Security for AWS: Journey to Least Privilege
Lacework
A baker's dozen of top items to consider when migrating or deploying in AWS.
1. .start
2. Baker's Dozen to Securing AWS
3. Dan Hubbard, Lacework
4. @dhubbard858
5. So, you are running in AWS?
6. AWS has amazing advantages...
7. Speed
8. Velocity
9. Auto-scale
10. They run the infrastructure.
11. And let you focus on your apps.
12. That is what matters.
13. But how do you secure all of this?
14. Think different.
15. It's less about the castle and moat.
16. And more about automation.
17. scale.
18. visibility.
19. context.
20. And most importantly...
21. Shrinking your attack surface.
22. Minimizing mistakes.
23. And fitting security INTO your architecture.
24. NOT in FRONT of it.
25. Where do we start?
26. Drive towards least-privilege systems.
27. I know, you may not be there TODAY.
28. You may be migrating.
29. Least privilege is easier said than done.
30. But it's a destination you want to drive to.
31. And if you have the luxury of starting over,
32. then start with least privilege.
33. Start with templatized workload configuration.
34. Terraform (multi-platform)
35. CloudFormation (AWS-specific)
36. Next select your orchestration system.
37. Kubernetes
38. Docker Swarm
39. Mesos
40. Choose your favorite container tech.
41. Likely Docker or equivalent.
42. And finally your favorite OS.
43. CoreOS
44. Red Hat
45. Ubuntu
46. OK, now let's think about the security...
47. Start with AWS accounts.
48. Then your services
49. APIs
50. Compliance
51. Applications
52. Users
53. Secure your AWS account. (1 of 13)
54. Design your accounts carefully!
55. This is not easy to unwind and it's super important.
56. Balance accounts and responsibilities.
57. Watch for sprawl.
58. You do not want to have too many accounts.
59. If you have a reason for a LOT of accounts,
60. justify it!
61. Use AWS Organizations.
62. MFA is critical for all console authentication.
63. Use instance roles for services.
64. Roles manage ephemeral keys internally.
65. CloudTrail (2 of 13)
66. Make sure it's on for ALL accounts.
67. Log it in a place that you can query.
68. CloudTrail is very noisy.
69. You need to understand the needles in the data.
70. Context is critical.
71. Understand relevant change.
72. Change in configs
73. Change in API usage
74. Change in critical services.
75. Change in user patterns.
76. Attackers can delete / turn off CloudTrail.
77. Keep the CloudTrail S3 bucket in a separate account from the monitored account.
78. Secure services (3 of 13)
79. EC2, S3, RDS, KMS...
80. Set a policy and a framework for your services.
81. Each service has a unique attack surface.
82. How do you think about threats in 1000s of services?
83. Lambda surface?
84. ECS?
85. EKS?
86. S3?
87. RDS?
88. Redshift?
89. Don't boil the ocean YET.
90. Understand what you use, why, and focus on those.
91. Learn what dev is looking at next.
92. Compliance (4 of 13)
93. Your accounts and services need continual checks.
94. This is not your annual compliance audit.
95. It's all the time, every time.
96. Start with the CIS benchmarks for AWS.
97. Expand into your relevant areas.
98. PCI
99. SOC 2
100. HIPAA
101. Secure the network. (5 of 13)
102. It's not your network.
103. Yeah, it's virtual.
104. Limit what can go in and out.
105. Minimize in AND out.
106. Understand inter-network traffic (east-west).
107. But the network diminishes in importance in cloud.
108. Like console access to the router.
109. Firmware on the edge router.
110. You don't own it. Get used to that.
111. The network is often static.
112. But systems are dynamic.
113. Containers and orchestration limit its relevance.
114. But monitoring configs is still important in VPCs.
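The "continual checks" from the compliance slides and the "limit what can go in and out" advice from the network slides can be run as one scheduled script. The example below is added here and is not from the deck or from Lacework; it evaluates a constructed account snapshot (the dict shape, the account ids and the group ids are all assumptions) against a few checks mirroring CIS AWS Foundations Benchmark controls plus two rules the deck states (CloudTrail bucket in a separate account, no admin ports open to the world).

```python
"""Continuous compliance checks over a point-in-time snapshot of an AWS
account: a handful of CIS AWS Foundations Benchmark-style controls plus two
rules from the deck (CloudTrail bucket in a separate account, and no ingress
open to the world on admin ports). The snapshot is a constructed dict; in
practice it would be built from describe/get API calls on a schedule."""

# Constructed snapshot of an account with several deliberate failures.
SNAPSHOT = {
    "account_id": "111111111111",
    "root": {"mfa_enabled": False, "active_access_keys": 1},
    "password_policy": {"minimum_length": 8, "max_age_days": 90},
    "trails": [
        {"name": "main-trail", "is_multi_region": True,
         "log_file_validation": False, "kms_key_id": None,
         "s3_bucket": "acme-cloudtrail"},
    ],
    "buckets": {
        "acme-cloudtrail": {"owner_account": "111111111111", "public": False},
    },
    "security_groups": [
        {"id": "sg-web", "ingress": [
            {"from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-bastion", "ingress": [
            {"from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"}]},
    ],
}

# Ports that should never be reachable from 0.0.0.0/0 (SSH, RDP).
ADMIN_PORTS = {22, 3389}


def check_root(snap):
    """Root must have MFA and must not carry programmatic access keys."""
    r, out = snap["root"], []
    if not r["mfa_enabled"]:
        out.append("root: MFA not enabled")
    if r["active_access_keys"]:
        out.append("root: active access keys present")
    return out


def check_password_policy(snap):
    """Minimum length and rotation as CIS recommends for console users."""
    p, out = snap["password_policy"], []
    if p["minimum_length"] < 14:
        out.append("password policy: minimum length %d < 14" % p["minimum_length"])
    if not p["max_age_days"] or p["max_age_days"] > 90:
        out.append("password policy: rotation not enforced within 90 days")
    return out


def check_trails(snap):
    """CloudTrail on everywhere, tamper-evident, encrypted, and stored in a
    bucket the monitored account does not own (slide 77)."""
    out = []
    if not any(t["is_multi_region"] for t in snap["trails"]):
        out.append("cloudtrail: no multi-region trail")
    for t in snap["trails"]:
        b = snap["buckets"].get(t["s3_bucket"], {})
        if not t["log_file_validation"]:
            out.append("cloudtrail %s: log file validation off" % t["name"])
        if not t["kms_key_id"]:
            out.append("cloudtrail %s: logs not encrypted with KMS" % t["name"])
        if b.get("public"):
            out.append("cloudtrail %s: log bucket is public" % t["name"])
        if b.get("owner_account") == snap["account_id"]:
            out.append("cloudtrail %s: log bucket lives in the monitored account" % t["name"])
    return out


def check_security_groups(snap):
    """Any rule that exposes an admin port to 0.0.0.0/0 or ::/0 is a finding."""
    out = []
    for sg in snap["security_groups"]:
        for rule in sg["ingress"]:
            open_world = rule["cidr"] in ("0.0.0.0/0", "::/0")
            hits = [p for p in ADMIN_PORTS if rule["from_port"] <= p <= rule["to_port"]]
            if open_world and hits:
                out.append("%s: port(s) %s open to the world" % (sg["id"], sorted(hits)))
    return out


def run_checks(snap):
    """Run every check and return the list of failing findings (empty = clean)."""
    findings = []
    for check in (check_root, check_password_policy, check_trails, check_security_groups):
        findings.extend(check(snap))
    return findings
```

Run it from cron or a Lambda against a fresh snapshot and page on any finding that was not present in the previous run.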
115. Secure the applications. (6 of 13)
116. What are they talking to?
117. And why?
118. Understand application topologies and systems.
119. Gain insight into typical system behavior.
120. Understand outliers.
121. Log ALL application behaviors.
122. Abstract containers: translate apps : containers : machines.
123. Did I mention log everything?
124. Ephemeral workloads must be monitored
125. in near real-time.
126. Make meaning of the logs.
127. Good data turns into information when it answers questions.
128. Who ran this app?
129. When did it run?
130. What did it do?
131. Where did it connect to?
132. Good data turns into information
133. when you either gain security knowledge
134. or when you can answer questions with context.
135. "Hey Dan, did you mean to install 50 new GPU instances in the Europe region running Bitcoin miners last night?"
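The CloudTrail slides (noisy data, change in API usage, attackers turning CloudTrail off) and the "50 new GPU instances" question above describe the same triage job. The example below is added here and is not from the deck or from Lacework; it runs three detections over constructed CloudTrail-shaped events (the ARNs, IPs, trail name and baseline are assumptions), keeping only the record fields the checks need.

```python
"""Triage helpers for CloudTrail events, built around the deck's advice:
flag attempts to turn CloudTrail off, flag API calls a principal has never
made before, and flag instance launches that fall outside a known pattern.
The events below are constructed samples in CloudTrail's JSON shape."""

# Event names that disable or blind CloudTrail (real CloudTrail API names).
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail"}

# Constructed baseline: which APIs each principal normally calls. In practice
# this is learned from weeks of history rather than hard-coded.
BASELINE = {
    "arn:aws:iam::111111111111:user/dan": {"DescribeInstances", "RunInstances"},
    "arn:aws:iam::111111111111:role/web-app": {"GetObject", "PutObject"},
}

# Constructed sample events (subset of CloudTrail record fields).
EVENTS = [
    {"eventTime": "2018-06-01T02:10:00Z", "eventName": "RunInstances",
     "awsRegion": "us-west-2", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dan"},
     "requestParameters": {"instanceType": "t2.micro",
                           "instancesSet": {"items": [{"maxCount": 1}]}}},
    {"eventTime": "2018-06-01T02:12:00Z", "eventName": "StopLogging",
     "awsRegion": "us-west-2", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dan"},
     "requestParameters": {"name": "main-trail"}},
    {"eventTime": "2018-06-01T02:15:00Z", "eventName": "RunInstances",
     "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dan"},
     "requestParameters": {"instanceType": "p2.xlarge",
                           "instancesSet": {"items": [{"maxCount": 50}]}}},
    {"eventTime": "2018-06-01T02:20:00Z", "eventName": "GetObject",
     "awsRegion": "us-west-2", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/web-app"},
     "requestParameters": {"bucketName": "app-assets", "key": "logo.png"}},
    {"eventTime": "2018-06-01T02:21:00Z", "eventName": "ListBuckets",
     "awsRegion": "us-west-2", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/web-app"},
     "requestParameters": None},
]


def principal(event):
    """The ARN that made the call; 'unknown' if the record lacks one."""
    return event["userIdentity"].get("arn", "unknown")


def trail_tampering(events):
    """Events that stop, delete or reconfigure a trail: always a critical."""
    return [e for e in events if e["eventName"] in TRAIL_TAMPER_EVENTS]


def new_api_usage(events, baseline):
    """(principal, eventName) pairs never seen in the baseline: the deck's
    'change in API usage', most useful for roles that should be boring."""
    seen, out = set(), []
    for e in events:
        key = (principal(e), e["eventName"])
        if e["eventName"] not in baseline.get(key[0], set()) and key not in seen:
            seen.add(key)
            out.append(key)
    return out


def launch_bursts(events, known_regions, max_instances=10):
    """RunInstances calls in a region the account has not used before, or
    requesting more than max_instances in one call (the 50 GPU question)."""
    findings = []
    for e in events:
        if e["eventName"] != "RunInstances":
            continue
        params = e["requestParameters"]
        count = sum(i.get("maxCount", 1) for i in params["instancesSet"]["items"])
        reasons = []
        if e["awsRegion"] not in known_regions:
            reasons.append("new region " + e["awsRegion"])
        if count > max_instances:
            reasons.append("%d x %s" % (count, params["instanceType"]))
        if reasons:
            findings.append((principal(e), e["eventTime"], reasons))
    return findings
```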
136. Secure users. (7 of 13)
137. Who can log into what machines?
138. Why?
139. Limit logins wherever you can!
140. Least-privileged systems.
141. If logins are necessary...
142. NO SHARED ACCOUNTS
143. Unique accounts per user
144. Use MFA.
145. Set up a bastion.
146. 3 factors of ID.
147. Set up a VPN.
148. Limit access via IP.
149. Use IAM (OAuth, SAML).
150. 3 factors
151. Account password
152. Temporary password
153. And keys.
154. Log ALL logins.
155. Failures and successes.
156. Avoid service accounts logging in.
157. Yes, no login as, say...
158. ubuntu
159. coreos
160. admin
161. Or... root!!!!
162. Where possible, limit users from installing apps.
163. Immutable images.
164. Use the orchestration. That is what it's for.
165. Understand the app behaviors.
166. Both to and from the Internet.
167. And laterally from application to application.
168. Within your "network"
169. And from container to container.
170. Secure the data. (8 of 13)
171. Encrypt it.
172. ALL OF IT.
173. It's likely someone will find value in your data,
174. regardless of what you think.
175. Keys are critical.
176. Look into vaults.
177. Rotate.
178. Ephemeral keys
179. Layer 8: People (9 of 13)
180. "DevSecOps"
181. It's just a made-up word.
182. Establish a communication channel from/to DevOps and security.
183. #Slack works.
184. Alert on criticals: PagerDuty or ?
185. Log criticals and below in a #channel.
186. Email still works too.
187. Retrospectives on alerts.
188. Get good at triage.
189. A great security product/system will help bridge gaps
190. from developers to security,
191. from security to developers,
192. within or across teams.
193. Best practices. (10 of 13)
194. There is no time continuum in security.
195. It does not stop or start.
196. It is just part of the system.
197. And the system needs testing.
198. Pen testing.
199. Vulnerability testing.
200. It's not as scary as it sounds.
201. War game with dev.
202. Think evil.
203. What if I had privileged access to ...
204. Think about:
205. Data exfil.
206. Data destruction.
207. Public disclosures.
208. Inadvertent configuration mistakes.
209. Compliance failures.
210. Low-level bugs out of your control.
211. Ring0 happens.
212. Be prepared
213. for recovery.
214. It's not *if* the market will ask about your security.
215. It's *when*.
216. Have the answers before they ask.
217. But what about bugs in MY applications? (11 of 13)
218. Be responsible.
219. Follow responsible disclosure.
220. Answer security@yourdomain.
221. Be friendly to bug hunters.
222. Bug bounty not mandatory, but look into it.
223. Don't be held hostage to hunters.
224. But be responsible.
225. They are saving you time, money, and potentially losses.
226. Run your own internal bug program.
227. Hackathons are great for this.
228. And finally...
229. Have fun. (12 of 13)
230. Be thankful.
231. You are designing the future state.
232. Starting over is a privilege.
233. Learn from past mistakes
234. to determine the future.
235. Wait, baker's dozen! (13 of 13)
236. What do you feel is missing?
237. Add your comments here.
238. Share your experiences.
239. Give back to the community :)
240. Lacework: Let us run your security
241. Lacework: while you focus on your apps.
242. Dan Hubbard, Lacework
243. @dhubbard858
244. .end