DevSecCon London 2016

1. Join the conversation #devseccon
DevOps, Security, and
Compliance
WORKING IN UNISON

2. Co-Founder, Conjur Inc
What I get excited about….
Cybersecurity as a “public
health” problem
Providing better security related
experiences as a business
Access controls at scale for
“silica users” and “robots”
My husband, kids, dog, cat, &
chickens

7. Risk Factors

8. At risk connections (Cloud & IOT)

9. People can’t keep up
Then Now
Complexity Known # of identifiable components 100s- Millions of system components
Provisioned by People +/- approvals People, Code - ? approvals, ? traceable
Provisioned with days-weeks-months- … years.... seconds-minutes
Threat concerns Insiders, Physical/Environmental Tampered code, hijacked systems
Mainframe
Client/
Server Web
Containerized Cloud

10. INFRASTRUCTURE
Check
Deploy
Dev team, tools, &
tools admins
Dev teamDeveloper
Dev team, tools,
tools admins, &
operators
The business sees … Velocity!

11. INFRASTRUCTURE
Check
Deploy
Dev team, tools, &
tools admins
Dev teamDeveloper
Dev team, tools,
tools admins, &
operators
Credentials in github
Malware
injection
DDOS platform
Side-channel IT resources
for bitcoin mining
Out of date
libraries
Security and compliance sees….
Phished admin creds

13. Can we trust these people?

14. Story #1: “Meet the compliance team [Spike]”
• Don’t let security and compliance be unplanned work
GET BUY-IN PLAN IMPROVE

15. Start Here: Persona Map of Your Organization
Security strategy
aligned with
business goals
Policies that map to
security and
compliance controls
and key threats
Simple security model
that scales , no pager
fatigue
Application security
policies that work from
dev to prod and don’t
mess with “flow”

17. Say ….“What?!”
• Directive 95/46/EC
• HIPAA
• NIST-CSF
• SOX
• PCI
• PIPEDA
• ID.AM-2: Software platforms
within the organization are
inventoried
• ID.AM-6: Cybersecurity roles and
responsibilities for the entire
workforce and third-party
stakeholders (e.g., suppliers,
customers, partners) are
established
• CCS CSC 2
• COBIT 5 BAI09.01,
BAI09.02, BAI09.05
• ISA 62443-2-1:2009 4.2.3.4
• ISA 62443-3-3:2013 SR 7.8
• ISO/IEC 27001:2013
A.8.1.1, A.8.1.2
• NIST SP 800-53 Rev. 4 CM-8
• COBIT 5 APO01.02,
DSS06.03
• ISA 62443-2-1:2009
4.3.2.3.3
• ISO/IEC 27001:2013
A.6.1.1
• NIST SP 800-53 Rev. 4 CP-
2, PS-7, PM-11

18. Technology serves compliant and secure behavior

19. Step 2: Categorize Risk By Severity/Prevalence

20. Common threat actions are often “in-scope”
1.Access control
2.Management of
virtual assets
and inventories
3.Credentials and
shared
accounts
Source Verizon Breach Report 2015 “Threat Actions by Type”

21. Step 3: Describe the risk and proposed mitigation
R3. An external actor gains
unauthorized access to production
or pre-production environments
CS3. Unauthorized access is prevented,
detected, and corrected through the
regular review of access credentials
and system configuration
Source: DevOps Audit Defense Toolkit 2015

22. INFRASTRUCTURE
Check
Deploy
Dev team, tools, &
tools admins
Dev teamDeveloper
Dev team, tools,
tools admins, &
operators
Can you run the control through this system?

23. Step 3: Then Automate the Process (…or not!)
EXAMPLE COMPLIANCE
CONTROL
PR.AC-1: Identities and
credentials are managed
for authorized devices and
users
STATIC OR
ACTIVE ANALYSIS
Processes and
procedures for
managing identities
and credentials are
documented
STATIC ANALYSIS
Compliance procedures
like checklists with signoff,
tickets, forms, periodic
“hunts” for violations
EVENT
Hire a new
person
Provision
a new
device
Elevate
auth for a
system
admin
ACTIVE ANALYSIS
Automated tooling to
provide function or gate
processes, continuous
logging of activities, active
autimated warnings, and
executive reporting views
as real time risk
communication

24. Step 4: Test and Verify the Control
Teams that focus on testing, early detection, and
measuring progress have 30% fewer [security]
defects in production
Source: The Journey to DevSecOps, Shannon Lietz, 2016
NIST
CONTROL
PR.AC-4
Describe
compliance in
plain english
What do you
have in
place/plan to
have in place?
Describe
passing
scenarios
Write code that
leads to
consistent pass
state
FAIL
Write tests and
run them
Source: Audit Compliance with BDD tools,, Conjur blog

25. Step 5: Communicate controls to stake holders
“Excuse me … do you speak JSON?”
• Repeatable
• Reliable
• Fast
• Auditable
• Reportable
• Informative

26. Improve www.10factor.ci

27. Where do you fall on the cybersecurity spectrum?
Example NIST-CSF - 4 TIERS OF CYBER SECURITY AWARENESS
TIER 1 - Partial
TIER 2 - Risk Informed
TIER 3 - Repeatable
TIER 4 - Adaptive
Automated
There is always more….

28. Robot, IOT & Machine Identity and Access Control

29. AI & Access Controls … Access Control for AIs!

30. Join the conversation #devseccon
Thank You
Elizabeth Lawler
@ElizabethLawler
conjur.net
“It takes a village”... Thank you
Kevin Gilpin
Steve Coplan
Josh Bregman
Andy Ellicott
Dustin Collins
Bryan Sterling
and the team at Conjur

31. Source: Verizon 2016 Data Breach Investigations Report

32. Translating to Something Actionable
Control Domains
(NIST framework)
● Identify
● Protect
● Detect
● Respond
● Recover
Control Activities & Services for Operators
● Asset Management (CMDB)
● Network Security, Authentication, Key
Management
● Log Aggregation and Reporting
● Alerting, Incident Communication and Escalation
Plan
● Post-mortems, metrics tracking (e.g., MTTD,
MTTR)