
Cartography: using graphs to improve and scale security decision-making

Marco Lancini
November 17, 2020


Alex Chantavy and I delivered a talk based on this presentation at the "Cloud Native Security Day North America 2020" (November 17th, 2020).

Video Recording: https://youtu.be/ZwMSkFzgiFc

---

This talk highlights using Cartography (https://github.com/lyft/cartography) to improve and scale security decision-making in cloud-native environments. Attendees of this session will be introduced to the platform and shown a broad set of compelling scenarios, including understanding complex permissions relationships, tracking and alerting on infrastructure changes, and enabling teams to see and better understand their security risk regardless of the platforms they use.

Cartography is a free open-source tool that consolidates your technical assets and the relationships between them in an intuitive graph database.

The presenters hope that sharing their approaches to these problems will help you better understand, categorize, and secure all the assets deployed in your cloud-native organization. They are thrilled to grow the Cartography community in its first couple of years as an open source project and look forward to hearing your feedback!

Transcript

  1. Using graphs to improve and scale security decision-making
    @alexchantavy @lancinimarco

  2. - Alex Chantavy
      - Software Engineer @Lyft
      - Background in red-teaming cloud environments
      - @alexchantavy
    - Marco Lancini
      - Security Engineer @Thought Machine
      - Curator of cloudseclist.com
      - @lancinimarco
    Who are we

  3. Why Cartography

  4. - Lots of security and tech debt
    - Tribal knowledge
    - Hypergrowth = larger attack surface
    Can we understand, track, and manage our infra as it changes over time?
    Moving too fast

  5. - Permissions models
    - Multiple vendors
    - Lots of knobs and dials
    - Easy to get security wrong
    - Big consequences for getting it wrong
    Modern infra is complicated!

  6. - Small team
    - Need to automate wherever practical
    - Need to aggressively prioritize
    Limited resources

  7. Can we apply an offensive security approach to these keep-the-lights-on problems?

  8. “Defenders think in lists.”
    https://github.com/JohnLaTwC/Shared

  9. “Defenders think in lists. Attackers think in graphs.”
    https://github.com/JohnLaTwC/Shared

  10. “...As long as this is true, attackers win.”
    https://github.com/JohnLaTwC/Shared

  11. - Highlight structural risks and answer hard-to-answer questions
    - Use cases
      - Central view over technical assets
      - Incident response
      - Security research, red + blue teaming
      - Compliance reports and audits
    We need a self-maintaining map

  12. - $$$$
    - Proprietary and locked down
    - Too focused or limited in scope
    - Limited in extensibility
    Existing solutions

  13. https://github.com/lyft/cartography

  14. Scenario: Okta to AWS transitivity (slides 14 to 19)
  20. Architecture

  21. Analysis job: Is my compute instance open to the internet?
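The exposure question on this slide, written out as an added Cypher query over Cartography's Neo4j graph (an example added here, not a query from the deck or from the project's own analysis jobs). It assumes Cartography's AWS EC2 schema, in which an EC2Instance is MEMBER_OF_EC2_SECURITY_GROUP of an EC2SecurityGroup, an IpPermissionInbound rule is MEMBER_OF_EC2_SECURITY_GROUP of that group, and an IpRange is MEMBER_OF_IP_RULE of the rule; property names such as `publicipaddress`, `groupid`, `fromport` and `toport` are taken from that schema and should be checked against the Cartography version you run.

```cypher
// Added example (not from the deck): list EC2 instances that have a public IP
// and sit in a security group with an inbound rule open to any source address.
// Assumed schema: instance -> security group <- inbound rule <- ip range.
MATCH (acct:AWSAccount)-[:RESOURCE]->(inst:EC2Instance)
      -[:MEMBER_OF_EC2_SECURITY_GROUP]->(sg:EC2SecurityGroup)
MATCH (rule:IpPermissionInbound)-[:MEMBER_OF_EC2_SECURITY_GROUP]->(sg)
MATCH (src:IpRange)-[:MEMBER_OF_IP_RULE]->(rule)
WHERE src.range IN ['0.0.0.0/0', '::/0']      // any-source IPv4 or IPv6 rule
  AND inst.publicipaddress IS NOT NULL        // no public IP, no direct exposure
RETURN acct.id            AS account,
       inst.instanceid    AS instance,
       inst.publicipaddress AS public_ip,
       sg.groupid         AS security_group,
       rule.protocol      AS protocol,       // '-1' means all protocols
       rule.fromport      AS from_port,
       rule.toport        AS to_port
ORDER BY account, instance, from_port
```

Treat each row as a lead rather than proof: the query looks only at security group rules and ignores network ACLs and routing, so confirm a hit against the subnet's route table before alerting on it.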

  22. A real-life deployment

  23. Multi-Cloud Auditing

  24. Deployment on K8s

  25. Data Consumption - Neo4j

  26. Data Consumption - Query Format

  27. Data Consumption - Jupyter

  28. Elasticsearch Integration

  29. Data Consumption - Kibana

  30. High Level Dashboards

  31. Drift Detection

  32. What’s coming next

  33. - DAG-based data syncs
    - Nicer plugin framework
    - Near-real time updates
    - More data types
    Cartography’s roadmap

  34. - Play with your own graph
      - https://github.com/lyft/cartography
    - Join our community
      - Say hi on Slack
      - Participate in our monthly video discussion
      - Tell us how to be useful for you
    Go get started