Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security by builders - セキュリティ監視をクラウドで「つくる」 / Security by builders

Hokuto Hoshi
September 25, 2019
Technology
7
2.4k

Security by builders - セキュリティ監視をクラウドで「つくる」 / Security by builders

Hokuto Hoshi

September 25, 2019
Tweet

More Decks by Hokuto Hoshi

See All by Hokuto Hoshi
Connecting organisation with Technology
kanny
0
44
Why Slack - 5 years of Cookpad with Slack
kanny
0
13
セキュリティ担当者から見た re:Invent と AWS Security Hub / Impression of re:Invent and AWS Security Hub
kanny
2
4k
自由でセキュアな環境のつくりかた / Building free and secure cloud environment
kanny
1
4.4k
事例でわかる、AWS 運用を支える
サポート活用方法と
エンタープライズサポートという選択 / AWS Enterprise Support and Cookpad
kanny
2
2.1k
AWS で加速する機械学習 / Accelerate Machine Learning with AWS
kanny
0
840
クックパッドのログをいい感じにしているアーキテクチャ / Logging architecture at Cookpad
kanny
23
14k
クックパッドの機械学習を支える基盤のつくりかた / Machine Learning ops at Cookpad
kanny
3
8.2k
cookpad.com 全 HTTPS 化の軌跡
kanny
30
21k

Other Decks in Technology

See All in Technology
hacomonoポストモーテムの取り組み(2023/09)
hacomono
1
510
組織・プロセス・技術 - フロントエンドの生産性向上への複眼的アプローチ / 20230921
bengo4com
3
690
ドラッグ&ドロップを支える技術
takatsunobuhiro
0
130
「挑戦しなければ障害は生まれない」 社内ポストモーテム共有会について
sheep_san_white
0
380
Generative UX in LLM Application
huffon
1
370
kanto_kaggler_senkin13
senkin13
0
540
UIコンポーネントライブラリをうまく使うためにできること / components-with-designer
mottox2
4
1.9k
KubernetesにおけるSBOMを利用した脆弱性管理/Vulnerability_Management_with_SBOM_in_Kubernetes
takumakume
0
330
【新卒研修資料】基礎統計学 / Basic of statistics
brainpadpr
72
47k
データベーススペシャリストというキャリアと生存戦略 ~10年後も変わらないこと、変わること / career-spiral
soudai
16
4.5k
[PHPカンファレンス沖縄2023]【実践編】良いプロダクト作りのための組織育成 健全なコードは健全な組織、健全なチームから
ikezoemakoto
1
190
Better PHP - Keep your code up to date
wernerkrauss
1
120

Featured

See All Featured
What the flash - Photography Introduction
edds
64
11k
Automating Front-end Workflow
addyosmani
1354
200k
Support Driven Design
roundedbygravity
91
9.2k
Robots, Beer and Maslow
schacon
154
7.6k
Web Components: a chance to create the future
zenorocha
304
41k
No one is an island. Learnings from fostering a developers community.
thoeni
14
1.8k
Teambox: Starting and Learning
jrom
125
8.1k
How GitHub Uses GitHub to Build GitHub
holman
466
280k
Become a Pro
speakerdeck
PRO
8
3.5k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
657
120k
The Invisible Customer
myddelton
113
12k
Rails Girls Zürich Keynote
gr2m
90
12k

Transcript

  1. Security by builders
    ηΩϡϦςΟ؂ࢹΛΫϥ΢υͰʮͭ͘Δʯ
    Hokuto Hoshi
    VP of Technology, Cookpad Inc.
    [email protected]

    View Slide

  2. ੕ ๺ే (΄͠ ΄͘ͱ) / @kani_b
    • ΫοΫύουגࣜձࣾ VP of Technology

    ؂ࠪҕһձ ؂ࠪิॿऀ
    • શࣾԣஅͰͷ৘ใηΩϡϦςΟϦʔυ΋΍͍ͬͯ·͢
    • Site Reliability & Security Engineer
    • AWS ೝఆ SA, DevOps ΤϯδχΞ (Professional)
    • 2013೥৽ଔೖࣾ, AWS ར༻ྺ͸9೥͘Β͍

    View Slide

  3. View Slide

  4. View Slide

  5. View Slide

  6. View Slide

  7. View Slide

  8. View Slide

  9. View Slide

  10. View Slide

  11. View Slide

  12. View Slide

  13. View Slide

  14. View Slide

  15. View Slide

  16. View Slide

  17. ΫοΫύουͱ AWS
    • 2011೥ʹ׬શҠߦ
    • 2ͭͷϦʔδϣϯΛओʹར༻
    • 400 Ҏ্ͷ ECS αʔϏε͕ EC2 Spot Πϯελϯε্ͰՔಇ
    • શͯͷϢʔβ޲͚αʔϏε͸͜͜Ͱಈ͍͍ͯΔ

    View Slide

  18. ΫοΫύουͱΫϥ΢υ
    • ࣾ಺γεςϜ΋΄΅શ͕ͯ AWS ্·ͨ͸ SaaS ͱͯ͠Քಇ
    • ࣗલӡ༻ΛۃྗݮΒ͢ߏ੒
    • ΦϑΟεʹ͋Δ΋ͷ͸ωοτϫʔΫػثͷΈ

    View Slide

  19. ΫοΫύουʹ͓͚Δ
    ৘ใηΩϡϦςΟͷҙຯ

    View Slide

  20. Α͘ฉ͔ΕΔ͜ͱ
    • ʮϨγϐαʔϏεʹ৘ใηΩϡϦςΟ͕ඞཁͳΜͰ͔͢ʁʯ

    View Slide

  21. Α͘ฉ͔ΕΔ͜ͱ
    • ʮϨγϐαʔϏεʹ৘ใηΩϡϦςΟ͕ඞཁͳΜͰ͔͢ʁʯ
    • A. ඞཁ͔ͭෆՄܽͰ͢

    View Slide

  22. ʮຖ೔ͷྉཧʯͱ৘ใηΩϡϦςΟ
    • Ϩγϐσʔλɺࣸਅɺίϝϯτɺϩάɺ༷ʑͳσʔλ
    • ৯ࣄ͸ਓؒͷੜ׆ͱີ઀ʹඥͮ͘
    • μΠΤοτ΍ಛఆͷපؾͳͲϓϥΠόγʹؔΘΔ৘ใ΋
    • ΑΓ਎ۙʹ࢖͍͚ͬͯͨͩΔαʔϏεͰ͋Γଓ͚ΔͨΊʹ

    ৴པΛಘͯ৘ใΛ༬͔Γɺ੹೚ΛՌͨ͢͜ͱ͕ॏཁ

    View Slide

  23. कΔ΂͖ΤϦΞ
    • શࣾࢹ఺ʹཱͬͨରࡦ͕ॏཁ
    • Ϣʔβ޲͚αʔϏε
    • ࣾ಺γεςϜ
    • ৘ใͷऔΓѻ͍ํͳͲϧʔϧ΍ӡ༻
    • ͋ΒΏΔηΩϡϦςΟ՝୊ʹνʔϜͱͯ͠ରԠ

    View Slide

  24. ࣮ࡍͷରࡦ΍ӡ༻

    View Slide

  25. جຊతͳߟ͑ํ
    • ϧʔϧ΍ΦϖϨʔγϣϯͰͳٕ͘ज़΍࢓૊ΈͰकΔ
    • ૿Ճ͠ଓ͚ΔτϥϑΟοΫʹରԠͰ͖ͳ͍
    • ਓؒ͸ඞͣϛεΛ͢Δ
    • Ϋϥ΢υͱͷ੹೚ڥքΛೝࣝɺ೚ͤΔͱ͜Ζ͸೚ͤΔ
    • ๷ޚ100%Ͱͳ͘ “Կ͕ى͖͔ͨΘ͔Δ” ঢ়ଶΛ໨ࢦ͢

    View Slide

  26. ๷ޚ100%Ͱ͸ͳ͍ཧ༝
    • ʮ׬શͳ๷ޚʯ͸ଘࡏ͠ͳ͍
    • ׬શʹ͚ۙͮΔ΄ͲίϯϑϦΫτ͕ى͖΍͍͢
    • ๷ޚਫ਼౓Λ1%্͛Δίετ > ݕ஌ਫ਼౓Λ্͛Δίετ
    • ૯߹֨ಆٕͱͯ͠औΓ૊Ή

    View Slide

  27. ηΩϡϦςΟγεςϜͷઃܭํ਑
    • ๷ޚ͢ΔͨΊͷ࢓૊Έ΍ϩΪϯάγεςϜ: ηϯαʔ
    • ηϯαʔ͔ΒσʔλΛूΊɺ؂ࢹɾ෼ੳ͢Δ
    ๷ޚ ݕ஌ ରԠ

    View Slide

  28. ηϯαʔ
    • AWS ͷηΩϡϦςΟαʔϏε
    • Amazon CloudTrail, Amazon GuardDuty, AWS WAF, etc
    • ηΩϡϦςΟ੡඼
    • IDS, EDR, ίϯςφΠϝʔδεΩϟϯ, NGFW, etc
    • ͋ΒΏΔϩά
    • ΞΫηεϩά, OS ͷϩά, ΦϑΟεεΠʔτͷϩά, etc

    View Slide

  29. ௚໘͢Δ໰୊
    • ऩू͢Δϩάͷྲྀྔ΍छྨ͕ଟ͗͢Δ
    • τϥϑΟοΫ΍औΓࠐΉγεςϜͷ૿Ճ
    • ίετ૿ʹ௚݁
    • ࢢൢͷ SIEM ΍ SaaS ͷඅ༻͸ओʹετϨʔδʹ͔͔Δ
    • ͦͷͨΊʹϩάͷྔΛߜΔͷ͸ຊ຤స౗
    • ෼ੳ࣌ʹ͸͡ΊͯϑΟϧλ͞ΕΔ΂͖

    View Slide

  30. OSS ͷྗΛआΓΔ
    • Graylog: ϩάϚωδϝϯτͷͨΊͷ OSS
    • ϩάͷશจݕࡧɺՄࢹԽɺΞϥʔςΟϯάͳͲ͕Մೳ
    • ਫฏεέʔϧ͢Δઃܭʹͳ͍ͬͯΔ
    • Elasticsearch ͕όοΫΤϯυ
    • Amazon Elasticsearch Service Ͱলྗӡ༻

    View Slide

  31. Graylog ͷల։
    ϩά
    EC2 Instances Network Load Balancer Elasticsearch Service
    Graylog

    Instance
    Security Engineer
    ෼ੳ
    Application

    Load Balancer

    View Slide

  32. ΑΓͨ͘͞ΜͷϩάΛऔΓࠐΉͨΊʹ
    • ϩάͷૹΓઌ͕τϥϑΟοΫΛड͚͖Εͳ͘ͳΔ
    • όοΫΤϯυʹٻΊΒΕΔՄ༻ੑ΋ඇৗʹߴ͘ͳΔ
    • શͯͷϩά͸ Amazon S3 ʹҰ౓อଘ͔ͯ͠Βॲཧ
    • ߴՄ༻Ͱεέʔϧ͢Δ෼ࢄετϨʔδ
    • όοϑΝΛઃ͚Δ͜ͱͰߏ੒ΛॊೈʹͰ͖Δ
    • อଘͨ͠ϑΝΠϧΛ AWS Lambda Ͱલॲཧͯ͠ Graylog ΁֨ೲ

    View Slide

  33. ϩάอ࣋ظؒͷ໰୊
    • ΦϯϥΠϯετϨʔδ͸௿ϨΠςϯγ, ߴίετ (Elasticsearch)
    • શͯͷϩάΛΦϯϥΠϯʹ͓ͯ͘͠ඞཁ͸ͳ͍
    • Ұఆظؒܦͬͨϩά͸ Graylog ͔Β࡟আͯ͠ S3 ͷΈͰอ࣋
    • ඞཁͳࡍ͸ Amazon Athena ͔ΒΫΤϦՄೳ
    • ௿ίετ͔ͭे෼ߴ଎ʹݕࡧɾ෼ੳͰ͖Δ

    View Slide

  34. εέʔϧ͢ΔΞʔΩςΫνϟ΁
    EC2 Instances
    Office
    GuardDuty, CloudTrail, etc
    ….
    Kinesis

    Firehose
    Lambda
    Function
    S3 Bucket
    Athena
    Graylog ΁
    EC2 Instances
    Lambda
    Function

    View Slide

  35. εέʔϧ͢ΔΞʔΩςΫνϟ΁
    EC2 Instances
    Office
    GuardDuty, CloudTrail, etc
    ….
    Kinesis

    Firehose
    Lambda
    Function
    S3 Bucket
    Athena
    Graylog ΁
    EC2 Instances
    Lambda
    Function
    ηϯαʔ ू໿ ஝ੵɾอ࣋ ؂ࢹɾ෼ੳ

    View Slide

  36. ϩάͷ෼ੳɾݕ஌
    • ݕ஌γεςϜΛ AWS Lambda Λ࢖࣮ͬͯ૷
    • ࣗಈԽ, লྗԽͷ࣮ݱ
    • ίʔυهड़ͰಘΒΕΔॊೈੑɺอकੑͷ޲্ɺଐਓੑͷഉআ
    • ૿Ճ͠ଓ͚Δϩάʹର͢ΔεέʔϥϏϦςΟΛಘΔ

    View Slide

  37. https://speakerdeck.com/mizutani/techconf2019-mizutani

    View Slide

  38. ໰୊ʹରͯ͠
    • ऩू͢Δϩάͷྲྀྔ΍छྨ͕ଟ͗͢Δ
    • εέʔϧՄೳͳΞʔΩςΫνϟʹΑͬͯड͚ࢭΊΒΕΔΑ͏ʹ
    • ίετ૿ʹ௚݁
    • ΑΓ҆ՁͳετϨʔδΛ࢖͑ΔΞʔΩςΫνϟͷ࠾༻
    • ࣗಈԽɺϚωʔδυαʔϏεར༻Ͱӡ༻΋লྗԽ

    View Slide

  39. ݱࡏͷঢ়گ
    • ࣾ಺֎ͷ༷ʑͳγεςϜͷϩάΛऩूɺ෼ੳ
    • Ұ೔͋ͨΓ 140GB Ҏ্ͷϩάΛॲཧ
    • Ұൠతͳϩά؅ཧ੡඼ͱൺֱͯ͠ 1/4 ҎԼͷίετ
    • 2໊Ͱӡ༻

    View Slide

  40. Security by builders:

    ͜Ε͔ΒͷϢʔβاۀͷηΩϡϦςΟ

    View Slide

  41. ʮηΩϡϦςΟରࡦʯ͸౰ͨΓલʹͳͬͨ
    • ߈ܸ͸ΑΓ༰қʹɺΑΓ೔ৗతʹ
    • ͲΜͳαΠζͷ૊৫΋ηΩϡϦςΟΛؾʹ͍ͯ͠Δ
    • ηΩϡϦςΟͷͨΊͷ੡඼΍αʔϏε͸૿Ճ͠ଓ͚͍ͯΔ

    View Slide

  42. ʮങͬͯઃஔʯ͚ͩͰ͸ෆे෼
    • ର৅ʹ߹Θͤͨߴ౓ͳ߈ܸ
    • e.g.) Web ΞϓϦέʔγϣϯʹର͢Δ߈ܸ, ඪతܕ߈ܸ
    • ʮίϯςΩετʯͷ࣮૷͸౰ࣄऀʹ͔͠Ͱ͖ͳ͍
    • ըҰతͳ๷ޚ͚ͩͰͳ͘γεςϜ΍؀ڥʹ߹Θͤͨݕ஌ɾରԠ
    • e.g.) ΞϓϦέʔγϣϯϩάͷ෼ੳ, ࣾ಺γεςϜͱͷ࿈ܞ

    View Slide

  43. σʔλऩूͱݕ஌
    • ࿈ܞͷ伴͸σʔλ (ϩά, Ξϥʔτ, etc)
    • ηΩϡϦςΟ੡඼͚ͩͰͳ͍σʔλͷऩूͱ෼ੳ͕ඞཁ͕ͩ…
    • ӡ༻ʹਓख΋ۚમίετ΋͔͔Δ
    • τϥϑΟοΫ૿ՃʹΑΓ͞Βʹ૿େ
    • ӡ༻ऀʹ΋࢖͍΍͘͢εέʔϧ͢Δ࢓૊Έͮ͘Γ͕ෆՄܽ

    View Slide

  44. Ϋϥ΢υͰηΩϡϦςΟΛʮͭ͘Δʯ
    • αʔϏε΍૊৫ͷίϯςΩετΛηΩϡϦςΟγεςϜʹؚΊΔ
    • ϚωʔδυαʔϏεΛར༻ͭͭ͠औΓ૊Ή΂͖ՕॴʹऔΓ૊Ή
    • AWS Λ࢖ͬͨηΩϡϦςΟͷՄೳੑ
    • εέʔϥϒϧͳσʔλॲཧج൫ (S3, Athena, Kinesis, EMR, Redshift..)
    • ҟৗݕ஌ͷ࣮૷ (SageMaker, Forecast)
    • ࣮ੈքͷηΩϡϦςΟ (IoT, Kinesis Video Streams, Rekognition)

    View Slide

  45. Ͳ͏ͭ͘Δ͔: ʮࢭΊΔʯ͚ͩͰ͸଍Γͳ͍
    • ʮ׬શͳ๷ޚʯʹۙͮ͘΄ͲίϯϑϦΫτ͕ى͖Δ
    • ΞϓϦέʔγϣϯͷػೳ΍Ϗδωεͦͷ΋ͷͱিಥ͢Δ
    • ʮ๷ޚʯ͚ͩͰ͸कΓ͖Δ͜ͱ͕Ͱ͖ͳ͍
    • Ϗδωεͷ଎౓Λอͪͳ͕ΒʮकΔʯʹ͸Ͳ͏͢Ε͹ྑ͍ʁ
    • ʮͭ͘ΔਓʯΛ્֐͠ͳ͍࢓૊Έʹ͢Δඞཁ͕͋Δ

    View Slide

  46. ʮήʔτΩʔύʔʯ͔ΒʮΨʔυϨʔϧʯ΁
    • ʮͭ͘ΔਓʯΛޙԡ͢͠ΔηΩϡϦςΟ
    • ͱΓ͋͑ͣࢭΊΔͷͰ͸ͳ͘Կ͔͋ͬͨͱ͖ʹकͬͯ͘ΕΔ
    • ϩάج൫͸ͦͷ࢓૊ΈͷҰͭ

    View Slide

  47. ΨʔυϨʔϧͷྫ
    • ϝΠϯ؀ڥͱಉ౳ͷηΩϡϦςΟϨϕϧΛ֬อ͠ͳ͕Β

    ࣗ༝ʹ࢖͑Δ AWS ΞΧ΢ϯτΛ։์
    • ։ൃऀ޲͚ΞΧ΢ϯτ (ࣗ༝ʹར༻Ͱ͖ΔΞΧ΢ϯτ)
    • ةݥͳ API ΛࢭΊΔ, ؂ࢹ (IAM, CloudTrail), ةݥͳઃఆΛ௨஌ (Config)
    • νʔϜ͝ͱͷΞΧ΢ϯτ (ಛʹࣗ༝ͳ؀ڥ͕ඞཁͳ৔߹)
    • ηοτΞοϓ࣌ʹ CloudTrail, GuardDuty, Config ͳͲΛల։
    • ؂ࢹ͸ϩάج൫ʹू໿ͯ͠ߦ͏

    View Slide

  48. ʮͭ͘Δྗʯ͕ॏཁ
    • ੈքͷηΩϡϦςΟνʔϜ΋औΓ૊Έ࢝Ί͍ͯΔ
    • “Builder” ͱͯ͠ͷྗ
    • ࢖͏ٕज़Λબͼɺઃܭ͠ɺίʔυΛॻ͖ɺ૊৫΍ϓϩηεʹ

    ηΩϡϦςΟΛ૊ΈࠐΉ
    • ʮͭ͘ΔʯͨΊͷෑډ͸Լ͕Γଓ͚͍ͯΔ
    • ίϯϙʔωϯτͱͯ͠࢖͑ΔαʔϏε͸೔ʑ૿͍͑ͯΔ

    View Slide

  49. https://unsplash.com/photos/1eFgYRwYctg

    View Slide

  50. ϏδωεΛՃ଎Ͱ͖ΔηΩϡϦςΟ΁
    • ͪΌΜͱػೳ͢ΔʮΨʔυϨʔϧʯͷԼͰ
    • ҆৺ͯ͠શ଎ྗΛग़ͤΔ؀ڥͮ͘Γ

    View Slide

  51. Security for builders,
    by builders

    View Slide

  52. We’re hiring
    • ʮຖ೔ͷྉཧΛָ͠Έʹ͢ΔʯͨΊͷηΩϡϦςΟΛ

    Ұॹʹͭ͘Γ·ͤΜ͔ʁ
    https://cookpad.jobs/

    View Slide

  53. Fin.

    View Slide