Slide 1

Slide 1 text

@ken5scal, 2024/08/07 Vulnerability response: how to keep surviving from here on

Slide 2

Slide 2 text

Intro

Slide 3

Slide 3 text

- Affiliation
  - Mitsui & Co. Digital Asset Management, Corporate Systems Department: DevSecOps, Corp Eng, etc.
  - LayerX Fintech Business Division (on secondment to the above)
- Personal activities
  - Weekly newsletter, podcast, self-published zines
- Career
  - Financial-sector SIer > asset management / household-budget / accounting SP > securities company > current job
  - One way or another I have stayed in fintech / securities
  - Currently taking data engineering courses
@ken5scal
Newsletter: https://ken5scal.notion.site/54bda4932da14add9e9911ab3e9a6e5c
Podcast: https://open.spotify.com/show/73sFeKzUIkSYfCZWVBNO70

Slide 4

Slide 4 text

https://speakerdeck.com/layerx/company-deck

Slide 5

Slide 5 text

No content

Slide 6

Slide 6 text

No content

Slide 7

Slide 7 text

Today's theme: vulnerabilities

Slide 8

Slide 8 text

- This talk is about which kinds of vulnerability countermeasures to look at, and under what policy.
  - The actual, concrete response differs with the revenue and sales structure of the business, the team composition and its philosophy.
  - It is about which "axes" you look through.
- If you want to hear about concretely handling the vulnerabilities you find, come to this event:
  - Vuls Matsuri #10 | The front line of vulnerability management: from risk assessment to SSVC, VEX and AI (08/20)
  - https://vuls-jp.connpass.com/event/327031/
  - (No conflict of interest.)
- I have not yet read IPA's "Summary of risk assessment methods for vulnerability response".
- Not a word about SBOM.
  - I talked about it on my personal podcast; have a listen if you like:
  - "A lively chat about SBOM", on "Secure Liaison", curated by セキュア旅団
Preface
https://www.ipa.go.jp/jinzai/ics/core_human_resource/final_project/2024/risk-assessment-methods.html
https://podcasters.spotify.com/pod/show/secure-fm/episodes/SBOM-e2l42ri

Slide 9

Slide 9 text

A weakness of an asset or control that can be exploited by one or more threats. (JIS Q27000:2019)

Slide 10

Slide 10 text

What is the problem with vulnerabilities? (JIS Q27000:2019)
- When combined with a threat, a risk may materialize.
- Threat: potential cause of an unwanted incident that may result in harm to a system or organization.
- Risk: effect of uncertainty on objectives.

Slide 11

Slide 11 text

https://www.yomiuri.co.jp/pluralphoto/20230727-OYT1I50104/
https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/

Slide 12

Slide 12 text

No content

Slide 13

Slide 13 text

HUNTERxHUNTER vol. 27

Slide 14

Slide 14 text

Why is it hard?
- The quality of the inventory is low
- Poor visibility
- Low reliability
- Low coverage
- The vulnerabilities sit deep
- They chain
https://engineering.mercari.com/en/blog/entry/20240722-mapping-the-attack-surface-from-the-inside/

Slide 15

Slide 15 text

But it is still the right thing to do.

Slide 16

Slide 16 text

Preface: our environment
- Fifth year since founding
- Full cloud
- Tomorrow's cash is scary
- Dedicated security staff: 0
- Hiring aims at around 3% of the whole company

Slide 17

Slide 17 text

Our basic stance: https://x.com/kani_b/status/…
Note: this includes corporate engineers and IT / information-systems staff.

Slide 18

Slide 18 text

Our company's (that is, my own) mental picture (mental model). JIS Q27000:2019

Slide 19

Slide 19 text

Treat the system as a graph
- Farewell blog post by someone who spent 20 years at the UK's cyber-security authority (NCSC) and became its Technical Director.
- “we’d be able to link that work with the graph of the system (and the rich data we have about it) to make sure that we hadn’t missed any attack paths, and that we’d actually built what we thought. It’d be much easier to understand what was going on.”
https://www.ncsc.gov.uk/blog-post/so-long-thanks-for-all-the-bits

Slide 20

Slide 20 text

The cloud, seen as a graph

Slide 21

Slide 21 text

End user

Slide 22

Slide 22 text

End user. Where are the vulnerabilities? Vulnerability: a weakness of an asset or control that can be exploited by one or more threats.

Slide 23

Slide 23 text

End user

Slide 24

Slide 24 text

End user; phishing; misconfiguration; misconfiguration; service / repository misconfiguration; GitHub Actions vulnerability; OS, middleware and browser vulnerabilities; misconfiguration; misconfiguration; application vulnerability; middleware vulnerability; phishing, impersonation; misconfiguration

Slide 25

Slide 25 text

End user. Supply-chain risk

Slide 26

Slide 26 text

Our company today (Lv0)
- Classic vulnerabilities
  - Endpoints (Mac, Win, some Linux): Microsoft Defender Vulnerability Management
  - Code: Dependabot, annual web vulnerability assessment
- Cloud vulnerabilities
  - No unified CSPM: coverage and cost did not add up
  - AWS: AWS Config, AWS Security Hub
  - GCP: Security Command Center Enterprise

Slide 27

Slide 27 text

Our company today (Lv0): the same inventory as slide 26, then:
So where should the next level aim?
Centralized management of the vulnerability list? Tracking of vulnerability response? Specializing in a particular class of vulnerability? Improving the upstream asset management? Delegating to user departments (product teams)? Hiring?

Slide 28

Slide 28 text

Decision axes
- Type of vulnerability
  - Endpoint
  - Own products
  - Third-party products
  - People
- Asset status
  - Internet-facing
  - Number of reported vulnerabilities
  - Listed in KEV
  - Integration with management tooling
- Who manages it
  - Full-time employees
  - Contractors
  - Personal devices
- Type of threat
  - Insider misconduct
  - Operator error / misconfig
  - External actors
- Attack tactics
  - Init access, Exec, persistence, privi esc….
- Incidents that happened at other companies
- Industry trends
  - Domestic laws, regulations and guidelines
  - International regulations (e.g. AML/CFT)
  - New technical standards (e.g. passkeys)
- Other
  - Team members' will and skill sets
  - New product company launches, M&A
  - User requests

Slide 29

Slide 29 text

Decision axes, with candidate next steps
- Type of vulnerability
  - Endpoint -> better tracking of patch-application status
  - Own products -> DevSecOps to secure products up to release; ASM for automated assessment of released products
  - Third-party products -> CSPM to find misconfigurations
  - People
- Asset status
  - Internet-facing -> ASM to improve asset management
  - Vulnerability assessment -> scoring with CVSS, SSVC, EPSS
  - Listed in KEV -> risk-based prioritization of vulnerability response
  - Integration with management tooling
- Who manages it
  - Full-time employees -> phishing training
  - Contractors
  - Personal devices -> a BYOD program to widen the scope of asset management
  - Unmanaged (end users)
- Type of threat
  - Insider misconduct
  - Operator error / misconfig ->
  - External actors
- Attack tactics
  - Init access, Exec, persistence, privi esc….
- Incidents that happened at other companies
- Industry trends
  - Domestic laws, regulations and guidelines
  - International regulations (e.g. AML/CFT)
  - New technical standards (e.g. passkeys)
- Other
  - Team members' will and skill sets
  - New product company launches, M&A
  - User requests
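The "CVSS, SSVC, EPSS" and "risk-based prioritization via KEV" items above are only named as axes in the deck. As an added example, not code from the deck or its author, the following Python combines those axes with the asset's internet exposure into a priority bucket in the spirit of SSVC. The thresholds, bucket names, asset names and VULN-000x identifiers are all assumptions constructed for illustration.

```python
"""Risk-based triage of a vulnerability inventory.

Added example (not from the deck). Combines the axes the deck names -- KEV
listing, EPSS, CVSS and whether the asset is internet-facing -- into a
priority bucket in the spirit of SSVC. Thresholds and bucket names are
assumptions for illustration; the VULN-000x ids and asset names are
constructed, not real advisories.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    vuln_id: str           # constructed placeholder identifier
    asset: str             # constructed asset name
    cvss: float            # CVSS base score, 0.0 to 10.0
    epss: float            # EPSS probability of exploitation activity in 30 days, 0.0 to 1.0
    in_kev: bool           # listed in CISA's Known Exploited Vulnerabilities catalogue
    internet_facing: bool  # exposure, taken from the asset inventory


def exploitation(f: Finding) -> str:
    """SSVC-style exploitation axis; the 0.10 EPSS cut-off is an assumed threshold."""
    if f.in_kev:
        return "active"
    if f.epss >= 0.10:
        return "likely"
    return "none"


def priority(f: Finding) -> str:
    """Decision tree: evidence of exploitation and exposure outrank raw CVSS severity."""
    exp = exploitation(f)
    if exp == "active" and f.internet_facing:
        return "immediate"
    if exp == "active" or (exp == "likely" and f.internet_facing):
        return "out-of-cycle"
    if exp == "likely" or f.cvss >= 7.0:
        return "scheduled"
    return "defer"


BUCKET_ORDER = {"immediate": 0, "out-of-cycle": 1, "scheduled": 2, "defer": 3}


def triage(findings: List[Finding]) -> List[Finding]:
    """Order the inventory by bucket, then by EPSS and CVSS, highest first."""
    return sorted(findings, key=lambda f: (BUCKET_ORDER[priority(f)], -f.epss, -f.cvss))


# Constructed sample inventory (placeholder ids, not real CVEs).
SAMPLE = [
    Finding("VULN-0001", "web-frontend", 9.8, 0.02, False, True),
    Finding("VULN-0002", "internal-wiki", 7.5, 0.01, True, False),
    Finding("VULN-0003", "vpn-gateway", 8.1, 0.55, True, True),
    Finding("VULN-0004", "laptop-fleet", 5.3, 0.30, False, False),
    Finding("VULN-0005", "batch-worker", 4.0, 0.001, False, False),
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{priority(f):13} {f.vuln_id} on {f.asset} "
              f"(cvss={f.cvss}, epss={f.epss}, kev={f.in_kev}, facing={f.internet_facing})")
```

The point of the ordering is the one the deck makes: a CVSS 9.8 finding on an internet-facing host with no exploitation evidence lands behind a CVSS 7.5 finding that is already in KEV, because the exploitation axis, not severity, drives the first split.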

Slide 30

Slide 30 text

Decision axes: how to choose the axes?
1. Risk-based
2. Compliance-based
(followed by the same axis list as slide 28)

Slide 31

Slide 31 text

Compliance vs. threat. Section 1-1, Management and security, "Information Security Strategy for CISOs"

Slide 32

Slide 32 text

Compliance-based. Section 1-1, Management and security, "Information Security Strategy for CISOs"

Slide 33

Slide 33 text

Approaches to risk management. Section 1-1, Management and security, "Information Security Strategy for CISOs"
- ISMS controls: close to 90
- FISC standards: close to 300
- Parent-company guidelines: close to 230
- And some of them overlap, phrased differently.

Slide 34

Slide 34 text

Approaches to risk management. Section 1-1, Management and security, "Information Security Strategy for CISOs"
- Hard to prioritize
- The outcome you get is something like "xx% achievement rate"
- If you have done even 1 out of 0 to 100, you can answer "we're doing it" (easy to fall into a feeling of doing something)

Slide 35

Slide 35 text

Threat-based approach. Section 1-1, Management and security, "Information Security Strategy for CISOs"

Slide 36

Slide 36 text

Approaches to risk management. Section 1-1, Management and security, "Information Security Strategy for CISOs"
<- Treat the two as complementary: within the time limit, examine the real systems as far as possible and, as a rule, concentrate on the parts not yet addressed. As a further focus, select a hand-picked set of threat vectors -> through risk assessment, concentrate on the assets that lie on those threat vectors' paths.

Slide 37

Slide 37 text

Business table; residual-vulnerability table; threat table; risk-assessment table

Slide 38

Slide 38 text


Slide 39

Slide 39 text

Example: business process. Example: the flow on the business table and the residual vulnerability (misuse)

Slide 40

Slide 40 text

Today's background: quarterly, half-yearly and annual reports, etc.

Slide 41

Slide 41 text

Roughly decide the assumed threats

Slide 42

Slide 42 text

Select the risks and paths to address

Slide 43

Slide 43 text

Focus on the threat entry points and the nodes right in front of the crown jewels
- For the former, METI and others have published things like "ASM (Attack Surface Management) Adoption Guidance: discovering and managing your organization's IT assets using externally observable information"
  - Players and service providers are increasing too (my impression)
- For the latter, we do the work ourselves
  - (Internal) user phishing training
  - Hardening and patching of the nodes right in front of the crown jewels, etc.
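The deck's "system as a graph" framing (slides 19 to 24) and the focus above on entry points and on the nodes just before the crown jewels can be made concrete. The following Python is an added example, not code from the deck or from LayerX: it models a small environment of the kind drawn on slide 24 as a directed graph whose edges carry the class of weakness that would let an attacker cross them, enumerates the paths from the entry points to the crown jewel, and reports the choke points and the last hops, which are the hardening and patching candidates the deck proposes. The node names, edge labels and topology are constructed assumptions.

```python
"""Attack-path analysis on a system-as-a-graph model.

Added example (not from the deck). Nodes are assets, edges are directed and
labelled with the class of weakness that would let an attacker move along
them. Entry points, crown jewels, names and topology are constructed
assumptions for illustration only.
"""
from collections import Counter
from typing import Dict, List, Set, Tuple

Graph = Dict[str, List[Tuple[str, str]]]  # node -> [(next_node, weakness_class)]

# Constructed environment in the spirit of the deck's slide-24 diagram.
SYSTEM: Graph = {
    "end-user": [("laptop", "phishing"),
                 ("saas-idp", "phishing / impersonation")],
    "laptop": [("saas-idp", "OS / browser vulnerability"),
               ("source-repo", "misconfiguration")],
    "saas-idp": [("cloud-account", "misconfiguration")],
    "source-repo": [("ci-runner", "GitHub Actions weakness")],
    "ci-runner": [("cloud-account", "over-privileged credentials")],
    "public-web": [("app-server", "application vulnerability")],
    "app-server": [("customer-db", "middleware vulnerability")],
    "cloud-account": [("customer-db", "misconfiguration"),
                      ("app-server", "misconfiguration")],
    "customer-db": [],
}
ENTRY_POINTS = ["end-user", "public-web"]   # where threats first touch the system
CROWN_JEWELS = {"customer-db"}               # the assets whose loss matters most


def attack_paths(graph: Graph, entry: str, targets: Set[str]) -> List[List[str]]:
    """Enumerate every simple path (no repeated node) from `entry` to a target."""
    found: List[List[str]] = []

    def walk(node: str, trail: List[str]) -> None:
        if node in targets:
            found.append(trail)
            return
        for nxt, _ in graph.get(node, []):
            if nxt not in trail:
                walk(nxt, trail + [nxt])

    walk(entry, [entry])
    return found


def all_paths(graph: Graph, entries: List[str], targets: Set[str]) -> List[List[str]]:
    """All attack paths from every entry point to any crown jewel."""
    return [p for e in entries for p in attack_paths(graph, e, targets)]


def choke_points(paths: List[List[str]]) -> List[Tuple[str, int]]:
    """Intermediate nodes ranked by the number of attack paths passing through them."""
    counts = Counter(node for p in paths for node in p[1:-1])
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def last_hops(paths: List[List[str]]) -> Set[str]:
    """Nodes directly in front of a crown jewel: the deck's hardening/patching focus."""
    return {p[-2] for p in paths if len(p) >= 2}


def weaknesses_on(graph: Graph, path: List[str]) -> List[str]:
    """The weakness class an attacker needs at each hop of one path."""
    return [next(w for nxt, w in graph[a] if nxt == b) for a, b in zip(path, path[1:])]


if __name__ == "__main__":
    paths = all_paths(SYSTEM, ENTRY_POINTS, CROWN_JEWELS)
    print(f"{len(paths)} attack paths to {sorted(CROWN_JEWELS)}")
    for p in paths:
        print("  " + " -> ".join(p), "|", ", ".join(weaknesses_on(SYSTEM, p)))
    print("choke points:", choke_points(paths))
    print("last hops before crown jewels:", sorted(last_hops(paths)))
```

On this constructed graph the cloud account sits on six of the seven paths and, together with the application server, is one of the two last hops; that is the kind of output that turns "focus on the nodes before the crown jewels" into a concrete patching and hardening list, and the edge labels say which class of weakness (misconfiguration, middleware vulnerability, ...) has to be closed on each hop.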

Slide 44

Slide 44 text

<- Apply | Interview -> | <- Chat | DM (X): @ken5scal