DevOpsDay London Ben Hughes Security

Security and shizzle

Monday, 11 November 13

Whom be this?
• Ben Hughes, security monkey at Etsy.
• Bullet point fanatic.
• Terrible at slides.
• Shout out to the Etsy security team.

@benjammingh

It’s a tale of two halves
• Security, where did it all go wrong?
• Don’t go alone, take this!
• Security-devops-maybe-DBAs-too-

oh and-QA-sure-who-else?
• I quite like Etsy, here’s why.
@benjammingh

Security, where did
it all go wrong?

@benjammingh

Wait, but we bought a ﬁrewall!

@benjammingh

They’re coming out of the walls

@benjammingh

teh cloudz
• AWS logo goes here.
• Maybe not in AWS... (other cloudiness

vendors may be available)

@benjammingh

But we’re secure, right?

@benjammingh

The Watering hole attacks of Feb

@benjammingh

Other than the occasional RCE/
SQLi or 0-day, companies just
aren’t getting breached directly
through their servers like they
used to.

@benjammingh

I’d buy that for a dollar
[laptop:~]% id
uid=501(ben) gid=20(staff) groups=20(staff)
[laptop:~]% ./magic
[*] running old exploit against unpatched OSX.
[*] firing off connect back shell to AWS.
[*] throwing mad persistence in to LaunchAgents.
[*] dropping to a shell.
[laptop:~]# id
uid=0(root) gid=0(root)

@benjammingh

Zero [cool] day
• Zero day is bad!

@benjammingh

Surprise!
• You can’t defend against unknown

attacks.
• Clue is in the name.

@benjammingh

Rejoice. That mostly doesn’t matter!

@benjammingh

Treat the symptoms
• Lateral movement can be more

important than how they got in.
• You don’t care that they broke a

window, you care that they got in your
living room and took your TV.
• (still ﬁx your window)

@benjammingh

Hudson hawk reference
• Why is /bin/sh running on your

webserver?
• Why is your webserver trying to SSH to

other hosts?
• Why is the Cold Fusion process reading

arbitrary ﬁles oﬀ of disk (SE/NSA Linux
time)
@benjammingh

But still patch
• Please, still patch things.
• Know that it isn’t a panacea.
• Realise that is okay.

@benjammingh

Please do patch!
• No really!

@benjammingh

Logs are your eyes.
“If it’s not monitored...
...it’s not in production”
Well
“If it’s not logged, did it really happen?”

@benjammingh

You have a limited number of eyes.

@benjammingh

Alerts

@benjammingh

Logstash
• http://logstash.net/
• http://www.elasticsearch.org/overview/

kibana/
• http://www.logstashbook.com/
• https://github.com/miah/chef_logstash
• https://forge.puppetlabs.com/tags/

logstash
@benjammingh

Two factor all the things
•Duo - https://www.duosecurity.com/
•Authy - https://www.authy.com/
•Google - http://goo.gl/hvre2D
•YubiKey - https://www.yubico.com/
Hat tip to Jan Schaumann (@jschauma),
from whom I stole the title of this slide from.

@benjammingh

Duo and Yubikeys
vvbrc

@benjammingh

Pen Testing
• Don’t pay someone else to tell you to

patch things.
• Don’t pay someone to run Nessus.
• Hire more security people before paying

for pen-tests.
• Attack simulations are better. http://

bit.ly/attacksims
@benjammingh

Attack simulations?
• Everything in scope.

@benjammingh

Attack simulations?
• Don’t have security run it.

@benjammingh

Attack simulations?
• Don’t have security run it.
• Don’t block on fragility.

@benjammingh

Transparency!
• Invite people to the brief.
• Don’t just expect a PDF.
• Treat it as a postmortem.
• Come out of it with a set of actions.

@benjammingh

Game days.
• Ops’ “game day” simulations, but for

security.

@benjammingh

Phishing
• Who’s stopped phishing?

@benjammingh

Phishing
• You’re not going to stop phishing.

@benjammingh

Phishing
• That doesn’t matter.

@benjammingh

Phishing
• That doesn’t matter.
• Don’t think you can fully eliminate it, get

it reported instead.

@benjammingh

Intermission.

@benjammingh

New, Improved Devops

• Silo smashing in to one new larger silo!

@benjammingh

DevSecOpsFarmerQueen
•
•
•

Many hats.

•

Security doesn’t just

Not just dev.
Not just ops.

magically happen.
@benjammingh

Get security involved!
• This can be done is all sized

environments!
•

Small - having someone who has a security background or
interest.

•

Large - ”Chris Eng & Ryan O’Boyle – From the Trenches:
Real-World Agile SDLC” - http://nsc.is/presentation/chris-engryan-oboyle-from-the-trenches-real-world-agile-sdlc/

@benjammingh

Security are people too!

@benjammingh

Security are people too!
• they just might not always act like it...
• security is the only area of technology

with genuine adversaries.

@benjammingh

Infosec, this one’s for you
• Dev and ops (and everyone else) are

people too.
• They made those decisions without

malice in mind.
• People don’t go out of their way to

make things insecure!

@benjammingh

Primary action items
• Don’t just say “did you speak to security

about this?”
• Get people involved!
• Security has never [succesfully] been a

check box.

@benjammingh

Reducing barriers.
Having an approachable security team is
the most important thing they can do.
The second you lose the ability to talk to
them about anything, you effectively lose
your security team.

@benjammingh

So, that party you mentioned?
• Skill sharing.

@benjammingh

• Hack week.

@benjammingh

• Boot camping.

@benjammingh

Borrowing from the devops.
• Tests!

@benjammingh

• Tests!
• Test your code and your infrastructure.

@benjammingh

• Tests!
• Test your code and your infrastructure.
• Wait, someone already gave this talk:
http://www.slideshare.net/nickgsuperstar/
devopssec-apply-devops-principles-to-security/32

@benjammingh

So did Gareth!
https://speakerdeck.com/garethr/securitymonitoring-penetration-testing-meetsmonitoring

@benjammingh

Stop saying “No!”

@benjammingh

So ﬁnally
• The most important thing that we do as

a security team is...
• Humility.

@benjammingh

So ﬁnally
• The most important thing that we do as

a security team is...
• Humility.
• Security isn’t everything. People are rad.

@benjammingh

Fin

<golden axe screen shot>

@benjammingh

DevOpsDay London Ben Hughes Security

Recommended

Recommended

More Related Content

Recently uploaded

Recently uploaded (20)

Featured

Featured (20)

DevOpsDay London Ben Hughes Security