Enterprise Cloud Security via DevSecOps

Shannon Lietz, Cloud Sec. Eng. Leader, Intuit
Shrikant Raman, Engagement Mgr, FireEye

Who are we?
- We’ve developed and operated some of the largest Security Operations Centers
- We’ve led crisis management for some of the world’s largest breaches
- We’ve worked in the Cloud before it was a Cloud (and cool); anyone remember utility computing, circa 2002?
What is DevSecOps?

Problem Statement
- DevOps requires continuous deployments
- Fast decision making is critical to DevOps success
- Traditional Security just doesn’t scale…

Welcome DevSecOps…
- Customer focused mindset
- Scale, Scale, Scale
- Objective Criteria
- Proactive Hunting
- Continuous Detection & Response
How did we discover DevSecOps?
- Pain
- Trial & Error
- Blood, sweat & tears
- Ouch, my head hurts!

It would have been great to hear this speech a couple years ago…
[Image: “Bang Head Here”]
Speaking from experience…

DevSecOps is NOT…
- Application Security on Steroids
- an embedded resource model
- always saying yes to the business
- a one-size-fits-all program
- a continuance of the Culture of “No”
- Compliance Gone Wild
- a Complex set of requirements
- Security for security’s sake
- SecDevOps, DevOpsSec, RuggedOps, other...
DOH!!
Cloud huh? What the heck is a software defined environment?

Migrating into the cloud…
- Compliance didn’t take us far before we stopped scaling…
- We couldn’t keep up with deployments without automation…
- Standard Security Operations did not work…
- And we needed far more data than we expected to help the business make decisions…

[Diagram: DevSecOps at the intersection of Security Engineering, Compliance Ops, Security Ops and Security Science]
The Art of DevSecOps

[Diagram: DevSecOps as four practices, each with its core activities]
- Security Engineering: Experiment, Automate, Test
- Security Operations: Hunt, Detect, Contain
- Security Science: Learn, Measure, Forecast
- Compliance Operations: Respond, Manage, Train
Tools of the Trade
- Start coding…
  - DevSecOps Toolkit
  - Security Services & APIs
- Find solutions and integrate…
  - Filtering & Intelligence
  - Big Data
  - Threat Analytics
  - Case Management
- Hold people accountable
  - Metrics & Reporting
Tools of the Trade

Code in development:
- Use CloudWatch / TAP to detect DoS attacks
  - >X concurrent sessions
  - Monitor and determine whether to scale elastically or cut off access
- Use TAP APIs to look for AWS credential usage and scour the interweb for leaked credentials
  - Automatically cycle AWS credentials and issue new credentials, assuming the old credentials were compromised
- Use TAP APIs to identify S3 bucketfinder activity
  - Automatically block further searches
- Use internal data and data mining to predict attacks before they happen, à la OpenDNS’ Security Graph
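The "identify S3 bucketfinder activity, then automatically block further searches" item above, worked through as an added example that is not code from the slides or from the DevSecOps toolkit. It assumes CloudTrail-style S3 event records (the sample events are constructed), flags a source that fails against many distinct bucket names in a short window, and builds the block-list payload in the shape the classic AWS WAF `update_ip_set` call takes without sending it.

```python
"""Flag S3 bucket-enumeration ("bucketfinder") activity and build the block list
an automatic response would push. Added example for this deck, not slide or
DevSecOps toolkit code. Assumes CloudTrail-style S3 records (sample constructed);
the IP set payload follows the classic AWS WAF update_ip_set shape, built only."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.9 probes twelve guessed bucket names and gets
# NoSuchBucket each time; 198.51.100.4 makes one normal, successful request.
SAMPLE_EVENTS = [
    {"eventTime": "2015-06-01T10:00:%02dZ" % i, "eventSource": "s3.amazonaws.com",
     "eventName": "HeadBucket", "sourceIPAddress": "203.0.113.9",
     "errorCode": "NoSuchBucket", "requestParameters": {"bucketName": "guess-%d" % i}}
    for i in range(12)
] + [
    {"eventTime": "2015-06-01T10:00:05Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListObjects", "sourceIPAddress": "198.51.100.4",
     "requestParameters": {"bucketName": "app-prod-assets"}},
]

def bucket_probe_sources(events, threshold=10, window=timedelta(minutes=5)):
    """Return {source IP: distinct bucket names} for sources whose failed S3
    requests touch more than `threshold` distinct names inside `window`: many
    failures against many different names is enumeration, one typo is not."""
    failures = defaultdict(list)
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com" or not ev.get("errorCode"):
            continue
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        bucket = ev.get("requestParameters", {}).get("bucketName", "")
        failures[ev["sourceIPAddress"]].append((ts, bucket))
    flagged = {}
    for ip, probes in failures.items():
        probes.sort()
        start = 0
        for end in range(len(probes)):  # sliding time window over the failures
            while probes[end][0] - probes[start][0] > window:
                start += 1
            names = {b for _, b in probes[start:end + 1]}
            if len(names) > threshold:
                flagged[ip] = len(names)
                break
    return flagged

def waf_ipset_updates(flagged):
    """Build the Updates list for a classic AWS WAF update_ip_set call that
    would deny further requests from the flagged sources."""
    return [{"Action": "INSERT",
             "IPSetDescriptor": {"Type": "IPV4", "Value": ip + "/32"}}
            for ip in sorted(flagged)]
```

Run against the sample, the single legitimate request never enters the failure tally, so only the enumerating source is returned; tuning `threshold` and `window` to the account's real error rate is what keeps this from cutting off a developer who mistypes a bucket name.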
DevSecOps Toolkit: DEMO

TAPping into Detection & Response: DEMO
What have we learned?
- Not much within the industry that can be re-used
- Cloud context requires details and is difficult to obtain
- It’s important for us to use the same platforms and tools as the teams and applications we are helping to defend
- Our job is to translate security information into the actions we need from other teams
Q&A

DevSecOps Manifesto at: http://www.devsecops.org
DevSecOps Toolkit at: https://github.com/devsecops
shannon lietz -> [email protected]
shrikant raman -> [email protected]