SlideShare a Scribd company logo

Corporate Threat Modeling v2

SensePost, profile picture
SensePost

The document discusses the concepts of Single Loss Expectancy (SLE) and Annual Loss Expectancy (ALE) and how to calculate them to assess risk. It outlines a methodology for threat modeling, including identifying security objectives, creating application overviews, decomposing applications, identifying threats and vulnerabilities. Additionally, it emphasizes the iterative process of risk assessment and the importance of conducting various tests to evaluate the effectiveness of threat management.

TechnologyBusiness
1 of 64
Downloaded 24 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
1
2
3
4
5
6
7
Single loss expectancy (SLE) is the value you expect to lose each time a risk occurs. You calculate SLE by using the following formula: SLE = AV x EF 8
Single loss expectancy (SLE) is the value you expect to lose each time a risk occurs. You calculate SLE by using the following formula: SLE = AV x EF 9
Annual loss expectancy (ALE) is the value you expect to lose to a given risk each year. You calculate ALE by using the following formula: ALE = SLE x ARO 10
Annual loss expectancy (ALE) is the value you expect to lose to a given risk each year. You calculate ALE by using the following formula: ALE = SLE x ARO 11
Annual loss expectancy (ALE) is the value you expect to lose to a given risk each year. You calculate ALE by using the following formula: ALE = SLE x ARO 12
13
14
15
16
17
18
Microsoft says: Provides a consistent methodology for objectively identifying and evaluating threats to applications. Translates technical risk to business impact. Empowers a business to manage risk. Creates awareness among teams of security dependencies and assumptions. 19
20
Step 1: Identify security objectives. Clear objectives help you to focus the threat modeling activity and determine how much effort to spend on subsequent steps. Step 2: Create an application overview. Itemizing your application's important characteristics and actors helps you to identify relevant threats during step 4. Step 3: Decompose your application. A detailed understanding of the mechanics of your application makes it easier for you to uncover more relevant and more detailed threats. Step 4: Identify threats. Use details from steps 2 and 3 to identify threats relevant to your application scenario and context. Step 5: Identify vulnerabilities. Review the layers of your application to identify weaknesses related to your threats. Use vulnerability categories to help you focus on those areas where mistakes are most often made. 21
22
23
24
25
26
Would prefer to use a diagram here 27
28
29
30
31
32
33
34
35
36
Define Locations, Interfaces & Users (Trust Levels) But not “assets”, as organizations are too complex Create a map showing how Locations, Users and Interfaces relate Users are restricted to locations Interfaces are exposed to locations 37
Risks are gleamed from three sources Analyst Experience Organizational History Group Brainstorming Each Risk has key elements Likelihood Impact Use an iterative process to describe the Risk, apply it to an Interface, then refine as required A new Risk is added if: Likelihood or Impact differs The required defense is likely to differ 38
This creates a Threat Vector Directly linked: What Interfaces could this Risk Impact? Indirectly linked: What Trust Level is required? At which location would such Users be found? 39
The Threat Vector therefore becomes a 4-Tuple Risk, Interface, Location, User A many-to-many relation means the number of Threat Vectors scales linearly 40
Tests could be any of Focused Technical Tests E.g. Penetration Test Sample Data Drawn from existing monitoring systems e.g. Incident Logs or previous assessments Interviews Conducted with relevant individuals or teams Policy and procedure reviews Research Drawing on external sources The more tests are conducted the more certainty we have However, the most ‘efficient’ tests are easily calculated by considering the Weights of all the Threat Vectors impacted 41
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66

More Related Content

DOCX
Cloud security part two
EbenezerKotapuriFIEI
 
PPTX
6 Most Popular Threat Modeling Methodologies
EC-Council
 
PPTX
Threat modeling
Ankita Ganguly
 
PDF
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...
EC-Council
 
PPTX
Cyber Threat Modeling
EC-Council
 
PPTX
Threat Modeling And Analysis
Lalit Kale
 
PPTX
Appsec2013 assurance tagging-robert martin
drewz lin
 
PPTX
Enterprise-wide Risk Assessment Presentation, dated 03-08-11
wcooling
 
Cloud security part two
EbenezerKotapuriFIEI
 
6 Most Popular Threat Modeling Methodologies
EC-Council
 
Threat modeling
Ankita Ganguly
 
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...
EC-Council
 
Cyber Threat Modeling
EC-Council
 
Threat Modeling And Analysis
Lalit Kale
 
Appsec2013 assurance tagging-robert martin
drewz lin
 
Enterprise-wide Risk Assessment Presentation, dated 03-08-11
wcooling
 

Similar to Corporate Threat Modeling v2 (20)

PDF
Session2-Application Threat Modeling
zakieh alizadeh
 
PPTX
Fendley how secure is your e learning
Bryan Fendley
 
PPTX
Threat modelling
Rajeev Venkata
 
PPT
Ch09 Performing Vulnerability Assessments
Information Technology
 
PDF
w-cyber-risk-modeling Owasp cyber risk quantification 2018
Open Security Summit
 
PDF
McAfee Labs 2017 Threats Predictions
Matthew Rosenquist
 
PDF
20160831_app_storesecurity_Seminar
Jisoo Park
 
DOCX
Risk Management Insight FAIR(FACTOR ANA.docx
madlynplamondon
 
PDF
HARM Score: Approaches to Quantitative Risk Analysis for Web Applications
Cenzic
 
DOCX
Introductory Physics Electrostatics Practice Problems Spring S.docx
bagotjesusa
 
PPTX
OWASP Risk Rating Methodology.pptx
Chandan Singh Ghodela
 
PPTX
Modeling application risk at scale @ netflix
Scott Behrens
 
PPTX
3- Security Risk Analysis and Management.pptx
ssusercb1c87
 
PDF
Vulnerability Scanning Techniques and Vulnerability scores & exposures
LearningwithRayYT
 
DOCX
Risk Management Insight FAIR(FACTOR AN.docx
tarifarmarie
 
PPTX
How to Build and Validate Ransomware Attack Detections (Secure360)
Scott Sutherland
 
PPTX
The security mindset securing social media integrations and social learning...
franco_bb
 
DOCX
Risk Management Insight FAIR(FACTOR AN.docx
boadverna
 
DOCX
Risk Management Insight FAIR(FACTOR AN.docx
adkinspaige22
 
DOCX
Risk Management Insight FAIR(FACTOR ANA
troutmanboris
 
Session2-Application Threat Modeling
zakieh alizadeh
 
Fendley how secure is your e learning
Bryan Fendley
 
Threat modelling
Rajeev Venkata
 
Ch09 Performing Vulnerability Assessments
Information Technology
 
w-cyber-risk-modeling Owasp cyber risk quantification 2018
Open Security Summit
 
McAfee Labs 2017 Threats Predictions
Matthew Rosenquist
 
20160831_app_storesecurity_Seminar
Jisoo Park
 
Risk Management Insight FAIR(FACTOR ANA.docx
madlynplamondon
 
HARM Score: Approaches to Quantitative Risk Analysis for Web Applications
Cenzic
 
Introductory Physics Electrostatics Practice Problems Spring S.docx
bagotjesusa
 
OWASP Risk Rating Methodology.pptx
Chandan Singh Ghodela
 
Modeling application risk at scale @ netflix
Scott Behrens
 
3- Security Risk Analysis and Management.pptx
ssusercb1c87
 
Vulnerability Scanning Techniques and Vulnerability scores & exposures
LearningwithRayYT
 
Risk Management Insight FAIR(FACTOR AN.docx
tarifarmarie
 
How to Build and Validate Ransomware Attack Detections (Secure360)
Scott Sutherland
 
The security mindset securing social media integrations and social learning...
franco_bb
 
Risk Management Insight FAIR(FACTOR AN.docx
boadverna
 
Risk Management Insight FAIR(FACTOR AN.docx
adkinspaige22
 
Risk Management Insight FAIR(FACTOR ANA
troutmanboris
 
Ad

More from SensePost (20)

PDF
objection - runtime mobile exploration
SensePost
 
PPTX
Vulnerabilities in TN3270 based Application
SensePost
 
PDF
Ruler and Liniaal @ Troopers 17
SensePost
 
PDF
Introducing (DET) the Data Exfiltration Toolkit
SensePost
 
PPTX
ZaCon 2015 - Zombie Mana Attacks
SensePost
 
PPTX
Improvement in Rogue Access Points - SensePost Defcon 22
SensePost
 
PDF
Heartbleed Overview
SensePost
 
PDF
Botconf 2013 - DNS-based Botnet C2 Server Detection
SensePost
 
PPTX
Rat a-tat-tat
SensePost
 
PDF
Hacking Z-Wave Home Automation Systems
SensePost
 
PPTX
Offence oriented Defence
SensePost
 
PPTX
Threats to machine clouds
SensePost
 
PPTX
Inside .NET Smart Card Operating System
SensePost
 
PDF
SNMP : Simple Network Mediated (Cisco) Pwnage
SensePost
 
PPT
Its Ok To Get Hacked
SensePost
 
PPT
Web Application Hacking
SensePost
 
PDF
Putting the tea back into cyber terrorism
SensePost
 
PPT
Major global information security trends - a summary
SensePost
 
PPT
Attacks and Defences
SensePost
 
PPTX
State of the information security nation
SensePost
 
objection - runtime mobile exploration
SensePost
 
Vulnerabilities in TN3270 based Application
SensePost
 
Ruler and Liniaal @ Troopers 17
SensePost
 
Introducing (DET) the Data Exfiltration Toolkit
SensePost
 
ZaCon 2015 - Zombie Mana Attacks
SensePost
 
Improvement in Rogue Access Points - SensePost Defcon 22
SensePost
 
Heartbleed Overview
SensePost
 
Botconf 2013 - DNS-based Botnet C2 Server Detection
SensePost
 
Rat a-tat-tat
SensePost
 
Hacking Z-Wave Home Automation Systems
SensePost
 
Offence oriented Defence
SensePost
 
Threats to machine clouds
SensePost
 
Inside .NET Smart Card Operating System
SensePost
 
SNMP : Simple Network Mediated (Cisco) Pwnage
SensePost
 
Its Ok To Get Hacked
SensePost
 
Web Application Hacking
SensePost
 
Putting the tea back into cyber terrorism
SensePost
 
Major global information security trends - a summary
SensePost
 
Attacks and Defences
SensePost
 
State of the information security nation
SensePost
 
Ad

Recently uploaded (20)

PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
KodekX | Application Modernization Development
KodekX
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Approach and Philosophy of On baking technology
30anthuong17
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Encapsulation theory and applications.pdf
gurumoop
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Cloud computing and distributed systems.
kkkkkhan
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 

Corporate Threat Modeling v2

  • 1. 1
  • 2. 2
  • 3. 3
  • 4. 4
  • 5. 5
  • 6. 6
  • 7. 7
  • 8. Single loss expectancy (SLE) is the value you expect to lose each time a risk occurs. You calculate SLE by using the following formula: SLE = AV x EF 8
  • 9. Single loss expectancy (SLE) is the value you expect to lose each time a risk occurs. You calculate SLE by using the following formula: SLE = AV x EF 9
  • 10. Annual loss expectancy (ALE) is the value you expect to lose to a given risk each year. You calculate ALE by using the following formula: ALE = SLE x ARO 10
  • 11. Annual loss expectancy (ALE) is the value you expect to lose to a given risk each year. You calculate ALE by using the following formula: ALE = SLE x ARO 11
  • 12. Annual loss expectancy (ALE) is the value you expect to lose to a given risk each year. You calculate ALE by using the following formula: ALE = SLE x ARO 12
  • 13. 13
  • 14. 14
  • 15. 15
  • 16. 16
  • 17. 17
  • 18. 18
  • 19. Microsoft says: Provides a consistent methodology for objectively identifying and evaluating threats to applications. Translates technical risk to business impact. Empowers a business to manage risk. Creates awareness among teams of security dependencies and assumptions. 19
  • 20. 20
  • 21. Step 1: Identify security objectives. Clear objectives help you to focus the threat modeling activity and determine how much effort to spend on subsequent steps. Step 2: Create an application overview. Itemizing your application's important characteristics and actors helps you to identify relevant threats during step 4. Step 3: Decompose your application. A detailed understanding of the mechanics of your application makes it easier for you to uncover more relevant and more detailed threats. Step 4: Identify threats. Use details from steps 2 and 3 to identify threats relevant to your application scenario and context. Step 5: Identify vulnerabilities. Review the layers of your application to identify weaknesses related to your threats. Use vulnerability categories to help you focus on those areas where mistakes are most often made. 21
  • 22. 22
  • 23. 23
  • 24. 24
  • 25. 25
  • 26. 26
  • 27. Would prefer to use a diagram here 27
  • 28. 28
  • 29. 29
  • 30. 30
  • 31. 31
  • 32. 32
  • 33. 33
  • 34. 34
  • 35. 35
  • 36. 36
  • 37. Define Locations, Interfaces & Users (Trust Levels) But not “assets”, as organizations are too complex Create a map showing how Locations, Users and Interfaces relate Users are restricted to locations Interfaces are exposed to locations 37
  • 38. Risks are gleamed from three sources Analyst Experience Organizational History Group Brainstorming Each Risk has key elements Likelihood Impact Use an iterative process to describe the Risk, apply it to an Interface, then refine as required A new Risk is added if: Likelihood or Impact differs The required defense is likely to differ 38
  • 39. This creates a Threat Vector Directly linked: What Interfaces could this Risk Impact? Indirectly linked: What Trust Level is required? At which location would such Users be found? 39
  • 40. The Threat Vector therefore becomes a 4-Tuple Risk, Interface, Location, User A many-to-many relation means the number of Threat Vectors scales linearly 40
  • 41. Tests could be any of Focused Technical Tests E.g. Penetration Test Sample Data Drawn from existing monitoring systems e.g. Incident Logs or previous assessments Interviews Conducted with relevant individuals or teams Policy and procedure reviews Research Drawing on external sources The more tests are conducted the more certainty we have However, the most ‘efficient’ tests are easily calculated by considering the Weights of all the Threat Vectors impacted 41
  • 42. 44
  • 43. 45
  • 44. 46
  • 45. 47
  • 46. 48
  • 47. 49
  • 48. 50
  • 49. 51
  • 50. 52
  • 51. 53
  • 52. 54
  • 53. 55
  • 54. 56
  • 55. 57
  • 56. 58
  • 57. 59
  • 58. 60
  • 59. 61
  • 60. 62
  • 61. 63
  • 62. 64
  • 63. 65
  • 64. 66