
Strike three. Appreciate you being here. Like a lot of us, he started in his teenage years.
Thank you all for coming out. I think the topic is dry; I didn't think threat modeling would draw so many folks, so hopefully it won't be quite that dry. We'll see. I might have been back at BSides a couple of years ago talking on threat hunting, and so I tried to think about the things I'm interested in and the things I hear a lot about. So, my role, my job: I get to travel all across the U.S. and talk to a lot of different security executives and technology leaders and managers and people down in the trenches. It's really neat to see what challenges are going on across the threat landscape and what people are doing. I get a lot of questions, and some of the more common ones are, you know: hey, even from the most basic, immature security organizations to the most mature ones with, you know, huge staff and hundreds of people, it's still a challenge around "how do I prioritize?" I don't know where to start. What am I going to be working on? What looks important to me? And then, a lot of times, how do we even represent that back to the business? Because, you know, the business guys are going to think in terms of P&Ls, right? They don't want to know things in terms of that; they want revenue, growth of the business, and what attacks my margins. And so as I started trying to think about that challenge, it's really around risk, right? Business leaders have understood risk for twenty years, the longest time, you know, and we think about risk differently. So how do we bridge that gap so that we can communicate those together?

You know, I guess, background: I got a big start in my career in the Marines. So a little about me: it's a great sunny day, a spring day, and usually you'd find me riding a horse with my wife on a day like today rather than going to something like this, but I do love this; I'm passionate about it. She works in security, so she's here as well, and we both gave up horse riding on a day like this. We're glad to be here. That's truly... that's Fog, like "beware the Fog," EKU folks. I did okay, but she did better. And that's our baby over there, the fourth in our house. And another thing: I think I never outgrew Tonka trucks, so we recently bought some acreage and I got some cool toys. This is actually sitting out there, and our dog jumped in it. This thing has got, like, more knobs and switches than a 747, I think. When I got it there, I didn't even know where the horn was, you know, trying to find it, horn honking. But I've got a tractor now, building out. We hauled a horse with this one time, and I bought it. The kids love doing that; it's a lot of fun.

But this gave me another idea for a security talk. So this is a teeny little Caterpillar, right? This is a huge backhoe, just, you know, on wheels, that kind of guy. I tried my key in this and, yeah, it started right on up. I found out a couple of things about getting keys for equipment: I got an extra key for my Kubota, for example. I was like, hey, I'm going to need to match my serial number and my model. It's like, "can I get the extra key?" All right, throw it across the counter; they don't care. They can't keep it secret; it's all the same key now. It got me thinking about another talk; people could think of something to do with those keys.

All right, so as part of my travel, I like to take pictures of funny things I come across. I see stuff like this all the time. Does this ever... we are seeing things like this; is that weird or not? I mean, all right, so I fly a lot of Delta, and there are blue screens of death all over the place, right? So you think about how much our world has changed in a few years, right? Before, these things would be mechanical, right? These would flip the little numbers to show the flights and stuff. Now that's electronic, but now there's a whole other set of risks and threats. So that's the board in Atlanta where they show all the flight information. Is that a big deal or not? I don't know, right? It tells me something: they run it on x86 and Windows, because it's got a blue screen; yeah, there's even a service, right? So threats can manifest themselves in a number of ways, and on top of that, threats have different levels of impact, and that's what we're going to talk about today: how do we prioritize that, understand the impact, in order to understand what the risk is, right? So, you know, this system: maybe some passenger might be a little bit annoyed that they can't find out what gate their flight is leaving from, so from an impact perspective it might be low. But if this same thing happened on the flight deck of the airplane, that could be pretty bad, right? "I have no screens, I can't do anything." And I read an article recently where that kind of happened, I think in flight: an airplane took off, a United or American flight, they lost all the screens in the cockpit, and they had to turn back and come around. I mean, that's a big deal, and I think the real reason it was making news is that the guys kind of played it off as "we have some sort of electrical malfunction"; that's what they told the passengers. So the reality was they lost everything in the cockpit and had to come back and land. That's a big deal. I guess you don't want to scare people and cause a panic either, so maybe I would lie about it too.

Once again, this is a Windows thing; these computers are in everything. That's another one: this is "close program to prevent information loss," in San Francisco. It's pretty cool; that stadium is one of the most electronically connected stadiums in the world. When it first opened up, you had an app and you could literally order your food and it would come right to your seat. That was five or six years ago. Again, as an attacker, I'd love to know what operating system it was running, and they just kind of gave it away. You wouldn't believe how many times I've come through an airport and seen an error message from something like Windows XP, today.
So let's talk about threat modeling. I always like to do this to know my audience: I heard some people talking, there are some students. How many students have we got in here? All right, okay. How many of us work in cybersecurity? Pretty much the rest. Maybe not cybersecurity, some in IT in general. So I understand the audience: we're going to go through this; it's not going to be a wholly in-depth talk, so if you're looking for that... It started off as education for me, you know: hey, how do I talk about this? There were customers, companies, people asking me questions about where do I start, how do I manage risk. So as I kind of learned about it myself, it's rather basic, because I think if you start down threat modeling, I mean, you start on the back of a napkin, as he was talking about, right? But pretty quickly you can be down rabbit holes and be very, very deep into something very complex, and even when I started on this talk I found myself getting that way; it's really hard not to. I'll talk about some of those complexities as we continue.

But threat modeling is just exactly that, right? It's a way to think about how threats are posturing against your organization, what kind of risks exist, the likelihood of those risks and attacks happening against your environment, and what the potential impact is: is it going to take down my business for a day, an hour? Is it going to cost us money? And to understand how do I figure all that out and put together a big picture. For the most part the idea is that you come up with a list that says: here are my top assets, my top value items, and here are the risks that are against them, here's how they're classified in terms of how likely they are and the impact they have. Then you can say, all right, now I'm starting from one end and tackling the most gruesome ones first, right? You can't protect everything; I'm sure everybody in your realm realizes that. I won't spend $300 to protect something that isn't worth it; it makes no sense. But there's this trade-off of understanding how much protection, how much it's going to cost me, and what's the value of the asset I'm protecting.

Think of car insurance: for most of us it's mandated, right? So it's there for a reason. We obviously shop around for the best value, but the value also represents risk, right? That value is represented in terms of how much protection we have for physical assets, liability coverage, etc. And the insurer applies a different logic to that: they have a risk matrix they apply against the driver, right? So they evaluate, you know, this guy's got two speeding tickets, or he's been in a lot of accidents; that drives my risk to that company. So it's kind of the same thing here. Yes, see, he said it was green and red.

So in the Marine Corps we had a reading list we had to read, and one of the things I learned about was Sun Tzu and The Art of War. Essentially the idea is that in threat modeling you have to think about attacks from a holistic perspective, and mostly from the attacker's point of view, right? So if the attacker wanted to attack your organization, what is he going to be after? What is he looking at? What's important to him? And then you can turn that around and say, all right, here's how he's looking at me. You know, maybe I've got a bank vault with a little gold; he's going to want that, right? So how do I protect myself from that attacker? That's kind of what Sun Tzu is saying there, in not so many, but more, words than that. But that's my Marine Corps thing down there.

Okay, so first some basics, because I think it's good to get an understanding of the terms. So we've got, how many CISSPs? All right, so don't go by the book; let's get some interaction, maybe the students even. So tell me what a threat is. Anybody got an idea of what a threat might be? How would you classify a threat? So a threat is defined as any circumstance that can cause an adverse impact; that's how I studied it for the CISSP. All right, this is all standard, you know, stuff. So
all right, what about an attack? What's the difference between a threat and an attack? How would you say... what's the definition? Yeah, it's the result of a threat action happening, absolutely: the absence of a safeguard that makes a threat potentially likely to hurt an asset. You said asset, so I always need a definition for that too, right? It could be a process, it could be a business process or a business unit, it could be an application, any data, anything that you want to protect. Absolutely. All right, I'm going on; school's not out yet. So what about a threat agent? It's right after that: your opponent, who's just trying to get to you. Yes, an opponent, someone who's going to take advantage of an exploit to negatively impact you, or anyone that gets to you and wants to steal something, to get something from you. Then vulnerability: a weakness or flaw. And then risk; we're talking about risk a lot today. Anyone want to take a crack at risk? Yeah, potential for loss, right? What does it cost you? What's the last one, wrapping it up? Attack, right? That's when a threat agent takes advantage of a vulnerability: they're attacking you, they're going after something. Attack surface: this won't come up too much, but I thought I'd throw it in, where you're vulnerable, right? So it's all that exposure; we're going to pull all the things together to take into account not only the vulnerabilities and the threats and the actors but also the controls, right? We can all probably think of a million and one threats against us today, right? But we have controls that help mitigate some of that, and because we have these controls we minimize the attack surface.

And there are a bunch of threat modeling methodologies; they all have cool acronyms. I tried to come up with one for myself, my own one that I just made up. We talked about horses last night, so: HORSE. Anybody heard of any of these? STRIDE, yeah, STRIDE up there, right? And DREAD, kind of Microsoft-centric ones, so if you've done anything with Microsoft or with software development you're probably familiar with these, right? STRIDE or DREAD: security development lifecycles, where everybody is focused around the software. It was used on that, in the studies, when I was developing for Microsoft. OCTAVE, I'd never heard of that; those came out of some of the research I was doing. Anybody use Trike? Ever seen that before? Well, so the knowledge is out there, you know; they all have their advantages. This really doesn't model on any of these
methodologies; it's kind of my take on a way to start thinking about threat modeling in your own organization. All right, so today my threat model is going to be about risk, right? Risk being the multiplication of likelihood and impact. Okay, so if I think about it this way: as one of them increases, I've got more risk, right? So an increase in likelihood or an increase in impact means my risk goes up, right? So if I can make them both go down... well, yeah, here are some challenges with that, right? So think about likelihood. Can we influence likelihood? Pretty well, right? There are a lot of controls, mitigating things we can do to help reduce our threat posture and reduce the likelihood. How about impact? There are some things you can do; do you agree? Not so much, right? And here's the other challenge we all run into, right: how often through the last three or five years you've been working in technology has your impact, your threat surface, reduced? Right? How many times have we reduced systems, reduced our deployment models, reduced servers, reduced the footprint we have, reduced the amount of data we're collecting? Has that ever happened? Right? The challenge here is that impact generally is always increasing. So if you think about this equation, right, I want to minimize or not increase risk too much, and that thing is always increasing. So where's our only lever? If the one side is always increasing, we're going to be gaining it back on the likelihood side, and that likelihood had better be pretty good.

So let's talk about likelihood. Likelihood is the probability of exploit, so it's the chance of the vulnerability being taken advantage of and exploited, which would bring something bad into your environment. I see likelihood as a way of evaluating the value of the targets, right, and a good place to start: how many of us have DR or business continuity plans? Almost everybody, right? So I've heard my security people say they want to know about risk, where do I start? Well, the good news is a lot of that work is already done, right? So
the business continuity plan usually says somewhere in there what your high-value assets are, and so I'd start there, right? If you have a number one system, hey, this is the most critical to our business, why not start there from a risk perspective? Because, you know, that's probably going to carry the biggest impact, right? So we know from the risk perspective it can be pretty big too. So how do we put together controls to reduce that likelihood so it's not as risky if something were to be exploited?

Internal versus external: so if you think about likelihood these days it's a little bit different, but I still think that there's a difference between threats to internal targets versus threats to external targets. Everybody kind of agree with that, right? I mean, yeah, if an attacker really wanted to get past your controls that protect the exterior of your organization, like firewalls, whatever, they can do that, right? But the easier target is obviously the one that's already on the outside. Your controls on it: there's a lot less you can do. An external website, we want the public to see that, so we can't lock it down a lot; otherwise they can't see it, right? So the risk, you know, the attack surface there is a lot higher.

Next, the skill level needed by an attacker. Why is that important? Because attackers come in different flavors, different capabilities, right? And when we look at attackers and their skill level, we've got guys out there doing a ton of research, finding the zero-days. Who knows how many zero-days are out there? We don't know how many; a lot of those are closely held, right? But those are probably the highest, you know, on the threshold of risk that I can think of; an attack like that is hard to stop. Then we have other ones that are ten-year-old Windows vulnerabilities that somehow we still can't seem to get patched, right? And then there are Metasploit modules already written for them, and so the skill level for an attacker to run a Metasploit script is probably pretty low. But those are considerations as well. I think I covered that already: known exploits versus canned scripts to exploit those vulnerabilities.

So next, impact. We talked about the impact; impact is always increasing. You know, with the cloud, we're always having more data; the amount of data we collect is growing, the number of systems that we use is growing, and we see more complexity. So this is a challenge for us when we're doing risk analysis: what is the most important for us, or what are those assets that really don't have value? So some things kind of cross between both likelihood and impact: the value of the system, the scope, the breadth of the system, how complex it is, how it's all managed; they all play a role. Financial impact: so again, come back to your business continuity and disaster recovery plan, if you have one; hopefully that talks about business impact, so that if the service or business process is not working for a period of time, there's a cost involved in that, right? And that cost ratchets up over time, and you should admit there's a point where you have to make some hard decisions about what you're going to do with that cost.
Availability can be impacted, just like those blue screens of death, right? We are always concerned about the availability of business processes and the systems they're built on, and impact certainly plays a huge role there. Data volume, again, same thing: the scope and scale of the data. That gets back to the scope and complexity of everything that we do.

I'm going to get into this in a couple of slides, but there are a couple of ways that I started thinking about threat modeling, and there's probably an infinite number of ways, but I really think of it in terms of two. One is looking at it from an asset perspective, and I could think of that, you know, when I was leading a security organization with audit committees and boards of directors: they want to think of things in terms of business impact, right? So when I think of assets, I think of business alignment: how am I affecting the bottom line of the business in terms of the controls I put into place, what those controls and protection mechanisms cost, and what they are protecting. The other way to look at it is from a threat perspective, right? What kind of threats can I enumerate and think of that can pose a risk to my organization? Then line those threats up against an asset. That's the rub there, and, hey, threat A may have low likelihood and low impact, and threat B can be high impact and moderate likelihood; that's something I'm going to look at and control, because that risk got higher than the threshold that I want my organization to accept.

Reporting requirements: the big one coming up these days, right? So there are more and more regulations happening in the world today, GDPR, you know, and all the individual states. If you are breached, we have an issue: what data has gotten into the wrong hands? The reporting requirements, I think, come into play in that as well, right? So when you look at impact, there's a certain amount of cost you incur anyway because you have been breached. So there are all sorts of concerns about how much that costs you, but that cost now includes reporting the breach. So think about that when you're thinking through impact.

And I like to think of things in terms of qualitative as opposed to quantitative; it makes it, in my mind, a little bit easier to model. So this is kind of what a model will look like if you're going to put together likelihood and impact, the scale I like: so you've got likelihood from top to bottom, almost certain down to rare. You guys in the back, I know it's not a huge screen, so you can track it across impact: significant, severe, and so on. And then where they intersect, obviously, that's your risk. Anything that's rare with negligible impact, that's low; ignore that, it's never going to happen, and I don't care even if it did happen: the impact is so negligible it's not going to interrupt anything; it doesn't matter. Now, how do you determine the risk scoring within that? Well, that's up to you, right? It's really up to the risk appetite of the organization that you're in, right? Some organizations are highly risk-tolerant; they're okay with taking on risk, and they're okay with taking on risk that's above average. So maybe in that case I'd only have a couple of extreme risks in that matrix. Other organizations probably have a very low threshold for risk, and you'd probably see more extreme, more high, and probably fewer low and moderate. That's why I think qualitative as opposed to quantitative can help, right? You can adjust this to match what your organization understands, what they're interested in, and how they want to tackle the resolution of it. All right, so we're starting to talk about, you know, the appetite of the organization, where they stand in terms of wanting risk and how it impacts their assets. So I talked about
the two ways of thinking about understanding risk. You can evaluate assets top to bottom, most highly profitable or most important asset, and work your way down, and then enumerate all the threats that can happen to them. There's another way to do that: you can take threats or attacks, come up with a whole list of attacks and threats that can exist against your organization or that you can think of, and then you enumerate those against your assets. So here's where it gets really complex: it's when there's a many-to-many intersection, right? I've got a lot of assets, I've got a ton of threats, and all these threats, or whatever I can think of, can hit every single one of my assets, right? So first I was kind of leaning towards doing it from an asset perspective, because I think this gives you the best business view: when you talk to your business leaders, your board of directors, about risks and what risks they should be concerned with, they're going to want to know in terms of business context, right? But when you go back and talk to engineers, the IT guys, your security team, they're going to care more about the security element, right, thinking about threats and how those threats can impact my organization, my assets. So my thinking kind of swayed back and forth on this talk, so I'm kind of curious what you all think.

[Audience member: ... broken up by application ...]

I think that's kind of going from one direction to the other, and I kind of headed back to doing it by assets, by business alignment. I think as part of this exercise in threat modeling you'd have to come up with a list of threats, and the threats are going to be the same across the board against any asset you can think of; what changes is the likelihood and the impact. Okay, I've got a slide that will talk about that, right? So we can influence that. So a denial-of-service attack externally, the likelihood and impact of that, could be very different from a denial-of-service attack coming from the outside against an inside asset protected by a couple of firewalls, WAFs, etc., right? So it's the same attack, but the impact against an asset can differ based on that asset and the controls that are placed in front of it. So that's where I kind of came back, and I thought, you know, doing it from an asset perspective, as most of the hands were here, is probably the best way to tackle that. You still have to come up with the threat matrix, or threat tree, or however you want to do it, and then evaluate those against all those assets. In my mind I think that's probably the best way to go, especially because the business makes the decision, right? The CEO, the board of directors, they're the ones who are ultimately responsible and accountable for understanding how much risk we're going to take on and how much they're going to spend to reduce risk. And there's always risk, no matter what it is, whether it's from technology or security or even a business perspective, the risk of someone across the street opening a business and competing against you, right? So they're always concerned about that; they're always trying to manage that teeter-totter of risk to make sure that, hey, we're putting enough money into that, you know, not going over our tolerance the other way, where it sends us out of business, but yet I haven't spent so much money on protection mechanisms that that's going to send me out of business either. So it helps us prioritize.

And there's always a lot of brainstorming involved, right? So get together with teams, get together with development, get together with the business, right, and say, hey, let's start thinking about the threats that exist to our environment, and how would we respond to those threats? What controls do we have in place already? And then, further on, if it ends up in a very risky space, can we put more controls on that to bring down that risk? And so again, putting in some upfront work, think about it from an attacker's perspective. This is like the magic quadrant of attackers, right? So on the bottom we have effort and risk, from most difficult to easy, and from the riskiest for the attacker to not risky at all, and then of course the payout: there's some sort of payoff when I attack, I want something, right? So go to the magic quadrant of the easiest and highest payout; that ends up being the far side: ad fraud, and then intellectual property theft or extortion up there. And then of course there's the stuff that's kind of harder to do, but with really little payout: you can get credit cards all day long, but you can only charge a couple of fraudulent charges on a card before you have to go get another credit card, right? Easy to do, but the payouts are pretty low. So that's one
way, you know, to put together that matrix when you start talking about threats. Another cool thing; I don't know if you guys can see it in the back: this is the MITRE ATT&CK matrix. Anybody here familiar with the MITRE ATT&CK framework? Great. Another great place to reference and understand and find out about threats and attacks, how those attacks are carried out, and whether or not they're applicable to the organization.

How do you discover threats? Well, the goal of discovering threats is to find the threats and then hopefully the mitigating controls that can minimize those threats from being exploited in your application. So there are a bunch of public threat libraries; I'm sure most of us have seen them, right? MITRE has one with CAPEC, the SANS Top 25, the OWASP Top 10; there's a threat catalog that the Open Security Architecture site has. And then there are commercial tools on top of that that take the public threat libraries and come with some of their own. ThreatModeler has a great domain name: you look up "threat modeler" and it comes up as number one on a Google search, right? Those are pretty good tools, but, you know, you pay for them; you get some more value out of that. Microsoft; some people said they're from Microsoft here. So Microsoft has a full toolkit around threat modeling designed primarily around software development, but, hey, I think that's a great place to start, right? In today's world everything runs on software. Even think about the 737 MAX scenario, right: yeah, we could deploy it, because if it's marked wrong tomorrow, right, we don't even have to test it thoroughly, because we know we can fix issues through software patches, right? So you can overcome even hardware problems through potential future software fixes. The Hubble Space Telescope is another example: they ran that up and the mirror was bad. So physically the mirror was wrong, right, but you can't bring it back to Earth and put another mirror in; it's in space. So they fixed it; they fixed it through software. So they fixed a huge, big, expensive mirror that was, you know, within whatever percent of perfect, but not within the requirement; they fixed it through software. So software is important, critical, and I love to hear that an organization is doing threat modeling against their software as part of their software development. What a great place to start thinking about attacks: I'm writing a line of code; did I just write something that could be susceptible to attack when it gets to production? You know, ten years ago that wouldn't have happened. So this is great. So, is anyone doing threat modeling on your software applications? Yeah? You know...

[Audience member: We've been doing it for the last few years, right? Yeah, same thing, but like ten years ago we weren't; we started about ten years ago, and we do it for all of them, yeah. We started with just a matrix, basically. Yeah, we call it hazard analysis.]

Before this, I mean, I think software development was concerned about meeting business requirements, right? I've got a set of requirements, I'll plug into that, make sure that the application meets the requirements; nothing about security. But that's great. So some ways to brainstorm: I picked up some of these at RSA eight years ago; I just thought it was cool, it's a deck of cards. And then I looked through it, like, wait a minute, there are like 70 cards here; that's not a deck of cards. Well, believe it or not, I figured out this is actually open source: you go to Microsoft to find these cards. They're called the Elevation of Privilege cards; it's kind of a game you can use to help jump-start brainstorming on threat modeling. So the cards relate to risks there, and remember the STRIDE methodology: spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege. And so there are cards for each one of those, and they give you a scenario, and you just kind of brainstorm through that scenario and say, all right, hey, I'm worried about tampering in this scenario: how could that affect my system, the software I'm working on, my business process, whatever it is? And then it just kind of helps jump-start the process of brainstorming there. And I think a lot of us have a hard time doing that, so these cards give you a similar starting point.

All right, so I said, you know, you need simple tools. I love spreadsheets. I did put the spreadsheet in; I thought it might be hard to see on a screen, so I'm glad I didn't forget about this; on a smaller screen it might be even tougher to see. But this is kind of an example; I kind of broke it up into two parts, because if I did
the spreadsheet it could be probably a huge number of columns and so first I put up I'm gonna put up the trio kind of how do you evaluate or how I I was thinking of evaluating threats and attacks right so like I said you can get of Juiz assets and threats we've got a new break threads anyways so let's talk about threats so they can come up with a whole list attacks you know one to end and I gave some examples up here and then I think there are attributes about those attacks in your environment that make a difference on how those attacks impact and the likelihood of those attacks having a negative result in
instrumentation external internal skill Oh again I said you know plays a factor there right requires a little skill and there's a can of tact work you know from my perspective I think the likely that goes up significantly it also than anybody the role you download the Metasploit will start hitting my website to try to find the vulnerability pretty easy to do the countermeasures so the countermeasures can in decrement right it's the reduce the potential impacts about that counters in place that helped me worry about this less what hopefully does but I think there are some examples where you know a lot of countermeasures and the effectiveness probably doesn't get changed too much I think efficient right
So how many people have been phished in their lives, right? Everybody has, right? Anybody [unclear] before? Right. So, you know, you can have training, you've got to do it this way, you do endpoint protection, but phishing for some reason still seems to work. And everybody does all those things, right, and you still see successful phishing attacks in organizations. Absolutely, right? So the likelihood of success, even though you have all those controls in place, doesn't get changed all that much. That's okay, right? That's just part of the risk model. So we've just got to think around that: how else can we mitigate the attack, [unclear], and then react to it, right, when that happens.
Zero days, for example. I think, you know, an external website [unclear], we know nobody [unclear], right, but as soon as that vulnerability comes up, [unclear] they exploit with it. So no countermeasures, and my guess is a zero day is going to be almost certain. Okay, we can assume that. But how do you protect yourself? Stop patching, right? That's one way of doing it. But what zero day really means is that there's an exploit that's not reported to the vendor, it's not patched, so, yeah, hope for the best. So we put it all together, right? Put it all together says that, hey, now we've got my assets,
so now I'm going to enumerate the threats against the assets. This is a pretty simplistic view. I would probably... I mean, that's why you'd have it in a much bigger spreadsheet. I'm breaking out the attack evaluation from the impact. So again we've got the asset; now we're gonna tie in and enumerate the attacks against it with the likelihood that we came up with in the previous slide, right? So probably the same line, or wherever you want to do it. And then against that model we have the impact, and where they intersect: so if I had unlikely with a moderate... major impact, I have a moderate risk. Then, depending on the organization, do you care about moderate risks, or do you care about
the extreme? I would say probably most organizations do that backwards: extreme, we don't have a mitigating control in place and it's highly, highly risky; you would certainly probably start thinking about how do we protect that, how do we control or reduce that risk. And so again, phishing accounts payable, this would be likely, because we think that probably no matter how much training we do, there's always a way to do it. And I think of a phishing campaign... I mean, everyone's aware, like April 14th, an email that looks like it's from the IRS: this is gonna happen, right? So in fact, a major, and it'd be high. And then even those countermeasures, I said, are minimized, so
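The spreadsheet described above, as an added worked example that is not part of the talk: a small Python model of the assets × attacks register. The likelihood levels, impact levels and every matrix cell other than the two ratings the speaker gives (unlikely with major impact is moderate; likely with major impact is high) are assumptions, as are the sample assets and attacks, and the likelihood scoring is one constructed way to turn the attributes the talk lists (external versus internal exposure, skill required, canned tooling, countermeasures) into a level. The phishing case carries the speaker's point that controls exist but barely move the likelihood.

```python
"""Qualitative risk register: assets x attacks -> likelihood x impact -> risk.

Constructed example, not the talk's own spreadsheet. The matrix values are
assumptions chosen so that the two ratings given in the talk hold:
unlikely x major = moderate, likely x major = high.
"""
from dataclasses import dataclass

LIKELIHOOD = ["Unlikely", "Possible", "Likely", "Almost certain"]
IMPACT = ["Minor", "Moderate", "Major", "Severe"]
RISK_RANK = {"Low": 0, "Moderate": 1, "High": 2, "Extreme": 3}

# Rows: likelihood (index into LIKELIHOOD); columns: impact (index into IMPACT).
RISK_MATRIX = [
    ["Low",      "Low",      "Moderate", "High"],     # Unlikely
    ["Low",      "Moderate", "Moderate", "High"],     # Possible
    ["Moderate", "Moderate", "High",     "Extreme"],  # Likely
    ["Moderate", "High",     "Extreme",  "Extreme"],  # Almost certain
]


@dataclass(frozen=True)
class Attack:
    name: str
    external: bool                # reachable from outside the perimeter
    low_skill: bool               # needs little skill to carry out
    canned_tooling: bool          # an off-the-shelf tool exists for it
    countermeasure_strength: int  # 0..3 likelihood steps the controls remove
    # Some attacks (phishing) keep succeeding despite training, filtering and
    # endpoint protection, so their controls are capped at one step of reduction.
    controls_rarely_change_outcome: bool = False


def likelihood(attack: Attack) -> str:
    """Exposure attributes raise the score; countermeasures lower it (assumed scoring)."""
    exposure = int(attack.external) + int(attack.low_skill) + int(attack.canned_tooling)
    reduction = attack.countermeasure_strength
    if attack.controls_rarely_change_outcome:
        reduction = min(reduction, 1)
    score = max(0, min(len(LIKELIHOOD) - 1, exposure - reduction))
    return LIKELIHOOD[score]


def risk(likelihood_label: str, impact_label: str) -> str:
    """Look up the cell where likelihood and impact intersect."""
    return RISK_MATRIX[LIKELIHOOD.index(likelihood_label)][IMPACT.index(impact_label)]


def build_register(assets):
    """assets: {asset_name: [(Attack, impact_label), ...]} -> rows sorted worst-first."""
    rows = []
    for asset, threats in assets.items():
        for attack, impact in threats:
            lik = likelihood(attack)
            rows.append({"asset": asset, "attack": attack.name,
                         "likelihood": lik, "impact": impact,
                         "risk": risk(lik, impact)})
    rows.sort(key=lambda r: RISK_RANK[r["risk"]], reverse=True)
    return rows


# Constructed sample inventory (hypothetical assets and attacks).
PHISHING_AP = Attack("Phishing accounts payable", external=True, low_skill=True,
                     canned_tooling=True, countermeasure_strength=2,
                     controls_rarely_change_outcome=True)
ZERO_DAY_WEB = Attack("Zero-day against public website", external=True, low_skill=True,
                      canned_tooling=True, countermeasure_strength=0)
INSIDER_TAMPER = Attack("Insider tampers with payment file", external=False,
                        low_skill=True, canned_tooling=False, countermeasure_strength=1)

SAMPLE_ASSETS = {
    "Accounts payable process": [(PHISHING_AP, "Major"), (INSIDER_TAMPER, "Major")],
    "Public website": [(ZERO_DAY_WEB, "Major")],
}

if __name__ == "__main__":
    for row in build_register(SAMPLE_ASSETS):
        print(f"{row['risk']:<9} {row['asset']:<26} {row['attack']:<36} "
              f"{row['likelihood']} / {row['impact']}")
```

Running the register sorts the zero-day (no countermeasures, so almost certain) to the top as extreme, the phishing case as high even though two steps of controls nominally exist, and the insider case as moderate; the sort order is what a team would use to decide which moderate and high rows it cares about.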
Final thoughts. So, to wrap this up: this in my mind was rather simplistic, so hopefully, and I mean hopefully, everybody can see where you can really start getting complex on this, right? Because if you have an infinite number of attacks and a pretty big number of assets, you've got to map those all together, and that evaluation gets pretty hairy pretty quick, right? So I tried to keep it simple, because it's a good place to start. So if you're not even doing anything, why not look at it and [unclear] that, right? Rather than do nothing, it's a good place to start. Doing that can be difficult, but most importantly it's kind of clarity, right? It helps prioritize, it helps us to see
clearly, know what our most risky areas are that we're concerned about, what our most important assets are that we need to protect. Do we have protection mechanisms behind those? Are they adequate? Do we have the right staff? Is it great technology? And in my mind I just think about the problem being kind of threefold, right: people, process, technology. So I think you can deploy technology, but if it's not employed right, it's not at work. I've got a great example: standing up my first SIEM, and things were going right, we're kind of detecting some stuff; like day two it was like, hey, it's not really working like we thought it would, we should be getting a lot more stuff from our intrusion detection
sensors. Well, the intrusion detection sensors had been in place for like four years; they'd been misconfigured [unclear], so for four years the IDSes were doing nothing, nothing for us, right? It took the SIEM to discover that, right? So a misconfiguration like that happens, right? So it was not a proper application of people, process and technology. We had a gap; we thought we had protection, we thought we had a countermeasure in place. It's also due diligence, right? At least at some point, if something bad does happen, we can say, I think we did a risk analysis. You know, is that gonna cover your [unclear] after that? I don't know, but, you know, somebody can say we did it,
and then it gives you at least some mechanism to say, hey, we missed something. Maybe there's a gap in our threat model, a gap in our risk assessment, or maybe even a gap in our risk tolerance as an organization. Maybe the organization said, you know what, we're okay with that risk [unclear]. All right, you got burned on that: hey, let's look at that risk tolerance. Since we were okay with that, this happened, and we're not happy now; what are we gonna change in our risk tolerance to make sure that doesn't happen again? And you can use this [unclear], right? So we talked about people using it in their software; I said, well, great, that's awesome. You can use it for security assessments,
penetration testing, risk assessments; a lot of that has applicability there. You know, the bottom line, I think [unclear]. Does anyone else in here use a commercial modeling tool? There are commercial tools out there; it's different. There's qualitative analysis versus quantitative, or I'll give either side of the fence: do we do quantitative? There's really... there's nothing... you can get solid results if you do quantitative analysis; however, I think the problem is the amount of data and definition to get up front, to put that quantitative value on each of these different steps, right? This is kind of easy, right? It's good to say, yeah, I mean, well, and
map it all together, right? First, second, third tier, I mean, where they intersect: care, don't care. But then again, [unclear], you know, at one organization we had a CFO, and right, but I mean [unclear], yeah, but it's there, and [unclear]. You can't argue these qualitative... you know, how do you come up with that? What do you say the input for that is?
If this is my airport, they've got the big Internet Explorer window up on the [unclear]; it's supposed to be in that, like that, for like two days, and I flew there with someone that would [unclear] this way.
Oh, maybe you're working there now. Well, this is one of their... naturally inquisitive. So I've also... the thing, the hardened box has got a [unclear] on it. That's a... you know, put in your particular flavor, but do you expect that to have... no, you know, they're, you know... like I said, there's a number of factors to evaluate risk, you know, something like [unclear], right? I think a lot of really good technical engineers, like the guys that are here, you probably think of Windows 98, [unclear], right? Not processes we're running; this every time, pretty, pretty solid OS, even though it's not being used and out of support, not patched for like decades, right, [unclear] the registry. So, so if I'm running Windows 98, should you run away from that evaluation, right? I can put countermeasures in place to protect
something. So maybe highly risky to begin with; well, with that I might start applying all these protection mechanisms. Someone asked me once how I would build a little, like, low... secure network, and I thought, hmm, now I'd probably put the computer on a router and some cabling and a good switch, and I would keep it powered off with no access to it, but it does absolutely nothing for you, right? So there's that trade-off in security, right: it was easy, easy to use, and a meaningful person... secure. But I think ratchet security pretty high, but that probably means people aren't maybe getting a lot of stuff done. Yeah. So, no, I think that... I would say, like, [unclear], to your point, is
that, like, some of those tables that you got up there about, you know, what is the likelihood, what is the threat, what are we doing to mitigate it: if you're working in an organization where, you know, depending on the maturity, if people aren't thinking about that kind of stuff, those tables and spreadsheets and stuff, there's tons of pre-built ones, like, online, and you can go and, like, start evaluating what your company is doing and, you know, seeing [unclear]. That's how sometimes security positions get started in organizations. Yes, CIS [unclear], they've got some great frameworks and great tools, open source spreadsheets, great places to start, right? So you think, oh my gosh, how can I even think about...
There's got to be a million different threats and attacks against me. Well, they've got all those enumerated out, right? So start there, right, and then marry that up with the work, like the simple [unclear] did on your business continuity work. So someone sat up there and said, hey, this is most important to my business. Let's do that together.