
Risk Driven Fault Injection


Most cloud security tools are reactive and employ firefighting techniques, which often leads to missed security gaps. These gaps range from misconfigured assets to complex security vulnerabilities; better security models are therefore imperative. This talk proposes applying chaos engineering techniques to cloud security, based on risk-driven techniques.

Kennedy Torkura

March 31, 2021


Transcript

  1. Security Chaos Engineering
    • What is Security Chaos Engineering
      ◦ How it differs from Chaos Engineering
    • Why it is important/why are we talking about it
      ◦ Complexity
      ◦ Increasing attacks against cloud native infrastructure
      ◦ Inefficient security countermeasures
    • Cloud Native Security
      ◦ What is it
      ◦ Challenges
    • Risk-Driven Fault Injection
  2. Security Chaos Engineering
    "Security Chaos Engineering is the identification of security control failures through proactive experimentation to build confidence in the system’s ability to defend against malicious conditions in production" - Aaron Rinehart, Co-Founder & CTO, Verica
  3. Security Chaos Engineering
    Chaos Engineering
    • Addresses availability problems
    • Resiliency patterns
      ◦ Timeouts
      ◦ Bulkheads
      ◦ Circuit breaker
    Security Chaos Engineering
    • Addresses
      ◦ Availability
      ◦ Integrity
      ◦ Confidentiality
    • Verify security patterns/controls
      ◦ Preventive controls e.g. firewalls
      ◦ Detective controls e.g. IDS
      ◦ Corrective controls e.g. incident response systems
    • AIM - detect security blind spots
  4. Evolving Security Challenges
    99% of cloud security incidents are caused by users - Gartner
    Why?
    • Knowledge gap
    • Insufficient tooling support
  5. Cloud Native Security
    Cloud Native Security is about securing cloud native infrastructure
    The 4C’s of Cloud Native Security
    • defence-in-depth
    https://kubernetes.io/docs/concepts/security/overview/#the-4c-s-of-cloud-native-security
  6. Cloud Native Security Platforms
    • Cloud Security Posture Management
    • Cloud Access Security Brokers
    • Cloud Workload Protection Platforms
    • SCE
  7. Risk Driven Fault Injection
    • adapted from MAPE-K Feedback loop used in autonomous computer systems
    SCE Feedback Loop
    • PLAN: Apply outcome of analysis to improve security. Design and plan future security hypotheses
    • ANALYZE: Collect and analyze observations. Vulnerabilities can be ranked and prioritized
    • MONITOR: Observe and monitor the execution of security perturbations. Intervene when necessary to ensure safety
    • EXECUTE: Inject security faults based on crafted hypotheses
    • KNOWLEDGE: Security insights & information including security fault models, detected vulnerabilities & analytical outcomes
  8. Risk Driven Fault Injection: Execute
    • 100% security is a dream
    • Risk driven security
      ◦ Quantitative risk assessments
      ◦ Data driven
    • Communicate security information/analysis to management and other teams
    • Measure progress
  9. SCE Feedback Loop: Execute
    • The aim of the experiment
    • Craft a suitable hypothesis
    • Determine the scope: scale, depth and intensity
    • Perform sanity check
      ◦ Coordinating with responsible teams (admin & social aspects)
      ◦ Recoverability (IaC, Git, State Management)
  10. Implementation
    ▪ Modes of operation:
      □ Low - 30%
      □ Medium - 60%
      □ High - 90%
    ▪ Attack scenario: chaining of multiple attack actions
  11. SCE Attack Scenario
    An example of an experiment hypothesis: cloud buckets are secure
    Flow: start → create user Bob → get cloud buckets → select random bucket → create malicious policy → assign policy to Bob & bucket → end
  12. SCE Feedback Loop: Monitor
    • Observe the progress of the experiments
      ◦ Logging
      ◦ Observability
      ◦ Tracing
    • Intervene if necessary
      ◦ Stop experiment
      ◦ Recover to good state
  13. SCE Feedback Loop: Analyze
    • Failed - had to stop, need to identify the reasons and figure out how to improve in the future
    • Success - Critical to derive answers to the questions posed at the planning stage
  14. Analyse SCE Results Using Risk-Driven Methodologies
    OWASP Risk Rating Methodology
    https://owasp.org/www-project-top-ten/2017/Application_Security_Risks.html
  15. SCE Feedback Loop: Plan
    • Creation of backlogs
      ◦ Vulnerability management (patching)
      ◦ Security operations
      ◦ Development teams
      ◦ Threat modelling
      ◦ Awareness training
    • Next steps
      ◦ Remediate
      ◦ Construct hypothesis for the next iteration
  16. SCE Feedback Loop: Knowledge-base
    • Security automation
      ◦ Create CloudWatch rules to trigger alarms for specific events
      ◦ Create audit rules for CSPM
      ◦ Flag policies with broad permissions
    • Security analytics
    • Security correlation
    • Machine learning
  17. Security Knowledgebase
    • SIEM
    • Data Collection
    • Analysis, Visualization & Automation
    • Unified Query & Storage
    • Threat Intelligence Source
    • Extended Detection & Response
    • Security Chaos Engineering
    • Security Orchestration, Automation & Response
    • Compliance Automation
    • Extract, Transform & Load
    • Security Data Lake