Upgrade to Pro — share decks privately, control downloads, hide ads and more …

There is no security team

There is no security team

I discuss how Envato builds a security conscious organisation without a formal security team


Patrick Robinson

February 16, 2019


  1. There is no security team Patrick Robinson

  2. Patrick Robinson Senior DevOps Eng @ Envato Runner Skier Muay

    Thai Practitioner
  3. None
  4. What’s this about? How does Envato work? What’s our approach

    to Security? A Case Study of a Security Tool we use What other ways can we help teams succeed?
  5. Autonomy

  6. What Does Autonomy mean?

  7. We run entirely in AWS¹

  8. The Upsides More than 3,700 deploys in the last year

    60+ independent Services
  9. The Downsides Disparate systems, disparate standards Lack of controls and

  10. How do we help autonomous teams adhere to best practice?

  11. Approach We are a “Health Care provider not a Police

    Force”¹ We want to provide a safety net We want to close the feedback loop and educate teams on the “Right way”™ to do things We prefer incremental improvement over larger projects ¹Craig Templeton - CISO @ REA
  12. Case Study: AWS CloudTrail Scalable to dozens of accounts and

    teams Flexible to add and remove what works and what doesn’t Automatically Testable and Deployable
  13. Recommended approach

  14. Enter StreamAlert Framework with minimal boilerplate code Ability to write

    tests for each rule Integrates with Kinesis
  15. Root account usage rule If userType is “Root” And invokedBy

    is null And recipientAccount equals invokingAccount Then generate an alarm
  16. Context

  17. None
  18. It’s not all Unicorns and rainbows Monolithic Cyclical dependency between

    the source and StreamAlert Context is important StreamAlert 2.0 adds a great deal more complexity
  19. How can we make things better?

  20. Develop new Antibodies

  21. Expand our arsenal

  22. Summary Security is not a team or a process, it’s

    a function of your systems and people Start with high signal to noise ratio sources Try not to drink from the firehose Spend effort in ensuring the feedback loop is closed early
  23. Thank you.

  24. Questions?

  25. References AirBnB StreamAlert https://github.com/airbnb/ streamalert