Threat Modeling Jeffrey A. Ingalsbe Security Consulting and Strategic Research Ford Motor Company (313) 390-9278 jingalsb@ford.com
The Problem(s) • Security was viewed as IT’s responsibility • Security was viewed as an add-on or a burden • Internal Business customers were adversarial • Internal Business customers were absent • Auditability of the SDLC was poor • The same vulnerabilities were not going away • There was no “dial” for controls • It was difficult to talk to lawyers about risk • The intranet was considered “safe” • Employees were “trusted”
One Solution: Threat Modeling • Threat Modeling is: • A repeatable process • Collaborative • Proactive • Executed during the design phase (mostly) • Risk quantifying • Business empowering • Awareness raising
Ford’s Journey • Piloted Microsoft’s TAM tool in 2005 • Rolled out Threat Modeling as a service in 2007 • Launched “Fast Pass” Threat Modeling in 2008 • Piloting Microsoft’s SDLTM tool in 2009
Terms • Model: Representation of reality constructed using Roles, Data, and Components, used to build Use Cases, generate Threats, analyze Risk, and develop a Risk Response. • Use Case: Not a UML use case. A higher-level interaction between people and the components of your system involving data to achieve some business objective. • Threat: Potential unintended event which may occur within a use case. There are three kinds of threats according to the Microsoft tools: threats to Confidentiality, threats to Integrity, and threats to Availability. NOTE: A threat doesn’t have to be malicious! • Risk: The aggregate of discoverability, reproducibility, exploitability, affected users, and damage potential (DREAD). • Risk Response: Planned action to address risk. You can Reduce, Transfer, Avoid, Accept.
Participants • Business owners • First and foremost • SMEs • Architects • Developers • Application owners • Infrastructure owners • IT Security • Threat modelers • CIRT • Forensics • Encryption • Authentication
Time Commitment • Minimum • 7 calendar days • 3 half-day meetings with the entire team • 2 full days of work for security members • Maximum • 4 to 6 calendar weeks • 4 to 6 half-day meetings with the entire team • 1 or 2 full days of work for security members
Process • Identify business objectives • Set scope • Construct model • Roles • Data • Components • Use cases • Generate threats • Analyze threats • Determine Risk Responses • Report out • Improve process
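The flow from the Terms and Process slides (use cases, generated threats, DREAD risk, risk response), as an added Python example that is not part of the original deck or of Microsoft's tools. The class and function names, the 1-10 rating scale, the mean as the DREAD aggregate, and the sample use cases are assumptions made for illustration.

```python
from dataclasses import dataclass
from itertools import product

KINDS = ("Confidentiality", "Integrity", "Availability")  # threat kinds named on the Terms slide
DREAD = ("damage", "reproducibility", "exploitability", "affected_users", "discoverability")
RESPONSES = ("Reduce", "Transfer", "Avoid", "Accept")     # risk responses named on the Terms slide

@dataclass(frozen=True)
class UseCase:  # hypothetical structure: a role acting on data through a component
    role: str
    action: str
    component: str
    data: str

def generate_threats(use_cases):
    """'Generate threats' step: one candidate per (use case, threat kind)."""
    return list(product(use_cases, KINDS))

def dread_score(ratings):
    """Aggregate the five DREAD ratings. Assumption: 1-10 scale, arithmetic mean."""
    if set(ratings) != set(DREAD):
        raise ValueError(f"need exactly these ratings: {DREAD}")
    if not all(1 <= ratings[k] <= 10 for k in DREAD):
        raise ValueError("ratings must be in 1..10")
    return sum(ratings.values()) / len(DREAD)

def risk_register(use_cases, analysis):
    """Return (rows ranked by risk, generated threats lacking analysis or a valid response)."""
    rows, open_items = [], []
    for threat in generate_threats(use_cases):
        entry = analysis.get(threat)
        if entry is None or entry["response"] not in RESPONSES:
            open_items.append(threat)  # nothing generated is silently dropped
            continue
        rows.append((dread_score(entry["ratings"]), threat, entry["response"]))
    rows.sort(key=lambda r: r[0], reverse=True)
    return rows, open_items

# Constructed sample model and ratings (not from the slides).
UPLOAD = UseCase("Supplier", "uploads", "Web portal", "Invoice")
VIEW = UseCase("Clerk", "views", "Web portal", "Invoice")
ANALYSIS = {
    (UPLOAD, "Integrity"): {"response": "Reduce", "ratings": dict(zip(DREAD, (8, 6, 5, 7, 4)))},
    (VIEW, "Confidentiality"): {"response": "Accept", "ratings": dict(zip(DREAD, (3, 2, 2, 4, 4)))},
    (VIEW, "Availability"): {"response": "Ignore", "ratings": dict(zip(DREAD, (2, 2, 2, 2, 2)))},
}

if __name__ == "__main__":
    ranked, todo = risk_register([UPLOAD, VIEW], ANALYSIS)
    for score, (uc, kind), response in ranked:
        print(f"{score:4.1f}  {kind:<15} {uc.role} {uc.action} {uc.data} -> {response}")
    print(f"{len(todo)} generated threats still need analysis or a valid response")
```

The open-items list is what makes the exercise auditable: a threat with no ratings, or with a response outside Reduce/Transfer/Avoid/Accept, stays visible instead of disappearing from the report.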
Results • Used threat modeling to reduce risk on strategically important IT projects. • Saved significant calendar time on processing launch related IT work. • Optimized process and applied to pilots, PoCs, and processes. • Raised awareness on risk-based decision making. • Taught people to fish. • Moved the needle with several important business customers (specifically the OGC).
Questions