Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Security by builders - セキュリティ監視をクラウドで「つくる」 / Se...
Search
Hokuto Hoshi
September 25, 2019
Technology
7
2.7k
Security by builders - セキュリティ監視をクラウドで「つくる」 / Security by builders
Hokuto Hoshi
September 25, 2019
Tweet
Share
More Decks by Hokuto Hoshi
See All by Hokuto Hoshi
転生CISOサバイバル・ガイド / CISO Career Transition Survival Guide
kanny
3
1.1k
Connecting organisation with Technology
kanny
0
220
Why Slack - 5 years of Cookpad with Slack
kanny
0
93
セキュリティ担当者から見た re:Invent と AWS Security Hub / Impression of re:Invent and AWS Security Hub
kanny
2
4.2k
自由でセキュアな環境のつくりかた / Building free and secure cloud environment
kanny
1
4.9k
事例でわかる、AWS 運用を支える サポート活用方法と エンタープライズサポートという選択 / AWS Enterprise Support and Cookpad
kanny
2
2.5k
AWS で加速する機械学習 / Accelerate Machine Learning with AWS
kanny
1
1k
クックパッドのログをいい感じにしているアーキテクチャ / Logging architecture at Cookpad
kanny
23
15k
クックパッドの機械学習を支える基盤のつくりかた / Machine Learning ops at Cookpad
kanny
4
8.7k
Other Decks in Technology
See All in Technology
現場で役立つAPIデザイン
nagix
35
13k
2024.02.19 W&B AIエージェントLT会 / AIエージェントが業務を代行するための計画と実行 / Algomatic 宮脇
smiyawaki0820
15
4.1k
システム・ML活用を広げるdbtのデータモデリング / Expanding System & ML Use with dbt Modeling
i125
1
260
Building Products in the LLM Era
ymatsuwitter
10
6.1k
ホワイトボードチャレンジ 説明&実行資料
ichimichi
0
130
Apache Iceberg Case Study in LY Corporation
lycorptech_jp
PRO
0
130
AIエージェント元年
shukob
0
120
ローカルLLMを活用したコード生成と、ローコード開発ツールへの応用
kazuhitoyokoi
0
130
脳波を用いた嗜好マッチングシステム
hokkey621
0
170
表現を育てる
kiyou77
1
220
一度 Expo の採用を断念したけど、 再度 Expo の導入を検討している話
ichiki1023
1
230
Iceberg Meetup Japan #1 : Iceberg and Databricks
databricksjapan
0
160
Featured
See All Featured
For a Future-Friendly Web
brad_frost
176
9.5k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.4k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
6
560
How to train your dragon (web standard)
notwaldorf
91
5.8k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
KATA
mclloyd
29
14k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
251
21k
Making Projects Easy
brettharned
116
6k
Scaling GitHub
holman
459
140k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.3k
Typedesign – Prime Four
hannesfritz
40
2.5k
How STYLIGHT went responsive
nonsquared
98
5.4k
Transcript
Security by builders ηΩϡϦςΟࢹΛΫϥυͰʮͭ͘Δʯ Hokuto Hoshi VP of Technology, Cookpad
Inc. hokuto@cookpad.com
ే (΄͠ ΄͘ͱ) / @kani_b • ΫοΫύουגࣜձࣾ VP of
Technology ࠪҕһձ ࠪิॿऀ • શࣾԣஅͰͷใηΩϡϦςΟϦʔυ͍ͬͯ·͢ • Site Reliability & Security Engineer • AWS ೝఆ SA, DevOps ΤϯδχΞ (Professional) • 2013৽ଔೖࣾ, AWS ར༻ྺ9͘Β͍
None
None
None
None
None
None
None
None
None
None
None
None
None
None
ΫοΫύουͱ AWS • 2011ʹશҠߦ • 2ͭͷϦʔδϣϯΛओʹར༻ • 400 Ҏ্ͷ ECS
αʔϏε͕ EC2 Spot Πϯελϯε্ͰՔಇ • શͯͷϢʔβ͚αʔϏε͜͜Ͱಈ͍͍ͯΔ
ΫοΫύουͱΫϥυ • ࣾγεςϜ΄΅શ͕ͯ AWS ্·ͨ SaaS ͱͯ͠Քಇ • ࣗલӡ༻ΛۃྗݮΒ͢ߏ •
ΦϑΟεʹ͋ΔͷωοτϫʔΫػثͷΈ
ΫοΫύουʹ͓͚Δ ใηΩϡϦςΟͷҙຯ
Α͘ฉ͔ΕΔ͜ͱ • ʮϨγϐαʔϏεʹใηΩϡϦςΟ͕ඞཁͳΜͰ͔͢ʁʯ
Α͘ฉ͔ΕΔ͜ͱ • ʮϨγϐαʔϏεʹใηΩϡϦςΟ͕ඞཁͳΜͰ͔͢ʁʯ • A. ඞཁ͔ͭෆՄܽͰ͢
ʮຖͷྉཧʯͱใηΩϡϦςΟ • Ϩγϐσʔλɺࣸਅɺίϝϯτɺϩάɺ༷ʑͳσʔλ • ৯ࣄਓؒͷੜ׆ͱີʹඥͮ͘ • μΠΤοτಛఆͷපؾͳͲϓϥΠόγʹؔΘΔใ • ΑΓۙʹ͍͚ͬͯͨͩΔαʔϏεͰ͋Γଓ͚ΔͨΊʹ ৴པΛಘͯใΛ༬͔ΓɺΛՌͨ͢͜ͱ͕ॏཁ
कΔ͖ΤϦΞ • શࣾࢹʹཱͬͨରࡦ͕ॏཁ • Ϣʔβ͚αʔϏε • ࣾγεςϜ • ใͷऔΓѻ͍ํͳͲϧʔϧӡ༻ •
͋ΒΏΔηΩϡϦςΟ՝ʹνʔϜͱͯ͠ରԠ
࣮ࡍͷରࡦӡ༻
جຊతͳߟ͑ํ • ϧʔϧΦϖϨʔγϣϯͰͳٕ͘ज़ΈͰकΔ • ૿Ճ͠ଓ͚ΔτϥϑΟοΫʹରԠͰ͖ͳ͍ • ਓؒඞͣϛεΛ͢Δ • ΫϥυͱͷڥքΛೝࣝɺͤΔͱ͜ΖͤΔ •
ޚ100%Ͱͳ͘ “Կ͕ى͖͔ͨΘ͔Δ” ঢ়ଶΛࢦ͢
ޚ100%Ͱͳ͍ཧ༝ • ʮશͳޚʯଘࡏ͠ͳ͍ • શʹ͚ۙͮΔ΄ͲίϯϑϦΫτ͕ى͖͍͢ • ޚਫ਼Λ1%্͛Δίετ > ݕਫ਼Λ্͛Δίετ •
૯߹֨ಆٕͱͯ͠औΓΉ
ηΩϡϦςΟγεςϜͷઃܭํ • ޚ͢ΔͨΊͷΈϩΪϯάγεςϜ: ηϯαʔ • ηϯαʔ͔ΒσʔλΛूΊɺࢹɾੳ͢Δ ޚ ݕ ରԠ
ηϯαʔ • AWS ͷηΩϡϦςΟαʔϏε • Amazon CloudTrail, Amazon GuardDuty, AWS
WAF, etc • ηΩϡϦςΟ • IDS, EDR, ίϯςφΠϝʔδεΩϟϯ, NGFW, etc • ͋ΒΏΔϩά • ΞΫηεϩά, OS ͷϩά, ΦϑΟεεΠʔτͷϩά, etc
໘͢Δ • ऩू͢Δϩάͷྲྀྔछྨ͕ଟ͗͢Δ • τϥϑΟοΫऔΓࠐΉγεςϜͷ૿Ճ • ίετ૿ʹ݁ • ࢢൢͷ SIEM
SaaS ͷඅ༻ओʹετϨʔδʹ͔͔Δ • ͦͷͨΊʹϩάͷྔΛߜΔͷຊస • ੳ࣌ʹ͡ΊͯϑΟϧλ͞ΕΔ͖
OSS ͷྗΛआΓΔ • Graylog: ϩάϚωδϝϯτͷͨΊͷ OSS • ϩάͷશจݕࡧɺՄࢹԽɺΞϥʔςΟϯάͳͲ͕Մೳ • ਫฏεέʔϧ͢Δઃܭʹͳ͍ͬͯΔ
• Elasticsearch ͕όοΫΤϯυ • Amazon Elasticsearch Service Ͱলྗӡ༻
Graylog ͷల։ ϩά EC2 Instances Network Load Balancer Elasticsearch Service
Graylog Instance Security Engineer ੳ Application Load Balancer
ΑΓͨ͘͞ΜͷϩάΛऔΓࠐΉͨΊʹ • ϩάͷૹΓઌ͕τϥϑΟοΫΛड͚͖Εͳ͘ͳΔ • όοΫΤϯυʹٻΊΒΕΔՄ༻ੑඇৗʹߴ͘ͳΔ • શͯͷϩά Amazon S3 ʹҰอଘ͔ͯ͠Βॲཧ
• ߴՄ༻Ͱεέʔϧ͢ΔࢄετϨʔδ • όοϑΝΛઃ͚Δ͜ͱͰߏΛॊೈʹͰ͖Δ • อଘͨ͠ϑΝΠϧΛ AWS Lambda Ͱલॲཧͯ͠ Graylog ֨ೲ
ϩάอ࣋ظؒͷ • ΦϯϥΠϯετϨʔδϨΠςϯγ, ߴίετ (Elasticsearch) • શͯͷϩάΛΦϯϥΠϯʹ͓ͯ͘͠ඞཁͳ͍ • Ұఆظؒܦͬͨϩά Graylog
͔Βআͯ͠ S3 ͷΈͰอ࣋ • ඞཁͳࡍ Amazon Athena ͔ΒΫΤϦՄೳ • ίετ͔ͭेߴʹݕࡧɾੳͰ͖Δ
εέʔϧ͢ΔΞʔΩςΫνϟ EC2 Instances Office GuardDuty, CloudTrail, etc …. Kinesis Firehose
Lambda Function S3 Bucket Athena Graylog EC2 Instances Lambda Function
εέʔϧ͢ΔΞʔΩςΫνϟ EC2 Instances Office GuardDuty, CloudTrail, etc …. Kinesis Firehose
Lambda Function S3 Bucket Athena Graylog EC2 Instances Lambda Function ηϯαʔ ू ੵɾอ࣋ ࢹɾੳ
ϩάͷੳɾݕ • ݕγεςϜΛ AWS Lambda Λ࣮ͬͯ • ࣗಈԽ, লྗԽͷ࣮ݱ •
ίʔυهड़ͰಘΒΕΔॊೈੑɺอकੑͷ্ɺଐਓੑͷഉআ • ૿Ճ͠ଓ͚Δϩάʹର͢ΔεέʔϥϏϦςΟΛಘΔ
https://speakerdeck.com/mizutani/techconf2019-mizutani
ʹରͯ͠ • ऩू͢Δϩάͷྲྀྔछྨ͕ଟ͗͢Δ • εέʔϧՄೳͳΞʔΩςΫνϟʹΑͬͯड͚ࢭΊΒΕΔΑ͏ʹ • ίετ૿ʹ݁ • ΑΓ҆ՁͳετϨʔδΛ͑ΔΞʔΩςΫνϟͷ࠾༻ •
ࣗಈԽɺϚωʔδυαʔϏεར༻Ͱӡ༻লྗԽ
ݱࡏͷঢ়گ • ࣾ֎ͷ༷ʑͳγεςϜͷϩάΛऩूɺੳ • Ұ͋ͨΓ 140GB Ҏ্ͷϩάΛॲཧ • Ұൠతͳϩάཧͱൺֱͯ͠ 1/4
ҎԼͷίετ • 2໊Ͱӡ༻
Security by builders: ͜Ε͔ΒͷϢʔβاۀͷηΩϡϦςΟ
ʮηΩϡϦςΟରࡦʯͨΓલʹͳͬͨ • ߈ܸΑΓ༰қʹɺΑΓৗతʹ • ͲΜͳαΠζͷ৫ηΩϡϦςΟΛؾʹ͍ͯ͠Δ • ηΩϡϦςΟͷͨΊͷαʔϏε૿Ճ͠ଓ͚͍ͯΔ
ʮങͬͯઃஔʯ͚ͩͰෆे • ରʹ߹Θͤͨߴͳ߈ܸ • e.g.) Web ΞϓϦέʔγϣϯʹର͢Δ߈ܸ, ඪతܕ߈ܸ • ʮίϯςΩετʯͷ࣮ࣄऀʹ͔͠Ͱ͖ͳ͍
• ըҰతͳޚ͚ͩͰͳ͘γεςϜڥʹ߹ΘͤͨݕɾରԠ • e.g.) ΞϓϦέʔγϣϯϩάͷੳ, ࣾγεςϜͱͷ࿈ܞ
σʔλऩूͱݕ • ࿈ܞͷ伴σʔλ (ϩά, Ξϥʔτ, etc) • ηΩϡϦςΟ͚ͩͰͳ͍σʔλͷऩूͱੳ͕ඞཁ͕ͩ… • ӡ༻ʹਓखۚમίετ͔͔Δ
• τϥϑΟοΫ૿ՃʹΑΓ͞Βʹ૿େ • ӡ༻ऀʹ͍͘͢εέʔϧ͢ΔΈͮ͘Γ͕ෆՄܽ
ΫϥυͰηΩϡϦςΟΛʮͭ͘Δʯ • αʔϏε৫ͷίϯςΩετΛηΩϡϦςΟγεςϜʹؚΊΔ • ϚωʔδυαʔϏεΛར༻ͭͭ͠औΓΉ͖ՕॴʹऔΓΉ • AWS ΛͬͨηΩϡϦςΟͷՄೳੑ • εέʔϥϒϧͳσʔλॲཧج൫
(S3, Athena, Kinesis, EMR, Redshift..) • ҟৗݕͷ࣮ (SageMaker, Forecast) • ࣮ੈքͷηΩϡϦςΟ (IoT, Kinesis Video Streams, Rekognition)
Ͳ͏ͭ͘Δ͔: ʮࢭΊΔʯ͚ͩͰΓͳ͍ • ʮશͳޚʯʹۙͮ͘΄ͲίϯϑϦΫτ͕ى͖Δ • ΞϓϦέʔγϣϯͷػೳϏδωεͦͷͷͱিಥ͢Δ • ʮޚʯ͚ͩͰकΓ͖Δ͜ͱ͕Ͱ͖ͳ͍ • ϏδωεͷΛอͪͳ͕ΒʮकΔʯʹͲ͏͢Εྑ͍ʁ
• ʮͭ͘ΔਓʯΛ્͠ͳ͍Έʹ͢Δඞཁ͕͋Δ
ʮήʔτΩʔύʔʯ͔ΒʮΨʔυϨʔϧʯ • ʮͭ͘ΔਓʯΛޙԡ͢͠ΔηΩϡϦςΟ • ͱΓ͋͑ͣࢭΊΔͷͰͳ͘Կ͔͋ͬͨͱ͖ʹकͬͯ͘ΕΔ • ϩάج൫ͦͷΈͷҰͭ
ΨʔυϨʔϧͷྫ • ϝΠϯڥͱಉͷηΩϡϦςΟϨϕϧΛ֬อ͠ͳ͕Β ࣗ༝ʹ͑Δ AWS ΞΧϯτΛ։์ • ։ൃऀ͚ΞΧϯτ (ࣗ༝ʹར༻Ͱ͖ΔΞΧϯτ) •
ةݥͳ API ΛࢭΊΔ, ࢹ (IAM, CloudTrail), ةݥͳઃఆΛ௨ (Config) • νʔϜ͝ͱͷΞΧϯτ (ಛʹࣗ༝ͳڥ͕ඞཁͳ߹) • ηοτΞοϓ࣌ʹ CloudTrail, GuardDuty, Config ͳͲΛల։ • ࢹϩάج൫ʹूͯ͠ߦ͏
ʮͭ͘Δྗʯ͕ॏཁ • ੈքͷηΩϡϦςΟνʔϜऔΓΈ࢝Ί͍ͯΔ • “Builder” ͱͯ͠ͷྗ • ͏ٕज़Λબͼɺઃܭ͠ɺίʔυΛॻ͖ɺ৫ϓϩηεʹ ηΩϡϦςΟΛΈࠐΉ •
ʮͭ͘ΔʯͨΊͷෑډԼ͕Γଓ͚͍ͯΔ • ίϯϙʔωϯτͱͯ͑͠ΔαʔϏεʑ૿͍͑ͯΔ
https://unsplash.com/photos/1eFgYRwYctg
ϏδωεΛՃͰ͖ΔηΩϡϦςΟ • ͪΌΜͱػೳ͢ΔʮΨʔυϨʔϧʯͷԼͰ • ҆৺ͯ͠શྗΛग़ͤΔڥͮ͘Γ
Security for builders, by builders
We’re hiring • ʮຖͷྉཧΛָ͠Έʹ͢ΔʯͨΊͷηΩϡϦςΟΛ Ұॹʹͭ͘Γ·ͤΜ͔ʁ https://cookpad.jobs/
Fin.