Archive for April, 2014

Story-Driven Security and Threat Modeling

I continue to expand the Story-Driven Security concept that I discussed a few years back. Over the past six months, I have fleshed out its role in the security program (GrrCON), the method for creating the models (CircleCityCon), using those models to run incident response drills (GrrCON), and finally its use in driving change (BSides Chicago). Below are links to talks that cover these areas. Check it out, give it a try, and please provide me feedback.

Beautiful Models @ GrrCON 2013

We need beautiful models. Models attract and hold your attention. They excite you. They prompt action. And action, excitement, and focus are exactly what is needed to defend IT. By models, of course, we mean threat models. Intricate and beautiful, a good threat model tells a story. It indicates what we are protecting and where the attacks may come from. Done right, modeling highlights both the strengths and weaknesses of our IT. It becomes a means for strengthening and focusing our efforts. We need beautiful models to see what is and what could be. This session will explore threat modeling as part of the secure development lifecycle. A case study will be presented. The stories are real and only the names have been changed to protect the innocent. Beautiful Models answers the question: what is it that makes a threat model beautiful and actionable?

How to create an attack path threat model @ CircleCityCon

Everyone advocates for threat modeling. Few actually do it. This session aims to close that gap by demonstrating the #misec Attack Path methodology. First, we will select and analyze a security incident. Using threat modeling, we will break the incident down into the path the attacker followed through the network. Second, we will perform a tabletop exercise to identify the detective and preventative controls along that path. Using a controls assessment, we can determine our actual defense-in-depth for this particular attack. Third and finally, we will create a security exercise that tests the controls along the path. The session will conclude with a discussion of using the Attack Path for incident response drills.
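To make the three steps concrete, here is a small Python model of an attack path with a controls assessment and an exercise plan derived from it. This is an added example written for this post, not code from the talk or from #misec; the step names, control names and effectiveness flags are constructed sample data standing in for the results of a real incident review and tabletop session.

```python
"""Attack-path controls assessment (added example, constructed data).

Models the three steps of the Attack Path methodology described above:
  1. an incident broken down into the path the attacker followed,
  2. detective and preventative controls mapped onto each step, with the
     tabletop verdict on whether each control actually covered that step,
  3. a security exercise plan that tests each control along the path.
"""
from dataclasses import dataclass, field
from typing import Dict, List

DETECTIVE = "detective"
PREVENTATIVE = "preventative"


@dataclass
class Control:
    name: str
    kind: str               # DETECTIVE or PREVENTATIVE
    effective: bool = True  # tabletop verdict: did this control cover the step?


@dataclass
class PathStep:
    name: str
    controls: List[Control] = field(default_factory=list)

    def effective(self, kind: str) -> List[str]:
        """Names of the controls of the given kind that the tabletop rated effective."""
        return [c.name for c in self.controls if c.kind == kind and c.effective]


def assess_path(path: List[PathStep]) -> Dict[str, Dict[str, object]]:
    """Step 2: per-step coverage by effective detective and preventative controls."""
    report: Dict[str, Dict[str, object]] = {}
    for step in path:
        det = step.effective(DETECTIVE)
        prev = step.effective(PREVENTATIVE)
        report[step.name] = {
            "detective": det,
            "preventative": prev,
            "gap": not det and not prev,  # attacker passes this step unseen and unblocked
        }
    return report


def gaps(path: List[PathStep]) -> List[str]:
    """Steps with no effective control of either kind."""
    return [name for name, r in assess_path(path).items() if r["gap"]]


def depth(path: List[PathStep]) -> int:
    """Actual defense-in-depth: effective controls at the weakest step of the path."""
    return min(len(r["detective"]) + len(r["preventative"])
               for r in assess_path(path).values())


def exercise_plan(path: List[PathStep]) -> List[Dict[str, str]]:
    """Step 3: one test case per control along the path, with the expected outcome."""
    plan = []
    for step in path:
        for c in step.controls:
            if not c.effective:
                expected = "no coverage today; re-test after remediation"
            elif c.kind == DETECTIVE:
                expected = "alert raised"
            else:
                expected = "action blocked"
            plan.append({"step": step.name, "control": c.name,
                         "kind": c.kind, "expected": expected})
    return plan


# Constructed sample path for a generic phishing-to-exfiltration incident.
SAMPLE_PATH = [
    PathStep("phishing email delivered", [
        Control("mail gateway filtering", PREVENTATIVE, effective=False),
        Control("user-reported phish", DETECTIVE),
    ]),
    PathStep("workstation compromised", [
        Control("endpoint protection", PREVENTATIVE, effective=False),
        Control("EDR alert", DETECTIVE),
    ]),
    PathStep("credentials reused on file server", [
        Control("MFA on internal services", PREVENTATIVE, effective=False),
    ]),
    PathStep("data staged and exfiltrated", [
        Control("egress DLP", DETECTIVE),
        Control("proxy allow-list", PREVENTATIVE),
    ]),
]

if __name__ == "__main__":
    print("gaps:", gaps(SAMPLE_PATH))          # the step nobody would see or stop
    print("defense-in-depth:", depth(SAMPLE_PATH))
    for case in exercise_plan(SAMPLE_PATH):
        print(f"{case['step']:40} {case['control']:28} -> {case['expected']}")
```

The point of `depth` is that defense-in-depth for a particular attack is set by the weakest step, not by the total number of controls you own: the sample path has seven controls, but one step has none that work, so its depth is zero and that step is where the drill and the remediation budget should go first.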

Exercising with Threat Models @ GrrCon 2014

Now that we have a threat model, let’s cover using the model to create and execute security exercises.

Aligning Threats and Allies through Stories @ BSides Chicago 2014

Successful defense occurs when the interests of a security team’s stakeholders intersect with the attackers’ actions. This session provides a three-part management methodology to enable defense-in-depth through effective stakeholder and threat management. Internally, the method models the political power of our target audience, the audience coverage of our message, the timing, and the benefits used to influence our audience. Externally, the method models the attacker’s objectives, tactics, techniques, and mitigating controls. Using this story-driven security methodology, we can identify what our allies need, identify what our attackers want, and build business cases to satisfy one while thwarting the other.

(Updated: 2014-06-18 following CircleCityCon)
(Updated: 2014-10-18 following GrrCon)

Friday Books and Talks 04/25/2014

Here are some of the books I enjoyed this week.

Grounded
By Bob Rosen

Internationally renowned CEO advisor Bob Rosen proposes a new approach to leadership in Grounded in which leaders at every level can become more self-aware, develop their untapped potential, and drive better results for themselves, their teams and their organizations. Rosen’s Healthy Leader model highlights six personal dimensions that any leader can master: physical, emotional, intellectual, social, vocational and spiritual health.

The strangeness of scale at Twitter
By Del Harvey

When hundreds of thousands of Tweets are fired every second, a one-in-a-million chance — including unlikely sounding scenarios that could harm users — happens about 500 times a day. For Del Harvey, who heads Twitter’s Trust and Safety Team, these odds aren’t good. The security maven spends her days thinking about how to prevent worst-case scenarios while giving voice to people around the globe. With deadpan humor, she offers a window into how she keeps 240 million users safe.

Friday Books and Talks 04/18/2014

Great Work, Great Career
by Jennifer Colosimo, Stephen R. Covey

Do you have a good career, a mediocre career, or a great career? How do you know? And how do you create a great career? The most respected business thinker of our time, Dr. Stephen R. Covey, and change consultant Jennifer Colosimo offer a complete handbook for anyone seeking answers.

“The energy you invest in regularly and frequently building your village will pay dividends not only in advancing your career, but also in personal satisfaction. You will get into the habit of service, which is the foundation of a great career. With a synergy mindset, you will learn from the best people in your life. And when you need them, they’ll be there for you because you have been there for them.”

“The village you build might ultimately be your greatest career achievement. It might even become the source of great new advances in understanding your field. It’s a natural principle that you cannot achieve anything truly worthwhile alone – at least not in the world of work.”