SLIDE 1 @aaronrinehart @verica_io #chaosengineering
@aaronrinehart @verica_io #chaosengineering @aaronrinehart - - PowerPoint PPT Presentation
@aaronrinehart @verica_io #chaosengineering @aaronrinehart - - PowerPoint PPT Presentation
@aaronrinehart @verica_io #chaosengineering @aaronrinehart @verica_io #chaosengineering CONFIDENTIAL Security Precognition @aaronrinehart @verica_io #chaosengineering Resilience is the story of the outage that never happened. - John
SLIDE 2 @aaronrinehart @verica_io #chaosengineering
SLIDE 3 CONFIDENTIAL
SLIDE 4
Security Precognition
@aaronrinehart @verica_io #chaosengineering SLIDE 5 @aaronrinehart
“Resilience is the story of the
- utage that never happened.”
- John Allspaw
SLIDE 6 6
About A.A.Ron
- CTO of Stealthy Startup
- Former Chief Security Architect
- Led the DevOps and Open Source
- Former (DOD, NASA, DHS, CollegeBoard )
- Frequent speaker and author on Chaos
- Pioneer behind Security Chaos Engineering
- Led ChaoSlingr team at UnitedHealth
SLIDE 7
In this Session we will cover
SLIDE 8
Our systems have evolved beyond human ability to mentally model their behavior.
8 SLIDE 9
Our systems have evolved beyond human ability to mentally model their behavior.
9everyone
SLIDE 10
SLIDE 11 Circuit Breaker Patterns
11
Continuous Delivery Distribute d Systems Blue/Green Deployments
Cloud Computing Service Mesh
Containers
Immutable Infrastructure
Infracode Continuous Integration
Microservice Architectures
API Auto Canaries CI/CD DevOps
Automation PipelinesComplex?
SLIDE 12 12
Mostly Monolithic
Requires Domain Knowledge Prevention focused Poorly Aligned Defense in Depth
Stateful in nature
DevSecOps not widely adopted
Security?
Expert Systems Adversary Focused
SLIDE 13
Simplify?
SLIDE 14
Software Only Increases in Complexity
SLIDE 15
Accidental Complexity Essential Complexity
Software Complexity
SLIDE 16
Woods Theorem: “As the complexity of a system increases, the accuracy of any single agent’s
- wn model of that system decreases”
- Dr. David Woods
SLIDE 17
How well do you really understand how your system works?
SLIDE 18
Difficult to Grok behavior
SLIDE 19
So what does all of this have to do with Security?
SLIDE 20
Failure Happens.
SLIDE 21
Incidents & System Outages are
Expensive
SLIDE 22
Security Incidents are Subjective in Nature
SLIDE 23
We really don't know
Where? Why? Who? What? How?
very much
SLIDE 24
Lets face it, when outages happen…..
SLIDE 25
Teams spend too much time reacting to
- utages instead
- f building more
resilient systems.
SLIDE 26
“Response” is the problem with Incident Response
SLIDE 27
“Chaos Engineering is the discipline of experimenting on a distributed system in order to build confidence in the system’s ability to withstand turbulent conditions”
SLIDE 28
SLIDE 29
SLIDE 30
A P Ch A
ControlA
Experiment SLIDE 31
Who is doing Chaos?
SLIDE 32
SLIDE 33
Security Engineering
SLIDE 34
Security Engineering
SLIDE 35
People Operate Differently when they expect things to fail
SLIDE 36
SLIDE 37
SLIDE 38
The Normal Condition of a Human & Systems they Build is to
FAIL
SLIDE 39
We need failure to Learn & Grow
39 SLIDE 40
Post Mortem = Preparation
Lets Flip the Model
SLIDE 41
Bring Order through Chaos
SLIDE 42
Use Chaos Engineering to initiate Objective Feedback Loops about Security Effectiveness
SLIDE 43
Proactively Manage & Measure
Validate Runbooks Measure Team Skills Determine Control Effectiveness Learn new insights into system behavior Transfer knowledge Build a learning culture
SLIDE 44
Testing vs. Experimentation
SLIDE 45
Security Crayon Differences
Noisy distributed system behavior Not geared for Cascading Events Point-in-time even if Automated Performed by Security Teams with Specialized skill sets
SLIDE 46
Security Chaos Differences
Distributed Systems Focus Goal: Experimentation Human Factors focused Small Isolated Scope Focus on Cascading Events Performed by Mixed Engineering Teams in Gameday During business hours
SLIDE 47
2018 Causes of Data Breaches
SLIDE 48
2018 Causes of Data Breaches
SLIDE 49
2018 Causes of Data Breaches
SLIDE 50
2018 Causes of Data Breaches
SLIDE 51
‘Human Error’, Root Cause, & Blame Culture
SLIDE 52
Proactively Manage & Measure
SLIDE 53
Continuous
SECURITY
Validation
SLIDE 54
Build Confidence in What Actually Works
SLIDE 55
So how does it work?
SLIDE 56
Stop looking for better answers and start asking better questions.
- John Allspaw
SLIDE 57
What is the system actually doing?
SLIDE 58
What is the system actually doing? Has it done this before?
SLIDE 59
What is the system actually doing? Has it done this before? Why is it behaving that way?
SLIDE 60
What is the system actually doing? Has it done this before? Why is it behaving that way? What is it supposed to do next?
SLIDE 61
What is the system actually doing? Has it done this before? Why is it behaving that way? What is it supposed to do next? How did it get into this state?
SLIDE 62
How does My Security Really Work?
SLIDE 63
What evidence do I have to prove it?
SLIDE 64 64
An Open Source Tool
SLIDE 65
- ChatOps Integration
- Configuration-as-Code
- Example Code & Open Framework
ChaoSlingr Product Features
- Serverless App in AWS
- 100% Native AWS
- Configurable Operational Mode &
- Opt-In | Opt-Out Model
SLIDE 66 Hypothesis: If someone accidentally or maliciously introduced a misconfigured port then we would immediately detect, block, and alert on the event. Alert SOC? Config Mgmt? Misconfigured Port Injection IR Triage Log data? Wait... Firewall?
SLIDE 67 Result: Hypothesis disproved. Firewall did not detect
- r block the change on all instances. Standard Port
- instances. Port change did not trigger an alert and
SLIDE 68
More Experiment Examples
- Internet exposed
Kubernetes API
- Unauthorized Bad
Container Repo
- Unencrypted S3 Bucket
- Disable MFA
- Bad AWS Automated Block
Rule
- Software Secret Clear
Text Disclosure
- Permission collision in
Shared IAM Role Policy
- Disabled Service Event
Logging
- Introduce Latency on
Security Controls
- API Gateway Shutdown
SLIDE 69
Q&A
@aaronrinehart aaron@verica.io
SLIDE 70
Thank you!
@aaronrinehart aaron@verica.io
SLIDE 71 CONFIDENTIAL