Risk Driven Fault Injection

Transcript

1. Risk Driven Fault Injection Security Chaos Engineering for The Fast

   & Furious Kennedy A . Torkura

2. Security Chaos Engineering • What is Security Chaos Engineering ◦

   How is differs from Chaos Engineering • Why it is important/why are we talking about it ◦ Complexity ◦ Increasing attacks against cloud native infrastructure ◦ Inefficient security countermeasures • Cloud Native Security ◦ What is it ◦ Challenges • Risk-Driven Fault Injection

3. Security Chaos Engineering Security Chaos Engineering is the identification of

   security control failures through proactive experimentation to build confidence in the system’s ability to defend against malicious conditions in production Aaron Rinehart, Co-Founder & CTO,Verica

4. Security Chaos Engineering Chaos Engineering • Addresses availability problems •

   Resiliency patterns ◦ Timeouts ◦ Bulkheads ◦ Circuit breaker Security Chaos Engineering • Addresses ◦ Availability ◦ Integrity ◦ Confidentiality • Verify security patterns/controls ◦ Preventive controls e.g. firewalls ◦ Detective controls e.g. IDS ◦ Corrective controls e.g. incident response systems • AIM - detect security blind spots

5. Complexity Complexity is the worst enemy of security - Bruce

   Schneier

6. Increasing Cloud Attacks Cloud Native threat Report 2020 - Aqua

   Security Team

7. Evolving Security Challenges 99% cloud security incidents is caused by

   users - Gartner Why? • Knowledge gap • Insufficient tooling support

8. Evolving Security Challenges • Digital transformation • DevOps • CI/CD

   Traditional Security

9. Evolving Security Challenges • Digital transformation • DevOps • CI/CD

   Modern Security

10. Cloud Native Security Cloud Native Security is about securing cloud

    native infrastructure The 4C’s of Cloud Native Security • defence-in-depth https://kubernetes.io/docs/concepts/security/overview/#the-4c-s-of-cloud-native-security

11. Cloud Attack Paths

12. Cloud Attack Paths container code cloud cluster

13. Cloud Native Security Platforms Cloud Security Posture Management Cloud Access

    Security Brokers Cloud Workload Protection Platforms SCE

14. PLAN Apply outcome of analysis to improve security. Design and

    plan future security hypotheses ANALYZE Collect and analyze observations. Vulnerabilities can be ranked and prioritized MONITOR Observe and monitor the execution of security perturbations. Intervene when necessary to ensure safety EXECUTE Inject security faults based on crafted hypotheses KNOWLEDGE Security insights & information including security fault models, detected vulnerabilities & analytical outcomes Risk Driven Fault Injection • adapted from MAPE-K Feedback loop used in autonomous computer systems SCE Feedback Loop

15. Execute • 100% security is a dream • Risk driven

    security ◦ Quantitative risk assessments ◦ Data driven • Communicate security information/analysis to management and other teams • Measure progress Risk Driven Fault Injection

16. Execute • The aim of the experiment • Craft a

    suitable hypothesis • Determine the scope: scale, depth and intensity • Perform sanity check ◦ Coordinating with responsible teams (admin & social aspects) ◦ Recoverability (IaC, Git, State Management) SCE Feedback Loop

17. Implementation ▪ Modes of operation: □ Low- 30% □ Medium

    - 60% □ High - 90% ▪ Attack scenario: chaining of multiple attack actions

18. start create user Bob get cloud buckets select random bucket

    create malicious policy assign policy to Bob & bucket end An example of an experiment hypothesis: cloud buckets are secure SCE Attack Scenario

19. Monitor SCE Feedback Loop • Observe the progress of the

    experiments ◦ Logging ◦ Observability ◦ Tracing • Intervene if necessary ◦ Stop experiment ◦ Recover to good state

20. Analyze SCE Feedback Loop • Failed - had to stop

    , need to identify the reasons and figure out how to improve in the future • Success - Critical to derive answers to the questions posed at the planning stage

21. Analyse SCE Results Using Risk-Driven Methodologies OWASP Risk Rating Methodology

    https://owasp.org/www-project-top-ten/2017/Application_Security_Risks.html

22. SCE Feedback Loop Plan • Creating of backlogs ◦ Vulnerability

    management (patching) ◦ Security operations ◦ Development teams ◦ Threat modelling ◦ Awareness training • Next steps ◦ Remediate ◦ Construct hypothesis for the next iteration

23. SCE Feedback Loop Knowledge-base • Security automation ◦ Create cloudwatch

    rules to trigger alarms for specific events ◦ Create audit rules for CSPM ◦ Flag policies with broad permissions • Security analytics • Security correlation • Machine learning

24. Security Knowledgebase SIEM Data Collection Analysis, Visualization & Automation Unified

    Query & Storage Threat Intelligence Source Extended Detection & Response Security Chaos Engineering Security Orchestration, Automation & Response Compliance Automation Extract, Transform & Load Security Data Lake

25. Research & Publications

26. Thank you for listening ! Kennedy Torkura @run2obtain