DevSecOps and Secure Incident Response

A presentation at WTF Is SRE Conference 2021 in May 2021 by Quintessence Anx

Slide 1

DevSecOps and Secure Incident Response @QuintessenceAnx Developer Advocate @ PagerDuty

Slide 2

Don’t panic

Slide 3

The Now

Slide 4

Slide 5

Software Development Life Cycle

Slide 6

Vault over “The Wall” for Security Review

Slide 7

Software Development Life Cycle Security

Slide 8

Slide 9

!

Slide 10

DevSecOps

Slide 11

What is DevSecOps?

Slide 12

DevSecOps stands for development, security, and operations. DevSecOps seeks to integrate security across the SDLC and streamline the workflows between dev, sec, and ops.

Slide 13

What DevSecOps is not

Slide 14

DevSecOps is not replacing security with dev and/or ops, or expecting dev and/or ops to become security specialists, or expecting security to become devs and/or ops.

Slide 15

Phew.

Slide 16

Slide 17

How?

Slide 18

The Secure SDLC + Shifting Left

Slide 19

Slide 20

Slide 21

Slide 22

SecOps Activities
• Secure architecture / design
• Threat modeling
• Testing, e.g. SAST and DAST
• Scanning images and dependencies
• Fuzzing
• And more!

Slide 23

Shift Left

Slide 24

Slide 25

How?

Slide 26

Cultural Support

Slide 27

Humans.

Slide 28

Sharp end: High Risk, Low Power
Blunt end: Low Risk, High Power

Slide 29

Exec Buy-in

Slide 30

Never trick staff, ever.

Slide 31

Training

Slide 32

Full Service Ownership

Slide 33

Capture the Flag

Slide 34

Threat Modeling

Slide 35

Slide 36

Secure Incident Response

Slide 37

1. Stop the attack in progress.
2. Cut off the attack vector.
3. Assemble the response team.
4. Isolate affected instances.
5. Identify timeline of attack.
6. Identify compromised data.
7. Assess risk to other systems.
8. Assess risk of re-attack.
9. Apply additional mitigations, make changes to monitoring, etc.
10. Forensic analysis of compromised systems.
11. Internal communication.
12. Involve law enforcement.
13. Reach out to external parties that may have been used as vector for attack.
14. External communication.

Slide 38

Stop the attack in progress

Slide 39

Cut off the attack vector

Slide 40

Assemble the response team

Slide 41

Isolate the affected instances

Slide 42

Identify timeline of the attack

Slide 43

Identify compromised data

Slide 44

Assess risk to other systems

Slide 45

Assess risk of re-attack

Slide 46

Apply additional mitigations, additions to monitoring, etc.

Slide 47

Forensic analysis of compromised systems

Slide 48

Internal communication

Slide 49

Involve law enforcement

Slide 50

Reach out to external parties that may have been used as attack vectors

Slide 51

External communication

Slide 52

1. Stop the attack in progress.
2. Cut off the attack vector.
3. Assemble the response team.
4. Isolate affected instances.
5. Identify timeline of attack.
6. Identify compromised data.
7. Assess risk to other systems.
8. Assess risk of re-attack.
9. Apply additional mitigations, make changes to monitoring, etc.
10. Forensic analysis of compromised systems.
11. Internal communication.
12. Involve law enforcement.
13. Reach out to external parties that may have been used as vector for attack.
14. External communication.

Slide 53

Resources & References noti.st/quintessence

Slide 54

PagerDuty Summit 22-25 June Register: http://bit.ly/PDsummitCAD

Slide 55

Questions? Quintessence Anx Developer Advocate noti.st/quintessence @QuintessenceAnx