The Inner Circle

Hi there, hopefully you can help.

I am researching the best way to do security threat modelling while all participants are working remotely.

My question is, has anyone successfully done this before? Normally everyone is in the same office room with a lots of yellow post-it, discussing threats, categorising them and prioritising them.

I'm trying to make the process as easy and as slick as possible. I've got the video conference software sorted but was wondering if you can recommend templates or something similar to help facilitate the process.

If so, what would you recommend?

Thanks in advance!

------------------------------
Rowan
------------------------------

This is all we do in the open source world. I am running 2 such fully remote assessments currently. I don't have templates but check out this site for real world examples:
https://github.com/cncf/tag-security/tree/main/assessments/projects

as to specific tool we heavily use google docs and sheets and github and if you want to use sticky notes, github and jira and trello all have Kanban board views.

use the MITRE ATT&CK tool online to scaffold the discussion.

happy to lead an open session for anyone who wants to see how it all works first hand. Just send me your contact info or post a reply here.

------------------------------
Robert Ficcaglia
CTO
SunStone Secure, LLC
------------------------------

Original Message:
Sent: Aug 20, 2021 07:56:20 AM
From: Rowan Sheridan
Subject: Threat Modelling with remote participants

Hi there, hopefully you can help.

I am researching the best way to do security threat modelling while all participants are working remotely.

My question is, has anyone successfully done this before? Normally everyone is in the same office room with a lots of yellow post-it, discussing threats, categorising them and prioritising them.

I'm trying to make the process as easy and as slick as possible. I've got the video conference software sorted but was wondering if you can recommend templates or something similar to help facilitate the process.

If so, what would you recommend?

Thanks in advance!

------------------------------
Rowan
------------------------------

Thanks Robert, I'll pm you my details it would be good to get a view on how it all works first hand.

------------------------------
Rowan Sheridan
it
it
------------------------------

Original Message:
Sent: Aug 23, 2021 08:39:07 AM
From: Robert Ficcaglia
Subject: Threat Modelling with remote participants

This is all we do in the open source world. I am running 2 such fully remote assessments currently. I don't have templates but check out this site for real world examples:
https://github.com/cncf/tag-security/tree/main/assessments/projects

as to specific tool we heavily use google docs and sheets and github and if you want to use sticky notes, github and jira and trello all have Kanban board views.

use the MITRE ATT&CK tool online to scaffold the discussion.

happy to lead an open session for anyone who wants to see how it all works first hand. Just send me your contact info or post a reply here.

------------------------------
Robert Ficcaglia
CTO
SunStone Secure, LLC

Original Message:
Sent: Aug 20, 2021 07:56:20 AM
From: Rowan Sheridan
Subject: Threat Modelling with remote participants

Hi there, hopefully you can help.

I am researching the best way to do security threat modelling while all participants are working remotely.

My question is, has anyone successfully done this before? Normally everyone is in the same office room with a lots of yellow post-it, discussing threats, categorising them and prioritising them.

I'm trying to make the process as easy and as slick as possible. I've got the video conference software sorted but was wondering if you can recommend templates or something similar to help facilitate the process.

If so, what would you recommend?

Thanks in advance!

------------------------------
Rowan
------------------------------

I've done threat modeling with remote participants using the STRIDE method.  It's pretty simple to teach.  Also, I've setup the template on company's Confluence since that is where we keep all our documentation.  Happy to help in anyway possible.

------------------------------
Sai Honig CISSP, CCSP


Wellington
------------------------------

Original Message:
Sent: Aug 20, 2021 07:56:20 AM
From: Rowan Sheridan
Subject: Threat Modelling with remote participants

Hi there, hopefully you can help.

I am researching the best way to do security threat modelling while all participants are working remotely.

My question is, has anyone successfully done this before? Normally everyone is in the same office room with a lots of yellow post-it, discussing threats, categorising them and prioritising them.

I'm trying to make the process as easy and as slick as possible. I've got the video conference software sorted but was wondering if you can recommend templates or something similar to help facilitate the process.

If so, what would you recommend?

Thanks in advance!

------------------------------
Rowan
------------------------------

Hi Sai, 

Thank you for your reply. Would it be possible to send me a copy of the template you've set up?

Thanks,
Rowan

------------------------------
Rowan Sheridan
it
it
------------------------------

Original Message:
Sent: Aug 23, 2021 01:30:16 PM
From: Sai Honig
Subject: Threat Modelling with remote participants

I've done threat modeling with remote participants using the STRIDE method.  It's pretty simple to teach.  Also, I've setup the template on company's Confluence since that is where we keep all our documentation.  Happy to help in anyway possible.

------------------------------
Sai Honig CISSP, CCSP


Wellington

Original Message:
Sent: Aug 20, 2021 07:56:20 AM
From: Rowan Sheridan
Subject: Threat Modelling with remote participants

Hi there, hopefully you can help.

I am researching the best way to do security threat modelling while all participants are working remotely.

My question is, has anyone successfully done this before? Normally everyone is in the same office room with a lots of yellow post-it, discussing threats, categorising them and prioritising them.

I'm trying to make the process as easy and as slick as possible. I've got the video conference software sorted but was wondering if you can recommend templates or something similar to help facilitate the process.

If so, what would you recommend?

Thanks in advance!

------------------------------
Rowan
------------------------------

Hello Sai,

Would appreciate it if you could share the template, we are yet start-up with this method.

Regards,
Shyam M

------------------------------
Shyam Muthiah
PIS
SST
------------------------------

Original Message:
Sent: Aug 23, 2021 01:30:16 PM
From: Sai Honig
Subject: Threat Modelling with remote participants

I've done threat modeling with remote participants using the STRIDE method.  It's pretty simple to teach.  Also, I've setup the template on company's Confluence since that is where we keep all our documentation.  Happy to help in anyway possible.

------------------------------
Sai Honig CISSP, CCSP


Wellington

Original Message:
Sent: Aug 20, 2021 07:56:20 AM
From: Rowan Sheridan
Subject: Threat Modelling with remote participants

Hi there, hopefully you can help.

I am researching the best way to do security threat modelling while all participants are working remotely.

My question is, has anyone successfully done this before? Normally everyone is in the same office room with a lots of yellow post-it, discussing threats, categorising them and prioritising them.

I'm trying to make the process as easy and as slick as possible. I've got the video conference software sorted but was wondering if you can recommend templates or something similar to help facilitate the process.

If so, what would you recommend?

Thanks in advance!

------------------------------
Rowan
------------------------------

Hi Rowan,

I participated in a threat modeling workshop where we used a Confluence site created for the activity. Each team had a dedicated confluence page and each participant had a dedicated page - these were used for lab exercises. Access rights to the pages were given accordingly. The site was used for sharing the threat diagram (with application architecture, which we were going to threat model); the threat matrix and threat analysis table. The lectures and the sessions themselves were held via zoom. Zoom also has the feature of breaking a meeting into different break rooms, each dedicated to one team. Hope this helps.

Regards,
Rima

------------------------------
Rima Bose
Vice President
J P Morgan Chase & Co
------------------------------

Original Message:
Sent: Aug 20, 2021 07:56:20 AM
From: Rowan Sheridan
Subject: Threat Modelling with remote participants

Hi there, hopefully you can help.

I am researching the best way to do security threat modelling while all participants are working remotely.

My question is, has anyone successfully done this before? Normally everyone is in the same office room with a lots of yellow post-it, discussing threats, categorising them and prioritising them.

I'm trying to make the process as easy and as slick as possible. I've got the video conference software sorted but was wondering if you can recommend templates or something similar to help facilitate the process.

If so, what would you recommend?

Thanks in advance!

------------------------------
Rowan
------------------------------

Hi .. not sure if it helps anything. We work with partners that actually does what Robert F. (above) is doing - one using a different toolset. They also use ZafePass (see https://zafehouze.com/what-we-do ) to have all app's for all external users controlled in the way the application should work / be managed. These apps will show in ZafePass as menu items - and the security around this environment is second to none. we can guarantee no-one except the ones you provide the login will be able to gain access to the environment. Just a security option if the client requires a fully confidential environment. 
Kr,
[email protected]

------------------------------
Niels E. Anqvist
CEO/President
ZAFEHOUZE USA / ZAFEHOUZE EMEA
------------------------------

Original Message:
Sent: Aug 25, 2021 05:23:58 AM
From: Rima Bose
Subject: Threat Modelling with remote participants


Hi Rowan,

I participated in a threat modeling workshop where we used a Confluence site created for the activity. Each team had a dedicated confluence page and each participant had a dedicated page - these were used for lab exercises. Access rights to the pages were given accordingly. The site was used for sharing the threat diagram (with application architecture, which we were going to threat model); the threat matrix and threat analysis table. The lectures and the sessions themselves were held via zoom. Zoom also has the feature of breaking a meeting into different break rooms, each dedicated to one team. Hope this helps.

Regards,
Rima

------------------------------
Rima Bose
Vice President
J P Morgan Chase & Co

Original Message:
Sent: Aug 20, 2021 07:56:20 AM
From: Rowan Sheridan
Subject: Threat Modelling with remote participants

Hi there, hopefully you can help.

I am researching the best way to do security threat modelling while all participants are working remotely.

My question is, has anyone successfully done this before? Normally everyone is in the same office room with a lots of yellow post-it, discussing threats, categorising them and prioritising them.

I'm trying to make the process as easy and as slick as possible. I've got the video conference software sorted but was wondering if you can recommend templates or something similar to help facilitate the process.

If so, what would you recommend?

Thanks in advance!

------------------------------
Rowan
------------------------------

Hi Rowan,

I hope you are well, we have just began running remote threat modelling workshop with our teams at ITV. We found we have success using Miro boards (https://miro.com/about/), they're very interactive and collaborative for everyone involved in the workshop.  Plus it includes lots of integrations to other applications which helps tracking the lifecycle of the identified threats. 

Hope the above helps. 

Gareth

------------------------------
Gareth Williams
Cyber Security Analyst
ITV Plc
------------------------------

Original Message:
Sent: Aug 20, 2021 07:56:20 AM
From: Rowan Sheridan
Subject: Threat Modelling with remote participants

Hi there, hopefully you can help.

I am researching the best way to do security threat modelling while all participants are working remotely.

My question is, has anyone successfully done this before? Normally everyone is in the same office room with a lots of yellow post-it, discussing threats, categorising them and prioritising them.

I'm trying to make the process as easy and as slick as possible. I've got the video conference software sorted but was wondering if you can recommend templates or something similar to help facilitate the process.

If so, what would you recommend?

Thanks in advance!

------------------------------
Rowan
------------------------------