Continuous Compliance via Data and Code
ERKANG ZHENG
Founder, JupiterOne | CISO, LifeOmic
November 2019
© 2019 JupiterOne
Where we started (program lifecycle diagram)
START: Pick assessor -> Perform gap assessment -> Implement remediation -> Collect evidences -> Assess and certify -> REPEAT: Monitor, Manage, Optimize
Groundwork already done:
• Documented data flows
• Conducted risk analysis
• Wrote policies and procedures
• Created infrastructure and security architecture diagrams
Implemented 100+ controls, including:
• Endpoint malware protection
• Server vulnerability scanning
• Production change management
• SSO + MFA
• Application code scanning + pen testing
• User training
• Configuration audit
• Endpoint compliance agents
• Vendor risk management
• Firewalls and security groups
• Data encryption
• WAF + DDoS protection
• Asset inventory and tagging
• Activity and log monitoring
Stakeholders in the diagram: security (SEC), compliance (COMP) and the auditor, all looking at "Our Security Program" and its compliance targets: HIPAA, SOC 2, FDA, FedRAMP, ...
Now what?
How? Is 100% visibility possible?
“I don’t need more controls. I need to be able to effectively and efficiently manage and prove what I have.”
“I need full visibility so that I can make decisions faster, with confidence.”
Steps to continuous compliance via code
1. Define the compliance framework in JSON
2. Write policies and procedures in Markdown
3. Aggregate data from everywhere (infrastructure, controls, endpoints, users, training, code, etc.) into a single source of truth
4. Write queries to generate evidence from the data
5. Map policies and evidence to compliance requirements
Step 1: Define the Compliance Framework in JSON (HIPAA example with sections and requirements)

{
  "standard": "HIPAA",
  "version": "2013",
  "webLink": "https://www.hhs.gov/hipaa/for-professionals/index.html",
  "sections": [
    {
      "title": "Administrative Safeguards",
      "requirements": [
        {
          "ref": "164.308(a)(1)(i)",
          "title": "Security management process",
          "summary": "Implement policies and procedures to prevent, detect, contain and correct security violations."
        },
        {
          "ref": "164.308(a)(1)(ii)(A)",
          "title": "Risk analysis",
          "summary": "Conduct an accurate and thorough assessment of the potential ......"
        },
        ...
      ]
    },
    { ... }
  ]
}
Step 1: Define the Compliance Framework in JSON (SOC 2 example with domains and controls)

{
  "standard": "SOC 2 Security",
  "version": "AICPA 2017",
  "webLink": "https://www.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/trust-services-criteria.pdf",
  "domains": [
    {
      "title": "Control Environment",
      "controls": [
        {
          "ref": "CC1.1",
          "title": "COSO Principle 1",
          "summary": "The entity demonstrates a commitment to integrity and ethical values."
        },
        {
          "ref": "CC1.1 (a)",
          "summary": "A code of conduct/employee manual are in place and approved by top management"
        },
        ...
      ]
    },
    { ... }
  ]
}
Step 2: Write Security Policy and Procedure Docs in Markdown
• Written in Markdown
• Small, individual files – “micro-docs” like micro-services
• Linked together via config.json
• Document reviews and approvals via PRs
• Templatized and published in HTML

config.json (one policy entry; each listed procedure id refers to its own procedure doc):

{
  "id": "rar",
  "file": "policies/rar.md",
  "name": "Roles, Responsibilities and Training",
  "adopted": true,
  "procedures": [
    "cp-role-assignment",
    "cp-training-policy",
    "cp-training-awareness",
    "cp-training-hipaa",
    "cp-internal-comms"
  ]
},
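Because config.json is the only thing that ties the micro-docs together, a broken link there (a policy naming a procedure that was never written, or a procedure nobody links to) silently drops a control from the published site and from every mapping built on top of it. The following linter is an added example, not code from the slides or from JupiterOne; the top-level "policies" and "procedures" arrays and the "file" field on procedures are assumptions about the config layout, and the config text is constructed.

```python
"""Lint a policy config.json so every policy/procedure link resolves.

Added example (not from the slides). Assumed layout: top-level "policies"
and "procedures" arrays, each entry with an "id" and a Markdown "file";
policies list the procedure ids they adopt.
"""
import json

# Constructed config excerpt: one dangling reference and one orphan procedure.
CONFIG_JSON = """
{
  "policies": [
    {"id": "rar", "file": "policies/rar.md",
     "name": "Roles, Responsibilities and Training", "adopted": true,
     "procedures": ["cp-role-assignment", "cp-training-policy", "cp-training-hipaa"]},
    {"id": "access", "file": "policies/access.md",
     "name": "Access Control", "adopted": true,
     "procedures": ["cp-access-phi", "cp-access-review"]}
  ],
  "procedures": [
    {"id": "cp-role-assignment", "file": "procedures/cp-role-assignment.md"},
    {"id": "cp-training-policy", "file": "procedures/cp-training-policy.md"},
    {"id": "cp-training-hipaa", "file": "procedures/cp-training-hipaa.md"},
    {"id": "cp-access-phi", "file": "procedures/cp-access-phi.md"},
    {"id": "cp-orphan", "file": "procedures/cp-orphan.md"}
  ]
}
"""


def lint_config(config):
    """Return a list of human-readable problems; an empty list means the config links cleanly."""
    problems = []
    procedure_ids = [p["id"] for p in config.get("procedures", [])]
    policy_ids = [p["id"] for p in config.get("policies", [])]

    # Duplicate ids would make "implements"/"controls" mappings ambiguous.
    for ids, kind in ((procedure_ids, "procedure"), (policy_ids, "policy")):
        seen = set()
        for ident in ids:
            if ident in seen:
                problems.append(f"duplicate {kind} id: {ident}")
            seen.add(ident)

    defined = set(procedure_ids)
    referenced = set()
    for policy in config.get("policies", []):
        if not policy.get("file", "").endswith(".md"):
            problems.append(f"policy {policy['id']} file is not Markdown: {policy.get('file')}")
        for pid in policy.get("procedures", []):
            referenced.add(pid)
            if pid not in defined:
                problems.append(f"policy {policy['id']} references undefined procedure: {pid}")

    # A procedure no policy adopts never reaches the published site.
    for pid in sorted(defined - referenced):
        problems.append(f"procedure {pid} is not linked from any policy")
    return problems


def lint_config_text(text):
    """Convenience wrapper: parse JSON text, then lint it."""
    return lint_config(json.loads(text))


if __name__ == "__main__":
    for problem in lint_config_text(CONFIG_JSON):
        print(problem)
```

Run it as a pre-merge check in the PR that changes the policy repo, so a review approves a set of docs that actually link to each other.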
Step 2: Publish to HTML (the same policy and procedure docs rendered as a policies HTML site)
Step 3: Build a single source of truth
Aggregate data from:
• Cloud Service Providers (AWS, Azure, GCP)
• Identity Providers (Okta, Azure AD / O365, G Suite)
• Code Repos (GitHub, Bitbucket)
• Issues and Ticketing (Jira)
• User Awareness Training (KnowBe4)
• Endpoint Agents (Carbon Black, Stethoscope)
• Vulnerability Scanners (Inspector, Nessus)
• Code Scanners (Snyk, Veracode)
• Network Alert Findings (GuardDuty)
• Pen Tests, Bug Bounty (HackerOne)
• Risk Assessments (Manual)
• Vendors (SAML SSO Apps, Manual)
(Diagram: all of the sources above feeding one DATA store; "Aggregate Data".)

Step 3: Data Model (diagram slide)
Step 4: Ask questions and get answers by data queries (Query Data)

What is the inventory of my sensitive data stores?
  - query: |
      Find DataStore with
        classification=('sensitive' or 'confidential' or 'critical')

Are my end-user workstations protected by a host-based firewall?
  - query: |
      Find HostAgent with firewall='ON' as agent
        that (PROTECTS|MONITORS|MANAGES)
        (user_endpoint|workstation|laptop|desktop|computer) as device
      return
        device.displayName, device.owner, agent.firewall

What security assessments have been done in the past year, and who performed them?
  - query: |
      Find (Person | Organization | Vendor) as assessor
        that performed Assessment with
          createdOn > date.now-1yr or updatedOn > date.now-1yr as assessment
      return
        assessor.name, assessment._type, assessment.name,
        assessment.summary, assessment.reportURL
Step 4: Use queries to perform gap analysis (Query Gaps)

What is the inventory of my sensitive data stores?
  - name: good
    query: |
      Find DataStore with
        classification=('sensitive' or 'confidential' or 'critical')
  - name: bad
    query: |
      Find DataStore with
        (classification='' or classification=undefined) and (production=true or tag.Production=true)
  - name: unknown
    query: |
      Find DataStore with (classification='' or classification=undefined)

Is my sensitive data encrypted?
  - name: good
    query: |
      Find DataStore with
        classification=('sensitive' or 'confidential' or 'critical') and encrypted = true
  - name: bad
    query: |
      Find DataStore with
        classification=('sensitive' or 'confidential' or 'critical') and encrypted != true
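The good / bad / unknown split above is the part that makes a query useful as evidence: "unknown" catches stores whose classification attribute is empty or missing, and "bad" narrows that to production stores, which is where the real gap is. The following is an added example, not code from the slides or from JupiterOne: it re-expresses the two gap-analysis query sets from this slide and the inventory query from the previous one in Python over a constructed list of DataStore records, so the classification and encryption logic can be run offline. Attribute names mirror the queries (classification, production, tag.Production, encrypted); the records are constructed.

```python
"""Gap analysis over a data-store inventory (added example, not from the slides).

Re-expresses the slide's J1QL query sets in Python:
  good    = sensitive/confidential/critical data stores
  unknown = classification is '' or absent
  bad     = unknown AND in production (production=true or tag.Production=true)
and, for encryption: good = sensitive AND encrypted, bad = sensitive AND NOT encrypted.
"""

SENSITIVE = {"sensitive", "confidential", "critical"}

# Constructed sample inventory. Note "legacy-export" has no classification key at all,
# which is the "classification=undefined" case the queries call out.
DATA_STORES = [
    {"name": "phi-records", "classification": "sensitive", "production": True,
     "tags": {}, "encrypted": True},
    {"name": "billing-db", "classification": "confidential", "production": True,
     "tags": {}, "encrypted": False},
    {"name": "scratch-bucket", "classification": "", "production": False,
     "tags": {}, "encrypted": True},
    {"name": "legacy-export", "production": True,
     "tags": {"Production": True}, "encrypted": False},
    {"name": "public-assets", "classification": "public", "production": True,
     "tags": {}, "encrypted": False},
]


def is_unclassified(ds):
    """classification='' or classification=undefined."""
    return not ds.get("classification")


def is_production(ds):
    """production=true or tag.Production=true."""
    return bool(ds.get("production")) or bool(ds.get("tags", {}).get("Production"))


def inventory_gaps(stores):
    """Return {'good': [...], 'bad': [...], 'unknown': [...]} of store names."""
    good = [d["name"] for d in stores if d.get("classification") in SENSITIVE]
    unknown = [d["name"] for d in stores if is_unclassified(d)]
    bad = [d["name"] for d in stores if is_unclassified(d) and is_production(d)]
    return {"good": good, "bad": bad, "unknown": unknown}


def encryption_gaps(stores):
    """Among sensitive stores, split encrypted (good) from not-encrypted (bad).

    'encrypted != true' is deliberately satisfied by a missing attribute too:
    a store whose encryption state is unknown counts as a gap, not as a pass.
    """
    sensitive = [d for d in stores if d.get("classification") in SENSITIVE]
    good = [d["name"] for d in sensitive if d.get("encrypted") is True]
    bad = [d["name"] for d in sensitive if d.get("encrypted") is not True]
    return {"good": good, "bad": bad}


if __name__ == "__main__":
    print("inventory:", inventory_gaps(DATA_STORES))
    print("encryption:", encryption_gaps(DATA_STORES))
```

The two functions are the evidence: their "bad" lists are the remediation backlog, and an empty "unknown" list is what you show the auditor to prove the inventory is complete.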
Step 5: Map control procedures and evidence to compliance (Create Mappings)

Controls Mapping (policies/procedures): each procedure id lists the standards and requirements it implements.

[
  {
    "id": "cp-role-assignment",
    "implements": [
      {
        "standard": "HIPAA",
        "requirements": [
          "164.308(a)(2)"
        ]
      },
      {
        "standard": "PCI DSS",
        "requirements": [
          "12.1",
          "12.3",
          "12.4",
          "12.5"
        ]
      },
      {
        "standard": "SOC 2 Security",
        "controls": [ ... ]
      }
    ]
  },
  ...
]

Evidence Mapping (questions/queries): each managed question carries its queries plus the controls and requirements its results serve as evidence for.

- id: managed-question-data-direct-access-to-phi
  title:
    Which user or group or network or host has
    access to data stores containing PHI/ePHI?
  description: ...
  queries:
    - query: |
        Find (User | UserGroup | Network | Host) as entity
          that allows DataStore with
            tag.PHI=true or tag.ePHI=true as ds
        return
          entity._type, entity.displayName, entity.email,
          ds._type, ds.displayName, ds.tag.AccountName
  tags:
    - data
    - SecOps
    - compliance
    - HIPAA
  compliance:
    - standard: default
      controls:
        - cp-access-phi
    - standard: HIPAA
      requirements:
        - 164.308(a)(3)(ii)(B)
        - 164.308(a)(4)(ii)(B)
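Once the framework (Step 1), the procedure mapping and the evidence mapping are all data, the compliance gap report is a join: for every requirement in the framework, which procedures claim to implement it and which questions produce evidence for it. The following is an added example, not code from the slides or from JupiterOne. It parses a framework excerpt in the slide's HIPAA shape (sections -> requirements), joins it against a controls mapping and an evidence mapping in the shapes shown above (the evidence mapping given as Python dicts rather than YAML), and reports requirements with no procedure or no evidence, as well as mappings that point at requirement refs the framework does not contain. The framework excerpt and both mappings are constructed.

```python
"""Compliance coverage report from framework + mappings (added example, not from the slides).

Joins three pieces of data:
  framework        -> list of requirement refs (Step 1 JSON, HIPAA shape)
  controls mapping -> procedure id -> {standard, requirements} (Step 5, first block)
  evidence mapping -> question id  -> {standard, requirements} (Step 5, second block)
"""
import json

# Constructed framework excerpt in the slide's shape; titles are illustrative.
FRAMEWORK_JSON = """
{
  "standard": "HIPAA",
  "version": "2013",
  "sections": [
    {"title": "Administrative Safeguards",
     "requirements": [
       {"ref": "164.308(a)(1)(i)", "title": "Security management process"},
       {"ref": "164.308(a)(1)(ii)(A)", "title": "Risk analysis"},
       {"ref": "164.308(a)(2)", "title": "Assigned security responsibility"},
       {"ref": "164.308(a)(3)(ii)(B)", "title": "Workforce clearance procedure"}
     ]}
  ]
}
"""

# Constructed controls mapping (procedure -> requirements it implements).
# "cp-training-hipaa" points at a ref this excerpt does not define, on purpose.
CONTROLS_MAPPING = [
    {"id": "cp-role-assignment",
     "implements": [{"standard": "HIPAA", "requirements": ["164.308(a)(2)"]}]},
    {"id": "cp-access-phi",
     "implements": [{"standard": "HIPAA", "requirements": ["164.308(a)(3)(ii)(B)"]}]},
    {"id": "cp-training-hipaa",
     "implements": [{"standard": "HIPAA", "requirements": ["164.308(a)(5)(i)"]}]},
]

# Constructed evidence mapping (managed question -> requirements it evidences).
EVIDENCE_MAPPING = [
    {"id": "managed-question-data-direct-access-to-phi",
     "compliance": [{"standard": "HIPAA", "requirements": ["164.308(a)(3)(ii)(B)"]}]},
]


def load_framework(text):
    """Parse framework JSON and reject duplicate requirement refs."""
    framework = json.loads(text)
    refs = [req["ref"] for section in framework["sections"] for req in section["requirements"]]
    dupes = sorted({r for r in refs if refs.count(r) > 1})
    if dupes:
        raise ValueError(f"duplicate requirement refs: {dupes}")
    return framework


def requirement_refs(framework):
    return [req["ref"] for section in framework["sections"] for req in section["requirements"]]


def _join(report, unknown, items, key, field, standard):
    """Attach each item id to the requirements it maps to under `standard`."""
    for item in items:
        for entry in item.get(key, []):
            if entry.get("standard") != standard:
                continue
            for ref in entry.get("requirements", []):
                if ref in report:
                    report[ref][field].append(item["id"])
                else:
                    unknown.append((item["id"], ref))


def coverage(framework, controls, evidence):
    """Return (report, unknown): report[ref] = {'procedures': [...], 'evidence': [...]}."""
    standard = framework["standard"]
    report = {ref: {"procedures": [], "evidence": []} for ref in requirement_refs(framework)}
    unknown = []
    _join(report, unknown, controls, "implements", "procedures", standard)
    _join(report, unknown, evidence, "compliance", "evidence", standard)
    return report, unknown


def gaps(report):
    """Requirements missing either a procedure or an evidence query."""
    return sorted(ref for ref, cov in report.items()
                  if not cov["procedures"] or not cov["evidence"])


if __name__ == "__main__":
    rep, unk = coverage(load_framework(FRAMEWORK_JSON), CONTROLS_MAPPING, EVIDENCE_MAPPING)
    for ref in gaps(rep):
        print("GAP", ref, rep[ref])
    for item_id, ref in unk:
        print("UNKNOWN REF", item_id, "->", ref)
```

A requirement with a procedure but no evidence is exactly the "I have the control but can't prove it" situation from the opening slides; the unknown-ref list catches mappings that drift when the framework file is revised.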
Result: Continuous Compliance Dashboard
(Diagram: the same program lifecycle and 100+ controls as the opening slide, now with DATA + GRAPH + QUERY at the centre. The graph provides VISIBILITY, GOVERNANCE and ASSURANCE to the security team, the compliance team and the auditor, across HIPAA, SOC 2, FDA, FedRAMP, ...; diagram labels CSEC, AUDITOR, CA / CC.)
What else can you do?
It’s not only about compliance. Additional use cases for Data + Graph + Query:
• Asset inventory and CMDB
• Cloud configuration visibility
• Access analysis
• Network and application architecture diagrams
• Vulnerability management
• Alerts / monitoring
• Metrics reporting
• User training status
• Incident correlation
• Policies and procedures documentation
• Vendor management
• Compliance evidence collection
S3 Bucket Access
Is access to any non-public S3 bucket granted to anybody outside of its account?
  Find aws_s3_bucket with classification!='public' as bucket
    that ALLOWS * as grantee
    where bucket.tag.AccountName != grantee.tag.AccountName
  return tree

SSO Access
Which Okta user is assigned which AWS IAM role?
  find okta_user
    that ASSIGNED aws_iam_role
  return tree

Vulnerability in Code
Which PRs / developers introduced new vulnerability findings this past week?
  Find User that OPENED PR
      with createdOn > date.now-7days
    that RELATES TO CodeRepo
    that HAS (Vulnerability|Finding)
      with _createdOn > date.now-7days
  return tree
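The three queries above all work the same way: start from one entity class, follow a named relationship, and filter on attributes of both ends. The following is an added example, not code from the slides or from JupiterOne: a constructed in-memory asset graph (entities keyed by id, relationships as (from, verb, to) triples) and a function that reproduces the S3 cross-account grant query by walking ALLOWS edges. The _type values, tag.AccountName and the classification attribute follow the query; the entity and relationship data are constructed, and the filter treats a missing classification as "not public", which is what `classification!='public'` does for an undefined attribute.

```python
"""Cross-account S3 bucket grants found by walking a small asset graph
(added example, not from the slides).

Reproduces:
  Find aws_s3_bucket with classification!='public' as bucket
    that ALLOWS * as grantee
    where bucket.tag.AccountName != grantee.tag.AccountName
"""
from collections import defaultdict

# Constructed entities. _type and tag.AccountName mirror the query's attribute names.
ENTITIES = {
    "bucket-a": {"_type": "aws_s3_bucket", "displayName": "phi-exports",
                 "classification": "sensitive", "tag": {"AccountName": "prod"}},
    "bucket-b": {"_type": "aws_s3_bucket", "displayName": "www-static",
                 "classification": "public", "tag": {"AccountName": "prod"}},
    "bucket-c": {"_type": "aws_s3_bucket", "displayName": "build-cache",
                 "tag": {"AccountName": "dev"}},          # no classification set
    "role-prod-app": {"_type": "aws_iam_role", "displayName": "app-role",
                      "tag": {"AccountName": "prod"}},
    "role-dev-ci": {"_type": "aws_iam_role", "displayName": "ci-role",
                    "tag": {"AccountName": "dev"}},
    "acct-partner": {"_type": "aws_account", "displayName": "partner-account",
                     "tag": {"AccountName": "partner"}},
}

# Constructed relationships: (from_key, verb, to_key).
RELATIONSHIPS = [
    ("bucket-a", "ALLOWS", "role-prod-app"),   # same account: fine
    ("bucket-a", "ALLOWS", "role-dev-ci"),     # prod bucket -> dev role: cross-account
    ("bucket-b", "ALLOWS", "acct-partner"),    # public bucket: excluded by the filter
    ("bucket-c", "ALLOWS", "role-dev-ci"),     # same account: fine
    ("bucket-c", "ALLOWS", "acct-partner"),    # dev bucket -> partner account: cross-account
]


def build_index(relationships):
    """Adjacency index: (from_key, verb) -> [to_key, ...]."""
    index = defaultdict(list)
    for src, verb, dst in relationships:
        index[(src, verb)].append(dst)
    return index


def account_of(entity):
    return entity.get("tag", {}).get("AccountName")


def find_cross_account_grants(entities, relationships):
    """Return sorted (bucket, grantee, bucket_account, grantee_account) tuples."""
    index = build_index(relationships)
    hits = []
    for key, ent in entities.items():
        # Find aws_s3_bucket with classification!='public'
        # (an absent classification is not 'public', so such buckets are still checked)
        if ent.get("_type") != "aws_s3_bucket" or ent.get("classification") == "public":
            continue
        # that ALLOWS * as grantee
        for grantee_key in index.get((key, "ALLOWS"), []):
            grantee = entities[grantee_key]
            # where bucket.tag.AccountName != grantee.tag.AccountName
            if account_of(ent) != account_of(grantee):
                hits.append((ent["displayName"], grantee["displayName"],
                             account_of(ent), account_of(grantee)))
    return sorted(hits)


if __name__ == "__main__":
    for bucket, grantee, b_acct, g_acct in find_cross_account_grants(ENTITIES, RELATIONSHIPS):
        print(f"{bucket} ({b_acct}) grants access to {grantee} ({g_acct})")
```

Each returned tuple is one alert-worthy finding; the same index-and-walk shape serves the Okta-to-IAM-role and PR-to-finding questions by changing the start class and the verb.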
Use queries to create alerts and trigger remediation
Alert rules built from a query, with actions:
• Send Email
• Send Slack message
• Create Jira issue
• Capture Trend
Future remediation automation:
• Trigger Webhook
• Invoke Lambda Function
• etc.

Metrics and charts built with queries (example chart: Users and Access)
Knowledge is Power
Knowledge = Information (data) + Insights (understanding of that data)
The graph is now the core of our entire security program.
A knowledgebase, a foundation that allows me to take actions with confidence, faster.
(Diagram: GRAPH at the centre, surrounded by asset inventory and CMDB, cloud configuration visibility, access analysis, network and application architecture diagrams, and vulnerability management.)
Questions? Demo?
jupiterone.com
