AppSec USA 2014 Denver, Colorado Project Monterey or how we learned to stop worrying and love the cloud.

Presentation transcript:

AppSec USA 2014 Denver, Colorado Project Monterey or how we learned to stop worrying and love the cloud

Introduction
Kevin Glisson
- Cloud Security Engineer
  - Working on all forms of security automation and operations (SSL, AWS, PCI, and more)
  - Lover of all things Python and AngularJS
- Mountain Biker
- Pizza Aficionado

Netflix
- 50+ million subscribers
- 47+ countries
- 700+ compatible devices
- 34% of US peak evening Internet traffic
- 700+ applications

Netflix Culture
- High Performance Culture
- Fail Fast, Learn Fast … Get Results
- Core Value: “Freedom & Responsibility”
- Engineering Culture
- DevOps means engineering teams own
  - New deployments and maintenance
  - Capacity planning & procurement

Cloud Security
- Acts as a consultancy
  - Pentest applications
  - Evaluate application security design/implementation
- Define best practices
- Trust but verify
- Create tools to manage and secure cloud infrastructure (e.g. Security Monkey)

Monterey
- Tons of apps and lots of code changes (a/b testing, canaries, etc.)
- There are no traditional security roadblocks or gateways
- Using traditional tool chains is very human intensive (we are a small team)
- Monterey was created as a tool to help application security engineers identify and evaluate application security state

Overview
- Discovery: Uses APIs from other systems to detect and enroll applications
- Inventory: Allows for ad hoc or automated asset creation
- Scanning: Leverages open source and commercial tools (best in category philosophy)
- Results: Presents and filters relative findings depending on severity

Monklets
- Basic unit of work
- Simple and dumb
- Integration point between Monterey and external applications or resources
- Not limited to scans; monklets can be used for discovery or result processing
- Scalable and distributed
A monklet’s only goal in life is to execute jobs. It has no state and no awareness of where it is in the execution chain; it simply receives a job and executes it.

Third Party Tools
Most of the heavy security lifting is accomplished by established tool chains (Nmap, ZAP, Arachni, ThreadFix, etc.). This allows us to:
- Be tool agnostic
- Leverage best in class toolsets
- Use both upstream and downstream tools

How a task is executed
1. Asset monitoring or a user executes a scan
2. Scan is evaluated, a task is created for each asset and each configuration associated with it
3. Tasks are published to an SNS topic for each individual monklet
4. Monklet receives SNS notification and pulls job off of the associated SQS queue
5. Monklet executes the task
6. Monklet persists any task data to S3
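The six steps above, together with the stateless monklet described earlier, as an added example that is not code from the talk or from Monterey. Assumptions: the SNS topic, SQS queue and S3 bucket are replaced by in-memory stand-ins so the flow runs offline, and the message fields, object key layout, function names and sample assets are all hypothetical.

```python
import json
from collections import deque

# In-memory stand-ins (assumptions) for the AWS services named in the slides:
# one queue per monklet (SNS topic -> SQS queue) and a dict as the S3 bucket.
QUEUES = {}   # monklet name -> deque of JSON job messages
BUCKET = {}   # object key -> JSON result document

def create_tasks(scan_id, assets):
    """Step 2: one task per asset and per configuration associated with it."""
    tasks = []
    for asset, configs in assets.items():
        for cfg in configs:
            tasks.append({"task_id": f"{scan_id}-{len(tasks)}", "asset": asset, **cfg})
    return tasks

def publish(task):
    """Step 3: route the task to the queue of the monklet it names."""
    QUEUES.setdefault(task["monklet"], deque()).append(json.dumps(task))

def run_monklet(name, handler):
    """Steps 4-6: pull jobs, execute them, persist the output.

    The monklet keeps no state between jobs: everything it needs is in the
    message, and everything it produces goes to the result store.
    """
    done = 0
    queue = QUEUES.get(name, deque())
    while queue:
        job = json.loads(queue.popleft())
        try:
            result = {"status": "ok", "data": handler(job["asset"], job["options"])}
        except Exception as exc:  # a failed tool run is recorded, not lost
            result = {"status": "error", "data": str(exc)}
        BUCKET[f"results/{name}/{job['task_id']}.json"] = json.dumps(result)
        done += 1
    return done

def fake_port_scan(asset, options):
    """Constructed handler; a real monklet would wrap an external tool here."""
    if not asset:
        raise ValueError("empty asset")
    return {"target": asset, "ports": options["ports"]}

def demo():
    """Step 1 onward, over constructed sample assets."""
    QUEUES.clear(); BUCKET.clear()
    assets = {"app-a.example": [{"monklet": "portscan", "options": {"ports": [443]}},
                                {"monklet": "webscan", "options": {}}],
              "": [{"monklet": "portscan", "options": {"ports": [80]}}]}
    for task in create_tasks("scan1", assets):
        publish(task)
    return run_monklet("portscan", fake_port_scan), dict(BUCKET), len(QUEUES["webscan"])
```

Because each job message is self-contained, any number of identical workers can drain the same queue, which is what makes the monklets scalable and distributed.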

Demo Time!

Road Map
- Build monklet specific auto scaling into Monterey
- Authentication and User Management
- Workflow and use case development
- Continue to evaluate new tools that could be used as monklets
- Open Source!
- Get feedback from community about interest, approach, etc.