Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Cartography: using graphs to improve and scale security decision-making

Marco Lancini
November 17, 2020

Cartography: using graphs to improve and scale security decision-making

Alex Chantavy and I delivered a talk based on this presentation at the "Cloud Native Security Day North America 2020" (November 17th, 2020).

Video Recording: https://youtu.be/ZwMSkFzgiFc


This talk highlights using Cartography (https://github.com/lyft/cartography) to improve and scale security decision-making in cloud-native environments. Attendees of this session will be introduced to the platform and shown a broad set of compelling scenarios including understanding complex permissions relationships, tracking and alerting on infrastructure changes, and enabling teams to see and better understand their security risk regardless of the platforms they use.

Cartography is a free open-source tool that consolidates your technical assets and the relationships between them in an intuitive graph database.

The presenters hope that sharing their approaches to these problems will help you better understand, categorize, and secure all the assets deployed in your cloud-native organization. They are thrilled to grow the Cartography community in the first couple years as an open source project and look forward to hearing your feedback!

Marco Lancini

November 17, 2020

More Decks by Marco Lancini

Other Decks in Technology


  1. - Alex Chantavy - Software Engineer @Lyft - Background in

    red-teaming cloud environments - @alexchantavy - Marco Lancini - Security Engineer @Thought Machine - Curator of cloudseclist.com - @lancinimarco Who are we
  2. - Lots of security and tech debt - Tribal knowledge

    - Hypergrowth = larger attack surface Can we understand, track, and manage our infra as it changes over time? Moving too fast
  3. - Permissions models - Multiple vendors - Lots of knobs

    and dials - Easy to get security wrong - Big consequences for getting it wrong Modern infra is complicated!
  4. - Small team - Need to automate wherever practical -

    Need to aggressively prioritize Limited resources
  5. “ Defenders think in lists. Attackers think in graphs -

  6. - Highlight structural risks and answer hard-to-answer questions - Use

    cases - Central view over technical assets - Incident response - Security research, red + blue teaming - Compliance reports and audits We need a self-maintaining map
  7. - $$$$ - Proprietary and locked down - Too focused

    or limited in scope - Limited in extensibility Existing solutions
  8. {

  9. {

  10. }

  11. - DAG-based data syncs - Nicer plugin framework - Near-real

    time updates - More data types Cartography’s roadmap
  12. - Play with your own graph - https://github.com/lyft/cartography - Join

    our community - Say hi on Slack - Participate in our monthly video discussion - Tell us how to be useful for you Go get started