It All Started With a Wager About System Upgrades
•Télécharger en tant que PPTX, PDF•
1 j'aime•406 vues
When running workloads in Cloud environments, do organizations routinely and blindly upgrade their systems? While immutable infrastructure, blue/green deployments, and treating servers like cattle instead of pets is all the buzz, in reality, successfully executing these practices is trickier than expected.
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (20)
En vedette
En vedette (18)
Similaire à It All Started With a Wager About System Upgrades
Similaire à It All Started With a Wager About System Upgrades (20)
Dernier
Dernier (20)
It All Started With a Wager About System Upgrades
- 1. Why Aren’t Organizations Updating Their Cloud Infrastructure Regularly?: A Reality Check by Sam Bisbee, CTO, Threat Stack The System Upgrade Problem
- 2. 2 Truth: Systems aren’t being upgraded frequently enough We ran the numbers. Over a seven-day period, 13.86% of environments on our system ran incremental software upgrades. That number should be 100%.
- 3. 3 A DEEPER LOOK AT THE NUMBERS We dove into the numbers on our side to find out how, when and with what frequency people are actually updating their systems. Here’s what we learned. Image source
- 4. 4 A DEEPER LOOK AT THE NUMBERS If a server is terminated, it is likely after 1 month, suggesting a regular infrastructure refresh rate. Monthly refreshes aren’t terrible (certainly better than classic enterprise IT)... But it’s not great either (30 days is plenty of time for an attacker to steal and corrupt loads of data.) Average Age of Agents
- 5. 5 THE GOOD NEWS So what exactly are we looking at? These graphs show that if a server survives past its initial month that it’s it’s likely to survive for many months, possibly forever. These workloads are being treated as pets, not cattle. Think databases, load balancers and other critical path systems. Those long living workloads are prime targets for bad actors, especially since so few organizations are patching their systems.
- 6. 6 THE BAD NEWS Our data shows that, though a certain amount of instances are being churned out, there is a large population of critical or high-risk systems (pets) that are not being patched. They’re being left vulnerable for extended periods of time. (Yikes.) Image source
- 7. 7 OKAY, OKAY, ENOUGH FUD. HERE’S WHAT TO DO. The numbers tell the scary story, but we’re here to take the guesswork out of keeping your systems safe. Here’s what you need to know. Image source
- 8. 8 HOW OFTEN TO UPGRADE At a minimum, you should apply security patches from your vendor(s) EVERY DAY (Yes, even on weekends.) How? Use Chef, Puppet or other automation tools to make it easy.
- 9. 9 HOW TO PRIORITIZE VULNERABILITIES Dwell time between public disclosure & security patch can be unpredictable. So you need to know which vulnerabilities are highest priority. CVE (Common Vulnerabilities & Exposures) Ratings are a good place to start. cve.mitre.org
- 10. 10 BUT DON’T RELY ON CVE RATINGS ALONE They are a good initial indicator, but you need more context to appropriately prioritize. Here’s an example: You probably want to patch the medium severity iptables issue on your Internet-facing instances (hello public) before you worry about high severity local privilege escalation on your graphite metrics box (fairly protected.) Image source
- 11. 11 LISTEN TO YOUR MOTHER (OR ME) Some tough love (about cloud security): 1. Stop procrastinating 2. Practice good hygiene There are so many tools out there today to make it easy on you. No excuses. Image source
- 12. 12 READ MORE Check out the full blog post I wrote about these numbers and what they mean: It All Started With a Wager About System Upgrades (Spoiler alert: I lost that wager.) Image source
- 13. Tell us what you think on Twitter: @threatstack @sbisbee THANKS FOR READING 13
Notes de l'éditeur
- Fast Growing companies are increasingly relying on Modern Day Infrastructure (Public, Private, Hybrid Cloud) to fuel business scale However, many businesses find themselves scaling with limited visibility as to what is happening from a security perspective inside their cloud infrastructure, and in particular inside their workloads/VM’s where applications are running and data resides. The debate continues as to whether migration to the Public Cloud is more or less secure than traditional enterprise data center approach, but one fact remains clear. Adoption of public cloud is here today and is here to stay. You don’t need to look any further than projected spend in public cloud to realize it is the present & future reality So the only real question is Scale Blind or Scale with Confidence???
- Threat Stack continues to push the evolution of cloud security. We’ve listened to the market: What they’ve told us is that traditional security is too expensive, overly complex, requires way too much hands on attention to configure, integrate, deploy and manage… and if you do get it to work the data doesn’t tell you the whole story or provide you with actionable insights.... So we got to work to come up with a better, more modern solution that would address and solve these issues. We determined that a modern approach to security would require: An inversion of traditional security. This means starting at the workload, the center of the cloud security universe and the single source of truth, and working inside-out, building on additional layers of context to provide a complete picture of what’s happening in your cloud. We then fully integrated all the services and data streams on to a single cloud-native platform, that can be easily deployed across any enviornment, and is a snap to manage and use. Furthermore we’ve made the solution friendly with your favorite DevOps tools to streamline your existing workflows... The end result...