
Attack Trees, Security modelling for Agile Teams Michael - PowerPoint PPT Presentation



  1. Attack Trees, Security modelling for Agile Teams Michael Brunton-Spall @bruntonspall

  2. Michael Brunton-Spall He/His/Him Independent Cybersecurity Consultant

  3. Why Security Matters

  4. Michael Brunton-Spall @bruntonspall 05/03/2018 4


  8. Criminal users on the internet


  11. Advanced Persistent Threats


  14. Security is not compliance

  15. Certification, Accreditation, PCI, ISO27001


  18. Agile principles

  19. Individuals and interactions over processes and tools. Working software over comprehensive documentation. Customer collaboration over contract negotiation. Responding to change over following a plan.

  20. Risk methodologies

  21. Component based

  22. IS1, ISO27005, NIST SP-800-30

  23. System based

  24. TOGAF, SABSA, Attack Trees

  25. Component – Pros: Thorough, Exhaustive, Objective

  26. Systemic – Pros: Subjective, Holistic, Interaction focused

  27. Simple Systems – A bike

  28. Complicated systems – A car

  29. Complex Systems – Traffic

  30. We don’t solve motorway congestion by assuring tires

  31. Attack trees

  32. Business needs, System Scope, Threats, Attack Tree Workshop

  33. Understand the business

  34. Work out what’s in scope

  35. Understand the threats

  36. The Workshop

  37. Who are the attackers?

  38. What do they want?

  39. How will they get it?

  40. Workshop the attacks

  41. Build trees

  42. Breadth first

  43. Understand impact of attacks

  44. Ranking 1-6, often order of magnitude increase

  45. Cost to the attacker

  46. Complexity of the attack

  47. Consequences on the attacker

  48. Reward to the attacker

  49. Damage to the organisation

  50. How often can it be repeated
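As an added illustration of the six ranking attributes on slides 44-50 (this is not code from the deck or its author), a small attack-tree model in Python: leaves carry the 1-6 ranks, OR/AND nodes aggregate them, and the cheapest path shows the team where a countermeasure pays off first. The sample tree, the "largest obstacle dominates" difficulty rule and the reward-minus-difficulty attractiveness rule are my assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Union
# Every attribute is a rank 1-6 on the deck's scale; each step is roughly an order of magnitude.
@dataclass
class Leaf:
    name: str
    cost: int          # cost to the attacker
    complexity: int    # complexity of the attack
    consequences: int  # consequences on the attacker (e.g. if caught)
    reward: int        # reward to the attacker
    damage: int        # damage to the organisation (recorded for the impact discussion)
    repeatable: int    # how often the attack can be repeated

    def difficulty(self) -> int:
        # Assumption: on an order-of-magnitude scale the largest obstacle dominates.
        return max(self.cost, self.complexity, self.consequences)

@dataclass
class Node:
    name: str
    kind: str                                   # "OR": any child suffices; "AND": all required
    children: List[Union["Node", Leaf]] = field(default_factory=list)

def easiest_path(node):
    """(difficulty, leaf names) of the cheapest way an attacker reaches this node."""
    if isinstance(node, Leaf):
        return node.difficulty(), [node.name]
    results = [easiest_path(c) for c in node.children]
    if node.kind == "OR":
        return min(results, key=lambda r: r[0])
    # AND: every child is needed; on a log scale the hardest step dominates.
    return max(r[0] for r in results), [n for r in results for n in r[1]]

def leaves(node):
    return [node] if isinstance(node, Leaf) else [l for c in node.children for l in leaves(c)]

def rank_leaves(node):
    # Assumption: attractiveness = reward minus difficulty, most attractive first (ties by name).
    return sorted(leaves(node), key=lambda l: (-(l.reward - l.difficulty()), l.name))

# Constructed sample tree for a hypothetical system (not from the deck).
GOAL = Node("Read customer records", "OR", [
    Leaf("Guess weak admin password", cost=1, complexity=2, consequences=3, reward=5, damage=5, repeatable=4),
    Node("Steal and read a backup", "AND", [
        Leaf("Bribe courier", cost=4, complexity=2, consequences=5, reward=5, damage=5, repeatable=1),
        Leaf("Break backup encryption", cost=6, complexity=5, consequences=1, reward=5, damage=5, repeatable=1),
    ]),
    Leaf("Phish a developer's credentials", cost=2, complexity=3, consequences=4, reward=5, damage=5, repeatable=3),
])
```

`easiest_path(GOAL)` names the leaf that the first planned countermeasure should raise in difficulty; re-run after adding it to the tree to see the next cheapest path move.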


  52. Post workshop

  53. Determine countermeasures

  54. In place and planned

  55. Planned countermeasures go on the backlog

  56. Repeat as needed

  57. Fitting into the agile cycle

  58. Workshop with whole team*

  59. Visible outputs for walls

  60. Threat Actor Personas

  61. Misuse cases

  62. Record decisions against stories

  63. Record deferred security debt

  64. Product Owner is in control

  65. Attack Trees: System based risk methodology, for the whole team, iteratively updated

  66. Any questions? @bruntonspall michael@brunton-spall.co.uk
