Build a Complete Security Operations and Compliance Program on a Graph DB
ERKANG ZHENG
Founder, JupiterOne | CISO, LifeOmic
October 2019
© 2019 JupiterOne | LifeOmic Security, LLC
Triangle InfoSeCon
Our Security Program
START → Pick assessor → Perform gap assessment → Implement remediation → Collect evidence → Assess and certify → Monitor, Manage, Optimize → REPEAT
• Documented data flows
• Conducted risk analysis
• Wrote policies and procedures
• Created infrastructure and security architecture diagrams
• Implemented 100+ controls: endpoint malware protection; server vulnerability scanning; production change management; SSO + MFA; application code scanning + pen testing; user training; configuration audit; endpoint compliance agents; vendor risk management; firewalls and security groups; data encryption; WAF + DDoS protection; asset inventory and tagging; activity and log monitoring
Stakeholders: SEC / COMP / AUDITOR
COMPLIANCE: HIPAA, SOC 2, HITRUST, FDA, FedRAMP
Now what?
How? Is 100% visibility possible?
“I don’t need more controls. I need to be able to
effectively and efficiently manage what I have.”
“I need to be able to make decisions
faster, with confidence.”
DATA + GRAPH + QUERY
The same lifecycle (START → Pick assessor → Perform gap assessment → Implement remediation → Monitor, Manage, Optimize → Collect evidence → Assess and certify → REPEAT), the same activities and the same 100+ controls as on the previous slide, now with the stakeholders CSEC / AUDITOR / CA / CC and three goals overlaid: VISIBILITY, GOVERNANCE, ASSURANCE.
COMPLIANCE: HIPAA, SOC 2, HITRUST, FDA, FedRAMP
DATA
What data? COLLECT AND AGGREGATE
GRAPH
What is a graph?
• A set of vertices (or nodes) and edges
• A data structure for complex relationships (or context)
Why graph? Did I mention relationships / context?
“Defenders think in lists. Attackers think in graphs. That’s why attackers win.”
https://blogs.technet.microsoft.com/johnla/2015/04/26/defenders-think-in-lists-attackers-think-in-graphs-as-long-as-this-is-true-attackers-win/
QUERY
Our graph currently has
• 47,313 nodes (entities) and
• 134,218 edges (relationships)
Needle in a haystack: a graph of 1348 nodes
Not just the graph:
• Graph data (Neptune) – relationships
• Raw data (S3) – history and forensic analysis
• Indexed data (Elasticsearch) – speed
• Other data (DynamoDB)
DATA + GRAPH + QUERY = KNOWLEDGE
Knowledge is Power
What can you do with it? Example use cases:
• Asset inventory and CMDB
• Cloud configuration visibility
• Access analysis
• Network and application architecture diagrams
• Vulnerability management
• Alerts / monitoring
• Metrics reporting
• User training status
• Incident correlation
• Policies and procedures documentation
• Vendor management
• Compliance evidence collection
AWS Cloud Security
Which EC2 instances are exposed to the Internet?
Find aws_subnet with public=true
that HAS aws_instance
that PROTECTS aws_security_group
that ALLOWS Internet
return tree

AWS Cloud Security
Are there Internet-facing EC2 instances that are allowed access to non-public S3 buckets?
Find Internet
that ALLOWS aws_security_group
that PROTECTS aws_instance
with active=true
that USES aws_iam_role
that ASSIGNED AccessPolicy
that ALLOWS (aws_s3|aws_s3_bucket)
with classification!='public'
return tree

Cross-Account Trust
What are the cross-account IAM trust relationships in my AWS environment?
Find aws_iam_role as a
that TRUSTS (Account|AccessRole) as b
where a.tag.AccountName != b.tag.AccountName
return tree

S3 Bucket Access
Is any non-public S3 bucket access granted to anybody outside of its account?
Find aws_s3_bucket with classification!='public' as bucket
that ALLOWS * as grantee
where bucket.tag.AccountName != grantee.tag.AccountName
return tree

SSO Access
Which Okta user is assigned what AWS IAM role?
Find okta_user
that ASSIGNED aws_iam_role
return tree

App Components and Data Flow
Show the connections and flow diagram from:
• CloudFront to API Gateway
• CloudFront to S3
• API GW to Lambda Functions
• Lambda to other resources

Vulnerability Management
Which systems or apps are vulnerable to what CVEs?
Find CVE that RELATES TO (Host|HostAgent|Application)
return tree

Development Insight
Which PRs did Adam open this past week?
Find 'Adam' that OPENED PR
with createdOn > date.now-7days
return tree

Vulnerability in Code
Which PRs / developers introduced new vulnerability findings this past week?
Find User that OPENED PR
with createdOn > date.now-7days
that RELATES TO CodeRepo
that HAS (Vulnerability|Finding)
with _createdOn > date.now-7days
return tree

Org Chart
What’s the reporting structure?
Find Person that MANAGES Person
return tree
Use queries to create alerts and trigger remediation
Alert rules built from queries, with actions:
• Send Email
• Send Slack message
• Create Jira issue
• Capture Trend
Future remediation automation:
• Trigger Webhook
• Invoke Lambda Function
• etc.
Security Policy and Procedure Documents
github.com/jupiterone/security-policy-templates
• Written in Markdown
• Small, individual files – “micro-docs” like micro-services
• Linked together via config.json
• Document reviews and approvals via PRs
• Templatized and published in HTML
Security Policy and Procedure Documents (HTML)
https://security.lifeomic.com/psp
Manual Assessments and Findings
• Covers a variety of testing:
  • Manual penetration testing
  • Risk assessment
  • Privacy impact assessment
  • Threat modeling
• Assessment objects and findings written in JSON or YAML
• Publish to graph for report and analysis
Follows the same code deploy process when PR is merged to `master` branch
github.com/jupiterone/secops-automation-examples

- entityKey: assessment:prodsec:2019q1
  entityType: prodsec_assessment
  entityClass: Assessment
  properties:
    name: internal-pen-test-2019q1
    displayName: LifeOmic Internal Penetration Test 2019Q1
    summary: LifeOmic Internal Penetration Test conducted between Mar 18th - Mar 29th
    description:
      Performed a thorough security assessment of the LifeOmic product line.
      Scope includes PHC, Life 2.0 iOS/Android, Connect and LifeExtend iOS/Android.
    category: penetration-testing
    status: complete
    assessors:
      - security.team@lifeomic.com
    open: false
    classification: confidential
    completedOn: 2019-04-05
    reportURL: https://bitbucket.org/lifeomic/prodsec-assessments/src...
    ...
- entityKey: finding:prodsec:2019q1:app-api-1
  entityType: pentest_finding
  entityClass: Finding
  properties:
    name: Some made up issue
    displayName: '[Medium] What it says'
    summary: Summary of the made up issue
    targets:
      - Service API
    description: >
      Within the application API, ....
    stepsToReproduce:
      - '1 - Add ...'
      - '2 - Use ...'
      - '3 - Verify ...'
    impact: ...
    severity: medium
    ...
Vendors and External Organizations
• Maintain list of vendors as code
• Leverage product management and dev leads to help maintain
• Trigger third party security review and approval via PR
• Publish to graph for report and analysis
Follows the same code deploy process when PR is merged to `master` branch
github.com/jupiterone/secops-automation-examples

- entityKey: vendor:apple
  entityType: apple
  entityClass: Vendor
  properties:
    name: Apple
    displayName: Apple
    category:
      - software
      - mobile
      - development
    description: >
      Provides Developer account and App Store Connect account for mobile apps...
    validated: true
    approved: true
    approvalPRLink: https://bitbucket.org/lifeomic/security-artifacts/pull-requests/2
    approvalPRName: security-artifacts/2
    website: https://www.apple.com
    owners:
      - owner.one@lifeomic.com
      - owner.two@lifeomic.com
    mainContactName:
    mainContactEmail:
    mainContactPhone:
    mainContactAddress:
    breachResponseDays:
    linkToNDA: https://developer.apple.com/terms/apple-developer-agreement/Apple-Developer-Agreement-English.pdf
    linkToMSA: https://developer.apple.com/programs/whats-included/
    linkToSLA:
    criticality: 10
    risk: 5
    tag.PHI: false
    tag.PII: true
    tag.PCI: false
    statusPage:
    notes:
    ...
Compliance Evidence Collection
• Compliance framework and control requirements defined in JSON
• Map policy procedures to each control requirement
• Map query questions to each control requirement
• Write positive case queries and negative case queries for automated gap analysis
• Include evidence associated with manual processes

A standard organized by sections and requirements:
{
  "standard": "SOC 2",
  "version": "2019",
  "sections": [
    {
      "title": "Access Controls",
      "requirements": [
        {
          "ref": "SOC2-01",
          "title": "Single Sign On",
          "summary": "SSO for all users ..."
        },
        ...
      ]
    }
  ]
}

Or a standard organized by domains and controls:
{
  "domains": [
    {
      "title": "Control Domain A",
      "controls": [
        {
          "ref": "A-01",
          "title": "A technical control",
          "summary": "control description ..."
        },
        ...
      ]
    }
  ]
}

A query question mapped to the controls it provides evidence for:
{
  "title": "Which user accounts do not have multi-factor authentication enabled?",
  "description": "...",
  "queries": [
    {
      "name": "bad",
      "query": "Find User with mfaEnabled != true that !(ASSIGNED|USES|HAS) mfa_device"
    },
    {
      "name": "good",
      "query": "Find User with mfaEnabled = true"
    },
    {
      "name": "goodToo",
      "query": "Find User that (ASSIGNED|USES|HAS) mfa_device"
    }
  ],
  "compliance": [
    {
      "standard": "CIS Controls",
      "requirements": [
        "4.5",
        "12.11",
        "16.3"
      ]
    },
    {
      "standard": "HITRUST CSF",
      "controls": [
        "01.b",
        "01.j",
        "01.q"
      ]
    },
    {
      "standard": "PCI DSS",
      "requirements": [
        "8.2",
        "8.3"
      ]
    }
  ]
}
github.com/jupiterone/security-policy-templates/tree/master/templates/standards
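The deck's queries are J1QL and need a JupiterOne graph to run. As an added example that is not from the deck or the JupiterOne project, the small Python property graph below is built over constructed sample entities and answers the earlier AWS question (Internet-facing instances with access to non-public S3 buckets) as well as the MFA control's "bad" / "good" queries from the compliance JSON above; entity classes and relationship verbs follow the slides, while the API names (Graph, find, traverse) and all sample data are assumptions.

```python
def _matches(node, cls, props):
    """'<cls> with k=v': the class is one of the |-separated names and every property
    filter holds; a filter value may be a predicate (used for classification != 'public')."""
    node_cls, node_props = node
    if node_cls not in cls.split("|"):
        return False
    return all(v(node_props.get(k)) if callable(v) else node_props.get(k) == v
               for k, v in props.items())


class Graph:
    """Minimal in-memory graph: nodes keyed by id -> (class, props); typed directed edges."""

    def __init__(self):
        self.nodes = {}
        self.edges = []                          # (source_key, VERB, target_key)

    def add(self, key, cls, **props):
        self.nodes[key] = (cls, props)

    def link(self, src, verb, dst):
        self.edges.append((src, verb, dst))

    def find(self, cls, **props):
        """'Find <cls> with ...': keys of all nodes matching the filter."""
        return [k for k, n in self.nodes.items() if _matches(n, cls, props)]

    def traverse(self, start_keys, steps):
        """Apply 'that VERB <cls> with ...' steps, each given as (verbs, cls, props).
        Returns every complete path as a list of node keys ('return tree')."""
        paths = [[k] for k in start_keys]
        for verbs, cls, props in steps:
            allowed = set(verbs.split("|"))
            paths = [p + [d] for p in paths for s, v, d in self.edges
                     if s == p[-1] and v in allowed and _matches(self.nodes[d], cls, props)]
        return paths


def build_sample_graph():
    """Constructed sample environment (hypothetical; not LifeOmic's real data)."""
    g = Graph()
    for key, cls, props in [
        ("internet", "Internet", {}),
        ("sg-web", "aws_security_group", {}), ("sg-internal", "aws_security_group", {}),
        ("i-web", "aws_instance", {"active": True}), ("i-batch", "aws_instance", {"active": True}),
        ("role-web", "aws_iam_role", {}), ("role-batch", "aws_iam_role", {}),
        ("pol-web", "AccessPolicy", {}), ("pol-batch", "AccessPolicy", {}),
        ("bkt-assets", "aws_s3_bucket", {"classification": "public"}),
        ("bkt-phi", "aws_s3_bucket", {"classification": "confidential"}),
        ("alice", "User", {"mfaEnabled": True}), ("bob", "User", {"mfaEnabled": False}),
        ("carol", "User", {"mfaEnabled": True}),  # flag says enabled, but no device is linked
        ("yubi-1", "mfa_device", {}),
    ]:
        g.add(key, cls, **props)
    for src, verb, dst in [
        ("internet", "ALLOWS", "sg-web"),         # only sg-web is reachable from the Internet
        ("sg-web", "PROTECTS", "i-web"), ("sg-internal", "PROTECTS", "i-batch"),
        ("i-web", "USES", "role-web"), ("i-batch", "USES", "role-batch"),
        ("role-web", "ASSIGNED", "pol-web"), ("role-batch", "ASSIGNED", "pol-batch"),
        ("pol-web", "ALLOWS", "bkt-assets"), ("pol-web", "ALLOWS", "bkt-phi"),
        ("pol-batch", "ALLOWS", "bkt-phi"),
        ("alice", "ASSIGNED", "yubi-1"),
    ]:
        g.link(src, verb, dst)
    return g


def internet_facing_instances_with_private_s3(g):
    """Internet -> security group -> active instance -> IAM role -> policy -> bucket whose
    classification is not 'public'. Returns the exposed (instance, bucket) pairs."""
    paths = g.traverse(g.find("Internet"), [
        ("ALLOWS", "aws_security_group", {}),
        ("PROTECTS", "aws_instance", {"active": True}),
        ("USES", "aws_iam_role", {}),
        ("ASSIGNED", "AccessPolicy", {}),
        ("ALLOWS", "aws_s3|aws_s3_bucket", {"classification": lambda c: c != "public"}),
    ])
    return sorted({(p[2], p[-1]) for p in paths})


def mfa_control_evidence(g):
    """The MFA control's 'bad' query (negative case) and both 'good' queries (positive
    cases); any 'bad' hit is a gap, the positive results are the evidence."""
    users = g.find("User")
    with_device = {p[0] for p in g.traverse(users, [("ASSIGNED|USES|HAS", "mfa_device", {})])}
    # Find User with mfaEnabled != true that !(ASSIGNED|USES|HAS) mfa_device
    bad = sorted(u for u in g.find("User", mfaEnabled=lambda f: f is not True)
                 if u not in with_device)
    return {"bad": bad,
            "good": sorted(g.find("User", mfaEnabled=True)),   # Find User with mfaEnabled = true
            "goodToo": sorted(with_device),                     # Find User that (...) mfa_device
            "gap": bool(bad)}
```

Note that "good" and "goodToo" disagree on carol (the flag is set but no device is linked), which is why the control carries more than one positive-case query.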
Data-driven compliance dashboard
Metrics and charts built with queries:
• Users and Access
• Development Insights
• Cloud Resources
• Data Security
• Risk Management
Knowledge is Power
Knowledge = Information (data) + Insights (understanding of that data)
The graph is now the core of my entire security program: a knowledge base, a foundation that allows me to take actions with confidence, faster.
GRAPH
• Asset inventory and CMDB
• Cloud configuration visibility
• Access analysis
• Network and application architecture diagrams
• Vulnerability management
Questions? Live Demo?
jupiterone.com
Contact me for a copy of the presentation. And, I’m hiring!
