Slide 1

Organization Threat Models: Addressing the Cyber Risk Dilemma
Tony UcedaVelez | VerSprite CEO | OWASP ATL Chapter Leader

Slide 2

Speaker Bio
- CEO, VerSprite – Global Security Consulting Firm (www.versprite.com)
- Chapter Leader – OWASP Atlanta (past 7 years) (www.owasp.org)
- Author, “Risk Centric Threat Modeling – Process for Attack Simulation & Threat Analysis”, Wiley, June 2015
- Former Sr. Security Director, Fortune 50 | Symantec | Dell-SecureWorks
- 15+ years of Security Risk Management Experience

Slide 3

What Drives Your Security Strategy?
A LOOK AT TODAY’S DRIVERS FOR CYBER SECURITY PROGRAMS
- Frameworks?
- Security Studies?
- Threat Intelligence?
- Security Incidents?

Slide 4

OWASP 2013 Survey
SNAPSHOT ON TECH RISK READINESS
1. Application Security Risks Still Concerning: Insecure development practices and non-existent secure design patterns continue to weigh down the maturity levels of IT groups when it comes to baking in security.
2. AppSec Only One Facet of Overall Risk: Application security risks (threats + vulns + impact) still need to be integrated into the greater risk model. Security “risk islands” essentially inhibit risk correlation.

Slide 5

One in 7 CISOs report to the CEO on cyber security related risks to their respective companies.

Slide 6

of polled security professionals said they weren’t sure what “threat actors exploited their organizations.”
— RSA + ISACA 2016 Security Survey

Slide 7

“More people are killed every year by pigs than by sharks, which shows you how good we are at evaluating risk.”
— BRUCE SCHNEIER

Slide 8

Risk Dilemma
FACTORS THAT AFFECT THREAT ANALYSIS
- Difficult to operationalize threat intelligence
- Massive amounts of data can thwart proper analysis
- Limited security operations resources
- Organizations challenged with contextualizing threats or threat intel
- Integrity of threat data
- Lack of understanding of threat actors
- Threat motives and potential targets left unaddressed

Slide 9

Risk Dilemma (continued)
FACTORS THAT AFFECT IMPACT ANALYSIS
Companies in the dark in terms of impact levels:
- Financial :: Quantifying Security Risk to Dollars
- Reputational :: Analyzing Long Term Effects of Tainted Public Image
- Contractual/Legal :: Regulatory

Slide 10

Risk Dilemma (continued)
FACTORS THAT AFFECT VULNERABILITY / WEAKNESS IDENTIFICATION
- Vulnerability analysis more prevalent than identifying weaknesses
- Heavy focus on technical vulnerabilities
- Burdened by false positive analysis
- Process gaps not correlated to viable threat patterns
- Vendor risk not correlated to an organizational threat model
- Weak architectural design not integrated into the broader threat model
- Resource awareness gaps not factored into the organizational threat model

Slide 11

Risk Dilemma (continued)
FACTORS THAT AFFECT CORPORATE KNOWLEDGE OF COUNTERMEASURES & RELATED EFFECTIVENESS
- Some organizations don’t realize their own range of countermeasures or enterprise controls
- Control testing is generally compliance driven
- Disconnect between which controls/countermeasures exist, or are effective, against viable threat patterns

Slide 12

“Knowing your own darkness is the best method for dealing with the darkness of other people.”
— CARL GUSTAV JUNG, RENOWNED ANALYTICAL PSYCHOLOGIST

Slide 13

Organizational Threat Model Methodology
SIMULATING THREATS FOR IMPROVED AWARENESS, GOVERNANCE, AND RISK MITIGATION
I. ID Client Target(s) / Related Assets: Impact awareness of the business data, transactions, and processes that trigger threat actor interest.
II. ID Technology Footprint for Target(s): Knowledge of high impact technologies / vendor services.
III. Map Target Processes to Supporting Tech: Map the relationship between business processes and the supporting tech & vendor services.
IV. Model Threats: Model threats based upon precedence of attacks, threat motives, and feasibility against probable targets.

Slide 14

Organizational Threat Model Methodology …
SIMULATING THREATS FOR IMPROVED AWARENESS, GOVERNANCE, AND RISK MITIGATION
V. Weakness / Vulnerability Probing: Identify threat targets & related processes that are weak / vulnerable to exploitation.
VI. Attack Modeling: Attack simulation substantiates the feasibility of multi-faceted attack patterns.
VII. Residual Risk Analysis: Based upon threat likelihood against likely targets & exploitation feasibility, residual risk actions can be taken.

Slide 15

Organizational Threat Model Players
- Vendor Mgt: Provides the scope of vendor services & helps address vendor risks from the org threat model
- HR: Addresses risks (threats | weaknesses) to / from the workforce
- The Executive: Receives a summary of multi-faceted risks and proposed strategies w/ substantiated findings
- IT: Ability to build a threat model sustained by probable targets and associated weaknesses

Slide 16

Organizational Threat Model Roles
- Process Owner: Provides the scope of vendor services & helps address vendor risks from the org threat model
- Product Manager: Knows the context of impact to services / products
- Physical Security: Responsible for denoting PhySec controls & remediating identified PhySec risks from the threat model
- SecOps: Provides threat data that may denote precedence of attack patterns as supported by log data

Slide 17

Risk Challenges When Addressing Threats
Knowledge of Threats is Growing, Context of Threats is Not
1. What: Ransomware, drive-by download, injection attacks, phishing, exploit kits, botnets, smishing, vishing, XSS, CSRF, MITM, Trojans
2. Who | Why: Hacktivists, organized crime groups, fraudsters, insiders, nation states, corporate competitors, IP thievery, hacker cells, private vigilantes, PII thievery, defacement, defamation, corporate espionage
3. How: Companies caught flat-footed on how exactly attack patterns translate to either real or simulated attacks against various targeted assets, processes, vendors, or people.

Slide 18

Contextualizing Threats
How Org Threat Models Present Attack Trees to Provide Threat Context
(Figure: attack tree spanning Organizational Areas)

Slide 19

Evolving Current Assessment Patterns
EVOLVING TO GREATER THREAT AND RISK CONTEXT
Assessment patterns: Penetration Testing, Red Teaming, Org Threat Models
Dimensions covered: Technical Attack Patterns | Human Attack Patterns | Vendor Considerations | Business Impact Analysis | Governance Roadmap

Slide 20

Reaping Risk Visibility
CONTEXT ENHANCES RISK UNDERSTANDING
- Threat Context: Substantiate threats from threat intel sources to define root threat causes. Net threat assertions resonate at all levels.
- Attack Patterns: Mapping layers of attack patterns shows how threats get weaponized across physical, human, vendor, business process, and technology targets.
- Probabilistic Analysis: For each ‘attack branch’ in a model, simulations define a probabilistic analysis. This adds credibility to the viability of threats for risk analysis.
- Impact Visibility: Understanding targets around infrastructure, vendors, and business processes forces an understanding of business impact in terms of dollars, reputation, and mitigation costs.
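The per-branch probabilistic analysis above and the residual risk step of the methodology (step VII), as an added worked example that is not part of the deck or of VerSprite's own tooling: a small attack tree in which each leaf step carries a feasibility probability, an existing countermeasure reduces it, AND/OR gates combine the branches, and the root probability is multiplied by threat frequency and dollar impact. Node names, probabilities, attempt counts and dollar figures are constructed placeholders.

```python
from dataclasses import dataclass, field


@dataclass
class Node:
    """One node of an attack tree: a leaf step or an AND/OR gate over child steps."""
    name: str
    gate: str = "LEAF"          # "LEAF", "AND" or "OR"
    p: float = 0.0              # LEAF only: feasibility of this step (0..1)
    control_eff: float = 0.0    # share of attempts an existing countermeasure stops
    children: list["Node"] = field(default_factory=list)

    def probability(self) -> float:
        """Probability this (sub)goal is reached, net of the countermeasure placed on it."""
        if self.gate == "LEAF":
            raw = self.p
        elif self.gate == "AND":            # every child step must succeed
            raw = 1.0
            for c in self.children:
                raw *= c.probability()
        elif self.gate == "OR":             # any one child path suffices
            fail = 1.0
            for c in self.children:
                fail *= 1.0 - c.probability()
            raw = 1.0 - fail
        else:
            raise ValueError(f"unknown gate {self.gate!r}")
        return raw * (1.0 - self.control_eff)


def residual_risk_usd(root: Node, attempts_per_year: float, impact_usd: float) -> float:
    """Expected annual loss: threat frequency x chance the tree succeeds x business impact."""
    return attempts_per_year * root.probability() * impact_usd


def branch_contributions(root: Node) -> dict:
    """Success probability per top-level branch, so the weakest path is visible to the executive."""
    return {c.name: round(c.probability(), 4) for c in root.children}


def build_sample_tree() -> Node:
    """Constructed illustration (placeholder values): two paths to one business-impact goal."""
    phishing = Node("Phish finance staff", "AND", children=[
        Node("Employee opens lure", p=0.3),
        Node("Payload executes", p=0.5, control_eff=0.6),   # endpoint control stops 60%
    ])
    vendor = Node("Exploit vendor portal", "AND", children=[
        Node("Vendor app unpatched", p=0.4),
        Node("Pivot to customer data store", p=0.5),
    ])
    return Node("Exfiltrate customer PII", "OR", children=[phishing, vendor])
```

With the placeholder values the vendor branch (0.20) dominates the phishing branch (0.06), so the model points remediation at vendor risk rather than at more phishing controls.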

Slide 21

Summary
KEY TAKEAWAYS ON EMBRACING ORGANIZATION THREAT MODELS
- Addressing security risk needs greater threat context
- Companies need to know which countermeasures reduce residual risk
- An organizational threat model can create a framework for security program direction
- Better threat management sources and workflows are needed to operationalize
- An organizational threat model contextualizes threat information
- Organization threat models can also serve as a backbone for awareness and governance efforts

Slide 22

“Tell me and I forget. Teach me and I remember. Involve me & I learn.”
— BENJAMIN FRANKLIN

Slide 23

Any questions? (Q&A session)