SlideShare uma empresa Scribd logo

Maturing Your Organization from DevOps to DevSecOps

Amazon Web Services
Amazon Web Services

(1) This document discusses maturing an organization's security practices from DevOps to DevSecOps. It outlines a DevSecOps maturity model with three stages: adopt, expand, and scale. (2) Key learnings from recent cloud security breaches like Equifax and Gemalto are discussed, emphasizing the need for continuous monitoring, prioritizing vulnerable hosts, and securing configurations. (3) The shared responsibility model is explained, with the organization responsible for security "in" the cloud through practices like monitoring network traffic, hosts, applications, user activities, and resource configurations.

1 de 12
Maturing Your Organization from DevOps to DevSecOps Varun Badhwar CEO & Co-founder
RedLock Confidential & Proprietary About Us Founded 2015 and headquartered in Menlo Park, CA Backed by Dell Technologies Capital, Sierra Ventures, Storm Ventures, and other high profile investors Protecting 5+ million resources for a number of high profile customers Finalist for Most Innovative Startup at RSA 2017 San Francisco
RedLock Confidential & Proprietary Cloud Security Learnings from Recent Breaches: Equifax Background: ● Vulnerability in Apache Struts (CVE-2017-5638) ● Apache Struts is used in one of Equifax’s web applications ● Equifax did not upgrade the software in the application ● Hackers scanned the internet for applications running this old software version, found the Equifax server, and compromised it Cloud Security Learnings: ● Vulnerability management tools identify unpatched hosts based on IP addresses ● IP addresses in the cloud are dynamic and constantly changing ● Running periodic scans is ineffective since the IP address of the unpatched hosts may have changed; continuous scanning is required ● Also, unpatched hosts that are exposed to the internet are more vulnerable and should be prioritized * 81% of organizations are not managing host vulnerabilities in the cloud *Cloud Security Trends Report: https://info.redlock.io/cloud-security-trends-oct2017
RedLock Confidential & Proprietary Cloud Security Learnings from Recent Breaches: Gemalto, Aviva & Others Background: ● RedLock CSI team discovered hundreds of unpassword protected Kubernetes administrative consoles ● Hackers executing bitcoin mining commands from some of the Kubernetes containers (examples: Aviva, Gemalto, and others) ● RedLock CSI team discovered access keys and secret tokens stored in plaintext in the containers Cloud Security Learnings: ● Monitor resources to detect misconfigurations and auto-remediate issues ● Monitor inbound and outbound network traffic and correlate with resource configurations to spot suspicious activity ● Monitor user activity for suspicious behaviour to detect insider threats or account compromises *Cloud Security Trends Report: https://info.redlock.io/cloud-security-trends-oct2017
RedLock Confidential & Proprietary Organizations are Responsible for Security “in” the Cloud The Shared Responsibility Model Resource Configurations User Activities Network Traffic Hosts Applications Responsible for security “in” the cloud Organization Hubs Switches Routers Hypervisor Data Center Responsible for security “of” the cloud Cloud Service Provider
RedLock Confidential & Proprietary The Problems You Need to Solve Organization’s Responsibility Network Traffic Real-time network visibility Suspicious traffic detection Incident investigation Hosts Host IDS/IPS Vulnerable host detection Applications Data encryption Data loss prevention Application security monitoring User Activities Account & access key compromise detection Anomalous insider activity detection Privileged activity monitoring Resource Configurations Compliance scanning (CIS, PCI, etc.) Storage, snapshots, & image configuration monitoring VPC, security groups & firewall configuration monitoring IAM configuration monitoring Encryption & key rotation configuration monitoring
RedLock Confidential & Proprietary DevSecOps Maturity Model A framework to evaluate where your organization’s cloud security practices are and where they need to go. Cloud Footprint: ● Dozens of workloads ● Few cloud accounts Stage 1 - Adopt Objectives: ● Compliance assurance ● Policy guardrails Security Solutions: ● CloudTrail analysis (SIEM) ● Configuration monitoring tools Cloud Footprint: ● Hundreds of workloads ● Many cloud accounts Stage 2 - Expand Objectives: ● Central visibility ● Threat detection ● Vulnerability management + Stage 1 Objectives Security Solutions: ● None Cloud Footprint: ● Multiple cloud providers ● Thousands of workloads ● Dozens of cloud accounts Stage 3 - Scale Objectives: ● Auto-remediation ● Incident investigation + Stage 2 Objectives Security Solutions: ● None
RedLock Confidential & Proprietary ● Control identification (CIS, PCI, etc) ● Resource discovery & profiling ● Monitoring & remediation ● Audit reporting RedLock Enables Cloud Threat Defense Compliance Assurance DevSecOps Enablement SOC Enablement ● Resource visibility ● Policy guardrails ● User attribution ● Remediation ● Vulnerability management ● Advanced threat detection ● Cloud forensics ● Remediation
RedLock Confidential & Proprietary RedLock Takes a Holistic Approach 2. CORRELATES DATA USING AI Uses AI to correlate network, user, configuration, and threat intel data. 1. DISCOVERS ENVIRONMENT Ingests data via APIs and automatically discovers resources. No agents, no proxies. CLOUD 360 PLATFORM 3. REMEDIATES RISKS Remediate issues via RedLock or enterprise integrations. ENTERPRISE INTEGRATIONS APIs Resource Configurations User Activity Network Traffic Hosts THIRD PARTY FEEDS APIs
Demo
RedLock Confidential & Proprietary
RedLock Confidential & Proprietary 3 Simple Steps to Security Governance “Get a FREE risk assessment of your public cloud environment Provide RedLock with API access to environment We will set up an account on the RedLock Cloud 360 platform See results immediately 1 2 3

Recomendados

Secure Your Code Implement DevSecOps in Azure
Secure Your Code Implement DevSecOps in AzureSecure Your Code Implement DevSecOps in Azure
Secure Your Code Implement DevSecOps in Azurekloia
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Mohammed A. Imran
 
DevSecOps
DevSecOpsDevSecOps
DevSecOpsJoel Divekar
 
DevSecOps
DevSecOpsDevSecOps
DevSecOpsCheah Eng Soon
 
Implementing DevSecOps
Implementing DevSecOpsImplementing DevSecOps
Implementing DevSecOpsAmazon Web Services
 
Demystifying DevSecOps
Demystifying DevSecOpsDemystifying DevSecOps
Demystifying DevSecOpsArchana Joshi
 
DevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityDevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityAlert Logic
 
The State of DevSecOps
The State of DevSecOpsThe State of DevSecOps
The State of DevSecOpsDevOps Indonesia
 

Recomendados

Secure Your Code Implement DevSecOps in Azure
Secure Your Code Implement DevSecOps in AzureSecure Your Code Implement DevSecOps in Azure
Secure Your Code Implement DevSecOps in Azurekloia
 
Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Practical DevSecOps Course - Part 1
Practical DevSecOps Course - Part 1Mohammed A. Imran
 
DevSecOps
DevSecOpsDevSecOps
DevSecOpsJoel Divekar
 
DevSecOps
DevSecOpsDevSecOps
DevSecOpsCheah Eng Soon
 
Implementing DevSecOps
Implementing DevSecOpsImplementing DevSecOps
Implementing DevSecOpsAmazon Web Services
 
Demystifying DevSecOps
Demystifying DevSecOpsDemystifying DevSecOps
Demystifying DevSecOpsArchana Joshi
 
DevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityDevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityAlert Logic
 
The State of DevSecOps
The State of DevSecOpsThe State of DevSecOps
The State of DevSecOpsDevOps Indonesia
 
DevSecOps 101
DevSecOps 101DevSecOps 101
DevSecOps 101Narudom Roongsiriwong, CISSP
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOpsSetu Parimi
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyJason Suttie
 
DevSecOps What Why and How
DevSecOps What Why and HowDevSecOps What Why and How
DevSecOps What Why and HowNotSoSecure Global Services
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOpsFinto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP IndonesiaStrengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP IndonesiaMohammed A. Imran
 
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSourceDevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSourceDevOps Indonesia
 
Security Process in DevSecOps
Security Process in DevSecOpsSecurity Process in DevSecOps
Security Process in DevSecOpsOpsta
 
Securing Systems at Cloud Scale with DevSecOps
Securing Systems at Cloud Scale with DevSecOpsSecuring Systems at Cloud Scale with DevSecOps
Securing Systems at Cloud Scale with DevSecOpsAmazon Web Services
 
Azure Security Overview
Azure Security OverviewAzure Security Overview
Azure Security OverviewDavid J Rosenthal
 
DevSecOps | DevOps Sec
DevSecOps | DevOps SecDevSecOps | DevOps Sec
DevSecOps | DevOps SecRubal Jain
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference ArchitecturesSonatype
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby StepsPriyanka Aash
 
DevSecOps Implementation Journey
DevSecOps Implementation JourneyDevSecOps Implementation Journey
DevSecOps Implementation JourneyDevOps Indonesia
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD PipelineJames Wickett
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOpsAmazon Web Services
 
DevSecOps: Key Controls for Modern Security Success
DevSecOps: Key Controls for Modern Security SuccessDevSecOps: Key Controls for Modern Security Success
DevSecOps: Key Controls for Modern Security SuccessPuma Security, LLC
 
DEVSECOPS.pptx
DEVSECOPS.pptxDEVSECOPS.pptx
DEVSECOPS.pptxMohammadSaif904342
 
Implementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsImplementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsSuman Sourav
 
DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..Siddharth Joshi
 
Secure and Streamline Access to Your AWS Management Console with Okta PPT
Secure and Streamline Access to Your AWS Management Console with Okta PPTSecure and Streamline Access to Your AWS Management Console with Okta PPT
Secure and Streamline Access to Your AWS Management Console with Okta PPTAmazon Web Services
 
Welcome and AWS Big Data Solution Overview
Welcome and AWS Big Data Solution OverviewWelcome and AWS Big Data Solution Overview
Welcome and AWS Big Data Solution OverviewAmazon Web Services
 

Mais conteúdo relacionado

Mais procurados

Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOpsSetu Parimi
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyJason Suttie
 
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP IndonesiaStrengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP IndonesiaMohammed A. Imran
 
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSourceDevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSourceDevOps Indonesia
 
Security Process in DevSecOps
Security Process in DevSecOpsSecurity Process in DevSecOps
Security Process in DevSecOpsOpsta
 
Securing Systems at Cloud Scale with DevSecOps
Securing Systems at Cloud Scale with DevSecOpsSecuring Systems at Cloud Scale with DevSecOps
Securing Systems at Cloud Scale with DevSecOpsAmazon Web Services
 
DevSecOps | DevOps Sec
DevSecOps | DevOps SecDevSecOps | DevOps Sec
DevSecOps | DevOps SecRubal Jain
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference ArchitecturesSonatype
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby StepsPriyanka Aash
 
DevSecOps Implementation Journey
DevSecOps Implementation JourneyDevSecOps Implementation Journey
DevSecOps Implementation JourneyDevOps Indonesia
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD PipelineJames Wickett
 
DevSecOps: Key Controls for Modern Security Success
DevSecOps: Key Controls for Modern Security SuccessDevSecOps: Key Controls for Modern Security Success
DevSecOps: Key Controls for Modern Security SuccessPuma Security, LLC
 
Implementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsImplementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsSuman Sourav
 
DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..Siddharth Joshi
 

Mais procurados (20)

DevSecOps 101
DevSecOps 101DevSecOps 101
DevSecOps 101
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journey
 
DevSecOps What Why and How
DevSecOps What Why and HowDevSecOps What Why and How
DevSecOps What Why and How
 
Benefits of DevSecOps
Benefits of DevSecOpsBenefits of DevSecOps
Benefits of DevSecOps
 
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP IndonesiaStrengthen and Scale Security Using DevSecOps - OWASP Indonesia
Strengthen and Scale Security Using DevSecOps - OWASP Indonesia
 
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSourceDevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
 
Security Process in DevSecOps
Security Process in DevSecOpsSecurity Process in DevSecOps
Security Process in DevSecOps
 
Securing Systems at Cloud Scale with DevSecOps
Securing Systems at Cloud Scale with DevSecOpsSecuring Systems at Cloud Scale with DevSecOps
Securing Systems at Cloud Scale with DevSecOps
 
Azure Security Overview
Azure Security OverviewAzure Security Overview
Azure Security Overview
 
DevSecOps | DevOps Sec
DevSecOps | DevOps SecDevSecOps | DevOps Sec
DevSecOps | DevOps Sec
 
2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures2019 DevSecOps Reference Architectures
2019 DevSecOps Reference Architectures
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby Steps
 
DevSecOps Implementation Journey
DevSecOps Implementation JourneyDevSecOps Implementation Journey
DevSecOps Implementation Journey
 
DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
DevSecOps: Key Controls for Modern Security Success
DevSecOps: Key Controls for Modern Security SuccessDevSecOps: Key Controls for Modern Security Success
DevSecOps: Key Controls for Modern Security Success
 
DEVSECOPS.pptx
DEVSECOPS.pptxDEVSECOPS.pptx
DEVSECOPS.pptx
 
Implementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in JenkinsImplementing an Application Security Pipeline in Jenkins
Implementing an Application Security Pipeline in Jenkins
 
DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..DevOps to DevSecOps Journey..
DevOps to DevSecOps Journey..
 

Destaque

Secure and Streamline Access to Your AWS Management Console with Okta PPT
Secure and Streamline Access to Your AWS Management Console with Okta PPTSecure and Streamline Access to Your AWS Management Console with Okta PPT
Secure and Streamline Access to Your AWS Management Console with Okta PPTAmazon Web Services
 
Welcome and AWS Big Data Solution Overview
Welcome and AWS Big Data Solution OverviewWelcome and AWS Big Data Solution Overview
Welcome and AWS Big Data Solution OverviewAmazon Web Services
 
Automate the Provisioning of Secure Developer Environments on AWS PPT
Automate the Provisioning of Secure Developer Environments on AWS PPT Automate the Provisioning of Secure Developer Environments on AWS PPT
Automate the Provisioning of Secure Developer Environments on AWS PPTAmazon Web Services
 
Deploy and Enforce Compliance Controls When Archiving Large-Scale Data Stores...
Deploy and Enforce Compliance Controls When Archiving Large-Scale Data Stores...Deploy and Enforce Compliance Controls When Archiving Large-Scale Data Stores...
Deploy and Enforce Compliance Controls When Archiving Large-Scale Data Stores...Amazon Web Services
 
Voice of the Customer: Zocdoc and Elevating Security While Moving to AWS
Voice of the Customer: Zocdoc and Elevating Security While Moving to AWSVoice of the Customer: Zocdoc and Elevating Security While Moving to AWS
Voice of the Customer: Zocdoc and Elevating Security While Moving to AWSAmazon Web Services
 
Guard Against Fraud and Financial Crime with NICE Actimize & AWS PPT
Guard Against Fraud and Financial Crime with NICE Actimize & AWS PPT Guard Against Fraud and Financial Crime with NICE Actimize & AWS PPT
Guard Against Fraud and Financial Crime with NICE Actimize & AWS PPTAmazon Web Services
 
PASS 17 SQL Server on AWS Best Practices
PASS 17 SQL Server on AWS Best PracticesPASS 17 SQL Server on AWS Best Practices
PASS 17 SQL Server on AWS Best PracticesAmazon Web Services
 
PASS 17: RDS SQL Server on Amazon Web Services Overview
PASS 17: RDS SQL Server on Amazon Web Services OverviewPASS 17: RDS SQL Server on Amazon Web Services Overview
PASS 17: RDS SQL Server on Amazon Web Services OverviewAmazon Web Services
 
Incident Response: Preparing and Simulating Threat Response
Incident Response: Preparing and Simulating Threat ResponseIncident Response: Preparing and Simulating Threat Response
Incident Response: Preparing and Simulating Threat ResponseAmazon Web Services
 
Detective Controls: Gain Visibility and Record Change:
Detective Controls: Gain Visibility and Record Change: Detective Controls: Gain Visibility and Record Change:
Detective Controls: Gain Visibility and Record Change: Amazon Web Services
 
Turn Big Data into Big Value on Informatica and AWS
Turn Big Data into Big Value on Informatica and AWSTurn Big Data into Big Value on Informatica and AWS
Turn Big Data into Big Value on Informatica and AWSAmazon Web Services
 
Dev & Test on AWS Webinar October 2017 - IL Webinar
Dev & Test on AWS Webinar October 2017 - IL WebinarDev & Test on AWS Webinar October 2017 - IL Webinar
Dev & Test on AWS Webinar October 2017 - IL WebinarAmazon Web Services
 
Building a Strong Foundation with AWS Storage Services
Building a Strong Foundation with AWS Storage ServicesBuilding a Strong Foundation with AWS Storage Services
Building a Strong Foundation with AWS Storage ServicesAmazon Web Services
 
Big Data Experience Sharing: Building Collaborative Data Analytics Platform -...
Big Data Experience Sharing: Building Collaborative Data Analytics Platform -...Big Data Experience Sharing: Building Collaborative Data Analytics Platform -...
Big Data Experience Sharing: Building Collaborative Data Analytics Platform -...Amazon Web Services
 

Destaque (16)

Secure and Streamline Access to Your AWS Management Console with Okta PPT
Secure and Streamline Access to Your AWS Management Console with Okta PPTSecure and Streamline Access to Your AWS Management Console with Okta PPT
Secure and Streamline Access to Your AWS Management Console with Okta PPT
 
Welcome and AWS Big Data Solution Overview
Welcome and AWS Big Data Solution OverviewWelcome and AWS Big Data Solution Overview
Welcome and AWS Big Data Solution Overview
 
Automate the Provisioning of Secure Developer Environments on AWS PPT
Automate the Provisioning of Secure Developer Environments on AWS PPT Automate the Provisioning of Secure Developer Environments on AWS PPT
Automate the Provisioning of Secure Developer Environments on AWS PPT
 
Future of Enterprise IT
Future of Enterprise IT Future of Enterprise IT
Future of Enterprise IT
 
Deploy and Enforce Compliance Controls When Archiving Large-Scale Data Stores...
Deploy and Enforce Compliance Controls When Archiving Large-Scale Data Stores...Deploy and Enforce Compliance Controls When Archiving Large-Scale Data Stores...
Deploy and Enforce Compliance Controls When Archiving Large-Scale Data Stores...
 
Opportunities derived by AI
Opportunities derived by AIOpportunities derived by AI
Opportunities derived by AI
 
Voice of the Customer: Zocdoc and Elevating Security While Moving to AWS
Voice of the Customer: Zocdoc and Elevating Security While Moving to AWSVoice of the Customer: Zocdoc and Elevating Security While Moving to AWS
Voice of the Customer: Zocdoc and Elevating Security While Moving to AWS
 
Guard Against Fraud and Financial Crime with NICE Actimize & AWS PPT
Guard Against Fraud and Financial Crime with NICE Actimize & AWS PPT Guard Against Fraud and Financial Crime with NICE Actimize & AWS PPT
Guard Against Fraud and Financial Crime with NICE Actimize & AWS PPT
 
PASS 17 SQL Server on AWS Best Practices
PASS 17 SQL Server on AWS Best PracticesPASS 17 SQL Server on AWS Best Practices
PASS 17 SQL Server on AWS Best Practices
 
PASS 17: RDS SQL Server on Amazon Web Services Overview
PASS 17: RDS SQL Server on Amazon Web Services OverviewPASS 17: RDS SQL Server on Amazon Web Services Overview
PASS 17: RDS SQL Server on Amazon Web Services Overview
 
Incident Response: Preparing and Simulating Threat Response
Incident Response: Preparing and Simulating Threat ResponseIncident Response: Preparing and Simulating Threat Response
Incident Response: Preparing and Simulating Threat Response
 
Detective Controls: Gain Visibility and Record Change:
Detective Controls: Gain Visibility and Record Change: Detective Controls: Gain Visibility and Record Change:
Detective Controls: Gain Visibility and Record Change:
 
Turn Big Data into Big Value on Informatica and AWS
Turn Big Data into Big Value on Informatica and AWSTurn Big Data into Big Value on Informatica and AWS
Turn Big Data into Big Value on Informatica and AWS
 
Dev & Test on AWS Webinar October 2017 - IL Webinar
Dev & Test on AWS Webinar October 2017 - IL WebinarDev & Test on AWS Webinar October 2017 - IL Webinar
Dev & Test on AWS Webinar October 2017 - IL Webinar
 
Building a Strong Foundation with AWS Storage Services
Building a Strong Foundation with AWS Storage ServicesBuilding a Strong Foundation with AWS Storage Services
Building a Strong Foundation with AWS Storage Services
 
Big Data Experience Sharing: Building Collaborative Data Analytics Platform -...
Big Data Experience Sharing: Building Collaborative Data Analytics Platform -...Big Data Experience Sharing: Building Collaborative Data Analytics Platform -...
Big Data Experience Sharing: Building Collaborative Data Analytics Platform -...
 

Semelhante a Maturing Your Organization from DevOps to DevSecOps

Session Sponsored by Trend Micro: 3 Secrets to Becoming a Cloud Security Supe...
Session Sponsored by Trend Micro: 3 Secrets to Becoming a Cloud Security Supe...Session Sponsored by Trend Micro: 3 Secrets to Becoming a Cloud Security Supe...
Session Sponsored by Trend Micro: 3 Secrets to Becoming a Cloud Security Supe...Amazon Web Services
 
AWS Summit Auckland Platinum Sponsor presentation - Trend Micro
AWS Summit Auckland Platinum Sponsor presentation - Trend MicroAWS Summit Auckland Platinum Sponsor presentation - Trend Micro
AWS Summit Auckland Platinum Sponsor presentation - Trend MicroAmazon Web Services
 
Managed security services
Managed security servicesManaged security services
Managed security servicesmanoharparakh
 
The Share Responsibility Model of Cloud Computing - ILTA NYC
The Share Responsibility Model of Cloud Computing - ILTA NYCThe Share Responsibility Model of Cloud Computing - ILTA NYC
The Share Responsibility Model of Cloud Computing - ILTA NYCPatrick Sklodowski
 
The Share Responsibility Model of Cloud Computing - ILTA Philadelphia
The Share Responsibility Model of Cloud Computing - ILTA PhiladelphiaThe Share Responsibility Model of Cloud Computing - ILTA Philadelphia
The Share Responsibility Model of Cloud Computing - ILTA PhiladelphiaPatrick Sklodowski
 
AWS November meetup Slides
AWS November meetup SlidesAWS November meetup Slides
AWS November meetup SlidesJacksonMorgan9
 
Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Akash Mahajan
 
VMworld 2013: Enhancing Workplace Mobility and BYOD with the VMware Mobile Se...
VMworld 2013: Enhancing Workplace Mobility and BYOD with the VMware Mobile Se...VMworld 2013: Enhancing Workplace Mobility and BYOD with the VMware Mobile Se...
VMworld 2013: Enhancing Workplace Mobility and BYOD with the VMware Mobile Se...VMworld
 
00. introduction to app sec v3
00. introduction to app sec v300. introduction to app sec v3
00. introduction to app sec v3Eoin Keary
 
Detect and Respond to Threats Better with IBM Security App Exchange Partners
Detect and Respond to Threats Better with IBM Security App Exchange PartnersDetect and Respond to Threats Better with IBM Security App Exchange Partners
Detect and Respond to Threats Better with IBM Security App Exchange PartnersIBM Security
 
AWS Partner Webcast - Web App Security on AWS: How to Make Shared Security Wo...
AWS Partner Webcast - Web App Security on AWS: How to Make Shared Security Wo...AWS Partner Webcast - Web App Security on AWS: How to Make Shared Security Wo...
AWS Partner Webcast - Web App Security on AWS: How to Make Shared Security Wo...Amazon Web Services
 
3 Secrets to Becoming a Cloud Security Superhero
3 Secrets to Becoming a Cloud Security Superhero 3 Secrets to Becoming a Cloud Security Superhero
3 Secrets to Becoming a Cloud Security Superhero Amazon Web Services
 
Automating your AWS Security Operations
Automating your AWS Security OperationsAutomating your AWS Security Operations
Automating your AWS Security OperationsAmazon Web Services
 
Sam Herath - Six Critical Criteria for Cloud Workload Security
Sam Herath - Six Critical Criteria for Cloud Workload SecuritySam Herath - Six Critical Criteria for Cloud Workload Security
Sam Herath - Six Critical Criteria for Cloud Workload Securitycentralohioissa
 
AWS Webcast - Top 3 Ways to Improve Web App Security
AWS Webcast - Top 3 Ways to Improve Web App SecurityAWS Webcast - Top 3 Ways to Improve Web App Security
AWS Webcast - Top 3 Ways to Improve Web App SecurityAmazon Web Services
 
Automating your AWS Security Operations
Automating your AWS Security OperationsAutomating your AWS Security Operations
Automating your AWS Security OperationsEvident.io
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on itWSO2
 
EISA Considerations for Web Application Security
EISA Considerations for Web Application SecurityEISA Considerations for Web Application Security
EISA Considerations for Web Application SecurityLarry Ball
 

Semelhante a Maturing Your Organization from DevOps to DevSecOps (20)

Session Sponsored by Trend Micro: 3 Secrets to Becoming a Cloud Security Supe...
Session Sponsored by Trend Micro: 3 Secrets to Becoming a Cloud Security Supe...Session Sponsored by Trend Micro: 3 Secrets to Becoming a Cloud Security Supe...
Session Sponsored by Trend Micro: 3 Secrets to Becoming a Cloud Security Supe...
 
AWS Summit Auckland Platinum Sponsor presentation - Trend Micro
AWS Summit Auckland Platinum Sponsor presentation - Trend MicroAWS Summit Auckland Platinum Sponsor presentation - Trend Micro
AWS Summit Auckland Platinum Sponsor presentation - Trend Micro
 
Managed security services
Managed security servicesManaged security services
Managed security services
 
The Share Responsibility Model of Cloud Computing - ILTA NYC
The Share Responsibility Model of Cloud Computing - ILTA NYCThe Share Responsibility Model of Cloud Computing - ILTA NYC
The Share Responsibility Model of Cloud Computing - ILTA NYC
 
The Share Responsibility Model of Cloud Computing - ILTA Philadelphia
The Share Responsibility Model of Cloud Computing - ILTA PhiladelphiaThe Share Responsibility Model of Cloud Computing - ILTA Philadelphia
The Share Responsibility Model of Cloud Computing - ILTA Philadelphia
 
AWS November meetup Slides
AWS November meetup SlidesAWS November meetup Slides
AWS November meetup Slides
 
AWS User Group November
AWS User Group NovemberAWS User Group November
AWS User Group November
 
Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014
 
VMworld 2013: Enhancing Workplace Mobility and BYOD with the VMware Mobile Se...
VMworld 2013: Enhancing Workplace Mobility and BYOD with the VMware Mobile Se...VMworld 2013: Enhancing Workplace Mobility and BYOD with the VMware Mobile Se...
VMworld 2013: Enhancing Workplace Mobility and BYOD with the VMware Mobile Se...
 
00. introduction to app sec v3
00. introduction to app sec v300. introduction to app sec v3
00. introduction to app sec v3
 
Detect and Respond to Threats Better with IBM Security App Exchange Partners
Detect and Respond to Threats Better with IBM Security App Exchange PartnersDetect and Respond to Threats Better with IBM Security App Exchange Partners
Detect and Respond to Threats Better with IBM Security App Exchange Partners
 
AWS Partner Webcast - Web App Security on AWS: How to Make Shared Security Wo...
AWS Partner Webcast - Web App Security on AWS: How to Make Shared Security Wo...AWS Partner Webcast - Web App Security on AWS: How to Make Shared Security Wo...
AWS Partner Webcast - Web App Security on AWS: How to Make Shared Security Wo...
 
3 Secrets to Becoming a Cloud Security Superhero
3 Secrets to Becoming a Cloud Security Superhero 3 Secrets to Becoming a Cloud Security Superhero
3 Secrets to Becoming a Cloud Security Superhero
 
Automating your AWS Security Operations
Automating your AWS Security OperationsAutomating your AWS Security Operations
Automating your AWS Security Operations
 
Sam Herath - Six Critical Criteria for Cloud Workload Security
Sam Herath - Six Critical Criteria for Cloud Workload SecuritySam Herath - Six Critical Criteria for Cloud Workload Security
Sam Herath - Six Critical Criteria for Cloud Workload Security
 
AWS Webcast - Top 3 Ways to Improve Web App Security
AWS Webcast - Top 3 Ways to Improve Web App SecurityAWS Webcast - Top 3 Ways to Improve Web App Security
AWS Webcast - Top 3 Ways to Improve Web App Security
 
Automating your AWS Security Operations
Automating your AWS Security OperationsAutomating your AWS Security Operations
Automating your AWS Security Operations
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
 
Rik Ferguson
Rik FergusonRik Ferguson
Rik Ferguson
 
EISA Considerations for Web Application Security
EISA Considerations for Web Application SecurityEISA Considerations for Web Application Security
EISA Considerations for Web Application Security
 

Mais de Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

Mais de Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Maturing Your Organization from DevOps to DevSecOps

  • 1. Maturing Your Organization from DevOps to DevSecOps Varun Badhwar CEO & Co-founder
  • 2. RedLock Confidential & Proprietary About Us Founded 2015 and headquartered in Menlo Park, CA Backed by Dell Technologies Capital, Sierra Ventures, Storm Ventures, and other high profile investors Protecting 5+ million resources for a number of high profile customers Finalist for Most Innovative Startup at RSA 2017 San Francisco
  • 3. RedLock Confidential & Proprietary Cloud Security Learnings from Recent Breaches: Equifax Background: ● Vulnerability in Apache Struts (CVE-2017-5638) ● Apache Struts is used in one of Equifax’s web applications ● Equifax did not upgrade the software in the application ● Hackers scanned the internet for applications running this old software version, found the Equifax server, and compromised it Cloud Security Learnings: ● Vulnerability management tools identify unpatched hosts based on IP addresses ● IP addresses in the cloud are dynamic and constantly changing ● Running periodic scans is ineffective since the IP address of the unpatched hosts may have changed; continuous scanning is required ● Also, unpatched hosts that are exposed to the internet are more vulnerable and should be prioritized * 81% of organizations are not managing host vulnerabilities in the cloud *Cloud Security Trends Report: https://info.redlock.io/cloud-security-trends-oct2017
  • 4. RedLock Confidential & Proprietary Cloud Security Learnings from Recent Breaches: Gemalto, Aviva & Others Background: ● RedLock CSI team discovered hundreds of unpassword protected Kubernetes administrative consoles ● Hackers executing bitcoin mining commands from some of the Kubernetes containers (examples: Aviva, Gemalto, and others) ● RedLock CSI team discovered access keys and secret tokens stored in plaintext in the containers Cloud Security Learnings: ● Monitor resources to detect misconfigurations and auto-remediate issues ● Monitor inbound and outbound network traffic and correlate with resource configurations to spot suspicious activity ● Monitor user activity for suspicious behaviour to detect insider threats or account compromises *Cloud Security Trends Report: https://info.redlock.io/cloud-security-trends-oct2017
  • 5. RedLock Confidential & Proprietary Organizations are Responsible for Security “in” the Cloud The Shared Responsibility Model Resource Configurations User Activities Network Traffic Hosts Applications Responsible for security “in” the cloud Organization Hubs Switches Routers Hypervisor Data Center Responsible for security “of” the cloud Cloud Service Provider
  • 6. RedLock Confidential & Proprietary The Problems You Need to Solve Organization’s Responsibility Network Traffic Real-time network visibility Suspicious traffic detection Incident investigation Hosts Host IDS/IPS Vulnerable host detection Applications Data encryption Data loss prevention Application security monitoring User Activities Account & access key compromise detection Anomalous insider activity detection Privileged activity monitoring Resource Configurations Compliance scanning (CIS, PCI, etc.) Storage, snapshots, & image configuration monitoring VPC, security groups & firewall configuration monitoring IAM configuration monitoring Encryption & key rotation configuration monitoring
  • 7. RedLock Confidential & Proprietary DevSecOps Maturity Model A framework to evaluate where your organization’s cloud security practices are and where they need to go. Cloud Footprint: ● Dozens of workloads ● Few cloud accounts Stage 1 - Adopt Objectives: ● Compliance assurance ● Policy guardrails Security Solutions: ● CloudTrail analysis (SIEM) ● Configuration monitoring tools Cloud Footprint: ● Hundreds of workloads ● Many cloud accounts Stage 2 - Expand Objectives: ● Central visibility ● Threat detection ● Vulnerability management + Stage 1 Objectives Security Solutions: ● None Cloud Footprint: ● Multiple cloud providers ● Thousands of workloads ● Dozens of cloud accounts Stage 3 - Scale Objectives: ● Auto-remediation ● Incident investigation + Stage 2 Objectives Security Solutions: ● None
  • 8. RedLock Confidential & Proprietary ● Control identification (CIS, PCI, etc) ● Resource discovery & profiling ● Monitoring & remediation ● Audit reporting RedLock Enables Cloud Threat Defense Compliance Assurance DevSecOps Enablement SOC Enablement ● Resource visibility ● Policy guardrails ● User attribution ● Remediation ● Vulnerability management ● Advanced threat detection ● Cloud forensics ● Remediation
  • 9. RedLock Confidential & Proprietary RedLock Takes a Holistic Approach 2. CORRELATES DATA USING AI Uses AI to correlate network, user, configuration, and threat intel data. 1. DISCOVERS ENVIRONMENT Ingests data via APIs and automatically discovers resources. No agents, no proxies. CLOUD 360 PLATFORM 3. REMEDIATES RISKS Remediate issues via RedLock or enterprise integrations. ENTERPRISE INTEGRATIONS APIs Resource Configurations User Activity Network Traffic Hosts THIRD PARTY FEEDS APIs
  • 10. Demo
  • 11. RedLock Confidential & Proprietary
  • 12. RedLock Confidential & Proprietary 3 Simple Steps to Security Governance “Get a FREE risk assessment of your public cloud environment Provide RedLock with API access to environment We will set up an account on the RedLock Cloud 360 platform See results immediately 1 2 3