ChaoSlingr introduces the discipline of security testing into chaos engineering with the focus on driving failure out of the model and going beyond the reactive processes that currently dominate traditional security testing methodology. (Source: RSA Conference USA 2018)

1. SESSION ID:
#RSAC
Aaron Rinehart
ChaoSlingr: Introducing Security-Based
Chaos Testing
CSV-W04
Chief Enterprise Security Architect
UnitedHealth Group
Grayson Brewer
IT Security Consultant
UnitedHealth Group

2. #RSAC
Security + Chaos = Security Experimentation
2

3. #RSAC
About Aaron
3

4. #RSAC
About Grayson
4

5. #RSAC
Overview UnitedHealth Group
5

6. #RSAC
Outline
6

7. #RSAC
A Tool to Build or a Weapon to Destroy?
7

8. #RSAC
The Reality is…...
8

9. #RSAC
Failure is Necessary
9

10. #RSAC
10

11. #RSAC
Revisiting the Problem
11

12. #RSAC
Where do Security Failures come from?
12

13. #RSAC
The Gap b/t Modern Software & Security
13

14. #RSAC
Distributed Systems Are Tricky
14

15. #RSAC
Distributed Systems Are Tricky
15

16. #RSAC
Don't Drift into the Unknown
16

17. #RSAC
Ask Better Questions
17

18. #RSAC
Ask yourself……...
18

19. #RSAC
Ask yourself……...
19

20. #RSAC
Ask yourself……...
20

21. #RSAC
So in fact do we identify Security Failures?
21

22. #RSAC
Its toooooo late…..
22

23. #RSAC
It worked for Rebel Alliance but not here
23

24. #RSAC
Build Confidence through Instrumentation
24

25. #RSAC
What is Chaos Engineering?
25

26. #RSAC
A brief history of Chaos
26

27. SecurityExperimentationSecurityExperimentation
THENEWPLAYBOOK

28. #RSAC
Do Less, Better
28

29. #RSAC
The New Playbook
29

30. #RSAC
What's the Difference?
30
• Testing is assessment or validation of an expected
outcome
• Experimentation seeks to derive new insights and
information that were previously unknown

31. #RSAC
Security Experimentation: A Definition
31

32. #RSAC
32
• Drive out failure.
• Observe failure.
• Learn from failure.
• Build resilient systems.
Be Objective & Use Failure as a Tool

33. #RSAC
Build a Learning Culture
33

34. #RSAC
Why do it?
34
• Build Confidence in Security Measures
• Strengthen Incident Management
• Measure Incident Response Readiness
• Identify Security Failures within the Security Control Plane
• Proactively Detect Security Failures
• Measure Investments in Security Technology

35. #RSAC
GameDays + Post Mortem
35

36. #RSAC
Value of Game Day Exercises
36
• Provides Objective Measurement for Security Incident Response
• Identify Control Coverage Gaps
• Keeping the Team Sharp and “Battle Ready”
• Learn how your Security Really Works vs. How you Assume it Works.
“If you’re not cultivating a Learning Culture,
you wIll probably end up losing to someone
else who is.”

37. #RSAC
Open Source Security Experimentation Tool
37

38. #RSAC
So, eh, what is it exactly
38

39. #RSAC
FYI ChaoSlingr is on Github (FREE!)
39

40. #RSAC
An Example Experiment Using ChaoSlingr
40

41. #RSAC
An Example Security Experiment
41

42. #RSAC
How the experiment works
42

43. #RSAC
Summary: Takeaways
43
• Security Problems in
Distributed Systems
• Chaos Engineering
• Security Experimentation
• ChaoSlingr: Open Source Tool
• Think Differently, Be Objective

44. #RSAC
Apply What You Have Learned Today
44
• Next week you should:
• Start asking yourself the Right Questions
• Go to Github and check out ChaoSlingr
• Find out if your organization has an Site Reliability Engineer and tell them what you learned in this talk.
• In the first three months following this presentation you should:
• Conduct your first GameDay Exercise and manual Security Chaos Experiment
• Attend a Chaos Engineering Community Event near you
• Within six months you should:
• Write your own experiments for ChaoSlingr or your own tool.
• Run your first automated Security Chaos Experiment

45. #RSAC
The New Normal: Continuous Evolution
45

46. #RSAC
Questions
@aaronrinehart
@BrewerSecurity
Hit us with some questions