the case for continuous security

THE CASE FOR CONTINUOUS SECURITY By Pete Cheslock Senior Director of Ops and Support at Threat Stack @petecheslock

Upload: threat-stack

Post on 18-Nov-2014


DESCRIPTION

One of the core tenets of what people consider to be “DevOps” is to shorten the feedback loop in your development cycles. This tenet ties in directly with Agile methodologies utilized by software engineering teams. With the advent of easily accessible cloud infrastructure, and with the various operational tooling around those new infrastructure providers reaching a new level of maturity, we are now seeing a world where “DevOps” is mainstream. For companies starting new product development initiatives, using some form of Configuration Management is now table stakes to iterate quickly. Continuous Integration. Continuous Deployment. But who (or what) is continually monitoring the state of your operational security? This is where SecDevOps, or SecOps, comes into play. The SecDevOps methodology allows you to improve your security monitoring and response time, while maintaining your ability to continually deploy changes.

TRANSCRIPT

Page 1: The Case For Continuous Security

THE CASE FOR CONTINUOUS SECURITY

By Pete Cheslock Senior Director of Ops and Support at Threat Stack

@petecheslock

Page 2: The Case For Continuous Security

DevOps is a term that has absolutely blown up in the last 5 years.

Page 3: The Case For Continuous Security

However, many had an immediate adverse reaction towards Yet Another Buzzword

Page 4: The Case For Continuous Security

…especially when the core concepts of “DevOps” were things people had been doing for YEARS!

Page 5: The Case For Continuous Security
Page 6: The Case For Continuous Security

The Core Tenet of DevOps

To shorten the feedback loop in development cycles, allowing teams to iterate quickly on changes and ship features to customers sooner.

Page 7: The Case For Continuous Security

Mainstream DevOps = Easily accessible cloud infrastructure + Maturity of operational tooling

Page 8: The Case For Continuous Security

For companies starting new product development initiatives,

using Configuration Management is table stakes to iterate quickly!

Page 9: The Case For Continuous Security

IaaS providers today make it as easy as possible to provision systems

to meet infrastructure needs — and quickly.

Page 10: The Case For Continuous Security

Physical Data Center

Public Compute Resources

for flexibility and accessibility provided by Amazon, Google, Microsoft

Page 11: The Case For Continuous Security

Companies leverage Infrastructure as Code for major speed to market benefits

The Competitive Advantage

Page 12: The Case For Continuous Security

Companies can now provision hundreds (or thousands) of compute instances in mere minutes.

This is an everyday activity!

Page 13: The Case For Continuous Security

Continuous Integration

Continuous Deployment

But who (or what) is continually monitoring the state of your operational security?

Page 14: The Case For Continuous Security
Page 15: The Case For Continuous Security

Today…

Junior sysadmins can now make changes to:

• a Chef Recipe
• a Puppet Manifest
• an Ansible Playbook

…and deploy it to production — in minutes…

Page 16: The Case For Continuous Security

What is the scope of that change?

Page 17: The Case For Continuous Security

Sysadmins DON’T Want:

to be slowed down by the security team

or

configuration management changes to be passed through a Change Control Board

Page 18: The Case For Continuous Security

Sysadmins Want:

to change a variable, open a pull request, and once merged, their operational tooling to do the rest!

They want their change to hit production servers ASAP.

Page 19: The Case For Continuous Security

This is where SecDevOps (or SecOps) comes in.

(ignore the fact that it’s a silly buzzword just like DevOps…)

Page 20: The Case For Continuous Security

If DevOps seeks to value empathy between these two teams that traditionally had different incentives for their positions…

Developers: value constant change

Operations: value stability

Page 21: The Case For Continuous Security

…then SecDevOps seeks to evoke the SAME outcome with Security teams

(and the rest of the business)

Page 22: The Case For Continuous Security

If you’re continually deploying changes, you must be continually monitoring security implications for operational changes.

Page 23: The Case For Continuous Security

Oftentimes there is no single person who is able to say with absolute certainty which changes to infrastructure carry additional risks to your security posture.

Page 24: The Case For Continuous Security

And, if you have a traditional network security organization that manually reviews and approves changes to production…

You’ve introduced the newest bottleneck in your organization.

Page 25: The Case For Continuous Security

A SecDevOps methodology allows you to improve your security monitoring and response times, while maintaining your ability to continually deploy changes.

SecDevOps is the answer to this discussion.

Page 26: The Case For Continuous Security

This is the most important (and exciting!) problem to solve in many organizations!

Page 27: The Case For Continuous Security

But it is also one of the hardest problems to solve.

This is why at Threat Stack, we’re all excited to be in a unique position to actively help companies solve this.

Page 28: The Case For Continuous Security

Start Implementing Continuous Security Today!

threatstack.com