This week's articles
Introducing Twilio's SOCless: Automated Security Runbooks
Twilio just released SOCless, a serverless framework built to help organizations automate their incident response and security operations processes, so that they can respond to threats quickly and at scale. The idea behind SOCless is to let security teams focus on designing their runbooks, while SOCless executes them quickly and reliably in response to threats.
How Dropbox Security builds tools for threat detection and incident response
This week has apparently been strong on incident detection and alerting, with the Dropbox Detection and Response Team (DART) also discussing their alerting and response pipeline, which uses Kafka, Python and Jupyter notebooks to build new tools. Alertbox was the first project built to cut down their triage time: the goal was to move DART's alert response runbooks into code and have them execute before an analyst even begins triage.
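Both SOCless and Alertbox rest on the same idea: a runbook is a list of steps that can be run as code before a human looks at the alert. The following is an added example of that pattern, written for this digest, and is not SOCless or Alertbox code. The user directory, network ranges, alerts and the Alert/Step shapes are all constructed for the example.

```python
"""Added example (not SOCless or Alertbox code): a tiny 'runbook as code' pipeline.

Each runbook step is a plain function that enriches an alert before an analyst
sees it. Directory entries, network ranges and alerts below are all constructed
for this example; the Alert/Step shapes are this example's own.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed stand-ins for a user directory and a network inventory.
USER_DIRECTORY = {
    "alice": {"team": "finance", "home_country": "US", "mfa": True},
    "bob": {"team": "sre", "home_country": "DE", "mfa": False},
}
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("203.0.113.0/24")]  # documentation range, constructed


@dataclass
class Alert:
    name: str
    user: str
    src_ip: str
    country: str
    context: Dict[str, object] = field(default_factory=dict)
    severity: str = "low"


Step = Callable[[Alert], Alert]


def enrich_user(alert: Alert) -> Alert:
    """Attach directory attributes so the analyst does not look them up by hand."""
    alert.context["user"] = USER_DIRECTORY.get(alert.user, {"unknown": True})
    return alert


def classify_source(alert: Alert) -> Alert:
    """Record whether the source address is inside a known corporate range."""
    ip = ipaddress.ip_address(alert.src_ip)
    alert.context["corporate_ip"] = any(ip in net for net in CORPORATE_NETS)
    return alert


def check_travel(alert: Alert) -> Alert:
    """Flag logins from a country other than the user's usual one."""
    home = alert.context["user"].get("home_country")
    alert.context["new_country"] = home is not None and home != alert.country
    return alert


def score(alert: Alert) -> Alert:
    """Turn the gathered facts into a severity with fixed, reviewable rules."""
    c = alert.context
    user = c["user"]
    points = 0
    if c["new_country"]:
        points += 2
    if not c["corporate_ip"]:
        points += 1
    if not user.get("mfa", False):
        points += 2
    if user.get("unknown"):
        points += 3
    alert.severity = "high" if points >= 4 else "medium" if points >= 2 else "low"
    return alert


# The runbook is an ordered list of steps; adding a step means adding a function.
LOGIN_RUNBOOK: List[Step] = [enrich_user, classify_source, check_travel, score]


def run_runbook(alert: Alert, steps: List[Step] = LOGIN_RUNBOOK) -> Alert:
    for step in steps:
        alert = step(alert)
    return alert


# Constructed alerts, shaped like what a detection pipeline might emit.
SAMPLE_ALERTS = [
    Alert("login", "alice", "10.1.2.3", "US"),
    Alert("login", "bob", "10.0.0.5", "DE"),
    Alert("login", "bob", "198.51.100.7", "BR"),
    Alert("login", "mallory", "203.0.113.5", "US"),
]


def triage_queue(alerts: List[Alert] = SAMPLE_ALERTS) -> List[tuple]:
    """Run the runbook over every alert and return (user, severity), highest first."""
    order = {"high": 0, "medium": 1, "low": 2}
    enriched = [run_runbook(a) for a in alerts]
    enriched.sort(key=lambda a: order[a.severity])
    return [(a.user, a.severity) for a in enriched]


if __name__ == "__main__":
    for user, severity in triage_queue():
        print(f"{severity:6} {user}")
```

The point of the structure is that every enrichment the analyst would otherwise do by hand (directory lookup, network classification, travel check) has already happened when the alert reaches the queue, and the scoring rules are plain code that can be reviewed and unit-tested like anything else.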
What's Next for Vault and Kubernetes
Hashicorp is considering releasing a plugin for Kubernetes designed to mount Vault secrets in a Pod. Injecting Vault secrets into Pods via a sidecar will enable more automatic access to secrets within the context of applications that don’t have native Vault logic built-in. This will allow applications to only concern themselves with finding a secret at a filesystem path, rather than managing the auth tokens and other mechanisms for direct interaction with Vault.
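What the sidecar pattern buys the application is shown in this added example (written for this digest, not HashiCorp code): one side writes the secret file, the other side only reads a path, picks up rotations, and refuses a file that is readable by other users. write_secret() stands in for whatever writes the file; the paths and values are constructed.

```python
"""Added example (not HashiCorp code): consuming a secret that an agent or sidecar
keeps on the filesystem, instead of calling Vault from the application.

write_secret() stands in for the writer side (a sidecar in the pattern discussed
above); FileSecret is the application side. Paths and values are constructed.
"""
import os
import stat
import tempfile
from pathlib import Path


def write_secret(path: str, value: str) -> None:
    """Write a secret file atomically with owner-only permissions (the writer side)."""
    tmp = f"{path}.tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(value)
    os.replace(tmp, path)  # readers never observe a half-written file


class FileSecret:
    """Application side: read the secret from a path and pick up rotations."""

    def __init__(self, path: str):
        self.path = Path(path)
        self._stamp = None   # (inode, mtime_ns, size) of the version last read
        self._value = None

    def get(self) -> str:
        st = self.path.stat()
        # Refuse a secret file that group or others can read.
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(f"{self.path} is readable by group/other")
        stamp = (st.st_ino, st.st_mtime_ns, st.st_size)
        if stamp != self._stamp:  # the writer replaced the file: reload
            self._value = self.path.read_text().strip()
            self._stamp = stamp
        return self._value


def demo() -> dict:
    """Exercise both sides in a temporary directory and report what happened."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "db-password")
        write_secret(path, "s3cret-v1")
        secret = FileSecret(path)
        first = secret.get()
        write_secret(path, "s3cret-v2-rotated")
        after_rotation = secret.get()
        os.chmod(path, 0o644)
        try:
            secret.get()
            rejected = False
        except PermissionError:
            rejected = True
    return {"first": first, "after_rotation": after_rotation,
            "world_readable_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The application never holds a Vault token and never learns the Vault address; if the secret is rotated, the next read returns the new value because the file was replaced, not edited in place. The permission check is the caveat worth keeping: a mounted secret path is only as private as its file mode.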
Beyond The Security Team
This is the transcript of the keynote Julien Vehent delivered at DevSecCon Seattle in September 2019. Julien talks about his interesting journey within the security industry, and describes why and how to bring the security team closer to the rest of your organization.
How the scorecard works
This is a post from Chris Farris which I didn't appreciate enough when it was first published (but I'm redeeming myself now). The post describes a process to perform inventory and generate scorecards on an hourly basis using the basic building blocks of AWS, and announces the release of Antiope, an Inventory and Compliance Framework for AWS. I'm very curious to see how this approach could be adapted to GCP.
Security Program Tactics. A thread.
When starting or reinvigorating a security program, focus on a small number of meta-objectives that can have sustained outsize effects - as well as diving into the immediate and very specific things that need improving.
Amazon CloudWatch Anomaly Detection
CloudWatch just announced Anomaly Detection, which aims to help avoid manual configuration and experimentation, and can be used in conjunction with any standard or custom CloudWatch metric that has a discernible trend or pattern.