Article highlights:
- Traditional risk models are inadequate for complex threats.
- Threat modeling articulates threats and models control effectiveness.
- Limitations of traditional models: oversimplification, difficulty demonstrating impact, treating cyber as a risk.
- Modern platforms offer structured repositories and standardised models.
- Threat modeling optimizes investments, is responsive to changing threats, allows better analysis, qualifies control effectiveness and simplifies compliance reporting.

Many organisations are finding that traditional approaches to risk modeling are no longer fit for purpose in today's increasingly complex and constantly evolving threat landscape. This often results in investment decisions and operational priorities being focused on 'gut-feel' or 'policies and compliance', rather than addressing the real threats and risks. What we need is a more agile and responsive way of prioritizing cyber security investments that is oriented towards current threats and tactics. One such approach that is gaining momentum is Threat Modelling - an intelligence-led approach that helps organizations articulate threats in a structured way and model control effectiveness. In this article, we will explore the evolution of threat modeling, its current applications and its promising future.
Traditional risk modeling approaches, most notably the 5x5 risk matrix we have all come to know and love, are overly simplistic. I remember once getting into an argument with one of the mainframe admins at an organisation I worked at. He wanted to host internet websites on an Integrated for Linux (IFL) partition on the production mainframe, the same mainframe that hosted the organisation's core ERP system. We argued in and out for days about the likelihood and impact of an attack against the IFL partition and the potential to impact the core platform. In the end, I realised that the whole conversation was futile - as everything turned out to be a medium-5 risk. At the end of the day, the likelihood of my turning a light switch off bringing down the mainframe was very unlikely. However, if it did happen, the impact would be catastrophic. Therefore the light switch posed a medium-5 risk to the organisation. Of course this is a stupid argument, but it highlighted to me the limitations with applying such a simplistic risk assessment framework to such a complex problem.
Another client I was talking with recently was lamenting about their frustration asking their investment subcommittee for funding for their security program. The board's Risk Management Committee (RMC) had a single cybersecurity risk that rolled up literally thousands of individual 5x5 cybersecurity risks, covering everything from individual missing patches on critical systems to the potential for ransomware attacks to halt operations. The problem was that this person was unable to demonstrate how the multi-million dollar security program was going to make a material impact to the enterprise cybersecurity risk posture - even though common-sense would suggest that the scope of the program was absolutely going to have a material impact on reducing the likelihood and impact of a major cyber attack.
Finally, a CEO of a large manufacturing company I helped recover from a major ransomware attack participated in a round-table with other CEOs to share his experience. One of the more obvious questions asked was "What would you do differently knowing what you know now?". His response astounded me. He said "Like most organisations, we were tracking cybersecurity as a risk at the board level. We had an investment program and were improving our controls according to best practices. But what I've come to understand from my experience with this attack is that cyber is not a risk - it's a threat. You need to treat cyber the same way you do your competitors. They are constantly evolving and looking for new ways to impact your business". This is such a great insight and another illustration of why traditional approaches to modelling and managing cyber risks are no longer fit for purpose.
Threat modeling has its roots in the field of software development, where it was initially used to identify vulnerabilities and design secure applications. You may recall STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of Service, Elevation of privilege) and DREAD (Damage potential, Reproducibility, Exploitability, Affected users, Discoverability), which were popular for a time. But most applications of early threat modelling relied on Excel tables or Word documents. As such, they were point in time and did not scale well. They were also limited in their applicability beyond software development. Other threat modelling approaches evolved to try and address some of these limitations, including attack trees and misuse-cases/stories, but they all invariably still suffered from similar limitations in terms of extensibility/re-use, scalability and practicality.
One of the big changes we've seen in the last few years has been the development of threat modelling platforms that bring together many different elements of threat modelling, providing a structured data repository and language for expressing an enterprise threat model, along with workflows, reporting and analysis tooling, to allow for a much richer and more flexible approach. These new tools allow complex threat models to be developed over time, that capture the detailed intricacies of enterprise technology systems and security architectures, combined with intelligence-derived threat models aligned to standards, such as the MITRE ATT&CK framework.
With the development of more structured and consistent ways of representing and categorising threats, combined with technology that allows threat modelling to be extensible and scale, leading organisations are once again taking a serious look at threat modelling as a solution to re-align their strategies with a risk-based and intelligence-led approach.
By adopting a modern approach to threat modeling, organisations can:
- Optimize investment: By understanding how effective the control posture is relative to current threat activity, organisations can allocate security resources more efficiently, ensuring that investments are focused on specific controls that will provide the greatest benefit. No more arguing with the investment subcommittee about how the multi-million dollar security investment won't materially move the overall cyber risk from 'High' to 'Low'.
- Be more responsive to emerging threats: Continuously update and adapt control posture based on current threat activity. Being able to demonstrate how specific threat activity impacts the control posture is a powerful way to capture the organisational will necessary to re-prioritise investments and resources.
- Conduct 'what if' analysis: Simulate different attack scenarios to predict how well security controls will stand up to potential shifts in the threat landscape. This approach can also be used to qualify the impact on overall risk posture from different control strategies. For example, what happens if a particular control is decommissioned or if technology is changed?
- Simplify compliance and governance reporting: The structured nature of threat modelling allows for easier and more responsive assessments and reporting of control effectiveness, enabling organizations to streamline compliance and governance reporting processes.
Threat modelling is already delivering improvements in many leading organisations today. There are some now who are looking to further enhance the capability by introducing new capabilities including automated security control effectiveness measurement. Leveraging Continuous Delivery technology, it is possible to automate control effectiveness testing and feed the results of this testing back into the threat model - providing quantitative and current data to demonstrate control effectiveness. This approach will be a game changer, providing the missing link that connects threats to controls and controls to control effectiveness - which is what boards and regulators care about most.
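The benefits listed above (ranking controls by investment value, 'what if' decommissioning, and feeding automated test results back into the model) can be sketched in a few lines. This is an added example, not code from any threat modelling platform: the technique IDs are real MITRE ATT&CK identifiers, while the activity weights, control names and effectiveness values are constructed, and it assumes controls fail independently.

```python
from math import prod

# Constructed sample: ATT&CK technique -> share of observed threat activity
THREAT_ACTIVITY = {
    "T1566": 0.40,  # Phishing
    "T1078": 0.25,  # Valid Accounts
    "T1021": 0.15,  # Remote Services
    "T1486": 0.20,  # Data Encrypted for Impact
}

# Constructed controls: name -> {technique: effectiveness in [0, 1]}
CONTROLS = {
    "email_filtering": {"T1566": 0.70},
    "mfa": {"T1078": 0.80, "T1021": 0.50},
    "edr": {"T1566": 0.30, "T1486": 0.60},
    "offline_backups": {"T1486": 0.50},
}

def residual_exposure(controls, activity=THREAT_ACTIVITY):
    """Per-technique exposure left after every mapped control is applied.
    Assumption: controls fail independently, so their miss rates multiply."""
    return {
        tech: weight * prod(1 - c.get(tech, 0.0) for c in controls.values())
        for tech, weight in activity.items()
    }

def posture(controls):
    """Fraction of weighted threat activity that no control stops (lower is better)."""
    return round(sum(residual_exposure(controls).values()), 4)

def what_if_decommission(controls, name):
    """Posture if one control were removed, leaving the model itself untouched."""
    return posture({k: v for k, v in controls.items() if k != name})

def rank_controls(controls):
    """Controls ordered by how much exposure rises if each one is removed."""
    base = posture(controls)
    deltas = {n: round(what_if_decommission(controls, n) - base, 4) for n in controls}
    return sorted(deltas.items(), key=lambda kv: kv[1], reverse=True)

def apply_test_results(controls, results):
    """Replace estimated effectiveness with measured block rates.
    results: {(control, technique): (blocked, attempted)} from automated tests."""
    updated = {k: dict(v) for k, v in controls.items()}
    for (ctl, tech), (blocked, attempted) in results.items():
        updated[ctl][tech] = blocked / attempted
    return updated
```

With this sample data, removing `mfa` more than doubles the unmitigated share, which is the kind of per-control figure a single rolled-up 5x5 rating cannot express.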
By moving beyond traditional risk modeling approaches, organizations can implement more agile and responsive security strategies. The evolution of threat modeling through automation, standardised and structured models and extensibility, is enabling organizations to proactively identify and mitigate new and emerging threats, optimize security investments and simplify compliance and governance reporting. As the field continues to advance, with capabilities such as real-time security control testing, threat modeling holds great promise to help organisations thrive in the face of ever-evolving cyber threats.
Algebra is committed to helping you simplify your cybersecurity. To this end, we have assets and accelerators, backed by experienced and passionate people, to help you discover how you could leverage Threat Modelling to simplify your cybersecurity.
Contact us if you would like to know more.