Syllabus
Adaptive Threat Modeling
If there isn't a reason, stop doing it
It's the reason you're doing this!
Security should always come with purpose and intent
How do we understand threats?
Threat modeling is a procedure for optimizing network security by identifying objectives and vulnerabilities, and then defining countermeasures to prevent or mitigate the effects of threats to the system.
Drawing, documenting, prioritizing
We're not going to cover methodologies
Focus on reality
Clearly define the capabilities of the threat actor
Understand what the true business impact is
Threat Event Frequency
In order to determine risk we need to identify how often
We can do this with a SIEM
Or via custom tooling
Whatever you do, use the data!
Deliver value, focus, and prioritize
You have realized that things change
Start building threat scenarios automatically
Both predictable and irrational behavior can be modeled
Think about a series of requests as a state transition
You can produce Markov chains from behavioral patterns
Use the request information to produce intended and identifiably malicious transition matrices
You can take this incredibly far
Intent and capability are vital to risk analysis
Using these Markov chains, you can show both
Once you identify this you can build your threat models in near real time
This lets you apply controls to scenarios
Active risk registers tell everyone the story
It allows you to be in constant communication with the business
You can't do it all
Learn to focus on what matters
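The syllabus items on treating a series of requests as state transitions and building intended and malicious transition matrices can be sketched as follows. This is an added example, not code from the talk; the request names, the sample sessions, the Laplace smoothing and the log-likelihood-ratio score are all assumptions chosen for illustration.

```python
import math
from collections import defaultdict

# Constructed sample sessions: each is an ordered list of request "states".
INTENDED = [
    ["login", "dashboard", "view_order", "logout"],
    ["login", "dashboard", "view_order", "view_order", "logout"],
    ["login", "dashboard", "edit_profile", "dashboard", "logout"],
]
# Constructed sessions assumed to have been labelled malicious already.
FLAGGED = [
    ["login", "login", "login", "login", "dashboard"],
    ["login", "view_order", "view_order", "view_order", "view_order"],
    ["login", "login", "edit_profile", "edit_profile", "logout"],
]
OTHER = "<other>"  # bucket for request types never seen in training
STATES = sorted({s for sess in INTENDED + FLAGGED for s in sess} | {OTHER})

def transition_matrix(sessions, states=STATES, alpha=1.0):
    """Row-stochastic P[a][b] = P(next=b | current=a), Laplace-smoothed."""
    counts = {a: defaultdict(float) for a in states}
    for sess in sessions:
        for a, b in zip(sess, sess[1:]):
            counts[a][b] += 1
    matrix = {}
    for a in states:
        total = sum(counts[a].values()) + alpha * len(states)
        matrix[a] = {b: (counts[a][b] + alpha) / total for b in states}
    return matrix

def log_likelihood(session, matrix):
    """Log-probability of the session's transitions under one chain."""
    seq = [s if s in matrix else OTHER for s in session]
    return sum(math.log(matrix[a][b]) for a, b in zip(seq, seq[1:]))

def llr(session, intended, flagged):
    """> 0: closer to the flagged chain; < 0: closer to the intended chain."""
    return log_likelihood(session, flagged) - log_likelihood(session, intended)

P_INTENDED = transition_matrix(INTENDED)
P_FLAGGED = transition_matrix(FLAGGED)

if __name__ == "__main__":
    for sess in (["login", "dashboard", "view_order", "logout"],
                 ["login", "login", "login", "view_order", "view_order"]):
        print(sess, round(llr(sess, P_INTENDED, P_FLAGGED), 3))
```

The sign of the score says which chain a session resembles, and its magnitude gives a ranking that can feed the prioritization the syllabus calls for.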
Taught by
NDC Conferences