Building Security with Chaos Engineering

Transcript

1. Chaos Engineering Building Secure Systems using

2. YURY NIÑO Site Reliability Engineer Chaos Engineering Advocate Garagoa is

   a town located in Boyacá, a Department in Colombia.

3. If you know the enemy and know yourself, you need

   not fear the result of a hundred battles … The Art of War. Sun Tzu

4. How many of you have seen a black swan?

5. Black Swans 1. The event is a surprise. 2. The

   event has a major effect. 3. After the first recorded, it is rationalized by hindsight!

6. The impact of viruses are considered black swans. Biological viruses

   === Computer viruses. Solutions in both worlds: biology === cybersecurity. Security Chaos Engineering: definition, principles and practices. Software Security: a roadmap of the milestones and tools in security chaos engineering. Agenda
7. None

8. The metaphor of software viruses to biological ones is deeply

   ingrained, easily seen in the fact that biological viruses are at least the namesake, if not the inspiration for computer viruses.

9. Analogy Initial infection via a vulnerability Usb Vulnerability - targeting

   USB port infecting network node. A vulnerability that allows a virus to infect a healthy cell. Or Weis

10. Analogy Initial infection via a vulnerability Virus execute malicious code

    in order to produce more copies to infect the all system :( Virus execute an algorithm to infect cells and through ribosomes and RNA assemble new copies :( Or Weis

11. “Don't worry about the future. Or worry, but know that

    worrying is as effective as trying to solve an algebra equation by chewing a bubble gum. The real troubles in your life are things that never crossed your worried mind, the kind that blindside you at 4 p.m. on some idle Tuesday" Mary Schmich

12. Antivirus patterns and Antibodies Analogy Antivirus software often relies on

    malicious code/file signatures to identify and thwart malware. Our immune system produces signatures on viruses via memory cells. Or Weis

13. Antivirus patterns and Antibodies Analogy Imagine if our immune system

    could, like your AV software, download an update from the web or even from a local service. Or Weis

14. Firewalls and Masks Analogy Firewalls protects a network node from

    attacks by limiting the type or content of traffic and minimizing the attack surface. In the healthcare world are face masks. Or Weis

15. The World is Chaotic! and Insecure Black swans take our

    systems down and keep them down for a long time. Laura Nolan, SRE in Slack

16. Immunity Artificial Systems

17. It’s important to note that while we have a rather

    good understanding of software and cybersecurity, the world of biology still remains more of a mystery for us in comparison.

18. About software systems we can proactively prepare us for cyberattacks!

    Bring Order through Chaos!

19. What is Chaos Engineering? It is the discipline of experimenting

    failures in production in order to reveal their weakness and to build confidence in their resilience capability. https://principlesofchaos.org/

20. What is Security Chaos Engineering? It is the identification of

    security control failures through proactive experimentation to build confidence in the system’s ability to defend against malicious conditions in production. Chaos Engineering Book. 2020

21. History 1986 Artificial Immune Systems 2008 Chaos Engineering was born

    2018 2020 Chapter dedicated to Security CE 2019 Aaron Rinehart first articles Artificial Intelligence for data security

22. Principles Chaos Engineering Principles Injecting failure to achieve resilience! Hypothesize

    about Steady State Run Experiments Vary Real-World Events Automate Experiments

23. More Chaos Security Engineering With Security Chaos Engineering we can

    introduce false positives into production, to check whether procedures are capable of identifying security failures under controlled conditions.

24. More Chaos Security Engineering www.thoughtworks.com

25. Human factors in cybersecurity are perhaps the biggest challenge when

    building an effective threat prevention strategy. Vircom

26. A Report

27. Who is responsible for Security Chaos Engineering

28. What my mom thinks I do What my friends thinks

    I do What software engineers think I do What I really do Who is a Security Chaos Engineer? Help service owners to increase their security and resilience through education, tools and encouragement.

29. By intentionally introducing a failure mode or other event, engineering

    teams can discover how well instrumented, observable, and measurable security systems truly are. Everybody is responsible for the security!

30. Humans operate differently when they expect things to fail! Aaron

    Rinehart

31. Security Chaos GameDays They are events to conduct chaos experiments

    against a system to validate or invalidate hypothesis about a system’s resilience. They are an ideal way to ease into Chaos Engineering. Brian Lee, Jason Doffing

32. How can we start with Security Chaos Engineering?

33. Taken from Laura Nolan Talk

34. With technology, tools and automation!

35. Tools

36. ChaoSlingr Tools • Serverless app in AWS. • Written in

    Python. • 100% Native in AWS. • Configuration as a Code. • Configurable Operational Mode. • Open Framework. • With example codes.

37. Design Experiments!

38. Let me try one! Experiments • Introduce latency on security

    controls. • Drop a folder like a script would do in production. • Software secret clear text disclosure. • Permission collision in a shared IAM role policy. • Disable service event logging. • API gateway shutdown. • Unencrypted S3 Bucket. • Disable MFA.

39. Let me try one! Experiments Hypothesis: After the owner of

    Root account in AWS left the company, we could use our cloud in a normal way. Result: Hypothesis disproved. In this experiment the access to AWS was connected to the Active Directory. When an employee left the company his account is dropped and we lost the access to AWS. Side Effect: Thinking in this scenario allows to consider another applications connected to Active Directory.

40. Consider Human Factors

41. How to begin? How to begin? https://chaosengineering.slack.com https://github.com/dastergon/ awesome-chaos-engineering https://www.infoq.com/chaos-engineering

    @yurynino
42. None

43. As Henry Ford said, "Failure is only the opportunity to

    begin again, this time more intelligently." Security Chaos Engineering and Security Chaos Testing give us that opportunity. Taken from DevOpsSec by Jim Bird

44. This talk was inspired in the work of .. Thanks!

45. Thanks for coming! @yurynino