Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Security by builders - セキュリティ監視をクラウドで「つくる」 / Se...
Search
Sponsored
·
SiteGround - Reliable hosting with speed, security, and support you can count on.
→
Hokuto Hoshi
September 25, 2019
Technology
2.8k
7
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Security by builders - セキュリティ監視をクラウドで「つくる」 / Security by builders
Hokuto Hoshi
September 25, 2019
More Decks by Hokuto Hoshi
See All by Hokuto Hoshi
AIとともに歩む情報セキュリティ / Information Security with AI
kanny
5
4.9k
開発も運用もビジネス部門も! クラウドで実現する「つらくない」統制とセキュリティ / Effortless Governance and Security Enabled by the Cloud
kanny
5
4.9k
転生CISOサバイバル・ガイド / CISO Career Transition Survival Guide
kanny
4
2.7k
Connecting organisation with Technology
kanny
0
380
Why Slack - 5 years of Cookpad with Slack
kanny
0
190
セキュリティ担当者から見た re:Invent と AWS Security Hub / Impression of re:Invent and AWS Security Hub
kanny
2
4.3k
自由でセキュアな環境のつくりかた / Building free and secure cloud environment
kanny
1
5.3k
事例でわかる、AWS 運用を支える サポート活用方法と エンタープライズサポートという選択 / AWS Enterprise Support and Cookpad
kanny
2
2.6k
AWS で加速する機械学習 / Accelerate Machine Learning with AWS
kanny
1
1.1k
Other Decks in Technology
See All in Technology
次世代ランサムウェア対策の考察 / 20260704 Mitsutoshi Matsuo
shift_evolve
PRO
5
1.7k
AIペネトレーションテスト・ セキュリティ検証「AgenticSec」紹介資料
laysakura
2
7.9k
CVE-2026-20833_脆弱性対応とAES 化について
jukishiya
0
340
Fabricをフル活用する AI Agent Hub -製造業特化AIエージェントの設計
iotcomjpadmin
0
190
WebGIS AI Agentの紹介
_shimizu
0
610
#エンジニアBooks 30分でわかる 「技術記事を書く技術」 / engineer-books 2026-06-30
jnchito
1
170
時期が悪い!それでもRaspberry Piを買って遊んで活用するには / 20260627-osc26do-rpi-jikigawarui
akkiesoft
1
960
AIに障害切り分けを全部やってもらった。 。 。 。
estie
0
330
AIに「使われる」時代のSaaS戦略 〜既存WebAPIのMCPサーバー化における開発ノウハウ〜
ekispert_api
0
270
AIDLC_ヤフーショッピングの取り組み
lycorptech_jp
PRO
0
470
AIをフル活用してオンコール機能のプロトタイプを2日で作った話 / Building an AI-Powered On-Call Prototype in Just Two Days
nari_ex
0
170
Docker Desktop不要の時代が来る? WSL標準の「wslc」で Linuxコンテナを動かしてみた.
ueponx
0
530
Featured
See All Featured
Marketing to machines
jonoalderson
1
5.5k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
333
23k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
230
23k
Statistics for Hackers
jakevdp
799
230k
Site-Speed That Sticks
csswizardry
13
1.2k
A Modern Web Designer's Workflow
chriscoyier
698
190k
The Pragmatic Product Professional
lauravandoore
37
7.3k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
508
140k
HU Berlin: Industrial-Strength Natural Language Processing with spaCy and Prodigy
inesmontani
PRO
0
430
Beyond borders and beyond the search box: How to win the global "messy middle" with AI-driven SEO
davidcarrasco
3
170
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
141
35k
A better future with KSS
kneath
240
18k
Transcript
Security by builders ηΩϡϦςΟࢹΛΫϥυͰʮͭ͘Δʯ Hokuto Hoshi VP of Technology, Cookpad
Inc.
[email protected]
ే (΄͠ ΄͘ͱ) / @kani_b • ΫοΫύουגࣜձࣾ VP of
Technology ࠪҕһձ ࠪิॿऀ • શࣾԣஅͰͷใηΩϡϦςΟϦʔυ͍ͬͯ·͢ • Site Reliability & Security Engineer • AWS ೝఆ SA, DevOps ΤϯδχΞ (Professional) • 2013৽ଔೖࣾ, AWS ར༻ྺ9͘Β͍
None
None
None
None
None
None
None
None
None
None
None
None
None
None
ΫοΫύουͱ AWS • 2011ʹશҠߦ • 2ͭͷϦʔδϣϯΛओʹར༻ • 400 Ҏ্ͷ ECS
αʔϏε͕ EC2 Spot Πϯελϯε্ͰՔಇ • શͯͷϢʔβ͚αʔϏε͜͜Ͱಈ͍͍ͯΔ
ΫοΫύουͱΫϥυ • ࣾγεςϜ΄΅શ͕ͯ AWS ্·ͨ SaaS ͱͯ͠Քಇ • ࣗલӡ༻ΛۃྗݮΒ͢ߏ •
ΦϑΟεʹ͋ΔͷωοτϫʔΫػثͷΈ
ΫοΫύουʹ͓͚Δ ใηΩϡϦςΟͷҙຯ
Α͘ฉ͔ΕΔ͜ͱ • ʮϨγϐαʔϏεʹใηΩϡϦςΟ͕ඞཁͳΜͰ͔͢ʁʯ
Α͘ฉ͔ΕΔ͜ͱ • ʮϨγϐαʔϏεʹใηΩϡϦςΟ͕ඞཁͳΜͰ͔͢ʁʯ • A. ඞཁ͔ͭෆՄܽͰ͢
ʮຖͷྉཧʯͱใηΩϡϦςΟ • Ϩγϐσʔλɺࣸਅɺίϝϯτɺϩάɺ༷ʑͳσʔλ • ৯ࣄਓؒͷੜ׆ͱີʹඥͮ͘ • μΠΤοτಛఆͷපؾͳͲϓϥΠόγʹؔΘΔใ • ΑΓۙʹ͍͚ͬͯͨͩΔαʔϏεͰ͋Γଓ͚ΔͨΊʹ ৴པΛಘͯใΛ༬͔ΓɺΛՌͨ͢͜ͱ͕ॏཁ
कΔ͖ΤϦΞ • શࣾࢹʹཱͬͨରࡦ͕ॏཁ • Ϣʔβ͚αʔϏε • ࣾγεςϜ • ใͷऔΓѻ͍ํͳͲϧʔϧӡ༻ •
͋ΒΏΔηΩϡϦςΟ՝ʹνʔϜͱͯ͠ରԠ
࣮ࡍͷରࡦӡ༻
جຊతͳߟ͑ํ • ϧʔϧΦϖϨʔγϣϯͰͳٕ͘ज़ΈͰकΔ • ૿Ճ͠ଓ͚ΔτϥϑΟοΫʹରԠͰ͖ͳ͍ • ਓؒඞͣϛεΛ͢Δ • ΫϥυͱͷڥքΛೝࣝɺͤΔͱ͜ΖͤΔ •
ޚ100%Ͱͳ͘ “Կ͕ى͖͔ͨΘ͔Δ” ঢ়ଶΛࢦ͢
ޚ100%Ͱͳ͍ཧ༝ • ʮશͳޚʯଘࡏ͠ͳ͍ • શʹ͚ۙͮΔ΄ͲίϯϑϦΫτ͕ى͖͍͢ • ޚਫ਼Λ1%্͛Δίετ > ݕਫ਼Λ্͛Δίετ •
૯߹֨ಆٕͱͯ͠औΓΉ
ηΩϡϦςΟγεςϜͷઃܭํ • ޚ͢ΔͨΊͷΈϩΪϯάγεςϜ: ηϯαʔ • ηϯαʔ͔ΒσʔλΛूΊɺࢹɾੳ͢Δ ޚ ݕ ରԠ
ηϯαʔ • AWS ͷηΩϡϦςΟαʔϏε • Amazon CloudTrail, Amazon GuardDuty, AWS
WAF, etc • ηΩϡϦςΟ • IDS, EDR, ίϯςφΠϝʔδεΩϟϯ, NGFW, etc • ͋ΒΏΔϩά • ΞΫηεϩά, OS ͷϩά, ΦϑΟεεΠʔτͷϩά, etc
໘͢Δ • ऩू͢Δϩάͷྲྀྔछྨ͕ଟ͗͢Δ • τϥϑΟοΫऔΓࠐΉγεςϜͷ૿Ճ • ίετ૿ʹ݁ • ࢢൢͷ SIEM
SaaS ͷඅ༻ओʹετϨʔδʹ͔͔Δ • ͦͷͨΊʹϩάͷྔΛߜΔͷຊస • ੳ࣌ʹ͡ΊͯϑΟϧλ͞ΕΔ͖
OSS ͷྗΛआΓΔ • Graylog: ϩάϚωδϝϯτͷͨΊͷ OSS • ϩάͷશจݕࡧɺՄࢹԽɺΞϥʔςΟϯάͳͲ͕Մೳ • ਫฏεέʔϧ͢Δઃܭʹͳ͍ͬͯΔ
• Elasticsearch ͕όοΫΤϯυ • Amazon Elasticsearch Service Ͱলྗӡ༻
Graylog ͷల։ ϩά EC2 Instances Network Load Balancer Elasticsearch Service
Graylog Instance Security Engineer ੳ Application Load Balancer
ΑΓͨ͘͞ΜͷϩάΛऔΓࠐΉͨΊʹ • ϩάͷૹΓઌ͕τϥϑΟοΫΛड͚͖Εͳ͘ͳΔ • όοΫΤϯυʹٻΊΒΕΔՄ༻ੑඇৗʹߴ͘ͳΔ • શͯͷϩά Amazon S3 ʹҰอଘ͔ͯ͠Βॲཧ
• ߴՄ༻Ͱεέʔϧ͢ΔࢄετϨʔδ • όοϑΝΛઃ͚Δ͜ͱͰߏΛॊೈʹͰ͖Δ • อଘͨ͠ϑΝΠϧΛ AWS Lambda Ͱલॲཧͯ͠ Graylog ֨ೲ
ϩάอ࣋ظؒͷ • ΦϯϥΠϯετϨʔδϨΠςϯγ, ߴίετ (Elasticsearch) • શͯͷϩάΛΦϯϥΠϯʹ͓ͯ͘͠ඞཁͳ͍ • Ұఆظؒܦͬͨϩά Graylog
͔Βআͯ͠ S3 ͷΈͰอ࣋ • ඞཁͳࡍ Amazon Athena ͔ΒΫΤϦՄೳ • ίετ͔ͭेߴʹݕࡧɾੳͰ͖Δ
εέʔϧ͢ΔΞʔΩςΫνϟ EC2 Instances Office GuardDuty, CloudTrail, etc …. Kinesis Firehose
Lambda Function S3 Bucket Athena Graylog EC2 Instances Lambda Function
εέʔϧ͢ΔΞʔΩςΫνϟ EC2 Instances Office GuardDuty, CloudTrail, etc …. Kinesis Firehose
Lambda Function S3 Bucket Athena Graylog EC2 Instances Lambda Function ηϯαʔ ू ੵɾอ࣋ ࢹɾੳ
ϩάͷੳɾݕ • ݕγεςϜΛ AWS Lambda Λ࣮ͬͯ • ࣗಈԽ, লྗԽͷ࣮ݱ •
ίʔυهड़ͰಘΒΕΔॊೈੑɺอकੑͷ্ɺଐਓੑͷഉআ • ૿Ճ͠ଓ͚Δϩάʹର͢ΔεέʔϥϏϦςΟΛಘΔ
https://speakerdeck.com/mizutani/techconf2019-mizutani
ʹରͯ͠ • ऩू͢Δϩάͷྲྀྔछྨ͕ଟ͗͢Δ • εέʔϧՄೳͳΞʔΩςΫνϟʹΑͬͯड͚ࢭΊΒΕΔΑ͏ʹ • ίετ૿ʹ݁ • ΑΓ҆ՁͳετϨʔδΛ͑ΔΞʔΩςΫνϟͷ࠾༻ •
ࣗಈԽɺϚωʔδυαʔϏεར༻Ͱӡ༻লྗԽ
ݱࡏͷঢ়گ • ࣾ֎ͷ༷ʑͳγεςϜͷϩάΛऩूɺੳ • Ұ͋ͨΓ 140GB Ҏ্ͷϩάΛॲཧ • Ұൠతͳϩάཧͱൺֱͯ͠ 1/4
ҎԼͷίετ • 2໊Ͱӡ༻
Security by builders: ͜Ε͔ΒͷϢʔβاۀͷηΩϡϦςΟ
ʮηΩϡϦςΟରࡦʯͨΓલʹͳͬͨ • ߈ܸΑΓ༰қʹɺΑΓৗతʹ • ͲΜͳαΠζͷ৫ηΩϡϦςΟΛؾʹ͍ͯ͠Δ • ηΩϡϦςΟͷͨΊͷαʔϏε૿Ճ͠ଓ͚͍ͯΔ
ʮങͬͯઃஔʯ͚ͩͰෆे • ରʹ߹Θͤͨߴͳ߈ܸ • e.g.) Web ΞϓϦέʔγϣϯʹର͢Δ߈ܸ, ඪతܕ߈ܸ • ʮίϯςΩετʯͷ࣮ࣄऀʹ͔͠Ͱ͖ͳ͍
• ըҰతͳޚ͚ͩͰͳ͘γεςϜڥʹ߹ΘͤͨݕɾରԠ • e.g.) ΞϓϦέʔγϣϯϩάͷੳ, ࣾγεςϜͱͷ࿈ܞ
σʔλऩूͱݕ • ࿈ܞͷ伴σʔλ (ϩά, Ξϥʔτ, etc) • ηΩϡϦςΟ͚ͩͰͳ͍σʔλͷऩूͱੳ͕ඞཁ͕ͩ… • ӡ༻ʹਓखۚમίετ͔͔Δ
• τϥϑΟοΫ૿ՃʹΑΓ͞Βʹ૿େ • ӡ༻ऀʹ͍͘͢εέʔϧ͢ΔΈͮ͘Γ͕ෆՄܽ
ΫϥυͰηΩϡϦςΟΛʮͭ͘Δʯ • αʔϏε৫ͷίϯςΩετΛηΩϡϦςΟγεςϜʹؚΊΔ • ϚωʔδυαʔϏεΛར༻ͭͭ͠औΓΉ͖ՕॴʹऔΓΉ • AWS ΛͬͨηΩϡϦςΟͷՄೳੑ • εέʔϥϒϧͳσʔλॲཧج൫
(S3, Athena, Kinesis, EMR, Redshift..) • ҟৗݕͷ࣮ (SageMaker, Forecast) • ࣮ੈքͷηΩϡϦςΟ (IoT, Kinesis Video Streams, Rekognition)
Ͳ͏ͭ͘Δ͔: ʮࢭΊΔʯ͚ͩͰΓͳ͍ • ʮશͳޚʯʹۙͮ͘΄ͲίϯϑϦΫτ͕ى͖Δ • ΞϓϦέʔγϣϯͷػೳϏδωεͦͷͷͱিಥ͢Δ • ʮޚʯ͚ͩͰकΓ͖Δ͜ͱ͕Ͱ͖ͳ͍ • ϏδωεͷΛอͪͳ͕ΒʮकΔʯʹͲ͏͢Εྑ͍ʁ
• ʮͭ͘ΔਓʯΛ્͠ͳ͍Έʹ͢Δඞཁ͕͋Δ
ʮήʔτΩʔύʔʯ͔ΒʮΨʔυϨʔϧʯ • ʮͭ͘ΔਓʯΛޙԡ͢͠ΔηΩϡϦςΟ • ͱΓ͋͑ͣࢭΊΔͷͰͳ͘Կ͔͋ͬͨͱ͖ʹकͬͯ͘ΕΔ • ϩάج൫ͦͷΈͷҰͭ
ΨʔυϨʔϧͷྫ • ϝΠϯڥͱಉͷηΩϡϦςΟϨϕϧΛ֬อ͠ͳ͕Β ࣗ༝ʹ͑Δ AWS ΞΧϯτΛ։์ • ։ൃऀ͚ΞΧϯτ (ࣗ༝ʹར༻Ͱ͖ΔΞΧϯτ) •
ةݥͳ API ΛࢭΊΔ, ࢹ (IAM, CloudTrail), ةݥͳઃఆΛ௨ (Config) • νʔϜ͝ͱͷΞΧϯτ (ಛʹࣗ༝ͳڥ͕ඞཁͳ߹) • ηοτΞοϓ࣌ʹ CloudTrail, GuardDuty, Config ͳͲΛల։ • ࢹϩάج൫ʹूͯ͠ߦ͏
ʮͭ͘Δྗʯ͕ॏཁ • ੈքͷηΩϡϦςΟνʔϜऔΓΈ࢝Ί͍ͯΔ • “Builder” ͱͯ͠ͷྗ • ͏ٕज़Λબͼɺઃܭ͠ɺίʔυΛॻ͖ɺ৫ϓϩηεʹ ηΩϡϦςΟΛΈࠐΉ •
ʮͭ͘ΔʯͨΊͷෑډԼ͕Γଓ͚͍ͯΔ • ίϯϙʔωϯτͱͯ͑͠ΔαʔϏεʑ૿͍͑ͯΔ
https://unsplash.com/photos/1eFgYRwYctg
ϏδωεΛՃͰ͖ΔηΩϡϦςΟ • ͪΌΜͱػೳ͢ΔʮΨʔυϨʔϧʯͷԼͰ • ҆৺ͯ͠શྗΛग़ͤΔڥͮ͘Γ
Security for builders, by builders
We’re hiring • ʮຖͷྉཧΛָ͠Έʹ͢ΔʯͨΊͷηΩϡϦςΟΛ Ұॹʹͭ͘Γ·ͤΜ͔ʁ https://cookpad.jobs/
Fin.