Upgrade to Pro — share decks privately, control downloads, hide ads and more …

SOARによるセキュリティ監視業務の効率化とSecOps /soar-and-secops

Masayoshi Mizutani
October 29, 2020
Technology
1
970

SOARによるセキュリティ監視業務の効率化とSecOps /soar-and-secops

CODE BLUE 2020での登壇資料です

Masayoshi Mizutani

October 29, 2020
Tweet

More Decks by Masayoshi Mizutani

See All by Masayoshi Mizutani
Ubieにおけるセキュリティ課題管理の自動化 / ubie-sec-issue-automation
mizutani
0
640
Trivy + Regoを用いたパッケージ脆弱性管理 /trivy-rego
mizutani
7
4k
リモートワークを支える 社内セキュリティ基盤の構築と運用 /secueiry-for-wfh
mizutani
0
630
Amazon Athena を使った セキュリティログ検索基盤の構築 /seclog-athena
mizutani
5
2.6k
Webサービス事業会社におけるEDRの検討と導入の事例 /falcon2019
mizutani
1
660
AWS re:Inforce recap 2019
mizutani
1
4.2k
スケーラブルなセキュリティ監視基盤の作り方 /techconf2019-mizutani
mizutani
3
2.9k
Webサービス事業会社におけるEDRの検討と導入の事例 /falconday201812
mizutani
3
2.2k
クックパッドのセキュリティログ 検索基盤の紹介 /security-log-search
mizutani
3
3.5k

Other Decks in Technology

See All in Technology
株式会社EventHub・エンジニア採用資料
eventhub
0
1.9k
**強い**エンジニアのなり方 - フィードバックサイクルを勝ち取る / grow one day each day
soudai
62
18k
入社後初めてのタスクでk8sアップグレードした話.pdf
kkato1
1
380
HEXA OSINT CTF V3 作戦会議
meow_noisy
0
110
SREとその組織類型
tatsuo48
8
1.5k
社内勉強会運営のコツ
senoo
6
1.2k
ユーザーストーリーのレビューを自動化したみたの
bun913
1
330
SPI原点回帰論:事業課題とFour Keysの結節点を見出す実践的ソフトウェアプロセス改善 / DevOpsDays Tokyo 2024
visional_engineering_and_design
4
1.6k
現代CSSフレームワークの内部実装とその仕組み
poteboy
6
1.8k
ここが嬉しいABAC ここが辛いよABAC #再解説+補足編
masahirokawahara
1
230
Google Cloud の AI を支える裏側のインフラを垣間見る!
maroon1st
0
210
o11y入門_外形監視を利用したWebアプリケーションへの最適なモニタリング_TechBrew
k5k
3
100

Featured

See All Featured
Mobile First: as difficult as doing things right
swwweet
216
8.6k
Put a Button on it: Removing Barriers to Going Fast.
kastner
58
3k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
1
1.3k
The Art of Programming - Codeland 2020
erikaheidi
41
12k
For a Future-Friendly Web
brad_frost
171
8.9k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
5
1.5k
Designing Experiences People Love
moore
136
23k
How to train your dragon (web standard)
notwaldorf
72
5.1k
Building a Scalable Design System with Sketch
lauravandoore
455
32k
Faster Mobile Websites
deanohume
297
30k
A Modern Web Designer's Workflow
chriscoyier
688
190k
Designing for Performance
lara
601
67k

Transcript

  1. &GGFDUJWF4FDVSJUZ.POJUPSJOHCZ 40"3BOE4FD0QT $PPLQBE*OD 5FDI%FQBSUNFOU 4FDVSJUZ5FBN-FBEFS .BTBZPTIJ.J[VUBOJ ਫ୩ਖ਼ܚ  5IV 

    $0%&#-6&

  2. 5PEBZ`T"HFOEB w8IBUJT40"3  w40"3$BTF4UVEZ w4FDVSJUZCZ4PGUXBSF&OHJOFFSJOH 

  3. 8IPBSFZPV w1I%ʢ.FEJBBOE(PWFSOBODFʣ wʙ*#.+BQBO w 3FTFBSDIBOEEFWFMPQNFOUPGTFDVSJUZQSPEVDUTFSWJDF FH4*&.  w "OBMZTUPG40$ 4FDVSJUZ0QFSBUJPO$FOUFS

     wʙ$PPLQBE*OD w 4FDVSJUZ5FBN-FBEFS w %FWFMPQNFOUBOEPQFSBUJPOPGJOUFSOBMTFDVSJUZJOGSBTUSVDUVSF w $4*35 *OGPSNBUJPO4FDVSJUZ$PNNJUUFF  .BTBZPTIJ.J[VUBOJ ਫ୩ਖ਼ܚ

  4. #BDLHSPVOE 

  5. #BDLHSPVOEPGPVS$4*35 w-JNJUFEIVNBOSFTPVSDFT w 0OMZBDUJWFNFNCFST w 8PSLJOHGPSOPUPOMZJODJEFOUSFTQPOTFCVUBMTPDPNQBOZSJTLNBOBHFNFOU w'PDVTJOHPOl4FDVSJUZ.POJUPSJOHz w (VBSESBJM OPU(BUFLFFQFS

    w 1SFWFOUUPCSBLFCVTJOFTTBDUJWJUJFTCZTFDVSJUZSVMFT w $BQBCJMJUZPGEFUFDUJOHTFDVSJUZCSFBDIBOEJOWFTUJHBUJPO 

  6. $PNQPOFOUTPG4FDVSJUZ.POJUPSJOH  -PHHJOH "MFSUJOH "OUJ7JSVT &%3 &OEQPJOU %FUFDUJPO3FTQPOTF /FUXPSLCBTFE*%4 JOUSVTJPO%FUFDUJPO4ZTUFN

    4ZTUFN4FSWJDF-PHT 8"' 8FC"QQMJDBUJPO'JSFXBMM "VEJU-PHT /FUXPSL-PHT 4FOTPS .BOBHFS -PH.BOBHFS 4*&. 4FDVSJUZ*OGPSNBUJPO&WFOU.BOBHFS

  7. $ZDMFPG4FDVSJUZ.POJUPSJOH  0CTFSWBUJPO %FUFDUJPO 3FTQPOTF (BUIFSJOHTFDVSJUZ FWFOUTGSPNPXO TZTUFNFOWJSPONFOU %FUFDUJOHQPUFOUJBM PGTFDVSJUZCSFBDICZ

    PCTFSWFEFWFOU T +VEHJOHTFWFSJUZPG UIFEFUFDUFEBMFSUCZ JOWFTUJHBUJPO w 1SFTFSWJOHFWJEFODFT w .JUJHBUJOHEBNBHF 4FOTPST 4*&. /FFECJHNBOQPXFS 5SJBHF "TTFTTNFOU

  8. 40"3 4FDVSJUZ0SDIFTUSBUJPO "VUPNBUJPOBOE3FTQPOTF 

  9.  %FUFDUJPO  5SJBHF  3FTQPOTF 40"3 4FDVSJUZ0SDIFTUSBUJPO "VUPNBUJPOBOE3FTQPOTF 

    40"3 "MFSUJOH1SPEVDU FH4*&. 0UIFS1SPEVDUT 4FSWJDFT 0UIFS1SPEVDUT 4FSWJDFT 4FDVSJUZ "MFSU *OGPSNBUJPO SFMBUFEUIFBMFSU $IBOHF DPOpHVSBUJPO w"VUPNBUJPOGPS5SJBHFBOE3FTQPOTF1IBTFTJO4FDVSJUZ .POJUPSJOHXJUI7BSJPVT1SPEVDUTBOE4FSWJDFT w 0SJHJOBMMZDPJOFECZ(BSUOFSJOUIFJSSFQPSU /PW   w %FpOJUJPOJTTMJHIUMZEJ⒎FSFOUCZFBDITFDVSJUZWFOEPS

  10. 40"3 WFSZTJNQMF 6TF$BTF  4*&. *1BEESFTT SFQVUBUJPOTFSWJDF "84 Detect suspicious

    activities in a EC2 instance on AWS One of IP addresses is Command & Control Server!! Take snapshot and quarantine the instance Inquiry about communicated IP addresses 7BSJPVT -PHT 1MBZCPPL 3VOCPPL FUD 40"3

  11. #FOFpUPG40"3 w4BWJOH-BCPSXPSLMPBE w 'VMMBVUPNBUFEUSJBHF SFTQPOTFGPSLOPXOBMFSUT w 3FEVDJOHXPSLMPBEPGUSJBHFGPSVOLOPXOBMFSUT w"EWBOUBHFT w )FMQGVMGPSBCVTZBOBMZTUCZNBLJOHBMFSUIBOEMJOHFBTZ

    w %POPUIFTJUBUFUPBEENPOJUPSJOHPGOFXBMFSUT 

  12. 40"3$BTF4UVEZ 4FDVSJUZ.POJUPSJOH"VUPNBUJPO 

  13. 5FDIOJDBM$IBMMFOHFTPG40"3JNQMFNFOUBUJPO w'MFYJCJMJUZ w )PXDBOXFEFTDSJCFDPNQMJDBUFEXPSLqPX  w 1SPQSJFUBSZMBOHVBHFEPFT/05XPSL w &DPTZTUFN w

    .BJOUFOBODFBCJMJUZ w&YUFOTJCJMJUZ w .BOZWBSJPVTPSDIFTUSBUJPOTFSWJDFTBOEQSPEVDUT w *OUFHSBUJPOXJUIJOUFSOBMTFSWJDFTBOEQSPEVDUT w"CTUSBDUJPO w 8PSLqPXNPEFMT w %BUBNPEFMT 

  14. %FFQ"MFSU w0VSPSJHJOBM40"3 GSBNFXPSL w *NQMFNFOUXJUI"84$%, w 5ISFFNBJOTUFQT w  *OTQFDUJPO&OSJDIQBSBNFUFST

    w  3FWJFX&WBMVBUFTFWFSJUZ w  &NJU5BLFBDUJPO w 4UBSUFEEFWFMPQNFOUBUFBSMZ   IUUQTHJUIVCDPNEFFQBMFSUEFFQBMFSU

  15. %FFQ"MFSU4UBDL <4UFQ>*OTQFDUJPO&OSJDIQBSBNFUFST w'SPNFYUFSOBMEBUBTPVSDF w 3FQVUBUJPOTFSWJDFT 7JSVT5PUBM )ZCSJE"OBMZTJT VSMTDBOJP FUD 

    w'SPNJOUFSOBMEBUBTPVSDF w 4FSWJDFBOETZTUFNMPHT (4VJUF "[VSF"% "84 *OUFSOBMTFSWFST  w &OEQPJOUMPHT $SPXE4USJLF'BMDPO PTRVFSZ  4/4 /PUJpDBUJPO4FSWJDF 424 2VFVF4FSWJDF 7JSVT5PUBM 4UBDL VSMTDBOJP 4UBDL $MPVE5SBJM 4UBDL "MFSU

  16. <4UFQ>3FWJFX&WBMVBUFTFWFSJUZ w&WBMVBUJPOQPMJDZXSJUUFOJO(PPO"84-BNCEB w 4FFOPUPOMZTFDVSJUZBMFSUCVUBMTPFOSJDIFEEBUB w &WFOUVBMMZ DIPJDFTFWFSJUZGSPN4BGF 6ODMBTTJpFEBOE6SHFOU w1PMJDZJTNBOBHFEJO(JU)VC&OUFSQSJTF w

    3FWJFXBCMFDPEF w 5FTUBCMFDPEF w $IBOHFIJTUPSZNBOBHFNFOU  4FDVSJUZBT$PEF

  17. 3FWJFX1PMJDZ$IBOHFT  w$IBOHFCZ13 1VMM3FRVFTU  w 0O(JU)VC&OUFSQSJTF w 3FWJFXFECZBUFBNNFNCFS w

    $BODPNNFOUUPDPEF w $BOBQQSPWFPGDIBOHFT w $IBOHFNBOBHFNFOU *OUIFTBNFNBOOFSBT NPEFSOTPGUXBSFEFWFMPQNFOU $PNNFOU $IBOHFIJTUPSZ

  18. 5FTU1PMJDZ$IBOHFT  w5FTUCZ(FOFSBM'SBNFXPSLPG(P w 3FWJFX-BNCEB'VODUJPOJTJNQMFNFOUFE XJUITJNQMFJOQVUPVUQVU w *OQVU"MFSUBOE%BUB w 0VUQVU4FWFSJUZ

    w &BTZUPXSJUFVOJUUFTUCZTJNQMF*0 0SJHJOBM4FDVSJUZ"MFSU "OFOSJDIFEQBSBNFUFS GSPNJOUFSOBMEBUBTPVSDF "MTP *OUIFTBNFNBOOFSBT NPEFSOTPGUXBSFEFWFMPQNFOU 3VOVOJUUFTU

  19. <4UFQ>&NJU5BLFBDUJPO w/PUJpDBUJPO w 4MBDL 1BHFS%VUZ 0CTPMFUFE  w*ODJEFOU5JDLFU$SFBUJPO w (JU)VC&OUFSQSJTF

    w2VBSBOUJOFBOE&WJEFODF1SFTFSWBUJPO 0QUJPOBM  w 4IVUEPXOOFUXPSLCZFOEQPJOUTFDVSJUZTFSWJDF w 4IVUEPXOOFUXPSLBOEUBLFTOBQTIPUCZDMPVEQSPWJEFS`TGVODUJPO w 8FEPOPURVBSBOUJOFGPSOPXCFDBVTFMPXGSFRVFOU 

  20. *NQSPWF4FDVSJUZ.POJUPSJOH0QFSBUJPOCZ40"3 w3FEVDJOHBOVNCFSPGUSJBHFSFTQPOTF w 0WFSDBTFTBSFDMPTFEBVUPNBUJDBMMZ SFTVMUT  w3FEVDJOHUJNFUPUSJBHF w "OBOBMZTUTUBSUTUSJBHFQIBTFXJUIFOSJDIFEBMFSUJOGPSNBUJPO w-PXDPTU

    w "WFSBHFEBZ 

  21. 4FDVSJUZCZ 4PGUXBSF&OHJOFFSJOH 

  22. 40"3JT(PPE&YBNQMFPG4PGUXBSF&OHJOFFSJOH w4FDVSJUZNPOJUPSJOHTZTUFNNVTUCFVQEBUFEDPOUJOVPVTMZ w $IBOHJOHTUBUVTPGPSHBOJ[BUJPO w $IBOHJOHBUUBDLFS`TUSFOE w $IBOHJOHDBQBCJMJUZPGTFOTPSBOEBMFSUEFUFDUPS w'PSDPOUJOVPVTSFJOGPSDFNFOUMPPQPG40"3ʜ w

    %FWFMPQNFOUPGOFXGFBUVSFT w 6QEBUF pYBOESFJOGPSDFQPMJDJFT w $POUJOVPVT*OUFHSBUJPO w $POUJOVPVT%FMJWFSZ  .PEFSO%FW0QT UFDIOJRVFTBSFBQQMJBCMF

  23. 4FD0QT w"QQMZ%FW0QTQSJODJQMFTUP4FDVSJUZTZTUFNT w -JLF.-0QT BQQMZ%FW0QTQSJODJQMFTUP.-TZTUFNT  w %FW4FD0QTNFBOTlTFDVSJUZDIFDLJO$*QJQFMJOFzJOHFOFSBM w#VJMEBOEPQFSBUFZPVSTFDVSJUZTZTUFNCZZPVSPXO TFMG

    w 5PBSDIJWFTDBMBCJMJUZ FYUFOTJCJMJUZ BHJMJUZBOEDBQBCJMJUZ w 'PSNPOJUPSJOH DPNQMJBODF SJTLNBOBHFNFOU FUD w 1SJPSFYBNQMFT/FUqJY -JCFSUZ.VUVBM FUD 

  24. $BTF4UVEZ43& w4JUF3FMJBCJMJUZ&OHJOFFSJOH &OHJOFFS  w "EJTDJQMJOFUIBUJODPSQPSBUFTBTQFDUTPGTPGUXBSFFOHJOFFSJOHBOE BQQMJFTUIFNUPJOGSBTUSVDUVSFBOEPQFSBUJPOTQSPCMFNT GSPN8JLJQFEJB  w'SPN(PPHMF#PPL

    w lKeeping operational work (i.e., toil) below 50% of each SRE’s timez w lReducing toil and scaling up services is the ‘Engineering’ ” w 5IFZDPOUJOVPVTMZJNQSPWFTUIFJSXPSLTCZTPGUXBSFFOHJOFFSJOH "MMQSJODJQMFTPG43&BSFOPUSFRVJSFEJOTFDVSJUZ DPOUFYU CVUXFDBOMFBSONPSFGSPNUIFN 

  25. "QQSPBDIUP4FD0QT GSPNNZFYQFSJFODF w$IBOHFUIFDVMUVSF w 'VMMDPNNJUNFOUGPSPQFSBUJPOBMXPSLTJTCBE w $IBOHFEGSPNUPQ MFBEFSPSNBOBHFS  w#PUIPGEFWFMPQNFOUTLJMMTBOETFDVSJUZLOPXMFEHFT

    BSFSFRVJSFE w ,FFQZPVSNPUJWBUJPOGPSJOGPSNBUJPOTFDVSJUZ w -FBSOGSPNNPEFSOTPGUXBSFEFWFMPQNFOUUFDIOJRVFT 

  26. $PODMVTJPO w40"3JTBDPODFQUPGBVUPNBUJPOBOEPSDIFTUSBUJPOJO USJBHFBOESFTQPOTFQIBTFTJOTFDVSJUZNPOJUPSJOH w%FFQ"MFSUJT$PPLQBEPXOFE40"3GSBNFXPSLXJUI TFSWFSMFTTBSDIJUFDUVSFPO"84 w &WBMVBUFTFWFSJUZXJUIJOUFSOBMFYUFSOBMEBUBTPVSDFBOEUBLFBDUJPO w 6TFNPEFSOTPGUXBSFEFWFMPQNFOUUFDIOJRVFTUPNBOBHFQPMJDZ w4FD0QTDPODFQUNBZCFDPNFNPSFJNQPSUBOU

    w 40"3JTBHPPEFYBNQMFUIBU4FD0QTDPODFQUXPSLTXFMM w 4FD0QTDBOIFMQTPUIFSTZTUFNBUJ[BUJPO 

  27. 5IBOLZPV