Threat Stack

Implementing Better DevOps Security: Expert Perspectives

On Wednesday, Threat Stack was featured in an important GigaOM webinar panel, Iron Clad DevOps Security for Your EC2 Environments. The panel included our own Director of Ops and Support, Pete Cheslock, along with David Linthicum of GigaOM, Greg Ferro, Independent Analyst, and Matt Sarrel, Executive Director of Sarrel Group. It was a deeply informative hour-long discussion, which David himself called one of the best security webinars he’s had. We couldn’t agree more!

In case you couldn’t make it yesterday, or if you want to go through it again, here is the live recording of the webinar, as well as a recap of the top advice shared by the panelists.


This webinar matters because public cloud infrastructure environments like AWS still lack sophisticated built-in security features. We’re at a point now where it’s critical for DevOps teams to implement audit trails in order to adhere to compliance and regulatory mandates.

Expert Insights: Panel Q&A

“What are the limitations to gaining visibility and understanding security coverage in an AWS environment, and how can they be overcome?”

“There is a big risk in assuming AWS handles security for you, and as your AWS footprint extends, your attack surface grows exponentially,” Greg explained. If you don’t have proper visibility, you won’t know where exposures even exist. Pete added that shadow IT is a big factor in limiting visibility. “What we’re going to see more of in the next few years is security getting ingrained in development processes from the start.”

“What are the key advantages of using continuous security monitoring and auditing to keep data secure?”

Pete posed this question: “Think about where you want to put your engineering calories: Do you want to maintain security yourself or outsource that knowledge to someone who can manage it better and faster?” Continuous monitoring gives you a real-time view into the files you care about, whereas most traditional and in-house security methods don’t separate the signal from the noise since they are not operating at the network or host layer. This has led to major security vulnerabilities such as Bash and Ghost going unnoticed.

Greg explained that because a breach can happen at any time, continuous monitoring is now a necessity. Security threats don’t keep regular business hours; they happen 24/7, so you need a system that looks for them at all times.

“Why aren’t people implementing this and dealing with operational aspects of security?”

Knowing the ups and downs of auditd and OSSEC all too well, Pete explained that while these open source tools have been around for a while, they are painful to implement and automate, which is why many companies simply don’t use them. The other option has been to build your own security tools in-house, yet these are hard to maintain. Solutions like Threat Stack, on the other hand, are up and running in minutes and completely automated, making security a no-brainer for DevOps. To that point, Matt stressed that security and operations teams must be much more proactive given the amount of data they are dealing with.

“What are the differences between continuous monitoring and polling?”

All panelists agreed that continuous security monitoring is proactive, polling is not. While polling will notify you of file changes, most changes are unimportant, especially given the lack of context polling provides. It’s back to the signal versus noise problem. Worse, polling only gets data every few minutes, whereas continuous monitoring gets data instantly and analyzes it in real-time.

“The biggest differentiator of continuous monitoring is the speed with which you can get that information out of the system by targeting files or processes you care about and placing special attention on them. This determines who did what when,” said Pete. Threat Stack does this by having our agent talk to the kernel, capturing data at the kernel layer as ports are opened and files are touched. We then tie all that data together for quicker, smarter insights.
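To make the polling-versus-continuous distinction concrete, here is an added simulation (not code from Threat Stack or the panelists) that replays a constructed write timeline against both approaches. A watched file is edited and then restored between two polls, so the hash-comparison poller reports nothing and can never say who made the change, while the event-driven monitor sees both writes with the acting user attached.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class WriteEvent:
    ts: int         # seconds since monitoring started
    user: str       # who performed the write
    path: str
    content: bytes  # file contents after the write

# Constructed timeline (not real data): /etc/sudoers is edited at t=10 and
# restored at t=45, i.e. between two 60-second polls; an unwatched log rotates at t=70.
INITIAL = {"/etc/sudoers": b"root ALL=(ALL) ALL\n", "/var/log/app.log": b""}
EVENTS = [
    WriteEvent(10, "bob", "/etc/sudoers", b"root ALL=(ALL) ALL\nbob ALL=(ALL) NOPASSWD: ALL\n"),
    WriteEvent(45, "bob", "/etc/sudoers", b"root ALL=(ALL) ALL\n"),
    WriteEvent(70, "deploy", "/var/log/app.log", b"rotated\n"),
]
WATCHED = {"/etc/sudoers"}  # the files we actually care about (signal, not noise)

def state_at(ts):
    """Replay the timeline to get every file's contents at time ts."""
    state = dict(INITIAL)
    for e in EVENTS:
        if e.ts <= ts:
            state[e.path] = e.content
    return state

def digests_at(ts):
    return {p: hashlib.sha256(c).hexdigest() for p, c in state_at(ts).items() if p in WATCHED}

def poll_monitor(interval, horizon):
    """Polling: compare hashes of watched files every `interval` seconds.
    It sees only the net difference between two samples and never learns who wrote."""
    alerts, last = [], digests_at(0)
    for ts in range(interval, horizon + 1, interval):
        now = digests_at(ts)
        alerts += [(ts, None, p) for p in WATCHED if now[p] != last[p]]
        last = now
    return alerts

def continuous_monitor():
    """Event-driven: every write on a watched path is delivered as it happens,
    with the acting user attached (who did what, when)."""
    return [(e.ts, e.user, e.path) for e in EVENTS if e.path in WATCHED]

if __name__ == "__main__":
    print("polling @60s:", poll_monitor(60, 120))  # [] -> the edit-and-revert is missed entirely
    print("continuous  :", continuous_monitor())   # both writes, attributed to bob
```

Shortening the poll interval to 30 seconds does catch the two changes, but still reports them late and without attribution, and the unwatched log rotation is never surfaced by either approach.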

“What are the key advantages of anomaly based behavioral intrusion detection compared to signature based alerts?”

Signature-based alerts tell you what you already know — they’re the known knowns. In fact, Greg reported that the detection rate in signature-based systems is merely 40%. “The real magic happens when a tool can see anomalous activity, so when alerts fire and tell you there are behavior changes, you can respond immediately,” said Pete. Matt added that, “Timeliness is important in understanding what’s going on, digesting it, and responding to it. There is a delay in that process when using signature-based alerts.”
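The “known knowns” point can be shown with a small added example (mine, not the panel’s or any product’s code): a signature detector with a static blocklist and a baseline detector that learns which (user, process, port) triples are normal, both run over constructed auditd-style events. The process names and ports are made up for illustration.

```python
from collections import Counter

# Constructed auditd-style host events (not real data): (timestamp, user, process, dst_port)
BASELINE_WINDOW = [
    (100, "www", "nginx", 443), (160, "www", "nginx", 443),
    (220, "deploy", "sshd", 22), (280, "deploy", "sshd", 22),
    (340, "app", "python3", 5432), (400, "app", "python3", 5432),
]
LIVE_WINDOW = [
    (1000, "www", "nginx", 443),      # normal
    (1060, "app", "python3", 5432),   # normal
    (1120, "www", "badtool", 8443),   # matches a known signature (constructed name)
    (1180, "www", "curl", 9001),      # legitimate binary, never-before-seen behaviour
]
# Signature: a static list of process names already known to be malicious.
KNOWN_BAD_PROCESSES = {"badtool"}

def signature_alerts(events):
    """Flags only the 'known knowns': processes already on the blocklist."""
    return [e for e in events if e[2] in KNOWN_BAD_PROCESSES]

def learn_baseline(events):
    """Learn which (user, process, port) triples are normal for this host.
    In practice the window is much longer and tuned, or every new deploy fires."""
    return Counter((user, proc, port) for _, user, proc, port in events)

def anomaly_alerts(events, baseline):
    """Flags any triple that never occurred during the baseline window."""
    return [e for e in events if (e[1], e[2], e[3]) not in baseline]

def missed_by_signatures(events, baseline):
    """What behaviour-based detection surfaces that a signature-only system would miss."""
    sig = set(signature_alerts(events))
    return [e for e in anomaly_alerts(events, baseline) if e not in sig]

if __name__ == "__main__":
    base = learn_baseline(BASELINE_WINDOW)
    print("signature:", signature_alerts(LIVE_WINDOW))        # badtool only
    print("anomaly  :", anomaly_alerts(LIVE_WINDOW, base))    # badtool and curl -> 9001
    print("gap      :", missed_by_signatures(LIVE_WINDOW, base))
```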

“What is the largest concern around DevOps Security?”

We asked the audience about their biggest DevOps security concerns this year. The results were not too surprising:

  1. Data breaches: 60% are most concerned
  2. Operations-oriented security: 25% are most concerned
  3. Security monitoring: 8% are most concerned
  4. Security auditing: 8% are most concerned

Of course all four are important, but a data breach is the worst and most public scenario. The other three areas of concern deal with what you can do to avoid the breach, which is now at the forefront of nearly everyone’s to-do list.

“What measures are proven to be successful to protect against zero day attacks?”

Matt explained that anomaly detection is most successful, as well as staying on top of new security issues so you can implement a patch before they hit you. “Zero day attacks get a lot of attention, but the ones that are most common are those that are old vulnerabilities rehashed. This includes some zero day attacks, which is why patching and decreasing your attack surface to begin with keeps your systems lean,” he advised.

To know your attack surfaces, who owns them and what is happening on them, you need smart monitoring tools to do the thinking for you so you’re well ahead of the game. While cloud services give you a lot of great tools, Pete emphasized that you still need to reduce what is visible from the outside. His advice is to limit the ability to open a port, enable two-factor authentication everywhere, implement centralized logging, monitor for host-based events and collect event details. The best part is that DevOps can monitor all of this the same way they monitor for high memory usage.

“What are the key factors critical to provide comprehensive data security for public cloud environments?”

“If it happens on your systems, it needs to be recorded,” explained Pete. “Going a step further, no matter how much you monitor or patch, you must know normal versus abnormal behavior indicators from your cloud security monitoring solution to help drive your security response.”

“What are the security gaps that need to be addressed to architect a secure solution in an EC2 environment?”

“Just because you’ve moved to the cloud doesn’t mean security is taken care of for you,” Greg explained. You face many of the same security risks since your EC2 environment has now become an attack vector, which is why continuous security monitoring is critical in the cloud. “Enterprises throw away their security practices and processes when they move to the cloud, but there are still big security vulnerabilities,” he said.

“What can businesses learn from early adopters of PaaS for their DevOps needs?”

“When it comes to bringing servers up and down, there are huge flexibility and speed benefits,” Matt explained. However, there are two main things to look out for: system sprawl, as Matt mentioned, and, as Greg explained, the responsibility of securing two platforms. You not only have to secure the platform itself; once it’s deployed and accessible over the internet, the application itself needs to be secured too. With DevOps, both of these can be brought together.

There is no set process for implementing PaaS, but fortunately there are many ways to learn how to (and how not to) do it available online, as early adopters have paved the way and documented their experiences. There are also systems and applications in place now, such as Threat Stack, that take the pain out of PaaS by helping users better protect their cloud environments.

In a Wrap

We had an excellent time being a part of this deep discussion on a very timely and important topic. It’s the lack of visibility and the complex nature of cloud security that have driven Threat Stack to make modern security clear and simple. Our ultimate goal is to create an intelligent security service that allows you to get back to growing your business and providing value to your customers, not wondering whether you’re protected. Start a free trial today to see what you’ve been missing.