SLIDE 1
Michael Brunton-Spall Bruntonspall Ltd
Does agile make us less secure?
Security in a post devops world
YOW! Sydney 2019
Michael Brunton-Spall Bruntonspall Ltd
Does agile make us less secure? Security in a post devops world - - PowerPoint PPT Presentation
Does agile make us less secure? Security in a post devops world - - PowerPoint PPT Presentation
Does agile make us less secure? Security in a post devops world YOW! Sydney 2019 Michael Brunton-Spall Bruntonspall Ltd Michael Brunton-Spall He/His/Him michael@bruntonspall.com Michael Brunton-Spall Bruntonspall Ltd The second most
SLIDE 2
SLIDE 3
Michael Brunton-Spall Bruntonspall Ltd
The second most scariest words in the English language
SLIDE 4
Michael Brunton-Spall Bruntonspall Ltd
The second most scariest words in the English language “Hi, I’m from the Government and I’m here to help”
SLIDE 5
Michael Brunton-Spall Bruntonspall Ltd
The scariest words in the English language?
SLIDE 6
Michael Brunton-Spall Bruntonspall Ltd
The scariest words in the English language? “Hi, I’m from security and I’m here to help”
SLIDE 7
Michael Brunton-Spall Bruntonspall Ltd
SLIDE 8
Michael Brunton-Spall Bruntonspall Ltd
https://cyberweekly.net
SLIDE 9
Michael Brunton-Spall Bruntonspall Ltd
Why is security evolving Where we’ve come from Where we are going
SLIDE 10
Michael Brunton-Spall Bruntonspall Ltd
How to rethink security practices in organisations
SLIDE 11
Michael Brunton-Spall Bruntonspall Ltd
Some Context
SLIDE 12
06/12/2019 12
Michael Brunton-Spall Bruntonspall Ltd
2006
SLIDE 13
06/12/2019 13
Michael Brunton-Spall Bruntonspall Ltd
2010
SLIDE 14
06/12/2019 14
Michael Brunton-Spall Bruntonspall Ltd
2013
SLIDE 15
06/12/2019 15
Michael Brunton-Spall Bruntonspall Ltd
2015
SLIDE 16
06/12/2019 16
Michael Brunton-Spall Bruntonspall Ltd
2019
SLIDE 17
Michael Brunton-Spall Bruntonspall Ltd
SLIDE 18
Michael Brunton-Spall Bruntonspall Ltd
SLIDE 19
Michael Brunton-Spall Bruntonspall Ltd
SLIDE 20
Michael Brunton-Spall Bruntonspall Ltd
SLIDE 21
06/12/2019 21
Michael Brunton-Spall Bruntonspall Ltd
SLIDE 22
06/12/2019 22
Michael Brunton-Spall Bruntonspall Ltd
SLIDE 23
06/12/2019 23
Michael Brunton-Spall Bruntonspall Ltd
SLIDE 24
06/12/2019 24
Michael Brunton-Spall Bruntonspall Ltd
SLIDE 25
Michael Brunton-Spall Bruntonspall Ltd
SLIDE 26
Maginot Line
SLIDE 27
Michael Brunton-Spall Bruntonspall Ltd
1930 France
SLIDE 28
Michael Brunton-Spall Bruntonspall Ltd
“We’d really like Germany not to invade us”
SLIDE 29
Michael Brunton-Spall Bruntonspall Ltd
In WW1, they came slowly
- verland and built trenches
SLIDE 30
Michael Brunton-Spall Bruntonspall Ltd
SLIDE 31
Michael Brunton-Spall Bruntonspall Ltd
SLIDE 32
Michael Brunton-Spall Bruntonspall Ltd
SLIDE 33
Michael Brunton-Spall Bruntonspall Ltd
The Germans had invented Blitzkrieg “Lightning Strike” which simply went around
SLIDE 34
Michael Brunton-Spall Bruntonspall Ltd
SLIDE 35
Michael Brunton-Spall Bruntonspall Ltd
The French were fighting a war from 1920 against an adversary using 1939 techniques
SLIDE 36
Evolution
SLIDE 37
Michael Brunton-Spall Bruntonspall Ltd
SLIDE 38
Michael Brunton-Spall Bruntonspall Ltd
Custom built minicomputer
SLIDE 39
Michael Brunton-Spall Bruntonspall Ltd
Servers in data center
SLIDE 40
Michael Brunton-Spall Bruntonspall Ltd
Colocated servers
SLIDE 41
Michael Brunton-Spall Bruntonspall Ltd
Virtual private servers
SLIDE 42
Michael Brunton-Spall Bruntonspall Ltd
Virtual machines at scale
SLIDE 43
Michael Brunton-Spall Bruntonspall Ltd
SLIDE 44
Michael Brunton-Spall Bruntonspall Ltd
SLIDE 45
Michael Brunton-Spall Bruntonspall Ltd
Why Wardley Maps?
SLIDE 46
Michael Brunton-Spall Bruntonspall Ltd
We can see changing landscapes
SLIDE 47
Michael Brunton-Spall Bruntonspall Ltd
We can discuss strategies
SLIDE 48
Michael Brunton-Spall Bruntonspall Ltd
A map isn’t reality, it’s just an abstraction
SLIDE 49
Michael Brunton-Spall Bruntonspall Ltd
Things evolve
SLIDE 50
Michael Brunton-Spall Bruntonspall Ltd
As servers move from physical to virtual, single to multiple, practice evolves
SLIDE 51
Coevolution of product and practice
SLIDE 52
Michael Brunton-Spall Bruntonspall Ltd
SLIDE 53
Michael Brunton-Spall Bruntonspall Ltd
SLIDE 54
Michael Brunton-Spall Bruntonspall Ltd
SLIDE 55
Michael Brunton-Spall Bruntonspall Ltd
How do we administer servers?
SLIDE 56
Michael Brunton-Spall Bruntonspall Ltd
Worries about hard drives, CPU’s, power etc
SLIDE 57
Michael Brunton-Spall Bruntonspall Ltd
Cloud providers give us abstractions
SLIDE 58
Michael Brunton-Spall Bruntonspall Ltd
SLIDE 59
Michael Brunton-Spall Bruntonspall Ltd
We stop worrying about whether a hard drive fails in a server
SLIDE 60
Michael Brunton-Spall Bruntonspall Ltd
This results in changing
- perations practice
SLIDE 61
Michael Brunton-Spall Bruntonspall Ltd
DevOps, SRE
SLIDE 62
Michael Brunton-Spall Bruntonspall Ltd
This results in different developer consumption of
- perations
SLIDE 63
Michael Brunton-Spall Bruntonspall Ltd
Kubernetes, Serverless
SLIDE 64
Michael Brunton-Spall Bruntonspall Ltd
SLIDE 65
Michael Brunton-Spall Bruntonspall Ltd
What does this mean for security?
SLIDE 66
Michael Brunton-Spall Bruntonspall Ltd
How we think about security has to change
SLIDE 67
Michael Brunton-Spall Bruntonspall Ltd
Security practices have to evolve
SLIDE 68
Michael Brunton-Spall Bruntonspall Ltd
SLIDE 69
Michael Brunton-Spall Bruntonspall Ltd
Traditional security is about assurance
SLIDE 70
Michael Brunton-Spall Bruntonspall Ltd
Where will my data sit
SLIDE 71
Michael Brunton-Spall Bruntonspall Ltd
Where does the data go
SLIDE 72
Michael Brunton-Spall Bruntonspall Ltd
SLIDE 73
Michael Brunton-Spall Bruntonspall Ltd
This works when you have individual servers
SLIDE 74
Michael Brunton-Spall Bruntonspall Ltd
This doesn’t work with modern cloud
SLIDE 75
Michael Brunton-Spall Bruntonspall Ltd
This doesn’t work th
the e same same
with modern cloud
SLIDE 76
Michael Brunton-Spall Bruntonspall Ltd
Security is currently fighting a war from a decade ago
SLIDE 77
Mapping Security
SLIDE 78
Michael Brunton-Spall Bruntonspall Ltd
SLIDE 79
Michael Brunton-Spall Bruntonspall Ltd
“Skate to where the puck is going, not where it has been” Wayne Gretsky
SLIDE 80
Michael Brunton-Spall Bruntonspall Ltd
Where the puck was yesterday
SLIDE 81
Michael Brunton-Spall Bruntonspall Ltd
What are solved problems?
SLIDE 82
Michael Brunton-Spall Bruntonspall Ltd
Commonly solved the same way
SLIDE 83
Michael Brunton-Spall Bruntonspall Ltd
Productionised processes
SLIDE 84
Michael Brunton-Spall Bruntonspall Ltd
SLIDE 85
Michael Brunton-Spall Bruntonspall Ltd
SDLC, Assurance of suppliers, network assurance, hardware assurance
SLIDE 86
Michael Brunton-Spall Bruntonspall Ltd
All cloud customers have similar concerns in this area
SLIDE 87
Michael Brunton-Spall Bruntonspall Ltd
Buy don’t Build
SLIDE 88
Michael Brunton-Spall Bruntonspall Ltd
Compliance via certificates ISO27001, CSA, ISO27017, SOC, FISMA, HIPAA …
SLIDE 89
Michael Brunton-Spall Bruntonspall Ltd
Where the puck is today
SLIDE 90
Michael Brunton-Spall Bruntonspall Ltd
SLIDE 91
Michael Brunton-Spall Bruntonspall Ltd
Continuous Integration, Continuous Deployment, DevOps
SLIDE 92
Michael Brunton-Spall Bruntonspall Ltd
Patching
SLIDE 93
Michael Brunton-Spall Bruntonspall Ltd
How quickly can you patch?
SLIDE 94
Michael Brunton-Spall Bruntonspall Ltd
DevOps
SLIDE 95
Michael Brunton-Spall Bruntonspall Ltd
How secure is your code?
SLIDE 96
Michael Brunton-Spall Bruntonspall Ltd
Code review and Pull requests
SLIDE 97
Michael Brunton-Spall Bruntonspall Ltd
Staff identity and single sign
- n
SLIDE 98
Michael Brunton-Spall Bruntonspall Ltd
Zero Trust Networking
SLIDE 99
Michael Brunton-Spall Bruntonspall Ltd
SLIDE 100
Michael Brunton-Spall Bruntonspall Ltd
But where is the puck going?
SLIDE 101
Michael Brunton-Spall Bruntonspall Ltd
SLIDE 102
Michael Brunton-Spall Bruntonspall Ltd
The unit of delivery is the team
SLIDE 103
Michael Brunton-Spall Bruntonspall Ltd
The unit of decision making is the team
SLIDE 104
Michael Brunton-Spall Bruntonspall Ltd
“Appoint a suitably senior and empowered decision maker”
SLIDE 105
Michael Brunton-Spall Bruntonspall Ltd
Attack Trees
SLIDE 106
Michael Brunton-Spall Bruntonspall Ltd
Workshop with whole team
SLIDE 107
Michael Brunton-Spall Bruntonspall Ltd
Workshop with whole team*
SLIDE 108
06/12/2019 108
Michael Brunton-Spall Bruntonspall Ltd
SLIDE 109
Michael Brunton-Spall Bruntonspall Ltd
SLIDE 110
Michael Brunton-Spall Bruntonspall Ltd
SLIDE 111
Michael Brunton-Spall Bruntonspall Ltd
SLIDE 112
Michael Brunton-Spall Bruntonspall Ltd
Adversary thinking
SLIDE 113
Michael Brunton-Spall Bruntonspall Ltd
ATT&CK Framework
SLIDE 114
Michael Brunton-Spall Bruntonspall Ltd
Goals, Restrictions
SLIDE 115
Michael Brunton-Spall Bruntonspall Ltd
No adversary has unlimited funds, time and energy
SLIDE 116
06/12/2019 116
Michael Brunton-Spall Bruntonspall Ltd
SLIDE 117
Michael Brunton-Spall Bruntonspall Ltd
Anti Personas
SLIDE 118
Michael Brunton-Spall Bruntonspall Ltd
Han Solo
Motivation
Han Solo is motivated primarily by money, but also works with the rebel alliance. Han is capable of using common tools as well as modifying existing tools on the fly Han doesn’t want to be caught and so takes an effort to avoid head on confrontations
Capabilities
Resources: 2/5 Capability: 4/5 Bravery: 2/5 Criminal connections: 3/5
Connections
Rebel Alliance, Hutts
SLIDE 119
Michael Brunton-Spall Bruntonspall Ltd
Red Teams
SLIDE 120
Michael Brunton-Spall Bruntonspall Ltd
Internal pentesting
SLIDE 121
Michael Brunton-Spall Bruntonspall Ltd
Threat Hunting
SLIDE 122
Michael Brunton-Spall Bruntonspall Ltd
DevSecOps
SLIDE 123
Michael Brunton-Spall Bruntonspall Ltd
Security as code
SLIDE 124
Michael Brunton-Spall Bruntonspall Ltd
Misuse cases
SLIDE 125
Michael Brunton-Spall Bruntonspall Ltd
SLIDE 126
06/12/2019 126
Michael Brunton-Spall Bruntonspall Ltd
http://davidecioccia.com/?p=367
SLIDE 127
Michael Brunton-Spall Bruntonspall Ltd
Compliance as Code
SLIDE 128
Michael Brunton-Spall Bruntonspall Ltd
SLIDE 129
Michael Brunton-Spall Bruntonspall Ltd
Cloud configuration as code
SLIDE 130
Michael Brunton-Spall Bruntonspall Ltd
Pull requests = audit trail
SLIDE 131
Michael Brunton-Spall Bruntonspall Ltd
SLIDE 132
Michael Brunton-Spall Bruntonspall Ltd
SLIDE 133
Michael Brunton-Spall Bruntonspall Ltd
AWS System Manager
SLIDE 134
Michael Brunton-Spall Bruntonspall Ltd
Azure Policy
SLIDE 135
Michael Brunton-Spall Bruntonspall Ltd
Final thoughts?
SLIDE 136
Michael Brunton-Spall Bruntonspall Ltd
How to get value from your existing security teams?
SLIDE 137
Michael Brunton-Spall Bruntonspall Ltd
Empathy first
SLIDE 138
Michael Brunton-Spall Bruntonspall Ltd
“Re
Regardless of what we discover, we unde understand and t and and truly be uly belie lieve t tha hat ev everyone did the best job they ey could, giv given w en wha hat t the hey kne y knew a at t the t he time, ime, t their heir sk skills s and abiliti ties, s, th the resou sources s av available, and the situation at hand.”
SLIDE 139
Michael Brunton-Spall Bruntonspall Ltd