1 / 20
[How-To] Infrastructure Security Gap Analysis
Carlo Dapino
https://carlo.dapino.info
Copyright © Carlo Dapino 2019 - All rights reserved
2 / 20
#whoami
- Almost 20 years of infrastructure security experience
- Consulting and in-house experience evaluating infrastructure maturity (on-prem, multi-cloud, hybrid)
- Threat modelling of complex network infrastructures (SDN/NFV, SD-WAN, MPLS, etc.)
- Specialised in DFIR
- Survived the cyber security ninja era, the evangelists and whatever else the market decided to feed us with....
3 / 20
Tailored for...
- CISOs starting the evaluation of a new challenge
- Cyber Security Architects
- Security professionals zooming in or out of Infrastructure
- Whoever wants to connect the dots and see the big security picture
4 / 20
A bit of history (the why)...
2016 - TMM, Technical Threat Matrix: https://acklost.weebly.com/tech-blog/tmm-technical-threat-matrix
5 / 20
Issues with standard analysis approaches
- High Level Designs are often specific to an application or to a cloud environment, and do not evaluate the risks of the connectivity links or the technical differences across FaaS vs. PaaS vs. IaaS
- Gap analyses produce gaps and findings, but no clear actionable items from which to score maturity
- Threat modelling is common for applications but far less popular for infrastructure
- Gap analysis results with actionable items are not owned by the different business teams (network, application, etc.)
- Gap analyses are disconnected from the configuration standpoint (what is actually configured on the devices)
6 / 20
Target
- Define an easy and repeatable methodology
- Help define a CISO and Security Architecture strategy and road map
- Prioritise gaps and understand how to tune the security monitoring to cover the areas of weakness
- Define areas of investment and structure a list of cyber security budget items
- Define corrective actions in line with how the business is organised, by skills/teams
- Connect the dots: understand the attack surface, the incident response capabilities and the potential lateral movements
7 / 20
Let’s go!
High Level Design + Infra Threat Modeling + IAM/AAA Analysis + Security Maturity + Incident Response
8 / 20
./start
//define building blocks
- On-prem
- Cloud: GCP, AWS, Azure
- Branch offices
- BYOD
- Connectivity: WAN, MPLS, dedicated links, VPN
9 / 20
./links
//analyse threats by connectivity
Northbound / Southbound (WAN, MPLS, VPN):
● DDoS
● BGP attacks
● DNS hijacking
● Public API attacks
● Etc, etc...
East / West (LAN):
● ARP spoofing
● VLAN hopping
● Internal threat
● Management access
● Golden tickets
● Lateral movement
● Etc, etc...
10 / 20
./IAM Vs. AAA
//analyse Identity
Identity Provider (IdP): Authentication, Authorization, Accounting (accountability)
● Centralized? => behavioural analysis
● Federated? => 3rd-party trusted domain
● SSO? => 3rd-party incident response
● RADIUS/TACACS+ for network devices
● API tokens, secrets, application tokens
Map each identity flow to the direction it crosses: Northbound/Southbound vs. East/West
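A worked version of this slide's checks, as an added example (not code from the deck): it parses constructed TACACS+ accounting and IdP log lines, classifies each identity as centralized, federated or local, and reports where accountability breaks (a shared local account on a network device, a configuration change nobody can be tied to, a federated identity whose incident response depends on a third party). Hostnames, users, domains and the key=value log format are assumptions, not a vendor format.

```python
"""AAA / IAM review over constructed auth logs: which identities are centralized,
federated or local, and where accountability breaks.

Added example, not from the deck. Log formats, hostnames, users and domains are
constructed; the TACACS+ and IdP lines are loosely modelled on syslog key=value output.
"""
import re
from datetime import datetime, timedelta

IDP_USERS = {"alice@corp.example", "bob@corp.example"}   # constructed corp directory
FEDERATED_DOMAINS = {"partner.example"}                    # 3rd-party trusted IdP

TACACS_LOG = """\
2019-11-02T09:10:05Z core-sw1 tacacs: user=alice@corp.example src=10.1.1.20 cmd="show run"
2019-11-02T09:12:44Z edge-rtr1 tacacs: user=admin src=10.9.0.5 cmd="configure terminal"
2019-11-02T09:13:10Z edge-rtr1 tacacs: user=admin src=10.9.0.5 cmd="ip route 0.0.0.0 0.0.0.0 10.9.0.1"
"""
IDP_LOG = """\
2019-11-02T09:09:30Z idp-01 idp: user=alice@corp.example app=aws-console result=success src=10.1.1.20
2019-11-02T09:11:02Z idp-01 idp: user=carol@partner.example app=sharepoint result=success src=203.0.113.7
"""

LINE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<source>tacacs|idp): (?P<kv>.*)$')
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Commands that change device state: these must be attributable to a person.
CONFIG_CMD = re.compile(r'^(configure|ip route|interface|username|aaa |no )')


def parse(log):
    """Turn log lines into event dicts with a datetime 'ts', 'host', 'source' and the k=v fields."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        e = {k: v.strip('"') for k, v in KV.findall(m.group("kv"))}
        e.update(ts=datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
                 host=m.group("host"), source=m.group("source"))
        events.append(e)
    return events


def classify(user):
    """centralized = in our IdP, federated = trusted 3rd-party domain, local = device/local account."""
    if user in IDP_USERS:
        return "centralized"
    domain = user.rpartition("@")[2] if "@" in user else ""
    return "federated" if domain in FEDERATED_DOMAINS else "local"


def find_gaps(events):
    """Accountability gaps: shared local accounts on network devices, config changes made
    through them, and federated identities whose IR depends on a third party."""
    gaps, seen = [], set()
    for e in sorted(events, key=lambda e: e["ts"]):
        realm = classify(e["user"])
        if e["source"] == "tacacs" and realm == "local":
            key = ("shared_local_account", e["host"], e["user"])
            if key not in seen:
                seen.add(key)
                gaps.append({"kind": key[0], "host": e["host"], "user": e["user"]})
            if CONFIG_CMD.match(e.get("cmd", "")):
                gaps.append({"kind": "unattributable_config_change", "host": e["host"],
                             "user": e["user"], "cmd": e["cmd"]})
        elif realm == "federated":
            key = ("federated_ir_dependency", e["user"].rpartition("@")[2])
            if key not in seen:
                seen.add(key)
                gaps.append({"kind": key[0], "domain": key[1], "user": e["user"]})
    return gaps


def device_logins_backed_by_idp(events, window=timedelta(minutes=15)):
    """The 'centralized => behavioural analysis' check: a device login by a centralized
    identity should be preceded by an IdP success for the same user within `window`."""
    idp_ok = [(e["user"], e["ts"]) for e in events
              if e["source"] == "idp" and e.get("result") == "success"]
    backed = {}
    for e in events:
        if e["source"] == "tacacs" and classify(e["user"]) == "centralized":
            backed[(e["user"], e["host"])] = any(
                u == e["user"] and timedelta(0) <= e["ts"] - t <= window for u, t in idp_ok)
    return backed


if __name__ == "__main__":
    evs = parse(TACACS_LOG) + parse(IDP_LOG)
    for g in find_gaps(evs):
        print(g)
    print(device_logins_backed_by_idp(evs))
```

The "local" class is the one that breaks the Accounting leg of AAA: a `configure terminal` by `admin` on `edge-rtr1` cannot be tied to a person, so the corrective action lands with the network team (TACACS+ bound to the IdP, no shared local accounts) rather than with the IdP owners.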
11 / 20
./how_to_glue_blocks
Layer                        | What to review                                              | Owning team(s)
Layer 0: Assets & Data       | DLP, encryption at rest, etc.                               | Sys Admins
L1 Physical / L2 Data Link   | Switch port security, MAC filtering, VLAN security          | Network & Infra teams
L3 Network / L4 Transport    | DHCP, VPN, Firewall                                         | Network & Infra teams
L5 Session / L6 Presentation | TLS vulns                                                   | DevOps, DEV teams, Infra teams
L7 Application               | Application/code vulns, WAF/CDN bypass, subdomain takeover  | DevOps, DEV teams, Infra teams
Layer 8: People / IAM        | Social engineering, internal threats, etc.                  | HR, Audit, Monitoring, Sys Admins, etc.
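How the blocks glue together in practice, as an added example that is not the deck's code: an inventory of building blocks (slide 8), links classified Northbound/Southbound or East/West (slide 9) with the threat catalogue per direction, checked against the controls each block actually has configured, with every uncovered threat mapped to the candidate controls and the team that owns them (slide 11) and a coverage ratio per block to prioritise the road map. The inventory, control names, threat-to-control mapping and ownership table are constructed assumptions, not a standard.

```python
"""Gap analysis over building blocks and their links: which threats from the connectivity
catalogue are uncovered, who owns the fix, and how mature each block is.

Added example, not code from the deck. Catalogues and inventory are constructed
assumptions: control names, threat->control and control->team mappings are illustrative.
"""
from collections import defaultdict
from fractions import Fraction

# Threats by direction: North/South crosses the perimeter (WAN, MPLS, VPN, internet),
# East/West stays inside a block (LAN).
THREATS = {
    "north_south": {"ddos", "bgp_hijack", "dns_hijack", "public_api_abuse"},
    "east_west": {"arp_spoofing", "vlan_hopping", "insider", "mgmt_access",
                  "golden_ticket", "lateral_move"},
}
PERIMETER_LINKS = {"wan", "internet", "vpn", "mpls", "dedicated"}

# Which deployed control mitigates which threat (assumed catalogue).
MITIGATIONS = {
    "ddos": {"ddos_scrubbing"}, "bgp_hijack": {"rpki_validation"},
    "dns_hijack": {"dnssec", "registrar_lock"}, "public_api_abuse": {"api_gateway_policy"},
    "arp_spoofing": {"dynamic_arp_inspection"}, "vlan_hopping": {"switch_port_security"},
    "insider": {"dlp", "ueba"}, "mgmt_access": {"tacacs_plus", "mgmt_vlan"},
    "golden_ticket": {"krbtgt_rotation", "tiered_admin"}, "lateral_move": {"segmentation", "edr"},
}
# Which team owns each control (assumed layer -> team mapping, as on the layers table).
OWNERS = {
    "ddos_scrubbing": "network", "rpki_validation": "network", "dynamic_arp_inspection": "network",
    "switch_port_security": "network", "mgmt_vlan": "network", "segmentation": "network",
    "dnssec": "devops", "registrar_lock": "devops", "api_gateway_policy": "devops",
    "tacacs_plus": "sysadmin", "krbtgt_rotation": "sysadmin", "tiered_admin": "sysadmin",
    "edr": "sysadmin", "dlp": "audit", "ueba": "monitoring",
}
# Constructed inventory: what each block really has configured (from the config review),
# plus "n_a" for threats that do not apply to that block type (no layer 2 in a VPC).
BLOCKS = {
    "hq-dc": {"controls": {"switch_port_security", "dynamic_arp_inspection", "tacacs_plus",
                           "segmentation", "edr", "dlp"}},
    "aws-prod": {"controls": {"api_gateway_policy", "ddos_scrubbing", "segmentation", "edr"},
                 "n_a": {"arp_spoofing", "vlan_hopping"}},
    "branch-01": {"controls": {"switch_port_security"}},
}
LINKS = [
    {"kind": "lan", "from": "hq-dc", "to": "hq-dc"},
    {"kind": "lan", "from": "aws-prod", "to": "aws-prod"},
    {"kind": "lan", "from": "branch-01", "to": "branch-01"},
    {"kind": "vpn", "from": "hq-dc", "to": "aws-prod", "controls": {"rpki_validation"}},
    {"kind": "mpls", "from": "branch-01", "to": "hq-dc", "n_a": {"ddos", "public_api_abuse"}},
    {"kind": "internet", "from": "internet", "to": "aws-prod"},   # "internet" is not a block
]


def direction(kind):
    return "north_south" if kind in PERIMETER_LINKS else "east_west"


def link_label(link):
    return f"{link['kind']}:{link['from']}->{link['to']}"


def analyse(blocks, links):
    """Return (gaps, maturity). A threat on a link is covered if any mitigating control is
    configured on the link or on either endpoint block. maturity: block -> (covered, applicable)."""
    gaps, covered, applicable = [], defaultdict(int), defaultdict(int)
    for link in links:
        ends = {link["from"], link["to"]}
        controls, not_applicable = set(link.get("controls", ())), set(link.get("n_a", ()))
        for end in ends:
            controls |= set(blocks.get(end, {}).get("controls", ()))
            not_applicable |= set(blocks.get(end, {}).get("n_a", ()))
        for threat in sorted(THREATS[direction(link["kind"])] - not_applicable):
            hit = MITIGATIONS[threat] & controls
            for end in ends:
                if end in blocks:
                    applicable[end] += 1
                    covered[end] += bool(hit)
            if not hit:
                gaps.append({"link": link_label(link), "threat": threat,
                             "controls": sorted(MITIGATIONS[threat]),
                             "owners": sorted({OWNERS[c] for c in MITIGATIONS[threat]})})
    return gaps, {b: (covered[b], applicable[b]) for b in blocks}


def actions_by_team(gaps):
    """Corrective actions grouped by the team that owns the missing control."""
    actions = defaultdict(set)
    for gap in gaps:
        for control in gap["controls"]:
            actions[OWNERS[control]].add((control, gap["link"]))
    return {team: sorted(items) for team, items in actions.items()}


def weakest_first(maturity):
    """Blocks ordered by coverage ratio, lowest first: where the road map starts."""
    return sorted(maturity, key=lambda b: Fraction(*maturity[b]) if maturity[b][1] else Fraction(0))


if __name__ == "__main__":
    gaps, maturity = analyse(BLOCKS, LINKS)
    for block in weakest_first(maturity):
        print(f"{block}: {maturity[block][0]}/{maturity[block][1]} applicable threats covered")
    for team, items in sorted(actions_by_team(gaps).items()):
        print(team, "->", ", ".join(f"{c} on {lnk}" for c, lnk in items))
```

The `n_a` sets are where the FaaS/PaaS/IaaS differences from the "issues" slide enter: the same threat catalogue is applied everywhere, but a block declares which threats its technology removes, so a VPC is not scored down for missing dynamic ARP inspection while a branch LAN is. The output is exactly what the "target" slide asks for: a per-block score, a per-team action list, and a ranked starting point.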
12 / 20
./cloud_visualization
//use the Jericho Forum Cloud Cube Model
https://collaboration.opengroup.org/jericho/cloud_cube_model_v1.0.pdf
13 / 20
./cloud_controls
//use the CSA Cloud Controls Matrix
https://cloudsecurityalliance.org/research/working-groups/cloud-controls-matrix/
14 / 20
./connect_dots
15 / 20
./readme
This is a technical methodology: it requires a configuration review of each device.... THIS IS NOT A RISK ANALYSIS!
16 / 20
./incident_response
Paying a gym membership doesn’t make you an athlete.... (I discovered that!)
....in the same way....
....having various security controls doesn’t give you incident response
capabilities (people, processes, tools, skills, etc.)
//score incident response
17 / 20
./score_DFIR
//score incident response
CREST - Cyber Security Incident Response Maturity Assessment: https://www.crest-approved.org/cyber-security-incident-response-maturity-assessment/index.html
ENISA - SIM3 - CSIRT Maturity: https://www.enisa.europa.eu/topics/csirts-in-europe/csirt-capabilities/csirt-maturity
NIST Cyber Security Framework: https://www.nist.gov/cyberframework
SOC-CMM - SOC Capability Maturity Model: https://www.soc-cmm.com/
18 / 20
./my2cents
- Security products connected directly to the cloud, e.g. without a reverse proxy in front, are potentially at risk of reverse shell: flag them and analyse them. The MITRE ATT&CK matrix helps structure that analysis
- TLS 1.3 breaks passive inspection (no static RSA key exchange, so the server's private key no longer decrypts captured traffic, and the certificate travels encrypted); this and specific cloud TAP/mirroring limitations need to be considered
- API gateway policy enforcement should be listed as a stand-alone control
- NAT rewriting source IPs, and VLANs not extended to the capture point (so only the gateway's layer 2 information is visible), should be flagged in the incident response capabilities matrix
- The DevOps CI/CD pipeline must be analysed and included too, especially the automation layers (Terraform, K8s, Ansible, etc.): their (in)security changes the result of your analysis
- Internal threat is part of the Layer 8 analysis, don't forget that layer... the same goes for Layer 0 (data and assets)
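The NAT and VLAN point in practice, as an added example (not code from the deck): an alert that carries only the post-NAT source address is attributed back to the inside host by correlating it with the firewall's translation log, bounded in time because PAT reuses outside ports; when no translation covers that moment the source is unattributable, which is exactly the flag for the incident response capabilities matrix. The `nat: built/teardown` log format, addresses and timings are constructed assumptions, not a vendor's syntax.

```python
"""NAT attribution for incident response over constructed logs: recover the inside host
behind a post-NAT alert from the translation log, and produce the flags that go into the
IR capabilities matrix when that is impossible.

Added example, not from the deck. Log lines, addresses and timings are constructed; the
'nat: built/teardown' syntax is an assumed format.
"""
import re
from datetime import datetime

NAT_LOG = """\
2019-11-02T10:04:10Z fw1 nat: built tcp 10.20.5.17:51234 -> 198.51.100.10:40001 dst 203.0.113.50:443
2019-11-02T10:06:30Z fw1 nat: teardown tcp 10.20.5.17:51234 -> 198.51.100.10:40001 dst 203.0.113.50:443
2019-11-02T10:39:00Z fw1 nat: built tcp 10.20.7.3:60120 -> 198.51.100.10:40001 dst 203.0.113.50:443
2019-11-02T10:41:00Z fw1 nat: teardown tcp 10.20.7.3:60120 -> 198.51.100.10:40001 dst 203.0.113.50:443
2019-11-02T10:50:00Z fw1 nat: built tcp 10.20.9.9:44444 -> 198.51.100.10:40002 dst 203.0.113.50:443
"""

LINE = re.compile(
    r'^(?P<ts>\S+) (?P<fw>\S+) nat: (?P<event>built|teardown) (?P<proto>\w+) '
    r'(?P<in_ip>[\d.]+):(?P<in_port>\d+) -> (?P<out_ip>[\d.]+):(?P<out_port>\d+) '
    r'dst (?P<dst_ip>[\d.]+):(?P<dst_port>\d+)$')


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def load_translations(log):
    """Pair built/teardown lines into sessions. PAT reuses outside ports, so a session is
    identified by the full tuple and bounded in time; a still-open session has end=None."""
    sessions, open_sessions = [], {}
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        d = m.groupdict()
        key = (d["proto"], d["in_ip"], d["in_port"], d["out_ip"], d["out_port"],
               d["dst_ip"], d["dst_port"])
        if d["event"] == "built":
            s = {"proto": d["proto"], "inside": (d["in_ip"], int(d["in_port"])),
                 "outside": (d["out_ip"], int(d["out_port"])),
                 "dst": (d["dst_ip"], int(d["dst_port"])),
                 "start": parse_ts(d["ts"]), "end": None}
            sessions.append(s)
            open_sessions[key] = s
        elif key in open_sessions:
            open_sessions.pop(key)["end"] = parse_ts(d["ts"])
    return sessions


def attribute(alert, sessions):
    """Return the inside (ip, port) behind a post-NAT alert, or None when no translation
    covered that outside tuple at that time (=> the source is unattributable)."""
    ts = parse_ts(alert["ts"])
    for s in sessions:
        if (s["outside"] == (alert["src"], alert["sport"]) and s["start"] <= ts
                and (s["end"] is None or ts <= s["end"])):
            return s["inside"]
    return None


def capability_flags(point):
    """Flags for the incident response capabilities matrix for one capture point."""
    flags = []
    if point.get("behind_nat") and not point.get("nat_logs_retained"):
        flags.append("source IP attribution lost: NAT without retained translation logs")
    if not point.get("vlan_extended", True):
        flags.append("layer 2 attribution lost: sensor sees only the gateway MAC")
    return flags


if __name__ == "__main__":
    sessions = load_translations(NAT_LOG)
    # Constructed alert as seen by a cloud-side WAF: only the public (post-NAT) source.
    alert = {"ts": "2019-11-02T10:40:00Z", "src": "198.51.100.10", "sport": 40001}
    print(attribute(alert, sessions))
    print(capability_flags({"behind_nat": True, "nat_logs_retained": False, "vlan_extended": False}))
```

The two alerts on outside port 40001 resolve to two different inside hosts because the translation was torn down and the port reused; without the timestamps, or without the translation log at all, the same alert points at the NAT gateway and nothing else, which is the gap the capabilities matrix has to record.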
19 / 20
Thanks! If you want to hear more:
https://www.amazon.co.uk/Cyber-Security-Heads-up-Carlo-Dapino-ebook/dp/B082S5CQXK
20 / 20
./Q&A
Contact me on LinkedIn
https://www.linkedin.com/in/carlodapino
