1. Intuit uses security science and big data analytics to improve their cloud security operations. They aggregate logs from AWS accounts and services into a single platform for detection and investigation.
2. Intuit profiles account usage and detects drift from standards to identify misuse early. They use threat intelligence and egress monitoring to detect external attacks and unauthorized access.
3. Intuit is developing tools and scoring to help product development teams understand how their decisions impact security and compliance. This aims to reduce security friction and guide more secure choices.
2. What to Expect from the Session
• Get introduced to DevSecOps
• Learn about security science
• See how Intuit is using security science & big data
3. Our Mission at Work…
The Cloud Security Team (CST) will deliver transparent security oversight and monitoring that enables safe use of cloud resources without friction for our online business, by:
• Becoming the team to follow by establishing a DevSecOps function that solves for secure use of cloud services.
• Automating our processes and solutions to ensure scaled global delivery.
• Partnering across Intuit to ensure speed & ease for our innovation.
5. What is DevSecOps
• Agile discipline
• Best of each security specialty in one framework
• Value provided as security services
• Make it easy for business to take the right risks
• Reduce friction and disruptions
• Continuous improvement mindset
… Requires profiling, testing, and an ability to put security in perspective
6. Drivers for DevSecOps
Embedding into DevOps was a disaster…
• Compliance checklists didn’t take us far before we stopped scaling…
• We couldn’t keep up with deployments without automation…
• Traditional security operations did not work…
• And we needed far more data than we expected to help the business make decisions…
8. The Art of DevSecOps
Diagram: the four practices under the DevSecOps umbrella
• Security Engineering: Experiment, Automate, Test
• Security Operations: Hunt, Detect, Contain
• Compliance Operations: Respond, Manage, Train
• Security Science: Learn, Measure, Forecast
9. Security Science?
• Need to change the conversation from F.U.D. to facts
• Science is a fact-based examination
• Theories established
• Testable against real data
• Revised and retested as the landscape changes…
• Question -> Hypotheses -> Experiment -> Analyze -> Repeat
• Answers simple questions
10. Examples of Security Science
• What is your password policy?
• Why?
• How frequently should you restack your hosts?
• Can you make choices beforehand to improve this?
11. Ways Intuit is using Security Science
• Advocacy
• Education
• Threat reduction
12. Enhance Ability to “Detect & Contain”
Use big data analytics to improve detection methods
• Looking for the slow & steady attacker
• Find the one-packet-only attacks
• Find coordinated spread spectrum scans
• Detect AWS misuse cases before incidents occur
Use data visualization to uncover unseen existing issues
• Hunt the wumpus
13. It’s Log! It’s Big! It’s Heavy! It’s Wood!
• As of 9/2015, we have 990+ separate AWS accounts
• We use Splunk™ as our logging platform
• Partner with 3rd party to add value
• Operate a 24/7 SOC to trigger on AWS incidents
• Compliance
• Security
• Ingest CloudTrail/S3/ELB/etc. into unified logs
• Send all logs into TAP for further aggregation and alerts
• Looking to migrate to Hunk/EMR as future directions?
14. Using Logs to Profile Drift from Standards
Diagram (log pipeline): AWS accounts (Amazon S3, Amazon Glacier, Amazon EC2, AWS CloudTrail) → Ingestion → Security tools & data, with Threat intel → Security science → Insights
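An added worked example (not Intuit's tooling or code from the deck) of two of the checks the slides describe, run over unified CloudTrail-style records: drift from a per-account region standard (slide 14) and the "slow & steady" failed-call pattern that a per-hour threshold never trips (slide 12). The sample events, the approved-region table and the thresholds are constructed assumptions; the record field names are the ones CloudTrail itself uses.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ct(time, account, region, name, ip, error=None):
    """Build a minimal CloudTrail-style record (field names as CloudTrail uses them)."""
    rec = {"eventTime": time, "recipientAccountId": account, "awsRegion": region,
           "eventName": name, "sourceIPAddress": ip}
    if error:
        rec["errorCode"] = error
    return rec

# Constructed sample events (illustrative, not real Intuit data); times are UTC.
SAMPLE_CLOUDTRAIL = [
    ct("2015-09-01T10:00:00Z", "111111111111", "us-west-2", "RunInstances", "203.0.113.10"),
    ct("2015-09-01T11:30:00Z", "111111111111", "ap-northeast-1", "RunInstances", "203.0.113.10"),
    ct("2015-09-01T02:00:00Z", "111111111111", "us-east-1", "DescribeInstances", "198.51.100.7", "AccessDenied"),
    ct("2015-09-01T08:00:00Z", "111111111111", "us-east-1", "ListBuckets", "198.51.100.7", "AccessDenied"),
    ct("2015-09-01T14:00:00Z", "111111111111", "us-east-1", "DescribeInstances", "198.51.100.7", "AccessDenied"),
    ct("2015-09-01T20:00:00Z", "111111111111", "us-east-1", "GetUser", "198.51.100.7", "AccessDenied"),
    ct("2015-09-01T12:00:00Z", "111111111111", "us-west-2", "ListBuckets", "192.0.2.5", "AccessDenied"),
]

# Hypothetical per-account standard: the regions each account is approved to operate in.
APPROVED_REGIONS = {"111111111111": {"us-west-2", "us-east-1"}}

def region_drift(events, approved=APPROVED_REGIONS):
    """Calls made in a region outside the account's approved set (drift from standard)."""
    return [e for e in events
            if e["awsRegion"] not in approved.get(e["recipientAccountId"], set())]

def slow_steady_sources(events, min_failures=4, min_span=timedelta(hours=12)):
    """Source IPs whose failed calls stay under any per-hour threshold yet recur
    across a long window. Returns {source_ip: failure_count} for those sources."""
    failures = defaultdict(list)
    for e in events:
        if "errorCode" in e:
            failures[e["sourceIPAddress"]].append(
                datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ"))
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        if len(times) >= min_failures and times[-1] - times[0] >= min_span:
            flagged[ip] = len(times)
    return flagged

if __name__ == "__main__":
    for e in region_drift(SAMPLE_CLOUDTRAIL):
        print("region drift:", e["recipientAccountId"], e["awsRegion"], e["eventName"])
    for ip, n in slow_steady_sources(SAMPLE_CLOUDTRAIL).items():
        print("slow & steady source:", ip, n, "failures")
```

In a real pipeline the same two functions would run over the unified log stream rather than the inline list; the single failure from 192.0.2.5 is deliberately left unflagged to show the span requirement doing its job.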
15. Benefits of Unified Logs
• Single pane of glass to see everything
• Allows complex queries and lookups
18. Diving Through the Unified Views
Using combined views of data to find underlying patterns
19. Steer PD to “Ensure Apps are Secure”
• Develop insights to illustrate the rationale behind CST
• Win over the PD teams to use the CST model
• Increase overall security posture by illuminating security gaps
• Help PD teams overcome friction on security issues
• Create tooling to allow PD teams to self educate
• Guide them to right decisions via scoring
• Allow them to model scoring impacts before implementation
20. Portal – Gateway to Success in Cloud Adoption
• Displays account details
• Education access
• Tools to help scale
22. Why is Scoring Important?
• Grades are powerful motivators
• Allows the PD leader to drill down
• Why am I failing?
• Where am I using that?
• But, then what?
23. CVSS modeling
• How do the decisions I make affect my grading scores?
• How frequently do I have to restack?
• What is the impact of package choices?
• Ruby or Python?
• MySQL or Postgres?
• Apache or Nginx?
24. Future directions
• Continue to create tooling for PD teams
• Encryption methods vs. cracking costs
• Key rotation tempo vs. re-encryption speed/costs
• Deep dive on DNS queries
• Find misuse without blocking
• Redirection for laptops, cloud, & Datacenter for intel gathering
25. Wrap up
• Join DevSecOps Community via LinkedIn, GitHub, and Twitter
• DevSecOps.org
• linkedin.com/grp/home?gid=6817408
• github.com/devsecops
• twitter.com/devsecops
• Assess your org's cloud adoption strategy, security requirements and work backwards
• Bring science into your security decisions.
26. Related Sessions
• BDT205 - Your First Big Data Application on AWS
• SEC308 - Wrangling Security Events in the Cloud
• SEC320 - AWS Security Beyond the Host: Leveraging the Power of AWS to Automate Security and Compliance
• SEC402 - Enterprise Cloud Security via DevSecOps 2.0