From YouTube: CNCF SIG-Security 2020-03-11
A: Am I coming through, video and audio wise, clear? Yep, great. Okay, I put together some pieces from the agenda. There was already a presentation put into there by someone else, so my plan was just to stick to the format. That's in place: quick attendance stand-up and then presentations, so if anyone needs to duck out early, they at least get to see the presentation, and then bring check-ins, and then issues, PRs, and then opening to the floor. Whatever else follows, and that's about it. That sounds about right, yeah.

B: Most of the check-ins, you know, were close, unless there's a major check-in, and then we'll kind of stop coming in later. So, like, my only hesitation is, you should check-ins and any, you know, quick sort of notifications around issues and PRs get pushed up into that first. They're like, hey, like this needs, you know, attention, you know, before we go into something like a presentation, but, you know, it's a minor detail. Otherwise it looks right. Okay.

A: I'll put like an extra note there, I guess "critical check-ins" or something like that, or maybe just "check-ins", and then the one I already have in column, in a row, would just be additional or one-off check-ins. I just, right, the way to go would be to have the presentations and the check-ins. Let all the people that maybe only have a 30 minute window get what they need done, and then they can knock out if they don't want to stay for it. Okay.

B: That's right. So, you know, one thing for today is, since we do have a presentation and we want to get into discussion, you know, if you don't have, you know, something really important we're pressing, like, it's better to keep it short today. And then, you know, something we haven't really documented, but is our standard practice?

B: You know, actually it's only been like a couple months now, is, you know, when you sign in you put, you know, "no update" besides your name if you don't want to get called on, you know. And when you're facilitating, you basically read through the list of folks, you know, anybody who doesn't have "no update". Thank you.

A: A couple, like, was one of them off, but I did add a few PRs relating to documentation. One is on the scribe role. The other was sort of a jump start guide, a Quick Start Guide for facilitators, but the notes from Brandon and a couple others from the last meeting show, yeah, that'd be overkill. And then I believe I have, let me just see the backlog here, and then a minor one on updates to the meeting agenda, like the column based one, just so it isn't two sets of notes back-to-back.
B: So welcome, everybody. We have a presentation today. I just dropped a link to our meeting notes. You know, we want to dive into the presentation and, you know, leave ourselves time for discussion. So, you know, let's prioritize, you know, getting through your standup relatively quickly. So if you're new, we'd love to have you introduce yourself, and today we have a new facilitator. Matthew Johnson is gonna be facilitating today. Matthew.

B: This is Matthew's first time and brings, you know, some experience, and, you know, it's tribal learning, some stuff, so I'm going to shut up and hand things over to Matthew. Any sort of feedback that you have would be great to either capture your thoughts in the document, in the meeting notes, or an issue on our GitHub. Thank you. I think it's all yours. Thank...

A: ...you, Dan. So I'm just going to go through the regular workload that we have for this. So attendance stand-up: there's the link there in the chat, so anyone that's attending, please feel free to add your name there, and if there's no updates or comments or you don't want to be called upon, just please throw "no update" in parentheses beside your name and we won't ping you. Feel free to leave it without that.

A: If you're, say, new here and you just want to get a quick spiel in. Besides that, I thought we can just move into the presentation that we have today, so "Cartography: using graphs to improve and scale security decision-making", and the link there is on the slide. I, just, ethnicity, and who's our guest presenting that today, and...

C: Cartography is a tool, it is a Python tool, that pulls in assets, infrastructure assets, from many different data sources, and it puts it all into a Neo4j graph database. And what we found is that having things in a graph database is very helpful in correlating multiple sources, and it's also helped us answer some very complex questions. Cartography is open source. We open sourced it about, almost a year ago.

C: It might be coming up on its birthday, so happy birthday to Cartography, and what better way to celebrate its birthday than sharing it with the SIG Security. So thank you all very much for having me here. At this time we're not necessarily looking to join the foundation. However, we are here for feedback and for eventual submission, and our hope is that you all will find this as useful as we have found it so far. And so, some of the motivations going into the project.

C: The bottom line is that we found that the cloud is really complicated and there are all kinds of different assets, all kinds of different permissions relationships, and not understanding this and getting this stuff wrong can have some pretty bad consequences. And a lot of us on the project who have worked on Cartography, we all come...

C: A lot of us come from a sort of offensive security background where we worked as red teamers, and what we found is that looking at things from a graph point of view has been very helpful in having us identify targets, perform lateral movements, and we think that others can also find this useful as well. So if you are a blue team, or if you are a service owner, if you are any number of different roles on a security team, infrastructure team, what have you, I think that looking at this can be pretty useful.
C: End user: I need a centralized way to look at all of these resources. As a developer, I can perform an access check. As an implementer, I can perform auditing of resource access. And although we didn't necessarily build it with these scenarios specifically in mind, like I said before, it came from a pen testing perspective, I think that there's lots of ways where it fits into that. I want to... so if, at any point in time, something doesn't sound like, make a lot of sense, or if I'm being confusing...

C: Please interrupt me. I want to make this interactive, yeah. Let me know if you have any questions at all. And so I'm just gonna dive right into kind of some of the use cases that we have. So with this first set of use cases, understanding access checks, understanding auditing, and looking at organizational resources in one way. Well, I'll show you how we do that at Lyft as kind of a motivating example. So at Lyft we use Okta as a single sign-on provider.

C: You authenticate with Okta and then it delegates your access to all sorts of other different providers and resources, AWS being one of them. And the way Okta works is that you'll have an organization, a group, a user, and then you have a human identity. So I myself can have an Okta identity. That can be a member of a group, and this is sort of, kind of, modeling what this would all look like in a graph. And, okay, cool, sorry, I'm just like checking stuff. All right? Yes, so, and then, so one...

C: The one thing I want to highlight here is that if we wanted to keep an inventory of all of our Okta groups and all Okta users, then if we had it in terms of a relational database, every single one of these edges would be a join, and joins, you know, they can work, but then quickly, if you want to correlate it with other things, the problem of keeping track of all of this in a relational database gets pretty complicated.

C: So, as I mentioned before, we use Okta to delegate access to AWS. It's a fairly, as far as I understand, it's a fairly common workflow where an Okta group will be allowed to assume an AWS role to become an AWS identity, and that AWS identity belongs to an account. And we can layer this together with other things too. So we can layer an HR organization, an HR structure, so we can go from the identity of myself, put in other HR data from a provider such as Workday. At Lyft internally...

C: We use something else, but Workday is just as an example over here. We can layer it in there, and then here we have all sorts of different sources that are put together in this graph view, but that you can augment this further and then add things like, I myself, I have a G Suite identity, and this G Suite identity can let me connect things like Duo CRXcavator, which is a tool that identifies risky Chrome extensions that are installed throughout your organization. And so putting all of these things together...
C: So it just looks a little prettier. So I have here user 123. User 123 as a human, and then user 123 has an Okta user identity, and then this Okta user identity... I actually wasn't supposed to move that node, so I kind of messed up my demo already, but you can see that if I expand this right here, this user 123 is a member of a number of Okta groups, including this AWS admins group.

C: If I expand this AWS admins group, it tells me, oh man, you got so many other different things you can go to. Well, I'm just gonna, I'm only interested in this AWS role. So let that expand, and then, like, this AWS role. So let's expand this role, I get to another role, and then I'm gonna back up and explain this whole path.

C: What I'm going on in just a little bit, once I get everything kind of expanded here. So the idea here is that I have a user, a human, that happens to have an Okta user identity. This Okta user identity is able to... it is a member of this Okta group, and because it's a member of this Okta group, it is allowed to assume this AWS role to become this AWS identity. And AWS has this feature that lets you, if you are a certain role, you can assume other roles.

C: So that's what this STS assume role allow relationship is. So if I am this role, I can assume this role, and sort of the reasoning for a cloud provider providing this functionality is for flexibility in your organization. And if you come from an on-prem, I guess, background, then this can be... well, if you come from like an on-prem hacking background, then your ears should be perking up right now, because this is very interesting. This is literally lateral movement.

C: Let's look at this. So this role, the 603 role, is a member of account DF. AWS separates assets into different accounts. An account, if you're familiar with Azure, for example, is like an Azure subscription. It is a billable unit, and people, organizations, they delegate accesses and organize a lot of their assets into different AWS accounts. So you can have a billing account...

C: You can have your service account, you can have all sorts of other things. And the main thing that I want to highlight in this demo is that, all right, our user can assume this role that lives in account ABC. Because we are this role, this role has an assume role allow relationship with this 603 role that lives in the DF account. And so, basically, the TL;DR: this is showing that you can...

C: Then this is kind of the problem space that we are very interested in: being able to move between different permissions relationships, making sure that we have all of our assumptions on isolation very well understood, especially when they cross different boundaries between services. Like, this is all AWS. This is like going from Okta to AWS, and there's many other different pivot paths that we are interested in. We...
D: Yeah, I was just curious about the role names here, cuz, like, mostly they were, normally, natively have like a human readable name, and they look, at this, look as though they're all like random numbers. Is that something that's introduced as per the import, or is that the actual role name? Oh, this...

A: I'll just add one of my own on top of that, and that was: this appears to be rendering the data. I'm wondering if it uses a certain API where you could go in and say "disabled" or "decommissioned", say, a role or an account. Like, if, say, an account was compromised, does this allow you to directly jump in and say, what resource should I disable to limit the damage to the running deployments? Or is...

C: In terms of... so the tool isn't focused on real-time at the moment. It's not very good at that. So I guess right now, we are definitely looking at real-time, because to run a full sync, admittedly, it takes a decent amount of time to pull in all of these nodes, process them, load them to the graph. We're looking at other ways to deliver more, I guess, real-time scenarios, such as by listening in on a CloudTrail log, for example, other things like that. But so we focus on visibility.

C: You can't, for example, click on one of these things and be like, boom, I'm gonna go ahead and turn that off. You know, we don't have that capability right now, no. But it will give you that... what we found is that it gives us that visibility to go to another console and then take that action. Okay.

C: Okay, let's see. "Is there any functionality for viewing changes over time, for the sake of auditing changes to environment?" Oh yeah, yeah, I'll talk about that in just a little bit, viewing changes over time. "You mentioned not using a SQL datastore. What are you using as the backend data store? How are you, at a high level, storing data and performing correlations?" So we don't use SQL. This database is Neo4j, and at a high level, storing the data, performing correlations, we have...

C: We have a schema, so kind of the view on how we are making these relationships, representing them. That's kind of what I was showing there with, like, the diagrams, are the way that we're doing our data modeling. Yeah, it's Neo4j. "UX, there's a built-in UI?" Yeah. So this view I have right here, this is actually Linkurious, which, I don't want to distract too much from, I guess, the actual topic, but it is a visualization layer on top of Neo4j that just makes it nicer for presentations.
C: So, if we were to take a look at all of this, we can zoom out even more. And so this is the reason why I didn't want to use the vanilla, you know, Neo4j UI to show all of you this, is that if we wanted to visualize all of these, all of the possible cross-IAM role assumption opportunities for all of the accounts in our fake organization, you know, this...

C: This looks kind of amazing, looks kind of cool, but the point here is this: just to kind of show you that the cloud is complicated, even for a medium to large, even for a medium-sized organization. This is nothing really out of the ordinary, honestly, and being able to visualize all these things, yeah, this is intimidating. However, there are ways that we provide to consume this data and make it a lot more tractable, because this is, not necessarily impressive to look at, but let's face it...

C: This isn't really... I'll show you what I mean by that in a little bit. And the next thing that I want to show you is, we also want to talk, I also want to talk to a couple of other different scenarios. So another scenario that we looked at that fit in with the SIG Security use cases was: "As a network operator, I need a central way to look at the networks in my organization."

C: All right, so just a little bit of disclaimer. These examples are pretty AWS heavy, mostly because Lyft is a very AWS heavy shop. It is kind of our area of familiarity. However, I don't want to say that this is our only focus, that we're not going to welcome other clouds. Yeah, we're definitely open, the whole project, for exploring many different clouds. We, yeah.

C: So this is the 10.0/16, and one thing that's neat with VPCs is that you can take these subnets and peer them with other subnets, and what that means is that, because... so these pink relationships that I have here in this diagram, these are VPC peering relationships. What that means is, if I have a host connected to this subnet, it is able to talk to a host in this subnet. And what I want to highlight here is that these subnets belong to VPCs that belong in different accounts.

C: So you should see that this is kind of a theme in my presentation. I love looking at things that go across different account boundaries, and a thing that I want to highlight here is I have this named account for service ABC. Service ABC's got this VPC. It's got this subnet, is peered with this one. 192.168/24 lives in this VPC that lives in this account that I don't even know what the name is.

C: What's going on here? We have no idea what this AWS account is. Well, I'll explain why this happens. So what Cartography does is that we'll enumerate all the accounts, we'll enumerate all the network assets, we will get the VPC data, we'll get the subnet data, and then, when we enumerate the VPC data, we'll enumerate the other peerings that are available. And what happens here is that by calling that we'll get back some JSON blobs that'll tell us, hey, you know, we know about this other CIDR block.
C: ...what that query language looks like, but the idea is that you would draw out a relationship from here to here to here, all to visualize this whole path, and then, whenever that path matches on something, where that query matches on something, you can fire an alert or take an action. Again, I'll get into that in just a little bit. It's not specifically tailored for our scenarios, but we have the ability, I'll show this in a little bit also, we have the ability to make what we call analysis jobs. So in an analysis job...

C: "Or would you consider leveraging high cardinality data like VPC flow logs?" That goes into... we're definitely welcome to exploring that. That goes into kind of what I was talking about earlier on consuming new sources of real-time data, such as CloudTrail logs. It's not a design goal, at least in the next three months. In the next six months, we have on our roadmap to start exploring at least CloudTrail, but VPC flow logs, that we can definitely, like, put that in that same family of real-time data sources. And...

C: Excuse me. And then so, then, so that's a very, pretty good segue about going on to doing some analysis. So you mentioned about, oh, you know, how do you make these shortcuts? And let's kind of pivot ourselves a little bit here, because we want to ask ourselves, all right: I have a bunch of compute instances.

C: How do I know if they are open to the internet or not? And this is a complicated question to answer, because there's all sorts of different security group rules and things that you need to compute to figure out what's going on. And this is kind of the data model for that. We've got our instance. It's got a network interface, member of a security group, which has a number of different firewall rules, and it's got a, which is connected to a number of different IP ranges. How do we do that?

C: What are the security group rules that roll up to that IP rule? Are they connected to any EC2 instances via their network interfaces? So we're drawing out this path, and if so, if there are any EC2 instances that satisfy this criteria, set them, set this flag: exposed_internet equals true. So what that does is, rather than run this massive query every single time, need to memorize that, I can simply ask myself, let's go...

C: Look at all of the EC2 instances that have this exposed_internet true flag, and we applied this similar set of logic for Google Cloud instances also. So we have, this is an example analysis job, and we have similar things in GCP and similar rules. You can do the same thing for an elastic load balancer, for example, and so I'll show that just real quickly.

C: What that looks like in demo land. I have a question here: "Isn't this missing network ACLs? For each ENI I can have a public IP." We thought, yeah. This is missing all sorts of different things for this demo. I'm glossing over all kinds of details in the interest of time, yeah. So sorry if this is, like, not entirely 100% correct, but this is, yeah, trying to blast through this. Very, very good observations. So this is only looking at it from the perspective of rules on the EC2 security group.

C: So in this case, what we can look at is if we've got different accounts. Let's say I have this account for service ABC and I've got this special projects account, and this account has a number of different instances that we've identified as internet exposed. So this flag here is true, and so let's say these are web facing roles, and from the previous demo we know that there's VPC peering that's possible. VPC has the subnet, the subnet that happens...
C: This web facing instance is able to talk to the special projects instance, even though the special projects instance is not directly connected to the internet. And it is an... I'll leave it as an exercise to the reader to draw a relationship from this instance over to this instance as part of an analysis job. So again, this is kind of the set of problems and questions that we're interested in answering, and kind of the, I guess, motivating scenarios for looking at our tool. And let's see, I'll just speak briefly on...

C: There are a lot of questions on how can you view changes over time. "As an enterprise operator, I need to see what about the resource has changed. I need to provide logs for changes to critical resources." And we accomplish this through something that we call drift detection. And, as I mentioned earlier, one of the limitations of our tool, or the very, it's a pain point of ours, will be known for a while, is that we need to pull in all this data.

C: That graph is huge and it takes a while to process, it takes a while to sync it all, and then so you take one time slice and you take another time slice. It's not very good at real-time, but we can kind of get around that through something called drift detection. So in this particular case, let's say that we have a known set of storage buckets that we expect to be open to the internet. Every so often we can keep that, and then so we have...

C: We build ourselves a query asking ourselves which are the S3 buckets that have anonymous access equals true. Every time this list deviates from our known set of expectations, we can fire an alert, and in this case this is demonstrating a Slack alert. So we have a couple of different reporters available right now in GitHub. We've got a Slack reporter, we have a JIRA ticket reporter, and then, you know, it's modular enough that you can build your own reporter.

C: On top of that, so you can find out which of your assets deviate from a known set of expectations every time a graph sync is run, and it's left up to the implementer how often you want this sync to run. We're far from the only open source security graph in town. What really sets us apart? And there's a few things. First, that I want to say that, you know, we are extensible, as I showed earlier. We got intel modules from different sources. We got GCP, we got AWS, Okta, we could...

C: You can extend these queries with analysis jobs and, like I said, multiple data sources. We are also not deployment opinionated. We don't care about where they run: a Docker container, run vanilla on compute instances like I see right here. It's very subjective, but I think that, I can, you need the aspects there. I think we got a pretty great, growing, fledgling community, and we hope that you will join it as well. And so, kind of moving into this aspect, I think that this is one of the strongest aspects of Cartography.
C: We have been very thankful for the response that we've gotten from the community so far over the past year, maybe getting about 100 clones every week or so. And one, I guess, key milestone is, like, on the "Lyft loves open source" page, wow, you don't even got to scroll down for us anymore, so I was like, that was... I was extremely happy about that. Selected highlights: for a brief moment, we were more interesting than Lyft's IPO. All right, great. Top of Hacker News, that's lifetime achievement.

C: This was one of the first external contributors that we did not ask for. We got, oh, this was one where I created an issue and then a community member jumped in to come and help me out. Thank you, Zac. And this one was the first case where a community member reviewed the code of another community member, and we're getting to a point where we have more people from the community working on this project than we do have Lyft employees working on the project, and I want to kind of foster...

C: That sense can be, like, to kind of grow that a little bit even more, because this is useful to so many more places than just Lyft. And, like I said, in our community, you can join us on our open-source Slack. We have a monthly meeting, calendar link. Are there minutes? Are there video recordings of our meeting? There are. We have users from all kinds of different companies and many more to come, hopefully. And, you know, I want to end this presentation with this call to action that we need your feedback.

C: Please look into the graph, play with it, say hi to us, and, you know, we're really focused on how can we make this more useful for you. And speaking of us, a bit to the roadmap. In about one, within like one month or so, we want to have runnable examples for new users so that you don't have to necessarily install Neo4j, because, depending, because they can be a little tricky. So having things runnable, so you can play with some of those exposure scenarios that I showed you just a little while ago.

C: You can play with that without downloading and doing a lot of install work. We're looking at ingesting tags so that you can look at getting all sorts of attribution, resource attribution information, knowing about who owns what on a service. And then in kind of three months we're looking at more infrastructure improvements to our graph sync itself, so resilience via DAGs. So if the AWS sync fails, then what will happen now is that everything else will fail after that, and that's just, it was kind of a, move it, like, get it out the door.

C: Let everything run serially, but I mean there's no reason, because the GCP has no data dependency on AWS. So we should create something smarter than that. And, as I mentioned, in six plus months we're looking at ingesting more real-time data. And this last one, we got more shameless plugs here. There's some blog posts on us, there's some conference talks that we've given, but yeah, again, you know, thank you very much for having me, and then I can open the floor for some more questions.
C: See that there's some more that came up in the chat, actually, that I missed. Let's see: "Are you guys using this in practice for SOC operations at Lyft?" Yes, and I didn't talk to it in this presentation, but if you look at the RSA link, when we showed this off at RSA, I think my colleague Sascha, he shows how we use it for incident response. How can you find out who owns a given service? Who do you loop in? Who is the VP for that, etc, etc?

C: "Has the Neo4j license ever been an issue for potential users? Are there thoughts on pluggable graph DBs?" I'm not the best person to ask about licensing or other graph databases. We gravitated toward Neo4j because we really liked the Cypher syntax. We found that it's very useful for being able to, you literally draw things out, and it reminds me of Prolog, I guess. Anyway, we really like that language. Oh, GPL. Okay. "Did you explore building identities as abstract rules layered over nodes like AWS and Okta, or is service-specific chaining the key thing?" Abstract rules?

B: Layer... yeah. So, you know, if you have a cloud operator, and, you know, maybe you're multi cloud or have bail-out contingency plans, you know, as you're looking at those roles, is it more important to just, you know, get the actual correlations of reality? Or is there any thoughts on, you know, taking those and kind of abstracting that so you could, you know, look at AWS and, you know, GCP and measure, I think.

C: ...is that there's certain cases where we apply multiple labels to the same node. So a compute instance is a compute instance, whether it's in Azure land or in GCP, so we'll apply a GCP instance label to it and we'll also apply a generic instance label to it as well, right? And then so, similar things for VPCs, like they live in AWS. They also live in other cloud providers, right?
A: Okay, that said, I'll move on to the, essentially, working group and SIG check-ins, plus individual check-ins. If anyone has anything to bring up, I think it will be a bit brief today. I think we just have one update so far. So I guess, first, the SIGs or working groups: do we have any reps from external SIGs or working groups that need to do any check-ins or bring up any topics?

F: Doing well, thank you. Yeah, so I've put in a suggestion there. The suggestion was to create an end user slide deck around security, and people were able to take a look at the issue, but just to outline who SIG Security is in the CNCF and also to dig deeper on considerations to end users around security and things that they might consider for security in public cloud, for security around Kubernetes.

F: Whatever cloud-made platform that they might be using for their organization, for their application delivery. And so it's just a way to get the word out. It's a way to express some of the considerations from the SIG Security group, and they have a general understanding of what it is that we're trying to accomplish.

B: So a couple of things that you potentially pull in, you know, with changes to KubeCon, you know, the pressure is kind of gone off on finalizing everything, but we do have, you know, intro, deep-dive slide decks that are underway for that. I don't see Brandon on to get an update on, you know, where those stand, so there's prior art to pull in to your lovely initiative. Then the other point that I wanted to touch on in terms of validating, you know, getting early feedback and validation of the content and its viability.

B: There is a new end user working group called Contributor Awareness, I'm probably butchering that, that is focused a bit more on contributors, and, you know, that might be a good forum to go and present, you know, the document, get feedback, and ensure that we've captured enough, you know, get something from outside of our, you know, little group to share.

A: Good points. Please, the only thing I was going to add on top of that was that it was actually just, like, pure fluke, one of the suggestions that I put into the notes for today, and my take on that was, if it was possible to take either that or a subset of it and put it pretty much between the Background and Vision sections of the SIG Security main page, sort of for new members. "How do I get started, chopping wood and carrying water" sort of thing? Where do we start best?

G: I'll take a closer look, and then, yeah, because it's very generic and it takes, it gives up, it takes a posture on how, you know, comprehensive security for CI/CD, and I noticed that that was one of this. So, so how does that look like, and where security can be inserted as appropriate, and so on.
A: Okay, that said, it looks like we've covered the SIG and working group check-ins plus individual contributor check-ins. If anyone else wants to jump in or bring up anything on those topics, please feel free. If not, there was one other ticket here in the, two other tickets here in the agenda, and then usual PRs requiring chair approval, and I'm listed, and opening the floor.

A: So I'll just jump into one that I put together myself last week, minor documentation update, number 350. Since you're just adding a scribe role to the existing roles within our documentation on the SIG Security page, I don't imagine there'll be too much. That may be a paragraph or two in bullet form. So if there's no concerns about it, I'm happy to just go in, create the pull request, run the draft by the team and implement any recommended edits, and away we go. I don't imagine we'll be very much time on that one.

B: For the facilitator role, deadline, so, you know, we've gone through and, in the doc, have been looking to document most of our roles. The facilitator role, is there, something we introduced in the last year or so, you know, is actually mentioned in the roles but not documented, so really appreciate the work. Perhaps we could get that documented and get some clarity, so we can help more folks on board and chop wood, carry water, participate. Thank...

A: ...you all. All right, I'll make sure to include that for the facilitator plus scribe, a tentative scribe role. Okay, let's see, I think there was one left here on the backlog, a suggestion to find a review process for CNCF projects being considered for graduation, number 367. I'm just gonna get that here. Hi.

G: This is Ash, so we spoke about this last week about formalizing a process for projects looking to graduate, and so I just created an issue from last week's meeting. I put some thoughts on this issue, 367. So if you guys have any feedback on this, that'll be really appreciated, so yeah, take a look and we can chat on.

E: Had some discussion, I think, with the chairs regarding that. Whatever process that we work on should be pretty lightweight for right now, until we have a few more assessments under our belts, because we're still working through that process. I don't want anybody to be forced to comply with the process. It's not actually going to work, because we've not quite gotten to that point of evaluation for graduation projects. So whatever the recommendation is, or someone is planning on drafting a PR, I think we should start lightweight.

H: Yeah, I think that makes sense, especially as I think the wording on the PR, the big release day, was that the graduation process should be relatively lightweight, because most of the issues should have been addressed in incubation. And if they were, so, if there were specific outstanding ones, please address those at graduation, but in general graduation should be relatively lightweight.

A: All right, thank you. So there do not appear to be any PRs requiring chair approvals, so we can wrap things up with just general discussion / opening up the floor. Anyone wants to grab the mic, now's the time.