Can threat modeling keep security a step ahead of the risks?

With significant breaches becoming a near daily occurrence, it’s clear that attackers are managing to stay one step ahead of many organizations. It’s clear that security professionals and CIOs aren’t focusing closely enough on the threats and the data that matter.

[4 key elements for proactive application security]

Consider the findings of our most recent annual Global Information Security Survey, conducted by PricewaterhouseCoopers and CSO. According to the more than 9,600 execs surveyed saying that their organizations have increased IT security spending: the number of attacks they’re enduring and the costs of those attacks are rising.

So it’s not so surprising to learn that only 17% of those respondents bother to classify their business use of data, roughly 20% have procedures dedicated to protecting intellectual property, and a surprisingly low 26% inventory assets or conduct asset management.

If enterprises are to improve, they need to more precisely understand the actual threats poised against their organization and the vulnerabilities in their IT enterprise. The fix? Threat modeling.

It’s not a new concept, we innately conduct risk assessments and threat models for ourselves. “We all conduct risk assessments and threat models in our daily lives, whether we think about it or not. We think about who might want to break into our car and the neighborhood we’re in. So we do it all the time that way,” says Wendy Nather, research director, enterprise security practice at 451 Research.

We’re not always good at this, fearing shark attacks more than accidents around the house, for instance. People tend to get more jittery when boarding an airplane than when getting behind the wheel of their car. Emotions take over, and they often to for enterprises as well.

To improve their decision-making, organizations need to quantify their risks the best that they can.

Move away from emotion-based decision making

“From an organizational perspective, it’s important because a business needs to understand who and what the threats are, just as you want to know who your competitors are and who might pose a threat to you in that way,” says Eric Cowperthwaite, vice president, advanced security and strategy at Core Security Inc., and former CISO at Renton, WA-based Providence Health and Services. “Otherwise the CEO is just awash in all of the fantasy in news all of the time,” he says.

[ERM: Old concept, new ideas]

Threat modeling is not a new concept to some vertical markets, such as banks, financial services, and those in the critical infrastructure or delivery of critical services. “Banks have done threat modeling for fraud forever,” says Nather. “I think that as time goes on though, that industry has learned that they have threat model for more than just fraud,” she says.

Makes sense, business conditions, threats, and vulnerabilities are always changing. Perhaps now more than ever, and that’s why periodic threat models are necessary. For instance, when it comes to banks and financial services, Nather explains, as more of their customer transactions moved online, the banks have had to take into account their customers’ credentials and how they could be compromised, or even how their customers may, themselves, try to commit fraud.

When Cowperthwaite was the CISO at Providence Health and Services, he says they would regularly threat model to gain a better understanding of the risks the organization faced, calm the common emotional reactions to fast-breaking security news, and better focus their security spend. “The value of threat modeling to both the CISO and the organization is primarily the ability to more effectively and efficiently manage risks,” he says.

“Most security programs today at least try to be risk based, and simply put, a risk is a threat that is external, internal, or environmental, plus the vulnerability. Threat modeling is important to determine those threats that could target you, and how well prepared you are against those specific threats. Otherwise you end up trying to protect yourself against everything,” he says.

[Study finds big gap about app security between execs and IT staffers]

Cowperthwaite recalls when the news surrounding state-sponsored attackers first surfaced, primarily targeting technology firms at that time. “Everyone was running around thinking the sky was falling because they were reacting emotionally,” he explains. “They weren’t considering the likelihood that these specific attackers would target their organization. What they weren’t looking at was a proper threat model about who the attackers were actually targeting, what they wanted, and their capabilities,” he says.

“In my threat model, I didn’t determine those attackers to be a risk to us because of the model of their threat and behavior. We were a not-for-profit, and it didn’t appear that we had anything that would be of value to them and we concluded they were not a significant risk to us,” Cowperthwaite says.

So what and who are necessary to threat model? It ranges from business leaders to development and operations teams, to security teams to rank the business criticality of data, applications, and infrastructure. The latter can also identify vulnerabilities within those applications and systems and the threat actors that would want to target them and why.

When listing threat actors, it’s important not to get caught up in thinking that every threat is a potentially significant risk to your organization. “It’s not about defending against all possible threats,” says Nather, “but those that are most probable.”

How would those actors most likely target your organization? Whether cybergangs looking for financial information, hacktivists seeking to deface your web site, or nation states seeking trade secrets, how would they most likely try to achieve their aims? Based on your vulnerability and risk assessment, how likely would they be to succeed? Close the biggest, most important, most probable attack/vulnerability gaps first.

The result from the exercise should be increased security, while reducing costs because the threats that are unlikely or don’t target your organization won’t be focused on — only those threats that pose a significant enough risk to the organization. It also eliminates a lot of the emotional guesswork, Cowperthwaite says.

Stefan Frei, research VP at independent security research firm NSS Labs, says that it’s also crucial to carefully vet the real-world abilities of the technical controls one depends. Oftentimes, their defenses aren’t running to the effectiveness that is assumed, they’re not maintained properly, or, as Frei explains, it’s not too uncommon for multiple instances of anti-malware, intrusion-prevention systems, and other defenses from different vendors to miss the same version of advanced malware. “That’s just another reason why it’s so important to threat model often,” Frei says.

George V. Hulme writes about security and technology from his home in Minneapolis. You can also find him tweeting about those topics on Twitter @georgevhulme.