Threat modeling’s goldilocks problem


Threat modeling is a proactive approach to identifying threats and design flaws in a system, network or organization. Without exception, all major companies building software need to threat model in some form or other. As the cyber threat landscape continues to evolve, it is essential that organizations use threat modeling practices to protect their assets and customers - before software is in the hands of the end user.

About the author

Fraser Scott is VP of Product at IriusRisk.

The value of threat modeling is enormous, whether it is creating efficiencies by prioritizing cybersecurity efforts, mitigating potential threats, or meeting regulatory requirements. Getting threat modeling right has tangible benefits, like increasing and supporting developer output, and ultimately improving an organization's bottom line.

Half the battle is already won: many companies know they need to threat model. However, there are competing theories about how best to implement it in an organization. Security teams can feel overwhelmed by the number of different approaches and it can be difficult to determine what course of action will be most effective and, crucially, how to go about putting these practices in place: threat modeling’s goldilocks problem.

Establishing where to employ threat modeling

Before beginning any threat modeling, it is essential to understand why an organization needs it. Knowing where threat modeling should be applied gives organizations the tools to tailor the approach. This includes: business criticality, identifying the assets and systems critical to operations; compliance requirements; any prior security incidents, and how those came about; the organization's current development culture and security posture; and, of course, resources and budget.

It’s important to understand at this point that threat modeling is never a one-time event - it's an ongoing process that should be repeated regularly, especially when changes are made to software and infrastructure. This also isn’t just a technical process, it's a people process too. It’s essential to understand what is required in terms of bridging the gap between developers and security teams. Both groups have a different set of aims and aligning them should be an overarching priority of any threat modeling implementation.

Too hot or too cold: picking the approach that’s ‘just right’

The first thing to consider when implementing an approach is flexibility. All approaches should be initially tested with specific groups and pilot teams in order to quickly establish what’s working and what’s not. This ‘dress rehearsal’ allows for revisions before being scaled across the organization. Experimentation is crucial - for instance, if threat modeling is conducted by a team working on cloud-based products, it needs to be assessed whether this same approach will work with a software team. A lack of experimentation could risk major blockages down the line which prevent a smooth organization-wide adoption.

There are essentially two main schools of thought on threat modeling approaches: shallow and broad, or deep and narrow. Neither is inherently preferable: the right choice depends entirely on what suits each organization best.

Shallow and broad

This approach aims to establish as wide an understanding of threat modeling as possible within an organization, by taking a very lightweight approach to threat modeling that keeps things simple, and leverages Security Champions or a train-the-trainer model. The value of this approach is that in a short amount of time, large parts of the organization are familiar with threat modeling practices and are making conscious decisions in their work that factor in threat modeling. This approach can be especially effective in creating a broader, more security aware culture.

This can also lay a solid foundation for deeper threat modeling work, but as a ‘light touch’ approach, the depth of knowledge is fairly limited and will require further training later down the line as a consequence. It also means letting go of control as each team will be threat modeling differently to the rest. It can also be a bigger challenge for organizations that operate in highly regulated environments, as it may not provide the level of detail needed to meet requirements.

Deep and narrow

This approach is much more targeted: it aims to create ‘threat modeling champions’ within an organization who have a deep practical understanding, and it results in a much more mature end-to-end implementation. This smaller group will apply extensive threat modeling, showing real tangible value, and ideally become advocates for it within the business, pushing others to factor it into decision making and sharing their expertise.

However, this approach is not without its drawbacks - it risks a minority of the organization understanding threat modeling and facing an uphill battle to encourage wider organizational adoption. What worked for the narrowly scoped teams may not apply universally to the rest of the organization. It also inevitably requires more work from those participating: a deeper approach can be time and resource intensive, which can be a lot to ask of already stretched developer and security teams.

The value of getting threat modeling right

The main and most obvious benefit of getting threat modeling approaches right is the protection an organization gains from security threats. Once equipped with the tools to mitigate those threats, it becomes much easier to build better and more secure software, adhere to regulatory requirements, and ensure resources are allocated effectively. A huge amount of this value lies in deciding which approach to take. By selecting the right strategy for the specific needs of an organization, the value of threat modeling can be easily demonstrated to developers without it becoming just another item on the to-do list. Indeed, this value can extend all the way through a company: if practices are implemented well and adopted with limited friction, senior management and other stakeholders will be able to quickly see a return on investment and ultimately an improvement in the organization's bottom line.
