Post on 27-May-2018
#RSAC
Agile and Continuous Threat Models
Session ID: DEV-R04
Nancy Davoust
Vice President, Security Architecture and Technology Solutions, Comcast
The Landscape is Chaotic
• Evolving business models
• Exploding number of attack surfaces and attacks
• Innovative but insecure technologies
• Agile & continuous: revolutionary security principles and practices
While we are Developing and Operating at the Speed of Light
Embracing Agile and Continuous Methodology
Build Security In – Don’t Bolt It On
Around the Dev / Sec / Ops cycle:
• Pen Testing
• Fuzzing
• Code Review
• Static / IAST Analysis
• Threat Model
• Compliance Validation
• Recover
• Respond
• Audit
• Policies
• Detect
• Threat Intel
• Log
• Monitor
• Education and Training
Threat Model Workshop In a Day with Each DevSecOps Team
1 Introduction, Goals and Background
2 Examples and Exercises
3 Risk Assessment
4 Live Threat Model
Threat Modeling Workshop Success Objectives
• Reviewed architecture for real-world threats
• Protect customers and products earlier in the product lifecycle
• Team buy-in, as the security findings were generated by the team
• Common understanding of the threats and mitigations
• Team trained to use agile and continuous threat modeling as a practice
Everyone is Responsible for Security
• Be honest • No blaming • We are here to help one another
• Build security in by design • Teamwork to identify attack surfaces • We are all in this together
• Open posture • Transparent • One team
What is threat modeling? Why do we need it?
• Reduce the cost to recover from attacks
• Create effective security requirements
• Know your enemies and their tactics
• Reduce security design flaws
Threat Modeling Fundamentals
• Defense in depth
• Data
• Use cases
• Threats & risk
• Attack surfaces
• Architecture & features
• Mitigations
Security Breaches Can Happen Anywhere
Utilities, Defense, Transportation, Services, Entertainment, Retail, Banking, Social Media, Healthcare, Manufacturing, Education, Food, Technology
Common Weaknesses and Countermeasures
• Weakness: Insufficient API security. Countermeasures: API security gateway, OAuth, tokens, certificates, signing keys.
• Weakness: Exposed infrastructure & admin ports. Countermeasures: jump boxes, network ACLs, security groups, iptables, MFA (deprecate telnet!).
• Weakness: Lack of privileged account management & monitoring. Countermeasures: limit shared credentials and local accounts, monitor credential use for abuse, forward logs to a centralized location, use correlation rules in a SIEM and defined alerts.
• Weakness: Hard-coded credentials and API secrets. Countermeasures: key management solutions such as SafeNet, HashiCorp Vault, Ansible Vault, Puppet, Chef Data Bags, SALT, or your company-recommended vault.
• Weakness: Secure SDLC practices not integrated into your CI/CD pipeline. Countermeasures: secure the pipeline (e.g. Jenkins, Ansible, Salt, GitHub, other tools), automate static code analysis, use scanning tools (web app scanners, Nessus, Qualys).
Attacker Profile Exercise
Columns: Attacker; Attack Goals; Attacker Risk Tolerance; Attacker Level of Effort; Attacker Methods
• Cyber criminals: Financial; Low; Low to medium; Known, proven
• Industrial spies: Information & disruption; Low; High to extreme; Sophisticated & unique
• Hacktivists: Information, disruption, media attention; Medium to high; Low to medium; System administration errors and social engineering
• Internal attack/insider: Information & disruption; High; High to extreme; Known, proven
The Process
Roles: Threat Model Lead, Architect, Team, Threat Model PM
• Provides guidance, leads discussion, asks questions
• Identifies vulnerabilities and action items
• Assesses risk
• Threat Model PM: posts architecture, action items and findings, and tracks issues to closure with the product team.
Threat Model Example: Identifying the Attack Surfaces
Components: Service 1, Service 2, Service 3, Data Source 1, Data Source 2, Data Source 3, Middleware App, Data
Interfaces: HTTP, HTTPS, SSH Admin Access, User API, Update API, Local Logging
Attack surfaces are numbered 1 to 4 on the diagram.
Attack Surface Exercise
Attack surfaces (numbered 1 to 4): SSH, Update API, Logs, HTTP
Findings: Root Access; Update Code; Configuration Changes; Unauthorized Access; Stolen Data; Redirection Attacks; No Audit Trail; Unencrypted Sensitive Data; No Pruning of Data; Unencrypted Code Update Management; Self-signed TLS Certificates
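Added example, not from the deck: the exercise's attack surfaces and findings expressed as a small threat-model-as-code check that a DevSecOps pipeline could run on every change, in the continuous spirit the talk argues for. The Surface attributes, the rule predicates, the blocking set and the sample values are assumptions constructed for illustration; the finding names follow the exercise slide.

```python
from dataclasses import dataclass

@dataclass
class Surface:
    """One attack surface from the diagram; every attribute is a modelling assumption."""
    name: str
    protocol: str                 # ssh / http / https / file
    encrypted: bool               # data in transit or at rest is encrypted
    cert: str = "none"            # ca-signed / self-signed / none
    auth: str = "none"            # mfa / token / password / root-key / none
    audited: bool = False         # access is logged to a central, tamper-evident store
    sensitive: bool = False       # carries or stores sensitive data
    retention_days: int = 0       # 0 = data is never pruned
    update_channel: bool = False  # delivers code or configuration updates
    signed_updates: bool = False  # updates carry a verified signature

# Each rule pairs a finding (worded after the exercise slide) with its predicate.
RULES = [
    ("Root Access", lambda s: s.protocol == "ssh" and s.auth == "root-key"),
    ("Unauthorized Access", lambda s: s.protocol in ("http", "https") and s.auth == "none"),
    ("Unencrypted Sensitive Data", lambda s: s.sensitive and not s.encrypted),
    ("Redirection Attacks", lambda s: s.protocol == "http"),
    ("No Audit Trail", lambda s: not s.audited),
    ("No Pruning of Data", lambda s: s.sensitive and s.retention_days == 0),
    ("Unencrypted or Unsigned Code Update Management",
     lambda s: s.update_channel and not (s.encrypted and s.signed_updates)),
    ("Self-signed TLS Certificates", lambda s: s.cert == "self-signed"),
]
# Findings severe enough to fail the pipeline stage (assumed policy, not the deck's).
BLOCKING = {"Root Access", "Unauthorized Access", "Unencrypted Sensitive Data"}

def threat_model(surfaces):
    """Return {surface name: [findings]} for every surface that trips a rule."""
    report = {}
    for s in surfaces:
        hits = [finding for finding, pred in RULES if pred(s)]
        if hits:
            report[s.name] = hits
    return report

def release_blockers(surfaces):
    """(surface, finding) pairs that should stop the release until mitigated."""
    return [(n, f) for n, hits in threat_model(surfaces).items() for f in hits if f in BLOCKING]

# Constructed sample modelled on the deck's example architecture and its four surfaces.
EXAMPLE = [
    Surface("SSH Admin Access", "ssh", True, auth="root-key"),
    Surface("Update API", "https", True, cert="self-signed", auth="token", audited=True, update_channel=True),
    Surface("Local Logging", "file", False, sensitive=True),
    Surface("User API", "http", False, sensitive=True, audited=True, retention_days=30),
]
```

Run `threat_model(EXAMPLE)` to list findings per surface; a non-empty `release_blockers(EXAMPLE)` is the signal a CI stage would turn into a failed build.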
Threat Impacts
• Personal safety, financial safety
• Scaled theft of customer data
• Scaled denial of service
• Scaled theft of service
• Malware
• Intellectual property theft
• Equipment theft