There is no security team

Transcript

1. There is no security team Patrick Robinson

2. Patrick Robinson Senior DevOps Eng @ Envato Runner Skier Muay

   Thai Practitioner
3. None

4. What’s this about? How does Envato work? What’s our approach

   to Security? A Case Study of a Security Tool we use What other ways can we help teams succeed?

5. Autonomy

6. What Does Autonomy mean?

7. We run entirely in AWS¹

8. The Upsides More than 3,700 deploys in the last year

   60+ independent Services

9. The Downsides Disparate systems, disparate standards Lack of controls and

   rigour

10. How do we help autonomous teams adhere to best practice?

11. Approach We are a “Health Care provider not a Police

    Force”¹ We want to provide a safety net We want to close the feedback loop and educate teams on the “Right way”™ to do things We prefer incremental improvement over larger projects ¹Craig Templeton - CISO @ REA

12. Case Study: AWS CloudTrail Scalable to dozens of accounts and

    teams Flexible to add and remove what works and what doesn’t Automatically Testable and Deployable

13. Recommended approach

14. Enter StreamAlert Framework with minimal boilerplate code Ability to write

    tests for each rule Integrates with Kinesis

15. Root account usage rule If userType is “Root” And invokedBy

    is null And recipientAccount equals invokingAccount Then generate an alarm

16. Context

17. None

18. It’s not all Unicorns and rainbows Monolithic Cyclical dependency between

    the source and StreamAlert Context is important StreamAlert 2.0 adds a great deal more complexity

19. How can we make things better?

20. Develop new Antibodies

21. Expand our arsenal

22. Summary Security is not a team or a process, it’s

    a function of your systems and people Start with high signal to noise ratio sources Try not to drink from the firehose Spend effort in ensuring the feedback loop is closed early

23. Thank you.

24. Questions?

25. References AirBnB StreamAlert https://github.com/airbnb/ streamalert