Wednesday

Room 2

15:00 - 16:00

(UTC+01)

Talk (60 min)

Optimizing Cloud Detection & Response With Security Chaos Engineering

Cloud Detection and Response (CDR) is an evolving approach to proactively defending cloud infrastructure against cyber-attacks. CDR takes many approaches from traditional Threat Detection and Incident Response (TDIR) and applies them to cloud-native infrastructure. This allows for optimized strategies specifically designed to fit the cloud-native threat landscape, given the limitations of traditional TDIR in cloud-native infrastructure.

Cloud Security
Experience report
Testing
Tools

CDR strategies combine cloud threat detection and incident response by employing several techniques, including active monitoring, log analytics, threat intelligence, incident response, forensic analysis, and threat analysis. This enables security teams to be more agile and productive; hence CDR is rapidly becoming an essential tool for teams focused on protecting cloud-native infrastructure, including detection engineers, cloud security engineers, cloud incident responders, and SOC teams.

However, enabling efficient CDR strategies is challenging for several reasons, including cloud complexity, insufficient expertise, and cloud misconfiguration. These challenges often lead to blind spots: some cloud attacks are not detected, leading to successful compromises. Furthermore, the ephemerality of cloud resources requires continuous assessment, validation, and configuration of CDR to align with the evolving threat landscape. This level of security validation is challenging for most teams, and there are hardly any solutions that can be easily leveraged.

Security Chaos Engineering (SCE) is an evolving approach to cyber security that employs empirical evaluation of security controls to proactively gain evidence about their effectiveness via quick feedback loops. These feedback loops, a core element of systems thinking, allow for quick analysis and adaptation of security systems to stay ahead of cyber attacks. SCE is aligned with cloud-native infrastructure, given its roots in chaos engineering, a discipline Netflix formulated as part of its digital transformation process over a decade ago. Consequently, SCE empowers cloud security teams to quickly and continuously evaluate CDR efficiently in a variety of ways.

This talk provides practical steps and examples based on a hybrid CDR system consisting of AWS GuardDuty, AWS Detective, and Datadog Cloud SIEM. Security chaos engineering experiments are conducted using the Mitigant Cloud Immunity platform, which is the first of its kind. Using the examples, we demonstrate how CDR systems can miss malicious patterns, including those defined in the MITRE ATT&CK library. The talk provides recommendations on how to remediate these blind spots to enhance CDR systems' efficiency.
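The feedback loop the abstract describes (run a harmless experiment against a known resource, see which detections the CDR stack actually raised, flag the gaps) can be sketched as a small evaluator. The block below is an added illustration and is not code from the talk, from Mitigant, or from any of the named products; the experiment names, resource labels, finding types and timestamps are all constructed, and the correlation rule (same target resource, finding timestamp within the experiment window plus a grace period) is a simplifying assumption rather than how any specific CDR product correlates events.

```python
"""Added example: a minimal SCE feedback loop for a CDR stack.

Each experiment declares the finding types the detection layers are expected
to raise. Findings observed afterwards are correlated to experiments by target
resource and time window; anything expected but not observed is a blind spot.
Every identifier and value below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Experiment:
    name: str            # hypothetical experiment identifier
    tactic: str          # hypothetical ATT&CK-style tactic label
    resource: str        # resource the experiment acts on (constructed label)
    start: int           # epoch seconds, experiment begins
    end: int             # epoch seconds, experiment ends
    expected: frozenset  # finding types the CDR stack should raise


@dataclass
class Outcome:
    expected: Set[str]
    observed: Set[str]

    @property
    def hit(self) -> Set[str]:
        return self.expected & self.observed

    @property
    def missed(self) -> Set[str]:
        return self.expected - self.observed


def correlate(experiments: Iterable[Experiment], findings: Iterable[dict],
              grace: int = 300) -> Dict[str, Set[str]]:
    """Attribute findings to experiments by resource and time window.

    A finding that arrives later than `grace` seconds after the experiment
    ended is treated as not detected: a detection that lands after the
    responder needed it is a blind spot in practice.
    """
    observed: Dict[str, Set[str]] = {e.name: set() for e in experiments}
    for f in findings:
        for e in experiments:
            if f["resource"] == e.resource and e.start <= f["ts"] <= e.end + grace:
                observed[e.name].add(f["type"])
    return observed


def evaluate(experiments: List[Experiment], findings: List[dict],
             grace: int = 300) -> Dict[str, Outcome]:
    observed = correlate(experiments, findings, grace)
    return {e.name: Outcome(set(e.expected), observed[e.name]) for e in experiments}


def coverage(results: Dict[str, Outcome]) -> float:
    """Fraction of all expected findings that were actually raised in time."""
    expected = sum(len(o.expected) for o in results.values())
    hit = sum(len(o.hit) for o in results.values())
    return hit / expected if expected else 1.0


def blind_spots(results: Dict[str, Outcome]) -> List[str]:
    """Experiments with at least one expected finding missing."""
    return sorted(name for name, o in results.items() if o.missed)


# Constructed experiment catalogue: names, tactics, resources and finding
# types are illustrative placeholders, not real product finding types.
EXPERIMENTS = [
    Experiment("sce-001-iam-key-exfil", "Credential Access", "iam-user/chaos-tester",
               1000, 1100, frozenset({"CredentialLeak:IAMKey", "Anomaly:NewGeoLogin"})),
    Experiment("sce-002-s3-public-acl", "Exfiltration", "s3/chaos-bucket",
               2000, 2100, frozenset({"Policy:S3PublicAccess"})),
    Experiment("sce-003-sg-open-ssh", "Initial Access", "sg/chaos-sg",
               3000, 3100, frozenset({"Policy:SecurityGroupOpen"})),
]

# Constructed findings as a CDR stack might emit them after the experiments ran.
FINDINGS = [
    {"ts": 1150, "source": "detector-a", "resource": "iam-user/chaos-tester",
     "type": "CredentialLeak:IAMKey"},                         # on time
    {"ts": 1050, "source": "detector-a", "resource": "iam-user/other",
     "type": "CredentialLeak:IAMKey"},                         # unrelated resource
    {"ts": 2050, "source": "siem-b", "resource": "s3/chaos-bucket",
     "type": "Policy:S3PublicAccess"},                         # on time
    {"ts": 3600, "source": "siem-b", "resource": "sg/chaos-sg",
     "type": "Policy:SecurityGroupOpen"},                      # too late
]


def run_round() -> Dict[str, Outcome]:
    return evaluate(EXPERIMENTS, FINDINGS)


if __name__ == "__main__":
    results = run_round()
    for name, o in results.items():
        print(f"{name}: hit={sorted(o.hit)} missed={sorted(o.missed)}")
    print(f"coverage={coverage(results):.2f} blind_spots={blind_spots(results)}")
```

Running the round on the constructed data attributes two of the four expected findings correctly and reports two blind spots: one detection type never fired for the credential experiment, and the security-group detection fired but only 500 seconds after the experiment ended, outside the grace window. Re-running the same catalogue after tuning the detection rules is the "quick feedback loop" the abstract refers to; the coverage figure is what you would track over time.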

Kennedy Torkura

Kennedy is a cybersecurity researcher, cloud security engineer and the CTO/Co-Founder at Mitigant. He has spent over 11 years in cybersecurity and is passionate about exploring the intersection of security chaos engineering, incident response, risk analysis and threat detection in cloud security. He has published more than 20 academic papers about several cloud security domains and was a contributing author in the first O'Reilly book on Security Chaos Engineering. He is also a third-time member of the AWS Community Builder Program and has spoken at various international conferences including KubeCon (Cloud Native Security Day), Conf42 Chaos Engineering, ChaosCarnival, and BSides Berlin.