Introduction to Continuous Vulnerability Detection and Patch Management Methods

takuya542

December 22, 2017

Transcript

  1. Eureka x Retty x C Channel, 2017-12-21: Approach for Vulnerability Detection and Progressive Change Management
     Takuya Onda / eureka, Inc.
     Copyright © 2009-2017 eureka, inc. All rights reserved.
  2. Introduction
     ▪ Takuya Onda
       – eureka, Inc.
       – SRE team, Engineer Lead
  3. Agenda
     ▪ 1. Security overview and problems
     ▪ 2. Continuous vulnerability detection
     ▪ 3. Continuous change management
     ▪ 4. Access control and developer efficiency
  4. Security Problems
     ▪ Vulnerability management
       – Detection / reporting
     ▪ Change management
       – Procedure to roll out a new patch to production
     ▪ Access control management
       – SSH / DB / monitoring
  5. What do we really want to achieve?

  6. 1: Automated Detection, Prevention & Reporting
     ▪ External attacks
       – DDoS / penetration / injection
     ▪ Internal vulnerabilities
       – Network / middleware / application
  7. Solution: Standing on the Shoulders of Giants
     ▪ Akamai WAF
       – Risk grouping / reputation control
       – Automated detection / prevention
     ▪ AWS Inspector
       – Host-based security scanner by AWS
       – Scheduled execution and reporting via Lambda
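The "scheduled execution and reporting via Lambda" item is the part a team has to write itself. The block below is an added example, not code from the talk or from eureka, of what such a Lambda can look like: it assumes the boto3 Inspector Classic calls start_assessment_run, list_findings and describe_findings with the argument and response shapes used here, and two trigger paths (a scheduled event starts a run, a completion event asks for the report). The "start" / "report" event contract, the TEMPLATE_ARN placeholder and StubInspector are constructions of this example so that the logic runs offline.

```python
"""Scheduled AWS Inspector (Classic) run with a findings report from Lambda.

Added example, not eureka's code. Assumes the boto3 Inspector Classic API
shapes used below; the event contract and StubInspector are constructed here
so the reporting logic can be exercised without AWS access.
"""
import os
from collections import Counter, defaultdict

# Inspector Classic severity labels, worst first (assumption).
SEVERITY_ORDER = ["High", "Medium", "Low", "Informational"]
# Placeholder; the real assessment template ARN comes from the Lambda environment.
TEMPLATE_ARN = os.environ.get(
    "TEMPLATE_ARN", "arn:aws:inspector:REGION:ACCOUNT:target/PLACEHOLDER/template/PLACEHOLDER")


def start_scheduled_run(inspector, template_arn, run_name):
    """Cron-triggered path: start an assessment run and return its ARN."""
    resp = inspector.start_assessment_run(
        assessmentTemplateArn=template_arn, assessmentRunName=run_name)
    return resp["assessmentRunArn"]


def fetch_findings(inspector, run_arn, page_size=100):
    """Follow nextToken until every finding ARN of the run has been described."""
    findings, kwargs = [], {"assessmentRunArns": [run_arn], "maxResults": page_size}
    while True:
        page = inspector.list_findings(**kwargs)
        arns = page.get("findingArns", [])
        if arns:
            findings.extend(inspector.describe_findings(findingArns=arns)["findings"])
        if not page.get("nextToken"):
            return findings
        kwargs["nextToken"] = page["nextToken"]


def summarize(findings):
    """Count findings by severity and per host (the Inspector agentId)."""
    by_severity = Counter(f["severity"] for f in findings)
    by_host = defaultdict(Counter)
    for f in findings:
        host = f.get("assetAttributes", {}).get("agentId", "unknown")
        by_host[host][f["severity"]] += 1
    return {"by_severity": dict(by_severity),
            "by_host": {h: dict(c) for h, c in by_host.items()}}


def render_report(run_arn, summary, alert_on=("High",)):
    """Text for the team channel plus a flag: did any finding reach alert_on?"""
    lines = [f"Inspector run {run_arn}"]
    for sev in SEVERITY_ORDER:
        lines.append(f"  {sev:<13} {summary['by_severity'].get(sev, 0)}")
    for host, counts in sorted(summary["by_host"].items()):
        worst = next(s for s in SEVERITY_ORDER if counts.get(s))
        lines.append(f"  host {host}: {sum(counts.values())} findings (worst: {worst})")
    needs_attention = any(summary["by_severity"].get(s) for s in alert_on)
    return "\n".join(lines), needs_attention


def handler(event, context=None, inspector=None):
    """Lambda entry point; inspector is injectable so tests need no AWS access."""
    if inspector is None:
        import boto3  # only imported inside Lambda, where boto3 is available
        inspector = boto3.client("inspector")
    if event.get("action") == "start":
        run_arn = start_scheduled_run(inspector, TEMPLATE_ARN, event.get("run_name", "scheduled"))
        return {"started": run_arn}
    summary = summarize(fetch_findings(inspector, event["run_arn"]))
    report, needs_attention = render_report(event["run_arn"], summary)
    return {"summary": summary, "report": report, "needs_attention": needs_attention}


class StubInspector:
    """Offline stand-in: four constructed findings on two hosts, served in two pages."""
    RUN_ARN = "arn:aws:inspector:stub:run/1"

    def __init__(self):
        self.started = []
        self._findings = [
            {"arn": "f1", "severity": "High", "assetAttributes": {"agentId": "i-aaa"}},
            {"arn": "f2", "severity": "Medium", "assetAttributes": {"agentId": "i-aaa"}},
            {"arn": "f3", "severity": "Medium", "assetAttributes": {"agentId": "i-bbb"}},
            {"arn": "f4", "severity": "Low", "assetAttributes": {"agentId": "i-bbb"}},
        ]

    def start_assessment_run(self, assessmentTemplateArn, assessmentRunName):
        self.started.append((assessmentTemplateArn, assessmentRunName))
        return {"assessmentRunArn": self.RUN_ARN}

    def list_findings(self, assessmentRunArns, maxResults, nextToken=None):
        arns = [f["arn"] for f in self._findings]  # pages at two, whatever maxResults says
        if nextToken is None:
            return {"findingArns": arns[:2], "nextToken": "page2"}
        return {"findingArns": arns[2:]}

    def describe_findings(self, findingArns):
        return {"findings": [f for f in self._findings if f["arn"] in findingArns]}


if __name__ == "__main__":
    stub = StubInspector()
    print(handler({"action": "start", "run_name": "nightly"}, inspector=stub))
    print(handler({"action": "report", "run_arn": StubInspector.RUN_ARN}, inspector=stub)["report"])
```

The detail worth keeping is the split in render_report: every run produces a report in the channel, but only findings at a severity listed in alert_on flip needs_attention, which is the bit that should decide whether anyone is paged. Paging through nextToken matters as well, since a fleet of hosts produces far more findings than one list_findings page returns.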
  8. Solution: Standing on the Shoulders of Giants

  9. 2: Easy & Safe Process for Patching
     ▪ Unified patching process
       – No manual modification
     ▪ Frequent changes by replacing, not updating
       – Progressive rollout by replacing instances
       – Much easier to test
  10. Solution: Patched Image & Blue Green Rollout
     ▪ Patched golden image built with Packer x Ansible
       – Same roles & steps for staging / production
     ▪ ASG on ELB + CodeDeploy, managed by Terraform
       – Roll out a new AMI by creating a new ASG and replacing the old one
       – Treat instances as disposable
       – Fully codified infrastructure
  11. Solution: Patched Image & Blue Green Rollout

  12. 3: Compatibility between Access Control & Developer Efficiency
     ▪ No SSH
       – Eliminate the reasons developers need direct access
     ▪ Turn complicated procedures into simple ones
       – Want to provide developers with all information about production
  13. Solution: Log Consolidation for No SSH World
     ▪ Definition of deployment completion
       – Devs just need to know whether their deploy really succeeded
     ▪ Log consolidation via Stackdriver / Cloud Pub/Sub
       – Visualize all app logs and set regex-based error alerts
       – Also used for audit log consolidation
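As an added example (not the talk's code and not eureka's) of the two things on this slide, a regex-based error alert over consolidated logs and a machine-checkable definition of deployment completion: the block assumes that each Cloud Pub/Sub payload is a Stackdriver LogEntry in JSON carrying textPayload and resource.labels.instance_id; the rules, the "deploy <id> finished" marker and SAMPLE_MESSAGES are constructed for this example.

```python
"""Regex-based error alerting and a deploy-completion check over consolidated logs.

Added example, not eureka's code. Field names (textPayload,
resource.labels.instance_id), the rules, the completion marker and the
sample messages are assumptions constructed for this example.
"""
import json
import re
from collections import defaultdict

# Each rule: compiled regex, severity ("page" wakes someone up, "ticket" is
# reviewed next morning) and how many hits per batch it takes to fire, so a
# single transient 5xx does not page anyone.
RULES = [
    {"name": "app-5xx", "pattern": re.compile(r"status=5\d\d"), "severity": "page", "threshold": 5},
    {"name": "db-connect", "pattern": re.compile(r"could not connect to (?:db|database)", re.I),
     "severity": "page", "threshold": 1},
    {"name": "traceback", "pattern": re.compile(r"^Traceback \(most recent call last\)", re.M),
     "severity": "ticket", "threshold": 1},
]
# Marker the deploy script logs on each instance when it is done (constructed format).
DEPLOY_DONE = re.compile(r"deploy (?P<deploy_id>[\w-]+) finished")


def parse_entry(payload):
    """Decode one Pub/Sub payload into a LogEntry dict; None for junk so one bad
    message cannot stall the consumer."""
    try:
        entry = json.loads(payload)
    except (ValueError, TypeError):
        return None
    return entry if isinstance(entry, dict) and "textPayload" in entry else None


def instance_of(entry):
    return entry.get("resource", {}).get("labels", {}).get("instance_id", "unknown")


def evaluate_batch(entries):
    """Run every rule over a batch; return the alerts whose threshold was reached."""
    hits = defaultdict(list)  # rule name -> instances that matched
    for e in entries:
        for rule in RULES:
            if rule["pattern"].search(e["textPayload"]):
                hits[rule["name"]].append(instance_of(e))
    return [{"rule": r["name"], "severity": r["severity"], "count": len(hits[r["name"]]),
             "instances": sorted(set(hits[r["name"]]))}
            for r in RULES if len(hits[r["name"]]) >= r["threshold"]]


def deploy_status(entries, deploy_id, expected_instances):
    """A deploy is ok when every expected instance logged the completion marker
    and no page-severity rule matched on that instance afterwards."""
    completed, errors_after = set(), defaultdict(int)
    for e in entries:  # entries are assumed to arrive in timestamp order
        inst, text = instance_of(e), e["textPayload"]
        m = DEPLOY_DONE.search(text)
        if m and m.group("deploy_id") == deploy_id:
            completed.add(inst)
        elif inst in completed and any(
                r["severity"] == "page" and r["pattern"].search(text) for r in RULES):
            errors_after[inst] += 1
    missing = sorted(set(expected_instances) - completed)
    return {"ok": not missing and not errors_after,
            "completed": sorted(completed), "missing": missing,
            "errors_after_deploy": dict(errors_after)}


def _msg(ts, instance, text):
    return json.dumps({"timestamp": ts, "textPayload": text,
                       "resource": {"type": "gce_instance", "labels": {"instance_id": instance}}})


# Constructed sample: two new instances finish deploy 20171221-1, then one of
# them starts failing; one payload is deliberately not JSON.
SAMPLE_MESSAGES = [
    _msg("2017-12-21T10:00:01Z", "i-new-1", "deploy 20171221-1 finished"),
    _msg("2017-12-21T10:00:02Z", "i-new-2", "deploy 20171221-1 finished"),
    _msg("2017-12-21T10:00:05Z", "i-new-1", "GET /api/users status=200 42ms"),
    _msg("2017-12-21T10:00:06Z", "i-new-2", "GET /api/items status=502 9ms"),
    _msg("2017-12-21T10:00:07Z", "i-new-2", "ERROR could not connect to db at 10.0.0.5:5432"),
    "this payload is not JSON",
    _msg("2017-12-21T10:00:09Z", "i-new-1",
         "Traceback (most recent call last):\n  File \"app.py\", line 12, in handle"),
]


def run_sample():
    entries = [e for e in map(parse_entry, SAMPLE_MESSAGES) if e]
    return evaluate_batch(entries), deploy_status(entries, "20171221-1", {"i-new-1", "i-new-2"})


if __name__ == "__main__":
    alerts, status = run_sample()
    for a in alerts:
        print(f"ALERT[{a['severity']}] {a['rule']} x{a['count']} on {a['instances']}")
    print("deploy ok" if status["ok"] else f"deploy not ok: {status}")
```

Two design choices carry the weight here. Thresholds are per rule, so a pattern that is noisy under normal load (a handful of 5xx) needs volume before it pages, while a pattern that is never benign (database unreachable) pages on the first hit. And the deploy check answers the developer's real question, "did my deploy succeed", from the same log stream: it needs the completion marker from every instance in the new ASG and no page-severity match on those instances afterwards, so nobody has to SSH in to find out.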
  14. Solution: Log Consolidation for No SSH World

  15. Solution: Log Consolidation for No SSH World

  16. Solution: Log Consolidation for No SSH World

  17. Summary

  18. Summary
     ▪ Security overview and problems
       – Categorized into 3 major problems
     ▪ Continuous vulnerability detection
       – Akamai WAF / AWS Inspector
     ▪ Continuous change management
       – Packer x Ansible x Terraform for progressive patch rollout
     ▪ Access control and developer efficiency
       – Stackdriver for log consolidation
  19. CONFIDENTIAL Thank you :)

  20. Any Questions??