Episode 203 - Evaluating Your Security Program: Threat Mapping

  1. Why Evaluate Your Program
    1. Part of annual policy review
    2. If you don’t evaluate you will never improve
    3. Continual review will help protect your budget
  2. Start At The Outside and Move Your Way In
    1. Awareness and education are how most people in your org know the program
    2. Threat Mapping maps the outside threats to your inside controls & tech
    3. Communications is that final turn from the inside out
  3. What is “Threat Mapping”?
    1. How is this different from threat modeling?
    2. Threat modeling is listing what could happen to you.
    3. Threat mapping is mapping the holes in your program.
  4. How To Get Started
    1. Must have an asset management program
      1. You can’t protect what you don’t know about
      2. This isn’t “I have a CMDB”. It’s actually taking actions based on what you know about what you have
    2. Understand what your “real” threats are
      1. Map assets to known threats
      2. What are you doing to know this?
        1. industry
        2. entry points
        3. technology
        4. Online threat maps
      3. What controls do you currently have in place to mitigate or reduce the risk?
    3. Scope and prioritize - break down into areas to tackle
      1. Apps
      2. Infrastructure
      3. 3rd parties
      4. etc.
  5. How To Measure
    1. Scorecard (key risk indicators, KRIs)
      1. What is important and helpful
    2. Risk Registry
  6. How To Improve/Modify
    1. Use your risk registry or GRC tool to track progress and keep management updated. You need them on board to improve.
    2. Once you have some areas mapped don’t ignore them
    3. Implement solid change control and change management processes
    4. Keep risk scores updated so you aren’t focusing on unimportant things
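A worked illustration of sections 4 through 6 above, added here as an example and not part of the episode or its show notes: an asset inventory is matched against a threat catalog by entry point and technology, each applicable threat is checked against the controls actually in place for that asset, the uncovered pairs become the "holes" in the program, and those holes are scored (likelihood x impact) into a prioritized risk register with a per-area coverage KRI for the scorecard. All asset, threat and control names and the 1..5 scores are constructed sample values; the data model is an assumption, not a standard the episode prescribes.

```python
"""Threat mapping: assets x applicable threats x controls in place -> gaps, risk register, KRI.

All sample data below is constructed for illustration; names and scores are not from any real environment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    area: str                 # scoping bucket: "apps", "infrastructure", "3rd parties"
    entry_points: frozenset   # how the asset can be reached, e.g. {"internet"} or {"internal"}
    technology: frozenset     # stack tags used to decide which threats apply
    impact: int               # business impact 1..5, taken from the asset inventory


@dataclass(frozen=True)
class Threat:
    name: str
    entry_points: frozenset        # threat applies if the asset exposes any of these
    technology: frozenset          # threat applies if the asset runs any of these (empty = any stack)
    likelihood: int                # 1..5, from industry reporting / threat intel
    mitigating_controls: frozenset # any one of these in place counts as coverage


def threat_applies(asset, threat):
    """A threat is 'real' for an asset when entry point and (if specified) technology both match."""
    if not (asset.entry_points & threat.entry_points):
        return False
    return not threat.technology or bool(asset.technology & threat.technology)


def threat_map(assets, threats, controls):
    """Return (covered, gaps); each entry is (asset, threat, controls_that_mitigate_it)."""
    covered, gaps = [], []
    for asset in assets:
        in_place = controls.get(asset.name, frozenset())
        for threat in threats:
            if not threat_applies(asset, threat):
                continue
            hits = in_place & threat.mitigating_controls
            (covered if hits else gaps).append((asset, threat, hits))
    return covered, gaps


def risk_register(gaps):
    """Score every uncovered asset/threat pair as likelihood x impact, highest risk first."""
    rows = [{"asset": a.name, "threat": t.name, "area": a.area,
             "score": t.likelihood * a.impact} for a, t, _ in gaps]
    return sorted(rows, key=lambda r: (-r["score"], r["asset"], r["threat"]))


def scorecard(covered, gaps):
    """KRI: percent of applicable threats covered by at least one control, per scoping area."""
    counts = {}  # area -> [covered, total]
    for a, _, _ in covered:
        counts.setdefault(a.area, [0, 0])
        counts[a.area][0] += 1
        counts[a.area][1] += 1
    for a, _, _ in gaps:
        counts.setdefault(a.area, [0, 0])
        counts[a.area][1] += 1
    return {area: round(100 * c / n) for area, (c, n) in counts.items()}


# Constructed sample inventory, threat catalog and control mapping.
ASSETS = [
    Asset("customer-portal", "apps", frozenset({"internet"}), frozenset({"web", "java"}), 5),
    Asset("payroll-saas", "3rd parties", frozenset({"internet"}), frozenset({"saas"}), 4),
    Asset("vpn-gateway", "infrastructure", frozenset({"internet"}), frozenset({"network"}), 5),
    Asset("file-server", "infrastructure", frozenset({"internal"}), frozenset({"windows"}), 3),
]
THREATS = [
    Threat("web app exploitation", frozenset({"internet"}), frozenset({"web"}), 4,
           frozenset({"waf", "sast", "patching"})),
    Threat("credential stuffing", frozenset({"internet"}), frozenset(), 5,
           frozenset({"mfa", "rate-limiting"})),
    Threat("ransomware via SMB", frozenset({"internal"}), frozenset({"windows"}), 3,
           frozenset({"edr", "patching", "backups"})),
    Threat("vendor compromise", frozenset({"internet"}), frozenset({"saas"}), 3,
           frozenset({"vendor-assessment", "sso"})),
]
CONTROLS = {  # controls actually deployed per asset, not what the CMDB says should be there
    "customer-portal": frozenset({"waf", "mfa"}),
    "payroll-saas": frozenset({"sso"}),
    "vpn-gateway": frozenset(),
    "file-server": frozenset({"edr"}),
}


def run_sample():
    covered, gaps = threat_map(ASSETS, THREATS, CONTROLS)
    return risk_register(gaps), scorecard(covered, gaps)


if __name__ == "__main__":
    register, kri = run_sample()
    for row in register:
        print(f"{row['score']:>3}  {row['area']:<15} {row['asset']:<16} {row['threat']}")
    print("coverage KRI by area:", kri)
```

Re-running this after every inventory, threat or control change is what keeps the risk scores current (section 6): a new internet-facing asset with no controls recorded lands at the top of the register automatically, and an area whose KRI drops is the one to revisit first.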