Cartography: using graphs to improve and scale security decision-making

Alex Chantavy and I delivered a talk based on this presentation at the "Cloud Native Security Day North America 2020" (November 17th, 2020).

Video Recording: https://youtu.be/ZwMSkFzgiFc

---

This talk shows how Cartography (https://github.com/lyft/cartography) can be used to improve and scale security decision-making in cloud-native environments. Attendees are introduced to the platform and walked through a broad set of scenarios, including understanding complex permissions relationships, tracking and alerting on infrastructure changes, and enabling teams to see and better understand their security risk regardless of the platforms they use.

Cartography is a free open-source tool that consolidates your technical assets and the relationships between them in an intuitive graph database.

The presenters hope that sharing their approaches to these problems will help you better understand, categorize, and secure all the assets deployed in your cloud-native organization. They are thrilled with how the Cartography community has grown over its first couple of years as an open source project and look forward to hearing your feedback!
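As an added illustration (not code from the talk or from the Cartography project), the block below builds a small in-memory stand-in for the asset graph and answers two of the questions the talk poses: the "is my compute instance open to the internet?" analysis job and Okta-to-AWS role transitivity. The node labels, relationship types and property names (EC2Instance, EC2SecurityGroup, IpPermissionInbound, IpRange, OktaUser, OktaGroup, AWSRole, MEMBER_OF_EC2_SECURITY_GROUP, MEMBER_OF_IP_RULE, MEMBER_OF_OKTA_GROUP, ALLOWED_BY, STS_ASSUMEROLE_ALLOW, publicipaddress, exposed_internet) are assumed to follow Cartography's documented schema; the data is constructed, and the exposure condition (a public IP plus a security-group inbound rule admitting 0.0.0.0/0 or ::/0) is the simplified rule this example uses, not a claim about the project's exact job.

```python
from collections import defaultdict, deque
from ipaddress import ip_network


class AssetGraph:
    """Tiny labelled property graph standing in for Cartography's Neo4j store.
    Labels, relationship names and properties follow Cartography's schema
    (assumed here, not imported from the project)."""

    def __init__(self):
        self.nodes = {}                  # node id -> (label, properties)
        self.edges = defaultdict(list)   # (src id, rel type) -> [dst id]
        self.redges = defaultdict(list)  # (dst id, rel type) -> [src id]

    def add_node(self, nid, label, **props):
        self.nodes[nid] = (label, props)

    def add_rel(self, src, rel, dst):
        self.edges[(src, rel)].append(dst)
        self.redges[(dst, rel)].append(src)

    def out(self, nid, rel):
        return self.edges.get((nid, rel), [])

    def inbound(self, nid, rel):
        return self.redges.get((nid, rel), [])

    def by_label(self, label):
        return [n for n, (lbl, _) in self.nodes.items() if lbl == label]


def rule_is_world_open(cidr):
    """True for a CIDR that admits every address (0.0.0.0/0 or ::/0)."""
    return ip_network(cidr, strict=False).prefixlen == 0


def mark_exposed_instances(g):
    """Analysis job: flag instances that have a public IP and sit in a security group
    with an inbound rule open to the whole internet. Annotates the node with
    exposed_internet=True and returns {instance: [(sg, rule, fromport, toport), ...]}."""
    findings = {}
    for inst in g.by_label("EC2Instance"):
        props = g.nodes[inst][1]
        if not props.get("publicipaddress"):
            continue  # no public address: a permissive group alone is not exposure here
        hits = []
        for sg in g.out(inst, "MEMBER_OF_EC2_SECURITY_GROUP"):
            # Instances and inbound rules attach to the group with the same
            # relationship type, so filter on the label.
            for rule in g.inbound(sg, "MEMBER_OF_EC2_SECURITY_GROUP"):
                if g.nodes[rule][0] != "IpPermissionInbound":
                    continue
                rprops = g.nodes[rule][1]
                for rng in g.inbound(rule, "MEMBER_OF_IP_RULE"):
                    if rule_is_world_open(g.nodes[rng][1]["range"]):
                        hits.append((sg, rule, rprops.get("fromport"), rprops.get("toport")))
        if hits:
            props["exposed_internet"] = True
            findings[inst] = hits
    return findings


def reachable_aws_roles(g, okta_user):
    """Okta-to-AWS transitivity: OktaUser -> OktaGroup -> AWSRole (SAML), then every
    role reachable through STS_ASSUMEROLE_ALLOW chains. Cycle-safe BFS; returns
    {role: path} with the first path found to each role."""
    paths, queue = {}, deque()
    for group in g.out(okta_user, "MEMBER_OF_OKTA_GROUP"):
        for role in g.out(group, "ALLOWED_BY"):
            if role not in paths:
                paths[role] = [okta_user, group, role]
                queue.append(role)
    while queue:
        role = queue.popleft()
        for nxt in g.out(role, "STS_ASSUMEROLE_ALLOW"):
            if nxt not in paths:  # visited check breaks role-chaining cycles
                paths[nxt] = paths[role] + [nxt]
                queue.append(nxt)
    return paths


def who_can_reach(g, role):
    """The attacker's question in reverse: which identities end up holding this role?"""
    return sorted(u for u in g.by_label("OktaUser") if role in reachable_aws_roles(g, u))


def build_sample_graph():
    """Constructed data, not from any real account."""
    g = AssetGraph()
    for inst, ip in [("i-web", "203.0.113.10"), ("i-db", "203.0.113.11"), ("i-worker", None)]:
        g.add_node(inst, "EC2Instance", publicipaddress=ip)
    g.add_node("rule-web-443", "IpPermissionInbound", fromport=443, toport=443, protocol="tcp")
    g.add_node("rule-db-5432", "IpPermissionInbound", fromport=5432, toport=5432, protocol="tcp")
    g.add_node("0.0.0.0/0", "IpRange", range="0.0.0.0/0")
    g.add_node("10.0.0.0/8", "IpRange", range="10.0.0.0/8")
    for nid, label in [("sg-web", "EC2SecurityGroup"), ("sg-db", "EC2SecurityGroup"),
                       ("alice", "OktaUser"), ("bob", "OktaUser"),
                       ("grp-dev", "OktaGroup"), ("grp-ops", "OktaGroup"),
                       ("role-dev", "AWSRole"), ("role-ops", "AWSRole"), ("role-admin", "AWSRole")]:
        g.add_node(nid, label)
    for src, rel, dst in [
        ("i-web", "MEMBER_OF_EC2_SECURITY_GROUP", "sg-web"),
        ("i-worker", "MEMBER_OF_EC2_SECURITY_GROUP", "sg-web"),
        ("i-db", "MEMBER_OF_EC2_SECURITY_GROUP", "sg-db"),
        ("rule-web-443", "MEMBER_OF_EC2_SECURITY_GROUP", "sg-web"),
        ("rule-db-5432", "MEMBER_OF_EC2_SECURITY_GROUP", "sg-db"),
        ("0.0.0.0/0", "MEMBER_OF_IP_RULE", "rule-web-443"),
        ("10.0.0.0/8", "MEMBER_OF_IP_RULE", "rule-db-5432"),
        ("alice", "MEMBER_OF_OKTA_GROUP", "grp-dev"),
        ("bob", "MEMBER_OF_OKTA_GROUP", "grp-ops"),
        ("grp-dev", "ALLOWED_BY", "role-dev"),
        ("grp-ops", "ALLOWED_BY", "role-ops"),
        ("role-ops", "STS_ASSUMEROLE_ALLOW", "role-admin"),
        ("role-admin", "STS_ASSUMEROLE_ALLOW", "role-ops"),  # cycle: must not loop forever
    ]:
        g.add_rel(src, rel, dst)
    return g


if __name__ == "__main__":
    g = build_sample_graph()
    print("exposed:", mark_exposed_instances(g))
    print("bob reaches:", reachable_aws_roles(g, "bob"))
    print("who can reach role-admin:", who_can_reach(g, "role-admin"))
```

The point of the two traversals is the "lists versus graphs" line from the talk: an inventory list of instances, a list of security groups and a list of Okta groups each look fine on their own; only joining them through their relationships shows that i-web is reachable from the internet on 443 while i-worker in the same group is not, and that bob, who is only a member of an ops group, can end up in role-admin through role chaining.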

Marco Lancini

November 17, 2020

Transcript

  1. Using graphs to improve and scale security decision-making @alexchantavy @lancinimarco

  2. Who are we
     - Alex Chantavy: Software Engineer @Lyft; background in red-teaming cloud environments; @alexchantavy
     - Marco Lancini: Security Engineer @Thought Machine; curator of cloudseclist.com; @lancinimarco
  3. Why Cartography

  4. Moving too fast
     - Lots of security and tech debt
     - Tribal knowledge
     - Hypergrowth = larger attack surface
     Can we understand, track, and manage our infra as it changes over time?
  5. Modern infra is complicated!
     - Permissions models
     - Multiple vendors
     - Lots of knobs and dials
     - Easy to get security wrong
     - Big consequences for getting it wrong
  6. Limited resources
     - Small team
     - Need to automate wherever practical
     - Need to aggressively prioritize
  7. Can we apply an offensive security approach to these keep-the-lights-on problems?
  8-10. “Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.” (https://github.com/JohnLaTwC/Shared)

  11. We need a self-maintaining map
      - Highlight structural risks and answer hard-to-answer questions
      - Use cases: central view over technical assets; incident response; security research, red + blue teaming; compliance reports and audits
  12. Existing solutions
      - $$$$
      - Proprietary and locked down
      - Too focused or limited in scope
      - Limited in extensibility
  13. https://github.com/lyft/cartography

  14-18. [image-only slides; no text extracted]
  19-24. Scenario: Okta to AWS transitivity (walked through over six slides)

  25. Architecture

  26. Analysis job: Is my compute instance open to the internet?

  27-30. [image-only slides; no text extracted]
  31. A real-life deployment

  32. Multi-Cloud Auditing

  33. Deployment on K8s

  34. Data Consumption - Neo4j

  35. Data Consumption - Query Format

  36. Data Consumption - Jupyter

  37. Elasticsearch Integration

  38. Data Consumption - Kibana

  39. High Level Dashboards

  40. Drift Detection

  41. What’s coming next

  42. Cartography’s roadmap
      - DAG-based data syncs
      - Nicer plugin framework
      - Near-real-time updates
      - More data types
  43. Go get started
      - Play with your own graph: https://github.com/lyft/cartography
      - Join our community: say hi on Slack, participate in our monthly video discussion
      - Tell us how to be useful for you
  44. Thank you
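Slide 40 ("Drift Detection") and the abstract's "tracking and alerting on infrastructure changes" both come down to the same mechanism: save the result of a graph query, re-run it on the next sync, and alert on what appeared or vanished. The block below is an added example of that idea, not the drift-detection code that ships with Cartography. The two snapshots are constructed; the query string inside them only illustrates the shape of a saved result and assumes the exposed_internet property from Cartography's schema.

```python
import json


def row_key(row, key_fields):
    """Identity of a result row: the fields that name the asset, not the ones that describe it."""
    return tuple(row[f] for f in key_fields)


def detect_drift(baseline, current, key_fields):
    """Compare two snapshots of the same query's results.
    Returns (added, removed, changed): rows new since the baseline, rows that
    disappeared, and (old, new) pairs whose non-key fields changed. Output is
    sorted by key so repeated runs produce stable, diffable reports."""
    base = {row_key(r, key_fields): r for r in baseline}
    cur = {row_key(r, key_fields): r for r in current}
    added = [cur[k] for k in sorted(cur.keys() - base.keys())]
    removed = [base[k] for k in sorted(base.keys() - cur.keys())]
    changed = [(base[k], cur[k]) for k in sorted(base.keys() & cur.keys()) if base[k] != cur[k]]
    return added, removed, changed


def drift_alerts(snapshot_name, added, removed, changed, bad_when_present=True):
    """Turn drift into alert lines. For a query that lists *bad* things (exposed
    instances, public buckets) additions are the alerts and removals are good news;
    for a query listing *required* things (say, instances running the EDR agent)
    it is the reverse, so the caller states which kind of query this is."""
    grow, shrink = ("NEW", "RESOLVED") if bad_when_present else ("RESOLVED", "MISSING")
    alerts = [f"[{grow}] {snapshot_name}: {r}" for r in added]
    alerts += [f"[{shrink}] {snapshot_name}: {r}" for r in removed]
    alerts += [f"[CHANGED] {snapshot_name}: {old} -> {new}" for old, new in changed]
    return alerts


# Constructed snapshots in the shape of a saved query result (name, the query that
# produced it, and its rows). Not captured from a real deployment.
BASELINE = json.loads("""{
  "name": "exposed_instances",
  "query": "MATCH (i:EC2Instance{exposed_internet:true}) RETURN i.id AS id, i.publicipaddress AS ip, i.region AS region",
  "results": [
    {"id": "i-web",    "ip": "203.0.113.10", "region": "us-east-1"},
    {"id": "i-api",    "ip": "203.0.113.12", "region": "us-east-1"},
    {"id": "i-legacy", "ip": "203.0.113.99", "region": "us-west-2"}
  ]
}""")

CURRENT = json.loads("""{
  "name": "exposed_instances",
  "query": "MATCH (i:EC2Instance{exposed_internet:true}) RETURN i.id AS id, i.publicipaddress AS ip, i.region AS region",
  "results": [
    {"id": "i-web",     "ip": "203.0.113.10", "region": "us-east-1"},
    {"id": "i-api",     "ip": "203.0.113.13", "region": "us-east-1"},
    {"id": "i-bastion", "ip": "198.51.100.7", "region": "eu-west-1"}
  ]
}""")


def run_example():
    """Diff the two constructed snapshots and render alerts for the exposed-instance query."""
    added, removed, changed = detect_drift(BASELINE["results"], CURRENT["results"], ["id"])
    return drift_alerts(BASELINE["name"], added, removed, changed)


if __name__ == "__main__":
    for line in run_example():
        print(line)
```

Keying rows on the asset's stable identifier rather than on the whole row is what separates "a new exposed instance appeared" from "an existing one changed its public IP"; the first is a page, the second is usually a ticket. The same diff run against a query of things that should exist flips the meaning of additions and removals, which is why the polarity is an explicit argument.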