IANS Pragmatic Threat Modeling. Michael Pinch, IANS Faculty

Agenda
- What Is Threat Modeling?
- Who Should Be Considering Threat Modeling?
- Methodologies for Threat Modeling
- Common Pitfalls
- Introduction of the IANS Pragmatic Threat Modeling Toolkit
- Integrating into Your Organization
- Advanced Threat Modeling Tools
IANS 2016 Client and IANS Confidential - 2

What Is Threat Modeling?
- Threat modeling is the process of reviewing a system from the perspective of a hacker to identify potential weaknesses or areas for improvement.
- Threat models are often confused with risk assessments, which focus more on reviewing a system against a predefined list of controls.
- Threat modeling is an effective complement to risk assessments.

        Risk Assessments                 Threat Modeling
What    Controls and compliance based    System, infrastructure and service based
Who     Audit, Compliance, Security      IT Operations, Development, Security

Should We Use Threat Modeling?
- Threat modeling is generally better adopted by organizations with more mature security programs:
  - Strong risk assessment process in place
  - Mature security architecture review process
  - Strong risk management process in place
  - Quantified risk review and remediation process
- Think vulnerability management: progressive organizations with development shops typically push partial ownership of vulnerability identification and remediation to the development teams.
- A similar concept is ideal for threat modeling: teach these teams to threat model themselves and get better results!

Various Threat Modeling Approaches
- STRIDE: acronym used to represent different categories of exploit or compromise. Publisher/creator: Microsoft. More info: STRIDE
- OCTAVE: a large risk management methodology that includes threat modeling as one aspect. Publisher/creator: CERT. More info: OCTAVE
- DREAD: a threat risk scoring methodology. Publisher/creator: Microsoft (loosely affiliated). More info: Threat Risk Modeling
- CVSS: the same methodology followed for public rating of vulnerabilities; also provides a framework for risk management at your organization. Publisher/creator: FIRST.org. More info: CVSS

Threat Modeling Pitfalls
- Threat modeling can quickly create paralysis by analysis.
- IANS often sees highly complex methodologies that attempt to account for every possible variable and quickly become untenable.
- This was the genesis of the IANS Pragmatic Threat Modeling Toolkit.
- CISO review: "I could spend 10x as much time doing a threat assessment and not get results 5% better."

IANS Approach - STRIDE & DREAD
- Every aspect of the tool is designed to be simple, fast and easy.
- Threats are reviewed against two axes: Category (STRIDE) and Risk (DREAD).
- STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege
- DREAD: Damage, Reproducibility, Exploitability, Affected Users, Discoverability

Overview of IANS Pragmatic Threat Modeling Toolkit
- Simple, self-documenting Excel spreadsheet
- Steps:
  1. Collect general application information
  2. Inventory processes, services, ports and protocols
  3. Enumerate possible threats on each port/protocol in use according to the STRIDE taxonomy
  4. Risk-rate each categorical threat across the DREAD methodology
  5. Generate the overall risk inventory and a graphical representation
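The STRIDE-by-DREAD review and the five toolkit steps above, worked as an added Python example rather than the IANS spreadsheet: the 1-to-3 scale per DREAD factor, the averaging and the High/Medium/Low cut-offs are my assumptions, and the service inventory and threat entries are constructed. The gap check shows which port/protocol-by-category cells of the register have not been filled in yet.

```python
from dataclasses import dataclass
from statistics import mean

STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information Disclosure",
          "Denial of Service", "Elevation of Privilege")
DREAD = ("Damage", "Reproducibility", "Exploitability", "Affected Users", "Discoverability")

@dataclass
class Threat:
    service: str      # entry from the process/port/protocol inventory (step 2)
    category: str     # STRIDE category the threat falls under (step 3)
    description: str
    dread: dict       # DREAD factor -> 1 (low) .. 3 (high); assumed scale, not IANS's

    def __post_init__(self):
        if self.category not in STRIDE:
            raise ValueError(f"not a STRIDE category: {self.category}")
        if set(self.dread) != set(DREAD) or not all(1 <= v <= 3 for v in self.dread.values()):
            raise ValueError("every DREAD factor needs a score in 1..3")

    def score(self) -> float:
        """Step 4: one risk number per threat, here the mean of the five factors."""
        return round(mean(self.dread[f] for f in DREAD), 2)

def band(score: float) -> str:
    return "High" if score >= 2.5 else "Medium" if score >= 1.75 else "Low"  # assumed cut-offs

def risk_inventory(threats):
    """Step 5: overall risk inventory, highest-scoring threat first."""
    return sorted(threats, key=lambda t: t.score(), reverse=True)

def stride_gaps(threats, services):
    """(service, category) pairs with no recorded threat: the toolkit walks each
    port/protocol through all six STRIDE categories, so these are unfinished rows."""
    covered = {(t.service, t.category) for t in threats}
    return [(s, c) for s in services for c in STRIDE if (s, c) not in covered]

SERVICES = ["web (HTTPS/443)", "admin (SSH/22)"]  # constructed inventory
THREATS = [  # constructed entries with illustrative scores (D, R, E, A, Di)
    Threat("web (HTTPS/443)", "Spoofing", "Replayed session token impersonates a user",
           dict(zip(DREAD, (3, 2, 2, 3, 2)))),
    Threat("web (HTTPS/443)", "Information Disclosure", "Stack traces returned in error pages",
           dict(zip(DREAD, (2, 3, 3, 2, 3)))),
    Threat("web (HTTPS/443)", "Denial of Service", "Unauthenticated request flood exhausts workers",
           dict(zip(DREAD, (2, 2, 2, 3, 2)))),
    Threat("admin (SSH/22)", "Elevation of Privilege", "Service account sudo rule permits a shell",
           dict(zip(DREAD, (3, 2, 1, 1, 1)))),
]

if __name__ == "__main__":
    for t in risk_inventory(THREATS):
        print(f"{band(t.score()):6} {t.score():.2f} {t.service:16} {t.category:22} {t.description}")
```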

System Information

Service Inventory

Threat Identification and Risk Rating

Overall Threat Scoring

Integrating Threat Modeling
- There are many ways to integrate, but ideally it is tightly tied to architecture review and major system changes.
- An ideal development lifecycle diagram followed on the slide (not reproduced in this transcription).

Advanced Threat Modeling Tools and Resources
- In early 2016, Microsoft built and published a very robust threat modeling tool:
  - Similar underlying methodology
  - Much more detailed process and user interface
  - Significant learning curve
- For organizations that want more from their threat modeling tool, this should be their first stop: Microsoft Threat Modeling Tool 2016

Questions? info@iansresearch.com

Join Us Next Time
- Building and Staffing a Winning Security Team, Sept. 21, 2016. Register: https://attendee.gotowebinar.com/register/2568320998342649857
- Using Big Data Techniques to Bolster Information Security, Oct. 12, 2016. Register: https://attendee.gotowebinar.com/register/6818092867512332289

Upcoming Forums
- Chicago, Sept. 13-14: Register
- Philadelphia, Oct. 5-6: Register
- Atlanta, Oct. 18-19: Register
- Boston, Nov. 2-3: Register
- Charlotte, Nov. 9-10: Register
- Los Angeles, Nov. 15-16: Register