
Introduction to Continuous Vulnerability Detection and Patch Management Methods

takuya542
January 28, 2018


Transcript

  1. Approach for Vulnerability Detection and Progressive Change Management
     Takuya Onda / eureka, Inc., 2018-01-23 SRE Lounge #1
     Copyright © 2009-2017 eureka, inc. All rights reserved.
  2. Introduction
     ▪ Takuya Onda
       – eureka, Inc.
       – SRE team Engineer Lead
  3. CONFIDENTIAL

  4. About Us - Pairs https://eure.jp/pairs-5million-thanks/

  5. About Us - Couples

  6. About Us - IAC/Match Group

  7. About Us - SRE Group Objectives
     ▪ 99.95% Availability
     ▪ Minimize Security Risks
     ▪ Automated & Self-Healing Architecture
     ▪ Maximize Profit Rate by Opt WebOps Capacity
     ▪ Fast & Comfortable Delivery Pipeline
  8. Agenda
     ▪ 1. Security Overview & Problems
     ▪ 2. Continuous Vulnerability Detection
     ▪ 3. Continuous Change Management
     ▪ 4. Access Control & Developer Efficiency
  9. Security Problems
     ▪ Vulnerability Management
       – Detection / Reporting
     ▪ Change Management
       – Procedure to roll out a new patch to production
     ▪ Access Control Management
       – SSH / DB / Monitoring
  10. What do we really want to achieve?

  11. 1: Automated Detection, Prevention & Reporting
      ▪ External attack
        – DDoS / Penetration / Injection
      ▪ Internal vulnerabilities
        – Network / Middleware / Application
  12. Solution: Standing on the Shoulders of Giants
      ▪ Akamai WAF
        – Risk grouping / reputation control
        – Automated detection / prevention
      ▪ AWS Inspector
        – Host based security scanner by AWS
        – Scheduled implementation and reporting via Lambda
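The slide only names the pieces (Inspector runs on a schedule, a Lambda does the reporting). The block below is an added example, not code from the deck or from eureka, showing what that reporting step can look like: findings are grouped by severity and by EC2 agent id, rendered as a short report, and the hosts that need a rebuilt image are picked out. The findings are constructed sample data with placeholder titles; the key names (`severity`, `title`, `assetAttributes.agentId`) follow the shape of the Inspector Classic `describe_findings` response, and the `lambda_handler` assumes the triggering event carries the assessment run ARN.

```python
"""Reporting step for a scheduled AWS Inspector (Classic) assessment, as a
Lambda would run it.  Added example: the findings are constructed sample
data, and the key names follow the describe_findings response shape."""
from collections import Counter, defaultdict

SEVERITY_ORDER = ["High", "Medium", "Low", "Informational"]  # worst first

# Constructed sample findings (placeholder ids and titles, not real scan output).
SAMPLE_FINDINGS = [
    {"severity": "High", "title": "Package PLACEHOLDER-1 has a known vulnerability",
     "assetAttributes": {"agentId": "i-0aaa"}},
    {"severity": "Medium", "title": "Package PLACEHOLDER-2 has a known vulnerability",
     "assetAttributes": {"agentId": "i-0aaa"}},
    {"severity": "High", "title": "Package PLACEHOLDER-1 has a known vulnerability",
     "assetAttributes": {"agentId": "i-0bbb"}},
    {"severity": "Low", "title": "Configuration check PLACEHOLDER-3",
     "assetAttributes": {"agentId": "i-0bbb"}},
    {"severity": "Informational", "title": "Kernel version reported",
     "assetAttributes": {"agentId": "i-0ccc"}},
]


def summarize_findings(findings):
    """Group findings by severity and by agent (EC2 instance) id."""
    by_severity = Counter()
    by_host = defaultdict(Counter)
    for f in findings:
        sev = f.get("severity", "Informational")
        host = f.get("assetAttributes", {}).get("agentId", "unknown")
        by_severity[sev] += 1
        by_host[host][sev] += 1
    # Worst severity present, or None when the run produced no findings.
    worst = next((s for s in SEVERITY_ORDER if by_severity[s]), None)
    return {
        "by_severity": dict(by_severity),
        "by_host": {h: dict(c) for h, c in by_host.items()},
        "worst": worst,
        "total": sum(by_severity.values()),
    }


def hosts_needing_patch(summary, min_severity="Medium"):
    """Agent ids with at least one finding at or above min_severity; these are
    the instances to replace with a freshly patched image."""
    wanted = SEVERITY_ORDER[: SEVERITY_ORDER.index(min_severity) + 1]
    return sorted(h for h, counts in summary["by_host"].items()
                  if any(counts.get(s) for s in wanted))


def render_report(summary):
    """Plain-text report suitable for a chat or e-mail notification."""
    lines = [f"Inspector findings: {summary['total']} total, "
             f"worst severity {summary['worst']}"]
    for sev in SEVERITY_ORDER:
        n = summary["by_severity"].get(sev, 0)
        if n:
            lines.append(f"  {sev:<13} {n}")
    lines.append("Per host:")
    for host in sorted(summary["by_host"]):
        counts = summary["by_host"][host]
        detail = ", ".join(f"{s}={counts[s]}" for s in SEVERITY_ORDER if s in counts)
        lines.append(f"  {host}: {detail}")
    return "\n".join(lines)


def lambda_handler(event, context):
    """Lambda entry point.  Assumption: the event carries the assessment run
    ARN (for example from Inspector's completion notification).  boto3 is
    imported here so the pure functions above run without AWS credentials."""
    import boto3
    inspector = boto3.client("inspector")
    arns = inspector.list_findings(
        assessmentRunArns=[event["assessmentRunArn"]])["findingArns"]  # paginate with nextToken for large runs
    findings = []
    batch = 10  # assumed per-call cap on findingArns; check the API limit
    for i in range(0, len(arns), batch):
        findings += inspector.describe_findings(findingArns=arns[i:i + batch])["findings"]
    summary = summarize_findings(findings)
    print(render_report(summary))
    return summary


if __name__ == "__main__":
    s = summarize_findings(SAMPLE_FINDINGS)
    print(render_report(s))
    print("replace:", hosts_needing_patch(s))
```

The threshold in `hosts_needing_patch` is where policy lives: with the patched-image approach from later slides, the list it returns is the set of instances whose Auto Scaling group should be rolled to a new AMI rather than patched in place.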
  13. Solution: Standing on the Shoulders of Giants

  14. 2: Easy & Safe Process for Patching
      ▪ Unified Patching Process
        – No manual modification
      ▪ Frequent changes by replacing, not updating
        – Progressive rollout by replacing instances
        – Much easier for testing
  15. Solution: Patched Image & Blue Green Rollout
      ▪ Patched Golden Image by Packer x Ansible
        – Same role & steps for staging / production
      ▪ ASG on ELB + CodeDeploy by Terraform
        – Roll out a new AMI by creating a new ASG and replacing the old one
        – Treat instances as disposable
        – Fully codified infrastructure
  16. Solution: Patched Image & Blue Green Rollout

  17. 3: Compatibility between Access Control & Devs Efficiency
      ▪ No SSH
        – Eliminate the reasons developers need direct access
      ▪ Resolve complicated procedures into simple ones
        – Want to provide all info about production to developers
  18. Solution: Log Consolidation for No SSH World
      ▪ Definition of deployment completion
        – Devs only need to know whether their deploy actually succeeded
      ▪ Log consolidation via StackDriver / Cloud Pub/Sub
        – Visualize all app logs and set regex-based error alerts
        – Also used for audit log consolidation
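Two points on this slide fit together: regex-based error alerts over consolidated logs, and a definition of "deploy completed" that developers can read from those logs instead of from a shell on the instance. The block below is an added example, not code from the deck or from eureka's pipeline, that implements both over a constructed log sample: a parser for a `timestamp key=value ... msg="..."` line format (the format and the lines are constructed), a rule table of regexes with per-rule thresholds, and a `deployment_ok` check that passes only when every expected host logged its startup line under the deploy id and no rule fired on that deploy's logs.

```python
"""Regex-based error alerting and a log-derived deployment check for a
no-SSH setup.  Added example; the log format and sample lines are constructed."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample of consolidated logs from three instances after deploy d-42.
SAMPLE_LOGS = """\
2018-01-23T10:00:01Z app=api host=i-0aaa deploy=d-42 level=info msg="server started"
2018-01-23T10:00:02Z app=api host=i-0bbb deploy=d-42 level=info msg="server started"
2018-01-23T10:00:05Z app=api host=i-0aaa deploy=d-42 level=info msg="GET /me 200 12ms"
2018-01-23T10:00:06Z app=api host=i-0bbb deploy=d-42 level=error msg="db: connection refused"
2018-01-23T10:00:07Z app=api host=i-0bbb deploy=d-42 level=error msg="db: connection refused"
2018-01-23T10:00:08Z app=api host=i-0bbb deploy=d-42 level=error msg="db: connection refused"
2018-01-23T10:00:09Z app=api host=i-0aaa deploy=d-42 level=info msg="GET /me 200 9ms"
2018-01-23T10:03:00Z app=worker host=i-0ccc deploy=d-42 level=info msg="job done"
2018-01-23T10:03:01Z app=worker host=i-0ccc deploy=d-42 level=warn msg="panic: runtime error: index out of range"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<fields>.*?)\s+msg="(?P<msg>.*)"$')
FIELD_RE = re.compile(r'(\w+)=(\S+)')

# Alert rules: (name, regex applied to the message text, hit count that pages).
ERROR_RULES = [
    ("panic", re.compile(r'\bpanic:'), 1),                          # a single panic is enough
    ("db_unavailable", re.compile(r'connection refused'), 3),      # tolerate brief blips
    ("http_5xx", re.compile(r'\b(GET|POST|PUT|DELETE) \S+ 5\d\d\b'), 5),
]


def parse_line(line):
    """Parse one log line into a dict of fields plus ts/msg; None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    rec["msg"] = m.group("msg")
    return rec


def parse_logs(text):
    """Parse a block of consolidated log text, skipping unparseable lines."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def evaluate_alerts(records):
    """Count rule hits per (app, rule); return those at or over the rule's
    threshold, sorted, as (app, rule, count) tuples."""
    hits = Counter()
    for rec in records:
        for name, rx, _ in ERROR_RULES:
            if rx.search(rec["msg"]):
                hits[(rec.get("app", "?"), name)] += 1
    thresholds = {name: t for name, _, t in ERROR_RULES}
    return sorted((app, name, n) for (app, name), n in hits.items()
                  if n >= thresholds[name])


def deployment_ok(records, deploy_id, expected_hosts):
    """Deployment completion as the slide defines it: every expected host came
    up under this deploy and no error rule fired on its logs.
    Returns (ok, reasons) so the developer sees why a deploy is not ok."""
    mine = [r for r in records if r.get("deploy") == deploy_id]
    started = {r["host"] for r in mine if r["msg"] == "server started"}
    reasons = [f"no startup log from {h}" for h in sorted(set(expected_hosts) - started)]
    reasons += [f"{app}: {rule} x{n}" for app, rule, n in evaluate_alerts(mine)]
    return (not reasons, reasons)


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    print("alerts:", evaluate_alerts(recs))
    print("deploy d-42:", deployment_ok(recs, "d-42", {"i-0aaa", "i-0bbb"}))
```

In a real pipeline the rule table is the part that gets tuned over time; keeping thresholds next to the regexes makes it reviewable, and `evaluate_alerts` returning structured tuples rather than text means the same logic can feed both a dashboard and a pager.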
  19. Solution: Log Consolidation for No SSH World

  20. Solution: Log Consolidation for No SSH World

  21. Solution: Log Consolidation for No SSH World

  22. Summary

  23. Summary
      ▪ Security overview and problems
        – Categorized into 3 major problems
      ▪ Continuous vulnerability detection
        – Akamai WAF / AWS Inspector
      ▪ Continuous change management
        – Packer x Ansible x Terraform for progressive patch rollout
      ▪ Access control and developer efficiency
        – StackDriver for log consolidation
  24. CONFIDENTIAL Thank you :)

  25. Any Questions??