Continuous Assurance Using Data Threat Modeling · •Facebook prime example of privacy scandals...

Transcript of "Continuous Assurance Using Data Threat Modeling" (31 slides)

Page 1

Continuous Assurance Using Data Threat Modeling

Fouad Khalil, Vice President of Compliance, SecurityScorecard

Page 2

Agenda
• What’s new?
• All about the Data
• Background
• Current state
• Regulatory perspective
• Threat Modeling Case Study
• Continuous Assurance
• Putting all this into practice
• Q & A

Page 3

Latest Headlines
• Facebook: prime example of privacy scandals (dating back to 2005); most recent potential $1.6B fine – Ireland Data Regulator
• British Airways: PCI compliant but breached…
• Bupa: fined for malicious insider privacy breach (£175,000 by UK regulators for “systematic data protection failures”)
• Google: exposed private data of 1000s of Google+ users. Still under investigation.

Page 4

A Quick Look Ahead
• Connected clouds (private, public, hybrid)
• Blockchain finally understood but a mess
• Data analytics, Machine Learning, AI
• GDPR global trend – companies measured by compliance
• Economy boom into 2019 but 2020 is a bit questionable

Page 5

Are We Exposed?
• 45% of IoT buyers concerned about security (Bain & Co)
• 90% say IoT devices pose moderate to significant risk (Bain & Co)
• IoT market size expected to reach $457B by 2020 (Growthenabler)
• SaaS application security architectures are broken
• New compliance requirements and penalties drive pain level higher
• So many open or misconfigured servers in the cloud (Tesla, Walmart)

Page 6

(no text captured for this slide)

Page 7

(no text captured for this slide)

Page 8

Best example of protected data? GDPR of course!!

Basic Information:
• Beliefs, thoughts, political allegiance, etc.
• Credentials (for authentication)
• Preferences and interests

Financial Information:
• Accounts, financial status
• Ownership, structures
• Transactions, patterns
• Credit history

Social Information:
• Professional, career
• Criminal record
• Public life
• Family and relationships
• Social network
• Private communications

Real Time Data:
• Device-dependent tracking
• Contact information
• Location-based, e.g. geotagging
• Behavioral, i.e. usage patterns

Added Information:
• Unique or semi-unique identifiers
• Ethnicity
• Sexual preferences
• Behavioral patterns
• Age, health, geography etc.
• Medical / health
• Physical data

Historical Information:
• Individual life experience
• Notable events
• Patterns allowing inference
• Etc.

Page 9

Frameworks and regulations listed on the slide:
• SIG
• GDPR
• NY DFS
• CA Privacy
• HIPAA
• ISO27K
• SAMA
• HITRUST
• NIST 800-171
• ISAE 3402
• SOC2
• NERC CIP
• NESA
• NIST CSF
• PCI DSS
• TISAX
• EU Cyber Cert
• CSA CMM
• TruSight
• MASPII legislations
• DRAFT Digital Data Governance
• CPS 234
• Ghana Cyber Policy
• Data Protection Regs
• Cybersecurity law
• Digital Privacy Act
• NIST 800-53
• FedRAMP
• PSD2
• COBIT 5

Page 10

Background – All About the Data
• Enterprise competitiveness, regulatory considerations, process maturity
• Data is a key consideration to manage and monitor risk
• Manage changes to minimize risk
• Applying application threat modeling principles to data
• Methodically analyze applications to identify and map threats in post-prod – take an attacker’s viewpoint

Page 11

All About the Data
• Competition
• Regulations
• Customer Engagements
• Pursuit of new Markets
• Maturity & Resiliency

Factor in everything of significance: The DATA!!

Page 12

What Data changes to monitor
• Continuous changes impact the level of risk to data
• Changes in context, environmental factors and threat landscape
• What data changes to monitor (listing a few)
  o How the data is used
  o How data is protected (new, changed or removed controls)
  o Threats to which data is likely to be exposed
  o New or modified business activities change the impact if a compromise may now occur

Page 13

Adopt a Hacker’s view
• Fairly easy to understand why
• Enterprises want to know how to realize the hacker’s vision
• Attacker sees data as a target accessible through a number of pathways
• Data is profit for hackers and breach potential for us
• Threat modeling exercise can help systematically evaluate an application
• Application threat modeling discipline has developed as an application security strategy

Page 14

How Does Application Threat Modeling help?
• Assists in developing applications that are robust, resilient and hardened
• Maps the threats applications might encounter in production
• Enables addressing threats and monitoring conditions impacting data over time
• Enables better tracking of changes in data that impact risk
• Provides better visibility into data that intersects with the supply chain
• Enterprises use this model to understand the state of data (stored, transmitted or processed)

Page 15

The Current State
• Best to understand existing conditions that pertain to data
• Two parallel transformations that make a thorny problem
  o Practical challenges in data management as data proliferates
  o Legal, regulatory and other mandatory requirements that govern how data is (or can be) used
• Practical challenges – how data is stored, processed and transmitted is changing:
  o Data consolidation: denser data due to new data processing methods and increased analytical capabilities
  o Data ubiquity: data becoming more pervasive – spreads throughout the enterprise
  o Data expansion: data becoming more plentiful
  o Processing parallelization: data increasingly being processed in parallel

Page 16

Beyond the current state
• Organizations are witnessing transformations depending on business activities, industry and regulatory constraints
• Organizations with even an accurate and solid inventory of assets may have a less clear idea of data processing
• Poor data inventory leads to challenges ranging from resources to time, and the problem data tends to compound over time
• As enterprises become more externalized (supply chain), challenges may compound as new players come into play

Page 17

Regulatory requirements add to challenges
• Several regulations and standards impact data in difficult ways
• GDPR pertains to data that intersects with operations performed in the EU
• CA first state to enact GDPR-like privacy law
• Breach disclosure requirements specify the what, how and when to notify of a breach
• Industry specific standards add to the challenge, such as PCI DSS, HIPAA, HITECH

Page 18

Threat Modeling Case Study
Objectives:
1. Case study example based on Antonio Fontes’ “Threat Modeling: Detecting Web Application Threats Before Coding”
2. Understand the concept of Threat Modeling
3. Build an actionable Threat Model
4. Know when to build a threat model and how to document it

Page 19

Threat Model Case Study
Newspaper that uses a standard news distribution channel
• They host a website on which articles are posted all day by the online editor
• They distribute a printed journal every day of the week
• Content on the website is free
• The printed version is sold

Page 20

Threat Model Case Study – Continued
• The company has decided to also sell an electronic edition of the newspaper
• Access to the content must be restricted to authorized customers
• The team is designing a feature to enable users to authenticate to access their account for payment
• The board is worried about the threats associated with this decision

Page 21

Threat Modeling Steps: Understand the application
• Review business requirements
• Comprehend application configuration (technologies, architecture, functionalities, components)
• Role of application in the organization
• Be clear on the objectives/drivers
  o Stay compliant
  o Protect against hackers
  o Never want system to be compromised
  o Protect user privacy
  o Avoid system downtime

Page 22

Threat Modeling Steps: Understand the application…
• What are the use cases (how is the application used)?
• How are users authenticated?
• Understand the data classification
• Understand the data flow…especially financial flow

Page 23

Threat Modeling Steps: Identify Potential Threat Sources
• Based on what we know, who might be interested in compromising the system
• Perform research to identify other sources (media, business owners, users)
• List all potential threats
  o Hackers
  o Untrained employees
  o Disgruntled employees
  o Government
  o And so on...

Page 24

Threat Modeling Steps: Identify Major Threat Sources
• Identify threat triggers
• Understand complete scenario
• Understand the likelihood
• Understand the impact
• Finalize major threat model
  o Threat, Source, Description of attack

Page 25

Threat Modeling Steps: Identify Controls
• Document threat with identified sources and attack description
• Develop controls to mitigate the likelihood and impact of the threat
  o Ensure controls are designed effectively
• Make recommendations on controls and prioritization
  o Based on asset criticality and threat likelihood and impact

Page 26

Threat Model – Sample
Columns on the slide: Threat | Source | Description | Likelihood | Control

Threat: Denial of Service Attack
  Source: Hacker
  Description: Perpetrator seeks to make a system unavailable by disrupting services of a host connected to the Internet
  Likelihood: (not captured in transcript)
  Control: (not captured in transcript)

Threat: Stealing Intellectual Property
  Source: Disgruntled Employee
  Description: Copying data due to authorized access
  Likelihood: (not captured in transcript)
  Control: (not captured in transcript)

Threat: Stealing Customer Data
  Source: Competitor
  Description: Social Engineering attack
  Likelihood: (not captured in transcript)
  Control: (not captured in transcript)
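The threat modeling steps on pages 21 to 25 end with "finalize the major threat model" and "prioritize controls based on asset criticality and threat likelihood and impact", and page 26 shows the resulting table. The Python below is an added example, not code from the deck, from Antonio Fontes' material, or from SecurityScorecard. It takes the three sample rows from page 26 and turns them into an actionable, documented model: each threat carries source, description, the data asset it targets, likelihood, impact and the controls chosen for it, and the model is ranked by likelihood x impact x asset criticality. The 1..5 scales, the asset criticality values, the likelihood and impact numbers and the control names are all assumptions made for the newspaper case study; the slide leaves those cells blank.

```python
from dataclasses import dataclass, field
from typing import List

@dataclass
class Threat:
    """One row of the threat model (page 24: threat, source, description)."""
    threat: str
    source: str
    description: str
    asset: str                 # data asset the threat targets
    likelihood: int            # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int                # 1 (negligible) .. 5 (severe); assumed scale
    controls: List[str] = field(default_factory=list)

# Asset criticality on the same 1..5 scale. Values are assumed for the
# case study, not taken from the deck.
ASSET_CRITICALITY = {
    "public website": 2,
    "editorial content": 3,
    "subscriber accounts": 4,
}

# The three sample threats from page 26; likelihood, impact, asset and
# controls are constructed for illustration.
SAMPLE_MODEL = [
    Threat("Denial of Service Attack", "Hacker",
           "Perpetrator seeks to make a system unavailable by disrupting "
           "services of a host connected to the Internet",
           "public website", likelihood=4, impact=3,
           controls=["Upstream DDoS filtering", "Capacity and rate limits"]),
    Threat("Stealing Intellectual Property", "Disgruntled Employee",
           "Copying data due to authorized access",
           "editorial content", likelihood=2, impact=3,
           controls=["Least-privilege access to unpublished content",
                     "Access logging and periodic review"]),
    # Left without controls on purpose: the model should surface the gap.
    Threat("Stealing Customer Data", "Competitor",
           "Social engineering attack",
           "subscriber accounts", likelihood=3, impact=5),
]

def risk_score(t: Threat) -> int:
    """Page 25 prioritization: asset criticality x likelihood x impact."""
    return t.likelihood * t.impact * ASSET_CRITICALITY[t.asset]

def prioritize(model: List[Threat]) -> List[Threat]:
    """Highest-risk threats first, so control work is ordered by risk."""
    return sorted(model, key=risk_score, reverse=True)

def uncontrolled(model: List[Threat]) -> List[str]:
    """Threats documented without any mitigating control."""
    return [t.threat for t in model if not t.controls]

def render(model: List[Threat]) -> str:
    """Plain-text documentation of the finalized model (page 18, objective 4)."""
    lines = []
    for rank, t in enumerate(prioritize(model), 1):
        lines.append(f"{rank}. {t.threat} (score {risk_score(t)})")
        lines.append(f"   Source: {t.source}")
        lines.append(f"   Description: {t.description}")
        lines.append(f"   Likelihood: {t.likelihood}/5  Impact: {t.impact}/5  "
                     f"Asset: {t.asset} (criticality {ASSET_CRITICALITY[t.asset]})")
        lines.append("   Controls: " + ("; ".join(t.controls) if t.controls
                                        else "NONE DOCUMENTED"))
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(SAMPLE_MODEL))
    print("\nThreats still lacking controls:", uncontrolled(SAMPLE_MODEL))
```

With the assumed numbers the customer-data theft ranks first (score 60) even though it is less likely than the denial of service (score 24), because it targets a more critical asset with a higher impact; it is also the row the gap check flags as undocumented, which is the kind of finding the board on page 20 is asking for.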

Page 27

Continuous Assurance
• Case study shows how data can be used to analyze threats
• We need to move to a continuous assurance understanding of the threats
• Point-in-time view compared to continuous auditing (ongoing validation)
• Continuous monitoring provides near real-time status of security controls
• Continuous assurance notifies of changes that impact threats to data

Page 28

Continuous view (KRIs)
• We need something to measure
• Perform that measurement in an ongoing way
• A retailer has different risks to measure than a bank
• First step is to determine what to measure
• Map out the threats of greatest risk
• Set up and monitor the security controls to mitigate these risks
• Automation is key – such as data shared with the supply chain
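Page 12 lists the data changes worth monitoring (how data is used, controls added or removed, exposures, new business activities), page 27 says continuous assurance should notify when such changes alter the threats to data, and this page asks for something measurable in an ongoing way. The Python below is an added example, not code from the deck or from SecurityScorecard, showing the mechanics of both ideas on a data inventory: two inventory snapshots of the newspaper's data sets are diffed, every change is classified by how much it moves the threat picture, and a few key risk indicators are computed from each snapshot. The snapshot schema, the asset names, the control names, the severity table and the KRI definitions are all assumptions constructed for the case study; the data is invented.

```python
from typing import Dict, List

# One inventory record per data asset, holding the facts page 12 says to
# watch. The schema is an assumption for this example.
def asset(classification, uses, controls, exposures, third_parties=()):
    return {
        "classification": classification,
        "uses": set(uses),
        "controls": set(controls),
        "exposures": set(exposures),
        "third_parties": set(third_parties),
    }

# Constructed snapshot at time T0 (values assumed for the newspaper).
SNAPSHOT_T0 = {
    "subscriber accounts": asset(
        "confidential", ["authentication", "billing"],
        ["mfa", "encryption at rest", "access logging"],
        ["internet-facing login"]),
    "payment data": asset(
        "confidential", ["billing"],
        ["tokenization", "encryption at rest", "access logging"],
        ["payment gateway"], ["payment-processor"]),
}

# Constructed snapshot at T1: a control was dropped, a new use and a new
# supply-chain party appeared, and a new data set was created.
SNAPSHOT_T1 = {
    "subscriber accounts": asset(
        "confidential", ["authentication", "billing", "marketing"],
        ["mfa", "encryption at rest"],
        ["internet-facing login"], ["analytics-vendor"]),
    "payment data": SNAPSHOT_T0["payment data"],
    "newsletter list": asset("internal", ["marketing"], [], ["web form"]),
}

SET_FIELDS = ("uses", "controls", "exposures", "third_parties")

# How much each kind of change moves the threat picture (assumed ranking).
SEVERITY = {
    "controls_removed": "high", "third_parties_added": "high",
    "exposures_added": "high", "classification_changed": "medium",
    "uses_added": "medium", "new_asset": "medium",
    "removed_asset": "low", "uses_removed": "low", "controls_added": "low",
    "exposures_removed": "low", "third_parties_removed": "low",
}

def diff_snapshots(before: Dict, after: Dict) -> List[dict]:
    """Return one event per change between two inventory snapshots."""
    events = []

    def emit(name, kind, value=None):
        events.append({"asset": name, "kind": kind, "value": value,
                       "severity": SEVERITY[kind]})

    for name in sorted(set(before) | set(after)):
        if name not in before:
            emit(name, "new_asset")
            continue
        if name not in after:
            emit(name, "removed_asset")
            continue
        b, a = before[name], after[name]
        if b["classification"] != a["classification"]:
            emit(name, "classification_changed", a["classification"])
        for f in SET_FIELDS:
            for v in sorted(a[f] - b[f]):
                emit(name, f + "_added", v)
            for v in sorted(b[f] - a[f]):
                emit(name, f + "_removed", v)
    return events

def key_risk_indicators(snapshot: Dict) -> Dict[str, int]:
    """Three example KRIs measurable on every snapshot (definitions assumed)."""
    confidential = [a for a in snapshot.values()
                    if a["classification"] == "confidential"]
    return {
        "confidential_without_encryption": sum(
            1 for a in confidential if "encryption at rest" not in a["controls"]),
        "assets_without_logging": sum(
            1 for a in snapshot.values() if "access logging" not in a["controls"]),
        "assets_shared_externally": sum(
            1 for a in snapshot.values() if a["third_parties"]),
    }

if __name__ == "__main__":
    for e in diff_snapshots(SNAPSHOT_T0, SNAPSHOT_T1):
        print(f"[{e['severity']:6}] {e['asset']}: {e['kind']} {e['value'] or ''}")
    print("KRIs T0:", key_risk_indicators(SNAPSHOT_T0))
    print("KRIs T1:", key_risk_indicators(SNAPSHOT_T1))
```

Run against the two constructed snapshots the diff raises four events, two of them high: the access-logging control dropped from subscriber accounts and the new analytics vendor that now receives that data. The KRIs move from no assets without logging at T0 to two at T1, which is the kind of number the "what KRI to use" question on the next page is asking for; in practice the snapshots would come from an automated inventory feed rather than literals.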

Page 29

Putting all this into practice
• What KRI to use to measure control efficiencies?
• How will enterprises know about changes impacting threats to data?
• How to evaluate control performance at 3rd, Nth parties?
• How to stay informed of changes at the supply chain?
• Who owns and maintains the continuous view?
• Amount of effort enterprises are prepared to invest in this?

Page 30

In Conclusion
• Continuous assurance makes risk decisions easier
• Start small with narrow scope and build from there
• Determine the approach that is best for you
• Enterprises struggling with data protection greatly benefit from threat modeling
• No hidden problems go unexamined
• Near real-time view of what hackers see
• Flexible approach that works for every environment

Page 31

Questions?