Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security by builders - セキュリティ監視をクラウドで「つくる」 / Security by builders

Hokuto Hoshi
September 25, 2019
Technology
7
2.4k

Security by builders - セキュリティ監視をクラウドで「つくる」 / Security by builders

Hokuto Hoshi

September 25, 2019
Tweet

More Decks by Hokuto Hoshi

See All by Hokuto Hoshi
セキュリティ担当者から見た re:Invent と AWS Security Hub / Impression of re:Invent and AWS Security Hub
kanny
2
3.9k
自由でセキュアな環境のつくりかた / Building free and secure cloud environment
kanny
1
4.3k
事例でわかる、AWS 運用を支える
サポート活用方法と
エンタープライズサポートという選択 / AWS Enterprise Support and Cookpad
kanny
2
2k
AWS で加速する機械学習 / Accelerate Machine Learning with AWS
kanny
0
800
クックパッドのログをいい感じにしているアーキテクチャ / Logging architecture at Cookpad
kanny
23
14k
クックパッドの機械学習を支える基盤のつくりかた / Machine Learning ops at Cookpad
kanny
3
8.1k
cookpad.com 全 HTTPS 化の軌跡
kanny
30
21k
秒間数万のログをいい感じにするアーキテクチャ
kanny
64
56k

Other Decks in Technology

See All in Technology
Autonomous Database - Dedicated 技術詳細 / adb-d_technical_detail_jp
oracle4engineer
PRO
1
2.4k
BIMIとメールセキュリティ
sbtechnight
PRO
0
410
チームで導入する Jetpack Compose あの素晴らしいLTをもう一度.ver
kako351
1
150
テスト技法を使ったテストケースの表現方法/How to express test cases using test techniques
shimashima35
0
250
アプリケーション開発をさらに加速させるフレームワークとCI/CD技術
sbtechnight
PRO
0
380
LINE Blockchain Developers APIではじめるWeb3
sbtechnight
PRO
0
380
可読性を高めるためのコードレビューテクニック
sbtechnight
PRO
0
470
Jotaiで作ったフォームをApollo_Clientで投げたらいい感じだった件.pdf
asazutaiga
1
210
Oracle Container Engine for Kubernetes (OKE) ご紹介 / oke-overview
oracle4engineer
PRO
1
950
ジョブキューシステムFireworqのアーキテクチャ設計と運用時のベストプラクティス
tarao
1
790
6G/テラヘルツの取り組み
sbtechnight
PRO
0
460
マネジメント3.0モデル入門(120分版)
takufujii
11
2.7k

Featured

See All Featured
The Mythical Team-Month
searls
210
40k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
318
19k
Keith and Marios Guide to Fast Websites
keithpitt
407
21k
Streamline your AJAX requests with AmplifyJS and jQuery
dougneiner
128
8.8k
Happy Clients
brianwarren
90
5.9k
Art, The Web, and Tiny UX
lynnandtonic
284
18k
Why Our Code Smells
bkeepers
PRO
326
55k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
500
130k
Scaling GitHub
holman
453
140k
Unsuck your backbone
ammeep
659
56k
Product Roadmaps are Hard
iamctodd
38
7.9k
Why You Should Never Use an ORM
jnunemaker
PRO
49
8k

Transcript

  1. Security by builders
    ηΩϡϦςΟ؂ࢹΛΫϥ΢υͰʮͭ͘Δʯ
    Hokuto Hoshi
    VP of Technology, Cookpad Inc.
    [email protected]

    View Slide

  2. ੕ ๺ే (΄͠ ΄͘ͱ) / @kani_b
    • ΫοΫύουגࣜձࣾ VP of Technology

    ؂ࠪҕһձ ؂ࠪิॿऀ
    • શࣾԣஅͰͷ৘ใηΩϡϦςΟϦʔυ΋΍͍ͬͯ·͢
    • Site Reliability & Security Engineer
    • AWS ೝఆ SA, DevOps ΤϯδχΞ (Professional)
    • 2013೥৽ଔೖࣾ, AWS ར༻ྺ͸9೥͘Β͍

    View Slide

  3. View Slide

  4. View Slide

  5. View Slide

  6. View Slide

  7. View Slide

  8. View Slide

  9. View Slide

  10. View Slide

  11. View Slide

  12. View Slide

  13. View Slide

  14. View Slide

  15. View Slide

  16. View Slide

  17. ΫοΫύουͱ AWS
    • 2011೥ʹ׬શҠߦ
    • 2ͭͷϦʔδϣϯΛओʹར༻
    • 400 Ҏ্ͷ ECS αʔϏε͕ EC2 Spot Πϯελϯε্ͰՔಇ
    • શͯͷϢʔβ޲͚αʔϏε͸͜͜Ͱಈ͍͍ͯΔ

    View Slide

  18. ΫοΫύουͱΫϥ΢υ
    • ࣾ಺γεςϜ΋΄΅શ͕ͯ AWS ্·ͨ͸ SaaS ͱͯ͠Քಇ
    • ࣗલӡ༻ΛۃྗݮΒ͢ߏ੒
    • ΦϑΟεʹ͋Δ΋ͷ͸ωοτϫʔΫػثͷΈ

    View Slide

  19. ΫοΫύουʹ͓͚Δ
    ৘ใηΩϡϦςΟͷҙຯ

    View Slide

  20. Α͘ฉ͔ΕΔ͜ͱ
    • ʮϨγϐαʔϏεʹ৘ใηΩϡϦςΟ͕ඞཁͳΜͰ͔͢ʁʯ

    View Slide

  21. Α͘ฉ͔ΕΔ͜ͱ
    • ʮϨγϐαʔϏεʹ৘ใηΩϡϦςΟ͕ඞཁͳΜͰ͔͢ʁʯ
    • A. ඞཁ͔ͭෆՄܽͰ͢

    View Slide

  22. ʮຖ೔ͷྉཧʯͱ৘ใηΩϡϦςΟ
    • Ϩγϐσʔλɺࣸਅɺίϝϯτɺϩάɺ༷ʑͳσʔλ
    • ৯ࣄ͸ਓؒͷੜ׆ͱີ઀ʹඥͮ͘
    • μΠΤοτ΍ಛఆͷපؾͳͲϓϥΠόγʹؔΘΔ৘ใ΋
    • ΑΓ਎ۙʹ࢖͍͚ͬͯͨͩΔαʔϏεͰ͋Γଓ͚ΔͨΊʹ

    ৴པΛಘͯ৘ใΛ༬͔Γɺ੹೚ΛՌͨ͢͜ͱ͕ॏཁ

    View Slide

  23. कΔ΂͖ΤϦΞ
    • શࣾࢹ఺ʹཱͬͨରࡦ͕ॏཁ
    • Ϣʔβ޲͚αʔϏε
    • ࣾ಺γεςϜ
    • ৘ใͷऔΓѻ͍ํͳͲϧʔϧ΍ӡ༻
    • ͋ΒΏΔηΩϡϦςΟ՝୊ʹνʔϜͱͯ͠ରԠ

    View Slide

  24. ࣮ࡍͷରࡦ΍ӡ༻

    View Slide

  25. جຊతͳߟ͑ํ
    • ϧʔϧ΍ΦϖϨʔγϣϯͰͳٕ͘ज़΍࢓૊ΈͰकΔ
    • ૿Ճ͠ଓ͚ΔτϥϑΟοΫʹରԠͰ͖ͳ͍
    • ਓؒ͸ඞͣϛεΛ͢Δ
    • Ϋϥ΢υͱͷ੹೚ڥքΛೝࣝɺ೚ͤΔͱ͜Ζ͸೚ͤΔ
    • ๷ޚ100%Ͱͳ͘ “Կ͕ى͖͔ͨΘ͔Δ” ঢ়ଶΛ໨ࢦ͢

    View Slide

  26. ๷ޚ100%Ͱ͸ͳ͍ཧ༝
    • ʮ׬શͳ๷ޚʯ͸ଘࡏ͠ͳ͍
    • ׬શʹ͚ۙͮΔ΄ͲίϯϑϦΫτ͕ى͖΍͍͢
    • ๷ޚਫ਼౓Λ1%্͛Δίετ > ݕ஌ਫ਼౓Λ্͛Δίετ
    • ૯߹֨ಆٕͱͯ͠औΓ૊Ή

    View Slide

  27. ηΩϡϦςΟγεςϜͷઃܭํ਑
    • ๷ޚ͢ΔͨΊͷ࢓૊Έ΍ϩΪϯάγεςϜ: ηϯαʔ
    • ηϯαʔ͔ΒσʔλΛूΊɺ؂ࢹɾ෼ੳ͢Δ
    ๷ޚ ݕ஌ ରԠ

    View Slide

  28. ηϯαʔ
    • AWS ͷηΩϡϦςΟαʔϏε
    • Amazon CloudTrail, Amazon GuardDuty, AWS WAF, etc
    • ηΩϡϦςΟ੡඼
    • IDS, EDR, ίϯςφΠϝʔδεΩϟϯ, NGFW, etc
    • ͋ΒΏΔϩά
    • ΞΫηεϩά, OS ͷϩά, ΦϑΟεεΠʔτͷϩά, etc

    View Slide

  29. ௚໘͢Δ໰୊
    • ऩू͢Δϩάͷྲྀྔ΍छྨ͕ଟ͗͢Δ
    • τϥϑΟοΫ΍औΓࠐΉγεςϜͷ૿Ճ
    • ίετ૿ʹ௚݁
    • ࢢൢͷ SIEM ΍ SaaS ͷඅ༻͸ओʹετϨʔδʹ͔͔Δ
    • ͦͷͨΊʹϩάͷྔΛߜΔͷ͸ຊ຤స౗
    • ෼ੳ࣌ʹ͸͡ΊͯϑΟϧλ͞ΕΔ΂͖

    View Slide

  30. OSS ͷྗΛआΓΔ
    • Graylog: ϩάϚωδϝϯτͷͨΊͷ OSS
    • ϩάͷશจݕࡧɺՄࢹԽɺΞϥʔςΟϯάͳͲ͕Մೳ
    • ਫฏεέʔϧ͢Δઃܭʹͳ͍ͬͯΔ
    • Elasticsearch ͕όοΫΤϯυ
    • Amazon Elasticsearch Service Ͱলྗӡ༻

    View Slide

  31. Graylog ͷల։
    ϩά
    EC2 Instances Network Load Balancer Elasticsearch Service
    Graylog

    Instance
    Security Engineer
    ෼ੳ
    Application

    Load Balancer

    View Slide

  32. ΑΓͨ͘͞ΜͷϩάΛऔΓࠐΉͨΊʹ
    • ϩάͷૹΓઌ͕τϥϑΟοΫΛड͚͖Εͳ͘ͳΔ
    • όοΫΤϯυʹٻΊΒΕΔՄ༻ੑ΋ඇৗʹߴ͘ͳΔ
    • શͯͷϩά͸ Amazon S3 ʹҰ౓อଘ͔ͯ͠Βॲཧ
    • ߴՄ༻Ͱεέʔϧ͢Δ෼ࢄετϨʔδ
    • όοϑΝΛઃ͚Δ͜ͱͰߏ੒ΛॊೈʹͰ͖Δ
    • อଘͨ͠ϑΝΠϧΛ AWS Lambda Ͱલॲཧͯ͠ Graylog ΁֨ೲ

    View Slide

  33. ϩάอ࣋ظؒͷ໰୊
    • ΦϯϥΠϯετϨʔδ͸௿ϨΠςϯγ, ߴίετ (Elasticsearch)
    • શͯͷϩάΛΦϯϥΠϯʹ͓ͯ͘͠ඞཁ͸ͳ͍
    • Ұఆظؒܦͬͨϩά͸ Graylog ͔Β࡟আͯ͠ S3 ͷΈͰอ࣋
    • ඞཁͳࡍ͸ Amazon Athena ͔ΒΫΤϦՄೳ
    • ௿ίετ͔ͭे෼ߴ଎ʹݕࡧɾ෼ੳͰ͖Δ

    View Slide

  34. εέʔϧ͢ΔΞʔΩςΫνϟ΁
    EC2 Instances
    Office
    GuardDuty, CloudTrail, etc
    ….
    Kinesis

    Firehose
    Lambda
    Function
    S3 Bucket
    Athena
    Graylog ΁
    EC2 Instances
    Lambda
    Function

    View Slide

  35. εέʔϧ͢ΔΞʔΩςΫνϟ΁
    EC2 Instances
    Office
    GuardDuty, CloudTrail, etc
    ….
    Kinesis

    Firehose
    Lambda
    Function
    S3 Bucket
    Athena
    Graylog ΁
    EC2 Instances
    Lambda
    Function
    ηϯαʔ ू໿ ஝ੵɾอ࣋ ؂ࢹɾ෼ੳ

    View Slide

  36. ϩάͷ෼ੳɾݕ஌
    • ݕ஌γεςϜΛ AWS Lambda Λ࢖࣮ͬͯ૷
    • ࣗಈԽ, লྗԽͷ࣮ݱ
    • ίʔυهड़ͰಘΒΕΔॊೈੑɺอकੑͷ޲্ɺଐਓੑͷഉআ
    • ૿Ճ͠ଓ͚Δϩάʹର͢ΔεέʔϥϏϦςΟΛಘΔ

    View Slide

  37. https://speakerdeck.com/mizutani/techconf2019-mizutani

    View Slide

  38. ໰୊ʹରͯ͠
    • ऩू͢Δϩάͷྲྀྔ΍छྨ͕ଟ͗͢Δ
    • εέʔϧՄೳͳΞʔΩςΫνϟʹΑͬͯड͚ࢭΊΒΕΔΑ͏ʹ
    • ίετ૿ʹ௚݁
    • ΑΓ҆ՁͳετϨʔδΛ࢖͑ΔΞʔΩςΫνϟͷ࠾༻
    • ࣗಈԽɺϚωʔδυαʔϏεར༻Ͱӡ༻΋লྗԽ

    View Slide

  39. ݱࡏͷঢ়گ
    • ࣾ಺֎ͷ༷ʑͳγεςϜͷϩάΛऩूɺ෼ੳ
    • Ұ೔͋ͨΓ 140GB Ҏ্ͷϩάΛॲཧ
    • Ұൠతͳϩά؅ཧ੡඼ͱൺֱͯ͠ 1/4 ҎԼͷίετ
    • 2໊Ͱӡ༻

    View Slide

  40. Security by builders:

    ͜Ε͔ΒͷϢʔβاۀͷηΩϡϦςΟ

    View Slide

  41. ʮηΩϡϦςΟରࡦʯ͸౰ͨΓલʹͳͬͨ
    • ߈ܸ͸ΑΓ༰қʹɺΑΓ೔ৗతʹ
    • ͲΜͳαΠζͷ૊৫΋ηΩϡϦςΟΛؾʹ͍ͯ͠Δ
    • ηΩϡϦςΟͷͨΊͷ੡඼΍αʔϏε͸૿Ճ͠ଓ͚͍ͯΔ

    View Slide

  42. ʮങͬͯઃஔʯ͚ͩͰ͸ෆे෼
    • ର৅ʹ߹Θͤͨߴ౓ͳ߈ܸ
    • e.g.) Web ΞϓϦέʔγϣϯʹର͢Δ߈ܸ, ඪతܕ߈ܸ
    • ʮίϯςΩετʯͷ࣮૷͸౰ࣄऀʹ͔͠Ͱ͖ͳ͍
    • ըҰతͳ๷ޚ͚ͩͰͳ͘γεςϜ΍؀ڥʹ߹Θͤͨݕ஌ɾରԠ
    • e.g.) ΞϓϦέʔγϣϯϩάͷ෼ੳ, ࣾ಺γεςϜͱͷ࿈ܞ

    View Slide

  43. σʔλऩूͱݕ஌
    • ࿈ܞͷ伴͸σʔλ (ϩά, Ξϥʔτ, etc)
    • ηΩϡϦςΟ੡඼͚ͩͰͳ͍σʔλͷऩूͱ෼ੳ͕ඞཁ͕ͩ…
    • ӡ༻ʹਓख΋ۚમίετ΋͔͔Δ
    • τϥϑΟοΫ૿ՃʹΑΓ͞Βʹ૿େ
    • ӡ༻ऀʹ΋࢖͍΍͘͢εέʔϧ͢Δ࢓૊Έͮ͘Γ͕ෆՄܽ

    View Slide

  44. Ϋϥ΢υͰηΩϡϦςΟΛʮͭ͘Δʯ
    • αʔϏε΍૊৫ͷίϯςΩετΛηΩϡϦςΟγεςϜʹؚΊΔ
    • ϚωʔδυαʔϏεΛར༻ͭͭ͠औΓ૊Ή΂͖ՕॴʹऔΓ૊Ή
    • AWS Λ࢖ͬͨηΩϡϦςΟͷՄೳੑ
    • εέʔϥϒϧͳσʔλॲཧج൫ (S3, Athena, Kinesis, EMR, Redshift..)
    • ҟৗݕ஌ͷ࣮૷ (SageMaker, Forecast)
    • ࣮ੈքͷηΩϡϦςΟ (IoT, Kinesis Video Streams, Rekognition)

    View Slide

  45. Ͳ͏ͭ͘Δ͔: ʮࢭΊΔʯ͚ͩͰ͸଍Γͳ͍
    • ʮ׬શͳ๷ޚʯʹۙͮ͘΄ͲίϯϑϦΫτ͕ى͖Δ
    • ΞϓϦέʔγϣϯͷػೳ΍Ϗδωεͦͷ΋ͷͱিಥ͢Δ
    • ʮ๷ޚʯ͚ͩͰ͸कΓ͖Δ͜ͱ͕Ͱ͖ͳ͍
    • Ϗδωεͷ଎౓Λอͪͳ͕ΒʮकΔʯʹ͸Ͳ͏͢Ε͹ྑ͍ʁ
    • ʮͭ͘ΔਓʯΛ્֐͠ͳ͍࢓૊Έʹ͢Δඞཁ͕͋Δ

    View Slide

  46. ʮήʔτΩʔύʔʯ͔ΒʮΨʔυϨʔϧʯ΁
    • ʮͭ͘ΔਓʯΛޙԡ͢͠ΔηΩϡϦςΟ
    • ͱΓ͋͑ͣࢭΊΔͷͰ͸ͳ͘Կ͔͋ͬͨͱ͖ʹकͬͯ͘ΕΔ
    • ϩάج൫͸ͦͷ࢓૊ΈͷҰͭ

    View Slide

  47. ΨʔυϨʔϧͷྫ
    • ϝΠϯ؀ڥͱಉ౳ͷηΩϡϦςΟϨϕϧΛ֬อ͠ͳ͕Β

    ࣗ༝ʹ࢖͑Δ AWS ΞΧ΢ϯτΛ։์
    • ։ൃऀ޲͚ΞΧ΢ϯτ (ࣗ༝ʹར༻Ͱ͖ΔΞΧ΢ϯτ)
    • ةݥͳ API ΛࢭΊΔ, ؂ࢹ (IAM, CloudTrail), ةݥͳઃఆΛ௨஌ (Config)
    • νʔϜ͝ͱͷΞΧ΢ϯτ (ಛʹࣗ༝ͳ؀ڥ͕ඞཁͳ৔߹)
    • ηοτΞοϓ࣌ʹ CloudTrail, GuardDuty, Config ͳͲΛల։
    • ؂ࢹ͸ϩάج൫ʹू໿ͯ͠ߦ͏

    View Slide

  48. ʮͭ͘Δྗʯ͕ॏཁ
    • ੈքͷηΩϡϦςΟνʔϜ΋औΓ૊Έ࢝Ί͍ͯΔ
    • “Builder” ͱͯ͠ͷྗ
    • ࢖͏ٕज़Λબͼɺઃܭ͠ɺίʔυΛॻ͖ɺ૊৫΍ϓϩηεʹ

    ηΩϡϦςΟΛ૊ΈࠐΉ
    • ʮͭ͘ΔʯͨΊͷෑډ͸Լ͕Γଓ͚͍ͯΔ
    • ίϯϙʔωϯτͱͯ͠࢖͑ΔαʔϏε͸೔ʑ૿͍͑ͯΔ

    View Slide

  49. https://unsplash.com/photos/1eFgYRwYctg

    View Slide

  50. ϏδωεΛՃ଎Ͱ͖ΔηΩϡϦςΟ΁
    • ͪΌΜͱػೳ͢ΔʮΨʔυϨʔϧʯͷԼͰ
    • ҆৺ͯ͠શ଎ྗΛग़ͤΔ؀ڥͮ͘Γ

    View Slide

  51. Security for builders,
    by builders

    View Slide

  52. We’re hiring
    • ʮຖ೔ͷྉཧΛָ͠Έʹ͢ΔʯͨΊͷηΩϡϦςΟΛ

    Ұॹʹͭ͘Γ·ͤΜ͔ʁ
    https://cookpad.jobs/

    View Slide

  53. Fin.

    View Slide