SLIDE 1
Michael Brunton-Spall @bruntonspall
Michael Brunton-Spall @bruntonspall
Attack Trees, Security modelling for Agile Teams Michael - - PowerPoint PPT Presentation
Attack Trees, Security modelling for Agile Teams Michael - - PowerPoint PPT Presentation
Attack Trees, Security modelling for Agile Teams Michael Brunton-Spall @bruntonspall Michael Brunton-Spall He/His/Him Independent Cybersecurity Consultant Michael Brunton-Spall @bruntonspall Why Security Matters Michael Brunton-Spall
SLIDE 2
SLIDE 3
Michael Brunton-Spall @bruntonspall
Why Security Matters
SLIDE 4
05/03/2018 4
Michael Brunton-Spall @bruntonspall
SLIDE 5
05/03/2018 5
Michael Brunton-Spall @bruntonspall
SLIDE 6
05/03/2018 6
Michael Brunton-Spall @bruntonspall
SLIDE 7
05/03/2018 7
Michael Brunton-Spall @bruntonspall
SLIDE 8
Michael Brunton-Spall @bruntonspall
Criminal users on the internet
SLIDE 9
Michael Brunton-Spall @bruntonspall
SLIDE 10
Michael Brunton-Spall @bruntonspall
SLIDE 11
Michael Brunton-Spall @bruntonspall
Advanced Persistent Threats
SLIDE 12
Michael Brunton-Spall @bruntonspall
SLIDE 13
Michael Brunton-Spall @bruntonspall
SLIDE 14
Michael Brunton-Spall @bruntonspall
Security is not compliance
SLIDE 15
Michael Brunton-Spall @bruntonspall
Certification Accreditation PCI ISO27001
SLIDE 16
05/03/2018 18
Michael Brunton-Spall @bruntonspall
SLIDE 17
05/03/2018 19
Michael Brunton-Spall @bruntonspall
SLIDE 18
Michael Brunton-Spall @bruntonspall
Agile principles
SLIDE 19
Michael Brunton-Spall @bruntonspall
In Individuals and in interactions over processes and tools Work rking soft ftware over comprehensive documentation Customers collaboration over contract negotiation Responding to change over following a plan
SLIDE 20
Michael Brunton-Spall @bruntonspall
Risk methodologies
SLIDE 21
Michael Brunton-Spall @bruntonspall
Component based
SLIDE 22
Michael Brunton-Spall @bruntonspall
IS1, ISO27005, NIST SP-800-30
SLIDE 23
Michael Brunton-Spall @bruntonspall
System based
SLIDE 24
Michael Brunton-Spall @bruntonspall
TOGAF, SABSA, Attack Trees
SLIDE 25
Michael Brunton-Spall @bruntonspall
Component Pro’s Thorough, Exhaustive, Objective
SLIDE 26
Michael Brunton-Spall @bruntonspall
Systemic – Pro’s Subjective, Holistic, Interaction focused
SLIDE 27
Michael Brunton-Spall @bruntonspall
Simple Systems – A bike
SLIDE 28
Michael Brunton-Spall @bruntonspall
Complicated systems – A car
SLIDE 29
Michael Brunton-Spall @bruntonspall
Complex Systems - Traffic
SLIDE 30
Michael Brunton-Spall @bruntonspall
We don’t solve motorway congestion by assuring tires
SLIDE 31
Michael Brunton-Spall @bruntonspall
Attack trees
SLIDE 32
Michael Brunton-Spall @bruntonspall
Attack Tree Workshop System Scope Business needs Threats
SLIDE 33
Michael Brunton-Spall @bruntonspall
Understand the business
SLIDE 34
Michael Brunton-Spall @bruntonspall
Work out what’s in scope
SLIDE 35
Michael Brunton-Spall @bruntonspall
Understand the threats
SLIDE 36
Michael Brunton-Spall @bruntonspall
The Workshop
SLIDE 37
Michael Brunton-Spall @bruntonspall
Who are the attackers?
SLIDE 38
Michael Brunton-Spall @bruntonspall
What do they want?
SLIDE 39
Michael Brunton-Spall @bruntonspall
How will they get it?
SLIDE 40
05/03/2018 42
Michael Brunton-Spall @bruntonspall
Workshop the attacks
SLIDE 41
05/03/2018 43
Michael Brunton-Spall @bruntonspall
Build trees
SLIDE 42
Michael Brunton-Spall @bruntonspall
Breadth first
SLIDE 43
Michael Brunton-Spall @bruntonspall
Understand impact of attacks
SLIDE 44
Michael Brunton-Spall @bruntonspall
Ranking 1-6, often order of magnitude increase
SLIDE 45
Michael Brunton-Spall @bruntonspall
Cost to the attacker
SLIDE 46
Michael Brunton-Spall @bruntonspall
Complexity of the attack
SLIDE 47
Michael Brunton-Spall @bruntonspall
Consequences on the attacker
SLIDE 48
Michael Brunton-Spall @bruntonspall
Reward to the attacker
SLIDE 49
Michael Brunton-Spall @bruntonspall
Damage to the organisation
SLIDE 50
Michael Brunton-Spall @bruntonspall
How often can it be repeated
SLIDE 51
05/03/2018 53
Michael Brunton-Spall @bruntonspall
SLIDE 52
Michael Brunton-Spall @bruntonspall
Post workshop
SLIDE 53
Michael Brunton-Spall @bruntonspall
Determine countermeasures
SLIDE 54
Michael Brunton-Spall @bruntonspall
In place and planned
SLIDE 55
Michael Brunton-Spall @bruntonspall
Planned countermeasures go
- n the backlog
SLIDE 56
Michael Brunton-Spall @bruntonspall
Repeat as needed
SLIDE 57
Michael Brunton-Spall @bruntonspall
Fitting into the agile cycle
SLIDE 58
Michael Brunton-Spall @bruntonspall
Workshop with whole team*
SLIDE 59
Michael Brunton-Spall @bruntonspall
Visible outputs for walls
SLIDE 60
Michael Brunton-Spall @bruntonspall
Threat Actor Personas
SLIDE 61
Michael Brunton-Spall @bruntonspall
Misuse cases
SLIDE 62
Michael Brunton-Spall @bruntonspall
Record decisions against stories
SLIDE 63
Michael Brunton-Spall @bruntonspall
Record deferred security debt
SLIDE 64
Michael Brunton-Spall @bruntonspall
Product Owner is in control
SLIDE 65
Michael Brunton-Spall @bruntonspall
Attack Trees: System based risk methodology, for the whole team, iteratively updated
SLIDE 66
Michael Brunton-Spall @bruntonspall