AGILE AND CONTINUOUS THREAT MODELS

Similar documents
10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

FTA 2017 SEATTLE. Cybersecurity and the State Tax Threat Environment. Copyright FireEye, Inc. All rights reserved.

Security as Code: The Time is Now. Dave Shackleford Founder, Voodoo Security Sr. Instructor, SANS

EBOOK 4 TIPS FOR STRENGTHENING THE SECURITY OF YOUR VPN ACCESS

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

Designing and Building a Cybersecurity Program

CyberArk Privileged Threat Analytics

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

PRACTICAL SECURITY PRINCIPLES FOR THE WORKING ARCHITECT. Eoin Woods,

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Cyber Security Technologies

Automating Security Practices for the DevOps Revolution

PrecisionAccess Trusted Access Control

Spotlight Report. Information Security. Presented by. Group Partner

Delivering Integrated Cyber Defense for the Cloud Generation Darren Thomson

How Breaches Really Happen

Tripwire State of Cyber Hygiene Report

Sobering statistics. The frequency and sophistication of cybersecurity attacks are getting worse.

Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF)

Cloud is the 'Only' Way Forward in Information Security. Leveraging Scale to Make the Unknown Known, in Dev, Sec & Ops.

DevOps Anti-Patterns. Have the Ops team deal with it. Time to fire the Ops team! Let s hire a DevOps unit! COPYRIGHT 2019 MANICODE SECURITY

Cybersecurity The Evolving Landscape

AKAMAI CLOUD SECURITY SOLUTIONS

AppSec in a DevOps World

Mike Spear, Ops Leader Greg Maciel, Cyber Director INDUSTRIAL CYBER SECURITY PROGRAMS

CLOUD WORKLOAD SECURITY

10 FOCUS AREAS FOR BREACH PREVENTION

Sage Data Security Services Directory

Insider Threat Detection Including review of 2017 SolarWinds Federal Cybersecurity Survey

the SWIFT Customer Security

Cyber Security. Our part of the journey

Defense in Depth Security in the Enterprise

Copyright

Security Fundamentals for your Privileged Account Security Deployment

How-to Guide: Tenable.io for Microsoft Azure. Last Updated: November 16, 2018

Jim Reavis CEO and Founder Cloud Security Alliance December 2017

May 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations

THE EVOLUTION OF SIEM

Security Readiness Assessment

Application Security at Scale

Insider Threat Program: Protecting the Crown Jewels. Monday, March 2, 2:15 pm - 3:15 pm

How-to Guide: Tenable Nessus for Microsoft Azure. Last Updated: April 03, 2018

Protect Your Application with Secure Coding Practices. Barrie Dempster & Jason Foy JAM306 February 6, 2013

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

Service. Sentry Cyber Security Gain protection against sophisticated and persistent security threats through our layered cyber defense solution

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Cybersecurity Today Avoid Becoming a News Headline

SAP Cybersecurity Solution Brief. Objectives Solution Benefits Quick Facts

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

CSWAE Certified Secure Web Application Engineer

AN IPSWITCH WHITEPAPER. The Definitive Guide to Secure FTP

Certified Secure Web Application Engineer

CyberSecurity: Top 20 Controls

API Security: Assume Possible Interference

Combating Cyber Risk in the Supply Chain

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Cloud Customer Architecture for Securing Workloads on Cloud Services

Will your application be secure enough when Robots produce code for you?

CISO as Change Agent: Getting to Yes

Transportation Security Risk Assessment

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

Joe Stocker, CISSP, MCITP, VTSP Patriot Consulting

Weaving Security into Every Application

Defensible and Beyond

IBM Cloud Security for the Cloud. Amr Ismail Security Solutions Sales Leader Middle East & Pakistan

Protect Your Organization from Cyber Attacks

Privileged Account Security: A Balanced Approach to Securing Unix Environments

Segmentation for Security

EMERGING THREATS & STRATEGIES FOR DEFENSE. Paul Fletcher Cyber Security

Secure Access & SWIFT Customer Security Controls Framework

Critical Hygiene for Preventing Major Breaches

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

Six Weeks to Security Operations The AMP Story. Mike Byrne Cyber Security AMP

Copyright 2016 EMC Corporation. All rights reserved.

Brochure. Security. Fortify on Demand Dynamic Application Security Testing

RiskSense Attack Surface Validation for Web Applications

Nebraska CERT Conference

2017 Cyber Incident & Breach Readiness Webinar Will Start Shortly

HOSTED SECURITY SERVICES

En partenariat avec CA Technologies. Genève, Hôtel Warwick,

.NET JAVA C ASE. Certified. Certified. Application Security Engineer.

Les joies et les peines de la transformation numérique

THE ART OF SECURING 100 PRODUCTS. Nir

Security Solutions. Overview. Business Needs

90% of data breaches are caused by software vulnerabilities.

Trends in Cybersecurity in the Water Industry A Strategic Approach to Mitigate Control System Risk

Overcoming the Challenges of Automating Security in a DevOps Environment

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Security Testing. - a requirement for a secure business. ISACA DAY in SOFIA. Gabriel Mihai Tanase, Director, Cyber Services KPMG in CEE

Defensible Security DefSec 101

IBM Future of Work Forum

Cybersecurity for the SMB. CrowdStrike s Murphy on Steps to Improve Defenses on a Smaller Scale

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Security and Compliance at Mavenlink

Tripwire State of Container Security Report

Security+ SY0-501 Study Guide Table of Contents

Effective Strategies for Managing Cybersecurity Risks

Understanding Threat Intelligence In Today s Layered Security World

Next Generation Privilege Identity Management

Transcription:

SESSION ID: DEV-R04 AGILE AND CONTINUOUS THREAT MODELS Nancy Davoust Vice President, Security Architecture and Technology Solutions Comcast

CONTEXT FOR AGILE AND CONTINUOUS THREAT MODELING

The Landscape is Chaotic Exploding Number of Attack Surfaces and Attacks Evolving Business Models Innovative but Insecure Technologies Agile & Continuous Revolutionary Security Principles and Practices 3

Embracing Agile and Continuous Methodology While we are Developing and Operating at the Speed of Light 4

Build Security In Don t Bolt It On Education and Training Fuzzing Pen Testing Compliance Validation Recover Respond Code Review Dev Sec Ops Detect Monitor Static / IAST Analysis Policies Log Audit Threat Intel Threat Model 5

AGILE AND CONTINUOUS THREAT MODEL WORKSHOP

Threat Model Workshop In a Day with Each DevSecOps Team Introduction, Goals and Background 1 2 Examples and Exercises Live Threat Model 3 4 Risk Assessment 7

Threat Modeling Workshop Success Objectives Team trained to use agile and continuous threat modeling as a practice Reviewed architecture for real-world threats Common understanding of the threats and mitigations Protect customers and products earlier in the product lifecycle Team buy-in as the security findings were generated by the team 8

Everyone is Responsible for Security Open Posture Transparent One Team Be Honest No Blaming We are here to help one another Build security in by design Teamwork to identify attack surfaces We are all in this together 9

Threat Modeling Fundamentals What is threat modeling? Threats & Risk Mitigations Defense in depth Architecture & Features Use Cases Why do we need it? Reduce security design flaws Reduce cost to recover from attacks Create effective security requirements Attack Surfaces Data 10 Know your enemies and their tactics

Security Breaches Can Happen Anywhere Banking Retail Healthcare Social Media Transportation Entertainment Email Food Utilities Defense Education Services Manufacturing Technology 11

Common Weaknesses and Countermeasures Weaknesses Insufficient API security Exposed infrastructure & admin ports Lack of privileged account management & monitoring Hard-coded credentials and API secrets Secure SDLC Practices not integrated into your CI/CD pipeline 12 Countermeasures API security gateway, OAuth, Tokens, Certificates, Signing Keys Jump boxes, network ACLs, security groups, iptables, MFA (deprecate telnet!) Limit shared credentials, local accounts, monitor credential use for abuse. Forward logs to a centralized location, use correlation rules in a SIEM and defined alerts Key management solutions such as SafeNet, HashiCorp Vault, Ansible Vault, Puppet, Chef Data Bags, SALT, or your company recommended vault Secure the pipeline (e.g. Jenkins, Ansible, Salt, GitHub, other tools), automate static code analysis, use scanning tools web app scanners, Nessus, Qualys)

Attacker Profile Exercise ATTACKER ATTACK GOALS ATTACKER RISK TOLERANCE ATTACKER LEVEL OF EFFORT ATTACKER METHODS Cyber Criminals Financial Low Low medium Known proven Industrial spies Information & Disruption Low High extreme Sophisticated & unique Hacktivists Information, disruption, media attention Medium high Low medium System administration errors and social engineering Internal Attack/Insider Information & Disruption High High extreme Known proven 13

The Process Threat Model Lead Architect Team Provides Guidance Leads Discussion Asks Questions Identifies Vulnerabilities and Action Items Assess Risk Threat Model PM Posts Architecture, Action Items and Findings and tracks issues to closure with the product team. 14

Threat Model Example Identifying the Attack Surfaces Service 1 1 HTTP Middleware App HTTPS Data Source 1 Service 2 Service 3 User API 4 Data Local Logging 3 Update API SSH 2 Admin Access Data Source 2 Data Source 3 15

Attack Surface Exercise 1 HTTP 2 Update API 3 SSH 4 Logs Unencrypted Unauthorized Access Root Access No Audit Trail Code Update Management Stolen Data Update Code Unencrypted Sensitive Data Self-signed TLS Certificates Redirection Attacks Configuration Changes No Pruning of Data 16

Threat Impacts Personal Safety, Financial Safety Scaled Theft of Customer Data Scaled Denial of Service Scaled Theft of Service Malware Intellectual Property Theft Equipment Theft 17

Risk Generalized Risk Equation Risk = (Threat Impact * Likelihood) / Level of Effort 18

Summary Today you learned about Threats, Impacts and Risk How to Perform an Agile and Continuous Threat Model Examples of attacks, vulnerabilities and effective countermeasures Build security in by design, don t bolt it on Everyone is responsible for security 19

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback