Security by builders - セキュリティ監視をクラウドで「つくる」 / Security by builders

Transcript

1. Security by builders ηΩϡϦςΟ؂ࢹΛΫϥ΢υͰʮͭ͘Δʯ Hokuto Hoshi VP of Technology, Cookpad

   Inc. hokuto@cookpad.com

2. ੕ ๺ే (΄͠ ΄͘ͱ) / @kani_b • ΫοΫύουגࣜձࣾ VP of

   Technology
 ؂ࠪҕһձ ؂ࠪิॿऀ • શࣾԣஅͰͷ৘ใηΩϡϦςΟϦʔυ΋΍͍ͬͯ·͢ • Site Reliability & Security Engineer • AWS ೝఆ SA, DevOps ΤϯδχΞ (Professional) • 2013೥৽ଔೖࣾ, AWS ར༻ྺ͸9೥͘Β͍
3. None
4. None
5. None
6. None
7. None
8. None
9. None
10. None
11. None
12. None
13. None
14. None
15. None
16. None

17. ΫοΫύουͱ AWS • 2011೥ʹ׬શҠߦ • 2ͭͷϦʔδϣϯΛओʹར༻ • 400 Ҏ্ͷ ECS

    αʔϏε͕ EC2 Spot Πϯελϯε্ͰՔಇ • શͯͷϢʔβ޲͚αʔϏε͸͜͜Ͱಈ͍͍ͯΔ

18. ΫοΫύουͱΫϥ΢υ • ࣾ಺γεςϜ΋΄΅શ͕ͯ AWS ্·ͨ͸ SaaS ͱͯ͠Քಇ • ࣗલӡ༻ΛۃྗݮΒ͢ߏ੒ •

    ΦϑΟεʹ͋Δ΋ͷ͸ωοτϫʔΫػثͷΈ

19. ΫοΫύουʹ͓͚Δ ৘ใηΩϡϦςΟͷҙຯ

20. Α͘ฉ͔ΕΔ͜ͱ • ʮϨγϐαʔϏεʹ৘ใηΩϡϦςΟ͕ඞཁͳΜͰ͔͢ʁʯ

21. Α͘ฉ͔ΕΔ͜ͱ • ʮϨγϐαʔϏεʹ৘ใηΩϡϦςΟ͕ඞཁͳΜͰ͔͢ʁʯ • A. ඞཁ͔ͭෆՄܽͰ͢

22. ʮຖ೔ͷྉཧʯͱ৘ใηΩϡϦςΟ • Ϩγϐσʔλɺࣸਅɺίϝϯτɺϩάɺ༷ʑͳσʔλ • ৯ࣄ͸ਓؒͷੜ׆ͱີ઀ʹඥͮ͘ • μΠΤοτ΍ಛఆͷපؾͳͲϓϥΠόγʹؔΘΔ৘ใ΋ • ΑΓ਎ۙʹ࢖͍͚ͬͯͨͩΔαʔϏεͰ͋Γଓ͚ΔͨΊʹ
 ৴པΛಘͯ৘ใΛ༬͔Γɺ੹೚ΛՌͨ͢͜ͱ͕ॏཁ

23. कΔ΂͖ΤϦΞ • શࣾࢹ఺ʹཱͬͨରࡦ͕ॏཁ • Ϣʔβ޲͚αʔϏε • ࣾ಺γεςϜ • ৘ใͷऔΓѻ͍ํͳͲϧʔϧ΍ӡ༻ •

    ͋ΒΏΔηΩϡϦςΟ՝୊ʹνʔϜͱͯ͠ରԠ

24. ࣮ࡍͷରࡦ΍ӡ༻

25. جຊతͳߟ͑ํ • ϧʔϧ΍ΦϖϨʔγϣϯͰͳٕ͘ज़΍࢓૊ΈͰकΔ • ૿Ճ͠ଓ͚ΔτϥϑΟοΫʹରԠͰ͖ͳ͍ • ਓؒ͸ඞͣϛεΛ͢Δ • Ϋϥ΢υͱͷ੹೚ڥքΛೝࣝɺ೚ͤΔͱ͜Ζ͸೚ͤΔ •

    ๷ޚ100%Ͱͳ͘ “Կ͕ى͖͔ͨΘ͔Δ” ঢ়ଶΛ໨ࢦ͢

26. ๷ޚ100%Ͱ͸ͳ͍ཧ༝ • ʮ׬શͳ๷ޚʯ͸ଘࡏ͠ͳ͍ • ׬શʹ͚ۙͮΔ΄ͲίϯϑϦΫτ͕ى͖΍͍͢ • ๷ޚਫ਼౓Λ1%্͛Δίετ > ݕ஌ਫ਼౓Λ্͛Δίετ •

    ૯߹֨ಆٕͱͯ͠औΓ૊Ή

27. ηΩϡϦςΟγεςϜͷઃܭํ਑ • ๷ޚ͢ΔͨΊͷ࢓૊Έ΍ϩΪϯάγεςϜ: ηϯαʔ • ηϯαʔ͔ΒσʔλΛूΊɺ؂ࢹɾ෼ੳ͢Δ ๷ޚ ݕ஌ ରԠ

28. ηϯαʔ • AWS ͷηΩϡϦςΟαʔϏε • Amazon CloudTrail, Amazon GuardDuty, AWS

    WAF, etc • ηΩϡϦςΟ੡඼ • IDS, EDR, ίϯςφΠϝʔδεΩϟϯ, NGFW, etc • ͋ΒΏΔϩά • ΞΫηεϩά, OS ͷϩά, ΦϑΟεεΠʔτͷϩά, etc

29. ௚໘͢Δ໰୊ • ऩू͢Δϩάͷྲྀྔ΍छྨ͕ଟ͗͢Δ • τϥϑΟοΫ΍औΓࠐΉγεςϜͷ૿Ճ • ίετ૿ʹ௚݁ • ࢢൢͷ SIEM

    ΍ SaaS ͷඅ༻͸ओʹετϨʔδʹ͔͔Δ • ͦͷͨΊʹϩάͷྔΛߜΔͷ͸ຊ຤స౗ • ෼ੳ࣌ʹ͸͡ΊͯϑΟϧλ͞ΕΔ΂͖

30. OSS ͷྗΛआΓΔ • Graylog: ϩάϚωδϝϯτͷͨΊͷ OSS • ϩάͷશจݕࡧɺՄࢹԽɺΞϥʔςΟϯάͳͲ͕Մೳ • ਫฏεέʔϧ͢Δઃܭʹͳ͍ͬͯΔ

    • Elasticsearch ͕όοΫΤϯυ • Amazon Elasticsearch Service Ͱলྗӡ༻

31. Graylog ͷల։ ϩά EC2 Instances Network Load Balancer Elasticsearch Service

    Graylog
 Instance Security Engineer ෼ੳ Application
 Load Balancer

32. ΑΓͨ͘͞ΜͷϩάΛऔΓࠐΉͨΊʹ • ϩάͷૹΓઌ͕τϥϑΟοΫΛड͚͖Εͳ͘ͳΔ • όοΫΤϯυʹٻΊΒΕΔՄ༻ੑ΋ඇৗʹߴ͘ͳΔ • શͯͷϩά͸ Amazon S3 ʹҰ౓อଘ͔ͯ͠Βॲཧ

    • ߴՄ༻Ͱεέʔϧ͢Δ෼ࢄετϨʔδ • όοϑΝΛઃ͚Δ͜ͱͰߏ੒ΛॊೈʹͰ͖Δ • อଘͨ͠ϑΝΠϧΛ AWS Lambda Ͱલॲཧͯ͠ Graylog ΁֨ೲ

33. ϩάอ࣋ظؒͷ໰୊ • ΦϯϥΠϯετϨʔδ͸௿ϨΠςϯγ, ߴίετ (Elasticsearch) • શͯͷϩάΛΦϯϥΠϯʹ͓ͯ͘͠ඞཁ͸ͳ͍ • Ұఆظؒܦͬͨϩά͸ Graylog

    ͔Β࡟আͯ͠ S3 ͷΈͰอ࣋ • ඞཁͳࡍ͸ Amazon Athena ͔ΒΫΤϦՄೳ • ௿ίετ͔ͭे෼ߴ଎ʹݕࡧɾ෼ੳͰ͖Δ

34. εέʔϧ͢ΔΞʔΩςΫνϟ΁ EC2 Instances Office GuardDuty, CloudTrail, etc …. Kinesis
 Firehose

    Lambda Function S3 Bucket Athena Graylog ΁ EC2 Instances Lambda Function

35. εέʔϧ͢ΔΞʔΩςΫνϟ΁ EC2 Instances Office GuardDuty, CloudTrail, etc …. Kinesis
 Firehose

    Lambda Function S3 Bucket Athena Graylog ΁ EC2 Instances Lambda Function ηϯαʔ ू໿ ஝ੵɾอ࣋ ؂ࢹɾ෼ੳ

36. ϩάͷ෼ੳɾݕ஌ • ݕ஌γεςϜΛ AWS Lambda Λ࢖࣮ͬͯ૷ • ࣗಈԽ, লྗԽͷ࣮ݱ •

    ίʔυهड़ͰಘΒΕΔॊೈੑɺอकੑͷ޲্ɺଐਓੑͷഉআ • ૿Ճ͠ଓ͚Δϩάʹର͢ΔεέʔϥϏϦςΟΛಘΔ

37. https://speakerdeck.com/mizutani/techconf2019-mizutani

38. ໰୊ʹରͯ͠ • ऩू͢Δϩάͷྲྀྔ΍छྨ͕ଟ͗͢Δ • εέʔϧՄೳͳΞʔΩςΫνϟʹΑͬͯड͚ࢭΊΒΕΔΑ͏ʹ • ίετ૿ʹ௚݁ • ΑΓ҆ՁͳετϨʔδΛ࢖͑ΔΞʔΩςΫνϟͷ࠾༻ •

    ࣗಈԽɺϚωʔδυαʔϏεར༻Ͱӡ༻΋লྗԽ

39. ݱࡏͷঢ়گ • ࣾ಺֎ͷ༷ʑͳγεςϜͷϩάΛऩूɺ෼ੳ • Ұ೔͋ͨΓ 140GB Ҏ্ͷϩάΛॲཧ • Ұൠతͳϩά؅ཧ੡඼ͱൺֱͯ͠ 1/4

    ҎԼͷίετ • 2໊Ͱӡ༻

40. Security by builders:
 ͜Ε͔ΒͷϢʔβاۀͷηΩϡϦςΟ

41. ʮηΩϡϦςΟରࡦʯ͸౰ͨΓલʹͳͬͨ • ߈ܸ͸ΑΓ༰қʹɺΑΓ೔ৗతʹ • ͲΜͳαΠζͷ૊৫΋ηΩϡϦςΟΛؾʹ͍ͯ͠Δ • ηΩϡϦςΟͷͨΊͷ੡඼΍αʔϏε͸૿Ճ͠ଓ͚͍ͯΔ

42. ʮങͬͯઃஔʯ͚ͩͰ͸ෆे෼ • ର৅ʹ߹Θͤͨߴ౓ͳ߈ܸ • e.g.) Web ΞϓϦέʔγϣϯʹର͢Δ߈ܸ, ඪతܕ߈ܸ • ʮίϯςΩετʯͷ࣮૷͸౰ࣄऀʹ͔͠Ͱ͖ͳ͍

    • ըҰతͳ๷ޚ͚ͩͰͳ͘γεςϜ΍؀ڥʹ߹Θͤͨݕ஌ɾରԠ • e.g.) ΞϓϦέʔγϣϯϩάͷ෼ੳ, ࣾ಺γεςϜͱͷ࿈ܞ

43. σʔλऩूͱݕ஌ • ࿈ܞͷ伴͸σʔλ (ϩά, Ξϥʔτ, etc) • ηΩϡϦςΟ੡඼͚ͩͰͳ͍σʔλͷऩूͱ෼ੳ͕ඞཁ͕ͩ… • ӡ༻ʹਓख΋ۚમίετ΋͔͔Δ

    • τϥϑΟοΫ૿ՃʹΑΓ͞Βʹ૿େ • ӡ༻ऀʹ΋࢖͍΍͘͢εέʔϧ͢Δ࢓૊Έͮ͘Γ͕ෆՄܽ

44. Ϋϥ΢υͰηΩϡϦςΟΛʮͭ͘Δʯ • αʔϏε΍૊৫ͷίϯςΩετΛηΩϡϦςΟγεςϜʹؚΊΔ • ϚωʔδυαʔϏεΛར༻ͭͭ͠औΓ૊Ή΂͖ՕॴʹऔΓ૊Ή • AWS Λ࢖ͬͨηΩϡϦςΟͷՄೳੑ • εέʔϥϒϧͳσʔλॲཧج൫

    (S3, Athena, Kinesis, EMR, Redshift..) • ҟৗݕ஌ͷ࣮૷ (SageMaker, Forecast) • ࣮ੈքͷηΩϡϦςΟ (IoT, Kinesis Video Streams, Rekognition)

45. Ͳ͏ͭ͘Δ͔: ʮࢭΊΔʯ͚ͩͰ͸଍Γͳ͍ • ʮ׬શͳ๷ޚʯʹۙͮ͘΄ͲίϯϑϦΫτ͕ى͖Δ • ΞϓϦέʔγϣϯͷػೳ΍Ϗδωεͦͷ΋ͷͱিಥ͢Δ • ʮ๷ޚʯ͚ͩͰ͸कΓ͖Δ͜ͱ͕Ͱ͖ͳ͍ • Ϗδωεͷ଎౓Λอͪͳ͕ΒʮकΔʯʹ͸Ͳ͏͢Ε͹ྑ͍ʁ

    • ʮͭ͘ΔਓʯΛ્֐͠ͳ͍࢓૊Έʹ͢Δඞཁ͕͋Δ

46. ʮήʔτΩʔύʔʯ͔ΒʮΨʔυϨʔϧʯ΁ • ʮͭ͘ΔਓʯΛޙԡ͢͠ΔηΩϡϦςΟ • ͱΓ͋͑ͣࢭΊΔͷͰ͸ͳ͘Կ͔͋ͬͨͱ͖ʹकͬͯ͘ΕΔ • ϩάج൫͸ͦͷ࢓૊ΈͷҰͭ

47. ΨʔυϨʔϧͷྫ • ϝΠϯ؀ڥͱಉ౳ͷηΩϡϦςΟϨϕϧΛ֬อ͠ͳ͕Β
 ࣗ༝ʹ࢖͑Δ AWS ΞΧ΢ϯτΛ։์ • ։ൃऀ޲͚ΞΧ΢ϯτ (ࣗ༝ʹར༻Ͱ͖ΔΞΧ΢ϯτ) •

    ةݥͳ API ΛࢭΊΔ, ؂ࢹ (IAM, CloudTrail), ةݥͳઃఆΛ௨஌ (Config) • νʔϜ͝ͱͷΞΧ΢ϯτ (ಛʹࣗ༝ͳ؀ڥ͕ඞཁͳ৔߹) • ηοτΞοϓ࣌ʹ CloudTrail, GuardDuty, Config ͳͲΛల։ • ؂ࢹ͸ϩάج൫ʹू໿ͯ͠ߦ͏

48. ʮͭ͘Δྗʯ͕ॏཁ • ੈքͷηΩϡϦςΟνʔϜ΋औΓ૊Έ࢝Ί͍ͯΔ • “Builder” ͱͯ͠ͷྗ • ࢖͏ٕज़Λબͼɺઃܭ͠ɺίʔυΛॻ͖ɺ૊৫΍ϓϩηεʹ
 ηΩϡϦςΟΛ૊ΈࠐΉ •

    ʮͭ͘ΔʯͨΊͷෑډ͸Լ͕Γଓ͚͍ͯΔ • ίϯϙʔωϯτͱͯ͠࢖͑ΔαʔϏε͸೔ʑ૿͍͑ͯΔ

49. https://unsplash.com/photos/1eFgYRwYctg

50. ϏδωεΛՃ଎Ͱ͖ΔηΩϡϦςΟ΁ • ͪΌΜͱػೳ͢ΔʮΨʔυϨʔϧʯͷԼͰ • ҆৺ͯ͠શ଎ྗΛग़ͤΔ؀ڥͮ͘Γ

51. Security for builders, by builders

52. We’re hiring • ʮຖ೔ͷྉཧΛָ͠Έʹ͢ΔʯͨΊͷηΩϡϦςΟΛ
 Ұॹʹͭ͘Γ·ͤΜ͔ʁ https://cookpad.jobs/

53. Fin.