
Introduction to continuous vulnerability detection and patch management techniques

takuya542
January 28, 2018



Transcript

1. Approach for Vulnerability Detection and Progressive Change Management
   Takuya Onda / eureka, Inc. 2018-01-23 SRE Lounge #1
   Copyright © 2009-2017 eureka, inc. All rights reserved.
2. About Us - SRE Group Objectives
   ▪ 99.95% Availability
   ▪ Minimize Security Risks
   ▪ Automated & Self-Healing Architecture
   ▪ Maximize Profit Rate by Optimizing WebOps Capacity
   ▪ Fast & Comfortable Delivery Pipeline
3. Agenda
   ▪ 1. Security Overview & Problems
   ▪ 2. Continuous Vulnerability Detection
   ▪ 3. Continuous Change Management
   ▪ 4. Access Control & Developer Efficiency
4. Security Problems
   ▪ Vulnerability Management – Detection / Reporting
   ▪ Change Management – Procedure for rolling out new patches to production
   ▪ Access Control Management – SSH / DB / Monitoring
5. 1: Automated Detection, Prevention & Reporting
   ▪ External attacks – DDoS / Penetration / Injection
   ▪ Internal vulnerabilities – Network / Middleware / Application
6. Solution: Standing on the Shoulders of Giants
   ▪ Akamai WAF
     – Risk grouping / reputation control
     – Automated detection / prevention
   ▪ AWS Inspector
     – Host-based security scanner provided by AWS
     – Scheduled execution and reporting via Lambda
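How the "scheduled execution and reporting via Lambda" part can be wired up, as an added example that is not eureka's code and is not taken from the deck: one handler is invoked by a CloudWatch Events schedule rule and starts an Amazon Inspector (Classic) assessment run from an existing assessment template; a second handler, subscribed through the template's SNS event subscription to the run-completed event, pages through the findings and summarizes them by severity and host. The environment variable name INSPECTOR_TEMPLATE_ARN, the `run` field in the SNS message, the "any High finding pages someone" policy and the sample findings are assumptions; `start_assessment_run`, `list_findings` and `describe_findings` are the real boto3 Inspector calls.

```python
import datetime
import json
import os

# Severity levels Amazon Inspector (Classic) assigns to findings.
SEVERITIES = ("High", "Medium", "Low", "Informational")

# Constructed sample, shaped like the items DescribeFindings returns.
SAMPLE_FINDINGS = [
    {"severity": "High", "title": "Remote root login enabled",
     "assetAttributes": {"agentId": "i-0aaa0001"}},
    {"severity": "High", "title": "Unpatched kernel package",
     "assetAttributes": {"agentId": "i-0aaa0001"}},
    {"severity": "Medium", "title": "Port 22 reachable from the Internet",
     "assetAttributes": {"agentId": "i-0bbb0002"}},
    {"severity": "Informational", "title": "No agent-based findings",
     "assetAttributes": {"agentId": "i-0ccc0003"}},
]


def run_name(now=None):
    """Unique, sortable assessment-run name; Inspector requires one per run."""
    now = now or datetime.datetime.utcnow()
    return "scheduled-" + now.strftime("%Y%m%dT%H%M%SZ")


def chunks(items, size):
    """Slices of at most `size`; DescribeFindings accepts 100 ARNs per call."""
    return [items[i:i + size] for i in range(0, len(items), size)]


def summarize_findings(findings):
    """Count findings per severity and collect (severity, title) per host."""
    by_severity = {s: 0 for s in SEVERITIES}
    by_host = {}
    for f in findings:
        sev = f.get("severity", "Informational")
        by_severity[sev] = by_severity.get(sev, 0) + 1
        host = f.get("assetAttributes", {}).get("agentId", "unknown")
        by_host.setdefault(host, []).append((sev, f.get("title", "")))
    return by_severity, by_host


def needs_attention(by_severity, max_high=0):
    """Reporting policy (assumed): High findings beyond the threshold page someone."""
    return by_severity.get("High", 0) > max_high


def format_report(by_severity, by_host):
    """Plain-text report: totals first, then every host carrying High findings."""
    lines = ["Inspector findings: " + ", ".join(
        "%s=%d" % (s, by_severity.get(s, 0)) for s in SEVERITIES)]
    for host in sorted(by_host):
        highs = [title for sev, title in by_host[host] if sev == "High"]
        if highs:
            lines.append("  %s: %d High (%s)" % (host, len(highs), "; ".join(highs)))
    return "\n".join(lines)


def start_handler(event, context):
    """Invoked by the CloudWatch Events schedule: kick off one assessment run."""
    import boto3  # imported here so the pure helpers above work without the AWS SDK
    inspector = boto3.client("inspector")
    resp = inspector.start_assessment_run(
        assessmentTemplateArn=os.environ["INSPECTOR_TEMPLATE_ARN"],  # assumed env var
        assessmentRunName=run_name(),
    )
    return {"assessmentRunArn": resp["assessmentRunArn"]}


def report_handler(event, context):
    """Invoked via SNS when the run completes: fetch all findings and report."""
    import boto3
    inspector = boto3.client("inspector")
    # Inspector's completion notification carries the run ARN under "run" (assumed name).
    message = json.loads(event["Records"][0]["Sns"]["Message"])
    run_arn = message["run"]

    finding_arns = []
    kwargs = {"assessmentRunArns": [run_arn], "maxResults": 500}
    while True:  # ListFindings is paginated; follow nextToken to the end
        page = inspector.list_findings(**kwargs)
        finding_arns.extend(page["findingArns"])
        if "nextToken" not in page:
            break
        kwargs["nextToken"] = page["nextToken"]

    findings = []
    for batch in chunks(finding_arns, 100):
        findings.extend(inspector.describe_findings(findingArns=batch)["findings"])

    by_severity, by_host = summarize_findings(findings)
    report = format_report(by_severity, by_host)
    print(report)  # lands in CloudWatch Logs; forward to chat or paging from here
    return {"alert": needs_attention(by_severity), "report": report}
```

Splitting start and report into two handlers matters because an assessment run takes as long as the template's duration (often an hour); a single Lambda that waited for the result would time out, so the completion event drives the reporting side.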
7. 2: Easy & Safe Process for Patching
   ▪ Unified patching process – No manual modification
   ▪ Frequent changes by replacing, not updating
     – Progressive rollout by replacing instances
     – Much easier to test
8. Solution: Patched Image & Blue/Green Rollout
   ▪ Patched golden image built with Packer x Ansible
     – Same role & steps for staging / production
   ▪ ASG on ELB + CodeDeploy, managed by Terraform
     – Roll out a new AMI by creating a new ASG and replacing the old one
     – Treat instances as disposable
     – Fully codified infrastructure
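The replace-not-update rollout from the two slides above, as an added example that is not eureka's code: the deck drives this from Terraform, whereas this script performs the same steps directly with boto3 so that the health gate between "new fleet exists" and "old fleet is retired" is explicit. Assumptions: ASGs follow a `<role>-<ami id>` naming convention, the fleet sits behind a classic ELB, the new launch configuration copies its settings from an existing one (no key pair, in keeping with the no-SSH policy), and cutover requires every desired instance to be InService from the ELB's point of view. The sample ELB health states are constructed.

```python
import time

ROLE = "web"  # assumed naming convention: one ASG per role and AMI


def asg_name(role, ami_id):
    """A new ASG per AMI, so old and new fleets coexist during the rollout."""
    return "%s-%s" % (role, ami_id)


def fleet_healthy(instance_states, desired):
    """Cutover gate: at least `desired` instances report InService to the ELB.
    `instance_states` is shaped like DescribeInstanceHealth.InstanceStates."""
    in_service = sum(1 for s in instance_states if s["State"] == "InService")
    return in_service >= desired


def groups_to_retire(group_names, role, keep):
    """Every group of this role except the one that was just rolled out."""
    prefix = role + "-"
    return sorted(g for g in group_names if g.startswith(prefix) and g != keep)


def rollout(ami_id, desired, elb_name, subnets, template_lc, timeout=600):
    """Create LC + ASG for the patched AMI, wait for ELB health, retire old groups."""
    import boto3  # imported here so the pure helpers above run without the SDK
    asg = boto3.client("autoscaling")
    elb = boto3.client("elb")

    # Copy instance settings from the current launch configuration, swap the AMI.
    old_lc = asg.describe_launch_configurations(
        LaunchConfigurationNames=[template_lc])["LaunchConfigurations"][0]
    copied = {k: old_lc[k] for k in
              ("InstanceType", "SecurityGroups", "IamInstanceProfile", "UserData")
              if k in old_lc}
    new_lc = "%s-lc-%s" % (ROLE, ami_id)
    asg.create_launch_configuration(LaunchConfigurationName=new_lc,
                                    ImageId=ami_id, **copied)

    name = asg_name(ROLE, ami_id)
    asg.create_auto_scaling_group(
        AutoScalingGroupName=name, LaunchConfigurationName=new_lc,
        MinSize=desired, MaxSize=desired, DesiredCapacity=desired,
        LoadBalancerNames=[elb_name], HealthCheckType="ELB",
        HealthCheckGracePeriod=300, VPCZoneIdentifier=",".join(subnets))

    deadline = time.time() + timeout
    while time.time() < deadline:
        group = asg.describe_auto_scaling_groups(
            AutoScalingGroupNames=[name])["AutoScalingGroups"][0]
        ids = {i["InstanceId"] for i in group["Instances"]}
        # Ask the ELB for all registered instances and keep only the new fleet's.
        states = [s for s in elb.describe_instance_health(
            LoadBalancerName=elb_name)["InstanceStates"] if s["InstanceId"] in ids]
        if fleet_healthy(states, desired):
            break
        time.sleep(15)
    else:
        # The old fleet never left service, so rolling back is just discarding the new one.
        asg.delete_auto_scaling_group(AutoScalingGroupName=name, ForceDelete=True)
        raise RuntimeError("new fleet %s did not become healthy in time" % name)

    existing = [g["AutoScalingGroupName"] for g in
                asg.describe_auto_scaling_groups()["AutoScalingGroups"]]
    for old_name in groups_to_retire(existing, ROLE, keep=name):
        # Scale to zero first so ELB deregistration (and connection draining) happens
        # before the group and its unpatched instances are deleted.
        asg.update_auto_scaling_group(AutoScalingGroupName=old_name,
                                      MinSize=0, DesiredCapacity=0)
        asg.delete_auto_scaling_group(AutoScalingGroupName=old_name, ForceDelete=True)
    return name


# Constructed sample of what DescribeInstanceHealth returns mid-rollout.
SAMPLE_STATES = [
    {"InstanceId": "i-0new0001", "State": "InService"},
    {"InstanceId": "i-0new0002", "State": "OutOfService"},
]
```

The security-relevant property is that the old, unpatched instances are never modified in place and never linger: they are retired only after the patched fleet is serving traffic, and if it never does, nothing in production has changed. Terraform's `create_before_destroy` lifecycle on the ASG achieves the same ordering declaratively, which is what the deck relies on.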
9. 3: Compatibility between Access Control & Developer Efficiency
   ▪ No SSH – Eliminate the reasons developers need direct access
   ▪ Resolve complicated procedures into simple ones
     – Want to provide developers with all the information about production they need
10. Solution: Log Consolidation for a No-SSH World
   ▪ Definition of deployment completion
     – Devs just need to know whether their deploy really was OK
   ▪ Log consolidation via Stackdriver / Cloud Pub/Sub
     – Visualize all app logs and set regex-based error alerts
     – Also used for audit log consolidation
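The regex-based error alert and the "was my deploy OK?" answer from the slide above, as an added example rather than eureka's Stackdriver configuration: it consumes application log lines as JSON (the field names timestamp/revision/message, the error patterns, the 1% threshold and the sample lines are all assumptions) and computes an error rate per deployed revision, so the developer gets a yes/no without logging in to any host. In Stackdriver the same match would be a log-based metric with an alerting policy; the code shows what that metric counts.

```python
import json
import re

# Patterns a regex-based error alert would match (assumed; tune per application).
ERROR_PATTERNS = [
    re.compile(r"\b(panic|fatal|traceback)\b", re.I),
    re.compile(r'HTTP/\d\.\d" 5\d\d\b'),            # 5xx in access-log style lines
    re.compile(r"\b(connection refused|timeout)\b", re.I),
]


def parse_entry(raw):
    """One line as it arrives from Pub/Sub: a JSON object with the app's fields."""
    entry = json.loads(raw)
    return {"ts": entry["timestamp"],
            "rev": entry.get("revision", "unknown"),
            "msg": entry["message"]}


def is_error(message):
    """True when any alert pattern matches the message."""
    return any(p.search(message) for p in ERROR_PATTERNS)


def errors_by_revision(entries):
    """Total and error line counts per deployed revision, with a few sample errors."""
    stats = {}
    for e in entries:
        s = stats.setdefault(e["rev"], {"total": 0, "errors": 0, "samples": []})
        s["total"] += 1
        if is_error(e["msg"]):
            s["errors"] += 1
            if len(s["samples"]) < 3:
                s["samples"].append(e["msg"])
    return stats


def deploy_ok(stats, revision, max_error_rate=0.01, min_lines=20):
    """Deployment completion rule (assumed): the new revision has seen enough
    traffic and its error rate is under the threshold. None means "no verdict yet"."""
    s = stats.get(revision)
    if s is None or s["total"] < min_lines:
        return None
    return s["errors"] / s["total"] <= max_error_rate


# Constructed sample: two revisions, the second one serving 5xx and a panic.
SAMPLE_LOG = []
for i in range(40):
    SAMPLE_LOG.append(json.dumps({
        "timestamp": "2018-01-23T10:%02d:00Z" % (i % 60), "revision": "9f3e2c1",
        "message": 'GET /api/v1/users HTTP/1.1" 200 12ms'}))
for i in range(40):
    status = "500" if i % 10 == 0 else "200"
    SAMPLE_LOG.append(json.dumps({
        "timestamp": "2018-01-23T11:%02d:00Z" % (i % 60), "revision": "a41b8d0",
        "message": 'GET /api/v1/users HTTP/1.1" %s 3ms' % status}))
SAMPLE_LOG.append(json.dumps({
    "timestamp": "2018-01-23T11:41:00Z", "revision": "a41b8d0",
    "message": "panic: runtime error: index out of range"}))


def verdicts(raw_lines):
    """Per-revision OK / not OK / undecided, the answer a developer wants after deploying."""
    stats = errors_by_revision(parse_entry(l) for l in raw_lines)
    return {rev: deploy_ok(stats, rev) for rev in stats}


if __name__ == "__main__":
    print(verdicts(SAMPLE_LOG))
```

Tagging every line with the deployed revision is what makes the rule usable: the alert fires on the fleet as a whole, but the verdict compares the new revision against the threshold on its own, so a noisy old revision being drained does not mask a bad deploy.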
11. Summary
   ▪ Security overview and problems – Categorized into 3 major problems
   ▪ Continuous vulnerability detection – Akamai WAF / AWS Inspector
   ▪ Continuous change management – Packer x Ansible x Terraform for progressive patch rollout
   ▪ Access control and developer efficiency – Stackdriver for log consolidation