Threat Modeling Security in a Connected World

Terry Gold, Founder and Principal Analyst, D6 Research LLC

SIA’s blog was able to catch up with Terry Gold, Founder and Principal Analyst, D6 Research LLC

Gold will present Threat Modeling Security in a Connected World on Thursday, April 12, at 2:30 p.m., at SIA Education@ISC West. SIA’s blog chatted with Gold to learn more about his session.

SIA Education@ISC West will provide conferees with more than 80 sessions of valuable information on important topics in the security industry at the Sands Expo in Las Vegas on April 10-12. Register for ISC West and find more info on SIA Education@ISC West class sessions.

SIA: Can you tell us a little bit about your background and how you were inspired to present on the topic of “Threat Modeling Security in a Connected World” at ISC West?

Gold: I started on the information security side almost 20 years ago and got into physical security by accident when clients wanted to marry PKI smart cards with physical security badges and authentication. I designed the first physical/logical integrated authentication system before “convergence” was a “thing”. I’ve spent the last 10 years designing SaaS models, working with hackers, and researching methods of exploitation and remediation.

I want to contribute by enabling practitioners with additional skills that they aren’t getting elsewhere in the industry. They don’t have to take our threat model literally, but I hope they understand how to go about building their own or qualifying preparedness of people that may assist them.

SIA: From your perspective, why do you think professionals in the physical security industry have been reluctant to adapt to the same threat models as the information security industry?

Gold: The short version is that there hasn’t been a published threat model for physical security to “adapt” to. Even if there was, how to build one or apply it isn’t part of any of the industry training and certainly doesn’t come up with vendors and integrators. So, it’s quite far out of view.

The reasons for this are that the education, certifications and practices in physical security do not keep pace with the reality of where the focus of end user security personnel needs to be. Information security has continuously evolved their principles and practices in ways that can increasingly be validated and measured whereas physical security hasn’t. The reality is that they shouldn’t be any different in principle and only slightly different in practice/application. The result of physical security being a silo is separate practices that really wouldn’t survive outside the bubble in which they are created – and threats don’t adhere to practices in that bubble.

SIA: How is the first detailed threat model similar to or different from threat models we see used in the industry today?

Gold: Great question. If anyone can show me other threat models for physical security I’d love to see it. We couldn’t find any, so we just built one over time over the course of real-world engagements, situations and findings. We knew what we were looking for but documenting a model really helped being in an executive briefing with 30 stakeholders that are typically paralyzed on getting to agreements on what’s being presented – and a visual heatmap really hits home. We put a logic and flow in the design so almost anyone could follow it. Taking something complex and making it easy for everyone to get on the same page within a few minutes without watering down the value. That’s really the purpose of the actual artifact.

There’s some very high level, anecdotal stuff out there but that doesn’t provide any actionable value to end users. It seems they stop short at the point when specific exploits, dynamic attacks that incorporate multiple steps or vectors need to be considered. But this is the actual reality of attacks – unless practitioners only want to build defenses around simple attacks they don’t help much. You really must get to the level of how data and code flows, for example, how an XSRF exploit can impact credentials without even touching a credential because the web server was exploited to get to the PACS and game the system that issues the badges or manages the configuration of how they are read. It can be a very abstract practice. I haven’t counted the current version, but it has a few thousand possible combinations of attacks, results, and impact in it – and it’s still growing and evolving. It’s easy these days for an organization relying on traditional practices to get completely owned and not even know it happened.

SIA: What advice can you provide attendees for how to change the assessment process for assessing organizational threats?

Gold: I feel obligated to disclose context (because not everyone may share the same goal or circumstance). D6 Research specializes in Fortune 500 security, and within that end users contact us when they realize they need to change their approach and as part of this move away from traditional suppliers, relationships and advisory to get different insight. The goal is always about helping them put together a unique strategy – usually dealing with addressing short term problems but also transforming their security program that is improved and sustainable over the long-term.

In the session, I’ll review the threat model that we built. However, the more important part is understanding the overall process to get from current-state industry security that is really lacking to a transformational model – from top down – from executive goals through the whole chain of execution to KNOW you are secure and highly operationalized so it’s more efficient all the while. So, we’ll be focused on the threat model for context, but the tentacles reach across several areas to actually put it into practice.

Things we’ll try and help attendees figure out:
• How to do your own threat model.
• When to do it and where to begin.
• How it fits within the enterprise flows of meetings, reviews and getting people on board with the process.
• After it’s done. Now what? Continuous validation and improvement measures because a static model is a bad model.

If I can get attendees to understand that and go back into the wild to start applying it, then I’ll be a very to have contributed.
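The interview describes a model that chains exploits across components (a web server reached through XSRF, then the badge issuance system, then the PACS), scores the resulting combinations, and presents them as a heatmap that is re-validated rather than left static. The script below is an added example written for this post; it is not D6 Research’s model or any product’s code. The component names, dependency graph, entry vectors and 1-to-5 likelihood and impact scores are all constructed for illustration, and the scoring rule (likelihood drops by one per extra hop, risk is effective likelihood times the impact of the last component reached) is one simple convention, not the one the session presents.

```python
"""Added example: a toy multi-step threat model for a badge/PACS deployment.

Constructed data throughout; nothing here is D6 Research's model or a real
product. It enumerates attack chains through a component dependency graph,
scores each chain, bins the results into a likelihood x impact heatmap, and
re-scores after a mitigation so the model can be re-validated over time.
"""
from collections import Counter

# Constructed: which component a compromised component can influence next.
REACHES = {
    "badge_web_portal": ["badge_issuance_service"],
    "badge_issuance_service": ["pacs_controller"],
    "reader_config_service": ["pacs_controller"],
    "pacs_controller": ["door_lock"],
    "door_lock": [],
}

# Constructed business impact (1..5) of an attacker controlling each component.
IMPACT = {
    "badge_web_portal": 2,
    "badge_issuance_service": 4,
    "reader_config_service": 3,
    "pacs_controller": 5,
    "door_lock": 5,
}

# Constructed entry vectors: (exposed component, vector name, likelihood 1..5).
VECTORS = [
    ("badge_web_portal", "cross-site request forgery", 4),
    ("reader_config_service", "default admin password", 3),
    ("pacs_controller", "direct network access", 2),
]


def attack_chains(start, graph=REACHES):
    """Every simple path starting at `start`; each prefix is its own chain,
    because an attacker may stop at any step (e.g. at badge issuance)."""
    chains = []

    def walk(node, path):
        path = path + [node]
        chains.append(path)
        for nxt in graph.get(node, []):
            if nxt not in path:  # no cycles
                walk(nxt, path)

    walk(start, [])
    return chains


def build_model(vectors=VECTORS, graph=REACHES, impact=IMPACT):
    """Score every (vector, chain) pair. Likelihood drops by one per extra hop
    (floor 1) because each step needs another foothold; impact is that of the
    final component reached. risk = effective likelihood * impact."""
    model = []
    for component, vector, likelihood in vectors:
        for chain in attack_chains(component, graph):
            eff = max(1, likelihood - (len(chain) - 1))
            imp = impact[chain[-1]]
            model.append({"vector": vector, "chain": chain,
                          "likelihood": eff, "impact": imp, "risk": eff * imp})
    return model


def top_risks(model, n=3):
    """Highest-risk chains first; ties broken by shorter chain."""
    return sorted(model, key=lambda e: (-e["risk"], len(e["chain"])))[:n]


def heatmap_counts(model):
    """Number of chains falling in each (likelihood, impact) cell."""
    return Counter((e["likelihood"], e["impact"]) for e in model)


def render_heatmap(model):
    """Text heatmap: rows = likelihood 5..1, columns = impact 1..5."""
    counts = heatmap_counts(model)
    lines = ["L\\I " + " ".join(f"{i:>3}" for i in range(1, 6))]
    for lik in range(5, 0, -1):
        cells = " ".join(f"{counts.get((lik, imp), 0):>3}" for imp in range(1, 6))
        lines.append(f"{lik:>3} {cells}")
    return "\n".join(lines)


def with_mitigation(vectors, vector_name, new_likelihood):
    """Return a vector list with one vector's likelihood revised after a fix,
    so the model is re-scored instead of left static."""
    return [(c, v, new_likelihood if v == vector_name else l)
            for c, v, l in vectors]


if __name__ == "__main__":
    model = build_model()
    print(render_heatmap(model))
    for e in top_risks(model):
        print(e["risk"], e["vector"], "->", " > ".join(e["chain"]))
    # Re-validate after anti-CSRF controls on the portal (constructed change).
    fixed = build_model(with_mitigation(VECTORS, "cross-site request forgery", 1))
    print("max risk before/after:", max(e["risk"] for e in model),
          max(e["risk"] for e in fixed))
```

Running it shows the point the interview makes about chained attacks: the single highest-risk entry is not the web portal itself (low impact on its own) but the portal as a stepping stone into badge issuance, and lowering the portal vector’s likelihood shifts the top of the heatmap to the remaining direct and default-credential paths into the controller. Recomputing the model after each change is the “continuous validation” step; the graph and scores would be replaced with an organization’s own.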

The views and opinions expressed in guest posts and/or profiles are those of the authors or sources and do not necessarily reflect the official policy or position of the Security Industry Association (SIA).