Threat Modeling Increasingly Important

Posted by Robert Ackerman

At some point, those who examine the steady spread of cyber breaches and compare them to the growth of cybersecurity spending among companies and other private sector organizations must scratch their heads and wonder why both keep rising.


Shouldn’t one or the other eventually slow? As companies keep spending more for cybersecurity, shouldn’t they get more bang for their buck?


The answer is that simply throwing money at the problem for new and presumably better cyber tools doesn’t address the bigger issue of why hackers keep winning. What is sorely needed is more threat modeling, a sophisticated, proactive strategy that combines the big picture with innumerable details across the attack surface to evaluate cybersecurity threats. This involves identifying potential threats and developing tests and procedures to detect and respond to these threats. 


A typical threat model includes threat intelligence, asset identification, mitigation capabilities, risk assessment and threat mapping. And aside from protecting networks and applications, threat modeling can also aid in securing ubiquitous IoT devices, as well as various processes the business depends upon. In addition, because threat modeling can be conducted at any point of the software development process, it can even help identify overlooked security loopholes in the codebase. These could be remediated with better security coding practices.


This may almost sound like a no-brainer to some. But the reality is that security often gets scant attention in some sectors. 


After all, we live in a world in which some employees use the word “password” as their computer password and leave their mobile devices unattended, and more than 80 percent of U.S. companies have been successfully hacked. In addition, roughly two-thirds of global companies hit by cybercrime in the past year have been hit more than once, according to Cymulate, an Israel-based cybersecurity company that specializes in attack surface protection.


Here is a typical example of how threat modeling can be helpful. Say that a company installs a web application firewall behind some critical applications. If things are done right, it’s added protection. For the firewall to work properly, however, it needs to be configured, and an employee needs to maintain it. These requirements seem obvious but are often overlooked. Also often forgotten, it turns out, are still-active resources from old cloud infrastructure. In both cases, hackers may gain entry to the company.


According to Enterprise Strategy Group, 69 percent of organizations have experienced some type of cyberattack that started with the exploit of an unknown, unmanaged or poorly managed digital asset. To beat hackers, a company needs the visibility to know what it should be protecting, and threat modeling fits this bill.


Today is a particularly inopportune time for companies not to optimize digital protection. According to the Identity Theft Resource Center, an organization that tracks organizational breaches in the U.S., there were 1,393 data compromises in the first half of 2023, higher than total annual compromises reported every year between 2005 and 2020, except for 2017. This puts 2023 on pace to set a record for publicly reported breaches in a year, passing the record high 1,862 compromises in 2021.


This is happening while the U.S. and the rest of the world continue to spend more. According to a worldwide security spending forecast by International Data Corp., spending will soar to $219 billion in 2023, compared to less than $200 billion in 2022 and $150 billion in 2021. This is due, in part, to the explosion of the global hybrid workforce, which often needs new gear, as well as more spending to fight increasingly creative and destructive attacks.


Threat modeling is systematic and structured, but still in some ways is an art as well as a science.


It’s drawn from earlier security practices, especially so-called “attack trees” – conceptual diagrams developed in the 1990s that showed the variety of ways in which something could go wrong, and why. Some Microsoft employees circulated a document – "The Threats to Our Products" – widely deemed to be the first definitive description of threat modeling. The STRIDE threat model, first developed at Microsoft in the ’90s, is still in use today. Other more recent models include PASTA and TRIKE, an open-source threat modeling methodology.


Besides asset identification, the threat modeling process typically involves listing the potential threats to the system, their severities and how they can be addressed. In addition, data flow diagrams provide high-level, asset-centric views of systems and data flow attacks. Many threat modeling tools also produce threat scores and data for calculating risk and identifying required fixes.


Threat modeling best practices have also moved to the forefront, regardless of which methodology a company chooses.


One is that as much as possible, threat modeling should be made a priority during system development. If this can be incorporated at the start of a project, there are fewer problems later because a secure viewpoint is already baked into an application or system. Another best practice is not to view applications and systems in isolation from one another. Everything should be viewed as a piece of a comprehensive attack surface because an organization is only secure if every asset is constantly protected. Changes in applications and systems can easily affect other applications and systems.


Lastly, users of threat modeling must always remember that a threat model is a “living” document that requires constant updating. Cybersecurity never stands still. 
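As an added illustration (not part of the original post), the steps described above can be kept as data and checked automatically: assets, STRIDE-categorized threats with severities and mitigations, a threat score, and the gaps the article warns about (an unmodeled cloud resource, a firewall nobody maintains, a model that is not kept current). The 1-5 likelihood and impact scales, the likelihood × impact score, the 180-day review window and all asset names are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import date

STRIDE = {"Spoofing", "Tampering", "Repudiation", "Information disclosure",
          "Denial of service", "Elevation of privilege"}

@dataclass
class Threat:
    asset: str
    category: str         # one of the STRIDE categories
    likelihood: int       # 1-5, assumed scale
    impact: int           # 1-5, assumed scale
    mitigation: str = ""  # how the threat is addressed
    owner: str = ""       # who configures and maintains the mitigation

    @property
    def score(self) -> int:
        return self.likelihood * self.impact  # assumed scoring rule

def review(assets, threats, last_reviewed, today, max_age_days=180):
    """Rank threats by score and list the gaps in the model."""
    for t in threats:
        if t.category not in STRIDE:
            raise ValueError(f"not a STRIDE category: {t.category}")
    findings = []
    modeled = {t.asset for t in threats}
    for a in sorted(set(assets) - modeled):   # known asset, never analyzed
        findings.append(f"unmodeled asset: {a}")
    for t in threats:
        if not t.mitigation:
            findings.append(f"unmitigated threat: {t.category} ({t.asset})")
        elif not t.owner:                     # control exists, nobody maintains it
            findings.append(f"unowned mitigation: {t.mitigation} ({t.asset})")
    age = (today - last_reviewed).days
    if age > max_age_days:                    # the model is a living document
        findings.append(f"stale model: last reviewed {age} days ago")
    return sorted(threats, key=lambda t: t.score, reverse=True), findings

def demo():
    # Constructed sample inventory and threats, not real data.
    assets = ["customer-portal", "legacy-cloud-storage"]
    threats = [
        Threat("customer-portal", "Information disclosure", 3, 4,
               "TLS and access control", "app-team"),
        Threat("customer-portal", "Tampering", 4, 5, "web application firewall"),
    ]
    return review(assets, threats, date(2023, 1, 10), date(2023, 9, 1))

if __name__ == "__main__":
    ranked, findings = demo()
    for t in ranked:
        print(t.score, t.category, t.asset)
    print(*findings, sep="\n")
```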

Robert Ackerman

Founder/Managing Director, AllegisCyber, AllegisCyber Capital


Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
