Controlled Chaos: The Inevitable Marriage of DevOps & Security

Conference:  BlackHat USA 2019



The presentation discusses the importance of ephemerality, immutability, and resilience in cybersecurity and DevOps.
  • Ephemerality raises the attacker bar by design and reduces risk
  • Mean time between failure is an unrealistic metric and prioritizing failure is important
  • Game days and continuous defense are essential for resilience
  • Immutable systems restrict user modification and force attackers to stay in memory
  • Testing for ephemerality involves statelessness, reverse uptime, and throughput
The presenter suggests creating a 'bamboozle layer' in a docker container filled with enticing garbage files that will trigger an automated shutdown if an attacker attempts to write to them, ruining the attacker's day.


We've all heard "software is eating the world" – that most organizations are becoming software organizations in some form. In this new era, DevOps rises as the engine of the business, and organizations resisting its ascension empirically fall behind. Those in information security often view DevOps as demons by another name and assume that if they aren't a hyperscale tech organization, they can safely ignore these trends. In reality, information security has a choice: marry with their DevOps colleagues and embrace the philosophy of controlled chaos, or eventually be shoved aside, descending into impotence and irrelevancy. In this session, we'll explain the basics of DevOps and the concepts of resilience and chaos engineering. Using large-scale survey data, we'll illuminate which factors determine whether an organization is "elite" in this software-dominant world. We'll then uncover how DevOps' priorities and goals aren't so dissimilar from modern infosec's goals. We'll delve into implications for security programs, particularly the shift from security for its own sake to security as an enabler of business objectives. Then, we'll expose why chaos and resilience engineering represents the future of security programs – and why it catalyzes the dawn of defensive innovation. We'll show how chaos and resilience fit with the C.I.A. triad and why the D.I.E. triad of distributed, immutable, and ephemeral might be the model of the future. Focusing on practical implementation, we'll examine metrics, GameDays, and existing resiliency tools that security teams can adopt and extend to meet their goals. Finally, we'll propose pragmatic approaches for security teams to make a marriage to DevOps last through a love of controlled chaos. We'll conclude by discussing partnership opportunities with DevOps to support the organization on its path to leetness – and to transform security from a frustrating cost center to a lean, mean, innovation machine.