Transcript of Continuous Assurance Using Data Threat Modeling
1
Continuous Assurance Using Data Threat Modeling
Fouad Khalil, Vice President of Compliance, SecurityScorecard
2
Agenda
• What’s new?
• All about the Data
• Background
• Current state
• Regulatory perspective
• Threat Modeling Case Study
• Continuous Assurance
• Putting all this into practice
• Q & A
3
Latest Headlines
• Facebook prime example of privacy scandals (dating back to 2005); most recent potential $1.6B fine – Ireland Data Regulator
• British Airways PCI compliant but breached…
• Bupa fined for malicious insider privacy breach (£175,000 by UK regulators for “systematic data protection failures”)
• Google exposed private data of 1000s of Google+ users. Still under investigation.
4
A Quick Look Ahead
• Connected clouds (private, public, hybrid)
• Blockchain finally understood but a mess
• Data analytics, Machine Learning, AI
• GDPR a global trend – companies measured by compliance
• Economy boom into 2019, but 2020 is a bit questionable
5
Are We Exposed?
• 45% of IoT buyers concerned about security (Bain & Co)
• 90% say IoT devices pose moderate to significant risk (Bain & Co)
• IoT market size expected to reach $457B by 2020 (Growthenabler)
• SaaS application security architectures are broken
• New Compliance requirements and penalties drive pain level higher
• So many open or misconfigured servers in the cloud (Tesla, Walmart)
8
Best example of protected data? GDPR of course!!
Basic Information:
• Beliefs, thoughts, political allegiance, etc.
• Credentials (for authentication)
• Preferences and interests
Financial Information:
• Accounts, financial status
• Ownership, structures
• Transactions, patterns
• Credit history
Social Information:
• Professional, career
• Criminal record
• Public life
• Family and relationships
• Social network
• Private communications
Real Time Data:
• Device-dependent tracking
• Contact information
• Location-based, e.g. geotagging
• Behavioral, i.e. usage patterns
Added Information:
• Unique or semi-unique identifiers
• Ethnicity
• Sexual preferences
• Behavioral patterns
• Age, health, geography etc.
• Medical / health
• Physical data
Historical Information:
• Individual life experience
• Notable events
• Patterns allowing inference
• Etc.
9
SIG
GDPR
NY DFS
CA Privacy
HIPAA
ISO27K
SAMA
HiTrust
NIST 800-171
ISAE 3402
SOC2
NERC CIP
NESA
NIST CSF
PCI DSS
TISAX
EU Cyber Cert
CSA CMM
TruSight
MASPII legislations
DRAFT Digital Data Governance
CPS 234
Ghana Cyber Policy
Data Protection Regs
Cybersecurity law
Digital Privacy Act
NIST 800-53
FedRamp
PSD2
COBIT5
10
Background – All About the Data
• Enterprise competitiveness, regulatory considerations, process maturity
• Data is a key consideration in managing and monitoring risk
• Manage changes to minimize risk
• Apply application threat modeling principles to data
• Methodically analyze applications to identify and map threats post-production – take an attacker’s viewpoint
11
All About the Data
• Competition
• Regulations
• Customer Engagements
• Pursuit of new Markets
• Maturity & Resiliency
Factor in everything of significance: The DATA!!
12
What Data changes to monitor
• Continuous changes affect the level of risk to data
• Changes in context, environmental factors and the threat landscape
• What data changes to monitor (listing a few)
o How the data is used
o How the data is protected (new, changed or removed controls)
o Threats to which the data is likely to be exposed
o New or modified business activities that change the impact if a compromise now occurs
13
Adopt a Hacker’s view
• Fairly easy to understand why
• Enterprises want to know how to realize the hacker’s vision
• The attacker sees data as a target accessible through a number of pathways
• Data is profit for hackers and breach potential for us
• A threat modeling exercise can help systematically evaluate an application
• Application threat modeling has developed as a discipline within application security strategy
14
How Does Application Threat Modeling help?
• Assists in developing applications that are robust, resilient and hardened
• Maps the threats applications might encounter in production
• Enables addressing threats and monitoring conditions that affect data over time
• Enables better tracking of changes in data that affect risk
• Provides better visibility into data that intersects with the supply chain
• Enterprises use this model to understand the state of data (stored, transmitted or processed)
15
The Current State
• Best to understand the existing conditions that pertain to data
• Two parallel transformations make this a thorny problem:
o Practical challenges in data management as data proliferates
o Legal, regulatory and other mandatory requirements that govern how data is (or can be) used
• Practical challenges – how data is stored, processed and transmitted is changing:
o Data consolidation: denser data due to new data processing methods and increased analytical capabilities
o Data ubiquity: data becoming more pervasive – it spreads throughout the enterprise
o Data expansion: data becoming more plentiful
o Processing parallelization: data increasingly being processed in parallel
16
Beyond the current state
• Organizations are witnessing transformations that depend on their business activities, industry and regulatory constraints.
• Even organizations with an accurate and solid inventory of assets may have a less clear idea of their data processing.
• A poor data inventory costs resources and time, and the problem compounds as data accumulates.
• As enterprises become more externalized (supply chain), the challenges compound as new players come into play.
17
Regulatory requirements add to challenges• Several regulations and standards impact data in difficult ways
• GDPR pertains to data that intersects with operations performed in EU
• California was the first US state to enact a GDPR-like privacy law
• Breach disclosure requirements specify the what, how and when to notify of a breach
• Industry specific standards add to the challenge such as PCI DSS, HIPAA, HITECH.
18
Threat Modeling Case Study
Objectives:
1. Case study example based on Antonio Fontes’s “Threat Modeling: Detecting Web Application Threats Before Coding”
2. Understand the concept of Threat Modeling
3. Build an actionable Threat Model
4. Know when to build a threat model and how to document it
19
Threat Model Case Study
Newspaper that uses a standard news distribution channel
• They host a website on which articles are posted all day by the online editor
• They distribute a printed journal every day of the week
• Content on the website is free
• The printed version is sold
20
Threat Model Case Study - Continued
• The company has decided to also sell an electronic edition of the newspaper
• Access to the content must be restricted to authorized customers
• The team is designing a feature to enable users to authenticate to access their account for payment
• The board is worried about the threats associated with this decision
21
Threat Modeling Steps
Understand the application
• Review Business Requirements
• Comprehend application configuration (technologies, architecture, functionalities, components)
• Role of the application in the organization
• Be clear on the objectives/drivers
o Stay compliant
o Protect against hackers
o Never want the system to be compromised
o Protect user privacy
o Avoid system downtime
22
Threat Modeling Steps
Understand the application…
• What are the use cases (how is the application used)?
• How are users authenticated?
• Understand the data classification
• Understand the data flow…especially financial flow
23
Threat Modeling Steps
Identify Potential Threat Sources
• Based on what we know, who might be interested in compromising the system?
• Perform research to identify other sources (media, business owners, users)
• List all potential threats
o Hackers
o Untrained employees
o Disgruntled employees
o Government
o And so on...
24
Threat Modeling Steps
Identify Major Threat Sources
• Identify threat triggers
• Understand the complete scenario
• Understand the likelihood
• Understand the impact
• Finalize the major threat model
o Threat, Source, Description of attack
25
Threat Modeling Steps
Identify Controls
• Document each threat with its identified sources and attack description
• Develop controls to mitigate the likelihood and impact of the threat
o Ensure controls are designed effectively
• Make recommendations on controls and their prioritization
o Based on asset criticality and threat likelihood and impact
26
Threat Model - Sample

Threat                          Source                Description                                                                                             Likelihood   Control
Denial of Service Attack        Hacker                Perpetrator seeks to make a system unavailable by disrupting services of a host connected to the Internet
Stealing Intellectual Property  Disgruntled Employee  Copying data due to authorized access
Stealing Customer Data          Competitor            Social Engineering attack

(The Likelihood and Control columns are left blank on the slide.)
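The steps above (document the threat, source and attack, assign likelihood and impact, add controls, then prioritize by asset criticality and residual risk) can be kept as a small machine-readable register rather than a static slide table. The following is an added example, not code from the talk or from SecurityScorecard; it fills in the blank Likelihood and Control columns of the sample table with assumed 1-5 scores and assumed controls for the newspaper case study, and ranks the threats by residual risk.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Control:
    name: str
    likelihood_reduction: int = 0  # points removed from likelihood on the 1-5 scale
    impact_reduction: int = 0      # points removed from impact on the 1-5 scale


@dataclass
class Threat:
    name: str
    source: str
    description: str
    likelihood: int         # 1 (rare) .. 5 (almost certain)
    impact: int             # 1 (negligible) .. 5 (severe)
    asset_criticality: int  # 1 .. 5, criticality of the data the threat targets
    controls: list = field(default_factory=list)

    def inherent_risk(self) -> int:
        """Risk before any control is applied."""
        return self.likelihood * self.impact * self.asset_criticality

    def residual_risk(self) -> int:
        """Risk after controls; reductions are capped so a score never drops below 1."""
        lik = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        imp = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return lik * imp * self.asset_criticality


def prioritize(threats):
    """Highest residual risk first; ties broken by inherent risk."""
    return sorted(threats, key=lambda t: (t.residual_risk(), t.inherent_risk()), reverse=True)


def render(threats) -> str:
    """Plain-text register with the columns of the deck's sample table plus residual risk."""
    lines = ["Threat | Source | Description | Likelihood | Residual | Controls"]
    for t in prioritize(threats):
        ctl = ", ".join(c.name for c in t.controls) or "(none)"
        lines.append(f"{t.name} | {t.source} | {t.description} | {t.likelihood} | "
                     f"{t.residual_risk()} | {ctl}")
    return "\n".join(lines)


# The three threats from the deck's sample table. All scores and controls are
# assumed values for the newspaper case study, not figures from the talk.
SAMPLE_THREATS = [
    Threat("Denial of Service Attack", "Hacker",
           "Perpetrator seeks to make the system unavailable by disrupting services of an Internet-connected host",
           likelihood=4, impact=3, asset_criticality=3,
           controls=[Control("CDN with rate limiting", likelihood_reduction=2)]),
    Threat("Stealing Intellectual Property", "Disgruntled Employee",
           "Copying data through already-authorized access",
           likelihood=2, impact=4, asset_criticality=4,
           controls=[Control("Least-privilege access review", likelihood_reduction=1)]),
    Threat("Stealing Customer Data", "Competitor",
           "Social engineering attack against staff with account access",
           likelihood=3, impact=5, asset_criticality=5,
           controls=[Control("Security awareness training", likelihood_reduction=1),
                     Control("MFA on subscriber accounts", likelihood_reduction=1)]),
]

if __name__ == "__main__":
    print(render(SAMPLE_THREATS))
```

With the assumed scores, customer data theft stays at the top even after two controls (residual 25), ahead of the DoS threat (18) and insider IP theft (16); the point of keeping the register as data is that re-scoring after a control is added or removed is a one-line change rather than a new slide.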
27
Continuous Assurance
• The case study shows how data can be used to analyze threats
• We need to move to a continuous-assurance understanding of the threats
• Point-in-time view compared to continuous auditing (ongoing validation)
• Continuous monitoring provides near real-time status of security controls
• Continuous assurance notifies of changes that affect threats to data
28
Continuous view (KRIs)
• We need something to measure
• Perform that measurement in an ongoing way
• A retailer has different risks to measure than a bank
• First step is to determine what to measure
• Map out the threats of greatest risk
• Set up and monitor the security controls to mitigate these risks
• Automation is key – such as data shared with the supply chain
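One concrete form of the continuous view above, and of the "data changes to monitor" list earlier in the deck (controls added or removed, new third parties receiving data, new or reclassified data stores), is to snapshot the data inventory on a schedule, diff consecutive snapshots, and compute a KRI from each snapshot. The following is an added example, not code from the talk or from SecurityScorecard; the control baseline per data classification, the data-store names and both snapshots are constructed for the newspaper case study.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DataStore:
    name: str
    classification: str     # "public", "internal", "pii" or "payment"
    controls: frozenset     # names of controls currently applied to the store
    shared_with: frozenset  # third parties (supply chain) that receive the data


@dataclass(frozen=True)
class Event:
    severity: str  # "high", "medium" or "info"
    store: str
    message: str


# Assumed control baseline per classification; an organization would derive its
# own from its regulatory scope (e.g. PCI DSS for payment data, GDPR for PII).
REQUIRED = {
    "public": frozenset(),
    "internal": frozenset({"access-logging"}),
    "pii": frozenset({"encryption-at-rest", "access-logging", "mfa"}),
    "payment": frozenset({"encryption-at-rest", "access-logging", "mfa", "network-segmentation"}),
}


def control_gaps(store: DataStore) -> frozenset:
    """Required controls that are not applied to the store."""
    return REQUIRED[store.classification] - store.controls


def kri_coverage(snapshot: dict) -> float:
    """KRI: fraction of regulated (pii/payment) stores with no control gaps."""
    regulated = [s for s in snapshot.values() if s.classification in ("pii", "payment")]
    if not regulated:
        return 1.0
    return sum(1 for s in regulated if not control_gaps(s)) / len(regulated)


def diff_snapshots(prev: dict, curr: dict) -> list:
    """Compare two inventory snapshots and emit the changes that alter the threat picture."""
    events = []
    for name, s in curr.items():
        p = prev.get(name)
        if p is None:
            # New store: report it and any controls it is already missing.
            events.append(Event("info", name, f"new data store classified {s.classification}"))
            for gap in sorted(control_gaps(s)):
                events.append(Event("high", name, f"missing required control: {gap}"))
            continue
        if s.classification != p.classification:
            events.append(Event("high", name, f"classification changed {p.classification} -> {s.classification}"))
        for ctl in sorted(p.controls - s.controls):
            # Removing a required control is the change that most directly raises threat likelihood.
            sev = "high" if ctl in REQUIRED[s.classification] else "medium"
            events.append(Event(sev, name, f"control removed: {ctl}"))
        for party in sorted(s.shared_with - p.shared_with):
            events.append(Event("medium", name, f"now shared with third party: {party}"))
    for name in sorted(prev.keys() - curr.keys()):
        events.append(Event("info", name, "data store decommissioned"))
    return events


def _store(name, classification, controls=(), shared_with=()):
    return DataStore(name, classification, frozenset(controls), frozenset(shared_with))


# Constructed sample snapshots (not real inventory data): on day 2 MFA was dropped from
# the subscriber database, it started flowing to an e-mail vendor, and an analytics
# lake holding PII appeared with only logging in place.
SNAPSHOT_DAY1 = {s.name: s for s in [
    _store("subscriber-db", "pii", ["encryption-at-rest", "access-logging", "mfa"]),
    _store("payments", "payment", ["encryption-at-rest", "access-logging", "mfa", "network-segmentation"]),
    _store("articles", "public"),
]}
SNAPSHOT_DAY2 = {s.name: s for s in [
    _store("subscriber-db", "pii", ["encryption-at-rest", "access-logging"], ["email-vendor"]),
    _store("payments", "payment", ["encryption-at-rest", "access-logging", "mfa", "network-segmentation"]),
    _store("articles", "public"),
    _store("analytics-lake", "pii", ["access-logging"]),
]}

if __name__ == "__main__":
    print(f"KRI day 1: {kri_coverage(SNAPSHOT_DAY1):.0%}  day 2: {kri_coverage(SNAPSHOT_DAY2):.0%}")
    for e in diff_snapshots(SNAPSHOT_DAY1, SNAPSHOT_DAY2):
        print(f"[{e.severity:6}] {e.store}: {e.message}")
```

The KRI falls from 100% to 33% between the two snapshots, and the diff names the three high-severity changes behind the drop; the same diff is what a supplier would be asked to feed back for the Nth-party question raised on the next slide, since the inputs are inventory facts rather than a point-in-time audit opinion.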
29
Putting all this into practice
• Which KRIs to use to measure control effectiveness?
• How will enterprises know about changes affecting threats to data?
• How to evaluate control performance at 3rd and Nth parties?
• How to stay informed of changes in the supply chain?
• Who owns and maintains the continuous view?
• How much effort are enterprises prepared to invest in this?
30
In Conclusion
• Continuous assurance makes risk decisions easier
• Start small with a narrow scope and build from there
• Determine the approach that is best for you
• Enterprises struggling with data protection benefit greatly from threat modeling
• Hidden problems do not go unexamined
• Near real-time view of what hackers see
• Flexible approach that works for every environment
31
Questions?