building a modern security engineering team
play

Building a Modern Security Engineering Team zane@signalsciences.com - PowerPoint PPT Presentation

Mar 13, 2023 •104 likes •814 views

Building a Modern Security Engineering Team zane@signalsciences.com @zanelackey Who is this guy anyway? Built and led the Etsy Security Team Spoiler alert: what this presentation is about Co-founded Signal Sciences This talk is

  1. Building a Modern Security Engineering Team zane@signalsciences.com @zanelackey

  2. Who is this guy anyway? • Built and led the Etsy Security Team – Spoiler alert: what this presentation is about • Co-founded Signal Sciences

  3. This talk is about lessons learned being at the forefront of the shift to agile/continuous deployment/DevOps

  4. For security teams, the world has changed in fundamental ways: – Code deployment is now near-instantaneous

  5. For security teams, the world has changed in fundamental ways: – Code deployment is now near-instantaneous – Merging of development and operations means more people with production access

  6. For security teams, the world has changed in fundamental ways: – Code deployment is now near-instantaneous – Merging of development and operations means more people with production access – Cost of attack has significantly dropped

  7. Near-instantaneous deployment?

  8. An example: Etsy pushes to production 50 times a day on average

  9. Constant iteration in production via feature flags, ramp ups, A/B testing

  10. But doesn’t the rapid rate of change mean things are less secure?!

  11. Actually, the opposite is true

  12. They key to realize is vulnerabilities occur in all development methodologies …But there’s no such thing as an out-of-band patch in continuous deployment

  13. They key to realize is vulnerabilities occur in all development methodologies …But there’s no such thing as an out-of-band patch in continuous deployment

  14. Compared to: “We’ll rush that security fix. It will go out … in about 6 weeks.” - Former vendor at Etsy

  15. What makes continuous deployment safe?

  16. What makes continuous deployment safe? Visibility

  20. Source: http://www.slideshare.net/mikebrittain/advanced-topics-in-continuous-deployment

  21. The same hard lessons are slowly shifting to security

  22. Ex: Which of these is a quicker way to spot an attack?

  25. Surface security info for everyone , not just the security team

  27. “Don’t treat security as a binary event” - @ngalbreath

  28. Building a rad culture *Mullets sold separately

  29. In the shift to continuous deployment, speed increases by removing organizational blockers

  30. Trying to make security a blocker means you get routed around

  31. Instead, the focus becomes on incentivizing teams to reach out to security

  32. Keys to incentivizing conversation: – Don’t be a jerk . This should be obvious, but empathy needs to be explicitly set as a core part of your teams culture.

  33. Keys to incentivizing conversation: – Don’t be a jerk . This should be obvious, but empathy needs to be explicitly set as a core part of your teams culture. – Make realistic tradeoffs . Don’t fall in to the trap of thinking every issue is critical. • Ex: Letting low risk issues ship with a reasonable remediation window buys you credibility for when things actually do need to be addressed immediately.

  34. Keys to incentivizing conversation: – Coherently explain impact . “This would allow all our user data to be compromised if the attacker did X & Y” paints a clear picture, where “The input validation in this function is weak” does not.

  35. Keys to incentivizing conversation: – Coherently explain impact . “This would allow all our user data to be compromised if the attacker did X & Y” paints a clear picture, where “The input validation in this function is weak” does not. – Reward communication with security team . T- Shirts, gift cards, and high fives all work (shockingly) well.

  36. Keys to incentivizing conversation: – Take the false positive hit yourself . Don’t send unverified issues to dev and ops teams. When issues come in, have the secteam verify and make first attempt at patch. – Scale via team leads . Build relationships with technical leads from other teams so they make security part of their teams culture.

  37. Keys to incentivizing conversation: – Take the false positive hit yourself . Don’t send unverified issues to dev and ops teams. When issues come in, have the secteam verify and make first attempt at patch. – Scale via team leads . Build relationships with technical leads from other teams so they make security part of their teams culture.

  38. Access restrictions

  39. Startups begin with a simple access control policy: Everyone can access everything

  40. As organization grow there will be more pressure to institute access policies

  41. The key to remember is don’t take away capabilities

  42. Methodology: 1. Figure out what capability is needed 2. Build an alternate way to perform the needed function in a safe way 3. Transition the organization over to the safe way 4. Alert on any usage of the old unsafe way

  43. Methodology: 1. Figure out what capability is needed 2. Build an alternate way to perform the needed function in a safe way 3. Transition the organization over to the safe way 4. Alert on any usage of the old unsafe way

  44. Methodology: 1. Figure out what capability is needed 2. Build an alternate way to perform the needed function in a safe way 3. Transition the organization over to the safe way 4. Alert on any usage of the old unsafe way

  45. Methodology: 1. Figure out what capability is needed 2. Build an alternate way to perform the needed function in a safe way 3. Transition the organization over to the safe way 4. Alert on any usage of the old unsafe way

  46. EX: SSH access to production systems

  47. Security policy goal: Eliminate unneeded access to production systems – Why do developers do it? Ex: To view error logs – Build alternate approach: Send the logs to central logging service (ex: elasticsearch, splunk, etc) – Publicize the new tooling to the organization – After majority of transition, alert on any logins to production systems by non-sysops

  48. Security policy goal: Eliminate unneeded access to production systems – Why do developers do it? Ex: To view error logs – Build alternate approach: Send the logs to central logging service (ex: logstash, splunk, etc) – Publicize the new tooling to the organization – After majority of transition, alert on any logins to production systems by non-sysops

  49. Security policy goal: Eliminate unneeded access to production systems – Why do developers do it? Ex: To view error logs – Build alternate approach: Send the logs to central logging service (ex: logstash, splunk, etc) – Publicize the new tooling to the organization – After majority of transition, alert on any logins to production systems by non-sysops

  50. Security policy goal: Eliminate unneeded access to production systems – Why do developers do it? Ex: To view error logs – Build alternate approach: Send the logs to central logging service (ex: logstash, splunk, etc) – Publicize the new tooling to the organization – After majority of transition, alert on any logins to production systems by non-sysops

  51. Increasing attacker cost

  52. Bug bounties/disclosure programs are tremendously useful. If you’re not working towards launching one, strongly consider it.

  53. Common concerns about launching a bounty: 1. Budgetary concerns . Money is almost never the main motivation for researchers, you can launch a bounty with just a hall of fame and still get great submissions. 1. Risk of inviting attacks . You’re already getting attacked continuously, you’re just not getting the results.

  54. Common concerns about launching a bounty: 1. Budgetary concerns . Money is rarely the main motivation for participants, you can launch a bounty with just a hall of fame and still get great submissions. 1. Risk of inviting attacks . You’re already getting attacked continuously, you’re just not getting the results.

  55. Common concerns about launching a bounty: 1. Budgetary concerns . Money is rarely the main motivation for participants, you can launch a bounty with just a hall of fame and still get great submissions. 1. Risk of inviting attacks . It’s the Internet. You’re already getting pentested continuously, you’re just not receiving the report.

  56. The ultimate goals of a bug bounty are threefold: 1. Incentivize people to report issues to you in the first place 2. Drive up cost of vulnerability discovery and exploitation for attackers 3. Provide an external validation of if your security program is working (or not)

  57. The ultimate goals of a bug bounty are threefold: 1. Incentivize people to report issues to you in the first place 2. Drive up cost of vulnerability discovery and exploitation for attackers 3. Provide an external validation of if your security program is working (or not)

  58. The ultimate goals of a bug bounty are threefold: 1. Incentivize people to report issues to you in the first place 2. Drive up cost of vulnerability discovery and exploitation for attackers 3. Provide an external validation of where your security program is working (and where it’s not)

  59. Before you launch, record what vulnerability classes you expect to see and what you don’t. Compare this against the issues actually reported.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

BUILDING A TEAM Process description TEAM BUILDING TEAM CONSOLIDATION (The process of

BUILDING A TEAM Process description TEAM BUILDING TEAM CONSOLIDATION (The process of

BUILDING A TEAM Process description TEAM BUILDING TEAM CONSOLIDATION (The process of building an efficient team) TEAM A team building exercise can help in creating a unit with a strong cohesion: - it has a purpose - approach.

467 views • 11 slides
Backwaters: Security Streaming Platform Comcast TPX Security Solutions Engineering (SSE) The Team

Backwaters: Security Streaming Platform Comcast TPX Security Solutions Engineering (SSE) The Team

Backwaters: Security Streaming Platform Comcast TPX Security Solutions Engineering (SSE) The Team Chris Maenner Ryan Van Antwerp Will Weber Principal Security Developer Principal Security Developer Senior Security Developer 2 Agenda

179 views • 17 slides
Designing and Building Efficient HPC Cloud with Modern Networking Technologies on Heterogeneous

Designing and Building Efficient HPC Cloud with Modern Networking Technologies on Heterogeneous

Designing and Building Efficient HPC Cloud with Modern Networking Technologies on Heterogeneous HPC Clusters Jie Zhang Dr. Dhabaleswar K. Panda (Advisor) Department of Computer Science & Engineering The Ohio State University Outline

283 views • 25 slides
Cyber Security A Modern Tale of a Dissonant Relationship BTB Security and me BTB Security

Cyber Security A Modern Tale of a Dissonant Relationship BTB Security and me BTB Security

Cyber Security A Modern Tale of a Dissonant Relationship BTB Security and me BTB Security Founded in 2006 Technical security services, MDR Me Ron Schlecht German word for BAD Ron.Schlecht@btbsecurity.com

432 views • 8 slides
Security 1 To read more This days papers: Smith and Weingart, Building a

Security 1 To read more This days papers: Smith and Weingart, Building a

Security 1 To read more This days papers: Smith and Weingart, Building a high-performance, programmable secure coprocessor, 1998, Sections 1-6, 10 Supplementary reading: Anderson, Security Engineering , Chapter 16.

1.08k views • 69 slides
Security Engineering Security Engineering Wallace Hopp Industrial Engineering Department

Security Engineering Security Engineering Wallace Hopp Industrial Engineering Department

Security Engineering Security Engineering Wallace Hopp Industrial Engineering Department McCormick School of Engineering A Flat World is an exciting but dangerous world Technology Opportunity Advances Reduced Risk Political Barriers

449 views • 17 slides
TEAM Engineering & TEAM Group 1. COMPANY PRESENTATION 1.1 Origins TEAM Engineering S.p.A.

TEAM Engineering & TEAM Group 1. COMPANY PRESENTATION 1.1 Origins TEAM Engineering S.p.A.

TEAM Engineering & TEAM Group 1. COMPANY PRESENTATION 1.1 Origins TEAM Engineering S.p.A. is part of the TEAM Group. TEAM Group , through equity participation in local engineering companies, established in different parts of the world,

344 views • 23 slides
CS 315: Computer Security Team/Term Project Fengwei Zhang SUSTech CS 315 Computer Security 1

CS 315: Computer Security Team/Term Project Fengwei Zhang SUSTech CS 315 Computer Security 1

CS 315: Computer Security Team/Term Project Fengwei Zhang SUSTech CS 315 Computer Security 1 General Information A research project with 2-5 individuals Building a new system Improving an existing technique Performing a large

647 views • 9 slides
How to Spot the Blue Team? Red Team Infrastructure Security R.A.H. Lahaye Supervisors: Marc

How to Spot the Blue Team? Red Team Infrastructure Security R.A.H. Lahaye Supervisors: Marc

How to Spot the Blue Team? Red Team Infrastructure Security R.A.H. Lahaye Supervisors: Marc Smeets and Mark Bergman Outflank Research Project 2 System and Network Engineering University of Amsterdam February 5, 2018 R.A.H. Lahaye How to

375 views • 26 slides
MODERN 1 MODERN 2 MODERN 3 MODERN 4 MODERN A peep at some distant orb has power to raise

MODERN 1 MODERN 2 MODERN 3 MODERN 4 MODERN A peep at some distant orb has power to raise

MODERN 1 MODERN 2 MODERN 3 MODERN 4 MODERN A peep at some distant orb has power to raise and purify our thoughts like a strain picture, or a passage from the grander poets. It always does one good. 5 MODERN 6 MODERN 7 MODERN 8

524 views • 24 slides
Sumo Bot Competition 5:30 P.M. , March 7, 2017 , Engineering Building room 224 Team 21 Rene

Sumo Bot Competition 5:30 P.M. , March 7, 2017 , Engineering Building room 224 Team 21 Rene

Sumo Bot Competition 5:30 P.M. , March 7, 2017 , Engineering Building room 224 Team 21 Rene Diyarza - Project Manager David Feetterer - Budget Liaison Jose Villegas - Website Developer Yousef Alghareeb - Client Contact Project

475 views • 10 slides
BUILDING CAPACITY FOR SECURITY RESILIENCE Building CapaCity FOR SeCuRity ReSilienCe INTRODUCTION

BUILDING CAPACITY FOR SECURITY RESILIENCE Building CapaCity FOR SeCuRity ReSilienCe INTRODUCTION

BUILDING CAPACITY FOR SECURITY RESILIENCE Building CapaCity FOR SeCuRity ReSilienCe INTRODUCTION Mr. S pea k e r , wish to dedicate this sectoral presentation to the hardworking, devoted and uncompromising I members of Jamaicas security

478 views • 21 slides
Building the Perfect Team Definition of a Team A team is a relatively sm all number of people

Building the Perfect Team Definition of a Team A team is a relatively sm all number of people

Building the Perfect Team Definition of a Team A team is a relatively sm all number of people (from three to tw elve) w ho m eet on a regular basis and are collectively responsible for results. The team members share common goals as well as the

678 views • 8 slides
Security in modern CPU Guillaume Bouffard ( guillaume.bouffard@ssi.gouv.fr ) Hardware Security

Security in modern CPU Guillaume Bouffard ( guillaume.bouffard@ssi.gouv.fr ) Hardware Security

Security in modern CPU Guillaume Bouffard ( guillaume.bouffard@ssi.gouv.fr ) Hardware Security Labs National Cybersecurity Agency of France (ANSSI) DIENS, ENS, CNRS, PSL University Workshop SILM 21 November 2019 Who am I? Me Expert in

1.18k views • 80 slides
Objectives Goals of Cryptography Security Services Security Mechanisms Relationship

Objectives Goals of Cryptography Security Services Security Mechanisms Relationship

Overview on Modern Cryptography Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Goals of Cryptography Security Services

658 views • 16 slides
BUILDING A CAREGIVING TEAM Lessons Learned Team Structure Team Member Team Coordinator Team

BUILDING A CAREGIVING TEAM Lessons Learned Team Structure Team Member Team Coordinator Team

BUILDING A CAREGIVING TEAM Lessons Learned Team Structure Team Member Team Coordinator Team Member Care Recipient Primary Team Member Caregiver(s) Team Coordinator Qualities Well-organized Proficient with tech/tools Genuine

559 views • 12 slides
Will the Semantic Web scale? New York Sheraton May 19th, 2004 Proposers: Panelists:

Will the Semantic Web scale? New York Sheraton May 19th, 2004 Proposers: Panelists:

Panel Discussion P3: Will the Semantic Web scale? New York Sheraton May 19th, 2004 Proposers: Panelists: Organizers: - Raphael Volz - Dr. Cathy Marshall - Raphael Volz - Carole Goble - Prof. Dr. Alon Y. Halevy - Daniel Oberle - Rudi

393 views • 23 slides
Visual Design Visual Design Objectives Gestalt Principles Creating Organization and Structure

Visual Design Visual Design Objectives Gestalt Principles Creating Organization and Structure

Visual Design Visual Design Objectives Gestalt Principles Creating Organization and Structure Typography UI Visual Design Objectives What are the goals of an effective interface? Information communication 1. - enforce desired relationships

1.16k views • 36 slides
Introduction to Human Computer Interaction Course on NPTEL, Spring 2018 Week 8 & 9 Visual

Introduction to Human Computer Interaction Course on NPTEL, Spring 2018 Week 8 & 9 Visual

Introduction to Human Computer Interaction Course on NPTEL, Spring 2018 Week 8 & 9 Visual Design, Colors, Fitts Law, Gulfs Ponnurangam Kumaraguru (PK) Associate Professor ACM Distinguished & TEDx Speaker Linkedin/in/ponguru/ 1

1.11k views • 59 slides
Feasibility of polyculture of blue shrimp Litopenaeus stylirostris with fish - goldline

Feasibility of polyculture of blue shrimp Litopenaeus stylirostris with fish - goldline

Feasibility of polyculture of blue shrimp Litopenaeus stylirostris with fish - goldline rabbitfish Siganus lineatus or mullet Mugil sp. - in a closed culture system: a mesocosm study 1 / 23 00001 - 00:00:01 Feasibility of polyculture of blue

551 views • 23 slides
Style in design Or how to create aesthetically pleasant graphic design for user Stig Kjr

Style in design Or how to create aesthetically pleasant graphic design for user Stig Kjr

HCI MMI 8 Style in design Or how to create aesthetically pleasant graphic design for user Stig Kjr Andersen (HST) interfaces Spring 2006 Stig Kjr Andesen/Spring 2006 ska@miba.auc.dk What is style.. telephone Enhanced

479 views • 11 slides
What is it, and how can we make it work for both teachers and students? Nikki Booth Institute

What is it, and how can we make it work for both teachers and students? Nikki Booth Institute

Formative assessment in MFL: What is it, and how can we make it work for both teachers and students? Nikki Booth Institute of Modern Languages Research, London, June 2018. Email: nikki-booth@hotmail.com Twitter: @nbooth2506 Nikki Booth 2

1.07k views • 47 slides
J. Vega Asociacin EURATOM/CIEMAT para Fusin jesus.vega@ciemat.es Concepts

J. Vega Asociacin EURATOM/CIEMAT para Fusin jesus.vega@ciemat.es Concepts

J. Vega Asociacin EURATOM/CIEMAT para Fusin jesus.vega@ciemat.es Concepts Classification Regression Advanced methods 7th FDPVA. Frascati (March 26-28, 2012) 2 Technology: it gives stereotyped solutions to stereotyped

740 views • 36 slides
CHAPTER 5: Direct Manipulation and Virtual Environments Examples of Direct-Manipulation Systems:

CHAPTER 5: Direct Manipulation and Virtual Environments Examples of Direct-Manipulation Systems:

CHAPTER 5: Direct Manipulation and Virtual Environments Examples of Direct-Manipulation Systems: Command line vs. display editors and word processors WYSIWYG: what you see is what you get. The advances of WYSIWYG word processors: Display a

120 views • 9 slides

More recommend