How we added Security / Auditability to the SRE team's outcome metrics (Security / AuditabilityをSREチームの成果指標に加えた話)

takuya542

May 22, 2020

Transcript


Slide 4

CONFIDENTIAL INFORMATION: Not for Public Distribution - Do Not Copy

Agenda
• Speaker and company introduction
• What the problem was: a sense of crisis about the state of our security response
• What we started: standing up a Security team
• What happened: things began to move nicely, but new problems emerged
• What we did: three guiding principles and concrete examples
• Summary

Slide 5

Speaker introduction
• Name: 恩田拓也 (Takuya Onda)
• Affiliation: 株式会社エウレカ (eureka, Inc.)
• Role: oversees the SRE, Security and corporate IT (情シス) departments; also responsible for internal controls, privacy, and trademark matters
• ※ I am presenting from home today, so my daughter's screams may cut in partway through; I hope you will bear with me.

Slide 6

Company overview
Company name: 株式会社エウレカ / eureka, Inc.
Founded: November 20, 2008
Leadership: CEO 石橋準也, CMO 中村裕一, CTO 金子慎太郎, VP of Finance Andrew Badham, VP of Product (Pairs) 金田悠希, Brand Director 西山絵夢, Data Director 奥村純, Customer Care Director 安信竜馬, Information Director 恩田拓也
Business: planning, development and operation of in-house services
・Dating and marriage-matching app "Pairs"
・Online marriage consultation service "Pairsエンゲージ" (Pairs Engage)
・App for couples "Couples"

Slide 11

Service overview (figure): Sign up → Search → Profile → Like! → Match → Message → Meet in person. Identity verification and single-status verification.

Slide 14

Agenda (section divider; same items as on slide 4)

Slide 15

Background: changes surrounding the company and the business
• Social responsibility as the leading matching-app company
• The business's need for safety and security
• A growing organization, service scale and systems

Slide 16

Security measures: we wanted to make them a lot tighter!

Slide 17

Problems with our security measures (at the time)
• Driving force was lacking
• Responsibility was ambiguous, and there was no one to lead
• The CTO, the development teams, the SRE team and the MIS team were each pushing things forward in an informal, piecemeal way
• Measures tended to be local and piecemeal
• Attention tended to focus on defense and detection
• Security response in non-technical areas was lagging

Slide 18

Agenda (section divider; same items as on slide 4)

Slide 19

The Security team is launched
• Consolidated accountability for the security domain
• Transparency about the current state, and reporting
• Drawing up a roadmap
• Budget and headcount planning
• Driving comprehensive security measures, including non-technical areas
• Brushing up the IR structure; running incident drills that involve the executive team
• Security training for all employees; planning secure-coding training
• Consolidating events and triaging vulnerabilities
• "I lost my PC!", "I got a strange email!", "An alert came in from tool xx"
• "Is it OK to use this tool?", "There's this vulnerability out in the wild!"

Slide 20

Agenda (section divider; same items as on slide 4)

Slide 21

Local trade-offs
• When everything is going well, security is invisible; it gets treated as a cost that can be cut or deferred
• "Do we need to do that now?", "Vulnerability response... er, does this really need a deadline?"
• "Introduce xx? Fine, but if we roll it out now, nobody can operate it, right?"
• Mismatched ways of thinking
• Least privilege and separation of duties | the spirit of "You built it, you run it"
• Security by Design (wanting to know the spec outline at the start of a project) | wanting to start small and early
• Rising communication costs
• Q: "We're commissioning an external security assessment, can you give me an architecture diagram?" A: (there is no such thing) "...yes, I'll put one together"
• Q: "What is resource xx used for? What's the background?" A: (these exchanges have become frequent and exhausting lately...) "Well, let's see, this is..."

Slide 22

Agenda (section divider; as on slide 4, except the second item reads "What the problem was: falling behind security needs")

Slide 23

We all want to focus on delivering value to customers
• Resolving the friction on the basis of three guiding principles
1. Goal design and sharing of goals
2. Make the safe choice the default
3. Loosely coupled, routinized communication

Slide 24

Goal design and sharing of goals
• Make the response status of security risks (events) an outcome metric shared across teams
• SLI = (number of cases resolved within the target number of days / all events) x 100
• SLO = xx%

Slide 25

Security risk and event sources (partial)
Owning teams: SRE Team, MIS Team, Developer Team
Sources: GuardDuty, ECR Scanning, AWS Inspector, CrowdStrike, Cisco Meraki, Static Analysis (the slide is a matrix of source × owning team; the ◦ markers for each cell are not recoverable here)

Slide 26

Security risk evaluation method

Severity | Definition (partial) | CVSS Base Score | Response target
Blocker | A vulnerability that lets an unauthorized party obtain, for more than 10 users, authentication tokens / credentials / cookies / passwords, messages, dates of birth or other PII, payment cards, or precise GPS location data | 9 - 10 | within xx days
Critical | | 7 - 8.9 | within ○○ days
Major | | 4.0 - 6.9 | within △△ days
Minor | | 0.1 - 3.9 | within □□ days (risk acceptance permitted)
Trivial | | - | within ☆☆ days (risk acceptance permitted)

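The SLI on slide 24 and the severity table on slide 26 together define the shared metric this talk is about. The following is an added example, not code from the talk or from eureka, showing how the two combine into a computable number: CVSS base scores map to the deck's severity bands, each band has a response target in days, Minor and Trivial may be closed by a documented risk-acceptance decision, and the SLI is the percentage of events resolved within target. The deck leaves the per-severity target days, the SLO and the source-to-team ownership blank or unreadable, so those values (`TARGET_DAYS`, `SOURCE_TEAM`, the 90% SLO) and the sample events are constructed placeholders.

```python
"""Computing the security-response SLI described in the deck.

Added example, not code from the talk or from eureka. It implements
  SLI = (cases resolved within their target days / all events) x 100
with the CVSS-based severity bands from the evaluation table. Target days,
the SLO, and source-to-team ownership are CONSTRUCTED placeholders.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# CVSS base-score bands from the deck (scores have one decimal place).
SEVERITY_BANDS = [
    ("Blocker", 9.0, 10.0),
    ("Critical", 7.0, 8.9),
    ("Major", 4.0, 6.9),
    ("Minor", 0.1, 3.9),
]
# Target days are placeholders (the deck shows "xx days" etc.), not real values.
TARGET_DAYS = {"Blocker": 3, "Critical": 14, "Major": 30, "Minor": 90, "Trivial": 180}
# The deck marks Minor and Trivial as "risk acceptance permitted".
RISK_ACCEPTANCE_ALLOWED = {"Minor", "Trivial"}
# Which team owns which source is an assumption; the deck's matrix is unreadable.
SOURCE_TEAM = {
    "GuardDuty": "SRE", "ECR Scanning": "SRE", "AWS Inspector": "SRE",
    "CrowdStrike": "MIS", "Cisco Meraki": "MIS", "Static Analysis": "Developer",
}


@dataclass
class SecurityEvent:
    event_id: str
    source: str
    cvss: float
    opened: date
    closed: Optional[date] = None
    risk_accepted: bool = False


def severity_for(cvss: float) -> str:
    """Map a CVSS base score to the deck's severity level."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS base score out of range: {cvss}")
    score = round(cvss, 1)
    for name, low, high in SEVERITY_BANDS:
        if low <= score <= high:
            return name
    return "Trivial"  # a score of 0.0 falls below every band


def classify(event: SecurityEvent, as_of: date) -> str:
    """Return 'met', 'missed' or 'pending' for one event as of a given date."""
    severity = severity_for(event.cvss)
    target = TARGET_DAYS[severity]
    if event.risk_accepted and severity in RISK_ACCEPTANCE_ALLOWED:
        return "met"  # a documented risk-acceptance decision closes the case
    if event.closed is not None:
        return "met" if (event.closed - event.opened).days <= target else "missed"
    # Still open: overdue counts as missed; not yet due is undecided.
    return "missed" if (as_of - event.opened).days > target else "pending"


def compute_sli(events: List[SecurityEvent], as_of: date) -> float:
    """SLI in percent. Design choice: open events that are not yet due are
    left out of the denominator so they neither inflate nor deflate the score."""
    outcomes = [classify(e, as_of) for e in events]
    decided = [o for o in outcomes if o != "pending"]
    if not decided:
        return 100.0
    return 100.0 * decided.count("met") / len(decided)


def sli_by_team(events: List[SecurityEvent], as_of: date) -> Dict[str, float]:
    """Per-team SLI, since the deck makes this a metric shared across teams."""
    by_team: Dict[str, List[SecurityEvent]] = {}
    for e in events:
        by_team.setdefault(SOURCE_TEAM.get(e.source, "Unassigned"), []).append(e)
    return {team: compute_sli(evs, as_of) for team, evs in by_team.items()}


def meets_slo(sli: float, slo_percent: float) -> bool:
    return sli >= slo_percent


# Constructed sample events (not real findings).
AS_OF = date(2020, 5, 20)
SAMPLE_EVENTS = [
    SecurityEvent("E1", "GuardDuty", 9.5, date(2020, 4, 1), closed=date(2020, 4, 3)),
    SecurityEvent("E2", "ECR Scanning", 7.5, date(2020, 4, 1), closed=date(2020, 4, 20)),
    SecurityEvent("E3", "CrowdStrike", 5.0, date(2020, 4, 10)),  # still open, overdue
    SecurityEvent("E4", "Static Analysis", 2.0, date(2020, 4, 15), risk_accepted=True),
    SecurityEvent("E5", "Cisco Meraki", 0.0, date(2020, 5, 15)),  # open, not yet due
]

if __name__ == "__main__":
    overall = compute_sli(SAMPLE_EVENTS, AS_OF)
    print(f"overall SLI: {overall:.1f}%")
    print("per team:", sli_by_team(SAMPLE_EVENTS, AS_OF))
    print("meets 90% SLO (placeholder):", meets_slo(overall, 90.0))
```

The per-team breakdown is what makes the number actionable as a shared outcome metric: an event whose owning team is unassigned shows up as its own bucket rather than silently disappearing, which is the "nobody is accountable" failure mode the earlier slides describe.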
Slide 27

Make the safe choice the default
• Provide transparent mechanisms so that people do the right thing without extra burden
• Identify: lower the cost of asset management
  • Self-describing classification of storage and resources via tags
  • AWS Systems Manager Inventory
• Protect: lower the burden of preventive controls through configuration standardization
  • IAM account separation / IAM user creation disabled
  • Protection via 3-tier architecture x WAF x Shield Advanced
  • System rotation with EC2 x ASG | Fargate
• Detect: lower the cost of establishing the facts
  • Aggregation of AWS Config | GuardDuty | CloudTrail in an Audit account
  • Build fact-checking moments into the team routine

Slide 28

Lowering the cost of asset management
• Define each resource's sensitivity with tags; collect resources by tag type using Systems Manager, GAS and the like (※ all tags and code shown are pseudocode)

Slide 29

Lowering the burden of preventive controls through configuration standardization
• Protection via 3-tier architecture x WAF x Shield Advanced (※ pseudocode)

Slide 30

Lowering the burden of preventive controls through configuration standardization
• Allow SSO via the IdP only, and mechanically prevent the creation of IAM users (※ pseudocode)
• Role design per engineer job responsibility

Slide 31

Lowering the burden of preventive controls through configuration standardization
• EC2 on ASG | Fargate x Resource Rotation
Reference: "セキュリティパッチを支えるサーバ家畜化技術の紹介" (server "cattle-ification" techniques that support security patching) https://speakerdeck.com/takuya542/sekiyuriteipatutiwozhi-eru-sabajia-chu-hua-ji-shu-falseshao-jie

Slide 32

Loosely coupled, routinized communication
• Put necessary information where the people who need it can get it themselves
• Lower the cost of establishing the facts for detective controls
• Check the state periodically rather than being interrupted with requests

Slide 33

Consolidating information in the Security account
• Aggregate AWS Config Rules | GuardDuty | CloudTrail logs and the viewer
• GuardDuty x multi-account setup (※ pseudocode)

Slide 34

Routinizing detection validation and fact-finding
• Don't just passively receive security alerts; reserve time to check them proactively

Slide 36

Summary
• It is important to keep widening the breadth of threat detection while maintaining a state in which the response to threats found is carried out appropriately, based on the threat model (my impression is that this has much in common with the SLO design chapter of the SRE book)
• Preventive and detective controls must not be skewed toward either side; also, build projects into the roadmap that continually lower the cost of both kinds of control
• Protect with mechanisms, not with processes or policies; where a process must do the protecting, design it so that communication is minimized, or lay down a work-design process that makes it easy to establish a rhythm