ChaoSlingr: Introducing Security-Based Chaos Testing
2 likes335 views
The document outlines a presentation on security-based chaos testing by Aaron Rinehart and Grayson Brewer, focusing on enhancing security through experimentation. It emphasizes the need to understand and utilize failure as a tool to build resilient systems in distributed environments, while introducing an open-source tool called Chaoslingr. The presenters encourage the audience to adopt a culture of learning and to actively engage in security experiments to improve incident response and readiness.
ChaoSlingr: Introducing Security-Based Chaos Testing
- 1. SESSION ID: #RSAC Aaron Rinehart ChaoSlingr: Introducing Security-Based Chaos Testing CSV-W04 Chief Enterprise Security Architect UnitedHealth Group Grayson Brewer IT Security Consultant UnitedHealth Group
- 2. #RSAC Security + Chaos = Security Experimentation 2
- 7. #RSAC A Tool to Build or a Weapon to Destroy? 7
- 10. #RSAC 10
- 12. #RSAC Where do Security Failures come from? 12
- 13. #RSAC The Gap b/t Modern Software & Security 13
- 14. #RSAC Distributed Systems Are Tricky 14
- 15. #RSAC Distributed Systems Are Tricky 15
- 16. #RSAC Don't Drift into the Unknown 16
- 21. #RSAC So in fact do we identify Security Failures? 21
- 23. #RSAC It worked for Rebel Alliance but not here 23
- 24. #RSAC Build Confidence through Instrumentation 24
- 25. #RSAC What is Chaos Engineering? 25
- 26. #RSAC A brief history of Chaos 26
- 30. #RSAC What's the Difference? 30 • Testing is assessment or validation of an expected outcome • Experimentation seeks to derive new insights and information that were previously unknown
- 31. #RSAC Security Experimentation: A Definition 31
- 32. #RSAC 32 • Drive out failure. • Observe failure. • Learn from failure. • Build resilient systems. Be Objective & Use Failure as a Tool
- 33. #RSAC Build a Learning Culture 33
- 34. #RSAC Why do it? 34 • Build Confidence in Security Measures • Strengthen Incident Management • Measure Incident Response Readiness • Identify Security Failures within the Security Control Plane • Proactively Detect Security Failures • Measure Investments in Security Technology
- 35. #RSAC GameDays + Post Mortem 35
- 36. #RSAC Value of Game Day Exercises 36 • Provides Objective Measurement for Security Incident Response • Identify Control Coverage Gaps • Keeping the Team Sharp and “Battle Ready” • Learn how your Security Really Works vs. How you Assume it Works. “If you’re not cultivating a Learning Culture, you wIll probably end up losing to someone else who is.”
- 37. #RSAC Open Source Security Experimentation Tool 37
- 38. #RSAC So, eh, what is it exactly 38
- 39. #RSAC FYI ChaoSlingr is on Github (FREE!) 39
- 40. #RSAC An Example Experiment Using ChaoSlingr 40
- 41. #RSAC An Example Security Experiment 41
- 42. #RSAC How the experiment works 42
- 43. #RSAC Summary: Takeaways 43 • Security Problems in Distributed Systems • Chaos Engineering • Security Experimentation • ChaoSlingr: Open Source Tool • Think Differently, Be Objective
- 44. #RSAC Apply What You Have Learned Today 44 • Next week you should: • Start asking yourself the Right Questions • Go to Github and check out ChaoSlingr • Find out if your organization has an Site Reliability Engineer and tell them what you learned in this talk. • In the first three months following this presentation you should: • Conduct your first GameDay Exercise and manual Security Chaos Experiment • Attend a Chaos Engineering Community Event near you • Within six months you should: • Write your own experiments for ChaoSlingr or your own tool. • Run your first automated Security Chaos Experiment
- 45. #RSAC The New Normal: Continuous Evolution 45
- 46. #RSAC Questions @aaronrinehart @BrewerSecurity Hit us with some questions