© Copyright 2018 Pivotal Software, Inc. All rights Reserved. Version 1.0

InfoSec: Evolve Thyself to Keep Pace in the Age of DevOps
April 26, 2018

Justin Smith, Pivotal, @justinjsmith
Fernando Montenegro, 451 Research, @fsmontenegro
Jared Ruckle, Pivotal, @jaredruckle
Agenda
■  Security in the Enterprise
■  Security Transformation Framework
■  Culture
■  Automation
■  Lean Controls
■  Metrics
■  Q+A
Security in the enterprise.
Security is kinda similar.
The Typical Scenario

Slow Enforcement
●  Not enough security team staffing
●  Enforcement stuck on a local maximum

Project-based Mass Casualties
●  Team-based decisions and choice
●  Massive variation across the organization
●  Too many systems with poor compliance

Intractable
●  Triage becomes the vital skill
●  Low morale
●  No clear answer
●  Mundane, never-ending tasks
INFORMATION SECURITY: BUDGETS AND OUTLOOK 2017
Information Security Spending Distribution Among Security Tools (Information Security Respondents)
Source: 451 Research, Voice of the Enterprise: Information Security, Budgets and Outlook 2017
Q5. Approximately, how is your organization’s total information security spending currently distributed across the following vendor-based security tools today? Please sum to 100%.

Percent of sample          2015 Q4 (n=724)   2016 Q4 (n=401)   2017 Q4 (n=371)
Network security                40.0%             37.5%             35.9%
Endpoint security               26.3%             29.4%             24.9%
Security management             19.6%             17.4%             20.0%
Application security            10.2%              8.9%             14.9%
Other                            3.9%              6.8%              4.3%
You want speed & security.
Security Transformation Framework

Culture: It’s attractive.
Automation: It’s automatic.
Lean Controls: It’s valuable.
Metrics: It’s visible.
Culture

Reputation: Build Prestige
Shift away from domination and enforcement as primary tools. Collaborate and demonstrate value.
●  Security Inceptions with teams
●  Invest in external learning
●  Reserved use of the Big Stick

Rotations & Education: Spread Awareness
Create the ability to rotate people onto the security team for 2-3 months. It will change the organization.
●  Quarterly rotations
●  Lunch & Learns
●  Retros and stories

Skills & Hiring: Generalists & Specialists
Mix domain specialists with generalists. New graduates tend to have higher security awareness.
●  You gotta code
●  Build tools others want to use
●  Very little is rocket surgery
INFORMATION SECURITY: BUDGETS AND OUTLOOK 2017
Top Strategic Security Objectives (Information Security Respondents, n = 562)
Source: 451 Research, Voice of the Enterprise: Information Security, Budgets and Outlook 2017
Q2. What are your top strategic security objectives for 2018? Please select up to 3.

Percent of sample
34.5%  Implement or improve security monitoring
31.5%  Minimize the probability or impact of a possible data breach
24.2%  Improve network security
22.1%  Secure emerging architectures including the cloud
21.5%  Implement or improve security analytics
20.5%  Achieve regulatory compliance
19.4%  Improve application security
18.7%  Improve incident response
18.7%  Automate common security tasks
18.5%  Build (staff) the security team
15.3%  Integrate new endpoint security tools
13.0%  Raise the security team’s profile in the business
11.2%  Securing Internet of Things (IoT) devices
 4.4%  Other
Automation

App Scorecards
Centralize scoring for applications; turn it into a game that attracts participation and spreads best practices.
●  Security.yaml in repos
●  Visible badging
●  Opt-in participation
●  Iterative scoring

Build Service Brokers
Automate onboarding and offboarding for accessing systems, and API-specific tasks like AuthN/AuthZ and credentials.
●  Control connection points
●  Control credentials
●  Ensure visibility
●  Ensure consistency

Tiered Scanning
Dynamic, static, vulnerability, log, and configuration-assurance scanning can all be completely automated.
●  Control app stacks
●  CI/CD scanning
●  Ingestion scanning
●  Logging alerts to SOC
●  Configuration drift alerts
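The App Scorecards column above describes the mechanism (a Security.yaml in each repo, centrally scored, surfaced as a badge, iterated over time) without showing it. The following is an added example written for this page, not code from the presentation or from Pivotal. The flat "key: value" file layout, the check names, the weights and the badge tiers are assumptions chosen for illustration; a real scorecard would parse with PyYAML and score whatever controls the organization has agreed on.

```python
"""App scorecard: score a repo's Security.yaml and hand out a badge.

Added example, not the presentation's or Pivotal's code. File layout, check
names, weights and badge tiers are all assumptions made for illustration.
"""
from typing import Callable, Dict, List, NamedTuple, Tuple

# Constructed sample of a Security.yaml committed to an application repo.
SAMPLE_SECURITY_YAML = """\
# Security.yaml (constructed sample)
app: payments-api
owner: team-payments
sast_in_ci: true
dependency_scan_in_ci: true
dast_scheduled: false
secrets_via_broker: true
max_credential_age_days: 30
tls_everywhere: true
threat_model_reviewed: false
"""


def parse_flat_yaml(text: str) -> Dict[str, object]:
    """Parse the flat 'key: value' subset of YAML used above (no nesting, no lists).

    true/false/yes/no become bools, integers become ints, all else stays a string.
    Stands in for PyYAML so the example runs with the standard library only.
    """
    data: Dict[str, object] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not a 'key: value' line: {raw!r}")
        key, value = key.strip(), value.strip()
        if value.lower() in ("true", "yes"):
            data[key] = True
        elif value.lower() in ("false", "no"):
            data[key] = False
        elif value.lstrip("-").isdigit():
            data[key] = int(value)
        else:
            data[key] = value
    return data


class Check(NamedTuple):
    name: str
    weight: int                                       # points awarded when it passes
    passes: Callable[[Dict[str, object]], bool]


def _flag(key: str) -> Callable[[Dict[str, object]], bool]:
    """Passes only when the key is literally true; a missing key is a failing check."""
    return lambda d: d.get(key) is True


def _int_at_most(key: str, limit: int) -> Callable[[Dict[str, object]], bool]:
    """Passes for a real integer <= limit; bool is rejected (True would otherwise be 1)."""
    return lambda d: (isinstance(d.get(key), int) and not isinstance(d.get(key), bool)
                      and d[key] <= limit)


# Assumed control set; weights sum to 100. Iterate on it: add a new check at a
# low weight first, then raise the weight once teams have had time to adopt it.
CHECKS: List[Check] = [
    Check("sast_in_ci", 20, _flag("sast_in_ci")),
    Check("dependency_scan_in_ci", 20, _flag("dependency_scan_in_ci")),
    Check("secrets_via_broker", 20, _flag("secrets_via_broker")),
    Check("dast_scheduled", 15, _flag("dast_scheduled")),
    Check("tls_everywhere", 10, _flag("tls_everywhere")),
    Check("credential_age_le_30d", 10, _int_at_most("max_credential_age_days", 30)),
    Check("threat_model_reviewed", 5, _flag("threat_model_reviewed")),
]
assert sum(c.weight for c in CHECKS) == 100


def score(data: Dict[str, object], checks: List[Check] = CHECKS) -> Tuple[int, List[str]]:
    """Return (points out of 100, names of the failed checks in CHECKS order)."""
    earned, failed = 0, []
    for check in checks:
        if check.passes(data):
            earned += check.weight
        else:
            failed.append(check.name)
    return earned, failed


def badge(points: int) -> str:
    """Badge tiers (assumed) are what makes the score visible on the repo page."""
    if points >= 90:
        return "gold"
    if points >= 70:
        return "silver"
    if points >= 50:
        return "bronze"
    return "none"


def scorecard(yaml_text: str) -> Dict[str, object]:
    """Pipeline for one repo; an absent or empty Security.yaml scores 0 (opt-in)."""
    data = parse_flat_yaml(yaml_text) if yaml_text.strip() else {}
    points, failed = score(data)
    return {"app": data.get("app", "<unregistered>"), "points": points,
            "badge": badge(points), "failed": failed}


if __name__ == "__main__":
    print(scorecard(SAMPLE_SECURITY_YAML))   # the sample lands at 80 points, silver
    print(scorecard(""))                     # a repo that has not opted in
```

Two details carry the "opt-in, iterative" intent: a missing key fails its check instead of raising, so a team that has not registered simply shows up at 0 with no badge rather than breaking the pipeline, and a new check can be introduced at a low weight and tightened later without changing the parser or the badge logic. The integer check rejects booleans deliberately: in Python True is an int and would otherwise satisfy "age <= 30".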
INFORMATION SECURITY: VENDOR EVALUATIONS 2017
Application Security Vendor Usage Allocation (Respondents with application security in use or in pilot)
Source: 451 Research, Voice of the Enterprise: Information Security, Vendor Evaluations 2017
Q6. How is usage of application security tools allocated across the following teams in your organization? Please sum to 100.

Mean percent               Q3 2015 (n=181)   Q3 2016 (n=256)   Q3 2017 (n=159)
Application Development         22.7%             27.6%             30.5%
Quality Assurance               17.5%             19.9%             16.6%
Information Security            57.3%             46.2%             44.7%
Other                            2.5%              6.2%              8.1%
Lean Controls

Compliance as Code
Inherit controls and compliance from the platform. Automate the documentation of controls and SSPs (System Security Plans) as part of team motion.
●  Explore OpenControl (open-control.org)
●  Always-on, always-current SSP
●  Expose as top-down controls

Leverage the Platform
Approach the platform as a way to gain radical control. Leverage all platform controls to inherit security in applications.
●  Re-use vs. build
●  Shorten the on-ramp
●  Internal marketing

ATT&CK-centric
Focus on Adversarial Tactics, Techniques, and Common Knowledge (MITRE ATT&CK). Use standards as a way to benchmark resilience.
●  Value-stream mapping
●  Start with the adversary
●  Describe threats and kill chains
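"Use standards as a way to benchmark resilience" is concrete once the SOC's detection rules are tagged with ATT&CK technique IDs: the tactics with no rule behind them are the gaps, and the covered fraction is a number you can track quarter over quarter. The following is an added example written for this page, not code from the presentation or from Pivotal. The technique catalog is a hand-picked subset of real MITRE ATT&CK Enterprise technique IDs and the tactics they sit under; the tactic list is abridged and the detection rule inventory is constructed. A real run would load the full matrix from MITRE's published data and the rule inventory from the SIEM.

```python
"""Benchmark SOC detection coverage against MITRE ATT&CK tactics.

Added example, not the presentation's or Pivotal's code. The catalog is a
subset of real ATT&CK technique IDs; the detection rules are constructed.
"""
from typing import Dict, List, Set, Tuple

# ATT&CK Enterprise tactics in kill-chain order (abridged list).
TACTICS: List[str] = [
    "Initial Access", "Execution", "Persistence", "Privilege Escalation",
    "Defense Evasion", "Credential Access", "Discovery", "Lateral Movement",
    "Collection", "Command and Control", "Exfiltration", "Impact",
]

# Subset of the ATT&CK technique catalog: ID -> (name, tactics it belongs to).
TECHNIQUE_CATALOG: Dict[str, Tuple[str, List[str]]] = {
    "T1190": ("Exploit Public-Facing Application", ["Initial Access"]),
    "T1078": ("Valid Accounts", ["Defense Evasion", "Persistence",
                                 "Privilege Escalation", "Initial Access"]),
    "T1059": ("Command and Scripting Interpreter", ["Execution"]),
    "T1136": ("Create Account", ["Persistence"]),
    "T1110": ("Brute Force", ["Credential Access"]),
    "T1552": ("Unsecured Credentials", ["Credential Access"]),
    "T1046": ("Network Service Discovery", ["Discovery"]),
    "T1021": ("Remote Services", ["Lateral Movement"]),
    "T1005": ("Data from Local System", ["Collection"]),
    "T1071": ("Application Layer Protocol", ["Command and Control"]),
    "T1041": ("Exfiltration Over C2 Channel", ["Exfiltration"]),
    "T1486": ("Data Encrypted for Impact", ["Impact"]),
}

# Constructed SOC rule inventory; each rule is tagged with the technique(s) it detects.
DETECTIONS = [
    {"rule": "Repeated failed logins against the platform login endpoint", "techniques": ["T1110"]},
    {"rule": "Deploy pushed by an identity outside the CI pipeline", "techniques": ["T1078"]},
    {"rule": "Interactive shell spawned inside a production container", "techniques": ["T1059"]},
    {"rule": "App egress to a host not on the allow-list", "techniques": ["T1071", "T1041"]},
    {"rule": "Credential material written to application logs", "techniques": ["T1552"]},
]


def tactic_coverage(detections, catalog=TECHNIQUE_CATALOG) -> Tuple[Dict[str, Set[str]], List[str]]:
    """Map each tactic to the technique IDs that at least one rule covers.

    Returns (coverage, unknown_ids). IDs absent from the catalog are reported rather
    than dropped: a typo in a tag would otherwise look like missing coverage.
    """
    coverage: Dict[str, Set[str]] = {tactic: set() for tactic in TACTICS}
    unknown: Set[str] = set()
    for rule in detections:
        for tid in rule["techniques"]:
            if tid not in catalog:
                unknown.add(tid)
                continue
            for tactic in catalog[tid][1]:
                coverage[tactic].add(tid)
    return coverage, sorted(unknown)


def uncovered_tactics(coverage: Dict[str, Set[str]]) -> List[str]:
    """Tactics with no detection at all: where the next rules should go."""
    return [tactic for tactic in TACTICS if not coverage[tactic]]


def coverage_ratio(coverage: Dict[str, Set[str]]) -> float:
    """Fraction of tactics with at least one detection (a floor, not a resilience score)."""
    return sum(1 for tactic in TACTICS if coverage[tactic]) / len(TACTICS)


def report(detections=DETECTIONS) -> List[str]:
    coverage, unknown = tactic_coverage(detections)
    lines = [f"{tactic:<21}{len(ids):>2} technique(s): {', '.join(sorted(ids)) or '-'}"
             for tactic, ids in coverage.items()]
    lines.append(f"tactics covered: {coverage_ratio(coverage):.0%}")
    if unknown:
        lines.append("unknown technique tags: " + ", ".join(unknown))
    return lines


if __name__ == "__main__":
    print("\n".join(report()))   # the constructed inventory covers 8 of 12 tactics
```

Treat the ratio as a floor. A tactic counts as covered with a single weak rule, so the useful follow-up metrics are per-technique depth (how many independent rules, how often each fires true positives) and the trend over time, which is the "doesn't matter where you start" point of the Metrics slide later in the deck. Reporting unknown tags is deliberate: a mistyped ID silently dropped would be recorded as a gap you cannot explain.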
INFORMATION SECURITY: WORKLOADS AND KEY PROJECTS 2017
Status of Implementation (Information Security Respondents)
Source: 451 Research, Voice of the Enterprise: Information Security, Workloads and Key Projects 2017
Q10. What is your status of implementation for each of the following technologies?

Chart legend: In Use (Not Including Pilots) | In Pilot/Proof of Concept | Planning To Deploy in the Next 6 Months | Planning To Deploy in the Next 6-12 Months | Planning To Deploy in the Next 12-24 Months | Not in Plan
Only the "In Use (Not Including Pilots)" column is reproduced here, percent of sample:
88.6%  Firewall (Including Next-Generation Firewall) (n = 599)
80.2%  Web Content Filtering (n = 586)
76.0%  Vulnerability Management (Scanning) (n = 588)
70.8%  Intrusion Detection/Prevention Systems (IDS/IPS) (n = 579)
70.6%  Encryption (n = 588)
66.4%  Information Security Awareness Training (n = 584)
55.7%  Multi-Factor Authentication (n = 574)
54.0%  Web Application Firewall (WAF) (n = 522)
49.6%  Mobile Device Management (MDM)/Enterprise Mobility Management (EMM) (n = 568)
46.9%  Anti-DDoS (Distributed Denial of Service) (n = 525)
44.1%  Computer Forensics/Incident Response (n = 542)
39.5%  Identity as a Service (IDaaS)/Single Sign-On (n = 550)
33.0%  Data Leakage Prevention (DLP) (n = 528)
29.5%  Managed Security Services Provider (MSSP) (n = 509)
29.1%  Threat Intelligence Platforms (n = 501)
13.5%  User Behavior Analytics (UBA) (n = 489)
Metrics

SOC Events
Grow operational maturity by constantly improving the quality and types of notifications in the SOC.
●  Follows ATT&CK concepts
●  Doesn’t matter where you start
●  Forces the right behaviors

Usual Suspects
Patching, vulnerabilities, # apps, # brokers, # DCs, # users, # FIDs, # certs, # domains, # security agents, team size, LOC, etc.
●  The basics still apply
●  Consider false positives also
●  Reduce friction for adoption

Emphasize Age
Cluster, VM, container, brokers, credentials: they all have ages worth measuring and attempting to shorten.
●  Older is more fragile
●  Requires automation
●  Forces the right behaviors
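The Emphasize Age column asks for one metric per object type: how old is the oldest one, how old is the typical one, and how many are past the limit the rotate/repave automation is supposed to enforce. The following is an added example written for this page, not code from the presentation or from Pivotal. The inventory snapshot, the fixed reference time and the per-type maximum ages are constructed assumptions; in practice the inventory comes from the platform's credential store, scheduler and IaaS APIs and the reference time from the clock.

```python
"""Age metrics for platform objects: measure it before you can shorten it.

Added example, not the presentation's or Pivotal's code. Inventory, reference
time and per-type age limits are constructed assumptions.
"""
from datetime import datetime, timezone
from statistics import median
from typing import Dict, List, NamedTuple


class Item(NamedTuple):
    kind: str         # credential | container | vm | cluster
    name: str
    created_at: str   # ISO 8601 with timezone offset


# Constructed inventory snapshot.
INVENTORY: List[Item] = [
    Item("credential", "payments-db-password", "2018-02-01T00:00:00+00:00"),
    Item("credential", "ci-deploy-token",      "2018-04-20T00:00:00+00:00"),
    Item("container",  "payments-api-0",       "2018-04-25T00:00:00+00:00"),
    Item("container",  "legacy-batch-3",       "2018-03-01T00:00:00+00:00"),
    Item("vm",         "diego-cell-7",         "2018-04-10T00:00:00+00:00"),
    Item("vm",         "bastion-1",            "2017-11-01T00:00:00+00:00"),
    Item("cluster",    "pks-prod",             "2018-01-15T00:00:00+00:00"),
]

# Assumed maximum acceptable age per object type, in days. Pick limits the
# automation can actually hit, then tighten them as repave/rotate tooling matures.
MAX_AGE_DAYS: Dict[str, int] = {"credential": 30, "container": 7, "vm": 30, "cluster": 90}

# Fixed reference time (the deck's date) so the example is deterministic.
NOW = datetime(2018, 4, 26, tzinfo=timezone.utc)


def age_days(item: Item, now: datetime = NOW) -> int:
    """Whole days since creation. Naive timestamps are refused: an implicit local
    timezone would quietly shift every age by hours and hide limit breaches."""
    created = datetime.fromisoformat(item.created_at)
    if created.tzinfo is None:
        raise ValueError(f"{item.name}: created_at must carry a timezone offset")
    return (now - created).days


def stale_items(inventory: List[Item], now: datetime = NOW,
                limits: Dict[str, int] = MAX_AGE_DAYS) -> List[Item]:
    """Objects older than their type's limit: the rotate/repave backlog, in inventory order."""
    return [item for item in inventory if age_days(item, now) > limits[item.kind]]


def summarize(inventory: List[Item], now: datetime = NOW,
              limits: Dict[str, int] = MAX_AGE_DAYS) -> Dict[str, Dict[str, float]]:
    """Per type: count, median and oldest age in days, and how many exceed the limit."""
    by_kind: Dict[str, List[int]] = {}
    for item in inventory:
        by_kind.setdefault(item.kind, []).append(age_days(item, now))
    return {
        kind: {
            "count": len(ages),
            "median_age_days": median(ages),
            "max_age_days": max(ages),
            "over_limit": sum(1 for age in ages if age > limits[kind]),
        }
        for kind, ages in by_kind.items()
    }


if __name__ == "__main__":
    for kind, stats in summarize(INVENTORY).items():
        print(f"{kind:<11}{stats}")
    for item in stale_items(INVENTORY):
        print(f"STALE {item.kind} {item.name}: {age_days(item)} days")
```

Report the maximum as well as the median: a median of a few days with a maximum of six months is the usual shape when automation handles the happy path and a hand-built bastion or a forgotten service credential sits outside it. Those outliers, not the average, are where "older is more fragile" bites, and the over_limit count per type is the number that drives the rotate and repave backlog.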
INFORMATION SECURITY: ORGANIZATIONAL DYNAMICS 2017
Metrics To Manage Security (Information Security Respondents)
Source: 451 Research, Voice of the Enterprise: Information Security, Organizational Dynamics 2017
Q44. Which of the following metrics does your organization use/track for information security staff? Please select all that apply.

Percent of sample                                  Q2 2016 (n=837)   Q2 2017 (n=421)
Security Incidents Resolved                             53.0%             47.5%
Tickets Resolved (e.g., ‘Trouble Tickets’)              42.8%             39.0%
Audit Issues Resolved                                   44.9%             34.4%
Application Availability (e.g., Uptime/Downtime)        34.2%             34.2%
Project Completion                                      34.4%             32.3%
Time to Recovery/Restore from an Outage                 31.2%             29.2%
Lack of Data Breaches                                   32.4%             28.3%
We Don’t Use Metrics                                    21.9%             21.9%
Other                                                    2.2%              4.0%
It’s possible to be more secure and go faster.

Repair
Repair vulnerable software as soon as updates are available.

Repave
Repave servers and applications from a known good state. Do this often.

Rotate
Rotate user credentials frequently, so they are only useful for short periods of time.

Turnkey Compliance
Apps inherit controls from the platform, simplifying audits.

Call to Action: Investigate Cloud Native Security
Reduce Your MTTR | Resist Advanced Persistent Threats | Reduce the Threat of Leaked Credentials
[Diagram: the Pivotal Cloud Foundry platform stack and where the "3Rs" apply]
IaaS: vSphere | Azure & Azure Stack | Google Cloud | AWS | OpenStack, reached through the CPI (15 methods); NSX-T networking
Embedded OS (Windows & Linux), shipped as product updates (v1, v2, v3, ...) carrying CVE fixes via Pivotal Network
Runtimes: Pivotal Application Service (PAS, cf push) and Pivotal Container Service (PKS, kubectl run)
Application code & frameworks: Buildpacks | Spring Boot | Spring Cloud | Steeltoe; Java | .NET | NodeJS
Services: Pivotal Services Marketplace (Pivotal and partner products such as Elastic | Packaged Software | Spark), public cloud services and customer-managed services, all bound through the Open Service Broker API
Continuous delivery: Github, Concourse
3Rs: Repair (CVEs) | Repave | Rotate (Credhub)
Thank You. Questions?
Transforming How The World Builds Software