InfoSec: Evolve Thyself to Keep Pace in the Age of DevOps

© Copyright 2018 Pivotal Software, Inc. All rights Reserved. Version 1.0
Justin Smith
Pivotal
@justinjsmith
April 26, 2018
InfoSec: Evolve Thyself to Keep
Pace in the Age of DevOps
Fernando Montenegro
451 Research
@fsmontenegro
Jared Ruckle
Pivotal
@jaredruckle

Cover w/ Image
Agenda
■  Security in the Enterprise
■  Security Transformation Framework
■  Culture
■  Automation
■  Lean Controls
■  Metrics
■  Q+A

Slow Enforcement
●  Not enough security
team staffing
●  Enforcement stuck on a
local maximum
Project-based Mass Casualties
●  Team-based decisions
and choice
●  Massive variation across
the organization
●  Too many systems with
poor compliance
●  Triage becomes the vital
skill
●  Low morale
●  No-clear answer
●  Mundane, never-ending
tasks
Intractable
The Typical Scenario

INFORMATION SECURITY:
BUDGETS AND OUTLOOK 2017
INFORMATION SECURITY: BUDGETS AND
OUTLOOK 2017
Source: 451 Research, Voice of the
Enterprise: Information Security, Budgets
and Outlook 2017
Q5. Approximately, how is
your organization’s total
information security spending
currently distributed across the
following vendor based
security tools today? Please
sum to 100%.
40.0%
26.3%
19.6%
10.2%
3.9%
37.5%
29.4%
17.4%
8.9%
6.8%
35.9%
24.9%
20.0%
14.9%
4.3%
Network security
Endpoint security
Security management
Application security
Other
Percent of Sample
2015 Q4
(n=724)
2016 Q4
(n=401)
2017 Q4
(n=371)
Information Security
Spending Distribution
Among Security Tools
Information Security Respondents

It’s automatic.
Security Transformation Framework
Culture
Automation
Lean Controls
It’s attractive.
It’s valuable.
It’s visible.Metrics

Build Prestige
Shift away from domination and
enforcement as primary tools.
Collaborate and demonstrate value.
●  Security Inceptions with teams
●  Invest in external learning
●  Reserved use of the Big Stick
Spread Awareness
Create the ability to rotate people onto
the security team for 2-3 months. It
will change the organization.
●  Quarterly rotations
●  Lunch & Learns
●  Retros and stories
Generalists &
Specialists
Mix domain knowledge and
generalists. New graduates tend to
have higher security awareness.
●  You gotta code
●  Build tools others want to use
●  Very little is rocket surgery
Skills & Hiring
Rotations &
Education
Reputation
CONCEPTS CONCEPTS CONCEPTS
Culture

OUTLOOK 2017
Enterprise: Information Security, Budgets
and Outlook 2017
Q2. What are your top
strategic security objectives
for 2018? Please select up to
3.
Top Strategic Security
Objectives
34.5%
31.5%
24.2%
22.1%
21.5%
20.5%
19.4%
18.7%
18.7%
18.5%
15.3%
13.0%
11.2%
4.4%
Implement or improve security monitoring
Minimize the probability or impact of a possible data breach
Improve network security
Secure emerging architectures including the cloud
Implement or improve security analytics
Achieve regulatory compliance
Improve application security
Improve incident response
Automate common security tasks
Build (staff) the security team
Integrate new endpoint security tools
Raise the security team’s profile in the business
Securing Internet of Things (IoT) devices
Other
Percent of Sample
n = 562

App Scorecards
Centralize scoring for applications,
turn it into a game that attracts
participation and best-practices.
●  Security.yaml in repos
●  Visible badging
●  Opt-in participation
●  Iterative scoring
Build Service Brokers
Automate onboarding and offboarding
for accessing systems and API-
specific tasks like AuthN/AuthZ &
credentials.
●  Control connection points
●  Control credentials
●  Ensure visibility
●  Ensure consistency
Tiered Scanning
Dynamic, Static, Vulnerability, Logs,
and Configuration assurance scanning
can all be completely automated.
●  Control app stacks
●  CI/CD scanning
●  Ingestion Scanning
●  Logging alerts to SOC
●  Configuration Drift alerts
Automation

OUTLOOK 2017
Enterprise: Information Security, Vendor
Evaluations 2017
Q6. How is usage of
application security tools
allocated across the following
teams in your organization?
Please sum to 100.
22.7%
17.5%
57.3%
2.5%
27.6%
19.9%
46.2%
6.2%
30.5%
16.6%
44.7%
8.1%
Application Development
Quality Assurance
Information Security
Other
Mean percent
Q3 2015
(n=181)
Q3 2016
(n=256)
Q3 2017
(n=159)
Application Security
Vendor Usage Allocation
Respondents with application security in
use or in pilot

Compliance as Code
Inherit controls and compliance from
the platform. Automate the
documentation of controls and SSPs
as part of team motion.
●  Explore Open-Control.org
●  Always-on, always current
SSP
●  Expose as top-down controls
Leverage the Platform
Approach the platform as a way to
gain radical control. Leverage all
platform controls to inherit security in
applications.
●  Re-use vs. build
●  Shorten the on-ramp
●  Internal marketing
ATTACK-centric
Focus on Adversarial Tactics,
Techniques, and Common
Knowledge. Use standards as a way
to benchmark resilience.
●  Value-stream mapping
●  Start with the adversary
●  Describe threats and kill-
chains
Lean Controls

WORKLOADS AND KEY PROJECTS 2017
INFORMATION SECURITY: WORKLOADS
AND KEY PROJECTS 2017
Enterprise: Information Security,
Workloads and Key Projects 2017
Q10. What is your status of
implementation for each of the
following technologies?
88.6%
80.2%
76.0%
70.8%
70.6%
66.4%
55.7%
54.0%
49.6%
46.9%
44.1%
39.5%
33.0%
29.5%
29.1%
13.5%
5.8%
7.1%
6.0%
6.1%
9.8%
13.2%
8.0%
13.7%
7.0%
10.3%
9.3%
11.2%
4.1%
9.6%
9.2%
4.8%
4.0%
5.8%
8.9%
5.4%
7.2%
6.3%
4.5%
8.0%
5.8%
5.1%
4.8%
5.6%
4.4%
5.4%
5.8%
7.6%
4.9%
6.0%
8.4%
4.9%
4.8%
4.0%
8.1%
5.6%
11.6%
6.3%
10.0%
10.6%
9.7%
7.5%
11.7%
10.2%
7.7%
15.2%
26.1%
20.4%
34.9%
25.8%
35.3%
28.8%
52.1%
39.5%
53.2%
Firewall (Including Next-Generation Firewall) (n = 599)
Web Content Filtering (n = 586)
Vulnerability Management (Scanning) (n = 588)
Intrusion Detection/Prevention Systems (IDS/IPS) (n = 579)
Encryption (n = 588)
Information Security Awareness Training (n = 584)
Multi-Factor Authentication (n = 574)
Web Application Firewall (WAF) (n = 522)
Mobile Device Management (MDM)/Enterprise Mobility Management (EMM)
(n = 568)
Anti-DDoS (Distributed Denial of Service) (n = 525)
Computer Forensics/Incident Response (n = 542)
Identity as a Service (IDaaS)/Single Sign-On (n = 550)
Data Leakage Prevention (DLP) (n = 528)
Managed Security Services Provider (MSSP) (n = 509)
Threat Intelligence Platforms (n = 501)
User Behavior Analytics (UBA) (n = 489)
Percent of Sample
In Use (Not Including Pilots) In Pilot/Proof of Concept
Planning To Deploy in the Next 6 Months Planning To Deploy in the Next 6-12 Months
Planning To Deploy in the Next 12-24 Months Not in Plan
Status of
Implementation

SOC Events
Grow operational maturity by
constantly improving the quality and
types of notifications in the SOC.
●  Follows ATTACK concepts
●  Doesn’t matter where you start
●  Forces the right behaviors
Usual Suspects
Patching, vulnerabilities, # apps, #
brokers, # DCs, # users, # FIDs, #
certs, # domains, # security agents,
team size, LOC, etc.
●  The basics still apply
●  Consider false-positives also
●  Reduce friction for adoption
Emphasize Age
Cluster, VM, container, brokers,
credentials - they all have ages worth
measuring and attempting to shorten.
●  Older is more fragile
●  Requires automation
●  Forces the right behaviors
Metrics

ORGANIZATIONAL DYNAMICS 2017
INFORMATION SECURITY: ORGANIZATIONAL
DYNAMICS 2017
Enterprise: Information Security,
Organizational Dynamics 2017
Q44. Which of the following
metrics does your organization
use/track for information
security staff? Please select all
that apply.
Metrics To Manage
Security
53.0%
42.8%
44.9%
34.2%
34.4%
31.2%
32.4%
21.9%
2.2%
47.5%
39.0%
34.4%
34.2%
32.3%
29.2%
28.3%
21.9%
4.0%
Security Incidents Resolved
Tickets Resolved (e.g., ‘Trouble Tickets’)
Audit Issues Resolved
Application Availability (e.g., Uptime/
Downtime)
Project Completion
Time to Recovery/Restore from an Outage
Lack of Data Breaches
We Don’t Use Metrics
Other
Percent of Sample
Q2 2016
(n=837)
Q2 2017
(n=421)

To be more secure and go
faster

Repair
Repair vulnerable
software as soon as
updates are available.
Turnkey Compliance Repave
Apps inherit controls
from the platform,
simplifying audits.
Repave servers and
applications from a
known good state. Do
this often.
Rotate user credentials
frequently, so they are
only useful for short
periods of time.
Rotate
Call to Action: Investigate Cloud Native Security
Reduce Your MTTR | Resist Advanced Persistent Threats | Reduce the Threat of Leaked Credentials

Embedded OS
(Windows & Linux)
NSX-T
CPI (15 methods)
v1
v2
v3
...
CVEs
Product Updates
Java | .NET | NodeJS
Pivotal Application
Service (PAS)
Application Code &
Frameworks
Buildpacks | Spring Boot | Spring Cloud |
Steeltoe
Elastic | Packaged Software | Spark
Pivotal Container
Service (PKS)
>cf push >kubectl run
vSphere
Azure &
Azure StackGoogle CloudAWSOpenstack
Pivotal
Network
“3Rs”
Github
Concourse
Concourse
Pivotal Services
Marketplace
Pivotal and
Partner Products
Continuous
delivery
Public Cloud
Services
Customer
Managed
Services
OpenServiceBrokerAPI
Repair
— CVEs
Repave Rotate
— Credhub

InfoSec: Evolve Thyself to Keep Pace in the Age of DevOps

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to InfoSec: Evolve Thyself to Keep Pace in the Age of DevOps

Similar to InfoSec: Evolve Thyself to Keep Pace in the Age of DevOps (20)

More from VMware Tanzu

More from VMware Tanzu (20)

Recently uploaded

Recently uploaded (20)

InfoSec: Evolve Thyself to Keep Pace in the Age of DevOps