book

Security Chaos Engineering

by Aaron Rinehart, Kelly Shortridge

December 2020

Intermediate to advanced

90 pages

2h 14m

English

O'Reilly Media, Inc.

Read now

Unlock full access

The Greatest Teacher
The Foundation of ResilienceThings Will FailBenefits of SCE
Decision Trees for Threat ModelingDecision Tree Walkthrough: S3 Bucket with Customer DataOutthinking Your AdversariesGetting Started on Your Own Decision TreeIncident Retrospectives
Security TheaterSecurity Approval Patterns
What Is Alternative Analysis?Distributed Alternative Analysis The Security Champions Program
Failure in the Build PhaseApplication Security Failures in Containers and Image RepositoriesSecurity Failures in Build Pipelines
The DIE TriadFailure in Production SystemsSystem Failures in Production
Validate Known AssumptionsCrafting Security Chaos ExperimentsExperiment Design ProcessDocument Steady State Design HypothesisContain the Blast Radius Fallback Plans Notify the OrganizationPlan Your Game Days and Execute the ExperimentMeasure the Impact of Each Failure!Validate the Feedback Expected from Your Security and Visibility Tools Automate the Experiment for Continual Use Game DaysUse Case: Security ArchitectureUse Case: Security MonitoringGaining New Insights with SCEUse Case: Incident ResponseSCE Tools: ChaoSlingrSCE Tools: CloudStrike
Case Study: Applied Security—Cardinal HealthBuilding the SCE CultureThe Mission of Applied Security The Method: Continuous Verification and ValidationCase Study: Cyber Chaos Engineering—Capital One Enter SCE Leadership Buy-In

Content preview from Security Chaos Engineering

Chapter 8. Case Studies

There is a growing community of security practitioners and organizations who are both advocating SCE and developing experiments through open source and other community initiatives. The following chapter shares a handful of case studies from organizations that have successfully implemented SCE as a practice within their security programs.

Case Study: Applied Security—Cardinal Health

Authored by Jamie Dicken, Cardinal Health and Rob Duhart Jr., Google

The need for SCE grew organically at Cardinal Health, a global Fortune 20 health-care products and services company based in Dublin, Ohio. With revenue of over $140 billion, Cardinal plays a critical role in the health-care ecosystem.

At the executive level, securing the company’s distribution centers, operations, products, and information was critical—not just for the company’s reputation but for the stability of the United States health-care system. In addition to investing in teams to advise on and implement security controls, they authorized purchases of security products and tools to protect the business, totaling millions of dollars. With such large investments, executives logically held high expectations for their effectiveness.

The SCE journey at Cardinal Health arose not only from the executive needs for security validation but from the Security Architecture team as well. That team, led by Robert Duhart, knew that theoretical security architecture would not protect an organization sprinting to the ...