• Insight
  • Security

Embracing the chaos to reduce unknown unknowns

By Methods4 November 20212 min read

Embrace the chaos are not normally words you would associate with predicting cyber-attacks and stopping hackers from infiltrating your systems. At Methods however, we ’embrace the chaos” of the principles of Security Chaos Engineering – the technique of using controlled experiments to discover flaws in complex, distributed systems before problems happen.

Whilst many organisations apply the principles of DevOps and Site Reliability Engineering (SRE) to bring security programs into architectural and organisational alignment, the challenge continues as we move towards more complex, distributed systems and can threaten the ability of teams to model and keep pace with your own systems development.

Security chaos engineering principles are not meant to replace Red, Purple team or other security methodologies that provide value, but instead prepare products and platforms for an adverse event. In a highly distributed multi-cloud architecture, the development of security threat models help build confidence in the system’s capability to withstand cyber-attacks. Our simulations include using the MITRE ATT&CK knowledge base of adversary tactics and techniques based on real-world observations, and in combination with Threat Modelling techniques develop adaptive simulations that can adjust TTPs (tactics, techniques, and procedures) in response to behaviours or failures or actions that often seem to characterise cyber incidents.

The benefits of these simulations and associated Threat Models helps organisations identify many more potential points of failure ensuring the new services developed and deployed are resilient and reliable.

Chaos engineering is the process of testing a distributed computing system to ensure that it can withstand unexpected disruptions – all credit to the team at Netflix who identified the real business value in this practice, now evangelised by so many other companies including Microsoft, Google, Facebook and Hashicorp etc.

Embrace the chaos is the methodology to assess and increase observability, moving security from subjective assessment into objective measurement. As they do in the DevOps world, chaos experiments enable our security teams to reduce the “unknown unknowns” and over time, replace “known unknowns” with information that can drive improvements to security posture.