Security & Chaos Engineering: A Novel Approach to Crafting Secure and Resilient Distributed Systems

Presented at Global AppSec - DC 2019, Sept. 12, 2019, 10:30 a.m. (45 minutes)

Security today is customarily a reactive and chaotic exercise. Modern systems pose a number of thorny challenges, and securing the transformation from legacy monolithic systems to distributed systems demands a change in mindset and engineering toolkit. The security engineering toolkit is unfortunately out of style and outdated relative to today's approach to building, securing and operating distributed systems. Distributed systems at scale have unpredictable and complex outcomes that are costly when security incidents occur. The speed, scale, and complex operations within microservice architectures make it tremendously difficult for humans to mentally model their behavior.

What if you could flip a security incident scenario on its head and drive it in reverse? Chaos Engineering allows security teams to proactively experiment on recurring incident patterns to derive new information about underlying factors that were previously unknown, by reversing the postmortem and preparation phases. This is done by developing live-fire exercises that can be measured, managed, and automated. Contrary to Red/Purple Team game days, chaos engineering does not use threat actor tactics, techniques, and procedures. It develops teams by building a learning culture around system failure, challenging engineering teams to discover new insights on how they can improve their applied security.

People operate differently when they expect things to fail. Additionally, teams are more likely to keep an open mind about what is actually causing those things to fail when they are not fighting fires. There is a fundamental shift in mental focus and operational momentum that drives teams to put the fire out rather than thoroughly examine what caused the incident to begin with. As far as we know, Chaos Engineering is the only proactive mechanism for detecting availability and security incidents before they happen.

Security Chaos Engineering allows teams to proactively and safely discover system weaknesses before they disrupt business outcomes. In this session, we will introduce a new concept known as Security Chaos Engineering and how it can be applied to create highly secure, performant, and resilient distributed systems.

Presenters:

  • Aaron - Verica
    Aaron is best known for expanding the possibilities of Chaos Engineering by applying it to other safety-critical portions of the IT domain, notably cybersecurity. He began pioneering the application of Security in Chaos Engineering during his tenure as the Chief Security Architect at the largest private healthcare company in the world, UnitedHealth Group (UHG). While at UHG, Aaron released ChaoSlingr, one of the first open source software releases focused on using Chaos Engineering in cybersecurity to build more resilient systems. Aaron recently founded a Chaos Engineering startup called Verica with Casey Rosenthal from Netflix and is a frequent author, consultant and speaker in the space.
