Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Cartography: using graphs to improve and scale ...

Marco Lancini
November 17, 2020
Technology
0
510

Cartography: using graphs to improve and scale security decision-making

Alex Chantavy and I delivered a talk based on this presentation at the "Cloud Native Security Day North America 2020" (November 17th, 2020).

Video Recording: https://youtu.be/ZwMSkFzgiFc

---

This talk highlights using Cartography (https://github.com/lyft/cartography) to improve and scale security decision-making in cloud-native environments. Attendees of this session will be introduced to the platform and shown a broad set of compelling scenarios including understanding complex permissions relationships, tracking and alerting on infrastructure changes, and enabling teams to see and better understand their security risk regardless of the platforms they use.

Cartography is a free open-source tool that consolidates your technical assets and the relationships between them in an intuitive graph database.

The presenters hope that sharing their approaches to these problems will help you better understand, categorize, and secure all the assets deployed in your cloud-native organization. They are thrilled to grow the Cartography community in the first couple years as an open source project and look forward to hearing your feedback!

Marco Lancini

November 17, 2020
Tweet

More Decks by Marco Lancini

See All by Marco Lancini
2022-03-24_Doyensec - Infrastructure Review
marcolancini
0
34
Needle - Black Hat Arsenal USA 2017
marcolancini
0
200
Needle - Black Hat Arsenal EU 2016
marcolancini
0
130
Needle - OWASP AppSec USA 2016
marcolancini
0
190
Enhancing Mobile Malware: an Android RAT Case Study - BSides Vienna 2014
marcolancini
0
620
Social Authentication: Vulnerabilities, Mitigations, and Redesign - DEEPSEC 2014
marcolancini
0
210
Social Authentication - CyCon 2014
marcolancini
0
150
Social Authentication: Vulnerabilities, Mitigations, and Redesign
marcolancini
1
200
Showcase
marcolancini
0
60

Other Decks in Technology

See All in Technology
KubeCon NA 2024 Recap / Running WebAssembly (Wasm) Workloads Side-by-Side with Container Workloads
z63d
1
240
組織に自動テストを書く文化を根付かせる戦略(2024冬版) / Building Automated Test Culture 2024 Winter Edition
twada
PRO
12
3.5k
5分でわかるDuckDB
chanyou0311
10
3.2k
DevOps視点でAWS re:invent2024の新サービス・アプデを振り返ってみた
oshanqq
0
180
re:Invent をおうちで楽しんでみた ~CloudWatch のオブザーバビリティ機能がスゴい!/ Enjoyed AWS re:Invent from Home and CloudWatch Observability Feature is Amazing!
yuj1osm
0
120
成果を出しながら成長する、アウトプット駆動のキャッチアップ術 / Output-driven catch-up techniques to grow while producing results
aiandrox
0
180
複雑性の高いオブジェクト編集に向き合う: プラガブルなReactフォーム設計
righttouch
PRO
0
110
AWS re:Invent 2024 ふりかえり
kongmingstrap
0
130
ずっと昔に Star をつけたはずの 思い出せない GitHub リポジトリを見つけたい!
rokuosan
0
150
C++26 エラー性動作
faithandbrave
2
690
LINEスキマニにおけるフロントエンド開発
lycorptech_jp
PRO
0
330
alecthomas/kong はいいぞ / kamakura.go#7
fujiwara3
1
300

Featured

See All Featured
How To Stay Up To Date on Web Technology
chriscoyier
789
250k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
330
21k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
29
2k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
0
96
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
226
22k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
251
21k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
507
140k
Site-Speed That Sticks
csswizardry
2
190
Done Done
chrislema
181
16k
Embracing the Ebb and Flow
colly
84
4.5k
Typedesign – Prime Four
hannesfritz
40
2.4k
Facilitating Awesome Meetings
lara
50
6.1k

Transcript

  1. Using graphs to improve and scale security decision-making @alexchantavy @lancinimarco

  2. - Alex Chantavy - Software Engineer @Lyft - Background in

    red-teaming cloud environments - @alexchantavy - Marco Lancini - Security Engineer @Thought Machine - Curator of cloudseclist.com - @lancinimarco Who are we

  3. Why Cartography

  4. - Lots of security and tech debt - Tribal knowledge

    - Hypergrowth = larger attack surface Can we understand, track, and manage our infra as it changes over time? Moving too fast

  5. - Permissions models - Multiple vendors - Lots of knobs

    and dials - Easy to get security wrong - Big consequences for getting it wrong Modern infra is complicated!

  6. - Small team - Need to automate wherever practical -

    Need to aggressively prioritize Limited resources

  7. Can we apply an offensive security approach to these keep-the-lights-on

    problems?

  8. “ Defenders think in lists. https://github.com/JohnLaTwC/Shared

  9. “ Defenders think in lists. Attackers think in graphs -

    https://github.com/JohnLaTwC/Shared

  10. ..As long as this is true, attackers win.” https://github.com/JohnLaTwC/Shared

  11. - Highlight structural risks and answer hard-to-answer questions - Use

    cases - Central view over technical assets - Incident response - Security research, red + blue teaming - Compliance reports and audits We need a self-maintaining map

  12. - $$$$ - Proprietary and locked down - Too focused

    or limited in scope - Limited in extensibility Existing solutions

  13. https://github.com/lyft/cartography

  14. None

  15. {

  16. {

  17. }

  18. None

  19. Scenario: Okta to AWS transitivity

  20. Scenario: Okta to AWS transitivity

  21. Scenario: Okta to AWS transitivity

  22. Scenario: Okta to AWS transitivity

  23. Scenario: Okta to AWS transitivity

  24. Scenario: Okta to AWS transitivity

  25. Architecture

  26. Analysis job: Is my compute instance open to the internet?

  27. None
  28. None
  29. None
  30. None

  31. A real-life deployment

  32. Multi-Cloud Auditing

  33. Deployment on K8s

  34. Data Consumption - Neo4j

  35. Data Consumption - Query Format

  36. Data Consumption - Jupyter

  37. Elasticsearch Integration

  38. Data Consumption - Kibana

  39. High Level Dashboards

  40. Drift Detection

  41. What’s coming next

  42. - DAG-based data syncs - Nicer plugin framework - Near-real

    time updates - More data types Cartography’s roadmap

  43. - Play with your own graph - https://github.com/lyft/cartography - Join

    our community - Say hi on Slack - Participate in our monthly video discussion - Tell us how to be useful for you Go get started

  44. Thank you