Enhancing Cloud Detection & Response with Security Chaos Engineering

How Hopeful Effective Is Your Cloud Detection & Response Capability
? Hope is NOT a strategy ! @run2obtain

Effective Cloud Detection & Response (CDR) capabilities play a vital
role in promptly identifying and responding to security incidents. @run2obtain

• Cost savings – post breach investigations, fines from regulatory
institutions .. • Quick & reliable incident response • Safeguard enterprise reputation • Confidence in your capabilities • Happy customers • ….. The ROI of early attack detection & swift response is HUGE ! @run2obtain

CDR mechanisms are challenged by the rapid evolution of cloud
infrastructure and fast- paced threat landscape. @run2obtain The absence of alerts does not imply all is well ... neither does the abundance of alerts imply effectiveness (alert fatigue is REAL).

Since HOPE is NOT a strategy, assumptions about CDR effectiveness
should be practically and continuously evaluated. Security chaos engineering enables continuous verification of CDR ! @run2obtain Security Chaos Engineering 101: The Mind Map & Feedback Loop (mitigant.io)

How does Security Chaos Engineering enhance CDR effectiveness? Quick, simple
example. How do you know if AWS Cloudtrail is disabled by a malicious attacker ? We run this basic example in the Mitigant Security Chaos Engineering platform. @run2obtain

Luckily, we have our CDR set up quite well. (DataDog
Cloud SIEM) We can see the Cloudtrail stopped event. This is a trigger for an appropriate response. One lesson though ! The MTTD was roughly 6 minutes … can be improved ! What if the CDR set up was broken ? How do you know ? Happens all the time -> misconfigured S3 bucket, broken lambda forwarder … @run2obtain

We run a couple more SCE experiments. This time the
dreaded bucket replication attack which abuses the S3 replication service. Our CDR captures some interesting events. Some teams might miss this out, notice the MITRE ATTACK Tactics & Techniques -> exfiltration, persistence and account manipulation. Does it ring a bell ? Crafting a detection rule for these pattern of events would makes sense. @run2obtain Abusing the Replicator: Silently Exfiltrating Data with the AWS S3 Replication Service by Kat Traxler (vectra.ai)

So, verify the effectiveness of your CDR rather than hoping
for effectiveness ! How do you start ? • Defend from inside out & assume breach ! • Identity your high-value targets (HVT) • Enhance CDR specifically for your HVT using SCE • Move backwards, apply same to non-HVTs • Rinse & Repeat • Become cyber-resilient • ….. @run2obtain Demystifying Security Chaos Engineering - Part II (mitigant.io)

Hope root for the effectiveness of your CDR. Cloud Immunity
| Mitigant https://mitigant.io Leverage The Mitigant Security Chaos Engineering Platform @run2obtain

Enhancing Cloud Detection & Response with Security Chaos Engineering

Enhancing Cloud Detection & Response with Security Chaos Engineering

Kennedy Torkura

More Decks by Kennedy Torkura

Other Decks in Technology

Featured

Transcript

How Hopeful Effective Is Your Cloud Detection & Response Capability

Effective Cloud Detection & Response (CDR) capabilities play a vital

• Cost savings – post breach investigations, fines from regulatory

CDR mechanisms are challenged by the rapid evolution of cloud

Since HOPE is NOT a strategy, assumptions about CDR effectiveness

How does Security Chaos Engineering enhance CDR effectiveness? Quick, simple

Luckily, we have our CDR set up quite well. (DataDog

We run a couple more SCE experiments. This time the

So, verify the effectiveness of your CDR rather than hoping

Hope root for the effectiveness of your CDR. Cloud Immunity