Threat Modeling LIVE
Alex Hutton, Principal, Risk & Intelligence - Verizon Business
http://securityblog.verizonbusiness.com
http://www.newschoolsecurity.com
Society of Information Risk Analysts, http://societyinforisk.org/
@alexhutton on the twitter
Allison Miller, Group Manager, Account Risk & Security - PayPal
what is this presentation about?
- new way to look at risk management via data and threat modeling
what is a model?
what is risk management?
Managing risk means aligning the capabilities of the organization, and the exposure of the organization with the tolerance of the data owners
- Jack Jones
Managing risk means aligning the capabilities of the organization (control, influence over outcome) and the exposure of the organization with the tolerance of the data owners
threats manifest as loss of assets
how much can you afford to lose?
Traditional Risk Management: find issue, call issue bad, fix issue, hope you don’t find it again...
Traditional Risk Management: emphasis on assessment, compliance...what about security?
Closing the Gap Between Assessment and Defense
Design 
Management 
Operations
Design
Evolution strongly favors strategies that minimize the risk of loss, rather than which maximize the chance of gain.
- Len Fisher, Rock, Paper, Scissors: Game Theory in Everyday Life
system models are different from maps, they include dynamics and boundaries
Management
risk management that simply reacts to yesterday's news is not risk management at all
- Douglas Hubbard, The Failure of Risk Management
the importance of feedback loop instrumentation (that’s where metrics come from)
Operations
Prediction is very difficult, especially about the future
- Niels Bohr
Models in operations tend to assist in automating system decisions, or monitoring for quality defects
This means we need to understand what makes a good decision vs a bad decision
Patterns that can be defined can be detected
…and defining patterns means analyzing lots and lots of data
We don't talk about what we see; we see only what we can talk about
- Donella Meadows, Thinking in Systems: A Primer
Friedrich Hayek invades our dreams to give us visions of a new approach
These “risk” statements you’re making, I don’t think you’re doing it right.
- (Chillin’ Friedrich Hayek)
Risk Assessment Current Practice: Dutch Model, Likelihood & Impact statement, very physics/engineering oriented
from Mark Curphey’s SecurityBullshit
Complex Systems
Complex Adaptive Systems
Complex Adaptive Systems: you can’t make point probabilities (sorry ALE), you can only work with patterns of information
How Complex Systems Fail (Being a Short Treatise on the Nature of Failure; How Failure is Evaluated; How Failure is Attributed to Proximate Cause; and the Resulting New Understanding of Patient Safety)
Richard I. Cook, MD, Cognitive Technologies Laboratory, University of Chicago
http://www.ctlab.org/documents/How%20Complex%20Systems%20Fail.pdf
Because we’re dealing with Complex Adaptive Systems, engineering risk statements = bankrupt (sorry GRC)
We need a new approach
Complex Systems create a business process
Process is a collection of system interaction (system behavior)
Process has human interaction (human behavior)
instead of R = T x V x I
behavioral analytics & data driven management
evidence based risk management
Verizon has shared data
- 2010: ~900 cases
- (900 million records)
Verizon is sharing our framework
Verizon Enterprise Risk & Incident Sharing (VERIS) Framework: it’s open*! (* kinda)
What is the Verizon Incident Sharing (VERIS) Framework?
- A means to create metrics from the incident narrative
- how Verizon creates measurements for the DBIR
- how *anyone* can create measurements from an incident
- https://verisframework.wiki.zoho.com
What makes up the VERIS framework? (diagram: four sections, 1 > 2 > 3 > 4, with a $ $ $ icon on the impact section)
- demographics: information about the organization; including their size, location, industry, & security budget (implied)
- incident classification (a4): information about the attack (traditional threat model); including (meta) data about agent, action, asset, & security attribute (C/I/A)
- discovery & mitigation: information about incident discovery, probable mitigating controls, and rough state of security management.
- impact classification: information about impact categorization (a la’ FAIR & ISO 27005), aggregate estimate of loss (in $), & qualitative description of damage.
The Incident Classification section employs Verizon’s A4 event model
A security incident (or threat scenario) is modeled as a series of events. Every event is comprised of the following 4 A’s:
- Agent: Whose actions affected the asset
- Action: What actions affected the asset
- Asset: Which assets were affected
- Attribute: How the asset was affected
Incident as a chain of events: 1 > 2 > 3 > 4 > 5
Cybertrust Security: incident narrative to incident metrics (diagram: one incident recorded as demographics, incident classification (a4), discovery & mitigation, and impact classification, with the event chain 1 > 2 > 3 > 4 > 5 and impact in $)
Cybertrust Security: case studies to data set (diagram: case-study records a through f, each an event chain 1 > 2 > 3 > 4 > 5 plus impact in $)
Cybertrust Security: behaviors! the potential for pattern matching (diagram: the same records a through f with partial event chains highlighted across records)
Fraud, Incidents, and Good Lord Of The Dance: creating models for the real management of risk
Fraud
in VERIS we see THREE events. 1 > 2 > 3: phishing, malware infection, credential theft (exfiltration)
in addition we can describe FOUR fraud events
from the initial narrative, we now have a threat event model with SEVEN objects
1 > 2 > 3 > 4 > 5 > 6 > 7
- 1: AGENT: external, organized crime, eastern europe; ACTION: social, type: phishing, channel: email, target: end-user; ASSET: human, type: end-user; ATTRIBUTE: integrity
- 2: AGENT: external, organized crime, eastern europe; ACTION: malware, type: install additional malware or software; ASSET: end-user device, type: desktop (more meta-data possible); ATTRIBUTE: integrity
- 3: AGENT: external, organized crime, eastern europe; ACTION: malware, type: harvest system information; ASSET: end-user device, type: desktop (more meta-data possible); ATTRIBUTE: integrity, confidentiality
- 4: AGENT: external, organized crime, eastern europe; ACTION: impersonation
- 5: AGENT: external, organized crime, eastern europe; ACTION: impersonated transaction
- 6: AGENT: external, organized crime, eastern europe; ACTION: buy goods or transfer funds
- 7: AGENT: external, organized crime, eastern europe; ACTION: goods/funds extraction
we can study the event model to understand control opportunities
1 > 2 > 3 > 4 > 5 > 6 > 7
- end user could have made better choices
- wouldn’t it be nice if end users had desktop DLP?
- why is Mrs. Francis Neely, 68 years of age from Lexington, KY suddenly purchasing items from European websites to be shipped to Asia???
the potential for pattern matching and control application (diagram: the case-study data set, records a through f, with event chains highlighted)
if patterns can be defined, they can be stored for later use.
if they can be stored for later use, they can be used to Detect, Respond, and Prevent.
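As an added example (not code from the deck or from the VERIS project), here is the seven-event chain from the slides modeled as A4 events, a constructed set of case-study records a through f, n-gram mining over them to define recurring patterns, and a pattern store that matches an observed run of actions against stored chains and lists the deck's three control opportunities. The agent/action/asset/attribute strings follow the slides; the record variants, the control names and the `PatternStore` API are assumptions made here.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

Actions = Tuple[str, ...]

@dataclass(frozen=True)
class A4Event:
    """One event in a VERIS incident chain, described by the four A's."""
    agent: str
    action: str                      # "category:type", e.g. "malware:harvest system information"
    asset: Optional[str] = None      # None where the deck gives no asset for the event
    attribute: Tuple[str, ...] = ()  # security attributes affected (C/I/A)

def crime(action: str, asset: Optional[str] = None, attribute: Sequence[str] = ()) -> A4Event:
    """Event by the agent the deck names for every step: external, organized crime, eastern europe."""
    return A4Event("external:organized crime:eastern europe", action, asset, tuple(attribute))

# The seven-object threat event model from the deck. Events 4-7 are the fraud events;
# the deck gives no asset/attribute for them, so those fields stay unset.
PHISH_TO_FRAUD: List[A4Event] = [
    crime("social:phishing", "human:end-user", ["integrity"]),
    crime("malware:install additional malware or software", "end-user device:desktop", ["integrity"]),
    crime("malware:harvest system information", "end-user device:desktop", ["integrity", "confidentiality"]),
    crime("impersonation"),
    crime("impersonated transaction"),
    crime("buy goods or transfer funds"),
    crime("goods/funds extraction"),
]

# Constructed case-study records a-f (sample data, not Verizon's): the deck's chain plus variants.
INCIDENTS: Dict[str, List[A4Event]] = {
    "a": PHISH_TO_FRAUD,
    "b": PHISH_TO_FRAUD[:6],                      # stopped before goods/funds extraction
    "c": [crime("hacking:use of stolen credentials", "server:web application", ["confidentiality"]),
          crime("impersonated transaction"), crime("buy goods or transfer funds"),
          crime("goods/funds extraction")],       # different entry, same fraud tail
    "d": PHISH_TO_FRAUD[:2],                      # stopped after the malware install
    "e": [crime("social:phishing", "human:end-user", ["integrity"]),
          crime("malware:harvest system information", "end-user device:desktop", ["confidentiality"])],
    "f": PHISH_TO_FRAUD[:4],                      # stopped after impersonation
}

def actions_of(chain: Sequence[A4Event]) -> Actions:
    """The definable, matchable part of a chain: its ordered action signatures."""
    return tuple(e.action for e in chain)

def mine_patterns(incidents: Dict[str, Sequence[A4Event]], length: int, min_support: int) -> Dict[Actions, int]:
    """Count action n-grams over the data set and keep those seen in at least min_support
    distinct incidents: defining patterns means analyzing the data, not one narrative."""
    support: Counter = Counter()
    for chain in incidents.values():
        acts = actions_of(chain)
        support.update({acts[i:i + length] for i in range(len(acts) - length + 1)})
    return {gram: n for gram, n in support.items() if n >= min_support}

class PatternStore:
    """Patterns that have been defined can be stored, and stored patterns can be reused to
    Detect (match), Respond (what comes next) and Prevent (where a control applies)."""

    def __init__(self) -> None:
        self._patterns: Dict[str, Actions] = {}
        self._controls: Dict[str, str] = {}  # action signature -> control that can interrupt it

    def store(self, name: str, pattern: Sequence[str]) -> None:
        self._patterns[name] = tuple(pattern)

    def add_control(self, action: str, control: str) -> None:
        self._controls[action] = control

    def match(self, observed: Sequence[str]) -> List[Tuple[str, int, Optional[str]]]:
        """Detect: stored patterns that contain the observed actions as one contiguous run.
        Returns (pattern name, offset of the run in the pattern, next expected action or None)."""
        obs = tuple(observed)
        hits: List[Tuple[str, int, Optional[str]]] = []
        if not obs:
            return hits
        for name, pat in self._patterns.items():
            for start in range(len(pat) - len(obs) + 1):
                if pat[start:start + len(obs)] == obs:
                    end = start + len(obs)
                    hits.append((name, start, pat[end] if end < len(pat) else None))
                    break
        return hits

    def control_opportunities(self, name: str) -> List[Tuple[int, str, str]]:
        """Prevent: every event in a stored chain that a known control can interrupt, earliest first."""
        pat = self._patterns[name]
        return [(i, act, self._controls[act]) for i, act in enumerate(pat) if act in self._controls]

def deck_store() -> PatternStore:
    """A store holding the deck's seven-event chain and its three control opportunities."""
    store = PatternStore()
    store.store("phish-to-fraud", actions_of(PHISH_TO_FRAUD))
    store.add_control("social:phishing", "end-user awareness (better choices)")
    store.add_control("malware:harvest system information", "desktop DLP")
    store.add_control("buy goods or transfer funds", "transaction review against the customer profile")
    return store
```

Observing only the two transaction events of the chain is enough for `match` to name the stored pattern, report that goods/funds extraction is the expected next step, and point at the review control that sits on the purchase event.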
OBLIGATORY QUESTIONS SLIDE
MUCHAS GRACIAS

Mais conteúdo relacionado

Semelhante a 2010.08 Applied Threat Modeling: Live (Hutton/Miller)

Data Driven Risk Management
Data Driven Risk ManagementData Driven Risk Management
Data Driven Risk ManagementResolver Inc.
 
Relating Risk to Vulnerability
Relating Risk to Vulnerability Relating Risk to Vulnerability
Relating Risk to Vulnerability Resolver Inc.
 
Incident_Response_for_Management_Presentation.pptx
Incident_Response_for_Management_Presentation.pptxIncident_Response_for_Management_Presentation.pptx
Incident_Response_for_Management_Presentation.pptxssuser2a8bb7
 
What Is Cyber Threat Intelligence | How It Work? | SOCVault
What Is Cyber Threat Intelligence | How It Work? | SOCVaultWhat Is Cyber Threat Intelligence | How It Work? | SOCVault
What Is Cyber Threat Intelligence | How It Work? | SOCVaultSOCVault
 
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdfFor Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdfJustinBrown267905
 
2019 Data Breach Investigations Report (DBIR)
2019 Data Breach Investigations Report (DBIR)2019 Data Breach Investigations Report (DBIR)
2019 Data Breach Investigations Report (DBIR)- Mark - Fullbright
 
Ecommerce(2)
Ecommerce(2)Ecommerce(2)
Ecommerce(2)ecommerce
 
Combating Cyber Crimes Proactively.pdf
Combating Cyber Crimes Proactively.pdfCombating Cyber Crimes Proactively.pdf
Combating Cyber Crimes Proactively.pdfChinatu Uzuegbu
 
Bridging the Gap Between Threat Intelligence and Risk Management
Bridging the Gap Between Threat Intelligence and Risk ManagementBridging the Gap Between Threat Intelligence and Risk Management
Bridging the Gap Between Threat Intelligence and Risk ManagementPriyanka Aash
 
Bridging the Gap Between Threat Intelligence and Risk Management
Bridging the Gap Between Threat Intelligence and Risk ManagementBridging the Gap Between Threat Intelligence and Risk Management
Bridging the Gap Between Threat Intelligence and Risk ManagementPriyanka Aash
 
Evidence-Based Risk Management
Evidence-Based Risk ManagementEvidence-Based Risk Management
Evidence-Based Risk ManagementEnergySec
 
Deep Learning based Threat / Intrusion detection system
Deep Learning based Threat / Intrusion detection systemDeep Learning based Threat / Intrusion detection system
Deep Learning based Threat / Intrusion detection systemAffine Analytics
 
How to VERISize v2 - BSidesQuebec2013
How to VERISize v2 - BSidesQuebec2013How to VERISize v2 - BSidesQuebec2013
How to VERISize v2 - BSidesQuebec2013BSidesQuebec2013
 
Cyber security with ai
Cyber security with aiCyber security with ai
Cyber security with aiBurhan Ahmed
 
Cybersecurity risk assessments help organizations identify.pdf
Cybersecurity risk assessments help organizations identify.pdfCybersecurity risk assessments help organizations identify.pdf
Cybersecurity risk assessments help organizations identify.pdfTheWalkerGroup1
 
OSB50: Operational Security: State of the Union
OSB50: Operational Security: State of the UnionOSB50: Operational Security: State of the Union
OSB50: Operational Security: State of the UnionIvanti
 
[Hungary] I play Jack of Information Disclosure
[Hungary] I play Jack of Information Disclosure[Hungary] I play Jack of Information Disclosure
[Hungary] I play Jack of Information DisclosureOWASP EEE
 

Semelhante a 2010.08 Applied Threat Modeling: Live (Hutton/Miller) (20)

Data Driven Risk Management
Data Driven Risk ManagementData Driven Risk Management
Data Driven Risk Management
 
Relating Risk to Vulnerability
Relating Risk to Vulnerability Relating Risk to Vulnerability
Relating Risk to Vulnerability
 
Incident_Response_for_Management_Presentation.pptx
Incident_Response_for_Management_Presentation.pptxIncident_Response_for_Management_Presentation.pptx
Incident_Response_for_Management_Presentation.pptx
 
2011 mini metricon
2011 mini metricon2011 mini metricon
2011 mini metricon
 
What Is Cyber Threat Intelligence | How It Work? | SOCVault
What Is Cyber Threat Intelligence | How It Work? | SOCVaultWhat Is Cyber Threat Intelligence | How It Work? | SOCVault
What Is Cyber Threat Intelligence | How It Work? | SOCVault
 
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdfFor Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
 
2019 Data Breach Investigations Report (DBIR)
2019 Data Breach Investigations Report (DBIR)2019 Data Breach Investigations Report (DBIR)
2019 Data Breach Investigations Report (DBIR)
 
Risk Analysis for Dummies
Risk Analysis for DummiesRisk Analysis for Dummies
Risk Analysis for Dummies
 
R af d
R af dR af d
R af d
 
Ecommerce(2)
Ecommerce(2)Ecommerce(2)
Ecommerce(2)
 
Combating Cyber Crimes Proactively.pdf
Combating Cyber Crimes Proactively.pdfCombating Cyber Crimes Proactively.pdf
Combating Cyber Crimes Proactively.pdf
 
Bridging the Gap Between Threat Intelligence and Risk Management
Bridging the Gap Between Threat Intelligence and Risk ManagementBridging the Gap Between Threat Intelligence and Risk Management
Bridging the Gap Between Threat Intelligence and Risk Management
 
Bridging the Gap Between Threat Intelligence and Risk Management
Bridging the Gap Between Threat Intelligence and Risk ManagementBridging the Gap Between Threat Intelligence and Risk Management
Bridging the Gap Between Threat Intelligence and Risk Management
 
Evidence-Based Risk Management
Evidence-Based Risk ManagementEvidence-Based Risk Management
Evidence-Based Risk Management
 
Deep Learning based Threat / Intrusion detection system
Deep Learning based Threat / Intrusion detection systemDeep Learning based Threat / Intrusion detection system
Deep Learning based Threat / Intrusion detection system
 
How to VERISize v2 - BSidesQuebec2013
How to VERISize v2 - BSidesQuebec2013How to VERISize v2 - BSidesQuebec2013
How to VERISize v2 - BSidesQuebec2013
 
Cyber security with ai
Cyber security with aiCyber security with ai
Cyber security with ai
 
Cybersecurity risk assessments help organizations identify.pdf
Cybersecurity risk assessments help organizations identify.pdfCybersecurity risk assessments help organizations identify.pdf
Cybersecurity risk assessments help organizations identify.pdf
 
OSB50: Operational Security: State of the Union
OSB50: Operational Security: State of the UnionOSB50: Operational Security: State of the Union
OSB50: Operational Security: State of the Union
 
[Hungary] I play Jack of Information Disclosure
[Hungary] I play Jack of Information Disclosure[Hungary] I play Jack of Information Disclosure
[Hungary] I play Jack of Information Disclosure
 

Mais de Allison Miller

When Algorithms Are Our Co-Pilots
When Algorithms Are Our Co-PilotsWhen Algorithms Are Our Co-Pilots
When Algorithms Are Our Co-PilotsAllison Miller
 
2014.06 Defending Debit
2014.06 Defending Debit2014.06 Defending Debit
2014.06 Defending DebitAllison Miller
 
2014.04 Bit, Bit, Coin
2014.04 Bit, Bit, Coin2014.04 Bit, Bit, Coin
2014.04 Bit, Bit, CoinAllison Miller
 
2013.10 Operating * by the Numbers
2013.10 Operating * by the Numbers2013.10 Operating * by the Numbers
2013.10 Operating * by the NumbersAllison Miller
 
2011.04 How to Isotope Tag a Ghost
2011.04 How to Isotope Tag a Ghost2011.04 How to Isotope Tag a Ghost
2011.04 How to Isotope Tag a GhostAllison Miller
 

Mais de Allison Miller (6)

Something Wicked
Something WickedSomething Wicked
Something Wicked
 
When Algorithms Are Our Co-Pilots
When Algorithms Are Our Co-PilotsWhen Algorithms Are Our Co-Pilots
When Algorithms Are Our Co-Pilots
 
2014.06 Defending Debit
2014.06 Defending Debit2014.06 Defending Debit
2014.06 Defending Debit
 
2014.04 Bit, Bit, Coin
2014.04 Bit, Bit, Coin2014.04 Bit, Bit, Coin
2014.04 Bit, Bit, Coin
 
2013.10 Operating * by the Numbers
2013.10 Operating * by the Numbers2013.10 Operating * by the Numbers
2013.10 Operating * by the Numbers
 
2011.04 How to Isotope Tag a Ghost
2011.04 How to Isotope Tag a Ghost2011.04 How to Isotope Tag a Ghost
2011.04 How to Isotope Tag a Ghost
 

Último

How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 

Último (20)

How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 

2010.08 Applied Threat Modeling: Live (Hutton/Miller)

  • 1. Threat Modeling Alex Hutton Principal, Risk & Intelligence - Verizon Business http://securityblog.verizonbusiness.com http://www.newschoolsecurity.com Society of Information Risk Analysts http://societyinforisk.org/ @alexhutton on the twitter LIVE Allison Miller Group Manager, Account Risk & Security - PayPal
  • 2. what is this presentation about? - new way to look at risk management via data and threat modeling
  • 3. what is a model?
  • 4. what is risk management?
  • 5. Managing risk means aligning the capabilities of the organization, and the exposure of the organization with the tolerance of the data owners - Jack Jones
  • 6. Managing risk means aligning the capabilities of the organization, control, influence over outcome and the exposure of the organization with the tolerance of the data owners threats manifest as loss of assets how much can you afford to lose?
  • 7. Traditional Risk Management Find issue, call issue bad, fix issue, hope you don’t find it again...
  • 8. Traditional Risk Management emphasis on assessment, compliance...what about security?
  • 9. Closing the Gap Between Assessment and Defense
  • 12. Evolution strongly favors strategies that minimize the risk of loss, rather than which maximize the chance of gain. Len Fisher Rock, Paper, Scissors: Game Theory in Everyday Life
  • 13. system models are different from maps, they include dynamics and boundaries
  • 14.
  • 15.
  • 16.
  • 18. risk management that simply reacts to yesterday's news is not risk management at all Douglas Hubbard The Failure of Risk Management
  • 19. the importance of feedback loop instrumentation (that‘s where metrics come from)
  • 21. Prediction is very difficult, especially about the future Niels Bohr
  • 22. Models in operations tend to assist in automating system decisions, or monitoring for quality defects
  • 23. This means we need to understand what makes a good decision vs a bad decision
  • 24. Patterns that can be defined can be detected
  • 25. …and defining patterns means analyzing lots and lots of data
  • 26. We don't talk about what we see; we see only what we can talk about Donella Meadows Thinking in Systems: A Primer
  • 27. Friederich Hayek invades our dreams to give us visions of a new approach
  • 28. These “risk” statements you’re making, I don’t think you’re doing it right. - (Chillin’ Friederich Hayek)
  • 29. Risk Assessment Current Practice Dutch Model, Likelihood & Impact statement very physics/engineering oriented
  • 30. from Mark Curphey’s SecurityBullshit
  • 31.
  • 32.
  • 35. Complex Adaptive Systems: You can’t make point probabilities (sorry ALE) you can only work with patterns of information
  • 36. How Complex Systems Fail (Being a Short Treatise on the Nature of Failure; How Failure is Evaluated; How Failure is Attributed to Proximate Cause; and the Resulting New Understanding of Patient Safety) Richard I. Cook, MD Cognitive technologies Laboratory University of Chicago http://www.ctlab.org/documents/How %20Complex%20Systems %20Fail.pdf
  • 37. Because we’re dealing with Complex Adaptive Systems engineering risk statements = bankrupt (sorry GRC)
  • 38. We need a new approach
  • 39. Complex Systems Create a business process Process is a collection of system interaction (system behavior) Process has human interaction (human behavior)
  • 40. instead of R = T x V x I
  • 41. behavioral analytics & data driven management
  • 42. evidence based risk management
  • 44. 2010: ~900 cases (900 million records)
  • 45. Verizon is sharing our framework
  • 46. Verizon Enterprise Risk & Incident Sharing (VERIS) Framework it’s open*! * kinda
  • 47. What is the Verizon Incident Sharing (VERIS) Framework? A means to create metrics from the incident narrative; how Verizon creates measurements for the DBIR; how *anyone* can create measurements from an incident; https://verisframework.wiki.zoho.com
  • 48. What makes up the VERIS framework? Four sections, 1 > 2 > 3 > 4: (1) demographics: information about the organization, including its size, location, industry, & security budget (implied); (2) incident classification (A4): information about the attack (traditional threat model), including (meta)data about agent, action, asset, & security attribute (C/I/A); (3) discovery & mitigation: information about incident discovery, probable mitigating controls, and rough state of security management; (4) impact classification ($): information about impact categorization (a la FAIR & ISO 27005), aggregate estimate of loss (in $), & qualitative description of damage
  • 49. The Incident Classification section employs Verizon's A4 event model. A security incident (or threat scenario) is modeled as a series of events (incident as a chain of events: 1 > 2 > 3 > 4 > 5). Every event is comprised of the following 4 A's: Agent: whose actions affected the asset; Action: what actions affected the asset; Asset: which assets were affected; Attribute: how the asset was affected
  • 50. (diagram) Cybertrust Security incident narrative > incident metrics: demographics, incident classification (A4) event chain 1 > 2 > 3 > 4 > 5, discovery & mitigation, impact classification ($)
  • 51. (diagram) Cybertrust Security case studies > data set: many incidents (a, b, c, d, e, f), each recorded as demographics, an incident classification (A4) event chain, discovery & mitigation, and impact classification ($)
  • 53. the potential for pattern matching (diagram: the same data set, with matching events in the A4 chains highlighted across incidents a-f)
  • 54. Fraud, Incidents, and Good Lord Of The Dance: creating models for the real management of risk
  • 55. F r a u d
  • 56. in VERIS we see THREE events, 1 > 2 > 3: phishing, malware infection, credential theft
  • 57. in VERIS we see THREE events, 1 > 2 > 3: phishing, malware infection, credential exfiltration; in addition we can describe FOUR fraud events
  • 58. from the initial narrative, we now have a threat event model with SEVEN objects 1 > 2 > 3 > 4 > 5 > 6 > 7
  • 59. from the initial narrative, we now have a threat event model with SEVEN objects, 1 > 2 > 3 > 4 > 5 > 6 > 7. Event 1: AGENT: external, organized crime, eastern europe; ACTION: social, type: phishing, channel: email, target: end-user; ASSET: human, type: end-user; ATTRIBUTE: integrity
  • 60. from the initial narrative, we now have a threat event model with SEVEN objects, 1 > 2 > 3 > 4 > 5 > 6 > 7. Event 2: AGENT: external, organized crime, eastern europe; ACTION: malware, type: install additional malware or software; ASSET: end-user device, type: desktop (more meta-data possible); ATTRIBUTE: integrity
  • 61. from the initial narrative, we now have a threat event model with SEVEN objects, 1 > 2 > 3 > 4 > 5 > 6 > 7. Event 3: AGENT: external, organized crime, eastern europe; ACTION: malware, type: harvest system information; ASSET: end-user device, type: desktop (more meta-data possible); ATTRIBUTE: integrity, confidentiality
  • 62. from the initial narrative, we now have a threat event model with SEVEN objects, 1 > 2 > 3 > 4 > 5 > 6 > 7. Event 4: AGENT: external, organized crime, eastern europe; ACTION: impersonation
  • 63. from the initial narrative, we now have a threat event model with SEVEN objects, 1 > 2 > 3 > 4 > 5 > 6 > 7. Event 5: AGENT: external, organized crime, eastern europe; ACTION: impersonated transaction
  • 64. from the initial narrative, we now have a threat event model with SEVEN objects, 1 > 2 > 3 > 4 > 5 > 6 > 7. Event 6: AGENT: external, organized crime, eastern europe; ACTION: buy goods or transfer funds
  • 65. from the initial narrative, we now have a threat event model with SEVEN objects, 1 > 2 > 3 > 4 > 5 > 6 > 7. Event 7: AGENT: external, organized crime, eastern europe; ACTION: goods/funds extraction
  • 66. we can study the event model to understand control opportunities 1 > 2 > 3 > 4 > 5 > 6 > 7 end user could have made better choices
  • 67. we can study the event model to understand control opportunities 1 > 2 > 3 > 4 > 5 > 6 > 7 Wouldn’t it be nice if end users had desktop DLP?
  • 68. we can study the event model to understand control opportunities 1 > 2 > 3 > 4 > 5 > 6 > 7 Why is Mrs. Francis Neely, 68 years of age from Lexington, KY suddenly purchasing items from European websites to be shipped to Asia???
  • 69. the potential for pattern matching and control application (diagram: the incident data set a-f, with matching events in the A4 chains highlighted and the control opportunities marked)
  • 70. if patterns can be defined, they can be stored for later use. (diagram: the same data set and highlighted pattern)
  • 71. if they can be stored for later use, they can be used to Detect, Respond, and Prevent. (diagram: the same data set and highlighted pattern)
  • 73. (diagram: the incident data set a-f with demographics, incident classification, discovery and impact, pattern highlighted)
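The slides say a pattern that can be defined can be detected (slides 24-25), and that an incident is a chain of A4 events against which stored patterns can be matched for Detect, Respond and Prevent (slides 49 and 56-71). The following Python is an added example of that idea, not code from the deck or from the VERIS project. The A4 field names are VERIS's; the "category/type" string encoding of actions, the subsequence-matching rule, the JSON storage format and the helper names are this example's own assumptions. The seven-event chain is the one transcribed from slides 59-65, and the control notes paraphrase slides 66-68 where those slides name a control, otherwise they are illustrative.

```python
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class A4Event:
    """One event in an incident chain: whose action affected which asset, and how.

    The four fields are the VERIS A4s. The "category/type" string encoding and the
    C/I/A attribute letters are conventions assumed by this example.
    """
    agent: str                  # e.g. "external/organized crime/eastern europe"
    action: str                 # e.g. "social/phishing/email"
    asset: str = ""             # e.g. "end-user device/desktop"
    attribute: tuple = ()       # affected security attributes: "C", "I", "A"


@dataclass(frozen=True)
class Pattern:
    """A stored pattern: ordered action prefixes, each paired with the control
    opportunity it points at. Plain strings, so it round-trips through JSON."""
    name: str
    steps: tuple                # ((action_prefix, control_note), ...)


def match_pattern(chain, pattern):
    """Return the indices in `chain` at which the pattern's steps occur, in order,
    or None if any step is missing. Other events may sit between matched steps
    (subsequence matching); that rule is an assumption of this example."""
    positions = []
    start = 0
    for prefix, _note in pattern.steps:
        for i in range(start, len(chain)):
            if chain[i].action.startswith(prefix):
                positions.append(i)
                start = i + 1
                break
        else:
            return None
    return positions


def control_opportunities(chain, pattern):
    """For a matching chain, list (event index, action, control note) triples:
    the points at which a control could have broken the chain."""
    hits = match_pattern(chain, pattern)
    if hits is None:
        return []
    return [(i, chain[i].action, pattern.steps[k][1]) for k, i in enumerate(hits)]


def pattern_to_json(pattern):
    """Serialise a pattern so it can be stored for later use (slide 70)."""
    return json.dumps({"name": pattern.name, "steps": [list(s) for s in pattern.steps]})


def pattern_from_json(text):
    data = json.loads(text)
    return Pattern(data["name"], tuple(tuple(step) for step in data["steps"]))


# The seven-event phishing-to-fraud chain from slides 59-65, in this example's encoding.
CRIME = "external/organized crime/eastern europe"
PHISHING_FRAUD_CHAIN = (
    A4Event(CRIME, "social/phishing/email", "human/end-user", ("I",)),
    A4Event(CRIME, "malware/install additional malware", "end-user device/desktop", ("I",)),
    A4Event(CRIME, "malware/harvest system information", "end-user device/desktop", ("I", "C")),
    A4Event(CRIME, "impersonation"),
    A4Event(CRIME, "impersonated transaction"),
    A4Event(CRIME, "buy goods or transfer funds"),
    A4Event(CRIME, "goods/funds extraction"),
)

# A constructed, unrelated chain (not from the slides): no phishing step, so no match.
UNRELATED_CHAIN = (
    A4Event("internal/employee", "misuse/privilege abuse", "server/database", ("C",)),
    A4Event("internal/employee", "misuse/data export", "server/database", ("C",)),
)

# The stored pattern. Control notes for steps 1, 3 and 4 paraphrase slides 66-68;
# the note for step 2 is illustrative only.
CREDENTIAL_FRAUD_PATTERN = Pattern(
    "phish > malware > harvest > impersonated transaction",
    (
        ("social/phishing", "end-user awareness: the user could have made a better choice"),
        ("malware/install", "anti-malware control on the desktop (illustrative)"),
        ("malware/harvest", "desktop DLP on the end-user device"),
        ("impersonated transaction", "transaction anomaly review against the account's history"),
    ),
)


if __name__ == "__main__":
    stored = pattern_to_json(CREDENTIAL_FRAUD_PATTERN)          # stored for later use
    loaded = pattern_from_json(stored)                          # reloaded at detection time
    for idx, action, note in control_opportunities(PHISHING_FRAUD_CHAIN, loaded):
        print(f"event {idx + 1}: {action:<36} control: {note}")
    print(match_pattern(UNRELATED_CHAIN, loaded))
```

Running the block prints the four events of the chain where the stored pattern matches, each with the control that could have interrupted it, and `None` for the unrelated chain. Because the match is a subsequence rather than an exact sequence, a chain with extra intermediate events (the "impersonation" step between harvest and transaction) still matches, which is what lets one stored pattern cover several incident records in the data set.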