cloud, devops and the new security practitioner

Cloud, DevOps and the New Security Practitioner

15 June 2016, 1:30PM

Adrian Sanabria, Senior Security Analyst, 451 Research

To get a copy of these slides, send an email to [email protected] with CSW2016 in the subject line or scan this QR code


TRANSCRIPT

Page 1: Cloud, DevOps and the New Security Practitioner

Slide 1

Cloud, DevOps and the New Security Practitioner

15 June 2016, 1:30PM

Adrian Sanabria, Senior Security Analyst, 451 Research

To get a copy of these slides, send an email to [email protected] with CSW2016 in the subject line or scan this QR code


Slide 2

Why are we here?

IT changes fast. Attackers change fast. Defenders don’t.

- IT is changing
- Attackers are adapting
- The security discipline is diverging


Slide 3

Understanding security’s role by understanding IT

Traditional approach to security:

- Security is always a secondary or enabling layer
- Security must have direct knowledge and experience with the underlying layer in order to be effective at protecting it or recommending feasible solutions
- Direct experience in core technical disciplines goes a long way in earning respect and cooperation

[Diagram: IT layers (Physical, OS Layer, Network Layer, Service Desk, Dev/QA/Test, Web/App Layer, Ops) with Security as a separate layer]


Slide 4

Understanding security’s role by understanding IT

Issues with the traditional approach:

- Few security teams can ever be ‘well-rounded’ enough
- Security team isn’t qualified to advise much of IT
- Adversarial/dysfunctional relationships common
- IT changes often; attackers adapt quickly
- Defenders and security tools adapt slowly

[Diagram: IT layers (Physical, OS Layer, Network Layer, Service Desk, Dev/QA/Test, Web/App Layer, Ops) with Security as a separate layer]


Slide 5

Security’s changing role

An example: going ‘cloud-first’

- Lower-level IT layers are outsourced
- Most security practitioner knowledge lies in these layers
- Infrastructure-heavy security skillsets lose value
- Concept of bi-modal IT further confuses things
- As IT changes, so must security

[Diagram: IT layers (Physical, OS Layer, Network Layer, Service Desk, Dev/QA/Test, Web/App Layer, Ops) with Security as a separate layer]


Slide 6

Security’s changing role

Cloud and DevOps – an opportunity to redesign security:

- Smaller ‘well-rounded’ groups
- Dev, ops, infrastructure and security roles are shared
- Everyone working towards a clear, common goal
- Relationship between security and developers is crucial
- Security can’t impact delivery schedule

[Diagram: IT layers (Physical, OS Layer, Network Layer, Service Desk, Dev/QA/Test, Web/App Layer, Ops) and Security]


Slide 7

Questions

What should security’s future role be?

- Security is redistributed into IT for all operational tasks
- Dedicated security staff performs:
  - high-level design, design/architectural input
  - monitor changes in risk/attackers/landscape
  - instruct/consult individual SMEs as needed

[Diagram: IT layers (Physical, OS Layer, Network Layer, Service Desk, Dev/QA/Test, Web/App Layer, Ops) with Security SMEs embedded in the IT groups, alongside an Internal Security Team]


Slide 8

Increasingly, software resembles these principles

Yesterday, Chef announced Habitat https://www.chef.io/blog/2016/06/14/introducing-habitat/

So… what’s up with the yin/yang visual metaphor?

…and where’s security?

Sec analysts are

too


Slide 9

Chef Habitat, your latest shadow IT problem


Slide 10

New rule: if you own it, own it

“Whomever is responsible for an asset – be it data, infrastructure, code, or people, must secure it”


Slide 11

Why make asset owners responsible?

- No one knows and understands the opportunities, constraints and dependencies of the asset better
- Security becomes a bottleneck for performance, progress and often, even security
- Little to no time wasted on remediation conflict: what to fix, how to fix it, when and at what priority level
- Likely that fewer security issues will occur*
- Drives the cost of securing systems down, in terms of labor, efficiency and efficacy**

* I’ll explain later

** I’ll explain after that


Slide 12

Better Testing, Worse Quality? Study done in 2000 by Elizabeth Hendrickson

Reads like a short version of The Phoenix Project


Slide 13

Better Testing, Worse Quality? Study done in 2000 by Elizabeth Hendrickson

Creating an independent testing group can encourage counterproductive culture

“Don’t do today what you can push off onto someone else’s plate”

- Document and address low hanging fruit
- Schedule time for developers to test and fix bugs
- To improve code quality, stop the problem at the source
- Everyone should understand what they’re building and why
- Get testers involved earlier in the process
- Bottleneck testing resources and developers are forced to ship higher quality code

http://testobsessed.com/wp-content/uploads/2011/04/btwq.pdf


Slide 14

Better Testing, Worse Quality? Study done in 2000 by Elizabeth Hendrickson

Could this apply to InfoSec? Surely not. In fact, it might be quite worse. We’ve convinced everyone not just that security is our job, but that we’re the only ones that can do it properly.

What if they believed us?


Slide 15

Jobs!


Slide 16

The Enterprise Looked Like This


Slide 17

Then, the Enterprise Looked Like This


Slide 18

Today, the Enterprise Looks Like This


Slide 19

[Diagram: Enterprise as a service, surrounded by Storage, Database, Networking, App Services, Mobile and Dev Tools]


Slide 20

This is not now.

Your career

Don’t panic!


Slide 21

So… you want to give away our jobs?

- Traditional InfoSec doesn’t have to worry for a while
- Be aware of the change
- Learn new things now – don’t wait for later

Currently, new security jobs are often NOT going to security practitioners, and we’ll discuss why…


Slide 22

The Security Practitioner: old versus new

Old:

- Monitoring security alerts
- Manage network security
- Manage endpoint security
- IR/Forensics
- Pentesting
- Vulnerability Scanning
- Policies/Standards
- Compliance/Regs
- Log management
- DR/BCP and SecAware

New:

- Influence design, architecture standards, processes
- Automate tasks
- Forensics
- Security assessments
- Identify gaps and recommend fixes
- JSON, REST, XML, SQL
- Routing, load balancing, nw protocols


Slide 23

How common?

6 out of the first 10 jobs I looked at required:

- coding skills
- new tech generation experience and/or skills


Slide 24

Like what experience or skills?

- “Ability to automate tasks using scripting or other programming language”
- “Scripting or general purpose programming languages”
- REST, JSON, XML (API scripting)
- “Experience with DevOps, CI/CD, Chef, Puppet”
- “Experience testing for vulnerabilities in Ruby on Rails applications”
- “Experience with various scripting and programming languages”
- “Teach secure coding practices to software engineers”


Slide 25

What should I learn?

- Scripting (automation)
- Get familiar with cloud, agile, devops, containers, microservices, etc.
- AppSec
- Data protection
- Learn to write code


Slide 26

What should I learn?

- Cloud – focus on AWS, Azure, Digital Ocean (cheap)
- Containers – focus on Docker
- Pick a language – ruby and python are most common
- Jenkins
- Ansible, Chef, Puppet, Salt
- New attack surface – don’t make security worse!
- Automation – make security better!


Slide 27

How should I learn it?

Good starting point: find a security guy that loves to automate security and plunder his GitHub: https://github.com/averagesecurityguy

And more:

- https://github.com/krmaxwell
- https://github.com/nbrownus
- Slack makes cool stuff
- Go after AWS Certs just to learn AWS
- Digital Ocean Tutorials


Slide 28

Resources – efficiency and workflow

Learning to recognize efficiency and workflow issues; challenging “because we’ve always done it that way”

- Better Testing, Worse Quality, Elizabeth Hendrickson
- Four Hour Work Week, Tim Ferriss
- The Phoenix Project, Kevin Behr, George Spafford, Gene Kim
- Signal v. Noise, 37Signals blogs (on Medium) and books
- ReWork by the Basecamp guys


Slide 29

Resources – new ideas

New ideas – challenge assumptions, push thinking …also, VIDEOS!

- Distributed Security Alerting by Ryan Huber (blog)
- Security Automation by Ryan Huber (video)
- What Got Us Here Won’t Get Us There, Black Hat keynote by Haroon Meer
- Cloud Computing – Why IT Matters by Simon Wardley at OSCON 09


Slide 30

Conclusion

If you want to understand where security is going, stop looking at security, and start following IT innovation, trends and changes

Slide 31

THANK YOU!

Adrian Sanabria

@[email protected]

To get a copy of these slides, send an email to [email protected] with CSW2016 in the subject line or scan this QR code