#RSAC
SESSION ID: PROF-T11
Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World!
Shannon Lietz
Director, DevSecOps, Intuit
@devsecops
Take Responsibility. Give Credit.
@seniorstoryteller
[Timeline figure, "<me />": years 1984, 1989, 1996, 2001, 2011 marking the roles Developer, Operations, Security, "Rugged" and "DevSecOps"; present: founder, Safer Software Sooner.]
How we’ll spend our time today…
Educate + Learn = Apply, so that we can achieve safer software sooner in our lifetime.
…the next generation of security is ours to ignite!
In hopes of speeding up your journey and inspiring you to rebel in your own way… I have banged my head against the wall many times to bring you these lessons…
Most say it’s never a good idea to break the rules... until the forces of change demand it.
Software is eating the world!!!
http://www.wsj.com/articles/SB10001424053111903480904576512250915629460
- Marc Andreessen, 2011
DevOps is eating the world!!!
Imagine solving the world’s problems faster by collaborating and taking responsibility. In connection with Cloud Computing, DevOps is the cultural enabler needed to scale creativity and innovation. With the goal of solving customer problems faster, no wonder DevOps is taking over.
~1500% increase in 2 years
Cloud is eating the world!!!
Public Cloud adoption is accelerating at a rapid pace… Software defined environments allow scale to happen and more decisions to be made daily… More people can experiment, learn and fail at a rapid pace to solve for customer demand… Creativity is the next frontier…
http://www.geekwire.com/2016/study-aws-45-share-public-cloud-infrastructure-market-microsoft-google-ibm-combined/
Security is blocking the world!!! <- Say What???
“THIS IS THE END OF SECURITY AS WE KNOW IT… AND ISN’T IT A GOOD THING!” - Josh Corman
Security is viewed as the proctologist of the technology universe… and we really need to change this perception! (@petecheslock)
http://www.flowmotioncafe.com
Unicorns suck!!!!
WE MUST AVOID SECURITY EXTINCTION…
[Figure, "Security DNA": DevOps, Cloud, Leader, Mobile, IoT, End Users]
Culture Hacking
Traditional Security -> DEVSECOPS
Security is Everyone’s Responsibility
Why is this necessary?
[Wardley map of the security landscape. Horizontal axis, evolution: genesis, custom-built, product (+rental), commodity (+utility); vertical axis, value: visible to invisible, anchored on the customer. Plotted components include devsecops, compute, cloud, compliance, compliance as code, informational website, domain names, devops, continuous deployment, continuous integration, transparent security, rugged software, fewer better suppliers, security as code, agile, mobile, customer-driven innovation, traditional SDLC, traditional security, web app, search engine, red team and penetration testing, with bands labelled emerging, growth and commodity bound.]
Catching up takes commitment
How hard could it be?
[Pipeline figure with the stages Source Code, CI Server, Test & Scan, Artifacts, Deploy and Monitoring]
DevOps Code - Creating Value & Availability
DevSecOps Code - Creating Trust & Confidence
What type of skills are required?
[Skills matrix: for each of Developer, Sys Admin and Security Engineer, the Dev, Sec and Ops columns are marked as competency needed, skill, or functional]
Is everyone bought in?
Management has some firm requirements due to financial commitments and reporting. DevOps and Innovation can easily live in 3 out of 4 boxes but hardly like Control. Security practitioners tend to write policies and distrust everyone not them; rightfully so, 1% insider threat is a lot!
[Culture quadrant figure: Control, Collaboration, Cultivation, Competence, laid out on a people vs. company axis and a reality vs. possibility axis]
Who can help?
Forming the C.A.T. Team:
• Big bet: 10 rare people in 6 months
• Hire for passion
• Remove barriers (logical and physical)
• Mixed skills and levels
C.A.T.T. aka Cyber Attack Tiger Team
Bring big leadership skills if you want to wrangle big cats…
At first, it looked a lot like this…
Offices fostered the wrong culture
• Break down the walls
• Long flat tables
• Lounge areas
• Continuous Learning
• Increase communication
• Small teams with purpose
• Take a walk
• Difficult discussions
• Dedicated to success
How do I avoid being eaten by big CATTs?
FROM -> TO
Authority -> Inspiration
Structured policies -> First principles
Command & control -> Value driven
Risk mitigated -> Risk balanced
Approvals -> Lessons learned
Goals matter…
Without a goal you are neither a great leader nor a good follower…
[Timeline figure, 0 to 15 years, ending at “Security is done!”]
HPO starts with team principles…
• Everyone is learning
• No one left behind
• Don’t hug your code
• Check your ego at the door
• One for all
Measure for crunchiness once a week…
Confidence is critical…
• Operating model must increase confidence at all stages
• Opt for Coaching vs. Managing
• Increase communication
• Patience pays off
• Keep it blameless
[Figure: confidence curve across the stages aware, understand, commit and operate]
Does your team keep score?
• Everyone can be a hero!
• Keeping score is fun!
• Outcomes driven by the team provide greater value
• Understanding how to score is empowering
• Brings us together…
http://www.4dxbook.com/blog/people-play-differently-when-theyre-keeping-score/
This path gave us DevSecOps…
DevSecOps
• Security Engineering: Experiment, Automate, Test
• Security Operations: Hunt, Detect, Contain
• Compliance Operations: Respond, Manage, Train
• Security Science: Learn, Measure, Forecast
Enabled us to understand the problem space…
• Gating processes are not Deming-like
• Security is a design constraint
• Decisions made by engineering teams
• Hard to avoid business catastrophes by applying one-size-fits-all strategies
• Security defects are more like a security “recall”
[Lifecycle figure: phases design, build, deploy, operate, with the questions “How do I secure my app?”, “What component is secure enough?”, “How do I secure secrets for the app?” and “Is my app getting attacked? How?”. Typical gates for security checks & balances sit between the phases. Mistakes and drift often happen after the design and build phases and result in weaknesses and potentially exploits; the most costly mistakes happen during design. Goal: a faster security feedback loop.]
Gave us the courage to question everything…
Operating Model
• Determine defect and feature flows for Security to funnel to distributed teams
• Inventory work processes, guidelines, policies, experiments, data and tools
• Identify groups, roles and skills required to support processes
• Identify friction and measure speed of MTTR
• Identify types of decisions
• Identify metrics for measuring experiments and adapting processes
Processes
• Implement Code & Infrastructure Guidelines
• Implement Rules Engineering Processes
• Implement Security Defect Reporting
• Implement Consulting and Requests Process
• Implement Infrastructure Templates
• Implement Red Team & SOC Processes
• Implement Manual Staging Processes
• Implement a Decisions Process
• Implement an Escalation Process with clear stakeholders
Tooling
• All systems should be run with API inspection available via a Security Fabric. (Systems without inspection require manual intervention.)
• Implement Security Portal for feedback consolidation across security processes
• Implement Case Management for Requests, Defects, and Incidents
• Implement Testing framework
• Implement Correlation engine
• Implement foundational security controls
• Integrate with core organizational systems
n number of experiments to refine processes and automate where possible
Outcomes
• Identified opportunities to develop capacity without increasing risk to too high a level
• Inventory provides information for Decisions board to help with risk decisions
• Decisions board with clear escalation path by type of decision
• Ability to Communicate and Train on initial processes
• Consistent Ins/Outs of Dynamic Work with standard templates
• SDE helps with reducing manual efforts
• Ability to build up capacity for Stage Two
Expected Issues: Communication changes, adaptation of skills, decisions processes, expectations, audits and risk guidelines mismatch
Empowered us to challenge the status quo…
• API KEY EXPOSURE -> 8 HRS
• DEFAULT CONFIGS -> 24 HRS
• SECURITY GROUPS -> 24 HRS
• ESCALATION OF PRIVS -> 5 D
• KNOWN VULN -> 8 HRS
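To make the remediation targets above measurable (and feed the MTTR metric the operating model asks for), here is an added example in Python that is not from the talk: it ages a constructed set of defect records against these SLAs, flags breaches, and computes mean time to remediate per class. The class names and the sample records are my own.

```python
from datetime import datetime, timedelta

# Remediation targets from the slide; the class names are hypothetical labels.
SLA = {
    "api_key_exposure":     timedelta(hours=8),
    "default_config":       timedelta(hours=24),
    "security_group":       timedelta(hours=24),
    "privilege_escalation": timedelta(days=5),
    "known_vuln":           timedelta(hours=8),
}

# Constructed sample records (id, class, opened, closed); closed=None means still open.
DEFECTS = [
    ("D-1", "api_key_exposure",     "2016-03-01T09:00", "2016-03-01T15:30"),
    ("D-2", "api_key_exposure",     "2016-03-02T10:00", "2016-03-03T08:00"),
    ("D-3", "default_config",       "2016-03-02T12:00", "2016-03-03T06:00"),
    ("D-4", "privilege_escalation", "2016-03-01T00:00", None),
    ("D-5", "known_vuln",           "2016-03-04T08:00", "2016-03-04T12:00"),
]

def _age(defect, now):
    """Elapsed time from open to close, or to `now` if the defect is still open."""
    _, _, opened, closed = defect
    end = datetime.fromisoformat(closed) if closed else now
    return end - datetime.fromisoformat(opened)

def breaches(defects, now_iso):
    """IDs of defects (open or closed) whose age exceeds the SLA for their class."""
    now = datetime.fromisoformat(now_iso)
    return [d[0] for d in defects if _age(d, now) > SLA[d[1]]]

def hours_remaining(defects, now_iso):
    """Open defects mapped to hours left before SLA breach (negative = overdue)."""
    now = datetime.fromisoformat(now_iso)
    return {d[0]: (SLA[d[1]] - _age(d, now)).total_seconds() / 3600
            for d in defects if d[3] is None}

def mttr_hours(defects):
    """Mean time to remediate per class, in hours, over closed defects only."""
    per_class = {}
    for d in defects:
        if d[3] is not None:
            per_class.setdefault(d[1], []).append(_age(d, None).total_seconds() / 3600)
    return {cls: sum(v) / len(v) for cls, v in per_class.items()}

if __name__ == "__main__":
    print("breached:", breaches(DEFECTS, "2016-03-07T00:00"))
    print("open, hours left:", hours_remaining(DEFECTS, "2016-03-07T00:00"))
    print("MTTR by class:", mttr_hours(DEFECTS))
```

Closed defects are judged on their actual open-to-close time, so a late fix still counts as a breach in the weekly score.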
Got us to communicate with developers like a developer…
Made us think about how to shift left…
Everyone knows Maslow… If you can remember 5 things, remember these ->
“Apps & data are as safe as where you put it, what’s in it, how you inspect it, who talks to it, and how it’s protected…”
Helped us blaze a trail so others could succeed too…
How do I learn more about this?
It is time to change…
• Get involved.
• Write an article.
• Give and take feedback.
• Contribute to Open Source.
• Give feedback.
• Volunteer.