ChaoSlingr: Introducing Security-Based Chaos Testing

•

2 likes•318 views

ChaoSlingr introduces the discipline of security testing into chaos engineering with the focus on driving failure out of the model and going beyond the reactive processes that currently dominate traditional security testing methodology. (Source: RSA Conference USA 2018)

Technology

SESSION ID:
#RSAC
Aaron Rinehart
ChaoSlingr: Introducing Security-Based
Chaos Testing
CSV-W04
Chief Enterprise Security Architect
UnitedHealth Group
Grayson Brewer
IT Security Consultant
UnitedHealth Group

#RSAC
Security + Chaos = Security Experimentation
2

#RSAC
A Tool to Build or a Weapon to Destroy?
7

#RSAC
Where do Security Failures come from?
12

#RSAC
The Gap b/t Modern Software & Security
13

#RSAC
So in fact do we identify Security Failures?
21

#RSAC
It worked for Rebel Alliance but not here
23

#RSAC
Build Confidence through Instrumentation
24

SecurityExperimentationSecurityExperimentation
THENEWPLAYBOOK

#RSAC
What's the Difference?
30
• Testing is assessment or validation of an expected
outcome
• Experimentation seeks to derive new insights and
information that were previously unknown

#RSAC
Security Experimentation: A Definition
31

#RSAC
32
• Drive out failure.
• Observe failure.
• Learn from failure.
• Build resilient systems.
Be Objective & Use Failure as a Tool

#RSAC
Why do it?
34
• Build Confidence in Security Measures
• Strengthen Incident Management
• Measure Incident Response Readiness
• Identify Security Failures within the Security Control Plane
• Proactively Detect Security Failures
• Measure Investments in Security Technology

#RSAC
Value of Game Day Exercises
36
• Provides Objective Measurement for Security Incident Response
• Identify Control Coverage Gaps
• Keeping the Team Sharp and “Battle Ready”
• Learn how your Security Really Works vs. How you Assume it Works.
“If you’re not cultivating a Learning Culture,
you wIll probably end up losing to someone
else who is.”

#RSAC
Open Source Security Experimentation Tool
37

#RSAC
FYI ChaoSlingr is on Github (FREE!)
39

#RSAC
An Example Experiment Using ChaoSlingr
40

#RSAC
Summary: Takeaways
43
• Security Problems in
Distributed Systems
• Chaos Engineering
• Security Experimentation
• ChaoSlingr: Open Source Tool
• Think Differently, Be Objective

#RSAC
Apply What You Have Learned Today
44
• Next week you should:
• Start asking yourself the Right Questions
• Go to Github and check out ChaoSlingr
• Find out if your organization has an Site Reliability Engineer and tell them what you learned in this talk.
• In the first three months following this presentation you should:
• Conduct your first GameDay Exercise and manual Security Chaos Experiment
• Attend a Chaos Engineering Community Event near you
• Within six months you should:
• Write your own experiments for ChaoSlingr or your own tool.
• Run your first automated Security Chaos Experiment

#RSAC
The New Normal: Continuous Evolution
45

#RSAC
Questions
@aaronrinehart
@BrewerSecurity
Hit us with some questions

What's hot

Stephen Sadowski - Securely automating infrastructure in the cloud

DevSecCon

Auditors can have a significant positive impact on Cybersecurity. This slide deck is from a sold out presentation on Azure for Auditors for ISACA and IIA in Seattle. How can auditors help cloud security? What should auditors and those performing cloud security assessments consider when evaluating cloud security on Azure? If you'd like to learn more check out my cybersecurity classes at https://2ndsightlab.com

Azure for Auditors

Teri Radichel

Human errors and misconfiguration-based vulnerabilities have become a major cause of data breaches and other forms of security attacks in cloud-native infrastructure (CNI). The dynamic and complex nature of CNI and the underlying distributed systems further complicate these challenges. Hence, novel security mechanisms are imperative to overcome these challenges. Such mechanisms must be customer-centric, continuous, not focused on traditional security paradigms like intrusion detection. We tackle these security challenges via Risk-driven Fault Injection (RDFI), a novel application of cyber security to chaos engineering. Chaos engineering concepts (e.g. Netflix’s Chaos Monkey) have become popular since they increase confidence in distributed systems by injecting non-malicious faults (essentially addressing availability concerns) via experimentation techniques. RDFI goes further by adopting security-focused approaches by injecting security faults that trigger security failures which impact on integrity, confidentiality, and availability. Safety measures are also employed such that impacted environments can be reversed to secure states. Therefore, RDFI improves security and resilience drastically, in a continuous and efficient manner and extends the benefts of chaos engineering to cyber security. We have researched and implemented a proof-of-concept for RDFI that targets multi-cloud enterprise environments deployed on AWS and Google cloud platform.

Chaos engineering for cloud native security

Kennedy

We’ve got more assets in the cloud than ever. Unfortunately, we also have less visibility and control in these environments, as well. Implementing detection and response controls that leverage cloud provider tools and controls, as well as automation strategies and processes, is critical for effective incident detection and response in hybrid cloud environments. This session will get you started! (Source: RSA Conference USA 2018)

Incident response-in-the-cloud

Priyanka Aash

The SDLC has been the model for web application security over the last decade. However, the SDLC was originally designed in a Waterfall world and often causes more problems than it solves in the shift to agile, DevOps and CI/CD. This talk will share actionable tips on the most effective application security techniques in today’s increasingly rapid environment of application creation and delivery. (Source : RSA Conference USA 2017)

Practical appsec lessons learned in the age of agile and DevOps

Priyanka Aash

Top 5 Priorities for Cloud Security

Teri Radichel

Navigating the Unknowable: Resilience through Security Chaos Engineering When applied to Cyber Security, Chaos Engineering is advancing our ability to reveal objective information about the effectiveness of operational security measures proactively through empirical experimentation. In this session we will introduce the core concepts behind this new technique and how you can get started in building and applying it.

RSAC 365 2021 Virtual Summit Spotlite Presentation on Security Chaos Engineering

Aaron Rinehart

AllDayDevOps 2019 AppSensor

jtmelton

Elizabeth Lawler - Devops, security, and compliance working in unison

DevSecCon

AllDayDevOps Security Chaos Engineering 2019

Aaron Rinehart

There’s no guarantee that software will ever be free from vulnerabilities, whether it is open source or proprietary, but there is still plenty we can do. The Linux Foundation CTO Nicko van Someren will discuss new tools and techniques that help improve the security and quality of open source projects, presenting data from various open source projects including pre- and post-Heartbleed OpenSSL. (Source : RSA Conference USA 2017)

Collaborative security : Securing open source software

Priyanka Aash

Many companies establish their Secure Development Lifecycle. The adoption of it crucial especially for corporations with dozens of applications. The main challenges they face are the diversity of architecture, dev languages, methodologies, compliance, regulations, etc. This talk will shed light on scaling up and out the application security capabilities and maximizing the software security maturity. (Source : RSA Conference USA 2017)

Securing 100 products - How hard can it be?

Priyanka Aash

Estimating Development Security Maturity in About an Hour

Priyanka Aash

DevSecOps in Baby Steps

Priyanka Aash

This talk will detail knowledge gained from years spent building runtime application self-protection technology. RASP sounds like a silver bullet—security pixie dust that protects vulnerable code. But does it solve real problems? Who integrates and operates it? Is it fast enough? Accurate enough? Reliable enough? Will answering these questions change your thinking on RASP? (Source : RSA Conference USA 2017)

Lessons from a recovering runtime application self protection addict

Priyanka Aash

Making the Shift from DevOps to Practical DevSecOps | Sumo Logic Webinar

Sumo Logic

[OPD 2019] Governance as a missing part of IT security architecture

OWASP

Designing a secure DevOps workflow is tough: Developers, testers, IT security teams, and managers all have different control points within the software development lifecycle. Additionally, each application in development and production has a unique profile and features. Then you have the different types of organizations which have different maturity levels and needs: Retail has different day-to-day priorities than Finance or Healthcare, although all industries are united by a need to defend against the current threat landscape of data breaches and ransomware. How do you find the right touch points? How do you build application security into your DevOps workflow successfully, turning the workflow from a process into a program?

Take Control: Design a Complete DevSecOps Program

Deborah Schalm

Modern systems pose a number of thorny challenges and securing the transformation from legacy monolithic systems to distributed systems demands a change in mindset and engineering toolkit. The security engineering toolkit is unfortunately out-of-style and outdated with today's approach to building, security and operating distributed systems. Distributed systems at scale have unpredictable and complex outcomes that are costly when security incidents occur. The speed, scale, and complex operations within microservice architectures make them tremendously difficult for humans to mentally model their behavior. If the latter is even remotely true how is it possible to adequately secure services that are not even fully comprehended by the engineering teams that built them. How do we realign the actual state of operational security measures to maintain an acceptable level of confidence that our security actually works.

Pivotal APJ Security Chaos Engineering

Aaron Rinehart

Extending Amazon GuardDuty with Cloud Insight Essentials

Alert Logic

What's hot (20)

Stephen Sadowski - Securely automating infrastructure in the cloud

Azure for Auditors

Chaos engineering for cloud native security

Incident response-in-the-cloud

Practical appsec lessons learned in the age of agile and DevOps

Top 5 Priorities for Cloud Security

RSAC 365 2021 Virtual Summit Spotlite Presentation on Security Chaos Engineering

AllDayDevOps 2019 AppSensor

Elizabeth Lawler - Devops, security, and compliance working in unison

AllDayDevOps Security Chaos Engineering 2019

Collaborative security : Securing open source software

Securing 100 products - How hard can it be?

Estimating Development Security Maturity in About an Hour

DevSecOps in Baby Steps

Lessons from a recovering runtime application self protection addict

Making the Shift from DevOps to Practical DevSecOps | Sumo Logic Webinar

[OPD 2019] Governance as a missing part of IT security architecture

Take Control: Design a Complete DevSecOps Program

Pivotal APJ Security Chaos Engineering

Extending Amazon GuardDuty with Cloud Insight Essentials

Similar to ChaoSlingr: Introducing Security-Based Chaos Testing

Security precognition chaos engineering in incident response

Priyanka Aash

A discussion of the real-world work and challenges to introduce and maintain a comprehensive security program to a large and complex set of legacy storage products. This includes developing a security architecture, vulnerability response, pushing for necessary security enhancements and application security. In this session, you will hear about which efforts worked well and which didn’t. (Source: RSA USA 2016-San Francisco)

Introducing a Security Program to Large Scale Legacy Products

Priyanka Aash

Threat Intelligence Is Like Three Day Potty Training

Priyanka Aash

Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...

SeniorStoryteller

Too often security is reviewed at the end of the vendor selection process. It ends up blocking projects moving forward as you identify issues with already selected vendors. Reverse the process with security considered early and business teams can avoid investing precious time on unsuitable vendor candidates and get rankings for suitable ones. This session will show you how using real examples. (Source: RSA USA 2016-San Francisco)

Vendor Security Practices: Turn the Rocks Over Early and Often

Priyanka Aash

str-f02-vendor_security_practices-turn_the_rocks_over_early_and_often

Michael Hammer

Exploring the Real-World Application Security Top 10

Priyanka Aash

Understanding what you own is step one in securing your assets. A simple concept that still escapes the grasp of most, and it’s getting harder in a cloud-enabled world. Despite this struggle there’s a plethora of APIs and publicly available data to give you a jumpstart on identifying high-risk assets. This session will share techniques and tools to gather data and identify unknown risks. Learning Objectives: 1: Learn about sources and methods to identify public, unknown assets. 2: Gain access to OSS tooling allowing defenders to operationalize asset inventory process. 3: Learn to apply risk methods using public data attributes to understand quantitative risk. (Source: RSA Conference USA 2018)

Recon for the Defender: You Know Nothing (about Your Assets), Jon Snow

Priyanka Aash

RSA 2018: Recon For the Defender - You know nothing (about your assets)

Jonathan Cran

Developers should be the first line of security defense. Security teams purchase secure coding classes and claim success. Hours of training does not change the developer mindset. When developers hear security, they respond as either unlearned, overworked, apathetic or gung ho. This session will explore why developers reject security and will provide a programmatic approach to answer the challenges. (Source : RSA Conference USA 2017)

How to transform developers into security people

Priyanka Aash

Less tech more talk the future of the ciso role

Priyanka Aash

PayPal delivers secure payment solutions across the world. Managing the security of customer data is expected across the financial services industry. This talk will focus on real-world strategies that PayPal has employed within our data environment, all while supporting multiple “As a Service,” “World-wide Scale,” “NoSQL” and “Cloud” technologies within a 10+-year-old company. (Source: RSA USA 2016-San Francisco)

Realities of Data Security

Priyanka Aash

RSA 2016 Realities of Data Security

Scott Carlson

Embedded Systems Security: Building a More Secure Device

Priyanka Aash

Embedded Systems Security: Building a More Secure Device

Priyanka Aash

BSides Vienna 2015

Daniel Liber

The connected world is a dangerous place. CISOs must lead their companies to adopt safe business practices. How should you proceed? IANS reveals the secrets of high-performing CISOs by drilling into findings from CISO ImpactTM, a framework of best practices and diagnostic data gleaned from over 1000 organizations. Armed with strong guidance, CISOs can chart their own paths to leadership. (Source : RSA Conference USA 2017)

The five secrets of high performing cisos

Priyanka Aash

Security professionals often call people “the weakest link.” We claim that they'll always make mistakes, however hard we try, and throw up our hands. But the simple truth is that we can help people do well at a wide variety of security tasks, and it’s easy to get started. Building on work in usable security and threat modeling, this session will give you actionable, proven ways to secure people. (Source: RSA USA 2016-San Francisco)

Securing the “Weakest Link”

Priyanka Aash

As attacker tactics, techniques and procedures evolve, so must the defenses and strategy used to defend against them. Traditional red teaming presents an opportunity to find gaps in security, but leaves more valuable information unabsorbed. Results and methodologies used in red team assessments can drive protections in place use by blue teams and a larger program and vice versa. (Source: RSA USA 2016-San Francisco)

The Rise of the Purple Team

Priyanka Aash

Demystifying Security Analytics: Data, Methods, Use Cases

Priyanka Aash

Similar to ChaoSlingr: Introducing Security-Based Chaos Testing (20)

Security precognition chaos engineering in incident response

Introducing a Security Program to Large Scale Legacy Products

Threat Intelligence Is Like Three Day Potty Training

Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...

Vendor Security Practices: Turn the Rocks Over Early and Often

str-f02-vendor_security_practices-turn_the_rocks_over_early_and_often

Exploring the Real-World Application Security Top 10

Recon for the Defender: You Know Nothing (about Your Assets), Jon Snow

RSA 2018: Recon For the Defender - You know nothing (about your assets)

How to transform developers into security people

Less tech more talk the future of the ciso role

Realities of Data Security

RSA 2016 Realities of Data Security

Embedded Systems Security: Building a More Secure Device

BSides Vienna 2015

The five secrets of high performing cisos

Securing the “Weakest Link”

The Rise of the Purple Team

Demystifying Security Analytics: Data, Methods, Use Cases

More from Priyanka Aash

Digital Personal Data Protection (DPDP) Practical Approach For CISOs

Priyanka Aash

Verizon Breach Investigation Report (VBIR).pdf

Priyanka Aash

Top 10 Security Risks .pptx.pdf

Priyanka Aash

Simplifying data privacy and protection.pdf

Priyanka Aash

Generative AI and Security (1).pptx.pdf

Priyanka Aash

EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf

Priyanka Aash

DPDP Act 2023.pdf

Priyanka Aash

Cyber Truths_Are you Prepared version 1.1.pptx.pdf

Priyanka Aash

Cyber Crisis Management.pdf

Priyanka Aash

CISOPlatform journey.pptx.pdf

Priyanka Aash

Chennai Chapter.pptx.pdf

Priyanka Aash

Cloud attack vectors_Moshe.pdf

Priyanka Aash

Stories From The Web 3 Battlefield

Priyanka Aash

Lessons Learned From Ransomware Attacks

Priyanka Aash

Emerging New Threats And Top CISO Priorities In 2022 (Chennai)

Priyanka Aash

Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)

Priyanka Aash

Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)

Priyanka Aash

Cloud Security Groups are the firewalls of the cloud. They are built-in and provide basic access control functionality as part of the shared responsibility model. However, Cloud Security Groups do not provide the same protection or functionality that enterprises have come to expect with on-premises deployments. In this talk we will discuss the top cloud risks in 2020, why perimeters are a concept of the past and how in the world of no perimitiers do Cloud Security groups, the "Cloud FIrewalls", fit it. We will practically explore Cloud Security Group limitations across different cloud setups from a single vNet to multi-cloud

Cloud Security: Limitations of Cloud Security Groups and Flow Logs

Priyanka Aash

Most organizations have good enterprise-level security policies that define their approach to maintaining, improving, and securing their information and information systems. However, once the policies are signed by senior leadership and distributed throughout the organization, significant cybersecurity governance challenges remain. In this workshop I will explain the transforming organizational security to strengthen defenses and integrate cybersecurity with the overall approach toward security governance, risk management and compliance.

Cyber Security Governance

Priyanka Aash

The Internet is home to seemingly infinite amounts of confidential and personal information. As a result of this mass storage of information, the system needs to be constantly updated and enforced to prevent hackers from retrieving such valuable and sensitive data. This increasing number of cyber-attacks has led to an increasing importance of Ethical Hacking. So Ethical hackers' job is to scan vulnerabilities and to find potential threats on a computer or networks. An ethical hacker finds the weakness or loopholes in a computer, web applications or network and reports them to the organization. It requires a thorough knowledge of Networks, web servers, computer viruses, SQL (Structured Query Language), cryptography, penetration testing, Attacks etc. In this session, you will learn all about ethical hacking. You will understand the what ethical hacking, Cyber- attacks, Tools and some hands-on demos. This session will also guide you with the various ethical hacking certifications available today.

Ethical Hacking

Priyanka Aash

More from Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs

Verizon Breach Investigation Report (VBIR).pdf

Top 10 Security Risks .pptx.pdf

Simplifying data privacy and protection.pdf

Generative AI and Security (1).pptx.pdf

EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf

DPDP Act 2023.pdf

Cyber Truths_Are you Prepared version 1.1.pptx.pdf

Cyber Crisis Management.pdf

CISOPlatform journey.pptx.pdf

Chennai Chapter.pptx.pdf

Cloud attack vectors_Moshe.pdf

Stories From The Web 3 Battlefield

Lessons Learned From Ransomware Attacks

Emerging New Threats And Top CISO Priorities In 2022 (Chennai)

Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)

Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)

Cloud Security: Limitations of Cloud Security Groups and Flow Logs

Cyber Security Governance

Ethical Hacking

Recently uploaded

presentation ICT roal in 21st century education

jfdjdjcjdnsjd

🐬 The future of MySQL is Postgres 🐘

RTylerCroy

The value of a flexible API Management solution for Open Banking Steve Melan, Manager for IT Innovation and Architecture - State's and Saving's Bank of Luxembourg Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The value of a flexible API Management solution for O...

apidays

Imagine a world where information flows as swiftly as thought itself, making decision-making as fluid as the data driving it. Every moment is critical, and the right tools can significantly boost your organization’s performance. The power of real-time data automation through FME can turn this vision into reality. Aimed at professionals eager to leverage real-time data for enhanced decision-making and efficiency, this webinar will cover the essentials of real-time data and its significance. We’ll explore: FME’s role in real-time event processing, from data intake and analysis to transformation and reporting An overview of leveraging streams vs. automations FME’s impact across various industries highlighted by real-life case studies Live demonstrations on setting up FME workflows for real-time data Practical advice on getting started, best practices, and tips for effective implementation Join us to enhance your skills in real-time data automation with FME, and take your operational capabilities to the next level.

From Event to Action: Accelerate Your Decision Making with Real-Time Automation

Safe Software

Tech Trends Report 2024 Future Today Institute.pdf

hans926745

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Martijn de Jong

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

Advantages of Hiring UIUX Design Service Providers for Your Business

Pixlogix Infotech

GenCyber Cyber Security Day Presentation

Michael W. Hawkins

Partners Life - Insurer Innovation Award 2024

The Digital Insurer

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

MySQL Webinar, presented on the 25th of April, 2024. Summary: MySQL solutions enable the deployment of diverse Database Architectures tailored to specific needs, including High Availability, Disaster Recovery, and Read Scale-Out. With MySQL Shell's AdminAPI, administrators can seamlessly set up, manage, and monitor these solutions, ensuring efficiency and ease of use in their administration. MySQL Router, on the other hand, provides transparent routing from the application traffic to the backend servers in the architectures, requiring minimal configuration. Completely built in-house and supported by Oracle, these solutions have been adopted by enterprises of all sizes for their business-critical applications. In this presentation, we'll delve into various database architecture solutions to help you choose the right one based on your business requirements. Focusing on technical details and the latest features to maximize the potential of these solutions.

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Miguel Araújo

Histor y of HAM Radio presentation slide

vu2urc

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc

Finology Group – Insurtech Innovation Award 2024

The Digital Insurer

[2024]Digital Global Overview Report 2024 Meltwater.pdf

hans926745

What is a good lead in your organisation? Which leads are priority? What happens to leads? When sales and marketing give different answers to these questions, or perhaps aren't sure of the answers at all, frustrations build and opportunities are left on the table. Join us for an illuminating session with Cian McLoughlin, HubSpot Principal Customer Success Manager, as we look at that crucial piece of the customer journey in which leads are transferred from marketing to sales.

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx

HampshireHUG

Recently uploaded (20)

presentation ICT roal in 21st century education

🐬 The future of MySQL is Postgres 🐘

Apidays New York 2024 - The value of a flexible API Management solution for O...

From Event to Action: Accelerate Your Decision Making with Real-Time Automation

Tech Trends Report 2024 Future Today Institute.pdf

2024: Domino Containers - The Next Step. News from the Domino Container commu...

How to Troubleshoot Apps for the Modern Connected Worker

AWS Community Day CPH - Three problems of Terraform

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

Advantages of Hiring UIUX Design Service Providers for Your Business

GenCyber Cyber Security Day Presentation

Partners Life - Insurer Innovation Award 2024

How to Troubleshoot Apps for the Modern Connected Worker

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Histor y of HAM Radio presentation slide

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

Finology Group – Insurtech Innovation Award 2024

[2024]Digital Global Overview Report 2024 Meltwater.pdf

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx

ChaoSlingr: Introducing Security-Based Chaos Testing

1. SESSION ID: #RSAC Aaron Rinehart ChaoSlingr: Introducing Security-Based Chaos Testing CSV-W04 Chief Enterprise Security Architect UnitedHealth Group Grayson Brewer IT Security Consultant UnitedHealth Group

2. #RSAC Security + Chaos = Security Experimentation 2

3. #RSAC About Aaron 3

4. #RSAC About Grayson 4

5. #RSAC Overview UnitedHealth Group 5

6. #RSAC Outline 6

7. #RSAC A Tool to Build or a Weapon to Destroy? 7

8. #RSAC The Reality is…... 8

9. #RSAC Failure is Necessary 9

10. #RSAC 10

11. #RSAC Revisiting the Problem 11

12. #RSAC Where do Security Failures come from? 12

13. #RSAC The Gap b/t Modern Software & Security 13

14. #RSAC Distributed Systems Are Tricky 14

15. #RSAC Distributed Systems Are Tricky 15

16. #RSAC Don't Drift into the Unknown 16

17. #RSAC Ask Better Questions 17

18. #RSAC Ask yourself……... 18

19. #RSAC Ask yourself……... 19

20. #RSAC Ask yourself……... 20

21. #RSAC So in fact do we identify Security Failures? 21

22. #RSAC Its toooooo late….. 22

23. #RSAC It worked for Rebel Alliance but not here 23

24. #RSAC Build Confidence through Instrumentation 24

25. #RSAC What is Chaos Engineering? 25

26. #RSAC A brief history of Chaos 26

27. SecurityExperimentationSecurityExperimentation THENEWPLAYBOOK

28. #RSAC Do Less, Better 28

29. #RSAC The New Playbook 29

30. #RSAC What's the Difference? 30 • Testing is assessment or validation of an expected outcome • Experimentation seeks to derive new insights and information that were previously unknown

31. #RSAC Security Experimentation: A Definition 31

32. #RSAC 32 • Drive out failure. • Observe failure. • Learn from failure. • Build resilient systems. Be Objective & Use Failure as a Tool

33. #RSAC Build a Learning Culture 33

34. #RSAC Why do it? 34 • Build Confidence in Security Measures • Strengthen Incident Management • Measure Incident Response Readiness • Identify Security Failures within the Security Control Plane • Proactively Detect Security Failures • Measure Investments in Security Technology

35. #RSAC GameDays + Post Mortem 35

36. #RSAC Value of Game Day Exercises 36 • Provides Objective Measurement for Security Incident Response • Identify Control Coverage Gaps • Keeping the Team Sharp and “Battle Ready” • Learn how your Security Really Works vs. How you Assume it Works. “If you’re not cultivating a Learning Culture, you wIll probably end up losing to someone else who is.”

37. #RSAC Open Source Security Experimentation Tool 37

38. #RSAC So, eh, what is it exactly 38

39. #RSAC FYI ChaoSlingr is on Github (FREE!) 39

40. #RSAC An Example Experiment Using ChaoSlingr 40

41. #RSAC An Example Security Experiment 41

42. #RSAC How the experiment works 42

43. #RSAC Summary: Takeaways 43 • Security Problems in Distributed Systems • Chaos Engineering • Security Experimentation • ChaoSlingr: Open Source Tool • Think Differently, Be Objective

44. #RSAC Apply What You Have Learned Today 44 • Next week you should: • Start asking yourself the Right Questions • Go to Github and check out ChaoSlingr • Find out if your organization has an Site Reliability Engineer and tell them what you learned in this talk. • In the first three months following this presentation you should: • Conduct your first GameDay Exercise and manual Security Chaos Experiment • Attend a Chaos Engineering Community Event near you • Within six months you should: • Write your own experiments for ChaoSlingr or your own tool. • Run your first automated Security Chaos Experiment

45. #RSAC The New Normal: Continuous Evolution 45

46. #RSAC Questions @aaronrinehart @BrewerSecurity Hit us with some questions

ChaoSlingr: Introducing Security-Based Chaos Testing

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to ChaoSlingr: Introducing Security-Based Chaos Testing

Similar to ChaoSlingr: Introducing Security-Based Chaos Testing (20)

More from Priyanka Aash

More from Priyanka Aash (20)

Recently uploaded

Recently uploaded (20)

ChaoSlingr: Introducing Security-Based Chaos Testing