Even though threat modeling plays a vital role in addressing cyberattacks, many companies were slow to adopt the cybersecurity tool. Threat modeling was done manually, an extremely time-consuming task, and in a fast-paced threat landscape, manual processes struggle to keep up.
Threat modeling is evolving because threat vectors are evolving. The flow of information is more unpredictable than it was just a few years ago, so the threat modeling that was once used doesn't work today.
Threat modeling won't be done just at the design phase and it is not going to be a siloed feature. It is time to rethink the approaches, according to speakers at the 2021 (ISC)² Security Congress.
"When we start talking about threat modeling and its future, we start to identify some potential issues," said Simone Curzi, principal consultant, cyber, with Microsoft, speaking during the session.
Many of the tools available today are open source and should:
- Be able to gather threat intelligence from threat libraries
- Have dashboards that show data from threat intelligence and offer mitigation options
- Scale to business needs
- Integrate with business infrastructure
- Offer robust reporting
Many organizations use the tools the wrong way or depend on tools so much that security teams take a lazy approach to monitoring threat modeling. Others are concerned only with their most valuable applications, deciding that manual threat modeling is so time-consuming that there is no viable reason to expand threat modeling to other applications. Or some organizations attempt threat modeling across the entire company, which, Curzi pointed out, is a mistake.
"While coverage is important, quality is also a key factor for the success of the practice: Too many organizations are applying threat modeling as a compliance activity, done to pass a gate, instead of relying on it to design secure solutions," Curzi said, in a post-conference interview.
As a consequence, decision makers are starting to question the merits of threat modeling, because if it is not done properly it delivers little value for the cost.
What can threat modeling tell a business
The market surrounding overall threat intelligence is growing in response to the evolving threat landscape and larger attack surface and is expected to reach $20 billion annually by 2027. Cloud computing, social media, smartphones, and IoT are not only generating a lot more data but also offering new vectors for threat actors to exploit.
When done well, threat intelligence improves on the threat model so that it better finds security issues that cannot be identified by any other means, and puts them in the context of the attacks that may happen. "Threat modeling is the only security methodology which is focused on the analysis of the design of solutions," said Curzi.
"The analysis is usually based on the business context; this allows focus on what matters the most, and to identify mitigations and strategies to provide the most efficient and effective protection," said Curzi.
When included in the software development phase and tied in with developers and their issue tracking systems, threat modeling can be enormously fruitful in terms of understanding how well we are progressing towards a more secure state before going to production, according to Archie Agarwal, founder and CEO of ThreatModeler.
"As threats are understood and controls mandated to thwart those threats, these controls can be pushed to developers in the form of tickets to weave into their normal development routines and those tickets then tracked to analyze what has and has not been implemented," Agarwal said in an email interview.
What quality threat modeling looks like
The evolution of threat modeling is moving from a manual approach to automated tools, but organizations must remember that threat modeling is a journey, not something to switch on overnight, said Jack Freund, VP, head of cyber risk methodology at BitSight, speaking at the conference.
There are four levels of development to provide guidance as organizations begin to build their threat modeling:
- Level one is limited to whiteboard practices — basically just writing things down — and has no integration at all.
- Level two is the foundational level, focused on the technological things that can be controlled; threat modeling is managed to the technology and is not integrated with the business side.
- Level three begins to bring in the business side of things, with a greater emphasis on business prioritization and a partial integration with tools and processes.
- Level four is full integration with processes and tools and achieving continuous improvement in every facet of the threat modeling practice.
The move from level one to level four takes the organization from a siloed situation to something more holistic with full integration and greater business buy-in.
Responsibility for threat modeling
Companies are responsible for providing secure solutions. Threat modeling is an increasingly important part of the security solution and is starting to be recognized as one of the most effective approaches.
"More and more we are seeing governmental regulations mandating threat modeling," said Agarwal.
Because of the regulatory requirements, organizations without internal expertise are outsourcing their threat modeling to managed service providers. However, with the advent of automated threat modeling tools, more companies are keeping the threat modeling process in-house to avoid third-party security risks.
As a result, expect threat modeling to become an essential approach everyone will be required to adopt in the near future.