RSAC 365 2021 Virtual Summit Spotlite Presentation on Security Chaos Engineering (Aaron Rinehart)
3. Agenda
• System Engineering is Messy
• A New Approach to Learning
• Intro to Chaos Engineering
• Security Chaos Engineering
• Use Cases
• Case Study – Cardinal Health
• Case Study – UnitedHealth Group
• Getting Started
© 2020 RSA Conference. All Rights Reserved. 3
6. After a few months…
[Slide graphic, a cloud of accumulated events: Hard Coded Passwords; Identity Conflicts; Lead Software Engineer finds a new job at Google; New Security Tool; Refactor Pricing; 300 Microservices -> 850 Microservices; Cloud Provider API Outage; WAF Outage -> Disabled; Scalability Issues; Network is Unreliable; Autoscaling Keeps Breaking; Large Customer Outage; Delayed Features; DNS Resolution Errors; Expired Certificate; Regulatory Audit; Rolling Sev1 Outage on Portal; Code Freeze; Bolt-on batch jobs; Portal Retry Storm Outage]
7. Years?
[Slide graphic, the same cloud grown denser, with many items now appearing several times: Hard Coded Passwords; Identity Conflicts; Lead Software Engineer finds a new job at Google; New Security Tool; Refactor Pricing; 300 Microservices -> 850 Microservices; Cloud Provider API Outage; WAF Outage -> Disabled; Scalability Issues; Network is Unreliable; Autoscaling Keeps Breaking; Large Customer Outage; Delayed Features; DNS Resolution Errors; Expired Certificate; Regulatory Audit; Rolling Sev1 Outage on Portal; Code Freeze; Orphaned documentation; Migration to new CSP; Exposed secrets; FW Rule Misconfiguration; Bolt-on batch jobs; Portal Retry Storm Outage; 3000 Microservices -> 4000 Microservices; Stability Issues; Full-Scale Customer Outage]
10. The Reality
“The only way to understand a complex system is to interact with it.”
- Dave Snowden
14. A Change in Mindset
People operate differently when they expect things to fail.
24. Cardinal Health: Applied Security
Assumption: The tools, technical designs, and technology standards we have keep us secure.
Reality: 48% of data breaches are due to failures of those controls (IBM Security 2020 Cost of a Data Breach Report).
26. Applied Security Goals for Identifying Security Gaps
• Identify indisputable, critical security gaps
• Illustrate the “big picture” of security gaps
• Ensure security gaps weren’t re-opened later
28. Hypothesis: If someone accidentally or maliciously introduced a misconfigured port, then we would immediately detect, block, and alert on the event.
[Diagram: a Misconfigured Port Injection fault, followed by the checkpoints Firewall?, Log data?, Config Mgmt?, Alert SOC?, IR Triage, and a “Wait...” callout]
31. Test your security before someone else does!
Software Testing | Security Chaos Engineering
Validates functional requirements | Validates security requirements
Automated or manual | Continuous execution
Test-driven development opportunities | Ideal pre- and post-deployment validation
32. Test Opportunities
[Diagram: the slide-28 flow again, with each checkpoint marked as a test opportunity: Misconfigured Port Injection, then Firewall?, Log data?, Config Mgmt?, Alert SOC?, IR Triage, and the “Wait...” callout]
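The slide-28 hypothesis and the slide-32 test opportunities, worked as a runnable security chaos experiment. This is an added example, not code from the presentation or from either case study: the sandbox, the allowlist, the log line formats and the four control stand-ins are all constructed, and the SOC rule is deliberately mismatched to the firewall's log format so the report shows the kind of gap such an experiment surfaces.

```python
# Security chaos experiment for the slide-28 hypothesis (added example, constructed):
# inject a misconfigured port into an in-memory sandbox and record what each control
# actually did against what the hypothesis expects. Controls are hypothetical stand-ins.
from dataclasses import dataclass, field

ALLOWED_PORTS = {22, 443}  # constructed approved baseline for the security group

@dataclass
class Sandbox:
    """Constructed stand-in for a cloud security group and its log stream."""
    open_ports: set = field(default_factory=lambda: set(ALLOWED_PORTS))
    log_lines: list = field(default_factory=list)

def inject_misconfigured_port(sb, port):
    """The experiment's fault: an unapproved port is opened and the change logged."""
    sb.open_ports.add(port)
    sb.log_lines.append(f"sg-change action=open port={port} src=0.0.0.0/0")

def config_mgmt_drift(sb):
    """Config-management control: open ports that drift from the baseline."""
    return sb.open_ports - ALLOWED_PORTS

def firewall_block(sb, port):
    """Firewall control: close a port that is open but not approved, and log it."""
    if port in ALLOWED_PORTS or port not in sb.open_ports:
        return False
    sb.open_ports.discard(port)
    sb.log_lines.append(f"fw action=block port={port}")
    return True

def soc_alert_rule(sb):
    """SOC detection rule. Constructed mismatch: it matches 'action=deny' while
    the firewall writes 'action=block', so the alert never fires."""
    return any("action=deny" in line for line in sb.log_lines)

def run_experiment(port=8080):
    """Return {control: (expected, observed)}; an observed False is a gap."""
    sb = Sandbox()
    inject_misconfigured_port(sb, port)
    observed = {  # evaluated in order: config mgmt, firewall, log data, SOC
        "config_mgmt_detects": port in config_mgmt_drift(sb),
        "firewall_blocks": firewall_block(sb, port),
        "log_data_present": any(f"port={port}" in line.split() for line in sb.log_lines),
        "soc_alerted": soc_alert_rule(sb),
    }
    return {name: (True, seen) for name, seen in observed.items()}

def gaps(report):
    """Controls whose observed behaviour contradicts the hypothesis."""
    return sorted(name for name, (expected, seen) in report.items() if expected != seen)
```

Running `gaps(run_experiment())` returns `['soc_alerted']`: detection, blocking and logging all worked, but the alert the hypothesis promised never reached the SOC, which is exactly the “Wait...” the diagram points at.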