Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Building Security with Chaos Engineering

Building Security with Chaos Engineering

Yury Nino

May 01, 2020
Tweet

More Decks by Yury Nino

Other Decks in Technology

Transcript

  1. YURY NIÑO Site Reliability Engineer Chaos Engineering Advocate Garagoa is

    a town located in Boyacá, a Department in Colombia.
  2. If you know the enemy and know yourself, you need

    not fear the result of a hundred battles … The Art of War. Sun Tzu
  3. Black Swans 1. The event is a surprise. 2. The

    event has a major effect. 3. After the first recorded, it is rationalized by hindsight!
  4. The impact of viruses are considered black swans. Biological viruses

    === Computer viruses. Solutions in both worlds: biology === cybersecurity. Security Chaos Engineering: definition, principles and practices. Software Security: a roadmap of the milestones and tools in security chaos engineering. Agenda
  5. The metaphor of software viruses to biological ones is deeply

    ingrained, easily seen in the fact that biological viruses are at least the namesake, if not the inspiration for computer viruses.
  6. Analogy Initial infection via a vulnerability Usb Vulnerability - targeting

    USB port infecting network node. A vulnerability that allows a virus to infect a healthy cell. Or Weis
  7. Analogy Initial infection via a vulnerability Virus execute malicious code

    in order to produce more copies to infect the all system :( Virus execute an algorithm to infect cells and through ribosomes and RNA assemble new copies :( Or Weis
  8. “Don't worry about the future. Or worry, but know that

    worrying is as effective as trying to solve an algebra equation by chewing a bubble gum. The real troubles in your life are things that never crossed your worried mind, the kind that blindside you at 4 p.m. on some idle Tuesday" Mary Schmich
  9. Antivirus patterns and Antibodies Analogy Antivirus software often relies on

    malicious code/file signatures to identify and thwart malware. Our immune system produces signatures on viruses via memory cells. Or Weis
  10. Antivirus patterns and Antibodies Analogy Imagine if our immune system

    could, like your AV software, download an update from the web or even from a local service. Or Weis
  11. Firewalls and Masks Analogy Firewalls protects a network node from

    attacks by limiting the type or content of traffic and minimizing the attack surface. In the healthcare world are face masks. Or Weis
  12. The World is Chaotic! and Insecure Black swans take our

    systems down and keep them down for a long time. Laura Nolan, SRE in Slack
  13. It’s important to note that while we have a rather

    good understanding of software and cybersecurity, the world of biology still remains more of a mystery for us in comparison.
  14. What is Chaos Engineering? It is the discipline of experimenting

    failures in production in order to reveal their weakness and to build confidence in their resilience capability. https://principlesofchaos.org/
  15. What is Security Chaos Engineering? It is the identification of

    security control failures through proactive experimentation to build confidence in the system’s ability to defend against malicious conditions in production. Chaos Engineering Book. 2020
  16. History 1986 Artificial Immune Systems 2008 Chaos Engineering was born

    2018 2020 Chapter dedicated to Security CE 2019 Aaron Rinehart first articles Artificial Intelligence for data security
  17. Principles Chaos Engineering Principles Injecting failure to achieve resilience! Hypothesize

    about Steady State Run Experiments Vary Real-World Events Automate Experiments
  18. More Chaos Security Engineering With Security Chaos Engineering we can

    introduce false positives into production, to check whether procedures are capable of identifying security failures under controlled conditions.
  19. Human factors in cybersecurity are perhaps the biggest challenge when

    building an effective threat prevention strategy. Vircom
  20. What my mom thinks I do What my friends thinks

    I do What software engineers think I do What I really do Who is a Security Chaos Engineer? Help service owners to increase their security and resilience through education, tools and encouragement.
  21. By intentionally introducing a failure mode or other event, engineering

    teams can discover how well instrumented, observable, and measurable security systems truly are. Everybody is responsible for the security!
  22. Security Chaos GameDays They are events to conduct chaos experiments

    against a system to validate or invalidate hypothesis about a system’s resilience. They are an ideal way to ease into Chaos Engineering. Brian Lee, Jason Doffing
  23. ChaoSlingr Tools • Serverless app in AWS. • Written in

    Python. • 100% Native in AWS. • Configuration as a Code. • Configurable Operational Mode. • Open Framework. • With example codes.
  24. Let me try one! Experiments • Introduce latency on security

    controls. • Drop a folder like a script would do in production. • Software secret clear text disclosure. • Permission collision in a shared IAM role policy. • Disable service event logging. • API gateway shutdown. • Unencrypted S3 Bucket. • Disable MFA.
  25. Let me try one! Experiments Hypothesis: After the owner of

    Root account in AWS left the company, we could use our cloud in a normal way. Result: Hypothesis disproved. In this experiment the access to AWS was connected to the Active Directory. When an employee left the company his account is dropped and we lost the access to AWS. Side Effect: Thinking in this scenario allows to consider another applications connected to Active Directory.
  26. As Henry Ford said, "Failure is only the opportunity to

    begin again, this time more intelligently." Security Chaos Engineering and Security Chaos Testing give us that opportunity. Taken from DevOpsSec by Jim Bird