SlideShare a Scribd company logo

Rapid Threat Modeling Techniques

Priyanka Aash
Priyanka Aash

Rapid Threat Modeling Techniques

Technology
1 of 33
SESSION ID: #RSAC Chad Childers Rapid Threat Modeling Techniques ASD-R01 IT Security Ford Motor Company
#RSAC Agenda 2  Threat Modeling background  Lessons Learned to make threat modeling faster  Techniques specifically for DFD and STRIDE effectiveness  Issues  Customizations & other security analysis tools  Success!
#RSAC What is Threat Modeling? 3  Design practice from the Software Assurance Forum (SAFECode)  Attack trees  Threat library (CAPEC, OWASP Top Ten)  Use Cases  STRIDE Spoofing Tampering Repudiation Information Disclosure Denial of Service Elevation of Privilege
#RSAC What is Threat Modeling? 4  Microsoft Security Development Lifecycle - Threat Modeling tool  Architectural model based on Data Flow Diagram  Each element of the diagram generates a set of STRIDE threats Process element User element Data Flow element
#RSAC STRIDE by elements 5 Threats Data Flows Data Stores Processes Interactors Spoofing X X Tampering X X X Repudiation X X X Information Disclosure X X X Denial of Service X X X Elevation of Privilege X
#RSAC Why Rapid Threat Modeling? 6  Professional benefits  Security skill in demand  Architects make issues surface, clarify design issues  Developers can avoid rework, prioritize  Deliver Results  Teams can see value quickly, understand vulnerabilities  Answer “What do I do now?”
#RSAC Security hurdles • Controls documentation • Paperwork exercise • Last minute gate review • Athletes have the right training • They prepare and practice • They are not surprised
#RSAC Who should use Threat Modeling tools 8  Facilitated by security experts  Provide mitigation advice and consulting  Guide team  Mindset “What is the worst that can happen?”  Keep on-track and fast paced  Self-Service  Security knowledge prefilled within tool can provide guidance  Can be updated immediately if design or controls changed
#RSAC Set yourself up for success 9  Session Duration: 90 minutes ± 30  Cadence: 2 sessions a week  Web sessions save time, projector bulbs, more productive  Group size  Architect – who can answer design and controls questions  SME – who can answer business impact questions  Split up sessions per SME to save valuable time  Too many cooks…
#RSAC What to Threat Model? 10  High risk (Confidentiality/Integrity, external facing, reputational, compliance…)  Complex interactions between systems, emergent properties  Data or control transfer across a boundary  New technology/architecture to your company  Architect has trouble thinking through potential issues
#RSAC What not to Threat Model? 11  A repeat implementation using all standard controls  No significant revisions to application or data  You already have a fully documented Control Review and all the questions fit well
#RSAC Art of the Data Flow Diagram 12 …make the irreducible basic elements as simple and as few as possible without having to surrender the adequate representation… - Einstein Threat Modeling Is Like Playing A Violin - Shostack
#RSAC Data Flow Diagram elements 13 Application User Data Store External Application Application out of scope Admin
#RSAC  Description/Impact - What’s the worst that can happen if this Threat is manifested? (or certify that it is not a threat)  Review common impacts to help customize default Description Threat: Data Flow Sniffing Category: Information Disclosure Mitigated Description Justification for threat state change PII Data in transit exposed. Default text appears here and can be customized so it makes sense to your users
#RSAC  Solution/Justification for state change - What Mitigations or Controls do we have in place or plan to put in place as a solution?  Common mitigations may help customize controls elements Threat: Data Flow Sniffing Category: Information Disclosure Mitigated Description Justification for threat state change PII Data in transit exposed TLS encrypted
#RSAC  When you find an issue that needs investigation, do provide security consulting, but don’t stop, add it to the issues list and move on. Threat: Insufficient Auditing Category : Repudiation Needs investigation Description Justification for threat state change Does the log capture enough data to understand what happened and what the source of the change was? Need to determine strategy to assure that logs provide traceability
#RSAC  When you find an issue that needs investigation, do provide security consulting, but don’t stop, add it to the issues list and move on. Threat: Insufficient Auditing Category : Repudiation Needs investigation Description Justification for threat state change Does the log capture enough data to understand what happened and what the source of the change was? Need to determine strategy to assure that logs provide traceability
#RSAC  When you find an issue that needs investigation, do provide security consulting, but don’t stop, add it to the issues list and move on. Threat: Insufficient Auditing Category : Repudiation Needs investigation Description Justification for threat state change Does the log capture enough data to understand what happened and what the source of the change was? Need to determine strategy to assure that logs provide traceability
#RSAC Capture an Issues List  Paste actions/controls gaps into a spreadsheet or immediately enter in backlog, test tool, or project management tool  A-ha moments: “oh, we never thought of that!”  Critical controls that are not already documented anywhere else  The mitigation sounds like a reason we can’t figure out how to mitigate  Nonstandard controls that need to be tested
#RSAC Sample Issues Threat model Issue Approach/Plan to Address Priority ∇ Status Owner Determine strategy to assure that logs provide traceability Interface team has item in their backlog, test plan to be developed Medium Mitigated Judy Make sure that any PII or Secret data is encrypted before drop off or transfer Encryption in place, key transfer out of band High ∇ Mitigated Chad How are we going to manage customer data, who owns CRM interface? High Lou Host based IDS rules turn off unused ports/protocols? Medium Chris
#RSAC  Don’t waste time assessing threat priority by committee  Priority may have value for Needs Investigation issues  Priority may have value if you use it to reduce workload Threat Priority High
#RSAC Security unit test – regression test  Develop from Threat Model issues list  Example: verify that all changes from any source are logged  Work with QC to develop test cases for nonfunctional requirements  Run at each iteration before release  Run annually to validate controls
#RSAC Common Controls - Example: Guide to Interoperability Table 2.2 CI capability for Table 2.3 CIA Capability for Core Interoperability Transport Protocols Basic Interoperability Security Tech
#RSAC Common Controls - Customize MODEL ELEMENTS THREATS Data Flows Data Stores Processes Interactors Spoofing N/A N/A WSL WSL Strong Auth Active Directory Tampering SSL TLS Config validation Database Encryption APS N/A Repudiation N/A Oracle/SQL Farm Turn on table level logs Logs Digital Signing Logs Information Disclosure SSL TLS Database Encryption APS N/A Denial of Service CDN ANX Oracle/SQL Farm Config Validation CSP N/A Elevation of Privilege N/A N/A Config Validation CSP N/A
#RSAC Common Controls - Customize 25  Add your standard controls to StandardElementCollection.XML  Don’t ask threat questions where a control is already covered  Modify ThreatTypes.XML  Example: TLS Data Flow doesn’t need to answer Sniffing question  Make sure an issue is addressed in future threat models  Modify ThreatTypes.XML  Add “assure that logs provide traceability” or add a new Repudiation threat that occurs for specified elements
#RSAC Security Analysis Tools 26  Portfolio Risk Assessment – what to threat model  Threat Modeling  Secure Code training and manual code review  Static Analysis (SAST)  Dynamic Analysis (DAST)  Penetration Testing  External Audit
#RSAC 27 TAM - Quantitative analysis with DREAD
#RSAC Metrics  What does success look like?  Don’t impact project timing  Head off issues that could delay launch  Number of sessions completed is more meaningful than number of threat models, but not much  Number of threats  Mitigated with common control  Mitigated with nonstandard control  Unmitigated or Accepted
#RSAC Futures  How do we define “finished”?  Send XML TMS file to Security Consulting  Check off mitigation jointly with Security  Mitigations completed  Actions entered in Backlog/Test plan  File as Control Review attachment  Custom elements  What do YOU think we need?
#RSAC Summary 30  Threat Modeling makes Security look good  Treat SME time like gold and they will treasure you  Include only irreducible elements where answers are different  Resolving issues is the hard part!  Don’t be afraid to customize especially to save time  Success is every A-ha moment  Massive success is when the SMEs want to do it themselves
#RSAC Apply Threat Modeling in your organization  Next week you should:  Install the SDL Threat Modeling tool from http://www.microsoft.com/security/sdl/adopt/threatmodeling.aspx  In the first three months following this presentation you should:  Think about new projects in your organization that are good candidates for Threat Modeling and complete your first Threat Model  Within six months you should:  Review what you have learned in your organization and determine who else can benefit from using Threat Modeling 31
#RSAC Questions?  Please use the microphones
#RSAC Acknowledgements  SAFECode, “Fundamental Practices for Secure Software Development: A Guide to the Most Effective Secure Development Practices in Use Today”  Lou Kunimatsu, “My, What Big Teeth You Have: A Threat Analysis and Modeling Fairy Tale”  Michael Jones photograph “400M Hurdles” from the 2012 Olympics, Creative Commons license CC BY-NC-SA 2.0  Adam Shostack, “New Foundations for Threat Modeling”  Albert Einstein, “On the Method of Theoretical Physics”

Recommended

Orchestrating Software Defined Networks To Disrupt The Apt Kill Chain
Orchestrating Software Defined Networks To Disrupt The Apt Kill ChainOrchestrating Software Defined Networks To Disrupt The Apt Kill Chain
Orchestrating Software Defined Networks To Disrupt The Apt Kill ChainPriyanka Aash
 
Achieving Defendable Architectures Via Threat Driven Methodologies
Achieving Defendable Architectures Via Threat Driven MethodologiesAchieving Defendable Architectures Via Threat Driven Methodologies
Achieving Defendable Architectures Via Threat Driven MethodologiesPriyanka Aash
 
How To Avoid The Top Ten Software Security Flaws
How To Avoid The Top Ten Software Security FlawsHow To Avoid The Top Ten Software Security Flaws
How To Avoid The Top Ten Software Security FlawsPriyanka Aash
 
Implementing An Automated Incident Response Architecture
Implementing An Automated Incident Response ArchitectureImplementing An Automated Incident Response Architecture
Implementing An Automated Incident Response ArchitecturePriyanka Aash
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat ModelingPriyanka Aash
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingPriyanka Aash
 
STRIDE And DREAD
STRIDE And DREADSTRIDE And DREAD
STRIDE And DREADchuckbt
 
Westjets Security Architecture Made Simple We Finally Got It Right
Westjets Security Architecture Made Simple We Finally Got It RightWestjets Security Architecture Made Simple We Finally Got It Right
Westjets Security Architecture Made Simple We Finally Got It RightPriyanka Aash
 

Recommended

Orchestrating Software Defined Networks To Disrupt The Apt Kill Chain
Orchestrating Software Defined Networks To Disrupt The Apt Kill ChainOrchestrating Software Defined Networks To Disrupt The Apt Kill Chain
Orchestrating Software Defined Networks To Disrupt The Apt Kill ChainPriyanka Aash
 
Achieving Defendable Architectures Via Threat Driven Methodologies
Achieving Defendable Architectures Via Threat Driven MethodologiesAchieving Defendable Architectures Via Threat Driven Methodologies
Achieving Defendable Architectures Via Threat Driven MethodologiesPriyanka Aash
 
How To Avoid The Top Ten Software Security Flaws
How To Avoid The Top Ten Software Security FlawsHow To Avoid The Top Ten Software Security Flaws
How To Avoid The Top Ten Software Security FlawsPriyanka Aash
 
Implementing An Automated Incident Response Architecture
Implementing An Automated Incident Response ArchitectureImplementing An Automated Incident Response Architecture
Implementing An Automated Incident Response ArchitecturePriyanka Aash
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat ModelingPriyanka Aash
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingPriyanka Aash
 
STRIDE And DREAD
STRIDE And DREADSTRIDE And DREAD
STRIDE And DREADchuckbt
 
Westjets Security Architecture Made Simple We Finally Got It Right
Westjets Security Architecture Made Simple We Finally Got It RightWestjets Security Architecture Made Simple We Finally Got It Right
Westjets Security Architecture Made Simple We Finally Got It RightPriyanka Aash
 
Red7 Software Application Security Threat Modeling
Red7 Software Application Security Threat ModelingRed7 Software Application Security Threat Modeling
Red7 Software Application Security Threat ModelingRobert Grupe, CSSLP CISSP PE PMP
 
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...FFRI, Inc.
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)abhimanyubhogwan
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat ModelingRochester Security Summit
 
Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & ArchitecturePriyanka Aash
 
Threat modeling demystified
Threat modeling demystifiedThreat modeling demystified
Threat modeling demystifiedPriyanka Aash
 
A successful application security program - Envision build and scale
A successful application security program - Envision build and scaleA successful application security program - Envision build and scale
A successful application security program - Envision build and scalePriyanka Aash
 
us-16-Nipravsky-Certificate-Bypass-Hiding-And-Executing-Malware-From-A-Digita...
us-16-Nipravsky-Certificate-Bypass-Hiding-And-Executing-Malware-From-A-Digita...us-16-Nipravsky-Certificate-Bypass-Hiding-And-Executing-Malware-From-A-Digita...
us-16-Nipravsky-Certificate-Bypass-Hiding-And-Executing-Malware-From-A-Digita...Tom Nipravsky
 
Threat modeling the security of the enterprise
Threat modeling the security of the enterpriseThreat modeling the security of the enterprise
Threat modeling the security of the enterpriseRafal Los
 
Mobile application security and threat modeling
Mobile application security and threat modelingMobile application security and threat modeling
Mobile application security and threat modelingShantanu Mitra
 
5 things i wish i knew about sast (DSO-LG July 2021)
5 things i wish i knew about sast (DSO-LG July 2021)5 things i wish i knew about sast (DSO-LG July 2021)
5 things i wish i knew about sast (DSO-LG July 2021)Michael Man
 
Threat modelling with_sample_application
Threat modelling with_sample_applicationThreat modelling with_sample_application
Threat modelling with_sample_applicationUmut IŞIK
 
The Rise of the Purple Team
The Rise of the Purple TeamThe Rise of the Purple Team
The Rise of the Purple TeamPriyanka Aash
 
The Incident Response Playbook for Android and iOS
The Incident Response Playbook for Android and iOSThe Incident Response Playbook for Android and iOS
The Incident Response Playbook for Android and iOSPriyanka Aash
 
Wfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security InnovationWfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security InnovationPriyanka Aash
 
Incident Response: Validation, Containment & Forensics
Incident Response: Validation, Containment & Forensics Incident Response: Validation, Containment & Forensics
Incident Response: Validation, Containment & ForensicsPriyanka Aash
 
Leveraging red for defense
Leveraging red for defenseLeveraging red for defense
Leveraging red for defensePriyanka Aash
 
Breaking and entering how and why dhs conducts penetration tests
Breaking and entering how and why dhs conducts penetration testsBreaking and entering how and why dhs conducts penetration tests
Breaking and entering how and why dhs conducts penetration testsPriyanka Aash
 
Threat Intelligence Is Like Three Day Potty Training
Threat Intelligence Is Like Three Day Potty TrainingThreat Intelligence Is Like Three Day Potty Training
Threat Intelligence Is Like Three Day Potty TrainingPriyanka Aash
 
Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk
Mapping the Enterprise Threat, Risk, and Security Control Landscape with SplunkMapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk
Mapping the Enterprise Threat, Risk, and Security Control Landscape with SplunkAndrew Gerber
 
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017) An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017) FFRI, Inc.
 
Owasp Proactive Controls for Web developer
Owasp Proactive Controls for Web developerOwasp Proactive Controls for Web developer
Owasp Proactive Controls for Web developerSameer Paradia
 

More Related Content

What's hot

STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...FFRI, Inc.
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)abhimanyubhogwan
 
Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & ArchitecturePriyanka Aash
 
Threat modeling demystified
Threat modeling demystifiedThreat modeling demystified
Threat modeling demystifiedPriyanka Aash
 
A successful application security program - Envision build and scale
A successful application security program - Envision build and scaleA successful application security program - Envision build and scale
A successful application security program - Envision build and scalePriyanka Aash
 
us-16-Nipravsky-Certificate-Bypass-Hiding-And-Executing-Malware-From-A-Digita...
us-16-Nipravsky-Certificate-Bypass-Hiding-And-Executing-Malware-From-A-Digita...us-16-Nipravsky-Certificate-Bypass-Hiding-And-Executing-Malware-From-A-Digita...
us-16-Nipravsky-Certificate-Bypass-Hiding-And-Executing-Malware-From-A-Digita...Tom Nipravsky
 
Threat modeling the security of the enterprise
Threat modeling the security of the enterpriseThreat modeling the security of the enterprise
Threat modeling the security of the enterpriseRafal Los
 
Mobile application security and threat modeling
Mobile application security and threat modelingMobile application security and threat modeling
Mobile application security and threat modelingShantanu Mitra
 
5 things i wish i knew about sast (DSO-LG July 2021)
5 things i wish i knew about sast (DSO-LG July 2021)5 things i wish i knew about sast (DSO-LG July 2021)
5 things i wish i knew about sast (DSO-LG July 2021)Michael Man
 
Threat modelling with_sample_application
Threat modelling with_sample_applicationThreat modelling with_sample_application
Threat modelling with_sample_applicationUmut IŞIK
 
The Rise of the Purple Team
The Rise of the Purple TeamThe Rise of the Purple Team
The Rise of the Purple TeamPriyanka Aash
 
The Incident Response Playbook for Android and iOS
The Incident Response Playbook for Android and iOSThe Incident Response Playbook for Android and iOS
The Incident Response Playbook for Android and iOSPriyanka Aash
 
Wfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security InnovationWfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security InnovationPriyanka Aash
 
Incident Response: Validation, Containment & Forensics
Incident Response: Validation, Containment & Forensics Incident Response: Validation, Containment & Forensics
Incident Response: Validation, Containment & ForensicsPriyanka Aash
 
Leveraging red for defense
Leveraging red for defenseLeveraging red for defense
Leveraging red for defensePriyanka Aash
 
Breaking and entering how and why dhs conducts penetration tests
Breaking and entering how and why dhs conducts penetration testsBreaking and entering how and why dhs conducts penetration tests
Breaking and entering how and why dhs conducts penetration testsPriyanka Aash
 
Threat Intelligence Is Like Three Day Potty Training
Threat Intelligence Is Like Three Day Potty TrainingThreat Intelligence Is Like Three Day Potty Training
Threat Intelligence Is Like Three Day Potty TrainingPriyanka Aash
 
Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk
Mapping the Enterprise Threat, Risk, and Security Control Landscape with SplunkMapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk
Mapping the Enterprise Threat, Risk, and Security Control Landscape with SplunkAndrew Gerber
 

What's hot (20)

Red7 Software Application Security Threat Modeling
Red7 Software Application Security Threat ModelingRed7 Software Application Security Threat Modeling
Red7 Software Application Security Threat Modeling
 
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat Modeling
 
Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture
 
Threat modeling demystified
Threat modeling demystifiedThreat modeling demystified
Threat modeling demystified
 
A successful application security program - Envision build and scale
A successful application security program - Envision build and scaleA successful application security program - Envision build and scale
A successful application security program - Envision build and scale
 
us-16-Nipravsky-Certificate-Bypass-Hiding-And-Executing-Malware-From-A-Digita...
us-16-Nipravsky-Certificate-Bypass-Hiding-And-Executing-Malware-From-A-Digita...us-16-Nipravsky-Certificate-Bypass-Hiding-And-Executing-Malware-From-A-Digita...
us-16-Nipravsky-Certificate-Bypass-Hiding-And-Executing-Malware-From-A-Digita...
 
Threat modeling the security of the enterprise
Threat modeling the security of the enterpriseThreat modeling the security of the enterprise
Threat modeling the security of the enterprise
 
Mobile application security and threat modeling
Mobile application security and threat modelingMobile application security and threat modeling
Mobile application security and threat modeling
 
5 things i wish i knew about sast (DSO-LG July 2021)
5 things i wish i knew about sast (DSO-LG July 2021)5 things i wish i knew about sast (DSO-LG July 2021)
5 things i wish i knew about sast (DSO-LG July 2021)
 
Threat modelling with_sample_application
Threat modelling with_sample_applicationThreat modelling with_sample_application
Threat modelling with_sample_application
 
The Rise of the Purple Team
The Rise of the Purple TeamThe Rise of the Purple Team
The Rise of the Purple Team
 
The Incident Response Playbook for Android and iOS
The Incident Response Playbook for Android and iOSThe Incident Response Playbook for Android and iOS
The Incident Response Playbook for Android and iOS
 
Wfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security InnovationWfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security Innovation
 
Incident Response: Validation, Containment & Forensics
Incident Response: Validation, Containment & Forensics Incident Response: Validation, Containment & Forensics
Incident Response: Validation, Containment & Forensics
 
Leveraging red for defense
Leveraging red for defenseLeveraging red for defense
Leveraging red for defense
 
Breaking and entering how and why dhs conducts penetration tests
Breaking and entering how and why dhs conducts penetration testsBreaking and entering how and why dhs conducts penetration tests
Breaking and entering how and why dhs conducts penetration tests
 
Threat Intelligence Is Like Three Day Potty Training
Threat Intelligence Is Like Three Day Potty TrainingThreat Intelligence Is Like Three Day Potty Training
Threat Intelligence Is Like Three Day Potty Training
 
Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk
Mapping the Enterprise Threat, Risk, and Security Control Landscape with SplunkMapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk
Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk
 

Viewers also liked

An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017) An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017) FFRI, Inc.
 
Owasp Proactive Controls for Web developer
Owasp Proactive Controls for Web developerOwasp Proactive Controls for Web developer
Owasp Proactive Controls for Web developerSameer Paradia
 
Robert Hurlbut - Threat Modeling for Secure Software Design
Robert Hurlbut - Threat Modeling for Secure Software DesignRobert Hurlbut - Threat Modeling for Secure Software Design
Robert Hurlbut - Threat Modeling for Secure Software Designcentralohioissa
 
Threat Modeling web applications (2012 update)
Threat Modeling web applications (2012 update)Threat Modeling web applications (2012 update)
Threat Modeling web applications (2012 update)Antonio Fontes
 
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive ControlsTen Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive ControlsSecuRing
 
Secure Design: Threat Modeling
Secure Design: Threat ModelingSecure Design: Threat Modeling
Secure Design: Threat ModelingCigital
 

Viewers also liked (6)

An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017) An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
 
Owasp Proactive Controls for Web developer
Owasp Proactive Controls for Web developerOwasp Proactive Controls for Web developer
Owasp Proactive Controls for Web developer
 
Robert Hurlbut - Threat Modeling for Secure Software Design
Robert Hurlbut - Threat Modeling for Secure Software DesignRobert Hurlbut - Threat Modeling for Secure Software Design
Robert Hurlbut - Threat Modeling for Secure Software Design
 
Threat Modeling web applications (2012 update)
Threat Modeling web applications (2012 update)Threat Modeling web applications (2012 update)
Threat Modeling web applications (2012 update)
 
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive ControlsTen Commandments of Secure Coding - OWASP Top Ten Proactive Controls
Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls
 
Secure Design: Threat Modeling
Secure Design: Threat ModelingSecure Design: Threat Modeling
Secure Design: Threat Modeling
 

Similar to Rapid Threat Modeling Techniques

Introducing a Security Program to Large Scale Legacy Products
Introducing a Security Program to Large Scale Legacy ProductsIntroducing a Security Program to Large Scale Legacy Products
Introducing a Security Program to Large Scale Legacy ProductsPriyanka Aash
 
Realizing Software Security Maturity: The Growing Pains and Gains
Realizing Software Security Maturity: The Growing Pains and GainsRealizing Software Security Maturity: The Growing Pains and Gains
Realizing Software Security Maturity: The Growing Pains and GainsPriyanka Aash
 
It's Not Dead Yet - Email Security Matters
It's Not Dead Yet - Email Security MattersIt's Not Dead Yet - Email Security Matters
It's Not Dead Yet - Email Security MattersTrent Adams
 
Practical appsec lessons learned in the age of agile and DevOps
Practical appsec lessons learned in the age of agile and DevOpsPractical appsec lessons learned in the age of agile and DevOps
Practical appsec lessons learned in the age of agile and DevOpsPriyanka Aash
 
Take It to the Cloud: The Evolution of Security Architecture
Take It to the Cloud: The Evolution of Security ArchitectureTake It to the Cloud: The Evolution of Security Architecture
Take It to the Cloud: The Evolution of Security ArchitecturePriyanka Aash
 
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...Aaron Rinehart
 
Securing 100 products - How hard can it be?
Securing 100 products - How hard can it be?Securing 100 products - How hard can it be?
Securing 100 products - How hard can it be?Priyanka Aash
 
Embedded Systems Security: Building a More Secure Device
Embedded Systems Security: Building a More Secure DeviceEmbedded Systems Security: Building a More Secure Device
Embedded Systems Security: Building a More Secure DevicePriyanka Aash
 
Embedded Systems Security: Building a More Secure Device
Embedded Systems Security: Building a More Secure DeviceEmbedded Systems Security: Building a More Secure Device
Embedded Systems Security: Building a More Secure DevicePriyanka Aash
 
Security at the Speed of Software Development
Security at the Speed of Software DevelopmentSecurity at the Speed of Software Development
Security at the Speed of Software DevelopmentDevOps.com
 
Whose Cloud is It Anyway - Data Security in the Cloud
Whose Cloud is It Anyway - Data Security in the CloudWhose Cloud is It Anyway - Data Security in the Cloud
Whose Cloud is It Anyway - Data Security in the CloudSafeNet
 
Software Security Engineering
Software Security EngineeringSoftware Security Engineering
Software Security EngineeringMarco Morana
 
Threat intel- -content-curation-organizing-the-path-to-successful-detection
Threat intel- -content-curation-organizing-the-path-to-successful-detectionThreat intel- -content-curation-organizing-the-path-to-successful-detection
Threat intel- -content-curation-organizing-the-path-to-successful-detectionPriyanka Aash
 
A Pragmatic Union: Security and SRE
A Pragmatic Union: Security and SREA Pragmatic Union: Security and SRE
A Pragmatic Union: Security and SREJames Wickett
 
str-w04_next-wave-of-security-operationalization
str-w04_next-wave-of-security-operationalizationstr-w04_next-wave-of-security-operationalization
str-w04_next-wave-of-security-operationalizationpeter lam
 
IDY-T08 More than Vaulting: Adapting to New Privileged Access Threats
IDY-T08 More than Vaulting: Adapting to New Privileged Access ThreatsIDY-T08 More than Vaulting: Adapting to New Privileged Access Threats
IDY-T08 More than Vaulting: Adapting to New Privileged Access ThreatsLance Peterman
 
Briefing the board lessons learned from cisos and directors
Briefing the board lessons learned from cisos and directorsBriefing the board lessons learned from cisos and directors
Briefing the board lessons learned from cisos and directorsPriyanka Aash
 
Corpsec: “What Happened to Corpses A and B?”
Corpsec: “What Happened to Corpses A and B?”Corpsec: “What Happened to Corpses A and B?”
Corpsec: “What Happened to Corpses A and B?”Priyanka Aash
 
Make IR Effective with Risk Evaluation and Reporting
Make IR Effective with Risk Evaluation and ReportingMake IR Effective with Risk Evaluation and Reporting
Make IR Effective with Risk Evaluation and ReportingPriyanka Aash
 

Similar to Rapid Threat Modeling Techniques (20)

Introducing a Security Program to Large Scale Legacy Products
Introducing a Security Program to Large Scale Legacy ProductsIntroducing a Security Program to Large Scale Legacy Products
Introducing a Security Program to Large Scale Legacy Products
 
Realizing Software Security Maturity: The Growing Pains and Gains
Realizing Software Security Maturity: The Growing Pains and GainsRealizing Software Security Maturity: The Growing Pains and Gains
Realizing Software Security Maturity: The Growing Pains and Gains
 
It's Not Dead Yet - Email Security Matters
It's Not Dead Yet - Email Security MattersIt's Not Dead Yet - Email Security Matters
It's Not Dead Yet - Email Security Matters
 
Practical appsec lessons learned in the age of agile and DevOps
Practical appsec lessons learned in the age of agile and DevOpsPractical appsec lessons learned in the age of agile and DevOps
Practical appsec lessons learned in the age of agile and DevOps
 
Take It to the Cloud: The Evolution of Security Architecture
Take It to the Cloud: The Evolution of Security ArchitectureTake It to the Cloud: The Evolution of Security Architecture
Take It to the Cloud: The Evolution of Security Architecture
 
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
 
Securing 100 products - How hard can it be?
Securing 100 products - How hard can it be?Securing 100 products - How hard can it be?
Securing 100 products - How hard can it be?
 
Embedded Systems Security: Building a More Secure Device
Embedded Systems Security: Building a More Secure DeviceEmbedded Systems Security: Building a More Secure Device
Embedded Systems Security: Building a More Secure Device
 
Embedded Systems Security: Building a More Secure Device
Embedded Systems Security: Building a More Secure DeviceEmbedded Systems Security: Building a More Secure Device
Embedded Systems Security: Building a More Secure Device
 
Security at the Speed of Software Development
Security at the Speed of Software DevelopmentSecurity at the Speed of Software Development
Security at the Speed of Software Development
 
Whose Cloud is It Anyway - Data Security in the Cloud
Whose Cloud is It Anyway - Data Security in the CloudWhose Cloud is It Anyway - Data Security in the Cloud
Whose Cloud is It Anyway - Data Security in the Cloud
 
Does audit make us more secure
Does audit make us more secureDoes audit make us more secure
Does audit make us more secure
 
Software Security Engineering
Software Security EngineeringSoftware Security Engineering
Software Security Engineering
 
Threat intel- -content-curation-organizing-the-path-to-successful-detection
Threat intel- -content-curation-organizing-the-path-to-successful-detectionThreat intel- -content-curation-organizing-the-path-to-successful-detection
Threat intel- -content-curation-organizing-the-path-to-successful-detection
 
A Pragmatic Union: Security and SRE
A Pragmatic Union: Security and SREA Pragmatic Union: Security and SRE
A Pragmatic Union: Security and SRE
 
str-w04_next-wave-of-security-operationalization
str-w04_next-wave-of-security-operationalizationstr-w04_next-wave-of-security-operationalization
str-w04_next-wave-of-security-operationalization
 
IDY-T08 More than Vaulting: Adapting to New Privileged Access Threats
IDY-T08 More than Vaulting: Adapting to New Privileged Access ThreatsIDY-T08 More than Vaulting: Adapting to New Privileged Access Threats
IDY-T08 More than Vaulting: Adapting to New Privileged Access Threats
 
Briefing the board lessons learned from cisos and directors
Briefing the board lessons learned from cisos and directorsBriefing the board lessons learned from cisos and directors
Briefing the board lessons learned from cisos and directors
 
Corpsec: “What Happened to Corpses A and B?”
Corpsec: “What Happened to Corpses A and B?”Corpsec: “What Happened to Corpses A and B?”
Corpsec: “What Happened to Corpses A and B?”
 
Make IR Effective with Risk Evaluation and Reporting
Make IR Effective with Risk Evaluation and ReportingMake IR Effective with Risk Evaluation and Reporting
Make IR Effective with Risk Evaluation and Reporting
 

More from Priyanka Aash

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfPriyanka Aash
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfPriyanka Aash
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfPriyanka Aash
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfPriyanka Aash
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfPriyanka Aash
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfPriyanka Aash
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdfPriyanka Aash
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfPriyanka Aash
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfPriyanka Aash
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfPriyanka Aash
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldPriyanka Aash
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksPriyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 

More from Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Recently uploaded

Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 

Recently uploaded (20)

Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 

Rapid Threat Modeling Techniques

  • 1. SESSION ID: #RSAC Chad Childers Rapid Threat Modeling Techniques ASD-R01 IT Security Ford Motor Company
  • 2. #RSAC Agenda 2  Threat Modeling background  Lessons Learned to make threat modeling faster  Techniques specifically for DFD and STRIDE effectiveness  Issues  Customizations & other security analysis tools  Success!
  • 3. #RSAC What is Threat Modeling? 3  Design practice from the Software Assurance Forum (SAFECode)  Attack trees  Threat library (CAPEC, OWASP Top Ten)  Use Cases  STRIDE Spoofing Tampering Repudiation Information Disclosure Denial of Service Elevation of Privilege
  • 4. #RSAC What is Threat Modeling? 4  Microsoft Security Development Lifecycle - Threat Modeling tool  Architectural model based on Data Flow Diagram  Each element of the diagram generates a set of STRIDE threats Process element User element Data Flow element
  • 5. #RSAC STRIDE by elements 5 Threats Data Flows Data Stores Processes Interactors Spoofing X X Tampering X X X Repudiation X X X Information Disclosure X X X Denial of Service X X X Elevation of Privilege X
  • 6. #RSAC Why Rapid Threat Modeling? 6  Professional benefits  Security skill in demand  Architects make issues surface, clarify design issues  Developers can avoid rework, prioritize  Deliver Results  Teams can see value quickly, understand vulnerabilities  Answer “What do I do now?”
  • 7. #RSAC Security hurdles • Controls documentation • Paperwork exercise • Last minute gate review • Athletes have the right training • They prepare and practice • They are not surprised
  • 8. #RSAC Who should use Threat Modeling tools 8  Facilitated by security experts  Provide mitigation advice and consulting  Guide team  Mindset “What is the worst that can happen?”  Keep on-track and fast paced  Self-Service  Security knowledge prefilled within tool can provide guidance  Can be updated immediately if design or controls changed
  • 9. #RSAC Set yourself up for success 9  Session Duration: 90 minutes ± 30  Cadence: 2 sessions a week  Web sessions save time, projector bulbs, more productive  Group size  Architect – who can answer design and controls questions  SME – who can answer business impact questions  Split up sessions per SME to save valuable time  Too many cooks…
  • 10. #RSAC What to Threat Model? 10  High risk (Confidentiality/Integrity, external facing, reputational, compliance…)  Complex interactions between systems, emergent properties  Data or control transfer across a boundary  New technology/architecture to your company  Architect has trouble thinking through potential issues
  • 11. #RSAC What not to Threat Model? 11  A repeat implementation using all standard controls  No significant revisions to application or data  You already have a fully documented Control Review and all the questions fit well
  • 12. #RSAC Art of the Data Flow Diagram 12 …make the irreducible basic elements as simple and as few as possible without having to surrender the adequate representation… - Einstein Threat Modeling Is Like Playing A Violin - Shostack
  • 13. #RSAC Data Flow Diagram elements 13 Application User Data Store External Application Application out of scope Admin
  • 14. #RSAC  Description/Impact - What’s the worst that can happen if this Threat is manifested? (or certify that it is not a threat)  Review common impacts to help customize default Description Threat: Data Flow Sniffing Category: Information Disclosure Mitigated Description Justification for threat state change PII Data in transit exposed. Default text appears here and can be customized so it makes sense to your users
  • 15. #RSAC  Solution/Justification for state change - What Mitigations or Controls do we have in place or plan to put in place as a solution?  Common mitigations may help customize controls elements Threat: Data Flow Sniffing Category: Information Disclosure Mitigated Description Justification for threat state change PII Data in transit exposed TLS encrypted
  • 16. #RSAC  When you find an issue that needs investigation, do provide security consulting, but don’t stop, add it to the issues list and move on. Threat: Insufficient Auditing Category : Repudiation Needs investigation Description Justification for threat state change Does the log capture enough data to understand what happened and what the source of the change was? Need to determine strategy to assure that logs provide traceability
  • 17. #RSAC  When you find an issue that needs investigation, do provide security consulting, but don’t stop, add it to the issues list and move on. Threat: Insufficient Auditing Category : Repudiation Needs investigation Description Justification for threat state change Does the log capture enough data to understand what happened and what the source of the change was? Need to determine strategy to assure that logs provide traceability
  • 18. #RSAC  When you find an issue that needs investigation, do provide security consulting, but don’t stop, add it to the issues list and move on. Threat: Insufficient Auditing Category : Repudiation Needs investigation Description Justification for threat state change Does the log capture enough data to understand what happened and what the source of the change was? Need to determine strategy to assure that logs provide traceability
  • 19. #RSAC Capture an Issues List  Paste actions/controls gaps into a spreadsheet or immediately enter in backlog, test tool, or project management tool  A-ha moments: “oh, we never thought of that!”  Critical controls that are not already documented anywhere else  The mitigation sounds like a reason we can’t figure out how to mitigate  Nonstandard controls that need to be tested
  • 20. #RSAC Sample Issues Threat model Issue Approach/Plan to Address Priority ∇ Status Owner Determine strategy to assure that logs provide traceability Interface team has item in their backlog, test plan to be developed Medium Mitigated Judy Make sure that any PII or Secret data is encrypted before drop off or transfer Encryption in place, key transfer out of band High ∇ Mitigated Chad How are we going to manage customer data, who owns CRM interface? High Lou Host based IDS rules turn off unused ports/protocols? Medium Chris
  • 21. #RSAC  Don’t waste time assessing threat priority by committee  Priority may have value for Needs Investigation issues  Priority may have value if you use it to reduce workload Threat Priority High
  • 22. #RSAC Security unit test – regression test  Develop from Threat Model issues list  Example: verify that all changes from any source are logged  Work with QC to develop test cases for nonfunctional requirements  Run at each iteration before release  Run annually to validate controls
  • 23. #RSAC Common Controls - Example: Guide to Interoperability Table 2.2 CI capability for Table 2.3 CIA Capability for Core Interoperability Transport Protocols Basic Interoperability Security Tech
  • 24. #RSAC Common Controls - Customize MODEL ELEMENTS THREATS Data Flows Data Stores Processes Interactors Spoofing N/A N/A WSL WSL Strong Auth Active Directory Tampering SSL TLS Config validation Database Encryption APS N/A Repudiation N/A Oracle/SQL Farm Turn on table level logs Logs Digital Signing Logs Information Disclosure SSL TLS Database Encryption APS N/A Denial of Service CDN ANX Oracle/SQL Farm Config Validation CSP N/A Elevation of Privilege N/A N/A Config Validation CSP N/A
  • 25. #RSAC Common Controls - Customize 25  Add your standard controls to StandardElementCollection.XML  Don’t ask threat questions where a control is already covered  Modify ThreatTypes.XML  Example: TLS Data Flow doesn’t need to answer Sniffing question  Make sure an issue is addressed in future threat models  Modify ThreatTypes.XML  Add “assure that logs provide traceability” or add a new Repudiation threat that occurs for specified elements
  • 26. #RSAC Security Analysis Tools 26  Portfolio Risk Assessment – what to threat model  Threat Modeling  Secure Code training and manual code review  Static Analysis (SAST)  Dynamic Analysis (DAST)  Penetration Testing  External Audit
  • 27. #RSAC 27 TAM - Quantitative analysis with DREAD
  • 28. #RSAC Metrics  What does success look like?  Don’t impact project timing  Head off issues that could delay launch  Number of sessions completed is more meaningful than number of threat models, but not much  Number of threats  Mitigated with common control  Mitigated with nonstandard control  Unmitigated or Accepted
  • 29. #RSAC Futures  How do we define “finished”?  Send XML TMS file to Security Consulting  Check off mitigation jointly with Security  Mitigations completed  Actions entered in Backlog/Test plan  File as Control Review attachment  Custom elements  What do YOU think we need?
  • 30. #RSAC Summary 30  Threat Modeling makes Security look good  Treat SME time like gold and they will treasure you  Include only irreducible elements where answers are different  Resolving issues is the hard part!  Don’t be afraid to customize especially to save time  Success is every A-ha moment  Massive success is when the SMEs want to do it themselves
  • 31. #RSAC Apply Threat Modeling in your organization  Next week you should:  Install the SDL Threat Modeling tool from http://www.microsoft.com/security/sdl/adopt/threatmodeling.aspx  In the first three months following this presentation you should:  Think about new projects in your organization that are good candidates for Threat Modeling and complete your first Threat Model  Within six months you should:  Review what you have learned in your organization and determine who else can benefit from using Threat Modeling 31
  • 33. #RSAC Acknowledgements  SAFECode, “Fundamental Practices for Secure Software Development: A Guide to the Most Effective Secure Development Practices in Use Today”  Lou Kunimatsu, “My, What Big Teeth You Have: A Threat Analysis and Modeling Fairy Tale”  Michael Jones photograph “400M Hurdles” from the 2012 Olympics, Creative Commons license CC BY-NC-SA 2.0  Adam Shostack, “New Foundations for Threat Modeling”  Albert Einstein, “On the Method of Theoretical Physics”