Security by builders - セキュリティ監視をクラウドで「つくる」 / Security by builders

14a602891dce5c68facca9de28340522?s=47 Hokuto Hoshi
September 25, 2019
Technology
7
1.9k

Security by builders - セキュリティ監視をクラウドで「つくる」 / Security by builders

14a602891dce5c68facca9de28340522?s=128

Hokuto Hoshi

September 25, 2019
Tweet

More Decks by Hokuto Hoshi

See All by Hokuto Hoshi
14a602891dce5c68facca9de28340522?s=48 kanny
2
3.3k
14a602891dce5c68facca9de28340522?s=48 kanny
1
3.5k
14a602891dce5c68facca9de28340522?s=48 kanny
2
1.6k
14a602891dce5c68facca9de28340522?s=48 kanny
0
580
14a602891dce5c68facca9de28340522?s=48 kanny
22
13k
14a602891dce5c68facca9de28340522?s=48 kanny
3
7.4k
14a602891dce5c68facca9de28340522?s=48 kanny
30
19k
14a602891dce5c68facca9de28340522?s=48 kanny
63
48k

Other Decks in Technology

See All in Technology
2cf373725ded741824c50fd571eda6e1?s=48 udzura
0
1.1k
992ab21437c2ec7c70d9af79ed2a2273?s=48 7110
0
230
B440848190075251e012e587b82f54e2?s=48 czmirror
0
240
966e29b84ae7dbde170f66b0bc75b7a6?s=48 ishiayaya
1
220
5b47136bedcba2799edf4fcd27ea66d7?s=48 yaegashi
0
310
F3f3eec8682a76ed430054e8fd994f15?s=48 tmnakagawa
0
760
9c42c4bc1d91c409d754da88c91cb2ef?s=48 kur0cky
1
230
3115a782126be714b5f94d24073c957d?s=48 oracle4engineer
0
260
92e7a56a50535ef4c51c112c71d3f9c1?s=48 jkubota
0
280
470bbf16e3547a17e40c34da937be921?s=48 kikmysy4
0
140
3115a782126be714b5f94d24073c957d?s=48 oracle4engineer
3
290
9e7a653ed313b3da4b263a772bfc5026?s=48 clustervr
0
200

Featured

See All Featured
E190023b66e2b8aa73a842b106920c93?s=48 zenorocha
295
39k
7653c7c449918ff6542880a8c284f5e7?s=48 jponch
101
4.8k
20bfe76b3d6105641f879fe45cfc9272?s=48 bkeepers
50
3.9k
0bce06bd06ee7a2c4f5500f25dcf7f18?s=48 paulrobertlloyd
70
3.3k
A60068bce2e73de3a37ca9d2dbe36092?s=48 bryan
28
3.1k
B6a8f005f39d23ffc930508ac9da68b9?s=48 vanstee
115
4.7k
9cde37f47e4a800ea081ea42de8d749a?s=48 dougneiner
55
5.3k
A0517b08532aec8ab2aae3f65d40ad86?s=48 hannesfritz
26
850
462dad0dd24c568a32dcdb0ae895ae1b?s=48 rasmusluckow
314
18k
245cee81a9c424266e5e401d844ea881?s=48 lara
588
60k
Be9caeb9d4ef9944d151af909063ed6e?s=48 samlambert
236
9.7k
95d9f37115fbb0d13135d0f77132f856?s=48 morganepeng
4
430

Transcript

  1. Security by builders ηΩϡϦςΟ؂ࢹΛΫϥ΢υͰʮͭ͘Δʯ Hokuto Hoshi VP of Technology, Cookpad

    Inc. hokuto@cookpad.com

  2. ੕ ๺ే (΄͠ ΄͘ͱ) / @kani_b • ΫοΫύουגࣜձࣾ VP of

    Technology
 ؂ࠪҕһձ ؂ࠪิॿऀ • શࣾԣஅͰͷ৘ใηΩϡϦςΟϦʔυ΋΍͍ͬͯ·͢ • Site Reliability & Security Engineer • AWS ೝఆ SA, DevOps ΤϯδχΞ (Professional) • 2013೥৽ଔೖࣾ, AWS ར༻ྺ͸9೥͘Β͍
  3. None
  4. None
  5. None
  6. None
  7. None
  8. None
  9. None
  10. None
  11. None
  12. None
  13. None
  14. None
  15. None
  16. None

  17. ΫοΫύουͱ AWS • 2011೥ʹ׬શҠߦ • 2ͭͷϦʔδϣϯΛओʹར༻ • 400 Ҏ্ͷ ECS

    αʔϏε͕ EC2 Spot Πϯελϯε্ͰՔಇ • શͯͷϢʔβ޲͚αʔϏε͸͜͜Ͱಈ͍͍ͯΔ

  18. ΫοΫύουͱΫϥ΢υ • ࣾ಺γεςϜ΋΄΅શ͕ͯ AWS ্·ͨ͸ SaaS ͱͯ͠Քಇ • ࣗલӡ༻ΛۃྗݮΒ͢ߏ੒ •

    ΦϑΟεʹ͋Δ΋ͷ͸ωοτϫʔΫػثͷΈ

  19. ΫοΫύουʹ͓͚Δ ৘ใηΩϡϦςΟͷҙຯ

  20. Α͘ฉ͔ΕΔ͜ͱ • ʮϨγϐαʔϏεʹ৘ใηΩϡϦςΟ͕ඞཁͳΜͰ͔͢ʁʯ

  21. Α͘ฉ͔ΕΔ͜ͱ • ʮϨγϐαʔϏεʹ৘ใηΩϡϦςΟ͕ඞཁͳΜͰ͔͢ʁʯ • A. ඞཁ͔ͭෆՄܽͰ͢

  22. ʮຖ೔ͷྉཧʯͱ৘ใηΩϡϦςΟ • Ϩγϐσʔλɺࣸਅɺίϝϯτɺϩάɺ༷ʑͳσʔλ • ৯ࣄ͸ਓؒͷੜ׆ͱີ઀ʹඥͮ͘ • μΠΤοτ΍ಛఆͷපؾͳͲϓϥΠόγʹؔΘΔ৘ใ΋ • ΑΓ਎ۙʹ࢖͍͚ͬͯͨͩΔαʔϏεͰ͋Γଓ͚ΔͨΊʹ
 ৴པΛಘͯ৘ใΛ༬͔Γɺ੹೚ΛՌͨ͢͜ͱ͕ॏཁ

  23. कΔ΂͖ΤϦΞ • શࣾࢹ఺ʹཱͬͨରࡦ͕ॏཁ • Ϣʔβ޲͚αʔϏε • ࣾ಺γεςϜ • ৘ใͷऔΓѻ͍ํͳͲϧʔϧ΍ӡ༻ •

    ͋ΒΏΔηΩϡϦςΟ՝୊ʹνʔϜͱͯ͠ରԠ

  24. ࣮ࡍͷରࡦ΍ӡ༻

  25. جຊతͳߟ͑ํ • ϧʔϧ΍ΦϖϨʔγϣϯͰͳٕ͘ज़΍࢓૊ΈͰकΔ • ૿Ճ͠ଓ͚ΔτϥϑΟοΫʹରԠͰ͖ͳ͍ • ਓؒ͸ඞͣϛεΛ͢Δ • Ϋϥ΢υͱͷ੹೚ڥքΛೝࣝɺ೚ͤΔͱ͜Ζ͸೚ͤΔ •

    ๷ޚ100%Ͱͳ͘ “Կ͕ى͖͔ͨΘ͔Δ” ঢ়ଶΛ໨ࢦ͢

  26. ๷ޚ100%Ͱ͸ͳ͍ཧ༝ • ʮ׬શͳ๷ޚʯ͸ଘࡏ͠ͳ͍ • ׬શʹ͚ۙͮΔ΄ͲίϯϑϦΫτ͕ى͖΍͍͢ • ๷ޚਫ਼౓Λ1%্͛Δίετ > ݕ஌ਫ਼౓Λ্͛Δίετ •

    ૯߹֨ಆٕͱͯ͠औΓ૊Ή

  27. ηΩϡϦςΟγεςϜͷઃܭํ਑ • ๷ޚ͢ΔͨΊͷ࢓૊Έ΍ϩΪϯάγεςϜ: ηϯαʔ • ηϯαʔ͔ΒσʔλΛूΊɺ؂ࢹɾ෼ੳ͢Δ ๷ޚ ݕ஌ ରԠ

  28. ηϯαʔ • AWS ͷηΩϡϦςΟαʔϏε • Amazon CloudTrail, Amazon GuardDuty, AWS

    WAF, etc • ηΩϡϦςΟ੡඼ • IDS, EDR, ίϯςφΠϝʔδεΩϟϯ, NGFW, etc • ͋ΒΏΔϩά • ΞΫηεϩά, OS ͷϩά, ΦϑΟεεΠʔτͷϩά, etc

  29. ௚໘͢Δ໰୊ • ऩू͢Δϩάͷྲྀྔ΍छྨ͕ଟ͗͢Δ • τϥϑΟοΫ΍औΓࠐΉγεςϜͷ૿Ճ • ίετ૿ʹ௚݁ • ࢢൢͷ SIEM

    ΍ SaaS ͷඅ༻͸ओʹετϨʔδʹ͔͔Δ • ͦͷͨΊʹϩάͷྔΛߜΔͷ͸ຊ຤స౗ • ෼ੳ࣌ʹ͸͡ΊͯϑΟϧλ͞ΕΔ΂͖

  30. OSS ͷྗΛआΓΔ • Graylog: ϩάϚωδϝϯτͷͨΊͷ OSS • ϩάͷશจݕࡧɺՄࢹԽɺΞϥʔςΟϯάͳͲ͕Մೳ • ਫฏεέʔϧ͢Δઃܭʹͳ͍ͬͯΔ

    • Elasticsearch ͕όοΫΤϯυ • Amazon Elasticsearch Service Ͱলྗӡ༻

  31. Graylog ͷల։ ϩά EC2 Instances Network Load Balancer Elasticsearch Service

    Graylog
 Instance Security Engineer ෼ੳ Application
 Load Balancer

  32. ΑΓͨ͘͞ΜͷϩάΛऔΓࠐΉͨΊʹ • ϩάͷૹΓઌ͕τϥϑΟοΫΛड͚͖Εͳ͘ͳΔ • όοΫΤϯυʹٻΊΒΕΔՄ༻ੑ΋ඇৗʹߴ͘ͳΔ • શͯͷϩά͸ Amazon S3 ʹҰ౓อଘ͔ͯ͠Βॲཧ

    • ߴՄ༻Ͱεέʔϧ͢Δ෼ࢄετϨʔδ • όοϑΝΛઃ͚Δ͜ͱͰߏ੒ΛॊೈʹͰ͖Δ • อଘͨ͠ϑΝΠϧΛ AWS Lambda Ͱલॲཧͯ͠ Graylog ΁֨ೲ

  33. ϩάอ࣋ظؒͷ໰୊ • ΦϯϥΠϯετϨʔδ͸௿ϨΠςϯγ, ߴίετ (Elasticsearch) • શͯͷϩάΛΦϯϥΠϯʹ͓ͯ͘͠ඞཁ͸ͳ͍ • Ұఆظؒܦͬͨϩά͸ Graylog

    ͔Β࡟আͯ͠ S3 ͷΈͰอ࣋ • ඞཁͳࡍ͸ Amazon Athena ͔ΒΫΤϦՄೳ • ௿ίετ͔ͭे෼ߴ଎ʹݕࡧɾ෼ੳͰ͖Δ

  34. εέʔϧ͢ΔΞʔΩςΫνϟ΁ EC2 Instances Office GuardDuty, CloudTrail, etc …. Kinesis
 Firehose

    Lambda Function S3 Bucket Athena Graylog ΁ EC2 Instances Lambda Function

  35. εέʔϧ͢ΔΞʔΩςΫνϟ΁ EC2 Instances Office GuardDuty, CloudTrail, etc …. Kinesis
 Firehose

    Lambda Function S3 Bucket Athena Graylog ΁ EC2 Instances Lambda Function ηϯαʔ ू໿ ஝ੵɾอ࣋ ؂ࢹɾ෼ੳ

  36. ϩάͷ෼ੳɾݕ஌ • ݕ஌γεςϜΛ AWS Lambda Λ࢖࣮ͬͯ૷ • ࣗಈԽ, লྗԽͷ࣮ݱ •

    ίʔυهड़ͰಘΒΕΔॊೈੑɺอकੑͷ޲্ɺଐਓੑͷഉআ • ૿Ճ͠ଓ͚Δϩάʹର͢ΔεέʔϥϏϦςΟΛಘΔ

  37. https://speakerdeck.com/mizutani/techconf2019-mizutani

  38. ໰୊ʹରͯ͠ • ऩू͢Δϩάͷྲྀྔ΍छྨ͕ଟ͗͢Δ • εέʔϧՄೳͳΞʔΩςΫνϟʹΑͬͯड͚ࢭΊΒΕΔΑ͏ʹ • ίετ૿ʹ௚݁ • ΑΓ҆ՁͳετϨʔδΛ࢖͑ΔΞʔΩςΫνϟͷ࠾༻ •

    ࣗಈԽɺϚωʔδυαʔϏεར༻Ͱӡ༻΋লྗԽ

  39. ݱࡏͷঢ়گ • ࣾ಺֎ͷ༷ʑͳγεςϜͷϩάΛऩूɺ෼ੳ • Ұ೔͋ͨΓ 140GB Ҏ্ͷϩάΛॲཧ • Ұൠతͳϩά؅ཧ੡඼ͱൺֱͯ͠ 1/4

    ҎԼͷίετ • 2໊Ͱӡ༻

  40. Security by builders:
 ͜Ε͔ΒͷϢʔβاۀͷηΩϡϦςΟ

  41. ʮηΩϡϦςΟରࡦʯ͸౰ͨΓલʹͳͬͨ • ߈ܸ͸ΑΓ༰қʹɺΑΓ೔ৗతʹ • ͲΜͳαΠζͷ૊৫΋ηΩϡϦςΟΛؾʹ͍ͯ͠Δ • ηΩϡϦςΟͷͨΊͷ੡඼΍αʔϏε͸૿Ճ͠ଓ͚͍ͯΔ

  42. ʮങͬͯઃஔʯ͚ͩͰ͸ෆे෼ • ର৅ʹ߹Θͤͨߴ౓ͳ߈ܸ • e.g.) Web ΞϓϦέʔγϣϯʹର͢Δ߈ܸ, ඪతܕ߈ܸ • ʮίϯςΩετʯͷ࣮૷͸౰ࣄऀʹ͔͠Ͱ͖ͳ͍

    • ըҰతͳ๷ޚ͚ͩͰͳ͘γεςϜ΍؀ڥʹ߹Θͤͨݕ஌ɾରԠ • e.g.) ΞϓϦέʔγϣϯϩάͷ෼ੳ, ࣾ಺γεςϜͱͷ࿈ܞ

  43. σʔλऩूͱݕ஌ • ࿈ܞͷ伴͸σʔλ (ϩά, Ξϥʔτ, etc) • ηΩϡϦςΟ੡඼͚ͩͰͳ͍σʔλͷऩूͱ෼ੳ͕ඞཁ͕ͩ… • ӡ༻ʹਓख΋ۚમίετ΋͔͔Δ

    • τϥϑΟοΫ૿ՃʹΑΓ͞Βʹ૿େ • ӡ༻ऀʹ΋࢖͍΍͘͢εέʔϧ͢Δ࢓૊Έͮ͘Γ͕ෆՄܽ

  44. Ϋϥ΢υͰηΩϡϦςΟΛʮͭ͘Δʯ • αʔϏε΍૊৫ͷίϯςΩετΛηΩϡϦςΟγεςϜʹؚΊΔ • ϚωʔδυαʔϏεΛར༻ͭͭ͠औΓ૊Ή΂͖ՕॴʹऔΓ૊Ή • AWS Λ࢖ͬͨηΩϡϦςΟͷՄೳੑ • εέʔϥϒϧͳσʔλॲཧج൫

    (S3, Athena, Kinesis, EMR, Redshift..) • ҟৗݕ஌ͷ࣮૷ (SageMaker, Forecast) • ࣮ੈքͷηΩϡϦςΟ (IoT, Kinesis Video Streams, Rekognition)

  45. Ͳ͏ͭ͘Δ͔: ʮࢭΊΔʯ͚ͩͰ͸଍Γͳ͍ • ʮ׬શͳ๷ޚʯʹۙͮ͘΄ͲίϯϑϦΫτ͕ى͖Δ • ΞϓϦέʔγϣϯͷػೳ΍Ϗδωεͦͷ΋ͷͱিಥ͢Δ • ʮ๷ޚʯ͚ͩͰ͸कΓ͖Δ͜ͱ͕Ͱ͖ͳ͍ • Ϗδωεͷ଎౓Λอͪͳ͕ΒʮकΔʯʹ͸Ͳ͏͢Ε͹ྑ͍ʁ

    • ʮͭ͘ΔਓʯΛ્֐͠ͳ͍࢓૊Έʹ͢Δඞཁ͕͋Δ

  46. ʮήʔτΩʔύʔʯ͔ΒʮΨʔυϨʔϧʯ΁ • ʮͭ͘ΔਓʯΛޙԡ͢͠ΔηΩϡϦςΟ • ͱΓ͋͑ͣࢭΊΔͷͰ͸ͳ͘Կ͔͋ͬͨͱ͖ʹकͬͯ͘ΕΔ • ϩάج൫͸ͦͷ࢓૊ΈͷҰͭ

  47. ΨʔυϨʔϧͷྫ • ϝΠϯ؀ڥͱಉ౳ͷηΩϡϦςΟϨϕϧΛ֬อ͠ͳ͕Β
 ࣗ༝ʹ࢖͑Δ AWS ΞΧ΢ϯτΛ։์ • ։ൃऀ޲͚ΞΧ΢ϯτ (ࣗ༝ʹར༻Ͱ͖ΔΞΧ΢ϯτ) •

    ةݥͳ API ΛࢭΊΔ, ؂ࢹ (IAM, CloudTrail), ةݥͳઃఆΛ௨஌ (Config) • νʔϜ͝ͱͷΞΧ΢ϯτ (ಛʹࣗ༝ͳ؀ڥ͕ඞཁͳ৔߹) • ηοτΞοϓ࣌ʹ CloudTrail, GuardDuty, Config ͳͲΛల։ • ؂ࢹ͸ϩάج൫ʹू໿ͯ͠ߦ͏

  48. ʮͭ͘Δྗʯ͕ॏཁ • ੈքͷηΩϡϦςΟνʔϜ΋औΓ૊Έ࢝Ί͍ͯΔ • “Builder” ͱͯ͠ͷྗ • ࢖͏ٕज़Λબͼɺઃܭ͠ɺίʔυΛॻ͖ɺ૊৫΍ϓϩηεʹ
 ηΩϡϦςΟΛ૊ΈࠐΉ •

    ʮͭ͘ΔʯͨΊͷෑډ͸Լ͕Γଓ͚͍ͯΔ • ίϯϙʔωϯτͱͯ͠࢖͑ΔαʔϏε͸೔ʑ૿͍͑ͯΔ

  49. https://unsplash.com/photos/1eFgYRwYctg

  50. ϏδωεΛՃ଎Ͱ͖ΔηΩϡϦςΟ΁ • ͪΌΜͱػೳ͢ΔʮΨʔυϨʔϧʯͷԼͰ • ҆৺ͯ͠શ଎ྗΛग़ͤΔ؀ڥͮ͘Γ

  51. Security for builders, by builders

  52. We’re hiring • ʮຖ೔ͷྉཧΛָ͠Έʹ͢ΔʯͨΊͷηΩϡϦςΟΛ
 Ұॹʹͭ͘Γ·ͤΜ͔ʁ https://cookpad.jobs/

  53. Fin.