DevSecOps is the name of the game, but there isn't always a clear path to implementation and adoption. Between protecting against the major attacks that arrive daily and maintaining compliance with strict regulations, leaving the boundaries of traditional IT can leave some security professionals quaking in their boots.
Fear not, friends! There is a way to be secure and compliant in the cloud with the right approach. In this webinar, George Gerchow, VP of Security and Compliance at Sumo Logic, will do a deep dive into the steps it takes to successfully implement and maintain DevSecOps in your organization at scale. He will be discussing:
· What it took to build a world-class data analytics service on AWS from the ground up
· Technologies used to gain necessary operational and security visibility
· Tips and tricks to maintain optimal levels of performance, integrity and availability of the data
· How to best approach regulatory compliance in the cloud in pursuing certifications like PCI DSS, ISO 27001, CSA STAR, TRUSTe, SOC 2, Type 2, etc.
· Challenges encountered in the journey and how they were addressed
1. Sumo Logic Confidential
Implementing and Maintaining a DevSecOps
Approach in the Cloud
Operational and Security Tips, Tricks and Best Practices
Wednesday January 25
10am PST / 12 noon CST
2.
Today’s Presenters
George Gerchow, VP Security & Compliance
As Sumo Logic's Vice President of Security and Compliance, George Gerchow brings 18 years
of information technology and systems management expertise to the application of IT
processes and disciplines. His expertise impacts the security, compliance, and operational
status of complex, heterogeneous, virtual and cloud computing environments. Mr. Gerchow's
practical experience and insight from managing the infrastructures of some of the world's
largest corporate and government institutions, make him a highly regarded speaker and invited
panelist on topics including cloud secure architecture design, virtualization, configuration
management, operational security and compliance. George was one of the original founders of
the VMware Center for Policy and Compliance and he holds CISSP, ITIL, Cisco, and Microsoft
Certifications. Mr. Gerchow is also an active Board Member for several technology start-ups
and the coauthor of Center for Internet Security Quick Start Cloud Infrastructure Benchmark
v1.0.0 and is a Faculty Member for IANS Institute of Applied Network Security.
Mark Bloom, Dir. Product Marketing, Security & Compliance
Mark has over 15 years of sales, marketing and business development experience in a variety
of financial service and high-technology markets. Past clients/employers have included Ford,
Motorola, United Technologies, Cisco, Chrysler, SonicWall/Dell, Trend Micro and Compuware.
4. "Security must be more tightly integrated into the DevOps process to
deliver a DevSecOps process that builds in security from the earliest
stages of application design."
Gartner Top 10 Strategic Technology Trends for 2016: Adaptive Security Architecture
Gartner Top 10 Strategic Trend for 2016
http://www.gartner.com/document/3229017
6.
Security Challenges in Our Cloud Journey
• Starts simple, gets more complex
• CSP offerings are growing
• Filling in the CSP offerings with 3rd party solutions
• Compliance, audit and more regulations are coming
• Attacks on the Cloud are increasing
8.
Sumo Logic at Scale in the Cloud
SECURITY BAKED IN
1,300+ Customers in the cloud
100+ PB Data Analyzed Daily
10M+ Keys Under Management
10K+ EC2 Instances
14.
Sumo Logic: Fully Secure
Protecting Customer Data with Best-in-Class Security
• PCI DSS 3.1 Service Provider Level 1 Certified
• SOC 2 Type 2 attestation
• ISO 27001 certified
• CSA Star certified
• HIPAA-HITECH compliance
• U.S. – EU Privacy Shield
• AES 256-bit encryption at rest
• TLS encryption in transit
• FIPS 140-2 compliant
Industry’s Most Secure Cloud-Native Analytics Service
15.
Sumo Logic PCI App for AWS CloudTrail
Protecting Customer Data with Best-in-Class Security
19.
The Cloud Attack that never goes away
• Password hygiene is still the #1 threat to security
• People who should be the most responsible are not
• Audit everything
• BitCoin miners
20.
Bitcoin mining in AWS
• Only 21 Million BitCoin Allowed to be Mined
• International Non Regulated Currency
• AWS GPU EC2 P2 Instances are perfect for mining Bitcoins
• Use two-factor authentication.
• Never hardcode your cloud computing credentials
• Use Identity Access Management
Seeking Free Compute Power! Please put your AWS credentials into a config file and upload to GitHub.
“Don’t put your Amazon credentials into source code and then share that source code in a public place like GitHub!”
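As an added example, not from the webinar or Sumo Logic's product, here is a small Python detection over AWS CloudTrail records that flags the two things this slide warns about: launches of GPU p2 instances and console logins without two-factor authentication. The log records are constructed for the example; real CloudTrail RunInstances and ConsoleLogin events do carry the fields used here (requestParameters.instanceType, additionalEventData.MFAUsed).

```python
import json

# Constructed sample CloudTrail log file (not real records): a GPU-instance launch,
# an ordinary launch, a console login without MFA and one with MFA.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventName": "RunInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"userName": "ci-deploy"},
     "requestParameters": {"instanceType": "p2.8xlarge",
                           "instancesSet": {"items": [{"minCount": 4, "maxCount": 4}]}}},
    {"eventName": "RunInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"userName": "ci-deploy"},
     "requestParameters": {"instanceType": "m4.large",
                           "instancesSet": {"items": [{"minCount": 1, "maxCount": 1}]}}},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"userName": "alice"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"userName": "bob"}, "additionalEventData": {"MFAUsed": "Yes"}},
]})

# Instance families worth alerting on; the slide names p2, extend as your estate requires.
GPU_FAMILIES = {"p2"}


def instance_family(instance_type):
    return instance_type.split(".", 1)[0]  # "p2.8xlarge" -> "p2"


def find_suspicious(records):
    """Return (rule, user, detail) findings for a list of CloudTrail record dicts."""
    findings = []
    for ev in records:
        user = ev.get("userIdentity", {}).get("userName", "<unknown>")
        if ev.get("eventName") == "RunInstances":
            params = ev.get("requestParameters", {})
            itype = params.get("instanceType", "")
            items = params.get("instancesSet", {}).get("items", [])
            count = sum(i.get("maxCount", 0) for i in items)  # instances requested
            if instance_family(itype) in GPU_FAMILIES:
                findings.append(("gpu-instance-launch", user, f"{count}x {itype}"))
        elif ev.get("eventName") == "ConsoleLogin":
            if ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":
                findings.append(("console-login-without-mfa", user, "MFAUsed != Yes"))
    return findings


def scan_log_file(text):
    """Parse a CloudTrail log file body ({"Records": [...]}) and run the rules over it."""
    return find_suspicious(json.loads(text)["Records"])


if __name__ == "__main__":
    for rule, user, detail in scan_log_file(SAMPLE_LOG):
        print(f"{rule}: user={user} {detail}")
```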
21.
• Recent DDoS attacks targeted Dynamic Network Services Inc., better known as Dyn
• Dyn is one of many DNS providers to AWS
• AWS has some services (Shield) in place to help, and we have 3rd party tools, but…
• Could AWS eat itself or be used to attack Azure en masse?
“Security may be critical, but agility is the single biggest reason enterprises are moving to the cloud”
The latest Akamai security report highlights a 138 percent YoY increase in total DDoS
Q1: DevSecOps seems like a buzz word that everyone is using these days. What does DevSecOps really mean?
Q2: So SL is a cloud native service running in AWS – why did you decide to build your service in the cloud? Can you describe a bit about that journey, what was it like, what obstacles did you face, how did you overcome them? What did you learn?
Q3: So what is your current footprint like in AWS?
-- after the question, move immediately to the next slide
Q4: So What Tools and Technologies are you using in AWS?
-- after the question, move immediately to the next slide
Q5: So how are you leveraging Sumo to secure your own service?
Can you share some of the tips, tricks and best practices you have gleaned over the years?
Q6: You talked earlier about the technology stack you use. How does this stack help you with Compliance?
Sumo provides the most secure cloud-based analytics service on the market
Only Sumo has achieved this level of validation and certification
We have done this because our business is collecting and storing our customers’ sensitive log data. If they don’t trust us, then we don’t have a business model.
So we have made significant investment in security certifications and attestations.
Not only do we encrypt data at rest and in transit, but we hold various attestations as you can see by this comprehensive list.
We are the only service in the machine data analytics space that holds the PCI DSS 3.1 certification and are helping our customers like Twitter and AirBnB simplify the process for demonstrating compliance with PCI... particularly around Req. 10
Organizations are making different decisions based on the trust level they have with their partners, and we take this very seriously investing significant resources to achieve and maintain on an ongoing basis, these competitive differentiators
Too many people try to live vicariously through the certifications AWS has and pass this on as adequate
Q7: Can you talk about the operational and security best practices that SL employs to maintain a scalable, highly secure, always on service? As well as the DevSecOps methodologies that are followed?
A: It all starts with embedding security directly into engineering.
Checks and balances.
Process: dev, QA, prod.
All changes to production follow a well documented change management process.
Traditional processes never seemed like a suitable way to implement change management at Sumo Logic. Even a Change Management Board (CMB) that meets daily is much too slow for our environment, where changes are implemented every day, at any time of the day. In this blog, I’ll describe our current solution, which we have iterated towards over the past several years.
The goals for our change management process are that:
Anybody can propose a change to the production system, at anytime, and anybody can follow what changes are being proposed.
A well-known set of reviewers can quickly and efficiently review changes and decide on whether to implement them.
Any change to production needs to leave an audit trail to meet compliance requirements.
Workflow and Audit Trail
We used Atlassian JIRA to model the workflow for any System Change Request (SCR). Not only is JIRA a good tool for workflows, but we also use it for most of our other bug and project tracking, making it trivial to link to relevant bugs or issues. Here’s what the current workflow for a system change request looks like:
-- after the question, move immediately to the next slide
Q8: There are a lot of threat actors out there, from Cyber Criminals, Corporate Spies, Hacktivists and Nation States. My question is:
How do you see the threat landscape changing wrt the cloud. Is the risk greater given the massive scale of the attack surface?
If someone hacked into an account, could they cause more damage by pointing their attack at Amazon, from within the service, possibly affecting millions of customers?
Mirai (Japanese for "the future") is malware that turns computer systems running Linux into remotely controlled "bots" that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as remote cameras and home routers.
Q9: So when you look out toward the future, wrt the DevSecOps movement, the phenomenal growth of cloud providers like AWS and Azure, Machine learning and Artificial Intelligence, the rise of security as code, ….
What are your thoughts, where do you see things going, and how should companies respond?
AWS and Sumo Logic and other tools provide us with an opportunity for all teams to use the same tool. We are able to scale due to the simplicity of the Sumo Logic product and the visibility that it provides. Our Security Operations team works more effectively with the Operations allowing us to do more with less. All this while providing visibility into the on-going operations and verifying compliance as needed.