If organizations want to be able to defend themselves from the risks that matter the most to their business, they need to understand the actual threats they face and the vulnerabilities those adversaries are most likely to exploit.
There’s no better way to do this than through threat modeling.
The reality is, however, that most organizations not only don’t threat model, they don’t have the pieces in place to even start. What do I mean? They don’t know what data they have, haven’t attempted to assign value to it, and don’t understand where all of their data reside or what systems they have in place.
Consider this: A global security survey conducted by PwC and CSO found that about 17 percent of the respondents classified the business use of their data, while 20 percent had procedures dedicated to protecting intellectual property, and only 26 percent even inventoried assets or conducted asset management.
These organizations don’t know the nature and number of systems running in their environment, and they don’t understand the sophistication of the threats that are aligned against their data and business-technology systems.
So how can enterprises get better at managing their risks? They need to threat model, of course. But even before they get to threat modeling, they need to tackle the basics. They need to take the steps to quantify their data and systems based on their value to the company and the risk to the business if they are compromised. After doing this, organizations will have a much better sense of their environment, their data, and their value to the business.
Next up: understand the value of the different types of data to adversaries and likely attackers.
What types of attackers would be interested in targeting your enterprise? Almost any enterprise is a likely target for competitors and ordinary data thieves. These types of breaches can decimate trust with customers, destroy revenue-generating applications and systems, provide competitors with unlawfully gained insight, drain bank accounts, and bring all types of other havoc.
Other types of attackers also can affect businesses, including extortionists, nation-state attackers, and activist hackers or hacktivists. To adequately and efficiently secure any enterprise, it’s crucial that security teams understand how these different types of threat actors target and threaten enterprises.
Only when the threats are understood clearly, along with the data and systems likely to be targeted, can organizations better take the steps necessary to strengthen the weaknesses in their defenses. It’s rather silly, in fact, to start buying technology and putting in place the processes and defenses necessary to secure data and systems until these exercises are first completed.
Consider threat modeling your map to help guide your security and risk management program so you can determine what risks threaten what assets and know what controls should be in place. Enterprises that don’t threat model are in danger of not adequately spending to protect those systems, overspending to protect data and systems, spending on the wrong things, or responding poorly to ever-changing threats hitting the headlines.
So how do you threat model? It is a book-worthy topic. But, from a very high level, you need to pick a system or application — or if your organization is small enough the entire organization — and determine the value of systems and the threats they face. After that, you decide how they must be secured with those considerations in mind.
The app or system must be reviewed for how it works, what data it holds or manages, how traffic flows through it, what its dependencies are, how users and systems are authenticated, and so on. Does the system handle regulated data? Are the data sensitive to your business, partners, or customers if stolen? It’s difficult to provide details on how to threat model without looking at a specific system or application. That’s why the resources listed below cover what you need to know about threat modeling and where to start.
After the application or system is understood for its value and risk, it’s time to look at who could potentially target it. Are there financial data that would be a juicy target for data thieves? Are there data that could be used in identity theft? Are the data (or your business) a potential political target for activists? Could the data your organization possesses be used to levy attacks against partners or customers? There are many more threat actors to think about than simply financial attackers and fraudsters.
After the application and its security needs are understood, examine the app and system for potential vulnerabilities and attack vectors.
After all that is completed, it’s time to determine the proper security controls to put into place. What kinds of tests (vulnerability, logic, etc.) need to be run against the system? What about encryption and the types of authentication? Are there ways to simplify the system?
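The steps above (inventory the systems and the data they hold, value them, decide which actors want that data, list the vectors against each system, then pick controls) can be carried through in a small risk register. The following is an added example written for this article; it is not the author's method or any vendor's or framework's tool, and every asset, actor, vector and 1-to-5 score in it is a constructed sample value. The scoring rule (likelihood = actor capability × motivation × residual exposure; risk = likelihood × business impact) is a deliberately simple heuristic chosen for the illustration. The `with_control` what-if shows the last step: re-rank after a proposed control to see whether it actually moves the top risk.

```python
"""Lightweight threat-model register (added example; constructed sample data)."""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    data_classes: frozenset     # kinds of data held, e.g. {"pii", "financial"}
    business_value: int         # 1 (low) .. 5 (critical) impact if compromised
    regulated: bool             # holds regulated data (adds one to impact, capped at 5)


@dataclass
class ThreatActor:
    name: str
    capability: int             # 1 .. 5, technical sophistication
    interests: dict             # data class -> motivation 1 .. 5 (absent = no interest)


@dataclass
class Vector:
    name: str
    asset: str                  # Asset.name this vector applies to
    exposure: int               # 1 .. 5, how exploitable with no controls at all
    control_effectiveness: int  # 0 .. 5, how much existing controls reduce exposure


@dataclass
class RiskEntry:
    asset: str
    actor: str
    vector: str
    likelihood: int
    impact: int
    risk: int


def impact_of(asset: Asset) -> int:
    """Business impact: stated value, plus one for regulated data, capped at 5."""
    return min(5, asset.business_value + (1 if asset.regulated else 0))


def motivation_of(actor: ThreatActor, asset: Asset) -> int:
    """How much this actor wants the most attractive data class on the asset."""
    return max((actor.interests.get(dc, 0) for dc in asset.data_classes), default=0)


def residual_exposure(vector: Vector) -> int:
    """Exposure left after existing controls; never below 1 (no control is perfect)."""
    return max(1, vector.exposure - vector.control_effectiveness)


def rank_risks(assets, actors, vectors):
    """Score every (asset, actor, vector) combination, highest risk first.
    Combinations where the actor has no interest in the asset's data are dropped."""
    by_name = {a.name: a for a in assets}
    entries = []
    for vec in vectors:
        asset = by_name[vec.asset]
        for actor in actors:
            motivation = motivation_of(actor, asset)
            if motivation == 0:
                continue
            likelihood = actor.capability * motivation * residual_exposure(vec)
            impact = impact_of(asset)
            entries.append(RiskEntry(asset.name, actor.name, vec.name,
                                     likelihood, impact, likelihood * impact))
    return sorted(entries, key=lambda e: e.risk, reverse=True)


def with_control(vectors, vector_name, added_effectiveness):
    """What-if: strengthen the controls on one vector and return the updated list."""
    return [Vector(v.name, v.asset, v.exposure,
                   min(5, v.control_effectiveness + added_effectiveness))
            if v.name == vector_name else v
            for v in vectors]


# Constructed sample inventory: hypothetical systems, actors and scores.
ASSETS = [
    Asset("payments-api", frozenset({"financial", "pii"}), 5, True),
    Asset("hr-portal", frozenset({"pii"}), 4, True),
    Asset("marketing-site", frozenset({"public"}), 2, False),
]
ACTORS = [
    ThreatActor("data thief", 3, {"financial": 5, "pii": 4}),
    ThreatActor("competitor", 2, {"ip": 5, "financial": 2}),
    ThreatActor("hacktivist", 2, {"public": 4, "pii": 2}),
]
VECTORS = [
    Vector("SQL injection in search endpoint", "payments-api", 4, 1),
    Vector("credential stuffing on login", "payments-api", 3, 3),
    Vector("weak admin password", "hr-portal", 5, 0),
    Vector("defacement via outdated CMS", "marketing-site", 3, 2),
]


if __name__ == "__main__":
    for e in rank_risks(ASSETS, ACTORS, VECTORS)[:3]:
        print(f"{e.risk:4d}  {e.asset:15s} {e.actor:12s} {e.vector}")
    # Re-rank after a proposed control (e.g. MFA) on the top vector.
    improved = with_control(VECTORS, "weak admin password", 4)
    for e in rank_risks(ASSETS, ACTORS, improved)[:3]:
        print(f"{e.risk:4d}  {e.asset:15s} {e.actor:12s} {e.vector}")
```

With the sample values the top risk is not the crown-jewel payments API but the HR portal, because an uncontrolled vector against regulated PII outweighs a partially mitigated one against the more valuable system; a single strong control on that vector drops it out of the top three. That is the point of doing the valuation and actor analysis before buying anything: the spending priority falls out of the model rather than out of the headlines.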
Threat modeling has gained more popularity recently, but it’s not a new concept in some vertical markets, such as banks, financial services, and those in critical infrastructure or the delivery of critical services.
I think it is a practice that is worthwhile for any organization that has data worth protecting to conduct.
Here are some additional resources that will help you get there:
Some Starting Threat Modeling Resources
Beyond Continuous Monitoring: Threat Modeling for Real-time Response.
The SANS Institute has an excellent paper on Threat Monitoring and Real Time Response.
The Open Web Application Security Project (OWASP) Foundation has an overview of a number of leading threat modeling frameworks.
The Microsoft Threat Analysis and Modeling tool
According to Microsoft, this tool enables organizations to utilize known information, including business requirements and application architecture, to produce a threat model.
The OCTAVE methodology from the CERT Division of Carnegie Mellon University’s Software Engineering Institute.
Threat Modeling: Designing for Security
An excellent, accessible book on threat modeling by Adam Shostack.
George V. Hulme is an internationally recognized information security and business technology writer. For more than 20 years Hulme has written about business, technology, and IT security topics. From March 2000 through March 2005, as senior editor at InformationWeek magazine, he covered the IT security and homeland security beats. His work has appeared in CSOOnline, ComputerWorld, Network Computing, Government Computer News, Network World, San Francisco Examiner, TechWeb, VARBusiness, and dozens of other technology publications.