In April I discussed the IT Infrastructure Threat Modeling Guide (then in beta), a Solutions Accelerator I've written with the Solution Accelerators for Security and Compliance team.
The IT Infrastructure Threat Modeling Guide is now available for download via the Technet Library and the Download Center.
Networkworld's kind coverage of the guide's release provides additional insight.
Purpose of this Guide:
Provide an easy-to-understand method that enables IT professionals to develop threat models for their environments and prioritize their investments in IT infrastructure security.
IT infrastructure threat modeling should be incorporated into an organization's IT mindset as a matter of policy, much like any other part of the validation, implementation, and installation process. Threat modeling in the name of secure infrastructure should be performed throughout the technology implementation process, much like any other component that is measured for performance, usability, and availability.
This guide maps directly to SDL guidance and marries threat modeling infrastructure to a sound, existing framework.
This has been quite an effort and a valuable learning experience for me.
I'd like to thank the following for their contributions, leadership, and effort during this process:
Kelly Hengesteg, Steve Wacker, Karina Larson, Adam Shostack, Frank Simorjay, Jeff Sigman, Chase Carpenter, Sumit Parikh, and Shruti Kala.
To the numerous people who reviewed and provided feedback, thank you as well.
When you use a structured method as described in this guidance to develop threat models for your IT infrastructure, you identify and mitigate threats to your environment in an efficient and effective manner.
It is the intent and hope of this guidance that the benefits of choosing to develop a threat model portfolio for your IT infrastructure will be many, and that a holistic state of security becomes commonplace for those who undertake the process.
I look forward to your feedback as you read the IT Infrastructure Threat Modeling Guide and hope to learn of your success stories as you utilize it to enhance security in your associated environments.
del.icio.us | digg | Submit to Slashdot
Please support the Open Security Foundation (OSVDB)
Russ McRee's HolisticInfoSec™ includes articles and research, as well as feedback and an occasional rant. HolisticInfoSec™ promotes standards, simplicity, tooling and efficiency in achieving holistic information security.
Subscribe to:
Post Comments (Atom)
-
Continuing where we left off in The HELK vs APTSimulator - Part 1 , I will focus our attention on additional, useful HELK features to ... -
toolsmith and HolisticInfoSec have moved. I've decided to consolidate all content on one platform, namely an R markdown blogdown sit...
-
Ladies and gentlemen, for our main attraction, I give you...The HELK vs APTSimulator, in a Death Battle! The late, great Randy "Macho...
No comments:
Post a Comment