Slide 1

Handmade security at Etsy
https://www.flickr.com/photos/roland/ by Speaker 4

Slide 2

@benjammingh Whom be this?
• Ben Hughes, security monkey manager at Etsy.
• Bullet point fanatic.
• Terrible at slides.
• Shout out to the Etsy security team.

Slide 3

It’s a tale of two halves
• Security, where did it all go wrong?
• Don’t go alone, take this!
• Security-devops-maybe-DBAs-too-oh-and-QA-sure-who-else?
• I quite like Etsy, here’s why.

Slide 4

Security, where did it all go wrong?

Slide 5

Wait, but we bought a firewall!

Slide 6

They’re coming out of the walls

Slide 7

#Cloud #Clouds #CloudAAS
• AWS logo goes here.
• Maybe not in AWS... (other cloudiness vendors may be available)

Slide 8

But we’re secure, right?

Slide 9

But we’re secure, right?

Slide 10

The watering hole attacks of Feb

Slide 11

Other than the very occasional RCE/SQLi or 0-day, companies just aren’t getting breached directly through their servers like they used to.
Quotes to be taken out of context

Slide 12

I’d buy that for a dollar

    [laptop:~]% id
    uid=501(ben) gid=20(staff) groups=20(staff)
    [laptop:~]% ./magic
    [*] running old exploit against unpatched OSX.
    [*] firing off connect back shell to AWS.
    [*] throwing mad persistence in to LaunchAgents.
    [*] dropping to a shell.
    [laptop:~]# id
    uid=0(root) gid=0(root)

Slide 13

Zero [cool] day
• Zero day is bad!

Slide 14

Surprise!
• You can’t defend against unknown attacks.
• Clue is in the name.

Slide 15

Rejoice. That mostly doesn’t matter!

Slide 16

Treat the symptoms
• Lateral movement can be more important than how they got in.
• You don’t care that they broke a window, you care that they got in your living room and took your TV.
• (still fix your window)

Slide 17

Hudson Hawk reference
• Why is /bin/sh running on your webserver?
• Why is your webserver trying to SSH to other hosts?
• Why is the ColdFusion process reading arbitrary files off of disk? (SE/NSA Linux time)
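One way to turn those three questions into detection logic, as an added example that is not from the talk: a few constructed process and network event records, of the shape a log pipeline might emit, run through three checks. The field names, process names and allowed paths are assumptions.

```python
"""Lateral-movement heuristics over constructed process/network events.
Added example, not the speaker's code: the slide's three questions as
checks. Field names, process names and allowed paths are assumptions.
"""
from dataclasses import dataclass
from typing import List

# Web-serving processes that should never be the parent of a shell.
WEB_PROCS = {"httpd", "nginx", "php-fpm", "coldfusion"}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash"}
# Paths a web process legitimately reads; anything else is suspect.
WEB_ALLOWED_ROOTS = ("/var/www/", "/etc/httpd/", "/tmp/")

@dataclass
class Event:
    kind: str        # "exec", "connect" or "open"
    host_role: str   # "web", "db", ...
    parent: str      # process name that performed the action
    target: str      # exe path, "ip:port" or file path, depending on kind

def find_suspicious(events: List[Event]) -> List[str]:
    """Return one human-readable finding per event that matches a check."""
    findings = []
    for e in events:
        if e.kind == "exec" and e.parent in WEB_PROCS and e.target in SHELLS:
            findings.append(f"shell {e.target} spawned by {e.parent}")
        elif e.kind == "connect" and e.host_role == "web":
            port = int(e.target.rsplit(":", 1)[1])
            if port == 22:  # a web host has no business opening SSH sessions
                findings.append(f"outbound ssh from web host to {e.target}")
        elif e.kind == "open" and e.parent in WEB_PROCS:
            if not e.target.startswith(WEB_ALLOWED_ROOTS):
                findings.append(f"{e.parent} read {e.target} outside web roots")
    return findings

# Constructed sample events: two benign, then one per question on the slide.
SAMPLE = [
    Event("exec", "web", "nginx", "/usr/sbin/php-fpm"),
    Event("open", "web", "php-fpm", "/var/www/site/index.php"),
    Event("exec", "web", "php-fpm", "/bin/sh"),
    Event("connect", "web", "sh", "10.0.2.15:22"),
    Event("open", "web", "coldfusion", "/etc/shadow"),
]

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE):
        print("ALERT:", f)
```

In practice the same checks sit as filters or alert rules in the log pipeline, so they fire on every host rather than on a hand-built list.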

Slide 18

But still patch
• Please, still patch things. (disable Java)
• Know that it isn’t a panacea.
• Realise that this is mostly okay.

Slide 19

Please do patch!
• No really!

Slide 20

Logs are your eyes.
“If it’s not monitored... it’s not in production”
Well, “If it’s not logged, did it really happen?”

Slide 21

You have a limited number of eyes.

Slide 22

Alerts

Slide 23

Logstash
• http://logstash.net/
• http://www.elasticsearch.org/overview/kibana/
• http://www.logstashbook.com/
• https://github.com/miah/chef_logstash
• https://forge.puppetlabs.com/tags/logstash

Slide 24

Two factor all the things
• Duo - https://www.duosecurity.com/
• Authy - https://www.authy.com/
• Google - http://goo.gl/hvre2D
• YubiKey - https://www.yubico.com/
Hat tip to Jan Schaumann (@jschauma), from whom I stole the title of this slide.

Slide 25

vvngrglugvhtfcdrvvghtgpizzalrflvuurvikcvedvk

Slide 26

Phishing
• Who’s stopped phishing?

Slide 27

Phishing
• Who’s stopped phishing?
• You’re not going to stop phishing.

Slide 28

Phishing
• Who’s stopped phishing?
• You’re not going to stop phishing.
• That doesn’t matter.

Slide 29

Phishing
• Who’s stopped phishing?
• You’re not going to stop phishing.
• That doesn’t matter.
• Don’t think you can fully eliminate it, get it reported instead.

Slide 30

Intermission.

Slide 31

New, Improved Devops
• Silo smashing into one new larger silo!

Slide 32

DevSecOpsFarmerQueen
• Many hats.
• Not just dev.
• Not just ops.
• Security doesn’t just magically happen.

Slide 33

Get security involved!
• This can be done in all sized environments!
• Small: having someone who has a security background or interest.
• Large: “Chris Eng & Ryan O’Boyle – From the Trenches: Real-World Agile SDLC” - http://nsc.is/presentation/chris-eng-ryan-oboyle-from-the-trenches-real-world-agile-sdlc/

Slide 34

Security are people too!

Slide 35

Security are people too!
• They just might not always act like it...
• Security is the only area of technology with genuine adversaries.

Slide 36

Infosec, this one’s for you
• Dev and ops (and everyone else) are people too.
• They made those decisions without malice in mind.
• People don’t go out of their way to make things insecure!

Slide 37

Science time
http://info.veracode.com/rs/veracode/images/soss-v3.pdf

Slide 38

Primary action items
• Don’t just say “did you speak to security about this?”
• Get people involved!
• Security has never [successfully] been a check box.

Slide 39

Reducing barriers.
Having an approachable security team is the most important thing they can do.
The second you lose the ability to talk to them about anything, you effectively lose your security team.

Slide 40

So, that party you mentioned?
• Skill sharing.

Slide 41

So, that party you mentioned?
• Skill sharing.
• Hack week.

Slide 42

So, that party you mentioned?
• Skill sharing.
• Hack week.
• Boot camping.

Slide 43

Borrowing from the devops.
• Unit tests!
• Test your code and your infrastructure.

Slide 44

Borrowing from the devops.
• Unit tests! https://gist.github.com/barn/45586d9690abaa53f933

Slide 45

Borrowing from the devops.
• Unit tests!
• http://www.morethanseven.net/2013/12/29/making-the-web-secure/ from @Garethr
• https://www.youtube.com/watch?v=XfBIouZ7roc @Garethr again & @Wickett
Don’t worry, these links will be online…

Slide 46

Borrowing from the devops.
• Unit tests!
• Test your code and your infrastructure.
• Wait, someone other than Gareth already gave this talk too: http://www.slideshare.net/nickgsuperstar/devopssec-apply-devops-principles-to-security/32
Don’t worry, these links will be online…

Slide 47

Borrowing from the devops.
Yet again so did Gareth! https://speakerdeck.com/garethr/security-monitoring-penetration-testing-meets-monitoring
Don’t worry, these links will be online…

Slide 48

Stop saying “No!”

Slide 49

So finally
• The most important thing that we do as a security team is...
• Humility.

Slide 50

So finally
• The most important thing that we do as a security team is...
• Humility.
• Security isn’t everything. People are.

Slide 51

Fin
How can security work better with you?