Alex HuttonPrincipal, Risk & Intelligence - Verizon Business

http://securityblog.verizonbusiness.comhttp://www.newschoolsecurity.com

Society of Information Risk Analystshttp://societyinforisk.org/

@alexhutton on the twitter

Threat Modeling

Allison MillerGroup Manager, Account Risk & Security - PayPal

LIVE

what is this presentation about?- new way to look at risk management via

data and threat modeling

what is a model?

what is risk management?

Managing risk means aligning the capabilities of the organization, and the exposure of the organization with the tolerance of the data owners

- Jack Jones

Managing risk means aligning the capabilities of the organization, and the exposure of the organization with the tolerance of the data owners

control, influence over outcome

threats manifest as loss of assets

how much can you afford to lose?

Traditional Risk Management

Find issue, call issue bad, fix issue, hope you don’t find it again...

Traditional Risk Management

emphasis on assessment, compliance...what about security?

Closing the Gap

Between Assessment and Defense

Design

Management

Operations

Design

Evolution strongly favors strategies that minimize the risk of loss, rather than which maximize the chance of gain.

Len FisherRock, Paper, Scissors: Game Theory in Everyday Life

system models are different from maps, they include dynamics and boundaries

Management

risk management that simply reacts to yesterday's news is not risk management at all

Douglas HubbardThe Failure of Risk Management

the importance of feedback loop instrumentation

(that‘s where metrics come from)

Operations

Prediction is very difficult, especially about the future

Niels Bohr

Models in operations tend to assist in automating system decisions, or monitoring for quality defects

This means we need to understand what makes a good decision vs a bad decision

Patterns that can be defined can be detected

…and defining patterns means analyzing lots and lots of data

We don't talk about what we see; we see only what we can talk about

Donella Meadows Thinking in Systems: A Primer

Friederich Hayek invades our dreams to give us visions of a new approach

These “risk” statements you’re making, I don’t think you’re doing it right.

- (Chillin’ Friederich Hayek)

Risk Assessment Current Practice

Dutch Model, Likelihood & Impact statement

very physics/engineering oriented

from Mark Curphey’s SecurityBullshit

ComplexSystems

Complex AdaptiveSystems

Complex Adaptive Systems:

You can’t make point probabilities (sorry ALE) you can only work with patterns of information

How Complex Systems Fail (Being a Short Treatise on the Nature of Failure; How Failure is Evaluated; How Failure is Attributed to Proximate Cause; and the Resulting New Understanding of Patient Safety)

Richard I. Cook, MD Cognitive technologies Laboratory University of Chicago

http://www.ctlab.org/documents/How%20Complex%20Systems%20Fail.pdf

Because we’re dealing with Complex Adaptive Systems

engineering risk statements = bankrupt

(sorry GRC)

We need a new approach

Complex Systems Create a business process

Process is a collection of system interaction (system behavior)

Process has human interaction (human behavior)

instead of R = T x V x I

behavioral analytics &data driven management

evidence based risk management

Verizon has shared data

- 2010 ~ 900 cases- (900 million

records)

Verizon is sharing our framework

Verizon Enterprise Risk & Incident Sharing (VERIS) Framework

it’s open*!

* kinda

What is the Verizon Incident Sharing (VERIS) Framework?

- A means to create metrics from the incident narrative

- how Verizon creates measurements for the DBIR

- how *anyone* can create measurements from an incident

- https://verisframework.wiki.zoho.com

What makes up the VERIS framework?

$ $ $+demographics incident classification (a4)

discovery& mitigation impact classification

1 2 3 4> > >

information about the organization; including their size, location,industry, & securitybudget (implied)

information about the attack (traditional threat model); including (meta) data about agent, action,asset, & security attribute (C/I/A)

information about incident discovery, probable mitigating controls, and rough state of security management.

information about impact categorization (a la’ FAIR & ISO 27005), aggregate estimate of loss (in $), & qualitative description of damage.

49

The Incident Classification section employs Verizon’s A4 event model

A security incident (or threat scenario) is modeled as a series of events. Every event is comprised of the following 4 A’s:

Agent: Whose actions affected the assetAction: What actions affected the asset Asset: Which assets were affectedAttribute: How the asset was affected

1 2 3 4 5> > > >Incident as a chain of events>

Cybertrust Security

$ $ $+demographics incident classification (a4) discovery

& mitigation impact classification

1 2 3 4 5> > > >

incident narrative incident metrics

Cybertrust Security

$ $ $+demographics incident classification (a4) discovery

& mitigation impact classification

1 2 3 4 5> > > >

$ $ $+1 2 3 4 5> > > >

$ $ $+1 2 3 4 5> > > >

$ $ $+1 2 3 4 5> > > >

$ $ $+1 2 3 4 5> > > >

$ $ $+1 2 3 4 5> > > >

case studies data set

a

b

c

d

e

f

Cybertrust Security

behaviors!

$ $ $+1 2 3 4 5> > > >

$ $ $+1 2

3

4 5> > > >

$ $ $+1 2 3 4 5> > > >

$ $ $+1 2 3 4 5> > > >

$ $ $+1 2 3 4 5> > > >

$ $ $+1 2 3 4 5> > > >

the potential for pattern matching

a

b

c

d

e

f

demographics incident classification (a4) discovery& mitigation impact classification

3

Fraud, Incidents, andGood Lord Of The Dance:

creating models for the real management of risk

Fraud

in VERIS we see THREE events.

1 2 3> >

phishing

malware infection

credential theft

in VERIS we see THREE events.

1 2 3> >

phishingmalware infectioncredential exfiltration

in addition we can describe FOUR fraud events

from the initial narrative, we now have a threat event model with SEVEN objects

1 2 3 4 5> > > > 6 7>>

from the initial narrative, we now have a threat event model with SEVEN objects

1 2 3 4 5> > > > 6 7>>

1> AGENT: external, organized crime,

eastern europe

ACTION: social, type: phishing, channel: email, target: end-user

ASSET: human, type: end-user

ATTRIBUTE: integrity

from the initial narrative, we now have a threat event model with SEVEN objects

1 2 3 4 5> > > > 6 7>>

2> AGENT: external, organized crime,

eastern europe

ACTION: malware, type: install additional malware or software

ASSET: end-user device; type: desktop (more meta-data possible)

ATTRIBUTE: integrity

from the initial narrative, we now have a threat event model with SEVEN objects

1 2 3 4 5> > > > 6 7>>

3> AGENT: external, organized crime,

eastern europe

ACTION: malware, type: harvest system information

ASSET: end-user device, type: desktop (more meta-data possible)

ATTRIBUTE: integrity, confidentiality

from the initial narrative, we now have a threat event model with SEVEN objects

1 2 3 4 5> > > > 6 7>>

4> AGENT: external, organized crime,

eastern europe

ACTION: impersonation

from the initial narrative, we now have a threat event model with SEVEN objects

1 2 3 4 5> > > > 6 7>>

5> AGENT: external, organized crime,

eastern europe

ACTION: impersonated transaction

from the initial narrative, we now have a threat event model with SEVEN objects

1 2 3 4 5> > > > 6 7>>

6> AGENT: external, organized crime,

eastern europe

ACTION: Buy goods or transfer funds

from the initial narrative, we now have a threat event model with SEVEN objects

1 2 3 4 5> > > > 6 7>>

7> AGENT: external, organized crime,

eastern europe

ACTION: Goods/Funds extraction

we can study the event model to understand control opportunities

1 2 3 4 5> > > > 6 7>>

end user could have made better choices

we can study the event model to understand control opportunities

1 2 3 4 5> > > > 6 7>>

Wouldn’t it be nice ifend users had desktopDLP?

we can study the event model to understand control opportunities

1 2 3 4 5> > > > 6 7>>

Why is Mrs. Francis Neely, 68 years of age from Lexington, KY suddenly purchasing items from European websites to be shipped to Asia???

$ $ $+1 2 3 4 5> > > >

$ $ $+1 2

3

4 5> > > >

$ $ $+1 2 3 4 5> > > >

$ $ $+1 2 3 4 5> > > >

$ $ $+1 2 3 4 5> > > >

$ $ $+1 2 3 4 5> > > >

the potential for pattern matching and control application

a

b

c

d

e

f

demographics incident classification (a4) discovery& mitigation impact classification

3

if patterns can be defined, they can be stored for later use.

$ $ $+1 2 3 4 5> > > >

$ $ $+1 2

3

4 5> > > >

$ $ $+1 2 3 4 5> > > >

$ $ $+1 2 3 4 5> > > >

$ $ $+1 2 3 4 5> > > >

$ $ $+1 2 3 4 5> > > >

a

b

c

d

e

f

demograp incident discover impact

3

if they can be stored for later use, they can be used to Detect, Respond, and Prevent.

$ $ $+1 2 3 4 5> > > >

$ $ $+1 2

3

4 5> > > >

$ $ $+1 2 3 4 5> > > >

$ $ $+1 2 3 4 5> > > >

$ $ $+1 2 3 4 5> > > >

$ $ $+1 2 3 4 5> > > >

a

b

c

d

e

f

demographic incident classification (a4) discovery impact

3

$ $ $+1 2 3 4 5> > > >

$ $ $+1 234 5> > > >

$ $ $+1 2 3 4 5> > > >

$ $ $+1 2 3 4 5> > > >

$ $ $+1 2 3 4 5> > > >

$ $ $+1 2 3 4 5> > > >

a

b

c

d

e

f

demographics incident classification discovery impact

3

OBLIGATORY QUESTIONS SLIDE

MUCHAS GRACIAS