Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Security by builders - セキュリティ監視をクラウドで「つくる」 / Se...
Search
Hokuto Hoshi
September 25, 2019
Technology
7
2.6k
Security by builders - セキュリティ監視をクラウドで「つくる」 / Security by builders
Hokuto Hoshi
September 25, 2019
Tweet
Share
More Decks by Hokuto Hoshi
See All by Hokuto Hoshi
Connecting organisation with Technology
kanny
0
170
Why Slack - 5 years of Cookpad with Slack
kanny
0
62
セキュリティ担当者から見た re:Invent と AWS Security Hub / Impression of re:Invent and AWS Security Hub
kanny
2
4.2k
自由でセキュアな環境のつくりかた / Building free and secure cloud environment
kanny
1
4.8k
事例でわかる、AWS 運用を支える サポート活用方法と エンタープライズサポートという選択 / AWS Enterprise Support and Cookpad
kanny
2
2.4k
AWS で加速する機械学習 / Accelerate Machine Learning with AWS
kanny
1
990
クックパッドのログをいい感じにしているアーキテクチャ / Logging architecture at Cookpad
kanny
23
15k
クックパッドの機械学習を支える基盤のつくりかた / Machine Learning ops at Cookpad
kanny
4
8.7k
cookpad.com 全 HTTPS 化の軌跡
kanny
30
22k
Other Decks in Technology
See All in Technology
プロダクト活用度で見えた真実 ホリゾンタルSaaSでの顧客解像度の高め方
tadaken3
0
180
SREが投資するAIOps ~ペアーズにおけるLLM for Developerへの取り組み~
takumiogawa
1
430
TypeScriptの次なる大進化なるか!? 条件型を返り値とする関数の型推論
uhyo
2
1.7k
初心者向けAWS Securityの勉強会mini Security-JAWSを9ヶ月ぐらい実施してきての近況
cmusudakeisuke
0
130
Introduction to Works of ML Engineer in LY Corporation
lycorp_recruit_jp
0
140
OCI Network Firewall 概要
oracle4engineer
PRO
0
4.2k
Exadata Database Service on Dedicated Infrastructure(ExaDB-D) UI スクリーン・キャプチャ集
oracle4engineer
PRO
2
3.2k
rootlessコンテナのすゝめ - 研究室サーバーでもできる安全なコンテナ管理
kitsuya0828
3
390
Security-JAWS【第35回】勉強会クラウドにおけるマルウェアやコンテンツ改ざんへの対策
4su_para
0
180
The Role of Developer Relations in AI Product Success.
giftojabu1
0
140
SRE×AIOpsを始めよう!GuardDutyによるお手軽脅威検出
amixedcolor
0
170
SSMRunbook作成の勘所_20241120
koichiotomo
3
160
Featured
See All Featured
What's in a price? How to price your products and services
michaelherold
243
12k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
48k
4 Signs Your Business is Dying
shpigford
180
21k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
356
29k
The Language of Interfaces
destraynor
154
24k
Building Adaptive Systems
keathley
38
2.3k
Testing 201, or: Great Expectations
jmmastey
38
7.1k
Building Flexible Design Systems
yeseniaperezcruz
327
38k
Navigating Team Friction
lara
183
14k
Fontdeck: Realign not Redesign
paulrobertlloyd
82
5.2k
VelocityConf: Rendering Performance Case Studies
addyosmani
325
24k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
28
2k
Transcript
Security by builders ηΩϡϦςΟࢹΛΫϥυͰʮͭ͘Δʯ Hokuto Hoshi VP of Technology, Cookpad
Inc.
[email protected]
ే (΄͠ ΄͘ͱ) / @kani_b • ΫοΫύουגࣜձࣾ VP of
Technology ࠪҕһձ ࠪิॿऀ • શࣾԣஅͰͷใηΩϡϦςΟϦʔυ͍ͬͯ·͢ • Site Reliability & Security Engineer • AWS ೝఆ SA, DevOps ΤϯδχΞ (Professional) • 2013৽ଔೖࣾ, AWS ར༻ྺ9͘Β͍
None
None
None
None
None
None
None
None
None
None
None
None
None
None
ΫοΫύουͱ AWS • 2011ʹશҠߦ • 2ͭͷϦʔδϣϯΛओʹར༻ • 400 Ҏ্ͷ ECS
αʔϏε͕ EC2 Spot Πϯελϯε্ͰՔಇ • શͯͷϢʔβ͚αʔϏε͜͜Ͱಈ͍͍ͯΔ
ΫοΫύουͱΫϥυ • ࣾγεςϜ΄΅શ͕ͯ AWS ্·ͨ SaaS ͱͯ͠Քಇ • ࣗલӡ༻ΛۃྗݮΒ͢ߏ •
ΦϑΟεʹ͋ΔͷωοτϫʔΫػثͷΈ
ΫοΫύουʹ͓͚Δ ใηΩϡϦςΟͷҙຯ
Α͘ฉ͔ΕΔ͜ͱ • ʮϨγϐαʔϏεʹใηΩϡϦςΟ͕ඞཁͳΜͰ͔͢ʁʯ
Α͘ฉ͔ΕΔ͜ͱ • ʮϨγϐαʔϏεʹใηΩϡϦςΟ͕ඞཁͳΜͰ͔͢ʁʯ • A. ඞཁ͔ͭෆՄܽͰ͢
ʮຖͷྉཧʯͱใηΩϡϦςΟ • Ϩγϐσʔλɺࣸਅɺίϝϯτɺϩάɺ༷ʑͳσʔλ • ৯ࣄਓؒͷੜ׆ͱີʹඥͮ͘ • μΠΤοτಛఆͷපؾͳͲϓϥΠόγʹؔΘΔใ • ΑΓۙʹ͍͚ͬͯͨͩΔαʔϏεͰ͋Γଓ͚ΔͨΊʹ ৴པΛಘͯใΛ༬͔ΓɺΛՌͨ͢͜ͱ͕ॏཁ
कΔ͖ΤϦΞ • શࣾࢹʹཱͬͨରࡦ͕ॏཁ • Ϣʔβ͚αʔϏε • ࣾγεςϜ • ใͷऔΓѻ͍ํͳͲϧʔϧӡ༻ •
͋ΒΏΔηΩϡϦςΟ՝ʹνʔϜͱͯ͠ରԠ
࣮ࡍͷରࡦӡ༻
جຊతͳߟ͑ํ • ϧʔϧΦϖϨʔγϣϯͰͳٕ͘ज़ΈͰकΔ • ૿Ճ͠ଓ͚ΔτϥϑΟοΫʹରԠͰ͖ͳ͍ • ਓؒඞͣϛεΛ͢Δ • ΫϥυͱͷڥքΛೝࣝɺͤΔͱ͜ΖͤΔ •
ޚ100%Ͱͳ͘ “Կ͕ى͖͔ͨΘ͔Δ” ঢ়ଶΛࢦ͢
ޚ100%Ͱͳ͍ཧ༝ • ʮશͳޚʯଘࡏ͠ͳ͍ • શʹ͚ۙͮΔ΄ͲίϯϑϦΫτ͕ى͖͍͢ • ޚਫ਼Λ1%্͛Δίετ > ݕਫ਼Λ্͛Δίετ •
૯߹֨ಆٕͱͯ͠औΓΉ
ηΩϡϦςΟγεςϜͷઃܭํ • ޚ͢ΔͨΊͷΈϩΪϯάγεςϜ: ηϯαʔ • ηϯαʔ͔ΒσʔλΛूΊɺࢹɾੳ͢Δ ޚ ݕ ରԠ
ηϯαʔ • AWS ͷηΩϡϦςΟαʔϏε • Amazon CloudTrail, Amazon GuardDuty, AWS
WAF, etc • ηΩϡϦςΟ • IDS, EDR, ίϯςφΠϝʔδεΩϟϯ, NGFW, etc • ͋ΒΏΔϩά • ΞΫηεϩά, OS ͷϩά, ΦϑΟεεΠʔτͷϩά, etc
໘͢Δ • ऩू͢Δϩάͷྲྀྔछྨ͕ଟ͗͢Δ • τϥϑΟοΫऔΓࠐΉγεςϜͷ૿Ճ • ίετ૿ʹ݁ • ࢢൢͷ SIEM
SaaS ͷඅ༻ओʹετϨʔδʹ͔͔Δ • ͦͷͨΊʹϩάͷྔΛߜΔͷຊస • ੳ࣌ʹ͡ΊͯϑΟϧλ͞ΕΔ͖
OSS ͷྗΛआΓΔ • Graylog: ϩάϚωδϝϯτͷͨΊͷ OSS • ϩάͷશจݕࡧɺՄࢹԽɺΞϥʔςΟϯάͳͲ͕Մೳ • ਫฏεέʔϧ͢Δઃܭʹͳ͍ͬͯΔ
• Elasticsearch ͕όοΫΤϯυ • Amazon Elasticsearch Service Ͱলྗӡ༻
Graylog ͷల։ ϩά EC2 Instances Network Load Balancer Elasticsearch Service
Graylog Instance Security Engineer ੳ Application Load Balancer
ΑΓͨ͘͞ΜͷϩάΛऔΓࠐΉͨΊʹ • ϩάͷૹΓઌ͕τϥϑΟοΫΛड͚͖Εͳ͘ͳΔ • όοΫΤϯυʹٻΊΒΕΔՄ༻ੑඇৗʹߴ͘ͳΔ • શͯͷϩά Amazon S3 ʹҰอଘ͔ͯ͠Βॲཧ
• ߴՄ༻Ͱεέʔϧ͢ΔࢄετϨʔδ • όοϑΝΛઃ͚Δ͜ͱͰߏΛॊೈʹͰ͖Δ • อଘͨ͠ϑΝΠϧΛ AWS Lambda Ͱલॲཧͯ͠ Graylog ֨ೲ
ϩάอ࣋ظؒͷ • ΦϯϥΠϯετϨʔδϨΠςϯγ, ߴίετ (Elasticsearch) • શͯͷϩάΛΦϯϥΠϯʹ͓ͯ͘͠ඞཁͳ͍ • Ұఆظؒܦͬͨϩά Graylog
͔Βআͯ͠ S3 ͷΈͰอ࣋ • ඞཁͳࡍ Amazon Athena ͔ΒΫΤϦՄೳ • ίετ͔ͭेߴʹݕࡧɾੳͰ͖Δ
εέʔϧ͢ΔΞʔΩςΫνϟ EC2 Instances Office GuardDuty, CloudTrail, etc …. Kinesis Firehose
Lambda Function S3 Bucket Athena Graylog EC2 Instances Lambda Function
εέʔϧ͢ΔΞʔΩςΫνϟ EC2 Instances Office GuardDuty, CloudTrail, etc …. Kinesis Firehose
Lambda Function S3 Bucket Athena Graylog EC2 Instances Lambda Function ηϯαʔ ू ੵɾอ࣋ ࢹɾੳ
ϩάͷੳɾݕ • ݕγεςϜΛ AWS Lambda Λ࣮ͬͯ • ࣗಈԽ, লྗԽͷ࣮ݱ •
ίʔυهड़ͰಘΒΕΔॊೈੑɺอकੑͷ্ɺଐਓੑͷഉআ • ૿Ճ͠ଓ͚Δϩάʹର͢ΔεέʔϥϏϦςΟΛಘΔ
https://speakerdeck.com/mizutani/techconf2019-mizutani
ʹରͯ͠ • ऩू͢Δϩάͷྲྀྔछྨ͕ଟ͗͢Δ • εέʔϧՄೳͳΞʔΩςΫνϟʹΑͬͯड͚ࢭΊΒΕΔΑ͏ʹ • ίετ૿ʹ݁ • ΑΓ҆ՁͳετϨʔδΛ͑ΔΞʔΩςΫνϟͷ࠾༻ •
ࣗಈԽɺϚωʔδυαʔϏεར༻Ͱӡ༻লྗԽ
ݱࡏͷঢ়گ • ࣾ֎ͷ༷ʑͳγεςϜͷϩάΛऩूɺੳ • Ұ͋ͨΓ 140GB Ҏ্ͷϩάΛॲཧ • Ұൠతͳϩάཧͱൺֱͯ͠ 1/4
ҎԼͷίετ • 2໊Ͱӡ༻
Security by builders: ͜Ε͔ΒͷϢʔβاۀͷηΩϡϦςΟ
ʮηΩϡϦςΟରࡦʯͨΓલʹͳͬͨ • ߈ܸΑΓ༰қʹɺΑΓৗతʹ • ͲΜͳαΠζͷ৫ηΩϡϦςΟΛؾʹ͍ͯ͠Δ • ηΩϡϦςΟͷͨΊͷαʔϏε૿Ճ͠ଓ͚͍ͯΔ
ʮങͬͯઃஔʯ͚ͩͰෆे • ରʹ߹Θͤͨߴͳ߈ܸ • e.g.) Web ΞϓϦέʔγϣϯʹର͢Δ߈ܸ, ඪతܕ߈ܸ • ʮίϯςΩετʯͷ࣮ࣄऀʹ͔͠Ͱ͖ͳ͍
• ըҰతͳޚ͚ͩͰͳ͘γεςϜڥʹ߹ΘͤͨݕɾରԠ • e.g.) ΞϓϦέʔγϣϯϩάͷੳ, ࣾγεςϜͱͷ࿈ܞ
σʔλऩूͱݕ • ࿈ܞͷ伴σʔλ (ϩά, Ξϥʔτ, etc) • ηΩϡϦςΟ͚ͩͰͳ͍σʔλͷऩूͱੳ͕ඞཁ͕ͩ… • ӡ༻ʹਓखۚમίετ͔͔Δ
• τϥϑΟοΫ૿ՃʹΑΓ͞Βʹ૿େ • ӡ༻ऀʹ͍͘͢εέʔϧ͢ΔΈͮ͘Γ͕ෆՄܽ
ΫϥυͰηΩϡϦςΟΛʮͭ͘Δʯ • αʔϏε৫ͷίϯςΩετΛηΩϡϦςΟγεςϜʹؚΊΔ • ϚωʔδυαʔϏεΛར༻ͭͭ͠औΓΉ͖ՕॴʹऔΓΉ • AWS ΛͬͨηΩϡϦςΟͷՄೳੑ • εέʔϥϒϧͳσʔλॲཧج൫
(S3, Athena, Kinesis, EMR, Redshift..) • ҟৗݕͷ࣮ (SageMaker, Forecast) • ࣮ੈքͷηΩϡϦςΟ (IoT, Kinesis Video Streams, Rekognition)
Ͳ͏ͭ͘Δ͔: ʮࢭΊΔʯ͚ͩͰΓͳ͍ • ʮશͳޚʯʹۙͮ͘΄ͲίϯϑϦΫτ͕ى͖Δ • ΞϓϦέʔγϣϯͷػೳϏδωεͦͷͷͱিಥ͢Δ • ʮޚʯ͚ͩͰकΓ͖Δ͜ͱ͕Ͱ͖ͳ͍ • ϏδωεͷΛอͪͳ͕ΒʮकΔʯʹͲ͏͢Εྑ͍ʁ
• ʮͭ͘ΔਓʯΛ્͠ͳ͍Έʹ͢Δඞཁ͕͋Δ
ʮήʔτΩʔύʔʯ͔ΒʮΨʔυϨʔϧʯ • ʮͭ͘ΔਓʯΛޙԡ͢͠ΔηΩϡϦςΟ • ͱΓ͋͑ͣࢭΊΔͷͰͳ͘Կ͔͋ͬͨͱ͖ʹकͬͯ͘ΕΔ • ϩάج൫ͦͷΈͷҰͭ
ΨʔυϨʔϧͷྫ • ϝΠϯڥͱಉͷηΩϡϦςΟϨϕϧΛ֬อ͠ͳ͕Β ࣗ༝ʹ͑Δ AWS ΞΧϯτΛ։์ • ։ൃऀ͚ΞΧϯτ (ࣗ༝ʹར༻Ͱ͖ΔΞΧϯτ) •
ةݥͳ API ΛࢭΊΔ, ࢹ (IAM, CloudTrail), ةݥͳઃఆΛ௨ (Config) • νʔϜ͝ͱͷΞΧϯτ (ಛʹࣗ༝ͳڥ͕ඞཁͳ߹) • ηοτΞοϓ࣌ʹ CloudTrail, GuardDuty, Config ͳͲΛల։ • ࢹϩάج൫ʹूͯ͠ߦ͏
ʮͭ͘Δྗʯ͕ॏཁ • ੈքͷηΩϡϦςΟνʔϜऔΓΈ࢝Ί͍ͯΔ • “Builder” ͱͯ͠ͷྗ • ͏ٕज़Λબͼɺઃܭ͠ɺίʔυΛॻ͖ɺ৫ϓϩηεʹ ηΩϡϦςΟΛΈࠐΉ •
ʮͭ͘ΔʯͨΊͷෑډԼ͕Γଓ͚͍ͯΔ • ίϯϙʔωϯτͱͯ͑͠ΔαʔϏεʑ૿͍͑ͯΔ
https://unsplash.com/photos/1eFgYRwYctg
ϏδωεΛՃͰ͖ΔηΩϡϦςΟ • ͪΌΜͱػೳ͢ΔʮΨʔυϨʔϧʯͷԼͰ • ҆৺ͯ͠શྗΛग़ͤΔڥͮ͘Γ
Security for builders, by builders
We’re hiring • ʮຖͷྉཧΛָ͠Έʹ͢ΔʯͨΊͷηΩϡϦςΟΛ Ұॹʹͭ͘Γ·ͤΜ͔ʁ https://cookpad.jobs/
Fin.