SESSION ID:

#RSAC

Nancy Davoust

AGILE AND CONTINUOUS THREAT MODELS

DEV-R04

Vice President, Security Architecture and Technology SolutionsComcast

#RSAC

CONTEXT FOR AGILE AND CONTINUOUS THREAT MODELING

#RSAC

3

The Landscape is Chaotic

Evolving Business Models

Exploding Number of

Attack Surfaces and

Attacks

Innovative

but Insecure

Technologies

Agile & Continuous

Revolutionary Security Principles and Practices

#RSAC

4

While we are Developing and Operating at the Speed of Light

Embracing Agile and Continuous Methodology

#RSAC

Dev Ops

Pen Testing

Fuzzing

Code Review

Static / IAST Analysis

Threat Model

Compliance Validation Recover

Respond

Audit

5

Build Security In – Don’t Bolt It On

Policies

SecDetect

Threat IntelLog

Monitor

Education and

Training

#RSAC

AGILE AND CONTINUOUS THREAT MODEL WORKSHOP

#RSAC

Threat Model Workshop In a Day with Each DevSecOps Team

7

1Introduction, Goals

and BackgroundExamples and Exercises

Risk Assessment3Live Threat Model

2

4

#RSAC

8

Threat Modeling Workshop Success Objectives

Reviewed architecture for real-world threats

Protect customers and products earlier in the product lifecycle

Team buy-in as the security findings were generated by the team

Common understanding of the threats and mitigations

Team trained to use agile and continuous threat modeling as a practice

#RSAC

9

• Be Honest• No Blaming• We are here to help one another

• Build security in by design• Teamwork to identify attack surfaces• We are all in this together

• Open Posture• Transparent• One Team

Everyone is Responsible for Security

#RSAC

10

Reduce cost

to recover from attacks

Create effective security

requirements

Know your enemies and

their tactics

Reduce

security design flaws

What is threat modeling? Why do we need it?

Defense in depth

Data

Use Cases

Threats & Risk

Attack Surfaces

Architecture & Features

Threat Modeling Fundamentals

Mitigations

#RSAC

11

Security Breaches Can Happen Anywhere

Utilities

Defense

Transportation

Services

Entertainment

Retail

Email

Banking

Social Media

Healthcare

ManufacturingEducation

Food

Technology

#RSAC

12

Common Weaknesses and Countermeasures

Weaknesses Countermeasures

Insufficient API security API security gateway, OAuth, Tokens, Certificates, Signing Keys

Exposed infrastructure & admin ports

Jump boxes, network ACLs, security groups, iptables, MFA (deprecate telnet!)

Lack of privileged account management & monitoring

Limit shared credentials, local accounts, monitor credential use for abuse. Forward logs to a centralized location, use correlation rules in a SIEM and defined alerts

Hard-coded credentials and API secrets

Key management solutions such as SafeNet, HashiCorp Vault, Ansible Vault, Puppet, Chef Data Bags, SALT, or your company recommended vault

Secure SDLC Practices not integrated into your CI/CD pipeline

Secure the pipeline (e.g. Jenkins, Ansible, Salt, GitHub, other tools), automate static code analysis, use scanning tools web app scanners, Nessus, Qualys)

#RSAC

13

Attacker Profile Exercise

Cyber

CriminalsFinancial Low

Low

medium

Industrial spiesInformation &

DisruptionLow

High

extreme

Hacktivists

Information,

disruption,

media attention

Medium

high

Low

medium

Known proven

Sophisticated & unique

System administration

errors and

social engineering

ATTACKER ATTACK GOALS

ATTACKER RISK

TOLERANCE

ATTACKER

LEVEL OF

EFFORT ATTACKER METHODS

Internal

Attack/Insider

Information &

DisruptionHigh

High

extremeKnown proven

#RSAC

14

The Process

Provides Guidance

Leads Discussion

Asks Questions

IdentifiesVulnerabilities and

Action Items

Assess Risk

Threat Model Lead

Architect

Team

Posts Architecture, Action Items and Findings and tracks issues to closure with the product team.

Threat Model PM

#RSAC

Service 1

Service 2

Service 3

Data Source 1

Data Source 2

Data Source 3

Middleware App

Data

HTTP

Local Logging

HTTPS

SSHAdmin Access

User API

Update API

15

Threat Model Example Identifying the Attack Surfaces

1

2

3

4

#RSAC

16

Attack Surface Exercise

SSHUpdate API

Root Access

Update Code

Configuration Changes

Unauthorized Access

Stolen Data

Redirection Attacks

No Audit Trail

Unencrypted Sensitive

Data

No Pruning of Data

Unencrypted

Code Update Management

Self-signed TLS Certificates

LogsHTTP1 2 3 4

#RSAC

17

Personal Safety, Financial Safety

Scaled Theft of Customer Data

Scaled Denial of Service

Scaled Theft of Service

Malware

Intellectual Property Theft

Equipment

Theft

Threat Impacts

#RSAC

18

Risk

Generalized Risk EquationRisk = (Threat Impact * Likelihood) / Level of Effort

#RSAC

19

Summary

Build security

in by design,

don’t bolt it

on

Today you learned about Threats,

Impacts and Risk

How to Perform an Agile and

Continuous Threat Model

Examples of attacks, vulnerabilities and

effective countermeasures

Everyone is responsible for security