Navigating the Unknowable: Creating Resilience with Security Chaos Engineering
Aaron Rinehart, CTO and Founder, Verica
Jamie Dicken, Manager of Applied Security, Cardinal Health
About Us
Agenda
• System Engineering is Messy
• A New Approach to Learning
• Intro to Chaos Engineering
• Security Chaos Engineering
• Use Cases
• Case Study – Cardinal Health
• Case Study – UnitedHealth Group
• Getting Started
© 2020 RSA Conference. All Rights Reserved. 3
Problem
System Engineering is Messy
In the Beginning…
After a few months…
(Slide diagram labels: Hard Coded Passwords; Identity Conflicts; Lead Software Engineer finds a new job at Google; New Security Tool; Refactor Pricing; 300 Microservices Δ-> 850 Microservices; Cloud Provider API Outage; WAF Outage -> Disabled; Scalability Issues; Network is Unreliable; Autoscaling Keeps Breaking; Large Customer Outage; Delayed Features; DNS Resolution Errors; Expired Certificate; Regulatory Audit; Rolling Sev1 Outage on Portal; Code Freeze; Bolt-on batch jobs; Portal Retry Storm Outage)
Years?
(Slide diagram labels, several repeated across the slide: Hard Coded Passwords; Identity Conflicts; Lead Software Engineer finds a new job at Google; New Security Tool; Refactor Pricing; 300 Microservices Δ-> 850 Microservices; Cloud Provider API Outage; WAF Outage -> Disabled; Scalability Issues; Network is Unreliable; Autoscaling Keeps Breaking; Large Customer Outage; Delayed Features; DNS Resolution Errors; Expired Certificate; Regulatory Audit; Rolling Sev1 Outage on Portal; Code Freeze; Orphaned documentation; Migration to new CSP; Exposed secrets; FW Rule Misconfiguration; Bolt-on batch jobs; Portal Retry Storm Outage; 3000 Microservices Δ-> 4000 Microservices; Stability Issues; Full-Scale Customer Outage)
The Design-Oriented Mindset is Old-School
Forget Something?
The Reality
“The only way to understand a complex system is to interact with it.” - Dave Snowden
A New Approach to Learning
What is Learning?
Continuous Learning != Continuous Fixing
Think About It… How does a System become stable?
A Change in Mindset
People operate differently when they expect things to fail.
Instrumenting Chaos
Testing vs Experimentation
Chaos Engineering
It’s about establishing order from Chaos
Security Chaos Engineering
Why Security Chaos Engineering?
Understand your system and where its security gaps are before an adversary does.
Why Security Chaos Engineering?
We often misremember what our systems really are. As a result, the opportunity for accidents and mistakes increases.
Continuous Security Verification
Reduce uncertainty by building confidence in how the system actually functions.
Security Chaos Engineering Use Cases
• Incident Response
• Security Control Validation
• Security Observability
• Compliance Monitoring
Security Chaos Engineering in Action
Applied Security at Cardinal Health
ChaoSlingr at UnitedHealth Group
Cardinal Health: Applied Security
Assumption: The tools, technical designs, and technology standards we have keep us secure.
Reality: 48% of Data Breaches are due to failures of those controls (IBM Security 2020 Cost of a Data Breach Report)
Cardinal Health: Applied Security
Applied Security Goals for Identifying Security Gaps
• Identify indisputable, critical security gaps
• Illustrate the “big picture” of security gaps
• Ensure security gaps weren’t re-opened later
Continuous Verification and Validation
Hypothesis: If someone accidentally or maliciously introduced a misconfigured port then we would immediately detect, block, and alert on the event.
(Slide flow diagram labels: Misconfigured Port Injection; Firewall?; Log data?; Config Mgmt?; Alert SOC?; IR Triage; Wait...)
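To make the hypothesis slide concrete, here is an added Python example (not code from the deck, from Cardinal Health, or from ChaoSlingr) of a security chaos experiment harness: it injects a misconfigured port into a constructed in-memory model of two hosts and records which of the slide's checkpoints (Firewall? Log data? Config Mgmt? Alert SOC?) actually held. Host names, ports, the log format and the SOC detection rule are all constructed assumptions for the example.

```python
"""Security chaos experiment harness (added example, not from the slides).

Steady-state hypothesis from the deck: if a misconfigured port is introduced,
we immediately detect, block and alert on it. The harness injects that fault
into a constructed, in-memory model of a host estate and records which of
the slide's checkpoints held, producing the evidence an IR team would triage.
All hosts, ports, log lines and the alert rule below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Environment:
    desired_ports: dict   # config-management baseline: host -> expected open ports
    firewall_allow: dict  # host -> ports the firewall allows inbound
    running_ports: dict   # host -> ports actually listening
    logs: list = field(default_factory=list)  # central log sink the SOC rule reads


def build_env():
    """Constructed estate: one managed web host and one unmanaged legacy host."""
    return Environment(
        desired_ports={"web-01": {443}},  # legacy-batch-01 has no baseline (not under config mgmt)
        firewall_allow={"web-01": {443}, "legacy-batch-01": {22, 8080, 9000}},
        running_ports={"web-01": {443}, "legacy-batch-01": {22, 8080}},
    )


def inject_misconfigured_port(env, host, port):
    """Fault injection: open a port the baseline does not expect (the experiment's stimulus)."""
    env.running_ports.setdefault(host, set()).add(port)
    env.logs.append(f"host={host} event=listen port={port}")


def firewall_blocks(env, host, port):
    """Checkpoint 'Firewall?': does the perimeter deny inbound traffic to the new port?"""
    denied = port not in env.firewall_allow.get(host, set())
    action = "deny" if denied else "allow"
    env.logs.append(f"host={host} event=fw_decision port={port} action={action}")
    return denied


def log_data_present(env, host, port):
    """Checkpoint 'Log data?': did anything about the event reach the central log sink?"""
    return any(f"host={host}" in line and f"port={port}" in line for line in env.logs)


def config_mgmt_detects_drift(env, host):
    """Checkpoint 'Config Mgmt?': compare running state with the desired-state baseline."""
    if host not in env.desired_ports:
        return False  # no baseline for this host, so drift is invisible to config management
    unexpected = env.running_ports.get(host, set()) - env.desired_ports[host]
    for p in sorted(unexpected):
        env.logs.append(f"host={host} event=drift port={p}")
    return bool(unexpected)


def soc_alert_raised(env, host, port):
    """Checkpoint 'Alert SOC?': constructed detection rule, fires on a deny or a drift event."""
    return any(
        f"host={host}" in line and f"port={port}" in line
        and ("action=deny" in line or "event=drift" in line)
        for line in env.logs
    )


def run_experiment(env, host, port):
    """Run one experiment; the returned report is what the team triages afterwards."""
    inject_misconfigured_port(env, host, port)
    checks = {
        "Firewall?": firewall_blocks(env, host, port),
        "Log data?": log_data_present(env, host, port),
        "Config Mgmt?": config_mgmt_detects_drift(env, host),
        "Alert SOC?": soc_alert_raised(env, host, port),
    }
    gaps = [name for name, held in checks.items() if not held]
    return {"host": host, "port": port, "hypothesis_held": not gaps, "checks": checks, "gaps": gaps}


if __name__ == "__main__":
    for target in ("web-01", "legacy-batch-01"):
        report = run_experiment(build_env(), target, 9000)
        verdict = "held" if report["hypothesis_held"] else "FAILED, gaps: " + ", ".join(report["gaps"])
        print(f"{target}: hypothesis {verdict}")
```

On the managed host every checkpoint holds; on the unmanaged legacy host the port is logged but neither blocked, flagged as drift nor alerted on, which is the "Wait..." moment the slide is pointing at.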
Getting Started with Security Chaos Engineering
Released!
Test your security before someone else does!
Software Testing                      | Security Chaos Engineering
Validates functional requirements     | Validates security requirements
Automated or Manual                   | Continuous Execution
Test-Driven Development opportunities | Ideal pre- and post-deployment validation
Test Opportunities
(Slide flow diagram labels, as on the hypothesis slide: Misconfigured Port Injection; Firewall?; Log data?; Config Mgmt?; Alert SOC?; IR Triage; Wait...)
Conclusion
The case for Security Chaos Engineering to improve Resilience
Thank You!
RSAC 365 2021 Virtual Summit Spotlite Presentation on Security Chaos Engineering