factor authentication, which is available in some Software Defined Environments as a feature. Let’s look at how we can enable MFA within our Stack and the different use cases that are present and require security baseline components.
Questions to answer:
1. How can baseline components be shared and extended?
2. Once the component is ready to be used, implemented, then what?
3. What about the feedback loop?
4. What is the best way to create an automated report that is continuously built and maintained?
5. How can we report across a full-stack?
6. What tools can assist?
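As an added illustration of a self-reporting IA-2 component (not code from the talk), the following Python reads CloudTrail-style records and reports sensitive calls made without MFA; the event records are constructed, and the list of calls treated as MFA-gated is an assumption rather than anything the slides specify.

```python
import json

# Constructed CloudTrail-style records (not real logs). They cover the cases the
# component must tell apart: console login with MFA, console login without MFA, an
# API call from a session that was not MFA-authenticated, and one that was.
EVENTS = json.loads("""[
 {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"},
  "additionalEventData": {"MFAUsed": "Yes"}},
 {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "bob"},
  "additionalEventData": {"MFAUsed": "No"}},
 {"eventName": "DeleteTrail", "userIdentity": {"type": "IAMUser", "userName": "carol",
  "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
 {"eventName": "DescribeInstances", "userIdentity": {"type": "AssumedRole",
  "arn": "arn:aws:sts::111122223333:assumed-role/Deploy/ci",
  "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}}
]""")

# Calls the baseline treats as MFA-gated (assumed list, not from the slides).
SENSITIVE = ("ConsoleLogin", "DeleteTrail", "StopLogging")

def mfa_used(event):
    """True/False from the record's MFA attribute; None when the record has none."""
    if event["eventName"] == "ConsoleLogin":
        return event.get("additionalEventData", {}).get("MFAUsed") == "Yes"
    attrs = event["userIdentity"].get("sessionContext", {}).get("attributes", {})
    if "mfaAuthenticated" not in attrs:
        return None
    return attrs["mfaAuthenticated"] == "true"

def principal(event):
    """Best available name for who acted: IAM user name, else the session ARN."""
    ident = event["userIdentity"]
    return ident.get("userName") or ident.get("arn") or ident.get("type")

def ia2_report(events, sensitive=SENSITIVE):
    """Continuously buildable IA-2 report: sensitive calls checked and those made
    without MFA (or where MFA state could not be determined, reported as 'unknown')."""
    checked, findings = 0, []
    for ev in events:
        if ev["eventName"] not in sensitive:
            continue
        checked += 1
        used = mfa_used(ev)
        if used is not True:
            findings.append({"principal": principal(ev), "eventName": ev["eventName"],
                             "mfa": "unknown" if used is None else "no"})
    return {"checked": checked, "findings": findings}

if __name__ == "__main__":
    print(json.dumps(ia2_report(EVENTS), indent=2))
```

Feeding the same function a rolling window of real trail records gives the continuously maintained report the questions above ask for, with the "unknown" bucket showing where the platform did not carry an MFA attribute at all.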
Compliance at Velocity (https://medium.com/compliance-at-velocity)
Migrations -> One foot in… One foot out...
[Diagram: left, Traditional IT & Security: FW/IDS in front of Web, App and DB tiers; right, DevOps + DevSecOps: FW/IDS, ELB, App, DBAAS]
Big Project -> The Hail Mary
[Diagram: left, Traditional IT & Security: FW/IDS in front of Web, App and DB tiers; right, DevOps? + DevSecOps?: the same FW/IDS, Web, App, DB stack]
What is this?
Why is the approach so important?
API KEY EXPOSURE -> 8 HRS
DEFAULT CONFIGS -> 24 HRS
SECURITY GROUPS -> 24 HRS
ESCALATION OF PRIVS -> 5 D
KNOWN VULN -> 8 HRS
So let’s recap before we move on to examples…
DevSecOps needs:
• Active Collaboration
• High Engagement
• Smaller Projects
• Smaller Blast Radius
• Experimentation
• Open Contribution
• Fail Fast Culture
• Ability to adapt and learn
• DevOps Understanding
• Focusing on Simplicity
Not this one…
This one!!
Perimeter Testing
THEN
PCI DSS 1.1.1 – Approve/Test/Detect firewall changes
Labor: 40 hours/Annually
Tools: Excel, Text Pad, Open Source or Commercial Config Management
Measure: Certify annually
Impact: High
NOW
Scan API, Ingest Config/Cloudtrail, trigger firewall audits and revert unapproved changes to heal to spec
Labor: 40 hours/First Year, 8 hours per yr maintain
Tools: APIs, Logs, Open Source, Commercial
Measure: Mean time to Detection, Mean time to Resolve
Impact: Depends on Resource
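The "heal to spec" step of the NOW column, as an added example that is not part of the talk: approved security-group rules are held as a baseline, an inventory snapshot is diffed against it, and the revokes and re-authorizations that restore the approved state are emitted along with a self-reporting summary. Group names, rules and the snapshot are constructed; wiring the actions to a real API is left to the reader.

```python
from dataclasses import dataclass

@dataclass(frozen=True, order=True)
class Rule:
    """One ingress rule as a config inventory would describe it."""
    proto: str
    port: int
    cidr: str

# Approved baseline (constructed): what the PCI DSS 1.1.1 change approval says each
# group may expose.
BASELINE = {
    "sg-web": {Rule("tcp", 443, "0.0.0.0/0"), Rule("tcp", 80, "0.0.0.0/0")},
    "sg-app": {Rule("tcp", 8080, "10.0.0.0/24")},
    "sg-db":  {Rule("tcp", 5432, "10.0.1.0/24")},
}

# Snapshot as a Config/describe-style inventory would return it (constructed, with
# drift: SSH opened to the world on sg-web, the DB port opened to the world on sg-db,
# and the approved app rule missing).
OBSERVED = {
    "sg-web": BASELINE["sg-web"] | {Rule("tcp", 22, "0.0.0.0/0")},
    "sg-app": set(),
    "sg-db":  BASELINE["sg-db"] | {Rule("tcp", 5432, "0.0.0.0/0")},
}

def audit(baseline, observed):
    """Diff observed rules against the baseline; return the ordered actions that
    heal each group back to spec (revokes first, then re-authorizes)."""
    actions = []
    for group in sorted(set(baseline) | set(observed)):
        want = baseline.get(group, set())
        have = observed.get(group, set())
        actions += [("revoke", group, r) for r in sorted(have - want)]
        actions += [("authorize", group, r) for r in sorted(want - have)]
    return actions

def report(actions):
    """Self-reporting summary: drifted groups and which revokes closed world-open ports."""
    drifted = sorted({g for _, g, _ in actions})
    world_open = [(g, r.port) for a, g, r in actions if a == "revoke" and r.cidr == "0.0.0.0/0"]
    return {"drifted_groups": drifted, "world_open_revoked": world_open, "actions": len(actions)}

if __name__ == "__main__":
    acts = audit(BASELINE, OBSERVED)
    for action, group, rule in acts:
        print(f"{action:9s} {group:7s} {rule.proto}/{rule.port} {rule.cidr}")
    print(report(acts))
```

Running the audit on every inventory change (rather than annually) is what turns the measure from "certify annually" into mean time to detection and mean time to resolve.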
Configuration Management/Baselines
THEN
PCI DSS 2.2 - Develop & Assure configuration standards for all system components.
Labor: 40 hours/Annually/Per Major Component
Tools: Excel, Text Pad, Open Source or Commercial Config Management
Measure: Certify annually
Impact: High
NOW
Track known good CF stacks & AMIs, alert or neutralize non-compliant/non-approved deploys
Labor: 40 hours/First Year, 1 hour per yr maintain / Per Component
Tools: APIs, Logs, Open Source, Commercial
Measure: Mean time to Detection, Mean time to Resolve
Impact: High
Encrypting Sensitive Data
THEN
HIPAA 164.312(a)(2)(iv): Implement a method to encrypt and decrypt electronic protected health information.
Labor: 1 FTE minimum per 3 DevOps Teams
Tools: Commercial, Open Source
Measure: Certify annually
Impact: High
NOW
Enforce encryption of all assets by platform or data classification tags. Continuous enforcement and automated detection.
Labor: 8 hours
Tools: APIs, Logs, Open Source, Commercial
Measure: Mean time to Detection, Mean time to Resolve
Impact: High
Access Management
THEN
NIST 800-53 AC-2(12) – Monitors and reports atypical usage of information system accounts.
Labor: 1 FTE minimum
Tools: Commercial, Open Source
Measure: Certify quarterly, annually
Impact: High
NOW
Cloudtrail/Config user attribution of use/abuse, ability to reduce team size and allow for smaller containers
Labor: 40 hours Dev, 8 hours Maintain
Tools: APIs, Logs, Open Source, Commercial
Measure: Mean time to Detection, Mean time to Resolve
Impact: High
Multi-Factor Authentication
THEN
NIST 800-53 IA-2 – The information system uniquely identifies and authenticates organizational users
Labor: 1 FTE minimum
Tools: Commercial, Open Source
Measure: Certify annually
Impact: High
NOW
MFA built into APIs and Cloud Platforms can be exposed for authorization decisions
Labor: 1 hour per week
Tools: APIs, Logs, Open Source, Commercial
Measure: Mean time to Resolve
Impact: High
Global Call to Action 2015
Are you ready to make decisions easier?
Or translate security like this?
In the end, isn’t this what we are ALL trying to avoid?
Get Involved and Join the Community
• devsecops.org
• @devsecops on Twitter
• DevSecOps on LinkedIn
• DevSecOps on Github
• RuggedSoftware.org
• Compliance at Velocity
• Join Us !!!
• Spread the word!!!