Security Chaos Engineering- Cyberattacks are a new challenge for Chaos Engineering

Transcript

1. None

2. @yurynino Garagoa Boyacá Colombia https://www.yurynino.dev Site Reliability Engineer Chaos Engineering

   Advocate Universidad Nacional de Colombia

3. • Why are we afraid of cyberattacks? • Why do

   not we commit with security SLAs? • Classical Exercises are not enough • Security Chaos Engineering • Security Chaos Gamedays • Security Chaos Engineering Tools • Our Proposal!

4. Why are we afraid of cyberattacks?

5. None
6. None
7. None

8. As modern networks become more complex with a vastly larger

   threat surface, stopping break-ins before they happen takes on even greater importance. Cyberattacks are a new challenge for Chaos Engineering!

9. What about SLOs, SLIs & SLAs for Security? Let me

   compare and contrast these security measurement concepts with Google’s SRE.

10. Service Level Indicator Service Level Objective Service Level Agreement Key

    measurements of the availability of a system. Goals we set for how much availability we expect out of a system. Contracts with what happens if the system doesn’t meet its SLOs.

11. • Invisibility • Assessment • Simplicity • Evolution • Resilience

    • Detection • Crisis response • Recovery

12. Our traditional security testing methods that mitigate these risks!

13. Classical Methods

14. Red Team Exercises • They were originated with the US

    Armed Forces by Bryce Hoffman. • Adversarial approach that imitates the behaviors and techniques of attackers in the most realistic way possible. • Two common forms of Red Teaming seen in the enterprise are: ◦ Ethical hacking ◦ Penetration testing. • Blue teams are the defensive counterparts to the Red teams in these exercises. • Recommendations: Think-Write-Share and Devil’s advocacy.

15. Purple Team Exercises • They were intended as an evolution

    of Red Team exercises by delivering a more cohesive experience between the offensive and defensive teams. • The “Purple” in Purple Teaming reflects the cohesion of Red and Blue teaming. • The goal of these exercises is the collaboration of offensive and defensive tactics to improve the effectiveness of both groups in the event of an attempted compromise. • The intention is to increase transparency as well as provide a conduit for the security apparatus to learn about how effective their preparation is when subjected to a live fire exercise.

16. Security Chaos Engineering allows teams to proactively, safely discover system

    weakness before they disrupt business outcomes. This requires a fundamentally new approach to cybersecurity, one that keeps pace with the rapidly evolving world of software engineering.

17. About software systems we can proactively prepare us for cyberattacks!

    Bring Order through Chaos!

18. What is Chaos Engineering? It is the discipline of experimenting

    failures in production in order to reveal their weakness and to build confidence in their resilience capability. https://principlesofchaos.org/

19. Chaos Engineering Principles Hypothesize about Steady State Run Experiments Vary

    Real-World Events Automate Experiments Practice

20. What is Security Chaos Engineering? It is the identification of

    security control failures through proactive experimentation to build confidence in the system’s ability to defend against malicious conditions in production. Chaos Engineering Book. 2020

21. History 1986 Artificial Immune Systems 2008 Chaos Engineering was born

    2018 2020 Chapter dedicated to Security CE 2019 Aaron Rinehart first articles Artificial Intelligence for data security

22. With Security Chaos Engineering we can introduce false positives into

    production, to check whether procedures are capable of identifying security failures under controlled conditions.

23. More Chaos Security Engineering www.thoughtworks.com

24. What my mom thinks I do What my friends thinks

    I do What software engineers think I do What I really do Who is a Security Chaos Engineer? Help service owners to increase their security and resilience through education, tools and encouragement.

25. Our Proposal!

26. Security Chaos GameDays They are events to conduct chaos experiments

    against a system to validate or invalidate hypothesis about a system’s resilience. They are an ideal way to ease into Chaos Engineering. Brian Lee, Jason Doffing

27. Tools

28. ChaoSlingr • Serverless app in AWS. • Written in Python.

    • 100% Native in AWS. • Configuration as a Code. • Open Framework. • With example codes.

29. Experiments • Introduce latency on security controls. • Drop a

    folder like a script would do in production. • Software secret clear text disclosure. • Permission collision in a shared IAM role policy. • Disable service event logging. • API gateway shutdown. • Unencrypted S3 Bucket. • Disable MFA.

30. Experiments Hypothesis: After the owner of Root account in AWS

    left the company, we could use our cloud in a normal way. Result: Hypothesis disproved. In this experiment the access to AWS was connected to the Active Directory. When an employee left the company his account is dropped and we lost the access to AWS. Side Effect: Thinking in this scenario allows to consider another applications connected to Active Directory.

31. How to start? https://chaosengineering.slack.com https://github.com/dastergon/awesome-chao s-engineering https://www.infoq.com/chaos-engineering https://www.gremlin.com/community/

32. The World is Chaotic! and Insecure Black swans take our

    systems down and keep them down for a long time. Laura Nolan, SRE in Slack

33. “Don't worry about the future. Or worry, but know that

    worrying is as effective as trying to solve an algebra equation by chewing a bubble gum. The real troubles in your life are things that never crossed your worried mind, the kind that blindside you at 4 p.m. on some idle Tuesday" Mary Schmich
34. None

35. Thanks for coming! @yurynino