Using threat modeling to prove security success

Archie Agarwal shares experience and insights on how to move threat modeling from a confusing exercise to a powerful tool for security leaders

Do you threat model? If so, when and how do you use it? If not, why?

I’ve been fascinated with threat modeling for nearly two decades. My work advising non-security startups over the last few years really got me thinking about the possible role of threat modeling. Imagine a way for technical and business leaders -- without a formal background in security -- to rapidly assess threats against their minimum viable product. That’s a key first step, early in the process, to building security in.

From time to time I poke around on social media, looking for insights. Asking about threat modeling is how I met Archie Agarwal. Our initial discussion was packed with passion and energy.

Archie Agarwal (LinkedIn, @threatmodeler) is the Founder, CEO and Chief Technical Architect of ThreatModeler. He has leveraged his more than ten years of real-world experience in threat modeling and threat assessment to help numerous Fortune 1000 companies in setting up their threat modeling process. Archie has also created numerous threat models for web, mobile, cloud, IoT, SCADA, drone, aircraft, and various other systems and technologies for various companies. Through his experience, he has brought several innovative advancements to threat modeling field and is the principal author of the VAST threat modeling framework.

Our initial conversation both confirmed my instincts on startups, and got me excited about exploring potential pathways. But then he really got my mind going by suggesting security leaders to take advantage of the untapped power of threat modeling. Archie laid out a way to go beyond the typical considerations to use threat modeling to prioritize effort and measure success. It becomes a tool for security leaders to elevate their practice, and those around them.

Here are my five questions with Archie:

 

What is the biggest challenge people face when they start to think about threat modeling?

In my experience working with various fortune 1000 companies, the biggest challenge people face when they start to do threat modeling is their understanding of why they need to do it. Threat modeling has been a part of the SDLC toolset for years. But so often people limit the scope of their threat modeling to only considering single applications in isolation. That’s understandable. Traditional threat modeling is relatively time consuming and resource intensive. Working with limited budgets, security teams traditional threat modeling methodologies can only allocate resources for those applications considered critical or high risk.

The result of such a process, though, is that the CISO and security team are unable to develop an understanding of their comprehensive attack surface - which is, ultimately, why organizations should be doing threat modeling. Organizations can do threat modeling with a limited scope to proactively identify application threats. Doing so will positively impact the development team’s ability to produce secure applications under tight deadlines. However, a limited-scope threat modeling process provides nothing to the CISO regarding the organization’s overall threat posture or the degree of effectiveness which security initiatives provide toward reducing the comprehensive attack surface. Without such information, the CISO’s ability to prioritize activities or objectively justify new budget requests is severely limited.

You suggest that threat modeling has a compelling ultimate goal beyond typical use. What is it?

The threat landscape continues to evolve. This has prompted many organizations to consider threat modeling as a “must-have,” particularly for their critical and high-risk applications. When threat modeling is included as part of the application design process, potential security threats can be identified up front and addressed during the initial coding phase. This provides tremendous cost savings over waiting to identify the same issues during the testing and scanning phase, and then asking the developers to provide the necessary remediations. But, again, this is just the tip of the iceberg for what a mature threat modeling process can provide.

A mature enterprise threat modeling process provides a full understanding of the organization’s comprehensive attack surface relative to its unique attacker population. Security executive can thereby address organizational priorities with specific initiatives which yield measurable results against quantified expectations. By analyzing the comprehensive attack surface, the CISO can stay on top of new and emerging threats proactively which ultimately provides the data to prioritize mitigation strategy and, ultimately, minimize the organization’s exposure from those threats. Furthermore, today’s organizational IT systems are highly interconnected through the Internet. Threat modeling, done properly, provides security teams with the downstream impact of threats to shared components and application interactions. As the threat models are updated with every change to the system, security teams can automatically see how many new threats are added to the comprehensive attack surface and make sure to properly mitigate them (at least the critical and high ones) before new applications or updates go into production.

How can someone use threat modeling to prioritize actions and controls based on an enterprise perspective?

Threat modeling is all about providing actionable outputs to the relevant stakeholders. When a single application is threat modeled, the actionable output is primarily for the development team so they can write secure code. Similarly, when the operational system is threat modeled, the ops team receives the appropriate security requirements before their project is implemented. However, if the various threat models are connected to one another in the same way in which the applications and components interact as part of the IT system, the result is a comprehensive attack surface which the CISO can use to understand the entire threat portfolio across the enterprise.

Analyzing the attack surface provides the security executives with the necessary data-driven approach to prioritize the mitigation strategy. The analysis will include the top ten threats of the organization’s full IT environment. These top threats will constitute a specific percentage of the entire threat profile. The CISO can then develop and prioritize three to five key initiatives to address and mitigate these threats. The result is a more quantifiable means of implementing security controls with success that can be measured over time. This gives a degree of knowledge and confidence to all the stakeholders about the state of their cybersecurity, and can be objectively presented to the CFO or board members.

How does threat modeling allow someone to measure and prove the success of their efforts?

At the application level, the benefit of threat modeling can be seen by comparing the cost and effort required to create a functional and secure product with and without the threat modeling process. With threat modeling the developers have the mitigating controls and security requirements before they start coding, allowing them to write secure initial code. Several years ago the NIST reported on the cost difference between secure initial coding and remedial coding. Not surprisingly, remediation costs increase dramatically the later in the development process a security vulnerability is discovered. Multiply the cost difference between threat modeling and remedial coding by the number of annual development initiatives and the success of threat modeling is easy to demonstrate.

When the CISO has the insight into the attack surface and the top threats identified across the entire IT environment, they can start to look at what controls will actually help in reducing the overall risk and provide the biggest bang for the buck. For example, suppose control A reduces the risk by 3% whereas control B reduces the risk by only 0.5%. It is obvious which control he or she should purchase and implement. Mature threat modeling also solves another challenge faced by CISOs: understanding which existing controls can be better implemented to mitigate more high-priority threats. However, this level of understanding can only be achieved by analyzing the comprehensive attack surface. To summarize, attack surface analysis provides CISOs a clear, consistent and actionable enterprise view - one which they can use as a baseline to measure the results of their decisions and clearly communicate those decisions to the various stakeholders.

How do you recommend a security leader get started with threat modeling?

In our discussions over the past four years with many organizations interested in threat modeling, the most common answer we hear when we ask why they want to do threat modeling is,  “We want to be proactive.” Yet when we press further we realized there is a general lack of understanding among security leaders why they should do threat modeling, what can they gain out of it, and how to go about doing it. We have also seen organization start threat modeling, but after building few threat models they either shelved the initiative or severely limited the scope because they couldn’t measure the ROI. The reason is they were building threat models for individual applications in isolation. The output generated was, of course, of limited value on an organizational level.

When an organization wants to roll-out a threat modeling process, it is very important to start by clearly articulating what they want to accomplish defining a clear path to that end with measurable goals. By clearly stating the goals and objectives of their threat modeling process, they can achieve a measureable ROI. Deciding on whether to do threat modeling on isolated applications, systems, or for an enterprise is a matter of cost-benefit analysis. Failing to establish clear goals and objectives, though, will result in failure and lost of precious time, money, and resources. If properly implemented, threat modeling can become the most important tool in a CISO’s arsenal for cyber security.

SUBSCRIBE! Get the best of CSO delivered to your email inbox.