DevOpsSec and Container/FaaS (Function as a Service) Security
Suppawut Kaopaiboon
Security Consultant
• Protecting customer applications across all threat vectors in the public cloud
Discover | Detect | Respond
Public Cloud (IaaS/PaaS/FaaS) and Private Cloud
• Config Scanning: continuous monitoring of configuration vulnerabilities across critical cloud services
• Compliance Reporting: comprehensive compliance reporting across multiple compliance standards
• Serverless Security: visibility & runtime application security
• IAM Security: access governance, privileged-user monitoring and UEBA through ML
• Network Security: detection of advanced network threats using flow traffic analytics
• Data Protection: data classification, malware & DLP scanning for cloud storage
• Automated Response: automated remediation combined with integration into SOC, ticketing & other 3rd-party tools
• Host & Container Security: vulnerability scanning & runtime security
4 | © 2019 Palo Alto Networks. All Rights Reserved.
The software industry needs to change!
The need for faster, cheaper, higher-quality and more secure software
The arrival of Agile + CI/CD + DevOps
The changing software engineering process
Microservices
Monolithic application vs. microservices
Changing team structure
Overview of DevOps culture
The Goal of DevOps
- Fast Development Methodologies
- Fast Quality Assurance Methodologies
- Fast Deployment Methodologies
- Iteration & continuous feedback (strong and continuous communication between stakeholders: the end users and customers, product owners, development, quality assurance, and production engineers)
DevSecOps
- Check the tool chain and libraries
- Static/dynamic code analysis
- Compliance
Reference: https://www.microsoft.com/en-us/sdl/
Current CI/CD Pipeline
Orchestrators
• Orchestrators allow for better management of containers:
• Cluster management
• Scheduling
• Reliability
• Resource management
• Orchestrators
  • Kubernetes
  • OpenShift
  • Amazon Elastic Container Service (ECS)
  • Fargate
  • Docker Swarm
  • Etc.
Containers and VMs
https://unit42.paloaltonetworks.com/making-containers-more-isolated-an-overview-of-sandboxed-container-technologies/
A lot of open-source tools in the cloud!
CI/CD Flow Example
Overview of the CI/CD process and tools
Continuous Integration (CI) | Continuous Deployment (CD) | Monitor & Feedback
SERVERLESS IS REIMAGINING SOFTWARE DEVELOPMENT
• Less operational overhead
• Only pay for what you run
• Designed for agility & scale
• No servers to patch, no network to inspect
"20 percent of global enterprises will have deployed serverless computing technologies by 2020" (Gartner)
What is Serverless?
Applications that fully rely on managed cloud services, and leverage FaaS (AWS Lambda, Google Cloud Functions) for core business logic.
Server-based application: Code repo → Load balancer → Application servers (business logic) → Database
Serverless application: Code repo → Event trigger → Business logic (function) → Output
HR SERVERLESS APPLICATION EXAMPLE
1. Candidate sends CV as PDF in email
2. SES receives email, creates SNS message
3. SNS invokes the function
4. Function converts PDF to text + stores results in DynamoDB
5. Function sends receipt to candidate
Services used: Simple Email Service (SES), Simple Notification Service (SNS), Lambda function, DynamoDB
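The five steps above are an event-driven architecture where the attacker controls the input end to end: anyone can email the intake address, and the function acts on whatever arrives. The block below is an added example (not the deck's or AWS's code) of the Lambda step written with that in mind. It assumes the SES "SNS action" delivers the raw MIME base64-encoded in the notification's `content` field, injects the DynamoDB table (`InMemoryStore`) and the receipt sender so it runs offline, applies a 5 MiB attachment cap that is this example's own policy, and uses a naive text extractor that only handles uncompressed `(text) Tj` runs. The sample records are constructed.

```python
"""Input validation for the SES -> SNS -> Lambda -> DynamoDB CV intake.

Added example, not the deck's or AWS's code. Assumptions: SES delivers the raw
MIME base64-encoded in the notification's "content" field, the DynamoDB table
and the receipt sender are injected so the handler runs offline, the 5 MiB cap
is this example's policy, and the PDF text extractor only handles uncompressed
"(text) Tj" runs."""
import base64
import email
import json
import re
from email.message import EmailMessage
from email.policy import default as email_policy

MAX_PDF_BYTES = 5 * 1024 * 1024                                   # assumption: attachment cap
ADDR_RE = re.compile(r'^[^@\s<>"]+@[^@\s<>"]+\.[A-Za-z]{2,}$')   # no CR/LF, no angle brackets
TEXT_RUN_RE = re.compile(rb"\((.*?)\)\s*Tj")                      # naive: uncompressed PDF text runs


class InMemoryStore:
    """Stand-in for the DynamoDB table (assumption; boto3 put_item in AWS)."""
    def __init__(self):
        self.items = {}

    def put_item(self, item):
        self.items[item["message_id"]] = item


def naive_pdf_text(data):
    """Extract '(text) Tj' runs from an uncompressed PDF (illustration only)."""
    if not data.startswith(b"%PDF-"):
        raise ValueError("not a PDF")
    return " ".join(r.decode("latin-1") for r in TEXT_RUN_RE.findall(data))


def extract_pdf_attachments(raw_mime):
    """Trust the bytes (PDF magic + size), never the declared type or file name."""
    msg = email.message_from_bytes(raw_mime, policy=email_policy)
    pdfs = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(b"%PDF-") and len(payload) <= MAX_PDF_BYTES:
            pdfs.append(payload)
    return pdfs


def handle_event(event, store, send_receipt):
    """Lambda entry-point shape; returns one (messageId, outcome) per SNS record."""
    outcomes = []
    for record in event["Records"]:
        note = json.loads(record["Sns"]["Message"])
        mail, receipt = note["mail"], note.get("receipt", {})
        mid, sender = mail["messageId"], mail["source"]
        # Act only on mail that SES's own scanning passed; a spoofed sender must
        # not turn the receipt step into a backscatter relay.
        if receipt.get("virusVerdict", {}).get("status") != "PASS" \
                or receipt.get("spfVerdict", {}).get("status") == "FAIL":
            outcomes.append((mid, "rejected-verdict"))
            continue
        if not ADDR_RE.match(sender):          # header-injection attempt or junk
            outcomes.append((mid, "rejected-sender"))
            continue
        pdfs = extract_pdf_attachments(base64.b64decode(note["content"]))
        if not pdfs:
            outcomes.append((mid, "rejected-no-pdf"))
            continue
        store.put_item({"message_id": mid, "candidate": sender,
                        "cv_text": naive_pdf_text(pdfs[0])})
        send_receipt(sender, mid)
        outcomes.append((mid, "stored"))
    return outcomes


# --- constructed sample input ---------------------------------------------------
GOOD_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Page >> endobj\nstream\n"
            b"BT /F1 12 Tf (Jane Doe) Tj (Security Engineer) Tj ET\nendstream\n%%EOF\n")
FAKE_PDF = b"<html><script>alert(1)</script></html>"   # declared as PDF, is not


def make_record(message_id, source, attachment, verdict="PASS"):
    msg = EmailMessage()
    msg["Subject"] = "Application"
    msg.set_content("Please find my CV attached.")
    msg.add_attachment(attachment, maintype="application", subtype="pdf", filename="cv.pdf")
    note = {"notificationType": "Received",
            "mail": {"messageId": message_id, "source": source},
            "receipt": {"virusVerdict": {"status": verdict}, "spfVerdict": {"status": "PASS"}},
            "content": base64.b64encode(msg.as_bytes()).decode()}
    return {"Sns": {"Message": json.dumps(note)}}


def demo_event():
    return {"Records": [
        make_record("m1", "candidate@example.com", GOOD_PDF),
        make_record("m2", "candidate@example.com", FAKE_PDF),
        make_record("m3", "evil@example.com\r\nBcc: everyone@example.com", GOOD_PDF),
        make_record("m4", "candidate@example.com", GOOD_PDF, verdict="FAIL"),
    ]}


if __name__ == "__main__":
    store, sent = InMemoryStore(), []
    print(handle_event(demo_event(), store, lambda to, mid: sent.append((to, mid))))
```

The function's IAM role should be scoped the same way the code is: `dynamodb:PutItem` on that one table and `ses:SendEmail` from the intake identity, nothing broader, so that a parsing bug in step 4 cannot be turned into a data-access problem in step 5.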
NEW SECURITY CHALLENGES ARE EMERGING
Threats have been reimagined: with serverless, application owners have no control over the infrastructure and must deal with new attack vectors.
Rapid adoption requires action: over 20% of open-source serverless apps have critical vulnerabilities. Enterprises must adapt quickly.
Desired Security Outcomes
• Prevent compromise of a resource
• Safe enablement of applications
Cyber Attack Lifecycle: Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command & Control → Act on Objective
Stop the attack at any point!
For hosts, containers, and serverless, across the DevSecOps lifecycle
CYBERSECURITY FOR YOUR CLOUD NATIVE APPLICATIONS
CI/CD is Enabling Security Earlier in the Lifecycle
Build | Deploy | Run
Shift Left: ideally, implement security early in the development lifecycle
• Build: integrate vulnerability and compliance scanning into every build as part of any CI workflow
• Deploy: secure every deployment by integrating security seamlessly into the continuous delivery process
• Run: reduce the burden on security teams by going to production with a minimized threat footprint
Current CI/CD Pipeline
(Figure: pipeline stages, each reporting Fail to a notification system; vulnerability scanning & penetration testing)
Adding Dev"Sec"Ops to the Existing Process
(Figure: the same pipeline with scanning and prevention gates added; each stage reports Fail to the notification system; vulnerability scanning & penetration testing)
Container Security Requirements
• CI/CD Integration
• Cloud Native Firewalling
• Access Control
• Vulnerability Management
• Runtime Defense
• Compliance
Pillars: Visibility | Automation | Prevention
Vulnerability Management
Industry-leading precision across hosts, images, containers, and serverless functions
Automated prioritization of vulnerabilities based on your unique environment
Prevent running vulnerable software across your environment
Cloud Native Firewalling
Layer 4 and Layer 7 firewalls tuned for cloud native environments
True Intrusion Detection and Intrusion Prevention
Fully automated mesh discovery and microsegmentation
Compliance
One-click enforcement for CIS, PCI-DSS, HIPAA, GDPR, NIST SP 800-190, and FISMA
Centrally discover and monitor cloud native services across all your providers, accounts, and regions
Custom checks using OpenSCAP, PowerShell, and Bash scripts
CI/CD Integration
Native plugins and standalone scanner for integration into any CI/CD workflow or tool
"Shift left" quality gates with compliance and vulnerability thresholds in every build
Scan hosts, container images, serverless functions, and PCF blob stores
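A "shift left" gate is only as good as the policy it enforces. The block below is an added example (not Twistlock/Prisma Cloud or any scanner's own code) of the gate logic that the DevSecOps checks (tool chain, static/dynamic analysis, compliance) and the build-stage scanning slide describe: it consumes a scan report, applies severity thresholds and compliance rules, lets accepted risk through only via exceptions that expire, and turns the verdict into a non-zero exit code and a one-line message for the notification system. The report layout, policy keys, finding IDs and threshold values are all constructed for this illustration; real scanners emit their own schema, so the parsing is what you would adapt.

```python
"""CI quality gate over a build-time scan report.

Added example, not any scanner's own code. Report layout, policy keys, finding
IDs and thresholds are constructed for illustration."""
import sys
from datetime import date

SEVERITY = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed scan report for one image build.
SAMPLE_REPORT = {
    "image": "registry.example.com/hr/cv-parser:1.4.2",
    "vulnerabilities": [
        {"id": "VULN-A", "package": "libssl", "severity": "critical", "fix_available": True},
        {"id": "VULN-B", "package": "zlib", "severity": "high", "fix_available": False},
        {"id": "VULN-C", "package": "curl", "severity": "high", "fix_available": True},
        {"id": "VULN-D", "package": "bash", "severity": "medium", "fix_available": True},
    ],
    "compliance": [
        {"check": "image-runs-as-root", "severity": "high", "passed": False},
        {"check": "no-secrets-in-env", "severity": "critical", "passed": True},
        {"check": "healthcheck-defined", "severity": "low", "passed": False},
    ],
}

# Constructed policy: findings at or above block_severity fail the build, fixable
# high-severity findings are capped, failed compliance checks rated at or above
# compliance_fail_at fail the build, and every exception carries an expiry date
# so accepted risk cannot silently become permanent.
SAMPLE_POLICY = {
    "block_severity": "critical",
    "max_fixable_high": 0,
    "compliance_fail_at": "high",
    "exceptions": {
        "VULN-C": {"expires": "2019-12-31", "reason": "fix ships with the next base image"},
    },
}


def active_exceptions(policy, today_iso):
    """IDs whose exception has not expired; ISO dates compare correctly as strings."""
    return {vid for vid, exc in policy["exceptions"].items() if exc["expires"] >= today_iso}


def evaluate_gate(report, policy, today_iso):
    """Return a verdict dict; `blockers` is empty when the build may proceed."""
    skip = active_exceptions(policy, today_iso)
    blockers, fixable_high = [], 0
    for v in report["vulnerabilities"]:
        if v["id"] in skip:
            continue
        if SEVERITY[v["severity"]] >= SEVERITY[policy["block_severity"]]:
            blockers.append(f"{v['id']}: {v['severity']} in {v['package']}")
        elif v["severity"] == "high" and v["fix_available"]:
            fixable_high += 1
    if fixable_high > policy["max_fixable_high"]:
        blockers.append(f"{fixable_high} fixable high-severity finding(s), limit {policy['max_fixable_high']}")
    for c in report["compliance"]:
        if not c["passed"] and SEVERITY[c["severity"]] >= SEVERITY[policy["compliance_fail_at"]]:
            blockers.append(f"compliance check failed: {c['check']} ({c['severity']})")
    return {"image": report["image"], "passed": not blockers, "blockers": blockers}


def notification_line(verdict):
    """One-line summary for the pipeline's notification system."""
    status = "PASS" if verdict["passed"] else "FAIL"
    detail = "; ".join(verdict["blockers"]) or "no blocking findings"
    return f"[{status}] {verdict['image']}: {detail}"


if __name__ == "__main__":
    verdict = evaluate_gate(SAMPLE_REPORT, SAMPLE_POLICY, date.today().isoformat())
    print(notification_line(verdict))
    sys.exit(0 if verdict["passed"] else 1)   # non-zero exit fails the CI stage
```

Run before the exception expires and the build fails on the critical finding and the root-user compliance check; run after 2019-12-31 and the previously excepted fixable high also counts, which is the point of dating exceptions.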
RUNTIME DEFENSE
Use machine learning to model what each image is intended to do
Automatically look for anomalies between the model and runtime behavior
(Figure: static analysis of the image feeds a machine-learning predictive model; runtime defense compares live behaviour against it. Sample threat-intelligence feed rows shown in the figure:)
ip           category  score  first_seen  last_seen   ports
74.88.8.7    31        65     2016-04-16  2016-04-16
233.16.9.49  35        125    2016-04-11  2016-04-20  80
82.16.9.65   35        127    2016-04-09  2016-04-21  80
STOPPING THE KILL CHAIN
(Figure: Twistlock Advanced Threat Protection across several Docker Engine hosts running app containers; a vulnerable web service (an OpenSSL allocation, `buffer = OPENSSL_malloc(1 + 2 + payload + padding); bp = buffer;`) is exploited and a listener, `nc -l -p 666`, is spawned inside the container)
• Storage sensors look for malware and suspicious file access patterns
• Process sensors see a process not in the authentic image and stop it from spawning
• Network sensors detect abnormal traffic flows and dangerous endpoints
• Syscall sensors detect anomalous kernel calls
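The four sensors above only work against a model of what the image is supposed to do. The block below is an added example (not Twistlock's or Prisma Cloud's runtime engine) of that idea: a learning window of benign events builds a per-image model of binaries, listening ports, outbound destinations and written paths; live events are then compared against it, with the deck's threat-feed rows used as the "dangerous endpoints" list. The event shapes, the learning window, the sensitive-path and syscall lists and the block/alert verdicts are all constructed for this illustration; the feed text repeats the ip/category/score sample from the figure.

```python
"""Runtime defense sketch: learn what an image does, then flag deviations.

Added example; not Twistlock's or Prisma Cloud's runtime engine. Event shapes,
the learning window, the path/syscall lists and the verdicts are constructed;
the feed rows repeat the sample from the deck's figure."""

THREAT_FEED = """ip,category,score,first_seen,last_seen,ports
74.88.8.7,31,65,2016-04-16,2016-04-16,
233.16.9.49,35,125,2016-04-11,2016-04-20,80
82.16.9.65,35,127,2016-04-09,2016-04-21,80"""

SUSPICIOUS_SYSCALLS = {"ptrace", "init_module", "finit_module"}   # assumption
SENSITIVE_PATHS = ("/etc/shadow", "/root/.ssh/")                  # assumption


def load_feed(text, min_score=100):
    """ip -> score for feed rows at or above the cut-off (100 is this example's choice)."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    rows = (dict(zip(header, line.split(","))) for line in lines[1:])
    return {r["ip"]: int(r["score"]) for r in rows if int(r["score"]) >= min_score}


def learn_model(events):
    """Build the per-image model from a learning window of benign events."""
    model = {"processes": set(), "listen_ports": set(), "outbound": set(), "writes": set()}
    for ev in events:
        if ev["sensor"] == "process":
            model["processes"].add(ev["binary"])
        elif ev["sensor"] == "network" and ev["direction"] == "listen":
            model["listen_ports"].add(ev["port"])
        elif ev["sensor"] == "network" and ev["direction"] == "outbound":
            model["outbound"].add(ev["dst"])
        elif ev["sensor"] == "storage" and ev["op"] == "write":
            model["writes"].add(ev["path"])
    return model


def evaluate(model, events, bad_ips):
    """Compare live events with the model; returns (sensor, verdict, reason) tuples."""
    findings = []
    for ev in events:
        s = ev["sensor"]
        if s == "process" and ev["binary"] not in model["processes"]:
            findings.append((s, "block", f"process {ev['binary']} not in image model"))
        elif s == "network" and ev["direction"] == "listen" and ev["port"] not in model["listen_ports"]:
            findings.append((s, "block", f"unexpected listener on port {ev['port']}"))
        elif s == "network" and ev["direction"] == "outbound":
            if ev["dst"] in bad_ips:
                findings.append((s, "block", f"outbound to known-bad {ev['dst']} (score {bad_ips[ev['dst']]})"))
            elif ev["dst"] not in model["outbound"]:
                findings.append((s, "alert", f"new outbound destination {ev['dst']}"))
        elif s == "storage":
            if ev["path"].startswith(SENSITIVE_PATHS) or ev.get("exec"):
                findings.append((s, "block", f"suspicious {ev['op']} of {ev['path']}"))
            elif ev["op"] == "write" and ev["path"] not in model["writes"]:
                findings.append((s, "alert", f"write outside model: {ev['path']}"))
        elif s == "syscall" and ev["name"] in SUSPICIOUS_SYSCALLS:
            findings.append((s, "block", f"anomalous syscall {ev['name']}"))
    return findings


# Constructed learning window for the image (benign behaviour only).
LEARNING_EVENTS = [
    {"sensor": "process", "binary": "/usr/sbin/nginx"},
    {"sensor": "process", "binary": "/usr/bin/python3"},
    {"sensor": "network", "direction": "listen", "port": 80},
    {"sensor": "network", "direction": "outbound", "dst": "10.0.0.5"},
    {"sensor": "storage", "op": "write", "path": "/var/log/app.log"},
]

# Constructed live events: the deck's nc listener plus a few other deviations.
RUNTIME_EVENTS = [
    {"sensor": "process", "binary": "/usr/sbin/nginx"},                     # normal
    {"sensor": "process", "binary": "/bin/nc"},                             # nc -l -p 666
    {"sensor": "network", "direction": "listen", "port": 666},
    {"sensor": "network", "direction": "outbound", "dst": "82.16.9.65"},    # feed hit
    {"sensor": "network", "direction": "outbound", "dst": "10.0.0.6"},      # drift
    {"sensor": "storage", "op": "write", "path": "/tmp/payload", "exec": True},
    {"sensor": "storage", "op": "read", "path": "/etc/shadow"},
    {"sensor": "storage", "op": "write", "path": "/var/log/app.log"},       # normal
    {"sensor": "syscall", "name": "ptrace"},
]


def run_demo():
    return evaluate(learn_model(LEARNING_EVENTS), RUNTIME_EVENTS, load_feed(THREAT_FEED))


if __name__ == "__main__":
    for sensor, verdict, reason in run_demo():
        print(f"{sensor:8} {verdict:6} {reason}")
```

The model is deliberately per image, not per cluster: a binary that is normal in one image is an anomaly in another, which is what lets the process sensor stop `nc` without a signature for it.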
paloaltonetworks.com
Email: [email protected]
Thank You