
Introduction to continuous vulnerability detection and patch management methods

takuya542
December 22, 2017

Transcript

  1. Copyright © 2009-2017 eureka, inc. All rights reserved.
     Takuya Onda / eureka, Inc., 2017-12-21, Eureka x Retty x C Channel
     Approach for Vulnerability Detection and Progressive Change Management

  2. Agenda
     ▪ 1. Security overview and problems
     ▪ 2. Continuous vulnerability detection
     ▪ 3. Continuous change management
     ▪ 4. Access control and developer efficiency

  3. Security Problems
     ▪ Vulnerability management
       – Detection / Reporting
     ▪ Change management
       – Procedure to roll out a new patch to production
     ▪ Access control management
       – SSH / DB / Monitoring

  4. 1: Automated Detection, Prevention & Reporting
     ▪ External attacks
       – DDoS / Penetration / Injection
     ▪ Internal vulnerabilities
       – Network / Middleware / Application

  5. Solution: Standing on the Shoulders of Giants
     ▪ Akamai WAF
       – Risk grouping / reputation control
       – Automated detection / prevention
     ▪ AWS Inspector
       – Host-based security scanner by AWS
       – Scheduled runs and reporting via Lambda

  6. 2: Easy & Safe Process for Patching
     ▪ Unified patching process
       – No manual modification
     ▪ Frequent changes by replacing, not updating
       – Progressive rollout by replacing instances
       – Much easier to test

  7. Solution: Patched Image & Blue/Green Rollout
     ▪ Patched golden image built by Packer x Ansible
       – Same role & steps for staging / production
     ▪ ASG on ELB + CodeDeploy, managed by Terraform
       – Roll out the new AMI by creating a new ASG and replacing the old one
       – Treat instances as disposable
       – Fully codified infrastructure
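The ASG-replacement rollout described in slide 7, as an added Terraform example; it is not from the deck or eureka's own code. It assumes Terraform 0.12+ syntax, a Packer/Ansible-built AMI tagged Role=app, and a classic ELB name and subnet IDs supplied as variables; the CodeDeploy wiring is left out.

```terraform
variable "elb_name"   { type = string }
variable "subnet_ids" { type = list(string) }

# Newest AMI produced by the Packer + Ansible build (assumed to be tagged Role=app).
data "aws_ami" "golden" {
  most_recent = true
  owners      = ["self"]
  filter {
    name   = "tag:Role"
    values = ["app"]
  }
}

# A new AMI id forces a new launch configuration; create_before_destroy keeps
# the old one alive until its replacement exists.
resource "aws_launch_configuration" "app" {
  name_prefix   = "app-"
  image_id      = data.aws_ami.golden.id
  instance_type = "t3.medium" # illustrative size
  lifecycle {
    create_before_destroy = true
  }
}

# The ASG name embeds the launch configuration name, so every patched AMI
# yields a brand-new ASG. Terraform creates it, waits until min_elb_capacity
# instances are healthy behind the ELB, and only then destroys the old ASG:
# blue/green replacement of disposable instances, never an in-place update.
resource "aws_autoscaling_group" "app" {
  name                      = "app-${aws_launch_configuration.app.name}"
  launch_configuration      = aws_launch_configuration.app.name
  vpc_zone_identifier       = var.subnet_ids
  load_balancers            = [var.elb_name]
  health_check_type         = "ELB"
  health_check_grace_period = 300
  min_size                  = 2
  max_size                  = 4
  desired_capacity          = 2
  min_elb_capacity          = 2
  lifecycle {
    create_before_destroy = true
  }
}
```

If the new instances never pass the ELB health check, the apply fails and the old ASG is left serving traffic, which is the rollback path this pattern relies on.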
  8. 3: Compatibility between Access Control & Developer Efficiency
     ▪ No SSH
       – Eliminate the reasons developers need direct access
     ▪ Resolve complicated procedures into simple ones
       – Want to provide developers with all information about production

  9. Solution: Log Consolidation for a No-SSH World
     ▪ Definition of deployment completion
       – Devs only need to know whether their deploy really was OK
     ▪ Log consolidation via Stackdriver / Cloud Pub/Sub
       – Visualize all app logs and set regex-based error alerts
       – Also used for audit log consolidation

  10. Summary
     ▪ Security overview and problems
       – Categorized into 3 major problems
     ▪ Continuous vulnerability detection
       – Akamai WAF / AWS Inspector
     ▪ Continuous change management
       – Packer x Ansible x Terraform for progressive patch rollout
     ▪ Access control and developer efficiency
       – Stackdriver for log consolidation