#chaosday19 @aaronrinehart now talking about security precognition

#chaosday19 @aaronrinehart : We're going to be covering a LOT of stuff during this talk. Our systems have grown beyond our ability to grok them.

#chaosday19 @aaronrinehart case in point here’s Vizceral

#chaosday19 @aaronrinehart : when it comes to security we're still (unfortunately) managing failure as a human factor issue

#chaosday19 @aaronrinehart : With all the complexity in our systems can we simplify it? Depends on the type. There's accidental complexity and essential (feature driven) complexity.

#chaosday19 @aaronrinehart : "As the complexity of a system increases, the accuracy of any single agent's own model of that system decreases" - @ddwoods2 [ed: I've read articles preaching the 'death of the all knowing architect' because of this factor]

#chaosday19 @aaronrinehart : Failure still happens with security!

#chaosday19 @aaronrinehart : "As I've gotten deeper into Resilience Engineering I've gotten more and more scared of how much software is taking over and how little we know about our systems" [ed: I think it's important to consider the system including both software and humans]

#chaosday19 @aaronrinehart : Security incidents are subjective in nature. We really don't know very much. Have to answer questions like 'where? why? who? when? how?

#chaosday19 @aaronrinehart : When security incidents happen things go a bit crazy. Security hasn't quite caught up to SRE types of concepts for incident response, recovery, and reflection. [ed: I'd attribute the blamelessness more to Human Factors studies and IT maturity here]

#chaosday19 @aaronrinehart : People operate differently when they expect things to fail. [ed: to me one of the holy grails of Chaos is the ability to update our mental model of not just how our compute systems operate but also our people coordination, communication and action]

Adding this to my reading list #chaosday19 @aaronrinehart

#chaosday19 @aaronrinehart : Sabotage is rare (if you have internal security issues, you don't have a security problem you have an HR problem!)

#chaosday19 @aaronrinehart : Moving on to ChaosSlingr an OSS tool for security chaos.

#chaosday19 @aaronrinehart : Q&A Time - what's the difference between pen test and chaos security test? Traditional security tools are very noisy. This is a bit more structured and formulaic.

#chaosday19 @aaronrinehart : How do you create a blameless culture? Security is a bit different and is a bit behind the curve. There's no such thing as root cause (*applause*) or human error

#chaosday19 @aaronrinehart : Explain a bit more on flipping post-mortem to preparation. Usually a multitude of things for security incident in the wild. Sometimes difficult to understand how we got to where we were. Focused approach to chaos helps provide structure.