Understanding Security Threat Models and Behavioral Biases

Guest:

• Kelly Shortridge, Senior Principal Engineer in the Office of the CTO at Fastly

Topics:

•  So what is Security Chaos Engineering?

• “Chapter 5. Operating and Observing” is Anton’s favorite. One thing that mystifies me, however, is that you outline how to fail with alerts (send too many), but it is not entirely clear how to practically succeed with them? How does chaos engineering help security alerting / detection?

• How chaos engineering (or is it really about software resilience?)  intersects with Cloud security - is this peanut butter and chocolate or more like peanut butter and pickles?

• How can organizations get started with chaos engineering for software resilience and security?

• What is your favorite chaos engineering experiment that you have ever done?

• We often talk about using the SRE lessons for security, and yet many organizations do security the 1990s way. Are there ways to use chaos engineering as a forcing function to break people out of their 1990s thinking and time warp them to 2023?

Resources:

• Video (LinkedIn, YouTube)

• “Security Chaos Engineering: Sustaining Resilience in Software and Systems” by Kelly Shortridge, Aaron Rinehart

• “Cybersecurity Myths and Misconceptions” book

• “Designing Data-Intensive Applications: The Big Ideas Behind Reliable, Scalable, and Maintainable Systems“ book

• “Normal Accidents: Living with High-Risk Technologies” book

• “Deploy Security Capabilities at Scale: SRE Explains How” (ep85)

• “The Good, the Bad, and the Epic of Threat Detection at Scale with Panther” (ep123)

• “Can a Small Team Adopt an Engineering-Centric Approach to Cybersecurity?” (ep117)

• IKEA Effect

• “Modernizing SOC ... Introducing Autonomic Security Operations” blog