Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security by builders - セキュリティ監視をクラウドで「つくる」 / Se...

Hokuto Hoshi
September 25, 2019
Technology
7
2.7k

Security by builders - セキュリティ監視をクラウドで「つくる」 / Security by builders

Hokuto Hoshi

September 25, 2019
Tweet

More Decks by Hokuto Hoshi

See All by Hokuto Hoshi
Connecting organisation with Technology
kanny
0
200
Why Slack - 5 years of Cookpad with Slack
kanny
0
79
セキュリティ担当者から見た re:Invent と AWS Security Hub / Impression of re:Invent and AWS Security Hub
kanny
2
4.2k
自由でセキュアな環境のつくりかた / Building free and secure cloud environment
kanny
1
4.9k
事例でわかる、AWS 運用を支える
サポート活用方法と
エンタープライズサポートという選択 / AWS Enterprise Support and Cookpad
kanny
2
2.4k
AWS で加速する機械学習 / Accelerate Machine Learning with AWS
kanny
1
1k
クックパッドのログをいい感じにしているアーキテクチャ / Logging architecture at Cookpad
kanny
23
15k
クックパッドの機械学習を支える基盤のつくりかた / Machine Learning ops at Cookpad
kanny
4
8.7k
cookpad.com 全 HTTPS 化の軌跡
kanny
30
22k

Other Decks in Technology

See All in Technology
Bring Your Own Container: When Containers Turn the Key to EDR Bypass/byoc-avtokyo2024
tkmru
0
860
My small contributions - Fujiwara Tech Conference 2025
ijin
0
1.4k
Goで実践するBFP
hiroyaterui
1
120
技術に触れたり、顔を出そう
maruto
1
150
Unsafe.BitCast のすゝめ。
nenonaninu
0
200
なぜfreeeはハブ・アンド・スポーク型の データメッシュアーキテクチャにチャレンジするのか?
shinichiro_joya
2
490
Formal Development of Operating Systems in Rust
riru
1
420
機械学習を「社会実装」するということ 2025年版 / Social Implementation of Machine Learning 2025 Version
moepy_stats
5
1.2k
【NGK2025S】動物園(PINTO_model_zoo)に遊びに行こう
kazuhitotakahashi
0
240
シフトライトなテスト活動を適切に行うことで、無理な開発をせず、過剰にテストせず、顧客をビックリさせないプロダクトを作り上げているお話 #RSGT2025 / Shift Right
nihonbuson
3
2.2k
Kotlin Multiplatformのポテンシャル
recruitengineers
PRO
2
150
ABWGのRe:Cap!
hm5ug
1
120

Featured

See All Featured
Mobile First: as difficult as doing things right
swwweet
222
9k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
29
960
Designing Experiences People Love
moore
139
23k
jQuery: Nuts, Bolts and Bling
dougneiner
62
7.6k
Navigating Team Friction
lara
183
15k
Art, The Web, and Tiny UX
lynnandtonic
298
20k
Done Done
chrislema
182
16k
Build The Right Thing And Hit Your Dates
maggiecrowley
33
2.5k
How to train your dragon (web standard)
notwaldorf
89
5.8k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
113
50k
Gamification - CAS2011
davidbonilla
80
5.1k
StorybookのUI Testing Handbookを読んだ
zakiyama
28
5.4k

Transcript

  1. Security by builders ηΩϡϦςΟ؂ࢹΛΫϥ΢υͰʮͭ͘Δʯ Hokuto Hoshi VP of Technology, Cookpad

    Inc. [email protected]

  2. ੕ ๺ే (΄͠ ΄͘ͱ) / @kani_b • ΫοΫύουגࣜձࣾ VP of

    Technology
 ؂ࠪҕһձ ؂ࠪิॿऀ • શࣾԣஅͰͷ৘ใηΩϡϦςΟϦʔυ΋΍͍ͬͯ·͢ • Site Reliability & Security Engineer • AWS ೝఆ SA, DevOps ΤϯδχΞ (Professional) • 2013೥৽ଔೖࣾ, AWS ར༻ྺ͸9೥͘Β͍
  3. None
  4. None
  5. None
  6. None
  7. None
  8. None
  9. None
  10. None
  11. None
  12. None
  13. None
  14. None
  15. None
  16. None

  17. ΫοΫύουͱ AWS • 2011೥ʹ׬શҠߦ • 2ͭͷϦʔδϣϯΛओʹར༻ • 400 Ҏ্ͷ ECS

    αʔϏε͕ EC2 Spot Πϯελϯε্ͰՔಇ • શͯͷϢʔβ޲͚αʔϏε͸͜͜Ͱಈ͍͍ͯΔ

  18. ΫοΫύουͱΫϥ΢υ • ࣾ಺γεςϜ΋΄΅શ͕ͯ AWS ্·ͨ͸ SaaS ͱͯ͠Քಇ • ࣗલӡ༻ΛۃྗݮΒ͢ߏ੒ •

    ΦϑΟεʹ͋Δ΋ͷ͸ωοτϫʔΫػثͷΈ

  19. ΫοΫύουʹ͓͚Δ ৘ใηΩϡϦςΟͷҙຯ

  20. Α͘ฉ͔ΕΔ͜ͱ • ʮϨγϐαʔϏεʹ৘ใηΩϡϦςΟ͕ඞཁͳΜͰ͔͢ʁʯ

  21. Α͘ฉ͔ΕΔ͜ͱ • ʮϨγϐαʔϏεʹ৘ใηΩϡϦςΟ͕ඞཁͳΜͰ͔͢ʁʯ • A. ඞཁ͔ͭෆՄܽͰ͢

  22. ʮຖ೔ͷྉཧʯͱ৘ใηΩϡϦςΟ • Ϩγϐσʔλɺࣸਅɺίϝϯτɺϩάɺ༷ʑͳσʔλ • ৯ࣄ͸ਓؒͷੜ׆ͱີ઀ʹඥͮ͘ • μΠΤοτ΍ಛఆͷපؾͳͲϓϥΠόγʹؔΘΔ৘ใ΋ • ΑΓ਎ۙʹ࢖͍͚ͬͯͨͩΔαʔϏεͰ͋Γଓ͚ΔͨΊʹ
 ৴པΛಘͯ৘ใΛ༬͔Γɺ੹೚ΛՌͨ͢͜ͱ͕ॏཁ

  23. कΔ΂͖ΤϦΞ • શࣾࢹ఺ʹཱͬͨରࡦ͕ॏཁ • Ϣʔβ޲͚αʔϏε • ࣾ಺γεςϜ • ৘ใͷऔΓѻ͍ํͳͲϧʔϧ΍ӡ༻ •

    ͋ΒΏΔηΩϡϦςΟ՝୊ʹνʔϜͱͯ͠ରԠ

  24. ࣮ࡍͷରࡦ΍ӡ༻

  25. جຊతͳߟ͑ํ • ϧʔϧ΍ΦϖϨʔγϣϯͰͳٕ͘ज़΍࢓૊ΈͰकΔ • ૿Ճ͠ଓ͚ΔτϥϑΟοΫʹରԠͰ͖ͳ͍ • ਓؒ͸ඞͣϛεΛ͢Δ • Ϋϥ΢υͱͷ੹೚ڥքΛೝࣝɺ೚ͤΔͱ͜Ζ͸೚ͤΔ •

    ๷ޚ100%Ͱͳ͘ “Կ͕ى͖͔ͨΘ͔Δ” ঢ়ଶΛ໨ࢦ͢

  26. ๷ޚ100%Ͱ͸ͳ͍ཧ༝ • ʮ׬શͳ๷ޚʯ͸ଘࡏ͠ͳ͍ • ׬શʹ͚ۙͮΔ΄ͲίϯϑϦΫτ͕ى͖΍͍͢ • ๷ޚਫ਼౓Λ1%্͛Δίετ > ݕ஌ਫ਼౓Λ্͛Δίετ •

    ૯߹֨ಆٕͱͯ͠औΓ૊Ή

  27. ηΩϡϦςΟγεςϜͷઃܭํ਑ • ๷ޚ͢ΔͨΊͷ࢓૊Έ΍ϩΪϯάγεςϜ: ηϯαʔ • ηϯαʔ͔ΒσʔλΛूΊɺ؂ࢹɾ෼ੳ͢Δ ๷ޚ ݕ஌ ରԠ

  28. ηϯαʔ • AWS ͷηΩϡϦςΟαʔϏε • Amazon CloudTrail, Amazon GuardDuty, AWS

    WAF, etc • ηΩϡϦςΟ੡඼ • IDS, EDR, ίϯςφΠϝʔδεΩϟϯ, NGFW, etc • ͋ΒΏΔϩά • ΞΫηεϩά, OS ͷϩά, ΦϑΟεεΠʔτͷϩά, etc

  29. ௚໘͢Δ໰୊ • ऩू͢Δϩάͷྲྀྔ΍छྨ͕ଟ͗͢Δ • τϥϑΟοΫ΍औΓࠐΉγεςϜͷ૿Ճ • ίετ૿ʹ௚݁ • ࢢൢͷ SIEM

    ΍ SaaS ͷඅ༻͸ओʹετϨʔδʹ͔͔Δ • ͦͷͨΊʹϩάͷྔΛߜΔͷ͸ຊ຤స౗ • ෼ੳ࣌ʹ͸͡ΊͯϑΟϧλ͞ΕΔ΂͖

  30. OSS ͷྗΛआΓΔ • Graylog: ϩάϚωδϝϯτͷͨΊͷ OSS • ϩάͷશจݕࡧɺՄࢹԽɺΞϥʔςΟϯάͳͲ͕Մೳ • ਫฏεέʔϧ͢Δઃܭʹͳ͍ͬͯΔ

    • Elasticsearch ͕όοΫΤϯυ • Amazon Elasticsearch Service Ͱলྗӡ༻

  31. Graylog ͷల։ ϩά EC2 Instances Network Load Balancer Elasticsearch Service

    Graylog
 Instance Security Engineer ෼ੳ Application
 Load Balancer

  32. ΑΓͨ͘͞ΜͷϩάΛऔΓࠐΉͨΊʹ • ϩάͷૹΓઌ͕τϥϑΟοΫΛड͚͖Εͳ͘ͳΔ • όοΫΤϯυʹٻΊΒΕΔՄ༻ੑ΋ඇৗʹߴ͘ͳΔ • શͯͷϩά͸ Amazon S3 ʹҰ౓อଘ͔ͯ͠Βॲཧ

    • ߴՄ༻Ͱεέʔϧ͢Δ෼ࢄετϨʔδ • όοϑΝΛઃ͚Δ͜ͱͰߏ੒ΛॊೈʹͰ͖Δ • อଘͨ͠ϑΝΠϧΛ AWS Lambda Ͱલॲཧͯ͠ Graylog ΁֨ೲ

  33. ϩάอ࣋ظؒͷ໰୊ • ΦϯϥΠϯετϨʔδ͸௿ϨΠςϯγ, ߴίετ (Elasticsearch) • શͯͷϩάΛΦϯϥΠϯʹ͓ͯ͘͠ඞཁ͸ͳ͍ • Ұఆظؒܦͬͨϩά͸ Graylog

    ͔Β࡟আͯ͠ S3 ͷΈͰอ࣋ • ඞཁͳࡍ͸ Amazon Athena ͔ΒΫΤϦՄೳ • ௿ίετ͔ͭे෼ߴ଎ʹݕࡧɾ෼ੳͰ͖Δ

  34. εέʔϧ͢ΔΞʔΩςΫνϟ΁ EC2 Instances Office GuardDuty, CloudTrail, etc …. Kinesis
 Firehose

    Lambda Function S3 Bucket Athena Graylog ΁ EC2 Instances Lambda Function

  35. εέʔϧ͢ΔΞʔΩςΫνϟ΁ EC2 Instances Office GuardDuty, CloudTrail, etc …. Kinesis
 Firehose

    Lambda Function S3 Bucket Athena Graylog ΁ EC2 Instances Lambda Function ηϯαʔ ू໿ ஝ੵɾอ࣋ ؂ࢹɾ෼ੳ

  36. ϩάͷ෼ੳɾݕ஌ • ݕ஌γεςϜΛ AWS Lambda Λ࢖࣮ͬͯ૷ • ࣗಈԽ, লྗԽͷ࣮ݱ •

    ίʔυهड़ͰಘΒΕΔॊೈੑɺอकੑͷ޲্ɺଐਓੑͷഉআ • ૿Ճ͠ଓ͚Δϩάʹର͢ΔεέʔϥϏϦςΟΛಘΔ

  37. https://speakerdeck.com/mizutani/techconf2019-mizutani

  38. ໰୊ʹରͯ͠ • ऩू͢Δϩάͷྲྀྔ΍छྨ͕ଟ͗͢Δ • εέʔϧՄೳͳΞʔΩςΫνϟʹΑͬͯड͚ࢭΊΒΕΔΑ͏ʹ • ίετ૿ʹ௚݁ • ΑΓ҆ՁͳετϨʔδΛ࢖͑ΔΞʔΩςΫνϟͷ࠾༻ •

    ࣗಈԽɺϚωʔδυαʔϏεར༻Ͱӡ༻΋লྗԽ

  39. ݱࡏͷঢ়گ • ࣾ಺֎ͷ༷ʑͳγεςϜͷϩάΛऩूɺ෼ੳ • Ұ೔͋ͨΓ 140GB Ҏ্ͷϩάΛॲཧ • Ұൠతͳϩά؅ཧ੡඼ͱൺֱͯ͠ 1/4

    ҎԼͷίετ • 2໊Ͱӡ༻

  40. Security by builders:
 ͜Ε͔ΒͷϢʔβاۀͷηΩϡϦςΟ

  41. ʮηΩϡϦςΟରࡦʯ͸౰ͨΓલʹͳͬͨ • ߈ܸ͸ΑΓ༰қʹɺΑΓ೔ৗతʹ • ͲΜͳαΠζͷ૊৫΋ηΩϡϦςΟΛؾʹ͍ͯ͠Δ • ηΩϡϦςΟͷͨΊͷ੡඼΍αʔϏε͸૿Ճ͠ଓ͚͍ͯΔ

  42. ʮങͬͯઃஔʯ͚ͩͰ͸ෆे෼ • ର৅ʹ߹Θͤͨߴ౓ͳ߈ܸ • e.g.) Web ΞϓϦέʔγϣϯʹର͢Δ߈ܸ, ඪతܕ߈ܸ • ʮίϯςΩετʯͷ࣮૷͸౰ࣄऀʹ͔͠Ͱ͖ͳ͍

    • ըҰతͳ๷ޚ͚ͩͰͳ͘γεςϜ΍؀ڥʹ߹Θͤͨݕ஌ɾରԠ • e.g.) ΞϓϦέʔγϣϯϩάͷ෼ੳ, ࣾ಺γεςϜͱͷ࿈ܞ

  43. σʔλऩूͱݕ஌ • ࿈ܞͷ伴͸σʔλ (ϩά, Ξϥʔτ, etc) • ηΩϡϦςΟ੡඼͚ͩͰͳ͍σʔλͷऩूͱ෼ੳ͕ඞཁ͕ͩ… • ӡ༻ʹਓख΋ۚમίετ΋͔͔Δ

    • τϥϑΟοΫ૿ՃʹΑΓ͞Βʹ૿େ • ӡ༻ऀʹ΋࢖͍΍͘͢εέʔϧ͢Δ࢓૊Έͮ͘Γ͕ෆՄܽ

  44. Ϋϥ΢υͰηΩϡϦςΟΛʮͭ͘Δʯ • αʔϏε΍૊৫ͷίϯςΩετΛηΩϡϦςΟγεςϜʹؚΊΔ • ϚωʔδυαʔϏεΛར༻ͭͭ͠औΓ૊Ή΂͖ՕॴʹऔΓ૊Ή • AWS Λ࢖ͬͨηΩϡϦςΟͷՄೳੑ • εέʔϥϒϧͳσʔλॲཧج൫

    (S3, Athena, Kinesis, EMR, Redshift..) • ҟৗݕ஌ͷ࣮૷ (SageMaker, Forecast) • ࣮ੈքͷηΩϡϦςΟ (IoT, Kinesis Video Streams, Rekognition)

  45. Ͳ͏ͭ͘Δ͔: ʮࢭΊΔʯ͚ͩͰ͸଍Γͳ͍ • ʮ׬શͳ๷ޚʯʹۙͮ͘΄ͲίϯϑϦΫτ͕ى͖Δ • ΞϓϦέʔγϣϯͷػೳ΍Ϗδωεͦͷ΋ͷͱিಥ͢Δ • ʮ๷ޚʯ͚ͩͰ͸कΓ͖Δ͜ͱ͕Ͱ͖ͳ͍ • Ϗδωεͷ଎౓Λอͪͳ͕ΒʮकΔʯʹ͸Ͳ͏͢Ε͹ྑ͍ʁ

    • ʮͭ͘ΔਓʯΛ્֐͠ͳ͍࢓૊Έʹ͢Δඞཁ͕͋Δ

  46. ʮήʔτΩʔύʔʯ͔ΒʮΨʔυϨʔϧʯ΁ • ʮͭ͘ΔਓʯΛޙԡ͢͠ΔηΩϡϦςΟ • ͱΓ͋͑ͣࢭΊΔͷͰ͸ͳ͘Կ͔͋ͬͨͱ͖ʹकͬͯ͘ΕΔ • ϩάج൫͸ͦͷ࢓૊ΈͷҰͭ

  47. ΨʔυϨʔϧͷྫ • ϝΠϯ؀ڥͱಉ౳ͷηΩϡϦςΟϨϕϧΛ֬อ͠ͳ͕Β
 ࣗ༝ʹ࢖͑Δ AWS ΞΧ΢ϯτΛ։์ • ։ൃऀ޲͚ΞΧ΢ϯτ (ࣗ༝ʹར༻Ͱ͖ΔΞΧ΢ϯτ) •

    ةݥͳ API ΛࢭΊΔ, ؂ࢹ (IAM, CloudTrail), ةݥͳઃఆΛ௨஌ (Config) • νʔϜ͝ͱͷΞΧ΢ϯτ (ಛʹࣗ༝ͳ؀ڥ͕ඞཁͳ৔߹) • ηοτΞοϓ࣌ʹ CloudTrail, GuardDuty, Config ͳͲΛల։ • ؂ࢹ͸ϩάج൫ʹू໿ͯ͠ߦ͏

  48. ʮͭ͘Δྗʯ͕ॏཁ • ੈքͷηΩϡϦςΟνʔϜ΋औΓ૊Έ࢝Ί͍ͯΔ • “Builder” ͱͯ͠ͷྗ • ࢖͏ٕज़Λબͼɺઃܭ͠ɺίʔυΛॻ͖ɺ૊৫΍ϓϩηεʹ
 ηΩϡϦςΟΛ૊ΈࠐΉ •

    ʮͭ͘ΔʯͨΊͷෑډ͸Լ͕Γଓ͚͍ͯΔ • ίϯϙʔωϯτͱͯ͠࢖͑ΔαʔϏε͸೔ʑ૿͍͑ͯΔ

  49. https://unsplash.com/photos/1eFgYRwYctg

  50. ϏδωεΛՃ଎Ͱ͖ΔηΩϡϦςΟ΁ • ͪΌΜͱػೳ͢ΔʮΨʔυϨʔϧʯͷԼͰ • ҆৺ͯ͠શ଎ྗΛग़ͤΔ؀ڥͮ͘Γ

  51. Security for builders, by builders

  52. We’re hiring • ʮຖ೔ͷྉཧΛָ͠Έʹ͢ΔʯͨΊͷηΩϡϦςΟΛ
 Ұॹʹͭ͘Γ·ͤΜ͔ʁ https://cookpad.jobs/

  53. Fin.