Upgrade to Pro — share decks privately, control downloads, hide ads and more …

There is no security team

There is no security team

I discuss how Envato builds a security conscious organisation without a formal security team

Patrick Robinson

February 16, 2019

More Decks by Patrick Robinson

Other Decks in Technology


  1. What’s this about? How does Envato work? What’s our approach

    to Security? A Case Study of a Security Tool we use What other ways can we help teams succeed?
  2. Approach We are a “Health Care provider not a Police

    Force”¹ We want to provide a safety net We want to close the feedback loop and educate teams on the “Right way”™ to do things We prefer incremental improvement over larger projects ¹Craig Templeton - CISO @ REA
  3. Case Study: AWS CloudTrail Scalable to dozens of accounts and

    teams Flexible to add and remove what works and what doesn’t Automatically Testable and Deployable
  4. Root account usage rule If userType is “Root” And invokedBy

    is null And recipientAccount equals invokingAccount Then generate an alarm
  5. It’s not all Unicorns and rainbows Monolithic Cyclical dependency between

    the source and StreamAlert Context is important StreamAlert 2.0 adds a great deal more complexity
  6. Summary Security is not a team or a process, it’s

    a function of your systems and people Start with high signal to noise ratio sources Try not to drink from the firehose Spend effort in ensuring the feedback loop is closed early