Threat Modeling
                                             LIVE
Alex Hutton                                Allison Miller
Principal, Risk & Intelligence - Verizon   Group Manager, Account Risk & Security -
Business                                   PayPal

http://securityblog.verizonbusiness.com
http://www.newschoolsecurity.com

Society of Information Risk Analysts
http://societyinforisk.org/

@alexhutton on the twitter
what is this presentation about?

- a new way to look at risk management via data and threat modeling
what is a model?
what is risk management?
Managing risk means aligning
the capabilities of the
organization, and the exposure
of the organization with the
tolerance of the data owners
                         - Jack Jones
Managing risk means aligning
the capabilities of the organization [control, influence over outcome],
and the exposure of the organization [threats manifest as loss of assets],
with the tolerance of the data owners [how much can you afford to lose?]
Traditional Risk
Management

Find issue, call
issue bad, fix
issue, hope you
don’t find it again...
Traditional Risk
Management

emphasis on
assessment,
compliance...what
about security?
Closing the Gap
Between Assessment and Defense
Design
Management
Operations
Design
Evolution strongly favors
strategies that minimize the
risk of loss, rather than which
maximize the chance of gain.



Len Fisher
Rock, Paper, Scissors: Game Theory in Everyday Life
system models are
different from maps,
they include dynamics
and boundaries
Management
risk management
that simply reacts
to yesterday's
news is not risk
management at all

        Douglas Hubbard
        The Failure of Risk Management
the importance of
feedback loop
instrumentation



(that‘s where
metrics come from)
Operations
Prediction is very difficult, especially
                     about the future
                           Niels Bohr
Models in
operations tend to
assist in
automating
system decisions,
or monitoring for
quality defects
This means we
need to understand
what makes a good
decision vs a bad
decision
Patterns that
can be
defined can
be detected
…and defining
patterns means
analyzing lots and
lots of data
We don't talk about
what we see;
we see only what we
can talk about



        Donella Meadows
        Thinking in Systems: A Primer
Friedrich Hayek
invades our dreams to
give us visions of a new
approach
These “risk” statements
you’re making, I don’t
think you’re doing it right.

- (Chillin’ Friedrich
Hayek)
Risk Assessment Current Practice

Dutch Model, Likelihood & Impact statement

very physics/engineering oriented
from Mark Curphey’s SecurityBullshit
Complex
Systems
Complex Adaptive
Systems
Complex Adaptive
Systems:

You can’t make
point probabilities
(sorry ALE) you can
only work with
patterns of
information
How Complex Systems Fail
(Being a Short Treatise on the Nature of Failure; How Failure
is Evaluated; How Failure is Attributed to Proximate Cause;
and the Resulting New Understanding of Patient Safety)

Richard I. Cook, MD
Cognitive Technologies Laboratory
University of Chicago

http://www.ctlab.org/documents/How%20Complex%20Systems%20Fail.pdf
Because we’re dealing with
Complex Adaptive Systems

engineering risk statements = bankrupt


                                 (sorry GRC)
We need a new approach
Complex Systems Create a business process

Process is a collection of system interaction
(system behavior)

Process has human interaction
(human behavior)
instead of R = T x V x I
behavioral analytics &
data driven management
evidence based risk
management
Verizon has shared data
- 2010: ~900 cases
  - (~900 million records)
Verizon is sharing our
framework
Verizon Enterprise Risk & Incident Sharing
          (VERIS) Framework
                it’s open*!



                                 * kinda
What is the Verizon Incident Sharing (VERIS)
Framework?

- A means to create metrics from the incident narrative
  - how Verizon creates measurements for the DBIR
  - how *anyone* can create measurements from an incident
  - https://verisframework.wiki.zoho.com
What makes up the VERIS framework?

demographics > incident classification (A4) > discovery & mitigation > impact classification

demographics: information about the organization; including their size,
location, industry, & security budget (implied)

incident classification (A4) [1 > 2 > 3 > 4]: information about the attack
(traditional threat model); including (meta) data about agent, action, asset,
& security attribute (C/I/A)

discovery & mitigation [+]: information about incident discovery, probable
mitigating controls, and rough state of security management.

impact classification [$$$]: information about impact categorization (a la
FAIR & ISO 27005), aggregate estimate of loss (in $), & qualitative
description of damage.
The Incident Classification section employs Verizon’s
A4 event model

A security incident (or threat scenario) is modeled as a series of
events. Every event is comprised of the following 4 A’s:

Agent: Whose actions affected the asset
Action: What actions affected the asset
Asset: Which assets were affected
Attribute: How the asset was affected

Incident as a chain of events: 1 > 2 > 3 > 4 > 5
Cybertrust Security
[diagram: incident narrative -> incident metrics. One incident coded as
demographics | incident classification (A4): 1 > 2 > 3 > 4 > 5 |
discovery & mitigation: + | impact classification: $$$]
[diagram: case studies -> data set. Incidents a through f, each coded the
same way: demographics | incident classification (A4): 1 > 2 > 3 > 4 > 5 |
discovery & mitigation: + | impact classification: $$$]
behaviors!
the potential for pattern matching

[diagram: the same coded incidents a through f (demographics | incident
classification (A4) | discovery & mitigation: + | impact classification: $$$);
most run 1 > 2 > 3 > 4 > 5, while row c branches at its fourth step (3 or 4)
before reaching 5]
Fraud, Incidents, and
Good Lord Of The Dance:

creating models for
the real management
of risk

Fraud
in VERIS we see THREE events.

1 > 2 > 3

1. phishing
2. malware infection
3. credential theft (exfiltration)

in addition we can describe
FOUR fraud events
from the initial narrative, we now have a threat
event model with SEVEN objects

1 > 2 > 3 > 4 > 5 > 6 > 7

AGENT (for every event): external, organized crime, eastern europe

1  ACTION: social, type: phishing, channel: email, target: end-user
   ASSET: human, type: end-user
   ATTRIBUTE: integrity

2  ACTION: malware, type: install additional malware or software
   ASSET: end-user device, type: desktop (more meta-data possible)
   ATTRIBUTE: integrity

3  ACTION: malware, type: harvest system information
   ASSET: end-user device, type: desktop (more meta-data possible)
   ATTRIBUTE: integrity, confidentiality

4  ACTION: impersonation

5  ACTION: impersonated transaction

6  ACTION: Buy goods or transfer funds

7  ACTION: Goods/Funds extraction
we can study the event model to understand
control opportunities

1 > 2 > 3 > 4 > 5 > 6 > 7

- end user could have made better choices
- Wouldn’t it be nice if end users had desktop DLP?
- Why is Mrs. Francis Neely, 68 years of age from Lexington, KY suddenly
  purchasing items from European websites to be shipped to Asia???
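The Mrs. Neely question is a behavioral check: compare a transaction with the account's own history and let a model make the operations decision. The following is an added example for this deck, not PayPal's or Verizon's fraud logic; the account history, the three transactions, the feature weights and the review threshold are all constructed assumptions.

```python
"""Behavioral check of a transaction against the account's own history: the
automated operations decision behind "why is Mrs. Neely suddenly buying from
European sites, shipped to Asia?"

Added example for this deck; not PayPal's or Verizon's fraud logic. The
history, the transactions, the feature weights and the review threshold are
constructed assumptions.
"""
from collections import Counter
from statistics import mean, pstdev

# Constructed history for one account: a domestic shopper with small orders.
HISTORY = [
    {"merchant_country": "US", "ship_to_country": "US", "amount": 42.0},
    {"merchant_country": "US", "ship_to_country": "US", "amount": 18.5},
    {"merchant_country": "US", "ship_to_country": "US", "amount": 65.0},
    {"merchant_country": "US", "ship_to_country": "US", "amount": 30.0},
    {"merchant_country": "US", "ship_to_country": "US", "amount": 22.0},
    {"merchant_country": "US", "ship_to_country": "US", "amount": 51.0},
]

# Relative importance of each deviation (assumed); they sum to 1 so the
# score stays in [0, 1].
WEIGHTS = {
    "new_merchant_country": 0.25,
    "new_ship_to_country": 0.30,
    "ship_to_differs_from_merchant": 0.25,
    "amount_outlier": 0.20,
}


def profile(history):
    """Reduce past transactions (non-empty) to a baseline to compare against."""
    amounts = [t["amount"] for t in history]
    return {
        "merchant_countries": Counter(t["merchant_country"] for t in history),
        "ship_to_countries": Counter(t["ship_to_country"] for t in history),
        "amount_mean": mean(amounts),
        "amount_sd": pstdev(amounts) or 1.0,  # guard a constant history
    }


def novelty(counter, value):
    """0.0 when the value is all that was ever seen, 1.0 when never seen."""
    total = sum(counter.values())
    return 1.0 - (counter[value] / total if total else 0.0)


def score(baseline, txn):
    """Each term is a deviation in [0, 1]; the score is their weighted sum."""
    z = abs(txn["amount"] - baseline["amount_mean"]) / baseline["amount_sd"]
    terms = {
        "new_merchant_country": novelty(baseline["merchant_countries"], txn["merchant_country"]),
        "new_ship_to_country": novelty(baseline["ship_to_countries"], txn["ship_to_country"]),
        "ship_to_differs_from_merchant": float(txn["ship_to_country"] != txn["merchant_country"]),
        "amount_outlier": min(z / 3.0, 1.0),  # three standard deviations saturates
    }
    return sum(WEIGHTS[k] * v for k, v in terms.items()), terms


def decide(baseline, txn, threshold=0.6):
    """Return (decision, score, terms); the terms explain the decision."""
    s, terms = score(baseline, txn)
    return ("review" if s >= threshold else "allow"), round(s, 3), terms


BASELINE = profile(HISTORY)

# Constructed transactions: in pattern, a foreign site shipping to the home
# country, and the Mrs. Neely case (European merchant, Asian ship-to,
# far larger amount).
NORMAL_TXN = {"merchant_country": "US", "ship_to_country": "US", "amount": 40.0}
FOREIGN_SITE_HOME_DELIVERY = {"merchant_country": "DE", "ship_to_country": "US", "amount": 45.0}
NEELY_TXN = {"merchant_country": "DE", "ship_to_country": "SG", "amount": 480.0}

if __name__ == "__main__":
    for name, txn in [("normal", NORMAL_TXN),
                      ("foreign site, home delivery", FOREIGN_SITE_HOME_DELIVERY),
                      ("neely", NEELY_TXN)]:
        print(name, decide(BASELINE, txn))
```

The point of returning the terms with the decision is that a flagged transaction can be explained (new ship-to country plus a mismatch between merchant and destination), which is what lets the pattern be tuned from feedback rather than argued about; the foreign site with home delivery stays below the threshold, the Neely case saturates it.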
the potential for pattern matching
and control application

[diagram: the coded incidents a through f again (demographics | incident
classification (A4) | discovery & mitigation: + | impact classification: $$$);
most run 1 > 2 > 3 > 4 > 5, row c branches at its fourth step (3 or 4)
before reaching 5]
if patterns can be defined, they
can be stored for later use.

[diagram: the same coded incidents a through f (demographics | incident |
discovery | impact), row c with its branch at the fourth step]
if they can be stored for later use,
they can be used to Detect,
Respond, and Prevent.

[diagram: the same coded incidents a through f (demographic | incident
classification (A4) | discovery | impact), row c with its branch at the
fourth step]
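The A4 event model, the seven-object fraud chain and the pattern slides above, worked in code: events as A4 records, DBIR-style measurements from a handful of incidents, and a stored pattern matched against chains (including one with an extra step, as in row c) so that a partial match says how far an incident has progressed and which step a control should stop. This is an added example, not Verizon's VERIS tooling and not the VERIS schema; the category strings, the "fraud" action category and the asset/attribute values for events 4-7 (which the slides leave blank) are assumptions, and the three incidents are constructed.

```python
"""A4 event chains in the style of VERIS: measurements from incident
narratives, and stored patterns matched against chains.

Added example for this deck; not Verizon's VERIS tooling or schema. Category
strings, the "fraud" action category and the asset/attribute values on
events 4-7 are assumptions; the incidents are constructed.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class A4Event:
    """One event: which agent took which action against which asset,
    affecting which security attribute(s) (C/I/A)."""
    agent: str
    action: str         # action category (social, malware, ...)
    action_type: str    # finer-grained type within the category
    asset: str
    attribute: frozenset  # subset of {"C", "I", "A"}


def ev(agent, action, action_type, asset, attrs):
    return A4Event(agent, action, action_type, asset, frozenset(attrs))


OC = "external/organized crime/eastern europe"

# The deck's seven-event narrative. Events 4-7 carry assumed asset/attribute.
FRAUD_CASE = [
    ev(OC, "social",  "phishing",                    "human/end-user", "I"),
    ev(OC, "malware", "install additional malware",  "device/desktop", "I"),
    ev(OC, "malware", "harvest system information",  "device/desktop", "IC"),
    ev(OC, "fraud",   "impersonation",               "account",        "I"),
    ev(OC, "fraud",   "impersonated transaction",    "account",        "I"),
    ev(OC, "fraud",   "buy goods or transfer funds", "account",        "I"),
    ev(OC, "fraud",   "goods/funds extraction",      "funds",          "A"),
]

# Constructed variants: an extra step between 3 and 4 (the branching row on
# the slide), and a chain that was stopped before any fraud happened.
BRANCHED_CASE = FRAUD_CASE[:3] + [
    ev(OC, "malware", "keylogger", "device/desktop", "C"),
] + FRAUD_CASE[3:]
STOPPED_CASE = FRAUD_CASE[:2] + [
    ev("internal/security staff", "response", "reimage", "device/desktop", ""),
]
DATASET = {"a": FRAUD_CASE, "b": BRANCHED_CASE, "c": STOPPED_CASE}


def action_type_prevalence(dataset):
    """Fraction of incidents in which each action type occurs at least once:
    the kind of measurement a DBIR-style report derives from narratives."""
    seen = Counter()
    for chain in dataset.values():
        seen.update({e.action_type for e in chain})
    return {t: c / len(dataset) for t, c in seen.items()}


def entry_actions(dataset):
    """How incidents start: the action category of each chain's first event."""
    return Counter(chain[0].action for chain in dataset.values())


# A stored pattern: an ordered list of partial A4 matchers. A matcher maps a
# field to its required value; for "attribute" it is a required subset.
PHISH_TO_FRAUD = [
    {"action": "social", "action_type": "phishing"},
    {"action": "malware"},
    {"action": "malware", "attribute": {"C"}},   # something gets read out
    {"action": "fraud", "action_type": "impersonated transaction"},
]


def _matches(event, matcher):
    for field, want in matcher.items():
        have = getattr(event, field)
        if field == "attribute":
            if not set(want) <= have:
                return False
        elif have != want:
            return False
    return True


def pattern_progress(chain, pattern):
    """Ordered subsequence match of a stored pattern against a chain. Returns
    the chain index matched by each completed pattern step; unrelated events
    between steps are skipped. A partial result means the incident is still
    in progress and the next pattern step is where a control would stop it."""
    hits, step = [], 0
    for i, event in enumerate(chain):
        if step < len(pattern) and _matches(event, pattern[step]):
            hits.append(i)
            step += 1
    return hits


def matches(chain, pattern):
    """True when every step of the pattern occurred, in order."""
    return len(pattern_progress(chain, pattern)) == len(pattern)


if __name__ == "__main__":
    print(action_type_prevalence(DATASET))
    print(entry_actions(DATASET))
    for name, chain in DATASET.items():
        print(name, pattern_progress(chain, PHISH_TO_FRAUD), matches(chain, PHISH_TO_FRAUD))
```

Two design points. The matcher compares partial A4 tuples, so a pattern can be as loose as "any malware event" or as tight as "malware that reads something"; that is what makes a pattern written from one narrative reusable against other chains. And the matcher skips unrelated events, so the branched chain still matches, while the stopped chain reports two of four steps: a detection at that point is a response opportunity before the fraud events ever happen.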
OBLIGATORY QUESTIONS SLIDE
MUCHAS GRACIAS

Hutton/Miller SourceBarcelona
