A Must Read – Bright Fulton on Log Management

Log management is hard. Always has been, always will be. Good to know that there are bright folks like Mr. Fulton and his team over at @swipley that get it. (and share!)
Technically –| Rsyslog –> Logstash –> S3 and Sumologic

Tactically –| “Engineers at Swipely start weekly tactical meetings by reporting trailing seven day metrics. For example: features shipped, slowest requests, error rates, analytics pipeline durations. These indicators help guide and prioritize discussion. Although many of these metrics are from different sources, we like to see them together in one dashboard. With sumo-search and the Search Job API, we can turn any number from a log query into a dashboard widget in a couple lines of Ruby.”

Brilliant.

Read his post via the @Sumologic blog here.
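The quoted passage turns log queries into trailing seven-day numbers. As an added example (not code from the Swipely post, and not using the Sumo Logic Search Job API or sumo-search it describes), the block below computes two of those metrics, error rate and slowest requests, directly from constructed request log lines. The syslog-style line format, host names and every log line are assumptions made up for this example.

```python
"""Trailing seven-day metrics from application log lines.

Added example, not code from the Swipely post or from the Sumo Logic tooling
it describes. The log format (syslog-style prefix followed by key=value
pairs) and every line in SAMPLE_LOG are constructed for this example.
"""
from datetime import datetime, timedelta
import re

# Constructed sample: one request per line, as rsyslog might forward it.
# The last line is older than seven days and must be excluded.
SAMPLE_LOG = """\
2014-06-01T10:00:00Z web1 app: method=GET path=/api/orders status=200 duration_ms=120
2014-06-03T11:15:00Z web1 app: method=POST path=/api/orders status=500 duration_ms=2300
2014-06-05T09:30:00Z web2 app: method=GET path=/api/users status=200 duration_ms=85
2014-06-07T14:00:00Z web2 app: method=GET path=/api/report status=200 duration_ms=4100
2014-06-08T08:45:00Z web1 app: method=GET path=/api/orders status=503 duration_ms=50
2014-05-20T12:00:00Z web1 app: method=GET path=/api/orders status=500 duration_ms=900
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) app: (?P<kv>.*)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"ts": datetime.strptime(m.group("ts"), TS_FMT), "host": m.group("host")}
    for pair in m.group("kv").split():
        key, _, value = pair.partition("=")
        event[key] = value
    event["status"] = int(event["status"])
    event["duration_ms"] = int(event["duration_ms"])
    return event


def trailing_window(events, now, days=7):
    """Keep only events whose timestamp falls in (now - days, now]."""
    start = now - timedelta(days=days)
    return [e for e in events if start < e["ts"] <= now]


def error_rate(events):
    """Fraction of requests with a 5xx status; 0.0 when there are no requests."""
    if not events:
        return 0.0
    errors = sum(1 for e in events if 500 <= e["status"] < 600)
    return errors / len(events)


def slowest_requests(events, n=3):
    """The n slowest requests as (path, duration_ms), slowest first."""
    ranked = sorted(events, key=lambda e: e["duration_ms"], reverse=True)
    return [(e["path"], e["duration_ms"]) for e in ranked[:n]]


def weekly_metrics(log_text, now_iso):
    """The trailing-seven-day numbers a weekly dashboard would show."""
    now = datetime.strptime(now_iso, TS_FMT)
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    window = trailing_window(events, now)
    return {
        "requests": len(window),
        "error_rate": error_rate(window),
        "slowest": slowest_requests(window),
    }


if __name__ == "__main__":
    print(weekly_metrics(SAMPLE_LOG, "2014-06-08T09:00:00Z"))
```

Lines that do not match the expected format are dropped rather than guessed at, and the window is half-open so a request stamped exactly seven days ago is not double counted across consecutive weeks.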


CoreOS and Docker – Game-changers that security pros should know about

Key Takeaways: CoreOS and Docker will fundamentally change the way SaaS companies deliver software. CoreOS and Docker used together provide a compelling package by combining an “operating system as a service” and an application container to run applications in isolation from the operating system. Security professionals should know that the introduction of these technologies will mitigate some traditional risks while creating others.
CoreOS in particular is interesting in the way that it handles operating system updates and patches using an active/passive partition scheme.  More information here.

The ability to sanely roll operating system updates into the deployment lifecycle will solve a major pain point for SaaS operations. The dirty little secret is that while many agile shops are starting to push code out “continuously”, operating systems are often left either untouched or unpatched.
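To make the active/passive partition idea concrete, here is an added example that models the general A/B root scheme in Python. It is not CoreOS code and does not use its update engine or partition attributes: the slot names, image bytes and digests are all constructed. The two properties worth noticing are that the running slot is never written to, and that a staged slot which fails its first boot (or fails integrity verification before it is even activated) gives way to the slot that was already known good.

```python
"""Model of an active/passive (A/B) root partition update.

Added example; not CoreOS code. Two root slots exist. An update is written
to the passive slot, verified against a published digest, then made active
with a single trial boot. If that boot does not complete, the system falls
back to the previously successful slot. Images and digests are constructed.
"""
import hashlib


class Slot:
    def __init__(self, name, image, successful):
        self.name = name
        self.image = image            # bytes standing in for the root filesystem
        self.successful = successful  # set once a boot from this slot completed
        self.tries_left = 0           # trial boots allowed before falling back


class ABSystem:
    def __init__(self, image_a):
        self.slots = {"A": Slot("A", image_a, successful=True),
                      "B": Slot("B", b"", successful=False)}
        self.active = "A"

    def passive(self):
        return "B" if self.active == "A" else "A"

    def stage_update(self, image, expected_sha256):
        """Write a new image to the passive slot and make it active for one trial boot.

        Returns False, leaving everything untouched, if the digest does not
        match: a corrupt or tampered download is never written to a slot.
        """
        if hashlib.sha256(image).hexdigest() != expected_sha256:
            return False
        target = self.slots[self.passive()]
        target.image = image
        target.successful = False
        target.tries_left = 1
        self.active = target.name
        return True

    def boot(self, boots_ok):
        """Simulate a reboot; `boots_ok` says whether the active image came up.

        A slot not yet marked successful spends its trial boot. If the boot
        fails, or no tries remain, control returns to the other slot, which
        is the last one that booted successfully.
        """
        slot = self.slots[self.active]
        if not slot.successful:
            if slot.tries_left == 0 or not boots_ok:
                slot.tries_left = 0
                self.active = self.passive()
                return self.active
            slot.tries_left -= 1
            slot.successful = True
        return self.active


def run_demo():
    """A good update, a tampered download, then a bad image that is rolled back."""
    old, good, bad = b"root-v1", b"root-v2", b"root-v3-broken"
    system = ABSystem(old)
    history = []

    staged = system.stage_update(good, hashlib.sha256(good).hexdigest())
    history.append(("staged", staged))
    history.append((system.boot(boots_ok=True), system.slots[system.active].image))

    # Download that does not match the published digest: refused before activation.
    staged = system.stage_update(b"root-v2-tampered", hashlib.sha256(good).hexdigest())
    history.append(("refused", staged))

    # Image that verifies but fails to boot: falls back to the v2 slot.
    staged = system.stage_update(bad, hashlib.sha256(bad).hexdigest())
    history.append(("staged", staged))
    history.append((system.boot(boots_ok=False), system.slots[system.active].image))
    return history


if __name__ == "__main__":
    for step in run_demo():
        print(step)
```

A real implementation additionally has to verify the image signature, not just a digest fetched alongside it, and has to persist the slot flags somewhere the bootloader reads them; the model above only shows the control flow.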

CoreOS will help make “infrastructure as code” less buzzword and more reality in the not too distant future.


A Monkey and a Gun. Netflix’ Latest OSS Project – Security

Operating a highly available, secure SaaS solution in the AWS cloud is hard. The problems faced by both large and small organizations are roughly the same. Therefore it may be logical to assume that the solutions are as well. The only real difference is scale.
Enter Netflix. I have always been impressed by the depth and openness of Netflix relative to the internally developed open source tools they make available through their Open Source Software Center. Startups and emerging companies typically lack the resources to utilize best-of-breed paid solutions for security, availability, cloud management etc.

Netflix has made a conscious decision to pay it forward and I for one appreciate their commitment.

Enter “Security Monkey”. A Netflix security and audit tool for aggregating and reporting on configuration, specifically as it relates to state. The last point is important. As explained by Netflix:

“CloudTrail provides verbose data on API calls, but has no sense of state in terms of how a particular configuration item (e.g. security group) has changed over time. Security Monkey provides exactly this capability.”

Security Monkey adds another tool to the AWS security practitioner’s tool belt to help mitigate operational risk and prove up our security posture at audit time. Win-Win.
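The quoted distinction between an API-call log and configuration state is easiest to see in code. The block below is an added example, not Security Monkey’s code or data model: it takes two point-in-time snapshots of one security group, in a constructed dict layout loosely modelled on the fields a describe-security-groups call returns, reports which ingress rules were added or removed between them, and rates the additions the way an auditor would. CloudTrail would record the AuthorizeSecurityGroupIngress call; the diff shows what the group looked like before and after. The group ID, rules and severity thresholds are assumptions made for the example.

```python
"""Diffing configuration state between two snapshots of a security group.

Added example; not Security Monkey's code. Snapshots are constructed dicts
whose field names are borrowed from the AWS API shape (IpProtocol, FromPort,
ToPort) with a simplified single "Source" CIDR per rule.
"""

# Ports a world-reachable rule should never silently start covering.
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 6379, 27017}


def rule_key(rule):
    """Hashable identity for one ingress rule: protocol, port range, source."""
    return (rule["IpProtocol"], rule.get("FromPort"), rule.get("ToPort"), rule["Source"])


def diff_ingress(old_snapshot, new_snapshot):
    """Return (added, removed) ingress rules between two snapshots, in a stable order."""
    old = {rule_key(r): r for r in old_snapshot["IpPermissions"]}
    new = {rule_key(r): r for r in new_snapshot["IpPermissions"]}
    added = [new[k] for k in sorted(new.keys() - old.keys(), key=repr)]
    removed = [old[k] for k in sorted(old.keys() - new.keys(), key=repr)]
    return added, removed


def is_world_open(rule):
    return rule["Source"] in ("0.0.0.0/0", "::/0")


def covers_sensitive_port(rule):
    if rule["IpProtocol"] == "-1":  # all protocols, all ports
        return True
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if lo is None or hi is None:
        return False
    return any(lo <= p <= hi for p in SENSITIVE_PORTS)


def audit_changes(old_snapshot, new_snapshot):
    """Findings (severity, message, rule) for what changed since the last snapshot."""
    added, removed = diff_ingress(old_snapshot, new_snapshot)
    findings = []
    for r in added:
        if is_world_open(r) and covers_sensitive_port(r):
            findings.append(("HIGH", "world-reachable sensitive port", rule_key(r)))
        elif is_world_open(r):
            findings.append(("MEDIUM", "world-reachable rule added", rule_key(r)))
        else:
            findings.append(("INFO", "ingress rule added", rule_key(r)))
    for r in removed:
        findings.append(("INFO", "ingress rule removed", rule_key(r)))
    return findings


# Constructed snapshots of the same group taken at two different times.
SNAPSHOT_T0 = {
    "GroupId": "sg-0123",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "Source": "0.0.0.0/0"},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "Source": "10.0.0.0/8"},
    ],
}
SNAPSHOT_T1 = {
    "GroupId": "sg-0123",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "Source": "0.0.0.0/0"},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "Source": "0.0.0.0/0"},
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "Source": "10.1.0.0/16"},
    ],
}

if __name__ == "__main__":
    for finding in audit_changes(SNAPSHOT_T0, SNAPSHOT_T1):
        print(*finding)
```

The rule that matters here, SSH opened from an internal /8 to the whole internet, shows up as a removal of the old rule plus an addition of a new one; a call log alone records two API calls, while the state diff shows the net effect on the group.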

But never give a monkey a gun… BAD security practice.


Austin, Devops and Great Folks

There are a couple of people that I want to take the time to highlight: Ernest Mueller @ernestmueller and Tim Virtue @timvirtue.
Ernest’s thought leadership, publication and iteration of “What is Devops” has been exceedingly helpful in my quest to both define devops in my own head as well as communicate the vision and future of operations/development/cloud to others.

Tim is the first security leader that I know of that has presented devops in the context of security. I had the opportunity to listen and speak to Tim this year at SecureWorld Houston. A SlideShare of his presentation is here.

The fact that both of these guys are in Austin?  Bonus!

My take on agile/devops relative to security? The fundamentals of information security will remain the same. Devops will demand that we, as security leaders, change our tactics and speed the heck up to retain any relevancy in the face of the insane pace that devops and agile processes facilitate.