Can threat modelling help you optimise your cybersecurity?

By Mark Sayer, 31st August 2023


Article highlights:

  • Traditional risk models are inadequate for complex threats.
  • Threat modeling articulates threats and models control effectiveness.
  • Limitations of traditional models: oversimplification, difficulty demonstrating impact, treating cyber as a risk.
  • Modern platforms offer structured repositories and standardised models.
  • Threat modeling optimizes investments, is responsive to changing threats, allows better analysis, qualifies control effectiveness and simplifies compliance reporting.

    Many organisations are finding that traditional approaches to risk modeling are no longer fit for purpose in today's increasingly complex and constantly evolving threat landscape. This often results in investment decisions and operational priorities being driven by 'gut feel' or 'policies and compliance', rather than by the real threats and risks. What we need is a more agile and responsive way of prioritising cyber security investments that is oriented towards current threats and tactics. One such approach that is gaining momentum is Threat Modelling - an intelligence-led approach that helps organisations articulate threats in a structured way and model control effectiveness. In this article, we will explore the evolution of threat modelling, its current applications and its promising future.

    Traditional risk modelling approaches, most notably the 5x5 risk matrix we have all come to know and love, are overly simplistic. I remember once getting into an argument with one of the mainframe admins at an organisation I worked at. He wanted to host internet websites on an Integrated Facility for Linux (IFL) partition on the production mainframe, the same mainframe that hosted the organisation's core ERP system. We argued back and forth for days about the likelihood and impact of an attack against the IFL partition and the potential for it to impact the core platform. In the end, I realised that the whole conversation was futile, as everything turned out to be a medium-5 risk. At the end of the day, the likelihood of my turning a light switch off bringing down the mainframe was very low. However, if it did happen, the impact would be catastrophic. Therefore the light switch posed a medium-5 risk to the organisation. Of course this is a stupid argument, but it highlighted to me the limitations of applying such a simplistic risk assessment framework to such a complex problem.

    Another client I was talking with recently was lamenting their frustration at asking their investment subcommittee for funding for their security program. The board's Risk Management Committee (RMC) had a single cybersecurity risk that rolled up literally thousands of individual 5x5 cybersecurity risks, covering everything from individual missing patches on critical systems to the potential for ransomware attacks to halt operations. The problem was that this person was unable to demonstrate how the multi-million dollar security program was going to make a material impact on the enterprise cybersecurity risk posture - even though common sense would suggest that the scope of the program was absolutely going to have a material impact on reducing the likelihood and impact of a major cyber attack.

    Finally, a CEO of a large manufacturing company I helped recover from a major ransomware attack participated in a round-table with other CEOs to share his experience. One of the more obvious questions asked was "What would you do differently knowing what you know now?". His response astounded me. He said "Like most organisations, we were tracking cybersecurity as a risk at the board level. We had an investment program and were improving our controls according to best practices. But what I've come to understand from my experience with this attack is that cyber is not a risk - it's a threat. You need to treat cyber the same way you do your competitors. They are constantly evolving and looking for new ways to impact your business". This is such a great insight and another illustration of why traditional approaches to modelling and managing cyber risks are no longer fit for purpose.

    Threat modelling has its roots in the field of software development, where it was initially used to identify vulnerabilities and design secure applications. You may recall STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) and DREAD (Damage potential, Reproducibility, Exploitability, Affected users, Discoverability), which were popular for a time. But most applications of early threat modelling relied on Excel tables or Word documents. As such, they were point-in-time and did not scale well. They were also limited in their applicability beyond software development. Other threat modelling approaches evolved to try to address some of these limitations, including attack trees and misuse cases/stories, but they all invariably still suffered from similar limitations in terms of extensibility/re-use, scalability and practicality.

    One of the big changes we've seen in the last few years has been the development of threat modelling platforms that bring together many different elements of threat modelling, providing a structured data repository and language for expressing an enterprise threat model, along with workflows, reporting and analysis tooling, to allow for a much richer and more flexible approach. These new tools allow complex threat models to be developed over time that capture the detailed intricacies of enterprise technology systems and security architectures, combined with intelligence-derived threat models aligned to standards such as the MITRE ATT&CK framework.

    With the development of more structured and consistent ways of representing and categorising threats, combined with technology that allows threat modelling to be extensible and to scale, leading organisations are once again taking a serious look at threat modelling as a way to re-align their strategies with a risk-based and intelligence-led approach.

    By adopting a modern approach to threat modeling, organisations can:

    1. Optimize investment: By understanding how effective the control posture is relative to current threat activity, organisations can allocate security resources more efficiently, ensuring that investments are focused on specific controls that will provide the greatest benefit. No more arguing with the investment subcommittee about how the multi-million dollar security investment won't materially move the overall cyber risk from 'High' to 'Low'.

    2. Be more responsive to emerging threats: Continuously update and adapt control posture based on current threat activity. Being able to demonstrate how specific threat activity impacts the control posture is a powerful way to capture the organisational will necessary to re-prioritise investments and resources.

    3. Conduct 'what if' analysis: Simulate different attack scenarios to predict how well security controls will stand up to potential shifts in the threat landscape. This approach can also be used to qualify the impact on overall risk posture of different control strategies. For example, what happens if a particular control is decommissioned or if technology is changed?

    4. Simplify compliance and governance reporting: The structured nature of threat modelling allows for easier and more responsive assessments and reporting of control effectiveness, enabling organisations to streamline compliance and governance reporting processes.

    Threat modelling is already delivering improvements in many leading organisations today. Some are now looking to further enhance the capability by introducing new capabilities, including automated security control effectiveness measurement. Leveraging Continuous Delivery technology, it is possible to automate control effectiveness testing and feed the results of this testing back into the threat model - providing quantitative and current data to demonstrate control effectiveness. This approach will be a game changer, providing the missing link that connects threats to controls and controls to control effectiveness - which is what boards and regulators care about most.
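    As an added illustration (not code from the article or from Algebra), here is a minimal threat-to-control model in Python of the kind the platforms above maintain: it links ATT&CK technique IDs to controls with a measured effectiveness, computes residual exposure per technique, runs a 'what if this control is decommissioned' scenario, and ranks candidate investments by the exposure they remove. The technique weights, control names and effectiveness figures are constructed sample data, and the independence assumption between controls is a simplification.

```python
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    techniques: set[str]   # ATT&CK technique IDs the control mitigates or detects
    effectiveness: float   # 0.0-1.0, ideally measured by automated control testing
    enabled: bool = True


@dataclass
class ThreatModel:
    threats: dict[str, float]   # technique ID -> weight from current threat intel
    controls: list[Control] = field(default_factory=list)

    def residual_exposure(self) -> dict[str, float]:
        """Per technique: threat weight times the chance that every applicable
        control fails (control failures are assumed independent)."""
        out = {}
        for tech, weight in self.threats.items():
            fail = 1.0
            for c in self.controls:
                if c.enabled and tech in c.techniques:
                    fail *= 1.0 - c.effectiveness
            out[tech] = round(weight * fail, 4)
        return out

    def total_exposure(self) -> float:
        return round(sum(self.residual_exposure().values()), 4)

    def what_if(self, disable="", add=None) -> float:
        """'What if' scenario on a copy of the model: disable a control and/or add one."""
        ctrls = [Control(c.name, c.techniques, c.effectiveness,
                         c.enabled and c.name != disable) for c in self.controls]
        if add:
            ctrls.append(add)
        return ThreatModel(self.threats, ctrls).total_exposure()

    def best_investment(self, candidates) -> tuple[str, float]:
        """Candidate control that removes the most exposure: (name, reduction)."""
        base = self.total_exposure()
        gains = {c.name: round(base - self.what_if(add=c), 4) for c in candidates}
        best = max(gains, key=gains.get)
        return best, gains[best]


def build_sample_model() -> ThreatModel:
    # Constructed sample data: phishing, data encrypted for impact, valid accounts.
    return ThreatModel({"T1566": 0.9, "T1486": 0.8, "T1078": 0.6},
                       [Control("Email filtering", {"T1566"}, 0.7), Control("Security awareness", {"T1566"}, 0.3),
                        Control("MFA", {"T1078"}, 0.9), Control("Offline backups", {"T1486"}, 0.8)])
```

    On the sample model, `what_if(disable="MFA")` shows total exposure more than doubling, and `best_investment` picks the candidate that cuts the most exposure rather than the one that 'looks' most important, which is the argument the investment subcommittee wants to see.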

    By moving beyond traditional risk modelling approaches, organisations can implement more agile and responsive security strategies. The evolution of threat modelling through automation, standardised and structured models and extensibility is enabling organisations to proactively identify and mitigate new and emerging threats, optimise security investments and simplify compliance and governance reporting. As the field continues to advance, with capabilities such as real-time security control testing, threat modelling holds great promise to help organisations thrive in the face of ever-evolving cyber threats.

    Algebra is committed to helping you simplify your cybersecurity. To this end, we have assets and accelerators, backed by experienced and passionate people, to help you discover how you could leverage Threat Modelling to simplify your cybersecurity. Contact us if you would like to know more.



    Why do so many Data Loss Prevention programs fail to deliver?

    By Mark Sayer, 12th July 2023


    The recent data breaches at Optus, Medibank and Latitude have impacted millions of Australian residents and sent shockwaves through corporate Australia. While cybersecurity risk has featured in most board discussions in recent times, the scale and impact of the recent data breaches have elevated data security risk, in particular, to the major business risk of our time.

    However, the data security landscape is complex, with many factors contributing to the increasing ease with which criminals can access data and the impact this has on their victims:

    1. Increasing Cyber Threats: Cybercriminals continue to evolve and employ sophisticated techniques to gain unauthorized access to sensitive data. The frequency and complexity of cyber attacks, such as ransomware, data breaches, and phishing, have escalated significantly. As a result, organizations face constant threats to their data integrity, confidentiality, and availability. Maintaining robust data security measures is essential to mitigate these risks and protect valuable information.

    2. Proliferation of Data: The volume of data being generated and processed by organizations has grown exponentially. From personal information to intellectual property, financial data to trade secrets, organizations store a vast array of sensitive data. The sheer volume and diversity of data make it an attractive target for cybercriminals. Data security ensures that this information remains confidential, reducing the potential for financial loss, reputational damage, or legal ramifications.

    3. Regulatory Compliance: Governments and regulatory bodies worldwide have introduced stringent data protection regulations, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Non-compliance with these regulations can result in severe penalties, legal consequences, and damage to an organization's reputation. Implementing robust data security measures is necessary to meet regulatory requirements and maintain trust with customers, partners, and stakeholders.

    4. Expanding Attack Surface: The rapid adoption of cloud computing and the rise of remote work have transformed the traditional IT landscape. While these advancements offer numerous benefits, they also introduce new challenges to data security. Organizations must secure data across multiple cloud environments, ensure secure access for remote employees, and protect data as it traverses networks outside the traditional corporate perimeter. Strengthening data security measures is crucial to safeguard sensitive information in this distributed and interconnected environment.

    Data Loss Prevention (DLP) is a key control in the arsenal of most organizations seeking to protect their sensitive information from unauthorized access, accidental disclosure or loss. However, many DLP initiatives end up failing to achieve their intended benefits. While every DLP project is unique, there are several recurring themes that contribute to many project failures. Avoiding the same pitfalls is key to setting the foundation for a successful DLP implementation. Here are some of the common themes I have observed across DLP projects that have failed to deliver their intended benefit:

    1. Complexity and Over-Engineering: Complex DLP implementations that are overly customized or difficult to manage can hinder success. Over-engineering the solution with unnecessary features or overly restrictive policies may cause high numbers of false positives, resulting in user frustration and operational fatigue.

    2. Insufficient Change Management: Transitioning to a new DLP solution requires effective change management practices. Failure to communicate the purpose, benefits, and impact of the DLP project to stakeholders can lead to resistance, lack of buy-in, and ultimately project failure.

    3. Inadequate Integration: DLP solutions should integrate seamlessly with existing security infrastructure, such as SIEM (Security Information and Event Management) systems, email gateways, and endpoint protection tools. A DLP tool that cannot feed its alerts into the existing monitoring and response workflow quickly becomes an isolated console that nobody watches.

    4. Lack of Continuous Monitoring and Optimization: DLP is an ongoing process, requiring continuous monitoring, evaluation, and optimization. Organizations must regularly assess and update policies, refine classification schemes, and stay updated with emerging threats and compliance requirements.

    5. Unrealistic Expectations: Setting unrealistic expectations regarding the capabilities and limitations of a DLP solution can lead to disappointment and project failure.

    By addressing these common pitfalls and taking a proactive and holistic approach to DLP projects, organizations can increase their chances of success and enhance their data protection capabilities effectively.

    Algebra is committed to helping you simplify your cybersecurity. To this end, we have assets and accelerators, backed by experienced and passionate people, to help you simplify and accelerate your Data Loss Prevention journey. Contact us today to find out more - we are here to help!
