Attack Trees, Security modelling for Agile Teams Michael Brunton-Spall @bruntonspall
Michael Brunton-Spall He/His/Him Independent Cybersecurity Consultant
Why Security Matters
Michael Brunton-Spall @bruntonspall 05/03/2018 4
Criminal users on the internet
Advanced Persistent Threats
Security is not compliance
Certification, Accreditation: PCI, ISO27001
Agile principles
Individuals and interactions over processes and tools. Working software over comprehensive documentation. Customer collaboration over contract negotiation. Responding to change over following a plan.
Risk methodologies
Component based
IS1, ISO27005, NIST SP-800-30
System based
TOGAF, SABSA, Attack Trees
Component – Pros: Thorough, Exhaustive, Objective
Systemic – Pros: Subjective, Holistic, Interaction focused
Simple Systems – A bike
Complicated systems – A car
Complex Systems – Traffic
We don’t solve motorway congestion by assuring tires
Attack trees
Business needs → System Scope → Threats → Attack Tree Workshop
Understand the business
Work out what’s in scope
Understand the threats
The Workshop
Who are the attackers?
What do they want?
How will they get it?
Workshop the attacks
Build trees
Breadth first
Understand impact of attacks
Ranking 1-6, where each step is often an order of magnitude increase
Cost to the attacker
Complexity of the attack
Consequences on the attacker
Reward to the attacker
Damage to the organisation
How often can it be repeated
Post workshop
Determine countermeasures
In place and planned
Planned countermeasures go on the backlog
Repeat as needed
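The workshop steps above (enumerate attackers and their goals, build the tree breadth first, rank each attack 1-6 on the six factors, then record countermeasures as in place or planned) can be captured in a small model so the ranking is repeatable between iterations. The following is an added example written for this page, not code from the talk or its author. The tree, the leaf scores and the countermeasures are constructed sample data; the aggregation rules (on an order-of-magnitude scale the hardest step of an AND path dominates the attacker's barrier, and risk is attraction minus barrier) are this example's assumptions, not a scoring scheme the talk prescribes.

```python
"""Attack tree as AND/OR nodes over leaf attack steps, each leaf scored 1-6 on
the six workshop factors. In-place countermeasures adjust the scores; planned
ones are turned into backlog items ranked by the risk reduction they would buy.
All scores, names and aggregation rules below are constructed assumptions."""
from dataclasses import dataclass, field
from itertools import product
from typing import Dict, List, Tuple, Union

FACTORS = ("cost", "complexity", "consequences", "reward", "damage", "repeat")


@dataclass
class Countermeasure:
    name: str
    status: str      # "in place" or "planned"
    raises: str      # attacker-side factor it raises: cost/complexity/consequences
    by: int          # ranks added, capped at 6


@dataclass
class Leaf:
    name: str
    scores: Dict[str, int]                      # factor -> rank 1..6
    countermeasures: List[Countermeasure] = field(default_factory=list)

    def effective_scores(self) -> Dict[str, int]:
        """Scores after applying only the countermeasures already in place."""
        s = dict(self.scores)
        for cm in self.countermeasures:
            if cm.status == "in place":
                s[cm.raises] = min(6, s[cm.raises] + cm.by)
        return s


@dataclass
class Node:
    name: str
    kind: str                                    # "OR": any child; "AND": all children
    children: List[Union["Node", Leaf]]


def paths(node) -> List[List[Leaf]]:
    """Every complete attack path (set of leaves) that achieves `node`."""
    if isinstance(node, Leaf):
        return [[node]]
    child_paths = [paths(c) for c in node.children]
    if node.kind == "OR":
        return [p for cp in child_paths for p in cp]
    return [sum(combo, []) for combo in product(*child_paths)]  # AND: one path per child


def leaves(node) -> List[Leaf]:
    return [node] if isinstance(node, Leaf) else [l for c in node.children for l in leaves(c)]


def barrier(path: List[Leaf]) -> int:
    """Attacker-side barrier of a path; the hardest step dominates (assumption)."""
    return max(sum(l.effective_scores()[f] for f in ("cost", "complexity", "consequences"))
               for l in path)


def attraction(path: List[Leaf]) -> int:
    """What draws an attacker down this path: reward, damage and repeatability (assumption)."""
    return max(s["reward"] + s["damage"] + s["repeat"]
               for s in (l.effective_scores() for l in path))


def risk(path: List[Leaf]) -> int:
    return attraction(path) - barrier(path)


def rank_paths(tree: Node) -> List[Tuple[int, str]]:
    """Attack paths ordered from most to least worrying."""
    ranked = [(risk(p), " + ".join(l.name for l in p)) for p in paths(tree)]
    return sorted(ranked, key=lambda r: -r[0])


def backlog(tree: Node) -> List[Tuple[str, str, int]]:
    """Planned countermeasures with the risk reduction each would give its leaf's worst path."""
    items = []
    for leaf in leaves(tree):
        for cm in leaf.countermeasures:
            if cm.status != "planned":
                continue
            before = max(risk(p) for p in paths(tree) if leaf in p)
            cm.status = "in place"                      # simulate, then restore
            after = max(risk(p) for p in paths(tree) if leaf in p)
            cm.status = "planned"
            items.append((cm.name, leaf.name, before - after))
    return sorted(items, key=lambda i: -i[2])


def build_example_tree() -> Node:
    """Constructed sample: goal 'Read customer records' with two routes in."""
    sqli = Leaf("Find injectable parameter",
                dict(cost=2, complexity=3, consequences=2, reward=4, damage=5, repeat=4),
                [Countermeasure("Parameterised queries", "in place", "complexity", 3)])
    dump = Leaf("Dump table via injection",
                dict(cost=1, complexity=2, consequences=3, reward=5, damage=5, repeat=3))
    phish = Leaf("Phish an administrator",
                 dict(cost=2, complexity=2, consequences=3, reward=5, damage=6, repeat=2),
                 [Countermeasure("Phishing-resistant MFA", "planned", "complexity", 4)])
    brute = Leaf("Brute force VPN password",
                 dict(cost=1, complexity=1, consequences=4, reward=5, damage=6, repeat=1),
                 [Countermeasure("Account lockout", "in place", "cost", 2),
                  Countermeasure("Hardware MFA on VPN", "planned", "complexity", 3)])
    return Node("Read customer records", "OR", [
        Node("Exploit web app", "AND", [sqli, dump]),
        Node("Steal admin credentials", "OR", [phish, brute]),
    ])


if __name__ == "__main__":
    tree = build_example_tree()
    for r, name in rank_paths(tree):
        print(f"risk {r:3d}  {name}")
    for cm, leaf, delta in backlog(tree):
        print(f"backlog: {cm} (on '{leaf}') would cut risk by {delta}")
```

Re-running `rank_paths` after a countermeasure is marked in place is the "repeat as needed" step: the ordering changes, and whichever planned item tops `backlog` is the one the product owner can pull into the next sprint with a stated risk reduction rather than a vague "improve security" story.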
Fitting into the agile cycle
Workshop with whole team*
Visible outputs for walls
Threat Actor Personas
Misuse cases
Record decisions against stories
Record deferred security debt
Product Owner is in control
Attack Trees: System based risk methodology, for the whole team, iteratively updated
Any questions? @bruntonspall michael@brunton-spall.co.uk