SlideShare a Scribd company logo

Threat Modeling in the Cloud

P
Paige Cruz

Threat modeling is a key part of securing your cloud computing environment and is unique to each organization's people, practices and processes. Without a threat model you could end up going on wild goose chases and miss the forest for the trees. This talk will introduce the concept of threat modeling including how to get started, guiding questions and recap findings from the Argo Project Threat Model from 2021. Learn how and why to start threat modeling today!

Technology
1 of 52
Download to read offline
Threat Modeling in the ☁ Paige Cruz @paigerduty
What threats are likely for a vending machine?
Your threat model is not my threat model: Hospital edition 🏥
4
5 Warning Do not use endoscopy equipment to steal chocolate from this vending machine.
What is threat modeling?
A structured process to identify security requirements, pinpoint threats and potential vulnerabilities, quantify threat and vulnerability criticality and prioritize remediation methods. The Official ™ Definition 7
“ Threat modeling is a conversation. - Matthew Coles Sr Principal Product Security Eng @ Dell 8 Real World Definition
Guiding Questions 9 What are we working on?
Guiding Questions 10 What are we working on? What can go wrong?
Guiding Questions 11 What are we working on? What can go wrong? What are we going to do about it?
Guiding Questions 12 What are we working on? What can go wrong? What are we going to do about it? Did we do a good enough job?
13 ✨ ✨
14 Architect
15 Architect Software Developer
16 Architect Software Developer Customer Support
17 Architect Software Developer Customer Support Quality Assurance (QA)
18 Architect Software Developer Customer Support Quality Assurance (QA) Tech Writer
19
Threat Modeling in the Cloud ☁
Which make up the top 3 cloud threats? ⬡ Weak Control Plane ⬡ Account Hijacking ⬡ Data Breaches ⬡ Insufficient IAM and Key Management ⬡ Metastructure + Applistructure Failures ⬡ Abuse + Nefarious Use of Cloud Services 21 ⬡ Insecure Interfaces + APIs ⬡ Insider Threat ⬡ Misconfiguration and Inadequate Change Control ⬡ Lack of Cloud Security Architecture + Strategy ⬡ Limited Cloud Usage Visibility
Which make up the top 3 cloud threats? ⬡ Weak Control Plane ⬡ Account Hijacking ⬡ Data Breaches ⬡ Insufficient IAM and Key Management ⬡ Metastructure + Applistructure Failures ⬡ Abuse + Nefarious Use of Cloud Services 22 ⬡ Insecure Interfaces + APIs ⬡ Insider Threat ⬡ Misconfiguration and Inadequate Change Control ⬡ Lack of Cloud Security Architecture + Strategy ⬡ Limited Cloud Usage Visibility
Which make up the top 3 cloud threats? ⬡ Weak Control Plane ⬡ Account Hijacking ⬡ Data Breaches ⬡ Insufficient IAM and Key Management ⬡ Metastructure + Applistructure Failures ⬡ Abuse + Nefarious Use of Cloud Services 23 ⬡ Insecure Interfaces + APIs ⬡ Insider Threat ⬡ Misconfiguration and Inadequate Change Control ⬡ Lack of Cloud Security Architecture + Strategy ⬡ Limited Cloud Usage Visibility
Which make up the top 3 cloud threats? ⬡ Weak Control Plane ⬡ Account Hijacking ⬡ Data Breaches ⬡ Insufficient IAM and Key Management ⬡ Metastructure + Applistructure Failures ⬡ Abuse + Nefarious Use of Cloud Services 24 ⬡ Insecure Interfaces + APIs ⬡ Insider Threat ⬡ Misconfiguration and Inadequate Change Control ⬡ Lack of Cloud Security Architecture + Strategy ⬡ Limited Cloud Usage Visibility
25
26
27 🙃 🤨 😬
28 “If Defendant had disclosed the full extent of the breach in August instead of waiting months, Plaintiff/Class would have been on heightened alert and changed passwords to avoid theft that ensued.”
29
30
31
32 👀 👀 👀 👀 👀
33
Case Study
“While Argo services often support various risk or threat prevention methods, these are frequently under-documented or are provided on an opt-in basis rather than default - Argo Project Threat Model 35
36
37
Minimal Service Documentation: Argo 38
Threat Modeling and You ✨
40 1 Identify 1 feature or service to begin threat modeling
41 1 2 Identify 1 feature or service to begin threat modeling Schedule a meeting. Agenda: The 4 Guiding Questions
42 1 3 2 Identify 1 feature or service to begin threat modeling Send pre-read of the Threat Modeling Manifesto Schedule a meeting. Agenda: The 4 Guiding Questions
43 1 3 4 2 Identify 1 feature or service to begin threat modeling Send pre-read of the Threat Modeling Manifesto Schedule a meeting. Agenda: The 4 Guiding Questions Ensure minimal service documentation
44 1 3 5 4 2 Identify 1 feature or service to begin threat modeling Send pre-read of the Threat Modeling Manifesto Assign a scribe and facilitator for the meeting Schedule a meeting. Agenda: The 4 Guiding Questions Ensure minimal service documentation
45 1 3 5 6 4 2 Identify 1 feature or service to begin threat modeling Send pre-read of the Threat Modeling Manifesto Assign a scribe and facilitator for the meeting Schedule a meeting. Agenda: The 4 Guiding Questions Ensure minimal service documentation Rinse and repeat
Case Study
47 2019 Data Exposure
Threat Modeling is a conversation
Further Resources ⬡ Threat Modeling Manifesto ⬡ OWASP Top Ten Web App Security Risks ⬡ Hiding Malware in Docker Desktop <- srsly a hilarious and informative read ⬡ MITRE ATT&CK adversarial knowledge base 101 blog post 49
Minimal Service Documentation ⬡ How does the service work? ⬡ Are there any subcomponents or shared boundaries? ⬡ What communication protocols does it use? ⬡ Where does it store data? ⬡ What is the most sensitive data it stores? 50
1. Data Breaches 2. Misconfiguration and Inadequate Change Control 3. Lack of Cloud Security Architecture + Strategy 4. Insufficient IAM and Key Management 5. Account Hijacking 6. Insider Threat 7. Insecure Interfaces + APIs 8. Weak Control Plane 9. Metastructure + Applistructure Failures 10. Limited Cloud Usage Visibility 11. Abuse + Nefarious Use of Cloud Services 51
52 Let’s Chat @ CNCF Booth G3 Friday, 2:20 - 3:20 paigerduty.com ★ @chronosphere.io ★ @hachyderm.io

Recommended

Security Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsSecurity Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsYulian Slobodyan
 
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...robbiesamuel
 
Adversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEAdversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEJorge Orchilles
 
Security engineering 101 when good design & security work together
Security engineering 101 when good design & security work togetherSecurity engineering 101 when good design & security work together
Security engineering 101 when good design & security work togetherWendy Knox Everette
 
Null bachav
Null bachavNull bachav
Null bachavNaga Venkata Sunil Alamuri
 
Azure Security.pdf
Azure Security.pdfAzure Security.pdf
Azure Security.pdfCloudthat Technologies Private
 
Azure security
Azure securityAzure security
Azure securityCloudthat Technologies Private
 
Alfresco Virtual DevCon 2020 - Security First!
Alfresco Virtual DevCon 2020 - Security First!Alfresco Virtual DevCon 2020 - Security First!
Alfresco Virtual DevCon 2020 - Security First!Jason Jolley
 

Recommended

Security Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsSecurity Training: #3 Threat Modelling - Practices and Tools
Security Training: #3 Threat Modelling - Practices and ToolsYulian Slobodyan
 
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...
Boardroom to War Room: Practical Application of the NIST Cybersecurity Frame...robbiesamuel
 
Adversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEAdversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEJorge Orchilles
 
Security engineering 101 when good design & security work together
Security engineering 101 when good design & security work togetherSecurity engineering 101 when good design & security work together
Security engineering 101 when good design & security work togetherWendy Knox Everette
 
Null bachav
Null bachavNull bachav
Null bachavNaga Venkata Sunil Alamuri
 
Azure Security.pdf
Azure Security.pdfAzure Security.pdf
Azure Security.pdfCloudthat Technologies Private
 
Azure security
Azure securityAzure security
Azure securityCloudthat Technologies Private
 
Alfresco Virtual DevCon 2020 - Security First!
Alfresco Virtual DevCon 2020 - Security First!Alfresco Virtual DevCon 2020 - Security First!
Alfresco Virtual DevCon 2020 - Security First!Jason Jolley
 
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdfFor Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdfJustinBrown267905
 
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptxEmphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptxlior mazor
 
12 Crucial Windows Security Skills for 2018
12 Crucial Windows Security Skills for 201812 Crucial Windows Security Skills for 2018
12 Crucial Windows Security Skills for 2018Paula Januszkiewicz
 
The Anatomy of a Cloud Security Breach
The Anatomy of a Cloud Security BreachThe Anatomy of a Cloud Security Breach
The Anatomy of a Cloud Security BreachCloudLock
 
Software Security in the Real World
Software Security in the Real WorldSoftware Security in the Real World
Software Security in the Real WorldMark Curphey
 
DevSecOps: Security at the Speed of DevOp
DevSecOps: Security at the Speed of DevOpDevSecOps: Security at the Speed of DevOp
DevSecOps: Security at the Speed of DevOpVMware Tanzu
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)abhimanyubhogwan
 
Threat Modelling
Threat ModellingThreat Modelling
Threat Modellingn|u - The Open Security Community
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)Scott Sutherland
 
Unlocking AI Potential: Leveraging PIA Processes for Comprehensive Impact Ass...
Unlocking AI Potential: Leveraging PIA Processes for Comprehensive Impact Ass...Unlocking AI Potential: Leveraging PIA Processes for Comprehensive Impact Ass...
Unlocking AI Potential: Leveraging PIA Processes for Comprehensive Impact Ass...TrustArc
 
Cybersecurity in Low-Risk Organizations: Understanding Your Risk and Making P...
Cybersecurity in Low-Risk Organizations: Understanding Your Risk and Making P...Cybersecurity in Low-Risk Organizations: Understanding Your Risk and Making P...
Cybersecurity in Low-Risk Organizations: Understanding Your Risk and Making P...TechSoup
 
Threat Modeling to Reduce Software Security Risk
Threat Modeling to Reduce Software Security RiskThreat Modeling to Reduce Software Security Risk
Threat Modeling to Reduce Software Security RiskSecurity Innovation
 
How to Raise Cyber Risk Awareness and Management to the C-Suite
How to Raise Cyber Risk Awareness and Management to the C-SuiteHow to Raise Cyber Risk Awareness and Management to the C-Suite
How to Raise Cyber Risk Awareness and Management to the C-SuiteSurfWatch Labs
 
What i learned at issa international summit 2019
What i learned at issa international summit 2019What i learned at issa international summit 2019
What i learned at issa international summit 2019Ulf Mattsson
 
Application Hackers Have A Handbook. Why Shouldn't You?
Application Hackers Have A Handbook. Why Shouldn't You?Application Hackers Have A Handbook. Why Shouldn't You?
Application Hackers Have A Handbook. Why Shouldn't You?London School of Cyber Security
 
VMworld 2013: Using The Cloud Compass to Evaluate Technology Risk in Cloud De...
VMworld 2013: Using The Cloud Compass to Evaluate Technology Risk in Cloud De...VMworld 2013: Using The Cloud Compass to Evaluate Technology Risk in Cloud De...
VMworld 2013: Using The Cloud Compass to Evaluate Technology Risk in Cloud De...VMworld
 
4MANUAL OVERVIEW5SECTION 1Introduction Welcome.docx
4MANUAL OVERVIEW5SECTION 1Introduction Welcome.docx4MANUAL OVERVIEW5SECTION 1Introduction Welcome.docx
4MANUAL OVERVIEW5SECTION 1Introduction Welcome.docxalinainglis
 
Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-
Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-
Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-WilheminaRossi174
 
Security Fundamentals and Threat Modelling
Security Fundamentals and Threat ModellingSecurity Fundamentals and Threat Modelling
Security Fundamentals and Threat ModellingKnoldus Inc.
 
Power Up with Podman - Kubernetes Community Day LA
Power Up with Podman - Kubernetes Community Day LAPower Up with Podman - Kubernetes Community Day LA
Power Up with Podman - Kubernetes Community Day LAPaige Cruz
 
99.99% of Your Traces Are (Probably) Trash (SRECon NA 2024).pdf
99.99% of Your Traces Are (Probably) Trash (SRECon NA 2024).pdf99.99% of Your Traces Are (Probably) Trash (SRECon NA 2024).pdf
99.99% of Your Traces Are (Probably) Trash (SRECon NA 2024).pdfPaige Cruz
 

More Related Content

Similar to Threat Modeling in the Cloud

For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdfFor Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdfJustinBrown267905
 
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptxEmphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptxlior mazor
 
12 Crucial Windows Security Skills for 2018
12 Crucial Windows Security Skills for 201812 Crucial Windows Security Skills for 2018
12 Crucial Windows Security Skills for 2018Paula Januszkiewicz
 
The Anatomy of a Cloud Security Breach
The Anatomy of a Cloud Security BreachThe Anatomy of a Cloud Security Breach
The Anatomy of a Cloud Security BreachCloudLock
 
Software Security in the Real World
Software Security in the Real WorldSoftware Security in the Real World
Software Security in the Real WorldMark Curphey
 
DevSecOps: Security at the Speed of DevOp
DevSecOps: Security at the Speed of DevOpDevSecOps: Security at the Speed of DevOp
DevSecOps: Security at the Speed of DevOpVMware Tanzu
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)abhimanyubhogwan
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)Scott Sutherland
 
Unlocking AI Potential: Leveraging PIA Processes for Comprehensive Impact Ass...
Unlocking AI Potential: Leveraging PIA Processes for Comprehensive Impact Ass...Unlocking AI Potential: Leveraging PIA Processes for Comprehensive Impact Ass...
Unlocking AI Potential: Leveraging PIA Processes for Comprehensive Impact Ass...TrustArc
 
Cybersecurity in Low-Risk Organizations: Understanding Your Risk and Making P...
Cybersecurity in Low-Risk Organizations: Understanding Your Risk and Making P...Cybersecurity in Low-Risk Organizations: Understanding Your Risk and Making P...
Cybersecurity in Low-Risk Organizations: Understanding Your Risk and Making P...TechSoup
 
Threat Modeling to Reduce Software Security Risk
Threat Modeling to Reduce Software Security RiskThreat Modeling to Reduce Software Security Risk
Threat Modeling to Reduce Software Security RiskSecurity Innovation
 
How to Raise Cyber Risk Awareness and Management to the C-Suite
How to Raise Cyber Risk Awareness and Management to the C-SuiteHow to Raise Cyber Risk Awareness and Management to the C-Suite
How to Raise Cyber Risk Awareness and Management to the C-SuiteSurfWatch Labs
 
What i learned at issa international summit 2019
What i learned at issa international summit 2019What i learned at issa international summit 2019
What i learned at issa international summit 2019Ulf Mattsson
 
VMworld 2013: Using The Cloud Compass to Evaluate Technology Risk in Cloud De...
VMworld 2013: Using The Cloud Compass to Evaluate Technology Risk in Cloud De...VMworld 2013: Using The Cloud Compass to Evaluate Technology Risk in Cloud De...
VMworld 2013: Using The Cloud Compass to Evaluate Technology Risk in Cloud De...VMworld
 
4MANUAL OVERVIEW5SECTION 1Introduction Welcome.docx
4MANUAL OVERVIEW5SECTION 1Introduction Welcome.docx4MANUAL OVERVIEW5SECTION 1Introduction Welcome.docx
4MANUAL OVERVIEW5SECTION 1Introduction Welcome.docxalinainglis
 
Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-
Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-
Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-WilheminaRossi174
 
Security Fundamentals and Threat Modelling
Security Fundamentals and Threat ModellingSecurity Fundamentals and Threat Modelling
Security Fundamentals and Threat ModellingKnoldus Inc.
 

Similar to Threat Modeling in the Cloud (20)

For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdfFor Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
 
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptxEmphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
 
12 Crucial Windows Security Skills for 2018
12 Crucial Windows Security Skills for 201812 Crucial Windows Security Skills for 2018
12 Crucial Windows Security Skills for 2018
 
The Anatomy of a Cloud Security Breach
The Anatomy of a Cloud Security BreachThe Anatomy of a Cloud Security Breach
The Anatomy of a Cloud Security Breach
 
Software Security in the Real World
Software Security in the Real WorldSoftware Security in the Real World
Software Security in the Real World
 
DevSecOps: Security at the Speed of DevOp
DevSecOps: Security at the Speed of DevOpDevSecOps: Security at the Speed of DevOp
DevSecOps: Security at the Speed of DevOp
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)
 
Threat Modelling
Threat ModellingThreat Modelling
Threat Modelling
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)How to Build and Validate Ransomware Attack Detections (Secure360)
How to Build and Validate Ransomware Attack Detections (Secure360)
 
Unlocking AI Potential: Leveraging PIA Processes for Comprehensive Impact Ass...
Unlocking AI Potential: Leveraging PIA Processes for Comprehensive Impact Ass...Unlocking AI Potential: Leveraging PIA Processes for Comprehensive Impact Ass...
Unlocking AI Potential: Leveraging PIA Processes for Comprehensive Impact Ass...
 
Cybersecurity in Low-Risk Organizations: Understanding Your Risk and Making P...
Cybersecurity in Low-Risk Organizations: Understanding Your Risk and Making P...Cybersecurity in Low-Risk Organizations: Understanding Your Risk and Making P...
Cybersecurity in Low-Risk Organizations: Understanding Your Risk and Making P...
 
Threat Modeling to Reduce Software Security Risk
Threat Modeling to Reduce Software Security RiskThreat Modeling to Reduce Software Security Risk
Threat Modeling to Reduce Software Security Risk
 
How to Raise Cyber Risk Awareness and Management to the C-Suite
How to Raise Cyber Risk Awareness and Management to the C-SuiteHow to Raise Cyber Risk Awareness and Management to the C-Suite
How to Raise Cyber Risk Awareness and Management to the C-Suite
 
What i learned at issa international summit 2019
What i learned at issa international summit 2019What i learned at issa international summit 2019
What i learned at issa international summit 2019
 
Application Hackers Have A Handbook. Why Shouldn't You?
Application Hackers Have A Handbook. Why Shouldn't You?Application Hackers Have A Handbook. Why Shouldn't You?
Application Hackers Have A Handbook. Why Shouldn't You?
 
VMworld 2013: Using The Cloud Compass to Evaluate Technology Risk in Cloud De...
VMworld 2013: Using The Cloud Compass to Evaluate Technology Risk in Cloud De...VMworld 2013: Using The Cloud Compass to Evaluate Technology Risk in Cloud De...
VMworld 2013: Using The Cloud Compass to Evaluate Technology Risk in Cloud De...
 
4MANUAL OVERVIEW5SECTION 1Introduction Welcome.docx
4MANUAL OVERVIEW5SECTION 1Introduction Welcome.docx4MANUAL OVERVIEW5SECTION 1Introduction Welcome.docx
4MANUAL OVERVIEW5SECTION 1Introduction Welcome.docx
 
Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-
Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-
Chapter 4Secure Design PrinciplesCopyright © 2014 by McGraw-
 
Security Fundamentals and Threat Modelling
Security Fundamentals and Threat ModellingSecurity Fundamentals and Threat Modelling
Security Fundamentals and Threat Modelling
 

More from Paige Cruz

Power Up with Podman - Kubernetes Community Day LA
Power Up with Podman - Kubernetes Community Day LAPower Up with Podman - Kubernetes Community Day LA
Power Up with Podman - Kubernetes Community Day LAPaige Cruz
 
99.99% of Your Traces Are (Probably) Trash (SRECon NA 2024).pdf
99.99% of Your Traces Are (Probably) Trash (SRECon NA 2024).pdf99.99% of Your Traces Are (Probably) Trash (SRECon NA 2024).pdf
99.99% of Your Traces Are (Probably) Trash (SRECon NA 2024).pdfPaige Cruz
 
OTel Orientation: How to Train Teams (OTel in Practice)
OTel Orientation: How to Train Teams (OTel in Practice)OTel Orientation: How to Train Teams (OTel in Practice)
OTel Orientation: How to Train Teams (OTel in Practice)Paige Cruz
 
Avoiding Alert Bankruptcy and Burnout
Avoiding Alert Bankruptcy and Burnout Avoiding Alert Bankruptcy and Burnout
Avoiding Alert Bankruptcy and BurnoutPaige Cruz
 
Tracing Adventures from PR - Production
Tracing Adventures from PR - ProductionTracing Adventures from PR - Production
Tracing Adventures from PR - ProductionPaige Cruz
 
There's No Place Like Production
There's No Place Like ProductionThere's No Place Like Production
There's No Place Like ProductionPaige Cruz
 
Taming Feral DevOps
Taming Feral DevOps Taming Feral DevOps
Taming Feral DevOps Paige Cruz
 
SRECon23 Cognitive Apprenticeship in Action_ Alert Triage Hour of Power
SRECon23 Cognitive Apprenticeship in Action_ Alert Triage Hour of PowerSRECon23 Cognitive Apprenticeship in Action_ Alert Triage Hour of Power
SRECon23 Cognitive Apprenticeship in Action_ Alert Triage Hour of PowerPaige Cruz
 
Pushing Observability Uphill - The Single “Pain” of Glass
Pushing Observability Uphill - The Single “Pain” of GlassPushing Observability Uphill - The Single “Pain” of Glass
Pushing Observability Uphill - The Single “Pain” of GlassPaige Cruz
 
Power Up with Podman
Power Up with PodmanPower Up with Podman
Power Up with PodmanPaige Cruz
 
Intro to Instrumentation
Intro to InstrumentationIntro to Instrumentation
Intro to InstrumentationPaige Cruz
 
From Cardinal(ity) Sins to Cost-Efficient Metrics Aggregation
From Cardinal(ity) Sins to Cost-Efficient Metrics AggregationFrom Cardinal(ity) Sins to Cost-Efficient Metrics Aggregation
From Cardinal(ity) Sins to Cost-Efficient Metrics AggregationPaige Cruz
 
99.9% of Your Traces are Trash
99.9% of Your Traces are Trash99.9% of Your Traces are Trash
99.9% of Your Traces are TrashPaige Cruz
 
3rd Wave Observability: Open or Bust
3rd Wave Observability: Open or Bust 3rd Wave Observability: Open or Bust
3rd Wave Observability: Open or Bust Paige Cruz
 

More from Paige Cruz (14)

Power Up with Podman - Kubernetes Community Day LA
Power Up with Podman - Kubernetes Community Day LAPower Up with Podman - Kubernetes Community Day LA
Power Up with Podman - Kubernetes Community Day LA
 
99.99% of Your Traces Are (Probably) Trash (SRECon NA 2024).pdf
99.99% of Your Traces Are (Probably) Trash (SRECon NA 2024).pdf99.99% of Your Traces Are (Probably) Trash (SRECon NA 2024).pdf
99.99% of Your Traces Are (Probably) Trash (SRECon NA 2024).pdf
 
OTel Orientation: How to Train Teams (OTel in Practice)
OTel Orientation: How to Train Teams (OTel in Practice)OTel Orientation: How to Train Teams (OTel in Practice)
OTel Orientation: How to Train Teams (OTel in Practice)
 
Avoiding Alert Bankruptcy and Burnout
Avoiding Alert Bankruptcy and Burnout Avoiding Alert Bankruptcy and Burnout
Avoiding Alert Bankruptcy and Burnout
 
Tracing Adventures from PR - Production
Tracing Adventures from PR - ProductionTracing Adventures from PR - Production
Tracing Adventures from PR - Production
 
There's No Place Like Production
There's No Place Like ProductionThere's No Place Like Production
There's No Place Like Production
 
Taming Feral DevOps
Taming Feral DevOps Taming Feral DevOps
Taming Feral DevOps
 
SRECon23 Cognitive Apprenticeship in Action_ Alert Triage Hour of Power
SRECon23 Cognitive Apprenticeship in Action_ Alert Triage Hour of PowerSRECon23 Cognitive Apprenticeship in Action_ Alert Triage Hour of Power
SRECon23 Cognitive Apprenticeship in Action_ Alert Triage Hour of Power
 
Pushing Observability Uphill - The Single “Pain” of Glass
Pushing Observability Uphill - The Single “Pain” of GlassPushing Observability Uphill - The Single “Pain” of Glass
Pushing Observability Uphill - The Single “Pain” of Glass
 
Power Up with Podman
Power Up with PodmanPower Up with Podman
Power Up with Podman
 
Intro to Instrumentation
Intro to InstrumentationIntro to Instrumentation
Intro to Instrumentation
 
From Cardinal(ity) Sins to Cost-Efficient Metrics Aggregation
From Cardinal(ity) Sins to Cost-Efficient Metrics AggregationFrom Cardinal(ity) Sins to Cost-Efficient Metrics Aggregation
From Cardinal(ity) Sins to Cost-Efficient Metrics Aggregation
 
99.9% of Your Traces are Trash
99.9% of Your Traces are Trash99.9% of Your Traces are Trash
99.9% of Your Traces are Trash
 
3rd Wave Observability: Open or Bust
3rd Wave Observability: Open or Bust 3rd Wave Observability: Open or Bust
3rd Wave Observability: Open or Bust
 

Recently uploaded

Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Hyundai Motor Group
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 

Recently uploaded (20)

Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 

Threat Modeling in the Cloud

  • 2. What threats are likely for a vending machine?
  • 3. Your threat model is not my threat model: Hospital edition 🏥
  • 4. 4
  • 5. 5 Warning Do not use endoscopy equipment to steal chocolate from this vending machine.
  • 7. A structured process to identify security requirements, pinpoint threats and potential vulnerabilities, quantify threat and vulnerability criticality and prioritize remediation methods. The Official ™ Definition 7
  • 8. “ Threat modeling is a conversation. - Matthew Coles Sr Principal Product Security Eng @ Dell 8 Real World Definition
  • 10. Guiding Questions 10 What are we working on? What can go wrong?
  • 11. Guiding Questions 11 What are we working on? What can go wrong? What are we going to do about it?
  • 12. Guiding Questions 12 What are we working on? What can go wrong? What are we going to do about it? Did we do a good enough job?
  • 19. 19
  • 21. Which make up the top 3 cloud threats? ⬡ Weak Control Plane ⬡ Account Hijacking ⬡ Data Breaches ⬡ Insufficient IAM and Key Management ⬡ Metastructure + Applistructure Failures ⬡ Abuse + Nefarious Use of Cloud Services 21 ⬡ Insecure Interfaces + APIs ⬡ Insider Threat ⬡ Misconfiguration and Inadequate Change Control ⬡ Lack of Cloud Security Architecture + Strategy ⬡ Limited Cloud Usage Visibility
  • 22. Which make up the top 3 cloud threats? ⬡ Weak Control Plane ⬡ Account Hijacking ⬡ Data Breaches ⬡ Insufficient IAM and Key Management ⬡ Metastructure + Applistructure Failures ⬡ Abuse + Nefarious Use of Cloud Services 22 ⬡ Insecure Interfaces + APIs ⬡ Insider Threat ⬡ Misconfiguration and Inadequate Change Control ⬡ Lack of Cloud Security Architecture + Strategy ⬡ Limited Cloud Usage Visibility
  • 23. Which make up the top 3 cloud threats? ⬡ Weak Control Plane ⬡ Account Hijacking ⬡ Data Breaches ⬡ Insufficient IAM and Key Management ⬡ Metastructure + Applistructure Failures ⬡ Abuse + Nefarious Use of Cloud Services 23 ⬡ Insecure Interfaces + APIs ⬡ Insider Threat ⬡ Misconfiguration and Inadequate Change Control ⬡ Lack of Cloud Security Architecture + Strategy ⬡ Limited Cloud Usage Visibility
  • 24. Which make up the top 3 cloud threats? ⬡ Weak Control Plane ⬡ Account Hijacking ⬡ Data Breaches ⬡ Insufficient IAM and Key Management ⬡ Metastructure + Applistructure Failures ⬡ Abuse + Nefarious Use of Cloud Services 24 ⬡ Insecure Interfaces + APIs ⬡ Insider Threat ⬡ Misconfiguration and Inadequate Change Control ⬡ Lack of Cloud Security Architecture + Strategy ⬡ Limited Cloud Usage Visibility
  • 25. 25
  • 26. 26
  • 28. 28 “If Defendant had disclosed the full extent of the breach in August instead of waiting months, Plaintiff/Class would have been on heightened alert and changed passwords to avoid theft that ensued.”
  • 29. 29
  • 30. 30
  • 31. 31
  • 33. 33
  • 35. “While Argo services often support various risk or threat prevention methods, these are frequently under-documented or are provided on an opt-in basis rather than default - Argo Project Threat Model 35
  • 36. 36
  • 37. 37
  • 40. 40 1 Identify 1 feature or service to begin threat modeling
  • 41. 41 1 2 Identify 1 feature or service to begin threat modeling Schedule a meeting. Agenda: The 4 Guiding Questions
  • 42. 42 1 3 2 Identify 1 feature or service to begin threat modeling Send pre-read of the Threat Modeling Manifesto Schedule a meeting. Agenda: The 4 Guiding Questions
  • 43. 43 1 3 4 2 Identify 1 feature or service to begin threat modeling Send pre-read of the Threat Modeling Manifesto Schedule a meeting. Agenda: The 4 Guiding Questions Ensure minimal service documentation
  • 44. 44 1 3 5 4 2 Identify 1 feature or service to begin threat modeling Send pre-read of the Threat Modeling Manifesto Assign a scribe and facilitator for the meeting Schedule a meeting. Agenda: The 4 Guiding Questions Ensure minimal service documentation
  • 45. 45 1 3 5 6 4 2 Identify 1 feature or service to begin threat modeling Send pre-read of the Threat Modeling Manifesto Assign a scribe and facilitator for the meeting Schedule a meeting. Agenda: The 4 Guiding Questions Ensure minimal service documentation Rinse and repeat
  • 48. Threat Modeling is a conversation
  • 49. Further Resources ⬡ Threat Modeling Manifesto ⬡ OWASP Top Ten Web App Security Risks ⬡ Hiding Malware in Docker Desktop <- srsly a hilarious and informative read ⬡ MITRE ATT&CK adversarial knowledge base 101 blog post 49
  • 50. Minimal Service Documentation ⬡ How does the service work? ⬡ Are there any subcomponents or shared boundaries? ⬡ What communication protocols does it use? ⬡ Where does it store data? ⬡ What is the most sensitive data it stores? 50
  • 51. 1. Data Breaches 2. Misconfiguration and Inadequate Change Control 3. Lack of Cloud Security Architecture + Strategy 4. Insufficient IAM and Key Management 5. Account Hijacking 6. Insider Threat 7. Insecure Interfaces + APIs 8. Weak Control Plane 9. Metastructure + Applistructure Failures 10. Limited Cloud Usage Visibility 11. Abuse + Nefarious Use of Cloud Services 51
  • 52. 52 Let’s Chat @ CNCF Booth G3 Friday, 2:20 - 3:20 paigerduty.com ★ @chronosphere.io ★ @hachyderm.io