Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security by builders - セキュリティ監視をクラウドで「つくる」 / Se...

Avatar for Hokuto Hoshi Hokuto Hoshi
September 25, 2019
Technology
7
2.8k

Security by builders - セキュリティ監視をクラウドで「つくる」 / Security by builders

Avatar for Hokuto Hoshi

Hokuto Hoshi

September 25, 2019
Tweet

More Decks by Hokuto Hoshi

See All by Hokuto Hoshi
AIとともに歩む情報セキュリティ / Information Security with AI
Avatar for Hokuto Hoshi kanny
5
3.9k
開発も運用もビジネス部門も! クラウドで実現する「つらくない」統制とセキュリティ / Effortless Governance and Security Enabled by the Cloud
Avatar for Hokuto Hoshi kanny
5
4.6k
転生CISOサバイバル・ガイド / CISO Career Transition Survival Guide
Avatar for Hokuto Hoshi kanny
4
2.5k
Connecting organisation with Technology
Avatar for Hokuto Hoshi kanny
0
340
Why Slack - 5 years of Cookpad with Slack
Avatar for Hokuto Hoshi kanny
0
170
セキュリティ担当者から見た re:Invent と AWS Security Hub / Impression of re:Invent and AWS Security Hub
Avatar for Hokuto Hoshi kanny
2
4.3k
自由でセキュアな環境のつくりかた / Building free and secure cloud environment
Avatar for Hokuto Hoshi kanny
1
5.2k
事例でわかる、AWS 運用を支える
サポート活用方法と
エンタープライズサポートという選択 / AWS Enterprise Support and Cookpad
Avatar for Hokuto Hoshi kanny
2
2.6k
AWS で加速する機械学習 / Accelerate Machine Learning with AWS
Avatar for Hokuto Hoshi kanny
1
1.1k

Other Decks in Technology

See All in Technology
「使いにくい」も「運用疲れ」も卒業する UIデザイナーとエンジニアが創る持続可能な内製開発
Avatar for NRI Netcom nrinetcom
PRO
1
430
バクラクのSREにおけるAgentic AIへの挑戦/Our Journey with Agentic AI
Avatar for SadayoshiTada taddy_919
1
390
器用貧乏が強みになるまで ~「なんでもやる」が導いたエンジニアとしての現在地~
Avatar for KAKEHASHI kakehashi
PRO
5
610
Bill One 開発エンジニア 紹介資料
Avatar for Sansan, Inc. sansan33
PRO
5
18k
Exadata Fleet Update
Avatar for oracle4engineer oracle4engineer
PRO
0
1.3k
2026-02-25 Tokyo dbt meetup プロダクトと融合したCI/CD で実現する、堅牢なデータパイプラインの作り方
Avatar for Kentaro Yoshida y_ken
0
150
Webアクセシビリティ技術と実装の実際
Avatar for tomokusaba tomokusaba
0
110
AI が Approve する開発フロー / How AI Reviewers Accelerate Our Development
Avatar for Hiroka Zaitsu zaimy
1
220
primeNumber DATA MANAGEMENT CAMP #2:
Avatar for 阿部 昌利 masatoshi0205
1
610
Introduction to Sansan Meishi Maker Development Engineer
Avatar for Sansan, Inc. sansan33
PRO
0
360
LINEヤフーにおけるAI駆動開発組織のプロデュース施策
Avatar for LINEヤフーTech (LY Corporation Tech) lycorptech_jp
PRO
0
180
Claude Codeはレガシー移行でどこまで使えるのか?
Avatar for ak2ie ak2ie
1
1.1k

Featured

See All Featured
Building Adaptive Systems
Avatar for Chris Keathley keathley
44
2.9k
Building Applications with DynamoDB
Avatar for Matt Wood mza
96
6.9k
Being A Developer After 40
Avatar for Adrian Kosmaczewski akosma
91
590k
Designing for Performance
Avatar for Lara Hogan lara
611
70k
Darren the Foodie - Storyboard
Avatar for Kevinho.art khoart
PRO
3
2.6k
Scaling GitHub
Avatar for Zach Holman holman
464
140k
How to train your dragon (web standard)
Avatar for Monica Dinculescu notwaldorf
97
6.5k
Designing Powerful Visuals for Engaging Learning
Avatar for Mike Taylor tmiket
0
250
Claude Code のすすめ
Avatar for schroneko schroneko
67
210k
What Being in a Rock Band Can Teach Us About Real World SEO
Avatar for Ade Holder 427marketing
0
180
4 Signs Your Business is Dying
Avatar for Josh Pigford shpigford
187
22k
The innovator’s Mindset - 
Leading Through an Era of Exponential Change - McGill University 2025
Avatar for Jean-Marc De Jonghe jdejongh
PRO
1
110

Transcript

  1. Security by builders ηΩϡϦςΟ؂ࢹΛΫϥ΢υͰʮͭ͘Δʯ Hokuto Hoshi VP of Technology, Cookpad

    Inc. [email protected]

  2. ੕ ๺ే (΄͠ ΄͘ͱ) / @kani_b • ΫοΫύουגࣜձࣾ VP of

    Technology
 ؂ࠪҕһձ ؂ࠪิॿऀ • શࣾԣஅͰͷ৘ใηΩϡϦςΟϦʔυ΋΍͍ͬͯ·͢ • Site Reliability & Security Engineer • AWS ೝఆ SA, DevOps ΤϯδχΞ (Professional) • 2013೥৽ଔೖࣾ, AWS ར༻ྺ͸9೥͘Β͍
  3. None
  4. None
  5. None
  6. None
  7. None
  8. None
  9. None
  10. None
  11. None
  12. None
  13. None
  14. None
  15. None
  16. None

  17. ΫοΫύουͱ AWS • 2011೥ʹ׬શҠߦ • 2ͭͷϦʔδϣϯΛओʹར༻ • 400 Ҏ্ͷ ECS

    αʔϏε͕ EC2 Spot Πϯελϯε্ͰՔಇ • શͯͷϢʔβ޲͚αʔϏε͸͜͜Ͱಈ͍͍ͯΔ

  18. ΫοΫύουͱΫϥ΢υ • ࣾ಺γεςϜ΋΄΅શ͕ͯ AWS ্·ͨ͸ SaaS ͱͯ͠Քಇ • ࣗલӡ༻ΛۃྗݮΒ͢ߏ੒ •

    ΦϑΟεʹ͋Δ΋ͷ͸ωοτϫʔΫػثͷΈ

  19. ΫοΫύουʹ͓͚Δ ৘ใηΩϡϦςΟͷҙຯ

  20. Α͘ฉ͔ΕΔ͜ͱ • ʮϨγϐαʔϏεʹ৘ใηΩϡϦςΟ͕ඞཁͳΜͰ͔͢ʁʯ

  21. Α͘ฉ͔ΕΔ͜ͱ • ʮϨγϐαʔϏεʹ৘ใηΩϡϦςΟ͕ඞཁͳΜͰ͔͢ʁʯ • A. ඞཁ͔ͭෆՄܽͰ͢

  22. ʮຖ೔ͷྉཧʯͱ৘ใηΩϡϦςΟ • Ϩγϐσʔλɺࣸਅɺίϝϯτɺϩάɺ༷ʑͳσʔλ • ৯ࣄ͸ਓؒͷੜ׆ͱີ઀ʹඥͮ͘ • μΠΤοτ΍ಛఆͷපؾͳͲϓϥΠόγʹؔΘΔ৘ใ΋ • ΑΓ਎ۙʹ࢖͍͚ͬͯͨͩΔαʔϏεͰ͋Γଓ͚ΔͨΊʹ
 ৴པΛಘͯ৘ใΛ༬͔Γɺ੹೚ΛՌͨ͢͜ͱ͕ॏཁ

  23. कΔ΂͖ΤϦΞ • શࣾࢹ఺ʹཱͬͨରࡦ͕ॏཁ • Ϣʔβ޲͚αʔϏε • ࣾ಺γεςϜ • ৘ใͷऔΓѻ͍ํͳͲϧʔϧ΍ӡ༻ •

    ͋ΒΏΔηΩϡϦςΟ՝୊ʹνʔϜͱͯ͠ରԠ

  24. ࣮ࡍͷରࡦ΍ӡ༻

  25. جຊతͳߟ͑ํ • ϧʔϧ΍ΦϖϨʔγϣϯͰͳٕ͘ज़΍࢓૊ΈͰकΔ • ૿Ճ͠ଓ͚ΔτϥϑΟοΫʹରԠͰ͖ͳ͍ • ਓؒ͸ඞͣϛεΛ͢Δ • Ϋϥ΢υͱͷ੹೚ڥքΛೝࣝɺ೚ͤΔͱ͜Ζ͸೚ͤΔ •

    ๷ޚ100%Ͱͳ͘ “Կ͕ى͖͔ͨΘ͔Δ” ঢ়ଶΛ໨ࢦ͢

  26. ๷ޚ100%Ͱ͸ͳ͍ཧ༝ • ʮ׬શͳ๷ޚʯ͸ଘࡏ͠ͳ͍ • ׬શʹ͚ۙͮΔ΄ͲίϯϑϦΫτ͕ى͖΍͍͢ • ๷ޚਫ਼౓Λ1%্͛Δίετ > ݕ஌ਫ਼౓Λ্͛Δίετ •

    ૯߹֨ಆٕͱͯ͠औΓ૊Ή

  27. ηΩϡϦςΟγεςϜͷઃܭํ਑ • ๷ޚ͢ΔͨΊͷ࢓૊Έ΍ϩΪϯάγεςϜ: ηϯαʔ • ηϯαʔ͔ΒσʔλΛूΊɺ؂ࢹɾ෼ੳ͢Δ ๷ޚ ݕ஌ ରԠ

  28. ηϯαʔ • AWS ͷηΩϡϦςΟαʔϏε • Amazon CloudTrail, Amazon GuardDuty, AWS

    WAF, etc • ηΩϡϦςΟ੡඼ • IDS, EDR, ίϯςφΠϝʔδεΩϟϯ, NGFW, etc • ͋ΒΏΔϩά • ΞΫηεϩά, OS ͷϩά, ΦϑΟεεΠʔτͷϩά, etc

  29. ௚໘͢Δ໰୊ • ऩू͢Δϩάͷྲྀྔ΍छྨ͕ଟ͗͢Δ • τϥϑΟοΫ΍औΓࠐΉγεςϜͷ૿Ճ • ίετ૿ʹ௚݁ • ࢢൢͷ SIEM

    ΍ SaaS ͷඅ༻͸ओʹετϨʔδʹ͔͔Δ • ͦͷͨΊʹϩάͷྔΛߜΔͷ͸ຊ຤స౗ • ෼ੳ࣌ʹ͸͡ΊͯϑΟϧλ͞ΕΔ΂͖

  30. OSS ͷྗΛआΓΔ • Graylog: ϩάϚωδϝϯτͷͨΊͷ OSS • ϩάͷશจݕࡧɺՄࢹԽɺΞϥʔςΟϯάͳͲ͕Մೳ • ਫฏεέʔϧ͢Δઃܭʹͳ͍ͬͯΔ

    • Elasticsearch ͕όοΫΤϯυ • Amazon Elasticsearch Service Ͱলྗӡ༻

  31. Graylog ͷల։ ϩά EC2 Instances Network Load Balancer Elasticsearch Service

    Graylog
 Instance Security Engineer ෼ੳ Application
 Load Balancer

  32. ΑΓͨ͘͞ΜͷϩάΛऔΓࠐΉͨΊʹ • ϩάͷૹΓઌ͕τϥϑΟοΫΛड͚͖Εͳ͘ͳΔ • όοΫΤϯυʹٻΊΒΕΔՄ༻ੑ΋ඇৗʹߴ͘ͳΔ • શͯͷϩά͸ Amazon S3 ʹҰ౓อଘ͔ͯ͠Βॲཧ

    • ߴՄ༻Ͱεέʔϧ͢Δ෼ࢄετϨʔδ • όοϑΝΛઃ͚Δ͜ͱͰߏ੒ΛॊೈʹͰ͖Δ • อଘͨ͠ϑΝΠϧΛ AWS Lambda Ͱલॲཧͯ͠ Graylog ΁֨ೲ

  33. ϩάอ࣋ظؒͷ໰୊ • ΦϯϥΠϯετϨʔδ͸௿ϨΠςϯγ, ߴίετ (Elasticsearch) • શͯͷϩάΛΦϯϥΠϯʹ͓ͯ͘͠ඞཁ͸ͳ͍ • Ұఆظؒܦͬͨϩά͸ Graylog

    ͔Β࡟আͯ͠ S3 ͷΈͰอ࣋ • ඞཁͳࡍ͸ Amazon Athena ͔ΒΫΤϦՄೳ • ௿ίετ͔ͭे෼ߴ଎ʹݕࡧɾ෼ੳͰ͖Δ

  34. εέʔϧ͢ΔΞʔΩςΫνϟ΁ EC2 Instances Office GuardDuty, CloudTrail, etc …. Kinesis
 Firehose

    Lambda Function S3 Bucket Athena Graylog ΁ EC2 Instances Lambda Function

  35. εέʔϧ͢ΔΞʔΩςΫνϟ΁ EC2 Instances Office GuardDuty, CloudTrail, etc …. Kinesis
 Firehose

    Lambda Function S3 Bucket Athena Graylog ΁ EC2 Instances Lambda Function ηϯαʔ ू໿ ஝ੵɾอ࣋ ؂ࢹɾ෼ੳ

  36. ϩάͷ෼ੳɾݕ஌ • ݕ஌γεςϜΛ AWS Lambda Λ࢖࣮ͬͯ૷ • ࣗಈԽ, লྗԽͷ࣮ݱ •

    ίʔυهड़ͰಘΒΕΔॊೈੑɺอकੑͷ޲্ɺଐਓੑͷഉআ • ૿Ճ͠ଓ͚Δϩάʹର͢ΔεέʔϥϏϦςΟΛಘΔ

  37. https://speakerdeck.com/mizutani/techconf2019-mizutani

  38. ໰୊ʹରͯ͠ • ऩू͢Δϩάͷྲྀྔ΍छྨ͕ଟ͗͢Δ • εέʔϧՄೳͳΞʔΩςΫνϟʹΑͬͯड͚ࢭΊΒΕΔΑ͏ʹ • ίετ૿ʹ௚݁ • ΑΓ҆ՁͳετϨʔδΛ࢖͑ΔΞʔΩςΫνϟͷ࠾༻ •

    ࣗಈԽɺϚωʔδυαʔϏεར༻Ͱӡ༻΋লྗԽ

  39. ݱࡏͷঢ়گ • ࣾ಺֎ͷ༷ʑͳγεςϜͷϩάΛऩूɺ෼ੳ • Ұ೔͋ͨΓ 140GB Ҏ্ͷϩάΛॲཧ • Ұൠతͳϩά؅ཧ੡඼ͱൺֱͯ͠ 1/4

    ҎԼͷίετ • 2໊Ͱӡ༻

  40. Security by builders:
 ͜Ε͔ΒͷϢʔβاۀͷηΩϡϦςΟ

  41. ʮηΩϡϦςΟରࡦʯ͸౰ͨΓલʹͳͬͨ • ߈ܸ͸ΑΓ༰қʹɺΑΓ೔ৗతʹ • ͲΜͳαΠζͷ૊৫΋ηΩϡϦςΟΛؾʹ͍ͯ͠Δ • ηΩϡϦςΟͷͨΊͷ੡඼΍αʔϏε͸૿Ճ͠ଓ͚͍ͯΔ

  42. ʮങͬͯઃஔʯ͚ͩͰ͸ෆे෼ • ର৅ʹ߹Θͤͨߴ౓ͳ߈ܸ • e.g.) Web ΞϓϦέʔγϣϯʹର͢Δ߈ܸ, ඪతܕ߈ܸ • ʮίϯςΩετʯͷ࣮૷͸౰ࣄऀʹ͔͠Ͱ͖ͳ͍

    • ըҰతͳ๷ޚ͚ͩͰͳ͘γεςϜ΍؀ڥʹ߹Θͤͨݕ஌ɾରԠ • e.g.) ΞϓϦέʔγϣϯϩάͷ෼ੳ, ࣾ಺γεςϜͱͷ࿈ܞ

  43. σʔλऩूͱݕ஌ • ࿈ܞͷ伴͸σʔλ (ϩά, Ξϥʔτ, etc) • ηΩϡϦςΟ੡඼͚ͩͰͳ͍σʔλͷऩूͱ෼ੳ͕ඞཁ͕ͩ… • ӡ༻ʹਓख΋ۚમίετ΋͔͔Δ

    • τϥϑΟοΫ૿ՃʹΑΓ͞Βʹ૿େ • ӡ༻ऀʹ΋࢖͍΍͘͢εέʔϧ͢Δ࢓૊Έͮ͘Γ͕ෆՄܽ

  44. Ϋϥ΢υͰηΩϡϦςΟΛʮͭ͘Δʯ • αʔϏε΍૊৫ͷίϯςΩετΛηΩϡϦςΟγεςϜʹؚΊΔ • ϚωʔδυαʔϏεΛར༻ͭͭ͠औΓ૊Ή΂͖ՕॴʹऔΓ૊Ή • AWS Λ࢖ͬͨηΩϡϦςΟͷՄೳੑ • εέʔϥϒϧͳσʔλॲཧج൫

    (S3, Athena, Kinesis, EMR, Redshift..) • ҟৗݕ஌ͷ࣮૷ (SageMaker, Forecast) • ࣮ੈքͷηΩϡϦςΟ (IoT, Kinesis Video Streams, Rekognition)

  45. Ͳ͏ͭ͘Δ͔: ʮࢭΊΔʯ͚ͩͰ͸଍Γͳ͍ • ʮ׬શͳ๷ޚʯʹۙͮ͘΄ͲίϯϑϦΫτ͕ى͖Δ • ΞϓϦέʔγϣϯͷػೳ΍Ϗδωεͦͷ΋ͷͱিಥ͢Δ • ʮ๷ޚʯ͚ͩͰ͸कΓ͖Δ͜ͱ͕Ͱ͖ͳ͍ • Ϗδωεͷ଎౓Λอͪͳ͕ΒʮकΔʯʹ͸Ͳ͏͢Ε͹ྑ͍ʁ

    • ʮͭ͘ΔਓʯΛ્֐͠ͳ͍࢓૊Έʹ͢Δඞཁ͕͋Δ

  46. ʮήʔτΩʔύʔʯ͔ΒʮΨʔυϨʔϧʯ΁ • ʮͭ͘ΔਓʯΛޙԡ͢͠ΔηΩϡϦςΟ • ͱΓ͋͑ͣࢭΊΔͷͰ͸ͳ͘Կ͔͋ͬͨͱ͖ʹकͬͯ͘ΕΔ • ϩάج൫͸ͦͷ࢓૊ΈͷҰͭ

  47. ΨʔυϨʔϧͷྫ • ϝΠϯ؀ڥͱಉ౳ͷηΩϡϦςΟϨϕϧΛ֬อ͠ͳ͕Β
 ࣗ༝ʹ࢖͑Δ AWS ΞΧ΢ϯτΛ։์ • ։ൃऀ޲͚ΞΧ΢ϯτ (ࣗ༝ʹར༻Ͱ͖ΔΞΧ΢ϯτ) •

    ةݥͳ API ΛࢭΊΔ, ؂ࢹ (IAM, CloudTrail), ةݥͳઃఆΛ௨஌ (Config) • νʔϜ͝ͱͷΞΧ΢ϯτ (ಛʹࣗ༝ͳ؀ڥ͕ඞཁͳ৔߹) • ηοτΞοϓ࣌ʹ CloudTrail, GuardDuty, Config ͳͲΛల։ • ؂ࢹ͸ϩάج൫ʹू໿ͯ͠ߦ͏

  48. ʮͭ͘Δྗʯ͕ॏཁ • ੈքͷηΩϡϦςΟνʔϜ΋औΓ૊Έ࢝Ί͍ͯΔ • “Builder” ͱͯ͠ͷྗ • ࢖͏ٕज़Λબͼɺઃܭ͠ɺίʔυΛॻ͖ɺ૊৫΍ϓϩηεʹ
 ηΩϡϦςΟΛ૊ΈࠐΉ •

    ʮͭ͘ΔʯͨΊͷෑډ͸Լ͕Γଓ͚͍ͯΔ • ίϯϙʔωϯτͱͯ͠࢖͑ΔαʔϏε͸೔ʑ૿͍͑ͯΔ

  49. https://unsplash.com/photos/1eFgYRwYctg

  50. ϏδωεΛՃ଎Ͱ͖ΔηΩϡϦςΟ΁ • ͪΌΜͱػೳ͢ΔʮΨʔυϨʔϧʯͷԼͰ • ҆৺ͯ͠શ଎ྗΛग़ͤΔ؀ڥͮ͘Γ

  51. Security for builders, by builders

  52. We’re hiring • ʮຖ೔ͷྉཧΛָ͠Έʹ͢ΔʯͨΊͷηΩϡϦςΟΛ
 Ұॹʹͭ͘Γ·ͤΜ͔ʁ https://cookpad.jobs/

  53. Fin.