Threat modeling needs a reset

Organizations need to rethink their approach to threat modeling or risk losing its value as a key defense in their cybersecurity arsenals.

The traditional approaches to threat modeling can be very effective, but they don’t scale well enough in the current computing and threat landscape. As more business operations shift to digital it becomes too time consuming to tackle all of an organization’s high-priority threats, leaving too many vulnerabilities unaddressed.

How can this process be streamlined? Organizations should start by realizing that they are doing threat modeling backwards, and that they need to reverse how these models are developed.

Modeling for a simpler time

In broad terms, threat modeling involves stepping back from the daily grind of security to get perspective on your systems, assess network and digital resources, identify vulnerabilities within the context of the threat landscape and prioritize plans that cover protection, response, remediation, and recovery. In some cases, a threat modeling team could consist mostly of security professionals and architects. In other cases, organizations could bring together a variety of stakeholders, including application owners, help desk personnel, administrators, and others.

Those teams have a number of well-defined frameworks to follow, such as STRIDE, which was developed at Microsoft in 1999. Threat modeling sessions typically start with something akin to a whiteboarding session, with security experts and stakeholders discussing risk factors and brainstorming ideas on what to do about them. And that’s what must change.

If you start your process with a blank slate every time by drawing diagrams of your system components and architecture on a whiteboard, you are already behind if the goal is to scale threat modeling across your applications.

As technology and digital systems become more pervasive in fast-evolving, cloud-based environments, a group of experts sitting in a room for a couple hours just cannot compete with increased threats being made against multiple systems. This is because a large organization can have hundreds of systems. To make matters even more challenging, new threat vectors are constantly emerging with the growth of the Internet of Things—covering everything from automobile and traffic lights to industrial control systems and connected products sitting in people’s living rooms.

In many ways, hardware vulnerabilities and the IoT constitute brand new ground, creating new types of targets such as, for example, the Colonial Pipeline. How could you model such an array of new attack vectors with the current, labor-intensive approach? The answer is: you couldn’t.

Cut to the chase

A nascent trend in the industry is to start the threat modeling process from the other end. Instead of starting with a whiteboard and a room full of people asked to think like hackers in trying to identify potential threats, organizations can scan their existing systems, incorporating data on current and likely threats.

The silver lining of digital transformation is that most systems have a way to expose data that can help you identify components or processes that introduce business risk. With structured data and tools to analyze it, security practitioners can quickly generate different models of their system risk to highlight threats, vulnerabilities, and weaknesses across the organization.

If you do this in an automated way that is repeatable, you can not only perform threat modeling on hundreds of applications simultaneously, but you can do it on a near real-time basis to continuously monitor the organization’s security posture, based on active systems.

Tools can automatically scan systems for metadata to model threats in a variety of areas, such as within source code repositories, cloud management tools and configuration management databases. And organizations can draw on commercial or open source databases of vulnerabilities associated with various technology components, such as the OWASP Top TenMITRE ATT&CK framework, and a host of databases put together by security providers.

By matching the technology assets found from those system scans to a database of known component weaknesses and vulnerabilities, an organization can quickly determine its baseline security posture. It can then build on top of it, deciding which vulnerabilities justify a full whiteboard brainstorming session. This approach would create a more efficient, effective way of applying threat modeling’s advantages to the full range of threats that an organization deems could pose the greatest risk factors.

Modeling for the future

Threat modeling’s time hasn’t passed – it’s still an incredibly valuable tool in addressing risks and vulnerabilities. But the established method of threat modeling slows down the entire process too much if you want to cover all of an organization’s operations.

A team of experts conducting a brainstorming session is still viable for what an organization might call its “crown jewels”—such as systems holding payment information or sensitive personal data. But the key is to identify those systems and vulnerabilities while getting a risk assessment of an entire organization.

By reversing the process—using automated tools and the wealth of threat information available to first assess risks enterprise-wide—an organization can address the full slate of high-risk threats more quickly, without any of them being overlooked.

It’s a trend that is beginning to emerge in the industry. Considering the continuing evolution of the computing and threat landscapes, it would be to everyone’s benefit if it catches on.