DevOpsSec and Container/FaaS (Function as a Service) Security

Suppawut Kaopaiboon, Security Consultant

May 20, 2020

Transcript
Page 1: DevOpsSec and Container/FaaS (Function as a Service) Security

Suppawut Kaopaiboon, Security Consultant

Page 2:

• Protecting customer applications through all threat vectors in the public cloud
• Discover, Detect, Respond
• Public Cloud (IaaS/PaaS/FaaS), Private Cloud

Capabilities:

• Config Scanning: continuous monitoring of config vulnerabilities across critical cloud services
• Compliance Reporting: comprehensive compliance reporting across compliance standards
• Serverless Security: visibility & runtime application security
• IAM Security: access governance, privileged monitoring and UEBA through ML
• Network Security: detection of advanced network threats using flow traffic analytics
• Data Protection: data classification, malware & DLP scanning for cloud storage
• Automated Response: automated remediation combined with integration with SOC, ticketing & other 3rd-party tools
• Host & Container Security: vulnerability scanning & runtime security

Page 3:

4 | © 2019 Palo Alto Networks. All Rights Reserved.

Page 4:

The software industry needs to change!

Page 5:

The need for faster, cheaper, higher-quality and more secure delivery

Page 6:

The coming of Agile + CI/CD + DevOps

Page 7:

Changes in the software engineering process

Page 8:

Microservices

(Figure: monolithic application vs. microservices)

Page 9:

Changes in team formation

Page 10:

Overview of DevOps culture

The Goal of DevOps

- Fast Development Methodologies
- Fast Quality Assurance Methodologies
- Fast Deployment Methodologies
- Iteration & Continuous Feedback (strong and continuous communication between stakeholders: the end users and customers, product owners, development, quality assurance, and production engineers)

Page 11:

DevSecOps

- Check Tool Chain and Library
- Static/Dynamic Code Analysis
- Compliance

Reference: https://www.microsoft.com/en-us/sdl/

Page 12:

Current CI/CD Pipeline

Page 13:

Orchestrators

• Orchestrators allow for better management of containers
• Cluster management
• Scheduling
• Reliability
• Resource management

Orchestrators:

• Kubernetes
• OpenShift
• Amazon Elastic Container Service (ECS)
• Fargate
• Docker Swarm
• Etc.

Page 14:

Containers and VMs

https://unit42.paloaltonetworks.com/making-containers-more-isolated-an-overview-of-sandboxed-container-technologies/

Page 15:

A lot of open-source tools on the cloud!

Page 16:

CI/CD Flow Example

Page 17:

Overview of the CI/CD process and tools

(Figure stages: Continuous Integration (CI), Continuous Deployment (CD), Monitor & Feedback)

Page 18:

SERVERLESS IS REIMAGINING SOFTWARE DEVELOPMENT

• Less operational overhead
• Only pay for what you run
• Designed for agility & scale
• No servers to patch, no network to inspect

“20 percent of global enterprises will have deployed serverless computing technologies by 2020” (Gartner)

Page 19:

What is Serverless?

Applications that fully rely on managed cloud services, and leverage FaaS (AWS Lambda, Google Cloud Functions) for core business logic.

(Figure) Server-based application: Load balancer, Application servers (business logic), Database, Code repo. Serverless application: Event trigger, Business logic, Output, Code repo.

Page 20:

HR SERVERLESS APPLICATION EXAMPLE

1. Candidate sends CV as PDF in email
2. SES receives email, creates SNS message
3. SNS invokes the function
4. Function converts PDF to text + stores results in DynamoDB
5. Function sends receipt to candidate

(Components: Simple Email Service, Simple Notification Service, Lambda Function, DynamoDB)

Page 21:

NEW SECURITY CHALLENGES ARE EMERGING

Threats have been reimagined: with serverless, application owners have no control over infrastructure, and must deal with new attack vectors.

Rapid adoption requires action: over 20% of open-source serverless apps have critical vulnerabilities. Enterprises must adapt quickly.

Page 22:

Desired Security Outcomes

• Prevent compromise of a resource
• Safe enablement of applications

Page 23:

Desired Security Outcomes

Cyber Attack Lifecycle: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, Act on Objective.

Stop the attack at any point!

Page 24:

CYBERSECURITY FOR YOUR CLOUD NATIVE APPLICATIONS

• For hosts, containers, and serverless
• Across the DevSecOps lifecycle

Page 25:

CI/CD is Enabling Security Earlier in the Lifecycle

Shift Left – Ideal to implement security early in the dev lifecycle

• Build: Integrate vulnerability and compliance scanning into every build as part of any CI workflow
• Deploy: Secure every deployment by seamlessly integrating security into the continuous delivery process
• Run: Reduce the burden on security teams by going to production with a minimized threat footprint

Page 26:

Current CI/CD Pipeline

(Pipeline diagram: Notification System; Fail paths out of the stages; Vulnerability Scanning & Penetration testing)

Page 27:

Adding Dev"Sec"Ops to the existing process

(Pipeline diagram as on the previous slide: Notification System; Fail paths out of the stages; Vulnerability Scanning & Penetration testing; with a Scanning stage added)

Page 28:

Container Security Requirement

Prevention, Visibility, Automation:

• CI/CD INTEGRATION
• CLOUD NATIVE FIREWALLING
• ACCESS CONTROL
• VULNERABILITY MANAGEMENT
• RUN TIME DEFENSE
• COMPLIANCE

Page 29:

Vulnerability Management

• Industry leading precision across hosts, images, containers, and serverless functions
• Automated prioritization of vulnerabilities based on your unique environment
• Prevent running vulnerable software across your environment

Automation | Visibility | Prevention

Page 30:

Cloud Native Firewalling

• Layer 4 and Layer 7 firewalls tuned for cloud native environments
• True Intrusion Detection and Intrusion Prevention
• Fully automated mesh discovery and microsegmentation

Page 31:

Compliance

• One-click enforcement for CIS, PCI-DSS, HIPAA, GDPR, NIST SP 800-190, and FISMA
• Centrally discover and monitor cloud native services across all your providers, accounts, and regions
• Custom checks using OpenSCAP, PowerShell, and Bash scripts

Page 32:

CI/CD Integration

• Native plugins and standalone scanner for integration into any CI/CD workflow or tool
• “Shift left” quality gates with compliance and vulnerability thresholds in every build
• Scan hosts, container images, serverless functions, and PCF blob stores
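The "shift left" quality gate that slides 25 and 32 describe, as an added example that is not Prisma Cloud or Twistlock code: a CI stage feeds the scanner's findings to it, it compares the counts with per-severity thresholds, and a non-zero exit fails the build. The report layout, the image name and the finding ids are constructed placeholders, not real scanner output.

```python
"""Added example (not Prisma Cloud / Twistlock code): a "shift left" quality
gate for a CI stage. It compares scanner findings with per-severity limits
and fails the build when one is exceeded. Report format is constructed."""

# Maximum findings allowed per severity and category; unlisted = unlimited.
DEFAULT_THRESHOLDS = {
    "vulnerabilities": {"critical": 0, "high": 2},
    "compliance": {"critical": 0, "high": 0},
}

# Constructed scanner output for one image; ids are placeholders, not real.
SAMPLE_REPORT = {
    "image": "registry.example/hr-cv-parser:1.4.2",
    "vulnerabilities": [
        {"id": "CVE-PLACEHOLDER-1", "severity": "Critical", "package": "openssl"},
        {"id": "CVE-PLACEHOLDER-2", "severity": "High", "package": "libxml2"},
        {"id": "CVE-PLACEHOLDER-3", "severity": "Medium", "package": "curl"},
    ],
    "compliance": [
        {"id": "CIS-PLACEHOLDER", "severity": "High", "title": "Runs as root"},
    ],
}

def count_by_severity(findings):
    """Count findings per severity, case-insensitively."""
    counts = {}
    for finding in findings:
        sev = finding["severity"].lower()
        counts[sev] = counts.get(sev, 0) + 1
    return counts

def evaluate_gate(report, thresholds=DEFAULT_THRESHOLDS):
    """Return (passed, reasons); reasons names every exceeded limit."""
    reasons = []
    for category, limits in thresholds.items():
        counts = count_by_severity(report.get(category, []))
        for sev, limit in limits.items():
            found = counts.get(sev, 0)
            if found > limit:
                reasons.append(f"{category}: {found} {sev} > limit {limit}")
    return (not reasons, reasons)

if __name__ == "__main__":
    import sys
    passed, reasons = evaluate_gate(SAMPLE_REPORT)
    print("PASS" if passed else "FAIL: " + "; ".join(reasons))
    sys.exit(0 if passed else 1)  # non-zero exit fails the CI stage
```

Mapping a real scanner's JSON onto the `vulnerabilities` and `compliance` lists is the only integration step; the thresholds are what the team agrees as its gate.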

Page 33:

RUNTIME DEFENSE

• Use machine learning to model what each image is intended to do
• Automatically look for anomalies between the model and runtime behavior

(Diagram: Machine learning, Static analysis, Predictive model, Runtime Defense; a cache of threat data with columns ip, category, score, first_seen, last_seen, ports; Twistlock Advanced Threat Protection)

Page 34:

STOPPING THE KILL CHAIN

(Diagram: four Docker Engine hosts running App containers, a vulnerable web service with the code "buffer = OPENSSL_malloc(1 + 2 + payload + padding); bp = buffer;", and a listener "nc -l -p 666")

• Storage sensors look for malware and suspicious file access patterns
• Process sensors see a process not in the authentic image and stop it from spawning
• Network sensors detect abnormal traffic flows and dangerous endpoints
• Syscall sensors detect anomalous kernel calls
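The model-versus-runtime check of slide 33 and the process and network sensors of slide 34, as an added example that is not Twistlock or Prisma Cloud code: a per-image model is learned from events seen while the image runs in learning mode, and later events that fall outside it produce a sensor verdict. A learned allowlist stands in for the product's machine learning; the events, ports and the threat-intel IP (from the TEST-NET-3 documentation range) are constructed for the example.

```python
"""Added example (not Twistlock / Prisma Cloud code): a simplified runtime
defense like the one slides 33 and 34 describe. A per-image model of expected
processes and outbound ports is learned from observed events; later events are
checked by "process" and "network" sensors (an allowlist stands in for ML)."""
from dataclasses import dataclass, field

@dataclass
class ImageModel:
    processes: set = field(default_factory=set)   # executables seen while learning
    dest_ports: set = field(default_factory=set)  # outbound ports seen while learning

def learn_model(events):
    """Build the model from events observed while the image is in learning mode."""
    model = ImageModel()
    for ev in events:
        if ev["type"] == "process":
            model.processes.add(ev["exe"])
        elif ev["type"] == "connect":
            model.dest_ports.add(ev["port"])
    return model

def check_event(model, ev, threat_ips=frozenset()):
    """Return None when the event fits the model, else the sensor's verdict."""
    if ev["type"] == "process" and ev["exe"] not in model.processes:
        return f"process sensor: {ev['exe']} not in image model, spawn blocked"
    if ev["type"] == "connect":
        if ev["dst"] in threat_ips:
            return f"network sensor: connection to dangerous endpoint {ev['dst']}"
        if ev["port"] not in model.dest_ports:
            return f"network sensor: abnormal outbound flow to port {ev['port']}"
    return None

def audit(model, events, threat_ips=frozenset()):
    """Return the verdicts for every event that violates the model."""
    return [v for v in (check_event(model, e, threat_ips) for e in events) if v]

# Constructed learning-mode events for the web service image.
LEARNING_EVENTS = [
    {"type": "process", "exe": "nginx"},
    {"type": "process", "exe": "python3"},
    {"type": "connect", "dst": "10.0.0.5", "port": 5432},
]
# Constructed runtime events, including the slide's "nc -l -p 666" listener.
RUNTIME_EVENTS = [
    {"type": "process", "exe": "python3"},
    {"type": "process", "exe": "nc"},
    {"type": "connect", "dst": "10.0.0.5", "port": 666},
    {"type": "connect", "dst": "203.0.113.7", "port": 5432},
]
THREAT_IPS = frozenset({"203.0.113.7"})  # constructed threat-intel entry (TEST-NET-3)
```

Calling audit(learn_model(LEARNING_EVENTS), RUNTIME_EVENTS, THREAT_IPS) returns three verdicts: the nc spawn, the flow to port 666, and the connection to the listed endpoint; the python3 spawn is in the model and passes.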

Page 35:

paloaltonetworks.com

Email: [email protected]

Thank You