aaronrinehart verica io chaosengineering aaronrinehart

@aaronrinehart @verica_io #chaosengineering @aaronrinehart - PowerPoint PPT Presentation

Jul 20, 2023 •40 likes •750 views

@aaronrinehart @verica_io #chaosengineering @aaronrinehart @verica_io #chaosengineering CONFIDENTIAL Security Precognition @aaronrinehart @verica_io #chaosengineering Resilience is the story of the outage that never happened. - John

  1. @aaronrinehart @verica_io #chaosengineering

  2. @aaronrinehart @verica_io #chaosengineering

  3. CONFIDENTIAL

  4. Security Precognition @aaronrinehart @verica_io #chaosengineering

  5. “Resilience is the story of the outage that never happened.” - John Allspaw @aaronrinehart

  6. About A.A.Ron CTO of Stealthy Startup ● Former Chief Security Architect ● @UnitedHealth responsible for security engineering strategy Led the DevOps and Open Source ● Transformation at UnitedHealth Group Former (DOD, NASA, DHS, CollegeBoard ) ● Frequent speaker and author on Chaos ● Engineering & Security Pioneer behind Security Chaos Engineering ● Led ChaoSlingr team at UnitedHealth ● 6

  7. In this Session we will cover

  8. Our systems have evolved beyond human ability to mentally model their behavior. 8

  9. Our systems have evolved beyond human ability to mentally model their behavior. everyone 9

  11. Complex? Microservice Continuous Distribute Architectures Delivery d Systems Automation Pipelines Containers Continuous Blue/Green DevOps Integration Deployments Immutable Cloud Infrastructure Infracode CI/CD Computing Service Mesh Auto Canaries API Circuit Breaker Patterns 11

  12. Security? Stateful in Mostly Expert nature Monolithic Systems Prevention Adversary Poorly focused Focused Aligned DevSecOps Defense Requires not widely in Depth Domain adopted Knowledge 12

  13. Simplify?

  14. Software Only Increases in Complexity

  15. Software Complexity Essential Accidental Complexity Complexity

  16. Woods Theorem: “As the complexity of a system increases, the accuracy of any single agent’s own model of that system decreases” - Dr. David Woods

  17. How well do you really understand how your system works?

  18. Difficult to Grok behavior

  19. So what does all of this have to do with Security?

  20. Failure Happens.

  21. Incidents & System Outages are Expensive

  22. Security Incidents are Subjective in Nature

  23. We really don't know very much Who? Where? Why? What? How?

  24. Lets face it, when outages happen…..

  25. Teams spend too much time reacting to outages instead of building more resilient systems .

  26. “Response” is the problem with Incident Response

  27. “Chaos Engineering is the discipline of experimenting on a distributed system in order to build confidence in the system’s ability to withstand turbulent conditions”

  30. P Ch A A Control A Experiment

  31. Who is doing Chaos?

  33. Security Engineering

  34. Security Engineering

  35. People Operate Differently when they expect things to fail

  38. The Normal Condition of a Human & Systems they Build is to FAIL

  39. We need failure to Learn & Grow 39

  40. Lets Flip the Model Post Mortem = Preparation

  41. Bring Order through Chaos

  42. Use Chaos Engineering to initiate Objective Feedback Loops about Security Effectiveness

  43. Proactively Manage & Measure Validate Runbooks Measure Team Skills Determine Control Effectiveness Learn new insights into system behavior Transfer knowledge Build a learning culture

  44. Testing vs. Experimentation

  45. Security Crayon Differences Noisy distributed system behavior Not geared for Cascading Events Point-in-time even if Automated Performed by Security Teams with Specialized skill sets

  46. Security Chaos Differences Distributed Systems Focus Goal: Experimentation Human Factors focused Small Isolated Scope Focus on Cascading Events Performed by Mixed Engineering Teams in Gameday During business hours

  47. 2018 Causes of Data Breaches

  48. 2018 Causes of Data Breaches

  49. 2018 Causes of Data Breaches

  50. 2018 Causes of Data Breaches

  51. ‘Human Error’, Root Cause, & Blame Culture

  52. Proactively Manage & Measure

  53. Continuous SECURITY Validation

  54. Build Confidence in What Actually Works

  55. So how does it work?

  56. Stop looking for better answers and start asking better questions. - John Allspaw

  57. What is the system actually doing?

  58. What is the system actually doing? Has it done this before?

  59. What is the system actually doing? Has it done this before? Why is it behaving that way?

  60. What is the system actually doing? Has it done this before? Why is it behaving that way? What is it supposed to do next?

  61. What is the system actually doing? Has it done this before? Why is it behaving that way? What is it supposed to do next? How did it get into this state?

  62. How does My Security Really Work?

  63. What evidence do I have to prove it?

  64. An Open Source Tool 64

  65. ChaoSlingr Product Features Serverless App in AWS • ChatOps Integration • 100% Native AWS • Configuration-as-Code • Configurable Operational Mode & • Example Code & Open Framework • Frequency Opt-In | Opt-Out Model •

  66. Firewall? Config Log Alert IR Wait... Mgmt? data? SOC? Triage Misconfigured Port Injection Hypothesis: If someone accidentally or maliciously introduced a misconfigured port then we would immediately detect, block, and alert on the event.

  67. Firewall? Config Log Alert IR Wait... Mgmt? data? SOC? Triage Result: Hypothesis disproved. Firewall did not detect Misconfigured or block the change on all instances. Standard Port Port Injection AAA security policy out of sync on the Portal Team instances. Port change did not trigger an alert and log data indicated successful change audit. However we unexpectedly learned the configuration mgmt tool caught change and alerted the SoC.

  68. More Experiment Examples ● Software Secret Clear ● Internet exposed Text Disclosure Kubernetes API ● Permission collision in ● Unauthorized Bad Shared IAM Role Policy Container Repo ● Disabled Service Event ● Unencrypted S3 Bucket Logging ● Disable MFA ● Introduce Latency on ● Bad AWS Automated Block Security Controls Rule ● API Gateway Shutdown

  69. Q&A @aaronrinehart aaron@verica.io

  70. Thank you! @aaronrinehart aaron@verica.io

  71. CONFIDENTIAL

Recommend

P RIORITY MEDICINES FOR CHILDREN 2013 ACHIEVEMENTS SINCE 2004 AND AREAS FOR IMPROVEMENTS Verica

P RIORITY MEDICINES FOR CHILDREN 2013 ACHIEVEMENTS SINCE 2004 AND AREAS FOR IMPROVEMENTS Verica

P RIORITY MEDICINES FOR CHILDREN 2013 ACHIEVEMENTS SINCE 2004 AND AREAS FOR IMPROVEMENTS Verica Ivanovska WHO Collaborating Centre for Pharmacoepidemiology and Pharmaceutical Policy Analysis Winter Meeting 11 January 2013 P RESENTATION C ONTENT

721 views • 20 slides
Blue Sensors, Sensor Correlation, and Alert Fusion Al Valdes 10/4/00 Event Processing,

Blue Sensors, Sensor Correlation, and Alert Fusion Al Valdes 10/4/00 Event Processing,

Blue Sensors, Sensor Correlation, and Alert Fusion Al Valdes 10/4/00 Event Processing, Monitoring, and Correlation Note: Event counts Represent 6 weeks of Meta Alerts Meta Alert CSL Data (500) Fusion Other Monitors Alerts (1.5K)

842 views • 15 slides
Best Practices in Responding to Refugee and Migrant Health Challenges in Europe Report on the

Best Practices in Responding to Refugee and Migrant Health Challenges in Europe Report on the

14th Summer Institute on Migration and Global Health, July 2019 Best Practices in Responding to Refugee and Migrant Health Challenges in Europe Report on the Health of Refugees and Migrants in the WHO European Region Dr. Santino Severoni,

563 views • 20 slides
Migration Control General Theme Migration control policies often depend on perceptions of

Migration Control General Theme Migration control policies often depend on perceptions of

Migration Control General Theme Migration control policies often depend on perceptions of migrants rather than empirical data When Mexico sends its people, theyre not sending their best. Theyre not sending you. Theyre not sending

472 views • 20 slides
129 million people across the world are affected by the current humanitarian crisis

129 million people across the world are affected by the current humanitarian crisis

Making #RefugeesWelcome 129 million people across the world are affected by the current humanitarian crisis According to local Red Cross workers, it is not possible to calculate the number of refugees or asylum seekers there are

148 views • 12 slides
Belfast Port Health Our role & BREXIT City and Neighbourhood Services Department Belfast

Belfast Port Health Our role & BREXIT City and Neighbourhood Services Department Belfast

01/10/2018 Belfast Port Health Our role & BREXIT City and Neighbourhood Services Department Belfast Docks 1 01/10/2018 Belfast Port Health 70% of NIs seaborne trade 20% the island of Irelands trade 125,000 containers

436 views • 8 slides
Big Changes in Leasing Policy HEARTH Act was signed into law in 2012 BIA Leasing

Big Changes in Leasing Policy HEARTH Act was signed into law in 2012 BIA Leasing

4/15/2014 A WHOLE NEW BALLGAME Indian Leasing Under the HEARTH Act Bryan Newland Fletcher, PLLC bnewland@fletcherlawpllc.com Big Changes in Leasing Policy HEARTH Act was signed into law in 2012 BIA Leasing Regulations revised in 2012

380 views • 8 slides
!"#$%&#'($)*+",-'.*($',*/,%%(0(&('1

!"#$%&#'($)*+",-'.*($',*/,%%(0(&('1

!"#$%&#'($)*+",-'.*($',*/,%%(0(&('1 !"#$#%&#'()*+((,-")-"-(.//01-%$ 2")-%(3-%'(4%$&5&6&# 7-*(89:(;<8= A Place of Possibility !"#$%&'()*%&+",+ Population Growth

586 views • 14 slides
EMA/ IFAH Europe Info Day London, 8 March 2013 Presented by: Melanie Leivers, Head of

EMA/ IFAH Europe Info Day London, 8 March 2013 Presented by: Melanie Leivers, Head of

Variations and W ork-sharing Regulatory perspective EMA/ IFAH Europe Info Day London, 8 March 2013 Presented by: Melanie Leivers, Head of Veterinary Regulatory and Organisational Support 1 Areas to be covered: Possibility to w

732 views • 12 slides
A VIRTUAL CONFERENCE #EmERGeLeadership Leveraging Different Heritage Months to Build ONE

A VIRTUAL CONFERENCE #EmERGeLeadership Leveraging Different Heritage Months to Build ONE

A VIRTUAL CONFERENCE #EmERGeLeadership Leveraging Different Heritage Months to Build ONE Inclusive Culture QUINNIE WONG GLOBAL DIVERSITY & INCLUSION: BRANDING, COMMUNICATIONS, PARTNERSHIPS VERIZON #EmERGeLeadership How to measure

562 views • 7 slides
ICHEP MC Production Post-Mortem J-R Vlimant on behalf of everyone else Disclaimer

ICHEP MC Production Post-Mortem J-R Vlimant on behalf of everyone else Disclaimer

ICHEP MC Production Post-Mortem J-R Vlimant on behalf of everyone else Disclaimer Post-Mortem : is after death/end, while there are still MC samples being produced, as we speak. The body is still warm ! A full computing operation

249 views • 11 slides
HEALTHCARE REFORM WEBINAR SERIES PART 1 Melissa Gierach, Policy Advisor Washington, DC *This

HEALTHCARE REFORM WEBINAR SERIES PART 1 Melissa Gierach, Policy Advisor Washington, DC *This

HEALTHCARE REFORM WEBINAR SERIES PART 1 Melissa Gierach, Policy Advisor Washington, DC *This presentation is offered for informational purposes only, and the content should not be construed as legal advice on any matter. www.dlapiper.com

175 views • 6 slides
Outline SOFC Anode-supported Planar for IT-SOFC CGCRIs Current Activities

Outline SOFC Anode-supported Planar for IT-SOFC CGCRIs Current Activities

Outline SOFC Anode-supported Planar for IT-SOFC CGCRIs Current Activities Challenges Summary Advantage of Solid Oxide Fuel Cell Environment Friendly All solid state -- No NOx,SOx and particulate emissions

547 views • 40 slides
A posteriori error estimates Part II Complementary estimates Tom a s Vejchodsk y

A posteriori error estimates Part II Complementary estimates Tom a s Vejchodsk y

A posteriori error estimates Part II Complementary estimates Tom a s Vejchodsk y vejchod@math.cas.cz Institute of Mathematics, Academy of Sciences Zitn a 25, 115 67 Praha 1 Czech Republic E M H A A T T I C M S f

661 views • 37 slides
CONSIDERATIONS ON METHODOLOGY, STUDY DESIGN AND STATISTICAL APPROACHES Gerard PONS, MD, PhD

CONSIDERATIONS ON METHODOLOGY, STUDY DESIGN AND STATISTICAL APPROACHES Gerard PONS, MD, PhD

WORKSHOP ON REGULATORY AND SCIENTIFIC ISSUES RELATED TO THE INVESTIGATION OF MEDICINAL PRODUCTS INTENDED FOR NEONATAL USE EMEA London October 11, 2006 CONSIDERATIONS ON METHODOLOGY, STUDY DESIGN AND STATISTICAL APPROACHES Gerard PONS,

892 views • 57 slides
Using Data Dependent Noise to Aid Error Correction Manchester Conference Centre 14 th July 2005

Using Data Dependent Noise to Aid Error Correction Manchester Conference Centre 14 th July 2005

Signal Processing for Data Storage Using Data Dependent Noise to Aid Error Correction Manchester Conference Centre 14 th July 2005 Dr. Mohammed Zaki Ahmed email : mahmed@plymouth.ac.uk url : http://www.plymouth.ac.uk/staff/mahmed Centre for

311 views • 20 slides
Validation and quality control for InSAR using trihedral radar reflectors Delft University of

Validation and quality control for InSAR using trihedral radar reflectors Delft University of

Validation and quality control for InSAR using trihedral radar reflectors Delft University of Technology Petar Marinkovic, Gini Ketelaar, Freek van Leijen, Ramon Hanssen DEOS: Delft Institute of Earth Observation and Space Systems January 16,

325 views • 30 slides
Business Aviation point of view How can inspections help to solve the illegal operations issue?

Business Aviation point of view How can inspections help to solve the illegal operations issue?

Business Aviation point of view How can inspections help to solve the illegal operations issue? Belarmino GONALVES PARADELA EBAA Senior Manager Cologne, 25 th October 2012 What is Business Aviation in Europe Economic importance 650,000

435 views • 14 slides
Online shortterm heat load forecast An experimental investigation on greenhouses Pierre

Online shortterm heat load forecast An experimental investigation on greenhouses Pierre

Online shortterm heat load forecast An experimental investigation on greenhouses Pierre J.C. VoglerFinck (Neogrid, AAU) , Peder Bacher, Henrik Madsen (DTU) 12/09/2017 4DH Conference Copenhagen Greenhouses are major, sensitive

265 views • 14 slides
Springing the Delaware Tax Trap: Drafting Limited Powers of Appointment to Increase Asset Income

Springing the Delaware Tax Trap: Drafting Limited Powers of Appointment to Increase Asset Income

Presenting a live 90-minute webinar with interactive Q&A Springing the Delaware Tax Trap: Drafting Limited Powers of Appointment to Increase Asset Income Tax Basis TUESDAY, JUNE 28, 2016 1pm Eastern | 12pm Central | 11am Mountain

598 views • 27 slides
Criminal Justice Information System July 27, 2017 Hosting CT: CHIEF Update CISS Project

Criminal Justice Information System July 27, 2017 Hosting CT: CHIEF Update CISS Project

Criminal Justice Information System July 27, 2017 Hosting CT: CHIEF Update CISS Project Update Project Health Check 2 Status on CT: Chief Wethersfield, New Britain, and Enfield PDs are live Plainville PD Migration in

490 views • 24 slides
Community What Will it Take for Us to Transform the Dream Into Reality in Kalamazoo? Tim Ready

Community What Will it Take for Us to Transform the Dream Into Reality in Kalamazoo? Tim Ready

The Power of One Community What Will it Take for Us to Transform the Dream Into Reality in Kalamazoo? Tim Ready Lewis Walker Institute for the Study of Race and Ethnic Relations Western Michigan University Progress of Kalamazoos Ninth

480 views • 11 slides
An exploratory search for presentation contents based on slide semantic structure Article

An exploratory search for presentation contents based on slide semantic structure Article

See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/289298273 An exploratory search for presentation contents based on slide semantic structure Article January 2014 CITATIONS READS 0

112 views • 7 slides
PROCESS February 2016 Michelle Olson Greg Bean Jennifer Jolly SandieYamauchi Counselor (A-G)

PROCESS February 2016 Michelle Olson Greg Bean Jennifer Jolly SandieYamauchi Counselor (A-G)

COLLEGE SEARCH PROCESS February 2016 Michelle Olson Greg Bean Jennifer Jolly SandieYamauchi Counselor (A-G) Counselor (H-O) Counselor (P-Z) (Career Center) olsonm@wlwv.k12.or.us beang@wlwv.k12.or.us jollyj@wlwv.k12.or.us

562 views • 17 slides

More recommend