
Introduction to Continuous Vulnerability Detection and Patch Management Methods

takuya542
December 22, 2017


Transcript

1. Copyright © 2009-2017 eureka, inc. All rights reserved. Takuya Onda / eureka, Inc. 2017-12-21
   Eureka x Retty x C Channel: Approach for Vulnerability Detection and Progressive Change Management

2. Agenda
   ▪ 1. Security overview and problems
   ▪ 2. Continuous vulnerability detection
   ▪ 3. Continuous change management
   ▪ 4. Access control and developer efficiency

3. Security Problems
   ▪ Vulnerability management
     – Detection / reporting
   ▪ Change management
     – Procedure to roll out a new patch to production
   ▪ Access control management
     – SSH / DB / monitoring

4. 1: Automated Detection, Prevention & Reporting
   ▪ External attacks
     – DDoS / penetration / injection
   ▪ Internal vulnerabilities
     – Network / middleware / application

5. Solution: Standing on the Shoulders of Giants
   ▪ Akamai WAF
     – Risk grouping / reputation control
     – Automated detection / prevention
   ▪ AWS Inspector
     – Host-based security scanner by AWS
     – Scheduled execution and reporting via Lambda

6. 2: Easy & Safe Process for Patching
   ▪ Unified patching process
     – No manual modification
   ▪ Frequent changes by replacing, not updating
     – Progressive rollout by replacing instances
     – Much easier to test

7. Solution: Patched Image & Blue/Green Rollout
   ▪ Patched golden image built by Packer x Ansible
     – Same roles & steps for staging / production
   ▪ ASG on ELB + CodeDeploy, managed by Terraform
     – Roll out a new AMI by creating a new ASG and replacing the old one
     – Treat instances as disposable
     – Fully codified infrastructure

8. 3: Compatibility between Access Control & Developer Efficiency
   ▪ No SSH
     – Eliminate the reasons developers need direct access
   ▪ Resolve complicated procedures into simple ones
     – Want to provide developers with all information about production

9. Solution: Log Consolidation for a No-SSH World
   ▪ Definition of deployment completion
     – Developers just need to know whether their deploy really succeeded
   ▪ Log consolidation via Stackdriver / Cloud Pub/Sub
     – Visualize all application logs and set regex-based error alerts
     – Also used for audit log consolidation

10. Summary
   ▪ Security overview and problems
     – Categorized into 3 major problems
   ▪ Continuous vulnerability detection
     – Akamai WAF / AWS Inspector
   ▪ Continuous change management
     – Packer x Ansible x Terraform for progressive patch rollout
   ▪ Access control and developer efficiency
     – Stackdriver for log consolidation
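The rollout pattern from slide 7 (new AMI in, new ASG created, old ASG replaced) expressed as a Terraform configuration. This is an added illustration, not the speaker's or eureka's own code; the AMI ID, instance type, subnet IDs and target group are assumed inputs. The `create_before_destroy` lifecycle on both resources plus `min_elb_capacity` with ELB health checks is what guarantees the patched fleet is healthy and serving behind the load balancer before the old, unpatched instances are destroyed.

```hcl
# Assumed inputs: the patched golden AMI (built by Packer x Ansible) and network wiring.
variable "ami_id"     { type = string }        # e.g. output of a Packer build
variable "subnet_ids" { type = list(string) }
variable "tg_arn"     { type = string }        # ELB/ALB target group the ASG registers with

# Launch configuration keyed to the AMI: a new AMI means a new LC name,
# so Terraform creates the replacement before removing the old one.
resource "aws_launch_configuration" "app" {
  name_prefix   = "app-"
  image_id      = var.ami_id
  instance_type = "t3.small"

  lifecycle {
    create_before_destroy = true
  }
}

# The ASG name embeds the LC name, so every AMI change forces a NEW ASG
# (blue/green) rather than an in-place update of the existing fleet.
resource "aws_autoscaling_group" "app" {
  name                 = "app-${aws_launch_configuration.app.name}"
  launch_configuration = aws_launch_configuration.app.name
  vpc_zone_identifier  = var.subnet_ids
  target_group_arns    = [var.tg_arn]

  min_size         = 2
  max_size         = 4
  desired_capacity = 2

  # Gate the cutover on the load balancer's view of health, not just EC2 status:
  # Terraform waits until at least min_elb_capacity instances of the new ASG are
  # InService before it destroys the old ASG (wait_for_capacity_timeout bounds the wait).
  health_check_type         = "ELB"
  health_check_grace_period = 120
  min_elb_capacity          = 2
  wait_for_capacity_timeout = "10m"

  lifecycle {
    create_before_destroy = true
  }

  tag {
    key                 = "ami_id"
    value               = var.ami_id   # makes the running patch level visible per instance
    propagate_at_launch = true
  }
}
```

If the new instances never pass the ELB health check within the timeout, the apply fails and the old ASG keeps serving, so a broken patch image cannot take the service down.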