What are we worried about?
Abstract
What are we worried about? This is a talk about helping teams learn to build realistic threat models. Security has been great at talking to security about how important it is to have a well-considered threat model. However, when we bring the rest of the business along with us and excitedly say to them "Let's be baddies", it can sometimes start to fall apart. I will be taking you through some of the quite remarkable perceived threats that engineers and executives alike put forward during threat modelling sessions I have recently run, and the reactions I got when I had to course correct. It turns out that when security is not 100% of your daily grind, the frame of reference you have for threat modelling will have come from all sorts of places, like Mr Robot or media coverage of huge cyber attacks. So how can we as security people be better educators? How do we help our teammates get the tools and context to build more realistic threat models? I start with where to look for data on the breaches and incidents that typically happen in your industry, and some places you can look internally in your own business to get even more information. I'll also be talking through the process I have come up with to better define the kinds of threat actors you want to consider when building your threat model, and how to write malicious user stories as a team. A threat model based on industry evidence, with realistic, well-considered threat actors, is going to help teams pick better mitigations and controls, giving you confidence that your limited defensive resources are being well used.