Transcript
This transcript was autogenerated. To make changes, submit a PR.
Hi everyone, welcome to this session. My name is Arfan Sharif. I'm a technical marketing engineer at CrowdStrike and I work in the Falcon LogScale team. And today I'm going to be covering "It's a log eat log world: crucial log management skills for DevSecOps."
Let's have a look at the agenda for today. What we'll do is we'll start with DevSecOps and talk about the fundamentals around that area. We'll talk through the fundamentals of logging and then we'll tie the two together. So we'll look at what boxes log management can tick for DevSecOps. We can then go into data types and data sources which may be relevant for DevSecOps. We can then talk about best practice, and we'll wrap up on why log management is important for DevSecOps teams.
So just to start, let's talk about DevSecOps fundamentals, particularly about why you need DevSecOps. The rise of cloud technology, as well as containers and microservices, has really fundamentally changed the way that software is developed. In a DevOps culture, APIs and configuration tools are needed to break down the infrastructure as code, which can then be adapted and revised by the development team. So this allows developers to provision and scale the infrastructure without involvement of a separate infrastructure team. There's been a growth of serverless functions, microservices and containers by developers, and this has introduced new security risks that now need to be accounted for. So if you think about the architecture of cloud native applications, it requires its own unique approach to security in terms of policies and controls, while additionally having to meet the challenge of maintaining a consistent security approach across data center and public cloud environments where the applications are being deployed.
And it often has to contend with a lack of maturity of tools for securing containers, API vulnerabilities and other issues. If you think about VM or virtual machine based cloud deployments, security tools and best practices are a bit more mature, and they offer more full-featured detection and visibility into threats and performance issues. At the moment we can't say the same about cloud native environments that are leveraging microservices and containers. Despite these challenges, cloud native approaches offer an opportunity for businesses to transform their security alongside digital initiatives, to support the organization and to reach the peak of DevOps organizations. So to reach that peak, organizations need to find a way to embrace cloud native application development securely, making security an equal consideration alongside development and operations. It's really another important aspect. So coming back to: how does DevSecOps work?
In a DevSecOps approach, security is built into every part of the DevOps lifecycle, and the key tactics involve incorporating infosec professionals or security experts within the DevOps team to oversee the security agenda within the development lifecycle; elevating the security skill set of the IT team so they understand cyber risks and best practice, so that each member can consider the implications during the development process and write code with security in mind; automating security processes and tasks, such as testing for security exploits, to enable an agile workflow; and developing security processes and tools that are specifically designed to support agile technologies such as cloud, containers and microservices.

In a traditional DevOps approach, security testing is often done near the end of the development process, and typically once the application has been deployed to production. This is because security related tasks, such as secure configuration and management and also vulnerability scanning, have historically been known to be fairly time intensive, and essentially they slow down the development process.
Let's talk about log management fundamentals. If you're not familiar with log management itself: essentially, if you think about a log file, it is a text file where applications, including operating systems, write events, and logs show you what happened behind the scenes and when it happened. So if something should go wrong with your systems, you've got a detailed record of every action prior to the anomaly. Therefore, log files make it easier for developers, DevOps, sysadmins and SecOps to get insights and identify the root cause of an issue with applications and infrastructure. Logs are also useful when systems behave normally: you can get insights into how your applications react and perform in order to improve them. There are many different sources of logs as well as log types, and we can talk about some of them as we go through the session.
So now we've had an overview of both, what boxes can log management tick for DevSecOps? Log management provides insight into the health and the compliance of your systems, platforms and applications. Without it, you'd be stumbling around in the dark, hoping to pinpoint sources of performance issues, bugs, unexpected behavior and other similar issues, and you'd be forced to manually inspect multiple log files while trying to troubleshoot production issues. This can be a painful, slow, error prone and expensive process. It's not often scalable either. Log management is especially important for cloud native applications because of their dynamic, distributed and ephemeral nature. Unlike traditional applications, cloud native applications often run in containers. They emit logs to standard output rather than writing them to files. So this means you don't have the default option of manually grepping logs. Typically, you'd capture the logs and ship them to a centralized log management solution. Essentially, in a nutshell, log management enables application and infrastructure operations to troubleshoot problems and allows business stakeholders to derive insights from data embedded in log events. Logs are also known as the key sources of data for many use cases, whether it be IT operations, DevOps or security analytics. Log management solutions bring in data from many different areas behind the use cases we've just discussed. So let's just touch on some of the areas that log management will help DevSecOps with.
Firstly, let's talk about monitoring and troubleshooting. The most common and core log management use case is software application and infrastructure troubleshooting. This is one of the most popular historically, and log events go hand in hand with application monitoring and server monitoring. Developers, DevOps, sysadmins and DevSecOps utilize both metrics and logs, so they're alerted about application and infrastructure performance and health issues, but also to find the root cause of those issues. Having a good log management tool really helps to reduce the mean time to recovery, which in turn improves the user experience. Long downtimes, or even applications and infrastructure that perform poorly, can also be an impact on the organization and the business. Therefore, log management plays a critical role in reducing the mean time to recovery. Logs provide value beyond troubleshooting though. If you have structured logs, either from the source or parsed in the pipeline, you can extract interesting metadata. For example, we often look at slow queries as an example, and we can answer lots of questions depending on how we query the data.
So as touched on, there's a vast amount of data that can be brought into these platforms, and you have the ability to query it based on your requirements and your use cases. And it can be across use cases. So it doesn't have to be structured logs; they can be unstructured logs too, and then you can structure them as you go along.

Now, if you think about improving operations: as applications and systems become more and more complex, so does the size and the difficulty of the operation. SecOps, sysadmins and DevSecOps would have a harder time monitoring everything manually, thus requiring more and more financial resources. By logging, you can identify trends across your company's infrastructure, allowing you to adapt early and come up with solutions that prevent fires versus having to put them out.

Another aspect is actually better resource usage. When it comes to system performance, system overload is also like a dark cloud looming over an organization. You need to keep in mind that it's not always the software at fault, but rather the requests that are going to the server or the environment. Whether there are too many requests or whether they're too complex, your system can have difficulties dealing with them. In this case, log management helps you track resource usage, and you can see when your system is close to being overloaded, so you can allocate enough resources for it to cope. Performance monitoring can let you know if there are any performance issues, for example if the ninetieth percentile queries are slow, and it may also reveal bottlenecks. So if you think about many requests going to a particular node or a particular server, this can cause some issues, and essentially log management will help you identify the issue and be a step in addressing the problem that you're facing.
Now, most of the above actually ties up with user experience, but this is one of the biggest headaches people report with applications: a long response time to a query, or not getting a response at all, is a major challenge. Log management really allows you to monitor requests at any level, whether it's at the API level or at the database level, to see what's actually underperforming. This enables you to step in and understand why something occurred, and helps you keep in control of your user experience.

And last but not least, security and compliance. There's no such thing as too much protection when it comes to IT security, and log analysis is really at the heart of any log management or SIEM solution. From network, system and audit to application logs, anomalies may signal an attack, and logs really help security administrators diagnose anomalies in real time, as they provide a live stream of log events. So whenever someone's attempting to carry out a breach or impact the environment, whether it's from the inside or an external threat, you'll have more insight into what actually happened. And if you have enough data, you can go back in time and look at the trail the adversary may have left as they went through the environment.

Then compliance. The best way to ensure compliance and security and audit requirements is to create a logging and monitoring policy. A log management policy sets security standards for audit logs, including system logs, network access logs, authentication logs, and any other data that correlates a network or system event with a user's activity. More specifically, it provides guidelines as to what to log, where to store the logs, how long you keep this data, and how often it should be reviewed. So compliance is a really key area when it comes to log management itself.
Now let's go into a bit more detail and just talk about some of the logs which are relevant for DevSecOps. In this example here, on the left hand side, we've got many different areas of IT which would generate data, and some of these are much more relevant to DevSecOps than others. On the right hand side we've got the more relevant ones. So we've got things like network data. As we interact with mobile apps, web apps and websites, we generate a lot of network traffic, and network routers or switches and so on can generate lots of data. Unlike server and application logs, or even cloud logs, which are in more modern formats, network data historically has been based on Syslog in terms of the format and the transmission. So that's a common method of working with network data.

You also have server and application logs, traditional sources of logs like servers and the applications running on those servers. The kernel emits log messages such as which drivers it loads, and then there are system services. It will help to show which services are up and available and which ones have been stopped, and then you can have information and context around when a user logged in. This information really helps you diagnose stability and security issues. As for applications, let's say you've got an NGINX web server, or a Java web app running on Apache Tomcat, or a PHP application running in the Apache web server. They'll emit various information, whether it's errors or debug log events, or HTTP status codes. Some of the logs use standard formats, like the common log format, while others use various custom formats including structured logging. So you typically would have key-value logging as well as JSON logs as examples. If you write your own application, it's often suggested to use a structured logging method, which is easier to parse down the pipeline.
One area which is really relevant to DevSecOps would be container logs. Nowadays more and more applications are deployed in containers, and containers and the applications running inside them are a big source of logs. Unlike traditional applications and servers, they're quite promiscuous: a container orchestration framework like Kubernetes moves containers from host to host, adapting to demand and resource availability, and an average container's lifespan can be really short. On top of that, you don't have the practice of SSHing in and tailing and grepping the logs to troubleshoot. This was deemed a bad practice in the cloud native world, and hence it's more important to have a log management solution where all of this ephemeral data can reside and be available, should you need to troubleshoot or carry out an investigation.

Then beyond that you have mobile devices, which are ubiquitous, so you might not think of them as sources of logs, because you can't easily access system or application logs on an iOS or an Android device. There's often limited disk space, and an unreliable network means you can't log verbose messages locally, and you can't assume that you'll ship the logs to a central location in real time. In spite of those challenges, there are ways to get that data in and move it into a central log management solution.

Now, security has a large role to play in all of this data, and it really depends on the use case and what lens you're using, even if you go beyond security. So you could be interested in performance, uptime and availability, or you could be interested in getting security context from that data. So logging is quite unique from that perspective, as you can look at it from the lens you choose to; there's a variety of data, and you can look at it from many different aspects.
Now let's just touch on some DevSecOps best practices. Organizations that want to unify IT operations, the security team and application developers need to make security a core component of the software development workflow. So in order to enable DevSecOps, the organization should do some basic things. Firstly, they should ensure that security testing is incorporated throughout the development cycle and completed by the development team. This was often something that was left right to the end, so it really should be incorporated into the full process. They should enable the development team to manage and solve issues found during the testing. To that end, there are a few DevSecOps best practices that help ensure that the organization can shift to this new agile method.

Essentially, it would be good to dedicate an information security leader within the DevSecOps team, and many teams enable a DevSecOps mindset by including a security champion within their development teams. This is someone who has expertise in application security and has taken more advanced training in this field than most of the team, and this person can review security fixes to make sure they're correct. So involve your security champion or team early in the development process, integrating best practice from the initial phases of development, and really be able to upskill the IT team to ensure security is infused throughout every aspect of the development lifecycle itself. This is really essential. And given that this wasn't a core responsibility of a DevOps engineer in the past, it might be necessary for the organization to upskill staff to support these new requirements. Organizations can work with their cybersecurity partners to develop a curriculum or training to really advance with this process.

Now, some of the other key aspects that should be considered are really automation, where recurring security processes should be automated, and log analysis, which is really the next part of the process. From a security viewpoint, it's vital that DevSecOps engineers in charge of the production environment understand how to read and analyze logs. DevOps teams usually lack the knowledge and the ability to identify security breaches or hacking attempts from log data. Having a log management tool capable of reading and parsing logs and distinguishing between permitted and unauthorized activities is really crucial, both for tracking each action within the system and for creating confidence in the application and the DevSecOps process. Essentially, you want to make sure that you log data from all the relevant data sources that you have, to give you context over both DevSecOps and SecOps.
So let's just wrap up on this particular subject and talk about why log management is so important. Logging and log analysis are really essential factors in achieving and maintaining application security. They're also essential for the success of a DevSecOps organization as a whole. One of the biggest concepts in agile development is the idea of continuously evaluating the application, and examples include continuously testing the application to catch errors at the earliest possible moment in the development cycle, or continuously integrating code into a common code base to allow for detection of code integration issues at the earliest point possible. Now, it's no different for logging and log analysis as it relates to application security. While developing the software, the engineer should be sure to write code that will log information regarding any relevant security events, such as authorization failures, maybe even successes, and input validation issues. In doing so, the developers will help build the foundation for a secure application as they integrate their code in a common code base to be deployed to test environments that mimic the specifications of production environments.

Logs provide excellent visibility into potential security considerations related to newly developed software. Most importantly, logs come from every system in your pipeline. A CI server could be used to identify anomalous code and operations, and log files from application tests and builds provide an opportunity to evaluate how software runs and find potential vulnerabilities before deployment. Logs from production environments can help in the detection of security issues that may arise from a running application.

The other aspect is really about faster processes and investigation. If we think about when a security issue arises in production, developers, IT engineers and security engineers need to react quickly and efficiently to resolve problems, and logging is critical for enabling fast and coordinated responses. Waiting on manual sharing of sensitive data can slow down reaction times. But when every stakeholder can get the data they need from logs, access to the information is no longer the weakest link in the security incident remediation process.

And I guess lastly, to touch on the final aspect, which is better collaboration: you can't practice DevSecOps if your developers, IT engineers and security engineers lack shared visibility into the state of each application release and which features are actually coming next and therefore need to be secured. So you could try to gain this shared visibility by asking various stakeholders to collaborate manually. They could hold meetings, talk on Slack, or so on. Yet while having some live collaboration is always helpful, you're unlikely to achieve complete shared visibility through manual collaboration alone. That's why it's critical to leverage logs as a single source of truth to provide visibility into the pipeline. When security engineers, developers and IT engineers have access to log data from across the pipeline, they can use that data to assess its state, and as a result they can find security issues better. These may be overlooked if a centralized solution isn't used where multiple teams, or people within a team, have the same access.
Now, I'd just like to talk about Falcon LogScale. This is CrowdStrike's log management solution, and essentially what this allows you to do is bring in data from your entire estate. So if you think about cloud data as an example, it allows you to bring in that type of data, as well as other telemetry: multicloud tools, from your data center, from your network, from your applications. Then it allows you to work against that data, correlate that data, and you have the ability to configure alerts for any errors or issues. On the right hand side, you can see the number of use cases that you can work with in Falcon LogScale. So it helps across use cases such as DevOps, IT operations, security and compliance, as well as business analytics.

Now, CrowdStrike also offers an all-in-one cloud native platform that simplifies monitoring, detecting and acting on potential cloud security threats and vulnerabilities. As an increasing number of organizations adopt DevSecOps, they're looking for ways to ensure cloud native application security, protect business critical workloads and streamline operations. The solution combines multiple tools and capabilities into a single software solution to minimize complexity and facilitate DevOps and DevSecOps team operations. Further, it offers end-to-end cloud and application security through the whole CI/CD application lifecycle.

I'd like to thank you very much for joining this session, and if you have any further queries or you'd like to learn more about Falcon LogScale or any of CrowdStrike's other solutions which help with challenges that DevSecOps teams face, please have a look on our website or reach out. Thank you again.
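The talk recommends structured (key-value or JSON) logging from your own applications, logging security events such as authorization failures and successes and input validation issues, and then parsing those logs downstream to pull out metadata like slow queries and ninetieth-percentile latency. The following is an added example illustrating those points together; it is not code from the talk, from CrowdStrike or from Falcon LogScale. It uses only the Python standard library. The event names (`authz.failure`, `db.query`, ...), field names and the sample traffic it emits are constructed for the demonstration and are assumptions, not a standard schema.

```python
"""Structured security-event logging plus a small analysis pass over the result.

Added example (not the talk's own code): the application side writes one JSON
object per line via the standard logging module; the pipeline side parses those
lines, skips anything unstructured, and answers the questions the talk mentions
(authorization failures per user, validation issues, slow queries, p90 latency).
"""
import json
import logging
import math
from collections import Counter
from io import StringIO

# Field names carried through from logger.info(..., extra={...}); an assumed schema.
EXTRA_FIELDS = ("event", "user", "src_ip", "path", "status", "duration_ms", "field")


class JsonFormatter(logging.Formatter):
    """Render each log record as a single JSON object so a pipeline can parse it."""

    def format(self, record):
        doc = {
            "ts": self.formatTime(record, "%Y-%m-%dT%H:%M:%S"),
            "level": record.levelname,
            "logger": record.name,
            "msg": record.getMessage(),
        }
        for key in EXTRA_FIELDS:
            if key in record.__dict__:
                doc[key] = record.__dict__[key]
        return json.dumps(doc)


def build_logger(stream):
    """Application-side logger writing newline-delimited JSON to `stream`."""
    logger = logging.getLogger("app.security")
    logger.handlers.clear()
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(JsonFormatter())
    logger.addHandler(handler)
    logger.propagate = False
    return logger


def emit_sample_events(logger):
    """Constructed sample traffic (not real data): one permitted admin request,
    three denied ones for the same user, one validation issue, ten query timings."""
    logger.info("request", extra={"event": "authz.success", "user": "alice",
                                  "src_ip": "10.0.0.5", "path": "/admin", "status": 200})
    for ip in ("10.0.0.7", "10.0.0.7", "198.51.100.9"):
        logger.warning("request", extra={"event": "authz.failure", "user": "bob",
                                         "src_ip": ip, "path": "/admin", "status": 403})
    logger.warning("bad input", extra={"event": "input.validation", "user": "bob", "field": "email"})
    for ms in (12, 35, 48, 120, 900, 15, 22, 60, 75, 31):
        logger.info("query", extra={"event": "db.query", "duration_ms": ms})


# --- pipeline side -----------------------------------------------------------

def parse_json_lines(text):
    """Parse newline-delimited JSON; unstructured lines (e.g. legacy syslog) are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def percentile(values, p):
    """Nearest-rank percentile, p in 0..100; None for an empty series."""
    if not values:
        return None
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def analyze(text, slow_threshold_ms=100):
    """Summarise the security and performance signals in a batch of log lines."""
    events = parse_json_lines(text)
    durations = [e["duration_ms"] for e in events if e.get("event") == "db.query"]
    return {
        "events": len(events),
        "p90_ms": percentile(durations, 90),
        "slow_queries": sum(1 for d in durations if d > slow_threshold_ms),
        "authz_failures": dict(Counter(e["user"] for e in events if e.get("event") == "authz.failure")),
        "validation_issues": sum(1 for e in events if e.get("event") == "input.validation"),
    }


def run_demo():
    """Emit the constructed events, mix in one unstructured line, and analyse the batch."""
    buf = StringIO()
    emit_sample_events(build_logger(buf))
    buf.write("Jan  1 00:00:00 host sshd[123]: plain syslog line, not JSON\n")  # constructed
    return analyze(buf.getvalue())


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The point of the split is that the same JSON line serves both lenses the talk describes: the `authz_failures` count is a security signal (three denials for one user on `/admin`), while `p90_ms` and `slow_queries` come from the same stream as performance signals, and the unstructured syslog line is tolerated rather than breaking the batch.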