Threat Modeling LIVE

Alex Hutton, Principal, Risk & Intelligence - Verizon Business
Allison Miller, Group Manager, Account Risk & Security - PayPal

http://securityblog.verizonbusiness.com
http://www.newschoolsecurity.com

Society of Information Risk Analysts
http://societyinforisk.org/

@alexhutton on the twitter
what is this presentation about?
- a new way to look at risk management via data and threat modeling
what is a model?
what is risk management?
Managing risk means aligning
the capabilities of the
organization, and the exposure
of the organization with the
tolerance of the data owners
                         - Jack Jones
Managing risk means aligning
the capabilities of the organization    -> control, influence over outcome
and the exposure of the organization    -> threats manifest as loss of assets
with the tolerance of the data owners   -> how much can you afford to lose?
Traditional Risk Management

Find issue, call issue bad, fix issue, hope you don't find it again...
Traditional Risk Management

emphasis on assessment, compliance... what about security?
Closing the Gap Between Assessment and Defense
Design
Management
Operations
Design
Evolution strongly favors strategies that minimize the risk of loss, rather than those which maximize the chance of gain.

        Len Fisher
        Rock, Paper, Scissors: Game Theory in Everyday Life
system models are
different from maps,
they include dynamics
and boundaries
Hutton/Miller SourceBarcelona
Management
risk management
that simply reacts
to yesterday's
news is not risk
management at all

        Douglas Hubbard
        The Failure of Risk Management
the importance of feedback loop instrumentation

(that's where metrics come from)
Operations
Prediction is very difficult, especially about the future
        Niels Bohr
Models in operations tend to assist in automating system decisions, or monitoring for quality defects

This means we need to understand what makes a good decision vs a bad decision
Patterns that can be defined can be detected

and defining patterns means analyzing lots and lots of data
We don't talk about
what we see;
we see only what we
can talk about



        Donella Meadows
        Thinking in Systems: A Primer
Friedrich Hayek invades our dreams to give us visions of a new approach

"These risk statements you're making, I don't think you're doing it right."

        - (Chillin' Friedrich Hayek)
Risk Assessment Current Practice

Dutch Model, Likelihood & Impact statement
very physics/engineering oriented

(from Mark Curphey's SecurityBullshit)
Complex Systems
Complex Adaptive Systems

Complex Adaptive Systems: you can't make point probabilities (sorry, ALE: annualized loss expectancy); you can only work with patterns of information
How Complex Systems Fail
(Being a Short Treatise on the Nature of Failure; How Failure is Evaluated; How Failure is Attributed to Proximate Cause; and the Resulting New Understanding of Patient Safety)

Richard I. Cook, MD
Cognitive Technologies Laboratory
University of Chicago

http://www.ctlab.org/documents/How%20Complex%20Systems%20Fail.pdf
Because we're dealing with Complex Adaptive Systems, engineering risk statements = bankrupt

        (sorry GRC)
We need a new approach

Complex Systems create a business process
- Process is a collection of system interaction (system behavior)
- Process has human interaction (human behavior)

instead of R = T x V x I (risk = threat x vulnerability x impact):
behavioral analytics & data driven management
evidence based risk management
Verizon has shared data
- 2010: ~900 cases (900 million records)
Verizon is sharing our framework

Verizon Enterprise Risk & Incident Sharing (VERIS) Framework
it's open*!

        * kinda
What is the Verizon Incident Sharing (VERIS) Framework?

- A means to create metrics from the incident narrative
    - how Verizon creates measurements for the DBIR
    - how *anyone* can create measurements from an incident
    - https://verisframework.wiki.zoho.com
What makes up the VERIS framework?

- demographics: information about the organization, including their size, location, industry, & security budget (implied)
- incident classification (A4), 1 > 2 > 3 > 4: information about the attack (traditional threat model), including (meta)data about agent, action, asset, & security attribute (C/I/A)
- discovery & mitigation (+): information about incident discovery, probable mitigating controls, and rough state of security management
- impact classification ($$$): information about impact categorization (a la FAIR & ISO 27005), aggregate estimate of loss (in $), & qualitative description of damage
The Incident Classification section employs Verizon's A4 event model

A security incident (or threat scenario) is modeled as a series of events. Every event is comprised of the following 4 As:

- Agent: whose actions affected the asset
- Action: what actions affected the asset
- Asset: which assets were affected
- Attribute: how the asset was affected

Incident as a chain of events:  1 > 2 > 3 > 4 > 5
Cybertrust Security

[figure: incident narrative -> incident metrics. One incident laid out across the four VERIS sections: demographics | incident classification (A4) 1 > 2 > 3 > 4 > 5 | discovery & mitigation (+) | impact classification ($$$)]

[figure: case studies -> data set. The same layout repeated for incidents a through f, each a chain 1 > 2 > 3 > 4 > 5 with its own + and $$$ columns]

behaviors!
the potential for pattern matching

[figure: the a-f data set with the chains aligned so shared and divergent steps line up; incident c branches at step 3 (3 > 3 or 4 > 5) while the others run 1 > 2 > 3 > 4 > 5]
Fraud, Incidents, and Good Lord Of The Dance:
creating models for the real management of risk

Fraud
in VERIS we see THREE events.

  1 > 2 > 3

  1: phishing
  2: malware infection
  3: credential theft / exfiltration

in addition we can describe FOUR fraud events
from the initial narrative, we now have a threat event model with SEVEN objects

  1 > 2 > 3 > 4 > 5 > 6 > 7

AGENT (the same for all seven events): external, organized crime, eastern europe

  1  ACTION: social, type: phishing, channel: email, target: end-user
     ASSET: human, type: end-user
     ATTRIBUTE: integrity

  2  ACTION: malware, type: install additional malware or software
     ASSET: end-user device, type: desktop (more meta-data possible)
     ATTRIBUTE: integrity

  3  ACTION: malware, type: harvest system information
     ASSET: end-user device, type: desktop (more meta-data possible)
     ATTRIBUTE: integrity, confidentiality

  4  ACTION: impersonation

  5  ACTION: impersonated transaction

  6  ACTION: buy goods or transfer funds

  7  ACTION: goods/funds extraction
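The seven-event chain above, encoded as A4 events and reduced to the kind of counts VERIS exists to produce from a narrative. This is an added example, not code from the deck or from the VERIS project: the field names follow the slide text (agent/action/asset/attribute) rather than the published VERIS schema, and the "fraud" action category for events 4 to 7, the asset strings and the function names are this example's own.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional


@dataclass
class A4Event:
    """One event in an incident chain, in the deck's A4 terms."""
    agent: str
    action: str                        # action category from the slide: "social", "malware", ...
    action_type: str                   # the "type:" qualifier, e.g. "phishing"
    asset: Optional[str] = None        # None for the four fraud events the deck leaves unmodelled
    attributes: FrozenSet[str] = frozenset()
    meta: Dict[str, str] = field(default_factory=dict)   # channel, target, ...


AGENT = "external, organized crime, eastern europe"
DESKTOP = "end-user device: desktop"

# Constructed from the slide text; "fraud" as a category is this example's label.
CHAIN: List[A4Event] = [
    A4Event(AGENT, "social", "phishing", "human: end-user", frozenset({"integrity"}),
            {"channel": "email", "target": "end-user"}),
    A4Event(AGENT, "malware", "install additional malware or software", DESKTOP,
            frozenset({"integrity"})),
    A4Event(AGENT, "malware", "harvest system information", DESKTOP,
            frozenset({"integrity", "confidentiality"})),
    A4Event(AGENT, "fraud", "impersonation"),
    A4Event(AGENT, "fraud", "impersonated transaction"),
    A4Event(AGENT, "fraud", "buy goods or transfer funds"),
    A4Event(AGENT, "fraud", "goods/funds extraction"),
]


def validate_chain(chain: List[A4Event]) -> List[str]:
    """Return the structural problems in a chain; an empty list means it is well-formed.
    A modelled event (one with an asset) must also say how the asset was affected."""
    if not chain:
        return ["chain has no events"]
    problems = []
    for i, e in enumerate(chain, start=1):
        if not e.agent:
            problems.append(f"event {i}: missing agent")
        if not e.action or not e.action_type:
            problems.append(f"event {i}: missing action")
        if e.asset is not None and not e.attributes:
            problems.append(f"event {i}: asset without attribute")
    return problems


def incident_metrics(chain: List[A4Event]) -> dict:
    """Reduce an ordered chain to the counts a DBIR-style table aggregates over."""
    problems = validate_chain(chain)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "events": len(chain),
        "agents": sorted({e.agent for e in chain}),
        "actions": dict(Counter(e.action for e in chain)),
        "attributes": dict(Counter(a for e in chain for a in sorted(e.attributes))),
        "assets": dict(Counter(e.asset for e in chain if e.asset is not None)),
        "initial_vector": f"{chain[0].action}:{chain[0].action_type}",
        "modelled_events": sum(1 for e in chain if e.asset is not None),
    }


if __name__ == "__main__":
    for key, value in incident_metrics(CHAIN).items():
        print(f"{key:16} {value}")
```

The validation step is where the "(more meta-data possible)" remark on the slides bites: the three VERIS-visible events carry a full A4 tuple and can be counted by attribute, while the four fraud events carry only an action, so any metric over attributes or assets silently covers three of seven events. Keeping that count (modelled_events) next to the totals stops a reader of the table from assuming coverage the narrative never had.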
we can study the event model to understand control opportunities

  1 > 2 > 3 > 4 > 5 > 6 > 7

(three annotations, each placed further along the chain than the last)

- end user could have made better choices
- Wouldn't it be nice if end users had desktop DLP?
- Why is Mrs. Francis Neely, 68 years of age from Lexington, KY, suddenly purchasing items from European websites to be shipped to Asia???
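The Mrs. Neely question turned into a check that an operations model could run on each transaction at the impersonated-transaction step of the chain. This is an added example, not code from the deck or from PayPal; the purchase history, the home-country rule, the 3x amount multiplier and the two-reason review threshold are all constructed for the example.

```python
from statistics import median
from typing import Dict, List

Txn = Dict[str, object]

# Constructed purchase history for one account (not real data): a US account that
# buys from North American merchants and ships to its own country.
HISTORY: List[Txn] = [
    {"merchant_country": "US", "ship_to": "US", "amount": 42.10},
    {"merchant_country": "US", "ship_to": "US", "amount": 18.50},
    {"merchant_country": "US", "ship_to": "US", "amount": 65.00},
    {"merchant_country": "CA", "ship_to": "US", "amount": 30.25},
    {"merchant_country": "US", "ship_to": "US", "amount": 55.00},
]

AMOUNT_MULTIPLIER = 3.0   # hypothetical: flag amounts above 3x the account's median
REVIEW_AT = 2             # hypothetical: two independent reasons send a transaction to review


def baseline(history: List[Txn], home_country: str) -> dict:
    """The account's own normal: where it buys, where it ships, what it usually spends."""
    if not history:
        # No behaviour to compare against yet; the home country is the only pattern we have.
        return {"merchant_countries": {home_country}, "ship_to_countries": {home_country},
                "typical_amount": None, "home_country": home_country}
    return {
        "merchant_countries": {t["merchant_country"] for t in history},
        "ship_to_countries": {t["ship_to"] for t in history},
        "typical_amount": median(t["amount"] for t in history),
        "home_country": home_country,
    }


def score_transaction(txn: Txn, base: dict) -> dict:
    """Each reason is one way the transaction departs from the account's pattern."""
    reasons = []
    if txn["merchant_country"] not in base["merchant_countries"]:
        reasons.append("merchant country never seen on this account")
    if txn["ship_to"] not in base["ship_to_countries"]:
        reasons.append("ship-to country never seen on this account")
    if txn["merchant_country"] != base["home_country"] and txn["ship_to"] != base["home_country"]:
        reasons.append("neither merchant nor ship-to is the account's home country")
    typical = base["typical_amount"]
    if typical is not None and txn["amount"] > AMOUNT_MULTIPLIER * typical:
        reasons.append(f"amount above {AMOUNT_MULTIPLIER:g}x the account's median")
    decision = "review" if len(reasons) >= REVIEW_AT else "allow"
    return {"score": len(reasons), "reasons": reasons, "decision": decision}


# The shape from the slide: a Lexington, KY account suddenly buying from a European
# site with delivery to Asia (constructed transactions).
SUSPECT: Txn = {"merchant_country": "DE", "ship_to": "CN", "amount": 899.00}
ROUTINE: Txn = {"merchant_country": "US", "ship_to": "US", "amount": 60.00}

if __name__ == "__main__":
    base = baseline(HISTORY, home_country="US")
    for t in (ROUTINE, SUSPECT):
        print(t, "->", score_transaction(t, base))
```

The point of scoring against the account's own history rather than a global rule is the one the deck makes about patterns: "European merchant, Asian delivery" is not suspicious in itself, it is suspicious for this account. The empty-history branch matters in practice because an account with no baseline is exactly the one a fresh takeover produces, so the check must still return a decision rather than fail.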
the potential for pattern matching and control application

[figure: the a-f data set again (demographics | incident classification (A4) | discovery & mitigation | impact), chains 1 > 2 > 3 > 4 > 5 with c branching at step 3]
if patterns can be defined, they can be stored for later use.

if they can be stored for later use, they can be used to Detect, Respond, and Prevent.

[figure: the stored a-f incident set, columns demographics | incident classification (A4) | discovery | impact, chains 1 > 2 > 3 > 4 > 5 with c branching at step 3]
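Patterns defined, stored, and used to detect, as an added example that is not the deck's or VERIS's code. A stored pattern is an ordered list of allowed action labels per step (a step with two labels is how a branch like the one drawn for incident c, or the deck's "buy goods or transfer funds", is kept), serialised to JSON for later use and matched against a partially observed chain so that the next expected step is known before it happens. The action labels, pattern names and the second (card-data) pattern are constructed for the example.

```python
import json
from typing import Dict, List, Set, Tuple

Pattern = List[Set[str]]   # one set of acceptable action labels per step

# Constructed pattern store using the action labels of the deck's seven-event chain.
PATTERNS: Dict[str, Pattern] = {
    "phish > malware > account takeover > cash-out": [
        {"phishing"},
        {"install malware"},
        {"harvest info"},
        {"impersonation"},
        {"impersonated transaction"},
        {"buy goods", "transfer funds"},      # the deck's "buy goods or transfer funds"
        {"extraction"},
    ],
    "card data purchase > cash-out": [        # hypothetical second pattern
        {"card data purchase"},
        {"impersonated transaction"},
        {"buy goods", "transfer funds"},
        {"extraction"},
    ],
}


def save_patterns(patterns: Dict[str, Pattern]) -> str:
    """Serialise for storage; sets become sorted lists so the output is stable."""
    return json.dumps({name: [sorted(step) for step in pat] for name, pat in patterns.items()},
                      indent=2, sort_keys=True)


def load_patterns(text: str) -> Dict[str, Pattern]:
    return {name: [set(step) for step in pat] for name, pat in json.loads(text).items()}


def collapse_repeats(seq: List[str]) -> List[str]:
    """A stage that fires twice (more malware installed) is still one step of the pattern."""
    out: List[str] = []
    for s in seq:
        if not out or out[-1] != s:
            out.append(s)
    return out


def match_pattern(observed: List[str], pattern: Pattern) -> dict:
    """How far an observed chain follows a stored pattern, and what the pattern expects next."""
    obs = collapse_repeats(observed)
    matched = 0
    for step, allowed in zip(obs, pattern):
        if step not in allowed:
            break
        matched += 1
    diverged = matched < len(obs)                   # an observed step the pattern does not allow
    complete = not diverged and matched == len(pattern)
    next_expected = set() if (diverged or complete) else pattern[matched]
    return {"matched": matched, "diverged": diverged, "complete": complete,
            "next_expected": sorted(next_expected)}


def detect(observed: List[str], patterns: Dict[str, Pattern]) -> List[Tuple[str, dict]]:
    """Patterns the observed chain is still consistent with, longest match first."""
    hits = [(name, match_pattern(observed, pat)) for name, pat in patterns.items()]
    hits = [h for h in hits if not h[1]["diverged"]]
    hits.sort(key=lambda h: -h[1]["matched"])
    return hits


if __name__ == "__main__":
    stored = load_patterns(save_patterns(PATTERNS))
    seen_so_far = ["phishing", "install malware", "install malware", "harvest info"]
    for name, result in detect(seen_so_far, stored):
        print(name, "->", result)
```

The detect/respond/prevent split falls out of the match result: a complete match is detection after the fact, a partial match with a non-empty next_expected is where a response can be placed before the next step fires, and a pattern whose early steps keep matching across many incidents is the place a preventive control pays for itself. An empty observed chain is consistent with every stored pattern, so callers should treat a zero-length match as "nothing known yet" rather than as a hit.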
OBLIGATORY QUESTIONS SLIDE
MUCHAS GRACIAS (thank you very much)
