isaca ireland keynote 2015

Upload: shannon-lietz

Post on 14-Apr-2017

TRANSCRIPT

Page 1: ISACA Ireland Keynote 2015
Page 2: ISACA Ireland Keynote 2015

Embracing DevSecOps to support Rugged Innovation at

Speed and Scale

Shannon Lietz, INTUIT

Page 3: ISACA Ireland Keynote 2015

Who am I?

• 25+ yrs Technology & Security Experience
• Background in Security R&D
• Working with the Cloud before it was called the “Cloud”
• Manage teams using DevOps, Agile & Scrum
• Incident Response & Crisis Management

-- FOUNDER --

Page 4: ISACA Ireland Keynote 2015

Are you ready for the end of Security & Compliance as we know it?

Page 5: ISACA Ireland Keynote 2015

The Race for Competitive Advantage…

Indicators that demonstrate change:
• Tailoring business to the needs of customers to achieve large-scale business returns is driving Cloud & DevOps adoption
• Small businesses and entrepreneurs are enabled to compete in complex business models with boutique appeal against Enterprises
• High performing teams are being developed and incubated in Enterprises to mimic the DevOps teams found in Start-ups.

Page 6: ISACA Ireland Keynote 2015

Startups on the Rise in 2015… From 1996 to 2015:
• Increase in Startups in 2015 shows rebound
• Entrepreneurs over 55 have nearly doubled
• Significant Rise in Immigrant Entrepreneurs
• New Entrepreneurs are on the rise again
• More men than women are becoming first time Entrepreneurs

kauffman.org

Page 7: ISACA Ireland Keynote 2015

DevOps Growth… (Google Trends)
• DevOps.com was bought in 2004
• Google searches for “DevOps” started to rise in 2010
• Major influences:
  – Saving your Infrastructure from DevOps / Chicago Tribune
  – DevOps: A Culture Shift, Not a Technology / Information Week
  – DevOps: A Sharder’s Tale from Etsy
  – DevOps.com articles
• RuggedSoftware.org was bought in 2010

https://www.google.com/trends/

Page 8: ISACA Ireland Keynote 2015

Cloud Security Boom…
• Cloud Platform security features are on the rise the last few years
• Security in the Cloud is becoming the norm
• Default configurations are still not quite there but will become the focus with growing thought leadership
• Cloud Providers must solve for providing security features that scale
• Security teams need to learn to use these features quickly

[Chart: yearly counts for 2007–2015, values 48, 61, 82, 159, 280, 514, ?; source: AWS re:Invent 2015]

Page 9: ISACA Ireland Keynote 2015

Big Data?
• Reflecting on this 2013 Utilities article
• Devices & IoT drive bigger data
• Instrumentation <- Security needs this
• Asset management & monitoring
• Service Support

http://www.enterprisecioforum.com/big-data-case-study-utilities/

Page 10: ISACA Ireland Keynote 2015

DevOps increases speed & scale…

This collaborative effort can help DevOps-led projects make IT operational metrics 100 times better, and in so doing offers “an evolutionary fork in the road” which could lead to the “end of security as we know it,” added Joshua Corman – founder of Rugged DevOps and I am the Cavalry.

http://www.infosecurity-magazine.com/news/infosec15-devops-end-of-security

Page 11: ISACA Ireland Keynote 2015

So what hinders “secure” innovation @ speed & scale?

1. Friction for friction’s sake
2. Manual processes & meeting culture
3. Point in time assessments
4. Decisions being made outside of value creation
5. Contextual misunderstandings
6. Late constraints and requirements
7. Big commitments, big teams, and big failures
8. Fear of failure, lack of learning
9. Lack of inspiration
10. Management and political interference (approvals, exceptions)

Page 12: ISACA Ireland Keynote 2015

And then there’s … the brand of Security & Compliance!

• The discipline is very complex
• Thousands of Controls
• Majority of the Security Industry is Vendor dependent
• Requires Meetings, Appointments, and Point in Time evaluations with low context
• Requirements are dependent on what is developed
• The art of “No” has become its own science

Page 13: ISACA Ireland Keynote 2015

Isn’t DevOps in the best Interest of Security & Compliance?

https://www.kpmg.com/BE/en/IssuesAndInsights/ArticlesPublications/Documents/Transforming-Internal-Audit.pdf

Page 14: ISACA Ireland Keynote 2015

What’s the DevSecOps Mission?

…creating targeted customer value

through secure iterative innovation

at speed & scale …

Security is Everyone’s

Job!

Page 15: ISACA Ireland Keynote 2015

What should we value to evolve Security for DevOps?

Leaning in over Always Saying “No”
Data & Security Science over Fear, Uncertainty and Doubt
Open Contribution & Collaboration over Security-Only Requirements
Consumable Security Services with APIs over Mandated Security Controls & Paperwork
Business Driven Security Scores over Rubber Stamp Security
Red & Blue Team Exploit Testing over Relying on Scans & Theoretical Vulnerabilities
24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident
Shared Threat Intelligence over Keeping Info to Ourselves
Compliance Operations over Clipboards & Checklists

In essence, don’t waste people’s time with Fear -> Uncertainty -> Doubt

devsecops.org

Page 16: ISACA Ireland Keynote 2015

Now - Imagine adding Security into the DevOps pipeline…

Security Self-Service

Skills: Biz, UX, Dev, Data Science, App Sec, Sec Eng, Comp Ops, Sec Ops, Ops, Training

Software & Infrastructure Platforms

Software Components & Resources

YOUR APP STACK GOES HERE

Operational Tools & Monitoring

collaboration, partnership, value creation, self-service [DevOps, Agile, Scrum, Cloud]

Page 17: ISACA Ireland Keynote 2015

The Art of DevSecOps (Security View)

DevSecOps

Security Engineering

Experiment, Automate, Test

Security Operations

Hunt, Detect, Contain

Compliance Operations

Respond, Manage, Train

Security Science

Learn, Measure, Forecast

Page 18: ISACA Ireland Keynote 2015

Can we make it simple? Yes!

• Smaller Teams
• Smaller Services
• Smaller Failures
• Rest APIs drive culture
• Customer focus
• Deep problem understanding throughout org
• Deliberate dedication to solving and simplifying tech challenges
• Products and Services have security built-in along the supply chain
• Security removes barriers and roadblocks as self-service for DevOps
• Managers map, magnify and multiply to create culture
• Measurement is built-in to support culture of Continuous Improvement

blast radius

Page 19: ISACA Ireland Keynote 2015

How can we get started?

Small Project
Approach is tailored to small experiments and pipeline testing.
Pros:
• Requires DevOps Approach
• Fast failures
• Team learns to collaborate
• Higher Productivity, Less waste
Cons:
• Skill shortages
• Team needs vision to avoid micro-focus churn

Migration
Approach allows organization to map and adjust for what they already know.
Pros:
• Allows companies to keep operating while teams figure out what’s needed
Cons:
• Overload
• Can be slower to accomplish completion
• Failures can become complex

Big Project
Approach is “all-in” and used to transform an organization as a whole.
Pros:
• Firm commitment alleviates political back and forth
• Focus & All-in Speed
Cons:
• Bigger Failures
• Difficult for everyone to learn from mistakes and experiments

Page 20: ISACA Ireland Keynote 2015

Small Project -> The Provocation

How can we transform a control into a self-aware, self-reporting, self-healing component that can be consumed at speed & scale?

Our challenge is to begin the process of creating self-aware and self-reporting components. This process can be achieved using configuration management tools, open source and log management systems. Let’s work with the IA Controls from NIST 800-53 today and use the implementation of MFA as an example. Specifically, IA-2 calls for multi-factor authentication which is available in some Software Defined Environments as a feature. Let’s look at how we can enable MFA within our Stack and the different use cases that are present and require security baseline components. Questions to answer:

1. How can baseline components be shared and extended?
2. Once the component is ready to be used, implemented, then what?
3. What about the feedback loop?
4. What is the best way to create an automated report that is continuously built and maintained?
5. How can we report across a full-stack?
6. What tools can assist?

[Diagram: FW ? / Web ?]

Compliance at Velocity (https://medium.com/compliance-at-velocity)

Page 21: ISACA Ireland Keynote 2015

Migrations -> One foot in… One foot out...

[Diagram: Traditional IT & Security (FW/IDS -> Web -> App -> DB, two parallel stacks) alongside DevOps + DevSecOps (FW/IDS -> ELB -> App -> DBaaS, two parallel stacks)]

Page 22: ISACA Ireland Keynote 2015

Big Project -> The Hail Mary

[Diagram: Traditional IT & Security (FW/IDS -> Web -> App -> DB, two parallel stacks) alongside “DevOps? + DevSecOps?” showing the same FW/IDS -> Web -> App -> DB stacks, captioned “What is this?”]

Page 23: ISACA Ireland Keynote 2015

Why is approach so important?

API KEY EXPOSURE -> 8 HRS

DEFAULT CONFIGS -> 24 HRS

SECURITY GROUPS -> 24 HRS

ESCALATION OF PRIVS -> 5 D

KNOWN VULN -> 8 HRS

Page 24: ISACA Ireland Keynote 2015

So let’s recap before we move on to examples…

DevSecOps needs:
• Active Collaboration
• High Engagement
• Smaller Projects
• Smaller Blast Radius
• Experimentation
• Open Contribution
• Fail Fast Culture
• Ability to adapt and learn
• DevOps Understanding
• Focusing on Simplicity

Not this one…

This one!!

Page 25: ISACA Ireland Keynote 2015

Perimeter Testing

THEN
PCI DSS 1.1.1 – Approve/Test/Detect firewall changes
Labor: 40 hours/Annually
Tools: Excel, Text Pad, Open Source or Commercial Config Management
Measure: Certify annually
Impact: High

NOW
Scan API, ingest Config/CloudTrail, trigger firewall audits and revert unapproved changes to heal to spec
Labor: 40 hours/First Year, 8 hours per yr maintain
Tools: APIs, Logs, Open Source, Commercial
Measure: Mean time to Detection, Mean time to Resolve
Impact: Depends on Resource

Page 26: ISACA Ireland Keynote 2015

Configuration Management/Baselines

THEN
PCI DSS 2.2 – Develop & Assure configuration standards for all system components.
Labor: 40 hours/Annually/Per Major Component
Tools: Excel, Text Pad, Open Source or Commercial Config Management
Measure: Certify annually
Impact: High

NOW
Track known good CF stacks & AMIs, alert or neutralize non-compliant/non-approved deploys
Labor: 40 hours/First Year, 1 hour per yr maintain/Per Component
Tools: APIs, Logs, Open Source, Commercial
Measure: Mean time to Detection, Mean time to Resolve
Impact: High
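The two “NOW” rows above (firewall audits that revert unapproved changes, and alerting on deploys that are not from known-good images) share one mechanism: compare what the audit log says happened against an approved baseline and emit a finding with a remediation step. The following is an added example of that mechanism, not code from the keynote or from the devsecops.org project. It assumes simplified CloudTrail-style JSON records (constructed here, with fewer fields than real ones) and a hypothetical baseline dictionary; the security group ids, AMI ids and account number are placeholders.

```python
import json
from dataclasses import dataclass

# Approved baseline (constructed): the "known good" ingress rules per security group as
# (protocol, from_port, to_port, cidr) tuples, plus the allow-list of approved AMIs.
APPROVED_SG_RULES = {
    "sg-0a1b2c3d": {
        ("tcp", 443, 443, "0.0.0.0/0"),
        ("tcp", 22, 22, "10.0.0.0/8"),
    },
}
KNOWN_GOOD_AMIS = {"ami-approved-0001", "ami-approved-0002"}

# Constructed CloudTrail-style events (simplified field set, not real records).
SAMPLE_EVENTS = [
    {   # alice opens SSH to the world: not in the baseline -> revert
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {
            "groupId": "sg-0a1b2c3d",
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
            ]},
        },
    },
    {   # bob re-adds HTTPS to the world: already approved -> no finding
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
        "requestParameters": {
            "groupId": "sg-0a1b2c3d",
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
            ]},
        },
    },
    {   # a deploy role launches one unknown image and one approved image
        "eventName": "RunInstances",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:role/deployer"},
        "requestParameters": {"instancesSet": {"items": [
            {"imageId": "ami-unknown-9999"}, {"imageId": "ami-approved-0001"},
        ]}},
    },
]

@dataclass
class Finding:
    control: str   # which "THEN" control the finding maps back to
    actor: str     # who made the change (user attribution from the log)
    detail: str
    action: str    # the self-healing or alerting step

def rules_from_event(ev):
    """Flatten the nested ipPermissions structure into baseline-style rule tuples."""
    rules = set()
    for perm in ev["requestParameters"]["ipPermissions"]["items"]:
        for rng in perm.get("ipRanges", {}).get("items", []):
            rules.add((perm["ipProtocol"], perm["fromPort"], perm["toPort"], rng["cidrIp"]))
    return rules

def audit_event(ev):
    """Return the findings for one log record (empty list when it matches the baseline)."""
    actor = ev["userIdentity"]["arn"]
    findings = []
    if ev["eventName"] == "AuthorizeSecurityGroupIngress":
        sg = ev["requestParameters"]["groupId"]
        approved = APPROVED_SG_RULES.get(sg, set())
        for rule in rules_from_event(ev) - approved:
            findings.append(Finding("PCI DSS 1.1.1", actor,
                                    f"{sg}: unapproved ingress {rule}",
                                    f"revoke {rule} on {sg}"))
    elif ev["eventName"] == "RunInstances":
        for item in ev["requestParameters"]["instancesSet"]["items"]:
            ami = item["imageId"]
            if ami not in KNOWN_GOOD_AMIS:
                findings.append(Finding("PCI DSS 2.2", actor,
                                        f"launch from non-approved image {ami}",
                                        "alert: quarantine or terminate per policy"))
    return findings

def audit(events):
    """Run every event through the checks; this is the continuously built report."""
    return [f for ev in events for f in audit_event(ev)]

def revert_plan(sg, observed_rules):
    """Diff the observed group state against the baseline: what to revoke, what to restore."""
    approved = APPROVED_SG_RULES.get(sg, set())
    return {"revoke": sorted(observed_rules - approved),
            "restore": sorted(approved - observed_rules)}

if __name__ == "__main__":
    for f in audit(SAMPLE_EVENTS):
        print(json.dumps(f.__dict__))
```

The diff in `revert_plan` is what turns detection into “heal to spec”: the same baseline that flags a change also says exactly which rules to revoke and which to put back, so mean time to resolve is bounded by how often the audit runs rather than by a meeting.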

Page 27: ISACA Ireland Keynote 2015

Encrypting Sensitive Data

THEN
HIPAA 164.312(a)(2)(iv): Implement a method to encrypt and decrypt electronic protected health information.
Labor: 1 FTE minimum per 3 DevOps Teams
Tools: Commercial, Open Source
Measure: Certify annually
Impact: High

NOW
Enforce encryption of all assets by platform or data classification tags. Continuous enforcement and automated detection.
Labor: 8 hours
Tools: APIs, Logs, Open Source, Commercial
Measure: Mean time to Detection, Mean time to Resolve
Impact: High
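An added example of the “NOW” approach above, written for this transcript rather than taken from the keynote: an encryption policy evaluated over a resource inventory, with the two enforcement layers the slide names (by platform, and by data classification tag). The inventory, the tag name `DataClassification`, the remediation text and the fail-closed treatment of untagged resources are all assumptions made for the example.

```python
# Constructed inventory of cloud resources with their classification tags and
# encryption state (sample data, not the output of any real API).
RESOURCES = [
    {"id": "vol-0001", "type": "ebs_volume", "tags": {"DataClassification": "internal"}, "encrypted": False},
    {"id": "vol-0002", "type": "ebs_volume", "tags": {"DataClassification": "phi"}, "encrypted": True},
    {"id": "bucket-claims", "type": "s3_bucket", "tags": {"DataClassification": "phi"}, "encrypted": False},
    {"id": "bucket-public-site", "type": "s3_bucket", "tags": {"DataClassification": "public"}, "encrypted": False},
    {"id": "db-billing", "type": "rds_instance", "tags": {}, "encrypted": False},
]

# Layer 1, by platform: every resource of these types is encrypted, whatever its tags say.
PLATFORM_ENCRYPT_ALL = {"ebs_volume"}
# Layer 2, by data classification tag: these classifications always require encryption.
CLASSIFICATIONS_REQUIRING_ENCRYPTION = {"phi", "confidential"}

# Remediation step per resource type (constructed mapping for the example).
REMEDIATION = {
    "ebs_volume": "snapshot, copy with encryption, swap volume",
    "s3_bucket": "enable default bucket encryption and deny unencrypted PUTs",
    "rds_instance": "restore from snapshot into an encrypted instance",
}

def requires_encryption(res):
    """Return the policy reason a resource must be encrypted, or None if it is out of scope."""
    if res["type"] in PLATFORM_ENCRYPT_ALL:
        return f"platform rule: all {res['type']} encrypted"
    tag = res["tags"].get("DataClassification")
    if tag is None:
        # Assumption: an untagged resource fails closed and is treated as sensitive.
        return "untagged: treated as sensitive until classified"
    if tag.lower() in CLASSIFICATIONS_REQUIRING_ENCRYPTION:
        return f"classification tag {tag!r}"
    return None

def evaluate(resources):
    """Continuous-detection pass: one finding per in-scope resource that is not encrypted."""
    findings = []
    for res in resources:
        reason = requires_encryption(res)
        if reason and not res["encrypted"]:
            findings.append({"id": res["id"], "control": "HIPAA 164.312(a)(2)(iv)",
                             "reason": reason, "action": REMEDIATION[res["type"]]})
    return findings

def compliance_ratio(resources):
    """Security-science style measure: share of in-scope resources that are already encrypted."""
    in_scope = [r for r in resources if requires_encryption(r)]
    if not in_scope:
        return 1.0
    return sum(1 for r in in_scope if r["encrypted"]) / len(in_scope)

if __name__ == "__main__":
    for f in evaluate(RESOURCES):
        print(f)
    print(f"encrypted in-scope ratio: {compliance_ratio(RESOURCES):.2f}")
```

Running this on a fresh inventory each cycle gives the mean-time-to-detection measure directly (the first cycle in which a resource appears in the findings), and the ratio gives the business-facing score the values slide asks for instead of an annual certification.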

Page 28: ISACA Ireland Keynote 2015

Access Management

THEN
NIST 800-53 AC-2(12) – Monitors and report atypical usage of information system accounts.
Labor: 1 FTE minimum
Tools: Commercial, Open Source
Measure: Certify quarterly, annually
Impact: High

NOW
CloudTrail/Config user attribution of use/abuse, ability to reduce team size and allow for smaller containers
Labor: 40 hours Dev, 8 hours Maintain
Tools: APIs, Logs, Open Source, Commercial
Measure: Mean time to Detection, Mean time to Resolve
Impact: High

Page 29: ISACA Ireland Keynote 2015

Multi-Factor Authentication

THEN
NIST 800-53 IA-2 – The information system uniquely identifies and authenticates organizational users
Labor: 1 FTE minimum
Tools: Commercial, Open Source
Measure: Certify annually
Impact: High

NOW
MFA built into APIs and Cloud Platforms can be exposed for authorization decisions
Labor: 1 hour per week
Tools: APIs, Logs, Open Source, Commercial
Measure: Mean time to Resolve
Impact: High
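The Access Management and Multi-Factor Authentication rows above, and the IA-2 provocation on the Small Project slide, describe one self-reporting component: attribute every API call to a user from the audit log, compare it to that account’s normal behaviour (AC-2(12)), and use the session’s MFA state as an authorization input (IA-2). The code below is an added example of that component, not the keynote’s or the devsecops.org project’s code. It assumes simplified CloudTrail-style records (constructed sample data), a hypothetical list of actions that require MFA, and a naive baseline of source IPs, hours and APIs per user; a real profile would use a longer window and some tolerance.

```python
from collections import defaultdict
from datetime import datetime

# Constructed policy: these actions are allowed only from an MFA-authenticated session.
# (An assumption for this example; the slide only says MFA can feed authorization decisions.)
SENSITIVE_ACTIONS = {"StopLogging", "DeleteTrail", "PutBucketPolicy", "CreateUser"}

def _ev(time, user, ip, api, mfa):
    """Build a simplified CloudTrail-style record (constructed sample data, not real logs)."""
    return {
        "eventTime": time, "eventName": api, "sourceIPAddress": ip,
        "userIdentity": {
            "arn": f"arn:aws:iam::111122223333:user/{user}",
            "sessionContext": {"attributes": {"mfaAuthenticated": "true" if mfa else "false"}},
        },
    }

# Baseline window: what "normal" looked like for each account.
BASELINE_EVENTS = [
    _ev("2015-06-01T09:12:00Z", "alice", "203.0.113.10", "DescribeInstances", True),
    _ev("2015-06-01T10:40:00Z", "alice", "203.0.113.10", "RunInstances", True),
    _ev("2015-06-02T14:05:00Z", "alice", "203.0.113.11", "DescribeInstances", True),
    _ev("2015-06-02T11:30:00Z", "bob", "203.0.113.20", "ListBuckets", True),
]

# New window to review against the baseline.
NEW_EVENTS = [
    _ev("2015-06-03T03:02:00Z", "alice", "198.51.100.7", "DescribeInstances", True),  # new IP, 3 am
    _ev("2015-06-03T10:15:00Z", "alice", "203.0.113.10", "StopLogging", False),       # no MFA
    _ev("2015-06-03T10:30:00Z", "alice", "203.0.113.10", "DescribeInstances", True),  # typical
    _ev("2015-06-03T11:00:00Z", "carol", "203.0.113.30", "ListBuckets", True),        # unknown account
]

def parse(ev):
    """Extract the fields the checks need: user, source IP, hour of day, API, MFA flag."""
    user = ev["userIdentity"]["arn"].rsplit("/", 1)[-1]
    hour = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").hour
    attrs = ev["userIdentity"].get("sessionContext", {}).get("attributes", {})
    return user, ev["sourceIPAddress"], hour, ev["eventName"], attrs.get("mfaAuthenticated") == "true"

def build_profiles(events):
    """Per-user profile of source IPs, active hours and APIs seen in the baseline window."""
    profiles = defaultdict(lambda: {"ips": set(), "hours": set(), "apis": set()})
    for ev in events:
        user, ip, hour, api, _ = parse(ev)
        profiles[user]["ips"].add(ip)
        profiles[user]["hours"].add(hour)
        profiles[user]["apis"].add(api)
    return profiles

def atypical_reasons(profiles, ev):
    """AC-2(12): list why this event departs from the account's baseline (empty = typical)."""
    user, ip, hour, api, _ = parse(ev)
    if user not in profiles:
        return ["no baseline for account"]
    p = profiles[user]
    reasons = []
    if ip not in p["ips"]:
        reasons.append(f"new source ip {ip}")
    if hour not in p["hours"]:
        reasons.append(f"unusual hour {hour:02d}")
    if api not in p["apis"]:
        reasons.append(f"first use of {api}")
    return reasons

def mfa_authorized(ev):
    """IA-2 as an authorization decision: sensitive APIs are allowed only with MFA."""
    _, _, _, api, mfa = parse(ev)
    return api not in SENSITIVE_ACTIONS or mfa

def review(profiles, events):
    """Self-reporting output: one record per event that is atypical or MFA-denied."""
    report = []
    for ev in events:
        reasons = atypical_reasons(profiles, ev)
        allowed = mfa_authorized(ev)
        if reasons or not allowed:
            user, _, _, api, _ = parse(ev)
            report.append({"user": user, "api": api, "reasons": reasons, "mfa_authorized": allowed})
    return report

if __name__ == "__main__":
    for row in review(build_profiles(BASELINE_EVENTS), NEW_EVENTS):
        print(row)
```

The same parsed record feeds both decisions, which is the point of building the control as a component: user attribution from the log answers “who”, the profile answers “is this normal”, and the MFA flag answers “should this have been allowed at all”, so a single report covers monitoring and the authorization check without a quarterly review.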

Global Call to Action 2015

Page 30: ISACA Ireland Keynote 2015

Are you ready to make decisions easier?

Page 31: ISACA Ireland Keynote 2015

Or translate security like this?

Page 32: ISACA Ireland Keynote 2015

In the end, isn’t this what we are ALL trying to avoid?

Page 33: ISACA Ireland Keynote 2015

Get Involved and Join the Community

• devsecops.org
• @devsecops on Twitter
• DevSecOps on LinkedIn
• DevSecOps on Github
• RuggedSoftware.org
• Compliance at Velocity
• Join Us !!!
• Spread the word!!!

Page 34: ISACA Ireland Keynote 2015