Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Cartography: using graphs to improve and scale security decision-making

Marco Lancini
November 17, 2020
Technology
0
460

Cartography: using graphs to improve and scale security decision-making

Alex Chantavy and I delivered a talk based on this presentation at the "Cloud Native Security Day North America 2020" (November 17th, 2020).

Video Recording: https://youtu.be/ZwMSkFzgiFc

---

This talk highlights using Cartography (https://github.com/lyft/cartography) to improve and scale security decision-making in cloud-native environments. Attendees of this session will be introduced to the platform and shown a broad set of compelling scenarios including understanding complex permissions relationships, tracking and alerting on infrastructure changes, and enabling teams to see and better understand their security risk regardless of the platforms they use.

Cartography is a free open-source tool that consolidates your technical assets and the relationships between them in an intuitive graph database.

The presenters hope that sharing their approaches to these problems will help you better understand, categorize, and secure all the assets deployed in your cloud-native organization. They are thrilled to grow the Cartography community in the first couple years as an open source project and look forward to hearing your feedback!

Marco Lancini

November 17, 2020
Tweet

More Decks by Marco Lancini

See All by Marco Lancini
2022-03-24_Doyensec - Infrastructure Review
marcolancini
0
32
Needle - Black Hat Arsenal USA 2017
marcolancini
0
180
Needle - Black Hat Arsenal EU 2016
marcolancini
0
120
Needle - OWASP AppSec USA 2016
marcolancini
0
180
Enhancing Mobile Malware: an Android RAT Case Study - BSides Vienna 2014
marcolancini
0
550
Social Authentication: Vulnerabilities, Mitigations, and Redesign - DEEPSEC 2014
marcolancini
0
200
Social Authentication - CyCon 2014
marcolancini
0
140
Social Authentication: Vulnerabilities, Mitigations, and Redesign
marcolancini
1
200
Showcase
marcolancini
0
56

Other Decks in Technology

See All in Technology
コミュニティサービスに「あなたへ」フィードを リリースするまでの試行錯誤
takapy
1
150
Datadog Cloud SIEMを使ってAWS環境の脅威を可視化した話/lifeistech-datadog-cloud-siem
gidajun
0
480
サービス開発を前に進めるために 新米リードエンジニアが 取り組んだこと / Steps Taken by a Novice Lead Engineer to Advance Service Development
nologyance
0
180
技術負債による事業の失敗はなぜ起こるのか / Why do business failures due to technical debt occur?
i35_267
0
190
データベース研修 分析向けSQL入門【MIXI 24新卒技術研修】
mixi_engineers
PRO
0
110
AWSサービスメニュー開発をしていてAWSを好きだ!と感じた瞬間
toru_kubota
0
130
AWSでRAGを作る法方
sonoda_mj
1
140
20240725 LLMによるDXのビジョンと、今何からやるべきか @Azure OpenAI Service Dev Day
nrryuya
3
1.2k
ギークの理想が7つ集まるエムスリーで夢を叶えよう - エムスリー株式会社
m3_engineering
1
260
サーバーレスAPI(API Gateway+Lambda)とNext.jsで 個人ブログを作ろう!
shuntaka
PRO
0
560
Amazon FSx for NetApp ONTAPのパフォーマンスチューニング要素をまとめてみた #cm_odyssey #devio2024
non97
0
220
ABEMAにおけるLLMを用いたコンテンツベース推薦システム導入と効果検証
cyberagentdevelopers
PRO
1
730

Featured

See All Featured
Leading Effective Engineering Teams 2024
addyosmani
3
300
Designing for humans not robots
tammielis
247
25k
From Idea to $5000 a Month in 5 Months
shpigford
377
46k
Faster Mobile Websites
deanohume
303
30k
Designing Experiences People Love
moore
136
23k
What's new in Ruby 2.0
geeforr
338
31k
How to train your dragon (web standard)
notwaldorf
79
5.5k
Thoughts on Productivity
jonyablonski
64
4.1k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
36
9.1k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
44
4.7k
How GitHub Uses GitHub to Build GitHub
holman
471
290k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
353
29k

Transcript

  1. Using graphs to improve and scale security decision-making @alexchantavy @lancinimarco

  2. - Alex Chantavy - Software Engineer @Lyft - Background in

    red-teaming cloud environments - @alexchantavy - Marco Lancini - Security Engineer @Thought Machine - Curator of cloudseclist.com - @lancinimarco Who are we

  3. Why Cartography

  4. - Lots of security and tech debt - Tribal knowledge

    - Hypergrowth = larger attack surface Can we understand, track, and manage our infra as it changes over time? Moving too fast

  5. - Permissions models - Multiple vendors - Lots of knobs

    and dials - Easy to get security wrong - Big consequences for getting it wrong Modern infra is complicated!

  6. - Small team - Need to automate wherever practical -

    Need to aggressively prioritize Limited resources

  7. Can we apply an offensive security approach to these keep-the-lights-on

    problems?

  8. “ Defenders think in lists. https://github.com/JohnLaTwC/Shared

  9. “ Defenders think in lists. Attackers think in graphs -

    https://github.com/JohnLaTwC/Shared

  10. ..As long as this is true, attackers win.” https://github.com/JohnLaTwC/Shared

  11. - Highlight structural risks and answer hard-to-answer questions - Use

    cases - Central view over technical assets - Incident response - Security research, red + blue teaming - Compliance reports and audits We need a self-maintaining map

  12. - $$$$ - Proprietary and locked down - Too focused

    or limited in scope - Limited in extensibility Existing solutions

  13. https://github.com/lyft/cartography

  14. None

  15. {

  16. {

  17. }

  18. None

  19. Scenario: Okta to AWS transitivity

  20. Scenario: Okta to AWS transitivity

  21. Scenario: Okta to AWS transitivity

  22. Scenario: Okta to AWS transitivity

  23. Scenario: Okta to AWS transitivity

  24. Scenario: Okta to AWS transitivity

  25. Architecture

  26. Analysis job: Is my compute instance open to the internet?

  27. None
  28. None
  29. None
  30. None

  31. A real-life deployment

  32. Multi-Cloud Auditing

  33. Deployment on K8s

  34. Data Consumption - Neo4j

  35. Data Consumption - Query Format

  36. Data Consumption - Jupyter

  37. Elasticsearch Integration

  38. Data Consumption - Kibana

  39. High Level Dashboards

  40. Drift Detection

  41. What’s coming next

  42. - DAG-based data syncs - Nicer plugin framework - Near-real

    time updates - More data types Cartography’s roadmap

  43. - Play with your own graph - https://github.com/lyft/cartography - Join

    our community - Say hi on Slack - Participate in our monthly video discussion - Tell us how to be useful for you Go get started

  44. Thank you