Upgrade to Pro — share decks privately, control downloads, hide ads and more …

継続的な脆弱性検知とパッチマネジメント手法の紹介

takuya542
December 22, 2017
Technology
0
720

 継続的な脆弱性検知とパッチマネジメント手法の紹介

takuya542

December 22, 2017
Tweet

More Decks by takuya542

See All by takuya542
Security / AuditabilityをSREチームの成果指標に加えた話
takuya542
0
1.3k
Webサービスの品質とは何か?アラート地獄と監視の失敗、サービスレベル目標設計
から学んだ3つの答え
takuya542
5
6.6k
セキュリティパッチを支える サーバ家畜化技術の紹介
takuya542
1
1.2k
継続的な脆弱性検知とパッチマネジメント手法の紹介
takuya542
0
2.3k
技術エントロピー増大との戦い。エウレカSREチームの事例
takuya542
0
110
投稿監視マイクロサービスの継続的なデプロイと構成変更の実現手段の紹介
takuya542
0
510
pairsのプロビジョニング要件とInfrastructure as Code実例
takuya542
0
390
動的ホスト管理を使い倒す!
pairsのプロビジョニング要件とInfrastructure as Code実例
takuya542
0
200
Mackerel Agent プロビジョニングフロー実例 / Mackerel Meetup #7 Tokyo
takuya542
0
2.7k

Other Decks in Technology

See All in Technology
OpenShift.Run2023_create-aro-with-terraform
ishiitaiki20fixer
1
360
re:Inventの完全招待制イベント Building a Roadmap to SaaSについて / Building a Roadmap to SaaS an invitation only event at reinvent
yayoi_dd
0
160
re:Invent2022 前後の Amazon EventBridge のアップデートを踏まえつつ、情シスの仕事をより楽しくしたい話。 / EventBridge for Information Systems Department
_kensh
2
800
OCI技術資料 : ロード・バランサー 詳細 / Load Balancer 200
ocise
2
7.2k
AI Services 概要 / AI Services overview
oracle4engineer
PRO
0
180
モバイルモーションキャプチャーデバイス「mocopi」を軽く試してみた / IoTLT vol.95 (新年会IoTLTラジオ)
you
0
100
金属加工屋の営業マンがSTマイクロで・・・
usashirou
0
180
インフラ技術基礎勉強会 開催概要
toru_kubota
0
190
SPA・SSGでSSRのようなOGP対応!
simo123
2
170
Raspberry Pi Camera 3 介紹
piepie_tw
PRO
0
170
オブザーバビリティのベストプラクティスと弥生の現状 / best practices for observability and YAYOI’s current state
yayoi_dd
0
170
re:Inventで発表があったIoT事例の紹介と考察
kizawa2020
0
200

Featured

See All Featured
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
239
19k
Reflections from 52 weeks, 52 projects
jeffersonlam
339
18k
Infographics Made Easy
chrislema
235
17k
Gamification - CAS2011
davidbonilla
75
4.1k
Imperfection Machines: The Place of Print at Facebook
scottboms
254
12k
The Straight Up "How To Draw Better" Workshop
denniskardys
226
130k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
500
130k
A better future with KSS
kneath
230
16k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
182
15k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
44
14k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
15
1.2k
Faster Mobile Websites
deanohume
295
29k

Transcript

  1. Copyright © 2009-2017 eureka, inc. All rights reserved. Takuya Onda

    / eureka, Inc. 2017-12-21 Eureka x Retty x C Channel Approach for Vulnerability Detection and Progressive Change Management

  2. Introduction ▪ Takuya Onda – eureka, Inc. – SRE team

    Engineer Lead

  3. Agenda ▪ 1. Security overview and problems ▪ 2. Continuous

    vulnerability detection ▪ 3. Continuous change management ▪ 4. Access control and developer efficiency

  4. Security Problems ▪ Vulnerability management – Detection / Reporting ▪

    Change management – Procedure to rollout new patch to production ▪ Access control management – SSH / DB / Monitoring

  5. What we really want to achieve?

  6. 1:Automated Detection and Prevention & Reporting ▪ External attack –

    DDOS / Penetration / Injection ▪ Internal vulnerabilities – Network / Middleware / Application

  7. Solution: Standing on the Shoulders of Giants ▪ Akamai WAF

    – Risk grouping / reputation control – Automated detection / prevention ▪ AWS Inspector – Host based security scanner by AWS – Scheduled implementation and reporting via lambda

  8. Solution: Standing on the Shoulders of Giants

  9. 2: Easy & Safety Process for Patching ▪ Unified Patching

    Process – No manual modification ▪ Frequent changes by replacing, not updating – Progressive rollout by replacing instances – Much easier for testing

  10. Solution: Patched Image & Blue Green Rollout ▪ Patched Golden

    Image by Packer x Ansible – Same role & steps for staging / production ▪ ASG on ELB + CodeDeploy by Terraform – Rollout new AMI by create new ASG and replace old one – Treat instances as disposable – Fully codenized Infrastructure

  11. Solution: Patched Image & Blue Green Rollout

  12. 3: Compatibility between Access Control & Devs Efficiency ▪ No

    SSH – Exterminate reason that developers need direct access ▪ Resolve complicated procedures into simple ones – Want to provide all info about production for developers

  13. Solution: Log Consolidation for No SSH World ▪ Definition of

    deployment completion – Dev just needed to know whether their deploy really was ok ▪ Log consolidation via StackDriver / CloudPubSub – Visualize all app-logs and set regex-based error alert – Also used for audit log consolidation

  14. Solution: Log Consolidation for No SSH World

  15. Solution: Log Consolidation for No SSH World

  16. Solution: Log Consolidation for No SSH World

  17. Summary

  18. Summary ▪ Security overview and problem – Categorized into 3

    major problems ▪ Continuous vulnerability detection – Akamai WAF / AWS Inspector ▪ Continuous change management – Packer x Ansible x Terraform for progressive patch rollout ▪ Access control and developers efficiency – StackDriver for log consolidation

  19. CONFIDENTIAL Thank you :) Thank you :)

  20. Any Questions??